2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
38 #include "helpers/ssltestlib.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "../ssl/record/methods/recmethod_local.h"
45 #include "filterprov.h"
47 #undef OSSL_NO_USABLE_TLS1_3
48 #if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51 * If we don't have ec or dh then there are no built-in groups that are usable
54 # define OSSL_NO_USABLE_TLS1_3
57 /* Defined in tls-provider.c */
58 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
63 static OSSL_LIB_CTX *libctx = NULL;
64 static OSSL_PROVIDER *defctxnull = NULL;
66 #ifndef OSSL_NO_USABLE_TLS1_3
68 static SSL_SESSION *clientpsk = NULL;
69 static SSL_SESSION *serverpsk = NULL;
70 static const char *pskid = "Identity";
71 static const char *srvid;
73 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75 static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
78 static int use_session_cb_cnt = 0;
79 static int find_session_cb_cnt = 0;
81 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
84 static char *certsdir = NULL;
85 static char *cert = NULL;
86 static char *privkey = NULL;
87 static char *cert2 = NULL;
88 static char *privkey2 = NULL;
89 static char *cert1024 = NULL;
90 static char *privkey1024 = NULL;
91 static char *cert3072 = NULL;
92 static char *privkey3072 = NULL;
93 static char *cert4096 = NULL;
94 static char *privkey4096 = NULL;
95 static char *cert8192 = NULL;
96 static char *privkey8192 = NULL;
97 static char *srpvfile = NULL;
98 static char *tmpfilename = NULL;
99 static char *dhfile = NULL;
101 static int is_fips = 0;
102 static int fips_ems_check = 0;
104 #define LOG_BUFFER_SIZE 2048
105 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
106 static size_t server_log_buffer_index = 0;
107 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
108 static size_t client_log_buffer_index = 0;
109 static int error_writing_log = 0;
111 #ifndef OPENSSL_NO_OCSP
112 static const unsigned char orespder[] = "Dummy OCSP Response";
113 static int ocsp_server_called = 0;
114 static int ocsp_client_called = 0;
116 static int cdummyarg = 1;
117 static X509 *ocspcert = NULL;
120 #define NUM_EXTRA_CERTS 40
121 #define CLIENT_VERSION_LEN 2
124 * This structure is used to validate that the correct number of log messages
125 * of various types are emitted when emitting secret logs.
127 struct sslapitest_log_counts {
128 unsigned int rsa_key_exchange_count;
129 unsigned int master_secret_count;
130 unsigned int client_early_secret_count;
131 unsigned int client_handshake_secret_count;
132 unsigned int server_handshake_secret_count;
133 unsigned int client_application_secret_count;
134 unsigned int server_application_secret_count;
135 unsigned int early_exporter_secret_count;
136 unsigned int exporter_secret_count;
140 static int hostname_cb(SSL *s, int *al, void *arg)
142 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
144 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
145 || strcmp(hostname, "altgoodhost") == 0))
146 return SSL_TLSEXT_ERR_OK;
148 return SSL_TLSEXT_ERR_NOACK;
151 static void client_keylog_callback(const SSL *ssl, const char *line)
153 int line_length = strlen(line);
155 /* If the log doesn't fit, error out. */
156 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
157 TEST_info("Client log too full");
158 error_writing_log = 1;
162 strcat(client_log_buffer, line);
163 client_log_buffer_index += line_length;
164 client_log_buffer[client_log_buffer_index++] = '\n';
167 static void server_keylog_callback(const SSL *ssl, const char *line)
169 int line_length = strlen(line);
171 /* If the log doesn't fit, error out. */
172 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
173 TEST_info("Server log too full");
174 error_writing_log = 1;
178 strcat(server_log_buffer, line);
179 server_log_buffer_index += line_length;
180 server_log_buffer[server_log_buffer_index++] = '\n';
183 static int compare_hex_encoded_buffer(const char *hex_encoded,
191 if (!TEST_size_t_eq(raw_length * 2, hex_length))
194 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
195 sprintf(hexed, "%02x", raw[i]);
196 if (!TEST_int_eq(hexed[0], hex_encoded[j])
197 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
204 static int test_keylog_output(char *buffer, const SSL *ssl,
205 const SSL_SESSION *session,
206 struct sslapitest_log_counts *expected)
209 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
210 size_t client_random_size = SSL3_RANDOM_SIZE;
211 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
212 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
213 unsigned int rsa_key_exchange_count = 0;
214 unsigned int master_secret_count = 0;
215 unsigned int client_early_secret_count = 0;
216 unsigned int client_handshake_secret_count = 0;
217 unsigned int server_handshake_secret_count = 0;
218 unsigned int client_application_secret_count = 0;
219 unsigned int server_application_secret_count = 0;
220 unsigned int early_exporter_secret_count = 0;
221 unsigned int exporter_secret_count = 0;
223 for (token = strtok(buffer, " \n"); token != NULL;
224 token = strtok(NULL, " \n")) {
225 if (strcmp(token, "RSA") == 0) {
227 * Premaster secret. Tokens should be: 16 ASCII bytes of
228 * hex-encoded encrypted secret, then the hex-encoded pre-master
231 if (!TEST_ptr(token = strtok(NULL, " \n")))
233 if (!TEST_size_t_eq(strlen(token), 16))
235 if (!TEST_ptr(token = strtok(NULL, " \n")))
238 * We can't sensibly check the log because the premaster secret is
239 * transient, and OpenSSL doesn't keep hold of it once the master
240 * secret is generated.
242 rsa_key_exchange_count++;
243 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
245 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
246 * client random, then the hex-encoded master secret.
248 client_random_size = SSL_get_client_random(ssl,
249 actual_client_random,
251 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
254 if (!TEST_ptr(token = strtok(NULL, " \n")))
256 if (!TEST_size_t_eq(strlen(token), 64))
258 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
259 actual_client_random,
260 client_random_size)))
263 if (!TEST_ptr(token = strtok(NULL, " \n")))
265 master_key_size = SSL_SESSION_get_master_key(session,
268 if (!TEST_size_t_ne(master_key_size, 0))
270 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
274 master_secret_count++;
275 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
278 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
279 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
280 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
281 || strcmp(token, "EXPORTER_SECRET") == 0) {
283 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
284 * client random, and then the hex-encoded secret. In this case,
285 * we treat all of these secrets identically and then just
286 * distinguish between them when counting what we saw.
288 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
289 client_early_secret_count++;
290 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 client_handshake_secret_count++;
292 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
293 server_handshake_secret_count++;
294 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
295 client_application_secret_count++;
296 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
297 server_application_secret_count++;
298 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
299 early_exporter_secret_count++;
300 else if (strcmp(token, "EXPORTER_SECRET") == 0)
301 exporter_secret_count++;
303 client_random_size = SSL_get_client_random(ssl,
304 actual_client_random,
306 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
309 if (!TEST_ptr(token = strtok(NULL, " \n")))
311 if (!TEST_size_t_eq(strlen(token), 64))
313 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
314 actual_client_random,
315 client_random_size)))
318 if (!TEST_ptr(token = strtok(NULL, " \n")))
321 TEST_info("Unexpected token %s\n", token);
326 /* Got what we expected? */
327 if (!TEST_size_t_eq(rsa_key_exchange_count,
328 expected->rsa_key_exchange_count)
329 || !TEST_size_t_eq(master_secret_count,
330 expected->master_secret_count)
331 || !TEST_size_t_eq(client_early_secret_count,
332 expected->client_early_secret_count)
333 || !TEST_size_t_eq(client_handshake_secret_count,
334 expected->client_handshake_secret_count)
335 || !TEST_size_t_eq(server_handshake_secret_count,
336 expected->server_handshake_secret_count)
337 || !TEST_size_t_eq(client_application_secret_count,
338 expected->client_application_secret_count)
339 || !TEST_size_t_eq(server_application_secret_count,
340 expected->server_application_secret_count)
341 || !TEST_size_t_eq(early_exporter_secret_count,
342 expected->early_exporter_secret_count)
343 || !TEST_size_t_eq(exporter_secret_count,
344 expected->exporter_secret_count))
349 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
350 static int test_keylog(void)
352 SSL_CTX *cctx = NULL, *sctx = NULL;
353 SSL *clientssl = NULL, *serverssl = NULL;
355 struct sslapitest_log_counts expected;
357 /* Clean up logging space */
358 memset(&expected, 0, sizeof(expected));
359 memset(client_log_buffer, 0, sizeof(client_log_buffer));
360 memset(server_log_buffer, 0, sizeof(server_log_buffer));
361 client_log_buffer_index = 0;
362 server_log_buffer_index = 0;
363 error_writing_log = 0;
365 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
368 &sctx, &cctx, cert, privkey)))
371 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
372 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
373 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
375 /* We also want to ensure that we use RSA-based key exchange. */
376 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
379 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
380 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
382 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
383 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
384 == client_keylog_callback))
386 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
387 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
388 == server_keylog_callback))
391 /* Now do a handshake and check that the logs have been written to. */
392 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
393 &clientssl, NULL, NULL))
394 || !TEST_true(create_ssl_connection(serverssl, clientssl,
396 || !TEST_false(error_writing_log)
397 || !TEST_int_gt(client_log_buffer_index, 0)
398 || !TEST_int_gt(server_log_buffer_index, 0))
402 * Now we want to test that our output data was vaguely sensible. We
403 * do that by using strtok and confirming that we have more or less the
404 * data we expect. For both client and server, we expect to see one master
405 * secret. The client should also see an RSA key exchange.
407 expected.rsa_key_exchange_count = 1;
408 expected.master_secret_count = 1;
409 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
410 SSL_get_session(clientssl), &expected)))
413 expected.rsa_key_exchange_count = 0;
414 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
415 SSL_get_session(serverssl), &expected)))
430 #ifndef OSSL_NO_USABLE_TLS1_3
431 static int test_keylog_no_master_key(void)
433 SSL_CTX *cctx = NULL, *sctx = NULL;
434 SSL *clientssl = NULL, *serverssl = NULL;
435 SSL_SESSION *sess = NULL;
437 struct sslapitest_log_counts expected;
438 unsigned char buf[1];
439 size_t readbytes, written;
441 /* Clean up logging space */
442 memset(&expected, 0, sizeof(expected));
443 memset(client_log_buffer, 0, sizeof(client_log_buffer));
444 memset(server_log_buffer, 0, sizeof(server_log_buffer));
445 client_log_buffer_index = 0;
446 server_log_buffer_index = 0;
447 error_writing_log = 0;
449 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
450 TLS_client_method(), TLS1_VERSION, 0,
451 &sctx, &cctx, cert, privkey))
452 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
453 SSL3_RT_MAX_PLAIN_LENGTH)))
456 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
457 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
460 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
461 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
462 == client_keylog_callback))
465 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
466 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
467 == server_keylog_callback))
470 /* Now do a handshake and check that the logs have been written to. */
471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
472 &clientssl, NULL, NULL))
473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
475 || !TEST_false(error_writing_log))
479 * Now we want to test that our output data was vaguely sensible. For this
480 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
481 * TLSv1.3, but we do expect both client and server to emit keys.
483 expected.client_handshake_secret_count = 1;
484 expected.server_handshake_secret_count = 1;
485 expected.client_application_secret_count = 1;
486 expected.server_application_secret_count = 1;
487 expected.exporter_secret_count = 1;
488 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
489 SSL_get_session(clientssl), &expected))
490 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
491 SSL_get_session(serverssl),
495 /* Terminate old session and resume with early data. */
496 sess = SSL_get1_session(clientssl);
497 SSL_shutdown(clientssl);
498 SSL_shutdown(serverssl);
501 serverssl = clientssl = NULL;
504 memset(client_log_buffer, 0, sizeof(client_log_buffer));
505 memset(server_log_buffer, 0, sizeof(server_log_buffer));
506 client_log_buffer_index = 0;
507 server_log_buffer_index = 0;
509 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
510 &clientssl, NULL, NULL))
511 || !TEST_true(SSL_set_session(clientssl, sess))
512 /* Here writing 0 length early data is enough. */
513 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
514 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
516 SSL_READ_EARLY_DATA_ERROR)
517 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
518 SSL_EARLY_DATA_ACCEPTED)
519 || !TEST_true(create_ssl_connection(serverssl, clientssl,
521 || !TEST_true(SSL_session_reused(clientssl)))
524 /* In addition to the previous entries, expect early secrets. */
525 expected.client_early_secret_count = 1;
526 expected.early_exporter_secret_count = 1;
527 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
528 SSL_get_session(clientssl), &expected))
529 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
530 SSL_get_session(serverssl),
537 SSL_SESSION_free(sess);
547 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
549 int res = X509_verify_cert(ctx);
550 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
553 /* this should not happen but check anyway */
555 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
558 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
559 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
560 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
561 return SSL_set_retry_verify(ssl);
566 static int test_client_cert_verify_cb(void)
568 /* server key, cert, chain, and root */
569 char *skey = test_mk_file_path(certsdir, "leaf.key");
570 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
571 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
572 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
573 char *root = test_mk_file_path(certsdir, "rootCA.pem");
574 X509 *crt1 = NULL, *crt2 = NULL;
575 STACK_OF(X509) *server_chain;
576 SSL_CTX *cctx = NULL, *sctx = NULL;
577 SSL *clientssl = NULL, *serverssl = NULL;
580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
581 TLS_client_method(), TLS1_VERSION, 0,
582 &sctx, &cctx, NULL, NULL)))
584 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
585 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
586 SSL_FILETYPE_PEM), 1)
587 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
589 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
591 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
592 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL)))
597 /* attempt SSL_connect() with incomplete server chain */
598 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
599 SSL_ERROR_WANT_RETRY_VERIFY)))
602 /* application provides intermediate certs needed to verify server cert */
603 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
604 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
605 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
607 /* add certs in reverse order to demonstrate real chain building */
608 if (!TEST_true(sk_X509_push(server_chain, crt1)))
611 if (!TEST_true(sk_X509_push(server_chain, crt2)))
615 /* continue SSL_connect(), must now succeed with completed server chain */
616 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
625 if (clientssl != NULL) {
626 SSL_shutdown(clientssl);
629 if (serverssl != NULL) {
630 SSL_shutdown(serverssl);
645 static int test_ssl_build_cert_chain(void)
648 SSL_CTX *ssl_ctx = NULL;
650 char *skey = test_mk_file_path(certsdir, "leaf.key");
651 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
653 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
655 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
657 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
658 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
659 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
660 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
662 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
663 | SSL_BUILD_CHAIN_FLAG_CHECK)))
668 SSL_CTX_free(ssl_ctx);
669 OPENSSL_free(leaf_chain);
674 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
676 static const char pass[] = "testpass";
678 if (!TEST_int_eq(size, PEM_BUFSIZE))
681 memcpy(buf, pass, sizeof(pass) - 1);
682 return sizeof(pass) - 1;
685 static int test_ssl_ctx_build_cert_chain(void)
689 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
690 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
692 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
694 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
695 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
696 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
697 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
698 SSL_FILETYPE_PEM), 1)
699 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
701 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
702 | SSL_BUILD_CHAIN_FLAG_CHECK)))
707 OPENSSL_free(leaf_chain);
712 #ifndef OPENSSL_NO_TLS1_2
713 static int full_client_hello_callback(SSL *s, int *al, void *arg)
716 const unsigned char *p;
718 /* We only configure two ciphers, but the SCSV is added automatically. */
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
722 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
725 const int expected_extensions[] = {
726 #ifndef OPENSSL_NO_EC
732 /* Make sure we can defer processing and get called back. */
734 return SSL_CLIENT_HELLO_RETRY;
736 len = SSL_client_hello_get0_ciphers(s, &p);
737 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
739 SSL_client_hello_get0_compression_methods(s, &p), 1)
740 || !TEST_int_eq(*p, 0))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
743 return SSL_CLIENT_HELLO_ERROR;
744 if (len != OSSL_NELEM(expected_extensions) ||
745 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
746 printf("ClientHello callback expected extensions mismatch\n");
748 return SSL_CLIENT_HELLO_ERROR;
751 return SSL_CLIENT_HELLO_SUCCESS;
754 static int test_client_hello_cb(void)
756 SSL_CTX *cctx = NULL, *sctx = NULL;
757 SSL *clientssl = NULL, *serverssl = NULL;
758 int testctr = 0, testresult = 0;
760 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
761 TLS_client_method(), TLS1_VERSION, 0,
762 &sctx, &cctx, cert, privkey)))
764 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
766 /* The gimpy cipher list we configure can't do TLS 1.3. */
767 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
769 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
770 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
771 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
772 &clientssl, NULL, NULL))
773 || !TEST_false(create_ssl_connection(serverssl, clientssl,
774 SSL_ERROR_WANT_CLIENT_HELLO_CB))
776 * Passing a -1 literal is a hack since
777 * the real value was lost.
779 || !TEST_int_eq(SSL_get_error(serverssl, -1),
780 SSL_ERROR_WANT_CLIENT_HELLO_CB)
781 || !TEST_true(create_ssl_connection(serverssl, clientssl,
796 static int test_no_ems(void)
798 SSL_CTX *cctx = NULL, *sctx = NULL;
799 SSL *clientssl = NULL, *serverssl = NULL;
800 int testresult = 0, status;
802 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
803 TLS1_VERSION, TLS1_2_VERSION,
804 &sctx, &cctx, cert, privkey)) {
805 printf("Unable to create SSL_CTX pair\n");
809 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
811 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
812 printf("Unable to create SSL objects\n");
816 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
817 if (fips_ems_check) {
819 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
824 printf("Creating SSL connection failed\n");
827 if (SSL_get_extms_support(serverssl)) {
828 printf("Server reports Extended Master Secret support\n");
831 if (SSL_get_extms_support(clientssl)) {
832 printf("Client reports Extended Master Secret support\n");
848 * Very focused test to exercise a single case in the server-side state
849 * machine, when the ChangeCipherState message needs to actually change
850 * from one cipher to a different cipher (i.e., not changing from null
851 * encryption to real encryption).
853 static int test_ccs_change_cipher(void)
855 SSL_CTX *cctx = NULL, *sctx = NULL;
856 SSL *clientssl = NULL, *serverssl = NULL;
857 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
864 * Create a connection so we can resume and potentially (but not) use
865 * a different cipher in the second connection.
867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
869 TLS1_VERSION, TLS1_2_VERSION,
870 &sctx, &cctx, cert, privkey))
871 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
872 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
874 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
875 || !TEST_true(create_ssl_connection(serverssl, clientssl,
877 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
878 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
881 shutdown_ssl_connection(serverssl, clientssl);
882 serverssl = clientssl = NULL;
884 /* Resume, preferring a different cipher. Our server will force the
885 * same cipher to be used as the initial handshake. */
886 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
888 || !TEST_true(SSL_set_session(clientssl, sess))
889 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
890 || !TEST_true(create_ssl_connection(serverssl, clientssl,
892 || !TEST_true(SSL_session_reused(clientssl))
893 || !TEST_true(SSL_session_reused(serverssl))
894 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
895 || !TEST_ptr_eq(sesspre, sesspost)
896 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
897 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
899 shutdown_ssl_connection(serverssl, clientssl);
900 serverssl = clientssl = NULL;
903 * Now create a fresh connection and try to renegotiate a different
906 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
908 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
909 || !TEST_true(create_ssl_connection(serverssl, clientssl,
911 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
912 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
913 || !TEST_true(SSL_renegotiate(clientssl))
914 || !TEST_true(SSL_renegotiate_pending(clientssl)))
916 /* Actually drive the renegotiation. */
917 for (i = 0; i < 3; i++) {
918 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
919 if (!TEST_ulong_eq(readbytes, 0))
921 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
922 SSL_ERROR_WANT_READ)) {
925 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
926 if (!TEST_ulong_eq(readbytes, 0))
928 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
929 SSL_ERROR_WANT_READ)) {
933 /* sesspre and sesspost should be different since the cipher changed. */
934 if (!TEST_false(SSL_renegotiate_pending(clientssl))
935 || !TEST_false(SSL_session_reused(clientssl))
936 || !TEST_false(SSL_session_reused(serverssl))
937 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
938 || !TEST_ptr_ne(sesspre, sesspost)
939 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
940 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
943 shutdown_ssl_connection(serverssl, clientssl);
944 serverssl = clientssl = NULL;
953 SSL_SESSION_free(sess);
959 static int add_large_cert_chain(SSL_CTX *sctx)
962 X509 *chaincert = NULL;
967 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
970 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
973 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
979 * We assume the supplied certificate is big enough so that if we add
980 * NUM_EXTRA_CERTS it will make the overall message large enough. The
981 * default buffer size is requested to be 16k, but due to the way BUF_MEM
982 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
983 * test we need to have a message larger than that.
985 certlen = i2d_X509(chaincert, NULL);
986 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
987 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
988 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
989 if (!X509_up_ref(chaincert))
991 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
992 X509_free(chaincert);
1000 X509_free(chaincert);
1004 static int execute_test_large_message(const SSL_METHOD *smeth,
1005 const SSL_METHOD *cmeth,
1006 int min_version, int max_version,
1009 SSL_CTX *cctx = NULL, *sctx = NULL;
1010 SSL *clientssl = NULL, *serverssl = NULL;
1013 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
1014 max_version, &sctx, &cctx, cert,
1018 #ifdef OPENSSL_NO_DTLS1_2
1019 if (smeth == DTLS_server_method()) {
1021 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1024 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1025 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1026 "DEFAULT:@SECLEVEL=0")))
1033 * Test that read_ahead works correctly when dealing with large
1036 SSL_CTX_set_read_ahead(cctx, 1);
1039 if (!add_large_cert_chain(sctx))
1042 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1044 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1049 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1052 if (!TEST_true(SSL_clear(serverssl)))
1057 SSL_free(serverssl);
1058 SSL_free(clientssl);
1065 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1066 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1067 /* sock must be connected */
1068 static int ktls_chk_platform(int sock)
1070 if (!ktls_enable(sock))
1075 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1077 static char count = 1;
1078 unsigned char cbuf[16000] = {0};
1079 unsigned char sbuf[16000];
1081 char crec_wseq_before[SEQ_NUM_SIZE];
1082 char crec_wseq_after[SEQ_NUM_SIZE];
1083 char crec_rseq_before[SEQ_NUM_SIZE];
1084 char crec_rseq_after[SEQ_NUM_SIZE];
1085 char srec_wseq_before[SEQ_NUM_SIZE];
1086 char srec_wseq_after[SEQ_NUM_SIZE];
1087 char srec_rseq_before[SEQ_NUM_SIZE];
1088 char srec_rseq_after[SEQ_NUM_SIZE];
1089 SSL_CONNECTION *clientsc, *serversc;
1091 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1092 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1096 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1097 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1098 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1099 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1101 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1104 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1105 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1110 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1113 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1114 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1119 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1120 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1121 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1122 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1124 /* verify the payload */
1125 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1129 * If ktls is used then kernel sequences are used instead of
1132 if (!BIO_get_ktls_send(clientsc->wbio)) {
1133 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1134 crec_wseq_after, SEQ_NUM_SIZE))
1137 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1138 crec_wseq_after, SEQ_NUM_SIZE))
1142 if (!BIO_get_ktls_send(serversc->wbio)) {
1143 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1144 srec_wseq_after, SEQ_NUM_SIZE))
1147 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1148 srec_wseq_after, SEQ_NUM_SIZE))
1152 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1153 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1154 crec_rseq_after, SEQ_NUM_SIZE))
1157 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1158 crec_rseq_after, SEQ_NUM_SIZE))
1162 if (!BIO_get_ktls_recv(serversc->wbio)) {
1163 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1164 srec_rseq_after, SEQ_NUM_SIZE))
1167 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1168 srec_rseq_after, SEQ_NUM_SIZE))
1177 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1178 int tls_version, const char *cipher)
1180 SSL_CTX *cctx = NULL, *sctx = NULL;
1181 SSL *clientssl = NULL, *serverssl = NULL;
1182 int ktls_used = 0, testresult = 0;
1183 int cfd = -1, sfd = -1;
1185 SSL_CONNECTION *clientsc, *serversc;
1187 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1190 /* Skip this test if the platform does not support ktls */
1191 if (!ktls_chk_platform(cfd)) {
1192 testresult = TEST_skip("Kernel does not support KTLS");
1196 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1197 testresult = TEST_skip("CHACHA is not supported in FIPS");
1201 /* Create a session based on SHA-256 */
1202 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1203 TLS_client_method(),
1204 tls_version, tls_version,
1205 &sctx, &cctx, cert, privkey)))
1208 if (tls_version == TLS1_3_VERSION) {
1209 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1210 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1213 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1214 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1218 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1219 &clientssl, sfd, cfd)))
1222 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1223 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1227 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1232 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1236 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1240 * The running kernel may not support a given cipher suite
1241 * or direction, so just check that KTLS isn't used when it
1245 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1248 if (BIO_get_ktls_send(clientsc->wbio))
1253 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1256 if (BIO_get_ktls_send(serversc->wbio))
1260 #if defined(OPENSSL_NO_KTLS_RX)
1265 if (!cis_ktls || !rx_supported) {
1266 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1269 if (BIO_get_ktls_send(clientsc->rbio))
1273 if (!sis_ktls || !rx_supported) {
1274 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1277 if (BIO_get_ktls_send(serversc->rbio))
1281 if ((cis_ktls || sis_ktls) && !ktls_used) {
1282 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1283 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1288 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1294 SSL_shutdown(clientssl);
1295 SSL_free(clientssl);
1298 SSL_shutdown(serverssl);
1299 SSL_free(serverssl);
1303 serverssl = clientssl = NULL;
1311 #define SENDFILE_SZ (16 * 4096)
1312 #define SENDFILE_CHUNK (4 * 4096)
1313 #define min(a,b) ((a) > (b) ? (b) : (a))
1315 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1318 SSL_CTX *cctx = NULL, *sctx = NULL;
1319 SSL *clientssl = NULL, *serverssl = NULL;
1320 unsigned char *buf, *buf_dst;
1321 BIO *out = NULL, *in = NULL;
1322 int cfd = -1, sfd = -1, ffd, err;
1323 ssize_t chunk_size = 0;
1324 off_t chunk_off = 0;
1327 SSL_CONNECTION *serversc;
1329 buf = OPENSSL_zalloc(SENDFILE_SZ);
1330 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1331 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1332 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1335 /* Skip this test if the platform does not support ktls */
1336 if (!ktls_chk_platform(sfd)) {
1337 testresult = TEST_skip("Kernel does not support KTLS");
1341 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1342 testresult = TEST_skip("CHACHA is not supported in FIPS");
1346 /* Create a session based on SHA-256 */
1347 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1348 TLS_client_method(),
1349 tls_version, tls_version,
1350 &sctx, &cctx, cert, privkey)))
1353 if (tls_version == TLS1_3_VERSION) {
1354 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1355 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1358 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1359 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1363 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1364 &clientssl, sfd, cfd)))
1367 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1370 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1374 if (!TEST_true(SSL_set_options(serverssl,
1375 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1379 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1383 if (!BIO_get_ktls_send(serversc->wbio)) {
1384 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1385 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1390 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1393 out = BIO_new_file(tmpfilename, "wb");
1397 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1402 in = BIO_new_file(tmpfilename, "rb");
1403 BIO_get_fp(in, &ffdp);
1406 while (chunk_off < SENDFILE_SZ) {
1407 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1408 while ((err = SSL_sendfile(serverssl,
1412 0)) != chunk_size) {
1413 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1416 while ((err = SSL_read(clientssl,
1417 buf_dst + chunk_off,
1418 chunk_size)) != chunk_size) {
1419 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1423 /* verify the payload */
1424 if (!TEST_mem_eq(buf_dst + chunk_off,
1430 chunk_off += chunk_size;
1436 SSL_shutdown(clientssl);
1437 SSL_free(clientssl);
1440 SSL_shutdown(serverssl);
1441 SSL_free(serverssl);
1445 serverssl = clientssl = NULL;
1453 OPENSSL_free(buf_dst);
1457 static struct ktls_test_cipher {
1460 } ktls_test_ciphers[] = {
1461 # if !defined(OPENSSL_NO_TLS1_2)
1462 # ifdef OPENSSL_KTLS_AES_GCM_128
1463 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1465 # ifdef OPENSSL_KTLS_AES_CCM_128
1466 { TLS1_2_VERSION, "AES128-CCM"},
1468 # ifdef OPENSSL_KTLS_AES_GCM_256
1469 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1471 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1472 # ifndef OPENSSL_NO_EC
1473 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1477 # if !defined(OSSL_NO_USABLE_TLS1_3)
1478 # ifdef OPENSSL_KTLS_AES_GCM_128
1479 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1481 # ifdef OPENSSL_KTLS_AES_CCM_128
1482 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1484 # ifdef OPENSSL_KTLS_AES_GCM_256
1485 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1487 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1488 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1493 #define NUM_KTLS_TEST_CIPHERS \
1494 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1496 static int test_ktls(int test)
1498 struct ktls_test_cipher *cipher;
1499 int cis_ktls, sis_ktls;
1501 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1502 cipher = &ktls_test_ciphers[test / 4];
1504 cis_ktls = (test & 1) != 0;
1505 sis_ktls = (test & 2) != 0;
1507 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1511 static int test_ktls_sendfile(int test)
1513 struct ktls_test_cipher *cipher;
1514 int tst = test >> 1;
1516 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1517 cipher = &ktls_test_ciphers[tst];
1519 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1524 static int test_large_message_tls(void)
1526 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1527 TLS1_VERSION, 0, 0);
1530 static int test_large_message_tls_read_ahead(void)
1532 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1533 TLS1_VERSION, 0, 1);
1536 #ifndef OPENSSL_NO_DTLS
1537 static int test_large_message_dtls(void)
1539 # ifdef OPENSSL_NO_DTLS1_2
1540 /* Not supported in the FIPS provider */
1545 * read_ahead is not relevant to DTLS because DTLS always acts as if
1546 * read_ahead is set.
1548 return execute_test_large_message(DTLS_server_method(),
1549 DTLS_client_method(),
1550 DTLS1_VERSION, 0, 0);
1555 * Test we can successfully send the maximum amount of application data. We
1556 * test each protocol version individually, each with and without EtM enabled.
1557 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1558 * simpler this way. We also test all combinations with and without the
1559 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1560 * underlying buffer.
1562 static int test_large_app_data(int tst)
1564 SSL_CTX *cctx = NULL, *sctx = NULL;
1565 SSL *clientssl = NULL, *serverssl = NULL;
1566 int testresult = 0, prot;
1567 unsigned char *msg, *buf = NULL;
1568 size_t written, readbytes;
1569 const SSL_METHOD *smeth = TLS_server_method();
1570 const SSL_METHOD *cmeth = TLS_client_method();
1574 #ifndef OSSL_NO_USABLE_TLS1_3
1575 prot = TLS1_3_VERSION;
1582 #ifndef OPENSSL_NO_TLS1_2
1583 prot = TLS1_2_VERSION;
1590 #ifndef OPENSSL_NO_TLS1_1
1591 prot = TLS1_1_VERSION;
1598 #ifndef OPENSSL_NO_TLS1
1599 prot = TLS1_VERSION;
1606 #ifndef OPENSSL_NO_SSL3
1607 prot = SSL3_VERSION;
1614 #ifndef OPENSSL_NO_DTLS1_2
1615 prot = DTLS1_2_VERSION;
1616 smeth = DTLS_server_method();
1617 cmeth = DTLS_client_method();
1624 #ifndef OPENSSL_NO_DTLS1
1625 prot = DTLS1_VERSION;
1626 smeth = DTLS_server_method();
1627 cmeth = DTLS_client_method();
1634 /* Shouldn't happen */
1638 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1641 /* Maximal sized message of zeros */
1642 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1646 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1649 /* Set whole buffer to all bits set */
1650 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1652 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1653 &sctx, &cctx, cert, privkey)))
1656 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1657 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1658 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1659 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1660 "DEFAULT:@SECLEVEL=0")))
1664 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1665 &clientssl, NULL, NULL)))
1668 if ((tst & 1) != 0) {
1669 /* Setting this option gives us a minimally sized underlying buffer */
1670 if (!TEST_true(SSL_set_options(serverssl,
1671 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1672 || !TEST_true(SSL_set_options(clientssl,
1673 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1677 if ((tst & 2) != 0) {
1679 * Setting this option means the MAC is added before encryption
1680 * giving us a larger record for the encryption process
1682 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1683 || !TEST_true(SSL_set_options(clientssl,
1684 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1688 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1691 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1693 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1696 /* We provide a buffer slightly larger than what we are actually expecting */
1697 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1701 if (!TEST_mem_eq(msg, written, buf, readbytes))
1708 SSL_free(serverssl);
1709 SSL_free(clientssl);
1715 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1716 || !defined(OPENSSL_NO_DTLS)
1717 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1718 const SSL_METHOD *cmeth,
1719 int min_version, int max_version)
1722 SSL_CTX *cctx = NULL, *sctx = NULL;
1723 SSL *clientssl = NULL, *serverssl = NULL;
1725 const unsigned char *zbuf;
1726 SSL_CONNECTION *serversc;
1729 static unsigned char cbuf[16000];
1730 static unsigned char sbuf[16000];
1732 if (!TEST_true(create_ssl_ctx_pair(libctx,
1734 min_version, max_version,
1739 # ifdef OPENSSL_NO_DTLS1_2
1740 if (smeth == DTLS_server_method()) {
1741 /* Not supported in the FIPS provider */
1747 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1750 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1751 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1752 "DEFAULT:@SECLEVEL=0")))
1757 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1761 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1764 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1768 for (i = 0; i < sizeof(cbuf); i++) {
1772 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1775 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1778 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1782 * Since we called SSL_peek(), we know the data in the record
1783 * layer is a plaintext record. We can gather the pointer to check
1784 * for zeroization after SSL_read().
1786 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1788 rr = serversc->rlayer.tlsrecs;
1790 zbuf = &rr->data[rr->off];
1791 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1795 * After SSL_peek() the plaintext must still be stored in the
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1801 memset(sbuf, 0, sizeof(sbuf));
1802 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1805 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1808 /* Check if rbuf is cleansed */
1809 memset(cbuf, 0, sizeof(cbuf));
1810 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1815 SSL_free(serverssl);
1816 SSL_free(clientssl);
1823 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1824 * || !defined(OPENSSL_NO_DTLS)
1827 static int test_cleanse_plaintext(void)
1829 #if !defined(OPENSSL_NO_TLS1_2)
1830 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1831 TLS_client_method(),
1838 #if !defined(OSSL_NO_USABLE_TLS1_3)
1839 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1840 TLS_client_method(),
1846 #if !defined(OPENSSL_NO_DTLS)
1848 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1849 DTLS_client_method(),
1857 #ifndef OPENSSL_NO_OCSP
1858 static int ocsp_server_cb(SSL *s, void *arg)
1860 int *argi = (int *)arg;
1861 unsigned char *copy = NULL;
1862 STACK_OF(OCSP_RESPID) *ids = NULL;
1863 OCSP_RESPID *id = NULL;
1866 /* In this test we are expecting exactly 1 OCSP_RESPID */
1867 SSL_get_tlsext_status_ids(s, &ids);
1868 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1869 return SSL_TLSEXT_ERR_ALERT_FATAL;
1871 id = sk_OCSP_RESPID_value(ids, 0);
1872 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1873 return SSL_TLSEXT_ERR_ALERT_FATAL;
1874 } else if (*argi != 1) {
1875 return SSL_TLSEXT_ERR_ALERT_FATAL;
1878 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1879 return SSL_TLSEXT_ERR_ALERT_FATAL;
1881 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1882 sizeof(orespder)))) {
1884 return SSL_TLSEXT_ERR_ALERT_FATAL;
1886 ocsp_server_called = 1;
1887 return SSL_TLSEXT_ERR_OK;
1890 static int ocsp_client_cb(SSL *s, void *arg)
1892 int *argi = (int *)arg;
1893 const unsigned char *respderin;
1896 if (*argi != 1 && *argi != 2)
1899 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1900 if (!TEST_mem_eq(orespder, len, respderin, len))
1903 ocsp_client_called = 1;
1907 static int test_tlsext_status_type(void)
1909 SSL_CTX *cctx = NULL, *sctx = NULL;
1910 SSL *clientssl = NULL, *serverssl = NULL;
1912 STACK_OF(OCSP_RESPID) *ids = NULL;
1913 OCSP_RESPID *id = NULL;
1914 BIO *certbio = NULL;
1916 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1918 &sctx, &cctx, cert, privkey))
1921 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1924 /* First just do various checks getting and setting tlsext_status_type */
1926 clientssl = SSL_new(cctx);
1927 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1928 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1929 TLSEXT_STATUSTYPE_ocsp))
1930 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1931 TLSEXT_STATUSTYPE_ocsp))
1934 SSL_free(clientssl);
1937 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1938 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1941 clientssl = SSL_new(cctx);
1942 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1944 SSL_free(clientssl);
1948 * Now actually do a handshake and check OCSP information is exchanged and
1949 * the callbacks get called
1951 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1952 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1953 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1954 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1955 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1956 &clientssl, NULL, NULL))
1957 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1959 || !TEST_true(ocsp_client_called)
1960 || !TEST_true(ocsp_server_called))
1962 SSL_free(serverssl);
1963 SSL_free(clientssl);
1967 /* Try again but this time force the server side callback to fail */
1968 ocsp_client_called = 0;
1969 ocsp_server_called = 0;
1971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1972 &clientssl, NULL, NULL))
1973 /* This should fail because the callback will fail */
1974 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1976 || !TEST_false(ocsp_client_called)
1977 || !TEST_false(ocsp_server_called))
1979 SSL_free(serverssl);
1980 SSL_free(clientssl);
1985 * This time we'll get the client to send an OCSP_RESPID that it will
1988 ocsp_client_called = 0;
1989 ocsp_server_called = 0;
1991 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1992 &clientssl, NULL, NULL)))
1996 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1997 * specific one. We'll use the server cert.
1999 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
2000 || !TEST_ptr(id = OCSP_RESPID_new())
2001 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
2002 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
2003 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
2004 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
2005 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
2008 SSL_set_tlsext_status_ids(clientssl, ids);
2009 /* Control has been transferred */
2015 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2017 || !TEST_true(ocsp_client_called)
2018 || !TEST_true(ocsp_server_called))
2024 SSL_free(serverssl);
2025 SSL_free(clientssl);
2028 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2029 OCSP_RESPID_free(id);
2031 X509_free(ocspcert);
2038 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2039 static int new_called, remove_called, get_called;
2041 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2045 * sess has been up-refed for us, but we don't actually need it so free it
2048 SSL_SESSION_free(sess);
2052 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2057 static SSL_SESSION *get_sess_val = NULL;
2059 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2064 return get_sess_val;
2067 static int execute_test_session(int maxprot, int use_int_cache,
2068 int use_ext_cache, long s_options)
2070 SSL_CTX *sctx = NULL, *cctx = NULL;
2071 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2072 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2073 # ifndef OPENSSL_NO_TLS1_1
2074 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2076 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2077 int testresult = 0, numnewsesstick = 1;
2079 new_called = remove_called = 0;
2081 /* TLSv1.3 sends 2 NewSessionTickets */
2082 if (maxprot == TLS1_3_VERSION)
2085 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2086 TLS_client_method(), TLS1_VERSION, 0,
2087 &sctx, &cctx, cert, privkey)))
2091 * Only allow the max protocol version so we can force a connection failure
2094 SSL_CTX_set_min_proto_version(cctx, maxprot);
2095 SSL_CTX_set_max_proto_version(cctx, maxprot);
2097 /* Set up session cache */
2098 if (use_ext_cache) {
2099 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2100 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2102 if (use_int_cache) {
2103 /* Also covers instance where both are set */
2104 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2106 SSL_CTX_set_session_cache_mode(cctx,
2107 SSL_SESS_CACHE_CLIENT
2108 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2112 SSL_CTX_set_options(sctx, s_options);
2115 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2117 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2119 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2122 /* Should fail because it should already be in the cache */
2123 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2126 && (!TEST_int_eq(new_called, numnewsesstick)
2128 || !TEST_int_eq(remove_called, 0)))
2131 new_called = remove_called = 0;
2132 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2133 &clientssl2, NULL, NULL))
2134 || !TEST_true(SSL_set_session(clientssl2, sess1))
2135 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2137 || !TEST_true(SSL_session_reused(clientssl2)))
2140 if (maxprot == TLS1_3_VERSION) {
2142 * In TLSv1.3 we should have created a new session even though we have
2143 * resumed. Since we attempted a resume we should also have removed the
2144 * old ticket from the cache so that we try to only use tickets once.
2147 && (!TEST_int_eq(new_called, 1)
2148 || !TEST_int_eq(remove_called, 1)))
2152 * In TLSv1.2 we expect to have resumed so no sessions added or
2156 && (!TEST_int_eq(new_called, 0)
2157 || !TEST_int_eq(remove_called, 0)))
2161 SSL_SESSION_free(sess1);
2162 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2164 shutdown_ssl_connection(serverssl2, clientssl2);
2165 serverssl2 = clientssl2 = NULL;
2167 new_called = remove_called = 0;
2168 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2169 &clientssl2, NULL, NULL))
2170 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2174 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2178 && (!TEST_int_eq(new_called, numnewsesstick)
2179 || !TEST_int_eq(remove_called, 0)))
2182 new_called = remove_called = 0;
2184 * This should clear sess2 from the cache because it is a "bad" session.
2185 * See SSL_set_session() documentation.
2187 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2190 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2192 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2195 if (use_int_cache) {
2196 /* Should succeeded because it should not already be in the cache */
2197 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2198 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2202 new_called = remove_called = 0;
2203 /* This shouldn't be in the cache so should fail */
2204 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2208 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2211 # if !defined(OPENSSL_NO_TLS1_1)
2212 new_called = remove_called = 0;
2213 /* Force a connection failure */
2214 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2216 &clientssl3, NULL, NULL))
2217 || !TEST_true(SSL_set_session(clientssl3, sess1))
2218 /* This should fail because of the mismatched protocol versions */
2219 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2223 /* We should have automatically removed the session from the cache */
2225 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2228 /* Should succeed because it should not already be in the cache */
2229 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2233 /* Now do some tests for server side caching */
2234 if (use_ext_cache) {
2235 SSL_CTX_sess_set_new_cb(cctx, NULL);
2236 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2237 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2238 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2239 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2240 get_sess_val = NULL;
2243 SSL_CTX_set_session_cache_mode(cctx, 0);
2244 /* Internal caching is the default on the server side */
2246 SSL_CTX_set_session_cache_mode(sctx,
2247 SSL_SESS_CACHE_SERVER
2248 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2250 SSL_free(serverssl1);
2251 SSL_free(clientssl1);
2252 serverssl1 = clientssl1 = NULL;
2253 SSL_free(serverssl2);
2254 SSL_free(clientssl2);
2255 serverssl2 = clientssl2 = NULL;
2256 SSL_SESSION_free(sess1);
2258 SSL_SESSION_free(sess2);
2261 SSL_CTX_set_max_proto_version(sctx, maxprot);
2262 if (maxprot == TLS1_2_VERSION)
2263 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2264 new_called = remove_called = get_called = 0;
2265 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2267 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2269 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2270 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2273 if (use_int_cache) {
2274 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2276 * In TLSv1.3 it should not have been added to the internal cache,
2277 * except in the case where we also have an external cache (in that
2278 * case it gets added to the cache in order to generate remove
2279 * events after timeout).
2281 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2284 /* Should fail because it should already be in the cache */
2285 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2290 if (use_ext_cache) {
2291 SSL_SESSION *tmp = sess2;
2293 if (!TEST_int_eq(new_called, numnewsesstick)
2294 || !TEST_int_eq(remove_called, 0)
2295 || !TEST_int_eq(get_called, 0))
2298 * Delete the session from the internal cache to force a lookup from
2299 * the external cache. We take a copy first because
2300 * SSL_CTX_remove_session() also marks the session as non-resumable.
2302 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2303 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2304 || !TEST_true(sess2->owner != NULL)
2305 || !TEST_true(tmp->owner == NULL)
2306 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2308 SSL_SESSION_free(sess2);
2313 new_called = remove_called = get_called = 0;
2314 get_sess_val = sess2;
2315 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2316 &clientssl2, NULL, NULL))
2317 || !TEST_true(SSL_set_session(clientssl2, sess1))
2318 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2320 || !TEST_true(SSL_session_reused(clientssl2)))
2323 if (use_ext_cache) {
2324 if (!TEST_int_eq(remove_called, 0))
2327 if (maxprot == TLS1_3_VERSION) {
2328 if (!TEST_int_eq(new_called, 1)
2329 || !TEST_int_eq(get_called, 0))
2332 if (!TEST_int_eq(new_called, 0)
2333 || !TEST_int_eq(get_called, 1))
2338 * Make a small cache, force out all other sessions but
2339 * sess2, try to add sess1, which should succeed. Then
2340 * make sure it's there by checking the owners. Despite
2341 * the timeouts, sess1 should have kicked out sess2
2344 /* Make sess1 expire before sess2 */
2345 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2346 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2347 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2348 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2351 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2354 /* Don't care about results - cache should only be sess2 at end */
2355 SSL_CTX_add_session(sctx, sess1);
2356 SSL_CTX_add_session(sctx, sess2);
2358 /* Now add sess1, and make sure it remains, despite timeout */
2359 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2360 || !TEST_ptr(sess1->owner)
2361 || !TEST_ptr_null(sess2->owner))
2367 SSL_free(serverssl1);
2368 SSL_free(clientssl1);
2369 SSL_free(serverssl2);
2370 SSL_free(clientssl2);
2371 # ifndef OPENSSL_NO_TLS1_1
2372 SSL_free(serverssl3);
2373 SSL_free(clientssl3);
2375 SSL_SESSION_free(sess1);
2376 SSL_SESSION_free(sess2);
2382 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2384 static int test_session_with_only_int_cache(void)
2386 #ifndef OSSL_NO_USABLE_TLS1_3
2387 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2391 #ifndef OPENSSL_NO_TLS1_2
2392 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2398 static int test_session_with_only_ext_cache(void)
2400 #ifndef OSSL_NO_USABLE_TLS1_3
2401 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2405 #ifndef OPENSSL_NO_TLS1_2
2406 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2412 static int test_session_with_both_cache(void)
2414 #ifndef OSSL_NO_USABLE_TLS1_3
2415 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2419 #ifndef OPENSSL_NO_TLS1_2
2420 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2426 static int test_session_wo_ca_names(void)
2428 #ifndef OSSL_NO_USABLE_TLS1_3
2429 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2433 #ifndef OPENSSL_NO_TLS1_2
2434 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2441 #ifndef OSSL_NO_USABLE_TLS1_3
2442 static SSL_SESSION *sesscache[6];
2443 static int do_cache;
2445 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2448 sesscache[new_called] = sess;
2450 /* We don't need the reference to the session, so free it */
2451 SSL_SESSION_free(sess);
2458 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2460 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2461 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2464 /* Start handshake on the server and client */
2465 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2466 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2467 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2468 || !TEST_true(create_ssl_connection(sssl, cssl,
2475 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2478 int sess_id_ctx = 1;
2480 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2481 TLS_client_method(), TLS1_VERSION, 0,
2482 sctx, cctx, cert, privkey))
2483 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2484 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2485 (void *)&sess_id_ctx,
2486 sizeof(sess_id_ctx))))
2490 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2492 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2493 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2494 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2499 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2501 SSL *serverssl = NULL, *clientssl = NULL;
2504 /* Test that we can resume with all the tickets we got given */
2505 for (i = 0; i < idx * 2; i++) {
2507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2508 &clientssl, NULL, NULL))
2509 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2512 SSL_set_post_handshake_auth(clientssl, 1);
2514 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2519 * Following a successful resumption we only get 1 ticket. After a
2520 * failed one we should get idx tickets.
2523 if (!TEST_true(SSL_session_reused(clientssl))
2524 || !TEST_int_eq(new_called, 1))
2527 if (!TEST_false(SSL_session_reused(clientssl))
2528 || !TEST_int_eq(new_called, idx))
2533 /* After a post-handshake authentication we should get 1 new ticket */
2535 && (!post_handshake_verify(serverssl, clientssl)
2536 || !TEST_int_eq(new_called, 1)))
2539 SSL_shutdown(clientssl);
2540 SSL_shutdown(serverssl);
2541 SSL_free(serverssl);
2542 SSL_free(clientssl);
2543 serverssl = clientssl = NULL;
2544 SSL_SESSION_free(sesscache[i]);
2545 sesscache[i] = NULL;
2551 SSL_free(clientssl);
2552 SSL_free(serverssl);
2556 static int test_tickets(int stateful, int idx)
2558 SSL_CTX *sctx = NULL, *cctx = NULL;
2559 SSL *serverssl = NULL, *clientssl = NULL;
2563 /* idx is the test number, but also the number of tickets we want */
2568 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2571 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2572 &clientssl, NULL, NULL)))
2575 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2577 /* Check we got the number of tickets we were expecting */
2578 || !TEST_int_eq(idx, new_called))
2581 SSL_shutdown(clientssl);
2582 SSL_shutdown(serverssl);
2583 SSL_free(serverssl);
2584 SSL_free(clientssl);
2587 clientssl = serverssl = NULL;
2591 * Now we try to resume with the tickets we previously created. The
2592 * resumption attempt is expected to fail (because we're now using a new
2593 * SSL_CTX). We should see idx number of tickets issued again.
2596 /* Stop caching sessions - just count them */
2599 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2602 if (!check_resumption(idx, sctx, cctx, 0))
2605 /* Start again with caching sessions */
2612 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2615 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2616 &clientssl, NULL, NULL)))
2619 SSL_set_post_handshake_auth(clientssl, 1);
2621 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2623 /* Check we got the number of tickets we were expecting */
2624 || !TEST_int_eq(idx, new_called))
2627 /* After a post-handshake authentication we should get new tickets issued */
2628 if (!post_handshake_verify(serverssl, clientssl)
2629 || !TEST_int_eq(idx * 2, new_called))
2632 SSL_shutdown(clientssl);
2633 SSL_shutdown(serverssl);
2634 SSL_free(serverssl);
2635 SSL_free(clientssl);
2636 serverssl = clientssl = NULL;
2638 /* Stop caching sessions - just count them */
2642 * Check we can resume with all the tickets we created. This time around the
2643 * resumptions should all be successful.
2645 if (!check_resumption(idx, sctx, cctx, 1))
2651 SSL_free(serverssl);
2652 SSL_free(clientssl);
2653 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2654 SSL_SESSION_free(sesscache[j]);
2655 sesscache[j] = NULL;
2663 static int test_stateless_tickets(int idx)
2665 return test_tickets(0, idx);
2668 static int test_stateful_tickets(int idx)
2670 return test_tickets(1, idx);
2673 static int test_psk_tickets(void)
2675 SSL_CTX *sctx = NULL, *cctx = NULL;
2676 SSL *serverssl = NULL, *clientssl = NULL;
2678 int sess_id_ctx = 1;
2680 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2681 TLS_client_method(), TLS1_VERSION, 0,
2682 &sctx, &cctx, NULL, NULL))
2683 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2684 (void *)&sess_id_ctx,
2685 sizeof(sess_id_ctx))))
2688 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2689 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2690 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2691 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2692 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2693 use_session_cb_cnt = 0;
2694 find_session_cb_cnt = 0;
2698 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2701 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2702 if (!TEST_ptr(clientpsk))
2704 SSL_SESSION_up_ref(clientpsk);
2706 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2708 || !TEST_int_eq(1, find_session_cb_cnt)
2709 || !TEST_int_eq(1, use_session_cb_cnt)
2710 /* We should always get 1 ticket when using external PSK */
2711 || !TEST_int_eq(1, new_called))
2717 SSL_free(serverssl);
2718 SSL_free(clientssl);
2721 SSL_SESSION_free(clientpsk);
2722 SSL_SESSION_free(serverpsk);
2723 clientpsk = serverpsk = NULL;
2728 static int test_extra_tickets(int idx)
2730 SSL_CTX *sctx = NULL, *cctx = NULL;
2731 SSL *serverssl = NULL, *clientssl = NULL;
2732 BIO *bretry = BIO_new(bio_s_always_retry());
2737 unsigned char c, buf[1];
2747 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2749 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2750 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2751 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2753 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2754 &clientssl, NULL, NULL)))
2758 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2759 * incremented by both client and server.
2761 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2763 /* Check we got the number of tickets we were expecting */
2764 || !TEST_int_eq(idx * 2, new_called)
2765 || !TEST_true(SSL_new_session_ticket(serverssl))
2766 || !TEST_true(SSL_new_session_ticket(serverssl))
2767 || !TEST_int_eq(idx * 2, new_called))
2770 /* Now try a (real) write to actually send the tickets */
2772 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2773 || !TEST_size_t_eq(1, nbytes)
2774 || !TEST_int_eq(idx * 2 + 2, new_called)
2775 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2776 || !TEST_int_eq(idx * 2 + 4, new_called)
2777 || !TEST_int_eq(sizeof(buf), nbytes)
2778 || !TEST_int_eq(c, buf[0])
2779 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2782 /* Try with only requesting one new ticket, too */
2785 if (!TEST_true(SSL_new_session_ticket(serverssl))
2786 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2787 || !TEST_size_t_eq(sizeof(c), nbytes)
2788 || !TEST_int_eq(1, new_called)
2789 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2790 || !TEST_int_eq(2, new_called)
2791 || !TEST_size_t_eq(sizeof(buf), nbytes)
2792 || !TEST_int_eq(c, buf[0]))
2795 /* Do it again but use dummy writes to drive the ticket generation */
2798 if (!TEST_true(SSL_new_session_ticket(serverssl))
2799 || !TEST_true(SSL_new_session_ticket(serverssl))
2800 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2801 || !TEST_size_t_eq(0, nbytes)
2802 || !TEST_int_eq(2, new_called)
2803 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2804 || !TEST_int_eq(4, new_called))
2807 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2810 if (!TEST_true(SSL_new_session_ticket(serverssl))
2811 || !TEST_true(SSL_new_session_ticket(serverssl))
2812 || !TEST_true(SSL_do_handshake(serverssl))
2813 || !TEST_int_eq(2, new_called)
2814 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2815 || !TEST_int_eq(4, new_called))
2819 * Use the always-retry BIO to exercise the logic that forces ticket
2820 * generation to wait until a record boundary.
2824 tmp = SSL_get_wbio(serverssl);
2825 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2829 SSL_set0_wbio(serverssl, bretry);
2831 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2832 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2833 || !TEST_size_t_eq(nbytes, 0))
2835 /* Restore a BIO that will let the write succeed */
2836 SSL_set0_wbio(serverssl, tmp);
2839 * These calls should just queue the request and not send anything
2840 * even if we explicitly try to hit the state machine.
2842 if (!TEST_true(SSL_new_session_ticket(serverssl))
2843 || !TEST_true(SSL_new_session_ticket(serverssl))
2844 || !TEST_int_eq(0, new_called)
2845 || !TEST_true(SSL_do_handshake(serverssl))
2846 || !TEST_int_eq(0, new_called))
2848 /* Re-do the write; still no tickets sent */
2849 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2850 || !TEST_size_t_eq(1, nbytes)
2851 || !TEST_int_eq(0, new_called)
2852 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2853 || !TEST_int_eq(0, new_called)
2854 || !TEST_int_eq(sizeof(buf), nbytes)
2855 || !TEST_int_eq(c, buf[0])
2856 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2858 /* Even trying to hit the state machine now will still not send tickets */
2859 if (!TEST_true(SSL_do_handshake(serverssl))
2860 || !TEST_int_eq(0, new_called))
2862 /* Now the *next* write should send the tickets */
2864 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2865 || !TEST_size_t_eq(1, nbytes)
2866 || !TEST_int_eq(2, new_called)
2867 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2868 || !TEST_int_eq(4, new_called)
2869 || !TEST_int_eq(sizeof(buf), nbytes)
2870 || !TEST_int_eq(c, buf[0])
2871 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2874 SSL_shutdown(clientssl);
2875 SSL_shutdown(serverssl);
2881 SSL_free(serverssl);
2882 SSL_free(clientssl);
2885 clientssl = serverssl = NULL;
2894 #define USE_DEFAULT 3
2896 #define CONNTYPE_CONNECTION_SUCCESS 0
2897 #define CONNTYPE_CONNECTION_FAIL 1
2898 #define CONNTYPE_NO_CONNECTION 2
2900 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2901 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2902 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2903 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2905 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2908 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2909 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2910 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2912 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2929 * Tests calls to SSL_set_bio() under various conditions.
2931 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2932 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2933 * then do more tests where we create a successful connection first using our
2934 * standard connection setup functions, and then call SSL_set_bio() with
2935 * various combinations of valid BIOs or NULL. We then repeat these tests
2936 * following a failed connection. In this last case we are looking to check that
2937 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2939 static int test_ssl_set_bio(int idx)
2941 SSL_CTX *sctx = NULL, *cctx = NULL;
2944 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2945 SSL *serverssl = NULL, *clientssl = NULL;
2946 int initrbio, initwbio, newrbio, newwbio, conntype;
2949 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2957 conntype = CONNTYPE_NO_CONNECTION;
2959 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2960 initrbio = initwbio = USE_DEFAULT;
2968 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2969 TLS_client_method(), TLS1_VERSION, 0,
2970 &sctx, &cctx, cert, privkey)))
2973 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2975 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2976 * because we reduced the number of tests in the definition of
2977 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2978 * mismatched protocol versions we will force a connection failure.
2980 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2981 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2988 if (initrbio == USE_BIO_1
2989 || initwbio == USE_BIO_1
2990 || newrbio == USE_BIO_1
2991 || newwbio == USE_BIO_1) {
2992 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2996 if (initrbio == USE_BIO_2
2997 || initwbio == USE_BIO_2
2998 || newrbio == USE_BIO_2
2999 || newwbio == USE_BIO_2) {
3000 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
3004 if (initrbio != USE_DEFAULT) {
3005 setupbio(&irbio, bio1, bio2, initrbio);
3006 setupbio(&iwbio, bio1, bio2, initwbio);
3007 SSL_set_bio(clientssl, irbio, iwbio);
3010 * We want to maintain our own refs to these BIO, so do an up ref for
3011 * each BIO that will have ownership transferred in the SSL_set_bio()
3016 if (iwbio != NULL && iwbio != irbio)
3020 if (conntype != CONNTYPE_NO_CONNECTION
3021 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3023 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3026 setupbio(&nrbio, bio1, bio2, newrbio);
3027 setupbio(&nwbio, bio1, bio2, newwbio);
3030 * We will (maybe) transfer ownership again so do more up refs.
3031 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3036 && (nwbio != iwbio || nrbio != nwbio))
3040 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3043 SSL_set_bio(clientssl, nrbio, nwbio);
3052 * This test is checking that the ref counting for SSL_set_bio is correct.
3053 * If we get here and we did too many frees then we will fail in the above
3056 SSL_free(serverssl);
3057 SSL_free(clientssl);
3063 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3065 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3067 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3072 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3073 || !TEST_ptr(ssl = SSL_new(ctx))
3074 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3075 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3078 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3081 * If anything goes wrong here then we could leak memory.
3083 BIO_push(sslbio, membio1);
3085 /* Verify changing the rbio/wbio directly does not cause leaks */
3086 if (change_bio != NO_BIO_CHANGE) {
3087 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3091 if (change_bio == CHANGE_RBIO)
3092 SSL_set0_rbio(ssl, membio2);
3094 SSL_set0_wbio(ssl, membio2);
3113 static int test_ssl_bio_pop_next_bio(void)
3115 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3118 static int test_ssl_bio_pop_ssl_bio(void)
3120 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3123 static int test_ssl_bio_change_rbio(void)
3125 return execute_test_ssl_bio(0, CHANGE_RBIO);
3128 static int test_ssl_bio_change_wbio(void)
3130 return execute_test_ssl_bio(0, CHANGE_WBIO);
3133 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3135 /* The list of sig algs */
3137 /* The length of the list */
3139 /* A sigalgs list in string format */
3140 const char *liststr;
3141 /* Whether setting the list should succeed */
3143 /* Whether creating a connection with the list should succeed */
3147 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3148 # ifndef OPENSSL_NO_EC
3149 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3150 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3152 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3153 static const int invalidlist2[] = {NID_sha256, NID_undef};
3154 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3155 static const int invalidlist4[] = {NID_sha256};
3156 static const sigalgs_list testsigalgs[] = {
3157 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3158 # ifndef OPENSSL_NO_EC
3159 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3160 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3162 {NULL, 0, "RSA+SHA256", 1, 1},
3163 # ifndef OPENSSL_NO_EC
3164 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3165 {NULL, 0, "ECDSA+SHA512", 1, 0},
3167 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3168 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3169 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3170 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3171 {NULL, 0, "RSA", 0, 0},
3172 {NULL, 0, "SHA256", 0, 0},
3173 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3174 {NULL, 0, "Invalid", 0, 0}
3177 static int test_set_sigalgs(int idx)
3179 SSL_CTX *cctx = NULL, *sctx = NULL;
3180 SSL *clientssl = NULL, *serverssl = NULL;
3182 const sigalgs_list *curr;
3185 /* Should never happen */
3186 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3189 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3190 curr = testctx ? &testsigalgs[idx]
3191 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3193 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3194 TLS_client_method(), TLS1_VERSION, 0,
3195 &sctx, &cctx, cert, privkey)))
3198 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3203 if (curr->list != NULL)
3204 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3206 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3210 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3216 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3221 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3222 &clientssl, NULL, NULL)))
3228 if (curr->list != NULL)
3229 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3231 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3234 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3243 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3251 SSL_free(serverssl);
3252 SSL_free(clientssl);
3260 #ifndef OSSL_NO_USABLE_TLS1_3
3261 static int psk_client_cb_cnt = 0;
3262 static int psk_server_cb_cnt = 0;
3264 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3265 size_t *idlen, SSL_SESSION **sess)
3267 switch (++use_session_cb_cnt) {
3269 /* The first call should always have a NULL md */
3275 /* The second call should always have an md */
3281 /* We should only be called a maximum of twice */
3285 if (clientpsk != NULL)
3286 SSL_SESSION_up_ref(clientpsk);
3289 *id = (const unsigned char *)pskid;
3290 *idlen = strlen(pskid);
3295 #ifndef OPENSSL_NO_PSK
3296 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3297 unsigned int max_id_len,
3299 unsigned int max_psk_len)
3301 unsigned int psklen = 0;
3303 psk_client_cb_cnt++;
3305 if (strlen(pskid) + 1 > max_id_len)
3308 /* We should only ever be called a maximum of twice per connection */
3309 if (psk_client_cb_cnt > 2)
3312 if (clientpsk == NULL)
3315 /* We'll reuse the PSK we set up for TLSv1.3 */
3316 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3318 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3319 strncpy(id, pskid, max_id_len);
3323 #endif /* OPENSSL_NO_PSK */
3325 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3326 size_t identity_len, SSL_SESSION **sess)
3328 find_session_cb_cnt++;
3330 /* We should only ever be called a maximum of twice per connection */
3331 if (find_session_cb_cnt > 2)
3334 if (serverpsk == NULL)
3337 /* Identity should match that set by the client */
3338 if (strlen(srvid) != identity_len
3339 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3340 /* No PSK found, continue but without a PSK */
3345 SSL_SESSION_up_ref(serverpsk);
3351 #ifndef OPENSSL_NO_PSK
3352 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3353 unsigned char *psk, unsigned int max_psk_len)
3355 unsigned int psklen = 0;
3357 psk_server_cb_cnt++;
3359 /* We should only ever be called a maximum of twice per connection */
3360 if (find_session_cb_cnt > 2)
3363 if (serverpsk == NULL)
3366 /* Identity should match that set by the client */
3367 if (strcmp(srvid, identity) != 0) {
3371 /* We'll reuse the PSK we set up for TLSv1.3 */
3372 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3374 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3378 #endif /* OPENSSL_NO_PSK */
3380 #define MSG1 "Hello"
3381 #define MSG2 "World."
3386 #define MSG7 "message."
3388 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3389 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3390 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3391 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3392 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3395 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
3397 const SSL_CIPHER *cipher = NULL;
3398 const unsigned char key[] = {
3399 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3400 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3401 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3402 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3403 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */
3405 SSL_SESSION *sess = NULL;
3407 if (mdsize == SHA384_DIGEST_LENGTH) {
3408 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3409 } else if (mdsize == SHA256_DIGEST_LENGTH) {
3411 * Any ciphersuite using SHA256 will do - it will be compatible with
3412 * the actual ciphersuite selected as long as it too is based on SHA256
3414 cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES);
3416 /* Should not happen */
3419 sess = SSL_SESSION_new();
3421 || !TEST_ptr(cipher)
3422 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize))
3423 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3425 SSL_SESSION_set_protocol_version(sess,
3427 SSL_SESSION_free(sess);
3433 static int artificial_ticket_time = 0;
3435 static int ed_gen_cb(SSL *s, void *arg)
3437 SSL_SESSION *sess = SSL_get0_session(s);
3443 * Artificially give the ticket some age. Just do it for the number of
3444 * tickets we've been told to do.
3446 if (artificial_ticket_time == 0)
3448 artificial_ticket_time--;
3450 if (SSL_SESSION_set_time(sess, SSL_SESSION_get_time(sess) - 10) == 0)
3457 * Helper method to setup objects for early data test. Caller frees objects on
3460 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3461 SSL **serverssl, SSL_SESSION **sess, int idx,
3464 int artificial = (artificial_ticket_time > 0);
3467 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3468 TLS_client_method(),
3470 sctx, cctx, cert, privkey)))
3474 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3476 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3480 /* When idx == 1 we repeat the tests with read_ahead set */
3481 SSL_CTX_set_read_ahead(*cctx, 1);
3482 SSL_CTX_set_read_ahead(*sctx, 1);
3483 } else if (idx == 2) {
3484 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3485 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3486 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3487 use_session_cb_cnt = 0;
3488 find_session_cb_cnt = 0;
3492 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3497 * For one of the run throughs (doesn't matter which one), we'll try sending
3498 * some SNI data in the initial ClientHello. This will be ignored (because
3499 * there is no SNI cb set up by the server), so it should not impact
3503 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3507 clientpsk = create_a_psk(*clientssl, mdsize);
3508 if (!TEST_ptr(clientpsk)
3510 * We just choose an arbitrary value for max_early_data which
3511 * should be big enough for testing purposes.
3513 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3515 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3516 SSL_SESSION_free(clientpsk);
3520 serverpsk = clientpsk;
3523 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3524 SSL_SESSION_free(clientpsk);
3525 SSL_SESSION_free(serverpsk);
3526 clientpsk = serverpsk = NULL;
3537 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3541 *sess = SSL_get1_session(*clientssl);
3542 SSL_shutdown(*clientssl);
3543 SSL_shutdown(*serverssl);
3544 SSL_free(*serverssl);
3545 SSL_free(*clientssl);
3546 *serverssl = *clientssl = NULL;
3549 * Artificially give the ticket some age to match the artificial age we
3550 * gave it on the server side
3553 && !TEST_long_gt(SSL_SESSION_set_time(*sess,
3554 SSL_SESSION_get_time(*sess) - 10), 0))
3557 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3558 clientssl, NULL, NULL))
3559 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3565 static int test_early_data_read_write(int idx)
3567 SSL_CTX *cctx = NULL, *sctx = NULL;
3568 SSL *clientssl = NULL, *serverssl = NULL;
3570 SSL_SESSION *sess = NULL;
3571 unsigned char buf[20], data[1024];
3572 size_t readbytes, written, eoedlen, rawread, rawwritten;
3575 /* Artificially give the next 2 tickets some age for non PSK sessions */
3577 artificial_ticket_time = 2;
3578 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3579 &serverssl, &sess, idx,
3580 SHA384_DIGEST_LENGTH))) {
3581 artificial_ticket_time = 0;
3584 artificial_ticket_time = 0;
3586 /* Write and read some early data */
3587 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3589 || !TEST_size_t_eq(written, strlen(MSG1))
3590 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3591 sizeof(buf), &readbytes),
3592 SSL_READ_EARLY_DATA_SUCCESS)
3593 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3594 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3595 SSL_EARLY_DATA_ACCEPTED))
3599 * Server should be able to write data, and client should be able to
3602 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3604 || !TEST_size_t_eq(written, strlen(MSG2))
3605 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3606 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3609 /* Even after reading normal data, client should be able write early data */
3610 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3612 || !TEST_size_t_eq(written, strlen(MSG3)))
3615 /* Server should still be able read early data after writing data */
3616 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3618 SSL_READ_EARLY_DATA_SUCCESS)
3619 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3622 /* Write more data from server and read it from client */
3623 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3625 || !TEST_size_t_eq(written, strlen(MSG4))
3626 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3627 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3631 * If client writes normal data it should mean writing early data is no
3634 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3635 || !TEST_size_t_eq(written, strlen(MSG5))
3636 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3637 SSL_EARLY_DATA_ACCEPTED))
3641 * At this point the client has written EndOfEarlyData, ClientFinished and
3642 * normal (fully protected) data. We are going to cause a delay between the
3643 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3644 * in the read BIO, and then just put back the EndOfEarlyData message.
3646 rbio = SSL_get_rbio(serverssl);
3647 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3648 || !TEST_size_t_lt(rawread, sizeof(data))
3649 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3652 /* Record length is in the 4th and 5th bytes of the record header */
3653 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3654 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3655 || !TEST_size_t_eq(rawwritten, eoedlen))
3658 /* Server should be told that there is no more early data */
3659 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3661 SSL_READ_EARLY_DATA_FINISH)
3662 || !TEST_size_t_eq(readbytes, 0))
3666 * Server has not finished init yet, so should still be able to write early
3669 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3671 || !TEST_size_t_eq(written, strlen(MSG6)))
3674 /* Push the ClientFinished and the normal data back into the server rbio */
3675 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3677 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3680 /* Server should be able to read normal data */
3681 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3682 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3685 /* Client and server should not be able to write/read early data now */
3686 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3690 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3692 SSL_READ_EARLY_DATA_ERROR))
3696 /* Client should be able to read the data sent by the server */
3697 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3698 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3702 * Make sure we process the two NewSessionTickets. These arrive
3703 * post-handshake. We attempt reads which we do not expect to return any
3706 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3707 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3711 /* Server should be able to write normal data */
3712 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3713 || !TEST_size_t_eq(written, strlen(MSG7))
3714 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3715 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3718 SSL_SESSION_free(sess);
3719 sess = SSL_get1_session(clientssl);
3720 use_session_cb_cnt = 0;
3721 find_session_cb_cnt = 0;
3723 SSL_shutdown(clientssl);
3724 SSL_shutdown(serverssl);
3725 SSL_free(serverssl);
3726 SSL_free(clientssl);
3727 serverssl = clientssl = NULL;
3728 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3729 &clientssl, NULL, NULL))
3730 || !TEST_true(SSL_set_session(clientssl, sess)))
3733 /* Write and read some early data */
3734 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3736 || !TEST_size_t_eq(written, strlen(MSG1))
3737 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3739 SSL_READ_EARLY_DATA_SUCCESS)
3740 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3743 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3744 || !TEST_int_gt(SSL_accept(serverssl), 0))
3747 /* Client and server should not be able to write/read early data now */
3748 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3752 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3754 SSL_READ_EARLY_DATA_ERROR))
3758 /* Client and server should be able to write/read normal data */
3759 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3760 || !TEST_size_t_eq(written, strlen(MSG5))
3761 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3762 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3768 SSL_SESSION_free(sess);
3769 SSL_SESSION_free(clientpsk);
3770 SSL_SESSION_free(serverpsk);
3771 clientpsk = serverpsk = NULL;
3772 SSL_free(serverssl);
3773 SSL_free(clientssl);
3779 static int allow_ed_cb_called = 0;
3781 static int allow_early_data_cb(SSL *s, void *arg)
3783 int *usecb = (int *)arg;
3785 allow_ed_cb_called++;
3794 * idx == 0: Standard early_data setup
3795 * idx == 1: early_data setup using read_ahead
3796 * usecb == 0: Don't use a custom early data callback
3797 * usecb == 1: Use a custom early data callback and reject the early data
3798 * usecb == 2: Use a custom early data callback and accept the early data
3799 * confopt == 0: Configure anti-replay directly
3800 * confopt == 1: Configure anti-replay using SSL_CONF
3802 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3804 SSL_CTX *cctx = NULL, *sctx = NULL;
3805 SSL *clientssl = NULL, *serverssl = NULL;
3807 SSL_SESSION *sess = NULL;
3808 size_t readbytes, written;
3809 unsigned char buf[20];
3811 allow_ed_cb_called = 0;
3813 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3814 TLS_client_method(), TLS1_VERSION, 0,
3815 &sctx, &cctx, cert, privkey)))
3820 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3822 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3824 if (!TEST_ptr(confctx))
3826 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3827 | SSL_CONF_FLAG_SERVER);
3828 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3829 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3831 SSL_CONF_CTX_free(confctx);
3834 SSL_CONF_CTX_free(confctx);
3836 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3839 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3840 &serverssl, &sess, idx,
3841 SHA384_DIGEST_LENGTH)))
3845 * The server is configured to accept early data. Create a connection to
3846 * "use up" the ticket
3848 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3849 || !TEST_true(SSL_session_reused(clientssl)))
3852 SSL_shutdown(clientssl);
3853 SSL_shutdown(serverssl);
3854 SSL_free(serverssl);
3855 SSL_free(clientssl);
3856 serverssl = clientssl = NULL;
3858 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3859 &clientssl, NULL, NULL))
3860 || !TEST_true(SSL_set_session(clientssl, sess)))
3863 /* Write and read some early data */
3864 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3866 || !TEST_size_t_eq(written, strlen(MSG1)))
3870 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3872 SSL_READ_EARLY_DATA_FINISH)
3874 * The ticket was reused, so the we should have rejected the
3877 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3878 SSL_EARLY_DATA_REJECTED))
3881 /* In this case the callback decides to accept the early data */
3882 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3884 SSL_READ_EARLY_DATA_SUCCESS)
3885 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3887 * Server will have sent its flight so client can now send
3888 * end of early data and complete its half of the handshake
3890 || !TEST_int_gt(SSL_connect(clientssl), 0)
3891 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3893 SSL_READ_EARLY_DATA_FINISH)
3894 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3895 SSL_EARLY_DATA_ACCEPTED))
3899 /* Complete the connection */
3900 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3901 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3902 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3908 SSL_SESSION_free(sess);
3909 SSL_SESSION_free(clientpsk);
3910 SSL_SESSION_free(serverpsk);
3911 clientpsk = serverpsk = NULL;
3912 SSL_free(serverssl);
3913 SSL_free(clientssl);
3919 static int test_early_data_replay(int idx)
3921 int ret = 1, usecb, confopt;
3923 for (usecb = 0; usecb < 3; usecb++) {
3924 for (confopt = 0; confopt < 2; confopt++)
3925 ret &= test_early_data_replay_int(idx, usecb, confopt);
3931 static const char *ciphersuites[] = {
3932 "TLS_AES_128_CCM_8_SHA256",
3933 "TLS_AES_128_GCM_SHA256",
3934 "TLS_AES_256_GCM_SHA384",
3935 "TLS_AES_128_CCM_SHA256",
3936 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3937 "TLS_CHACHA20_POLY1305_SHA256"
3942 * Helper function to test that a server attempting to read early data can
3943 * handle a connection from a client where the early data should be skipped.
3944 * testtype: 0 == No HRR
3945 * testtype: 1 == HRR
3946 * testtype: 2 == HRR, invalid early_data sent after HRR
3947 * testtype: 3 == recv_max_early_data set to 0
3949 static int early_data_skip_helper(int testtype, int cipher, int idx)
3951 SSL_CTX *cctx = NULL, *sctx = NULL;
3952 SSL *clientssl = NULL, *serverssl = NULL;
3954 SSL_SESSION *sess = NULL;
3955 unsigned char buf[20];
3956 size_t readbytes, written;
3958 if (is_fips && cipher == 4)
3961 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3962 TLS_client_method(),
3964 &sctx, &cctx, cert, privkey)))
3968 SSL_CTX_set_security_level(sctx, 0);
3969 SSL_CTX_set_security_level(cctx, 0);
3972 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3973 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3976 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3977 &serverssl, &sess, idx,
3978 cipher == 2 ? SHA384_DIGEST_LENGTH
3979 : SHA256_DIGEST_LENGTH)))
3982 if (testtype == 1 || testtype == 2) {
3983 /* Force an HRR to occur */
3984 #if defined(OPENSSL_NO_EC)
3985 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3988 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3991 } else if (idx == 2) {
3993 * We force early_data rejection by ensuring the PSK identity is
3996 srvid = "Dummy Identity";
3999 * Deliberately corrupt the creation time. We take 20 seconds off the
4000 * time. It could be any value as long as it is not within tolerance.
4001 * This should mean the ticket is rejected.
4003 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
4008 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
4011 /* Write some early data */
4012 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4014 || !TEST_size_t_eq(written, strlen(MSG1)))
4017 /* Server should reject the early data */
4018 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4020 SSL_READ_EARLY_DATA_FINISH)
4021 || !TEST_size_t_eq(readbytes, 0)
4022 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4023 SSL_EARLY_DATA_REJECTED))
4033 * Finish off the handshake. We perform the same writes and reads as
4034 * further down but we expect them to fail due to the incomplete
4037 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4038 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4045 BIO *wbio = SSL_get_wbio(clientssl);
4046 /* A record that will appear as bad early_data */
4047 const unsigned char bad_early_data[] = {
4048 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4052 * We force the client to attempt a write. This will fail because
4053 * we're still in the handshake. It will cause the second
4054 * ClientHello to be sent.
4056 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4061 * Inject some early_data after the second ClientHello. This should
4062 * cause the server to fail
4064 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4065 sizeof(bad_early_data), &written)))
4072 * This client has sent more early_data than we are willing to skip
4073 * (case 3) or sent invalid early_data (case 2) so the connection should
4076 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4077 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4080 /* Connection has failed - nothing more to do */
4085 TEST_error("Invalid test type");
4091 * Should be able to send normal data despite rejection of early data. The
4092 * early_data should be skipped.
4094 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4095 || !TEST_size_t_eq(written, strlen(MSG2))
4096 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4097 SSL_EARLY_DATA_REJECTED)
4098 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4099 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4103 * Failure to decrypt early data records should not leave spurious errors
4104 * on the error stack
4106 if (!TEST_long_eq(ERR_peek_error(), 0))
4112 SSL_SESSION_free(clientpsk);
4113 SSL_SESSION_free(serverpsk);
4114 clientpsk = serverpsk = NULL;
4115 SSL_SESSION_free(sess);
4116 SSL_free(serverssl);
4117 SSL_free(clientssl);
4124 * Test that a server attempting to read early data can handle a connection
4125 * from a client where the early data is not acceptable.
4127 static int test_early_data_skip(int idx)
4129 return early_data_skip_helper(0,
4130 idx % OSSL_NELEM(ciphersuites),
4131 idx / OSSL_NELEM(ciphersuites));
4135 * Test that a server attempting to read early data can handle a connection
4136 * from a client where an HRR occurs.
4138 static int test_early_data_skip_hrr(int idx)
4140 return early_data_skip_helper(1,
4141 idx % OSSL_NELEM(ciphersuites),
4142 idx / OSSL_NELEM(ciphersuites));
4146 * Test that a server attempting to read early data can handle a connection
4147 * from a client where an HRR occurs and correctly fails if early_data is sent
4150 static int test_early_data_skip_hrr_fail(int idx)
4152 return early_data_skip_helper(2,
4153 idx % OSSL_NELEM(ciphersuites),
4154 idx / OSSL_NELEM(ciphersuites));
4158 * Test that a server attempting to read early data will abort if it tries to
4159 * skip over too much.
4161 static int test_early_data_skip_abort(int idx)
4163 return early_data_skip_helper(3,
4164 idx % OSSL_NELEM(ciphersuites),
4165 idx / OSSL_NELEM(ciphersuites));
4169 * Test that a server attempting to read early data can handle a connection
4170 * from a client that doesn't send any.
4172 static int test_early_data_not_sent(int idx)
4174 SSL_CTX *cctx = NULL, *sctx = NULL;
4175 SSL *clientssl = NULL, *serverssl = NULL;
4177 SSL_SESSION *sess = NULL;
4178 unsigned char buf[20];
4179 size_t readbytes, written;
4181 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4182 &serverssl, &sess, idx,
4183 SHA384_DIGEST_LENGTH)))
4186 /* Write some data - should block due to handshake with server */
4187 SSL_set_connect_state(clientssl);
4188 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4191 /* Server should detect that early data has not been sent */
4192 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4194 SSL_READ_EARLY_DATA_FINISH)
4195 || !TEST_size_t_eq(readbytes, 0)
4196 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4197 SSL_EARLY_DATA_NOT_SENT)
4198 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4199 SSL_EARLY_DATA_NOT_SENT))
4202 /* Continue writing the message we started earlier */
4203 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4204 || !TEST_size_t_eq(written, strlen(MSG1))
4205 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4206 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4207 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4208 || !TEST_size_t_eq(written, strlen(MSG2)))
4211 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4212 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4218 SSL_SESSION_free(sess);
4219 SSL_SESSION_free(clientpsk);
4220 SSL_SESSION_free(serverpsk);
4221 clientpsk = serverpsk = NULL;
4222 SSL_free(serverssl);
4223 SSL_free(clientssl);
4229 static const char *servalpn;
4231 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4232 unsigned char *outlen, const unsigned char *in,
4233 unsigned int inlen, void *arg)
4235 unsigned int protlen = 0;
4236 const unsigned char *prot;
4238 for (prot = in; prot < in + inlen; prot += protlen) {
4240 if (in + inlen < prot + protlen)
4241 return SSL_TLSEXT_ERR_NOACK;
4243 if (protlen == strlen(servalpn)
4244 && memcmp(prot, servalpn, protlen) == 0) {
4247 return SSL_TLSEXT_ERR_OK;
4251 return SSL_TLSEXT_ERR_NOACK;
4254 /* Test that a PSK can be used to send early_data */
4255 static int test_early_data_psk(int idx)
4257 SSL_CTX *cctx = NULL, *sctx = NULL;
4258 SSL *clientssl = NULL, *serverssl = NULL;
4260 SSL_SESSION *sess = NULL;
4261 unsigned char alpnlist[] = {
4262 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4265 #define GOODALPNLEN 9
4266 #define BADALPNLEN 8
4267 #define GOODALPN (alpnlist)
4268 #define BADALPN (alpnlist + GOODALPNLEN)
4270 unsigned char buf[20];
4271 size_t readbytes, written;
4272 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4273 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4275 /* We always set this up with a final parameter of "2" for PSK */
4276 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4277 &serverssl, &sess, 2,
4278 SHA384_DIGEST_LENGTH)))
4281 servalpn = "goodalpn";
4284 * Note: There is no test for inconsistent SNI with late client detection.
4285 * This is because servers do not acknowledge SNI even if they are using
4286 * it in a resumption handshake - so it is not actually possible for a
4287 * client to detect a problem.
4291 /* Set inconsistent SNI (early client detection) */
4292 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4293 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4294 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4299 /* Set inconsistent ALPN (early client detection) */
4300 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4301 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4302 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4304 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4311 * Set invalid protocol version. Technically this affects PSKs without
4312 * early_data too, but we test it here because it is similar to the
4313 * SNI/ALPN consistency tests.
4315 err = SSL_R_BAD_PSK;
4316 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4322 * Set inconsistent SNI (server side). In this case the connection
4323 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4324 * is associated with each handshake - not the session. Therefore it
4325 * should not matter that we used a different server name last time.
4327 SSL_SESSION_free(serverpsk);
4328 serverpsk = SSL_SESSION_dup(clientpsk);
4329 if (!TEST_ptr(serverpsk)
4330 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4334 /* Set consistent SNI */
4335 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4336 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4337 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4344 * Set inconsistent ALPN (server detected). In this case the connection
4345 * will succeed but reject early_data.
4347 servalpn = "badalpn";
4348 edstatus = SSL_EARLY_DATA_REJECTED;
4349 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4353 * Set consistent ALPN.
4354 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4355 * accepts a list of protos (each one length prefixed).
4356 * SSL_set1_alpn_selected accepts a single protocol (not length
4359 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4361 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4365 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4369 /* Set inconsistent ALPN (late client detection) */
4370 SSL_SESSION_free(serverpsk);
4371 serverpsk = SSL_SESSION_dup(clientpsk);
4372 if (!TEST_ptr(serverpsk)
4373 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4376 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4379 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4382 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4383 edstatus = SSL_EARLY_DATA_ACCEPTED;
4384 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4385 /* SSL_connect() call should fail */
4390 TEST_error("Bad test index");
4394 SSL_set_connect_state(clientssl);
4396 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4398 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4399 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4402 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4406 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4407 &readbytes), readearlyres)
4408 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4409 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4410 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4411 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4418 SSL_SESSION_free(sess);
4419 SSL_SESSION_free(clientpsk);
4420 SSL_SESSION_free(serverpsk);
4421 clientpsk = serverpsk = NULL;
4422 SSL_free(serverssl);
4423 SSL_free(clientssl);
4430 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4431 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4432 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4433 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4434 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4435 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4437 static int test_early_data_psk_with_all_ciphers(int idx)
4439 SSL_CTX *cctx = NULL, *sctx = NULL;
4440 SSL *clientssl = NULL, *serverssl = NULL;
4442 SSL_SESSION *sess = NULL;
4443 unsigned char buf[20];
4444 size_t readbytes, written;
4445 const SSL_CIPHER *cipher;
4446 const char *cipher_str[] = {
4447 TLS1_3_RFC_AES_128_GCM_SHA256,
4448 TLS1_3_RFC_AES_256_GCM_SHA384,
4449 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4450 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4454 TLS1_3_RFC_AES_128_CCM_SHA256,
4455 TLS1_3_RFC_AES_128_CCM_8_SHA256
4457 const unsigned char *cipher_bytes[] = {
4458 TLS13_AES_128_GCM_SHA256_BYTES,
4459 TLS13_AES_256_GCM_SHA384_BYTES,
4460 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4461 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4465 TLS13_AES_128_CCM_SHA256_BYTES,
4466 TLS13_AES_128_CCM_8_SHA256_BYTES
4469 if (cipher_str[idx] == NULL)
4471 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4472 if (idx == 2 && is_fips == 1)
4475 /* We always set this up with a final parameter of "2" for PSK */
4476 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4477 &serverssl, &sess, 2,
4478 SHA384_DIGEST_LENGTH)))
4482 /* CCM8 ciphers are considered low security due to their short tag */
4483 SSL_set_security_level(clientssl, 0);
4484 SSL_set_security_level(serverssl, 0);
4487 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4488 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4492 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4493 * and assigns to both client and server with incremented reference
4494 * and the same instance is updated in 'sess'.
4495 * So updating ciphersuite in 'sess' which will get reflected in
4496 * PSK handshake using psk use sess and find sess cb.
4498 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4499 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4502 SSL_set_connect_state(clientssl);
4503 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4507 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4509 SSL_READ_EARLY_DATA_SUCCESS)
4510 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4511 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4512 SSL_EARLY_DATA_ACCEPTED)
4513 || !TEST_int_eq(SSL_connect(clientssl), 1)
4514 || !TEST_int_eq(SSL_accept(serverssl), 1))
4517 /* Send some normal data from client to server */
4518 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4519 || !TEST_size_t_eq(written, strlen(MSG2)))
4522 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4523 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4528 SSL_SESSION_free(sess);
4529 SSL_SESSION_free(clientpsk);
4530 SSL_SESSION_free(serverpsk);
4531 clientpsk = serverpsk = NULL;
4532 if (clientssl != NULL)
4533 SSL_shutdown(clientssl);
4534 if (serverssl != NULL)
4535 SSL_shutdown(serverssl);
4536 SSL_free(serverssl);
4537 SSL_free(clientssl);
4544 * Test that a server that doesn't try to read early data can handle a
4545 * client sending some.
4547 static int test_early_data_not_expected(int idx)
4549 SSL_CTX *cctx = NULL, *sctx = NULL;
4550 SSL *clientssl = NULL, *serverssl = NULL;
4552 SSL_SESSION *sess = NULL;
4553 unsigned char buf[20];
4554 size_t readbytes, written;
4556 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4557 &serverssl, &sess, idx,
4558 SHA384_DIGEST_LENGTH)))
4561 /* Write some early data */
4562 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4567 * Server should skip over early data and then block waiting for client to
4568 * continue handshake
4570 if (!TEST_int_le(SSL_accept(serverssl), 0)
4571 || !TEST_int_gt(SSL_connect(clientssl), 0)
4572 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4573 SSL_EARLY_DATA_REJECTED)
4574 || !TEST_int_gt(SSL_accept(serverssl), 0)
4575 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4576 SSL_EARLY_DATA_REJECTED))
4579 /* Send some normal data from client to server */
4580 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4581 || !TEST_size_t_eq(written, strlen(MSG2)))
4584 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4585 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4591 SSL_SESSION_free(sess);
4592 SSL_SESSION_free(clientpsk);
4593 SSL_SESSION_free(serverpsk);
4594 clientpsk = serverpsk = NULL;
4595 SSL_free(serverssl);
4596 SSL_free(clientssl);
4603 # ifndef OPENSSL_NO_TLS1_2
4605 * Test that a server attempting to read early data can handle a connection
4606 * from a TLSv1.2 client.
4608 static int test_early_data_tls1_2(int idx)
4610 SSL_CTX *cctx = NULL, *sctx = NULL;
4611 SSL *clientssl = NULL, *serverssl = NULL;
4613 unsigned char buf[20];
4614 size_t readbytes, written;
4616 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4617 &serverssl, NULL, idx,
4618 SHA384_DIGEST_LENGTH)))
4621 /* Write some data - should block due to handshake with server */
4622 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4623 SSL_set_connect_state(clientssl);
4624 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4628 * Server should do TLSv1.2 handshake. First it will block waiting for more
4629 * messages from client after ServerDone. Then SSL_read_early_data should
4630 * finish and detect that early data has not been sent
4632 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4634 SSL_READ_EARLY_DATA_ERROR))
4638 * Continue writing the message we started earlier. Will still block waiting
4639 * for the CCS/Finished from server
4641 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4642 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4644 SSL_READ_EARLY_DATA_FINISH)
4645 || !TEST_size_t_eq(readbytes, 0)
4646 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4647 SSL_EARLY_DATA_NOT_SENT))
4650 /* Continue writing the message we started earlier */
4651 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4652 || !TEST_size_t_eq(written, strlen(MSG1))
4653 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4654 SSL_EARLY_DATA_NOT_SENT)
4655 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4656 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4657 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4658 || !TEST_size_t_eq(written, strlen(MSG2))
4659 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4660 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4666 SSL_SESSION_free(clientpsk);
4667 SSL_SESSION_free(serverpsk);
4668 clientpsk = serverpsk = NULL;
4669 SSL_free(serverssl);
4670 SSL_free(clientssl);
4676 # endif /* OPENSSL_NO_TLS1_2 */
4679 * Test configuring the TLSv1.3 ciphersuites
4681 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4682 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4683 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4684 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4685 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4686 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4687 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4688 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4689 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4690 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4692 static int test_set_ciphersuite(int idx)
4694 SSL_CTX *cctx = NULL, *sctx = NULL;
4695 SSL *clientssl = NULL, *serverssl = NULL;
4698 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4699 TLS_client_method(), TLS1_VERSION, 0,
4700 &sctx, &cctx, cert, privkey))
4701 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4702 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4705 if (idx >=4 && idx <= 7) {
4706 /* SSL_CTX explicit cipher list */
4707 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4711 if (idx == 0 || idx == 4) {
4712 /* Default ciphersuite */
4713 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4714 "TLS_AES_128_GCM_SHA256")))
4716 } else if (idx == 1 || idx == 5) {
4717 /* Non default ciphersuite */
4718 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4719 "TLS_AES_128_CCM_SHA256")))
4723 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4724 &clientssl, NULL, NULL)))
4727 if (idx == 8 || idx == 9) {
4728 /* SSL explicit cipher list */
4729 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4733 if (idx == 2 || idx == 6 || idx == 8) {
4734 /* Default ciphersuite */
4735 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4736 "TLS_AES_128_GCM_SHA256")))
4738 } else if (idx == 3 || idx == 7 || idx == 9) {
4739 /* Non default ciphersuite */
4740 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4741 "TLS_AES_128_CCM_SHA256")))
4745 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4751 SSL_free(serverssl);
4752 SSL_free(clientssl);
4759 static int test_ciphersuite_change(void)
4761 SSL_CTX *cctx = NULL, *sctx = NULL;
4762 SSL *clientssl = NULL, *serverssl = NULL;
4763 SSL_SESSION *clntsess = NULL;
4765 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4767 /* Create a session based on SHA-256 */
4768 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4769 TLS_client_method(), TLS1_VERSION, 0,
4770 &sctx, &cctx, cert, privkey))
4771 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4772 "TLS_AES_128_GCM_SHA256:"
4773 "TLS_AES_256_GCM_SHA384:"
4774 "TLS_AES_128_CCM_SHA256"))
4775 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4776 "TLS_AES_128_GCM_SHA256")))
4779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4781 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4785 clntsess = SSL_get1_session(clientssl);
4786 /* Save for later */
4787 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4788 SSL_shutdown(clientssl);
4789 SSL_shutdown(serverssl);
4790 SSL_free(serverssl);
4791 SSL_free(clientssl);
4792 serverssl = clientssl = NULL;
4794 /* Check we can resume a session with a different SHA-256 ciphersuite */
4795 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4796 "TLS_AES_128_CCM_SHA256"))
4797 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4798 &clientssl, NULL, NULL))
4799 || !TEST_true(SSL_set_session(clientssl, clntsess))
4800 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4802 || !TEST_true(SSL_session_reused(clientssl)))
4805 SSL_SESSION_free(clntsess);
4806 clntsess = SSL_get1_session(clientssl);
4807 SSL_shutdown(clientssl);
4808 SSL_shutdown(serverssl);
4809 SSL_free(serverssl);
4810 SSL_free(clientssl);
4811 serverssl = clientssl = NULL;
4814 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4815 * succeeds but does not resume.
4817 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4818 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4820 || !TEST_true(SSL_set_session(clientssl, clntsess))
4821 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4823 || !TEST_false(SSL_session_reused(clientssl)))
4826 SSL_SESSION_free(clntsess);
4828 SSL_shutdown(clientssl);
4829 SSL_shutdown(serverssl);
4830 SSL_free(serverssl);
4831 SSL_free(clientssl);
4832 serverssl = clientssl = NULL;
4834 /* Create a session based on SHA384 */
4835 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4836 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4837 &clientssl, NULL, NULL))
4838 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4842 clntsess = SSL_get1_session(clientssl);
4843 SSL_shutdown(clientssl);
4844 SSL_shutdown(serverssl);
4845 SSL_free(serverssl);
4846 SSL_free(clientssl);
4847 serverssl = clientssl = NULL;
4849 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4850 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4851 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4852 "TLS_AES_256_GCM_SHA384"))
4853 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4855 || !TEST_true(SSL_set_session(clientssl, clntsess))
4857 * We use SSL_ERROR_WANT_READ below so that we can pause the
4858 * connection after the initial ClientHello has been sent to
4859 * enable us to make some session changes.
4861 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4862 SSL_ERROR_WANT_READ)))
4865 /* Trick the client into thinking this session is for a different digest */
4866 clntsess->cipher = aes_128_gcm_sha256;
4867 clntsess->cipher_id = clntsess->cipher->id;
4870 * Continue the previously started connection. Server has selected a SHA-384
4871 * ciphersuite, but client thinks the session is for SHA-256, so it should
4874 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4876 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4877 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4883 SSL_SESSION_free(clntsess);
4884 SSL_free(serverssl);
4885 SSL_free(clientssl);
4893 * Test TLSv1.3 Key exchange
4894 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4895 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4896 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4897 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4898 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4899 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4900 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4901 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4902 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4903 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4904 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4905 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4906 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4907 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4909 # ifndef OPENSSL_NO_EC
4910 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4912 # ifndef OPENSSL_NO_ECX
4913 NID_X25519, NID_X448
4917 # ifndef OPENSSL_NO_DH
4918 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4919 NID_ffdhe6144, NID_ffdhe8192};
4921 static int test_key_exchange(int idx)
4923 SSL_CTX *sctx = NULL, *cctx = NULL;
4924 SSL *serverssl = NULL, *clientssl = NULL;
4927 int *kexch_groups = &kexch_alg;
4928 int kexch_groups_size = 1;
4929 int max_version = TLS1_3_VERSION;
4930 char *kexch_name0 = NULL;
4933 # ifndef OPENSSL_NO_EC
4934 # ifndef OPENSSL_NO_TLS1_2
4936 max_version = TLS1_2_VERSION;
4940 kexch_groups = ecdhe_kexch_groups;
4941 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4942 kexch_name0 = "secp256r1";
4945 kexch_alg = NID_X9_62_prime256v1;
4946 kexch_name0 = "secp256r1";
4949 kexch_alg = NID_secp384r1;
4950 kexch_name0 = "secp384r1";
4953 kexch_alg = NID_secp521r1;
4954 kexch_name0 = "secp521r1";
4956 # ifndef OPENSSL_NO_ECX
4958 kexch_alg = NID_X25519;
4959 kexch_name0 = "x25519";
4962 kexch_alg = NID_X448;
4963 kexch_name0 = "x448";
4967 # ifndef OPENSSL_NO_DH
4968 # ifndef OPENSSL_NO_TLS1_2
4970 max_version = TLS1_2_VERSION;
4971 kexch_name0 = "ffdhe2048";
4975 kexch_groups = ffdhe_kexch_groups;
4976 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4977 kexch_name0 = "ffdhe2048";
4980 kexch_alg = NID_ffdhe2048;
4981 kexch_name0 = "ffdhe2048";
4984 kexch_alg = NID_ffdhe3072;
4985 kexch_name0 = "ffdhe3072";
4988 kexch_alg = NID_ffdhe4096;
4989 kexch_name0 = "ffdhe4096";
4992 kexch_alg = NID_ffdhe6144;
4993 kexch_name0 = "ffdhe6144";
4996 kexch_alg = NID_ffdhe8192;
4997 kexch_name0 = "ffdhe8192";
5001 /* We're skipping this test */
5005 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5006 TLS_client_method(), TLS1_VERSION,
5007 max_version, &sctx, &cctx, cert,
5011 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
5012 TLS1_3_RFC_AES_128_GCM_SHA256)))
5015 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5016 TLS1_3_RFC_AES_128_GCM_SHA256)))
5019 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5020 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5021 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5022 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5026 * Must include an EC ciphersuite so that we send supported groups in
5029 # ifndef OPENSSL_NO_TLS1_2
5030 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5031 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5032 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5036 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5040 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5041 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5044 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5048 * If Handshake succeeds the negotiated kexch alg should be the first one in
5049 * configured, except in the case of FFDHE groups (idx 13), which are
5050 * TLSv1.3 only so we expect no shared group to exist.
5052 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5053 idx == 13 ? 0 : kexch_groups[0]))
5056 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5060 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5062 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5063 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5065 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5067 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5073 SSL_free(serverssl);
5074 SSL_free(clientssl);
5080 # if !defined(OPENSSL_NO_TLS1_2) \
5081 && !defined(OPENSSL_NO_EC) \
5082 && !defined(OPENSSL_NO_DH)
5083 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5084 int isecdhe, int idx)
5087 int *kexch_groups = &kexch_alg;
5090 numec = OSSL_NELEM(ecdhe_kexch_groups);
5091 numff = OSSL_NELEM(ffdhe_kexch_groups);
5093 kexch_alg = ecdhe_kexch_groups[idx];
5095 kexch_alg = ffdhe_kexch_groups[idx];
5098 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5101 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5105 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5110 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5113 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5117 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5126 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5127 * Run through both the ECDHE and FFDHE group lists used in the previous
5128 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5129 * confirming the expected result; then perform a resumption handshake
5130 * while offering the same group list, and another resumption handshake
5131 * offering a different group list. The returned value should be the
5132 * negotiated group for the initial handshake; for TLS 1.3 resumption
5133 * handshakes the returned value will be negotiated on the resumption
5134 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5135 * be cached in the session from the original handshake, regardless of what
5136 * was offered in the resumption ClientHello.
5138 * Using E for the number of EC groups and F for the number of FF groups:
5139 * E tests of ECDHE with TLS 1.3, server only has one group
5140 * F tests of FFDHE with TLS 1.3, server only has one group
5141 * E tests of ECDHE with TLS 1.2, server only has one group
5142 * F tests of FFDHE with TLS 1.2, server only has one group
5143 * E tests of ECDHE with TLS 1.3, client sends only one group
5144 * F tests of FFDHE with TLS 1.3, client sends only one group
5145 * E tests of ECDHE with TLS 1.2, client sends only one group
5146 * F tests of FFDHE with TLS 1.2, client sends only one group
5148 static int test_negotiated_group(int idx)
5150 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5152 SSL_CTX *sctx = NULL, *cctx = NULL;
5153 SSL *serverssl = NULL, *clientssl = NULL;
5154 SSL_SESSION *origsess = NULL;
5157 int max_version = TLS1_3_VERSION;
5159 numec = OSSL_NELEM(ecdhe_kexch_groups);
5160 numff = OSSL_NELEM(ffdhe_kexch_groups);
5161 numgroups = numec + numff;
5162 clientmulti = (idx < 2 * numgroups);
5163 idx = idx % (2 * numgroups);
5164 istls13 = (idx < numgroups);
5165 idx = idx % numgroups;
5166 isecdhe = (idx < numec);
5169 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5171 kexch_alg = ecdhe_kexch_groups[idx];
5173 kexch_alg = ffdhe_kexch_groups[idx];
5174 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5175 if (!istls13 && !isecdhe)
5176 expectednid = NID_undef;
5178 expectednid = kexch_alg;
5181 max_version = TLS1_2_VERSION;
5183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5184 TLS_client_method(), TLS1_VERSION,
5185 max_version, &sctx, &cctx, cert,
5190 * Force (EC)DHE ciphers for TLS 1.2.
5191 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5193 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5194 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5195 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5196 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5198 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5199 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5200 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5207 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5211 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5214 /* Initial handshake; always the configured one */
5215 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5216 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5219 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5222 SSL_shutdown(clientssl);
5223 SSL_shutdown(serverssl);
5224 SSL_free(serverssl);
5225 SSL_free(clientssl);
5226 serverssl = clientssl = NULL;
5228 /* First resumption attempt; use the same config as initial handshake */
5229 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5231 || !TEST_true(SSL_set_session(clientssl, origsess))
5232 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5236 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5237 || !TEST_true(SSL_session_reused(clientssl)))
5240 /* Still had better agree, since nothing changed... */
5241 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5242 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5245 SSL_shutdown(clientssl);
5246 SSL_shutdown(serverssl);
5247 SSL_free(serverssl);
5248 SSL_free(clientssl);
5249 serverssl = clientssl = NULL;
5252 * Second resumption attempt
5253 * The party that picks one group changes it, which we effectuate by
5254 * changing 'idx' and updating what we expect.
5262 expectednid = ecdhe_kexch_groups[idx];
5264 expectednid = ffdhe_kexch_groups[idx];
5265 /* Verify that we are changing what we expect. */
5266 if (!TEST_int_ne(expectednid, kexch_alg))
5269 /* TLS 1.2 only supports named groups for ECDHE. */
5271 expectednid = kexch_alg;
5275 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5277 || !TEST_true(SSL_set_session(clientssl, origsess))
5278 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5282 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5283 || !TEST_true(SSL_session_reused(clientssl)))
5286 /* Check that we get what we expected */
5287 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5288 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5293 SSL_free(serverssl);
5294 SSL_free(clientssl);
5297 SSL_SESSION_free(origsess);
5300 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5303 * Test TLSv1.3 Cipher Suite
5304 * Test 0 = Set TLS1.3 cipher on context
5305 * Test 1 = Set TLS1.3 cipher on SSL
5306 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5307 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5309 static int test_tls13_ciphersuite(int idx)
5311 SSL_CTX *sctx = NULL, *cctx = NULL;
5312 SSL *serverssl = NULL, *clientssl = NULL;
5313 static const struct {
5314 const char *ciphername;
5318 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5319 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5320 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5321 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5322 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5323 { TLS1_3_RFC_AES_256_GCM_SHA384
5324 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5326 /* CCM8 ciphers are considered low security due to their short tag */
5327 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5328 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5330 const char *t13_cipher = NULL;
5331 const char *t12_cipher = NULL;
5332 const char *negotiated_scipher;
5333 const char *negotiated_ccipher;
5349 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5353 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5357 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5358 # ifdef OPENSSL_NO_TLS1_2
5359 if (max_ver == TLS1_2_VERSION)
5362 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5363 if (is_fips && !t13_ciphers[i].fipscapable)
5365 t13_cipher = t13_ciphers[i].ciphername;
5366 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5367 TLS_client_method(),
5368 TLS1_VERSION, max_ver,
5369 &sctx, &cctx, cert, privkey)))
5372 if (t13_ciphers[i].low_security) {
5373 SSL_CTX_set_security_level(sctx, 0);
5374 SSL_CTX_set_security_level(cctx, 0);
5378 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5379 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5381 if (t12_cipher != NULL) {
5382 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5383 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5389 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5390 &clientssl, NULL, NULL)))
5394 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5395 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5397 if (t12_cipher != NULL) {
5398 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5399 || !TEST_true(SSL_set_cipher_list(clientssl,
5405 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5409 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5411 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5413 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5417 * TEST_strn_eq is used below because t13_cipher can contain
5418 * multiple ciphersuites
5420 if (max_ver == TLS1_3_VERSION
5421 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5422 strlen(negotiated_scipher)))
5425 # ifndef OPENSSL_NO_TLS1_2
5426 /* Below validation is not done when t12_cipher is NULL */
5427 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5428 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5432 SSL_free(serverssl);
5434 SSL_free(clientssl);
5445 SSL_free(serverssl);
5446 SSL_free(clientssl);
5454 * Test 0 = Test new style callbacks
5455 * Test 1 = Test both new and old style callbacks
5456 * Test 2 = Test old style callbacks
5457 * Test 3 = Test old style callbacks with no certificate
5459 static int test_tls13_psk(int idx)
5461 SSL_CTX *sctx = NULL, *cctx = NULL;
5462 SSL *serverssl = NULL, *clientssl = NULL;
5463 const SSL_CIPHER *cipher = NULL;
5464 const unsigned char key[] = {
5465 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5466 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5467 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5468 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5472 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5473 TLS_client_method(), TLS1_VERSION, 0,
5474 &sctx, &cctx, idx == 3 ? NULL : cert,
5475 idx == 3 ? NULL : privkey)))
5480 * We use a ciphersuite with SHA256 to ease testing old style PSK
5481 * callbacks which will always default to SHA256. This should not be
5482 * necessary if we have no cert/priv key. In that case the server should
5483 * prefer SHA256 automatically.
5485 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5486 "TLS_AES_128_GCM_SHA256")))
5490 * As noted above the server should prefer SHA256 automatically. However
5491 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5492 * code works even if we are testing with only the FIPS provider loaded.
5494 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5495 "TLS_AES_256_GCM_SHA384:"
5496 "TLS_AES_128_GCM_SHA256")))
5501 * Test 0: New style callbacks only
5502 * Test 1: New and old style callbacks (only the new ones should be used)
5503 * Test 2: Old style callbacks only
5505 if (idx == 0 || idx == 1) {
5506 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5507 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5509 #ifndef OPENSSL_NO_PSK
5511 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5512 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5516 use_session_cb_cnt = 0;
5517 find_session_cb_cnt = 0;
5518 psk_client_cb_cnt = 0;
5519 psk_server_cb_cnt = 0;
5523 * Check we can create a connection if callback decides not to send a
5526 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5528 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5530 || !TEST_false(SSL_session_reused(clientssl))
5531 || !TEST_false(SSL_session_reused(serverssl)))
5534 if (idx == 0 || idx == 1) {
5535 if (!TEST_true(use_session_cb_cnt == 1)
5536 || !TEST_true(find_session_cb_cnt == 0)
5538 * If no old style callback then below should be 0
5541 || !TEST_true(psk_client_cb_cnt == idx)
5542 || !TEST_true(psk_server_cb_cnt == 0))
5545 if (!TEST_true(use_session_cb_cnt == 0)
5546 || !TEST_true(find_session_cb_cnt == 0)
5547 || !TEST_true(psk_client_cb_cnt == 1)
5548 || !TEST_true(psk_server_cb_cnt == 0))
5552 shutdown_ssl_connection(serverssl, clientssl);
5553 serverssl = clientssl = NULL;
5554 use_session_cb_cnt = psk_client_cb_cnt = 0;
5557 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5561 /* Create the PSK */
5562 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5563 clientpsk = SSL_SESSION_new();
5564 if (!TEST_ptr(clientpsk)
5565 || !TEST_ptr(cipher)
5566 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5568 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5569 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5571 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5573 serverpsk = clientpsk;
5575 /* Check we can create a connection and the PSK is used */
5576 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5577 || !TEST_true(SSL_session_reused(clientssl))
5578 || !TEST_true(SSL_session_reused(serverssl)))
5581 if (idx == 0 || idx == 1) {
5582 if (!TEST_true(use_session_cb_cnt == 1)
5583 || !TEST_true(find_session_cb_cnt == 1)
5584 || !TEST_true(psk_client_cb_cnt == 0)
5585 || !TEST_true(psk_server_cb_cnt == 0))
5588 if (!TEST_true(use_session_cb_cnt == 0)
5589 || !TEST_true(find_session_cb_cnt == 0)
5590 || !TEST_true(psk_client_cb_cnt == 1)
5591 || !TEST_true(psk_server_cb_cnt == 1))
5595 shutdown_ssl_connection(serverssl, clientssl);
5596 serverssl = clientssl = NULL;
5597 use_session_cb_cnt = find_session_cb_cnt = 0;
5598 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5600 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5605 #if defined(OPENSSL_NO_EC)
5606 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5609 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5614 * Check we can create a connection, the PSK is used and the callbacks are
5617 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5618 || !TEST_true(SSL_session_reused(clientssl))
5619 || !TEST_true(SSL_session_reused(serverssl)))
5622 if (idx == 0 || idx == 1) {
5623 if (!TEST_true(use_session_cb_cnt == 2)
5624 || !TEST_true(find_session_cb_cnt == 2)
5625 || !TEST_true(psk_client_cb_cnt == 0)
5626 || !TEST_true(psk_server_cb_cnt == 0))
5629 if (!TEST_true(use_session_cb_cnt == 0)
5630 || !TEST_true(find_session_cb_cnt == 0)
5631 || !TEST_true(psk_client_cb_cnt == 2)
5632 || !TEST_true(psk_server_cb_cnt == 2))
5636 shutdown_ssl_connection(serverssl, clientssl);
5637 serverssl = clientssl = NULL;
5638 use_session_cb_cnt = find_session_cb_cnt = 0;
5639 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5643 * Check that if the server rejects the PSK we can still connect, but with
5646 srvid = "Dummy Identity";
5647 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5649 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5651 || !TEST_false(SSL_session_reused(clientssl))
5652 || !TEST_false(SSL_session_reused(serverssl)))
5655 if (idx == 0 || idx == 1) {
5656 if (!TEST_true(use_session_cb_cnt == 1)
5657 || !TEST_true(find_session_cb_cnt == 1)
5658 || !TEST_true(psk_client_cb_cnt == 0)
5660 * If no old style callback then below should be 0
5663 || !TEST_true(psk_server_cb_cnt == idx))
5666 if (!TEST_true(use_session_cb_cnt == 0)
5667 || !TEST_true(find_session_cb_cnt == 0)
5668 || !TEST_true(psk_client_cb_cnt == 1)
5669 || !TEST_true(psk_server_cb_cnt == 1))
5673 shutdown_ssl_connection(serverssl, clientssl);
5674 serverssl = clientssl = NULL;
5679 SSL_SESSION_free(clientpsk);
5680 SSL_SESSION_free(serverpsk);
5681 clientpsk = serverpsk = NULL;
5682 SSL_free(serverssl);
5683 SSL_free(clientssl);
5689 static unsigned char cookie_magic_value[] = "cookie magic";
5691 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5692 unsigned int *cookie_len)
5695 * Not suitable as a real cookie generation function but good enough for
5698 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5699 *cookie_len = sizeof(cookie_magic_value) - 1;
5704 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5705 unsigned int cookie_len)
5707 if (cookie_len == sizeof(cookie_magic_value) - 1
5708 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5714 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5718 int res = generate_cookie_callback(ssl, cookie, &temp);
5723 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5726 return verify_cookie_callback(ssl, cookie, cookie_len);
5729 static int test_stateless(void)
5731 SSL_CTX *sctx = NULL, *cctx = NULL;
5732 SSL *serverssl = NULL, *clientssl = NULL;
5735 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5736 TLS_client_method(), TLS1_VERSION, 0,
5737 &sctx, &cctx, cert, privkey)))
5740 /* The arrival of CCS messages can confuse the test */
5741 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5743 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5745 /* Send the first ClientHello */
5746 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5747 SSL_ERROR_WANT_READ))
5749 * This should fail with a -1 return because we have no callbacks
5752 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5755 /* Fatal error so abandon the connection from this client */
5756 SSL_free(clientssl);
5759 /* Set up the cookie generation and verification callbacks */
5760 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5761 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5764 * Create a new connection from the client (we can reuse the server SSL
5767 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5769 /* Send the first ClientHello */
5770 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5771 SSL_ERROR_WANT_READ))
5772 /* This should fail because there is no cookie */
5773 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5776 /* Abandon the connection from this client */
5777 SSL_free(clientssl);
5781 * Now create a connection from a new client but with the same server SSL
5784 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5786 /* Send the first ClientHello */
5787 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5788 SSL_ERROR_WANT_READ))
5789 /* This should fail because there is no cookie */
5790 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5791 /* Send the second ClientHello */
5792 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5793 SSL_ERROR_WANT_READ))
5794 /* This should succeed because a cookie is now present */
5795 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5796 /* Complete the connection */
5797 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5801 shutdown_ssl_connection(serverssl, clientssl);
5802 serverssl = clientssl = NULL;
5806 SSL_free(serverssl);
5807 SSL_free(clientssl);
5813 #endif /* OSSL_NO_USABLE_TLS1_3 */
5815 static int clntaddoldcb = 0;
5816 static int clntparseoldcb = 0;
5817 static int srvaddoldcb = 0;
5818 static int srvparseoldcb = 0;
5819 static int clntaddnewcb = 0;
5820 static int clntparsenewcb = 0;
5821 static int srvaddnewcb = 0;
5822 static int srvparsenewcb = 0;
5823 static int snicb = 0;
5825 #define TEST_EXT_TYPE1 0xff00
5827 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5828 size_t *outlen, int *al, void *add_arg)
5830 int *server = (int *)add_arg;
5831 unsigned char *data;
5833 if (SSL_is_server(s))
5838 if (*server != SSL_is_server(s)
5839 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5844 *outlen = sizeof(char);
5848 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5851 OPENSSL_free((unsigned char *)out);
5854 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5855 size_t inlen, int *al, void *parse_arg)
5857 int *server = (int *)parse_arg;
5859 if (SSL_is_server(s))
5864 if (*server != SSL_is_server(s)
5865 || inlen != sizeof(char)
5872 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5873 const unsigned char **out, size_t *outlen, X509 *x,
5874 size_t chainidx, int *al, void *add_arg)
5876 int *server = (int *)add_arg;
5877 unsigned char *data;
5879 if (SSL_is_server(s))
5884 if (*server != SSL_is_server(s)
5885 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5890 *outlen = sizeof(*data);
5894 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5895 const unsigned char *out, void *add_arg)
5897 OPENSSL_free((unsigned char *)out);
5900 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5901 const unsigned char *in, size_t inlen, X509 *x,
5902 size_t chainidx, int *al, void *parse_arg)
5904 int *server = (int *)parse_arg;
5906 if (SSL_is_server(s))
5911 if (*server != SSL_is_server(s)
5912 || inlen != sizeof(char) || *in != 1)
5918 static int sni_cb(SSL *s, int *al, void *arg)
5920 SSL_CTX *ctx = (SSL_CTX *)arg;
5922 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5923 *al = SSL_AD_INTERNAL_ERROR;
5924 return SSL_TLSEXT_ERR_ALERT_FATAL;
5927 return SSL_TLSEXT_ERR_OK;
5930 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5936 * Custom call back tests.
5937 * Test 0: Old style callbacks in TLSv1.2
5938 * Test 1: New style callbacks in TLSv1.2
5939 * Test 2: New style callbacks in TLSv1.2 with SNI
5940 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5941 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5942 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5944 static int test_custom_exts(int tst)
5946 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5947 SSL *clientssl = NULL, *serverssl = NULL;
5949 static int server = 1;
5950 static int client = 0;
5951 SSL_SESSION *sess = NULL;
5952 unsigned int context;
5954 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5955 /* Skip tests for TLSv1.2 and below in this case */
5960 /* Reset callback counters */
5961 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5962 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5965 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5966 TLS_client_method(), TLS1_VERSION, 0,
5967 &sctx, &cctx, cert, privkey)))
5971 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5973 &sctx2, NULL, cert, privkey)))
5978 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5979 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5981 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5985 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5986 | SSL_EXT_TLS1_3_CERTIFICATE;
5987 SSL_CTX_set_verify(sctx,
5988 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5990 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5991 SSL_FILETYPE_PEM), 1)
5992 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5993 SSL_FILETYPE_PEM), 1)
5994 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5996 } else if (tst == 4) {
5997 context = SSL_EXT_CLIENT_HELLO
5998 | SSL_EXT_TLS1_2_SERVER_HELLO
5999 | SSL_EXT_TLS1_3_SERVER_HELLO
6000 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6001 | SSL_EXT_TLS1_3_CERTIFICATE
6002 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6004 context = SSL_EXT_CLIENT_HELLO
6005 | SSL_EXT_TLS1_2_SERVER_HELLO
6006 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6009 /* Create a client side custom extension */
6011 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6012 old_add_cb, old_free_cb,
6013 &client, old_parse_cb,
6017 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6018 new_add_cb, new_free_cb,
6019 &client, new_parse_cb, &client)))
6023 /* Should not be able to add duplicates */
6024 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6025 old_add_cb, old_free_cb,
6026 &client, old_parse_cb,
6028 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6029 context, new_add_cb,
6030 new_free_cb, &client,
6031 new_parse_cb, &client)))
6034 /* Create a server side custom extension */
6036 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6037 old_add_cb, old_free_cb,
6038 &server, old_parse_cb,
6042 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6043 new_add_cb, new_free_cb,
6044 &server, new_parse_cb, &server)))
6047 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6048 context, new_add_cb,
6049 new_free_cb, &server,
6050 new_parse_cb, &server)))
6054 /* Should not be able to add duplicates */
6055 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6056 old_add_cb, old_free_cb,
6057 &server, old_parse_cb,
6059 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6060 context, new_add_cb,
6061 new_free_cb, &server,
6062 new_parse_cb, &server)))
6067 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6068 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6072 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6073 &clientssl, NULL, NULL))
6074 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6079 if (clntaddoldcb != 1
6080 || clntparseoldcb != 1
6082 || srvparseoldcb != 1)
6084 } else if (tst == 1 || tst == 2 || tst == 3) {
6085 if (clntaddnewcb != 1
6086 || clntparsenewcb != 1
6088 || srvparsenewcb != 1
6089 || (tst != 2 && snicb != 0)
6090 || (tst == 2 && snicb != 1))
6092 } else if (tst == 5) {
6093 if (clntaddnewcb != 1
6094 || clntparsenewcb != 1
6096 || srvparsenewcb != 1)
6099 /* In this case there 2 NewSessionTicket messages created */
6100 if (clntaddnewcb != 1
6101 || clntparsenewcb != 5
6103 || srvparsenewcb != 1)
6107 sess = SSL_get1_session(clientssl);
6108 SSL_shutdown(clientssl);
6109 SSL_shutdown(serverssl);
6110 SSL_free(serverssl);
6111 SSL_free(clientssl);
6112 serverssl = clientssl = NULL;
6114 if (tst == 3 || tst == 5) {
6115 /* We don't bother with the resumption aspects for these tests */
6120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6122 || !TEST_true(SSL_set_session(clientssl, sess))
6123 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6128 * For a resumed session we expect to add the ClientHello extension. For the
6129 * old style callbacks we ignore it on the server side because they set
6130 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6134 if (clntaddoldcb != 2
6135 || clntparseoldcb != 1
6137 || srvparseoldcb != 1)
6139 } else if (tst == 1 || tst == 2 || tst == 3) {
6140 if (clntaddnewcb != 2
6141 || clntparsenewcb != 2
6143 || srvparsenewcb != 2)
6147 * No Certificate message extensions in the resumption handshake,
6148 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6150 if (clntaddnewcb != 2
6151 || clntparsenewcb != 8
6153 || srvparsenewcb != 2)
6160 SSL_SESSION_free(sess);
6161 SSL_free(serverssl);
6162 SSL_free(clientssl);
6163 SSL_CTX_free(sctx2);
6169 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6171 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6172 | SSL_EXT_CLIENT_HELLO \
6173 | SSL_EXT_TLS1_2_SERVER_HELLO \
6174 | SSL_EXT_IGNORE_ON_RESUMPTION)
6176 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6177 | SSL_EXT_TLS1_2_SERVER_HELLO \
6178 | SSL_EXT_CLIENT_HELLO)
6180 #define SERVERINFO_CUSTOM \
6181 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6185 static const unsigned char serverinfo_custom_tls13[] = {
6186 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6189 static const unsigned char serverinfo_custom_v2[] = {
6190 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6193 static const unsigned char serverinfo_custom_v1[] = {
6196 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6197 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6198 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6200 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6201 unsigned int context,
6202 const unsigned char *in,
6203 size_t inlen, X509 *x,
6204 size_t chainidx, int *al,
6207 const size_t len = serverinfo_custom_v1_len;
6208 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6209 int *p_cb_result = (int*)parse_arg;
6210 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6214 static int test_serverinfo_custom(const int idx)
6216 SSL_CTX *sctx = NULL, *cctx = NULL;
6217 SSL *clientssl = NULL, *serverssl = NULL;
6222 * Following variables are set in the switch statement
6223 * according to the test iteration.
6224 * Default values do not make much sense: test would fail with them.
6226 int serverinfo_version = 0;
6227 int protocol_version = 0;
6228 unsigned int extension_context = 0;
6229 const unsigned char *si = NULL;
6232 const int call_use_serverinfo_ex = idx > 0;
6234 case 0: /* FALLTHROUGH */
6236 serverinfo_version = SSL_SERVERINFOV1;
6237 protocol_version = TLS1_2_VERSION;
6238 extension_context = SYNTHV1CONTEXT;
6239 si = serverinfo_custom_v1;
6240 si_len = serverinfo_custom_v1_len;
6243 serverinfo_version = SSL_SERVERINFOV2;
6244 protocol_version = TLS1_2_VERSION;
6245 extension_context = SYNTHV1CONTEXT;
6246 si = serverinfo_custom_v2;
6247 si_len = serverinfo_custom_v2_len;
6250 serverinfo_version = SSL_SERVERINFOV2;
6251 protocol_version = TLS1_3_VERSION;
6252 extension_context = TLS13CONTEXT;
6253 si = serverinfo_custom_tls13;
6254 si_len = serverinfo_custom_tls13_len;
6258 if (!TEST_true(create_ssl_ctx_pair(libctx,
6263 &sctx, &cctx, cert, privkey)))
6266 if (call_use_serverinfo_ex) {
6267 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6271 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6275 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6278 serverinfo_custom_parse_cb,
6280 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6282 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6284 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6287 if (!TEST_true(cb_result))
6293 SSL_free(serverssl);
6294 SSL_free(clientssl);
6303 * Test that SSL_export_keying_material() produces expected results. There are
6304 * no test vectors so all we do is test that both sides of the communication
6305 * produce the same results for different protocol versions.
6307 #define SMALL_LABEL_LEN 10
6308 #define LONG_LABEL_LEN 249
6309 static int test_export_key_mat(int tst)
6312 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6313 SSL *clientssl = NULL, *serverssl = NULL;
6314 const char label[LONG_LABEL_LEN + 1] = "test label";
6315 const unsigned char context[] = "context";
6316 const unsigned char *emptycontext = NULL;
6317 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6318 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6320 const int protocols[] = {
6329 #ifdef OPENSSL_NO_TLS1
6333 #ifdef OPENSSL_NO_TLS1_1
6337 if (is_fips && (tst == 0 || tst == 1))
6339 #ifdef OPENSSL_NO_TLS1_2
6343 #ifdef OSSL_NO_USABLE_TLS1_3
6347 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6348 TLS_client_method(), TLS1_VERSION, 0,
6349 &sctx, &cctx, cert, privkey)))
6352 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6353 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6354 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6355 if ((protocols[tst] < TLS1_2_VERSION) &&
6356 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6357 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6360 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6365 * Premature call of SSL_export_keying_material should just fail.
6367 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6368 sizeof(ckeymat1), label,
6369 SMALL_LABEL_LEN + 1, context,
6370 sizeof(context) - 1, 1), 0))
6373 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6379 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6382 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6383 sizeof(ckeymat1), label,
6384 LONG_LABEL_LEN + 1, context,
6385 sizeof(context) - 1, 1), 0))
6390 } else if (tst == 4) {
6391 labellen = LONG_LABEL_LEN;
6393 labellen = SMALL_LABEL_LEN;
6396 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6397 sizeof(ckeymat1), label,
6399 sizeof(context) - 1, 1), 1)
6400 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6401 sizeof(ckeymat2), label,
6405 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6406 sizeof(ckeymat3), label,
6409 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6410 sizeof(skeymat1), label,
6413 sizeof(context) -1, 1),
6415 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6416 sizeof(skeymat2), label,
6420 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6421 sizeof(skeymat3), label,
6425 * Check that both sides created the same key material with the
6428 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6431 * Check that both sides created the same key material with an
6434 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6437 * Check that both sides created the same key material without a
6440 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6442 /* Different contexts should produce different results */
6443 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6448 * Check that an empty context and no context produce different results in
6449 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6451 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6453 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6460 SSL_free(serverssl);
6461 SSL_free(clientssl);
6462 SSL_CTX_free(sctx2);
6469 #ifndef OSSL_NO_USABLE_TLS1_3
6471 * Test that SSL_export_keying_material_early() produces expected
6472 * results. There are no test vectors so all we do is test that both
6473 * sides of the communication produce the same results for different
6474 * protocol versions.
6476 static int test_export_key_mat_early(int idx)
6478 static const char label[] = "test label";
6479 static const unsigned char context[] = "context";
6481 SSL_CTX *cctx = NULL, *sctx = NULL;
6482 SSL *clientssl = NULL, *serverssl = NULL;
6483 SSL_SESSION *sess = NULL;
6484 const unsigned char *emptycontext = NULL;
6485 unsigned char ckeymat1[80], ckeymat2[80];
6486 unsigned char skeymat1[80], skeymat2[80];
6487 unsigned char buf[1];
6488 size_t readbytes, written;
6490 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6491 &sess, idx, SHA384_DIGEST_LENGTH)))
6494 /* Here writing 0 length early data is enough. */
6495 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6496 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6498 SSL_READ_EARLY_DATA_ERROR)
6499 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6500 SSL_EARLY_DATA_ACCEPTED))
6503 if (!TEST_int_eq(SSL_export_keying_material_early(
6504 clientssl, ckeymat1, sizeof(ckeymat1), label,
6505 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6506 || !TEST_int_eq(SSL_export_keying_material_early(
6507 clientssl, ckeymat2, sizeof(ckeymat2), label,
6508 sizeof(label) - 1, emptycontext, 0), 1)
6509 || !TEST_int_eq(SSL_export_keying_material_early(
6510 serverssl, skeymat1, sizeof(skeymat1), label,
6511 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6512 || !TEST_int_eq(SSL_export_keying_material_early(
6513 serverssl, skeymat2, sizeof(skeymat2), label,
6514 sizeof(label) - 1, emptycontext, 0), 1)
6516 * Check that both sides created the same key material with the
6519 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6522 * Check that both sides created the same key material with an
6525 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6527 /* Different contexts should produce different results */
6528 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6535 SSL_SESSION_free(sess);
6536 SSL_SESSION_free(clientpsk);
6537 SSL_SESSION_free(serverpsk);
6538 clientpsk = serverpsk = NULL;
6539 SSL_free(serverssl);
6540 SSL_free(clientssl);
6547 #define NUM_KEY_UPDATE_MESSAGES 40
6551 static int test_key_update(void)
6553 SSL_CTX *cctx = NULL, *sctx = NULL;
6554 SSL *clientssl = NULL, *serverssl = NULL;
6555 int testresult = 0, i, j;
6557 static char *mess = "A test message";
6559 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6560 TLS_client_method(),
6563 &sctx, &cctx, cert, privkey))
6564 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6566 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6570 for (j = 0; j < 2; j++) {
6571 /* Send lots of KeyUpdate messages */
6572 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6573 if (!TEST_true(SSL_key_update(clientssl,
6575 ? SSL_KEY_UPDATE_NOT_REQUESTED
6576 : SSL_KEY_UPDATE_REQUESTED))
6577 || !TEST_true(SSL_do_handshake(clientssl)))
6581 /* Check that sending and receiving app data is ok */
6582 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6583 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6587 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6588 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6596 SSL_free(serverssl);
6597 SSL_free(clientssl);
6605 * Test we can handle a KeyUpdate (update requested) message while
6606 * write data is pending in peer.
6607 * Test 0: Client sends KeyUpdate while Server is writing
6608 * Test 1: Server sends KeyUpdate while Client is writing
6610 static int test_key_update_peer_in_write(int tst)
6612 SSL_CTX *cctx = NULL, *sctx = NULL;
6613 SSL *clientssl = NULL, *serverssl = NULL;
6616 static char *mess = "A test message";
6617 BIO *bretry = BIO_new(bio_s_always_retry());
6619 SSL *peerupdate = NULL, *peerwrite = NULL;
6621 if (!TEST_ptr(bretry)
6622 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6623 TLS_client_method(),
6626 &sctx, &cctx, cert, privkey))
6627 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6629 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6633 peerupdate = tst == 0 ? clientssl : serverssl;
6634 peerwrite = tst == 0 ? serverssl : clientssl;
6636 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6637 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6640 /* Swap the writing endpoint's write BIO to force a retry */
6641 tmp = SSL_get_wbio(peerwrite);
6642 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6646 SSL_set0_wbio(peerwrite, bretry);
6649 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6650 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6651 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6654 /* Reinstate the original writing endpoint's write BIO */
6655 SSL_set0_wbio(peerwrite, tmp);
6658 /* Now read some data - we will read the key update */
6659 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6660 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6664 * Complete the write we started previously and read it from the other
6667 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6668 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6671 /* Write more data to ensure we send the KeyUpdate message back */
6672 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6673 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6679 SSL_free(serverssl);
6680 SSL_free(clientssl);
6690 * Test we can handle a KeyUpdate (update requested) message while
6691 * peer read data is pending after peer accepted keyupdate(the msg header
6692 * had been read 5 bytes).
6693 * Test 0: Client sends KeyUpdate while Server is reading
6694 * Test 1: Server sends KeyUpdate while Client is reading
6696 static int test_key_update_peer_in_read(int tst)
6698 SSL_CTX *cctx = NULL, *sctx = NULL;
6699 SSL *clientssl = NULL, *serverssl = NULL;
6701 char prbuf[515], lwbuf[515] = {0};
6702 static char *mess = "A test message";
6703 BIO *lbio = NULL, *pbio = NULL;
6704 SSL *local = NULL, *peer = NULL;
6706 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6707 TLS_client_method(),
6710 &sctx, &cctx, cert, privkey))
6711 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6713 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6717 local = tst == 0 ? clientssl : serverssl;
6718 peer = tst == 0 ? serverssl : clientssl;
6720 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6723 SSL_set_bio(local, lbio, lbio);
6724 SSL_set_bio(peer, pbio, pbio);
6727 * we first write keyupdate msg then appdata in local
6728 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6729 * lwbuf app data msg size + key updata msg size > 512(the size of
6730 * the bio pair buffer)
6732 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6733 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6734 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6738 * first read keyupdate msg in peer in peer
6739 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6741 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6742 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6745 /* Now write some data in peer - we will write the key update */
6746 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6750 * write data in local previously that we will complete
6751 * read data in peer previously that we will complete
6753 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6754 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6757 /* check that sending and receiving appdata ok */
6758 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6759 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6765 SSL_free(serverssl);
6766 SSL_free(clientssl);
6774 * Test we can't send a KeyUpdate (update requested) message while
6775 * local write data is pending.
6776 * Test 0: Client sends KeyUpdate while Client is writing
6777 * Test 1: Server sends KeyUpdate while Server is writing
6779 static int test_key_update_local_in_write(int tst)
6781 SSL_CTX *cctx = NULL, *sctx = NULL;
6782 SSL *clientssl = NULL, *serverssl = NULL;
6785 static char *mess = "A test message";
6786 BIO *bretry = BIO_new(bio_s_always_retry());
6788 SSL *local = NULL, *peer = NULL;
6790 if (!TEST_ptr(bretry)
6791 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6792 TLS_client_method(),
6795 &sctx, &cctx, cert, privkey))
6796 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6798 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6802 local = tst == 0 ? clientssl : serverssl;
6803 peer = tst == 0 ? serverssl : clientssl;
6805 /* Swap the writing endpoint's write BIO to force a retry */
6806 tmp = SSL_get_wbio(local);
6807 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6811 SSL_set0_wbio(local, bretry);
6814 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6815 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6816 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6819 /* Reinstate the original writing endpoint's write BIO */
6820 SSL_set0_wbio(local, tmp);
6823 /* SSL_key_update will fail, because writing in local*/
6824 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6825 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6829 /* write data in local previously that we will complete */
6830 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6833 /* SSL_key_update will succeed because there is no pending write data */
6834 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6835 || !TEST_int_eq(SSL_do_handshake(local), 1))
6839 * we write some appdata in local
6840 * read data in peer - we will read the keyupdate msg
6842 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6843 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6846 /* Write more peer more data to ensure we send the keyupdate message back */
6847 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6848 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6854 SSL_free(serverssl);
6855 SSL_free(clientssl);
6865 * Test we can handle a KeyUpdate (update requested) message while
6866 * local read data is pending(the msg header had been read 5 bytes).
6867 * Test 0: Client sends KeyUpdate while Client is reading
6868 * Test 1: Server sends KeyUpdate while Server is reading
6870 static int test_key_update_local_in_read(int tst)
6872 SSL_CTX *cctx = NULL, *sctx = NULL;
6873 SSL *clientssl = NULL, *serverssl = NULL;
6875 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6876 static char *mess = "A test message";
6877 BIO *lbio = NULL, *pbio = NULL;
6878 SSL *local = NULL, *peer = NULL;
6880 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6881 TLS_client_method(),
6884 &sctx, &cctx, cert, privkey))
6885 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6887 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6891 local = tst == 0 ? clientssl : serverssl;
6892 peer = tst == 0 ? serverssl : clientssl;
6894 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6897 SSL_set_bio(local, lbio, lbio);
6898 SSL_set_bio(peer, pbio, pbio);
6900 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6901 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6902 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6905 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6906 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6907 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6910 /* SSL_do_handshake will send keyupdate msg */
6911 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6912 || !TEST_int_eq(SSL_do_handshake(local), 1))
6916 * write data in peer previously that we will complete
6917 * read data in local previously that we will complete
6919 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6920 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6924 * write data in local
6925 * read data in peer - we will read the key update
6927 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6928 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6931 /* Write more peer data to ensure we send the keyupdate message back */
6932 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6933 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6939 SSL_free(serverssl);
6940 SSL_free(clientssl);
6946 #endif /* OSSL_NO_USABLE_TLS1_3 */
6948 static int test_ssl_clear(int idx)
6950 SSL_CTX *cctx = NULL, *sctx = NULL;
6951 SSL *clientssl = NULL, *serverssl = NULL;
6954 #ifdef OPENSSL_NO_TLS1_2
6959 /* Create an initial connection */
6960 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6961 TLS_client_method(), TLS1_VERSION, 0,
6962 &sctx, &cctx, cert, privkey))
6964 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6966 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6967 &clientssl, NULL, NULL))
6968 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6972 SSL_shutdown(clientssl);
6973 SSL_shutdown(serverssl);
6974 SSL_free(serverssl);
6977 /* Clear clientssl - we're going to reuse the object */
6978 if (!TEST_true(SSL_clear(clientssl)))
6981 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6983 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6985 || !TEST_true(SSL_session_reused(clientssl)))
6988 SSL_shutdown(clientssl);
6989 SSL_shutdown(serverssl);
6994 SSL_free(serverssl);
6995 SSL_free(clientssl);
7002 /* Parse CH and retrieve any MFL extension value if present */
7003 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7006 unsigned char *data;
7007 PACKET pkt, pkt2, pkt3;
7008 unsigned int MFL_code = 0, type = 0;
7010 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
7013 memset(&pkt, 0, sizeof(pkt));
7014 memset(&pkt2, 0, sizeof(pkt2));
7015 memset(&pkt3, 0, sizeof(pkt3));
7017 if (!TEST_long_gt(len, 0)
7018 || !TEST_true(PACKET_buf_init(&pkt, data, len))
7019 /* Skip the record header */
7020 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7021 /* Skip the handshake message header */
7022 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7023 /* Skip client version and random */
7024 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7025 + SSL3_RANDOM_SIZE))
7026 /* Skip session id */
7027 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7029 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7030 /* Skip compression */
7031 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7032 /* Extensions len */
7033 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7036 /* Loop through all extensions */
7037 while (PACKET_remaining(&pkt2)) {
7038 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7039 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7042 if (type == TLSEXT_TYPE_max_fragment_length) {
7043 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7044 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7047 *mfl_codemfl_code = MFL_code;
7056 /* Maximum-Fragment-Length TLS extension mode to test */
7057 static const unsigned char max_fragment_len_test[] = {
7058 TLSEXT_max_fragment_length_512,
7059 TLSEXT_max_fragment_length_1024,
7060 TLSEXT_max_fragment_length_2048,
7061 TLSEXT_max_fragment_length_4096
7064 static int test_max_fragment_len_ext(int idx_tst)
7066 SSL_CTX *ctx = NULL;
7068 int testresult = 0, MFL_mode = 0;
7071 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7072 TLS1_VERSION, 0, NULL, &ctx, NULL,
7076 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7077 ctx, max_fragment_len_test[idx_tst])))
7084 rbio = BIO_new(BIO_s_mem());
7085 wbio = BIO_new(BIO_s_mem());
7086 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7092 SSL_set_bio(con, rbio, wbio);
7094 if (!TEST_int_le(SSL_connect(con), 0)) {
7095 /* This shouldn't succeed because we don't have a server! */
7099 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7100 /* no MFL in client hello */
7102 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7114 #ifndef OSSL_NO_USABLE_TLS1_3
7115 static int test_pha_key_update(void)
7117 SSL_CTX *cctx = NULL, *sctx = NULL;
7118 SSL *clientssl = NULL, *serverssl = NULL;
7121 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7122 TLS_client_method(), TLS1_VERSION, 0,
7123 &sctx, &cctx, cert, privkey)))
7126 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7127 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7128 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7129 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7132 SSL_CTX_set_post_handshake_auth(cctx, 1);
7134 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7138 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7142 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7143 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7146 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7149 /* Start handshake on the server */
7150 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7153 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7154 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7158 SSL_shutdown(clientssl);
7159 SSL_shutdown(serverssl);
7164 SSL_free(serverssl);
7165 SSL_free(clientssl);
7172 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7174 static SRP_VBASE *vbase = NULL;
7176 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7178 int ret = SSL3_AL_FATAL;
7180 SRP_user_pwd *user = NULL;
7182 username = SSL_get_srp_username(s);
7183 if (username == NULL) {
7184 *ad = SSL_AD_INTERNAL_ERROR;
7188 user = SRP_VBASE_get1_by_user(vbase, username);
7190 *ad = SSL_AD_INTERNAL_ERROR;
7194 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7196 *ad = SSL_AD_INTERNAL_ERROR;
7203 SRP_user_pwd_free(user);
7207 static int create_new_vfile(char *userid, char *password, const char *filename)
7210 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7213 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7216 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7219 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7220 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7221 if (!TEST_ptr(gNid))
7225 * The only way to create an empty TXT_DB is to provide a BIO with no data
7228 db = TXT_DB_read(dummy, DB_NUMBER);
7232 out = BIO_new_file(filename, "w");
7236 row[DB_srpid] = OPENSSL_strdup(userid);
7237 row[DB_srptype] = OPENSSL_strdup("V");
7238 row[DB_srpgN] = OPENSSL_strdup(gNid);
7240 if (!TEST_ptr(row[DB_srpid])
7241 || !TEST_ptr(row[DB_srptype])
7242 || !TEST_ptr(row[DB_srpgN])
7243 || !TEST_true(TXT_DB_insert(db, row)))
7248 if (TXT_DB_write(out, db) <= 0)
7254 for (i = 0; i < DB_NUMBER; i++)
7255 OPENSSL_free(row[i]);
7265 static int create_new_vbase(char *userid, char *password)
7267 BIGNUM *verifier = NULL, *salt = NULL;
7268 const SRP_gN *lgN = NULL;
7269 SRP_user_pwd *user_pwd = NULL;
7272 lgN = SRP_get_default_gN(NULL);
7276 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7277 lgN->N, lgN->g, libctx, NULL)))
7280 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7281 if (!TEST_ptr(user_pwd))
7284 user_pwd->N = lgN->N;
7285 user_pwd->g = lgN->g;
7286 user_pwd->id = OPENSSL_strdup(userid);
7287 if (!TEST_ptr(user_pwd->id))
7290 user_pwd->v = verifier;
7292 verifier = salt = NULL;
7294 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7300 SRP_user_pwd_free(user_pwd);
7310 * Test 0: Simple successful SRP connection, new vbase
7311 * Test 1: Connection failure due to bad password, new vbase
7312 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7313 * Test 3: Connection failure due to bad password, vbase loaded from existing
7315 * Test 4: Simple successful SRP connection, vbase loaded from new file
7316 * Test 5: Connection failure due to bad password, vbase loaded from new file
7318 static int test_srp(int tst)
7320 char *userid = "test", *password = "password", *tstsrpfile;
7321 SSL_CTX *cctx = NULL, *sctx = NULL;
7322 SSL *clientssl = NULL, *serverssl = NULL;
7323 int ret, testresult = 0;
7325 vbase = SRP_VBASE_new(NULL);
7326 if (!TEST_ptr(vbase))
7329 if (tst == 0 || tst == 1) {
7330 if (!TEST_true(create_new_vbase(userid, password)))
7333 if (tst == 4 || tst == 5) {
7334 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7336 tstsrpfile = tmpfilename;
7338 tstsrpfile = srpvfile;
7340 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7344 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7345 TLS_client_method(), TLS1_VERSION, 0,
7346 &sctx, &cctx, cert, privkey)))
7349 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7350 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7351 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7352 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7353 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7357 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7360 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7368 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7370 if (!TEST_true(tst % 2 == 0))
7373 if (!TEST_true(tst % 2 == 1))
7380 SRP_VBASE_free(vbase);
7382 SSL_free(serverssl);
7383 SSL_free(clientssl);
7391 static int info_cb_failed = 0;
7392 static int info_cb_offset = 0;
7393 static int info_cb_this_state = -1;
7395 static struct info_cb_states_st {
7397 const char *statestr;
7398 } info_cb_states[][60] = {
7400 /* TLSv1.2 server followed by resumption */
7401 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7402 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7403 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7404 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7405 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7406 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7407 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7408 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7409 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7410 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7411 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7412 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7413 {SSL_CB_EXIT, NULL}, {0, NULL},
7415 /* TLSv1.2 client followed by resumption */
7416 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7417 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7418 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7419 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7420 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7421 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7422 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7423 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7424 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7425 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7426 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7427 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7429 /* TLSv1.3 server followed by resumption */
7430 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7431 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7432 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7433 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7434 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7435 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7436 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7437 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7438 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7439 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7440 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7441 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7442 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7444 /* TLSv1.3 client followed by resumption */
7445 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7446 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7447 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7448 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7449 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7450 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7451 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7452 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7453 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7454 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7455 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7456 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7457 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7458 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7459 {SSL_CB_EXIT, NULL}, {0, NULL},
7461 /* TLSv1.3 server, early_data */
7462 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7463 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7464 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7465 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7466 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7467 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7468 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7469 {SSL_CB_EXIT, NULL}, {0, NULL},
7471 /* TLSv1.3 client, early_data */
7472 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7473 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7474 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7475 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7476 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7477 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7478 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7479 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7480 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7482 /* TLSv1.3 server, certificate compression, followed by resumption */
7483 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7484 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7485 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7486 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7487 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7488 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7489 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7490 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7491 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7492 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7493 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7494 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7495 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7497 /* TLSv1.3 client, certificate compression, followed by resumption */
7498 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7499 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7500 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7501 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7502 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7503 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7504 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7505 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7506 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7507 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7508 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7509 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7510 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7511 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7512 {SSL_CB_EXIT, NULL}, {0, NULL},
7518 static void sslapi_info_callback(const SSL *s, int where, int ret)
7520 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7522 /* We do not ever expect a connection to fail in this test */
7523 if (!TEST_false(ret == 0)) {
7529 * Do some sanity checks. We never expect these things to happen in this
7532 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7533 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7534 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7539 /* Now check we're in the right state */
7540 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7544 if ((where & SSL_CB_LOOP) != 0
7545 && !TEST_int_eq(strcmp(SSL_state_string(s),
7546 state[info_cb_this_state].statestr), 0)) {
7552 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7554 if ((where & SSL_CB_HANDSHAKE_DONE)
7555 && SSL_in_init((SSL *)s) != 0) {
7562 * Test the info callback gets called when we expect it to.
7564 * Test 0: TLSv1.2, server
7565 * Test 1: TLSv1.2, client
7566 * Test 2: TLSv1.3, server
7567 * Test 3: TLSv1.3, client
7568 * Test 4: TLSv1.3, server, early_data
7569 * Test 5: TLSv1.3, client, early_data
7570 * Test 6: TLSv1.3, server, compressed certificate
7571 * Test 7: TLSv1.3, client, compressed certificate
7573 static int test_info_callback(int tst)
7575 SSL_CTX *cctx = NULL, *sctx = NULL;
7576 SSL *clientssl = NULL, *serverssl = NULL;
7577 SSL_SESSION *clntsess = NULL;
7582 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7583 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7584 || !defined(OPENSSL_NO_DH))
7585 tlsvers = TLS1_2_VERSION;
7590 #ifndef OSSL_NO_USABLE_TLS1_3
7591 tlsvers = TLS1_3_VERSION;
7599 info_cb_this_state = -1;
7600 info_cb_offset = tst;
7602 #ifndef OSSL_NO_USABLE_TLS1_3
7603 if (tst >= 4 && tst < 6) {
7604 SSL_SESSION *sess = NULL;
7605 size_t written, readbytes;
7606 unsigned char buf[80];
7608 /* early_data tests */
7609 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7610 &serverssl, &sess, 0,
7611 SHA384_DIGEST_LENGTH)))
7614 /* We don't actually need this reference */
7615 SSL_SESSION_free(sess);
7617 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7618 sslapi_info_callback);
7620 /* Write and read some early data and then complete the connection */
7621 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7623 || !TEST_size_t_eq(written, strlen(MSG1))
7624 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7625 sizeof(buf), &readbytes),
7626 SSL_READ_EARLY_DATA_SUCCESS)
7627 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7628 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7629 SSL_EARLY_DATA_ACCEPTED)
7630 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7632 || !TEST_false(info_cb_failed))
7640 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7641 TLS_client_method(),
7642 tlsvers, tlsvers, &sctx, &cctx, cert,
7646 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7650 * For even numbered tests we check the server callbacks. For odd numbers we
7653 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7654 sslapi_info_callback);
7656 if (!SSL_CTX_compress_certs(sctx, 0))
7660 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7661 &clientssl, NULL, NULL))
7662 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7664 || !TEST_false(info_cb_failed))
7669 clntsess = SSL_get1_session(clientssl);
7670 SSL_shutdown(clientssl);
7671 SSL_shutdown(serverssl);
7672 SSL_free(serverssl);
7673 SSL_free(clientssl);
7674 serverssl = clientssl = NULL;
7676 /* Now do a resumption */
7677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7679 || !TEST_true(SSL_set_session(clientssl, clntsess))
7680 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7682 || !TEST_true(SSL_session_reused(clientssl))
7683 || !TEST_false(info_cb_failed))
7689 SSL_free(serverssl);
7690 SSL_free(clientssl);
7691 SSL_SESSION_free(clntsess);
7697 static int test_ssl_pending(int tst)
7699 SSL_CTX *cctx = NULL, *sctx = NULL;
7700 SSL *clientssl = NULL, *serverssl = NULL;
7702 char msg[] = "A test message";
7704 size_t written, readbytes;
7707 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7708 TLS_client_method(),
7710 &sctx, &cctx, cert, privkey)))
7713 #ifndef OPENSSL_NO_DTLS
7714 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7715 DTLS_client_method(),
7717 &sctx, &cctx, cert, privkey)))
7720 # ifdef OPENSSL_NO_DTLS1_2
7721 /* Not supported in the FIPS provider */
7727 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7730 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7731 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7732 "DEFAULT:@SECLEVEL=0")))
7740 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7742 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7746 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7747 || !TEST_false(SSL_has_pending(clientssl))
7748 || !TEST_int_eq(SSL_pending(serverssl), 0)
7749 || !TEST_false(SSL_has_pending(serverssl))
7750 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7751 || !TEST_size_t_eq(written, sizeof(msg))
7752 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7753 || !TEST_size_t_eq(readbytes, sizeof(buf))
7754 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7755 || !TEST_true(SSL_has_pending(clientssl)))
7761 SSL_free(serverssl);
7762 SSL_free(clientssl);
7770 unsigned int maxprot;
7771 const char *clntciphers;
7772 const char *clnttls13ciphers;
7773 const char *srvrciphers;
7774 const char *srvrtls13ciphers;
7776 const char *fipsshared;
7777 } shared_ciphers_data[] = {
7779 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7780 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7782 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7785 "AES128-SHA:AES256-SHA",
7787 "AES256-SHA:DHE-RSA-AES128-SHA",
7792 # if !defined(OPENSSL_NO_CHACHA) \
7793 && !defined(OPENSSL_NO_POLY1305) \
7794 && !defined(OPENSSL_NO_EC)
7797 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7799 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7801 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7807 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7809 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7811 "AES128-SHA:AES256-SHA",
7812 "AES128-SHA:AES256-SHA"
7816 "AES128-SHA:AES256-SHA",
7818 "AES128-SHA:DHE-RSA-AES128-SHA",
7825 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7828 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7829 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7832 "AES128-SHA:AES256-SHA",
7834 "AES256-SHA:AES128-SHA256",
7836 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7837 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7838 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7841 #ifndef OSSL_NO_USABLE_TLS1_3
7845 "TLS_AES_256_GCM_SHA384",
7847 "TLS_AES_256_GCM_SHA384",
7848 "TLS_AES_256_GCM_SHA384",
7849 "TLS_AES_256_GCM_SHA384"
7854 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7856 SSL_CTX *cctx = NULL, *sctx = NULL;
7857 SSL *clientssl = NULL, *serverssl = NULL;
7860 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7862 if (!TEST_ptr(tmplibctx))
7866 * Regardless of whether we're testing with the FIPS provider loaded into
7867 * libctx, we want one peer to always use the full set of ciphersuites
7868 * available. Therefore we use a separate libctx with the default provider
7869 * loaded into it. We run the same tests twice - once with the client side
7870 * having the full set of ciphersuites and once with the server side.
7873 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7874 if (!TEST_ptr(cctx))
7877 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7878 if (!TEST_ptr(sctx))
7882 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7883 TLS_client_method(),
7885 shared_ciphers_data[tst].maxprot,
7886 &sctx, &cctx, cert, privkey)))
7889 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7890 shared_ciphers_data[tst].clntciphers))
7891 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7892 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7893 shared_ciphers_data[tst].clnttls13ciphers)))
7894 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7895 shared_ciphers_data[tst].srvrciphers))
7896 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7897 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7898 shared_ciphers_data[tst].srvrtls13ciphers))))
7902 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7904 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7908 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7909 || !TEST_int_eq(strcmp(buf,
7911 ? shared_ciphers_data[tst].fipsshared
7912 : shared_ciphers_data[tst].shared),
7914 TEST_info("Shared ciphers are: %s\n", buf);
7921 SSL_free(serverssl);
7922 SSL_free(clientssl);
7925 OSSL_LIB_CTX_free(tmplibctx);
7930 static int test_ssl_get_shared_ciphers(int tst)
7932 return int_test_ssl_get_shared_ciphers(tst, 0)
7933 && int_test_ssl_get_shared_ciphers(tst, 1);
7937 static const char *appdata = "Hello World";
7938 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7939 static int tick_key_renew = 0;
7940 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7942 static int gen_tick_cb(SSL *s, void *arg)
7944 gen_tick_called = 1;
7946 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7950 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7951 const unsigned char *keyname,
7952 size_t keyname_length,
7953 SSL_TICKET_STATUS status,
7959 dec_tick_called = 1;
7961 if (status == SSL_TICKET_EMPTY)
7962 return SSL_TICKET_RETURN_IGNORE_RENEW;
7964 if (!TEST_true(status == SSL_TICKET_SUCCESS
7965 || status == SSL_TICKET_SUCCESS_RENEW))
7966 return SSL_TICKET_RETURN_ABORT;
7968 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7970 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7971 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7972 return SSL_TICKET_RETURN_ABORT;
7974 if (tick_key_cb_called) {
7975 /* Don't change what the ticket key callback wanted to do */
7977 case SSL_TICKET_NO_DECRYPT:
7978 return SSL_TICKET_RETURN_IGNORE_RENEW;
7980 case SSL_TICKET_SUCCESS:
7981 return SSL_TICKET_RETURN_USE;
7983 case SSL_TICKET_SUCCESS_RENEW:
7984 return SSL_TICKET_RETURN_USE_RENEW;
7987 return SSL_TICKET_RETURN_ABORT;
7990 return tick_dec_ret;
7994 #ifndef OPENSSL_NO_DEPRECATED_3_0
7995 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7996 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7997 HMAC_CTX *hctx, int enc)
7999 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8000 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
8001 EVP_CIPHER *aes128cbc;
8005 tick_key_cb_called = 1;
8007 if (tick_key_renew == -1)
8010 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8011 if (!TEST_ptr(aes128cbc))
8013 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8014 if (!TEST_ptr(sha256)) {
8015 EVP_CIPHER_free(aes128cbc);
8019 memset(iv, 0, AES_BLOCK_SIZE);
8020 memset(key_name, 0, 16);
8021 if (aes128cbc == NULL
8023 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8024 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8028 ret = tick_key_renew ? 2 : 1;
8030 EVP_CIPHER_free(aes128cbc);
8031 EVP_MD_free(sha256);
8037 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8038 unsigned char iv[EVP_MAX_IV_LENGTH],
8039 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8041 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8042 unsigned char tick_hmac_key[16] = "0123456789abcdef";
8043 OSSL_PARAM params[2];
8044 EVP_CIPHER *aes128cbc;
8047 tick_key_cb_called = 1;
8049 if (tick_key_renew == -1)
8052 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8053 if (!TEST_ptr(aes128cbc))
8056 memset(iv, 0, AES_BLOCK_SIZE);
8057 memset(key_name, 0, 16);
8058 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8060 params[1] = OSSL_PARAM_construct_end();
8061 if (aes128cbc == NULL
8062 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8063 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8067 ret = tick_key_renew ? 2 : 1;
8069 EVP_CIPHER_free(aes128cbc);
8075 * Test the various ticket callbacks
8076 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8077 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8078 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8079 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8080 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8081 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8082 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8083 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8084 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8085 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8086 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8087 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8088 * Test 12: TLSv1.2, old ticket key callback, no ticket
8089 * Test 13: TLSv1.3, old ticket key callback, no ticket
8090 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8091 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8092 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8093 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8094 * Test 18: TLSv1.2, ticket key callback, no ticket
8095 * Test 19: TLSv1.3, ticket key callback, no ticket
8097 static int test_ticket_callbacks(int tst)
8099 SSL_CTX *cctx = NULL, *sctx = NULL;
8100 SSL *clientssl = NULL, *serverssl = NULL;
8101 SSL_SESSION *clntsess = NULL;
8104 #ifdef OPENSSL_NO_TLS1_2
8108 #ifdef OSSL_NO_USABLE_TLS1_3
8112 #ifdef OPENSSL_NO_DEPRECATED_3_0
8113 if (tst >= 8 && tst <= 13)
8117 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8119 /* Which tests the ticket key callback should request renewal for */
8121 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8123 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8124 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8128 /* Which tests the decrypt ticket callback should request renewal for */
8132 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8137 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8142 tick_dec_ret = SSL_TICKET_RETURN_USE;
8147 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8151 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8154 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8155 TLS_client_method(),
8157 ((tst % 2) == 0) ? TLS1_2_VERSION
8159 &sctx, &cctx, cert, privkey)))
8163 * We only want sessions to resume from tickets - not the session cache. So
8164 * switch the cache off.
8166 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8169 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8174 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8176 #ifndef OPENSSL_NO_DEPRECATED_3_0
8177 } else if (tst >= 8) {
8178 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8183 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8185 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8190 * The decrypt ticket key callback in TLSv1.2 should be called even though
8191 * we have no ticket yet, because it gets called with a status of
8192 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8193 * actually send any ticket data). This does not happen in TLSv1.3 because
8194 * it is not valid to send empty ticket data in TLSv1.3.
8196 if (!TEST_int_eq(gen_tick_called, 1)
8197 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8200 gen_tick_called = dec_tick_called = 0;
8202 clntsess = SSL_get1_session(clientssl);
8203 SSL_shutdown(clientssl);
8204 SSL_shutdown(serverssl);
8205 SSL_free(serverssl);
8206 SSL_free(clientssl);
8207 serverssl = clientssl = NULL;
8209 /* Now do a resumption */
8210 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8212 || !TEST_true(SSL_set_session(clientssl, clntsess))
8213 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8217 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8218 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8219 || tick_key_renew == -1) {
8220 if (!TEST_false(SSL_session_reused(clientssl)))
8223 if (!TEST_true(SSL_session_reused(clientssl)))
8227 if (!TEST_int_eq(gen_tick_called,
8229 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8230 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8232 /* There is no ticket to decrypt in tests 13 and 19 */
8233 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8239 SSL_SESSION_free(clntsess);
8240 SSL_free(serverssl);
8241 SSL_free(clientssl);
8249 * Test incorrect shutdown.
8250 * Test 0: client does not shutdown properly,
8251 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8252 * server should get SSL_ERROR_SSL
8253 * Test 1: client does not shutdown properly,
8254 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8255 * server should get SSL_ERROR_ZERO_RETURN
8257 static int test_incorrect_shutdown(int tst)
8259 SSL_CTX *cctx = NULL, *sctx = NULL;
8260 SSL *clientssl = NULL, *serverssl = NULL;
8265 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8266 TLS_client_method(), 0, 0,
8267 &sctx, &cctx, cert, privkey)))
8271 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8273 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8277 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8281 c2s = SSL_get_rbio(serverssl);
8282 BIO_set_mem_eof_return(c2s, 0);
8284 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8287 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8289 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8295 SSL_free(serverssl);
8296 SSL_free(clientssl);
8304 * Test bi-directional shutdown.
8306 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8307 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8308 * Test 3: TLSv1.3, pending NewSessionTicket messages
8309 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8310 * sends key update, client reads it
8311 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8312 * sends CertificateRequest, client reads and ignores it
8313 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8316 static int test_shutdown(int tst)
8318 SSL_CTX *cctx = NULL, *sctx = NULL;
8319 SSL *clientssl = NULL, *serverssl = NULL;
8321 char msg[] = "A test message";
8323 size_t written, readbytes;
8326 #ifdef OPENSSL_NO_TLS1_2
8330 #ifdef OSSL_NO_USABLE_TLS1_3
8335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8336 TLS_client_method(),
8338 (tst <= 1) ? TLS1_2_VERSION
8340 &sctx, &cctx, cert, privkey)))
8344 SSL_CTX_set_post_handshake_auth(cctx, 1);
8346 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8351 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8352 SSL_ERROR_NONE, 1, 0))
8353 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8354 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8356 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8358 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8359 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8363 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8368 * Reading on the server after the client has sent close_notify should
8369 * fail and provide SSL_ERROR_ZERO_RETURN
8371 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8372 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8373 SSL_ERROR_ZERO_RETURN)
8374 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8375 SSL_RECEIVED_SHUTDOWN)
8377 * Even though we're shutdown on receive we should still be
8380 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8383 && !TEST_true(SSL_key_update(serverssl,
8384 SSL_KEY_UPDATE_REQUESTED)))
8387 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8388 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8391 if ((tst == 4 || tst == 5)
8392 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8394 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8396 if (tst == 4 || tst == 5) {
8397 /* Should still be able to read data from server */
8398 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8400 || !TEST_size_t_eq(readbytes, sizeof(msg))
8401 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8402 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8404 || !TEST_size_t_eq(readbytes, sizeof(msg))
8405 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8410 /* Writing on the client after sending close_notify shouldn't be possible */
8411 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8416 * For these tests the client has sent close_notify but it has not yet
8417 * been received by the server. The server has not sent close_notify
8420 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8422 * Writing on the server after sending close_notify shouldn't
8425 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8426 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8427 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8428 || !TEST_true(SSL_SESSION_is_resumable(sess))
8429 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8431 } else if (tst == 4 || tst == 5) {
8433 * In this test the client has sent close_notify and it has been
8434 * received by the server which has responded with a close_notify. The
8435 * client needs to read the close_notify sent by the server.
8437 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8438 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8439 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8445 * The client has sent close_notify and is expecting a close_notify
8446 * back, but instead there is application data first. The shutdown
8447 * should fail with a fatal error.
8449 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8450 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8457 SSL_free(serverssl);
8458 SSL_free(clientssl);
8466 * Test that sending close_notify alerts works correctly in the case of a
8467 * retryable write failure.
8469 static int test_async_shutdown(void)
8471 SSL_CTX *cctx = NULL, *sctx = NULL;
8472 SSL *clientssl = NULL, *serverssl = NULL;
8474 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8476 if (!TEST_ptr(bretry))
8479 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8480 TLS_client_method(),
8482 &sctx, &cctx, cert, privkey)))
8485 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8489 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8492 /* Close write side of clientssl */
8493 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8496 tmp = SSL_get_wbio(serverssl);
8497 if (!TEST_true(BIO_up_ref(tmp))) {
8501 SSL_set0_wbio(serverssl, bretry);
8504 /* First server shutdown should fail because of a retrable write failure */
8505 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8506 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8509 /* Second server shutdown should fail for the same reason */
8510 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8511 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8514 SSL_set0_wbio(serverssl, tmp);
8517 /* Third server shutdown should send close_notify */
8518 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8521 /* Fourth server shutdown should read close_notify from client and finish */
8522 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8525 /* Client should also successfully fully shutdown */
8526 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8531 SSL_free(serverssl);
8532 SSL_free(clientssl);
8541 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8542 static int cert_cb_cnt;
8544 static int cert_cb(SSL *s, void *arg)
8546 SSL_CTX *ctx = (SSL_CTX *)arg;
8548 EVP_PKEY *pkey = NULL;
8549 X509 *x509 = NULL, *rootx = NULL;
8550 STACK_OF(X509) *chain = NULL;
8551 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8554 if (cert_cb_cnt == 0) {
8555 /* Suspend the handshake */
8558 } else if (cert_cb_cnt == 1) {
8560 * Update the SSL_CTX, set the certificate and private key and then
8561 * continue the handshake normally.
8563 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8566 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8567 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8569 || !TEST_true(SSL_check_private_key(s)))
8573 } else if (cert_cb_cnt == 3) {
8576 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8577 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8578 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8579 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8581 chain = sk_X509_new_null();
8582 if (!TEST_ptr(chain))
8584 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8585 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8586 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8587 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8588 || !TEST_true(sk_X509_push(chain, rootx)))
8592 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8593 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8594 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8595 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8598 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8599 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8600 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8604 rv = SSL_check_chain(s, x509, pkey, chain);
8606 * If the cert doesn't show as valid here (e.g., because we don't
8607 * have any shared sigalgs), then we will not set it, and there will
8608 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8609 * will cause tls_choose_sigalgs() to fail the connection.
8611 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8612 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8613 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8620 /* Abort the handshake */
8622 OPENSSL_free(ecdsacert);
8623 OPENSSL_free(ecdsakey);
8624 OPENSSL_free(rootfile);
8626 EVP_PKEY_free(pkey);
8629 OSSL_STACK_OF_X509_free(chain);
8634 * Test the certificate callback.
8635 * Test 0: Callback fails
8636 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8637 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8638 * Test 3: Success - Call SSL_check_chain from the callback
8639 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8641 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8643 static int test_cert_cb_int(int prot, int tst)
8645 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8646 SSL *clientssl = NULL, *serverssl = NULL;
8647 int testresult = 0, ret;
8649 #ifdef OPENSSL_NO_EC
8650 /* We use an EC cert in these tests, so we skip in a no-ec build */
8655 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8656 TLS_client_method(),
8659 &sctx, &cctx, NULL, NULL)))
8670 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8671 if (!TEST_ptr(snictx))
8675 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8683 * We cause SSL_check_chain() to fail by specifying sig_algs that
8684 * the chain doesn't meet (the root uses an RSA cert)
8686 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8687 "ecdsa_secp256r1_sha256")))
8689 } else if (tst == 5) {
8691 * We cause SSL_check_chain() to fail by specifying sig_algs that
8692 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8694 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8695 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8699 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8700 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8702 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8709 SSL_free(serverssl);
8710 SSL_free(clientssl);
8713 SSL_CTX_free(snictx);
8719 static int test_cert_cb(int tst)
8723 #ifndef OPENSSL_NO_TLS1_2
8724 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8726 #ifndef OSSL_NO_USABLE_TLS1_3
8727 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8733 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8738 BIO *priv_in = NULL;
8740 /* Check that SSL_get0_peer_certificate() returns something sensible */
8741 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8744 in = BIO_new_file(cert, "r");
8748 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8749 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8750 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8751 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8769 static int test_client_cert_cb(int tst)
8771 SSL_CTX *cctx = NULL, *sctx = NULL;
8772 SSL *clientssl = NULL, *serverssl = NULL;
8775 #ifdef OPENSSL_NO_TLS1_2
8779 #ifdef OSSL_NO_USABLE_TLS1_3
8784 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8785 TLS_client_method(),
8787 tst == 0 ? TLS1_2_VERSION
8789 &sctx, &cctx, cert, privkey)))
8793 * Test that setting a client_cert_cb results in a client certificate being
8796 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8797 SSL_CTX_set_verify(sctx,
8798 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8801 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8803 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8810 SSL_free(serverssl);
8811 SSL_free(clientssl);
8818 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8820 * Test setting certificate authorities on both client and server.
8822 * Test 0: SSL_CTX_set0_CA_list() only
8823 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8824 * Test 2: Only SSL_CTX_set_client_CA_list()
8826 static int test_ca_names_int(int prot, int tst)
8828 SSL_CTX *cctx = NULL, *sctx = NULL;
8829 SSL *clientssl = NULL, *serverssl = NULL;
8832 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8833 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8834 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8835 const STACK_OF(X509_NAME) *sktmp = NULL;
8837 for (i = 0; i < OSSL_NELEM(name); i++) {
8838 name[i] = X509_NAME_new();
8839 if (!TEST_ptr(name[i])
8840 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8848 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8849 TLS_client_method(),
8852 &sctx, &cctx, cert, privkey)))
8855 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8857 if (tst == 0 || tst == 1) {
8858 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8859 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8860 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8861 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8862 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8863 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8866 SSL_CTX_set0_CA_list(sctx, sk1);
8867 SSL_CTX_set0_CA_list(cctx, sk2);
8870 if (tst == 1 || tst == 2) {
8871 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8872 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8873 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8874 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8875 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8876 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8879 SSL_CTX_set_client_CA_list(sctx, sk1);
8880 SSL_CTX_set_client_CA_list(cctx, sk2);
8884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8886 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8891 * We only expect certificate authorities to have been sent to the server
8892 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8894 sktmp = SSL_get0_peer_CA_list(serverssl);
8895 if (prot == TLS1_3_VERSION
8896 && (tst == 0 || tst == 1)) {
8897 if (!TEST_ptr(sktmp)
8898 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8899 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8901 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8904 } else if (!TEST_ptr_null(sktmp)) {
8909 * In all tests we expect certificate authorities to have been sent to the
8910 * client. However, SSL_set_client_CA_list() should override
8911 * SSL_set0_CA_list()
8913 sktmp = SSL_get0_peer_CA_list(clientssl);
8914 if (!TEST_ptr(sktmp)
8915 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8916 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8917 name[tst == 0 ? 0 : 2]), 0)
8918 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8919 name[tst == 0 ? 1 : 3]), 0))
8925 SSL_free(serverssl);
8926 SSL_free(clientssl);
8929 for (i = 0; i < OSSL_NELEM(name); i++)
8930 X509_NAME_free(name[i]);
8931 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8932 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8938 static int test_ca_names(int tst)
8942 #ifndef OPENSSL_NO_TLS1_2
8943 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8945 #ifndef OSSL_NO_USABLE_TLS1_3
8946 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8952 #ifndef OPENSSL_NO_TLS1_2
8953 static const char *multiblock_cipherlist_data[]=
8961 /* Reduce the fragment size - so the multiblock test buffer can be small */
8962 # define MULTIBLOCK_FRAGSIZE 512
8964 static int test_multiblock_write(int test_index)
8966 static const char *fetchable_ciphers[]=
8968 "AES-128-CBC-HMAC-SHA1",
8969 "AES-128-CBC-HMAC-SHA256",
8970 "AES-256-CBC-HMAC-SHA1",
8971 "AES-256-CBC-HMAC-SHA256"
8973 const char *cipherlist = multiblock_cipherlist_data[test_index];
8974 const SSL_METHOD *smeth = TLS_server_method();
8975 const SSL_METHOD *cmeth = TLS_client_method();
8976 int min_version = TLS1_VERSION;
8977 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8978 SSL_CTX *cctx = NULL, *sctx = NULL;
8979 SSL *clientssl = NULL, *serverssl = NULL;
8983 * Choose a buffer large enough to perform a multi-block operation
8984 * i.e: write_len >= 4 * frag_size
8985 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8987 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8988 unsigned char buf[sizeof(msg)], *p = buf;
8989 size_t readbytes, written, len;
8990 EVP_CIPHER *ciph = NULL;
8993 * Check if the cipher exists before attempting to use it since it only has
8994 * a hardware specific implementation.
8996 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8998 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9001 EVP_CIPHER_free(ciph);
9003 /* Set up a buffer with some data that will be sent to the client */
9004 RAND_bytes(msg, sizeof(msg));
9006 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9007 max_version, &sctx, &cctx, cert,
9011 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9018 /* settings to force it to use AES-CBC-HMAC_SHA */
9019 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9020 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9023 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9026 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9027 || !TEST_size_t_eq(written, sizeof(msg)))
9032 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9037 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9042 SSL_free(serverssl);
9043 SSL_free(clientssl);
9049 #endif /* OPENSSL_NO_TLS1_2 */
9051 static int test_session_timeout(int test)
9054 * Test session ordering and timeout
9055 * Can't explicitly test performance of the new code,
9056 * but can test to see if the ordering of the sessions
9057 * are correct, and they are removed as expected
9059 SSL_SESSION *early = NULL;
9060 SSL_SESSION *middle = NULL;
9061 SSL_SESSION *late = NULL;
9064 long now = (long)time(NULL);
9067 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9068 || !TEST_ptr(early = SSL_SESSION_new())
9069 || !TEST_ptr(middle = SSL_SESSION_new())
9070 || !TEST_ptr(late = SSL_SESSION_new()))
9073 /* assign unique session ids */
9074 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9075 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9076 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9077 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9078 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9079 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9081 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9082 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9083 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9086 /* Make sure they are all added */
9087 if (!TEST_ptr(early->prev)
9088 || !TEST_ptr(middle->prev)
9089 || !TEST_ptr(late->prev))
9092 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9093 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9094 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9097 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9098 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9099 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9102 /* Make sure they are all still there */
9103 if (!TEST_ptr(early->prev)
9104 || !TEST_ptr(middle->prev)
9105 || !TEST_ptr(late->prev))
9108 /* Make sure they are in the expected order */
9109 if (!TEST_ptr_eq(late->next, middle)
9110 || !TEST_ptr_eq(middle->next, early)
9111 || !TEST_ptr_eq(early->prev, middle)
9112 || !TEST_ptr_eq(middle->prev, late))
9115 /* This should remove "early" */
9116 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9117 if (!TEST_ptr_null(early->prev)
9118 || !TEST_ptr(middle->prev)
9119 || !TEST_ptr(late->prev))
9122 /* This should remove "middle" */
9123 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9124 if (!TEST_ptr_null(early->prev)
9125 || !TEST_ptr_null(middle->prev)
9126 || !TEST_ptr(late->prev))
9129 /* This should remove "late" */
9130 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9131 if (!TEST_ptr_null(early->prev)
9132 || !TEST_ptr_null(middle->prev)
9133 || !TEST_ptr_null(late->prev))
9136 /* Add them back in again */
9137 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9138 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9139 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9142 /* Make sure they are all added */
9143 if (!TEST_ptr(early->prev)
9144 || !TEST_ptr(middle->prev)
9145 || !TEST_ptr(late->prev))
9148 /* This should remove all of them */
9149 SSL_CTX_flush_sessions(ctx, 0);
9150 if (!TEST_ptr_null(early->prev)
9151 || !TEST_ptr_null(middle->prev)
9152 || !TEST_ptr_null(late->prev))
9155 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9156 | SSL_CTX_get_session_cache_mode(ctx));
9158 /* make sure |now| is NOT equal to the current time */
9160 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9161 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9162 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9168 SSL_SESSION_free(early);
9169 SSL_SESSION_free(middle);
9170 SSL_SESSION_free(late);
9175 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9176 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9177 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9178 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9179 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9180 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9181 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9182 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9183 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9184 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9186 static int test_servername(int tst)
9188 SSL_CTX *cctx = NULL, *sctx = NULL;
9189 SSL *clientssl = NULL, *serverssl = NULL;
9191 SSL_SESSION *sess = NULL;
9192 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9194 #ifdef OPENSSL_NO_TLS1_2
9198 #ifdef OSSL_NO_USABLE_TLS1_3
9203 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9204 TLS_client_method(),
9206 (tst <= 4) ? TLS1_2_VERSION
9208 &sctx, &cctx, cert, privkey))
9209 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9213 if (tst != 1 && tst != 6) {
9214 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9219 if (tst != 3 && tst != 8) {
9220 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9222 sexpectedhost = cexpectedhost = "goodhost";
9225 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9228 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9230 || !TEST_str_eq(SSL_get_servername(serverssl,
9231 TLSEXT_NAMETYPE_host_name),
9235 /* Now repeat with a resumption handshake */
9237 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9238 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9239 || !TEST_true(SSL_SESSION_is_resumable(sess))
9240 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9243 SSL_free(clientssl);
9244 SSL_free(serverssl);
9245 clientssl = serverssl = NULL;
9247 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9251 if (!TEST_true(SSL_set_session(clientssl, sess)))
9254 sexpectedhost = cexpectedhost = "goodhost";
9255 if (tst == 2 || tst == 7) {
9256 /* Set an inconsistent hostname */
9257 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9260 * In TLSv1.2 we expect the hostname from the original handshake, in
9261 * TLSv1.3 we expect the hostname from this handshake
9264 sexpectedhost = cexpectedhost = "altgoodhost";
9266 if (!TEST_str_eq(SSL_get_servername(clientssl,
9267 TLSEXT_NAMETYPE_host_name),
9270 } else if (tst == 4 || tst == 9) {
9272 * A TLSv1.3 session does not associate a session with a servername,
9273 * but a TLSv1.2 session does.
9276 sexpectedhost = cexpectedhost = NULL;
9278 if (!TEST_str_eq(SSL_get_servername(clientssl,
9279 TLSEXT_NAMETYPE_host_name),
9283 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9286 * In a TLSv1.2 resumption where the hostname was not acknowledged
9287 * we expect the hostname on the server to be empty. On the client we
9288 * return what was requested in this case.
9290 * Similarly if the client didn't set a hostname on an original TLSv1.2
9291 * session but is now, the server hostname will be empty, but the client
9294 if (tst == 1 || tst == 3)
9295 sexpectedhost = NULL;
9297 if (!TEST_str_eq(SSL_get_servername(clientssl,
9298 TLSEXT_NAMETYPE_host_name),
9303 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9306 if (!TEST_true(SSL_session_reused(clientssl))
9307 || !TEST_true(SSL_session_reused(serverssl))
9308 || !TEST_str_eq(SSL_get_servername(clientssl,
9309 TLSEXT_NAMETYPE_host_name),
9311 || !TEST_str_eq(SSL_get_servername(serverssl,
9312 TLSEXT_NAMETYPE_host_name),
9319 SSL_SESSION_free(sess);
9320 SSL_free(serverssl);
9321 SSL_free(clientssl);
9328 #if !defined(OPENSSL_NO_EC) \
9329 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9331 * Test that if signature algorithms are not available, then we do not offer or
9333 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9334 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9335 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9336 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9337 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9338 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9340 static int test_sigalgs_available(int idx)
9342 SSL_CTX *cctx = NULL, *sctx = NULL;
9343 SSL *clientssl = NULL, *serverssl = NULL;
9345 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9346 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9347 OSSL_PROVIDER *filterprov = NULL;
9350 if (!TEST_ptr(tmpctx))
9353 if (idx != 0 && idx != 3) {
9354 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9355 filter_provider_init)))
9358 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9359 if (!TEST_ptr(filterprov))
9364 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9365 * or accepted for the peer that uses this libctx. Note that libssl
9366 * *requires* SHA2-256 to be available so we cannot disable that. We
9367 * also need SHA1 for our certificate.
9369 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9373 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9375 # ifdef OPENSSL_NO_ECX
9376 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9378 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9385 if (idx == 1 || idx == 4)
9391 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9392 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9393 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9397 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9398 TLS_client_method(),
9401 &sctx, &cctx, cert, privkey)))
9404 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9405 TLS_client_method(),
9408 &sctx, &cctx, cert2, privkey2)))
9412 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9414 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9415 "ECDHE-RSA-AES128-GCM-SHA256")))
9418 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9419 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9424 if (!SSL_CTX_set1_sigalgs_list(cctx,
9425 "rsa_pss_rsae_sha384"
9426 ":rsa_pss_rsae_sha256")
9427 || !SSL_CTX_set1_sigalgs_list(sctx,
9428 "rsa_pss_rsae_sha384"
9429 ":rsa_pss_rsae_sha256"))
9432 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9433 || !SSL_CTX_set1_sigalgs_list(sctx,
9434 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9439 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9440 SSL_FILETYPE_PEM), 1)
9441 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9443 SSL_FILETYPE_PEM), 1)
9444 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9447 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9451 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9454 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9455 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9457 (idx == 0 || idx == 3) ? 2 : 1))
9460 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9463 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9467 testresult = filter_provider_check_clean_finish();
9470 SSL_free(serverssl);
9471 SSL_free(clientssl);
9474 OSSL_PROVIDER_unload(filterprov);
9475 OSSL_LIB_CTX_free(tmpctx);
9480 * !defined(OPENSSL_NO_EC) \
9481 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9484 #ifndef OPENSSL_NO_TLS1_3
9485 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9486 static int test_pluggable_group(int idx)
9488 SSL_CTX *cctx = NULL, *sctx = NULL;
9489 SSL *clientssl = NULL, *serverssl = NULL;
9491 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9492 /* Check that we are not impacted by a provider without any groups */
9493 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9494 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9496 if (!TEST_ptr(tlsprov))
9499 if (legacyprov == NULL) {
9501 * In this case we assume we've been built with "no-legacy" and skip
9502 * this test (there is no OPENSSL_NO_LEGACY)
9508 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9509 TLS_client_method(),
9512 &sctx, &cctx, cert, privkey))
9513 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9517 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9518 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9521 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9524 if (!TEST_str_eq(group_name,
9525 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9528 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9529 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9535 SSL_free(serverssl);
9536 SSL_free(clientssl);
9539 OSSL_PROVIDER_unload(tlsprov);
9540 OSSL_PROVIDER_unload(legacyprov);
9546 * This function triggers encode, decode and sign functions
9547 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9548 * creating private key and certificate files for use in TLS testing.
9550 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9552 EVP_PKEY_CTX * evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9553 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9554 EVP_PKEY *pkey = NULL;
9555 X509 *x509 = X509_new();
9556 X509_NAME *name = NULL;
9557 BIO *keybio = NULL, *certbio = NULL;
9560 if (!TEST_ptr(evpctx)
9561 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9562 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9565 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9566 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9567 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9568 || !TEST_true(X509_set_pubkey(x509, pkey))
9569 || !TEST_ptr(name = X509_get_subject_name(x509))
9570 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9571 (unsigned char *)"CH", -1, -1, 0))
9572 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9573 (unsigned char *)"test.org", -1, -1, 0))
9574 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9575 (unsigned char *)"localhost", -1, -1, 0))
9576 || !TEST_true(X509_set_issuer_name(x509, name))
9577 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9578 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9579 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9580 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9581 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9584 EVP_PKEY_free(pkey);
9586 EVP_PKEY_CTX_free(evpctx);
9593 * Test that signature algorithms loaded via the provider interface can
9594 * correctly establish a TLS (1.3) connection.
9595 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9596 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
9597 * Test 2: Test 0 using RPK
9598 * Test 3: Test 1 using RPK
9600 static int test_pluggable_signature(int idx)
9602 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
9603 SSL_CTX *cctx = NULL, *sctx = NULL;
9604 SSL *clientssl = NULL, *serverssl = NULL;
9606 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9607 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9608 char *certfilename = "tls-prov-cert.pem";
9609 char *privkeyfilename = "tls-prov-key.pem";
9610 int sigidx = idx % 2;
9611 int rpkidx = idx / 2;
9613 /* create key and certificate for the different algorithm types */
9614 if (!TEST_ptr(tlsprov)
9615 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
9618 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9619 TLS_client_method(),
9622 &sctx, &cctx, certfilename, privkeyfilename))
9623 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9627 /* Enable RPK for server cert */
9629 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
9630 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
9634 /* This is necessary to pass minimal setup w/o other groups configured */
9635 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9636 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9640 * If this connection gets established, it must have been completed
9641 * via the tls-provider-implemented "hmacsig" algorithm, testing
9642 * both sign and verify functions during handshake.
9644 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9647 /* If using RPK, make sure we got one */
9648 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
9654 SSL_free(serverssl);
9655 SSL_free(clientssl);
9658 OSSL_PROVIDER_unload(tlsprov);
9659 OSSL_PROVIDER_unload(defaultprov);
9665 #ifndef OPENSSL_NO_TLS1_2
9666 static int test_ssl_dup(void)
9668 SSL_CTX *cctx = NULL, *sctx = NULL;
9669 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9671 BIO *rbio = NULL, *wbio = NULL;
9673 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9674 TLS_client_method(),
9677 &sctx, &cctx, cert, privkey)))
9680 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9684 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9685 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9688 client2ssl = SSL_dup(clientssl);
9689 rbio = SSL_get_rbio(clientssl);
9691 || !TEST_true(BIO_up_ref(rbio)))
9693 SSL_set0_rbio(client2ssl, rbio);
9696 wbio = SSL_get_wbio(clientssl);
9697 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9699 SSL_set0_wbio(client2ssl, wbio);
9702 if (!TEST_ptr(client2ssl)
9703 /* Handshake not started so pointers should be different */
9704 || !TEST_ptr_ne(clientssl, client2ssl))
9707 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9708 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9711 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9714 SSL_free(clientssl);
9715 clientssl = SSL_dup(client2ssl);
9716 if (!TEST_ptr(clientssl)
9717 /* Handshake has finished so pointers should be the same */
9718 || !TEST_ptr_eq(clientssl, client2ssl))
9724 SSL_free(serverssl);
9725 SSL_free(clientssl);
9726 SSL_free(client2ssl);
9733 # ifndef OPENSSL_NO_DH
9735 static EVP_PKEY *tmp_dh_params = NULL;
9737 /* Helper function for the test_set_tmp_dh() tests */
9738 static EVP_PKEY *get_tmp_dh_params(void)
9740 if (tmp_dh_params == NULL) {
9742 OSSL_PARAM_BLD *tmpl = NULL;
9743 EVP_PKEY_CTX *pctx = NULL;
9744 OSSL_PARAM *params = NULL;
9745 EVP_PKEY *dhpkey = NULL;
9747 p = BN_get_rfc3526_prime_2048(NULL);
9751 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9753 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9756 tmpl = OSSL_PARAM_BLD_new();
9758 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9759 OSSL_PKEY_PARAM_FFC_P,
9761 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9762 OSSL_PKEY_PARAM_FFC_G,
9766 params = OSSL_PARAM_BLD_to_param(tmpl);
9767 if (!TEST_ptr(params)
9768 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9769 EVP_PKEY_KEY_PARAMETERS,
9773 tmp_dh_params = dhpkey;
9776 EVP_PKEY_CTX_free(pctx);
9777 OSSL_PARAM_BLD_free(tmpl);
9778 OSSL_PARAM_free(params);
9781 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9784 return tmp_dh_params;
9787 # ifndef OPENSSL_NO_DEPRECATED_3_0
9788 /* Callback used by test_set_tmp_dh() */
9789 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9791 EVP_PKEY *dhpkey = get_tmp_dh_params();
9794 if (!TEST_ptr(dhpkey))
9798 * libssl does not free the returned DH, so we free it now knowing that even
9799 * after we free dhpkey, there will still be a reference to the owning
9800 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9801 * of time we need it for.
9803 ret = EVP_PKEY_get1_DH(dhpkey);
9806 EVP_PKEY_free(dhpkey);
9813 * Test the various methods for setting temporary DH parameters
9815 * Test 0: Default (no auto) setting
9816 * Test 1: Explicit SSL_CTX auto off
9817 * Test 2: Explicit SSL auto off
9818 * Test 3: Explicit SSL_CTX auto on
9819 * Test 4: Explicit SSL auto on
9820 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9821 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9823 * The following are testing deprecated APIs, so we only run them if available
9824 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9825 * Test 8: Explicit SSL auto off, custom DH params via DH
9826 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9827 * Test 10: Explicit SSL auto off, custom DH params via callback
9829 static int test_set_tmp_dh(int idx)
9831 SSL_CTX *cctx = NULL, *sctx = NULL;
9832 SSL *clientssl = NULL, *serverssl = NULL;
9834 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9835 int expected = (idx <= 2) ? 0 : 1;
9836 EVP_PKEY *dhpkey = NULL;
9837 # ifndef OPENSSL_NO_DEPRECATED_3_0
9845 if (idx >= 5 && idx <= 8) {
9846 dhpkey = get_tmp_dh_params();
9847 if (!TEST_ptr(dhpkey))
9850 # ifndef OPENSSL_NO_DEPRECATED_3_0
9851 if (idx == 7 || idx == 8) {
9852 dh = EVP_PKEY_get1_DH(dhpkey);
9858 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9859 TLS_client_method(),
9862 &sctx, &cctx, cert, privkey)))
9865 if ((idx & 1) == 1) {
9866 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9871 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9875 # ifndef OPENSSL_NO_DEPRECATED_3_0
9876 else if (idx == 7) {
9877 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9879 } else if (idx == 9) {
9880 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9888 if ((idx & 1) == 0 && idx != 0) {
9889 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9893 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9897 # ifndef OPENSSL_NO_DEPRECATED_3_0
9898 else if (idx == 8) {
9899 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9901 } else if (idx == 10) {
9902 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9906 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9907 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9908 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9912 * If autoon then we should succeed. Otherwise we expect failure because
9913 * there are no parameters
9915 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9916 SSL_ERROR_NONE), expected))
9922 # ifndef OPENSSL_NO_DEPRECATED_3_0
9925 SSL_free(serverssl);
9926 SSL_free(clientssl);
9929 EVP_PKEY_free(dhpkey);
9935 * Test the auto DH keys are appropriately sized
9937 static int test_dh_auto(int idx)
9939 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9940 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9941 SSL *clientssl = NULL, *serverssl = NULL;
9943 EVP_PKEY *tmpkey = NULL;
9944 char *thiscert = NULL, *thiskey = NULL;
9945 size_t expdhsize = 0;
9946 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9948 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9953 /* The FIPS provider doesn't support this DH size - so we ignore it */
9958 thiscert = cert1024;
9959 thiskey = privkey1024;
9961 SSL_CTX_set_security_level(sctx, 1);
9962 SSL_CTX_set_security_level(cctx, 1);
9965 /* 2048 bit prime */
9971 thiscert = cert3072;
9972 thiskey = privkey3072;
9976 thiscert = cert4096;
9977 thiskey = privkey4096;
9981 thiscert = cert8192;
9982 thiskey = privkey8192;
9985 /* No certificate cases */
9987 /* The FIPS provider doesn't support this DH size - so we ignore it */
9992 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9996 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10000 TEST_error("Invalid text index");
10004 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10008 &sctx, &cctx, thiscert, thiskey)))
10011 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10015 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10016 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10017 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10018 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10019 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10023 * Send the server's first flight. At this point the server has created the
10024 * temporary DH key but hasn't finished using it yet. Once used it is
10025 * removed, so we cannot test it.
10027 if (!TEST_int_le(SSL_connect(clientssl), 0)
10028 || !TEST_int_le(SSL_accept(serverssl), 0))
10031 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10033 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10036 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10042 SSL_free(serverssl);
10043 SSL_free(clientssl);
10044 SSL_CTX_free(sctx);
10045 SSL_CTX_free(cctx);
10046 EVP_PKEY_free(tmpkey);
10051 # endif /* OPENSSL_NO_DH */
10052 #endif /* OPENSSL_NO_TLS1_2 */
10054 #ifndef OSSL_NO_USABLE_TLS1_3
10056 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10057 * that it works even without a certificate configured for the original
10060 static int test_sni_tls13(void)
10062 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10063 SSL *clientssl = NULL, *serverssl = NULL;
10064 int testresult = 0;
10066 /* Reset callback counter */
10069 /* Create an initial SSL_CTX with no certificate configured */
10070 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10071 if (!TEST_ptr(sctx))
10073 /* Require TLSv1.3 as a minimum */
10074 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10075 TLS_client_method(), TLS1_3_VERSION, 0,
10076 &sctx2, &cctx, cert, privkey)))
10080 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10081 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10085 * Connection should still succeed because the final SSL_CTX has the right
10086 * certificates configured.
10088 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10089 &clientssl, NULL, NULL))
10090 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10094 /* We should have had the SNI callback called exactly once */
10095 if (!TEST_int_eq(snicb, 1))
10101 SSL_free(serverssl);
10102 SSL_free(clientssl);
10103 SSL_CTX_free(sctx2);
10104 SSL_CTX_free(sctx);
10105 SSL_CTX_free(cctx);
10110 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10114 static int test_ticket_lifetime(int idx)
10116 SSL_CTX *cctx = NULL, *sctx = NULL;
10117 SSL *clientssl = NULL, *serverssl = NULL;
10118 int testresult = 0;
10119 int version = TLS1_3_VERSION;
10121 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10122 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10125 #ifdef OPENSSL_NO_TLS1_2
10126 return TEST_skip("TLS 1.2 is disabled.");
10128 version = TLS1_2_VERSION;
10132 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10133 TLS_client_method(), version, version,
10134 &sctx, &cctx, cert, privkey)))
10137 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10138 &clientssl, NULL, NULL)))
10142 * Set the timeout to be more than 1 week
10143 * make sure the returned value is the default
10145 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10146 SSL_get_default_timeout(serverssl)))
10149 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10153 /* TLSv1.2 uses the set value */
10154 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10157 /* TLSv1.3 uses the limited value */
10158 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10164 SSL_free(serverssl);
10165 SSL_free(clientssl);
10166 SSL_CTX_free(sctx);
10167 SSL_CTX_free(cctx);
10172 * Test that setting an ALPN does not violate RFC
10174 static int test_set_alpn(void)
10176 SSL_CTX *ctx = NULL;
10178 int testresult = 0;
10180 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10181 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10182 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10183 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10184 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10185 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10187 /* Create an initial SSL_CTX with no certificate configured */
10188 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10189 if (!TEST_ptr(ctx))
10192 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10193 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10195 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10197 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10199 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10201 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10203 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10205 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10207 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10209 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10212 ssl = SSL_new(ctx);
10213 if (!TEST_ptr(ssl))
10216 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10218 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10220 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10222 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10224 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10226 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10228 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10230 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10232 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10244 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10246 static int test_set_verify_cert_store_ssl_ctx(void)
10248 SSL_CTX *ctx = NULL;
10249 int testresult = 0;
10250 X509_STORE *store = NULL, *new_store = NULL,
10251 *cstore = NULL, *new_cstore = NULL;
10253 /* Create an initial SSL_CTX. */
10254 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10255 if (!TEST_ptr(ctx))
10258 /* Retrieve verify store pointer. */
10259 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10262 /* Retrieve chain store pointer. */
10263 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10266 /* We haven't set any yet, so this should be NULL. */
10267 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10270 /* Create stores. We use separate stores so pointers are different. */
10271 new_store = X509_STORE_new();
10272 if (!TEST_ptr(new_store))
10275 new_cstore = X509_STORE_new();
10276 if (!TEST_ptr(new_cstore))
10280 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10283 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10286 /* Should be able to retrieve the same pointer. */
10287 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10290 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10293 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10296 /* Should be able to unset again. */
10297 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10300 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10303 /* Should now be NULL. */
10304 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10307 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10310 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10316 X509_STORE_free(new_store);
10317 X509_STORE_free(new_cstore);
10323 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10325 static int test_set_verify_cert_store_ssl(void)
10327 SSL_CTX *ctx = NULL;
10329 int testresult = 0;
10330 X509_STORE *store = NULL, *new_store = NULL,
10331 *cstore = NULL, *new_cstore = NULL;
10333 /* Create an initial SSL_CTX. */
10334 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10335 if (!TEST_ptr(ctx))
10338 /* Create an SSL object. */
10339 ssl = SSL_new(ctx);
10340 if (!TEST_ptr(ssl))
10343 /* Retrieve verify store pointer. */
10344 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10347 /* Retrieve chain store pointer. */
10348 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10351 /* We haven't set any yet, so this should be NULL. */
10352 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10355 /* Create stores. We use separate stores so pointers are different. */
10356 new_store = X509_STORE_new();
10357 if (!TEST_ptr(new_store))
10360 new_cstore = X509_STORE_new();
10361 if (!TEST_ptr(new_cstore))
10365 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10368 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10371 /* Should be able to retrieve the same pointer. */
10372 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10375 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10378 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10381 /* Should be able to unset again. */
10382 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10385 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10388 /* Should now be NULL. */
10389 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10392 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10395 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10401 X509_STORE_free(new_store);
10402 X509_STORE_free(new_cstore);
10409 static int test_inherit_verify_param(void)
10411 int testresult = 0;
10413 SSL_CTX *ctx = NULL;
10414 X509_VERIFY_PARAM *cp = NULL;
10416 X509_VERIFY_PARAM *sp = NULL;
10417 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10419 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10420 if (!TEST_ptr(ctx))
10423 cp = SSL_CTX_get0_param(ctx);
10426 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10429 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10431 ssl = SSL_new(ctx);
10432 if (!TEST_ptr(ssl))
10435 sp = SSL_get0_param(ssl);
10438 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10450 static int test_load_dhfile(void)
10452 #ifndef OPENSSL_NO_DH
10453 int testresult = 0;
10455 SSL_CTX *ctx = NULL;
10456 SSL_CONF_CTX *cctx = NULL;
10458 if (dhfile == NULL)
10461 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10462 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10465 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10466 SSL_CONF_CTX_set_flags(cctx,
10467 SSL_CONF_FLAG_CERTIFICATE
10468 | SSL_CONF_FLAG_SERVER
10469 | SSL_CONF_FLAG_FILE);
10471 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10476 SSL_CONF_CTX_free(cctx);
10481 return TEST_skip("DH not supported by this build");
10485 #ifndef OSSL_NO_USABLE_TLS1_3
10486 /* Test that read_ahead works across a key change */
10487 static int test_read_ahead_key_change(void)
10489 SSL_CTX *cctx = NULL, *sctx = NULL;
10490 SSL *clientssl = NULL, *serverssl = NULL;
10491 int testresult = 0;
10492 char *msg = "Hello World";
10493 size_t written, readbytes;
10497 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10498 TLS_client_method(), TLS1_3_VERSION, 0,
10499 &sctx, &cctx, cert, privkey)))
10502 SSL_CTX_set_read_ahead(sctx, 1);
10504 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10505 &clientssl, NULL, NULL)))
10508 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10511 /* Write some data, send a key update, write more data */
10512 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10513 || !TEST_size_t_eq(written, strlen(msg)))
10516 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10519 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10520 || !TEST_size_t_eq(written, strlen(msg)))
10524 * Since read_ahead is on the first read below should read the record with
10525 * the first app data, the second record with the key update message, and
10526 * the third record with the app data all in one go. We should be able to
10527 * still process the read_ahead data correctly even though it crosses
10530 for (i = 0; i < 2; i++) {
10531 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10535 buf[readbytes] = '\0';
10536 if (!TEST_str_eq(buf, msg))
10543 SSL_free(serverssl);
10544 SSL_free(clientssl);
10545 SSL_CTX_free(sctx);
10546 SSL_CTX_free(cctx);
10550 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10554 switch ((*called)++) {
10556 /* Add some padding to first record */
10559 /* Maximally pad the second record */
10560 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10563 * Exceeding the maximum padding should be fine. It should just pad to
10564 * the maximum anyway
10566 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10569 * Very large padding should also be ok. Should just pad to the maximum
10579 * Test that setting record padding in TLSv1.3 works as expected
10580 * Test 0: Record padding callback on the SSL_CTX
10581 * Test 1: Record padding callback on the SSL
10582 * Test 2: Record block padding on the SSL_CTX
10583 * Test 3: Record block padding on the SSL
10585 static int test_tls13_record_padding(int idx)
10587 SSL_CTX *cctx = NULL, *sctx = NULL;
10588 SSL *clientssl = NULL, *serverssl = NULL;
10589 int testresult = 0;
10590 char *msg = "Hello World";
10591 size_t written, readbytes;
10596 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10597 TLS_client_method(), TLS1_3_VERSION, 0,
10598 &sctx, &cctx, cert, privkey)))
10602 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10603 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10604 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10606 } else if (idx == 2) {
10607 /* Exceeding the max plain length should fail */
10608 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10609 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10611 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10615 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10616 &clientssl, NULL, NULL)))
10620 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10621 SSL_set_record_padding_callback_arg(clientssl, &called);
10622 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10624 } else if (idx == 3) {
10625 /* Exceeding the max plain length should fail */
10626 if (!TEST_false(SSL_set_block_padding(clientssl,
10627 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10629 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10633 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10638 * Write some data, then check we can read it. Do this four times to check
10639 * we can continue to write and read padded data after the initial record
10640 * padding has been added. We don't actually check that the padding has
10641 * been applied to the record - just that we can continue to communicate
10642 * normally and that the callback has been called (if appropriate).
10644 for (i = 0; i < 4; i++) {
10645 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10646 || !TEST_size_t_eq(written, strlen(msg)))
10649 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10651 || !TEST_size_t_eq(written, readbytes))
10654 buf[readbytes] = '\0';
10655 if (!TEST_str_eq(buf, msg))
10659 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10664 SSL_free(serverssl);
10665 SSL_free(clientssl);
10666 SSL_CTX_free(sctx);
10667 SSL_CTX_free(cctx);
10670 #endif /* OSSL_NO_USABLE_TLS1_3 */
10672 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10674 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10675 * support this yet. The only pipeline capable cipher that we have is in the
10676 * dasync engine (providers don't support this yet), so we have to use
10677 * deprecated APIs for this test.
10679 * Test 0: Client has pipelining enabled, server does not
10680 * Test 1: Server has pipelining enabled, client does not
10681 * Test 2: Client has pipelining enabled, server does not: not enough data to
10682 * fill all the pipelines
10683 * Test 3: Client has pipelining enabled, server does not: not enough data to
10684 * fill all the pipelines by more than a full pipeline's worth
10685 * Test 4: Client has pipelining enabled, server does not: more data than all
10686 * the available pipelines can take
10687 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10689 static int test_pipelining(int idx)
10691 SSL_CTX *cctx = NULL, *sctx = NULL;
10692 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10693 int testresult = 0, numreads;
10694 /* A 55 byte message */
10695 unsigned char *msg = (unsigned char *)
10696 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10697 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10698 size_t expectedreads;
10699 unsigned char *buf = NULL;
10702 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10705 if (!TEST_true(ENGINE_init(e))) {
10710 if (!TEST_true(ENGINE_register_ciphers(e)))
10713 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10714 TLS_client_method(), 0,
10715 TLS1_2_VERSION, &sctx, &cctx, cert,
10719 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10720 &clientssl, NULL, NULL)))
10723 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10726 /* peera is always configured for pipelining, while peerb is not. */
10738 /* Maximum allowed fragment size */
10739 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10740 msglen = fragsize * numpipes;
10741 msg = OPENSSL_malloc(msglen);
10742 if (!TEST_ptr(msg))
10744 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10746 } else if (idx == 4) {
10752 msglen -= 2; /* Send 2 less bytes */
10754 msglen -= 12; /* Send 12 less bytes */
10756 buf = OPENSSL_malloc(msglen);
10757 if (!TEST_ptr(buf))
10762 * Test that setting a split send fragment longer than the maximum
10765 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10770 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10771 * (50 bytes in total). This is a ridiculously small number of bytes -
10772 * but sufficient for our purposes
10774 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10775 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10778 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10781 /* Write some data from peera to peerb */
10782 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10783 || !TEST_size_t_eq(written, msglen))
10787 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10788 * have been used - except in test 3 where only |numpipes - 1| pipelines
10789 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10790 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10791 * expect this to be read in |numpipes| or |numpipes - 1| separate
10792 * SSL_read_ex calls. In the case of test 4, there is then one additional
10793 * read for left over data that couldn't fit in the previous pipelines
10795 for (offset = 0, numreads = 0;
10797 offset += readbytes, numreads++) {
10798 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10799 msglen - offset, &readbytes)))
10803 expectedreads = idx == 4 ? numpipes + 1
10804 : (idx == 3 ? numpipes - 1 : numpipes);
10805 if (!TEST_mem_eq(msg, msglen, buf, offset)
10806 || !TEST_int_eq(numreads, expectedreads))
10810 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10811 * chunks to exercise the read pipelining code on peera.
10813 for (offset = 0; offset < msglen; offset += fragsize) {
10814 size_t sendlen = msglen - offset;
10816 if (sendlen > fragsize)
10817 sendlen = fragsize;
10818 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10819 || !TEST_size_t_eq(written, sendlen))
10824 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10825 * separate chunks (depending on which test we are running). If the
10826 * pipelining is working then we expect peera to read up to numpipes chunks
10827 * and process them in parallel, giving back the complete result in a single
10828 * call to SSL_read_ex
10830 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10831 || !TEST_size_t_le(readbytes, msglen))
10837 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10838 msglen - readbytes, &readbytes2)))
10840 readbytes += readbytes2;
10841 if (!TEST_size_t_le(readbytes, msglen))
10845 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10850 SSL_free(serverssl);
10851 SSL_free(clientssl);
10852 SSL_CTX_free(sctx);
10853 SSL_CTX_free(cctx);
10854 ENGINE_unregister_ciphers(e);
10858 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
10862 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10864 static int check_version_string(SSL *s, int version)
10866 const char *verstr = NULL;
10875 case TLS1_1_VERSION:
10876 verstr = "TLSv1.1";
10878 case TLS1_2_VERSION:
10879 verstr = "TLSv1.2";
10881 case TLS1_3_VERSION:
10882 verstr = "TLSv1.3";
10884 case DTLS1_VERSION:
10887 case DTLS1_2_VERSION:
10888 verstr = "DTLSv1.2";
10891 return TEST_str_eq(verstr, SSL_get_version(s));
10895 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
10896 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
10897 * test_version() in quicapitest.c which does the same thing for QUIC
10900 static int test_version(int idx)
10902 SSL_CTX *cctx = NULL, *sctx = NULL;
10903 SSL *clientssl = NULL, *serverssl = NULL;
10904 int testresult = 0, version;
10905 const SSL_METHOD *servmeth = TLS_server_method();
10906 const SSL_METHOD *clientmeth = TLS_client_method();
10909 #if !defined(OPENSSL_NO_SSL3)
10911 version = SSL3_VERSION;
10914 #if !defined(OPENSSL_NO_TLS1)
10916 version = TLS1_VERSION;
10919 #if !defined(OPENSSL_NO_TLS1_2)
10921 version = TLS1_2_VERSION;
10924 #if !defined(OSSL_NO_USABLE_TLS1_3)
10926 version = TLS1_3_VERSION;
10929 #if !defined(OPENSSL_NO_DTLS1)
10931 version = DTLS1_VERSION;
10934 #if !defined(OPENSSL_NO_DTLS1_2)
10936 version = DTLS1_2_VERSION;
10940 * NB we do not support QUIC in this test. That is covered by quicapitest.c
10941 * We also don't support DTLS1_BAD_VER since we have no server support for
10945 TEST_skip("Unsupported protocol version");
10950 && (version == SSL3_VERSION
10951 || version == TLS1_VERSION
10952 || version == DTLS1_VERSION)) {
10953 TEST_skip("Protocol version not supported with FIPS");
10957 #if !defined(OPENSSL_NO_DTLS)
10958 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
10959 servmeth = DTLS_server_method();
10960 clientmeth = DTLS_client_method();
10964 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
10965 version, &sctx, &cctx, cert, privkey)))
10968 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
10969 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
10970 "DEFAULT:@SECLEVEL=0")))
10973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10974 &clientssl, NULL, NULL)))
10977 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10980 if (!TEST_int_eq(SSL_version(serverssl), version)
10981 || !TEST_int_eq(SSL_version(clientssl), version)
10982 || !TEST_true(check_version_string(serverssl, version))
10983 || !TEST_true(check_version_string(clientssl, version)))
10986 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
10987 if (!TEST_true(SSL_is_dtls(serverssl))
10988 || !TEST_true(SSL_is_dtls(clientssl))
10989 || !TEST_false(SSL_is_tls(serverssl))
10990 || !TEST_false(SSL_is_tls(clientssl))
10991 || !TEST_false(SSL_is_quic(serverssl))
10992 || !TEST_false(SSL_is_quic(clientssl)))
10995 if (!TEST_true(SSL_is_tls(serverssl))
10996 || !TEST_true(SSL_is_tls(clientssl))
10997 || !TEST_false(SSL_is_dtls(serverssl))
10998 || !TEST_false(SSL_is_dtls(clientssl))
10999 || !TEST_false(SSL_is_quic(serverssl))
11000 || !TEST_false(SSL_is_quic(clientssl)))
11006 SSL_free(serverssl);
11007 SSL_free(clientssl);
11008 SSL_CTX_free(sctx);
11009 SSL_CTX_free(cctx);
11014 * Test that the SSL_rstate_string*() APIs return sane results
11016 static int test_rstate_string(void)
11018 SSL_CTX *cctx = NULL, *sctx = NULL;
11019 SSL *clientssl = NULL, *serverssl = NULL;
11020 int testresult = 0, version;
11021 const SSL_METHOD *servmeth = TLS_server_method();
11022 const SSL_METHOD *clientmeth = TLS_client_method();
11023 size_t written, readbytes;
11024 unsigned char buf[2];
11025 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11026 SSL3_RT_APPLICATION_DATA,
11027 TLS1_2_VERSION_MAJOR,
11028 0, /* To be filled in later */
11033 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11034 0, &sctx, &cctx, cert, privkey)))
11037 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11038 &clientssl, NULL, NULL)))
11041 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11042 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11045 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11048 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11049 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11052 /* Fill in the correct version for the record header */
11053 version = SSL_version(serverssl);
11054 if (version == TLS1_3_VERSION)
11055 version = TLS1_2_VERSION;
11056 dummyheader[2] = version & 0xff;
11059 * Send a dummy header. If we continued to read the body as well this
11060 * would fail with a bad record mac, but we're not going to go that far.
11062 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11063 sizeof(dummyheader), &written))
11064 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11067 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11070 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11071 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11076 SSL_free(serverssl);
11077 SSL_free(clientssl);
11078 SSL_CTX_free(sctx);
11079 SSL_CTX_free(cctx);
11084 * Force a write retry during handshaking. We test various combinations of
11085 * scenarios. We test a large certificate message which will fill the buffering
11086 * BIO used in the handshake. We try with client auth on and off. Finally we
11087 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11088 * to indicate retry via -1 - but sometimes BIOs don't do that.
11090 * Test 0: Standard certificate message
11091 * Test 1: Large certificate message
11092 * Test 2: Standard cert, verify peer
11093 * Test 3: Large cert, verify peer
11094 * Test 4: Standard cert, BIO returns 0 on retry
11095 * Test 5: Large cert, BIO returns 0 on retry
11096 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11097 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11098 * Test 8-15: Repeat of above with TLSv1.2
11100 static int test_handshake_retry(int idx)
11102 SSL_CTX *cctx = NULL, *sctx = NULL;
11103 SSL *clientssl = NULL, *serverssl = NULL;
11104 int testresult = 0;
11105 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11106 int maxversion = 0;
11108 if (!TEST_ptr(bretry))
11111 #ifndef OPENSSL_NO_TLS1_2
11112 if ((idx & 8) == 8)
11113 maxversion = TLS1_2_VERSION;
11115 if ((idx & 8) == 8)
11116 return TEST_skip("No TLSv1.2");
11119 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11120 TLS_client_method(), 0, maxversion,
11121 &sctx, &cctx, cert, privkey)))
11125 * Add a large amount of data to fill the buffering BIO used by the SSL
11128 if ((idx & 1) == 1 && !add_large_cert_chain(sctx))
11132 * We don't actually configure a client cert, but neither do we fail if one
11135 if ((idx & 2) == 2)
11136 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11138 if ((idx & 4) == 4)
11139 set_always_retry_err_val(0);
11141 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11142 &clientssl, NULL, NULL)))
11145 tmp = SSL_get_wbio(serverssl);
11146 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11150 SSL_set0_wbio(serverssl, bretry);
11153 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11156 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11157 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11160 /* Restore a BIO that will let the write succeed */
11161 SSL_set0_wbio(serverssl, tmp);
11164 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11169 SSL_free(serverssl);
11170 SSL_free(clientssl);
11171 SSL_CTX_free(sctx);
11172 SSL_CTX_free(cctx);
11175 set_always_retry_err_val(-1);
11179 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
11181 int setup_tests(void)
11186 libctx = OSSL_LIB_CTX_new();
11187 if (!TEST_ptr(libctx))
11190 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11193 * Verify that the default and fips providers in the default libctx are not
11196 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11197 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11200 if (!test_skip_common_options()) {
11201 TEST_error("Error parsing test options\n");
11205 if (!TEST_ptr(certsdir = test_get_argument(0))
11206 || !TEST_ptr(srpvfile = test_get_argument(1))
11207 || !TEST_ptr(tmpfilename = test_get_argument(2))
11208 || !TEST_ptr(modulename = test_get_argument(3))
11209 || !TEST_ptr(configfile = test_get_argument(4))
11210 || !TEST_ptr(dhfile = test_get_argument(5)))
11213 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
11216 /* Check we have the expected provider available */
11217 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11220 /* Check the default provider is not available */
11221 if (strcmp(modulename, "default") != 0
11222 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
11225 if (strcmp(modulename, "fips") == 0) {
11226 OSSL_PROVIDER *prov = NULL;
11227 OSSL_PARAM params[2];
11231 prov = OSSL_PROVIDER_load(libctx, "fips");
11232 if (prov != NULL) {
11233 /* Query the fips provider to check if the check ems option is enabled */
11235 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
11237 params[1] = OSSL_PARAM_construct_end();
11238 OSSL_PROVIDER_get_params(prov, params);
11239 OSSL_PROVIDER_unload(prov);
11244 * We add, but don't load the test "tls-provider". We'll load it when we
11247 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11248 tls_provider_init)))
11252 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11253 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
11254 TEST_error("not supported in this build");
11257 int i, mcount, rcount, fcount;
11259 for (i = 0; i < 4; i++)
11260 test_export_key_mat(i);
11261 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11262 test_printf_stdout("malloc %d realloc %d free %d\n",
11263 mcount, rcount, fcount);
11268 cert = test_mk_file_path(certsdir, "servercert.pem");
11272 privkey = test_mk_file_path(certsdir, "serverkey.pem");
11273 if (privkey == NULL)
11276 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11280 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11281 if (privkey2 == NULL)
11284 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11285 if (cert1024 == NULL)
11288 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11289 if (privkey1024 == NULL)
11292 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11293 if (cert3072 == NULL)
11296 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11297 if (privkey3072 == NULL)
11300 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11301 if (cert4096 == NULL)
11304 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11305 if (privkey4096 == NULL)
11308 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11309 if (cert8192 == NULL)
11312 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11313 if (privkey8192 == NULL)
11316 if (fips_ems_check) {
11317 #ifndef OPENSSL_NO_TLS1_2
11318 ADD_TEST(test_no_ems);
11322 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
11323 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
11324 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
11325 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
11328 ADD_TEST(test_large_message_tls);
11329 ADD_TEST(test_large_message_tls_read_ahead);
11330 #ifndef OPENSSL_NO_DTLS
11331 ADD_TEST(test_large_message_dtls);
11333 ADD_ALL_TESTS(test_large_app_data, 28);
11334 ADD_TEST(test_cleanse_plaintext);
11335 #ifndef OPENSSL_NO_OCSP
11336 ADD_TEST(test_tlsext_status_type);
11338 ADD_TEST(test_session_with_only_int_cache);
11339 ADD_TEST(test_session_with_only_ext_cache);
11340 ADD_TEST(test_session_with_both_cache);
11341 ADD_TEST(test_session_wo_ca_names);
11342 #ifndef OSSL_NO_USABLE_TLS1_3
11343 ADD_ALL_TESTS(test_stateful_tickets, 3);
11344 ADD_ALL_TESTS(test_stateless_tickets, 3);
11345 ADD_TEST(test_psk_tickets);
11346 ADD_ALL_TESTS(test_extra_tickets, 6);
11348 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
11349 ADD_TEST(test_ssl_bio_pop_next_bio);
11350 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11351 ADD_TEST(test_ssl_bio_change_rbio);
11352 ADD_TEST(test_ssl_bio_change_wbio);
11353 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
11354 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
11355 ADD_TEST(test_keylog);
11357 #ifndef OSSL_NO_USABLE_TLS1_3
11358 ADD_TEST(test_keylog_no_master_key);
11360 ADD_TEST(test_client_cert_verify_cb);
11361 ADD_TEST(test_ssl_build_cert_chain);
11362 ADD_TEST(test_ssl_ctx_build_cert_chain);
11363 #ifndef OPENSSL_NO_TLS1_2
11364 ADD_TEST(test_client_hello_cb);
11365 ADD_TEST(test_no_ems);
11366 ADD_TEST(test_ccs_change_cipher);
11368 #ifndef OSSL_NO_USABLE_TLS1_3
11369 ADD_ALL_TESTS(test_early_data_read_write, 6);
11371 * We don't do replay tests for external PSK. Replay protection isn't used
11372 * in that scenario.
11374 ADD_ALL_TESTS(test_early_data_replay, 2);
11375 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11376 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11377 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11378 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
11379 ADD_ALL_TESTS(test_early_data_not_sent, 3);
11380 ADD_ALL_TESTS(test_early_data_psk, 8);
11381 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
11382 ADD_ALL_TESTS(test_early_data_not_expected, 3);
11383 # ifndef OPENSSL_NO_TLS1_2
11384 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
11387 #ifndef OSSL_NO_USABLE_TLS1_3
11388 ADD_ALL_TESTS(test_set_ciphersuite, 10);
11389 ADD_TEST(test_ciphersuite_change);
11390 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11391 # ifdef OPENSSL_NO_PSK
11392 ADD_ALL_TESTS(test_tls13_psk, 1);
11394 ADD_ALL_TESTS(test_tls13_psk, 4);
11395 # endif /* OPENSSL_NO_PSK */
11396 # ifndef OPENSSL_NO_TLS1_2
11397 /* Test with both TLSv1.3 and 1.2 versions */
11398 ADD_ALL_TESTS(test_key_exchange, 14);
11399 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11400 ADD_ALL_TESTS(test_negotiated_group,
11401 4 * (OSSL_NELEM(ecdhe_kexch_groups)
11402 + OSSL_NELEM(ffdhe_kexch_groups)));
11405 /* Test with only TLSv1.3 versions */
11406 ADD_ALL_TESTS(test_key_exchange, 12);
11408 ADD_ALL_TESTS(test_custom_exts, 6);
11409 ADD_TEST(test_stateless);
11410 ADD_TEST(test_pha_key_update);
11412 ADD_ALL_TESTS(test_custom_exts, 3);
11414 ADD_ALL_TESTS(test_export_key_mat, 6);
11415 #ifndef OSSL_NO_USABLE_TLS1_3
11416 ADD_ALL_TESTS(test_export_key_mat_early, 3);
11417 ADD_TEST(test_key_update);
11418 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11419 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11420 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11421 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
11423 ADD_ALL_TESTS(test_ssl_clear, 2);
11424 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
11425 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11426 ADD_ALL_TESTS(test_srp, 6);
11428 #if !defined(OPENSSL_NO_COMP_ALG)
11429 /* Add compression case */
11430 ADD_ALL_TESTS(test_info_callback, 8);
11432 ADD_ALL_TESTS(test_info_callback, 6);
11434 ADD_ALL_TESTS(test_ssl_pending, 2);
11435 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
11436 ADD_ALL_TESTS(test_ticket_callbacks, 20);
11437 ADD_ALL_TESTS(test_shutdown, 7);
11438 ADD_TEST(test_async_shutdown);
11439 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
11440 ADD_ALL_TESTS(test_cert_cb, 6);
11441 ADD_ALL_TESTS(test_client_cert_cb, 2);
11442 ADD_ALL_TESTS(test_ca_names, 3);
11443 #ifndef OPENSSL_NO_TLS1_2
11444 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11446 ADD_ALL_TESTS(test_servername, 10);
11447 #if !defined(OPENSSL_NO_EC) \
11448 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
11449 ADD_ALL_TESTS(test_sigalgs_available, 6);
11451 #ifndef OPENSSL_NO_TLS1_3
11452 ADD_ALL_TESTS(test_pluggable_group, 2);
11453 ADD_ALL_TESTS(test_pluggable_signature, 4);
11455 #ifndef OPENSSL_NO_TLS1_2
11456 ADD_TEST(test_ssl_dup);
11457 # ifndef OPENSSL_NO_DH
11458 ADD_ALL_TESTS(test_set_tmp_dh, 11);
11459 ADD_ALL_TESTS(test_dh_auto, 7);
11462 #ifndef OSSL_NO_USABLE_TLS1_3
11463 ADD_TEST(test_sni_tls13);
11464 ADD_ALL_TESTS(test_ticket_lifetime, 2);
11466 ADD_TEST(test_inherit_verify_param);
11467 ADD_TEST(test_set_alpn);
11468 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11469 ADD_TEST(test_set_verify_cert_store_ssl);
11470 ADD_ALL_TESTS(test_session_timeout, 1);
11471 ADD_TEST(test_load_dhfile);
11472 #ifndef OSSL_NO_USABLE_TLS1_3
11473 ADD_TEST(test_read_ahead_key_change);
11474 ADD_ALL_TESTS(test_tls13_record_padding, 4);
11476 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11477 ADD_ALL_TESTS(test_serverinfo_custom, 4);
11479 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11480 ADD_ALL_TESTS(test_pipelining, 6);
11482 ADD_ALL_TESTS(test_version, 6);
11483 ADD_TEST(test_rstate_string);
11484 ADD_ALL_TESTS(test_handshake_retry, 16);
11488 OPENSSL_free(cert);
11489 OPENSSL_free(privkey);
11490 OPENSSL_free(cert2);
11491 OPENSSL_free(privkey2);
11495 void cleanup_tests(void)
11497 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
11498 EVP_PKEY_free(tmp_dh_params);
11500 OPENSSL_free(cert);
11501 OPENSSL_free(privkey);
11502 OPENSSL_free(cert2);
11503 OPENSSL_free(privkey2);
11504 OPENSSL_free(cert1024);
11505 OPENSSL_free(privkey1024);
11506 OPENSSL_free(cert3072);
11507 OPENSSL_free(privkey3072);
11508 OPENSSL_free(cert4096);
11509 OPENSSL_free(privkey4096);
11510 OPENSSL_free(cert8192);
11511 OPENSSL_free(privkey8192);
11512 bio_s_mempacket_test_free();
11513 bio_s_always_retry_free();
11514 OSSL_PROVIDER_unload(defctxnull);
11515 OSSL_LIB_CTX_free(libctx);
projects / openssl.git / blob