2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
37 #include "helpers/ssltestlib.h"
39 #include "testutil/output.h"
40 #include "internal/nelem.h"
41 #include "internal/ktls.h"
42 #include "../ssl/ssl_local.h"
43 #include "filterprov.h"
45 #undef OSSL_NO_USABLE_TLS1_3
46 #if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49 * If we don't have ec or dh then there are no built-in groups that are usable
52 # define OSSL_NO_USABLE_TLS1_3
55 /* Defined in tls-provider.c */
56 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
57 const OSSL_DISPATCH *in,
58 const OSSL_DISPATCH **out,
61 static OSSL_LIB_CTX *libctx = NULL;
62 static OSSL_PROVIDER *defctxnull = NULL;
64 #ifndef OSSL_NO_USABLE_TLS1_3
66 static SSL_SESSION *clientpsk = NULL;
67 static SSL_SESSION *serverpsk = NULL;
68 static const char *pskid = "Identity";
69 static const char *srvid;
71 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
72 size_t *idlen, SSL_SESSION **sess);
73 static int find_session_cb(SSL *ssl, const unsigned char *identity,
74 size_t identity_len, SSL_SESSION **sess);
76 static int use_session_cb_cnt = 0;
77 static int find_session_cb_cnt = 0;
79 static SSL_SESSION *create_a_psk(SSL *ssl);
82 static char *certsdir = NULL;
83 static char *cert = NULL;
84 static char *privkey = NULL;
85 static char *cert2 = NULL;
86 static char *privkey2 = NULL;
87 static char *cert1024 = NULL;
88 static char *privkey1024 = NULL;
89 static char *cert3072 = NULL;
90 static char *privkey3072 = NULL;
91 static char *cert4096 = NULL;
92 static char *privkey4096 = NULL;
93 static char *cert8192 = NULL;
94 static char *privkey8192 = NULL;
95 static char *srpvfile = NULL;
96 static char *tmpfilename = NULL;
98 static int is_fips = 0;
100 #define LOG_BUFFER_SIZE 2048
101 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
102 static size_t server_log_buffer_index = 0;
103 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
104 static size_t client_log_buffer_index = 0;
105 static int error_writing_log = 0;
107 #ifndef OPENSSL_NO_OCSP
108 static const unsigned char orespder[] = "Dummy OCSP Response";
109 static int ocsp_server_called = 0;
110 static int ocsp_client_called = 0;
112 static int cdummyarg = 1;
113 static X509 *ocspcert = NULL;
116 #define NUM_EXTRA_CERTS 40
117 #define CLIENT_VERSION_LEN 2
120 * This structure is used to validate that the correct number of log messages
121 * of various types are emitted when emitting secret logs.
123 struct sslapitest_log_counts {
124 unsigned int rsa_key_exchange_count;
125 unsigned int master_secret_count;
126 unsigned int client_early_secret_count;
127 unsigned int client_handshake_secret_count;
128 unsigned int server_handshake_secret_count;
129 unsigned int client_application_secret_count;
130 unsigned int server_application_secret_count;
131 unsigned int early_exporter_secret_count;
132 unsigned int exporter_secret_count;
136 static unsigned char serverinfov1[] = {
137 0xff, 0xff, /* Dummy extension type */
138 0x00, 0x01, /* Extension length is 1 byte */
139 0xff /* Dummy extension data */
142 static unsigned char serverinfov2[] = {
144 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
145 0xff, 0xff, /* Dummy extension type */
146 0x00, 0x01, /* Extension length is 1 byte */
147 0xff /* Dummy extension data */
150 static int hostname_cb(SSL *s, int *al, void *arg)
152 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
154 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
155 || strcmp(hostname, "altgoodhost") == 0))
156 return SSL_TLSEXT_ERR_OK;
158 return SSL_TLSEXT_ERR_NOACK;
161 static void client_keylog_callback(const SSL *ssl, const char *line)
163 int line_length = strlen(line);
165 /* If the log doesn't fit, error out. */
166 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
167 TEST_info("Client log too full");
168 error_writing_log = 1;
172 strcat(client_log_buffer, line);
173 client_log_buffer_index += line_length;
174 client_log_buffer[client_log_buffer_index++] = '\n';
177 static void server_keylog_callback(const SSL *ssl, const char *line)
179 int line_length = strlen(line);
181 /* If the log doesn't fit, error out. */
182 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
183 TEST_info("Server log too full");
184 error_writing_log = 1;
188 strcat(server_log_buffer, line);
189 server_log_buffer_index += line_length;
190 server_log_buffer[server_log_buffer_index++] = '\n';
193 static int compare_hex_encoded_buffer(const char *hex_encoded,
201 if (!TEST_size_t_eq(raw_length * 2, hex_length))
204 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
205 sprintf(hexed, "%02x", raw[i]);
206 if (!TEST_int_eq(hexed[0], hex_encoded[j])
207 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
214 static int test_keylog_output(char *buffer, const SSL *ssl,
215 const SSL_SESSION *session,
216 struct sslapitest_log_counts *expected)
219 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
220 size_t client_random_size = SSL3_RANDOM_SIZE;
221 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
222 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
223 unsigned int rsa_key_exchange_count = 0;
224 unsigned int master_secret_count = 0;
225 unsigned int client_early_secret_count = 0;
226 unsigned int client_handshake_secret_count = 0;
227 unsigned int server_handshake_secret_count = 0;
228 unsigned int client_application_secret_count = 0;
229 unsigned int server_application_secret_count = 0;
230 unsigned int early_exporter_secret_count = 0;
231 unsigned int exporter_secret_count = 0;
233 for (token = strtok(buffer, " \n"); token != NULL;
234 token = strtok(NULL, " \n")) {
235 if (strcmp(token, "RSA") == 0) {
237 * Premaster secret. Tokens should be: 16 ASCII bytes of
238 * hex-encoded encrypted secret, then the hex-encoded pre-master
241 if (!TEST_ptr(token = strtok(NULL, " \n")))
243 if (!TEST_size_t_eq(strlen(token), 16))
245 if (!TEST_ptr(token = strtok(NULL, " \n")))
248 * We can't sensibly check the log because the premaster secret is
249 * transient, and OpenSSL doesn't keep hold of it once the master
250 * secret is generated.
252 rsa_key_exchange_count++;
253 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
255 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
256 * client random, then the hex-encoded master secret.
258 client_random_size = SSL_get_client_random(ssl,
259 actual_client_random,
261 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
264 if (!TEST_ptr(token = strtok(NULL, " \n")))
266 if (!TEST_size_t_eq(strlen(token), 64))
268 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
269 actual_client_random,
270 client_random_size)))
273 if (!TEST_ptr(token = strtok(NULL, " \n")))
275 master_key_size = SSL_SESSION_get_master_key(session,
278 if (!TEST_size_t_ne(master_key_size, 0))
280 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
284 master_secret_count++;
285 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
286 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
287 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
289 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
290 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
291 || strcmp(token, "EXPORTER_SECRET") == 0) {
293 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
294 * client random, and then the hex-encoded secret. In this case,
295 * we treat all of these secrets identically and then just
296 * distinguish between them when counting what we saw.
298 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
299 client_early_secret_count++;
300 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
301 client_handshake_secret_count++;
302 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
303 server_handshake_secret_count++;
304 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
305 client_application_secret_count++;
306 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
307 server_application_secret_count++;
308 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
309 early_exporter_secret_count++;
310 else if (strcmp(token, "EXPORTER_SECRET") == 0)
311 exporter_secret_count++;
313 client_random_size = SSL_get_client_random(ssl,
314 actual_client_random,
316 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
319 if (!TEST_ptr(token = strtok(NULL, " \n")))
321 if (!TEST_size_t_eq(strlen(token), 64))
323 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
324 actual_client_random,
325 client_random_size)))
328 if (!TEST_ptr(token = strtok(NULL, " \n")))
331 TEST_info("Unexpected token %s\n", token);
336 /* Got what we expected? */
337 if (!TEST_size_t_eq(rsa_key_exchange_count,
338 expected->rsa_key_exchange_count)
339 || !TEST_size_t_eq(master_secret_count,
340 expected->master_secret_count)
341 || !TEST_size_t_eq(client_early_secret_count,
342 expected->client_early_secret_count)
343 || !TEST_size_t_eq(client_handshake_secret_count,
344 expected->client_handshake_secret_count)
345 || !TEST_size_t_eq(server_handshake_secret_count,
346 expected->server_handshake_secret_count)
347 || !TEST_size_t_eq(client_application_secret_count,
348 expected->client_application_secret_count)
349 || !TEST_size_t_eq(server_application_secret_count,
350 expected->server_application_secret_count)
351 || !TEST_size_t_eq(early_exporter_secret_count,
352 expected->early_exporter_secret_count)
353 || !TEST_size_t_eq(exporter_secret_count,
354 expected->exporter_secret_count))
359 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
360 static int test_keylog(void)
362 SSL_CTX *cctx = NULL, *sctx = NULL;
363 SSL *clientssl = NULL, *serverssl = NULL;
365 struct sslapitest_log_counts expected;
367 /* Clean up logging space */
368 memset(&expected, 0, sizeof(expected));
369 memset(client_log_buffer, 0, sizeof(client_log_buffer));
370 memset(server_log_buffer, 0, sizeof(server_log_buffer));
371 client_log_buffer_index = 0;
372 server_log_buffer_index = 0;
373 error_writing_log = 0;
375 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
378 &sctx, &cctx, cert, privkey)))
381 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
382 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
383 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
385 /* We also want to ensure that we use RSA-based key exchange. */
386 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
392 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
393 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
394 == client_keylog_callback))
396 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
397 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
398 == server_keylog_callback))
401 /* Now do a handshake and check that the logs have been written to. */
402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
403 &clientssl, NULL, NULL))
404 || !TEST_true(create_ssl_connection(serverssl, clientssl,
406 || !TEST_false(error_writing_log)
407 || !TEST_int_gt(client_log_buffer_index, 0)
408 || !TEST_int_gt(server_log_buffer_index, 0))
412 * Now we want to test that our output data was vaguely sensible. We
413 * do that by using strtok and confirming that we have more or less the
414 * data we expect. For both client and server, we expect to see one master
415 * secret. The client should also see a RSA key exchange.
417 expected.rsa_key_exchange_count = 1;
418 expected.master_secret_count = 1;
419 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
420 SSL_get_session(clientssl), &expected)))
423 expected.rsa_key_exchange_count = 0;
424 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
425 SSL_get_session(serverssl), &expected)))
440 #ifndef OSSL_NO_USABLE_TLS1_3
441 static int test_keylog_no_master_key(void)
443 SSL_CTX *cctx = NULL, *sctx = NULL;
444 SSL *clientssl = NULL, *serverssl = NULL;
445 SSL_SESSION *sess = NULL;
447 struct sslapitest_log_counts expected;
448 unsigned char buf[1];
449 size_t readbytes, written;
451 /* Clean up logging space */
452 memset(&expected, 0, sizeof(expected));
453 memset(client_log_buffer, 0, sizeof(client_log_buffer));
454 memset(server_log_buffer, 0, sizeof(server_log_buffer));
455 client_log_buffer_index = 0;
456 server_log_buffer_index = 0;
457 error_writing_log = 0;
459 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
460 TLS_client_method(), TLS1_VERSION, 0,
461 &sctx, &cctx, cert, privkey))
462 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
463 SSL3_RT_MAX_PLAIN_LENGTH)))
466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
467 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
470 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
471 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
472 == client_keylog_callback))
475 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
476 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
477 == server_keylog_callback))
480 /* Now do a handshake and check that the logs have been written to. */
481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
482 &clientssl, NULL, NULL))
483 || !TEST_true(create_ssl_connection(serverssl, clientssl,
485 || !TEST_false(error_writing_log))
489 * Now we want to test that our output data was vaguely sensible. For this
490 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
491 * TLSv1.3, but we do expect both client and server to emit keys.
493 expected.client_handshake_secret_count = 1;
494 expected.server_handshake_secret_count = 1;
495 expected.client_application_secret_count = 1;
496 expected.server_application_secret_count = 1;
497 expected.exporter_secret_count = 1;
498 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
499 SSL_get_session(clientssl), &expected))
500 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
501 SSL_get_session(serverssl),
505 /* Terminate old session and resume with early data. */
506 sess = SSL_get1_session(clientssl);
507 SSL_shutdown(clientssl);
508 SSL_shutdown(serverssl);
511 serverssl = clientssl = NULL;
514 memset(client_log_buffer, 0, sizeof(client_log_buffer));
515 memset(server_log_buffer, 0, sizeof(server_log_buffer));
516 client_log_buffer_index = 0;
517 server_log_buffer_index = 0;
519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
520 &clientssl, NULL, NULL))
521 || !TEST_true(SSL_set_session(clientssl, sess))
522 /* Here writing 0 length early data is enough. */
523 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
524 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
526 SSL_READ_EARLY_DATA_ERROR)
527 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
528 SSL_EARLY_DATA_ACCEPTED)
529 || !TEST_true(create_ssl_connection(serverssl, clientssl,
531 || !TEST_true(SSL_session_reused(clientssl)))
534 /* In addition to the previous entries, expect early secrets. */
535 expected.client_early_secret_count = 1;
536 expected.early_exporter_secret_count = 1;
537 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
538 SSL_get_session(clientssl), &expected))
539 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
540 SSL_get_session(serverssl),
547 SSL_SESSION_free(sess);
557 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
559 int res = X509_verify_cert(ctx);
561 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
562 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
563 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
567 static int test_client_cert_verify_cb(void)
569 /* server key, cert, chain, and root */
570 char *skey = test_mk_file_path(certsdir, "leaf.key");
571 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
572 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
573 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
574 char *root = test_mk_file_path(certsdir, "rootCA.pem");
575 X509 *crt1 = NULL, *crt2 = NULL;
576 STACK_OF(X509) *server_chain;
577 SSL_CTX *cctx = NULL, *sctx = NULL;
578 SSL *clientssl = NULL, *serverssl = NULL;
581 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
582 TLS_client_method(), TLS1_VERSION, 0,
583 &sctx, &cctx, NULL, NULL)))
585 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
586 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
587 SSL_FILETYPE_PEM), 1)
588 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
590 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
592 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
593 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
595 &clientssl, NULL, NULL)))
598 /* attempt SSL_connect() with incomplete server chain */
599 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
600 SSL_ERROR_WANT_RETRY_VERIFY)))
603 /* application provides intermediate certs needed to verify server cert */
604 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
605 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
606 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
608 /* add certs in reverse order to demonstrate real chain building */
609 if (!TEST_true(sk_X509_push(server_chain, crt1)))
612 if (!TEST_true(sk_X509_push(server_chain, crt2)))
616 /* continue SSL_connect(), must now succeed with completed server chain */
617 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
626 if (clientssl != NULL) {
627 SSL_shutdown(clientssl);
630 if (serverssl != NULL) {
631 SSL_shutdown(serverssl);
646 static int test_ssl_build_cert_chain(void)
649 SSL_CTX *ssl_ctx = NULL;
651 char *skey = test_mk_file_path(certsdir, "leaf.key");
652 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
654 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
656 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
658 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
659 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
660 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
661 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
663 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
664 | SSL_BUILD_CHAIN_FLAG_CHECK)))
669 SSL_CTX_free(ssl_ctx);
670 OPENSSL_free(leaf_chain);
675 static int test_ssl_ctx_build_cert_chain(void)
679 char *skey = test_mk_file_path(certsdir, "leaf.key");
680 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
682 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
684 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
685 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
686 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
687 SSL_FILETYPE_PEM), 1)
688 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
690 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
691 | SSL_BUILD_CHAIN_FLAG_CHECK)))
696 OPENSSL_free(leaf_chain);
701 #ifndef OPENSSL_NO_TLS1_2
702 static int full_client_hello_callback(SSL *s, int *al, void *arg)
705 const unsigned char *p;
707 /* We only configure two ciphers, but the SCSV is added automatically. */
709 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
711 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
714 const int expected_extensions[] = {
715 #ifndef OPENSSL_NO_EC
721 /* Make sure we can defer processing and get called back. */
723 return SSL_CLIENT_HELLO_RETRY;
725 len = SSL_client_hello_get0_ciphers(s, &p);
726 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
728 SSL_client_hello_get0_compression_methods(s, &p), 1)
729 || !TEST_int_eq(*p, 0))
730 return SSL_CLIENT_HELLO_ERROR;
731 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
732 return SSL_CLIENT_HELLO_ERROR;
733 if (len != OSSL_NELEM(expected_extensions) ||
734 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
735 printf("ClientHello callback expected extensions mismatch\n");
737 return SSL_CLIENT_HELLO_ERROR;
740 return SSL_CLIENT_HELLO_SUCCESS;
743 static int test_client_hello_cb(void)
745 SSL_CTX *cctx = NULL, *sctx = NULL;
746 SSL *clientssl = NULL, *serverssl = NULL;
747 int testctr = 0, testresult = 0;
749 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
750 TLS_client_method(), TLS1_VERSION, 0,
751 &sctx, &cctx, cert, privkey)))
753 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
755 /* The gimpy cipher list we configure can't do TLS 1.3. */
756 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
758 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
759 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
760 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
761 &clientssl, NULL, NULL))
762 || !TEST_false(create_ssl_connection(serverssl, clientssl,
763 SSL_ERROR_WANT_CLIENT_HELLO_CB))
765 * Passing a -1 literal is a hack since
766 * the real value was lost.
768 || !TEST_int_eq(SSL_get_error(serverssl, -1),
769 SSL_ERROR_WANT_CLIENT_HELLO_CB)
770 || !TEST_true(create_ssl_connection(serverssl, clientssl,
785 static int test_no_ems(void)
787 SSL_CTX *cctx = NULL, *sctx = NULL;
788 SSL *clientssl = NULL, *serverssl = NULL;
791 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
792 TLS1_VERSION, TLS1_2_VERSION,
793 &sctx, &cctx, cert, privkey)) {
794 printf("Unable to create SSL_CTX pair\n");
798 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
800 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
801 printf("Unable to create SSL objects\n");
805 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
806 printf("Creating SSL connection failed\n");
810 if (SSL_get_extms_support(serverssl)) {
811 printf("Server reports Extended Master Secret support\n");
815 if (SSL_get_extms_support(clientssl)) {
816 printf("Client reports Extended Master Secret support\n");
831 * Very focused test to exercise a single case in the server-side state
832 * machine, when the ChangeCipherState message needs to actually change
833 * from one cipher to a different cipher (i.e., not changing from null
834 * encryption to real encryption).
836 static int test_ccs_change_cipher(void)
838 SSL_CTX *cctx = NULL, *sctx = NULL;
839 SSL *clientssl = NULL, *serverssl = NULL;
840 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
847 * Create a conection so we can resume and potentially (but not) use
848 * a different cipher in the second connection.
850 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
852 TLS1_VERSION, TLS1_2_VERSION,
853 &sctx, &cctx, cert, privkey))
854 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
855 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
857 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
858 || !TEST_true(create_ssl_connection(serverssl, clientssl,
860 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
861 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
864 shutdown_ssl_connection(serverssl, clientssl);
865 serverssl = clientssl = NULL;
867 /* Resume, preferring a different cipher. Our server will force the
868 * same cipher to be used as the initial handshake. */
869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
871 || !TEST_true(SSL_set_session(clientssl, sess))
872 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
875 || !TEST_true(SSL_session_reused(clientssl))
876 || !TEST_true(SSL_session_reused(serverssl))
877 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
878 || !TEST_ptr_eq(sesspre, sesspost)
879 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
880 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
882 shutdown_ssl_connection(serverssl, clientssl);
883 serverssl = clientssl = NULL;
886 * Now create a fresh connection and try to renegotiate a different
889 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
891 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
892 || !TEST_true(create_ssl_connection(serverssl, clientssl,
894 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
895 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
896 || !TEST_true(SSL_renegotiate(clientssl))
897 || !TEST_true(SSL_renegotiate_pending(clientssl)))
899 /* Actually drive the renegotiation. */
900 for (i = 0; i < 3; i++) {
901 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
902 if (!TEST_ulong_eq(readbytes, 0))
904 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
905 SSL_ERROR_WANT_READ)) {
908 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
909 if (!TEST_ulong_eq(readbytes, 0))
911 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
912 SSL_ERROR_WANT_READ)) {
916 /* sesspre and sesspost should be different since the cipher changed. */
917 if (!TEST_false(SSL_renegotiate_pending(clientssl))
918 || !TEST_false(SSL_session_reused(clientssl))
919 || !TEST_false(SSL_session_reused(serverssl))
920 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
921 || !TEST_ptr_ne(sesspre, sesspost)
922 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
923 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
926 shutdown_ssl_connection(serverssl, clientssl);
927 serverssl = clientssl = NULL;
936 SSL_SESSION_free(sess);
942 static int execute_test_large_message(const SSL_METHOD *smeth,
943 const SSL_METHOD *cmeth,
944 int min_version, int max_version,
947 SSL_CTX *cctx = NULL, *sctx = NULL;
948 SSL *clientssl = NULL, *serverssl = NULL;
952 X509 *chaincert = NULL;
955 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
958 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
961 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
966 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
967 max_version, &sctx, &cctx, cert,
971 #ifdef OPENSSL_NO_DTLS1_2
972 if (smeth == DTLS_server_method()) {
974 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
977 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "DEFAULT:@SECLEVEL=0")))
986 * Test that read_ahead works correctly when dealing with large
989 SSL_CTX_set_read_ahead(cctx, 1);
993 * We assume the supplied certificate is big enough so that if we add
994 * NUM_EXTRA_CERTS it will make the overall message large enough. The
995 * default buffer size is requested to be 16k, but due to the way BUF_MEM
996 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
997 * test we need to have a message larger than that.
999 certlen = i2d_X509(chaincert, NULL);
1000 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1001 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1002 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1003 if (!X509_up_ref(chaincert))
1005 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1006 X509_free(chaincert);
1011 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1013 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1018 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1021 if (!TEST_true(SSL_clear(serverssl)))
1027 X509_free(chaincert);
1028 SSL_free(serverssl);
1029 SSL_free(clientssl);
1036 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1037 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1038 /* sock must be connected */
1039 static int ktls_chk_platform(int sock)
1041 if (!ktls_enable(sock))
1046 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1048 static char count = 1;
1049 unsigned char cbuf[16000] = {0};
1050 unsigned char sbuf[16000];
1052 char crec_wseq_before[SEQ_NUM_SIZE];
1053 char crec_wseq_after[SEQ_NUM_SIZE];
1054 char crec_rseq_before[SEQ_NUM_SIZE];
1055 char crec_rseq_after[SEQ_NUM_SIZE];
1056 char srec_wseq_before[SEQ_NUM_SIZE];
1057 char srec_wseq_after[SEQ_NUM_SIZE];
1058 char srec_rseq_before[SEQ_NUM_SIZE];
1059 char srec_rseq_after[SEQ_NUM_SIZE];
1062 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1063 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1064 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1065 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1067 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1070 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1071 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1076 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1079 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1080 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1085 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1086 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1088 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1090 /* verify the payload */
1091 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1095 * If ktls is used then kernel sequences are used instead of
1098 if (!BIO_get_ktls_send(clientssl->wbio)) {
1099 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1100 crec_wseq_after, SEQ_NUM_SIZE))
1103 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1104 crec_wseq_after, SEQ_NUM_SIZE))
1108 if (!BIO_get_ktls_send(serverssl->wbio)) {
1109 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1110 srec_wseq_after, SEQ_NUM_SIZE))
1113 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1114 srec_wseq_after, SEQ_NUM_SIZE))
1118 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1119 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1120 crec_rseq_after, SEQ_NUM_SIZE))
1123 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1124 crec_rseq_after, SEQ_NUM_SIZE))
1128 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1129 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1130 srec_rseq_after, SEQ_NUM_SIZE))
1133 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1134 srec_rseq_after, SEQ_NUM_SIZE))
1143 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1144 int tls_version, const char *cipher)
1146 SSL_CTX *cctx = NULL, *sctx = NULL;
1147 SSL *clientssl = NULL, *serverssl = NULL;
1148 int ktls_used = 0, testresult = 0;
1149 int cfd = -1, sfd = -1;
1152 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1155 /* Skip this test if the platform does not support ktls */
1156 if (!ktls_chk_platform(cfd)) {
1157 testresult = TEST_skip("Kernel does not support KTLS");
1161 /* Create a session based on SHA-256 */
1162 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1163 TLS_client_method(),
1164 tls_version, tls_version,
1165 &sctx, &cctx, cert, privkey)))
1168 if (tls_version == TLS1_3_VERSION) {
1169 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1170 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1173 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1174 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1178 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1179 &clientssl, sfd, cfd)))
1183 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1188 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1192 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1196 * The running kernel may not support a given cipher suite
1197 * or direction, so just check that KTLS isn't used when it
1201 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1204 if (BIO_get_ktls_send(clientssl->wbio))
1209 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1212 if (BIO_get_ktls_send(serverssl->wbio))
1216 #if defined(OPENSSL_NO_KTLS_RX)
1219 rx_supported = (tls_version != TLS1_3_VERSION);
1221 if (!cis_ktls || !rx_supported) {
1222 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1225 if (BIO_get_ktls_send(clientssl->rbio))
1229 if (!sis_ktls || !rx_supported) {
1230 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1233 if (BIO_get_ktls_send(serverssl->rbio))
1237 if ((cis_ktls || sis_ktls) && !ktls_used) {
1238 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1239 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1244 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1250 SSL_shutdown(clientssl);
1251 SSL_free(clientssl);
1254 SSL_shutdown(serverssl);
1255 SSL_free(serverssl);
1259 serverssl = clientssl = NULL;
1267 #define SENDFILE_SZ (16 * 4096)
1268 #define SENDFILE_CHUNK (4 * 4096)
1269 #define min(a,b) ((a) > (b) ? (b) : (a))
1271 static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1273 SSL_CTX *cctx = NULL, *sctx = NULL;
1274 SSL *clientssl = NULL, *serverssl = NULL;
1275 unsigned char *buf, *buf_dst;
1276 BIO *out = NULL, *in = NULL;
1277 int cfd = -1, sfd = -1, ffd, err;
1278 ssize_t chunk_size = 0;
1279 off_t chunk_off = 0;
1283 buf = OPENSSL_zalloc(SENDFILE_SZ);
1284 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1285 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1286 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1289 /* Skip this test if the platform does not support ktls */
1290 if (!ktls_chk_platform(sfd)) {
1291 testresult = TEST_skip("Kernel does not support KTLS");
1295 /* Create a session based on SHA-256 */
1296 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1297 TLS_client_method(),
1298 tls_version, tls_version,
1299 &sctx, &cctx, cert, privkey)))
1302 if (tls_version == TLS1_3_VERSION) {
1303 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1304 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1307 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1308 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1312 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1313 &clientssl, sfd, cfd)))
1316 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1319 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1323 if (!BIO_get_ktls_send(serverssl->wbio)) {
1324 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1325 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1330 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0)))
1333 out = BIO_new_file(tmpfilename, "wb");
1337 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1342 in = BIO_new_file(tmpfilename, "rb");
1343 BIO_get_fp(in, &ffdp);
1346 while (chunk_off < SENDFILE_SZ) {
1347 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1348 while ((err = SSL_sendfile(serverssl,
1352 0)) != chunk_size) {
1353 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1356 while ((err = SSL_read(clientssl,
1357 buf_dst + chunk_off,
1358 chunk_size)) != chunk_size) {
1359 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1363 /* verify the payload */
1364 if (!TEST_mem_eq(buf_dst + chunk_off,
1370 chunk_off += chunk_size;
1376 SSL_shutdown(clientssl);
1377 SSL_free(clientssl);
1380 SSL_shutdown(serverssl);
1381 SSL_free(serverssl);
1385 serverssl = clientssl = NULL;
1393 OPENSSL_free(buf_dst);
1397 static struct ktls_test_cipher {
1400 } ktls_test_ciphers[] = {
1401 # if !defined(OPENSSL_NO_TLS1_2)
1402 # ifdef OPENSSL_KTLS_AES_GCM_128
1403 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1405 # ifdef OPENSSL_KTLS_AES_CCM_128
1406 { TLS1_2_VERSION, "AES128-CCM"},
1408 # ifdef OPENSSL_KTLS_AES_GCM_256
1409 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1411 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1412 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1415 # if !defined(OSSL_NO_USABLE_TLS1_3)
1416 # ifdef OPENSSL_KTLS_AES_GCM_128
1417 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1419 # ifdef OPENSSL_KTLS_AES_CCM_128
1420 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1422 # ifdef OPENSSL_KTLS_AES_GCM_256
1423 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1425 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1426 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1431 #define NUM_KTLS_TEST_CIPHERS \
1432 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1434 static int test_ktls(int test)
1436 struct ktls_test_cipher *cipher;
1437 int cis_ktls, sis_ktls;
1439 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1440 cipher = &ktls_test_ciphers[test / 4];
1442 cis_ktls = (test & 1) != 0;
1443 sis_ktls = (test & 2) != 0;
1445 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1449 static int test_ktls_sendfile(int tst)
1451 struct ktls_test_cipher *cipher;
1453 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1454 cipher = &ktls_test_ciphers[tst];
1456 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1460 static int test_large_message_tls(void)
1462 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1463 TLS1_VERSION, 0, 0);
1466 static int test_large_message_tls_read_ahead(void)
1468 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1469 TLS1_VERSION, 0, 1);
1472 #ifndef OPENSSL_NO_DTLS
1473 static int test_large_message_dtls(void)
1475 # ifdef OPENSSL_NO_DTLS1_2
1476 /* Not supported in the FIPS provider */
1481 * read_ahead is not relevant to DTLS because DTLS always acts as if
1482 * read_ahead is set.
1484 return execute_test_large_message(DTLS_server_method(),
1485 DTLS_client_method(),
1486 DTLS1_VERSION, 0, 0);
1490 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1491 const SSL_METHOD *cmeth,
1492 int min_version, int max_version)
1495 SSL_CTX *cctx = NULL, *sctx = NULL;
1496 SSL *clientssl = NULL, *serverssl = NULL;
1501 static unsigned char cbuf[16000];
1502 static unsigned char sbuf[16000];
1504 if (!TEST_true(create_ssl_ctx_pair(libctx,
1506 min_version, max_version,
1511 #ifdef OPENSSL_NO_DTLS1_2
1512 if (smeth == DTLS_server_method()) {
1513 # ifdef OPENSSL_NO_DTLS1_2
1514 /* Not supported in the FIPS provider */
1521 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1524 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1525 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1526 "DEFAULT:@SECLEVEL=0")))
1531 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1535 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1538 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1542 for (i = 0; i < sizeof(cbuf); i++) {
1546 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1549 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1552 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1556 * Since we called SSL_peek(), we know the data in the record
1557 * layer is a plaintext record. We can gather the pointer to check
1558 * for zeroization after SSL_read().
1560 rr = serverssl->rlayer.rrec;
1561 zbuf = &rr->data[rr->off];
1562 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1566 * After SSL_peek() the plaintext must still be stored in the
1569 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1572 memset(sbuf, 0, sizeof(sbuf));
1573 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1576 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1579 /* Check if rbuf is cleansed */
1580 memset(cbuf, 0, sizeof(cbuf));
1581 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1586 SSL_free(serverssl);
1587 SSL_free(clientssl);
1594 static int test_cleanse_plaintext(void)
1596 #if !defined(OPENSSL_NO_TLS1_2)
1597 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1598 TLS_client_method(),
1605 #if !defined(OSSL_NO_USABLE_TLS1_3)
1606 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1607 TLS_client_method(),
1613 #if !defined(OPENSSL_NO_DTLS)
1615 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1616 DTLS_client_method(),
1624 #ifndef OPENSSL_NO_OCSP
1625 static int ocsp_server_cb(SSL *s, void *arg)
1627 int *argi = (int *)arg;
1628 unsigned char *copy = NULL;
1629 STACK_OF(OCSP_RESPID) *ids = NULL;
1630 OCSP_RESPID *id = NULL;
1633 /* In this test we are expecting exactly 1 OCSP_RESPID */
1634 SSL_get_tlsext_status_ids(s, &ids);
1635 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1636 return SSL_TLSEXT_ERR_ALERT_FATAL;
1638 id = sk_OCSP_RESPID_value(ids, 0);
1639 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1640 return SSL_TLSEXT_ERR_ALERT_FATAL;
1641 } else if (*argi != 1) {
1642 return SSL_TLSEXT_ERR_ALERT_FATAL;
1645 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1646 return SSL_TLSEXT_ERR_ALERT_FATAL;
1648 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1649 sizeof(orespder)))) {
1651 return SSL_TLSEXT_ERR_ALERT_FATAL;
1653 ocsp_server_called = 1;
1654 return SSL_TLSEXT_ERR_OK;
1657 static int ocsp_client_cb(SSL *s, void *arg)
1659 int *argi = (int *)arg;
1660 const unsigned char *respderin;
1663 if (*argi != 1 && *argi != 2)
1666 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1667 if (!TEST_mem_eq(orespder, len, respderin, len))
1670 ocsp_client_called = 1;
1674 static int test_tlsext_status_type(void)
1676 SSL_CTX *cctx = NULL, *sctx = NULL;
1677 SSL *clientssl = NULL, *serverssl = NULL;
1679 STACK_OF(OCSP_RESPID) *ids = NULL;
1680 OCSP_RESPID *id = NULL;
1681 BIO *certbio = NULL;
1683 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1685 &sctx, &cctx, cert, privkey))
1688 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1691 /* First just do various checks getting and setting tlsext_status_type */
1693 clientssl = SSL_new(cctx);
1694 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1695 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1696 TLSEXT_STATUSTYPE_ocsp))
1697 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1698 TLSEXT_STATUSTYPE_ocsp))
1701 SSL_free(clientssl);
1704 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1705 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1708 clientssl = SSL_new(cctx);
1709 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1711 SSL_free(clientssl);
1715 * Now actually do a handshake and check OCSP information is exchanged and
1716 * the callbacks get called
1718 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1719 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1720 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1721 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1723 &clientssl, NULL, NULL))
1724 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1726 || !TEST_true(ocsp_client_called)
1727 || !TEST_true(ocsp_server_called))
1729 SSL_free(serverssl);
1730 SSL_free(clientssl);
1734 /* Try again but this time force the server side callback to fail */
1735 ocsp_client_called = 0;
1736 ocsp_server_called = 0;
1738 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1739 &clientssl, NULL, NULL))
1740 /* This should fail because the callback will fail */
1741 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1743 || !TEST_false(ocsp_client_called)
1744 || !TEST_false(ocsp_server_called))
1746 SSL_free(serverssl);
1747 SSL_free(clientssl);
1752 * This time we'll get the client to send an OCSP_RESPID that it will
1755 ocsp_client_called = 0;
1756 ocsp_server_called = 0;
1758 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1759 &clientssl, NULL, NULL)))
1763 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1764 * specific one. We'll use the server cert.
1766 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1767 || !TEST_ptr(id = OCSP_RESPID_new())
1768 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1769 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1770 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1771 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1772 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1775 SSL_set_tlsext_status_ids(clientssl, ids);
1776 /* Control has been transferred */
1782 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1784 || !TEST_true(ocsp_client_called)
1785 || !TEST_true(ocsp_server_called))
1791 SSL_free(serverssl);
1792 SSL_free(clientssl);
1795 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1796 OCSP_RESPID_free(id);
1798 X509_free(ocspcert);
1805 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1806 static int new_called, remove_called, get_called;
1808 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1812 * sess has been up-refed for us, but we don't actually need it so free it
1815 SSL_SESSION_free(sess);
1819 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1824 static SSL_SESSION *get_sess_val = NULL;
1826 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1831 return get_sess_val;
1834 static int execute_test_session(int maxprot, int use_int_cache,
1835 int use_ext_cache, long s_options)
1837 SSL_CTX *sctx = NULL, *cctx = NULL;
1838 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1839 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1840 # ifndef OPENSSL_NO_TLS1_1
1841 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1843 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1844 int testresult = 0, numnewsesstick = 1;
1846 new_called = remove_called = 0;
1848 /* TLSv1.3 sends 2 NewSessionTickets */
1849 if (maxprot == TLS1_3_VERSION)
1852 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1853 TLS_client_method(), TLS1_VERSION, 0,
1854 &sctx, &cctx, cert, privkey)))
1858 * Only allow the max protocol version so we can force a connection failure
1861 SSL_CTX_set_min_proto_version(cctx, maxprot);
1862 SSL_CTX_set_max_proto_version(cctx, maxprot);
1864 /* Set up session cache */
1865 if (use_ext_cache) {
1866 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1867 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1869 if (use_int_cache) {
1870 /* Also covers instance where both are set */
1871 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1873 SSL_CTX_set_session_cache_mode(cctx,
1874 SSL_SESS_CACHE_CLIENT
1875 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1879 SSL_CTX_set_options(sctx, s_options);
1882 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1884 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1886 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1889 /* Should fail because it should already be in the cache */
1890 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1893 && (!TEST_int_eq(new_called, numnewsesstick)
1895 || !TEST_int_eq(remove_called, 0)))
1898 new_called = remove_called = 0;
1899 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1900 &clientssl2, NULL, NULL))
1901 || !TEST_true(SSL_set_session(clientssl2, sess1))
1902 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1904 || !TEST_true(SSL_session_reused(clientssl2)))
1907 if (maxprot == TLS1_3_VERSION) {
1909 * In TLSv1.3 we should have created a new session even though we have
1910 * resumed. Since we attempted a resume we should also have removed the
1911 * old ticket from the cache so that we try to only use tickets once.
1914 && (!TEST_int_eq(new_called, 1)
1915 || !TEST_int_eq(remove_called, 1)))
1919 * In TLSv1.2 we expect to have resumed so no sessions added or
1923 && (!TEST_int_eq(new_called, 0)
1924 || !TEST_int_eq(remove_called, 0)))
1928 SSL_SESSION_free(sess1);
1929 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1931 shutdown_ssl_connection(serverssl2, clientssl2);
1932 serverssl2 = clientssl2 = NULL;
1934 new_called = remove_called = 0;
1935 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1936 &clientssl2, NULL, NULL))
1937 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1941 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1945 && (!TEST_int_eq(new_called, numnewsesstick)
1946 || !TEST_int_eq(remove_called, 0)))
1949 new_called = remove_called = 0;
1951 * This should clear sess2 from the cache because it is a "bad" session.
1952 * See SSL_set_session() documentation.
1954 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1957 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1959 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1962 if (use_int_cache) {
1963 /* Should succeeded because it should not already be in the cache */
1964 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1965 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1969 new_called = remove_called = 0;
1970 /* This shouldn't be in the cache so should fail */
1971 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1975 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1978 # if !defined(OPENSSL_NO_TLS1_1)
1979 new_called = remove_called = 0;
1980 /* Force a connection failure */
1981 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1982 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1983 &clientssl3, NULL, NULL))
1984 || !TEST_true(SSL_set_session(clientssl3, sess1))
1985 /* This should fail because of the mismatched protocol versions */
1986 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1990 /* We should have automatically removed the session from the cache */
1992 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1995 /* Should succeed because it should not already be in the cache */
1996 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2000 /* Now do some tests for server side caching */
2001 if (use_ext_cache) {
2002 SSL_CTX_sess_set_new_cb(cctx, NULL);
2003 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2004 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2005 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2006 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2007 get_sess_val = NULL;
2010 SSL_CTX_set_session_cache_mode(cctx, 0);
2011 /* Internal caching is the default on the server side */
2013 SSL_CTX_set_session_cache_mode(sctx,
2014 SSL_SESS_CACHE_SERVER
2015 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2017 SSL_free(serverssl1);
2018 SSL_free(clientssl1);
2019 serverssl1 = clientssl1 = NULL;
2020 SSL_free(serverssl2);
2021 SSL_free(clientssl2);
2022 serverssl2 = clientssl2 = NULL;
2023 SSL_SESSION_free(sess1);
2025 SSL_SESSION_free(sess2);
2028 SSL_CTX_set_max_proto_version(sctx, maxprot);
2029 if (maxprot == TLS1_2_VERSION)
2030 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2031 new_called = remove_called = get_called = 0;
2032 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2034 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2036 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2037 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2040 if (use_int_cache) {
2041 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2043 * In TLSv1.3 it should not have been added to the internal cache,
2044 * except in the case where we also have an external cache (in that
2045 * case it gets added to the cache in order to generate remove
2046 * events after timeout).
2048 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2051 /* Should fail because it should already be in the cache */
2052 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2057 if (use_ext_cache) {
2058 SSL_SESSION *tmp = sess2;
2060 if (!TEST_int_eq(new_called, numnewsesstick)
2061 || !TEST_int_eq(remove_called, 0)
2062 || !TEST_int_eq(get_called, 0))
2065 * Delete the session from the internal cache to force a lookup from
2066 * the external cache. We take a copy first because
2067 * SSL_CTX_remove_session() also marks the session as non-resumable.
2069 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2070 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2071 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2073 SSL_SESSION_free(sess2);
2078 new_called = remove_called = get_called = 0;
2079 get_sess_val = sess2;
2080 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2081 &clientssl2, NULL, NULL))
2082 || !TEST_true(SSL_set_session(clientssl2, sess1))
2083 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2085 || !TEST_true(SSL_session_reused(clientssl2)))
2088 if (use_ext_cache) {
2089 if (!TEST_int_eq(remove_called, 0))
2092 if (maxprot == TLS1_3_VERSION) {
2093 if (!TEST_int_eq(new_called, 1)
2094 || !TEST_int_eq(get_called, 0))
2097 if (!TEST_int_eq(new_called, 0)
2098 || !TEST_int_eq(get_called, 1))
2106 SSL_free(serverssl1);
2107 SSL_free(clientssl1);
2108 SSL_free(serverssl2);
2109 SSL_free(clientssl2);
2110 # ifndef OPENSSL_NO_TLS1_1
2111 SSL_free(serverssl3);
2112 SSL_free(clientssl3);
2114 SSL_SESSION_free(sess1);
2115 SSL_SESSION_free(sess2);
2121 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2123 static int test_session_with_only_int_cache(void)
2125 #ifndef OSSL_NO_USABLE_TLS1_3
2126 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2130 #ifndef OPENSSL_NO_TLS1_2
2131 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2137 static int test_session_with_only_ext_cache(void)
2139 #ifndef OSSL_NO_USABLE_TLS1_3
2140 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2144 #ifndef OPENSSL_NO_TLS1_2
2145 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2151 static int test_session_with_both_cache(void)
2153 #ifndef OSSL_NO_USABLE_TLS1_3
2154 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2158 #ifndef OPENSSL_NO_TLS1_2
2159 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2165 static int test_session_wo_ca_names(void)
2167 #ifndef OSSL_NO_USABLE_TLS1_3
2168 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2172 #ifndef OPENSSL_NO_TLS1_2
2173 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2180 #ifndef OSSL_NO_USABLE_TLS1_3
2181 static SSL_SESSION *sesscache[6];
2182 static int do_cache;
2184 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2187 sesscache[new_called] = sess;
2189 /* We don't need the reference to the session, so free it */
2190 SSL_SESSION_free(sess);
2197 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2199 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2200 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2203 /* Start handshake on the server and client */
2204 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2205 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2206 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2207 || !TEST_true(create_ssl_connection(sssl, cssl,
2214 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2217 int sess_id_ctx = 1;
2219 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2220 TLS_client_method(), TLS1_VERSION, 0,
2221 sctx, cctx, cert, privkey))
2222 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2223 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2224 (void *)&sess_id_ctx,
2225 sizeof(sess_id_ctx))))
2229 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2231 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2232 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2233 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2238 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2240 SSL *serverssl = NULL, *clientssl = NULL;
2243 /* Test that we can resume with all the tickets we got given */
2244 for (i = 0; i < idx * 2; i++) {
2246 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2247 &clientssl, NULL, NULL))
2248 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2251 SSL_set_post_handshake_auth(clientssl, 1);
2253 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2258 * Following a successful resumption we only get 1 ticket. After a
2259 * failed one we should get idx tickets.
2262 if (!TEST_true(SSL_session_reused(clientssl))
2263 || !TEST_int_eq(new_called, 1))
2266 if (!TEST_false(SSL_session_reused(clientssl))
2267 || !TEST_int_eq(new_called, idx))
2272 /* After a post-handshake authentication we should get 1 new ticket */
2274 && (!post_handshake_verify(serverssl, clientssl)
2275 || !TEST_int_eq(new_called, 1)))
2278 SSL_shutdown(clientssl);
2279 SSL_shutdown(serverssl);
2280 SSL_free(serverssl);
2281 SSL_free(clientssl);
2282 serverssl = clientssl = NULL;
2283 SSL_SESSION_free(sesscache[i]);
2284 sesscache[i] = NULL;
2290 SSL_free(clientssl);
2291 SSL_free(serverssl);
2295 static int test_tickets(int stateful, int idx)
2297 SSL_CTX *sctx = NULL, *cctx = NULL;
2298 SSL *serverssl = NULL, *clientssl = NULL;
2302 /* idx is the test number, but also the number of tickets we want */
2307 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2310 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2311 &clientssl, NULL, NULL)))
2314 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2316 /* Check we got the number of tickets we were expecting */
2317 || !TEST_int_eq(idx, new_called))
2320 SSL_shutdown(clientssl);
2321 SSL_shutdown(serverssl);
2322 SSL_free(serverssl);
2323 SSL_free(clientssl);
2326 clientssl = serverssl = NULL;
2330 * Now we try to resume with the tickets we previously created. The
2331 * resumption attempt is expected to fail (because we're now using a new
2332 * SSL_CTX). We should see idx number of tickets issued again.
2335 /* Stop caching sessions - just count them */
2338 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2341 if (!check_resumption(idx, sctx, cctx, 0))
2344 /* Start again with caching sessions */
2351 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2354 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2355 &clientssl, NULL, NULL)))
2358 SSL_set_post_handshake_auth(clientssl, 1);
2360 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2362 /* Check we got the number of tickets we were expecting */
2363 || !TEST_int_eq(idx, new_called))
2366 /* After a post-handshake authentication we should get new tickets issued */
2367 if (!post_handshake_verify(serverssl, clientssl)
2368 || !TEST_int_eq(idx * 2, new_called))
2371 SSL_shutdown(clientssl);
2372 SSL_shutdown(serverssl);
2373 SSL_free(serverssl);
2374 SSL_free(clientssl);
2375 serverssl = clientssl = NULL;
2377 /* Stop caching sessions - just count them */
2381 * Check we can resume with all the tickets we created. This time around the
2382 * resumptions should all be successful.
2384 if (!check_resumption(idx, sctx, cctx, 1))
2390 SSL_free(serverssl);
2391 SSL_free(clientssl);
2392 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2393 SSL_SESSION_free(sesscache[j]);
2394 sesscache[j] = NULL;
2402 static int test_stateless_tickets(int idx)
2404 return test_tickets(0, idx);
2407 static int test_stateful_tickets(int idx)
2409 return test_tickets(1, idx);
2412 static int test_psk_tickets(void)
2414 SSL_CTX *sctx = NULL, *cctx = NULL;
2415 SSL *serverssl = NULL, *clientssl = NULL;
2417 int sess_id_ctx = 1;
2419 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2420 TLS_client_method(), TLS1_VERSION, 0,
2421 &sctx, &cctx, NULL, NULL))
2422 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2423 (void *)&sess_id_ctx,
2424 sizeof(sess_id_ctx))))
2427 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2428 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2429 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2430 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2431 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2432 use_session_cb_cnt = 0;
2433 find_session_cb_cnt = 0;
2437 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2440 clientpsk = serverpsk = create_a_psk(clientssl);
2441 if (!TEST_ptr(clientpsk))
2443 SSL_SESSION_up_ref(clientpsk);
2445 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2447 || !TEST_int_eq(1, find_session_cb_cnt)
2448 || !TEST_int_eq(1, use_session_cb_cnt)
2449 /* We should always get 1 ticket when using external PSK */
2450 || !TEST_int_eq(1, new_called))
2456 SSL_free(serverssl);
2457 SSL_free(clientssl);
2460 SSL_SESSION_free(clientpsk);
2461 SSL_SESSION_free(serverpsk);
2462 clientpsk = serverpsk = NULL;
2467 static int test_extra_tickets(int idx)
2469 SSL_CTX *sctx = NULL, *cctx = NULL;
2470 SSL *serverssl = NULL, *clientssl = NULL;
2471 BIO *bretry = BIO_new(bio_s_always_retry());
2476 unsigned char c, buf[1];
2486 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2488 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2489 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2490 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2492 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2493 &clientssl, NULL, NULL)))
2497 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2498 * incremented by both client and server.
2500 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2502 /* Check we got the number of tickets we were expecting */
2503 || !TEST_int_eq(idx * 2, new_called)
2504 || !TEST_true(SSL_new_session_ticket(serverssl))
2505 || !TEST_true(SSL_new_session_ticket(serverssl))
2506 || !TEST_int_eq(idx * 2, new_called))
2509 /* Now try a (real) write to actually send the tickets */
2511 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2512 || !TEST_size_t_eq(1, nbytes)
2513 || !TEST_int_eq(idx * 2 + 2, new_called)
2514 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2515 || !TEST_int_eq(idx * 2 + 4, new_called)
2516 || !TEST_int_eq(sizeof(buf), nbytes)
2517 || !TEST_int_eq(c, buf[0])
2518 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2521 /* Try with only requesting one new ticket, too */
2524 if (!TEST_true(SSL_new_session_ticket(serverssl))
2525 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2526 || !TEST_size_t_eq(sizeof(c), nbytes)
2527 || !TEST_int_eq(1, new_called)
2528 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2529 || !TEST_int_eq(2, new_called)
2530 || !TEST_size_t_eq(sizeof(buf), nbytes)
2531 || !TEST_int_eq(c, buf[0]))
2534 /* Do it again but use dummy writes to drive the ticket generation */
2537 if (!TEST_true(SSL_new_session_ticket(serverssl))
2538 || !TEST_true(SSL_new_session_ticket(serverssl))
2539 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2540 || !TEST_size_t_eq(0, nbytes)
2541 || !TEST_int_eq(2, new_called)
2542 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2543 || !TEST_int_eq(4, new_called))
2546 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2549 if (!TEST_true(SSL_new_session_ticket(serverssl))
2550 || !TEST_true(SSL_new_session_ticket(serverssl))
2551 || !TEST_true(SSL_do_handshake(serverssl))
2552 || !TEST_int_eq(2, new_called)
2553 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2554 || !TEST_int_eq(4, new_called))
2558 * Use the always-retry BIO to exercise the logic that forces ticket
2559 * generation to wait until a record boundary.
2563 tmp = SSL_get_wbio(serverssl);
2564 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2568 SSL_set0_wbio(serverssl, bretry);
2570 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2571 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2572 || !TEST_size_t_eq(nbytes, 0))
2574 /* Restore a BIO that will let the write succeed */
2575 SSL_set0_wbio(serverssl, tmp);
2578 * These calls should just queue the request and not send anything
2579 * even if we explicitly try to hit the state machine.
2581 if (!TEST_true(SSL_new_session_ticket(serverssl))
2582 || !TEST_true(SSL_new_session_ticket(serverssl))
2583 || !TEST_int_eq(0, new_called)
2584 || !TEST_true(SSL_do_handshake(serverssl))
2585 || !TEST_int_eq(0, new_called))
2587 /* Re-do the write; still no tickets sent */
2588 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2589 || !TEST_size_t_eq(1, nbytes)
2590 || !TEST_int_eq(0, new_called)
2591 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2592 || !TEST_int_eq(0, new_called)
2593 || !TEST_int_eq(sizeof(buf), nbytes)
2594 || !TEST_int_eq(c, buf[0])
2595 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2597 /* Even trying to hit the state machine now will still not send tickets */
2598 if (!TEST_true(SSL_do_handshake(serverssl))
2599 || !TEST_int_eq(0, new_called))
2601 /* Now the *next* write should send the tickets */
2603 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2604 || !TEST_size_t_eq(1, nbytes)
2605 || !TEST_int_eq(2, new_called)
2606 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2607 || !TEST_int_eq(4, new_called)
2608 || !TEST_int_eq(sizeof(buf), nbytes)
2609 || !TEST_int_eq(c, buf[0])
2610 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2613 SSL_shutdown(clientssl);
2614 SSL_shutdown(serverssl);
2620 SSL_free(serverssl);
2621 SSL_free(clientssl);
2624 clientssl = serverssl = NULL;
2633 #define USE_DEFAULT 3
2635 #define CONNTYPE_CONNECTION_SUCCESS 0
2636 #define CONNTYPE_CONNECTION_FAIL 1
2637 #define CONNTYPE_NO_CONNECTION 2
2639 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2640 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2641 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2642 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2644 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2647 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2648 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2649 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2651 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2668 * Tests calls to SSL_set_bio() under various conditions.
2670 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2671 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2672 * then do more tests where we create a successful connection first using our
2673 * standard connection setup functions, and then call SSL_set_bio() with
2674 * various combinations of valid BIOs or NULL. We then repeat these tests
2675 * following a failed connection. In this last case we are looking to check that
2676 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2678 static int test_ssl_set_bio(int idx)
2680 SSL_CTX *sctx = NULL, *cctx = NULL;
2683 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2684 SSL *serverssl = NULL, *clientssl = NULL;
2685 int initrbio, initwbio, newrbio, newwbio, conntype;
2688 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2696 conntype = CONNTYPE_NO_CONNECTION;
2698 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2699 initrbio = initwbio = USE_DEFAULT;
2707 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2708 TLS_client_method(), TLS1_VERSION, 0,
2709 &sctx, &cctx, cert, privkey)))
2712 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2714 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2715 * because we reduced the number of tests in the definition of
2716 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2717 * mismatched protocol versions we will force a connection failure.
2719 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2720 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2723 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2727 if (initrbio == USE_BIO_1
2728 || initwbio == USE_BIO_1
2729 || newrbio == USE_BIO_1
2730 || newwbio == USE_BIO_1) {
2731 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2735 if (initrbio == USE_BIO_2
2736 || initwbio == USE_BIO_2
2737 || newrbio == USE_BIO_2
2738 || newwbio == USE_BIO_2) {
2739 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2743 if (initrbio != USE_DEFAULT) {
2744 setupbio(&irbio, bio1, bio2, initrbio);
2745 setupbio(&iwbio, bio1, bio2, initwbio);
2746 SSL_set_bio(clientssl, irbio, iwbio);
2749 * We want to maintain our own refs to these BIO, so do an up ref for
2750 * each BIO that will have ownership transferred in the SSL_set_bio()
2755 if (iwbio != NULL && iwbio != irbio)
2759 if (conntype != CONNTYPE_NO_CONNECTION
2760 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2762 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2765 setupbio(&nrbio, bio1, bio2, newrbio);
2766 setupbio(&nwbio, bio1, bio2, newwbio);
2769 * We will (maybe) transfer ownership again so do more up refs.
2770 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2775 && (nwbio != iwbio || nrbio != nwbio))
2779 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2782 SSL_set_bio(clientssl, nrbio, nwbio);
2791 * This test is checking that the ref counting for SSL_set_bio is correct.
2792 * If we get here and we did too many frees then we will fail in the above
2795 SSL_free(serverssl);
2796 SSL_free(clientssl);
2802 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2804 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2806 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2811 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2812 || !TEST_ptr(ssl = SSL_new(ctx))
2813 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2814 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2817 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2820 * If anything goes wrong here then we could leak memory.
2822 BIO_push(sslbio, membio1);
2824 /* Verify changing the rbio/wbio directly does not cause leaks */
2825 if (change_bio != NO_BIO_CHANGE) {
2826 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2830 if (change_bio == CHANGE_RBIO)
2831 SSL_set0_rbio(ssl, membio2);
2833 SSL_set0_wbio(ssl, membio2);
2852 static int test_ssl_bio_pop_next_bio(void)
2854 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2857 static int test_ssl_bio_pop_ssl_bio(void)
2859 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2862 static int test_ssl_bio_change_rbio(void)
2864 return execute_test_ssl_bio(0, CHANGE_RBIO);
2867 static int test_ssl_bio_change_wbio(void)
2869 return execute_test_ssl_bio(0, CHANGE_WBIO);
2872 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2874 /* The list of sig algs */
2876 /* The length of the list */
2878 /* A sigalgs list in string format */
2879 const char *liststr;
2880 /* Whether setting the list should succeed */
2882 /* Whether creating a connection with the list should succeed */
2886 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2887 # ifndef OPENSSL_NO_EC
2888 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2889 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2891 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2892 static const int invalidlist2[] = {NID_sha256, NID_undef};
2893 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2894 static const int invalidlist4[] = {NID_sha256};
2895 static const sigalgs_list testsigalgs[] = {
2896 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2897 # ifndef OPENSSL_NO_EC
2898 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2899 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2901 {NULL, 0, "RSA+SHA256", 1, 1},
2902 # ifndef OPENSSL_NO_EC
2903 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2904 {NULL, 0, "ECDSA+SHA512", 1, 0},
2906 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2907 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2908 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2909 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2910 {NULL, 0, "RSA", 0, 0},
2911 {NULL, 0, "SHA256", 0, 0},
2912 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2913 {NULL, 0, "Invalid", 0, 0}
2916 static int test_set_sigalgs(int idx)
2918 SSL_CTX *cctx = NULL, *sctx = NULL;
2919 SSL *clientssl = NULL, *serverssl = NULL;
2921 const sigalgs_list *curr;
2924 /* Should never happen */
2925 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2928 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2929 curr = testctx ? &testsigalgs[idx]
2930 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2932 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2933 TLS_client_method(), TLS1_VERSION, 0,
2934 &sctx, &cctx, cert, privkey)))
2937 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2942 if (curr->list != NULL)
2943 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2945 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2949 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2955 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2960 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2961 &clientssl, NULL, NULL)))
2967 if (curr->list != NULL)
2968 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2970 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2973 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2982 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2990 SSL_free(serverssl);
2991 SSL_free(clientssl);
2999 #ifndef OSSL_NO_USABLE_TLS1_3
3000 static int psk_client_cb_cnt = 0;
3001 static int psk_server_cb_cnt = 0;
3003 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3004 size_t *idlen, SSL_SESSION **sess)
3006 switch (++use_session_cb_cnt) {
3008 /* The first call should always have a NULL md */
3014 /* The second call should always have an md */
3020 /* We should only be called a maximum of twice */
3024 if (clientpsk != NULL)
3025 SSL_SESSION_up_ref(clientpsk);
3028 *id = (const unsigned char *)pskid;
3029 *idlen = strlen(pskid);
3034 #ifndef OPENSSL_NO_PSK
3035 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3036 unsigned int max_id_len,
3038 unsigned int max_psk_len)
3040 unsigned int psklen = 0;
3042 psk_client_cb_cnt++;
3044 if (strlen(pskid) + 1 > max_id_len)
3047 /* We should only ever be called a maximum of twice per connection */
3048 if (psk_client_cb_cnt > 2)
3051 if (clientpsk == NULL)
3054 /* We'll reuse the PSK we set up for TLSv1.3 */
3055 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3057 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3058 strncpy(id, pskid, max_id_len);
3062 #endif /* OPENSSL_NO_PSK */
3064 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3065 size_t identity_len, SSL_SESSION **sess)
3067 find_session_cb_cnt++;
3069 /* We should only ever be called a maximum of twice per connection */
3070 if (find_session_cb_cnt > 2)
3073 if (serverpsk == NULL)
3076 /* Identity should match that set by the client */
3077 if (strlen(srvid) != identity_len
3078 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3079 /* No PSK found, continue but without a PSK */
3084 SSL_SESSION_up_ref(serverpsk);
3090 #ifndef OPENSSL_NO_PSK
3091 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3092 unsigned char *psk, unsigned int max_psk_len)
3094 unsigned int psklen = 0;
3096 psk_server_cb_cnt++;
3098 /* We should only ever be called a maximum of twice per connection */
3099 if (find_session_cb_cnt > 2)
3102 if (serverpsk == NULL)
3105 /* Identity should match that set by the client */
3106 if (strcmp(srvid, identity) != 0) {
3110 /* We'll reuse the PSK we set up for TLSv1.3 */
3111 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3113 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3117 #endif /* OPENSSL_NO_PSK */
3119 #define MSG1 "Hello"
3120 #define MSG2 "World."
3125 #define MSG7 "message."
3127 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3128 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3129 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3130 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3131 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3134 static SSL_SESSION *create_a_psk(SSL *ssl)
3136 const SSL_CIPHER *cipher = NULL;
3137 const unsigned char key[] = {
3138 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3139 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3140 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3141 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3142 0x2c, 0x2d, 0x2e, 0x2f
3144 SSL_SESSION *sess = NULL;
3146 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3147 sess = SSL_SESSION_new();
3149 || !TEST_ptr(cipher)
3150 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3152 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3154 SSL_SESSION_set_protocol_version(sess,
3156 SSL_SESSION_free(sess);
3163 * Helper method to setup objects for early data test. Caller frees objects on
3166 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3167 SSL **serverssl, SSL_SESSION **sess, int idx)
3170 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3171 TLS_client_method(),
3173 sctx, cctx, cert, privkey)))
3176 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3180 /* When idx == 1 we repeat the tests with read_ahead set */
3181 SSL_CTX_set_read_ahead(*cctx, 1);
3182 SSL_CTX_set_read_ahead(*sctx, 1);
3183 } else if (idx == 2) {
3184 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3185 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3186 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3187 use_session_cb_cnt = 0;
3188 find_session_cb_cnt = 0;
3192 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3197 * For one of the run throughs (doesn't matter which one), we'll try sending
3198 * some SNI data in the initial ClientHello. This will be ignored (because
3199 * there is no SNI cb set up by the server), so it should not impact
3203 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3207 clientpsk = create_a_psk(*clientssl);
3208 if (!TEST_ptr(clientpsk)
3210 * We just choose an arbitrary value for max_early_data which
3211 * should be big enough for testing purposes.
3213 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3215 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3216 SSL_SESSION_free(clientpsk);
3220 serverpsk = clientpsk;
3223 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3224 SSL_SESSION_free(clientpsk);
3225 SSL_SESSION_free(serverpsk);
3226 clientpsk = serverpsk = NULL;
3237 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3241 *sess = SSL_get1_session(*clientssl);
3242 SSL_shutdown(*clientssl);
3243 SSL_shutdown(*serverssl);
3244 SSL_free(*serverssl);
3245 SSL_free(*clientssl);
3246 *serverssl = *clientssl = NULL;
3248 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3249 clientssl, NULL, NULL))
3250 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3256 static int test_early_data_read_write(int idx)
3258 SSL_CTX *cctx = NULL, *sctx = NULL;
3259 SSL *clientssl = NULL, *serverssl = NULL;
3261 SSL_SESSION *sess = NULL;
3262 unsigned char buf[20], data[1024];
3263 size_t readbytes, written, eoedlen, rawread, rawwritten;
3266 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3267 &serverssl, &sess, idx)))
3270 /* Write and read some early data */
3271 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3273 || !TEST_size_t_eq(written, strlen(MSG1))
3274 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3275 sizeof(buf), &readbytes),
3276 SSL_READ_EARLY_DATA_SUCCESS)
3277 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3278 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3279 SSL_EARLY_DATA_ACCEPTED))
3283 * Server should be able to write data, and client should be able to
3286 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3288 || !TEST_size_t_eq(written, strlen(MSG2))
3289 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3290 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3293 /* Even after reading normal data, client should be able write early data */
3294 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3296 || !TEST_size_t_eq(written, strlen(MSG3)))
3299 /* Server should still be able read early data after writing data */
3300 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3302 SSL_READ_EARLY_DATA_SUCCESS)
3303 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3306 /* Write more data from server and read it from client */
3307 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3309 || !TEST_size_t_eq(written, strlen(MSG4))
3310 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3311 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3315 * If client writes normal data it should mean writing early data is no
3318 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3319 || !TEST_size_t_eq(written, strlen(MSG5))
3320 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3321 SSL_EARLY_DATA_ACCEPTED))
3325 * At this point the client has written EndOfEarlyData, ClientFinished and
3326 * normal (fully protected) data. We are going to cause a delay between the
3327 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3328 * in the read BIO, and then just put back the EndOfEarlyData message.
3330 rbio = SSL_get_rbio(serverssl);
3331 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3332 || !TEST_size_t_lt(rawread, sizeof(data))
3333 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3336 /* Record length is in the 4th and 5th bytes of the record header */
3337 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3338 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3339 || !TEST_size_t_eq(rawwritten, eoedlen))
3342 /* Server should be told that there is no more early data */
3343 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3345 SSL_READ_EARLY_DATA_FINISH)
3346 || !TEST_size_t_eq(readbytes, 0))
3350 * Server has not finished init yet, so should still be able to write early
3353 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3355 || !TEST_size_t_eq(written, strlen(MSG6)))
3358 /* Push the ClientFinished and the normal data back into the server rbio */
3359 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3361 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3364 /* Server should be able to read normal data */
3365 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3366 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3369 /* Client and server should not be able to write/read early data now */
3370 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3374 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3376 SSL_READ_EARLY_DATA_ERROR))
3380 /* Client should be able to read the data sent by the server */
3381 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3382 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3386 * Make sure we process the two NewSessionTickets. These arrive
3387 * post-handshake. We attempt reads which we do not expect to return any
3390 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3391 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3395 /* Server should be able to write normal data */
3396 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3397 || !TEST_size_t_eq(written, strlen(MSG7))
3398 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3399 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3402 SSL_SESSION_free(sess);
3403 sess = SSL_get1_session(clientssl);
3404 use_session_cb_cnt = 0;
3405 find_session_cb_cnt = 0;
3407 SSL_shutdown(clientssl);
3408 SSL_shutdown(serverssl);
3409 SSL_free(serverssl);
3410 SSL_free(clientssl);
3411 serverssl = clientssl = NULL;
3412 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3413 &clientssl, NULL, NULL))
3414 || !TEST_true(SSL_set_session(clientssl, sess)))
3417 /* Write and read some early data */
3418 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3420 || !TEST_size_t_eq(written, strlen(MSG1))
3421 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3423 SSL_READ_EARLY_DATA_SUCCESS)
3424 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3427 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3428 || !TEST_int_gt(SSL_accept(serverssl), 0))
3431 /* Client and server should not be able to write/read early data now */
3432 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3436 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3438 SSL_READ_EARLY_DATA_ERROR))
3442 /* Client and server should be able to write/read normal data */
3443 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3444 || !TEST_size_t_eq(written, strlen(MSG5))
3445 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3446 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3452 SSL_SESSION_free(sess);
3453 SSL_SESSION_free(clientpsk);
3454 SSL_SESSION_free(serverpsk);
3455 clientpsk = serverpsk = NULL;
3456 SSL_free(serverssl);
3457 SSL_free(clientssl);
3463 static int allow_ed_cb_called = 0;
3465 static int allow_early_data_cb(SSL *s, void *arg)
3467 int *usecb = (int *)arg;
3469 allow_ed_cb_called++;
3478 * idx == 0: Standard early_data setup
3479 * idx == 1: early_data setup using read_ahead
3480 * usecb == 0: Don't use a custom early data callback
3481 * usecb == 1: Use a custom early data callback and reject the early data
3482 * usecb == 2: Use a custom early data callback and accept the early data
3483 * confopt == 0: Configure anti-replay directly
3484 * confopt == 1: Configure anti-replay using SSL_CONF
3486 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3488 SSL_CTX *cctx = NULL, *sctx = NULL;
3489 SSL *clientssl = NULL, *serverssl = NULL;
3491 SSL_SESSION *sess = NULL;
3492 size_t readbytes, written;
3493 unsigned char buf[20];
3495 allow_ed_cb_called = 0;
3497 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3498 TLS_client_method(), TLS1_VERSION, 0,
3499 &sctx, &cctx, cert, privkey)))
3504 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3506 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3508 if (!TEST_ptr(confctx))
3510 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3511 | SSL_CONF_FLAG_SERVER);
3512 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3513 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3515 SSL_CONF_CTX_free(confctx);
3518 SSL_CONF_CTX_free(confctx);
3520 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3523 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3524 &serverssl, &sess, idx)))
3528 * The server is configured to accept early data. Create a connection to
3529 * "use up" the ticket
3531 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3532 || !TEST_true(SSL_session_reused(clientssl)))
3535 SSL_shutdown(clientssl);
3536 SSL_shutdown(serverssl);
3537 SSL_free(serverssl);
3538 SSL_free(clientssl);
3539 serverssl = clientssl = NULL;
3541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3542 &clientssl, NULL, NULL))
3543 || !TEST_true(SSL_set_session(clientssl, sess)))
3546 /* Write and read some early data */
3547 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3549 || !TEST_size_t_eq(written, strlen(MSG1)))
3553 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3555 SSL_READ_EARLY_DATA_FINISH)
3557 * The ticket was reused, so the we should have rejected the
3560 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3561 SSL_EARLY_DATA_REJECTED))
3564 /* In this case the callback decides to accept the early data */
3565 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3567 SSL_READ_EARLY_DATA_SUCCESS)
3568 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3570 * Server will have sent its flight so client can now send
3571 * end of early data and complete its half of the handshake
3573 || !TEST_int_gt(SSL_connect(clientssl), 0)
3574 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3576 SSL_READ_EARLY_DATA_FINISH)
3577 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3578 SSL_EARLY_DATA_ACCEPTED))
3582 /* Complete the connection */
3583 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3584 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3585 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3591 SSL_SESSION_free(sess);
3592 SSL_SESSION_free(clientpsk);
3593 SSL_SESSION_free(serverpsk);
3594 clientpsk = serverpsk = NULL;
3595 SSL_free(serverssl);
3596 SSL_free(clientssl);
3602 static int test_early_data_replay(int idx)
3604 int ret = 1, usecb, confopt;
3606 for (usecb = 0; usecb < 3; usecb++) {
3607 for (confopt = 0; confopt < 2; confopt++)
3608 ret &= test_early_data_replay_int(idx, usecb, confopt);
3615 * Helper function to test that a server attempting to read early data can
3616 * handle a connection from a client where the early data should be skipped.
3617 * testtype: 0 == No HRR
3618 * testtype: 1 == HRR
3619 * testtype: 2 == HRR, invalid early_data sent after HRR
3620 * testtype: 3 == recv_max_early_data set to 0
3622 static int early_data_skip_helper(int testtype, int idx)
3624 SSL_CTX *cctx = NULL, *sctx = NULL;
3625 SSL *clientssl = NULL, *serverssl = NULL;
3627 SSL_SESSION *sess = NULL;
3628 unsigned char buf[20];
3629 size_t readbytes, written;
3631 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3632 &serverssl, &sess, idx)))
3635 if (testtype == 1 || testtype == 2) {
3636 /* Force an HRR to occur */
3637 #if defined(OPENSSL_NO_EC)
3638 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3641 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3644 } else if (idx == 2) {
3646 * We force early_data rejection by ensuring the PSK identity is
3649 srvid = "Dummy Identity";
3652 * Deliberately corrupt the creation time. We take 20 seconds off the
3653 * time. It could be any value as long as it is not within tolerance.
3654 * This should mean the ticket is rejected.
3656 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3661 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3664 /* Write some early data */
3665 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3667 || !TEST_size_t_eq(written, strlen(MSG1)))
3670 /* Server should reject the early data */
3671 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3673 SSL_READ_EARLY_DATA_FINISH)
3674 || !TEST_size_t_eq(readbytes, 0)
3675 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3676 SSL_EARLY_DATA_REJECTED))
3686 * Finish off the handshake. We perform the same writes and reads as
3687 * further down but we expect them to fail due to the incomplete
3690 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3691 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3698 BIO *wbio = SSL_get_wbio(clientssl);
3699 /* A record that will appear as bad early_data */
3700 const unsigned char bad_early_data[] = {
3701 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3705 * We force the client to attempt a write. This will fail because
3706 * we're still in the handshake. It will cause the second
3707 * ClientHello to be sent.
3709 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3714 * Inject some early_data after the second ClientHello. This should
3715 * cause the server to fail
3717 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3718 sizeof(bad_early_data), &written)))
3725 * This client has sent more early_data than we are willing to skip
3726 * (case 3) or sent invalid early_data (case 2) so the connection should
3729 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3730 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3733 /* Connection has failed - nothing more to do */
3738 TEST_error("Invalid test type");
3743 * Should be able to send normal data despite rejection of early data. The
3744 * early_data should be skipped.
3746 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3747 || !TEST_size_t_eq(written, strlen(MSG2))
3748 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3749 SSL_EARLY_DATA_REJECTED)
3750 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3751 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3757 SSL_SESSION_free(clientpsk);
3758 SSL_SESSION_free(serverpsk);
3759 clientpsk = serverpsk = NULL;
3760 SSL_SESSION_free(sess);
3761 SSL_free(serverssl);
3762 SSL_free(clientssl);
3769 * Test that a server attempting to read early data can handle a connection
3770 * from a client where the early data is not acceptable.
3772 static int test_early_data_skip(int idx)
3774 return early_data_skip_helper(0, idx);
3778 * Test that a server attempting to read early data can handle a connection
3779 * from a client where an HRR occurs.
3781 static int test_early_data_skip_hrr(int idx)
3783 return early_data_skip_helper(1, idx);
3787 * Test that a server attempting to read early data can handle a connection
3788 * from a client where an HRR occurs and correctly fails if early_data is sent
3791 static int test_early_data_skip_hrr_fail(int idx)
3793 return early_data_skip_helper(2, idx);
3797 * Test that a server attempting to read early data will abort if it tries to
3798 * skip over too much.
3800 static int test_early_data_skip_abort(int idx)
3802 return early_data_skip_helper(3, idx);
3806 * Test that a server attempting to read early data can handle a connection
3807 * from a client that doesn't send any.
3809 static int test_early_data_not_sent(int idx)
3811 SSL_CTX *cctx = NULL, *sctx = NULL;
3812 SSL *clientssl = NULL, *serverssl = NULL;
3814 SSL_SESSION *sess = NULL;
3815 unsigned char buf[20];
3816 size_t readbytes, written;
3818 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3819 &serverssl, &sess, idx)))
3822 /* Write some data - should block due to handshake with server */
3823 SSL_set_connect_state(clientssl);
3824 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3827 /* Server should detect that early data has not been sent */
3828 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3830 SSL_READ_EARLY_DATA_FINISH)
3831 || !TEST_size_t_eq(readbytes, 0)
3832 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3833 SSL_EARLY_DATA_NOT_SENT)
3834 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3835 SSL_EARLY_DATA_NOT_SENT))
3838 /* Continue writing the message we started earlier */
3839 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3840 || !TEST_size_t_eq(written, strlen(MSG1))
3841 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3842 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3843 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3844 || !TEST_size_t_eq(written, strlen(MSG2)))
3847 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3848 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3854 SSL_SESSION_free(sess);
3855 SSL_SESSION_free(clientpsk);
3856 SSL_SESSION_free(serverpsk);
3857 clientpsk = serverpsk = NULL;
3858 SSL_free(serverssl);
3859 SSL_free(clientssl);
3865 static const char *servalpn;
3867 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3868 unsigned char *outlen, const unsigned char *in,
3869 unsigned int inlen, void *arg)
3871 unsigned int protlen = 0;
3872 const unsigned char *prot;
3874 for (prot = in; prot < in + inlen; prot += protlen) {
3876 if (in + inlen < prot + protlen)
3877 return SSL_TLSEXT_ERR_NOACK;
3879 if (protlen == strlen(servalpn)
3880 && memcmp(prot, servalpn, protlen) == 0) {
3883 return SSL_TLSEXT_ERR_OK;
3887 return SSL_TLSEXT_ERR_NOACK;
3890 /* Test that a PSK can be used to send early_data */
3891 static int test_early_data_psk(int idx)
3893 SSL_CTX *cctx = NULL, *sctx = NULL;
3894 SSL *clientssl = NULL, *serverssl = NULL;
3896 SSL_SESSION *sess = NULL;
3897 unsigned char alpnlist[] = {
3898 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3901 #define GOODALPNLEN 9
3902 #define BADALPNLEN 8
3903 #define GOODALPN (alpnlist)
3904 #define BADALPN (alpnlist + GOODALPNLEN)
3906 unsigned char buf[20];
3907 size_t readbytes, written;
3908 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3909 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3911 /* We always set this up with a final parameter of "2" for PSK */
3912 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3913 &serverssl, &sess, 2)))
3916 servalpn = "goodalpn";
3919 * Note: There is no test for inconsistent SNI with late client detection.
3920 * This is because servers do not acknowledge SNI even if they are using
3921 * it in a resumption handshake - so it is not actually possible for a
3922 * client to detect a problem.
3926 /* Set inconsistent SNI (early client detection) */
3927 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3928 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3929 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3934 /* Set inconsistent ALPN (early client detection) */
3935 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3936 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3937 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3939 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3946 * Set invalid protocol version. Technically this affects PSKs without
3947 * early_data too, but we test it here because it is similar to the
3948 * SNI/ALPN consistency tests.
3950 err = SSL_R_BAD_PSK;
3951 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3957 * Set inconsistent SNI (server side). In this case the connection
3958 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3959 * is associated with each handshake - not the session. Therefore it
3960 * should not matter that we used a different server name last time.
3962 SSL_SESSION_free(serverpsk);
3963 serverpsk = SSL_SESSION_dup(clientpsk);
3964 if (!TEST_ptr(serverpsk)
3965 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3969 /* Set consistent SNI */
3970 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3971 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3972 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3979 * Set inconsistent ALPN (server detected). In this case the connection
3980 * will succeed but reject early_data.
3982 servalpn = "badalpn";
3983 edstatus = SSL_EARLY_DATA_REJECTED;
3984 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3988 * Set consistent ALPN.
3989 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3990 * accepts a list of protos (each one length prefixed).
3991 * SSL_set1_alpn_selected accepts a single protocol (not length
3994 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3996 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4000 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4004 /* Set inconsistent ALPN (late client detection) */
4005 SSL_SESSION_free(serverpsk);
4006 serverpsk = SSL_SESSION_dup(clientpsk);
4007 if (!TEST_ptr(serverpsk)
4008 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4011 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4014 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4017 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4018 edstatus = SSL_EARLY_DATA_ACCEPTED;
4019 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4020 /* SSL_connect() call should fail */
4025 TEST_error("Bad test index");
4029 SSL_set_connect_state(clientssl);
4031 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4033 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4034 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4037 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4041 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4042 &readbytes), readearlyres)
4043 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4044 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4045 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4046 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4053 SSL_SESSION_free(sess);
4054 SSL_SESSION_free(clientpsk);
4055 SSL_SESSION_free(serverpsk);
4056 clientpsk = serverpsk = NULL;
4057 SSL_free(serverssl);
4058 SSL_free(clientssl);
4065 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4066 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4067 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4068 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4069 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4070 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4072 static int test_early_data_psk_with_all_ciphers(int idx)
4074 SSL_CTX *cctx = NULL, *sctx = NULL;
4075 SSL *clientssl = NULL, *serverssl = NULL;
4077 SSL_SESSION *sess = NULL;
4078 unsigned char buf[20];
4079 size_t readbytes, written;
4080 const SSL_CIPHER *cipher;
4081 const char *cipher_str[] = {
4082 TLS1_3_RFC_AES_128_GCM_SHA256,
4083 TLS1_3_RFC_AES_256_GCM_SHA384,
4084 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4085 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4089 TLS1_3_RFC_AES_128_CCM_SHA256,
4090 TLS1_3_RFC_AES_128_CCM_8_SHA256
4092 const unsigned char *cipher_bytes[] = {
4093 TLS13_AES_128_GCM_SHA256_BYTES,
4094 TLS13_AES_256_GCM_SHA384_BYTES,
4095 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4096 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4100 TLS13_AES_128_CCM_SHA256_BYTES,
4101 TLS13_AES_128_CCM_8_SHA256_BYTES
4104 if (cipher_str[idx] == NULL)
4106 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4107 if (idx == 2 && is_fips == 1)
4110 /* We always set this up with a final parameter of "2" for PSK */
4111 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4112 &serverssl, &sess, 2)))
4115 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4116 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4120 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4121 * and assigns to both client and server with incremented reference
4122 * and the same instance is updated in 'sess'.
4123 * So updating ciphersuite in 'sess' which will get reflected in
4124 * PSK handshake using psk use sess and find sess cb.
4126 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4127 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4130 SSL_set_connect_state(clientssl);
4131 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4135 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4137 SSL_READ_EARLY_DATA_SUCCESS)
4138 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4139 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4140 SSL_EARLY_DATA_ACCEPTED)
4141 || !TEST_int_eq(SSL_connect(clientssl), 1)
4142 || !TEST_int_eq(SSL_accept(serverssl), 1))
4145 /* Send some normal data from client to server */
4146 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4147 || !TEST_size_t_eq(written, strlen(MSG2)))
4150 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4151 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4156 SSL_SESSION_free(sess);
4157 SSL_SESSION_free(clientpsk);
4158 SSL_SESSION_free(serverpsk);
4159 clientpsk = serverpsk = NULL;
4160 if (clientssl != NULL)
4161 SSL_shutdown(clientssl);
4162 if (serverssl != NULL)
4163 SSL_shutdown(serverssl);
4164 SSL_free(serverssl);
4165 SSL_free(clientssl);
4172 * Test that a server that doesn't try to read early data can handle a
4173 * client sending some.
4175 static int test_early_data_not_expected(int idx)
4177 SSL_CTX *cctx = NULL, *sctx = NULL;
4178 SSL *clientssl = NULL, *serverssl = NULL;
4180 SSL_SESSION *sess = NULL;
4181 unsigned char buf[20];
4182 size_t readbytes, written;
4184 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4185 &serverssl, &sess, idx)))
4188 /* Write some early data */
4189 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4194 * Server should skip over early data and then block waiting for client to
4195 * continue handshake
4197 if (!TEST_int_le(SSL_accept(serverssl), 0)
4198 || !TEST_int_gt(SSL_connect(clientssl), 0)
4199 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4200 SSL_EARLY_DATA_REJECTED)
4201 || !TEST_int_gt(SSL_accept(serverssl), 0)
4202 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4203 SSL_EARLY_DATA_REJECTED))
4206 /* Send some normal data from client to server */
4207 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4208 || !TEST_size_t_eq(written, strlen(MSG2)))
4211 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4212 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4218 SSL_SESSION_free(sess);
4219 SSL_SESSION_free(clientpsk);
4220 SSL_SESSION_free(serverpsk);
4221 clientpsk = serverpsk = NULL;
4222 SSL_free(serverssl);
4223 SSL_free(clientssl);
4230 # ifndef OPENSSL_NO_TLS1_2
4232 * Test that a server attempting to read early data can handle a connection
4233 * from a TLSv1.2 client.
4235 static int test_early_data_tls1_2(int idx)
4237 SSL_CTX *cctx = NULL, *sctx = NULL;
4238 SSL *clientssl = NULL, *serverssl = NULL;
4240 unsigned char buf[20];
4241 size_t readbytes, written;
4243 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4244 &serverssl, NULL, idx)))
4247 /* Write some data - should block due to handshake with server */
4248 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4249 SSL_set_connect_state(clientssl);
4250 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4254 * Server should do TLSv1.2 handshake. First it will block waiting for more
4255 * messages from client after ServerDone. Then SSL_read_early_data should
4256 * finish and detect that early data has not been sent
4258 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4260 SSL_READ_EARLY_DATA_ERROR))
4264 * Continue writing the message we started earlier. Will still block waiting
4265 * for the CCS/Finished from server
4267 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4268 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4270 SSL_READ_EARLY_DATA_FINISH)
4271 || !TEST_size_t_eq(readbytes, 0)
4272 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4273 SSL_EARLY_DATA_NOT_SENT))
4276 /* Continue writing the message we started earlier */
4277 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4278 || !TEST_size_t_eq(written, strlen(MSG1))
4279 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4280 SSL_EARLY_DATA_NOT_SENT)
4281 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4282 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4283 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4284 || !TEST_size_t_eq(written, strlen(MSG2))
4285 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4286 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4292 SSL_SESSION_free(clientpsk);
4293 SSL_SESSION_free(serverpsk);
4294 clientpsk = serverpsk = NULL;
4295 SSL_free(serverssl);
4296 SSL_free(clientssl);
4302 # endif /* OPENSSL_NO_TLS1_2 */
4305 * Test configuring the TLSv1.3 ciphersuites
4307 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4308 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4309 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4310 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4311 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4312 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4313 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4314 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4315 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4316 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4318 static int test_set_ciphersuite(int idx)
4320 SSL_CTX *cctx = NULL, *sctx = NULL;
4321 SSL *clientssl = NULL, *serverssl = NULL;
4324 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4325 TLS_client_method(), TLS1_VERSION, 0,
4326 &sctx, &cctx, cert, privkey))
4327 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4328 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4331 if (idx >=4 && idx <= 7) {
4332 /* SSL_CTX explicit cipher list */
4333 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4337 if (idx == 0 || idx == 4) {
4338 /* Default ciphersuite */
4339 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4340 "TLS_AES_128_GCM_SHA256")))
4342 } else if (idx == 1 || idx == 5) {
4343 /* Non default ciphersuite */
4344 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4345 "TLS_AES_128_CCM_SHA256")))
4349 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4350 &clientssl, NULL, NULL)))
4353 if (idx == 8 || idx == 9) {
4354 /* SSL explicit cipher list */
4355 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4359 if (idx == 2 || idx == 6 || idx == 8) {
4360 /* Default ciphersuite */
4361 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4362 "TLS_AES_128_GCM_SHA256")))
4364 } else if (idx == 3 || idx == 7 || idx == 9) {
4365 /* Non default ciphersuite */
4366 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4367 "TLS_AES_128_CCM_SHA256")))
4371 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4377 SSL_free(serverssl);
4378 SSL_free(clientssl);
4385 static int test_ciphersuite_change(void)
4387 SSL_CTX *cctx = NULL, *sctx = NULL;
4388 SSL *clientssl = NULL, *serverssl = NULL;
4389 SSL_SESSION *clntsess = NULL;
4391 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4393 /* Create a session based on SHA-256 */
4394 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4395 TLS_client_method(), TLS1_VERSION, 0,
4396 &sctx, &cctx, cert, privkey))
4397 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4398 "TLS_AES_128_GCM_SHA256:"
4399 "TLS_AES_256_GCM_SHA384:"
4400 "TLS_AES_128_CCM_SHA256"))
4401 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4402 "TLS_AES_128_GCM_SHA256"))
4403 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4404 &clientssl, NULL, NULL))
4405 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4409 clntsess = SSL_get1_session(clientssl);
4410 /* Save for later */
4411 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4412 SSL_shutdown(clientssl);
4413 SSL_shutdown(serverssl);
4414 SSL_free(serverssl);
4415 SSL_free(clientssl);
4416 serverssl = clientssl = NULL;
4418 /* Check we can resume a session with a different SHA-256 ciphersuite */
4419 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4420 "TLS_AES_128_CCM_SHA256"))
4421 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4422 &clientssl, NULL, NULL))
4423 || !TEST_true(SSL_set_session(clientssl, clntsess))
4424 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4426 || !TEST_true(SSL_session_reused(clientssl)))
4429 SSL_SESSION_free(clntsess);
4430 clntsess = SSL_get1_session(clientssl);
4431 SSL_shutdown(clientssl);
4432 SSL_shutdown(serverssl);
4433 SSL_free(serverssl);
4434 SSL_free(clientssl);
4435 serverssl = clientssl = NULL;
4438 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4439 * succeeds but does not resume.
4441 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4442 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4444 || !TEST_true(SSL_set_session(clientssl, clntsess))
4445 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4447 || !TEST_false(SSL_session_reused(clientssl)))
4450 SSL_SESSION_free(clntsess);
4452 SSL_shutdown(clientssl);
4453 SSL_shutdown(serverssl);
4454 SSL_free(serverssl);
4455 SSL_free(clientssl);
4456 serverssl = clientssl = NULL;
4458 /* Create a session based on SHA384 */
4459 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4460 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4461 &clientssl, NULL, NULL))
4462 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4466 clntsess = SSL_get1_session(clientssl);
4467 SSL_shutdown(clientssl);
4468 SSL_shutdown(serverssl);
4469 SSL_free(serverssl);
4470 SSL_free(clientssl);
4471 serverssl = clientssl = NULL;
4473 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4474 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4475 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4476 "TLS_AES_256_GCM_SHA384"))
4477 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4479 || !TEST_true(SSL_set_session(clientssl, clntsess))
4481 * We use SSL_ERROR_WANT_READ below so that we can pause the
4482 * connection after the initial ClientHello has been sent to
4483 * enable us to make some session changes.
4485 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4486 SSL_ERROR_WANT_READ)))
4489 /* Trick the client into thinking this session is for a different digest */
4490 clntsess->cipher = aes_128_gcm_sha256;
4491 clntsess->cipher_id = clntsess->cipher->id;
4494 * Continue the previously started connection. Server has selected a SHA-384
4495 * ciphersuite, but client thinks the session is for SHA-256, so it should
4498 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4500 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4501 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4507 SSL_SESSION_free(clntsess);
4508 SSL_free(serverssl);
4509 SSL_free(clientssl);
4517 * Test TLSv1.3 Key exchange
4518 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4519 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4520 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4521 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4522 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4523 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4524 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4525 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4526 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4527 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4528 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4529 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4530 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4531 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4533 # ifndef OPENSSL_NO_EC
4534 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4535 NID_secp521r1, NID_X25519, NID_X448};
4537 # ifndef OPENSSL_NO_DH
4538 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4539 NID_ffdhe6144, NID_ffdhe8192};
4541 static int test_key_exchange(int idx)
4543 SSL_CTX *sctx = NULL, *cctx = NULL;
4544 SSL *serverssl = NULL, *clientssl = NULL;
4547 int *kexch_groups = &kexch_alg;
4548 int kexch_groups_size = 1;
4549 int max_version = TLS1_3_VERSION;
4550 char *kexch_name0 = NULL;
4553 # ifndef OPENSSL_NO_EC
4554 # ifndef OPENSSL_NO_TLS1_2
4556 max_version = TLS1_2_VERSION;
4560 kexch_groups = ecdhe_kexch_groups;
4561 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4562 kexch_name0 = "secp256r1";
4565 kexch_alg = NID_X9_62_prime256v1;
4566 kexch_name0 = "secp256r1";
4569 kexch_alg = NID_secp384r1;
4570 kexch_name0 = "secp384r1";
4573 kexch_alg = NID_secp521r1;
4574 kexch_name0 = "secp521r1";
4577 kexch_alg = NID_X25519;
4578 kexch_name0 = "x25519";
4581 kexch_alg = NID_X448;
4582 kexch_name0 = "x448";
4585 # ifndef OPENSSL_NO_DH
4586 # ifndef OPENSSL_NO_TLS1_2
4588 max_version = TLS1_2_VERSION;
4589 kexch_name0 = "ffdhe2048";
4593 kexch_groups = ffdhe_kexch_groups;
4594 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4595 kexch_name0 = "ffdhe2048";
4598 kexch_alg = NID_ffdhe2048;
4599 kexch_name0 = "ffdhe2048";
4602 kexch_alg = NID_ffdhe3072;
4603 kexch_name0 = "ffdhe3072";
4606 kexch_alg = NID_ffdhe4096;
4607 kexch_name0 = "ffdhe4096";
4610 kexch_alg = NID_ffdhe6144;
4611 kexch_name0 = "ffdhe6144";
4614 kexch_alg = NID_ffdhe8192;
4615 kexch_name0 = "ffdhe8192";
4619 /* We're skipping this test */
4623 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4624 TLS_client_method(), TLS1_VERSION,
4625 max_version, &sctx, &cctx, cert,
4629 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4630 TLS1_3_RFC_AES_128_GCM_SHA256)))
4633 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4634 TLS1_3_RFC_AES_128_GCM_SHA256)))
4637 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4638 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4639 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4640 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4644 * Must include an EC ciphersuite so that we send supported groups in
4647 # ifndef OPENSSL_NO_TLS1_2
4648 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4649 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4650 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4654 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4658 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4659 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4662 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4666 * If Handshake succeeds the negotiated kexch alg should be the first one in
4667 * configured, except in the case of FFDHE groups (idx 13), which are
4668 * TLSv1.3 only so we expect no shared group to exist.
4670 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4671 idx == 13 ? 0 : kexch_groups[0]))
4674 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4678 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4680 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4682 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4688 SSL_free(serverssl);
4689 SSL_free(clientssl);
4695 # if !defined(OPENSSL_NO_TLS1_2) \
4696 && !defined(OPENSSL_NO_EC) \
4697 && !defined(OPENSSL_NO_DH)
4698 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4699 int isecdhe, int idx)
4702 int *kexch_groups = &kexch_alg;
4705 numec = OSSL_NELEM(ecdhe_kexch_groups);
4706 numff = OSSL_NELEM(ffdhe_kexch_groups);
4708 kexch_alg = ecdhe_kexch_groups[idx];
4710 kexch_alg = ffdhe_kexch_groups[idx];
4713 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4716 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4720 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4725 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4728 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4732 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4741 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4742 * Run through both the ECDHE and FFDHE group lists used in the previous
4743 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4744 * confirming the expected result; then perform a resumption handshake
4745 * while offering the same group list, and another resumption handshake
4746 * offering a different group list. The returned value should be the
4747 * negotiated group for the initial handshake; for TLS 1.3 resumption
4748 * handshakes the returned value will be negotiated on the resumption
4749 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4750 * be cached in the session from the original handshake, regardless of what
4751 * was offered in the resumption ClientHello.
4753 * Using E for the number of EC groups and F for the number of FF groups:
4754 * E tests of ECDHE with TLS 1.3, server only has one group
4755 * F tests of FFDHE with TLS 1.3, server only has one group
4756 * E tests of ECDHE with TLS 1.2, server only has one group
4757 * F tests of FFDHE with TLS 1.2, server only has one group
4758 * E tests of ECDHE with TLS 1.3, client sends only one group
4759 * F tests of FFDHE with TLS 1.3, client sends only one group
4760 * E tests of ECDHE with TLS 1.2, client sends only one group
4761 * F tests of FFDHE with TLS 1.2, client sends only one group
4763 static int test_negotiated_group(int idx)
4765 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4767 SSL_CTX *sctx = NULL, *cctx = NULL;
4768 SSL *serverssl = NULL, *clientssl = NULL;
4769 SSL_SESSION *origsess = NULL;
4772 int max_version = TLS1_3_VERSION;
4774 numec = OSSL_NELEM(ecdhe_kexch_groups);
4775 numff = OSSL_NELEM(ffdhe_kexch_groups);
4776 numgroups = numec + numff;
4777 clientmulti = (idx < 2 * numgroups);
4778 idx = idx % (2 * numgroups);
4779 istls13 = (idx < numgroups);
4780 idx = idx % numgroups;
4781 isecdhe = (idx < numec);
4784 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4786 kexch_alg = ecdhe_kexch_groups[idx];
4788 kexch_alg = ffdhe_kexch_groups[idx];
4789 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4790 if (!istls13 && !isecdhe)
4791 expectednid = NID_undef;
4793 expectednid = kexch_alg;
4796 max_version = TLS1_2_VERSION;
4798 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4799 TLS_client_method(), TLS1_VERSION,
4800 max_version, &sctx, &cctx, cert,
4805 * Force (EC)DHE ciphers for TLS 1.2.
4806 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4808 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4809 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4810 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4811 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4813 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4814 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4815 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4818 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4822 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4826 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4829 /* Initial handshake; always the configured one */
4830 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4831 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4834 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4837 SSL_shutdown(clientssl);
4838 SSL_shutdown(serverssl);
4839 SSL_free(serverssl);
4840 SSL_free(clientssl);
4841 serverssl = clientssl = NULL;
4843 /* First resumption attempt; use the same config as initial handshake */
4844 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4846 || !TEST_true(SSL_set_session(clientssl, origsess))
4847 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4851 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4852 || !TEST_true(SSL_session_reused(clientssl)))
4855 /* Still had better agree, since nothing changed... */
4856 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4857 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4860 SSL_shutdown(clientssl);
4861 SSL_shutdown(serverssl);
4862 SSL_free(serverssl);
4863 SSL_free(clientssl);
4864 serverssl = clientssl = NULL;
4867 * Second resumption attempt
4868 * The party that picks one group changes it, which we effectuate by
4869 * changing 'idx' and updating what we expect.
4877 expectednid = ecdhe_kexch_groups[idx];
4879 expectednid = ffdhe_kexch_groups[idx];
4880 /* Verify that we are changing what we expect. */
4881 if (!TEST_int_ne(expectednid, kexch_alg))
4884 /* TLS 1.2 only supports named groups for ECDHE. */
4886 expectednid = kexch_alg;
4890 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4892 || !TEST_true(SSL_set_session(clientssl, origsess))
4893 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4897 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4898 || !TEST_true(SSL_session_reused(clientssl)))
4901 /* Check that we get what we expected */
4902 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4903 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4908 SSL_free(serverssl);
4909 SSL_free(clientssl);
4912 SSL_SESSION_free(origsess);
4915 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4918 * Test TLSv1.3 Cipher Suite
4919 * Test 0 = Set TLS1.3 cipher on context
4920 * Test 1 = Set TLS1.3 cipher on SSL
4921 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4922 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4924 static int test_tls13_ciphersuite(int idx)
4926 SSL_CTX *sctx = NULL, *cctx = NULL;
4927 SSL *serverssl = NULL, *clientssl = NULL;
4928 static const struct {
4929 const char *ciphername;
4932 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4933 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4934 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4935 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4936 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4937 { TLS1_3_RFC_AES_256_GCM_SHA384
4938 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4940 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4942 const char *t13_cipher = NULL;
4943 const char *t12_cipher = NULL;
4944 const char *negotiated_scipher;
4945 const char *negotiated_ccipher;
4961 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4965 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4969 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4970 # ifdef OPENSSL_NO_TLS1_2
4971 if (max_ver == TLS1_2_VERSION)
4974 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4975 if (is_fips && !t13_ciphers[i].fipscapable)
4977 t13_cipher = t13_ciphers[i].ciphername;
4978 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4979 TLS_client_method(),
4980 TLS1_VERSION, max_ver,
4981 &sctx, &cctx, cert, privkey)))
4985 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4986 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4988 if (t12_cipher != NULL) {
4989 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4990 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4996 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4997 &clientssl, NULL, NULL)))
5001 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5002 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5004 if (t12_cipher != NULL) {
5005 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5006 || !TEST_true(SSL_set_cipher_list(clientssl,
5012 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5016 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5018 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5020 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5024 * TEST_strn_eq is used below because t13_cipher can contain
5025 * multiple ciphersuites
5027 if (max_ver == TLS1_3_VERSION
5028 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5029 strlen(negotiated_scipher)))
5032 # ifndef OPENSSL_NO_TLS1_2
5033 /* Below validation is not done when t12_cipher is NULL */
5034 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5035 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5039 SSL_free(serverssl);
5041 SSL_free(clientssl);
5052 SSL_free(serverssl);
5053 SSL_free(clientssl);
5061 * Test 0 = Test new style callbacks
5062 * Test 1 = Test both new and old style callbacks
5063 * Test 2 = Test old style callbacks
5064 * Test 3 = Test old style callbacks with no certificate
5066 static int test_tls13_psk(int idx)
5068 SSL_CTX *sctx = NULL, *cctx = NULL;
5069 SSL *serverssl = NULL, *clientssl = NULL;
5070 const SSL_CIPHER *cipher = NULL;
5071 const unsigned char key[] = {
5072 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5073 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5074 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5075 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5079 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5080 TLS_client_method(), TLS1_VERSION, 0,
5081 &sctx, &cctx, idx == 3 ? NULL : cert,
5082 idx == 3 ? NULL : privkey)))
5087 * We use a ciphersuite with SHA256 to ease testing old style PSK
5088 * callbacks which will always default to SHA256. This should not be
5089 * necessary if we have no cert/priv key. In that case the server should
5090 * prefer SHA256 automatically.
5092 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5093 "TLS_AES_128_GCM_SHA256")))
5097 * As noted above the server should prefer SHA256 automatically. However
5098 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5099 * code works even if we are testing with only the FIPS provider loaded.
5101 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5102 "TLS_AES_256_GCM_SHA384:"
5103 "TLS_AES_128_GCM_SHA256")))
5108 * Test 0: New style callbacks only
5109 * Test 1: New and old style callbacks (only the new ones should be used)
5110 * Test 2: Old style callbacks only
5112 if (idx == 0 || idx == 1) {
5113 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5114 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5116 #ifndef OPENSSL_NO_PSK
5118 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5119 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5123 use_session_cb_cnt = 0;
5124 find_session_cb_cnt = 0;
5125 psk_client_cb_cnt = 0;
5126 psk_server_cb_cnt = 0;
5130 * Check we can create a connection if callback decides not to send a
5133 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5135 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5137 || !TEST_false(SSL_session_reused(clientssl))
5138 || !TEST_false(SSL_session_reused(serverssl)))
5141 if (idx == 0 || idx == 1) {
5142 if (!TEST_true(use_session_cb_cnt == 1)
5143 || !TEST_true(find_session_cb_cnt == 0)
5145 * If no old style callback then below should be 0
5148 || !TEST_true(psk_client_cb_cnt == idx)
5149 || !TEST_true(psk_server_cb_cnt == 0))
5152 if (!TEST_true(use_session_cb_cnt == 0)
5153 || !TEST_true(find_session_cb_cnt == 0)
5154 || !TEST_true(psk_client_cb_cnt == 1)
5155 || !TEST_true(psk_server_cb_cnt == 0))
5159 shutdown_ssl_connection(serverssl, clientssl);
5160 serverssl = clientssl = NULL;
5161 use_session_cb_cnt = psk_client_cb_cnt = 0;
5164 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5168 /* Create the PSK */
5169 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5170 clientpsk = SSL_SESSION_new();
5171 if (!TEST_ptr(clientpsk)
5172 || !TEST_ptr(cipher)
5173 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5175 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5176 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5178 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5180 serverpsk = clientpsk;
5182 /* Check we can create a connection and the PSK is used */
5183 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5184 || !TEST_true(SSL_session_reused(clientssl))
5185 || !TEST_true(SSL_session_reused(serverssl)))
5188 if (idx == 0 || idx == 1) {
5189 if (!TEST_true(use_session_cb_cnt == 1)
5190 || !TEST_true(find_session_cb_cnt == 1)
5191 || !TEST_true(psk_client_cb_cnt == 0)
5192 || !TEST_true(psk_server_cb_cnt == 0))
5195 if (!TEST_true(use_session_cb_cnt == 0)
5196 || !TEST_true(find_session_cb_cnt == 0)
5197 || !TEST_true(psk_client_cb_cnt == 1)
5198 || !TEST_true(psk_server_cb_cnt == 1))
5202 shutdown_ssl_connection(serverssl, clientssl);
5203 serverssl = clientssl = NULL;
5204 use_session_cb_cnt = find_session_cb_cnt = 0;
5205 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5207 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5212 #if defined(OPENSSL_NO_EC)
5213 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5216 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5221 * Check we can create a connection, the PSK is used and the callbacks are
5224 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5225 || !TEST_true(SSL_session_reused(clientssl))
5226 || !TEST_true(SSL_session_reused(serverssl)))
5229 if (idx == 0 || idx == 1) {
5230 if (!TEST_true(use_session_cb_cnt == 2)
5231 || !TEST_true(find_session_cb_cnt == 2)
5232 || !TEST_true(psk_client_cb_cnt == 0)
5233 || !TEST_true(psk_server_cb_cnt == 0))
5236 if (!TEST_true(use_session_cb_cnt == 0)
5237 || !TEST_true(find_session_cb_cnt == 0)
5238 || !TEST_true(psk_client_cb_cnt == 2)
5239 || !TEST_true(psk_server_cb_cnt == 2))
5243 shutdown_ssl_connection(serverssl, clientssl);
5244 serverssl = clientssl = NULL;
5245 use_session_cb_cnt = find_session_cb_cnt = 0;
5246 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5250 * Check that if the server rejects the PSK we can still connect, but with
5253 srvid = "Dummy Identity";
5254 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5256 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5258 || !TEST_false(SSL_session_reused(clientssl))
5259 || !TEST_false(SSL_session_reused(serverssl)))
5262 if (idx == 0 || idx == 1) {
5263 if (!TEST_true(use_session_cb_cnt == 1)
5264 || !TEST_true(find_session_cb_cnt == 1)
5265 || !TEST_true(psk_client_cb_cnt == 0)
5267 * If no old style callback then below should be 0
5270 || !TEST_true(psk_server_cb_cnt == idx))
5273 if (!TEST_true(use_session_cb_cnt == 0)
5274 || !TEST_true(find_session_cb_cnt == 0)
5275 || !TEST_true(psk_client_cb_cnt == 1)
5276 || !TEST_true(psk_server_cb_cnt == 1))
5280 shutdown_ssl_connection(serverssl, clientssl);
5281 serverssl = clientssl = NULL;
5286 SSL_SESSION_free(clientpsk);
5287 SSL_SESSION_free(serverpsk);
5288 clientpsk = serverpsk = NULL;
5289 SSL_free(serverssl);
5290 SSL_free(clientssl);
5296 static unsigned char cookie_magic_value[] = "cookie magic";
5298 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5299 unsigned int *cookie_len)
5302 * Not suitable as a real cookie generation function but good enough for
5305 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5306 *cookie_len = sizeof(cookie_magic_value) - 1;
5311 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5312 unsigned int cookie_len)
5314 if (cookie_len == sizeof(cookie_magic_value) - 1
5315 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5321 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5325 int res = generate_cookie_callback(ssl, cookie, &temp);
5330 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5333 return verify_cookie_callback(ssl, cookie, cookie_len);
5336 static int test_stateless(void)
5338 SSL_CTX *sctx = NULL, *cctx = NULL;
5339 SSL *serverssl = NULL, *clientssl = NULL;
5342 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5343 TLS_client_method(), TLS1_VERSION, 0,
5344 &sctx, &cctx, cert, privkey)))
5347 /* The arrival of CCS messages can confuse the test */
5348 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5350 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5352 /* Send the first ClientHello */
5353 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5354 SSL_ERROR_WANT_READ))
5356 * This should fail with a -1 return because we have no callbacks
5359 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5362 /* Fatal error so abandon the connection from this client */
5363 SSL_free(clientssl);
5366 /* Set up the cookie generation and verification callbacks */
5367 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5368 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5371 * Create a new connection from the client (we can reuse the server SSL
5374 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5376 /* Send the first ClientHello */
5377 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5378 SSL_ERROR_WANT_READ))
5379 /* This should fail because there is no cookie */
5380 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5383 /* Abandon the connection from this client */
5384 SSL_free(clientssl);
5388 * Now create a connection from a new client but with the same server SSL
5391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5393 /* Send the first ClientHello */
5394 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5395 SSL_ERROR_WANT_READ))
5396 /* This should fail because there is no cookie */
5397 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5398 /* Send the second ClientHello */
5399 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5400 SSL_ERROR_WANT_READ))
5401 /* This should succeed because a cookie is now present */
5402 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5403 /* Complete the connection */
5404 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5408 shutdown_ssl_connection(serverssl, clientssl);
5409 serverssl = clientssl = NULL;
5413 SSL_free(serverssl);
5414 SSL_free(clientssl);
5420 #endif /* OSSL_NO_USABLE_TLS1_3 */
5422 static int clntaddoldcb = 0;
5423 static int clntparseoldcb = 0;
5424 static int srvaddoldcb = 0;
5425 static int srvparseoldcb = 0;
5426 static int clntaddnewcb = 0;
5427 static int clntparsenewcb = 0;
5428 static int srvaddnewcb = 0;
5429 static int srvparsenewcb = 0;
5430 static int snicb = 0;
5432 #define TEST_EXT_TYPE1 0xff00
5434 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5435 size_t *outlen, int *al, void *add_arg)
5437 int *server = (int *)add_arg;
5438 unsigned char *data;
5440 if (SSL_is_server(s))
5445 if (*server != SSL_is_server(s)
5446 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5451 *outlen = sizeof(char);
5455 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5458 OPENSSL_free((unsigned char *)out);
5461 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5462 size_t inlen, int *al, void *parse_arg)
5464 int *server = (int *)parse_arg;
5466 if (SSL_is_server(s))
5471 if (*server != SSL_is_server(s)
5472 || inlen != sizeof(char)
5479 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5480 const unsigned char **out, size_t *outlen, X509 *x,
5481 size_t chainidx, int *al, void *add_arg)
5483 int *server = (int *)add_arg;
5484 unsigned char *data;
5486 if (SSL_is_server(s))
5491 if (*server != SSL_is_server(s)
5492 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5497 *outlen = sizeof(*data);
5501 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5502 const unsigned char *out, void *add_arg)
5504 OPENSSL_free((unsigned char *)out);
5507 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5508 const unsigned char *in, size_t inlen, X509 *x,
5509 size_t chainidx, int *al, void *parse_arg)
5511 int *server = (int *)parse_arg;
5513 if (SSL_is_server(s))
5518 if (*server != SSL_is_server(s)
5519 || inlen != sizeof(char) || *in != 1)
5525 static int sni_cb(SSL *s, int *al, void *arg)
5527 SSL_CTX *ctx = (SSL_CTX *)arg;
5529 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5530 *al = SSL_AD_INTERNAL_ERROR;
5531 return SSL_TLSEXT_ERR_ALERT_FATAL;
5534 return SSL_TLSEXT_ERR_OK;
5538 * Custom call back tests.
5539 * Test 0: Old style callbacks in TLSv1.2
5540 * Test 1: New style callbacks in TLSv1.2
5541 * Test 2: New style callbacks in TLSv1.2 with SNI
5542 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5543 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5545 static int test_custom_exts(int tst)
5547 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5548 SSL *clientssl = NULL, *serverssl = NULL;
5550 static int server = 1;
5551 static int client = 0;
5552 SSL_SESSION *sess = NULL;
5553 unsigned int context;
5555 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5556 /* Skip tests for TLSv1.2 and below in this case */
5561 /* Reset callback counters */
5562 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5563 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5566 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5567 TLS_client_method(), TLS1_VERSION, 0,
5568 &sctx, &cctx, cert, privkey)))
5572 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5574 &sctx2, NULL, cert, privkey)))
5579 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5580 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5582 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5586 context = SSL_EXT_CLIENT_HELLO
5587 | SSL_EXT_TLS1_2_SERVER_HELLO
5588 | SSL_EXT_TLS1_3_SERVER_HELLO
5589 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5590 | SSL_EXT_TLS1_3_CERTIFICATE
5591 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5593 context = SSL_EXT_CLIENT_HELLO
5594 | SSL_EXT_TLS1_2_SERVER_HELLO
5595 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5598 /* Create a client side custom extension */
5600 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5601 old_add_cb, old_free_cb,
5602 &client, old_parse_cb,
5606 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5607 new_add_cb, new_free_cb,
5608 &client, new_parse_cb, &client)))
5612 /* Should not be able to add duplicates */
5613 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5614 old_add_cb, old_free_cb,
5615 &client, old_parse_cb,
5617 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5618 context, new_add_cb,
5619 new_free_cb, &client,
5620 new_parse_cb, &client)))
5623 /* Create a server side custom extension */
5625 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5626 old_add_cb, old_free_cb,
5627 &server, old_parse_cb,
5631 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5632 new_add_cb, new_free_cb,
5633 &server, new_parse_cb, &server)))
5636 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5637 context, new_add_cb,
5638 new_free_cb, &server,
5639 new_parse_cb, &server)))
5643 /* Should not be able to add duplicates */
5644 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5645 old_add_cb, old_free_cb,
5646 &server, old_parse_cb,
5648 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5649 context, new_add_cb,
5650 new_free_cb, &server,
5651 new_parse_cb, &server)))
5656 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5657 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5661 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5662 &clientssl, NULL, NULL))
5663 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5668 if (clntaddoldcb != 1
5669 || clntparseoldcb != 1
5671 || srvparseoldcb != 1)
5673 } else if (tst == 1 || tst == 2 || tst == 3) {
5674 if (clntaddnewcb != 1
5675 || clntparsenewcb != 1
5677 || srvparsenewcb != 1
5678 || (tst != 2 && snicb != 0)
5679 || (tst == 2 && snicb != 1))
5682 /* In this case there 2 NewSessionTicket messages created */
5683 if (clntaddnewcb != 1
5684 || clntparsenewcb != 5
5686 || srvparsenewcb != 1)
5690 sess = SSL_get1_session(clientssl);
5691 SSL_shutdown(clientssl);
5692 SSL_shutdown(serverssl);
5693 SSL_free(serverssl);
5694 SSL_free(clientssl);
5695 serverssl = clientssl = NULL;
5698 /* We don't bother with the resumption aspects for this test */
5703 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5705 || !TEST_true(SSL_set_session(clientssl, sess))
5706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5711 * For a resumed session we expect to add the ClientHello extension. For the
5712 * old style callbacks we ignore it on the server side because they set
5713 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5717 if (clntaddoldcb != 2
5718 || clntparseoldcb != 1
5720 || srvparseoldcb != 1)
5722 } else if (tst == 1 || tst == 2 || tst == 3) {
5723 if (clntaddnewcb != 2
5724 || clntparsenewcb != 2
5726 || srvparsenewcb != 2)
5730 * No Certificate message extensions in the resumption handshake,
5731 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5733 if (clntaddnewcb != 2
5734 || clntparsenewcb != 8
5736 || srvparsenewcb != 2)
5743 SSL_SESSION_free(sess);
5744 SSL_free(serverssl);
5745 SSL_free(clientssl);
5746 SSL_CTX_free(sctx2);
5753 * Test loading of serverinfo data in various formats. test_sslmessages actually
5754 * tests to make sure the extensions appear in the handshake
5756 static int test_serverinfo(int tst)
5758 unsigned int version;
5759 unsigned char *sibuf;
5761 int ret, expected, testresult = 0;
5764 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5768 if ((tst & 0x01) == 0x01)
5769 version = SSL_SERVERINFOV2;
5771 version = SSL_SERVERINFOV1;
5773 if ((tst & 0x02) == 0x02) {
5774 sibuf = serverinfov2;
5775 sibuflen = sizeof(serverinfov2);
5776 expected = (version == SSL_SERVERINFOV2);
5778 sibuf = serverinfov1;
5779 sibuflen = sizeof(serverinfov1);
5780 expected = (version == SSL_SERVERINFOV1);
5783 if ((tst & 0x04) == 0x04) {
5784 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5786 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5789 * The version variable is irrelevant in this case - it's what is in the
5790 * buffer that matters
5792 if ((tst & 0x02) == 0x02)
5798 if (!TEST_true(ret == expected))
5810 * Test that SSL_export_keying_material() produces expected results. There are
5811 * no test vectors so all we do is test that both sides of the communication
5812 * produce the same results for different protocol versions.
5814 #define SMALL_LABEL_LEN 10
5815 #define LONG_LABEL_LEN 249
5816 static int test_export_key_mat(int tst)
5819 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5820 SSL *clientssl = NULL, *serverssl = NULL;
5821 const char label[LONG_LABEL_LEN + 1] = "test label";
5822 const unsigned char context[] = "context";
5823 const unsigned char *emptycontext = NULL;
5824 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5825 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5827 const int protocols[] = {
5836 #ifdef OPENSSL_NO_TLS1
5840 #ifdef OPENSSL_NO_TLS1_1
5844 if (is_fips && (tst == 0 || tst == 1))
5846 #ifdef OPENSSL_NO_TLS1_2
5850 #ifdef OSSL_NO_USABLE_TLS1_3
5854 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5855 TLS_client_method(), TLS1_VERSION, 0,
5856 &sctx, &cctx, cert, privkey)))
5859 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5860 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5861 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5862 if ((protocols[tst] < TLS1_2_VERSION) &&
5863 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5864 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5867 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5872 * Premature call of SSL_export_keying_material should just fail.
5874 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5875 sizeof(ckeymat1), label,
5876 SMALL_LABEL_LEN + 1, context,
5877 sizeof(context) - 1, 1), 0))
5880 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5886 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5889 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5890 sizeof(ckeymat1), label,
5891 LONG_LABEL_LEN + 1, context,
5892 sizeof(context) - 1, 1), 0))
5897 } else if (tst == 4) {
5898 labellen = LONG_LABEL_LEN;
5900 labellen = SMALL_LABEL_LEN;
5903 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5904 sizeof(ckeymat1), label,
5906 sizeof(context) - 1, 1), 1)
5907 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5908 sizeof(ckeymat2), label,
5912 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5913 sizeof(ckeymat3), label,
5916 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5917 sizeof(skeymat1), label,
5920 sizeof(context) -1, 1),
5922 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5923 sizeof(skeymat2), label,
5927 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5928 sizeof(skeymat3), label,
5932 * Check that both sides created the same key material with the
5935 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5938 * Check that both sides created the same key material with an
5941 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5944 * Check that both sides created the same key material without a
5947 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5949 /* Different contexts should produce different results */
5950 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5955 * Check that an empty context and no context produce different results in
5956 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5958 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5960 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5967 SSL_free(serverssl);
5968 SSL_free(clientssl);
5969 SSL_CTX_free(sctx2);
5976 #ifndef OSSL_NO_USABLE_TLS1_3
5978 * Test that SSL_export_keying_material_early() produces expected
5979 * results. There are no test vectors so all we do is test that both
5980 * sides of the communication produce the same results for different
5981 * protocol versions.
5983 static int test_export_key_mat_early(int idx)
5985 static const char label[] = "test label";
5986 static const unsigned char context[] = "context";
5988 SSL_CTX *cctx = NULL, *sctx = NULL;
5989 SSL *clientssl = NULL, *serverssl = NULL;
5990 SSL_SESSION *sess = NULL;
5991 const unsigned char *emptycontext = NULL;
5992 unsigned char ckeymat1[80], ckeymat2[80];
5993 unsigned char skeymat1[80], skeymat2[80];
5994 unsigned char buf[1];
5995 size_t readbytes, written;
5997 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6001 /* Here writing 0 length early data is enough. */
6002 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6003 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6005 SSL_READ_EARLY_DATA_ERROR)
6006 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6007 SSL_EARLY_DATA_ACCEPTED))
6010 if (!TEST_int_eq(SSL_export_keying_material_early(
6011 clientssl, ckeymat1, sizeof(ckeymat1), label,
6012 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6013 || !TEST_int_eq(SSL_export_keying_material_early(
6014 clientssl, ckeymat2, sizeof(ckeymat2), label,
6015 sizeof(label) - 1, emptycontext, 0), 1)
6016 || !TEST_int_eq(SSL_export_keying_material_early(
6017 serverssl, skeymat1, sizeof(skeymat1), label,
6018 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6019 || !TEST_int_eq(SSL_export_keying_material_early(
6020 serverssl, skeymat2, sizeof(skeymat2), label,
6021 sizeof(label) - 1, emptycontext, 0), 1)
6023 * Check that both sides created the same key material with the
6026 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6029 * Check that both sides created the same key material with an
6032 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6034 /* Different contexts should produce different results */
6035 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6042 SSL_SESSION_free(sess);
6043 SSL_SESSION_free(clientpsk);
6044 SSL_SESSION_free(serverpsk);
6045 clientpsk = serverpsk = NULL;
6046 SSL_free(serverssl);
6047 SSL_free(clientssl);
6054 #define NUM_KEY_UPDATE_MESSAGES 40
6058 static int test_key_update(void)
6060 SSL_CTX *cctx = NULL, *sctx = NULL;
6061 SSL *clientssl = NULL, *serverssl = NULL;
6062 int testresult = 0, i, j;
6064 static char *mess = "A test message";
6066 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6067 TLS_client_method(),
6070 &sctx, &cctx, cert, privkey))
6071 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6073 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6077 for (j = 0; j < 2; j++) {
6078 /* Send lots of KeyUpdate messages */
6079 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6080 if (!TEST_true(SSL_key_update(clientssl,
6082 ? SSL_KEY_UPDATE_NOT_REQUESTED
6083 : SSL_KEY_UPDATE_REQUESTED))
6084 || !TEST_true(SSL_do_handshake(clientssl)))
6088 /* Check that sending and receiving app data is ok */
6089 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6090 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6094 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6095 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6103 SSL_free(serverssl);
6104 SSL_free(clientssl);
6112 * Test we can handle a KeyUpdate (update requested) message while
6113 * write data is pending in peer.
6114 * Test 0: Client sends KeyUpdate while Server is writing
6115 * Test 1: Server sends KeyUpdate while Client is writing
6117 static int test_key_update_peer_in_write(int tst)
6119 SSL_CTX *cctx = NULL, *sctx = NULL;
6120 SSL *clientssl = NULL, *serverssl = NULL;
6123 static char *mess = "A test message";
6124 BIO *bretry = BIO_new(bio_s_always_retry());
6126 SSL *peerupdate = NULL, *peerwrite = NULL;
6128 if (!TEST_ptr(bretry)
6129 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6130 TLS_client_method(),
6133 &sctx, &cctx, cert, privkey))
6134 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6136 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6140 peerupdate = tst == 0 ? clientssl : serverssl;
6141 peerwrite = tst == 0 ? serverssl : clientssl;
6143 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6144 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6147 /* Swap the writing endpoint's write BIO to force a retry */
6148 tmp = SSL_get_wbio(peerwrite);
6149 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6153 SSL_set0_wbio(peerwrite, bretry);
6156 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6157 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6158 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6161 /* Reinstate the original writing endpoint's write BIO */
6162 SSL_set0_wbio(peerwrite, tmp);
6165 /* Now read some data - we will read the key update */
6166 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6167 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6171 * Complete the write we started previously and read it from the other
6174 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6175 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6178 /* Write more data to ensure we send the KeyUpdate message back */
6179 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6180 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6186 SSL_free(serverssl);
6187 SSL_free(clientssl);
6197 * Test we can handle a KeyUpdate (update requested) message while
6198 * peer read data is pending after peer accepted keyupdate(the msg header
6199 * had been read 5 bytes).
6200 * Test 0: Client sends KeyUpdate while Server is reading
6201 * Test 1: Server sends KeyUpdate while Client is reading
6203 static int test_key_update_peer_in_read(int tst)
6205 SSL_CTX *cctx = NULL, *sctx = NULL;
6206 SSL *clientssl = NULL, *serverssl = NULL;
6208 char prbuf[515], lwbuf[515] = {0};
6209 static char *mess = "A test message";
6210 BIO *lbio = NULL, *pbio = NULL;
6211 SSL *local = NULL, *peer = NULL;
6213 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6214 TLS_client_method(),
6217 &sctx, &cctx, cert, privkey))
6218 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6220 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6224 local = tst == 0 ? clientssl : serverssl;
6225 peer = tst == 0 ? serverssl : clientssl;
6227 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6230 SSL_set_bio(local, lbio, lbio);
6231 SSL_set_bio(peer, pbio, pbio);
6234 * we first write keyupdate msg then appdata in local
6235 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6236 * lwbuf app data msg size + key updata msg size > 512(the size of
6237 * the bio pair buffer)
6239 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6240 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6241 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6245 * first read keyupdate msg in peer in peer
6246 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6248 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6249 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6252 /* Now write some data in peer - we will write the key update */
6253 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6257 * write data in local previously that we will complete
6258 * read data in peer previously that we will complete
6260 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6261 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6264 /* check that sending and receiving appdata ok */
6265 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6266 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6272 SSL_free(serverssl);
6273 SSL_free(clientssl);
6281 * Test we can't send a KeyUpdate (update requested) message while
6282 * local write data is pending.
6283 * Test 0: Client sends KeyUpdate while Client is writing
6284 * Test 1: Server sends KeyUpdate while Server is writing
6286 static int test_key_update_local_in_write(int tst)
6288 SSL_CTX *cctx = NULL, *sctx = NULL;
6289 SSL *clientssl = NULL, *serverssl = NULL;
6292 static char *mess = "A test message";
6293 BIO *bretry = BIO_new(bio_s_always_retry());
6295 SSL *local = NULL, *peer = NULL;
6297 if (!TEST_ptr(bretry)
6298 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6299 TLS_client_method(),
6302 &sctx, &cctx, cert, privkey))
6303 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6305 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6309 local = tst == 0 ? clientssl : serverssl;
6310 peer = tst == 0 ? serverssl : clientssl;
6312 /* Swap the writing endpoint's write BIO to force a retry */
6313 tmp = SSL_get_wbio(local);
6314 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6318 SSL_set0_wbio(local, bretry);
6321 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6322 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6323 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6326 /* Reinstate the original writing endpoint's write BIO */
6327 SSL_set0_wbio(local, tmp);
6330 /* SSL_key_update will fail, because writing in local*/
6331 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6332 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6336 /* write data in local previously that we will complete */
6337 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6340 /* SSL_key_update will succeed because there is no pending write data */
6341 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6342 || !TEST_int_eq(SSL_do_handshake(local), 1))
6346 * we write some appdata in local
6347 * read data in peer - we will read the keyupdate msg
6349 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6350 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6353 /* Write more peer more data to ensure we send the keyupdate message back */
6354 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6355 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6361 SSL_free(serverssl);
6362 SSL_free(clientssl);
6372 * Test we can handle a KeyUpdate (update requested) message while
6373 * local read data is pending(the msg header had been read 5 bytes).
6374 * Test 0: Client sends KeyUpdate while Client is reading
6375 * Test 1: Server sends KeyUpdate while Server is reading
6377 static int test_key_update_local_in_read(int tst)
6379 SSL_CTX *cctx = NULL, *sctx = NULL;
6380 SSL *clientssl = NULL, *serverssl = NULL;
6382 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6383 static char *mess = "A test message";
6384 BIO *lbio = NULL, *pbio = NULL;
6385 SSL *local = NULL, *peer = NULL;
6387 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6388 TLS_client_method(),
6391 &sctx, &cctx, cert, privkey))
6392 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6394 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6398 local = tst == 0 ? clientssl : serverssl;
6399 peer = tst == 0 ? serverssl : clientssl;
6401 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6404 SSL_set_bio(local, lbio, lbio);
6405 SSL_set_bio(peer, pbio, pbio);
6407 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6408 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6409 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6412 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6413 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6414 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6417 /* SSL_do_handshake will send keyupdate msg */
6418 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6419 || !TEST_int_eq(SSL_do_handshake(local), 1))
6423 * write data in peer previously that we will complete
6424 * read data in local previously that we will complete
6426 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6427 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6431 * write data in local
6432 * read data in peer - we will read the key update
6434 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6435 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6438 /* Write more peer data to ensure we send the keyupdate message back */
6439 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6440 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6446 SSL_free(serverssl);
6447 SSL_free(clientssl);
6453 #endif /* OSSL_NO_USABLE_TLS1_3 */
6455 static int test_ssl_clear(int idx)
6457 SSL_CTX *cctx = NULL, *sctx = NULL;
6458 SSL *clientssl = NULL, *serverssl = NULL;
6461 #ifdef OPENSSL_NO_TLS1_2
6466 /* Create an initial connection */
6467 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6468 TLS_client_method(), TLS1_VERSION, 0,
6469 &sctx, &cctx, cert, privkey))
6471 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6473 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6474 &clientssl, NULL, NULL))
6475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6479 SSL_shutdown(clientssl);
6480 SSL_shutdown(serverssl);
6481 SSL_free(serverssl);
6484 /* Clear clientssl - we're going to reuse the object */
6485 if (!TEST_true(SSL_clear(clientssl)))
6488 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6490 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6492 || !TEST_true(SSL_session_reused(clientssl)))
6495 SSL_shutdown(clientssl);
6496 SSL_shutdown(serverssl);
6501 SSL_free(serverssl);
6502 SSL_free(clientssl);
6509 /* Parse CH and retrieve any MFL extension value if present */
6510 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6513 unsigned char *data;
6514 PACKET pkt, pkt2, pkt3;
6515 unsigned int MFL_code = 0, type = 0;
6517 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6520 memset(&pkt, 0, sizeof(pkt));
6521 memset(&pkt2, 0, sizeof(pkt2));
6522 memset(&pkt3, 0, sizeof(pkt3));
6524 if (!TEST_long_gt(len, 0)
6525 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6526 /* Skip the record header */
6527 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6528 /* Skip the handshake message header */
6529 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6530 /* Skip client version and random */
6531 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6532 + SSL3_RANDOM_SIZE))
6533 /* Skip session id */
6534 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6536 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6537 /* Skip compression */
6538 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6539 /* Extensions len */
6540 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6543 /* Loop through all extensions */
6544 while (PACKET_remaining(&pkt2)) {
6545 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6546 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6549 if (type == TLSEXT_TYPE_max_fragment_length) {
6550 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6551 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6554 *mfl_codemfl_code = MFL_code;
6563 /* Maximum-Fragment-Length TLS extension mode to test */
6564 static const unsigned char max_fragment_len_test[] = {
6565 TLSEXT_max_fragment_length_512,
6566 TLSEXT_max_fragment_length_1024,
6567 TLSEXT_max_fragment_length_2048,
6568 TLSEXT_max_fragment_length_4096
6571 static int test_max_fragment_len_ext(int idx_tst)
6573 SSL_CTX *ctx = NULL;
6575 int testresult = 0, MFL_mode = 0;
6578 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6579 TLS1_VERSION, 0, NULL, &ctx, NULL,
6583 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6584 ctx, max_fragment_len_test[idx_tst])))
6591 rbio = BIO_new(BIO_s_mem());
6592 wbio = BIO_new(BIO_s_mem());
6593 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6599 SSL_set_bio(con, rbio, wbio);
6601 if (!TEST_int_le(SSL_connect(con), 0)) {
6602 /* This shouldn't succeed because we don't have a server! */
6606 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6607 /* no MFL in client hello */
6609 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6621 #ifndef OSSL_NO_USABLE_TLS1_3
6622 static int test_pha_key_update(void)
6624 SSL_CTX *cctx = NULL, *sctx = NULL;
6625 SSL *clientssl = NULL, *serverssl = NULL;
6628 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6629 TLS_client_method(), TLS1_VERSION, 0,
6630 &sctx, &cctx, cert, privkey)))
6633 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6634 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6635 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6636 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6639 SSL_CTX_set_post_handshake_auth(cctx, 1);
6641 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6645 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6649 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6650 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6653 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6656 /* Start handshake on the server */
6657 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6660 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6661 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6665 SSL_shutdown(clientssl);
6666 SSL_shutdown(serverssl);
6671 SSL_free(serverssl);
6672 SSL_free(clientssl);
6679 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6681 static SRP_VBASE *vbase = NULL;
6683 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6685 int ret = SSL3_AL_FATAL;
6687 SRP_user_pwd *user = NULL;
6689 username = SSL_get_srp_username(s);
6690 if (username == NULL) {
6691 *ad = SSL_AD_INTERNAL_ERROR;
6695 user = SRP_VBASE_get1_by_user(vbase, username);
6697 *ad = SSL_AD_INTERNAL_ERROR;
6701 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6703 *ad = SSL_AD_INTERNAL_ERROR;
6710 SRP_user_pwd_free(user);
6714 static int create_new_vfile(char *userid, char *password, const char *filename)
6717 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6720 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6723 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6726 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6727 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6728 if (!TEST_ptr(gNid))
6732 * The only way to create an empty TXT_DB is to provide a BIO with no data
6735 db = TXT_DB_read(dummy, DB_NUMBER);
6739 out = BIO_new_file(filename, "w");
6743 row[DB_srpid] = OPENSSL_strdup(userid);
6744 row[DB_srptype] = OPENSSL_strdup("V");
6745 row[DB_srpgN] = OPENSSL_strdup(gNid);
6747 if (!TEST_ptr(row[DB_srpid])
6748 || !TEST_ptr(row[DB_srptype])
6749 || !TEST_ptr(row[DB_srpgN])
6750 || !TEST_true(TXT_DB_insert(db, row)))
6755 if (!TXT_DB_write(out, db))
6761 for (i = 0; i < DB_NUMBER; i++)
6762 OPENSSL_free(row[i]);
6772 static int create_new_vbase(char *userid, char *password)
6774 BIGNUM *verifier = NULL, *salt = NULL;
6775 const SRP_gN *lgN = NULL;
6776 SRP_user_pwd *user_pwd = NULL;
6779 lgN = SRP_get_default_gN(NULL);
6783 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6784 lgN->N, lgN->g, libctx, NULL)))
6787 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6788 if (!TEST_ptr(user_pwd))
6791 user_pwd->N = lgN->N;
6792 user_pwd->g = lgN->g;
6793 user_pwd->id = OPENSSL_strdup(userid);
6794 if (!TEST_ptr(user_pwd->id))
6797 user_pwd->v = verifier;
6799 verifier = salt = NULL;
6801 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6807 SRP_user_pwd_free(user_pwd);
6817 * Test 0: Simple successful SRP connection, new vbase
6818 * Test 1: Connection failure due to bad password, new vbase
6819 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6820 * Test 3: Connection failure due to bad password, vbase loaded from existing
6822 * Test 4: Simple successful SRP connection, vbase loaded from new file
6823 * Test 5: Connection failure due to bad password, vbase loaded from new file
6825 static int test_srp(int tst)
6827 char *userid = "test", *password = "password", *tstsrpfile;
6828 SSL_CTX *cctx = NULL, *sctx = NULL;
6829 SSL *clientssl = NULL, *serverssl = NULL;
6830 int ret, testresult = 0;
6832 vbase = SRP_VBASE_new(NULL);
6833 if (!TEST_ptr(vbase))
6836 if (tst == 0 || tst == 1) {
6837 if (!TEST_true(create_new_vbase(userid, password)))
6840 if (tst == 4 || tst == 5) {
6841 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6843 tstsrpfile = tmpfilename;
6845 tstsrpfile = srpvfile;
6847 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6851 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6852 TLS_client_method(), TLS1_VERSION, 0,
6853 &sctx, &cctx, cert, privkey)))
6856 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6857 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6858 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6859 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6860 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6864 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6867 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6871 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6875 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6877 if (!TEST_true(tst % 2 == 0))
6880 if (!TEST_true(tst % 2 == 1))
6887 SRP_VBASE_free(vbase);
6889 SSL_free(serverssl);
6890 SSL_free(clientssl);
6898 static int info_cb_failed = 0;
6899 static int info_cb_offset = 0;
6900 static int info_cb_this_state = -1;
6902 static struct info_cb_states_st {
6904 const char *statestr;
6905 } info_cb_states[][60] = {
6907 /* TLSv1.2 server followed by resumption */
6908 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6909 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6910 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6911 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6912 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6913 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6914 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6915 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6916 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6917 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6918 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6919 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6920 {SSL_CB_EXIT, NULL}, {0, NULL},
6922 /* TLSv1.2 client followed by resumption */
6923 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6924 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6925 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6926 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6927 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6928 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6929 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6930 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6931 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6932 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6933 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6934 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6936 /* TLSv1.3 server followed by resumption */
6937 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6938 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6939 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6940 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6941 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6942 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6943 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6944 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6945 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6946 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6947 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6948 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6949 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6951 /* TLSv1.3 client followed by resumption */
6952 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6953 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6954 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6955 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6956 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6957 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6958 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6959 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6960 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6961 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6962 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6963 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6964 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6965 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6966 {SSL_CB_EXIT, NULL}, {0, NULL},
6968 /* TLSv1.3 server, early_data */
6969 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6970 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6971 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6972 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6973 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6974 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6975 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6976 {SSL_CB_EXIT, NULL}, {0, NULL},
6978 /* TLSv1.3 client, early_data */
6979 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6980 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6981 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6982 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6983 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6984 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6985 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6986 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6987 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6993 static void sslapi_info_callback(const SSL *s, int where, int ret)
6995 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6997 /* We do not ever expect a connection to fail in this test */
6998 if (!TEST_false(ret == 0)) {
7004 * Do some sanity checks. We never expect these things to happen in this
7007 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7008 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7009 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7014 /* Now check we're in the right state */
7015 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7019 if ((where & SSL_CB_LOOP) != 0
7020 && !TEST_int_eq(strcmp(SSL_state_string(s),
7021 state[info_cb_this_state].statestr), 0)) {
7027 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7029 if ((where & SSL_CB_HANDSHAKE_DONE)
7030 && SSL_in_init((SSL *)s) != 0) {
7037 * Test the info callback gets called when we expect it to.
7039 * Test 0: TLSv1.2, server
7040 * Test 1: TLSv1.2, client
7041 * Test 2: TLSv1.3, server
7042 * Test 3: TLSv1.3, client
7043 * Test 4: TLSv1.3, server, early_data
7044 * Test 5: TLSv1.3, client, early_data
7046 static int test_info_callback(int tst)
7048 SSL_CTX *cctx = NULL, *sctx = NULL;
7049 SSL *clientssl = NULL, *serverssl = NULL;
7050 SSL_SESSION *clntsess = NULL;
7055 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7056 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7057 || !defined(OPENSSL_NO_DH))
7058 tlsvers = TLS1_2_VERSION;
7063 #ifndef OSSL_NO_USABLE_TLS1_3
7064 tlsvers = TLS1_3_VERSION;
7072 info_cb_this_state = -1;
7073 info_cb_offset = tst;
7075 #ifndef OSSL_NO_USABLE_TLS1_3
7077 SSL_SESSION *sess = NULL;
7078 size_t written, readbytes;
7079 unsigned char buf[80];
7081 /* early_data tests */
7082 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7083 &serverssl, &sess, 0)))
7086 /* We don't actually need this reference */
7087 SSL_SESSION_free(sess);
7089 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7090 sslapi_info_callback);
7092 /* Write and read some early data and then complete the connection */
7093 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7095 || !TEST_size_t_eq(written, strlen(MSG1))
7096 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7097 sizeof(buf), &readbytes),
7098 SSL_READ_EARLY_DATA_SUCCESS)
7099 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7100 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7101 SSL_EARLY_DATA_ACCEPTED)
7102 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7104 || !TEST_false(info_cb_failed))
7112 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7113 TLS_client_method(),
7114 tlsvers, tlsvers, &sctx, &cctx, cert,
7118 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7122 * For even numbered tests we check the server callbacks. For odd numbers we
7125 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7126 sslapi_info_callback);
7128 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7129 &clientssl, NULL, NULL))
7130 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7132 || !TEST_false(info_cb_failed))
7137 clntsess = SSL_get1_session(clientssl);
7138 SSL_shutdown(clientssl);
7139 SSL_shutdown(serverssl);
7140 SSL_free(serverssl);
7141 SSL_free(clientssl);
7142 serverssl = clientssl = NULL;
7144 /* Now do a resumption */
7145 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7147 || !TEST_true(SSL_set_session(clientssl, clntsess))
7148 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7150 || !TEST_true(SSL_session_reused(clientssl))
7151 || !TEST_false(info_cb_failed))
7157 SSL_free(serverssl);
7158 SSL_free(clientssl);
7159 SSL_SESSION_free(clntsess);
7165 static int test_ssl_pending(int tst)
7167 SSL_CTX *cctx = NULL, *sctx = NULL;
7168 SSL *clientssl = NULL, *serverssl = NULL;
7170 char msg[] = "A test message";
7172 size_t written, readbytes;
7175 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7176 TLS_client_method(),
7178 &sctx, &cctx, cert, privkey)))
7181 #ifndef OPENSSL_NO_DTLS
7182 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7183 DTLS_client_method(),
7185 &sctx, &cctx, cert, privkey)))
7188 # ifdef OPENSSL_NO_DTLS1_2
7189 /* Not supported in the FIPS provider */
7195 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7198 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7199 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7200 "DEFAULT:@SECLEVEL=0")))
7208 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7210 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7214 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7215 || !TEST_false(SSL_has_pending(clientssl))
7216 || !TEST_int_eq(SSL_pending(serverssl), 0)
7217 || !TEST_false(SSL_has_pending(serverssl))
7218 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7219 || !TEST_size_t_eq(written, sizeof(msg))
7220 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7221 || !TEST_size_t_eq(readbytes, sizeof(buf))
7222 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7223 || !TEST_true(SSL_has_pending(clientssl)))
7229 SSL_free(serverssl);
7230 SSL_free(clientssl);
7238 unsigned int maxprot;
7239 const char *clntciphers;
7240 const char *clnttls13ciphers;
7241 const char *srvrciphers;
7242 const char *srvrtls13ciphers;
7244 const char *fipsshared;
7245 } shared_ciphers_data[] = {
7247 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7248 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7250 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7253 "AES128-SHA:AES256-SHA",
7255 "AES256-SHA:DHE-RSA-AES128-SHA",
7260 # if !defined(OPENSSL_NO_CHACHA) \
7261 && !defined(OPENSSL_NO_POLY1305) \
7262 && !defined(OPENSSL_NO_EC)
7265 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7267 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7269 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7275 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7277 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7279 "AES128-SHA:AES256-SHA",
7280 "AES128-SHA:AES256-SHA"
7284 "AES128-SHA:AES256-SHA",
7286 "AES128-SHA:DHE-RSA-AES128-SHA",
7293 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7296 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7297 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7300 "AES128-SHA:AES256-SHA",
7302 "AES256-SHA:AES128-SHA256",
7304 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7305 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7306 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7309 #ifndef OSSL_NO_USABLE_TLS1_3
7313 "TLS_AES_256_GCM_SHA384",
7315 "TLS_AES_256_GCM_SHA384",
7316 "TLS_AES_256_GCM_SHA384",
7317 "TLS_AES_256_GCM_SHA384"
7322 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7324 SSL_CTX *cctx = NULL, *sctx = NULL;
7325 SSL *clientssl = NULL, *serverssl = NULL;
7328 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7330 if (!TEST_ptr(tmplibctx))
7334 * Regardless of whether we're testing with the FIPS provider loaded into
7335 * libctx, we want one peer to always use the full set of ciphersuites
7336 * available. Therefore we use a separate libctx with the default provider
7337 * loaded into it. We run the same tests twice - once with the client side
7338 * having the full set of ciphersuites and once with the server side.
7341 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7342 if (!TEST_ptr(cctx))
7345 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7346 if (!TEST_ptr(sctx))
7350 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7351 TLS_client_method(),
7353 shared_ciphers_data[tst].maxprot,
7354 &sctx, &cctx, cert, privkey)))
7357 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7358 shared_ciphers_data[tst].clntciphers))
7359 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7360 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7361 shared_ciphers_data[tst].clnttls13ciphers)))
7362 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7363 shared_ciphers_data[tst].srvrciphers))
7364 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7365 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7366 shared_ciphers_data[tst].srvrtls13ciphers))))
7370 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7372 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7376 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7377 || !TEST_int_eq(strcmp(buf,
7379 ? shared_ciphers_data[tst].fipsshared
7380 : shared_ciphers_data[tst].shared),
7382 TEST_info("Shared ciphers are: %s\n", buf);
7389 SSL_free(serverssl);
7390 SSL_free(clientssl);
7393 OSSL_LIB_CTX_free(tmplibctx);
7398 static int test_ssl_get_shared_ciphers(int tst)
7400 return int_test_ssl_get_shared_ciphers(tst, 0)
7401 && int_test_ssl_get_shared_ciphers(tst, 1);
7405 static const char *appdata = "Hello World";
7406 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7407 static int tick_key_renew = 0;
7408 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7410 static int gen_tick_cb(SSL *s, void *arg)
7412 gen_tick_called = 1;
7414 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7418 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7419 const unsigned char *keyname,
7420 size_t keyname_length,
7421 SSL_TICKET_STATUS status,
7427 dec_tick_called = 1;
7429 if (status == SSL_TICKET_EMPTY)
7430 return SSL_TICKET_RETURN_IGNORE_RENEW;
7432 if (!TEST_true(status == SSL_TICKET_SUCCESS
7433 || status == SSL_TICKET_SUCCESS_RENEW))
7434 return SSL_TICKET_RETURN_ABORT;
7436 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7438 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7439 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7440 return SSL_TICKET_RETURN_ABORT;
7442 if (tick_key_cb_called) {
7443 /* Don't change what the ticket key callback wanted to do */
7445 case SSL_TICKET_NO_DECRYPT:
7446 return SSL_TICKET_RETURN_IGNORE_RENEW;
7448 case SSL_TICKET_SUCCESS:
7449 return SSL_TICKET_RETURN_USE;
7451 case SSL_TICKET_SUCCESS_RENEW:
7452 return SSL_TICKET_RETURN_USE_RENEW;
7455 return SSL_TICKET_RETURN_ABORT;
7458 return tick_dec_ret;
7462 #ifndef OPENSSL_NO_DEPRECATED_3_0
7463 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7464 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7465 HMAC_CTX *hctx, int enc)
7467 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7468 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7469 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7470 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7473 tick_key_cb_called = 1;
7474 memset(iv, 0, AES_BLOCK_SIZE);
7475 memset(key_name, 0, 16);
7476 if (aes128cbc == NULL
7478 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7479 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7483 ret = tick_key_renew ? 2 : 1;
7485 EVP_CIPHER_free(aes128cbc);
7486 EVP_MD_free(sha256);
7492 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7493 unsigned char iv[EVP_MAX_IV_LENGTH],
7494 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7496 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7497 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7498 OSSL_PARAM params[2];
7499 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7502 tick_key_cb_called = 1;
7503 memset(iv, 0, AES_BLOCK_SIZE);
7504 memset(key_name, 0, 16);
7505 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7507 params[1] = OSSL_PARAM_construct_end();
7508 if (aes128cbc == NULL
7509 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7510 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7514 ret = tick_key_renew ? 2 : 1;
7516 EVP_CIPHER_free(aes128cbc);
7522 * Test the various ticket callbacks
7523 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7524 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7525 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7526 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7527 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7528 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7529 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7530 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7531 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7532 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7533 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7534 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7535 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7536 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7537 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7538 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7540 static int test_ticket_callbacks(int tst)
7542 SSL_CTX *cctx = NULL, *sctx = NULL;
7543 SSL *clientssl = NULL, *serverssl = NULL;
7544 SSL_SESSION *clntsess = NULL;
7547 #ifdef OPENSSL_NO_TLS1_2
7551 #ifdef OSSL_NO_USABLE_TLS1_3
7555 #ifdef OPENSSL_NO_DEPRECATED_3_0
7556 if (tst >= 8 && tst <= 11)
7560 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7562 /* Which tests the ticket key callback should request renewal for */
7563 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
7568 /* Which tests the decrypt ticket callback should request renewal for */
7572 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7577 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7582 tick_dec_ret = SSL_TICKET_RETURN_USE;
7587 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7591 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7594 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7595 TLS_client_method(),
7597 ((tst % 2) == 0) ? TLS1_2_VERSION
7599 &sctx, &cctx, cert, privkey)))
7603 * We only want sessions to resume from tickets - not the session cache. So
7604 * switch the cache off.
7606 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7609 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7614 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7616 #ifndef OPENSSL_NO_DEPRECATED_3_0
7617 } else if (tst >= 8) {
7618 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7623 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7625 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7630 * The decrypt ticket key callback in TLSv1.2 should be called even though
7631 * we have no ticket yet, because it gets called with a status of
7632 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7633 * actually send any ticket data). This does not happen in TLSv1.3 because
7634 * it is not valid to send empty ticket data in TLSv1.3.
7636 if (!TEST_int_eq(gen_tick_called, 1)
7637 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7640 gen_tick_called = dec_tick_called = 0;
7642 clntsess = SSL_get1_session(clientssl);
7643 SSL_shutdown(clientssl);
7644 SSL_shutdown(serverssl);
7645 SSL_free(serverssl);
7646 SSL_free(clientssl);
7647 serverssl = clientssl = NULL;
7649 /* Now do a resumption */
7650 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7652 || !TEST_true(SSL_set_session(clientssl, clntsess))
7653 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7657 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7658 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7659 if (!TEST_false(SSL_session_reused(clientssl)))
7662 if (!TEST_true(SSL_session_reused(clientssl)))
7666 if (!TEST_int_eq(gen_tick_called,
7668 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7669 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7671 || !TEST_int_eq(dec_tick_called, 1))
7677 SSL_SESSION_free(clntsess);
7678 SSL_free(serverssl);
7679 SSL_free(clientssl);
7687 * Test incorrect shutdown.
7688 * Test 0: client does not shutdown properly,
7689 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7690 * server should get SSL_ERROR_SSL
7691 * Test 1: client does not shutdown properly,
7692 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7693 * server should get SSL_ERROR_ZERO_RETURN
7695 static int test_incorrect_shutdown(int tst)
7697 SSL_CTX *cctx = NULL, *sctx = NULL;
7698 SSL *clientssl = NULL, *serverssl = NULL;
7703 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7704 TLS_client_method(), 0, 0,
7705 &sctx, &cctx, cert, privkey)))
7709 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7711 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7715 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7719 c2s = SSL_get_rbio(serverssl);
7720 BIO_set_mem_eof_return(c2s, 0);
7722 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7725 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7727 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7733 SSL_free(serverssl);
7734 SSL_free(clientssl);
7742 * Test bi-directional shutdown.
7744 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7745 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7746 * Test 3: TLSv1.3, pending NewSessionTicket messages
7747 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7748 * sends key update, client reads it
7749 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7750 * sends CertificateRequest, client reads and ignores it
7751 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7754 static int test_shutdown(int tst)
7756 SSL_CTX *cctx = NULL, *sctx = NULL;
7757 SSL *clientssl = NULL, *serverssl = NULL;
7759 char msg[] = "A test message";
7761 size_t written, readbytes;
7764 #ifdef OPENSSL_NO_TLS1_2
7768 #ifdef OSSL_NO_USABLE_TLS1_3
7773 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7774 TLS_client_method(),
7776 (tst <= 1) ? TLS1_2_VERSION
7778 &sctx, &cctx, cert, privkey)))
7782 SSL_CTX_set_post_handshake_auth(cctx, 1);
7784 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7789 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7791 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7792 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7794 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7796 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7797 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7801 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7806 * Reading on the server after the client has sent close_notify should
7807 * fail and provide SSL_ERROR_ZERO_RETURN
7809 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7810 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7811 SSL_ERROR_ZERO_RETURN)
7812 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7813 SSL_RECEIVED_SHUTDOWN)
7815 * Even though we're shutdown on receive we should still be
7818 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7821 && !TEST_true(SSL_key_update(serverssl,
7822 SSL_KEY_UPDATE_REQUESTED)))
7825 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7826 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7829 if ((tst == 4 || tst == 5)
7830 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7832 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7834 if (tst == 4 || tst == 5) {
7835 /* Should still be able to read data from server */
7836 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7838 || !TEST_size_t_eq(readbytes, sizeof(msg))
7839 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7840 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7842 || !TEST_size_t_eq(readbytes, sizeof(msg))
7843 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7848 /* Writing on the client after sending close_notify shouldn't be possible */
7849 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7854 * For these tests the client has sent close_notify but it has not yet
7855 * been received by the server. The server has not sent close_notify
7858 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7860 * Writing on the server after sending close_notify shouldn't
7863 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7864 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7865 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7866 || !TEST_true(SSL_SESSION_is_resumable(sess))
7867 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7869 } else if (tst == 4 || tst == 5) {
7871 * In this test the client has sent close_notify and it has been
7872 * received by the server which has responded with a close_notify. The
7873 * client needs to read the close_notify sent by the server.
7875 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7876 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7877 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7883 * The client has sent close_notify and is expecting a close_notify
7884 * back, but instead there is application data first. The shutdown
7885 * should fail with a fatal error.
7887 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7888 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7895 SSL_free(serverssl);
7896 SSL_free(clientssl);
7903 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7904 static int cert_cb_cnt;
7906 static int cert_cb(SSL *s, void *arg)
7908 SSL_CTX *ctx = (SSL_CTX *)arg;
7910 EVP_PKEY *pkey = NULL;
7911 X509 *x509 = NULL, *rootx = NULL;
7912 STACK_OF(X509) *chain = NULL;
7913 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7916 if (cert_cb_cnt == 0) {
7917 /* Suspend the handshake */
7920 } else if (cert_cb_cnt == 1) {
7922 * Update the SSL_CTX, set the certificate and private key and then
7923 * continue the handshake normally.
7925 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7928 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7929 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7931 || !TEST_true(SSL_check_private_key(s)))
7935 } else if (cert_cb_cnt == 3) {
7938 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7939 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7940 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7941 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7943 chain = sk_X509_new_null();
7944 if (!TEST_ptr(chain))
7946 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7947 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7948 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
7949 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
7950 || !TEST_true(sk_X509_push(chain, rootx)))
7954 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7955 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7956 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
7957 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7960 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7961 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7962 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7966 rv = SSL_check_chain(s, x509, pkey, chain);
7968 * If the cert doesn't show as valid here (e.g., because we don't
7969 * have any shared sigalgs), then we will not set it, and there will
7970 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7971 * will cause tls_choose_sigalgs() to fail the connection.
7973 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7974 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7975 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7982 /* Abort the handshake */
7984 OPENSSL_free(ecdsacert);
7985 OPENSSL_free(ecdsakey);
7986 OPENSSL_free(rootfile);
7988 EVP_PKEY_free(pkey);
7991 sk_X509_pop_free(chain, X509_free);
7996 * Test the certificate callback.
7997 * Test 0: Callback fails
7998 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7999 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8000 * Test 3: Success - Call SSL_check_chain from the callback
8001 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8003 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8005 static int test_cert_cb_int(int prot, int tst)
8007 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8008 SSL *clientssl = NULL, *serverssl = NULL;
8009 int testresult = 0, ret;
8011 #ifdef OPENSSL_NO_EC
8012 /* We use an EC cert in these tests, so we skip in a no-ec build */
8017 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8018 TLS_client_method(),
8021 &sctx, &cctx, NULL, NULL)))
8032 snictx = SSL_CTX_new(TLS_server_method());
8033 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8035 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8041 * We cause SSL_check_chain() to fail by specifying sig_algs that
8042 * the chain doesn't meet (the root uses an RSA cert)
8044 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8045 "ecdsa_secp256r1_sha256")))
8047 } else if (tst == 5) {
8049 * We cause SSL_check_chain() to fail by specifying sig_algs that
8050 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8052 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8053 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8057 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8058 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8060 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8067 SSL_free(serverssl);
8068 SSL_free(clientssl);
8071 SSL_CTX_free(snictx);
8077 static int test_cert_cb(int tst)
8081 #ifndef OPENSSL_NO_TLS1_2
8082 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8084 #ifndef OSSL_NO_USABLE_TLS1_3
8085 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8091 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8096 BIO *priv_in = NULL;
8098 /* Check that SSL_get0_peer_certificate() returns something sensible */
8099 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8102 in = BIO_new_file(cert, "r");
8106 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8107 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8108 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8109 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8127 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
8132 static int test_client_cert_cb(int tst)
8134 SSL_CTX *cctx = NULL, *sctx = NULL;
8135 SSL *clientssl = NULL, *serverssl = NULL;
8138 #ifdef OPENSSL_NO_TLS1_2
8142 #ifdef OSSL_NO_USABLE_TLS1_3
8147 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8148 TLS_client_method(),
8150 tst == 0 ? TLS1_2_VERSION
8152 &sctx, &cctx, cert, privkey)))
8156 * Test that setting a client_cert_cb results in a client certificate being
8159 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8160 SSL_CTX_set_verify(sctx,
8161 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8164 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8166 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8173 SSL_free(serverssl);
8174 SSL_free(clientssl);
8181 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8183 * Test setting certificate authorities on both client and server.
8185 * Test 0: SSL_CTX_set0_CA_list() only
8186 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8187 * Test 2: Only SSL_CTX_set_client_CA_list()
8189 static int test_ca_names_int(int prot, int tst)
8191 SSL_CTX *cctx = NULL, *sctx = NULL;
8192 SSL *clientssl = NULL, *serverssl = NULL;
8195 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8196 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8197 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8198 const STACK_OF(X509_NAME) *sktmp = NULL;
8200 for (i = 0; i < OSSL_NELEM(name); i++) {
8201 name[i] = X509_NAME_new();
8202 if (!TEST_ptr(name[i])
8203 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8211 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8212 TLS_client_method(),
8215 &sctx, &cctx, cert, privkey)))
8218 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8220 if (tst == 0 || tst == 1) {
8221 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8222 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8223 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8224 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8225 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8226 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8229 SSL_CTX_set0_CA_list(sctx, sk1);
8230 SSL_CTX_set0_CA_list(cctx, sk2);
8233 if (tst == 1 || tst == 2) {
8234 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8235 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8236 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8237 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8238 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8239 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8242 SSL_CTX_set_client_CA_list(sctx, sk1);
8243 SSL_CTX_set_client_CA_list(cctx, sk2);
8247 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8249 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8254 * We only expect certificate authorities to have been sent to the server
8255 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8257 sktmp = SSL_get0_peer_CA_list(serverssl);
8258 if (prot == TLS1_3_VERSION
8259 && (tst == 0 || tst == 1)) {
8260 if (!TEST_ptr(sktmp)
8261 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8262 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8264 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8267 } else if (!TEST_ptr_null(sktmp)) {
8272 * In all tests we expect certificate authorities to have been sent to the
8273 * client. However, SSL_set_client_CA_list() should override
8274 * SSL_set0_CA_list()
8276 sktmp = SSL_get0_peer_CA_list(clientssl);
8277 if (!TEST_ptr(sktmp)
8278 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8279 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8280 name[tst == 0 ? 0 : 2]), 0)
8281 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8282 name[tst == 0 ? 1 : 3]), 0))
8288 SSL_free(serverssl);
8289 SSL_free(clientssl);
8292 for (i = 0; i < OSSL_NELEM(name); i++)
8293 X509_NAME_free(name[i]);
8294 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8295 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8301 static int test_ca_names(int tst)
8305 #ifndef OPENSSL_NO_TLS1_2
8306 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8308 #ifndef OSSL_NO_USABLE_TLS1_3
8309 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8315 #ifndef OPENSSL_NO_TLS1_2
8316 static const char *multiblock_cipherlist_data[]=
8324 /* Reduce the fragment size - so the multiblock test buffer can be small */
8325 # define MULTIBLOCK_FRAGSIZE 512
8327 static int test_multiblock_write(int test_index)
8329 static const char *fetchable_ciphers[]=
8331 "AES-128-CBC-HMAC-SHA1",
8332 "AES-128-CBC-HMAC-SHA256",
8333 "AES-256-CBC-HMAC-SHA1",
8334 "AES-256-CBC-HMAC-SHA256"
8336 const char *cipherlist = multiblock_cipherlist_data[test_index];
8337 const SSL_METHOD *smeth = TLS_server_method();
8338 const SSL_METHOD *cmeth = TLS_client_method();
8339 int min_version = TLS1_VERSION;
8340 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8341 SSL_CTX *cctx = NULL, *sctx = NULL;
8342 SSL *clientssl = NULL, *serverssl = NULL;
8346 * Choose a buffer large enough to perform a multi-block operation
8347 * i.e: write_len >= 4 * frag_size
8348 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8350 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8351 unsigned char buf[sizeof(msg)], *p = buf;
8352 size_t readbytes, written, len;
8353 EVP_CIPHER *ciph = NULL;
8356 * Check if the cipher exists before attempting to use it since it only has
8357 * a hardware specific implementation.
8359 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8361 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8364 EVP_CIPHER_free(ciph);
8366 /* Set up a buffer with some data that will be sent to the client */
8367 RAND_bytes(msg, sizeof(msg));
8369 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8370 max_version, &sctx, &cctx, cert,
8374 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8377 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8381 /* settings to force it to use AES-CBC-HMAC_SHA */
8382 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8383 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8386 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8389 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8390 || !TEST_size_t_eq(written, sizeof(msg)))
8395 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8400 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8405 SSL_free(serverssl);
8406 SSL_free(clientssl);
8412 #endif /* OPENSSL_NO_TLS1_2 */
8414 static int test_session_timeout(int test)
8417 * Test session ordering and timeout
8418 * Can't explicitly test performance of the new code,
8419 * but can test to see if the ordering of the sessions
8420 * are correct, and they they are removed as expected
8422 SSL_SESSION *early = NULL;
8423 SSL_SESSION *middle = NULL;
8424 SSL_SESSION *late = NULL;
8427 long now = (long)time(NULL);
8430 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8431 || !TEST_ptr(early = SSL_SESSION_new())
8432 || !TEST_ptr(middle = SSL_SESSION_new())
8433 || !TEST_ptr(late = SSL_SESSION_new()))
8436 /* assign unique session ids */
8437 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8438 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8439 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8440 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8441 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8442 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8444 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8445 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8446 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8449 /* Make sure they are all added */
8450 if (!TEST_ptr(early->prev)
8451 || !TEST_ptr(middle->prev)
8452 || !TEST_ptr(late->prev))
8455 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8456 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8457 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8460 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8461 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8462 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8465 /* Make sure they are all still there */
8466 if (!TEST_ptr(early->prev)
8467 || !TEST_ptr(middle->prev)
8468 || !TEST_ptr(late->prev))
8471 /* Make sure they are in the expected order */
8472 if (!TEST_ptr_eq(late->next, middle)
8473 || !TEST_ptr_eq(middle->next, early)
8474 || !TEST_ptr_eq(early->prev, middle)
8475 || !TEST_ptr_eq(middle->prev, late))
8478 /* This should remove "early" */
8479 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8480 if (!TEST_ptr_null(early->prev)
8481 || !TEST_ptr(middle->prev)
8482 || !TEST_ptr(late->prev))
8485 /* This should remove "middle" */
8486 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8487 if (!TEST_ptr_null(early->prev)
8488 || !TEST_ptr_null(middle->prev)
8489 || !TEST_ptr(late->prev))
8492 /* This should remove "late" */
8493 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8494 if (!TEST_ptr_null(early->prev)
8495 || !TEST_ptr_null(middle->prev)
8496 || !TEST_ptr_null(late->prev))
8499 /* Add them back in again */
8500 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8501 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8502 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8505 /* Make sure they are all added */
8506 if (!TEST_ptr(early->prev)
8507 || !TEST_ptr(middle->prev)
8508 || !TEST_ptr(late->prev))
8511 /* This should remove all of them */
8512 SSL_CTX_flush_sessions(ctx, 0);
8513 if (!TEST_ptr_null(early->prev)
8514 || !TEST_ptr_null(middle->prev)
8515 || !TEST_ptr_null(late->prev))
8518 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8519 | SSL_CTX_get_session_cache_mode(ctx));
8521 /* make sure |now| is NOT equal to the current time */
8523 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8524 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8525 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8531 SSL_SESSION_free(early);
8532 SSL_SESSION_free(middle);
8533 SSL_SESSION_free(late);
8538 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8539 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8540 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8541 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8542 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8543 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8544 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8545 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8546 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8547 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8549 static int test_servername(int tst)
8551 SSL_CTX *cctx = NULL, *sctx = NULL;
8552 SSL *clientssl = NULL, *serverssl = NULL;
8554 SSL_SESSION *sess = NULL;
8555 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8557 #ifdef OPENSSL_NO_TLS1_2
8561 #ifdef OSSL_NO_USABLE_TLS1_3
8566 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8567 TLS_client_method(),
8569 (tst <= 4) ? TLS1_2_VERSION
8571 &sctx, &cctx, cert, privkey))
8572 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8576 if (tst != 1 && tst != 6) {
8577 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8582 if (tst != 3 && tst != 8) {
8583 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8585 sexpectedhost = cexpectedhost = "goodhost";
8588 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8591 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8593 || !TEST_str_eq(SSL_get_servername(serverssl,
8594 TLSEXT_NAMETYPE_host_name),
8598 /* Now repeat with a resumption handshake */
8600 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8601 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8602 || !TEST_true(SSL_SESSION_is_resumable(sess))
8603 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8606 SSL_free(clientssl);
8607 SSL_free(serverssl);
8608 clientssl = serverssl = NULL;
8610 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8614 if (!TEST_true(SSL_set_session(clientssl, sess)))
8617 sexpectedhost = cexpectedhost = "goodhost";
8618 if (tst == 2 || tst == 7) {
8619 /* Set an inconsistent hostname */
8620 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8623 * In TLSv1.2 we expect the hostname from the original handshake, in
8624 * TLSv1.3 we expect the hostname from this handshake
8627 sexpectedhost = cexpectedhost = "altgoodhost";
8629 if (!TEST_str_eq(SSL_get_servername(clientssl,
8630 TLSEXT_NAMETYPE_host_name),
8633 } else if (tst == 4 || tst == 9) {
8635 * A TLSv1.3 session does not associate a session with a servername,
8636 * but a TLSv1.2 session does.
8639 sexpectedhost = cexpectedhost = NULL;
8641 if (!TEST_str_eq(SSL_get_servername(clientssl,
8642 TLSEXT_NAMETYPE_host_name),
8646 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8649 * In a TLSv1.2 resumption where the hostname was not acknowledged
8650 * we expect the hostname on the server to be empty. On the client we
8651 * return what was requested in this case.
8653 * Similarly if the client didn't set a hostname on an original TLSv1.2
8654 * session but is now, the server hostname will be empty, but the client
8657 if (tst == 1 || tst == 3)
8658 sexpectedhost = NULL;
8660 if (!TEST_str_eq(SSL_get_servername(clientssl,
8661 TLSEXT_NAMETYPE_host_name),
8666 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8669 if (!TEST_true(SSL_session_reused(clientssl))
8670 || !TEST_true(SSL_session_reused(serverssl))
8671 || !TEST_str_eq(SSL_get_servername(clientssl,
8672 TLSEXT_NAMETYPE_host_name),
8674 || !TEST_str_eq(SSL_get_servername(serverssl,
8675 TLSEXT_NAMETYPE_host_name),
8682 SSL_SESSION_free(sess);
8683 SSL_free(serverssl);
8684 SSL_free(clientssl);
8691 #if !defined(OPENSSL_NO_EC) \
8692 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8694 * Test that if signature algorithms are not available, then we do not offer or
8696 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8697 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8698 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8699 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8700 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8701 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8703 static int test_sigalgs_available(int idx)
8705 SSL_CTX *cctx = NULL, *sctx = NULL;
8706 SSL *clientssl = NULL, *serverssl = NULL;
8708 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8709 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
8710 OSSL_PROVIDER *filterprov = NULL;
8713 if (!TEST_ptr(tmpctx))
8716 if (idx != 0 && idx != 3) {
8717 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8718 filter_provider_init)))
8721 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8722 if (!TEST_ptr(filterprov))
8727 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8728 * or accepted for the peer that uses this libctx. Note that libssl
8729 * *requires* SHA2-256 to be available so we cannot disable that. We
8730 * also need SHA1 for our certificate.
8732 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8736 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8738 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8743 if (idx == 1 || idx == 4)
8749 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8750 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
8751 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8755 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8756 TLS_client_method(),
8759 &sctx, &cctx, cert, privkey)))
8762 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8763 TLS_client_method(),
8766 &sctx, &cctx, cert2, privkey2)))
8770 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8772 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8773 "ECDHE-RSA-AES128-GCM-SHA256")))
8776 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8777 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8782 if (!SSL_CTX_set1_sigalgs_list(cctx,
8783 "rsa_pss_rsae_sha384"
8784 ":rsa_pss_rsae_sha256")
8785 || !SSL_CTX_set1_sigalgs_list(sctx,
8786 "rsa_pss_rsae_sha384"
8787 ":rsa_pss_rsae_sha256"))
8790 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8791 || !SSL_CTX_set1_sigalgs_list(sctx,
8792 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8797 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8798 SSL_FILETYPE_PEM), 1)
8799 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8801 SSL_FILETYPE_PEM), 1)
8802 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
8805 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8809 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8812 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8813 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8815 (idx == 0 || idx == 3) ? 2 : 1))
8818 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8821 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8825 testresult = filter_provider_check_clean_finish();
8828 SSL_free(serverssl);
8829 SSL_free(clientssl);
8832 OSSL_PROVIDER_unload(filterprov);
8833 OSSL_LIB_CTX_free(tmpctx);
8838 * !defined(OPENSSL_NO_EC) \
8839 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8842 #ifndef OPENSSL_NO_TLS1_3
8843 /* This test can run in TLSv1.3 even if ec and dh are disabled */
8844 static int test_pluggable_group(int idx)
8846 SSL_CTX *cctx = NULL, *sctx = NULL;
8847 SSL *clientssl = NULL, *serverssl = NULL;
8849 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8850 /* Check that we are not impacted by a provider without any groups */
8851 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8852 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8854 if (!TEST_ptr(tlsprov))
8857 if (legacyprov == NULL) {
8859 * In this case we assume we've been built with "no-legacy" and skip
8860 * this test (there is no OPENSSL_NO_LEGACY)
8866 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8867 TLS_client_method(),
8870 &sctx, &cctx, cert, privkey))
8871 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8875 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8876 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8879 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8882 if (!TEST_str_eq(group_name,
8883 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8889 SSL_free(serverssl);
8890 SSL_free(clientssl);
8893 OSSL_PROVIDER_unload(tlsprov);
8894 OSSL_PROVIDER_unload(legacyprov);
8900 #ifndef OPENSSL_NO_TLS1_2
8901 static int test_ssl_dup(void)
8903 SSL_CTX *cctx = NULL, *sctx = NULL;
8904 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8906 BIO *rbio = NULL, *wbio = NULL;
8908 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8909 TLS_client_method(),
8912 &sctx, &cctx, cert, privkey)))
8915 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8919 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8920 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8923 client2ssl = SSL_dup(clientssl);
8924 rbio = SSL_get_rbio(clientssl);
8926 || !TEST_true(BIO_up_ref(rbio)))
8928 SSL_set0_rbio(client2ssl, rbio);
8931 wbio = SSL_get_wbio(clientssl);
8932 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8934 SSL_set0_wbio(client2ssl, wbio);
8937 if (!TEST_ptr(client2ssl)
8938 /* Handshake not started so pointers should be different */
8939 || !TEST_ptr_ne(clientssl, client2ssl))
8942 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8943 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8946 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8949 SSL_free(clientssl);
8950 clientssl = SSL_dup(client2ssl);
8951 if (!TEST_ptr(clientssl)
8952 /* Handshake has finished so pointers should be the same */
8953 || !TEST_ptr_eq(clientssl, client2ssl))
8959 SSL_free(serverssl);
8960 SSL_free(clientssl);
8961 SSL_free(client2ssl);
8968 # ifndef OPENSSL_NO_DH
8970 static EVP_PKEY *tmp_dh_params = NULL;
8972 /* Helper function for the test_set_tmp_dh() tests */
8973 static EVP_PKEY *get_tmp_dh_params(void)
8975 if (tmp_dh_params == NULL) {
8977 OSSL_PARAM_BLD *tmpl = NULL;
8978 EVP_PKEY_CTX *pctx = NULL;
8979 OSSL_PARAM *params = NULL;
8980 EVP_PKEY *dhpkey = NULL;
8982 p = BN_get_rfc3526_prime_2048(NULL);
8986 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8988 || !TEST_true(EVP_PKEY_fromdata_init(pctx)))
8991 tmpl = OSSL_PARAM_BLD_new();
8993 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8994 OSSL_PKEY_PARAM_FFC_P,
8996 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8997 OSSL_PKEY_PARAM_FFC_G,
9001 params = OSSL_PARAM_BLD_to_param(tmpl);
9002 if (!TEST_ptr(params)
9003 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey,
9004 EVP_PKEY_KEY_PARAMETERS, params)))
9007 tmp_dh_params = dhpkey;
9010 EVP_PKEY_CTX_free(pctx);
9011 OSSL_PARAM_BLD_free(tmpl);
9012 OSSL_PARAM_free(params);
9015 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9018 return tmp_dh_params;
9021 # ifndef OPENSSL_NO_DEPRECATED_3_0
9022 /* Callback used by test_set_tmp_dh() */
9023 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9025 EVP_PKEY *dhpkey = get_tmp_dh_params();
9028 if (!TEST_ptr(dhpkey))
9032 * libssl does not free the returned DH, so we free it now knowing that even
9033 * after we free dhpkey, there will still be a reference to the owning
9034 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9035 * of time we need it for.
9037 ret = EVP_PKEY_get1_DH(dhpkey);
9040 EVP_PKEY_free(dhpkey);
9047 * Test the various methods for setting temporary DH parameters
9049 * Test 0: Default (no auto) setting
9050 * Test 1: Explicit SSL_CTX auto off
9051 * Test 2: Explicit SSL auto off
9052 * Test 3: Explicit SSL_CTX auto on
9053 * Test 4: Explicit SSL auto on
9054 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9055 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9057 * The following are testing deprecated APIs, so we only run them if available
9058 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9059 * Test 8: Explicit SSL auto off, custom DH params via DH
9060 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9061 * Test 10: Explicit SSL auto off, custom DH params via callback
9063 static int test_set_tmp_dh(int idx)
9065 SSL_CTX *cctx = NULL, *sctx = NULL;
9066 SSL *clientssl = NULL, *serverssl = NULL;
9068 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9069 int expected = (idx <= 2) ? 0 : 1;
9070 EVP_PKEY *dhpkey = NULL;
9071 # ifndef OPENSSL_NO_DEPRECATED_3_0
9079 if (idx >= 5 && idx <= 8) {
9080 dhpkey = get_tmp_dh_params();
9081 if (!TEST_ptr(dhpkey))
9084 # ifndef OPENSSL_NO_DEPRECATED_3_0
9085 if (idx == 7 || idx == 8) {
9086 dh = EVP_PKEY_get1_DH(dhpkey);
9092 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9093 TLS_client_method(),
9096 &sctx, &cctx, cert, privkey)))
9099 if ((idx & 1) == 1) {
9100 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9105 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9109 # ifndef OPENSSL_NO_DEPRECATED_3_0
9110 else if (idx == 7) {
9111 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9113 } else if (idx == 9) {
9114 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9118 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9122 if ((idx & 1) == 0 && idx != 0) {
9123 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9127 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9131 # ifndef OPENSSL_NO_DEPRECATED_3_0
9132 else if (idx == 8) {
9133 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9135 } else if (idx == 10) {
9136 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9140 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9141 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9142 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9146 * If autoon then we should succeed. Otherwise we expect failure because
9147 * there are no parameters
9149 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9150 SSL_ERROR_NONE), expected))
9156 # ifndef OPENSSL_NO_DEPRECATED_3_0
9159 SSL_free(serverssl);
9160 SSL_free(clientssl);
9163 EVP_PKEY_free(dhpkey);
9169 * Test the auto DH keys are appropriately sized
9171 static int test_dh_auto(int idx)
9173 SSL_CTX *cctx = NULL, *sctx = NULL;
9174 SSL *clientssl = NULL, *serverssl = NULL;
9176 EVP_PKEY *tmpkey = NULL;
9177 char *thiscert = NULL, *thiskey = NULL;
9178 size_t expdhsize = 0;
9179 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9183 /* The FIPS provider doesn't support this DH size - so we ignore it */
9186 thiscert = cert1024;
9187 thiskey = privkey1024;
9191 /* 2048 bit prime */
9197 thiscert = cert3072;
9198 thiskey = privkey3072;
9202 thiscert = cert4096;
9203 thiskey = privkey4096;
9207 thiscert = cert8192;
9208 thiskey = privkey8192;
9211 /* No certificate cases */
9213 /* The FIPS provider doesn't support this DH size - so we ignore it */
9216 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9220 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9224 TEST_error("Invalid text index");
9228 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9229 TLS_client_method(),
9232 &sctx, &cctx, thiscert, thiskey)))
9235 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9239 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9240 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9241 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9242 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9243 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9247 * Send the server's first flight. At this point the server has created the
9248 * temporary DH key but hasn't finished using it yet. Once used it is
9249 * removed, so we cannot test it.
9251 if (!TEST_int_le(SSL_connect(clientssl), 0)
9252 || !TEST_int_le(SSL_accept(serverssl), 0))
9255 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9257 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9260 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9266 SSL_free(serverssl);
9267 SSL_free(clientssl);
9270 EVP_PKEY_free(tmpkey);
9275 # endif /* OPENSSL_NO_DH */
9276 #endif /* OPENSSL_NO_TLS1_2 */
9278 #ifndef OSSL_NO_USABLE_TLS1_3
9280 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9281 * that it works even without a certificate configured for the original
9284 static int test_sni_tls13(void)
9286 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9287 SSL *clientssl = NULL, *serverssl = NULL;
9290 /* Reset callback counter */
9293 /* Create an initial SSL_CTX with no certificate configured */
9294 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9295 if (!TEST_ptr(sctx))
9297 /* Require TLSv1.3 as a minimum */
9298 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9299 TLS_client_method(), TLS1_3_VERSION, 0,
9300 &sctx2, &cctx, cert, privkey)))
9304 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9305 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9309 * Connection should still succeed because the final SSL_CTX has the right
9310 * certificates configured.
9312 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9313 &clientssl, NULL, NULL))
9314 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9318 /* We should have had the SNI callback called exactly once */
9319 if (!TEST_int_eq(snicb, 1))
9325 SSL_free(serverssl);
9326 SSL_free(clientssl);
9327 SSL_CTX_free(sctx2);
9334 * Test that setting an ALPN does not violate RFC
9336 static int test_set_alpn(void)
9338 SSL_CTX *ctx = NULL;
9342 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9343 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9344 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9345 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9346 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9347 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9349 /* Create an initial SSL_CTX with no certificate configured */
9350 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9354 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9355 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9357 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9359 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9361 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9363 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9365 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9367 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9369 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9371 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9378 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9380 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9382 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9384 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9386 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9388 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9390 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9392 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9394 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9405 static int test_inherit_verify_param(void)
9409 SSL_CTX *ctx = NULL;
9410 X509_VERIFY_PARAM *cp = NULL;
9412 X509_VERIFY_PARAM *sp = NULL;
9413 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9415 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9419 cp = SSL_CTX_get0_param(ctx);
9422 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9425 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9431 sp = SSL_get0_param(ssl);
9434 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9446 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
9448 int setup_tests(void)
9453 libctx = OSSL_LIB_CTX_new();
9454 if (!TEST_ptr(libctx))
9457 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9460 * Verify that the default and fips providers in the default libctx are not
9463 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9464 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9467 if (!test_skip_common_options()) {
9468 TEST_error("Error parsing test options\n");
9472 if (!TEST_ptr(certsdir = test_get_argument(0))
9473 || !TEST_ptr(srpvfile = test_get_argument(1))
9474 || !TEST_ptr(tmpfilename = test_get_argument(2))
9475 || !TEST_ptr(modulename = test_get_argument(3))
9476 || !TEST_ptr(configfile = test_get_argument(4)))
9479 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
9482 /* Check we have the expected provider available */
9483 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9486 /* Check the default provider is not available */
9487 if (strcmp(modulename, "default") != 0
9488 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
9491 if (strcmp(modulename, "fips") == 0)
9495 * We add, but don't load the test "tls-provider". We'll load it when we
9498 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9499 tls_provider_init)))
9503 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9504 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
9505 TEST_error("not supported in this build");
9508 int i, mcount, rcount, fcount;
9510 for (i = 0; i < 4; i++)
9511 test_export_key_mat(i);
9512 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9513 test_printf_stdout("malloc %d realloc %d free %d\n",
9514 mcount, rcount, fcount);
9519 cert = test_mk_file_path(certsdir, "servercert.pem");
9523 privkey = test_mk_file_path(certsdir, "serverkey.pem");
9524 if (privkey == NULL)
9527 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9531 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9532 if (privkey2 == NULL)
9535 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9536 if (cert1024 == NULL)
9539 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9540 if (privkey1024 == NULL)
9543 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9544 if (cert3072 == NULL)
9547 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9548 if (privkey3072 == NULL)
9551 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9552 if (cert4096 == NULL)
9555 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9556 if (privkey4096 == NULL)
9559 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9560 if (cert8192 == NULL)
9563 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9564 if (privkey8192 == NULL)
9567 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
9568 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9569 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9570 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
9573 ADD_TEST(test_large_message_tls);
9574 ADD_TEST(test_large_message_tls_read_ahead);
9575 #ifndef OPENSSL_NO_DTLS
9576 ADD_TEST(test_large_message_dtls);
9578 ADD_TEST(test_cleanse_plaintext);
9579 #ifndef OPENSSL_NO_OCSP
9580 ADD_TEST(test_tlsext_status_type);
9582 ADD_TEST(test_session_with_only_int_cache);
9583 ADD_TEST(test_session_with_only_ext_cache);
9584 ADD_TEST(test_session_with_both_cache);
9585 ADD_TEST(test_session_wo_ca_names);
9586 #ifndef OSSL_NO_USABLE_TLS1_3
9587 ADD_ALL_TESTS(test_stateful_tickets, 3);
9588 ADD_ALL_TESTS(test_stateless_tickets, 3);
9589 ADD_TEST(test_psk_tickets);
9590 ADD_ALL_TESTS(test_extra_tickets, 6);
9592 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9593 ADD_TEST(test_ssl_bio_pop_next_bio);
9594 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9595 ADD_TEST(test_ssl_bio_change_rbio);
9596 ADD_TEST(test_ssl_bio_change_wbio);
9597 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
9598 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
9599 ADD_TEST(test_keylog);
9601 #ifndef OSSL_NO_USABLE_TLS1_3
9602 ADD_TEST(test_keylog_no_master_key);
9604 ADD_TEST(test_client_cert_verify_cb);
9605 ADD_TEST(test_ssl_build_cert_chain);
9606 ADD_TEST(test_ssl_ctx_build_cert_chain);
9607 #ifndef OPENSSL_NO_TLS1_2
9608 ADD_TEST(test_client_hello_cb);
9609 ADD_TEST(test_no_ems);
9610 ADD_TEST(test_ccs_change_cipher);
9612 #ifndef OSSL_NO_USABLE_TLS1_3
9613 ADD_ALL_TESTS(test_early_data_read_write, 3);
9615 * We don't do replay tests for external PSK. Replay protection isn't used
9618 ADD_ALL_TESTS(test_early_data_replay, 2);
9619 ADD_ALL_TESTS(test_early_data_skip, 3);
9620 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
9621 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
9622 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
9623 ADD_ALL_TESTS(test_early_data_not_sent, 3);
9624 ADD_ALL_TESTS(test_early_data_psk, 8);
9625 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
9626 ADD_ALL_TESTS(test_early_data_not_expected, 3);
9627 # ifndef OPENSSL_NO_TLS1_2
9628 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
9631 #ifndef OSSL_NO_USABLE_TLS1_3
9632 ADD_ALL_TESTS(test_set_ciphersuite, 10);
9633 ADD_TEST(test_ciphersuite_change);
9634 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9635 # ifdef OPENSSL_NO_PSK
9636 ADD_ALL_TESTS(test_tls13_psk, 1);
9638 ADD_ALL_TESTS(test_tls13_psk, 4);
9639 # endif /* OPENSSL_NO_PSK */
9640 # ifndef OPENSSL_NO_TLS1_2
9641 /* Test with both TLSv1.3 and 1.2 versions */
9642 ADD_ALL_TESTS(test_key_exchange, 14);
9643 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9644 ADD_ALL_TESTS(test_negotiated_group,
9645 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9646 + OSSL_NELEM(ffdhe_kexch_groups)));
9649 /* Test with only TLSv1.3 versions */
9650 ADD_ALL_TESTS(test_key_exchange, 12);
9652 ADD_ALL_TESTS(test_custom_exts, 5);
9653 ADD_TEST(test_stateless);
9654 ADD_TEST(test_pha_key_update);
9656 ADD_ALL_TESTS(test_custom_exts, 3);
9658 ADD_ALL_TESTS(test_serverinfo, 8);
9659 ADD_ALL_TESTS(test_export_key_mat, 6);
9660 #ifndef OSSL_NO_USABLE_TLS1_3
9661 ADD_ALL_TESTS(test_export_key_mat_early, 3);
9662 ADD_TEST(test_key_update);
9663 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
9664 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
9665 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
9666 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
9668 ADD_ALL_TESTS(test_ssl_clear, 2);
9669 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
9670 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9671 ADD_ALL_TESTS(test_srp, 6);
9673 ADD_ALL_TESTS(test_info_callback, 6);
9674 ADD_ALL_TESTS(test_ssl_pending, 2);
9675 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
9676 ADD_ALL_TESTS(test_ticket_callbacks, 16);
9677 ADD_ALL_TESTS(test_shutdown, 7);
9678 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
9679 ADD_ALL_TESTS(test_cert_cb, 6);
9680 ADD_ALL_TESTS(test_client_cert_cb, 2);
9681 ADD_ALL_TESTS(test_ca_names, 3);
9682 #ifndef OPENSSL_NO_TLS1_2
9683 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
9685 ADD_ALL_TESTS(test_servername, 10);
9686 #if !defined(OPENSSL_NO_EC) \
9687 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9688 ADD_ALL_TESTS(test_sigalgs_available, 6);
9690 #ifndef OPENSSL_NO_TLS1_3
9691 ADD_ALL_TESTS(test_pluggable_group, 2);
9693 #ifndef OPENSSL_NO_TLS1_2
9694 ADD_TEST(test_ssl_dup);
9695 # ifndef OPENSSL_NO_DH
9696 ADD_ALL_TESTS(test_set_tmp_dh, 11);
9697 ADD_ALL_TESTS(test_dh_auto, 7);
9700 #ifndef OSSL_NO_USABLE_TLS1_3
9701 ADD_TEST(test_sni_tls13);
9703 ADD_TEST(test_inherit_verify_param);
9704 ADD_TEST(test_set_alpn);
9705 ADD_ALL_TESTS(test_session_timeout, 1);
9710 OPENSSL_free(privkey);
9711 OPENSSL_free(cert2);
9712 OPENSSL_free(privkey2);
9716 void cleanup_tests(void)
9718 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
9719 EVP_PKEY_free(tmp_dh_params);
9722 OPENSSL_free(privkey);
9723 OPENSSL_free(cert2);
9724 OPENSSL_free(privkey2);
9725 OPENSSL_free(cert1024);
9726 OPENSSL_free(privkey1024);
9727 OPENSSL_free(cert3072);
9728 OPENSSL_free(privkey3072);
9729 OPENSSL_free(cert4096);
9730 OPENSSL_free(privkey4096);
9731 OPENSSL_free(cert8192);
9732 OPENSSL_free(privkey8192);
9733 bio_s_mempacket_test_free();
9734 bio_s_always_retry_free();
9735 OSSL_PROVIDER_unload(defctxnull);
9736 OSSL_LIB_CTX_free(libctx);