2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
34 #include "ssltestlib.h"
36 #include "testutil/output.h"
37 #include "internal/nelem.h"
38 #include "internal/ktls.h"
39 #include "../ssl/ssl_local.h"
41 /* Defined in filterprov.c */
42 OSSL_provider_init_fn filter_provider_init;
43 int filter_provider_set_filter(int operation, const char *name);
45 /* Defined in tls-provider.c */
46 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
47 const OSSL_DISPATCH *in,
48 const OSSL_DISPATCH **out,
51 static OPENSSL_CTX *libctx = NULL;
52 static OSSL_PROVIDER *defctxnull = NULL;
54 #ifndef OPENSSL_NO_TLS1_3
56 static SSL_SESSION *clientpsk = NULL;
57 static SSL_SESSION *serverpsk = NULL;
58 static const char *pskid = "Identity";
59 static const char *srvid;
61 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
62 size_t *idlen, SSL_SESSION **sess);
63 static int find_session_cb(SSL *ssl, const unsigned char *identity,
64 size_t identity_len, SSL_SESSION **sess);
66 static int use_session_cb_cnt = 0;
67 static int find_session_cb_cnt = 0;
69 static SSL_SESSION *create_a_psk(SSL *ssl);
72 static char *certsdir = NULL;
73 static char *cert = NULL;
74 static char *privkey = NULL;
75 static char *cert2 = NULL;
76 static char *privkey2 = NULL;
77 static char *srpvfile = NULL;
78 static char *tmpfilename = NULL;
80 static int is_fips = 0;
82 #define LOG_BUFFER_SIZE 2048
83 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
84 static size_t server_log_buffer_index = 0;
85 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
86 static size_t client_log_buffer_index = 0;
87 static int error_writing_log = 0;
89 #ifndef OPENSSL_NO_OCSP
90 static const unsigned char orespder[] = "Dummy OCSP Response";
91 static int ocsp_server_called = 0;
92 static int ocsp_client_called = 0;
94 static int cdummyarg = 1;
95 static X509 *ocspcert = NULL;
98 #define NUM_EXTRA_CERTS 40
99 #define CLIENT_VERSION_LEN 2
102 * This structure is used to validate that the correct number of log messages
103 * of various types are emitted when emitting secret logs.
105 struct sslapitest_log_counts {
106 unsigned int rsa_key_exchange_count;
107 unsigned int master_secret_count;
108 unsigned int client_early_secret_count;
109 unsigned int client_handshake_secret_count;
110 unsigned int server_handshake_secret_count;
111 unsigned int client_application_secret_count;
112 unsigned int server_application_secret_count;
113 unsigned int early_exporter_secret_count;
114 unsigned int exporter_secret_count;
118 static unsigned char serverinfov1[] = {
119 0xff, 0xff, /* Dummy extension type */
120 0x00, 0x01, /* Extension length is 1 byte */
121 0xff /* Dummy extension data */
124 static unsigned char serverinfov2[] = {
126 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
127 0xff, 0xff, /* Dummy extension type */
128 0x00, 0x01, /* Extension length is 1 byte */
129 0xff /* Dummy extension data */
132 static int hostname_cb(SSL *s, int *al, void *arg)
134 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
136 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
137 || strcmp(hostname, "altgoodhost") == 0))
138 return SSL_TLSEXT_ERR_OK;
140 return SSL_TLSEXT_ERR_NOACK;
143 static void client_keylog_callback(const SSL *ssl, const char *line)
145 int line_length = strlen(line);
147 /* If the log doesn't fit, error out. */
148 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
149 TEST_info("Client log too full");
150 error_writing_log = 1;
154 strcat(client_log_buffer, line);
155 client_log_buffer_index += line_length;
156 client_log_buffer[client_log_buffer_index++] = '\n';
159 static void server_keylog_callback(const SSL *ssl, const char *line)
161 int line_length = strlen(line);
163 /* If the log doesn't fit, error out. */
164 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
165 TEST_info("Server log too full");
166 error_writing_log = 1;
170 strcat(server_log_buffer, line);
171 server_log_buffer_index += line_length;
172 server_log_buffer[server_log_buffer_index++] = '\n';
175 static int compare_hex_encoded_buffer(const char *hex_encoded,
183 if (!TEST_size_t_eq(raw_length * 2, hex_length))
186 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
187 sprintf(hexed, "%02x", raw[i]);
188 if (!TEST_int_eq(hexed[0], hex_encoded[j])
189 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
196 static int test_keylog_output(char *buffer, const SSL *ssl,
197 const SSL_SESSION *session,
198 struct sslapitest_log_counts *expected)
201 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
202 size_t client_random_size = SSL3_RANDOM_SIZE;
203 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
204 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
205 unsigned int rsa_key_exchange_count = 0;
206 unsigned int master_secret_count = 0;
207 unsigned int client_early_secret_count = 0;
208 unsigned int client_handshake_secret_count = 0;
209 unsigned int server_handshake_secret_count = 0;
210 unsigned int client_application_secret_count = 0;
211 unsigned int server_application_secret_count = 0;
212 unsigned int early_exporter_secret_count = 0;
213 unsigned int exporter_secret_count = 0;
215 for (token = strtok(buffer, " \n"); token != NULL;
216 token = strtok(NULL, " \n")) {
217 if (strcmp(token, "RSA") == 0) {
219 * Premaster secret. Tokens should be: 16 ASCII bytes of
220 * hex-encoded encrypted secret, then the hex-encoded pre-master
223 if (!TEST_ptr(token = strtok(NULL, " \n")))
225 if (!TEST_size_t_eq(strlen(token), 16))
227 if (!TEST_ptr(token = strtok(NULL, " \n")))
230 * We can't sensibly check the log because the premaster secret is
231 * transient, and OpenSSL doesn't keep hold of it once the master
232 * secret is generated.
234 rsa_key_exchange_count++;
235 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
237 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
238 * client random, then the hex-encoded master secret.
240 client_random_size = SSL_get_client_random(ssl,
241 actual_client_random,
243 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
246 if (!TEST_ptr(token = strtok(NULL, " \n")))
248 if (!TEST_size_t_eq(strlen(token), 64))
250 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
251 actual_client_random,
252 client_random_size)))
255 if (!TEST_ptr(token = strtok(NULL, " \n")))
257 master_key_size = SSL_SESSION_get_master_key(session,
260 if (!TEST_size_t_ne(master_key_size, 0))
262 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
266 master_secret_count++;
267 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
268 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
269 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
270 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
271 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
272 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
273 || strcmp(token, "EXPORTER_SECRET") == 0) {
275 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
276 * client random, and then the hex-encoded secret. In this case,
277 * we treat all of these secrets identically and then just
278 * distinguish between them when counting what we saw.
280 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
281 client_early_secret_count++;
282 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
283 client_handshake_secret_count++;
284 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
285 server_handshake_secret_count++;
286 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
287 client_application_secret_count++;
288 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
289 server_application_secret_count++;
290 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
291 early_exporter_secret_count++;
292 else if (strcmp(token, "EXPORTER_SECRET") == 0)
293 exporter_secret_count++;
295 client_random_size = SSL_get_client_random(ssl,
296 actual_client_random,
298 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
301 if (!TEST_ptr(token = strtok(NULL, " \n")))
303 if (!TEST_size_t_eq(strlen(token), 64))
305 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
306 actual_client_random,
307 client_random_size)))
310 if (!TEST_ptr(token = strtok(NULL, " \n")))
314 * TODO(TLS1.3): test that application traffic secrets are what
317 TEST_info("Unexpected token %s\n", token);
322 /* Got what we expected? */
323 if (!TEST_size_t_eq(rsa_key_exchange_count,
324 expected->rsa_key_exchange_count)
325 || !TEST_size_t_eq(master_secret_count,
326 expected->master_secret_count)
327 || !TEST_size_t_eq(client_early_secret_count,
328 expected->client_early_secret_count)
329 || !TEST_size_t_eq(client_handshake_secret_count,
330 expected->client_handshake_secret_count)
331 || !TEST_size_t_eq(server_handshake_secret_count,
332 expected->server_handshake_secret_count)
333 || !TEST_size_t_eq(client_application_secret_count,
334 expected->client_application_secret_count)
335 || !TEST_size_t_eq(server_application_secret_count,
336 expected->server_application_secret_count)
337 || !TEST_size_t_eq(early_exporter_secret_count,
338 expected->early_exporter_secret_count)
339 || !TEST_size_t_eq(exporter_secret_count,
340 expected->exporter_secret_count))
345 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
346 static int test_keylog(void)
348 SSL_CTX *cctx = NULL, *sctx = NULL;
349 SSL *clientssl = NULL, *serverssl = NULL;
351 struct sslapitest_log_counts expected;
353 /* Clean up logging space */
354 memset(&expected, 0, sizeof(expected));
355 memset(client_log_buffer, 0, sizeof(client_log_buffer));
356 memset(server_log_buffer, 0, sizeof(server_log_buffer));
357 client_log_buffer_index = 0;
358 server_log_buffer_index = 0;
359 error_writing_log = 0;
361 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
364 &sctx, &cctx, cert, privkey)))
367 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
368 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
369 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
371 /* We also want to ensure that we use RSA-based key exchange. */
372 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
375 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
376 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
378 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
379 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
380 == client_keylog_callback))
382 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
383 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
384 == server_keylog_callback))
387 /* Now do a handshake and check that the logs have been written to. */
388 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
389 &clientssl, NULL, NULL))
390 || !TEST_true(create_ssl_connection(serverssl, clientssl,
392 || !TEST_false(error_writing_log)
393 || !TEST_int_gt(client_log_buffer_index, 0)
394 || !TEST_int_gt(server_log_buffer_index, 0))
398 * Now we want to test that our output data was vaguely sensible. We
399 * do that by using strtok and confirming that we have more or less the
400 * data we expect. For both client and server, we expect to see one master
401 * secret. The client should also see a RSA key exchange.
403 expected.rsa_key_exchange_count = 1;
404 expected.master_secret_count = 1;
405 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
406 SSL_get_session(clientssl), &expected)))
409 expected.rsa_key_exchange_count = 0;
410 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
411 SSL_get_session(serverssl), &expected)))
426 #ifndef OPENSSL_NO_TLS1_3
427 static int test_keylog_no_master_key(void)
429 SSL_CTX *cctx = NULL, *sctx = NULL;
430 SSL *clientssl = NULL, *serverssl = NULL;
431 SSL_SESSION *sess = NULL;
433 struct sslapitest_log_counts expected;
434 unsigned char buf[1];
435 size_t readbytes, written;
437 /* Clean up logging space */
438 memset(&expected, 0, sizeof(expected));
439 memset(client_log_buffer, 0, sizeof(client_log_buffer));
440 memset(server_log_buffer, 0, sizeof(server_log_buffer));
441 client_log_buffer_index = 0;
442 server_log_buffer_index = 0;
443 error_writing_log = 0;
445 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
446 TLS_client_method(), TLS1_VERSION, 0,
447 &sctx, &cctx, cert, privkey))
448 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
449 SSL3_RT_MAX_PLAIN_LENGTH)))
452 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
453 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
456 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
457 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
458 == client_keylog_callback))
461 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
462 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
463 == server_keylog_callback))
466 /* Now do a handshake and check that the logs have been written to. */
467 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
468 &clientssl, NULL, NULL))
469 || !TEST_true(create_ssl_connection(serverssl, clientssl,
471 || !TEST_false(error_writing_log))
475 * Now we want to test that our output data was vaguely sensible. For this
476 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
477 * TLSv1.3, but we do expect both client and server to emit keys.
479 expected.client_handshake_secret_count = 1;
480 expected.server_handshake_secret_count = 1;
481 expected.client_application_secret_count = 1;
482 expected.server_application_secret_count = 1;
483 expected.exporter_secret_count = 1;
484 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
485 SSL_get_session(clientssl), &expected))
486 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
487 SSL_get_session(serverssl),
491 /* Terminate old session and resume with early data. */
492 sess = SSL_get1_session(clientssl);
493 SSL_shutdown(clientssl);
494 SSL_shutdown(serverssl);
497 serverssl = clientssl = NULL;
500 memset(client_log_buffer, 0, sizeof(client_log_buffer));
501 memset(server_log_buffer, 0, sizeof(server_log_buffer));
502 client_log_buffer_index = 0;
503 server_log_buffer_index = 0;
505 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
506 &clientssl, NULL, NULL))
507 || !TEST_true(SSL_set_session(clientssl, sess))
508 /* Here writing 0 length early data is enough. */
509 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
510 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
512 SSL_READ_EARLY_DATA_ERROR)
513 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
514 SSL_EARLY_DATA_ACCEPTED)
515 || !TEST_true(create_ssl_connection(serverssl, clientssl,
517 || !TEST_true(SSL_session_reused(clientssl)))
520 /* In addition to the previous entries, expect early secrets. */
521 expected.client_early_secret_count = 1;
522 expected.early_exporter_secret_count = 1;
523 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
524 SSL_get_session(clientssl), &expected))
525 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
526 SSL_get_session(serverssl),
533 SSL_SESSION_free(sess);
543 #ifndef OPENSSL_NO_TLS1_2
544 static int full_client_hello_callback(SSL *s, int *al, void *arg)
547 const unsigned char *p;
549 /* We only configure two ciphers, but the SCSV is added automatically. */
551 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
553 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
556 const int expected_extensions[] = {
557 #ifndef OPENSSL_NO_EC
563 /* Make sure we can defer processing and get called back. */
565 return SSL_CLIENT_HELLO_RETRY;
567 len = SSL_client_hello_get0_ciphers(s, &p);
568 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
570 SSL_client_hello_get0_compression_methods(s, &p), 1)
571 || !TEST_int_eq(*p, 0))
572 return SSL_CLIENT_HELLO_ERROR;
573 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
574 return SSL_CLIENT_HELLO_ERROR;
575 if (len != OSSL_NELEM(expected_extensions) ||
576 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
577 printf("ClientHello callback expected extensions mismatch\n");
579 return SSL_CLIENT_HELLO_ERROR;
582 return SSL_CLIENT_HELLO_SUCCESS;
585 static int test_client_hello_cb(void)
587 SSL_CTX *cctx = NULL, *sctx = NULL;
588 SSL *clientssl = NULL, *serverssl = NULL;
589 int testctr = 0, testresult = 0;
591 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
592 TLS_client_method(), TLS1_VERSION, 0,
593 &sctx, &cctx, cert, privkey)))
595 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
597 /* The gimpy cipher list we configure can't do TLS 1.3. */
598 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
600 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
601 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
602 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
603 &clientssl, NULL, NULL))
604 || !TEST_false(create_ssl_connection(serverssl, clientssl,
605 SSL_ERROR_WANT_CLIENT_HELLO_CB))
607 * Passing a -1 literal is a hack since
608 * the real value was lost.
610 || !TEST_int_eq(SSL_get_error(serverssl, -1),
611 SSL_ERROR_WANT_CLIENT_HELLO_CB)
612 || !TEST_true(create_ssl_connection(serverssl, clientssl,
627 static int test_no_ems(void)
629 SSL_CTX *cctx = NULL, *sctx = NULL;
630 SSL *clientssl = NULL, *serverssl = NULL;
633 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
634 TLS1_VERSION, TLS1_2_VERSION,
635 &sctx, &cctx, cert, privkey)) {
636 printf("Unable to create SSL_CTX pair\n");
640 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
642 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
643 printf("Unable to create SSL objects\n");
647 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
648 printf("Creating SSL connection failed\n");
652 if (SSL_get_extms_support(serverssl)) {
653 printf("Server reports Extended Master Secret support\n");
657 if (SSL_get_extms_support(clientssl)) {
658 printf("Client reports Extended Master Secret support\n");
673 * Very focused test to exercise a single case in the server-side state
674 * machine, when the ChangeCipherState message needs to actually change
675 * from one cipher to a different cipher (i.e., not changing from null
676 * encryption to real encryption).
678 static int test_ccs_change_cipher(void)
680 SSL_CTX *cctx = NULL, *sctx = NULL;
681 SSL *clientssl = NULL, *serverssl = NULL;
682 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
689 * Create a conection so we can resume and potentially (but not) use
690 * a different cipher in the second connection.
692 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
694 TLS1_VERSION, TLS1_2_VERSION,
695 &sctx, &cctx, cert, privkey))
696 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
697 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
699 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
700 || !TEST_true(create_ssl_connection(serverssl, clientssl,
702 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
703 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
706 shutdown_ssl_connection(serverssl, clientssl);
707 serverssl = clientssl = NULL;
709 /* Resume, preferring a different cipher. Our server will force the
710 * same cipher to be used as the initial handshake. */
711 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
713 || !TEST_true(SSL_set_session(clientssl, sess))
714 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
715 || !TEST_true(create_ssl_connection(serverssl, clientssl,
717 || !TEST_true(SSL_session_reused(clientssl))
718 || !TEST_true(SSL_session_reused(serverssl))
719 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
720 || !TEST_ptr_eq(sesspre, sesspost)
721 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
722 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
724 shutdown_ssl_connection(serverssl, clientssl);
725 serverssl = clientssl = NULL;
728 * Now create a fresh connection and try to renegotiate a different
731 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
733 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
734 || !TEST_true(create_ssl_connection(serverssl, clientssl,
736 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
737 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
738 || !TEST_true(SSL_renegotiate(clientssl))
739 || !TEST_true(SSL_renegotiate_pending(clientssl)))
741 /* Actually drive the renegotiation. */
742 for (i = 0; i < 3; i++) {
743 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
744 if (!TEST_ulong_eq(readbytes, 0))
746 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
747 SSL_ERROR_WANT_READ)) {
750 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
751 if (!TEST_ulong_eq(readbytes, 0))
753 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
754 SSL_ERROR_WANT_READ)) {
758 /* sesspre and sesspost should be different since the cipher changed. */
759 if (!TEST_false(SSL_renegotiate_pending(clientssl))
760 || !TEST_false(SSL_session_reused(clientssl))
761 || !TEST_false(SSL_session_reused(serverssl))
762 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
763 || !TEST_ptr_ne(sesspre, sesspost)
764 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
765 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
768 shutdown_ssl_connection(serverssl, clientssl);
769 serverssl = clientssl = NULL;
778 SSL_SESSION_free(sess);
784 static int execute_test_large_message(const SSL_METHOD *smeth,
785 const SSL_METHOD *cmeth,
786 int min_version, int max_version,
789 SSL_CTX *cctx = NULL, *sctx = NULL;
790 SSL *clientssl = NULL, *serverssl = NULL;
794 X509 *chaincert = NULL;
797 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
800 if (!TEST_ptr(chaincert = X509_new_with_libctx(libctx, NULL)))
803 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
808 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
809 max_version, &sctx, &cctx, cert,
815 * Test that read_ahead works correctly when dealing with large
818 SSL_CTX_set_read_ahead(cctx, 1);
822 * We assume the supplied certificate is big enough so that if we add
823 * NUM_EXTRA_CERTS it will make the overall message large enough. The
824 * default buffer size is requested to be 16k, but due to the way BUF_MEM
825 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
826 * test we need to have a message larger than that.
828 certlen = i2d_X509(chaincert, NULL);
829 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
830 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
831 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
832 if (!X509_up_ref(chaincert))
834 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
835 X509_free(chaincert);
840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
842 || !TEST_true(create_ssl_connection(serverssl, clientssl,
847 * Calling SSL_clear() first is not required but this tests that SSL_clear()
850 if (!TEST_true(SSL_clear(serverssl)))
856 X509_free(chaincert);
865 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
866 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
867 #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
868 /* sock must be connected */
869 static int ktls_chk_platform(int sock)
871 if (!ktls_enable(sock))
876 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
878 static char count = 1;
879 unsigned char cbuf[16000] = {0};
880 unsigned char sbuf[16000];
882 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
883 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
884 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
885 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
886 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
887 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
888 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
889 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
892 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
893 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
894 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
895 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
897 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
900 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
901 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
906 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
909 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
910 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
915 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
916 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
917 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
918 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
920 /* verify the payload */
921 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
924 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
925 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
926 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
927 crec_wseq_after, rec_seq_size))
930 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
931 crec_wseq_after, rec_seq_size))
935 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
936 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
937 srec_wseq_after, rec_seq_size))
940 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
941 srec_wseq_after, rec_seq_size))
945 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
946 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
947 crec_rseq_after, rec_seq_size))
950 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
951 crec_rseq_after, rec_seq_size))
955 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
956 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
957 srec_rseq_after, rec_seq_size))
960 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
961 srec_rseq_after, rec_seq_size))
970 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
971 int sis_ktls_tx, int sis_ktls_rx,
972 int tls_version, const char *cipher,
975 SSL_CTX *cctx = NULL, *sctx = NULL;
976 SSL *clientssl = NULL, *serverssl = NULL;
980 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
983 /* Skip this test if the platform does not support ktls */
984 if (!ktls_chk_platform(cfd))
987 /* Create a session based on SHA-256 */
988 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
990 tls_version, tls_version,
991 &sctx, &cctx, cert, privkey))
992 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
993 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
994 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
995 &clientssl, sfd, cfd)))
999 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1004 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1009 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1014 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1018 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1023 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1026 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1031 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1034 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1039 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1042 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1047 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1050 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1054 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1061 SSL_shutdown(clientssl);
1062 SSL_free(clientssl);
1065 SSL_shutdown(serverssl);
1066 SSL_free(serverssl);
1070 serverssl = clientssl = NULL;
1074 #define SENDFILE_SZ (16 * 4096)
1075 #define SENDFILE_CHUNK (4 * 4096)
1076 #define min(a,b) ((a) > (b) ? (b) : (a))
1078 static int test_ktls_sendfile(int tls_version, const char *cipher)
1080 SSL_CTX *cctx = NULL, *sctx = NULL;
1081 SSL *clientssl = NULL, *serverssl = NULL;
1082 unsigned char *buf, *buf_dst;
1083 BIO *out = NULL, *in = NULL;
1084 int cfd, sfd, ffd, err;
1085 ssize_t chunk_size = 0;
1086 off_t chunk_off = 0;
1090 buf = OPENSSL_zalloc(SENDFILE_SZ);
1091 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1092 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1093 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1096 /* Skip this test if the platform does not support ktls */
1097 if (!ktls_chk_platform(sfd)) {
1102 /* Create a session based on SHA-256 */
1103 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1104 TLS_client_method(),
1105 tls_version, tls_version,
1106 &sctx, &cctx, cert, privkey))
1107 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1108 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
1109 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1110 &clientssl, sfd, cfd)))
1113 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1115 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1118 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ)))
1121 out = BIO_new_file(tmpfilename, "wb");
1125 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1130 in = BIO_new_file(tmpfilename, "rb");
1131 BIO_get_fp(in, &ffdp);
1134 while (chunk_off < SENDFILE_SZ) {
1135 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1136 while ((err = SSL_sendfile(serverssl,
1140 0)) != chunk_size) {
1141 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1144 while ((err = SSL_read(clientssl,
1145 buf_dst + chunk_off,
1146 chunk_size)) != chunk_size) {
1147 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1151 /* verify the payload */
1152 if (!TEST_mem_eq(buf_dst + chunk_off,
1158 chunk_off += chunk_size;
1164 SSL_shutdown(clientssl);
1165 SSL_free(clientssl);
1168 SSL_shutdown(serverssl);
1169 SSL_free(serverssl);
1173 serverssl = clientssl = NULL;
1177 OPENSSL_free(buf_dst);
1181 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1182 static int test_ktls(int test)
1184 int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
1185 int tlsver, testresult;
1188 #if defined(OPENSSL_NO_TLS1_3)
1192 tlsver = TLS1_3_VERSION;
1195 #if defined(OPENSSL_NO_TLS1_2)
1198 tlsver = TLS1_2_VERSION;
1202 cis_ktls_tx = (test & 1) != 0;
1203 cis_ktls_rx = (test & 2) != 0;
1204 sis_ktls_tx = (test & 4) != 0;
1205 sis_ktls_rx = (test & 8) != 0;
1207 #if defined(OPENSSL_NO_KTLS_RX)
1208 if (cis_ktls_rx || sis_ktls_rx)
1211 #if !defined(OPENSSL_NO_TLS1_3)
1212 if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
1217 #ifdef OPENSSL_KTLS_AES_GCM_128
1218 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1219 sis_ktls_rx, tlsver, "AES128-GCM-SHA256",
1220 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1222 #ifdef OPENSSL_KTLS_AES_CCM_128
1223 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1224 sis_ktls_rx, tlsver, "AES128-CCM",
1225 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1227 #ifdef OPENSSL_KTLS_AES_GCM_256
1228 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1229 sis_ktls_rx, tlsver, "AES256-GCM-SHA384",
1230 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1235 static int test_ktls_sendfile_anytls(int tst)
1237 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
1241 #if defined(OPENSSL_NO_TLS1_3)
1245 tlsver = TLS1_3_VERSION;
1248 #if defined(OPENSSL_NO_TLS1_2)
1251 tlsver = TLS1_2_VERSION;
1255 #ifndef OPENSSL_KTLS_AES_GCM_128
1256 if(tst == 0) return 1;
1258 #ifndef OPENSSL_KTLS_AES_CCM_128
1259 if(tst == 1) return 1;
1261 #ifndef OPENSSL_KTLS_AES_GCM_256
1262 if(tst == 2) return 1;
1264 return test_ktls_sendfile(tlsver, cipher[tst]);
1270 static int test_large_message_tls(void)
1272 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1273 TLS1_VERSION, 0, 0);
1276 static int test_large_message_tls_read_ahead(void)
1278 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1279 TLS1_VERSION, 0, 1);
1282 #ifndef OPENSSL_NO_DTLS
1283 static int test_large_message_dtls(void)
1286 * read_ahead is not relevant to DTLS because DTLS always acts as if
1287 * read_ahead is set.
1289 return execute_test_large_message(DTLS_server_method(),
1290 DTLS_client_method(),
1291 DTLS1_VERSION, 0, 0);
1295 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1296 const SSL_METHOD *cmeth,
1297 int min_version, int max_version)
1300 SSL_CTX *cctx = NULL, *sctx = NULL;
1301 SSL *clientssl = NULL, *serverssl = NULL;
1306 static unsigned char cbuf[16000];
1307 static unsigned char sbuf[16000];
1309 if (!TEST_true(create_ssl_ctx_pair(libctx,
1311 min_version, max_version,
1316 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1320 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1323 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1327 for (i = 0; i < sizeof(cbuf); i++) {
1331 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1334 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1337 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1341 * Since we called SSL_peek(), we know the data in the record
1342 * layer is a plaintext record. We can gather the pointer to check
1343 * for zeroization after SSL_read().
1345 rr = serverssl->rlayer.rrec;
1346 zbuf = &rr->data[rr->off];
1347 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1351 * After SSL_peek() the plaintext must still be stored in the
1354 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1357 memset(sbuf, 0, sizeof(sbuf));
1358 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1361 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1364 /* Check if rbuf is cleansed */
1365 memset(cbuf, 0, sizeof(cbuf));
1366 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1371 SSL_free(serverssl);
1372 SSL_free(clientssl);
1379 static int test_cleanse_plaintext(void)
1381 #if !defined(OPENSSL_NO_TLS1_2)
1382 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1383 TLS_client_method(),
1390 #if !defined(OPENSSL_NO_TLS1_3)
1391 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1392 TLS_client_method(),
1398 #if !defined(OPENSSL_NO_DTLS)
1399 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1400 DTLS_client_method(),
1408 #ifndef OPENSSL_NO_OCSP
1409 static int ocsp_server_cb(SSL *s, void *arg)
1411 int *argi = (int *)arg;
1412 unsigned char *copy = NULL;
1413 STACK_OF(OCSP_RESPID) *ids = NULL;
1414 OCSP_RESPID *id = NULL;
1417 /* In this test we are expecting exactly 1 OCSP_RESPID */
1418 SSL_get_tlsext_status_ids(s, &ids);
1419 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1420 return SSL_TLSEXT_ERR_ALERT_FATAL;
1422 id = sk_OCSP_RESPID_value(ids, 0);
1423 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1424 return SSL_TLSEXT_ERR_ALERT_FATAL;
1425 } else if (*argi != 1) {
1426 return SSL_TLSEXT_ERR_ALERT_FATAL;
1429 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1430 return SSL_TLSEXT_ERR_ALERT_FATAL;
1432 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1433 ocsp_server_called = 1;
1434 return SSL_TLSEXT_ERR_OK;
1437 static int ocsp_client_cb(SSL *s, void *arg)
1439 int *argi = (int *)arg;
1440 const unsigned char *respderin;
1443 if (*argi != 1 && *argi != 2)
1446 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1447 if (!TEST_mem_eq(orespder, len, respderin, len))
1450 ocsp_client_called = 1;
1454 static int test_tlsext_status_type(void)
1456 SSL_CTX *cctx = NULL, *sctx = NULL;
1457 SSL *clientssl = NULL, *serverssl = NULL;
1459 STACK_OF(OCSP_RESPID) *ids = NULL;
1460 OCSP_RESPID *id = NULL;
1461 BIO *certbio = NULL;
1463 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1465 &sctx, &cctx, cert, privkey))
1468 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1471 /* First just do various checks getting and setting tlsext_status_type */
1473 clientssl = SSL_new(cctx);
1474 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1475 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1476 TLSEXT_STATUSTYPE_ocsp))
1477 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1478 TLSEXT_STATUSTYPE_ocsp))
1481 SSL_free(clientssl);
1484 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1485 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1488 clientssl = SSL_new(cctx);
1489 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1491 SSL_free(clientssl);
1495 * Now actually do a handshake and check OCSP information is exchanged and
1496 * the callbacks get called
1498 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1499 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1500 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1501 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1503 &clientssl, NULL, NULL))
1504 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1506 || !TEST_true(ocsp_client_called)
1507 || !TEST_true(ocsp_server_called))
1509 SSL_free(serverssl);
1510 SSL_free(clientssl);
1514 /* Try again but this time force the server side callback to fail */
1515 ocsp_client_called = 0;
1516 ocsp_server_called = 0;
1518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1519 &clientssl, NULL, NULL))
1520 /* This should fail because the callback will fail */
1521 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1523 || !TEST_false(ocsp_client_called)
1524 || !TEST_false(ocsp_server_called))
1526 SSL_free(serverssl);
1527 SSL_free(clientssl);
1532 * This time we'll get the client to send an OCSP_RESPID that it will
1535 ocsp_client_called = 0;
1536 ocsp_server_called = 0;
1538 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1539 &clientssl, NULL, NULL)))
1543 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1544 * specific one. We'll use the server cert.
1546 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1547 || !TEST_ptr(id = OCSP_RESPID_new())
1548 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1549 || !TEST_ptr(ocspcert = X509_new_with_libctx(libctx, NULL))
1550 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1551 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1552 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1555 SSL_set_tlsext_status_ids(clientssl, ids);
1556 /* Control has been transferred */
1562 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1564 || !TEST_true(ocsp_client_called)
1565 || !TEST_true(ocsp_server_called))
1571 SSL_free(serverssl);
1572 SSL_free(clientssl);
1575 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1576 OCSP_RESPID_free(id);
1578 X509_free(ocspcert);
1585 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1586 static int new_called, remove_called, get_called;
1588 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1592 * sess has been up-refed for us, but we don't actually need it so free it
1595 SSL_SESSION_free(sess);
1599 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1604 static SSL_SESSION *get_sess_val = NULL;
1606 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1611 return get_sess_val;
1614 static int execute_test_session(int maxprot, int use_int_cache,
1615 int use_ext_cache, long s_options)
1617 SSL_CTX *sctx = NULL, *cctx = NULL;
1618 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1619 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1620 # ifndef OPENSSL_NO_TLS1_1
1621 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1623 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1624 int testresult = 0, numnewsesstick = 1;
1626 new_called = remove_called = 0;
1628 /* TLSv1.3 sends 2 NewSessionTickets */
1629 if (maxprot == TLS1_3_VERSION)
1632 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1633 TLS_client_method(), TLS1_VERSION, 0,
1634 &sctx, &cctx, cert, privkey)))
1638 * Only allow the max protocol version so we can force a connection failure
1641 SSL_CTX_set_min_proto_version(cctx, maxprot);
1642 SSL_CTX_set_max_proto_version(cctx, maxprot);
1644 /* Set up session cache */
1645 if (use_ext_cache) {
1646 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1647 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1649 if (use_int_cache) {
1650 /* Also covers instance where both are set */
1651 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1653 SSL_CTX_set_session_cache_mode(cctx,
1654 SSL_SESS_CACHE_CLIENT
1655 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1659 SSL_CTX_set_options(sctx, s_options);
1662 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1664 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1666 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1669 /* Should fail because it should already be in the cache */
1670 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1673 && (!TEST_int_eq(new_called, numnewsesstick)
1675 || !TEST_int_eq(remove_called, 0)))
1678 new_called = remove_called = 0;
1679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1680 &clientssl2, NULL, NULL))
1681 || !TEST_true(SSL_set_session(clientssl2, sess1))
1682 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1684 || !TEST_true(SSL_session_reused(clientssl2)))
1687 if (maxprot == TLS1_3_VERSION) {
1689 * In TLSv1.3 we should have created a new session even though we have
1690 * resumed. Since we attempted a resume we should also have removed the
1691 * old ticket from the cache so that we try to only use tickets once.
1694 && (!TEST_int_eq(new_called, 1)
1695 || !TEST_int_eq(remove_called, 1)))
1699 * In TLSv1.2 we expect to have resumed so no sessions added or
1703 && (!TEST_int_eq(new_called, 0)
1704 || !TEST_int_eq(remove_called, 0)))
1708 SSL_SESSION_free(sess1);
1709 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1711 shutdown_ssl_connection(serverssl2, clientssl2);
1712 serverssl2 = clientssl2 = NULL;
1714 new_called = remove_called = 0;
1715 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1716 &clientssl2, NULL, NULL))
1717 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1721 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1725 && (!TEST_int_eq(new_called, numnewsesstick)
1726 || !TEST_int_eq(remove_called, 0)))
1729 new_called = remove_called = 0;
1731 * This should clear sess2 from the cache because it is a "bad" session.
1732 * See SSL_set_session() documentation.
1734 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1737 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1739 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1742 if (use_int_cache) {
1743 /* Should succeeded because it should not already be in the cache */
1744 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1745 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1749 new_called = remove_called = 0;
1750 /* This shouldn't be in the cache so should fail */
1751 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1755 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1758 # if !defined(OPENSSL_NO_TLS1_1)
1759 new_called = remove_called = 0;
1760 /* Force a connection failure */
1761 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1762 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1763 &clientssl3, NULL, NULL))
1764 || !TEST_true(SSL_set_session(clientssl3, sess1))
1765 /* This should fail because of the mismatched protocol versions */
1766 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1770 /* We should have automatically removed the session from the cache */
1772 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1775 /* Should succeed because it should not already be in the cache */
1776 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1780 /* Now do some tests for server side caching */
1781 if (use_ext_cache) {
1782 SSL_CTX_sess_set_new_cb(cctx, NULL);
1783 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1784 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1785 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1786 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1787 get_sess_val = NULL;
1790 SSL_CTX_set_session_cache_mode(cctx, 0);
1791 /* Internal caching is the default on the server side */
1793 SSL_CTX_set_session_cache_mode(sctx,
1794 SSL_SESS_CACHE_SERVER
1795 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1797 SSL_free(serverssl1);
1798 SSL_free(clientssl1);
1799 serverssl1 = clientssl1 = NULL;
1800 SSL_free(serverssl2);
1801 SSL_free(clientssl2);
1802 serverssl2 = clientssl2 = NULL;
1803 SSL_SESSION_free(sess1);
1805 SSL_SESSION_free(sess2);
1808 SSL_CTX_set_max_proto_version(sctx, maxprot);
1809 if (maxprot == TLS1_2_VERSION)
1810 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1811 new_called = remove_called = get_called = 0;
1812 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1814 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1816 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1817 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1820 if (use_int_cache) {
1821 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1823 * In TLSv1.3 it should not have been added to the internal cache,
1824 * except in the case where we also have an external cache (in that
1825 * case it gets added to the cache in order to generate remove
1826 * events after timeout).
1828 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1831 /* Should fail because it should already be in the cache */
1832 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1837 if (use_ext_cache) {
1838 SSL_SESSION *tmp = sess2;
1840 if (!TEST_int_eq(new_called, numnewsesstick)
1841 || !TEST_int_eq(remove_called, 0)
1842 || !TEST_int_eq(get_called, 0))
1845 * Delete the session from the internal cache to force a lookup from
1846 * the external cache. We take a copy first because
1847 * SSL_CTX_remove_session() also marks the session as non-resumable.
1849 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1850 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1851 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1853 SSL_SESSION_free(sess2);
1858 new_called = remove_called = get_called = 0;
1859 get_sess_val = sess2;
1860 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1861 &clientssl2, NULL, NULL))
1862 || !TEST_true(SSL_set_session(clientssl2, sess1))
1863 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1865 || !TEST_true(SSL_session_reused(clientssl2)))
1868 if (use_ext_cache) {
1869 if (!TEST_int_eq(remove_called, 0))
1872 if (maxprot == TLS1_3_VERSION) {
1873 if (!TEST_int_eq(new_called, 1)
1874 || !TEST_int_eq(get_called, 0))
1877 if (!TEST_int_eq(new_called, 0)
1878 || !TEST_int_eq(get_called, 1))
1886 SSL_free(serverssl1);
1887 SSL_free(clientssl1);
1888 SSL_free(serverssl2);
1889 SSL_free(clientssl2);
1890 # ifndef OPENSSL_NO_TLS1_1
1891 SSL_free(serverssl3);
1892 SSL_free(clientssl3);
1894 SSL_SESSION_free(sess1);
1895 SSL_SESSION_free(sess2);
1901 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1903 static int test_session_with_only_int_cache(void)
1905 #ifndef OPENSSL_NO_TLS1_3
1906 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
1910 #ifndef OPENSSL_NO_TLS1_2
1911 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
1917 static int test_session_with_only_ext_cache(void)
1919 #ifndef OPENSSL_NO_TLS1_3
1920 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
1924 #ifndef OPENSSL_NO_TLS1_2
1925 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
1931 static int test_session_with_both_cache(void)
1933 #ifndef OPENSSL_NO_TLS1_3
1934 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
1938 #ifndef OPENSSL_NO_TLS1_2
1939 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
1945 static int test_session_wo_ca_names(void)
1947 #ifndef OPENSSL_NO_TLS1_3
1948 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
1952 #ifndef OPENSSL_NO_TLS1_2
1953 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
1960 #ifndef OPENSSL_NO_TLS1_3
1961 static SSL_SESSION *sesscache[6];
1962 static int do_cache;
1964 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1967 sesscache[new_called] = sess;
1969 /* We don't need the reference to the session, so free it */
1970 SSL_SESSION_free(sess);
1977 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1979 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1980 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1983 /* Start handshake on the server and client */
1984 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1985 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1986 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1987 || !TEST_true(create_ssl_connection(sssl, cssl,
1994 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1997 int sess_id_ctx = 1;
1999 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2000 TLS_client_method(), TLS1_VERSION, 0,
2001 sctx, cctx, cert, privkey))
2002 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2003 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2004 (void *)&sess_id_ctx,
2005 sizeof(sess_id_ctx))))
2009 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2011 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2012 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2013 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2018 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2020 SSL *serverssl = NULL, *clientssl = NULL;
2023 /* Test that we can resume with all the tickets we got given */
2024 for (i = 0; i < idx * 2; i++) {
2026 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2027 &clientssl, NULL, NULL))
2028 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2031 SSL_set_post_handshake_auth(clientssl, 1);
2033 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2038 * Following a successful resumption we only get 1 ticket. After a
2039 * failed one we should get idx tickets.
2042 if (!TEST_true(SSL_session_reused(clientssl))
2043 || !TEST_int_eq(new_called, 1))
2046 if (!TEST_false(SSL_session_reused(clientssl))
2047 || !TEST_int_eq(new_called, idx))
2052 /* After a post-handshake authentication we should get 1 new ticket */
2054 && (!post_handshake_verify(serverssl, clientssl)
2055 || !TEST_int_eq(new_called, 1)))
2058 SSL_shutdown(clientssl);
2059 SSL_shutdown(serverssl);
2060 SSL_free(serverssl);
2061 SSL_free(clientssl);
2062 serverssl = clientssl = NULL;
2063 SSL_SESSION_free(sesscache[i]);
2064 sesscache[i] = NULL;
2070 SSL_free(clientssl);
2071 SSL_free(serverssl);
2075 static int test_tickets(int stateful, int idx)
2077 SSL_CTX *sctx = NULL, *cctx = NULL;
2078 SSL *serverssl = NULL, *clientssl = NULL;
2082 /* idx is the test number, but also the number of tickets we want */
2087 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2090 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2091 &clientssl, NULL, NULL)))
2094 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2096 /* Check we got the number of tickets we were expecting */
2097 || !TEST_int_eq(idx, new_called))
2100 SSL_shutdown(clientssl);
2101 SSL_shutdown(serverssl);
2102 SSL_free(serverssl);
2103 SSL_free(clientssl);
2106 clientssl = serverssl = NULL;
2110 * Now we try to resume with the tickets we previously created. The
2111 * resumption attempt is expected to fail (because we're now using a new
2112 * SSL_CTX). We should see idx number of tickets issued again.
2115 /* Stop caching sessions - just count them */
2118 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2121 if (!check_resumption(idx, sctx, cctx, 0))
2124 /* Start again with caching sessions */
2131 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2134 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2135 &clientssl, NULL, NULL)))
2138 SSL_set_post_handshake_auth(clientssl, 1);
2140 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2142 /* Check we got the number of tickets we were expecting */
2143 || !TEST_int_eq(idx, new_called))
2146 /* After a post-handshake authentication we should get new tickets issued */
2147 if (!post_handshake_verify(serverssl, clientssl)
2148 || !TEST_int_eq(idx * 2, new_called))
2151 SSL_shutdown(clientssl);
2152 SSL_shutdown(serverssl);
2153 SSL_free(serverssl);
2154 SSL_free(clientssl);
2155 serverssl = clientssl = NULL;
2157 /* Stop caching sessions - just count them */
2161 * Check we can resume with all the tickets we created. This time around the
2162 * resumptions should all be successful.
2164 if (!check_resumption(idx, sctx, cctx, 1))
2170 SSL_free(serverssl);
2171 SSL_free(clientssl);
2172 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2173 SSL_SESSION_free(sesscache[j]);
2174 sesscache[j] = NULL;
2182 static int test_stateless_tickets(int idx)
2184 return test_tickets(0, idx);
2187 static int test_stateful_tickets(int idx)
2189 return test_tickets(1, idx);
2192 static int test_psk_tickets(void)
2194 SSL_CTX *sctx = NULL, *cctx = NULL;
2195 SSL *serverssl = NULL, *clientssl = NULL;
2197 int sess_id_ctx = 1;
2199 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2200 TLS_client_method(), TLS1_VERSION, 0,
2201 &sctx, &cctx, NULL, NULL))
2202 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2203 (void *)&sess_id_ctx,
2204 sizeof(sess_id_ctx))))
2207 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2208 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2209 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2210 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2211 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2212 use_session_cb_cnt = 0;
2213 find_session_cb_cnt = 0;
2217 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2220 clientpsk = serverpsk = create_a_psk(clientssl);
2221 if (!TEST_ptr(clientpsk))
2223 SSL_SESSION_up_ref(clientpsk);
2225 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2227 || !TEST_int_eq(1, find_session_cb_cnt)
2228 || !TEST_int_eq(1, use_session_cb_cnt)
2229 /* We should always get 1 ticket when using external PSK */
2230 || !TEST_int_eq(1, new_called))
2236 SSL_free(serverssl);
2237 SSL_free(clientssl);
2240 SSL_SESSION_free(clientpsk);
2241 SSL_SESSION_free(serverpsk);
2242 clientpsk = serverpsk = NULL;
2247 static int test_extra_tickets(int idx)
2249 SSL_CTX *sctx = NULL, *cctx = NULL;
2250 SSL *serverssl = NULL, *clientssl = NULL;
2251 BIO *bretry = BIO_new(bio_s_always_retry());
2256 unsigned char c, buf[1];
2266 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2268 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2269 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2270 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2272 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2273 &clientssl, NULL, NULL)))
2277 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2278 * incremented by both client and server.
2280 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2282 /* Check we got the number of tickets we were expecting */
2283 || !TEST_int_eq(idx * 2, new_called)
2284 || !TEST_true(SSL_new_session_ticket(serverssl))
2285 || !TEST_true(SSL_new_session_ticket(serverssl))
2286 || !TEST_int_eq(idx * 2, new_called))
2289 /* Now try a (real) write to actually send the tickets */
2291 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2292 || !TEST_size_t_eq(1, nbytes)
2293 || !TEST_int_eq(idx * 2 + 2, new_called)
2294 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2295 || !TEST_int_eq(idx * 2 + 4, new_called)
2296 || !TEST_int_eq(sizeof(buf), nbytes)
2297 || !TEST_int_eq(c, buf[0])
2298 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2301 /* Try with only requesting one new ticket, too */
2304 if (!TEST_true(SSL_new_session_ticket(serverssl))
2305 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2306 || !TEST_size_t_eq(sizeof(c), nbytes)
2307 || !TEST_int_eq(1, new_called)
2308 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2309 || !TEST_int_eq(2, new_called)
2310 || !TEST_size_t_eq(sizeof(buf), nbytes)
2311 || !TEST_int_eq(c, buf[0]))
2314 /* Do it again but use dummy writes to drive the ticket generation */
2317 if (!TEST_true(SSL_new_session_ticket(serverssl))
2318 || !TEST_true(SSL_new_session_ticket(serverssl))
2319 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2320 || !TEST_size_t_eq(0, nbytes)
2321 || !TEST_int_eq(2, new_called)
2322 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2323 || !TEST_int_eq(4, new_called))
2327 * Use the always-retry BIO to exercise the logic that forces ticket
2328 * generation to wait until a record boundary.
2332 tmp = SSL_get_wbio(serverssl);
2333 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2337 SSL_set0_wbio(serverssl, bretry);
2339 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2340 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2341 || !TEST_size_t_eq(nbytes, 0))
2343 /* Restore a BIO that will let the write succeed */
2344 SSL_set0_wbio(serverssl, tmp);
2346 /* These calls should just queue the request and not send anything. */
2347 if (!TEST_true(SSL_new_session_ticket(serverssl))
2348 || !TEST_true(SSL_new_session_ticket(serverssl))
2349 || !TEST_int_eq(0, new_called))
2351 /* Re-do the write; still no tickets sent */
2352 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2353 || !TEST_size_t_eq(1, nbytes)
2354 || !TEST_int_eq(0, new_called)
2355 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2356 || !TEST_int_eq(0, new_called)
2357 || !TEST_int_eq(sizeof(buf), nbytes)
2358 || !TEST_int_eq(c, buf[0])
2359 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2361 /* Now the *next* write should send the tickets */
2363 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2364 || !TEST_size_t_eq(1, nbytes)
2365 || !TEST_int_eq(2, new_called)
2366 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2367 || !TEST_int_eq(4, new_called)
2368 || !TEST_int_eq(sizeof(buf), nbytes)
2369 || !TEST_int_eq(c, buf[0])
2370 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2373 SSL_shutdown(clientssl);
2374 SSL_shutdown(serverssl);
2380 SSL_free(serverssl);
2381 SSL_free(clientssl);
2384 clientssl = serverssl = NULL;
2393 #define USE_DEFAULT 3
2395 #define CONNTYPE_CONNECTION_SUCCESS 0
2396 #define CONNTYPE_CONNECTION_FAIL 1
2397 #define CONNTYPE_NO_CONNECTION 2
2399 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2400 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2401 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2402 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2404 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2407 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2408 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2409 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2411 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2428 * Tests calls to SSL_set_bio() under various conditions.
2430 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2431 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2432 * then do more tests where we create a successful connection first using our
2433 * standard connection setup functions, and then call SSL_set_bio() with
2434 * various combinations of valid BIOs or NULL. We then repeat these tests
2435 * following a failed connection. In this last case we are looking to check that
2436 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2438 static int test_ssl_set_bio(int idx)
2440 SSL_CTX *sctx = NULL, *cctx = NULL;
2443 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2444 SSL *serverssl = NULL, *clientssl = NULL;
2445 int initrbio, initwbio, newrbio, newwbio, conntype;
2448 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2456 conntype = CONNTYPE_NO_CONNECTION;
2458 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2459 initrbio = initwbio = USE_DEFAULT;
2467 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2468 TLS_client_method(), TLS1_VERSION, 0,
2469 &sctx, &cctx, cert, privkey)))
2472 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2474 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2475 * because we reduced the number of tests in the definition of
2476 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2477 * mismatched protocol versions we will force a connection failure.
2479 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2480 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2483 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2487 if (initrbio == USE_BIO_1
2488 || initwbio == USE_BIO_1
2489 || newrbio == USE_BIO_1
2490 || newwbio == USE_BIO_1) {
2491 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2495 if (initrbio == USE_BIO_2
2496 || initwbio == USE_BIO_2
2497 || newrbio == USE_BIO_2
2498 || newwbio == USE_BIO_2) {
2499 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2503 if (initrbio != USE_DEFAULT) {
2504 setupbio(&irbio, bio1, bio2, initrbio);
2505 setupbio(&iwbio, bio1, bio2, initwbio);
2506 SSL_set_bio(clientssl, irbio, iwbio);
2509 * We want to maintain our own refs to these BIO, so do an up ref for
2510 * each BIO that will have ownership transferred in the SSL_set_bio()
2515 if (iwbio != NULL && iwbio != irbio)
2519 if (conntype != CONNTYPE_NO_CONNECTION
2520 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2522 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2525 setupbio(&nrbio, bio1, bio2, newrbio);
2526 setupbio(&nwbio, bio1, bio2, newwbio);
2529 * We will (maybe) transfer ownership again so do more up refs.
2530 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2535 && (nwbio != iwbio || nrbio != nwbio))
2539 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2542 SSL_set_bio(clientssl, nrbio, nwbio);
2551 * This test is checking that the ref counting for SSL_set_bio is correct.
2552 * If we get here and we did too many frees then we will fail in the above
2555 SSL_free(serverssl);
2556 SSL_free(clientssl);
2562 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2564 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2566 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2571 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2572 || !TEST_ptr(ssl = SSL_new(ctx))
2573 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2574 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2577 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2580 * If anything goes wrong here then we could leak memory.
2582 BIO_push(sslbio, membio1);
2584 /* Verify changing the rbio/wbio directly does not cause leaks */
2585 if (change_bio != NO_BIO_CHANGE) {
2586 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2588 if (change_bio == CHANGE_RBIO)
2589 SSL_set0_rbio(ssl, membio2);
2591 SSL_set0_wbio(ssl, membio2);
2610 static int test_ssl_bio_pop_next_bio(void)
2612 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2615 static int test_ssl_bio_pop_ssl_bio(void)
2617 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2620 static int test_ssl_bio_change_rbio(void)
2622 return execute_test_ssl_bio(0, CHANGE_RBIO);
2625 static int test_ssl_bio_change_wbio(void)
2627 return execute_test_ssl_bio(0, CHANGE_WBIO);
2630 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2632 /* The list of sig algs */
2634 /* The length of the list */
2636 /* A sigalgs list in string format */
2637 const char *liststr;
2638 /* Whether setting the list should succeed */
2640 /* Whether creating a connection with the list should succeed */
2644 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2645 # ifndef OPENSSL_NO_EC
2646 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2647 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2649 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2650 static const int invalidlist2[] = {NID_sha256, NID_undef};
2651 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2652 static const int invalidlist4[] = {NID_sha256};
2653 static const sigalgs_list testsigalgs[] = {
2654 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2655 # ifndef OPENSSL_NO_EC
2656 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2657 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2659 {NULL, 0, "RSA+SHA256", 1, 1},
2660 # ifndef OPENSSL_NO_EC
2661 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2662 {NULL, 0, "ECDSA+SHA512", 1, 0},
2664 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2665 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2666 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2667 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2668 {NULL, 0, "RSA", 0, 0},
2669 {NULL, 0, "SHA256", 0, 0},
2670 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2671 {NULL, 0, "Invalid", 0, 0}
2674 static int test_set_sigalgs(int idx)
2676 SSL_CTX *cctx = NULL, *sctx = NULL;
2677 SSL *clientssl = NULL, *serverssl = NULL;
2679 const sigalgs_list *curr;
2682 /* Should never happen */
2683 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2686 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2687 curr = testctx ? &testsigalgs[idx]
2688 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2690 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2691 TLS_client_method(), TLS1_VERSION, 0,
2692 &sctx, &cctx, cert, privkey)))
2696 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2697 * for TLSv1.2 for now until we add a new API.
2699 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2704 if (curr->list != NULL)
2705 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2707 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2711 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2717 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2723 &clientssl, NULL, NULL)))
2729 if (curr->list != NULL)
2730 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2732 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2735 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2744 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2752 SSL_free(serverssl);
2753 SSL_free(clientssl);
2761 #ifndef OPENSSL_NO_TLS1_3
2762 static int psk_client_cb_cnt = 0;
2763 static int psk_server_cb_cnt = 0;
2765 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2766 size_t *idlen, SSL_SESSION **sess)
2768 switch (++use_session_cb_cnt) {
2770 /* The first call should always have a NULL md */
2776 /* The second call should always have an md */
2782 /* We should only be called a maximum of twice */
2786 if (clientpsk != NULL)
2787 SSL_SESSION_up_ref(clientpsk);
2790 *id = (const unsigned char *)pskid;
2791 *idlen = strlen(pskid);
2796 #ifndef OPENSSL_NO_PSK
2797 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2798 unsigned int max_id_len,
2800 unsigned int max_psk_len)
2802 unsigned int psklen = 0;
2804 psk_client_cb_cnt++;
2806 if (strlen(pskid) + 1 > max_id_len)
2809 /* We should only ever be called a maximum of twice per connection */
2810 if (psk_client_cb_cnt > 2)
2813 if (clientpsk == NULL)
2816 /* We'll reuse the PSK we set up for TLSv1.3 */
2817 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2819 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2820 strncpy(id, pskid, max_id_len);
2824 #endif /* OPENSSL_NO_PSK */
2826 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2827 size_t identity_len, SSL_SESSION **sess)
2829 find_session_cb_cnt++;
2831 /* We should only ever be called a maximum of twice per connection */
2832 if (find_session_cb_cnt > 2)
2835 if (serverpsk == NULL)
2838 /* Identity should match that set by the client */
2839 if (strlen(srvid) != identity_len
2840 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2841 /* No PSK found, continue but without a PSK */
2846 SSL_SESSION_up_ref(serverpsk);
2852 #ifndef OPENSSL_NO_PSK
2853 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2854 unsigned char *psk, unsigned int max_psk_len)
2856 unsigned int psklen = 0;
2858 psk_server_cb_cnt++;
2860 /* We should only ever be called a maximum of twice per connection */
2861 if (find_session_cb_cnt > 2)
2864 if (serverpsk == NULL)
2867 /* Identity should match that set by the client */
2868 if (strcmp(srvid, identity) != 0) {
2872 /* We'll reuse the PSK we set up for TLSv1.3 */
2873 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2875 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2879 #endif /* OPENSSL_NO_PSK */
2881 #define MSG1 "Hello"
2882 #define MSG2 "World."
2887 #define MSG7 "message."
2889 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2890 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2891 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2892 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2893 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
2896 static SSL_SESSION *create_a_psk(SSL *ssl)
2898 const SSL_CIPHER *cipher = NULL;
2899 const unsigned char key[] = {
2900 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2901 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2902 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2903 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2904 0x2c, 0x2d, 0x2e, 0x2f
2906 SSL_SESSION *sess = NULL;
2908 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2909 sess = SSL_SESSION_new();
2911 || !TEST_ptr(cipher)
2912 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2914 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2916 SSL_SESSION_set_protocol_version(sess,
2918 SSL_SESSION_free(sess);
2925 * Helper method to setup objects for early data test. Caller frees objects on
2928 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2929 SSL **serverssl, SSL_SESSION **sess, int idx)
2932 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2933 TLS_client_method(),
2935 sctx, cctx, cert, privkey)))
2938 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2942 /* When idx == 1 we repeat the tests with read_ahead set */
2943 SSL_CTX_set_read_ahead(*cctx, 1);
2944 SSL_CTX_set_read_ahead(*sctx, 1);
2945 } else if (idx == 2) {
2946 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2947 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2948 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2949 use_session_cb_cnt = 0;
2950 find_session_cb_cnt = 0;
2954 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2959 * For one of the run throughs (doesn't matter which one), we'll try sending
2960 * some SNI data in the initial ClientHello. This will be ignored (because
2961 * there is no SNI cb set up by the server), so it should not impact
2965 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2969 clientpsk = create_a_psk(*clientssl);
2970 if (!TEST_ptr(clientpsk)
2972 * We just choose an arbitrary value for max_early_data which
2973 * should be big enough for testing purposes.
2975 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2977 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2978 SSL_SESSION_free(clientpsk);
2982 serverpsk = clientpsk;
2985 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2986 SSL_SESSION_free(clientpsk);
2987 SSL_SESSION_free(serverpsk);
2988 clientpsk = serverpsk = NULL;
2999 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3003 *sess = SSL_get1_session(*clientssl);
3004 SSL_shutdown(*clientssl);
3005 SSL_shutdown(*serverssl);
3006 SSL_free(*serverssl);
3007 SSL_free(*clientssl);
3008 *serverssl = *clientssl = NULL;
3010 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3011 clientssl, NULL, NULL))
3012 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3018 static int test_early_data_read_write(int idx)
3020 SSL_CTX *cctx = NULL, *sctx = NULL;
3021 SSL *clientssl = NULL, *serverssl = NULL;
3023 SSL_SESSION *sess = NULL;
3024 unsigned char buf[20], data[1024];
3025 size_t readbytes, written, eoedlen, rawread, rawwritten;
3028 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3029 &serverssl, &sess, idx)))
3032 /* Write and read some early data */
3033 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3035 || !TEST_size_t_eq(written, strlen(MSG1))
3036 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3037 sizeof(buf), &readbytes),
3038 SSL_READ_EARLY_DATA_SUCCESS)
3039 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3040 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3041 SSL_EARLY_DATA_ACCEPTED))
3045 * Server should be able to write data, and client should be able to
3048 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3050 || !TEST_size_t_eq(written, strlen(MSG2))
3051 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3052 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3055 /* Even after reading normal data, client should be able write early data */
3056 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3058 || !TEST_size_t_eq(written, strlen(MSG3)))
3061 /* Server should still be able read early data after writing data */
3062 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3064 SSL_READ_EARLY_DATA_SUCCESS)
3065 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3068 /* Write more data from server and read it from client */
3069 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3071 || !TEST_size_t_eq(written, strlen(MSG4))
3072 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3073 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3077 * If client writes normal data it should mean writing early data is no
3080 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3081 || !TEST_size_t_eq(written, strlen(MSG5))
3082 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3083 SSL_EARLY_DATA_ACCEPTED))
3087 * At this point the client has written EndOfEarlyData, ClientFinished and
3088 * normal (fully protected) data. We are going to cause a delay between the
3089 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3090 * in the read BIO, and then just put back the EndOfEarlyData message.
3092 rbio = SSL_get_rbio(serverssl);
3093 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3094 || !TEST_size_t_lt(rawread, sizeof(data))
3095 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3098 /* Record length is in the 4th and 5th bytes of the record header */
3099 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3100 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3101 || !TEST_size_t_eq(rawwritten, eoedlen))
3104 /* Server should be told that there is no more early data */
3105 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3107 SSL_READ_EARLY_DATA_FINISH)
3108 || !TEST_size_t_eq(readbytes, 0))
3112 * Server has not finished init yet, so should still be able to write early
3115 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3117 || !TEST_size_t_eq(written, strlen(MSG6)))
3120 /* Push the ClientFinished and the normal data back into the server rbio */
3121 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3123 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3126 /* Server should be able to read normal data */
3127 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3128 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3131 /* Client and server should not be able to write/read early data now */
3132 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3136 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3138 SSL_READ_EARLY_DATA_ERROR))
3142 /* Client should be able to read the data sent by the server */
3143 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3144 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3148 * Make sure we process the two NewSessionTickets. These arrive
3149 * post-handshake. We attempt reads which we do not expect to return any
3152 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3153 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3157 /* Server should be able to write normal data */
3158 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3159 || !TEST_size_t_eq(written, strlen(MSG7))
3160 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3161 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3164 SSL_SESSION_free(sess);
3165 sess = SSL_get1_session(clientssl);
3166 use_session_cb_cnt = 0;
3167 find_session_cb_cnt = 0;
3169 SSL_shutdown(clientssl);
3170 SSL_shutdown(serverssl);
3171 SSL_free(serverssl);
3172 SSL_free(clientssl);
3173 serverssl = clientssl = NULL;
3174 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3175 &clientssl, NULL, NULL))
3176 || !TEST_true(SSL_set_session(clientssl, sess)))
3179 /* Write and read some early data */
3180 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3182 || !TEST_size_t_eq(written, strlen(MSG1))
3183 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3185 SSL_READ_EARLY_DATA_SUCCESS)
3186 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3189 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3190 || !TEST_int_gt(SSL_accept(serverssl), 0))
3193 /* Client and server should not be able to write/read early data now */
3194 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3198 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3200 SSL_READ_EARLY_DATA_ERROR))
3204 /* Client and server should be able to write/read normal data */
3205 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3206 || !TEST_size_t_eq(written, strlen(MSG5))
3207 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3208 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3214 SSL_SESSION_free(sess);
3215 SSL_SESSION_free(clientpsk);
3216 SSL_SESSION_free(serverpsk);
3217 clientpsk = serverpsk = NULL;
3218 SSL_free(serverssl);
3219 SSL_free(clientssl);
3225 static int allow_ed_cb_called = 0;
3227 static int allow_early_data_cb(SSL *s, void *arg)
3229 int *usecb = (int *)arg;
3231 allow_ed_cb_called++;
3240 * idx == 0: Standard early_data setup
3241 * idx == 1: early_data setup using read_ahead
3242 * usecb == 0: Don't use a custom early data callback
3243 * usecb == 1: Use a custom early data callback and reject the early data
3244 * usecb == 2: Use a custom early data callback and accept the early data
3245 * confopt == 0: Configure anti-replay directly
3246 * confopt == 1: Configure anti-replay using SSL_CONF
3248 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3250 SSL_CTX *cctx = NULL, *sctx = NULL;
3251 SSL *clientssl = NULL, *serverssl = NULL;
3253 SSL_SESSION *sess = NULL;
3254 size_t readbytes, written;
3255 unsigned char buf[20];
3257 allow_ed_cb_called = 0;
3259 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3260 TLS_client_method(), TLS1_VERSION, 0,
3261 &sctx, &cctx, cert, privkey)))
3266 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3268 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3270 if (!TEST_ptr(confctx))
3272 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3273 | SSL_CONF_FLAG_SERVER);
3274 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3275 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3277 SSL_CONF_CTX_free(confctx);
3280 SSL_CONF_CTX_free(confctx);
3282 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3285 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3286 &serverssl, &sess, idx)))
3290 * The server is configured to accept early data. Create a connection to
3291 * "use up" the ticket
3293 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3294 || !TEST_true(SSL_session_reused(clientssl)))
3297 SSL_shutdown(clientssl);
3298 SSL_shutdown(serverssl);
3299 SSL_free(serverssl);
3300 SSL_free(clientssl);
3301 serverssl = clientssl = NULL;
3303 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3304 &clientssl, NULL, NULL))
3305 || !TEST_true(SSL_set_session(clientssl, sess)))
3308 /* Write and read some early data */
3309 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3311 || !TEST_size_t_eq(written, strlen(MSG1)))
3315 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3317 SSL_READ_EARLY_DATA_FINISH)
3319 * The ticket was reused, so the we should have rejected the
3322 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3323 SSL_EARLY_DATA_REJECTED))
3326 /* In this case the callback decides to accept the early data */
3327 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3329 SSL_READ_EARLY_DATA_SUCCESS)
3330 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3332 * Server will have sent its flight so client can now send
3333 * end of early data and complete its half of the handshake
3335 || !TEST_int_gt(SSL_connect(clientssl), 0)
3336 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3338 SSL_READ_EARLY_DATA_FINISH)
3339 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3340 SSL_EARLY_DATA_ACCEPTED))
3344 /* Complete the connection */
3345 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3346 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3347 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3353 SSL_SESSION_free(sess);
3354 SSL_SESSION_free(clientpsk);
3355 SSL_SESSION_free(serverpsk);
3356 clientpsk = serverpsk = NULL;
3357 SSL_free(serverssl);
3358 SSL_free(clientssl);
3364 static int test_early_data_replay(int idx)
3366 int ret = 1, usecb, confopt;
3368 for (usecb = 0; usecb < 3; usecb++) {
3369 for (confopt = 0; confopt < 2; confopt++)
3370 ret &= test_early_data_replay_int(idx, usecb, confopt);
3377 * Helper function to test that a server attempting to read early data can
3378 * handle a connection from a client where the early data should be skipped.
3379 * testtype: 0 == No HRR
3380 * testtype: 1 == HRR
3381 * testtype: 2 == HRR, invalid early_data sent after HRR
3382 * testtype: 3 == recv_max_early_data set to 0
3384 static int early_data_skip_helper(int testtype, int idx)
3386 SSL_CTX *cctx = NULL, *sctx = NULL;
3387 SSL *clientssl = NULL, *serverssl = NULL;
3389 SSL_SESSION *sess = NULL;
3390 unsigned char buf[20];
3391 size_t readbytes, written;
3393 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3394 &serverssl, &sess, idx)))
3397 if (testtype == 1 || testtype == 2) {
3398 /* Force an HRR to occur */
3399 #if defined(OPENSSL_NO_EC)
3400 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3403 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3406 } else if (idx == 2) {
3408 * We force early_data rejection by ensuring the PSK identity is
3411 srvid = "Dummy Identity";
3414 * Deliberately corrupt the creation time. We take 20 seconds off the
3415 * time. It could be any value as long as it is not within tolerance.
3416 * This should mean the ticket is rejected.
3418 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3423 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3426 /* Write some early data */
3427 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3429 || !TEST_size_t_eq(written, strlen(MSG1)))
3432 /* Server should reject the early data */
3433 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3435 SSL_READ_EARLY_DATA_FINISH)
3436 || !TEST_size_t_eq(readbytes, 0)
3437 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3438 SSL_EARLY_DATA_REJECTED))
3448 * Finish off the handshake. We perform the same writes and reads as
3449 * further down but we expect them to fail due to the incomplete
3452 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3453 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3460 BIO *wbio = SSL_get_wbio(clientssl);
3461 /* A record that will appear as bad early_data */
3462 const unsigned char bad_early_data[] = {
3463 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3467 * We force the client to attempt a write. This will fail because
3468 * we're still in the handshake. It will cause the second
3469 * ClientHello to be sent.
3471 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3476 * Inject some early_data after the second ClientHello. This should
3477 * cause the server to fail
3479 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3480 sizeof(bad_early_data), &written)))
3487 * This client has sent more early_data than we are willing to skip
3488 * (case 3) or sent invalid early_data (case 2) so the connection should
3491 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3492 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3495 /* Connection has failed - nothing more to do */
3500 TEST_error("Invalid test type");
3505 * Should be able to send normal data despite rejection of early data. The
3506 * early_data should be skipped.
3508 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3509 || !TEST_size_t_eq(written, strlen(MSG2))
3510 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3511 SSL_EARLY_DATA_REJECTED)
3512 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3513 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3519 SSL_SESSION_free(clientpsk);
3520 SSL_SESSION_free(serverpsk);
3521 clientpsk = serverpsk = NULL;
3522 SSL_SESSION_free(sess);
3523 SSL_free(serverssl);
3524 SSL_free(clientssl);
3531 * Test that a server attempting to read early data can handle a connection
3532 * from a client where the early data is not acceptable.
3534 static int test_early_data_skip(int idx)
3536 return early_data_skip_helper(0, idx);
3540 * Test that a server attempting to read early data can handle a connection
3541 * from a client where an HRR occurs.
3543 static int test_early_data_skip_hrr(int idx)
3545 return early_data_skip_helper(1, idx);
3549 * Test that a server attempting to read early data can handle a connection
3550 * from a client where an HRR occurs and correctly fails if early_data is sent
3553 static int test_early_data_skip_hrr_fail(int idx)
3555 return early_data_skip_helper(2, idx);
3559 * Test that a server attempting to read early data will abort if it tries to
3560 * skip over too much.
3562 static int test_early_data_skip_abort(int idx)
3564 return early_data_skip_helper(3, idx);
3568 * Test that a server attempting to read early data can handle a connection
3569 * from a client that doesn't send any.
3571 static int test_early_data_not_sent(int idx)
3573 SSL_CTX *cctx = NULL, *sctx = NULL;
3574 SSL *clientssl = NULL, *serverssl = NULL;
3576 SSL_SESSION *sess = NULL;
3577 unsigned char buf[20];
3578 size_t readbytes, written;
3580 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3581 &serverssl, &sess, idx)))
3584 /* Write some data - should block due to handshake with server */
3585 SSL_set_connect_state(clientssl);
3586 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3589 /* Server should detect that early data has not been sent */
3590 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3592 SSL_READ_EARLY_DATA_FINISH)
3593 || !TEST_size_t_eq(readbytes, 0)
3594 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3595 SSL_EARLY_DATA_NOT_SENT)
3596 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3597 SSL_EARLY_DATA_NOT_SENT))
3600 /* Continue writing the message we started earlier */
3601 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3602 || !TEST_size_t_eq(written, strlen(MSG1))
3603 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3604 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3605 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3606 || !TEST_size_t_eq(written, strlen(MSG2)))
3609 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3610 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3616 SSL_SESSION_free(sess);
3617 SSL_SESSION_free(clientpsk);
3618 SSL_SESSION_free(serverpsk);
3619 clientpsk = serverpsk = NULL;
3620 SSL_free(serverssl);
3621 SSL_free(clientssl);
3627 static const char *servalpn;
3629 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3630 unsigned char *outlen, const unsigned char *in,
3631 unsigned int inlen, void *arg)
3633 unsigned int protlen = 0;
3634 const unsigned char *prot;
3636 for (prot = in; prot < in + inlen; prot += protlen) {
3638 if (in + inlen < prot + protlen)
3639 return SSL_TLSEXT_ERR_NOACK;
3641 if (protlen == strlen(servalpn)
3642 && memcmp(prot, servalpn, protlen) == 0) {
3645 return SSL_TLSEXT_ERR_OK;
3649 return SSL_TLSEXT_ERR_NOACK;
3652 /* Test that a PSK can be used to send early_data */
3653 static int test_early_data_psk(int idx)
3655 SSL_CTX *cctx = NULL, *sctx = NULL;
3656 SSL *clientssl = NULL, *serverssl = NULL;
3658 SSL_SESSION *sess = NULL;
3659 unsigned char alpnlist[] = {
3660 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3663 #define GOODALPNLEN 9
3664 #define BADALPNLEN 8
3665 #define GOODALPN (alpnlist)
3666 #define BADALPN (alpnlist + GOODALPNLEN)
3668 unsigned char buf[20];
3669 size_t readbytes, written;
3670 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3671 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3673 /* We always set this up with a final parameter of "2" for PSK */
3674 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3675 &serverssl, &sess, 2)))
3678 servalpn = "goodalpn";
3681 * Note: There is no test for inconsistent SNI with late client detection.
3682 * This is because servers do not acknowledge SNI even if they are using
3683 * it in a resumption handshake - so it is not actually possible for a
3684 * client to detect a problem.
3688 /* Set inconsistent SNI (early client detection) */
3689 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3690 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3691 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3696 /* Set inconsistent ALPN (early client detection) */
3697 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3698 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3699 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3701 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3708 * Set invalid protocol version. Technically this affects PSKs without
3709 * early_data too, but we test it here because it is similar to the
3710 * SNI/ALPN consistency tests.
3712 err = SSL_R_BAD_PSK;
3713 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3719 * Set inconsistent SNI (server side). In this case the connection
3720 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3721 * is associated with each handshake - not the session. Therefore it
3722 * should not matter that we used a different server name last time.
3724 SSL_SESSION_free(serverpsk);
3725 serverpsk = SSL_SESSION_dup(clientpsk);
3726 if (!TEST_ptr(serverpsk)
3727 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3731 /* Set consistent SNI */
3732 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3733 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3734 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3741 * Set inconsistent ALPN (server detected). In this case the connection
3742 * will succeed but reject early_data.
3744 servalpn = "badalpn";
3745 edstatus = SSL_EARLY_DATA_REJECTED;
3746 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3750 * Set consistent ALPN.
3751 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3752 * accepts a list of protos (each one length prefixed).
3753 * SSL_set1_alpn_selected accepts a single protocol (not length
3756 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3758 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3762 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3766 /* Set inconsistent ALPN (late client detection) */
3767 SSL_SESSION_free(serverpsk);
3768 serverpsk = SSL_SESSION_dup(clientpsk);
3769 if (!TEST_ptr(serverpsk)
3770 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3773 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3776 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3779 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3780 edstatus = SSL_EARLY_DATA_ACCEPTED;
3781 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3782 /* SSL_connect() call should fail */
3787 TEST_error("Bad test index");
3791 SSL_set_connect_state(clientssl);
3793 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3795 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3796 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3799 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3803 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3804 &readbytes), readearlyres)
3805 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3806 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3807 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3808 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3815 SSL_SESSION_free(sess);
3816 SSL_SESSION_free(clientpsk);
3817 SSL_SESSION_free(serverpsk);
3818 clientpsk = serverpsk = NULL;
3819 SSL_free(serverssl);
3820 SSL_free(clientssl);
3827 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3828 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3829 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3830 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3831 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3832 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3834 static int test_early_data_psk_with_all_ciphers(int idx)
3836 SSL_CTX *cctx = NULL, *sctx = NULL;
3837 SSL *clientssl = NULL, *serverssl = NULL;
3839 SSL_SESSION *sess = NULL;
3840 unsigned char buf[20];
3841 size_t readbytes, written;
3842 const SSL_CIPHER *cipher;
3843 const char *cipher_str[] = {
3844 TLS1_3_RFC_AES_128_GCM_SHA256,
3845 TLS1_3_RFC_AES_256_GCM_SHA384,
3846 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3847 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3851 TLS1_3_RFC_AES_128_CCM_SHA256,
3852 TLS1_3_RFC_AES_128_CCM_8_SHA256
3854 const unsigned char *cipher_bytes[] = {
3855 TLS13_AES_128_GCM_SHA256_BYTES,
3856 TLS13_AES_256_GCM_SHA384_BYTES,
3857 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3858 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3862 TLS13_AES_128_CCM_SHA256_BYTES,
3863 TLS13_AES_128_CCM_8_SHA256_BYTES
3866 if (cipher_str[idx] == NULL)
3868 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3869 if (idx == 2 && is_fips == 1)
3872 /* We always set this up with a final parameter of "2" for PSK */
3873 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3874 &serverssl, &sess, 2)))
3877 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3878 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3882 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3883 * and assigns to both client and server with incremented reference
3884 * and the same instance is updated in 'sess'.
3885 * So updating ciphersuite in 'sess' which will get reflected in
3886 * PSK handshake using psk use sess and find sess cb.
3888 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3889 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3892 SSL_set_connect_state(clientssl);
3893 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3897 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3899 SSL_READ_EARLY_DATA_SUCCESS)
3900 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3901 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3902 SSL_EARLY_DATA_ACCEPTED)
3903 || !TEST_int_eq(SSL_connect(clientssl), 1)
3904 || !TEST_int_eq(SSL_accept(serverssl), 1))
3907 /* Send some normal data from client to server */
3908 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3909 || !TEST_size_t_eq(written, strlen(MSG2)))
3912 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3913 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3918 SSL_SESSION_free(sess);
3919 SSL_SESSION_free(clientpsk);
3920 SSL_SESSION_free(serverpsk);
3921 clientpsk = serverpsk = NULL;
3922 if (clientssl != NULL)
3923 SSL_shutdown(clientssl);
3924 if (serverssl != NULL)
3925 SSL_shutdown(serverssl);
3926 SSL_free(serverssl);
3927 SSL_free(clientssl);
3934 * Test that a server that doesn't try to read early data can handle a
3935 * client sending some.
3937 static int test_early_data_not_expected(int idx)
3939 SSL_CTX *cctx = NULL, *sctx = NULL;
3940 SSL *clientssl = NULL, *serverssl = NULL;
3942 SSL_SESSION *sess = NULL;
3943 unsigned char buf[20];
3944 size_t readbytes, written;
3946 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3947 &serverssl, &sess, idx)))
3950 /* Write some early data */
3951 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3956 * Server should skip over early data and then block waiting for client to
3957 * continue handshake
3959 if (!TEST_int_le(SSL_accept(serverssl), 0)
3960 || !TEST_int_gt(SSL_connect(clientssl), 0)
3961 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3962 SSL_EARLY_DATA_REJECTED)
3963 || !TEST_int_gt(SSL_accept(serverssl), 0)
3964 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3965 SSL_EARLY_DATA_REJECTED))
3968 /* Send some normal data from client to server */
3969 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3970 || !TEST_size_t_eq(written, strlen(MSG2)))
3973 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3974 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3980 SSL_SESSION_free(sess);
3981 SSL_SESSION_free(clientpsk);
3982 SSL_SESSION_free(serverpsk);
3983 clientpsk = serverpsk = NULL;
3984 SSL_free(serverssl);
3985 SSL_free(clientssl);
3992 # ifndef OPENSSL_NO_TLS1_2
3994 * Test that a server attempting to read early data can handle a connection
3995 * from a TLSv1.2 client.
3997 static int test_early_data_tls1_2(int idx)
3999 SSL_CTX *cctx = NULL, *sctx = NULL;
4000 SSL *clientssl = NULL, *serverssl = NULL;
4002 unsigned char buf[20];
4003 size_t readbytes, written;
4005 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4006 &serverssl, NULL, idx)))
4009 /* Write some data - should block due to handshake with server */
4010 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4011 SSL_set_connect_state(clientssl);
4012 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4016 * Server should do TLSv1.2 handshake. First it will block waiting for more
4017 * messages from client after ServerDone. Then SSL_read_early_data should
4018 * finish and detect that early data has not been sent
4020 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4022 SSL_READ_EARLY_DATA_ERROR))
4026 * Continue writing the message we started earlier. Will still block waiting
4027 * for the CCS/Finished from server
4029 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4030 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4032 SSL_READ_EARLY_DATA_FINISH)
4033 || !TEST_size_t_eq(readbytes, 0)
4034 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4035 SSL_EARLY_DATA_NOT_SENT))
4038 /* Continue writing the message we started earlier */
4039 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4040 || !TEST_size_t_eq(written, strlen(MSG1))
4041 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4042 SSL_EARLY_DATA_NOT_SENT)
4043 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4044 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4045 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4046 || !TEST_size_t_eq(written, strlen(MSG2))
4047 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4048 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4054 SSL_SESSION_free(clientpsk);
4055 SSL_SESSION_free(serverpsk);
4056 clientpsk = serverpsk = NULL;
4057 SSL_free(serverssl);
4058 SSL_free(clientssl);
4064 # endif /* OPENSSL_NO_TLS1_2 */
4067 * Test configuring the TLSv1.3 ciphersuites
4069 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4070 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4071 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4072 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4073 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4074 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4075 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4076 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4077 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4078 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4080 static int test_set_ciphersuite(int idx)
4082 SSL_CTX *cctx = NULL, *sctx = NULL;
4083 SSL *clientssl = NULL, *serverssl = NULL;
4086 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4087 TLS_client_method(), TLS1_VERSION, 0,
4088 &sctx, &cctx, cert, privkey))
4089 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4090 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4093 if (idx >=4 && idx <= 7) {
4094 /* SSL_CTX explicit cipher list */
4095 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4099 if (idx == 0 || idx == 4) {
4100 /* Default ciphersuite */
4101 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4102 "TLS_AES_128_GCM_SHA256")))
4104 } else if (idx == 1 || idx == 5) {
4105 /* Non default ciphersuite */
4106 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4107 "TLS_AES_128_CCM_SHA256")))
4111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4112 &clientssl, NULL, NULL)))
4115 if (idx == 8 || idx == 9) {
4116 /* SSL explicit cipher list */
4117 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4121 if (idx == 2 || idx == 6 || idx == 8) {
4122 /* Default ciphersuite */
4123 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4124 "TLS_AES_128_GCM_SHA256")))
4126 } else if (idx == 3 || idx == 7 || idx == 9) {
4127 /* Non default ciphersuite */
4128 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4129 "TLS_AES_128_CCM_SHA256")))
4133 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4139 SSL_free(serverssl);
4140 SSL_free(clientssl);
4147 static int test_ciphersuite_change(void)
4149 SSL_CTX *cctx = NULL, *sctx = NULL;
4150 SSL *clientssl = NULL, *serverssl = NULL;
4151 SSL_SESSION *clntsess = NULL;
4153 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4155 /* Create a session based on SHA-256 */
4156 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4157 TLS_client_method(), TLS1_VERSION, 0,
4158 &sctx, &cctx, cert, privkey))
4159 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4160 "TLS_AES_128_GCM_SHA256:"
4161 "TLS_AES_256_GCM_SHA384:"
4162 "TLS_AES_128_CCM_SHA256"))
4163 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4164 "TLS_AES_128_GCM_SHA256"))
4165 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4166 &clientssl, NULL, NULL))
4167 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4171 clntsess = SSL_get1_session(clientssl);
4172 /* Save for later */
4173 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4174 SSL_shutdown(clientssl);
4175 SSL_shutdown(serverssl);
4176 SSL_free(serverssl);
4177 SSL_free(clientssl);
4178 serverssl = clientssl = NULL;
4180 /* Check we can resume a session with a different SHA-256 ciphersuite */
4181 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4182 "TLS_AES_128_CCM_SHA256"))
4183 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4184 &clientssl, NULL, NULL))
4185 || !TEST_true(SSL_set_session(clientssl, clntsess))
4186 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4188 || !TEST_true(SSL_session_reused(clientssl)))
4191 SSL_SESSION_free(clntsess);
4192 clntsess = SSL_get1_session(clientssl);
4193 SSL_shutdown(clientssl);
4194 SSL_shutdown(serverssl);
4195 SSL_free(serverssl);
4196 SSL_free(clientssl);
4197 serverssl = clientssl = NULL;
4200 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4201 * succeeds but does not resume.
4203 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4204 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4206 || !TEST_true(SSL_set_session(clientssl, clntsess))
4207 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4209 || !TEST_false(SSL_session_reused(clientssl)))
4212 SSL_SESSION_free(clntsess);
4214 SSL_shutdown(clientssl);
4215 SSL_shutdown(serverssl);
4216 SSL_free(serverssl);
4217 SSL_free(clientssl);
4218 serverssl = clientssl = NULL;
4220 /* Create a session based on SHA384 */
4221 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4222 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4223 &clientssl, NULL, NULL))
4224 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4228 clntsess = SSL_get1_session(clientssl);
4229 SSL_shutdown(clientssl);
4230 SSL_shutdown(serverssl);
4231 SSL_free(serverssl);
4232 SSL_free(clientssl);
4233 serverssl = clientssl = NULL;
4235 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4236 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4237 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4238 "TLS_AES_256_GCM_SHA384"))
4239 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4241 || !TEST_true(SSL_set_session(clientssl, clntsess))
4243 * We use SSL_ERROR_WANT_READ below so that we can pause the
4244 * connection after the initial ClientHello has been sent to
4245 * enable us to make some session changes.
4247 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4248 SSL_ERROR_WANT_READ)))
4251 /* Trick the client into thinking this session is for a different digest */
4252 clntsess->cipher = aes_128_gcm_sha256;
4253 clntsess->cipher_id = clntsess->cipher->id;
4256 * Continue the previously started connection. Server has selected a SHA-384
4257 * ciphersuite, but client thinks the session is for SHA-256, so it should
4260 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4262 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4263 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4269 SSL_SESSION_free(clntsess);
4270 SSL_free(serverssl);
4271 SSL_free(clientssl);
4279 * Test TLSv1.3 Key exchange
4280 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4281 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4282 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4283 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4284 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4285 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4286 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4287 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4288 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4289 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4290 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4291 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4292 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4293 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4295 static int test_key_exchange(int idx)
4297 SSL_CTX *sctx = NULL, *cctx = NULL;
4298 SSL *serverssl = NULL, *clientssl = NULL;
4300 # ifndef OPENSSL_NO_EC
4301 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4302 NID_secp521r1, NID_X25519, NID_X448};
4304 # ifndef OPENSSL_NO_DH
4305 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4306 NID_ffdhe6144, NID_ffdhe8192};
4309 int *kexch_groups = &kexch_alg;
4310 int kexch_groups_size = 1;
4311 int max_version = TLS1_3_VERSION;
4314 # ifndef OPENSSL_NO_EC
4315 # ifndef OPENSSL_NO_TLS1_2
4317 max_version = TLS1_2_VERSION;
4321 kexch_groups = ecdhe_kexch_groups;
4322 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4325 kexch_alg = NID_X9_62_prime256v1;
4328 kexch_alg = NID_secp384r1;
4331 kexch_alg = NID_secp521r1;
4334 kexch_alg = NID_X25519;
4337 kexch_alg = NID_X448;
4340 # ifndef OPENSSL_NO_DH
4341 # ifndef OPENSSL_NO_TLS1_2
4343 max_version = TLS1_2_VERSION;
4347 kexch_groups = ffdhe_kexch_groups;
4348 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4351 kexch_alg = NID_ffdhe2048;
4354 kexch_alg = NID_ffdhe3072;
4357 kexch_alg = NID_ffdhe4096;
4360 kexch_alg = NID_ffdhe6144;
4363 kexch_alg = NID_ffdhe8192;
4367 /* We're skipping this test */
4371 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4372 TLS_client_method(), TLS1_VERSION,
4373 max_version, &sctx, &cctx, cert,
4377 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4378 TLS1_3_RFC_AES_128_GCM_SHA256)))
4381 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4382 TLS1_3_RFC_AES_128_GCM_SHA256)))
4385 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4386 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4390 * Must include an EC ciphersuite so that we send supported groups in
4393 # ifndef OPENSSL_NO_TLS1_2
4394 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4395 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4396 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4400 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4404 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4405 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4408 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4412 * If Handshake succeeds the negotiated kexch alg should be the first one in
4413 * configured, except in the case of FFDHE groups (idx 13), which are
4414 * TLSv1.3 only so we expect no shared group to exist.
4416 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4417 idx == 13 ? 0 : kexch_groups[0]))
4419 if (max_version == TLS1_3_VERSION) {
4420 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4422 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4428 SSL_free(serverssl);
4429 SSL_free(clientssl);
4436 * Test TLSv1.3 Cipher Suite
4437 * Test 0 = Set TLS1.3 cipher on context
4438 * Test 1 = Set TLS1.3 cipher on SSL
4439 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4440 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4442 static int test_tls13_ciphersuite(int idx)
4444 SSL_CTX *sctx = NULL, *cctx = NULL;
4445 SSL *serverssl = NULL, *clientssl = NULL;
4446 static const struct {
4447 const char *ciphername;
4450 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4451 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4452 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4453 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4454 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4455 { TLS1_3_RFC_AES_256_GCM_SHA384
4456 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4458 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4460 const char *t13_cipher = NULL;
4461 const char *t12_cipher = NULL;
4462 const char *negotiated_scipher;
4463 const char *negotiated_ccipher;
4479 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4483 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4487 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4488 # ifdef OPENSSL_NO_TLS1_2
4489 if (max_ver == TLS1_2_VERSION)
4492 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4493 if (is_fips && !t13_ciphers[i].fipscapable)
4495 t13_cipher = t13_ciphers[i].ciphername;
4496 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4497 TLS_client_method(),
4498 TLS1_VERSION, max_ver,
4499 &sctx, &cctx, cert, privkey)))
4503 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4504 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4506 if (t12_cipher != NULL) {
4507 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4508 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4514 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4515 &clientssl, NULL, NULL)))
4519 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4520 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4522 if (t12_cipher != NULL) {
4523 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4524 || !TEST_true(SSL_set_cipher_list(clientssl,
4530 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4534 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4536 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4538 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4542 * TEST_strn_eq is used below because t13_cipher can contain
4543 * multiple ciphersuites
4545 if (max_ver == TLS1_3_VERSION
4546 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4547 strlen(negotiated_scipher)))
4550 # ifndef OPENSSL_NO_TLS1_2
4551 /* Below validation is not done when t12_cipher is NULL */
4552 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4553 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4557 SSL_free(serverssl);
4559 SSL_free(clientssl);
4570 SSL_free(serverssl);
4571 SSL_free(clientssl);
4579 * Test 0 = Test new style callbacks
4580 * Test 1 = Test both new and old style callbacks
4581 * Test 2 = Test old style callbacks
4582 * Test 3 = Test old style callbacks with no certificate
4584 static int test_tls13_psk(int idx)
4586 SSL_CTX *sctx = NULL, *cctx = NULL;
4587 SSL *serverssl = NULL, *clientssl = NULL;
4588 const SSL_CIPHER *cipher = NULL;
4589 const unsigned char key[] = {
4590 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4591 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4592 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4593 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4597 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4598 TLS_client_method(), TLS1_VERSION, 0,
4599 &sctx, &cctx, idx == 3 ? NULL : cert,
4600 idx == 3 ? NULL : privkey)))
4605 * We use a ciphersuite with SHA256 to ease testing old style PSK
4606 * callbacks which will always default to SHA256. This should not be
4607 * necessary if we have no cert/priv key. In that case the server should
4608 * prefer SHA256 automatically.
4610 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4611 "TLS_AES_128_GCM_SHA256")))
4615 * As noted above the server should prefer SHA256 automatically. However
4616 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4617 * code works even if we are testing with only the FIPS provider loaded.
4619 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4620 "TLS_AES_256_GCM_SHA384:"
4621 "TLS_AES_128_GCM_SHA256")))
4626 * Test 0: New style callbacks only
4627 * Test 1: New and old style callbacks (only the new ones should be used)
4628 * Test 2: Old style callbacks only
4630 if (idx == 0 || idx == 1) {
4631 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4632 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4634 #ifndef OPENSSL_NO_PSK
4636 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4637 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4641 use_session_cb_cnt = 0;
4642 find_session_cb_cnt = 0;
4643 psk_client_cb_cnt = 0;
4644 psk_server_cb_cnt = 0;
4648 * Check we can create a connection if callback decides not to send a
4651 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4653 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4655 || !TEST_false(SSL_session_reused(clientssl))
4656 || !TEST_false(SSL_session_reused(serverssl)))
4659 if (idx == 0 || idx == 1) {
4660 if (!TEST_true(use_session_cb_cnt == 1)
4661 || !TEST_true(find_session_cb_cnt == 0)
4663 * If no old style callback then below should be 0
4666 || !TEST_true(psk_client_cb_cnt == idx)
4667 || !TEST_true(psk_server_cb_cnt == 0))
4670 if (!TEST_true(use_session_cb_cnt == 0)
4671 || !TEST_true(find_session_cb_cnt == 0)
4672 || !TEST_true(psk_client_cb_cnt == 1)
4673 || !TEST_true(psk_server_cb_cnt == 0))
4677 shutdown_ssl_connection(serverssl, clientssl);
4678 serverssl = clientssl = NULL;
4679 use_session_cb_cnt = psk_client_cb_cnt = 0;
4682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4686 /* Create the PSK */
4687 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4688 clientpsk = SSL_SESSION_new();
4689 if (!TEST_ptr(clientpsk)
4690 || !TEST_ptr(cipher)
4691 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4693 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4694 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4696 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4698 serverpsk = clientpsk;
4700 /* Check we can create a connection and the PSK is used */
4701 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4702 || !TEST_true(SSL_session_reused(clientssl))
4703 || !TEST_true(SSL_session_reused(serverssl)))
4706 if (idx == 0 || idx == 1) {
4707 if (!TEST_true(use_session_cb_cnt == 1)
4708 || !TEST_true(find_session_cb_cnt == 1)
4709 || !TEST_true(psk_client_cb_cnt == 0)
4710 || !TEST_true(psk_server_cb_cnt == 0))
4713 if (!TEST_true(use_session_cb_cnt == 0)
4714 || !TEST_true(find_session_cb_cnt == 0)
4715 || !TEST_true(psk_client_cb_cnt == 1)
4716 || !TEST_true(psk_server_cb_cnt == 1))
4720 shutdown_ssl_connection(serverssl, clientssl);
4721 serverssl = clientssl = NULL;
4722 use_session_cb_cnt = find_session_cb_cnt = 0;
4723 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4730 #if defined(OPENSSL_NO_EC)
4731 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4734 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4739 * Check we can create a connection, the PSK is used and the callbacks are
4742 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4743 || !TEST_true(SSL_session_reused(clientssl))
4744 || !TEST_true(SSL_session_reused(serverssl)))
4747 if (idx == 0 || idx == 1) {
4748 if (!TEST_true(use_session_cb_cnt == 2)
4749 || !TEST_true(find_session_cb_cnt == 2)
4750 || !TEST_true(psk_client_cb_cnt == 0)
4751 || !TEST_true(psk_server_cb_cnt == 0))
4754 if (!TEST_true(use_session_cb_cnt == 0)
4755 || !TEST_true(find_session_cb_cnt == 0)
4756 || !TEST_true(psk_client_cb_cnt == 2)
4757 || !TEST_true(psk_server_cb_cnt == 2))
4761 shutdown_ssl_connection(serverssl, clientssl);
4762 serverssl = clientssl = NULL;
4763 use_session_cb_cnt = find_session_cb_cnt = 0;
4764 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4768 * Check that if the server rejects the PSK we can still connect, but with
4771 srvid = "Dummy Identity";
4772 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4774 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4776 || !TEST_false(SSL_session_reused(clientssl))
4777 || !TEST_false(SSL_session_reused(serverssl)))
4780 if (idx == 0 || idx == 1) {
4781 if (!TEST_true(use_session_cb_cnt == 1)
4782 || !TEST_true(find_session_cb_cnt == 1)
4783 || !TEST_true(psk_client_cb_cnt == 0)
4785 * If no old style callback then below should be 0
4788 || !TEST_true(psk_server_cb_cnt == idx))
4791 if (!TEST_true(use_session_cb_cnt == 0)
4792 || !TEST_true(find_session_cb_cnt == 0)
4793 || !TEST_true(psk_client_cb_cnt == 1)
4794 || !TEST_true(psk_server_cb_cnt == 1))
4798 shutdown_ssl_connection(serverssl, clientssl);
4799 serverssl = clientssl = NULL;
4804 SSL_SESSION_free(clientpsk);
4805 SSL_SESSION_free(serverpsk);
4806 clientpsk = serverpsk = NULL;
4807 SSL_free(serverssl);
4808 SSL_free(clientssl);
4814 static unsigned char cookie_magic_value[] = "cookie magic";
4816 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4817 unsigned int *cookie_len)
4820 * Not suitable as a real cookie generation function but good enough for
4823 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4824 *cookie_len = sizeof(cookie_magic_value) - 1;
4829 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4830 unsigned int cookie_len)
4832 if (cookie_len == sizeof(cookie_magic_value) - 1
4833 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4839 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4843 int res = generate_cookie_callback(ssl, cookie, &temp);
4848 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4851 return verify_cookie_callback(ssl, cookie, cookie_len);
4854 static int test_stateless(void)
4856 SSL_CTX *sctx = NULL, *cctx = NULL;
4857 SSL *serverssl = NULL, *clientssl = NULL;
4860 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4861 TLS_client_method(), TLS1_VERSION, 0,
4862 &sctx, &cctx, cert, privkey)))
4865 /* The arrival of CCS messages can confuse the test */
4866 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4870 /* Send the first ClientHello */
4871 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4872 SSL_ERROR_WANT_READ))
4874 * This should fail with a -1 return because we have no callbacks
4877 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4880 /* Fatal error so abandon the connection from this client */
4881 SSL_free(clientssl);
4884 /* Set up the cookie generation and verification callbacks */
4885 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4886 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4889 * Create a new connection from the client (we can reuse the server SSL
4892 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4894 /* Send the first ClientHello */
4895 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4896 SSL_ERROR_WANT_READ))
4897 /* This should fail because there is no cookie */
4898 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4901 /* Abandon the connection from this client */
4902 SSL_free(clientssl);
4906 * Now create a connection from a new client but with the same server SSL
4909 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4911 /* Send the first ClientHello */
4912 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4913 SSL_ERROR_WANT_READ))
4914 /* This should fail because there is no cookie */
4915 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4916 /* Send the second ClientHello */
4917 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4918 SSL_ERROR_WANT_READ))
4919 /* This should succeed because a cookie is now present */
4920 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4921 /* Complete the connection */
4922 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4926 shutdown_ssl_connection(serverssl, clientssl);
4927 serverssl = clientssl = NULL;
4931 SSL_free(serverssl);
4932 SSL_free(clientssl);
4938 #endif /* OPENSSL_NO_TLS1_3 */
4940 static int clntaddoldcb = 0;
4941 static int clntparseoldcb = 0;
4942 static int srvaddoldcb = 0;
4943 static int srvparseoldcb = 0;
4944 static int clntaddnewcb = 0;
4945 static int clntparsenewcb = 0;
4946 static int srvaddnewcb = 0;
4947 static int srvparsenewcb = 0;
4948 static int snicb = 0;
4950 #define TEST_EXT_TYPE1 0xff00
4952 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4953 size_t *outlen, int *al, void *add_arg)
4955 int *server = (int *)add_arg;
4956 unsigned char *data;
4958 if (SSL_is_server(s))
4963 if (*server != SSL_is_server(s)
4964 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4969 *outlen = sizeof(char);
4973 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4976 OPENSSL_free((unsigned char *)out);
4979 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4980 size_t inlen, int *al, void *parse_arg)
4982 int *server = (int *)parse_arg;
4984 if (SSL_is_server(s))
4989 if (*server != SSL_is_server(s)
4990 || inlen != sizeof(char)
4997 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4998 const unsigned char **out, size_t *outlen, X509 *x,
4999 size_t chainidx, int *al, void *add_arg)
5001 int *server = (int *)add_arg;
5002 unsigned char *data;
5004 if (SSL_is_server(s))
5009 if (*server != SSL_is_server(s)
5010 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5015 *outlen = sizeof(*data);
5019 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5020 const unsigned char *out, void *add_arg)
5022 OPENSSL_free((unsigned char *)out);
5025 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5026 const unsigned char *in, size_t inlen, X509 *x,
5027 size_t chainidx, int *al, void *parse_arg)
5029 int *server = (int *)parse_arg;
5031 if (SSL_is_server(s))
5036 if (*server != SSL_is_server(s)
5037 || inlen != sizeof(char) || *in != 1)
5043 static int sni_cb(SSL *s, int *al, void *arg)
5045 SSL_CTX *ctx = (SSL_CTX *)arg;
5047 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5048 *al = SSL_AD_INTERNAL_ERROR;
5049 return SSL_TLSEXT_ERR_ALERT_FATAL;
5052 return SSL_TLSEXT_ERR_OK;
5056 * Custom call back tests.
5057 * Test 0: Old style callbacks in TLSv1.2
5058 * Test 1: New style callbacks in TLSv1.2
5059 * Test 2: New style callbacks in TLSv1.2 with SNI
5060 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5061 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5063 static int test_custom_exts(int tst)
5065 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5066 SSL *clientssl = NULL, *serverssl = NULL;
5068 static int server = 1;
5069 static int client = 0;
5070 SSL_SESSION *sess = NULL;
5071 unsigned int context;
5073 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5074 /* Skip tests for TLSv1.2 and below in this case */
5079 /* Reset callback counters */
5080 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5081 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5084 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5085 TLS_client_method(), TLS1_VERSION, 0,
5086 &sctx, &cctx, cert, privkey)))
5090 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5092 &sctx2, NULL, cert, privkey)))
5097 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5098 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5100 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5104 context = SSL_EXT_CLIENT_HELLO
5105 | SSL_EXT_TLS1_2_SERVER_HELLO
5106 | SSL_EXT_TLS1_3_SERVER_HELLO
5107 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5108 | SSL_EXT_TLS1_3_CERTIFICATE
5109 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5111 context = SSL_EXT_CLIENT_HELLO
5112 | SSL_EXT_TLS1_2_SERVER_HELLO
5113 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5116 /* Create a client side custom extension */
5118 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5119 old_add_cb, old_free_cb,
5120 &client, old_parse_cb,
5124 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5125 new_add_cb, new_free_cb,
5126 &client, new_parse_cb, &client)))
5130 /* Should not be able to add duplicates */
5131 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5132 old_add_cb, old_free_cb,
5133 &client, old_parse_cb,
5135 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5136 context, new_add_cb,
5137 new_free_cb, &client,
5138 new_parse_cb, &client)))
5141 /* Create a server side custom extension */
5143 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5144 old_add_cb, old_free_cb,
5145 &server, old_parse_cb,
5149 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5150 new_add_cb, new_free_cb,
5151 &server, new_parse_cb, &server)))
5154 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5155 context, new_add_cb,
5156 new_free_cb, &server,
5157 new_parse_cb, &server)))
5161 /* Should not be able to add duplicates */
5162 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5163 old_add_cb, old_free_cb,
5164 &server, old_parse_cb,
5166 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5167 context, new_add_cb,
5168 new_free_cb, &server,
5169 new_parse_cb, &server)))
5174 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5175 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5179 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5180 &clientssl, NULL, NULL))
5181 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5186 if (clntaddoldcb != 1
5187 || clntparseoldcb != 1
5189 || srvparseoldcb != 1)
5191 } else if (tst == 1 || tst == 2 || tst == 3) {
5192 if (clntaddnewcb != 1
5193 || clntparsenewcb != 1
5195 || srvparsenewcb != 1
5196 || (tst != 2 && snicb != 0)
5197 || (tst == 2 && snicb != 1))
5200 /* In this case there 2 NewSessionTicket messages created */
5201 if (clntaddnewcb != 1
5202 || clntparsenewcb != 5
5204 || srvparsenewcb != 1)
5208 sess = SSL_get1_session(clientssl);
5209 SSL_shutdown(clientssl);
5210 SSL_shutdown(serverssl);
5211 SSL_free(serverssl);
5212 SSL_free(clientssl);
5213 serverssl = clientssl = NULL;
5216 /* We don't bother with the resumption aspects for this test */
5221 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5223 || !TEST_true(SSL_set_session(clientssl, sess))
5224 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5229 * For a resumed session we expect to add the ClientHello extension. For the
5230 * old style callbacks we ignore it on the server side because they set
5231 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5235 if (clntaddoldcb != 2
5236 || clntparseoldcb != 1
5238 || srvparseoldcb != 1)
5240 } else if (tst == 1 || tst == 2 || tst == 3) {
5241 if (clntaddnewcb != 2
5242 || clntparsenewcb != 2
5244 || srvparsenewcb != 2)
5248 * No Certificate message extensions in the resumption handshake,
5249 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5251 if (clntaddnewcb != 2
5252 || clntparsenewcb != 8
5254 || srvparsenewcb != 2)
5261 SSL_SESSION_free(sess);
5262 SSL_free(serverssl);
5263 SSL_free(clientssl);
5264 SSL_CTX_free(sctx2);
5271 * Test loading of serverinfo data in various formats. test_sslmessages actually
5272 * tests to make sure the extensions appear in the handshake
5274 static int test_serverinfo(int tst)
5276 unsigned int version;
5277 unsigned char *sibuf;
5279 int ret, expected, testresult = 0;
5282 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5286 if ((tst & 0x01) == 0x01)
5287 version = SSL_SERVERINFOV2;
5289 version = SSL_SERVERINFOV1;
5291 if ((tst & 0x02) == 0x02) {
5292 sibuf = serverinfov2;
5293 sibuflen = sizeof(serverinfov2);
5294 expected = (version == SSL_SERVERINFOV2);
5296 sibuf = serverinfov1;
5297 sibuflen = sizeof(serverinfov1);
5298 expected = (version == SSL_SERVERINFOV1);
5301 if ((tst & 0x04) == 0x04) {
5302 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5304 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5307 * The version variable is irrelevant in this case - it's what is in the
5308 * buffer that matters
5310 if ((tst & 0x02) == 0x02)
5316 if (!TEST_true(ret == expected))
5328 * Test that SSL_export_keying_material() produces expected results. There are
5329 * no test vectors so all we do is test that both sides of the communication
5330 * produce the same results for different protocol versions.
5332 #define SMALL_LABEL_LEN 10
5333 #define LONG_LABEL_LEN 249
5334 static int test_export_key_mat(int tst)
5337 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5338 SSL *clientssl = NULL, *serverssl = NULL;
5339 const char label[LONG_LABEL_LEN + 1] = "test label";
5340 const unsigned char context[] = "context";
5341 const unsigned char *emptycontext = NULL;
5342 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5343 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5345 const int protocols[] = {
5354 #ifdef OPENSSL_NO_TLS1
5358 #ifdef OPENSSL_NO_TLS1_1
5362 if (is_fips && (tst == 0 || tst == 1))
5364 #ifdef OPENSSL_NO_TLS1_2
5368 #ifdef OPENSSL_NO_TLS1_3
5372 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5373 TLS_client_method(), TLS1_VERSION, 0,
5374 &sctx, &cctx, cert, privkey)))
5377 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5378 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5379 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5380 if ((protocols[tst] < TLS1_2_VERSION) &&
5381 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5382 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5390 * Premature call of SSL_export_keying_material should just fail.
5392 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5393 sizeof(ckeymat1), label,
5394 SMALL_LABEL_LEN + 1, context,
5395 sizeof(context) - 1, 1), 0))
5398 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5404 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5407 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5408 sizeof(ckeymat1), label,
5409 LONG_LABEL_LEN + 1, context,
5410 sizeof(context) - 1, 1), 0))
5415 } else if (tst == 4) {
5416 labellen = LONG_LABEL_LEN;
5418 labellen = SMALL_LABEL_LEN;
5421 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5422 sizeof(ckeymat1), label,
5424 sizeof(context) - 1, 1), 1)
5425 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5426 sizeof(ckeymat2), label,
5430 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5431 sizeof(ckeymat3), label,
5434 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5435 sizeof(skeymat1), label,
5438 sizeof(context) -1, 1),
5440 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5441 sizeof(skeymat2), label,
5445 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5446 sizeof(skeymat3), label,
5450 * Check that both sides created the same key material with the
5453 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5456 * Check that both sides created the same key material with an
5459 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5462 * Check that both sides created the same key material without a
5465 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5467 /* Different contexts should produce different results */
5468 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5473 * Check that an empty context and no context produce different results in
5474 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5476 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5478 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5485 SSL_free(serverssl);
5486 SSL_free(clientssl);
5487 SSL_CTX_free(sctx2);
5494 #ifndef OPENSSL_NO_TLS1_3
5496 * Test that SSL_export_keying_material_early() produces expected
5497 * results. There are no test vectors so all we do is test that both
5498 * sides of the communication produce the same results for different
5499 * protocol versions.
5501 static int test_export_key_mat_early(int idx)
5503 static const char label[] = "test label";
5504 static const unsigned char context[] = "context";
5506 SSL_CTX *cctx = NULL, *sctx = NULL;
5507 SSL *clientssl = NULL, *serverssl = NULL;
5508 SSL_SESSION *sess = NULL;
5509 const unsigned char *emptycontext = NULL;
5510 unsigned char ckeymat1[80], ckeymat2[80];
5511 unsigned char skeymat1[80], skeymat2[80];
5512 unsigned char buf[1];
5513 size_t readbytes, written;
5515 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5519 /* Here writing 0 length early data is enough. */
5520 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5521 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5523 SSL_READ_EARLY_DATA_ERROR)
5524 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5525 SSL_EARLY_DATA_ACCEPTED))
5528 if (!TEST_int_eq(SSL_export_keying_material_early(
5529 clientssl, ckeymat1, sizeof(ckeymat1), label,
5530 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5531 || !TEST_int_eq(SSL_export_keying_material_early(
5532 clientssl, ckeymat2, sizeof(ckeymat2), label,
5533 sizeof(label) - 1, emptycontext, 0), 1)
5534 || !TEST_int_eq(SSL_export_keying_material_early(
5535 serverssl, skeymat1, sizeof(skeymat1), label,
5536 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5537 || !TEST_int_eq(SSL_export_keying_material_early(
5538 serverssl, skeymat2, sizeof(skeymat2), label,
5539 sizeof(label) - 1, emptycontext, 0), 1)
5541 * Check that both sides created the same key material with the
5544 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5547 * Check that both sides created the same key material with an
5550 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5552 /* Different contexts should produce different results */
5553 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5560 SSL_SESSION_free(sess);
5561 SSL_SESSION_free(clientpsk);
5562 SSL_SESSION_free(serverpsk);
5563 clientpsk = serverpsk = NULL;
5564 SSL_free(serverssl);
5565 SSL_free(clientssl);
5572 #define NUM_KEY_UPDATE_MESSAGES 40
5576 static int test_key_update(void)
5578 SSL_CTX *cctx = NULL, *sctx = NULL;
5579 SSL *clientssl = NULL, *serverssl = NULL;
5580 int testresult = 0, i, j;
5582 static char *mess = "A test message";
5584 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5585 TLS_client_method(),
5588 &sctx, &cctx, cert, privkey))
5589 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5591 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5595 for (j = 0; j < 2; j++) {
5596 /* Send lots of KeyUpdate messages */
5597 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5598 if (!TEST_true(SSL_key_update(clientssl,
5600 ? SSL_KEY_UPDATE_NOT_REQUESTED
5601 : SSL_KEY_UPDATE_REQUESTED))
5602 || !TEST_true(SSL_do_handshake(clientssl)))
5606 /* Check that sending and receiving app data is ok */
5607 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5608 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5612 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5613 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5621 SSL_free(serverssl);
5622 SSL_free(clientssl);
5630 * Test we can handle a KeyUpdate (update requested) message while write data
5632 * Test 0: Client sends KeyUpdate while Server is writing
5633 * Test 1: Server sends KeyUpdate while Client is writing
5635 static int test_key_update_in_write(int tst)
5637 SSL_CTX *cctx = NULL, *sctx = NULL;
5638 SSL *clientssl = NULL, *serverssl = NULL;
5641 static char *mess = "A test message";
5642 BIO *bretry = BIO_new(bio_s_always_retry());
5644 SSL *peerupdate = NULL, *peerwrite = NULL;
5646 if (!TEST_ptr(bretry)
5647 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5648 TLS_client_method(),
5651 &sctx, &cctx, cert, privkey))
5652 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5654 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5658 peerupdate = tst == 0 ? clientssl : serverssl;
5659 peerwrite = tst == 0 ? serverssl : clientssl;
5661 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5662 || !TEST_true(SSL_do_handshake(peerupdate)))
5665 /* Swap the writing endpoint's write BIO to force a retry */
5666 tmp = SSL_get_wbio(peerwrite);
5667 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5671 SSL_set0_wbio(peerwrite, bretry);
5674 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5675 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5676 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5679 /* Reinstate the original writing endpoint's write BIO */
5680 SSL_set0_wbio(peerwrite, tmp);
5683 /* Now read some data - we will read the key update */
5684 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5685 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5689 * Complete the write we started previously and read it from the other
5692 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5693 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5696 /* Write more data to ensure we send the KeyUpdate message back */
5697 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5698 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5704 SSL_free(serverssl);
5705 SSL_free(clientssl);
5713 #endif /* OPENSSL_NO_TLS1_3 */
5715 static int test_ssl_clear(int idx)
5717 SSL_CTX *cctx = NULL, *sctx = NULL;
5718 SSL *clientssl = NULL, *serverssl = NULL;
5721 #ifdef OPENSSL_NO_TLS1_2
5726 /* Create an initial connection */
5727 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5728 TLS_client_method(), TLS1_VERSION, 0,
5729 &sctx, &cctx, cert, privkey))
5731 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5733 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5734 &clientssl, NULL, NULL))
5735 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5739 SSL_shutdown(clientssl);
5740 SSL_shutdown(serverssl);
5741 SSL_free(serverssl);
5744 /* Clear clientssl - we're going to reuse the object */
5745 if (!TEST_true(SSL_clear(clientssl)))
5748 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5750 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5752 || !TEST_true(SSL_session_reused(clientssl)))
5755 SSL_shutdown(clientssl);
5756 SSL_shutdown(serverssl);
5761 SSL_free(serverssl);
5762 SSL_free(clientssl);
5769 /* Parse CH and retrieve any MFL extension value if present */
5770 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5773 unsigned char *data;
5774 PACKET pkt, pkt2, pkt3;
5775 unsigned int MFL_code = 0, type = 0;
5777 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5780 memset(&pkt, 0, sizeof(pkt));
5781 memset(&pkt2, 0, sizeof(pkt2));
5782 memset(&pkt3, 0, sizeof(pkt3));
5784 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5785 /* Skip the record header */
5786 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5787 /* Skip the handshake message header */
5788 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5789 /* Skip client version and random */
5790 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5791 + SSL3_RANDOM_SIZE))
5792 /* Skip session id */
5793 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5795 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5796 /* Skip compression */
5797 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5798 /* Extensions len */
5799 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5802 /* Loop through all extensions */
5803 while (PACKET_remaining(&pkt2)) {
5804 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5805 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5808 if (type == TLSEXT_TYPE_max_fragment_length) {
5809 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5810 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5813 *mfl_codemfl_code = MFL_code;
5822 /* Maximum-Fragment-Length TLS extension mode to test */
5823 static const unsigned char max_fragment_len_test[] = {
5824 TLSEXT_max_fragment_length_512,
5825 TLSEXT_max_fragment_length_1024,
5826 TLSEXT_max_fragment_length_2048,
5827 TLSEXT_max_fragment_length_4096
5830 static int test_max_fragment_len_ext(int idx_tst)
5834 int testresult = 0, MFL_mode = 0;
5837 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5841 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5842 ctx, max_fragment_len_test[idx_tst])))
5849 rbio = BIO_new(BIO_s_mem());
5850 wbio = BIO_new(BIO_s_mem());
5851 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5857 SSL_set_bio(con, rbio, wbio);
5858 SSL_set_connect_state(con);
5860 if (!TEST_int_le(SSL_connect(con), 0)) {
5861 /* This shouldn't succeed because we don't have a server! */
5865 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5866 /* no MFL in client hello */
5868 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5880 #ifndef OPENSSL_NO_TLS1_3
5881 static int test_pha_key_update(void)
5883 SSL_CTX *cctx = NULL, *sctx = NULL;
5884 SSL *clientssl = NULL, *serverssl = NULL;
5887 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5888 TLS_client_method(), TLS1_VERSION, 0,
5889 &sctx, &cctx, cert, privkey)))
5892 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5893 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5894 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5895 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5898 SSL_CTX_set_post_handshake_auth(cctx, 1);
5900 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5904 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5908 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5909 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5912 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5915 /* Start handshake on the server */
5916 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5919 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5920 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5924 SSL_shutdown(clientssl);
5925 SSL_shutdown(serverssl);
5930 SSL_free(serverssl);
5931 SSL_free(clientssl);
5938 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5940 static SRP_VBASE *vbase = NULL;
5942 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5944 int ret = SSL3_AL_FATAL;
5946 SRP_user_pwd *user = NULL;
5948 username = SSL_get_srp_username(s);
5949 if (username == NULL) {
5950 *ad = SSL_AD_INTERNAL_ERROR;
5954 user = SRP_VBASE_get1_by_user(vbase, username);
5956 *ad = SSL_AD_INTERNAL_ERROR;
5960 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5962 *ad = SSL_AD_INTERNAL_ERROR;
5969 SRP_user_pwd_free(user);
5973 static int create_new_vfile(char *userid, char *password, const char *filename)
5976 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5979 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5982 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5985 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5986 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
5987 if (!TEST_ptr(gNid))
5991 * The only way to create an empty TXT_DB is to provide a BIO with no data
5994 db = TXT_DB_read(dummy, DB_NUMBER);
5998 out = BIO_new_file(filename, "w");
6002 row[DB_srpid] = OPENSSL_strdup(userid);
6003 row[DB_srptype] = OPENSSL_strdup("V");
6004 row[DB_srpgN] = OPENSSL_strdup(gNid);
6006 if (!TEST_ptr(row[DB_srpid])
6007 || !TEST_ptr(row[DB_srptype])
6008 || !TEST_ptr(row[DB_srpgN])
6009 || !TEST_true(TXT_DB_insert(db, row)))
6014 if (!TXT_DB_write(out, db))
6020 for (i = 0; i < DB_NUMBER; i++)
6021 OPENSSL_free(row[i]);
6031 static int create_new_vbase(char *userid, char *password)
6033 BIGNUM *verifier = NULL, *salt = NULL;
6034 const SRP_gN *lgN = NULL;
6035 SRP_user_pwd *user_pwd = NULL;
6038 lgN = SRP_get_default_gN(NULL);
6042 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6043 lgN->N, lgN->g, libctx, NULL)))
6046 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6047 if (!TEST_ptr(user_pwd))
6050 user_pwd->N = lgN->N;
6051 user_pwd->g = lgN->g;
6052 user_pwd->id = OPENSSL_strdup(userid);
6053 if (!TEST_ptr(user_pwd->id))
6056 user_pwd->v = verifier;
6058 verifier = salt = NULL;
6060 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6066 SRP_user_pwd_free(user_pwd);
6076 * Test 0: Simple successful SRP connection, new vbase
6077 * Test 1: Connection failure due to bad password, new vbase
6078 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6079 * Test 3: Connection failure due to bad password, vbase loaded from existing
6081 * Test 4: Simple successful SRP connection, vbase loaded from new file
6082 * Test 5: Connection failure due to bad password, vbase loaded from new file
6084 static int test_srp(int tst)
6086 char *userid = "test", *password = "password", *tstsrpfile;
6087 SSL_CTX *cctx = NULL, *sctx = NULL;
6088 SSL *clientssl = NULL, *serverssl = NULL;
6089 int ret, testresult = 0;
6091 vbase = SRP_VBASE_new(NULL);
6092 if (!TEST_ptr(vbase))
6095 if (tst == 0 || tst == 1) {
6096 if (!TEST_true(create_new_vbase(userid, password)))
6099 if (tst == 4 || tst == 5) {
6100 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6102 tstsrpfile = tmpfilename;
6104 tstsrpfile = srpvfile;
6106 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6110 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6111 TLS_client_method(), TLS1_VERSION, 0,
6112 &sctx, &cctx, cert, privkey)))
6115 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6116 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6117 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6118 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6119 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6123 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6126 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6130 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6134 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6136 if (!TEST_true(tst % 2 == 0))
6139 if (!TEST_true(tst % 2 == 1))
6146 SRP_VBASE_free(vbase);
6148 SSL_free(serverssl);
6149 SSL_free(clientssl);
6157 static int info_cb_failed = 0;
6158 static int info_cb_offset = 0;
6159 static int info_cb_this_state = -1;
6161 static struct info_cb_states_st {
6163 const char *statestr;
6164 } info_cb_states[][60] = {
6166 /* TLSv1.2 server followed by resumption */
6167 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6168 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6169 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6170 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6171 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6172 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6173 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6174 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6175 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6176 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6177 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6178 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6179 {SSL_CB_EXIT, NULL}, {0, NULL},
6181 /* TLSv1.2 client followed by resumption */
6182 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6183 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6184 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6185 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6186 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6187 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6188 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6189 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6190 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6191 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6192 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6193 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6195 /* TLSv1.3 server followed by resumption */
6196 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6197 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6198 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6199 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6200 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6201 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6202 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6203 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6204 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6205 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6206 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6207 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6208 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6210 /* TLSv1.3 client followed by resumption */
6211 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6212 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6213 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6214 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6215 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6216 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6217 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6218 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6219 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6220 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6221 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6222 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6223 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6224 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6225 {SSL_CB_EXIT, NULL}, {0, NULL},
6227 /* TLSv1.3 server, early_data */
6228 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6229 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6230 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6231 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6232 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6233 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6234 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6235 {SSL_CB_EXIT, NULL}, {0, NULL},
6237 /* TLSv1.3 client, early_data */
6238 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6239 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6240 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6241 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6242 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6243 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6244 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6245 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6246 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6252 static void sslapi_info_callback(const SSL *s, int where, int ret)
6254 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6256 /* We do not ever expect a connection to fail in this test */
6257 if (!TEST_false(ret == 0)) {
6263 * Do some sanity checks. We never expect these things to happen in this
6266 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6267 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6268 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6273 /* Now check we're in the right state */
6274 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6278 if ((where & SSL_CB_LOOP) != 0
6279 && !TEST_int_eq(strcmp(SSL_state_string(s),
6280 state[info_cb_this_state].statestr), 0)) {
6286 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6288 if ((where & SSL_CB_HANDSHAKE_DONE)
6289 && SSL_in_init((SSL *)s) != 0) {
6296 * Test the info callback gets called when we expect it to.
6298 * Test 0: TLSv1.2, server
6299 * Test 1: TLSv1.2, client
6300 * Test 2: TLSv1.3, server
6301 * Test 3: TLSv1.3, client
6302 * Test 4: TLSv1.3, server, early_data
6303 * Test 5: TLSv1.3, client, early_data
6305 static int test_info_callback(int tst)
6307 SSL_CTX *cctx = NULL, *sctx = NULL;
6308 SSL *clientssl = NULL, *serverssl = NULL;
6309 SSL_SESSION *clntsess = NULL;
6314 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6315 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6316 || !defined(OPENSSL_NO_DH))
6317 tlsvers = TLS1_2_VERSION;
6322 #ifndef OPENSSL_NO_TLS1_3
6323 tlsvers = TLS1_3_VERSION;
6331 info_cb_this_state = -1;
6332 info_cb_offset = tst;
6334 #ifndef OPENSSL_NO_TLS1_3
6336 SSL_SESSION *sess = NULL;
6337 size_t written, readbytes;
6338 unsigned char buf[80];
6340 /* early_data tests */
6341 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6342 &serverssl, &sess, 0)))
6345 /* We don't actually need this reference */
6346 SSL_SESSION_free(sess);
6348 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6349 sslapi_info_callback);
6351 /* Write and read some early data and then complete the connection */
6352 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6354 || !TEST_size_t_eq(written, strlen(MSG1))
6355 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6356 sizeof(buf), &readbytes),
6357 SSL_READ_EARLY_DATA_SUCCESS)
6358 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6359 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6360 SSL_EARLY_DATA_ACCEPTED)
6361 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6363 || !TEST_false(info_cb_failed))
6371 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6372 TLS_client_method(),
6373 tlsvers, tlsvers, &sctx, &cctx, cert,
6378 * For even numbered tests we check the server callbacks. For odd numbers we
6381 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6382 sslapi_info_callback);
6384 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6385 &clientssl, NULL, NULL))
6386 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6388 || !TEST_false(info_cb_failed))
6393 clntsess = SSL_get1_session(clientssl);
6394 SSL_shutdown(clientssl);
6395 SSL_shutdown(serverssl);
6396 SSL_free(serverssl);
6397 SSL_free(clientssl);
6398 serverssl = clientssl = NULL;
6400 /* Now do a resumption */
6401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6403 || !TEST_true(SSL_set_session(clientssl, clntsess))
6404 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6406 || !TEST_true(SSL_session_reused(clientssl))
6407 || !TEST_false(info_cb_failed))
6413 SSL_free(serverssl);
6414 SSL_free(clientssl);
6415 SSL_SESSION_free(clntsess);
6421 static int test_ssl_pending(int tst)
6423 SSL_CTX *cctx = NULL, *sctx = NULL;
6424 SSL *clientssl = NULL, *serverssl = NULL;
6426 char msg[] = "A test message";
6428 size_t written, readbytes;
6431 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6432 TLS_client_method(),
6434 &sctx, &cctx, cert, privkey)))
6437 #ifndef OPENSSL_NO_DTLS
6438 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6439 DTLS_client_method(),
6441 &sctx, &cctx, cert, privkey)))
6448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6454 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6455 || !TEST_false(SSL_has_pending(clientssl))
6456 || !TEST_int_eq(SSL_pending(serverssl), 0)
6457 || !TEST_false(SSL_has_pending(serverssl))
6458 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6459 || !TEST_size_t_eq(written, sizeof(msg))
6460 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6461 || !TEST_size_t_eq(readbytes, sizeof(buf))
6462 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6463 || !TEST_true(SSL_has_pending(clientssl)))
6469 SSL_free(serverssl);
6470 SSL_free(clientssl);
6478 unsigned int maxprot;
6479 const char *clntciphers;
6480 const char *clnttls13ciphers;
6481 const char *srvrciphers;
6482 const char *srvrtls13ciphers;
6484 const char *fipsshared;
6485 } shared_ciphers_data[] = {
6487 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6488 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6490 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6493 "AES128-SHA:AES256-SHA",
6495 "AES256-SHA:DHE-RSA-AES128-SHA",
6500 # if !defined(OPENSSL_NO_CHACHA) \
6501 && !defined(OPENSSL_NO_POLY1305) \
6502 && !defined(OPENSSL_NO_EC)
6505 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6507 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6509 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6515 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6517 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6519 "AES128-SHA:AES256-SHA",
6520 "AES128-SHA:AES256-SHA"
6524 "AES128-SHA:AES256-SHA",
6526 "AES128-SHA:DHE-RSA-AES128-SHA",
6533 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6536 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6537 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6540 "AES128-SHA:AES256-SHA",
6542 "AES256-SHA:AES128-SHA256",
6544 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6545 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6546 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6549 #ifndef OPENSSL_NO_TLS1_3
6553 "TLS_AES_256_GCM_SHA384",
6555 "TLS_AES_256_GCM_SHA384",
6556 "TLS_AES_256_GCM_SHA384",
6557 "TLS_AES_256_GCM_SHA384"
6562 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6564 SSL_CTX *cctx = NULL, *sctx = NULL;
6565 SSL *clientssl = NULL, *serverssl = NULL;
6568 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6570 if (!TEST_ptr(tmplibctx))
6574 * Regardless of whether we're testing with the FIPS provider loaded into
6575 * libctx, we want one peer to always use the full set of ciphersuites
6576 * available. Therefore we use a separate libctx with the default provider
6577 * loaded into it. We run the same tests twice - once with the client side
6578 * having the full set of ciphersuites and once with the server side.
6581 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6582 if (!TEST_ptr(cctx))
6585 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6586 if (!TEST_ptr(sctx))
6590 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6591 TLS_client_method(),
6593 shared_ciphers_data[tst].maxprot,
6594 &sctx, &cctx, cert, privkey)))
6597 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6598 shared_ciphers_data[tst].clntciphers))
6599 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6600 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6601 shared_ciphers_data[tst].clnttls13ciphers)))
6602 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6603 shared_ciphers_data[tst].srvrciphers))
6604 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6605 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6606 shared_ciphers_data[tst].srvrtls13ciphers))))
6610 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6612 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6616 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6617 || !TEST_int_eq(strcmp(buf,
6619 ? shared_ciphers_data[tst].fipsshared
6620 : shared_ciphers_data[tst].shared),
6622 TEST_info("Shared ciphers are: %s\n", buf);
6629 SSL_free(serverssl);
6630 SSL_free(clientssl);
6633 OPENSSL_CTX_free(tmplibctx);
6638 static int test_ssl_get_shared_ciphers(int tst)
6640 return int_test_ssl_get_shared_ciphers(tst, 0)
6641 && int_test_ssl_get_shared_ciphers(tst, 1);
6645 static const char *appdata = "Hello World";
6646 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6647 static int tick_key_renew = 0;
6648 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6650 static int gen_tick_cb(SSL *s, void *arg)
6652 gen_tick_called = 1;
6654 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6658 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6659 const unsigned char *keyname,
6660 size_t keyname_length,
6661 SSL_TICKET_STATUS status,
6667 dec_tick_called = 1;
6669 if (status == SSL_TICKET_EMPTY)
6670 return SSL_TICKET_RETURN_IGNORE_RENEW;
6672 if (!TEST_true(status == SSL_TICKET_SUCCESS
6673 || status == SSL_TICKET_SUCCESS_RENEW))
6674 return SSL_TICKET_RETURN_ABORT;
6676 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6678 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6679 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6680 return SSL_TICKET_RETURN_ABORT;
6682 if (tick_key_cb_called) {
6683 /* Don't change what the ticket key callback wanted to do */
6685 case SSL_TICKET_NO_DECRYPT:
6686 return SSL_TICKET_RETURN_IGNORE_RENEW;
6688 case SSL_TICKET_SUCCESS:
6689 return SSL_TICKET_RETURN_USE;
6691 case SSL_TICKET_SUCCESS_RENEW:
6692 return SSL_TICKET_RETURN_USE_RENEW;
6695 return SSL_TICKET_RETURN_ABORT;
6698 return tick_dec_ret;
6702 #ifndef OPENSSL_NO_DEPRECATED_3_0
6703 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6704 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6705 HMAC_CTX *hctx, int enc)
6707 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6708 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6709 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6710 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6713 tick_key_cb_called = 1;
6714 memset(iv, 0, AES_BLOCK_SIZE);
6715 memset(key_name, 0, 16);
6716 if (aes128cbc == NULL
6718 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6719 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6723 ret = tick_key_renew ? 2 : 1;
6725 EVP_CIPHER_free(aes128cbc);
6726 EVP_MD_free(sha256);
6732 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6733 unsigned char iv[EVP_MAX_IV_LENGTH],
6734 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6736 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6737 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6738 OSSL_PARAM params[3];
6739 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6742 tick_key_cb_called = 1;
6743 memset(iv, 0, AES_BLOCK_SIZE);
6744 memset(key_name, 0, 16);
6745 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6747 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6749 sizeof(tick_hmac_key));
6750 params[2] = OSSL_PARAM_construct_end();
6751 if (aes128cbc == NULL
6752 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6753 || !EVP_MAC_CTX_set_params(hctx, params)
6754 || !EVP_MAC_init(hctx))
6757 ret = tick_key_renew ? 2 : 1;
6759 EVP_CIPHER_free(aes128cbc);
6765 * Test the various ticket callbacks
6766 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6767 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6768 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6769 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6770 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6771 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6772 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6773 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6774 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6775 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6776 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6777 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6778 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6779 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6780 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6781 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6783 static int test_ticket_callbacks(int tst)
6785 SSL_CTX *cctx = NULL, *sctx = NULL;
6786 SSL *clientssl = NULL, *serverssl = NULL;
6787 SSL_SESSION *clntsess = NULL;
6790 #ifdef OPENSSL_NO_TLS1_2
6794 #ifdef OPENSSL_NO_TLS1_3
6798 #ifdef OPENSSL_NO_DEPRECATED_3_0
6799 if (tst >= 8 && tst <= 11)
6803 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6805 /* Which tests the ticket key callback should request renewal for */
6806 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6811 /* Which tests the decrypt ticket callback should request renewal for */
6815 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6820 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6825 tick_dec_ret = SSL_TICKET_RETURN_USE;
6830 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6834 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6837 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6838 TLS_client_method(),
6840 ((tst % 2) == 0) ? TLS1_2_VERSION
6842 &sctx, &cctx, cert, privkey)))
6846 * We only want sessions to resume from tickets - not the session cache. So
6847 * switch the cache off.
6849 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6852 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6857 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6859 #ifndef OPENSSL_NO_DEPRECATED_3_0
6860 } else if (tst >= 8) {
6861 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6866 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6868 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6873 * The decrypt ticket key callback in TLSv1.2 should be called even though
6874 * we have no ticket yet, because it gets called with a status of
6875 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6876 * actually send any ticket data). This does not happen in TLSv1.3 because
6877 * it is not valid to send empty ticket data in TLSv1.3.
6879 if (!TEST_int_eq(gen_tick_called, 1)
6880 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6883 gen_tick_called = dec_tick_called = 0;
6885 clntsess = SSL_get1_session(clientssl);
6886 SSL_shutdown(clientssl);
6887 SSL_shutdown(serverssl);
6888 SSL_free(serverssl);
6889 SSL_free(clientssl);
6890 serverssl = clientssl = NULL;
6892 /* Now do a resumption */
6893 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6895 || !TEST_true(SSL_set_session(clientssl, clntsess))
6896 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6900 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6901 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6902 if (!TEST_false(SSL_session_reused(clientssl)))
6905 if (!TEST_true(SSL_session_reused(clientssl)))
6909 if (!TEST_int_eq(gen_tick_called,
6911 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6912 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6914 || !TEST_int_eq(dec_tick_called, 1))
6920 SSL_SESSION_free(clntsess);
6921 SSL_free(serverssl);
6922 SSL_free(clientssl);
6930 * Test incorrect shutdown.
6931 * Test 0: client does not shutdown properly,
6932 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
6933 * server should get SSL_ERROR_SSL
6934 * Test 1: client does not shutdown properly,
6935 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
6936 * server should get SSL_ERROR_ZERO_RETURN
6938 static int test_incorrect_shutdown(int tst)
6940 SSL_CTX *cctx = NULL, *sctx = NULL;
6941 SSL *clientssl = NULL, *serverssl = NULL;
6946 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6947 TLS_client_method(), 0, 0,
6948 &sctx, &cctx, cert, privkey)))
6952 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
6954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6958 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6962 c2s = SSL_get_rbio(serverssl);
6963 BIO_set_mem_eof_return(c2s, 0);
6965 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
6968 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
6970 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
6976 SSL_free(serverssl);
6977 SSL_free(clientssl);
6985 * Test bi-directional shutdown.
6987 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6988 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6989 * Test 3: TLSv1.3, pending NewSessionTicket messages
6990 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6991 * sends key update, client reads it
6992 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6993 * sends CertificateRequest, client reads and ignores it
6994 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6997 static int test_shutdown(int tst)
6999 SSL_CTX *cctx = NULL, *sctx = NULL;
7000 SSL *clientssl = NULL, *serverssl = NULL;
7002 char msg[] = "A test message";
7004 size_t written, readbytes;
7007 #ifdef OPENSSL_NO_TLS1_2
7011 #ifdef OPENSSL_NO_TLS1_3
7016 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7017 TLS_client_method(),
7019 (tst <= 1) ? TLS1_2_VERSION
7021 &sctx, &cctx, cert, privkey)))
7025 SSL_CTX_set_post_handshake_auth(cctx, 1);
7027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7032 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7034 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7035 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7037 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7039 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7040 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7044 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7049 * Reading on the server after the client has sent close_notify should
7050 * fail and provide SSL_ERROR_ZERO_RETURN
7052 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7053 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7054 SSL_ERROR_ZERO_RETURN)
7055 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7056 SSL_RECEIVED_SHUTDOWN)
7058 * Even though we're shutdown on receive we should still be
7061 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7064 && !TEST_true(SSL_key_update(serverssl,
7065 SSL_KEY_UPDATE_REQUESTED)))
7068 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7069 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7072 if ((tst == 4 || tst == 5)
7073 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7075 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7077 if (tst == 4 || tst == 5) {
7078 /* Should still be able to read data from server */
7079 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7081 || !TEST_size_t_eq(readbytes, sizeof(msg))
7082 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7083 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7085 || !TEST_size_t_eq(readbytes, sizeof(msg))
7086 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7091 /* Writing on the client after sending close_notify shouldn't be possible */
7092 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7097 * For these tests the client has sent close_notify but it has not yet
7098 * been received by the server. The server has not sent close_notify
7101 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7103 * Writing on the server after sending close_notify shouldn't
7106 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7107 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7108 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7109 || !TEST_true(SSL_SESSION_is_resumable(sess))
7110 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7112 } else if (tst == 4 || tst == 5) {
7114 * In this test the client has sent close_notify and it has been
7115 * received by the server which has responded with a close_notify. The
7116 * client needs to read the close_notify sent by the server.
7118 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7119 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7120 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7126 * The client has sent close_notify and is expecting a close_notify
7127 * back, but instead there is application data first. The shutdown
7128 * should fail with a fatal error.
7130 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7131 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7138 SSL_free(serverssl);
7139 SSL_free(clientssl);
7146 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7147 static int cert_cb_cnt;
7149 static int cert_cb(SSL *s, void *arg)
7151 SSL_CTX *ctx = (SSL_CTX *)arg;
7153 EVP_PKEY *pkey = NULL;
7154 X509 *x509 = NULL, *rootx = NULL;
7155 STACK_OF(X509) *chain = NULL;
7156 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7159 if (cert_cb_cnt == 0) {
7160 /* Suspend the handshake */
7163 } else if (cert_cb_cnt == 1) {
7165 * Update the SSL_CTX, set the certificate and private key and then
7166 * continue the handshake normally.
7168 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7171 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7172 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7174 || !TEST_true(SSL_check_private_key(s)))
7178 } else if (cert_cb_cnt == 3) {
7181 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7182 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7183 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7184 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7186 chain = sk_X509_new_null();
7187 if (!TEST_ptr(chain))
7189 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7190 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7191 || !TEST_ptr(rootx = X509_new_with_libctx(libctx, NULL))
7192 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
7193 || !TEST_true(sk_X509_push(chain, rootx)))
7197 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7198 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7199 || !TEST_ptr(x509 = X509_new_with_libctx(libctx, NULL))
7200 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7203 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7204 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7205 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7209 rv = SSL_check_chain(s, x509, pkey, chain);
7211 * If the cert doesn't show as valid here (e.g., because we don't
7212 * have any shared sigalgs), then we will not set it, and there will
7213 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7214 * will cause tls_choose_sigalgs() to fail the connection.
7216 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7217 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7218 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7225 /* Abort the handshake */
7227 OPENSSL_free(ecdsacert);
7228 OPENSSL_free(ecdsakey);
7229 OPENSSL_free(rootfile);
7231 EVP_PKEY_free(pkey);
7234 sk_X509_pop_free(chain, X509_free);
7239 * Test the certificate callback.
7240 * Test 0: Callback fails
7241 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7242 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7243 * Test 3: Success - Call SSL_check_chain from the callback
7244 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7246 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7248 static int test_cert_cb_int(int prot, int tst)
7250 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7251 SSL *clientssl = NULL, *serverssl = NULL;
7252 int testresult = 0, ret;
7254 #ifdef OPENSSL_NO_EC
7255 /* We use an EC cert in these tests, so we skip in a no-ec build */
7260 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7261 TLS_client_method(),
7264 &sctx, &cctx, NULL, NULL)))
7275 snictx = SSL_CTX_new(TLS_server_method());
7276 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7278 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7284 * We cause SSL_check_chain() to fail by specifying sig_algs that
7285 * the chain doesn't meet (the root uses an RSA cert)
7287 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7288 "ecdsa_secp256r1_sha256")))
7290 } else if (tst == 5) {
7292 * We cause SSL_check_chain() to fail by specifying sig_algs that
7293 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7295 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7296 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7300 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7301 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7303 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7310 SSL_free(serverssl);
7311 SSL_free(clientssl);
7314 SSL_CTX_free(snictx);
7320 static int test_cert_cb(int tst)
7324 #ifndef OPENSSL_NO_TLS1_2
7325 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7327 #ifndef OPENSSL_NO_TLS1_3
7328 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7334 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7339 BIO *priv_in = NULL;
7341 /* Check that SSL_get0_peer_certificate() returns something sensible */
7342 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
7345 in = BIO_new_file(cert, "r");
7349 if (!TEST_ptr(xcert = X509_new_with_libctx(libctx, NULL))
7350 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7351 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
7352 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7370 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7375 static int test_client_cert_cb(int tst)
7377 SSL_CTX *cctx = NULL, *sctx = NULL;
7378 SSL *clientssl = NULL, *serverssl = NULL;
7381 #ifdef OPENSSL_NO_TLS1_2
7385 #ifdef OPENSSL_NO_TLS1_3
7390 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7391 TLS_client_method(),
7393 tst == 0 ? TLS1_2_VERSION
7395 &sctx, &cctx, cert, privkey)))
7399 * Test that setting a client_cert_cb results in a client certificate being
7402 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7403 SSL_CTX_set_verify(sctx,
7404 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7416 SSL_free(serverssl);
7417 SSL_free(clientssl);
7424 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7426 * Test setting certificate authorities on both client and server.
7428 * Test 0: SSL_CTX_set0_CA_list() only
7429 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7430 * Test 2: Only SSL_CTX_set_client_CA_list()
7432 static int test_ca_names_int(int prot, int tst)
7434 SSL_CTX *cctx = NULL, *sctx = NULL;
7435 SSL *clientssl = NULL, *serverssl = NULL;
7438 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7439 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7440 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7441 const STACK_OF(X509_NAME) *sktmp = NULL;
7443 for (i = 0; i < OSSL_NELEM(name); i++) {
7444 name[i] = X509_NAME_new();
7445 if (!TEST_ptr(name[i])
7446 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7454 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7455 TLS_client_method(),
7458 &sctx, &cctx, cert, privkey)))
7461 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7463 if (tst == 0 || tst == 1) {
7464 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7465 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7466 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7467 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7468 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7469 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7472 SSL_CTX_set0_CA_list(sctx, sk1);
7473 SSL_CTX_set0_CA_list(cctx, sk2);
7476 if (tst == 1 || tst == 2) {
7477 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7478 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7479 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7480 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7481 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7482 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7485 SSL_CTX_set_client_CA_list(sctx, sk1);
7486 SSL_CTX_set_client_CA_list(cctx, sk2);
7490 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7492 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7497 * We only expect certificate authorities to have been sent to the server
7498 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7500 sktmp = SSL_get0_peer_CA_list(serverssl);
7501 if (prot == TLS1_3_VERSION
7502 && (tst == 0 || tst == 1)) {
7503 if (!TEST_ptr(sktmp)
7504 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7505 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7507 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7510 } else if (!TEST_ptr_null(sktmp)) {
7515 * In all tests we expect certificate authorities to have been sent to the
7516 * client. However, SSL_set_client_CA_list() should override
7517 * SSL_set0_CA_list()
7519 sktmp = SSL_get0_peer_CA_list(clientssl);
7520 if (!TEST_ptr(sktmp)
7521 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7522 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7523 name[tst == 0 ? 0 : 2]), 0)
7524 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7525 name[tst == 0 ? 1 : 3]), 0))
7531 SSL_free(serverssl);
7532 SSL_free(clientssl);
7535 for (i = 0; i < OSSL_NELEM(name); i++)
7536 X509_NAME_free(name[i]);
7537 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7538 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7544 static int test_ca_names(int tst)
7548 #ifndef OPENSSL_NO_TLS1_2
7549 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7551 #ifndef OPENSSL_NO_TLS1_3
7552 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7558 #ifndef OPENSSL_NO_TLS1_2
7559 static const char *multiblock_cipherlist_data[]=
7567 /* Reduce the fragment size - so the multiblock test buffer can be small */
7568 # define MULTIBLOCK_FRAGSIZE 512
7570 static int test_multiblock_write(int test_index)
7572 static const char *fetchable_ciphers[]=
7574 "AES-128-CBC-HMAC-SHA1",
7575 "AES-128-CBC-HMAC-SHA256",
7576 "AES-256-CBC-HMAC-SHA1",
7577 "AES-256-CBC-HMAC-SHA256"
7579 const char *cipherlist = multiblock_cipherlist_data[test_index];
7580 const SSL_METHOD *smeth = TLS_server_method();
7581 const SSL_METHOD *cmeth = TLS_client_method();
7582 int min_version = TLS1_VERSION;
7583 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7584 SSL_CTX *cctx = NULL, *sctx = NULL;
7585 SSL *clientssl = NULL, *serverssl = NULL;
7589 * Choose a buffer large enough to perform a multi-block operation
7590 * i.e: write_len >= 4 * frag_size
7591 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7593 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7594 unsigned char buf[sizeof(msg)], *p = buf;
7595 size_t readbytes, written, len;
7596 EVP_CIPHER *ciph = NULL;
7599 * Check if the cipher exists before attempting to use it since it only has
7600 * a hardware specific implementation.
7602 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7604 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7607 EVP_CIPHER_free(ciph);
7609 /* Set up a buffer with some data that will be sent to the client */
7610 RAND_bytes(msg, sizeof(msg));
7612 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7613 max_version, &sctx, &cctx, cert,
7617 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7624 /* settings to force it to use AES-CBC-HMAC_SHA */
7625 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7626 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7629 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7632 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7633 || !TEST_size_t_eq(written, sizeof(msg)))
7638 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7643 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7648 SSL_free(serverssl);
7649 SSL_free(clientssl);
7655 #endif /* OPENSSL_NO_TLS1_2 */
7658 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7659 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7660 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7661 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7662 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7663 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7664 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7665 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7666 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7667 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7669 static int test_servername(int tst)
7671 SSL_CTX *cctx = NULL, *sctx = NULL;
7672 SSL *clientssl = NULL, *serverssl = NULL;
7674 SSL_SESSION *sess = NULL;
7675 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7677 #ifdef OPENSSL_NO_TLS1_2
7681 #ifdef OPENSSL_NO_TLS1_3
7686 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7687 TLS_client_method(),
7689 (tst <= 4) ? TLS1_2_VERSION
7691 &sctx, &cctx, cert, privkey))
7692 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7696 if (tst != 1 && tst != 6) {
7697 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7702 if (tst != 3 && tst != 8) {
7703 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7705 sexpectedhost = cexpectedhost = "goodhost";
7708 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7711 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7713 || !TEST_str_eq(SSL_get_servername(serverssl,
7714 TLSEXT_NAMETYPE_host_name),
7718 /* Now repeat with a resumption handshake */
7720 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7721 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7722 || !TEST_true(SSL_SESSION_is_resumable(sess))
7723 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7726 SSL_free(clientssl);
7727 SSL_free(serverssl);
7728 clientssl = serverssl = NULL;
7730 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7734 if (!TEST_true(SSL_set_session(clientssl, sess)))
7737 sexpectedhost = cexpectedhost = "goodhost";
7738 if (tst == 2 || tst == 7) {
7739 /* Set an inconsistent hostname */
7740 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7743 * In TLSv1.2 we expect the hostname from the original handshake, in
7744 * TLSv1.3 we expect the hostname from this handshake
7747 sexpectedhost = cexpectedhost = "altgoodhost";
7749 if (!TEST_str_eq(SSL_get_servername(clientssl,
7750 TLSEXT_NAMETYPE_host_name),
7753 } else if (tst == 4 || tst == 9) {
7755 * A TLSv1.3 session does not associate a session with a servername,
7756 * but a TLSv1.2 session does.
7759 sexpectedhost = cexpectedhost = NULL;
7761 if (!TEST_str_eq(SSL_get_servername(clientssl,
7762 TLSEXT_NAMETYPE_host_name),
7766 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7769 * In a TLSv1.2 resumption where the hostname was not acknowledged
7770 * we expect the hostname on the server to be empty. On the client we
7771 * return what was requested in this case.
7773 * Similarly if the client didn't set a hostname on an original TLSv1.2
7774 * session but is now, the server hostname will be empty, but the client
7777 if (tst == 1 || tst == 3)
7778 sexpectedhost = NULL;
7780 if (!TEST_str_eq(SSL_get_servername(clientssl,
7781 TLSEXT_NAMETYPE_host_name),
7786 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7789 if (!TEST_true(SSL_session_reused(clientssl))
7790 || !TEST_true(SSL_session_reused(serverssl))
7791 || !TEST_str_eq(SSL_get_servername(clientssl,
7792 TLSEXT_NAMETYPE_host_name),
7794 || !TEST_str_eq(SSL_get_servername(serverssl,
7795 TLSEXT_NAMETYPE_host_name),
7802 SSL_SESSION_free(sess);
7803 SSL_free(serverssl);
7804 SSL_free(clientssl);
7811 #ifndef OPENSSL_NO_EC
7813 * Test that if signature algorithms are not available, then we do not offer or
7815 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7816 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7817 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7818 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7819 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7820 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7822 static int test_sigalgs_available(int idx)
7824 SSL_CTX *cctx = NULL, *sctx = NULL;
7825 SSL *clientssl = NULL, *serverssl = NULL;
7827 OPENSSL_CTX *tmpctx = OPENSSL_CTX_new();
7828 OPENSSL_CTX *clientctx = libctx, *serverctx = libctx;
7829 OSSL_PROVIDER *filterprov = NULL;
7832 if (!TEST_ptr(tmpctx))
7835 if (idx != 0 && idx != 3) {
7836 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
7837 filter_provider_init)))
7840 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
7841 if (!TEST_ptr(filterprov))
7846 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
7847 * or accepted for the peer that uses this libctx. Note that libssl
7848 * *requires* SHA2-256 to be available so we cannot disable that. We
7849 * also need SHA1 for our certificate.
7851 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
7855 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
7857 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
7862 if (idx == 1 || idx == 4)
7868 cctx = SSL_CTX_new_with_libctx(clientctx, NULL, TLS_client_method());
7869 sctx = SSL_CTX_new_with_libctx(serverctx, NULL, TLS_server_method());
7870 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
7873 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7874 TLS_client_method(),
7877 &sctx, &cctx, cert, privkey)))
7881 if (!SSL_CTX_set1_sigalgs_list(cctx,
7882 "rsa_pss_rsae_sha384"
7883 ":rsa_pss_rsae_sha256")
7884 || !SSL_CTX_set1_sigalgs_list(sctx,
7885 "rsa_pss_rsae_sha384"
7886 ":rsa_pss_rsae_sha256"))
7889 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
7890 || !SSL_CTX_set1_sigalgs_list(sctx,
7891 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
7895 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
7896 SSL_FILETYPE_PEM), 1)
7897 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
7899 SSL_FILETYPE_PEM), 1)
7900 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
7903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7907 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7910 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
7911 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
7913 (idx == 0 || idx == 3) ? 2 : 1))
7916 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
7919 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
7926 SSL_free(serverssl);
7927 SSL_free(clientssl);
7930 OSSL_PROVIDER_unload(filterprov);
7931 OPENSSL_CTX_free(tmpctx);
7935 #endif /* OPENSSL_NO_EC */
7937 #ifndef OPENSSL_NO_TLS1_3
7938 static int test_pluggable_group(void)
7940 SSL_CTX *cctx = NULL, *sctx = NULL;
7941 SSL *clientssl = NULL, *serverssl = NULL;
7943 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
7944 /* Check that we are not impacted by a provider without any groups */
7945 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
7947 if (!TEST_ptr(tlsprov) || !TEST_ptr(legacyprov))
7950 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7951 TLS_client_method(),
7954 &sctx, &cctx, cert, privkey))
7955 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7959 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
7960 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
7963 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7969 SSL_free(serverssl);
7970 SSL_free(clientssl);
7973 OSSL_PROVIDER_unload(tlsprov);
7974 OSSL_PROVIDER_unload(legacyprov);
7980 #ifndef OPENSSL_NO_TLS1_2
7981 static int test_ssl_dup(void)
7983 SSL_CTX *cctx = NULL, *sctx = NULL;
7984 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
7986 BIO *rbio = NULL, *wbio = NULL;
7988 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7989 TLS_client_method(),
7992 &sctx, &cctx, cert, privkey)))
7995 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7999 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8000 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8003 client2ssl = SSL_dup(clientssl);
8004 rbio = SSL_get_rbio(clientssl);
8006 || !TEST_true(BIO_up_ref(rbio)))
8008 SSL_set0_rbio(client2ssl, rbio);
8011 wbio = SSL_get_wbio(clientssl);
8012 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8014 SSL_set0_wbio(client2ssl, wbio);
8017 if (!TEST_ptr(client2ssl)
8018 /* Handshake not started so pointers should be different */
8019 || !TEST_ptr_ne(clientssl, client2ssl))
8022 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8023 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8026 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8029 SSL_free(clientssl);
8030 clientssl = SSL_dup(client2ssl);
8031 if (!TEST_ptr(clientssl)
8032 /* Handshake has finished so pointers should be the same */
8033 || !TEST_ptr_eq(clientssl, client2ssl))
8039 SSL_free(serverssl);
8040 SSL_free(clientssl);
8041 SSL_free(client2ssl);
8049 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
8051 int setup_tests(void)
8056 libctx = OPENSSL_CTX_new();
8057 if (!TEST_ptr(libctx))
8060 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8063 * Verify that the default and fips providers in the default libctx are not
8066 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8067 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8070 if (!test_skip_common_options()) {
8071 TEST_error("Error parsing test options\n");
8075 if (!TEST_ptr(certsdir = test_get_argument(0))
8076 || !TEST_ptr(srpvfile = test_get_argument(1))
8077 || !TEST_ptr(tmpfilename = test_get_argument(2))
8078 || !TEST_ptr(modulename = test_get_argument(3))
8079 || !TEST_ptr(configfile = test_get_argument(4)))
8082 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
8085 /* Check we have the expected provider available */
8086 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8089 /* Check the default provider is not available */
8090 if (strcmp(modulename, "default") != 0
8091 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
8094 if (strcmp(modulename, "fips") == 0)
8098 * We add, but don't load the test "tls-provider". We'll load it when we
8101 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8102 tls_provider_init)))
8106 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8107 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
8108 TEST_error("not supported in this build");
8111 int i, mcount, rcount, fcount;
8113 for (i = 0; i < 4; i++)
8114 test_export_key_mat(i);
8115 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8116 test_printf_stdout("malloc %d realloc %d free %d\n",
8117 mcount, rcount, fcount);
8122 cert = test_mk_file_path(certsdir, "servercert.pem");
8126 privkey = test_mk_file_path(certsdir, "serverkey.pem");
8127 if (privkey == NULL)
8130 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8134 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8135 if (privkey2 == NULL)
8138 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8139 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
8140 ADD_ALL_TESTS(test_ktls, 32);
8141 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
8144 ADD_TEST(test_large_message_tls);
8145 ADD_TEST(test_large_message_tls_read_ahead);
8146 #ifndef OPENSSL_NO_DTLS
8147 ADD_TEST(test_large_message_dtls);
8149 ADD_TEST(test_cleanse_plaintext);
8150 #ifndef OPENSSL_NO_OCSP
8151 ADD_TEST(test_tlsext_status_type);
8153 ADD_TEST(test_session_with_only_int_cache);
8154 ADD_TEST(test_session_with_only_ext_cache);
8155 ADD_TEST(test_session_with_both_cache);
8156 ADD_TEST(test_session_wo_ca_names);
8157 #ifndef OPENSSL_NO_TLS1_3
8158 ADD_ALL_TESTS(test_stateful_tickets, 3);
8159 ADD_ALL_TESTS(test_stateless_tickets, 3);
8160 ADD_TEST(test_psk_tickets);
8161 ADD_ALL_TESTS(test_extra_tickets, 6);
8163 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
8164 ADD_TEST(test_ssl_bio_pop_next_bio);
8165 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8166 ADD_TEST(test_ssl_bio_change_rbio);
8167 ADD_TEST(test_ssl_bio_change_wbio);
8168 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
8169 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
8170 ADD_TEST(test_keylog);
8172 #ifndef OPENSSL_NO_TLS1_3
8173 ADD_TEST(test_keylog_no_master_key);
8175 #ifndef OPENSSL_NO_TLS1_2
8176 ADD_TEST(test_client_hello_cb);
8177 ADD_TEST(test_no_ems);
8178 ADD_TEST(test_ccs_change_cipher);
8180 #ifndef OPENSSL_NO_TLS1_3
8181 ADD_ALL_TESTS(test_early_data_read_write, 3);
8183 * We don't do replay tests for external PSK. Replay protection isn't used
8186 ADD_ALL_TESTS(test_early_data_replay, 2);
8187 ADD_ALL_TESTS(test_early_data_skip, 3);
8188 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
8189 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
8190 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
8191 ADD_ALL_TESTS(test_early_data_not_sent, 3);
8192 ADD_ALL_TESTS(test_early_data_psk, 8);
8193 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
8194 ADD_ALL_TESTS(test_early_data_not_expected, 3);
8195 # ifndef OPENSSL_NO_TLS1_2
8196 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
8199 #ifndef OPENSSL_NO_TLS1_3
8200 ADD_ALL_TESTS(test_set_ciphersuite, 10);
8201 ADD_TEST(test_ciphersuite_change);
8202 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8203 # ifdef OPENSSL_NO_PSK
8204 ADD_ALL_TESTS(test_tls13_psk, 1);
8206 ADD_ALL_TESTS(test_tls13_psk, 4);
8207 # endif /* OPENSSL_NO_PSK */
8208 # ifndef OPENSSL_NO_TLS1_2
8209 /* Test with both TLSv1.3 and 1.2 versions */
8210 ADD_ALL_TESTS(test_key_exchange, 14);
8212 /* Test with only TLSv1.3 versions */
8213 ADD_ALL_TESTS(test_key_exchange, 12);
8215 ADD_ALL_TESTS(test_custom_exts, 5);
8216 ADD_TEST(test_stateless);
8217 ADD_TEST(test_pha_key_update);
8219 ADD_ALL_TESTS(test_custom_exts, 3);
8221 ADD_ALL_TESTS(test_serverinfo, 8);
8222 ADD_ALL_TESTS(test_export_key_mat, 6);
8223 #ifndef OPENSSL_NO_TLS1_3
8224 ADD_ALL_TESTS(test_export_key_mat_early, 3);
8225 ADD_TEST(test_key_update);
8226 ADD_ALL_TESTS(test_key_update_in_write, 2);
8228 ADD_ALL_TESTS(test_ssl_clear, 2);
8229 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
8230 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8231 ADD_ALL_TESTS(test_srp, 6);
8233 ADD_ALL_TESTS(test_info_callback, 6);
8234 ADD_ALL_TESTS(test_ssl_pending, 2);
8235 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
8236 ADD_ALL_TESTS(test_ticket_callbacks, 16);
8237 ADD_ALL_TESTS(test_shutdown, 7);
8238 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
8239 ADD_ALL_TESTS(test_cert_cb, 6);
8240 ADD_ALL_TESTS(test_client_cert_cb, 2);
8241 ADD_ALL_TESTS(test_ca_names, 3);
8242 #ifndef OPENSSL_NO_TLS1_2
8243 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8245 ADD_ALL_TESTS(test_servername, 10);
8246 #ifndef OPENSSL_NO_EC
8247 ADD_ALL_TESTS(test_sigalgs_available, 6);
8249 #ifndef OPENSSL_NO_TLS1_3
8250 ADD_TEST(test_pluggable_group);
8252 #ifndef OPENSSL_NO_TLS1_2
8253 ADD_TEST(test_ssl_dup);
8259 OPENSSL_free(privkey);
8260 OPENSSL_free(cert2);
8261 OPENSSL_free(privkey2);
8265 void cleanup_tests(void)
8268 OPENSSL_free(privkey);
8269 OPENSSL_free(cert2);
8270 OPENSSL_free(privkey2);
8271 bio_s_mempacket_test_free();
8272 bio_s_always_retry_free();
8273 OSSL_PROVIDER_unload(defctxnull);
8274 OPENSSL_CTX_free(libctx);