2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
37 #include "helpers/ssltestlib.h"
39 #include "testutil/output.h"
40 #include "internal/nelem.h"
41 #include "internal/ktls.h"
42 #include "../ssl/ssl_local.h"
43 #include "filterprov.h"
45 #undef OSSL_NO_USABLE_TLS1_3
46 #if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49 * If we don't have ec or dh then there are no built-in groups that are usable
52 # define OSSL_NO_USABLE_TLS1_3
55 /* Defined in tls-provider.c */
56 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
57 const OSSL_DISPATCH *in,
58 const OSSL_DISPATCH **out,
61 static OSSL_LIB_CTX *libctx = NULL;
62 static OSSL_PROVIDER *defctxnull = NULL;
64 #ifndef OSSL_NO_USABLE_TLS1_3
66 static SSL_SESSION *clientpsk = NULL;
67 static SSL_SESSION *serverpsk = NULL;
68 static const char *pskid = "Identity";
69 static const char *srvid;
71 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
72 size_t *idlen, SSL_SESSION **sess);
73 static int find_session_cb(SSL *ssl, const unsigned char *identity,
74 size_t identity_len, SSL_SESSION **sess);
76 static int use_session_cb_cnt = 0;
77 static int find_session_cb_cnt = 0;
79 static SSL_SESSION *create_a_psk(SSL *ssl);
82 static char *certsdir = NULL;
83 static char *cert = NULL;
84 static char *privkey = NULL;
85 static char *cert2 = NULL;
86 static char *privkey2 = NULL;
87 static char *cert1024 = NULL;
88 static char *privkey1024 = NULL;
89 static char *cert3072 = NULL;
90 static char *privkey3072 = NULL;
91 static char *cert4096 = NULL;
92 static char *privkey4096 = NULL;
93 static char *cert8192 = NULL;
94 static char *privkey8192 = NULL;
95 static char *srpvfile = NULL;
96 static char *tmpfilename = NULL;
98 static int is_fips = 0;
100 #define LOG_BUFFER_SIZE 2048
101 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
102 static size_t server_log_buffer_index = 0;
103 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
104 static size_t client_log_buffer_index = 0;
105 static int error_writing_log = 0;
107 #ifndef OPENSSL_NO_OCSP
108 static const unsigned char orespder[] = "Dummy OCSP Response";
109 static int ocsp_server_called = 0;
110 static int ocsp_client_called = 0;
112 static int cdummyarg = 1;
113 static X509 *ocspcert = NULL;
116 #define NUM_EXTRA_CERTS 40
117 #define CLIENT_VERSION_LEN 2
120 * This structure is used to validate that the correct number of log messages
121 * of various types are emitted when emitting secret logs.
123 struct sslapitest_log_counts {
124 unsigned int rsa_key_exchange_count;
125 unsigned int master_secret_count;
126 unsigned int client_early_secret_count;
127 unsigned int client_handshake_secret_count;
128 unsigned int server_handshake_secret_count;
129 unsigned int client_application_secret_count;
130 unsigned int server_application_secret_count;
131 unsigned int early_exporter_secret_count;
132 unsigned int exporter_secret_count;
136 static unsigned char serverinfov1[] = {
137 0xff, 0xff, /* Dummy extension type */
138 0x00, 0x01, /* Extension length is 1 byte */
139 0xff /* Dummy extension data */
142 static unsigned char serverinfov2[] = {
144 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
145 0xff, 0xff, /* Dummy extension type */
146 0x00, 0x01, /* Extension length is 1 byte */
147 0xff /* Dummy extension data */
150 static int hostname_cb(SSL *s, int *al, void *arg)
152 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
154 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
155 || strcmp(hostname, "altgoodhost") == 0))
156 return SSL_TLSEXT_ERR_OK;
158 return SSL_TLSEXT_ERR_NOACK;
161 static void client_keylog_callback(const SSL *ssl, const char *line)
163 int line_length = strlen(line);
165 /* If the log doesn't fit, error out. */
166 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
167 TEST_info("Client log too full");
168 error_writing_log = 1;
172 strcat(client_log_buffer, line);
173 client_log_buffer_index += line_length;
174 client_log_buffer[client_log_buffer_index++] = '\n';
177 static void server_keylog_callback(const SSL *ssl, const char *line)
179 int line_length = strlen(line);
181 /* If the log doesn't fit, error out. */
182 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
183 TEST_info("Server log too full");
184 error_writing_log = 1;
188 strcat(server_log_buffer, line);
189 server_log_buffer_index += line_length;
190 server_log_buffer[server_log_buffer_index++] = '\n';
193 static int compare_hex_encoded_buffer(const char *hex_encoded,
201 if (!TEST_size_t_eq(raw_length * 2, hex_length))
204 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
205 sprintf(hexed, "%02x", raw[i]);
206 if (!TEST_int_eq(hexed[0], hex_encoded[j])
207 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
214 static int test_keylog_output(char *buffer, const SSL *ssl,
215 const SSL_SESSION *session,
216 struct sslapitest_log_counts *expected)
219 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
220 size_t client_random_size = SSL3_RANDOM_SIZE;
221 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
222 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
223 unsigned int rsa_key_exchange_count = 0;
224 unsigned int master_secret_count = 0;
225 unsigned int client_early_secret_count = 0;
226 unsigned int client_handshake_secret_count = 0;
227 unsigned int server_handshake_secret_count = 0;
228 unsigned int client_application_secret_count = 0;
229 unsigned int server_application_secret_count = 0;
230 unsigned int early_exporter_secret_count = 0;
231 unsigned int exporter_secret_count = 0;
233 for (token = strtok(buffer, " \n"); token != NULL;
234 token = strtok(NULL, " \n")) {
235 if (strcmp(token, "RSA") == 0) {
237 * Premaster secret. Tokens should be: 16 ASCII bytes of
238 * hex-encoded encrypted secret, then the hex-encoded pre-master
241 if (!TEST_ptr(token = strtok(NULL, " \n")))
243 if (!TEST_size_t_eq(strlen(token), 16))
245 if (!TEST_ptr(token = strtok(NULL, " \n")))
248 * We can't sensibly check the log because the premaster secret is
249 * transient, and OpenSSL doesn't keep hold of it once the master
250 * secret is generated.
252 rsa_key_exchange_count++;
253 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
255 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
256 * client random, then the hex-encoded master secret.
258 client_random_size = SSL_get_client_random(ssl,
259 actual_client_random,
261 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
264 if (!TEST_ptr(token = strtok(NULL, " \n")))
266 if (!TEST_size_t_eq(strlen(token), 64))
268 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
269 actual_client_random,
270 client_random_size)))
273 if (!TEST_ptr(token = strtok(NULL, " \n")))
275 master_key_size = SSL_SESSION_get_master_key(session,
278 if (!TEST_size_t_ne(master_key_size, 0))
280 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
284 master_secret_count++;
285 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
286 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
287 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
289 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
290 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
291 || strcmp(token, "EXPORTER_SECRET") == 0) {
293 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
294 * client random, and then the hex-encoded secret. In this case,
295 * we treat all of these secrets identically and then just
296 * distinguish between them when counting what we saw.
298 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
299 client_early_secret_count++;
300 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
301 client_handshake_secret_count++;
302 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
303 server_handshake_secret_count++;
304 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
305 client_application_secret_count++;
306 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
307 server_application_secret_count++;
308 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
309 early_exporter_secret_count++;
310 else if (strcmp(token, "EXPORTER_SECRET") == 0)
311 exporter_secret_count++;
313 client_random_size = SSL_get_client_random(ssl,
314 actual_client_random,
316 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
319 if (!TEST_ptr(token = strtok(NULL, " \n")))
321 if (!TEST_size_t_eq(strlen(token), 64))
323 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
324 actual_client_random,
325 client_random_size)))
328 if (!TEST_ptr(token = strtok(NULL, " \n")))
331 TEST_info("Unexpected token %s\n", token);
336 /* Got what we expected? */
337 if (!TEST_size_t_eq(rsa_key_exchange_count,
338 expected->rsa_key_exchange_count)
339 || !TEST_size_t_eq(master_secret_count,
340 expected->master_secret_count)
341 || !TEST_size_t_eq(client_early_secret_count,
342 expected->client_early_secret_count)
343 || !TEST_size_t_eq(client_handshake_secret_count,
344 expected->client_handshake_secret_count)
345 || !TEST_size_t_eq(server_handshake_secret_count,
346 expected->server_handshake_secret_count)
347 || !TEST_size_t_eq(client_application_secret_count,
348 expected->client_application_secret_count)
349 || !TEST_size_t_eq(server_application_secret_count,
350 expected->server_application_secret_count)
351 || !TEST_size_t_eq(early_exporter_secret_count,
352 expected->early_exporter_secret_count)
353 || !TEST_size_t_eq(exporter_secret_count,
354 expected->exporter_secret_count))
359 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
360 static int test_keylog(void)
362 SSL_CTX *cctx = NULL, *sctx = NULL;
363 SSL *clientssl = NULL, *serverssl = NULL;
365 struct sslapitest_log_counts expected;
367 /* Clean up logging space */
368 memset(&expected, 0, sizeof(expected));
369 memset(client_log_buffer, 0, sizeof(client_log_buffer));
370 memset(server_log_buffer, 0, sizeof(server_log_buffer));
371 client_log_buffer_index = 0;
372 server_log_buffer_index = 0;
373 error_writing_log = 0;
375 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
378 &sctx, &cctx, cert, privkey)))
381 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
382 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
383 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
385 /* We also want to ensure that we use RSA-based key exchange. */
386 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
392 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
393 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
394 == client_keylog_callback))
396 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
397 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
398 == server_keylog_callback))
401 /* Now do a handshake and check that the logs have been written to. */
402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
403 &clientssl, NULL, NULL))
404 || !TEST_true(create_ssl_connection(serverssl, clientssl,
406 || !TEST_false(error_writing_log)
407 || !TEST_int_gt(client_log_buffer_index, 0)
408 || !TEST_int_gt(server_log_buffer_index, 0))
412 * Now we want to test that our output data was vaguely sensible. We
413 * do that by using strtok and confirming that we have more or less the
414 * data we expect. For both client and server, we expect to see one master
415 * secret. The client should also see a RSA key exchange.
417 expected.rsa_key_exchange_count = 1;
418 expected.master_secret_count = 1;
419 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
420 SSL_get_session(clientssl), &expected)))
423 expected.rsa_key_exchange_count = 0;
424 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
425 SSL_get_session(serverssl), &expected)))
440 #ifndef OSSL_NO_USABLE_TLS1_3
441 static int test_keylog_no_master_key(void)
443 SSL_CTX *cctx = NULL, *sctx = NULL;
444 SSL *clientssl = NULL, *serverssl = NULL;
445 SSL_SESSION *sess = NULL;
447 struct sslapitest_log_counts expected;
448 unsigned char buf[1];
449 size_t readbytes, written;
451 /* Clean up logging space */
452 memset(&expected, 0, sizeof(expected));
453 memset(client_log_buffer, 0, sizeof(client_log_buffer));
454 memset(server_log_buffer, 0, sizeof(server_log_buffer));
455 client_log_buffer_index = 0;
456 server_log_buffer_index = 0;
457 error_writing_log = 0;
459 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
460 TLS_client_method(), TLS1_VERSION, 0,
461 &sctx, &cctx, cert, privkey))
462 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
463 SSL3_RT_MAX_PLAIN_LENGTH)))
466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
467 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
470 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
471 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
472 == client_keylog_callback))
475 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
476 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
477 == server_keylog_callback))
480 /* Now do a handshake and check that the logs have been written to. */
481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
482 &clientssl, NULL, NULL))
483 || !TEST_true(create_ssl_connection(serverssl, clientssl,
485 || !TEST_false(error_writing_log))
489 * Now we want to test that our output data was vaguely sensible. For this
490 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
491 * TLSv1.3, but we do expect both client and server to emit keys.
493 expected.client_handshake_secret_count = 1;
494 expected.server_handshake_secret_count = 1;
495 expected.client_application_secret_count = 1;
496 expected.server_application_secret_count = 1;
497 expected.exporter_secret_count = 1;
498 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
499 SSL_get_session(clientssl), &expected))
500 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
501 SSL_get_session(serverssl),
505 /* Terminate old session and resume with early data. */
506 sess = SSL_get1_session(clientssl);
507 SSL_shutdown(clientssl);
508 SSL_shutdown(serverssl);
511 serverssl = clientssl = NULL;
514 memset(client_log_buffer, 0, sizeof(client_log_buffer));
515 memset(server_log_buffer, 0, sizeof(server_log_buffer));
516 client_log_buffer_index = 0;
517 server_log_buffer_index = 0;
519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
520 &clientssl, NULL, NULL))
521 || !TEST_true(SSL_set_session(clientssl, sess))
522 /* Here writing 0 length early data is enough. */
523 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
524 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
526 SSL_READ_EARLY_DATA_ERROR)
527 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
528 SSL_EARLY_DATA_ACCEPTED)
529 || !TEST_true(create_ssl_connection(serverssl, clientssl,
531 || !TEST_true(SSL_session_reused(clientssl)))
534 /* In addition to the previous entries, expect early secrets. */
535 expected.client_early_secret_count = 1;
536 expected.early_exporter_secret_count = 1;
537 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
538 SSL_get_session(clientssl), &expected))
539 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
540 SSL_get_session(serverssl),
547 SSL_SESSION_free(sess);
557 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
559 int res = X509_verify_cert(ctx);
561 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
562 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
563 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
567 static int test_client_cert_verify_cb(void)
569 /* server key, cert, chain, and root */
570 char *skey = test_mk_file_path(certsdir, "leaf.key");
571 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
572 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
573 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
574 char *root = test_mk_file_path(certsdir, "rootCA.pem");
575 X509 *crt1 = NULL, *crt2 = NULL;
576 STACK_OF(X509) *server_chain;
577 SSL_CTX *cctx = NULL, *sctx = NULL;
578 SSL *clientssl = NULL, *serverssl = NULL;
581 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
582 TLS_client_method(), TLS1_VERSION, 0,
583 &sctx, &cctx, NULL, NULL)))
585 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
586 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
587 SSL_FILETYPE_PEM), 1)
588 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
590 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
592 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
593 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
595 &clientssl, NULL, NULL)))
598 /* attempt SSL_connect() with incomplete server chain */
599 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
600 SSL_ERROR_WANT_RETRY_VERIFY)))
603 /* application provides intermediate certs needed to verify server cert */
604 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
605 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
606 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
608 /* add certs in reverse order to demonstrate real chain building */
609 if (!TEST_true(sk_X509_push(server_chain, crt1)))
612 if (!TEST_true(sk_X509_push(server_chain, crt2)))
616 /* continue SSL_connect(), must now succeed with completed server chain */
617 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
626 if (clientssl != NULL) {
627 SSL_shutdown(clientssl);
630 if (serverssl != NULL) {
631 SSL_shutdown(serverssl);
646 static int test_ssl_build_cert_chain(void)
649 SSL_CTX *ssl_ctx = NULL;
651 char *skey = test_mk_file_path(certsdir, "leaf.key");
652 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
654 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
656 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
658 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
659 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
660 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
661 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
663 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
664 | SSL_BUILD_CHAIN_FLAG_CHECK)))
669 SSL_CTX_free(ssl_ctx);
670 OPENSSL_free(leaf_chain);
675 static int test_ssl_ctx_build_cert_chain(void)
679 char *skey = test_mk_file_path(certsdir, "leaf.key");
680 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
682 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
684 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
685 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
686 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
687 SSL_FILETYPE_PEM), 1)
688 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
690 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
691 | SSL_BUILD_CHAIN_FLAG_CHECK)))
696 OPENSSL_free(leaf_chain);
701 #ifndef OPENSSL_NO_TLS1_2
702 static int full_client_hello_callback(SSL *s, int *al, void *arg)
705 const unsigned char *p;
707 /* We only configure two ciphers, but the SCSV is added automatically. */
709 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
711 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
714 const int expected_extensions[] = {
715 #ifndef OPENSSL_NO_EC
721 /* Make sure we can defer processing and get called back. */
723 return SSL_CLIENT_HELLO_RETRY;
725 len = SSL_client_hello_get0_ciphers(s, &p);
726 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
728 SSL_client_hello_get0_compression_methods(s, &p), 1)
729 || !TEST_int_eq(*p, 0))
730 return SSL_CLIENT_HELLO_ERROR;
731 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
732 return SSL_CLIENT_HELLO_ERROR;
733 if (len != OSSL_NELEM(expected_extensions) ||
734 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
735 printf("ClientHello callback expected extensions mismatch\n");
737 return SSL_CLIENT_HELLO_ERROR;
740 return SSL_CLIENT_HELLO_SUCCESS;
743 static int test_client_hello_cb(void)
745 SSL_CTX *cctx = NULL, *sctx = NULL;
746 SSL *clientssl = NULL, *serverssl = NULL;
747 int testctr = 0, testresult = 0;
749 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
750 TLS_client_method(), TLS1_VERSION, 0,
751 &sctx, &cctx, cert, privkey)))
753 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
755 /* The gimpy cipher list we configure can't do TLS 1.3. */
756 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
758 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
759 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
760 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
761 &clientssl, NULL, NULL))
762 || !TEST_false(create_ssl_connection(serverssl, clientssl,
763 SSL_ERROR_WANT_CLIENT_HELLO_CB))
765 * Passing a -1 literal is a hack since
766 * the real value was lost.
768 || !TEST_int_eq(SSL_get_error(serverssl, -1),
769 SSL_ERROR_WANT_CLIENT_HELLO_CB)
770 || !TEST_true(create_ssl_connection(serverssl, clientssl,
785 static int test_no_ems(void)
787 SSL_CTX *cctx = NULL, *sctx = NULL;
788 SSL *clientssl = NULL, *serverssl = NULL;
791 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
792 TLS1_VERSION, TLS1_2_VERSION,
793 &sctx, &cctx, cert, privkey)) {
794 printf("Unable to create SSL_CTX pair\n");
798 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
800 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
801 printf("Unable to create SSL objects\n");
805 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
806 printf("Creating SSL connection failed\n");
810 if (SSL_get_extms_support(serverssl)) {
811 printf("Server reports Extended Master Secret support\n");
815 if (SSL_get_extms_support(clientssl)) {
816 printf("Client reports Extended Master Secret support\n");
831 * Very focused test to exercise a single case in the server-side state
832 * machine, when the ChangeCipherState message needs to actually change
833 * from one cipher to a different cipher (i.e., not changing from null
834 * encryption to real encryption).
836 static int test_ccs_change_cipher(void)
838 SSL_CTX *cctx = NULL, *sctx = NULL;
839 SSL *clientssl = NULL, *serverssl = NULL;
840 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
847 * Create a conection so we can resume and potentially (but not) use
848 * a different cipher in the second connection.
850 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
852 TLS1_VERSION, TLS1_2_VERSION,
853 &sctx, &cctx, cert, privkey))
854 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
855 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
857 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
858 || !TEST_true(create_ssl_connection(serverssl, clientssl,
860 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
861 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
864 shutdown_ssl_connection(serverssl, clientssl);
865 serverssl = clientssl = NULL;
867 /* Resume, preferring a different cipher. Our server will force the
868 * same cipher to be used as the initial handshake. */
869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
871 || !TEST_true(SSL_set_session(clientssl, sess))
872 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
875 || !TEST_true(SSL_session_reused(clientssl))
876 || !TEST_true(SSL_session_reused(serverssl))
877 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
878 || !TEST_ptr_eq(sesspre, sesspost)
879 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
880 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
882 shutdown_ssl_connection(serverssl, clientssl);
883 serverssl = clientssl = NULL;
886 * Now create a fresh connection and try to renegotiate a different
889 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
891 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
892 || !TEST_true(create_ssl_connection(serverssl, clientssl,
894 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
895 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
896 || !TEST_true(SSL_renegotiate(clientssl))
897 || !TEST_true(SSL_renegotiate_pending(clientssl)))
899 /* Actually drive the renegotiation. */
900 for (i = 0; i < 3; i++) {
901 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
902 if (!TEST_ulong_eq(readbytes, 0))
904 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
905 SSL_ERROR_WANT_READ)) {
908 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
909 if (!TEST_ulong_eq(readbytes, 0))
911 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
912 SSL_ERROR_WANT_READ)) {
916 /* sesspre and sesspost should be different since the cipher changed. */
917 if (!TEST_false(SSL_renegotiate_pending(clientssl))
918 || !TEST_false(SSL_session_reused(clientssl))
919 || !TEST_false(SSL_session_reused(serverssl))
920 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
921 || !TEST_ptr_ne(sesspre, sesspost)
922 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
923 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
926 shutdown_ssl_connection(serverssl, clientssl);
927 serverssl = clientssl = NULL;
936 SSL_SESSION_free(sess);
942 static int execute_test_large_message(const SSL_METHOD *smeth,
943 const SSL_METHOD *cmeth,
944 int min_version, int max_version,
947 SSL_CTX *cctx = NULL, *sctx = NULL;
948 SSL *clientssl = NULL, *serverssl = NULL;
952 X509 *chaincert = NULL;
955 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
958 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
961 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
966 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
967 max_version, &sctx, &cctx, cert,
971 #ifdef OPENSSL_NO_DTLS1_2
972 if (smeth == DTLS_server_method()) {
974 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
977 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "DEFAULT:@SECLEVEL=0")))
986 * Test that read_ahead works correctly when dealing with large
989 SSL_CTX_set_read_ahead(cctx, 1);
993 * We assume the supplied certificate is big enough so that if we add
994 * NUM_EXTRA_CERTS it will make the overall message large enough. The
995 * default buffer size is requested to be 16k, but due to the way BUF_MEM
996 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
997 * test we need to have a message larger than that.
999 certlen = i2d_X509(chaincert, NULL);
1000 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1001 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1002 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1003 if (!X509_up_ref(chaincert))
1005 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1006 X509_free(chaincert);
1011 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1013 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1018 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1021 if (!TEST_true(SSL_clear(serverssl)))
1027 X509_free(chaincert);
1028 SSL_free(serverssl);
1029 SSL_free(clientssl);
1036 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1037 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1038 /* sock must be connected */
1039 static int ktls_chk_platform(int sock)
1041 if (!ktls_enable(sock))
1046 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1048 static char count = 1;
1049 unsigned char cbuf[16000] = {0};
1050 unsigned char sbuf[16000];
1052 char crec_wseq_before[SEQ_NUM_SIZE];
1053 char crec_wseq_after[SEQ_NUM_SIZE];
1054 char crec_rseq_before[SEQ_NUM_SIZE];
1055 char crec_rseq_after[SEQ_NUM_SIZE];
1056 char srec_wseq_before[SEQ_NUM_SIZE];
1057 char srec_wseq_after[SEQ_NUM_SIZE];
1058 char srec_rseq_before[SEQ_NUM_SIZE];
1059 char srec_rseq_after[SEQ_NUM_SIZE];
1062 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1063 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1064 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1065 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1067 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1070 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1071 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1076 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1079 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1080 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1085 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1086 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1088 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1090 /* verify the payload */
1091 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1095 * If ktls is used then kernel sequences are used instead of
1098 if (!BIO_get_ktls_send(clientssl->wbio)) {
1099 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1100 crec_wseq_after, SEQ_NUM_SIZE))
1103 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1104 crec_wseq_after, SEQ_NUM_SIZE))
1108 if (!BIO_get_ktls_send(serverssl->wbio)) {
1109 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1110 srec_wseq_after, SEQ_NUM_SIZE))
1113 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1114 srec_wseq_after, SEQ_NUM_SIZE))
1118 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1119 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1120 crec_rseq_after, SEQ_NUM_SIZE))
1123 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1124 crec_rseq_after, SEQ_NUM_SIZE))
1128 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1129 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1130 srec_rseq_after, SEQ_NUM_SIZE))
1133 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1134 srec_rseq_after, SEQ_NUM_SIZE))
1143 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1144 int tls_version, const char *cipher)
1146 SSL_CTX *cctx = NULL, *sctx = NULL;
1147 SSL *clientssl = NULL, *serverssl = NULL;
1148 int ktls_used = 0, testresult = 0;
1149 int cfd = -1, sfd = -1;
1152 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1155 /* Skip this test if the platform does not support ktls */
1156 if (!ktls_chk_platform(cfd)) {
1157 testresult = TEST_skip("Kernel does not support KTLS");
1161 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1162 testresult = TEST_skip("CHACHA is not supported in FIPS");
1166 /* Create a session based on SHA-256 */
1167 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1168 TLS_client_method(),
1169 tls_version, tls_version,
1170 &sctx, &cctx, cert, privkey)))
1173 if (tls_version == TLS1_3_VERSION) {
1174 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1175 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1178 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1179 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1183 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1184 &clientssl, sfd, cfd)))
1188 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1193 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1197 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1201 * The running kernel may not support a given cipher suite
1202 * or direction, so just check that KTLS isn't used when it
1206 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1209 if (BIO_get_ktls_send(clientssl->wbio))
1214 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1217 if (BIO_get_ktls_send(serverssl->wbio))
1221 #if defined(OPENSSL_NO_KTLS_RX)
1224 rx_supported = (tls_version != TLS1_3_VERSION);
1226 if (!cis_ktls || !rx_supported) {
1227 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1230 if (BIO_get_ktls_send(clientssl->rbio))
1234 if (!sis_ktls || !rx_supported) {
1235 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1238 if (BIO_get_ktls_send(serverssl->rbio))
1242 if ((cis_ktls || sis_ktls) && !ktls_used) {
1243 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1244 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1249 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1255 SSL_shutdown(clientssl);
1256 SSL_free(clientssl);
1259 SSL_shutdown(serverssl);
1260 SSL_free(serverssl);
1264 serverssl = clientssl = NULL;
1272 #define SENDFILE_SZ (16 * 4096)
1273 #define SENDFILE_CHUNK (4 * 4096)
1274 #define min(a,b) ((a) > (b) ? (b) : (a))
1276 static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1278 SSL_CTX *cctx = NULL, *sctx = NULL;
1279 SSL *clientssl = NULL, *serverssl = NULL;
1280 unsigned char *buf, *buf_dst;
1281 BIO *out = NULL, *in = NULL;
1282 int cfd = -1, sfd = -1, ffd, err;
1283 ssize_t chunk_size = 0;
1284 off_t chunk_off = 0;
1288 buf = OPENSSL_zalloc(SENDFILE_SZ);
1289 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1290 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1291 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1294 /* Skip this test if the platform does not support ktls */
1295 if (!ktls_chk_platform(sfd)) {
1296 testresult = TEST_skip("Kernel does not support KTLS");
1300 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1301 testresult = TEST_skip("CHACHA is not supported in FIPS");
1305 /* Create a session based on SHA-256 */
1306 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1307 TLS_client_method(),
1308 tls_version, tls_version,
1309 &sctx, &cctx, cert, privkey)))
1312 if (tls_version == TLS1_3_VERSION) {
1313 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1314 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1317 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1318 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1322 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1323 &clientssl, sfd, cfd)))
1326 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1329 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1333 if (!BIO_get_ktls_send(serverssl->wbio)) {
1334 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1335 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1340 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1343 out = BIO_new_file(tmpfilename, "wb");
1347 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1352 in = BIO_new_file(tmpfilename, "rb");
1353 BIO_get_fp(in, &ffdp);
1356 while (chunk_off < SENDFILE_SZ) {
1357 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1358 while ((err = SSL_sendfile(serverssl,
1362 0)) != chunk_size) {
1363 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1366 while ((err = SSL_read(clientssl,
1367 buf_dst + chunk_off,
1368 chunk_size)) != chunk_size) {
1369 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1373 /* verify the payload */
1374 if (!TEST_mem_eq(buf_dst + chunk_off,
1380 chunk_off += chunk_size;
1386 SSL_shutdown(clientssl);
1387 SSL_free(clientssl);
1390 SSL_shutdown(serverssl);
1391 SSL_free(serverssl);
1395 serverssl = clientssl = NULL;
1403 OPENSSL_free(buf_dst);
1407 static struct ktls_test_cipher {
1410 } ktls_test_ciphers[] = {
1411 # if !defined(OPENSSL_NO_TLS1_2)
1412 # ifdef OPENSSL_KTLS_AES_GCM_128
1413 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1415 # ifdef OPENSSL_KTLS_AES_CCM_128
1416 { TLS1_2_VERSION, "AES128-CCM"},
1418 # ifdef OPENSSL_KTLS_AES_GCM_256
1419 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1421 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1422 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1425 # if !defined(OSSL_NO_USABLE_TLS1_3)
1426 # ifdef OPENSSL_KTLS_AES_GCM_128
1427 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1429 # ifdef OPENSSL_KTLS_AES_CCM_128
1430 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1432 # ifdef OPENSSL_KTLS_AES_GCM_256
1433 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1435 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1436 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1441 #define NUM_KTLS_TEST_CIPHERS \
1442 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1444 static int test_ktls(int test)
1446 struct ktls_test_cipher *cipher;
1447 int cis_ktls, sis_ktls;
1449 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1450 cipher = &ktls_test_ciphers[test / 4];
1452 cis_ktls = (test & 1) != 0;
1453 sis_ktls = (test & 2) != 0;
1455 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1459 static int test_ktls_sendfile(int tst)
1461 struct ktls_test_cipher *cipher;
1463 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1464 cipher = &ktls_test_ciphers[tst];
1466 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1470 static int test_large_message_tls(void)
1472 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1473 TLS1_VERSION, 0, 0);
1476 static int test_large_message_tls_read_ahead(void)
1478 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1479 TLS1_VERSION, 0, 1);
1482 #ifndef OPENSSL_NO_DTLS
1483 static int test_large_message_dtls(void)
1485 # ifdef OPENSSL_NO_DTLS1_2
1486 /* Not supported in the FIPS provider */
1491 * read_ahead is not relevant to DTLS because DTLS always acts as if
1492 * read_ahead is set.
1494 return execute_test_large_message(DTLS_server_method(),
1495 DTLS_client_method(),
1496 DTLS1_VERSION, 0, 0);
1500 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1501 const SSL_METHOD *cmeth,
1502 int min_version, int max_version)
1505 SSL_CTX *cctx = NULL, *sctx = NULL;
1506 SSL *clientssl = NULL, *serverssl = NULL;
1511 static unsigned char cbuf[16000];
1512 static unsigned char sbuf[16000];
1514 if (!TEST_true(create_ssl_ctx_pair(libctx,
1516 min_version, max_version,
1521 #ifdef OPENSSL_NO_DTLS1_2
1522 if (smeth == DTLS_server_method()) {
1523 # ifdef OPENSSL_NO_DTLS1_2
1524 /* Not supported in the FIPS provider */
1531 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1534 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1535 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1536 "DEFAULT:@SECLEVEL=0")))
1541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1545 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1548 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1552 for (i = 0; i < sizeof(cbuf); i++) {
1556 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1559 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1562 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1566 * Since we called SSL_peek(), we know the data in the record
1567 * layer is a plaintext record. We can gather the pointer to check
1568 * for zeroization after SSL_read().
1570 rr = serverssl->rlayer.rrec;
1571 zbuf = &rr->data[rr->off];
1572 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1576 * After SSL_peek() the plaintext must still be stored in the
1579 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1582 memset(sbuf, 0, sizeof(sbuf));
1583 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1586 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1589 /* Check if rbuf is cleansed */
1590 memset(cbuf, 0, sizeof(cbuf));
1591 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1596 SSL_free(serverssl);
1597 SSL_free(clientssl);
1604 static int test_cleanse_plaintext(void)
1606 #if !defined(OPENSSL_NO_TLS1_2)
1607 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1608 TLS_client_method(),
1615 #if !defined(OSSL_NO_USABLE_TLS1_3)
1616 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1617 TLS_client_method(),
1623 #if !defined(OPENSSL_NO_DTLS)
1625 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1626 DTLS_client_method(),
1634 #ifndef OPENSSL_NO_OCSP
1635 static int ocsp_server_cb(SSL *s, void *arg)
1637 int *argi = (int *)arg;
1638 unsigned char *copy = NULL;
1639 STACK_OF(OCSP_RESPID) *ids = NULL;
1640 OCSP_RESPID *id = NULL;
1643 /* In this test we are expecting exactly 1 OCSP_RESPID */
1644 SSL_get_tlsext_status_ids(s, &ids);
1645 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1646 return SSL_TLSEXT_ERR_ALERT_FATAL;
1648 id = sk_OCSP_RESPID_value(ids, 0);
1649 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1650 return SSL_TLSEXT_ERR_ALERT_FATAL;
1651 } else if (*argi != 1) {
1652 return SSL_TLSEXT_ERR_ALERT_FATAL;
1655 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1656 return SSL_TLSEXT_ERR_ALERT_FATAL;
1658 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1659 sizeof(orespder)))) {
1661 return SSL_TLSEXT_ERR_ALERT_FATAL;
1663 ocsp_server_called = 1;
1664 return SSL_TLSEXT_ERR_OK;
1667 static int ocsp_client_cb(SSL *s, void *arg)
1669 int *argi = (int *)arg;
1670 const unsigned char *respderin;
1673 if (*argi != 1 && *argi != 2)
1676 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1677 if (!TEST_mem_eq(orespder, len, respderin, len))
1680 ocsp_client_called = 1;
1684 static int test_tlsext_status_type(void)
1686 SSL_CTX *cctx = NULL, *sctx = NULL;
1687 SSL *clientssl = NULL, *serverssl = NULL;
1689 STACK_OF(OCSP_RESPID) *ids = NULL;
1690 OCSP_RESPID *id = NULL;
1691 BIO *certbio = NULL;
1693 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1695 &sctx, &cctx, cert, privkey))
1698 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1701 /* First just do various checks getting and setting tlsext_status_type */
1703 clientssl = SSL_new(cctx);
1704 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1705 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1706 TLSEXT_STATUSTYPE_ocsp))
1707 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1708 TLSEXT_STATUSTYPE_ocsp))
1711 SSL_free(clientssl);
1714 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1715 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1718 clientssl = SSL_new(cctx);
1719 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1721 SSL_free(clientssl);
1725 * Now actually do a handshake and check OCSP information is exchanged and
1726 * the callbacks get called
1728 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1729 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1730 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1731 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1732 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1733 &clientssl, NULL, NULL))
1734 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1736 || !TEST_true(ocsp_client_called)
1737 || !TEST_true(ocsp_server_called))
1739 SSL_free(serverssl);
1740 SSL_free(clientssl);
1744 /* Try again but this time force the server side callback to fail */
1745 ocsp_client_called = 0;
1746 ocsp_server_called = 0;
1748 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1749 &clientssl, NULL, NULL))
1750 /* This should fail because the callback will fail */
1751 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1753 || !TEST_false(ocsp_client_called)
1754 || !TEST_false(ocsp_server_called))
1756 SSL_free(serverssl);
1757 SSL_free(clientssl);
1762 * This time we'll get the client to send an OCSP_RESPID that it will
1765 ocsp_client_called = 0;
1766 ocsp_server_called = 0;
1768 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1769 &clientssl, NULL, NULL)))
1773 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1774 * specific one. We'll use the server cert.
1776 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1777 || !TEST_ptr(id = OCSP_RESPID_new())
1778 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1779 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1780 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1781 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1782 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1785 SSL_set_tlsext_status_ids(clientssl, ids);
1786 /* Control has been transferred */
1792 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1794 || !TEST_true(ocsp_client_called)
1795 || !TEST_true(ocsp_server_called))
1801 SSL_free(serverssl);
1802 SSL_free(clientssl);
1805 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1806 OCSP_RESPID_free(id);
1808 X509_free(ocspcert);
1815 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1816 static int new_called, remove_called, get_called;
1818 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1822 * sess has been up-refed for us, but we don't actually need it so free it
1825 SSL_SESSION_free(sess);
1829 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1834 static SSL_SESSION *get_sess_val = NULL;
1836 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1841 return get_sess_val;
1844 static int execute_test_session(int maxprot, int use_int_cache,
1845 int use_ext_cache, long s_options)
1847 SSL_CTX *sctx = NULL, *cctx = NULL;
1848 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1849 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1850 # ifndef OPENSSL_NO_TLS1_1
1851 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1853 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1854 int testresult = 0, numnewsesstick = 1;
1856 new_called = remove_called = 0;
1858 /* TLSv1.3 sends 2 NewSessionTickets */
1859 if (maxprot == TLS1_3_VERSION)
1862 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1863 TLS_client_method(), TLS1_VERSION, 0,
1864 &sctx, &cctx, cert, privkey)))
1868 * Only allow the max protocol version so we can force a connection failure
1871 SSL_CTX_set_min_proto_version(cctx, maxprot);
1872 SSL_CTX_set_max_proto_version(cctx, maxprot);
1874 /* Set up session cache */
1875 if (use_ext_cache) {
1876 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1877 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1879 if (use_int_cache) {
1880 /* Also covers instance where both are set */
1881 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1883 SSL_CTX_set_session_cache_mode(cctx,
1884 SSL_SESS_CACHE_CLIENT
1885 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1889 SSL_CTX_set_options(sctx, s_options);
1892 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1894 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1896 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1899 /* Should fail because it should already be in the cache */
1900 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1903 && (!TEST_int_eq(new_called, numnewsesstick)
1905 || !TEST_int_eq(remove_called, 0)))
1908 new_called = remove_called = 0;
1909 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1910 &clientssl2, NULL, NULL))
1911 || !TEST_true(SSL_set_session(clientssl2, sess1))
1912 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1914 || !TEST_true(SSL_session_reused(clientssl2)))
1917 if (maxprot == TLS1_3_VERSION) {
1919 * In TLSv1.3 we should have created a new session even though we have
1920 * resumed. Since we attempted a resume we should also have removed the
1921 * old ticket from the cache so that we try to only use tickets once.
1924 && (!TEST_int_eq(new_called, 1)
1925 || !TEST_int_eq(remove_called, 1)))
1929 * In TLSv1.2 we expect to have resumed so no sessions added or
1933 && (!TEST_int_eq(new_called, 0)
1934 || !TEST_int_eq(remove_called, 0)))
1938 SSL_SESSION_free(sess1);
1939 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1941 shutdown_ssl_connection(serverssl2, clientssl2);
1942 serverssl2 = clientssl2 = NULL;
1944 new_called = remove_called = 0;
1945 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1946 &clientssl2, NULL, NULL))
1947 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1951 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1955 && (!TEST_int_eq(new_called, numnewsesstick)
1956 || !TEST_int_eq(remove_called, 0)))
1959 new_called = remove_called = 0;
1961 * This should clear sess2 from the cache because it is a "bad" session.
1962 * See SSL_set_session() documentation.
1964 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1967 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1969 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1972 if (use_int_cache) {
1973 /* Should succeeded because it should not already be in the cache */
1974 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1975 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1979 new_called = remove_called = 0;
1980 /* This shouldn't be in the cache so should fail */
1981 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1985 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1988 # if !defined(OPENSSL_NO_TLS1_1)
1989 new_called = remove_called = 0;
1990 /* Force a connection failure */
1991 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1992 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1993 &clientssl3, NULL, NULL))
1994 || !TEST_true(SSL_set_session(clientssl3, sess1))
1995 /* This should fail because of the mismatched protocol versions */
1996 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2000 /* We should have automatically removed the session from the cache */
2002 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2005 /* Should succeed because it should not already be in the cache */
2006 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2010 /* Now do some tests for server side caching */
2011 if (use_ext_cache) {
2012 SSL_CTX_sess_set_new_cb(cctx, NULL);
2013 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2014 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2015 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2016 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2017 get_sess_val = NULL;
2020 SSL_CTX_set_session_cache_mode(cctx, 0);
2021 /* Internal caching is the default on the server side */
2023 SSL_CTX_set_session_cache_mode(sctx,
2024 SSL_SESS_CACHE_SERVER
2025 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2027 SSL_free(serverssl1);
2028 SSL_free(clientssl1);
2029 serverssl1 = clientssl1 = NULL;
2030 SSL_free(serverssl2);
2031 SSL_free(clientssl2);
2032 serverssl2 = clientssl2 = NULL;
2033 SSL_SESSION_free(sess1);
2035 SSL_SESSION_free(sess2);
2038 SSL_CTX_set_max_proto_version(sctx, maxprot);
2039 if (maxprot == TLS1_2_VERSION)
2040 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2041 new_called = remove_called = get_called = 0;
2042 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2044 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2046 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2047 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2050 if (use_int_cache) {
2051 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2053 * In TLSv1.3 it should not have been added to the internal cache,
2054 * except in the case where we also have an external cache (in that
2055 * case it gets added to the cache in order to generate remove
2056 * events after timeout).
2058 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2061 /* Should fail because it should already be in the cache */
2062 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2067 if (use_ext_cache) {
2068 SSL_SESSION *tmp = sess2;
2070 if (!TEST_int_eq(new_called, numnewsesstick)
2071 || !TEST_int_eq(remove_called, 0)
2072 || !TEST_int_eq(get_called, 0))
2075 * Delete the session from the internal cache to force a lookup from
2076 * the external cache. We take a copy first because
2077 * SSL_CTX_remove_session() also marks the session as non-resumable.
2079 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2080 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2081 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2083 SSL_SESSION_free(sess2);
2088 new_called = remove_called = get_called = 0;
2089 get_sess_val = sess2;
2090 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2091 &clientssl2, NULL, NULL))
2092 || !TEST_true(SSL_set_session(clientssl2, sess1))
2093 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2095 || !TEST_true(SSL_session_reused(clientssl2)))
2098 if (use_ext_cache) {
2099 if (!TEST_int_eq(remove_called, 0))
2102 if (maxprot == TLS1_3_VERSION) {
2103 if (!TEST_int_eq(new_called, 1)
2104 || !TEST_int_eq(get_called, 0))
2107 if (!TEST_int_eq(new_called, 0)
2108 || !TEST_int_eq(get_called, 1))
2116 SSL_free(serverssl1);
2117 SSL_free(clientssl1);
2118 SSL_free(serverssl2);
2119 SSL_free(clientssl2);
2120 # ifndef OPENSSL_NO_TLS1_1
2121 SSL_free(serverssl3);
2122 SSL_free(clientssl3);
2124 SSL_SESSION_free(sess1);
2125 SSL_SESSION_free(sess2);
2131 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2133 static int test_session_with_only_int_cache(void)
2135 #ifndef OSSL_NO_USABLE_TLS1_3
2136 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2140 #ifndef OPENSSL_NO_TLS1_2
2141 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2147 static int test_session_with_only_ext_cache(void)
2149 #ifndef OSSL_NO_USABLE_TLS1_3
2150 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2154 #ifndef OPENSSL_NO_TLS1_2
2155 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2161 static int test_session_with_both_cache(void)
2163 #ifndef OSSL_NO_USABLE_TLS1_3
2164 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2168 #ifndef OPENSSL_NO_TLS1_2
2169 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2175 static int test_session_wo_ca_names(void)
2177 #ifndef OSSL_NO_USABLE_TLS1_3
2178 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2182 #ifndef OPENSSL_NO_TLS1_2
2183 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2190 #ifndef OSSL_NO_USABLE_TLS1_3
2191 static SSL_SESSION *sesscache[6];
2192 static int do_cache;
2194 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2197 sesscache[new_called] = sess;
2199 /* We don't need the reference to the session, so free it */
2200 SSL_SESSION_free(sess);
2207 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2209 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2210 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2213 /* Start handshake on the server and client */
2214 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2215 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2216 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2217 || !TEST_true(create_ssl_connection(sssl, cssl,
2224 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2227 int sess_id_ctx = 1;
2229 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2230 TLS_client_method(), TLS1_VERSION, 0,
2231 sctx, cctx, cert, privkey))
2232 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2233 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2234 (void *)&sess_id_ctx,
2235 sizeof(sess_id_ctx))))
2239 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2241 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2242 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2243 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2248 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2250 SSL *serverssl = NULL, *clientssl = NULL;
2253 /* Test that we can resume with all the tickets we got given */
2254 for (i = 0; i < idx * 2; i++) {
2256 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2257 &clientssl, NULL, NULL))
2258 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2261 SSL_set_post_handshake_auth(clientssl, 1);
2263 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2268 * Following a successful resumption we only get 1 ticket. After a
2269 * failed one we should get idx tickets.
2272 if (!TEST_true(SSL_session_reused(clientssl))
2273 || !TEST_int_eq(new_called, 1))
2276 if (!TEST_false(SSL_session_reused(clientssl))
2277 || !TEST_int_eq(new_called, idx))
2282 /* After a post-handshake authentication we should get 1 new ticket */
2284 && (!post_handshake_verify(serverssl, clientssl)
2285 || !TEST_int_eq(new_called, 1)))
2288 SSL_shutdown(clientssl);
2289 SSL_shutdown(serverssl);
2290 SSL_free(serverssl);
2291 SSL_free(clientssl);
2292 serverssl = clientssl = NULL;
2293 SSL_SESSION_free(sesscache[i]);
2294 sesscache[i] = NULL;
2300 SSL_free(clientssl);
2301 SSL_free(serverssl);
2305 static int test_tickets(int stateful, int idx)
2307 SSL_CTX *sctx = NULL, *cctx = NULL;
2308 SSL *serverssl = NULL, *clientssl = NULL;
2312 /* idx is the test number, but also the number of tickets we want */
2317 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2320 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2321 &clientssl, NULL, NULL)))
2324 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2326 /* Check we got the number of tickets we were expecting */
2327 || !TEST_int_eq(idx, new_called))
2330 SSL_shutdown(clientssl);
2331 SSL_shutdown(serverssl);
2332 SSL_free(serverssl);
2333 SSL_free(clientssl);
2336 clientssl = serverssl = NULL;
2340 * Now we try to resume with the tickets we previously created. The
2341 * resumption attempt is expected to fail (because we're now using a new
2342 * SSL_CTX). We should see idx number of tickets issued again.
2345 /* Stop caching sessions - just count them */
2348 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2351 if (!check_resumption(idx, sctx, cctx, 0))
2354 /* Start again with caching sessions */
2361 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2365 &clientssl, NULL, NULL)))
2368 SSL_set_post_handshake_auth(clientssl, 1);
2370 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2372 /* Check we got the number of tickets we were expecting */
2373 || !TEST_int_eq(idx, new_called))
2376 /* After a post-handshake authentication we should get new tickets issued */
2377 if (!post_handshake_verify(serverssl, clientssl)
2378 || !TEST_int_eq(idx * 2, new_called))
2381 SSL_shutdown(clientssl);
2382 SSL_shutdown(serverssl);
2383 SSL_free(serverssl);
2384 SSL_free(clientssl);
2385 serverssl = clientssl = NULL;
2387 /* Stop caching sessions - just count them */
2391 * Check we can resume with all the tickets we created. This time around the
2392 * resumptions should all be successful.
2394 if (!check_resumption(idx, sctx, cctx, 1))
2400 SSL_free(serverssl);
2401 SSL_free(clientssl);
2402 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2403 SSL_SESSION_free(sesscache[j]);
2404 sesscache[j] = NULL;
2412 static int test_stateless_tickets(int idx)
2414 return test_tickets(0, idx);
2417 static int test_stateful_tickets(int idx)
2419 return test_tickets(1, idx);
2422 static int test_psk_tickets(void)
2424 SSL_CTX *sctx = NULL, *cctx = NULL;
2425 SSL *serverssl = NULL, *clientssl = NULL;
2427 int sess_id_ctx = 1;
2429 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2430 TLS_client_method(), TLS1_VERSION, 0,
2431 &sctx, &cctx, NULL, NULL))
2432 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2433 (void *)&sess_id_ctx,
2434 sizeof(sess_id_ctx))))
2437 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2438 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2439 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2440 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2441 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2442 use_session_cb_cnt = 0;
2443 find_session_cb_cnt = 0;
2447 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2450 clientpsk = serverpsk = create_a_psk(clientssl);
2451 if (!TEST_ptr(clientpsk))
2453 SSL_SESSION_up_ref(clientpsk);
2455 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2457 || !TEST_int_eq(1, find_session_cb_cnt)
2458 || !TEST_int_eq(1, use_session_cb_cnt)
2459 /* We should always get 1 ticket when using external PSK */
2460 || !TEST_int_eq(1, new_called))
2466 SSL_free(serverssl);
2467 SSL_free(clientssl);
2470 SSL_SESSION_free(clientpsk);
2471 SSL_SESSION_free(serverpsk);
2472 clientpsk = serverpsk = NULL;
2477 static int test_extra_tickets(int idx)
2479 SSL_CTX *sctx = NULL, *cctx = NULL;
2480 SSL *serverssl = NULL, *clientssl = NULL;
2481 BIO *bretry = BIO_new(bio_s_always_retry());
2486 unsigned char c, buf[1];
2496 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2498 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2499 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2500 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2503 &clientssl, NULL, NULL)))
2507 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2508 * incremented by both client and server.
2510 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2512 /* Check we got the number of tickets we were expecting */
2513 || !TEST_int_eq(idx * 2, new_called)
2514 || !TEST_true(SSL_new_session_ticket(serverssl))
2515 || !TEST_true(SSL_new_session_ticket(serverssl))
2516 || !TEST_int_eq(idx * 2, new_called))
2519 /* Now try a (real) write to actually send the tickets */
2521 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2522 || !TEST_size_t_eq(1, nbytes)
2523 || !TEST_int_eq(idx * 2 + 2, new_called)
2524 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2525 || !TEST_int_eq(idx * 2 + 4, new_called)
2526 || !TEST_int_eq(sizeof(buf), nbytes)
2527 || !TEST_int_eq(c, buf[0])
2528 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2531 /* Try with only requesting one new ticket, too */
2534 if (!TEST_true(SSL_new_session_ticket(serverssl))
2535 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2536 || !TEST_size_t_eq(sizeof(c), nbytes)
2537 || !TEST_int_eq(1, new_called)
2538 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2539 || !TEST_int_eq(2, new_called)
2540 || !TEST_size_t_eq(sizeof(buf), nbytes)
2541 || !TEST_int_eq(c, buf[0]))
2544 /* Do it again but use dummy writes to drive the ticket generation */
2547 if (!TEST_true(SSL_new_session_ticket(serverssl))
2548 || !TEST_true(SSL_new_session_ticket(serverssl))
2549 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2550 || !TEST_size_t_eq(0, nbytes)
2551 || !TEST_int_eq(2, new_called)
2552 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2553 || !TEST_int_eq(4, new_called))
2556 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2559 if (!TEST_true(SSL_new_session_ticket(serverssl))
2560 || !TEST_true(SSL_new_session_ticket(serverssl))
2561 || !TEST_true(SSL_do_handshake(serverssl))
2562 || !TEST_int_eq(2, new_called)
2563 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2564 || !TEST_int_eq(4, new_called))
2568 * Use the always-retry BIO to exercise the logic that forces ticket
2569 * generation to wait until a record boundary.
2573 tmp = SSL_get_wbio(serverssl);
2574 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2578 SSL_set0_wbio(serverssl, bretry);
2580 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2581 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2582 || !TEST_size_t_eq(nbytes, 0))
2584 /* Restore a BIO that will let the write succeed */
2585 SSL_set0_wbio(serverssl, tmp);
2588 * These calls should just queue the request and not send anything
2589 * even if we explicitly try to hit the state machine.
2591 if (!TEST_true(SSL_new_session_ticket(serverssl))
2592 || !TEST_true(SSL_new_session_ticket(serverssl))
2593 || !TEST_int_eq(0, new_called)
2594 || !TEST_true(SSL_do_handshake(serverssl))
2595 || !TEST_int_eq(0, new_called))
2597 /* Re-do the write; still no tickets sent */
2598 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2599 || !TEST_size_t_eq(1, nbytes)
2600 || !TEST_int_eq(0, new_called)
2601 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2602 || !TEST_int_eq(0, new_called)
2603 || !TEST_int_eq(sizeof(buf), nbytes)
2604 || !TEST_int_eq(c, buf[0])
2605 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2607 /* Even trying to hit the state machine now will still not send tickets */
2608 if (!TEST_true(SSL_do_handshake(serverssl))
2609 || !TEST_int_eq(0, new_called))
2611 /* Now the *next* write should send the tickets */
2613 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2614 || !TEST_size_t_eq(1, nbytes)
2615 || !TEST_int_eq(2, new_called)
2616 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2617 || !TEST_int_eq(4, new_called)
2618 || !TEST_int_eq(sizeof(buf), nbytes)
2619 || !TEST_int_eq(c, buf[0])
2620 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2623 SSL_shutdown(clientssl);
2624 SSL_shutdown(serverssl);
2630 SSL_free(serverssl);
2631 SSL_free(clientssl);
2634 clientssl = serverssl = NULL;
2643 #define USE_DEFAULT 3
2645 #define CONNTYPE_CONNECTION_SUCCESS 0
2646 #define CONNTYPE_CONNECTION_FAIL 1
2647 #define CONNTYPE_NO_CONNECTION 2
2649 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2650 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2651 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2652 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2654 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2657 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2658 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2659 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2661 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2678 * Tests calls to SSL_set_bio() under various conditions.
2680 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2681 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2682 * then do more tests where we create a successful connection first using our
2683 * standard connection setup functions, and then call SSL_set_bio() with
2684 * various combinations of valid BIOs or NULL. We then repeat these tests
2685 * following a failed connection. In this last case we are looking to check that
2686 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2688 static int test_ssl_set_bio(int idx)
2690 SSL_CTX *sctx = NULL, *cctx = NULL;
2693 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2694 SSL *serverssl = NULL, *clientssl = NULL;
2695 int initrbio, initwbio, newrbio, newwbio, conntype;
2698 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2706 conntype = CONNTYPE_NO_CONNECTION;
2708 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2709 initrbio = initwbio = USE_DEFAULT;
2717 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2718 TLS_client_method(), TLS1_VERSION, 0,
2719 &sctx, &cctx, cert, privkey)))
2722 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2724 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2725 * because we reduced the number of tests in the definition of
2726 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2727 * mismatched protocol versions we will force a connection failure.
2729 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2730 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2733 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2737 if (initrbio == USE_BIO_1
2738 || initwbio == USE_BIO_1
2739 || newrbio == USE_BIO_1
2740 || newwbio == USE_BIO_1) {
2741 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2745 if (initrbio == USE_BIO_2
2746 || initwbio == USE_BIO_2
2747 || newrbio == USE_BIO_2
2748 || newwbio == USE_BIO_2) {
2749 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2753 if (initrbio != USE_DEFAULT) {
2754 setupbio(&irbio, bio1, bio2, initrbio);
2755 setupbio(&iwbio, bio1, bio2, initwbio);
2756 SSL_set_bio(clientssl, irbio, iwbio);
2759 * We want to maintain our own refs to these BIO, so do an up ref for
2760 * each BIO that will have ownership transferred in the SSL_set_bio()
2765 if (iwbio != NULL && iwbio != irbio)
2769 if (conntype != CONNTYPE_NO_CONNECTION
2770 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2772 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2775 setupbio(&nrbio, bio1, bio2, newrbio);
2776 setupbio(&nwbio, bio1, bio2, newwbio);
2779 * We will (maybe) transfer ownership again so do more up refs.
2780 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2785 && (nwbio != iwbio || nrbio != nwbio))
2789 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2792 SSL_set_bio(clientssl, nrbio, nwbio);
2801 * This test is checking that the ref counting for SSL_set_bio is correct.
2802 * If we get here and we did too many frees then we will fail in the above
2805 SSL_free(serverssl);
2806 SSL_free(clientssl);
2812 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2814 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2816 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2821 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2822 || !TEST_ptr(ssl = SSL_new(ctx))
2823 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2824 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2827 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2830 * If anything goes wrong here then we could leak memory.
2832 BIO_push(sslbio, membio1);
2834 /* Verify changing the rbio/wbio directly does not cause leaks */
2835 if (change_bio != NO_BIO_CHANGE) {
2836 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2840 if (change_bio == CHANGE_RBIO)
2841 SSL_set0_rbio(ssl, membio2);
2843 SSL_set0_wbio(ssl, membio2);
2862 static int test_ssl_bio_pop_next_bio(void)
2864 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2867 static int test_ssl_bio_pop_ssl_bio(void)
2869 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2872 static int test_ssl_bio_change_rbio(void)
2874 return execute_test_ssl_bio(0, CHANGE_RBIO);
2877 static int test_ssl_bio_change_wbio(void)
2879 return execute_test_ssl_bio(0, CHANGE_WBIO);
2882 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2884 /* The list of sig algs */
2886 /* The length of the list */
2888 /* A sigalgs list in string format */
2889 const char *liststr;
2890 /* Whether setting the list should succeed */
2892 /* Whether creating a connection with the list should succeed */
2896 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2897 # ifndef OPENSSL_NO_EC
2898 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2899 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2901 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2902 static const int invalidlist2[] = {NID_sha256, NID_undef};
2903 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2904 static const int invalidlist4[] = {NID_sha256};
2905 static const sigalgs_list testsigalgs[] = {
2906 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2907 # ifndef OPENSSL_NO_EC
2908 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2909 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2911 {NULL, 0, "RSA+SHA256", 1, 1},
2912 # ifndef OPENSSL_NO_EC
2913 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2914 {NULL, 0, "ECDSA+SHA512", 1, 0},
2916 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2917 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2918 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2919 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2920 {NULL, 0, "RSA", 0, 0},
2921 {NULL, 0, "SHA256", 0, 0},
2922 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2923 {NULL, 0, "Invalid", 0, 0}
2926 static int test_set_sigalgs(int idx)
2928 SSL_CTX *cctx = NULL, *sctx = NULL;
2929 SSL *clientssl = NULL, *serverssl = NULL;
2931 const sigalgs_list *curr;
2934 /* Should never happen */
2935 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2938 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2939 curr = testctx ? &testsigalgs[idx]
2940 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2942 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2943 TLS_client_method(), TLS1_VERSION, 0,
2944 &sctx, &cctx, cert, privkey)))
2947 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2952 if (curr->list != NULL)
2953 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2955 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2959 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2965 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2970 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2971 &clientssl, NULL, NULL)))
2977 if (curr->list != NULL)
2978 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2980 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2983 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2992 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3000 SSL_free(serverssl);
3001 SSL_free(clientssl);
3009 #ifndef OSSL_NO_USABLE_TLS1_3
3010 static int psk_client_cb_cnt = 0;
3011 static int psk_server_cb_cnt = 0;
3013 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3014 size_t *idlen, SSL_SESSION **sess)
3016 switch (++use_session_cb_cnt) {
3018 /* The first call should always have a NULL md */
3024 /* The second call should always have an md */
3030 /* We should only be called a maximum of twice */
3034 if (clientpsk != NULL)
3035 SSL_SESSION_up_ref(clientpsk);
3038 *id = (const unsigned char *)pskid;
3039 *idlen = strlen(pskid);
3044 #ifndef OPENSSL_NO_PSK
3045 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3046 unsigned int max_id_len,
3048 unsigned int max_psk_len)
3050 unsigned int psklen = 0;
3052 psk_client_cb_cnt++;
3054 if (strlen(pskid) + 1 > max_id_len)
3057 /* We should only ever be called a maximum of twice per connection */
3058 if (psk_client_cb_cnt > 2)
3061 if (clientpsk == NULL)
3064 /* We'll reuse the PSK we set up for TLSv1.3 */
3065 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3067 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3068 strncpy(id, pskid, max_id_len);
3072 #endif /* OPENSSL_NO_PSK */
3074 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3075 size_t identity_len, SSL_SESSION **sess)
3077 find_session_cb_cnt++;
3079 /* We should only ever be called a maximum of twice per connection */
3080 if (find_session_cb_cnt > 2)
3083 if (serverpsk == NULL)
3086 /* Identity should match that set by the client */
3087 if (strlen(srvid) != identity_len
3088 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3089 /* No PSK found, continue but without a PSK */
3094 SSL_SESSION_up_ref(serverpsk);
3100 #ifndef OPENSSL_NO_PSK
3101 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3102 unsigned char *psk, unsigned int max_psk_len)
3104 unsigned int psklen = 0;
3106 psk_server_cb_cnt++;
3108 /* We should only ever be called a maximum of twice per connection */
3109 if (find_session_cb_cnt > 2)
3112 if (serverpsk == NULL)
3115 /* Identity should match that set by the client */
3116 if (strcmp(srvid, identity) != 0) {
3120 /* We'll reuse the PSK we set up for TLSv1.3 */
3121 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3123 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3127 #endif /* OPENSSL_NO_PSK */
3129 #define MSG1 "Hello"
3130 #define MSG2 "World."
3135 #define MSG7 "message."
3137 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3138 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3139 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3140 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3141 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3144 static SSL_SESSION *create_a_psk(SSL *ssl)
3146 const SSL_CIPHER *cipher = NULL;
3147 const unsigned char key[] = {
3148 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3149 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3150 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3151 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3152 0x2c, 0x2d, 0x2e, 0x2f
3154 SSL_SESSION *sess = NULL;
3156 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3157 sess = SSL_SESSION_new();
3159 || !TEST_ptr(cipher)
3160 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3162 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3164 SSL_SESSION_set_protocol_version(sess,
3166 SSL_SESSION_free(sess);
3173 * Helper method to setup objects for early data test. Caller frees objects on
3176 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3177 SSL **serverssl, SSL_SESSION **sess, int idx)
3180 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3181 TLS_client_method(),
3183 sctx, cctx, cert, privkey)))
3186 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3190 /* When idx == 1 we repeat the tests with read_ahead set */
3191 SSL_CTX_set_read_ahead(*cctx, 1);
3192 SSL_CTX_set_read_ahead(*sctx, 1);
3193 } else if (idx == 2) {
3194 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3195 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3196 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3197 use_session_cb_cnt = 0;
3198 find_session_cb_cnt = 0;
3202 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3207 * For one of the run throughs (doesn't matter which one), we'll try sending
3208 * some SNI data in the initial ClientHello. This will be ignored (because
3209 * there is no SNI cb set up by the server), so it should not impact
3213 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3217 clientpsk = create_a_psk(*clientssl);
3218 if (!TEST_ptr(clientpsk)
3220 * We just choose an arbitrary value for max_early_data which
3221 * should be big enough for testing purposes.
3223 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3225 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3226 SSL_SESSION_free(clientpsk);
3230 serverpsk = clientpsk;
3233 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3234 SSL_SESSION_free(clientpsk);
3235 SSL_SESSION_free(serverpsk);
3236 clientpsk = serverpsk = NULL;
3247 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3251 *sess = SSL_get1_session(*clientssl);
3252 SSL_shutdown(*clientssl);
3253 SSL_shutdown(*serverssl);
3254 SSL_free(*serverssl);
3255 SSL_free(*clientssl);
3256 *serverssl = *clientssl = NULL;
3258 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3259 clientssl, NULL, NULL))
3260 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3266 static int test_early_data_read_write(int idx)
3268 SSL_CTX *cctx = NULL, *sctx = NULL;
3269 SSL *clientssl = NULL, *serverssl = NULL;
3271 SSL_SESSION *sess = NULL;
3272 unsigned char buf[20], data[1024];
3273 size_t readbytes, written, eoedlen, rawread, rawwritten;
3276 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3277 &serverssl, &sess, idx)))
3280 /* Write and read some early data */
3281 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3283 || !TEST_size_t_eq(written, strlen(MSG1))
3284 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3285 sizeof(buf), &readbytes),
3286 SSL_READ_EARLY_DATA_SUCCESS)
3287 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3288 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3289 SSL_EARLY_DATA_ACCEPTED))
3293 * Server should be able to write data, and client should be able to
3296 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3298 || !TEST_size_t_eq(written, strlen(MSG2))
3299 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3300 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3303 /* Even after reading normal data, client should be able write early data */
3304 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3306 || !TEST_size_t_eq(written, strlen(MSG3)))
3309 /* Server should still be able read early data after writing data */
3310 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3312 SSL_READ_EARLY_DATA_SUCCESS)
3313 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3316 /* Write more data from server and read it from client */
3317 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3319 || !TEST_size_t_eq(written, strlen(MSG4))
3320 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3321 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3325 * If client writes normal data it should mean writing early data is no
3328 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3329 || !TEST_size_t_eq(written, strlen(MSG5))
3330 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3331 SSL_EARLY_DATA_ACCEPTED))
3335 * At this point the client has written EndOfEarlyData, ClientFinished and
3336 * normal (fully protected) data. We are going to cause a delay between the
3337 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3338 * in the read BIO, and then just put back the EndOfEarlyData message.
3340 rbio = SSL_get_rbio(serverssl);
3341 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3342 || !TEST_size_t_lt(rawread, sizeof(data))
3343 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3346 /* Record length is in the 4th and 5th bytes of the record header */
3347 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3348 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3349 || !TEST_size_t_eq(rawwritten, eoedlen))
3352 /* Server should be told that there is no more early data */
3353 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3355 SSL_READ_EARLY_DATA_FINISH)
3356 || !TEST_size_t_eq(readbytes, 0))
3360 * Server has not finished init yet, so should still be able to write early
3363 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3365 || !TEST_size_t_eq(written, strlen(MSG6)))
3368 /* Push the ClientFinished and the normal data back into the server rbio */
3369 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3371 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3374 /* Server should be able to read normal data */
3375 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3376 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3379 /* Client and server should not be able to write/read early data now */
3380 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3384 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3386 SSL_READ_EARLY_DATA_ERROR))
3390 /* Client should be able to read the data sent by the server */
3391 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3392 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3396 * Make sure we process the two NewSessionTickets. These arrive
3397 * post-handshake. We attempt reads which we do not expect to return any
3400 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3401 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3405 /* Server should be able to write normal data */
3406 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3407 || !TEST_size_t_eq(written, strlen(MSG7))
3408 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3409 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3412 SSL_SESSION_free(sess);
3413 sess = SSL_get1_session(clientssl);
3414 use_session_cb_cnt = 0;
3415 find_session_cb_cnt = 0;
3417 SSL_shutdown(clientssl);
3418 SSL_shutdown(serverssl);
3419 SSL_free(serverssl);
3420 SSL_free(clientssl);
3421 serverssl = clientssl = NULL;
3422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3423 &clientssl, NULL, NULL))
3424 || !TEST_true(SSL_set_session(clientssl, sess)))
3427 /* Write and read some early data */
3428 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3430 || !TEST_size_t_eq(written, strlen(MSG1))
3431 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3433 SSL_READ_EARLY_DATA_SUCCESS)
3434 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3437 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3438 || !TEST_int_gt(SSL_accept(serverssl), 0))
3441 /* Client and server should not be able to write/read early data now */
3442 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3446 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3448 SSL_READ_EARLY_DATA_ERROR))
3452 /* Client and server should be able to write/read normal data */
3453 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3454 || !TEST_size_t_eq(written, strlen(MSG5))
3455 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3456 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3462 SSL_SESSION_free(sess);
3463 SSL_SESSION_free(clientpsk);
3464 SSL_SESSION_free(serverpsk);
3465 clientpsk = serverpsk = NULL;
3466 SSL_free(serverssl);
3467 SSL_free(clientssl);
3473 static int allow_ed_cb_called = 0;
3475 static int allow_early_data_cb(SSL *s, void *arg)
3477 int *usecb = (int *)arg;
3479 allow_ed_cb_called++;
3488 * idx == 0: Standard early_data setup
3489 * idx == 1: early_data setup using read_ahead
3490 * usecb == 0: Don't use a custom early data callback
3491 * usecb == 1: Use a custom early data callback and reject the early data
3492 * usecb == 2: Use a custom early data callback and accept the early data
3493 * confopt == 0: Configure anti-replay directly
3494 * confopt == 1: Configure anti-replay using SSL_CONF
3496 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3498 SSL_CTX *cctx = NULL, *sctx = NULL;
3499 SSL *clientssl = NULL, *serverssl = NULL;
3501 SSL_SESSION *sess = NULL;
3502 size_t readbytes, written;
3503 unsigned char buf[20];
3505 allow_ed_cb_called = 0;
3507 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3508 TLS_client_method(), TLS1_VERSION, 0,
3509 &sctx, &cctx, cert, privkey)))
3514 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3516 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3518 if (!TEST_ptr(confctx))
3520 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3521 | SSL_CONF_FLAG_SERVER);
3522 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3523 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3525 SSL_CONF_CTX_free(confctx);
3528 SSL_CONF_CTX_free(confctx);
3530 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3533 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3534 &serverssl, &sess, idx)))
3538 * The server is configured to accept early data. Create a connection to
3539 * "use up" the ticket
3541 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3542 || !TEST_true(SSL_session_reused(clientssl)))
3545 SSL_shutdown(clientssl);
3546 SSL_shutdown(serverssl);
3547 SSL_free(serverssl);
3548 SSL_free(clientssl);
3549 serverssl = clientssl = NULL;
3551 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3552 &clientssl, NULL, NULL))
3553 || !TEST_true(SSL_set_session(clientssl, sess)))
3556 /* Write and read some early data */
3557 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3559 || !TEST_size_t_eq(written, strlen(MSG1)))
3563 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3565 SSL_READ_EARLY_DATA_FINISH)
3567 * The ticket was reused, so the we should have rejected the
3570 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3571 SSL_EARLY_DATA_REJECTED))
3574 /* In this case the callback decides to accept the early data */
3575 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3577 SSL_READ_EARLY_DATA_SUCCESS)
3578 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3580 * Server will have sent its flight so client can now send
3581 * end of early data and complete its half of the handshake
3583 || !TEST_int_gt(SSL_connect(clientssl), 0)
3584 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3586 SSL_READ_EARLY_DATA_FINISH)
3587 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3588 SSL_EARLY_DATA_ACCEPTED))
3592 /* Complete the connection */
3593 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3594 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3595 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3601 SSL_SESSION_free(sess);
3602 SSL_SESSION_free(clientpsk);
3603 SSL_SESSION_free(serverpsk);
3604 clientpsk = serverpsk = NULL;
3605 SSL_free(serverssl);
3606 SSL_free(clientssl);
3612 static int test_early_data_replay(int idx)
3614 int ret = 1, usecb, confopt;
3616 for (usecb = 0; usecb < 3; usecb++) {
3617 for (confopt = 0; confopt < 2; confopt++)
3618 ret &= test_early_data_replay_int(idx, usecb, confopt);
3625 * Helper function to test that a server attempting to read early data can
3626 * handle a connection from a client where the early data should be skipped.
3627 * testtype: 0 == No HRR
3628 * testtype: 1 == HRR
3629 * testtype: 2 == HRR, invalid early_data sent after HRR
3630 * testtype: 3 == recv_max_early_data set to 0
3632 static int early_data_skip_helper(int testtype, int idx)
3634 SSL_CTX *cctx = NULL, *sctx = NULL;
3635 SSL *clientssl = NULL, *serverssl = NULL;
3637 SSL_SESSION *sess = NULL;
3638 unsigned char buf[20];
3639 size_t readbytes, written;
3641 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3642 &serverssl, &sess, idx)))
3645 if (testtype == 1 || testtype == 2) {
3646 /* Force an HRR to occur */
3647 #if defined(OPENSSL_NO_EC)
3648 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3651 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3654 } else if (idx == 2) {
3656 * We force early_data rejection by ensuring the PSK identity is
3659 srvid = "Dummy Identity";
3662 * Deliberately corrupt the creation time. We take 20 seconds off the
3663 * time. It could be any value as long as it is not within tolerance.
3664 * This should mean the ticket is rejected.
3666 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3671 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3674 /* Write some early data */
3675 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3677 || !TEST_size_t_eq(written, strlen(MSG1)))
3680 /* Server should reject the early data */
3681 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3683 SSL_READ_EARLY_DATA_FINISH)
3684 || !TEST_size_t_eq(readbytes, 0)
3685 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3686 SSL_EARLY_DATA_REJECTED))
3696 * Finish off the handshake. We perform the same writes and reads as
3697 * further down but we expect them to fail due to the incomplete
3700 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3701 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3708 BIO *wbio = SSL_get_wbio(clientssl);
3709 /* A record that will appear as bad early_data */
3710 const unsigned char bad_early_data[] = {
3711 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3715 * We force the client to attempt a write. This will fail because
3716 * we're still in the handshake. It will cause the second
3717 * ClientHello to be sent.
3719 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3724 * Inject some early_data after the second ClientHello. This should
3725 * cause the server to fail
3727 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3728 sizeof(bad_early_data), &written)))
3735 * This client has sent more early_data than we are willing to skip
3736 * (case 3) or sent invalid early_data (case 2) so the connection should
3739 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3740 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3743 /* Connection has failed - nothing more to do */
3748 TEST_error("Invalid test type");
3753 * Should be able to send normal data despite rejection of early data. The
3754 * early_data should be skipped.
3756 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3757 || !TEST_size_t_eq(written, strlen(MSG2))
3758 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3759 SSL_EARLY_DATA_REJECTED)
3760 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3761 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3767 SSL_SESSION_free(clientpsk);
3768 SSL_SESSION_free(serverpsk);
3769 clientpsk = serverpsk = NULL;
3770 SSL_SESSION_free(sess);
3771 SSL_free(serverssl);
3772 SSL_free(clientssl);
3779 * Test that a server attempting to read early data can handle a connection
3780 * from a client where the early data is not acceptable.
3782 static int test_early_data_skip(int idx)
3784 return early_data_skip_helper(0, idx);
3788 * Test that a server attempting to read early data can handle a connection
3789 * from a client where an HRR occurs.
3791 static int test_early_data_skip_hrr(int idx)
3793 return early_data_skip_helper(1, idx);
3797 * Test that a server attempting to read early data can handle a connection
3798 * from a client where an HRR occurs and correctly fails if early_data is sent
3801 static int test_early_data_skip_hrr_fail(int idx)
3803 return early_data_skip_helper(2, idx);
3807 * Test that a server attempting to read early data will abort if it tries to
3808 * skip over too much.
3810 static int test_early_data_skip_abort(int idx)
3812 return early_data_skip_helper(3, idx);
3816 * Test that a server attempting to read early data can handle a connection
3817 * from a client that doesn't send any.
3819 static int test_early_data_not_sent(int idx)
3821 SSL_CTX *cctx = NULL, *sctx = NULL;
3822 SSL *clientssl = NULL, *serverssl = NULL;
3824 SSL_SESSION *sess = NULL;
3825 unsigned char buf[20];
3826 size_t readbytes, written;
3828 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3829 &serverssl, &sess, idx)))
3832 /* Write some data - should block due to handshake with server */
3833 SSL_set_connect_state(clientssl);
3834 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3837 /* Server should detect that early data has not been sent */
3838 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3840 SSL_READ_EARLY_DATA_FINISH)
3841 || !TEST_size_t_eq(readbytes, 0)
3842 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3843 SSL_EARLY_DATA_NOT_SENT)
3844 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3845 SSL_EARLY_DATA_NOT_SENT))
3848 /* Continue writing the message we started earlier */
3849 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3850 || !TEST_size_t_eq(written, strlen(MSG1))
3851 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3852 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3853 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3854 || !TEST_size_t_eq(written, strlen(MSG2)))
3857 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3858 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3864 SSL_SESSION_free(sess);
3865 SSL_SESSION_free(clientpsk);
3866 SSL_SESSION_free(serverpsk);
3867 clientpsk = serverpsk = NULL;
3868 SSL_free(serverssl);
3869 SSL_free(clientssl);
3875 static const char *servalpn;
3877 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3878 unsigned char *outlen, const unsigned char *in,
3879 unsigned int inlen, void *arg)
3881 unsigned int protlen = 0;
3882 const unsigned char *prot;
3884 for (prot = in; prot < in + inlen; prot += protlen) {
3886 if (in + inlen < prot + protlen)
3887 return SSL_TLSEXT_ERR_NOACK;
3889 if (protlen == strlen(servalpn)
3890 && memcmp(prot, servalpn, protlen) == 0) {
3893 return SSL_TLSEXT_ERR_OK;
3897 return SSL_TLSEXT_ERR_NOACK;
3900 /* Test that a PSK can be used to send early_data */
3901 static int test_early_data_psk(int idx)
3903 SSL_CTX *cctx = NULL, *sctx = NULL;
3904 SSL *clientssl = NULL, *serverssl = NULL;
3906 SSL_SESSION *sess = NULL;
3907 unsigned char alpnlist[] = {
3908 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3911 #define GOODALPNLEN 9
3912 #define BADALPNLEN 8
3913 #define GOODALPN (alpnlist)
3914 #define BADALPN (alpnlist + GOODALPNLEN)
3916 unsigned char buf[20];
3917 size_t readbytes, written;
3918 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3919 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3921 /* We always set this up with a final parameter of "2" for PSK */
3922 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3923 &serverssl, &sess, 2)))
3926 servalpn = "goodalpn";
3929 * Note: There is no test for inconsistent SNI with late client detection.
3930 * This is because servers do not acknowledge SNI even if they are using
3931 * it in a resumption handshake - so it is not actually possible for a
3932 * client to detect a problem.
3936 /* Set inconsistent SNI (early client detection) */
3937 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3938 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3939 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3944 /* Set inconsistent ALPN (early client detection) */
3945 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3946 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3947 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3949 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3956 * Set invalid protocol version. Technically this affects PSKs without
3957 * early_data too, but we test it here because it is similar to the
3958 * SNI/ALPN consistency tests.
3960 err = SSL_R_BAD_PSK;
3961 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3967 * Set inconsistent SNI (server side). In this case the connection
3968 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3969 * is associated with each handshake - not the session. Therefore it
3970 * should not matter that we used a different server name last time.
3972 SSL_SESSION_free(serverpsk);
3973 serverpsk = SSL_SESSION_dup(clientpsk);
3974 if (!TEST_ptr(serverpsk)
3975 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3979 /* Set consistent SNI */
3980 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3981 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3982 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3989 * Set inconsistent ALPN (server detected). In this case the connection
3990 * will succeed but reject early_data.
3992 servalpn = "badalpn";
3993 edstatus = SSL_EARLY_DATA_REJECTED;
3994 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3998 * Set consistent ALPN.
3999 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4000 * accepts a list of protos (each one length prefixed).
4001 * SSL_set1_alpn_selected accepts a single protocol (not length
4004 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4006 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4010 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4014 /* Set inconsistent ALPN (late client detection) */
4015 SSL_SESSION_free(serverpsk);
4016 serverpsk = SSL_SESSION_dup(clientpsk);
4017 if (!TEST_ptr(serverpsk)
4018 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4021 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4024 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4027 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4028 edstatus = SSL_EARLY_DATA_ACCEPTED;
4029 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4030 /* SSL_connect() call should fail */
4035 TEST_error("Bad test index");
4039 SSL_set_connect_state(clientssl);
4041 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4043 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4044 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4047 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4051 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4052 &readbytes), readearlyres)
4053 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4054 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4055 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4056 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4063 SSL_SESSION_free(sess);
4064 SSL_SESSION_free(clientpsk);
4065 SSL_SESSION_free(serverpsk);
4066 clientpsk = serverpsk = NULL;
4067 SSL_free(serverssl);
4068 SSL_free(clientssl);
4075 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4076 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4077 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4078 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4079 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4080 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4082 static int test_early_data_psk_with_all_ciphers(int idx)
4084 SSL_CTX *cctx = NULL, *sctx = NULL;
4085 SSL *clientssl = NULL, *serverssl = NULL;
4087 SSL_SESSION *sess = NULL;
4088 unsigned char buf[20];
4089 size_t readbytes, written;
4090 const SSL_CIPHER *cipher;
4091 const char *cipher_str[] = {
4092 TLS1_3_RFC_AES_128_GCM_SHA256,
4093 TLS1_3_RFC_AES_256_GCM_SHA384,
4094 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4095 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4099 TLS1_3_RFC_AES_128_CCM_SHA256,
4100 TLS1_3_RFC_AES_128_CCM_8_SHA256
4102 const unsigned char *cipher_bytes[] = {
4103 TLS13_AES_128_GCM_SHA256_BYTES,
4104 TLS13_AES_256_GCM_SHA384_BYTES,
4105 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4106 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4110 TLS13_AES_128_CCM_SHA256_BYTES,
4111 TLS13_AES_128_CCM_8_SHA256_BYTES
4114 if (cipher_str[idx] == NULL)
4116 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4117 if (idx == 2 && is_fips == 1)
4120 /* We always set this up with a final parameter of "2" for PSK */
4121 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4122 &serverssl, &sess, 2)))
4126 /* CCM8 ciphers are considered low security due to their short tag */
4127 SSL_set_security_level(clientssl, 0);
4128 SSL_set_security_level(serverssl, 0);
4131 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4132 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4136 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4137 * and assigns to both client and server with incremented reference
4138 * and the same instance is updated in 'sess'.
4139 * So updating ciphersuite in 'sess' which will get reflected in
4140 * PSK handshake using psk use sess and find sess cb.
4142 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4143 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4146 SSL_set_connect_state(clientssl);
4147 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4151 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4153 SSL_READ_EARLY_DATA_SUCCESS)
4154 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4155 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4156 SSL_EARLY_DATA_ACCEPTED)
4157 || !TEST_int_eq(SSL_connect(clientssl), 1)
4158 || !TEST_int_eq(SSL_accept(serverssl), 1))
4161 /* Send some normal data from client to server */
4162 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4163 || !TEST_size_t_eq(written, strlen(MSG2)))
4166 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4167 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4172 SSL_SESSION_free(sess);
4173 SSL_SESSION_free(clientpsk);
4174 SSL_SESSION_free(serverpsk);
4175 clientpsk = serverpsk = NULL;
4176 if (clientssl != NULL)
4177 SSL_shutdown(clientssl);
4178 if (serverssl != NULL)
4179 SSL_shutdown(serverssl);
4180 SSL_free(serverssl);
4181 SSL_free(clientssl);
4188 * Test that a server that doesn't try to read early data can handle a
4189 * client sending some.
4191 static int test_early_data_not_expected(int idx)
4193 SSL_CTX *cctx = NULL, *sctx = NULL;
4194 SSL *clientssl = NULL, *serverssl = NULL;
4196 SSL_SESSION *sess = NULL;
4197 unsigned char buf[20];
4198 size_t readbytes, written;
4200 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4201 &serverssl, &sess, idx)))
4204 /* Write some early data */
4205 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4210 * Server should skip over early data and then block waiting for client to
4211 * continue handshake
4213 if (!TEST_int_le(SSL_accept(serverssl), 0)
4214 || !TEST_int_gt(SSL_connect(clientssl), 0)
4215 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4216 SSL_EARLY_DATA_REJECTED)
4217 || !TEST_int_gt(SSL_accept(serverssl), 0)
4218 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4219 SSL_EARLY_DATA_REJECTED))
4222 /* Send some normal data from client to server */
4223 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4224 || !TEST_size_t_eq(written, strlen(MSG2)))
4227 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4228 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4234 SSL_SESSION_free(sess);
4235 SSL_SESSION_free(clientpsk);
4236 SSL_SESSION_free(serverpsk);
4237 clientpsk = serverpsk = NULL;
4238 SSL_free(serverssl);
4239 SSL_free(clientssl);
4246 # ifndef OPENSSL_NO_TLS1_2
4248 * Test that a server attempting to read early data can handle a connection
4249 * from a TLSv1.2 client.
4251 static int test_early_data_tls1_2(int idx)
4253 SSL_CTX *cctx = NULL, *sctx = NULL;
4254 SSL *clientssl = NULL, *serverssl = NULL;
4256 unsigned char buf[20];
4257 size_t readbytes, written;
4259 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4260 &serverssl, NULL, idx)))
4263 /* Write some data - should block due to handshake with server */
4264 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4265 SSL_set_connect_state(clientssl);
4266 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4270 * Server should do TLSv1.2 handshake. First it will block waiting for more
4271 * messages from client after ServerDone. Then SSL_read_early_data should
4272 * finish and detect that early data has not been sent
4274 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4276 SSL_READ_EARLY_DATA_ERROR))
4280 * Continue writing the message we started earlier. Will still block waiting
4281 * for the CCS/Finished from server
4283 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4284 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4286 SSL_READ_EARLY_DATA_FINISH)
4287 || !TEST_size_t_eq(readbytes, 0)
4288 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4289 SSL_EARLY_DATA_NOT_SENT))
4292 /* Continue writing the message we started earlier */
4293 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4294 || !TEST_size_t_eq(written, strlen(MSG1))
4295 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4296 SSL_EARLY_DATA_NOT_SENT)
4297 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4298 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4299 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4300 || !TEST_size_t_eq(written, strlen(MSG2))
4301 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4302 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4308 SSL_SESSION_free(clientpsk);
4309 SSL_SESSION_free(serverpsk);
4310 clientpsk = serverpsk = NULL;
4311 SSL_free(serverssl);
4312 SSL_free(clientssl);
4318 # endif /* OPENSSL_NO_TLS1_2 */
4321 * Test configuring the TLSv1.3 ciphersuites
4323 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4324 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4325 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4326 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4327 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4328 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4329 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4330 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4331 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4332 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4334 static int test_set_ciphersuite(int idx)
4336 SSL_CTX *cctx = NULL, *sctx = NULL;
4337 SSL *clientssl = NULL, *serverssl = NULL;
4340 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4341 TLS_client_method(), TLS1_VERSION, 0,
4342 &sctx, &cctx, cert, privkey))
4343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4344 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4347 if (idx >=4 && idx <= 7) {
4348 /* SSL_CTX explicit cipher list */
4349 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4353 if (idx == 0 || idx == 4) {
4354 /* Default ciphersuite */
4355 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4356 "TLS_AES_128_GCM_SHA256")))
4358 } else if (idx == 1 || idx == 5) {
4359 /* Non default ciphersuite */
4360 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4361 "TLS_AES_128_CCM_SHA256")))
4365 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4366 &clientssl, NULL, NULL)))
4369 if (idx == 8 || idx == 9) {
4370 /* SSL explicit cipher list */
4371 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4375 if (idx == 2 || idx == 6 || idx == 8) {
4376 /* Default ciphersuite */
4377 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4378 "TLS_AES_128_GCM_SHA256")))
4380 } else if (idx == 3 || idx == 7 || idx == 9) {
4381 /* Non default ciphersuite */
4382 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4383 "TLS_AES_128_CCM_SHA256")))
4387 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4393 SSL_free(serverssl);
4394 SSL_free(clientssl);
4401 static int test_ciphersuite_change(void)
4403 SSL_CTX *cctx = NULL, *sctx = NULL;
4404 SSL *clientssl = NULL, *serverssl = NULL;
4405 SSL_SESSION *clntsess = NULL;
4407 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4409 /* Create a session based on SHA-256 */
4410 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4411 TLS_client_method(), TLS1_VERSION, 0,
4412 &sctx, &cctx, cert, privkey))
4413 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4414 "TLS_AES_128_GCM_SHA256:"
4415 "TLS_AES_256_GCM_SHA384:"
4416 "TLS_AES_128_CCM_SHA256"))
4417 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4418 "TLS_AES_128_GCM_SHA256")))
4421 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4423 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4427 clntsess = SSL_get1_session(clientssl);
4428 /* Save for later */
4429 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4430 SSL_shutdown(clientssl);
4431 SSL_shutdown(serverssl);
4432 SSL_free(serverssl);
4433 SSL_free(clientssl);
4434 serverssl = clientssl = NULL;
4436 /* Check we can resume a session with a different SHA-256 ciphersuite */
4437 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4438 "TLS_AES_128_CCM_SHA256"))
4439 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4440 &clientssl, NULL, NULL))
4441 || !TEST_true(SSL_set_session(clientssl, clntsess))
4442 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4444 || !TEST_true(SSL_session_reused(clientssl)))
4447 SSL_SESSION_free(clntsess);
4448 clntsess = SSL_get1_session(clientssl);
4449 SSL_shutdown(clientssl);
4450 SSL_shutdown(serverssl);
4451 SSL_free(serverssl);
4452 SSL_free(clientssl);
4453 serverssl = clientssl = NULL;
4456 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4457 * succeeds but does not resume.
4459 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4460 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4462 || !TEST_true(SSL_set_session(clientssl, clntsess))
4463 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4465 || !TEST_false(SSL_session_reused(clientssl)))
4468 SSL_SESSION_free(clntsess);
4470 SSL_shutdown(clientssl);
4471 SSL_shutdown(serverssl);
4472 SSL_free(serverssl);
4473 SSL_free(clientssl);
4474 serverssl = clientssl = NULL;
4476 /* Create a session based on SHA384 */
4477 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4478 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4479 &clientssl, NULL, NULL))
4480 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4484 clntsess = SSL_get1_session(clientssl);
4485 SSL_shutdown(clientssl);
4486 SSL_shutdown(serverssl);
4487 SSL_free(serverssl);
4488 SSL_free(clientssl);
4489 serverssl = clientssl = NULL;
4491 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4492 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4493 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4494 "TLS_AES_256_GCM_SHA384"))
4495 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4497 || !TEST_true(SSL_set_session(clientssl, clntsess))
4499 * We use SSL_ERROR_WANT_READ below so that we can pause the
4500 * connection after the initial ClientHello has been sent to
4501 * enable us to make some session changes.
4503 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4504 SSL_ERROR_WANT_READ)))
4507 /* Trick the client into thinking this session is for a different digest */
4508 clntsess->cipher = aes_128_gcm_sha256;
4509 clntsess->cipher_id = clntsess->cipher->id;
4512 * Continue the previously started connection. Server has selected a SHA-384
4513 * ciphersuite, but client thinks the session is for SHA-256, so it should
4516 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4518 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4519 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4525 SSL_SESSION_free(clntsess);
4526 SSL_free(serverssl);
4527 SSL_free(clientssl);
4535 * Test TLSv1.3 Key exchange
4536 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4537 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4538 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4539 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4540 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4541 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4542 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4543 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4544 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4545 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4546 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4547 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4548 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4549 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4551 # ifndef OPENSSL_NO_EC
4552 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4553 NID_secp521r1, NID_X25519, NID_X448};
4555 # ifndef OPENSSL_NO_DH
4556 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4557 NID_ffdhe6144, NID_ffdhe8192};
4559 static int test_key_exchange(int idx)
4561 SSL_CTX *sctx = NULL, *cctx = NULL;
4562 SSL *serverssl = NULL, *clientssl = NULL;
4565 int *kexch_groups = &kexch_alg;
4566 int kexch_groups_size = 1;
4567 int max_version = TLS1_3_VERSION;
4568 char *kexch_name0 = NULL;
4571 # ifndef OPENSSL_NO_EC
4572 # ifndef OPENSSL_NO_TLS1_2
4574 max_version = TLS1_2_VERSION;
4578 kexch_groups = ecdhe_kexch_groups;
4579 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4580 kexch_name0 = "secp256r1";
4583 kexch_alg = NID_X9_62_prime256v1;
4584 kexch_name0 = "secp256r1";
4587 kexch_alg = NID_secp384r1;
4588 kexch_name0 = "secp384r1";
4591 kexch_alg = NID_secp521r1;
4592 kexch_name0 = "secp521r1";
4595 kexch_alg = NID_X25519;
4596 kexch_name0 = "x25519";
4599 kexch_alg = NID_X448;
4600 kexch_name0 = "x448";
4603 # ifndef OPENSSL_NO_DH
4604 # ifndef OPENSSL_NO_TLS1_2
4606 max_version = TLS1_2_VERSION;
4607 kexch_name0 = "ffdhe2048";
4611 kexch_groups = ffdhe_kexch_groups;
4612 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4613 kexch_name0 = "ffdhe2048";
4616 kexch_alg = NID_ffdhe2048;
4617 kexch_name0 = "ffdhe2048";
4620 kexch_alg = NID_ffdhe3072;
4621 kexch_name0 = "ffdhe3072";
4624 kexch_alg = NID_ffdhe4096;
4625 kexch_name0 = "ffdhe4096";
4628 kexch_alg = NID_ffdhe6144;
4629 kexch_name0 = "ffdhe6144";
4632 kexch_alg = NID_ffdhe8192;
4633 kexch_name0 = "ffdhe8192";
4637 /* We're skipping this test */
4641 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4642 TLS_client_method(), TLS1_VERSION,
4643 max_version, &sctx, &cctx, cert,
4647 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4648 TLS1_3_RFC_AES_128_GCM_SHA256)))
4651 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4652 TLS1_3_RFC_AES_128_GCM_SHA256)))
4655 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4656 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4657 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4658 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4662 * Must include an EC ciphersuite so that we send supported groups in
4665 # ifndef OPENSSL_NO_TLS1_2
4666 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4667 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4668 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4672 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4676 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4677 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4680 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4684 * If Handshake succeeds the negotiated kexch alg should be the first one in
4685 * configured, except in the case of FFDHE groups (idx 13), which are
4686 * TLSv1.3 only so we expect no shared group to exist.
4688 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4689 idx == 13 ? 0 : kexch_groups[0]))
4692 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4696 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4698 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4700 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4706 SSL_free(serverssl);
4707 SSL_free(clientssl);
4713 # if !defined(OPENSSL_NO_TLS1_2) \
4714 && !defined(OPENSSL_NO_EC) \
4715 && !defined(OPENSSL_NO_DH)
4716 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4717 int isecdhe, int idx)
4720 int *kexch_groups = &kexch_alg;
4723 numec = OSSL_NELEM(ecdhe_kexch_groups);
4724 numff = OSSL_NELEM(ffdhe_kexch_groups);
4726 kexch_alg = ecdhe_kexch_groups[idx];
4728 kexch_alg = ffdhe_kexch_groups[idx];
4731 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4734 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4738 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4743 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4746 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4750 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4759 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4760 * Run through both the ECDHE and FFDHE group lists used in the previous
4761 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4762 * confirming the expected result; then perform a resumption handshake
4763 * while offering the same group list, and another resumption handshake
4764 * offering a different group list. The returned value should be the
4765 * negotiated group for the initial handshake; for TLS 1.3 resumption
4766 * handshakes the returned value will be negotiated on the resumption
4767 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4768 * be cached in the session from the original handshake, regardless of what
4769 * was offered in the resumption ClientHello.
4771 * Using E for the number of EC groups and F for the number of FF groups:
4772 * E tests of ECDHE with TLS 1.3, server only has one group
4773 * F tests of FFDHE with TLS 1.3, server only has one group
4774 * E tests of ECDHE with TLS 1.2, server only has one group
4775 * F tests of FFDHE with TLS 1.2, server only has one group
4776 * E tests of ECDHE with TLS 1.3, client sends only one group
4777 * F tests of FFDHE with TLS 1.3, client sends only one group
4778 * E tests of ECDHE with TLS 1.2, client sends only one group
4779 * F tests of FFDHE with TLS 1.2, client sends only one group
4781 static int test_negotiated_group(int idx)
4783 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4785 SSL_CTX *sctx = NULL, *cctx = NULL;
4786 SSL *serverssl = NULL, *clientssl = NULL;
4787 SSL_SESSION *origsess = NULL;
4790 int max_version = TLS1_3_VERSION;
4792 numec = OSSL_NELEM(ecdhe_kexch_groups);
4793 numff = OSSL_NELEM(ffdhe_kexch_groups);
4794 numgroups = numec + numff;
4795 clientmulti = (idx < 2 * numgroups);
4796 idx = idx % (2 * numgroups);
4797 istls13 = (idx < numgroups);
4798 idx = idx % numgroups;
4799 isecdhe = (idx < numec);
4802 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4804 kexch_alg = ecdhe_kexch_groups[idx];
4806 kexch_alg = ffdhe_kexch_groups[idx];
4807 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4808 if (!istls13 && !isecdhe)
4809 expectednid = NID_undef;
4811 expectednid = kexch_alg;
4814 max_version = TLS1_2_VERSION;
4816 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4817 TLS_client_method(), TLS1_VERSION,
4818 max_version, &sctx, &cctx, cert,
4823 * Force (EC)DHE ciphers for TLS 1.2.
4824 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4826 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4827 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4828 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4829 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4831 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4832 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4833 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4836 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4840 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4844 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4847 /* Initial handshake; always the configured one */
4848 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4849 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4852 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4855 SSL_shutdown(clientssl);
4856 SSL_shutdown(serverssl);
4857 SSL_free(serverssl);
4858 SSL_free(clientssl);
4859 serverssl = clientssl = NULL;
4861 /* First resumption attempt; use the same config as initial handshake */
4862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4864 || !TEST_true(SSL_set_session(clientssl, origsess))
4865 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4869 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4870 || !TEST_true(SSL_session_reused(clientssl)))
4873 /* Still had better agree, since nothing changed... */
4874 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4875 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4878 SSL_shutdown(clientssl);
4879 SSL_shutdown(serverssl);
4880 SSL_free(serverssl);
4881 SSL_free(clientssl);
4882 serverssl = clientssl = NULL;
4885 * Second resumption attempt
4886 * The party that picks one group changes it, which we effectuate by
4887 * changing 'idx' and updating what we expect.
4895 expectednid = ecdhe_kexch_groups[idx];
4897 expectednid = ffdhe_kexch_groups[idx];
4898 /* Verify that we are changing what we expect. */
4899 if (!TEST_int_ne(expectednid, kexch_alg))
4902 /* TLS 1.2 only supports named groups for ECDHE. */
4904 expectednid = kexch_alg;
4908 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4910 || !TEST_true(SSL_set_session(clientssl, origsess))
4911 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4915 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4916 || !TEST_true(SSL_session_reused(clientssl)))
4919 /* Check that we get what we expected */
4920 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4921 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4926 SSL_free(serverssl);
4927 SSL_free(clientssl);
4930 SSL_SESSION_free(origsess);
4933 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4936 * Test TLSv1.3 Cipher Suite
4937 * Test 0 = Set TLS1.3 cipher on context
4938 * Test 1 = Set TLS1.3 cipher on SSL
4939 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4940 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4942 static int test_tls13_ciphersuite(int idx)
4944 SSL_CTX *sctx = NULL, *cctx = NULL;
4945 SSL *serverssl = NULL, *clientssl = NULL;
4946 static const struct {
4947 const char *ciphername;
4951 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
4952 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
4953 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
4954 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4955 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4956 { TLS1_3_RFC_AES_256_GCM_SHA384
4957 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4959 /* CCM8 ciphers are considered low security due to their short tag */
4960 { TLS1_3_RFC_AES_128_CCM_8_SHA256
4961 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
4963 const char *t13_cipher = NULL;
4964 const char *t12_cipher = NULL;
4965 const char *negotiated_scipher;
4966 const char *negotiated_ccipher;
4982 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4986 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4990 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4991 # ifdef OPENSSL_NO_TLS1_2
4992 if (max_ver == TLS1_2_VERSION)
4995 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4996 if (is_fips && !t13_ciphers[i].fipscapable)
4998 t13_cipher = t13_ciphers[i].ciphername;
4999 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5000 TLS_client_method(),
5001 TLS1_VERSION, max_ver,
5002 &sctx, &cctx, cert, privkey)))
5005 if (t13_ciphers[i].low_security) {
5006 SSL_CTX_set_security_level(sctx, 0);
5007 SSL_CTX_set_security_level(cctx, 0);
5011 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5012 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5014 if (t12_cipher != NULL) {
5015 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5016 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5022 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5023 &clientssl, NULL, NULL)))
5027 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5028 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5030 if (t12_cipher != NULL) {
5031 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5032 || !TEST_true(SSL_set_cipher_list(clientssl,
5038 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5042 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5044 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5046 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5050 * TEST_strn_eq is used below because t13_cipher can contain
5051 * multiple ciphersuites
5053 if (max_ver == TLS1_3_VERSION
5054 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5055 strlen(negotiated_scipher)))
5058 # ifndef OPENSSL_NO_TLS1_2
5059 /* Below validation is not done when t12_cipher is NULL */
5060 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5061 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5065 SSL_free(serverssl);
5067 SSL_free(clientssl);
5078 SSL_free(serverssl);
5079 SSL_free(clientssl);
5087 * Test 0 = Test new style callbacks
5088 * Test 1 = Test both new and old style callbacks
5089 * Test 2 = Test old style callbacks
5090 * Test 3 = Test old style callbacks with no certificate
5092 static int test_tls13_psk(int idx)
5094 SSL_CTX *sctx = NULL, *cctx = NULL;
5095 SSL *serverssl = NULL, *clientssl = NULL;
5096 const SSL_CIPHER *cipher = NULL;
5097 const unsigned char key[] = {
5098 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5099 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5100 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5101 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5105 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5106 TLS_client_method(), TLS1_VERSION, 0,
5107 &sctx, &cctx, idx == 3 ? NULL : cert,
5108 idx == 3 ? NULL : privkey)))
5113 * We use a ciphersuite with SHA256 to ease testing old style PSK
5114 * callbacks which will always default to SHA256. This should not be
5115 * necessary if we have no cert/priv key. In that case the server should
5116 * prefer SHA256 automatically.
5118 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5119 "TLS_AES_128_GCM_SHA256")))
5123 * As noted above the server should prefer SHA256 automatically. However
5124 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5125 * code works even if we are testing with only the FIPS provider loaded.
5127 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5128 "TLS_AES_256_GCM_SHA384:"
5129 "TLS_AES_128_GCM_SHA256")))
5134 * Test 0: New style callbacks only
5135 * Test 1: New and old style callbacks (only the new ones should be used)
5136 * Test 2: Old style callbacks only
5138 if (idx == 0 || idx == 1) {
5139 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5140 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5142 #ifndef OPENSSL_NO_PSK
5144 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5145 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5149 use_session_cb_cnt = 0;
5150 find_session_cb_cnt = 0;
5151 psk_client_cb_cnt = 0;
5152 psk_server_cb_cnt = 0;
5156 * Check we can create a connection if callback decides not to send a
5159 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5161 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5163 || !TEST_false(SSL_session_reused(clientssl))
5164 || !TEST_false(SSL_session_reused(serverssl)))
5167 if (idx == 0 || idx == 1) {
5168 if (!TEST_true(use_session_cb_cnt == 1)
5169 || !TEST_true(find_session_cb_cnt == 0)
5171 * If no old style callback then below should be 0
5174 || !TEST_true(psk_client_cb_cnt == idx)
5175 || !TEST_true(psk_server_cb_cnt == 0))
5178 if (!TEST_true(use_session_cb_cnt == 0)
5179 || !TEST_true(find_session_cb_cnt == 0)
5180 || !TEST_true(psk_client_cb_cnt == 1)
5181 || !TEST_true(psk_server_cb_cnt == 0))
5185 shutdown_ssl_connection(serverssl, clientssl);
5186 serverssl = clientssl = NULL;
5187 use_session_cb_cnt = psk_client_cb_cnt = 0;
5190 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5194 /* Create the PSK */
5195 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5196 clientpsk = SSL_SESSION_new();
5197 if (!TEST_ptr(clientpsk)
5198 || !TEST_ptr(cipher)
5199 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5201 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5202 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5204 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5206 serverpsk = clientpsk;
5208 /* Check we can create a connection and the PSK is used */
5209 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5210 || !TEST_true(SSL_session_reused(clientssl))
5211 || !TEST_true(SSL_session_reused(serverssl)))
5214 if (idx == 0 || idx == 1) {
5215 if (!TEST_true(use_session_cb_cnt == 1)
5216 || !TEST_true(find_session_cb_cnt == 1)
5217 || !TEST_true(psk_client_cb_cnt == 0)
5218 || !TEST_true(psk_server_cb_cnt == 0))
5221 if (!TEST_true(use_session_cb_cnt == 0)
5222 || !TEST_true(find_session_cb_cnt == 0)
5223 || !TEST_true(psk_client_cb_cnt == 1)
5224 || !TEST_true(psk_server_cb_cnt == 1))
5228 shutdown_ssl_connection(serverssl, clientssl);
5229 serverssl = clientssl = NULL;
5230 use_session_cb_cnt = find_session_cb_cnt = 0;
5231 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5233 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5238 #if defined(OPENSSL_NO_EC)
5239 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5242 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5247 * Check we can create a connection, the PSK is used and the callbacks are
5250 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5251 || !TEST_true(SSL_session_reused(clientssl))
5252 || !TEST_true(SSL_session_reused(serverssl)))
5255 if (idx == 0 || idx == 1) {
5256 if (!TEST_true(use_session_cb_cnt == 2)
5257 || !TEST_true(find_session_cb_cnt == 2)
5258 || !TEST_true(psk_client_cb_cnt == 0)
5259 || !TEST_true(psk_server_cb_cnt == 0))
5262 if (!TEST_true(use_session_cb_cnt == 0)
5263 || !TEST_true(find_session_cb_cnt == 0)
5264 || !TEST_true(psk_client_cb_cnt == 2)
5265 || !TEST_true(psk_server_cb_cnt == 2))
5269 shutdown_ssl_connection(serverssl, clientssl);
5270 serverssl = clientssl = NULL;
5271 use_session_cb_cnt = find_session_cb_cnt = 0;
5272 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5276 * Check that if the server rejects the PSK we can still connect, but with
5279 srvid = "Dummy Identity";
5280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5282 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5284 || !TEST_false(SSL_session_reused(clientssl))
5285 || !TEST_false(SSL_session_reused(serverssl)))
5288 if (idx == 0 || idx == 1) {
5289 if (!TEST_true(use_session_cb_cnt == 1)
5290 || !TEST_true(find_session_cb_cnt == 1)
5291 || !TEST_true(psk_client_cb_cnt == 0)
5293 * If no old style callback then below should be 0
5296 || !TEST_true(psk_server_cb_cnt == idx))
5299 if (!TEST_true(use_session_cb_cnt == 0)
5300 || !TEST_true(find_session_cb_cnt == 0)
5301 || !TEST_true(psk_client_cb_cnt == 1)
5302 || !TEST_true(psk_server_cb_cnt == 1))
5306 shutdown_ssl_connection(serverssl, clientssl);
5307 serverssl = clientssl = NULL;
5312 SSL_SESSION_free(clientpsk);
5313 SSL_SESSION_free(serverpsk);
5314 clientpsk = serverpsk = NULL;
5315 SSL_free(serverssl);
5316 SSL_free(clientssl);
5322 static unsigned char cookie_magic_value[] = "cookie magic";
5324 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5325 unsigned int *cookie_len)
5328 * Not suitable as a real cookie generation function but good enough for
5331 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5332 *cookie_len = sizeof(cookie_magic_value) - 1;
5337 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5338 unsigned int cookie_len)
5340 if (cookie_len == sizeof(cookie_magic_value) - 1
5341 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5347 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5351 int res = generate_cookie_callback(ssl, cookie, &temp);
5356 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5359 return verify_cookie_callback(ssl, cookie, cookie_len);
5362 static int test_stateless(void)
5364 SSL_CTX *sctx = NULL, *cctx = NULL;
5365 SSL *serverssl = NULL, *clientssl = NULL;
5368 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5369 TLS_client_method(), TLS1_VERSION, 0,
5370 &sctx, &cctx, cert, privkey)))
5373 /* The arrival of CCS messages can confuse the test */
5374 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5376 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5378 /* Send the first ClientHello */
5379 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5380 SSL_ERROR_WANT_READ))
5382 * This should fail with a -1 return because we have no callbacks
5385 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5388 /* Fatal error so abandon the connection from this client */
5389 SSL_free(clientssl);
5392 /* Set up the cookie generation and verification callbacks */
5393 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5394 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5397 * Create a new connection from the client (we can reuse the server SSL
5400 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5402 /* Send the first ClientHello */
5403 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5404 SSL_ERROR_WANT_READ))
5405 /* This should fail because there is no cookie */
5406 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5409 /* Abandon the connection from this client */
5410 SSL_free(clientssl);
5414 * Now create a connection from a new client but with the same server SSL
5417 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5419 /* Send the first ClientHello */
5420 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5421 SSL_ERROR_WANT_READ))
5422 /* This should fail because there is no cookie */
5423 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5424 /* Send the second ClientHello */
5425 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5426 SSL_ERROR_WANT_READ))
5427 /* This should succeed because a cookie is now present */
5428 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5429 /* Complete the connection */
5430 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5434 shutdown_ssl_connection(serverssl, clientssl);
5435 serverssl = clientssl = NULL;
5439 SSL_free(serverssl);
5440 SSL_free(clientssl);
5446 #endif /* OSSL_NO_USABLE_TLS1_3 */
5448 static int clntaddoldcb = 0;
5449 static int clntparseoldcb = 0;
5450 static int srvaddoldcb = 0;
5451 static int srvparseoldcb = 0;
5452 static int clntaddnewcb = 0;
5453 static int clntparsenewcb = 0;
5454 static int srvaddnewcb = 0;
5455 static int srvparsenewcb = 0;
5456 static int snicb = 0;
5458 #define TEST_EXT_TYPE1 0xff00
5460 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5461 size_t *outlen, int *al, void *add_arg)
5463 int *server = (int *)add_arg;
5464 unsigned char *data;
5466 if (SSL_is_server(s))
5471 if (*server != SSL_is_server(s)
5472 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5477 *outlen = sizeof(char);
5481 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5484 OPENSSL_free((unsigned char *)out);
5487 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5488 size_t inlen, int *al, void *parse_arg)
5490 int *server = (int *)parse_arg;
5492 if (SSL_is_server(s))
5497 if (*server != SSL_is_server(s)
5498 || inlen != sizeof(char)
5505 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5506 const unsigned char **out, size_t *outlen, X509 *x,
5507 size_t chainidx, int *al, void *add_arg)
5509 int *server = (int *)add_arg;
5510 unsigned char *data;
5512 if (SSL_is_server(s))
5517 if (*server != SSL_is_server(s)
5518 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5523 *outlen = sizeof(*data);
5527 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5528 const unsigned char *out, void *add_arg)
5530 OPENSSL_free((unsigned char *)out);
5533 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5534 const unsigned char *in, size_t inlen, X509 *x,
5535 size_t chainidx, int *al, void *parse_arg)
5537 int *server = (int *)parse_arg;
5539 if (SSL_is_server(s))
5544 if (*server != SSL_is_server(s)
5545 || inlen != sizeof(char) || *in != 1)
5551 static int sni_cb(SSL *s, int *al, void *arg)
5553 SSL_CTX *ctx = (SSL_CTX *)arg;
5555 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5556 *al = SSL_AD_INTERNAL_ERROR;
5557 return SSL_TLSEXT_ERR_ALERT_FATAL;
5560 return SSL_TLSEXT_ERR_OK;
5563 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5569 * Custom call back tests.
5570 * Test 0: Old style callbacks in TLSv1.2
5571 * Test 1: New style callbacks in TLSv1.2
5572 * Test 2: New style callbacks in TLSv1.2 with SNI
5573 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5574 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5575 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5577 static int test_custom_exts(int tst)
5579 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5580 SSL *clientssl = NULL, *serverssl = NULL;
5582 static int server = 1;
5583 static int client = 0;
5584 SSL_SESSION *sess = NULL;
5585 unsigned int context;
5587 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5588 /* Skip tests for TLSv1.2 and below in this case */
5593 /* Reset callback counters */
5594 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5595 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5598 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5599 TLS_client_method(), TLS1_VERSION, 0,
5600 &sctx, &cctx, cert, privkey)))
5604 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5606 &sctx2, NULL, cert, privkey)))
5611 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5612 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5614 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5618 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5619 | SSL_EXT_TLS1_3_CERTIFICATE;
5620 SSL_CTX_set_verify(sctx,
5621 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5623 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5624 SSL_FILETYPE_PEM), 1)
5625 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5626 SSL_FILETYPE_PEM), 1)
5627 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5629 } else if (tst == 4) {
5630 context = SSL_EXT_CLIENT_HELLO
5631 | SSL_EXT_TLS1_2_SERVER_HELLO
5632 | SSL_EXT_TLS1_3_SERVER_HELLO
5633 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5634 | SSL_EXT_TLS1_3_CERTIFICATE
5635 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5637 context = SSL_EXT_CLIENT_HELLO
5638 | SSL_EXT_TLS1_2_SERVER_HELLO
5639 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5642 /* Create a client side custom extension */
5644 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5645 old_add_cb, old_free_cb,
5646 &client, old_parse_cb,
5650 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5651 new_add_cb, new_free_cb,
5652 &client, new_parse_cb, &client)))
5656 /* Should not be able to add duplicates */
5657 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5658 old_add_cb, old_free_cb,
5659 &client, old_parse_cb,
5661 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5662 context, new_add_cb,
5663 new_free_cb, &client,
5664 new_parse_cb, &client)))
5667 /* Create a server side custom extension */
5669 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5670 old_add_cb, old_free_cb,
5671 &server, old_parse_cb,
5675 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5676 new_add_cb, new_free_cb,
5677 &server, new_parse_cb, &server)))
5680 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5681 context, new_add_cb,
5682 new_free_cb, &server,
5683 new_parse_cb, &server)))
5687 /* Should not be able to add duplicates */
5688 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5689 old_add_cb, old_free_cb,
5690 &server, old_parse_cb,
5692 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5693 context, new_add_cb,
5694 new_free_cb, &server,
5695 new_parse_cb, &server)))
5700 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5701 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5705 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5706 &clientssl, NULL, NULL))
5707 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5712 if (clntaddoldcb != 1
5713 || clntparseoldcb != 1
5715 || srvparseoldcb != 1)
5717 } else if (tst == 1 || tst == 2 || tst == 3) {
5718 if (clntaddnewcb != 1
5719 || clntparsenewcb != 1
5721 || srvparsenewcb != 1
5722 || (tst != 2 && snicb != 0)
5723 || (tst == 2 && snicb != 1))
5725 } else if (tst == 5) {
5726 if (clntaddnewcb != 1
5727 || clntparsenewcb != 1
5729 || srvparsenewcb != 1)
5732 /* In this case there 2 NewSessionTicket messages created */
5733 if (clntaddnewcb != 1
5734 || clntparsenewcb != 5
5736 || srvparsenewcb != 1)
5740 sess = SSL_get1_session(clientssl);
5741 SSL_shutdown(clientssl);
5742 SSL_shutdown(serverssl);
5743 SSL_free(serverssl);
5744 SSL_free(clientssl);
5745 serverssl = clientssl = NULL;
5747 if (tst == 3 || tst == 5) {
5748 /* We don't bother with the resumption aspects for these tests */
5753 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5755 || !TEST_true(SSL_set_session(clientssl, sess))
5756 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5761 * For a resumed session we expect to add the ClientHello extension. For the
5762 * old style callbacks we ignore it on the server side because they set
5763 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5767 if (clntaddoldcb != 2
5768 || clntparseoldcb != 1
5770 || srvparseoldcb != 1)
5772 } else if (tst == 1 || tst == 2 || tst == 3) {
5773 if (clntaddnewcb != 2
5774 || clntparsenewcb != 2
5776 || srvparsenewcb != 2)
5780 * No Certificate message extensions in the resumption handshake,
5781 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5783 if (clntaddnewcb != 2
5784 || clntparsenewcb != 8
5786 || srvparsenewcb != 2)
5793 SSL_SESSION_free(sess);
5794 SSL_free(serverssl);
5795 SSL_free(clientssl);
5796 SSL_CTX_free(sctx2);
5803 * Test loading of serverinfo data in various formats. test_sslmessages actually
5804 * tests to make sure the extensions appear in the handshake
5806 static int test_serverinfo(int tst)
5808 unsigned int version;
5809 unsigned char *sibuf;
5811 int ret, expected, testresult = 0;
5814 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5818 if ((tst & 0x01) == 0x01)
5819 version = SSL_SERVERINFOV2;
5821 version = SSL_SERVERINFOV1;
5823 if ((tst & 0x02) == 0x02) {
5824 sibuf = serverinfov2;
5825 sibuflen = sizeof(serverinfov2);
5826 expected = (version == SSL_SERVERINFOV2);
5828 sibuf = serverinfov1;
5829 sibuflen = sizeof(serverinfov1);
5830 expected = (version == SSL_SERVERINFOV1);
5833 if ((tst & 0x04) == 0x04) {
5834 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5836 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5839 * The version variable is irrelevant in this case - it's what is in the
5840 * buffer that matters
5842 if ((tst & 0x02) == 0x02)
5848 if (!TEST_true(ret == expected))
5860 * Test that SSL_export_keying_material() produces expected results. There are
5861 * no test vectors so all we do is test that both sides of the communication
5862 * produce the same results for different protocol versions.
5864 #define SMALL_LABEL_LEN 10
5865 #define LONG_LABEL_LEN 249
5866 static int test_export_key_mat(int tst)
5869 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5870 SSL *clientssl = NULL, *serverssl = NULL;
5871 const char label[LONG_LABEL_LEN + 1] = "test label";
5872 const unsigned char context[] = "context";
5873 const unsigned char *emptycontext = NULL;
5874 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5875 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5877 const int protocols[] = {
5886 #ifdef OPENSSL_NO_TLS1
5890 #ifdef OPENSSL_NO_TLS1_1
5894 if (is_fips && (tst == 0 || tst == 1))
5896 #ifdef OPENSSL_NO_TLS1_2
5900 #ifdef OSSL_NO_USABLE_TLS1_3
5904 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5905 TLS_client_method(), TLS1_VERSION, 0,
5906 &sctx, &cctx, cert, privkey)))
5909 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5910 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5911 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5912 if ((protocols[tst] < TLS1_2_VERSION) &&
5913 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5914 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5917 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5922 * Premature call of SSL_export_keying_material should just fail.
5924 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5925 sizeof(ckeymat1), label,
5926 SMALL_LABEL_LEN + 1, context,
5927 sizeof(context) - 1, 1), 0))
5930 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5936 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5939 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5940 sizeof(ckeymat1), label,
5941 LONG_LABEL_LEN + 1, context,
5942 sizeof(context) - 1, 1), 0))
5947 } else if (tst == 4) {
5948 labellen = LONG_LABEL_LEN;
5950 labellen = SMALL_LABEL_LEN;
5953 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5954 sizeof(ckeymat1), label,
5956 sizeof(context) - 1, 1), 1)
5957 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5958 sizeof(ckeymat2), label,
5962 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5963 sizeof(ckeymat3), label,
5966 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5967 sizeof(skeymat1), label,
5970 sizeof(context) -1, 1),
5972 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5973 sizeof(skeymat2), label,
5977 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5978 sizeof(skeymat3), label,
5982 * Check that both sides created the same key material with the
5985 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5988 * Check that both sides created the same key material with an
5991 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5994 * Check that both sides created the same key material without a
5997 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5999 /* Different contexts should produce different results */
6000 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6005 * Check that an empty context and no context produce different results in
6006 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6008 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6010 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6017 SSL_free(serverssl);
6018 SSL_free(clientssl);
6019 SSL_CTX_free(sctx2);
6026 #ifndef OSSL_NO_USABLE_TLS1_3
6028 * Test that SSL_export_keying_material_early() produces expected
6029 * results. There are no test vectors so all we do is test that both
6030 * sides of the communication produce the same results for different
6031 * protocol versions.
6033 static int test_export_key_mat_early(int idx)
6035 static const char label[] = "test label";
6036 static const unsigned char context[] = "context";
6038 SSL_CTX *cctx = NULL, *sctx = NULL;
6039 SSL *clientssl = NULL, *serverssl = NULL;
6040 SSL_SESSION *sess = NULL;
6041 const unsigned char *emptycontext = NULL;
6042 unsigned char ckeymat1[80], ckeymat2[80];
6043 unsigned char skeymat1[80], skeymat2[80];
6044 unsigned char buf[1];
6045 size_t readbytes, written;
6047 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6051 /* Here writing 0 length early data is enough. */
6052 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6053 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6055 SSL_READ_EARLY_DATA_ERROR)
6056 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6057 SSL_EARLY_DATA_ACCEPTED))
6060 if (!TEST_int_eq(SSL_export_keying_material_early(
6061 clientssl, ckeymat1, sizeof(ckeymat1), label,
6062 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6063 || !TEST_int_eq(SSL_export_keying_material_early(
6064 clientssl, ckeymat2, sizeof(ckeymat2), label,
6065 sizeof(label) - 1, emptycontext, 0), 1)
6066 || !TEST_int_eq(SSL_export_keying_material_early(
6067 serverssl, skeymat1, sizeof(skeymat1), label,
6068 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6069 || !TEST_int_eq(SSL_export_keying_material_early(
6070 serverssl, skeymat2, sizeof(skeymat2), label,
6071 sizeof(label) - 1, emptycontext, 0), 1)
6073 * Check that both sides created the same key material with the
6076 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6079 * Check that both sides created the same key material with an
6082 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6084 /* Different contexts should produce different results */
6085 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6092 SSL_SESSION_free(sess);
6093 SSL_SESSION_free(clientpsk);
6094 SSL_SESSION_free(serverpsk);
6095 clientpsk = serverpsk = NULL;
6096 SSL_free(serverssl);
6097 SSL_free(clientssl);
6104 #define NUM_KEY_UPDATE_MESSAGES 40
6108 static int test_key_update(void)
6110 SSL_CTX *cctx = NULL, *sctx = NULL;
6111 SSL *clientssl = NULL, *serverssl = NULL;
6112 int testresult = 0, i, j;
6114 static char *mess = "A test message";
6116 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6117 TLS_client_method(),
6120 &sctx, &cctx, cert, privkey))
6121 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6123 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6127 for (j = 0; j < 2; j++) {
6128 /* Send lots of KeyUpdate messages */
6129 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6130 if (!TEST_true(SSL_key_update(clientssl,
6132 ? SSL_KEY_UPDATE_NOT_REQUESTED
6133 : SSL_KEY_UPDATE_REQUESTED))
6134 || !TEST_true(SSL_do_handshake(clientssl)))
6138 /* Check that sending and receiving app data is ok */
6139 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6140 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6144 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6145 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6153 SSL_free(serverssl);
6154 SSL_free(clientssl);
6162 * Test we can handle a KeyUpdate (update requested) message while
6163 * write data is pending in peer.
6164 * Test 0: Client sends KeyUpdate while Server is writing
6165 * Test 1: Server sends KeyUpdate while Client is writing
6167 static int test_key_update_peer_in_write(int tst)
6169 SSL_CTX *cctx = NULL, *sctx = NULL;
6170 SSL *clientssl = NULL, *serverssl = NULL;
6173 static char *mess = "A test message";
6174 BIO *bretry = BIO_new(bio_s_always_retry());
6176 SSL *peerupdate = NULL, *peerwrite = NULL;
6178 if (!TEST_ptr(bretry)
6179 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6180 TLS_client_method(),
6183 &sctx, &cctx, cert, privkey))
6184 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6186 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6190 peerupdate = tst == 0 ? clientssl : serverssl;
6191 peerwrite = tst == 0 ? serverssl : clientssl;
6193 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6194 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6197 /* Swap the writing endpoint's write BIO to force a retry */
6198 tmp = SSL_get_wbio(peerwrite);
6199 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6203 SSL_set0_wbio(peerwrite, bretry);
6206 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6207 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6208 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6211 /* Reinstate the original writing endpoint's write BIO */
6212 SSL_set0_wbio(peerwrite, tmp);
6215 /* Now read some data - we will read the key update */
6216 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6217 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6221 * Complete the write we started previously and read it from the other
6224 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6225 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6228 /* Write more data to ensure we send the KeyUpdate message back */
6229 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6230 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6236 SSL_free(serverssl);
6237 SSL_free(clientssl);
6247 * Test we can handle a KeyUpdate (update requested) message while
6248 * peer read data is pending after peer accepted keyupdate(the msg header
6249 * had been read 5 bytes).
6250 * Test 0: Client sends KeyUpdate while Server is reading
6251 * Test 1: Server sends KeyUpdate while Client is reading
6253 static int test_key_update_peer_in_read(int tst)
6255 SSL_CTX *cctx = NULL, *sctx = NULL;
6256 SSL *clientssl = NULL, *serverssl = NULL;
6258 char prbuf[515], lwbuf[515] = {0};
6259 static char *mess = "A test message";
6260 BIO *lbio = NULL, *pbio = NULL;
6261 SSL *local = NULL, *peer = NULL;
6263 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6264 TLS_client_method(),
6267 &sctx, &cctx, cert, privkey))
6268 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6270 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6274 local = tst == 0 ? clientssl : serverssl;
6275 peer = tst == 0 ? serverssl : clientssl;
6277 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6280 SSL_set_bio(local, lbio, lbio);
6281 SSL_set_bio(peer, pbio, pbio);
6284 * we first write keyupdate msg then appdata in local
6285 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6286 * lwbuf app data msg size + key updata msg size > 512(the size of
6287 * the bio pair buffer)
6289 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6290 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6291 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6295 * first read keyupdate msg in peer in peer
6296 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6298 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6299 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6302 /* Now write some data in peer - we will write the key update */
6303 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6307 * write data in local previously that we will complete
6308 * read data in peer previously that we will complete
6310 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6311 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6314 /* check that sending and receiving appdata ok */
6315 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6316 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6322 SSL_free(serverssl);
6323 SSL_free(clientssl);
6331 * Test we can't send a KeyUpdate (update requested) message while
6332 * local write data is pending.
6333 * Test 0: Client sends KeyUpdate while Client is writing
6334 * Test 1: Server sends KeyUpdate while Server is writing
6336 static int test_key_update_local_in_write(int tst)
6338 SSL_CTX *cctx = NULL, *sctx = NULL;
6339 SSL *clientssl = NULL, *serverssl = NULL;
6342 static char *mess = "A test message";
6343 BIO *bretry = BIO_new(bio_s_always_retry());
6345 SSL *local = NULL, *peer = NULL;
6347 if (!TEST_ptr(bretry)
6348 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6349 TLS_client_method(),
6352 &sctx, &cctx, cert, privkey))
6353 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6355 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6359 local = tst == 0 ? clientssl : serverssl;
6360 peer = tst == 0 ? serverssl : clientssl;
6362 /* Swap the writing endpoint's write BIO to force a retry */
6363 tmp = SSL_get_wbio(local);
6364 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6368 SSL_set0_wbio(local, bretry);
6371 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6372 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6373 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6376 /* Reinstate the original writing endpoint's write BIO */
6377 SSL_set0_wbio(local, tmp);
6380 /* SSL_key_update will fail, because writing in local*/
6381 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6382 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6386 /* write data in local previously that we will complete */
6387 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6390 /* SSL_key_update will succeed because there is no pending write data */
6391 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6392 || !TEST_int_eq(SSL_do_handshake(local), 1))
6396 * we write some appdata in local
6397 * read data in peer - we will read the keyupdate msg
6399 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6400 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6403 /* Write more peer more data to ensure we send the keyupdate message back */
6404 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6405 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6411 SSL_free(serverssl);
6412 SSL_free(clientssl);
6422 * Test we can handle a KeyUpdate (update requested) message while
6423 * local read data is pending(the msg header had been read 5 bytes).
6424 * Test 0: Client sends KeyUpdate while Client is reading
6425 * Test 1: Server sends KeyUpdate while Server is reading
6427 static int test_key_update_local_in_read(int tst)
6429 SSL_CTX *cctx = NULL, *sctx = NULL;
6430 SSL *clientssl = NULL, *serverssl = NULL;
6432 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6433 static char *mess = "A test message";
6434 BIO *lbio = NULL, *pbio = NULL;
6435 SSL *local = NULL, *peer = NULL;
6437 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6438 TLS_client_method(),
6441 &sctx, &cctx, cert, privkey))
6442 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6444 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6448 local = tst == 0 ? clientssl : serverssl;
6449 peer = tst == 0 ? serverssl : clientssl;
6451 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6454 SSL_set_bio(local, lbio, lbio);
6455 SSL_set_bio(peer, pbio, pbio);
6457 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6458 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6459 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6462 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6463 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6464 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6467 /* SSL_do_handshake will send keyupdate msg */
6468 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6469 || !TEST_int_eq(SSL_do_handshake(local), 1))
6473 * write data in peer previously that we will complete
6474 * read data in local previously that we will complete
6476 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6477 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6481 * write data in local
6482 * read data in peer - we will read the key update
6484 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6485 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6488 /* Write more peer data to ensure we send the keyupdate message back */
6489 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6490 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6496 SSL_free(serverssl);
6497 SSL_free(clientssl);
6503 #endif /* OSSL_NO_USABLE_TLS1_3 */
6505 static int test_ssl_clear(int idx)
6507 SSL_CTX *cctx = NULL, *sctx = NULL;
6508 SSL *clientssl = NULL, *serverssl = NULL;
6511 #ifdef OPENSSL_NO_TLS1_2
6516 /* Create an initial connection */
6517 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6518 TLS_client_method(), TLS1_VERSION, 0,
6519 &sctx, &cctx, cert, privkey))
6521 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6523 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6524 &clientssl, NULL, NULL))
6525 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6529 SSL_shutdown(clientssl);
6530 SSL_shutdown(serverssl);
6531 SSL_free(serverssl);
6534 /* Clear clientssl - we're going to reuse the object */
6535 if (!TEST_true(SSL_clear(clientssl)))
6538 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6540 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6542 || !TEST_true(SSL_session_reused(clientssl)))
6545 SSL_shutdown(clientssl);
6546 SSL_shutdown(serverssl);
6551 SSL_free(serverssl);
6552 SSL_free(clientssl);
6559 /* Parse CH and retrieve any MFL extension value if present */
6560 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6563 unsigned char *data;
6564 PACKET pkt, pkt2, pkt3;
6565 unsigned int MFL_code = 0, type = 0;
6567 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
6570 memset(&pkt, 0, sizeof(pkt));
6571 memset(&pkt2, 0, sizeof(pkt2));
6572 memset(&pkt3, 0, sizeof(pkt3));
6574 if (!TEST_long_gt(len, 0)
6575 || !TEST_true(PACKET_buf_init(&pkt, data, len))
6576 /* Skip the record header */
6577 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6578 /* Skip the handshake message header */
6579 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6580 /* Skip client version and random */
6581 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6582 + SSL3_RANDOM_SIZE))
6583 /* Skip session id */
6584 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6586 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6587 /* Skip compression */
6588 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6589 /* Extensions len */
6590 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6593 /* Loop through all extensions */
6594 while (PACKET_remaining(&pkt2)) {
6595 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6596 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6599 if (type == TLSEXT_TYPE_max_fragment_length) {
6600 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6601 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6604 *mfl_codemfl_code = MFL_code;
6613 /* Maximum-Fragment-Length TLS extension mode to test */
6614 static const unsigned char max_fragment_len_test[] = {
6615 TLSEXT_max_fragment_length_512,
6616 TLSEXT_max_fragment_length_1024,
6617 TLSEXT_max_fragment_length_2048,
6618 TLSEXT_max_fragment_length_4096
6621 static int test_max_fragment_len_ext(int idx_tst)
6623 SSL_CTX *ctx = NULL;
6625 int testresult = 0, MFL_mode = 0;
6628 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6629 TLS1_VERSION, 0, NULL, &ctx, NULL,
6633 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6634 ctx, max_fragment_len_test[idx_tst])))
6641 rbio = BIO_new(BIO_s_mem());
6642 wbio = BIO_new(BIO_s_mem());
6643 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6649 SSL_set_bio(con, rbio, wbio);
6651 if (!TEST_int_le(SSL_connect(con), 0)) {
6652 /* This shouldn't succeed because we don't have a server! */
6656 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6657 /* no MFL in client hello */
6659 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6671 #ifndef OSSL_NO_USABLE_TLS1_3
6672 static int test_pha_key_update(void)
6674 SSL_CTX *cctx = NULL, *sctx = NULL;
6675 SSL *clientssl = NULL, *serverssl = NULL;
6678 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6679 TLS_client_method(), TLS1_VERSION, 0,
6680 &sctx, &cctx, cert, privkey)))
6683 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6684 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6685 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6686 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6689 SSL_CTX_set_post_handshake_auth(cctx, 1);
6691 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6695 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6699 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6700 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6703 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6706 /* Start handshake on the server */
6707 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6710 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6711 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6715 SSL_shutdown(clientssl);
6716 SSL_shutdown(serverssl);
6721 SSL_free(serverssl);
6722 SSL_free(clientssl);
6729 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6731 static SRP_VBASE *vbase = NULL;
6733 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6735 int ret = SSL3_AL_FATAL;
6737 SRP_user_pwd *user = NULL;
6739 username = SSL_get_srp_username(s);
6740 if (username == NULL) {
6741 *ad = SSL_AD_INTERNAL_ERROR;
6745 user = SRP_VBASE_get1_by_user(vbase, username);
6747 *ad = SSL_AD_INTERNAL_ERROR;
6751 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6753 *ad = SSL_AD_INTERNAL_ERROR;
6760 SRP_user_pwd_free(user);
6764 static int create_new_vfile(char *userid, char *password, const char *filename)
6767 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6770 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6773 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6776 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6777 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6778 if (!TEST_ptr(gNid))
6782 * The only way to create an empty TXT_DB is to provide a BIO with no data
6785 db = TXT_DB_read(dummy, DB_NUMBER);
6789 out = BIO_new_file(filename, "w");
6793 row[DB_srpid] = OPENSSL_strdup(userid);
6794 row[DB_srptype] = OPENSSL_strdup("V");
6795 row[DB_srpgN] = OPENSSL_strdup(gNid);
6797 if (!TEST_ptr(row[DB_srpid])
6798 || !TEST_ptr(row[DB_srptype])
6799 || !TEST_ptr(row[DB_srpgN])
6800 || !TEST_true(TXT_DB_insert(db, row)))
6805 if (TXT_DB_write(out, db) <= 0)
6811 for (i = 0; i < DB_NUMBER; i++)
6812 OPENSSL_free(row[i]);
6822 static int create_new_vbase(char *userid, char *password)
6824 BIGNUM *verifier = NULL, *salt = NULL;
6825 const SRP_gN *lgN = NULL;
6826 SRP_user_pwd *user_pwd = NULL;
6829 lgN = SRP_get_default_gN(NULL);
6833 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6834 lgN->N, lgN->g, libctx, NULL)))
6837 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6838 if (!TEST_ptr(user_pwd))
6841 user_pwd->N = lgN->N;
6842 user_pwd->g = lgN->g;
6843 user_pwd->id = OPENSSL_strdup(userid);
6844 if (!TEST_ptr(user_pwd->id))
6847 user_pwd->v = verifier;
6849 verifier = salt = NULL;
6851 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6857 SRP_user_pwd_free(user_pwd);
6867 * Test 0: Simple successful SRP connection, new vbase
6868 * Test 1: Connection failure due to bad password, new vbase
6869 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6870 * Test 3: Connection failure due to bad password, vbase loaded from existing
6872 * Test 4: Simple successful SRP connection, vbase loaded from new file
6873 * Test 5: Connection failure due to bad password, vbase loaded from new file
6875 static int test_srp(int tst)
6877 char *userid = "test", *password = "password", *tstsrpfile;
6878 SSL_CTX *cctx = NULL, *sctx = NULL;
6879 SSL *clientssl = NULL, *serverssl = NULL;
6880 int ret, testresult = 0;
6882 vbase = SRP_VBASE_new(NULL);
6883 if (!TEST_ptr(vbase))
6886 if (tst == 0 || tst == 1) {
6887 if (!TEST_true(create_new_vbase(userid, password)))
6890 if (tst == 4 || tst == 5) {
6891 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6893 tstsrpfile = tmpfilename;
6895 tstsrpfile = srpvfile;
6897 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6901 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6902 TLS_client_method(), TLS1_VERSION, 0,
6903 &sctx, &cctx, cert, privkey)))
6906 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6907 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6908 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6909 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6910 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6914 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6917 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6921 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6925 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6927 if (!TEST_true(tst % 2 == 0))
6930 if (!TEST_true(tst % 2 == 1))
6937 SRP_VBASE_free(vbase);
6939 SSL_free(serverssl);
6940 SSL_free(clientssl);
6948 static int info_cb_failed = 0;
6949 static int info_cb_offset = 0;
6950 static int info_cb_this_state = -1;
6952 static struct info_cb_states_st {
6954 const char *statestr;
6955 } info_cb_states[][60] = {
6957 /* TLSv1.2 server followed by resumption */
6958 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6959 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6960 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6961 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6962 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6963 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6964 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6965 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6966 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
6967 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6968 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6969 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6970 {SSL_CB_EXIT, NULL}, {0, NULL},
6972 /* TLSv1.2 client followed by resumption */
6973 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6974 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6975 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6976 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6977 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6978 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6979 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6980 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6981 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6982 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6983 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6984 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6986 /* TLSv1.3 server followed by resumption */
6987 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6988 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6989 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6990 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6991 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6992 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6993 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6994 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6995 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6996 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6997 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6998 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6999 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7001 /* TLSv1.3 client followed by resumption */
7002 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7003 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7004 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7005 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7006 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7007 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7008 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7009 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7010 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7011 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7012 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7013 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7014 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7015 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7016 {SSL_CB_EXIT, NULL}, {0, NULL},
7018 /* TLSv1.3 server, early_data */
7019 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7020 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7021 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7022 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7023 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7024 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7025 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7026 {SSL_CB_EXIT, NULL}, {0, NULL},
7028 /* TLSv1.3 client, early_data */
7029 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7030 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7031 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7032 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7033 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7034 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7035 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7036 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7037 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7043 static void sslapi_info_callback(const SSL *s, int where, int ret)
7045 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7047 /* We do not ever expect a connection to fail in this test */
7048 if (!TEST_false(ret == 0)) {
7054 * Do some sanity checks. We never expect these things to happen in this
7057 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7058 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7059 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7064 /* Now check we're in the right state */
7065 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7069 if ((where & SSL_CB_LOOP) != 0
7070 && !TEST_int_eq(strcmp(SSL_state_string(s),
7071 state[info_cb_this_state].statestr), 0)) {
7077 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7079 if ((where & SSL_CB_HANDSHAKE_DONE)
7080 && SSL_in_init((SSL *)s) != 0) {
7087 * Test the info callback gets called when we expect it to.
7089 * Test 0: TLSv1.2, server
7090 * Test 1: TLSv1.2, client
7091 * Test 2: TLSv1.3, server
7092 * Test 3: TLSv1.3, client
7093 * Test 4: TLSv1.3, server, early_data
7094 * Test 5: TLSv1.3, client, early_data
7096 static int test_info_callback(int tst)
7098 SSL_CTX *cctx = NULL, *sctx = NULL;
7099 SSL *clientssl = NULL, *serverssl = NULL;
7100 SSL_SESSION *clntsess = NULL;
7105 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7106 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7107 || !defined(OPENSSL_NO_DH))
7108 tlsvers = TLS1_2_VERSION;
7113 #ifndef OSSL_NO_USABLE_TLS1_3
7114 tlsvers = TLS1_3_VERSION;
7122 info_cb_this_state = -1;
7123 info_cb_offset = tst;
7125 #ifndef OSSL_NO_USABLE_TLS1_3
7127 SSL_SESSION *sess = NULL;
7128 size_t written, readbytes;
7129 unsigned char buf[80];
7131 /* early_data tests */
7132 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7133 &serverssl, &sess, 0)))
7136 /* We don't actually need this reference */
7137 SSL_SESSION_free(sess);
7139 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7140 sslapi_info_callback);
7142 /* Write and read some early data and then complete the connection */
7143 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7145 || !TEST_size_t_eq(written, strlen(MSG1))
7146 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7147 sizeof(buf), &readbytes),
7148 SSL_READ_EARLY_DATA_SUCCESS)
7149 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7150 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7151 SSL_EARLY_DATA_ACCEPTED)
7152 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7154 || !TEST_false(info_cb_failed))
7162 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7163 TLS_client_method(),
7164 tlsvers, tlsvers, &sctx, &cctx, cert,
7168 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7172 * For even numbered tests we check the server callbacks. For odd numbers we
7175 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7176 sslapi_info_callback);
7178 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7179 &clientssl, NULL, NULL))
7180 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7182 || !TEST_false(info_cb_failed))
7187 clntsess = SSL_get1_session(clientssl);
7188 SSL_shutdown(clientssl);
7189 SSL_shutdown(serverssl);
7190 SSL_free(serverssl);
7191 SSL_free(clientssl);
7192 serverssl = clientssl = NULL;
7194 /* Now do a resumption */
7195 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7197 || !TEST_true(SSL_set_session(clientssl, clntsess))
7198 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7200 || !TEST_true(SSL_session_reused(clientssl))
7201 || !TEST_false(info_cb_failed))
7207 SSL_free(serverssl);
7208 SSL_free(clientssl);
7209 SSL_SESSION_free(clntsess);
7215 static int test_ssl_pending(int tst)
7217 SSL_CTX *cctx = NULL, *sctx = NULL;
7218 SSL *clientssl = NULL, *serverssl = NULL;
7220 char msg[] = "A test message";
7222 size_t written, readbytes;
7225 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7226 TLS_client_method(),
7228 &sctx, &cctx, cert, privkey)))
7231 #ifndef OPENSSL_NO_DTLS
7232 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7233 DTLS_client_method(),
7235 &sctx, &cctx, cert, privkey)))
7238 # ifdef OPENSSL_NO_DTLS1_2
7239 /* Not supported in the FIPS provider */
7245 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7248 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7249 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7250 "DEFAULT:@SECLEVEL=0")))
7258 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7260 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7264 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7265 || !TEST_false(SSL_has_pending(clientssl))
7266 || !TEST_int_eq(SSL_pending(serverssl), 0)
7267 || !TEST_false(SSL_has_pending(serverssl))
7268 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7269 || !TEST_size_t_eq(written, sizeof(msg))
7270 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7271 || !TEST_size_t_eq(readbytes, sizeof(buf))
7272 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7273 || !TEST_true(SSL_has_pending(clientssl)))
7279 SSL_free(serverssl);
7280 SSL_free(clientssl);
7288 unsigned int maxprot;
7289 const char *clntciphers;
7290 const char *clnttls13ciphers;
7291 const char *srvrciphers;
7292 const char *srvrtls13ciphers;
7294 const char *fipsshared;
7295 } shared_ciphers_data[] = {
7297 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7298 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7300 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7303 "AES128-SHA:AES256-SHA",
7305 "AES256-SHA:DHE-RSA-AES128-SHA",
7310 # if !defined(OPENSSL_NO_CHACHA) \
7311 && !defined(OPENSSL_NO_POLY1305) \
7312 && !defined(OPENSSL_NO_EC)
7315 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7317 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7319 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7325 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7327 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7329 "AES128-SHA:AES256-SHA",
7330 "AES128-SHA:AES256-SHA"
7334 "AES128-SHA:AES256-SHA",
7336 "AES128-SHA:DHE-RSA-AES128-SHA",
7343 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7346 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7347 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7350 "AES128-SHA:AES256-SHA",
7352 "AES256-SHA:AES128-SHA256",
7354 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7355 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7356 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7359 #ifndef OSSL_NO_USABLE_TLS1_3
7363 "TLS_AES_256_GCM_SHA384",
7365 "TLS_AES_256_GCM_SHA384",
7366 "TLS_AES_256_GCM_SHA384",
7367 "TLS_AES_256_GCM_SHA384"
7372 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7374 SSL_CTX *cctx = NULL, *sctx = NULL;
7375 SSL *clientssl = NULL, *serverssl = NULL;
7378 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7380 if (!TEST_ptr(tmplibctx))
7384 * Regardless of whether we're testing with the FIPS provider loaded into
7385 * libctx, we want one peer to always use the full set of ciphersuites
7386 * available. Therefore we use a separate libctx with the default provider
7387 * loaded into it. We run the same tests twice - once with the client side
7388 * having the full set of ciphersuites and once with the server side.
7391 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7392 if (!TEST_ptr(cctx))
7395 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7396 if (!TEST_ptr(sctx))
7400 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7401 TLS_client_method(),
7403 shared_ciphers_data[tst].maxprot,
7404 &sctx, &cctx, cert, privkey)))
7407 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7408 shared_ciphers_data[tst].clntciphers))
7409 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7410 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7411 shared_ciphers_data[tst].clnttls13ciphers)))
7412 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7413 shared_ciphers_data[tst].srvrciphers))
7414 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7415 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7416 shared_ciphers_data[tst].srvrtls13ciphers))))
7420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7422 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7426 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7427 || !TEST_int_eq(strcmp(buf,
7429 ? shared_ciphers_data[tst].fipsshared
7430 : shared_ciphers_data[tst].shared),
7432 TEST_info("Shared ciphers are: %s\n", buf);
7439 SSL_free(serverssl);
7440 SSL_free(clientssl);
7443 OSSL_LIB_CTX_free(tmplibctx);
7448 static int test_ssl_get_shared_ciphers(int tst)
7450 return int_test_ssl_get_shared_ciphers(tst, 0)
7451 && int_test_ssl_get_shared_ciphers(tst, 1);
7455 static const char *appdata = "Hello World";
7456 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7457 static int tick_key_renew = 0;
7458 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7460 static int gen_tick_cb(SSL *s, void *arg)
7462 gen_tick_called = 1;
7464 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7468 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7469 const unsigned char *keyname,
7470 size_t keyname_length,
7471 SSL_TICKET_STATUS status,
7477 dec_tick_called = 1;
7479 if (status == SSL_TICKET_EMPTY)
7480 return SSL_TICKET_RETURN_IGNORE_RENEW;
7482 if (!TEST_true(status == SSL_TICKET_SUCCESS
7483 || status == SSL_TICKET_SUCCESS_RENEW))
7484 return SSL_TICKET_RETURN_ABORT;
7486 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7488 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7489 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7490 return SSL_TICKET_RETURN_ABORT;
7492 if (tick_key_cb_called) {
7493 /* Don't change what the ticket key callback wanted to do */
7495 case SSL_TICKET_NO_DECRYPT:
7496 return SSL_TICKET_RETURN_IGNORE_RENEW;
7498 case SSL_TICKET_SUCCESS:
7499 return SSL_TICKET_RETURN_USE;
7501 case SSL_TICKET_SUCCESS_RENEW:
7502 return SSL_TICKET_RETURN_USE_RENEW;
7505 return SSL_TICKET_RETURN_ABORT;
7508 return tick_dec_ret;
7512 #ifndef OPENSSL_NO_DEPRECATED_3_0
7513 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7514 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7515 HMAC_CTX *hctx, int enc)
7517 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7518 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7519 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7520 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7523 tick_key_cb_called = 1;
7524 memset(iv, 0, AES_BLOCK_SIZE);
7525 memset(key_name, 0, 16);
7526 if (aes128cbc == NULL
7528 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7529 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7533 ret = tick_key_renew ? 2 : 1;
7535 EVP_CIPHER_free(aes128cbc);
7536 EVP_MD_free(sha256);
7542 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7543 unsigned char iv[EVP_MAX_IV_LENGTH],
7544 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7546 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7547 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7548 OSSL_PARAM params[2];
7549 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7552 tick_key_cb_called = 1;
7553 memset(iv, 0, AES_BLOCK_SIZE);
7554 memset(key_name, 0, 16);
7555 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7557 params[1] = OSSL_PARAM_construct_end();
7558 if (aes128cbc == NULL
7559 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7560 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7564 ret = tick_key_renew ? 2 : 1;
7566 EVP_CIPHER_free(aes128cbc);
7572 * Test the various ticket callbacks
7573 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7574 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7575 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7576 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7577 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7578 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7579 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7580 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7581 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7582 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7583 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7584 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7585 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7586 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7587 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7588 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7590 static int test_ticket_callbacks(int tst)
7592 SSL_CTX *cctx = NULL, *sctx = NULL;
7593 SSL *clientssl = NULL, *serverssl = NULL;
7594 SSL_SESSION *clntsess = NULL;
7597 #ifdef OPENSSL_NO_TLS1_2
7601 #ifdef OSSL_NO_USABLE_TLS1_3
7605 #ifdef OPENSSL_NO_DEPRECATED_3_0
7606 if (tst >= 8 && tst <= 11)
7610 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7612 /* Which tests the ticket key callback should request renewal for */
7613 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
7618 /* Which tests the decrypt ticket callback should request renewal for */
7622 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7627 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7632 tick_dec_ret = SSL_TICKET_RETURN_USE;
7637 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7641 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7644 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7645 TLS_client_method(),
7647 ((tst % 2) == 0) ? TLS1_2_VERSION
7649 &sctx, &cctx, cert, privkey)))
7653 * We only want sessions to resume from tickets - not the session cache. So
7654 * switch the cache off.
7656 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7659 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7664 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7666 #ifndef OPENSSL_NO_DEPRECATED_3_0
7667 } else if (tst >= 8) {
7668 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7675 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7680 * The decrypt ticket key callback in TLSv1.2 should be called even though
7681 * we have no ticket yet, because it gets called with a status of
7682 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7683 * actually send any ticket data). This does not happen in TLSv1.3 because
7684 * it is not valid to send empty ticket data in TLSv1.3.
7686 if (!TEST_int_eq(gen_tick_called, 1)
7687 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7690 gen_tick_called = dec_tick_called = 0;
7692 clntsess = SSL_get1_session(clientssl);
7693 SSL_shutdown(clientssl);
7694 SSL_shutdown(serverssl);
7695 SSL_free(serverssl);
7696 SSL_free(clientssl);
7697 serverssl = clientssl = NULL;
7699 /* Now do a resumption */
7700 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7702 || !TEST_true(SSL_set_session(clientssl, clntsess))
7703 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7707 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7708 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7709 if (!TEST_false(SSL_session_reused(clientssl)))
7712 if (!TEST_true(SSL_session_reused(clientssl)))
7716 if (!TEST_int_eq(gen_tick_called,
7718 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7719 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7721 || !TEST_int_eq(dec_tick_called, 1))
7727 SSL_SESSION_free(clntsess);
7728 SSL_free(serverssl);
7729 SSL_free(clientssl);
7737 * Test incorrect shutdown.
7738 * Test 0: client does not shutdown properly,
7739 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7740 * server should get SSL_ERROR_SSL
7741 * Test 1: client does not shutdown properly,
7742 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7743 * server should get SSL_ERROR_ZERO_RETURN
7745 static int test_incorrect_shutdown(int tst)
7747 SSL_CTX *cctx = NULL, *sctx = NULL;
7748 SSL *clientssl = NULL, *serverssl = NULL;
7753 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7754 TLS_client_method(), 0, 0,
7755 &sctx, &cctx, cert, privkey)))
7759 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7765 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7769 c2s = SSL_get_rbio(serverssl);
7770 BIO_set_mem_eof_return(c2s, 0);
7772 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7775 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7777 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7783 SSL_free(serverssl);
7784 SSL_free(clientssl);
7792 * Test bi-directional shutdown.
7794 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7795 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7796 * Test 3: TLSv1.3, pending NewSessionTicket messages
7797 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7798 * sends key update, client reads it
7799 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7800 * sends CertificateRequest, client reads and ignores it
7801 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7804 static int test_shutdown(int tst)
7806 SSL_CTX *cctx = NULL, *sctx = NULL;
7807 SSL *clientssl = NULL, *serverssl = NULL;
7809 char msg[] = "A test message";
7811 size_t written, readbytes;
7814 #ifdef OPENSSL_NO_TLS1_2
7818 #ifdef OSSL_NO_USABLE_TLS1_3
7823 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7824 TLS_client_method(),
7826 (tst <= 1) ? TLS1_2_VERSION
7828 &sctx, &cctx, cert, privkey)))
7832 SSL_CTX_set_post_handshake_auth(cctx, 1);
7834 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7839 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7841 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7842 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7844 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7846 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7847 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7851 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7856 * Reading on the server after the client has sent close_notify should
7857 * fail and provide SSL_ERROR_ZERO_RETURN
7859 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7860 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7861 SSL_ERROR_ZERO_RETURN)
7862 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7863 SSL_RECEIVED_SHUTDOWN)
7865 * Even though we're shutdown on receive we should still be
7868 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7871 && !TEST_true(SSL_key_update(serverssl,
7872 SSL_KEY_UPDATE_REQUESTED)))
7875 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7876 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7879 if ((tst == 4 || tst == 5)
7880 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7882 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7884 if (tst == 4 || tst == 5) {
7885 /* Should still be able to read data from server */
7886 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7888 || !TEST_size_t_eq(readbytes, sizeof(msg))
7889 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7890 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7892 || !TEST_size_t_eq(readbytes, sizeof(msg))
7893 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7898 /* Writing on the client after sending close_notify shouldn't be possible */
7899 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7904 * For these tests the client has sent close_notify but it has not yet
7905 * been received by the server. The server has not sent close_notify
7908 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7910 * Writing on the server after sending close_notify shouldn't
7913 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7914 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7915 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7916 || !TEST_true(SSL_SESSION_is_resumable(sess))
7917 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7919 } else if (tst == 4 || tst == 5) {
7921 * In this test the client has sent close_notify and it has been
7922 * received by the server which has responded with a close_notify. The
7923 * client needs to read the close_notify sent by the server.
7925 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7926 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7927 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7933 * The client has sent close_notify and is expecting a close_notify
7934 * back, but instead there is application data first. The shutdown
7935 * should fail with a fatal error.
7937 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7938 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7945 SSL_free(serverssl);
7946 SSL_free(clientssl);
7953 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7954 static int cert_cb_cnt;
7956 static int cert_cb(SSL *s, void *arg)
7958 SSL_CTX *ctx = (SSL_CTX *)arg;
7960 EVP_PKEY *pkey = NULL;
7961 X509 *x509 = NULL, *rootx = NULL;
7962 STACK_OF(X509) *chain = NULL;
7963 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7966 if (cert_cb_cnt == 0) {
7967 /* Suspend the handshake */
7970 } else if (cert_cb_cnt == 1) {
7972 * Update the SSL_CTX, set the certificate and private key and then
7973 * continue the handshake normally.
7975 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7978 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7979 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7981 || !TEST_true(SSL_check_private_key(s)))
7985 } else if (cert_cb_cnt == 3) {
7988 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7989 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7990 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7991 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7993 chain = sk_X509_new_null();
7994 if (!TEST_ptr(chain))
7996 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7997 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
7998 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
7999 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8000 || !TEST_true(sk_X509_push(chain, rootx)))
8004 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8005 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8006 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8007 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8010 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8011 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8012 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8016 rv = SSL_check_chain(s, x509, pkey, chain);
8018 * If the cert doesn't show as valid here (e.g., because we don't
8019 * have any shared sigalgs), then we will not set it, and there will
8020 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8021 * will cause tls_choose_sigalgs() to fail the connection.
8023 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8024 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8025 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8032 /* Abort the handshake */
8034 OPENSSL_free(ecdsacert);
8035 OPENSSL_free(ecdsakey);
8036 OPENSSL_free(rootfile);
8038 EVP_PKEY_free(pkey);
8041 OSSL_STACK_OF_X509_free(chain);
8046 * Test the certificate callback.
8047 * Test 0: Callback fails
8048 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8049 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8050 * Test 3: Success - Call SSL_check_chain from the callback
8051 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8053 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8055 static int test_cert_cb_int(int prot, int tst)
8057 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8058 SSL *clientssl = NULL, *serverssl = NULL;
8059 int testresult = 0, ret;
8061 #ifdef OPENSSL_NO_EC
8062 /* We use an EC cert in these tests, so we skip in a no-ec build */
8067 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8068 TLS_client_method(),
8071 &sctx, &cctx, NULL, NULL)))
8082 snictx = SSL_CTX_new(TLS_server_method());
8083 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8085 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8091 * We cause SSL_check_chain() to fail by specifying sig_algs that
8092 * the chain doesn't meet (the root uses an RSA cert)
8094 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8095 "ecdsa_secp256r1_sha256")))
8097 } else if (tst == 5) {
8099 * We cause SSL_check_chain() to fail by specifying sig_algs that
8100 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8102 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8103 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8107 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8108 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8110 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8117 SSL_free(serverssl);
8118 SSL_free(clientssl);
8121 SSL_CTX_free(snictx);
8127 static int test_cert_cb(int tst)
8131 #ifndef OPENSSL_NO_TLS1_2
8132 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8134 #ifndef OSSL_NO_USABLE_TLS1_3
8135 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8141 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8146 BIO *priv_in = NULL;
8148 /* Check that SSL_get0_peer_certificate() returns something sensible */
8149 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8152 in = BIO_new_file(cert, "r");
8156 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8157 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8158 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8159 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8177 static int test_client_cert_cb(int tst)
8179 SSL_CTX *cctx = NULL, *sctx = NULL;
8180 SSL *clientssl = NULL, *serverssl = NULL;
8183 #ifdef OPENSSL_NO_TLS1_2
8187 #ifdef OSSL_NO_USABLE_TLS1_3
8192 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8193 TLS_client_method(),
8195 tst == 0 ? TLS1_2_VERSION
8197 &sctx, &cctx, cert, privkey)))
8201 * Test that setting a client_cert_cb results in a client certificate being
8204 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8205 SSL_CTX_set_verify(sctx,
8206 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8209 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8211 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8218 SSL_free(serverssl);
8219 SSL_free(clientssl);
8226 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8228 * Test setting certificate authorities on both client and server.
8230 * Test 0: SSL_CTX_set0_CA_list() only
8231 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8232 * Test 2: Only SSL_CTX_set_client_CA_list()
8234 static int test_ca_names_int(int prot, int tst)
8236 SSL_CTX *cctx = NULL, *sctx = NULL;
8237 SSL *clientssl = NULL, *serverssl = NULL;
8240 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8241 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8242 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8243 const STACK_OF(X509_NAME) *sktmp = NULL;
8245 for (i = 0; i < OSSL_NELEM(name); i++) {
8246 name[i] = X509_NAME_new();
8247 if (!TEST_ptr(name[i])
8248 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8256 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8257 TLS_client_method(),
8260 &sctx, &cctx, cert, privkey)))
8263 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8265 if (tst == 0 || tst == 1) {
8266 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8267 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8268 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8269 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8270 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8271 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8274 SSL_CTX_set0_CA_list(sctx, sk1);
8275 SSL_CTX_set0_CA_list(cctx, sk2);
8278 if (tst == 1 || tst == 2) {
8279 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8280 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8281 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8282 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8283 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8284 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8287 SSL_CTX_set_client_CA_list(sctx, sk1);
8288 SSL_CTX_set_client_CA_list(cctx, sk2);
8292 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8294 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8299 * We only expect certificate authorities to have been sent to the server
8300 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8302 sktmp = SSL_get0_peer_CA_list(serverssl);
8303 if (prot == TLS1_3_VERSION
8304 && (tst == 0 || tst == 1)) {
8305 if (!TEST_ptr(sktmp)
8306 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8307 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8309 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8312 } else if (!TEST_ptr_null(sktmp)) {
8317 * In all tests we expect certificate authorities to have been sent to the
8318 * client. However, SSL_set_client_CA_list() should override
8319 * SSL_set0_CA_list()
8321 sktmp = SSL_get0_peer_CA_list(clientssl);
8322 if (!TEST_ptr(sktmp)
8323 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8324 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8325 name[tst == 0 ? 0 : 2]), 0)
8326 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8327 name[tst == 0 ? 1 : 3]), 0))
8333 SSL_free(serverssl);
8334 SSL_free(clientssl);
8337 for (i = 0; i < OSSL_NELEM(name); i++)
8338 X509_NAME_free(name[i]);
8339 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8340 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8346 static int test_ca_names(int tst)
8350 #ifndef OPENSSL_NO_TLS1_2
8351 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8353 #ifndef OSSL_NO_USABLE_TLS1_3
8354 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8360 #ifndef OPENSSL_NO_TLS1_2
8361 static const char *multiblock_cipherlist_data[]=
8369 /* Reduce the fragment size - so the multiblock test buffer can be small */
8370 # define MULTIBLOCK_FRAGSIZE 512
8372 static int test_multiblock_write(int test_index)
8374 static const char *fetchable_ciphers[]=
8376 "AES-128-CBC-HMAC-SHA1",
8377 "AES-128-CBC-HMAC-SHA256",
8378 "AES-256-CBC-HMAC-SHA1",
8379 "AES-256-CBC-HMAC-SHA256"
8381 const char *cipherlist = multiblock_cipherlist_data[test_index];
8382 const SSL_METHOD *smeth = TLS_server_method();
8383 const SSL_METHOD *cmeth = TLS_client_method();
8384 int min_version = TLS1_VERSION;
8385 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8386 SSL_CTX *cctx = NULL, *sctx = NULL;
8387 SSL *clientssl = NULL, *serverssl = NULL;
8391 * Choose a buffer large enough to perform a multi-block operation
8392 * i.e: write_len >= 4 * frag_size
8393 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8395 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8396 unsigned char buf[sizeof(msg)], *p = buf;
8397 size_t readbytes, written, len;
8398 EVP_CIPHER *ciph = NULL;
8401 * Check if the cipher exists before attempting to use it since it only has
8402 * a hardware specific implementation.
8404 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8406 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8409 EVP_CIPHER_free(ciph);
8411 /* Set up a buffer with some data that will be sent to the client */
8412 RAND_bytes(msg, sizeof(msg));
8414 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8415 max_version, &sctx, &cctx, cert,
8419 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8426 /* settings to force it to use AES-CBC-HMAC_SHA */
8427 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8428 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8431 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8434 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8435 || !TEST_size_t_eq(written, sizeof(msg)))
8440 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8445 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8450 SSL_free(serverssl);
8451 SSL_free(clientssl);
8457 #endif /* OPENSSL_NO_TLS1_2 */
8459 static int test_session_timeout(int test)
8462 * Test session ordering and timeout
8463 * Can't explicitly test performance of the new code,
8464 * but can test to see if the ordering of the sessions
8465 * are correct, and they they are removed as expected
8467 SSL_SESSION *early = NULL;
8468 SSL_SESSION *middle = NULL;
8469 SSL_SESSION *late = NULL;
8472 long now = (long)time(NULL);
8475 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8476 || !TEST_ptr(early = SSL_SESSION_new())
8477 || !TEST_ptr(middle = SSL_SESSION_new())
8478 || !TEST_ptr(late = SSL_SESSION_new()))
8481 /* assign unique session ids */
8482 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8483 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8484 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8485 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8486 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8487 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8489 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8490 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8491 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8494 /* Make sure they are all added */
8495 if (!TEST_ptr(early->prev)
8496 || !TEST_ptr(middle->prev)
8497 || !TEST_ptr(late->prev))
8500 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8501 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8502 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8505 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8506 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8507 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8510 /* Make sure they are all still there */
8511 if (!TEST_ptr(early->prev)
8512 || !TEST_ptr(middle->prev)
8513 || !TEST_ptr(late->prev))
8516 /* Make sure they are in the expected order */
8517 if (!TEST_ptr_eq(late->next, middle)
8518 || !TEST_ptr_eq(middle->next, early)
8519 || !TEST_ptr_eq(early->prev, middle)
8520 || !TEST_ptr_eq(middle->prev, late))
8523 /* This should remove "early" */
8524 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8525 if (!TEST_ptr_null(early->prev)
8526 || !TEST_ptr(middle->prev)
8527 || !TEST_ptr(late->prev))
8530 /* This should remove "middle" */
8531 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8532 if (!TEST_ptr_null(early->prev)
8533 || !TEST_ptr_null(middle->prev)
8534 || !TEST_ptr(late->prev))
8537 /* This should remove "late" */
8538 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8539 if (!TEST_ptr_null(early->prev)
8540 || !TEST_ptr_null(middle->prev)
8541 || !TEST_ptr_null(late->prev))
8544 /* Add them back in again */
8545 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8546 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8547 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8550 /* Make sure they are all added */
8551 if (!TEST_ptr(early->prev)
8552 || !TEST_ptr(middle->prev)
8553 || !TEST_ptr(late->prev))
8556 /* This should remove all of them */
8557 SSL_CTX_flush_sessions(ctx, 0);
8558 if (!TEST_ptr_null(early->prev)
8559 || !TEST_ptr_null(middle->prev)
8560 || !TEST_ptr_null(late->prev))
8563 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8564 | SSL_CTX_get_session_cache_mode(ctx));
8566 /* make sure |now| is NOT equal to the current time */
8568 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8569 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8570 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8576 SSL_SESSION_free(early);
8577 SSL_SESSION_free(middle);
8578 SSL_SESSION_free(late);
8583 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8584 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8585 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8586 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8587 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8588 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8589 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8590 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8591 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8592 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8594 static int test_servername(int tst)
8596 SSL_CTX *cctx = NULL, *sctx = NULL;
8597 SSL *clientssl = NULL, *serverssl = NULL;
8599 SSL_SESSION *sess = NULL;
8600 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8602 #ifdef OPENSSL_NO_TLS1_2
8606 #ifdef OSSL_NO_USABLE_TLS1_3
8611 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8612 TLS_client_method(),
8614 (tst <= 4) ? TLS1_2_VERSION
8616 &sctx, &cctx, cert, privkey))
8617 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8621 if (tst != 1 && tst != 6) {
8622 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8627 if (tst != 3 && tst != 8) {
8628 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8630 sexpectedhost = cexpectedhost = "goodhost";
8633 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8636 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8638 || !TEST_str_eq(SSL_get_servername(serverssl,
8639 TLSEXT_NAMETYPE_host_name),
8643 /* Now repeat with a resumption handshake */
8645 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8646 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8647 || !TEST_true(SSL_SESSION_is_resumable(sess))
8648 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8651 SSL_free(clientssl);
8652 SSL_free(serverssl);
8653 clientssl = serverssl = NULL;
8655 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8659 if (!TEST_true(SSL_set_session(clientssl, sess)))
8662 sexpectedhost = cexpectedhost = "goodhost";
8663 if (tst == 2 || tst == 7) {
8664 /* Set an inconsistent hostname */
8665 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8668 * In TLSv1.2 we expect the hostname from the original handshake, in
8669 * TLSv1.3 we expect the hostname from this handshake
8672 sexpectedhost = cexpectedhost = "altgoodhost";
8674 if (!TEST_str_eq(SSL_get_servername(clientssl,
8675 TLSEXT_NAMETYPE_host_name),
8678 } else if (tst == 4 || tst == 9) {
8680 * A TLSv1.3 session does not associate a session with a servername,
8681 * but a TLSv1.2 session does.
8684 sexpectedhost = cexpectedhost = NULL;
8686 if (!TEST_str_eq(SSL_get_servername(clientssl,
8687 TLSEXT_NAMETYPE_host_name),
8691 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8694 * In a TLSv1.2 resumption where the hostname was not acknowledged
8695 * we expect the hostname on the server to be empty. On the client we
8696 * return what was requested in this case.
8698 * Similarly if the client didn't set a hostname on an original TLSv1.2
8699 * session but is now, the server hostname will be empty, but the client
8702 if (tst == 1 || tst == 3)
8703 sexpectedhost = NULL;
8705 if (!TEST_str_eq(SSL_get_servername(clientssl,
8706 TLSEXT_NAMETYPE_host_name),
8711 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8714 if (!TEST_true(SSL_session_reused(clientssl))
8715 || !TEST_true(SSL_session_reused(serverssl))
8716 || !TEST_str_eq(SSL_get_servername(clientssl,
8717 TLSEXT_NAMETYPE_host_name),
8719 || !TEST_str_eq(SSL_get_servername(serverssl,
8720 TLSEXT_NAMETYPE_host_name),
8727 SSL_SESSION_free(sess);
8728 SSL_free(serverssl);
8729 SSL_free(clientssl);
8736 #if !defined(OPENSSL_NO_EC) \
8737 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8739 * Test that if signature algorithms are not available, then we do not offer or
8741 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8742 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8743 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8744 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8745 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8746 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8748 static int test_sigalgs_available(int idx)
8750 SSL_CTX *cctx = NULL, *sctx = NULL;
8751 SSL *clientssl = NULL, *serverssl = NULL;
8753 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8754 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
8755 OSSL_PROVIDER *filterprov = NULL;
8758 if (!TEST_ptr(tmpctx))
8761 if (idx != 0 && idx != 3) {
8762 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8763 filter_provider_init)))
8766 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8767 if (!TEST_ptr(filterprov))
8772 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8773 * or accepted for the peer that uses this libctx. Note that libssl
8774 * *requires* SHA2-256 to be available so we cannot disable that. We
8775 * also need SHA1 for our certificate.
8777 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8781 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8783 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8788 if (idx == 1 || idx == 4)
8794 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8795 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
8796 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8800 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8801 TLS_client_method(),
8804 &sctx, &cctx, cert, privkey)))
8807 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8808 TLS_client_method(),
8811 &sctx, &cctx, cert2, privkey2)))
8815 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8817 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8818 "ECDHE-RSA-AES128-GCM-SHA256")))
8821 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8822 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8827 if (!SSL_CTX_set1_sigalgs_list(cctx,
8828 "rsa_pss_rsae_sha384"
8829 ":rsa_pss_rsae_sha256")
8830 || !SSL_CTX_set1_sigalgs_list(sctx,
8831 "rsa_pss_rsae_sha384"
8832 ":rsa_pss_rsae_sha256"))
8835 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8836 || !SSL_CTX_set1_sigalgs_list(sctx,
8837 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8842 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8843 SSL_FILETYPE_PEM), 1)
8844 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8846 SSL_FILETYPE_PEM), 1)
8847 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
8850 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8854 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8857 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8858 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8860 (idx == 0 || idx == 3) ? 2 : 1))
8863 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8866 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8870 testresult = filter_provider_check_clean_finish();
8873 SSL_free(serverssl);
8874 SSL_free(clientssl);
8877 OSSL_PROVIDER_unload(filterprov);
8878 OSSL_LIB_CTX_free(tmpctx);
8883 * !defined(OPENSSL_NO_EC) \
8884 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8887 #ifndef OPENSSL_NO_TLS1_3
8888 /* This test can run in TLSv1.3 even if ec and dh are disabled */
8889 static int test_pluggable_group(int idx)
8891 SSL_CTX *cctx = NULL, *sctx = NULL;
8892 SSL *clientssl = NULL, *serverssl = NULL;
8894 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8895 /* Check that we are not impacted by a provider without any groups */
8896 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8897 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8899 if (!TEST_ptr(tlsprov))
8902 if (legacyprov == NULL) {
8904 * In this case we assume we've been built with "no-legacy" and skip
8905 * this test (there is no OPENSSL_NO_LEGACY)
8911 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8912 TLS_client_method(),
8915 &sctx, &cctx, cert, privkey))
8916 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8920 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8921 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8924 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8927 if (!TEST_str_eq(group_name,
8928 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8934 SSL_free(serverssl);
8935 SSL_free(clientssl);
8938 OSSL_PROVIDER_unload(tlsprov);
8939 OSSL_PROVIDER_unload(legacyprov);
8945 #ifndef OPENSSL_NO_TLS1_2
8946 static int test_ssl_dup(void)
8948 SSL_CTX *cctx = NULL, *sctx = NULL;
8949 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8951 BIO *rbio = NULL, *wbio = NULL;
8953 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8954 TLS_client_method(),
8957 &sctx, &cctx, cert, privkey)))
8960 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8964 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8965 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8968 client2ssl = SSL_dup(clientssl);
8969 rbio = SSL_get_rbio(clientssl);
8971 || !TEST_true(BIO_up_ref(rbio)))
8973 SSL_set0_rbio(client2ssl, rbio);
8976 wbio = SSL_get_wbio(clientssl);
8977 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8979 SSL_set0_wbio(client2ssl, wbio);
8982 if (!TEST_ptr(client2ssl)
8983 /* Handshake not started so pointers should be different */
8984 || !TEST_ptr_ne(clientssl, client2ssl))
8987 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8988 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8991 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8994 SSL_free(clientssl);
8995 clientssl = SSL_dup(client2ssl);
8996 if (!TEST_ptr(clientssl)
8997 /* Handshake has finished so pointers should be the same */
8998 || !TEST_ptr_eq(clientssl, client2ssl))
9004 SSL_free(serverssl);
9005 SSL_free(clientssl);
9006 SSL_free(client2ssl);
9013 # ifndef OPENSSL_NO_DH
9015 static EVP_PKEY *tmp_dh_params = NULL;
9017 /* Helper function for the test_set_tmp_dh() tests */
9018 static EVP_PKEY *get_tmp_dh_params(void)
9020 if (tmp_dh_params == NULL) {
9022 OSSL_PARAM_BLD *tmpl = NULL;
9023 EVP_PKEY_CTX *pctx = NULL;
9024 OSSL_PARAM *params = NULL;
9025 EVP_PKEY *dhpkey = NULL;
9027 p = BN_get_rfc3526_prime_2048(NULL);
9031 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9033 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9036 tmpl = OSSL_PARAM_BLD_new();
9038 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9039 OSSL_PKEY_PARAM_FFC_P,
9041 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9042 OSSL_PKEY_PARAM_FFC_G,
9046 params = OSSL_PARAM_BLD_to_param(tmpl);
9047 if (!TEST_ptr(params)
9048 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9049 EVP_PKEY_KEY_PARAMETERS,
9053 tmp_dh_params = dhpkey;
9056 EVP_PKEY_CTX_free(pctx);
9057 OSSL_PARAM_BLD_free(tmpl);
9058 OSSL_PARAM_free(params);
9061 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9064 return tmp_dh_params;
9067 # ifndef OPENSSL_NO_DEPRECATED_3_0
9068 /* Callback used by test_set_tmp_dh() */
9069 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9071 EVP_PKEY *dhpkey = get_tmp_dh_params();
9074 if (!TEST_ptr(dhpkey))
9078 * libssl does not free the returned DH, so we free it now knowing that even
9079 * after we free dhpkey, there will still be a reference to the owning
9080 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9081 * of time we need it for.
9083 ret = EVP_PKEY_get1_DH(dhpkey);
9086 EVP_PKEY_free(dhpkey);
9093 * Test the various methods for setting temporary DH parameters
9095 * Test 0: Default (no auto) setting
9096 * Test 1: Explicit SSL_CTX auto off
9097 * Test 2: Explicit SSL auto off
9098 * Test 3: Explicit SSL_CTX auto on
9099 * Test 4: Explicit SSL auto on
9100 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9101 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9103 * The following are testing deprecated APIs, so we only run them if available
9104 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9105 * Test 8: Explicit SSL auto off, custom DH params via DH
9106 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9107 * Test 10: Explicit SSL auto off, custom DH params via callback
9109 static int test_set_tmp_dh(int idx)
9111 SSL_CTX *cctx = NULL, *sctx = NULL;
9112 SSL *clientssl = NULL, *serverssl = NULL;
9114 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9115 int expected = (idx <= 2) ? 0 : 1;
9116 EVP_PKEY *dhpkey = NULL;
9117 # ifndef OPENSSL_NO_DEPRECATED_3_0
9125 if (idx >= 5 && idx <= 8) {
9126 dhpkey = get_tmp_dh_params();
9127 if (!TEST_ptr(dhpkey))
9130 # ifndef OPENSSL_NO_DEPRECATED_3_0
9131 if (idx == 7 || idx == 8) {
9132 dh = EVP_PKEY_get1_DH(dhpkey);
9138 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9139 TLS_client_method(),
9142 &sctx, &cctx, cert, privkey)))
9145 if ((idx & 1) == 1) {
9146 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9151 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9155 # ifndef OPENSSL_NO_DEPRECATED_3_0
9156 else if (idx == 7) {
9157 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9159 } else if (idx == 9) {
9160 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9164 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9168 if ((idx & 1) == 0 && idx != 0) {
9169 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9173 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9177 # ifndef OPENSSL_NO_DEPRECATED_3_0
9178 else if (idx == 8) {
9179 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9181 } else if (idx == 10) {
9182 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9186 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9187 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9188 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9192 * If autoon then we should succeed. Otherwise we expect failure because
9193 * there are no parameters
9195 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9196 SSL_ERROR_NONE), expected))
9202 # ifndef OPENSSL_NO_DEPRECATED_3_0
9205 SSL_free(serverssl);
9206 SSL_free(clientssl);
9209 EVP_PKEY_free(dhpkey);
9215 * Test the auto DH keys are appropriately sized
9217 static int test_dh_auto(int idx)
9219 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9220 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9221 SSL *clientssl = NULL, *serverssl = NULL;
9223 EVP_PKEY *tmpkey = NULL;
9224 char *thiscert = NULL, *thiskey = NULL;
9225 size_t expdhsize = 0;
9226 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9228 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9233 /* The FIPS provider doesn't support this DH size - so we ignore it */
9238 thiscert = cert1024;
9239 thiskey = privkey1024;
9241 SSL_CTX_set_security_level(sctx, 1);
9242 SSL_CTX_set_security_level(cctx, 1);
9245 /* 2048 bit prime */
9251 thiscert = cert3072;
9252 thiskey = privkey3072;
9256 thiscert = cert4096;
9257 thiskey = privkey4096;
9261 thiscert = cert8192;
9262 thiskey = privkey8192;
9265 /* No certificate cases */
9267 /* The FIPS provider doesn't support this DH size - so we ignore it */
9272 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9276 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9280 TEST_error("Invalid text index");
9284 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9288 &sctx, &cctx, thiscert, thiskey)))
9291 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9295 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9296 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9297 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9298 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9299 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9303 * Send the server's first flight. At this point the server has created the
9304 * temporary DH key but hasn't finished using it yet. Once used it is
9305 * removed, so we cannot test it.
9307 if (!TEST_int_le(SSL_connect(clientssl), 0)
9308 || !TEST_int_le(SSL_accept(serverssl), 0))
9311 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9313 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9316 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9322 SSL_free(serverssl);
9323 SSL_free(clientssl);
9326 EVP_PKEY_free(tmpkey);
9331 # endif /* OPENSSL_NO_DH */
9332 #endif /* OPENSSL_NO_TLS1_2 */
9334 #ifndef OSSL_NO_USABLE_TLS1_3
9336 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9337 * that it works even without a certificate configured for the original
9340 static int test_sni_tls13(void)
9342 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9343 SSL *clientssl = NULL, *serverssl = NULL;
9346 /* Reset callback counter */
9349 /* Create an initial SSL_CTX with no certificate configured */
9350 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9351 if (!TEST_ptr(sctx))
9353 /* Require TLSv1.3 as a minimum */
9354 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9355 TLS_client_method(), TLS1_3_VERSION, 0,
9356 &sctx2, &cctx, cert, privkey)))
9360 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9361 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9365 * Connection should still succeed because the final SSL_CTX has the right
9366 * certificates configured.
9368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9369 &clientssl, NULL, NULL))
9370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9374 /* We should have had the SNI callback called exactly once */
9375 if (!TEST_int_eq(snicb, 1))
9381 SSL_free(serverssl);
9382 SSL_free(clientssl);
9383 SSL_CTX_free(sctx2);
9390 * Test that setting an ALPN does not violate RFC
9392 static int test_set_alpn(void)
9394 SSL_CTX *ctx = NULL;
9398 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9399 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9400 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9401 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9402 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9403 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9405 /* Create an initial SSL_CTX with no certificate configured */
9406 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9410 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9411 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9413 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9415 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9417 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9419 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9421 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9423 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9425 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9427 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9434 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9436 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9438 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9440 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9442 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9444 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9446 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9448 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9450 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9461 static int test_inherit_verify_param(void)
9465 SSL_CTX *ctx = NULL;
9466 X509_VERIFY_PARAM *cp = NULL;
9468 X509_VERIFY_PARAM *sp = NULL;
9469 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9471 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9475 cp = SSL_CTX_get0_param(ctx);
9478 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9481 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9487 sp = SSL_get0_param(ssl);
9490 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9502 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
9504 int setup_tests(void)
9509 libctx = OSSL_LIB_CTX_new();
9510 if (!TEST_ptr(libctx))
9513 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9516 * Verify that the default and fips providers in the default libctx are not
9519 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9520 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9523 if (!test_skip_common_options()) {
9524 TEST_error("Error parsing test options\n");
9528 if (!TEST_ptr(certsdir = test_get_argument(0))
9529 || !TEST_ptr(srpvfile = test_get_argument(1))
9530 || !TEST_ptr(tmpfilename = test_get_argument(2))
9531 || !TEST_ptr(modulename = test_get_argument(3))
9532 || !TEST_ptr(configfile = test_get_argument(4)))
9535 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
9538 /* Check we have the expected provider available */
9539 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9542 /* Check the default provider is not available */
9543 if (strcmp(modulename, "default") != 0
9544 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
9547 if (strcmp(modulename, "fips") == 0)
9551 * We add, but don't load the test "tls-provider". We'll load it when we
9554 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9555 tls_provider_init)))
9559 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9560 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
9561 TEST_error("not supported in this build");
9564 int i, mcount, rcount, fcount;
9566 for (i = 0; i < 4; i++)
9567 test_export_key_mat(i);
9568 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9569 test_printf_stdout("malloc %d realloc %d free %d\n",
9570 mcount, rcount, fcount);
9575 cert = test_mk_file_path(certsdir, "servercert.pem");
9579 privkey = test_mk_file_path(certsdir, "serverkey.pem");
9580 if (privkey == NULL)
9583 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9587 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9588 if (privkey2 == NULL)
9591 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9592 if (cert1024 == NULL)
9595 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9596 if (privkey1024 == NULL)
9599 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9600 if (cert3072 == NULL)
9603 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9604 if (privkey3072 == NULL)
9607 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9608 if (cert4096 == NULL)
9611 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9612 if (privkey4096 == NULL)
9615 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9616 if (cert8192 == NULL)
9619 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9620 if (privkey8192 == NULL)
9623 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
9624 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9625 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9626 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
9629 ADD_TEST(test_large_message_tls);
9630 ADD_TEST(test_large_message_tls_read_ahead);
9631 #ifndef OPENSSL_NO_DTLS
9632 ADD_TEST(test_large_message_dtls);
9634 ADD_TEST(test_cleanse_plaintext);
9635 #ifndef OPENSSL_NO_OCSP
9636 ADD_TEST(test_tlsext_status_type);
9638 ADD_TEST(test_session_with_only_int_cache);
9639 ADD_TEST(test_session_with_only_ext_cache);
9640 ADD_TEST(test_session_with_both_cache);
9641 ADD_TEST(test_session_wo_ca_names);
9642 #ifndef OSSL_NO_USABLE_TLS1_3
9643 ADD_ALL_TESTS(test_stateful_tickets, 3);
9644 ADD_ALL_TESTS(test_stateless_tickets, 3);
9645 ADD_TEST(test_psk_tickets);
9646 ADD_ALL_TESTS(test_extra_tickets, 6);
9648 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9649 ADD_TEST(test_ssl_bio_pop_next_bio);
9650 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9651 ADD_TEST(test_ssl_bio_change_rbio);
9652 ADD_TEST(test_ssl_bio_change_wbio);
9653 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
9654 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
9655 ADD_TEST(test_keylog);
9657 #ifndef OSSL_NO_USABLE_TLS1_3
9658 ADD_TEST(test_keylog_no_master_key);
9660 ADD_TEST(test_client_cert_verify_cb);
9661 ADD_TEST(test_ssl_build_cert_chain);
9662 ADD_TEST(test_ssl_ctx_build_cert_chain);
9663 #ifndef OPENSSL_NO_TLS1_2
9664 ADD_TEST(test_client_hello_cb);
9665 ADD_TEST(test_no_ems);
9666 ADD_TEST(test_ccs_change_cipher);
9668 #ifndef OSSL_NO_USABLE_TLS1_3
9669 ADD_ALL_TESTS(test_early_data_read_write, 3);
9671 * We don't do replay tests for external PSK. Replay protection isn't used
9674 ADD_ALL_TESTS(test_early_data_replay, 2);
9675 ADD_ALL_TESTS(test_early_data_skip, 3);
9676 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
9677 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
9678 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
9679 ADD_ALL_TESTS(test_early_data_not_sent, 3);
9680 ADD_ALL_TESTS(test_early_data_psk, 8);
9681 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
9682 ADD_ALL_TESTS(test_early_data_not_expected, 3);
9683 # ifndef OPENSSL_NO_TLS1_2
9684 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
9687 #ifndef OSSL_NO_USABLE_TLS1_3
9688 ADD_ALL_TESTS(test_set_ciphersuite, 10);
9689 ADD_TEST(test_ciphersuite_change);
9690 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9691 # ifdef OPENSSL_NO_PSK
9692 ADD_ALL_TESTS(test_tls13_psk, 1);
9694 ADD_ALL_TESTS(test_tls13_psk, 4);
9695 # endif /* OPENSSL_NO_PSK */
9696 # ifndef OPENSSL_NO_TLS1_2
9697 /* Test with both TLSv1.3 and 1.2 versions */
9698 ADD_ALL_TESTS(test_key_exchange, 14);
9699 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9700 ADD_ALL_TESTS(test_negotiated_group,
9701 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9702 + OSSL_NELEM(ffdhe_kexch_groups)));
9705 /* Test with only TLSv1.3 versions */
9706 ADD_ALL_TESTS(test_key_exchange, 12);
9708 ADD_ALL_TESTS(test_custom_exts, 6);
9709 ADD_TEST(test_stateless);
9710 ADD_TEST(test_pha_key_update);
9712 ADD_ALL_TESTS(test_custom_exts, 3);
9714 ADD_ALL_TESTS(test_serverinfo, 8);
9715 ADD_ALL_TESTS(test_export_key_mat, 6);
9716 #ifndef OSSL_NO_USABLE_TLS1_3
9717 ADD_ALL_TESTS(test_export_key_mat_early, 3);
9718 ADD_TEST(test_key_update);
9719 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
9720 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
9721 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
9722 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
9724 ADD_ALL_TESTS(test_ssl_clear, 2);
9725 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
9726 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9727 ADD_ALL_TESTS(test_srp, 6);
9729 ADD_ALL_TESTS(test_info_callback, 6);
9730 ADD_ALL_TESTS(test_ssl_pending, 2);
9731 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
9732 ADD_ALL_TESTS(test_ticket_callbacks, 16);
9733 ADD_ALL_TESTS(test_shutdown, 7);
9734 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
9735 ADD_ALL_TESTS(test_cert_cb, 6);
9736 ADD_ALL_TESTS(test_client_cert_cb, 2);
9737 ADD_ALL_TESTS(test_ca_names, 3);
9738 #ifndef OPENSSL_NO_TLS1_2
9739 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
9741 ADD_ALL_TESTS(test_servername, 10);
9742 #if !defined(OPENSSL_NO_EC) \
9743 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9744 ADD_ALL_TESTS(test_sigalgs_available, 6);
9746 #ifndef OPENSSL_NO_TLS1_3
9747 ADD_ALL_TESTS(test_pluggable_group, 2);
9749 #ifndef OPENSSL_NO_TLS1_2
9750 ADD_TEST(test_ssl_dup);
9751 # ifndef OPENSSL_NO_DH
9752 ADD_ALL_TESTS(test_set_tmp_dh, 11);
9753 ADD_ALL_TESTS(test_dh_auto, 7);
9756 #ifndef OSSL_NO_USABLE_TLS1_3
9757 ADD_TEST(test_sni_tls13);
9759 ADD_TEST(test_inherit_verify_param);
9760 ADD_TEST(test_set_alpn);
9761 ADD_ALL_TESTS(test_session_timeout, 1);
9766 OPENSSL_free(privkey);
9767 OPENSSL_free(cert2);
9768 OPENSSL_free(privkey2);
9772 void cleanup_tests(void)
9774 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
9775 EVP_PKEY_free(tmp_dh_params);
9778 OPENSSL_free(privkey);
9779 OPENSSL_free(cert2);
9780 OPENSSL_free(privkey2);
9781 OPENSSL_free(cert1024);
9782 OPENSSL_free(privkey1024);
9783 OPENSSL_free(cert3072);
9784 OPENSSL_free(privkey3072);
9785 OPENSSL_free(cert4096);
9786 OPENSSL_free(privkey4096);
9787 OPENSSL_free(cert8192);
9788 OPENSSL_free(privkey8192);
9789 bio_s_mempacket_test_free();
9790 bio_s_always_retry_free();
9791 OSSL_PROVIDER_unload(defctxnull);
9792 OSSL_LIB_CTX_free(libctx);