2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
35 #include "helpers/ssltestlib.h"
37 #include "testutil/output.h"
38 #include "internal/nelem.h"
39 #include "internal/ktls.h"
40 #include "../ssl/ssl_local.h"
42 /* Defined in filterprov.c */
43 OSSL_provider_init_fn filter_provider_init;
44 int filter_provider_set_filter(int operation, const char *name);
46 /* Defined in tls-provider.c */
47 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
48 const OSSL_DISPATCH *in,
49 const OSSL_DISPATCH **out,
52 static OSSL_LIB_CTX *libctx = NULL;
53 static OSSL_PROVIDER *defctxnull = NULL;
55 #ifndef OPENSSL_NO_TLS1_3
57 static SSL_SESSION *clientpsk = NULL;
58 static SSL_SESSION *serverpsk = NULL;
59 static const char *pskid = "Identity";
60 static const char *srvid;
62 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
63 size_t *idlen, SSL_SESSION **sess);
64 static int find_session_cb(SSL *ssl, const unsigned char *identity,
65 size_t identity_len, SSL_SESSION **sess);
67 static int use_session_cb_cnt = 0;
68 static int find_session_cb_cnt = 0;
70 static SSL_SESSION *create_a_psk(SSL *ssl);
73 static char *certsdir = NULL;
74 static char *cert = NULL;
75 static char *privkey = NULL;
76 static char *cert2 = NULL;
77 static char *privkey2 = NULL;
78 static char *cert1024 = NULL;
79 static char *privkey1024 = NULL;
80 static char *cert3072 = NULL;
81 static char *privkey3072 = NULL;
82 static char *cert4096 = NULL;
83 static char *privkey4096 = NULL;
84 static char *cert8192 = NULL;
85 static char *privkey8192 = NULL;
86 static char *srpvfile = NULL;
87 static char *tmpfilename = NULL;
89 static int is_fips = 0;
91 #define LOG_BUFFER_SIZE 2048
92 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
93 static size_t server_log_buffer_index = 0;
94 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
95 static size_t client_log_buffer_index = 0;
96 static int error_writing_log = 0;
98 #ifndef OPENSSL_NO_OCSP
99 static const unsigned char orespder[] = "Dummy OCSP Response";
100 static int ocsp_server_called = 0;
101 static int ocsp_client_called = 0;
103 static int cdummyarg = 1;
104 static X509 *ocspcert = NULL;
107 #define NUM_EXTRA_CERTS 40
108 #define CLIENT_VERSION_LEN 2
111 * This structure is used to validate that the correct number of log messages
112 * of various types are emitted when emitting secret logs.
114 struct sslapitest_log_counts {
115 unsigned int rsa_key_exchange_count;
116 unsigned int master_secret_count;
117 unsigned int client_early_secret_count;
118 unsigned int client_handshake_secret_count;
119 unsigned int server_handshake_secret_count;
120 unsigned int client_application_secret_count;
121 unsigned int server_application_secret_count;
122 unsigned int early_exporter_secret_count;
123 unsigned int exporter_secret_count;
127 static unsigned char serverinfov1[] = {
128 0xff, 0xff, /* Dummy extension type */
129 0x00, 0x01, /* Extension length is 1 byte */
130 0xff /* Dummy extension data */
133 static unsigned char serverinfov2[] = {
135 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
136 0xff, 0xff, /* Dummy extension type */
137 0x00, 0x01, /* Extension length is 1 byte */
138 0xff /* Dummy extension data */
141 static int hostname_cb(SSL *s, int *al, void *arg)
143 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
145 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
146 || strcmp(hostname, "altgoodhost") == 0))
147 return SSL_TLSEXT_ERR_OK;
149 return SSL_TLSEXT_ERR_NOACK;
152 static void client_keylog_callback(const SSL *ssl, const char *line)
154 int line_length = strlen(line);
156 /* If the log doesn't fit, error out. */
157 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
158 TEST_info("Client log too full");
159 error_writing_log = 1;
163 strcat(client_log_buffer, line);
164 client_log_buffer_index += line_length;
165 client_log_buffer[client_log_buffer_index++] = '\n';
168 static void server_keylog_callback(const SSL *ssl, const char *line)
170 int line_length = strlen(line);
172 /* If the log doesn't fit, error out. */
173 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
174 TEST_info("Server log too full");
175 error_writing_log = 1;
179 strcat(server_log_buffer, line);
180 server_log_buffer_index += line_length;
181 server_log_buffer[server_log_buffer_index++] = '\n';
184 static int compare_hex_encoded_buffer(const char *hex_encoded,
192 if (!TEST_size_t_eq(raw_length * 2, hex_length))
195 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
196 sprintf(hexed, "%02x", raw[i]);
197 if (!TEST_int_eq(hexed[0], hex_encoded[j])
198 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
205 static int test_keylog_output(char *buffer, const SSL *ssl,
206 const SSL_SESSION *session,
207 struct sslapitest_log_counts *expected)
210 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
211 size_t client_random_size = SSL3_RANDOM_SIZE;
212 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
213 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
214 unsigned int rsa_key_exchange_count = 0;
215 unsigned int master_secret_count = 0;
216 unsigned int client_early_secret_count = 0;
217 unsigned int client_handshake_secret_count = 0;
218 unsigned int server_handshake_secret_count = 0;
219 unsigned int client_application_secret_count = 0;
220 unsigned int server_application_secret_count = 0;
221 unsigned int early_exporter_secret_count = 0;
222 unsigned int exporter_secret_count = 0;
224 for (token = strtok(buffer, " \n"); token != NULL;
225 token = strtok(NULL, " \n")) {
226 if (strcmp(token, "RSA") == 0) {
228 * Premaster secret. Tokens should be: 16 ASCII bytes of
229 * hex-encoded encrypted secret, then the hex-encoded pre-master
232 if (!TEST_ptr(token = strtok(NULL, " \n")))
234 if (!TEST_size_t_eq(strlen(token), 16))
236 if (!TEST_ptr(token = strtok(NULL, " \n")))
239 * We can't sensibly check the log because the premaster secret is
240 * transient, and OpenSSL doesn't keep hold of it once the master
241 * secret is generated.
243 rsa_key_exchange_count++;
244 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
246 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
247 * client random, then the hex-encoded master secret.
249 client_random_size = SSL_get_client_random(ssl,
250 actual_client_random,
252 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
255 if (!TEST_ptr(token = strtok(NULL, " \n")))
257 if (!TEST_size_t_eq(strlen(token), 64))
259 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
260 actual_client_random,
261 client_random_size)))
264 if (!TEST_ptr(token = strtok(NULL, " \n")))
266 master_key_size = SSL_SESSION_get_master_key(session,
269 if (!TEST_size_t_ne(master_key_size, 0))
271 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
275 master_secret_count++;
276 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
278 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
279 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
280 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
281 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
282 || strcmp(token, "EXPORTER_SECRET") == 0) {
284 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
285 * client random, and then the hex-encoded secret. In this case,
286 * we treat all of these secrets identically and then just
287 * distinguish between them when counting what we saw.
289 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
290 client_early_secret_count++;
291 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 client_handshake_secret_count++;
293 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
294 server_handshake_secret_count++;
295 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
296 client_application_secret_count++;
297 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
298 server_application_secret_count++;
299 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
300 early_exporter_secret_count++;
301 else if (strcmp(token, "EXPORTER_SECRET") == 0)
302 exporter_secret_count++;
304 client_random_size = SSL_get_client_random(ssl,
305 actual_client_random,
307 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
310 if (!TEST_ptr(token = strtok(NULL, " \n")))
312 if (!TEST_size_t_eq(strlen(token), 64))
314 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
315 actual_client_random,
316 client_random_size)))
319 if (!TEST_ptr(token = strtok(NULL, " \n")))
323 * TODO(TLS1.3): test that application traffic secrets are what
326 TEST_info("Unexpected token %s\n", token);
331 /* Got what we expected? */
332 if (!TEST_size_t_eq(rsa_key_exchange_count,
333 expected->rsa_key_exchange_count)
334 || !TEST_size_t_eq(master_secret_count,
335 expected->master_secret_count)
336 || !TEST_size_t_eq(client_early_secret_count,
337 expected->client_early_secret_count)
338 || !TEST_size_t_eq(client_handshake_secret_count,
339 expected->client_handshake_secret_count)
340 || !TEST_size_t_eq(server_handshake_secret_count,
341 expected->server_handshake_secret_count)
342 || !TEST_size_t_eq(client_application_secret_count,
343 expected->client_application_secret_count)
344 || !TEST_size_t_eq(server_application_secret_count,
345 expected->server_application_secret_count)
346 || !TEST_size_t_eq(early_exporter_secret_count,
347 expected->early_exporter_secret_count)
348 || !TEST_size_t_eq(exporter_secret_count,
349 expected->exporter_secret_count))
354 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
355 static int test_keylog(void)
357 SSL_CTX *cctx = NULL, *sctx = NULL;
358 SSL *clientssl = NULL, *serverssl = NULL;
360 struct sslapitest_log_counts expected;
362 /* Clean up logging space */
363 memset(&expected, 0, sizeof(expected));
364 memset(client_log_buffer, 0, sizeof(client_log_buffer));
365 memset(server_log_buffer, 0, sizeof(server_log_buffer));
366 client_log_buffer_index = 0;
367 server_log_buffer_index = 0;
368 error_writing_log = 0;
370 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
373 &sctx, &cctx, cert, privkey)))
376 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
377 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
378 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
380 /* We also want to ensure that we use RSA-based key exchange. */
381 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
384 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
385 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
387 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
388 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
389 == client_keylog_callback))
391 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
392 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
393 == server_keylog_callback))
396 /* Now do a handshake and check that the logs have been written to. */
397 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
398 &clientssl, NULL, NULL))
399 || !TEST_true(create_ssl_connection(serverssl, clientssl,
401 || !TEST_false(error_writing_log)
402 || !TEST_int_gt(client_log_buffer_index, 0)
403 || !TEST_int_gt(server_log_buffer_index, 0))
407 * Now we want to test that our output data was vaguely sensible. We
408 * do that by using strtok and confirming that we have more or less the
409 * data we expect. For both client and server, we expect to see one master
410 * secret. The client should also see a RSA key exchange.
412 expected.rsa_key_exchange_count = 1;
413 expected.master_secret_count = 1;
414 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
415 SSL_get_session(clientssl), &expected)))
418 expected.rsa_key_exchange_count = 0;
419 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
420 SSL_get_session(serverssl), &expected)))
435 #ifndef OPENSSL_NO_TLS1_3
436 static int test_keylog_no_master_key(void)
438 SSL_CTX *cctx = NULL, *sctx = NULL;
439 SSL *clientssl = NULL, *serverssl = NULL;
440 SSL_SESSION *sess = NULL;
442 struct sslapitest_log_counts expected;
443 unsigned char buf[1];
444 size_t readbytes, written;
446 /* Clean up logging space */
447 memset(&expected, 0, sizeof(expected));
448 memset(client_log_buffer, 0, sizeof(client_log_buffer));
449 memset(server_log_buffer, 0, sizeof(server_log_buffer));
450 client_log_buffer_index = 0;
451 server_log_buffer_index = 0;
452 error_writing_log = 0;
454 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
455 TLS_client_method(), TLS1_VERSION, 0,
456 &sctx, &cctx, cert, privkey))
457 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
458 SSL3_RT_MAX_PLAIN_LENGTH)))
461 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
462 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
465 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
467 == client_keylog_callback))
470 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
471 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
472 == server_keylog_callback))
475 /* Now do a handshake and check that the logs have been written to. */
476 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
477 &clientssl, NULL, NULL))
478 || !TEST_true(create_ssl_connection(serverssl, clientssl,
480 || !TEST_false(error_writing_log))
484 * Now we want to test that our output data was vaguely sensible. For this
485 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
486 * TLSv1.3, but we do expect both client and server to emit keys.
488 expected.client_handshake_secret_count = 1;
489 expected.server_handshake_secret_count = 1;
490 expected.client_application_secret_count = 1;
491 expected.server_application_secret_count = 1;
492 expected.exporter_secret_count = 1;
493 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
494 SSL_get_session(clientssl), &expected))
495 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
496 SSL_get_session(serverssl),
500 /* Terminate old session and resume with early data. */
501 sess = SSL_get1_session(clientssl);
502 SSL_shutdown(clientssl);
503 SSL_shutdown(serverssl);
506 serverssl = clientssl = NULL;
509 memset(client_log_buffer, 0, sizeof(client_log_buffer));
510 memset(server_log_buffer, 0, sizeof(server_log_buffer));
511 client_log_buffer_index = 0;
512 server_log_buffer_index = 0;
514 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
515 &clientssl, NULL, NULL))
516 || !TEST_true(SSL_set_session(clientssl, sess))
517 /* Here writing 0 length early data is enough. */
518 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
519 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
521 SSL_READ_EARLY_DATA_ERROR)
522 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
523 SSL_EARLY_DATA_ACCEPTED)
524 || !TEST_true(create_ssl_connection(serverssl, clientssl,
526 || !TEST_true(SSL_session_reused(clientssl)))
529 /* In addition to the previous entries, expect early secrets. */
530 expected.client_early_secret_count = 1;
531 expected.early_exporter_secret_count = 1;
532 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
533 SSL_get_session(clientssl), &expected))
534 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
535 SSL_get_session(serverssl),
542 SSL_SESSION_free(sess);
552 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
554 int res = X509_verify_cert(ctx);
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
558 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
562 static int test_client_cert_verify_cb(void)
564 /* server key, cert, chain, and root */
565 char *skey = test_mk_file_path(certsdir, "leaf.key");
566 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
567 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
568 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
569 char *root = test_mk_file_path(certsdir, "rootCA.pem");
570 X509 *crt1 = NULL, *crt2 = NULL;
571 STACK_OF(X509) *server_chain;
572 SSL_CTX *cctx = NULL, *sctx = NULL;
573 SSL *clientssl = NULL, *serverssl = NULL;
576 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
577 TLS_client_method(), TLS1_VERSION, 0,
578 &sctx, &cctx, NULL, NULL)))
580 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
581 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
582 SSL_FILETYPE_PEM), 1)
583 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
585 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
587 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
588 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
589 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
590 &clientssl, NULL, NULL)))
593 /* attempt SSL_connect() with incomplete server chain */
594 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
595 SSL_ERROR_WANT_RETRY_VERIFY)))
598 /* application provides intermediate certs needed to verify server cert */
599 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
600 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
601 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
603 /* add certs in reverse order to demonstrate real chain building */
604 if (!TEST_true(sk_X509_push(server_chain, crt1)))
607 if (!TEST_true(sk_X509_push(server_chain, crt2)))
611 /* continue SSL_connect(), must now succeed with completed server chain */
612 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
621 SSL_shutdown(clientssl);
622 SSL_shutdown(serverssl);
637 #ifndef OPENSSL_NO_TLS1_2
638 static int full_client_hello_callback(SSL *s, int *al, void *arg)
641 const unsigned char *p;
643 /* We only configure two ciphers, but the SCSV is added automatically. */
645 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
647 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
650 const int expected_extensions[] = {
651 #ifndef OPENSSL_NO_EC
657 /* Make sure we can defer processing and get called back. */
659 return SSL_CLIENT_HELLO_RETRY;
661 len = SSL_client_hello_get0_ciphers(s, &p);
662 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
664 SSL_client_hello_get0_compression_methods(s, &p), 1)
665 || !TEST_int_eq(*p, 0))
666 return SSL_CLIENT_HELLO_ERROR;
667 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
668 return SSL_CLIENT_HELLO_ERROR;
669 if (len != OSSL_NELEM(expected_extensions) ||
670 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
671 printf("ClientHello callback expected extensions mismatch\n");
673 return SSL_CLIENT_HELLO_ERROR;
676 return SSL_CLIENT_HELLO_SUCCESS;
679 static int test_client_hello_cb(void)
681 SSL_CTX *cctx = NULL, *sctx = NULL;
682 SSL *clientssl = NULL, *serverssl = NULL;
683 int testctr = 0, testresult = 0;
685 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
686 TLS_client_method(), TLS1_VERSION, 0,
687 &sctx, &cctx, cert, privkey)))
689 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
691 /* The gimpy cipher list we configure can't do TLS 1.3. */
692 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
694 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
695 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
696 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
697 &clientssl, NULL, NULL))
698 || !TEST_false(create_ssl_connection(serverssl, clientssl,
699 SSL_ERROR_WANT_CLIENT_HELLO_CB))
701 * Passing a -1 literal is a hack since
702 * the real value was lost.
704 || !TEST_int_eq(SSL_get_error(serverssl, -1),
705 SSL_ERROR_WANT_CLIENT_HELLO_CB)
706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
721 static int test_no_ems(void)
723 SSL_CTX *cctx = NULL, *sctx = NULL;
724 SSL *clientssl = NULL, *serverssl = NULL;
727 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
728 TLS1_VERSION, TLS1_2_VERSION,
729 &sctx, &cctx, cert, privkey)) {
730 printf("Unable to create SSL_CTX pair\n");
734 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
736 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
737 printf("Unable to create SSL objects\n");
741 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
742 printf("Creating SSL connection failed\n");
746 if (SSL_get_extms_support(serverssl)) {
747 printf("Server reports Extended Master Secret support\n");
751 if (SSL_get_extms_support(clientssl)) {
752 printf("Client reports Extended Master Secret support\n");
767 * Very focused test to exercise a single case in the server-side state
768 * machine, when the ChangeCipherState message needs to actually change
769 * from one cipher to a different cipher (i.e., not changing from null
770 * encryption to real encryption).
772 static int test_ccs_change_cipher(void)
774 SSL_CTX *cctx = NULL, *sctx = NULL;
775 SSL *clientssl = NULL, *serverssl = NULL;
776 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
783 * Create a conection so we can resume and potentially (but not) use
784 * a different cipher in the second connection.
786 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
788 TLS1_VERSION, TLS1_2_VERSION,
789 &sctx, &cctx, cert, privkey))
790 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
791 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
793 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
794 || !TEST_true(create_ssl_connection(serverssl, clientssl,
796 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
797 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
800 shutdown_ssl_connection(serverssl, clientssl);
801 serverssl = clientssl = NULL;
803 /* Resume, preferring a different cipher. Our server will force the
804 * same cipher to be used as the initial handshake. */
805 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
807 || !TEST_true(SSL_set_session(clientssl, sess))
808 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
809 || !TEST_true(create_ssl_connection(serverssl, clientssl,
811 || !TEST_true(SSL_session_reused(clientssl))
812 || !TEST_true(SSL_session_reused(serverssl))
813 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
814 || !TEST_ptr_eq(sesspre, sesspost)
815 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
816 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
818 shutdown_ssl_connection(serverssl, clientssl);
819 serverssl = clientssl = NULL;
822 * Now create a fresh connection and try to renegotiate a different
825 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
827 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
828 || !TEST_true(create_ssl_connection(serverssl, clientssl,
830 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
831 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
832 || !TEST_true(SSL_renegotiate(clientssl))
833 || !TEST_true(SSL_renegotiate_pending(clientssl)))
835 /* Actually drive the renegotiation. */
836 for (i = 0; i < 3; i++) {
837 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
838 if (!TEST_ulong_eq(readbytes, 0))
840 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
841 SSL_ERROR_WANT_READ)) {
844 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
845 if (!TEST_ulong_eq(readbytes, 0))
847 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
848 SSL_ERROR_WANT_READ)) {
852 /* sesspre and sesspost should be different since the cipher changed. */
853 if (!TEST_false(SSL_renegotiate_pending(clientssl))
854 || !TEST_false(SSL_session_reused(clientssl))
855 || !TEST_false(SSL_session_reused(serverssl))
856 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
857 || !TEST_ptr_ne(sesspre, sesspost)
858 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
859 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
862 shutdown_ssl_connection(serverssl, clientssl);
863 serverssl = clientssl = NULL;
872 SSL_SESSION_free(sess);
878 static int execute_test_large_message(const SSL_METHOD *smeth,
879 const SSL_METHOD *cmeth,
880 int min_version, int max_version,
883 SSL_CTX *cctx = NULL, *sctx = NULL;
884 SSL *clientssl = NULL, *serverssl = NULL;
888 X509 *chaincert = NULL;
891 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
894 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
897 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
902 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
903 max_version, &sctx, &cctx, cert,
909 * Test that read_ahead works correctly when dealing with large
912 SSL_CTX_set_read_ahead(cctx, 1);
916 * We assume the supplied certificate is big enough so that if we add
917 * NUM_EXTRA_CERTS it will make the overall message large enough. The
918 * default buffer size is requested to be 16k, but due to the way BUF_MEM
919 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
920 * test we need to have a message larger than that.
922 certlen = i2d_X509(chaincert, NULL);
923 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
924 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
925 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
926 if (!X509_up_ref(chaincert))
928 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
929 X509_free(chaincert);
934 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
936 || !TEST_true(create_ssl_connection(serverssl, clientssl,
941 * Calling SSL_clear() first is not required but this tests that SSL_clear()
944 if (!TEST_true(SSL_clear(serverssl)))
950 X509_free(chaincert);
959 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
960 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
961 #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
962 /* sock must be connected */
963 static int ktls_chk_platform(int sock)
965 if (!ktls_enable(sock))
970 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
972 static char count = 1;
973 unsigned char cbuf[16000] = {0};
974 unsigned char sbuf[16000];
976 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
977 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
978 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
979 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
980 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
981 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
982 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
983 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
986 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
987 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
988 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
989 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
991 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
994 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
995 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1000 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1003 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1004 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1009 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
1010 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
1011 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
1012 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
1014 /* verify the payload */
1015 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1018 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
1019 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
1020 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
1021 crec_wseq_after, rec_seq_size))
1024 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
1025 crec_wseq_after, rec_seq_size))
1029 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
1030 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
1031 srec_wseq_after, rec_seq_size))
1034 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
1035 srec_wseq_after, rec_seq_size))
1039 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
1040 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
1041 crec_rseq_after, rec_seq_size))
1044 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
1045 crec_rseq_after, rec_seq_size))
1049 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
1050 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
1051 srec_rseq_after, rec_seq_size))
1054 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
1055 srec_rseq_after, rec_seq_size))
1064 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
1065 int sis_ktls_tx, int sis_ktls_rx,
1066 int tls_version, const char *cipher,
1069 SSL_CTX *cctx = NULL, *sctx = NULL;
1070 SSL *clientssl = NULL, *serverssl = NULL;
1074 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1077 /* Skip this test if the platform does not support ktls */
1078 if (!ktls_chk_platform(cfd))
1081 /* Create a session based on SHA-256 */
1082 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1083 TLS_client_method(),
1084 tls_version, tls_version,
1085 &sctx, &cctx, cert, privkey))
1086 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1087 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
1088 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1089 &clientssl, sfd, cfd)))
1093 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1098 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1103 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1108 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1112 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1117 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1120 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1125 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1128 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1133 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1136 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1141 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1144 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1148 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1155 SSL_shutdown(clientssl);
1156 SSL_free(clientssl);
1159 SSL_shutdown(serverssl);
1160 SSL_free(serverssl);
1164 serverssl = clientssl = NULL;
1168 #define SENDFILE_SZ (16 * 4096)
1169 #define SENDFILE_CHUNK (4 * 4096)
1170 #define min(a,b) ((a) > (b) ? (b) : (a))
1172 static int test_ktls_sendfile(int tls_version, const char *cipher)
1174 SSL_CTX *cctx = NULL, *sctx = NULL;
1175 SSL *clientssl = NULL, *serverssl = NULL;
1176 unsigned char *buf, *buf_dst;
1177 BIO *out = NULL, *in = NULL;
1178 int cfd, sfd, ffd, err;
1179 ssize_t chunk_size = 0;
1180 off_t chunk_off = 0;
1184 buf = OPENSSL_zalloc(SENDFILE_SZ);
1185 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1186 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1187 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1190 /* Skip this test if the platform does not support ktls */
1191 if (!ktls_chk_platform(sfd)) {
1196 /* Create a session based on SHA-256 */
1197 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1198 TLS_client_method(),
1199 tls_version, tls_version,
1200 &sctx, &cctx, cert, privkey))
1201 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1202 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
1203 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1204 &clientssl, sfd, cfd)))
1207 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1209 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1212 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ)))
1215 out = BIO_new_file(tmpfilename, "wb");
1219 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1224 in = BIO_new_file(tmpfilename, "rb");
1225 BIO_get_fp(in, &ffdp);
1228 while (chunk_off < SENDFILE_SZ) {
1229 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1230 while ((err = SSL_sendfile(serverssl,
1234 0)) != chunk_size) {
1235 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1238 while ((err = SSL_read(clientssl,
1239 buf_dst + chunk_off,
1240 chunk_size)) != chunk_size) {
1241 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1245 /* verify the payload */
1246 if (!TEST_mem_eq(buf_dst + chunk_off,
1252 chunk_off += chunk_size;
1258 SSL_shutdown(clientssl);
1259 SSL_free(clientssl);
1262 SSL_shutdown(serverssl);
1263 SSL_free(serverssl);
1267 serverssl = clientssl = NULL;
1271 OPENSSL_free(buf_dst);
1275 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1276 static int test_ktls(int test)
1278 int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
1279 int tlsver, testresult;
1282 #if defined(OPENSSL_NO_TLS1_3)
1286 tlsver = TLS1_3_VERSION;
1289 #if defined(OPENSSL_NO_TLS1_2)
1292 tlsver = TLS1_2_VERSION;
1296 cis_ktls_tx = (test & 1) != 0;
1297 cis_ktls_rx = (test & 2) != 0;
1298 sis_ktls_tx = (test & 4) != 0;
1299 sis_ktls_rx = (test & 8) != 0;
1301 #if defined(OPENSSL_NO_KTLS_RX)
1302 if (cis_ktls_rx || sis_ktls_rx)
1305 #if !defined(OPENSSL_NO_TLS1_3)
1306 if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
1311 #ifdef OPENSSL_KTLS_AES_GCM_128
1312 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1313 sis_ktls_rx, tlsver, "AES128-GCM-SHA256",
1314 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1316 #ifdef OPENSSL_KTLS_AES_CCM_128
1317 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1318 sis_ktls_rx, tlsver, "AES128-CCM",
1319 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1321 #ifdef OPENSSL_KTLS_AES_GCM_256
1322 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1323 sis_ktls_rx, tlsver, "AES256-GCM-SHA384",
1324 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1329 static int test_ktls_sendfile_anytls(int tst)
1331 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
1335 #if defined(OPENSSL_NO_TLS1_3)
1339 tlsver = TLS1_3_VERSION;
1342 #if defined(OPENSSL_NO_TLS1_2)
1345 tlsver = TLS1_2_VERSION;
1349 #ifndef OPENSSL_KTLS_AES_GCM_128
1350 if(tst == 0) return 1;
1352 #ifndef OPENSSL_KTLS_AES_CCM_128
1353 if(tst == 1) return 1;
1355 #ifndef OPENSSL_KTLS_AES_GCM_256
1356 if(tst == 2) return 1;
1358 return test_ktls_sendfile(tlsver, cipher[tst]);
1364 static int test_large_message_tls(void)
1366 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1367 TLS1_VERSION, 0, 0);
1370 static int test_large_message_tls_read_ahead(void)
1372 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1373 TLS1_VERSION, 0, 1);
1376 #ifndef OPENSSL_NO_DTLS
1377 static int test_large_message_dtls(void)
1380 * read_ahead is not relevant to DTLS because DTLS always acts as if
1381 * read_ahead is set.
1383 return execute_test_large_message(DTLS_server_method(),
1384 DTLS_client_method(),
1385 DTLS1_VERSION, 0, 0);
1389 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1390 const SSL_METHOD *cmeth,
1391 int min_version, int max_version)
1394 SSL_CTX *cctx = NULL, *sctx = NULL;
1395 SSL *clientssl = NULL, *serverssl = NULL;
1400 static unsigned char cbuf[16000];
1401 static unsigned char sbuf[16000];
1403 if (!TEST_true(create_ssl_ctx_pair(libctx,
1405 min_version, max_version,
1410 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1414 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1417 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1421 for (i = 0; i < sizeof(cbuf); i++) {
1425 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1428 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1431 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1435 * Since we called SSL_peek(), we know the data in the record
1436 * layer is a plaintext record. We can gather the pointer to check
1437 * for zeroization after SSL_read().
1439 rr = serverssl->rlayer.rrec;
1440 zbuf = &rr->data[rr->off];
1441 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1445 * After SSL_peek() the plaintext must still be stored in the
1448 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1451 memset(sbuf, 0, sizeof(sbuf));
1452 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1455 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1458 /* Check if rbuf is cleansed */
1459 memset(cbuf, 0, sizeof(cbuf));
1460 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1465 SSL_free(serverssl);
1466 SSL_free(clientssl);
1473 static int test_cleanse_plaintext(void)
1475 #if !defined(OPENSSL_NO_TLS1_2)
1476 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1477 TLS_client_method(),
1484 #if !defined(OPENSSL_NO_TLS1_3)
1485 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1486 TLS_client_method(),
1492 #if !defined(OPENSSL_NO_DTLS)
1493 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1494 DTLS_client_method(),
1502 #ifndef OPENSSL_NO_OCSP
1503 static int ocsp_server_cb(SSL *s, void *arg)
1505 int *argi = (int *)arg;
1506 unsigned char *copy = NULL;
1507 STACK_OF(OCSP_RESPID) *ids = NULL;
1508 OCSP_RESPID *id = NULL;
1511 /* In this test we are expecting exactly 1 OCSP_RESPID */
1512 SSL_get_tlsext_status_ids(s, &ids);
1513 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1514 return SSL_TLSEXT_ERR_ALERT_FATAL;
1516 id = sk_OCSP_RESPID_value(ids, 0);
1517 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1518 return SSL_TLSEXT_ERR_ALERT_FATAL;
1519 } else if (*argi != 1) {
1520 return SSL_TLSEXT_ERR_ALERT_FATAL;
1523 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1524 return SSL_TLSEXT_ERR_ALERT_FATAL;
1526 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1527 ocsp_server_called = 1;
1528 return SSL_TLSEXT_ERR_OK;
1531 static int ocsp_client_cb(SSL *s, void *arg)
1533 int *argi = (int *)arg;
1534 const unsigned char *respderin;
1537 if (*argi != 1 && *argi != 2)
1540 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1541 if (!TEST_mem_eq(orespder, len, respderin, len))
1544 ocsp_client_called = 1;
1548 static int test_tlsext_status_type(void)
1550 SSL_CTX *cctx = NULL, *sctx = NULL;
1551 SSL *clientssl = NULL, *serverssl = NULL;
1553 STACK_OF(OCSP_RESPID) *ids = NULL;
1554 OCSP_RESPID *id = NULL;
1555 BIO *certbio = NULL;
1557 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1559 &sctx, &cctx, cert, privkey))
1562 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1565 /* First just do various checks getting and setting tlsext_status_type */
1567 clientssl = SSL_new(cctx);
1568 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1569 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1570 TLSEXT_STATUSTYPE_ocsp))
1571 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1572 TLSEXT_STATUSTYPE_ocsp))
1575 SSL_free(clientssl);
1578 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1579 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1582 clientssl = SSL_new(cctx);
1583 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1585 SSL_free(clientssl);
1589 * Now actually do a handshake and check OCSP information is exchanged and
1590 * the callbacks get called
1592 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1593 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1594 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1595 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1596 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1597 &clientssl, NULL, NULL))
1598 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1600 || !TEST_true(ocsp_client_called)
1601 || !TEST_true(ocsp_server_called))
1603 SSL_free(serverssl);
1604 SSL_free(clientssl);
1608 /* Try again but this time force the server side callback to fail */
1609 ocsp_client_called = 0;
1610 ocsp_server_called = 0;
1612 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1613 &clientssl, NULL, NULL))
1614 /* This should fail because the callback will fail */
1615 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1617 || !TEST_false(ocsp_client_called)
1618 || !TEST_false(ocsp_server_called))
1620 SSL_free(serverssl);
1621 SSL_free(clientssl);
1626 * This time we'll get the client to send an OCSP_RESPID that it will
1629 ocsp_client_called = 0;
1630 ocsp_server_called = 0;
1632 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1633 &clientssl, NULL, NULL)))
1637 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1638 * specific one. We'll use the server cert.
1640 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1641 || !TEST_ptr(id = OCSP_RESPID_new())
1642 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1643 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1644 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1645 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1646 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1649 SSL_set_tlsext_status_ids(clientssl, ids);
1650 /* Control has been transferred */
1656 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1658 || !TEST_true(ocsp_client_called)
1659 || !TEST_true(ocsp_server_called))
1665 SSL_free(serverssl);
1666 SSL_free(clientssl);
1669 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1670 OCSP_RESPID_free(id);
1672 X509_free(ocspcert);
1679 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1680 static int new_called, remove_called, get_called;
1682 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1686 * sess has been up-refed for us, but we don't actually need it so free it
1689 SSL_SESSION_free(sess);
1693 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1698 static SSL_SESSION *get_sess_val = NULL;
1700 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1705 return get_sess_val;
1708 static int execute_test_session(int maxprot, int use_int_cache,
1709 int use_ext_cache, long s_options)
1711 SSL_CTX *sctx = NULL, *cctx = NULL;
1712 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1713 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1714 # ifndef OPENSSL_NO_TLS1_1
1715 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1717 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1718 int testresult = 0, numnewsesstick = 1;
1720 new_called = remove_called = 0;
1722 /* TLSv1.3 sends 2 NewSessionTickets */
1723 if (maxprot == TLS1_3_VERSION)
1726 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1727 TLS_client_method(), TLS1_VERSION, 0,
1728 &sctx, &cctx, cert, privkey)))
1732 * Only allow the max protocol version so we can force a connection failure
1735 SSL_CTX_set_min_proto_version(cctx, maxprot);
1736 SSL_CTX_set_max_proto_version(cctx, maxprot);
1738 /* Set up session cache */
1739 if (use_ext_cache) {
1740 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1741 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1743 if (use_int_cache) {
1744 /* Also covers instance where both are set */
1745 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1747 SSL_CTX_set_session_cache_mode(cctx,
1748 SSL_SESS_CACHE_CLIENT
1749 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1753 SSL_CTX_set_options(sctx, s_options);
1756 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1758 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1760 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1763 /* Should fail because it should already be in the cache */
1764 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1767 && (!TEST_int_eq(new_called, numnewsesstick)
1769 || !TEST_int_eq(remove_called, 0)))
1772 new_called = remove_called = 0;
1773 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1774 &clientssl2, NULL, NULL))
1775 || !TEST_true(SSL_set_session(clientssl2, sess1))
1776 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1778 || !TEST_true(SSL_session_reused(clientssl2)))
1781 if (maxprot == TLS1_3_VERSION) {
1783 * In TLSv1.3 we should have created a new session even though we have
1784 * resumed. Since we attempted a resume we should also have removed the
1785 * old ticket from the cache so that we try to only use tickets once.
1788 && (!TEST_int_eq(new_called, 1)
1789 || !TEST_int_eq(remove_called, 1)))
1793 * In TLSv1.2 we expect to have resumed so no sessions added or
1797 && (!TEST_int_eq(new_called, 0)
1798 || !TEST_int_eq(remove_called, 0)))
1802 SSL_SESSION_free(sess1);
1803 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1805 shutdown_ssl_connection(serverssl2, clientssl2);
1806 serverssl2 = clientssl2 = NULL;
1808 new_called = remove_called = 0;
1809 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1810 &clientssl2, NULL, NULL))
1811 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1815 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1819 && (!TEST_int_eq(new_called, numnewsesstick)
1820 || !TEST_int_eq(remove_called, 0)))
1823 new_called = remove_called = 0;
1825 * This should clear sess2 from the cache because it is a "bad" session.
1826 * See SSL_set_session() documentation.
1828 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1831 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1833 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1836 if (use_int_cache) {
1837 /* Should succeeded because it should not already be in the cache */
1838 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1839 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1843 new_called = remove_called = 0;
1844 /* This shouldn't be in the cache so should fail */
1845 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1849 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1852 # if !defined(OPENSSL_NO_TLS1_1)
1853 new_called = remove_called = 0;
1854 /* Force a connection failure */
1855 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1856 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1857 &clientssl3, NULL, NULL))
1858 || !TEST_true(SSL_set_session(clientssl3, sess1))
1859 /* This should fail because of the mismatched protocol versions */
1860 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1864 /* We should have automatically removed the session from the cache */
1866 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1869 /* Should succeed because it should not already be in the cache */
1870 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1874 /* Now do some tests for server side caching */
1875 if (use_ext_cache) {
1876 SSL_CTX_sess_set_new_cb(cctx, NULL);
1877 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1878 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1879 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1880 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1881 get_sess_val = NULL;
1884 SSL_CTX_set_session_cache_mode(cctx, 0);
1885 /* Internal caching is the default on the server side */
1887 SSL_CTX_set_session_cache_mode(sctx,
1888 SSL_SESS_CACHE_SERVER
1889 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1891 SSL_free(serverssl1);
1892 SSL_free(clientssl1);
1893 serverssl1 = clientssl1 = NULL;
1894 SSL_free(serverssl2);
1895 SSL_free(clientssl2);
1896 serverssl2 = clientssl2 = NULL;
1897 SSL_SESSION_free(sess1);
1899 SSL_SESSION_free(sess2);
1902 SSL_CTX_set_max_proto_version(sctx, maxprot);
1903 if (maxprot == TLS1_2_VERSION)
1904 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1905 new_called = remove_called = get_called = 0;
1906 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1908 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1910 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1911 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1914 if (use_int_cache) {
1915 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1917 * In TLSv1.3 it should not have been added to the internal cache,
1918 * except in the case where we also have an external cache (in that
1919 * case it gets added to the cache in order to generate remove
1920 * events after timeout).
1922 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1925 /* Should fail because it should already be in the cache */
1926 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1931 if (use_ext_cache) {
1932 SSL_SESSION *tmp = sess2;
1934 if (!TEST_int_eq(new_called, numnewsesstick)
1935 || !TEST_int_eq(remove_called, 0)
1936 || !TEST_int_eq(get_called, 0))
1939 * Delete the session from the internal cache to force a lookup from
1940 * the external cache. We take a copy first because
1941 * SSL_CTX_remove_session() also marks the session as non-resumable.
1943 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1944 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1945 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1947 SSL_SESSION_free(sess2);
1952 new_called = remove_called = get_called = 0;
1953 get_sess_val = sess2;
1954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1955 &clientssl2, NULL, NULL))
1956 || !TEST_true(SSL_set_session(clientssl2, sess1))
1957 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1959 || !TEST_true(SSL_session_reused(clientssl2)))
1962 if (use_ext_cache) {
1963 if (!TEST_int_eq(remove_called, 0))
1966 if (maxprot == TLS1_3_VERSION) {
1967 if (!TEST_int_eq(new_called, 1)
1968 || !TEST_int_eq(get_called, 0))
1971 if (!TEST_int_eq(new_called, 0)
1972 || !TEST_int_eq(get_called, 1))
1980 SSL_free(serverssl1);
1981 SSL_free(clientssl1);
1982 SSL_free(serverssl2);
1983 SSL_free(clientssl2);
1984 # ifndef OPENSSL_NO_TLS1_1
1985 SSL_free(serverssl3);
1986 SSL_free(clientssl3);
1988 SSL_SESSION_free(sess1);
1989 SSL_SESSION_free(sess2);
1995 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1997 static int test_session_with_only_int_cache(void)
1999 #ifndef OPENSSL_NO_TLS1_3
2000 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2004 #ifndef OPENSSL_NO_TLS1_2
2005 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2011 static int test_session_with_only_ext_cache(void)
2013 #ifndef OPENSSL_NO_TLS1_3
2014 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2018 #ifndef OPENSSL_NO_TLS1_2
2019 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2025 static int test_session_with_both_cache(void)
2027 #ifndef OPENSSL_NO_TLS1_3
2028 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2032 #ifndef OPENSSL_NO_TLS1_2
2033 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2039 static int test_session_wo_ca_names(void)
2041 #ifndef OPENSSL_NO_TLS1_3
2042 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2046 #ifndef OPENSSL_NO_TLS1_2
2047 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2054 #ifndef OPENSSL_NO_TLS1_3
2055 static SSL_SESSION *sesscache[6];
2056 static int do_cache;
2058 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2061 sesscache[new_called] = sess;
2063 /* We don't need the reference to the session, so free it */
2064 SSL_SESSION_free(sess);
2071 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2073 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2074 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2077 /* Start handshake on the server and client */
2078 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2079 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2080 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2081 || !TEST_true(create_ssl_connection(sssl, cssl,
2088 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2091 int sess_id_ctx = 1;
2093 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2094 TLS_client_method(), TLS1_VERSION, 0,
2095 sctx, cctx, cert, privkey))
2096 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2097 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2098 (void *)&sess_id_ctx,
2099 sizeof(sess_id_ctx))))
2103 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2105 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2106 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2107 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2112 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2114 SSL *serverssl = NULL, *clientssl = NULL;
2117 /* Test that we can resume with all the tickets we got given */
2118 for (i = 0; i < idx * 2; i++) {
2120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2121 &clientssl, NULL, NULL))
2122 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2125 SSL_set_post_handshake_auth(clientssl, 1);
2127 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2132 * Following a successful resumption we only get 1 ticket. After a
2133 * failed one we should get idx tickets.
2136 if (!TEST_true(SSL_session_reused(clientssl))
2137 || !TEST_int_eq(new_called, 1))
2140 if (!TEST_false(SSL_session_reused(clientssl))
2141 || !TEST_int_eq(new_called, idx))
2146 /* After a post-handshake authentication we should get 1 new ticket */
2148 && (!post_handshake_verify(serverssl, clientssl)
2149 || !TEST_int_eq(new_called, 1)))
2152 SSL_shutdown(clientssl);
2153 SSL_shutdown(serverssl);
2154 SSL_free(serverssl);
2155 SSL_free(clientssl);
2156 serverssl = clientssl = NULL;
2157 SSL_SESSION_free(sesscache[i]);
2158 sesscache[i] = NULL;
2164 SSL_free(clientssl);
2165 SSL_free(serverssl);
2169 static int test_tickets(int stateful, int idx)
2171 SSL_CTX *sctx = NULL, *cctx = NULL;
2172 SSL *serverssl = NULL, *clientssl = NULL;
2176 /* idx is the test number, but also the number of tickets we want */
2181 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2185 &clientssl, NULL, NULL)))
2188 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2190 /* Check we got the number of tickets we were expecting */
2191 || !TEST_int_eq(idx, new_called))
2194 SSL_shutdown(clientssl);
2195 SSL_shutdown(serverssl);
2196 SSL_free(serverssl);
2197 SSL_free(clientssl);
2200 clientssl = serverssl = NULL;
2204 * Now we try to resume with the tickets we previously created. The
2205 * resumption attempt is expected to fail (because we're now using a new
2206 * SSL_CTX). We should see idx number of tickets issued again.
2209 /* Stop caching sessions - just count them */
2212 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2215 if (!check_resumption(idx, sctx, cctx, 0))
2218 /* Start again with caching sessions */
2225 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2228 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2229 &clientssl, NULL, NULL)))
2232 SSL_set_post_handshake_auth(clientssl, 1);
2234 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2236 /* Check we got the number of tickets we were expecting */
2237 || !TEST_int_eq(idx, new_called))
2240 /* After a post-handshake authentication we should get new tickets issued */
2241 if (!post_handshake_verify(serverssl, clientssl)
2242 || !TEST_int_eq(idx * 2, new_called))
2245 SSL_shutdown(clientssl);
2246 SSL_shutdown(serverssl);
2247 SSL_free(serverssl);
2248 SSL_free(clientssl);
2249 serverssl = clientssl = NULL;
2251 /* Stop caching sessions - just count them */
2255 * Check we can resume with all the tickets we created. This time around the
2256 * resumptions should all be successful.
2258 if (!check_resumption(idx, sctx, cctx, 1))
2264 SSL_free(serverssl);
2265 SSL_free(clientssl);
2266 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2267 SSL_SESSION_free(sesscache[j]);
2268 sesscache[j] = NULL;
2276 static int test_stateless_tickets(int idx)
2278 return test_tickets(0, idx);
2281 static int test_stateful_tickets(int idx)
2283 return test_tickets(1, idx);
2286 static int test_psk_tickets(void)
2288 SSL_CTX *sctx = NULL, *cctx = NULL;
2289 SSL *serverssl = NULL, *clientssl = NULL;
2291 int sess_id_ctx = 1;
2293 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2294 TLS_client_method(), TLS1_VERSION, 0,
2295 &sctx, &cctx, NULL, NULL))
2296 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2297 (void *)&sess_id_ctx,
2298 sizeof(sess_id_ctx))))
2301 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2302 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2303 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2304 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2305 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2306 use_session_cb_cnt = 0;
2307 find_session_cb_cnt = 0;
2311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2314 clientpsk = serverpsk = create_a_psk(clientssl);
2315 if (!TEST_ptr(clientpsk))
2317 SSL_SESSION_up_ref(clientpsk);
2319 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2321 || !TEST_int_eq(1, find_session_cb_cnt)
2322 || !TEST_int_eq(1, use_session_cb_cnt)
2323 /* We should always get 1 ticket when using external PSK */
2324 || !TEST_int_eq(1, new_called))
2330 SSL_free(serverssl);
2331 SSL_free(clientssl);
2334 SSL_SESSION_free(clientpsk);
2335 SSL_SESSION_free(serverpsk);
2336 clientpsk = serverpsk = NULL;
2341 static int test_extra_tickets(int idx)
2343 SSL_CTX *sctx = NULL, *cctx = NULL;
2344 SSL *serverssl = NULL, *clientssl = NULL;
2345 BIO *bretry = BIO_new(bio_s_always_retry());
2350 unsigned char c, buf[1];
2360 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2362 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2363 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2364 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2366 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2367 &clientssl, NULL, NULL)))
2371 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2372 * incremented by both client and server.
2374 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2376 /* Check we got the number of tickets we were expecting */
2377 || !TEST_int_eq(idx * 2, new_called)
2378 || !TEST_true(SSL_new_session_ticket(serverssl))
2379 || !TEST_true(SSL_new_session_ticket(serverssl))
2380 || !TEST_int_eq(idx * 2, new_called))
2383 /* Now try a (real) write to actually send the tickets */
2385 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2386 || !TEST_size_t_eq(1, nbytes)
2387 || !TEST_int_eq(idx * 2 + 2, new_called)
2388 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2389 || !TEST_int_eq(idx * 2 + 4, new_called)
2390 || !TEST_int_eq(sizeof(buf), nbytes)
2391 || !TEST_int_eq(c, buf[0])
2392 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2395 /* Try with only requesting one new ticket, too */
2398 if (!TEST_true(SSL_new_session_ticket(serverssl))
2399 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2400 || !TEST_size_t_eq(sizeof(c), nbytes)
2401 || !TEST_int_eq(1, new_called)
2402 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2403 || !TEST_int_eq(2, new_called)
2404 || !TEST_size_t_eq(sizeof(buf), nbytes)
2405 || !TEST_int_eq(c, buf[0]))
2408 /* Do it again but use dummy writes to drive the ticket generation */
2411 if (!TEST_true(SSL_new_session_ticket(serverssl))
2412 || !TEST_true(SSL_new_session_ticket(serverssl))
2413 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2414 || !TEST_size_t_eq(0, nbytes)
2415 || !TEST_int_eq(2, new_called)
2416 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2417 || !TEST_int_eq(4, new_called))
2421 * Use the always-retry BIO to exercise the logic that forces ticket
2422 * generation to wait until a record boundary.
2426 tmp = SSL_get_wbio(serverssl);
2427 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2431 SSL_set0_wbio(serverssl, bretry);
2433 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2434 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2435 || !TEST_size_t_eq(nbytes, 0))
2437 /* Restore a BIO that will let the write succeed */
2438 SSL_set0_wbio(serverssl, tmp);
2440 /* These calls should just queue the request and not send anything. */
2441 if (!TEST_true(SSL_new_session_ticket(serverssl))
2442 || !TEST_true(SSL_new_session_ticket(serverssl))
2443 || !TEST_int_eq(0, new_called))
2445 /* Re-do the write; still no tickets sent */
2446 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2447 || !TEST_size_t_eq(1, nbytes)
2448 || !TEST_int_eq(0, new_called)
2449 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2450 || !TEST_int_eq(0, new_called)
2451 || !TEST_int_eq(sizeof(buf), nbytes)
2452 || !TEST_int_eq(c, buf[0])
2453 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2455 /* Now the *next* write should send the tickets */
2457 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2458 || !TEST_size_t_eq(1, nbytes)
2459 || !TEST_int_eq(2, new_called)
2460 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2461 || !TEST_int_eq(4, new_called)
2462 || !TEST_int_eq(sizeof(buf), nbytes)
2463 || !TEST_int_eq(c, buf[0])
2464 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2467 SSL_shutdown(clientssl);
2468 SSL_shutdown(serverssl);
2474 SSL_free(serverssl);
2475 SSL_free(clientssl);
2478 clientssl = serverssl = NULL;
2487 #define USE_DEFAULT 3
2489 #define CONNTYPE_CONNECTION_SUCCESS 0
2490 #define CONNTYPE_CONNECTION_FAIL 1
2491 #define CONNTYPE_NO_CONNECTION 2
2493 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2494 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2495 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2496 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2498 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2501 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2502 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2503 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2505 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2522 * Tests calls to SSL_set_bio() under various conditions.
2524 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2525 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2526 * then do more tests where we create a successful connection first using our
2527 * standard connection setup functions, and then call SSL_set_bio() with
2528 * various combinations of valid BIOs or NULL. We then repeat these tests
2529 * following a failed connection. In this last case we are looking to check that
2530 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2532 static int test_ssl_set_bio(int idx)
2534 SSL_CTX *sctx = NULL, *cctx = NULL;
2537 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2538 SSL *serverssl = NULL, *clientssl = NULL;
2539 int initrbio, initwbio, newrbio, newwbio, conntype;
2542 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2550 conntype = CONNTYPE_NO_CONNECTION;
2552 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2553 initrbio = initwbio = USE_DEFAULT;
2561 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2562 TLS_client_method(), TLS1_VERSION, 0,
2563 &sctx, &cctx, cert, privkey)))
2566 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2568 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2569 * because we reduced the number of tests in the definition of
2570 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2571 * mismatched protocol versions we will force a connection failure.
2573 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2574 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2577 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2581 if (initrbio == USE_BIO_1
2582 || initwbio == USE_BIO_1
2583 || newrbio == USE_BIO_1
2584 || newwbio == USE_BIO_1) {
2585 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2589 if (initrbio == USE_BIO_2
2590 || initwbio == USE_BIO_2
2591 || newrbio == USE_BIO_2
2592 || newwbio == USE_BIO_2) {
2593 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2597 if (initrbio != USE_DEFAULT) {
2598 setupbio(&irbio, bio1, bio2, initrbio);
2599 setupbio(&iwbio, bio1, bio2, initwbio);
2600 SSL_set_bio(clientssl, irbio, iwbio);
2603 * We want to maintain our own refs to these BIO, so do an up ref for
2604 * each BIO that will have ownership transferred in the SSL_set_bio()
2609 if (iwbio != NULL && iwbio != irbio)
2613 if (conntype != CONNTYPE_NO_CONNECTION
2614 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2616 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2619 setupbio(&nrbio, bio1, bio2, newrbio);
2620 setupbio(&nwbio, bio1, bio2, newwbio);
2623 * We will (maybe) transfer ownership again so do more up refs.
2624 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2629 && (nwbio != iwbio || nrbio != nwbio))
2633 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2636 SSL_set_bio(clientssl, nrbio, nwbio);
2645 * This test is checking that the ref counting for SSL_set_bio is correct.
2646 * If we get here and we did too many frees then we will fail in the above
2649 SSL_free(serverssl);
2650 SSL_free(clientssl);
2656 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2658 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2660 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2665 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2666 || !TEST_ptr(ssl = SSL_new(ctx))
2667 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2668 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2671 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2674 * If anything goes wrong here then we could leak memory.
2676 BIO_push(sslbio, membio1);
2678 /* Verify changing the rbio/wbio directly does not cause leaks */
2679 if (change_bio != NO_BIO_CHANGE) {
2680 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2682 if (change_bio == CHANGE_RBIO)
2683 SSL_set0_rbio(ssl, membio2);
2685 SSL_set0_wbio(ssl, membio2);
2704 static int test_ssl_bio_pop_next_bio(void)
2706 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2709 static int test_ssl_bio_pop_ssl_bio(void)
2711 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2714 static int test_ssl_bio_change_rbio(void)
2716 return execute_test_ssl_bio(0, CHANGE_RBIO);
2719 static int test_ssl_bio_change_wbio(void)
2721 return execute_test_ssl_bio(0, CHANGE_WBIO);
2724 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2726 /* The list of sig algs */
2728 /* The length of the list */
2730 /* A sigalgs list in string format */
2731 const char *liststr;
2732 /* Whether setting the list should succeed */
2734 /* Whether creating a connection with the list should succeed */
2738 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2739 # ifndef OPENSSL_NO_EC
2740 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2741 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2743 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2744 static const int invalidlist2[] = {NID_sha256, NID_undef};
2745 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2746 static const int invalidlist4[] = {NID_sha256};
2747 static const sigalgs_list testsigalgs[] = {
2748 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2749 # ifndef OPENSSL_NO_EC
2750 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2751 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2753 {NULL, 0, "RSA+SHA256", 1, 1},
2754 # ifndef OPENSSL_NO_EC
2755 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2756 {NULL, 0, "ECDSA+SHA512", 1, 0},
2758 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2759 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2760 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2761 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2762 {NULL, 0, "RSA", 0, 0},
2763 {NULL, 0, "SHA256", 0, 0},
2764 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2765 {NULL, 0, "Invalid", 0, 0}
2768 static int test_set_sigalgs(int idx)
2770 SSL_CTX *cctx = NULL, *sctx = NULL;
2771 SSL *clientssl = NULL, *serverssl = NULL;
2773 const sigalgs_list *curr;
2776 /* Should never happen */
2777 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2780 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2781 curr = testctx ? &testsigalgs[idx]
2782 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2784 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2785 TLS_client_method(), TLS1_VERSION, 0,
2786 &sctx, &cctx, cert, privkey)))
2790 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2791 * for TLSv1.2 for now until we add a new API.
2793 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2798 if (curr->list != NULL)
2799 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2801 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2805 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2811 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2816 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2817 &clientssl, NULL, NULL)))
2823 if (curr->list != NULL)
2824 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2826 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2829 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2838 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2846 SSL_free(serverssl);
2847 SSL_free(clientssl);
2855 #ifndef OPENSSL_NO_TLS1_3
2856 static int psk_client_cb_cnt = 0;
2857 static int psk_server_cb_cnt = 0;
2859 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2860 size_t *idlen, SSL_SESSION **sess)
2862 switch (++use_session_cb_cnt) {
2864 /* The first call should always have a NULL md */
2870 /* The second call should always have an md */
2876 /* We should only be called a maximum of twice */
2880 if (clientpsk != NULL)
2881 SSL_SESSION_up_ref(clientpsk);
2884 *id = (const unsigned char *)pskid;
2885 *idlen = strlen(pskid);
2890 #ifndef OPENSSL_NO_PSK
2891 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2892 unsigned int max_id_len,
2894 unsigned int max_psk_len)
2896 unsigned int psklen = 0;
2898 psk_client_cb_cnt++;
2900 if (strlen(pskid) + 1 > max_id_len)
2903 /* We should only ever be called a maximum of twice per connection */
2904 if (psk_client_cb_cnt > 2)
2907 if (clientpsk == NULL)
2910 /* We'll reuse the PSK we set up for TLSv1.3 */
2911 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2913 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2914 strncpy(id, pskid, max_id_len);
2918 #endif /* OPENSSL_NO_PSK */
2920 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2921 size_t identity_len, SSL_SESSION **sess)
2923 find_session_cb_cnt++;
2925 /* We should only ever be called a maximum of twice per connection */
2926 if (find_session_cb_cnt > 2)
2929 if (serverpsk == NULL)
2932 /* Identity should match that set by the client */
2933 if (strlen(srvid) != identity_len
2934 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2935 /* No PSK found, continue but without a PSK */
2940 SSL_SESSION_up_ref(serverpsk);
2946 #ifndef OPENSSL_NO_PSK
2947 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2948 unsigned char *psk, unsigned int max_psk_len)
2950 unsigned int psklen = 0;
2952 psk_server_cb_cnt++;
2954 /* We should only ever be called a maximum of twice per connection */
2955 if (find_session_cb_cnt > 2)
2958 if (serverpsk == NULL)
2961 /* Identity should match that set by the client */
2962 if (strcmp(srvid, identity) != 0) {
2966 /* We'll reuse the PSK we set up for TLSv1.3 */
2967 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2969 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2973 #endif /* OPENSSL_NO_PSK */
2975 #define MSG1 "Hello"
2976 #define MSG2 "World."
2981 #define MSG7 "message."
2983 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2984 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2985 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2986 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2987 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
2990 static SSL_SESSION *create_a_psk(SSL *ssl)
2992 const SSL_CIPHER *cipher = NULL;
2993 const unsigned char key[] = {
2994 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2995 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2996 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2997 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2998 0x2c, 0x2d, 0x2e, 0x2f
3000 SSL_SESSION *sess = NULL;
3002 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3003 sess = SSL_SESSION_new();
3005 || !TEST_ptr(cipher)
3006 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3008 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3010 SSL_SESSION_set_protocol_version(sess,
3012 SSL_SESSION_free(sess);
3019 * Helper method to setup objects for early data test. Caller frees objects on
3022 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3023 SSL **serverssl, SSL_SESSION **sess, int idx)
3026 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3027 TLS_client_method(),
3029 sctx, cctx, cert, privkey)))
3032 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3036 /* When idx == 1 we repeat the tests with read_ahead set */
3037 SSL_CTX_set_read_ahead(*cctx, 1);
3038 SSL_CTX_set_read_ahead(*sctx, 1);
3039 } else if (idx == 2) {
3040 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3041 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3042 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3043 use_session_cb_cnt = 0;
3044 find_session_cb_cnt = 0;
3048 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3053 * For one of the run throughs (doesn't matter which one), we'll try sending
3054 * some SNI data in the initial ClientHello. This will be ignored (because
3055 * there is no SNI cb set up by the server), so it should not impact
3059 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3063 clientpsk = create_a_psk(*clientssl);
3064 if (!TEST_ptr(clientpsk)
3066 * We just choose an arbitrary value for max_early_data which
3067 * should be big enough for testing purposes.
3069 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3071 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3072 SSL_SESSION_free(clientpsk);
3076 serverpsk = clientpsk;
3079 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3080 SSL_SESSION_free(clientpsk);
3081 SSL_SESSION_free(serverpsk);
3082 clientpsk = serverpsk = NULL;
3093 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3097 *sess = SSL_get1_session(*clientssl);
3098 SSL_shutdown(*clientssl);
3099 SSL_shutdown(*serverssl);
3100 SSL_free(*serverssl);
3101 SSL_free(*clientssl);
3102 *serverssl = *clientssl = NULL;
3104 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3105 clientssl, NULL, NULL))
3106 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3112 static int test_early_data_read_write(int idx)
3114 SSL_CTX *cctx = NULL, *sctx = NULL;
3115 SSL *clientssl = NULL, *serverssl = NULL;
3117 SSL_SESSION *sess = NULL;
3118 unsigned char buf[20], data[1024];
3119 size_t readbytes, written, eoedlen, rawread, rawwritten;
3122 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3123 &serverssl, &sess, idx)))
3126 /* Write and read some early data */
3127 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3129 || !TEST_size_t_eq(written, strlen(MSG1))
3130 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3131 sizeof(buf), &readbytes),
3132 SSL_READ_EARLY_DATA_SUCCESS)
3133 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3134 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3135 SSL_EARLY_DATA_ACCEPTED))
3139 * Server should be able to write data, and client should be able to
3142 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3144 || !TEST_size_t_eq(written, strlen(MSG2))
3145 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3146 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3149 /* Even after reading normal data, client should be able write early data */
3150 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3152 || !TEST_size_t_eq(written, strlen(MSG3)))
3155 /* Server should still be able read early data after writing data */
3156 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3158 SSL_READ_EARLY_DATA_SUCCESS)
3159 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3162 /* Write more data from server and read it from client */
3163 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3165 || !TEST_size_t_eq(written, strlen(MSG4))
3166 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3167 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3171 * If client writes normal data it should mean writing early data is no
3174 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3175 || !TEST_size_t_eq(written, strlen(MSG5))
3176 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3177 SSL_EARLY_DATA_ACCEPTED))
3181 * At this point the client has written EndOfEarlyData, ClientFinished and
3182 * normal (fully protected) data. We are going to cause a delay between the
3183 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3184 * in the read BIO, and then just put back the EndOfEarlyData message.
3186 rbio = SSL_get_rbio(serverssl);
3187 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3188 || !TEST_size_t_lt(rawread, sizeof(data))
3189 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3192 /* Record length is in the 4th and 5th bytes of the record header */
3193 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3194 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3195 || !TEST_size_t_eq(rawwritten, eoedlen))
3198 /* Server should be told that there is no more early data */
3199 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3201 SSL_READ_EARLY_DATA_FINISH)
3202 || !TEST_size_t_eq(readbytes, 0))
3206 * Server has not finished init yet, so should still be able to write early
3209 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3211 || !TEST_size_t_eq(written, strlen(MSG6)))
3214 /* Push the ClientFinished and the normal data back into the server rbio */
3215 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3217 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3220 /* Server should be able to read normal data */
3221 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3222 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3225 /* Client and server should not be able to write/read early data now */
3226 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3230 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3232 SSL_READ_EARLY_DATA_ERROR))
3236 /* Client should be able to read the data sent by the server */
3237 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3238 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3242 * Make sure we process the two NewSessionTickets. These arrive
3243 * post-handshake. We attempt reads which we do not expect to return any
3246 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3247 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3251 /* Server should be able to write normal data */
3252 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3253 || !TEST_size_t_eq(written, strlen(MSG7))
3254 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3255 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3258 SSL_SESSION_free(sess);
3259 sess = SSL_get1_session(clientssl);
3260 use_session_cb_cnt = 0;
3261 find_session_cb_cnt = 0;
3263 SSL_shutdown(clientssl);
3264 SSL_shutdown(serverssl);
3265 SSL_free(serverssl);
3266 SSL_free(clientssl);
3267 serverssl = clientssl = NULL;
3268 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3269 &clientssl, NULL, NULL))
3270 || !TEST_true(SSL_set_session(clientssl, sess)))
3273 /* Write and read some early data */
3274 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3276 || !TEST_size_t_eq(written, strlen(MSG1))
3277 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3279 SSL_READ_EARLY_DATA_SUCCESS)
3280 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3283 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3284 || !TEST_int_gt(SSL_accept(serverssl), 0))
3287 /* Client and server should not be able to write/read early data now */
3288 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3292 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3294 SSL_READ_EARLY_DATA_ERROR))
3298 /* Client and server should be able to write/read normal data */
3299 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3300 || !TEST_size_t_eq(written, strlen(MSG5))
3301 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3302 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3308 SSL_SESSION_free(sess);
3309 SSL_SESSION_free(clientpsk);
3310 SSL_SESSION_free(serverpsk);
3311 clientpsk = serverpsk = NULL;
3312 SSL_free(serverssl);
3313 SSL_free(clientssl);
3319 static int allow_ed_cb_called = 0;
3321 static int allow_early_data_cb(SSL *s, void *arg)
3323 int *usecb = (int *)arg;
3325 allow_ed_cb_called++;
3334 * idx == 0: Standard early_data setup
3335 * idx == 1: early_data setup using read_ahead
3336 * usecb == 0: Don't use a custom early data callback
3337 * usecb == 1: Use a custom early data callback and reject the early data
3338 * usecb == 2: Use a custom early data callback and accept the early data
3339 * confopt == 0: Configure anti-replay directly
3340 * confopt == 1: Configure anti-replay using SSL_CONF
3342 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3344 SSL_CTX *cctx = NULL, *sctx = NULL;
3345 SSL *clientssl = NULL, *serverssl = NULL;
3347 SSL_SESSION *sess = NULL;
3348 size_t readbytes, written;
3349 unsigned char buf[20];
3351 allow_ed_cb_called = 0;
3353 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3354 TLS_client_method(), TLS1_VERSION, 0,
3355 &sctx, &cctx, cert, privkey)))
3360 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3362 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3364 if (!TEST_ptr(confctx))
3366 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3367 | SSL_CONF_FLAG_SERVER);
3368 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3369 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3371 SSL_CONF_CTX_free(confctx);
3374 SSL_CONF_CTX_free(confctx);
3376 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3379 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3380 &serverssl, &sess, idx)))
3384 * The server is configured to accept early data. Create a connection to
3385 * "use up" the ticket
3387 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3388 || !TEST_true(SSL_session_reused(clientssl)))
3391 SSL_shutdown(clientssl);
3392 SSL_shutdown(serverssl);
3393 SSL_free(serverssl);
3394 SSL_free(clientssl);
3395 serverssl = clientssl = NULL;
3397 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3398 &clientssl, NULL, NULL))
3399 || !TEST_true(SSL_set_session(clientssl, sess)))
3402 /* Write and read some early data */
3403 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3405 || !TEST_size_t_eq(written, strlen(MSG1)))
3409 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3411 SSL_READ_EARLY_DATA_FINISH)
3413 * The ticket was reused, so the we should have rejected the
3416 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3417 SSL_EARLY_DATA_REJECTED))
3420 /* In this case the callback decides to accept the early data */
3421 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3423 SSL_READ_EARLY_DATA_SUCCESS)
3424 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3426 * Server will have sent its flight so client can now send
3427 * end of early data and complete its half of the handshake
3429 || !TEST_int_gt(SSL_connect(clientssl), 0)
3430 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3432 SSL_READ_EARLY_DATA_FINISH)
3433 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3434 SSL_EARLY_DATA_ACCEPTED))
3438 /* Complete the connection */
3439 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3440 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3441 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3447 SSL_SESSION_free(sess);
3448 SSL_SESSION_free(clientpsk);
3449 SSL_SESSION_free(serverpsk);
3450 clientpsk = serverpsk = NULL;
3451 SSL_free(serverssl);
3452 SSL_free(clientssl);
3458 static int test_early_data_replay(int idx)
3460 int ret = 1, usecb, confopt;
3462 for (usecb = 0; usecb < 3; usecb++) {
3463 for (confopt = 0; confopt < 2; confopt++)
3464 ret &= test_early_data_replay_int(idx, usecb, confopt);
3471 * Helper function to test that a server attempting to read early data can
3472 * handle a connection from a client where the early data should be skipped.
3473 * testtype: 0 == No HRR
3474 * testtype: 1 == HRR
3475 * testtype: 2 == HRR, invalid early_data sent after HRR
3476 * testtype: 3 == recv_max_early_data set to 0
3478 static int early_data_skip_helper(int testtype, int idx)
3480 SSL_CTX *cctx = NULL, *sctx = NULL;
3481 SSL *clientssl = NULL, *serverssl = NULL;
3483 SSL_SESSION *sess = NULL;
3484 unsigned char buf[20];
3485 size_t readbytes, written;
3487 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3488 &serverssl, &sess, idx)))
3491 if (testtype == 1 || testtype == 2) {
3492 /* Force an HRR to occur */
3493 #if defined(OPENSSL_NO_EC)
3494 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3497 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3500 } else if (idx == 2) {
3502 * We force early_data rejection by ensuring the PSK identity is
3505 srvid = "Dummy Identity";
3508 * Deliberately corrupt the creation time. We take 20 seconds off the
3509 * time. It could be any value as long as it is not within tolerance.
3510 * This should mean the ticket is rejected.
3512 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3517 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3520 /* Write some early data */
3521 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3523 || !TEST_size_t_eq(written, strlen(MSG1)))
3526 /* Server should reject the early data */
3527 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3529 SSL_READ_EARLY_DATA_FINISH)
3530 || !TEST_size_t_eq(readbytes, 0)
3531 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3532 SSL_EARLY_DATA_REJECTED))
3542 * Finish off the handshake. We perform the same writes and reads as
3543 * further down but we expect them to fail due to the incomplete
3546 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3547 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3554 BIO *wbio = SSL_get_wbio(clientssl);
3555 /* A record that will appear as bad early_data */
3556 const unsigned char bad_early_data[] = {
3557 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3561 * We force the client to attempt a write. This will fail because
3562 * we're still in the handshake. It will cause the second
3563 * ClientHello to be sent.
3565 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3570 * Inject some early_data after the second ClientHello. This should
3571 * cause the server to fail
3573 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3574 sizeof(bad_early_data), &written)))
3581 * This client has sent more early_data than we are willing to skip
3582 * (case 3) or sent invalid early_data (case 2) so the connection should
3585 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3586 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3589 /* Connection has failed - nothing more to do */
3594 TEST_error("Invalid test type");
3599 * Should be able to send normal data despite rejection of early data. The
3600 * early_data should be skipped.
3602 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3603 || !TEST_size_t_eq(written, strlen(MSG2))
3604 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3605 SSL_EARLY_DATA_REJECTED)
3606 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3607 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3613 SSL_SESSION_free(clientpsk);
3614 SSL_SESSION_free(serverpsk);
3615 clientpsk = serverpsk = NULL;
3616 SSL_SESSION_free(sess);
3617 SSL_free(serverssl);
3618 SSL_free(clientssl);
3625 * Test that a server attempting to read early data can handle a connection
3626 * from a client where the early data is not acceptable.
3628 static int test_early_data_skip(int idx)
3630 return early_data_skip_helper(0, idx);
3634 * Test that a server attempting to read early data can handle a connection
3635 * from a client where an HRR occurs.
3637 static int test_early_data_skip_hrr(int idx)
3639 return early_data_skip_helper(1, idx);
3643 * Test that a server attempting to read early data can handle a connection
3644 * from a client where an HRR occurs and correctly fails if early_data is sent
3647 static int test_early_data_skip_hrr_fail(int idx)
3649 return early_data_skip_helper(2, idx);
3653 * Test that a server attempting to read early data will abort if it tries to
3654 * skip over too much.
3656 static int test_early_data_skip_abort(int idx)
3658 return early_data_skip_helper(3, idx);
3662 * Test that a server attempting to read early data can handle a connection
3663 * from a client that doesn't send any.
3665 static int test_early_data_not_sent(int idx)
3667 SSL_CTX *cctx = NULL, *sctx = NULL;
3668 SSL *clientssl = NULL, *serverssl = NULL;
3670 SSL_SESSION *sess = NULL;
3671 unsigned char buf[20];
3672 size_t readbytes, written;
3674 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3675 &serverssl, &sess, idx)))
3678 /* Write some data - should block due to handshake with server */
3679 SSL_set_connect_state(clientssl);
3680 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3683 /* Server should detect that early data has not been sent */
3684 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3686 SSL_READ_EARLY_DATA_FINISH)
3687 || !TEST_size_t_eq(readbytes, 0)
3688 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3689 SSL_EARLY_DATA_NOT_SENT)
3690 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3691 SSL_EARLY_DATA_NOT_SENT))
3694 /* Continue writing the message we started earlier */
3695 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3696 || !TEST_size_t_eq(written, strlen(MSG1))
3697 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3698 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3699 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3700 || !TEST_size_t_eq(written, strlen(MSG2)))
3703 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3704 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3710 SSL_SESSION_free(sess);
3711 SSL_SESSION_free(clientpsk);
3712 SSL_SESSION_free(serverpsk);
3713 clientpsk = serverpsk = NULL;
3714 SSL_free(serverssl);
3715 SSL_free(clientssl);
3721 static const char *servalpn;
3723 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3724 unsigned char *outlen, const unsigned char *in,
3725 unsigned int inlen, void *arg)
3727 unsigned int protlen = 0;
3728 const unsigned char *prot;
3730 for (prot = in; prot < in + inlen; prot += protlen) {
3732 if (in + inlen < prot + protlen)
3733 return SSL_TLSEXT_ERR_NOACK;
3735 if (protlen == strlen(servalpn)
3736 && memcmp(prot, servalpn, protlen) == 0) {
3739 return SSL_TLSEXT_ERR_OK;
3743 return SSL_TLSEXT_ERR_NOACK;
3746 /* Test that a PSK can be used to send early_data */
3747 static int test_early_data_psk(int idx)
3749 SSL_CTX *cctx = NULL, *sctx = NULL;
3750 SSL *clientssl = NULL, *serverssl = NULL;
3752 SSL_SESSION *sess = NULL;
3753 unsigned char alpnlist[] = {
3754 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3757 #define GOODALPNLEN 9
3758 #define BADALPNLEN 8
3759 #define GOODALPN (alpnlist)
3760 #define BADALPN (alpnlist + GOODALPNLEN)
3762 unsigned char buf[20];
3763 size_t readbytes, written;
3764 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3765 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3767 /* We always set this up with a final parameter of "2" for PSK */
3768 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3769 &serverssl, &sess, 2)))
3772 servalpn = "goodalpn";
3775 * Note: There is no test for inconsistent SNI with late client detection.
3776 * This is because servers do not acknowledge SNI even if they are using
3777 * it in a resumption handshake - so it is not actually possible for a
3778 * client to detect a problem.
3782 /* Set inconsistent SNI (early client detection) */
3783 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3784 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3785 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3790 /* Set inconsistent ALPN (early client detection) */
3791 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3792 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3793 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3795 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3802 * Set invalid protocol version. Technically this affects PSKs without
3803 * early_data too, but we test it here because it is similar to the
3804 * SNI/ALPN consistency tests.
3806 err = SSL_R_BAD_PSK;
3807 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3813 * Set inconsistent SNI (server side). In this case the connection
3814 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3815 * is associated with each handshake - not the session. Therefore it
3816 * should not matter that we used a different server name last time.
3818 SSL_SESSION_free(serverpsk);
3819 serverpsk = SSL_SESSION_dup(clientpsk);
3820 if (!TEST_ptr(serverpsk)
3821 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3825 /* Set consistent SNI */
3826 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3827 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3828 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3835 * Set inconsistent ALPN (server detected). In this case the connection
3836 * will succeed but reject early_data.
3838 servalpn = "badalpn";
3839 edstatus = SSL_EARLY_DATA_REJECTED;
3840 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3844 * Set consistent ALPN.
3845 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3846 * accepts a list of protos (each one length prefixed).
3847 * SSL_set1_alpn_selected accepts a single protocol (not length
3850 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3852 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3856 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3860 /* Set inconsistent ALPN (late client detection) */
3861 SSL_SESSION_free(serverpsk);
3862 serverpsk = SSL_SESSION_dup(clientpsk);
3863 if (!TEST_ptr(serverpsk)
3864 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3867 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3870 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3873 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3874 edstatus = SSL_EARLY_DATA_ACCEPTED;
3875 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3876 /* SSL_connect() call should fail */
3881 TEST_error("Bad test index");
3885 SSL_set_connect_state(clientssl);
3887 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3889 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3890 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3893 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3897 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3898 &readbytes), readearlyres)
3899 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3900 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3901 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3902 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3909 SSL_SESSION_free(sess);
3910 SSL_SESSION_free(clientpsk);
3911 SSL_SESSION_free(serverpsk);
3912 clientpsk = serverpsk = NULL;
3913 SSL_free(serverssl);
3914 SSL_free(clientssl);
3921 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3922 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3923 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3924 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3925 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3926 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3928 static int test_early_data_psk_with_all_ciphers(int idx)
3930 SSL_CTX *cctx = NULL, *sctx = NULL;
3931 SSL *clientssl = NULL, *serverssl = NULL;
3933 SSL_SESSION *sess = NULL;
3934 unsigned char buf[20];
3935 size_t readbytes, written;
3936 const SSL_CIPHER *cipher;
3937 const char *cipher_str[] = {
3938 TLS1_3_RFC_AES_128_GCM_SHA256,
3939 TLS1_3_RFC_AES_256_GCM_SHA384,
3940 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3941 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3945 TLS1_3_RFC_AES_128_CCM_SHA256,
3946 TLS1_3_RFC_AES_128_CCM_8_SHA256
3948 const unsigned char *cipher_bytes[] = {
3949 TLS13_AES_128_GCM_SHA256_BYTES,
3950 TLS13_AES_256_GCM_SHA384_BYTES,
3951 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3952 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3956 TLS13_AES_128_CCM_SHA256_BYTES,
3957 TLS13_AES_128_CCM_8_SHA256_BYTES
3960 if (cipher_str[idx] == NULL)
3962 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3963 if (idx == 2 && is_fips == 1)
3966 /* We always set this up with a final parameter of "2" for PSK */
3967 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3968 &serverssl, &sess, 2)))
3971 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3972 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3976 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3977 * and assigns to both client and server with incremented reference
3978 * and the same instance is updated in 'sess'.
3979 * So updating ciphersuite in 'sess' which will get reflected in
3980 * PSK handshake using psk use sess and find sess cb.
3982 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3983 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3986 SSL_set_connect_state(clientssl);
3987 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3991 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3993 SSL_READ_EARLY_DATA_SUCCESS)
3994 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3995 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3996 SSL_EARLY_DATA_ACCEPTED)
3997 || !TEST_int_eq(SSL_connect(clientssl), 1)
3998 || !TEST_int_eq(SSL_accept(serverssl), 1))
4001 /* Send some normal data from client to server */
4002 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4003 || !TEST_size_t_eq(written, strlen(MSG2)))
4006 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4007 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4012 SSL_SESSION_free(sess);
4013 SSL_SESSION_free(clientpsk);
4014 SSL_SESSION_free(serverpsk);
4015 clientpsk = serverpsk = NULL;
4016 if (clientssl != NULL)
4017 SSL_shutdown(clientssl);
4018 if (serverssl != NULL)
4019 SSL_shutdown(serverssl);
4020 SSL_free(serverssl);
4021 SSL_free(clientssl);
4028 * Test that a server that doesn't try to read early data can handle a
4029 * client sending some.
4031 static int test_early_data_not_expected(int idx)
4033 SSL_CTX *cctx = NULL, *sctx = NULL;
4034 SSL *clientssl = NULL, *serverssl = NULL;
4036 SSL_SESSION *sess = NULL;
4037 unsigned char buf[20];
4038 size_t readbytes, written;
4040 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4041 &serverssl, &sess, idx)))
4044 /* Write some early data */
4045 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4050 * Server should skip over early data and then block waiting for client to
4051 * continue handshake
4053 if (!TEST_int_le(SSL_accept(serverssl), 0)
4054 || !TEST_int_gt(SSL_connect(clientssl), 0)
4055 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4056 SSL_EARLY_DATA_REJECTED)
4057 || !TEST_int_gt(SSL_accept(serverssl), 0)
4058 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4059 SSL_EARLY_DATA_REJECTED))
4062 /* Send some normal data from client to server */
4063 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4064 || !TEST_size_t_eq(written, strlen(MSG2)))
4067 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4068 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4074 SSL_SESSION_free(sess);
4075 SSL_SESSION_free(clientpsk);
4076 SSL_SESSION_free(serverpsk);
4077 clientpsk = serverpsk = NULL;
4078 SSL_free(serverssl);
4079 SSL_free(clientssl);
4086 # ifndef OPENSSL_NO_TLS1_2
4088 * Test that a server attempting to read early data can handle a connection
4089 * from a TLSv1.2 client.
4091 static int test_early_data_tls1_2(int idx)
4093 SSL_CTX *cctx = NULL, *sctx = NULL;
4094 SSL *clientssl = NULL, *serverssl = NULL;
4096 unsigned char buf[20];
4097 size_t readbytes, written;
4099 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4100 &serverssl, NULL, idx)))
4103 /* Write some data - should block due to handshake with server */
4104 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4105 SSL_set_connect_state(clientssl);
4106 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4110 * Server should do TLSv1.2 handshake. First it will block waiting for more
4111 * messages from client after ServerDone. Then SSL_read_early_data should
4112 * finish and detect that early data has not been sent
4114 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4116 SSL_READ_EARLY_DATA_ERROR))
4120 * Continue writing the message we started earlier. Will still block waiting
4121 * for the CCS/Finished from server
4123 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4124 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4126 SSL_READ_EARLY_DATA_FINISH)
4127 || !TEST_size_t_eq(readbytes, 0)
4128 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4129 SSL_EARLY_DATA_NOT_SENT))
4132 /* Continue writing the message we started earlier */
4133 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4134 || !TEST_size_t_eq(written, strlen(MSG1))
4135 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4136 SSL_EARLY_DATA_NOT_SENT)
4137 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4138 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4139 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4140 || !TEST_size_t_eq(written, strlen(MSG2))
4141 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4142 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4148 SSL_SESSION_free(clientpsk);
4149 SSL_SESSION_free(serverpsk);
4150 clientpsk = serverpsk = NULL;
4151 SSL_free(serverssl);
4152 SSL_free(clientssl);
4158 # endif /* OPENSSL_NO_TLS1_2 */
4161 * Test configuring the TLSv1.3 ciphersuites
4163 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4164 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4165 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4166 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4167 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4168 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4169 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4170 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4171 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4172 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4174 static int test_set_ciphersuite(int idx)
4176 SSL_CTX *cctx = NULL, *sctx = NULL;
4177 SSL *clientssl = NULL, *serverssl = NULL;
4180 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4181 TLS_client_method(), TLS1_VERSION, 0,
4182 &sctx, &cctx, cert, privkey))
4183 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4184 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4187 if (idx >=4 && idx <= 7) {
4188 /* SSL_CTX explicit cipher list */
4189 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4193 if (idx == 0 || idx == 4) {
4194 /* Default ciphersuite */
4195 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4196 "TLS_AES_128_GCM_SHA256")))
4198 } else if (idx == 1 || idx == 5) {
4199 /* Non default ciphersuite */
4200 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4201 "TLS_AES_128_CCM_SHA256")))
4205 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4206 &clientssl, NULL, NULL)))
4209 if (idx == 8 || idx == 9) {
4210 /* SSL explicit cipher list */
4211 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4215 if (idx == 2 || idx == 6 || idx == 8) {
4216 /* Default ciphersuite */
4217 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4218 "TLS_AES_128_GCM_SHA256")))
4220 } else if (idx == 3 || idx == 7 || idx == 9) {
4221 /* Non default ciphersuite */
4222 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4223 "TLS_AES_128_CCM_SHA256")))
4227 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4233 SSL_free(serverssl);
4234 SSL_free(clientssl);
4241 static int test_ciphersuite_change(void)
4243 SSL_CTX *cctx = NULL, *sctx = NULL;
4244 SSL *clientssl = NULL, *serverssl = NULL;
4245 SSL_SESSION *clntsess = NULL;
4247 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4249 /* Create a session based on SHA-256 */
4250 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4251 TLS_client_method(), TLS1_VERSION, 0,
4252 &sctx, &cctx, cert, privkey))
4253 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4254 "TLS_AES_128_GCM_SHA256:"
4255 "TLS_AES_256_GCM_SHA384:"
4256 "TLS_AES_128_CCM_SHA256"))
4257 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4258 "TLS_AES_128_GCM_SHA256"))
4259 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4260 &clientssl, NULL, NULL))
4261 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4265 clntsess = SSL_get1_session(clientssl);
4266 /* Save for later */
4267 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4268 SSL_shutdown(clientssl);
4269 SSL_shutdown(serverssl);
4270 SSL_free(serverssl);
4271 SSL_free(clientssl);
4272 serverssl = clientssl = NULL;
4274 /* Check we can resume a session with a different SHA-256 ciphersuite */
4275 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4276 "TLS_AES_128_CCM_SHA256"))
4277 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4278 &clientssl, NULL, NULL))
4279 || !TEST_true(SSL_set_session(clientssl, clntsess))
4280 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4282 || !TEST_true(SSL_session_reused(clientssl)))
4285 SSL_SESSION_free(clntsess);
4286 clntsess = SSL_get1_session(clientssl);
4287 SSL_shutdown(clientssl);
4288 SSL_shutdown(serverssl);
4289 SSL_free(serverssl);
4290 SSL_free(clientssl);
4291 serverssl = clientssl = NULL;
4294 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4295 * succeeds but does not resume.
4297 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4298 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4300 || !TEST_true(SSL_set_session(clientssl, clntsess))
4301 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4303 || !TEST_false(SSL_session_reused(clientssl)))
4306 SSL_SESSION_free(clntsess);
4308 SSL_shutdown(clientssl);
4309 SSL_shutdown(serverssl);
4310 SSL_free(serverssl);
4311 SSL_free(clientssl);
4312 serverssl = clientssl = NULL;
4314 /* Create a session based on SHA384 */
4315 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4316 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4317 &clientssl, NULL, NULL))
4318 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4322 clntsess = SSL_get1_session(clientssl);
4323 SSL_shutdown(clientssl);
4324 SSL_shutdown(serverssl);
4325 SSL_free(serverssl);
4326 SSL_free(clientssl);
4327 serverssl = clientssl = NULL;
4329 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4330 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4331 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4332 "TLS_AES_256_GCM_SHA384"))
4333 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4335 || !TEST_true(SSL_set_session(clientssl, clntsess))
4337 * We use SSL_ERROR_WANT_READ below so that we can pause the
4338 * connection after the initial ClientHello has been sent to
4339 * enable us to make some session changes.
4341 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4342 SSL_ERROR_WANT_READ)))
4345 /* Trick the client into thinking this session is for a different digest */
4346 clntsess->cipher = aes_128_gcm_sha256;
4347 clntsess->cipher_id = clntsess->cipher->id;
4350 * Continue the previously started connection. Server has selected a SHA-384
4351 * ciphersuite, but client thinks the session is for SHA-256, so it should
4354 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4356 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4357 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4363 SSL_SESSION_free(clntsess);
4364 SSL_free(serverssl);
4365 SSL_free(clientssl);
4373 * Test TLSv1.3 Key exchange
4374 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4375 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4376 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4377 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4378 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4379 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4380 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4381 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4382 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4383 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4384 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4385 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4386 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4387 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4389 static int test_key_exchange(int idx)
4391 SSL_CTX *sctx = NULL, *cctx = NULL;
4392 SSL *serverssl = NULL, *clientssl = NULL;
4394 # ifndef OPENSSL_NO_EC
4395 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4396 NID_secp521r1, NID_X25519, NID_X448};
4398 # ifndef OPENSSL_NO_DH
4399 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4400 NID_ffdhe6144, NID_ffdhe8192};
4403 int *kexch_groups = &kexch_alg;
4404 int kexch_groups_size = 1;
4405 int max_version = TLS1_3_VERSION;
4406 char *kexch_name0 = NULL;
4409 # ifndef OPENSSL_NO_EC
4410 # ifndef OPENSSL_NO_TLS1_2
4412 max_version = TLS1_2_VERSION;
4416 kexch_groups = ecdhe_kexch_groups;
4417 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4418 kexch_name0 = "secp256r1";
4421 kexch_alg = NID_X9_62_prime256v1;
4422 kexch_name0 = "secp256r1";
4425 kexch_alg = NID_secp384r1;
4426 kexch_name0 = "secp384r1";
4429 kexch_alg = NID_secp521r1;
4430 kexch_name0 = "secp521r1";
4433 kexch_alg = NID_X25519;
4434 kexch_name0 = "x25519";
4437 kexch_alg = NID_X448;
4438 kexch_name0 = "x448";
4441 # ifndef OPENSSL_NO_DH
4442 # ifndef OPENSSL_NO_TLS1_2
4444 max_version = TLS1_2_VERSION;
4445 kexch_name0 = "ffdhe2048";
4449 kexch_groups = ffdhe_kexch_groups;
4450 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4451 kexch_name0 = "ffdhe2048";
4454 kexch_alg = NID_ffdhe2048;
4455 kexch_name0 = "ffdhe2048";
4458 kexch_alg = NID_ffdhe3072;
4459 kexch_name0 = "ffdhe3072";
4462 kexch_alg = NID_ffdhe4096;
4463 kexch_name0 = "ffdhe4096";
4466 kexch_alg = NID_ffdhe6144;
4467 kexch_name0 = "ffdhe6144";
4470 kexch_alg = NID_ffdhe8192;
4471 kexch_name0 = "ffdhe8192";
4475 /* We're skipping this test */
4479 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4480 TLS_client_method(), TLS1_VERSION,
4481 max_version, &sctx, &cctx, cert,
4485 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4486 TLS1_3_RFC_AES_128_GCM_SHA256)))
4489 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4490 TLS1_3_RFC_AES_128_GCM_SHA256)))
4493 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4494 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4498 * Must include an EC ciphersuite so that we send supported groups in
4501 # ifndef OPENSSL_NO_TLS1_2
4502 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4503 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4504 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4512 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4513 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4516 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4520 * If Handshake succeeds the negotiated kexch alg should be the first one in
4521 * configured, except in the case of FFDHE groups (idx 13), which are
4522 * TLSv1.3 only so we expect no shared group to exist.
4524 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4525 idx == 13 ? 0 : kexch_groups[0]))
4528 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4532 if (max_version == TLS1_3_VERSION) {
4533 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4535 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4541 SSL_free(serverssl);
4542 SSL_free(clientssl);
4549 * Test TLSv1.3 Cipher Suite
4550 * Test 0 = Set TLS1.3 cipher on context
4551 * Test 1 = Set TLS1.3 cipher on SSL
4552 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4553 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4555 static int test_tls13_ciphersuite(int idx)
4557 SSL_CTX *sctx = NULL, *cctx = NULL;
4558 SSL *serverssl = NULL, *clientssl = NULL;
4559 static const struct {
4560 const char *ciphername;
4563 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4564 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4565 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4566 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4567 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4568 { TLS1_3_RFC_AES_256_GCM_SHA384
4569 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4571 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4573 const char *t13_cipher = NULL;
4574 const char *t12_cipher = NULL;
4575 const char *negotiated_scipher;
4576 const char *negotiated_ccipher;
4592 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4596 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4600 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4601 # ifdef OPENSSL_NO_TLS1_2
4602 if (max_ver == TLS1_2_VERSION)
4605 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4606 if (is_fips && !t13_ciphers[i].fipscapable)
4608 t13_cipher = t13_ciphers[i].ciphername;
4609 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4610 TLS_client_method(),
4611 TLS1_VERSION, max_ver,
4612 &sctx, &cctx, cert, privkey)))
4616 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4617 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4619 if (t12_cipher != NULL) {
4620 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4621 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4627 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4628 &clientssl, NULL, NULL)))
4632 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4633 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4635 if (t12_cipher != NULL) {
4636 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4637 || !TEST_true(SSL_set_cipher_list(clientssl,
4643 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4647 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4649 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4651 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4655 * TEST_strn_eq is used below because t13_cipher can contain
4656 * multiple ciphersuites
4658 if (max_ver == TLS1_3_VERSION
4659 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4660 strlen(negotiated_scipher)))
4663 # ifndef OPENSSL_NO_TLS1_2
4664 /* Below validation is not done when t12_cipher is NULL */
4665 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4666 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4670 SSL_free(serverssl);
4672 SSL_free(clientssl);
4683 SSL_free(serverssl);
4684 SSL_free(clientssl);
4692 * Test 0 = Test new style callbacks
4693 * Test 1 = Test both new and old style callbacks
4694 * Test 2 = Test old style callbacks
4695 * Test 3 = Test old style callbacks with no certificate
4697 static int test_tls13_psk(int idx)
4699 SSL_CTX *sctx = NULL, *cctx = NULL;
4700 SSL *serverssl = NULL, *clientssl = NULL;
4701 const SSL_CIPHER *cipher = NULL;
4702 const unsigned char key[] = {
4703 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4704 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4705 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4706 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4710 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4711 TLS_client_method(), TLS1_VERSION, 0,
4712 &sctx, &cctx, idx == 3 ? NULL : cert,
4713 idx == 3 ? NULL : privkey)))
4718 * We use a ciphersuite with SHA256 to ease testing old style PSK
4719 * callbacks which will always default to SHA256. This should not be
4720 * necessary if we have no cert/priv key. In that case the server should
4721 * prefer SHA256 automatically.
4723 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4724 "TLS_AES_128_GCM_SHA256")))
4728 * As noted above the server should prefer SHA256 automatically. However
4729 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4730 * code works even if we are testing with only the FIPS provider loaded.
4732 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4733 "TLS_AES_256_GCM_SHA384:"
4734 "TLS_AES_128_GCM_SHA256")))
4739 * Test 0: New style callbacks only
4740 * Test 1: New and old style callbacks (only the new ones should be used)
4741 * Test 2: Old style callbacks only
4743 if (idx == 0 || idx == 1) {
4744 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4745 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4747 #ifndef OPENSSL_NO_PSK
4749 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4750 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4754 use_session_cb_cnt = 0;
4755 find_session_cb_cnt = 0;
4756 psk_client_cb_cnt = 0;
4757 psk_server_cb_cnt = 0;
4761 * Check we can create a connection if callback decides not to send a
4764 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4766 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4768 || !TEST_false(SSL_session_reused(clientssl))
4769 || !TEST_false(SSL_session_reused(serverssl)))
4772 if (idx == 0 || idx == 1) {
4773 if (!TEST_true(use_session_cb_cnt == 1)
4774 || !TEST_true(find_session_cb_cnt == 0)
4776 * If no old style callback then below should be 0
4779 || !TEST_true(psk_client_cb_cnt == idx)
4780 || !TEST_true(psk_server_cb_cnt == 0))
4783 if (!TEST_true(use_session_cb_cnt == 0)
4784 || !TEST_true(find_session_cb_cnt == 0)
4785 || !TEST_true(psk_client_cb_cnt == 1)
4786 || !TEST_true(psk_server_cb_cnt == 0))
4790 shutdown_ssl_connection(serverssl, clientssl);
4791 serverssl = clientssl = NULL;
4792 use_session_cb_cnt = psk_client_cb_cnt = 0;
4795 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4799 /* Create the PSK */
4800 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4801 clientpsk = SSL_SESSION_new();
4802 if (!TEST_ptr(clientpsk)
4803 || !TEST_ptr(cipher)
4804 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4806 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4807 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4809 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4811 serverpsk = clientpsk;
4813 /* Check we can create a connection and the PSK is used */
4814 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4815 || !TEST_true(SSL_session_reused(clientssl))
4816 || !TEST_true(SSL_session_reused(serverssl)))
4819 if (idx == 0 || idx == 1) {
4820 if (!TEST_true(use_session_cb_cnt == 1)
4821 || !TEST_true(find_session_cb_cnt == 1)
4822 || !TEST_true(psk_client_cb_cnt == 0)
4823 || !TEST_true(psk_server_cb_cnt == 0))
4826 if (!TEST_true(use_session_cb_cnt == 0)
4827 || !TEST_true(find_session_cb_cnt == 0)
4828 || !TEST_true(psk_client_cb_cnt == 1)
4829 || !TEST_true(psk_server_cb_cnt == 1))
4833 shutdown_ssl_connection(serverssl, clientssl);
4834 serverssl = clientssl = NULL;
4835 use_session_cb_cnt = find_session_cb_cnt = 0;
4836 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4838 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4843 #if defined(OPENSSL_NO_EC)
4844 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4847 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4852 * Check we can create a connection, the PSK is used and the callbacks are
4855 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4856 || !TEST_true(SSL_session_reused(clientssl))
4857 || !TEST_true(SSL_session_reused(serverssl)))
4860 if (idx == 0 || idx == 1) {
4861 if (!TEST_true(use_session_cb_cnt == 2)
4862 || !TEST_true(find_session_cb_cnt == 2)
4863 || !TEST_true(psk_client_cb_cnt == 0)
4864 || !TEST_true(psk_server_cb_cnt == 0))
4867 if (!TEST_true(use_session_cb_cnt == 0)
4868 || !TEST_true(find_session_cb_cnt == 0)
4869 || !TEST_true(psk_client_cb_cnt == 2)
4870 || !TEST_true(psk_server_cb_cnt == 2))
4874 shutdown_ssl_connection(serverssl, clientssl);
4875 serverssl = clientssl = NULL;
4876 use_session_cb_cnt = find_session_cb_cnt = 0;
4877 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4881 * Check that if the server rejects the PSK we can still connect, but with
4884 srvid = "Dummy Identity";
4885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4887 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4889 || !TEST_false(SSL_session_reused(clientssl))
4890 || !TEST_false(SSL_session_reused(serverssl)))
4893 if (idx == 0 || idx == 1) {
4894 if (!TEST_true(use_session_cb_cnt == 1)
4895 || !TEST_true(find_session_cb_cnt == 1)
4896 || !TEST_true(psk_client_cb_cnt == 0)
4898 * If no old style callback then below should be 0
4901 || !TEST_true(psk_server_cb_cnt == idx))
4904 if (!TEST_true(use_session_cb_cnt == 0)
4905 || !TEST_true(find_session_cb_cnt == 0)
4906 || !TEST_true(psk_client_cb_cnt == 1)
4907 || !TEST_true(psk_server_cb_cnt == 1))
4911 shutdown_ssl_connection(serverssl, clientssl);
4912 serverssl = clientssl = NULL;
4917 SSL_SESSION_free(clientpsk);
4918 SSL_SESSION_free(serverpsk);
4919 clientpsk = serverpsk = NULL;
4920 SSL_free(serverssl);
4921 SSL_free(clientssl);
4927 static unsigned char cookie_magic_value[] = "cookie magic";
4929 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4930 unsigned int *cookie_len)
4933 * Not suitable as a real cookie generation function but good enough for
4936 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4937 *cookie_len = sizeof(cookie_magic_value) - 1;
4942 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4943 unsigned int cookie_len)
4945 if (cookie_len == sizeof(cookie_magic_value) - 1
4946 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4952 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4956 int res = generate_cookie_callback(ssl, cookie, &temp);
4961 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4964 return verify_cookie_callback(ssl, cookie, cookie_len);
4967 static int test_stateless(void)
4969 SSL_CTX *sctx = NULL, *cctx = NULL;
4970 SSL *serverssl = NULL, *clientssl = NULL;
4973 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4974 TLS_client_method(), TLS1_VERSION, 0,
4975 &sctx, &cctx, cert, privkey)))
4978 /* The arrival of CCS messages can confuse the test */
4979 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4981 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4983 /* Send the first ClientHello */
4984 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4985 SSL_ERROR_WANT_READ))
4987 * This should fail with a -1 return because we have no callbacks
4990 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4993 /* Fatal error so abandon the connection from this client */
4994 SSL_free(clientssl);
4997 /* Set up the cookie generation and verification callbacks */
4998 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4999 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5002 * Create a new connection from the client (we can reuse the server SSL
5005 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5007 /* Send the first ClientHello */
5008 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5009 SSL_ERROR_WANT_READ))
5010 /* This should fail because there is no cookie */
5011 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5014 /* Abandon the connection from this client */
5015 SSL_free(clientssl);
5019 * Now create a connection from a new client but with the same server SSL
5022 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5024 /* Send the first ClientHello */
5025 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5026 SSL_ERROR_WANT_READ))
5027 /* This should fail because there is no cookie */
5028 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5029 /* Send the second ClientHello */
5030 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5031 SSL_ERROR_WANT_READ))
5032 /* This should succeed because a cookie is now present */
5033 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5034 /* Complete the connection */
5035 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5039 shutdown_ssl_connection(serverssl, clientssl);
5040 serverssl = clientssl = NULL;
5044 SSL_free(serverssl);
5045 SSL_free(clientssl);
5051 #endif /* OPENSSL_NO_TLS1_3 */
5053 static int clntaddoldcb = 0;
5054 static int clntparseoldcb = 0;
5055 static int srvaddoldcb = 0;
5056 static int srvparseoldcb = 0;
5057 static int clntaddnewcb = 0;
5058 static int clntparsenewcb = 0;
5059 static int srvaddnewcb = 0;
5060 static int srvparsenewcb = 0;
5061 static int snicb = 0;
5063 #define TEST_EXT_TYPE1 0xff00
5065 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5066 size_t *outlen, int *al, void *add_arg)
5068 int *server = (int *)add_arg;
5069 unsigned char *data;
5071 if (SSL_is_server(s))
5076 if (*server != SSL_is_server(s)
5077 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5082 *outlen = sizeof(char);
5086 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5089 OPENSSL_free((unsigned char *)out);
5092 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5093 size_t inlen, int *al, void *parse_arg)
5095 int *server = (int *)parse_arg;
5097 if (SSL_is_server(s))
5102 if (*server != SSL_is_server(s)
5103 || inlen != sizeof(char)
5110 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5111 const unsigned char **out, size_t *outlen, X509 *x,
5112 size_t chainidx, int *al, void *add_arg)
5114 int *server = (int *)add_arg;
5115 unsigned char *data;
5117 if (SSL_is_server(s))
5122 if (*server != SSL_is_server(s)
5123 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5128 *outlen = sizeof(*data);
5132 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5133 const unsigned char *out, void *add_arg)
5135 OPENSSL_free((unsigned char *)out);
5138 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5139 const unsigned char *in, size_t inlen, X509 *x,
5140 size_t chainidx, int *al, void *parse_arg)
5142 int *server = (int *)parse_arg;
5144 if (SSL_is_server(s))
5149 if (*server != SSL_is_server(s)
5150 || inlen != sizeof(char) || *in != 1)
5156 static int sni_cb(SSL *s, int *al, void *arg)
5158 SSL_CTX *ctx = (SSL_CTX *)arg;
5160 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5161 *al = SSL_AD_INTERNAL_ERROR;
5162 return SSL_TLSEXT_ERR_ALERT_FATAL;
5165 return SSL_TLSEXT_ERR_OK;
5169 * Custom call back tests.
5170 * Test 0: Old style callbacks in TLSv1.2
5171 * Test 1: New style callbacks in TLSv1.2
5172 * Test 2: New style callbacks in TLSv1.2 with SNI
5173 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5174 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5176 static int test_custom_exts(int tst)
5178 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5179 SSL *clientssl = NULL, *serverssl = NULL;
5181 static int server = 1;
5182 static int client = 0;
5183 SSL_SESSION *sess = NULL;
5184 unsigned int context;
5186 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5187 /* Skip tests for TLSv1.2 and below in this case */
5192 /* Reset callback counters */
5193 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5194 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5197 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5198 TLS_client_method(), TLS1_VERSION, 0,
5199 &sctx, &cctx, cert, privkey)))
5203 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5205 &sctx2, NULL, cert, privkey)))
5210 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5211 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5213 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5217 context = SSL_EXT_CLIENT_HELLO
5218 | SSL_EXT_TLS1_2_SERVER_HELLO
5219 | SSL_EXT_TLS1_3_SERVER_HELLO
5220 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5221 | SSL_EXT_TLS1_3_CERTIFICATE
5222 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5224 context = SSL_EXT_CLIENT_HELLO
5225 | SSL_EXT_TLS1_2_SERVER_HELLO
5226 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5229 /* Create a client side custom extension */
5231 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5232 old_add_cb, old_free_cb,
5233 &client, old_parse_cb,
5237 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5238 new_add_cb, new_free_cb,
5239 &client, new_parse_cb, &client)))
5243 /* Should not be able to add duplicates */
5244 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5245 old_add_cb, old_free_cb,
5246 &client, old_parse_cb,
5248 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5249 context, new_add_cb,
5250 new_free_cb, &client,
5251 new_parse_cb, &client)))
5254 /* Create a server side custom extension */
5256 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5257 old_add_cb, old_free_cb,
5258 &server, old_parse_cb,
5262 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5263 new_add_cb, new_free_cb,
5264 &server, new_parse_cb, &server)))
5267 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5268 context, new_add_cb,
5269 new_free_cb, &server,
5270 new_parse_cb, &server)))
5274 /* Should not be able to add duplicates */
5275 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5276 old_add_cb, old_free_cb,
5277 &server, old_parse_cb,
5279 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5280 context, new_add_cb,
5281 new_free_cb, &server,
5282 new_parse_cb, &server)))
5287 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5288 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5292 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5293 &clientssl, NULL, NULL))
5294 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5299 if (clntaddoldcb != 1
5300 || clntparseoldcb != 1
5302 || srvparseoldcb != 1)
5304 } else if (tst == 1 || tst == 2 || tst == 3) {
5305 if (clntaddnewcb != 1
5306 || clntparsenewcb != 1
5308 || srvparsenewcb != 1
5309 || (tst != 2 && snicb != 0)
5310 || (tst == 2 && snicb != 1))
5313 /* In this case there 2 NewSessionTicket messages created */
5314 if (clntaddnewcb != 1
5315 || clntparsenewcb != 5
5317 || srvparsenewcb != 1)
5321 sess = SSL_get1_session(clientssl);
5322 SSL_shutdown(clientssl);
5323 SSL_shutdown(serverssl);
5324 SSL_free(serverssl);
5325 SSL_free(clientssl);
5326 serverssl = clientssl = NULL;
5329 /* We don't bother with the resumption aspects for this test */
5334 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5336 || !TEST_true(SSL_set_session(clientssl, sess))
5337 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5342 * For a resumed session we expect to add the ClientHello extension. For the
5343 * old style callbacks we ignore it on the server side because they set
5344 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5348 if (clntaddoldcb != 2
5349 || clntparseoldcb != 1
5351 || srvparseoldcb != 1)
5353 } else if (tst == 1 || tst == 2 || tst == 3) {
5354 if (clntaddnewcb != 2
5355 || clntparsenewcb != 2
5357 || srvparsenewcb != 2)
5361 * No Certificate message extensions in the resumption handshake,
5362 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5364 if (clntaddnewcb != 2
5365 || clntparsenewcb != 8
5367 || srvparsenewcb != 2)
5374 SSL_SESSION_free(sess);
5375 SSL_free(serverssl);
5376 SSL_free(clientssl);
5377 SSL_CTX_free(sctx2);
5384 * Test loading of serverinfo data in various formats. test_sslmessages actually
5385 * tests to make sure the extensions appear in the handshake
5387 static int test_serverinfo(int tst)
5389 unsigned int version;
5390 unsigned char *sibuf;
5392 int ret, expected, testresult = 0;
5395 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5399 if ((tst & 0x01) == 0x01)
5400 version = SSL_SERVERINFOV2;
5402 version = SSL_SERVERINFOV1;
5404 if ((tst & 0x02) == 0x02) {
5405 sibuf = serverinfov2;
5406 sibuflen = sizeof(serverinfov2);
5407 expected = (version == SSL_SERVERINFOV2);
5409 sibuf = serverinfov1;
5410 sibuflen = sizeof(serverinfov1);
5411 expected = (version == SSL_SERVERINFOV1);
5414 if ((tst & 0x04) == 0x04) {
5415 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5417 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5420 * The version variable is irrelevant in this case - it's what is in the
5421 * buffer that matters
5423 if ((tst & 0x02) == 0x02)
5429 if (!TEST_true(ret == expected))
5441 * Test that SSL_export_keying_material() produces expected results. There are
5442 * no test vectors so all we do is test that both sides of the communication
5443 * produce the same results for different protocol versions.
5445 #define SMALL_LABEL_LEN 10
5446 #define LONG_LABEL_LEN 249
5447 static int test_export_key_mat(int tst)
5450 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5451 SSL *clientssl = NULL, *serverssl = NULL;
5452 const char label[LONG_LABEL_LEN + 1] = "test label";
5453 const unsigned char context[] = "context";
5454 const unsigned char *emptycontext = NULL;
5455 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5456 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5458 const int protocols[] = {
5467 #ifdef OPENSSL_NO_TLS1
5471 #ifdef OPENSSL_NO_TLS1_1
5475 if (is_fips && (tst == 0 || tst == 1))
5477 #ifdef OPENSSL_NO_TLS1_2
5481 #ifdef OPENSSL_NO_TLS1_3
5485 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5486 TLS_client_method(), TLS1_VERSION, 0,
5487 &sctx, &cctx, cert, privkey)))
5490 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5491 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5492 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5493 if ((protocols[tst] < TLS1_2_VERSION) &&
5494 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5495 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5498 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5503 * Premature call of SSL_export_keying_material should just fail.
5505 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5506 sizeof(ckeymat1), label,
5507 SMALL_LABEL_LEN + 1, context,
5508 sizeof(context) - 1, 1), 0))
5511 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5517 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5520 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5521 sizeof(ckeymat1), label,
5522 LONG_LABEL_LEN + 1, context,
5523 sizeof(context) - 1, 1), 0))
5528 } else if (tst == 4) {
5529 labellen = LONG_LABEL_LEN;
5531 labellen = SMALL_LABEL_LEN;
5534 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5535 sizeof(ckeymat1), label,
5537 sizeof(context) - 1, 1), 1)
5538 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5539 sizeof(ckeymat2), label,
5543 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5544 sizeof(ckeymat3), label,
5547 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5548 sizeof(skeymat1), label,
5551 sizeof(context) -1, 1),
5553 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5554 sizeof(skeymat2), label,
5558 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5559 sizeof(skeymat3), label,
5563 * Check that both sides created the same key material with the
5566 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5569 * Check that both sides created the same key material with an
5572 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5575 * Check that both sides created the same key material without a
5578 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5580 /* Different contexts should produce different results */
5581 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5586 * Check that an empty context and no context produce different results in
5587 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5589 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5591 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5598 SSL_free(serverssl);
5599 SSL_free(clientssl);
5600 SSL_CTX_free(sctx2);
5607 #ifndef OPENSSL_NO_TLS1_3
5609 * Test that SSL_export_keying_material_early() produces expected
5610 * results. There are no test vectors so all we do is test that both
5611 * sides of the communication produce the same results for different
5612 * protocol versions.
5614 static int test_export_key_mat_early(int idx)
5616 static const char label[] = "test label";
5617 static const unsigned char context[] = "context";
5619 SSL_CTX *cctx = NULL, *sctx = NULL;
5620 SSL *clientssl = NULL, *serverssl = NULL;
5621 SSL_SESSION *sess = NULL;
5622 const unsigned char *emptycontext = NULL;
5623 unsigned char ckeymat1[80], ckeymat2[80];
5624 unsigned char skeymat1[80], skeymat2[80];
5625 unsigned char buf[1];
5626 size_t readbytes, written;
5628 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5632 /* Here writing 0 length early data is enough. */
5633 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5634 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5636 SSL_READ_EARLY_DATA_ERROR)
5637 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5638 SSL_EARLY_DATA_ACCEPTED))
5641 if (!TEST_int_eq(SSL_export_keying_material_early(
5642 clientssl, ckeymat1, sizeof(ckeymat1), label,
5643 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5644 || !TEST_int_eq(SSL_export_keying_material_early(
5645 clientssl, ckeymat2, sizeof(ckeymat2), label,
5646 sizeof(label) - 1, emptycontext, 0), 1)
5647 || !TEST_int_eq(SSL_export_keying_material_early(
5648 serverssl, skeymat1, sizeof(skeymat1), label,
5649 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5650 || !TEST_int_eq(SSL_export_keying_material_early(
5651 serverssl, skeymat2, sizeof(skeymat2), label,
5652 sizeof(label) - 1, emptycontext, 0), 1)
5654 * Check that both sides created the same key material with the
5657 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5660 * Check that both sides created the same key material with an
5663 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5665 /* Different contexts should produce different results */
5666 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5673 SSL_SESSION_free(sess);
5674 SSL_SESSION_free(clientpsk);
5675 SSL_SESSION_free(serverpsk);
5676 clientpsk = serverpsk = NULL;
5677 SSL_free(serverssl);
5678 SSL_free(clientssl);
5685 #define NUM_KEY_UPDATE_MESSAGES 40
5689 static int test_key_update(void)
5691 SSL_CTX *cctx = NULL, *sctx = NULL;
5692 SSL *clientssl = NULL, *serverssl = NULL;
5693 int testresult = 0, i, j;
5695 static char *mess = "A test message";
5697 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5698 TLS_client_method(),
5701 &sctx, &cctx, cert, privkey))
5702 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5704 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5708 for (j = 0; j < 2; j++) {
5709 /* Send lots of KeyUpdate messages */
5710 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5711 if (!TEST_true(SSL_key_update(clientssl,
5713 ? SSL_KEY_UPDATE_NOT_REQUESTED
5714 : SSL_KEY_UPDATE_REQUESTED))
5715 || !TEST_true(SSL_do_handshake(clientssl)))
5719 /* Check that sending and receiving app data is ok */
5720 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5721 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5725 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5726 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5734 SSL_free(serverssl);
5735 SSL_free(clientssl);
5743 * Test we can handle a KeyUpdate (update requested) message while write data
5745 * Test 0: Client sends KeyUpdate while Server is writing
5746 * Test 1: Server sends KeyUpdate while Client is writing
5748 static int test_key_update_in_write(int tst)
5750 SSL_CTX *cctx = NULL, *sctx = NULL;
5751 SSL *clientssl = NULL, *serverssl = NULL;
5754 static char *mess = "A test message";
5755 BIO *bretry = BIO_new(bio_s_always_retry());
5757 SSL *peerupdate = NULL, *peerwrite = NULL;
5759 if (!TEST_ptr(bretry)
5760 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5761 TLS_client_method(),
5764 &sctx, &cctx, cert, privkey))
5765 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5767 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5771 peerupdate = tst == 0 ? clientssl : serverssl;
5772 peerwrite = tst == 0 ? serverssl : clientssl;
5774 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5775 || !TEST_true(SSL_do_handshake(peerupdate)))
5778 /* Swap the writing endpoint's write BIO to force a retry */
5779 tmp = SSL_get_wbio(peerwrite);
5780 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5784 SSL_set0_wbio(peerwrite, bretry);
5787 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5788 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5789 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5792 /* Reinstate the original writing endpoint's write BIO */
5793 SSL_set0_wbio(peerwrite, tmp);
5796 /* Now read some data - we will read the key update */
5797 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5798 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5802 * Complete the write we started previously and read it from the other
5805 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5806 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5809 /* Write more data to ensure we send the KeyUpdate message back */
5810 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5811 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5817 SSL_free(serverssl);
5818 SSL_free(clientssl);
5826 #endif /* OPENSSL_NO_TLS1_3 */
5828 static int test_ssl_clear(int idx)
5830 SSL_CTX *cctx = NULL, *sctx = NULL;
5831 SSL *clientssl = NULL, *serverssl = NULL;
5834 #ifdef OPENSSL_NO_TLS1_2
5839 /* Create an initial connection */
5840 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5841 TLS_client_method(), TLS1_VERSION, 0,
5842 &sctx, &cctx, cert, privkey))
5844 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5846 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5847 &clientssl, NULL, NULL))
5848 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5852 SSL_shutdown(clientssl);
5853 SSL_shutdown(serverssl);
5854 SSL_free(serverssl);
5857 /* Clear clientssl - we're going to reuse the object */
5858 if (!TEST_true(SSL_clear(clientssl)))
5861 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5863 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5865 || !TEST_true(SSL_session_reused(clientssl)))
5868 SSL_shutdown(clientssl);
5869 SSL_shutdown(serverssl);
5874 SSL_free(serverssl);
5875 SSL_free(clientssl);
5882 /* Parse CH and retrieve any MFL extension value if present */
5883 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5886 unsigned char *data;
5887 PACKET pkt, pkt2, pkt3;
5888 unsigned int MFL_code = 0, type = 0;
5890 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5893 memset(&pkt, 0, sizeof(pkt));
5894 memset(&pkt2, 0, sizeof(pkt2));
5895 memset(&pkt3, 0, sizeof(pkt3));
5897 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5898 /* Skip the record header */
5899 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5900 /* Skip the handshake message header */
5901 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5902 /* Skip client version and random */
5903 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5904 + SSL3_RANDOM_SIZE))
5905 /* Skip session id */
5906 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5908 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5909 /* Skip compression */
5910 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5911 /* Extensions len */
5912 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5915 /* Loop through all extensions */
5916 while (PACKET_remaining(&pkt2)) {
5917 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5918 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5921 if (type == TLSEXT_TYPE_max_fragment_length) {
5922 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5923 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5926 *mfl_codemfl_code = MFL_code;
5935 /* Maximum-Fragment-Length TLS extension mode to test */
5936 static const unsigned char max_fragment_len_test[] = {
5937 TLSEXT_max_fragment_length_512,
5938 TLSEXT_max_fragment_length_1024,
5939 TLSEXT_max_fragment_length_2048,
5940 TLSEXT_max_fragment_length_4096
5943 static int test_max_fragment_len_ext(int idx_tst)
5947 int testresult = 0, MFL_mode = 0;
5950 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5954 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5955 ctx, max_fragment_len_test[idx_tst])))
5962 rbio = BIO_new(BIO_s_mem());
5963 wbio = BIO_new(BIO_s_mem());
5964 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5970 SSL_set_bio(con, rbio, wbio);
5971 SSL_set_connect_state(con);
5973 if (!TEST_int_le(SSL_connect(con), 0)) {
5974 /* This shouldn't succeed because we don't have a server! */
5978 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5979 /* no MFL in client hello */
5981 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5993 #ifndef OPENSSL_NO_TLS1_3
5994 static int test_pha_key_update(void)
5996 SSL_CTX *cctx = NULL, *sctx = NULL;
5997 SSL *clientssl = NULL, *serverssl = NULL;
6000 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6001 TLS_client_method(), TLS1_VERSION, 0,
6002 &sctx, &cctx, cert, privkey)))
6005 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6006 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6007 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6008 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6011 SSL_CTX_set_post_handshake_auth(cctx, 1);
6013 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6017 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6021 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6022 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6025 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6028 /* Start handshake on the server */
6029 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6032 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6033 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6037 SSL_shutdown(clientssl);
6038 SSL_shutdown(serverssl);
6043 SSL_free(serverssl);
6044 SSL_free(clientssl);
6051 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6053 static SRP_VBASE *vbase = NULL;
6055 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6057 int ret = SSL3_AL_FATAL;
6059 SRP_user_pwd *user = NULL;
6061 username = SSL_get_srp_username(s);
6062 if (username == NULL) {
6063 *ad = SSL_AD_INTERNAL_ERROR;
6067 user = SRP_VBASE_get1_by_user(vbase, username);
6069 *ad = SSL_AD_INTERNAL_ERROR;
6073 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6075 *ad = SSL_AD_INTERNAL_ERROR;
6082 SRP_user_pwd_free(user);
6086 static int create_new_vfile(char *userid, char *password, const char *filename)
6089 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6092 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6095 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6098 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6099 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6100 if (!TEST_ptr(gNid))
6104 * The only way to create an empty TXT_DB is to provide a BIO with no data
6107 db = TXT_DB_read(dummy, DB_NUMBER);
6111 out = BIO_new_file(filename, "w");
6115 row[DB_srpid] = OPENSSL_strdup(userid);
6116 row[DB_srptype] = OPENSSL_strdup("V");
6117 row[DB_srpgN] = OPENSSL_strdup(gNid);
6119 if (!TEST_ptr(row[DB_srpid])
6120 || !TEST_ptr(row[DB_srptype])
6121 || !TEST_ptr(row[DB_srpgN])
6122 || !TEST_true(TXT_DB_insert(db, row)))
6127 if (!TXT_DB_write(out, db))
6133 for (i = 0; i < DB_NUMBER; i++)
6134 OPENSSL_free(row[i]);
6144 static int create_new_vbase(char *userid, char *password)
6146 BIGNUM *verifier = NULL, *salt = NULL;
6147 const SRP_gN *lgN = NULL;
6148 SRP_user_pwd *user_pwd = NULL;
6151 lgN = SRP_get_default_gN(NULL);
6155 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6156 lgN->N, lgN->g, libctx, NULL)))
6159 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6160 if (!TEST_ptr(user_pwd))
6163 user_pwd->N = lgN->N;
6164 user_pwd->g = lgN->g;
6165 user_pwd->id = OPENSSL_strdup(userid);
6166 if (!TEST_ptr(user_pwd->id))
6169 user_pwd->v = verifier;
6171 verifier = salt = NULL;
6173 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6179 SRP_user_pwd_free(user_pwd);
6189 * Test 0: Simple successful SRP connection, new vbase
6190 * Test 1: Connection failure due to bad password, new vbase
6191 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6192 * Test 3: Connection failure due to bad password, vbase loaded from existing
6194 * Test 4: Simple successful SRP connection, vbase loaded from new file
6195 * Test 5: Connection failure due to bad password, vbase loaded from new file
6197 static int test_srp(int tst)
6199 char *userid = "test", *password = "password", *tstsrpfile;
6200 SSL_CTX *cctx = NULL, *sctx = NULL;
6201 SSL *clientssl = NULL, *serverssl = NULL;
6202 int ret, testresult = 0;
6204 vbase = SRP_VBASE_new(NULL);
6205 if (!TEST_ptr(vbase))
6208 if (tst == 0 || tst == 1) {
6209 if (!TEST_true(create_new_vbase(userid, password)))
6212 if (tst == 4 || tst == 5) {
6213 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6215 tstsrpfile = tmpfilename;
6217 tstsrpfile = srpvfile;
6219 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6223 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6224 TLS_client_method(), TLS1_VERSION, 0,
6225 &sctx, &cctx, cert, privkey)))
6228 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6229 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6230 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6231 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6232 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6236 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6239 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6243 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6247 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6249 if (!TEST_true(tst % 2 == 0))
6252 if (!TEST_true(tst % 2 == 1))
6259 SRP_VBASE_free(vbase);
6261 SSL_free(serverssl);
6262 SSL_free(clientssl);
6270 static int info_cb_failed = 0;
6271 static int info_cb_offset = 0;
6272 static int info_cb_this_state = -1;
6274 static struct info_cb_states_st {
6276 const char *statestr;
6277 } info_cb_states[][60] = {
6279 /* TLSv1.2 server followed by resumption */
6280 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6281 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6282 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6283 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6284 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6285 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6286 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6287 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6288 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6289 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6290 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6291 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6292 {SSL_CB_EXIT, NULL}, {0, NULL},
6294 /* TLSv1.2 client followed by resumption */
6295 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6296 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6297 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6298 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6299 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6300 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6301 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6302 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6303 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6304 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6305 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6306 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6308 /* TLSv1.3 server followed by resumption */
6309 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6310 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6311 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6312 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6313 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6314 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6315 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6316 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6317 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6318 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6319 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6320 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6321 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6323 /* TLSv1.3 client followed by resumption */
6324 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6325 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6326 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6327 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6328 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6329 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6330 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6331 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6332 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6333 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6334 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6335 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6336 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6337 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6338 {SSL_CB_EXIT, NULL}, {0, NULL},
6340 /* TLSv1.3 server, early_data */
6341 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6342 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6343 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6344 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6345 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6346 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6347 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6348 {SSL_CB_EXIT, NULL}, {0, NULL},
6350 /* TLSv1.3 client, early_data */
6351 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6352 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6353 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6354 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6355 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6356 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6357 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6358 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6359 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6365 static void sslapi_info_callback(const SSL *s, int where, int ret)
6367 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6369 /* We do not ever expect a connection to fail in this test */
6370 if (!TEST_false(ret == 0)) {
6376 * Do some sanity checks. We never expect these things to happen in this
6379 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6380 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6381 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6386 /* Now check we're in the right state */
6387 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6391 if ((where & SSL_CB_LOOP) != 0
6392 && !TEST_int_eq(strcmp(SSL_state_string(s),
6393 state[info_cb_this_state].statestr), 0)) {
6399 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6401 if ((where & SSL_CB_HANDSHAKE_DONE)
6402 && SSL_in_init((SSL *)s) != 0) {
6409 * Test the info callback gets called when we expect it to.
6411 * Test 0: TLSv1.2, server
6412 * Test 1: TLSv1.2, client
6413 * Test 2: TLSv1.3, server
6414 * Test 3: TLSv1.3, client
6415 * Test 4: TLSv1.3, server, early_data
6416 * Test 5: TLSv1.3, client, early_data
6418 static int test_info_callback(int tst)
6420 SSL_CTX *cctx = NULL, *sctx = NULL;
6421 SSL *clientssl = NULL, *serverssl = NULL;
6422 SSL_SESSION *clntsess = NULL;
6427 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6428 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6429 || !defined(OPENSSL_NO_DH))
6430 tlsvers = TLS1_2_VERSION;
6435 #ifndef OPENSSL_NO_TLS1_3
6436 tlsvers = TLS1_3_VERSION;
6444 info_cb_this_state = -1;
6445 info_cb_offset = tst;
6447 #ifndef OPENSSL_NO_TLS1_3
6449 SSL_SESSION *sess = NULL;
6450 size_t written, readbytes;
6451 unsigned char buf[80];
6453 /* early_data tests */
6454 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6455 &serverssl, &sess, 0)))
6458 /* We don't actually need this reference */
6459 SSL_SESSION_free(sess);
6461 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6462 sslapi_info_callback);
6464 /* Write and read some early data and then complete the connection */
6465 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6467 || !TEST_size_t_eq(written, strlen(MSG1))
6468 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6469 sizeof(buf), &readbytes),
6470 SSL_READ_EARLY_DATA_SUCCESS)
6471 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6472 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6473 SSL_EARLY_DATA_ACCEPTED)
6474 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6476 || !TEST_false(info_cb_failed))
6484 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6485 TLS_client_method(),
6486 tlsvers, tlsvers, &sctx, &cctx, cert,
6490 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6494 * For even numbered tests we check the server callbacks. For odd numbers we
6497 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6498 sslapi_info_callback);
6500 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6501 &clientssl, NULL, NULL))
6502 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6504 || !TEST_false(info_cb_failed))
6509 clntsess = SSL_get1_session(clientssl);
6510 SSL_shutdown(clientssl);
6511 SSL_shutdown(serverssl);
6512 SSL_free(serverssl);
6513 SSL_free(clientssl);
6514 serverssl = clientssl = NULL;
6516 /* Now do a resumption */
6517 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6519 || !TEST_true(SSL_set_session(clientssl, clntsess))
6520 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6522 || !TEST_true(SSL_session_reused(clientssl))
6523 || !TEST_false(info_cb_failed))
6529 SSL_free(serverssl);
6530 SSL_free(clientssl);
6531 SSL_SESSION_free(clntsess);
6537 static int test_ssl_pending(int tst)
6539 SSL_CTX *cctx = NULL, *sctx = NULL;
6540 SSL *clientssl = NULL, *serverssl = NULL;
6542 char msg[] = "A test message";
6544 size_t written, readbytes;
6547 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6548 TLS_client_method(),
6550 &sctx, &cctx, cert, privkey)))
6553 #ifndef OPENSSL_NO_DTLS
6554 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6555 DTLS_client_method(),
6557 &sctx, &cctx, cert, privkey)))
6564 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6566 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6570 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6571 || !TEST_false(SSL_has_pending(clientssl))
6572 || !TEST_int_eq(SSL_pending(serverssl), 0)
6573 || !TEST_false(SSL_has_pending(serverssl))
6574 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6575 || !TEST_size_t_eq(written, sizeof(msg))
6576 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6577 || !TEST_size_t_eq(readbytes, sizeof(buf))
6578 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6579 || !TEST_true(SSL_has_pending(clientssl)))
6585 SSL_free(serverssl);
6586 SSL_free(clientssl);
6594 unsigned int maxprot;
6595 const char *clntciphers;
6596 const char *clnttls13ciphers;
6597 const char *srvrciphers;
6598 const char *srvrtls13ciphers;
6600 const char *fipsshared;
6601 } shared_ciphers_data[] = {
6603 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6604 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6606 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6609 "AES128-SHA:AES256-SHA",
6611 "AES256-SHA:DHE-RSA-AES128-SHA",
6616 # if !defined(OPENSSL_NO_CHACHA) \
6617 && !defined(OPENSSL_NO_POLY1305) \
6618 && !defined(OPENSSL_NO_EC)
6621 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6623 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6625 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6631 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6633 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6635 "AES128-SHA:AES256-SHA",
6636 "AES128-SHA:AES256-SHA"
6640 "AES128-SHA:AES256-SHA",
6642 "AES128-SHA:DHE-RSA-AES128-SHA",
6649 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6652 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6653 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6656 "AES128-SHA:AES256-SHA",
6658 "AES256-SHA:AES128-SHA256",
6660 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6661 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6662 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6665 #ifndef OPENSSL_NO_TLS1_3
6669 "TLS_AES_256_GCM_SHA384",
6671 "TLS_AES_256_GCM_SHA384",
6672 "TLS_AES_256_GCM_SHA384",
6673 "TLS_AES_256_GCM_SHA384"
6678 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6680 SSL_CTX *cctx = NULL, *sctx = NULL;
6681 SSL *clientssl = NULL, *serverssl = NULL;
6684 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
6686 if (!TEST_ptr(tmplibctx))
6690 * Regardless of whether we're testing with the FIPS provider loaded into
6691 * libctx, we want one peer to always use the full set of ciphersuites
6692 * available. Therefore we use a separate libctx with the default provider
6693 * loaded into it. We run the same tests twice - once with the client side
6694 * having the full set of ciphersuites and once with the server side.
6697 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
6698 if (!TEST_ptr(cctx))
6701 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
6702 if (!TEST_ptr(sctx))
6706 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6707 TLS_client_method(),
6709 shared_ciphers_data[tst].maxprot,
6710 &sctx, &cctx, cert, privkey)))
6713 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6714 shared_ciphers_data[tst].clntciphers))
6715 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6716 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6717 shared_ciphers_data[tst].clnttls13ciphers)))
6718 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6719 shared_ciphers_data[tst].srvrciphers))
6720 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6721 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6722 shared_ciphers_data[tst].srvrtls13ciphers))))
6726 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6728 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6732 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6733 || !TEST_int_eq(strcmp(buf,
6735 ? shared_ciphers_data[tst].fipsshared
6736 : shared_ciphers_data[tst].shared),
6738 TEST_info("Shared ciphers are: %s\n", buf);
6745 SSL_free(serverssl);
6746 SSL_free(clientssl);
6749 OSSL_LIB_CTX_free(tmplibctx);
6754 static int test_ssl_get_shared_ciphers(int tst)
6756 return int_test_ssl_get_shared_ciphers(tst, 0)
6757 && int_test_ssl_get_shared_ciphers(tst, 1);
6761 static const char *appdata = "Hello World";
6762 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6763 static int tick_key_renew = 0;
6764 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6766 static int gen_tick_cb(SSL *s, void *arg)
6768 gen_tick_called = 1;
6770 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6774 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6775 const unsigned char *keyname,
6776 size_t keyname_length,
6777 SSL_TICKET_STATUS status,
6783 dec_tick_called = 1;
6785 if (status == SSL_TICKET_EMPTY)
6786 return SSL_TICKET_RETURN_IGNORE_RENEW;
6788 if (!TEST_true(status == SSL_TICKET_SUCCESS
6789 || status == SSL_TICKET_SUCCESS_RENEW))
6790 return SSL_TICKET_RETURN_ABORT;
6792 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6794 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6795 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6796 return SSL_TICKET_RETURN_ABORT;
6798 if (tick_key_cb_called) {
6799 /* Don't change what the ticket key callback wanted to do */
6801 case SSL_TICKET_NO_DECRYPT:
6802 return SSL_TICKET_RETURN_IGNORE_RENEW;
6804 case SSL_TICKET_SUCCESS:
6805 return SSL_TICKET_RETURN_USE;
6807 case SSL_TICKET_SUCCESS_RENEW:
6808 return SSL_TICKET_RETURN_USE_RENEW;
6811 return SSL_TICKET_RETURN_ABORT;
6814 return tick_dec_ret;
6818 #ifndef OPENSSL_NO_DEPRECATED_3_0
6819 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6820 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6821 HMAC_CTX *hctx, int enc)
6823 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6824 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6825 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6826 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6829 tick_key_cb_called = 1;
6830 memset(iv, 0, AES_BLOCK_SIZE);
6831 memset(key_name, 0, 16);
6832 if (aes128cbc == NULL
6834 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6835 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6839 ret = tick_key_renew ? 2 : 1;
6841 EVP_CIPHER_free(aes128cbc);
6842 EVP_MD_free(sha256);
6848 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6849 unsigned char iv[EVP_MAX_IV_LENGTH],
6850 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6852 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6853 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6854 OSSL_PARAM params[3];
6855 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6858 tick_key_cb_called = 1;
6859 memset(iv, 0, AES_BLOCK_SIZE);
6860 memset(key_name, 0, 16);
6861 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6863 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6865 sizeof(tick_hmac_key));
6866 params[2] = OSSL_PARAM_construct_end();
6867 if (aes128cbc == NULL
6868 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6869 || !EVP_MAC_CTX_set_params(hctx, params)
6870 || !EVP_MAC_init(hctx))
6873 ret = tick_key_renew ? 2 : 1;
6875 EVP_CIPHER_free(aes128cbc);
6881 * Test the various ticket callbacks
6882 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6883 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6884 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6885 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6886 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6887 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6888 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6889 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6890 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6891 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6892 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6893 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6894 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6895 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6896 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6897 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6899 static int test_ticket_callbacks(int tst)
6901 SSL_CTX *cctx = NULL, *sctx = NULL;
6902 SSL *clientssl = NULL, *serverssl = NULL;
6903 SSL_SESSION *clntsess = NULL;
6906 #ifdef OPENSSL_NO_TLS1_2
6910 #ifdef OPENSSL_NO_TLS1_3
6914 #ifdef OPENSSL_NO_DEPRECATED_3_0
6915 if (tst >= 8 && tst <= 11)
6919 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6921 /* Which tests the ticket key callback should request renewal for */
6922 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6927 /* Which tests the decrypt ticket callback should request renewal for */
6931 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6936 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6941 tick_dec_ret = SSL_TICKET_RETURN_USE;
6946 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6950 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6953 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6954 TLS_client_method(),
6956 ((tst % 2) == 0) ? TLS1_2_VERSION
6958 &sctx, &cctx, cert, privkey)))
6962 * We only want sessions to resume from tickets - not the session cache. So
6963 * switch the cache off.
6965 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6968 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6973 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6975 #ifndef OPENSSL_NO_DEPRECATED_3_0
6976 } else if (tst >= 8) {
6977 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6982 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6984 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6989 * The decrypt ticket key callback in TLSv1.2 should be called even though
6990 * we have no ticket yet, because it gets called with a status of
6991 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6992 * actually send any ticket data). This does not happen in TLSv1.3 because
6993 * it is not valid to send empty ticket data in TLSv1.3.
6995 if (!TEST_int_eq(gen_tick_called, 1)
6996 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6999 gen_tick_called = dec_tick_called = 0;
7001 clntsess = SSL_get1_session(clientssl);
7002 SSL_shutdown(clientssl);
7003 SSL_shutdown(serverssl);
7004 SSL_free(serverssl);
7005 SSL_free(clientssl);
7006 serverssl = clientssl = NULL;
7008 /* Now do a resumption */
7009 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7011 || !TEST_true(SSL_set_session(clientssl, clntsess))
7012 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7016 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7017 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7018 if (!TEST_false(SSL_session_reused(clientssl)))
7021 if (!TEST_true(SSL_session_reused(clientssl)))
7025 if (!TEST_int_eq(gen_tick_called,
7027 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7028 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7030 || !TEST_int_eq(dec_tick_called, 1))
7036 SSL_SESSION_free(clntsess);
7037 SSL_free(serverssl);
7038 SSL_free(clientssl);
7046 * Test incorrect shutdown.
7047 * Test 0: client does not shutdown properly,
7048 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7049 * server should get SSL_ERROR_SSL
7050 * Test 1: client does not shutdown properly,
7051 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7052 * server should get SSL_ERROR_ZERO_RETURN
7054 static int test_incorrect_shutdown(int tst)
7056 SSL_CTX *cctx = NULL, *sctx = NULL;
7057 SSL *clientssl = NULL, *serverssl = NULL;
7062 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7063 TLS_client_method(), 0, 0,
7064 &sctx, &cctx, cert, privkey)))
7068 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7070 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7074 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7078 c2s = SSL_get_rbio(serverssl);
7079 BIO_set_mem_eof_return(c2s, 0);
7081 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7084 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7086 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7092 SSL_free(serverssl);
7093 SSL_free(clientssl);
7101 * Test bi-directional shutdown.
7103 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7104 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7105 * Test 3: TLSv1.3, pending NewSessionTicket messages
7106 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7107 * sends key update, client reads it
7108 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7109 * sends CertificateRequest, client reads and ignores it
7110 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7113 static int test_shutdown(int tst)
7115 SSL_CTX *cctx = NULL, *sctx = NULL;
7116 SSL *clientssl = NULL, *serverssl = NULL;
7118 char msg[] = "A test message";
7120 size_t written, readbytes;
7123 #ifdef OPENSSL_NO_TLS1_2
7127 #ifdef OPENSSL_NO_TLS1_3
7132 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7133 TLS_client_method(),
7135 (tst <= 1) ? TLS1_2_VERSION
7137 &sctx, &cctx, cert, privkey)))
7141 SSL_CTX_set_post_handshake_auth(cctx, 1);
7143 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7148 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7150 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7151 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7153 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7155 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7156 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7160 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7165 * Reading on the server after the client has sent close_notify should
7166 * fail and provide SSL_ERROR_ZERO_RETURN
7168 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7169 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7170 SSL_ERROR_ZERO_RETURN)
7171 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7172 SSL_RECEIVED_SHUTDOWN)
7174 * Even though we're shutdown on receive we should still be
7177 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7180 && !TEST_true(SSL_key_update(serverssl,
7181 SSL_KEY_UPDATE_REQUESTED)))
7184 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7185 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7188 if ((tst == 4 || tst == 5)
7189 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7191 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7193 if (tst == 4 || tst == 5) {
7194 /* Should still be able to read data from server */
7195 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7197 || !TEST_size_t_eq(readbytes, sizeof(msg))
7198 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7199 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7201 || !TEST_size_t_eq(readbytes, sizeof(msg))
7202 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7207 /* Writing on the client after sending close_notify shouldn't be possible */
7208 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7213 * For these tests the client has sent close_notify but it has not yet
7214 * been received by the server. The server has not sent close_notify
7217 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7219 * Writing on the server after sending close_notify shouldn't
7222 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7223 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7224 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7225 || !TEST_true(SSL_SESSION_is_resumable(sess))
7226 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7228 } else if (tst == 4 || tst == 5) {
7230 * In this test the client has sent close_notify and it has been
7231 * received by the server which has responded with a close_notify. The
7232 * client needs to read the close_notify sent by the server.
7234 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7235 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7236 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7242 * The client has sent close_notify and is expecting a close_notify
7243 * back, but instead there is application data first. The shutdown
7244 * should fail with a fatal error.
7246 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7247 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7254 SSL_free(serverssl);
7255 SSL_free(clientssl);
7262 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7263 static int cert_cb_cnt;
7265 static int cert_cb(SSL *s, void *arg)
7267 SSL_CTX *ctx = (SSL_CTX *)arg;
7269 EVP_PKEY *pkey = NULL;
7270 X509 *x509 = NULL, *rootx = NULL;
7271 STACK_OF(X509) *chain = NULL;
7272 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7275 if (cert_cb_cnt == 0) {
7276 /* Suspend the handshake */
7279 } else if (cert_cb_cnt == 1) {
7281 * Update the SSL_CTX, set the certificate and private key and then
7282 * continue the handshake normally.
7284 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7287 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7288 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7290 || !TEST_true(SSL_check_private_key(s)))
7294 } else if (cert_cb_cnt == 3) {
7297 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7298 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7299 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7300 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7302 chain = sk_X509_new_null();
7303 if (!TEST_ptr(chain))
7305 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7306 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7307 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
7308 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
7309 || !TEST_true(sk_X509_push(chain, rootx)))
7313 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7314 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7315 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
7316 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7319 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7320 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7321 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7325 rv = SSL_check_chain(s, x509, pkey, chain);
7327 * If the cert doesn't show as valid here (e.g., because we don't
7328 * have any shared sigalgs), then we will not set it, and there will
7329 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7330 * will cause tls_choose_sigalgs() to fail the connection.
7332 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7333 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7334 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7341 /* Abort the handshake */
7343 OPENSSL_free(ecdsacert);
7344 OPENSSL_free(ecdsakey);
7345 OPENSSL_free(rootfile);
7347 EVP_PKEY_free(pkey);
7350 sk_X509_pop_free(chain, X509_free);
7355 * Test the certificate callback.
7356 * Test 0: Callback fails
7357 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7358 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7359 * Test 3: Success - Call SSL_check_chain from the callback
7360 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7362 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7364 static int test_cert_cb_int(int prot, int tst)
7366 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7367 SSL *clientssl = NULL, *serverssl = NULL;
7368 int testresult = 0, ret;
7370 #ifdef OPENSSL_NO_EC
7371 /* We use an EC cert in these tests, so we skip in a no-ec build */
7376 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7377 TLS_client_method(),
7380 &sctx, &cctx, NULL, NULL)))
7391 snictx = SSL_CTX_new(TLS_server_method());
7392 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7394 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7400 * We cause SSL_check_chain() to fail by specifying sig_algs that
7401 * the chain doesn't meet (the root uses an RSA cert)
7403 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7404 "ecdsa_secp256r1_sha256")))
7406 } else if (tst == 5) {
7408 * We cause SSL_check_chain() to fail by specifying sig_algs that
7409 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7411 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7412 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7416 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7417 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7419 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7426 SSL_free(serverssl);
7427 SSL_free(clientssl);
7430 SSL_CTX_free(snictx);
7436 static int test_cert_cb(int tst)
7440 #ifndef OPENSSL_NO_TLS1_2
7441 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7443 #ifndef OPENSSL_NO_TLS1_3
7444 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7450 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7455 BIO *priv_in = NULL;
7457 /* Check that SSL_get0_peer_certificate() returns something sensible */
7458 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
7461 in = BIO_new_file(cert, "r");
7465 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
7466 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7467 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
7468 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7486 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7491 static int test_client_cert_cb(int tst)
7493 SSL_CTX *cctx = NULL, *sctx = NULL;
7494 SSL *clientssl = NULL, *serverssl = NULL;
7497 #ifdef OPENSSL_NO_TLS1_2
7501 #ifdef OPENSSL_NO_TLS1_3
7506 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7507 TLS_client_method(),
7509 tst == 0 ? TLS1_2_VERSION
7511 &sctx, &cctx, cert, privkey)))
7515 * Test that setting a client_cert_cb results in a client certificate being
7518 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7519 SSL_CTX_set_verify(sctx,
7520 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7525 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7532 SSL_free(serverssl);
7533 SSL_free(clientssl);
7540 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7542 * Test setting certificate authorities on both client and server.
7544 * Test 0: SSL_CTX_set0_CA_list() only
7545 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7546 * Test 2: Only SSL_CTX_set_client_CA_list()
7548 static int test_ca_names_int(int prot, int tst)
7550 SSL_CTX *cctx = NULL, *sctx = NULL;
7551 SSL *clientssl = NULL, *serverssl = NULL;
7554 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7555 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7556 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7557 const STACK_OF(X509_NAME) *sktmp = NULL;
7559 for (i = 0; i < OSSL_NELEM(name); i++) {
7560 name[i] = X509_NAME_new();
7561 if (!TEST_ptr(name[i])
7562 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7570 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7571 TLS_client_method(),
7574 &sctx, &cctx, cert, privkey)))
7577 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7579 if (tst == 0 || tst == 1) {
7580 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7581 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7582 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7583 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7584 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7585 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7588 SSL_CTX_set0_CA_list(sctx, sk1);
7589 SSL_CTX_set0_CA_list(cctx, sk2);
7592 if (tst == 1 || tst == 2) {
7593 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7594 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7595 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7596 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7597 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7598 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7601 SSL_CTX_set_client_CA_list(sctx, sk1);
7602 SSL_CTX_set_client_CA_list(cctx, sk2);
7606 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7608 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7613 * We only expect certificate authorities to have been sent to the server
7614 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7616 sktmp = SSL_get0_peer_CA_list(serverssl);
7617 if (prot == TLS1_3_VERSION
7618 && (tst == 0 || tst == 1)) {
7619 if (!TEST_ptr(sktmp)
7620 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7621 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7623 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7626 } else if (!TEST_ptr_null(sktmp)) {
7631 * In all tests we expect certificate authorities to have been sent to the
7632 * client. However, SSL_set_client_CA_list() should override
7633 * SSL_set0_CA_list()
7635 sktmp = SSL_get0_peer_CA_list(clientssl);
7636 if (!TEST_ptr(sktmp)
7637 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7638 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7639 name[tst == 0 ? 0 : 2]), 0)
7640 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7641 name[tst == 0 ? 1 : 3]), 0))
7647 SSL_free(serverssl);
7648 SSL_free(clientssl);
7651 for (i = 0; i < OSSL_NELEM(name); i++)
7652 X509_NAME_free(name[i]);
7653 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7654 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7660 static int test_ca_names(int tst)
7664 #ifndef OPENSSL_NO_TLS1_2
7665 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7667 #ifndef OPENSSL_NO_TLS1_3
7668 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7674 #ifndef OPENSSL_NO_TLS1_2
7675 static const char *multiblock_cipherlist_data[]=
7683 /* Reduce the fragment size - so the multiblock test buffer can be small */
7684 # define MULTIBLOCK_FRAGSIZE 512
7686 static int test_multiblock_write(int test_index)
7688 static const char *fetchable_ciphers[]=
7690 "AES-128-CBC-HMAC-SHA1",
7691 "AES-128-CBC-HMAC-SHA256",
7692 "AES-256-CBC-HMAC-SHA1",
7693 "AES-256-CBC-HMAC-SHA256"
7695 const char *cipherlist = multiblock_cipherlist_data[test_index];
7696 const SSL_METHOD *smeth = TLS_server_method();
7697 const SSL_METHOD *cmeth = TLS_client_method();
7698 int min_version = TLS1_VERSION;
7699 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7700 SSL_CTX *cctx = NULL, *sctx = NULL;
7701 SSL *clientssl = NULL, *serverssl = NULL;
7705 * Choose a buffer large enough to perform a multi-block operation
7706 * i.e: write_len >= 4 * frag_size
7707 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7709 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7710 unsigned char buf[sizeof(msg)], *p = buf;
7711 size_t readbytes, written, len;
7712 EVP_CIPHER *ciph = NULL;
7715 * Check if the cipher exists before attempting to use it since it only has
7716 * a hardware specific implementation.
7718 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7720 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7723 EVP_CIPHER_free(ciph);
7725 /* Set up a buffer with some data that will be sent to the client */
7726 RAND_bytes(msg, sizeof(msg));
7728 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7729 max_version, &sctx, &cctx, cert,
7733 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7736 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7740 /* settings to force it to use AES-CBC-HMAC_SHA */
7741 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7742 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7745 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7748 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7749 || !TEST_size_t_eq(written, sizeof(msg)))
7754 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7759 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7764 SSL_free(serverssl);
7765 SSL_free(clientssl);
7771 #endif /* OPENSSL_NO_TLS1_2 */
7774 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7775 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7776 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7777 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7778 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7779 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7780 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7781 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7782 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7783 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7785 static int test_servername(int tst)
7787 SSL_CTX *cctx = NULL, *sctx = NULL;
7788 SSL *clientssl = NULL, *serverssl = NULL;
7790 SSL_SESSION *sess = NULL;
7791 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7793 #ifdef OPENSSL_NO_TLS1_2
7797 #ifdef OPENSSL_NO_TLS1_3
7802 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7803 TLS_client_method(),
7805 (tst <= 4) ? TLS1_2_VERSION
7807 &sctx, &cctx, cert, privkey))
7808 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7812 if (tst != 1 && tst != 6) {
7813 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7818 if (tst != 3 && tst != 8) {
7819 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7821 sexpectedhost = cexpectedhost = "goodhost";
7824 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7827 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7829 || !TEST_str_eq(SSL_get_servername(serverssl,
7830 TLSEXT_NAMETYPE_host_name),
7834 /* Now repeat with a resumption handshake */
7836 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7837 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7838 || !TEST_true(SSL_SESSION_is_resumable(sess))
7839 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7842 SSL_free(clientssl);
7843 SSL_free(serverssl);
7844 clientssl = serverssl = NULL;
7846 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7850 if (!TEST_true(SSL_set_session(clientssl, sess)))
7853 sexpectedhost = cexpectedhost = "goodhost";
7854 if (tst == 2 || tst == 7) {
7855 /* Set an inconsistent hostname */
7856 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7859 * In TLSv1.2 we expect the hostname from the original handshake, in
7860 * TLSv1.3 we expect the hostname from this handshake
7863 sexpectedhost = cexpectedhost = "altgoodhost";
7865 if (!TEST_str_eq(SSL_get_servername(clientssl,
7866 TLSEXT_NAMETYPE_host_name),
7869 } else if (tst == 4 || tst == 9) {
7871 * A TLSv1.3 session does not associate a session with a servername,
7872 * but a TLSv1.2 session does.
7875 sexpectedhost = cexpectedhost = NULL;
7877 if (!TEST_str_eq(SSL_get_servername(clientssl,
7878 TLSEXT_NAMETYPE_host_name),
7882 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7885 * In a TLSv1.2 resumption where the hostname was not acknowledged
7886 * we expect the hostname on the server to be empty. On the client we
7887 * return what was requested in this case.
7889 * Similarly if the client didn't set a hostname on an original TLSv1.2
7890 * session but is now, the server hostname will be empty, but the client
7893 if (tst == 1 || tst == 3)
7894 sexpectedhost = NULL;
7896 if (!TEST_str_eq(SSL_get_servername(clientssl,
7897 TLSEXT_NAMETYPE_host_name),
7902 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7905 if (!TEST_true(SSL_session_reused(clientssl))
7906 || !TEST_true(SSL_session_reused(serverssl))
7907 || !TEST_str_eq(SSL_get_servername(clientssl,
7908 TLSEXT_NAMETYPE_host_name),
7910 || !TEST_str_eq(SSL_get_servername(serverssl,
7911 TLSEXT_NAMETYPE_host_name),
7918 SSL_SESSION_free(sess);
7919 SSL_free(serverssl);
7920 SSL_free(clientssl);
7927 #if !defined(OPENSSL_NO_EC) \
7928 && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
7930 * Test that if signature algorithms are not available, then we do not offer or
7932 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7933 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7934 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7935 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7936 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7937 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7939 static int test_sigalgs_available(int idx)
7941 SSL_CTX *cctx = NULL, *sctx = NULL;
7942 SSL *clientssl = NULL, *serverssl = NULL;
7944 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
7945 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
7946 OSSL_PROVIDER *filterprov = NULL;
7949 if (!TEST_ptr(tmpctx))
7952 if (idx != 0 && idx != 3) {
7953 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
7954 filter_provider_init)))
7957 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
7958 if (!TEST_ptr(filterprov))
7963 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
7964 * or accepted for the peer that uses this libctx. Note that libssl
7965 * *requires* SHA2-256 to be available so we cannot disable that. We
7966 * also need SHA1 for our certificate.
7968 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
7972 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
7974 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
7979 if (idx == 1 || idx == 4)
7985 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
7986 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
7987 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
7990 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7991 TLS_client_method(),
7994 &sctx, &cctx, cert, privkey)))
7997 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
7999 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8000 "ECDHE-RSA-AES128-GCM-SHA256")))
8003 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8004 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8009 if (!SSL_CTX_set1_sigalgs_list(cctx,
8010 "rsa_pss_rsae_sha384"
8011 ":rsa_pss_rsae_sha256")
8012 || !SSL_CTX_set1_sigalgs_list(sctx,
8013 "rsa_pss_rsae_sha384"
8014 ":rsa_pss_rsae_sha256"))
8017 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8018 || !SSL_CTX_set1_sigalgs_list(sctx,
8019 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8023 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8024 SSL_FILETYPE_PEM), 1)
8025 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8027 SSL_FILETYPE_PEM), 1)
8028 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
8031 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8035 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8038 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8039 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8041 (idx == 0 || idx == 3) ? 2 : 1))
8044 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8047 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8054 SSL_free(serverssl);
8055 SSL_free(clientssl);
8058 OSSL_PROVIDER_unload(filterprov);
8059 OSSL_LIB_CTX_free(tmpctx);
8064 * !defined(OPENSSL_NO_EC) \
8065 * && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8068 #ifndef OPENSSL_NO_TLS1_3
8069 static int test_pluggable_group(int idx)
8071 SSL_CTX *cctx = NULL, *sctx = NULL;
8072 SSL *clientssl = NULL, *serverssl = NULL;
8074 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8075 /* Check that we are not impacted by a provider without any groups */
8076 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8077 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8079 if (!TEST_ptr(tlsprov))
8082 if (legacyprov == NULL) {
8084 * In this case we assume we've been built with "no-legacy" and skip
8085 * this test (there is no OPENSSL_NO_LEGACY)
8091 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8092 TLS_client_method(),
8095 &sctx, &cctx, cert, privkey))
8096 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8100 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8101 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8104 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8107 if (!TEST_str_eq(group_name,
8108 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8114 SSL_free(serverssl);
8115 SSL_free(clientssl);
8118 OSSL_PROVIDER_unload(tlsprov);
8119 OSSL_PROVIDER_unload(legacyprov);
8125 #ifndef OPENSSL_NO_TLS1_2
8126 static int test_ssl_dup(void)
8128 SSL_CTX *cctx = NULL, *sctx = NULL;
8129 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8131 BIO *rbio = NULL, *wbio = NULL;
8133 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8134 TLS_client_method(),
8137 &sctx, &cctx, cert, privkey)))
8140 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8144 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8145 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8148 client2ssl = SSL_dup(clientssl);
8149 rbio = SSL_get_rbio(clientssl);
8151 || !TEST_true(BIO_up_ref(rbio)))
8153 SSL_set0_rbio(client2ssl, rbio);
8156 wbio = SSL_get_wbio(clientssl);
8157 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8159 SSL_set0_wbio(client2ssl, wbio);
8162 if (!TEST_ptr(client2ssl)
8163 /* Handshake not started so pointers should be different */
8164 || !TEST_ptr_ne(clientssl, client2ssl))
8167 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8168 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8171 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8174 SSL_free(clientssl);
8175 clientssl = SSL_dup(client2ssl);
8176 if (!TEST_ptr(clientssl)
8177 /* Handshake has finished so pointers should be the same */
8178 || !TEST_ptr_eq(clientssl, client2ssl))
8184 SSL_free(serverssl);
8185 SSL_free(clientssl);
8186 SSL_free(client2ssl);
8193 # ifndef OPENSSL_NO_DH
8195 static EVP_PKEY *tmp_dh_params = NULL;
8197 /* Helper function for the test_set_tmp_dh() tests */
8198 static EVP_PKEY *get_tmp_dh_params(void)
8200 if (tmp_dh_params == NULL) {
8202 OSSL_PARAM_BLD *tmpl = NULL;
8203 EVP_PKEY_CTX *pctx = NULL;
8204 OSSL_PARAM *params = NULL;
8205 EVP_PKEY *dhpkey = NULL;
8207 p = BN_get_rfc3526_prime_2048(NULL);
8211 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8213 || !TEST_true(EVP_PKEY_key_fromdata_init(pctx)))
8216 tmpl = OSSL_PARAM_BLD_new();
8218 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8219 OSSL_PKEY_PARAM_FFC_P,
8221 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8222 OSSL_PKEY_PARAM_FFC_G,
8226 params = OSSL_PARAM_BLD_to_param(tmpl);
8227 if (!TEST_ptr(params)
8228 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey, params)))
8231 tmp_dh_params = dhpkey;
8234 EVP_PKEY_CTX_free(pctx);
8235 OSSL_PARAM_BLD_free(tmpl);
8236 OSSL_PARAM_BLD_free_params(params);
8239 if (!EVP_PKEY_up_ref(tmp_dh_params))
8242 return tmp_dh_params;
8245 # ifndef OPENSSL_NO_DEPRECATED_3_0
8246 /* Callback used by test_set_tmp_dh() */
8247 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8249 EVP_PKEY *dhpkey = get_tmp_dh_params();
8252 if (!TEST_ptr(dhpkey))
8255 ret = EVP_PKEY_get0_DH(dhpkey);
8257 EVP_PKEY_free(dhpkey);
8264 * Test the various methods for setting temporary DH parameters
8266 * Test 0: Default (no auto) setting
8267 * Test 1: Explicit SSL_CTX auto off
8268 * Test 2: Explicit SSL auto off
8269 * Test 3: Explicit SSL_CTX auto on
8270 * Test 4: Explicit SSL auto on
8271 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8272 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8274 * The following are testing deprecated APIs, so we only run them if available
8275 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8276 * Test 8: Explicit SSL auto off, custom DH params via DH
8277 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8278 * Test 10: Explicit SSL auto off, custom DH params via callback
8280 static int test_set_tmp_dh(int idx)
8282 SSL_CTX *cctx = NULL, *sctx = NULL;
8283 SSL *clientssl = NULL, *serverssl = NULL;
8285 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8286 int expected = (idx <= 2) ? 0 : 1;
8287 EVP_PKEY *dhpkey = NULL;
8288 # ifndef OPENSSL_NO_DEPRECATED_3_0
8296 if (idx >= 5 && idx <= 8) {
8297 dhpkey = get_tmp_dh_params();
8298 if (!TEST_ptr(dhpkey))
8301 # ifndef OPENSSL_NO_DEPRECATED_3_0
8302 if (idx == 7 || idx == 8) {
8303 dh = EVP_PKEY_get0_DH(dhpkey);
8309 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8310 TLS_client_method(),
8313 &sctx, &cctx, cert, privkey)))
8316 if ((idx & 1) == 1) {
8317 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8322 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8326 # ifndef OPENSSL_NO_DEPRECATED_3_0
8327 else if (idx == 7) {
8328 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8330 } else if (idx == 9) {
8331 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8335 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8339 if ((idx & 1) == 0 && idx != 0) {
8340 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8344 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8348 # ifndef OPENSSL_NO_DEPRECATED_3_0
8349 else if (idx == 8) {
8350 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8352 } else if (idx == 10) {
8353 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8357 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8358 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8359 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8363 * If autoon then we should succeed. Otherwise we expect failure because
8364 * there are no parameters
8366 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8367 SSL_ERROR_NONE), expected))
8373 SSL_free(serverssl);
8374 SSL_free(clientssl);
8377 EVP_PKEY_free(dhpkey);
8383 * Test the auto DH keys are appropriately sized
8385 static int test_dh_auto(int idx)
8387 SSL_CTX *cctx = NULL, *sctx = NULL;
8388 SSL *clientssl = NULL, *serverssl = NULL;
8390 EVP_PKEY *tmpkey = NULL;
8391 char *thiscert = NULL, *thiskey = NULL;
8392 size_t expdhsize = 0;
8393 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8397 /* The FIPS provider doesn't support this DH size - so we ignore it */
8400 thiscert = cert1024;
8401 thiskey = privkey1024;
8405 /* 2048 bit prime */
8411 thiscert = cert3072;
8412 thiskey = privkey3072;
8416 thiscert = cert4096;
8417 thiskey = privkey4096;
8421 thiscert = cert8192;
8422 thiskey = privkey8192;
8425 /* No certificate cases */
8427 /* The FIPS provider doesn't support this DH size - so we ignore it */
8430 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8434 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8438 TEST_error("Invalid text index");
8442 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8443 TLS_client_method(),
8446 &sctx, &cctx, thiscert, thiskey)))
8449 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8453 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8454 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8455 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8456 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8457 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8461 * Send the server's first flight. At this point the server has created the
8462 * temporary DH key but hasn't finished using it yet. Once used it is
8463 * removed, so we cannot test it.
8465 if (!TEST_int_le(SSL_connect(clientssl), 0)
8466 || !TEST_int_le(SSL_accept(serverssl), 0))
8469 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8471 if (!TEST_size_t_eq(EVP_PKEY_bits(tmpkey), expdhsize))
8474 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8480 SSL_free(serverssl);
8481 SSL_free(clientssl);
8484 EVP_PKEY_free(tmpkey);
8489 # endif /* OPENSSL_NO_DH */
8490 #endif /* OPENSSL_NO_TLS1_2 */
8492 #ifndef OPENSSL_NO_TLS1_3
8494 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
8495 * that it works even without a certificate configured for the original
8498 static int test_sni_tls13(void)
8500 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
8501 SSL *clientssl = NULL, *serverssl = NULL;
8504 /* Reset callback counter */
8507 /* Create an initial SSL_CTX with no certificate configured */
8508 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8509 if (!TEST_ptr(sctx))
8511 /* Require TLSv1.3 as a minimum */
8512 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8513 TLS_client_method(), TLS1_3_VERSION, 0,
8514 &sctx2, &cctx, cert, privkey)))
8518 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
8519 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
8523 * Connection should still succeed because the final SSL_CTX has the right
8524 * certificates configured.
8526 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
8527 &clientssl, NULL, NULL))
8528 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8532 /* We should have had the SNI callback called exactly once */
8533 if (!TEST_int_eq(snicb, 1))
8539 SSL_free(serverssl);
8540 SSL_free(clientssl);
8541 SSL_CTX_free(sctx2);
8548 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
8550 int setup_tests(void)
8555 libctx = OSSL_LIB_CTX_new();
8556 if (!TEST_ptr(libctx))
8559 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8562 * Verify that the default and fips providers in the default libctx are not
8565 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8566 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8569 if (!test_skip_common_options()) {
8570 TEST_error("Error parsing test options\n");
8574 if (!TEST_ptr(certsdir = test_get_argument(0))
8575 || !TEST_ptr(srpvfile = test_get_argument(1))
8576 || !TEST_ptr(tmpfilename = test_get_argument(2))
8577 || !TEST_ptr(modulename = test_get_argument(3))
8578 || !TEST_ptr(configfile = test_get_argument(4)))
8581 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
8584 /* Check we have the expected provider available */
8585 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8588 /* Check the default provider is not available */
8589 if (strcmp(modulename, "default") != 0
8590 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
8593 if (strcmp(modulename, "fips") == 0)
8597 * We add, but don't load the test "tls-provider". We'll load it when we
8600 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8601 tls_provider_init)))
8605 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8606 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
8607 TEST_error("not supported in this build");
8610 int i, mcount, rcount, fcount;
8612 for (i = 0; i < 4; i++)
8613 test_export_key_mat(i);
8614 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8615 test_printf_stdout("malloc %d realloc %d free %d\n",
8616 mcount, rcount, fcount);
8621 cert = test_mk_file_path(certsdir, "servercert.pem");
8625 privkey = test_mk_file_path(certsdir, "serverkey.pem");
8626 if (privkey == NULL)
8629 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8633 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8634 if (privkey2 == NULL)
8637 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
8638 if (cert1024 == NULL)
8641 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
8642 if (privkey1024 == NULL)
8645 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
8646 if (cert3072 == NULL)
8649 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
8650 if (privkey3072 == NULL)
8653 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
8654 if (cert4096 == NULL)
8657 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
8658 if (privkey4096 == NULL)
8661 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
8662 if (cert8192 == NULL)
8665 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
8666 if (privkey8192 == NULL)
8669 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8670 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
8671 ADD_ALL_TESTS(test_ktls, 32);
8672 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
8675 ADD_TEST(test_large_message_tls);
8676 ADD_TEST(test_large_message_tls_read_ahead);
8677 #ifndef OPENSSL_NO_DTLS
8678 ADD_TEST(test_large_message_dtls);
8680 ADD_TEST(test_cleanse_plaintext);
8681 #ifndef OPENSSL_NO_OCSP
8682 ADD_TEST(test_tlsext_status_type);
8684 ADD_TEST(test_session_with_only_int_cache);
8685 ADD_TEST(test_session_with_only_ext_cache);
8686 ADD_TEST(test_session_with_both_cache);
8687 ADD_TEST(test_session_wo_ca_names);
8688 #ifndef OPENSSL_NO_TLS1_3
8689 ADD_ALL_TESTS(test_stateful_tickets, 3);
8690 ADD_ALL_TESTS(test_stateless_tickets, 3);
8691 ADD_TEST(test_psk_tickets);
8692 ADD_ALL_TESTS(test_extra_tickets, 6);
8694 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
8695 ADD_TEST(test_ssl_bio_pop_next_bio);
8696 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8697 ADD_TEST(test_ssl_bio_change_rbio);
8698 ADD_TEST(test_ssl_bio_change_wbio);
8699 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
8700 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
8701 ADD_TEST(test_keylog);
8703 #ifndef OPENSSL_NO_TLS1_3
8704 ADD_TEST(test_keylog_no_master_key);
8706 ADD_TEST(test_client_cert_verify_cb);
8707 #ifndef OPENSSL_NO_TLS1_2
8708 ADD_TEST(test_client_hello_cb);
8709 ADD_TEST(test_no_ems);
8710 ADD_TEST(test_ccs_change_cipher);
8712 #ifndef OPENSSL_NO_TLS1_3
8713 ADD_ALL_TESTS(test_early_data_read_write, 3);
8715 * We don't do replay tests for external PSK. Replay protection isn't used
8718 ADD_ALL_TESTS(test_early_data_replay, 2);
8719 ADD_ALL_TESTS(test_early_data_skip, 3);
8720 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
8721 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
8722 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
8723 ADD_ALL_TESTS(test_early_data_not_sent, 3);
8724 ADD_ALL_TESTS(test_early_data_psk, 8);
8725 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
8726 ADD_ALL_TESTS(test_early_data_not_expected, 3);
8727 # ifndef OPENSSL_NO_TLS1_2
8728 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
8731 #ifndef OPENSSL_NO_TLS1_3
8732 ADD_ALL_TESTS(test_set_ciphersuite, 10);
8733 ADD_TEST(test_ciphersuite_change);
8734 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8735 # ifdef OPENSSL_NO_PSK
8736 ADD_ALL_TESTS(test_tls13_psk, 1);
8738 ADD_ALL_TESTS(test_tls13_psk, 4);
8739 # endif /* OPENSSL_NO_PSK */
8740 # ifndef OPENSSL_NO_TLS1_2
8741 /* Test with both TLSv1.3 and 1.2 versions */
8742 ADD_ALL_TESTS(test_key_exchange, 14);
8744 /* Test with only TLSv1.3 versions */
8745 ADD_ALL_TESTS(test_key_exchange, 12);
8747 ADD_ALL_TESTS(test_custom_exts, 5);
8748 ADD_TEST(test_stateless);
8749 ADD_TEST(test_pha_key_update);
8751 ADD_ALL_TESTS(test_custom_exts, 3);
8753 ADD_ALL_TESTS(test_serverinfo, 8);
8754 ADD_ALL_TESTS(test_export_key_mat, 6);
8755 #ifndef OPENSSL_NO_TLS1_3
8756 ADD_ALL_TESTS(test_export_key_mat_early, 3);
8757 ADD_TEST(test_key_update);
8758 ADD_ALL_TESTS(test_key_update_in_write, 2);
8760 ADD_ALL_TESTS(test_ssl_clear, 2);
8761 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
8762 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8763 ADD_ALL_TESTS(test_srp, 6);
8765 ADD_ALL_TESTS(test_info_callback, 6);
8766 ADD_ALL_TESTS(test_ssl_pending, 2);
8767 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
8768 ADD_ALL_TESTS(test_ticket_callbacks, 16);
8769 ADD_ALL_TESTS(test_shutdown, 7);
8770 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
8771 ADD_ALL_TESTS(test_cert_cb, 6);
8772 ADD_ALL_TESTS(test_client_cert_cb, 2);
8773 ADD_ALL_TESTS(test_ca_names, 3);
8774 #ifndef OPENSSL_NO_TLS1_2
8775 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8777 ADD_ALL_TESTS(test_servername, 10);
8778 #if !defined(OPENSSL_NO_EC) \
8779 && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8780 ADD_ALL_TESTS(test_sigalgs_available, 6);
8782 #ifndef OPENSSL_NO_TLS1_3
8783 ADD_ALL_TESTS(test_pluggable_group, 2);
8785 #ifndef OPENSSL_NO_TLS1_2
8786 ADD_TEST(test_ssl_dup);
8787 # ifndef OPENSSL_NO_DH
8788 ADD_ALL_TESTS(test_set_tmp_dh, 11);
8789 ADD_ALL_TESTS(test_dh_auto, 7);
8792 #ifndef OPENSSL_NO_TLS1_3
8793 ADD_TEST(test_sni_tls13);
8799 OPENSSL_free(privkey);
8800 OPENSSL_free(cert2);
8801 OPENSSL_free(privkey2);
8805 void cleanup_tests(void)
8807 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
8808 EVP_PKEY_free(tmp_dh_params);
8811 OPENSSL_free(privkey);
8812 OPENSSL_free(cert2);
8813 OPENSSL_free(privkey2);
8814 OPENSSL_free(cert1024);
8815 OPENSSL_free(privkey1024);
8816 OPENSSL_free(cert3072);
8817 OPENSSL_free(privkey3072);
8818 OPENSSL_free(cert4096);
8819 OPENSSL_free(privkey4096);
8820 OPENSSL_free(cert8192);
8821 OPENSSL_free(privkey8192);
8822 bio_s_mempacket_test_free();
8823 bio_s_always_retry_free();
8824 OSSL_PROVIDER_unload(defctxnull);
8825 OSSL_LIB_CTX_free(libctx);