2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
35 #include "helpers/ssltestlib.h"
37 #include "testutil/output.h"
38 #include "internal/nelem.h"
39 #include "internal/ktls.h"
40 #include "../ssl/ssl_local.h"
42 #undef OSSL_NO_USABLE_TLS1_3
43 #if defined(OPENSSL_NO_TLS1_3) \
44 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
46 * If we don't have ec or dh then there are no built-in groups that are usable
49 # define OSSL_NO_USABLE_TLS1_3
52 /* Defined in filterprov.c */
53 OSSL_provider_init_fn filter_provider_init;
54 int filter_provider_set_filter(int operation, const char *name);
56 /* Defined in tls-provider.c */
57 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
58 const OSSL_DISPATCH *in,
59 const OSSL_DISPATCH **out,
62 static OSSL_LIB_CTX *libctx = NULL;
63 static OSSL_PROVIDER *defctxnull = NULL;
65 #ifndef OSSL_NO_USABLE_TLS1_3
67 static SSL_SESSION *clientpsk = NULL;
68 static SSL_SESSION *serverpsk = NULL;
69 static const char *pskid = "Identity";
70 static const char *srvid;
72 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
73 size_t *idlen, SSL_SESSION **sess);
74 static int find_session_cb(SSL *ssl, const unsigned char *identity,
75 size_t identity_len, SSL_SESSION **sess);
77 static int use_session_cb_cnt = 0;
78 static int find_session_cb_cnt = 0;
80 static SSL_SESSION *create_a_psk(SSL *ssl);
83 static char *certsdir = NULL;
84 static char *cert = NULL;
85 static char *privkey = NULL;
86 static char *cert2 = NULL;
87 static char *privkey2 = NULL;
88 static char *cert1024 = NULL;
89 static char *privkey1024 = NULL;
90 static char *cert3072 = NULL;
91 static char *privkey3072 = NULL;
92 static char *cert4096 = NULL;
93 static char *privkey4096 = NULL;
94 static char *cert8192 = NULL;
95 static char *privkey8192 = NULL;
96 static char *srpvfile = NULL;
97 static char *tmpfilename = NULL;
99 static int is_fips = 0;
101 #define LOG_BUFFER_SIZE 2048
102 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
103 static size_t server_log_buffer_index = 0;
104 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105 static size_t client_log_buffer_index = 0;
106 static int error_writing_log = 0;
108 #ifndef OPENSSL_NO_OCSP
109 static const unsigned char orespder[] = "Dummy OCSP Response";
110 static int ocsp_server_called = 0;
111 static int ocsp_client_called = 0;
113 static int cdummyarg = 1;
114 static X509 *ocspcert = NULL;
117 #define NUM_EXTRA_CERTS 40
118 #define CLIENT_VERSION_LEN 2
121 * This structure is used to validate that the correct number of log messages
122 * of various types are emitted when emitting secret logs.
124 struct sslapitest_log_counts {
125 unsigned int rsa_key_exchange_count;
126 unsigned int master_secret_count;
127 unsigned int client_early_secret_count;
128 unsigned int client_handshake_secret_count;
129 unsigned int server_handshake_secret_count;
130 unsigned int client_application_secret_count;
131 unsigned int server_application_secret_count;
132 unsigned int early_exporter_secret_count;
133 unsigned int exporter_secret_count;
137 static unsigned char serverinfov1[] = {
138 0xff, 0xff, /* Dummy extension type */
139 0x00, 0x01, /* Extension length is 1 byte */
140 0xff /* Dummy extension data */
143 static unsigned char serverinfov2[] = {
145 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
146 0xff, 0xff, /* Dummy extension type */
147 0x00, 0x01, /* Extension length is 1 byte */
148 0xff /* Dummy extension data */
151 static int hostname_cb(SSL *s, int *al, void *arg)
153 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
155 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
156 || strcmp(hostname, "altgoodhost") == 0))
157 return SSL_TLSEXT_ERR_OK;
159 return SSL_TLSEXT_ERR_NOACK;
162 static void client_keylog_callback(const SSL *ssl, const char *line)
164 int line_length = strlen(line);
166 /* If the log doesn't fit, error out. */
167 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
168 TEST_info("Client log too full");
169 error_writing_log = 1;
173 strcat(client_log_buffer, line);
174 client_log_buffer_index += line_length;
175 client_log_buffer[client_log_buffer_index++] = '\n';
178 static void server_keylog_callback(const SSL *ssl, const char *line)
180 int line_length = strlen(line);
182 /* If the log doesn't fit, error out. */
183 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
184 TEST_info("Server log too full");
185 error_writing_log = 1;
189 strcat(server_log_buffer, line);
190 server_log_buffer_index += line_length;
191 server_log_buffer[server_log_buffer_index++] = '\n';
194 static int compare_hex_encoded_buffer(const char *hex_encoded,
202 if (!TEST_size_t_eq(raw_length * 2, hex_length))
205 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
206 sprintf(hexed, "%02x", raw[i]);
207 if (!TEST_int_eq(hexed[0], hex_encoded[j])
208 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
215 static int test_keylog_output(char *buffer, const SSL *ssl,
216 const SSL_SESSION *session,
217 struct sslapitest_log_counts *expected)
220 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
221 size_t client_random_size = SSL3_RANDOM_SIZE;
222 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
223 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
224 unsigned int rsa_key_exchange_count = 0;
225 unsigned int master_secret_count = 0;
226 unsigned int client_early_secret_count = 0;
227 unsigned int client_handshake_secret_count = 0;
228 unsigned int server_handshake_secret_count = 0;
229 unsigned int client_application_secret_count = 0;
230 unsigned int server_application_secret_count = 0;
231 unsigned int early_exporter_secret_count = 0;
232 unsigned int exporter_secret_count = 0;
234 for (token = strtok(buffer, " \n"); token != NULL;
235 token = strtok(NULL, " \n")) {
236 if (strcmp(token, "RSA") == 0) {
238 * Premaster secret. Tokens should be: 16 ASCII bytes of
239 * hex-encoded encrypted secret, then the hex-encoded pre-master
242 if (!TEST_ptr(token = strtok(NULL, " \n")))
244 if (!TEST_size_t_eq(strlen(token), 16))
246 if (!TEST_ptr(token = strtok(NULL, " \n")))
249 * We can't sensibly check the log because the premaster secret is
250 * transient, and OpenSSL doesn't keep hold of it once the master
251 * secret is generated.
253 rsa_key_exchange_count++;
254 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
256 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
257 * client random, then the hex-encoded master secret.
259 client_random_size = SSL_get_client_random(ssl,
260 actual_client_random,
262 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
265 if (!TEST_ptr(token = strtok(NULL, " \n")))
267 if (!TEST_size_t_eq(strlen(token), 64))
269 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
270 actual_client_random,
271 client_random_size)))
274 if (!TEST_ptr(token = strtok(NULL, " \n")))
276 master_key_size = SSL_SESSION_get_master_key(session,
279 if (!TEST_size_t_ne(master_key_size, 0))
281 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
285 master_secret_count++;
286 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
287 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
289 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
290 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
291 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
292 || strcmp(token, "EXPORTER_SECRET") == 0) {
294 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
295 * client random, and then the hex-encoded secret. In this case,
296 * we treat all of these secrets identically and then just
297 * distinguish between them when counting what we saw.
299 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
300 client_early_secret_count++;
301 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
302 client_handshake_secret_count++;
303 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
304 server_handshake_secret_count++;
305 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
306 client_application_secret_count++;
307 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
308 server_application_secret_count++;
309 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
310 early_exporter_secret_count++;
311 else if (strcmp(token, "EXPORTER_SECRET") == 0)
312 exporter_secret_count++;
314 client_random_size = SSL_get_client_random(ssl,
315 actual_client_random,
317 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
320 if (!TEST_ptr(token = strtok(NULL, " \n")))
322 if (!TEST_size_t_eq(strlen(token), 64))
324 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
325 actual_client_random,
326 client_random_size)))
329 if (!TEST_ptr(token = strtok(NULL, " \n")))
333 * TODO(TLS1.3): test that application traffic secrets are what
336 TEST_info("Unexpected token %s\n", token);
341 /* Got what we expected? */
342 if (!TEST_size_t_eq(rsa_key_exchange_count,
343 expected->rsa_key_exchange_count)
344 || !TEST_size_t_eq(master_secret_count,
345 expected->master_secret_count)
346 || !TEST_size_t_eq(client_early_secret_count,
347 expected->client_early_secret_count)
348 || !TEST_size_t_eq(client_handshake_secret_count,
349 expected->client_handshake_secret_count)
350 || !TEST_size_t_eq(server_handshake_secret_count,
351 expected->server_handshake_secret_count)
352 || !TEST_size_t_eq(client_application_secret_count,
353 expected->client_application_secret_count)
354 || !TEST_size_t_eq(server_application_secret_count,
355 expected->server_application_secret_count)
356 || !TEST_size_t_eq(early_exporter_secret_count,
357 expected->early_exporter_secret_count)
358 || !TEST_size_t_eq(exporter_secret_count,
359 expected->exporter_secret_count))
364 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
365 static int test_keylog(void)
367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
370 struct sslapitest_log_counts expected;
372 /* Clean up logging space */
373 memset(&expected, 0, sizeof(expected));
374 memset(client_log_buffer, 0, sizeof(client_log_buffer));
375 memset(server_log_buffer, 0, sizeof(server_log_buffer));
376 client_log_buffer_index = 0;
377 server_log_buffer_index = 0;
378 error_writing_log = 0;
380 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
383 &sctx, &cctx, cert, privkey)))
386 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
387 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
388 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
390 /* We also want to ensure that we use RSA-based key exchange. */
391 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
395 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
397 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
398 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
399 == client_keylog_callback))
401 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
402 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
403 == server_keylog_callback))
406 /* Now do a handshake and check that the logs have been written to. */
407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
408 &clientssl, NULL, NULL))
409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
411 || !TEST_false(error_writing_log)
412 || !TEST_int_gt(client_log_buffer_index, 0)
413 || !TEST_int_gt(server_log_buffer_index, 0))
417 * Now we want to test that our output data was vaguely sensible. We
418 * do that by using strtok and confirming that we have more or less the
419 * data we expect. For both client and server, we expect to see one master
420 * secret. The client should also see a RSA key exchange.
422 expected.rsa_key_exchange_count = 1;
423 expected.master_secret_count = 1;
424 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
425 SSL_get_session(clientssl), &expected)))
428 expected.rsa_key_exchange_count = 0;
429 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
430 SSL_get_session(serverssl), &expected)))
445 #ifndef OSSL_NO_USABLE_TLS1_3
446 static int test_keylog_no_master_key(void)
448 SSL_CTX *cctx = NULL, *sctx = NULL;
449 SSL *clientssl = NULL, *serverssl = NULL;
450 SSL_SESSION *sess = NULL;
452 struct sslapitest_log_counts expected;
453 unsigned char buf[1];
454 size_t readbytes, written;
456 /* Clean up logging space */
457 memset(&expected, 0, sizeof(expected));
458 memset(client_log_buffer, 0, sizeof(client_log_buffer));
459 memset(server_log_buffer, 0, sizeof(server_log_buffer));
460 client_log_buffer_index = 0;
461 server_log_buffer_index = 0;
462 error_writing_log = 0;
464 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
465 TLS_client_method(), TLS1_VERSION, 0,
466 &sctx, &cctx, cert, privkey))
467 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
468 SSL3_RT_MAX_PLAIN_LENGTH)))
471 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
472 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
475 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
476 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
477 == client_keylog_callback))
480 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
481 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
482 == server_keylog_callback))
485 /* Now do a handshake and check that the logs have been written to. */
486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
487 &clientssl, NULL, NULL))
488 || !TEST_true(create_ssl_connection(serverssl, clientssl,
490 || !TEST_false(error_writing_log))
494 * Now we want to test that our output data was vaguely sensible. For this
495 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
496 * TLSv1.3, but we do expect both client and server to emit keys.
498 expected.client_handshake_secret_count = 1;
499 expected.server_handshake_secret_count = 1;
500 expected.client_application_secret_count = 1;
501 expected.server_application_secret_count = 1;
502 expected.exporter_secret_count = 1;
503 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
504 SSL_get_session(clientssl), &expected))
505 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
506 SSL_get_session(serverssl),
510 /* Terminate old session and resume with early data. */
511 sess = SSL_get1_session(clientssl);
512 SSL_shutdown(clientssl);
513 SSL_shutdown(serverssl);
516 serverssl = clientssl = NULL;
519 memset(client_log_buffer, 0, sizeof(client_log_buffer));
520 memset(server_log_buffer, 0, sizeof(server_log_buffer));
521 client_log_buffer_index = 0;
522 server_log_buffer_index = 0;
524 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
525 &clientssl, NULL, NULL))
526 || !TEST_true(SSL_set_session(clientssl, sess))
527 /* Here writing 0 length early data is enough. */
528 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
529 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
531 SSL_READ_EARLY_DATA_ERROR)
532 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
533 SSL_EARLY_DATA_ACCEPTED)
534 || !TEST_true(create_ssl_connection(serverssl, clientssl,
536 || !TEST_true(SSL_session_reused(clientssl)))
539 /* In addition to the previous entries, expect early secrets. */
540 expected.client_early_secret_count = 1;
541 expected.early_exporter_secret_count = 1;
542 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
543 SSL_get_session(clientssl), &expected))
544 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
545 SSL_get_session(serverssl),
552 SSL_SESSION_free(sess);
562 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
564 int res = X509_verify_cert(ctx);
566 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
567 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
568 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
572 static int test_client_cert_verify_cb(void)
574 /* server key, cert, chain, and root */
575 char *skey = test_mk_file_path(certsdir, "leaf.key");
576 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
577 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
578 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
579 char *root = test_mk_file_path(certsdir, "rootCA.pem");
580 X509 *crt1 = NULL, *crt2 = NULL;
581 STACK_OF(X509) *server_chain;
582 SSL_CTX *cctx = NULL, *sctx = NULL;
583 SSL *clientssl = NULL, *serverssl = NULL;
586 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
587 TLS_client_method(), TLS1_VERSION, 0,
588 &sctx, &cctx, NULL, NULL)))
590 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
591 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
592 SSL_FILETYPE_PEM), 1)
593 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
595 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
597 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
598 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
599 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
600 &clientssl, NULL, NULL)))
603 /* attempt SSL_connect() with incomplete server chain */
604 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
605 SSL_ERROR_WANT_RETRY_VERIFY)))
608 /* application provides intermediate certs needed to verify server cert */
609 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
610 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
611 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
613 /* add certs in reverse order to demonstrate real chain building */
614 if (!TEST_true(sk_X509_push(server_chain, crt1)))
617 if (!TEST_true(sk_X509_push(server_chain, crt2)))
621 /* continue SSL_connect(), must now succeed with completed server chain */
622 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
631 SSL_shutdown(clientssl);
632 SSL_shutdown(serverssl);
647 #ifndef OPENSSL_NO_TLS1_2
648 static int full_client_hello_callback(SSL *s, int *al, void *arg)
651 const unsigned char *p;
653 /* We only configure two ciphers, but the SCSV is added automatically. */
655 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
657 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
660 const int expected_extensions[] = {
661 #ifndef OPENSSL_NO_EC
667 /* Make sure we can defer processing and get called back. */
669 return SSL_CLIENT_HELLO_RETRY;
671 len = SSL_client_hello_get0_ciphers(s, &p);
672 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
674 SSL_client_hello_get0_compression_methods(s, &p), 1)
675 || !TEST_int_eq(*p, 0))
676 return SSL_CLIENT_HELLO_ERROR;
677 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
678 return SSL_CLIENT_HELLO_ERROR;
679 if (len != OSSL_NELEM(expected_extensions) ||
680 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
681 printf("ClientHello callback expected extensions mismatch\n");
683 return SSL_CLIENT_HELLO_ERROR;
686 return SSL_CLIENT_HELLO_SUCCESS;
689 static int test_client_hello_cb(void)
691 SSL_CTX *cctx = NULL, *sctx = NULL;
692 SSL *clientssl = NULL, *serverssl = NULL;
693 int testctr = 0, testresult = 0;
695 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
696 TLS_client_method(), TLS1_VERSION, 0,
697 &sctx, &cctx, cert, privkey)))
699 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
701 /* The gimpy cipher list we configure can't do TLS 1.3. */
702 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
704 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
705 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
706 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
707 &clientssl, NULL, NULL))
708 || !TEST_false(create_ssl_connection(serverssl, clientssl,
709 SSL_ERROR_WANT_CLIENT_HELLO_CB))
711 * Passing a -1 literal is a hack since
712 * the real value was lost.
714 || !TEST_int_eq(SSL_get_error(serverssl, -1),
715 SSL_ERROR_WANT_CLIENT_HELLO_CB)
716 || !TEST_true(create_ssl_connection(serverssl, clientssl,
731 static int test_no_ems(void)
733 SSL_CTX *cctx = NULL, *sctx = NULL;
734 SSL *clientssl = NULL, *serverssl = NULL;
737 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
738 TLS1_VERSION, TLS1_2_VERSION,
739 &sctx, &cctx, cert, privkey)) {
740 printf("Unable to create SSL_CTX pair\n");
744 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
746 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
747 printf("Unable to create SSL objects\n");
751 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
752 printf("Creating SSL connection failed\n");
756 if (SSL_get_extms_support(serverssl)) {
757 printf("Server reports Extended Master Secret support\n");
761 if (SSL_get_extms_support(clientssl)) {
762 printf("Client reports Extended Master Secret support\n");
777 * Very focused test to exercise a single case in the server-side state
778 * machine, when the ChangeCipherState message needs to actually change
779 * from one cipher to a different cipher (i.e., not changing from null
780 * encryption to real encryption).
782 static int test_ccs_change_cipher(void)
784 SSL_CTX *cctx = NULL, *sctx = NULL;
785 SSL *clientssl = NULL, *serverssl = NULL;
786 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
793 * Create a conection so we can resume and potentially (but not) use
794 * a different cipher in the second connection.
796 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
798 TLS1_VERSION, TLS1_2_VERSION,
799 &sctx, &cctx, cert, privkey))
800 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
801 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
803 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
804 || !TEST_true(create_ssl_connection(serverssl, clientssl,
806 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
807 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
810 shutdown_ssl_connection(serverssl, clientssl);
811 serverssl = clientssl = NULL;
813 /* Resume, preferring a different cipher. Our server will force the
814 * same cipher to be used as the initial handshake. */
815 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
817 || !TEST_true(SSL_set_session(clientssl, sess))
818 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
819 || !TEST_true(create_ssl_connection(serverssl, clientssl,
821 || !TEST_true(SSL_session_reused(clientssl))
822 || !TEST_true(SSL_session_reused(serverssl))
823 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
824 || !TEST_ptr_eq(sesspre, sesspost)
825 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
826 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
828 shutdown_ssl_connection(serverssl, clientssl);
829 serverssl = clientssl = NULL;
832 * Now create a fresh connection and try to renegotiate a different
835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
837 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
838 || !TEST_true(create_ssl_connection(serverssl, clientssl,
840 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
841 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
842 || !TEST_true(SSL_renegotiate(clientssl))
843 || !TEST_true(SSL_renegotiate_pending(clientssl)))
845 /* Actually drive the renegotiation. */
846 for (i = 0; i < 3; i++) {
847 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
848 if (!TEST_ulong_eq(readbytes, 0))
850 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
851 SSL_ERROR_WANT_READ)) {
854 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
855 if (!TEST_ulong_eq(readbytes, 0))
857 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
858 SSL_ERROR_WANT_READ)) {
862 /* sesspre and sesspost should be different since the cipher changed. */
863 if (!TEST_false(SSL_renegotiate_pending(clientssl))
864 || !TEST_false(SSL_session_reused(clientssl))
865 || !TEST_false(SSL_session_reused(serverssl))
866 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
867 || !TEST_ptr_ne(sesspre, sesspost)
868 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
869 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
872 shutdown_ssl_connection(serverssl, clientssl);
873 serverssl = clientssl = NULL;
882 SSL_SESSION_free(sess);
888 static int execute_test_large_message(const SSL_METHOD *smeth,
889 const SSL_METHOD *cmeth,
890 int min_version, int max_version,
893 SSL_CTX *cctx = NULL, *sctx = NULL;
894 SSL *clientssl = NULL, *serverssl = NULL;
898 X509 *chaincert = NULL;
901 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
904 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
907 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
912 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
913 max_version, &sctx, &cctx, cert,
919 * Test that read_ahead works correctly when dealing with large
922 SSL_CTX_set_read_ahead(cctx, 1);
926 * We assume the supplied certificate is big enough so that if we add
927 * NUM_EXTRA_CERTS it will make the overall message large enough. The
928 * default buffer size is requested to be 16k, but due to the way BUF_MEM
929 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
930 * test we need to have a message larger than that.
932 certlen = i2d_X509(chaincert, NULL);
933 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
934 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
935 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
936 if (!X509_up_ref(chaincert))
938 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
939 X509_free(chaincert);
944 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
946 || !TEST_true(create_ssl_connection(serverssl, clientssl,
951 * Calling SSL_clear() first is not required but this tests that SSL_clear()
954 if (!TEST_true(SSL_clear(serverssl)))
960 X509_free(chaincert);
969 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
970 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
971 #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
972 /* sock must be connected */
973 static int ktls_chk_platform(int sock)
975 if (!ktls_enable(sock))
980 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
982 static char count = 1;
983 unsigned char cbuf[16000] = {0};
984 unsigned char sbuf[16000];
986 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
987 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
988 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
989 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
990 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
991 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
992 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
993 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
996 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
997 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
998 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
999 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
1001 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1004 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1005 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1010 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1013 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1014 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1019 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
1020 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
1021 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
1022 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
1024 /* verify the payload */
1025 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1028 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
1029 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
1030 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
1031 crec_wseq_after, rec_seq_size))
1034 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
1035 crec_wseq_after, rec_seq_size))
1039 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
1040 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
1041 srec_wseq_after, rec_seq_size))
1044 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
1045 srec_wseq_after, rec_seq_size))
1049 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
1050 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
1051 crec_rseq_after, rec_seq_size))
1054 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
1055 crec_rseq_after, rec_seq_size))
1059 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
1060 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
1061 srec_rseq_after, rec_seq_size))
1064 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
1065 srec_rseq_after, rec_seq_size))
1074 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
1075 int sis_ktls_tx, int sis_ktls_rx,
1076 int tls_version, const char *cipher,
1079 SSL_CTX *cctx = NULL, *sctx = NULL;
1080 SSL *clientssl = NULL, *serverssl = NULL;
1084 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1087 /* Skip this test if the platform does not support ktls */
1088 if (!ktls_chk_platform(cfd))
1091 /* Create a session based on SHA-256 */
1092 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1093 TLS_client_method(),
1094 tls_version, tls_version,
1095 &sctx, &cctx, cert, privkey))
1096 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1097 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
1098 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1099 &clientssl, sfd, cfd)))
1103 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1108 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1113 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1118 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1122 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1127 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1130 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1135 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1138 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1143 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1146 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1151 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1154 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1158 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1165 SSL_shutdown(clientssl);
1166 SSL_free(clientssl);
1169 SSL_shutdown(serverssl);
1170 SSL_free(serverssl);
1174 serverssl = clientssl = NULL;
1178 #define SENDFILE_SZ (16 * 4096)
1179 #define SENDFILE_CHUNK (4 * 4096)
1180 #define min(a,b) ((a) > (b) ? (b) : (a))
1182 static int test_ktls_sendfile(int tls_version, const char *cipher)
1184 SSL_CTX *cctx = NULL, *sctx = NULL;
1185 SSL *clientssl = NULL, *serverssl = NULL;
1186 unsigned char *buf, *buf_dst;
1187 BIO *out = NULL, *in = NULL;
1188 int cfd, sfd, ffd, err;
1189 ssize_t chunk_size = 0;
1190 off_t chunk_off = 0;
1194 buf = OPENSSL_zalloc(SENDFILE_SZ);
1195 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1196 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1197 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1200 /* Skip this test if the platform does not support ktls */
1201 if (!ktls_chk_platform(sfd)) {
1206 /* Create a session based on SHA-256 */
1207 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1208 TLS_client_method(),
1209 tls_version, tls_version,
1210 &sctx, &cctx, cert, privkey))
1211 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1212 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
1213 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1214 &clientssl, sfd, cfd)))
1217 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1219 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1222 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ)))
1225 out = BIO_new_file(tmpfilename, "wb");
1229 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1234 in = BIO_new_file(tmpfilename, "rb");
1235 BIO_get_fp(in, &ffdp);
1238 while (chunk_off < SENDFILE_SZ) {
1239 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1240 while ((err = SSL_sendfile(serverssl,
1244 0)) != chunk_size) {
1245 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1248 while ((err = SSL_read(clientssl,
1249 buf_dst + chunk_off,
1250 chunk_size)) != chunk_size) {
1251 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1255 /* verify the payload */
1256 if (!TEST_mem_eq(buf_dst + chunk_off,
1262 chunk_off += chunk_size;
1268 SSL_shutdown(clientssl);
1269 SSL_free(clientssl);
1272 SSL_shutdown(serverssl);
1273 SSL_free(serverssl);
1277 serverssl = clientssl = NULL;
1281 OPENSSL_free(buf_dst);
1285 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1286 static int test_ktls(int test)
1288 int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
1289 int tlsver, testresult;
1292 #if defined(OSSL_NO_USABLE_TLS1_3)
1296 tlsver = TLS1_3_VERSION;
1299 #if defined(OPENSSL_NO_TLS1_2)
1302 tlsver = TLS1_2_VERSION;
1306 cis_ktls_tx = (test & 1) != 0;
1307 cis_ktls_rx = (test & 2) != 0;
1308 sis_ktls_tx = (test & 4) != 0;
1309 sis_ktls_rx = (test & 8) != 0;
1311 #if defined(OPENSSL_NO_KTLS_RX)
1312 if (cis_ktls_rx || sis_ktls_rx)
1315 #if !defined(OSSL_NO_USABLE_TLS1_3)
1316 if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
1321 #ifdef OPENSSL_KTLS_AES_GCM_128
1322 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1323 sis_ktls_rx, tlsver, "AES128-GCM-SHA256",
1324 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1326 #ifdef OPENSSL_KTLS_AES_CCM_128
1327 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1328 sis_ktls_rx, tlsver, "AES128-CCM",
1329 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1331 #ifdef OPENSSL_KTLS_AES_GCM_256
1332 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1333 sis_ktls_rx, tlsver, "AES256-GCM-SHA384",
1334 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1339 static int test_ktls_sendfile_anytls(int tst)
1341 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
1345 #if defined(OSSL_NO_USABLE_TLS1_3)
1349 tlsver = TLS1_3_VERSION;
1352 #if defined(OPENSSL_NO_TLS1_2)
1355 tlsver = TLS1_2_VERSION;
1359 #ifndef OPENSSL_KTLS_AES_GCM_128
1360 if(tst == 0) return 1;
1362 #ifndef OPENSSL_KTLS_AES_CCM_128
1363 if(tst == 1) return 1;
1365 #ifndef OPENSSL_KTLS_AES_GCM_256
1366 if(tst == 2) return 1;
1368 return test_ktls_sendfile(tlsver, cipher[tst]);
1374 static int test_large_message_tls(void)
1376 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1377 TLS1_VERSION, 0, 0);
1380 static int test_large_message_tls_read_ahead(void)
1382 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1383 TLS1_VERSION, 0, 1);
1386 #ifndef OPENSSL_NO_DTLS
1387 static int test_large_message_dtls(void)
1390 * read_ahead is not relevant to DTLS because DTLS always acts as if
1391 * read_ahead is set.
1393 return execute_test_large_message(DTLS_server_method(),
1394 DTLS_client_method(),
1395 DTLS1_VERSION, 0, 0);
1399 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1400 const SSL_METHOD *cmeth,
1401 int min_version, int max_version)
1404 SSL_CTX *cctx = NULL, *sctx = NULL;
1405 SSL *clientssl = NULL, *serverssl = NULL;
1410 static unsigned char cbuf[16000];
1411 static unsigned char sbuf[16000];
1413 if (!TEST_true(create_ssl_ctx_pair(libctx,
1415 min_version, max_version,
1420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1424 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1427 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1431 for (i = 0; i < sizeof(cbuf); i++) {
1435 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1438 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1441 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1445 * Since we called SSL_peek(), we know the data in the record
1446 * layer is a plaintext record. We can gather the pointer to check
1447 * for zeroization after SSL_read().
1449 rr = serverssl->rlayer.rrec;
1450 zbuf = &rr->data[rr->off];
1451 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1455 * After SSL_peek() the plaintext must still be stored in the
1458 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1461 memset(sbuf, 0, sizeof(sbuf));
1462 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1465 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1468 /* Check if rbuf is cleansed */
1469 memset(cbuf, 0, sizeof(cbuf));
1470 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1475 SSL_free(serverssl);
1476 SSL_free(clientssl);
1483 static int test_cleanse_plaintext(void)
1485 #if !defined(OPENSSL_NO_TLS1_2)
1486 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1487 TLS_client_method(),
1494 #if !defined(OSSL_NO_USABLE_TLS1_3)
1495 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1496 TLS_client_method(),
1502 #if !defined(OPENSSL_NO_DTLS)
1503 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1504 DTLS_client_method(),
1512 #ifndef OPENSSL_NO_OCSP
1513 static int ocsp_server_cb(SSL *s, void *arg)
1515 int *argi = (int *)arg;
1516 unsigned char *copy = NULL;
1517 STACK_OF(OCSP_RESPID) *ids = NULL;
1518 OCSP_RESPID *id = NULL;
1521 /* In this test we are expecting exactly 1 OCSP_RESPID */
1522 SSL_get_tlsext_status_ids(s, &ids);
1523 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1524 return SSL_TLSEXT_ERR_ALERT_FATAL;
1526 id = sk_OCSP_RESPID_value(ids, 0);
1527 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1528 return SSL_TLSEXT_ERR_ALERT_FATAL;
1529 } else if (*argi != 1) {
1530 return SSL_TLSEXT_ERR_ALERT_FATAL;
1533 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1534 return SSL_TLSEXT_ERR_ALERT_FATAL;
1536 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1537 ocsp_server_called = 1;
1538 return SSL_TLSEXT_ERR_OK;
1541 static int ocsp_client_cb(SSL *s, void *arg)
1543 int *argi = (int *)arg;
1544 const unsigned char *respderin;
1547 if (*argi != 1 && *argi != 2)
1550 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1551 if (!TEST_mem_eq(orespder, len, respderin, len))
1554 ocsp_client_called = 1;
1558 static int test_tlsext_status_type(void)
1560 SSL_CTX *cctx = NULL, *sctx = NULL;
1561 SSL *clientssl = NULL, *serverssl = NULL;
1563 STACK_OF(OCSP_RESPID) *ids = NULL;
1564 OCSP_RESPID *id = NULL;
1565 BIO *certbio = NULL;
1567 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1569 &sctx, &cctx, cert, privkey))
1572 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1575 /* First just do various checks getting and setting tlsext_status_type */
1577 clientssl = SSL_new(cctx);
1578 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1579 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1580 TLSEXT_STATUSTYPE_ocsp))
1581 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1582 TLSEXT_STATUSTYPE_ocsp))
1585 SSL_free(clientssl);
1588 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1589 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1592 clientssl = SSL_new(cctx);
1593 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1595 SSL_free(clientssl);
1599 * Now actually do a handshake and check OCSP information is exchanged and
1600 * the callbacks get called
1602 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1603 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1604 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1605 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1606 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1607 &clientssl, NULL, NULL))
1608 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1610 || !TEST_true(ocsp_client_called)
1611 || !TEST_true(ocsp_server_called))
1613 SSL_free(serverssl);
1614 SSL_free(clientssl);
1618 /* Try again but this time force the server side callback to fail */
1619 ocsp_client_called = 0;
1620 ocsp_server_called = 0;
1622 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1623 &clientssl, NULL, NULL))
1624 /* This should fail because the callback will fail */
1625 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1627 || !TEST_false(ocsp_client_called)
1628 || !TEST_false(ocsp_server_called))
1630 SSL_free(serverssl);
1631 SSL_free(clientssl);
1636 * This time we'll get the client to send an OCSP_RESPID that it will
1639 ocsp_client_called = 0;
1640 ocsp_server_called = 0;
1642 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1643 &clientssl, NULL, NULL)))
1647 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1648 * specific one. We'll use the server cert.
1650 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1651 || !TEST_ptr(id = OCSP_RESPID_new())
1652 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1653 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1654 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1655 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1656 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1659 SSL_set_tlsext_status_ids(clientssl, ids);
1660 /* Control has been transferred */
1666 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1668 || !TEST_true(ocsp_client_called)
1669 || !TEST_true(ocsp_server_called))
1675 SSL_free(serverssl);
1676 SSL_free(clientssl);
1679 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1680 OCSP_RESPID_free(id);
1682 X509_free(ocspcert);
1689 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1690 static int new_called, remove_called, get_called;
1692 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1696 * sess has been up-refed for us, but we don't actually need it so free it
1699 SSL_SESSION_free(sess);
1703 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1708 static SSL_SESSION *get_sess_val = NULL;
1710 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1715 return get_sess_val;
1718 static int execute_test_session(int maxprot, int use_int_cache,
1719 int use_ext_cache, long s_options)
1721 SSL_CTX *sctx = NULL, *cctx = NULL;
1722 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1723 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1724 # ifndef OPENSSL_NO_TLS1_1
1725 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1727 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1728 int testresult = 0, numnewsesstick = 1;
1730 new_called = remove_called = 0;
1732 /* TLSv1.3 sends 2 NewSessionTickets */
1733 if (maxprot == TLS1_3_VERSION)
1736 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1737 TLS_client_method(), TLS1_VERSION, 0,
1738 &sctx, &cctx, cert, privkey)))
1742 * Only allow the max protocol version so we can force a connection failure
1745 SSL_CTX_set_min_proto_version(cctx, maxprot);
1746 SSL_CTX_set_max_proto_version(cctx, maxprot);
1748 /* Set up session cache */
1749 if (use_ext_cache) {
1750 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1751 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1753 if (use_int_cache) {
1754 /* Also covers instance where both are set */
1755 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1757 SSL_CTX_set_session_cache_mode(cctx,
1758 SSL_SESS_CACHE_CLIENT
1759 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1763 SSL_CTX_set_options(sctx, s_options);
1766 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1768 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1770 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1773 /* Should fail because it should already be in the cache */
1774 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1777 && (!TEST_int_eq(new_called, numnewsesstick)
1779 || !TEST_int_eq(remove_called, 0)))
1782 new_called = remove_called = 0;
1783 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1784 &clientssl2, NULL, NULL))
1785 || !TEST_true(SSL_set_session(clientssl2, sess1))
1786 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1788 || !TEST_true(SSL_session_reused(clientssl2)))
1791 if (maxprot == TLS1_3_VERSION) {
1793 * In TLSv1.3 we should have created a new session even though we have
1794 * resumed. Since we attempted a resume we should also have removed the
1795 * old ticket from the cache so that we try to only use tickets once.
1798 && (!TEST_int_eq(new_called, 1)
1799 || !TEST_int_eq(remove_called, 1)))
1803 * In TLSv1.2 we expect to have resumed so no sessions added or
1807 && (!TEST_int_eq(new_called, 0)
1808 || !TEST_int_eq(remove_called, 0)))
1812 SSL_SESSION_free(sess1);
1813 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1815 shutdown_ssl_connection(serverssl2, clientssl2);
1816 serverssl2 = clientssl2 = NULL;
1818 new_called = remove_called = 0;
1819 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1820 &clientssl2, NULL, NULL))
1821 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1825 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1829 && (!TEST_int_eq(new_called, numnewsesstick)
1830 || !TEST_int_eq(remove_called, 0)))
1833 new_called = remove_called = 0;
1835 * This should clear sess2 from the cache because it is a "bad" session.
1836 * See SSL_set_session() documentation.
1838 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1841 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1843 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1846 if (use_int_cache) {
1847 /* Should succeeded because it should not already be in the cache */
1848 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1849 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1853 new_called = remove_called = 0;
1854 /* This shouldn't be in the cache so should fail */
1855 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1859 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1862 # if !defined(OPENSSL_NO_TLS1_1)
1863 new_called = remove_called = 0;
1864 /* Force a connection failure */
1865 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1866 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1867 &clientssl3, NULL, NULL))
1868 || !TEST_true(SSL_set_session(clientssl3, sess1))
1869 /* This should fail because of the mismatched protocol versions */
1870 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1874 /* We should have automatically removed the session from the cache */
1876 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1879 /* Should succeed because it should not already be in the cache */
1880 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1884 /* Now do some tests for server side caching */
1885 if (use_ext_cache) {
1886 SSL_CTX_sess_set_new_cb(cctx, NULL);
1887 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1888 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1889 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1890 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1891 get_sess_val = NULL;
1894 SSL_CTX_set_session_cache_mode(cctx, 0);
1895 /* Internal caching is the default on the server side */
1897 SSL_CTX_set_session_cache_mode(sctx,
1898 SSL_SESS_CACHE_SERVER
1899 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1901 SSL_free(serverssl1);
1902 SSL_free(clientssl1);
1903 serverssl1 = clientssl1 = NULL;
1904 SSL_free(serverssl2);
1905 SSL_free(clientssl2);
1906 serverssl2 = clientssl2 = NULL;
1907 SSL_SESSION_free(sess1);
1909 SSL_SESSION_free(sess2);
1912 SSL_CTX_set_max_proto_version(sctx, maxprot);
1913 if (maxprot == TLS1_2_VERSION)
1914 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1915 new_called = remove_called = get_called = 0;
1916 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1918 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1920 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1921 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1924 if (use_int_cache) {
1925 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1927 * In TLSv1.3 it should not have been added to the internal cache,
1928 * except in the case where we also have an external cache (in that
1929 * case it gets added to the cache in order to generate remove
1930 * events after timeout).
1932 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1935 /* Should fail because it should already be in the cache */
1936 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1941 if (use_ext_cache) {
1942 SSL_SESSION *tmp = sess2;
1944 if (!TEST_int_eq(new_called, numnewsesstick)
1945 || !TEST_int_eq(remove_called, 0)
1946 || !TEST_int_eq(get_called, 0))
1949 * Delete the session from the internal cache to force a lookup from
1950 * the external cache. We take a copy first because
1951 * SSL_CTX_remove_session() also marks the session as non-resumable.
1953 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1954 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1955 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1957 SSL_SESSION_free(sess2);
1962 new_called = remove_called = get_called = 0;
1963 get_sess_val = sess2;
1964 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1965 &clientssl2, NULL, NULL))
1966 || !TEST_true(SSL_set_session(clientssl2, sess1))
1967 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1969 || !TEST_true(SSL_session_reused(clientssl2)))
1972 if (use_ext_cache) {
1973 if (!TEST_int_eq(remove_called, 0))
1976 if (maxprot == TLS1_3_VERSION) {
1977 if (!TEST_int_eq(new_called, 1)
1978 || !TEST_int_eq(get_called, 0))
1981 if (!TEST_int_eq(new_called, 0)
1982 || !TEST_int_eq(get_called, 1))
1990 SSL_free(serverssl1);
1991 SSL_free(clientssl1);
1992 SSL_free(serverssl2);
1993 SSL_free(clientssl2);
1994 # ifndef OPENSSL_NO_TLS1_1
1995 SSL_free(serverssl3);
1996 SSL_free(clientssl3);
1998 SSL_SESSION_free(sess1);
1999 SSL_SESSION_free(sess2);
2005 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2007 static int test_session_with_only_int_cache(void)
2009 #ifndef OSSL_NO_USABLE_TLS1_3
2010 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2014 #ifndef OPENSSL_NO_TLS1_2
2015 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2021 static int test_session_with_only_ext_cache(void)
2023 #ifndef OSSL_NO_USABLE_TLS1_3
2024 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2028 #ifndef OPENSSL_NO_TLS1_2
2029 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2035 static int test_session_with_both_cache(void)
2037 #ifndef OSSL_NO_USABLE_TLS1_3
2038 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2042 #ifndef OPENSSL_NO_TLS1_2
2043 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2049 static int test_session_wo_ca_names(void)
2051 #ifndef OSSL_NO_USABLE_TLS1_3
2052 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2056 #ifndef OPENSSL_NO_TLS1_2
2057 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2064 #ifndef OSSL_NO_USABLE_TLS1_3
2065 static SSL_SESSION *sesscache[6];
2066 static int do_cache;
2068 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2071 sesscache[new_called] = sess;
2073 /* We don't need the reference to the session, so free it */
2074 SSL_SESSION_free(sess);
2081 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2083 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2084 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2087 /* Start handshake on the server and client */
2088 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2089 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2090 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2091 || !TEST_true(create_ssl_connection(sssl, cssl,
2098 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2101 int sess_id_ctx = 1;
2103 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2104 TLS_client_method(), TLS1_VERSION, 0,
2105 sctx, cctx, cert, privkey))
2106 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2107 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2108 (void *)&sess_id_ctx,
2109 sizeof(sess_id_ctx))))
2113 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2115 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2116 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2117 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2122 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2124 SSL *serverssl = NULL, *clientssl = NULL;
2127 /* Test that we can resume with all the tickets we got given */
2128 for (i = 0; i < idx * 2; i++) {
2130 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2131 &clientssl, NULL, NULL))
2132 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2135 SSL_set_post_handshake_auth(clientssl, 1);
2137 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2142 * Following a successful resumption we only get 1 ticket. After a
2143 * failed one we should get idx tickets.
2146 if (!TEST_true(SSL_session_reused(clientssl))
2147 || !TEST_int_eq(new_called, 1))
2150 if (!TEST_false(SSL_session_reused(clientssl))
2151 || !TEST_int_eq(new_called, idx))
2156 /* After a post-handshake authentication we should get 1 new ticket */
2158 && (!post_handshake_verify(serverssl, clientssl)
2159 || !TEST_int_eq(new_called, 1)))
2162 SSL_shutdown(clientssl);
2163 SSL_shutdown(serverssl);
2164 SSL_free(serverssl);
2165 SSL_free(clientssl);
2166 serverssl = clientssl = NULL;
2167 SSL_SESSION_free(sesscache[i]);
2168 sesscache[i] = NULL;
2174 SSL_free(clientssl);
2175 SSL_free(serverssl);
2179 static int test_tickets(int stateful, int idx)
2181 SSL_CTX *sctx = NULL, *cctx = NULL;
2182 SSL *serverssl = NULL, *clientssl = NULL;
2186 /* idx is the test number, but also the number of tickets we want */
2191 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2194 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2195 &clientssl, NULL, NULL)))
2198 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2200 /* Check we got the number of tickets we were expecting */
2201 || !TEST_int_eq(idx, new_called))
2204 SSL_shutdown(clientssl);
2205 SSL_shutdown(serverssl);
2206 SSL_free(serverssl);
2207 SSL_free(clientssl);
2210 clientssl = serverssl = NULL;
2214 * Now we try to resume with the tickets we previously created. The
2215 * resumption attempt is expected to fail (because we're now using a new
2216 * SSL_CTX). We should see idx number of tickets issued again.
2219 /* Stop caching sessions - just count them */
2222 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2225 if (!check_resumption(idx, sctx, cctx, 0))
2228 /* Start again with caching sessions */
2235 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2238 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2239 &clientssl, NULL, NULL)))
2242 SSL_set_post_handshake_auth(clientssl, 1);
2244 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2246 /* Check we got the number of tickets we were expecting */
2247 || !TEST_int_eq(idx, new_called))
2250 /* After a post-handshake authentication we should get new tickets issued */
2251 if (!post_handshake_verify(serverssl, clientssl)
2252 || !TEST_int_eq(idx * 2, new_called))
2255 SSL_shutdown(clientssl);
2256 SSL_shutdown(serverssl);
2257 SSL_free(serverssl);
2258 SSL_free(clientssl);
2259 serverssl = clientssl = NULL;
2261 /* Stop caching sessions - just count them */
2265 * Check we can resume with all the tickets we created. This time around the
2266 * resumptions should all be successful.
2268 if (!check_resumption(idx, sctx, cctx, 1))
2274 SSL_free(serverssl);
2275 SSL_free(clientssl);
2276 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2277 SSL_SESSION_free(sesscache[j]);
2278 sesscache[j] = NULL;
2286 static int test_stateless_tickets(int idx)
2288 return test_tickets(0, idx);
2291 static int test_stateful_tickets(int idx)
2293 return test_tickets(1, idx);
2296 static int test_psk_tickets(void)
2298 SSL_CTX *sctx = NULL, *cctx = NULL;
2299 SSL *serverssl = NULL, *clientssl = NULL;
2301 int sess_id_ctx = 1;
2303 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2304 TLS_client_method(), TLS1_VERSION, 0,
2305 &sctx, &cctx, NULL, NULL))
2306 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2307 (void *)&sess_id_ctx,
2308 sizeof(sess_id_ctx))))
2311 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2312 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2313 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2314 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2315 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2316 use_session_cb_cnt = 0;
2317 find_session_cb_cnt = 0;
2321 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2324 clientpsk = serverpsk = create_a_psk(clientssl);
2325 if (!TEST_ptr(clientpsk))
2327 SSL_SESSION_up_ref(clientpsk);
2329 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2331 || !TEST_int_eq(1, find_session_cb_cnt)
2332 || !TEST_int_eq(1, use_session_cb_cnt)
2333 /* We should always get 1 ticket when using external PSK */
2334 || !TEST_int_eq(1, new_called))
2340 SSL_free(serverssl);
2341 SSL_free(clientssl);
2344 SSL_SESSION_free(clientpsk);
2345 SSL_SESSION_free(serverpsk);
2346 clientpsk = serverpsk = NULL;
2351 static int test_extra_tickets(int idx)
2353 SSL_CTX *sctx = NULL, *cctx = NULL;
2354 SSL *serverssl = NULL, *clientssl = NULL;
2355 BIO *bretry = BIO_new(bio_s_always_retry());
2360 unsigned char c, buf[1];
2370 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2372 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2373 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2374 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2376 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2377 &clientssl, NULL, NULL)))
2381 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2382 * incremented by both client and server.
2384 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2386 /* Check we got the number of tickets we were expecting */
2387 || !TEST_int_eq(idx * 2, new_called)
2388 || !TEST_true(SSL_new_session_ticket(serverssl))
2389 || !TEST_true(SSL_new_session_ticket(serverssl))
2390 || !TEST_int_eq(idx * 2, new_called))
2393 /* Now try a (real) write to actually send the tickets */
2395 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2396 || !TEST_size_t_eq(1, nbytes)
2397 || !TEST_int_eq(idx * 2 + 2, new_called)
2398 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2399 || !TEST_int_eq(idx * 2 + 4, new_called)
2400 || !TEST_int_eq(sizeof(buf), nbytes)
2401 || !TEST_int_eq(c, buf[0])
2402 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2405 /* Try with only requesting one new ticket, too */
2408 if (!TEST_true(SSL_new_session_ticket(serverssl))
2409 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2410 || !TEST_size_t_eq(sizeof(c), nbytes)
2411 || !TEST_int_eq(1, new_called)
2412 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2413 || !TEST_int_eq(2, new_called)
2414 || !TEST_size_t_eq(sizeof(buf), nbytes)
2415 || !TEST_int_eq(c, buf[0]))
2418 /* Do it again but use dummy writes to drive the ticket generation */
2421 if (!TEST_true(SSL_new_session_ticket(serverssl))
2422 || !TEST_true(SSL_new_session_ticket(serverssl))
2423 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2424 || !TEST_size_t_eq(0, nbytes)
2425 || !TEST_int_eq(2, new_called)
2426 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2427 || !TEST_int_eq(4, new_called))
2431 * Use the always-retry BIO to exercise the logic that forces ticket
2432 * generation to wait until a record boundary.
2436 tmp = SSL_get_wbio(serverssl);
2437 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2441 SSL_set0_wbio(serverssl, bretry);
2443 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2444 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2445 || !TEST_size_t_eq(nbytes, 0))
2447 /* Restore a BIO that will let the write succeed */
2448 SSL_set0_wbio(serverssl, tmp);
2450 /* These calls should just queue the request and not send anything. */
2451 if (!TEST_true(SSL_new_session_ticket(serverssl))
2452 || !TEST_true(SSL_new_session_ticket(serverssl))
2453 || !TEST_int_eq(0, new_called))
2455 /* Re-do the write; still no tickets sent */
2456 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2457 || !TEST_size_t_eq(1, nbytes)
2458 || !TEST_int_eq(0, new_called)
2459 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2460 || !TEST_int_eq(0, new_called)
2461 || !TEST_int_eq(sizeof(buf), nbytes)
2462 || !TEST_int_eq(c, buf[0])
2463 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2465 /* Now the *next* write should send the tickets */
2467 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2468 || !TEST_size_t_eq(1, nbytes)
2469 || !TEST_int_eq(2, new_called)
2470 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2471 || !TEST_int_eq(4, new_called)
2472 || !TEST_int_eq(sizeof(buf), nbytes)
2473 || !TEST_int_eq(c, buf[0])
2474 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2477 SSL_shutdown(clientssl);
2478 SSL_shutdown(serverssl);
2484 SSL_free(serverssl);
2485 SSL_free(clientssl);
2488 clientssl = serverssl = NULL;
2497 #define USE_DEFAULT 3
2499 #define CONNTYPE_CONNECTION_SUCCESS 0
2500 #define CONNTYPE_CONNECTION_FAIL 1
2501 #define CONNTYPE_NO_CONNECTION 2
2503 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2504 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2505 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2506 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2508 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2511 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2512 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2513 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2515 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2532 * Tests calls to SSL_set_bio() under various conditions.
2534 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2535 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2536 * then do more tests where we create a successful connection first using our
2537 * standard connection setup functions, and then call SSL_set_bio() with
2538 * various combinations of valid BIOs or NULL. We then repeat these tests
2539 * following a failed connection. In this last case we are looking to check that
2540 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2542 static int test_ssl_set_bio(int idx)
2544 SSL_CTX *sctx = NULL, *cctx = NULL;
2547 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2548 SSL *serverssl = NULL, *clientssl = NULL;
2549 int initrbio, initwbio, newrbio, newwbio, conntype;
2552 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2560 conntype = CONNTYPE_NO_CONNECTION;
2562 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2563 initrbio = initwbio = USE_DEFAULT;
2571 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2572 TLS_client_method(), TLS1_VERSION, 0,
2573 &sctx, &cctx, cert, privkey)))
2576 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2578 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2579 * because we reduced the number of tests in the definition of
2580 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2581 * mismatched protocol versions we will force a connection failure.
2583 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2584 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2587 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2591 if (initrbio == USE_BIO_1
2592 || initwbio == USE_BIO_1
2593 || newrbio == USE_BIO_1
2594 || newwbio == USE_BIO_1) {
2595 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2599 if (initrbio == USE_BIO_2
2600 || initwbio == USE_BIO_2
2601 || newrbio == USE_BIO_2
2602 || newwbio == USE_BIO_2) {
2603 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2607 if (initrbio != USE_DEFAULT) {
2608 setupbio(&irbio, bio1, bio2, initrbio);
2609 setupbio(&iwbio, bio1, bio2, initwbio);
2610 SSL_set_bio(clientssl, irbio, iwbio);
2613 * We want to maintain our own refs to these BIO, so do an up ref for
2614 * each BIO that will have ownership transferred in the SSL_set_bio()
2619 if (iwbio != NULL && iwbio != irbio)
2623 if (conntype != CONNTYPE_NO_CONNECTION
2624 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2626 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2629 setupbio(&nrbio, bio1, bio2, newrbio);
2630 setupbio(&nwbio, bio1, bio2, newwbio);
2633 * We will (maybe) transfer ownership again so do more up refs.
2634 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2639 && (nwbio != iwbio || nrbio != nwbio))
2643 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2646 SSL_set_bio(clientssl, nrbio, nwbio);
2655 * This test is checking that the ref counting for SSL_set_bio is correct.
2656 * If we get here and we did too many frees then we will fail in the above
2659 SSL_free(serverssl);
2660 SSL_free(clientssl);
2666 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2668 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2670 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2675 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2676 || !TEST_ptr(ssl = SSL_new(ctx))
2677 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2678 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2681 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2684 * If anything goes wrong here then we could leak memory.
2686 BIO_push(sslbio, membio1);
2688 /* Verify changing the rbio/wbio directly does not cause leaks */
2689 if (change_bio != NO_BIO_CHANGE) {
2690 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2692 if (change_bio == CHANGE_RBIO)
2693 SSL_set0_rbio(ssl, membio2);
2695 SSL_set0_wbio(ssl, membio2);
2714 static int test_ssl_bio_pop_next_bio(void)
2716 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2719 static int test_ssl_bio_pop_ssl_bio(void)
2721 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2724 static int test_ssl_bio_change_rbio(void)
2726 return execute_test_ssl_bio(0, CHANGE_RBIO);
2729 static int test_ssl_bio_change_wbio(void)
2731 return execute_test_ssl_bio(0, CHANGE_WBIO);
2734 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2736 /* The list of sig algs */
2738 /* The length of the list */
2740 /* A sigalgs list in string format */
2741 const char *liststr;
2742 /* Whether setting the list should succeed */
2744 /* Whether creating a connection with the list should succeed */
2748 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2749 # ifndef OPENSSL_NO_EC
2750 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2751 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2753 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2754 static const int invalidlist2[] = {NID_sha256, NID_undef};
2755 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2756 static const int invalidlist4[] = {NID_sha256};
2757 static const sigalgs_list testsigalgs[] = {
2758 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2759 # ifndef OPENSSL_NO_EC
2760 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2761 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2763 {NULL, 0, "RSA+SHA256", 1, 1},
2764 # ifndef OPENSSL_NO_EC
2765 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2766 {NULL, 0, "ECDSA+SHA512", 1, 0},
2768 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2769 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2770 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2771 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2772 {NULL, 0, "RSA", 0, 0},
2773 {NULL, 0, "SHA256", 0, 0},
2774 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2775 {NULL, 0, "Invalid", 0, 0}
2778 static int test_set_sigalgs(int idx)
2780 SSL_CTX *cctx = NULL, *sctx = NULL;
2781 SSL *clientssl = NULL, *serverssl = NULL;
2783 const sigalgs_list *curr;
2786 /* Should never happen */
2787 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2790 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2791 curr = testctx ? &testsigalgs[idx]
2792 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2794 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2795 TLS_client_method(), TLS1_VERSION, 0,
2796 &sctx, &cctx, cert, privkey)))
2800 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2801 * for TLSv1.2 for now until we add a new API.
2803 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2808 if (curr->list != NULL)
2809 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2811 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2815 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2821 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2826 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2827 &clientssl, NULL, NULL)))
2833 if (curr->list != NULL)
2834 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2836 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2839 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2848 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2856 SSL_free(serverssl);
2857 SSL_free(clientssl);
2865 #ifndef OSSL_NO_USABLE_TLS1_3
2866 static int psk_client_cb_cnt = 0;
2867 static int psk_server_cb_cnt = 0;
2869 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2870 size_t *idlen, SSL_SESSION **sess)
2872 switch (++use_session_cb_cnt) {
2874 /* The first call should always have a NULL md */
2880 /* The second call should always have an md */
2886 /* We should only be called a maximum of twice */
2890 if (clientpsk != NULL)
2891 SSL_SESSION_up_ref(clientpsk);
2894 *id = (const unsigned char *)pskid;
2895 *idlen = strlen(pskid);
2900 #ifndef OPENSSL_NO_PSK
2901 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2902 unsigned int max_id_len,
2904 unsigned int max_psk_len)
2906 unsigned int psklen = 0;
2908 psk_client_cb_cnt++;
2910 if (strlen(pskid) + 1 > max_id_len)
2913 /* We should only ever be called a maximum of twice per connection */
2914 if (psk_client_cb_cnt > 2)
2917 if (clientpsk == NULL)
2920 /* We'll reuse the PSK we set up for TLSv1.3 */
2921 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2923 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2924 strncpy(id, pskid, max_id_len);
2928 #endif /* OPENSSL_NO_PSK */
2930 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2931 size_t identity_len, SSL_SESSION **sess)
2933 find_session_cb_cnt++;
2935 /* We should only ever be called a maximum of twice per connection */
2936 if (find_session_cb_cnt > 2)
2939 if (serverpsk == NULL)
2942 /* Identity should match that set by the client */
2943 if (strlen(srvid) != identity_len
2944 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2945 /* No PSK found, continue but without a PSK */
2950 SSL_SESSION_up_ref(serverpsk);
2956 #ifndef OPENSSL_NO_PSK
2957 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2958 unsigned char *psk, unsigned int max_psk_len)
2960 unsigned int psklen = 0;
2962 psk_server_cb_cnt++;
2964 /* We should only ever be called a maximum of twice per connection */
2965 if (find_session_cb_cnt > 2)
2968 if (serverpsk == NULL)
2971 /* Identity should match that set by the client */
2972 if (strcmp(srvid, identity) != 0) {
2976 /* We'll reuse the PSK we set up for TLSv1.3 */
2977 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2979 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2983 #endif /* OPENSSL_NO_PSK */
2985 #define MSG1 "Hello"
2986 #define MSG2 "World."
2991 #define MSG7 "message."
2993 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2994 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2995 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2996 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2997 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3000 static SSL_SESSION *create_a_psk(SSL *ssl)
3002 const SSL_CIPHER *cipher = NULL;
3003 const unsigned char key[] = {
3004 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3005 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3006 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3007 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3008 0x2c, 0x2d, 0x2e, 0x2f
3010 SSL_SESSION *sess = NULL;
3012 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3013 sess = SSL_SESSION_new();
3015 || !TEST_ptr(cipher)
3016 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3018 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3020 SSL_SESSION_set_protocol_version(sess,
3022 SSL_SESSION_free(sess);
3029 * Helper method to setup objects for early data test. Caller frees objects on
3032 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3033 SSL **serverssl, SSL_SESSION **sess, int idx)
3036 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3037 TLS_client_method(),
3039 sctx, cctx, cert, privkey)))
3042 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3046 /* When idx == 1 we repeat the tests with read_ahead set */
3047 SSL_CTX_set_read_ahead(*cctx, 1);
3048 SSL_CTX_set_read_ahead(*sctx, 1);
3049 } else if (idx == 2) {
3050 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3051 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3052 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3053 use_session_cb_cnt = 0;
3054 find_session_cb_cnt = 0;
3058 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3063 * For one of the run throughs (doesn't matter which one), we'll try sending
3064 * some SNI data in the initial ClientHello. This will be ignored (because
3065 * there is no SNI cb set up by the server), so it should not impact
3069 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3073 clientpsk = create_a_psk(*clientssl);
3074 if (!TEST_ptr(clientpsk)
3076 * We just choose an arbitrary value for max_early_data which
3077 * should be big enough for testing purposes.
3079 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3081 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3082 SSL_SESSION_free(clientpsk);
3086 serverpsk = clientpsk;
3089 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3090 SSL_SESSION_free(clientpsk);
3091 SSL_SESSION_free(serverpsk);
3092 clientpsk = serverpsk = NULL;
3103 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3107 *sess = SSL_get1_session(*clientssl);
3108 SSL_shutdown(*clientssl);
3109 SSL_shutdown(*serverssl);
3110 SSL_free(*serverssl);
3111 SSL_free(*clientssl);
3112 *serverssl = *clientssl = NULL;
3114 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3115 clientssl, NULL, NULL))
3116 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3122 static int test_early_data_read_write(int idx)
3124 SSL_CTX *cctx = NULL, *sctx = NULL;
3125 SSL *clientssl = NULL, *serverssl = NULL;
3127 SSL_SESSION *sess = NULL;
3128 unsigned char buf[20], data[1024];
3129 size_t readbytes, written, eoedlen, rawread, rawwritten;
3132 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3133 &serverssl, &sess, idx)))
3136 /* Write and read some early data */
3137 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3139 || !TEST_size_t_eq(written, strlen(MSG1))
3140 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3141 sizeof(buf), &readbytes),
3142 SSL_READ_EARLY_DATA_SUCCESS)
3143 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3144 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3145 SSL_EARLY_DATA_ACCEPTED))
3149 * Server should be able to write data, and client should be able to
3152 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3154 || !TEST_size_t_eq(written, strlen(MSG2))
3155 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3156 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3159 /* Even after reading normal data, client should be able write early data */
3160 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3162 || !TEST_size_t_eq(written, strlen(MSG3)))
3165 /* Server should still be able read early data after writing data */
3166 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3168 SSL_READ_EARLY_DATA_SUCCESS)
3169 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3172 /* Write more data from server and read it from client */
3173 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3175 || !TEST_size_t_eq(written, strlen(MSG4))
3176 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3177 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3181 * If client writes normal data it should mean writing early data is no
3184 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3185 || !TEST_size_t_eq(written, strlen(MSG5))
3186 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3187 SSL_EARLY_DATA_ACCEPTED))
3191 * At this point the client has written EndOfEarlyData, ClientFinished and
3192 * normal (fully protected) data. We are going to cause a delay between the
3193 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3194 * in the read BIO, and then just put back the EndOfEarlyData message.
3196 rbio = SSL_get_rbio(serverssl);
3197 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3198 || !TEST_size_t_lt(rawread, sizeof(data))
3199 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3202 /* Record length is in the 4th and 5th bytes of the record header */
3203 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3204 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3205 || !TEST_size_t_eq(rawwritten, eoedlen))
3208 /* Server should be told that there is no more early data */
3209 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3211 SSL_READ_EARLY_DATA_FINISH)
3212 || !TEST_size_t_eq(readbytes, 0))
3216 * Server has not finished init yet, so should still be able to write early
3219 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3221 || !TEST_size_t_eq(written, strlen(MSG6)))
3224 /* Push the ClientFinished and the normal data back into the server rbio */
3225 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3227 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3230 /* Server should be able to read normal data */
3231 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3232 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3235 /* Client and server should not be able to write/read early data now */
3236 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3240 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3242 SSL_READ_EARLY_DATA_ERROR))
3246 /* Client should be able to read the data sent by the server */
3247 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3248 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3252 * Make sure we process the two NewSessionTickets. These arrive
3253 * post-handshake. We attempt reads which we do not expect to return any
3256 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3257 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3261 /* Server should be able to write normal data */
3262 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3263 || !TEST_size_t_eq(written, strlen(MSG7))
3264 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3265 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3268 SSL_SESSION_free(sess);
3269 sess = SSL_get1_session(clientssl);
3270 use_session_cb_cnt = 0;
3271 find_session_cb_cnt = 0;
3273 SSL_shutdown(clientssl);
3274 SSL_shutdown(serverssl);
3275 SSL_free(serverssl);
3276 SSL_free(clientssl);
3277 serverssl = clientssl = NULL;
3278 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3279 &clientssl, NULL, NULL))
3280 || !TEST_true(SSL_set_session(clientssl, sess)))
3283 /* Write and read some early data */
3284 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3286 || !TEST_size_t_eq(written, strlen(MSG1))
3287 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3289 SSL_READ_EARLY_DATA_SUCCESS)
3290 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3293 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3294 || !TEST_int_gt(SSL_accept(serverssl), 0))
3297 /* Client and server should not be able to write/read early data now */
3298 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3302 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3304 SSL_READ_EARLY_DATA_ERROR))
3308 /* Client and server should be able to write/read normal data */
3309 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3310 || !TEST_size_t_eq(written, strlen(MSG5))
3311 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3312 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3318 SSL_SESSION_free(sess);
3319 SSL_SESSION_free(clientpsk);
3320 SSL_SESSION_free(serverpsk);
3321 clientpsk = serverpsk = NULL;
3322 SSL_free(serverssl);
3323 SSL_free(clientssl);
3329 static int allow_ed_cb_called = 0;
3331 static int allow_early_data_cb(SSL *s, void *arg)
3333 int *usecb = (int *)arg;
3335 allow_ed_cb_called++;
3344 * idx == 0: Standard early_data setup
3345 * idx == 1: early_data setup using read_ahead
3346 * usecb == 0: Don't use a custom early data callback
3347 * usecb == 1: Use a custom early data callback and reject the early data
3348 * usecb == 2: Use a custom early data callback and accept the early data
3349 * confopt == 0: Configure anti-replay directly
3350 * confopt == 1: Configure anti-replay using SSL_CONF
3352 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3354 SSL_CTX *cctx = NULL, *sctx = NULL;
3355 SSL *clientssl = NULL, *serverssl = NULL;
3357 SSL_SESSION *sess = NULL;
3358 size_t readbytes, written;
3359 unsigned char buf[20];
3361 allow_ed_cb_called = 0;
3363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3364 TLS_client_method(), TLS1_VERSION, 0,
3365 &sctx, &cctx, cert, privkey)))
3370 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3372 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3374 if (!TEST_ptr(confctx))
3376 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3377 | SSL_CONF_FLAG_SERVER);
3378 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3379 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3381 SSL_CONF_CTX_free(confctx);
3384 SSL_CONF_CTX_free(confctx);
3386 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3389 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3390 &serverssl, &sess, idx)))
3394 * The server is configured to accept early data. Create a connection to
3395 * "use up" the ticket
3397 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3398 || !TEST_true(SSL_session_reused(clientssl)))
3401 SSL_shutdown(clientssl);
3402 SSL_shutdown(serverssl);
3403 SSL_free(serverssl);
3404 SSL_free(clientssl);
3405 serverssl = clientssl = NULL;
3407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3408 &clientssl, NULL, NULL))
3409 || !TEST_true(SSL_set_session(clientssl, sess)))
3412 /* Write and read some early data */
3413 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3415 || !TEST_size_t_eq(written, strlen(MSG1)))
3419 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3421 SSL_READ_EARLY_DATA_FINISH)
3423 * The ticket was reused, so the we should have rejected the
3426 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3427 SSL_EARLY_DATA_REJECTED))
3430 /* In this case the callback decides to accept the early data */
3431 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3433 SSL_READ_EARLY_DATA_SUCCESS)
3434 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3436 * Server will have sent its flight so client can now send
3437 * end of early data and complete its half of the handshake
3439 || !TEST_int_gt(SSL_connect(clientssl), 0)
3440 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3442 SSL_READ_EARLY_DATA_FINISH)
3443 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3444 SSL_EARLY_DATA_ACCEPTED))
3448 /* Complete the connection */
3449 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3450 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3451 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3457 SSL_SESSION_free(sess);
3458 SSL_SESSION_free(clientpsk);
3459 SSL_SESSION_free(serverpsk);
3460 clientpsk = serverpsk = NULL;
3461 SSL_free(serverssl);
3462 SSL_free(clientssl);
3468 static int test_early_data_replay(int idx)
3470 int ret = 1, usecb, confopt;
3472 for (usecb = 0; usecb < 3; usecb++) {
3473 for (confopt = 0; confopt < 2; confopt++)
3474 ret &= test_early_data_replay_int(idx, usecb, confopt);
3481 * Helper function to test that a server attempting to read early data can
3482 * handle a connection from a client where the early data should be skipped.
3483 * testtype: 0 == No HRR
3484 * testtype: 1 == HRR
3485 * testtype: 2 == HRR, invalid early_data sent after HRR
3486 * testtype: 3 == recv_max_early_data set to 0
3488 static int early_data_skip_helper(int testtype, int idx)
3490 SSL_CTX *cctx = NULL, *sctx = NULL;
3491 SSL *clientssl = NULL, *serverssl = NULL;
3493 SSL_SESSION *sess = NULL;
3494 unsigned char buf[20];
3495 size_t readbytes, written;
3497 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3498 &serverssl, &sess, idx)))
3501 if (testtype == 1 || testtype == 2) {
3502 /* Force an HRR to occur */
3503 #if defined(OPENSSL_NO_EC)
3504 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3507 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3510 } else if (idx == 2) {
3512 * We force early_data rejection by ensuring the PSK identity is
3515 srvid = "Dummy Identity";
3518 * Deliberately corrupt the creation time. We take 20 seconds off the
3519 * time. It could be any value as long as it is not within tolerance.
3520 * This should mean the ticket is rejected.
3522 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3527 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3530 /* Write some early data */
3531 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3533 || !TEST_size_t_eq(written, strlen(MSG1)))
3536 /* Server should reject the early data */
3537 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3539 SSL_READ_EARLY_DATA_FINISH)
3540 || !TEST_size_t_eq(readbytes, 0)
3541 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3542 SSL_EARLY_DATA_REJECTED))
3552 * Finish off the handshake. We perform the same writes and reads as
3553 * further down but we expect them to fail due to the incomplete
3556 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3557 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3564 BIO *wbio = SSL_get_wbio(clientssl);
3565 /* A record that will appear as bad early_data */
3566 const unsigned char bad_early_data[] = {
3567 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3571 * We force the client to attempt a write. This will fail because
3572 * we're still in the handshake. It will cause the second
3573 * ClientHello to be sent.
3575 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3580 * Inject some early_data after the second ClientHello. This should
3581 * cause the server to fail
3583 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3584 sizeof(bad_early_data), &written)))
3591 * This client has sent more early_data than we are willing to skip
3592 * (case 3) or sent invalid early_data (case 2) so the connection should
3595 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3596 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3599 /* Connection has failed - nothing more to do */
3604 TEST_error("Invalid test type");
3609 * Should be able to send normal data despite rejection of early data. The
3610 * early_data should be skipped.
3612 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3613 || !TEST_size_t_eq(written, strlen(MSG2))
3614 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3615 SSL_EARLY_DATA_REJECTED)
3616 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3617 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3623 SSL_SESSION_free(clientpsk);
3624 SSL_SESSION_free(serverpsk);
3625 clientpsk = serverpsk = NULL;
3626 SSL_SESSION_free(sess);
3627 SSL_free(serverssl);
3628 SSL_free(clientssl);
3635 * Test that a server attempting to read early data can handle a connection
3636 * from a client where the early data is not acceptable.
3638 static int test_early_data_skip(int idx)
3640 return early_data_skip_helper(0, idx);
3644 * Test that a server attempting to read early data can handle a connection
3645 * from a client where an HRR occurs.
3647 static int test_early_data_skip_hrr(int idx)
3649 return early_data_skip_helper(1, idx);
3653 * Test that a server attempting to read early data can handle a connection
3654 * from a client where an HRR occurs and correctly fails if early_data is sent
3657 static int test_early_data_skip_hrr_fail(int idx)
3659 return early_data_skip_helper(2, idx);
3663 * Test that a server attempting to read early data will abort if it tries to
3664 * skip over too much.
3666 static int test_early_data_skip_abort(int idx)
3668 return early_data_skip_helper(3, idx);
3672 * Test that a server attempting to read early data can handle a connection
3673 * from a client that doesn't send any.
3675 static int test_early_data_not_sent(int idx)
3677 SSL_CTX *cctx = NULL, *sctx = NULL;
3678 SSL *clientssl = NULL, *serverssl = NULL;
3680 SSL_SESSION *sess = NULL;
3681 unsigned char buf[20];
3682 size_t readbytes, written;
3684 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3685 &serverssl, &sess, idx)))
3688 /* Write some data - should block due to handshake with server */
3689 SSL_set_connect_state(clientssl);
3690 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3693 /* Server should detect that early data has not been sent */
3694 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3696 SSL_READ_EARLY_DATA_FINISH)
3697 || !TEST_size_t_eq(readbytes, 0)
3698 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3699 SSL_EARLY_DATA_NOT_SENT)
3700 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3701 SSL_EARLY_DATA_NOT_SENT))
3704 /* Continue writing the message we started earlier */
3705 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3706 || !TEST_size_t_eq(written, strlen(MSG1))
3707 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3708 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3709 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3710 || !TEST_size_t_eq(written, strlen(MSG2)))
3713 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3714 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3720 SSL_SESSION_free(sess);
3721 SSL_SESSION_free(clientpsk);
3722 SSL_SESSION_free(serverpsk);
3723 clientpsk = serverpsk = NULL;
3724 SSL_free(serverssl);
3725 SSL_free(clientssl);
3731 static const char *servalpn;
3733 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3734 unsigned char *outlen, const unsigned char *in,
3735 unsigned int inlen, void *arg)
3737 unsigned int protlen = 0;
3738 const unsigned char *prot;
3740 for (prot = in; prot < in + inlen; prot += protlen) {
3742 if (in + inlen < prot + protlen)
3743 return SSL_TLSEXT_ERR_NOACK;
3745 if (protlen == strlen(servalpn)
3746 && memcmp(prot, servalpn, protlen) == 0) {
3749 return SSL_TLSEXT_ERR_OK;
3753 return SSL_TLSEXT_ERR_NOACK;
3756 /* Test that a PSK can be used to send early_data */
3757 static int test_early_data_psk(int idx)
3759 SSL_CTX *cctx = NULL, *sctx = NULL;
3760 SSL *clientssl = NULL, *serverssl = NULL;
3762 SSL_SESSION *sess = NULL;
3763 unsigned char alpnlist[] = {
3764 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3767 #define GOODALPNLEN 9
3768 #define BADALPNLEN 8
3769 #define GOODALPN (alpnlist)
3770 #define BADALPN (alpnlist + GOODALPNLEN)
3772 unsigned char buf[20];
3773 size_t readbytes, written;
3774 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3775 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3777 /* We always set this up with a final parameter of "2" for PSK */
3778 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3779 &serverssl, &sess, 2)))
3782 servalpn = "goodalpn";
3785 * Note: There is no test for inconsistent SNI with late client detection.
3786 * This is because servers do not acknowledge SNI even if they are using
3787 * it in a resumption handshake - so it is not actually possible for a
3788 * client to detect a problem.
3792 /* Set inconsistent SNI (early client detection) */
3793 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3794 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3795 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3800 /* Set inconsistent ALPN (early client detection) */
3801 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3802 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3803 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3805 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3812 * Set invalid protocol version. Technically this affects PSKs without
3813 * early_data too, but we test it here because it is similar to the
3814 * SNI/ALPN consistency tests.
3816 err = SSL_R_BAD_PSK;
3817 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3823 * Set inconsistent SNI (server side). In this case the connection
3824 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3825 * is associated with each handshake - not the session. Therefore it
3826 * should not matter that we used a different server name last time.
3828 SSL_SESSION_free(serverpsk);
3829 serverpsk = SSL_SESSION_dup(clientpsk);
3830 if (!TEST_ptr(serverpsk)
3831 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3835 /* Set consistent SNI */
3836 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3837 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3838 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3845 * Set inconsistent ALPN (server detected). In this case the connection
3846 * will succeed but reject early_data.
3848 servalpn = "badalpn";
3849 edstatus = SSL_EARLY_DATA_REJECTED;
3850 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3854 * Set consistent ALPN.
3855 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3856 * accepts a list of protos (each one length prefixed).
3857 * SSL_set1_alpn_selected accepts a single protocol (not length
3860 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3862 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3866 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3870 /* Set inconsistent ALPN (late client detection) */
3871 SSL_SESSION_free(serverpsk);
3872 serverpsk = SSL_SESSION_dup(clientpsk);
3873 if (!TEST_ptr(serverpsk)
3874 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3877 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3880 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3883 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3884 edstatus = SSL_EARLY_DATA_ACCEPTED;
3885 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3886 /* SSL_connect() call should fail */
3891 TEST_error("Bad test index");
3895 SSL_set_connect_state(clientssl);
3897 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3899 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3900 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3903 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3907 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3908 &readbytes), readearlyres)
3909 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3910 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3911 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3912 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3919 SSL_SESSION_free(sess);
3920 SSL_SESSION_free(clientpsk);
3921 SSL_SESSION_free(serverpsk);
3922 clientpsk = serverpsk = NULL;
3923 SSL_free(serverssl);
3924 SSL_free(clientssl);
3931 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3932 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3933 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3934 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3935 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3936 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3938 static int test_early_data_psk_with_all_ciphers(int idx)
3940 SSL_CTX *cctx = NULL, *sctx = NULL;
3941 SSL *clientssl = NULL, *serverssl = NULL;
3943 SSL_SESSION *sess = NULL;
3944 unsigned char buf[20];
3945 size_t readbytes, written;
3946 const SSL_CIPHER *cipher;
3947 const char *cipher_str[] = {
3948 TLS1_3_RFC_AES_128_GCM_SHA256,
3949 TLS1_3_RFC_AES_256_GCM_SHA384,
3950 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3951 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3955 TLS1_3_RFC_AES_128_CCM_SHA256,
3956 TLS1_3_RFC_AES_128_CCM_8_SHA256
3958 const unsigned char *cipher_bytes[] = {
3959 TLS13_AES_128_GCM_SHA256_BYTES,
3960 TLS13_AES_256_GCM_SHA384_BYTES,
3961 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3962 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3966 TLS13_AES_128_CCM_SHA256_BYTES,
3967 TLS13_AES_128_CCM_8_SHA256_BYTES
3970 if (cipher_str[idx] == NULL)
3972 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3973 if (idx == 2 && is_fips == 1)
3976 /* We always set this up with a final parameter of "2" for PSK */
3977 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3978 &serverssl, &sess, 2)))
3981 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3982 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3986 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3987 * and assigns to both client and server with incremented reference
3988 * and the same instance is updated in 'sess'.
3989 * So updating ciphersuite in 'sess' which will get reflected in
3990 * PSK handshake using psk use sess and find sess cb.
3992 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3993 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3996 SSL_set_connect_state(clientssl);
3997 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4001 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4003 SSL_READ_EARLY_DATA_SUCCESS)
4004 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4005 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4006 SSL_EARLY_DATA_ACCEPTED)
4007 || !TEST_int_eq(SSL_connect(clientssl), 1)
4008 || !TEST_int_eq(SSL_accept(serverssl), 1))
4011 /* Send some normal data from client to server */
4012 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4013 || !TEST_size_t_eq(written, strlen(MSG2)))
4016 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4017 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4022 SSL_SESSION_free(sess);
4023 SSL_SESSION_free(clientpsk);
4024 SSL_SESSION_free(serverpsk);
4025 clientpsk = serverpsk = NULL;
4026 if (clientssl != NULL)
4027 SSL_shutdown(clientssl);
4028 if (serverssl != NULL)
4029 SSL_shutdown(serverssl);
4030 SSL_free(serverssl);
4031 SSL_free(clientssl);
4038 * Test that a server that doesn't try to read early data can handle a
4039 * client sending some.
4041 static int test_early_data_not_expected(int idx)
4043 SSL_CTX *cctx = NULL, *sctx = NULL;
4044 SSL *clientssl = NULL, *serverssl = NULL;
4046 SSL_SESSION *sess = NULL;
4047 unsigned char buf[20];
4048 size_t readbytes, written;
4050 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4051 &serverssl, &sess, idx)))
4054 /* Write some early data */
4055 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4060 * Server should skip over early data and then block waiting for client to
4061 * continue handshake
4063 if (!TEST_int_le(SSL_accept(serverssl), 0)
4064 || !TEST_int_gt(SSL_connect(clientssl), 0)
4065 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4066 SSL_EARLY_DATA_REJECTED)
4067 || !TEST_int_gt(SSL_accept(serverssl), 0)
4068 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4069 SSL_EARLY_DATA_REJECTED))
4072 /* Send some normal data from client to server */
4073 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4074 || !TEST_size_t_eq(written, strlen(MSG2)))
4077 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4078 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4084 SSL_SESSION_free(sess);
4085 SSL_SESSION_free(clientpsk);
4086 SSL_SESSION_free(serverpsk);
4087 clientpsk = serverpsk = NULL;
4088 SSL_free(serverssl);
4089 SSL_free(clientssl);
4096 # ifndef OPENSSL_NO_TLS1_2
4098 * Test that a server attempting to read early data can handle a connection
4099 * from a TLSv1.2 client.
4101 static int test_early_data_tls1_2(int idx)
4103 SSL_CTX *cctx = NULL, *sctx = NULL;
4104 SSL *clientssl = NULL, *serverssl = NULL;
4106 unsigned char buf[20];
4107 size_t readbytes, written;
4109 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4110 &serverssl, NULL, idx)))
4113 /* Write some data - should block due to handshake with server */
4114 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4115 SSL_set_connect_state(clientssl);
4116 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4120 * Server should do TLSv1.2 handshake. First it will block waiting for more
4121 * messages from client after ServerDone. Then SSL_read_early_data should
4122 * finish and detect that early data has not been sent
4124 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4126 SSL_READ_EARLY_DATA_ERROR))
4130 * Continue writing the message we started earlier. Will still block waiting
4131 * for the CCS/Finished from server
4133 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4134 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4136 SSL_READ_EARLY_DATA_FINISH)
4137 || !TEST_size_t_eq(readbytes, 0)
4138 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4139 SSL_EARLY_DATA_NOT_SENT))
4142 /* Continue writing the message we started earlier */
4143 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4144 || !TEST_size_t_eq(written, strlen(MSG1))
4145 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4146 SSL_EARLY_DATA_NOT_SENT)
4147 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4148 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4149 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4150 || !TEST_size_t_eq(written, strlen(MSG2))
4151 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4152 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4158 SSL_SESSION_free(clientpsk);
4159 SSL_SESSION_free(serverpsk);
4160 clientpsk = serverpsk = NULL;
4161 SSL_free(serverssl);
4162 SSL_free(clientssl);
4168 # endif /* OPENSSL_NO_TLS1_2 */
4171 * Test configuring the TLSv1.3 ciphersuites
4173 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4174 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4175 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4176 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4177 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4178 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4179 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4180 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4181 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4182 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4184 static int test_set_ciphersuite(int idx)
4186 SSL_CTX *cctx = NULL, *sctx = NULL;
4187 SSL *clientssl = NULL, *serverssl = NULL;
4190 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4191 TLS_client_method(), TLS1_VERSION, 0,
4192 &sctx, &cctx, cert, privkey))
4193 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4194 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4197 if (idx >=4 && idx <= 7) {
4198 /* SSL_CTX explicit cipher list */
4199 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4203 if (idx == 0 || idx == 4) {
4204 /* Default ciphersuite */
4205 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4206 "TLS_AES_128_GCM_SHA256")))
4208 } else if (idx == 1 || idx == 5) {
4209 /* Non default ciphersuite */
4210 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4211 "TLS_AES_128_CCM_SHA256")))
4215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4216 &clientssl, NULL, NULL)))
4219 if (idx == 8 || idx == 9) {
4220 /* SSL explicit cipher list */
4221 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4225 if (idx == 2 || idx == 6 || idx == 8) {
4226 /* Default ciphersuite */
4227 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4228 "TLS_AES_128_GCM_SHA256")))
4230 } else if (idx == 3 || idx == 7 || idx == 9) {
4231 /* Non default ciphersuite */
4232 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4233 "TLS_AES_128_CCM_SHA256")))
4237 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4243 SSL_free(serverssl);
4244 SSL_free(clientssl);
4251 static int test_ciphersuite_change(void)
4253 SSL_CTX *cctx = NULL, *sctx = NULL;
4254 SSL *clientssl = NULL, *serverssl = NULL;
4255 SSL_SESSION *clntsess = NULL;
4257 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4259 /* Create a session based on SHA-256 */
4260 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4261 TLS_client_method(), TLS1_VERSION, 0,
4262 &sctx, &cctx, cert, privkey))
4263 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4264 "TLS_AES_128_GCM_SHA256:"
4265 "TLS_AES_256_GCM_SHA384:"
4266 "TLS_AES_128_CCM_SHA256"))
4267 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4268 "TLS_AES_128_GCM_SHA256"))
4269 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4270 &clientssl, NULL, NULL))
4271 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4275 clntsess = SSL_get1_session(clientssl);
4276 /* Save for later */
4277 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4278 SSL_shutdown(clientssl);
4279 SSL_shutdown(serverssl);
4280 SSL_free(serverssl);
4281 SSL_free(clientssl);
4282 serverssl = clientssl = NULL;
4284 /* Check we can resume a session with a different SHA-256 ciphersuite */
4285 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4286 "TLS_AES_128_CCM_SHA256"))
4287 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4288 &clientssl, NULL, NULL))
4289 || !TEST_true(SSL_set_session(clientssl, clntsess))
4290 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4292 || !TEST_true(SSL_session_reused(clientssl)))
4295 SSL_SESSION_free(clntsess);
4296 clntsess = SSL_get1_session(clientssl);
4297 SSL_shutdown(clientssl);
4298 SSL_shutdown(serverssl);
4299 SSL_free(serverssl);
4300 SSL_free(clientssl);
4301 serverssl = clientssl = NULL;
4304 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4305 * succeeds but does not resume.
4307 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4308 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4310 || !TEST_true(SSL_set_session(clientssl, clntsess))
4311 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4313 || !TEST_false(SSL_session_reused(clientssl)))
4316 SSL_SESSION_free(clntsess);
4318 SSL_shutdown(clientssl);
4319 SSL_shutdown(serverssl);
4320 SSL_free(serverssl);
4321 SSL_free(clientssl);
4322 serverssl = clientssl = NULL;
4324 /* Create a session based on SHA384 */
4325 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4326 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4327 &clientssl, NULL, NULL))
4328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4332 clntsess = SSL_get1_session(clientssl);
4333 SSL_shutdown(clientssl);
4334 SSL_shutdown(serverssl);
4335 SSL_free(serverssl);
4336 SSL_free(clientssl);
4337 serverssl = clientssl = NULL;
4339 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4340 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4341 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4342 "TLS_AES_256_GCM_SHA384"))
4343 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4345 || !TEST_true(SSL_set_session(clientssl, clntsess))
4347 * We use SSL_ERROR_WANT_READ below so that we can pause the
4348 * connection after the initial ClientHello has been sent to
4349 * enable us to make some session changes.
4351 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4352 SSL_ERROR_WANT_READ)))
4355 /* Trick the client into thinking this session is for a different digest */
4356 clntsess->cipher = aes_128_gcm_sha256;
4357 clntsess->cipher_id = clntsess->cipher->id;
4360 * Continue the previously started connection. Server has selected a SHA-384
4361 * ciphersuite, but client thinks the session is for SHA-256, so it should
4364 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4366 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4367 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4373 SSL_SESSION_free(clntsess);
4374 SSL_free(serverssl);
4375 SSL_free(clientssl);
4383 * Test TLSv1.3 Key exchange
4384 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4385 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4386 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4387 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4388 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4389 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4390 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4391 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4392 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4393 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4394 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4395 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4396 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4397 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4399 static int test_key_exchange(int idx)
4401 SSL_CTX *sctx = NULL, *cctx = NULL;
4402 SSL *serverssl = NULL, *clientssl = NULL;
4404 # ifndef OPENSSL_NO_EC
4405 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4406 NID_secp521r1, NID_X25519, NID_X448};
4408 # ifndef OPENSSL_NO_DH
4409 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4410 NID_ffdhe6144, NID_ffdhe8192};
4413 int *kexch_groups = &kexch_alg;
4414 int kexch_groups_size = 1;
4415 int max_version = TLS1_3_VERSION;
4416 char *kexch_name0 = NULL;
4419 # ifndef OPENSSL_NO_EC
4420 # ifndef OPENSSL_NO_TLS1_2
4422 max_version = TLS1_2_VERSION;
4426 kexch_groups = ecdhe_kexch_groups;
4427 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4428 kexch_name0 = "secp256r1";
4431 kexch_alg = NID_X9_62_prime256v1;
4432 kexch_name0 = "secp256r1";
4435 kexch_alg = NID_secp384r1;
4436 kexch_name0 = "secp384r1";
4439 kexch_alg = NID_secp521r1;
4440 kexch_name0 = "secp521r1";
4443 kexch_alg = NID_X25519;
4444 kexch_name0 = "x25519";
4447 kexch_alg = NID_X448;
4448 kexch_name0 = "x448";
4451 # ifndef OPENSSL_NO_DH
4452 # ifndef OPENSSL_NO_TLS1_2
4454 max_version = TLS1_2_VERSION;
4455 kexch_name0 = "ffdhe2048";
4459 kexch_groups = ffdhe_kexch_groups;
4460 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4461 kexch_name0 = "ffdhe2048";
4464 kexch_alg = NID_ffdhe2048;
4465 kexch_name0 = "ffdhe2048";
4468 kexch_alg = NID_ffdhe3072;
4469 kexch_name0 = "ffdhe3072";
4472 kexch_alg = NID_ffdhe4096;
4473 kexch_name0 = "ffdhe4096";
4476 kexch_alg = NID_ffdhe6144;
4477 kexch_name0 = "ffdhe6144";
4480 kexch_alg = NID_ffdhe8192;
4481 kexch_name0 = "ffdhe8192";
4485 /* We're skipping this test */
4489 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4490 TLS_client_method(), TLS1_VERSION,
4491 max_version, &sctx, &cctx, cert,
4495 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4496 TLS1_3_RFC_AES_128_GCM_SHA256)))
4499 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4500 TLS1_3_RFC_AES_128_GCM_SHA256)))
4503 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4504 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4508 * Must include an EC ciphersuite so that we send supported groups in
4511 # ifndef OPENSSL_NO_TLS1_2
4512 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4513 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4514 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4522 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4523 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4526 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4530 * If Handshake succeeds the negotiated kexch alg should be the first one in
4531 * configured, except in the case of FFDHE groups (idx 13), which are
4532 * TLSv1.3 only so we expect no shared group to exist.
4534 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4535 idx == 13 ? 0 : kexch_groups[0]))
4538 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4542 if (max_version == TLS1_3_VERSION) {
4543 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4545 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4551 SSL_free(serverssl);
4552 SSL_free(clientssl);
4559 * Test TLSv1.3 Cipher Suite
4560 * Test 0 = Set TLS1.3 cipher on context
4561 * Test 1 = Set TLS1.3 cipher on SSL
4562 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4563 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4565 static int test_tls13_ciphersuite(int idx)
4567 SSL_CTX *sctx = NULL, *cctx = NULL;
4568 SSL *serverssl = NULL, *clientssl = NULL;
4569 static const struct {
4570 const char *ciphername;
4573 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4574 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4575 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4576 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4577 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4578 { TLS1_3_RFC_AES_256_GCM_SHA384
4579 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4581 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4583 const char *t13_cipher = NULL;
4584 const char *t12_cipher = NULL;
4585 const char *negotiated_scipher;
4586 const char *negotiated_ccipher;
4602 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4606 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4610 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4611 # ifdef OPENSSL_NO_TLS1_2
4612 if (max_ver == TLS1_2_VERSION)
4615 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4616 if (is_fips && !t13_ciphers[i].fipscapable)
4618 t13_cipher = t13_ciphers[i].ciphername;
4619 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4620 TLS_client_method(),
4621 TLS1_VERSION, max_ver,
4622 &sctx, &cctx, cert, privkey)))
4626 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4627 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4629 if (t12_cipher != NULL) {
4630 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4631 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4637 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4638 &clientssl, NULL, NULL)))
4642 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4643 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4645 if (t12_cipher != NULL) {
4646 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4647 || !TEST_true(SSL_set_cipher_list(clientssl,
4653 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4657 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4659 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4661 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4665 * TEST_strn_eq is used below because t13_cipher can contain
4666 * multiple ciphersuites
4668 if (max_ver == TLS1_3_VERSION
4669 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4670 strlen(negotiated_scipher)))
4673 # ifndef OPENSSL_NO_TLS1_2
4674 /* Below validation is not done when t12_cipher is NULL */
4675 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4676 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4680 SSL_free(serverssl);
4682 SSL_free(clientssl);
4693 SSL_free(serverssl);
4694 SSL_free(clientssl);
4702 * Test 0 = Test new style callbacks
4703 * Test 1 = Test both new and old style callbacks
4704 * Test 2 = Test old style callbacks
4705 * Test 3 = Test old style callbacks with no certificate
4707 static int test_tls13_psk(int idx)
4709 SSL_CTX *sctx = NULL, *cctx = NULL;
4710 SSL *serverssl = NULL, *clientssl = NULL;
4711 const SSL_CIPHER *cipher = NULL;
4712 const unsigned char key[] = {
4713 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4714 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4715 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4716 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4720 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4721 TLS_client_method(), TLS1_VERSION, 0,
4722 &sctx, &cctx, idx == 3 ? NULL : cert,
4723 idx == 3 ? NULL : privkey)))
4728 * We use a ciphersuite with SHA256 to ease testing old style PSK
4729 * callbacks which will always default to SHA256. This should not be
4730 * necessary if we have no cert/priv key. In that case the server should
4731 * prefer SHA256 automatically.
4733 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4734 "TLS_AES_128_GCM_SHA256")))
4738 * As noted above the server should prefer SHA256 automatically. However
4739 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4740 * code works even if we are testing with only the FIPS provider loaded.
4742 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4743 "TLS_AES_256_GCM_SHA384:"
4744 "TLS_AES_128_GCM_SHA256")))
4749 * Test 0: New style callbacks only
4750 * Test 1: New and old style callbacks (only the new ones should be used)
4751 * Test 2: Old style callbacks only
4753 if (idx == 0 || idx == 1) {
4754 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4755 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4757 #ifndef OPENSSL_NO_PSK
4759 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4760 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4764 use_session_cb_cnt = 0;
4765 find_session_cb_cnt = 0;
4766 psk_client_cb_cnt = 0;
4767 psk_server_cb_cnt = 0;
4771 * Check we can create a connection if callback decides not to send a
4774 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4776 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4778 || !TEST_false(SSL_session_reused(clientssl))
4779 || !TEST_false(SSL_session_reused(serverssl)))
4782 if (idx == 0 || idx == 1) {
4783 if (!TEST_true(use_session_cb_cnt == 1)
4784 || !TEST_true(find_session_cb_cnt == 0)
4786 * If no old style callback then below should be 0
4789 || !TEST_true(psk_client_cb_cnt == idx)
4790 || !TEST_true(psk_server_cb_cnt == 0))
4793 if (!TEST_true(use_session_cb_cnt == 0)
4794 || !TEST_true(find_session_cb_cnt == 0)
4795 || !TEST_true(psk_client_cb_cnt == 1)
4796 || !TEST_true(psk_server_cb_cnt == 0))
4800 shutdown_ssl_connection(serverssl, clientssl);
4801 serverssl = clientssl = NULL;
4802 use_session_cb_cnt = psk_client_cb_cnt = 0;
4805 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4809 /* Create the PSK */
4810 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4811 clientpsk = SSL_SESSION_new();
4812 if (!TEST_ptr(clientpsk)
4813 || !TEST_ptr(cipher)
4814 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4816 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4817 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4819 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4821 serverpsk = clientpsk;
4823 /* Check we can create a connection and the PSK is used */
4824 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4825 || !TEST_true(SSL_session_reused(clientssl))
4826 || !TEST_true(SSL_session_reused(serverssl)))
4829 if (idx == 0 || idx == 1) {
4830 if (!TEST_true(use_session_cb_cnt == 1)
4831 || !TEST_true(find_session_cb_cnt == 1)
4832 || !TEST_true(psk_client_cb_cnt == 0)
4833 || !TEST_true(psk_server_cb_cnt == 0))
4836 if (!TEST_true(use_session_cb_cnt == 0)
4837 || !TEST_true(find_session_cb_cnt == 0)
4838 || !TEST_true(psk_client_cb_cnt == 1)
4839 || !TEST_true(psk_server_cb_cnt == 1))
4843 shutdown_ssl_connection(serverssl, clientssl);
4844 serverssl = clientssl = NULL;
4845 use_session_cb_cnt = find_session_cb_cnt = 0;
4846 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4848 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4853 #if defined(OPENSSL_NO_EC)
4854 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4857 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4862 * Check we can create a connection, the PSK is used and the callbacks are
4865 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4866 || !TEST_true(SSL_session_reused(clientssl))
4867 || !TEST_true(SSL_session_reused(serverssl)))
4870 if (idx == 0 || idx == 1) {
4871 if (!TEST_true(use_session_cb_cnt == 2)
4872 || !TEST_true(find_session_cb_cnt == 2)
4873 || !TEST_true(psk_client_cb_cnt == 0)
4874 || !TEST_true(psk_server_cb_cnt == 0))
4877 if (!TEST_true(use_session_cb_cnt == 0)
4878 || !TEST_true(find_session_cb_cnt == 0)
4879 || !TEST_true(psk_client_cb_cnt == 2)
4880 || !TEST_true(psk_server_cb_cnt == 2))
4884 shutdown_ssl_connection(serverssl, clientssl);
4885 serverssl = clientssl = NULL;
4886 use_session_cb_cnt = find_session_cb_cnt = 0;
4887 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4891 * Check that if the server rejects the PSK we can still connect, but with
4894 srvid = "Dummy Identity";
4895 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4897 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4899 || !TEST_false(SSL_session_reused(clientssl))
4900 || !TEST_false(SSL_session_reused(serverssl)))
4903 if (idx == 0 || idx == 1) {
4904 if (!TEST_true(use_session_cb_cnt == 1)
4905 || !TEST_true(find_session_cb_cnt == 1)
4906 || !TEST_true(psk_client_cb_cnt == 0)
4908 * If no old style callback then below should be 0
4911 || !TEST_true(psk_server_cb_cnt == idx))
4914 if (!TEST_true(use_session_cb_cnt == 0)
4915 || !TEST_true(find_session_cb_cnt == 0)
4916 || !TEST_true(psk_client_cb_cnt == 1)
4917 || !TEST_true(psk_server_cb_cnt == 1))
4921 shutdown_ssl_connection(serverssl, clientssl);
4922 serverssl = clientssl = NULL;
4927 SSL_SESSION_free(clientpsk);
4928 SSL_SESSION_free(serverpsk);
4929 clientpsk = serverpsk = NULL;
4930 SSL_free(serverssl);
4931 SSL_free(clientssl);
4937 static unsigned char cookie_magic_value[] = "cookie magic";
4939 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4940 unsigned int *cookie_len)
4943 * Not suitable as a real cookie generation function but good enough for
4946 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4947 *cookie_len = sizeof(cookie_magic_value) - 1;
4952 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4953 unsigned int cookie_len)
4955 if (cookie_len == sizeof(cookie_magic_value) - 1
4956 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4962 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4966 int res = generate_cookie_callback(ssl, cookie, &temp);
4971 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4974 return verify_cookie_callback(ssl, cookie, cookie_len);
4977 static int test_stateless(void)
4979 SSL_CTX *sctx = NULL, *cctx = NULL;
4980 SSL *serverssl = NULL, *clientssl = NULL;
4983 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4984 TLS_client_method(), TLS1_VERSION, 0,
4985 &sctx, &cctx, cert, privkey)))
4988 /* The arrival of CCS messages can confuse the test */
4989 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4991 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4993 /* Send the first ClientHello */
4994 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4995 SSL_ERROR_WANT_READ))
4997 * This should fail with a -1 return because we have no callbacks
5000 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5003 /* Fatal error so abandon the connection from this client */
5004 SSL_free(clientssl);
5007 /* Set up the cookie generation and verification callbacks */
5008 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5009 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5012 * Create a new connection from the client (we can reuse the server SSL
5015 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5017 /* Send the first ClientHello */
5018 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5019 SSL_ERROR_WANT_READ))
5020 /* This should fail because there is no cookie */
5021 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5024 /* Abandon the connection from this client */
5025 SSL_free(clientssl);
5029 * Now create a connection from a new client but with the same server SSL
5032 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5034 /* Send the first ClientHello */
5035 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5036 SSL_ERROR_WANT_READ))
5037 /* This should fail because there is no cookie */
5038 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5039 /* Send the second ClientHello */
5040 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5041 SSL_ERROR_WANT_READ))
5042 /* This should succeed because a cookie is now present */
5043 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5044 /* Complete the connection */
5045 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5049 shutdown_ssl_connection(serverssl, clientssl);
5050 serverssl = clientssl = NULL;
5054 SSL_free(serverssl);
5055 SSL_free(clientssl);
5061 #endif /* OSSL_NO_USABLE_TLS1_3 */
5063 static int clntaddoldcb = 0;
5064 static int clntparseoldcb = 0;
5065 static int srvaddoldcb = 0;
5066 static int srvparseoldcb = 0;
5067 static int clntaddnewcb = 0;
5068 static int clntparsenewcb = 0;
5069 static int srvaddnewcb = 0;
5070 static int srvparsenewcb = 0;
5071 static int snicb = 0;
5073 #define TEST_EXT_TYPE1 0xff00
5075 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5076 size_t *outlen, int *al, void *add_arg)
5078 int *server = (int *)add_arg;
5079 unsigned char *data;
5081 if (SSL_is_server(s))
5086 if (*server != SSL_is_server(s)
5087 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5092 *outlen = sizeof(char);
5096 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5099 OPENSSL_free((unsigned char *)out);
5102 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5103 size_t inlen, int *al, void *parse_arg)
5105 int *server = (int *)parse_arg;
5107 if (SSL_is_server(s))
5112 if (*server != SSL_is_server(s)
5113 || inlen != sizeof(char)
5120 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5121 const unsigned char **out, size_t *outlen, X509 *x,
5122 size_t chainidx, int *al, void *add_arg)
5124 int *server = (int *)add_arg;
5125 unsigned char *data;
5127 if (SSL_is_server(s))
5132 if (*server != SSL_is_server(s)
5133 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5138 *outlen = sizeof(*data);
5142 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5143 const unsigned char *out, void *add_arg)
5145 OPENSSL_free((unsigned char *)out);
5148 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5149 const unsigned char *in, size_t inlen, X509 *x,
5150 size_t chainidx, int *al, void *parse_arg)
5152 int *server = (int *)parse_arg;
5154 if (SSL_is_server(s))
5159 if (*server != SSL_is_server(s)
5160 || inlen != sizeof(char) || *in != 1)
5166 static int sni_cb(SSL *s, int *al, void *arg)
5168 SSL_CTX *ctx = (SSL_CTX *)arg;
5170 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5171 *al = SSL_AD_INTERNAL_ERROR;
5172 return SSL_TLSEXT_ERR_ALERT_FATAL;
5175 return SSL_TLSEXT_ERR_OK;
5179 * Custom call back tests.
5180 * Test 0: Old style callbacks in TLSv1.2
5181 * Test 1: New style callbacks in TLSv1.2
5182 * Test 2: New style callbacks in TLSv1.2 with SNI
5183 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5184 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5186 static int test_custom_exts(int tst)
5188 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5189 SSL *clientssl = NULL, *serverssl = NULL;
5191 static int server = 1;
5192 static int client = 0;
5193 SSL_SESSION *sess = NULL;
5194 unsigned int context;
5196 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5197 /* Skip tests for TLSv1.2 and below in this case */
5202 /* Reset callback counters */
5203 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5204 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5207 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5208 TLS_client_method(), TLS1_VERSION, 0,
5209 &sctx, &cctx, cert, privkey)))
5213 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5215 &sctx2, NULL, cert, privkey)))
5220 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5221 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5223 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5227 context = SSL_EXT_CLIENT_HELLO
5228 | SSL_EXT_TLS1_2_SERVER_HELLO
5229 | SSL_EXT_TLS1_3_SERVER_HELLO
5230 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5231 | SSL_EXT_TLS1_3_CERTIFICATE
5232 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5234 context = SSL_EXT_CLIENT_HELLO
5235 | SSL_EXT_TLS1_2_SERVER_HELLO
5236 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5239 /* Create a client side custom extension */
5241 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5242 old_add_cb, old_free_cb,
5243 &client, old_parse_cb,
5247 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5248 new_add_cb, new_free_cb,
5249 &client, new_parse_cb, &client)))
5253 /* Should not be able to add duplicates */
5254 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5255 old_add_cb, old_free_cb,
5256 &client, old_parse_cb,
5258 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5259 context, new_add_cb,
5260 new_free_cb, &client,
5261 new_parse_cb, &client)))
5264 /* Create a server side custom extension */
5266 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5267 old_add_cb, old_free_cb,
5268 &server, old_parse_cb,
5272 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5273 new_add_cb, new_free_cb,
5274 &server, new_parse_cb, &server)))
5277 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5278 context, new_add_cb,
5279 new_free_cb, &server,
5280 new_parse_cb, &server)))
5284 /* Should not be able to add duplicates */
5285 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5286 old_add_cb, old_free_cb,
5287 &server, old_parse_cb,
5289 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5290 context, new_add_cb,
5291 new_free_cb, &server,
5292 new_parse_cb, &server)))
5297 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5298 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5303 &clientssl, NULL, NULL))
5304 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5309 if (clntaddoldcb != 1
5310 || clntparseoldcb != 1
5312 || srvparseoldcb != 1)
5314 } else if (tst == 1 || tst == 2 || tst == 3) {
5315 if (clntaddnewcb != 1
5316 || clntparsenewcb != 1
5318 || srvparsenewcb != 1
5319 || (tst != 2 && snicb != 0)
5320 || (tst == 2 && snicb != 1))
5323 /* In this case there 2 NewSessionTicket messages created */
5324 if (clntaddnewcb != 1
5325 || clntparsenewcb != 5
5327 || srvparsenewcb != 1)
5331 sess = SSL_get1_session(clientssl);
5332 SSL_shutdown(clientssl);
5333 SSL_shutdown(serverssl);
5334 SSL_free(serverssl);
5335 SSL_free(clientssl);
5336 serverssl = clientssl = NULL;
5339 /* We don't bother with the resumption aspects for this test */
5344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5346 || !TEST_true(SSL_set_session(clientssl, sess))
5347 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5352 * For a resumed session we expect to add the ClientHello extension. For the
5353 * old style callbacks we ignore it on the server side because they set
5354 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5358 if (clntaddoldcb != 2
5359 || clntparseoldcb != 1
5361 || srvparseoldcb != 1)
5363 } else if (tst == 1 || tst == 2 || tst == 3) {
5364 if (clntaddnewcb != 2
5365 || clntparsenewcb != 2
5367 || srvparsenewcb != 2)
5371 * No Certificate message extensions in the resumption handshake,
5372 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5374 if (clntaddnewcb != 2
5375 || clntparsenewcb != 8
5377 || srvparsenewcb != 2)
5384 SSL_SESSION_free(sess);
5385 SSL_free(serverssl);
5386 SSL_free(clientssl);
5387 SSL_CTX_free(sctx2);
5394 * Test loading of serverinfo data in various formats. test_sslmessages actually
5395 * tests to make sure the extensions appear in the handshake
5397 static int test_serverinfo(int tst)
5399 unsigned int version;
5400 unsigned char *sibuf;
5402 int ret, expected, testresult = 0;
5405 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5409 if ((tst & 0x01) == 0x01)
5410 version = SSL_SERVERINFOV2;
5412 version = SSL_SERVERINFOV1;
5414 if ((tst & 0x02) == 0x02) {
5415 sibuf = serverinfov2;
5416 sibuflen = sizeof(serverinfov2);
5417 expected = (version == SSL_SERVERINFOV2);
5419 sibuf = serverinfov1;
5420 sibuflen = sizeof(serverinfov1);
5421 expected = (version == SSL_SERVERINFOV1);
5424 if ((tst & 0x04) == 0x04) {
5425 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5427 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5430 * The version variable is irrelevant in this case - it's what is in the
5431 * buffer that matters
5433 if ((tst & 0x02) == 0x02)
5439 if (!TEST_true(ret == expected))
5451 * Test that SSL_export_keying_material() produces expected results. There are
5452 * no test vectors so all we do is test that both sides of the communication
5453 * produce the same results for different protocol versions.
5455 #define SMALL_LABEL_LEN 10
5456 #define LONG_LABEL_LEN 249
5457 static int test_export_key_mat(int tst)
5460 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5461 SSL *clientssl = NULL, *serverssl = NULL;
5462 const char label[LONG_LABEL_LEN + 1] = "test label";
5463 const unsigned char context[] = "context";
5464 const unsigned char *emptycontext = NULL;
5465 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5466 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5468 const int protocols[] = {
5477 #ifdef OPENSSL_NO_TLS1
5481 #ifdef OPENSSL_NO_TLS1_1
5485 if (is_fips && (tst == 0 || tst == 1))
5487 #ifdef OPENSSL_NO_TLS1_2
5491 #ifdef OSSL_NO_USABLE_TLS1_3
5495 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5496 TLS_client_method(), TLS1_VERSION, 0,
5497 &sctx, &cctx, cert, privkey)))
5500 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5501 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5502 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5503 if ((protocols[tst] < TLS1_2_VERSION) &&
5504 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5505 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5513 * Premature call of SSL_export_keying_material should just fail.
5515 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5516 sizeof(ckeymat1), label,
5517 SMALL_LABEL_LEN + 1, context,
5518 sizeof(context) - 1, 1), 0))
5521 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5527 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5530 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5531 sizeof(ckeymat1), label,
5532 LONG_LABEL_LEN + 1, context,
5533 sizeof(context) - 1, 1), 0))
5538 } else if (tst == 4) {
5539 labellen = LONG_LABEL_LEN;
5541 labellen = SMALL_LABEL_LEN;
5544 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5545 sizeof(ckeymat1), label,
5547 sizeof(context) - 1, 1), 1)
5548 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5549 sizeof(ckeymat2), label,
5553 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5554 sizeof(ckeymat3), label,
5557 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5558 sizeof(skeymat1), label,
5561 sizeof(context) -1, 1),
5563 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5564 sizeof(skeymat2), label,
5568 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5569 sizeof(skeymat3), label,
5573 * Check that both sides created the same key material with the
5576 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5579 * Check that both sides created the same key material with an
5582 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5585 * Check that both sides created the same key material without a
5588 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5590 /* Different contexts should produce different results */
5591 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5596 * Check that an empty context and no context produce different results in
5597 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5599 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5601 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5608 SSL_free(serverssl);
5609 SSL_free(clientssl);
5610 SSL_CTX_free(sctx2);
5617 #ifndef OSSL_NO_USABLE_TLS1_3
5619 * Test that SSL_export_keying_material_early() produces expected
5620 * results. There are no test vectors so all we do is test that both
5621 * sides of the communication produce the same results for different
5622 * protocol versions.
5624 static int test_export_key_mat_early(int idx)
5626 static const char label[] = "test label";
5627 static const unsigned char context[] = "context";
5629 SSL_CTX *cctx = NULL, *sctx = NULL;
5630 SSL *clientssl = NULL, *serverssl = NULL;
5631 SSL_SESSION *sess = NULL;
5632 const unsigned char *emptycontext = NULL;
5633 unsigned char ckeymat1[80], ckeymat2[80];
5634 unsigned char skeymat1[80], skeymat2[80];
5635 unsigned char buf[1];
5636 size_t readbytes, written;
5638 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5642 /* Here writing 0 length early data is enough. */
5643 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5644 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5646 SSL_READ_EARLY_DATA_ERROR)
5647 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5648 SSL_EARLY_DATA_ACCEPTED))
5651 if (!TEST_int_eq(SSL_export_keying_material_early(
5652 clientssl, ckeymat1, sizeof(ckeymat1), label,
5653 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5654 || !TEST_int_eq(SSL_export_keying_material_early(
5655 clientssl, ckeymat2, sizeof(ckeymat2), label,
5656 sizeof(label) - 1, emptycontext, 0), 1)
5657 || !TEST_int_eq(SSL_export_keying_material_early(
5658 serverssl, skeymat1, sizeof(skeymat1), label,
5659 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5660 || !TEST_int_eq(SSL_export_keying_material_early(
5661 serverssl, skeymat2, sizeof(skeymat2), label,
5662 sizeof(label) - 1, emptycontext, 0), 1)
5664 * Check that both sides created the same key material with the
5667 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5670 * Check that both sides created the same key material with an
5673 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5675 /* Different contexts should produce different results */
5676 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5683 SSL_SESSION_free(sess);
5684 SSL_SESSION_free(clientpsk);
5685 SSL_SESSION_free(serverpsk);
5686 clientpsk = serverpsk = NULL;
5687 SSL_free(serverssl);
5688 SSL_free(clientssl);
5695 #define NUM_KEY_UPDATE_MESSAGES 40
5699 static int test_key_update(void)
5701 SSL_CTX *cctx = NULL, *sctx = NULL;
5702 SSL *clientssl = NULL, *serverssl = NULL;
5703 int testresult = 0, i, j;
5705 static char *mess = "A test message";
5707 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5708 TLS_client_method(),
5711 &sctx, &cctx, cert, privkey))
5712 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5714 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5718 for (j = 0; j < 2; j++) {
5719 /* Send lots of KeyUpdate messages */
5720 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5721 if (!TEST_true(SSL_key_update(clientssl,
5723 ? SSL_KEY_UPDATE_NOT_REQUESTED
5724 : SSL_KEY_UPDATE_REQUESTED))
5725 || !TEST_true(SSL_do_handshake(clientssl)))
5729 /* Check that sending and receiving app data is ok */
5730 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5731 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5735 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5736 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5744 SSL_free(serverssl);
5745 SSL_free(clientssl);
5753 * Test we can handle a KeyUpdate (update requested) message while write data
5755 * Test 0: Client sends KeyUpdate while Server is writing
5756 * Test 1: Server sends KeyUpdate while Client is writing
5758 static int test_key_update_in_write(int tst)
5760 SSL_CTX *cctx = NULL, *sctx = NULL;
5761 SSL *clientssl = NULL, *serverssl = NULL;
5764 static char *mess = "A test message";
5765 BIO *bretry = BIO_new(bio_s_always_retry());
5767 SSL *peerupdate = NULL, *peerwrite = NULL;
5769 if (!TEST_ptr(bretry)
5770 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5771 TLS_client_method(),
5774 &sctx, &cctx, cert, privkey))
5775 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5777 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5781 peerupdate = tst == 0 ? clientssl : serverssl;
5782 peerwrite = tst == 0 ? serverssl : clientssl;
5784 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5785 || !TEST_true(SSL_do_handshake(peerupdate)))
5788 /* Swap the writing endpoint's write BIO to force a retry */
5789 tmp = SSL_get_wbio(peerwrite);
5790 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5794 SSL_set0_wbio(peerwrite, bretry);
5797 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5798 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5799 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5802 /* Reinstate the original writing endpoint's write BIO */
5803 SSL_set0_wbio(peerwrite, tmp);
5806 /* Now read some data - we will read the key update */
5807 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5808 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5812 * Complete the write we started previously and read it from the other
5815 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5816 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5819 /* Write more data to ensure we send the KeyUpdate message back */
5820 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5821 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5827 SSL_free(serverssl);
5828 SSL_free(clientssl);
5836 #endif /* OSSL_NO_USABLE_TLS1_3 */
5838 static int test_ssl_clear(int idx)
5840 SSL_CTX *cctx = NULL, *sctx = NULL;
5841 SSL *clientssl = NULL, *serverssl = NULL;
5844 #ifdef OPENSSL_NO_TLS1_2
5849 /* Create an initial connection */
5850 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5851 TLS_client_method(), TLS1_VERSION, 0,
5852 &sctx, &cctx, cert, privkey))
5854 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5856 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5857 &clientssl, NULL, NULL))
5858 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5862 SSL_shutdown(clientssl);
5863 SSL_shutdown(serverssl);
5864 SSL_free(serverssl);
5867 /* Clear clientssl - we're going to reuse the object */
5868 if (!TEST_true(SSL_clear(clientssl)))
5871 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5875 || !TEST_true(SSL_session_reused(clientssl)))
5878 SSL_shutdown(clientssl);
5879 SSL_shutdown(serverssl);
5884 SSL_free(serverssl);
5885 SSL_free(clientssl);
5892 /* Parse CH and retrieve any MFL extension value if present */
5893 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5896 unsigned char *data;
5897 PACKET pkt, pkt2, pkt3;
5898 unsigned int MFL_code = 0, type = 0;
5900 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5903 memset(&pkt, 0, sizeof(pkt));
5904 memset(&pkt2, 0, sizeof(pkt2));
5905 memset(&pkt3, 0, sizeof(pkt3));
5907 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5908 /* Skip the record header */
5909 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5910 /* Skip the handshake message header */
5911 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5912 /* Skip client version and random */
5913 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5914 + SSL3_RANDOM_SIZE))
5915 /* Skip session id */
5916 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5918 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5919 /* Skip compression */
5920 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5921 /* Extensions len */
5922 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5925 /* Loop through all extensions */
5926 while (PACKET_remaining(&pkt2)) {
5927 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5928 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5931 if (type == TLSEXT_TYPE_max_fragment_length) {
5932 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5933 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5936 *mfl_codemfl_code = MFL_code;
5945 /* Maximum-Fragment-Length TLS extension mode to test */
5946 static const unsigned char max_fragment_len_test[] = {
5947 TLSEXT_max_fragment_length_512,
5948 TLSEXT_max_fragment_length_1024,
5949 TLSEXT_max_fragment_length_2048,
5950 TLSEXT_max_fragment_length_4096
5953 static int test_max_fragment_len_ext(int idx_tst)
5955 SSL_CTX *ctx = NULL;
5957 int testresult = 0, MFL_mode = 0;
5960 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
5961 TLS1_VERSION, 0, NULL, &ctx, NULL,
5965 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5966 ctx, max_fragment_len_test[idx_tst])))
5973 rbio = BIO_new(BIO_s_mem());
5974 wbio = BIO_new(BIO_s_mem());
5975 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5981 SSL_set_bio(con, rbio, wbio);
5983 if (!TEST_int_le(SSL_connect(con), 0)) {
5984 /* This shouldn't succeed because we don't have a server! */
5988 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5989 /* no MFL in client hello */
5991 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6003 #ifndef OSSL_NO_USABLE_TLS1_3
6004 static int test_pha_key_update(void)
6006 SSL_CTX *cctx = NULL, *sctx = NULL;
6007 SSL *clientssl = NULL, *serverssl = NULL;
6010 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6011 TLS_client_method(), TLS1_VERSION, 0,
6012 &sctx, &cctx, cert, privkey)))
6015 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6016 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6017 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6018 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6021 SSL_CTX_set_post_handshake_auth(cctx, 1);
6023 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6027 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6031 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6032 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6035 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6038 /* Start handshake on the server */
6039 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6042 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6043 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6047 SSL_shutdown(clientssl);
6048 SSL_shutdown(serverssl);
6053 SSL_free(serverssl);
6054 SSL_free(clientssl);
6061 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6063 static SRP_VBASE *vbase = NULL;
6065 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6067 int ret = SSL3_AL_FATAL;
6069 SRP_user_pwd *user = NULL;
6071 username = SSL_get_srp_username(s);
6072 if (username == NULL) {
6073 *ad = SSL_AD_INTERNAL_ERROR;
6077 user = SRP_VBASE_get1_by_user(vbase, username);
6079 *ad = SSL_AD_INTERNAL_ERROR;
6083 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6085 *ad = SSL_AD_INTERNAL_ERROR;
6092 SRP_user_pwd_free(user);
6096 static int create_new_vfile(char *userid, char *password, const char *filename)
6099 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6102 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6105 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6108 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6109 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6110 if (!TEST_ptr(gNid))
6114 * The only way to create an empty TXT_DB is to provide a BIO with no data
6117 db = TXT_DB_read(dummy, DB_NUMBER);
6121 out = BIO_new_file(filename, "w");
6125 row[DB_srpid] = OPENSSL_strdup(userid);
6126 row[DB_srptype] = OPENSSL_strdup("V");
6127 row[DB_srpgN] = OPENSSL_strdup(gNid);
6129 if (!TEST_ptr(row[DB_srpid])
6130 || !TEST_ptr(row[DB_srptype])
6131 || !TEST_ptr(row[DB_srpgN])
6132 || !TEST_true(TXT_DB_insert(db, row)))
6137 if (!TXT_DB_write(out, db))
6143 for (i = 0; i < DB_NUMBER; i++)
6144 OPENSSL_free(row[i]);
6154 static int create_new_vbase(char *userid, char *password)
6156 BIGNUM *verifier = NULL, *salt = NULL;
6157 const SRP_gN *lgN = NULL;
6158 SRP_user_pwd *user_pwd = NULL;
6161 lgN = SRP_get_default_gN(NULL);
6165 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6166 lgN->N, lgN->g, libctx, NULL)))
6169 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6170 if (!TEST_ptr(user_pwd))
6173 user_pwd->N = lgN->N;
6174 user_pwd->g = lgN->g;
6175 user_pwd->id = OPENSSL_strdup(userid);
6176 if (!TEST_ptr(user_pwd->id))
6179 user_pwd->v = verifier;
6181 verifier = salt = NULL;
6183 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6189 SRP_user_pwd_free(user_pwd);
6199 * Test 0: Simple successful SRP connection, new vbase
6200 * Test 1: Connection failure due to bad password, new vbase
6201 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6202 * Test 3: Connection failure due to bad password, vbase loaded from existing
6204 * Test 4: Simple successful SRP connection, vbase loaded from new file
6205 * Test 5: Connection failure due to bad password, vbase loaded from new file
6207 static int test_srp(int tst)
6209 char *userid = "test", *password = "password", *tstsrpfile;
6210 SSL_CTX *cctx = NULL, *sctx = NULL;
6211 SSL *clientssl = NULL, *serverssl = NULL;
6212 int ret, testresult = 0;
6214 vbase = SRP_VBASE_new(NULL);
6215 if (!TEST_ptr(vbase))
6218 if (tst == 0 || tst == 1) {
6219 if (!TEST_true(create_new_vbase(userid, password)))
6222 if (tst == 4 || tst == 5) {
6223 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6225 tstsrpfile = tmpfilename;
6227 tstsrpfile = srpvfile;
6229 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6233 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6234 TLS_client_method(), TLS1_VERSION, 0,
6235 &sctx, &cctx, cert, privkey)))
6238 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6239 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6240 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6241 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6242 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6246 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6249 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6257 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6259 if (!TEST_true(tst % 2 == 0))
6262 if (!TEST_true(tst % 2 == 1))
6269 SRP_VBASE_free(vbase);
6271 SSL_free(serverssl);
6272 SSL_free(clientssl);
6280 static int info_cb_failed = 0;
6281 static int info_cb_offset = 0;
6282 static int info_cb_this_state = -1;
6284 static struct info_cb_states_st {
6286 const char *statestr;
6287 } info_cb_states[][60] = {
6289 /* TLSv1.2 server followed by resumption */
6290 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6291 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6292 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6293 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6294 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6295 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6296 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6297 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6298 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6299 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6300 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6301 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6302 {SSL_CB_EXIT, NULL}, {0, NULL},
6304 /* TLSv1.2 client followed by resumption */
6305 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6306 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6307 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6308 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6309 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6310 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6311 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6312 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6313 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6314 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6315 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6316 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6318 /* TLSv1.3 server followed by resumption */
6319 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6320 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6321 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6322 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6323 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6324 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6325 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6326 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6327 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6328 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6329 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6330 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6331 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6333 /* TLSv1.3 client followed by resumption */
6334 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6335 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6336 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6337 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6338 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6339 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6340 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6341 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6342 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6343 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6344 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6345 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6346 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6347 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6348 {SSL_CB_EXIT, NULL}, {0, NULL},
6350 /* TLSv1.3 server, early_data */
6351 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6352 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6353 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6354 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6355 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6356 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6357 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6358 {SSL_CB_EXIT, NULL}, {0, NULL},
6360 /* TLSv1.3 client, early_data */
6361 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6362 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6363 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6364 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6365 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6366 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6367 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6368 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6369 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6375 static void sslapi_info_callback(const SSL *s, int where, int ret)
6377 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6379 /* We do not ever expect a connection to fail in this test */
6380 if (!TEST_false(ret == 0)) {
6386 * Do some sanity checks. We never expect these things to happen in this
6389 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6390 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6391 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6396 /* Now check we're in the right state */
6397 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6401 if ((where & SSL_CB_LOOP) != 0
6402 && !TEST_int_eq(strcmp(SSL_state_string(s),
6403 state[info_cb_this_state].statestr), 0)) {
6409 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6411 if ((where & SSL_CB_HANDSHAKE_DONE)
6412 && SSL_in_init((SSL *)s) != 0) {
6419 * Test the info callback gets called when we expect it to.
6421 * Test 0: TLSv1.2, server
6422 * Test 1: TLSv1.2, client
6423 * Test 2: TLSv1.3, server
6424 * Test 3: TLSv1.3, client
6425 * Test 4: TLSv1.3, server, early_data
6426 * Test 5: TLSv1.3, client, early_data
6428 static int test_info_callback(int tst)
6430 SSL_CTX *cctx = NULL, *sctx = NULL;
6431 SSL *clientssl = NULL, *serverssl = NULL;
6432 SSL_SESSION *clntsess = NULL;
6437 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6438 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6439 || !defined(OPENSSL_NO_DH))
6440 tlsvers = TLS1_2_VERSION;
6445 #ifndef OSSL_NO_USABLE_TLS1_3
6446 tlsvers = TLS1_3_VERSION;
6454 info_cb_this_state = -1;
6455 info_cb_offset = tst;
6457 #ifndef OSSL_NO_USABLE_TLS1_3
6459 SSL_SESSION *sess = NULL;
6460 size_t written, readbytes;
6461 unsigned char buf[80];
6463 /* early_data tests */
6464 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6465 &serverssl, &sess, 0)))
6468 /* We don't actually need this reference */
6469 SSL_SESSION_free(sess);
6471 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6472 sslapi_info_callback);
6474 /* Write and read some early data and then complete the connection */
6475 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6477 || !TEST_size_t_eq(written, strlen(MSG1))
6478 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6479 sizeof(buf), &readbytes),
6480 SSL_READ_EARLY_DATA_SUCCESS)
6481 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6482 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6483 SSL_EARLY_DATA_ACCEPTED)
6484 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6486 || !TEST_false(info_cb_failed))
6494 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6495 TLS_client_method(),
6496 tlsvers, tlsvers, &sctx, &cctx, cert,
6500 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6504 * For even numbered tests we check the server callbacks. For odd numbers we
6507 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6508 sslapi_info_callback);
6510 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6511 &clientssl, NULL, NULL))
6512 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6514 || !TEST_false(info_cb_failed))
6519 clntsess = SSL_get1_session(clientssl);
6520 SSL_shutdown(clientssl);
6521 SSL_shutdown(serverssl);
6522 SSL_free(serverssl);
6523 SSL_free(clientssl);
6524 serverssl = clientssl = NULL;
6526 /* Now do a resumption */
6527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6529 || !TEST_true(SSL_set_session(clientssl, clntsess))
6530 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6532 || !TEST_true(SSL_session_reused(clientssl))
6533 || !TEST_false(info_cb_failed))
6539 SSL_free(serverssl);
6540 SSL_free(clientssl);
6541 SSL_SESSION_free(clntsess);
6547 static int test_ssl_pending(int tst)
6549 SSL_CTX *cctx = NULL, *sctx = NULL;
6550 SSL *clientssl = NULL, *serverssl = NULL;
6552 char msg[] = "A test message";
6554 size_t written, readbytes;
6557 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6558 TLS_client_method(),
6560 &sctx, &cctx, cert, privkey)))
6563 #ifndef OPENSSL_NO_DTLS
6564 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6565 DTLS_client_method(),
6567 &sctx, &cctx, cert, privkey)))
6574 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6576 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6580 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6581 || !TEST_false(SSL_has_pending(clientssl))
6582 || !TEST_int_eq(SSL_pending(serverssl), 0)
6583 || !TEST_false(SSL_has_pending(serverssl))
6584 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6585 || !TEST_size_t_eq(written, sizeof(msg))
6586 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6587 || !TEST_size_t_eq(readbytes, sizeof(buf))
6588 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6589 || !TEST_true(SSL_has_pending(clientssl)))
6595 SSL_free(serverssl);
6596 SSL_free(clientssl);
6604 unsigned int maxprot;
6605 const char *clntciphers;
6606 const char *clnttls13ciphers;
6607 const char *srvrciphers;
6608 const char *srvrtls13ciphers;
6610 const char *fipsshared;
6611 } shared_ciphers_data[] = {
6613 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6614 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6616 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6619 "AES128-SHA:AES256-SHA",
6621 "AES256-SHA:DHE-RSA-AES128-SHA",
6626 # if !defined(OPENSSL_NO_CHACHA) \
6627 && !defined(OPENSSL_NO_POLY1305) \
6628 && !defined(OPENSSL_NO_EC)
6631 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6633 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6635 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6641 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6643 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6645 "AES128-SHA:AES256-SHA",
6646 "AES128-SHA:AES256-SHA"
6650 "AES128-SHA:AES256-SHA",
6652 "AES128-SHA:DHE-RSA-AES128-SHA",
6659 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6662 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6663 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6666 "AES128-SHA:AES256-SHA",
6668 "AES256-SHA:AES128-SHA256",
6670 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6671 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6672 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6675 #ifndef OSSL_NO_USABLE_TLS1_3
6679 "TLS_AES_256_GCM_SHA384",
6681 "TLS_AES_256_GCM_SHA384",
6682 "TLS_AES_256_GCM_SHA384",
6683 "TLS_AES_256_GCM_SHA384"
6688 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6690 SSL_CTX *cctx = NULL, *sctx = NULL;
6691 SSL *clientssl = NULL, *serverssl = NULL;
6694 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
6696 if (!TEST_ptr(tmplibctx))
6700 * Regardless of whether we're testing with the FIPS provider loaded into
6701 * libctx, we want one peer to always use the full set of ciphersuites
6702 * available. Therefore we use a separate libctx with the default provider
6703 * loaded into it. We run the same tests twice - once with the client side
6704 * having the full set of ciphersuites and once with the server side.
6707 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
6708 if (!TEST_ptr(cctx))
6711 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
6712 if (!TEST_ptr(sctx))
6716 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6717 TLS_client_method(),
6719 shared_ciphers_data[tst].maxprot,
6720 &sctx, &cctx, cert, privkey)))
6723 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6724 shared_ciphers_data[tst].clntciphers))
6725 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6726 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6727 shared_ciphers_data[tst].clnttls13ciphers)))
6728 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6729 shared_ciphers_data[tst].srvrciphers))
6730 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6731 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6732 shared_ciphers_data[tst].srvrtls13ciphers))))
6736 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6738 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6742 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6743 || !TEST_int_eq(strcmp(buf,
6745 ? shared_ciphers_data[tst].fipsshared
6746 : shared_ciphers_data[tst].shared),
6748 TEST_info("Shared ciphers are: %s\n", buf);
6755 SSL_free(serverssl);
6756 SSL_free(clientssl);
6759 OSSL_LIB_CTX_free(tmplibctx);
6764 static int test_ssl_get_shared_ciphers(int tst)
6766 return int_test_ssl_get_shared_ciphers(tst, 0)
6767 && int_test_ssl_get_shared_ciphers(tst, 1);
6771 static const char *appdata = "Hello World";
6772 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6773 static int tick_key_renew = 0;
6774 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6776 static int gen_tick_cb(SSL *s, void *arg)
6778 gen_tick_called = 1;
6780 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6784 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6785 const unsigned char *keyname,
6786 size_t keyname_length,
6787 SSL_TICKET_STATUS status,
6793 dec_tick_called = 1;
6795 if (status == SSL_TICKET_EMPTY)
6796 return SSL_TICKET_RETURN_IGNORE_RENEW;
6798 if (!TEST_true(status == SSL_TICKET_SUCCESS
6799 || status == SSL_TICKET_SUCCESS_RENEW))
6800 return SSL_TICKET_RETURN_ABORT;
6802 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6804 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6805 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6806 return SSL_TICKET_RETURN_ABORT;
6808 if (tick_key_cb_called) {
6809 /* Don't change what the ticket key callback wanted to do */
6811 case SSL_TICKET_NO_DECRYPT:
6812 return SSL_TICKET_RETURN_IGNORE_RENEW;
6814 case SSL_TICKET_SUCCESS:
6815 return SSL_TICKET_RETURN_USE;
6817 case SSL_TICKET_SUCCESS_RENEW:
6818 return SSL_TICKET_RETURN_USE_RENEW;
6821 return SSL_TICKET_RETURN_ABORT;
6824 return tick_dec_ret;
6828 #ifndef OPENSSL_NO_DEPRECATED_3_0
6829 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6830 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6831 HMAC_CTX *hctx, int enc)
6833 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6834 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6835 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6836 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6839 tick_key_cb_called = 1;
6840 memset(iv, 0, AES_BLOCK_SIZE);
6841 memset(key_name, 0, 16);
6842 if (aes128cbc == NULL
6844 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6845 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6849 ret = tick_key_renew ? 2 : 1;
6851 EVP_CIPHER_free(aes128cbc);
6852 EVP_MD_free(sha256);
6858 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6859 unsigned char iv[EVP_MAX_IV_LENGTH],
6860 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6862 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6863 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6864 OSSL_PARAM params[3];
6865 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6868 tick_key_cb_called = 1;
6869 memset(iv, 0, AES_BLOCK_SIZE);
6870 memset(key_name, 0, 16);
6871 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6873 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6875 sizeof(tick_hmac_key));
6876 params[2] = OSSL_PARAM_construct_end();
6877 if (aes128cbc == NULL
6878 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6879 || !EVP_MAC_CTX_set_params(hctx, params)
6880 || !EVP_MAC_init(hctx))
6883 ret = tick_key_renew ? 2 : 1;
6885 EVP_CIPHER_free(aes128cbc);
6891 * Test the various ticket callbacks
6892 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6893 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6894 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6895 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6896 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6897 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6898 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6899 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6900 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6901 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6902 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6903 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6904 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6905 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6906 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6907 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6909 static int test_ticket_callbacks(int tst)
6911 SSL_CTX *cctx = NULL, *sctx = NULL;
6912 SSL *clientssl = NULL, *serverssl = NULL;
6913 SSL_SESSION *clntsess = NULL;
6916 #ifdef OPENSSL_NO_TLS1_2
6920 #ifdef OSSL_NO_USABLE_TLS1_3
6924 #ifdef OPENSSL_NO_DEPRECATED_3_0
6925 if (tst >= 8 && tst <= 11)
6929 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6931 /* Which tests the ticket key callback should request renewal for */
6932 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6937 /* Which tests the decrypt ticket callback should request renewal for */
6941 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6946 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6951 tick_dec_ret = SSL_TICKET_RETURN_USE;
6956 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6960 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6963 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6964 TLS_client_method(),
6966 ((tst % 2) == 0) ? TLS1_2_VERSION
6968 &sctx, &cctx, cert, privkey)))
6972 * We only want sessions to resume from tickets - not the session cache. So
6973 * switch the cache off.
6975 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6978 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6983 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6985 #ifndef OPENSSL_NO_DEPRECATED_3_0
6986 } else if (tst >= 8) {
6987 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6992 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6994 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6999 * The decrypt ticket key callback in TLSv1.2 should be called even though
7000 * we have no ticket yet, because it gets called with a status of
7001 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7002 * actually send any ticket data). This does not happen in TLSv1.3 because
7003 * it is not valid to send empty ticket data in TLSv1.3.
7005 if (!TEST_int_eq(gen_tick_called, 1)
7006 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7009 gen_tick_called = dec_tick_called = 0;
7011 clntsess = SSL_get1_session(clientssl);
7012 SSL_shutdown(clientssl);
7013 SSL_shutdown(serverssl);
7014 SSL_free(serverssl);
7015 SSL_free(clientssl);
7016 serverssl = clientssl = NULL;
7018 /* Now do a resumption */
7019 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7021 || !TEST_true(SSL_set_session(clientssl, clntsess))
7022 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7026 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7027 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7028 if (!TEST_false(SSL_session_reused(clientssl)))
7031 if (!TEST_true(SSL_session_reused(clientssl)))
7035 if (!TEST_int_eq(gen_tick_called,
7037 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7038 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7040 || !TEST_int_eq(dec_tick_called, 1))
7046 SSL_SESSION_free(clntsess);
7047 SSL_free(serverssl);
7048 SSL_free(clientssl);
7056 * Test incorrect shutdown.
7057 * Test 0: client does not shutdown properly,
7058 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7059 * server should get SSL_ERROR_SSL
7060 * Test 1: client does not shutdown properly,
7061 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7062 * server should get SSL_ERROR_ZERO_RETURN
7064 static int test_incorrect_shutdown(int tst)
7066 SSL_CTX *cctx = NULL, *sctx = NULL;
7067 SSL *clientssl = NULL, *serverssl = NULL;
7072 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7073 TLS_client_method(), 0, 0,
7074 &sctx, &cctx, cert, privkey)))
7078 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7080 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7084 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7088 c2s = SSL_get_rbio(serverssl);
7089 BIO_set_mem_eof_return(c2s, 0);
7091 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7094 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7096 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7102 SSL_free(serverssl);
7103 SSL_free(clientssl);
7111 * Test bi-directional shutdown.
7113 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7114 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7115 * Test 3: TLSv1.3, pending NewSessionTicket messages
7116 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7117 * sends key update, client reads it
7118 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7119 * sends CertificateRequest, client reads and ignores it
7120 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7123 static int test_shutdown(int tst)
7125 SSL_CTX *cctx = NULL, *sctx = NULL;
7126 SSL *clientssl = NULL, *serverssl = NULL;
7128 char msg[] = "A test message";
7130 size_t written, readbytes;
7133 #ifdef OPENSSL_NO_TLS1_2
7137 #ifdef OSSL_NO_USABLE_TLS1_3
7142 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7143 TLS_client_method(),
7145 (tst <= 1) ? TLS1_2_VERSION
7147 &sctx, &cctx, cert, privkey)))
7151 SSL_CTX_set_post_handshake_auth(cctx, 1);
7153 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7158 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7160 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7161 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7163 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7165 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7166 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7170 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7175 * Reading on the server after the client has sent close_notify should
7176 * fail and provide SSL_ERROR_ZERO_RETURN
7178 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7179 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7180 SSL_ERROR_ZERO_RETURN)
7181 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7182 SSL_RECEIVED_SHUTDOWN)
7184 * Even though we're shutdown on receive we should still be
7187 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7190 && !TEST_true(SSL_key_update(serverssl,
7191 SSL_KEY_UPDATE_REQUESTED)))
7194 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7195 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7198 if ((tst == 4 || tst == 5)
7199 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7201 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7203 if (tst == 4 || tst == 5) {
7204 /* Should still be able to read data from server */
7205 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7207 || !TEST_size_t_eq(readbytes, sizeof(msg))
7208 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7209 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7211 || !TEST_size_t_eq(readbytes, sizeof(msg))
7212 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7217 /* Writing on the client after sending close_notify shouldn't be possible */
7218 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7223 * For these tests the client has sent close_notify but it has not yet
7224 * been received by the server. The server has not sent close_notify
7227 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7229 * Writing on the server after sending close_notify shouldn't
7232 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7233 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7234 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7235 || !TEST_true(SSL_SESSION_is_resumable(sess))
7236 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7238 } else if (tst == 4 || tst == 5) {
7240 * In this test the client has sent close_notify and it has been
7241 * received by the server which has responded with a close_notify. The
7242 * client needs to read the close_notify sent by the server.
7244 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7245 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7246 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7252 * The client has sent close_notify and is expecting a close_notify
7253 * back, but instead there is application data first. The shutdown
7254 * should fail with a fatal error.
7256 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7257 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7264 SSL_free(serverssl);
7265 SSL_free(clientssl);
7272 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7273 static int cert_cb_cnt;
7275 static int cert_cb(SSL *s, void *arg)
7277 SSL_CTX *ctx = (SSL_CTX *)arg;
7279 EVP_PKEY *pkey = NULL;
7280 X509 *x509 = NULL, *rootx = NULL;
7281 STACK_OF(X509) *chain = NULL;
7282 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7285 if (cert_cb_cnt == 0) {
7286 /* Suspend the handshake */
7289 } else if (cert_cb_cnt == 1) {
7291 * Update the SSL_CTX, set the certificate and private key and then
7292 * continue the handshake normally.
7294 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7297 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7298 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7300 || !TEST_true(SSL_check_private_key(s)))
7304 } else if (cert_cb_cnt == 3) {
7307 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7308 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7309 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7310 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7312 chain = sk_X509_new_null();
7313 if (!TEST_ptr(chain))
7315 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7316 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7317 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
7318 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
7319 || !TEST_true(sk_X509_push(chain, rootx)))
7323 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7324 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7325 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
7326 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7329 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7330 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7331 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7335 rv = SSL_check_chain(s, x509, pkey, chain);
7337 * If the cert doesn't show as valid here (e.g., because we don't
7338 * have any shared sigalgs), then we will not set it, and there will
7339 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7340 * will cause tls_choose_sigalgs() to fail the connection.
7342 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7343 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7344 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7351 /* Abort the handshake */
7353 OPENSSL_free(ecdsacert);
7354 OPENSSL_free(ecdsakey);
7355 OPENSSL_free(rootfile);
7357 EVP_PKEY_free(pkey);
7360 sk_X509_pop_free(chain, X509_free);
7365 * Test the certificate callback.
7366 * Test 0: Callback fails
7367 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7368 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7369 * Test 3: Success - Call SSL_check_chain from the callback
7370 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7372 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7374 static int test_cert_cb_int(int prot, int tst)
7376 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7377 SSL *clientssl = NULL, *serverssl = NULL;
7378 int testresult = 0, ret;
7380 #ifdef OPENSSL_NO_EC
7381 /* We use an EC cert in these tests, so we skip in a no-ec build */
7386 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7387 TLS_client_method(),
7390 &sctx, &cctx, NULL, NULL)))
7401 snictx = SSL_CTX_new(TLS_server_method());
7402 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7410 * We cause SSL_check_chain() to fail by specifying sig_algs that
7411 * the chain doesn't meet (the root uses an RSA cert)
7413 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7414 "ecdsa_secp256r1_sha256")))
7416 } else if (tst == 5) {
7418 * We cause SSL_check_chain() to fail by specifying sig_algs that
7419 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7421 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7422 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7426 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7427 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7429 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7436 SSL_free(serverssl);
7437 SSL_free(clientssl);
7440 SSL_CTX_free(snictx);
7446 static int test_cert_cb(int tst)
7450 #ifndef OPENSSL_NO_TLS1_2
7451 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7453 #ifndef OSSL_NO_USABLE_TLS1_3
7454 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7460 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7465 BIO *priv_in = NULL;
7467 /* Check that SSL_get0_peer_certificate() returns something sensible */
7468 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
7471 in = BIO_new_file(cert, "r");
7475 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
7476 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7477 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
7478 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7496 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7501 static int test_client_cert_cb(int tst)
7503 SSL_CTX *cctx = NULL, *sctx = NULL;
7504 SSL *clientssl = NULL, *serverssl = NULL;
7507 #ifdef OPENSSL_NO_TLS1_2
7511 #ifdef OSSL_NO_USABLE_TLS1_3
7516 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7517 TLS_client_method(),
7519 tst == 0 ? TLS1_2_VERSION
7521 &sctx, &cctx, cert, privkey)))
7525 * Test that setting a client_cert_cb results in a client certificate being
7528 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7529 SSL_CTX_set_verify(sctx,
7530 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7533 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7535 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7542 SSL_free(serverssl);
7543 SSL_free(clientssl);
7550 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7552 * Test setting certificate authorities on both client and server.
7554 * Test 0: SSL_CTX_set0_CA_list() only
7555 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7556 * Test 2: Only SSL_CTX_set_client_CA_list()
7558 static int test_ca_names_int(int prot, int tst)
7560 SSL_CTX *cctx = NULL, *sctx = NULL;
7561 SSL *clientssl = NULL, *serverssl = NULL;
7564 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7565 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7566 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7567 const STACK_OF(X509_NAME) *sktmp = NULL;
7569 for (i = 0; i < OSSL_NELEM(name); i++) {
7570 name[i] = X509_NAME_new();
7571 if (!TEST_ptr(name[i])
7572 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7581 TLS_client_method(),
7584 &sctx, &cctx, cert, privkey)))
7587 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7589 if (tst == 0 || tst == 1) {
7590 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7591 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7592 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7593 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7594 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7595 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7598 SSL_CTX_set0_CA_list(sctx, sk1);
7599 SSL_CTX_set0_CA_list(cctx, sk2);
7602 if (tst == 1 || tst == 2) {
7603 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7604 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7605 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7606 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7607 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7608 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7611 SSL_CTX_set_client_CA_list(sctx, sk1);
7612 SSL_CTX_set_client_CA_list(cctx, sk2);
7616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7618 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7623 * We only expect certificate authorities to have been sent to the server
7624 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7626 sktmp = SSL_get0_peer_CA_list(serverssl);
7627 if (prot == TLS1_3_VERSION
7628 && (tst == 0 || tst == 1)) {
7629 if (!TEST_ptr(sktmp)
7630 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7631 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7633 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7636 } else if (!TEST_ptr_null(sktmp)) {
7641 * In all tests we expect certificate authorities to have been sent to the
7642 * client. However, SSL_set_client_CA_list() should override
7643 * SSL_set0_CA_list()
7645 sktmp = SSL_get0_peer_CA_list(clientssl);
7646 if (!TEST_ptr(sktmp)
7647 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7648 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7649 name[tst == 0 ? 0 : 2]), 0)
7650 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7651 name[tst == 0 ? 1 : 3]), 0))
7657 SSL_free(serverssl);
7658 SSL_free(clientssl);
7661 for (i = 0; i < OSSL_NELEM(name); i++)
7662 X509_NAME_free(name[i]);
7663 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7664 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7670 static int test_ca_names(int tst)
7674 #ifndef OPENSSL_NO_TLS1_2
7675 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7677 #ifndef OSSL_NO_USABLE_TLS1_3
7678 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7684 #ifndef OPENSSL_NO_TLS1_2
7685 static const char *multiblock_cipherlist_data[]=
7693 /* Reduce the fragment size - so the multiblock test buffer can be small */
7694 # define MULTIBLOCK_FRAGSIZE 512
7696 static int test_multiblock_write(int test_index)
7698 static const char *fetchable_ciphers[]=
7700 "AES-128-CBC-HMAC-SHA1",
7701 "AES-128-CBC-HMAC-SHA256",
7702 "AES-256-CBC-HMAC-SHA1",
7703 "AES-256-CBC-HMAC-SHA256"
7705 const char *cipherlist = multiblock_cipherlist_data[test_index];
7706 const SSL_METHOD *smeth = TLS_server_method();
7707 const SSL_METHOD *cmeth = TLS_client_method();
7708 int min_version = TLS1_VERSION;
7709 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7710 SSL_CTX *cctx = NULL, *sctx = NULL;
7711 SSL *clientssl = NULL, *serverssl = NULL;
7715 * Choose a buffer large enough to perform a multi-block operation
7716 * i.e: write_len >= 4 * frag_size
7717 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7719 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7720 unsigned char buf[sizeof(msg)], *p = buf;
7721 size_t readbytes, written, len;
7722 EVP_CIPHER *ciph = NULL;
7725 * Check if the cipher exists before attempting to use it since it only has
7726 * a hardware specific implementation.
7728 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7730 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7733 EVP_CIPHER_free(ciph);
7735 /* Set up a buffer with some data that will be sent to the client */
7736 RAND_bytes(msg, sizeof(msg));
7738 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7739 max_version, &sctx, &cctx, cert,
7743 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7746 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7750 /* settings to force it to use AES-CBC-HMAC_SHA */
7751 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7752 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7755 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7758 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7759 || !TEST_size_t_eq(written, sizeof(msg)))
7764 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7769 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7774 SSL_free(serverssl);
7775 SSL_free(clientssl);
7781 #endif /* OPENSSL_NO_TLS1_2 */
7784 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7785 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7786 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7787 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7788 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7789 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7790 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7791 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7792 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7793 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7795 static int test_servername(int tst)
7797 SSL_CTX *cctx = NULL, *sctx = NULL;
7798 SSL *clientssl = NULL, *serverssl = NULL;
7800 SSL_SESSION *sess = NULL;
7801 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7803 #ifdef OPENSSL_NO_TLS1_2
7807 #ifdef OSSL_NO_USABLE_TLS1_3
7812 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7813 TLS_client_method(),
7815 (tst <= 4) ? TLS1_2_VERSION
7817 &sctx, &cctx, cert, privkey))
7818 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7822 if (tst != 1 && tst != 6) {
7823 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7828 if (tst != 3 && tst != 8) {
7829 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7831 sexpectedhost = cexpectedhost = "goodhost";
7834 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7837 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7839 || !TEST_str_eq(SSL_get_servername(serverssl,
7840 TLSEXT_NAMETYPE_host_name),
7844 /* Now repeat with a resumption handshake */
7846 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7847 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7848 || !TEST_true(SSL_SESSION_is_resumable(sess))
7849 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7852 SSL_free(clientssl);
7853 SSL_free(serverssl);
7854 clientssl = serverssl = NULL;
7856 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7860 if (!TEST_true(SSL_set_session(clientssl, sess)))
7863 sexpectedhost = cexpectedhost = "goodhost";
7864 if (tst == 2 || tst == 7) {
7865 /* Set an inconsistent hostname */
7866 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7869 * In TLSv1.2 we expect the hostname from the original handshake, in
7870 * TLSv1.3 we expect the hostname from this handshake
7873 sexpectedhost = cexpectedhost = "altgoodhost";
7875 if (!TEST_str_eq(SSL_get_servername(clientssl,
7876 TLSEXT_NAMETYPE_host_name),
7879 } else if (tst == 4 || tst == 9) {
7881 * A TLSv1.3 session does not associate a session with a servername,
7882 * but a TLSv1.2 session does.
7885 sexpectedhost = cexpectedhost = NULL;
7887 if (!TEST_str_eq(SSL_get_servername(clientssl,
7888 TLSEXT_NAMETYPE_host_name),
7892 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7895 * In a TLSv1.2 resumption where the hostname was not acknowledged
7896 * we expect the hostname on the server to be empty. On the client we
7897 * return what was requested in this case.
7899 * Similarly if the client didn't set a hostname on an original TLSv1.2
7900 * session but is now, the server hostname will be empty, but the client
7903 if (tst == 1 || tst == 3)
7904 sexpectedhost = NULL;
7906 if (!TEST_str_eq(SSL_get_servername(clientssl,
7907 TLSEXT_NAMETYPE_host_name),
7912 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7915 if (!TEST_true(SSL_session_reused(clientssl))
7916 || !TEST_true(SSL_session_reused(serverssl))
7917 || !TEST_str_eq(SSL_get_servername(clientssl,
7918 TLSEXT_NAMETYPE_host_name),
7920 || !TEST_str_eq(SSL_get_servername(serverssl,
7921 TLSEXT_NAMETYPE_host_name),
7928 SSL_SESSION_free(sess);
7929 SSL_free(serverssl);
7930 SSL_free(clientssl);
7937 #if !defined(OPENSSL_NO_EC) \
7938 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
7940 * Test that if signature algorithms are not available, then we do not offer or
7942 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7943 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7944 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7945 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7946 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7947 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7949 static int test_sigalgs_available(int idx)
7951 SSL_CTX *cctx = NULL, *sctx = NULL;
7952 SSL *clientssl = NULL, *serverssl = NULL;
7954 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
7955 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
7956 OSSL_PROVIDER *filterprov = NULL;
7959 if (!TEST_ptr(tmpctx))
7962 if (idx != 0 && idx != 3) {
7963 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
7964 filter_provider_init)))
7967 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
7968 if (!TEST_ptr(filterprov))
7973 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
7974 * or accepted for the peer that uses this libctx. Note that libssl
7975 * *requires* SHA2-256 to be available so we cannot disable that. We
7976 * also need SHA1 for our certificate.
7978 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
7982 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
7984 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
7989 if (idx == 1 || idx == 4)
7995 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
7996 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
7997 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8000 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8001 TLS_client_method(),
8004 &sctx, &cctx, cert, privkey)))
8007 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8009 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8010 "ECDHE-RSA-AES128-GCM-SHA256")))
8013 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8014 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8019 if (!SSL_CTX_set1_sigalgs_list(cctx,
8020 "rsa_pss_rsae_sha384"
8021 ":rsa_pss_rsae_sha256")
8022 || !SSL_CTX_set1_sigalgs_list(sctx,
8023 "rsa_pss_rsae_sha384"
8024 ":rsa_pss_rsae_sha256"))
8027 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8028 || !SSL_CTX_set1_sigalgs_list(sctx,
8029 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8033 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8034 SSL_FILETYPE_PEM), 1)
8035 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8037 SSL_FILETYPE_PEM), 1)
8038 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
8041 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8045 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8048 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8049 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8051 (idx == 0 || idx == 3) ? 2 : 1))
8054 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8057 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8064 SSL_free(serverssl);
8065 SSL_free(clientssl);
8068 OSSL_PROVIDER_unload(filterprov);
8069 OSSL_LIB_CTX_free(tmpctx);
8074 * !defined(OPENSSL_NO_EC) \
8075 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8078 #ifndef OPENSSL_NO_TLS1_3
8079 /* This test can run in TLSv1.3 even if ec and dh are disabled */
8080 static int test_pluggable_group(int idx)
8082 SSL_CTX *cctx = NULL, *sctx = NULL;
8083 SSL *clientssl = NULL, *serverssl = NULL;
8085 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8086 /* Check that we are not impacted by a provider without any groups */
8087 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8088 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8090 if (!TEST_ptr(tlsprov))
8093 if (legacyprov == NULL) {
8095 * In this case we assume we've been built with "no-legacy" and skip
8096 * this test (there is no OPENSSL_NO_LEGACY)
8102 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8103 TLS_client_method(),
8106 &sctx, &cctx, cert, privkey))
8107 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8111 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8112 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8115 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8118 if (!TEST_str_eq(group_name,
8119 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8125 SSL_free(serverssl);
8126 SSL_free(clientssl);
8129 OSSL_PROVIDER_unload(tlsprov);
8130 OSSL_PROVIDER_unload(legacyprov);
8136 #ifndef OPENSSL_NO_TLS1_2
8137 static int test_ssl_dup(void)
8139 SSL_CTX *cctx = NULL, *sctx = NULL;
8140 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8142 BIO *rbio = NULL, *wbio = NULL;
8144 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8145 TLS_client_method(),
8148 &sctx, &cctx, cert, privkey)))
8151 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8155 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8156 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8159 client2ssl = SSL_dup(clientssl);
8160 rbio = SSL_get_rbio(clientssl);
8162 || !TEST_true(BIO_up_ref(rbio)))
8164 SSL_set0_rbio(client2ssl, rbio);
8167 wbio = SSL_get_wbio(clientssl);
8168 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8170 SSL_set0_wbio(client2ssl, wbio);
8173 if (!TEST_ptr(client2ssl)
8174 /* Handshake not started so pointers should be different */
8175 || !TEST_ptr_ne(clientssl, client2ssl))
8178 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8179 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8182 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8185 SSL_free(clientssl);
8186 clientssl = SSL_dup(client2ssl);
8187 if (!TEST_ptr(clientssl)
8188 /* Handshake has finished so pointers should be the same */
8189 || !TEST_ptr_eq(clientssl, client2ssl))
8195 SSL_free(serverssl);
8196 SSL_free(clientssl);
8197 SSL_free(client2ssl);
8204 # ifndef OPENSSL_NO_DH
8206 static EVP_PKEY *tmp_dh_params = NULL;
8208 /* Helper function for the test_set_tmp_dh() tests */
8209 static EVP_PKEY *get_tmp_dh_params(void)
8211 if (tmp_dh_params == NULL) {
8213 OSSL_PARAM_BLD *tmpl = NULL;
8214 EVP_PKEY_CTX *pctx = NULL;
8215 OSSL_PARAM *params = NULL;
8216 EVP_PKEY *dhpkey = NULL;
8218 p = BN_get_rfc3526_prime_2048(NULL);
8222 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8224 || !TEST_true(EVP_PKEY_fromdata_init(pctx)))
8227 tmpl = OSSL_PARAM_BLD_new();
8229 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8230 OSSL_PKEY_PARAM_FFC_P,
8232 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8233 OSSL_PKEY_PARAM_FFC_G,
8237 params = OSSL_PARAM_BLD_to_param(tmpl);
8238 if (!TEST_ptr(params)
8239 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey,
8240 EVP_PKEY_KEY_PARAMETERS, params)))
8243 tmp_dh_params = dhpkey;
8246 EVP_PKEY_CTX_free(pctx);
8247 OSSL_PARAM_BLD_free(tmpl);
8248 OSSL_PARAM_BLD_free_params(params);
8251 if (!EVP_PKEY_up_ref(tmp_dh_params))
8254 return tmp_dh_params;
8257 # ifndef OPENSSL_NO_DEPRECATED_3_0
8258 /* Callback used by test_set_tmp_dh() */
8259 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8261 EVP_PKEY *dhpkey = get_tmp_dh_params();
8264 if (!TEST_ptr(dhpkey))
8267 ret = EVP_PKEY_get0_DH(dhpkey);
8269 EVP_PKEY_free(dhpkey);
8276 * Test the various methods for setting temporary DH parameters
8278 * Test 0: Default (no auto) setting
8279 * Test 1: Explicit SSL_CTX auto off
8280 * Test 2: Explicit SSL auto off
8281 * Test 3: Explicit SSL_CTX auto on
8282 * Test 4: Explicit SSL auto on
8283 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8284 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8286 * The following are testing deprecated APIs, so we only run them if available
8287 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8288 * Test 8: Explicit SSL auto off, custom DH params via DH
8289 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8290 * Test 10: Explicit SSL auto off, custom DH params via callback
8292 static int test_set_tmp_dh(int idx)
8294 SSL_CTX *cctx = NULL, *sctx = NULL;
8295 SSL *clientssl = NULL, *serverssl = NULL;
8297 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8298 int expected = (idx <= 2) ? 0 : 1;
8299 EVP_PKEY *dhpkey = NULL;
8300 # ifndef OPENSSL_NO_DEPRECATED_3_0
8308 if (idx >= 5 && idx <= 8) {
8309 dhpkey = get_tmp_dh_params();
8310 if (!TEST_ptr(dhpkey))
8313 # ifndef OPENSSL_NO_DEPRECATED_3_0
8314 if (idx == 7 || idx == 8) {
8315 dh = EVP_PKEY_get0_DH(dhpkey);
8321 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8322 TLS_client_method(),
8325 &sctx, &cctx, cert, privkey)))
8328 if ((idx & 1) == 1) {
8329 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8334 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8338 # ifndef OPENSSL_NO_DEPRECATED_3_0
8339 else if (idx == 7) {
8340 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8342 } else if (idx == 9) {
8343 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8347 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8351 if ((idx & 1) == 0 && idx != 0) {
8352 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8356 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8360 # ifndef OPENSSL_NO_DEPRECATED_3_0
8361 else if (idx == 8) {
8362 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8364 } else if (idx == 10) {
8365 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8369 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8370 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8371 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8375 * If autoon then we should succeed. Otherwise we expect failure because
8376 * there are no parameters
8378 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8379 SSL_ERROR_NONE), expected))
8385 SSL_free(serverssl);
8386 SSL_free(clientssl);
8389 EVP_PKEY_free(dhpkey);
8395 * Test the auto DH keys are appropriately sized
8397 static int test_dh_auto(int idx)
8399 SSL_CTX *cctx = NULL, *sctx = NULL;
8400 SSL *clientssl = NULL, *serverssl = NULL;
8402 EVP_PKEY *tmpkey = NULL;
8403 char *thiscert = NULL, *thiskey = NULL;
8404 size_t expdhsize = 0;
8405 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8409 /* The FIPS provider doesn't support this DH size - so we ignore it */
8412 thiscert = cert1024;
8413 thiskey = privkey1024;
8417 /* 2048 bit prime */
8423 thiscert = cert3072;
8424 thiskey = privkey3072;
8428 thiscert = cert4096;
8429 thiskey = privkey4096;
8433 thiscert = cert8192;
8434 thiskey = privkey8192;
8437 /* No certificate cases */
8439 /* The FIPS provider doesn't support this DH size - so we ignore it */
8442 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8446 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8450 TEST_error("Invalid text index");
8454 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8455 TLS_client_method(),
8458 &sctx, &cctx, thiscert, thiskey)))
8461 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8465 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8466 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8467 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8468 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8469 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8473 * Send the server's first flight. At this point the server has created the
8474 * temporary DH key but hasn't finished using it yet. Once used it is
8475 * removed, so we cannot test it.
8477 if (!TEST_int_le(SSL_connect(clientssl), 0)
8478 || !TEST_int_le(SSL_accept(serverssl), 0))
8481 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8483 if (!TEST_size_t_eq(EVP_PKEY_bits(tmpkey), expdhsize))
8486 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8492 SSL_free(serverssl);
8493 SSL_free(clientssl);
8496 EVP_PKEY_free(tmpkey);
8501 # endif /* OPENSSL_NO_DH */
8502 #endif /* OPENSSL_NO_TLS1_2 */
8504 #ifndef OSSL_NO_USABLE_TLS1_3
8506 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
8507 * that it works even without a certificate configured for the original
8510 static int test_sni_tls13(void)
8512 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
8513 SSL *clientssl = NULL, *serverssl = NULL;
8516 /* Reset callback counter */
8519 /* Create an initial SSL_CTX with no certificate configured */
8520 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8521 if (!TEST_ptr(sctx))
8523 /* Require TLSv1.3 as a minimum */
8524 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8525 TLS_client_method(), TLS1_3_VERSION, 0,
8526 &sctx2, &cctx, cert, privkey)))
8530 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
8531 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
8535 * Connection should still succeed because the final SSL_CTX has the right
8536 * certificates configured.
8538 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
8539 &clientssl, NULL, NULL))
8540 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8544 /* We should have had the SNI callback called exactly once */
8545 if (!TEST_int_eq(snicb, 1))
8551 SSL_free(serverssl);
8552 SSL_free(clientssl);
8553 SSL_CTX_free(sctx2);
8560 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
8562 int setup_tests(void)
8567 libctx = OSSL_LIB_CTX_new();
8568 if (!TEST_ptr(libctx))
8571 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8574 * Verify that the default and fips providers in the default libctx are not
8577 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8578 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8581 if (!test_skip_common_options()) {
8582 TEST_error("Error parsing test options\n");
8586 if (!TEST_ptr(certsdir = test_get_argument(0))
8587 || !TEST_ptr(srpvfile = test_get_argument(1))
8588 || !TEST_ptr(tmpfilename = test_get_argument(2))
8589 || !TEST_ptr(modulename = test_get_argument(3))
8590 || !TEST_ptr(configfile = test_get_argument(4)))
8593 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
8596 /* Check we have the expected provider available */
8597 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8600 /* Check the default provider is not available */
8601 if (strcmp(modulename, "default") != 0
8602 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
8605 if (strcmp(modulename, "fips") == 0)
8609 * We add, but don't load the test "tls-provider". We'll load it when we
8612 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8613 tls_provider_init)))
8617 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8618 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
8619 TEST_error("not supported in this build");
8622 int i, mcount, rcount, fcount;
8624 for (i = 0; i < 4; i++)
8625 test_export_key_mat(i);
8626 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8627 test_printf_stdout("malloc %d realloc %d free %d\n",
8628 mcount, rcount, fcount);
8633 cert = test_mk_file_path(certsdir, "servercert.pem");
8637 privkey = test_mk_file_path(certsdir, "serverkey.pem");
8638 if (privkey == NULL)
8641 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8645 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8646 if (privkey2 == NULL)
8649 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
8650 if (cert1024 == NULL)
8653 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
8654 if (privkey1024 == NULL)
8657 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
8658 if (cert3072 == NULL)
8661 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
8662 if (privkey3072 == NULL)
8665 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
8666 if (cert4096 == NULL)
8669 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
8670 if (privkey4096 == NULL)
8673 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
8674 if (cert8192 == NULL)
8677 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
8678 if (privkey8192 == NULL)
8681 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8682 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8683 ADD_ALL_TESTS(test_ktls, 32);
8684 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
8687 ADD_TEST(test_large_message_tls);
8688 ADD_TEST(test_large_message_tls_read_ahead);
8689 #ifndef OPENSSL_NO_DTLS
8690 ADD_TEST(test_large_message_dtls);
8692 ADD_TEST(test_cleanse_plaintext);
8693 #ifndef OPENSSL_NO_OCSP
8694 ADD_TEST(test_tlsext_status_type);
8696 ADD_TEST(test_session_with_only_int_cache);
8697 ADD_TEST(test_session_with_only_ext_cache);
8698 ADD_TEST(test_session_with_both_cache);
8699 ADD_TEST(test_session_wo_ca_names);
8700 #ifndef OSSL_NO_USABLE_TLS1_3
8701 ADD_ALL_TESTS(test_stateful_tickets, 3);
8702 ADD_ALL_TESTS(test_stateless_tickets, 3);
8703 ADD_TEST(test_psk_tickets);
8704 ADD_ALL_TESTS(test_extra_tickets, 6);
8706 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
8707 ADD_TEST(test_ssl_bio_pop_next_bio);
8708 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8709 ADD_TEST(test_ssl_bio_change_rbio);
8710 ADD_TEST(test_ssl_bio_change_wbio);
8711 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
8712 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
8713 ADD_TEST(test_keylog);
8715 #ifndef OSSL_NO_USABLE_TLS1_3
8716 ADD_TEST(test_keylog_no_master_key);
8718 ADD_TEST(test_client_cert_verify_cb);
8719 #ifndef OPENSSL_NO_TLS1_2
8720 ADD_TEST(test_client_hello_cb);
8721 ADD_TEST(test_no_ems);
8722 ADD_TEST(test_ccs_change_cipher);
8724 #ifndef OSSL_NO_USABLE_TLS1_3
8725 ADD_ALL_TESTS(test_early_data_read_write, 3);
8727 * We don't do replay tests for external PSK. Replay protection isn't used
8730 ADD_ALL_TESTS(test_early_data_replay, 2);
8731 ADD_ALL_TESTS(test_early_data_skip, 3);
8732 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
8733 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
8734 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
8735 ADD_ALL_TESTS(test_early_data_not_sent, 3);
8736 ADD_ALL_TESTS(test_early_data_psk, 8);
8737 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
8738 ADD_ALL_TESTS(test_early_data_not_expected, 3);
8739 # ifndef OPENSSL_NO_TLS1_2
8740 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
8743 #ifndef OSSL_NO_USABLE_TLS1_3
8744 ADD_ALL_TESTS(test_set_ciphersuite, 10);
8745 ADD_TEST(test_ciphersuite_change);
8746 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8747 # ifdef OPENSSL_NO_PSK
8748 ADD_ALL_TESTS(test_tls13_psk, 1);
8750 ADD_ALL_TESTS(test_tls13_psk, 4);
8751 # endif /* OPENSSL_NO_PSK */
8752 # ifndef OPENSSL_NO_TLS1_2
8753 /* Test with both TLSv1.3 and 1.2 versions */
8754 ADD_ALL_TESTS(test_key_exchange, 14);
8756 /* Test with only TLSv1.3 versions */
8757 ADD_ALL_TESTS(test_key_exchange, 12);
8759 ADD_ALL_TESTS(test_custom_exts, 5);
8760 ADD_TEST(test_stateless);
8761 ADD_TEST(test_pha_key_update);
8763 ADD_ALL_TESTS(test_custom_exts, 3);
8765 ADD_ALL_TESTS(test_serverinfo, 8);
8766 ADD_ALL_TESTS(test_export_key_mat, 6);
8767 #ifndef OSSL_NO_USABLE_TLS1_3
8768 ADD_ALL_TESTS(test_export_key_mat_early, 3);
8769 ADD_TEST(test_key_update);
8770 ADD_ALL_TESTS(test_key_update_in_write, 2);
8772 ADD_ALL_TESTS(test_ssl_clear, 2);
8773 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
8774 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8775 ADD_ALL_TESTS(test_srp, 6);
8777 ADD_ALL_TESTS(test_info_callback, 6);
8778 ADD_ALL_TESTS(test_ssl_pending, 2);
8779 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
8780 ADD_ALL_TESTS(test_ticket_callbacks, 16);
8781 ADD_ALL_TESTS(test_shutdown, 7);
8782 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
8783 ADD_ALL_TESTS(test_cert_cb, 6);
8784 ADD_ALL_TESTS(test_client_cert_cb, 2);
8785 ADD_ALL_TESTS(test_ca_names, 3);
8786 #ifndef OPENSSL_NO_TLS1_2
8787 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8789 ADD_ALL_TESTS(test_servername, 10);
8790 #if !defined(OPENSSL_NO_EC) \
8791 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8792 ADD_ALL_TESTS(test_sigalgs_available, 6);
8794 #ifndef OPENSSL_NO_TLS1_3
8795 ADD_ALL_TESTS(test_pluggable_group, 2);
8797 #ifndef OPENSSL_NO_TLS1_2
8798 ADD_TEST(test_ssl_dup);
8799 # ifndef OPENSSL_NO_DH
8800 ADD_ALL_TESTS(test_set_tmp_dh, 11);
8801 ADD_ALL_TESTS(test_dh_auto, 7);
8804 #ifndef OSSL_NO_USABLE_TLS1_3
8805 ADD_TEST(test_sni_tls13);
8811 OPENSSL_free(privkey);
8812 OPENSSL_free(cert2);
8813 OPENSSL_free(privkey2);
8817 void cleanup_tests(void)
8819 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
8820 EVP_PKEY_free(tmp_dh_params);
8823 OPENSSL_free(privkey);
8824 OPENSSL_free(cert2);
8825 OPENSSL_free(privkey2);
8826 OPENSSL_free(cert1024);
8827 OPENSSL_free(privkey1024);
8828 OPENSSL_free(cert3072);
8829 OPENSSL_free(privkey3072);
8830 OPENSSL_free(cert4096);
8831 OPENSSL_free(privkey4096);
8832 OPENSSL_free(cert8192);
8833 OPENSSL_free(privkey8192);
8834 bio_s_mempacket_test_free();
8835 bio_s_always_retry_free();
8836 OSSL_PROVIDER_unload(defctxnull);
8837 OSSL_LIB_CTX_free(libctx);