2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
37 #include "helpers/ssltestlib.h"
39 #include "testutil/output.h"
40 #include "internal/nelem.h"
41 #include "internal/ktls.h"
42 #include "../ssl/ssl_local.h"
43 #include "filterprov.h"
45 #undef OSSL_NO_USABLE_TLS1_3
46 #if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49 * If we don't have ec or dh then there are no built-in groups that are usable
52 # define OSSL_NO_USABLE_TLS1_3
55 /* Defined in tls-provider.c */
56 int tls_provider_init(const OSSL_CORE_HANDLE
*handle
,
57 const OSSL_DISPATCH
*in
,
58 const OSSL_DISPATCH
**out
,
61 static OSSL_LIB_CTX
*libctx
= NULL
;
62 static OSSL_PROVIDER
*defctxnull
= NULL
;
64 #ifndef OSSL_NO_USABLE_TLS1_3
66 static SSL_SESSION
*clientpsk
= NULL
;
67 static SSL_SESSION
*serverpsk
= NULL
;
68 static const char *pskid
= "Identity";
69 static const char *srvid
;
71 static int use_session_cb(SSL
*ssl
, const EVP_MD
*md
, const unsigned char **id
,
72 size_t *idlen
, SSL_SESSION
**sess
);
73 static int find_session_cb(SSL
*ssl
, const unsigned char *identity
,
74 size_t identity_len
, SSL_SESSION
**sess
);
76 static int use_session_cb_cnt
= 0;
77 static int find_session_cb_cnt
= 0;
79 static SSL_SESSION
*create_a_psk(SSL
*ssl
);
82 static char *certsdir
= NULL
;
83 static char *cert
= NULL
;
84 static char *privkey
= NULL
;
85 static char *cert2
= NULL
;
86 static char *privkey2
= NULL
;
87 static char *cert1024
= NULL
;
88 static char *privkey1024
= NULL
;
89 static char *cert3072
= NULL
;
90 static char *privkey3072
= NULL
;
91 static char *cert4096
= NULL
;
92 static char *privkey4096
= NULL
;
93 static char *cert8192
= NULL
;
94 static char *privkey8192
= NULL
;
95 static char *srpvfile
= NULL
;
96 static char *tmpfilename
= NULL
;
98 static int is_fips
= 0;
100 #define LOG_BUFFER_SIZE 2048
101 static char server_log_buffer
[LOG_BUFFER_SIZE
+ 1] = {0};
102 static size_t server_log_buffer_index
= 0;
103 static char client_log_buffer
[LOG_BUFFER_SIZE
+ 1] = {0};
104 static size_t client_log_buffer_index
= 0;
105 static int error_writing_log
= 0;
107 #ifndef OPENSSL_NO_OCSP
108 static const unsigned char orespder
[] = "Dummy OCSP Response";
109 static int ocsp_server_called
= 0;
110 static int ocsp_client_called
= 0;
112 static int cdummyarg
= 1;
113 static X509
*ocspcert
= NULL
;
116 #define NUM_EXTRA_CERTS 40
117 #define CLIENT_VERSION_LEN 2
120 * This structure is used to validate that the correct number of log messages
121 * of various types are emitted when emitting secret logs.
123 struct sslapitest_log_counts
{
124 unsigned int rsa_key_exchange_count
;
125 unsigned int master_secret_count
;
126 unsigned int client_early_secret_count
;
127 unsigned int client_handshake_secret_count
;
128 unsigned int server_handshake_secret_count
;
129 unsigned int client_application_secret_count
;
130 unsigned int server_application_secret_count
;
131 unsigned int early_exporter_secret_count
;
132 unsigned int exporter_secret_count
;
136 static unsigned char serverinfov1
[] = {
137 0xff, 0xff, /* Dummy extension type */
138 0x00, 0x01, /* Extension length is 1 byte */
139 0xff /* Dummy extension data */
142 static unsigned char serverinfov2
[] = {
144 (unsigned char)(SSL_EXT_CLIENT_HELLO
& 0xff), /* Dummy context - 4 bytes */
145 0xff, 0xff, /* Dummy extension type */
146 0x00, 0x01, /* Extension length is 1 byte */
147 0xff /* Dummy extension data */
150 static int hostname_cb(SSL
*s
, int *al
, void *arg
)
152 const char *hostname
= SSL_get_servername(s
, TLSEXT_NAMETYPE_host_name
);
154 if (hostname
!= NULL
&& (strcmp(hostname
, "goodhost") == 0
155 || strcmp(hostname
, "altgoodhost") == 0))
156 return SSL_TLSEXT_ERR_OK
;
158 return SSL_TLSEXT_ERR_NOACK
;
161 static void client_keylog_callback(const SSL
*ssl
, const char *line
)
163 int line_length
= strlen(line
);
165 /* If the log doesn't fit, error out. */
166 if (client_log_buffer_index
+ line_length
> sizeof(client_log_buffer
) - 1) {
167 TEST_info("Client log too full");
168 error_writing_log
= 1;
172 strcat(client_log_buffer
, line
);
173 client_log_buffer_index
+= line_length
;
174 client_log_buffer
[client_log_buffer_index
++] = '\n';
177 static void server_keylog_callback(const SSL
*ssl
, const char *line
)
179 int line_length
= strlen(line
);
181 /* If the log doesn't fit, error out. */
182 if (server_log_buffer_index
+ line_length
> sizeof(server_log_buffer
) - 1) {
183 TEST_info("Server log too full");
184 error_writing_log
= 1;
188 strcat(server_log_buffer
, line
);
189 server_log_buffer_index
+= line_length
;
190 server_log_buffer
[server_log_buffer_index
++] = '\n';
193 static int compare_hex_encoded_buffer(const char *hex_encoded
,
201 if (!TEST_size_t_eq(raw_length
* 2, hex_length
))
204 for (i
= j
= 0; i
< raw_length
&& j
+ 1 < hex_length
; i
++, j
+= 2) {
205 sprintf(hexed
, "%02x", raw
[i
]);
206 if (!TEST_int_eq(hexed
[0], hex_encoded
[j
])
207 || !TEST_int_eq(hexed
[1], hex_encoded
[j
+ 1]))
214 static int test_keylog_output(char *buffer
, const SSL
*ssl
,
215 const SSL_SESSION
*session
,
216 struct sslapitest_log_counts
*expected
)
219 unsigned char actual_client_random
[SSL3_RANDOM_SIZE
] = {0};
220 size_t client_random_size
= SSL3_RANDOM_SIZE
;
221 unsigned char actual_master_key
[SSL_MAX_MASTER_KEY_LENGTH
] = {0};
222 size_t master_key_size
= SSL_MAX_MASTER_KEY_LENGTH
;
223 unsigned int rsa_key_exchange_count
= 0;
224 unsigned int master_secret_count
= 0;
225 unsigned int client_early_secret_count
= 0;
226 unsigned int client_handshake_secret_count
= 0;
227 unsigned int server_handshake_secret_count
= 0;
228 unsigned int client_application_secret_count
= 0;
229 unsigned int server_application_secret_count
= 0;
230 unsigned int early_exporter_secret_count
= 0;
231 unsigned int exporter_secret_count
= 0;
233 for (token
= strtok(buffer
, " \n"); token
!= NULL
;
234 token
= strtok(NULL
, " \n")) {
235 if (strcmp(token
, "RSA") == 0) {
237 * Premaster secret. Tokens should be: 16 ASCII bytes of
238 * hex-encoded encrypted secret, then the hex-encoded pre-master
241 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
243 if (!TEST_size_t_eq(strlen(token
), 16))
245 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
248 * We can't sensibly check the log because the premaster secret is
249 * transient, and OpenSSL doesn't keep hold of it once the master
250 * secret is generated.
252 rsa_key_exchange_count
++;
253 } else if (strcmp(token
, "CLIENT_RANDOM") == 0) {
255 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
256 * client random, then the hex-encoded master secret.
258 client_random_size
= SSL_get_client_random(ssl
,
259 actual_client_random
,
261 if (!TEST_size_t_eq(client_random_size
, SSL3_RANDOM_SIZE
))
264 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
266 if (!TEST_size_t_eq(strlen(token
), 64))
268 if (!TEST_false(compare_hex_encoded_buffer(token
, 64,
269 actual_client_random
,
270 client_random_size
)))
273 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
275 master_key_size
= SSL_SESSION_get_master_key(session
,
278 if (!TEST_size_t_ne(master_key_size
, 0))
280 if (!TEST_false(compare_hex_encoded_buffer(token
, strlen(token
),
284 master_secret_count
++;
285 } else if (strcmp(token
, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
286 || strcmp(token
, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
287 || strcmp(token
, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token
, "CLIENT_TRAFFIC_SECRET_0") == 0
289 || strcmp(token
, "SERVER_TRAFFIC_SECRET_0") == 0
290 || strcmp(token
, "EARLY_EXPORTER_SECRET") == 0
291 || strcmp(token
, "EXPORTER_SECRET") == 0) {
293 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
294 * client random, and then the hex-encoded secret. In this case,
295 * we treat all of these secrets identically and then just
296 * distinguish between them when counting what we saw.
298 if (strcmp(token
, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
299 client_early_secret_count
++;
300 else if (strcmp(token
, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
301 client_handshake_secret_count
++;
302 else if (strcmp(token
, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
303 server_handshake_secret_count
++;
304 else if (strcmp(token
, "CLIENT_TRAFFIC_SECRET_0") == 0)
305 client_application_secret_count
++;
306 else if (strcmp(token
, "SERVER_TRAFFIC_SECRET_0") == 0)
307 server_application_secret_count
++;
308 else if (strcmp(token
, "EARLY_EXPORTER_SECRET") == 0)
309 early_exporter_secret_count
++;
310 else if (strcmp(token
, "EXPORTER_SECRET") == 0)
311 exporter_secret_count
++;
313 client_random_size
= SSL_get_client_random(ssl
,
314 actual_client_random
,
316 if (!TEST_size_t_eq(client_random_size
, SSL3_RANDOM_SIZE
))
319 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
321 if (!TEST_size_t_eq(strlen(token
), 64))
323 if (!TEST_false(compare_hex_encoded_buffer(token
, 64,
324 actual_client_random
,
325 client_random_size
)))
328 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
331 TEST_info("Unexpected token %s\n", token
);
336 /* Got what we expected? */
337 if (!TEST_size_t_eq(rsa_key_exchange_count
,
338 expected
->rsa_key_exchange_count
)
339 || !TEST_size_t_eq(master_secret_count
,
340 expected
->master_secret_count
)
341 || !TEST_size_t_eq(client_early_secret_count
,
342 expected
->client_early_secret_count
)
343 || !TEST_size_t_eq(client_handshake_secret_count
,
344 expected
->client_handshake_secret_count
)
345 || !TEST_size_t_eq(server_handshake_secret_count
,
346 expected
->server_handshake_secret_count
)
347 || !TEST_size_t_eq(client_application_secret_count
,
348 expected
->client_application_secret_count
)
349 || !TEST_size_t_eq(server_application_secret_count
,
350 expected
->server_application_secret_count
)
351 || !TEST_size_t_eq(early_exporter_secret_count
,
352 expected
->early_exporter_secret_count
)
353 || !TEST_size_t_eq(exporter_secret_count
,
354 expected
->exporter_secret_count
))
359 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
360 static int test_keylog(void)
362 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
363 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
365 struct sslapitest_log_counts expected
;
367 /* Clean up logging space */
368 memset(&expected
, 0, sizeof(expected
));
369 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
370 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
371 client_log_buffer_index
= 0;
372 server_log_buffer_index
= 0;
373 error_writing_log
= 0;
375 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
378 &sctx
, &cctx
, cert
, privkey
)))
381 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
382 SSL_CTX_set_options(cctx
, SSL_OP_NO_TLSv1_3
);
383 SSL_CTX_set_options(sctx
, SSL_OP_NO_TLSv1_3
);
385 /* We also want to ensure that we use RSA-based key exchange. */
386 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "RSA")))
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
) == NULL
)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx
) == NULL
))
392 SSL_CTX_set_keylog_callback(cctx
, client_keylog_callback
);
393 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
)
394 == client_keylog_callback
))
396 SSL_CTX_set_keylog_callback(sctx
, server_keylog_callback
);
397 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx
)
398 == server_keylog_callback
))
401 /* Now do a handshake and check that the logs have been written to. */
402 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
403 &clientssl
, NULL
, NULL
))
404 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
406 || !TEST_false(error_writing_log
)
407 || !TEST_int_gt(client_log_buffer_index
, 0)
408 || !TEST_int_gt(server_log_buffer_index
, 0))
412 * Now we want to test that our output data was vaguely sensible. We
413 * do that by using strtok and confirming that we have more or less the
414 * data we expect. For both client and server, we expect to see one master
415 * secret. The client should also see a RSA key exchange.
417 expected
.rsa_key_exchange_count
= 1;
418 expected
.master_secret_count
= 1;
419 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
420 SSL_get_session(clientssl
), &expected
)))
423 expected
.rsa_key_exchange_count
= 0;
424 if (!TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
425 SSL_get_session(serverssl
), &expected
)))
440 #ifndef OSSL_NO_USABLE_TLS1_3
441 static int test_keylog_no_master_key(void)
443 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
444 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
445 SSL_SESSION
*sess
= NULL
;
447 struct sslapitest_log_counts expected
;
448 unsigned char buf
[1];
449 size_t readbytes
, written
;
451 /* Clean up logging space */
452 memset(&expected
, 0, sizeof(expected
));
453 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
454 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
455 client_log_buffer_index
= 0;
456 server_log_buffer_index
= 0;
457 error_writing_log
= 0;
459 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
460 TLS_client_method(), TLS1_VERSION
, 0,
461 &sctx
, &cctx
, cert
, privkey
))
462 || !TEST_true(SSL_CTX_set_max_early_data(sctx
,
463 SSL3_RT_MAX_PLAIN_LENGTH
)))
466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
) == NULL
)
467 || !TEST_true(SSL_CTX_get_keylog_callback(sctx
) == NULL
))
470 SSL_CTX_set_keylog_callback(cctx
, client_keylog_callback
);
471 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
)
472 == client_keylog_callback
))
475 SSL_CTX_set_keylog_callback(sctx
, server_keylog_callback
);
476 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx
)
477 == server_keylog_callback
))
480 /* Now do a handshake and check that the logs have been written to. */
481 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
482 &clientssl
, NULL
, NULL
))
483 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
485 || !TEST_false(error_writing_log
))
489 * Now we want to test that our output data was vaguely sensible. For this
490 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
491 * TLSv1.3, but we do expect both client and server to emit keys.
493 expected
.client_handshake_secret_count
= 1;
494 expected
.server_handshake_secret_count
= 1;
495 expected
.client_application_secret_count
= 1;
496 expected
.server_application_secret_count
= 1;
497 expected
.exporter_secret_count
= 1;
498 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
499 SSL_get_session(clientssl
), &expected
))
500 || !TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
501 SSL_get_session(serverssl
),
505 /* Terminate old session and resume with early data. */
506 sess
= SSL_get1_session(clientssl
);
507 SSL_shutdown(clientssl
);
508 SSL_shutdown(serverssl
);
511 serverssl
= clientssl
= NULL
;
514 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
515 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
516 client_log_buffer_index
= 0;
517 server_log_buffer_index
= 0;
519 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
520 &clientssl
, NULL
, NULL
))
521 || !TEST_true(SSL_set_session(clientssl
, sess
))
522 /* Here writing 0 length early data is enough. */
523 || !TEST_true(SSL_write_early_data(clientssl
, NULL
, 0, &written
))
524 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
526 SSL_READ_EARLY_DATA_ERROR
)
527 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
528 SSL_EARLY_DATA_ACCEPTED
)
529 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
531 || !TEST_true(SSL_session_reused(clientssl
)))
534 /* In addition to the previous entries, expect early secrets. */
535 expected
.client_early_secret_count
= 1;
536 expected
.early_exporter_secret_count
= 1;
537 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
538 SSL_get_session(clientssl
), &expected
))
539 || !TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
540 SSL_get_session(serverssl
),
547 SSL_SESSION_free(sess
);
557 static int verify_retry_cb(X509_STORE_CTX
*ctx
, void *arg
)
559 int res
= X509_verify_cert(ctx
);
561 if (res
== 0 && X509_STORE_CTX_get_error(ctx
) ==
562 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
)
563 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
567 static int test_client_cert_verify_cb(void)
569 /* server key, cert, chain, and root */
570 char *skey
= test_mk_file_path(certsdir
, "leaf.key");
571 char *leaf
= test_mk_file_path(certsdir
, "leaf.pem");
572 char *int2
= test_mk_file_path(certsdir
, "subinterCA.pem");
573 char *int1
= test_mk_file_path(certsdir
, "interCA.pem");
574 char *root
= test_mk_file_path(certsdir
, "rootCA.pem");
575 X509
*crt1
= NULL
, *crt2
= NULL
;
576 STACK_OF(X509
) *server_chain
;
577 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
578 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
581 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
582 TLS_client_method(), TLS1_VERSION
, 0,
583 &sctx
, &cctx
, NULL
, NULL
)))
585 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx
, leaf
), 1)
586 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx
, skey
,
587 SSL_FILETYPE_PEM
), 1)
588 || !TEST_int_eq(SSL_CTX_check_private_key(sctx
), 1))
590 if (!TEST_true(SSL_CTX_load_verify_locations(cctx
, root
, NULL
)))
592 SSL_CTX_set_verify(cctx
, SSL_VERIFY_PEER
, NULL
);
593 SSL_CTX_set_cert_verify_callback(cctx
, verify_retry_cb
, NULL
);
594 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
595 &clientssl
, NULL
, NULL
)))
598 /* attempt SSL_connect() with incomplete server chain */
599 if (!TEST_false(create_ssl_connection(serverssl
, clientssl
,
600 SSL_ERROR_WANT_RETRY_VERIFY
)))
603 /* application provides intermediate certs needed to verify server cert */
604 if (!TEST_ptr((crt1
= load_cert_pem(int1
, libctx
)))
605 || !TEST_ptr((crt2
= load_cert_pem(int2
, libctx
)))
606 || !TEST_ptr((server_chain
= SSL_get_peer_cert_chain(clientssl
))))
608 /* add certs in reverse order to demonstrate real chain building */
609 if (!TEST_true(sk_X509_push(server_chain
, crt1
)))
612 if (!TEST_true(sk_X509_push(server_chain
, crt2
)))
616 /* continue SSL_connect(), must now succeed with completed server chain */
617 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
626 if (clientssl
!= NULL
) {
627 SSL_shutdown(clientssl
);
630 if (serverssl
!= NULL
) {
631 SSL_shutdown(serverssl
);
646 static int test_ssl_build_cert_chain(void)
649 SSL_CTX
*ssl_ctx
= NULL
;
651 char *skey
= test_mk_file_path(certsdir
, "leaf.key");
652 char *leaf_chain
= test_mk_file_path(certsdir
, "leaf-chain.pem");
654 if (!TEST_ptr(ssl_ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method())))
656 if (!TEST_ptr(ssl
= SSL_new(ssl_ctx
)))
658 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
659 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl
, leaf_chain
), 1)
660 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl
, skey
, SSL_FILETYPE_PEM
), 1)
661 || !TEST_int_eq(SSL_check_private_key(ssl
), 1))
663 if (!TEST_true(SSL_build_cert_chain(ssl
, SSL_BUILD_CHAIN_FLAG_NO_ROOT
664 | SSL_BUILD_CHAIN_FLAG_CHECK
)))
669 SSL_CTX_free(ssl_ctx
);
670 OPENSSL_free(leaf_chain
);
675 static int get_password_cb(char *buf
, int size
, int rw_flag
, void *userdata
)
677 static const char pass
[] = "testpass";
679 if (!TEST_int_eq(size
, PEM_BUFSIZE
))
682 memcpy(buf
, pass
, sizeof(pass
) - 1);
683 return sizeof(pass
) - 1;
686 static int test_ssl_ctx_build_cert_chain(void)
690 char *skey
= test_mk_file_path(certsdir
, "leaf-encrypted.key");
691 char *leaf_chain
= test_mk_file_path(certsdir
, "leaf-chain.pem");
693 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method())))
695 SSL_CTX_set_default_passwd_cb(ctx
, get_password_cb
);
696 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
697 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx
, leaf_chain
), 1)
698 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx
, skey
,
699 SSL_FILETYPE_PEM
), 1)
700 || !TEST_int_eq(SSL_CTX_check_private_key(ctx
), 1))
702 if (!TEST_true(SSL_CTX_build_cert_chain(ctx
, SSL_BUILD_CHAIN_FLAG_NO_ROOT
703 | SSL_BUILD_CHAIN_FLAG_CHECK
)))
708 OPENSSL_free(leaf_chain
);
713 #ifndef OPENSSL_NO_TLS1_2
714 static int full_client_hello_callback(SSL
*s
, int *al
, void *arg
)
717 const unsigned char *p
;
719 /* We only configure two ciphers, but the SCSV is added automatically. */
721 const unsigned char expected_ciphers
[] = {0x00, 0x9d, 0x00, 0xff};
723 const unsigned char expected_ciphers
[] = {0x00, 0x9d, 0xc0,
726 const int expected_extensions
[] = {
727 #ifndef OPENSSL_NO_EC
733 /* Make sure we can defer processing and get called back. */
735 return SSL_CLIENT_HELLO_RETRY
;
737 len
= SSL_client_hello_get0_ciphers(s
, &p
);
738 if (!TEST_mem_eq(p
, len
, expected_ciphers
, sizeof(expected_ciphers
))
740 SSL_client_hello_get0_compression_methods(s
, &p
), 1)
741 || !TEST_int_eq(*p
, 0))
742 return SSL_CLIENT_HELLO_ERROR
;
743 if (!SSL_client_hello_get1_extensions_present(s
, &exts
, &len
))
744 return SSL_CLIENT_HELLO_ERROR
;
745 if (len
!= OSSL_NELEM(expected_extensions
) ||
746 memcmp(exts
, expected_extensions
, len
* sizeof(*exts
)) != 0) {
747 printf("ClientHello callback expected extensions mismatch\n");
749 return SSL_CLIENT_HELLO_ERROR
;
752 return SSL_CLIENT_HELLO_SUCCESS
;
755 static int test_client_hello_cb(void)
757 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
758 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
759 int testctr
= 0, testresult
= 0;
761 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
762 TLS_client_method(), TLS1_VERSION
, 0,
763 &sctx
, &cctx
, cert
, privkey
)))
765 SSL_CTX_set_client_hello_cb(sctx
, full_client_hello_callback
, &testctr
);
767 /* The gimpy cipher list we configure can't do TLS 1.3. */
768 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
770 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
771 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
772 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
773 &clientssl
, NULL
, NULL
))
774 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
775 SSL_ERROR_WANT_CLIENT_HELLO_CB
))
777 * Passing a -1 literal is a hack since
778 * the real value was lost.
780 || !TEST_int_eq(SSL_get_error(serverssl
, -1),
781 SSL_ERROR_WANT_CLIENT_HELLO_CB
)
782 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
797 static int test_no_ems(void)
799 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
800 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
803 if (!create_ssl_ctx_pair(libctx
, TLS_server_method(), TLS_client_method(),
804 TLS1_VERSION
, TLS1_2_VERSION
,
805 &sctx
, &cctx
, cert
, privkey
)) {
806 printf("Unable to create SSL_CTX pair\n");
810 SSL_CTX_set_options(sctx
, SSL_OP_NO_EXTENDED_MASTER_SECRET
);
812 if (!create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
, NULL
)) {
813 printf("Unable to create SSL objects\n");
817 if (!create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)) {
818 printf("Creating SSL connection failed\n");
822 if (SSL_get_extms_support(serverssl
)) {
823 printf("Server reports Extended Master Secret support\n");
827 if (SSL_get_extms_support(clientssl
)) {
828 printf("Client reports Extended Master Secret support\n");
843 * Very focused test to exercise a single case in the server-side state
844 * machine, when the ChangeCipherState message needs to actually change
845 * from one cipher to a different cipher (i.e., not changing from null
846 * encryption to real encryption).
848 static int test_ccs_change_cipher(void)
850 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
851 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
852 SSL_SESSION
*sess
= NULL
, *sesspre
, *sesspost
;
859 * Create a conection so we can resume and potentially (but not) use
860 * a different cipher in the second connection.
862 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
864 TLS1_VERSION
, TLS1_2_VERSION
,
865 &sctx
, &cctx
, cert
, privkey
))
866 || !TEST_true(SSL_CTX_set_options(sctx
, SSL_OP_NO_TICKET
))
867 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
869 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES128-GCM-SHA256"))
870 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
872 || !TEST_ptr(sesspre
= SSL_get0_session(serverssl
))
873 || !TEST_ptr(sess
= SSL_get1_session(clientssl
)))
876 shutdown_ssl_connection(serverssl
, clientssl
);
877 serverssl
= clientssl
= NULL
;
879 /* Resume, preferring a different cipher. Our server will force the
880 * same cipher to be used as the initial handshake. */
881 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
883 || !TEST_true(SSL_set_session(clientssl
, sess
))
884 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
885 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
887 || !TEST_true(SSL_session_reused(clientssl
))
888 || !TEST_true(SSL_session_reused(serverssl
))
889 || !TEST_ptr(sesspost
= SSL_get0_session(serverssl
))
890 || !TEST_ptr_eq(sesspre
, sesspost
)
891 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256
,
892 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl
))))
894 shutdown_ssl_connection(serverssl
, clientssl
);
895 serverssl
= clientssl
= NULL
;
898 * Now create a fresh connection and try to renegotiate a different
901 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
903 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES128-GCM-SHA256"))
904 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
906 || !TEST_ptr(sesspre
= SSL_get0_session(serverssl
))
907 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384"))
908 || !TEST_true(SSL_renegotiate(clientssl
))
909 || !TEST_true(SSL_renegotiate_pending(clientssl
)))
911 /* Actually drive the renegotiation. */
912 for (i
= 0; i
< 3; i
++) {
913 if (SSL_read_ex(clientssl
, &buf
, sizeof(buf
), &readbytes
) > 0) {
914 if (!TEST_ulong_eq(readbytes
, 0))
916 } else if (!TEST_int_eq(SSL_get_error(clientssl
, 0),
917 SSL_ERROR_WANT_READ
)) {
920 if (SSL_read_ex(serverssl
, &buf
, sizeof(buf
), &readbytes
) > 0) {
921 if (!TEST_ulong_eq(readbytes
, 0))
923 } else if (!TEST_int_eq(SSL_get_error(serverssl
, 0),
924 SSL_ERROR_WANT_READ
)) {
928 /* sesspre and sesspost should be different since the cipher changed. */
929 if (!TEST_false(SSL_renegotiate_pending(clientssl
))
930 || !TEST_false(SSL_session_reused(clientssl
))
931 || !TEST_false(SSL_session_reused(serverssl
))
932 || !TEST_ptr(sesspost
= SSL_get0_session(serverssl
))
933 || !TEST_ptr_ne(sesspre
, sesspost
)
934 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384
,
935 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl
))))
938 shutdown_ssl_connection(serverssl
, clientssl
);
939 serverssl
= clientssl
= NULL
;
948 SSL_SESSION_free(sess
);
954 static int execute_test_large_message(const SSL_METHOD
*smeth
,
955 const SSL_METHOD
*cmeth
,
956 int min_version
, int max_version
,
959 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
960 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
964 X509
*chaincert
= NULL
;
967 if (!TEST_ptr(certbio
= BIO_new_file(cert
, "r")))
970 if (!TEST_ptr(chaincert
= X509_new_ex(libctx
, NULL
)))
973 if (PEM_read_bio_X509(certbio
, &chaincert
, NULL
, NULL
) == NULL
)
978 if (!TEST_true(create_ssl_ctx_pair(libctx
, smeth
, cmeth
, min_version
,
979 max_version
, &sctx
, &cctx
, cert
,
983 #ifdef OPENSSL_NO_DTLS1_2
984 if (smeth
== DTLS_server_method()) {
986 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
989 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0"))
990 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
991 "DEFAULT:@SECLEVEL=0")))
998 * Test that read_ahead works correctly when dealing with large
1001 SSL_CTX_set_read_ahead(cctx
, 1);
1005 * We assume the supplied certificate is big enough so that if we add
1006 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1007 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1008 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1009 * test we need to have a message larger than that.
1011 certlen
= i2d_X509(chaincert
, NULL
);
1012 OPENSSL_assert(certlen
* NUM_EXTRA_CERTS
>
1013 (SSL3_RT_MAX_PLAIN_LENGTH
* 4) / 3);
1014 for (i
= 0; i
< NUM_EXTRA_CERTS
; i
++) {
1015 if (!X509_up_ref(chaincert
))
1017 if (!SSL_CTX_add_extra_chain_cert(sctx
, chaincert
)) {
1018 X509_free(chaincert
);
1023 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
1025 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
1030 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1033 if (!TEST_true(SSL_clear(serverssl
)))
1039 X509_free(chaincert
);
1040 SSL_free(serverssl
);
1041 SSL_free(clientssl
);
1048 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1049 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1050 /* sock must be connected */
1051 static int ktls_chk_platform(int sock
)
1053 if (!ktls_enable(sock
))
1058 static int ping_pong_query(SSL
*clientssl
, SSL
*serverssl
)
1060 static char count
= 1;
1061 unsigned char cbuf
[16000] = {0};
1062 unsigned char sbuf
[16000];
1064 char crec_wseq_before
[SEQ_NUM_SIZE
];
1065 char crec_wseq_after
[SEQ_NUM_SIZE
];
1066 char crec_rseq_before
[SEQ_NUM_SIZE
];
1067 char crec_rseq_after
[SEQ_NUM_SIZE
];
1068 char srec_wseq_before
[SEQ_NUM_SIZE
];
1069 char srec_wseq_after
[SEQ_NUM_SIZE
];
1070 char srec_rseq_before
[SEQ_NUM_SIZE
];
1071 char srec_rseq_after
[SEQ_NUM_SIZE
];
1074 memcpy(crec_wseq_before
, &clientssl
->rlayer
.write_sequence
, SEQ_NUM_SIZE
);
1075 memcpy(crec_rseq_before
, &clientssl
->rlayer
.read_sequence
, SEQ_NUM_SIZE
);
1076 memcpy(srec_wseq_before
, &serverssl
->rlayer
.write_sequence
, SEQ_NUM_SIZE
);
1077 memcpy(srec_rseq_before
, &serverssl
->rlayer
.read_sequence
, SEQ_NUM_SIZE
);
1079 if (!TEST_true(SSL_write(clientssl
, cbuf
, sizeof(cbuf
)) == sizeof(cbuf
)))
1082 while ((err
= SSL_read(serverssl
, &sbuf
, sizeof(sbuf
))) != sizeof(sbuf
)) {
1083 if (SSL_get_error(serverssl
, err
) != SSL_ERROR_WANT_READ
) {
1088 if (!TEST_true(SSL_write(serverssl
, sbuf
, sizeof(sbuf
)) == sizeof(sbuf
)))
1091 while ((err
= SSL_read(clientssl
, &cbuf
, sizeof(cbuf
))) != sizeof(cbuf
)) {
1092 if (SSL_get_error(clientssl
, err
) != SSL_ERROR_WANT_READ
) {
1097 memcpy(crec_wseq_after
, &clientssl
->rlayer
.write_sequence
, SEQ_NUM_SIZE
);
1098 memcpy(crec_rseq_after
, &clientssl
->rlayer
.read_sequence
, SEQ_NUM_SIZE
);
1099 memcpy(srec_wseq_after
, &serverssl
->rlayer
.write_sequence
, SEQ_NUM_SIZE
);
1100 memcpy(srec_rseq_after
, &serverssl
->rlayer
.read_sequence
, SEQ_NUM_SIZE
);
1102 /* verify the payload */
1103 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(sbuf
)))
1107 * If ktls is used then kernel sequences are used instead of
1110 if (!BIO_get_ktls_send(clientssl
->wbio
)) {
1111 if (!TEST_mem_ne(crec_wseq_before
, SEQ_NUM_SIZE
,
1112 crec_wseq_after
, SEQ_NUM_SIZE
))
1115 if (!TEST_mem_eq(crec_wseq_before
, SEQ_NUM_SIZE
,
1116 crec_wseq_after
, SEQ_NUM_SIZE
))
1120 if (!BIO_get_ktls_send(serverssl
->wbio
)) {
1121 if (!TEST_mem_ne(srec_wseq_before
, SEQ_NUM_SIZE
,
1122 srec_wseq_after
, SEQ_NUM_SIZE
))
1125 if (!TEST_mem_eq(srec_wseq_before
, SEQ_NUM_SIZE
,
1126 srec_wseq_after
, SEQ_NUM_SIZE
))
1130 if (!BIO_get_ktls_recv(clientssl
->wbio
)) {
1131 if (!TEST_mem_ne(crec_rseq_before
, SEQ_NUM_SIZE
,
1132 crec_rseq_after
, SEQ_NUM_SIZE
))
1135 if (!TEST_mem_eq(crec_rseq_before
, SEQ_NUM_SIZE
,
1136 crec_rseq_after
, SEQ_NUM_SIZE
))
1140 if (!BIO_get_ktls_recv(serverssl
->wbio
)) {
1141 if (!TEST_mem_ne(srec_rseq_before
, SEQ_NUM_SIZE
,
1142 srec_rseq_after
, SEQ_NUM_SIZE
))
1145 if (!TEST_mem_eq(srec_rseq_before
, SEQ_NUM_SIZE
,
1146 srec_rseq_after
, SEQ_NUM_SIZE
))
1155 static int execute_test_ktls(int cis_ktls
, int sis_ktls
,
1156 int tls_version
, const char *cipher
)
1158 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1159 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1160 int ktls_used
= 0, testresult
= 0;
1161 int cfd
= -1, sfd
= -1;
1164 if (!TEST_true(create_test_sockets(&cfd
, &sfd
)))
1167 /* Skip this test if the platform does not support ktls */
1168 if (!ktls_chk_platform(cfd
)) {
1169 testresult
= TEST_skip("Kernel does not support KTLS");
1173 if (is_fips
&& strstr(cipher
, "CHACHA") != NULL
) {
1174 testresult
= TEST_skip("CHACHA is not supported in FIPS");
1178 /* Create a session based on SHA-256 */
1179 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1180 TLS_client_method(),
1181 tls_version
, tls_version
,
1182 &sctx
, &cctx
, cert
, privkey
)))
1185 if (tls_version
== TLS1_3_VERSION
) {
1186 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, cipher
))
1187 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
, cipher
)))
1190 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipher
))
1191 || !TEST_true(SSL_CTX_set_cipher_list(sctx
, cipher
)))
1195 if (!TEST_true(create_ssl_objects2(sctx
, cctx
, &serverssl
,
1196 &clientssl
, sfd
, cfd
)))
1200 if (!TEST_true(SSL_set_options(clientssl
, SSL_OP_ENABLE_KTLS
)))
1205 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_ENABLE_KTLS
)))
1209 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
1213 * The running kernel may not support a given cipher suite
1214 * or direction, so just check that KTLS isn't used when it
1218 if (!TEST_false(BIO_get_ktls_send(clientssl
->wbio
)))
1221 if (BIO_get_ktls_send(clientssl
->wbio
))
1226 if (!TEST_false(BIO_get_ktls_send(serverssl
->wbio
)))
1229 if (BIO_get_ktls_send(serverssl
->wbio
))
1233 #if defined(OPENSSL_NO_KTLS_RX)
1236 rx_supported
= (tls_version
!= TLS1_3_VERSION
);
1238 if (!cis_ktls
|| !rx_supported
) {
1239 if (!TEST_false(BIO_get_ktls_recv(clientssl
->rbio
)))
1242 if (BIO_get_ktls_send(clientssl
->rbio
))
1246 if (!sis_ktls
|| !rx_supported
) {
1247 if (!TEST_false(BIO_get_ktls_recv(serverssl
->rbio
)))
1250 if (BIO_get_ktls_send(serverssl
->rbio
))
1254 if ((cis_ktls
|| sis_ktls
) && !ktls_used
) {
1255 testresult
= TEST_skip("KTLS not supported for %s cipher %s",
1256 tls_version
== TLS1_3_VERSION
? "TLS 1.3" :
1261 if (!TEST_true(ping_pong_query(clientssl
, serverssl
)))
1267 SSL_shutdown(clientssl
);
1268 SSL_free(clientssl
);
1271 SSL_shutdown(serverssl
);
1272 SSL_free(serverssl
);
1276 serverssl
= clientssl
= NULL
;
1284 #define SENDFILE_SZ (16 * 4096)
1285 #define SENDFILE_CHUNK (4 * 4096)
1286 #define min(a,b) ((a) > (b) ? (b) : (a))
1288 static int execute_test_ktls_sendfile(int tls_version
, const char *cipher
)
1290 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1291 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1292 unsigned char *buf
, *buf_dst
;
1293 BIO
*out
= NULL
, *in
= NULL
;
1294 int cfd
= -1, sfd
= -1, ffd
, err
;
1295 ssize_t chunk_size
= 0;
1296 off_t chunk_off
= 0;
1300 buf
= OPENSSL_zalloc(SENDFILE_SZ
);
1301 buf_dst
= OPENSSL_zalloc(SENDFILE_SZ
);
1302 if (!TEST_ptr(buf
) || !TEST_ptr(buf_dst
)
1303 || !TEST_true(create_test_sockets(&cfd
, &sfd
)))
1306 /* Skip this test if the platform does not support ktls */
1307 if (!ktls_chk_platform(sfd
)) {
1308 testresult
= TEST_skip("Kernel does not support KTLS");
1312 if (is_fips
&& strstr(cipher
, "CHACHA") != NULL
) {
1313 testresult
= TEST_skip("CHACHA is not supported in FIPS");
1317 /* Create a session based on SHA-256 */
1318 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1319 TLS_client_method(),
1320 tls_version
, tls_version
,
1321 &sctx
, &cctx
, cert
, privkey
)))
1324 if (tls_version
== TLS1_3_VERSION
) {
1325 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, cipher
))
1326 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
, cipher
)))
1329 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipher
))
1330 || !TEST_true(SSL_CTX_set_cipher_list(sctx
, cipher
)))
1334 if (!TEST_true(create_ssl_objects2(sctx
, cctx
, &serverssl
,
1335 &clientssl
, sfd
, cfd
)))
1338 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_ENABLE_KTLS
)))
1341 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1345 if (!BIO_get_ktls_send(serverssl
->wbio
)) {
1346 testresult
= TEST_skip("Failed to enable KTLS for %s cipher %s",
1347 tls_version
== TLS1_3_VERSION
? "TLS 1.3" :
1352 if (!TEST_int_gt(RAND_bytes_ex(libctx
, buf
, SENDFILE_SZ
, 0), 0))
1355 out
= BIO_new_file(tmpfilename
, "wb");
1359 if (BIO_write(out
, buf
, SENDFILE_SZ
) != SENDFILE_SZ
)
1364 in
= BIO_new_file(tmpfilename
, "rb");
1365 BIO_get_fp(in
, &ffdp
);
1368 while (chunk_off
< SENDFILE_SZ
) {
1369 chunk_size
= min(SENDFILE_CHUNK
, SENDFILE_SZ
- chunk_off
);
1370 while ((err
= SSL_sendfile(serverssl
,
1374 0)) != chunk_size
) {
1375 if (SSL_get_error(serverssl
, err
) != SSL_ERROR_WANT_WRITE
)
1378 while ((err
= SSL_read(clientssl
,
1379 buf_dst
+ chunk_off
,
1380 chunk_size
)) != chunk_size
) {
1381 if (SSL_get_error(clientssl
, err
) != SSL_ERROR_WANT_READ
)
1385 /* verify the payload */
1386 if (!TEST_mem_eq(buf_dst
+ chunk_off
,
1392 chunk_off
+= chunk_size
;
1398 SSL_shutdown(clientssl
);
1399 SSL_free(clientssl
);
1402 SSL_shutdown(serverssl
);
1403 SSL_free(serverssl
);
1407 serverssl
= clientssl
= NULL
;
1415 OPENSSL_free(buf_dst
);
1419 static struct ktls_test_cipher
{
1422 } ktls_test_ciphers
[] = {
1423 # if !defined(OPENSSL_NO_TLS1_2)
1424 # ifdef OPENSSL_KTLS_AES_GCM_128
1425 { TLS1_2_VERSION
, "AES128-GCM-SHA256" },
1427 # ifdef OPENSSL_KTLS_AES_CCM_128
1428 { TLS1_2_VERSION
, "AES128-CCM"},
1430 # ifdef OPENSSL_KTLS_AES_GCM_256
1431 { TLS1_2_VERSION
, "AES256-GCM-SHA384"},
1433 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1434 { TLS1_2_VERSION
, "ECDHE-RSA-CHACHA20-POLY1305"},
1437 # if !defined(OSSL_NO_USABLE_TLS1_3)
1438 # ifdef OPENSSL_KTLS_AES_GCM_128
1439 { TLS1_3_VERSION
, "TLS_AES_128_GCM_SHA256" },
1441 # ifdef OPENSSL_KTLS_AES_CCM_128
1442 { TLS1_3_VERSION
, "TLS_AES_128_CCM_SHA256" },
1444 # ifdef OPENSSL_KTLS_AES_GCM_256
1445 { TLS1_3_VERSION
, "TLS_AES_256_GCM_SHA384" },
1447 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1448 { TLS1_3_VERSION
, "TLS_CHACHA20_POLY1305_SHA256" },
1453 #define NUM_KTLS_TEST_CIPHERS \
1454 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1456 static int test_ktls(int test
)
1458 struct ktls_test_cipher
*cipher
;
1459 int cis_ktls
, sis_ktls
;
1461 OPENSSL_assert(test
/ 4 < (int)NUM_KTLS_TEST_CIPHERS
);
1462 cipher
= &ktls_test_ciphers
[test
/ 4];
1464 cis_ktls
= (test
& 1) != 0;
1465 sis_ktls
= (test
& 2) != 0;
1467 return execute_test_ktls(cis_ktls
, sis_ktls
, cipher
->tls_version
,
1471 static int test_ktls_sendfile(int tst
)
1473 struct ktls_test_cipher
*cipher
;
1475 OPENSSL_assert(tst
< (int)NUM_KTLS_TEST_CIPHERS
);
1476 cipher
= &ktls_test_ciphers
[tst
];
1478 return execute_test_ktls_sendfile(cipher
->tls_version
, cipher
->cipher
);
1482 static int test_large_message_tls(void)
1484 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1485 TLS1_VERSION
, 0, 0);
1488 static int test_large_message_tls_read_ahead(void)
1490 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1491 TLS1_VERSION
, 0, 1);
1494 #ifndef OPENSSL_NO_DTLS
1495 static int test_large_message_dtls(void)
1497 # ifdef OPENSSL_NO_DTLS1_2
1498 /* Not supported in the FIPS provider */
1503 * read_ahead is not relevant to DTLS because DTLS always acts as if
1504 * read_ahead is set.
1506 return execute_test_large_message(DTLS_server_method(),
1507 DTLS_client_method(),
1508 DTLS1_VERSION
, 0, 0);
1512 static int execute_cleanse_plaintext(const SSL_METHOD
*smeth
,
1513 const SSL_METHOD
*cmeth
,
1514 int min_version
, int max_version
)
1517 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1518 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1523 static unsigned char cbuf
[16000];
1524 static unsigned char sbuf
[16000];
1526 if (!TEST_true(create_ssl_ctx_pair(libctx
,
1528 min_version
, max_version
,
1533 #ifdef OPENSSL_NO_DTLS1_2
1534 if (smeth
== DTLS_server_method()) {
1535 # ifdef OPENSSL_NO_DTLS1_2
1536 /* Not supported in the FIPS provider */
1543 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1546 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0"))
1547 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
1548 "DEFAULT:@SECLEVEL=0")))
1553 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
1557 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_CLEANSE_PLAINTEXT
)))
1560 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1564 for (i
= 0; i
< sizeof(cbuf
); i
++) {
1568 if (!TEST_int_eq(SSL_write(clientssl
, cbuf
, sizeof(cbuf
)), sizeof(cbuf
)))
1571 if (!TEST_int_eq(SSL_peek(serverssl
, &sbuf
, sizeof(sbuf
)), sizeof(sbuf
)))
1574 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(sbuf
)))
1578 * Since we called SSL_peek(), we know the data in the record
1579 * layer is a plaintext record. We can gather the pointer to check
1580 * for zeroization after SSL_read().
1582 rr
= serverssl
->rlayer
.rrec
;
1583 zbuf
= &rr
->data
[rr
->off
];
1584 if (!TEST_int_eq(rr
->length
, sizeof(cbuf
)))
1588 * After SSL_peek() the plaintext must still be stored in the
1591 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), zbuf
, sizeof(cbuf
)))
1594 memset(sbuf
, 0, sizeof(sbuf
));
1595 if (!TEST_int_eq(SSL_read(serverssl
, &sbuf
, sizeof(sbuf
)), sizeof(sbuf
)))
1598 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(cbuf
)))
1601 /* Check if rbuf is cleansed */
1602 memset(cbuf
, 0, sizeof(cbuf
));
1603 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), zbuf
, sizeof(cbuf
)))
1608 SSL_free(serverssl
);
1609 SSL_free(clientssl
);
1616 static int test_cleanse_plaintext(void)
1618 #if !defined(OPENSSL_NO_TLS1_2)
1619 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1620 TLS_client_method(),
1627 #if !defined(OSSL_NO_USABLE_TLS1_3)
1628 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1629 TLS_client_method(),
1635 #if !defined(OPENSSL_NO_DTLS)
1637 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1638 DTLS_client_method(),
1646 #ifndef OPENSSL_NO_OCSP
1647 static int ocsp_server_cb(SSL
*s
, void *arg
)
1649 int *argi
= (int *)arg
;
1650 unsigned char *copy
= NULL
;
1651 STACK_OF(OCSP_RESPID
) *ids
= NULL
;
1652 OCSP_RESPID
*id
= NULL
;
1655 /* In this test we are expecting exactly 1 OCSP_RESPID */
1656 SSL_get_tlsext_status_ids(s
, &ids
);
1657 if (ids
== NULL
|| sk_OCSP_RESPID_num(ids
) != 1)
1658 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1660 id
= sk_OCSP_RESPID_value(ids
, 0);
1661 if (id
== NULL
|| !OCSP_RESPID_match_ex(id
, ocspcert
, libctx
, NULL
))
1662 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1663 } else if (*argi
!= 1) {
1664 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1667 if (!TEST_ptr(copy
= OPENSSL_memdup(orespder
, sizeof(orespder
))))
1668 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1670 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s
, copy
,
1671 sizeof(orespder
)))) {
1673 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1675 ocsp_server_called
= 1;
1676 return SSL_TLSEXT_ERR_OK
;
1679 static int ocsp_client_cb(SSL
*s
, void *arg
)
1681 int *argi
= (int *)arg
;
1682 const unsigned char *respderin
;
1685 if (*argi
!= 1 && *argi
!= 2)
1688 len
= SSL_get_tlsext_status_ocsp_resp(s
, &respderin
);
1689 if (!TEST_mem_eq(orespder
, len
, respderin
, len
))
1692 ocsp_client_called
= 1;
1696 static int test_tlsext_status_type(void)
1698 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1699 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1701 STACK_OF(OCSP_RESPID
) *ids
= NULL
;
1702 OCSP_RESPID
*id
= NULL
;
1703 BIO
*certbio
= NULL
;
1705 if (!create_ssl_ctx_pair(libctx
, TLS_server_method(), TLS_client_method(),
1707 &sctx
, &cctx
, cert
, privkey
))
1710 if (SSL_CTX_get_tlsext_status_type(cctx
) != -1)
1713 /* First just do various checks getting and setting tlsext_status_type */
1715 clientssl
= SSL_new(cctx
);
1716 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl
), -1)
1717 || !TEST_true(SSL_set_tlsext_status_type(clientssl
,
1718 TLSEXT_STATUSTYPE_ocsp
))
1719 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl
),
1720 TLSEXT_STATUSTYPE_ocsp
))
1723 SSL_free(clientssl
);
1726 if (!SSL_CTX_set_tlsext_status_type(cctx
, TLSEXT_STATUSTYPE_ocsp
)
1727 || SSL_CTX_get_tlsext_status_type(cctx
) != TLSEXT_STATUSTYPE_ocsp
)
1730 clientssl
= SSL_new(cctx
);
1731 if (SSL_get_tlsext_status_type(clientssl
) != TLSEXT_STATUSTYPE_ocsp
)
1733 SSL_free(clientssl
);
1737 * Now actually do a handshake and check OCSP information is exchanged and
1738 * the callbacks get called
1740 SSL_CTX_set_tlsext_status_cb(cctx
, ocsp_client_cb
);
1741 SSL_CTX_set_tlsext_status_arg(cctx
, &cdummyarg
);
1742 SSL_CTX_set_tlsext_status_cb(sctx
, ocsp_server_cb
);
1743 SSL_CTX_set_tlsext_status_arg(sctx
, &cdummyarg
);
1744 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1745 &clientssl
, NULL
, NULL
))
1746 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
1748 || !TEST_true(ocsp_client_called
)
1749 || !TEST_true(ocsp_server_called
))
1751 SSL_free(serverssl
);
1752 SSL_free(clientssl
);
1756 /* Try again but this time force the server side callback to fail */
1757 ocsp_client_called
= 0;
1758 ocsp_server_called
= 0;
1760 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1761 &clientssl
, NULL
, NULL
))
1762 /* This should fail because the callback will fail */
1763 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
1765 || !TEST_false(ocsp_client_called
)
1766 || !TEST_false(ocsp_server_called
))
1768 SSL_free(serverssl
);
1769 SSL_free(clientssl
);
1774 * This time we'll get the client to send an OCSP_RESPID that it will
1777 ocsp_client_called
= 0;
1778 ocsp_server_called
= 0;
1780 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1781 &clientssl
, NULL
, NULL
)))
1785 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1786 * specific one. We'll use the server cert.
1788 if (!TEST_ptr(certbio
= BIO_new_file(cert
, "r"))
1789 || !TEST_ptr(id
= OCSP_RESPID_new())
1790 || !TEST_ptr(ids
= sk_OCSP_RESPID_new_null())
1791 || !TEST_ptr(ocspcert
= X509_new_ex(libctx
, NULL
))
1792 || !TEST_ptr(PEM_read_bio_X509(certbio
, &ocspcert
, NULL
, NULL
))
1793 || !TEST_true(OCSP_RESPID_set_by_key_ex(id
, ocspcert
, libctx
, NULL
))
1794 || !TEST_true(sk_OCSP_RESPID_push(ids
, id
)))
1797 SSL_set_tlsext_status_ids(clientssl
, ids
);
1798 /* Control has been transferred */
1804 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1806 || !TEST_true(ocsp_client_called
)
1807 || !TEST_true(ocsp_server_called
))
1813 SSL_free(serverssl
);
1814 SSL_free(clientssl
);
1817 sk_OCSP_RESPID_pop_free(ids
, OCSP_RESPID_free
);
1818 OCSP_RESPID_free(id
);
1820 X509_free(ocspcert
);
1827 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1828 static int new_called
, remove_called
, get_called
;
1830 static int new_session_cb(SSL
*ssl
, SSL_SESSION
*sess
)
1834 * sess has been up-refed for us, but we don't actually need it so free it
1837 SSL_SESSION_free(sess
);
1841 static void remove_session_cb(SSL_CTX
*ctx
, SSL_SESSION
*sess
)
1846 static SSL_SESSION
*get_sess_val
= NULL
;
1848 static SSL_SESSION
*get_session_cb(SSL
*ssl
, const unsigned char *id
, int len
,
1853 return get_sess_val
;
1856 static int execute_test_session(int maxprot
, int use_int_cache
,
1857 int use_ext_cache
, long s_options
)
1859 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
1860 SSL
*serverssl1
= NULL
, *clientssl1
= NULL
;
1861 SSL
*serverssl2
= NULL
, *clientssl2
= NULL
;
1862 # ifndef OPENSSL_NO_TLS1_1
1863 SSL
*serverssl3
= NULL
, *clientssl3
= NULL
;
1865 SSL_SESSION
*sess1
= NULL
, *sess2
= NULL
;
1866 int testresult
= 0, numnewsesstick
= 1;
1868 new_called
= remove_called
= 0;
1870 /* TLSv1.3 sends 2 NewSessionTickets */
1871 if (maxprot
== TLS1_3_VERSION
)
1874 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1875 TLS_client_method(), TLS1_VERSION
, 0,
1876 &sctx
, &cctx
, cert
, privkey
)))
1880 * Only allow the max protocol version so we can force a connection failure
1883 SSL_CTX_set_min_proto_version(cctx
, maxprot
);
1884 SSL_CTX_set_max_proto_version(cctx
, maxprot
);
1886 /* Set up session cache */
1887 if (use_ext_cache
) {
1888 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
1889 SSL_CTX_sess_set_remove_cb(cctx
, remove_session_cb
);
1891 if (use_int_cache
) {
1892 /* Also covers instance where both are set */
1893 SSL_CTX_set_session_cache_mode(cctx
, SSL_SESS_CACHE_CLIENT
);
1895 SSL_CTX_set_session_cache_mode(cctx
,
1896 SSL_SESS_CACHE_CLIENT
1897 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
1901 SSL_CTX_set_options(sctx
, s_options
);
1904 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl1
, &clientssl1
,
1906 || !TEST_true(create_ssl_connection(serverssl1
, clientssl1
,
1908 || !TEST_ptr(sess1
= SSL_get1_session(clientssl1
)))
1911 /* Should fail because it should already be in the cache */
1912 if (use_int_cache
&& !TEST_false(SSL_CTX_add_session(cctx
, sess1
)))
1915 && (!TEST_int_eq(new_called
, numnewsesstick
)
1917 || !TEST_int_eq(remove_called
, 0)))
1920 new_called
= remove_called
= 0;
1921 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
1922 &clientssl2
, NULL
, NULL
))
1923 || !TEST_true(SSL_set_session(clientssl2
, sess1
))
1924 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
1926 || !TEST_true(SSL_session_reused(clientssl2
)))
1929 if (maxprot
== TLS1_3_VERSION
) {
1931 * In TLSv1.3 we should have created a new session even though we have
1932 * resumed. Since we attempted a resume we should also have removed the
1933 * old ticket from the cache so that we try to only use tickets once.
1936 && (!TEST_int_eq(new_called
, 1)
1937 || !TEST_int_eq(remove_called
, 1)))
1941 * In TLSv1.2 we expect to have resumed so no sessions added or
1945 && (!TEST_int_eq(new_called
, 0)
1946 || !TEST_int_eq(remove_called
, 0)))
1950 SSL_SESSION_free(sess1
);
1951 if (!TEST_ptr(sess1
= SSL_get1_session(clientssl2
)))
1953 shutdown_ssl_connection(serverssl2
, clientssl2
);
1954 serverssl2
= clientssl2
= NULL
;
1956 new_called
= remove_called
= 0;
1957 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
1958 &clientssl2
, NULL
, NULL
))
1959 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
1963 if (!TEST_ptr(sess2
= SSL_get1_session(clientssl2
)))
1967 && (!TEST_int_eq(new_called
, numnewsesstick
)
1968 || !TEST_int_eq(remove_called
, 0)))
1971 new_called
= remove_called
= 0;
1973 * This should clear sess2 from the cache because it is a "bad" session.
1974 * See SSL_set_session() documentation.
1976 if (!TEST_true(SSL_set_session(clientssl2
, sess1
)))
1979 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
1981 if (!TEST_ptr_eq(SSL_get_session(clientssl2
), sess1
))
1984 if (use_int_cache
) {
1985 /* Should succeeded because it should not already be in the cache */
1986 if (!TEST_true(SSL_CTX_add_session(cctx
, sess2
))
1987 || !TEST_true(SSL_CTX_remove_session(cctx
, sess2
)))
1991 new_called
= remove_called
= 0;
1992 /* This shouldn't be in the cache so should fail */
1993 if (!TEST_false(SSL_CTX_remove_session(cctx
, sess2
)))
1997 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
2000 # if !defined(OPENSSL_NO_TLS1_1)
2001 new_called
= remove_called
= 0;
2002 /* Force a connection failure */
2003 SSL_CTX_set_max_proto_version(sctx
, TLS1_1_VERSION
);
2004 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl3
,
2005 &clientssl3
, NULL
, NULL
))
2006 || !TEST_true(SSL_set_session(clientssl3
, sess1
))
2007 /* This should fail because of the mismatched protocol versions */
2008 || !TEST_false(create_ssl_connection(serverssl3
, clientssl3
,
2012 /* We should have automatically removed the session from the cache */
2014 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
2017 /* Should succeed because it should not already be in the cache */
2018 if (use_int_cache
&& !TEST_true(SSL_CTX_add_session(cctx
, sess2
)))
2022 /* Now do some tests for server side caching */
2023 if (use_ext_cache
) {
2024 SSL_CTX_sess_set_new_cb(cctx
, NULL
);
2025 SSL_CTX_sess_set_remove_cb(cctx
, NULL
);
2026 SSL_CTX_sess_set_new_cb(sctx
, new_session_cb
);
2027 SSL_CTX_sess_set_remove_cb(sctx
, remove_session_cb
);
2028 SSL_CTX_sess_set_get_cb(sctx
, get_session_cb
);
2029 get_sess_val
= NULL
;
2032 SSL_CTX_set_session_cache_mode(cctx
, 0);
2033 /* Internal caching is the default on the server side */
2035 SSL_CTX_set_session_cache_mode(sctx
,
2036 SSL_SESS_CACHE_SERVER
2037 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2039 SSL_free(serverssl1
);
2040 SSL_free(clientssl1
);
2041 serverssl1
= clientssl1
= NULL
;
2042 SSL_free(serverssl2
);
2043 SSL_free(clientssl2
);
2044 serverssl2
= clientssl2
= NULL
;
2045 SSL_SESSION_free(sess1
);
2047 SSL_SESSION_free(sess2
);
2050 SSL_CTX_set_max_proto_version(sctx
, maxprot
);
2051 if (maxprot
== TLS1_2_VERSION
)
2052 SSL_CTX_set_options(sctx
, SSL_OP_NO_TICKET
);
2053 new_called
= remove_called
= get_called
= 0;
2054 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl1
, &clientssl1
,
2056 || !TEST_true(create_ssl_connection(serverssl1
, clientssl1
,
2058 || !TEST_ptr(sess1
= SSL_get1_session(clientssl1
))
2059 || !TEST_ptr(sess2
= SSL_get1_session(serverssl1
)))
2062 if (use_int_cache
) {
2063 if (maxprot
== TLS1_3_VERSION
&& !use_ext_cache
) {
2065 * In TLSv1.3 it should not have been added to the internal cache,
2066 * except in the case where we also have an external cache (in that
2067 * case it gets added to the cache in order to generate remove
2068 * events after timeout).
2070 if (!TEST_false(SSL_CTX_remove_session(sctx
, sess2
)))
2073 /* Should fail because it should already be in the cache */
2074 if (!TEST_false(SSL_CTX_add_session(sctx
, sess2
)))
2079 if (use_ext_cache
) {
2080 SSL_SESSION
*tmp
= sess2
;
2082 if (!TEST_int_eq(new_called
, numnewsesstick
)
2083 || !TEST_int_eq(remove_called
, 0)
2084 || !TEST_int_eq(get_called
, 0))
2087 * Delete the session from the internal cache to force a lookup from
2088 * the external cache. We take a copy first because
2089 * SSL_CTX_remove_session() also marks the session as non-resumable.
2091 if (use_int_cache
&& maxprot
!= TLS1_3_VERSION
) {
2092 if (!TEST_ptr(tmp
= SSL_SESSION_dup(sess2
))
2093 || !TEST_true(SSL_CTX_remove_session(sctx
, sess2
)))
2095 SSL_SESSION_free(sess2
);
2100 new_called
= remove_called
= get_called
= 0;
2101 get_sess_val
= sess2
;
2102 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
2103 &clientssl2
, NULL
, NULL
))
2104 || !TEST_true(SSL_set_session(clientssl2
, sess1
))
2105 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
2107 || !TEST_true(SSL_session_reused(clientssl2
)))
2110 if (use_ext_cache
) {
2111 if (!TEST_int_eq(remove_called
, 0))
2114 if (maxprot
== TLS1_3_VERSION
) {
2115 if (!TEST_int_eq(new_called
, 1)
2116 || !TEST_int_eq(get_called
, 0))
2119 if (!TEST_int_eq(new_called
, 0)
2120 || !TEST_int_eq(get_called
, 1))
2128 SSL_free(serverssl1
);
2129 SSL_free(clientssl1
);
2130 SSL_free(serverssl2
);
2131 SSL_free(clientssl2
);
2132 # ifndef OPENSSL_NO_TLS1_1
2133 SSL_free(serverssl3
);
2134 SSL_free(clientssl3
);
2136 SSL_SESSION_free(sess1
);
2137 SSL_SESSION_free(sess2
);
2143 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2145 static int test_session_with_only_int_cache(void)
2147 #ifndef OSSL_NO_USABLE_TLS1_3
2148 if (!execute_test_session(TLS1_3_VERSION
, 1, 0, 0))
2152 #ifndef OPENSSL_NO_TLS1_2
2153 return execute_test_session(TLS1_2_VERSION
, 1, 0, 0);
2159 static int test_session_with_only_ext_cache(void)
2161 #ifndef OSSL_NO_USABLE_TLS1_3
2162 if (!execute_test_session(TLS1_3_VERSION
, 0, 1, 0))
2166 #ifndef OPENSSL_NO_TLS1_2
2167 return execute_test_session(TLS1_2_VERSION
, 0, 1, 0);
2173 static int test_session_with_both_cache(void)
2175 #ifndef OSSL_NO_USABLE_TLS1_3
2176 if (!execute_test_session(TLS1_3_VERSION
, 1, 1, 0))
2180 #ifndef OPENSSL_NO_TLS1_2
2181 return execute_test_session(TLS1_2_VERSION
, 1, 1, 0);
2187 static int test_session_wo_ca_names(void)
2189 #ifndef OSSL_NO_USABLE_TLS1_3
2190 if (!execute_test_session(TLS1_3_VERSION
, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES
))
2194 #ifndef OPENSSL_NO_TLS1_2
2195 return execute_test_session(TLS1_2_VERSION
, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES
);
2202 #ifndef OSSL_NO_USABLE_TLS1_3
2203 static SSL_SESSION
*sesscache
[6];
2204 static int do_cache
;
2206 static int new_cachesession_cb(SSL
*ssl
, SSL_SESSION
*sess
)
2209 sesscache
[new_called
] = sess
;
2211 /* We don't need the reference to the session, so free it */
2212 SSL_SESSION_free(sess
);
2219 static int post_handshake_verify(SSL
*sssl
, SSL
*cssl
)
2221 SSL_set_verify(sssl
, SSL_VERIFY_PEER
, NULL
);
2222 if (!TEST_true(SSL_verify_client_post_handshake(sssl
)))
2225 /* Start handshake on the server and client */
2226 if (!TEST_int_eq(SSL_do_handshake(sssl
), 1)
2227 || !TEST_int_le(SSL_read(cssl
, NULL
, 0), 0)
2228 || !TEST_int_le(SSL_read(sssl
, NULL
, 0), 0)
2229 || !TEST_true(create_ssl_connection(sssl
, cssl
,
2236 static int setup_ticket_test(int stateful
, int idx
, SSL_CTX
**sctx
,
2239 int sess_id_ctx
= 1;
2241 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2242 TLS_client_method(), TLS1_VERSION
, 0,
2243 sctx
, cctx
, cert
, privkey
))
2244 || !TEST_true(SSL_CTX_set_num_tickets(*sctx
, idx
))
2245 || !TEST_true(SSL_CTX_set_session_id_context(*sctx
,
2246 (void *)&sess_id_ctx
,
2247 sizeof(sess_id_ctx
))))
2251 SSL_CTX_set_options(*sctx
, SSL_OP_NO_TICKET
);
2253 SSL_CTX_set_session_cache_mode(*cctx
, SSL_SESS_CACHE_CLIENT
2254 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2255 SSL_CTX_sess_set_new_cb(*cctx
, new_cachesession_cb
);
2260 static int check_resumption(int idx
, SSL_CTX
*sctx
, SSL_CTX
*cctx
, int succ
)
2262 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2265 /* Test that we can resume with all the tickets we got given */
2266 for (i
= 0; i
< idx
* 2; i
++) {
2268 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2269 &clientssl
, NULL
, NULL
))
2270 || !TEST_true(SSL_set_session(clientssl
, sesscache
[i
])))
2273 SSL_set_post_handshake_auth(clientssl
, 1);
2275 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2280 * Following a successful resumption we only get 1 ticket. After a
2281 * failed one we should get idx tickets.
2284 if (!TEST_true(SSL_session_reused(clientssl
))
2285 || !TEST_int_eq(new_called
, 1))
2288 if (!TEST_false(SSL_session_reused(clientssl
))
2289 || !TEST_int_eq(new_called
, idx
))
2294 /* After a post-handshake authentication we should get 1 new ticket */
2296 && (!post_handshake_verify(serverssl
, clientssl
)
2297 || !TEST_int_eq(new_called
, 1)))
2300 SSL_shutdown(clientssl
);
2301 SSL_shutdown(serverssl
);
2302 SSL_free(serverssl
);
2303 SSL_free(clientssl
);
2304 serverssl
= clientssl
= NULL
;
2305 SSL_SESSION_free(sesscache
[i
]);
2306 sesscache
[i
] = NULL
;
2312 SSL_free(clientssl
);
2313 SSL_free(serverssl
);
2317 static int test_tickets(int stateful
, int idx
)
2319 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2320 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2324 /* idx is the test number, but also the number of tickets we want */
2329 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2332 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2333 &clientssl
, NULL
, NULL
)))
2336 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2338 /* Check we got the number of tickets we were expecting */
2339 || !TEST_int_eq(idx
, new_called
))
2342 SSL_shutdown(clientssl
);
2343 SSL_shutdown(serverssl
);
2344 SSL_free(serverssl
);
2345 SSL_free(clientssl
);
2348 clientssl
= serverssl
= NULL
;
2352 * Now we try to resume with the tickets we previously created. The
2353 * resumption attempt is expected to fail (because we're now using a new
2354 * SSL_CTX). We should see idx number of tickets issued again.
2357 /* Stop caching sessions - just count them */
2360 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2363 if (!check_resumption(idx
, sctx
, cctx
, 0))
2366 /* Start again with caching sessions */
2373 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2376 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2377 &clientssl
, NULL
, NULL
)))
2380 SSL_set_post_handshake_auth(clientssl
, 1);
2382 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2384 /* Check we got the number of tickets we were expecting */
2385 || !TEST_int_eq(idx
, new_called
))
2388 /* After a post-handshake authentication we should get new tickets issued */
2389 if (!post_handshake_verify(serverssl
, clientssl
)
2390 || !TEST_int_eq(idx
* 2, new_called
))
2393 SSL_shutdown(clientssl
);
2394 SSL_shutdown(serverssl
);
2395 SSL_free(serverssl
);
2396 SSL_free(clientssl
);
2397 serverssl
= clientssl
= NULL
;
2399 /* Stop caching sessions - just count them */
2403 * Check we can resume with all the tickets we created. This time around the
2404 * resumptions should all be successful.
2406 if (!check_resumption(idx
, sctx
, cctx
, 1))
2412 SSL_free(serverssl
);
2413 SSL_free(clientssl
);
2414 for (j
= 0; j
< OSSL_NELEM(sesscache
); j
++) {
2415 SSL_SESSION_free(sesscache
[j
]);
2416 sesscache
[j
] = NULL
;
2424 static int test_stateless_tickets(int idx
)
2426 return test_tickets(0, idx
);
2429 static int test_stateful_tickets(int idx
)
2431 return test_tickets(1, idx
);
2434 static int test_psk_tickets(void)
2436 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2437 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2439 int sess_id_ctx
= 1;
2441 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2442 TLS_client_method(), TLS1_VERSION
, 0,
2443 &sctx
, &cctx
, NULL
, NULL
))
2444 || !TEST_true(SSL_CTX_set_session_id_context(sctx
,
2445 (void *)&sess_id_ctx
,
2446 sizeof(sess_id_ctx
))))
2449 SSL_CTX_set_session_cache_mode(cctx
, SSL_SESS_CACHE_CLIENT
2450 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2451 SSL_CTX_set_psk_use_session_callback(cctx
, use_session_cb
);
2452 SSL_CTX_set_psk_find_session_callback(sctx
, find_session_cb
);
2453 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
2454 use_session_cb_cnt
= 0;
2455 find_session_cb_cnt
= 0;
2459 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2462 clientpsk
= serverpsk
= create_a_psk(clientssl
);
2463 if (!TEST_ptr(clientpsk
))
2465 SSL_SESSION_up_ref(clientpsk
);
2467 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2469 || !TEST_int_eq(1, find_session_cb_cnt
)
2470 || !TEST_int_eq(1, use_session_cb_cnt
)
2471 /* We should always get 1 ticket when using external PSK */
2472 || !TEST_int_eq(1, new_called
))
2478 SSL_free(serverssl
);
2479 SSL_free(clientssl
);
2482 SSL_SESSION_free(clientpsk
);
2483 SSL_SESSION_free(serverpsk
);
2484 clientpsk
= serverpsk
= NULL
;
2489 static int test_extra_tickets(int idx
)
2491 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2492 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2493 BIO
*bretry
= BIO_new(bio_s_always_retry());
2498 unsigned char c
, buf
[1];
2508 if (!TEST_ptr(bretry
) || !setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2510 SSL_CTX_sess_set_new_cb(sctx
, new_session_cb
);
2511 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2512 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
2514 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2515 &clientssl
, NULL
, NULL
)))
2519 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2520 * incremented by both client and server.
2522 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2524 /* Check we got the number of tickets we were expecting */
2525 || !TEST_int_eq(idx
* 2, new_called
)
2526 || !TEST_true(SSL_new_session_ticket(serverssl
))
2527 || !TEST_true(SSL_new_session_ticket(serverssl
))
2528 || !TEST_int_eq(idx
* 2, new_called
))
2531 /* Now try a (real) write to actually send the tickets */
2533 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2534 || !TEST_size_t_eq(1, nbytes
)
2535 || !TEST_int_eq(idx
* 2 + 2, new_called
)
2536 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2537 || !TEST_int_eq(idx
* 2 + 4, new_called
)
2538 || !TEST_int_eq(sizeof(buf
), nbytes
)
2539 || !TEST_int_eq(c
, buf
[0])
2540 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2543 /* Try with only requesting one new ticket, too */
2546 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2547 || !TEST_true(SSL_write_ex(serverssl
, &c
, sizeof(c
), &nbytes
))
2548 || !TEST_size_t_eq(sizeof(c
), nbytes
)
2549 || !TEST_int_eq(1, new_called
)
2550 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2551 || !TEST_int_eq(2, new_called
)
2552 || !TEST_size_t_eq(sizeof(buf
), nbytes
)
2553 || !TEST_int_eq(c
, buf
[0]))
2556 /* Do it again but use dummy writes to drive the ticket generation */
2559 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2560 || !TEST_true(SSL_new_session_ticket(serverssl
))
2561 || !TEST_true(SSL_write_ex(serverssl
, &c
, 0, &nbytes
))
2562 || !TEST_size_t_eq(0, nbytes
)
2563 || !TEST_int_eq(2, new_called
)
2564 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2565 || !TEST_int_eq(4, new_called
))
2568 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2571 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2572 || !TEST_true(SSL_new_session_ticket(serverssl
))
2573 || !TEST_true(SSL_do_handshake(serverssl
))
2574 || !TEST_int_eq(2, new_called
)
2575 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2576 || !TEST_int_eq(4, new_called
))
2580 * Use the always-retry BIO to exercise the logic that forces ticket
2581 * generation to wait until a record boundary.
2585 tmp
= SSL_get_wbio(serverssl
);
2586 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
2590 SSL_set0_wbio(serverssl
, bretry
);
2592 if (!TEST_false(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2593 || !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_WANT_WRITE
)
2594 || !TEST_size_t_eq(nbytes
, 0))
2596 /* Restore a BIO that will let the write succeed */
2597 SSL_set0_wbio(serverssl
, tmp
);
2600 * These calls should just queue the request and not send anything
2601 * even if we explicitly try to hit the state machine.
2603 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2604 || !TEST_true(SSL_new_session_ticket(serverssl
))
2605 || !TEST_int_eq(0, new_called
)
2606 || !TEST_true(SSL_do_handshake(serverssl
))
2607 || !TEST_int_eq(0, new_called
))
2609 /* Re-do the write; still no tickets sent */
2610 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2611 || !TEST_size_t_eq(1, nbytes
)
2612 || !TEST_int_eq(0, new_called
)
2613 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2614 || !TEST_int_eq(0, new_called
)
2615 || !TEST_int_eq(sizeof(buf
), nbytes
)
2616 || !TEST_int_eq(c
, buf
[0])
2617 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2619 /* Even trying to hit the state machine now will still not send tickets */
2620 if (!TEST_true(SSL_do_handshake(serverssl
))
2621 || !TEST_int_eq(0, new_called
))
2623 /* Now the *next* write should send the tickets */
2625 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2626 || !TEST_size_t_eq(1, nbytes
)
2627 || !TEST_int_eq(2, new_called
)
2628 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2629 || !TEST_int_eq(4, new_called
)
2630 || !TEST_int_eq(sizeof(buf
), nbytes
)
2631 || !TEST_int_eq(c
, buf
[0])
2632 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2635 SSL_shutdown(clientssl
);
2636 SSL_shutdown(serverssl
);
2642 SSL_free(serverssl
);
2643 SSL_free(clientssl
);
2646 clientssl
= serverssl
= NULL
;
2655 #define USE_DEFAULT 3
2657 #define CONNTYPE_CONNECTION_SUCCESS 0
2658 #define CONNTYPE_CONNECTION_FAIL 1
2659 #define CONNTYPE_NO_CONNECTION 2
2661 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2662 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2663 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2664 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2666 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2669 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2670 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2671 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2673 static void setupbio(BIO
**res
, BIO
*bio1
, BIO
*bio2
, int type
)
2690 * Tests calls to SSL_set_bio() under various conditions.
2692 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2693 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2694 * then do more tests where we create a successful connection first using our
2695 * standard connection setup functions, and then call SSL_set_bio() with
2696 * various combinations of valid BIOs or NULL. We then repeat these tests
2697 * following a failed connection. In this last case we are looking to check that
2698 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2700 static int test_ssl_set_bio(int idx
)
2702 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2705 BIO
*irbio
= NULL
, *iwbio
= NULL
, *nrbio
= NULL
, *nwbio
= NULL
;
2706 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2707 int initrbio
, initwbio
, newrbio
, newwbio
, conntype
;
2710 if (idx
< TOTAL_NO_CONN_SSL_SET_BIO_TESTS
) {
2718 conntype
= CONNTYPE_NO_CONNECTION
;
2720 idx
-= TOTAL_NO_CONN_SSL_SET_BIO_TESTS
;
2721 initrbio
= initwbio
= USE_DEFAULT
;
2729 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2730 TLS_client_method(), TLS1_VERSION
, 0,
2731 &sctx
, &cctx
, cert
, privkey
)))
2734 if (conntype
== CONNTYPE_CONNECTION_FAIL
) {
2736 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2737 * because we reduced the number of tests in the definition of
2738 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2739 * mismatched protocol versions we will force a connection failure.
2741 SSL_CTX_set_min_proto_version(sctx
, TLS1_3_VERSION
);
2742 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
2745 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2749 if (initrbio
== USE_BIO_1
2750 || initwbio
== USE_BIO_1
2751 || newrbio
== USE_BIO_1
2752 || newwbio
== USE_BIO_1
) {
2753 if (!TEST_ptr(bio1
= BIO_new(BIO_s_mem())))
2757 if (initrbio
== USE_BIO_2
2758 || initwbio
== USE_BIO_2
2759 || newrbio
== USE_BIO_2
2760 || newwbio
== USE_BIO_2
) {
2761 if (!TEST_ptr(bio2
= BIO_new(BIO_s_mem())))
2765 if (initrbio
!= USE_DEFAULT
) {
2766 setupbio(&irbio
, bio1
, bio2
, initrbio
);
2767 setupbio(&iwbio
, bio1
, bio2
, initwbio
);
2768 SSL_set_bio(clientssl
, irbio
, iwbio
);
2771 * We want to maintain our own refs to these BIO, so do an up ref for
2772 * each BIO that will have ownership transferred in the SSL_set_bio()
2777 if (iwbio
!= NULL
&& iwbio
!= irbio
)
2781 if (conntype
!= CONNTYPE_NO_CONNECTION
2782 && !TEST_true(create_ssl_connection(serverssl
, clientssl
,
2784 == (conntype
== CONNTYPE_CONNECTION_SUCCESS
)))
2787 setupbio(&nrbio
, bio1
, bio2
, newrbio
);
2788 setupbio(&nwbio
, bio1
, bio2
, newwbio
);
2791 * We will (maybe) transfer ownership again so do more up refs.
2792 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2797 && (nwbio
!= iwbio
|| nrbio
!= nwbio
))
2801 && (nwbio
!= iwbio
|| (nwbio
== iwbio
&& irbio
== iwbio
)))
2804 SSL_set_bio(clientssl
, nrbio
, nwbio
);
2813 * This test is checking that the ref counting for SSL_set_bio is correct.
2814 * If we get here and we did too many frees then we will fail in the above
2817 SSL_free(serverssl
);
2818 SSL_free(clientssl
);
2824 typedef enum { NO_BIO_CHANGE
, CHANGE_RBIO
, CHANGE_WBIO
} bio_change_t
;
2826 static int execute_test_ssl_bio(int pop_ssl
, bio_change_t change_bio
)
2828 BIO
*sslbio
= NULL
, *membio1
= NULL
, *membio2
= NULL
;
2833 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method()))
2834 || !TEST_ptr(ssl
= SSL_new(ctx
))
2835 || !TEST_ptr(sslbio
= BIO_new(BIO_f_ssl()))
2836 || !TEST_ptr(membio1
= BIO_new(BIO_s_mem())))
2839 BIO_set_ssl(sslbio
, ssl
, BIO_CLOSE
);
2842 * If anything goes wrong here then we could leak memory.
2844 BIO_push(sslbio
, membio1
);
2846 /* Verify changing the rbio/wbio directly does not cause leaks */
2847 if (change_bio
!= NO_BIO_CHANGE
) {
2848 if (!TEST_ptr(membio2
= BIO_new(BIO_s_mem()))) {
2852 if (change_bio
== CHANGE_RBIO
)
2853 SSL_set0_rbio(ssl
, membio2
);
2855 SSL_set0_wbio(ssl
, membio2
);
2874 static int test_ssl_bio_pop_next_bio(void)
2876 return execute_test_ssl_bio(0, NO_BIO_CHANGE
);
2879 static int test_ssl_bio_pop_ssl_bio(void)
2881 return execute_test_ssl_bio(1, NO_BIO_CHANGE
);
2884 static int test_ssl_bio_change_rbio(void)
2886 return execute_test_ssl_bio(0, CHANGE_RBIO
);
2889 static int test_ssl_bio_change_wbio(void)
2891 return execute_test_ssl_bio(0, CHANGE_WBIO
);
2894 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2896 /* The list of sig algs */
2898 /* The length of the list */
2900 /* A sigalgs list in string format */
2901 const char *liststr
;
2902 /* Whether setting the list should succeed */
2904 /* Whether creating a connection with the list should succeed */
2908 static const int validlist1
[] = {NID_sha256
, EVP_PKEY_RSA
};
2909 # ifndef OPENSSL_NO_EC
2910 static const int validlist2
[] = {NID_sha256
, EVP_PKEY_RSA
, NID_sha512
, EVP_PKEY_EC
};
2911 static const int validlist3
[] = {NID_sha512
, EVP_PKEY_EC
};
2913 static const int invalidlist1
[] = {NID_undef
, EVP_PKEY_RSA
};
2914 static const int invalidlist2
[] = {NID_sha256
, NID_undef
};
2915 static const int invalidlist3
[] = {NID_sha256
, EVP_PKEY_RSA
, NID_sha256
};
2916 static const int invalidlist4
[] = {NID_sha256
};
2917 static const sigalgs_list testsigalgs
[] = {
2918 {validlist1
, OSSL_NELEM(validlist1
), NULL
, 1, 1},
2919 # ifndef OPENSSL_NO_EC
2920 {validlist2
, OSSL_NELEM(validlist2
), NULL
, 1, 1},
2921 {validlist3
, OSSL_NELEM(validlist3
), NULL
, 1, 0},
2923 {NULL
, 0, "RSA+SHA256", 1, 1},
2924 # ifndef OPENSSL_NO_EC
2925 {NULL
, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2926 {NULL
, 0, "ECDSA+SHA512", 1, 0},
2928 {invalidlist1
, OSSL_NELEM(invalidlist1
), NULL
, 0, 0},
2929 {invalidlist2
, OSSL_NELEM(invalidlist2
), NULL
, 0, 0},
2930 {invalidlist3
, OSSL_NELEM(invalidlist3
), NULL
, 0, 0},
2931 {invalidlist4
, OSSL_NELEM(invalidlist4
), NULL
, 0, 0},
2932 {NULL
, 0, "RSA", 0, 0},
2933 {NULL
, 0, "SHA256", 0, 0},
2934 {NULL
, 0, "RSA+SHA256:SHA256", 0, 0},
2935 {NULL
, 0, "Invalid", 0, 0}
2938 static int test_set_sigalgs(int idx
)
2940 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
2941 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
2943 const sigalgs_list
*curr
;
2946 /* Should never happen */
2947 if (!TEST_size_t_le((size_t)idx
, OSSL_NELEM(testsigalgs
) * 2))
2950 testctx
= ((size_t)idx
< OSSL_NELEM(testsigalgs
));
2951 curr
= testctx
? &testsigalgs
[idx
]
2952 : &testsigalgs
[idx
- OSSL_NELEM(testsigalgs
)];
2954 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2955 TLS_client_method(), TLS1_VERSION
, 0,
2956 &sctx
, &cctx
, cert
, privkey
)))
2959 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
2964 if (curr
->list
!= NULL
)
2965 ret
= SSL_CTX_set1_sigalgs(cctx
, curr
->list
, curr
->listlen
);
2967 ret
= SSL_CTX_set1_sigalgs_list(cctx
, curr
->liststr
);
2971 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx
);
2977 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx
);
2982 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2983 &clientssl
, NULL
, NULL
)))
2989 if (curr
->list
!= NULL
)
2990 ret
= SSL_set1_sigalgs(clientssl
, curr
->list
, curr
->listlen
);
2992 ret
= SSL_set1_sigalgs_list(clientssl
, curr
->liststr
);
2995 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx
);
3004 if (!TEST_int_eq(create_ssl_connection(serverssl
, clientssl
,
3012 SSL_free(serverssl
);
3013 SSL_free(clientssl
);
3021 #ifndef OSSL_NO_USABLE_TLS1_3
3022 static int psk_client_cb_cnt
= 0;
3023 static int psk_server_cb_cnt
= 0;
3025 static int use_session_cb(SSL
*ssl
, const EVP_MD
*md
, const unsigned char **id
,
3026 size_t *idlen
, SSL_SESSION
**sess
)
3028 switch (++use_session_cb_cnt
) {
3030 /* The first call should always have a NULL md */
3036 /* The second call should always have an md */
3042 /* We should only be called a maximum of twice */
3046 if (clientpsk
!= NULL
)
3047 SSL_SESSION_up_ref(clientpsk
);
3050 *id
= (const unsigned char *)pskid
;
3051 *idlen
= strlen(pskid
);
3056 #ifndef OPENSSL_NO_PSK
3057 static unsigned int psk_client_cb(SSL
*ssl
, const char *hint
, char *id
,
3058 unsigned int max_id_len
,
3060 unsigned int max_psk_len
)
3062 unsigned int psklen
= 0;
3064 psk_client_cb_cnt
++;
3066 if (strlen(pskid
) + 1 > max_id_len
)
3069 /* We should only ever be called a maximum of twice per connection */
3070 if (psk_client_cb_cnt
> 2)
3073 if (clientpsk
== NULL
)
3076 /* We'll reuse the PSK we set up for TLSv1.3 */
3077 if (SSL_SESSION_get_master_key(clientpsk
, NULL
, 0) > max_psk_len
)
3079 psklen
= SSL_SESSION_get_master_key(clientpsk
, psk
, max_psk_len
);
3080 strncpy(id
, pskid
, max_id_len
);
3084 #endif /* OPENSSL_NO_PSK */
3086 static int find_session_cb(SSL
*ssl
, const unsigned char *identity
,
3087 size_t identity_len
, SSL_SESSION
**sess
)
3089 find_session_cb_cnt
++;
3091 /* We should only ever be called a maximum of twice per connection */
3092 if (find_session_cb_cnt
> 2)
3095 if (serverpsk
== NULL
)
3098 /* Identity should match that set by the client */
3099 if (strlen(srvid
) != identity_len
3100 || strncmp(srvid
, (const char *)identity
, identity_len
) != 0) {
3101 /* No PSK found, continue but without a PSK */
3106 SSL_SESSION_up_ref(serverpsk
);
3112 #ifndef OPENSSL_NO_PSK
3113 static unsigned int psk_server_cb(SSL
*ssl
, const char *identity
,
3114 unsigned char *psk
, unsigned int max_psk_len
)
3116 unsigned int psklen
= 0;
3118 psk_server_cb_cnt
++;
3120 /* We should only ever be called a maximum of twice per connection */
3121 if (find_session_cb_cnt
> 2)
3124 if (serverpsk
== NULL
)
3127 /* Identity should match that set by the client */
3128 if (strcmp(srvid
, identity
) != 0) {
3132 /* We'll reuse the PSK we set up for TLSv1.3 */
3133 if (SSL_SESSION_get_master_key(serverpsk
, NULL
, 0) > max_psk_len
)
3135 psklen
= SSL_SESSION_get_master_key(serverpsk
, psk
, max_psk_len
);
3139 #endif /* OPENSSL_NO_PSK */
3141 #define MSG1 "Hello"
3142 #define MSG2 "World."
3147 #define MSG7 "message."
3149 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3150 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3151 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3152 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3153 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3156 static SSL_SESSION
*create_a_psk(SSL
*ssl
)
3158 const SSL_CIPHER
*cipher
= NULL
;
3159 const unsigned char key
[] = {
3160 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3161 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3162 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3163 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3164 0x2c, 0x2d, 0x2e, 0x2f
3166 SSL_SESSION
*sess
= NULL
;
3168 cipher
= SSL_CIPHER_find(ssl
, TLS13_AES_256_GCM_SHA384_BYTES
);
3169 sess
= SSL_SESSION_new();
3171 || !TEST_ptr(cipher
)
3172 || !TEST_true(SSL_SESSION_set1_master_key(sess
, key
,
3174 || !TEST_true(SSL_SESSION_set_cipher(sess
, cipher
))
3176 SSL_SESSION_set_protocol_version(sess
,
3178 SSL_SESSION_free(sess
);
3185 * Helper method to setup objects for early data test. Caller frees objects on
3188 static int setupearly_data_test(SSL_CTX
**cctx
, SSL_CTX
**sctx
, SSL
**clientssl
,
3189 SSL
**serverssl
, SSL_SESSION
**sess
, int idx
)
3192 && !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
3193 TLS_client_method(),
3195 sctx
, cctx
, cert
, privkey
)))
3198 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx
, SSL3_RT_MAX_PLAIN_LENGTH
)))
3202 /* When idx == 1 we repeat the tests with read_ahead set */
3203 SSL_CTX_set_read_ahead(*cctx
, 1);
3204 SSL_CTX_set_read_ahead(*sctx
, 1);
3205 } else if (idx
== 2) {
3206 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3207 SSL_CTX_set_psk_use_session_callback(*cctx
, use_session_cb
);
3208 SSL_CTX_set_psk_find_session_callback(*sctx
, find_session_cb
);
3209 use_session_cb_cnt
= 0;
3210 find_session_cb_cnt
= 0;
3214 if (!TEST_true(create_ssl_objects(*sctx
, *cctx
, serverssl
, clientssl
,
3219 * For one of the run throughs (doesn't matter which one), we'll try sending
3220 * some SNI data in the initial ClientHello. This will be ignored (because
3221 * there is no SNI cb set up by the server), so it should not impact
3225 && !TEST_true(SSL_set_tlsext_host_name(*clientssl
, "localhost")))
3229 clientpsk
= create_a_psk(*clientssl
);
3230 if (!TEST_ptr(clientpsk
)
3232 * We just choose an arbitrary value for max_early_data which
3233 * should be big enough for testing purposes.
3235 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk
,
3237 || !TEST_true(SSL_SESSION_up_ref(clientpsk
))) {
3238 SSL_SESSION_free(clientpsk
);
3242 serverpsk
= clientpsk
;
3245 if (!TEST_true(SSL_SESSION_up_ref(clientpsk
))) {
3246 SSL_SESSION_free(clientpsk
);
3247 SSL_SESSION_free(serverpsk
);
3248 clientpsk
= serverpsk
= NULL
;
3259 if (!TEST_true(create_ssl_connection(*serverssl
, *clientssl
,
3263 *sess
= SSL_get1_session(*clientssl
);
3264 SSL_shutdown(*clientssl
);
3265 SSL_shutdown(*serverssl
);
3266 SSL_free(*serverssl
);
3267 SSL_free(*clientssl
);
3268 *serverssl
= *clientssl
= NULL
;
3270 if (!TEST_true(create_ssl_objects(*sctx
, *cctx
, serverssl
,
3271 clientssl
, NULL
, NULL
))
3272 || !TEST_true(SSL_set_session(*clientssl
, *sess
)))
3278 static int test_early_data_read_write(int idx
)
3280 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3281 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3283 SSL_SESSION
*sess
= NULL
;
3284 unsigned char buf
[20], data
[1024];
3285 size_t readbytes
, written
, eoedlen
, rawread
, rawwritten
;
3288 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3289 &serverssl
, &sess
, idx
)))
3292 /* Write and read some early data */
3293 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3295 || !TEST_size_t_eq(written
, strlen(MSG1
))
3296 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
,
3297 sizeof(buf
), &readbytes
),
3298 SSL_READ_EARLY_DATA_SUCCESS
)
3299 || !TEST_mem_eq(MSG1
, readbytes
, buf
, strlen(MSG1
))
3300 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3301 SSL_EARLY_DATA_ACCEPTED
))
3305 * Server should be able to write data, and client should be able to
3308 if (!TEST_true(SSL_write_early_data(serverssl
, MSG2
, strlen(MSG2
),
3310 || !TEST_size_t_eq(written
, strlen(MSG2
))
3311 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3312 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3315 /* Even after reading normal data, client should be able write early data */
3316 if (!TEST_true(SSL_write_early_data(clientssl
, MSG3
, strlen(MSG3
),
3318 || !TEST_size_t_eq(written
, strlen(MSG3
)))
3321 /* Server should still be able read early data after writing data */
3322 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3324 SSL_READ_EARLY_DATA_SUCCESS
)
3325 || !TEST_mem_eq(buf
, readbytes
, MSG3
, strlen(MSG3
)))
3328 /* Write more data from server and read it from client */
3329 if (!TEST_true(SSL_write_early_data(serverssl
, MSG4
, strlen(MSG4
),
3331 || !TEST_size_t_eq(written
, strlen(MSG4
))
3332 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3333 || !TEST_mem_eq(buf
, readbytes
, MSG4
, strlen(MSG4
)))
3337 * If client writes normal data it should mean writing early data is no
3340 if (!TEST_true(SSL_write_ex(clientssl
, MSG5
, strlen(MSG5
), &written
))
3341 || !TEST_size_t_eq(written
, strlen(MSG5
))
3342 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3343 SSL_EARLY_DATA_ACCEPTED
))
3347 * At this point the client has written EndOfEarlyData, ClientFinished and
3348 * normal (fully protected) data. We are going to cause a delay between the
3349 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3350 * in the read BIO, and then just put back the EndOfEarlyData message.
3352 rbio
= SSL_get_rbio(serverssl
);
3353 if (!TEST_true(BIO_read_ex(rbio
, data
, sizeof(data
), &rawread
))
3354 || !TEST_size_t_lt(rawread
, sizeof(data
))
3355 || !TEST_size_t_gt(rawread
, SSL3_RT_HEADER_LENGTH
))
3358 /* Record length is in the 4th and 5th bytes of the record header */
3359 eoedlen
= SSL3_RT_HEADER_LENGTH
+ (data
[3] << 8 | data
[4]);
3360 if (!TEST_true(BIO_write_ex(rbio
, data
, eoedlen
, &rawwritten
))
3361 || !TEST_size_t_eq(rawwritten
, eoedlen
))
3364 /* Server should be told that there is no more early data */
3365 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3367 SSL_READ_EARLY_DATA_FINISH
)
3368 || !TEST_size_t_eq(readbytes
, 0))
3372 * Server has not finished init yet, so should still be able to write early
3375 if (!TEST_true(SSL_write_early_data(serverssl
, MSG6
, strlen(MSG6
),
3377 || !TEST_size_t_eq(written
, strlen(MSG6
)))
3380 /* Push the ClientFinished and the normal data back into the server rbio */
3381 if (!TEST_true(BIO_write_ex(rbio
, data
+ eoedlen
, rawread
- eoedlen
,
3383 || !TEST_size_t_eq(rawwritten
, rawread
- eoedlen
))
3386 /* Server should be able to read normal data */
3387 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3388 || !TEST_size_t_eq(readbytes
, strlen(MSG5
)))
3391 /* Client and server should not be able to write/read early data now */
3392 if (!TEST_false(SSL_write_early_data(clientssl
, MSG6
, strlen(MSG6
),
3396 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3398 SSL_READ_EARLY_DATA_ERROR
))
3402 /* Client should be able to read the data sent by the server */
3403 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3404 || !TEST_mem_eq(buf
, readbytes
, MSG6
, strlen(MSG6
)))
3408 * Make sure we process the two NewSessionTickets. These arrive
3409 * post-handshake. We attempt reads which we do not expect to return any
3412 if (!TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3413 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
3417 /* Server should be able to write normal data */
3418 if (!TEST_true(SSL_write_ex(serverssl
, MSG7
, strlen(MSG7
), &written
))
3419 || !TEST_size_t_eq(written
, strlen(MSG7
))
3420 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3421 || !TEST_mem_eq(buf
, readbytes
, MSG7
, strlen(MSG7
)))
3424 SSL_SESSION_free(sess
);
3425 sess
= SSL_get1_session(clientssl
);
3426 use_session_cb_cnt
= 0;
3427 find_session_cb_cnt
= 0;
3429 SSL_shutdown(clientssl
);
3430 SSL_shutdown(serverssl
);
3431 SSL_free(serverssl
);
3432 SSL_free(clientssl
);
3433 serverssl
= clientssl
= NULL
;
3434 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3435 &clientssl
, NULL
, NULL
))
3436 || !TEST_true(SSL_set_session(clientssl
, sess
)))
3439 /* Write and read some early data */
3440 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3442 || !TEST_size_t_eq(written
, strlen(MSG1
))
3443 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3445 SSL_READ_EARLY_DATA_SUCCESS
)
3446 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
)))
3449 if (!TEST_int_gt(SSL_connect(clientssl
), 0)
3450 || !TEST_int_gt(SSL_accept(serverssl
), 0))
3453 /* Client and server should not be able to write/read early data now */
3454 if (!TEST_false(SSL_write_early_data(clientssl
, MSG6
, strlen(MSG6
),
3458 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3460 SSL_READ_EARLY_DATA_ERROR
))
3464 /* Client and server should be able to write/read normal data */
3465 if (!TEST_true(SSL_write_ex(clientssl
, MSG5
, strlen(MSG5
), &written
))
3466 || !TEST_size_t_eq(written
, strlen(MSG5
))
3467 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3468 || !TEST_size_t_eq(readbytes
, strlen(MSG5
)))
3474 SSL_SESSION_free(sess
);
3475 SSL_SESSION_free(clientpsk
);
3476 SSL_SESSION_free(serverpsk
);
3477 clientpsk
= serverpsk
= NULL
;
3478 SSL_free(serverssl
);
3479 SSL_free(clientssl
);
3485 static int allow_ed_cb_called
= 0;
3487 static int allow_early_data_cb(SSL
*s
, void *arg
)
3489 int *usecb
= (int *)arg
;
3491 allow_ed_cb_called
++;
3500 * idx == 0: Standard early_data setup
3501 * idx == 1: early_data setup using read_ahead
3502 * usecb == 0: Don't use a custom early data callback
3503 * usecb == 1: Use a custom early data callback and reject the early data
3504 * usecb == 2: Use a custom early data callback and accept the early data
3505 * confopt == 0: Configure anti-replay directly
3506 * confopt == 1: Configure anti-replay using SSL_CONF
3508 static int test_early_data_replay_int(int idx
, int usecb
, int confopt
)
3510 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3511 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3513 SSL_SESSION
*sess
= NULL
;
3514 size_t readbytes
, written
;
3515 unsigned char buf
[20];
3517 allow_ed_cb_called
= 0;
3519 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
3520 TLS_client_method(), TLS1_VERSION
, 0,
3521 &sctx
, &cctx
, cert
, privkey
)))
3526 SSL_CTX_set_options(sctx
, SSL_OP_NO_ANTI_REPLAY
);
3528 SSL_CONF_CTX
*confctx
= SSL_CONF_CTX_new();
3530 if (!TEST_ptr(confctx
))
3532 SSL_CONF_CTX_set_flags(confctx
, SSL_CONF_FLAG_FILE
3533 | SSL_CONF_FLAG_SERVER
);
3534 SSL_CONF_CTX_set_ssl_ctx(confctx
, sctx
);
3535 if (!TEST_int_eq(SSL_CONF_cmd(confctx
, "Options", "-AntiReplay"),
3537 SSL_CONF_CTX_free(confctx
);
3540 SSL_CONF_CTX_free(confctx
);
3542 SSL_CTX_set_allow_early_data_cb(sctx
, allow_early_data_cb
, &usecb
);
3545 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3546 &serverssl
, &sess
, idx
)))
3550 * The server is configured to accept early data. Create a connection to
3551 * "use up" the ticket
3553 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
3554 || !TEST_true(SSL_session_reused(clientssl
)))
3557 SSL_shutdown(clientssl
);
3558 SSL_shutdown(serverssl
);
3559 SSL_free(serverssl
);
3560 SSL_free(clientssl
);
3561 serverssl
= clientssl
= NULL
;
3563 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3564 &clientssl
, NULL
, NULL
))
3565 || !TEST_true(SSL_set_session(clientssl
, sess
)))
3568 /* Write and read some early data */
3569 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3571 || !TEST_size_t_eq(written
, strlen(MSG1
)))
3575 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3577 SSL_READ_EARLY_DATA_FINISH
)
3579 * The ticket was reused, so the we should have rejected the
3582 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3583 SSL_EARLY_DATA_REJECTED
))
3586 /* In this case the callback decides to accept the early data */
3587 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3589 SSL_READ_EARLY_DATA_SUCCESS
)
3590 || !TEST_mem_eq(MSG1
, strlen(MSG1
), buf
, readbytes
)
3592 * Server will have sent its flight so client can now send
3593 * end of early data and complete its half of the handshake
3595 || !TEST_int_gt(SSL_connect(clientssl
), 0)
3596 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3598 SSL_READ_EARLY_DATA_FINISH
)
3599 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3600 SSL_EARLY_DATA_ACCEPTED
))
3604 /* Complete the connection */
3605 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
3606 || !TEST_int_eq(SSL_session_reused(clientssl
), (usecb
> 0) ? 1 : 0)
3607 || !TEST_int_eq(allow_ed_cb_called
, usecb
> 0 ? 1 : 0))
3613 SSL_SESSION_free(sess
);
3614 SSL_SESSION_free(clientpsk
);
3615 SSL_SESSION_free(serverpsk
);
3616 clientpsk
= serverpsk
= NULL
;
3617 SSL_free(serverssl
);
3618 SSL_free(clientssl
);
3624 static int test_early_data_replay(int idx
)
3626 int ret
= 1, usecb
, confopt
;
3628 for (usecb
= 0; usecb
< 3; usecb
++) {
3629 for (confopt
= 0; confopt
< 2; confopt
++)
3630 ret
&= test_early_data_replay_int(idx
, usecb
, confopt
);
3637 * Helper function to test that a server attempting to read early data can
3638 * handle a connection from a client where the early data should be skipped.
3639 * testtype: 0 == No HRR
3640 * testtype: 1 == HRR
3641 * testtype: 2 == HRR, invalid early_data sent after HRR
3642 * testtype: 3 == recv_max_early_data set to 0
3644 static int early_data_skip_helper(int testtype
, int idx
)
3646 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3647 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3649 SSL_SESSION
*sess
= NULL
;
3650 unsigned char buf
[20];
3651 size_t readbytes
, written
;
3653 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3654 &serverssl
, &sess
, idx
)))
3657 if (testtype
== 1 || testtype
== 2) {
3658 /* Force an HRR to occur */
3659 #if defined(OPENSSL_NO_EC)
3660 if (!TEST_true(SSL_set1_groups_list(serverssl
, "ffdhe3072")))
3663 if (!TEST_true(SSL_set1_groups_list(serverssl
, "P-256")))
3666 } else if (idx
== 2) {
3668 * We force early_data rejection by ensuring the PSK identity is
3671 srvid
= "Dummy Identity";
3674 * Deliberately corrupt the creation time. We take 20 seconds off the
3675 * time. It could be any value as long as it is not within tolerance.
3676 * This should mean the ticket is rejected.
3678 if (!TEST_true(SSL_SESSION_set_time(sess
, (long)(time(NULL
) - 20))))
3683 && !TEST_true(SSL_set_recv_max_early_data(serverssl
, 0)))
3686 /* Write some early data */
3687 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3689 || !TEST_size_t_eq(written
, strlen(MSG1
)))
3692 /* Server should reject the early data */
3693 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3695 SSL_READ_EARLY_DATA_FINISH
)
3696 || !TEST_size_t_eq(readbytes
, 0)
3697 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3698 SSL_EARLY_DATA_REJECTED
))
3708 * Finish off the handshake. We perform the same writes and reads as
3709 * further down but we expect them to fail due to the incomplete
3712 if (!TEST_false(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
3713 || !TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
),
3720 BIO
*wbio
= SSL_get_wbio(clientssl
);
3721 /* A record that will appear as bad early_data */
3722 const unsigned char bad_early_data
[] = {
3723 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3727 * We force the client to attempt a write. This will fail because
3728 * we're still in the handshake. It will cause the second
3729 * ClientHello to be sent.
3731 if (!TEST_false(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
),
3736 * Inject some early_data after the second ClientHello. This should
3737 * cause the server to fail
3739 if (!TEST_true(BIO_write_ex(wbio
, bad_early_data
,
3740 sizeof(bad_early_data
), &written
)))
3747 * This client has sent more early_data than we are willing to skip
3748 * (case 3) or sent invalid early_data (case 2) so the connection should
3751 if (!TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3752 || !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_SSL
))
3755 /* Connection has failed - nothing more to do */
3760 TEST_error("Invalid test type");
3765 * Should be able to send normal data despite rejection of early data. The
3766 * early_data should be skipped.
3768 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
3769 || !TEST_size_t_eq(written
, strlen(MSG2
))
3770 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3771 SSL_EARLY_DATA_REJECTED
)
3772 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3773 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3779 SSL_SESSION_free(clientpsk
);
3780 SSL_SESSION_free(serverpsk
);
3781 clientpsk
= serverpsk
= NULL
;
3782 SSL_SESSION_free(sess
);
3783 SSL_free(serverssl
);
3784 SSL_free(clientssl
);
3791 * Test that a server attempting to read early data can handle a connection
3792 * from a client where the early data is not acceptable.
3794 static int test_early_data_skip(int idx
)
3796 return early_data_skip_helper(0, idx
);
3800 * Test that a server attempting to read early data can handle a connection
3801 * from a client where an HRR occurs.
3803 static int test_early_data_skip_hrr(int idx
)
3805 return early_data_skip_helper(1, idx
);
3809 * Test that a server attempting to read early data can handle a connection
3810 * from a client where an HRR occurs and correctly fails if early_data is sent
3813 static int test_early_data_skip_hrr_fail(int idx
)
3815 return early_data_skip_helper(2, idx
);
3819 * Test that a server attempting to read early data will abort if it tries to
3820 * skip over too much.
3822 static int test_early_data_skip_abort(int idx
)
3824 return early_data_skip_helper(3, idx
);
3828 * Test that a server attempting to read early data can handle a connection
3829 * from a client that doesn't send any.
3831 static int test_early_data_not_sent(int idx
)
3833 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3834 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3836 SSL_SESSION
*sess
= NULL
;
3837 unsigned char buf
[20];
3838 size_t readbytes
, written
;
3840 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3841 &serverssl
, &sess
, idx
)))
3844 /* Write some data - should block due to handshake with server */
3845 SSL_set_connect_state(clientssl
);
3846 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
)))
3849 /* Server should detect that early data has not been sent */
3850 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3852 SSL_READ_EARLY_DATA_FINISH
)
3853 || !TEST_size_t_eq(readbytes
, 0)
3854 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3855 SSL_EARLY_DATA_NOT_SENT
)
3856 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3857 SSL_EARLY_DATA_NOT_SENT
))
3860 /* Continue writing the message we started earlier */
3861 if (!TEST_true(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
3862 || !TEST_size_t_eq(written
, strlen(MSG1
))
3863 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3864 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
3865 || !SSL_write_ex(serverssl
, MSG2
, strlen(MSG2
), &written
)
3866 || !TEST_size_t_eq(written
, strlen(MSG2
)))
3869 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3870 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3876 SSL_SESSION_free(sess
);
3877 SSL_SESSION_free(clientpsk
);
3878 SSL_SESSION_free(serverpsk
);
3879 clientpsk
= serverpsk
= NULL
;
3880 SSL_free(serverssl
);
3881 SSL_free(clientssl
);
3887 static const char *servalpn
;
3889 static int alpn_select_cb(SSL
*ssl
, const unsigned char **out
,
3890 unsigned char *outlen
, const unsigned char *in
,
3891 unsigned int inlen
, void *arg
)
3893 unsigned int protlen
= 0;
3894 const unsigned char *prot
;
3896 for (prot
= in
; prot
< in
+ inlen
; prot
+= protlen
) {
3898 if (in
+ inlen
< prot
+ protlen
)
3899 return SSL_TLSEXT_ERR_NOACK
;
3901 if (protlen
== strlen(servalpn
)
3902 && memcmp(prot
, servalpn
, protlen
) == 0) {
3905 return SSL_TLSEXT_ERR_OK
;
3909 return SSL_TLSEXT_ERR_NOACK
;
3912 /* Test that a PSK can be used to send early_data */
3913 static int test_early_data_psk(int idx
)
3915 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3916 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3918 SSL_SESSION
*sess
= NULL
;
3919 unsigned char alpnlist
[] = {
3920 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3923 #define GOODALPNLEN 9
3924 #define BADALPNLEN 8
3925 #define GOODALPN (alpnlist)
3926 #define BADALPN (alpnlist + GOODALPNLEN)
3928 unsigned char buf
[20];
3929 size_t readbytes
, written
;
3930 int readearlyres
= SSL_READ_EARLY_DATA_SUCCESS
, connectres
= 1;
3931 int edstatus
= SSL_EARLY_DATA_ACCEPTED
;
3933 /* We always set this up with a final parameter of "2" for PSK */
3934 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3935 &serverssl
, &sess
, 2)))
3938 servalpn
= "goodalpn";
3941 * Note: There is no test for inconsistent SNI with late client detection.
3942 * This is because servers do not acknowledge SNI even if they are using
3943 * it in a resumption handshake - so it is not actually possible for a
3944 * client to detect a problem.
3948 /* Set inconsistent SNI (early client detection) */
3949 err
= SSL_R_INCONSISTENT_EARLY_DATA_SNI
;
3950 if (!TEST_true(SSL_SESSION_set1_hostname(sess
, "goodhost"))
3951 || !TEST_true(SSL_set_tlsext_host_name(clientssl
, "badhost")))
3956 /* Set inconsistent ALPN (early client detection) */
3957 err
= SSL_R_INCONSISTENT_EARLY_DATA_ALPN
;
3958 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3959 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess
, GOODALPN
,
3961 || !TEST_false(SSL_set_alpn_protos(clientssl
, BADALPN
,
3968 * Set invalid protocol version. Technically this affects PSKs without
3969 * early_data too, but we test it here because it is similar to the
3970 * SNI/ALPN consistency tests.
3972 err
= SSL_R_BAD_PSK
;
3973 if (!TEST_true(SSL_SESSION_set_protocol_version(sess
, TLS1_2_VERSION
)))
3979 * Set inconsistent SNI (server side). In this case the connection
3980 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3981 * is associated with each handshake - not the session. Therefore it
3982 * should not matter that we used a different server name last time.
3984 SSL_SESSION_free(serverpsk
);
3985 serverpsk
= SSL_SESSION_dup(clientpsk
);
3986 if (!TEST_ptr(serverpsk
)
3987 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk
, "badhost")))
3991 /* Set consistent SNI */
3992 if (!TEST_true(SSL_SESSION_set1_hostname(sess
, "goodhost"))
3993 || !TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost"))
3994 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
,
4001 * Set inconsistent ALPN (server detected). In this case the connection
4002 * will succeed but reject early_data.
4004 servalpn
= "badalpn";
4005 edstatus
= SSL_EARLY_DATA_REJECTED
;
4006 readearlyres
= SSL_READ_EARLY_DATA_FINISH
;
4010 * Set consistent ALPN.
4011 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4012 * accepts a list of protos (each one length prefixed).
4013 * SSL_set1_alpn_selected accepts a single protocol (not length
4016 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess
, GOODALPN
+ 1,
4018 || !TEST_false(SSL_set_alpn_protos(clientssl
, GOODALPN
,
4022 SSL_CTX_set_alpn_select_cb(sctx
, alpn_select_cb
, NULL
);
4026 /* Set inconsistent ALPN (late client detection) */
4027 SSL_SESSION_free(serverpsk
);
4028 serverpsk
= SSL_SESSION_dup(clientpsk
);
4029 if (!TEST_ptr(serverpsk
)
4030 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk
,
4033 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk
,
4036 || !TEST_false(SSL_set_alpn_protos(clientssl
, alpnlist
,
4039 SSL_CTX_set_alpn_select_cb(sctx
, alpn_select_cb
, NULL
);
4040 edstatus
= SSL_EARLY_DATA_ACCEPTED
;
4041 readearlyres
= SSL_READ_EARLY_DATA_SUCCESS
;
4042 /* SSL_connect() call should fail */
4047 TEST_error("Bad test index");
4051 SSL_set_connect_state(clientssl
);
4053 if (!TEST_false(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4055 || !TEST_int_eq(SSL_get_error(clientssl
, 0), SSL_ERROR_SSL
)
4056 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err
))
4059 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4063 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4064 &readbytes
), readearlyres
)
4065 || (readearlyres
== SSL_READ_EARLY_DATA_SUCCESS
4066 && !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
)))
4067 || !TEST_int_eq(SSL_get_early_data_status(serverssl
), edstatus
)
4068 || !TEST_int_eq(SSL_connect(clientssl
), connectres
))
4075 SSL_SESSION_free(sess
);
4076 SSL_SESSION_free(clientpsk
);
4077 SSL_SESSION_free(serverpsk
);
4078 clientpsk
= serverpsk
= NULL
;
4079 SSL_free(serverssl
);
4080 SSL_free(clientssl
);
4087 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4088 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4089 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4090 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4091 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4092 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4094 static int test_early_data_psk_with_all_ciphers(int idx
)
4096 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4097 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4099 SSL_SESSION
*sess
= NULL
;
4100 unsigned char buf
[20];
4101 size_t readbytes
, written
;
4102 const SSL_CIPHER
*cipher
;
4103 const char *cipher_str
[] = {
4104 TLS1_3_RFC_AES_128_GCM_SHA256
,
4105 TLS1_3_RFC_AES_256_GCM_SHA384
,
4106 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4107 TLS1_3_RFC_CHACHA20_POLY1305_SHA256
,
4111 TLS1_3_RFC_AES_128_CCM_SHA256
,
4112 TLS1_3_RFC_AES_128_CCM_8_SHA256
4114 const unsigned char *cipher_bytes
[] = {
4115 TLS13_AES_128_GCM_SHA256_BYTES
,
4116 TLS13_AES_256_GCM_SHA384_BYTES
,
4117 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4118 TLS13_CHACHA20_POLY1305_SHA256_BYTES
,
4122 TLS13_AES_128_CCM_SHA256_BYTES
,
4123 TLS13_AES_128_CCM_8_SHA256_BYTES
4126 if (cipher_str
[idx
] == NULL
)
4128 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4129 if (idx
== 2 && is_fips
== 1)
4132 /* We always set this up with a final parameter of "2" for PSK */
4133 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4134 &serverssl
, &sess
, 2)))
4138 /* CCM8 ciphers are considered low security due to their short tag */
4139 SSL_set_security_level(clientssl
, 0);
4140 SSL_set_security_level(serverssl
, 0);
4143 if (!TEST_true(SSL_set_ciphersuites(clientssl
, cipher_str
[idx
]))
4144 || !TEST_true(SSL_set_ciphersuites(serverssl
, cipher_str
[idx
])))
4148 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4149 * and assigns to both client and server with incremented reference
4150 * and the same instance is updated in 'sess'.
4151 * So updating ciphersuite in 'sess' which will get reflected in
4152 * PSK handshake using psk use sess and find sess cb.
4154 cipher
= SSL_CIPHER_find(clientssl
, cipher_bytes
[idx
]);
4155 if (!TEST_ptr(cipher
) || !TEST_true(SSL_SESSION_set_cipher(sess
, cipher
)))
4158 SSL_set_connect_state(clientssl
);
4159 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4163 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4165 SSL_READ_EARLY_DATA_SUCCESS
)
4166 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
4167 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4168 SSL_EARLY_DATA_ACCEPTED
)
4169 || !TEST_int_eq(SSL_connect(clientssl
), 1)
4170 || !TEST_int_eq(SSL_accept(serverssl
), 1))
4173 /* Send some normal data from client to server */
4174 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
4175 || !TEST_size_t_eq(written
, strlen(MSG2
)))
4178 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4179 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4184 SSL_SESSION_free(sess
);
4185 SSL_SESSION_free(clientpsk
);
4186 SSL_SESSION_free(serverpsk
);
4187 clientpsk
= serverpsk
= NULL
;
4188 if (clientssl
!= NULL
)
4189 SSL_shutdown(clientssl
);
4190 if (serverssl
!= NULL
)
4191 SSL_shutdown(serverssl
);
4192 SSL_free(serverssl
);
4193 SSL_free(clientssl
);
4200 * Test that a server that doesn't try to read early data can handle a
4201 * client sending some.
4203 static int test_early_data_not_expected(int idx
)
4205 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4206 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4208 SSL_SESSION
*sess
= NULL
;
4209 unsigned char buf
[20];
4210 size_t readbytes
, written
;
4212 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4213 &serverssl
, &sess
, idx
)))
4216 /* Write some early data */
4217 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4222 * Server should skip over early data and then block waiting for client to
4223 * continue handshake
4225 if (!TEST_int_le(SSL_accept(serverssl
), 0)
4226 || !TEST_int_gt(SSL_connect(clientssl
), 0)
4227 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4228 SSL_EARLY_DATA_REJECTED
)
4229 || !TEST_int_gt(SSL_accept(serverssl
), 0)
4230 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
4231 SSL_EARLY_DATA_REJECTED
))
4234 /* Send some normal data from client to server */
4235 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
4236 || !TEST_size_t_eq(written
, strlen(MSG2
)))
4239 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4240 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4246 SSL_SESSION_free(sess
);
4247 SSL_SESSION_free(clientpsk
);
4248 SSL_SESSION_free(serverpsk
);
4249 clientpsk
= serverpsk
= NULL
;
4250 SSL_free(serverssl
);
4251 SSL_free(clientssl
);
4258 # ifndef OPENSSL_NO_TLS1_2
4260 * Test that a server attempting to read early data can handle a connection
4261 * from a TLSv1.2 client.
4263 static int test_early_data_tls1_2(int idx
)
4265 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4266 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4268 unsigned char buf
[20];
4269 size_t readbytes
, written
;
4271 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4272 &serverssl
, NULL
, idx
)))
4275 /* Write some data - should block due to handshake with server */
4276 SSL_set_max_proto_version(clientssl
, TLS1_2_VERSION
);
4277 SSL_set_connect_state(clientssl
);
4278 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
)))
4282 * Server should do TLSv1.2 handshake. First it will block waiting for more
4283 * messages from client after ServerDone. Then SSL_read_early_data should
4284 * finish and detect that early data has not been sent
4286 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4288 SSL_READ_EARLY_DATA_ERROR
))
4292 * Continue writing the message we started earlier. Will still block waiting
4293 * for the CCS/Finished from server
4295 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
4296 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4298 SSL_READ_EARLY_DATA_FINISH
)
4299 || !TEST_size_t_eq(readbytes
, 0)
4300 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4301 SSL_EARLY_DATA_NOT_SENT
))
4304 /* Continue writing the message we started earlier */
4305 if (!TEST_true(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
4306 || !TEST_size_t_eq(written
, strlen(MSG1
))
4307 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
4308 SSL_EARLY_DATA_NOT_SENT
)
4309 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4310 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
4311 || !TEST_true(SSL_write_ex(serverssl
, MSG2
, strlen(MSG2
), &written
))
4312 || !TEST_size_t_eq(written
, strlen(MSG2
))
4313 || !SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
)
4314 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4320 SSL_SESSION_free(clientpsk
);
4321 SSL_SESSION_free(serverpsk
);
4322 clientpsk
= serverpsk
= NULL
;
4323 SSL_free(serverssl
);
4324 SSL_free(clientssl
);
4330 # endif /* OPENSSL_NO_TLS1_2 */
4333 * Test configuring the TLSv1.3 ciphersuites
4335 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4336 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4337 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4338 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4339 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4340 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4341 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4342 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4343 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4344 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4346 static int test_set_ciphersuite(int idx
)
4348 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4349 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4352 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4353 TLS_client_method(), TLS1_VERSION
, 0,
4354 &sctx
, &cctx
, cert
, privkey
))
4355 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4356 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4359 if (idx
>=4 && idx
<= 7) {
4360 /* SSL_CTX explicit cipher list */
4361 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "AES256-GCM-SHA384")))
4365 if (idx
== 0 || idx
== 4) {
4366 /* Default ciphersuite */
4367 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4368 "TLS_AES_128_GCM_SHA256")))
4370 } else if (idx
== 1 || idx
== 5) {
4371 /* Non default ciphersuite */
4372 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4373 "TLS_AES_128_CCM_SHA256")))
4377 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4378 &clientssl
, NULL
, NULL
)))
4381 if (idx
== 8 || idx
== 9) {
4382 /* SSL explicit cipher list */
4383 if (!TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384")))
4387 if (idx
== 2 || idx
== 6 || idx
== 8) {
4388 /* Default ciphersuite */
4389 if (!TEST_true(SSL_set_ciphersuites(clientssl
,
4390 "TLS_AES_128_GCM_SHA256")))
4392 } else if (idx
== 3 || idx
== 7 || idx
== 9) {
4393 /* Non default ciphersuite */
4394 if (!TEST_true(SSL_set_ciphersuites(clientssl
,
4395 "TLS_AES_128_CCM_SHA256")))
4399 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4405 SSL_free(serverssl
);
4406 SSL_free(clientssl
);
4413 static int test_ciphersuite_change(void)
4415 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4416 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4417 SSL_SESSION
*clntsess
= NULL
;
4419 const SSL_CIPHER
*aes_128_gcm_sha256
= NULL
;
4421 /* Create a session based on SHA-256 */
4422 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4423 TLS_client_method(), TLS1_VERSION
, 0,
4424 &sctx
, &cctx
, cert
, privkey
))
4425 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4426 "TLS_AES_128_GCM_SHA256:"
4427 "TLS_AES_256_GCM_SHA384:"
4428 "TLS_AES_128_CCM_SHA256"))
4429 || !TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4430 "TLS_AES_128_GCM_SHA256")))
4433 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4435 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4439 clntsess
= SSL_get1_session(clientssl
);
4440 /* Save for later */
4441 aes_128_gcm_sha256
= SSL_SESSION_get0_cipher(clntsess
);
4442 SSL_shutdown(clientssl
);
4443 SSL_shutdown(serverssl
);
4444 SSL_free(serverssl
);
4445 SSL_free(clientssl
);
4446 serverssl
= clientssl
= NULL
;
4448 /* Check we can resume a session with a different SHA-256 ciphersuite */
4449 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4450 "TLS_AES_128_CCM_SHA256"))
4451 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4452 &clientssl
, NULL
, NULL
))
4453 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4454 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4456 || !TEST_true(SSL_session_reused(clientssl
)))
4459 SSL_SESSION_free(clntsess
);
4460 clntsess
= SSL_get1_session(clientssl
);
4461 SSL_shutdown(clientssl
);
4462 SSL_shutdown(serverssl
);
4463 SSL_free(serverssl
);
4464 SSL_free(clientssl
);
4465 serverssl
= clientssl
= NULL
;
4468 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4469 * succeeds but does not resume.
4471 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, "TLS_AES_256_GCM_SHA384"))
4472 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4474 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4475 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4477 || !TEST_false(SSL_session_reused(clientssl
)))
4480 SSL_SESSION_free(clntsess
);
4482 SSL_shutdown(clientssl
);
4483 SSL_shutdown(serverssl
);
4484 SSL_free(serverssl
);
4485 SSL_free(clientssl
);
4486 serverssl
= clientssl
= NULL
;
4488 /* Create a session based on SHA384 */
4489 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, "TLS_AES_256_GCM_SHA384"))
4490 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4491 &clientssl
, NULL
, NULL
))
4492 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4496 clntsess
= SSL_get1_session(clientssl
);
4497 SSL_shutdown(clientssl
);
4498 SSL_shutdown(serverssl
);
4499 SSL_free(serverssl
);
4500 SSL_free(clientssl
);
4501 serverssl
= clientssl
= NULL
;
4503 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4504 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4505 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4506 "TLS_AES_256_GCM_SHA384"))
4507 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4509 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4511 * We use SSL_ERROR_WANT_READ below so that we can pause the
4512 * connection after the initial ClientHello has been sent to
4513 * enable us to make some session changes.
4515 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
4516 SSL_ERROR_WANT_READ
)))
4519 /* Trick the client into thinking this session is for a different digest */
4520 clntsess
->cipher
= aes_128_gcm_sha256
;
4521 clntsess
->cipher_id
= clntsess
->cipher
->id
;
4524 * Continue the previously started connection. Server has selected a SHA-384
4525 * ciphersuite, but client thinks the session is for SHA-256, so it should
4528 if (!TEST_false(create_ssl_connection(serverssl
, clientssl
,
4530 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4531 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED
))
4537 SSL_SESSION_free(clntsess
);
4538 SSL_free(serverssl
);
4539 SSL_free(clientssl
);
4547 * Test TLSv1.3 Key exchange
4548 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4549 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4550 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4551 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4552 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4553 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4554 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4555 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4556 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4557 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4558 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4559 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4560 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4561 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4563 # ifndef OPENSSL_NO_EC
4564 static int ecdhe_kexch_groups
[] = {NID_X9_62_prime256v1
, NID_secp384r1
,
4565 NID_secp521r1
, NID_X25519
, NID_X448
};
4567 # ifndef OPENSSL_NO_DH
4568 static int ffdhe_kexch_groups
[] = {NID_ffdhe2048
, NID_ffdhe3072
, NID_ffdhe4096
,
4569 NID_ffdhe6144
, NID_ffdhe8192
};
4571 static int test_key_exchange(int idx
)
4573 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4574 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4577 int *kexch_groups
= &kexch_alg
;
4578 int kexch_groups_size
= 1;
4579 int max_version
= TLS1_3_VERSION
;
4580 char *kexch_name0
= NULL
;
4583 # ifndef OPENSSL_NO_EC
4584 # ifndef OPENSSL_NO_TLS1_2
4586 max_version
= TLS1_2_VERSION
;
4590 kexch_groups
= ecdhe_kexch_groups
;
4591 kexch_groups_size
= OSSL_NELEM(ecdhe_kexch_groups
);
4592 kexch_name0
= "secp256r1";
4595 kexch_alg
= NID_X9_62_prime256v1
;
4596 kexch_name0
= "secp256r1";
4599 kexch_alg
= NID_secp384r1
;
4600 kexch_name0
= "secp384r1";
4603 kexch_alg
= NID_secp521r1
;
4604 kexch_name0
= "secp521r1";
4607 kexch_alg
= NID_X25519
;
4608 kexch_name0
= "x25519";
4611 kexch_alg
= NID_X448
;
4612 kexch_name0
= "x448";
4615 # ifndef OPENSSL_NO_DH
4616 # ifndef OPENSSL_NO_TLS1_2
4618 max_version
= TLS1_2_VERSION
;
4619 kexch_name0
= "ffdhe2048";
4623 kexch_groups
= ffdhe_kexch_groups
;
4624 kexch_groups_size
= OSSL_NELEM(ffdhe_kexch_groups
);
4625 kexch_name0
= "ffdhe2048";
4628 kexch_alg
= NID_ffdhe2048
;
4629 kexch_name0
= "ffdhe2048";
4632 kexch_alg
= NID_ffdhe3072
;
4633 kexch_name0
= "ffdhe3072";
4636 kexch_alg
= NID_ffdhe4096
;
4637 kexch_name0
= "ffdhe4096";
4640 kexch_alg
= NID_ffdhe6144
;
4641 kexch_name0
= "ffdhe6144";
4644 kexch_alg
= NID_ffdhe8192
;
4645 kexch_name0
= "ffdhe8192";
4649 /* We're skipping this test */
4653 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4654 TLS_client_method(), TLS1_VERSION
,
4655 max_version
, &sctx
, &cctx
, cert
,
4659 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4660 TLS1_3_RFC_AES_128_GCM_SHA256
)))
4663 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4664 TLS1_3_RFC_AES_128_GCM_SHA256
)))
4667 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
,
4668 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4669 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
))
4670 || !TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
4674 * Must include an EC ciphersuite so that we send supported groups in
4677 # ifndef OPENSSL_NO_TLS1_2
4678 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
4679 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4680 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
)))
4684 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4688 if (!TEST_true(SSL_set1_groups(serverssl
, kexch_groups
, kexch_groups_size
))
4689 || !TEST_true(SSL_set1_groups(clientssl
, kexch_groups
, kexch_groups_size
)))
4692 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4696 * If Handshake succeeds the negotiated kexch alg should be the first one in
4697 * configured, except in the case of FFDHE groups (idx 13), which are
4698 * TLSv1.3 only so we expect no shared group to exist.
4700 if (!TEST_int_eq(SSL_get_shared_group(serverssl
, 0),
4701 idx
== 13 ? 0 : kexch_groups
[0]))
4704 if (!TEST_str_eq(SSL_group_to_name(serverssl
, kexch_groups
[0]),
4708 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4710 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl
), kexch_groups
[0]))
4712 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl
), kexch_groups
[0]))
4718 SSL_free(serverssl
);
4719 SSL_free(clientssl
);
4725 # if !defined(OPENSSL_NO_TLS1_2) \
4726 && !defined(OPENSSL_NO_EC) \
4727 && !defined(OPENSSL_NO_DH)
4728 static int set_ssl_groups(SSL
*serverssl
, SSL
*clientssl
, int clientmulti
,
4729 int isecdhe
, int idx
)
4732 int *kexch_groups
= &kexch_alg
;
4735 numec
= OSSL_NELEM(ecdhe_kexch_groups
);
4736 numff
= OSSL_NELEM(ffdhe_kexch_groups
);
4738 kexch_alg
= ecdhe_kexch_groups
[idx
];
4740 kexch_alg
= ffdhe_kexch_groups
[idx
];
4743 if (!TEST_true(SSL_set1_groups(serverssl
, kexch_groups
, 1)))
4746 if (!TEST_true(SSL_set1_groups(clientssl
, ecdhe_kexch_groups
,
4750 if (!TEST_true(SSL_set1_groups(clientssl
, ffdhe_kexch_groups
,
4755 if (!TEST_true(SSL_set1_groups(clientssl
, kexch_groups
, 1)))
4758 if (!TEST_true(SSL_set1_groups(serverssl
, ecdhe_kexch_groups
,
4762 if (!TEST_true(SSL_set1_groups(serverssl
, ffdhe_kexch_groups
,
4771 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4772 * Run through both the ECDHE and FFDHE group lists used in the previous
4773 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4774 * confirming the expected result; then perform a resumption handshake
4775 * while offering the same group list, and another resumption handshake
4776 * offering a different group list. The returned value should be the
4777 * negotiated group for the initial handshake; for TLS 1.3 resumption
4778 * handshakes the returned value will be negotiated on the resumption
4779 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4780 * be cached in the session from the original handshake, regardless of what
4781 * was offered in the resumption ClientHello.
4783 * Using E for the number of EC groups and F for the number of FF groups:
4784 * E tests of ECDHE with TLS 1.3, server only has one group
4785 * F tests of FFDHE with TLS 1.3, server only has one group
4786 * E tests of ECDHE with TLS 1.2, server only has one group
4787 * F tests of FFDHE with TLS 1.2, server only has one group
4788 * E tests of ECDHE with TLS 1.3, client sends only one group
4789 * F tests of FFDHE with TLS 1.3, client sends only one group
4790 * E tests of ECDHE with TLS 1.2, client sends only one group
4791 * F tests of FFDHE with TLS 1.2, client sends only one group
4793 static int test_negotiated_group(int idx
)
4795 int clientmulti
, istls13
, isecdhe
, numec
, numff
, numgroups
;
4797 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4798 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4799 SSL_SESSION
*origsess
= NULL
;
4802 int max_version
= TLS1_3_VERSION
;
4804 numec
= OSSL_NELEM(ecdhe_kexch_groups
);
4805 numff
= OSSL_NELEM(ffdhe_kexch_groups
);
4806 numgroups
= numec
+ numff
;
4807 clientmulti
= (idx
< 2 * numgroups
);
4808 idx
= idx
% (2 * numgroups
);
4809 istls13
= (idx
< numgroups
);
4810 idx
= idx
% numgroups
;
4811 isecdhe
= (idx
< numec
);
4814 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4816 kexch_alg
= ecdhe_kexch_groups
[idx
];
4818 kexch_alg
= ffdhe_kexch_groups
[idx
];
4819 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4820 if (!istls13
&& !isecdhe
)
4821 expectednid
= NID_undef
;
4823 expectednid
= kexch_alg
;
4826 max_version
= TLS1_2_VERSION
;
4828 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4829 TLS_client_method(), TLS1_VERSION
,
4830 max_version
, &sctx
, &cctx
, cert
,
4835 * Force (EC)DHE ciphers for TLS 1.2.
4836 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4838 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
,
4839 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4840 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
))
4841 || !TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
4843 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
4844 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4845 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
)))
4848 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4852 if (!TEST_true(set_ssl_groups(serverssl
, clientssl
, clientmulti
, isecdhe
,
4856 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4859 /* Initial handshake; always the configured one */
4860 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl
), expectednid
)
4861 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl
), expectednid
))
4864 if (!TEST_ptr((origsess
= SSL_get1_session(clientssl
))))
4867 SSL_shutdown(clientssl
);
4868 SSL_shutdown(serverssl
);
4869 SSL_free(serverssl
);
4870 SSL_free(clientssl
);
4871 serverssl
= clientssl
= NULL
;
4873 /* First resumption attempt; use the same config as initial handshake */
4874 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4876 || !TEST_true(SSL_set_session(clientssl
, origsess
))
4877 || !TEST_true(set_ssl_groups(serverssl
, clientssl
, clientmulti
,
4881 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
4882 || !TEST_true(SSL_session_reused(clientssl
)))
4885 /* Still had better agree, since nothing changed... */
4886 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl
), expectednid
)
4887 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl
), expectednid
))
4890 SSL_shutdown(clientssl
);
4891 SSL_shutdown(serverssl
);
4892 SSL_free(serverssl
);
4893 SSL_free(clientssl
);
4894 serverssl
= clientssl
= NULL
;
4897 * Second resumption attempt
4898 * The party that picks one group changes it, which we effectuate by
4899 * changing 'idx' and updating what we expect.
4907 expectednid
= ecdhe_kexch_groups
[idx
];
4909 expectednid
= ffdhe_kexch_groups
[idx
];
4910 /* Verify that we are changing what we expect. */
4911 if (!TEST_int_ne(expectednid
, kexch_alg
))
4914 /* TLS 1.2 only supports named groups for ECDHE. */
4916 expectednid
= kexch_alg
;
4920 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4922 || !TEST_true(SSL_set_session(clientssl
, origsess
))
4923 || !TEST_true(set_ssl_groups(serverssl
, clientssl
, clientmulti
,
4927 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
4928 || !TEST_true(SSL_session_reused(clientssl
)))
4931 /* Check that we get what we expected */
4932 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl
), expectednid
)
4933 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl
), expectednid
))
4938 SSL_free(serverssl
);
4939 SSL_free(clientssl
);
4942 SSL_SESSION_free(origsess
);
4945 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4948 * Test TLSv1.3 Cipher Suite
4949 * Test 0 = Set TLS1.3 cipher on context
4950 * Test 1 = Set TLS1.3 cipher on SSL
4951 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4952 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4954 static int test_tls13_ciphersuite(int idx
)
4956 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4957 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4958 static const struct {
4959 const char *ciphername
;
4963 { TLS1_3_RFC_AES_128_GCM_SHA256
, 1, 0 },
4964 { TLS1_3_RFC_AES_256_GCM_SHA384
, 1, 0 },
4965 { TLS1_3_RFC_AES_128_CCM_SHA256
, 1, 0 },
4966 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4967 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256
, 0, 0 },
4968 { TLS1_3_RFC_AES_256_GCM_SHA384
4969 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256
, 0, 0 },
4971 /* CCM8 ciphers are considered low security due to their short tag */
4972 { TLS1_3_RFC_AES_128_CCM_8_SHA256
4973 ":" TLS1_3_RFC_AES_128_CCM_SHA256
, 1, 1 }
4975 const char *t13_cipher
= NULL
;
4976 const char *t12_cipher
= NULL
;
4977 const char *negotiated_scipher
;
4978 const char *negotiated_ccipher
;
4994 t12_cipher
= TLS1_TXT_RSA_WITH_AES_128_SHA256
;
4998 t12_cipher
= TLS1_TXT_RSA_WITH_AES_128_SHA256
;
5002 for (max_ver
= TLS1_2_VERSION
; max_ver
<= TLS1_3_VERSION
; max_ver
++) {
5003 # ifdef OPENSSL_NO_TLS1_2
5004 if (max_ver
== TLS1_2_VERSION
)
5007 for (i
= 0; i
< OSSL_NELEM(t13_ciphers
); i
++) {
5008 if (is_fips
&& !t13_ciphers
[i
].fipscapable
)
5010 t13_cipher
= t13_ciphers
[i
].ciphername
;
5011 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5012 TLS_client_method(),
5013 TLS1_VERSION
, max_ver
,
5014 &sctx
, &cctx
, cert
, privkey
)))
5017 if (t13_ciphers
[i
].low_security
) {
5018 SSL_CTX_set_security_level(sctx
, 0);
5019 SSL_CTX_set_security_level(cctx
, 0);
5023 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx
, t13_cipher
))
5024 || !TEST_true(SSL_CTX_set_ciphersuites(cctx
, t13_cipher
)))
5026 if (t12_cipher
!= NULL
) {
5027 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, t12_cipher
))
5028 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
5034 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
5035 &clientssl
, NULL
, NULL
)))
5039 if (!TEST_true(SSL_set_ciphersuites(serverssl
, t13_cipher
))
5040 || !TEST_true(SSL_set_ciphersuites(clientssl
, t13_cipher
)))
5042 if (t12_cipher
!= NULL
) {
5043 if (!TEST_true(SSL_set_cipher_list(serverssl
, t12_cipher
))
5044 || !TEST_true(SSL_set_cipher_list(clientssl
,
5050 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
5054 negotiated_scipher
= SSL_CIPHER_get_name(SSL_get_current_cipher(
5056 negotiated_ccipher
= SSL_CIPHER_get_name(SSL_get_current_cipher(
5058 if (!TEST_str_eq(negotiated_scipher
, negotiated_ccipher
))
5062 * TEST_strn_eq is used below because t13_cipher can contain
5063 * multiple ciphersuites
5065 if (max_ver
== TLS1_3_VERSION
5066 && !TEST_strn_eq(t13_cipher
, negotiated_scipher
,
5067 strlen(negotiated_scipher
)))
5070 # ifndef OPENSSL_NO_TLS1_2
5071 /* Below validation is not done when t12_cipher is NULL */
5072 if (max_ver
== TLS1_2_VERSION
&& t12_cipher
!= NULL
5073 && !TEST_str_eq(t12_cipher
, negotiated_scipher
))
5077 SSL_free(serverssl
);
5079 SSL_free(clientssl
);
5090 SSL_free(serverssl
);
5091 SSL_free(clientssl
);
5099 * Test 0 = Test new style callbacks
5100 * Test 1 = Test both new and old style callbacks
5101 * Test 2 = Test old style callbacks
5102 * Test 3 = Test old style callbacks with no certificate
5104 static int test_tls13_psk(int idx
)
5106 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
5107 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
5108 const SSL_CIPHER
*cipher
= NULL
;
5109 const unsigned char key
[] = {
5110 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5111 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5112 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5113 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5117 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5118 TLS_client_method(), TLS1_VERSION
, 0,
5119 &sctx
, &cctx
, idx
== 3 ? NULL
: cert
,
5120 idx
== 3 ? NULL
: privkey
)))
5125 * We use a ciphersuite with SHA256 to ease testing old style PSK
5126 * callbacks which will always default to SHA256. This should not be
5127 * necessary if we have no cert/priv key. In that case the server should
5128 * prefer SHA256 automatically.
5130 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
5131 "TLS_AES_128_GCM_SHA256")))
5135 * As noted above the server should prefer SHA256 automatically. However
5136 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5137 * code works even if we are testing with only the FIPS provider loaded.
5139 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
5140 "TLS_AES_256_GCM_SHA384:"
5141 "TLS_AES_128_GCM_SHA256")))
5146 * Test 0: New style callbacks only
5147 * Test 1: New and old style callbacks (only the new ones should be used)
5148 * Test 2: Old style callbacks only
5150 if (idx
== 0 || idx
== 1) {
5151 SSL_CTX_set_psk_use_session_callback(cctx
, use_session_cb
);
5152 SSL_CTX_set_psk_find_session_callback(sctx
, find_session_cb
);
5154 #ifndef OPENSSL_NO_PSK
5156 SSL_CTX_set_psk_client_callback(cctx
, psk_client_cb
);
5157 SSL_CTX_set_psk_server_callback(sctx
, psk_server_cb
);
5161 use_session_cb_cnt
= 0;
5162 find_session_cb_cnt
= 0;
5163 psk_client_cb_cnt
= 0;
5164 psk_server_cb_cnt
= 0;
5168 * Check we can create a connection if callback decides not to send a
5171 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5173 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5175 || !TEST_false(SSL_session_reused(clientssl
))
5176 || !TEST_false(SSL_session_reused(serverssl
)))
5179 if (idx
== 0 || idx
== 1) {
5180 if (!TEST_true(use_session_cb_cnt
== 1)
5181 || !TEST_true(find_session_cb_cnt
== 0)
5183 * If no old style callback then below should be 0
5186 || !TEST_true(psk_client_cb_cnt
== idx
)
5187 || !TEST_true(psk_server_cb_cnt
== 0))
5190 if (!TEST_true(use_session_cb_cnt
== 0)
5191 || !TEST_true(find_session_cb_cnt
== 0)
5192 || !TEST_true(psk_client_cb_cnt
== 1)
5193 || !TEST_true(psk_server_cb_cnt
== 0))
5197 shutdown_ssl_connection(serverssl
, clientssl
);
5198 serverssl
= clientssl
= NULL
;
5199 use_session_cb_cnt
= psk_client_cb_cnt
= 0;
5202 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5206 /* Create the PSK */
5207 cipher
= SSL_CIPHER_find(clientssl
, TLS13_AES_128_GCM_SHA256_BYTES
);
5208 clientpsk
= SSL_SESSION_new();
5209 if (!TEST_ptr(clientpsk
)
5210 || !TEST_ptr(cipher
)
5211 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk
, key
,
5213 || !TEST_true(SSL_SESSION_set_cipher(clientpsk
, cipher
))
5214 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk
,
5216 || !TEST_true(SSL_SESSION_up_ref(clientpsk
)))
5218 serverpsk
= clientpsk
;
5220 /* Check we can create a connection and the PSK is used */
5221 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
5222 || !TEST_true(SSL_session_reused(clientssl
))
5223 || !TEST_true(SSL_session_reused(serverssl
)))
5226 if (idx
== 0 || idx
== 1) {
5227 if (!TEST_true(use_session_cb_cnt
== 1)
5228 || !TEST_true(find_session_cb_cnt
== 1)
5229 || !TEST_true(psk_client_cb_cnt
== 0)
5230 || !TEST_true(psk_server_cb_cnt
== 0))
5233 if (!TEST_true(use_session_cb_cnt
== 0)
5234 || !TEST_true(find_session_cb_cnt
== 0)
5235 || !TEST_true(psk_client_cb_cnt
== 1)
5236 || !TEST_true(psk_server_cb_cnt
== 1))
5240 shutdown_ssl_connection(serverssl
, clientssl
);
5241 serverssl
= clientssl
= NULL
;
5242 use_session_cb_cnt
= find_session_cb_cnt
= 0;
5243 psk_client_cb_cnt
= psk_server_cb_cnt
= 0;
5245 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5250 #if defined(OPENSSL_NO_EC)
5251 if (!TEST_true(SSL_set1_groups_list(serverssl
, "ffdhe3072")))
5254 if (!TEST_true(SSL_set1_groups_list(serverssl
, "P-256")))
5259 * Check we can create a connection, the PSK is used and the callbacks are
5262 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
5263 || !TEST_true(SSL_session_reused(clientssl
))
5264 || !TEST_true(SSL_session_reused(serverssl
)))
5267 if (idx
== 0 || idx
== 1) {
5268 if (!TEST_true(use_session_cb_cnt
== 2)
5269 || !TEST_true(find_session_cb_cnt
== 2)
5270 || !TEST_true(psk_client_cb_cnt
== 0)
5271 || !TEST_true(psk_server_cb_cnt
== 0))
5274 if (!TEST_true(use_session_cb_cnt
== 0)
5275 || !TEST_true(find_session_cb_cnt
== 0)
5276 || !TEST_true(psk_client_cb_cnt
== 2)
5277 || !TEST_true(psk_server_cb_cnt
== 2))
5281 shutdown_ssl_connection(serverssl
, clientssl
);
5282 serverssl
= clientssl
= NULL
;
5283 use_session_cb_cnt
= find_session_cb_cnt
= 0;
5284 psk_client_cb_cnt
= psk_server_cb_cnt
= 0;
5288 * Check that if the server rejects the PSK we can still connect, but with
5291 srvid
= "Dummy Identity";
5292 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5294 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5296 || !TEST_false(SSL_session_reused(clientssl
))
5297 || !TEST_false(SSL_session_reused(serverssl
)))
5300 if (idx
== 0 || idx
== 1) {
5301 if (!TEST_true(use_session_cb_cnt
== 1)
5302 || !TEST_true(find_session_cb_cnt
== 1)
5303 || !TEST_true(psk_client_cb_cnt
== 0)
5305 * If no old style callback then below should be 0
5308 || !TEST_true(psk_server_cb_cnt
== idx
))
5311 if (!TEST_true(use_session_cb_cnt
== 0)
5312 || !TEST_true(find_session_cb_cnt
== 0)
5313 || !TEST_true(psk_client_cb_cnt
== 1)
5314 || !TEST_true(psk_server_cb_cnt
== 1))
5318 shutdown_ssl_connection(serverssl
, clientssl
);
5319 serverssl
= clientssl
= NULL
;
5324 SSL_SESSION_free(clientpsk
);
5325 SSL_SESSION_free(serverpsk
);
5326 clientpsk
= serverpsk
= NULL
;
5327 SSL_free(serverssl
);
5328 SSL_free(clientssl
);
5334 static unsigned char cookie_magic_value
[] = "cookie magic";
5336 static int generate_cookie_callback(SSL
*ssl
, unsigned char *cookie
,
5337 unsigned int *cookie_len
)
5340 * Not suitable as a real cookie generation function but good enough for
5343 memcpy(cookie
, cookie_magic_value
, sizeof(cookie_magic_value
) - 1);
5344 *cookie_len
= sizeof(cookie_magic_value
) - 1;
5349 static int verify_cookie_callback(SSL
*ssl
, const unsigned char *cookie
,
5350 unsigned int cookie_len
)
5352 if (cookie_len
== sizeof(cookie_magic_value
) - 1
5353 && memcmp(cookie
, cookie_magic_value
, cookie_len
) == 0)
5359 static int generate_stateless_cookie_callback(SSL
*ssl
, unsigned char *cookie
,
5363 int res
= generate_cookie_callback(ssl
, cookie
, &temp
);
5368 static int verify_stateless_cookie_callback(SSL
*ssl
, const unsigned char *cookie
,
5371 return verify_cookie_callback(ssl
, cookie
, cookie_len
);
5374 static int test_stateless(void)
5376 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
5377 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
5380 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5381 TLS_client_method(), TLS1_VERSION
, 0,
5382 &sctx
, &cctx
, cert
, privkey
)))
5385 /* The arrival of CCS messages can confuse the test */
5386 SSL_CTX_clear_options(cctx
, SSL_OP_ENABLE_MIDDLEBOX_COMPAT
);
5388 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5390 /* Send the first ClientHello */
5391 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5392 SSL_ERROR_WANT_READ
))
5394 * This should fail with a -1 return because we have no callbacks
5397 || !TEST_int_eq(SSL_stateless(serverssl
), -1))
5400 /* Fatal error so abandon the connection from this client */
5401 SSL_free(clientssl
);
5404 /* Set up the cookie generation and verification callbacks */
5405 SSL_CTX_set_stateless_cookie_generate_cb(sctx
, generate_stateless_cookie_callback
);
5406 SSL_CTX_set_stateless_cookie_verify_cb(sctx
, verify_stateless_cookie_callback
);
5409 * Create a new connection from the client (we can reuse the server SSL
5412 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5414 /* Send the first ClientHello */
5415 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5416 SSL_ERROR_WANT_READ
))
5417 /* This should fail because there is no cookie */
5418 || !TEST_int_eq(SSL_stateless(serverssl
), 0))
5421 /* Abandon the connection from this client */
5422 SSL_free(clientssl
);
5426 * Now create a connection from a new client but with the same server SSL
5429 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5431 /* Send the first ClientHello */
5432 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5433 SSL_ERROR_WANT_READ
))
5434 /* This should fail because there is no cookie */
5435 || !TEST_int_eq(SSL_stateless(serverssl
), 0)
5436 /* Send the second ClientHello */
5437 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5438 SSL_ERROR_WANT_READ
))
5439 /* This should succeed because a cookie is now present */
5440 || !TEST_int_eq(SSL_stateless(serverssl
), 1)
5441 /* Complete the connection */
5442 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5446 shutdown_ssl_connection(serverssl
, clientssl
);
5447 serverssl
= clientssl
= NULL
;
5451 SSL_free(serverssl
);
5452 SSL_free(clientssl
);
5458 #endif /* OSSL_NO_USABLE_TLS1_3 */
5460 static int clntaddoldcb
= 0;
5461 static int clntparseoldcb
= 0;
5462 static int srvaddoldcb
= 0;
5463 static int srvparseoldcb
= 0;
5464 static int clntaddnewcb
= 0;
5465 static int clntparsenewcb
= 0;
5466 static int srvaddnewcb
= 0;
5467 static int srvparsenewcb
= 0;
5468 static int snicb
= 0;
5470 #define TEST_EXT_TYPE1 0xff00
5472 static int old_add_cb(SSL
*s
, unsigned int ext_type
, const unsigned char **out
,
5473 size_t *outlen
, int *al
, void *add_arg
)
5475 int *server
= (int *)add_arg
;
5476 unsigned char *data
;
5478 if (SSL_is_server(s
))
5483 if (*server
!= SSL_is_server(s
)
5484 || (data
= OPENSSL_malloc(sizeof(*data
))) == NULL
)
5489 *outlen
= sizeof(char);
5493 static void old_free_cb(SSL
*s
, unsigned int ext_type
, const unsigned char *out
,
5496 OPENSSL_free((unsigned char *)out
);
5499 static int old_parse_cb(SSL
*s
, unsigned int ext_type
, const unsigned char *in
,
5500 size_t inlen
, int *al
, void *parse_arg
)
5502 int *server
= (int *)parse_arg
;
5504 if (SSL_is_server(s
))
5509 if (*server
!= SSL_is_server(s
)
5510 || inlen
!= sizeof(char)
5517 static int new_add_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5518 const unsigned char **out
, size_t *outlen
, X509
*x
,
5519 size_t chainidx
, int *al
, void *add_arg
)
5521 int *server
= (int *)add_arg
;
5522 unsigned char *data
;
5524 if (SSL_is_server(s
))
5529 if (*server
!= SSL_is_server(s
)
5530 || (data
= OPENSSL_malloc(sizeof(*data
))) == NULL
)
5535 *outlen
= sizeof(*data
);
5539 static void new_free_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5540 const unsigned char *out
, void *add_arg
)
5542 OPENSSL_free((unsigned char *)out
);
5545 static int new_parse_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5546 const unsigned char *in
, size_t inlen
, X509
*x
,
5547 size_t chainidx
, int *al
, void *parse_arg
)
5549 int *server
= (int *)parse_arg
;
5551 if (SSL_is_server(s
))
5556 if (*server
!= SSL_is_server(s
)
5557 || inlen
!= sizeof(char) || *in
!= 1)
5563 static int sni_cb(SSL
*s
, int *al
, void *arg
)
5565 SSL_CTX
*ctx
= (SSL_CTX
*)arg
;
5567 if (SSL_set_SSL_CTX(s
, ctx
) == NULL
) {
5568 *al
= SSL_AD_INTERNAL_ERROR
;
5569 return SSL_TLSEXT_ERR_ALERT_FATAL
;
5572 return SSL_TLSEXT_ERR_OK
;
5575 static int verify_cb(int preverify_ok
, X509_STORE_CTX
*x509_ctx
)
5581 * Custom call back tests.
5582 * Test 0: Old style callbacks in TLSv1.2
5583 * Test 1: New style callbacks in TLSv1.2
5584 * Test 2: New style callbacks in TLSv1.2 with SNI
5585 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5586 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5587 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5589 static int test_custom_exts(int tst
)
5591 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
5592 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5594 static int server
= 1;
5595 static int client
= 0;
5596 SSL_SESSION
*sess
= NULL
;
5597 unsigned int context
;
5599 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5600 /* Skip tests for TLSv1.2 and below in this case */
5605 /* Reset callback counters */
5606 clntaddoldcb
= clntparseoldcb
= srvaddoldcb
= srvparseoldcb
= 0;
5607 clntaddnewcb
= clntparsenewcb
= srvaddnewcb
= srvparsenewcb
= 0;
5610 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5611 TLS_client_method(), TLS1_VERSION
, 0,
5612 &sctx
, &cctx
, cert
, privkey
)))
5616 && !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(), NULL
,
5618 &sctx2
, NULL
, cert
, privkey
)))
5623 SSL_CTX_set_options(cctx
, SSL_OP_NO_TLSv1_3
);
5624 SSL_CTX_set_options(sctx
, SSL_OP_NO_TLSv1_3
);
5626 SSL_CTX_set_options(sctx2
, SSL_OP_NO_TLSv1_3
);
5630 context
= SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5631 | SSL_EXT_TLS1_3_CERTIFICATE
;
5632 SSL_CTX_set_verify(sctx
,
5633 SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
,
5635 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx
, cert
,
5636 SSL_FILETYPE_PEM
), 1)
5637 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx
, privkey
,
5638 SSL_FILETYPE_PEM
), 1)
5639 || !TEST_int_eq(SSL_CTX_check_private_key(cctx
), 1))
5641 } else if (tst
== 4) {
5642 context
= SSL_EXT_CLIENT_HELLO
5643 | SSL_EXT_TLS1_2_SERVER_HELLO
5644 | SSL_EXT_TLS1_3_SERVER_HELLO
5645 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5646 | SSL_EXT_TLS1_3_CERTIFICATE
5647 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET
;
5649 context
= SSL_EXT_CLIENT_HELLO
5650 | SSL_EXT_TLS1_2_SERVER_HELLO
5651 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
;
5654 /* Create a client side custom extension */
5656 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx
, TEST_EXT_TYPE1
,
5657 old_add_cb
, old_free_cb
,
5658 &client
, old_parse_cb
,
5662 if (!TEST_true(SSL_CTX_add_custom_ext(cctx
, TEST_EXT_TYPE1
, context
,
5663 new_add_cb
, new_free_cb
,
5664 &client
, new_parse_cb
, &client
)))
5668 /* Should not be able to add duplicates */
5669 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx
, TEST_EXT_TYPE1
,
5670 old_add_cb
, old_free_cb
,
5671 &client
, old_parse_cb
,
5673 || !TEST_false(SSL_CTX_add_custom_ext(cctx
, TEST_EXT_TYPE1
,
5674 context
, new_add_cb
,
5675 new_free_cb
, &client
,
5676 new_parse_cb
, &client
)))
5679 /* Create a server side custom extension */
5681 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx
, TEST_EXT_TYPE1
,
5682 old_add_cb
, old_free_cb
,
5683 &server
, old_parse_cb
,
5687 if (!TEST_true(SSL_CTX_add_custom_ext(sctx
, TEST_EXT_TYPE1
, context
,
5688 new_add_cb
, new_free_cb
,
5689 &server
, new_parse_cb
, &server
)))
5692 && !TEST_true(SSL_CTX_add_custom_ext(sctx2
, TEST_EXT_TYPE1
,
5693 context
, new_add_cb
,
5694 new_free_cb
, &server
,
5695 new_parse_cb
, &server
)))
5699 /* Should not be able to add duplicates */
5700 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx
, TEST_EXT_TYPE1
,
5701 old_add_cb
, old_free_cb
,
5702 &server
, old_parse_cb
,
5704 || !TEST_false(SSL_CTX_add_custom_ext(sctx
, TEST_EXT_TYPE1
,
5705 context
, new_add_cb
,
5706 new_free_cb
, &server
,
5707 new_parse_cb
, &server
)))
5712 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
, sni_cb
))
5713 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx
, sctx2
)))
5717 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
5718 &clientssl
, NULL
, NULL
))
5719 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5724 if (clntaddoldcb
!= 1
5725 || clntparseoldcb
!= 1
5727 || srvparseoldcb
!= 1)
5729 } else if (tst
== 1 || tst
== 2 || tst
== 3) {
5730 if (clntaddnewcb
!= 1
5731 || clntparsenewcb
!= 1
5733 || srvparsenewcb
!= 1
5734 || (tst
!= 2 && snicb
!= 0)
5735 || (tst
== 2 && snicb
!= 1))
5737 } else if (tst
== 5) {
5738 if (clntaddnewcb
!= 1
5739 || clntparsenewcb
!= 1
5741 || srvparsenewcb
!= 1)
5744 /* In this case there 2 NewSessionTicket messages created */
5745 if (clntaddnewcb
!= 1
5746 || clntparsenewcb
!= 5
5748 || srvparsenewcb
!= 1)
5752 sess
= SSL_get1_session(clientssl
);
5753 SSL_shutdown(clientssl
);
5754 SSL_shutdown(serverssl
);
5755 SSL_free(serverssl
);
5756 SSL_free(clientssl
);
5757 serverssl
= clientssl
= NULL
;
5759 if (tst
== 3 || tst
== 5) {
5760 /* We don't bother with the resumption aspects for these tests */
5765 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5767 || !TEST_true(SSL_set_session(clientssl
, sess
))
5768 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5773 * For a resumed session we expect to add the ClientHello extension. For the
5774 * old style callbacks we ignore it on the server side because they set
5775 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5779 if (clntaddoldcb
!= 2
5780 || clntparseoldcb
!= 1
5782 || srvparseoldcb
!= 1)
5784 } else if (tst
== 1 || tst
== 2 || tst
== 3) {
5785 if (clntaddnewcb
!= 2
5786 || clntparsenewcb
!= 2
5788 || srvparsenewcb
!= 2)
5792 * No Certificate message extensions in the resumption handshake,
5793 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5795 if (clntaddnewcb
!= 2
5796 || clntparsenewcb
!= 8
5798 || srvparsenewcb
!= 2)
5805 SSL_SESSION_free(sess
);
5806 SSL_free(serverssl
);
5807 SSL_free(clientssl
);
5808 SSL_CTX_free(sctx2
);
5815 * Test loading of serverinfo data in various formats. test_sslmessages actually
5816 * tests to make sure the extensions appear in the handshake
5818 static int test_serverinfo(int tst
)
5820 unsigned int version
;
5821 unsigned char *sibuf
;
5823 int ret
, expected
, testresult
= 0;
5826 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method());
5830 if ((tst
& 0x01) == 0x01)
5831 version
= SSL_SERVERINFOV2
;
5833 version
= SSL_SERVERINFOV1
;
5835 if ((tst
& 0x02) == 0x02) {
5836 sibuf
= serverinfov2
;
5837 sibuflen
= sizeof(serverinfov2
);
5838 expected
= (version
== SSL_SERVERINFOV2
);
5840 sibuf
= serverinfov1
;
5841 sibuflen
= sizeof(serverinfov1
);
5842 expected
= (version
== SSL_SERVERINFOV1
);
5845 if ((tst
& 0x04) == 0x04) {
5846 ret
= SSL_CTX_use_serverinfo_ex(ctx
, version
, sibuf
, sibuflen
);
5848 ret
= SSL_CTX_use_serverinfo(ctx
, sibuf
, sibuflen
);
5851 * The version variable is irrelevant in this case - it's what is in the
5852 * buffer that matters
5854 if ((tst
& 0x02) == 0x02)
5860 if (!TEST_true(ret
== expected
))
5872 * Test that SSL_export_keying_material() produces expected results. There are
5873 * no test vectors so all we do is test that both sides of the communication
5874 * produce the same results for different protocol versions.
5876 #define SMALL_LABEL_LEN 10
5877 #define LONG_LABEL_LEN 249
5878 static int test_export_key_mat(int tst
)
5881 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
5882 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5883 const char label
[LONG_LABEL_LEN
+ 1] = "test label";
5884 const unsigned char context
[] = "context";
5885 const unsigned char *emptycontext
= NULL
;
5886 unsigned char ckeymat1
[80], ckeymat2
[80], ckeymat3
[80];
5887 unsigned char skeymat1
[80], skeymat2
[80], skeymat3
[80];
5889 const int protocols
[] = {
5898 #ifdef OPENSSL_NO_TLS1
5902 #ifdef OPENSSL_NO_TLS1_1
5906 if (is_fips
&& (tst
== 0 || tst
== 1))
5908 #ifdef OPENSSL_NO_TLS1_2
5912 #ifdef OSSL_NO_USABLE_TLS1_3
5916 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5917 TLS_client_method(), TLS1_VERSION
, 0,
5918 &sctx
, &cctx
, cert
, privkey
)))
5921 OPENSSL_assert(tst
>= 0 && (size_t)tst
< OSSL_NELEM(protocols
));
5922 SSL_CTX_set_max_proto_version(cctx
, protocols
[tst
]);
5923 SSL_CTX_set_min_proto_version(cctx
, protocols
[tst
]);
5924 if ((protocols
[tst
] < TLS1_2_VERSION
) &&
5925 (!SSL_CTX_set_cipher_list(cctx
, "DEFAULT:@SECLEVEL=0")
5926 || !SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0")))
5929 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
5934 * Premature call of SSL_export_keying_material should just fail.
5936 if (!TEST_int_le(SSL_export_keying_material(clientssl
, ckeymat1
,
5937 sizeof(ckeymat1
), label
,
5938 SMALL_LABEL_LEN
+ 1, context
,
5939 sizeof(context
) - 1, 1), 0))
5942 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
5948 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5951 if (!TEST_int_le(SSL_export_keying_material(clientssl
, ckeymat1
,
5952 sizeof(ckeymat1
), label
,
5953 LONG_LABEL_LEN
+ 1, context
,
5954 sizeof(context
) - 1, 1), 0))
5959 } else if (tst
== 4) {
5960 labellen
= LONG_LABEL_LEN
;
5962 labellen
= SMALL_LABEL_LEN
;
5965 if (!TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat1
,
5966 sizeof(ckeymat1
), label
,
5968 sizeof(context
) - 1, 1), 1)
5969 || !TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat2
,
5970 sizeof(ckeymat2
), label
,
5974 || !TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat3
,
5975 sizeof(ckeymat3
), label
,
5978 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat1
,
5979 sizeof(skeymat1
), label
,
5982 sizeof(context
) -1, 1),
5984 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat2
,
5985 sizeof(skeymat2
), label
,
5989 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat3
,
5990 sizeof(skeymat3
), label
,
5994 * Check that both sides created the same key material with the
5997 || !TEST_mem_eq(ckeymat1
, sizeof(ckeymat1
), skeymat1
,
6000 * Check that both sides created the same key material with an
6003 || !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), skeymat2
,
6006 * Check that both sides created the same key material without a
6009 || !TEST_mem_eq(ckeymat3
, sizeof(ckeymat3
), skeymat3
,
6011 /* Different contexts should produce different results */
6012 || !TEST_mem_ne(ckeymat1
, sizeof(ckeymat1
), ckeymat2
,
6017 * Check that an empty context and no context produce different results in
6018 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6020 if ((tst
< 3 && !TEST_mem_ne(ckeymat2
, sizeof(ckeymat2
), ckeymat3
,
6022 || (tst
>= 3 && !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), ckeymat3
,
6029 SSL_free(serverssl
);
6030 SSL_free(clientssl
);
6031 SSL_CTX_free(sctx2
);
6038 #ifndef OSSL_NO_USABLE_TLS1_3
6040 * Test that SSL_export_keying_material_early() produces expected
6041 * results. There are no test vectors so all we do is test that both
6042 * sides of the communication produce the same results for different
6043 * protocol versions.
6045 static int test_export_key_mat_early(int idx
)
6047 static const char label
[] = "test label";
6048 static const unsigned char context
[] = "context";
6050 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6051 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6052 SSL_SESSION
*sess
= NULL
;
6053 const unsigned char *emptycontext
= NULL
;
6054 unsigned char ckeymat1
[80], ckeymat2
[80];
6055 unsigned char skeymat1
[80], skeymat2
[80];
6056 unsigned char buf
[1];
6057 size_t readbytes
, written
;
6059 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
, &serverssl
,
6063 /* Here writing 0 length early data is enough. */
6064 if (!TEST_true(SSL_write_early_data(clientssl
, NULL
, 0, &written
))
6065 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
6067 SSL_READ_EARLY_DATA_ERROR
)
6068 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
6069 SSL_EARLY_DATA_ACCEPTED
))
6072 if (!TEST_int_eq(SSL_export_keying_material_early(
6073 clientssl
, ckeymat1
, sizeof(ckeymat1
), label
,
6074 sizeof(label
) - 1, context
, sizeof(context
) - 1), 1)
6075 || !TEST_int_eq(SSL_export_keying_material_early(
6076 clientssl
, ckeymat2
, sizeof(ckeymat2
), label
,
6077 sizeof(label
) - 1, emptycontext
, 0), 1)
6078 || !TEST_int_eq(SSL_export_keying_material_early(
6079 serverssl
, skeymat1
, sizeof(skeymat1
), label
,
6080 sizeof(label
) - 1, context
, sizeof(context
) - 1), 1)
6081 || !TEST_int_eq(SSL_export_keying_material_early(
6082 serverssl
, skeymat2
, sizeof(skeymat2
), label
,
6083 sizeof(label
) - 1, emptycontext
, 0), 1)
6085 * Check that both sides created the same key material with the
6088 || !TEST_mem_eq(ckeymat1
, sizeof(ckeymat1
), skeymat1
,
6091 * Check that both sides created the same key material with an
6094 || !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), skeymat2
,
6096 /* Different contexts should produce different results */
6097 || !TEST_mem_ne(ckeymat1
, sizeof(ckeymat1
), ckeymat2
,
6104 SSL_SESSION_free(sess
);
6105 SSL_SESSION_free(clientpsk
);
6106 SSL_SESSION_free(serverpsk
);
6107 clientpsk
= serverpsk
= NULL
;
6108 SSL_free(serverssl
);
6109 SSL_free(clientssl
);
6116 #define NUM_KEY_UPDATE_MESSAGES 40
6120 static int test_key_update(void)
6122 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6123 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6124 int testresult
= 0, i
, j
;
6126 static char *mess
= "A test message";
6128 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6129 TLS_client_method(),
6132 &sctx
, &cctx
, cert
, privkey
))
6133 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6135 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6139 for (j
= 0; j
< 2; j
++) {
6140 /* Send lots of KeyUpdate messages */
6141 for (i
= 0; i
< NUM_KEY_UPDATE_MESSAGES
; i
++) {
6142 if (!TEST_true(SSL_key_update(clientssl
,
6144 ? SSL_KEY_UPDATE_NOT_REQUESTED
6145 : SSL_KEY_UPDATE_REQUESTED
))
6146 || !TEST_true(SSL_do_handshake(clientssl
)))
6150 /* Check that sending and receiving app data is ok */
6151 if (!TEST_int_eq(SSL_write(clientssl
, mess
, strlen(mess
)), strlen(mess
))
6152 || !TEST_int_eq(SSL_read(serverssl
, buf
, sizeof(buf
)),
6156 if (!TEST_int_eq(SSL_write(serverssl
, mess
, strlen(mess
)), strlen(mess
))
6157 || !TEST_int_eq(SSL_read(clientssl
, buf
, sizeof(buf
)),
6165 SSL_free(serverssl
);
6166 SSL_free(clientssl
);
6174 * Test we can handle a KeyUpdate (update requested) message while
6175 * write data is pending in peer.
6176 * Test 0: Client sends KeyUpdate while Server is writing
6177 * Test 1: Server sends KeyUpdate while Client is writing
6179 static int test_key_update_peer_in_write(int tst
)
6181 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6182 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6185 static char *mess
= "A test message";
6186 BIO
*bretry
= BIO_new(bio_s_always_retry());
6188 SSL
*peerupdate
= NULL
, *peerwrite
= NULL
;
6190 if (!TEST_ptr(bretry
)
6191 || !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6192 TLS_client_method(),
6195 &sctx
, &cctx
, cert
, privkey
))
6196 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6198 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6202 peerupdate
= tst
== 0 ? clientssl
: serverssl
;
6203 peerwrite
= tst
== 0 ? serverssl
: clientssl
;
6205 if (!TEST_true(SSL_key_update(peerupdate
, SSL_KEY_UPDATE_REQUESTED
))
6206 || !TEST_int_eq(SSL_do_handshake(peerupdate
), 1))
6209 /* Swap the writing endpoint's write BIO to force a retry */
6210 tmp
= SSL_get_wbio(peerwrite
);
6211 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
6215 SSL_set0_wbio(peerwrite
, bretry
);
6218 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6219 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), -1)
6220 || !TEST_int_eq(SSL_get_error(peerwrite
, 0), SSL_ERROR_WANT_WRITE
))
6223 /* Reinstate the original writing endpoint's write BIO */
6224 SSL_set0_wbio(peerwrite
, tmp
);
6227 /* Now read some data - we will read the key update */
6228 if (!TEST_int_eq(SSL_read(peerwrite
, buf
, sizeof(buf
)), -1)
6229 || !TEST_int_eq(SSL_get_error(peerwrite
, 0), SSL_ERROR_WANT_READ
))
6233 * Complete the write we started previously and read it from the other
6236 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), strlen(mess
))
6237 || !TEST_int_eq(SSL_read(peerupdate
, buf
, sizeof(buf
)), strlen(mess
)))
6240 /* Write more data to ensure we send the KeyUpdate message back */
6241 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), strlen(mess
))
6242 || !TEST_int_eq(SSL_read(peerupdate
, buf
, sizeof(buf
)), strlen(mess
)))
6248 SSL_free(serverssl
);
6249 SSL_free(clientssl
);
6259 * Test we can handle a KeyUpdate (update requested) message while
6260 * peer read data is pending after peer accepted keyupdate(the msg header
6261 * had been read 5 bytes).
6262 * Test 0: Client sends KeyUpdate while Server is reading
6263 * Test 1: Server sends KeyUpdate while Client is reading
6265 static int test_key_update_peer_in_read(int tst
)
6267 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6268 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6270 char prbuf
[515], lwbuf
[515] = {0};
6271 static char *mess
= "A test message";
6272 BIO
*lbio
= NULL
, *pbio
= NULL
;
6273 SSL
*local
= NULL
, *peer
= NULL
;
6275 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6276 TLS_client_method(),
6279 &sctx
, &cctx
, cert
, privkey
))
6280 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6282 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6286 local
= tst
== 0 ? clientssl
: serverssl
;
6287 peer
= tst
== 0 ? serverssl
: clientssl
;
6289 if (!TEST_int_eq(BIO_new_bio_pair(&lbio
, 512, &pbio
, 512), 1))
6292 SSL_set_bio(local
, lbio
, lbio
);
6293 SSL_set_bio(peer
, pbio
, pbio
);
6296 * we first write keyupdate msg then appdata in local
6297 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6298 * lwbuf app data msg size + key updata msg size > 512(the size of
6299 * the bio pair buffer)
6301 if (!TEST_true(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6302 || !TEST_int_eq(SSL_write(local
, lwbuf
, sizeof(lwbuf
)), -1)
6303 || !TEST_int_eq(SSL_get_error(local
, -1), SSL_ERROR_WANT_WRITE
))
6307 * first read keyupdate msg in peer in peer
6308 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6310 if (!TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), -1)
6311 || !TEST_int_eq(SSL_get_error(peer
, -1), SSL_ERROR_WANT_READ
))
6314 /* Now write some data in peer - we will write the key update */
6315 if (!TEST_int_eq(SSL_write(peer
, mess
, strlen(mess
)), strlen(mess
)))
6319 * write data in local previously that we will complete
6320 * read data in peer previously that we will complete
6322 if (!TEST_int_eq(SSL_write(local
, lwbuf
, sizeof(lwbuf
)), sizeof(lwbuf
))
6323 || !TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), sizeof(prbuf
)))
6326 /* check that sending and receiving appdata ok */
6327 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
))
6328 || !TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), strlen(mess
)))
6334 SSL_free(serverssl
);
6335 SSL_free(clientssl
);
6343 * Test we can't send a KeyUpdate (update requested) message while
6344 * local write data is pending.
6345 * Test 0: Client sends KeyUpdate while Client is writing
6346 * Test 1: Server sends KeyUpdate while Server is writing
6348 static int test_key_update_local_in_write(int tst
)
6350 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6351 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6354 static char *mess
= "A test message";
6355 BIO
*bretry
= BIO_new(bio_s_always_retry());
6357 SSL
*local
= NULL
, *peer
= NULL
;
6359 if (!TEST_ptr(bretry
)
6360 || !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6361 TLS_client_method(),
6364 &sctx
, &cctx
, cert
, privkey
))
6365 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6367 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6371 local
= tst
== 0 ? clientssl
: serverssl
;
6372 peer
= tst
== 0 ? serverssl
: clientssl
;
6374 /* Swap the writing endpoint's write BIO to force a retry */
6375 tmp
= SSL_get_wbio(local
);
6376 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
6380 SSL_set0_wbio(local
, bretry
);
6383 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6384 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), -1)
6385 || !TEST_int_eq(SSL_get_error(local
, -1), SSL_ERROR_WANT_WRITE
))
6388 /* Reinstate the original writing endpoint's write BIO */
6389 SSL_set0_wbio(local
, tmp
);
6392 /* SSL_key_update will fail, because writing in local*/
6393 if (!TEST_false(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6394 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY
))
6398 /* write data in local previously that we will complete */
6399 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
)))
6402 /* SSL_key_update will succeed because there is no pending write data */
6403 if (!TEST_true(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6404 || !TEST_int_eq(SSL_do_handshake(local
), 1))
6408 * we write some appdata in local
6409 * read data in peer - we will read the keyupdate msg
6411 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
))
6412 || !TEST_int_eq(SSL_read(peer
, buf
, sizeof(buf
)), strlen(mess
)))
6415 /* Write more peer more data to ensure we send the keyupdate message back */
6416 if (!TEST_int_eq(SSL_write(peer
, mess
, strlen(mess
)), strlen(mess
))
6417 || !TEST_int_eq(SSL_read(local
, buf
, sizeof(buf
)), strlen(mess
)))
6423 SSL_free(serverssl
);
6424 SSL_free(clientssl
);
6434 * Test we can handle a KeyUpdate (update requested) message while
6435 * local read data is pending(the msg header had been read 5 bytes).
6436 * Test 0: Client sends KeyUpdate while Client is reading
6437 * Test 1: Server sends KeyUpdate while Server is reading
6439 static int test_key_update_local_in_read(int tst
)
6441 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6442 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6444 char lrbuf
[515], pwbuf
[515] = {0}, prbuf
[20];
6445 static char *mess
= "A test message";
6446 BIO
*lbio
= NULL
, *pbio
= NULL
;
6447 SSL
*local
= NULL
, *peer
= NULL
;
6449 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6450 TLS_client_method(),
6453 &sctx
, &cctx
, cert
, privkey
))
6454 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6456 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6460 local
= tst
== 0 ? clientssl
: serverssl
;
6461 peer
= tst
== 0 ? serverssl
: clientssl
;
6463 if (!TEST_int_eq(BIO_new_bio_pair(&lbio
, 512, &pbio
, 512), 1))
6466 SSL_set_bio(local
, lbio
, lbio
);
6467 SSL_set_bio(peer
, pbio
, pbio
);
6469 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6470 if (!TEST_int_eq(SSL_write(peer
, pwbuf
, sizeof(pwbuf
)), -1)
6471 || !TEST_int_eq(SSL_get_error(peer
, -1), SSL_ERROR_WANT_WRITE
))
6474 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6475 if (!TEST_int_eq(SSL_read(local
, lrbuf
, sizeof(lrbuf
)), -1)
6476 || !TEST_int_eq(SSL_get_error(local
, -1), SSL_ERROR_WANT_READ
))
6479 /* SSL_do_handshake will send keyupdate msg */
6480 if (!TEST_true(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6481 || !TEST_int_eq(SSL_do_handshake(local
), 1))
6485 * write data in peer previously that we will complete
6486 * read data in local previously that we will complete
6488 if (!TEST_int_eq(SSL_write(peer
, pwbuf
, sizeof(pwbuf
)), sizeof(pwbuf
))
6489 || !TEST_int_eq(SSL_read(local
, lrbuf
, sizeof(lrbuf
)), sizeof(lrbuf
)))
6493 * write data in local
6494 * read data in peer - we will read the key update
6496 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
))
6497 || !TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), strlen(mess
)))
6500 /* Write more peer data to ensure we send the keyupdate message back */
6501 if (!TEST_int_eq(SSL_write(peer
, mess
, strlen(mess
)), strlen(mess
))
6502 || !TEST_int_eq(SSL_read(local
, lrbuf
, sizeof(lrbuf
)), strlen(mess
)))
6508 SSL_free(serverssl
);
6509 SSL_free(clientssl
);
6515 #endif /* OSSL_NO_USABLE_TLS1_3 */
6517 static int test_ssl_clear(int idx
)
6519 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6520 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6523 #ifdef OPENSSL_NO_TLS1_2
6528 /* Create an initial connection */
6529 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6530 TLS_client_method(), TLS1_VERSION
, 0,
6531 &sctx
, &cctx
, cert
, privkey
))
6533 && !TEST_true(SSL_CTX_set_max_proto_version(cctx
,
6535 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
6536 &clientssl
, NULL
, NULL
))
6537 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6541 SSL_shutdown(clientssl
);
6542 SSL_shutdown(serverssl
);
6543 SSL_free(serverssl
);
6546 /* Clear clientssl - we're going to reuse the object */
6547 if (!TEST_true(SSL_clear(clientssl
)))
6550 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6552 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6554 || !TEST_true(SSL_session_reused(clientssl
)))
6557 SSL_shutdown(clientssl
);
6558 SSL_shutdown(serverssl
);
6563 SSL_free(serverssl
);
6564 SSL_free(clientssl
);
6571 /* Parse CH and retrieve any MFL extension value if present */
6572 static int get_MFL_from_client_hello(BIO
*bio
, int *mfl_codemfl_code
)
6575 unsigned char *data
;
6576 PACKET pkt
, pkt2
, pkt3
;
6577 unsigned int MFL_code
= 0, type
= 0;
6579 if (!TEST_uint_gt(len
= BIO_get_mem_data(bio
, (char **) &data
), 0))
6582 memset(&pkt
, 0, sizeof(pkt
));
6583 memset(&pkt2
, 0, sizeof(pkt2
));
6584 memset(&pkt3
, 0, sizeof(pkt3
));
6586 if (!TEST_long_gt(len
, 0)
6587 || !TEST_true(PACKET_buf_init(&pkt
, data
, len
))
6588 /* Skip the record header */
6589 || !PACKET_forward(&pkt
, SSL3_RT_HEADER_LENGTH
)
6590 /* Skip the handshake message header */
6591 || !TEST_true(PACKET_forward(&pkt
, SSL3_HM_HEADER_LENGTH
))
6592 /* Skip client version and random */
6593 || !TEST_true(PACKET_forward(&pkt
, CLIENT_VERSION_LEN
6594 + SSL3_RANDOM_SIZE
))
6595 /* Skip session id */
6596 || !TEST_true(PACKET_get_length_prefixed_1(&pkt
, &pkt2
))
6598 || !TEST_true(PACKET_get_length_prefixed_2(&pkt
, &pkt2
))
6599 /* Skip compression */
6600 || !TEST_true(PACKET_get_length_prefixed_1(&pkt
, &pkt2
))
6601 /* Extensions len */
6602 || !TEST_true(PACKET_as_length_prefixed_2(&pkt
, &pkt2
)))
6605 /* Loop through all extensions */
6606 while (PACKET_remaining(&pkt2
)) {
6607 if (!TEST_true(PACKET_get_net_2(&pkt2
, &type
))
6608 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2
, &pkt3
)))
6611 if (type
== TLSEXT_TYPE_max_fragment_length
) {
6612 if (!TEST_uint_ne(PACKET_remaining(&pkt3
), 0)
6613 || !TEST_true(PACKET_get_1(&pkt3
, &MFL_code
)))
6616 *mfl_codemfl_code
= MFL_code
;
6625 /* Maximum-Fragment-Length TLS extension mode to test */
6626 static const unsigned char max_fragment_len_test
[] = {
6627 TLSEXT_max_fragment_length_512
,
6628 TLSEXT_max_fragment_length_1024
,
6629 TLSEXT_max_fragment_length_2048
,
6630 TLSEXT_max_fragment_length_4096
6633 static int test_max_fragment_len_ext(int idx_tst
)
6635 SSL_CTX
*ctx
= NULL
;
6637 int testresult
= 0, MFL_mode
= 0;
6640 if (!TEST_true(create_ssl_ctx_pair(libctx
, NULL
, TLS_client_method(),
6641 TLS1_VERSION
, 0, NULL
, &ctx
, NULL
,
6645 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6646 ctx
, max_fragment_len_test
[idx_tst
])))
6653 rbio
= BIO_new(BIO_s_mem());
6654 wbio
= BIO_new(BIO_s_mem());
6655 if (!TEST_ptr(rbio
)|| !TEST_ptr(wbio
)) {
6661 SSL_set_bio(con
, rbio
, wbio
);
6663 if (!TEST_int_le(SSL_connect(con
), 0)) {
6664 /* This shouldn't succeed because we don't have a server! */
6668 if (!TEST_true(get_MFL_from_client_hello(wbio
, &MFL_mode
)))
6669 /* no MFL in client hello */
6671 if (!TEST_true(max_fragment_len_test
[idx_tst
] == MFL_mode
))
6683 #ifndef OSSL_NO_USABLE_TLS1_3
6684 static int test_pha_key_update(void)
6686 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6687 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6690 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6691 TLS_client_method(), TLS1_VERSION
, 0,
6692 &sctx
, &cctx
, cert
, privkey
)))
6695 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx
, TLS1_3_VERSION
))
6696 || !TEST_true(SSL_CTX_set_max_proto_version(sctx
, TLS1_3_VERSION
))
6697 || !TEST_true(SSL_CTX_set_min_proto_version(cctx
, TLS1_3_VERSION
))
6698 || !TEST_true(SSL_CTX_set_max_proto_version(cctx
, TLS1_3_VERSION
)))
6701 SSL_CTX_set_post_handshake_auth(cctx
, 1);
6703 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6707 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
6711 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
, NULL
);
6712 if (!TEST_true(SSL_verify_client_post_handshake(serverssl
)))
6715 if (!TEST_true(SSL_key_update(clientssl
, SSL_KEY_UPDATE_NOT_REQUESTED
)))
6718 /* Start handshake on the server */
6719 if (!TEST_int_eq(SSL_do_handshake(serverssl
), 1))
6722 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6723 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
6727 SSL_shutdown(clientssl
);
6728 SSL_shutdown(serverssl
);
6733 SSL_free(serverssl
);
6734 SSL_free(clientssl
);
6741 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6743 static SRP_VBASE
*vbase
= NULL
;
6745 static int ssl_srp_cb(SSL
*s
, int *ad
, void *arg
)
6747 int ret
= SSL3_AL_FATAL
;
6749 SRP_user_pwd
*user
= NULL
;
6751 username
= SSL_get_srp_username(s
);
6752 if (username
== NULL
) {
6753 *ad
= SSL_AD_INTERNAL_ERROR
;
6757 user
= SRP_VBASE_get1_by_user(vbase
, username
);
6759 *ad
= SSL_AD_INTERNAL_ERROR
;
6763 if (SSL_set_srp_server_param(s
, user
->N
, user
->g
, user
->s
, user
->v
,
6765 *ad
= SSL_AD_INTERNAL_ERROR
;
6772 SRP_user_pwd_free(user
);
6776 static int create_new_vfile(char *userid
, char *password
, const char *filename
)
6779 OPENSSL_STRING
*row
= OPENSSL_zalloc(sizeof(row
) * (DB_NUMBER
+ 1));
6782 BIO
*out
= NULL
, *dummy
= BIO_new_mem_buf("", 0);
6785 if (!TEST_ptr(dummy
) || !TEST_ptr(row
))
6788 gNid
= SRP_create_verifier_ex(userid
, password
, &row
[DB_srpsalt
],
6789 &row
[DB_srpverifier
], NULL
, NULL
, libctx
, NULL
);
6790 if (!TEST_ptr(gNid
))
6794 * The only way to create an empty TXT_DB is to provide a BIO with no data
6797 db
= TXT_DB_read(dummy
, DB_NUMBER
);
6801 out
= BIO_new_file(filename
, "w");
6805 row
[DB_srpid
] = OPENSSL_strdup(userid
);
6806 row
[DB_srptype
] = OPENSSL_strdup("V");
6807 row
[DB_srpgN
] = OPENSSL_strdup(gNid
);
6809 if (!TEST_ptr(row
[DB_srpid
])
6810 || !TEST_ptr(row
[DB_srptype
])
6811 || !TEST_ptr(row
[DB_srpgN
])
6812 || !TEST_true(TXT_DB_insert(db
, row
)))
6817 if (TXT_DB_write(out
, db
) <= 0)
6823 for (i
= 0; i
< DB_NUMBER
; i
++)
6824 OPENSSL_free(row
[i
]);
6834 static int create_new_vbase(char *userid
, char *password
)
6836 BIGNUM
*verifier
= NULL
, *salt
= NULL
;
6837 const SRP_gN
*lgN
= NULL
;
6838 SRP_user_pwd
*user_pwd
= NULL
;
6841 lgN
= SRP_get_default_gN(NULL
);
6845 if (!TEST_true(SRP_create_verifier_BN_ex(userid
, password
, &salt
, &verifier
,
6846 lgN
->N
, lgN
->g
, libctx
, NULL
)))
6849 user_pwd
= OPENSSL_zalloc(sizeof(*user_pwd
));
6850 if (!TEST_ptr(user_pwd
))
6853 user_pwd
->N
= lgN
->N
;
6854 user_pwd
->g
= lgN
->g
;
6855 user_pwd
->id
= OPENSSL_strdup(userid
);
6856 if (!TEST_ptr(user_pwd
->id
))
6859 user_pwd
->v
= verifier
;
6861 verifier
= salt
= NULL
;
6863 if (sk_SRP_user_pwd_insert(vbase
->users_pwd
, user_pwd
, 0) == 0)
6869 SRP_user_pwd_free(user_pwd
);
6879 * Test 0: Simple successful SRP connection, new vbase
6880 * Test 1: Connection failure due to bad password, new vbase
6881 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6882 * Test 3: Connection failure due to bad password, vbase loaded from existing
6884 * Test 4: Simple successful SRP connection, vbase loaded from new file
6885 * Test 5: Connection failure due to bad password, vbase loaded from new file
6887 static int test_srp(int tst
)
6889 char *userid
= "test", *password
= "password", *tstsrpfile
;
6890 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6891 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6892 int ret
, testresult
= 0;
6894 vbase
= SRP_VBASE_new(NULL
);
6895 if (!TEST_ptr(vbase
))
6898 if (tst
== 0 || tst
== 1) {
6899 if (!TEST_true(create_new_vbase(userid
, password
)))
6902 if (tst
== 4 || tst
== 5) {
6903 if (!TEST_true(create_new_vfile(userid
, password
, tmpfilename
)))
6905 tstsrpfile
= tmpfilename
;
6907 tstsrpfile
= srpvfile
;
6909 if (!TEST_int_eq(SRP_VBASE_init(vbase
, tstsrpfile
), SRP_NO_ERROR
))
6913 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6914 TLS_client_method(), TLS1_VERSION
, 0,
6915 &sctx
, &cctx
, cert
, privkey
)))
6918 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx
, ssl_srp_cb
), 0)
6919 || !TEST_true(SSL_CTX_set_cipher_list(cctx
, "SRP-AES-128-CBC-SHA"))
6920 || !TEST_true(SSL_CTX_set_max_proto_version(sctx
, TLS1_2_VERSION
))
6921 || !TEST_true(SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
))
6922 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx
, userid
), 0))
6926 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx
, "badpass"), 0))
6929 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx
, password
), 0))
6933 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6937 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
6939 if (!TEST_true(tst
% 2 == 0))
6942 if (!TEST_true(tst
% 2 == 1))
6949 SRP_VBASE_free(vbase
);
6951 SSL_free(serverssl
);
6952 SSL_free(clientssl
);
6960 static int info_cb_failed
= 0;
6961 static int info_cb_offset
= 0;
6962 static int info_cb_this_state
= -1;
6964 static struct info_cb_states_st
{
6966 const char *statestr
;
6967 } info_cb_states
[][60] = {
6969 /* TLSv1.2 server followed by resumption */
6970 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
6971 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
6972 {SSL_CB_LOOP
, "TWSC"}, {SSL_CB_LOOP
, "TWSKE"}, {SSL_CB_LOOP
, "TWSD"},
6973 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWSD"}, {SSL_CB_LOOP
, "TRCKE"},
6974 {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWST"},
6975 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
6976 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
6977 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
6978 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"},
6979 {SSL_CB_LOOP
, "TWSH"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
6980 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TRCCS"},
6981 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
6982 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
6984 /* TLSv1.2 client followed by resumption */
6985 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
6986 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
6987 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TRSC"}, {SSL_CB_LOOP
, "TRSKE"},
6988 {SSL_CB_LOOP
, "TRSD"}, {SSL_CB_LOOP
, "TWCKE"}, {SSL_CB_LOOP
, "TWCCS"},
6989 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWFIN"},
6990 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"},
6991 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
6992 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
6993 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
6994 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"},
6995 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
6996 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
6998 /* TLSv1.3 server followed by resumption */
6999 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7000 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7001 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWSC"},
7002 {SSL_CB_LOOP
, "TWSCV"}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TED"},
7003 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRFIN"},
7004 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_LOOP
, "TWST"},
7005 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
7006 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7007 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7008 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
7009 {SSL_CB_LOOP
, "TED"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"},
7010 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7011 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7013 /* TLSv1.3 client followed by resumption */
7014 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7015 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
7016 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"}, {SSL_CB_LOOP
, "TRSC"},
7017 {SSL_CB_LOOP
, "TRSCV"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"},
7018 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7019 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"},
7020 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"},
7021 {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
},
7022 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
7023 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
},
7024 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
7025 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7026 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7027 {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "TRST"},
7028 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7030 /* TLSv1.3 server, early_data */
7031 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7032 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7033 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
7034 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7035 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TED"},
7036 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TWEOED"}, {SSL_CB_LOOP
, "TRFIN"},
7037 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_LOOP
, "TWST"},
7038 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7040 /* TLSv1.3 client, early_data */
7041 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7042 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TWCCS"},
7043 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7044 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TED"},
7045 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
7046 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TPEDE"}, {SSL_CB_LOOP
, "TWEOED"},
7047 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7048 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"},
7049 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7055 static void sslapi_info_callback(const SSL
*s
, int where
, int ret
)
7057 struct info_cb_states_st
*state
= info_cb_states
[info_cb_offset
];
7059 /* We do not ever expect a connection to fail in this test */
7060 if (!TEST_false(ret
== 0)) {
7066 * Do some sanity checks. We never expect these things to happen in this
7069 if (!TEST_false((SSL_is_server(s
) && (where
& SSL_ST_CONNECT
) != 0))
7070 || !TEST_false(!SSL_is_server(s
) && (where
& SSL_ST_ACCEPT
) != 0)
7071 || !TEST_int_ne(state
[++info_cb_this_state
].where
, 0)) {
7076 /* Now check we're in the right state */
7077 if (!TEST_true((where
& state
[info_cb_this_state
].where
) != 0)) {
7081 if ((where
& SSL_CB_LOOP
) != 0
7082 && !TEST_int_eq(strcmp(SSL_state_string(s
),
7083 state
[info_cb_this_state
].statestr
), 0)) {
7089 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7091 if ((where
& SSL_CB_HANDSHAKE_DONE
)
7092 && SSL_in_init((SSL
*)s
) != 0) {
7099 * Test the info callback gets called when we expect it to.
7101 * Test 0: TLSv1.2, server
7102 * Test 1: TLSv1.2, client
7103 * Test 2: TLSv1.3, server
7104 * Test 3: TLSv1.3, client
7105 * Test 4: TLSv1.3, server, early_data
7106 * Test 5: TLSv1.3, client, early_data
7108 static int test_info_callback(int tst
)
7110 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7111 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7112 SSL_SESSION
*clntsess
= NULL
;
7117 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7118 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7119 || !defined(OPENSSL_NO_DH))
7120 tlsvers
= TLS1_2_VERSION
;
7125 #ifndef OSSL_NO_USABLE_TLS1_3
7126 tlsvers
= TLS1_3_VERSION
;
7134 info_cb_this_state
= -1;
7135 info_cb_offset
= tst
;
7137 #ifndef OSSL_NO_USABLE_TLS1_3
7139 SSL_SESSION
*sess
= NULL
;
7140 size_t written
, readbytes
;
7141 unsigned char buf
[80];
7143 /* early_data tests */
7144 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
7145 &serverssl
, &sess
, 0)))
7148 /* We don't actually need this reference */
7149 SSL_SESSION_free(sess
);
7151 SSL_set_info_callback((tst
% 2) == 0 ? serverssl
: clientssl
,
7152 sslapi_info_callback
);
7154 /* Write and read some early data and then complete the connection */
7155 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
7157 || !TEST_size_t_eq(written
, strlen(MSG1
))
7158 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
,
7159 sizeof(buf
), &readbytes
),
7160 SSL_READ_EARLY_DATA_SUCCESS
)
7161 || !TEST_mem_eq(MSG1
, readbytes
, buf
, strlen(MSG1
))
7162 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
7163 SSL_EARLY_DATA_ACCEPTED
)
7164 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7166 || !TEST_false(info_cb_failed
))
7174 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7175 TLS_client_method(),
7176 tlsvers
, tlsvers
, &sctx
, &cctx
, cert
,
7180 if (!TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
7184 * For even numbered tests we check the server callbacks. For odd numbers we
7187 SSL_CTX_set_info_callback((tst
% 2) == 0 ? sctx
: cctx
,
7188 sslapi_info_callback
);
7190 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
7191 &clientssl
, NULL
, NULL
))
7192 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7194 || !TEST_false(info_cb_failed
))
7199 clntsess
= SSL_get1_session(clientssl
);
7200 SSL_shutdown(clientssl
);
7201 SSL_shutdown(serverssl
);
7202 SSL_free(serverssl
);
7203 SSL_free(clientssl
);
7204 serverssl
= clientssl
= NULL
;
7206 /* Now do a resumption */
7207 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
7209 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
7210 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7212 || !TEST_true(SSL_session_reused(clientssl
))
7213 || !TEST_false(info_cb_failed
))
7219 SSL_free(serverssl
);
7220 SSL_free(clientssl
);
7221 SSL_SESSION_free(clntsess
);
7227 static int test_ssl_pending(int tst
)
7229 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7230 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7232 char msg
[] = "A test message";
7234 size_t written
, readbytes
;
7237 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7238 TLS_client_method(),
7240 &sctx
, &cctx
, cert
, privkey
)))
7243 #ifndef OPENSSL_NO_DTLS
7244 if (!TEST_true(create_ssl_ctx_pair(libctx
, DTLS_server_method(),
7245 DTLS_client_method(),
7247 &sctx
, &cctx
, cert
, privkey
)))
7250 # ifdef OPENSSL_NO_DTLS1_2
7251 /* Not supported in the FIPS provider */
7257 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7260 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0"))
7261 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
7262 "DEFAULT:@SECLEVEL=0")))
7270 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7272 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7276 if (!TEST_int_eq(SSL_pending(clientssl
), 0)
7277 || !TEST_false(SSL_has_pending(clientssl
))
7278 || !TEST_int_eq(SSL_pending(serverssl
), 0)
7279 || !TEST_false(SSL_has_pending(serverssl
))
7280 || !TEST_true(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
7281 || !TEST_size_t_eq(written
, sizeof(msg
))
7282 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
7283 || !TEST_size_t_eq(readbytes
, sizeof(buf
))
7284 || !TEST_int_eq(SSL_pending(clientssl
), (int)(written
- readbytes
))
7285 || !TEST_true(SSL_has_pending(clientssl
)))
7291 SSL_free(serverssl
);
7292 SSL_free(clientssl
);
7300 unsigned int maxprot
;
7301 const char *clntciphers
;
7302 const char *clnttls13ciphers
;
7303 const char *srvrciphers
;
7304 const char *srvrtls13ciphers
;
7306 const char *fipsshared
;
7307 } shared_ciphers_data
[] = {
7309 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7310 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7312 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7315 "AES128-SHA:AES256-SHA",
7317 "AES256-SHA:DHE-RSA-AES128-SHA",
7322 # if !defined(OPENSSL_NO_CHACHA) \
7323 && !defined(OPENSSL_NO_POLY1305) \
7324 && !defined(OPENSSL_NO_EC)
7327 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7329 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7331 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7337 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7339 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7341 "AES128-SHA:AES256-SHA",
7342 "AES128-SHA:AES256-SHA"
7346 "AES128-SHA:AES256-SHA",
7348 "AES128-SHA:DHE-RSA-AES128-SHA",
7355 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7358 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7359 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7362 "AES128-SHA:AES256-SHA",
7364 "AES256-SHA:AES128-SHA256",
7366 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7367 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7368 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7371 #ifndef OSSL_NO_USABLE_TLS1_3
7375 "TLS_AES_256_GCM_SHA384",
7377 "TLS_AES_256_GCM_SHA384",
7378 "TLS_AES_256_GCM_SHA384",
7379 "TLS_AES_256_GCM_SHA384"
7384 static int int_test_ssl_get_shared_ciphers(int tst
, int clnt
)
7386 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7387 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7390 OSSL_LIB_CTX
*tmplibctx
= OSSL_LIB_CTX_new();
7392 if (!TEST_ptr(tmplibctx
))
7396 * Regardless of whether we're testing with the FIPS provider loaded into
7397 * libctx, we want one peer to always use the full set of ciphersuites
7398 * available. Therefore we use a separate libctx with the default provider
7399 * loaded into it. We run the same tests twice - once with the client side
7400 * having the full set of ciphersuites and once with the server side.
7403 cctx
= SSL_CTX_new_ex(tmplibctx
, NULL
, TLS_client_method());
7404 if (!TEST_ptr(cctx
))
7407 sctx
= SSL_CTX_new_ex(tmplibctx
, NULL
, TLS_server_method());
7408 if (!TEST_ptr(sctx
))
7412 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7413 TLS_client_method(),
7415 shared_ciphers_data
[tst
].maxprot
,
7416 &sctx
, &cctx
, cert
, privkey
)))
7419 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
7420 shared_ciphers_data
[tst
].clntciphers
))
7421 || (shared_ciphers_data
[tst
].clnttls13ciphers
!= NULL
7422 && !TEST_true(SSL_CTX_set_ciphersuites(cctx
,
7423 shared_ciphers_data
[tst
].clnttls13ciphers
)))
7424 || !TEST_true(SSL_CTX_set_cipher_list(sctx
,
7425 shared_ciphers_data
[tst
].srvrciphers
))
7426 || (shared_ciphers_data
[tst
].srvrtls13ciphers
!= NULL
7427 && !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
7428 shared_ciphers_data
[tst
].srvrtls13ciphers
))))
7432 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7434 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7438 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl
, buf
, sizeof(buf
)))
7439 || !TEST_int_eq(strcmp(buf
,
7441 ? shared_ciphers_data
[tst
].fipsshared
7442 : shared_ciphers_data
[tst
].shared
),
7444 TEST_info("Shared ciphers are: %s\n", buf
);
7451 SSL_free(serverssl
);
7452 SSL_free(clientssl
);
7455 OSSL_LIB_CTX_free(tmplibctx
);
7460 static int test_ssl_get_shared_ciphers(int tst
)
7462 return int_test_ssl_get_shared_ciphers(tst
, 0)
7463 && int_test_ssl_get_shared_ciphers(tst
, 1);
7467 static const char *appdata
= "Hello World";
7468 static int gen_tick_called
, dec_tick_called
, tick_key_cb_called
;
7469 static int tick_key_renew
= 0;
7470 static SSL_TICKET_RETURN tick_dec_ret
= SSL_TICKET_RETURN_ABORT
;
7472 static int gen_tick_cb(SSL
*s
, void *arg
)
7474 gen_tick_called
= 1;
7476 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s
), appdata
,
7480 static SSL_TICKET_RETURN
dec_tick_cb(SSL
*s
, SSL_SESSION
*ss
,
7481 const unsigned char *keyname
,
7482 size_t keyname_length
,
7483 SSL_TICKET_STATUS status
,
7489 dec_tick_called
= 1;
7491 if (status
== SSL_TICKET_EMPTY
)
7492 return SSL_TICKET_RETURN_IGNORE_RENEW
;
7494 if (!TEST_true(status
== SSL_TICKET_SUCCESS
7495 || status
== SSL_TICKET_SUCCESS_RENEW
))
7496 return SSL_TICKET_RETURN_ABORT
;
7498 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss
, &tickdata
,
7500 || !TEST_size_t_eq(tickdlen
, strlen(appdata
))
7501 || !TEST_int_eq(memcmp(tickdata
, appdata
, tickdlen
), 0))
7502 return SSL_TICKET_RETURN_ABORT
;
7504 if (tick_key_cb_called
) {
7505 /* Don't change what the ticket key callback wanted to do */
7507 case SSL_TICKET_NO_DECRYPT
:
7508 return SSL_TICKET_RETURN_IGNORE_RENEW
;
7510 case SSL_TICKET_SUCCESS
:
7511 return SSL_TICKET_RETURN_USE
;
7513 case SSL_TICKET_SUCCESS_RENEW
:
7514 return SSL_TICKET_RETURN_USE_RENEW
;
7517 return SSL_TICKET_RETURN_ABORT
;
7520 return tick_dec_ret
;
7524 #ifndef OPENSSL_NO_DEPRECATED_3_0
7525 static int tick_key_cb(SSL
*s
, unsigned char key_name
[16],
7526 unsigned char iv
[EVP_MAX_IV_LENGTH
], EVP_CIPHER_CTX
*ctx
,
7527 HMAC_CTX
*hctx
, int enc
)
7529 const unsigned char tick_aes_key
[16] = "0123456789abcdef";
7530 const unsigned char tick_hmac_key
[16] = "0123456789abcdef";
7531 EVP_CIPHER
*aes128cbc
= EVP_CIPHER_fetch(libctx
, "AES-128-CBC", NULL
);
7532 EVP_MD
*sha256
= EVP_MD_fetch(libctx
, "SHA-256", NULL
);
7535 tick_key_cb_called
= 1;
7536 memset(iv
, 0, AES_BLOCK_SIZE
);
7537 memset(key_name
, 0, 16);
7538 if (aes128cbc
== NULL
7540 || !EVP_CipherInit_ex(ctx
, aes128cbc
, NULL
, tick_aes_key
, iv
, enc
)
7541 || !HMAC_Init_ex(hctx
, tick_hmac_key
, sizeof(tick_hmac_key
), sha256
,
7545 ret
= tick_key_renew
? 2 : 1;
7547 EVP_CIPHER_free(aes128cbc
);
7548 EVP_MD_free(sha256
);
7554 static int tick_key_evp_cb(SSL
*s
, unsigned char key_name
[16],
7555 unsigned char iv
[EVP_MAX_IV_LENGTH
],
7556 EVP_CIPHER_CTX
*ctx
, EVP_MAC_CTX
*hctx
, int enc
)
7558 const unsigned char tick_aes_key
[16] = "0123456789abcdef";
7559 unsigned char tick_hmac_key
[16] = "0123456789abcdef";
7560 OSSL_PARAM params
[2];
7561 EVP_CIPHER
*aes128cbc
= EVP_CIPHER_fetch(libctx
, "AES-128-CBC", NULL
);
7564 tick_key_cb_called
= 1;
7565 memset(iv
, 0, AES_BLOCK_SIZE
);
7566 memset(key_name
, 0, 16);
7567 params
[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST
,
7569 params
[1] = OSSL_PARAM_construct_end();
7570 if (aes128cbc
== NULL
7571 || !EVP_CipherInit_ex(ctx
, aes128cbc
, NULL
, tick_aes_key
, iv
, enc
)
7572 || !EVP_MAC_init(hctx
, tick_hmac_key
, sizeof(tick_hmac_key
),
7576 ret
= tick_key_renew
? 2 : 1;
7578 EVP_CIPHER_free(aes128cbc
);
7584 * Test the various ticket callbacks
7585 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7586 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7587 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7588 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7589 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7590 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7591 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7592 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7593 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7594 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7595 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7596 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7597 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7598 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7599 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7600 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7602 static int test_ticket_callbacks(int tst
)
7604 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7605 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7606 SSL_SESSION
*clntsess
= NULL
;
7609 #ifdef OPENSSL_NO_TLS1_2
7613 #ifdef OSSL_NO_USABLE_TLS1_3
7617 #ifdef OPENSSL_NO_DEPRECATED_3_0
7618 if (tst
>= 8 && tst
<= 11)
7622 gen_tick_called
= dec_tick_called
= tick_key_cb_called
= 0;
7624 /* Which tests the ticket key callback should request renewal for */
7625 if (tst
== 10 || tst
== 11 || tst
== 14 || tst
== 15)
7630 /* Which tests the decrypt ticket callback should request renewal for */
7634 tick_dec_ret
= SSL_TICKET_RETURN_IGNORE
;
7639 tick_dec_ret
= SSL_TICKET_RETURN_IGNORE_RENEW
;
7644 tick_dec_ret
= SSL_TICKET_RETURN_USE
;
7649 tick_dec_ret
= SSL_TICKET_RETURN_USE_RENEW
;
7653 tick_dec_ret
= SSL_TICKET_RETURN_ABORT
;
7656 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7657 TLS_client_method(),
7659 ((tst
% 2) == 0) ? TLS1_2_VERSION
7661 &sctx
, &cctx
, cert
, privkey
)))
7665 * We only want sessions to resume from tickets - not the session cache. So
7666 * switch the cache off.
7668 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx
, SSL_SESS_CACHE_OFF
)))
7671 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx
, gen_tick_cb
, dec_tick_cb
,
7676 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx
, tick_key_evp_cb
)))
7678 #ifndef OPENSSL_NO_DEPRECATED_3_0
7679 } else if (tst
>= 8) {
7680 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx
, tick_key_cb
)))
7685 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7687 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7692 * The decrypt ticket key callback in TLSv1.2 should be called even though
7693 * we have no ticket yet, because it gets called with a status of
7694 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7695 * actually send any ticket data). This does not happen in TLSv1.3 because
7696 * it is not valid to send empty ticket data in TLSv1.3.
7698 if (!TEST_int_eq(gen_tick_called
, 1)
7699 || !TEST_int_eq(dec_tick_called
, ((tst
% 2) == 0) ? 1 : 0))
7702 gen_tick_called
= dec_tick_called
= 0;
7704 clntsess
= SSL_get1_session(clientssl
);
7705 SSL_shutdown(clientssl
);
7706 SSL_shutdown(serverssl
);
7707 SSL_free(serverssl
);
7708 SSL_free(clientssl
);
7709 serverssl
= clientssl
= NULL
;
7711 /* Now do a resumption */
7712 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
7714 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
7715 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7719 if (tick_dec_ret
== SSL_TICKET_RETURN_IGNORE
7720 || tick_dec_ret
== SSL_TICKET_RETURN_IGNORE_RENEW
) {
7721 if (!TEST_false(SSL_session_reused(clientssl
)))
7724 if (!TEST_true(SSL_session_reused(clientssl
)))
7728 if (!TEST_int_eq(gen_tick_called
,
7730 || tick_dec_ret
== SSL_TICKET_RETURN_IGNORE_RENEW
7731 || tick_dec_ret
== SSL_TICKET_RETURN_USE_RENEW
)
7733 || !TEST_int_eq(dec_tick_called
, 1))
7739 SSL_SESSION_free(clntsess
);
7740 SSL_free(serverssl
);
7741 SSL_free(clientssl
);
7749 * Test incorrect shutdown.
7750 * Test 0: client does not shutdown properly,
7751 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7752 * server should get SSL_ERROR_SSL
7753 * Test 1: client does not shutdown properly,
7754 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7755 * server should get SSL_ERROR_ZERO_RETURN
7757 static int test_incorrect_shutdown(int tst
)
7759 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7760 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7765 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7766 TLS_client_method(), 0, 0,
7767 &sctx
, &cctx
, cert
, privkey
)))
7771 SSL_CTX_set_options(sctx
, SSL_OP_IGNORE_UNEXPECTED_EOF
);
7773 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7777 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
7781 c2s
= SSL_get_rbio(serverssl
);
7782 BIO_set_mem_eof_return(c2s
, 0);
7784 if (!TEST_false(SSL_read(serverssl
, buf
, sizeof(buf
))))
7787 if (tst
== 0 && !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_SSL
) )
7789 if (tst
== 1 && !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_ZERO_RETURN
) )
7795 SSL_free(serverssl
);
7796 SSL_free(clientssl
);
7804 * Test bi-directional shutdown.
7806 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7807 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7808 * Test 3: TLSv1.3, pending NewSessionTicket messages
7809 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7810 * sends key update, client reads it
7811 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7812 * sends CertificateRequest, client reads and ignores it
7813 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7816 static int test_shutdown(int tst
)
7818 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7819 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7821 char msg
[] = "A test message";
7823 size_t written
, readbytes
;
7826 #ifdef OPENSSL_NO_TLS1_2
7830 #ifdef OSSL_NO_USABLE_TLS1_3
7835 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7836 TLS_client_method(),
7838 (tst
<= 1) ? TLS1_2_VERSION
7840 &sctx
, &cctx
, cert
, privkey
)))
7844 SSL_CTX_set_post_handshake_auth(cctx
, 1);
7846 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7851 if (!TEST_true(create_bare_ssl_connection(serverssl
, clientssl
,
7853 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
7854 || !TEST_false(SSL_SESSION_is_resumable(sess
)))
7856 } else if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
7858 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
7859 || !TEST_true(SSL_SESSION_is_resumable(sess
))) {
7863 if (!TEST_int_eq(SSL_shutdown(clientssl
), 0))
7868 * Reading on the server after the client has sent close_notify should
7869 * fail and provide SSL_ERROR_ZERO_RETURN
7871 if (!TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
7872 || !TEST_int_eq(SSL_get_error(serverssl
, 0),
7873 SSL_ERROR_ZERO_RETURN
)
7874 || !TEST_int_eq(SSL_get_shutdown(serverssl
),
7875 SSL_RECEIVED_SHUTDOWN
)
7877 * Even though we're shutdown on receive we should still be
7880 || !TEST_true(SSL_write(serverssl
, msg
, sizeof(msg
))))
7883 && !TEST_true(SSL_key_update(serverssl
,
7884 SSL_KEY_UPDATE_REQUESTED
)))
7887 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
, NULL
);
7888 if (!TEST_true(SSL_verify_client_post_handshake(serverssl
)))
7891 if ((tst
== 4 || tst
== 5)
7892 && !TEST_true(SSL_write(serverssl
, msg
, sizeof(msg
))))
7894 if (!TEST_int_eq(SSL_shutdown(serverssl
), 1))
7896 if (tst
== 4 || tst
== 5) {
7897 /* Should still be able to read data from server */
7898 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
7900 || !TEST_size_t_eq(readbytes
, sizeof(msg
))
7901 || !TEST_int_eq(memcmp(msg
, buf
, readbytes
), 0)
7902 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
7904 || !TEST_size_t_eq(readbytes
, sizeof(msg
))
7905 || !TEST_int_eq(memcmp(msg
, buf
, readbytes
), 0))
7910 /* Writing on the client after sending close_notify shouldn't be possible */
7911 if (!TEST_false(SSL_write_ex(clientssl
, msg
, sizeof(msg
), &written
)))
7916 * For these tests the client has sent close_notify but it has not yet
7917 * been received by the server. The server has not sent close_notify
7920 if (!TEST_int_eq(SSL_shutdown(serverssl
), 0)
7922 * Writing on the server after sending close_notify shouldn't
7925 || !TEST_false(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
7926 || !TEST_int_eq(SSL_shutdown(clientssl
), 1)
7927 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
7928 || !TEST_true(SSL_SESSION_is_resumable(sess
))
7929 || !TEST_int_eq(SSL_shutdown(serverssl
), 1))
7931 } else if (tst
== 4 || tst
== 5) {
7933 * In this test the client has sent close_notify and it has been
7934 * received by the server which has responded with a close_notify. The
7935 * client needs to read the close_notify sent by the server.
7937 if (!TEST_int_eq(SSL_shutdown(clientssl
), 1)
7938 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
7939 || !TEST_true(SSL_SESSION_is_resumable(sess
)))
7945 * The client has sent close_notify and is expecting a close_notify
7946 * back, but instead there is application data first. The shutdown
7947 * should fail with a fatal error.
7949 if (!TEST_int_eq(SSL_shutdown(clientssl
), -1)
7950 || !TEST_int_eq(SSL_get_error(clientssl
, -1), SSL_ERROR_SSL
))
7957 SSL_free(serverssl
);
7958 SSL_free(clientssl
);
7965 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7966 static int cert_cb_cnt
;
7968 static int cert_cb(SSL
*s
, void *arg
)
7970 SSL_CTX
*ctx
= (SSL_CTX
*)arg
;
7972 EVP_PKEY
*pkey
= NULL
;
7973 X509
*x509
= NULL
, *rootx
= NULL
;
7974 STACK_OF(X509
) *chain
= NULL
;
7975 char *rootfile
= NULL
, *ecdsacert
= NULL
, *ecdsakey
= NULL
;
7978 if (cert_cb_cnt
== 0) {
7979 /* Suspend the handshake */
7982 } else if (cert_cb_cnt
== 1) {
7984 * Update the SSL_CTX, set the certificate and private key and then
7985 * continue the handshake normally.
7987 if (ctx
!= NULL
&& !TEST_ptr(SSL_set_SSL_CTX(s
, ctx
)))
7990 if (!TEST_true(SSL_use_certificate_file(s
, cert
, SSL_FILETYPE_PEM
))
7991 || !TEST_true(SSL_use_PrivateKey_file(s
, privkey
,
7993 || !TEST_true(SSL_check_private_key(s
)))
7997 } else if (cert_cb_cnt
== 3) {
8000 rootfile
= test_mk_file_path(certsdir
, "rootcert.pem");
8001 ecdsacert
= test_mk_file_path(certsdir
, "server-ecdsa-cert.pem");
8002 ecdsakey
= test_mk_file_path(certsdir
, "server-ecdsa-key.pem");
8003 if (!TEST_ptr(rootfile
) || !TEST_ptr(ecdsacert
) || !TEST_ptr(ecdsakey
))
8005 chain
= sk_X509_new_null();
8006 if (!TEST_ptr(chain
))
8008 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
8009 || !TEST_int_gt(BIO_read_filename(in
, rootfile
), 0)
8010 || !TEST_ptr(rootx
= X509_new_ex(libctx
, NULL
))
8011 || !TEST_ptr(PEM_read_bio_X509(in
, &rootx
, NULL
, NULL
))
8012 || !TEST_true(sk_X509_push(chain
, rootx
)))
8016 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
8017 || !TEST_int_gt(BIO_read_filename(in
, ecdsacert
), 0)
8018 || !TEST_ptr(x509
= X509_new_ex(libctx
, NULL
))
8019 || !TEST_ptr(PEM_read_bio_X509(in
, &x509
, NULL
, NULL
)))
8022 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
8023 || !TEST_int_gt(BIO_read_filename(in
, ecdsakey
), 0)
8024 || !TEST_ptr(pkey
= PEM_read_bio_PrivateKey_ex(in
, NULL
,
8028 rv
= SSL_check_chain(s
, x509
, pkey
, chain
);
8030 * If the cert doesn't show as valid here (e.g., because we don't
8031 * have any shared sigalgs), then we will not set it, and there will
8032 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8033 * will cause tls_choose_sigalgs() to fail the connection.
8035 if ((rv
& (CERT_PKEY_VALID
| CERT_PKEY_CA_SIGNATURE
))
8036 == (CERT_PKEY_VALID
| CERT_PKEY_CA_SIGNATURE
)) {
8037 if (!SSL_use_cert_and_key(s
, x509
, pkey
, NULL
, 1))
8044 /* Abort the handshake */
8046 OPENSSL_free(ecdsacert
);
8047 OPENSSL_free(ecdsakey
);
8048 OPENSSL_free(rootfile
);
8050 EVP_PKEY_free(pkey
);
8053 OSSL_STACK_OF_X509_free(chain
);
8058 * Test the certificate callback.
8059 * Test 0: Callback fails
8060 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8061 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8062 * Test 3: Success - Call SSL_check_chain from the callback
8063 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8065 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8067 static int test_cert_cb_int(int prot
, int tst
)
8069 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *snictx
= NULL
;
8070 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8071 int testresult
= 0, ret
;
8073 #ifdef OPENSSL_NO_EC
8074 /* We use an EC cert in these tests, so we skip in a no-ec build */
8079 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8080 TLS_client_method(),
8083 &sctx
, &cctx
, NULL
, NULL
)))
8094 snictx
= SSL_CTX_new(TLS_server_method());
8095 SSL_CTX_set_cert_cb(sctx
, cert_cb
, snictx
);
8097 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8103 * We cause SSL_check_chain() to fail by specifying sig_algs that
8104 * the chain doesn't meet (the root uses an RSA cert)
8106 if (!TEST_true(SSL_set1_sigalgs_list(clientssl
,
8107 "ecdsa_secp256r1_sha256")))
8109 } else if (tst
== 5) {
8111 * We cause SSL_check_chain() to fail by specifying sig_algs that
8112 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8114 if (!TEST_true(SSL_set1_sigalgs_list(clientssl
,
8115 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8119 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
8120 if (!TEST_true(tst
== 0 || tst
== 4 || tst
== 5 ? !ret
: ret
)
8122 && !TEST_int_eq((cert_cb_cnt
- 2) * (cert_cb_cnt
- 3), 0))) {
8129 SSL_free(serverssl
);
8130 SSL_free(clientssl
);
8133 SSL_CTX_free(snictx
);
8139 static int test_cert_cb(int tst
)
8143 #ifndef OPENSSL_NO_TLS1_2
8144 testresult
&= test_cert_cb_int(TLS1_2_VERSION
, tst
);
8146 #ifndef OSSL_NO_USABLE_TLS1_3
8147 testresult
&= test_cert_cb_int(TLS1_3_VERSION
, tst
);
8153 static int client_cert_cb(SSL
*ssl
, X509
**x509
, EVP_PKEY
**pkey
)
8158 BIO
*priv_in
= NULL
;
8160 /* Check that SSL_get0_peer_certificate() returns something sensible */
8161 if (!TEST_ptr(SSL_get0_peer_certificate(ssl
)))
8164 in
= BIO_new_file(cert
, "r");
8168 if (!TEST_ptr(xcert
= X509_new_ex(libctx
, NULL
))
8169 || !TEST_ptr(PEM_read_bio_X509(in
, &xcert
, NULL
, NULL
))
8170 || !TEST_ptr(priv_in
= BIO_new_file(privkey
, "r"))
8171 || !TEST_ptr(privpkey
= PEM_read_bio_PrivateKey_ex(priv_in
, NULL
,
8189 static int test_client_cert_cb(int tst
)
8191 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8192 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8195 #ifdef OPENSSL_NO_TLS1_2
8199 #ifdef OSSL_NO_USABLE_TLS1_3
8204 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8205 TLS_client_method(),
8207 tst
== 0 ? TLS1_2_VERSION
8209 &sctx
, &cctx
, cert
, privkey
)))
8213 * Test that setting a client_cert_cb results in a client certificate being
8216 SSL_CTX_set_client_cert_cb(cctx
, client_cert_cb
);
8217 SSL_CTX_set_verify(sctx
,
8218 SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
,
8221 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8223 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
8230 SSL_free(serverssl
);
8231 SSL_free(clientssl
);
8238 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8240 * Test setting certificate authorities on both client and server.
8242 * Test 0: SSL_CTX_set0_CA_list() only
8243 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8244 * Test 2: Only SSL_CTX_set_client_CA_list()
8246 static int test_ca_names_int(int prot
, int tst
)
8248 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8249 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8252 X509_NAME
*name
[] = { NULL
, NULL
, NULL
, NULL
};
8253 char *strnames
[] = { "Jack", "Jill", "John", "Joanne" };
8254 STACK_OF(X509_NAME
) *sk1
= NULL
, *sk2
= NULL
;
8255 const STACK_OF(X509_NAME
) *sktmp
= NULL
;
8257 for (i
= 0; i
< OSSL_NELEM(name
); i
++) {
8258 name
[i
] = X509_NAME_new();
8259 if (!TEST_ptr(name
[i
])
8260 || !TEST_true(X509_NAME_add_entry_by_txt(name
[i
], "CN",
8268 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8269 TLS_client_method(),
8272 &sctx
, &cctx
, cert
, privkey
)))
8275 SSL_CTX_set_verify(sctx
, SSL_VERIFY_PEER
, NULL
);
8277 if (tst
== 0 || tst
== 1) {
8278 if (!TEST_ptr(sk1
= sk_X509_NAME_new_null())
8279 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[0])))
8280 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[1])))
8281 || !TEST_ptr(sk2
= sk_X509_NAME_new_null())
8282 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[0])))
8283 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[1]))))
8286 SSL_CTX_set0_CA_list(sctx
, sk1
);
8287 SSL_CTX_set0_CA_list(cctx
, sk2
);
8290 if (tst
== 1 || tst
== 2) {
8291 if (!TEST_ptr(sk1
= sk_X509_NAME_new_null())
8292 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[2])))
8293 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[3])))
8294 || !TEST_ptr(sk2
= sk_X509_NAME_new_null())
8295 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[2])))
8296 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[3]))))
8299 SSL_CTX_set_client_CA_list(sctx
, sk1
);
8300 SSL_CTX_set_client_CA_list(cctx
, sk2
);
8304 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8306 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
8311 * We only expect certificate authorities to have been sent to the server
8312 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8314 sktmp
= SSL_get0_peer_CA_list(serverssl
);
8315 if (prot
== TLS1_3_VERSION
8316 && (tst
== 0 || tst
== 1)) {
8317 if (!TEST_ptr(sktmp
)
8318 || !TEST_int_eq(sk_X509_NAME_num(sktmp
), 2)
8319 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 0),
8321 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 1),
8324 } else if (!TEST_ptr_null(sktmp
)) {
8329 * In all tests we expect certificate authorities to have been sent to the
8330 * client. However, SSL_set_client_CA_list() should override
8331 * SSL_set0_CA_list()
8333 sktmp
= SSL_get0_peer_CA_list(clientssl
);
8334 if (!TEST_ptr(sktmp
)
8335 || !TEST_int_eq(sk_X509_NAME_num(sktmp
), 2)
8336 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 0),
8337 name
[tst
== 0 ? 0 : 2]), 0)
8338 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 1),
8339 name
[tst
== 0 ? 1 : 3]), 0))
8345 SSL_free(serverssl
);
8346 SSL_free(clientssl
);
8349 for (i
= 0; i
< OSSL_NELEM(name
); i
++)
8350 X509_NAME_free(name
[i
]);
8351 sk_X509_NAME_pop_free(sk1
, X509_NAME_free
);
8352 sk_X509_NAME_pop_free(sk2
, X509_NAME_free
);
8358 static int test_ca_names(int tst
)
8362 #ifndef OPENSSL_NO_TLS1_2
8363 testresult
&= test_ca_names_int(TLS1_2_VERSION
, tst
);
8365 #ifndef OSSL_NO_USABLE_TLS1_3
8366 testresult
&= test_ca_names_int(TLS1_3_VERSION
, tst
);
8372 #ifndef OPENSSL_NO_TLS1_2
8373 static const char *multiblock_cipherlist_data
[]=
8381 /* Reduce the fragment size - so the multiblock test buffer can be small */
8382 # define MULTIBLOCK_FRAGSIZE 512
8384 static int test_multiblock_write(int test_index
)
8386 static const char *fetchable_ciphers
[]=
8388 "AES-128-CBC-HMAC-SHA1",
8389 "AES-128-CBC-HMAC-SHA256",
8390 "AES-256-CBC-HMAC-SHA1",
8391 "AES-256-CBC-HMAC-SHA256"
8393 const char *cipherlist
= multiblock_cipherlist_data
[test_index
];
8394 const SSL_METHOD
*smeth
= TLS_server_method();
8395 const SSL_METHOD
*cmeth
= TLS_client_method();
8396 int min_version
= TLS1_VERSION
;
8397 int max_version
= TLS1_2_VERSION
; /* Don't select TLS1_3 */
8398 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8399 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8403 * Choose a buffer large enough to perform a multi-block operation
8404 * i.e: write_len >= 4 * frag_size
8405 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8407 unsigned char msg
[MULTIBLOCK_FRAGSIZE
* 9];
8408 unsigned char buf
[sizeof(msg
)], *p
= buf
;
8409 size_t readbytes
, written
, len
;
8410 EVP_CIPHER
*ciph
= NULL
;
8413 * Check if the cipher exists before attempting to use it since it only has
8414 * a hardware specific implementation.
8416 ciph
= EVP_CIPHER_fetch(NULL
, fetchable_ciphers
[test_index
], "");
8418 TEST_skip("Multiblock cipher is not available for %s", cipherlist
);
8421 EVP_CIPHER_free(ciph
);
8423 /* Set up a buffer with some data that will be sent to the client */
8424 RAND_bytes(msg
, sizeof(msg
));
8426 if (!TEST_true(create_ssl_ctx_pair(libctx
, smeth
, cmeth
, min_version
,
8427 max_version
, &sctx
, &cctx
, cert
,
8431 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx
, MULTIBLOCK_FRAGSIZE
)))
8434 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8438 /* settings to force it to use AES-CBC-HMAC_SHA */
8439 SSL_set_options(serverssl
, SSL_OP_NO_ENCRYPT_THEN_MAC
);
8440 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipherlist
)))
8443 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8446 if (!TEST_true(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
8447 || !TEST_size_t_eq(written
, sizeof(msg
)))
8452 if (!TEST_true(SSL_read_ex(clientssl
, p
, MULTIBLOCK_FRAGSIZE
, &readbytes
)))
8457 if (!TEST_mem_eq(msg
, sizeof(msg
), buf
, sizeof(buf
)))
8462 SSL_free(serverssl
);
8463 SSL_free(clientssl
);
8469 #endif /* OPENSSL_NO_TLS1_2 */
8471 static int test_session_timeout(int test
)
8474 * Test session ordering and timeout
8475 * Can't explicitly test performance of the new code,
8476 * but can test to see if the ordering of the sessions
8477 * are correct, and they they are removed as expected
8479 SSL_SESSION
*early
= NULL
;
8480 SSL_SESSION
*middle
= NULL
;
8481 SSL_SESSION
*late
= NULL
;
8484 long now
= (long)time(NULL
);
8487 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method()))
8488 || !TEST_ptr(early
= SSL_SESSION_new())
8489 || !TEST_ptr(middle
= SSL_SESSION_new())
8490 || !TEST_ptr(late
= SSL_SESSION_new()))
8493 /* assign unique session ids */
8494 early
->session_id_length
= SSL3_SSL_SESSION_ID_LENGTH
;
8495 memset(early
->session_id
, 1, SSL3_SSL_SESSION_ID_LENGTH
);
8496 middle
->session_id_length
= SSL3_SSL_SESSION_ID_LENGTH
;
8497 memset(middle
->session_id
, 2, SSL3_SSL_SESSION_ID_LENGTH
);
8498 late
->session_id_length
= SSL3_SSL_SESSION_ID_LENGTH
;
8499 memset(late
->session_id
, 3, SSL3_SSL_SESSION_ID_LENGTH
);
8501 if (!TEST_int_eq(SSL_CTX_add_session(ctx
, early
), 1)
8502 || !TEST_int_eq(SSL_CTX_add_session(ctx
, middle
), 1)
8503 || !TEST_int_eq(SSL_CTX_add_session(ctx
, late
), 1))
8506 /* Make sure they are all added */
8507 if (!TEST_ptr(early
->prev
)
8508 || !TEST_ptr(middle
->prev
)
8509 || !TEST_ptr(late
->prev
))
8512 if (!TEST_int_ne(SSL_SESSION_set_time(early
, now
- 10), 0)
8513 || !TEST_int_ne(SSL_SESSION_set_time(middle
, now
), 0)
8514 || !TEST_int_ne(SSL_SESSION_set_time(late
, now
+ 10), 0))
8517 if (!TEST_int_ne(SSL_SESSION_set_timeout(early
, TIMEOUT
), 0)
8518 || !TEST_int_ne(SSL_SESSION_set_timeout(middle
, TIMEOUT
), 0)
8519 || !TEST_int_ne(SSL_SESSION_set_timeout(late
, TIMEOUT
), 0))
8522 /* Make sure they are all still there */
8523 if (!TEST_ptr(early
->prev
)
8524 || !TEST_ptr(middle
->prev
)
8525 || !TEST_ptr(late
->prev
))
8528 /* Make sure they are in the expected order */
8529 if (!TEST_ptr_eq(late
->next
, middle
)
8530 || !TEST_ptr_eq(middle
->next
, early
)
8531 || !TEST_ptr_eq(early
->prev
, middle
)
8532 || !TEST_ptr_eq(middle
->prev
, late
))
8535 /* This should remove "early" */
8536 SSL_CTX_flush_sessions(ctx
, now
+ TIMEOUT
- 1);
8537 if (!TEST_ptr_null(early
->prev
)
8538 || !TEST_ptr(middle
->prev
)
8539 || !TEST_ptr(late
->prev
))
8542 /* This should remove "middle" */
8543 SSL_CTX_flush_sessions(ctx
, now
+ TIMEOUT
+ 1);
8544 if (!TEST_ptr_null(early
->prev
)
8545 || !TEST_ptr_null(middle
->prev
)
8546 || !TEST_ptr(late
->prev
))
8549 /* This should remove "late" */
8550 SSL_CTX_flush_sessions(ctx
, now
+ TIMEOUT
+ 11);
8551 if (!TEST_ptr_null(early
->prev
)
8552 || !TEST_ptr_null(middle
->prev
)
8553 || !TEST_ptr_null(late
->prev
))
8556 /* Add them back in again */
8557 if (!TEST_int_eq(SSL_CTX_add_session(ctx
, early
), 1)
8558 || !TEST_int_eq(SSL_CTX_add_session(ctx
, middle
), 1)
8559 || !TEST_int_eq(SSL_CTX_add_session(ctx
, late
), 1))
8562 /* Make sure they are all added */
8563 if (!TEST_ptr(early
->prev
)
8564 || !TEST_ptr(middle
->prev
)
8565 || !TEST_ptr(late
->prev
))
8568 /* This should remove all of them */
8569 SSL_CTX_flush_sessions(ctx
, 0);
8570 if (!TEST_ptr_null(early
->prev
)
8571 || !TEST_ptr_null(middle
->prev
)
8572 || !TEST_ptr_null(late
->prev
))
8575 (void)SSL_CTX_set_session_cache_mode(ctx
, SSL_SESS_CACHE_UPDATE_TIME
8576 | SSL_CTX_get_session_cache_mode(ctx
));
8578 /* make sure |now| is NOT equal to the current time */
8580 if (!TEST_int_ne(SSL_SESSION_set_time(early
, now
), 0)
8581 || !TEST_int_eq(SSL_CTX_add_session(ctx
, early
), 1)
8582 || !TEST_long_ne(SSL_SESSION_get_time(early
), now
))
8588 SSL_SESSION_free(early
);
8589 SSL_SESSION_free(middle
);
8590 SSL_SESSION_free(late
);
8595 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8596 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8597 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8598 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8599 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8600 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8601 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8602 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8603 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8604 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8606 static int test_servername(int tst
)
8608 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8609 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8611 SSL_SESSION
*sess
= NULL
;
8612 const char *sexpectedhost
= NULL
, *cexpectedhost
= NULL
;
8614 #ifdef OPENSSL_NO_TLS1_2
8618 #ifdef OSSL_NO_USABLE_TLS1_3
8623 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8624 TLS_client_method(),
8626 (tst
<= 4) ? TLS1_2_VERSION
8628 &sctx
, &cctx
, cert
, privkey
))
8629 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8633 if (tst
!= 1 && tst
!= 6) {
8634 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
,
8639 if (tst
!= 3 && tst
!= 8) {
8640 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost")))
8642 sexpectedhost
= cexpectedhost
= "goodhost";
8645 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8648 if (!TEST_str_eq(SSL_get_servername(clientssl
, TLSEXT_NAMETYPE_host_name
),
8650 || !TEST_str_eq(SSL_get_servername(serverssl
,
8651 TLSEXT_NAMETYPE_host_name
),
8655 /* Now repeat with a resumption handshake */
8657 if (!TEST_int_eq(SSL_shutdown(clientssl
), 0)
8658 || !TEST_ptr_ne(sess
= SSL_get1_session(clientssl
), NULL
)
8659 || !TEST_true(SSL_SESSION_is_resumable(sess
))
8660 || !TEST_int_eq(SSL_shutdown(serverssl
), 0))
8663 SSL_free(clientssl
);
8664 SSL_free(serverssl
);
8665 clientssl
= serverssl
= NULL
;
8667 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
8671 if (!TEST_true(SSL_set_session(clientssl
, sess
)))
8674 sexpectedhost
= cexpectedhost
= "goodhost";
8675 if (tst
== 2 || tst
== 7) {
8676 /* Set an inconsistent hostname */
8677 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "altgoodhost")))
8680 * In TLSv1.2 we expect the hostname from the original handshake, in
8681 * TLSv1.3 we expect the hostname from this handshake
8684 sexpectedhost
= cexpectedhost
= "altgoodhost";
8686 if (!TEST_str_eq(SSL_get_servername(clientssl
,
8687 TLSEXT_NAMETYPE_host_name
),
8690 } else if (tst
== 4 || tst
== 9) {
8692 * A TLSv1.3 session does not associate a session with a servername,
8693 * but a TLSv1.2 session does.
8696 sexpectedhost
= cexpectedhost
= NULL
;
8698 if (!TEST_str_eq(SSL_get_servername(clientssl
,
8699 TLSEXT_NAMETYPE_host_name
),
8703 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost")))
8706 * In a TLSv1.2 resumption where the hostname was not acknowledged
8707 * we expect the hostname on the server to be empty. On the client we
8708 * return what was requested in this case.
8710 * Similarly if the client didn't set a hostname on an original TLSv1.2
8711 * session but is now, the server hostname will be empty, but the client
8714 if (tst
== 1 || tst
== 3)
8715 sexpectedhost
= NULL
;
8717 if (!TEST_str_eq(SSL_get_servername(clientssl
,
8718 TLSEXT_NAMETYPE_host_name
),
8723 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8726 if (!TEST_true(SSL_session_reused(clientssl
))
8727 || !TEST_true(SSL_session_reused(serverssl
))
8728 || !TEST_str_eq(SSL_get_servername(clientssl
,
8729 TLSEXT_NAMETYPE_host_name
),
8731 || !TEST_str_eq(SSL_get_servername(serverssl
,
8732 TLSEXT_NAMETYPE_host_name
),
8739 SSL_SESSION_free(sess
);
8740 SSL_free(serverssl
);
8741 SSL_free(clientssl
);
8748 #if !defined(OPENSSL_NO_EC) \
8749 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8751 * Test that if signature algorithms are not available, then we do not offer or
8753 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8754 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8755 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8756 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8757 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8758 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8760 static int test_sigalgs_available(int idx
)
8762 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8763 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8765 OSSL_LIB_CTX
*tmpctx
= OSSL_LIB_CTX_new();
8766 OSSL_LIB_CTX
*clientctx
= libctx
, *serverctx
= libctx
;
8767 OSSL_PROVIDER
*filterprov
= NULL
;
8770 if (!TEST_ptr(tmpctx
))
8773 if (idx
!= 0 && idx
!= 3) {
8774 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx
, "filter",
8775 filter_provider_init
)))
8778 filterprov
= OSSL_PROVIDER_load(tmpctx
, "filter");
8779 if (!TEST_ptr(filterprov
))
8784 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8785 * or accepted for the peer that uses this libctx. Note that libssl
8786 * *requires* SHA2-256 to be available so we cannot disable that. We
8787 * also need SHA1 for our certificate.
8789 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST
,
8793 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE
,
8795 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT
,
8800 if (idx
== 1 || idx
== 4)
8806 cctx
= SSL_CTX_new_ex(clientctx
, NULL
, TLS_client_method());
8807 sctx
= SSL_CTX_new_ex(serverctx
, NULL
, TLS_server_method());
8808 if (!TEST_ptr(cctx
) || !TEST_ptr(sctx
))
8812 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8813 TLS_client_method(),
8816 &sctx
, &cctx
, cert
, privkey
)))
8819 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8820 TLS_client_method(),
8823 &sctx
, &cctx
, cert2
, privkey2
)))
8827 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8829 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
8830 "ECDHE-RSA-AES128-GCM-SHA256")))
8833 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
8834 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8839 if (!SSL_CTX_set1_sigalgs_list(cctx
,
8840 "rsa_pss_rsae_sha384"
8841 ":rsa_pss_rsae_sha256")
8842 || !SSL_CTX_set1_sigalgs_list(sctx
,
8843 "rsa_pss_rsae_sha384"
8844 ":rsa_pss_rsae_sha256"))
8847 if (!SSL_CTX_set1_sigalgs_list(cctx
, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8848 || !SSL_CTX_set1_sigalgs_list(sctx
,
8849 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8854 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx
, cert2
,
8855 SSL_FILETYPE_PEM
), 1)
8856 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx
,
8858 SSL_FILETYPE_PEM
), 1)
8859 || !TEST_int_eq(SSL_CTX_check_private_key(sctx
), 1)))
8862 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8866 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8869 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8870 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl
, 0, &sig
, &hash
, NULL
,
8872 (idx
== 0 || idx
== 3) ? 2 : 1))
8875 if (!TEST_int_eq(hash
, idx
== 0 ? NID_sha384
: NID_sha256
))
8878 if (!TEST_int_eq(sig
, (idx
== 4 || idx
== 5) ? EVP_PKEY_EC
8882 testresult
= filter_provider_check_clean_finish();
8885 SSL_free(serverssl
);
8886 SSL_free(clientssl
);
8889 OSSL_PROVIDER_unload(filterprov
);
8890 OSSL_LIB_CTX_free(tmpctx
);
8895 * !defined(OPENSSL_NO_EC) \
8896 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8899 #ifndef OPENSSL_NO_TLS1_3
8900 /* This test can run in TLSv1.3 even if ec and dh are disabled */
8901 static int test_pluggable_group(int idx
)
8903 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8904 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8906 OSSL_PROVIDER
*tlsprov
= OSSL_PROVIDER_load(libctx
, "tls-provider");
8907 /* Check that we are not impacted by a provider without any groups */
8908 OSSL_PROVIDER
*legacyprov
= OSSL_PROVIDER_load(libctx
, "legacy");
8909 const char *group_name
= idx
== 0 ? "xorgroup" : "xorkemgroup";
8911 if (!TEST_ptr(tlsprov
))
8914 if (legacyprov
== NULL
) {
8916 * In this case we assume we've been built with "no-legacy" and skip
8917 * this test (there is no OPENSSL_NO_LEGACY)
8923 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8924 TLS_client_method(),
8927 &sctx
, &cctx
, cert
, privkey
))
8928 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8932 if (!TEST_true(SSL_set1_groups_list(serverssl
, group_name
))
8933 || !TEST_true(SSL_set1_groups_list(clientssl
, group_name
)))
8936 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8939 if (!TEST_str_eq(group_name
,
8940 SSL_group_to_name(serverssl
, SSL_get_shared_group(serverssl
, 0))))
8946 SSL_free(serverssl
);
8947 SSL_free(clientssl
);
8950 OSSL_PROVIDER_unload(tlsprov
);
8951 OSSL_PROVIDER_unload(legacyprov
);
8957 #ifndef OPENSSL_NO_TLS1_2
8958 static int test_ssl_dup(void)
8960 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8961 SSL
*clientssl
= NULL
, *serverssl
= NULL
, *client2ssl
= NULL
;
8963 BIO
*rbio
= NULL
, *wbio
= NULL
;
8965 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8966 TLS_client_method(),
8969 &sctx
, &cctx
, cert
, privkey
)))
8972 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8976 if (!TEST_true(SSL_set_min_proto_version(clientssl
, TLS1_2_VERSION
))
8977 || !TEST_true(SSL_set_max_proto_version(clientssl
, TLS1_2_VERSION
)))
8980 client2ssl
= SSL_dup(clientssl
);
8981 rbio
= SSL_get_rbio(clientssl
);
8983 || !TEST_true(BIO_up_ref(rbio
)))
8985 SSL_set0_rbio(client2ssl
, rbio
);
8988 wbio
= SSL_get_wbio(clientssl
);
8989 if (!TEST_ptr(wbio
) || !TEST_true(BIO_up_ref(wbio
)))
8991 SSL_set0_wbio(client2ssl
, wbio
);
8994 if (!TEST_ptr(client2ssl
)
8995 /* Handshake not started so pointers should be different */
8996 || !TEST_ptr_ne(clientssl
, client2ssl
))
8999 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl
), TLS1_2_VERSION
)
9000 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl
), TLS1_2_VERSION
))
9003 if (!TEST_true(create_ssl_connection(serverssl
, client2ssl
, SSL_ERROR_NONE
)))
9006 SSL_free(clientssl
);
9007 clientssl
= SSL_dup(client2ssl
);
9008 if (!TEST_ptr(clientssl
)
9009 /* Handshake has finished so pointers should be the same */
9010 || !TEST_ptr_eq(clientssl
, client2ssl
))
9016 SSL_free(serverssl
);
9017 SSL_free(clientssl
);
9018 SSL_free(client2ssl
);
9025 # ifndef OPENSSL_NO_DH
9027 static EVP_PKEY
*tmp_dh_params
= NULL
;
9029 /* Helper function for the test_set_tmp_dh() tests */
9030 static EVP_PKEY
*get_tmp_dh_params(void)
9032 if (tmp_dh_params
== NULL
) {
9034 OSSL_PARAM_BLD
*tmpl
= NULL
;
9035 EVP_PKEY_CTX
*pctx
= NULL
;
9036 OSSL_PARAM
*params
= NULL
;
9037 EVP_PKEY
*dhpkey
= NULL
;
9039 p
= BN_get_rfc3526_prime_2048(NULL
);
9043 pctx
= EVP_PKEY_CTX_new_from_name(libctx
, "DH", NULL
);
9045 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx
), 1))
9048 tmpl
= OSSL_PARAM_BLD_new();
9050 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl
,
9051 OSSL_PKEY_PARAM_FFC_P
,
9053 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl
,
9054 OSSL_PKEY_PARAM_FFC_G
,
9058 params
= OSSL_PARAM_BLD_to_param(tmpl
);
9059 if (!TEST_ptr(params
)
9060 || !TEST_int_eq(EVP_PKEY_fromdata(pctx
, &dhpkey
,
9061 EVP_PKEY_KEY_PARAMETERS
,
9065 tmp_dh_params
= dhpkey
;
9068 EVP_PKEY_CTX_free(pctx
);
9069 OSSL_PARAM_BLD_free(tmpl
);
9070 OSSL_PARAM_free(params
);
9073 if (tmp_dh_params
!= NULL
&& !EVP_PKEY_up_ref(tmp_dh_params
))
9076 return tmp_dh_params
;
9079 # ifndef OPENSSL_NO_DEPRECATED_3_0
9080 /* Callback used by test_set_tmp_dh() */
9081 static DH
*tmp_dh_callback(SSL
*s
, int is_export
, int keylen
)
9083 EVP_PKEY
*dhpkey
= get_tmp_dh_params();
9086 if (!TEST_ptr(dhpkey
))
9090 * libssl does not free the returned DH, so we free it now knowing that even
9091 * after we free dhpkey, there will still be a reference to the owning
9092 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9093 * of time we need it for.
9095 ret
= EVP_PKEY_get1_DH(dhpkey
);
9098 EVP_PKEY_free(dhpkey
);
9105 * Test the various methods for setting temporary DH parameters
9107 * Test 0: Default (no auto) setting
9108 * Test 1: Explicit SSL_CTX auto off
9109 * Test 2: Explicit SSL auto off
9110 * Test 3: Explicit SSL_CTX auto on
9111 * Test 4: Explicit SSL auto on
9112 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9113 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9115 * The following are testing deprecated APIs, so we only run them if available
9116 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9117 * Test 8: Explicit SSL auto off, custom DH params via DH
9118 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9119 * Test 10: Explicit SSL auto off, custom DH params via callback
9121 static int test_set_tmp_dh(int idx
)
9123 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9124 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9126 int dhauto
= (idx
== 3 || idx
== 4) ? 1 : 0;
9127 int expected
= (idx
<= 2) ? 0 : 1;
9128 EVP_PKEY
*dhpkey
= NULL
;
9129 # ifndef OPENSSL_NO_DEPRECATED_3_0
9137 if (idx
>= 5 && idx
<= 8) {
9138 dhpkey
= get_tmp_dh_params();
9139 if (!TEST_ptr(dhpkey
))
9142 # ifndef OPENSSL_NO_DEPRECATED_3_0
9143 if (idx
== 7 || idx
== 8) {
9144 dh
= EVP_PKEY_get1_DH(dhpkey
);
9150 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9151 TLS_client_method(),
9154 &sctx
, &cctx
, cert
, privkey
)))
9157 if ((idx
& 1) == 1) {
9158 if (!TEST_true(SSL_CTX_set_dh_auto(sctx
, dhauto
)))
9163 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx
, dhpkey
)))
9167 # ifndef OPENSSL_NO_DEPRECATED_3_0
9168 else if (idx
== 7) {
9169 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx
, dh
)))
9171 } else if (idx
== 9) {
9172 SSL_CTX_set_tmp_dh_callback(sctx
, tmp_dh_callback
);
9176 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9180 if ((idx
& 1) == 0 && idx
!= 0) {
9181 if (!TEST_true(SSL_set_dh_auto(serverssl
, dhauto
)))
9185 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl
, dhpkey
)))
9189 # ifndef OPENSSL_NO_DEPRECATED_3_0
9190 else if (idx
== 8) {
9191 if (!TEST_true(SSL_set_tmp_dh(serverssl
, dh
)))
9193 } else if (idx
== 10) {
9194 SSL_set_tmp_dh_callback(serverssl
, tmp_dh_callback
);
9198 if (!TEST_true(SSL_set_min_proto_version(serverssl
, TLS1_2_VERSION
))
9199 || !TEST_true(SSL_set_max_proto_version(serverssl
, TLS1_2_VERSION
))
9200 || !TEST_true(SSL_set_cipher_list(serverssl
, "DHE-RSA-AES128-SHA")))
9204 * If autoon then we should succeed. Otherwise we expect failure because
9205 * there are no parameters
9207 if (!TEST_int_eq(create_ssl_connection(serverssl
, clientssl
,
9208 SSL_ERROR_NONE
), expected
))
9214 # ifndef OPENSSL_NO_DEPRECATED_3_0
9217 SSL_free(serverssl
);
9218 SSL_free(clientssl
);
9221 EVP_PKEY_free(dhpkey
);
9227 * Test the auto DH keys are appropriately sized
9229 static int test_dh_auto(int idx
)
9231 SSL_CTX
*cctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_client_method());
9232 SSL_CTX
*sctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9233 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9235 EVP_PKEY
*tmpkey
= NULL
;
9236 char *thiscert
= NULL
, *thiskey
= NULL
;
9237 size_t expdhsize
= 0;
9238 const char *ciphersuite
= "DHE-RSA-AES128-SHA";
9240 if (!TEST_ptr(sctx
) || !TEST_ptr(cctx
))
9245 /* The FIPS provider doesn't support this DH size - so we ignore it */
9250 thiscert
= cert1024
;
9251 thiskey
= privkey1024
;
9253 SSL_CTX_set_security_level(sctx
, 1);
9254 SSL_CTX_set_security_level(cctx
, 1);
9257 /* 2048 bit prime */
9263 thiscert
= cert3072
;
9264 thiskey
= privkey3072
;
9268 thiscert
= cert4096
;
9269 thiskey
= privkey4096
;
9273 thiscert
= cert8192
;
9274 thiskey
= privkey8192
;
9277 /* No certificate cases */
9279 /* The FIPS provider doesn't support this DH size - so we ignore it */
9284 ciphersuite
= "ADH-AES128-SHA256:@SECLEVEL=0";
9288 ciphersuite
= "ADH-AES256-SHA256:@SECLEVEL=0";
9292 TEST_error("Invalid text index");
9296 if (!TEST_true(create_ssl_ctx_pair(libctx
, NULL
,
9300 &sctx
, &cctx
, thiscert
, thiskey
)))
9303 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9307 if (!TEST_true(SSL_set_dh_auto(serverssl
, 1))
9308 || !TEST_true(SSL_set_min_proto_version(serverssl
, TLS1_2_VERSION
))
9309 || !TEST_true(SSL_set_max_proto_version(serverssl
, TLS1_2_VERSION
))
9310 || !TEST_true(SSL_set_cipher_list(serverssl
, ciphersuite
))
9311 || !TEST_true(SSL_set_cipher_list(clientssl
, ciphersuite
)))
9315 * Send the server's first flight. At this point the server has created the
9316 * temporary DH key but hasn't finished using it yet. Once used it is
9317 * removed, so we cannot test it.
9319 if (!TEST_int_le(SSL_connect(clientssl
), 0)
9320 || !TEST_int_le(SSL_accept(serverssl
), 0))
9323 if (!TEST_int_gt(SSL_get_tmp_key(serverssl
, &tmpkey
), 0))
9325 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey
), expdhsize
))
9328 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9334 SSL_free(serverssl
);
9335 SSL_free(clientssl
);
9338 EVP_PKEY_free(tmpkey
);
9343 # endif /* OPENSSL_NO_DH */
9344 #endif /* OPENSSL_NO_TLS1_2 */
9346 #ifndef OSSL_NO_USABLE_TLS1_3
9348 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9349 * that it works even without a certificate configured for the original
9352 static int test_sni_tls13(void)
9354 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
9355 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9358 /* Reset callback counter */
9361 /* Create an initial SSL_CTX with no certificate configured */
9362 sctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9363 if (!TEST_ptr(sctx
))
9365 /* Require TLSv1.3 as a minimum */
9366 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9367 TLS_client_method(), TLS1_3_VERSION
, 0,
9368 &sctx2
, &cctx
, cert
, privkey
)))
9372 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
, sni_cb
))
9373 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx
, sctx2
)))
9377 * Connection should still succeed because the final SSL_CTX has the right
9378 * certificates configured.
9380 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
9381 &clientssl
, NULL
, NULL
))
9382 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
9386 /* We should have had the SNI callback called exactly once */
9387 if (!TEST_int_eq(snicb
, 1))
9393 SSL_free(serverssl
);
9394 SSL_free(clientssl
);
9395 SSL_CTX_free(sctx2
);
9402 * Test that setting an ALPN does not violate RFC
9404 static int test_set_alpn(void)
9406 SSL_CTX
*ctx
= NULL
;
9410 unsigned char bad0
[] = { 0x00, 'b', 'a', 'd' };
9411 unsigned char good
[] = { 0x04, 'g', 'o', 'o', 'd' };
9412 unsigned char bad1
[] = { 0x01, 'b', 'a', 'd' };
9413 unsigned char bad2
[] = { 0x03, 'b', 'a', 'd', 0x00};
9414 unsigned char bad3
[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9415 unsigned char bad4
[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9417 /* Create an initial SSL_CTX with no certificate configured */
9418 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9422 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9423 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx
, NULL
, 2)))
9425 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx
, good
, 0)))
9427 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx
, good
, sizeof(good
))))
9429 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, good
, 1)))
9431 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad0
, sizeof(bad0
))))
9433 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad1
, sizeof(bad1
))))
9435 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad2
, sizeof(bad2
))))
9437 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad3
, sizeof(bad3
))))
9439 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad4
, sizeof(bad4
))))
9446 if (!TEST_false(SSL_set_alpn_protos(ssl
, NULL
, 2)))
9448 if (!TEST_false(SSL_set_alpn_protos(ssl
, good
, 0)))
9450 if (!TEST_false(SSL_set_alpn_protos(ssl
, good
, sizeof(good
))))
9452 if (!TEST_true(SSL_set_alpn_protos(ssl
, good
, 1)))
9454 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad0
, sizeof(bad0
))))
9456 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad1
, sizeof(bad1
))))
9458 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad2
, sizeof(bad2
))))
9460 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad3
, sizeof(bad3
))))
9462 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad4
, sizeof(bad4
))))
9473 static int test_inherit_verify_param(void)
9477 SSL_CTX
*ctx
= NULL
;
9478 X509_VERIFY_PARAM
*cp
= NULL
;
9480 X509_VERIFY_PARAM
*sp
= NULL
;
9481 int hostflags
= X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
;
9483 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9487 cp
= SSL_CTX_get0_param(ctx
);
9490 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp
), 0))
9493 X509_VERIFY_PARAM_set_hostflags(cp
, hostflags
);
9499 sp
= SSL_get0_param(ssl
);
9502 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp
), hostflags
))
9514 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
9516 int setup_tests(void)
9521 libctx
= OSSL_LIB_CTX_new();
9522 if (!TEST_ptr(libctx
))
9525 defctxnull
= OSSL_PROVIDER_load(NULL
, "null");
9528 * Verify that the default and fips providers in the default libctx are not
9531 if (!TEST_false(OSSL_PROVIDER_available(NULL
, "default"))
9532 || !TEST_false(OSSL_PROVIDER_available(NULL
, "fips")))
9535 if (!test_skip_common_options()) {
9536 TEST_error("Error parsing test options\n");
9540 if (!TEST_ptr(certsdir
= test_get_argument(0))
9541 || !TEST_ptr(srpvfile
= test_get_argument(1))
9542 || !TEST_ptr(tmpfilename
= test_get_argument(2))
9543 || !TEST_ptr(modulename
= test_get_argument(3))
9544 || !TEST_ptr(configfile
= test_get_argument(4)))
9547 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx
, configfile
)))
9550 /* Check we have the expected provider available */
9551 if (!TEST_true(OSSL_PROVIDER_available(libctx
, modulename
)))
9554 /* Check the default provider is not available */
9555 if (strcmp(modulename
, "default") != 0
9556 && !TEST_false(OSSL_PROVIDER_available(libctx
, "default")))
9559 if (strcmp(modulename
, "fips") == 0)
9563 * We add, but don't load the test "tls-provider". We'll load it when we
9566 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx
, "tls-provider",
9567 tls_provider_init
)))
9571 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL
) {
9572 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
9573 TEST_error("not supported in this build");
9576 int i
, mcount
, rcount
, fcount
;
9578 for (i
= 0; i
< 4; i
++)
9579 test_export_key_mat(i
);
9580 CRYPTO_get_alloc_counts(&mcount
, &rcount
, &fcount
);
9581 test_printf_stdout("malloc %d realloc %d free %d\n",
9582 mcount
, rcount
, fcount
);
9587 cert
= test_mk_file_path(certsdir
, "servercert.pem");
9591 privkey
= test_mk_file_path(certsdir
, "serverkey.pem");
9592 if (privkey
== NULL
)
9595 cert2
= test_mk_file_path(certsdir
, "server-ecdsa-cert.pem");
9599 privkey2
= test_mk_file_path(certsdir
, "server-ecdsa-key.pem");
9600 if (privkey2
== NULL
)
9603 cert1024
= test_mk_file_path(certsdir
, "ee-cert-1024.pem");
9604 if (cert1024
== NULL
)
9607 privkey1024
= test_mk_file_path(certsdir
, "ee-key-1024.pem");
9608 if (privkey1024
== NULL
)
9611 cert3072
= test_mk_file_path(certsdir
, "ee-cert-3072.pem");
9612 if (cert3072
== NULL
)
9615 privkey3072
= test_mk_file_path(certsdir
, "ee-key-3072.pem");
9616 if (privkey3072
== NULL
)
9619 cert4096
= test_mk_file_path(certsdir
, "ee-cert-4096.pem");
9620 if (cert4096
== NULL
)
9623 privkey4096
= test_mk_file_path(certsdir
, "ee-key-4096.pem");
9624 if (privkey4096
== NULL
)
9627 cert8192
= test_mk_file_path(certsdir
, "ee-cert-8192.pem");
9628 if (cert8192
== NULL
)
9631 privkey8192
= test_mk_file_path(certsdir
, "ee-key-8192.pem");
9632 if (privkey8192
== NULL
)
9635 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
9636 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9637 ADD_ALL_TESTS(test_ktls
, NUM_KTLS_TEST_CIPHERS
* 4);
9638 ADD_ALL_TESTS(test_ktls_sendfile
, NUM_KTLS_TEST_CIPHERS
);
9641 ADD_TEST(test_large_message_tls
);
9642 ADD_TEST(test_large_message_tls_read_ahead
);
9643 #ifndef OPENSSL_NO_DTLS
9644 ADD_TEST(test_large_message_dtls
);
9646 ADD_TEST(test_cleanse_plaintext
);
9647 #ifndef OPENSSL_NO_OCSP
9648 ADD_TEST(test_tlsext_status_type
);
9650 ADD_TEST(test_session_with_only_int_cache
);
9651 ADD_TEST(test_session_with_only_ext_cache
);
9652 ADD_TEST(test_session_with_both_cache
);
9653 ADD_TEST(test_session_wo_ca_names
);
9654 #ifndef OSSL_NO_USABLE_TLS1_3
9655 ADD_ALL_TESTS(test_stateful_tickets
, 3);
9656 ADD_ALL_TESTS(test_stateless_tickets
, 3);
9657 ADD_TEST(test_psk_tickets
);
9658 ADD_ALL_TESTS(test_extra_tickets
, 6);
9660 ADD_ALL_TESTS(test_ssl_set_bio
, TOTAL_SSL_SET_BIO_TESTS
);
9661 ADD_TEST(test_ssl_bio_pop_next_bio
);
9662 ADD_TEST(test_ssl_bio_pop_ssl_bio
);
9663 ADD_TEST(test_ssl_bio_change_rbio
);
9664 ADD_TEST(test_ssl_bio_change_wbio
);
9665 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
9666 ADD_ALL_TESTS(test_set_sigalgs
, OSSL_NELEM(testsigalgs
) * 2);
9667 ADD_TEST(test_keylog
);
9669 #ifndef OSSL_NO_USABLE_TLS1_3
9670 ADD_TEST(test_keylog_no_master_key
);
9672 ADD_TEST(test_client_cert_verify_cb
);
9673 ADD_TEST(test_ssl_build_cert_chain
);
9674 ADD_TEST(test_ssl_ctx_build_cert_chain
);
9675 #ifndef OPENSSL_NO_TLS1_2
9676 ADD_TEST(test_client_hello_cb
);
9677 ADD_TEST(test_no_ems
);
9678 ADD_TEST(test_ccs_change_cipher
);
9680 #ifndef OSSL_NO_USABLE_TLS1_3
9681 ADD_ALL_TESTS(test_early_data_read_write
, 3);
9683 * We don't do replay tests for external PSK. Replay protection isn't used
9686 ADD_ALL_TESTS(test_early_data_replay
, 2);
9687 ADD_ALL_TESTS(test_early_data_skip
, 3);
9688 ADD_ALL_TESTS(test_early_data_skip_hrr
, 3);
9689 ADD_ALL_TESTS(test_early_data_skip_hrr_fail
, 3);
9690 ADD_ALL_TESTS(test_early_data_skip_abort
, 3);
9691 ADD_ALL_TESTS(test_early_data_not_sent
, 3);
9692 ADD_ALL_TESTS(test_early_data_psk
, 8);
9693 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers
, 5);
9694 ADD_ALL_TESTS(test_early_data_not_expected
, 3);
9695 # ifndef OPENSSL_NO_TLS1_2
9696 ADD_ALL_TESTS(test_early_data_tls1_2
, 3);
9699 #ifndef OSSL_NO_USABLE_TLS1_3
9700 ADD_ALL_TESTS(test_set_ciphersuite
, 10);
9701 ADD_TEST(test_ciphersuite_change
);
9702 ADD_ALL_TESTS(test_tls13_ciphersuite
, 4);
9703 # ifdef OPENSSL_NO_PSK
9704 ADD_ALL_TESTS(test_tls13_psk
, 1);
9706 ADD_ALL_TESTS(test_tls13_psk
, 4);
9707 # endif /* OPENSSL_NO_PSK */
9708 # ifndef OPENSSL_NO_TLS1_2
9709 /* Test with both TLSv1.3 and 1.2 versions */
9710 ADD_ALL_TESTS(test_key_exchange
, 14);
9711 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9712 ADD_ALL_TESTS(test_negotiated_group
,
9713 4 * (OSSL_NELEM(ecdhe_kexch_groups
)
9714 + OSSL_NELEM(ffdhe_kexch_groups
)));
9717 /* Test with only TLSv1.3 versions */
9718 ADD_ALL_TESTS(test_key_exchange
, 12);
9720 ADD_ALL_TESTS(test_custom_exts
, 6);
9721 ADD_TEST(test_stateless
);
9722 ADD_TEST(test_pha_key_update
);
9724 ADD_ALL_TESTS(test_custom_exts
, 3);
9726 ADD_ALL_TESTS(test_serverinfo
, 8);
9727 ADD_ALL_TESTS(test_export_key_mat
, 6);
9728 #ifndef OSSL_NO_USABLE_TLS1_3
9729 ADD_ALL_TESTS(test_export_key_mat_early
, 3);
9730 ADD_TEST(test_key_update
);
9731 ADD_ALL_TESTS(test_key_update_peer_in_write
, 2);
9732 ADD_ALL_TESTS(test_key_update_peer_in_read
, 2);
9733 ADD_ALL_TESTS(test_key_update_local_in_write
, 2);
9734 ADD_ALL_TESTS(test_key_update_local_in_read
, 2);
9736 ADD_ALL_TESTS(test_ssl_clear
, 2);
9737 ADD_ALL_TESTS(test_max_fragment_len_ext
, OSSL_NELEM(max_fragment_len_test
));
9738 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9739 ADD_ALL_TESTS(test_srp
, 6);
9741 ADD_ALL_TESTS(test_info_callback
, 6);
9742 ADD_ALL_TESTS(test_ssl_pending
, 2);
9743 ADD_ALL_TESTS(test_ssl_get_shared_ciphers
, OSSL_NELEM(shared_ciphers_data
));
9744 ADD_ALL_TESTS(test_ticket_callbacks
, 16);
9745 ADD_ALL_TESTS(test_shutdown
, 7);
9746 ADD_ALL_TESTS(test_incorrect_shutdown
, 2);
9747 ADD_ALL_TESTS(test_cert_cb
, 6);
9748 ADD_ALL_TESTS(test_client_cert_cb
, 2);
9749 ADD_ALL_TESTS(test_ca_names
, 3);
9750 #ifndef OPENSSL_NO_TLS1_2
9751 ADD_ALL_TESTS(test_multiblock_write
, OSSL_NELEM(multiblock_cipherlist_data
));
9753 ADD_ALL_TESTS(test_servername
, 10);
9754 #if !defined(OPENSSL_NO_EC) \
9755 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9756 ADD_ALL_TESTS(test_sigalgs_available
, 6);
9758 #ifndef OPENSSL_NO_TLS1_3
9759 ADD_ALL_TESTS(test_pluggable_group
, 2);
9761 #ifndef OPENSSL_NO_TLS1_2
9762 ADD_TEST(test_ssl_dup
);
9763 # ifndef OPENSSL_NO_DH
9764 ADD_ALL_TESTS(test_set_tmp_dh
, 11);
9765 ADD_ALL_TESTS(test_dh_auto
, 7);
9768 #ifndef OSSL_NO_USABLE_TLS1_3
9769 ADD_TEST(test_sni_tls13
);
9771 ADD_TEST(test_inherit_verify_param
);
9772 ADD_TEST(test_set_alpn
);
9773 ADD_ALL_TESTS(test_session_timeout
, 1);
9778 OPENSSL_free(privkey
);
9779 OPENSSL_free(cert2
);
9780 OPENSSL_free(privkey2
);
9784 void cleanup_tests(void)
9786 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
9787 EVP_PKEY_free(tmp_dh_params
);
9790 OPENSSL_free(privkey
);
9791 OPENSSL_free(cert2
);
9792 OPENSSL_free(privkey2
);
9793 OPENSSL_free(cert1024
);
9794 OPENSSL_free(privkey1024
);
9795 OPENSSL_free(cert3072
);
9796 OPENSSL_free(privkey3072
);
9797 OPENSSL_free(cert4096
);
9798 OPENSSL_free(privkey4096
);
9799 OPENSSL_free(cert8192
);
9800 OPENSSL_free(privkey8192
);
9801 bio_s_mempacket_test_free();
9802 bio_s_always_retry_free();
9803 OSSL_PROVIDER_unload(defctxnull
);
9804 OSSL_LIB_CTX_free(libctx
);