2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
35 #include "helpers/ssltestlib.h"
37 #include "testutil/output.h"
38 #include "internal/nelem.h"
39 #include "internal/ktls.h"
40 #include "../ssl/ssl_local.h"
42 /* Defined in filterprov.c */
43 OSSL_provider_init_fn filter_provider_init
;
44 int filter_provider_set_filter(int operation
, const char *name
);
46 /* Defined in tls-provider.c */
47 int tls_provider_init(const OSSL_CORE_HANDLE
*handle
,
48 const OSSL_DISPATCH
*in
,
49 const OSSL_DISPATCH
**out
,
52 static OSSL_LIB_CTX
*libctx
= NULL
;
53 static OSSL_PROVIDER
*defctxnull
= NULL
;
55 #ifndef OPENSSL_NO_TLS1_3
57 static SSL_SESSION
*clientpsk
= NULL
;
58 static SSL_SESSION
*serverpsk
= NULL
;
59 static const char *pskid
= "Identity";
60 static const char *srvid
;
62 static int use_session_cb(SSL
*ssl
, const EVP_MD
*md
, const unsigned char **id
,
63 size_t *idlen
, SSL_SESSION
**sess
);
64 static int find_session_cb(SSL
*ssl
, const unsigned char *identity
,
65 size_t identity_len
, SSL_SESSION
**sess
);
67 static int use_session_cb_cnt
= 0;
68 static int find_session_cb_cnt
= 0;
70 static SSL_SESSION
*create_a_psk(SSL
*ssl
);
73 static char *certsdir
= NULL
;
74 static char *cert
= NULL
;
75 static char *privkey
= NULL
;
76 static char *cert2
= NULL
;
77 static char *privkey2
= NULL
;
78 static char *cert1024
= NULL
;
79 static char *privkey1024
= NULL
;
80 static char *cert3072
= NULL
;
81 static char *privkey3072
= NULL
;
82 static char *cert4096
= NULL
;
83 static char *privkey4096
= NULL
;
84 static char *cert8192
= NULL
;
85 static char *privkey8192
= NULL
;
86 static char *srpvfile
= NULL
;
87 static char *tmpfilename
= NULL
;
89 static int is_fips
= 0;
91 #define LOG_BUFFER_SIZE 2048
92 static char server_log_buffer
[LOG_BUFFER_SIZE
+ 1] = {0};
93 static size_t server_log_buffer_index
= 0;
94 static char client_log_buffer
[LOG_BUFFER_SIZE
+ 1] = {0};
95 static size_t client_log_buffer_index
= 0;
96 static int error_writing_log
= 0;
98 #ifndef OPENSSL_NO_OCSP
99 static const unsigned char orespder
[] = "Dummy OCSP Response";
100 static int ocsp_server_called
= 0;
101 static int ocsp_client_called
= 0;
103 static int cdummyarg
= 1;
104 static X509
*ocspcert
= NULL
;
107 #define NUM_EXTRA_CERTS 40
108 #define CLIENT_VERSION_LEN 2
111 * This structure is used to validate that the correct number of log messages
112 * of various types are emitted when emitting secret logs.
114 struct sslapitest_log_counts
{
115 unsigned int rsa_key_exchange_count
;
116 unsigned int master_secret_count
;
117 unsigned int client_early_secret_count
;
118 unsigned int client_handshake_secret_count
;
119 unsigned int server_handshake_secret_count
;
120 unsigned int client_application_secret_count
;
121 unsigned int server_application_secret_count
;
122 unsigned int early_exporter_secret_count
;
123 unsigned int exporter_secret_count
;
127 static unsigned char serverinfov1
[] = {
128 0xff, 0xff, /* Dummy extension type */
129 0x00, 0x01, /* Extension length is 1 byte */
130 0xff /* Dummy extension data */
133 static unsigned char serverinfov2
[] = {
135 (unsigned char)(SSL_EXT_CLIENT_HELLO
& 0xff), /* Dummy context - 4 bytes */
136 0xff, 0xff, /* Dummy extension type */
137 0x00, 0x01, /* Extension length is 1 byte */
138 0xff /* Dummy extension data */
141 static int hostname_cb(SSL
*s
, int *al
, void *arg
)
143 const char *hostname
= SSL_get_servername(s
, TLSEXT_NAMETYPE_host_name
);
145 if (hostname
!= NULL
&& (strcmp(hostname
, "goodhost") == 0
146 || strcmp(hostname
, "altgoodhost") == 0))
147 return SSL_TLSEXT_ERR_OK
;
149 return SSL_TLSEXT_ERR_NOACK
;
152 static void client_keylog_callback(const SSL
*ssl
, const char *line
)
154 int line_length
= strlen(line
);
156 /* If the log doesn't fit, error out. */
157 if (client_log_buffer_index
+ line_length
> sizeof(client_log_buffer
) - 1) {
158 TEST_info("Client log too full");
159 error_writing_log
= 1;
163 strcat(client_log_buffer
, line
);
164 client_log_buffer_index
+= line_length
;
165 client_log_buffer
[client_log_buffer_index
++] = '\n';
168 static void server_keylog_callback(const SSL
*ssl
, const char *line
)
170 int line_length
= strlen(line
);
172 /* If the log doesn't fit, error out. */
173 if (server_log_buffer_index
+ line_length
> sizeof(server_log_buffer
) - 1) {
174 TEST_info("Server log too full");
175 error_writing_log
= 1;
179 strcat(server_log_buffer
, line
);
180 server_log_buffer_index
+= line_length
;
181 server_log_buffer
[server_log_buffer_index
++] = '\n';
184 static int compare_hex_encoded_buffer(const char *hex_encoded
,
192 if (!TEST_size_t_eq(raw_length
* 2, hex_length
))
195 for (i
= j
= 0; i
< raw_length
&& j
+ 1 < hex_length
; i
++, j
+= 2) {
196 sprintf(hexed
, "%02x", raw
[i
]);
197 if (!TEST_int_eq(hexed
[0], hex_encoded
[j
])
198 || !TEST_int_eq(hexed
[1], hex_encoded
[j
+ 1]))
205 static int test_keylog_output(char *buffer
, const SSL
*ssl
,
206 const SSL_SESSION
*session
,
207 struct sslapitest_log_counts
*expected
)
210 unsigned char actual_client_random
[SSL3_RANDOM_SIZE
] = {0};
211 size_t client_random_size
= SSL3_RANDOM_SIZE
;
212 unsigned char actual_master_key
[SSL_MAX_MASTER_KEY_LENGTH
] = {0};
213 size_t master_key_size
= SSL_MAX_MASTER_KEY_LENGTH
;
214 unsigned int rsa_key_exchange_count
= 0;
215 unsigned int master_secret_count
= 0;
216 unsigned int client_early_secret_count
= 0;
217 unsigned int client_handshake_secret_count
= 0;
218 unsigned int server_handshake_secret_count
= 0;
219 unsigned int client_application_secret_count
= 0;
220 unsigned int server_application_secret_count
= 0;
221 unsigned int early_exporter_secret_count
= 0;
222 unsigned int exporter_secret_count
= 0;
224 for (token
= strtok(buffer
, " \n"); token
!= NULL
;
225 token
= strtok(NULL
, " \n")) {
226 if (strcmp(token
, "RSA") == 0) {
228 * Premaster secret. Tokens should be: 16 ASCII bytes of
229 * hex-encoded encrypted secret, then the hex-encoded pre-master
232 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
234 if (!TEST_size_t_eq(strlen(token
), 16))
236 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
239 * We can't sensibly check the log because the premaster secret is
240 * transient, and OpenSSL doesn't keep hold of it once the master
241 * secret is generated.
243 rsa_key_exchange_count
++;
244 } else if (strcmp(token
, "CLIENT_RANDOM") == 0) {
246 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
247 * client random, then the hex-encoded master secret.
249 client_random_size
= SSL_get_client_random(ssl
,
250 actual_client_random
,
252 if (!TEST_size_t_eq(client_random_size
, SSL3_RANDOM_SIZE
))
255 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
257 if (!TEST_size_t_eq(strlen(token
), 64))
259 if (!TEST_false(compare_hex_encoded_buffer(token
, 64,
260 actual_client_random
,
261 client_random_size
)))
264 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
266 master_key_size
= SSL_SESSION_get_master_key(session
,
269 if (!TEST_size_t_ne(master_key_size
, 0))
271 if (!TEST_false(compare_hex_encoded_buffer(token
, strlen(token
),
275 master_secret_count
++;
276 } else if (strcmp(token
, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
277 || strcmp(token
, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
278 || strcmp(token
, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
279 || strcmp(token
, "CLIENT_TRAFFIC_SECRET_0") == 0
280 || strcmp(token
, "SERVER_TRAFFIC_SECRET_0") == 0
281 || strcmp(token
, "EARLY_EXPORTER_SECRET") == 0
282 || strcmp(token
, "EXPORTER_SECRET") == 0) {
284 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
285 * client random, and then the hex-encoded secret. In this case,
286 * we treat all of these secrets identically and then just
287 * distinguish between them when counting what we saw.
289 if (strcmp(token
, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
290 client_early_secret_count
++;
291 else if (strcmp(token
, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 client_handshake_secret_count
++;
293 else if (strcmp(token
, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
294 server_handshake_secret_count
++;
295 else if (strcmp(token
, "CLIENT_TRAFFIC_SECRET_0") == 0)
296 client_application_secret_count
++;
297 else if (strcmp(token
, "SERVER_TRAFFIC_SECRET_0") == 0)
298 server_application_secret_count
++;
299 else if (strcmp(token
, "EARLY_EXPORTER_SECRET") == 0)
300 early_exporter_secret_count
++;
301 else if (strcmp(token
, "EXPORTER_SECRET") == 0)
302 exporter_secret_count
++;
304 client_random_size
= SSL_get_client_random(ssl
,
305 actual_client_random
,
307 if (!TEST_size_t_eq(client_random_size
, SSL3_RANDOM_SIZE
))
310 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
312 if (!TEST_size_t_eq(strlen(token
), 64))
314 if (!TEST_false(compare_hex_encoded_buffer(token
, 64,
315 actual_client_random
,
316 client_random_size
)))
319 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
323 * TODO(TLS1.3): test that application traffic secrets are what
326 TEST_info("Unexpected token %s\n", token
);
331 /* Got what we expected? */
332 if (!TEST_size_t_eq(rsa_key_exchange_count
,
333 expected
->rsa_key_exchange_count
)
334 || !TEST_size_t_eq(master_secret_count
,
335 expected
->master_secret_count
)
336 || !TEST_size_t_eq(client_early_secret_count
,
337 expected
->client_early_secret_count
)
338 || !TEST_size_t_eq(client_handshake_secret_count
,
339 expected
->client_handshake_secret_count
)
340 || !TEST_size_t_eq(server_handshake_secret_count
,
341 expected
->server_handshake_secret_count
)
342 || !TEST_size_t_eq(client_application_secret_count
,
343 expected
->client_application_secret_count
)
344 || !TEST_size_t_eq(server_application_secret_count
,
345 expected
->server_application_secret_count
)
346 || !TEST_size_t_eq(early_exporter_secret_count
,
347 expected
->early_exporter_secret_count
)
348 || !TEST_size_t_eq(exporter_secret_count
,
349 expected
->exporter_secret_count
))
354 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
355 static int test_keylog(void)
357 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
358 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
360 struct sslapitest_log_counts expected
;
362 /* Clean up logging space */
363 memset(&expected
, 0, sizeof(expected
));
364 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
365 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
366 client_log_buffer_index
= 0;
367 server_log_buffer_index
= 0;
368 error_writing_log
= 0;
370 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
373 &sctx
, &cctx
, cert
, privkey
)))
376 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
377 SSL_CTX_set_options(cctx
, SSL_OP_NO_TLSv1_3
);
378 SSL_CTX_set_options(sctx
, SSL_OP_NO_TLSv1_3
);
380 /* We also want to ensure that we use RSA-based key exchange. */
381 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "RSA")))
384 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
) == NULL
)
385 || !TEST_true(SSL_CTX_get_keylog_callback(sctx
) == NULL
))
387 SSL_CTX_set_keylog_callback(cctx
, client_keylog_callback
);
388 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
)
389 == client_keylog_callback
))
391 SSL_CTX_set_keylog_callback(sctx
, server_keylog_callback
);
392 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx
)
393 == server_keylog_callback
))
396 /* Now do a handshake and check that the logs have been written to. */
397 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
398 &clientssl
, NULL
, NULL
))
399 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
401 || !TEST_false(error_writing_log
)
402 || !TEST_int_gt(client_log_buffer_index
, 0)
403 || !TEST_int_gt(server_log_buffer_index
, 0))
407 * Now we want to test that our output data was vaguely sensible. We
408 * do that by using strtok and confirming that we have more or less the
409 * data we expect. For both client and server, we expect to see one master
410 * secret. The client should also see a RSA key exchange.
412 expected
.rsa_key_exchange_count
= 1;
413 expected
.master_secret_count
= 1;
414 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
415 SSL_get_session(clientssl
), &expected
)))
418 expected
.rsa_key_exchange_count
= 0;
419 if (!TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
420 SSL_get_session(serverssl
), &expected
)))
435 #ifndef OPENSSL_NO_TLS1_3
436 static int test_keylog_no_master_key(void)
438 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
439 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
440 SSL_SESSION
*sess
= NULL
;
442 struct sslapitest_log_counts expected
;
443 unsigned char buf
[1];
444 size_t readbytes
, written
;
446 /* Clean up logging space */
447 memset(&expected
, 0, sizeof(expected
));
448 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
449 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
450 client_log_buffer_index
= 0;
451 server_log_buffer_index
= 0;
452 error_writing_log
= 0;
454 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
455 TLS_client_method(), TLS1_VERSION
, 0,
456 &sctx
, &cctx
, cert
, privkey
))
457 || !TEST_true(SSL_CTX_set_max_early_data(sctx
,
458 SSL3_RT_MAX_PLAIN_LENGTH
)))
461 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
) == NULL
)
462 || !TEST_true(SSL_CTX_get_keylog_callback(sctx
) == NULL
))
465 SSL_CTX_set_keylog_callback(cctx
, client_keylog_callback
);
466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
)
467 == client_keylog_callback
))
470 SSL_CTX_set_keylog_callback(sctx
, server_keylog_callback
);
471 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx
)
472 == server_keylog_callback
))
475 /* Now do a handshake and check that the logs have been written to. */
476 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
477 &clientssl
, NULL
, NULL
))
478 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
480 || !TEST_false(error_writing_log
))
484 * Now we want to test that our output data was vaguely sensible. For this
485 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
486 * TLSv1.3, but we do expect both client and server to emit keys.
488 expected
.client_handshake_secret_count
= 1;
489 expected
.server_handshake_secret_count
= 1;
490 expected
.client_application_secret_count
= 1;
491 expected
.server_application_secret_count
= 1;
492 expected
.exporter_secret_count
= 1;
493 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
494 SSL_get_session(clientssl
), &expected
))
495 || !TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
496 SSL_get_session(serverssl
),
500 /* Terminate old session and resume with early data. */
501 sess
= SSL_get1_session(clientssl
);
502 SSL_shutdown(clientssl
);
503 SSL_shutdown(serverssl
);
506 serverssl
= clientssl
= NULL
;
509 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
510 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
511 client_log_buffer_index
= 0;
512 server_log_buffer_index
= 0;
514 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
515 &clientssl
, NULL
, NULL
))
516 || !TEST_true(SSL_set_session(clientssl
, sess
))
517 /* Here writing 0 length early data is enough. */
518 || !TEST_true(SSL_write_early_data(clientssl
, NULL
, 0, &written
))
519 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
521 SSL_READ_EARLY_DATA_ERROR
)
522 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
523 SSL_EARLY_DATA_ACCEPTED
)
524 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
526 || !TEST_true(SSL_session_reused(clientssl
)))
529 /* In addition to the previous entries, expect early secrets. */
530 expected
.client_early_secret_count
= 1;
531 expected
.early_exporter_secret_count
= 1;
532 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
533 SSL_get_session(clientssl
), &expected
))
534 || !TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
535 SSL_get_session(serverssl
),
542 SSL_SESSION_free(sess
);
552 #ifndef OPENSSL_NO_TLS1_2
553 static int full_client_hello_callback(SSL
*s
, int *al
, void *arg
)
556 const unsigned char *p
;
558 /* We only configure two ciphers, but the SCSV is added automatically. */
560 const unsigned char expected_ciphers
[] = {0x00, 0x9d, 0x00, 0xff};
562 const unsigned char expected_ciphers
[] = {0x00, 0x9d, 0xc0,
565 const int expected_extensions
[] = {
566 #ifndef OPENSSL_NO_EC
572 /* Make sure we can defer processing and get called back. */
574 return SSL_CLIENT_HELLO_RETRY
;
576 len
= SSL_client_hello_get0_ciphers(s
, &p
);
577 if (!TEST_mem_eq(p
, len
, expected_ciphers
, sizeof(expected_ciphers
))
579 SSL_client_hello_get0_compression_methods(s
, &p
), 1)
580 || !TEST_int_eq(*p
, 0))
581 return SSL_CLIENT_HELLO_ERROR
;
582 if (!SSL_client_hello_get1_extensions_present(s
, &exts
, &len
))
583 return SSL_CLIENT_HELLO_ERROR
;
584 if (len
!= OSSL_NELEM(expected_extensions
) ||
585 memcmp(exts
, expected_extensions
, len
* sizeof(*exts
)) != 0) {
586 printf("ClientHello callback expected extensions mismatch\n");
588 return SSL_CLIENT_HELLO_ERROR
;
591 return SSL_CLIENT_HELLO_SUCCESS
;
594 static int test_client_hello_cb(void)
596 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
597 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
598 int testctr
= 0, testresult
= 0;
600 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
601 TLS_client_method(), TLS1_VERSION
, 0,
602 &sctx
, &cctx
, cert
, privkey
)))
604 SSL_CTX_set_client_hello_cb(sctx
, full_client_hello_callback
, &testctr
);
606 /* The gimpy cipher list we configure can't do TLS 1.3. */
607 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
609 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
610 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
611 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
612 &clientssl
, NULL
, NULL
))
613 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
614 SSL_ERROR_WANT_CLIENT_HELLO_CB
))
616 * Passing a -1 literal is a hack since
617 * the real value was lost.
619 || !TEST_int_eq(SSL_get_error(serverssl
, -1),
620 SSL_ERROR_WANT_CLIENT_HELLO_CB
)
621 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
636 static int test_no_ems(void)
638 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
639 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
642 if (!create_ssl_ctx_pair(libctx
, TLS_server_method(), TLS_client_method(),
643 TLS1_VERSION
, TLS1_2_VERSION
,
644 &sctx
, &cctx
, cert
, privkey
)) {
645 printf("Unable to create SSL_CTX pair\n");
649 SSL_CTX_set_options(sctx
, SSL_OP_NO_EXTENDED_MASTER_SECRET
);
651 if (!create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
, NULL
)) {
652 printf("Unable to create SSL objects\n");
656 if (!create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)) {
657 printf("Creating SSL connection failed\n");
661 if (SSL_get_extms_support(serverssl
)) {
662 printf("Server reports Extended Master Secret support\n");
666 if (SSL_get_extms_support(clientssl
)) {
667 printf("Client reports Extended Master Secret support\n");
682 * Very focused test to exercise a single case in the server-side state
683 * machine, when the ChangeCipherState message needs to actually change
684 * from one cipher to a different cipher (i.e., not changing from null
685 * encryption to real encryption).
687 static int test_ccs_change_cipher(void)
689 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
690 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
691 SSL_SESSION
*sess
= NULL
, *sesspre
, *sesspost
;
698 * Create a conection so we can resume and potentially (but not) use
699 * a different cipher in the second connection.
701 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
703 TLS1_VERSION
, TLS1_2_VERSION
,
704 &sctx
, &cctx
, cert
, privkey
))
705 || !TEST_true(SSL_CTX_set_options(sctx
, SSL_OP_NO_TICKET
))
706 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
708 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES128-GCM-SHA256"))
709 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
711 || !TEST_ptr(sesspre
= SSL_get0_session(serverssl
))
712 || !TEST_ptr(sess
= SSL_get1_session(clientssl
)))
715 shutdown_ssl_connection(serverssl
, clientssl
);
716 serverssl
= clientssl
= NULL
;
718 /* Resume, preferring a different cipher. Our server will force the
719 * same cipher to be used as the initial handshake. */
720 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
722 || !TEST_true(SSL_set_session(clientssl
, sess
))
723 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
724 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
726 || !TEST_true(SSL_session_reused(clientssl
))
727 || !TEST_true(SSL_session_reused(serverssl
))
728 || !TEST_ptr(sesspost
= SSL_get0_session(serverssl
))
729 || !TEST_ptr_eq(sesspre
, sesspost
)
730 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256
,
731 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl
))))
733 shutdown_ssl_connection(serverssl
, clientssl
);
734 serverssl
= clientssl
= NULL
;
737 * Now create a fresh connection and try to renegotiate a different
740 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
742 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES128-GCM-SHA256"))
743 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
745 || !TEST_ptr(sesspre
= SSL_get0_session(serverssl
))
746 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384"))
747 || !TEST_true(SSL_renegotiate(clientssl
))
748 || !TEST_true(SSL_renegotiate_pending(clientssl
)))
750 /* Actually drive the renegotiation. */
751 for (i
= 0; i
< 3; i
++) {
752 if (SSL_read_ex(clientssl
, &buf
, sizeof(buf
), &readbytes
) > 0) {
753 if (!TEST_ulong_eq(readbytes
, 0))
755 } else if (!TEST_int_eq(SSL_get_error(clientssl
, 0),
756 SSL_ERROR_WANT_READ
)) {
759 if (SSL_read_ex(serverssl
, &buf
, sizeof(buf
), &readbytes
) > 0) {
760 if (!TEST_ulong_eq(readbytes
, 0))
762 } else if (!TEST_int_eq(SSL_get_error(serverssl
, 0),
763 SSL_ERROR_WANT_READ
)) {
767 /* sesspre and sesspost should be different since the cipher changed. */
768 if (!TEST_false(SSL_renegotiate_pending(clientssl
))
769 || !TEST_false(SSL_session_reused(clientssl
))
770 || !TEST_false(SSL_session_reused(serverssl
))
771 || !TEST_ptr(sesspost
= SSL_get0_session(serverssl
))
772 || !TEST_ptr_ne(sesspre
, sesspost
)
773 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384
,
774 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl
))))
777 shutdown_ssl_connection(serverssl
, clientssl
);
778 serverssl
= clientssl
= NULL
;
787 SSL_SESSION_free(sess
);
793 static int execute_test_large_message(const SSL_METHOD
*smeth
,
794 const SSL_METHOD
*cmeth
,
795 int min_version
, int max_version
,
798 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
799 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
803 X509
*chaincert
= NULL
;
806 if (!TEST_ptr(certbio
= BIO_new_file(cert
, "r")))
809 if (!TEST_ptr(chaincert
= X509_new_ex(libctx
, NULL
)))
812 if (PEM_read_bio_X509(certbio
, &chaincert
, NULL
, NULL
) == NULL
)
817 if (!TEST_true(create_ssl_ctx_pair(libctx
, smeth
, cmeth
, min_version
,
818 max_version
, &sctx
, &cctx
, cert
,
824 * Test that read_ahead works correctly when dealing with large
827 SSL_CTX_set_read_ahead(cctx
, 1);
831 * We assume the supplied certificate is big enough so that if we add
832 * NUM_EXTRA_CERTS it will make the overall message large enough. The
833 * default buffer size is requested to be 16k, but due to the way BUF_MEM
834 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
835 * test we need to have a message larger than that.
837 certlen
= i2d_X509(chaincert
, NULL
);
838 OPENSSL_assert(certlen
* NUM_EXTRA_CERTS
>
839 (SSL3_RT_MAX_PLAIN_LENGTH
* 4) / 3);
840 for (i
= 0; i
< NUM_EXTRA_CERTS
; i
++) {
841 if (!X509_up_ref(chaincert
))
843 if (!SSL_CTX_add_extra_chain_cert(sctx
, chaincert
)) {
844 X509_free(chaincert
);
849 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
851 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
856 * Calling SSL_clear() first is not required but this tests that SSL_clear()
859 if (!TEST_true(SSL_clear(serverssl
)))
865 X509_free(chaincert
);
874 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
875 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
876 #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
877 /* sock must be connected */
878 static int ktls_chk_platform(int sock
)
880 if (!ktls_enable(sock
))
885 static int ping_pong_query(SSL
*clientssl
, SSL
*serverssl
, int cfd
, int sfd
, int rec_seq_size
)
887 static char count
= 1;
888 unsigned char cbuf
[16000] = {0};
889 unsigned char sbuf
[16000];
891 char crec_wseq_before
[TLS_CIPHER_MAX_REC_SEQ_SIZE
];
892 char crec_wseq_after
[TLS_CIPHER_MAX_REC_SEQ_SIZE
];
893 char crec_rseq_before
[TLS_CIPHER_MAX_REC_SEQ_SIZE
];
894 char crec_rseq_after
[TLS_CIPHER_MAX_REC_SEQ_SIZE
];
895 char srec_wseq_before
[TLS_CIPHER_MAX_REC_SEQ_SIZE
];
896 char srec_wseq_after
[TLS_CIPHER_MAX_REC_SEQ_SIZE
];
897 char srec_rseq_before
[TLS_CIPHER_MAX_REC_SEQ_SIZE
];
898 char srec_rseq_after
[TLS_CIPHER_MAX_REC_SEQ_SIZE
];
901 memcpy(crec_wseq_before
, &clientssl
->rlayer
.write_sequence
, rec_seq_size
);
902 memcpy(crec_rseq_before
, &clientssl
->rlayer
.read_sequence
, rec_seq_size
);
903 memcpy(srec_wseq_before
, &serverssl
->rlayer
.write_sequence
, rec_seq_size
);
904 memcpy(srec_rseq_before
, &serverssl
->rlayer
.read_sequence
, rec_seq_size
);
906 if (!TEST_true(SSL_write(clientssl
, cbuf
, sizeof(cbuf
)) == sizeof(cbuf
)))
909 while ((err
= SSL_read(serverssl
, &sbuf
, sizeof(sbuf
))) != sizeof(sbuf
)) {
910 if (SSL_get_error(serverssl
, err
) != SSL_ERROR_WANT_READ
) {
915 if (!TEST_true(SSL_write(serverssl
, sbuf
, sizeof(sbuf
)) == sizeof(sbuf
)))
918 while ((err
= SSL_read(clientssl
, &cbuf
, sizeof(cbuf
))) != sizeof(cbuf
)) {
919 if (SSL_get_error(clientssl
, err
) != SSL_ERROR_WANT_READ
) {
924 memcpy(crec_wseq_after
, &clientssl
->rlayer
.write_sequence
, rec_seq_size
);
925 memcpy(crec_rseq_after
, &clientssl
->rlayer
.read_sequence
, rec_seq_size
);
926 memcpy(srec_wseq_after
, &serverssl
->rlayer
.write_sequence
, rec_seq_size
);
927 memcpy(srec_rseq_after
, &serverssl
->rlayer
.read_sequence
, rec_seq_size
);
929 /* verify the payload */
930 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(sbuf
)))
933 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
934 if (clientssl
->mode
& SSL_MODE_NO_KTLS_TX
) {
935 if (!TEST_mem_ne(crec_wseq_before
, rec_seq_size
,
936 crec_wseq_after
, rec_seq_size
))
939 if (!TEST_mem_eq(crec_wseq_before
, rec_seq_size
,
940 crec_wseq_after
, rec_seq_size
))
944 if (serverssl
->mode
& SSL_MODE_NO_KTLS_TX
) {
945 if (!TEST_mem_ne(srec_wseq_before
, rec_seq_size
,
946 srec_wseq_after
, rec_seq_size
))
949 if (!TEST_mem_eq(srec_wseq_before
, rec_seq_size
,
950 srec_wseq_after
, rec_seq_size
))
954 if (clientssl
->mode
& SSL_MODE_NO_KTLS_RX
) {
955 if (!TEST_mem_ne(crec_rseq_before
, rec_seq_size
,
956 crec_rseq_after
, rec_seq_size
))
959 if (!TEST_mem_eq(crec_rseq_before
, rec_seq_size
,
960 crec_rseq_after
, rec_seq_size
))
964 if (serverssl
->mode
& SSL_MODE_NO_KTLS_RX
) {
965 if (!TEST_mem_ne(srec_rseq_before
, rec_seq_size
,
966 srec_rseq_after
, rec_seq_size
))
969 if (!TEST_mem_eq(srec_rseq_before
, rec_seq_size
,
970 srec_rseq_after
, rec_seq_size
))
979 static int execute_test_ktls(int cis_ktls_tx
, int cis_ktls_rx
,
980 int sis_ktls_tx
, int sis_ktls_rx
,
981 int tls_version
, const char *cipher
,
984 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
985 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
989 if (!TEST_true(create_test_sockets(&cfd
, &sfd
)))
992 /* Skip this test if the platform does not support ktls */
993 if (!ktls_chk_platform(cfd
))
996 /* Create a session based on SHA-256 */
997 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
999 tls_version
, tls_version
,
1000 &sctx
, &cctx
, cert
, privkey
))
1001 || !TEST_true(SSL_CTX_set_cipher_list(cctx
, cipher
))
1002 || !TEST_true(SSL_CTX_set_cipher_list(sctx
, cipher
))
1003 || !TEST_true(create_ssl_objects2(sctx
, cctx
, &serverssl
,
1004 &clientssl
, sfd
, cfd
)))
1008 if (!TEST_true(SSL_set_mode(clientssl
, SSL_MODE_NO_KTLS_TX
)))
1013 if (!TEST_true(SSL_set_mode(serverssl
, SSL_MODE_NO_KTLS_TX
)))
1018 if (!TEST_true(SSL_set_mode(clientssl
, SSL_MODE_NO_KTLS_RX
)))
1023 if (!TEST_true(SSL_set_mode(serverssl
, SSL_MODE_NO_KTLS_RX
)))
1027 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1032 if (!TEST_false(BIO_get_ktls_send(clientssl
->wbio
)))
1035 if (!TEST_true(BIO_get_ktls_send(clientssl
->wbio
)))
1040 if (!TEST_false(BIO_get_ktls_send(serverssl
->wbio
)))
1043 if (!TEST_true(BIO_get_ktls_send(serverssl
->wbio
)))
1048 if (!TEST_false(BIO_get_ktls_recv(clientssl
->rbio
)))
1051 if (!TEST_true(BIO_get_ktls_recv(clientssl
->rbio
)))
1056 if (!TEST_false(BIO_get_ktls_recv(serverssl
->rbio
)))
1059 if (!TEST_true(BIO_get_ktls_recv(serverssl
->rbio
)))
1063 if (!TEST_true(ping_pong_query(clientssl
, serverssl
, cfd
, sfd
,
1070 SSL_shutdown(clientssl
);
1071 SSL_free(clientssl
);
1074 SSL_shutdown(serverssl
);
1075 SSL_free(serverssl
);
1079 serverssl
= clientssl
= NULL
;
1083 #define SENDFILE_SZ (16 * 4096)
1084 #define SENDFILE_CHUNK (4 * 4096)
1085 #define min(a,b) ((a) > (b) ? (b) : (a))
1087 static int test_ktls_sendfile(int tls_version
, const char *cipher
)
1089 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1090 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1091 unsigned char *buf
, *buf_dst
;
1092 BIO
*out
= NULL
, *in
= NULL
;
1093 int cfd
, sfd
, ffd
, err
;
1094 ssize_t chunk_size
= 0;
1095 off_t chunk_off
= 0;
1099 buf
= OPENSSL_zalloc(SENDFILE_SZ
);
1100 buf_dst
= OPENSSL_zalloc(SENDFILE_SZ
);
1101 if (!TEST_ptr(buf
) || !TEST_ptr(buf_dst
)
1102 || !TEST_true(create_test_sockets(&cfd
, &sfd
)))
1105 /* Skip this test if the platform does not support ktls */
1106 if (!ktls_chk_platform(sfd
)) {
1111 /* Create a session based on SHA-256 */
1112 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1113 TLS_client_method(),
1114 tls_version
, tls_version
,
1115 &sctx
, &cctx
, cert
, privkey
))
1116 || !TEST_true(SSL_CTX_set_cipher_list(cctx
, cipher
))
1117 || !TEST_true(SSL_CTX_set_cipher_list(sctx
, cipher
))
1118 || !TEST_true(create_ssl_objects2(sctx
, cctx
, &serverssl
,
1119 &clientssl
, sfd
, cfd
)))
1122 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1124 || !TEST_true(BIO_get_ktls_send(serverssl
->wbio
)))
1127 if (!TEST_true(RAND_bytes_ex(libctx
, buf
, SENDFILE_SZ
)))
1130 out
= BIO_new_file(tmpfilename
, "wb");
1134 if (BIO_write(out
, buf
, SENDFILE_SZ
) != SENDFILE_SZ
)
1139 in
= BIO_new_file(tmpfilename
, "rb");
1140 BIO_get_fp(in
, &ffdp
);
1143 while (chunk_off
< SENDFILE_SZ
) {
1144 chunk_size
= min(SENDFILE_CHUNK
, SENDFILE_SZ
- chunk_off
);
1145 while ((err
= SSL_sendfile(serverssl
,
1149 0)) != chunk_size
) {
1150 if (SSL_get_error(serverssl
, err
) != SSL_ERROR_WANT_WRITE
)
1153 while ((err
= SSL_read(clientssl
,
1154 buf_dst
+ chunk_off
,
1155 chunk_size
)) != chunk_size
) {
1156 if (SSL_get_error(clientssl
, err
) != SSL_ERROR_WANT_READ
)
1160 /* verify the payload */
1161 if (!TEST_mem_eq(buf_dst
+ chunk_off
,
1167 chunk_off
+= chunk_size
;
1173 SSL_shutdown(clientssl
);
1174 SSL_free(clientssl
);
1177 SSL_shutdown(serverssl
);
1178 SSL_free(serverssl
);
1182 serverssl
= clientssl
= NULL
;
1186 OPENSSL_free(buf_dst
);
1190 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1191 static int test_ktls(int test
)
1193 int cis_ktls_tx
, cis_ktls_rx
, sis_ktls_tx
, sis_ktls_rx
;
1194 int tlsver
, testresult
;
1197 #if defined(OPENSSL_NO_TLS1_3)
1201 tlsver
= TLS1_3_VERSION
;
1204 #if defined(OPENSSL_NO_TLS1_2)
1207 tlsver
= TLS1_2_VERSION
;
1211 cis_ktls_tx
= (test
& 1) != 0;
1212 cis_ktls_rx
= (test
& 2) != 0;
1213 sis_ktls_tx
= (test
& 4) != 0;
1214 sis_ktls_rx
= (test
& 8) != 0;
1216 #if defined(OPENSSL_NO_KTLS_RX)
1217 if (cis_ktls_rx
|| sis_ktls_rx
)
1220 #if !defined(OPENSSL_NO_TLS1_3)
1221 if (tlsver
== TLS1_3_VERSION
&& (cis_ktls_rx
|| sis_ktls_rx
))
1226 #ifdef OPENSSL_KTLS_AES_GCM_128
1227 testresult
&= execute_test_ktls(cis_ktls_tx
, cis_ktls_rx
, sis_ktls_tx
,
1228 sis_ktls_rx
, tlsver
, "AES128-GCM-SHA256",
1229 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE
);
1231 #ifdef OPENSSL_KTLS_AES_CCM_128
1232 testresult
&= execute_test_ktls(cis_ktls_tx
, cis_ktls_rx
, sis_ktls_tx
,
1233 sis_ktls_rx
, tlsver
, "AES128-CCM",
1234 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE
);
1236 #ifdef OPENSSL_KTLS_AES_GCM_256
1237 testresult
&= execute_test_ktls(cis_ktls_tx
, cis_ktls_rx
, sis_ktls_tx
,
1238 sis_ktls_rx
, tlsver
, "AES256-GCM-SHA384",
1239 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE
);
1244 static int test_ktls_sendfile_anytls(int tst
)
1246 char *cipher
[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
1250 #if defined(OPENSSL_NO_TLS1_3)
1254 tlsver
= TLS1_3_VERSION
;
1257 #if defined(OPENSSL_NO_TLS1_2)
1260 tlsver
= TLS1_2_VERSION
;
1264 #ifndef OPENSSL_KTLS_AES_GCM_128
1265 if(tst
== 0) return 1;
1267 #ifndef OPENSSL_KTLS_AES_CCM_128
1268 if(tst
== 1) return 1;
1270 #ifndef OPENSSL_KTLS_AES_GCM_256
1271 if(tst
== 2) return 1;
1273 return test_ktls_sendfile(tlsver
, cipher
[tst
]);
1279 static int test_large_message_tls(void)
1281 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1282 TLS1_VERSION
, 0, 0);
1285 static int test_large_message_tls_read_ahead(void)
1287 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1288 TLS1_VERSION
, 0, 1);
1291 #ifndef OPENSSL_NO_DTLS
1292 static int test_large_message_dtls(void)
1295 * read_ahead is not relevant to DTLS because DTLS always acts as if
1296 * read_ahead is set.
1298 return execute_test_large_message(DTLS_server_method(),
1299 DTLS_client_method(),
1300 DTLS1_VERSION
, 0, 0);
1304 static int execute_cleanse_plaintext(const SSL_METHOD
*smeth
,
1305 const SSL_METHOD
*cmeth
,
1306 int min_version
, int max_version
)
1309 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1310 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1315 static unsigned char cbuf
[16000];
1316 static unsigned char sbuf
[16000];
1318 if (!TEST_true(create_ssl_ctx_pair(libctx
,
1320 min_version
, max_version
,
1325 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
1329 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_CLEANSE_PLAINTEXT
)))
1332 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1336 for (i
= 0; i
< sizeof(cbuf
); i
++) {
1340 if (!TEST_int_eq(SSL_write(clientssl
, cbuf
, sizeof(cbuf
)), sizeof(cbuf
)))
1343 if (!TEST_int_eq(SSL_peek(serverssl
, &sbuf
, sizeof(sbuf
)), sizeof(sbuf
)))
1346 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(sbuf
)))
1350 * Since we called SSL_peek(), we know the data in the record
1351 * layer is a plaintext record. We can gather the pointer to check
1352 * for zeroization after SSL_read().
1354 rr
= serverssl
->rlayer
.rrec
;
1355 zbuf
= &rr
->data
[rr
->off
];
1356 if (!TEST_int_eq(rr
->length
, sizeof(cbuf
)))
1360 * After SSL_peek() the plaintext must still be stored in the
1363 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), zbuf
, sizeof(cbuf
)))
1366 memset(sbuf
, 0, sizeof(sbuf
));
1367 if (!TEST_int_eq(SSL_read(serverssl
, &sbuf
, sizeof(sbuf
)), sizeof(sbuf
)))
1370 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(cbuf
)))
1373 /* Check if rbuf is cleansed */
1374 memset(cbuf
, 0, sizeof(cbuf
));
1375 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), zbuf
, sizeof(cbuf
)))
1380 SSL_free(serverssl
);
1381 SSL_free(clientssl
);
1388 static int test_cleanse_plaintext(void)
1390 #if !defined(OPENSSL_NO_TLS1_2)
1391 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1392 TLS_client_method(),
1399 #if !defined(OPENSSL_NO_TLS1_3)
1400 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1401 TLS_client_method(),
1407 #if !defined(OPENSSL_NO_DTLS)
1408 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1409 DTLS_client_method(),
1417 #ifndef OPENSSL_NO_OCSP
1418 static int ocsp_server_cb(SSL
*s
, void *arg
)
1420 int *argi
= (int *)arg
;
1421 unsigned char *copy
= NULL
;
1422 STACK_OF(OCSP_RESPID
) *ids
= NULL
;
1423 OCSP_RESPID
*id
= NULL
;
1426 /* In this test we are expecting exactly 1 OCSP_RESPID */
1427 SSL_get_tlsext_status_ids(s
, &ids
);
1428 if (ids
== NULL
|| sk_OCSP_RESPID_num(ids
) != 1)
1429 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1431 id
= sk_OCSP_RESPID_value(ids
, 0);
1432 if (id
== NULL
|| !OCSP_RESPID_match_ex(id
, ocspcert
, libctx
, NULL
))
1433 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1434 } else if (*argi
!= 1) {
1435 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1438 if (!TEST_ptr(copy
= OPENSSL_memdup(orespder
, sizeof(orespder
))))
1439 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1441 SSL_set_tlsext_status_ocsp_resp(s
, copy
, sizeof(orespder
));
1442 ocsp_server_called
= 1;
1443 return SSL_TLSEXT_ERR_OK
;
1446 static int ocsp_client_cb(SSL
*s
, void *arg
)
1448 int *argi
= (int *)arg
;
1449 const unsigned char *respderin
;
1452 if (*argi
!= 1 && *argi
!= 2)
1455 len
= SSL_get_tlsext_status_ocsp_resp(s
, &respderin
);
1456 if (!TEST_mem_eq(orespder
, len
, respderin
, len
))
1459 ocsp_client_called
= 1;
1463 static int test_tlsext_status_type(void)
1465 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1466 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1468 STACK_OF(OCSP_RESPID
) *ids
= NULL
;
1469 OCSP_RESPID
*id
= NULL
;
1470 BIO
*certbio
= NULL
;
1472 if (!create_ssl_ctx_pair(libctx
, TLS_server_method(), TLS_client_method(),
1474 &sctx
, &cctx
, cert
, privkey
))
1477 if (SSL_CTX_get_tlsext_status_type(cctx
) != -1)
1480 /* First just do various checks getting and setting tlsext_status_type */
1482 clientssl
= SSL_new(cctx
);
1483 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl
), -1)
1484 || !TEST_true(SSL_set_tlsext_status_type(clientssl
,
1485 TLSEXT_STATUSTYPE_ocsp
))
1486 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl
),
1487 TLSEXT_STATUSTYPE_ocsp
))
1490 SSL_free(clientssl
);
1493 if (!SSL_CTX_set_tlsext_status_type(cctx
, TLSEXT_STATUSTYPE_ocsp
)
1494 || SSL_CTX_get_tlsext_status_type(cctx
) != TLSEXT_STATUSTYPE_ocsp
)
1497 clientssl
= SSL_new(cctx
);
1498 if (SSL_get_tlsext_status_type(clientssl
) != TLSEXT_STATUSTYPE_ocsp
)
1500 SSL_free(clientssl
);
1504 * Now actually do a handshake and check OCSP information is exchanged and
1505 * the callbacks get called
1507 SSL_CTX_set_tlsext_status_cb(cctx
, ocsp_client_cb
);
1508 SSL_CTX_set_tlsext_status_arg(cctx
, &cdummyarg
);
1509 SSL_CTX_set_tlsext_status_cb(sctx
, ocsp_server_cb
);
1510 SSL_CTX_set_tlsext_status_arg(sctx
, &cdummyarg
);
1511 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1512 &clientssl
, NULL
, NULL
))
1513 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
1515 || !TEST_true(ocsp_client_called
)
1516 || !TEST_true(ocsp_server_called
))
1518 SSL_free(serverssl
);
1519 SSL_free(clientssl
);
1523 /* Try again but this time force the server side callback to fail */
1524 ocsp_client_called
= 0;
1525 ocsp_server_called
= 0;
1527 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1528 &clientssl
, NULL
, NULL
))
1529 /* This should fail because the callback will fail */
1530 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
1532 || !TEST_false(ocsp_client_called
)
1533 || !TEST_false(ocsp_server_called
))
1535 SSL_free(serverssl
);
1536 SSL_free(clientssl
);
1541 * This time we'll get the client to send an OCSP_RESPID that it will
1544 ocsp_client_called
= 0;
1545 ocsp_server_called
= 0;
1547 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1548 &clientssl
, NULL
, NULL
)))
1552 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1553 * specific one. We'll use the server cert.
1555 if (!TEST_ptr(certbio
= BIO_new_file(cert
, "r"))
1556 || !TEST_ptr(id
= OCSP_RESPID_new())
1557 || !TEST_ptr(ids
= sk_OCSP_RESPID_new_null())
1558 || !TEST_ptr(ocspcert
= X509_new_ex(libctx
, NULL
))
1559 || !TEST_ptr(PEM_read_bio_X509(certbio
, &ocspcert
, NULL
, NULL
))
1560 || !TEST_true(OCSP_RESPID_set_by_key_ex(id
, ocspcert
, libctx
, NULL
))
1561 || !TEST_true(sk_OCSP_RESPID_push(ids
, id
)))
1564 SSL_set_tlsext_status_ids(clientssl
, ids
);
1565 /* Control has been transferred */
1571 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1573 || !TEST_true(ocsp_client_called
)
1574 || !TEST_true(ocsp_server_called
))
1580 SSL_free(serverssl
);
1581 SSL_free(clientssl
);
1584 sk_OCSP_RESPID_pop_free(ids
, OCSP_RESPID_free
);
1585 OCSP_RESPID_free(id
);
1587 X509_free(ocspcert
);
1594 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1595 static int new_called
, remove_called
, get_called
;
1597 static int new_session_cb(SSL
*ssl
, SSL_SESSION
*sess
)
1601 * sess has been up-refed for us, but we don't actually need it so free it
1604 SSL_SESSION_free(sess
);
1608 static void remove_session_cb(SSL_CTX
*ctx
, SSL_SESSION
*sess
)
1613 static SSL_SESSION
*get_sess_val
= NULL
;
1615 static SSL_SESSION
*get_session_cb(SSL
*ssl
, const unsigned char *id
, int len
,
1620 return get_sess_val
;
1623 static int execute_test_session(int maxprot
, int use_int_cache
,
1624 int use_ext_cache
, long s_options
)
1626 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
1627 SSL
*serverssl1
= NULL
, *clientssl1
= NULL
;
1628 SSL
*serverssl2
= NULL
, *clientssl2
= NULL
;
1629 # ifndef OPENSSL_NO_TLS1_1
1630 SSL
*serverssl3
= NULL
, *clientssl3
= NULL
;
1632 SSL_SESSION
*sess1
= NULL
, *sess2
= NULL
;
1633 int testresult
= 0, numnewsesstick
= 1;
1635 new_called
= remove_called
= 0;
1637 /* TLSv1.3 sends 2 NewSessionTickets */
1638 if (maxprot
== TLS1_3_VERSION
)
1641 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1642 TLS_client_method(), TLS1_VERSION
, 0,
1643 &sctx
, &cctx
, cert
, privkey
)))
1647 * Only allow the max protocol version so we can force a connection failure
1650 SSL_CTX_set_min_proto_version(cctx
, maxprot
);
1651 SSL_CTX_set_max_proto_version(cctx
, maxprot
);
1653 /* Set up session cache */
1654 if (use_ext_cache
) {
1655 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
1656 SSL_CTX_sess_set_remove_cb(cctx
, remove_session_cb
);
1658 if (use_int_cache
) {
1659 /* Also covers instance where both are set */
1660 SSL_CTX_set_session_cache_mode(cctx
, SSL_SESS_CACHE_CLIENT
);
1662 SSL_CTX_set_session_cache_mode(cctx
,
1663 SSL_SESS_CACHE_CLIENT
1664 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
1668 SSL_CTX_set_options(sctx
, s_options
);
1671 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl1
, &clientssl1
,
1673 || !TEST_true(create_ssl_connection(serverssl1
, clientssl1
,
1675 || !TEST_ptr(sess1
= SSL_get1_session(clientssl1
)))
1678 /* Should fail because it should already be in the cache */
1679 if (use_int_cache
&& !TEST_false(SSL_CTX_add_session(cctx
, sess1
)))
1682 && (!TEST_int_eq(new_called
, numnewsesstick
)
1684 || !TEST_int_eq(remove_called
, 0)))
1687 new_called
= remove_called
= 0;
1688 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
1689 &clientssl2
, NULL
, NULL
))
1690 || !TEST_true(SSL_set_session(clientssl2
, sess1
))
1691 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
1693 || !TEST_true(SSL_session_reused(clientssl2
)))
1696 if (maxprot
== TLS1_3_VERSION
) {
1698 * In TLSv1.3 we should have created a new session even though we have
1699 * resumed. Since we attempted a resume we should also have removed the
1700 * old ticket from the cache so that we try to only use tickets once.
1703 && (!TEST_int_eq(new_called
, 1)
1704 || !TEST_int_eq(remove_called
, 1)))
1708 * In TLSv1.2 we expect to have resumed so no sessions added or
1712 && (!TEST_int_eq(new_called
, 0)
1713 || !TEST_int_eq(remove_called
, 0)))
1717 SSL_SESSION_free(sess1
);
1718 if (!TEST_ptr(sess1
= SSL_get1_session(clientssl2
)))
1720 shutdown_ssl_connection(serverssl2
, clientssl2
);
1721 serverssl2
= clientssl2
= NULL
;
1723 new_called
= remove_called
= 0;
1724 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
1725 &clientssl2
, NULL
, NULL
))
1726 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
1730 if (!TEST_ptr(sess2
= SSL_get1_session(clientssl2
)))
1734 && (!TEST_int_eq(new_called
, numnewsesstick
)
1735 || !TEST_int_eq(remove_called
, 0)))
1738 new_called
= remove_called
= 0;
1740 * This should clear sess2 from the cache because it is a "bad" session.
1741 * See SSL_set_session() documentation.
1743 if (!TEST_true(SSL_set_session(clientssl2
, sess1
)))
1746 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
1748 if (!TEST_ptr_eq(SSL_get_session(clientssl2
), sess1
))
1751 if (use_int_cache
) {
1752 /* Should succeeded because it should not already be in the cache */
1753 if (!TEST_true(SSL_CTX_add_session(cctx
, sess2
))
1754 || !TEST_true(SSL_CTX_remove_session(cctx
, sess2
)))
1758 new_called
= remove_called
= 0;
1759 /* This shouldn't be in the cache so should fail */
1760 if (!TEST_false(SSL_CTX_remove_session(cctx
, sess2
)))
1764 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
1767 # if !defined(OPENSSL_NO_TLS1_1)
1768 new_called
= remove_called
= 0;
1769 /* Force a connection failure */
1770 SSL_CTX_set_max_proto_version(sctx
, TLS1_1_VERSION
);
1771 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl3
,
1772 &clientssl3
, NULL
, NULL
))
1773 || !TEST_true(SSL_set_session(clientssl3
, sess1
))
1774 /* This should fail because of the mismatched protocol versions */
1775 || !TEST_false(create_ssl_connection(serverssl3
, clientssl3
,
1779 /* We should have automatically removed the session from the cache */
1781 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
1784 /* Should succeed because it should not already be in the cache */
1785 if (use_int_cache
&& !TEST_true(SSL_CTX_add_session(cctx
, sess2
)))
1789 /* Now do some tests for server side caching */
1790 if (use_ext_cache
) {
1791 SSL_CTX_sess_set_new_cb(cctx
, NULL
);
1792 SSL_CTX_sess_set_remove_cb(cctx
, NULL
);
1793 SSL_CTX_sess_set_new_cb(sctx
, new_session_cb
);
1794 SSL_CTX_sess_set_remove_cb(sctx
, remove_session_cb
);
1795 SSL_CTX_sess_set_get_cb(sctx
, get_session_cb
);
1796 get_sess_val
= NULL
;
1799 SSL_CTX_set_session_cache_mode(cctx
, 0);
1800 /* Internal caching is the default on the server side */
1802 SSL_CTX_set_session_cache_mode(sctx
,
1803 SSL_SESS_CACHE_SERVER
1804 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
1806 SSL_free(serverssl1
);
1807 SSL_free(clientssl1
);
1808 serverssl1
= clientssl1
= NULL
;
1809 SSL_free(serverssl2
);
1810 SSL_free(clientssl2
);
1811 serverssl2
= clientssl2
= NULL
;
1812 SSL_SESSION_free(sess1
);
1814 SSL_SESSION_free(sess2
);
1817 SSL_CTX_set_max_proto_version(sctx
, maxprot
);
1818 if (maxprot
== TLS1_2_VERSION
)
1819 SSL_CTX_set_options(sctx
, SSL_OP_NO_TICKET
);
1820 new_called
= remove_called
= get_called
= 0;
1821 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl1
, &clientssl1
,
1823 || !TEST_true(create_ssl_connection(serverssl1
, clientssl1
,
1825 || !TEST_ptr(sess1
= SSL_get1_session(clientssl1
))
1826 || !TEST_ptr(sess2
= SSL_get1_session(serverssl1
)))
1829 if (use_int_cache
) {
1830 if (maxprot
== TLS1_3_VERSION
&& !use_ext_cache
) {
1832 * In TLSv1.3 it should not have been added to the internal cache,
1833 * except in the case where we also have an external cache (in that
1834 * case it gets added to the cache in order to generate remove
1835 * events after timeout).
1837 if (!TEST_false(SSL_CTX_remove_session(sctx
, sess2
)))
1840 /* Should fail because it should already be in the cache */
1841 if (!TEST_false(SSL_CTX_add_session(sctx
, sess2
)))
1846 if (use_ext_cache
) {
1847 SSL_SESSION
*tmp
= sess2
;
1849 if (!TEST_int_eq(new_called
, numnewsesstick
)
1850 || !TEST_int_eq(remove_called
, 0)
1851 || !TEST_int_eq(get_called
, 0))
1854 * Delete the session from the internal cache to force a lookup from
1855 * the external cache. We take a copy first because
1856 * SSL_CTX_remove_session() also marks the session as non-resumable.
1858 if (use_int_cache
&& maxprot
!= TLS1_3_VERSION
) {
1859 if (!TEST_ptr(tmp
= SSL_SESSION_dup(sess2
))
1860 || !TEST_true(SSL_CTX_remove_session(sctx
, sess2
)))
1862 SSL_SESSION_free(sess2
);
1867 new_called
= remove_called
= get_called
= 0;
1868 get_sess_val
= sess2
;
1869 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
1870 &clientssl2
, NULL
, NULL
))
1871 || !TEST_true(SSL_set_session(clientssl2
, sess1
))
1872 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
1874 || !TEST_true(SSL_session_reused(clientssl2
)))
1877 if (use_ext_cache
) {
1878 if (!TEST_int_eq(remove_called
, 0))
1881 if (maxprot
== TLS1_3_VERSION
) {
1882 if (!TEST_int_eq(new_called
, 1)
1883 || !TEST_int_eq(get_called
, 0))
1886 if (!TEST_int_eq(new_called
, 0)
1887 || !TEST_int_eq(get_called
, 1))
1895 SSL_free(serverssl1
);
1896 SSL_free(clientssl1
);
1897 SSL_free(serverssl2
);
1898 SSL_free(clientssl2
);
1899 # ifndef OPENSSL_NO_TLS1_1
1900 SSL_free(serverssl3
);
1901 SSL_free(clientssl3
);
1903 SSL_SESSION_free(sess1
);
1904 SSL_SESSION_free(sess2
);
1910 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1912 static int test_session_with_only_int_cache(void)
1914 #ifndef OPENSSL_NO_TLS1_3
1915 if (!execute_test_session(TLS1_3_VERSION
, 1, 0, 0))
1919 #ifndef OPENSSL_NO_TLS1_2
1920 return execute_test_session(TLS1_2_VERSION
, 1, 0, 0);
1926 static int test_session_with_only_ext_cache(void)
1928 #ifndef OPENSSL_NO_TLS1_3
1929 if (!execute_test_session(TLS1_3_VERSION
, 0, 1, 0))
1933 #ifndef OPENSSL_NO_TLS1_2
1934 return execute_test_session(TLS1_2_VERSION
, 0, 1, 0);
1940 static int test_session_with_both_cache(void)
1942 #ifndef OPENSSL_NO_TLS1_3
1943 if (!execute_test_session(TLS1_3_VERSION
, 1, 1, 0))
1947 #ifndef OPENSSL_NO_TLS1_2
1948 return execute_test_session(TLS1_2_VERSION
, 1, 1, 0);
1954 static int test_session_wo_ca_names(void)
1956 #ifndef OPENSSL_NO_TLS1_3
1957 if (!execute_test_session(TLS1_3_VERSION
, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES
))
1961 #ifndef OPENSSL_NO_TLS1_2
1962 return execute_test_session(TLS1_2_VERSION
, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES
);
1969 #ifndef OPENSSL_NO_TLS1_3
1970 static SSL_SESSION
*sesscache
[6];
1971 static int do_cache
;
1973 static int new_cachesession_cb(SSL
*ssl
, SSL_SESSION
*sess
)
1976 sesscache
[new_called
] = sess
;
1978 /* We don't need the reference to the session, so free it */
1979 SSL_SESSION_free(sess
);
1986 static int post_handshake_verify(SSL
*sssl
, SSL
*cssl
)
1988 SSL_set_verify(sssl
, SSL_VERIFY_PEER
, NULL
);
1989 if (!TEST_true(SSL_verify_client_post_handshake(sssl
)))
1992 /* Start handshake on the server and client */
1993 if (!TEST_int_eq(SSL_do_handshake(sssl
), 1)
1994 || !TEST_int_le(SSL_read(cssl
, NULL
, 0), 0)
1995 || !TEST_int_le(SSL_read(sssl
, NULL
, 0), 0)
1996 || !TEST_true(create_ssl_connection(sssl
, cssl
,
2003 static int setup_ticket_test(int stateful
, int idx
, SSL_CTX
**sctx
,
2006 int sess_id_ctx
= 1;
2008 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2009 TLS_client_method(), TLS1_VERSION
, 0,
2010 sctx
, cctx
, cert
, privkey
))
2011 || !TEST_true(SSL_CTX_set_num_tickets(*sctx
, idx
))
2012 || !TEST_true(SSL_CTX_set_session_id_context(*sctx
,
2013 (void *)&sess_id_ctx
,
2014 sizeof(sess_id_ctx
))))
2018 SSL_CTX_set_options(*sctx
, SSL_OP_NO_TICKET
);
2020 SSL_CTX_set_session_cache_mode(*cctx
, SSL_SESS_CACHE_CLIENT
2021 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2022 SSL_CTX_sess_set_new_cb(*cctx
, new_cachesession_cb
);
2027 static int check_resumption(int idx
, SSL_CTX
*sctx
, SSL_CTX
*cctx
, int succ
)
2029 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2032 /* Test that we can resume with all the tickets we got given */
2033 for (i
= 0; i
< idx
* 2; i
++) {
2035 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2036 &clientssl
, NULL
, NULL
))
2037 || !TEST_true(SSL_set_session(clientssl
, sesscache
[i
])))
2040 SSL_set_post_handshake_auth(clientssl
, 1);
2042 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2047 * Following a successful resumption we only get 1 ticket. After a
2048 * failed one we should get idx tickets.
2051 if (!TEST_true(SSL_session_reused(clientssl
))
2052 || !TEST_int_eq(new_called
, 1))
2055 if (!TEST_false(SSL_session_reused(clientssl
))
2056 || !TEST_int_eq(new_called
, idx
))
2061 /* After a post-handshake authentication we should get 1 new ticket */
2063 && (!post_handshake_verify(serverssl
, clientssl
)
2064 || !TEST_int_eq(new_called
, 1)))
2067 SSL_shutdown(clientssl
);
2068 SSL_shutdown(serverssl
);
2069 SSL_free(serverssl
);
2070 SSL_free(clientssl
);
2071 serverssl
= clientssl
= NULL
;
2072 SSL_SESSION_free(sesscache
[i
]);
2073 sesscache
[i
] = NULL
;
2079 SSL_free(clientssl
);
2080 SSL_free(serverssl
);
2084 static int test_tickets(int stateful
, int idx
)
2086 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2087 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2091 /* idx is the test number, but also the number of tickets we want */
2096 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2099 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2100 &clientssl
, NULL
, NULL
)))
2103 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2105 /* Check we got the number of tickets we were expecting */
2106 || !TEST_int_eq(idx
, new_called
))
2109 SSL_shutdown(clientssl
);
2110 SSL_shutdown(serverssl
);
2111 SSL_free(serverssl
);
2112 SSL_free(clientssl
);
2115 clientssl
= serverssl
= NULL
;
2119 * Now we try to resume with the tickets we previously created. The
2120 * resumption attempt is expected to fail (because we're now using a new
2121 * SSL_CTX). We should see idx number of tickets issued again.
2124 /* Stop caching sessions - just count them */
2127 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2130 if (!check_resumption(idx
, sctx
, cctx
, 0))
2133 /* Start again with caching sessions */
2140 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2143 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2144 &clientssl
, NULL
, NULL
)))
2147 SSL_set_post_handshake_auth(clientssl
, 1);
2149 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2151 /* Check we got the number of tickets we were expecting */
2152 || !TEST_int_eq(idx
, new_called
))
2155 /* After a post-handshake authentication we should get new tickets issued */
2156 if (!post_handshake_verify(serverssl
, clientssl
)
2157 || !TEST_int_eq(idx
* 2, new_called
))
2160 SSL_shutdown(clientssl
);
2161 SSL_shutdown(serverssl
);
2162 SSL_free(serverssl
);
2163 SSL_free(clientssl
);
2164 serverssl
= clientssl
= NULL
;
2166 /* Stop caching sessions - just count them */
2170 * Check we can resume with all the tickets we created. This time around the
2171 * resumptions should all be successful.
2173 if (!check_resumption(idx
, sctx
, cctx
, 1))
2179 SSL_free(serverssl
);
2180 SSL_free(clientssl
);
2181 for (j
= 0; j
< OSSL_NELEM(sesscache
); j
++) {
2182 SSL_SESSION_free(sesscache
[j
]);
2183 sesscache
[j
] = NULL
;
2191 static int test_stateless_tickets(int idx
)
2193 return test_tickets(0, idx
);
2196 static int test_stateful_tickets(int idx
)
2198 return test_tickets(1, idx
);
2201 static int test_psk_tickets(void)
2203 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2204 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2206 int sess_id_ctx
= 1;
2208 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2209 TLS_client_method(), TLS1_VERSION
, 0,
2210 &sctx
, &cctx
, NULL
, NULL
))
2211 || !TEST_true(SSL_CTX_set_session_id_context(sctx
,
2212 (void *)&sess_id_ctx
,
2213 sizeof(sess_id_ctx
))))
2216 SSL_CTX_set_session_cache_mode(cctx
, SSL_SESS_CACHE_CLIENT
2217 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2218 SSL_CTX_set_psk_use_session_callback(cctx
, use_session_cb
);
2219 SSL_CTX_set_psk_find_session_callback(sctx
, find_session_cb
);
2220 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
2221 use_session_cb_cnt
= 0;
2222 find_session_cb_cnt
= 0;
2226 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2229 clientpsk
= serverpsk
= create_a_psk(clientssl
);
2230 if (!TEST_ptr(clientpsk
))
2232 SSL_SESSION_up_ref(clientpsk
);
2234 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2236 || !TEST_int_eq(1, find_session_cb_cnt
)
2237 || !TEST_int_eq(1, use_session_cb_cnt
)
2238 /* We should always get 1 ticket when using external PSK */
2239 || !TEST_int_eq(1, new_called
))
2245 SSL_free(serverssl
);
2246 SSL_free(clientssl
);
2249 SSL_SESSION_free(clientpsk
);
2250 SSL_SESSION_free(serverpsk
);
2251 clientpsk
= serverpsk
= NULL
;
2256 static int test_extra_tickets(int idx
)
2258 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2259 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2260 BIO
*bretry
= BIO_new(bio_s_always_retry());
2265 unsigned char c
, buf
[1];
2275 if (!TEST_ptr(bretry
) || !setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2277 SSL_CTX_sess_set_new_cb(sctx
, new_session_cb
);
2278 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2279 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
2281 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2282 &clientssl
, NULL
, NULL
)))
2286 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2287 * incremented by both client and server.
2289 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2291 /* Check we got the number of tickets we were expecting */
2292 || !TEST_int_eq(idx
* 2, new_called
)
2293 || !TEST_true(SSL_new_session_ticket(serverssl
))
2294 || !TEST_true(SSL_new_session_ticket(serverssl
))
2295 || !TEST_int_eq(idx
* 2, new_called
))
2298 /* Now try a (real) write to actually send the tickets */
2300 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2301 || !TEST_size_t_eq(1, nbytes
)
2302 || !TEST_int_eq(idx
* 2 + 2, new_called
)
2303 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2304 || !TEST_int_eq(idx
* 2 + 4, new_called
)
2305 || !TEST_int_eq(sizeof(buf
), nbytes
)
2306 || !TEST_int_eq(c
, buf
[0])
2307 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2310 /* Try with only requesting one new ticket, too */
2313 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2314 || !TEST_true(SSL_write_ex(serverssl
, &c
, sizeof(c
), &nbytes
))
2315 || !TEST_size_t_eq(sizeof(c
), nbytes
)
2316 || !TEST_int_eq(1, new_called
)
2317 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2318 || !TEST_int_eq(2, new_called
)
2319 || !TEST_size_t_eq(sizeof(buf
), nbytes
)
2320 || !TEST_int_eq(c
, buf
[0]))
2323 /* Do it again but use dummy writes to drive the ticket generation */
2326 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2327 || !TEST_true(SSL_new_session_ticket(serverssl
))
2328 || !TEST_true(SSL_write_ex(serverssl
, &c
, 0, &nbytes
))
2329 || !TEST_size_t_eq(0, nbytes
)
2330 || !TEST_int_eq(2, new_called
)
2331 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2332 || !TEST_int_eq(4, new_called
))
2336 * Use the always-retry BIO to exercise the logic that forces ticket
2337 * generation to wait until a record boundary.
2341 tmp
= SSL_get_wbio(serverssl
);
2342 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
2346 SSL_set0_wbio(serverssl
, bretry
);
2348 if (!TEST_false(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2349 || !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_WANT_WRITE
)
2350 || !TEST_size_t_eq(nbytes
, 0))
2352 /* Restore a BIO that will let the write succeed */
2353 SSL_set0_wbio(serverssl
, tmp
);
2355 /* These calls should just queue the request and not send anything. */
2356 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2357 || !TEST_true(SSL_new_session_ticket(serverssl
))
2358 || !TEST_int_eq(0, new_called
))
2360 /* Re-do the write; still no tickets sent */
2361 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2362 || !TEST_size_t_eq(1, nbytes
)
2363 || !TEST_int_eq(0, new_called
)
2364 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2365 || !TEST_int_eq(0, new_called
)
2366 || !TEST_int_eq(sizeof(buf
), nbytes
)
2367 || !TEST_int_eq(c
, buf
[0])
2368 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2370 /* Now the *next* write should send the tickets */
2372 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2373 || !TEST_size_t_eq(1, nbytes
)
2374 || !TEST_int_eq(2, new_called
)
2375 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2376 || !TEST_int_eq(4, new_called
)
2377 || !TEST_int_eq(sizeof(buf
), nbytes
)
2378 || !TEST_int_eq(c
, buf
[0])
2379 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2382 SSL_shutdown(clientssl
);
2383 SSL_shutdown(serverssl
);
2389 SSL_free(serverssl
);
2390 SSL_free(clientssl
);
2393 clientssl
= serverssl
= NULL
;
2402 #define USE_DEFAULT 3
2404 #define CONNTYPE_CONNECTION_SUCCESS 0
2405 #define CONNTYPE_CONNECTION_FAIL 1
2406 #define CONNTYPE_NO_CONNECTION 2
2408 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2409 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2410 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2411 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2413 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2416 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2417 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2418 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2420 static void setupbio(BIO
**res
, BIO
*bio1
, BIO
*bio2
, int type
)
2437 * Tests calls to SSL_set_bio() under various conditions.
2439 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2440 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2441 * then do more tests where we create a successful connection first using our
2442 * standard connection setup functions, and then call SSL_set_bio() with
2443 * various combinations of valid BIOs or NULL. We then repeat these tests
2444 * following a failed connection. In this last case we are looking to check that
2445 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2447 static int test_ssl_set_bio(int idx
)
2449 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2452 BIO
*irbio
= NULL
, *iwbio
= NULL
, *nrbio
= NULL
, *nwbio
= NULL
;
2453 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2454 int initrbio
, initwbio
, newrbio
, newwbio
, conntype
;
2457 if (idx
< TOTAL_NO_CONN_SSL_SET_BIO_TESTS
) {
2465 conntype
= CONNTYPE_NO_CONNECTION
;
2467 idx
-= TOTAL_NO_CONN_SSL_SET_BIO_TESTS
;
2468 initrbio
= initwbio
= USE_DEFAULT
;
2476 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2477 TLS_client_method(), TLS1_VERSION
, 0,
2478 &sctx
, &cctx
, cert
, privkey
)))
2481 if (conntype
== CONNTYPE_CONNECTION_FAIL
) {
2483 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2484 * because we reduced the number of tests in the definition of
2485 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2486 * mismatched protocol versions we will force a connection failure.
2488 SSL_CTX_set_min_proto_version(sctx
, TLS1_3_VERSION
);
2489 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
2492 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2496 if (initrbio
== USE_BIO_1
2497 || initwbio
== USE_BIO_1
2498 || newrbio
== USE_BIO_1
2499 || newwbio
== USE_BIO_1
) {
2500 if (!TEST_ptr(bio1
= BIO_new(BIO_s_mem())))
2504 if (initrbio
== USE_BIO_2
2505 || initwbio
== USE_BIO_2
2506 || newrbio
== USE_BIO_2
2507 || newwbio
== USE_BIO_2
) {
2508 if (!TEST_ptr(bio2
= BIO_new(BIO_s_mem())))
2512 if (initrbio
!= USE_DEFAULT
) {
2513 setupbio(&irbio
, bio1
, bio2
, initrbio
);
2514 setupbio(&iwbio
, bio1
, bio2
, initwbio
);
2515 SSL_set_bio(clientssl
, irbio
, iwbio
);
2518 * We want to maintain our own refs to these BIO, so do an up ref for
2519 * each BIO that will have ownership transferred in the SSL_set_bio()
2524 if (iwbio
!= NULL
&& iwbio
!= irbio
)
2528 if (conntype
!= CONNTYPE_NO_CONNECTION
2529 && !TEST_true(create_ssl_connection(serverssl
, clientssl
,
2531 == (conntype
== CONNTYPE_CONNECTION_SUCCESS
)))
2534 setupbio(&nrbio
, bio1
, bio2
, newrbio
);
2535 setupbio(&nwbio
, bio1
, bio2
, newwbio
);
2538 * We will (maybe) transfer ownership again so do more up refs.
2539 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2544 && (nwbio
!= iwbio
|| nrbio
!= nwbio
))
2548 && (nwbio
!= iwbio
|| (nwbio
== iwbio
&& irbio
== iwbio
)))
2551 SSL_set_bio(clientssl
, nrbio
, nwbio
);
2560 * This test is checking that the ref counting for SSL_set_bio is correct.
2561 * If we get here and we did too many frees then we will fail in the above
2564 SSL_free(serverssl
);
2565 SSL_free(clientssl
);
2571 typedef enum { NO_BIO_CHANGE
, CHANGE_RBIO
, CHANGE_WBIO
} bio_change_t
;
2573 static int execute_test_ssl_bio(int pop_ssl
, bio_change_t change_bio
)
2575 BIO
*sslbio
= NULL
, *membio1
= NULL
, *membio2
= NULL
;
2580 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method()))
2581 || !TEST_ptr(ssl
= SSL_new(ctx
))
2582 || !TEST_ptr(sslbio
= BIO_new(BIO_f_ssl()))
2583 || !TEST_ptr(membio1
= BIO_new(BIO_s_mem())))
2586 BIO_set_ssl(sslbio
, ssl
, BIO_CLOSE
);
2589 * If anything goes wrong here then we could leak memory.
2591 BIO_push(sslbio
, membio1
);
2593 /* Verify changing the rbio/wbio directly does not cause leaks */
2594 if (change_bio
!= NO_BIO_CHANGE
) {
2595 if (!TEST_ptr(membio2
= BIO_new(BIO_s_mem())))
2597 if (change_bio
== CHANGE_RBIO
)
2598 SSL_set0_rbio(ssl
, membio2
);
2600 SSL_set0_wbio(ssl
, membio2
);
2619 static int test_ssl_bio_pop_next_bio(void)
2621 return execute_test_ssl_bio(0, NO_BIO_CHANGE
);
2624 static int test_ssl_bio_pop_ssl_bio(void)
2626 return execute_test_ssl_bio(1, NO_BIO_CHANGE
);
2629 static int test_ssl_bio_change_rbio(void)
2631 return execute_test_ssl_bio(0, CHANGE_RBIO
);
2634 static int test_ssl_bio_change_wbio(void)
2636 return execute_test_ssl_bio(0, CHANGE_WBIO
);
2639 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2641 /* The list of sig algs */
2643 /* The length of the list */
2645 /* A sigalgs list in string format */
2646 const char *liststr
;
2647 /* Whether setting the list should succeed */
2649 /* Whether creating a connection with the list should succeed */
2653 static const int validlist1
[] = {NID_sha256
, EVP_PKEY_RSA
};
2654 # ifndef OPENSSL_NO_EC
2655 static const int validlist2
[] = {NID_sha256
, EVP_PKEY_RSA
, NID_sha512
, EVP_PKEY_EC
};
2656 static const int validlist3
[] = {NID_sha512
, EVP_PKEY_EC
};
2658 static const int invalidlist1
[] = {NID_undef
, EVP_PKEY_RSA
};
2659 static const int invalidlist2
[] = {NID_sha256
, NID_undef
};
2660 static const int invalidlist3
[] = {NID_sha256
, EVP_PKEY_RSA
, NID_sha256
};
2661 static const int invalidlist4
[] = {NID_sha256
};
2662 static const sigalgs_list testsigalgs
[] = {
2663 {validlist1
, OSSL_NELEM(validlist1
), NULL
, 1, 1},
2664 # ifndef OPENSSL_NO_EC
2665 {validlist2
, OSSL_NELEM(validlist2
), NULL
, 1, 1},
2666 {validlist3
, OSSL_NELEM(validlist3
), NULL
, 1, 0},
2668 {NULL
, 0, "RSA+SHA256", 1, 1},
2669 # ifndef OPENSSL_NO_EC
2670 {NULL
, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2671 {NULL
, 0, "ECDSA+SHA512", 1, 0},
2673 {invalidlist1
, OSSL_NELEM(invalidlist1
), NULL
, 0, 0},
2674 {invalidlist2
, OSSL_NELEM(invalidlist2
), NULL
, 0, 0},
2675 {invalidlist3
, OSSL_NELEM(invalidlist3
), NULL
, 0, 0},
2676 {invalidlist4
, OSSL_NELEM(invalidlist4
), NULL
, 0, 0},
2677 {NULL
, 0, "RSA", 0, 0},
2678 {NULL
, 0, "SHA256", 0, 0},
2679 {NULL
, 0, "RSA+SHA256:SHA256", 0, 0},
2680 {NULL
, 0, "Invalid", 0, 0}
2683 static int test_set_sigalgs(int idx
)
2685 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
2686 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
2688 const sigalgs_list
*curr
;
2691 /* Should never happen */
2692 if (!TEST_size_t_le((size_t)idx
, OSSL_NELEM(testsigalgs
) * 2))
2695 testctx
= ((size_t)idx
< OSSL_NELEM(testsigalgs
));
2696 curr
= testctx
? &testsigalgs
[idx
]
2697 : &testsigalgs
[idx
- OSSL_NELEM(testsigalgs
)];
2699 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2700 TLS_client_method(), TLS1_VERSION
, 0,
2701 &sctx
, &cctx
, cert
, privkey
)))
2705 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2706 * for TLSv1.2 for now until we add a new API.
2708 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
2713 if (curr
->list
!= NULL
)
2714 ret
= SSL_CTX_set1_sigalgs(cctx
, curr
->list
, curr
->listlen
);
2716 ret
= SSL_CTX_set1_sigalgs_list(cctx
, curr
->liststr
);
2720 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx
);
2726 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx
);
2731 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2732 &clientssl
, NULL
, NULL
)))
2738 if (curr
->list
!= NULL
)
2739 ret
= SSL_set1_sigalgs(clientssl
, curr
->list
, curr
->listlen
);
2741 ret
= SSL_set1_sigalgs_list(clientssl
, curr
->liststr
);
2744 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx
);
2753 if (!TEST_int_eq(create_ssl_connection(serverssl
, clientssl
,
2761 SSL_free(serverssl
);
2762 SSL_free(clientssl
);
2770 #ifndef OPENSSL_NO_TLS1_3
2771 static int psk_client_cb_cnt
= 0;
2772 static int psk_server_cb_cnt
= 0;
2774 static int use_session_cb(SSL
*ssl
, const EVP_MD
*md
, const unsigned char **id
,
2775 size_t *idlen
, SSL_SESSION
**sess
)
2777 switch (++use_session_cb_cnt
) {
2779 /* The first call should always have a NULL md */
2785 /* The second call should always have an md */
2791 /* We should only be called a maximum of twice */
2795 if (clientpsk
!= NULL
)
2796 SSL_SESSION_up_ref(clientpsk
);
2799 *id
= (const unsigned char *)pskid
;
2800 *idlen
= strlen(pskid
);
2805 #ifndef OPENSSL_NO_PSK
2806 static unsigned int psk_client_cb(SSL
*ssl
, const char *hint
, char *id
,
2807 unsigned int max_id_len
,
2809 unsigned int max_psk_len
)
2811 unsigned int psklen
= 0;
2813 psk_client_cb_cnt
++;
2815 if (strlen(pskid
) + 1 > max_id_len
)
2818 /* We should only ever be called a maximum of twice per connection */
2819 if (psk_client_cb_cnt
> 2)
2822 if (clientpsk
== NULL
)
2825 /* We'll reuse the PSK we set up for TLSv1.3 */
2826 if (SSL_SESSION_get_master_key(clientpsk
, NULL
, 0) > max_psk_len
)
2828 psklen
= SSL_SESSION_get_master_key(clientpsk
, psk
, max_psk_len
);
2829 strncpy(id
, pskid
, max_id_len
);
2833 #endif /* OPENSSL_NO_PSK */
2835 static int find_session_cb(SSL
*ssl
, const unsigned char *identity
,
2836 size_t identity_len
, SSL_SESSION
**sess
)
2838 find_session_cb_cnt
++;
2840 /* We should only ever be called a maximum of twice per connection */
2841 if (find_session_cb_cnt
> 2)
2844 if (serverpsk
== NULL
)
2847 /* Identity should match that set by the client */
2848 if (strlen(srvid
) != identity_len
2849 || strncmp(srvid
, (const char *)identity
, identity_len
) != 0) {
2850 /* No PSK found, continue but without a PSK */
2855 SSL_SESSION_up_ref(serverpsk
);
2861 #ifndef OPENSSL_NO_PSK
2862 static unsigned int psk_server_cb(SSL
*ssl
, const char *identity
,
2863 unsigned char *psk
, unsigned int max_psk_len
)
2865 unsigned int psklen
= 0;
2867 psk_server_cb_cnt
++;
2869 /* We should only ever be called a maximum of twice per connection */
2870 if (find_session_cb_cnt
> 2)
2873 if (serverpsk
== NULL
)
2876 /* Identity should match that set by the client */
2877 if (strcmp(srvid
, identity
) != 0) {
2881 /* We'll reuse the PSK we set up for TLSv1.3 */
2882 if (SSL_SESSION_get_master_key(serverpsk
, NULL
, 0) > max_psk_len
)
2884 psklen
= SSL_SESSION_get_master_key(serverpsk
, psk
, max_psk_len
);
2888 #endif /* OPENSSL_NO_PSK */
2890 #define MSG1 "Hello"
2891 #define MSG2 "World."
2896 #define MSG7 "message."
2898 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2899 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2900 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2901 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2902 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
2905 static SSL_SESSION
*create_a_psk(SSL
*ssl
)
2907 const SSL_CIPHER
*cipher
= NULL
;
2908 const unsigned char key
[] = {
2909 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2910 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2911 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2912 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2913 0x2c, 0x2d, 0x2e, 0x2f
2915 SSL_SESSION
*sess
= NULL
;
2917 cipher
= SSL_CIPHER_find(ssl
, TLS13_AES_256_GCM_SHA384_BYTES
);
2918 sess
= SSL_SESSION_new();
2920 || !TEST_ptr(cipher
)
2921 || !TEST_true(SSL_SESSION_set1_master_key(sess
, key
,
2923 || !TEST_true(SSL_SESSION_set_cipher(sess
, cipher
))
2925 SSL_SESSION_set_protocol_version(sess
,
2927 SSL_SESSION_free(sess
);
2934 * Helper method to setup objects for early data test. Caller frees objects on
2937 static int setupearly_data_test(SSL_CTX
**cctx
, SSL_CTX
**sctx
, SSL
**clientssl
,
2938 SSL
**serverssl
, SSL_SESSION
**sess
, int idx
)
2941 && !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2942 TLS_client_method(),
2944 sctx
, cctx
, cert
, privkey
)))
2947 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx
, SSL3_RT_MAX_PLAIN_LENGTH
)))
2951 /* When idx == 1 we repeat the tests with read_ahead set */
2952 SSL_CTX_set_read_ahead(*cctx
, 1);
2953 SSL_CTX_set_read_ahead(*sctx
, 1);
2954 } else if (idx
== 2) {
2955 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2956 SSL_CTX_set_psk_use_session_callback(*cctx
, use_session_cb
);
2957 SSL_CTX_set_psk_find_session_callback(*sctx
, find_session_cb
);
2958 use_session_cb_cnt
= 0;
2959 find_session_cb_cnt
= 0;
2963 if (!TEST_true(create_ssl_objects(*sctx
, *cctx
, serverssl
, clientssl
,
2968 * For one of the run throughs (doesn't matter which one), we'll try sending
2969 * some SNI data in the initial ClientHello. This will be ignored (because
2970 * there is no SNI cb set up by the server), so it should not impact
2974 && !TEST_true(SSL_set_tlsext_host_name(*clientssl
, "localhost")))
2978 clientpsk
= create_a_psk(*clientssl
);
2979 if (!TEST_ptr(clientpsk
)
2981 * We just choose an arbitrary value for max_early_data which
2982 * should be big enough for testing purposes.
2984 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk
,
2986 || !TEST_true(SSL_SESSION_up_ref(clientpsk
))) {
2987 SSL_SESSION_free(clientpsk
);
2991 serverpsk
= clientpsk
;
2994 if (!TEST_true(SSL_SESSION_up_ref(clientpsk
))) {
2995 SSL_SESSION_free(clientpsk
);
2996 SSL_SESSION_free(serverpsk
);
2997 clientpsk
= serverpsk
= NULL
;
3008 if (!TEST_true(create_ssl_connection(*serverssl
, *clientssl
,
3012 *sess
= SSL_get1_session(*clientssl
);
3013 SSL_shutdown(*clientssl
);
3014 SSL_shutdown(*serverssl
);
3015 SSL_free(*serverssl
);
3016 SSL_free(*clientssl
);
3017 *serverssl
= *clientssl
= NULL
;
3019 if (!TEST_true(create_ssl_objects(*sctx
, *cctx
, serverssl
,
3020 clientssl
, NULL
, NULL
))
3021 || !TEST_true(SSL_set_session(*clientssl
, *sess
)))
3027 static int test_early_data_read_write(int idx
)
3029 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3030 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3032 SSL_SESSION
*sess
= NULL
;
3033 unsigned char buf
[20], data
[1024];
3034 size_t readbytes
, written
, eoedlen
, rawread
, rawwritten
;
3037 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3038 &serverssl
, &sess
, idx
)))
3041 /* Write and read some early data */
3042 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3044 || !TEST_size_t_eq(written
, strlen(MSG1
))
3045 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
,
3046 sizeof(buf
), &readbytes
),
3047 SSL_READ_EARLY_DATA_SUCCESS
)
3048 || !TEST_mem_eq(MSG1
, readbytes
, buf
, strlen(MSG1
))
3049 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3050 SSL_EARLY_DATA_ACCEPTED
))
3054 * Server should be able to write data, and client should be able to
3057 if (!TEST_true(SSL_write_early_data(serverssl
, MSG2
, strlen(MSG2
),
3059 || !TEST_size_t_eq(written
, strlen(MSG2
))
3060 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3061 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3064 /* Even after reading normal data, client should be able write early data */
3065 if (!TEST_true(SSL_write_early_data(clientssl
, MSG3
, strlen(MSG3
),
3067 || !TEST_size_t_eq(written
, strlen(MSG3
)))
3070 /* Server should still be able read early data after writing data */
3071 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3073 SSL_READ_EARLY_DATA_SUCCESS
)
3074 || !TEST_mem_eq(buf
, readbytes
, MSG3
, strlen(MSG3
)))
3077 /* Write more data from server and read it from client */
3078 if (!TEST_true(SSL_write_early_data(serverssl
, MSG4
, strlen(MSG4
),
3080 || !TEST_size_t_eq(written
, strlen(MSG4
))
3081 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3082 || !TEST_mem_eq(buf
, readbytes
, MSG4
, strlen(MSG4
)))
3086 * If client writes normal data it should mean writing early data is no
3089 if (!TEST_true(SSL_write_ex(clientssl
, MSG5
, strlen(MSG5
), &written
))
3090 || !TEST_size_t_eq(written
, strlen(MSG5
))
3091 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3092 SSL_EARLY_DATA_ACCEPTED
))
3096 * At this point the client has written EndOfEarlyData, ClientFinished and
3097 * normal (fully protected) data. We are going to cause a delay between the
3098 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3099 * in the read BIO, and then just put back the EndOfEarlyData message.
3101 rbio
= SSL_get_rbio(serverssl
);
3102 if (!TEST_true(BIO_read_ex(rbio
, data
, sizeof(data
), &rawread
))
3103 || !TEST_size_t_lt(rawread
, sizeof(data
))
3104 || !TEST_size_t_gt(rawread
, SSL3_RT_HEADER_LENGTH
))
3107 /* Record length is in the 4th and 5th bytes of the record header */
3108 eoedlen
= SSL3_RT_HEADER_LENGTH
+ (data
[3] << 8 | data
[4]);
3109 if (!TEST_true(BIO_write_ex(rbio
, data
, eoedlen
, &rawwritten
))
3110 || !TEST_size_t_eq(rawwritten
, eoedlen
))
3113 /* Server should be told that there is no more early data */
3114 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3116 SSL_READ_EARLY_DATA_FINISH
)
3117 || !TEST_size_t_eq(readbytes
, 0))
3121 * Server has not finished init yet, so should still be able to write early
3124 if (!TEST_true(SSL_write_early_data(serverssl
, MSG6
, strlen(MSG6
),
3126 || !TEST_size_t_eq(written
, strlen(MSG6
)))
3129 /* Push the ClientFinished and the normal data back into the server rbio */
3130 if (!TEST_true(BIO_write_ex(rbio
, data
+ eoedlen
, rawread
- eoedlen
,
3132 || !TEST_size_t_eq(rawwritten
, rawread
- eoedlen
))
3135 /* Server should be able to read normal data */
3136 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3137 || !TEST_size_t_eq(readbytes
, strlen(MSG5
)))
3140 /* Client and server should not be able to write/read early data now */
3141 if (!TEST_false(SSL_write_early_data(clientssl
, MSG6
, strlen(MSG6
),
3145 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3147 SSL_READ_EARLY_DATA_ERROR
))
3151 /* Client should be able to read the data sent by the server */
3152 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3153 || !TEST_mem_eq(buf
, readbytes
, MSG6
, strlen(MSG6
)))
3157 * Make sure we process the two NewSessionTickets. These arrive
3158 * post-handshake. We attempt reads which we do not expect to return any
3161 if (!TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3162 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
3166 /* Server should be able to write normal data */
3167 if (!TEST_true(SSL_write_ex(serverssl
, MSG7
, strlen(MSG7
), &written
))
3168 || !TEST_size_t_eq(written
, strlen(MSG7
))
3169 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3170 || !TEST_mem_eq(buf
, readbytes
, MSG7
, strlen(MSG7
)))
3173 SSL_SESSION_free(sess
);
3174 sess
= SSL_get1_session(clientssl
);
3175 use_session_cb_cnt
= 0;
3176 find_session_cb_cnt
= 0;
3178 SSL_shutdown(clientssl
);
3179 SSL_shutdown(serverssl
);
3180 SSL_free(serverssl
);
3181 SSL_free(clientssl
);
3182 serverssl
= clientssl
= NULL
;
3183 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3184 &clientssl
, NULL
, NULL
))
3185 || !TEST_true(SSL_set_session(clientssl
, sess
)))
3188 /* Write and read some early data */
3189 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3191 || !TEST_size_t_eq(written
, strlen(MSG1
))
3192 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3194 SSL_READ_EARLY_DATA_SUCCESS
)
3195 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
)))
3198 if (!TEST_int_gt(SSL_connect(clientssl
), 0)
3199 || !TEST_int_gt(SSL_accept(serverssl
), 0))
3202 /* Client and server should not be able to write/read early data now */
3203 if (!TEST_false(SSL_write_early_data(clientssl
, MSG6
, strlen(MSG6
),
3207 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3209 SSL_READ_EARLY_DATA_ERROR
))
3213 /* Client and server should be able to write/read normal data */
3214 if (!TEST_true(SSL_write_ex(clientssl
, MSG5
, strlen(MSG5
), &written
))
3215 || !TEST_size_t_eq(written
, strlen(MSG5
))
3216 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3217 || !TEST_size_t_eq(readbytes
, strlen(MSG5
)))
3223 SSL_SESSION_free(sess
);
3224 SSL_SESSION_free(clientpsk
);
3225 SSL_SESSION_free(serverpsk
);
3226 clientpsk
= serverpsk
= NULL
;
3227 SSL_free(serverssl
);
3228 SSL_free(clientssl
);
3234 static int allow_ed_cb_called
= 0;
3236 static int allow_early_data_cb(SSL
*s
, void *arg
)
3238 int *usecb
= (int *)arg
;
3240 allow_ed_cb_called
++;
3249 * idx == 0: Standard early_data setup
3250 * idx == 1: early_data setup using read_ahead
3251 * usecb == 0: Don't use a custom early data callback
3252 * usecb == 1: Use a custom early data callback and reject the early data
3253 * usecb == 2: Use a custom early data callback and accept the early data
3254 * confopt == 0: Configure anti-replay directly
3255 * confopt == 1: Configure anti-replay using SSL_CONF
3257 static int test_early_data_replay_int(int idx
, int usecb
, int confopt
)
3259 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3260 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3262 SSL_SESSION
*sess
= NULL
;
3263 size_t readbytes
, written
;
3264 unsigned char buf
[20];
3266 allow_ed_cb_called
= 0;
3268 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
3269 TLS_client_method(), TLS1_VERSION
, 0,
3270 &sctx
, &cctx
, cert
, privkey
)))
3275 SSL_CTX_set_options(sctx
, SSL_OP_NO_ANTI_REPLAY
);
3277 SSL_CONF_CTX
*confctx
= SSL_CONF_CTX_new();
3279 if (!TEST_ptr(confctx
))
3281 SSL_CONF_CTX_set_flags(confctx
, SSL_CONF_FLAG_FILE
3282 | SSL_CONF_FLAG_SERVER
);
3283 SSL_CONF_CTX_set_ssl_ctx(confctx
, sctx
);
3284 if (!TEST_int_eq(SSL_CONF_cmd(confctx
, "Options", "-AntiReplay"),
3286 SSL_CONF_CTX_free(confctx
);
3289 SSL_CONF_CTX_free(confctx
);
3291 SSL_CTX_set_allow_early_data_cb(sctx
, allow_early_data_cb
, &usecb
);
3294 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3295 &serverssl
, &sess
, idx
)))
3299 * The server is configured to accept early data. Create a connection to
3300 * "use up" the ticket
3302 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
3303 || !TEST_true(SSL_session_reused(clientssl
)))
3306 SSL_shutdown(clientssl
);
3307 SSL_shutdown(serverssl
);
3308 SSL_free(serverssl
);
3309 SSL_free(clientssl
);
3310 serverssl
= clientssl
= NULL
;
3312 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3313 &clientssl
, NULL
, NULL
))
3314 || !TEST_true(SSL_set_session(clientssl
, sess
)))
3317 /* Write and read some early data */
3318 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3320 || !TEST_size_t_eq(written
, strlen(MSG1
)))
3324 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3326 SSL_READ_EARLY_DATA_FINISH
)
3328 * The ticket was reused, so the we should have rejected the
3331 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3332 SSL_EARLY_DATA_REJECTED
))
3335 /* In this case the callback decides to accept the early data */
3336 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3338 SSL_READ_EARLY_DATA_SUCCESS
)
3339 || !TEST_mem_eq(MSG1
, strlen(MSG1
), buf
, readbytes
)
3341 * Server will have sent its flight so client can now send
3342 * end of early data and complete its half of the handshake
3344 || !TEST_int_gt(SSL_connect(clientssl
), 0)
3345 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3347 SSL_READ_EARLY_DATA_FINISH
)
3348 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3349 SSL_EARLY_DATA_ACCEPTED
))
3353 /* Complete the connection */
3354 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
3355 || !TEST_int_eq(SSL_session_reused(clientssl
), (usecb
> 0) ? 1 : 0)
3356 || !TEST_int_eq(allow_ed_cb_called
, usecb
> 0 ? 1 : 0))
3362 SSL_SESSION_free(sess
);
3363 SSL_SESSION_free(clientpsk
);
3364 SSL_SESSION_free(serverpsk
);
3365 clientpsk
= serverpsk
= NULL
;
3366 SSL_free(serverssl
);
3367 SSL_free(clientssl
);
3373 static int test_early_data_replay(int idx
)
3375 int ret
= 1, usecb
, confopt
;
3377 for (usecb
= 0; usecb
< 3; usecb
++) {
3378 for (confopt
= 0; confopt
< 2; confopt
++)
3379 ret
&= test_early_data_replay_int(idx
, usecb
, confopt
);
3386 * Helper function to test that a server attempting to read early data can
3387 * handle a connection from a client where the early data should be skipped.
3388 * testtype: 0 == No HRR
3389 * testtype: 1 == HRR
3390 * testtype: 2 == HRR, invalid early_data sent after HRR
3391 * testtype: 3 == recv_max_early_data set to 0
3393 static int early_data_skip_helper(int testtype
, int idx
)
3395 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3396 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3398 SSL_SESSION
*sess
= NULL
;
3399 unsigned char buf
[20];
3400 size_t readbytes
, written
;
3402 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3403 &serverssl
, &sess
, idx
)))
3406 if (testtype
== 1 || testtype
== 2) {
3407 /* Force an HRR to occur */
3408 #if defined(OPENSSL_NO_EC)
3409 if (!TEST_true(SSL_set1_groups_list(serverssl
, "ffdhe3072")))
3412 if (!TEST_true(SSL_set1_groups_list(serverssl
, "P-256")))
3415 } else if (idx
== 2) {
3417 * We force early_data rejection by ensuring the PSK identity is
3420 srvid
= "Dummy Identity";
3423 * Deliberately corrupt the creation time. We take 20 seconds off the
3424 * time. It could be any value as long as it is not within tolerance.
3425 * This should mean the ticket is rejected.
3427 if (!TEST_true(SSL_SESSION_set_time(sess
, (long)(time(NULL
) - 20))))
3432 && !TEST_true(SSL_set_recv_max_early_data(serverssl
, 0)))
3435 /* Write some early data */
3436 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3438 || !TEST_size_t_eq(written
, strlen(MSG1
)))
3441 /* Server should reject the early data */
3442 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3444 SSL_READ_EARLY_DATA_FINISH
)
3445 || !TEST_size_t_eq(readbytes
, 0)
3446 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3447 SSL_EARLY_DATA_REJECTED
))
3457 * Finish off the handshake. We perform the same writes and reads as
3458 * further down but we expect them to fail due to the incomplete
3461 if (!TEST_false(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
3462 || !TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
),
3469 BIO
*wbio
= SSL_get_wbio(clientssl
);
3470 /* A record that will appear as bad early_data */
3471 const unsigned char bad_early_data
[] = {
3472 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3476 * We force the client to attempt a write. This will fail because
3477 * we're still in the handshake. It will cause the second
3478 * ClientHello to be sent.
3480 if (!TEST_false(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
),
3485 * Inject some early_data after the second ClientHello. This should
3486 * cause the server to fail
3488 if (!TEST_true(BIO_write_ex(wbio
, bad_early_data
,
3489 sizeof(bad_early_data
), &written
)))
3496 * This client has sent more early_data than we are willing to skip
3497 * (case 3) or sent invalid early_data (case 2) so the connection should
3500 if (!TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3501 || !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_SSL
))
3504 /* Connection has failed - nothing more to do */
3509 TEST_error("Invalid test type");
3514 * Should be able to send normal data despite rejection of early data. The
3515 * early_data should be skipped.
3517 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
3518 || !TEST_size_t_eq(written
, strlen(MSG2
))
3519 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3520 SSL_EARLY_DATA_REJECTED
)
3521 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3522 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3528 SSL_SESSION_free(clientpsk
);
3529 SSL_SESSION_free(serverpsk
);
3530 clientpsk
= serverpsk
= NULL
;
3531 SSL_SESSION_free(sess
);
3532 SSL_free(serverssl
);
3533 SSL_free(clientssl
);
3540 * Test that a server attempting to read early data can handle a connection
3541 * from a client where the early data is not acceptable.
3543 static int test_early_data_skip(int idx
)
3545 return early_data_skip_helper(0, idx
);
3549 * Test that a server attempting to read early data can handle a connection
3550 * from a client where an HRR occurs.
3552 static int test_early_data_skip_hrr(int idx
)
3554 return early_data_skip_helper(1, idx
);
3558 * Test that a server attempting to read early data can handle a connection
3559 * from a client where an HRR occurs and correctly fails if early_data is sent
3562 static int test_early_data_skip_hrr_fail(int idx
)
3564 return early_data_skip_helper(2, idx
);
3568 * Test that a server attempting to read early data will abort if it tries to
3569 * skip over too much.
3571 static int test_early_data_skip_abort(int idx
)
3573 return early_data_skip_helper(3, idx
);
3577 * Test that a server attempting to read early data can handle a connection
3578 * from a client that doesn't send any.
3580 static int test_early_data_not_sent(int idx
)
3582 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3583 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3585 SSL_SESSION
*sess
= NULL
;
3586 unsigned char buf
[20];
3587 size_t readbytes
, written
;
3589 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3590 &serverssl
, &sess
, idx
)))
3593 /* Write some data - should block due to handshake with server */
3594 SSL_set_connect_state(clientssl
);
3595 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
)))
3598 /* Server should detect that early data has not been sent */
3599 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3601 SSL_READ_EARLY_DATA_FINISH
)
3602 || !TEST_size_t_eq(readbytes
, 0)
3603 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3604 SSL_EARLY_DATA_NOT_SENT
)
3605 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3606 SSL_EARLY_DATA_NOT_SENT
))
3609 /* Continue writing the message we started earlier */
3610 if (!TEST_true(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
3611 || !TEST_size_t_eq(written
, strlen(MSG1
))
3612 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3613 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
3614 || !SSL_write_ex(serverssl
, MSG2
, strlen(MSG2
), &written
)
3615 || !TEST_size_t_eq(written
, strlen(MSG2
)))
3618 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3619 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3625 SSL_SESSION_free(sess
);
3626 SSL_SESSION_free(clientpsk
);
3627 SSL_SESSION_free(serverpsk
);
3628 clientpsk
= serverpsk
= NULL
;
3629 SSL_free(serverssl
);
3630 SSL_free(clientssl
);
3636 static const char *servalpn
;
3638 static int alpn_select_cb(SSL
*ssl
, const unsigned char **out
,
3639 unsigned char *outlen
, const unsigned char *in
,
3640 unsigned int inlen
, void *arg
)
3642 unsigned int protlen
= 0;
3643 const unsigned char *prot
;
3645 for (prot
= in
; prot
< in
+ inlen
; prot
+= protlen
) {
3647 if (in
+ inlen
< prot
+ protlen
)
3648 return SSL_TLSEXT_ERR_NOACK
;
3650 if (protlen
== strlen(servalpn
)
3651 && memcmp(prot
, servalpn
, protlen
) == 0) {
3654 return SSL_TLSEXT_ERR_OK
;
3658 return SSL_TLSEXT_ERR_NOACK
;
3661 /* Test that a PSK can be used to send early_data */
3662 static int test_early_data_psk(int idx
)
3664 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3665 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3667 SSL_SESSION
*sess
= NULL
;
3668 unsigned char alpnlist
[] = {
3669 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3672 #define GOODALPNLEN 9
3673 #define BADALPNLEN 8
3674 #define GOODALPN (alpnlist)
3675 #define BADALPN (alpnlist + GOODALPNLEN)
3677 unsigned char buf
[20];
3678 size_t readbytes
, written
;
3679 int readearlyres
= SSL_READ_EARLY_DATA_SUCCESS
, connectres
= 1;
3680 int edstatus
= SSL_EARLY_DATA_ACCEPTED
;
3682 /* We always set this up with a final parameter of "2" for PSK */
3683 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3684 &serverssl
, &sess
, 2)))
3687 servalpn
= "goodalpn";
3690 * Note: There is no test for inconsistent SNI with late client detection.
3691 * This is because servers do not acknowledge SNI even if they are using
3692 * it in a resumption handshake - so it is not actually possible for a
3693 * client to detect a problem.
3697 /* Set inconsistent SNI (early client detection) */
3698 err
= SSL_R_INCONSISTENT_EARLY_DATA_SNI
;
3699 if (!TEST_true(SSL_SESSION_set1_hostname(sess
, "goodhost"))
3700 || !TEST_true(SSL_set_tlsext_host_name(clientssl
, "badhost")))
3705 /* Set inconsistent ALPN (early client detection) */
3706 err
= SSL_R_INCONSISTENT_EARLY_DATA_ALPN
;
3707 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3708 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess
, GOODALPN
,
3710 || !TEST_false(SSL_set_alpn_protos(clientssl
, BADALPN
,
3717 * Set invalid protocol version. Technically this affects PSKs without
3718 * early_data too, but we test it here because it is similar to the
3719 * SNI/ALPN consistency tests.
3721 err
= SSL_R_BAD_PSK
;
3722 if (!TEST_true(SSL_SESSION_set_protocol_version(sess
, TLS1_2_VERSION
)))
3728 * Set inconsistent SNI (server side). In this case the connection
3729 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3730 * is associated with each handshake - not the session. Therefore it
3731 * should not matter that we used a different server name last time.
3733 SSL_SESSION_free(serverpsk
);
3734 serverpsk
= SSL_SESSION_dup(clientpsk
);
3735 if (!TEST_ptr(serverpsk
)
3736 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk
, "badhost")))
3740 /* Set consistent SNI */
3741 if (!TEST_true(SSL_SESSION_set1_hostname(sess
, "goodhost"))
3742 || !TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost"))
3743 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
,
3750 * Set inconsistent ALPN (server detected). In this case the connection
3751 * will succeed but reject early_data.
3753 servalpn
= "badalpn";
3754 edstatus
= SSL_EARLY_DATA_REJECTED
;
3755 readearlyres
= SSL_READ_EARLY_DATA_FINISH
;
3759 * Set consistent ALPN.
3760 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3761 * accepts a list of protos (each one length prefixed).
3762 * SSL_set1_alpn_selected accepts a single protocol (not length
3765 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess
, GOODALPN
+ 1,
3767 || !TEST_false(SSL_set_alpn_protos(clientssl
, GOODALPN
,
3771 SSL_CTX_set_alpn_select_cb(sctx
, alpn_select_cb
, NULL
);
3775 /* Set inconsistent ALPN (late client detection) */
3776 SSL_SESSION_free(serverpsk
);
3777 serverpsk
= SSL_SESSION_dup(clientpsk
);
3778 if (!TEST_ptr(serverpsk
)
3779 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk
,
3782 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk
,
3785 || !TEST_false(SSL_set_alpn_protos(clientssl
, alpnlist
,
3788 SSL_CTX_set_alpn_select_cb(sctx
, alpn_select_cb
, NULL
);
3789 edstatus
= SSL_EARLY_DATA_ACCEPTED
;
3790 readearlyres
= SSL_READ_EARLY_DATA_SUCCESS
;
3791 /* SSL_connect() call should fail */
3796 TEST_error("Bad test index");
3800 SSL_set_connect_state(clientssl
);
3802 if (!TEST_false(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3804 || !TEST_int_eq(SSL_get_error(clientssl
, 0), SSL_ERROR_SSL
)
3805 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err
))
3808 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3812 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3813 &readbytes
), readearlyres
)
3814 || (readearlyres
== SSL_READ_EARLY_DATA_SUCCESS
3815 && !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
)))
3816 || !TEST_int_eq(SSL_get_early_data_status(serverssl
), edstatus
)
3817 || !TEST_int_eq(SSL_connect(clientssl
), connectres
))
3824 SSL_SESSION_free(sess
);
3825 SSL_SESSION_free(clientpsk
);
3826 SSL_SESSION_free(serverpsk
);
3827 clientpsk
= serverpsk
= NULL
;
3828 SSL_free(serverssl
);
3829 SSL_free(clientssl
);
3836 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3837 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3838 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3839 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3840 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3841 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3843 static int test_early_data_psk_with_all_ciphers(int idx
)
3845 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3846 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3848 SSL_SESSION
*sess
= NULL
;
3849 unsigned char buf
[20];
3850 size_t readbytes
, written
;
3851 const SSL_CIPHER
*cipher
;
3852 const char *cipher_str
[] = {
3853 TLS1_3_RFC_AES_128_GCM_SHA256
,
3854 TLS1_3_RFC_AES_256_GCM_SHA384
,
3855 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3856 TLS1_3_RFC_CHACHA20_POLY1305_SHA256
,
3860 TLS1_3_RFC_AES_128_CCM_SHA256
,
3861 TLS1_3_RFC_AES_128_CCM_8_SHA256
3863 const unsigned char *cipher_bytes
[] = {
3864 TLS13_AES_128_GCM_SHA256_BYTES
,
3865 TLS13_AES_256_GCM_SHA384_BYTES
,
3866 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3867 TLS13_CHACHA20_POLY1305_SHA256_BYTES
,
3871 TLS13_AES_128_CCM_SHA256_BYTES
,
3872 TLS13_AES_128_CCM_8_SHA256_BYTES
3875 if (cipher_str
[idx
] == NULL
)
3877 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3878 if (idx
== 2 && is_fips
== 1)
3881 /* We always set this up with a final parameter of "2" for PSK */
3882 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3883 &serverssl
, &sess
, 2)))
3886 if (!TEST_true(SSL_set_ciphersuites(clientssl
, cipher_str
[idx
]))
3887 || !TEST_true(SSL_set_ciphersuites(serverssl
, cipher_str
[idx
])))
3891 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3892 * and assigns to both client and server with incremented reference
3893 * and the same instance is updated in 'sess'.
3894 * So updating ciphersuite in 'sess' which will get reflected in
3895 * PSK handshake using psk use sess and find sess cb.
3897 cipher
= SSL_CIPHER_find(clientssl
, cipher_bytes
[idx
]);
3898 if (!TEST_ptr(cipher
) || !TEST_true(SSL_SESSION_set_cipher(sess
, cipher
)))
3901 SSL_set_connect_state(clientssl
);
3902 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3906 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3908 SSL_READ_EARLY_DATA_SUCCESS
)
3909 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
3910 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3911 SSL_EARLY_DATA_ACCEPTED
)
3912 || !TEST_int_eq(SSL_connect(clientssl
), 1)
3913 || !TEST_int_eq(SSL_accept(serverssl
), 1))
3916 /* Send some normal data from client to server */
3917 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
3918 || !TEST_size_t_eq(written
, strlen(MSG2
)))
3921 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3922 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3927 SSL_SESSION_free(sess
);
3928 SSL_SESSION_free(clientpsk
);
3929 SSL_SESSION_free(serverpsk
);
3930 clientpsk
= serverpsk
= NULL
;
3931 if (clientssl
!= NULL
)
3932 SSL_shutdown(clientssl
);
3933 if (serverssl
!= NULL
)
3934 SSL_shutdown(serverssl
);
3935 SSL_free(serverssl
);
3936 SSL_free(clientssl
);
3943 * Test that a server that doesn't try to read early data can handle a
3944 * client sending some.
3946 static int test_early_data_not_expected(int idx
)
3948 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3949 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3951 SSL_SESSION
*sess
= NULL
;
3952 unsigned char buf
[20];
3953 size_t readbytes
, written
;
3955 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3956 &serverssl
, &sess
, idx
)))
3959 /* Write some early data */
3960 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3965 * Server should skip over early data and then block waiting for client to
3966 * continue handshake
3968 if (!TEST_int_le(SSL_accept(serverssl
), 0)
3969 || !TEST_int_gt(SSL_connect(clientssl
), 0)
3970 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3971 SSL_EARLY_DATA_REJECTED
)
3972 || !TEST_int_gt(SSL_accept(serverssl
), 0)
3973 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3974 SSL_EARLY_DATA_REJECTED
))
3977 /* Send some normal data from client to server */
3978 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
3979 || !TEST_size_t_eq(written
, strlen(MSG2
)))
3982 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3983 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3989 SSL_SESSION_free(sess
);
3990 SSL_SESSION_free(clientpsk
);
3991 SSL_SESSION_free(serverpsk
);
3992 clientpsk
= serverpsk
= NULL
;
3993 SSL_free(serverssl
);
3994 SSL_free(clientssl
);
4001 # ifndef OPENSSL_NO_TLS1_2
4003 * Test that a server attempting to read early data can handle a connection
4004 * from a TLSv1.2 client.
4006 static int test_early_data_tls1_2(int idx
)
4008 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4009 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4011 unsigned char buf
[20];
4012 size_t readbytes
, written
;
4014 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4015 &serverssl
, NULL
, idx
)))
4018 /* Write some data - should block due to handshake with server */
4019 SSL_set_max_proto_version(clientssl
, TLS1_2_VERSION
);
4020 SSL_set_connect_state(clientssl
);
4021 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
)))
4025 * Server should do TLSv1.2 handshake. First it will block waiting for more
4026 * messages from client after ServerDone. Then SSL_read_early_data should
4027 * finish and detect that early data has not been sent
4029 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4031 SSL_READ_EARLY_DATA_ERROR
))
4035 * Continue writing the message we started earlier. Will still block waiting
4036 * for the CCS/Finished from server
4038 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
4039 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4041 SSL_READ_EARLY_DATA_FINISH
)
4042 || !TEST_size_t_eq(readbytes
, 0)
4043 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4044 SSL_EARLY_DATA_NOT_SENT
))
4047 /* Continue writing the message we started earlier */
4048 if (!TEST_true(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
4049 || !TEST_size_t_eq(written
, strlen(MSG1
))
4050 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
4051 SSL_EARLY_DATA_NOT_SENT
)
4052 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4053 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
4054 || !TEST_true(SSL_write_ex(serverssl
, MSG2
, strlen(MSG2
), &written
))
4055 || !TEST_size_t_eq(written
, strlen(MSG2
))
4056 || !SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
)
4057 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4063 SSL_SESSION_free(clientpsk
);
4064 SSL_SESSION_free(serverpsk
);
4065 clientpsk
= serverpsk
= NULL
;
4066 SSL_free(serverssl
);
4067 SSL_free(clientssl
);
4073 # endif /* OPENSSL_NO_TLS1_2 */
4076 * Test configuring the TLSv1.3 ciphersuites
4078 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4079 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4080 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4081 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4082 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4083 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4084 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4085 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4086 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4087 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4089 static int test_set_ciphersuite(int idx
)
4091 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4092 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4095 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4096 TLS_client_method(), TLS1_VERSION
, 0,
4097 &sctx
, &cctx
, cert
, privkey
))
4098 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4099 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4102 if (idx
>=4 && idx
<= 7) {
4103 /* SSL_CTX explicit cipher list */
4104 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "AES256-GCM-SHA384")))
4108 if (idx
== 0 || idx
== 4) {
4109 /* Default ciphersuite */
4110 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4111 "TLS_AES_128_GCM_SHA256")))
4113 } else if (idx
== 1 || idx
== 5) {
4114 /* Non default ciphersuite */
4115 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4116 "TLS_AES_128_CCM_SHA256")))
4120 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4121 &clientssl
, NULL
, NULL
)))
4124 if (idx
== 8 || idx
== 9) {
4125 /* SSL explicit cipher list */
4126 if (!TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384")))
4130 if (idx
== 2 || idx
== 6 || idx
== 8) {
4131 /* Default ciphersuite */
4132 if (!TEST_true(SSL_set_ciphersuites(clientssl
,
4133 "TLS_AES_128_GCM_SHA256")))
4135 } else if (idx
== 3 || idx
== 7 || idx
== 9) {
4136 /* Non default ciphersuite */
4137 if (!TEST_true(SSL_set_ciphersuites(clientssl
,
4138 "TLS_AES_128_CCM_SHA256")))
4142 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4148 SSL_free(serverssl
);
4149 SSL_free(clientssl
);
4156 static int test_ciphersuite_change(void)
4158 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4159 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4160 SSL_SESSION
*clntsess
= NULL
;
4162 const SSL_CIPHER
*aes_128_gcm_sha256
= NULL
;
4164 /* Create a session based on SHA-256 */
4165 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4166 TLS_client_method(), TLS1_VERSION
, 0,
4167 &sctx
, &cctx
, cert
, privkey
))
4168 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4169 "TLS_AES_128_GCM_SHA256:"
4170 "TLS_AES_256_GCM_SHA384:"
4171 "TLS_AES_128_CCM_SHA256"))
4172 || !TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4173 "TLS_AES_128_GCM_SHA256"))
4174 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4175 &clientssl
, NULL
, NULL
))
4176 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4180 clntsess
= SSL_get1_session(clientssl
);
4181 /* Save for later */
4182 aes_128_gcm_sha256
= SSL_SESSION_get0_cipher(clntsess
);
4183 SSL_shutdown(clientssl
);
4184 SSL_shutdown(serverssl
);
4185 SSL_free(serverssl
);
4186 SSL_free(clientssl
);
4187 serverssl
= clientssl
= NULL
;
4189 /* Check we can resume a session with a different SHA-256 ciphersuite */
4190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4191 "TLS_AES_128_CCM_SHA256"))
4192 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4193 &clientssl
, NULL
, NULL
))
4194 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4195 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4197 || !TEST_true(SSL_session_reused(clientssl
)))
4200 SSL_SESSION_free(clntsess
);
4201 clntsess
= SSL_get1_session(clientssl
);
4202 SSL_shutdown(clientssl
);
4203 SSL_shutdown(serverssl
);
4204 SSL_free(serverssl
);
4205 SSL_free(clientssl
);
4206 serverssl
= clientssl
= NULL
;
4209 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4210 * succeeds but does not resume.
4212 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, "TLS_AES_256_GCM_SHA384"))
4213 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4215 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4216 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4218 || !TEST_false(SSL_session_reused(clientssl
)))
4221 SSL_SESSION_free(clntsess
);
4223 SSL_shutdown(clientssl
);
4224 SSL_shutdown(serverssl
);
4225 SSL_free(serverssl
);
4226 SSL_free(clientssl
);
4227 serverssl
= clientssl
= NULL
;
4229 /* Create a session based on SHA384 */
4230 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, "TLS_AES_256_GCM_SHA384"))
4231 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4232 &clientssl
, NULL
, NULL
))
4233 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4237 clntsess
= SSL_get1_session(clientssl
);
4238 SSL_shutdown(clientssl
);
4239 SSL_shutdown(serverssl
);
4240 SSL_free(serverssl
);
4241 SSL_free(clientssl
);
4242 serverssl
= clientssl
= NULL
;
4244 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4245 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4246 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4247 "TLS_AES_256_GCM_SHA384"))
4248 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4250 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4252 * We use SSL_ERROR_WANT_READ below so that we can pause the
4253 * connection after the initial ClientHello has been sent to
4254 * enable us to make some session changes.
4256 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
4257 SSL_ERROR_WANT_READ
)))
4260 /* Trick the client into thinking this session is for a different digest */
4261 clntsess
->cipher
= aes_128_gcm_sha256
;
4262 clntsess
->cipher_id
= clntsess
->cipher
->id
;
4265 * Continue the previously started connection. Server has selected a SHA-384
4266 * ciphersuite, but client thinks the session is for SHA-256, so it should
4269 if (!TEST_false(create_ssl_connection(serverssl
, clientssl
,
4271 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4272 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED
))
4278 SSL_SESSION_free(clntsess
);
4279 SSL_free(serverssl
);
4280 SSL_free(clientssl
);
4288 * Test TLSv1.3 Key exchange
4289 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4290 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4291 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4292 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4293 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4294 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4295 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4296 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4297 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4298 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4299 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4300 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4301 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4302 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4304 static int test_key_exchange(int idx
)
4306 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4307 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4309 # ifndef OPENSSL_NO_EC
4310 int ecdhe_kexch_groups
[] = {NID_X9_62_prime256v1
, NID_secp384r1
,
4311 NID_secp521r1
, NID_X25519
, NID_X448
};
4313 # ifndef OPENSSL_NO_DH
4314 int ffdhe_kexch_groups
[] = {NID_ffdhe2048
, NID_ffdhe3072
, NID_ffdhe4096
,
4315 NID_ffdhe6144
, NID_ffdhe8192
};
4318 int *kexch_groups
= &kexch_alg
;
4319 int kexch_groups_size
= 1;
4320 int max_version
= TLS1_3_VERSION
;
4321 char *kexch_name0
= NULL
;
4324 # ifndef OPENSSL_NO_EC
4325 # ifndef OPENSSL_NO_TLS1_2
4327 max_version
= TLS1_2_VERSION
;
4331 kexch_groups
= ecdhe_kexch_groups
;
4332 kexch_groups_size
= OSSL_NELEM(ecdhe_kexch_groups
);
4333 kexch_name0
= "secp256r1";
4336 kexch_alg
= NID_X9_62_prime256v1
;
4337 kexch_name0
= "secp256r1";
4340 kexch_alg
= NID_secp384r1
;
4341 kexch_name0
= "secp384r1";
4344 kexch_alg
= NID_secp521r1
;
4345 kexch_name0
= "secp521r1";
4348 kexch_alg
= NID_X25519
;
4349 kexch_name0
= "x25519";
4352 kexch_alg
= NID_X448
;
4353 kexch_name0
= "x448";
4356 # ifndef OPENSSL_NO_DH
4357 # ifndef OPENSSL_NO_TLS1_2
4359 max_version
= TLS1_2_VERSION
;
4360 kexch_name0
= "ffdhe2048";
4364 kexch_groups
= ffdhe_kexch_groups
;
4365 kexch_groups_size
= OSSL_NELEM(ffdhe_kexch_groups
);
4366 kexch_name0
= "ffdhe2048";
4369 kexch_alg
= NID_ffdhe2048
;
4370 kexch_name0
= "ffdhe2048";
4373 kexch_alg
= NID_ffdhe3072
;
4374 kexch_name0
= "ffdhe3072";
4377 kexch_alg
= NID_ffdhe4096
;
4378 kexch_name0
= "ffdhe4096";
4381 kexch_alg
= NID_ffdhe6144
;
4382 kexch_name0
= "ffdhe6144";
4385 kexch_alg
= NID_ffdhe8192
;
4386 kexch_name0
= "ffdhe8192";
4390 /* We're skipping this test */
4394 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4395 TLS_client_method(), TLS1_VERSION
,
4396 max_version
, &sctx
, &cctx
, cert
,
4400 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4401 TLS1_3_RFC_AES_128_GCM_SHA256
)))
4404 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4405 TLS1_3_RFC_AES_128_GCM_SHA256
)))
4408 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
,
4409 TLS1_TXT_RSA_WITH_AES_128_SHA
)))
4413 * Must include an EC ciphersuite so that we send supported groups in
4416 # ifndef OPENSSL_NO_TLS1_2
4417 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
4418 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM
":"
4419 TLS1_TXT_RSA_WITH_AES_128_SHA
)))
4423 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4427 if (!TEST_true(SSL_set1_groups(serverssl
, kexch_groups
, kexch_groups_size
))
4428 || !TEST_true(SSL_set1_groups(clientssl
, kexch_groups
, kexch_groups_size
)))
4431 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4435 * If Handshake succeeds the negotiated kexch alg should be the first one in
4436 * configured, except in the case of FFDHE groups (idx 13), which are
4437 * TLSv1.3 only so we expect no shared group to exist.
4439 if (!TEST_int_eq(SSL_get_shared_group(serverssl
, 0),
4440 idx
== 13 ? 0 : kexch_groups
[0]))
4443 if (!TEST_str_eq(SSL_group_to_name(serverssl
, kexch_groups
[0]),
4447 if (max_version
== TLS1_3_VERSION
) {
4448 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl
), kexch_groups
[0]))
4450 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl
), kexch_groups
[0]))
4456 SSL_free(serverssl
);
4457 SSL_free(clientssl
);
4464 * Test TLSv1.3 Cipher Suite
4465 * Test 0 = Set TLS1.3 cipher on context
4466 * Test 1 = Set TLS1.3 cipher on SSL
4467 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4468 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4470 static int test_tls13_ciphersuite(int idx
)
4472 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4473 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4474 static const struct {
4475 const char *ciphername
;
4478 { TLS1_3_RFC_AES_128_GCM_SHA256
, 1 },
4479 { TLS1_3_RFC_AES_256_GCM_SHA384
, 1 },
4480 { TLS1_3_RFC_AES_128_CCM_SHA256
, 1 },
4481 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4482 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256
, 0 },
4483 { TLS1_3_RFC_AES_256_GCM_SHA384
4484 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256
, 0 },
4486 { TLS1_3_RFC_AES_128_CCM_8_SHA256
":" TLS1_3_RFC_AES_128_CCM_SHA256
, 1 }
4488 const char *t13_cipher
= NULL
;
4489 const char *t12_cipher
= NULL
;
4490 const char *negotiated_scipher
;
4491 const char *negotiated_ccipher
;
4507 t12_cipher
= TLS1_TXT_RSA_WITH_AES_128_SHA256
;
4511 t12_cipher
= TLS1_TXT_RSA_WITH_AES_128_SHA256
;
4515 for (max_ver
= TLS1_2_VERSION
; max_ver
<= TLS1_3_VERSION
; max_ver
++) {
4516 # ifdef OPENSSL_NO_TLS1_2
4517 if (max_ver
== TLS1_2_VERSION
)
4520 for (i
= 0; i
< OSSL_NELEM(t13_ciphers
); i
++) {
4521 if (is_fips
&& !t13_ciphers
[i
].fipscapable
)
4523 t13_cipher
= t13_ciphers
[i
].ciphername
;
4524 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4525 TLS_client_method(),
4526 TLS1_VERSION
, max_ver
,
4527 &sctx
, &cctx
, cert
, privkey
)))
4531 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx
, t13_cipher
))
4532 || !TEST_true(SSL_CTX_set_ciphersuites(cctx
, t13_cipher
)))
4534 if (t12_cipher
!= NULL
) {
4535 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, t12_cipher
))
4536 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
4542 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4543 &clientssl
, NULL
, NULL
)))
4547 if (!TEST_true(SSL_set_ciphersuites(serverssl
, t13_cipher
))
4548 || !TEST_true(SSL_set_ciphersuites(clientssl
, t13_cipher
)))
4550 if (t12_cipher
!= NULL
) {
4551 if (!TEST_true(SSL_set_cipher_list(serverssl
, t12_cipher
))
4552 || !TEST_true(SSL_set_cipher_list(clientssl
,
4558 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
4562 negotiated_scipher
= SSL_CIPHER_get_name(SSL_get_current_cipher(
4564 negotiated_ccipher
= SSL_CIPHER_get_name(SSL_get_current_cipher(
4566 if (!TEST_str_eq(negotiated_scipher
, negotiated_ccipher
))
4570 * TEST_strn_eq is used below because t13_cipher can contain
4571 * multiple ciphersuites
4573 if (max_ver
== TLS1_3_VERSION
4574 && !TEST_strn_eq(t13_cipher
, negotiated_scipher
,
4575 strlen(negotiated_scipher
)))
4578 # ifndef OPENSSL_NO_TLS1_2
4579 /* Below validation is not done when t12_cipher is NULL */
4580 if (max_ver
== TLS1_2_VERSION
&& t12_cipher
!= NULL
4581 && !TEST_str_eq(t12_cipher
, negotiated_scipher
))
4585 SSL_free(serverssl
);
4587 SSL_free(clientssl
);
4598 SSL_free(serverssl
);
4599 SSL_free(clientssl
);
4607 * Test 0 = Test new style callbacks
4608 * Test 1 = Test both new and old style callbacks
4609 * Test 2 = Test old style callbacks
4610 * Test 3 = Test old style callbacks with no certificate
4612 static int test_tls13_psk(int idx
)
4614 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4615 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4616 const SSL_CIPHER
*cipher
= NULL
;
4617 const unsigned char key
[] = {
4618 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4619 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4620 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4621 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4625 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4626 TLS_client_method(), TLS1_VERSION
, 0,
4627 &sctx
, &cctx
, idx
== 3 ? NULL
: cert
,
4628 idx
== 3 ? NULL
: privkey
)))
4633 * We use a ciphersuite with SHA256 to ease testing old style PSK
4634 * callbacks which will always default to SHA256. This should not be
4635 * necessary if we have no cert/priv key. In that case the server should
4636 * prefer SHA256 automatically.
4638 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4639 "TLS_AES_128_GCM_SHA256")))
4643 * As noted above the server should prefer SHA256 automatically. However
4644 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4645 * code works even if we are testing with only the FIPS provider loaded.
4647 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4648 "TLS_AES_256_GCM_SHA384:"
4649 "TLS_AES_128_GCM_SHA256")))
4654 * Test 0: New style callbacks only
4655 * Test 1: New and old style callbacks (only the new ones should be used)
4656 * Test 2: Old style callbacks only
4658 if (idx
== 0 || idx
== 1) {
4659 SSL_CTX_set_psk_use_session_callback(cctx
, use_session_cb
);
4660 SSL_CTX_set_psk_find_session_callback(sctx
, find_session_cb
);
4662 #ifndef OPENSSL_NO_PSK
4664 SSL_CTX_set_psk_client_callback(cctx
, psk_client_cb
);
4665 SSL_CTX_set_psk_server_callback(sctx
, psk_server_cb
);
4669 use_session_cb_cnt
= 0;
4670 find_session_cb_cnt
= 0;
4671 psk_client_cb_cnt
= 0;
4672 psk_server_cb_cnt
= 0;
4676 * Check we can create a connection if callback decides not to send a
4679 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4681 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4683 || !TEST_false(SSL_session_reused(clientssl
))
4684 || !TEST_false(SSL_session_reused(serverssl
)))
4687 if (idx
== 0 || idx
== 1) {
4688 if (!TEST_true(use_session_cb_cnt
== 1)
4689 || !TEST_true(find_session_cb_cnt
== 0)
4691 * If no old style callback then below should be 0
4694 || !TEST_true(psk_client_cb_cnt
== idx
)
4695 || !TEST_true(psk_server_cb_cnt
== 0))
4698 if (!TEST_true(use_session_cb_cnt
== 0)
4699 || !TEST_true(find_session_cb_cnt
== 0)
4700 || !TEST_true(psk_client_cb_cnt
== 1)
4701 || !TEST_true(psk_server_cb_cnt
== 0))
4705 shutdown_ssl_connection(serverssl
, clientssl
);
4706 serverssl
= clientssl
= NULL
;
4707 use_session_cb_cnt
= psk_client_cb_cnt
= 0;
4710 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4714 /* Create the PSK */
4715 cipher
= SSL_CIPHER_find(clientssl
, TLS13_AES_128_GCM_SHA256_BYTES
);
4716 clientpsk
= SSL_SESSION_new();
4717 if (!TEST_ptr(clientpsk
)
4718 || !TEST_ptr(cipher
)
4719 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk
, key
,
4721 || !TEST_true(SSL_SESSION_set_cipher(clientpsk
, cipher
))
4722 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk
,
4724 || !TEST_true(SSL_SESSION_up_ref(clientpsk
)))
4726 serverpsk
= clientpsk
;
4728 /* Check we can create a connection and the PSK is used */
4729 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
4730 || !TEST_true(SSL_session_reused(clientssl
))
4731 || !TEST_true(SSL_session_reused(serverssl
)))
4734 if (idx
== 0 || idx
== 1) {
4735 if (!TEST_true(use_session_cb_cnt
== 1)
4736 || !TEST_true(find_session_cb_cnt
== 1)
4737 || !TEST_true(psk_client_cb_cnt
== 0)
4738 || !TEST_true(psk_server_cb_cnt
== 0))
4741 if (!TEST_true(use_session_cb_cnt
== 0)
4742 || !TEST_true(find_session_cb_cnt
== 0)
4743 || !TEST_true(psk_client_cb_cnt
== 1)
4744 || !TEST_true(psk_server_cb_cnt
== 1))
4748 shutdown_ssl_connection(serverssl
, clientssl
);
4749 serverssl
= clientssl
= NULL
;
4750 use_session_cb_cnt
= find_session_cb_cnt
= 0;
4751 psk_client_cb_cnt
= psk_server_cb_cnt
= 0;
4753 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4758 #if defined(OPENSSL_NO_EC)
4759 if (!TEST_true(SSL_set1_groups_list(serverssl
, "ffdhe3072")))
4762 if (!TEST_true(SSL_set1_groups_list(serverssl
, "P-256")))
4767 * Check we can create a connection, the PSK is used and the callbacks are
4770 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
4771 || !TEST_true(SSL_session_reused(clientssl
))
4772 || !TEST_true(SSL_session_reused(serverssl
)))
4775 if (idx
== 0 || idx
== 1) {
4776 if (!TEST_true(use_session_cb_cnt
== 2)
4777 || !TEST_true(find_session_cb_cnt
== 2)
4778 || !TEST_true(psk_client_cb_cnt
== 0)
4779 || !TEST_true(psk_server_cb_cnt
== 0))
4782 if (!TEST_true(use_session_cb_cnt
== 0)
4783 || !TEST_true(find_session_cb_cnt
== 0)
4784 || !TEST_true(psk_client_cb_cnt
== 2)
4785 || !TEST_true(psk_server_cb_cnt
== 2))
4789 shutdown_ssl_connection(serverssl
, clientssl
);
4790 serverssl
= clientssl
= NULL
;
4791 use_session_cb_cnt
= find_session_cb_cnt
= 0;
4792 psk_client_cb_cnt
= psk_server_cb_cnt
= 0;
4796 * Check that if the server rejects the PSK we can still connect, but with
4799 srvid
= "Dummy Identity";
4800 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4802 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4804 || !TEST_false(SSL_session_reused(clientssl
))
4805 || !TEST_false(SSL_session_reused(serverssl
)))
4808 if (idx
== 0 || idx
== 1) {
4809 if (!TEST_true(use_session_cb_cnt
== 1)
4810 || !TEST_true(find_session_cb_cnt
== 1)
4811 || !TEST_true(psk_client_cb_cnt
== 0)
4813 * If no old style callback then below should be 0
4816 || !TEST_true(psk_server_cb_cnt
== idx
))
4819 if (!TEST_true(use_session_cb_cnt
== 0)
4820 || !TEST_true(find_session_cb_cnt
== 0)
4821 || !TEST_true(psk_client_cb_cnt
== 1)
4822 || !TEST_true(psk_server_cb_cnt
== 1))
4826 shutdown_ssl_connection(serverssl
, clientssl
);
4827 serverssl
= clientssl
= NULL
;
4832 SSL_SESSION_free(clientpsk
);
4833 SSL_SESSION_free(serverpsk
);
4834 clientpsk
= serverpsk
= NULL
;
4835 SSL_free(serverssl
);
4836 SSL_free(clientssl
);
4842 static unsigned char cookie_magic_value
[] = "cookie magic";
4844 static int generate_cookie_callback(SSL
*ssl
, unsigned char *cookie
,
4845 unsigned int *cookie_len
)
4848 * Not suitable as a real cookie generation function but good enough for
4851 memcpy(cookie
, cookie_magic_value
, sizeof(cookie_magic_value
) - 1);
4852 *cookie_len
= sizeof(cookie_magic_value
) - 1;
4857 static int verify_cookie_callback(SSL
*ssl
, const unsigned char *cookie
,
4858 unsigned int cookie_len
)
4860 if (cookie_len
== sizeof(cookie_magic_value
) - 1
4861 && memcmp(cookie
, cookie_magic_value
, cookie_len
) == 0)
4867 static int generate_stateless_cookie_callback(SSL
*ssl
, unsigned char *cookie
,
4871 int res
= generate_cookie_callback(ssl
, cookie
, &temp
);
4876 static int verify_stateless_cookie_callback(SSL
*ssl
, const unsigned char *cookie
,
4879 return verify_cookie_callback(ssl
, cookie
, cookie_len
);
4882 static int test_stateless(void)
4884 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4885 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4888 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4889 TLS_client_method(), TLS1_VERSION
, 0,
4890 &sctx
, &cctx
, cert
, privkey
)))
4893 /* The arrival of CCS messages can confuse the test */
4894 SSL_CTX_clear_options(cctx
, SSL_OP_ENABLE_MIDDLEBOX_COMPAT
);
4896 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4898 /* Send the first ClientHello */
4899 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
4900 SSL_ERROR_WANT_READ
))
4902 * This should fail with a -1 return because we have no callbacks
4905 || !TEST_int_eq(SSL_stateless(serverssl
), -1))
4908 /* Fatal error so abandon the connection from this client */
4909 SSL_free(clientssl
);
4912 /* Set up the cookie generation and verification callbacks */
4913 SSL_CTX_set_stateless_cookie_generate_cb(sctx
, generate_stateless_cookie_callback
);
4914 SSL_CTX_set_stateless_cookie_verify_cb(sctx
, verify_stateless_cookie_callback
);
4917 * Create a new connection from the client (we can reuse the server SSL
4920 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4922 /* Send the first ClientHello */
4923 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
4924 SSL_ERROR_WANT_READ
))
4925 /* This should fail because there is no cookie */
4926 || !TEST_int_eq(SSL_stateless(serverssl
), 0))
4929 /* Abandon the connection from this client */
4930 SSL_free(clientssl
);
4934 * Now create a connection from a new client but with the same server SSL
4937 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4939 /* Send the first ClientHello */
4940 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
4941 SSL_ERROR_WANT_READ
))
4942 /* This should fail because there is no cookie */
4943 || !TEST_int_eq(SSL_stateless(serverssl
), 0)
4944 /* Send the second ClientHello */
4945 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
4946 SSL_ERROR_WANT_READ
))
4947 /* This should succeed because a cookie is now present */
4948 || !TEST_int_eq(SSL_stateless(serverssl
), 1)
4949 /* Complete the connection */
4950 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4954 shutdown_ssl_connection(serverssl
, clientssl
);
4955 serverssl
= clientssl
= NULL
;
4959 SSL_free(serverssl
);
4960 SSL_free(clientssl
);
4966 #endif /* OPENSSL_NO_TLS1_3 */
4968 static int clntaddoldcb
= 0;
4969 static int clntparseoldcb
= 0;
4970 static int srvaddoldcb
= 0;
4971 static int srvparseoldcb
= 0;
4972 static int clntaddnewcb
= 0;
4973 static int clntparsenewcb
= 0;
4974 static int srvaddnewcb
= 0;
4975 static int srvparsenewcb
= 0;
4976 static int snicb
= 0;
4978 #define TEST_EXT_TYPE1 0xff00
4980 static int old_add_cb(SSL
*s
, unsigned int ext_type
, const unsigned char **out
,
4981 size_t *outlen
, int *al
, void *add_arg
)
4983 int *server
= (int *)add_arg
;
4984 unsigned char *data
;
4986 if (SSL_is_server(s
))
4991 if (*server
!= SSL_is_server(s
)
4992 || (data
= OPENSSL_malloc(sizeof(*data
))) == NULL
)
4997 *outlen
= sizeof(char);
5001 static void old_free_cb(SSL
*s
, unsigned int ext_type
, const unsigned char *out
,
5004 OPENSSL_free((unsigned char *)out
);
5007 static int old_parse_cb(SSL
*s
, unsigned int ext_type
, const unsigned char *in
,
5008 size_t inlen
, int *al
, void *parse_arg
)
5010 int *server
= (int *)parse_arg
;
5012 if (SSL_is_server(s
))
5017 if (*server
!= SSL_is_server(s
)
5018 || inlen
!= sizeof(char)
5025 static int new_add_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5026 const unsigned char **out
, size_t *outlen
, X509
*x
,
5027 size_t chainidx
, int *al
, void *add_arg
)
5029 int *server
= (int *)add_arg
;
5030 unsigned char *data
;
5032 if (SSL_is_server(s
))
5037 if (*server
!= SSL_is_server(s
)
5038 || (data
= OPENSSL_malloc(sizeof(*data
))) == NULL
)
5043 *outlen
= sizeof(*data
);
5047 static void new_free_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5048 const unsigned char *out
, void *add_arg
)
5050 OPENSSL_free((unsigned char *)out
);
5053 static int new_parse_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5054 const unsigned char *in
, size_t inlen
, X509
*x
,
5055 size_t chainidx
, int *al
, void *parse_arg
)
5057 int *server
= (int *)parse_arg
;
5059 if (SSL_is_server(s
))
5064 if (*server
!= SSL_is_server(s
)
5065 || inlen
!= sizeof(char) || *in
!= 1)
5071 static int sni_cb(SSL
*s
, int *al
, void *arg
)
5073 SSL_CTX
*ctx
= (SSL_CTX
*)arg
;
5075 if (SSL_set_SSL_CTX(s
, ctx
) == NULL
) {
5076 *al
= SSL_AD_INTERNAL_ERROR
;
5077 return SSL_TLSEXT_ERR_ALERT_FATAL
;
5080 return SSL_TLSEXT_ERR_OK
;
5084 * Custom call back tests.
5085 * Test 0: Old style callbacks in TLSv1.2
5086 * Test 1: New style callbacks in TLSv1.2
5087 * Test 2: New style callbacks in TLSv1.2 with SNI
5088 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5089 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5091 static int test_custom_exts(int tst
)
5093 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
5094 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5096 static int server
= 1;
5097 static int client
= 0;
5098 SSL_SESSION
*sess
= NULL
;
5099 unsigned int context
;
5101 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5102 /* Skip tests for TLSv1.2 and below in this case */
5107 /* Reset callback counters */
5108 clntaddoldcb
= clntparseoldcb
= srvaddoldcb
= srvparseoldcb
= 0;
5109 clntaddnewcb
= clntparsenewcb
= srvaddnewcb
= srvparsenewcb
= 0;
5112 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5113 TLS_client_method(), TLS1_VERSION
, 0,
5114 &sctx
, &cctx
, cert
, privkey
)))
5118 && !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(), NULL
,
5120 &sctx2
, NULL
, cert
, privkey
)))
5125 SSL_CTX_set_options(cctx
, SSL_OP_NO_TLSv1_3
);
5126 SSL_CTX_set_options(sctx
, SSL_OP_NO_TLSv1_3
);
5128 SSL_CTX_set_options(sctx2
, SSL_OP_NO_TLSv1_3
);
5132 context
= SSL_EXT_CLIENT_HELLO
5133 | SSL_EXT_TLS1_2_SERVER_HELLO
5134 | SSL_EXT_TLS1_3_SERVER_HELLO
5135 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5136 | SSL_EXT_TLS1_3_CERTIFICATE
5137 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET
;
5139 context
= SSL_EXT_CLIENT_HELLO
5140 | SSL_EXT_TLS1_2_SERVER_HELLO
5141 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
;
5144 /* Create a client side custom extension */
5146 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx
, TEST_EXT_TYPE1
,
5147 old_add_cb
, old_free_cb
,
5148 &client
, old_parse_cb
,
5152 if (!TEST_true(SSL_CTX_add_custom_ext(cctx
, TEST_EXT_TYPE1
, context
,
5153 new_add_cb
, new_free_cb
,
5154 &client
, new_parse_cb
, &client
)))
5158 /* Should not be able to add duplicates */
5159 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx
, TEST_EXT_TYPE1
,
5160 old_add_cb
, old_free_cb
,
5161 &client
, old_parse_cb
,
5163 || !TEST_false(SSL_CTX_add_custom_ext(cctx
, TEST_EXT_TYPE1
,
5164 context
, new_add_cb
,
5165 new_free_cb
, &client
,
5166 new_parse_cb
, &client
)))
5169 /* Create a server side custom extension */
5171 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx
, TEST_EXT_TYPE1
,
5172 old_add_cb
, old_free_cb
,
5173 &server
, old_parse_cb
,
5177 if (!TEST_true(SSL_CTX_add_custom_ext(sctx
, TEST_EXT_TYPE1
, context
,
5178 new_add_cb
, new_free_cb
,
5179 &server
, new_parse_cb
, &server
)))
5182 && !TEST_true(SSL_CTX_add_custom_ext(sctx2
, TEST_EXT_TYPE1
,
5183 context
, new_add_cb
,
5184 new_free_cb
, &server
,
5185 new_parse_cb
, &server
)))
5189 /* Should not be able to add duplicates */
5190 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx
, TEST_EXT_TYPE1
,
5191 old_add_cb
, old_free_cb
,
5192 &server
, old_parse_cb
,
5194 || !TEST_false(SSL_CTX_add_custom_ext(sctx
, TEST_EXT_TYPE1
,
5195 context
, new_add_cb
,
5196 new_free_cb
, &server
,
5197 new_parse_cb
, &server
)))
5202 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
, sni_cb
))
5203 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx
, sctx2
)))
5207 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
5208 &clientssl
, NULL
, NULL
))
5209 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5214 if (clntaddoldcb
!= 1
5215 || clntparseoldcb
!= 1
5217 || srvparseoldcb
!= 1)
5219 } else if (tst
== 1 || tst
== 2 || tst
== 3) {
5220 if (clntaddnewcb
!= 1
5221 || clntparsenewcb
!= 1
5223 || srvparsenewcb
!= 1
5224 || (tst
!= 2 && snicb
!= 0)
5225 || (tst
== 2 && snicb
!= 1))
5228 /* In this case there 2 NewSessionTicket messages created */
5229 if (clntaddnewcb
!= 1
5230 || clntparsenewcb
!= 5
5232 || srvparsenewcb
!= 1)
5236 sess
= SSL_get1_session(clientssl
);
5237 SSL_shutdown(clientssl
);
5238 SSL_shutdown(serverssl
);
5239 SSL_free(serverssl
);
5240 SSL_free(clientssl
);
5241 serverssl
= clientssl
= NULL
;
5244 /* We don't bother with the resumption aspects for this test */
5249 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5251 || !TEST_true(SSL_set_session(clientssl
, sess
))
5252 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5257 * For a resumed session we expect to add the ClientHello extension. For the
5258 * old style callbacks we ignore it on the server side because they set
5259 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5263 if (clntaddoldcb
!= 2
5264 || clntparseoldcb
!= 1
5266 || srvparseoldcb
!= 1)
5268 } else if (tst
== 1 || tst
== 2 || tst
== 3) {
5269 if (clntaddnewcb
!= 2
5270 || clntparsenewcb
!= 2
5272 || srvparsenewcb
!= 2)
5276 * No Certificate message extensions in the resumption handshake,
5277 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5279 if (clntaddnewcb
!= 2
5280 || clntparsenewcb
!= 8
5282 || srvparsenewcb
!= 2)
5289 SSL_SESSION_free(sess
);
5290 SSL_free(serverssl
);
5291 SSL_free(clientssl
);
5292 SSL_CTX_free(sctx2
);
5299 * Test loading of serverinfo data in various formats. test_sslmessages actually
5300 * tests to make sure the extensions appear in the handshake
5302 static int test_serverinfo(int tst
)
5304 unsigned int version
;
5305 unsigned char *sibuf
;
5307 int ret
, expected
, testresult
= 0;
5310 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method());
5314 if ((tst
& 0x01) == 0x01)
5315 version
= SSL_SERVERINFOV2
;
5317 version
= SSL_SERVERINFOV1
;
5319 if ((tst
& 0x02) == 0x02) {
5320 sibuf
= serverinfov2
;
5321 sibuflen
= sizeof(serverinfov2
);
5322 expected
= (version
== SSL_SERVERINFOV2
);
5324 sibuf
= serverinfov1
;
5325 sibuflen
= sizeof(serverinfov1
);
5326 expected
= (version
== SSL_SERVERINFOV1
);
5329 if ((tst
& 0x04) == 0x04) {
5330 ret
= SSL_CTX_use_serverinfo_ex(ctx
, version
, sibuf
, sibuflen
);
5332 ret
= SSL_CTX_use_serverinfo(ctx
, sibuf
, sibuflen
);
5335 * The version variable is irrelevant in this case - it's what is in the
5336 * buffer that matters
5338 if ((tst
& 0x02) == 0x02)
5344 if (!TEST_true(ret
== expected
))
5356 * Test that SSL_export_keying_material() produces expected results. There are
5357 * no test vectors so all we do is test that both sides of the communication
5358 * produce the same results for different protocol versions.
5360 #define SMALL_LABEL_LEN 10
5361 #define LONG_LABEL_LEN 249
5362 static int test_export_key_mat(int tst
)
5365 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
5366 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5367 const char label
[LONG_LABEL_LEN
+ 1] = "test label";
5368 const unsigned char context
[] = "context";
5369 const unsigned char *emptycontext
= NULL
;
5370 unsigned char ckeymat1
[80], ckeymat2
[80], ckeymat3
[80];
5371 unsigned char skeymat1
[80], skeymat2
[80], skeymat3
[80];
5373 const int protocols
[] = {
5382 #ifdef OPENSSL_NO_TLS1
5386 #ifdef OPENSSL_NO_TLS1_1
5390 if (is_fips
&& (tst
== 0 || tst
== 1))
5392 #ifdef OPENSSL_NO_TLS1_2
5396 #ifdef OPENSSL_NO_TLS1_3
5400 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5401 TLS_client_method(), TLS1_VERSION
, 0,
5402 &sctx
, &cctx
, cert
, privkey
)))
5405 OPENSSL_assert(tst
>= 0 && (size_t)tst
< OSSL_NELEM(protocols
));
5406 SSL_CTX_set_max_proto_version(cctx
, protocols
[tst
]);
5407 SSL_CTX_set_min_proto_version(cctx
, protocols
[tst
]);
5408 if ((protocols
[tst
] < TLS1_2_VERSION
) &&
5409 (!SSL_CTX_set_cipher_list(cctx
, "DEFAULT:@SECLEVEL=0")
5410 || !SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0")))
5413 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
5418 * Premature call of SSL_export_keying_material should just fail.
5420 if (!TEST_int_le(SSL_export_keying_material(clientssl
, ckeymat1
,
5421 sizeof(ckeymat1
), label
,
5422 SMALL_LABEL_LEN
+ 1, context
,
5423 sizeof(context
) - 1, 1), 0))
5426 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
5432 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5435 if (!TEST_int_le(SSL_export_keying_material(clientssl
, ckeymat1
,
5436 sizeof(ckeymat1
), label
,
5437 LONG_LABEL_LEN
+ 1, context
,
5438 sizeof(context
) - 1, 1), 0))
5443 } else if (tst
== 4) {
5444 labellen
= LONG_LABEL_LEN
;
5446 labellen
= SMALL_LABEL_LEN
;
5449 if (!TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat1
,
5450 sizeof(ckeymat1
), label
,
5452 sizeof(context
) - 1, 1), 1)
5453 || !TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat2
,
5454 sizeof(ckeymat2
), label
,
5458 || !TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat3
,
5459 sizeof(ckeymat3
), label
,
5462 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat1
,
5463 sizeof(skeymat1
), label
,
5466 sizeof(context
) -1, 1),
5468 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat2
,
5469 sizeof(skeymat2
), label
,
5473 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat3
,
5474 sizeof(skeymat3
), label
,
5478 * Check that both sides created the same key material with the
5481 || !TEST_mem_eq(ckeymat1
, sizeof(ckeymat1
), skeymat1
,
5484 * Check that both sides created the same key material with an
5487 || !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), skeymat2
,
5490 * Check that both sides created the same key material without a
5493 || !TEST_mem_eq(ckeymat3
, sizeof(ckeymat3
), skeymat3
,
5495 /* Different contexts should produce different results */
5496 || !TEST_mem_ne(ckeymat1
, sizeof(ckeymat1
), ckeymat2
,
5501 * Check that an empty context and no context produce different results in
5502 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5504 if ((tst
< 3 && !TEST_mem_ne(ckeymat2
, sizeof(ckeymat2
), ckeymat3
,
5506 || (tst
>= 3 && !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), ckeymat3
,
5513 SSL_free(serverssl
);
5514 SSL_free(clientssl
);
5515 SSL_CTX_free(sctx2
);
5522 #ifndef OPENSSL_NO_TLS1_3
5524 * Test that SSL_export_keying_material_early() produces expected
5525 * results. There are no test vectors so all we do is test that both
5526 * sides of the communication produce the same results for different
5527 * protocol versions.
5529 static int test_export_key_mat_early(int idx
)
5531 static const char label
[] = "test label";
5532 static const unsigned char context
[] = "context";
5534 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
5535 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5536 SSL_SESSION
*sess
= NULL
;
5537 const unsigned char *emptycontext
= NULL
;
5538 unsigned char ckeymat1
[80], ckeymat2
[80];
5539 unsigned char skeymat1
[80], skeymat2
[80];
5540 unsigned char buf
[1];
5541 size_t readbytes
, written
;
5543 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
, &serverssl
,
5547 /* Here writing 0 length early data is enough. */
5548 if (!TEST_true(SSL_write_early_data(clientssl
, NULL
, 0, &written
))
5549 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
5551 SSL_READ_EARLY_DATA_ERROR
)
5552 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
5553 SSL_EARLY_DATA_ACCEPTED
))
5556 if (!TEST_int_eq(SSL_export_keying_material_early(
5557 clientssl
, ckeymat1
, sizeof(ckeymat1
), label
,
5558 sizeof(label
) - 1, context
, sizeof(context
) - 1), 1)
5559 || !TEST_int_eq(SSL_export_keying_material_early(
5560 clientssl
, ckeymat2
, sizeof(ckeymat2
), label
,
5561 sizeof(label
) - 1, emptycontext
, 0), 1)
5562 || !TEST_int_eq(SSL_export_keying_material_early(
5563 serverssl
, skeymat1
, sizeof(skeymat1
), label
,
5564 sizeof(label
) - 1, context
, sizeof(context
) - 1), 1)
5565 || !TEST_int_eq(SSL_export_keying_material_early(
5566 serverssl
, skeymat2
, sizeof(skeymat2
), label
,
5567 sizeof(label
) - 1, emptycontext
, 0), 1)
5569 * Check that both sides created the same key material with the
5572 || !TEST_mem_eq(ckeymat1
, sizeof(ckeymat1
), skeymat1
,
5575 * Check that both sides created the same key material with an
5578 || !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), skeymat2
,
5580 /* Different contexts should produce different results */
5581 || !TEST_mem_ne(ckeymat1
, sizeof(ckeymat1
), ckeymat2
,
5588 SSL_SESSION_free(sess
);
5589 SSL_SESSION_free(clientpsk
);
5590 SSL_SESSION_free(serverpsk
);
5591 clientpsk
= serverpsk
= NULL
;
5592 SSL_free(serverssl
);
5593 SSL_free(clientssl
);
5600 #define NUM_KEY_UPDATE_MESSAGES 40
5604 static int test_key_update(void)
5606 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
5607 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5608 int testresult
= 0, i
, j
;
5610 static char *mess
= "A test message";
5612 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5613 TLS_client_method(),
5616 &sctx
, &cctx
, cert
, privkey
))
5617 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5619 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5623 for (j
= 0; j
< 2; j
++) {
5624 /* Send lots of KeyUpdate messages */
5625 for (i
= 0; i
< NUM_KEY_UPDATE_MESSAGES
; i
++) {
5626 if (!TEST_true(SSL_key_update(clientssl
,
5628 ? SSL_KEY_UPDATE_NOT_REQUESTED
5629 : SSL_KEY_UPDATE_REQUESTED
))
5630 || !TEST_true(SSL_do_handshake(clientssl
)))
5634 /* Check that sending and receiving app data is ok */
5635 if (!TEST_int_eq(SSL_write(clientssl
, mess
, strlen(mess
)), strlen(mess
))
5636 || !TEST_int_eq(SSL_read(serverssl
, buf
, sizeof(buf
)),
5640 if (!TEST_int_eq(SSL_write(serverssl
, mess
, strlen(mess
)), strlen(mess
))
5641 || !TEST_int_eq(SSL_read(clientssl
, buf
, sizeof(buf
)),
5649 SSL_free(serverssl
);
5650 SSL_free(clientssl
);
5658 * Test we can handle a KeyUpdate (update requested) message while write data
5660 * Test 0: Client sends KeyUpdate while Server is writing
5661 * Test 1: Server sends KeyUpdate while Client is writing
5663 static int test_key_update_in_write(int tst
)
5665 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
5666 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5669 static char *mess
= "A test message";
5670 BIO
*bretry
= BIO_new(bio_s_always_retry());
5672 SSL
*peerupdate
= NULL
, *peerwrite
= NULL
;
5674 if (!TEST_ptr(bretry
)
5675 || !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5676 TLS_client_method(),
5679 &sctx
, &cctx
, cert
, privkey
))
5680 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5682 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5686 peerupdate
= tst
== 0 ? clientssl
: serverssl
;
5687 peerwrite
= tst
== 0 ? serverssl
: clientssl
;
5689 if (!TEST_true(SSL_key_update(peerupdate
, SSL_KEY_UPDATE_REQUESTED
))
5690 || !TEST_true(SSL_do_handshake(peerupdate
)))
5693 /* Swap the writing endpoint's write BIO to force a retry */
5694 tmp
= SSL_get_wbio(peerwrite
);
5695 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
5699 SSL_set0_wbio(peerwrite
, bretry
);
5702 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5703 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), -1)
5704 || !TEST_int_eq(SSL_get_error(peerwrite
, 0), SSL_ERROR_WANT_WRITE
))
5707 /* Reinstate the original writing endpoint's write BIO */
5708 SSL_set0_wbio(peerwrite
, tmp
);
5711 /* Now read some data - we will read the key update */
5712 if (!TEST_int_eq(SSL_read(peerwrite
, buf
, sizeof(buf
)), -1)
5713 || !TEST_int_eq(SSL_get_error(peerwrite
, 0), SSL_ERROR_WANT_READ
))
5717 * Complete the write we started previously and read it from the other
5720 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), strlen(mess
))
5721 || !TEST_int_eq(SSL_read(peerupdate
, buf
, sizeof(buf
)), strlen(mess
)))
5724 /* Write more data to ensure we send the KeyUpdate message back */
5725 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), strlen(mess
))
5726 || !TEST_int_eq(SSL_read(peerupdate
, buf
, sizeof(buf
)), strlen(mess
)))
5732 SSL_free(serverssl
);
5733 SSL_free(clientssl
);
5741 #endif /* OPENSSL_NO_TLS1_3 */
5743 static int test_ssl_clear(int idx
)
5745 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
5746 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5749 #ifdef OPENSSL_NO_TLS1_2
5754 /* Create an initial connection */
5755 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5756 TLS_client_method(), TLS1_VERSION
, 0,
5757 &sctx
, &cctx
, cert
, privkey
))
5759 && !TEST_true(SSL_CTX_set_max_proto_version(cctx
,
5761 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
5762 &clientssl
, NULL
, NULL
))
5763 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5767 SSL_shutdown(clientssl
);
5768 SSL_shutdown(serverssl
);
5769 SSL_free(serverssl
);
5772 /* Clear clientssl - we're going to reuse the object */
5773 if (!TEST_true(SSL_clear(clientssl
)))
5776 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5778 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5780 || !TEST_true(SSL_session_reused(clientssl
)))
5783 SSL_shutdown(clientssl
);
5784 SSL_shutdown(serverssl
);
5789 SSL_free(serverssl
);
5790 SSL_free(clientssl
);
5797 /* Parse CH and retrieve any MFL extension value if present */
5798 static int get_MFL_from_client_hello(BIO
*bio
, int *mfl_codemfl_code
)
5801 unsigned char *data
;
5802 PACKET pkt
, pkt2
, pkt3
;
5803 unsigned int MFL_code
= 0, type
= 0;
5805 if (!TEST_uint_gt( len
= BIO_get_mem_data( bio
, (char **) &data
), 0 ) )
5808 memset(&pkt
, 0, sizeof(pkt
));
5809 memset(&pkt2
, 0, sizeof(pkt2
));
5810 memset(&pkt3
, 0, sizeof(pkt3
));
5812 if (!TEST_true( PACKET_buf_init( &pkt
, data
, len
) )
5813 /* Skip the record header */
5814 || !PACKET_forward(&pkt
, SSL3_RT_HEADER_LENGTH
)
5815 /* Skip the handshake message header */
5816 || !TEST_true(PACKET_forward(&pkt
, SSL3_HM_HEADER_LENGTH
))
5817 /* Skip client version and random */
5818 || !TEST_true(PACKET_forward(&pkt
, CLIENT_VERSION_LEN
5819 + SSL3_RANDOM_SIZE
))
5820 /* Skip session id */
5821 || !TEST_true(PACKET_get_length_prefixed_1(&pkt
, &pkt2
))
5823 || !TEST_true(PACKET_get_length_prefixed_2(&pkt
, &pkt2
))
5824 /* Skip compression */
5825 || !TEST_true(PACKET_get_length_prefixed_1(&pkt
, &pkt2
))
5826 /* Extensions len */
5827 || !TEST_true(PACKET_as_length_prefixed_2(&pkt
, &pkt2
)))
5830 /* Loop through all extensions */
5831 while (PACKET_remaining(&pkt2
)) {
5832 if (!TEST_true(PACKET_get_net_2(&pkt2
, &type
))
5833 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2
, &pkt3
)))
5836 if (type
== TLSEXT_TYPE_max_fragment_length
) {
5837 if (!TEST_uint_ne(PACKET_remaining(&pkt3
), 0)
5838 || !TEST_true(PACKET_get_1(&pkt3
, &MFL_code
)))
5841 *mfl_codemfl_code
= MFL_code
;
5850 /* Maximum-Fragment-Length TLS extension mode to test */
5851 static const unsigned char max_fragment_len_test
[] = {
5852 TLSEXT_max_fragment_length_512
,
5853 TLSEXT_max_fragment_length_1024
,
5854 TLSEXT_max_fragment_length_2048
,
5855 TLSEXT_max_fragment_length_4096
5858 static int test_max_fragment_len_ext(int idx_tst
)
5862 int testresult
= 0, MFL_mode
= 0;
5865 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method());
5869 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5870 ctx
, max_fragment_len_test
[idx_tst
])))
5877 rbio
= BIO_new(BIO_s_mem());
5878 wbio
= BIO_new(BIO_s_mem());
5879 if (!TEST_ptr(rbio
)|| !TEST_ptr(wbio
)) {
5885 SSL_set_bio(con
, rbio
, wbio
);
5886 SSL_set_connect_state(con
);
5888 if (!TEST_int_le(SSL_connect(con
), 0)) {
5889 /* This shouldn't succeed because we don't have a server! */
5893 if (!TEST_true(get_MFL_from_client_hello(wbio
, &MFL_mode
)))
5894 /* no MFL in client hello */
5896 if (!TEST_true(max_fragment_len_test
[idx_tst
] == MFL_mode
))
5908 #ifndef OPENSSL_NO_TLS1_3
5909 static int test_pha_key_update(void)
5911 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
5912 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5915 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5916 TLS_client_method(), TLS1_VERSION
, 0,
5917 &sctx
, &cctx
, cert
, privkey
)))
5920 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx
, TLS1_3_VERSION
))
5921 || !TEST_true(SSL_CTX_set_max_proto_version(sctx
, TLS1_3_VERSION
))
5922 || !TEST_true(SSL_CTX_set_min_proto_version(cctx
, TLS1_3_VERSION
))
5923 || !TEST_true(SSL_CTX_set_max_proto_version(cctx
, TLS1_3_VERSION
)))
5926 SSL_CTX_set_post_handshake_auth(cctx
, 1);
5928 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5932 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
5936 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
, NULL
);
5937 if (!TEST_true(SSL_verify_client_post_handshake(serverssl
)))
5940 if (!TEST_true(SSL_key_update(clientssl
, SSL_KEY_UPDATE_NOT_REQUESTED
)))
5943 /* Start handshake on the server */
5944 if (!TEST_int_eq(SSL_do_handshake(serverssl
), 1))
5947 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5948 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
5952 SSL_shutdown(clientssl
);
5953 SSL_shutdown(serverssl
);
5958 SSL_free(serverssl
);
5959 SSL_free(clientssl
);
5966 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5968 static SRP_VBASE
*vbase
= NULL
;
5970 static int ssl_srp_cb(SSL
*s
, int *ad
, void *arg
)
5972 int ret
= SSL3_AL_FATAL
;
5974 SRP_user_pwd
*user
= NULL
;
5976 username
= SSL_get_srp_username(s
);
5977 if (username
== NULL
) {
5978 *ad
= SSL_AD_INTERNAL_ERROR
;
5982 user
= SRP_VBASE_get1_by_user(vbase
, username
);
5984 *ad
= SSL_AD_INTERNAL_ERROR
;
5988 if (SSL_set_srp_server_param(s
, user
->N
, user
->g
, user
->s
, user
->v
,
5990 *ad
= SSL_AD_INTERNAL_ERROR
;
5997 SRP_user_pwd_free(user
);
6001 static int create_new_vfile(char *userid
, char *password
, const char *filename
)
6004 OPENSSL_STRING
*row
= OPENSSL_zalloc(sizeof(row
) * (DB_NUMBER
+ 1));
6007 BIO
*out
= NULL
, *dummy
= BIO_new_mem_buf("", 0);
6010 if (!TEST_ptr(dummy
) || !TEST_ptr(row
))
6013 gNid
= SRP_create_verifier_ex(userid
, password
, &row
[DB_srpsalt
],
6014 &row
[DB_srpverifier
], NULL
, NULL
, libctx
, NULL
);
6015 if (!TEST_ptr(gNid
))
6019 * The only way to create an empty TXT_DB is to provide a BIO with no data
6022 db
= TXT_DB_read(dummy
, DB_NUMBER
);
6026 out
= BIO_new_file(filename
, "w");
6030 row
[DB_srpid
] = OPENSSL_strdup(userid
);
6031 row
[DB_srptype
] = OPENSSL_strdup("V");
6032 row
[DB_srpgN
] = OPENSSL_strdup(gNid
);
6034 if (!TEST_ptr(row
[DB_srpid
])
6035 || !TEST_ptr(row
[DB_srptype
])
6036 || !TEST_ptr(row
[DB_srpgN
])
6037 || !TEST_true(TXT_DB_insert(db
, row
)))
6042 if (!TXT_DB_write(out
, db
))
6048 for (i
= 0; i
< DB_NUMBER
; i
++)
6049 OPENSSL_free(row
[i
]);
6059 static int create_new_vbase(char *userid
, char *password
)
6061 BIGNUM
*verifier
= NULL
, *salt
= NULL
;
6062 const SRP_gN
*lgN
= NULL
;
6063 SRP_user_pwd
*user_pwd
= NULL
;
6066 lgN
= SRP_get_default_gN(NULL
);
6070 if (!TEST_true(SRP_create_verifier_BN_ex(userid
, password
, &salt
, &verifier
,
6071 lgN
->N
, lgN
->g
, libctx
, NULL
)))
6074 user_pwd
= OPENSSL_zalloc(sizeof(*user_pwd
));
6075 if (!TEST_ptr(user_pwd
))
6078 user_pwd
->N
= lgN
->N
;
6079 user_pwd
->g
= lgN
->g
;
6080 user_pwd
->id
= OPENSSL_strdup(userid
);
6081 if (!TEST_ptr(user_pwd
->id
))
6084 user_pwd
->v
= verifier
;
6086 verifier
= salt
= NULL
;
6088 if (sk_SRP_user_pwd_insert(vbase
->users_pwd
, user_pwd
, 0) == 0)
6094 SRP_user_pwd_free(user_pwd
);
6104 * Test 0: Simple successful SRP connection, new vbase
6105 * Test 1: Connection failure due to bad password, new vbase
6106 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6107 * Test 3: Connection failure due to bad password, vbase loaded from existing
6109 * Test 4: Simple successful SRP connection, vbase loaded from new file
6110 * Test 5: Connection failure due to bad password, vbase loaded from new file
6112 static int test_srp(int tst
)
6114 char *userid
= "test", *password
= "password", *tstsrpfile
;
6115 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6116 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6117 int ret
, testresult
= 0;
6119 vbase
= SRP_VBASE_new(NULL
);
6120 if (!TEST_ptr(vbase
))
6123 if (tst
== 0 || tst
== 1) {
6124 if (!TEST_true(create_new_vbase(userid
, password
)))
6127 if (tst
== 4 || tst
== 5) {
6128 if (!TEST_true(create_new_vfile(userid
, password
, tmpfilename
)))
6130 tstsrpfile
= tmpfilename
;
6132 tstsrpfile
= srpvfile
;
6134 if (!TEST_int_eq(SRP_VBASE_init(vbase
, tstsrpfile
), SRP_NO_ERROR
))
6138 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6139 TLS_client_method(), TLS1_VERSION
, 0,
6140 &sctx
, &cctx
, cert
, privkey
)))
6143 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx
, ssl_srp_cb
), 0)
6144 || !TEST_true(SSL_CTX_set_cipher_list(cctx
, "SRP-AES-128-CBC-SHA"))
6145 || !TEST_true(SSL_CTX_set_max_proto_version(sctx
, TLS1_2_VERSION
))
6146 || !TEST_true(SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
))
6147 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx
, userid
), 0))
6151 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx
, "badpass"), 0))
6154 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx
, password
), 0))
6158 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6162 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
6164 if (!TEST_true(tst
% 2 == 0))
6167 if (!TEST_true(tst
% 2 == 1))
6174 SRP_VBASE_free(vbase
);
6176 SSL_free(serverssl
);
6177 SSL_free(clientssl
);
6185 static int info_cb_failed
= 0;
6186 static int info_cb_offset
= 0;
6187 static int info_cb_this_state
= -1;
6189 static struct info_cb_states_st
{
6191 const char *statestr
;
6192 } info_cb_states
[][60] = {
6194 /* TLSv1.2 server followed by resumption */
6195 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
6196 {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
6197 {SSL_CB_LOOP
, "TWSC"}, {SSL_CB_LOOP
, "TWSKE"}, {SSL_CB_LOOP
, "TWSD"},
6198 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWSD"}, {SSL_CB_LOOP
, "TRCKE"},
6199 {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWST"},
6200 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
6201 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
6202 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
6203 {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "TRCH"},
6204 {SSL_CB_LOOP
, "TWSH"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
6205 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TRCCS"},
6206 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
6207 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
6209 /* TLSv1.2 client followed by resumption */
6210 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
6211 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
6212 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TRSC"}, {SSL_CB_LOOP
, "TRSKE"},
6213 {SSL_CB_LOOP
, "TRSD"}, {SSL_CB_LOOP
, "TWCKE"}, {SSL_CB_LOOP
, "TWCCS"},
6214 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWFIN"},
6215 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"},
6216 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
6217 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
6218 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
6219 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"},
6220 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
6221 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
6223 /* TLSv1.3 server followed by resumption */
6224 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
6225 {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
6226 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWSC"},
6227 {SSL_CB_LOOP
, "TRSCV"}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TED"},
6228 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRFIN"},
6229 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_LOOP
, "TWST"},
6230 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
6231 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
6232 {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
6233 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
6234 {SSL_CB_LOOP
, "TED"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"},
6235 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
6236 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
6238 /* TLSv1.3 client followed by resumption */
6239 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
6240 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
6241 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"}, {SSL_CB_LOOP
, "TRSC"},
6242 {SSL_CB_LOOP
, "TRSCV"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"},
6243 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
6244 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK "}, {SSL_CB_LOOP
, "SSLOK "},
6245 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK "},
6246 {SSL_CB_LOOP
, "SSLOK "}, {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
},
6247 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
6248 {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
},
6249 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
6250 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
6251 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
6252 {SSL_CB_LOOP
, "SSLOK "}, {SSL_CB_LOOP
, "SSLOK "}, {SSL_CB_LOOP
, "TRST"},
6253 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
6255 /* TLSv1.3 server, early_data */
6256 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
6257 {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
6258 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
6259 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
6260 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TED"},
6261 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TWEOED"}, {SSL_CB_LOOP
, "TRFIN"},
6262 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_LOOP
, "TWST"},
6263 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
6265 /* TLSv1.3 client, early_data */
6266 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
6267 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TWCCS"},
6268 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
6269 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TED"},
6270 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
6271 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TPEDE"}, {SSL_CB_LOOP
, "TWEOED"},
6272 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
6273 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK "}, {SSL_CB_LOOP
, "SSLOK "},
6274 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
6280 static void sslapi_info_callback(const SSL
*s
, int where
, int ret
)
6282 struct info_cb_states_st
*state
= info_cb_states
[info_cb_offset
];
6284 /* We do not ever expect a connection to fail in this test */
6285 if (!TEST_false(ret
== 0)) {
6291 * Do some sanity checks. We never expect these things to happen in this
6294 if (!TEST_false((SSL_is_server(s
) && (where
& SSL_ST_CONNECT
) != 0))
6295 || !TEST_false(!SSL_is_server(s
) && (where
& SSL_ST_ACCEPT
) != 0)
6296 || !TEST_int_ne(state
[++info_cb_this_state
].where
, 0)) {
6301 /* Now check we're in the right state */
6302 if (!TEST_true((where
& state
[info_cb_this_state
].where
) != 0)) {
6306 if ((where
& SSL_CB_LOOP
) != 0
6307 && !TEST_int_eq(strcmp(SSL_state_string(s
),
6308 state
[info_cb_this_state
].statestr
), 0)) {
6314 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6316 if ((where
& SSL_CB_HANDSHAKE_DONE
)
6317 && SSL_in_init((SSL
*)s
) != 0) {
6324 * Test the info callback gets called when we expect it to.
6326 * Test 0: TLSv1.2, server
6327 * Test 1: TLSv1.2, client
6328 * Test 2: TLSv1.3, server
6329 * Test 3: TLSv1.3, client
6330 * Test 4: TLSv1.3, server, early_data
6331 * Test 5: TLSv1.3, client, early_data
6333 static int test_info_callback(int tst
)
6335 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6336 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6337 SSL_SESSION
*clntsess
= NULL
;
6342 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6343 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6344 || !defined(OPENSSL_NO_DH))
6345 tlsvers
= TLS1_2_VERSION
;
6350 #ifndef OPENSSL_NO_TLS1_3
6351 tlsvers
= TLS1_3_VERSION
;
6359 info_cb_this_state
= -1;
6360 info_cb_offset
= tst
;
6362 #ifndef OPENSSL_NO_TLS1_3
6364 SSL_SESSION
*sess
= NULL
;
6365 size_t written
, readbytes
;
6366 unsigned char buf
[80];
6368 /* early_data tests */
6369 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
6370 &serverssl
, &sess
, 0)))
6373 /* We don't actually need this reference */
6374 SSL_SESSION_free(sess
);
6376 SSL_set_info_callback((tst
% 2) == 0 ? serverssl
: clientssl
,
6377 sslapi_info_callback
);
6379 /* Write and read some early data and then complete the connection */
6380 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
6382 || !TEST_size_t_eq(written
, strlen(MSG1
))
6383 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
,
6384 sizeof(buf
), &readbytes
),
6385 SSL_READ_EARLY_DATA_SUCCESS
)
6386 || !TEST_mem_eq(MSG1
, readbytes
, buf
, strlen(MSG1
))
6387 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
6388 SSL_EARLY_DATA_ACCEPTED
)
6389 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6391 || !TEST_false(info_cb_failed
))
6399 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6400 TLS_client_method(),
6401 tlsvers
, tlsvers
, &sctx
, &cctx
, cert
,
6405 if (!TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
6409 * For even numbered tests we check the server callbacks. For odd numbers we
6412 SSL_CTX_set_info_callback((tst
% 2) == 0 ? sctx
: cctx
,
6413 sslapi_info_callback
);
6415 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
6416 &clientssl
, NULL
, NULL
))
6417 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6419 || !TEST_false(info_cb_failed
))
6424 clntsess
= SSL_get1_session(clientssl
);
6425 SSL_shutdown(clientssl
);
6426 SSL_shutdown(serverssl
);
6427 SSL_free(serverssl
);
6428 SSL_free(clientssl
);
6429 serverssl
= clientssl
= NULL
;
6431 /* Now do a resumption */
6432 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
6434 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
6435 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6437 || !TEST_true(SSL_session_reused(clientssl
))
6438 || !TEST_false(info_cb_failed
))
6444 SSL_free(serverssl
);
6445 SSL_free(clientssl
);
6446 SSL_SESSION_free(clntsess
);
6452 static int test_ssl_pending(int tst
)
6454 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6455 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6457 char msg
[] = "A test message";
6459 size_t written
, readbytes
;
6462 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6463 TLS_client_method(),
6465 &sctx
, &cctx
, cert
, privkey
)))
6468 #ifndef OPENSSL_NO_DTLS
6469 if (!TEST_true(create_ssl_ctx_pair(libctx
, DTLS_server_method(),
6470 DTLS_client_method(),
6472 &sctx
, &cctx
, cert
, privkey
)))
6479 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6481 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6485 if (!TEST_int_eq(SSL_pending(clientssl
), 0)
6486 || !TEST_false(SSL_has_pending(clientssl
))
6487 || !TEST_int_eq(SSL_pending(serverssl
), 0)
6488 || !TEST_false(SSL_has_pending(serverssl
))
6489 || !TEST_true(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
6490 || !TEST_size_t_eq(written
, sizeof(msg
))
6491 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
6492 || !TEST_size_t_eq(readbytes
, sizeof(buf
))
6493 || !TEST_int_eq(SSL_pending(clientssl
), (int)(written
- readbytes
))
6494 || !TEST_true(SSL_has_pending(clientssl
)))
6500 SSL_free(serverssl
);
6501 SSL_free(clientssl
);
6509 unsigned int maxprot
;
6510 const char *clntciphers
;
6511 const char *clnttls13ciphers
;
6512 const char *srvrciphers
;
6513 const char *srvrtls13ciphers
;
6515 const char *fipsshared
;
6516 } shared_ciphers_data
[] = {
6518 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6519 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6521 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6524 "AES128-SHA:AES256-SHA",
6526 "AES256-SHA:DHE-RSA-AES128-SHA",
6531 # if !defined(OPENSSL_NO_CHACHA) \
6532 && !defined(OPENSSL_NO_POLY1305) \
6533 && !defined(OPENSSL_NO_EC)
6536 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6538 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6540 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6546 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6548 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6550 "AES128-SHA:AES256-SHA",
6551 "AES128-SHA:AES256-SHA"
6555 "AES128-SHA:AES256-SHA",
6557 "AES128-SHA:DHE-RSA-AES128-SHA",
6564 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6567 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6568 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6571 "AES128-SHA:AES256-SHA",
6573 "AES256-SHA:AES128-SHA256",
6575 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6576 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6577 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6580 #ifndef OPENSSL_NO_TLS1_3
6584 "TLS_AES_256_GCM_SHA384",
6586 "TLS_AES_256_GCM_SHA384",
6587 "TLS_AES_256_GCM_SHA384",
6588 "TLS_AES_256_GCM_SHA384"
6593 static int int_test_ssl_get_shared_ciphers(int tst
, int clnt
)
6595 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6596 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6599 OSSL_LIB_CTX
*tmplibctx
= OSSL_LIB_CTX_new();
6601 if (!TEST_ptr(tmplibctx
))
6605 * Regardless of whether we're testing with the FIPS provider loaded into
6606 * libctx, we want one peer to always use the full set of ciphersuites
6607 * available. Therefore we use a separate libctx with the default provider
6608 * loaded into it. We run the same tests twice - once with the client side
6609 * having the full set of ciphersuites and once with the server side.
6612 cctx
= SSL_CTX_new_ex(tmplibctx
, NULL
, TLS_client_method());
6613 if (!TEST_ptr(cctx
))
6616 sctx
= SSL_CTX_new_ex(tmplibctx
, NULL
, TLS_server_method());
6617 if (!TEST_ptr(sctx
))
6621 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6622 TLS_client_method(),
6624 shared_ciphers_data
[tst
].maxprot
,
6625 &sctx
, &cctx
, cert
, privkey
)))
6628 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
6629 shared_ciphers_data
[tst
].clntciphers
))
6630 || (shared_ciphers_data
[tst
].clnttls13ciphers
!= NULL
6631 && !TEST_true(SSL_CTX_set_ciphersuites(cctx
,
6632 shared_ciphers_data
[tst
].clnttls13ciphers
)))
6633 || !TEST_true(SSL_CTX_set_cipher_list(sctx
,
6634 shared_ciphers_data
[tst
].srvrciphers
))
6635 || (shared_ciphers_data
[tst
].srvrtls13ciphers
!= NULL
6636 && !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
6637 shared_ciphers_data
[tst
].srvrtls13ciphers
))))
6641 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6643 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6647 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl
, buf
, sizeof(buf
)))
6648 || !TEST_int_eq(strcmp(buf
,
6650 ? shared_ciphers_data
[tst
].fipsshared
6651 : shared_ciphers_data
[tst
].shared
),
6653 TEST_info("Shared ciphers are: %s\n", buf
);
6660 SSL_free(serverssl
);
6661 SSL_free(clientssl
);
6664 OSSL_LIB_CTX_free(tmplibctx
);
6669 static int test_ssl_get_shared_ciphers(int tst
)
6671 return int_test_ssl_get_shared_ciphers(tst
, 0)
6672 && int_test_ssl_get_shared_ciphers(tst
, 1);
6676 static const char *appdata
= "Hello World";
6677 static int gen_tick_called
, dec_tick_called
, tick_key_cb_called
;
6678 static int tick_key_renew
= 0;
6679 static SSL_TICKET_RETURN tick_dec_ret
= SSL_TICKET_RETURN_ABORT
;
6681 static int gen_tick_cb(SSL
*s
, void *arg
)
6683 gen_tick_called
= 1;
6685 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s
), appdata
,
6689 static SSL_TICKET_RETURN
dec_tick_cb(SSL
*s
, SSL_SESSION
*ss
,
6690 const unsigned char *keyname
,
6691 size_t keyname_length
,
6692 SSL_TICKET_STATUS status
,
6698 dec_tick_called
= 1;
6700 if (status
== SSL_TICKET_EMPTY
)
6701 return SSL_TICKET_RETURN_IGNORE_RENEW
;
6703 if (!TEST_true(status
== SSL_TICKET_SUCCESS
6704 || status
== SSL_TICKET_SUCCESS_RENEW
))
6705 return SSL_TICKET_RETURN_ABORT
;
6707 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss
, &tickdata
,
6709 || !TEST_size_t_eq(tickdlen
, strlen(appdata
))
6710 || !TEST_int_eq(memcmp(tickdata
, appdata
, tickdlen
), 0))
6711 return SSL_TICKET_RETURN_ABORT
;
6713 if (tick_key_cb_called
) {
6714 /* Don't change what the ticket key callback wanted to do */
6716 case SSL_TICKET_NO_DECRYPT
:
6717 return SSL_TICKET_RETURN_IGNORE_RENEW
;
6719 case SSL_TICKET_SUCCESS
:
6720 return SSL_TICKET_RETURN_USE
;
6722 case SSL_TICKET_SUCCESS_RENEW
:
6723 return SSL_TICKET_RETURN_USE_RENEW
;
6726 return SSL_TICKET_RETURN_ABORT
;
6729 return tick_dec_ret
;
6733 #ifndef OPENSSL_NO_DEPRECATED_3_0
6734 static int tick_key_cb(SSL
*s
, unsigned char key_name
[16],
6735 unsigned char iv
[EVP_MAX_IV_LENGTH
], EVP_CIPHER_CTX
*ctx
,
6736 HMAC_CTX
*hctx
, int enc
)
6738 const unsigned char tick_aes_key
[16] = "0123456789abcdef";
6739 const unsigned char tick_hmac_key
[16] = "0123456789abcdef";
6740 EVP_CIPHER
*aes128cbc
= EVP_CIPHER_fetch(libctx
, "AES-128-CBC", NULL
);
6741 EVP_MD
*sha256
= EVP_MD_fetch(libctx
, "SHA-256", NULL
);
6744 tick_key_cb_called
= 1;
6745 memset(iv
, 0, AES_BLOCK_SIZE
);
6746 memset(key_name
, 0, 16);
6747 if (aes128cbc
== NULL
6749 || !EVP_CipherInit_ex(ctx
, aes128cbc
, NULL
, tick_aes_key
, iv
, enc
)
6750 || !HMAC_Init_ex(hctx
, tick_hmac_key
, sizeof(tick_hmac_key
), sha256
,
6754 ret
= tick_key_renew
? 2 : 1;
6756 EVP_CIPHER_free(aes128cbc
);
6757 EVP_MD_free(sha256
);
6763 static int tick_key_evp_cb(SSL
*s
, unsigned char key_name
[16],
6764 unsigned char iv
[EVP_MAX_IV_LENGTH
],
6765 EVP_CIPHER_CTX
*ctx
, EVP_MAC_CTX
*hctx
, int enc
)
6767 const unsigned char tick_aes_key
[16] = "0123456789abcdef";
6768 unsigned char tick_hmac_key
[16] = "0123456789abcdef";
6769 OSSL_PARAM params
[3];
6770 EVP_CIPHER
*aes128cbc
= EVP_CIPHER_fetch(libctx
, "AES-128-CBC", NULL
);
6773 tick_key_cb_called
= 1;
6774 memset(iv
, 0, AES_BLOCK_SIZE
);
6775 memset(key_name
, 0, 16);
6776 params
[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST
,
6778 params
[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY
,
6780 sizeof(tick_hmac_key
));
6781 params
[2] = OSSL_PARAM_construct_end();
6782 if (aes128cbc
== NULL
6783 || !EVP_CipherInit_ex(ctx
, aes128cbc
, NULL
, tick_aes_key
, iv
, enc
)
6784 || !EVP_MAC_CTX_set_params(hctx
, params
)
6785 || !EVP_MAC_init(hctx
))
6788 ret
= tick_key_renew
? 2 : 1;
6790 EVP_CIPHER_free(aes128cbc
);
6796 * Test the various ticket callbacks
6797 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6798 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6799 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6800 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6801 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6802 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6803 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6804 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6805 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6806 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6807 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6808 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6809 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6810 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6811 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6812 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6814 static int test_ticket_callbacks(int tst
)
6816 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6817 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6818 SSL_SESSION
*clntsess
= NULL
;
6821 #ifdef OPENSSL_NO_TLS1_2
6825 #ifdef OPENSSL_NO_TLS1_3
6829 #ifdef OPENSSL_NO_DEPRECATED_3_0
6830 if (tst
>= 8 && tst
<= 11)
6834 gen_tick_called
= dec_tick_called
= tick_key_cb_called
= 0;
6836 /* Which tests the ticket key callback should request renewal for */
6837 if (tst
== 10 || tst
== 11 || tst
== 14 || tst
== 15)
6842 /* Which tests the decrypt ticket callback should request renewal for */
6846 tick_dec_ret
= SSL_TICKET_RETURN_IGNORE
;
6851 tick_dec_ret
= SSL_TICKET_RETURN_IGNORE_RENEW
;
6856 tick_dec_ret
= SSL_TICKET_RETURN_USE
;
6861 tick_dec_ret
= SSL_TICKET_RETURN_USE_RENEW
;
6865 tick_dec_ret
= SSL_TICKET_RETURN_ABORT
;
6868 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6869 TLS_client_method(),
6871 ((tst
% 2) == 0) ? TLS1_2_VERSION
6873 &sctx
, &cctx
, cert
, privkey
)))
6877 * We only want sessions to resume from tickets - not the session cache. So
6878 * switch the cache off.
6880 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx
, SSL_SESS_CACHE_OFF
)))
6883 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx
, gen_tick_cb
, dec_tick_cb
,
6888 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx
, tick_key_evp_cb
)))
6890 #ifndef OPENSSL_NO_DEPRECATED_3_0
6891 } else if (tst
>= 8) {
6892 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx
, tick_key_cb
)))
6897 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6899 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6904 * The decrypt ticket key callback in TLSv1.2 should be called even though
6905 * we have no ticket yet, because it gets called with a status of
6906 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6907 * actually send any ticket data). This does not happen in TLSv1.3 because
6908 * it is not valid to send empty ticket data in TLSv1.3.
6910 if (!TEST_int_eq(gen_tick_called
, 1)
6911 || !TEST_int_eq(dec_tick_called
, ((tst
% 2) == 0) ? 1 : 0))
6914 gen_tick_called
= dec_tick_called
= 0;
6916 clntsess
= SSL_get1_session(clientssl
);
6917 SSL_shutdown(clientssl
);
6918 SSL_shutdown(serverssl
);
6919 SSL_free(serverssl
);
6920 SSL_free(clientssl
);
6921 serverssl
= clientssl
= NULL
;
6923 /* Now do a resumption */
6924 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
6926 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
6927 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6931 if (tick_dec_ret
== SSL_TICKET_RETURN_IGNORE
6932 || tick_dec_ret
== SSL_TICKET_RETURN_IGNORE_RENEW
) {
6933 if (!TEST_false(SSL_session_reused(clientssl
)))
6936 if (!TEST_true(SSL_session_reused(clientssl
)))
6940 if (!TEST_int_eq(gen_tick_called
,
6942 || tick_dec_ret
== SSL_TICKET_RETURN_IGNORE_RENEW
6943 || tick_dec_ret
== SSL_TICKET_RETURN_USE_RENEW
)
6945 || !TEST_int_eq(dec_tick_called
, 1))
6951 SSL_SESSION_free(clntsess
);
6952 SSL_free(serverssl
);
6953 SSL_free(clientssl
);
6961 * Test incorrect shutdown.
6962 * Test 0: client does not shutdown properly,
6963 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
6964 * server should get SSL_ERROR_SSL
6965 * Test 1: client does not shutdown properly,
6966 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
6967 * server should get SSL_ERROR_ZERO_RETURN
6969 static int test_incorrect_shutdown(int tst
)
6971 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6972 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6977 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6978 TLS_client_method(), 0, 0,
6979 &sctx
, &cctx
, cert
, privkey
)))
6983 SSL_CTX_set_options(sctx
, SSL_OP_IGNORE_UNEXPECTED_EOF
);
6985 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6989 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
6993 c2s
= SSL_get_rbio(serverssl
);
6994 BIO_set_mem_eof_return(c2s
, 0);
6996 if (!TEST_false(SSL_read(serverssl
, buf
, sizeof(buf
))))
6999 if (tst
== 0 && !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_SSL
) )
7001 if (tst
== 1 && !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_ZERO_RETURN
) )
7007 SSL_free(serverssl
);
7008 SSL_free(clientssl
);
7016 * Test bi-directional shutdown.
7018 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7019 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7020 * Test 3: TLSv1.3, pending NewSessionTicket messages
7021 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7022 * sends key update, client reads it
7023 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7024 * sends CertificateRequest, client reads and ignores it
7025 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7028 static int test_shutdown(int tst
)
7030 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7031 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7033 char msg
[] = "A test message";
7035 size_t written
, readbytes
;
7038 #ifdef OPENSSL_NO_TLS1_2
7042 #ifdef OPENSSL_NO_TLS1_3
7047 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7048 TLS_client_method(),
7050 (tst
<= 1) ? TLS1_2_VERSION
7052 &sctx
, &cctx
, cert
, privkey
)))
7056 SSL_CTX_set_post_handshake_auth(cctx
, 1);
7058 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7063 if (!TEST_true(create_bare_ssl_connection(serverssl
, clientssl
,
7065 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
7066 || !TEST_false(SSL_SESSION_is_resumable(sess
)))
7068 } else if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
7070 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
7071 || !TEST_true(SSL_SESSION_is_resumable(sess
))) {
7075 if (!TEST_int_eq(SSL_shutdown(clientssl
), 0))
7080 * Reading on the server after the client has sent close_notify should
7081 * fail and provide SSL_ERROR_ZERO_RETURN
7083 if (!TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
7084 || !TEST_int_eq(SSL_get_error(serverssl
, 0),
7085 SSL_ERROR_ZERO_RETURN
)
7086 || !TEST_int_eq(SSL_get_shutdown(serverssl
),
7087 SSL_RECEIVED_SHUTDOWN
)
7089 * Even though we're shutdown on receive we should still be
7092 || !TEST_true(SSL_write(serverssl
, msg
, sizeof(msg
))))
7095 && !TEST_true(SSL_key_update(serverssl
,
7096 SSL_KEY_UPDATE_REQUESTED
)))
7099 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
, NULL
);
7100 if (!TEST_true(SSL_verify_client_post_handshake(serverssl
)))
7103 if ((tst
== 4 || tst
== 5)
7104 && !TEST_true(SSL_write(serverssl
, msg
, sizeof(msg
))))
7106 if (!TEST_int_eq(SSL_shutdown(serverssl
), 1))
7108 if (tst
== 4 || tst
== 5) {
7109 /* Should still be able to read data from server */
7110 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
7112 || !TEST_size_t_eq(readbytes
, sizeof(msg
))
7113 || !TEST_int_eq(memcmp(msg
, buf
, readbytes
), 0)
7114 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
7116 || !TEST_size_t_eq(readbytes
, sizeof(msg
))
7117 || !TEST_int_eq(memcmp(msg
, buf
, readbytes
), 0))
7122 /* Writing on the client after sending close_notify shouldn't be possible */
7123 if (!TEST_false(SSL_write_ex(clientssl
, msg
, sizeof(msg
), &written
)))
7128 * For these tests the client has sent close_notify but it has not yet
7129 * been received by the server. The server has not sent close_notify
7132 if (!TEST_int_eq(SSL_shutdown(serverssl
), 0)
7134 * Writing on the server after sending close_notify shouldn't
7137 || !TEST_false(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
7138 || !TEST_int_eq(SSL_shutdown(clientssl
), 1)
7139 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
7140 || !TEST_true(SSL_SESSION_is_resumable(sess
))
7141 || !TEST_int_eq(SSL_shutdown(serverssl
), 1))
7143 } else if (tst
== 4 || tst
== 5) {
7145 * In this test the client has sent close_notify and it has been
7146 * received by the server which has responded with a close_notify. The
7147 * client needs to read the close_notify sent by the server.
7149 if (!TEST_int_eq(SSL_shutdown(clientssl
), 1)
7150 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
7151 || !TEST_true(SSL_SESSION_is_resumable(sess
)))
7157 * The client has sent close_notify and is expecting a close_notify
7158 * back, but instead there is application data first. The shutdown
7159 * should fail with a fatal error.
7161 if (!TEST_int_eq(SSL_shutdown(clientssl
), -1)
7162 || !TEST_int_eq(SSL_get_error(clientssl
, -1), SSL_ERROR_SSL
))
7169 SSL_free(serverssl
);
7170 SSL_free(clientssl
);
7177 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7178 static int cert_cb_cnt
;
7180 static int cert_cb(SSL
*s
, void *arg
)
7182 SSL_CTX
*ctx
= (SSL_CTX
*)arg
;
7184 EVP_PKEY
*pkey
= NULL
;
7185 X509
*x509
= NULL
, *rootx
= NULL
;
7186 STACK_OF(X509
) *chain
= NULL
;
7187 char *rootfile
= NULL
, *ecdsacert
= NULL
, *ecdsakey
= NULL
;
7190 if (cert_cb_cnt
== 0) {
7191 /* Suspend the handshake */
7194 } else if (cert_cb_cnt
== 1) {
7196 * Update the SSL_CTX, set the certificate and private key and then
7197 * continue the handshake normally.
7199 if (ctx
!= NULL
&& !TEST_ptr(SSL_set_SSL_CTX(s
, ctx
)))
7202 if (!TEST_true(SSL_use_certificate_file(s
, cert
, SSL_FILETYPE_PEM
))
7203 || !TEST_true(SSL_use_PrivateKey_file(s
, privkey
,
7205 || !TEST_true(SSL_check_private_key(s
)))
7209 } else if (cert_cb_cnt
== 3) {
7212 rootfile
= test_mk_file_path(certsdir
, "rootcert.pem");
7213 ecdsacert
= test_mk_file_path(certsdir
, "server-ecdsa-cert.pem");
7214 ecdsakey
= test_mk_file_path(certsdir
, "server-ecdsa-key.pem");
7215 if (!TEST_ptr(rootfile
) || !TEST_ptr(ecdsacert
) || !TEST_ptr(ecdsakey
))
7217 chain
= sk_X509_new_null();
7218 if (!TEST_ptr(chain
))
7220 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
7221 || !TEST_int_ge(BIO_read_filename(in
, rootfile
), 0)
7222 || !TEST_ptr(rootx
= X509_new_ex(libctx
, NULL
))
7223 || !TEST_ptr(PEM_read_bio_X509(in
, &rootx
, NULL
, NULL
))
7224 || !TEST_true(sk_X509_push(chain
, rootx
)))
7228 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
7229 || !TEST_int_ge(BIO_read_filename(in
, ecdsacert
), 0)
7230 || !TEST_ptr(x509
= X509_new_ex(libctx
, NULL
))
7231 || !TEST_ptr(PEM_read_bio_X509(in
, &x509
, NULL
, NULL
)))
7234 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
7235 || !TEST_int_ge(BIO_read_filename(in
, ecdsakey
), 0)
7236 || !TEST_ptr(pkey
= PEM_read_bio_PrivateKey_ex(in
, NULL
,
7240 rv
= SSL_check_chain(s
, x509
, pkey
, chain
);
7242 * If the cert doesn't show as valid here (e.g., because we don't
7243 * have any shared sigalgs), then we will not set it, and there will
7244 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7245 * will cause tls_choose_sigalgs() to fail the connection.
7247 if ((rv
& (CERT_PKEY_VALID
| CERT_PKEY_CA_SIGNATURE
))
7248 == (CERT_PKEY_VALID
| CERT_PKEY_CA_SIGNATURE
)) {
7249 if (!SSL_use_cert_and_key(s
, x509
, pkey
, NULL
, 1))
7256 /* Abort the handshake */
7258 OPENSSL_free(ecdsacert
);
7259 OPENSSL_free(ecdsakey
);
7260 OPENSSL_free(rootfile
);
7262 EVP_PKEY_free(pkey
);
7265 sk_X509_pop_free(chain
, X509_free
);
7270 * Test the certificate callback.
7271 * Test 0: Callback fails
7272 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7273 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7274 * Test 3: Success - Call SSL_check_chain from the callback
7275 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7277 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7279 static int test_cert_cb_int(int prot
, int tst
)
7281 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *snictx
= NULL
;
7282 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7283 int testresult
= 0, ret
;
7285 #ifdef OPENSSL_NO_EC
7286 /* We use an EC cert in these tests, so we skip in a no-ec build */
7291 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7292 TLS_client_method(),
7295 &sctx
, &cctx
, NULL
, NULL
)))
7306 snictx
= SSL_CTX_new(TLS_server_method());
7307 SSL_CTX_set_cert_cb(sctx
, cert_cb
, snictx
);
7309 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7315 * We cause SSL_check_chain() to fail by specifying sig_algs that
7316 * the chain doesn't meet (the root uses an RSA cert)
7318 if (!TEST_true(SSL_set1_sigalgs_list(clientssl
,
7319 "ecdsa_secp256r1_sha256")))
7321 } else if (tst
== 5) {
7323 * We cause SSL_check_chain() to fail by specifying sig_algs that
7324 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7326 if (!TEST_true(SSL_set1_sigalgs_list(clientssl
,
7327 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7331 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
7332 if (!TEST_true(tst
== 0 || tst
== 4 || tst
== 5 ? !ret
: ret
)
7334 && !TEST_int_eq((cert_cb_cnt
- 2) * (cert_cb_cnt
- 3), 0))) {
7341 SSL_free(serverssl
);
7342 SSL_free(clientssl
);
7345 SSL_CTX_free(snictx
);
7351 static int test_cert_cb(int tst
)
7355 #ifndef OPENSSL_NO_TLS1_2
7356 testresult
&= test_cert_cb_int(TLS1_2_VERSION
, tst
);
7358 #ifndef OPENSSL_NO_TLS1_3
7359 testresult
&= test_cert_cb_int(TLS1_3_VERSION
, tst
);
7365 static int client_cert_cb(SSL
*ssl
, X509
**x509
, EVP_PKEY
**pkey
)
7370 BIO
*priv_in
= NULL
;
7372 /* Check that SSL_get0_peer_certificate() returns something sensible */
7373 if (!TEST_ptr(SSL_get0_peer_certificate(ssl
)))
7376 in
= BIO_new_file(cert
, "r");
7380 if (!TEST_ptr(xcert
= X509_new_ex(libctx
, NULL
))
7381 || !TEST_ptr(PEM_read_bio_X509(in
, &xcert
, NULL
, NULL
))
7382 || !TEST_ptr(priv_in
= BIO_new_file(privkey
, "r"))
7383 || !TEST_ptr(privpkey
= PEM_read_bio_PrivateKey_ex(priv_in
, NULL
,
7401 static int verify_cb(int preverify_ok
, X509_STORE_CTX
*x509_ctx
)
7406 static int test_client_cert_cb(int tst
)
7408 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7409 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7412 #ifdef OPENSSL_NO_TLS1_2
7416 #ifdef OPENSSL_NO_TLS1_3
7421 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7422 TLS_client_method(),
7424 tst
== 0 ? TLS1_2_VERSION
7426 &sctx
, &cctx
, cert
, privkey
)))
7430 * Test that setting a client_cert_cb results in a client certificate being
7433 SSL_CTX_set_client_cert_cb(cctx
, client_cert_cb
);
7434 SSL_CTX_set_verify(sctx
,
7435 SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
,
7438 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7440 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7447 SSL_free(serverssl
);
7448 SSL_free(clientssl
);
7455 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7457 * Test setting certificate authorities on both client and server.
7459 * Test 0: SSL_CTX_set0_CA_list() only
7460 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7461 * Test 2: Only SSL_CTX_set_client_CA_list()
7463 static int test_ca_names_int(int prot
, int tst
)
7465 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7466 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7469 X509_NAME
*name
[] = { NULL
, NULL
, NULL
, NULL
};
7470 char *strnames
[] = { "Jack", "Jill", "John", "Joanne" };
7471 STACK_OF(X509_NAME
) *sk1
= NULL
, *sk2
= NULL
;
7472 const STACK_OF(X509_NAME
) *sktmp
= NULL
;
7474 for (i
= 0; i
< OSSL_NELEM(name
); i
++) {
7475 name
[i
] = X509_NAME_new();
7476 if (!TEST_ptr(name
[i
])
7477 || !TEST_true(X509_NAME_add_entry_by_txt(name
[i
], "CN",
7485 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7486 TLS_client_method(),
7489 &sctx
, &cctx
, cert
, privkey
)))
7492 SSL_CTX_set_verify(sctx
, SSL_VERIFY_PEER
, NULL
);
7494 if (tst
== 0 || tst
== 1) {
7495 if (!TEST_ptr(sk1
= sk_X509_NAME_new_null())
7496 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[0])))
7497 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[1])))
7498 || !TEST_ptr(sk2
= sk_X509_NAME_new_null())
7499 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[0])))
7500 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[1]))))
7503 SSL_CTX_set0_CA_list(sctx
, sk1
);
7504 SSL_CTX_set0_CA_list(cctx
, sk2
);
7507 if (tst
== 1 || tst
== 2) {
7508 if (!TEST_ptr(sk1
= sk_X509_NAME_new_null())
7509 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[2])))
7510 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[3])))
7511 || !TEST_ptr(sk2
= sk_X509_NAME_new_null())
7512 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[2])))
7513 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[3]))))
7516 SSL_CTX_set_client_CA_list(sctx
, sk1
);
7517 SSL_CTX_set_client_CA_list(cctx
, sk2
);
7521 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7523 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7528 * We only expect certificate authorities to have been sent to the server
7529 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7531 sktmp
= SSL_get0_peer_CA_list(serverssl
);
7532 if (prot
== TLS1_3_VERSION
7533 && (tst
== 0 || tst
== 1)) {
7534 if (!TEST_ptr(sktmp
)
7535 || !TEST_int_eq(sk_X509_NAME_num(sktmp
), 2)
7536 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 0),
7538 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 1),
7541 } else if (!TEST_ptr_null(sktmp
)) {
7546 * In all tests we expect certificate authorities to have been sent to the
7547 * client. However, SSL_set_client_CA_list() should override
7548 * SSL_set0_CA_list()
7550 sktmp
= SSL_get0_peer_CA_list(clientssl
);
7551 if (!TEST_ptr(sktmp
)
7552 || !TEST_int_eq(sk_X509_NAME_num(sktmp
), 2)
7553 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 0),
7554 name
[tst
== 0 ? 0 : 2]), 0)
7555 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 1),
7556 name
[tst
== 0 ? 1 : 3]), 0))
7562 SSL_free(serverssl
);
7563 SSL_free(clientssl
);
7566 for (i
= 0; i
< OSSL_NELEM(name
); i
++)
7567 X509_NAME_free(name
[i
]);
7568 sk_X509_NAME_pop_free(sk1
, X509_NAME_free
);
7569 sk_X509_NAME_pop_free(sk2
, X509_NAME_free
);
7575 static int test_ca_names(int tst
)
7579 #ifndef OPENSSL_NO_TLS1_2
7580 testresult
&= test_ca_names_int(TLS1_2_VERSION
, tst
);
7582 #ifndef OPENSSL_NO_TLS1_3
7583 testresult
&= test_ca_names_int(TLS1_3_VERSION
, tst
);
7589 #ifndef OPENSSL_NO_TLS1_2
7590 static const char *multiblock_cipherlist_data
[]=
7598 /* Reduce the fragment size - so the multiblock test buffer can be small */
7599 # define MULTIBLOCK_FRAGSIZE 512
7601 static int test_multiblock_write(int test_index
)
7603 static const char *fetchable_ciphers
[]=
7605 "AES-128-CBC-HMAC-SHA1",
7606 "AES-128-CBC-HMAC-SHA256",
7607 "AES-256-CBC-HMAC-SHA1",
7608 "AES-256-CBC-HMAC-SHA256"
7610 const char *cipherlist
= multiblock_cipherlist_data
[test_index
];
7611 const SSL_METHOD
*smeth
= TLS_server_method();
7612 const SSL_METHOD
*cmeth
= TLS_client_method();
7613 int min_version
= TLS1_VERSION
;
7614 int max_version
= TLS1_2_VERSION
; /* Don't select TLS1_3 */
7615 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7616 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7620 * Choose a buffer large enough to perform a multi-block operation
7621 * i.e: write_len >= 4 * frag_size
7622 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7624 unsigned char msg
[MULTIBLOCK_FRAGSIZE
* 9];
7625 unsigned char buf
[sizeof(msg
)], *p
= buf
;
7626 size_t readbytes
, written
, len
;
7627 EVP_CIPHER
*ciph
= NULL
;
7630 * Check if the cipher exists before attempting to use it since it only has
7631 * a hardware specific implementation.
7633 ciph
= EVP_CIPHER_fetch(NULL
, fetchable_ciphers
[test_index
], "");
7635 TEST_skip("Multiblock cipher is not available for %s", cipherlist
);
7638 EVP_CIPHER_free(ciph
);
7640 /* Set up a buffer with some data that will be sent to the client */
7641 RAND_bytes(msg
, sizeof(msg
));
7643 if (!TEST_true(create_ssl_ctx_pair(libctx
, smeth
, cmeth
, min_version
,
7644 max_version
, &sctx
, &cctx
, cert
,
7648 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx
, MULTIBLOCK_FRAGSIZE
)))
7651 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7655 /* settings to force it to use AES-CBC-HMAC_SHA */
7656 SSL_set_options(serverssl
, SSL_OP_NO_ENCRYPT_THEN_MAC
);
7657 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipherlist
)))
7660 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
7663 if (!TEST_true(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
7664 || !TEST_size_t_eq(written
, sizeof(msg
)))
7669 if (!TEST_true(SSL_read_ex(clientssl
, p
, MULTIBLOCK_FRAGSIZE
, &readbytes
)))
7674 if (!TEST_mem_eq(msg
, sizeof(msg
), buf
, sizeof(buf
)))
7679 SSL_free(serverssl
);
7680 SSL_free(clientssl
);
7686 #endif /* OPENSSL_NO_TLS1_2 */
7689 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7690 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7691 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7692 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7693 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7694 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7695 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7696 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7697 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7698 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7700 static int test_servername(int tst
)
7702 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7703 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7705 SSL_SESSION
*sess
= NULL
;
7706 const char *sexpectedhost
= NULL
, *cexpectedhost
= NULL
;
7708 #ifdef OPENSSL_NO_TLS1_2
7712 #ifdef OPENSSL_NO_TLS1_3
7717 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7718 TLS_client_method(),
7720 (tst
<= 4) ? TLS1_2_VERSION
7722 &sctx
, &cctx
, cert
, privkey
))
7723 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7727 if (tst
!= 1 && tst
!= 6) {
7728 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
,
7733 if (tst
!= 3 && tst
!= 8) {
7734 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost")))
7736 sexpectedhost
= cexpectedhost
= "goodhost";
7739 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
7742 if (!TEST_str_eq(SSL_get_servername(clientssl
, TLSEXT_NAMETYPE_host_name
),
7744 || !TEST_str_eq(SSL_get_servername(serverssl
,
7745 TLSEXT_NAMETYPE_host_name
),
7749 /* Now repeat with a resumption handshake */
7751 if (!TEST_int_eq(SSL_shutdown(clientssl
), 0)
7752 || !TEST_ptr_ne(sess
= SSL_get1_session(clientssl
), NULL
)
7753 || !TEST_true(SSL_SESSION_is_resumable(sess
))
7754 || !TEST_int_eq(SSL_shutdown(serverssl
), 0))
7757 SSL_free(clientssl
);
7758 SSL_free(serverssl
);
7759 clientssl
= serverssl
= NULL
;
7761 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
7765 if (!TEST_true(SSL_set_session(clientssl
, sess
)))
7768 sexpectedhost
= cexpectedhost
= "goodhost";
7769 if (tst
== 2 || tst
== 7) {
7770 /* Set an inconsistent hostname */
7771 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "altgoodhost")))
7774 * In TLSv1.2 we expect the hostname from the original handshake, in
7775 * TLSv1.3 we expect the hostname from this handshake
7778 sexpectedhost
= cexpectedhost
= "altgoodhost";
7780 if (!TEST_str_eq(SSL_get_servername(clientssl
,
7781 TLSEXT_NAMETYPE_host_name
),
7784 } else if (tst
== 4 || tst
== 9) {
7786 * A TLSv1.3 session does not associate a session with a servername,
7787 * but a TLSv1.2 session does.
7790 sexpectedhost
= cexpectedhost
= NULL
;
7792 if (!TEST_str_eq(SSL_get_servername(clientssl
,
7793 TLSEXT_NAMETYPE_host_name
),
7797 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost")))
7800 * In a TLSv1.2 resumption where the hostname was not acknowledged
7801 * we expect the hostname on the server to be empty. On the client we
7802 * return what was requested in this case.
7804 * Similarly if the client didn't set a hostname on an original TLSv1.2
7805 * session but is now, the server hostname will be empty, but the client
7808 if (tst
== 1 || tst
== 3)
7809 sexpectedhost
= NULL
;
7811 if (!TEST_str_eq(SSL_get_servername(clientssl
,
7812 TLSEXT_NAMETYPE_host_name
),
7817 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
7820 if (!TEST_true(SSL_session_reused(clientssl
))
7821 || !TEST_true(SSL_session_reused(serverssl
))
7822 || !TEST_str_eq(SSL_get_servername(clientssl
,
7823 TLSEXT_NAMETYPE_host_name
),
7825 || !TEST_str_eq(SSL_get_servername(serverssl
,
7826 TLSEXT_NAMETYPE_host_name
),
7833 SSL_SESSION_free(sess
);
7834 SSL_free(serverssl
);
7835 SSL_free(clientssl
);
7842 #if !defined(OPENSSL_NO_EC) \
7843 && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
7845 * Test that if signature algorithms are not available, then we do not offer or
7847 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7848 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7849 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7850 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7851 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7852 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7854 static int test_sigalgs_available(int idx
)
7856 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7857 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7859 OSSL_LIB_CTX
*tmpctx
= OSSL_LIB_CTX_new();
7860 OSSL_LIB_CTX
*clientctx
= libctx
, *serverctx
= libctx
;
7861 OSSL_PROVIDER
*filterprov
= NULL
;
7864 if (!TEST_ptr(tmpctx
))
7867 if (idx
!= 0 && idx
!= 3) {
7868 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx
, "filter",
7869 filter_provider_init
)))
7872 filterprov
= OSSL_PROVIDER_load(tmpctx
, "filter");
7873 if (!TEST_ptr(filterprov
))
7878 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
7879 * or accepted for the peer that uses this libctx. Note that libssl
7880 * *requires* SHA2-256 to be available so we cannot disable that. We
7881 * also need SHA1 for our certificate.
7883 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST
,
7887 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE
,
7889 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT
,
7894 if (idx
== 1 || idx
== 4)
7900 cctx
= SSL_CTX_new_ex(clientctx
, NULL
, TLS_client_method());
7901 sctx
= SSL_CTX_new_ex(serverctx
, NULL
, TLS_server_method());
7902 if (!TEST_ptr(cctx
) || !TEST_ptr(sctx
))
7905 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7906 TLS_client_method(),
7909 &sctx
, &cctx
, cert
, privkey
)))
7912 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
7914 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
7915 "ECDHE-RSA-AES128-GCM-SHA256")))
7918 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
7919 "ECDHE-ECDSA-AES128-GCM-SHA256")))
7924 if (!SSL_CTX_set1_sigalgs_list(cctx
,
7925 "rsa_pss_rsae_sha384"
7926 ":rsa_pss_rsae_sha256")
7927 || !SSL_CTX_set1_sigalgs_list(sctx
,
7928 "rsa_pss_rsae_sha384"
7929 ":rsa_pss_rsae_sha256"))
7932 if (!SSL_CTX_set1_sigalgs_list(cctx
, "rsa_pss_rsae_sha256:ECDSA+SHA256")
7933 || !SSL_CTX_set1_sigalgs_list(sctx
,
7934 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
7938 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx
, cert2
,
7939 SSL_FILETYPE_PEM
), 1)
7940 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx
,
7942 SSL_FILETYPE_PEM
), 1)
7943 || !TEST_int_eq(SSL_CTX_check_private_key(sctx
), 1))
7946 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7950 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
7953 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
7954 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl
, 0, &sig
, &hash
, NULL
,
7956 (idx
== 0 || idx
== 3) ? 2 : 1))
7959 if (!TEST_int_eq(hash
, idx
== 0 ? NID_sha384
: NID_sha256
))
7962 if (!TEST_int_eq(sig
, (idx
== 4 || idx
== 5) ? EVP_PKEY_EC
7969 SSL_free(serverssl
);
7970 SSL_free(clientssl
);
7973 OSSL_PROVIDER_unload(filterprov
);
7974 OSSL_LIB_CTX_free(tmpctx
);
7979 * !defined(OPENSSL_NO_EC) \
7980 * && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
7983 #ifndef OPENSSL_NO_TLS1_3
7984 static int test_pluggable_group(int idx
)
7986 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7987 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7989 OSSL_PROVIDER
*tlsprov
= OSSL_PROVIDER_load(libctx
, "tls-provider");
7990 /* Check that we are not impacted by a provider without any groups */
7991 OSSL_PROVIDER
*legacyprov
= OSSL_PROVIDER_load(libctx
, "legacy");
7992 const char *group_name
= idx
== 0 ? "xorgroup" : "xorkemgroup";
7994 if (!TEST_ptr(tlsprov
))
7997 if (legacyprov
== NULL
) {
7999 * In this case we assume we've been built with "no-legacy" and skip
8000 * this test (there is no OPENSSL_NO_LEGACY)
8006 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8007 TLS_client_method(),
8010 &sctx
, &cctx
, cert
, privkey
))
8011 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8015 if (!TEST_true(SSL_set1_groups_list(serverssl
, group_name
))
8016 || !TEST_true(SSL_set1_groups_list(clientssl
, group_name
)))
8019 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8022 if (!TEST_str_eq(group_name
,
8023 SSL_group_to_name(serverssl
, SSL_get_shared_group(serverssl
, 0))))
8029 SSL_free(serverssl
);
8030 SSL_free(clientssl
);
8033 OSSL_PROVIDER_unload(tlsprov
);
8034 OSSL_PROVIDER_unload(legacyprov
);
8040 #ifndef OPENSSL_NO_TLS1_2
8041 static int test_ssl_dup(void)
8043 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8044 SSL
*clientssl
= NULL
, *serverssl
= NULL
, *client2ssl
= NULL
;
8046 BIO
*rbio
= NULL
, *wbio
= NULL
;
8048 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8049 TLS_client_method(),
8052 &sctx
, &cctx
, cert
, privkey
)))
8055 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8059 if (!TEST_true(SSL_set_min_proto_version(clientssl
, TLS1_2_VERSION
))
8060 || !TEST_true(SSL_set_max_proto_version(clientssl
, TLS1_2_VERSION
)))
8063 client2ssl
= SSL_dup(clientssl
);
8064 rbio
= SSL_get_rbio(clientssl
);
8066 || !TEST_true(BIO_up_ref(rbio
)))
8068 SSL_set0_rbio(client2ssl
, rbio
);
8071 wbio
= SSL_get_wbio(clientssl
);
8072 if (!TEST_ptr(wbio
) || !TEST_true(BIO_up_ref(wbio
)))
8074 SSL_set0_wbio(client2ssl
, wbio
);
8077 if (!TEST_ptr(client2ssl
)
8078 /* Handshake not started so pointers should be different */
8079 || !TEST_ptr_ne(clientssl
, client2ssl
))
8082 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl
), TLS1_2_VERSION
)
8083 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl
), TLS1_2_VERSION
))
8086 if (!TEST_true(create_ssl_connection(serverssl
, client2ssl
, SSL_ERROR_NONE
)))
8089 SSL_free(clientssl
);
8090 clientssl
= SSL_dup(client2ssl
);
8091 if (!TEST_ptr(clientssl
)
8092 /* Handshake has finished so pointers should be the same */
8093 || !TEST_ptr_eq(clientssl
, client2ssl
))
8099 SSL_free(serverssl
);
8100 SSL_free(clientssl
);
8101 SSL_free(client2ssl
);
8108 # ifndef OPENSSL_NO_DH
8110 static EVP_PKEY
*tmp_dh_params
= NULL
;
8112 /* Helper function for the test_set_tmp_dh() tests */
8113 static EVP_PKEY
*get_tmp_dh_params(void)
8115 if (tmp_dh_params
== NULL
) {
8117 OSSL_PARAM_BLD
*tmpl
= NULL
;
8118 EVP_PKEY_CTX
*pctx
= NULL
;
8119 OSSL_PARAM
*params
= NULL
;
8120 EVP_PKEY
*dhpkey
= NULL
;
8122 p
= BN_get_rfc3526_prime_2048(NULL
);
8126 pctx
= EVP_PKEY_CTX_new_from_name(libctx
, "DH", NULL
);
8128 || !TEST_true(EVP_PKEY_key_fromdata_init(pctx
)))
8131 tmpl
= OSSL_PARAM_BLD_new();
8133 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl
,
8134 OSSL_PKEY_PARAM_FFC_P
,
8136 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl
,
8137 OSSL_PKEY_PARAM_FFC_G
,
8141 params
= OSSL_PARAM_BLD_to_param(tmpl
);
8142 if (!TEST_ptr(params
)
8143 || !TEST_true(EVP_PKEY_fromdata(pctx
, &dhpkey
, params
)))
8146 tmp_dh_params
= dhpkey
;
8149 EVP_PKEY_CTX_free(pctx
);
8150 OSSL_PARAM_BLD_free(tmpl
);
8151 OSSL_PARAM_BLD_free_params(params
);
8154 if (!EVP_PKEY_up_ref(tmp_dh_params
))
8157 return tmp_dh_params
;
8160 # ifndef OPENSSL_NO_DEPRECATED_3_0
8161 /* Callback used by test_set_tmp_dh() */
8162 static DH
*tmp_dh_callback(SSL
*s
, int is_export
, int keylen
)
8164 EVP_PKEY
*dhpkey
= get_tmp_dh_params();
8167 if (!TEST_ptr(dhpkey
))
8170 ret
= EVP_PKEY_get0_DH(dhpkey
);
8172 EVP_PKEY_free(dhpkey
);
8179 * Test the various methods for setting temporary DH parameters
8181 * Test 0: Default (no auto) setting
8182 * Test 1: Explicit SSL_CTX auto off
8183 * Test 2: Explicit SSL auto off
8184 * Test 3: Explicit SSL_CTX auto on
8185 * Test 4: Explicit SSL auto on
8186 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8187 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8189 * The following are testing deprecated APIs, so we only run them if available
8190 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8191 * Test 8: Explicit SSL auto off, custom DH params via DH
8192 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8193 * Test 10: Explicit SSL auto off, custom DH params via callback
8195 static int test_set_tmp_dh(int idx
)
8197 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8198 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8200 int dhauto
= (idx
== 3 || idx
== 4) ? 1 : 0;
8201 int expected
= (idx
<= 2) ? 0 : 1;
8202 EVP_PKEY
*dhpkey
= NULL
;
8203 # ifndef OPENSSL_NO_DEPRECATED_3_0
8211 if (idx
>= 5 && idx
<= 8) {
8212 dhpkey
= get_tmp_dh_params();
8213 if (!TEST_ptr(dhpkey
))
8216 # ifndef OPENSSL_NO_DEPRECATED_3_0
8217 if (idx
== 7 || idx
== 8) {
8218 dh
= EVP_PKEY_get0_DH(dhpkey
);
8224 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8225 TLS_client_method(),
8228 &sctx
, &cctx
, cert
, privkey
)))
8231 if ((idx
& 1) == 1) {
8232 if (!TEST_true(SSL_CTX_set_dh_auto(sctx
, dhauto
)))
8237 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx
, dhpkey
)))
8241 # ifndef OPENSSL_NO_DEPRECATED_3_0
8242 else if (idx
== 7) {
8243 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx
, dh
)))
8245 } else if (idx
== 9) {
8246 SSL_CTX_set_tmp_dh_callback(sctx
, tmp_dh_callback
);
8250 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8254 if ((idx
& 1) == 0 && idx
!= 0) {
8255 if (!TEST_true(SSL_set_dh_auto(serverssl
, dhauto
)))
8259 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl
, dhpkey
)))
8263 # ifndef OPENSSL_NO_DEPRECATED_3_0
8264 else if (idx
== 8) {
8265 if (!TEST_true(SSL_set_tmp_dh(serverssl
, dh
)))
8267 } else if (idx
== 10) {
8268 SSL_set_tmp_dh_callback(serverssl
, tmp_dh_callback
);
8272 if (!TEST_true(SSL_set_min_proto_version(serverssl
, TLS1_2_VERSION
))
8273 || !TEST_true(SSL_set_max_proto_version(serverssl
, TLS1_2_VERSION
))
8274 || !TEST_true(SSL_set_cipher_list(serverssl
, "DHE-RSA-AES128-SHA")))
8278 * If autoon then we should succeed. Otherwise we expect failure because
8279 * there are no parameters
8281 if (!TEST_int_eq(create_ssl_connection(serverssl
, clientssl
,
8282 SSL_ERROR_NONE
), expected
))
8288 SSL_free(serverssl
);
8289 SSL_free(clientssl
);
8292 EVP_PKEY_free(dhpkey
);
8298 * Test the auto DH keys are appropriately sized
8300 static int test_dh_auto(int idx
)
8302 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8303 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8305 EVP_PKEY
*tmpkey
= NULL
;
8306 char *thiscert
= NULL
, *thiskey
= NULL
;
8307 size_t expdhsize
= 0;
8308 const char *ciphersuite
= "DHE-RSA-AES128-SHA";
8312 /* The FIPS provider doesn't support this DH size - so we ignore it */
8315 thiscert
= cert1024
;
8316 thiskey
= privkey1024
;
8320 /* 2048 bit prime */
8326 thiscert
= cert3072
;
8327 thiskey
= privkey3072
;
8331 thiscert
= cert4096
;
8332 thiskey
= privkey4096
;
8336 thiscert
= cert8192
;
8337 thiskey
= privkey8192
;
8340 /* No certificate cases */
8342 /* The FIPS provider doesn't support this DH size - so we ignore it */
8345 ciphersuite
= "ADH-AES128-SHA256:@SECLEVEL=0";
8349 ciphersuite
= "ADH-AES256-SHA256:@SECLEVEL=0";
8353 TEST_error("Invalid text index");
8357 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8358 TLS_client_method(),
8361 &sctx
, &cctx
, thiscert
, thiskey
)))
8364 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8368 if (!TEST_true(SSL_set_dh_auto(serverssl
, 1))
8369 || !TEST_true(SSL_set_min_proto_version(serverssl
, TLS1_2_VERSION
))
8370 || !TEST_true(SSL_set_max_proto_version(serverssl
, TLS1_2_VERSION
))
8371 || !TEST_true(SSL_set_cipher_list(serverssl
, ciphersuite
))
8372 || !TEST_true(SSL_set_cipher_list(clientssl
, ciphersuite
)))
8376 * Send the server's first flight. At this point the server has created the
8377 * temporary DH key but hasn't finished using it yet. Once used it is
8378 * removed, so we cannot test it.
8380 if (!TEST_int_le(SSL_connect(clientssl
), 0)
8381 || !TEST_int_le(SSL_accept(serverssl
), 0))
8384 if (!TEST_int_gt(SSL_get_tmp_key(serverssl
, &tmpkey
), 0))
8386 if (!TEST_size_t_eq(EVP_PKEY_bits(tmpkey
), expdhsize
))
8389 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8395 SSL_free(serverssl
);
8396 SSL_free(clientssl
);
8399 EVP_PKEY_free(tmpkey
);
8404 # endif /* OPENSSL_NO_DH */
8405 #endif /* OPENSSL_NO_TLS1_2 */
8407 #ifndef OPENSSL_NO_TLS1_3
8409 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
8410 * that it works even without a certificate configured for the original
8413 static int test_sni_tls13(void)
8415 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
8416 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8419 /* Reset callback counter */
8422 /* Create an initial SSL_CTX with no certificate configured */
8423 sctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
8424 if (!TEST_ptr(sctx
))
8426 /* Require TLSv1.3 as a minimum */
8427 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8428 TLS_client_method(), TLS1_3_VERSION
, 0,
8429 &sctx2
, &cctx
, cert
, privkey
)))
8433 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
, sni_cb
))
8434 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx
, sctx2
)))
8438 * Connection should still succeed because the final SSL_CTX has the right
8439 * certificates configured.
8441 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
8442 &clientssl
, NULL
, NULL
))
8443 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
8447 /* We should have had the SNI callback called exactly once */
8448 if (!TEST_int_eq(snicb
, 1))
8454 SSL_free(serverssl
);
8455 SSL_free(clientssl
);
8456 SSL_CTX_free(sctx2
);
8463 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
8465 int setup_tests(void)
8470 libctx
= OSSL_LIB_CTX_new();
8471 if (!TEST_ptr(libctx
))
8474 defctxnull
= OSSL_PROVIDER_load(NULL
, "null");
8477 * Verify that the default and fips providers in the default libctx are not
8480 if (!TEST_false(OSSL_PROVIDER_available(NULL
, "default"))
8481 || !TEST_false(OSSL_PROVIDER_available(NULL
, "fips")))
8484 if (!test_skip_common_options()) {
8485 TEST_error("Error parsing test options\n");
8489 if (!TEST_ptr(certsdir
= test_get_argument(0))
8490 || !TEST_ptr(srpvfile
= test_get_argument(1))
8491 || !TEST_ptr(tmpfilename
= test_get_argument(2))
8492 || !TEST_ptr(modulename
= test_get_argument(3))
8493 || !TEST_ptr(configfile
= test_get_argument(4)))
8496 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx
, configfile
)))
8499 /* Check we have the expected provider available */
8500 if (!TEST_true(OSSL_PROVIDER_available(libctx
, modulename
)))
8503 /* Check the default provider is not available */
8504 if (strcmp(modulename
, "default") != 0
8505 && !TEST_false(OSSL_PROVIDER_available(libctx
, "default")))
8508 if (strcmp(modulename
, "fips") == 0)
8512 * We add, but don't load the test "tls-provider". We'll load it when we
8515 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx
, "tls-provider",
8516 tls_provider_init
)))
8520 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL
) {
8521 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
8522 TEST_error("not supported in this build");
8525 int i
, mcount
, rcount
, fcount
;
8527 for (i
= 0; i
< 4; i
++)
8528 test_export_key_mat(i
);
8529 CRYPTO_get_alloc_counts(&mcount
, &rcount
, &fcount
);
8530 test_printf_stdout("malloc %d realloc %d free %d\n",
8531 mcount
, rcount
, fcount
);
8536 cert
= test_mk_file_path(certsdir
, "servercert.pem");
8540 privkey
= test_mk_file_path(certsdir
, "serverkey.pem");
8541 if (privkey
== NULL
)
8544 cert2
= test_mk_file_path(certsdir
, "server-ecdsa-cert.pem");
8548 privkey2
= test_mk_file_path(certsdir
, "server-ecdsa-key.pem");
8549 if (privkey2
== NULL
)
8552 cert1024
= test_mk_file_path(certsdir
, "ee-cert-1024.pem");
8553 if (cert1024
== NULL
)
8556 privkey1024
= test_mk_file_path(certsdir
, "ee-key-1024.pem");
8557 if (privkey1024
== NULL
)
8560 cert3072
= test_mk_file_path(certsdir
, "ee-cert-3072.pem");
8561 if (cert3072
== NULL
)
8564 privkey3072
= test_mk_file_path(certsdir
, "ee-key-3072.pem");
8565 if (privkey3072
== NULL
)
8568 cert4096
= test_mk_file_path(certsdir
, "ee-cert-4096.pem");
8569 if (cert4096
== NULL
)
8572 privkey4096
= test_mk_file_path(certsdir
, "ee-key-4096.pem");
8573 if (privkey4096
== NULL
)
8576 cert8192
= test_mk_file_path(certsdir
, "ee-cert-8192.pem");
8577 if (cert8192
== NULL
)
8580 privkey8192
= test_mk_file_path(certsdir
, "ee-key-8192.pem");
8581 if (privkey8192
== NULL
)
8584 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8585 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
8586 ADD_ALL_TESTS(test_ktls
, 32);
8587 ADD_ALL_TESTS(test_ktls_sendfile_anytls
, 6);
8590 ADD_TEST(test_large_message_tls
);
8591 ADD_TEST(test_large_message_tls_read_ahead
);
8592 #ifndef OPENSSL_NO_DTLS
8593 ADD_TEST(test_large_message_dtls
);
8595 ADD_TEST(test_cleanse_plaintext
);
8596 #ifndef OPENSSL_NO_OCSP
8597 ADD_TEST(test_tlsext_status_type
);
8599 ADD_TEST(test_session_with_only_int_cache
);
8600 ADD_TEST(test_session_with_only_ext_cache
);
8601 ADD_TEST(test_session_with_both_cache
);
8602 ADD_TEST(test_session_wo_ca_names
);
8603 #ifndef OPENSSL_NO_TLS1_3
8604 ADD_ALL_TESTS(test_stateful_tickets
, 3);
8605 ADD_ALL_TESTS(test_stateless_tickets
, 3);
8606 ADD_TEST(test_psk_tickets
);
8607 ADD_ALL_TESTS(test_extra_tickets
, 6);
8609 ADD_ALL_TESTS(test_ssl_set_bio
, TOTAL_SSL_SET_BIO_TESTS
);
8610 ADD_TEST(test_ssl_bio_pop_next_bio
);
8611 ADD_TEST(test_ssl_bio_pop_ssl_bio
);
8612 ADD_TEST(test_ssl_bio_change_rbio
);
8613 ADD_TEST(test_ssl_bio_change_wbio
);
8614 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
8615 ADD_ALL_TESTS(test_set_sigalgs
, OSSL_NELEM(testsigalgs
) * 2);
8616 ADD_TEST(test_keylog
);
8618 #ifndef OPENSSL_NO_TLS1_3
8619 ADD_TEST(test_keylog_no_master_key
);
8621 #ifndef OPENSSL_NO_TLS1_2
8622 ADD_TEST(test_client_hello_cb
);
8623 ADD_TEST(test_no_ems
);
8624 ADD_TEST(test_ccs_change_cipher
);
8626 #ifndef OPENSSL_NO_TLS1_3
8627 ADD_ALL_TESTS(test_early_data_read_write
, 3);
8629 * We don't do replay tests for external PSK. Replay protection isn't used
8632 ADD_ALL_TESTS(test_early_data_replay
, 2);
8633 ADD_ALL_TESTS(test_early_data_skip
, 3);
8634 ADD_ALL_TESTS(test_early_data_skip_hrr
, 3);
8635 ADD_ALL_TESTS(test_early_data_skip_hrr_fail
, 3);
8636 ADD_ALL_TESTS(test_early_data_skip_abort
, 3);
8637 ADD_ALL_TESTS(test_early_data_not_sent
, 3);
8638 ADD_ALL_TESTS(test_early_data_psk
, 8);
8639 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers
, 5);
8640 ADD_ALL_TESTS(test_early_data_not_expected
, 3);
8641 # ifndef OPENSSL_NO_TLS1_2
8642 ADD_ALL_TESTS(test_early_data_tls1_2
, 3);
8645 #ifndef OPENSSL_NO_TLS1_3
8646 ADD_ALL_TESTS(test_set_ciphersuite
, 10);
8647 ADD_TEST(test_ciphersuite_change
);
8648 ADD_ALL_TESTS(test_tls13_ciphersuite
, 4);
8649 # ifdef OPENSSL_NO_PSK
8650 ADD_ALL_TESTS(test_tls13_psk
, 1);
8652 ADD_ALL_TESTS(test_tls13_psk
, 4);
8653 # endif /* OPENSSL_NO_PSK */
8654 # ifndef OPENSSL_NO_TLS1_2
8655 /* Test with both TLSv1.3 and 1.2 versions */
8656 ADD_ALL_TESTS(test_key_exchange
, 14);
8658 /* Test with only TLSv1.3 versions */
8659 ADD_ALL_TESTS(test_key_exchange
, 12);
8661 ADD_ALL_TESTS(test_custom_exts
, 5);
8662 ADD_TEST(test_stateless
);
8663 ADD_TEST(test_pha_key_update
);
8665 ADD_ALL_TESTS(test_custom_exts
, 3);
8667 ADD_ALL_TESTS(test_serverinfo
, 8);
8668 ADD_ALL_TESTS(test_export_key_mat
, 6);
8669 #ifndef OPENSSL_NO_TLS1_3
8670 ADD_ALL_TESTS(test_export_key_mat_early
, 3);
8671 ADD_TEST(test_key_update
);
8672 ADD_ALL_TESTS(test_key_update_in_write
, 2);
8674 ADD_ALL_TESTS(test_ssl_clear
, 2);
8675 ADD_ALL_TESTS(test_max_fragment_len_ext
, OSSL_NELEM(max_fragment_len_test
));
8676 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8677 ADD_ALL_TESTS(test_srp
, 6);
8679 ADD_ALL_TESTS(test_info_callback
, 6);
8680 ADD_ALL_TESTS(test_ssl_pending
, 2);
8681 ADD_ALL_TESTS(test_ssl_get_shared_ciphers
, OSSL_NELEM(shared_ciphers_data
));
8682 ADD_ALL_TESTS(test_ticket_callbacks
, 16);
8683 ADD_ALL_TESTS(test_shutdown
, 7);
8684 ADD_ALL_TESTS(test_incorrect_shutdown
, 2);
8685 ADD_ALL_TESTS(test_cert_cb
, 6);
8686 ADD_ALL_TESTS(test_client_cert_cb
, 2);
8687 ADD_ALL_TESTS(test_ca_names
, 3);
8688 #ifndef OPENSSL_NO_TLS1_2
8689 ADD_ALL_TESTS(test_multiblock_write
, OSSL_NELEM(multiblock_cipherlist_data
));
8691 ADD_ALL_TESTS(test_servername
, 10);
8692 #if !defined(OPENSSL_NO_EC) \
8693 && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8694 ADD_ALL_TESTS(test_sigalgs_available
, 6);
8696 #ifndef OPENSSL_NO_TLS1_3
8697 ADD_ALL_TESTS(test_pluggable_group
, 2);
8699 #ifndef OPENSSL_NO_TLS1_2
8700 ADD_TEST(test_ssl_dup
);
8701 # ifndef OPENSSL_NO_DH
8702 ADD_ALL_TESTS(test_set_tmp_dh
, 11);
8703 ADD_ALL_TESTS(test_dh_auto
, 7);
8706 #ifndef OPENSSL_NO_TLS1_3
8707 ADD_TEST(test_sni_tls13
);
8713 OPENSSL_free(privkey
);
8714 OPENSSL_free(cert2
);
8715 OPENSSL_free(privkey2
);
8719 void cleanup_tests(void)
8721 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
8722 EVP_PKEY_free(tmp_dh_params
);
8725 OPENSSL_free(privkey
);
8726 OPENSSL_free(cert2
);
8727 OPENSSL_free(privkey2
);
8728 OPENSSL_free(cert1024
);
8729 OPENSSL_free(privkey1024
);
8730 OPENSSL_free(cert3072
);
8731 OPENSSL_free(privkey3072
);
8732 OPENSSL_free(cert4096
);
8733 OPENSSL_free(privkey4096
);
8734 OPENSSL_free(cert8192
);
8735 OPENSSL_free(privkey8192
);
8736 bio_s_mempacket_test_free();
8737 bio_s_always_retry_free();
8738 OSSL_PROVIDER_unload(defctxnull
);
8739 OSSL_LIB_CTX_free(libctx
);