2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
36 #include "helpers/ssltestlib.h"
38 #include "testutil/output.h"
39 #include "internal/nelem.h"
40 #include "internal/ktls.h"
41 #include "../ssl/ssl_local.h"
42 #include "filterprov.h"
44 #undef OSSL_NO_USABLE_TLS1_3
45 #if defined(OPENSSL_NO_TLS1_3) \
46 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
48 * If we don't have ec or dh then there are no built-in groups that are usable
51 # define OSSL_NO_USABLE_TLS1_3
54 /* Defined in tls-provider.c */
55 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
56 const OSSL_DISPATCH *in,
57 const OSSL_DISPATCH **out,
60 static OSSL_LIB_CTX *libctx = NULL;
61 static OSSL_PROVIDER *defctxnull = NULL;
63 #ifndef OSSL_NO_USABLE_TLS1_3
65 static SSL_SESSION *clientpsk = NULL;
66 static SSL_SESSION *serverpsk = NULL;
67 static const char *pskid = "Identity";
68 static const char *srvid;
70 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
71 size_t *idlen, SSL_SESSION **sess);
72 static int find_session_cb(SSL *ssl, const unsigned char *identity,
73 size_t identity_len, SSL_SESSION **sess);
75 static int use_session_cb_cnt = 0;
76 static int find_session_cb_cnt = 0;
78 static SSL_SESSION *create_a_psk(SSL *ssl);
81 static char *certsdir = NULL;
82 static char *cert = NULL;
83 static char *privkey = NULL;
84 static char *cert2 = NULL;
85 static char *privkey2 = NULL;
86 static char *cert1024 = NULL;
87 static char *privkey1024 = NULL;
88 static char *cert3072 = NULL;
89 static char *privkey3072 = NULL;
90 static char *cert4096 = NULL;
91 static char *privkey4096 = NULL;
92 static char *cert8192 = NULL;
93 static char *privkey8192 = NULL;
94 static char *srpvfile = NULL;
95 static char *tmpfilename = NULL;
97 static int is_fips = 0;
99 #define LOG_BUFFER_SIZE 2048
100 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
101 static size_t server_log_buffer_index = 0;
102 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
103 static size_t client_log_buffer_index = 0;
104 static int error_writing_log = 0;
106 #ifndef OPENSSL_NO_OCSP
107 static const unsigned char orespder[] = "Dummy OCSP Response";
108 static int ocsp_server_called = 0;
109 static int ocsp_client_called = 0;
111 static int cdummyarg = 1;
112 static X509 *ocspcert = NULL;
115 #define NUM_EXTRA_CERTS 40
116 #define CLIENT_VERSION_LEN 2
119 * This structure is used to validate that the correct number of log messages
120 * of various types are emitted when emitting secret logs.
122 struct sslapitest_log_counts {
123 unsigned int rsa_key_exchange_count;
124 unsigned int master_secret_count;
125 unsigned int client_early_secret_count;
126 unsigned int client_handshake_secret_count;
127 unsigned int server_handshake_secret_count;
128 unsigned int client_application_secret_count;
129 unsigned int server_application_secret_count;
130 unsigned int early_exporter_secret_count;
131 unsigned int exporter_secret_count;
135 static unsigned char serverinfov1[] = {
136 0xff, 0xff, /* Dummy extension type */
137 0x00, 0x01, /* Extension length is 1 byte */
138 0xff /* Dummy extension data */
141 static unsigned char serverinfov2[] = {
143 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
144 0xff, 0xff, /* Dummy extension type */
145 0x00, 0x01, /* Extension length is 1 byte */
146 0xff /* Dummy extension data */
149 static int hostname_cb(SSL *s, int *al, void *arg)
151 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
153 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
154 || strcmp(hostname, "altgoodhost") == 0))
155 return SSL_TLSEXT_ERR_OK;
157 return SSL_TLSEXT_ERR_NOACK;
160 static void client_keylog_callback(const SSL *ssl, const char *line)
162 int line_length = strlen(line);
164 /* If the log doesn't fit, error out. */
165 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
166 TEST_info("Client log too full");
167 error_writing_log = 1;
171 strcat(client_log_buffer, line);
172 client_log_buffer_index += line_length;
173 client_log_buffer[client_log_buffer_index++] = '\n';
176 static void server_keylog_callback(const SSL *ssl, const char *line)
178 int line_length = strlen(line);
180 /* If the log doesn't fit, error out. */
181 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
182 TEST_info("Server log too full");
183 error_writing_log = 1;
187 strcat(server_log_buffer, line);
188 server_log_buffer_index += line_length;
189 server_log_buffer[server_log_buffer_index++] = '\n';
192 static int compare_hex_encoded_buffer(const char *hex_encoded,
200 if (!TEST_size_t_eq(raw_length * 2, hex_length))
203 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
204 sprintf(hexed, "%02x", raw[i]);
205 if (!TEST_int_eq(hexed[0], hex_encoded[j])
206 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
213 static int test_keylog_output(char *buffer, const SSL *ssl,
214 const SSL_SESSION *session,
215 struct sslapitest_log_counts *expected)
218 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
219 size_t client_random_size = SSL3_RANDOM_SIZE;
220 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
221 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
222 unsigned int rsa_key_exchange_count = 0;
223 unsigned int master_secret_count = 0;
224 unsigned int client_early_secret_count = 0;
225 unsigned int client_handshake_secret_count = 0;
226 unsigned int server_handshake_secret_count = 0;
227 unsigned int client_application_secret_count = 0;
228 unsigned int server_application_secret_count = 0;
229 unsigned int early_exporter_secret_count = 0;
230 unsigned int exporter_secret_count = 0;
232 for (token = strtok(buffer, " \n"); token != NULL;
233 token = strtok(NULL, " \n")) {
234 if (strcmp(token, "RSA") == 0) {
236 * Premaster secret. Tokens should be: 16 ASCII bytes of
237 * hex-encoded encrypted secret, then the hex-encoded pre-master
240 if (!TEST_ptr(token = strtok(NULL, " \n")))
242 if (!TEST_size_t_eq(strlen(token), 16))
244 if (!TEST_ptr(token = strtok(NULL, " \n")))
247 * We can't sensibly check the log because the premaster secret is
248 * transient, and OpenSSL doesn't keep hold of it once the master
249 * secret is generated.
251 rsa_key_exchange_count++;
252 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
254 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
255 * client random, then the hex-encoded master secret.
257 client_random_size = SSL_get_client_random(ssl,
258 actual_client_random,
260 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
263 if (!TEST_ptr(token = strtok(NULL, " \n")))
265 if (!TEST_size_t_eq(strlen(token), 64))
267 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
268 actual_client_random,
269 client_random_size)))
272 if (!TEST_ptr(token = strtok(NULL, " \n")))
274 master_key_size = SSL_SESSION_get_master_key(session,
277 if (!TEST_size_t_ne(master_key_size, 0))
279 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
283 master_secret_count++;
284 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
285 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
286 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
287 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
288 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
289 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
290 || strcmp(token, "EXPORTER_SECRET") == 0) {
292 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
293 * client random, and then the hex-encoded secret. In this case,
294 * we treat all of these secrets identically and then just
295 * distinguish between them when counting what we saw.
297 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
298 client_early_secret_count++;
299 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
300 client_handshake_secret_count++;
301 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
302 server_handshake_secret_count++;
303 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
304 client_application_secret_count++;
305 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
306 server_application_secret_count++;
307 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
308 early_exporter_secret_count++;
309 else if (strcmp(token, "EXPORTER_SECRET") == 0)
310 exporter_secret_count++;
312 client_random_size = SSL_get_client_random(ssl,
313 actual_client_random,
315 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
318 if (!TEST_ptr(token = strtok(NULL, " \n")))
320 if (!TEST_size_t_eq(strlen(token), 64))
322 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
323 actual_client_random,
324 client_random_size)))
327 if (!TEST_ptr(token = strtok(NULL, " \n")))
330 TEST_info("Unexpected token %s\n", token);
335 /* Got what we expected? */
336 if (!TEST_size_t_eq(rsa_key_exchange_count,
337 expected->rsa_key_exchange_count)
338 || !TEST_size_t_eq(master_secret_count,
339 expected->master_secret_count)
340 || !TEST_size_t_eq(client_early_secret_count,
341 expected->client_early_secret_count)
342 || !TEST_size_t_eq(client_handshake_secret_count,
343 expected->client_handshake_secret_count)
344 || !TEST_size_t_eq(server_handshake_secret_count,
345 expected->server_handshake_secret_count)
346 || !TEST_size_t_eq(client_application_secret_count,
347 expected->client_application_secret_count)
348 || !TEST_size_t_eq(server_application_secret_count,
349 expected->server_application_secret_count)
350 || !TEST_size_t_eq(early_exporter_secret_count,
351 expected->early_exporter_secret_count)
352 || !TEST_size_t_eq(exporter_secret_count,
353 expected->exporter_secret_count))
358 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
359 static int test_keylog(void)
361 SSL_CTX *cctx = NULL, *sctx = NULL;
362 SSL *clientssl = NULL, *serverssl = NULL;
364 struct sslapitest_log_counts expected;
366 /* Clean up logging space */
367 memset(&expected, 0, sizeof(expected));
368 memset(client_log_buffer, 0, sizeof(client_log_buffer));
369 memset(server_log_buffer, 0, sizeof(server_log_buffer));
370 client_log_buffer_index = 0;
371 server_log_buffer_index = 0;
372 error_writing_log = 0;
374 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
377 &sctx, &cctx, cert, privkey)))
380 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
381 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
382 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
384 /* We also want to ensure that we use RSA-based key exchange. */
385 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
388 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
389 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
391 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
392 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
393 == client_keylog_callback))
395 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
396 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
397 == server_keylog_callback))
400 /* Now do a handshake and check that the logs have been written to. */
401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
402 &clientssl, NULL, NULL))
403 || !TEST_true(create_ssl_connection(serverssl, clientssl,
405 || !TEST_false(error_writing_log)
406 || !TEST_int_gt(client_log_buffer_index, 0)
407 || !TEST_int_gt(server_log_buffer_index, 0))
411 * Now we want to test that our output data was vaguely sensible. We
412 * do that by using strtok and confirming that we have more or less the
413 * data we expect. For both client and server, we expect to see one master
414 * secret. The client should also see a RSA key exchange.
416 expected.rsa_key_exchange_count = 1;
417 expected.master_secret_count = 1;
418 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
419 SSL_get_session(clientssl), &expected)))
422 expected.rsa_key_exchange_count = 0;
423 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl), &expected)))
439 #ifndef OSSL_NO_USABLE_TLS1_3
440 static int test_keylog_no_master_key(void)
442 SSL_CTX *cctx = NULL, *sctx = NULL;
443 SSL *clientssl = NULL, *serverssl = NULL;
444 SSL_SESSION *sess = NULL;
446 struct sslapitest_log_counts expected;
447 unsigned char buf[1];
448 size_t readbytes, written;
450 /* Clean up logging space */
451 memset(&expected, 0, sizeof(expected));
452 memset(client_log_buffer, 0, sizeof(client_log_buffer));
453 memset(server_log_buffer, 0, sizeof(server_log_buffer));
454 client_log_buffer_index = 0;
455 server_log_buffer_index = 0;
456 error_writing_log = 0;
458 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
459 TLS_client_method(), TLS1_VERSION, 0,
460 &sctx, &cctx, cert, privkey))
461 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
462 SSL3_RT_MAX_PLAIN_LENGTH)))
465 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
466 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
469 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
470 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
471 == client_keylog_callback))
474 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
475 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
476 == server_keylog_callback))
479 /* Now do a handshake and check that the logs have been written to. */
480 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
481 &clientssl, NULL, NULL))
482 || !TEST_true(create_ssl_connection(serverssl, clientssl,
484 || !TEST_false(error_writing_log))
488 * Now we want to test that our output data was vaguely sensible. For this
489 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
490 * TLSv1.3, but we do expect both client and server to emit keys.
492 expected.client_handshake_secret_count = 1;
493 expected.server_handshake_secret_count = 1;
494 expected.client_application_secret_count = 1;
495 expected.server_application_secret_count = 1;
496 expected.exporter_secret_count = 1;
497 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
498 SSL_get_session(clientssl), &expected))
499 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
500 SSL_get_session(serverssl),
504 /* Terminate old session and resume with early data. */
505 sess = SSL_get1_session(clientssl);
506 SSL_shutdown(clientssl);
507 SSL_shutdown(serverssl);
510 serverssl = clientssl = NULL;
513 memset(client_log_buffer, 0, sizeof(client_log_buffer));
514 memset(server_log_buffer, 0, sizeof(server_log_buffer));
515 client_log_buffer_index = 0;
516 server_log_buffer_index = 0;
518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
519 &clientssl, NULL, NULL))
520 || !TEST_true(SSL_set_session(clientssl, sess))
521 /* Here writing 0 length early data is enough. */
522 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
523 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
525 SSL_READ_EARLY_DATA_ERROR)
526 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
527 SSL_EARLY_DATA_ACCEPTED)
528 || !TEST_true(create_ssl_connection(serverssl, clientssl,
530 || !TEST_true(SSL_session_reused(clientssl)))
533 /* In addition to the previous entries, expect early secrets. */
534 expected.client_early_secret_count = 1;
535 expected.early_exporter_secret_count = 1;
536 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
537 SSL_get_session(clientssl), &expected))
538 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
539 SSL_get_session(serverssl),
546 SSL_SESSION_free(sess);
556 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
558 int res = X509_verify_cert(ctx);
560 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
561 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
562 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
566 static int test_client_cert_verify_cb(void)
568 /* server key, cert, chain, and root */
569 char *skey = test_mk_file_path(certsdir, "leaf.key");
570 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
571 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
572 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
573 char *root = test_mk_file_path(certsdir, "rootCA.pem");
574 X509 *crt1 = NULL, *crt2 = NULL;
575 STACK_OF(X509) *server_chain;
576 SSL_CTX *cctx = NULL, *sctx = NULL;
577 SSL *clientssl = NULL, *serverssl = NULL;
580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
581 TLS_client_method(), TLS1_VERSION, 0,
582 &sctx, &cctx, NULL, NULL)))
584 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
585 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
586 SSL_FILETYPE_PEM), 1)
587 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
589 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
591 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
592 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL)))
597 /* attempt SSL_connect() with incomplete server chain */
598 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
599 SSL_ERROR_WANT_RETRY_VERIFY)))
602 /* application provides intermediate certs needed to verify server cert */
603 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
604 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
605 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
607 /* add certs in reverse order to demonstrate real chain building */
608 if (!TEST_true(sk_X509_push(server_chain, crt1)))
611 if (!TEST_true(sk_X509_push(server_chain, crt2)))
615 /* continue SSL_connect(), must now succeed with completed server chain */
616 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
625 if (clientssl != NULL) {
626 SSL_shutdown(clientssl);
629 if (serverssl != NULL) {
630 SSL_shutdown(serverssl);
645 static int test_ssl_build_cert_chain(void)
648 SSL_CTX *ssl_ctx = NULL;
650 char *skey = test_mk_file_path(certsdir, "leaf.key");
651 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
653 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
655 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
657 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
658 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
659 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
660 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
662 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
663 | SSL_BUILD_CHAIN_FLAG_CHECK)))
668 SSL_CTX_free(ssl_ctx);
669 OPENSSL_free(leaf_chain);
674 static int test_ssl_ctx_build_cert_chain(void)
678 char *skey = test_mk_file_path(certsdir, "leaf.key");
679 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
681 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
683 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
684 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
685 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
686 SSL_FILETYPE_PEM), 1)
687 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
689 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
690 | SSL_BUILD_CHAIN_FLAG_CHECK)))
695 OPENSSL_free(leaf_chain);
700 #ifndef OPENSSL_NO_TLS1_2
701 static int full_client_hello_callback(SSL *s, int *al, void *arg)
704 const unsigned char *p;
706 /* We only configure two ciphers, but the SCSV is added automatically. */
708 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
710 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
713 const int expected_extensions[] = {
714 #ifndef OPENSSL_NO_EC
720 /* Make sure we can defer processing and get called back. */
722 return SSL_CLIENT_HELLO_RETRY;
724 len = SSL_client_hello_get0_ciphers(s, &p);
725 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
727 SSL_client_hello_get0_compression_methods(s, &p), 1)
728 || !TEST_int_eq(*p, 0))
729 return SSL_CLIENT_HELLO_ERROR;
730 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
731 return SSL_CLIENT_HELLO_ERROR;
732 if (len != OSSL_NELEM(expected_extensions) ||
733 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
734 printf("ClientHello callback expected extensions mismatch\n");
736 return SSL_CLIENT_HELLO_ERROR;
739 return SSL_CLIENT_HELLO_SUCCESS;
742 static int test_client_hello_cb(void)
744 SSL_CTX *cctx = NULL, *sctx = NULL;
745 SSL *clientssl = NULL, *serverssl = NULL;
746 int testctr = 0, testresult = 0;
748 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
749 TLS_client_method(), TLS1_VERSION, 0,
750 &sctx, &cctx, cert, privkey)))
752 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
754 /* The gimpy cipher list we configure can't do TLS 1.3. */
755 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
757 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
758 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
759 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
760 &clientssl, NULL, NULL))
761 || !TEST_false(create_ssl_connection(serverssl, clientssl,
762 SSL_ERROR_WANT_CLIENT_HELLO_CB))
764 * Passing a -1 literal is a hack since
765 * the real value was lost.
767 || !TEST_int_eq(SSL_get_error(serverssl, -1),
768 SSL_ERROR_WANT_CLIENT_HELLO_CB)
769 || !TEST_true(create_ssl_connection(serverssl, clientssl,
784 static int test_no_ems(void)
786 SSL_CTX *cctx = NULL, *sctx = NULL;
787 SSL *clientssl = NULL, *serverssl = NULL;
790 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
791 TLS1_VERSION, TLS1_2_VERSION,
792 &sctx, &cctx, cert, privkey)) {
793 printf("Unable to create SSL_CTX pair\n");
797 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
799 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
800 printf("Unable to create SSL objects\n");
804 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
805 printf("Creating SSL connection failed\n");
809 if (SSL_get_extms_support(serverssl)) {
810 printf("Server reports Extended Master Secret support\n");
814 if (SSL_get_extms_support(clientssl)) {
815 printf("Client reports Extended Master Secret support\n");
830 * Very focused test to exercise a single case in the server-side state
831 * machine, when the ChangeCipherState message needs to actually change
832 * from one cipher to a different cipher (i.e., not changing from null
833 * encryption to real encryption).
835 static int test_ccs_change_cipher(void)
837 SSL_CTX *cctx = NULL, *sctx = NULL;
838 SSL *clientssl = NULL, *serverssl = NULL;
839 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
846 * Create a conection so we can resume and potentially (but not) use
847 * a different cipher in the second connection.
849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
851 TLS1_VERSION, TLS1_2_VERSION,
852 &sctx, &cctx, cert, privkey))
853 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
854 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
856 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
857 || !TEST_true(create_ssl_connection(serverssl, clientssl,
859 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
860 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
863 shutdown_ssl_connection(serverssl, clientssl);
864 serverssl = clientssl = NULL;
866 /* Resume, preferring a different cipher. Our server will force the
867 * same cipher to be used as the initial handshake. */
868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
870 || !TEST_true(SSL_set_session(clientssl, sess))
871 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
872 || !TEST_true(create_ssl_connection(serverssl, clientssl,
874 || !TEST_true(SSL_session_reused(clientssl))
875 || !TEST_true(SSL_session_reused(serverssl))
876 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
877 || !TEST_ptr_eq(sesspre, sesspost)
878 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
879 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
881 shutdown_ssl_connection(serverssl, clientssl);
882 serverssl = clientssl = NULL;
885 * Now create a fresh connection and try to renegotiate a different
888 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
890 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
891 || !TEST_true(create_ssl_connection(serverssl, clientssl,
893 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
894 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
895 || !TEST_true(SSL_renegotiate(clientssl))
896 || !TEST_true(SSL_renegotiate_pending(clientssl)))
898 /* Actually drive the renegotiation. */
899 for (i = 0; i < 3; i++) {
900 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
901 if (!TEST_ulong_eq(readbytes, 0))
903 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
904 SSL_ERROR_WANT_READ)) {
907 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
908 if (!TEST_ulong_eq(readbytes, 0))
910 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
911 SSL_ERROR_WANT_READ)) {
915 /* sesspre and sesspost should be different since the cipher changed. */
916 if (!TEST_false(SSL_renegotiate_pending(clientssl))
917 || !TEST_false(SSL_session_reused(clientssl))
918 || !TEST_false(SSL_session_reused(serverssl))
919 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
920 || !TEST_ptr_ne(sesspre, sesspost)
921 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
922 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
925 shutdown_ssl_connection(serverssl, clientssl);
926 serverssl = clientssl = NULL;
935 SSL_SESSION_free(sess);
941 static int execute_test_large_message(const SSL_METHOD *smeth,
942 const SSL_METHOD *cmeth,
943 int min_version, int max_version,
946 SSL_CTX *cctx = NULL, *sctx = NULL;
947 SSL *clientssl = NULL, *serverssl = NULL;
951 X509 *chaincert = NULL;
954 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
957 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
960 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
965 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
966 max_version, &sctx, &cctx, cert,
970 #ifdef OPENSSL_NO_DTLS1_2
971 if (smeth == DTLS_server_method()) {
973 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
976 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
977 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
978 "DEFAULT:@SECLEVEL=0")))
985 * Test that read_ahead works correctly when dealing with large
988 SSL_CTX_set_read_ahead(cctx, 1);
992 * We assume the supplied certificate is big enough so that if we add
993 * NUM_EXTRA_CERTS it will make the overall message large enough. The
994 * default buffer size is requested to be 16k, but due to the way BUF_MEM
995 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
996 * test we need to have a message larger than that.
998 certlen = i2d_X509(chaincert, NULL);
999 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1000 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1001 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1002 if (!X509_up_ref(chaincert))
1004 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1005 X509_free(chaincert);
1010 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1012 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1017 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1020 if (!TEST_true(SSL_clear(serverssl)))
1026 X509_free(chaincert);
1027 SSL_free(serverssl);
1028 SSL_free(clientssl);
1035 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1036 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1037 /* sock must be connected */
1038 static int ktls_chk_platform(int sock)
1040 if (!ktls_enable(sock))
1045 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1047 static char count = 1;
1048 unsigned char cbuf[16000] = {0};
1049 unsigned char sbuf[16000];
1051 char crec_wseq_before[SEQ_NUM_SIZE];
1052 char crec_wseq_after[SEQ_NUM_SIZE];
1053 char crec_rseq_before[SEQ_NUM_SIZE];
1054 char crec_rseq_after[SEQ_NUM_SIZE];
1055 char srec_wseq_before[SEQ_NUM_SIZE];
1056 char srec_wseq_after[SEQ_NUM_SIZE];
1057 char srec_rseq_before[SEQ_NUM_SIZE];
1058 char srec_rseq_after[SEQ_NUM_SIZE];
1061 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1062 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1063 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1064 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1066 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1069 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1070 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1075 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1078 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1079 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1084 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1085 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1086 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1089 /* verify the payload */
1090 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1094 * If ktls is used then kernel sequences are used instead of
1097 if (!BIO_get_ktls_send(clientssl->wbio)) {
1098 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1099 crec_wseq_after, SEQ_NUM_SIZE))
1102 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1103 crec_wseq_after, SEQ_NUM_SIZE))
1107 if (!BIO_get_ktls_send(serverssl->wbio)) {
1108 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1109 srec_wseq_after, SEQ_NUM_SIZE))
1112 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1113 srec_wseq_after, SEQ_NUM_SIZE))
1117 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1118 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1119 crec_rseq_after, SEQ_NUM_SIZE))
1122 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1123 crec_rseq_after, SEQ_NUM_SIZE))
1127 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1128 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1129 srec_rseq_after, SEQ_NUM_SIZE))
1132 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1133 srec_rseq_after, SEQ_NUM_SIZE))
1142 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1143 int tls_version, const char *cipher)
1145 SSL_CTX *cctx = NULL, *sctx = NULL;
1146 SSL *clientssl = NULL, *serverssl = NULL;
1147 int ktls_used = 0, testresult = 0;
1148 int cfd = -1, sfd = -1;
1151 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1154 /* Skip this test if the platform does not support ktls */
1155 if (!ktls_chk_platform(cfd)) {
1156 testresult = TEST_skip("Kernel does not support KTLS");
1160 /* Create a session based on SHA-256 */
1161 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1162 TLS_client_method(),
1163 tls_version, tls_version,
1164 &sctx, &cctx, cert, privkey)))
1167 if (tls_version == TLS1_3_VERSION) {
1168 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1169 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1172 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1173 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1177 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1178 &clientssl, sfd, cfd)))
1182 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1187 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1191 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1195 * The running kernel may not support a given cipher suite
1196 * or direction, so just check that KTLS isn't used when it
1200 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1203 if (BIO_get_ktls_send(clientssl->wbio))
1208 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1211 if (BIO_get_ktls_send(serverssl->wbio))
1215 #if defined(OPENSSL_NO_KTLS_RX)
1218 rx_supported = (tls_version != TLS1_3_VERSION);
1220 if (!cis_ktls || !rx_supported) {
1221 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1224 if (BIO_get_ktls_send(clientssl->rbio))
1228 if (!sis_ktls || !rx_supported) {
1229 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1232 if (BIO_get_ktls_send(serverssl->rbio))
1236 if ((cis_ktls || sis_ktls) && !ktls_used) {
1237 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1238 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1243 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1249 SSL_shutdown(clientssl);
1250 SSL_free(clientssl);
1253 SSL_shutdown(serverssl);
1254 SSL_free(serverssl);
1258 serverssl = clientssl = NULL;
1266 #define SENDFILE_SZ (16 * 4096)
1267 #define SENDFILE_CHUNK (4 * 4096)
1268 #define min(a,b) ((a) > (b) ? (b) : (a))
1270 static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1272 SSL_CTX *cctx = NULL, *sctx = NULL;
1273 SSL *clientssl = NULL, *serverssl = NULL;
1274 unsigned char *buf, *buf_dst;
1275 BIO *out = NULL, *in = NULL;
1276 int cfd = -1, sfd = -1, ffd, err;
1277 ssize_t chunk_size = 0;
1278 off_t chunk_off = 0;
1282 buf = OPENSSL_zalloc(SENDFILE_SZ);
1283 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1284 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1285 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1288 /* Skip this test if the platform does not support ktls */
1289 if (!ktls_chk_platform(sfd)) {
1290 testresult = TEST_skip("Kernel does not support KTLS");
1294 /* Create a session based on SHA-256 */
1295 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1296 TLS_client_method(),
1297 tls_version, tls_version,
1298 &sctx, &cctx, cert, privkey)))
1301 if (tls_version == TLS1_3_VERSION) {
1302 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1303 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1306 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1307 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1311 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1312 &clientssl, sfd, cfd)))
1315 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1318 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1322 if (!BIO_get_ktls_send(serverssl->wbio)) {
1323 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1324 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1329 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0)))
1332 out = BIO_new_file(tmpfilename, "wb");
1336 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1341 in = BIO_new_file(tmpfilename, "rb");
1342 BIO_get_fp(in, &ffdp);
1345 while (chunk_off < SENDFILE_SZ) {
1346 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1347 while ((err = SSL_sendfile(serverssl,
1351 0)) != chunk_size) {
1352 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1355 while ((err = SSL_read(clientssl,
1356 buf_dst + chunk_off,
1357 chunk_size)) != chunk_size) {
1358 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1362 /* verify the payload */
1363 if (!TEST_mem_eq(buf_dst + chunk_off,
1369 chunk_off += chunk_size;
1375 SSL_shutdown(clientssl);
1376 SSL_free(clientssl);
1379 SSL_shutdown(serverssl);
1380 SSL_free(serverssl);
1384 serverssl = clientssl = NULL;
1392 OPENSSL_free(buf_dst);
1396 static struct ktls_test_cipher {
1399 } ktls_test_ciphers[] = {
1400 # if !defined(OPENSSL_NO_TLS1_2)
1401 # ifdef OPENSSL_KTLS_AES_GCM_128
1402 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1404 # ifdef OPENSSL_KTLS_AES_CCM_128
1405 { TLS1_2_VERSION, "AES128-CCM"},
1407 # ifdef OPENSSL_KTLS_AES_GCM_256
1408 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1410 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1411 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1414 # if !defined(OSSL_NO_USABLE_TLS1_3)
1415 # ifdef OPENSSL_KTLS_AES_GCM_128
1416 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1418 # ifdef OPENSSL_KTLS_AES_CCM_128
1419 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1421 # ifdef OPENSSL_KTLS_AES_GCM_256
1422 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1424 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1425 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1430 #define NUM_KTLS_TEST_CIPHERS \
1431 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1433 static int test_ktls(int test)
1435 struct ktls_test_cipher *cipher;
1436 int cis_ktls, sis_ktls;
1438 OPENSSL_assert(test / 4 < NUM_KTLS_TEST_CIPHERS);
1439 cipher = &ktls_test_ciphers[test / 4];
1441 cis_ktls = (test & 1) != 0;
1442 sis_ktls = (test & 2) != 0;
1444 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1448 static int test_ktls_sendfile(int tst)
1450 struct ktls_test_cipher *cipher;
1452 OPENSSL_assert(tst < NUM_KTLS_TEST_CIPHERS);
1453 cipher = &ktls_test_ciphers[tst];
1455 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1459 static int test_large_message_tls(void)
1461 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1462 TLS1_VERSION, 0, 0);
1465 static int test_large_message_tls_read_ahead(void)
1467 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1468 TLS1_VERSION, 0, 1);
1471 #ifndef OPENSSL_NO_DTLS
1472 static int test_large_message_dtls(void)
1474 # ifdef OPENSSL_NO_DTLS1_2
1475 /* Not supported in the FIPS provider */
1480 * read_ahead is not relevant to DTLS because DTLS always acts as if
1481 * read_ahead is set.
1483 return execute_test_large_message(DTLS_server_method(),
1484 DTLS_client_method(),
1485 DTLS1_VERSION, 0, 0);
1489 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1490 const SSL_METHOD *cmeth,
1491 int min_version, int max_version)
1494 SSL_CTX *cctx = NULL, *sctx = NULL;
1495 SSL *clientssl = NULL, *serverssl = NULL;
1500 static unsigned char cbuf[16000];
1501 static unsigned char sbuf[16000];
1503 if (!TEST_true(create_ssl_ctx_pair(libctx,
1505 min_version, max_version,
1510 #ifdef OPENSSL_NO_DTLS1_2
1511 if (smeth == DTLS_server_method()) {
1512 # ifdef OPENSSL_NO_DTLS1_2
1513 /* Not supported in the FIPS provider */
1520 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1523 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1524 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1525 "DEFAULT:@SECLEVEL=0")))
1530 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1534 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1537 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1541 for (i = 0; i < sizeof(cbuf); i++) {
1545 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1548 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1551 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1555 * Since we called SSL_peek(), we know the data in the record
1556 * layer is a plaintext record. We can gather the pointer to check
1557 * for zeroization after SSL_read().
1559 rr = serverssl->rlayer.rrec;
1560 zbuf = &rr->data[rr->off];
1561 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1565 * After SSL_peek() the plaintext must still be stored in the
1568 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1571 memset(sbuf, 0, sizeof(sbuf));
1572 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1575 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1578 /* Check if rbuf is cleansed */
1579 memset(cbuf, 0, sizeof(cbuf));
1580 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1585 SSL_free(serverssl);
1586 SSL_free(clientssl);
1593 static int test_cleanse_plaintext(void)
1595 #if !defined(OPENSSL_NO_TLS1_2)
1596 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1597 TLS_client_method(),
1604 #if !defined(OSSL_NO_USABLE_TLS1_3)
1605 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1606 TLS_client_method(),
1612 #if !defined(OPENSSL_NO_DTLS)
1614 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1615 DTLS_client_method(),
1623 #ifndef OPENSSL_NO_OCSP
1624 static int ocsp_server_cb(SSL *s, void *arg)
1626 int *argi = (int *)arg;
1627 unsigned char *copy = NULL;
1628 STACK_OF(OCSP_RESPID) *ids = NULL;
1629 OCSP_RESPID *id = NULL;
1632 /* In this test we are expecting exactly 1 OCSP_RESPID */
1633 SSL_get_tlsext_status_ids(s, &ids);
1634 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1635 return SSL_TLSEXT_ERR_ALERT_FATAL;
1637 id = sk_OCSP_RESPID_value(ids, 0);
1638 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1639 return SSL_TLSEXT_ERR_ALERT_FATAL;
1640 } else if (*argi != 1) {
1641 return SSL_TLSEXT_ERR_ALERT_FATAL;
1644 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1645 return SSL_TLSEXT_ERR_ALERT_FATAL;
1647 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1648 sizeof(orespder)))) {
1650 return SSL_TLSEXT_ERR_ALERT_FATAL;
1652 ocsp_server_called = 1;
1653 return SSL_TLSEXT_ERR_OK;
1656 static int ocsp_client_cb(SSL *s, void *arg)
1658 int *argi = (int *)arg;
1659 const unsigned char *respderin;
1662 if (*argi != 1 && *argi != 2)
1665 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1666 if (!TEST_mem_eq(orespder, len, respderin, len))
1669 ocsp_client_called = 1;
1673 static int test_tlsext_status_type(void)
1675 SSL_CTX *cctx = NULL, *sctx = NULL;
1676 SSL *clientssl = NULL, *serverssl = NULL;
1678 STACK_OF(OCSP_RESPID) *ids = NULL;
1679 OCSP_RESPID *id = NULL;
1680 BIO *certbio = NULL;
1682 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1684 &sctx, &cctx, cert, privkey))
1687 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1690 /* First just do various checks getting and setting tlsext_status_type */
1692 clientssl = SSL_new(cctx);
1693 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1694 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1695 TLSEXT_STATUSTYPE_ocsp))
1696 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1697 TLSEXT_STATUSTYPE_ocsp))
1700 SSL_free(clientssl);
1703 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1704 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1707 clientssl = SSL_new(cctx);
1708 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1710 SSL_free(clientssl);
1714 * Now actually do a handshake and check OCSP information is exchanged and
1715 * the callbacks get called
1717 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1718 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1719 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1720 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1721 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1722 &clientssl, NULL, NULL))
1723 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1725 || !TEST_true(ocsp_client_called)
1726 || !TEST_true(ocsp_server_called))
1728 SSL_free(serverssl);
1729 SSL_free(clientssl);
1733 /* Try again but this time force the server side callback to fail */
1734 ocsp_client_called = 0;
1735 ocsp_server_called = 0;
1737 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1738 &clientssl, NULL, NULL))
1739 /* This should fail because the callback will fail */
1740 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1742 || !TEST_false(ocsp_client_called)
1743 || !TEST_false(ocsp_server_called))
1745 SSL_free(serverssl);
1746 SSL_free(clientssl);
1751 * This time we'll get the client to send an OCSP_RESPID that it will
1754 ocsp_client_called = 0;
1755 ocsp_server_called = 0;
1757 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1758 &clientssl, NULL, NULL)))
1762 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1763 * specific one. We'll use the server cert.
1765 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1766 || !TEST_ptr(id = OCSP_RESPID_new())
1767 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1768 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1769 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1770 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1771 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1774 SSL_set_tlsext_status_ids(clientssl, ids);
1775 /* Control has been transferred */
1781 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1783 || !TEST_true(ocsp_client_called)
1784 || !TEST_true(ocsp_server_called))
1790 SSL_free(serverssl);
1791 SSL_free(clientssl);
1794 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1795 OCSP_RESPID_free(id);
1797 X509_free(ocspcert);
1804 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1805 static int new_called, remove_called, get_called;
1807 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1811 * sess has been up-refed for us, but we don't actually need it so free it
1814 SSL_SESSION_free(sess);
1818 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1823 static SSL_SESSION *get_sess_val = NULL;
1825 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1830 return get_sess_val;
1833 static int execute_test_session(int maxprot, int use_int_cache,
1834 int use_ext_cache, long s_options)
1836 SSL_CTX *sctx = NULL, *cctx = NULL;
1837 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1838 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1839 # ifndef OPENSSL_NO_TLS1_1
1840 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1842 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1843 int testresult = 0, numnewsesstick = 1;
1845 new_called = remove_called = 0;
1847 /* TLSv1.3 sends 2 NewSessionTickets */
1848 if (maxprot == TLS1_3_VERSION)
1851 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1852 TLS_client_method(), TLS1_VERSION, 0,
1853 &sctx, &cctx, cert, privkey)))
1857 * Only allow the max protocol version so we can force a connection failure
1860 SSL_CTX_set_min_proto_version(cctx, maxprot);
1861 SSL_CTX_set_max_proto_version(cctx, maxprot);
1863 /* Set up session cache */
1864 if (use_ext_cache) {
1865 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1866 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1868 if (use_int_cache) {
1869 /* Also covers instance where both are set */
1870 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1872 SSL_CTX_set_session_cache_mode(cctx,
1873 SSL_SESS_CACHE_CLIENT
1874 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1878 SSL_CTX_set_options(sctx, s_options);
1881 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1883 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1885 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1888 /* Should fail because it should already be in the cache */
1889 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1892 && (!TEST_int_eq(new_called, numnewsesstick)
1894 || !TEST_int_eq(remove_called, 0)))
1897 new_called = remove_called = 0;
1898 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1899 &clientssl2, NULL, NULL))
1900 || !TEST_true(SSL_set_session(clientssl2, sess1))
1901 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1903 || !TEST_true(SSL_session_reused(clientssl2)))
1906 if (maxprot == TLS1_3_VERSION) {
1908 * In TLSv1.3 we should have created a new session even though we have
1909 * resumed. Since we attempted a resume we should also have removed the
1910 * old ticket from the cache so that we try to only use tickets once.
1913 && (!TEST_int_eq(new_called, 1)
1914 || !TEST_int_eq(remove_called, 1)))
1918 * In TLSv1.2 we expect to have resumed so no sessions added or
1922 && (!TEST_int_eq(new_called, 0)
1923 || !TEST_int_eq(remove_called, 0)))
1927 SSL_SESSION_free(sess1);
1928 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1930 shutdown_ssl_connection(serverssl2, clientssl2);
1931 serverssl2 = clientssl2 = NULL;
1933 new_called = remove_called = 0;
1934 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1935 &clientssl2, NULL, NULL))
1936 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1940 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1944 && (!TEST_int_eq(new_called, numnewsesstick)
1945 || !TEST_int_eq(remove_called, 0)))
1948 new_called = remove_called = 0;
1950 * This should clear sess2 from the cache because it is a "bad" session.
1951 * See SSL_set_session() documentation.
1953 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1956 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1958 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1961 if (use_int_cache) {
1962 /* Should succeeded because it should not already be in the cache */
1963 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1964 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1968 new_called = remove_called = 0;
1969 /* This shouldn't be in the cache so should fail */
1970 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1974 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1977 # if !defined(OPENSSL_NO_TLS1_1)
1978 new_called = remove_called = 0;
1979 /* Force a connection failure */
1980 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1981 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1982 &clientssl3, NULL, NULL))
1983 || !TEST_true(SSL_set_session(clientssl3, sess1))
1984 /* This should fail because of the mismatched protocol versions */
1985 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1989 /* We should have automatically removed the session from the cache */
1991 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1994 /* Should succeed because it should not already be in the cache */
1995 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1999 /* Now do some tests for server side caching */
2000 if (use_ext_cache) {
2001 SSL_CTX_sess_set_new_cb(cctx, NULL);
2002 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2003 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2004 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2005 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2006 get_sess_val = NULL;
2009 SSL_CTX_set_session_cache_mode(cctx, 0);
2010 /* Internal caching is the default on the server side */
2012 SSL_CTX_set_session_cache_mode(sctx,
2013 SSL_SESS_CACHE_SERVER
2014 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2016 SSL_free(serverssl1);
2017 SSL_free(clientssl1);
2018 serverssl1 = clientssl1 = NULL;
2019 SSL_free(serverssl2);
2020 SSL_free(clientssl2);
2021 serverssl2 = clientssl2 = NULL;
2022 SSL_SESSION_free(sess1);
2024 SSL_SESSION_free(sess2);
2027 SSL_CTX_set_max_proto_version(sctx, maxprot);
2028 if (maxprot == TLS1_2_VERSION)
2029 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2030 new_called = remove_called = get_called = 0;
2031 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2033 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2035 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2036 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2039 if (use_int_cache) {
2040 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2042 * In TLSv1.3 it should not have been added to the internal cache,
2043 * except in the case where we also have an external cache (in that
2044 * case it gets added to the cache in order to generate remove
2045 * events after timeout).
2047 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2050 /* Should fail because it should already be in the cache */
2051 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2056 if (use_ext_cache) {
2057 SSL_SESSION *tmp = sess2;
2059 if (!TEST_int_eq(new_called, numnewsesstick)
2060 || !TEST_int_eq(remove_called, 0)
2061 || !TEST_int_eq(get_called, 0))
2064 * Delete the session from the internal cache to force a lookup from
2065 * the external cache. We take a copy first because
2066 * SSL_CTX_remove_session() also marks the session as non-resumable.
2068 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2069 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2070 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2072 SSL_SESSION_free(sess2);
2077 new_called = remove_called = get_called = 0;
2078 get_sess_val = sess2;
2079 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2080 &clientssl2, NULL, NULL))
2081 || !TEST_true(SSL_set_session(clientssl2, sess1))
2082 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2084 || !TEST_true(SSL_session_reused(clientssl2)))
2087 if (use_ext_cache) {
2088 if (!TEST_int_eq(remove_called, 0))
2091 if (maxprot == TLS1_3_VERSION) {
2092 if (!TEST_int_eq(new_called, 1)
2093 || !TEST_int_eq(get_called, 0))
2096 if (!TEST_int_eq(new_called, 0)
2097 || !TEST_int_eq(get_called, 1))
2105 SSL_free(serverssl1);
2106 SSL_free(clientssl1);
2107 SSL_free(serverssl2);
2108 SSL_free(clientssl2);
2109 # ifndef OPENSSL_NO_TLS1_1
2110 SSL_free(serverssl3);
2111 SSL_free(clientssl3);
2113 SSL_SESSION_free(sess1);
2114 SSL_SESSION_free(sess2);
2120 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2122 static int test_session_with_only_int_cache(void)
2124 #ifndef OSSL_NO_USABLE_TLS1_3
2125 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2129 #ifndef OPENSSL_NO_TLS1_2
2130 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2136 static int test_session_with_only_ext_cache(void)
2138 #ifndef OSSL_NO_USABLE_TLS1_3
2139 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2143 #ifndef OPENSSL_NO_TLS1_2
2144 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2150 static int test_session_with_both_cache(void)
2152 #ifndef OSSL_NO_USABLE_TLS1_3
2153 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2157 #ifndef OPENSSL_NO_TLS1_2
2158 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2164 static int test_session_wo_ca_names(void)
2166 #ifndef OSSL_NO_USABLE_TLS1_3
2167 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2171 #ifndef OPENSSL_NO_TLS1_2
2172 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2179 #ifndef OSSL_NO_USABLE_TLS1_3
2180 static SSL_SESSION *sesscache[6];
2181 static int do_cache;
2183 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2186 sesscache[new_called] = sess;
2188 /* We don't need the reference to the session, so free it */
2189 SSL_SESSION_free(sess);
2196 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2198 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2199 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2202 /* Start handshake on the server and client */
2203 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2204 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2205 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2206 || !TEST_true(create_ssl_connection(sssl, cssl,
2213 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2216 int sess_id_ctx = 1;
2218 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2219 TLS_client_method(), TLS1_VERSION, 0,
2220 sctx, cctx, cert, privkey))
2221 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2222 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2223 (void *)&sess_id_ctx,
2224 sizeof(sess_id_ctx))))
2228 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2230 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2231 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2232 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2237 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2239 SSL *serverssl = NULL, *clientssl = NULL;
2242 /* Test that we can resume with all the tickets we got given */
2243 for (i = 0; i < idx * 2; i++) {
2245 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2246 &clientssl, NULL, NULL))
2247 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2250 SSL_set_post_handshake_auth(clientssl, 1);
2252 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2257 * Following a successful resumption we only get 1 ticket. After a
2258 * failed one we should get idx tickets.
2261 if (!TEST_true(SSL_session_reused(clientssl))
2262 || !TEST_int_eq(new_called, 1))
2265 if (!TEST_false(SSL_session_reused(clientssl))
2266 || !TEST_int_eq(new_called, idx))
2271 /* After a post-handshake authentication we should get 1 new ticket */
2273 && (!post_handshake_verify(serverssl, clientssl)
2274 || !TEST_int_eq(new_called, 1)))
2277 SSL_shutdown(clientssl);
2278 SSL_shutdown(serverssl);
2279 SSL_free(serverssl);
2280 SSL_free(clientssl);
2281 serverssl = clientssl = NULL;
2282 SSL_SESSION_free(sesscache[i]);
2283 sesscache[i] = NULL;
2289 SSL_free(clientssl);
2290 SSL_free(serverssl);
2294 static int test_tickets(int stateful, int idx)
2296 SSL_CTX *sctx = NULL, *cctx = NULL;
2297 SSL *serverssl = NULL, *clientssl = NULL;
2301 /* idx is the test number, but also the number of tickets we want */
2306 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2309 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2310 &clientssl, NULL, NULL)))
2313 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2315 /* Check we got the number of tickets we were expecting */
2316 || !TEST_int_eq(idx, new_called))
2319 SSL_shutdown(clientssl);
2320 SSL_shutdown(serverssl);
2321 SSL_free(serverssl);
2322 SSL_free(clientssl);
2325 clientssl = serverssl = NULL;
2329 * Now we try to resume with the tickets we previously created. The
2330 * resumption attempt is expected to fail (because we're now using a new
2331 * SSL_CTX). We should see idx number of tickets issued again.
2334 /* Stop caching sessions - just count them */
2337 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2340 if (!check_resumption(idx, sctx, cctx, 0))
2343 /* Start again with caching sessions */
2350 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2353 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2354 &clientssl, NULL, NULL)))
2357 SSL_set_post_handshake_auth(clientssl, 1);
2359 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2361 /* Check we got the number of tickets we were expecting */
2362 || !TEST_int_eq(idx, new_called))
2365 /* After a post-handshake authentication we should get new tickets issued */
2366 if (!post_handshake_verify(serverssl, clientssl)
2367 || !TEST_int_eq(idx * 2, new_called))
2370 SSL_shutdown(clientssl);
2371 SSL_shutdown(serverssl);
2372 SSL_free(serverssl);
2373 SSL_free(clientssl);
2374 serverssl = clientssl = NULL;
2376 /* Stop caching sessions - just count them */
2380 * Check we can resume with all the tickets we created. This time around the
2381 * resumptions should all be successful.
2383 if (!check_resumption(idx, sctx, cctx, 1))
2389 SSL_free(serverssl);
2390 SSL_free(clientssl);
2391 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2392 SSL_SESSION_free(sesscache[j]);
2393 sesscache[j] = NULL;
2401 static int test_stateless_tickets(int idx)
2403 return test_tickets(0, idx);
2406 static int test_stateful_tickets(int idx)
2408 return test_tickets(1, idx);
2411 static int test_psk_tickets(void)
2413 SSL_CTX *sctx = NULL, *cctx = NULL;
2414 SSL *serverssl = NULL, *clientssl = NULL;
2416 int sess_id_ctx = 1;
2418 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2419 TLS_client_method(), TLS1_VERSION, 0,
2420 &sctx, &cctx, NULL, NULL))
2421 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2422 (void *)&sess_id_ctx,
2423 sizeof(sess_id_ctx))))
2426 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2427 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2428 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2429 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2430 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2431 use_session_cb_cnt = 0;
2432 find_session_cb_cnt = 0;
2436 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2439 clientpsk = serverpsk = create_a_psk(clientssl);
2440 if (!TEST_ptr(clientpsk))
2442 SSL_SESSION_up_ref(clientpsk);
2444 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2446 || !TEST_int_eq(1, find_session_cb_cnt)
2447 || !TEST_int_eq(1, use_session_cb_cnt)
2448 /* We should always get 1 ticket when using external PSK */
2449 || !TEST_int_eq(1, new_called))
2455 SSL_free(serverssl);
2456 SSL_free(clientssl);
2459 SSL_SESSION_free(clientpsk);
2460 SSL_SESSION_free(serverpsk);
2461 clientpsk = serverpsk = NULL;
2466 static int test_extra_tickets(int idx)
2468 SSL_CTX *sctx = NULL, *cctx = NULL;
2469 SSL *serverssl = NULL, *clientssl = NULL;
2470 BIO *bretry = BIO_new(bio_s_always_retry());
2475 unsigned char c, buf[1];
2485 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2487 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2488 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2489 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2492 &clientssl, NULL, NULL)))
2496 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2497 * incremented by both client and server.
2499 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2501 /* Check we got the number of tickets we were expecting */
2502 || !TEST_int_eq(idx * 2, new_called)
2503 || !TEST_true(SSL_new_session_ticket(serverssl))
2504 || !TEST_true(SSL_new_session_ticket(serverssl))
2505 || !TEST_int_eq(idx * 2, new_called))
2508 /* Now try a (real) write to actually send the tickets */
2510 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2511 || !TEST_size_t_eq(1, nbytes)
2512 || !TEST_int_eq(idx * 2 + 2, new_called)
2513 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2514 || !TEST_int_eq(idx * 2 + 4, new_called)
2515 || !TEST_int_eq(sizeof(buf), nbytes)
2516 || !TEST_int_eq(c, buf[0])
2517 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2520 /* Try with only requesting one new ticket, too */
2523 if (!TEST_true(SSL_new_session_ticket(serverssl))
2524 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2525 || !TEST_size_t_eq(sizeof(c), nbytes)
2526 || !TEST_int_eq(1, new_called)
2527 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2528 || !TEST_int_eq(2, new_called)
2529 || !TEST_size_t_eq(sizeof(buf), nbytes)
2530 || !TEST_int_eq(c, buf[0]))
2533 /* Do it again but use dummy writes to drive the ticket generation */
2536 if (!TEST_true(SSL_new_session_ticket(serverssl))
2537 || !TEST_true(SSL_new_session_ticket(serverssl))
2538 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2539 || !TEST_size_t_eq(0, nbytes)
2540 || !TEST_int_eq(2, new_called)
2541 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2542 || !TEST_int_eq(4, new_called))
2545 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2548 if (!TEST_true(SSL_new_session_ticket(serverssl))
2549 || !TEST_true(SSL_new_session_ticket(serverssl))
2550 || !TEST_true(SSL_do_handshake(serverssl))
2551 || !TEST_int_eq(2, new_called)
2552 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2553 || !TEST_int_eq(4, new_called))
2557 * Use the always-retry BIO to exercise the logic that forces ticket
2558 * generation to wait until a record boundary.
2562 tmp = SSL_get_wbio(serverssl);
2563 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2567 SSL_set0_wbio(serverssl, bretry);
2569 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2570 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2571 || !TEST_size_t_eq(nbytes, 0))
2573 /* Restore a BIO that will let the write succeed */
2574 SSL_set0_wbio(serverssl, tmp);
2577 * These calls should just queue the request and not send anything
2578 * even if we explicitly try to hit the state machine.
2580 if (!TEST_true(SSL_new_session_ticket(serverssl))
2581 || !TEST_true(SSL_new_session_ticket(serverssl))
2582 || !TEST_int_eq(0, new_called)
2583 || !TEST_true(SSL_do_handshake(serverssl))
2584 || !TEST_int_eq(0, new_called))
2586 /* Re-do the write; still no tickets sent */
2587 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2588 || !TEST_size_t_eq(1, nbytes)
2589 || !TEST_int_eq(0, new_called)
2590 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2591 || !TEST_int_eq(0, new_called)
2592 || !TEST_int_eq(sizeof(buf), nbytes)
2593 || !TEST_int_eq(c, buf[0])
2594 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2596 /* Even trying to hit the state machine now will still not send tickets */
2597 if (!TEST_true(SSL_do_handshake(serverssl))
2598 || !TEST_int_eq(0, new_called))
2600 /* Now the *next* write should send the tickets */
2602 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2603 || !TEST_size_t_eq(1, nbytes)
2604 || !TEST_int_eq(2, new_called)
2605 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2606 || !TEST_int_eq(4, new_called)
2607 || !TEST_int_eq(sizeof(buf), nbytes)
2608 || !TEST_int_eq(c, buf[0])
2609 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2612 SSL_shutdown(clientssl);
2613 SSL_shutdown(serverssl);
2619 SSL_free(serverssl);
2620 SSL_free(clientssl);
2623 clientssl = serverssl = NULL;
2632 #define USE_DEFAULT 3
2634 #define CONNTYPE_CONNECTION_SUCCESS 0
2635 #define CONNTYPE_CONNECTION_FAIL 1
2636 #define CONNTYPE_NO_CONNECTION 2
2638 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2639 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2640 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2641 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2643 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2646 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2647 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2648 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2650 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2667 * Tests calls to SSL_set_bio() under various conditions.
2669 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2670 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2671 * then do more tests where we create a successful connection first using our
2672 * standard connection setup functions, and then call SSL_set_bio() with
2673 * various combinations of valid BIOs or NULL. We then repeat these tests
2674 * following a failed connection. In this last case we are looking to check that
2675 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2677 static int test_ssl_set_bio(int idx)
2679 SSL_CTX *sctx = NULL, *cctx = NULL;
2682 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2683 SSL *serverssl = NULL, *clientssl = NULL;
2684 int initrbio, initwbio, newrbio, newwbio, conntype;
2687 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2695 conntype = CONNTYPE_NO_CONNECTION;
2697 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2698 initrbio = initwbio = USE_DEFAULT;
2706 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2707 TLS_client_method(), TLS1_VERSION, 0,
2708 &sctx, &cctx, cert, privkey)))
2711 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2713 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2714 * because we reduced the number of tests in the definition of
2715 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2716 * mismatched protocol versions we will force a connection failure.
2718 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2719 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2726 if (initrbio == USE_BIO_1
2727 || initwbio == USE_BIO_1
2728 || newrbio == USE_BIO_1
2729 || newwbio == USE_BIO_1) {
2730 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2734 if (initrbio == USE_BIO_2
2735 || initwbio == USE_BIO_2
2736 || newrbio == USE_BIO_2
2737 || newwbio == USE_BIO_2) {
2738 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2742 if (initrbio != USE_DEFAULT) {
2743 setupbio(&irbio, bio1, bio2, initrbio);
2744 setupbio(&iwbio, bio1, bio2, initwbio);
2745 SSL_set_bio(clientssl, irbio, iwbio);
2748 * We want to maintain our own refs to these BIO, so do an up ref for
2749 * each BIO that will have ownership transferred in the SSL_set_bio()
2754 if (iwbio != NULL && iwbio != irbio)
2758 if (conntype != CONNTYPE_NO_CONNECTION
2759 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2761 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2764 setupbio(&nrbio, bio1, bio2, newrbio);
2765 setupbio(&nwbio, bio1, bio2, newwbio);
2768 * We will (maybe) transfer ownership again so do more up refs.
2769 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2774 && (nwbio != iwbio || nrbio != nwbio))
2778 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2781 SSL_set_bio(clientssl, nrbio, nwbio);
2790 * This test is checking that the ref counting for SSL_set_bio is correct.
2791 * If we get here and we did too many frees then we will fail in the above
2794 SSL_free(serverssl);
2795 SSL_free(clientssl);
2801 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2803 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2805 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2810 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2811 || !TEST_ptr(ssl = SSL_new(ctx))
2812 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2813 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2816 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2819 * If anything goes wrong here then we could leak memory.
2821 BIO_push(sslbio, membio1);
2823 /* Verify changing the rbio/wbio directly does not cause leaks */
2824 if (change_bio != NO_BIO_CHANGE) {
2825 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2829 if (change_bio == CHANGE_RBIO)
2830 SSL_set0_rbio(ssl, membio2);
2832 SSL_set0_wbio(ssl, membio2);
2851 static int test_ssl_bio_pop_next_bio(void)
2853 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2856 static int test_ssl_bio_pop_ssl_bio(void)
2858 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2861 static int test_ssl_bio_change_rbio(void)
2863 return execute_test_ssl_bio(0, CHANGE_RBIO);
2866 static int test_ssl_bio_change_wbio(void)
2868 return execute_test_ssl_bio(0, CHANGE_WBIO);
2871 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2873 /* The list of sig algs */
2875 /* The length of the list */
2877 /* A sigalgs list in string format */
2878 const char *liststr;
2879 /* Whether setting the list should succeed */
2881 /* Whether creating a connection with the list should succeed */
2885 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2886 # ifndef OPENSSL_NO_EC
2887 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2888 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2890 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2891 static const int invalidlist2[] = {NID_sha256, NID_undef};
2892 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2893 static const int invalidlist4[] = {NID_sha256};
2894 static const sigalgs_list testsigalgs[] = {
2895 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2896 # ifndef OPENSSL_NO_EC
2897 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2898 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2900 {NULL, 0, "RSA+SHA256", 1, 1},
2901 # ifndef OPENSSL_NO_EC
2902 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2903 {NULL, 0, "ECDSA+SHA512", 1, 0},
2905 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2906 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2907 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2908 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2909 {NULL, 0, "RSA", 0, 0},
2910 {NULL, 0, "SHA256", 0, 0},
2911 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2912 {NULL, 0, "Invalid", 0, 0}
2915 static int test_set_sigalgs(int idx)
2917 SSL_CTX *cctx = NULL, *sctx = NULL;
2918 SSL *clientssl = NULL, *serverssl = NULL;
2920 const sigalgs_list *curr;
2923 /* Should never happen */
2924 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2927 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2928 curr = testctx ? &testsigalgs[idx]
2929 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2931 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2932 TLS_client_method(), TLS1_VERSION, 0,
2933 &sctx, &cctx, cert, privkey)))
2936 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2941 if (curr->list != NULL)
2942 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2944 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2948 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2954 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2960 &clientssl, NULL, NULL)))
2966 if (curr->list != NULL)
2967 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2969 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2972 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2981 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2989 SSL_free(serverssl);
2990 SSL_free(clientssl);
2998 #ifndef OSSL_NO_USABLE_TLS1_3
2999 static int psk_client_cb_cnt = 0;
3000 static int psk_server_cb_cnt = 0;
3002 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3003 size_t *idlen, SSL_SESSION **sess)
3005 switch (++use_session_cb_cnt) {
3007 /* The first call should always have a NULL md */
3013 /* The second call should always have an md */
3019 /* We should only be called a maximum of twice */
3023 if (clientpsk != NULL)
3024 SSL_SESSION_up_ref(clientpsk);
3027 *id = (const unsigned char *)pskid;
3028 *idlen = strlen(pskid);
3033 #ifndef OPENSSL_NO_PSK
3034 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3035 unsigned int max_id_len,
3037 unsigned int max_psk_len)
3039 unsigned int psklen = 0;
3041 psk_client_cb_cnt++;
3043 if (strlen(pskid) + 1 > max_id_len)
3046 /* We should only ever be called a maximum of twice per connection */
3047 if (psk_client_cb_cnt > 2)
3050 if (clientpsk == NULL)
3053 /* We'll reuse the PSK we set up for TLSv1.3 */
3054 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3056 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3057 strncpy(id, pskid, max_id_len);
3061 #endif /* OPENSSL_NO_PSK */
3063 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3064 size_t identity_len, SSL_SESSION **sess)
3066 find_session_cb_cnt++;
3068 /* We should only ever be called a maximum of twice per connection */
3069 if (find_session_cb_cnt > 2)
3072 if (serverpsk == NULL)
3075 /* Identity should match that set by the client */
3076 if (strlen(srvid) != identity_len
3077 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3078 /* No PSK found, continue but without a PSK */
3083 SSL_SESSION_up_ref(serverpsk);
3089 #ifndef OPENSSL_NO_PSK
3090 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3091 unsigned char *psk, unsigned int max_psk_len)
3093 unsigned int psklen = 0;
3095 psk_server_cb_cnt++;
3097 /* We should only ever be called a maximum of twice per connection */
3098 if (find_session_cb_cnt > 2)
3101 if (serverpsk == NULL)
3104 /* Identity should match that set by the client */
3105 if (strcmp(srvid, identity) != 0) {
3109 /* We'll reuse the PSK we set up for TLSv1.3 */
3110 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3112 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3116 #endif /* OPENSSL_NO_PSK */
3118 #define MSG1 "Hello"
3119 #define MSG2 "World."
3124 #define MSG7 "message."
3126 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3127 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3128 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3129 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3130 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3133 static SSL_SESSION *create_a_psk(SSL *ssl)
3135 const SSL_CIPHER *cipher = NULL;
3136 const unsigned char key[] = {
3137 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3138 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3139 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3140 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3141 0x2c, 0x2d, 0x2e, 0x2f
3143 SSL_SESSION *sess = NULL;
3145 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3146 sess = SSL_SESSION_new();
3148 || !TEST_ptr(cipher)
3149 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3151 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3153 SSL_SESSION_set_protocol_version(sess,
3155 SSL_SESSION_free(sess);
3162 * Helper method to setup objects for early data test. Caller frees objects on
3165 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3166 SSL **serverssl, SSL_SESSION **sess, int idx)
3169 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3170 TLS_client_method(),
3172 sctx, cctx, cert, privkey)))
3175 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3179 /* When idx == 1 we repeat the tests with read_ahead set */
3180 SSL_CTX_set_read_ahead(*cctx, 1);
3181 SSL_CTX_set_read_ahead(*sctx, 1);
3182 } else if (idx == 2) {
3183 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3184 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3185 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3186 use_session_cb_cnt = 0;
3187 find_session_cb_cnt = 0;
3191 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3196 * For one of the run throughs (doesn't matter which one), we'll try sending
3197 * some SNI data in the initial ClientHello. This will be ignored (because
3198 * there is no SNI cb set up by the server), so it should not impact
3202 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3206 clientpsk = create_a_psk(*clientssl);
3207 if (!TEST_ptr(clientpsk)
3209 * We just choose an arbitrary value for max_early_data which
3210 * should be big enough for testing purposes.
3212 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3214 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3215 SSL_SESSION_free(clientpsk);
3219 serverpsk = clientpsk;
3222 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3223 SSL_SESSION_free(clientpsk);
3224 SSL_SESSION_free(serverpsk);
3225 clientpsk = serverpsk = NULL;
3236 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3240 *sess = SSL_get1_session(*clientssl);
3241 SSL_shutdown(*clientssl);
3242 SSL_shutdown(*serverssl);
3243 SSL_free(*serverssl);
3244 SSL_free(*clientssl);
3245 *serverssl = *clientssl = NULL;
3247 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3248 clientssl, NULL, NULL))
3249 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3255 static int test_early_data_read_write(int idx)
3257 SSL_CTX *cctx = NULL, *sctx = NULL;
3258 SSL *clientssl = NULL, *serverssl = NULL;
3260 SSL_SESSION *sess = NULL;
3261 unsigned char buf[20], data[1024];
3262 size_t readbytes, written, eoedlen, rawread, rawwritten;
3265 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3266 &serverssl, &sess, idx)))
3269 /* Write and read some early data */
3270 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3272 || !TEST_size_t_eq(written, strlen(MSG1))
3273 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3274 sizeof(buf), &readbytes),
3275 SSL_READ_EARLY_DATA_SUCCESS)
3276 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3277 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3278 SSL_EARLY_DATA_ACCEPTED))
3282 * Server should be able to write data, and client should be able to
3285 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3287 || !TEST_size_t_eq(written, strlen(MSG2))
3288 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3289 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3292 /* Even after reading normal data, client should be able write early data */
3293 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3295 || !TEST_size_t_eq(written, strlen(MSG3)))
3298 /* Server should still be able read early data after writing data */
3299 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3301 SSL_READ_EARLY_DATA_SUCCESS)
3302 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3305 /* Write more data from server and read it from client */
3306 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3308 || !TEST_size_t_eq(written, strlen(MSG4))
3309 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3310 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3314 * If client writes normal data it should mean writing early data is no
3317 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3318 || !TEST_size_t_eq(written, strlen(MSG5))
3319 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3320 SSL_EARLY_DATA_ACCEPTED))
3324 * At this point the client has written EndOfEarlyData, ClientFinished and
3325 * normal (fully protected) data. We are going to cause a delay between the
3326 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3327 * in the read BIO, and then just put back the EndOfEarlyData message.
3329 rbio = SSL_get_rbio(serverssl);
3330 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3331 || !TEST_size_t_lt(rawread, sizeof(data))
3332 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3335 /* Record length is in the 4th and 5th bytes of the record header */
3336 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3337 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3338 || !TEST_size_t_eq(rawwritten, eoedlen))
3341 /* Server should be told that there is no more early data */
3342 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3344 SSL_READ_EARLY_DATA_FINISH)
3345 || !TEST_size_t_eq(readbytes, 0))
3349 * Server has not finished init yet, so should still be able to write early
3352 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3354 || !TEST_size_t_eq(written, strlen(MSG6)))
3357 /* Push the ClientFinished and the normal data back into the server rbio */
3358 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3360 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3363 /* Server should be able to read normal data */
3364 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3365 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3368 /* Client and server should not be able to write/read early data now */
3369 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3373 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3375 SSL_READ_EARLY_DATA_ERROR))
3379 /* Client should be able to read the data sent by the server */
3380 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3381 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3385 * Make sure we process the two NewSessionTickets. These arrive
3386 * post-handshake. We attempt reads which we do not expect to return any
3389 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3390 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3394 /* Server should be able to write normal data */
3395 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3396 || !TEST_size_t_eq(written, strlen(MSG7))
3397 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3398 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3401 SSL_SESSION_free(sess);
3402 sess = SSL_get1_session(clientssl);
3403 use_session_cb_cnt = 0;
3404 find_session_cb_cnt = 0;
3406 SSL_shutdown(clientssl);
3407 SSL_shutdown(serverssl);
3408 SSL_free(serverssl);
3409 SSL_free(clientssl);
3410 serverssl = clientssl = NULL;
3411 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3412 &clientssl, NULL, NULL))
3413 || !TEST_true(SSL_set_session(clientssl, sess)))
3416 /* Write and read some early data */
3417 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3419 || !TEST_size_t_eq(written, strlen(MSG1))
3420 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3422 SSL_READ_EARLY_DATA_SUCCESS)
3423 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3426 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3427 || !TEST_int_gt(SSL_accept(serverssl), 0))
3430 /* Client and server should not be able to write/read early data now */
3431 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3435 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3437 SSL_READ_EARLY_DATA_ERROR))
3441 /* Client and server should be able to write/read normal data */
3442 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3443 || !TEST_size_t_eq(written, strlen(MSG5))
3444 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3445 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3451 SSL_SESSION_free(sess);
3452 SSL_SESSION_free(clientpsk);
3453 SSL_SESSION_free(serverpsk);
3454 clientpsk = serverpsk = NULL;
3455 SSL_free(serverssl);
3456 SSL_free(clientssl);
3462 static int allow_ed_cb_called = 0;
3464 static int allow_early_data_cb(SSL *s, void *arg)
3466 int *usecb = (int *)arg;
3468 allow_ed_cb_called++;
3477 * idx == 0: Standard early_data setup
3478 * idx == 1: early_data setup using read_ahead
3479 * usecb == 0: Don't use a custom early data callback
3480 * usecb == 1: Use a custom early data callback and reject the early data
3481 * usecb == 2: Use a custom early data callback and accept the early data
3482 * confopt == 0: Configure anti-replay directly
3483 * confopt == 1: Configure anti-replay using SSL_CONF
3485 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3487 SSL_CTX *cctx = NULL, *sctx = NULL;
3488 SSL *clientssl = NULL, *serverssl = NULL;
3490 SSL_SESSION *sess = NULL;
3491 size_t readbytes, written;
3492 unsigned char buf[20];
3494 allow_ed_cb_called = 0;
3496 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3497 TLS_client_method(), TLS1_VERSION, 0,
3498 &sctx, &cctx, cert, privkey)))
3503 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3505 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3507 if (!TEST_ptr(confctx))
3509 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3510 | SSL_CONF_FLAG_SERVER);
3511 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3512 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3514 SSL_CONF_CTX_free(confctx);
3517 SSL_CONF_CTX_free(confctx);
3519 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3522 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3523 &serverssl, &sess, idx)))
3527 * The server is configured to accept early data. Create a connection to
3528 * "use up" the ticket
3530 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3531 || !TEST_true(SSL_session_reused(clientssl)))
3534 SSL_shutdown(clientssl);
3535 SSL_shutdown(serverssl);
3536 SSL_free(serverssl);
3537 SSL_free(clientssl);
3538 serverssl = clientssl = NULL;
3540 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3541 &clientssl, NULL, NULL))
3542 || !TEST_true(SSL_set_session(clientssl, sess)))
3545 /* Write and read some early data */
3546 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3548 || !TEST_size_t_eq(written, strlen(MSG1)))
3552 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3554 SSL_READ_EARLY_DATA_FINISH)
3556 * The ticket was reused, so the we should have rejected the
3559 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3560 SSL_EARLY_DATA_REJECTED))
3563 /* In this case the callback decides to accept the early data */
3564 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3566 SSL_READ_EARLY_DATA_SUCCESS)
3567 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3569 * Server will have sent its flight so client can now send
3570 * end of early data and complete its half of the handshake
3572 || !TEST_int_gt(SSL_connect(clientssl), 0)
3573 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3575 SSL_READ_EARLY_DATA_FINISH)
3576 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3577 SSL_EARLY_DATA_ACCEPTED))
3581 /* Complete the connection */
3582 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3583 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3584 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3590 SSL_SESSION_free(sess);
3591 SSL_SESSION_free(clientpsk);
3592 SSL_SESSION_free(serverpsk);
3593 clientpsk = serverpsk = NULL;
3594 SSL_free(serverssl);
3595 SSL_free(clientssl);
3601 static int test_early_data_replay(int idx)
3603 int ret = 1, usecb, confopt;
3605 for (usecb = 0; usecb < 3; usecb++) {
3606 for (confopt = 0; confopt < 2; confopt++)
3607 ret &= test_early_data_replay_int(idx, usecb, confopt);
3614 * Helper function to test that a server attempting to read early data can
3615 * handle a connection from a client where the early data should be skipped.
3616 * testtype: 0 == No HRR
3617 * testtype: 1 == HRR
3618 * testtype: 2 == HRR, invalid early_data sent after HRR
3619 * testtype: 3 == recv_max_early_data set to 0
3621 static int early_data_skip_helper(int testtype, int idx)
3623 SSL_CTX *cctx = NULL, *sctx = NULL;
3624 SSL *clientssl = NULL, *serverssl = NULL;
3626 SSL_SESSION *sess = NULL;
3627 unsigned char buf[20];
3628 size_t readbytes, written;
3630 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3631 &serverssl, &sess, idx)))
3634 if (testtype == 1 || testtype == 2) {
3635 /* Force an HRR to occur */
3636 #if defined(OPENSSL_NO_EC)
3637 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3640 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3643 } else if (idx == 2) {
3645 * We force early_data rejection by ensuring the PSK identity is
3648 srvid = "Dummy Identity";
3651 * Deliberately corrupt the creation time. We take 20 seconds off the
3652 * time. It could be any value as long as it is not within tolerance.
3653 * This should mean the ticket is rejected.
3655 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3660 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3663 /* Write some early data */
3664 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3666 || !TEST_size_t_eq(written, strlen(MSG1)))
3669 /* Server should reject the early data */
3670 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3672 SSL_READ_EARLY_DATA_FINISH)
3673 || !TEST_size_t_eq(readbytes, 0)
3674 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3675 SSL_EARLY_DATA_REJECTED))
3685 * Finish off the handshake. We perform the same writes and reads as
3686 * further down but we expect them to fail due to the incomplete
3689 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3690 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3697 BIO *wbio = SSL_get_wbio(clientssl);
3698 /* A record that will appear as bad early_data */
3699 const unsigned char bad_early_data[] = {
3700 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3704 * We force the client to attempt a write. This will fail because
3705 * we're still in the handshake. It will cause the second
3706 * ClientHello to be sent.
3708 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3713 * Inject some early_data after the second ClientHello. This should
3714 * cause the server to fail
3716 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3717 sizeof(bad_early_data), &written)))
3724 * This client has sent more early_data than we are willing to skip
3725 * (case 3) or sent invalid early_data (case 2) so the connection should
3728 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3729 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3732 /* Connection has failed - nothing more to do */
3737 TEST_error("Invalid test type");
3742 * Should be able to send normal data despite rejection of early data. The
3743 * early_data should be skipped.
3745 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3746 || !TEST_size_t_eq(written, strlen(MSG2))
3747 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3748 SSL_EARLY_DATA_REJECTED)
3749 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3750 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3756 SSL_SESSION_free(clientpsk);
3757 SSL_SESSION_free(serverpsk);
3758 clientpsk = serverpsk = NULL;
3759 SSL_SESSION_free(sess);
3760 SSL_free(serverssl);
3761 SSL_free(clientssl);
3768 * Test that a server attempting to read early data can handle a connection
3769 * from a client where the early data is not acceptable.
3771 static int test_early_data_skip(int idx)
3773 return early_data_skip_helper(0, idx);
3777 * Test that a server attempting to read early data can handle a connection
3778 * from a client where an HRR occurs.
3780 static int test_early_data_skip_hrr(int idx)
3782 return early_data_skip_helper(1, idx);
3786 * Test that a server attempting to read early data can handle a connection
3787 * from a client where an HRR occurs and correctly fails if early_data is sent
3790 static int test_early_data_skip_hrr_fail(int idx)
3792 return early_data_skip_helper(2, idx);
3796 * Test that a server attempting to read early data will abort if it tries to
3797 * skip over too much.
3799 static int test_early_data_skip_abort(int idx)
3801 return early_data_skip_helper(3, idx);
3805 * Test that a server attempting to read early data can handle a connection
3806 * from a client that doesn't send any.
3808 static int test_early_data_not_sent(int idx)
3810 SSL_CTX *cctx = NULL, *sctx = NULL;
3811 SSL *clientssl = NULL, *serverssl = NULL;
3813 SSL_SESSION *sess = NULL;
3814 unsigned char buf[20];
3815 size_t readbytes, written;
3817 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3818 &serverssl, &sess, idx)))
3821 /* Write some data - should block due to handshake with server */
3822 SSL_set_connect_state(clientssl);
3823 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3826 /* Server should detect that early data has not been sent */
3827 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3829 SSL_READ_EARLY_DATA_FINISH)
3830 || !TEST_size_t_eq(readbytes, 0)
3831 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3832 SSL_EARLY_DATA_NOT_SENT)
3833 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3834 SSL_EARLY_DATA_NOT_SENT))
3837 /* Continue writing the message we started earlier */
3838 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3839 || !TEST_size_t_eq(written, strlen(MSG1))
3840 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3841 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3842 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3843 || !TEST_size_t_eq(written, strlen(MSG2)))
3846 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3847 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3853 SSL_SESSION_free(sess);
3854 SSL_SESSION_free(clientpsk);
3855 SSL_SESSION_free(serverpsk);
3856 clientpsk = serverpsk = NULL;
3857 SSL_free(serverssl);
3858 SSL_free(clientssl);
3864 static const char *servalpn;
3866 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3867 unsigned char *outlen, const unsigned char *in,
3868 unsigned int inlen, void *arg)
3870 unsigned int protlen = 0;
3871 const unsigned char *prot;
3873 for (prot = in; prot < in + inlen; prot += protlen) {
3875 if (in + inlen < prot + protlen)
3876 return SSL_TLSEXT_ERR_NOACK;
3878 if (protlen == strlen(servalpn)
3879 && memcmp(prot, servalpn, protlen) == 0) {
3882 return SSL_TLSEXT_ERR_OK;
3886 return SSL_TLSEXT_ERR_NOACK;
3889 /* Test that a PSK can be used to send early_data */
3890 static int test_early_data_psk(int idx)
3892 SSL_CTX *cctx = NULL, *sctx = NULL;
3893 SSL *clientssl = NULL, *serverssl = NULL;
3895 SSL_SESSION *sess = NULL;
3896 unsigned char alpnlist[] = {
3897 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3900 #define GOODALPNLEN 9
3901 #define BADALPNLEN 8
3902 #define GOODALPN (alpnlist)
3903 #define BADALPN (alpnlist + GOODALPNLEN)
3905 unsigned char buf[20];
3906 size_t readbytes, written;
3907 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3908 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3910 /* We always set this up with a final parameter of "2" for PSK */
3911 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3912 &serverssl, &sess, 2)))
3915 servalpn = "goodalpn";
3918 * Note: There is no test for inconsistent SNI with late client detection.
3919 * This is because servers do not acknowledge SNI even if they are using
3920 * it in a resumption handshake - so it is not actually possible for a
3921 * client to detect a problem.
3925 /* Set inconsistent SNI (early client detection) */
3926 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3927 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3928 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3933 /* Set inconsistent ALPN (early client detection) */
3934 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3935 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3936 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3938 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3945 * Set invalid protocol version. Technically this affects PSKs without
3946 * early_data too, but we test it here because it is similar to the
3947 * SNI/ALPN consistency tests.
3949 err = SSL_R_BAD_PSK;
3950 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3956 * Set inconsistent SNI (server side). In this case the connection
3957 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3958 * is associated with each handshake - not the session. Therefore it
3959 * should not matter that we used a different server name last time.
3961 SSL_SESSION_free(serverpsk);
3962 serverpsk = SSL_SESSION_dup(clientpsk);
3963 if (!TEST_ptr(serverpsk)
3964 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3968 /* Set consistent SNI */
3969 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3970 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3971 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3978 * Set inconsistent ALPN (server detected). In this case the connection
3979 * will succeed but reject early_data.
3981 servalpn = "badalpn";
3982 edstatus = SSL_EARLY_DATA_REJECTED;
3983 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3987 * Set consistent ALPN.
3988 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3989 * accepts a list of protos (each one length prefixed).
3990 * SSL_set1_alpn_selected accepts a single protocol (not length
3993 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3995 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3999 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4003 /* Set inconsistent ALPN (late client detection) */
4004 SSL_SESSION_free(serverpsk);
4005 serverpsk = SSL_SESSION_dup(clientpsk);
4006 if (!TEST_ptr(serverpsk)
4007 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4010 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4013 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4016 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4017 edstatus = SSL_EARLY_DATA_ACCEPTED;
4018 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4019 /* SSL_connect() call should fail */
4024 TEST_error("Bad test index");
4028 SSL_set_connect_state(clientssl);
4030 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4032 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4033 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4036 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4040 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4041 &readbytes), readearlyres)
4042 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4043 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4044 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4045 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4052 SSL_SESSION_free(sess);
4053 SSL_SESSION_free(clientpsk);
4054 SSL_SESSION_free(serverpsk);
4055 clientpsk = serverpsk = NULL;
4056 SSL_free(serverssl);
4057 SSL_free(clientssl);
4064 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4065 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4066 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4067 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4068 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4069 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4071 static int test_early_data_psk_with_all_ciphers(int idx)
4073 SSL_CTX *cctx = NULL, *sctx = NULL;
4074 SSL *clientssl = NULL, *serverssl = NULL;
4076 SSL_SESSION *sess = NULL;
4077 unsigned char buf[20];
4078 size_t readbytes, written;
4079 const SSL_CIPHER *cipher;
4080 const char *cipher_str[] = {
4081 TLS1_3_RFC_AES_128_GCM_SHA256,
4082 TLS1_3_RFC_AES_256_GCM_SHA384,
4083 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4084 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4088 TLS1_3_RFC_AES_128_CCM_SHA256,
4089 TLS1_3_RFC_AES_128_CCM_8_SHA256
4091 const unsigned char *cipher_bytes[] = {
4092 TLS13_AES_128_GCM_SHA256_BYTES,
4093 TLS13_AES_256_GCM_SHA384_BYTES,
4094 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4095 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4099 TLS13_AES_128_CCM_SHA256_BYTES,
4100 TLS13_AES_128_CCM_8_SHA256_BYTES
4103 if (cipher_str[idx] == NULL)
4105 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4106 if (idx == 2 && is_fips == 1)
4109 /* We always set this up with a final parameter of "2" for PSK */
4110 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4111 &serverssl, &sess, 2)))
4114 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4115 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4119 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4120 * and assigns to both client and server with incremented reference
4121 * and the same instance is updated in 'sess'.
4122 * So updating ciphersuite in 'sess' which will get reflected in
4123 * PSK handshake using psk use sess and find sess cb.
4125 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4126 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4129 SSL_set_connect_state(clientssl);
4130 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4134 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4136 SSL_READ_EARLY_DATA_SUCCESS)
4137 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4138 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4139 SSL_EARLY_DATA_ACCEPTED)
4140 || !TEST_int_eq(SSL_connect(clientssl), 1)
4141 || !TEST_int_eq(SSL_accept(serverssl), 1))
4144 /* Send some normal data from client to server */
4145 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4146 || !TEST_size_t_eq(written, strlen(MSG2)))
4149 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4150 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4155 SSL_SESSION_free(sess);
4156 SSL_SESSION_free(clientpsk);
4157 SSL_SESSION_free(serverpsk);
4158 clientpsk = serverpsk = NULL;
4159 if (clientssl != NULL)
4160 SSL_shutdown(clientssl);
4161 if (serverssl != NULL)
4162 SSL_shutdown(serverssl);
4163 SSL_free(serverssl);
4164 SSL_free(clientssl);
4171 * Test that a server that doesn't try to read early data can handle a
4172 * client sending some.
4174 static int test_early_data_not_expected(int idx)
4176 SSL_CTX *cctx = NULL, *sctx = NULL;
4177 SSL *clientssl = NULL, *serverssl = NULL;
4179 SSL_SESSION *sess = NULL;
4180 unsigned char buf[20];
4181 size_t readbytes, written;
4183 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4184 &serverssl, &sess, idx)))
4187 /* Write some early data */
4188 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4193 * Server should skip over early data and then block waiting for client to
4194 * continue handshake
4196 if (!TEST_int_le(SSL_accept(serverssl), 0)
4197 || !TEST_int_gt(SSL_connect(clientssl), 0)
4198 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4199 SSL_EARLY_DATA_REJECTED)
4200 || !TEST_int_gt(SSL_accept(serverssl), 0)
4201 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4202 SSL_EARLY_DATA_REJECTED))
4205 /* Send some normal data from client to server */
4206 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4207 || !TEST_size_t_eq(written, strlen(MSG2)))
4210 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4211 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4217 SSL_SESSION_free(sess);
4218 SSL_SESSION_free(clientpsk);
4219 SSL_SESSION_free(serverpsk);
4220 clientpsk = serverpsk = NULL;
4221 SSL_free(serverssl);
4222 SSL_free(clientssl);
4229 # ifndef OPENSSL_NO_TLS1_2
4231 * Test that a server attempting to read early data can handle a connection
4232 * from a TLSv1.2 client.
4234 static int test_early_data_tls1_2(int idx)
4236 SSL_CTX *cctx = NULL, *sctx = NULL;
4237 SSL *clientssl = NULL, *serverssl = NULL;
4239 unsigned char buf[20];
4240 size_t readbytes, written;
4242 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4243 &serverssl, NULL, idx)))
4246 /* Write some data - should block due to handshake with server */
4247 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4248 SSL_set_connect_state(clientssl);
4249 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4253 * Server should do TLSv1.2 handshake. First it will block waiting for more
4254 * messages from client after ServerDone. Then SSL_read_early_data should
4255 * finish and detect that early data has not been sent
4257 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4259 SSL_READ_EARLY_DATA_ERROR))
4263 * Continue writing the message we started earlier. Will still block waiting
4264 * for the CCS/Finished from server
4266 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4267 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4269 SSL_READ_EARLY_DATA_FINISH)
4270 || !TEST_size_t_eq(readbytes, 0)
4271 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4272 SSL_EARLY_DATA_NOT_SENT))
4275 /* Continue writing the message we started earlier */
4276 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4277 || !TEST_size_t_eq(written, strlen(MSG1))
4278 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4279 SSL_EARLY_DATA_NOT_SENT)
4280 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4281 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4282 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4283 || !TEST_size_t_eq(written, strlen(MSG2))
4284 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4285 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4291 SSL_SESSION_free(clientpsk);
4292 SSL_SESSION_free(serverpsk);
4293 clientpsk = serverpsk = NULL;
4294 SSL_free(serverssl);
4295 SSL_free(clientssl);
4301 # endif /* OPENSSL_NO_TLS1_2 */
4304 * Test configuring the TLSv1.3 ciphersuites
4306 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4307 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4308 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4309 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4310 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4311 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4312 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4313 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4314 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4315 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4317 static int test_set_ciphersuite(int idx)
4319 SSL_CTX *cctx = NULL, *sctx = NULL;
4320 SSL *clientssl = NULL, *serverssl = NULL;
4323 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4324 TLS_client_method(), TLS1_VERSION, 0,
4325 &sctx, &cctx, cert, privkey))
4326 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4327 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4330 if (idx >=4 && idx <= 7) {
4331 /* SSL_CTX explicit cipher list */
4332 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4336 if (idx == 0 || idx == 4) {
4337 /* Default ciphersuite */
4338 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4339 "TLS_AES_128_GCM_SHA256")))
4341 } else if (idx == 1 || idx == 5) {
4342 /* Non default ciphersuite */
4343 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4344 "TLS_AES_128_CCM_SHA256")))
4348 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4349 &clientssl, NULL, NULL)))
4352 if (idx == 8 || idx == 9) {
4353 /* SSL explicit cipher list */
4354 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4358 if (idx == 2 || idx == 6 || idx == 8) {
4359 /* Default ciphersuite */
4360 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4361 "TLS_AES_128_GCM_SHA256")))
4363 } else if (idx == 3 || idx == 7 || idx == 9) {
4364 /* Non default ciphersuite */
4365 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4366 "TLS_AES_128_CCM_SHA256")))
4370 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4376 SSL_free(serverssl);
4377 SSL_free(clientssl);
4384 static int test_ciphersuite_change(void)
4386 SSL_CTX *cctx = NULL, *sctx = NULL;
4387 SSL *clientssl = NULL, *serverssl = NULL;
4388 SSL_SESSION *clntsess = NULL;
4390 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4392 /* Create a session based on SHA-256 */
4393 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4394 TLS_client_method(), TLS1_VERSION, 0,
4395 &sctx, &cctx, cert, privkey))
4396 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4397 "TLS_AES_128_GCM_SHA256:"
4398 "TLS_AES_256_GCM_SHA384:"
4399 "TLS_AES_128_CCM_SHA256"))
4400 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4401 "TLS_AES_128_GCM_SHA256"))
4402 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4403 &clientssl, NULL, NULL))
4404 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4408 clntsess = SSL_get1_session(clientssl);
4409 /* Save for later */
4410 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4411 SSL_shutdown(clientssl);
4412 SSL_shutdown(serverssl);
4413 SSL_free(serverssl);
4414 SSL_free(clientssl);
4415 serverssl = clientssl = NULL;
4417 /* Check we can resume a session with a different SHA-256 ciphersuite */
4418 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4419 "TLS_AES_128_CCM_SHA256"))
4420 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4421 &clientssl, NULL, NULL))
4422 || !TEST_true(SSL_set_session(clientssl, clntsess))
4423 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4425 || !TEST_true(SSL_session_reused(clientssl)))
4428 SSL_SESSION_free(clntsess);
4429 clntsess = SSL_get1_session(clientssl);
4430 SSL_shutdown(clientssl);
4431 SSL_shutdown(serverssl);
4432 SSL_free(serverssl);
4433 SSL_free(clientssl);
4434 serverssl = clientssl = NULL;
4437 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4438 * succeeds but does not resume.
4440 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4441 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4443 || !TEST_true(SSL_set_session(clientssl, clntsess))
4444 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4446 || !TEST_false(SSL_session_reused(clientssl)))
4449 SSL_SESSION_free(clntsess);
4451 SSL_shutdown(clientssl);
4452 SSL_shutdown(serverssl);
4453 SSL_free(serverssl);
4454 SSL_free(clientssl);
4455 serverssl = clientssl = NULL;
4457 /* Create a session based on SHA384 */
4458 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4459 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4460 &clientssl, NULL, NULL))
4461 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4465 clntsess = SSL_get1_session(clientssl);
4466 SSL_shutdown(clientssl);
4467 SSL_shutdown(serverssl);
4468 SSL_free(serverssl);
4469 SSL_free(clientssl);
4470 serverssl = clientssl = NULL;
4472 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4473 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4474 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4475 "TLS_AES_256_GCM_SHA384"))
4476 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4478 || !TEST_true(SSL_set_session(clientssl, clntsess))
4480 * We use SSL_ERROR_WANT_READ below so that we can pause the
4481 * connection after the initial ClientHello has been sent to
4482 * enable us to make some session changes.
4484 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4485 SSL_ERROR_WANT_READ)))
4488 /* Trick the client into thinking this session is for a different digest */
4489 clntsess->cipher = aes_128_gcm_sha256;
4490 clntsess->cipher_id = clntsess->cipher->id;
4493 * Continue the previously started connection. Server has selected a SHA-384
4494 * ciphersuite, but client thinks the session is for SHA-256, so it should
4497 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4499 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4500 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4506 SSL_SESSION_free(clntsess);
4507 SSL_free(serverssl);
4508 SSL_free(clientssl);
4516 * Test TLSv1.3 Key exchange
4517 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4518 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4519 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4520 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4521 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4522 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4523 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4524 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4525 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4526 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4527 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4528 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4529 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4530 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4532 # ifndef OPENSSL_NO_EC
4533 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4534 NID_secp521r1, NID_X25519, NID_X448};
4536 # ifndef OPENSSL_NO_DH
4537 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4538 NID_ffdhe6144, NID_ffdhe8192};
4540 static int test_key_exchange(int idx)
4542 SSL_CTX *sctx = NULL, *cctx = NULL;
4543 SSL *serverssl = NULL, *clientssl = NULL;
4546 int *kexch_groups = &kexch_alg;
4547 int kexch_groups_size = 1;
4548 int max_version = TLS1_3_VERSION;
4549 char *kexch_name0 = NULL;
4552 # ifndef OPENSSL_NO_EC
4553 # ifndef OPENSSL_NO_TLS1_2
4555 max_version = TLS1_2_VERSION;
4559 kexch_groups = ecdhe_kexch_groups;
4560 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4561 kexch_name0 = "secp256r1";
4564 kexch_alg = NID_X9_62_prime256v1;
4565 kexch_name0 = "secp256r1";
4568 kexch_alg = NID_secp384r1;
4569 kexch_name0 = "secp384r1";
4572 kexch_alg = NID_secp521r1;
4573 kexch_name0 = "secp521r1";
4576 kexch_alg = NID_X25519;
4577 kexch_name0 = "x25519";
4580 kexch_alg = NID_X448;
4581 kexch_name0 = "x448";
4584 # ifndef OPENSSL_NO_DH
4585 # ifndef OPENSSL_NO_TLS1_2
4587 max_version = TLS1_2_VERSION;
4588 kexch_name0 = "ffdhe2048";
4592 kexch_groups = ffdhe_kexch_groups;
4593 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4594 kexch_name0 = "ffdhe2048";
4597 kexch_alg = NID_ffdhe2048;
4598 kexch_name0 = "ffdhe2048";
4601 kexch_alg = NID_ffdhe3072;
4602 kexch_name0 = "ffdhe3072";
4605 kexch_alg = NID_ffdhe4096;
4606 kexch_name0 = "ffdhe4096";
4609 kexch_alg = NID_ffdhe6144;
4610 kexch_name0 = "ffdhe6144";
4613 kexch_alg = NID_ffdhe8192;
4614 kexch_name0 = "ffdhe8192";
4618 /* We're skipping this test */
4622 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4623 TLS_client_method(), TLS1_VERSION,
4624 max_version, &sctx, &cctx, cert,
4628 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4629 TLS1_3_RFC_AES_128_GCM_SHA256)))
4632 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4633 TLS1_3_RFC_AES_128_GCM_SHA256)))
4636 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4637 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4638 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4639 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4643 * Must include an EC ciphersuite so that we send supported groups in
4646 # ifndef OPENSSL_NO_TLS1_2
4647 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4648 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4649 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4653 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4657 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4658 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4661 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4665 * If Handshake succeeds the negotiated kexch alg should be the first one in
4666 * configured, except in the case of FFDHE groups (idx 13), which are
4667 * TLSv1.3 only so we expect no shared group to exist.
4669 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4670 idx == 13 ? 0 : kexch_groups[0]))
4673 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4677 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4679 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4681 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4687 SSL_free(serverssl);
4688 SSL_free(clientssl);
4694 # if !defined(OPENSSL_NO_TLS1_2) \
4695 && !defined(OPENSSL_NO_EC) \
4696 && !defined(OPENSSL_NO_DH)
4697 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4698 int isecdhe, int idx)
4701 int *kexch_groups = &kexch_alg;
4704 numec = OSSL_NELEM(ecdhe_kexch_groups);
4705 numff = OSSL_NELEM(ffdhe_kexch_groups);
4707 kexch_alg = ecdhe_kexch_groups[idx];
4709 kexch_alg = ffdhe_kexch_groups[idx];
4712 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4715 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4719 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4724 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4727 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4731 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4740 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4741 * Run through both the ECDHE and FFDHE group lists used in the previous
4742 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4743 * confirming the expected result; then perform a resumption handshake
4744 * while offering the same group list, and another resumption handshake
4745 * offering a different group list. The returned value should be the
4746 * negotiated group for the initial handshake; for TLS 1.3 resumption
4747 * handshakes the returned value will be negotiated on the resumption
4748 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4749 * be cached in the session from the original handshake, regardless of what
4750 * was offered in the resumption ClientHello.
4752 * Using E for the number of EC groups and F for the number of FF groups:
4753 * E tests of ECDHE with TLS 1.3, client sends only one group
4754 * F tests of FFDHE with TLS 1.3, client sends only one group
4755 * E tests of ECDHE with TLS 1.2, client sends only one group
4756 * F tests of FFDHE with TLS 1.2, client sends only one group
4757 * E tests of ECDHE with TLS 1.3, server only has one group
4758 * F tests of FFDHE with TLS 1.3, server only has one group
4759 * E tests of ECDHE with TLS 1.2, server only has one group
4760 * F tests of FFDHE with TLS 1.2, server only has one group
4762 static int test_negotiated_group(int idx)
4764 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4766 SSL_CTX *sctx = NULL, *cctx = NULL;
4767 SSL *serverssl = NULL, *clientssl = NULL;
4768 SSL_SESSION *origsess = NULL;
4771 int max_version = TLS1_3_VERSION;
4773 numec = OSSL_NELEM(ecdhe_kexch_groups);
4774 numff = OSSL_NELEM(ffdhe_kexch_groups);
4775 numgroups = numec + numff;
4776 clientmulti = (idx < 2 * numgroups);
4777 idx = idx % (2 * numgroups);
4778 istls13 = (idx < numgroups);
4779 idx = idx % numgroups;
4780 isecdhe = (idx < numec);
4783 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4785 kexch_alg = ecdhe_kexch_groups[idx];
4787 kexch_alg = ffdhe_kexch_groups[idx];
4788 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4789 if (!istls13 && !isecdhe)
4790 expectednid = NID_undef;
4792 expectednid = kexch_alg;
4795 max_version = TLS1_2_VERSION;
4797 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4798 TLS_client_method(), TLS1_VERSION,
4799 max_version, &sctx, &cctx, cert,
4804 * Force (EC)DHE ciphers for TLS 1.2.
4805 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4807 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4808 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4809 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4810 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4812 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4813 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4814 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4817 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4821 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4825 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4828 /* Initial handshake; always the configured one */
4829 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4830 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4833 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4836 SSL_shutdown(clientssl);
4837 SSL_shutdown(serverssl);
4838 SSL_free(serverssl);
4839 SSL_free(clientssl);
4840 serverssl = clientssl = NULL;
4842 /* First resumption attempt; use the same config as initial handshake */
4843 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4845 || !TEST_true(SSL_set_session(clientssl, origsess))
4846 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4850 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4851 || !TEST_true(SSL_session_reused(clientssl)))
4854 /* Still had better agree, since nothing changed... */
4855 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4856 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4859 SSL_shutdown(clientssl);
4860 SSL_shutdown(serverssl);
4861 SSL_free(serverssl);
4862 SSL_free(clientssl);
4863 serverssl = clientssl = NULL;
4866 * Second resumption attempt
4867 * The party that picks one group changes it, which we effectuate by
4868 * changing 'idx' and updating what we expect.
4876 expectednid = ecdhe_kexch_groups[idx];
4878 expectednid = ffdhe_kexch_groups[idx];
4879 /* Verify that we are changing what we expect. */
4880 if (!TEST_int_ne(expectednid, kexch_alg))
4883 /* TLS 1.2 only supports named groups for ECDHE. */
4885 expectednid = kexch_alg;
4889 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4891 || !TEST_true(SSL_set_session(clientssl, origsess))
4892 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4896 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4897 || !TEST_true(SSL_session_reused(clientssl)))
4900 /* Check that we get what we expected */
4901 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4902 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4907 SSL_free(serverssl);
4908 SSL_free(clientssl);
4911 SSL_SESSION_free(origsess);
4914 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4917 * Test TLSv1.3 Cipher Suite
4918 * Test 0 = Set TLS1.3 cipher on context
4919 * Test 1 = Set TLS1.3 cipher on SSL
4920 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4921 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4923 static int test_tls13_ciphersuite(int idx)
4925 SSL_CTX *sctx = NULL, *cctx = NULL;
4926 SSL *serverssl = NULL, *clientssl = NULL;
4927 static const struct {
4928 const char *ciphername;
4931 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4932 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4933 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4934 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4935 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4936 { TLS1_3_RFC_AES_256_GCM_SHA384
4937 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4939 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4941 const char *t13_cipher = NULL;
4942 const char *t12_cipher = NULL;
4943 const char *negotiated_scipher;
4944 const char *negotiated_ccipher;
4960 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4964 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4968 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4969 # ifdef OPENSSL_NO_TLS1_2
4970 if (max_ver == TLS1_2_VERSION)
4973 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4974 if (is_fips && !t13_ciphers[i].fipscapable)
4976 t13_cipher = t13_ciphers[i].ciphername;
4977 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4978 TLS_client_method(),
4979 TLS1_VERSION, max_ver,
4980 &sctx, &cctx, cert, privkey)))
4984 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4985 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4987 if (t12_cipher != NULL) {
4988 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4989 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4995 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4996 &clientssl, NULL, NULL)))
5000 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5001 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5003 if (t12_cipher != NULL) {
5004 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5005 || !TEST_true(SSL_set_cipher_list(clientssl,
5011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5015 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5017 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5019 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5023 * TEST_strn_eq is used below because t13_cipher can contain
5024 * multiple ciphersuites
5026 if (max_ver == TLS1_3_VERSION
5027 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5028 strlen(negotiated_scipher)))
5031 # ifndef OPENSSL_NO_TLS1_2
5032 /* Below validation is not done when t12_cipher is NULL */
5033 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5034 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5038 SSL_free(serverssl);
5040 SSL_free(clientssl);
5051 SSL_free(serverssl);
5052 SSL_free(clientssl);
5060 * Test 0 = Test new style callbacks
5061 * Test 1 = Test both new and old style callbacks
5062 * Test 2 = Test old style callbacks
5063 * Test 3 = Test old style callbacks with no certificate
5065 static int test_tls13_psk(int idx)
5067 SSL_CTX *sctx = NULL, *cctx = NULL;
5068 SSL *serverssl = NULL, *clientssl = NULL;
5069 const SSL_CIPHER *cipher = NULL;
5070 const unsigned char key[] = {
5071 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5072 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5073 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5074 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5078 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5079 TLS_client_method(), TLS1_VERSION, 0,
5080 &sctx, &cctx, idx == 3 ? NULL : cert,
5081 idx == 3 ? NULL : privkey)))
5086 * We use a ciphersuite with SHA256 to ease testing old style PSK
5087 * callbacks which will always default to SHA256. This should not be
5088 * necessary if we have no cert/priv key. In that case the server should
5089 * prefer SHA256 automatically.
5091 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5092 "TLS_AES_128_GCM_SHA256")))
5096 * As noted above the server should prefer SHA256 automatically. However
5097 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5098 * code works even if we are testing with only the FIPS provider loaded.
5100 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5101 "TLS_AES_256_GCM_SHA384:"
5102 "TLS_AES_128_GCM_SHA256")))
5107 * Test 0: New style callbacks only
5108 * Test 1: New and old style callbacks (only the new ones should be used)
5109 * Test 2: Old style callbacks only
5111 if (idx == 0 || idx == 1) {
5112 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5113 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5115 #ifndef OPENSSL_NO_PSK
5117 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5118 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5122 use_session_cb_cnt = 0;
5123 find_session_cb_cnt = 0;
5124 psk_client_cb_cnt = 0;
5125 psk_server_cb_cnt = 0;
5129 * Check we can create a connection if callback decides not to send a
5132 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5134 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5136 || !TEST_false(SSL_session_reused(clientssl))
5137 || !TEST_false(SSL_session_reused(serverssl)))
5140 if (idx == 0 || idx == 1) {
5141 if (!TEST_true(use_session_cb_cnt == 1)
5142 || !TEST_true(find_session_cb_cnt == 0)
5144 * If no old style callback then below should be 0
5147 || !TEST_true(psk_client_cb_cnt == idx)
5148 || !TEST_true(psk_server_cb_cnt == 0))
5151 if (!TEST_true(use_session_cb_cnt == 0)
5152 || !TEST_true(find_session_cb_cnt == 0)
5153 || !TEST_true(psk_client_cb_cnt == 1)
5154 || !TEST_true(psk_server_cb_cnt == 0))
5158 shutdown_ssl_connection(serverssl, clientssl);
5159 serverssl = clientssl = NULL;
5160 use_session_cb_cnt = psk_client_cb_cnt = 0;
5163 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5167 /* Create the PSK */
5168 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5169 clientpsk = SSL_SESSION_new();
5170 if (!TEST_ptr(clientpsk)
5171 || !TEST_ptr(cipher)
5172 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5174 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5175 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5177 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5179 serverpsk = clientpsk;
5181 /* Check we can create a connection and the PSK is used */
5182 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5183 || !TEST_true(SSL_session_reused(clientssl))
5184 || !TEST_true(SSL_session_reused(serverssl)))
5187 if (idx == 0 || idx == 1) {
5188 if (!TEST_true(use_session_cb_cnt == 1)
5189 || !TEST_true(find_session_cb_cnt == 1)
5190 || !TEST_true(psk_client_cb_cnt == 0)
5191 || !TEST_true(psk_server_cb_cnt == 0))
5194 if (!TEST_true(use_session_cb_cnt == 0)
5195 || !TEST_true(find_session_cb_cnt == 0)
5196 || !TEST_true(psk_client_cb_cnt == 1)
5197 || !TEST_true(psk_server_cb_cnt == 1))
5201 shutdown_ssl_connection(serverssl, clientssl);
5202 serverssl = clientssl = NULL;
5203 use_session_cb_cnt = find_session_cb_cnt = 0;
5204 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5206 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5211 #if defined(OPENSSL_NO_EC)
5212 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5215 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5220 * Check we can create a connection, the PSK is used and the callbacks are
5223 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5224 || !TEST_true(SSL_session_reused(clientssl))
5225 || !TEST_true(SSL_session_reused(serverssl)))
5228 if (idx == 0 || idx == 1) {
5229 if (!TEST_true(use_session_cb_cnt == 2)
5230 || !TEST_true(find_session_cb_cnt == 2)
5231 || !TEST_true(psk_client_cb_cnt == 0)
5232 || !TEST_true(psk_server_cb_cnt == 0))
5235 if (!TEST_true(use_session_cb_cnt == 0)
5236 || !TEST_true(find_session_cb_cnt == 0)
5237 || !TEST_true(psk_client_cb_cnt == 2)
5238 || !TEST_true(psk_server_cb_cnt == 2))
5242 shutdown_ssl_connection(serverssl, clientssl);
5243 serverssl = clientssl = NULL;
5244 use_session_cb_cnt = find_session_cb_cnt = 0;
5245 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5249 * Check that if the server rejects the PSK we can still connect, but with
5252 srvid = "Dummy Identity";
5253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5255 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5257 || !TEST_false(SSL_session_reused(clientssl))
5258 || !TEST_false(SSL_session_reused(serverssl)))
5261 if (idx == 0 || idx == 1) {
5262 if (!TEST_true(use_session_cb_cnt == 1)
5263 || !TEST_true(find_session_cb_cnt == 1)
5264 || !TEST_true(psk_client_cb_cnt == 0)
5266 * If no old style callback then below should be 0
5269 || !TEST_true(psk_server_cb_cnt == idx))
5272 if (!TEST_true(use_session_cb_cnt == 0)
5273 || !TEST_true(find_session_cb_cnt == 0)
5274 || !TEST_true(psk_client_cb_cnt == 1)
5275 || !TEST_true(psk_server_cb_cnt == 1))
5279 shutdown_ssl_connection(serverssl, clientssl);
5280 serverssl = clientssl = NULL;
5285 SSL_SESSION_free(clientpsk);
5286 SSL_SESSION_free(serverpsk);
5287 clientpsk = serverpsk = NULL;
5288 SSL_free(serverssl);
5289 SSL_free(clientssl);
5295 static unsigned char cookie_magic_value[] = "cookie magic";
5297 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5298 unsigned int *cookie_len)
5301 * Not suitable as a real cookie generation function but good enough for
5304 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5305 *cookie_len = sizeof(cookie_magic_value) - 1;
5310 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5311 unsigned int cookie_len)
5313 if (cookie_len == sizeof(cookie_magic_value) - 1
5314 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5320 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5324 int res = generate_cookie_callback(ssl, cookie, &temp);
5329 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5332 return verify_cookie_callback(ssl, cookie, cookie_len);
5335 static int test_stateless(void)
5337 SSL_CTX *sctx = NULL, *cctx = NULL;
5338 SSL *serverssl = NULL, *clientssl = NULL;
5341 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5342 TLS_client_method(), TLS1_VERSION, 0,
5343 &sctx, &cctx, cert, privkey)))
5346 /* The arrival of CCS messages can confuse the test */
5347 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5349 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5351 /* Send the first ClientHello */
5352 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5353 SSL_ERROR_WANT_READ))
5355 * This should fail with a -1 return because we have no callbacks
5358 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5361 /* Fatal error so abandon the connection from this client */
5362 SSL_free(clientssl);
5365 /* Set up the cookie generation and verification callbacks */
5366 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5367 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5370 * Create a new connection from the client (we can reuse the server SSL
5373 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5375 /* Send the first ClientHello */
5376 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5377 SSL_ERROR_WANT_READ))
5378 /* This should fail because there is no cookie */
5379 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5382 /* Abandon the connection from this client */
5383 SSL_free(clientssl);
5387 * Now create a connection from a new client but with the same server SSL
5390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5392 /* Send the first ClientHello */
5393 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5394 SSL_ERROR_WANT_READ))
5395 /* This should fail because there is no cookie */
5396 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5397 /* Send the second ClientHello */
5398 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5399 SSL_ERROR_WANT_READ))
5400 /* This should succeed because a cookie is now present */
5401 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5402 /* Complete the connection */
5403 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5407 shutdown_ssl_connection(serverssl, clientssl);
5408 serverssl = clientssl = NULL;
5412 SSL_free(serverssl);
5413 SSL_free(clientssl);
5419 #endif /* OSSL_NO_USABLE_TLS1_3 */
5421 static int clntaddoldcb = 0;
5422 static int clntparseoldcb = 0;
5423 static int srvaddoldcb = 0;
5424 static int srvparseoldcb = 0;
5425 static int clntaddnewcb = 0;
5426 static int clntparsenewcb = 0;
5427 static int srvaddnewcb = 0;
5428 static int srvparsenewcb = 0;
5429 static int snicb = 0;
5431 #define TEST_EXT_TYPE1 0xff00
5433 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5434 size_t *outlen, int *al, void *add_arg)
5436 int *server = (int *)add_arg;
5437 unsigned char *data;
5439 if (SSL_is_server(s))
5444 if (*server != SSL_is_server(s)
5445 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5450 *outlen = sizeof(char);
5454 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5457 OPENSSL_free((unsigned char *)out);
5460 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5461 size_t inlen, int *al, void *parse_arg)
5463 int *server = (int *)parse_arg;
5465 if (SSL_is_server(s))
5470 if (*server != SSL_is_server(s)
5471 || inlen != sizeof(char)
5478 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5479 const unsigned char **out, size_t *outlen, X509 *x,
5480 size_t chainidx, int *al, void *add_arg)
5482 int *server = (int *)add_arg;
5483 unsigned char *data;
5485 if (SSL_is_server(s))
5490 if (*server != SSL_is_server(s)
5491 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5496 *outlen = sizeof(*data);
5500 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5501 const unsigned char *out, void *add_arg)
5503 OPENSSL_free((unsigned char *)out);
5506 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5507 const unsigned char *in, size_t inlen, X509 *x,
5508 size_t chainidx, int *al, void *parse_arg)
5510 int *server = (int *)parse_arg;
5512 if (SSL_is_server(s))
5517 if (*server != SSL_is_server(s)
5518 || inlen != sizeof(char) || *in != 1)
5524 static int sni_cb(SSL *s, int *al, void *arg)
5526 SSL_CTX *ctx = (SSL_CTX *)arg;
5528 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5529 *al = SSL_AD_INTERNAL_ERROR;
5530 return SSL_TLSEXT_ERR_ALERT_FATAL;
5533 return SSL_TLSEXT_ERR_OK;
5537 * Custom call back tests.
5538 * Test 0: Old style callbacks in TLSv1.2
5539 * Test 1: New style callbacks in TLSv1.2
5540 * Test 2: New style callbacks in TLSv1.2 with SNI
5541 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5542 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5544 static int test_custom_exts(int tst)
5546 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5547 SSL *clientssl = NULL, *serverssl = NULL;
5549 static int server = 1;
5550 static int client = 0;
5551 SSL_SESSION *sess = NULL;
5552 unsigned int context;
5554 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5555 /* Skip tests for TLSv1.2 and below in this case */
5560 /* Reset callback counters */
5561 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5562 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5565 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5566 TLS_client_method(), TLS1_VERSION, 0,
5567 &sctx, &cctx, cert, privkey)))
5571 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5573 &sctx2, NULL, cert, privkey)))
5578 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5579 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5581 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5585 context = SSL_EXT_CLIENT_HELLO
5586 | SSL_EXT_TLS1_2_SERVER_HELLO
5587 | SSL_EXT_TLS1_3_SERVER_HELLO
5588 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5589 | SSL_EXT_TLS1_3_CERTIFICATE
5590 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5592 context = SSL_EXT_CLIENT_HELLO
5593 | SSL_EXT_TLS1_2_SERVER_HELLO
5594 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5597 /* Create a client side custom extension */
5599 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5600 old_add_cb, old_free_cb,
5601 &client, old_parse_cb,
5605 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5606 new_add_cb, new_free_cb,
5607 &client, new_parse_cb, &client)))
5611 /* Should not be able to add duplicates */
5612 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5613 old_add_cb, old_free_cb,
5614 &client, old_parse_cb,
5616 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5617 context, new_add_cb,
5618 new_free_cb, &client,
5619 new_parse_cb, &client)))
5622 /* Create a server side custom extension */
5624 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5625 old_add_cb, old_free_cb,
5626 &server, old_parse_cb,
5630 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5631 new_add_cb, new_free_cb,
5632 &server, new_parse_cb, &server)))
5635 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5636 context, new_add_cb,
5637 new_free_cb, &server,
5638 new_parse_cb, &server)))
5642 /* Should not be able to add duplicates */
5643 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5644 old_add_cb, old_free_cb,
5645 &server, old_parse_cb,
5647 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5648 context, new_add_cb,
5649 new_free_cb, &server,
5650 new_parse_cb, &server)))
5655 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5656 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5660 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5661 &clientssl, NULL, NULL))
5662 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5667 if (clntaddoldcb != 1
5668 || clntparseoldcb != 1
5670 || srvparseoldcb != 1)
5672 } else if (tst == 1 || tst == 2 || tst == 3) {
5673 if (clntaddnewcb != 1
5674 || clntparsenewcb != 1
5676 || srvparsenewcb != 1
5677 || (tst != 2 && snicb != 0)
5678 || (tst == 2 && snicb != 1))
5681 /* In this case there 2 NewSessionTicket messages created */
5682 if (clntaddnewcb != 1
5683 || clntparsenewcb != 5
5685 || srvparsenewcb != 1)
5689 sess = SSL_get1_session(clientssl);
5690 SSL_shutdown(clientssl);
5691 SSL_shutdown(serverssl);
5692 SSL_free(serverssl);
5693 SSL_free(clientssl);
5694 serverssl = clientssl = NULL;
5697 /* We don't bother with the resumption aspects for this test */
5702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5704 || !TEST_true(SSL_set_session(clientssl, sess))
5705 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5710 * For a resumed session we expect to add the ClientHello extension. For the
5711 * old style callbacks we ignore it on the server side because they set
5712 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5716 if (clntaddoldcb != 2
5717 || clntparseoldcb != 1
5719 || srvparseoldcb != 1)
5721 } else if (tst == 1 || tst == 2 || tst == 3) {
5722 if (clntaddnewcb != 2
5723 || clntparsenewcb != 2
5725 || srvparsenewcb != 2)
5729 * No Certificate message extensions in the resumption handshake,
5730 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5732 if (clntaddnewcb != 2
5733 || clntparsenewcb != 8
5735 || srvparsenewcb != 2)
5742 SSL_SESSION_free(sess);
5743 SSL_free(serverssl);
5744 SSL_free(clientssl);
5745 SSL_CTX_free(sctx2);
5752 * Test loading of serverinfo data in various formats. test_sslmessages actually
5753 * tests to make sure the extensions appear in the handshake
5755 static int test_serverinfo(int tst)
5757 unsigned int version;
5758 unsigned char *sibuf;
5760 int ret, expected, testresult = 0;
5763 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5767 if ((tst & 0x01) == 0x01)
5768 version = SSL_SERVERINFOV2;
5770 version = SSL_SERVERINFOV1;
5772 if ((tst & 0x02) == 0x02) {
5773 sibuf = serverinfov2;
5774 sibuflen = sizeof(serverinfov2);
5775 expected = (version == SSL_SERVERINFOV2);
5777 sibuf = serverinfov1;
5778 sibuflen = sizeof(serverinfov1);
5779 expected = (version == SSL_SERVERINFOV1);
5782 if ((tst & 0x04) == 0x04) {
5783 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5785 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5788 * The version variable is irrelevant in this case - it's what is in the
5789 * buffer that matters
5791 if ((tst & 0x02) == 0x02)
5797 if (!TEST_true(ret == expected))
5809 * Test that SSL_export_keying_material() produces expected results. There are
5810 * no test vectors so all we do is test that both sides of the communication
5811 * produce the same results for different protocol versions.
5813 #define SMALL_LABEL_LEN 10
5814 #define LONG_LABEL_LEN 249
5815 static int test_export_key_mat(int tst)
5818 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5819 SSL *clientssl = NULL, *serverssl = NULL;
5820 const char label[LONG_LABEL_LEN + 1] = "test label";
5821 const unsigned char context[] = "context";
5822 const unsigned char *emptycontext = NULL;
5823 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5824 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5826 const int protocols[] = {
5835 #ifdef OPENSSL_NO_TLS1
5839 #ifdef OPENSSL_NO_TLS1_1
5843 if (is_fips && (tst == 0 || tst == 1))
5845 #ifdef OPENSSL_NO_TLS1_2
5849 #ifdef OSSL_NO_USABLE_TLS1_3
5853 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5854 TLS_client_method(), TLS1_VERSION, 0,
5855 &sctx, &cctx, cert, privkey)))
5858 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5859 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5860 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5861 if ((protocols[tst] < TLS1_2_VERSION) &&
5862 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5863 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5866 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5871 * Premature call of SSL_export_keying_material should just fail.
5873 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5874 sizeof(ckeymat1), label,
5875 SMALL_LABEL_LEN + 1, context,
5876 sizeof(context) - 1, 1), 0))
5879 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5885 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5888 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5889 sizeof(ckeymat1), label,
5890 LONG_LABEL_LEN + 1, context,
5891 sizeof(context) - 1, 1), 0))
5896 } else if (tst == 4) {
5897 labellen = LONG_LABEL_LEN;
5899 labellen = SMALL_LABEL_LEN;
5902 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5903 sizeof(ckeymat1), label,
5905 sizeof(context) - 1, 1), 1)
5906 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5907 sizeof(ckeymat2), label,
5911 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5912 sizeof(ckeymat3), label,
5915 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5916 sizeof(skeymat1), label,
5919 sizeof(context) -1, 1),
5921 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5922 sizeof(skeymat2), label,
5926 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5927 sizeof(skeymat3), label,
5931 * Check that both sides created the same key material with the
5934 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5937 * Check that both sides created the same key material with an
5940 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5943 * Check that both sides created the same key material without a
5946 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5948 /* Different contexts should produce different results */
5949 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5954 * Check that an empty context and no context produce different results in
5955 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5957 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5959 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5966 SSL_free(serverssl);
5967 SSL_free(clientssl);
5968 SSL_CTX_free(sctx2);
5975 #ifndef OSSL_NO_USABLE_TLS1_3
5977 * Test that SSL_export_keying_material_early() produces expected
5978 * results. There are no test vectors so all we do is test that both
5979 * sides of the communication produce the same results for different
5980 * protocol versions.
5982 static int test_export_key_mat_early(int idx)
5984 static const char label[] = "test label";
5985 static const unsigned char context[] = "context";
5987 SSL_CTX *cctx = NULL, *sctx = NULL;
5988 SSL *clientssl = NULL, *serverssl = NULL;
5989 SSL_SESSION *sess = NULL;
5990 const unsigned char *emptycontext = NULL;
5991 unsigned char ckeymat1[80], ckeymat2[80];
5992 unsigned char skeymat1[80], skeymat2[80];
5993 unsigned char buf[1];
5994 size_t readbytes, written;
5996 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6000 /* Here writing 0 length early data is enough. */
6001 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6002 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6004 SSL_READ_EARLY_DATA_ERROR)
6005 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6006 SSL_EARLY_DATA_ACCEPTED))
6009 if (!TEST_int_eq(SSL_export_keying_material_early(
6010 clientssl, ckeymat1, sizeof(ckeymat1), label,
6011 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6012 || !TEST_int_eq(SSL_export_keying_material_early(
6013 clientssl, ckeymat2, sizeof(ckeymat2), label,
6014 sizeof(label) - 1, emptycontext, 0), 1)
6015 || !TEST_int_eq(SSL_export_keying_material_early(
6016 serverssl, skeymat1, sizeof(skeymat1), label,
6017 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6018 || !TEST_int_eq(SSL_export_keying_material_early(
6019 serverssl, skeymat2, sizeof(skeymat2), label,
6020 sizeof(label) - 1, emptycontext, 0), 1)
6022 * Check that both sides created the same key material with the
6025 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6028 * Check that both sides created the same key material with an
6031 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6033 /* Different contexts should produce different results */
6034 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6041 SSL_SESSION_free(sess);
6042 SSL_SESSION_free(clientpsk);
6043 SSL_SESSION_free(serverpsk);
6044 clientpsk = serverpsk = NULL;
6045 SSL_free(serverssl);
6046 SSL_free(clientssl);
6053 #define NUM_KEY_UPDATE_MESSAGES 40
6057 static int test_key_update(void)
6059 SSL_CTX *cctx = NULL, *sctx = NULL;
6060 SSL *clientssl = NULL, *serverssl = NULL;
6061 int testresult = 0, i, j;
6063 static char *mess = "A test message";
6065 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6066 TLS_client_method(),
6069 &sctx, &cctx, cert, privkey))
6070 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6072 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6076 for (j = 0; j < 2; j++) {
6077 /* Send lots of KeyUpdate messages */
6078 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6079 if (!TEST_true(SSL_key_update(clientssl,
6081 ? SSL_KEY_UPDATE_NOT_REQUESTED
6082 : SSL_KEY_UPDATE_REQUESTED))
6083 || !TEST_true(SSL_do_handshake(clientssl)))
6087 /* Check that sending and receiving app data is ok */
6088 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6089 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6093 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6094 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6102 SSL_free(serverssl);
6103 SSL_free(clientssl);
6111 * Test we can handle a KeyUpdate (update requested) message while write data
6113 * Test 0: Client sends KeyUpdate while Server is writing
6114 * Test 1: Server sends KeyUpdate while Client is writing
6116 static int test_key_update_in_write(int tst)
6118 SSL_CTX *cctx = NULL, *sctx = NULL;
6119 SSL *clientssl = NULL, *serverssl = NULL;
6122 static char *mess = "A test message";
6123 BIO *bretry = BIO_new(bio_s_always_retry());
6125 SSL *peerupdate = NULL, *peerwrite = NULL;
6127 if (!TEST_ptr(bretry)
6128 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6129 TLS_client_method(),
6132 &sctx, &cctx, cert, privkey))
6133 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6135 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6139 peerupdate = tst == 0 ? clientssl : serverssl;
6140 peerwrite = tst == 0 ? serverssl : clientssl;
6142 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6143 || !TEST_true(SSL_do_handshake(peerupdate)))
6146 /* Swap the writing endpoint's write BIO to force a retry */
6147 tmp = SSL_get_wbio(peerwrite);
6148 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6152 SSL_set0_wbio(peerwrite, bretry);
6155 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6156 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6157 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6160 /* Reinstate the original writing endpoint's write BIO */
6161 SSL_set0_wbio(peerwrite, tmp);
6164 /* Now read some data - we will read the key update */
6165 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6166 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6170 * Complete the write we started previously and read it from the other
6173 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6174 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6177 /* Write more data to ensure we send the KeyUpdate message back */
6178 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6179 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6185 SSL_free(serverssl);
6186 SSL_free(clientssl);
6194 #endif /* OSSL_NO_USABLE_TLS1_3 */
6196 static int test_ssl_clear(int idx)
6198 SSL_CTX *cctx = NULL, *sctx = NULL;
6199 SSL *clientssl = NULL, *serverssl = NULL;
6202 #ifdef OPENSSL_NO_TLS1_2
6207 /* Create an initial connection */
6208 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6209 TLS_client_method(), TLS1_VERSION, 0,
6210 &sctx, &cctx, cert, privkey))
6212 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6214 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6215 &clientssl, NULL, NULL))
6216 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6220 SSL_shutdown(clientssl);
6221 SSL_shutdown(serverssl);
6222 SSL_free(serverssl);
6225 /* Clear clientssl - we're going to reuse the object */
6226 if (!TEST_true(SSL_clear(clientssl)))
6229 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6231 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6233 || !TEST_true(SSL_session_reused(clientssl)))
6236 SSL_shutdown(clientssl);
6237 SSL_shutdown(serverssl);
6242 SSL_free(serverssl);
6243 SSL_free(clientssl);
6250 /* Parse CH and retrieve any MFL extension value if present */
6251 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6254 unsigned char *data;
6255 PACKET pkt, pkt2, pkt3;
6256 unsigned int MFL_code = 0, type = 0;
6258 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6261 memset(&pkt, 0, sizeof(pkt));
6262 memset(&pkt2, 0, sizeof(pkt2));
6263 memset(&pkt3, 0, sizeof(pkt3));
6265 if (!TEST_long_gt(len, 0)
6266 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6267 /* Skip the record header */
6268 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6269 /* Skip the handshake message header */
6270 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6271 /* Skip client version and random */
6272 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6273 + SSL3_RANDOM_SIZE))
6274 /* Skip session id */
6275 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6277 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6278 /* Skip compression */
6279 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6280 /* Extensions len */
6281 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6284 /* Loop through all extensions */
6285 while (PACKET_remaining(&pkt2)) {
6286 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6287 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6290 if (type == TLSEXT_TYPE_max_fragment_length) {
6291 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6292 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6295 *mfl_codemfl_code = MFL_code;
6304 /* Maximum-Fragment-Length TLS extension mode to test */
6305 static const unsigned char max_fragment_len_test[] = {
6306 TLSEXT_max_fragment_length_512,
6307 TLSEXT_max_fragment_length_1024,
6308 TLSEXT_max_fragment_length_2048,
6309 TLSEXT_max_fragment_length_4096
6312 static int test_max_fragment_len_ext(int idx_tst)
6314 SSL_CTX *ctx = NULL;
6316 int testresult = 0, MFL_mode = 0;
6319 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6320 TLS1_VERSION, 0, NULL, &ctx, NULL,
6324 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6325 ctx, max_fragment_len_test[idx_tst])))
6332 rbio = BIO_new(BIO_s_mem());
6333 wbio = BIO_new(BIO_s_mem());
6334 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6340 SSL_set_bio(con, rbio, wbio);
6342 if (!TEST_int_le(SSL_connect(con), 0)) {
6343 /* This shouldn't succeed because we don't have a server! */
6347 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6348 /* no MFL in client hello */
6350 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6362 #ifndef OSSL_NO_USABLE_TLS1_3
6363 static int test_pha_key_update(void)
6365 SSL_CTX *cctx = NULL, *sctx = NULL;
6366 SSL *clientssl = NULL, *serverssl = NULL;
6369 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6370 TLS_client_method(), TLS1_VERSION, 0,
6371 &sctx, &cctx, cert, privkey)))
6374 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6375 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6376 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6377 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6380 SSL_CTX_set_post_handshake_auth(cctx, 1);
6382 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6386 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6390 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6391 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6394 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6397 /* Start handshake on the server */
6398 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6401 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6402 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6406 SSL_shutdown(clientssl);
6407 SSL_shutdown(serverssl);
6412 SSL_free(serverssl);
6413 SSL_free(clientssl);
6420 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6422 static SRP_VBASE *vbase = NULL;
6424 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6426 int ret = SSL3_AL_FATAL;
6428 SRP_user_pwd *user = NULL;
6430 username = SSL_get_srp_username(s);
6431 if (username == NULL) {
6432 *ad = SSL_AD_INTERNAL_ERROR;
6436 user = SRP_VBASE_get1_by_user(vbase, username);
6438 *ad = SSL_AD_INTERNAL_ERROR;
6442 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6444 *ad = SSL_AD_INTERNAL_ERROR;
6451 SRP_user_pwd_free(user);
6455 static int create_new_vfile(char *userid, char *password, const char *filename)
6458 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6461 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6464 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6467 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6468 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6469 if (!TEST_ptr(gNid))
6473 * The only way to create an empty TXT_DB is to provide a BIO with no data
6476 db = TXT_DB_read(dummy, DB_NUMBER);
6480 out = BIO_new_file(filename, "w");
6484 row[DB_srpid] = OPENSSL_strdup(userid);
6485 row[DB_srptype] = OPENSSL_strdup("V");
6486 row[DB_srpgN] = OPENSSL_strdup(gNid);
6488 if (!TEST_ptr(row[DB_srpid])
6489 || !TEST_ptr(row[DB_srptype])
6490 || !TEST_ptr(row[DB_srpgN])
6491 || !TEST_true(TXT_DB_insert(db, row)))
6496 if (!TXT_DB_write(out, db))
6502 for (i = 0; i < DB_NUMBER; i++)
6503 OPENSSL_free(row[i]);
6513 static int create_new_vbase(char *userid, char *password)
6515 BIGNUM *verifier = NULL, *salt = NULL;
6516 const SRP_gN *lgN = NULL;
6517 SRP_user_pwd *user_pwd = NULL;
6520 lgN = SRP_get_default_gN(NULL);
6524 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6525 lgN->N, lgN->g, libctx, NULL)))
6528 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6529 if (!TEST_ptr(user_pwd))
6532 user_pwd->N = lgN->N;
6533 user_pwd->g = lgN->g;
6534 user_pwd->id = OPENSSL_strdup(userid);
6535 if (!TEST_ptr(user_pwd->id))
6538 user_pwd->v = verifier;
6540 verifier = salt = NULL;
6542 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6548 SRP_user_pwd_free(user_pwd);
6558 * Test 0: Simple successful SRP connection, new vbase
6559 * Test 1: Connection failure due to bad password, new vbase
6560 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6561 * Test 3: Connection failure due to bad password, vbase loaded from existing
6563 * Test 4: Simple successful SRP connection, vbase loaded from new file
6564 * Test 5: Connection failure due to bad password, vbase loaded from new file
6566 static int test_srp(int tst)
6568 char *userid = "test", *password = "password", *tstsrpfile;
6569 SSL_CTX *cctx = NULL, *sctx = NULL;
6570 SSL *clientssl = NULL, *serverssl = NULL;
6571 int ret, testresult = 0;
6573 vbase = SRP_VBASE_new(NULL);
6574 if (!TEST_ptr(vbase))
6577 if (tst == 0 || tst == 1) {
6578 if (!TEST_true(create_new_vbase(userid, password)))
6581 if (tst == 4 || tst == 5) {
6582 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6584 tstsrpfile = tmpfilename;
6586 tstsrpfile = srpvfile;
6588 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6592 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6593 TLS_client_method(), TLS1_VERSION, 0,
6594 &sctx, &cctx, cert, privkey)))
6597 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6598 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6599 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6600 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6601 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6605 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6608 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6612 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6616 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6618 if (!TEST_true(tst % 2 == 0))
6621 if (!TEST_true(tst % 2 == 1))
6628 SRP_VBASE_free(vbase);
6630 SSL_free(serverssl);
6631 SSL_free(clientssl);
6639 static int info_cb_failed = 0;
6640 static int info_cb_offset = 0;
6641 static int info_cb_this_state = -1;
6643 static struct info_cb_states_st {
6645 const char *statestr;
6646 } info_cb_states[][60] = {
6648 /* TLSv1.2 server followed by resumption */
6649 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6650 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6651 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6652 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6653 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6654 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6655 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6656 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6657 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6658 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6659 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6660 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6661 {SSL_CB_EXIT, NULL}, {0, NULL},
6663 /* TLSv1.2 client followed by resumption */
6664 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6665 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6666 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6667 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6668 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6669 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6670 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6671 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6672 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6673 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6674 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6675 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6677 /* TLSv1.3 server followed by resumption */
6678 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6679 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6680 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6681 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6682 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6683 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6684 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6685 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6686 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6687 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6688 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6689 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6690 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6692 /* TLSv1.3 client followed by resumption */
6693 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6694 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6695 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6696 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6697 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6698 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6699 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6700 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6701 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6702 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6703 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6704 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6705 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6706 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6707 {SSL_CB_EXIT, NULL}, {0, NULL},
6709 /* TLSv1.3 server, early_data */
6710 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6711 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6712 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6713 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6714 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6715 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6716 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6717 {SSL_CB_EXIT, NULL}, {0, NULL},
6719 /* TLSv1.3 client, early_data */
6720 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6721 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6722 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6723 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6724 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6725 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6726 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6727 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6728 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6734 static void sslapi_info_callback(const SSL *s, int where, int ret)
6736 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6738 /* We do not ever expect a connection to fail in this test */
6739 if (!TEST_false(ret == 0)) {
6745 * Do some sanity checks. We never expect these things to happen in this
6748 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6749 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6750 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6755 /* Now check we're in the right state */
6756 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6760 if ((where & SSL_CB_LOOP) != 0
6761 && !TEST_int_eq(strcmp(SSL_state_string(s),
6762 state[info_cb_this_state].statestr), 0)) {
6768 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6770 if ((where & SSL_CB_HANDSHAKE_DONE)
6771 && SSL_in_init((SSL *)s) != 0) {
6778 * Test the info callback gets called when we expect it to.
6780 * Test 0: TLSv1.2, server
6781 * Test 1: TLSv1.2, client
6782 * Test 2: TLSv1.3, server
6783 * Test 3: TLSv1.3, client
6784 * Test 4: TLSv1.3, server, early_data
6785 * Test 5: TLSv1.3, client, early_data
6787 static int test_info_callback(int tst)
6789 SSL_CTX *cctx = NULL, *sctx = NULL;
6790 SSL *clientssl = NULL, *serverssl = NULL;
6791 SSL_SESSION *clntsess = NULL;
6796 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6797 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6798 || !defined(OPENSSL_NO_DH))
6799 tlsvers = TLS1_2_VERSION;
6804 #ifndef OSSL_NO_USABLE_TLS1_3
6805 tlsvers = TLS1_3_VERSION;
6813 info_cb_this_state = -1;
6814 info_cb_offset = tst;
6816 #ifndef OSSL_NO_USABLE_TLS1_3
6818 SSL_SESSION *sess = NULL;
6819 size_t written, readbytes;
6820 unsigned char buf[80];
6822 /* early_data tests */
6823 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6824 &serverssl, &sess, 0)))
6827 /* We don't actually need this reference */
6828 SSL_SESSION_free(sess);
6830 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6831 sslapi_info_callback);
6833 /* Write and read some early data and then complete the connection */
6834 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6836 || !TEST_size_t_eq(written, strlen(MSG1))
6837 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6838 sizeof(buf), &readbytes),
6839 SSL_READ_EARLY_DATA_SUCCESS)
6840 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6841 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6842 SSL_EARLY_DATA_ACCEPTED)
6843 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6845 || !TEST_false(info_cb_failed))
6853 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6854 TLS_client_method(),
6855 tlsvers, tlsvers, &sctx, &cctx, cert,
6859 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6863 * For even numbered tests we check the server callbacks. For odd numbers we
6866 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6867 sslapi_info_callback);
6869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6870 &clientssl, NULL, NULL))
6871 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6873 || !TEST_false(info_cb_failed))
6878 clntsess = SSL_get1_session(clientssl);
6879 SSL_shutdown(clientssl);
6880 SSL_shutdown(serverssl);
6881 SSL_free(serverssl);
6882 SSL_free(clientssl);
6883 serverssl = clientssl = NULL;
6885 /* Now do a resumption */
6886 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6888 || !TEST_true(SSL_set_session(clientssl, clntsess))
6889 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6891 || !TEST_true(SSL_session_reused(clientssl))
6892 || !TEST_false(info_cb_failed))
6898 SSL_free(serverssl);
6899 SSL_free(clientssl);
6900 SSL_SESSION_free(clntsess);
6906 static int test_ssl_pending(int tst)
6908 SSL_CTX *cctx = NULL, *sctx = NULL;
6909 SSL *clientssl = NULL, *serverssl = NULL;
6911 char msg[] = "A test message";
6913 size_t written, readbytes;
6916 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6917 TLS_client_method(),
6919 &sctx, &cctx, cert, privkey)))
6922 #ifndef OPENSSL_NO_DTLS
6923 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6924 DTLS_client_method(),
6926 &sctx, &cctx, cert, privkey)))
6929 # ifdef OPENSSL_NO_DTLS1_2
6930 /* Not supported in the FIPS provider */
6936 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
6939 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
6940 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
6941 "DEFAULT:@SECLEVEL=0")))
6949 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6951 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6955 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6956 || !TEST_false(SSL_has_pending(clientssl))
6957 || !TEST_int_eq(SSL_pending(serverssl), 0)
6958 || !TEST_false(SSL_has_pending(serverssl))
6959 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6960 || !TEST_size_t_eq(written, sizeof(msg))
6961 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6962 || !TEST_size_t_eq(readbytes, sizeof(buf))
6963 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6964 || !TEST_true(SSL_has_pending(clientssl)))
6970 SSL_free(serverssl);
6971 SSL_free(clientssl);
6979 unsigned int maxprot;
6980 const char *clntciphers;
6981 const char *clnttls13ciphers;
6982 const char *srvrciphers;
6983 const char *srvrtls13ciphers;
6985 const char *fipsshared;
6986 } shared_ciphers_data[] = {
6988 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6989 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6991 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6994 "AES128-SHA:AES256-SHA",
6996 "AES256-SHA:DHE-RSA-AES128-SHA",
7001 # if !defined(OPENSSL_NO_CHACHA) \
7002 && !defined(OPENSSL_NO_POLY1305) \
7003 && !defined(OPENSSL_NO_EC)
7006 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7008 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7010 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7016 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7018 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7020 "AES128-SHA:AES256-SHA",
7021 "AES128-SHA:AES256-SHA"
7025 "AES128-SHA:AES256-SHA",
7027 "AES128-SHA:DHE-RSA-AES128-SHA",
7034 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7037 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7038 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7041 "AES128-SHA:AES256-SHA",
7043 "AES256-SHA:AES128-SHA256",
7045 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7046 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7047 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7050 #ifndef OSSL_NO_USABLE_TLS1_3
7054 "TLS_AES_256_GCM_SHA384",
7056 "TLS_AES_256_GCM_SHA384",
7057 "TLS_AES_256_GCM_SHA384",
7058 "TLS_AES_256_GCM_SHA384"
7063 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7065 SSL_CTX *cctx = NULL, *sctx = NULL;
7066 SSL *clientssl = NULL, *serverssl = NULL;
7069 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7071 if (!TEST_ptr(tmplibctx))
7075 * Regardless of whether we're testing with the FIPS provider loaded into
7076 * libctx, we want one peer to always use the full set of ciphersuites
7077 * available. Therefore we use a separate libctx with the default provider
7078 * loaded into it. We run the same tests twice - once with the client side
7079 * having the full set of ciphersuites and once with the server side.
7082 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7083 if (!TEST_ptr(cctx))
7086 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7087 if (!TEST_ptr(sctx))
7091 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7092 TLS_client_method(),
7094 shared_ciphers_data[tst].maxprot,
7095 &sctx, &cctx, cert, privkey)))
7098 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7099 shared_ciphers_data[tst].clntciphers))
7100 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7101 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7102 shared_ciphers_data[tst].clnttls13ciphers)))
7103 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7104 shared_ciphers_data[tst].srvrciphers))
7105 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7106 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7107 shared_ciphers_data[tst].srvrtls13ciphers))))
7111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7113 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7117 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7118 || !TEST_int_eq(strcmp(buf,
7120 ? shared_ciphers_data[tst].fipsshared
7121 : shared_ciphers_data[tst].shared),
7123 TEST_info("Shared ciphers are: %s\n", buf);
7130 SSL_free(serverssl);
7131 SSL_free(clientssl);
7134 OSSL_LIB_CTX_free(tmplibctx);
7139 static int test_ssl_get_shared_ciphers(int tst)
7141 return int_test_ssl_get_shared_ciphers(tst, 0)
7142 && int_test_ssl_get_shared_ciphers(tst, 1);
7146 static const char *appdata = "Hello World";
7147 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7148 static int tick_key_renew = 0;
7149 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7151 static int gen_tick_cb(SSL *s, void *arg)
7153 gen_tick_called = 1;
7155 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7159 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7160 const unsigned char *keyname,
7161 size_t keyname_length,
7162 SSL_TICKET_STATUS status,
7168 dec_tick_called = 1;
7170 if (status == SSL_TICKET_EMPTY)
7171 return SSL_TICKET_RETURN_IGNORE_RENEW;
7173 if (!TEST_true(status == SSL_TICKET_SUCCESS
7174 || status == SSL_TICKET_SUCCESS_RENEW))
7175 return SSL_TICKET_RETURN_ABORT;
7177 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7179 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7180 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7181 return SSL_TICKET_RETURN_ABORT;
7183 if (tick_key_cb_called) {
7184 /* Don't change what the ticket key callback wanted to do */
7186 case SSL_TICKET_NO_DECRYPT:
7187 return SSL_TICKET_RETURN_IGNORE_RENEW;
7189 case SSL_TICKET_SUCCESS:
7190 return SSL_TICKET_RETURN_USE;
7192 case SSL_TICKET_SUCCESS_RENEW:
7193 return SSL_TICKET_RETURN_USE_RENEW;
7196 return SSL_TICKET_RETURN_ABORT;
7199 return tick_dec_ret;
7203 #ifndef OPENSSL_NO_DEPRECATED_3_0
7204 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7205 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7206 HMAC_CTX *hctx, int enc)
7208 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7209 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7210 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7211 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7214 tick_key_cb_called = 1;
7215 memset(iv, 0, AES_BLOCK_SIZE);
7216 memset(key_name, 0, 16);
7217 if (aes128cbc == NULL
7219 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7220 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7224 ret = tick_key_renew ? 2 : 1;
7226 EVP_CIPHER_free(aes128cbc);
7227 EVP_MD_free(sha256);
7233 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7234 unsigned char iv[EVP_MAX_IV_LENGTH],
7235 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7237 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7238 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7239 OSSL_PARAM params[2];
7240 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7243 tick_key_cb_called = 1;
7244 memset(iv, 0, AES_BLOCK_SIZE);
7245 memset(key_name, 0, 16);
7246 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7248 params[1] = OSSL_PARAM_construct_end();
7249 if (aes128cbc == NULL
7250 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7251 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7255 ret = tick_key_renew ? 2 : 1;
7257 EVP_CIPHER_free(aes128cbc);
7263 * Test the various ticket callbacks
7264 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7265 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7266 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7267 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7268 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7269 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7270 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7271 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7272 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7273 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7274 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7275 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7276 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7277 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7278 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7279 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7281 static int test_ticket_callbacks(int tst)
7283 SSL_CTX *cctx = NULL, *sctx = NULL;
7284 SSL *clientssl = NULL, *serverssl = NULL;
7285 SSL_SESSION *clntsess = NULL;
7288 #ifdef OPENSSL_NO_TLS1_2
7292 #ifdef OSSL_NO_USABLE_TLS1_3
7296 #ifdef OPENSSL_NO_DEPRECATED_3_0
7297 if (tst >= 8 && tst <= 11)
7301 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7303 /* Which tests the ticket key callback should request renewal for */
7304 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
7309 /* Which tests the decrypt ticket callback should request renewal for */
7313 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7318 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7323 tick_dec_ret = SSL_TICKET_RETURN_USE;
7328 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7332 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7336 TLS_client_method(),
7338 ((tst % 2) == 0) ? TLS1_2_VERSION
7340 &sctx, &cctx, cert, privkey)))
7344 * We only want sessions to resume from tickets - not the session cache. So
7345 * switch the cache off.
7347 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7350 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7355 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7357 #ifndef OPENSSL_NO_DEPRECATED_3_0
7358 } else if (tst >= 8) {
7359 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7366 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7371 * The decrypt ticket key callback in TLSv1.2 should be called even though
7372 * we have no ticket yet, because it gets called with a status of
7373 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7374 * actually send any ticket data). This does not happen in TLSv1.3 because
7375 * it is not valid to send empty ticket data in TLSv1.3.
7377 if (!TEST_int_eq(gen_tick_called, 1)
7378 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7381 gen_tick_called = dec_tick_called = 0;
7383 clntsess = SSL_get1_session(clientssl);
7384 SSL_shutdown(clientssl);
7385 SSL_shutdown(serverssl);
7386 SSL_free(serverssl);
7387 SSL_free(clientssl);
7388 serverssl = clientssl = NULL;
7390 /* Now do a resumption */
7391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7393 || !TEST_true(SSL_set_session(clientssl, clntsess))
7394 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7398 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7399 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7400 if (!TEST_false(SSL_session_reused(clientssl)))
7403 if (!TEST_true(SSL_session_reused(clientssl)))
7407 if (!TEST_int_eq(gen_tick_called,
7409 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7410 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7412 || !TEST_int_eq(dec_tick_called, 1))
7418 SSL_SESSION_free(clntsess);
7419 SSL_free(serverssl);
7420 SSL_free(clientssl);
7428 * Test incorrect shutdown.
7429 * Test 0: client does not shutdown properly,
7430 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7431 * server should get SSL_ERROR_SSL
7432 * Test 1: client does not shutdown properly,
7433 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7434 * server should get SSL_ERROR_ZERO_RETURN
7436 static int test_incorrect_shutdown(int tst)
7438 SSL_CTX *cctx = NULL, *sctx = NULL;
7439 SSL *clientssl = NULL, *serverssl = NULL;
7444 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7445 TLS_client_method(), 0, 0,
7446 &sctx, &cctx, cert, privkey)))
7450 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7452 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7456 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7460 c2s = SSL_get_rbio(serverssl);
7461 BIO_set_mem_eof_return(c2s, 0);
7463 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7466 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7468 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7474 SSL_free(serverssl);
7475 SSL_free(clientssl);
7483 * Test bi-directional shutdown.
7485 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7486 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7487 * Test 3: TLSv1.3, pending NewSessionTicket messages
7488 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7489 * sends key update, client reads it
7490 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7491 * sends CertificateRequest, client reads and ignores it
7492 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7495 static int test_shutdown(int tst)
7497 SSL_CTX *cctx = NULL, *sctx = NULL;
7498 SSL *clientssl = NULL, *serverssl = NULL;
7500 char msg[] = "A test message";
7502 size_t written, readbytes;
7505 #ifdef OPENSSL_NO_TLS1_2
7509 #ifdef OSSL_NO_USABLE_TLS1_3
7514 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7515 TLS_client_method(),
7517 (tst <= 1) ? TLS1_2_VERSION
7519 &sctx, &cctx, cert, privkey)))
7523 SSL_CTX_set_post_handshake_auth(cctx, 1);
7525 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7530 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7532 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7533 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7535 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7537 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7538 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7542 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7547 * Reading on the server after the client has sent close_notify should
7548 * fail and provide SSL_ERROR_ZERO_RETURN
7550 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7551 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7552 SSL_ERROR_ZERO_RETURN)
7553 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7554 SSL_RECEIVED_SHUTDOWN)
7556 * Even though we're shutdown on receive we should still be
7559 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7562 && !TEST_true(SSL_key_update(serverssl,
7563 SSL_KEY_UPDATE_REQUESTED)))
7566 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7567 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7570 if ((tst == 4 || tst == 5)
7571 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7573 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7575 if (tst == 4 || tst == 5) {
7576 /* Should still be able to read data from server */
7577 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7579 || !TEST_size_t_eq(readbytes, sizeof(msg))
7580 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7581 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7583 || !TEST_size_t_eq(readbytes, sizeof(msg))
7584 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7589 /* Writing on the client after sending close_notify shouldn't be possible */
7590 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7595 * For these tests the client has sent close_notify but it has not yet
7596 * been received by the server. The server has not sent close_notify
7599 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7601 * Writing on the server after sending close_notify shouldn't
7604 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7605 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7606 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7607 || !TEST_true(SSL_SESSION_is_resumable(sess))
7608 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7610 } else if (tst == 4 || tst == 5) {
7612 * In this test the client has sent close_notify and it has been
7613 * received by the server which has responded with a close_notify. The
7614 * client needs to read the close_notify sent by the server.
7616 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7617 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7618 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7624 * The client has sent close_notify and is expecting a close_notify
7625 * back, but instead there is application data first. The shutdown
7626 * should fail with a fatal error.
7628 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7629 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7636 SSL_free(serverssl);
7637 SSL_free(clientssl);
7644 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7645 static int cert_cb_cnt;
7647 static int cert_cb(SSL *s, void *arg)
7649 SSL_CTX *ctx = (SSL_CTX *)arg;
7651 EVP_PKEY *pkey = NULL;
7652 X509 *x509 = NULL, *rootx = NULL;
7653 STACK_OF(X509) *chain = NULL;
7654 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7657 if (cert_cb_cnt == 0) {
7658 /* Suspend the handshake */
7661 } else if (cert_cb_cnt == 1) {
7663 * Update the SSL_CTX, set the certificate and private key and then
7664 * continue the handshake normally.
7666 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7669 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7670 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7672 || !TEST_true(SSL_check_private_key(s)))
7676 } else if (cert_cb_cnt == 3) {
7679 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7680 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7681 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7682 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7684 chain = sk_X509_new_null();
7685 if (!TEST_ptr(chain))
7687 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7688 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7689 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
7690 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
7691 || !TEST_true(sk_X509_push(chain, rootx)))
7695 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7696 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7697 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
7698 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7701 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7702 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7703 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7707 rv = SSL_check_chain(s, x509, pkey, chain);
7709 * If the cert doesn't show as valid here (e.g., because we don't
7710 * have any shared sigalgs), then we will not set it, and there will
7711 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7712 * will cause tls_choose_sigalgs() to fail the connection.
7714 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7715 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7716 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7723 /* Abort the handshake */
7725 OPENSSL_free(ecdsacert);
7726 OPENSSL_free(ecdsakey);
7727 OPENSSL_free(rootfile);
7729 EVP_PKEY_free(pkey);
7732 sk_X509_pop_free(chain, X509_free);
7737 * Test the certificate callback.
7738 * Test 0: Callback fails
7739 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7740 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7741 * Test 3: Success - Call SSL_check_chain from the callback
7742 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7744 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7746 static int test_cert_cb_int(int prot, int tst)
7748 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7749 SSL *clientssl = NULL, *serverssl = NULL;
7750 int testresult = 0, ret;
7752 #ifdef OPENSSL_NO_EC
7753 /* We use an EC cert in these tests, so we skip in a no-ec build */
7758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7759 TLS_client_method(),
7762 &sctx, &cctx, NULL, NULL)))
7773 snictx = SSL_CTX_new(TLS_server_method());
7774 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7776 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7782 * We cause SSL_check_chain() to fail by specifying sig_algs that
7783 * the chain doesn't meet (the root uses an RSA cert)
7785 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7786 "ecdsa_secp256r1_sha256")))
7788 } else if (tst == 5) {
7790 * We cause SSL_check_chain() to fail by specifying sig_algs that
7791 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7793 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7794 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7798 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7799 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7801 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7808 SSL_free(serverssl);
7809 SSL_free(clientssl);
7812 SSL_CTX_free(snictx);
7818 static int test_cert_cb(int tst)
7822 #ifndef OPENSSL_NO_TLS1_2
7823 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7825 #ifndef OSSL_NO_USABLE_TLS1_3
7826 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7832 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7837 BIO *priv_in = NULL;
7839 /* Check that SSL_get0_peer_certificate() returns something sensible */
7840 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
7843 in = BIO_new_file(cert, "r");
7847 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
7848 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7849 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
7850 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7868 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7873 static int test_client_cert_cb(int tst)
7875 SSL_CTX *cctx = NULL, *sctx = NULL;
7876 SSL *clientssl = NULL, *serverssl = NULL;
7879 #ifdef OPENSSL_NO_TLS1_2
7883 #ifdef OSSL_NO_USABLE_TLS1_3
7888 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7889 TLS_client_method(),
7891 tst == 0 ? TLS1_2_VERSION
7893 &sctx, &cctx, cert, privkey)))
7897 * Test that setting a client_cert_cb results in a client certificate being
7900 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7901 SSL_CTX_set_verify(sctx,
7902 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7914 SSL_free(serverssl);
7915 SSL_free(clientssl);
7922 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7924 * Test setting certificate authorities on both client and server.
7926 * Test 0: SSL_CTX_set0_CA_list() only
7927 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7928 * Test 2: Only SSL_CTX_set_client_CA_list()
7930 static int test_ca_names_int(int prot, int tst)
7932 SSL_CTX *cctx = NULL, *sctx = NULL;
7933 SSL *clientssl = NULL, *serverssl = NULL;
7936 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7937 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7938 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7939 const STACK_OF(X509_NAME) *sktmp = NULL;
7941 for (i = 0; i < OSSL_NELEM(name); i++) {
7942 name[i] = X509_NAME_new();
7943 if (!TEST_ptr(name[i])
7944 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7952 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7953 TLS_client_method(),
7956 &sctx, &cctx, cert, privkey)))
7959 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7961 if (tst == 0 || tst == 1) {
7962 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7963 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7964 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7965 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7966 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7967 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7970 SSL_CTX_set0_CA_list(sctx, sk1);
7971 SSL_CTX_set0_CA_list(cctx, sk2);
7974 if (tst == 1 || tst == 2) {
7975 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7976 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7977 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7978 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7979 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7980 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7983 SSL_CTX_set_client_CA_list(sctx, sk1);
7984 SSL_CTX_set_client_CA_list(cctx, sk2);
7988 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7990 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7995 * We only expect certificate authorities to have been sent to the server
7996 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7998 sktmp = SSL_get0_peer_CA_list(serverssl);
7999 if (prot == TLS1_3_VERSION
8000 && (tst == 0 || tst == 1)) {
8001 if (!TEST_ptr(sktmp)
8002 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8003 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8005 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8008 } else if (!TEST_ptr_null(sktmp)) {
8013 * In all tests we expect certificate authorities to have been sent to the
8014 * client. However, SSL_set_client_CA_list() should override
8015 * SSL_set0_CA_list()
8017 sktmp = SSL_get0_peer_CA_list(clientssl);
8018 if (!TEST_ptr(sktmp)
8019 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8020 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8021 name[tst == 0 ? 0 : 2]), 0)
8022 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8023 name[tst == 0 ? 1 : 3]), 0))
8029 SSL_free(serverssl);
8030 SSL_free(clientssl);
8033 for (i = 0; i < OSSL_NELEM(name); i++)
8034 X509_NAME_free(name[i]);
8035 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8036 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8042 static int test_ca_names(int tst)
8046 #ifndef OPENSSL_NO_TLS1_2
8047 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8049 #ifndef OSSL_NO_USABLE_TLS1_3
8050 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8056 #ifndef OPENSSL_NO_TLS1_2
8057 static const char *multiblock_cipherlist_data[]=
8065 /* Reduce the fragment size - so the multiblock test buffer can be small */
8066 # define MULTIBLOCK_FRAGSIZE 512
8068 static int test_multiblock_write(int test_index)
8070 static const char *fetchable_ciphers[]=
8072 "AES-128-CBC-HMAC-SHA1",
8073 "AES-128-CBC-HMAC-SHA256",
8074 "AES-256-CBC-HMAC-SHA1",
8075 "AES-256-CBC-HMAC-SHA256"
8077 const char *cipherlist = multiblock_cipherlist_data[test_index];
8078 const SSL_METHOD *smeth = TLS_server_method();
8079 const SSL_METHOD *cmeth = TLS_client_method();
8080 int min_version = TLS1_VERSION;
8081 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8082 SSL_CTX *cctx = NULL, *sctx = NULL;
8083 SSL *clientssl = NULL, *serverssl = NULL;
8087 * Choose a buffer large enough to perform a multi-block operation
8088 * i.e: write_len >= 4 * frag_size
8089 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8091 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8092 unsigned char buf[sizeof(msg)], *p = buf;
8093 size_t readbytes, written, len;
8094 EVP_CIPHER *ciph = NULL;
8097 * Check if the cipher exists before attempting to use it since it only has
8098 * a hardware specific implementation.
8100 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8102 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8105 EVP_CIPHER_free(ciph);
8107 /* Set up a buffer with some data that will be sent to the client */
8108 RAND_bytes(msg, sizeof(msg));
8110 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8111 max_version, &sctx, &cctx, cert,
8115 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8118 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8122 /* settings to force it to use AES-CBC-HMAC_SHA */
8123 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8124 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8127 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8130 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8131 || !TEST_size_t_eq(written, sizeof(msg)))
8136 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8141 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8146 SSL_free(serverssl);
8147 SSL_free(clientssl);
8153 #endif /* OPENSSL_NO_TLS1_2 */
8155 static int test_session_timeout(int test)
8158 * Test session ordering and timeout
8159 * Can't explicitly test performance of the new code,
8160 * but can test to see if the ordering of the sessions
8161 * are correct, and they they are removed as expected
8163 SSL_SESSION *early = NULL;
8164 SSL_SESSION *middle = NULL;
8165 SSL_SESSION *late = NULL;
8168 long now = (long)time(NULL);
8171 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8172 || !TEST_ptr(early = SSL_SESSION_new())
8173 || !TEST_ptr(middle = SSL_SESSION_new())
8174 || !TEST_ptr(late = SSL_SESSION_new()))
8177 /* assign unique session ids */
8178 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8179 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8180 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8181 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8182 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8183 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8185 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8186 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8187 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8190 /* Make sure they are all added */
8191 if (!TEST_ptr(early->prev)
8192 || !TEST_ptr(middle->prev)
8193 || !TEST_ptr(late->prev))
8196 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8197 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8198 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8201 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8202 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8203 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8206 /* Make sure they are all still there */
8207 if (!TEST_ptr(early->prev)
8208 || !TEST_ptr(middle->prev)
8209 || !TEST_ptr(late->prev))
8212 /* Make sure they are in the expected order */
8213 if (!TEST_ptr_eq(late->next, middle)
8214 || !TEST_ptr_eq(middle->next, early)
8215 || !TEST_ptr_eq(early->prev, middle)
8216 || !TEST_ptr_eq(middle->prev, late))
8219 /* This should remove "early" */
8220 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8221 if (!TEST_ptr_null(early->prev)
8222 || !TEST_ptr(middle->prev)
8223 || !TEST_ptr(late->prev))
8226 /* This should remove "middle" */
8227 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8228 if (!TEST_ptr_null(early->prev)
8229 || !TEST_ptr_null(middle->prev)
8230 || !TEST_ptr(late->prev))
8233 /* This should remove "late" */
8234 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8235 if (!TEST_ptr_null(early->prev)
8236 || !TEST_ptr_null(middle->prev)
8237 || !TEST_ptr_null(late->prev))
8240 /* Add them back in again */
8241 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8242 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8243 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8246 /* Make sure they are all added */
8247 if (!TEST_ptr(early->prev)
8248 || !TEST_ptr(middle->prev)
8249 || !TEST_ptr(late->prev))
8252 /* This should remove all of them */
8253 SSL_CTX_flush_sessions(ctx, 0);
8254 if (!TEST_ptr_null(early->prev)
8255 || !TEST_ptr_null(middle->prev)
8256 || !TEST_ptr_null(late->prev))
8259 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8260 | SSL_CTX_get_session_cache_mode(ctx));
8262 /* make sure |now| is NOT equal to the current time */
8264 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8265 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8266 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8272 SSL_SESSION_free(early);
8273 SSL_SESSION_free(middle);
8274 SSL_SESSION_free(late);
8279 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8280 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8281 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8282 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8283 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8284 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8285 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8286 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8287 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8288 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8290 static int test_servername(int tst)
8292 SSL_CTX *cctx = NULL, *sctx = NULL;
8293 SSL *clientssl = NULL, *serverssl = NULL;
8295 SSL_SESSION *sess = NULL;
8296 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8298 #ifdef OPENSSL_NO_TLS1_2
8302 #ifdef OSSL_NO_USABLE_TLS1_3
8307 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8308 TLS_client_method(),
8310 (tst <= 4) ? TLS1_2_VERSION
8312 &sctx, &cctx, cert, privkey))
8313 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8317 if (tst != 1 && tst != 6) {
8318 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8323 if (tst != 3 && tst != 8) {
8324 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8326 sexpectedhost = cexpectedhost = "goodhost";
8329 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8332 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8334 || !TEST_str_eq(SSL_get_servername(serverssl,
8335 TLSEXT_NAMETYPE_host_name),
8339 /* Now repeat with a resumption handshake */
8341 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8342 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8343 || !TEST_true(SSL_SESSION_is_resumable(sess))
8344 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8347 SSL_free(clientssl);
8348 SSL_free(serverssl);
8349 clientssl = serverssl = NULL;
8351 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8355 if (!TEST_true(SSL_set_session(clientssl, sess)))
8358 sexpectedhost = cexpectedhost = "goodhost";
8359 if (tst == 2 || tst == 7) {
8360 /* Set an inconsistent hostname */
8361 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8364 * In TLSv1.2 we expect the hostname from the original handshake, in
8365 * TLSv1.3 we expect the hostname from this handshake
8368 sexpectedhost = cexpectedhost = "altgoodhost";
8370 if (!TEST_str_eq(SSL_get_servername(clientssl,
8371 TLSEXT_NAMETYPE_host_name),
8374 } else if (tst == 4 || tst == 9) {
8376 * A TLSv1.3 session does not associate a session with a servername,
8377 * but a TLSv1.2 session does.
8380 sexpectedhost = cexpectedhost = NULL;
8382 if (!TEST_str_eq(SSL_get_servername(clientssl,
8383 TLSEXT_NAMETYPE_host_name),
8387 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8390 * In a TLSv1.2 resumption where the hostname was not acknowledged
8391 * we expect the hostname on the server to be empty. On the client we
8392 * return what was requested in this case.
8394 * Similarly if the client didn't set a hostname on an original TLSv1.2
8395 * session but is now, the server hostname will be empty, but the client
8398 if (tst == 1 || tst == 3)
8399 sexpectedhost = NULL;
8401 if (!TEST_str_eq(SSL_get_servername(clientssl,
8402 TLSEXT_NAMETYPE_host_name),
8407 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8410 if (!TEST_true(SSL_session_reused(clientssl))
8411 || !TEST_true(SSL_session_reused(serverssl))
8412 || !TEST_str_eq(SSL_get_servername(clientssl,
8413 TLSEXT_NAMETYPE_host_name),
8415 || !TEST_str_eq(SSL_get_servername(serverssl,
8416 TLSEXT_NAMETYPE_host_name),
8423 SSL_SESSION_free(sess);
8424 SSL_free(serverssl);
8425 SSL_free(clientssl);
8432 #if !defined(OPENSSL_NO_EC) \
8433 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8435 * Test that if signature algorithms are not available, then we do not offer or
8437 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8438 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8439 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8440 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8441 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8442 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8444 static int test_sigalgs_available(int idx)
8446 SSL_CTX *cctx = NULL, *sctx = NULL;
8447 SSL *clientssl = NULL, *serverssl = NULL;
8449 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8450 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
8451 OSSL_PROVIDER *filterprov = NULL;
8454 if (!TEST_ptr(tmpctx))
8457 if (idx != 0 && idx != 3) {
8458 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8459 filter_provider_init)))
8462 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8463 if (!TEST_ptr(filterprov))
8468 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8469 * or accepted for the peer that uses this libctx. Note that libssl
8470 * *requires* SHA2-256 to be available so we cannot disable that. We
8471 * also need SHA1 for our certificate.
8473 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8477 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8479 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8484 if (idx == 1 || idx == 4)
8490 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8491 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
8492 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8496 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8497 TLS_client_method(),
8500 &sctx, &cctx, cert, privkey)))
8503 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8504 TLS_client_method(),
8507 &sctx, &cctx, cert2, privkey2)))
8511 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8513 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8514 "ECDHE-RSA-AES128-GCM-SHA256")))
8517 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8518 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8523 if (!SSL_CTX_set1_sigalgs_list(cctx,
8524 "rsa_pss_rsae_sha384"
8525 ":rsa_pss_rsae_sha256")
8526 || !SSL_CTX_set1_sigalgs_list(sctx,
8527 "rsa_pss_rsae_sha384"
8528 ":rsa_pss_rsae_sha256"))
8531 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8532 || !SSL_CTX_set1_sigalgs_list(sctx,
8533 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8538 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8539 SSL_FILETYPE_PEM), 1)
8540 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8542 SSL_FILETYPE_PEM), 1)
8543 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
8546 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8550 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8553 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8554 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8556 (idx == 0 || idx == 3) ? 2 : 1))
8559 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8562 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8566 testresult = filter_provider_check_clean_finish();
8569 SSL_free(serverssl);
8570 SSL_free(clientssl);
8573 OSSL_PROVIDER_unload(filterprov);
8574 OSSL_LIB_CTX_free(tmpctx);
8579 * !defined(OPENSSL_NO_EC) \
8580 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8583 #ifndef OPENSSL_NO_TLS1_3
8584 /* This test can run in TLSv1.3 even if ec and dh are disabled */
8585 static int test_pluggable_group(int idx)
8587 SSL_CTX *cctx = NULL, *sctx = NULL;
8588 SSL *clientssl = NULL, *serverssl = NULL;
8590 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8591 /* Check that we are not impacted by a provider without any groups */
8592 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8593 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8595 if (!TEST_ptr(tlsprov))
8598 if (legacyprov == NULL) {
8600 * In this case we assume we've been built with "no-legacy" and skip
8601 * this test (there is no OPENSSL_NO_LEGACY)
8607 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8608 TLS_client_method(),
8611 &sctx, &cctx, cert, privkey))
8612 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8616 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8617 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8620 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8623 if (!TEST_str_eq(group_name,
8624 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8630 SSL_free(serverssl);
8631 SSL_free(clientssl);
8634 OSSL_PROVIDER_unload(tlsprov);
8635 OSSL_PROVIDER_unload(legacyprov);
8641 #ifndef OPENSSL_NO_TLS1_2
8642 static int test_ssl_dup(void)
8644 SSL_CTX *cctx = NULL, *sctx = NULL;
8645 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8647 BIO *rbio = NULL, *wbio = NULL;
8649 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8650 TLS_client_method(),
8653 &sctx, &cctx, cert, privkey)))
8656 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8660 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8661 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8664 client2ssl = SSL_dup(clientssl);
8665 rbio = SSL_get_rbio(clientssl);
8667 || !TEST_true(BIO_up_ref(rbio)))
8669 SSL_set0_rbio(client2ssl, rbio);
8672 wbio = SSL_get_wbio(clientssl);
8673 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8675 SSL_set0_wbio(client2ssl, wbio);
8678 if (!TEST_ptr(client2ssl)
8679 /* Handshake not started so pointers should be different */
8680 || !TEST_ptr_ne(clientssl, client2ssl))
8683 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8684 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8687 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8690 SSL_free(clientssl);
8691 clientssl = SSL_dup(client2ssl);
8692 if (!TEST_ptr(clientssl)
8693 /* Handshake has finished so pointers should be the same */
8694 || !TEST_ptr_eq(clientssl, client2ssl))
8700 SSL_free(serverssl);
8701 SSL_free(clientssl);
8702 SSL_free(client2ssl);
8709 # ifndef OPENSSL_NO_DH
8711 static EVP_PKEY *tmp_dh_params = NULL;
8713 /* Helper function for the test_set_tmp_dh() tests */
8714 static EVP_PKEY *get_tmp_dh_params(void)
8716 if (tmp_dh_params == NULL) {
8718 OSSL_PARAM_BLD *tmpl = NULL;
8719 EVP_PKEY_CTX *pctx = NULL;
8720 OSSL_PARAM *params = NULL;
8721 EVP_PKEY *dhpkey = NULL;
8723 p = BN_get_rfc3526_prime_2048(NULL);
8727 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8729 || !TEST_true(EVP_PKEY_fromdata_init(pctx)))
8732 tmpl = OSSL_PARAM_BLD_new();
8734 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8735 OSSL_PKEY_PARAM_FFC_P,
8737 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8738 OSSL_PKEY_PARAM_FFC_G,
8742 params = OSSL_PARAM_BLD_to_param(tmpl);
8743 if (!TEST_ptr(params)
8744 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey,
8745 EVP_PKEY_KEY_PARAMETERS, params)))
8748 tmp_dh_params = dhpkey;
8751 EVP_PKEY_CTX_free(pctx);
8752 OSSL_PARAM_BLD_free(tmpl);
8753 OSSL_PARAM_free(params);
8756 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
8759 return tmp_dh_params;
8762 # ifndef OPENSSL_NO_DEPRECATED_3_0
8763 /* Callback used by test_set_tmp_dh() */
8764 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8766 EVP_PKEY *dhpkey = get_tmp_dh_params();
8769 if (!TEST_ptr(dhpkey))
8773 * libssl does not free the returned DH, so we free it now knowing that even
8774 * after we free dhpkey, there will still be a reference to the owning
8775 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
8776 * of time we need it for.
8778 ret = EVP_PKEY_get1_DH(dhpkey);
8781 EVP_PKEY_free(dhpkey);
8788 * Test the various methods for setting temporary DH parameters
8790 * Test 0: Default (no auto) setting
8791 * Test 1: Explicit SSL_CTX auto off
8792 * Test 2: Explicit SSL auto off
8793 * Test 3: Explicit SSL_CTX auto on
8794 * Test 4: Explicit SSL auto on
8795 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8796 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8798 * The following are testing deprecated APIs, so we only run them if available
8799 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8800 * Test 8: Explicit SSL auto off, custom DH params via DH
8801 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8802 * Test 10: Explicit SSL auto off, custom DH params via callback
8804 static int test_set_tmp_dh(int idx)
8806 SSL_CTX *cctx = NULL, *sctx = NULL;
8807 SSL *clientssl = NULL, *serverssl = NULL;
8809 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8810 int expected = (idx <= 2) ? 0 : 1;
8811 EVP_PKEY *dhpkey = NULL;
8812 # ifndef OPENSSL_NO_DEPRECATED_3_0
8820 if (idx >= 5 && idx <= 8) {
8821 dhpkey = get_tmp_dh_params();
8822 if (!TEST_ptr(dhpkey))
8825 # ifndef OPENSSL_NO_DEPRECATED_3_0
8826 if (idx == 7 || idx == 8) {
8827 dh = EVP_PKEY_get1_DH(dhpkey);
8833 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8834 TLS_client_method(),
8837 &sctx, &cctx, cert, privkey)))
8840 if ((idx & 1) == 1) {
8841 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8846 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8850 # ifndef OPENSSL_NO_DEPRECATED_3_0
8851 else if (idx == 7) {
8852 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8854 } else if (idx == 9) {
8855 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8859 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8863 if ((idx & 1) == 0 && idx != 0) {
8864 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8868 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8872 # ifndef OPENSSL_NO_DEPRECATED_3_0
8873 else if (idx == 8) {
8874 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8876 } else if (idx == 10) {
8877 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8881 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8882 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8883 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8887 * If autoon then we should succeed. Otherwise we expect failure because
8888 * there are no parameters
8890 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8891 SSL_ERROR_NONE), expected))
8897 # ifndef OPENSSL_NO_DEPRECATED_3_0
8900 SSL_free(serverssl);
8901 SSL_free(clientssl);
8904 EVP_PKEY_free(dhpkey);
8910 * Test the auto DH keys are appropriately sized
8912 static int test_dh_auto(int idx)
8914 SSL_CTX *cctx = NULL, *sctx = NULL;
8915 SSL *clientssl = NULL, *serverssl = NULL;
8917 EVP_PKEY *tmpkey = NULL;
8918 char *thiscert = NULL, *thiskey = NULL;
8919 size_t expdhsize = 0;
8920 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8924 /* The FIPS provider doesn't support this DH size - so we ignore it */
8927 thiscert = cert1024;
8928 thiskey = privkey1024;
8932 /* 2048 bit prime */
8938 thiscert = cert3072;
8939 thiskey = privkey3072;
8943 thiscert = cert4096;
8944 thiskey = privkey4096;
8948 thiscert = cert8192;
8949 thiskey = privkey8192;
8952 /* No certificate cases */
8954 /* The FIPS provider doesn't support this DH size - so we ignore it */
8957 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8961 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8965 TEST_error("Invalid text index");
8969 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8970 TLS_client_method(),
8973 &sctx, &cctx, thiscert, thiskey)))
8976 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8980 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8981 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8982 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8983 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8984 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8988 * Send the server's first flight. At this point the server has created the
8989 * temporary DH key but hasn't finished using it yet. Once used it is
8990 * removed, so we cannot test it.
8992 if (!TEST_int_le(SSL_connect(clientssl), 0)
8993 || !TEST_int_le(SSL_accept(serverssl), 0))
8996 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8998 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9001 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9007 SSL_free(serverssl);
9008 SSL_free(clientssl);
9011 EVP_PKEY_free(tmpkey);
9016 # endif /* OPENSSL_NO_DH */
9017 #endif /* OPENSSL_NO_TLS1_2 */
9019 #ifndef OSSL_NO_USABLE_TLS1_3
9021 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9022 * that it works even without a certificate configured for the original
9025 static int test_sni_tls13(void)
9027 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9028 SSL *clientssl = NULL, *serverssl = NULL;
9031 /* Reset callback counter */
9034 /* Create an initial SSL_CTX with no certificate configured */
9035 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9036 if (!TEST_ptr(sctx))
9038 /* Require TLSv1.3 as a minimum */
9039 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9040 TLS_client_method(), TLS1_3_VERSION, 0,
9041 &sctx2, &cctx, cert, privkey)))
9045 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9046 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9050 * Connection should still succeed because the final SSL_CTX has the right
9051 * certificates configured.
9053 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9054 &clientssl, NULL, NULL))
9055 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9059 /* We should have had the SNI callback called exactly once */
9060 if (!TEST_int_eq(snicb, 1))
9066 SSL_free(serverssl);
9067 SSL_free(clientssl);
9068 SSL_CTX_free(sctx2);
9075 * Test that setting an ALPN does not violate RFC
9077 static int test_set_alpn(void)
9079 SSL_CTX *ctx = NULL;
9083 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9084 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9085 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9086 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9087 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9088 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9090 /* Create an initial SSL_CTX with no certificate configured */
9091 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9095 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9096 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9098 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9100 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9102 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9104 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9106 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9108 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9110 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9112 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9119 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9121 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9123 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9125 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9127 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9129 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9131 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9133 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9135 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9146 static int test_inherit_verify_param(void)
9150 SSL_CTX *ctx = NULL;
9151 X509_VERIFY_PARAM *cp = NULL;
9153 X509_VERIFY_PARAM *sp = NULL;
9154 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9156 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9160 cp = SSL_CTX_get0_param(ctx);
9163 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9166 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9172 sp = SSL_get0_param(ssl);
9175 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9187 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
9189 int setup_tests(void)
9194 libctx = OSSL_LIB_CTX_new();
9195 if (!TEST_ptr(libctx))
9198 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9201 * Verify that the default and fips providers in the default libctx are not
9204 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9205 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9208 if (!test_skip_common_options()) {
9209 TEST_error("Error parsing test options\n");
9213 if (!TEST_ptr(certsdir = test_get_argument(0))
9214 || !TEST_ptr(srpvfile = test_get_argument(1))
9215 || !TEST_ptr(tmpfilename = test_get_argument(2))
9216 || !TEST_ptr(modulename = test_get_argument(3))
9217 || !TEST_ptr(configfile = test_get_argument(4)))
9220 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
9223 /* Check we have the expected provider available */
9224 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9227 /* Check the default provider is not available */
9228 if (strcmp(modulename, "default") != 0
9229 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
9232 if (strcmp(modulename, "fips") == 0)
9236 * We add, but don't load the test "tls-provider". We'll load it when we
9239 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9240 tls_provider_init)))
9244 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9245 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
9246 TEST_error("not supported in this build");
9249 int i, mcount, rcount, fcount;
9251 for (i = 0; i < 4; i++)
9252 test_export_key_mat(i);
9253 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9254 test_printf_stdout("malloc %d realloc %d free %d\n",
9255 mcount, rcount, fcount);
9260 cert = test_mk_file_path(certsdir, "servercert.pem");
9264 privkey = test_mk_file_path(certsdir, "serverkey.pem");
9265 if (privkey == NULL)
9268 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9272 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9273 if (privkey2 == NULL)
9276 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9277 if (cert1024 == NULL)
9280 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9281 if (privkey1024 == NULL)
9284 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9285 if (cert3072 == NULL)
9288 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9289 if (privkey3072 == NULL)
9292 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9293 if (cert4096 == NULL)
9296 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9297 if (privkey4096 == NULL)
9300 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9301 if (cert8192 == NULL)
9304 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9305 if (privkey8192 == NULL)
9308 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
9309 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9310 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9311 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
9314 ADD_TEST(test_large_message_tls);
9315 ADD_TEST(test_large_message_tls_read_ahead);
9316 #ifndef OPENSSL_NO_DTLS
9317 ADD_TEST(test_large_message_dtls);
9319 ADD_TEST(test_cleanse_plaintext);
9320 #ifndef OPENSSL_NO_OCSP
9321 ADD_TEST(test_tlsext_status_type);
9323 ADD_TEST(test_session_with_only_int_cache);
9324 ADD_TEST(test_session_with_only_ext_cache);
9325 ADD_TEST(test_session_with_both_cache);
9326 ADD_TEST(test_session_wo_ca_names);
9327 #ifndef OSSL_NO_USABLE_TLS1_3
9328 ADD_ALL_TESTS(test_stateful_tickets, 3);
9329 ADD_ALL_TESTS(test_stateless_tickets, 3);
9330 ADD_TEST(test_psk_tickets);
9331 ADD_ALL_TESTS(test_extra_tickets, 6);
9333 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9334 ADD_TEST(test_ssl_bio_pop_next_bio);
9335 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9336 ADD_TEST(test_ssl_bio_change_rbio);
9337 ADD_TEST(test_ssl_bio_change_wbio);
9338 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
9339 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
9340 ADD_TEST(test_keylog);
9342 #ifndef OSSL_NO_USABLE_TLS1_3
9343 ADD_TEST(test_keylog_no_master_key);
9345 ADD_TEST(test_client_cert_verify_cb);
9346 ADD_TEST(test_ssl_build_cert_chain);
9347 ADD_TEST(test_ssl_ctx_build_cert_chain);
9348 #ifndef OPENSSL_NO_TLS1_2
9349 ADD_TEST(test_client_hello_cb);
9350 ADD_TEST(test_no_ems);
9351 ADD_TEST(test_ccs_change_cipher);
9353 #ifndef OSSL_NO_USABLE_TLS1_3
9354 ADD_ALL_TESTS(test_early_data_read_write, 3);
9356 * We don't do replay tests for external PSK. Replay protection isn't used
9359 ADD_ALL_TESTS(test_early_data_replay, 2);
9360 ADD_ALL_TESTS(test_early_data_skip, 3);
9361 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
9362 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
9363 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
9364 ADD_ALL_TESTS(test_early_data_not_sent, 3);
9365 ADD_ALL_TESTS(test_early_data_psk, 8);
9366 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
9367 ADD_ALL_TESTS(test_early_data_not_expected, 3);
9368 # ifndef OPENSSL_NO_TLS1_2
9369 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
9372 #ifndef OSSL_NO_USABLE_TLS1_3
9373 ADD_ALL_TESTS(test_set_ciphersuite, 10);
9374 ADD_TEST(test_ciphersuite_change);
9375 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9376 # ifdef OPENSSL_NO_PSK
9377 ADD_ALL_TESTS(test_tls13_psk, 1);
9379 ADD_ALL_TESTS(test_tls13_psk, 4);
9380 # endif /* OPENSSL_NO_PSK */
9381 # ifndef OPENSSL_NO_TLS1_2
9382 /* Test with both TLSv1.3 and 1.2 versions */
9383 ADD_ALL_TESTS(test_key_exchange, 14);
9384 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9385 ADD_ALL_TESTS(test_negotiated_group,
9386 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9387 + OSSL_NELEM(ffdhe_kexch_groups)));
9390 /* Test with only TLSv1.3 versions */
9391 ADD_ALL_TESTS(test_key_exchange, 12);
9393 ADD_ALL_TESTS(test_custom_exts, 5);
9394 ADD_TEST(test_stateless);
9395 ADD_TEST(test_pha_key_update);
9397 ADD_ALL_TESTS(test_custom_exts, 3);
9399 ADD_ALL_TESTS(test_serverinfo, 8);
9400 ADD_ALL_TESTS(test_export_key_mat, 6);
9401 #ifndef OSSL_NO_USABLE_TLS1_3
9402 ADD_ALL_TESTS(test_export_key_mat_early, 3);
9403 ADD_TEST(test_key_update);
9404 ADD_ALL_TESTS(test_key_update_in_write, 2);
9406 ADD_ALL_TESTS(test_ssl_clear, 2);
9407 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
9408 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9409 ADD_ALL_TESTS(test_srp, 6);
9411 ADD_ALL_TESTS(test_info_callback, 6);
9412 ADD_ALL_TESTS(test_ssl_pending, 2);
9413 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
9414 ADD_ALL_TESTS(test_ticket_callbacks, 16);
9415 ADD_ALL_TESTS(test_shutdown, 7);
9416 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
9417 ADD_ALL_TESTS(test_cert_cb, 6);
9418 ADD_ALL_TESTS(test_client_cert_cb, 2);
9419 ADD_ALL_TESTS(test_ca_names, 3);
9420 #ifndef OPENSSL_NO_TLS1_2
9421 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
9423 ADD_ALL_TESTS(test_servername, 10);
9424 #if !defined(OPENSSL_NO_EC) \
9425 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9426 ADD_ALL_TESTS(test_sigalgs_available, 6);
9428 #ifndef OPENSSL_NO_TLS1_3
9429 ADD_ALL_TESTS(test_pluggable_group, 2);
9431 #ifndef OPENSSL_NO_TLS1_2
9432 ADD_TEST(test_ssl_dup);
9433 # ifndef OPENSSL_NO_DH
9434 ADD_ALL_TESTS(test_set_tmp_dh, 11);
9435 ADD_ALL_TESTS(test_dh_auto, 7);
9438 #ifndef OSSL_NO_USABLE_TLS1_3
9439 ADD_TEST(test_sni_tls13);
9441 ADD_TEST(test_inherit_verify_param);
9442 ADD_TEST(test_set_alpn);
9443 ADD_ALL_TESTS(test_session_timeout, 1);
9448 OPENSSL_free(privkey);
9449 OPENSSL_free(cert2);
9450 OPENSSL_free(privkey2);
9454 void cleanup_tests(void)
9456 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
9457 EVP_PKEY_free(tmp_dh_params);
9460 OPENSSL_free(privkey);
9461 OPENSSL_free(cert2);
9462 OPENSSL_free(privkey2);
9463 OPENSSL_free(cert1024);
9464 OPENSSL_free(privkey1024);
9465 OPENSSL_free(cert3072);
9466 OPENSSL_free(privkey3072);
9467 OPENSSL_free(cert4096);
9468 OPENSSL_free(privkey4096);
9469 OPENSSL_free(cert8192);
9470 OPENSSL_free(privkey8192);
9471 bio_s_mempacket_test_free();
9472 bio_s_always_retry_free();
9473 OSSL_PROVIDER_unload(defctxnull);
9474 OSSL_LIB_CTX_free(libctx);