2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
38 #include "helpers/ssltestlib.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "../ssl/record/methods/recmethod_local.h"
45 #include "filterprov.h"
47 #undef OSSL_NO_USABLE_TLS1_3
48 #if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51 * If we don't have ec or dh then there are no built-in groups that are usable
54 # define OSSL_NO_USABLE_TLS1_3
57 /* Defined in tls-provider.c */
58 int tls_provider_init(const OSSL_CORE_HANDLE
*handle
,
59 const OSSL_DISPATCH
*in
,
60 const OSSL_DISPATCH
**out
,
63 static OSSL_LIB_CTX
*libctx
= NULL
;
64 static OSSL_PROVIDER
*defctxnull
= NULL
;
66 #ifndef OSSL_NO_USABLE_TLS1_3
68 static SSL_SESSION
*clientpsk
= NULL
;
69 static SSL_SESSION
*serverpsk
= NULL
;
70 static const char *pskid
= "Identity";
71 static const char *srvid
;
73 static int use_session_cb(SSL
*ssl
, const EVP_MD
*md
, const unsigned char **id
,
74 size_t *idlen
, SSL_SESSION
**sess
);
75 static int find_session_cb(SSL
*ssl
, const unsigned char *identity
,
76 size_t identity_len
, SSL_SESSION
**sess
);
78 static int use_session_cb_cnt
= 0;
79 static int find_session_cb_cnt
= 0;
81 static SSL_SESSION
*create_a_psk(SSL
*ssl
);
84 static char *certsdir
= NULL
;
85 static char *cert
= NULL
;
86 static char *privkey
= NULL
;
87 static char *cert2
= NULL
;
88 static char *privkey2
= NULL
;
89 static char *cert1024
= NULL
;
90 static char *privkey1024
= NULL
;
91 static char *cert3072
= NULL
;
92 static char *privkey3072
= NULL
;
93 static char *cert4096
= NULL
;
94 static char *privkey4096
= NULL
;
95 static char *cert8192
= NULL
;
96 static char *privkey8192
= NULL
;
97 static char *srpvfile
= NULL
;
98 static char *tmpfilename
= NULL
;
99 static char *dhfile
= NULL
;
101 static int is_fips
= 0;
103 #define LOG_BUFFER_SIZE 2048
104 static char server_log_buffer
[LOG_BUFFER_SIZE
+ 1] = {0};
105 static size_t server_log_buffer_index
= 0;
106 static char client_log_buffer
[LOG_BUFFER_SIZE
+ 1] = {0};
107 static size_t client_log_buffer_index
= 0;
108 static int error_writing_log
= 0;
110 #ifndef OPENSSL_NO_OCSP
111 static const unsigned char orespder
[] = "Dummy OCSP Response";
112 static int ocsp_server_called
= 0;
113 static int ocsp_client_called
= 0;
115 static int cdummyarg
= 1;
116 static X509
*ocspcert
= NULL
;
119 #define NUM_EXTRA_CERTS 40
120 #define CLIENT_VERSION_LEN 2
123 * This structure is used to validate that the correct number of log messages
124 * of various types are emitted when emitting secret logs.
126 struct sslapitest_log_counts
{
127 unsigned int rsa_key_exchange_count
;
128 unsigned int master_secret_count
;
129 unsigned int client_early_secret_count
;
130 unsigned int client_handshake_secret_count
;
131 unsigned int server_handshake_secret_count
;
132 unsigned int client_application_secret_count
;
133 unsigned int server_application_secret_count
;
134 unsigned int early_exporter_secret_count
;
135 unsigned int exporter_secret_count
;
139 static int hostname_cb(SSL
*s
, int *al
, void *arg
)
141 const char *hostname
= SSL_get_servername(s
, TLSEXT_NAMETYPE_host_name
);
143 if (hostname
!= NULL
&& (strcmp(hostname
, "goodhost") == 0
144 || strcmp(hostname
, "altgoodhost") == 0))
145 return SSL_TLSEXT_ERR_OK
;
147 return SSL_TLSEXT_ERR_NOACK
;
150 static void client_keylog_callback(const SSL
*ssl
, const char *line
)
152 int line_length
= strlen(line
);
154 /* If the log doesn't fit, error out. */
155 if (client_log_buffer_index
+ line_length
> sizeof(client_log_buffer
) - 1) {
156 TEST_info("Client log too full");
157 error_writing_log
= 1;
161 strcat(client_log_buffer
, line
);
162 client_log_buffer_index
+= line_length
;
163 client_log_buffer
[client_log_buffer_index
++] = '\n';
166 static void server_keylog_callback(const SSL
*ssl
, const char *line
)
168 int line_length
= strlen(line
);
170 /* If the log doesn't fit, error out. */
171 if (server_log_buffer_index
+ line_length
> sizeof(server_log_buffer
) - 1) {
172 TEST_info("Server log too full");
173 error_writing_log
= 1;
177 strcat(server_log_buffer
, line
);
178 server_log_buffer_index
+= line_length
;
179 server_log_buffer
[server_log_buffer_index
++] = '\n';
182 static int compare_hex_encoded_buffer(const char *hex_encoded
,
190 if (!TEST_size_t_eq(raw_length
* 2, hex_length
))
193 for (i
= j
= 0; i
< raw_length
&& j
+ 1 < hex_length
; i
++, j
+= 2) {
194 sprintf(hexed
, "%02x", raw
[i
]);
195 if (!TEST_int_eq(hexed
[0], hex_encoded
[j
])
196 || !TEST_int_eq(hexed
[1], hex_encoded
[j
+ 1]))
203 static int test_keylog_output(char *buffer
, const SSL
*ssl
,
204 const SSL_SESSION
*session
,
205 struct sslapitest_log_counts
*expected
)
208 unsigned char actual_client_random
[SSL3_RANDOM_SIZE
] = {0};
209 size_t client_random_size
= SSL3_RANDOM_SIZE
;
210 unsigned char actual_master_key
[SSL_MAX_MASTER_KEY_LENGTH
] = {0};
211 size_t master_key_size
= SSL_MAX_MASTER_KEY_LENGTH
;
212 unsigned int rsa_key_exchange_count
= 0;
213 unsigned int master_secret_count
= 0;
214 unsigned int client_early_secret_count
= 0;
215 unsigned int client_handshake_secret_count
= 0;
216 unsigned int server_handshake_secret_count
= 0;
217 unsigned int client_application_secret_count
= 0;
218 unsigned int server_application_secret_count
= 0;
219 unsigned int early_exporter_secret_count
= 0;
220 unsigned int exporter_secret_count
= 0;
222 for (token
= strtok(buffer
, " \n"); token
!= NULL
;
223 token
= strtok(NULL
, " \n")) {
224 if (strcmp(token
, "RSA") == 0) {
226 * Premaster secret. Tokens should be: 16 ASCII bytes of
227 * hex-encoded encrypted secret, then the hex-encoded pre-master
230 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
232 if (!TEST_size_t_eq(strlen(token
), 16))
234 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
237 * We can't sensibly check the log because the premaster secret is
238 * transient, and OpenSSL doesn't keep hold of it once the master
239 * secret is generated.
241 rsa_key_exchange_count
++;
242 } else if (strcmp(token
, "CLIENT_RANDOM") == 0) {
244 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
245 * client random, then the hex-encoded master secret.
247 client_random_size
= SSL_get_client_random(ssl
,
248 actual_client_random
,
250 if (!TEST_size_t_eq(client_random_size
, SSL3_RANDOM_SIZE
))
253 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
255 if (!TEST_size_t_eq(strlen(token
), 64))
257 if (!TEST_false(compare_hex_encoded_buffer(token
, 64,
258 actual_client_random
,
259 client_random_size
)))
262 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
264 master_key_size
= SSL_SESSION_get_master_key(session
,
267 if (!TEST_size_t_ne(master_key_size
, 0))
269 if (!TEST_false(compare_hex_encoded_buffer(token
, strlen(token
),
273 master_secret_count
++;
274 } else if (strcmp(token
, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
275 || strcmp(token
, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token
, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token
, "CLIENT_TRAFFIC_SECRET_0") == 0
278 || strcmp(token
, "SERVER_TRAFFIC_SECRET_0") == 0
279 || strcmp(token
, "EARLY_EXPORTER_SECRET") == 0
280 || strcmp(token
, "EXPORTER_SECRET") == 0) {
282 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
283 * client random, and then the hex-encoded secret. In this case,
284 * we treat all of these secrets identically and then just
285 * distinguish between them when counting what we saw.
287 if (strcmp(token
, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
288 client_early_secret_count
++;
289 else if (strcmp(token
, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
290 client_handshake_secret_count
++;
291 else if (strcmp(token
, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 server_handshake_secret_count
++;
293 else if (strcmp(token
, "CLIENT_TRAFFIC_SECRET_0") == 0)
294 client_application_secret_count
++;
295 else if (strcmp(token
, "SERVER_TRAFFIC_SECRET_0") == 0)
296 server_application_secret_count
++;
297 else if (strcmp(token
, "EARLY_EXPORTER_SECRET") == 0)
298 early_exporter_secret_count
++;
299 else if (strcmp(token
, "EXPORTER_SECRET") == 0)
300 exporter_secret_count
++;
302 client_random_size
= SSL_get_client_random(ssl
,
303 actual_client_random
,
305 if (!TEST_size_t_eq(client_random_size
, SSL3_RANDOM_SIZE
))
308 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
310 if (!TEST_size_t_eq(strlen(token
), 64))
312 if (!TEST_false(compare_hex_encoded_buffer(token
, 64,
313 actual_client_random
,
314 client_random_size
)))
317 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
320 TEST_info("Unexpected token %s\n", token
);
325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count
,
327 expected
->rsa_key_exchange_count
)
328 || !TEST_size_t_eq(master_secret_count
,
329 expected
->master_secret_count
)
330 || !TEST_size_t_eq(client_early_secret_count
,
331 expected
->client_early_secret_count
)
332 || !TEST_size_t_eq(client_handshake_secret_count
,
333 expected
->client_handshake_secret_count
)
334 || !TEST_size_t_eq(server_handshake_secret_count
,
335 expected
->server_handshake_secret_count
)
336 || !TEST_size_t_eq(client_application_secret_count
,
337 expected
->client_application_secret_count
)
338 || !TEST_size_t_eq(server_application_secret_count
,
339 expected
->server_application_secret_count
)
340 || !TEST_size_t_eq(early_exporter_secret_count
,
341 expected
->early_exporter_secret_count
)
342 || !TEST_size_t_eq(exporter_secret_count
,
343 expected
->exporter_secret_count
))
348 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
349 static int test_keylog(void)
351 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
352 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
354 struct sslapitest_log_counts expected
;
356 /* Clean up logging space */
357 memset(&expected
, 0, sizeof(expected
));
358 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
359 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
360 client_log_buffer_index
= 0;
361 server_log_buffer_index
= 0;
362 error_writing_log
= 0;
364 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
367 &sctx
, &cctx
, cert
, privkey
)))
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx
, SSL_OP_NO_TLSv1_3
);
372 SSL_CTX_set_options(sctx
, SSL_OP_NO_TLSv1_3
);
374 /* We also want to ensure that we use RSA-based key exchange. */
375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "RSA")))
378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
) == NULL
)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx
) == NULL
))
381 SSL_CTX_set_keylog_callback(cctx
, client_keylog_callback
);
382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
)
383 == client_keylog_callback
))
385 SSL_CTX_set_keylog_callback(sctx
, server_keylog_callback
);
386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx
)
387 == server_keylog_callback
))
390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
392 &clientssl
, NULL
, NULL
))
393 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
395 || !TEST_false(error_writing_log
)
396 || !TEST_int_gt(client_log_buffer_index
, 0)
397 || !TEST_int_gt(server_log_buffer_index
, 0))
401 * Now we want to test that our output data was vaguely sensible. We
402 * do that by using strtok and confirming that we have more or less the
403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see an RSA key exchange.
406 expected
.rsa_key_exchange_count
= 1;
407 expected
.master_secret_count
= 1;
408 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
409 SSL_get_session(clientssl
), &expected
)))
412 expected
.rsa_key_exchange_count
= 0;
413 if (!TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
414 SSL_get_session(serverssl
), &expected
)))
429 #ifndef OSSL_NO_USABLE_TLS1_3
430 static int test_keylog_no_master_key(void)
432 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
433 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
434 SSL_SESSION
*sess
= NULL
;
436 struct sslapitest_log_counts expected
;
437 unsigned char buf
[1];
438 size_t readbytes
, written
;
440 /* Clean up logging space */
441 memset(&expected
, 0, sizeof(expected
));
442 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
443 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
444 client_log_buffer_index
= 0;
445 server_log_buffer_index
= 0;
446 error_writing_log
= 0;
448 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION
, 0,
450 &sctx
, &cctx
, cert
, privkey
))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx
,
452 SSL3_RT_MAX_PLAIN_LENGTH
)))
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
) == NULL
)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx
) == NULL
))
459 SSL_CTX_set_keylog_callback(cctx
, client_keylog_callback
);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
)
461 == client_keylog_callback
))
464 SSL_CTX_set_keylog_callback(sctx
, server_keylog_callback
);
465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx
)
466 == server_keylog_callback
))
469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
471 &clientssl
, NULL
, NULL
))
472 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
474 || !TEST_false(error_writing_log
))
478 * Now we want to test that our output data was vaguely sensible. For this
479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
480 * TLSv1.3, but we do expect both client and server to emit keys.
482 expected
.client_handshake_secret_count
= 1;
483 expected
.server_handshake_secret_count
= 1;
484 expected
.client_application_secret_count
= 1;
485 expected
.server_application_secret_count
= 1;
486 expected
.exporter_secret_count
= 1;
487 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
488 SSL_get_session(clientssl
), &expected
))
489 || !TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
490 SSL_get_session(serverssl
),
494 /* Terminate old session and resume with early data. */
495 sess
= SSL_get1_session(clientssl
);
496 SSL_shutdown(clientssl
);
497 SSL_shutdown(serverssl
);
500 serverssl
= clientssl
= NULL
;
503 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
504 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
505 client_log_buffer_index
= 0;
506 server_log_buffer_index
= 0;
508 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
509 &clientssl
, NULL
, NULL
))
510 || !TEST_true(SSL_set_session(clientssl
, sess
))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl
, NULL
, 0, &written
))
513 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
515 SSL_READ_EARLY_DATA_ERROR
)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
517 SSL_EARLY_DATA_ACCEPTED
)
518 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
520 || !TEST_true(SSL_session_reused(clientssl
)))
523 /* In addition to the previous entries, expect early secrets. */
524 expected
.client_early_secret_count
= 1;
525 expected
.early_exporter_secret_count
= 1;
526 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
527 SSL_get_session(clientssl
), &expected
))
528 || !TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
529 SSL_get_session(serverssl
),
536 SSL_SESSION_free(sess
);
546 static int verify_retry_cb(X509_STORE_CTX
*ctx
, void *arg
)
548 int res
= X509_verify_cert(ctx
);
549 int idx
= SSL_get_ex_data_X509_STORE_CTX_idx();
552 /* this should not happen but check anyway */
554 || (ssl
= X509_STORE_CTX_get_ex_data(ctx
, idx
)) == NULL
)
557 if (res
== 0 && X509_STORE_CTX_get_error(ctx
) ==
558 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
)
559 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
560 return SSL_set_retry_verify(ssl
);
565 static int test_client_cert_verify_cb(void)
567 /* server key, cert, chain, and root */
568 char *skey
= test_mk_file_path(certsdir
, "leaf.key");
569 char *leaf
= test_mk_file_path(certsdir
, "leaf.pem");
570 char *int2
= test_mk_file_path(certsdir
, "subinterCA.pem");
571 char *int1
= test_mk_file_path(certsdir
, "interCA.pem");
572 char *root
= test_mk_file_path(certsdir
, "rootCA.pem");
573 X509
*crt1
= NULL
, *crt2
= NULL
;
574 STACK_OF(X509
) *server_chain
;
575 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
576 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
579 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
580 TLS_client_method(), TLS1_VERSION
, 0,
581 &sctx
, &cctx
, NULL
, NULL
)))
583 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx
, leaf
), 1)
584 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx
, skey
,
585 SSL_FILETYPE_PEM
), 1)
586 || !TEST_int_eq(SSL_CTX_check_private_key(sctx
), 1))
588 if (!TEST_true(SSL_CTX_load_verify_locations(cctx
, root
, NULL
)))
590 SSL_CTX_set_verify(cctx
, SSL_VERIFY_PEER
, NULL
);
591 SSL_CTX_set_cert_verify_callback(cctx
, verify_retry_cb
, NULL
);
592 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
593 &clientssl
, NULL
, NULL
)))
596 /* attempt SSL_connect() with incomplete server chain */
597 if (!TEST_false(create_ssl_connection(serverssl
, clientssl
,
598 SSL_ERROR_WANT_RETRY_VERIFY
)))
601 /* application provides intermediate certs needed to verify server cert */
602 if (!TEST_ptr((crt1
= load_cert_pem(int1
, libctx
)))
603 || !TEST_ptr((crt2
= load_cert_pem(int2
, libctx
)))
604 || !TEST_ptr((server_chain
= SSL_get_peer_cert_chain(clientssl
))))
606 /* add certs in reverse order to demonstrate real chain building */
607 if (!TEST_true(sk_X509_push(server_chain
, crt1
)))
610 if (!TEST_true(sk_X509_push(server_chain
, crt2
)))
614 /* continue SSL_connect(), must now succeed with completed server chain */
615 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
624 if (clientssl
!= NULL
) {
625 SSL_shutdown(clientssl
);
628 if (serverssl
!= NULL
) {
629 SSL_shutdown(serverssl
);
644 static int test_ssl_build_cert_chain(void)
647 SSL_CTX
*ssl_ctx
= NULL
;
649 char *skey
= test_mk_file_path(certsdir
, "leaf.key");
650 char *leaf_chain
= test_mk_file_path(certsdir
, "leaf-chain.pem");
652 if (!TEST_ptr(ssl_ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method())))
654 if (!TEST_ptr(ssl
= SSL_new(ssl_ctx
)))
656 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
657 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl
, leaf_chain
), 1)
658 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl
, skey
, SSL_FILETYPE_PEM
), 1)
659 || !TEST_int_eq(SSL_check_private_key(ssl
), 1))
661 if (!TEST_true(SSL_build_cert_chain(ssl
, SSL_BUILD_CHAIN_FLAG_NO_ROOT
662 | SSL_BUILD_CHAIN_FLAG_CHECK
)))
667 SSL_CTX_free(ssl_ctx
);
668 OPENSSL_free(leaf_chain
);
673 static int get_password_cb(char *buf
, int size
, int rw_flag
, void *userdata
)
675 static const char pass
[] = "testpass";
677 if (!TEST_int_eq(size
, PEM_BUFSIZE
))
680 memcpy(buf
, pass
, sizeof(pass
) - 1);
681 return sizeof(pass
) - 1;
684 static int test_ssl_ctx_build_cert_chain(void)
688 char *skey
= test_mk_file_path(certsdir
, "leaf-encrypted.key");
689 char *leaf_chain
= test_mk_file_path(certsdir
, "leaf-chain.pem");
691 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method())))
693 SSL_CTX_set_default_passwd_cb(ctx
, get_password_cb
);
694 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
695 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx
, leaf_chain
), 1)
696 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx
, skey
,
697 SSL_FILETYPE_PEM
), 1)
698 || !TEST_int_eq(SSL_CTX_check_private_key(ctx
), 1))
700 if (!TEST_true(SSL_CTX_build_cert_chain(ctx
, SSL_BUILD_CHAIN_FLAG_NO_ROOT
701 | SSL_BUILD_CHAIN_FLAG_CHECK
)))
706 OPENSSL_free(leaf_chain
);
711 #ifndef OPENSSL_NO_TLS1_2
712 static int full_client_hello_callback(SSL
*s
, int *al
, void *arg
)
715 const unsigned char *p
;
717 /* We only configure two ciphers, but the SCSV is added automatically. */
719 const unsigned char expected_ciphers
[] = {0x00, 0x9d, 0x00, 0xff};
721 const unsigned char expected_ciphers
[] = {0x00, 0x9d, 0xc0,
724 const int expected_extensions
[] = {
725 #ifndef OPENSSL_NO_EC
731 /* Make sure we can defer processing and get called back. */
733 return SSL_CLIENT_HELLO_RETRY
;
735 len
= SSL_client_hello_get0_ciphers(s
, &p
);
736 if (!TEST_mem_eq(p
, len
, expected_ciphers
, sizeof(expected_ciphers
))
738 SSL_client_hello_get0_compression_methods(s
, &p
), 1)
739 || !TEST_int_eq(*p
, 0))
740 return SSL_CLIENT_HELLO_ERROR
;
741 if (!SSL_client_hello_get1_extensions_present(s
, &exts
, &len
))
742 return SSL_CLIENT_HELLO_ERROR
;
743 if (len
!= OSSL_NELEM(expected_extensions
) ||
744 memcmp(exts
, expected_extensions
, len
* sizeof(*exts
)) != 0) {
745 printf("ClientHello callback expected extensions mismatch\n");
747 return SSL_CLIENT_HELLO_ERROR
;
750 return SSL_CLIENT_HELLO_SUCCESS
;
753 static int test_client_hello_cb(void)
755 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
756 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
757 int testctr
= 0, testresult
= 0;
759 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
760 TLS_client_method(), TLS1_VERSION
, 0,
761 &sctx
, &cctx
, cert
, privkey
)))
763 SSL_CTX_set_client_hello_cb(sctx
, full_client_hello_callback
, &testctr
);
765 /* The gimpy cipher list we configure can't do TLS 1.3. */
766 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
768 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
769 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
770 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
771 &clientssl
, NULL
, NULL
))
772 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
773 SSL_ERROR_WANT_CLIENT_HELLO_CB
))
775 * Passing a -1 literal is a hack since
776 * the real value was lost.
778 || !TEST_int_eq(SSL_get_error(serverssl
, -1),
779 SSL_ERROR_WANT_CLIENT_HELLO_CB
)
780 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
795 static int test_no_ems(void)
797 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
798 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
801 if (!create_ssl_ctx_pair(libctx
, TLS_server_method(), TLS_client_method(),
802 TLS1_VERSION
, TLS1_2_VERSION
,
803 &sctx
, &cctx
, cert
, privkey
)) {
804 printf("Unable to create SSL_CTX pair\n");
808 SSL_CTX_set_options(sctx
, SSL_OP_NO_EXTENDED_MASTER_SECRET
);
810 if (!create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
, NULL
)) {
811 printf("Unable to create SSL objects\n");
815 if (!create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)) {
816 printf("Creating SSL connection failed\n");
820 if (SSL_get_extms_support(serverssl
)) {
821 printf("Server reports Extended Master Secret support\n");
825 if (SSL_get_extms_support(clientssl
)) {
826 printf("Client reports Extended Master Secret support\n");
841 * Very focused test to exercise a single case in the server-side state
842 * machine, when the ChangeCipherState message needs to actually change
843 * from one cipher to a different cipher (i.e., not changing from null
844 * encryption to real encryption).
846 static int test_ccs_change_cipher(void)
848 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
849 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
850 SSL_SESSION
*sess
= NULL
, *sesspre
, *sesspost
;
857 * Create a connection so we can resume and potentially (but not) use
858 * a different cipher in the second connection.
860 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
862 TLS1_VERSION
, TLS1_2_VERSION
,
863 &sctx
, &cctx
, cert
, privkey
))
864 || !TEST_true(SSL_CTX_set_options(sctx
, SSL_OP_NO_TICKET
))
865 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
867 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES128-GCM-SHA256"))
868 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
870 || !TEST_ptr(sesspre
= SSL_get0_session(serverssl
))
871 || !TEST_ptr(sess
= SSL_get1_session(clientssl
)))
874 shutdown_ssl_connection(serverssl
, clientssl
);
875 serverssl
= clientssl
= NULL
;
877 /* Resume, preferring a different cipher. Our server will force the
878 * same cipher to be used as the initial handshake. */
879 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
881 || !TEST_true(SSL_set_session(clientssl
, sess
))
882 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
883 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
885 || !TEST_true(SSL_session_reused(clientssl
))
886 || !TEST_true(SSL_session_reused(serverssl
))
887 || !TEST_ptr(sesspost
= SSL_get0_session(serverssl
))
888 || !TEST_ptr_eq(sesspre
, sesspost
)
889 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256
,
890 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl
))))
892 shutdown_ssl_connection(serverssl
, clientssl
);
893 serverssl
= clientssl
= NULL
;
896 * Now create a fresh connection and try to renegotiate a different
899 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
901 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES128-GCM-SHA256"))
902 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
904 || !TEST_ptr(sesspre
= SSL_get0_session(serverssl
))
905 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384"))
906 || !TEST_true(SSL_renegotiate(clientssl
))
907 || !TEST_true(SSL_renegotiate_pending(clientssl
)))
909 /* Actually drive the renegotiation. */
910 for (i
= 0; i
< 3; i
++) {
911 if (SSL_read_ex(clientssl
, &buf
, sizeof(buf
), &readbytes
) > 0) {
912 if (!TEST_ulong_eq(readbytes
, 0))
914 } else if (!TEST_int_eq(SSL_get_error(clientssl
, 0),
915 SSL_ERROR_WANT_READ
)) {
918 if (SSL_read_ex(serverssl
, &buf
, sizeof(buf
), &readbytes
) > 0) {
919 if (!TEST_ulong_eq(readbytes
, 0))
921 } else if (!TEST_int_eq(SSL_get_error(serverssl
, 0),
922 SSL_ERROR_WANT_READ
)) {
926 /* sesspre and sesspost should be different since the cipher changed. */
927 if (!TEST_false(SSL_renegotiate_pending(clientssl
))
928 || !TEST_false(SSL_session_reused(clientssl
))
929 || !TEST_false(SSL_session_reused(serverssl
))
930 || !TEST_ptr(sesspost
= SSL_get0_session(serverssl
))
931 || !TEST_ptr_ne(sesspre
, sesspost
)
932 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384
,
933 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl
))))
936 shutdown_ssl_connection(serverssl
, clientssl
);
937 serverssl
= clientssl
= NULL
;
946 SSL_SESSION_free(sess
);
952 static int execute_test_large_message(const SSL_METHOD
*smeth
,
953 const SSL_METHOD
*cmeth
,
954 int min_version
, int max_version
,
957 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
958 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
962 X509
*chaincert
= NULL
;
965 if (!TEST_ptr(certbio
= BIO_new_file(cert
, "r")))
968 if (!TEST_ptr(chaincert
= X509_new_ex(libctx
, NULL
)))
971 if (PEM_read_bio_X509(certbio
, &chaincert
, NULL
, NULL
) == NULL
)
976 if (!TEST_true(create_ssl_ctx_pair(libctx
, smeth
, cmeth
, min_version
,
977 max_version
, &sctx
, &cctx
, cert
,
981 #ifdef OPENSSL_NO_DTLS1_2
982 if (smeth
== DTLS_server_method()) {
984 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
987 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0"))
988 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
989 "DEFAULT:@SECLEVEL=0")))
996 * Test that read_ahead works correctly when dealing with large
999 SSL_CTX_set_read_ahead(cctx
, 1);
1003 * We assume the supplied certificate is big enough so that if we add
1004 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1005 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1006 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1007 * test we need to have a message larger than that.
1009 certlen
= i2d_X509(chaincert
, NULL
);
1010 OPENSSL_assert(certlen
* NUM_EXTRA_CERTS
>
1011 (SSL3_RT_MAX_PLAIN_LENGTH
* 4) / 3);
1012 for (i
= 0; i
< NUM_EXTRA_CERTS
; i
++) {
1013 if (!X509_up_ref(chaincert
))
1015 if (!SSL_CTX_add_extra_chain_cert(sctx
, chaincert
)) {
1016 X509_free(chaincert
);
1021 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
1023 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
1028 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1031 if (!TEST_true(SSL_clear(serverssl
)))
1037 X509_free(chaincert
);
1038 SSL_free(serverssl
);
1039 SSL_free(clientssl
);
1046 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1047 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1048 /* sock must be connected */
1049 static int ktls_chk_platform(int sock
)
1051 if (!ktls_enable(sock
))
1056 static int ping_pong_query(SSL
*clientssl
, SSL
*serverssl
)
1058 static char count
= 1;
1059 unsigned char cbuf
[16000] = {0};
1060 unsigned char sbuf
[16000];
1062 char crec_wseq_before
[SEQ_NUM_SIZE
];
1063 char crec_wseq_after
[SEQ_NUM_SIZE
];
1064 char crec_rseq_before
[SEQ_NUM_SIZE
];
1065 char crec_rseq_after
[SEQ_NUM_SIZE
];
1066 char srec_wseq_before
[SEQ_NUM_SIZE
];
1067 char srec_wseq_after
[SEQ_NUM_SIZE
];
1068 char srec_rseq_before
[SEQ_NUM_SIZE
];
1069 char srec_rseq_after
[SEQ_NUM_SIZE
];
1070 SSL_CONNECTION
*clientsc
, *serversc
;
1072 if (!TEST_ptr(clientsc
= SSL_CONNECTION_FROM_SSL_ONLY(clientssl
))
1073 || !TEST_ptr(serversc
= SSL_CONNECTION_FROM_SSL_ONLY(serverssl
)))
1077 memcpy(crec_wseq_before
, &clientsc
->rlayer
.wrl
->sequence
, SEQ_NUM_SIZE
);
1078 memcpy(srec_wseq_before
, &serversc
->rlayer
.wrl
->sequence
, SEQ_NUM_SIZE
);
1079 memcpy(crec_rseq_before
, &clientsc
->rlayer
.rrl
->sequence
, SEQ_NUM_SIZE
);
1080 memcpy(srec_rseq_before
, &serversc
->rlayer
.rrl
->sequence
, SEQ_NUM_SIZE
);
1082 if (!TEST_true(SSL_write(clientssl
, cbuf
, sizeof(cbuf
)) == sizeof(cbuf
)))
1085 while ((err
= SSL_read(serverssl
, &sbuf
, sizeof(sbuf
))) != sizeof(sbuf
)) {
1086 if (SSL_get_error(serverssl
, err
) != SSL_ERROR_WANT_READ
) {
1091 if (!TEST_true(SSL_write(serverssl
, sbuf
, sizeof(sbuf
)) == sizeof(sbuf
)))
1094 while ((err
= SSL_read(clientssl
, &cbuf
, sizeof(cbuf
))) != sizeof(cbuf
)) {
1095 if (SSL_get_error(clientssl
, err
) != SSL_ERROR_WANT_READ
) {
1100 memcpy(crec_wseq_after
, &clientsc
->rlayer
.wrl
->sequence
, SEQ_NUM_SIZE
);
1101 memcpy(srec_wseq_after
, &serversc
->rlayer
.wrl
->sequence
, SEQ_NUM_SIZE
);
1102 memcpy(crec_rseq_after
, &clientsc
->rlayer
.rrl
->sequence
, SEQ_NUM_SIZE
);
1103 memcpy(srec_rseq_after
, &serversc
->rlayer
.rrl
->sequence
, SEQ_NUM_SIZE
);
1105 /* verify the payload */
1106 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(sbuf
)))
1110 * If ktls is used then kernel sequences are used instead of
1113 if (!BIO_get_ktls_send(clientsc
->wbio
)) {
1114 if (!TEST_mem_ne(crec_wseq_before
, SEQ_NUM_SIZE
,
1115 crec_wseq_after
, SEQ_NUM_SIZE
))
1118 if (!TEST_mem_eq(crec_wseq_before
, SEQ_NUM_SIZE
,
1119 crec_wseq_after
, SEQ_NUM_SIZE
))
1123 if (!BIO_get_ktls_send(serversc
->wbio
)) {
1124 if (!TEST_mem_ne(srec_wseq_before
, SEQ_NUM_SIZE
,
1125 srec_wseq_after
, SEQ_NUM_SIZE
))
1128 if (!TEST_mem_eq(srec_wseq_before
, SEQ_NUM_SIZE
,
1129 srec_wseq_after
, SEQ_NUM_SIZE
))
1133 if (!BIO_get_ktls_recv(clientsc
->wbio
)) {
1134 if (!TEST_mem_ne(crec_rseq_before
, SEQ_NUM_SIZE
,
1135 crec_rseq_after
, SEQ_NUM_SIZE
))
1138 if (!TEST_mem_eq(crec_rseq_before
, SEQ_NUM_SIZE
,
1139 crec_rseq_after
, SEQ_NUM_SIZE
))
1143 if (!BIO_get_ktls_recv(serversc
->wbio
)) {
1144 if (!TEST_mem_ne(srec_rseq_before
, SEQ_NUM_SIZE
,
1145 srec_rseq_after
, SEQ_NUM_SIZE
))
1148 if (!TEST_mem_eq(srec_rseq_before
, SEQ_NUM_SIZE
,
1149 srec_rseq_after
, SEQ_NUM_SIZE
))
1158 static int execute_test_ktls(int cis_ktls
, int sis_ktls
,
1159 int tls_version
, const char *cipher
)
1161 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1162 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1163 int ktls_used
= 0, testresult
= 0;
1164 int cfd
= -1, sfd
= -1;
1166 SSL_CONNECTION
*clientsc
, *serversc
;
1168 if (!TEST_true(create_test_sockets(&cfd
, &sfd
)))
1171 /* Skip this test if the platform does not support ktls */
1172 if (!ktls_chk_platform(cfd
)) {
1173 testresult
= TEST_skip("Kernel does not support KTLS");
1177 if (is_fips
&& strstr(cipher
, "CHACHA") != NULL
) {
1178 testresult
= TEST_skip("CHACHA is not supported in FIPS");
1182 /* Create a session based on SHA-256 */
1183 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1184 TLS_client_method(),
1185 tls_version
, tls_version
,
1186 &sctx
, &cctx
, cert
, privkey
)))
1189 if (tls_version
== TLS1_3_VERSION
) {
1190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, cipher
))
1191 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
, cipher
)))
1194 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipher
))
1195 || !TEST_true(SSL_CTX_set_cipher_list(sctx
, cipher
)))
1199 if (!TEST_true(create_ssl_objects2(sctx
, cctx
, &serverssl
,
1200 &clientssl
, sfd
, cfd
)))
1203 if (!TEST_ptr(clientsc
= SSL_CONNECTION_FROM_SSL_ONLY(clientssl
))
1204 || !TEST_ptr(serversc
= SSL_CONNECTION_FROM_SSL_ONLY(serverssl
)))
1208 if (!TEST_true(SSL_set_options(clientssl
, SSL_OP_ENABLE_KTLS
)))
1213 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_ENABLE_KTLS
)))
1217 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
1221 * The running kernel may not support a given cipher suite
1222 * or direction, so just check that KTLS isn't used when it
1226 if (!TEST_false(BIO_get_ktls_send(clientsc
->wbio
)))
1229 if (BIO_get_ktls_send(clientsc
->wbio
))
1234 if (!TEST_false(BIO_get_ktls_send(serversc
->wbio
)))
1237 if (BIO_get_ktls_send(serversc
->wbio
))
1241 #if defined(OPENSSL_NO_KTLS_RX)
1246 if (!cis_ktls
|| !rx_supported
) {
1247 if (!TEST_false(BIO_get_ktls_recv(clientsc
->rbio
)))
1250 if (BIO_get_ktls_send(clientsc
->rbio
))
1254 if (!sis_ktls
|| !rx_supported
) {
1255 if (!TEST_false(BIO_get_ktls_recv(serversc
->rbio
)))
1258 if (BIO_get_ktls_send(serversc
->rbio
))
1262 if ((cis_ktls
|| sis_ktls
) && !ktls_used
) {
1263 testresult
= TEST_skip("KTLS not supported for %s cipher %s",
1264 tls_version
== TLS1_3_VERSION
? "TLS 1.3" :
1269 if (!TEST_true(ping_pong_query(clientssl
, serverssl
)))
1275 SSL_shutdown(clientssl
);
1276 SSL_free(clientssl
);
1279 SSL_shutdown(serverssl
);
1280 SSL_free(serverssl
);
1284 serverssl
= clientssl
= NULL
;
1292 #define SENDFILE_SZ (16 * 4096)
1293 #define SENDFILE_CHUNK (4 * 4096)
1294 #define min(a,b) ((a) > (b) ? (b) : (a))
1296 static int execute_test_ktls_sendfile(int tls_version
, const char *cipher
,
1299 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1300 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1301 unsigned char *buf
, *buf_dst
;
1302 BIO
*out
= NULL
, *in
= NULL
;
1303 int cfd
= -1, sfd
= -1, ffd
, err
;
1304 ssize_t chunk_size
= 0;
1305 off_t chunk_off
= 0;
1308 SSL_CONNECTION
*serversc
;
1310 buf
= OPENSSL_zalloc(SENDFILE_SZ
);
1311 buf_dst
= OPENSSL_zalloc(SENDFILE_SZ
);
1312 if (!TEST_ptr(buf
) || !TEST_ptr(buf_dst
)
1313 || !TEST_true(create_test_sockets(&cfd
, &sfd
)))
1316 /* Skip this test if the platform does not support ktls */
1317 if (!ktls_chk_platform(sfd
)) {
1318 testresult
= TEST_skip("Kernel does not support KTLS");
1322 if (is_fips
&& strstr(cipher
, "CHACHA") != NULL
) {
1323 testresult
= TEST_skip("CHACHA is not supported in FIPS");
1327 /* Create a session based on SHA-256 */
1328 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1329 TLS_client_method(),
1330 tls_version
, tls_version
,
1331 &sctx
, &cctx
, cert
, privkey
)))
1334 if (tls_version
== TLS1_3_VERSION
) {
1335 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, cipher
))
1336 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
, cipher
)))
1339 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipher
))
1340 || !TEST_true(SSL_CTX_set_cipher_list(sctx
, cipher
)))
1344 if (!TEST_true(create_ssl_objects2(sctx
, cctx
, &serverssl
,
1345 &clientssl
, sfd
, cfd
)))
1348 if (!TEST_ptr(serversc
= SSL_CONNECTION_FROM_SSL_ONLY(serverssl
)))
1351 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_ENABLE_KTLS
)))
1355 if (!TEST_true(SSL_set_options(serverssl
,
1356 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE
)))
1360 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1364 if (!BIO_get_ktls_send(serversc
->wbio
)) {
1365 testresult
= TEST_skip("Failed to enable KTLS for %s cipher %s",
1366 tls_version
== TLS1_3_VERSION
? "TLS 1.3" :
1371 if (!TEST_int_gt(RAND_bytes_ex(libctx
, buf
, SENDFILE_SZ
, 0), 0))
1374 out
= BIO_new_file(tmpfilename
, "wb");
1378 if (BIO_write(out
, buf
, SENDFILE_SZ
) != SENDFILE_SZ
)
1383 in
= BIO_new_file(tmpfilename
, "rb");
1384 BIO_get_fp(in
, &ffdp
);
1387 while (chunk_off
< SENDFILE_SZ
) {
1388 chunk_size
= min(SENDFILE_CHUNK
, SENDFILE_SZ
- chunk_off
);
1389 while ((err
= SSL_sendfile(serverssl
,
1393 0)) != chunk_size
) {
1394 if (SSL_get_error(serverssl
, err
) != SSL_ERROR_WANT_WRITE
)
1397 while ((err
= SSL_read(clientssl
,
1398 buf_dst
+ chunk_off
,
1399 chunk_size
)) != chunk_size
) {
1400 if (SSL_get_error(clientssl
, err
) != SSL_ERROR_WANT_READ
)
1404 /* verify the payload */
1405 if (!TEST_mem_eq(buf_dst
+ chunk_off
,
1411 chunk_off
+= chunk_size
;
1417 SSL_shutdown(clientssl
);
1418 SSL_free(clientssl
);
1421 SSL_shutdown(serverssl
);
1422 SSL_free(serverssl
);
1426 serverssl
= clientssl
= NULL
;
1434 OPENSSL_free(buf_dst
);
1438 static struct ktls_test_cipher
{
1441 } ktls_test_ciphers
[] = {
1442 # if !defined(OPENSSL_NO_TLS1_2)
1443 # ifdef OPENSSL_KTLS_AES_GCM_128
1444 { TLS1_2_VERSION
, "AES128-GCM-SHA256" },
1446 # ifdef OPENSSL_KTLS_AES_CCM_128
1447 { TLS1_2_VERSION
, "AES128-CCM"},
1449 # ifdef OPENSSL_KTLS_AES_GCM_256
1450 { TLS1_2_VERSION
, "AES256-GCM-SHA384"},
1452 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1453 # ifndef OPENSSL_NO_EC
1454 { TLS1_2_VERSION
, "ECDHE-RSA-CHACHA20-POLY1305"},
1458 # if !defined(OSSL_NO_USABLE_TLS1_3)
1459 # ifdef OPENSSL_KTLS_AES_GCM_128
1460 { TLS1_3_VERSION
, "TLS_AES_128_GCM_SHA256" },
1462 # ifdef OPENSSL_KTLS_AES_CCM_128
1463 { TLS1_3_VERSION
, "TLS_AES_128_CCM_SHA256" },
1465 # ifdef OPENSSL_KTLS_AES_GCM_256
1466 { TLS1_3_VERSION
, "TLS_AES_256_GCM_SHA384" },
1468 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1469 { TLS1_3_VERSION
, "TLS_CHACHA20_POLY1305_SHA256" },
1474 #define NUM_KTLS_TEST_CIPHERS \
1475 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1477 static int test_ktls(int test
)
1479 struct ktls_test_cipher
*cipher
;
1480 int cis_ktls
, sis_ktls
;
1482 OPENSSL_assert(test
/ 4 < (int)NUM_KTLS_TEST_CIPHERS
);
1483 cipher
= &ktls_test_ciphers
[test
/ 4];
1485 cis_ktls
= (test
& 1) != 0;
1486 sis_ktls
= (test
& 2) != 0;
1488 return execute_test_ktls(cis_ktls
, sis_ktls
, cipher
->tls_version
,
1492 static int test_ktls_sendfile(int test
)
1494 struct ktls_test_cipher
*cipher
;
1495 int tst
= test
>> 1;
1497 OPENSSL_assert(tst
< (int)NUM_KTLS_TEST_CIPHERS
);
1498 cipher
= &ktls_test_ciphers
[tst
];
1500 return execute_test_ktls_sendfile(cipher
->tls_version
, cipher
->cipher
,
1505 static int test_large_message_tls(void)
1507 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1508 TLS1_VERSION
, 0, 0);
1511 static int test_large_message_tls_read_ahead(void)
1513 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1514 TLS1_VERSION
, 0, 1);
1517 #ifndef OPENSSL_NO_DTLS
1518 static int test_large_message_dtls(void)
1520 # ifdef OPENSSL_NO_DTLS1_2
1521 /* Not supported in the FIPS provider */
1526 * read_ahead is not relevant to DTLS because DTLS always acts as if
1527 * read_ahead is set.
1529 return execute_test_large_message(DTLS_server_method(),
1530 DTLS_client_method(),
1531 DTLS1_VERSION
, 0, 0);
1536 * Test we can successfully send the maximum amount of application data. We
1537 * test each protocol version individually, each with and without EtM enabled.
1538 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1539 * simpler this way. We also test all combinations with and without the
1540 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1541 * underlying buffer.
1543 static int test_large_app_data(int tst
)
1545 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1546 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1547 int testresult
= 0, prot
;
1548 unsigned char *msg
, *buf
= NULL
;
1549 size_t written
, readbytes
;
1550 const SSL_METHOD
*smeth
= TLS_server_method();
1551 const SSL_METHOD
*cmeth
= TLS_client_method();
1555 #ifndef OSSL_NO_USABLE_TLS1_3
1556 prot
= TLS1_3_VERSION
;
1563 #ifndef OPENSSL_NO_TLS1_2
1564 prot
= TLS1_2_VERSION
;
1571 #ifndef OPENSSL_NO_TLS1_1
1572 prot
= TLS1_1_VERSION
;
1579 #ifndef OPENSSL_NO_TLS1
1580 prot
= TLS1_VERSION
;
1587 #ifndef OPENSSL_NO_SSL3
1588 prot
= SSL3_VERSION
;
1595 #ifndef OPENSSL_NO_DTLS1_2
1596 prot
= DTLS1_2_VERSION
;
1597 smeth
= DTLS_server_method();
1598 cmeth
= DTLS_client_method();
1605 #ifndef OPENSSL_NO_DTLS1
1606 prot
= DTLS1_VERSION
;
1607 smeth
= DTLS_server_method();
1608 cmeth
= DTLS_client_method();
1615 /* Shouldn't happen */
1619 if ((prot
< TLS1_2_VERSION
|| prot
== DTLS1_VERSION
) && is_fips
)
1622 /* Maximal sized message of zeros */
1623 msg
= OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH
);
1627 buf
= OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH
+ 1);
1630 /* Set whole buffer to all bits set */
1631 memset(buf
, 0xff, SSL3_RT_MAX_PLAIN_LENGTH
+ 1);
1633 if (!TEST_true(create_ssl_ctx_pair(libctx
, smeth
, cmeth
, prot
, prot
,
1634 &sctx
, &cctx
, cert
, privkey
)))
1637 if (prot
< TLS1_2_VERSION
|| prot
== DTLS1_VERSION
) {
1638 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1639 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "DEFAULT:@SECLEVEL=0"))
1640 || !TEST_true(SSL_CTX_set_cipher_list(sctx
,
1641 "DEFAULT:@SECLEVEL=0")))
1645 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1646 &clientssl
, NULL
, NULL
)))
1649 if ((tst
& 1) != 0) {
1650 /* Setting this option gives us a minimally sized underlying buffer */
1651 if (!TEST_true(SSL_set_options(serverssl
,
1652 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
))
1653 || !TEST_true(SSL_set_options(clientssl
,
1654 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
)))
1658 if ((tst
& 2) != 0) {
1660 * Setting this option means the MAC is added before encryption
1661 * giving us a larger record for the encryption process
1663 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_NO_ENCRYPT_THEN_MAC
))
1664 || !TEST_true(SSL_set_options(clientssl
,
1665 SSL_OP_NO_ENCRYPT_THEN_MAC
)))
1669 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
1672 if (!TEST_true(SSL_write_ex(clientssl
, msg
, SSL3_RT_MAX_PLAIN_LENGTH
,
1674 || !TEST_size_t_eq(written
, SSL3_RT_MAX_PLAIN_LENGTH
))
1677 /* We provide a buffer slightly larger than what we are actually expecting */
1678 if (!TEST_true(SSL_read_ex(serverssl
, buf
, SSL3_RT_MAX_PLAIN_LENGTH
+ 1,
1682 if (!TEST_mem_eq(msg
, written
, buf
, readbytes
))
1689 SSL_free(serverssl
);
1690 SSL_free(clientssl
);
1696 static int execute_cleanse_plaintext(const SSL_METHOD
*smeth
,
1697 const SSL_METHOD
*cmeth
,
1698 int min_version
, int max_version
)
1701 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1702 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1705 SSL_CONNECTION
*serversc
;
1708 static unsigned char cbuf
[16000];
1709 static unsigned char sbuf
[16000];
1711 if (!TEST_true(create_ssl_ctx_pair(libctx
,
1713 min_version
, max_version
,
1718 #ifdef OPENSSL_NO_DTLS1_2
1719 if (smeth
== DTLS_server_method()) {
1720 # ifdef OPENSSL_NO_DTLS1_2
1721 /* Not supported in the FIPS provider */
1728 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1731 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0"))
1732 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
1733 "DEFAULT:@SECLEVEL=0")))
1738 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
1742 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_CLEANSE_PLAINTEXT
)))
1745 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1749 for (i
= 0; i
< sizeof(cbuf
); i
++) {
1753 if (!TEST_int_eq(SSL_write(clientssl
, cbuf
, sizeof(cbuf
)), sizeof(cbuf
)))
1756 if (!TEST_int_eq(SSL_peek(serverssl
, &sbuf
, sizeof(sbuf
)), sizeof(sbuf
)))
1759 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(sbuf
)))
1763 * Since we called SSL_peek(), we know the data in the record
1764 * layer is a plaintext record. We can gather the pointer to check
1765 * for zeroization after SSL_read().
1767 if (!TEST_ptr(serversc
= SSL_CONNECTION_FROM_SSL_ONLY(serverssl
)))
1769 rr
= serversc
->rlayer
.tlsrecs
;
1771 zbuf
= &rr
->data
[rr
->off
];
1772 if (!TEST_int_eq(rr
->length
, sizeof(cbuf
)))
1776 * After SSL_peek() the plaintext must still be stored in the
1779 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), zbuf
, sizeof(cbuf
)))
1782 memset(sbuf
, 0, sizeof(sbuf
));
1783 if (!TEST_int_eq(SSL_read(serverssl
, &sbuf
, sizeof(sbuf
)), sizeof(sbuf
)))
1786 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(cbuf
)))
1789 /* Check if rbuf is cleansed */
1790 memset(cbuf
, 0, sizeof(cbuf
));
1791 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), zbuf
, sizeof(cbuf
)))
1796 SSL_free(serverssl
);
1797 SSL_free(clientssl
);
1804 static int test_cleanse_plaintext(void)
1806 #if !defined(OPENSSL_NO_TLS1_2)
1807 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1808 TLS_client_method(),
1815 #if !defined(OSSL_NO_USABLE_TLS1_3)
1816 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1817 TLS_client_method(),
1823 #if !defined(OPENSSL_NO_DTLS)
1825 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1826 DTLS_client_method(),
1834 #ifndef OPENSSL_NO_OCSP
1835 static int ocsp_server_cb(SSL
*s
, void *arg
)
1837 int *argi
= (int *)arg
;
1838 unsigned char *copy
= NULL
;
1839 STACK_OF(OCSP_RESPID
) *ids
= NULL
;
1840 OCSP_RESPID
*id
= NULL
;
1843 /* In this test we are expecting exactly 1 OCSP_RESPID */
1844 SSL_get_tlsext_status_ids(s
, &ids
);
1845 if (ids
== NULL
|| sk_OCSP_RESPID_num(ids
) != 1)
1846 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1848 id
= sk_OCSP_RESPID_value(ids
, 0);
1849 if (id
== NULL
|| !OCSP_RESPID_match_ex(id
, ocspcert
, libctx
, NULL
))
1850 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1851 } else if (*argi
!= 1) {
1852 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1855 if (!TEST_ptr(copy
= OPENSSL_memdup(orespder
, sizeof(orespder
))))
1856 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1858 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s
, copy
,
1859 sizeof(orespder
)))) {
1861 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1863 ocsp_server_called
= 1;
1864 return SSL_TLSEXT_ERR_OK
;
1867 static int ocsp_client_cb(SSL
*s
, void *arg
)
1869 int *argi
= (int *)arg
;
1870 const unsigned char *respderin
;
1873 if (*argi
!= 1 && *argi
!= 2)
1876 len
= SSL_get_tlsext_status_ocsp_resp(s
, &respderin
);
1877 if (!TEST_mem_eq(orespder
, len
, respderin
, len
))
1880 ocsp_client_called
= 1;
1884 static int test_tlsext_status_type(void)
1886 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1887 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1889 STACK_OF(OCSP_RESPID
) *ids
= NULL
;
1890 OCSP_RESPID
*id
= NULL
;
1891 BIO
*certbio
= NULL
;
1893 if (!create_ssl_ctx_pair(libctx
, TLS_server_method(), TLS_client_method(),
1895 &sctx
, &cctx
, cert
, privkey
))
1898 if (SSL_CTX_get_tlsext_status_type(cctx
) != -1)
1901 /* First just do various checks getting and setting tlsext_status_type */
1903 clientssl
= SSL_new(cctx
);
1904 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl
), -1)
1905 || !TEST_true(SSL_set_tlsext_status_type(clientssl
,
1906 TLSEXT_STATUSTYPE_ocsp
))
1907 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl
),
1908 TLSEXT_STATUSTYPE_ocsp
))
1911 SSL_free(clientssl
);
1914 if (!SSL_CTX_set_tlsext_status_type(cctx
, TLSEXT_STATUSTYPE_ocsp
)
1915 || SSL_CTX_get_tlsext_status_type(cctx
) != TLSEXT_STATUSTYPE_ocsp
)
1918 clientssl
= SSL_new(cctx
);
1919 if (SSL_get_tlsext_status_type(clientssl
) != TLSEXT_STATUSTYPE_ocsp
)
1921 SSL_free(clientssl
);
1925 * Now actually do a handshake and check OCSP information is exchanged and
1926 * the callbacks get called
1928 SSL_CTX_set_tlsext_status_cb(cctx
, ocsp_client_cb
);
1929 SSL_CTX_set_tlsext_status_arg(cctx
, &cdummyarg
);
1930 SSL_CTX_set_tlsext_status_cb(sctx
, ocsp_server_cb
);
1931 SSL_CTX_set_tlsext_status_arg(sctx
, &cdummyarg
);
1932 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1933 &clientssl
, NULL
, NULL
))
1934 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
1936 || !TEST_true(ocsp_client_called
)
1937 || !TEST_true(ocsp_server_called
))
1939 SSL_free(serverssl
);
1940 SSL_free(clientssl
);
1944 /* Try again but this time force the server side callback to fail */
1945 ocsp_client_called
= 0;
1946 ocsp_server_called
= 0;
1948 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1949 &clientssl
, NULL
, NULL
))
1950 /* This should fail because the callback will fail */
1951 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
1953 || !TEST_false(ocsp_client_called
)
1954 || !TEST_false(ocsp_server_called
))
1956 SSL_free(serverssl
);
1957 SSL_free(clientssl
);
1962 * This time we'll get the client to send an OCSP_RESPID that it will
1965 ocsp_client_called
= 0;
1966 ocsp_server_called
= 0;
1968 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1969 &clientssl
, NULL
, NULL
)))
1973 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1974 * specific one. We'll use the server cert.
1976 if (!TEST_ptr(certbio
= BIO_new_file(cert
, "r"))
1977 || !TEST_ptr(id
= OCSP_RESPID_new())
1978 || !TEST_ptr(ids
= sk_OCSP_RESPID_new_null())
1979 || !TEST_ptr(ocspcert
= X509_new_ex(libctx
, NULL
))
1980 || !TEST_ptr(PEM_read_bio_X509(certbio
, &ocspcert
, NULL
, NULL
))
1981 || !TEST_true(OCSP_RESPID_set_by_key_ex(id
, ocspcert
, libctx
, NULL
))
1982 || !TEST_true(sk_OCSP_RESPID_push(ids
, id
)))
1985 SSL_set_tlsext_status_ids(clientssl
, ids
);
1986 /* Control has been transferred */
1992 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1994 || !TEST_true(ocsp_client_called
)
1995 || !TEST_true(ocsp_server_called
))
2001 SSL_free(serverssl
);
2002 SSL_free(clientssl
);
2005 sk_OCSP_RESPID_pop_free(ids
, OCSP_RESPID_free
);
2006 OCSP_RESPID_free(id
);
2008 X509_free(ocspcert
);
2015 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2016 static int new_called
, remove_called
, get_called
;
2018 static int new_session_cb(SSL
*ssl
, SSL_SESSION
*sess
)
2022 * sess has been up-refed for us, but we don't actually need it so free it
2025 SSL_SESSION_free(sess
);
2029 static void remove_session_cb(SSL_CTX
*ctx
, SSL_SESSION
*sess
)
2034 static SSL_SESSION
*get_sess_val
= NULL
;
2036 static SSL_SESSION
*get_session_cb(SSL
*ssl
, const unsigned char *id
, int len
,
2041 return get_sess_val
;
2044 static int execute_test_session(int maxprot
, int use_int_cache
,
2045 int use_ext_cache
, long s_options
)
2047 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2048 SSL
*serverssl1
= NULL
, *clientssl1
= NULL
;
2049 SSL
*serverssl2
= NULL
, *clientssl2
= NULL
;
2050 # ifndef OPENSSL_NO_TLS1_1
2051 SSL
*serverssl3
= NULL
, *clientssl3
= NULL
;
2053 SSL_SESSION
*sess1
= NULL
, *sess2
= NULL
;
2054 int testresult
= 0, numnewsesstick
= 1;
2056 new_called
= remove_called
= 0;
2058 /* TLSv1.3 sends 2 NewSessionTickets */
2059 if (maxprot
== TLS1_3_VERSION
)
2062 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2063 TLS_client_method(), TLS1_VERSION
, 0,
2064 &sctx
, &cctx
, cert
, privkey
)))
2068 * Only allow the max protocol version so we can force a connection failure
2071 SSL_CTX_set_min_proto_version(cctx
, maxprot
);
2072 SSL_CTX_set_max_proto_version(cctx
, maxprot
);
2074 /* Set up session cache */
2075 if (use_ext_cache
) {
2076 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
2077 SSL_CTX_sess_set_remove_cb(cctx
, remove_session_cb
);
2079 if (use_int_cache
) {
2080 /* Also covers instance where both are set */
2081 SSL_CTX_set_session_cache_mode(cctx
, SSL_SESS_CACHE_CLIENT
);
2083 SSL_CTX_set_session_cache_mode(cctx
,
2084 SSL_SESS_CACHE_CLIENT
2085 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2089 SSL_CTX_set_options(sctx
, s_options
);
2092 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl1
, &clientssl1
,
2094 || !TEST_true(create_ssl_connection(serverssl1
, clientssl1
,
2096 || !TEST_ptr(sess1
= SSL_get1_session(clientssl1
)))
2099 /* Should fail because it should already be in the cache */
2100 if (use_int_cache
&& !TEST_false(SSL_CTX_add_session(cctx
, sess1
)))
2103 && (!TEST_int_eq(new_called
, numnewsesstick
)
2105 || !TEST_int_eq(remove_called
, 0)))
2108 new_called
= remove_called
= 0;
2109 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
2110 &clientssl2
, NULL
, NULL
))
2111 || !TEST_true(SSL_set_session(clientssl2
, sess1
))
2112 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
2114 || !TEST_true(SSL_session_reused(clientssl2
)))
2117 if (maxprot
== TLS1_3_VERSION
) {
2119 * In TLSv1.3 we should have created a new session even though we have
2120 * resumed. Since we attempted a resume we should also have removed the
2121 * old ticket from the cache so that we try to only use tickets once.
2124 && (!TEST_int_eq(new_called
, 1)
2125 || !TEST_int_eq(remove_called
, 1)))
2129 * In TLSv1.2 we expect to have resumed so no sessions added or
2133 && (!TEST_int_eq(new_called
, 0)
2134 || !TEST_int_eq(remove_called
, 0)))
2138 SSL_SESSION_free(sess1
);
2139 if (!TEST_ptr(sess1
= SSL_get1_session(clientssl2
)))
2141 shutdown_ssl_connection(serverssl2
, clientssl2
);
2142 serverssl2
= clientssl2
= NULL
;
2144 new_called
= remove_called
= 0;
2145 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
2146 &clientssl2
, NULL
, NULL
))
2147 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
2151 if (!TEST_ptr(sess2
= SSL_get1_session(clientssl2
)))
2155 && (!TEST_int_eq(new_called
, numnewsesstick
)
2156 || !TEST_int_eq(remove_called
, 0)))
2159 new_called
= remove_called
= 0;
2161 * This should clear sess2 from the cache because it is a "bad" session.
2162 * See SSL_set_session() documentation.
2164 if (!TEST_true(SSL_set_session(clientssl2
, sess1
)))
2167 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
2169 if (!TEST_ptr_eq(SSL_get_session(clientssl2
), sess1
))
2172 if (use_int_cache
) {
2173 /* Should succeeded because it should not already be in the cache */
2174 if (!TEST_true(SSL_CTX_add_session(cctx
, sess2
))
2175 || !TEST_true(SSL_CTX_remove_session(cctx
, sess2
)))
2179 new_called
= remove_called
= 0;
2180 /* This shouldn't be in the cache so should fail */
2181 if (!TEST_false(SSL_CTX_remove_session(cctx
, sess2
)))
2185 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
2188 # if !defined(OPENSSL_NO_TLS1_1)
2189 new_called
= remove_called
= 0;
2190 /* Force a connection failure */
2191 SSL_CTX_set_max_proto_version(sctx
, TLS1_1_VERSION
);
2192 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl3
,
2193 &clientssl3
, NULL
, NULL
))
2194 || !TEST_true(SSL_set_session(clientssl3
, sess1
))
2195 /* This should fail because of the mismatched protocol versions */
2196 || !TEST_false(create_ssl_connection(serverssl3
, clientssl3
,
2200 /* We should have automatically removed the session from the cache */
2202 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
2205 /* Should succeed because it should not already be in the cache */
2206 if (use_int_cache
&& !TEST_true(SSL_CTX_add_session(cctx
, sess2
)))
2210 /* Now do some tests for server side caching */
2211 if (use_ext_cache
) {
2212 SSL_CTX_sess_set_new_cb(cctx
, NULL
);
2213 SSL_CTX_sess_set_remove_cb(cctx
, NULL
);
2214 SSL_CTX_sess_set_new_cb(sctx
, new_session_cb
);
2215 SSL_CTX_sess_set_remove_cb(sctx
, remove_session_cb
);
2216 SSL_CTX_sess_set_get_cb(sctx
, get_session_cb
);
2217 get_sess_val
= NULL
;
2220 SSL_CTX_set_session_cache_mode(cctx
, 0);
2221 /* Internal caching is the default on the server side */
2223 SSL_CTX_set_session_cache_mode(sctx
,
2224 SSL_SESS_CACHE_SERVER
2225 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2227 SSL_free(serverssl1
);
2228 SSL_free(clientssl1
);
2229 serverssl1
= clientssl1
= NULL
;
2230 SSL_free(serverssl2
);
2231 SSL_free(clientssl2
);
2232 serverssl2
= clientssl2
= NULL
;
2233 SSL_SESSION_free(sess1
);
2235 SSL_SESSION_free(sess2
);
2238 SSL_CTX_set_max_proto_version(sctx
, maxprot
);
2239 if (maxprot
== TLS1_2_VERSION
)
2240 SSL_CTX_set_options(sctx
, SSL_OP_NO_TICKET
);
2241 new_called
= remove_called
= get_called
= 0;
2242 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl1
, &clientssl1
,
2244 || !TEST_true(create_ssl_connection(serverssl1
, clientssl1
,
2246 || !TEST_ptr(sess1
= SSL_get1_session(clientssl1
))
2247 || !TEST_ptr(sess2
= SSL_get1_session(serverssl1
)))
2250 if (use_int_cache
) {
2251 if (maxprot
== TLS1_3_VERSION
&& !use_ext_cache
) {
2253 * In TLSv1.3 it should not have been added to the internal cache,
2254 * except in the case where we also have an external cache (in that
2255 * case it gets added to the cache in order to generate remove
2256 * events after timeout).
2258 if (!TEST_false(SSL_CTX_remove_session(sctx
, sess2
)))
2261 /* Should fail because it should already be in the cache */
2262 if (!TEST_false(SSL_CTX_add_session(sctx
, sess2
)))
2267 if (use_ext_cache
) {
2268 SSL_SESSION
*tmp
= sess2
;
2270 if (!TEST_int_eq(new_called
, numnewsesstick
)
2271 || !TEST_int_eq(remove_called
, 0)
2272 || !TEST_int_eq(get_called
, 0))
2275 * Delete the session from the internal cache to force a lookup from
2276 * the external cache. We take a copy first because
2277 * SSL_CTX_remove_session() also marks the session as non-resumable.
2279 if (use_int_cache
&& maxprot
!= TLS1_3_VERSION
) {
2280 if (!TEST_ptr(tmp
= SSL_SESSION_dup(sess2
))
2281 || !TEST_true(SSL_CTX_remove_session(sctx
, sess2
)))
2283 SSL_SESSION_free(sess2
);
2288 new_called
= remove_called
= get_called
= 0;
2289 get_sess_val
= sess2
;
2290 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
2291 &clientssl2
, NULL
, NULL
))
2292 || !TEST_true(SSL_set_session(clientssl2
, sess1
))
2293 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
2295 || !TEST_true(SSL_session_reused(clientssl2
)))
2298 if (use_ext_cache
) {
2299 if (!TEST_int_eq(remove_called
, 0))
2302 if (maxprot
== TLS1_3_VERSION
) {
2303 if (!TEST_int_eq(new_called
, 1)
2304 || !TEST_int_eq(get_called
, 0))
2307 if (!TEST_int_eq(new_called
, 0)
2308 || !TEST_int_eq(get_called
, 1))
2313 * Make a small cache, force out all other sessions but
2314 * sess2, try to add sess1, which should succeed. Then
2315 * make sure it's there by checking the owners. Despite
2316 * the timeouts, sess1 should have kicked out sess2
2319 /* Make sess1 expire before sess2 */
2320 if (!TEST_long_gt(SSL_SESSION_set_time(sess1
, 1000), 0)
2321 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1
, 1000), 0)
2322 || !TEST_long_gt(SSL_SESSION_set_time(sess2
, 2000), 0)
2323 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2
, 2000), 0))
2326 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx
, 1), 0))
2329 /* Don't care about results - cache should only be sess2 at end */
2330 SSL_CTX_add_session(sctx
, sess1
);
2331 SSL_CTX_add_session(sctx
, sess2
);
2333 /* Now add sess1, and make sure it remains, despite timeout */
2334 if (!TEST_true(SSL_CTX_add_session(sctx
, sess1
))
2335 || !TEST_ptr(sess1
->owner
)
2336 || !TEST_ptr_null(sess2
->owner
))
2342 SSL_free(serverssl1
);
2343 SSL_free(clientssl1
);
2344 SSL_free(serverssl2
);
2345 SSL_free(clientssl2
);
2346 # ifndef OPENSSL_NO_TLS1_1
2347 SSL_free(serverssl3
);
2348 SSL_free(clientssl3
);
2350 SSL_SESSION_free(sess1
);
2351 SSL_SESSION_free(sess2
);
2357 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2359 static int test_session_with_only_int_cache(void)
2361 #ifndef OSSL_NO_USABLE_TLS1_3
2362 if (!execute_test_session(TLS1_3_VERSION
, 1, 0, 0))
2366 #ifndef OPENSSL_NO_TLS1_2
2367 return execute_test_session(TLS1_2_VERSION
, 1, 0, 0);
2373 static int test_session_with_only_ext_cache(void)
2375 #ifndef OSSL_NO_USABLE_TLS1_3
2376 if (!execute_test_session(TLS1_3_VERSION
, 0, 1, 0))
2380 #ifndef OPENSSL_NO_TLS1_2
2381 return execute_test_session(TLS1_2_VERSION
, 0, 1, 0);
2387 static int test_session_with_both_cache(void)
2389 #ifndef OSSL_NO_USABLE_TLS1_3
2390 if (!execute_test_session(TLS1_3_VERSION
, 1, 1, 0))
2394 #ifndef OPENSSL_NO_TLS1_2
2395 return execute_test_session(TLS1_2_VERSION
, 1, 1, 0);
2401 static int test_session_wo_ca_names(void)
2403 #ifndef OSSL_NO_USABLE_TLS1_3
2404 if (!execute_test_session(TLS1_3_VERSION
, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES
))
2408 #ifndef OPENSSL_NO_TLS1_2
2409 return execute_test_session(TLS1_2_VERSION
, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES
);
2416 #ifndef OSSL_NO_USABLE_TLS1_3
2417 static SSL_SESSION
*sesscache
[6];
2418 static int do_cache
;
2420 static int new_cachesession_cb(SSL
*ssl
, SSL_SESSION
*sess
)
2423 sesscache
[new_called
] = sess
;
2425 /* We don't need the reference to the session, so free it */
2426 SSL_SESSION_free(sess
);
2433 static int post_handshake_verify(SSL
*sssl
, SSL
*cssl
)
2435 SSL_set_verify(sssl
, SSL_VERIFY_PEER
, NULL
);
2436 if (!TEST_true(SSL_verify_client_post_handshake(sssl
)))
2439 /* Start handshake on the server and client */
2440 if (!TEST_int_eq(SSL_do_handshake(sssl
), 1)
2441 || !TEST_int_le(SSL_read(cssl
, NULL
, 0), 0)
2442 || !TEST_int_le(SSL_read(sssl
, NULL
, 0), 0)
2443 || !TEST_true(create_ssl_connection(sssl
, cssl
,
2450 static int setup_ticket_test(int stateful
, int idx
, SSL_CTX
**sctx
,
2453 int sess_id_ctx
= 1;
2455 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2456 TLS_client_method(), TLS1_VERSION
, 0,
2457 sctx
, cctx
, cert
, privkey
))
2458 || !TEST_true(SSL_CTX_set_num_tickets(*sctx
, idx
))
2459 || !TEST_true(SSL_CTX_set_session_id_context(*sctx
,
2460 (void *)&sess_id_ctx
,
2461 sizeof(sess_id_ctx
))))
2465 SSL_CTX_set_options(*sctx
, SSL_OP_NO_TICKET
);
2467 SSL_CTX_set_session_cache_mode(*cctx
, SSL_SESS_CACHE_CLIENT
2468 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2469 SSL_CTX_sess_set_new_cb(*cctx
, new_cachesession_cb
);
2474 static int check_resumption(int idx
, SSL_CTX
*sctx
, SSL_CTX
*cctx
, int succ
)
2476 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2479 /* Test that we can resume with all the tickets we got given */
2480 for (i
= 0; i
< idx
* 2; i
++) {
2482 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2483 &clientssl
, NULL
, NULL
))
2484 || !TEST_true(SSL_set_session(clientssl
, sesscache
[i
])))
2487 SSL_set_post_handshake_auth(clientssl
, 1);
2489 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2494 * Following a successful resumption we only get 1 ticket. After a
2495 * failed one we should get idx tickets.
2498 if (!TEST_true(SSL_session_reused(clientssl
))
2499 || !TEST_int_eq(new_called
, 1))
2502 if (!TEST_false(SSL_session_reused(clientssl
))
2503 || !TEST_int_eq(new_called
, idx
))
2508 /* After a post-handshake authentication we should get 1 new ticket */
2510 && (!post_handshake_verify(serverssl
, clientssl
)
2511 || !TEST_int_eq(new_called
, 1)))
2514 SSL_shutdown(clientssl
);
2515 SSL_shutdown(serverssl
);
2516 SSL_free(serverssl
);
2517 SSL_free(clientssl
);
2518 serverssl
= clientssl
= NULL
;
2519 SSL_SESSION_free(sesscache
[i
]);
2520 sesscache
[i
] = NULL
;
2526 SSL_free(clientssl
);
2527 SSL_free(serverssl
);
2531 static int test_tickets(int stateful
, int idx
)
2533 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2534 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2538 /* idx is the test number, but also the number of tickets we want */
2543 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2546 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2547 &clientssl
, NULL
, NULL
)))
2550 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2552 /* Check we got the number of tickets we were expecting */
2553 || !TEST_int_eq(idx
, new_called
))
2556 SSL_shutdown(clientssl
);
2557 SSL_shutdown(serverssl
);
2558 SSL_free(serverssl
);
2559 SSL_free(clientssl
);
2562 clientssl
= serverssl
= NULL
;
2566 * Now we try to resume with the tickets we previously created. The
2567 * resumption attempt is expected to fail (because we're now using a new
2568 * SSL_CTX). We should see idx number of tickets issued again.
2571 /* Stop caching sessions - just count them */
2574 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2577 if (!check_resumption(idx
, sctx
, cctx
, 0))
2580 /* Start again with caching sessions */
2587 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2590 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2591 &clientssl
, NULL
, NULL
)))
2594 SSL_set_post_handshake_auth(clientssl
, 1);
2596 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2598 /* Check we got the number of tickets we were expecting */
2599 || !TEST_int_eq(idx
, new_called
))
2602 /* After a post-handshake authentication we should get new tickets issued */
2603 if (!post_handshake_verify(serverssl
, clientssl
)
2604 || !TEST_int_eq(idx
* 2, new_called
))
2607 SSL_shutdown(clientssl
);
2608 SSL_shutdown(serverssl
);
2609 SSL_free(serverssl
);
2610 SSL_free(clientssl
);
2611 serverssl
= clientssl
= NULL
;
2613 /* Stop caching sessions - just count them */
2617 * Check we can resume with all the tickets we created. This time around the
2618 * resumptions should all be successful.
2620 if (!check_resumption(idx
, sctx
, cctx
, 1))
2626 SSL_free(serverssl
);
2627 SSL_free(clientssl
);
2628 for (j
= 0; j
< OSSL_NELEM(sesscache
); j
++) {
2629 SSL_SESSION_free(sesscache
[j
]);
2630 sesscache
[j
] = NULL
;
2638 static int test_stateless_tickets(int idx
)
2640 return test_tickets(0, idx
);
2643 static int test_stateful_tickets(int idx
)
2645 return test_tickets(1, idx
);
2648 static int test_psk_tickets(void)
2650 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2651 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2653 int sess_id_ctx
= 1;
2655 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2656 TLS_client_method(), TLS1_VERSION
, 0,
2657 &sctx
, &cctx
, NULL
, NULL
))
2658 || !TEST_true(SSL_CTX_set_session_id_context(sctx
,
2659 (void *)&sess_id_ctx
,
2660 sizeof(sess_id_ctx
))))
2663 SSL_CTX_set_session_cache_mode(cctx
, SSL_SESS_CACHE_CLIENT
2664 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2665 SSL_CTX_set_psk_use_session_callback(cctx
, use_session_cb
);
2666 SSL_CTX_set_psk_find_session_callback(sctx
, find_session_cb
);
2667 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
2668 use_session_cb_cnt
= 0;
2669 find_session_cb_cnt
= 0;
2673 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2676 clientpsk
= serverpsk
= create_a_psk(clientssl
);
2677 if (!TEST_ptr(clientpsk
))
2679 SSL_SESSION_up_ref(clientpsk
);
2681 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2683 || !TEST_int_eq(1, find_session_cb_cnt
)
2684 || !TEST_int_eq(1, use_session_cb_cnt
)
2685 /* We should always get 1 ticket when using external PSK */
2686 || !TEST_int_eq(1, new_called
))
2692 SSL_free(serverssl
);
2693 SSL_free(clientssl
);
2696 SSL_SESSION_free(clientpsk
);
2697 SSL_SESSION_free(serverpsk
);
2698 clientpsk
= serverpsk
= NULL
;
2703 static int test_extra_tickets(int idx
)
2705 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2706 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2707 BIO
*bretry
= BIO_new(bio_s_always_retry());
2712 unsigned char c
, buf
[1];
2722 if (!TEST_ptr(bretry
) || !setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2724 SSL_CTX_sess_set_new_cb(sctx
, new_session_cb
);
2725 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2726 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
2728 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2729 &clientssl
, NULL
, NULL
)))
2733 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2734 * incremented by both client and server.
2736 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2738 /* Check we got the number of tickets we were expecting */
2739 || !TEST_int_eq(idx
* 2, new_called
)
2740 || !TEST_true(SSL_new_session_ticket(serverssl
))
2741 || !TEST_true(SSL_new_session_ticket(serverssl
))
2742 || !TEST_int_eq(idx
* 2, new_called
))
2745 /* Now try a (real) write to actually send the tickets */
2747 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2748 || !TEST_size_t_eq(1, nbytes
)
2749 || !TEST_int_eq(idx
* 2 + 2, new_called
)
2750 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2751 || !TEST_int_eq(idx
* 2 + 4, new_called
)
2752 || !TEST_int_eq(sizeof(buf
), nbytes
)
2753 || !TEST_int_eq(c
, buf
[0])
2754 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2757 /* Try with only requesting one new ticket, too */
2760 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2761 || !TEST_true(SSL_write_ex(serverssl
, &c
, sizeof(c
), &nbytes
))
2762 || !TEST_size_t_eq(sizeof(c
), nbytes
)
2763 || !TEST_int_eq(1, new_called
)
2764 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2765 || !TEST_int_eq(2, new_called
)
2766 || !TEST_size_t_eq(sizeof(buf
), nbytes
)
2767 || !TEST_int_eq(c
, buf
[0]))
2770 /* Do it again but use dummy writes to drive the ticket generation */
2773 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2774 || !TEST_true(SSL_new_session_ticket(serverssl
))
2775 || !TEST_true(SSL_write_ex(serverssl
, &c
, 0, &nbytes
))
2776 || !TEST_size_t_eq(0, nbytes
)
2777 || !TEST_int_eq(2, new_called
)
2778 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2779 || !TEST_int_eq(4, new_called
))
2782 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2785 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2786 || !TEST_true(SSL_new_session_ticket(serverssl
))
2787 || !TEST_true(SSL_do_handshake(serverssl
))
2788 || !TEST_int_eq(2, new_called
)
2789 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2790 || !TEST_int_eq(4, new_called
))
2794 * Use the always-retry BIO to exercise the logic that forces ticket
2795 * generation to wait until a record boundary.
2799 tmp
= SSL_get_wbio(serverssl
);
2800 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
2804 SSL_set0_wbio(serverssl
, bretry
);
2806 if (!TEST_false(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2807 || !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_WANT_WRITE
)
2808 || !TEST_size_t_eq(nbytes
, 0))
2810 /* Restore a BIO that will let the write succeed */
2811 SSL_set0_wbio(serverssl
, tmp
);
2814 * These calls should just queue the request and not send anything
2815 * even if we explicitly try to hit the state machine.
2817 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2818 || !TEST_true(SSL_new_session_ticket(serverssl
))
2819 || !TEST_int_eq(0, new_called
)
2820 || !TEST_true(SSL_do_handshake(serverssl
))
2821 || !TEST_int_eq(0, new_called
))
2823 /* Re-do the write; still no tickets sent */
2824 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2825 || !TEST_size_t_eq(1, nbytes
)
2826 || !TEST_int_eq(0, new_called
)
2827 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2828 || !TEST_int_eq(0, new_called
)
2829 || !TEST_int_eq(sizeof(buf
), nbytes
)
2830 || !TEST_int_eq(c
, buf
[0])
2831 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2833 /* Even trying to hit the state machine now will still not send tickets */
2834 if (!TEST_true(SSL_do_handshake(serverssl
))
2835 || !TEST_int_eq(0, new_called
))
2837 /* Now the *next* write should send the tickets */
2839 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2840 || !TEST_size_t_eq(1, nbytes
)
2841 || !TEST_int_eq(2, new_called
)
2842 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2843 || !TEST_int_eq(4, new_called
)
2844 || !TEST_int_eq(sizeof(buf
), nbytes
)
2845 || !TEST_int_eq(c
, buf
[0])
2846 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2849 SSL_shutdown(clientssl
);
2850 SSL_shutdown(serverssl
);
2856 SSL_free(serverssl
);
2857 SSL_free(clientssl
);
2860 clientssl
= serverssl
= NULL
;
2869 #define USE_DEFAULT 3
2871 #define CONNTYPE_CONNECTION_SUCCESS 0
2872 #define CONNTYPE_CONNECTION_FAIL 1
2873 #define CONNTYPE_NO_CONNECTION 2
2875 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2876 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2877 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2878 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2880 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2883 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2884 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2885 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2887 static void setupbio(BIO
**res
, BIO
*bio1
, BIO
*bio2
, int type
)
2904 * Tests calls to SSL_set_bio() under various conditions.
2906 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2907 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2908 * then do more tests where we create a successful connection first using our
2909 * standard connection setup functions, and then call SSL_set_bio() with
2910 * various combinations of valid BIOs or NULL. We then repeat these tests
2911 * following a failed connection. In this last case we are looking to check that
2912 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2914 static int test_ssl_set_bio(int idx
)
2916 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2919 BIO
*irbio
= NULL
, *iwbio
= NULL
, *nrbio
= NULL
, *nwbio
= NULL
;
2920 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2921 int initrbio
, initwbio
, newrbio
, newwbio
, conntype
;
2924 if (idx
< TOTAL_NO_CONN_SSL_SET_BIO_TESTS
) {
2932 conntype
= CONNTYPE_NO_CONNECTION
;
2934 idx
-= TOTAL_NO_CONN_SSL_SET_BIO_TESTS
;
2935 initrbio
= initwbio
= USE_DEFAULT
;
2943 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2944 TLS_client_method(), TLS1_VERSION
, 0,
2945 &sctx
, &cctx
, cert
, privkey
)))
2948 if (conntype
== CONNTYPE_CONNECTION_FAIL
) {
2950 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2951 * because we reduced the number of tests in the definition of
2952 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2953 * mismatched protocol versions we will force a connection failure.
2955 SSL_CTX_set_min_proto_version(sctx
, TLS1_3_VERSION
);
2956 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
2959 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2963 if (initrbio
== USE_BIO_1
2964 || initwbio
== USE_BIO_1
2965 || newrbio
== USE_BIO_1
2966 || newwbio
== USE_BIO_1
) {
2967 if (!TEST_ptr(bio1
= BIO_new(BIO_s_mem())))
2971 if (initrbio
== USE_BIO_2
2972 || initwbio
== USE_BIO_2
2973 || newrbio
== USE_BIO_2
2974 || newwbio
== USE_BIO_2
) {
2975 if (!TEST_ptr(bio2
= BIO_new(BIO_s_mem())))
2979 if (initrbio
!= USE_DEFAULT
) {
2980 setupbio(&irbio
, bio1
, bio2
, initrbio
);
2981 setupbio(&iwbio
, bio1
, bio2
, initwbio
);
2982 SSL_set_bio(clientssl
, irbio
, iwbio
);
2985 * We want to maintain our own refs to these BIO, so do an up ref for
2986 * each BIO that will have ownership transferred in the SSL_set_bio()
2991 if (iwbio
!= NULL
&& iwbio
!= irbio
)
2995 if (conntype
!= CONNTYPE_NO_CONNECTION
2996 && !TEST_true(create_ssl_connection(serverssl
, clientssl
,
2998 == (conntype
== CONNTYPE_CONNECTION_SUCCESS
)))
3001 setupbio(&nrbio
, bio1
, bio2
, newrbio
);
3002 setupbio(&nwbio
, bio1
, bio2
, newwbio
);
3005 * We will (maybe) transfer ownership again so do more up refs.
3006 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3011 && (nwbio
!= iwbio
|| nrbio
!= nwbio
))
3015 && (nwbio
!= iwbio
|| (nwbio
== iwbio
&& irbio
== iwbio
)))
3018 SSL_set_bio(clientssl
, nrbio
, nwbio
);
3027 * This test is checking that the ref counting for SSL_set_bio is correct.
3028 * If we get here and we did too many frees then we will fail in the above
3031 SSL_free(serverssl
);
3032 SSL_free(clientssl
);
3038 typedef enum { NO_BIO_CHANGE
, CHANGE_RBIO
, CHANGE_WBIO
} bio_change_t
;
3040 static int execute_test_ssl_bio(int pop_ssl
, bio_change_t change_bio
)
3042 BIO
*sslbio
= NULL
, *membio1
= NULL
, *membio2
= NULL
;
3047 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method()))
3048 || !TEST_ptr(ssl
= SSL_new(ctx
))
3049 || !TEST_ptr(sslbio
= BIO_new(BIO_f_ssl()))
3050 || !TEST_ptr(membio1
= BIO_new(BIO_s_mem())))
3053 BIO_set_ssl(sslbio
, ssl
, BIO_CLOSE
);
3056 * If anything goes wrong here then we could leak memory.
3058 BIO_push(sslbio
, membio1
);
3060 /* Verify changing the rbio/wbio directly does not cause leaks */
3061 if (change_bio
!= NO_BIO_CHANGE
) {
3062 if (!TEST_ptr(membio2
= BIO_new(BIO_s_mem()))) {
3066 if (change_bio
== CHANGE_RBIO
)
3067 SSL_set0_rbio(ssl
, membio2
);
3069 SSL_set0_wbio(ssl
, membio2
);
3088 static int test_ssl_bio_pop_next_bio(void)
3090 return execute_test_ssl_bio(0, NO_BIO_CHANGE
);
3093 static int test_ssl_bio_pop_ssl_bio(void)
3095 return execute_test_ssl_bio(1, NO_BIO_CHANGE
);
3098 static int test_ssl_bio_change_rbio(void)
3100 return execute_test_ssl_bio(0, CHANGE_RBIO
);
3103 static int test_ssl_bio_change_wbio(void)
3105 return execute_test_ssl_bio(0, CHANGE_WBIO
);
3108 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3110 /* The list of sig algs */
3112 /* The length of the list */
3114 /* A sigalgs list in string format */
3115 const char *liststr
;
3116 /* Whether setting the list should succeed */
3118 /* Whether creating a connection with the list should succeed */
3122 static const int validlist1
[] = {NID_sha256
, EVP_PKEY_RSA
};
3123 # ifndef OPENSSL_NO_EC
3124 static const int validlist2
[] = {NID_sha256
, EVP_PKEY_RSA
, NID_sha512
, EVP_PKEY_EC
};
3125 static const int validlist3
[] = {NID_sha512
, EVP_PKEY_EC
};
3127 static const int invalidlist1
[] = {NID_undef
, EVP_PKEY_RSA
};
3128 static const int invalidlist2
[] = {NID_sha256
, NID_undef
};
3129 static const int invalidlist3
[] = {NID_sha256
, EVP_PKEY_RSA
, NID_sha256
};
3130 static const int invalidlist4
[] = {NID_sha256
};
3131 static const sigalgs_list testsigalgs
[] = {
3132 {validlist1
, OSSL_NELEM(validlist1
), NULL
, 1, 1},
3133 # ifndef OPENSSL_NO_EC
3134 {validlist2
, OSSL_NELEM(validlist2
), NULL
, 1, 1},
3135 {validlist3
, OSSL_NELEM(validlist3
), NULL
, 1, 0},
3137 {NULL
, 0, "RSA+SHA256", 1, 1},
3138 # ifndef OPENSSL_NO_EC
3139 {NULL
, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3140 {NULL
, 0, "ECDSA+SHA512", 1, 0},
3142 {invalidlist1
, OSSL_NELEM(invalidlist1
), NULL
, 0, 0},
3143 {invalidlist2
, OSSL_NELEM(invalidlist2
), NULL
, 0, 0},
3144 {invalidlist3
, OSSL_NELEM(invalidlist3
), NULL
, 0, 0},
3145 {invalidlist4
, OSSL_NELEM(invalidlist4
), NULL
, 0, 0},
3146 {NULL
, 0, "RSA", 0, 0},
3147 {NULL
, 0, "SHA256", 0, 0},
3148 {NULL
, 0, "RSA+SHA256:SHA256", 0, 0},
3149 {NULL
, 0, "Invalid", 0, 0}
3152 static int test_set_sigalgs(int idx
)
3154 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3155 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3157 const sigalgs_list
*curr
;
3160 /* Should never happen */
3161 if (!TEST_size_t_le((size_t)idx
, OSSL_NELEM(testsigalgs
) * 2))
3164 testctx
= ((size_t)idx
< OSSL_NELEM(testsigalgs
));
3165 curr
= testctx
? &testsigalgs
[idx
]
3166 : &testsigalgs
[idx
- OSSL_NELEM(testsigalgs
)];
3168 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
3169 TLS_client_method(), TLS1_VERSION
, 0,
3170 &sctx
, &cctx
, cert
, privkey
)))
3173 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
3178 if (curr
->list
!= NULL
)
3179 ret
= SSL_CTX_set1_sigalgs(cctx
, curr
->list
, curr
->listlen
);
3181 ret
= SSL_CTX_set1_sigalgs_list(cctx
, curr
->liststr
);
3185 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx
);
3191 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx
);
3196 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3197 &clientssl
, NULL
, NULL
)))
3203 if (curr
->list
!= NULL
)
3204 ret
= SSL_set1_sigalgs(clientssl
, curr
->list
, curr
->listlen
);
3206 ret
= SSL_set1_sigalgs_list(clientssl
, curr
->liststr
);
3209 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx
);
3218 if (!TEST_int_eq(create_ssl_connection(serverssl
, clientssl
,
3226 SSL_free(serverssl
);
3227 SSL_free(clientssl
);
3235 #ifndef OSSL_NO_USABLE_TLS1_3
3236 static int psk_client_cb_cnt
= 0;
3237 static int psk_server_cb_cnt
= 0;
3239 static int use_session_cb(SSL
*ssl
, const EVP_MD
*md
, const unsigned char **id
,
3240 size_t *idlen
, SSL_SESSION
**sess
)
3242 switch (++use_session_cb_cnt
) {
3244 /* The first call should always have a NULL md */
3250 /* The second call should always have an md */
3256 /* We should only be called a maximum of twice */
3260 if (clientpsk
!= NULL
)
3261 SSL_SESSION_up_ref(clientpsk
);
3264 *id
= (const unsigned char *)pskid
;
3265 *idlen
= strlen(pskid
);
3270 #ifndef OPENSSL_NO_PSK
3271 static unsigned int psk_client_cb(SSL
*ssl
, const char *hint
, char *id
,
3272 unsigned int max_id_len
,
3274 unsigned int max_psk_len
)
3276 unsigned int psklen
= 0;
3278 psk_client_cb_cnt
++;
3280 if (strlen(pskid
) + 1 > max_id_len
)
3283 /* We should only ever be called a maximum of twice per connection */
3284 if (psk_client_cb_cnt
> 2)
3287 if (clientpsk
== NULL
)
3290 /* We'll reuse the PSK we set up for TLSv1.3 */
3291 if (SSL_SESSION_get_master_key(clientpsk
, NULL
, 0) > max_psk_len
)
3293 psklen
= SSL_SESSION_get_master_key(clientpsk
, psk
, max_psk_len
);
3294 strncpy(id
, pskid
, max_id_len
);
3298 #endif /* OPENSSL_NO_PSK */
3300 static int find_session_cb(SSL
*ssl
, const unsigned char *identity
,
3301 size_t identity_len
, SSL_SESSION
**sess
)
3303 find_session_cb_cnt
++;
3305 /* We should only ever be called a maximum of twice per connection */
3306 if (find_session_cb_cnt
> 2)
3309 if (serverpsk
== NULL
)
3312 /* Identity should match that set by the client */
3313 if (strlen(srvid
) != identity_len
3314 || strncmp(srvid
, (const char *)identity
, identity_len
) != 0) {
3315 /* No PSK found, continue but without a PSK */
3320 SSL_SESSION_up_ref(serverpsk
);
3326 #ifndef OPENSSL_NO_PSK
3327 static unsigned int psk_server_cb(SSL
*ssl
, const char *identity
,
3328 unsigned char *psk
, unsigned int max_psk_len
)
3330 unsigned int psklen
= 0;
3332 psk_server_cb_cnt
++;
3334 /* We should only ever be called a maximum of twice per connection */
3335 if (find_session_cb_cnt
> 2)
3338 if (serverpsk
== NULL
)
3341 /* Identity should match that set by the client */
3342 if (strcmp(srvid
, identity
) != 0) {
3346 /* We'll reuse the PSK we set up for TLSv1.3 */
3347 if (SSL_SESSION_get_master_key(serverpsk
, NULL
, 0) > max_psk_len
)
3349 psklen
= SSL_SESSION_get_master_key(serverpsk
, psk
, max_psk_len
);
3353 #endif /* OPENSSL_NO_PSK */
3355 #define MSG1 "Hello"
3356 #define MSG2 "World."
3361 #define MSG7 "message."
3363 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3364 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3365 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3366 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3367 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3370 static SSL_SESSION
*create_a_psk(SSL
*ssl
)
3372 const SSL_CIPHER
*cipher
= NULL
;
3373 const unsigned char key
[] = {
3374 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3375 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3376 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3377 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3378 0x2c, 0x2d, 0x2e, 0x2f
3380 SSL_SESSION
*sess
= NULL
;
3382 cipher
= SSL_CIPHER_find(ssl
, TLS13_AES_256_GCM_SHA384_BYTES
);
3383 sess
= SSL_SESSION_new();
3385 || !TEST_ptr(cipher
)
3386 || !TEST_true(SSL_SESSION_set1_master_key(sess
, key
,
3388 || !TEST_true(SSL_SESSION_set_cipher(sess
, cipher
))
3390 SSL_SESSION_set_protocol_version(sess
,
3392 SSL_SESSION_free(sess
);
3399 * Helper method to setup objects for early data test. Caller frees objects on
3402 static int setupearly_data_test(SSL_CTX
**cctx
, SSL_CTX
**sctx
, SSL
**clientssl
,
3403 SSL
**serverssl
, SSL_SESSION
**sess
, int idx
)
3406 && !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
3407 TLS_client_method(),
3409 sctx
, cctx
, cert
, privkey
)))
3412 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx
, SSL3_RT_MAX_PLAIN_LENGTH
)))
3416 /* When idx == 1 we repeat the tests with read_ahead set */
3417 SSL_CTX_set_read_ahead(*cctx
, 1);
3418 SSL_CTX_set_read_ahead(*sctx
, 1);
3419 } else if (idx
== 2) {
3420 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3421 SSL_CTX_set_psk_use_session_callback(*cctx
, use_session_cb
);
3422 SSL_CTX_set_psk_find_session_callback(*sctx
, find_session_cb
);
3423 use_session_cb_cnt
= 0;
3424 find_session_cb_cnt
= 0;
3428 if (!TEST_true(create_ssl_objects(*sctx
, *cctx
, serverssl
, clientssl
,
3433 * For one of the run throughs (doesn't matter which one), we'll try sending
3434 * some SNI data in the initial ClientHello. This will be ignored (because
3435 * there is no SNI cb set up by the server), so it should not impact
3439 && !TEST_true(SSL_set_tlsext_host_name(*clientssl
, "localhost")))
3443 clientpsk
= create_a_psk(*clientssl
);
3444 if (!TEST_ptr(clientpsk
)
3446 * We just choose an arbitrary value for max_early_data which
3447 * should be big enough for testing purposes.
3449 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk
,
3451 || !TEST_true(SSL_SESSION_up_ref(clientpsk
))) {
3452 SSL_SESSION_free(clientpsk
);
3456 serverpsk
= clientpsk
;
3459 if (!TEST_true(SSL_SESSION_up_ref(clientpsk
))) {
3460 SSL_SESSION_free(clientpsk
);
3461 SSL_SESSION_free(serverpsk
);
3462 clientpsk
= serverpsk
= NULL
;
3473 if (!TEST_true(create_ssl_connection(*serverssl
, *clientssl
,
3477 *sess
= SSL_get1_session(*clientssl
);
3478 SSL_shutdown(*clientssl
);
3479 SSL_shutdown(*serverssl
);
3480 SSL_free(*serverssl
);
3481 SSL_free(*clientssl
);
3482 *serverssl
= *clientssl
= NULL
;
3484 if (!TEST_true(create_ssl_objects(*sctx
, *cctx
, serverssl
,
3485 clientssl
, NULL
, NULL
))
3486 || !TEST_true(SSL_set_session(*clientssl
, *sess
)))
3492 static int test_early_data_read_write(int idx
)
3494 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3495 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3497 SSL_SESSION
*sess
= NULL
;
3498 unsigned char buf
[20], data
[1024];
3499 size_t readbytes
, written
, eoedlen
, rawread
, rawwritten
;
3502 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3503 &serverssl
, &sess
, idx
)))
3506 /* Write and read some early data */
3507 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3509 || !TEST_size_t_eq(written
, strlen(MSG1
))
3510 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
,
3511 sizeof(buf
), &readbytes
),
3512 SSL_READ_EARLY_DATA_SUCCESS
)
3513 || !TEST_mem_eq(MSG1
, readbytes
, buf
, strlen(MSG1
))
3514 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3515 SSL_EARLY_DATA_ACCEPTED
))
3519 * Server should be able to write data, and client should be able to
3522 if (!TEST_true(SSL_write_early_data(serverssl
, MSG2
, strlen(MSG2
),
3524 || !TEST_size_t_eq(written
, strlen(MSG2
))
3525 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3526 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3529 /* Even after reading normal data, client should be able write early data */
3530 if (!TEST_true(SSL_write_early_data(clientssl
, MSG3
, strlen(MSG3
),
3532 || !TEST_size_t_eq(written
, strlen(MSG3
)))
3535 /* Server should still be able read early data after writing data */
3536 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3538 SSL_READ_EARLY_DATA_SUCCESS
)
3539 || !TEST_mem_eq(buf
, readbytes
, MSG3
, strlen(MSG3
)))
3542 /* Write more data from server and read it from client */
3543 if (!TEST_true(SSL_write_early_data(serverssl
, MSG4
, strlen(MSG4
),
3545 || !TEST_size_t_eq(written
, strlen(MSG4
))
3546 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3547 || !TEST_mem_eq(buf
, readbytes
, MSG4
, strlen(MSG4
)))
3551 * If client writes normal data it should mean writing early data is no
3554 if (!TEST_true(SSL_write_ex(clientssl
, MSG5
, strlen(MSG5
), &written
))
3555 || !TEST_size_t_eq(written
, strlen(MSG5
))
3556 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3557 SSL_EARLY_DATA_ACCEPTED
))
3561 * At this point the client has written EndOfEarlyData, ClientFinished and
3562 * normal (fully protected) data. We are going to cause a delay between the
3563 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3564 * in the read BIO, and then just put back the EndOfEarlyData message.
3566 rbio
= SSL_get_rbio(serverssl
);
3567 if (!TEST_true(BIO_read_ex(rbio
, data
, sizeof(data
), &rawread
))
3568 || !TEST_size_t_lt(rawread
, sizeof(data
))
3569 || !TEST_size_t_gt(rawread
, SSL3_RT_HEADER_LENGTH
))
3572 /* Record length is in the 4th and 5th bytes of the record header */
3573 eoedlen
= SSL3_RT_HEADER_LENGTH
+ (data
[3] << 8 | data
[4]);
3574 if (!TEST_true(BIO_write_ex(rbio
, data
, eoedlen
, &rawwritten
))
3575 || !TEST_size_t_eq(rawwritten
, eoedlen
))
3578 /* Server should be told that there is no more early data */
3579 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3581 SSL_READ_EARLY_DATA_FINISH
)
3582 || !TEST_size_t_eq(readbytes
, 0))
3586 * Server has not finished init yet, so should still be able to write early
3589 if (!TEST_true(SSL_write_early_data(serverssl
, MSG6
, strlen(MSG6
),
3591 || !TEST_size_t_eq(written
, strlen(MSG6
)))
3594 /* Push the ClientFinished and the normal data back into the server rbio */
3595 if (!TEST_true(BIO_write_ex(rbio
, data
+ eoedlen
, rawread
- eoedlen
,
3597 || !TEST_size_t_eq(rawwritten
, rawread
- eoedlen
))
3600 /* Server should be able to read normal data */
3601 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3602 || !TEST_size_t_eq(readbytes
, strlen(MSG5
)))
3605 /* Client and server should not be able to write/read early data now */
3606 if (!TEST_false(SSL_write_early_data(clientssl
, MSG6
, strlen(MSG6
),
3610 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3612 SSL_READ_EARLY_DATA_ERROR
))
3616 /* Client should be able to read the data sent by the server */
3617 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3618 || !TEST_mem_eq(buf
, readbytes
, MSG6
, strlen(MSG6
)))
3622 * Make sure we process the two NewSessionTickets. These arrive
3623 * post-handshake. We attempt reads which we do not expect to return any
3626 if (!TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3627 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
3631 /* Server should be able to write normal data */
3632 if (!TEST_true(SSL_write_ex(serverssl
, MSG7
, strlen(MSG7
), &written
))
3633 || !TEST_size_t_eq(written
, strlen(MSG7
))
3634 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3635 || !TEST_mem_eq(buf
, readbytes
, MSG7
, strlen(MSG7
)))
3638 SSL_SESSION_free(sess
);
3639 sess
= SSL_get1_session(clientssl
);
3640 use_session_cb_cnt
= 0;
3641 find_session_cb_cnt
= 0;
3643 SSL_shutdown(clientssl
);
3644 SSL_shutdown(serverssl
);
3645 SSL_free(serverssl
);
3646 SSL_free(clientssl
);
3647 serverssl
= clientssl
= NULL
;
3648 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3649 &clientssl
, NULL
, NULL
))
3650 || !TEST_true(SSL_set_session(clientssl
, sess
)))
3653 /* Write and read some early data */
3654 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3656 || !TEST_size_t_eq(written
, strlen(MSG1
))
3657 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3659 SSL_READ_EARLY_DATA_SUCCESS
)
3660 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
)))
3663 if (!TEST_int_gt(SSL_connect(clientssl
), 0)
3664 || !TEST_int_gt(SSL_accept(serverssl
), 0))
3667 /* Client and server should not be able to write/read early data now */
3668 if (!TEST_false(SSL_write_early_data(clientssl
, MSG6
, strlen(MSG6
),
3672 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3674 SSL_READ_EARLY_DATA_ERROR
))
3678 /* Client and server should be able to write/read normal data */
3679 if (!TEST_true(SSL_write_ex(clientssl
, MSG5
, strlen(MSG5
), &written
))
3680 || !TEST_size_t_eq(written
, strlen(MSG5
))
3681 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3682 || !TEST_size_t_eq(readbytes
, strlen(MSG5
)))
3688 SSL_SESSION_free(sess
);
3689 SSL_SESSION_free(clientpsk
);
3690 SSL_SESSION_free(serverpsk
);
3691 clientpsk
= serverpsk
= NULL
;
3692 SSL_free(serverssl
);
3693 SSL_free(clientssl
);
3699 static int allow_ed_cb_called
= 0;
3701 static int allow_early_data_cb(SSL
*s
, void *arg
)
3703 int *usecb
= (int *)arg
;
3705 allow_ed_cb_called
++;
3714 * idx == 0: Standard early_data setup
3715 * idx == 1: early_data setup using read_ahead
3716 * usecb == 0: Don't use a custom early data callback
3717 * usecb == 1: Use a custom early data callback and reject the early data
3718 * usecb == 2: Use a custom early data callback and accept the early data
3719 * confopt == 0: Configure anti-replay directly
3720 * confopt == 1: Configure anti-replay using SSL_CONF
3722 static int test_early_data_replay_int(int idx
, int usecb
, int confopt
)
3724 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3725 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3727 SSL_SESSION
*sess
= NULL
;
3728 size_t readbytes
, written
;
3729 unsigned char buf
[20];
3731 allow_ed_cb_called
= 0;
3733 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
3734 TLS_client_method(), TLS1_VERSION
, 0,
3735 &sctx
, &cctx
, cert
, privkey
)))
3740 SSL_CTX_set_options(sctx
, SSL_OP_NO_ANTI_REPLAY
);
3742 SSL_CONF_CTX
*confctx
= SSL_CONF_CTX_new();
3744 if (!TEST_ptr(confctx
))
3746 SSL_CONF_CTX_set_flags(confctx
, SSL_CONF_FLAG_FILE
3747 | SSL_CONF_FLAG_SERVER
);
3748 SSL_CONF_CTX_set_ssl_ctx(confctx
, sctx
);
3749 if (!TEST_int_eq(SSL_CONF_cmd(confctx
, "Options", "-AntiReplay"),
3751 SSL_CONF_CTX_free(confctx
);
3754 SSL_CONF_CTX_free(confctx
);
3756 SSL_CTX_set_allow_early_data_cb(sctx
, allow_early_data_cb
, &usecb
);
3759 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3760 &serverssl
, &sess
, idx
)))
3764 * The server is configured to accept early data. Create a connection to
3765 * "use up" the ticket
3767 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
3768 || !TEST_true(SSL_session_reused(clientssl
)))
3771 SSL_shutdown(clientssl
);
3772 SSL_shutdown(serverssl
);
3773 SSL_free(serverssl
);
3774 SSL_free(clientssl
);
3775 serverssl
= clientssl
= NULL
;
3777 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3778 &clientssl
, NULL
, NULL
))
3779 || !TEST_true(SSL_set_session(clientssl
, sess
)))
3782 /* Write and read some early data */
3783 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3785 || !TEST_size_t_eq(written
, strlen(MSG1
)))
3789 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3791 SSL_READ_EARLY_DATA_FINISH
)
3793 * The ticket was reused, so the we should have rejected the
3796 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3797 SSL_EARLY_DATA_REJECTED
))
3800 /* In this case the callback decides to accept the early data */
3801 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3803 SSL_READ_EARLY_DATA_SUCCESS
)
3804 || !TEST_mem_eq(MSG1
, strlen(MSG1
), buf
, readbytes
)
3806 * Server will have sent its flight so client can now send
3807 * end of early data and complete its half of the handshake
3809 || !TEST_int_gt(SSL_connect(clientssl
), 0)
3810 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3812 SSL_READ_EARLY_DATA_FINISH
)
3813 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3814 SSL_EARLY_DATA_ACCEPTED
))
3818 /* Complete the connection */
3819 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
3820 || !TEST_int_eq(SSL_session_reused(clientssl
), (usecb
> 0) ? 1 : 0)
3821 || !TEST_int_eq(allow_ed_cb_called
, usecb
> 0 ? 1 : 0))
3827 SSL_SESSION_free(sess
);
3828 SSL_SESSION_free(clientpsk
);
3829 SSL_SESSION_free(serverpsk
);
3830 clientpsk
= serverpsk
= NULL
;
3831 SSL_free(serverssl
);
3832 SSL_free(clientssl
);
3838 static int test_early_data_replay(int idx
)
3840 int ret
= 1, usecb
, confopt
;
3842 for (usecb
= 0; usecb
< 3; usecb
++) {
3843 for (confopt
= 0; confopt
< 2; confopt
++)
3844 ret
&= test_early_data_replay_int(idx
, usecb
, confopt
);
3851 * Helper function to test that a server attempting to read early data can
3852 * handle a connection from a client where the early data should be skipped.
3853 * testtype: 0 == No HRR
3854 * testtype: 1 == HRR
3855 * testtype: 2 == HRR, invalid early_data sent after HRR
3856 * testtype: 3 == recv_max_early_data set to 0
3858 static int early_data_skip_helper(int testtype
, int idx
)
3860 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3861 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3863 SSL_SESSION
*sess
= NULL
;
3864 unsigned char buf
[20];
3865 size_t readbytes
, written
;
3867 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3868 &serverssl
, &sess
, idx
)))
3871 if (testtype
== 1 || testtype
== 2) {
3872 /* Force an HRR to occur */
3873 #if defined(OPENSSL_NO_EC)
3874 if (!TEST_true(SSL_set1_groups_list(serverssl
, "ffdhe3072")))
3877 if (!TEST_true(SSL_set1_groups_list(serverssl
, "P-256")))
3880 } else if (idx
== 2) {
3882 * We force early_data rejection by ensuring the PSK identity is
3885 srvid
= "Dummy Identity";
3888 * Deliberately corrupt the creation time. We take 20 seconds off the
3889 * time. It could be any value as long as it is not within tolerance.
3890 * This should mean the ticket is rejected.
3892 if (!TEST_true(SSL_SESSION_set_time(sess
, (long)(time(NULL
) - 20))))
3897 && !TEST_true(SSL_set_recv_max_early_data(serverssl
, 0)))
3900 /* Write some early data */
3901 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3903 || !TEST_size_t_eq(written
, strlen(MSG1
)))
3906 /* Server should reject the early data */
3907 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3909 SSL_READ_EARLY_DATA_FINISH
)
3910 || !TEST_size_t_eq(readbytes
, 0)
3911 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3912 SSL_EARLY_DATA_REJECTED
))
3922 * Finish off the handshake. We perform the same writes and reads as
3923 * further down but we expect them to fail due to the incomplete
3926 if (!TEST_false(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
3927 || !TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
),
3934 BIO
*wbio
= SSL_get_wbio(clientssl
);
3935 /* A record that will appear as bad early_data */
3936 const unsigned char bad_early_data
[] = {
3937 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3941 * We force the client to attempt a write. This will fail because
3942 * we're still in the handshake. It will cause the second
3943 * ClientHello to be sent.
3945 if (!TEST_false(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
),
3950 * Inject some early_data after the second ClientHello. This should
3951 * cause the server to fail
3953 if (!TEST_true(BIO_write_ex(wbio
, bad_early_data
,
3954 sizeof(bad_early_data
), &written
)))
3961 * This client has sent more early_data than we are willing to skip
3962 * (case 3) or sent invalid early_data (case 2) so the connection should
3965 if (!TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3966 || !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_SSL
))
3969 /* Connection has failed - nothing more to do */
3974 TEST_error("Invalid test type");
3979 * Should be able to send normal data despite rejection of early data. The
3980 * early_data should be skipped.
3982 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
3983 || !TEST_size_t_eq(written
, strlen(MSG2
))
3984 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3985 SSL_EARLY_DATA_REJECTED
)
3986 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3987 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3993 SSL_SESSION_free(clientpsk
);
3994 SSL_SESSION_free(serverpsk
);
3995 clientpsk
= serverpsk
= NULL
;
3996 SSL_SESSION_free(sess
);
3997 SSL_free(serverssl
);
3998 SSL_free(clientssl
);
4005 * Test that a server attempting to read early data can handle a connection
4006 * from a client where the early data is not acceptable.
4008 static int test_early_data_skip(int idx
)
4010 return early_data_skip_helper(0, idx
);
4014 * Test that a server attempting to read early data can handle a connection
4015 * from a client where an HRR occurs.
4017 static int test_early_data_skip_hrr(int idx
)
4019 return early_data_skip_helper(1, idx
);
4023 * Test that a server attempting to read early data can handle a connection
4024 * from a client where an HRR occurs and correctly fails if early_data is sent
4027 static int test_early_data_skip_hrr_fail(int idx
)
4029 return early_data_skip_helper(2, idx
);
4033 * Test that a server attempting to read early data will abort if it tries to
4034 * skip over too much.
4036 static int test_early_data_skip_abort(int idx
)
4038 return early_data_skip_helper(3, idx
);
4042 * Test that a server attempting to read early data can handle a connection
4043 * from a client that doesn't send any.
4045 static int test_early_data_not_sent(int idx
)
4047 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4048 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4050 SSL_SESSION
*sess
= NULL
;
4051 unsigned char buf
[20];
4052 size_t readbytes
, written
;
4054 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4055 &serverssl
, &sess
, idx
)))
4058 /* Write some data - should block due to handshake with server */
4059 SSL_set_connect_state(clientssl
);
4060 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
)))
4063 /* Server should detect that early data has not been sent */
4064 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4066 SSL_READ_EARLY_DATA_FINISH
)
4067 || !TEST_size_t_eq(readbytes
, 0)
4068 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4069 SSL_EARLY_DATA_NOT_SENT
)
4070 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
4071 SSL_EARLY_DATA_NOT_SENT
))
4074 /* Continue writing the message we started earlier */
4075 if (!TEST_true(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
4076 || !TEST_size_t_eq(written
, strlen(MSG1
))
4077 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4078 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
4079 || !SSL_write_ex(serverssl
, MSG2
, strlen(MSG2
), &written
)
4080 || !TEST_size_t_eq(written
, strlen(MSG2
)))
4083 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
4084 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4090 SSL_SESSION_free(sess
);
4091 SSL_SESSION_free(clientpsk
);
4092 SSL_SESSION_free(serverpsk
);
4093 clientpsk
= serverpsk
= NULL
;
4094 SSL_free(serverssl
);
4095 SSL_free(clientssl
);
4101 static const char *servalpn
;
4103 static int alpn_select_cb(SSL
*ssl
, const unsigned char **out
,
4104 unsigned char *outlen
, const unsigned char *in
,
4105 unsigned int inlen
, void *arg
)
4107 unsigned int protlen
= 0;
4108 const unsigned char *prot
;
4110 for (prot
= in
; prot
< in
+ inlen
; prot
+= protlen
) {
4112 if (in
+ inlen
< prot
+ protlen
)
4113 return SSL_TLSEXT_ERR_NOACK
;
4115 if (protlen
== strlen(servalpn
)
4116 && memcmp(prot
, servalpn
, protlen
) == 0) {
4119 return SSL_TLSEXT_ERR_OK
;
4123 return SSL_TLSEXT_ERR_NOACK
;
4126 /* Test that a PSK can be used to send early_data */
4127 static int test_early_data_psk(int idx
)
4129 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4130 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4132 SSL_SESSION
*sess
= NULL
;
4133 unsigned char alpnlist
[] = {
4134 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4137 #define GOODALPNLEN 9
4138 #define BADALPNLEN 8
4139 #define GOODALPN (alpnlist)
4140 #define BADALPN (alpnlist + GOODALPNLEN)
4142 unsigned char buf
[20];
4143 size_t readbytes
, written
;
4144 int readearlyres
= SSL_READ_EARLY_DATA_SUCCESS
, connectres
= 1;
4145 int edstatus
= SSL_EARLY_DATA_ACCEPTED
;
4147 /* We always set this up with a final parameter of "2" for PSK */
4148 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4149 &serverssl
, &sess
, 2)))
4152 servalpn
= "goodalpn";
4155 * Note: There is no test for inconsistent SNI with late client detection.
4156 * This is because servers do not acknowledge SNI even if they are using
4157 * it in a resumption handshake - so it is not actually possible for a
4158 * client to detect a problem.
4162 /* Set inconsistent SNI (early client detection) */
4163 err
= SSL_R_INCONSISTENT_EARLY_DATA_SNI
;
4164 if (!TEST_true(SSL_SESSION_set1_hostname(sess
, "goodhost"))
4165 || !TEST_true(SSL_set_tlsext_host_name(clientssl
, "badhost")))
4170 /* Set inconsistent ALPN (early client detection) */
4171 err
= SSL_R_INCONSISTENT_EARLY_DATA_ALPN
;
4172 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4173 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess
, GOODALPN
,
4175 || !TEST_false(SSL_set_alpn_protos(clientssl
, BADALPN
,
4182 * Set invalid protocol version. Technically this affects PSKs without
4183 * early_data too, but we test it here because it is similar to the
4184 * SNI/ALPN consistency tests.
4186 err
= SSL_R_BAD_PSK
;
4187 if (!TEST_true(SSL_SESSION_set_protocol_version(sess
, TLS1_2_VERSION
)))
4193 * Set inconsistent SNI (server side). In this case the connection
4194 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4195 * is associated with each handshake - not the session. Therefore it
4196 * should not matter that we used a different server name last time.
4198 SSL_SESSION_free(serverpsk
);
4199 serverpsk
= SSL_SESSION_dup(clientpsk
);
4200 if (!TEST_ptr(serverpsk
)
4201 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk
, "badhost")))
4205 /* Set consistent SNI */
4206 if (!TEST_true(SSL_SESSION_set1_hostname(sess
, "goodhost"))
4207 || !TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost"))
4208 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
,
4215 * Set inconsistent ALPN (server detected). In this case the connection
4216 * will succeed but reject early_data.
4218 servalpn
= "badalpn";
4219 edstatus
= SSL_EARLY_DATA_REJECTED
;
4220 readearlyres
= SSL_READ_EARLY_DATA_FINISH
;
4224 * Set consistent ALPN.
4225 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4226 * accepts a list of protos (each one length prefixed).
4227 * SSL_set1_alpn_selected accepts a single protocol (not length
4230 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess
, GOODALPN
+ 1,
4232 || !TEST_false(SSL_set_alpn_protos(clientssl
, GOODALPN
,
4236 SSL_CTX_set_alpn_select_cb(sctx
, alpn_select_cb
, NULL
);
4240 /* Set inconsistent ALPN (late client detection) */
4241 SSL_SESSION_free(serverpsk
);
4242 serverpsk
= SSL_SESSION_dup(clientpsk
);
4243 if (!TEST_ptr(serverpsk
)
4244 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk
,
4247 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk
,
4250 || !TEST_false(SSL_set_alpn_protos(clientssl
, alpnlist
,
4253 SSL_CTX_set_alpn_select_cb(sctx
, alpn_select_cb
, NULL
);
4254 edstatus
= SSL_EARLY_DATA_ACCEPTED
;
4255 readearlyres
= SSL_READ_EARLY_DATA_SUCCESS
;
4256 /* SSL_connect() call should fail */
4261 TEST_error("Bad test index");
4265 SSL_set_connect_state(clientssl
);
4267 if (!TEST_false(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4269 || !TEST_int_eq(SSL_get_error(clientssl
, 0), SSL_ERROR_SSL
)
4270 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err
))
4273 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4277 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4278 &readbytes
), readearlyres
)
4279 || (readearlyres
== SSL_READ_EARLY_DATA_SUCCESS
4280 && !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
)))
4281 || !TEST_int_eq(SSL_get_early_data_status(serverssl
), edstatus
)
4282 || !TEST_int_eq(SSL_connect(clientssl
), connectres
))
4289 SSL_SESSION_free(sess
);
4290 SSL_SESSION_free(clientpsk
);
4291 SSL_SESSION_free(serverpsk
);
4292 clientpsk
= serverpsk
= NULL
;
4293 SSL_free(serverssl
);
4294 SSL_free(clientssl
);
4301 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4302 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4303 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4304 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4305 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4306 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4308 static int test_early_data_psk_with_all_ciphers(int idx
)
4310 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4311 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4313 SSL_SESSION
*sess
= NULL
;
4314 unsigned char buf
[20];
4315 size_t readbytes
, written
;
4316 const SSL_CIPHER
*cipher
;
4317 const char *cipher_str
[] = {
4318 TLS1_3_RFC_AES_128_GCM_SHA256
,
4319 TLS1_3_RFC_AES_256_GCM_SHA384
,
4320 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4321 TLS1_3_RFC_CHACHA20_POLY1305_SHA256
,
4325 TLS1_3_RFC_AES_128_CCM_SHA256
,
4326 TLS1_3_RFC_AES_128_CCM_8_SHA256
4328 const unsigned char *cipher_bytes
[] = {
4329 TLS13_AES_128_GCM_SHA256_BYTES
,
4330 TLS13_AES_256_GCM_SHA384_BYTES
,
4331 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4332 TLS13_CHACHA20_POLY1305_SHA256_BYTES
,
4336 TLS13_AES_128_CCM_SHA256_BYTES
,
4337 TLS13_AES_128_CCM_8_SHA256_BYTES
4340 if (cipher_str
[idx
] == NULL
)
4342 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4343 if (idx
== 2 && is_fips
== 1)
4346 /* We always set this up with a final parameter of "2" for PSK */
4347 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4348 &serverssl
, &sess
, 2)))
4352 /* CCM8 ciphers are considered low security due to their short tag */
4353 SSL_set_security_level(clientssl
, 0);
4354 SSL_set_security_level(serverssl
, 0);
4357 if (!TEST_true(SSL_set_ciphersuites(clientssl
, cipher_str
[idx
]))
4358 || !TEST_true(SSL_set_ciphersuites(serverssl
, cipher_str
[idx
])))
4362 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4363 * and assigns to both client and server with incremented reference
4364 * and the same instance is updated in 'sess'.
4365 * So updating ciphersuite in 'sess' which will get reflected in
4366 * PSK handshake using psk use sess and find sess cb.
4368 cipher
= SSL_CIPHER_find(clientssl
, cipher_bytes
[idx
]);
4369 if (!TEST_ptr(cipher
) || !TEST_true(SSL_SESSION_set_cipher(sess
, cipher
)))
4372 SSL_set_connect_state(clientssl
);
4373 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4377 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4379 SSL_READ_EARLY_DATA_SUCCESS
)
4380 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
4381 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4382 SSL_EARLY_DATA_ACCEPTED
)
4383 || !TEST_int_eq(SSL_connect(clientssl
), 1)
4384 || !TEST_int_eq(SSL_accept(serverssl
), 1))
4387 /* Send some normal data from client to server */
4388 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
4389 || !TEST_size_t_eq(written
, strlen(MSG2
)))
4392 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4393 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4398 SSL_SESSION_free(sess
);
4399 SSL_SESSION_free(clientpsk
);
4400 SSL_SESSION_free(serverpsk
);
4401 clientpsk
= serverpsk
= NULL
;
4402 if (clientssl
!= NULL
)
4403 SSL_shutdown(clientssl
);
4404 if (serverssl
!= NULL
)
4405 SSL_shutdown(serverssl
);
4406 SSL_free(serverssl
);
4407 SSL_free(clientssl
);
4414 * Test that a server that doesn't try to read early data can handle a
4415 * client sending some.
4417 static int test_early_data_not_expected(int idx
)
4419 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4420 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4422 SSL_SESSION
*sess
= NULL
;
4423 unsigned char buf
[20];
4424 size_t readbytes
, written
;
4426 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4427 &serverssl
, &sess
, idx
)))
4430 /* Write some early data */
4431 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4436 * Server should skip over early data and then block waiting for client to
4437 * continue handshake
4439 if (!TEST_int_le(SSL_accept(serverssl
), 0)
4440 || !TEST_int_gt(SSL_connect(clientssl
), 0)
4441 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4442 SSL_EARLY_DATA_REJECTED
)
4443 || !TEST_int_gt(SSL_accept(serverssl
), 0)
4444 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
4445 SSL_EARLY_DATA_REJECTED
))
4448 /* Send some normal data from client to server */
4449 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
4450 || !TEST_size_t_eq(written
, strlen(MSG2
)))
4453 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4454 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4460 SSL_SESSION_free(sess
);
4461 SSL_SESSION_free(clientpsk
);
4462 SSL_SESSION_free(serverpsk
);
4463 clientpsk
= serverpsk
= NULL
;
4464 SSL_free(serverssl
);
4465 SSL_free(clientssl
);
4472 # ifndef OPENSSL_NO_TLS1_2
4474 * Test that a server attempting to read early data can handle a connection
4475 * from a TLSv1.2 client.
4477 static int test_early_data_tls1_2(int idx
)
4479 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4480 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4482 unsigned char buf
[20];
4483 size_t readbytes
, written
;
4485 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4486 &serverssl
, NULL
, idx
)))
4489 /* Write some data - should block due to handshake with server */
4490 SSL_set_max_proto_version(clientssl
, TLS1_2_VERSION
);
4491 SSL_set_connect_state(clientssl
);
4492 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
)))
4496 * Server should do TLSv1.2 handshake. First it will block waiting for more
4497 * messages from client after ServerDone. Then SSL_read_early_data should
4498 * finish and detect that early data has not been sent
4500 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4502 SSL_READ_EARLY_DATA_ERROR
))
4506 * Continue writing the message we started earlier. Will still block waiting
4507 * for the CCS/Finished from server
4509 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
4510 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4512 SSL_READ_EARLY_DATA_FINISH
)
4513 || !TEST_size_t_eq(readbytes
, 0)
4514 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4515 SSL_EARLY_DATA_NOT_SENT
))
4518 /* Continue writing the message we started earlier */
4519 if (!TEST_true(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
4520 || !TEST_size_t_eq(written
, strlen(MSG1
))
4521 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
4522 SSL_EARLY_DATA_NOT_SENT
)
4523 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4524 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
4525 || !TEST_true(SSL_write_ex(serverssl
, MSG2
, strlen(MSG2
), &written
))
4526 || !TEST_size_t_eq(written
, strlen(MSG2
))
4527 || !SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
)
4528 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4534 SSL_SESSION_free(clientpsk
);
4535 SSL_SESSION_free(serverpsk
);
4536 clientpsk
= serverpsk
= NULL
;
4537 SSL_free(serverssl
);
4538 SSL_free(clientssl
);
4544 # endif /* OPENSSL_NO_TLS1_2 */
4547 * Test configuring the TLSv1.3 ciphersuites
4549 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4550 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4551 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4552 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4553 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4554 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4555 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4556 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4557 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4558 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4560 static int test_set_ciphersuite(int idx
)
4562 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4563 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4566 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4567 TLS_client_method(), TLS1_VERSION
, 0,
4568 &sctx
, &cctx
, cert
, privkey
))
4569 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4570 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4573 if (idx
>=4 && idx
<= 7) {
4574 /* SSL_CTX explicit cipher list */
4575 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "AES256-GCM-SHA384")))
4579 if (idx
== 0 || idx
== 4) {
4580 /* Default ciphersuite */
4581 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4582 "TLS_AES_128_GCM_SHA256")))
4584 } else if (idx
== 1 || idx
== 5) {
4585 /* Non default ciphersuite */
4586 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4587 "TLS_AES_128_CCM_SHA256")))
4591 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4592 &clientssl
, NULL
, NULL
)))
4595 if (idx
== 8 || idx
== 9) {
4596 /* SSL explicit cipher list */
4597 if (!TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384")))
4601 if (idx
== 2 || idx
== 6 || idx
== 8) {
4602 /* Default ciphersuite */
4603 if (!TEST_true(SSL_set_ciphersuites(clientssl
,
4604 "TLS_AES_128_GCM_SHA256")))
4606 } else if (idx
== 3 || idx
== 7 || idx
== 9) {
4607 /* Non default ciphersuite */
4608 if (!TEST_true(SSL_set_ciphersuites(clientssl
,
4609 "TLS_AES_128_CCM_SHA256")))
4613 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4619 SSL_free(serverssl
);
4620 SSL_free(clientssl
);
4627 static int test_ciphersuite_change(void)
4629 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4630 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4631 SSL_SESSION
*clntsess
= NULL
;
4633 const SSL_CIPHER
*aes_128_gcm_sha256
= NULL
;
4635 /* Create a session based on SHA-256 */
4636 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4637 TLS_client_method(), TLS1_VERSION
, 0,
4638 &sctx
, &cctx
, cert
, privkey
))
4639 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4640 "TLS_AES_128_GCM_SHA256:"
4641 "TLS_AES_256_GCM_SHA384:"
4642 "TLS_AES_128_CCM_SHA256"))
4643 || !TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4644 "TLS_AES_128_GCM_SHA256")))
4647 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4649 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4653 clntsess
= SSL_get1_session(clientssl
);
4654 /* Save for later */
4655 aes_128_gcm_sha256
= SSL_SESSION_get0_cipher(clntsess
);
4656 SSL_shutdown(clientssl
);
4657 SSL_shutdown(serverssl
);
4658 SSL_free(serverssl
);
4659 SSL_free(clientssl
);
4660 serverssl
= clientssl
= NULL
;
4662 /* Check we can resume a session with a different SHA-256 ciphersuite */
4663 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4664 "TLS_AES_128_CCM_SHA256"))
4665 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4666 &clientssl
, NULL
, NULL
))
4667 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4668 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4670 || !TEST_true(SSL_session_reused(clientssl
)))
4673 SSL_SESSION_free(clntsess
);
4674 clntsess
= SSL_get1_session(clientssl
);
4675 SSL_shutdown(clientssl
);
4676 SSL_shutdown(serverssl
);
4677 SSL_free(serverssl
);
4678 SSL_free(clientssl
);
4679 serverssl
= clientssl
= NULL
;
4682 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4683 * succeeds but does not resume.
4685 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, "TLS_AES_256_GCM_SHA384"))
4686 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4688 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4689 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4691 || !TEST_false(SSL_session_reused(clientssl
)))
4694 SSL_SESSION_free(clntsess
);
4696 SSL_shutdown(clientssl
);
4697 SSL_shutdown(serverssl
);
4698 SSL_free(serverssl
);
4699 SSL_free(clientssl
);
4700 serverssl
= clientssl
= NULL
;
4702 /* Create a session based on SHA384 */
4703 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, "TLS_AES_256_GCM_SHA384"))
4704 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4705 &clientssl
, NULL
, NULL
))
4706 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4710 clntsess
= SSL_get1_session(clientssl
);
4711 SSL_shutdown(clientssl
);
4712 SSL_shutdown(serverssl
);
4713 SSL_free(serverssl
);
4714 SSL_free(clientssl
);
4715 serverssl
= clientssl
= NULL
;
4717 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4718 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4719 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4720 "TLS_AES_256_GCM_SHA384"))
4721 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4723 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4725 * We use SSL_ERROR_WANT_READ below so that we can pause the
4726 * connection after the initial ClientHello has been sent to
4727 * enable us to make some session changes.
4729 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
4730 SSL_ERROR_WANT_READ
)))
4733 /* Trick the client into thinking this session is for a different digest */
4734 clntsess
->cipher
= aes_128_gcm_sha256
;
4735 clntsess
->cipher_id
= clntsess
->cipher
->id
;
4738 * Continue the previously started connection. Server has selected a SHA-384
4739 * ciphersuite, but client thinks the session is for SHA-256, so it should
4742 if (!TEST_false(create_ssl_connection(serverssl
, clientssl
,
4744 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4745 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED
))
4751 SSL_SESSION_free(clntsess
);
4752 SSL_free(serverssl
);
4753 SSL_free(clientssl
);
4761 * Test TLSv1.3 Key exchange
4762 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4763 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4764 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4765 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4766 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4767 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4768 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4769 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4770 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4771 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4772 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4773 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4774 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4775 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4777 # ifndef OPENSSL_NO_EC
4778 static int ecdhe_kexch_groups
[] = {NID_X9_62_prime256v1
, NID_secp384r1
,
4779 NID_secp521r1
, NID_X25519
, NID_X448
};
4781 # ifndef OPENSSL_NO_DH
4782 static int ffdhe_kexch_groups
[] = {NID_ffdhe2048
, NID_ffdhe3072
, NID_ffdhe4096
,
4783 NID_ffdhe6144
, NID_ffdhe8192
};
4785 static int test_key_exchange(int idx
)
4787 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4788 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4791 int *kexch_groups
= &kexch_alg
;
4792 int kexch_groups_size
= 1;
4793 int max_version
= TLS1_3_VERSION
;
4794 char *kexch_name0
= NULL
;
4797 # ifndef OPENSSL_NO_EC
4798 # ifndef OPENSSL_NO_TLS1_2
4800 max_version
= TLS1_2_VERSION
;
4804 kexch_groups
= ecdhe_kexch_groups
;
4805 kexch_groups_size
= OSSL_NELEM(ecdhe_kexch_groups
);
4806 kexch_name0
= "secp256r1";
4809 kexch_alg
= NID_X9_62_prime256v1
;
4810 kexch_name0
= "secp256r1";
4813 kexch_alg
= NID_secp384r1
;
4814 kexch_name0
= "secp384r1";
4817 kexch_alg
= NID_secp521r1
;
4818 kexch_name0
= "secp521r1";
4821 kexch_alg
= NID_X25519
;
4822 kexch_name0
= "x25519";
4825 kexch_alg
= NID_X448
;
4826 kexch_name0
= "x448";
4829 # ifndef OPENSSL_NO_DH
4830 # ifndef OPENSSL_NO_TLS1_2
4832 max_version
= TLS1_2_VERSION
;
4833 kexch_name0
= "ffdhe2048";
4837 kexch_groups
= ffdhe_kexch_groups
;
4838 kexch_groups_size
= OSSL_NELEM(ffdhe_kexch_groups
);
4839 kexch_name0
= "ffdhe2048";
4842 kexch_alg
= NID_ffdhe2048
;
4843 kexch_name0
= "ffdhe2048";
4846 kexch_alg
= NID_ffdhe3072
;
4847 kexch_name0
= "ffdhe3072";
4850 kexch_alg
= NID_ffdhe4096
;
4851 kexch_name0
= "ffdhe4096";
4854 kexch_alg
= NID_ffdhe6144
;
4855 kexch_name0
= "ffdhe6144";
4858 kexch_alg
= NID_ffdhe8192
;
4859 kexch_name0
= "ffdhe8192";
4863 /* We're skipping this test */
4867 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4868 TLS_client_method(), TLS1_VERSION
,
4869 max_version
, &sctx
, &cctx
, cert
,
4873 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4874 TLS1_3_RFC_AES_128_GCM_SHA256
)))
4877 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4878 TLS1_3_RFC_AES_128_GCM_SHA256
)))
4881 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
,
4882 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4883 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
))
4884 || !TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
4888 * Must include an EC ciphersuite so that we send supported groups in
4891 # ifndef OPENSSL_NO_TLS1_2
4892 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
4893 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4894 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
)))
4898 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4902 if (!TEST_true(SSL_set1_groups(serverssl
, kexch_groups
, kexch_groups_size
))
4903 || !TEST_true(SSL_set1_groups(clientssl
, kexch_groups
, kexch_groups_size
)))
4906 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4910 * If Handshake succeeds the negotiated kexch alg should be the first one in
4911 * configured, except in the case of FFDHE groups (idx 13), which are
4912 * TLSv1.3 only so we expect no shared group to exist.
4914 if (!TEST_int_eq(SSL_get_shared_group(serverssl
, 0),
4915 idx
== 13 ? 0 : kexch_groups
[0]))
4918 if (!TEST_str_eq(SSL_group_to_name(serverssl
, kexch_groups
[0]),
4922 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4924 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl
), kexch_groups
[0]))
4926 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl
), kexch_groups
[0]))
4932 SSL_free(serverssl
);
4933 SSL_free(clientssl
);
4939 # if !defined(OPENSSL_NO_TLS1_2) \
4940 && !defined(OPENSSL_NO_EC) \
4941 && !defined(OPENSSL_NO_DH)
4942 static int set_ssl_groups(SSL
*serverssl
, SSL
*clientssl
, int clientmulti
,
4943 int isecdhe
, int idx
)
4946 int *kexch_groups
= &kexch_alg
;
4949 numec
= OSSL_NELEM(ecdhe_kexch_groups
);
4950 numff
= OSSL_NELEM(ffdhe_kexch_groups
);
4952 kexch_alg
= ecdhe_kexch_groups
[idx
];
4954 kexch_alg
= ffdhe_kexch_groups
[idx
];
4957 if (!TEST_true(SSL_set1_groups(serverssl
, kexch_groups
, 1)))
4960 if (!TEST_true(SSL_set1_groups(clientssl
, ecdhe_kexch_groups
,
4964 if (!TEST_true(SSL_set1_groups(clientssl
, ffdhe_kexch_groups
,
4969 if (!TEST_true(SSL_set1_groups(clientssl
, kexch_groups
, 1)))
4972 if (!TEST_true(SSL_set1_groups(serverssl
, ecdhe_kexch_groups
,
4976 if (!TEST_true(SSL_set1_groups(serverssl
, ffdhe_kexch_groups
,
4985 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4986 * Run through both the ECDHE and FFDHE group lists used in the previous
4987 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4988 * confirming the expected result; then perform a resumption handshake
4989 * while offering the same group list, and another resumption handshake
4990 * offering a different group list. The returned value should be the
4991 * negotiated group for the initial handshake; for TLS 1.3 resumption
4992 * handshakes the returned value will be negotiated on the resumption
4993 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4994 * be cached in the session from the original handshake, regardless of what
4995 * was offered in the resumption ClientHello.
4997 * Using E for the number of EC groups and F for the number of FF groups:
4998 * E tests of ECDHE with TLS 1.3, server only has one group
4999 * F tests of FFDHE with TLS 1.3, server only has one group
5000 * E tests of ECDHE with TLS 1.2, server only has one group
5001 * F tests of FFDHE with TLS 1.2, server only has one group
5002 * E tests of ECDHE with TLS 1.3, client sends only one group
5003 * F tests of FFDHE with TLS 1.3, client sends only one group
5004 * E tests of ECDHE with TLS 1.2, client sends only one group
5005 * F tests of FFDHE with TLS 1.2, client sends only one group
5007 static int test_negotiated_group(int idx
)
5009 int clientmulti
, istls13
, isecdhe
, numec
, numff
, numgroups
;
5011 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
5012 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
5013 SSL_SESSION
*origsess
= NULL
;
5016 int max_version
= TLS1_3_VERSION
;
5018 numec
= OSSL_NELEM(ecdhe_kexch_groups
);
5019 numff
= OSSL_NELEM(ffdhe_kexch_groups
);
5020 numgroups
= numec
+ numff
;
5021 clientmulti
= (idx
< 2 * numgroups
);
5022 idx
= idx
% (2 * numgroups
);
5023 istls13
= (idx
< numgroups
);
5024 idx
= idx
% numgroups
;
5025 isecdhe
= (idx
< numec
);
5028 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5030 kexch_alg
= ecdhe_kexch_groups
[idx
];
5032 kexch_alg
= ffdhe_kexch_groups
[idx
];
5033 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5034 if (!istls13
&& !isecdhe
)
5035 expectednid
= NID_undef
;
5037 expectednid
= kexch_alg
;
5040 max_version
= TLS1_2_VERSION
;
5042 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5043 TLS_client_method(), TLS1_VERSION
,
5044 max_version
, &sctx
, &cctx
, cert
,
5049 * Force (EC)DHE ciphers for TLS 1.2.
5050 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5052 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
,
5053 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
5054 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
))
5055 || !TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
5057 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
5058 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
5059 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
)))
5062 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5066 if (!TEST_true(set_ssl_groups(serverssl
, clientssl
, clientmulti
, isecdhe
,
5070 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
5073 /* Initial handshake; always the configured one */
5074 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl
), expectednid
)
5075 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl
), expectednid
))
5078 if (!TEST_ptr((origsess
= SSL_get1_session(clientssl
))))
5081 SSL_shutdown(clientssl
);
5082 SSL_shutdown(serverssl
);
5083 SSL_free(serverssl
);
5084 SSL_free(clientssl
);
5085 serverssl
= clientssl
= NULL
;
5087 /* First resumption attempt; use the same config as initial handshake */
5088 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5090 || !TEST_true(SSL_set_session(clientssl
, origsess
))
5091 || !TEST_true(set_ssl_groups(serverssl
, clientssl
, clientmulti
,
5095 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
5096 || !TEST_true(SSL_session_reused(clientssl
)))
5099 /* Still had better agree, since nothing changed... */
5100 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl
), expectednid
)
5101 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl
), expectednid
))
5104 SSL_shutdown(clientssl
);
5105 SSL_shutdown(serverssl
);
5106 SSL_free(serverssl
);
5107 SSL_free(clientssl
);
5108 serverssl
= clientssl
= NULL
;
5111 * Second resumption attempt
5112 * The party that picks one group changes it, which we effectuate by
5113 * changing 'idx' and updating what we expect.
5121 expectednid
= ecdhe_kexch_groups
[idx
];
5123 expectednid
= ffdhe_kexch_groups
[idx
];
5124 /* Verify that we are changing what we expect. */
5125 if (!TEST_int_ne(expectednid
, kexch_alg
))
5128 /* TLS 1.2 only supports named groups for ECDHE. */
5130 expectednid
= kexch_alg
;
5134 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5136 || !TEST_true(SSL_set_session(clientssl
, origsess
))
5137 || !TEST_true(set_ssl_groups(serverssl
, clientssl
, clientmulti
,
5141 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
5142 || !TEST_true(SSL_session_reused(clientssl
)))
5145 /* Check that we get what we expected */
5146 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl
), expectednid
)
5147 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl
), expectednid
))
5152 SSL_free(serverssl
);
5153 SSL_free(clientssl
);
5156 SSL_SESSION_free(origsess
);
5159 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5162 * Test TLSv1.3 Cipher Suite
5163 * Test 0 = Set TLS1.3 cipher on context
5164 * Test 1 = Set TLS1.3 cipher on SSL
5165 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5166 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5168 static int test_tls13_ciphersuite(int idx
)
5170 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
5171 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
5172 static const struct {
5173 const char *ciphername
;
5177 { TLS1_3_RFC_AES_128_GCM_SHA256
, 1, 0 },
5178 { TLS1_3_RFC_AES_256_GCM_SHA384
, 1, 0 },
5179 { TLS1_3_RFC_AES_128_CCM_SHA256
, 1, 0 },
5180 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5181 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256
, 0, 0 },
5182 { TLS1_3_RFC_AES_256_GCM_SHA384
5183 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256
, 0, 0 },
5185 /* CCM8 ciphers are considered low security due to their short tag */
5186 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5187 ":" TLS1_3_RFC_AES_128_CCM_SHA256
, 1, 1 }
5189 const char *t13_cipher
= NULL
;
5190 const char *t12_cipher
= NULL
;
5191 const char *negotiated_scipher
;
5192 const char *negotiated_ccipher
;
5208 t12_cipher
= TLS1_TXT_RSA_WITH_AES_128_SHA256
;
5212 t12_cipher
= TLS1_TXT_RSA_WITH_AES_128_SHA256
;
5216 for (max_ver
= TLS1_2_VERSION
; max_ver
<= TLS1_3_VERSION
; max_ver
++) {
5217 # ifdef OPENSSL_NO_TLS1_2
5218 if (max_ver
== TLS1_2_VERSION
)
5221 for (i
= 0; i
< OSSL_NELEM(t13_ciphers
); i
++) {
5222 if (is_fips
&& !t13_ciphers
[i
].fipscapable
)
5224 t13_cipher
= t13_ciphers
[i
].ciphername
;
5225 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5226 TLS_client_method(),
5227 TLS1_VERSION
, max_ver
,
5228 &sctx
, &cctx
, cert
, privkey
)))
5231 if (t13_ciphers
[i
].low_security
) {
5232 SSL_CTX_set_security_level(sctx
, 0);
5233 SSL_CTX_set_security_level(cctx
, 0);
5237 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx
, t13_cipher
))
5238 || !TEST_true(SSL_CTX_set_ciphersuites(cctx
, t13_cipher
)))
5240 if (t12_cipher
!= NULL
) {
5241 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, t12_cipher
))
5242 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
5248 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
5249 &clientssl
, NULL
, NULL
)))
5253 if (!TEST_true(SSL_set_ciphersuites(serverssl
, t13_cipher
))
5254 || !TEST_true(SSL_set_ciphersuites(clientssl
, t13_cipher
)))
5256 if (t12_cipher
!= NULL
) {
5257 if (!TEST_true(SSL_set_cipher_list(serverssl
, t12_cipher
))
5258 || !TEST_true(SSL_set_cipher_list(clientssl
,
5264 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
5268 negotiated_scipher
= SSL_CIPHER_get_name(SSL_get_current_cipher(
5270 negotiated_ccipher
= SSL_CIPHER_get_name(SSL_get_current_cipher(
5272 if (!TEST_str_eq(negotiated_scipher
, negotiated_ccipher
))
5276 * TEST_strn_eq is used below because t13_cipher can contain
5277 * multiple ciphersuites
5279 if (max_ver
== TLS1_3_VERSION
5280 && !TEST_strn_eq(t13_cipher
, negotiated_scipher
,
5281 strlen(negotiated_scipher
)))
5284 # ifndef OPENSSL_NO_TLS1_2
5285 /* Below validation is not done when t12_cipher is NULL */
5286 if (max_ver
== TLS1_2_VERSION
&& t12_cipher
!= NULL
5287 && !TEST_str_eq(t12_cipher
, negotiated_scipher
))
5291 SSL_free(serverssl
);
5293 SSL_free(clientssl
);
5304 SSL_free(serverssl
);
5305 SSL_free(clientssl
);
5313 * Test 0 = Test new style callbacks
5314 * Test 1 = Test both new and old style callbacks
5315 * Test 2 = Test old style callbacks
5316 * Test 3 = Test old style callbacks with no certificate
5318 static int test_tls13_psk(int idx
)
5320 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
5321 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
5322 const SSL_CIPHER
*cipher
= NULL
;
5323 const unsigned char key
[] = {
5324 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5325 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5326 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5327 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5331 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5332 TLS_client_method(), TLS1_VERSION
, 0,
5333 &sctx
, &cctx
, idx
== 3 ? NULL
: cert
,
5334 idx
== 3 ? NULL
: privkey
)))
5339 * We use a ciphersuite with SHA256 to ease testing old style PSK
5340 * callbacks which will always default to SHA256. This should not be
5341 * necessary if we have no cert/priv key. In that case the server should
5342 * prefer SHA256 automatically.
5344 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
5345 "TLS_AES_128_GCM_SHA256")))
5349 * As noted above the server should prefer SHA256 automatically. However
5350 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5351 * code works even if we are testing with only the FIPS provider loaded.
5353 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
5354 "TLS_AES_256_GCM_SHA384:"
5355 "TLS_AES_128_GCM_SHA256")))
5360 * Test 0: New style callbacks only
5361 * Test 1: New and old style callbacks (only the new ones should be used)
5362 * Test 2: Old style callbacks only
5364 if (idx
== 0 || idx
== 1) {
5365 SSL_CTX_set_psk_use_session_callback(cctx
, use_session_cb
);
5366 SSL_CTX_set_psk_find_session_callback(sctx
, find_session_cb
);
5368 #ifndef OPENSSL_NO_PSK
5370 SSL_CTX_set_psk_client_callback(cctx
, psk_client_cb
);
5371 SSL_CTX_set_psk_server_callback(sctx
, psk_server_cb
);
5375 use_session_cb_cnt
= 0;
5376 find_session_cb_cnt
= 0;
5377 psk_client_cb_cnt
= 0;
5378 psk_server_cb_cnt
= 0;
5382 * Check we can create a connection if callback decides not to send a
5385 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5387 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5389 || !TEST_false(SSL_session_reused(clientssl
))
5390 || !TEST_false(SSL_session_reused(serverssl
)))
5393 if (idx
== 0 || idx
== 1) {
5394 if (!TEST_true(use_session_cb_cnt
== 1)
5395 || !TEST_true(find_session_cb_cnt
== 0)
5397 * If no old style callback then below should be 0
5400 || !TEST_true(psk_client_cb_cnt
== idx
)
5401 || !TEST_true(psk_server_cb_cnt
== 0))
5404 if (!TEST_true(use_session_cb_cnt
== 0)
5405 || !TEST_true(find_session_cb_cnt
== 0)
5406 || !TEST_true(psk_client_cb_cnt
== 1)
5407 || !TEST_true(psk_server_cb_cnt
== 0))
5411 shutdown_ssl_connection(serverssl
, clientssl
);
5412 serverssl
= clientssl
= NULL
;
5413 use_session_cb_cnt
= psk_client_cb_cnt
= 0;
5416 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5420 /* Create the PSK */
5421 cipher
= SSL_CIPHER_find(clientssl
, TLS13_AES_128_GCM_SHA256_BYTES
);
5422 clientpsk
= SSL_SESSION_new();
5423 if (!TEST_ptr(clientpsk
)
5424 || !TEST_ptr(cipher
)
5425 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk
, key
,
5427 || !TEST_true(SSL_SESSION_set_cipher(clientpsk
, cipher
))
5428 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk
,
5430 || !TEST_true(SSL_SESSION_up_ref(clientpsk
)))
5432 serverpsk
= clientpsk
;
5434 /* Check we can create a connection and the PSK is used */
5435 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
5436 || !TEST_true(SSL_session_reused(clientssl
))
5437 || !TEST_true(SSL_session_reused(serverssl
)))
5440 if (idx
== 0 || idx
== 1) {
5441 if (!TEST_true(use_session_cb_cnt
== 1)
5442 || !TEST_true(find_session_cb_cnt
== 1)
5443 || !TEST_true(psk_client_cb_cnt
== 0)
5444 || !TEST_true(psk_server_cb_cnt
== 0))
5447 if (!TEST_true(use_session_cb_cnt
== 0)
5448 || !TEST_true(find_session_cb_cnt
== 0)
5449 || !TEST_true(psk_client_cb_cnt
== 1)
5450 || !TEST_true(psk_server_cb_cnt
== 1))
5454 shutdown_ssl_connection(serverssl
, clientssl
);
5455 serverssl
= clientssl
= NULL
;
5456 use_session_cb_cnt
= find_session_cb_cnt
= 0;
5457 psk_client_cb_cnt
= psk_server_cb_cnt
= 0;
5459 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5464 #if defined(OPENSSL_NO_EC)
5465 if (!TEST_true(SSL_set1_groups_list(serverssl
, "ffdhe3072")))
5468 if (!TEST_true(SSL_set1_groups_list(serverssl
, "P-256")))
5473 * Check we can create a connection, the PSK is used and the callbacks are
5476 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
5477 || !TEST_true(SSL_session_reused(clientssl
))
5478 || !TEST_true(SSL_session_reused(serverssl
)))
5481 if (idx
== 0 || idx
== 1) {
5482 if (!TEST_true(use_session_cb_cnt
== 2)
5483 || !TEST_true(find_session_cb_cnt
== 2)
5484 || !TEST_true(psk_client_cb_cnt
== 0)
5485 || !TEST_true(psk_server_cb_cnt
== 0))
5488 if (!TEST_true(use_session_cb_cnt
== 0)
5489 || !TEST_true(find_session_cb_cnt
== 0)
5490 || !TEST_true(psk_client_cb_cnt
== 2)
5491 || !TEST_true(psk_server_cb_cnt
== 2))
5495 shutdown_ssl_connection(serverssl
, clientssl
);
5496 serverssl
= clientssl
= NULL
;
5497 use_session_cb_cnt
= find_session_cb_cnt
= 0;
5498 psk_client_cb_cnt
= psk_server_cb_cnt
= 0;
5502 * Check that if the server rejects the PSK we can still connect, but with
5505 srvid
= "Dummy Identity";
5506 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5508 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5510 || !TEST_false(SSL_session_reused(clientssl
))
5511 || !TEST_false(SSL_session_reused(serverssl
)))
5514 if (idx
== 0 || idx
== 1) {
5515 if (!TEST_true(use_session_cb_cnt
== 1)
5516 || !TEST_true(find_session_cb_cnt
== 1)
5517 || !TEST_true(psk_client_cb_cnt
== 0)
5519 * If no old style callback then below should be 0
5522 || !TEST_true(psk_server_cb_cnt
== idx
))
5525 if (!TEST_true(use_session_cb_cnt
== 0)
5526 || !TEST_true(find_session_cb_cnt
== 0)
5527 || !TEST_true(psk_client_cb_cnt
== 1)
5528 || !TEST_true(psk_server_cb_cnt
== 1))
5532 shutdown_ssl_connection(serverssl
, clientssl
);
5533 serverssl
= clientssl
= NULL
;
5538 SSL_SESSION_free(clientpsk
);
5539 SSL_SESSION_free(serverpsk
);
5540 clientpsk
= serverpsk
= NULL
;
5541 SSL_free(serverssl
);
5542 SSL_free(clientssl
);
5548 static unsigned char cookie_magic_value
[] = "cookie magic";
5550 static int generate_cookie_callback(SSL
*ssl
, unsigned char *cookie
,
5551 unsigned int *cookie_len
)
5554 * Not suitable as a real cookie generation function but good enough for
5557 memcpy(cookie
, cookie_magic_value
, sizeof(cookie_magic_value
) - 1);
5558 *cookie_len
= sizeof(cookie_magic_value
) - 1;
5563 static int verify_cookie_callback(SSL
*ssl
, const unsigned char *cookie
,
5564 unsigned int cookie_len
)
5566 if (cookie_len
== sizeof(cookie_magic_value
) - 1
5567 && memcmp(cookie
, cookie_magic_value
, cookie_len
) == 0)
5573 static int generate_stateless_cookie_callback(SSL
*ssl
, unsigned char *cookie
,
5577 int res
= generate_cookie_callback(ssl
, cookie
, &temp
);
5582 static int verify_stateless_cookie_callback(SSL
*ssl
, const unsigned char *cookie
,
5585 return verify_cookie_callback(ssl
, cookie
, cookie_len
);
5588 static int test_stateless(void)
5590 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
5591 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
5594 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5595 TLS_client_method(), TLS1_VERSION
, 0,
5596 &sctx
, &cctx
, cert
, privkey
)))
5599 /* The arrival of CCS messages can confuse the test */
5600 SSL_CTX_clear_options(cctx
, SSL_OP_ENABLE_MIDDLEBOX_COMPAT
);
5602 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5604 /* Send the first ClientHello */
5605 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5606 SSL_ERROR_WANT_READ
))
5608 * This should fail with a -1 return because we have no callbacks
5611 || !TEST_int_eq(SSL_stateless(serverssl
), -1))
5614 /* Fatal error so abandon the connection from this client */
5615 SSL_free(clientssl
);
5618 /* Set up the cookie generation and verification callbacks */
5619 SSL_CTX_set_stateless_cookie_generate_cb(sctx
, generate_stateless_cookie_callback
);
5620 SSL_CTX_set_stateless_cookie_verify_cb(sctx
, verify_stateless_cookie_callback
);
5623 * Create a new connection from the client (we can reuse the server SSL
5626 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5628 /* Send the first ClientHello */
5629 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5630 SSL_ERROR_WANT_READ
))
5631 /* This should fail because there is no cookie */
5632 || !TEST_int_eq(SSL_stateless(serverssl
), 0))
5635 /* Abandon the connection from this client */
5636 SSL_free(clientssl
);
5640 * Now create a connection from a new client but with the same server SSL
5643 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5645 /* Send the first ClientHello */
5646 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5647 SSL_ERROR_WANT_READ
))
5648 /* This should fail because there is no cookie */
5649 || !TEST_int_eq(SSL_stateless(serverssl
), 0)
5650 /* Send the second ClientHello */
5651 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5652 SSL_ERROR_WANT_READ
))
5653 /* This should succeed because a cookie is now present */
5654 || !TEST_int_eq(SSL_stateless(serverssl
), 1)
5655 /* Complete the connection */
5656 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5660 shutdown_ssl_connection(serverssl
, clientssl
);
5661 serverssl
= clientssl
= NULL
;
5665 SSL_free(serverssl
);
5666 SSL_free(clientssl
);
5672 #endif /* OSSL_NO_USABLE_TLS1_3 */
5674 static int clntaddoldcb
= 0;
5675 static int clntparseoldcb
= 0;
5676 static int srvaddoldcb
= 0;
5677 static int srvparseoldcb
= 0;
5678 static int clntaddnewcb
= 0;
5679 static int clntparsenewcb
= 0;
5680 static int srvaddnewcb
= 0;
5681 static int srvparsenewcb
= 0;
5682 static int snicb
= 0;
5684 #define TEST_EXT_TYPE1 0xff00
5686 static int old_add_cb(SSL
*s
, unsigned int ext_type
, const unsigned char **out
,
5687 size_t *outlen
, int *al
, void *add_arg
)
5689 int *server
= (int *)add_arg
;
5690 unsigned char *data
;
5692 if (SSL_is_server(s
))
5697 if (*server
!= SSL_is_server(s
)
5698 || (data
= OPENSSL_malloc(sizeof(*data
))) == NULL
)
5703 *outlen
= sizeof(char);
5707 static void old_free_cb(SSL
*s
, unsigned int ext_type
, const unsigned char *out
,
5710 OPENSSL_free((unsigned char *)out
);
5713 static int old_parse_cb(SSL
*s
, unsigned int ext_type
, const unsigned char *in
,
5714 size_t inlen
, int *al
, void *parse_arg
)
5716 int *server
= (int *)parse_arg
;
5718 if (SSL_is_server(s
))
5723 if (*server
!= SSL_is_server(s
)
5724 || inlen
!= sizeof(char)
5731 static int new_add_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5732 const unsigned char **out
, size_t *outlen
, X509
*x
,
5733 size_t chainidx
, int *al
, void *add_arg
)
5735 int *server
= (int *)add_arg
;
5736 unsigned char *data
;
5738 if (SSL_is_server(s
))
5743 if (*server
!= SSL_is_server(s
)
5744 || (data
= OPENSSL_malloc(sizeof(*data
))) == NULL
)
5749 *outlen
= sizeof(*data
);
5753 static void new_free_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5754 const unsigned char *out
, void *add_arg
)
5756 OPENSSL_free((unsigned char *)out
);
5759 static int new_parse_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5760 const unsigned char *in
, size_t inlen
, X509
*x
,
5761 size_t chainidx
, int *al
, void *parse_arg
)
5763 int *server
= (int *)parse_arg
;
5765 if (SSL_is_server(s
))
5770 if (*server
!= SSL_is_server(s
)
5771 || inlen
!= sizeof(char) || *in
!= 1)
5777 static int sni_cb(SSL
*s
, int *al
, void *arg
)
5779 SSL_CTX
*ctx
= (SSL_CTX
*)arg
;
5781 if (SSL_set_SSL_CTX(s
, ctx
) == NULL
) {
5782 *al
= SSL_AD_INTERNAL_ERROR
;
5783 return SSL_TLSEXT_ERR_ALERT_FATAL
;
5786 return SSL_TLSEXT_ERR_OK
;
5789 static int verify_cb(int preverify_ok
, X509_STORE_CTX
*x509_ctx
)
5795 * Custom call back tests.
5796 * Test 0: Old style callbacks in TLSv1.2
5797 * Test 1: New style callbacks in TLSv1.2
5798 * Test 2: New style callbacks in TLSv1.2 with SNI
5799 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5800 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5801 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5803 static int test_custom_exts(int tst
)
5805 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
5806 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5808 static int server
= 1;
5809 static int client
= 0;
5810 SSL_SESSION
*sess
= NULL
;
5811 unsigned int context
;
5813 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5814 /* Skip tests for TLSv1.2 and below in this case */
5819 /* Reset callback counters */
5820 clntaddoldcb
= clntparseoldcb
= srvaddoldcb
= srvparseoldcb
= 0;
5821 clntaddnewcb
= clntparsenewcb
= srvaddnewcb
= srvparsenewcb
= 0;
5824 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5825 TLS_client_method(), TLS1_VERSION
, 0,
5826 &sctx
, &cctx
, cert
, privkey
)))
5830 && !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(), NULL
,
5832 &sctx2
, NULL
, cert
, privkey
)))
5837 SSL_CTX_set_options(cctx
, SSL_OP_NO_TLSv1_3
);
5838 SSL_CTX_set_options(sctx
, SSL_OP_NO_TLSv1_3
);
5840 SSL_CTX_set_options(sctx2
, SSL_OP_NO_TLSv1_3
);
5844 context
= SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5845 | SSL_EXT_TLS1_3_CERTIFICATE
;
5846 SSL_CTX_set_verify(sctx
,
5847 SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
,
5849 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx
, cert
,
5850 SSL_FILETYPE_PEM
), 1)
5851 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx
, privkey
,
5852 SSL_FILETYPE_PEM
), 1)
5853 || !TEST_int_eq(SSL_CTX_check_private_key(cctx
), 1))
5855 } else if (tst
== 4) {
5856 context
= SSL_EXT_CLIENT_HELLO
5857 | SSL_EXT_TLS1_2_SERVER_HELLO
5858 | SSL_EXT_TLS1_3_SERVER_HELLO
5859 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5860 | SSL_EXT_TLS1_3_CERTIFICATE
5861 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET
;
5863 context
= SSL_EXT_CLIENT_HELLO
5864 | SSL_EXT_TLS1_2_SERVER_HELLO
5865 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
;
5868 /* Create a client side custom extension */
5870 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx
, TEST_EXT_TYPE1
,
5871 old_add_cb
, old_free_cb
,
5872 &client
, old_parse_cb
,
5876 if (!TEST_true(SSL_CTX_add_custom_ext(cctx
, TEST_EXT_TYPE1
, context
,
5877 new_add_cb
, new_free_cb
,
5878 &client
, new_parse_cb
, &client
)))
5882 /* Should not be able to add duplicates */
5883 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx
, TEST_EXT_TYPE1
,
5884 old_add_cb
, old_free_cb
,
5885 &client
, old_parse_cb
,
5887 || !TEST_false(SSL_CTX_add_custom_ext(cctx
, TEST_EXT_TYPE1
,
5888 context
, new_add_cb
,
5889 new_free_cb
, &client
,
5890 new_parse_cb
, &client
)))
5893 /* Create a server side custom extension */
5895 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx
, TEST_EXT_TYPE1
,
5896 old_add_cb
, old_free_cb
,
5897 &server
, old_parse_cb
,
5901 if (!TEST_true(SSL_CTX_add_custom_ext(sctx
, TEST_EXT_TYPE1
, context
,
5902 new_add_cb
, new_free_cb
,
5903 &server
, new_parse_cb
, &server
)))
5906 && !TEST_true(SSL_CTX_add_custom_ext(sctx2
, TEST_EXT_TYPE1
,
5907 context
, new_add_cb
,
5908 new_free_cb
, &server
,
5909 new_parse_cb
, &server
)))
5913 /* Should not be able to add duplicates */
5914 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx
, TEST_EXT_TYPE1
,
5915 old_add_cb
, old_free_cb
,
5916 &server
, old_parse_cb
,
5918 || !TEST_false(SSL_CTX_add_custom_ext(sctx
, TEST_EXT_TYPE1
,
5919 context
, new_add_cb
,
5920 new_free_cb
, &server
,
5921 new_parse_cb
, &server
)))
5926 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
, sni_cb
))
5927 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx
, sctx2
)))
5931 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
5932 &clientssl
, NULL
, NULL
))
5933 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5938 if (clntaddoldcb
!= 1
5939 || clntparseoldcb
!= 1
5941 || srvparseoldcb
!= 1)
5943 } else if (tst
== 1 || tst
== 2 || tst
== 3) {
5944 if (clntaddnewcb
!= 1
5945 || clntparsenewcb
!= 1
5947 || srvparsenewcb
!= 1
5948 || (tst
!= 2 && snicb
!= 0)
5949 || (tst
== 2 && snicb
!= 1))
5951 } else if (tst
== 5) {
5952 if (clntaddnewcb
!= 1
5953 || clntparsenewcb
!= 1
5955 || srvparsenewcb
!= 1)
5958 /* In this case there 2 NewSessionTicket messages created */
5959 if (clntaddnewcb
!= 1
5960 || clntparsenewcb
!= 5
5962 || srvparsenewcb
!= 1)
5966 sess
= SSL_get1_session(clientssl
);
5967 SSL_shutdown(clientssl
);
5968 SSL_shutdown(serverssl
);
5969 SSL_free(serverssl
);
5970 SSL_free(clientssl
);
5971 serverssl
= clientssl
= NULL
;
5973 if (tst
== 3 || tst
== 5) {
5974 /* We don't bother with the resumption aspects for these tests */
5979 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5981 || !TEST_true(SSL_set_session(clientssl
, sess
))
5982 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5987 * For a resumed session we expect to add the ClientHello extension. For the
5988 * old style callbacks we ignore it on the server side because they set
5989 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5993 if (clntaddoldcb
!= 2
5994 || clntparseoldcb
!= 1
5996 || srvparseoldcb
!= 1)
5998 } else if (tst
== 1 || tst
== 2 || tst
== 3) {
5999 if (clntaddnewcb
!= 2
6000 || clntparsenewcb
!= 2
6002 || srvparsenewcb
!= 2)
6006 * No Certificate message extensions in the resumption handshake,
6007 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6009 if (clntaddnewcb
!= 2
6010 || clntparsenewcb
!= 8
6012 || srvparsenewcb
!= 2)
6019 SSL_SESSION_free(sess
);
6020 SSL_free(serverssl
);
6021 SSL_free(clientssl
);
6022 SSL_CTX_free(sctx2
);
6028 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6030 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6031 | SSL_EXT_CLIENT_HELLO \
6032 | SSL_EXT_TLS1_2_SERVER_HELLO \
6033 | SSL_EXT_IGNORE_ON_RESUMPTION)
6035 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6036 | SSL_EXT_TLS1_2_SERVER_HELLO \
6037 | SSL_EXT_CLIENT_HELLO)
6039 #define SERVERINFO_CUSTOM \
6040 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6044 static const unsigned char serverinfo_custom_tls13[] = {
6045 0x00, 0x00, (TLS13CONTEXT
>> 8) & 0xff, TLS13CONTEXT
& 0xff,
6048 static const unsigned char serverinfo_custom_v2
[] = {
6049 0x00, 0x00, (SYNTHV1CONTEXT
>> 8) & 0xff, SYNTHV1CONTEXT
& 0xff,
6052 static const unsigned char serverinfo_custom_v1
[] = {
6055 static const size_t serverinfo_custom_tls13_len
= sizeof(serverinfo_custom_tls13
);
6056 static const size_t serverinfo_custom_v2_len
= sizeof(serverinfo_custom_v2
);
6057 static const size_t serverinfo_custom_v1_len
= sizeof(serverinfo_custom_v1
);
6059 static int serverinfo_custom_parse_cb(SSL
*s
, unsigned int ext_type
,
6060 unsigned int context
,
6061 const unsigned char *in
,
6062 size_t inlen
, X509
*x
,
6063 size_t chainidx
, int *al
,
6066 const size_t len
= serverinfo_custom_v1_len
;
6067 const unsigned char *si
= &serverinfo_custom_v1
[len
- 3];
6068 int *p_cb_result
= (int*)parse_arg
;
6069 *p_cb_result
= TEST_mem_eq(in
, inlen
, si
, 3);
6073 static int test_serverinfo_custom(const int idx
)
6075 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
6076 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6081 * Following variables are set in the switch statement
6082 * according to the test iteration.
6083 * Default values do not make much sense: test would fail with them.
6085 int serverinfo_version
= 0;
6086 int protocol_version
= 0;
6087 unsigned int extension_context
= 0;
6088 const unsigned char *si
= NULL
;
6091 const int call_use_serverinfo_ex
= idx
> 0;
6093 case 0: /* FALLTHROUGH */
6095 serverinfo_version
= SSL_SERVERINFOV1
;
6096 protocol_version
= TLS1_2_VERSION
;
6097 extension_context
= SYNTHV1CONTEXT
;
6098 si
= serverinfo_custom_v1
;
6099 si_len
= serverinfo_custom_v1_len
;
6102 serverinfo_version
= SSL_SERVERINFOV2
;
6103 protocol_version
= TLS1_2_VERSION
;
6104 extension_context
= SYNTHV1CONTEXT
;
6105 si
= serverinfo_custom_v2
;
6106 si_len
= serverinfo_custom_v2_len
;
6109 serverinfo_version
= SSL_SERVERINFOV2
;
6110 protocol_version
= TLS1_3_VERSION
;
6111 extension_context
= TLS13CONTEXT
;
6112 si
= serverinfo_custom_tls13
;
6113 si_len
= serverinfo_custom_tls13_len
;
6117 if (!TEST_true(create_ssl_ctx_pair(libctx
,
6122 &sctx
, &cctx
, cert
, privkey
)))
6125 if (call_use_serverinfo_ex
) {
6126 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx
, serverinfo_version
,
6130 if (!TEST_true(SSL_CTX_use_serverinfo(sctx
, si
, si_len
)))
6134 if (!TEST_true(SSL_CTX_add_custom_ext(cctx
, TLSEXT_TYPE_signed_certificate_timestamp
,
6137 serverinfo_custom_parse_cb
,
6139 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6141 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6143 || !TEST_int_eq(SSL_do_handshake(clientssl
), 1))
6146 if (!TEST_true(cb_result
))
6152 SSL_free(serverssl
);
6153 SSL_free(clientssl
);
6162 * Test that SSL_export_keying_material() produces expected results. There are
6163 * no test vectors so all we do is test that both sides of the communication
6164 * produce the same results for different protocol versions.
6166 #define SMALL_LABEL_LEN 10
6167 #define LONG_LABEL_LEN 249
6168 static int test_export_key_mat(int tst
)
6171 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
6172 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6173 const char label
[LONG_LABEL_LEN
+ 1] = "test label";
6174 const unsigned char context
[] = "context";
6175 const unsigned char *emptycontext
= NULL
;
6176 unsigned char ckeymat1
[80], ckeymat2
[80], ckeymat3
[80];
6177 unsigned char skeymat1
[80], skeymat2
[80], skeymat3
[80];
6179 const int protocols
[] = {
6188 #ifdef OPENSSL_NO_TLS1
6192 #ifdef OPENSSL_NO_TLS1_1
6196 if (is_fips
&& (tst
== 0 || tst
== 1))
6198 #ifdef OPENSSL_NO_TLS1_2
6202 #ifdef OSSL_NO_USABLE_TLS1_3
6206 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6207 TLS_client_method(), TLS1_VERSION
, 0,
6208 &sctx
, &cctx
, cert
, privkey
)))
6211 OPENSSL_assert(tst
>= 0 && (size_t)tst
< OSSL_NELEM(protocols
));
6212 SSL_CTX_set_max_proto_version(cctx
, protocols
[tst
]);
6213 SSL_CTX_set_min_proto_version(cctx
, protocols
[tst
]);
6214 if ((protocols
[tst
] < TLS1_2_VERSION
) &&
6215 (!SSL_CTX_set_cipher_list(cctx
, "DEFAULT:@SECLEVEL=0")
6216 || !SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0")))
6219 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
6224 * Premature call of SSL_export_keying_material should just fail.
6226 if (!TEST_int_le(SSL_export_keying_material(clientssl
, ckeymat1
,
6227 sizeof(ckeymat1
), label
,
6228 SMALL_LABEL_LEN
+ 1, context
,
6229 sizeof(context
) - 1, 1), 0))
6232 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
6238 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6241 if (!TEST_int_le(SSL_export_keying_material(clientssl
, ckeymat1
,
6242 sizeof(ckeymat1
), label
,
6243 LONG_LABEL_LEN
+ 1, context
,
6244 sizeof(context
) - 1, 1), 0))
6249 } else if (tst
== 4) {
6250 labellen
= LONG_LABEL_LEN
;
6252 labellen
= SMALL_LABEL_LEN
;
6255 if (!TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat1
,
6256 sizeof(ckeymat1
), label
,
6258 sizeof(context
) - 1, 1), 1)
6259 || !TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat2
,
6260 sizeof(ckeymat2
), label
,
6264 || !TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat3
,
6265 sizeof(ckeymat3
), label
,
6268 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat1
,
6269 sizeof(skeymat1
), label
,
6272 sizeof(context
) -1, 1),
6274 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat2
,
6275 sizeof(skeymat2
), label
,
6279 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat3
,
6280 sizeof(skeymat3
), label
,
6284 * Check that both sides created the same key material with the
6287 || !TEST_mem_eq(ckeymat1
, sizeof(ckeymat1
), skeymat1
,
6290 * Check that both sides created the same key material with an
6293 || !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), skeymat2
,
6296 * Check that both sides created the same key material without a
6299 || !TEST_mem_eq(ckeymat3
, sizeof(ckeymat3
), skeymat3
,
6301 /* Different contexts should produce different results */
6302 || !TEST_mem_ne(ckeymat1
, sizeof(ckeymat1
), ckeymat2
,
6307 * Check that an empty context and no context produce different results in
6308 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6310 if ((tst
< 3 && !TEST_mem_ne(ckeymat2
, sizeof(ckeymat2
), ckeymat3
,
6312 || (tst
>= 3 && !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), ckeymat3
,
6319 SSL_free(serverssl
);
6320 SSL_free(clientssl
);
6321 SSL_CTX_free(sctx2
);
6328 #ifndef OSSL_NO_USABLE_TLS1_3
6330 * Test that SSL_export_keying_material_early() produces expected
6331 * results. There are no test vectors so all we do is test that both
6332 * sides of the communication produce the same results for different
6333 * protocol versions.
6335 static int test_export_key_mat_early(int idx
)
6337 static const char label
[] = "test label";
6338 static const unsigned char context
[] = "context";
6340 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6341 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6342 SSL_SESSION
*sess
= NULL
;
6343 const unsigned char *emptycontext
= NULL
;
6344 unsigned char ckeymat1
[80], ckeymat2
[80];
6345 unsigned char skeymat1
[80], skeymat2
[80];
6346 unsigned char buf
[1];
6347 size_t readbytes
, written
;
6349 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
, &serverssl
,
6353 /* Here writing 0 length early data is enough. */
6354 if (!TEST_true(SSL_write_early_data(clientssl
, NULL
, 0, &written
))
6355 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
6357 SSL_READ_EARLY_DATA_ERROR
)
6358 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
6359 SSL_EARLY_DATA_ACCEPTED
))
6362 if (!TEST_int_eq(SSL_export_keying_material_early(
6363 clientssl
, ckeymat1
, sizeof(ckeymat1
), label
,
6364 sizeof(label
) - 1, context
, sizeof(context
) - 1), 1)
6365 || !TEST_int_eq(SSL_export_keying_material_early(
6366 clientssl
, ckeymat2
, sizeof(ckeymat2
), label
,
6367 sizeof(label
) - 1, emptycontext
, 0), 1)
6368 || !TEST_int_eq(SSL_export_keying_material_early(
6369 serverssl
, skeymat1
, sizeof(skeymat1
), label
,
6370 sizeof(label
) - 1, context
, sizeof(context
) - 1), 1)
6371 || !TEST_int_eq(SSL_export_keying_material_early(
6372 serverssl
, skeymat2
, sizeof(skeymat2
), label
,
6373 sizeof(label
) - 1, emptycontext
, 0), 1)
6375 * Check that both sides created the same key material with the
6378 || !TEST_mem_eq(ckeymat1
, sizeof(ckeymat1
), skeymat1
,
6381 * Check that both sides created the same key material with an
6384 || !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), skeymat2
,
6386 /* Different contexts should produce different results */
6387 || !TEST_mem_ne(ckeymat1
, sizeof(ckeymat1
), ckeymat2
,
6394 SSL_SESSION_free(sess
);
6395 SSL_SESSION_free(clientpsk
);
6396 SSL_SESSION_free(serverpsk
);
6397 clientpsk
= serverpsk
= NULL
;
6398 SSL_free(serverssl
);
6399 SSL_free(clientssl
);
6406 #define NUM_KEY_UPDATE_MESSAGES 40
6410 static int test_key_update(void)
6412 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6413 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6414 int testresult
= 0, i
, j
;
6416 static char *mess
= "A test message";
6418 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6419 TLS_client_method(),
6422 &sctx
, &cctx
, cert
, privkey
))
6423 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6425 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6429 for (j
= 0; j
< 2; j
++) {
6430 /* Send lots of KeyUpdate messages */
6431 for (i
= 0; i
< NUM_KEY_UPDATE_MESSAGES
; i
++) {
6432 if (!TEST_true(SSL_key_update(clientssl
,
6434 ? SSL_KEY_UPDATE_NOT_REQUESTED
6435 : SSL_KEY_UPDATE_REQUESTED
))
6436 || !TEST_true(SSL_do_handshake(clientssl
)))
6440 /* Check that sending and receiving app data is ok */
6441 if (!TEST_int_eq(SSL_write(clientssl
, mess
, strlen(mess
)), strlen(mess
))
6442 || !TEST_int_eq(SSL_read(serverssl
, buf
, sizeof(buf
)),
6446 if (!TEST_int_eq(SSL_write(serverssl
, mess
, strlen(mess
)), strlen(mess
))
6447 || !TEST_int_eq(SSL_read(clientssl
, buf
, sizeof(buf
)),
6455 SSL_free(serverssl
);
6456 SSL_free(clientssl
);
6464 * Test we can handle a KeyUpdate (update requested) message while
6465 * write data is pending in peer.
6466 * Test 0: Client sends KeyUpdate while Server is writing
6467 * Test 1: Server sends KeyUpdate while Client is writing
6469 static int test_key_update_peer_in_write(int tst
)
6471 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6472 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6475 static char *mess
= "A test message";
6476 BIO
*bretry
= BIO_new(bio_s_always_retry());
6478 SSL
*peerupdate
= NULL
, *peerwrite
= NULL
;
6480 if (!TEST_ptr(bretry
)
6481 || !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6482 TLS_client_method(),
6485 &sctx
, &cctx
, cert
, privkey
))
6486 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6488 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6492 peerupdate
= tst
== 0 ? clientssl
: serverssl
;
6493 peerwrite
= tst
== 0 ? serverssl
: clientssl
;
6495 if (!TEST_true(SSL_key_update(peerupdate
, SSL_KEY_UPDATE_REQUESTED
))
6496 || !TEST_int_eq(SSL_do_handshake(peerupdate
), 1))
6499 /* Swap the writing endpoint's write BIO to force a retry */
6500 tmp
= SSL_get_wbio(peerwrite
);
6501 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
6505 SSL_set0_wbio(peerwrite
, bretry
);
6508 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6509 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), -1)
6510 || !TEST_int_eq(SSL_get_error(peerwrite
, 0), SSL_ERROR_WANT_WRITE
))
6513 /* Reinstate the original writing endpoint's write BIO */
6514 SSL_set0_wbio(peerwrite
, tmp
);
6517 /* Now read some data - we will read the key update */
6518 if (!TEST_int_eq(SSL_read(peerwrite
, buf
, sizeof(buf
)), -1)
6519 || !TEST_int_eq(SSL_get_error(peerwrite
, 0), SSL_ERROR_WANT_READ
))
6523 * Complete the write we started previously and read it from the other
6526 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), strlen(mess
))
6527 || !TEST_int_eq(SSL_read(peerupdate
, buf
, sizeof(buf
)), strlen(mess
)))
6530 /* Write more data to ensure we send the KeyUpdate message back */
6531 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), strlen(mess
))
6532 || !TEST_int_eq(SSL_read(peerupdate
, buf
, sizeof(buf
)), strlen(mess
)))
6538 SSL_free(serverssl
);
6539 SSL_free(clientssl
);
6549 * Test we can handle a KeyUpdate (update requested) message while
6550 * peer read data is pending after peer accepted keyupdate(the msg header
6551 * had been read 5 bytes).
6552 * Test 0: Client sends KeyUpdate while Server is reading
6553 * Test 1: Server sends KeyUpdate while Client is reading
6555 static int test_key_update_peer_in_read(int tst
)
6557 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6558 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6560 char prbuf
[515], lwbuf
[515] = {0};
6561 static char *mess
= "A test message";
6562 BIO
*lbio
= NULL
, *pbio
= NULL
;
6563 SSL
*local
= NULL
, *peer
= NULL
;
6565 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6566 TLS_client_method(),
6569 &sctx
, &cctx
, cert
, privkey
))
6570 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6572 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6576 local
= tst
== 0 ? clientssl
: serverssl
;
6577 peer
= tst
== 0 ? serverssl
: clientssl
;
6579 if (!TEST_int_eq(BIO_new_bio_pair(&lbio
, 512, &pbio
, 512), 1))
6582 SSL_set_bio(local
, lbio
, lbio
);
6583 SSL_set_bio(peer
, pbio
, pbio
);
6586 * we first write keyupdate msg then appdata in local
6587 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6588 * lwbuf app data msg size + key updata msg size > 512(the size of
6589 * the bio pair buffer)
6591 if (!TEST_true(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6592 || !TEST_int_eq(SSL_write(local
, lwbuf
, sizeof(lwbuf
)), -1)
6593 || !TEST_int_eq(SSL_get_error(local
, -1), SSL_ERROR_WANT_WRITE
))
6597 * first read keyupdate msg in peer in peer
6598 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6600 if (!TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), -1)
6601 || !TEST_int_eq(SSL_get_error(peer
, -1), SSL_ERROR_WANT_READ
))
6604 /* Now write some data in peer - we will write the key update */
6605 if (!TEST_int_eq(SSL_write(peer
, mess
, strlen(mess
)), strlen(mess
)))
6609 * write data in local previously that we will complete
6610 * read data in peer previously that we will complete
6612 if (!TEST_int_eq(SSL_write(local
, lwbuf
, sizeof(lwbuf
)), sizeof(lwbuf
))
6613 || !TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), sizeof(prbuf
)))
6616 /* check that sending and receiving appdata ok */
6617 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
))
6618 || !TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), strlen(mess
)))
6624 SSL_free(serverssl
);
6625 SSL_free(clientssl
);
6633 * Test we can't send a KeyUpdate (update requested) message while
6634 * local write data is pending.
6635 * Test 0: Client sends KeyUpdate while Client is writing
6636 * Test 1: Server sends KeyUpdate while Server is writing
6638 static int test_key_update_local_in_write(int tst
)
6640 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6641 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6644 static char *mess
= "A test message";
6645 BIO
*bretry
= BIO_new(bio_s_always_retry());
6647 SSL
*local
= NULL
, *peer
= NULL
;
6649 if (!TEST_ptr(bretry
)
6650 || !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6651 TLS_client_method(),
6654 &sctx
, &cctx
, cert
, privkey
))
6655 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6657 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6661 local
= tst
== 0 ? clientssl
: serverssl
;
6662 peer
= tst
== 0 ? serverssl
: clientssl
;
6664 /* Swap the writing endpoint's write BIO to force a retry */
6665 tmp
= SSL_get_wbio(local
);
6666 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
6670 SSL_set0_wbio(local
, bretry
);
6673 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6674 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), -1)
6675 || !TEST_int_eq(SSL_get_error(local
, -1), SSL_ERROR_WANT_WRITE
))
6678 /* Reinstate the original writing endpoint's write BIO */
6679 SSL_set0_wbio(local
, tmp
);
6682 /* SSL_key_update will fail, because writing in local*/
6683 if (!TEST_false(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6684 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY
))
6688 /* write data in local previously that we will complete */
6689 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
)))
6692 /* SSL_key_update will succeed because there is no pending write data */
6693 if (!TEST_true(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6694 || !TEST_int_eq(SSL_do_handshake(local
), 1))
6698 * we write some appdata in local
6699 * read data in peer - we will read the keyupdate msg
6701 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
))
6702 || !TEST_int_eq(SSL_read(peer
, buf
, sizeof(buf
)), strlen(mess
)))
6705 /* Write more peer more data to ensure we send the keyupdate message back */
6706 if (!TEST_int_eq(SSL_write(peer
, mess
, strlen(mess
)), strlen(mess
))
6707 || !TEST_int_eq(SSL_read(local
, buf
, sizeof(buf
)), strlen(mess
)))
6713 SSL_free(serverssl
);
6714 SSL_free(clientssl
);
6724 * Test we can handle a KeyUpdate (update requested) message while
6725 * local read data is pending(the msg header had been read 5 bytes).
6726 * Test 0: Client sends KeyUpdate while Client is reading
6727 * Test 1: Server sends KeyUpdate while Server is reading
6729 static int test_key_update_local_in_read(int tst
)
6731 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6732 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6734 char lrbuf
[515], pwbuf
[515] = {0}, prbuf
[20];
6735 static char *mess
= "A test message";
6736 BIO
*lbio
= NULL
, *pbio
= NULL
;
6737 SSL
*local
= NULL
, *peer
= NULL
;
6739 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6740 TLS_client_method(),
6743 &sctx
, &cctx
, cert
, privkey
))
6744 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6746 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6750 local
= tst
== 0 ? clientssl
: serverssl
;
6751 peer
= tst
== 0 ? serverssl
: clientssl
;
6753 if (!TEST_int_eq(BIO_new_bio_pair(&lbio
, 512, &pbio
, 512), 1))
6756 SSL_set_bio(local
, lbio
, lbio
);
6757 SSL_set_bio(peer
, pbio
, pbio
);
6759 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6760 if (!TEST_int_eq(SSL_write(peer
, pwbuf
, sizeof(pwbuf
)), -1)
6761 || !TEST_int_eq(SSL_get_error(peer
, -1), SSL_ERROR_WANT_WRITE
))
6764 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6765 if (!TEST_int_eq(SSL_read(local
, lrbuf
, sizeof(lrbuf
)), -1)
6766 || !TEST_int_eq(SSL_get_error(local
, -1), SSL_ERROR_WANT_READ
))
6769 /* SSL_do_handshake will send keyupdate msg */
6770 if (!TEST_true(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6771 || !TEST_int_eq(SSL_do_handshake(local
), 1))
6775 * write data in peer previously that we will complete
6776 * read data in local previously that we will complete
6778 if (!TEST_int_eq(SSL_write(peer
, pwbuf
, sizeof(pwbuf
)), sizeof(pwbuf
))
6779 || !TEST_int_eq(SSL_read(local
, lrbuf
, sizeof(lrbuf
)), sizeof(lrbuf
)))
6783 * write data in local
6784 * read data in peer - we will read the key update
6786 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
))
6787 || !TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), strlen(mess
)))
6790 /* Write more peer data to ensure we send the keyupdate message back */
6791 if (!TEST_int_eq(SSL_write(peer
, mess
, strlen(mess
)), strlen(mess
))
6792 || !TEST_int_eq(SSL_read(local
, lrbuf
, sizeof(lrbuf
)), strlen(mess
)))
6798 SSL_free(serverssl
);
6799 SSL_free(clientssl
);
6805 #endif /* OSSL_NO_USABLE_TLS1_3 */
6807 static int test_ssl_clear(int idx
)
6809 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6810 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6813 #ifdef OPENSSL_NO_TLS1_2
6818 /* Create an initial connection */
6819 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6820 TLS_client_method(), TLS1_VERSION
, 0,
6821 &sctx
, &cctx
, cert
, privkey
))
6823 && !TEST_true(SSL_CTX_set_max_proto_version(cctx
,
6825 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
6826 &clientssl
, NULL
, NULL
))
6827 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6831 SSL_shutdown(clientssl
);
6832 SSL_shutdown(serverssl
);
6833 SSL_free(serverssl
);
6836 /* Clear clientssl - we're going to reuse the object */
6837 if (!TEST_true(SSL_clear(clientssl
)))
6840 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6842 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6844 || !TEST_true(SSL_session_reused(clientssl
)))
6847 SSL_shutdown(clientssl
);
6848 SSL_shutdown(serverssl
);
6853 SSL_free(serverssl
);
6854 SSL_free(clientssl
);
6861 /* Parse CH and retrieve any MFL extension value if present */
6862 static int get_MFL_from_client_hello(BIO
*bio
, int *mfl_codemfl_code
)
6865 unsigned char *data
;
6866 PACKET pkt
, pkt2
, pkt3
;
6867 unsigned int MFL_code
= 0, type
= 0;
6869 if (!TEST_uint_gt(len
= BIO_get_mem_data(bio
, (char **) &data
), 0))
6872 memset(&pkt
, 0, sizeof(pkt
));
6873 memset(&pkt2
, 0, sizeof(pkt2
));
6874 memset(&pkt3
, 0, sizeof(pkt3
));
6876 if (!TEST_long_gt(len
, 0)
6877 || !TEST_true(PACKET_buf_init(&pkt
, data
, len
))
6878 /* Skip the record header */
6879 || !PACKET_forward(&pkt
, SSL3_RT_HEADER_LENGTH
)
6880 /* Skip the handshake message header */
6881 || !TEST_true(PACKET_forward(&pkt
, SSL3_HM_HEADER_LENGTH
))
6882 /* Skip client version and random */
6883 || !TEST_true(PACKET_forward(&pkt
, CLIENT_VERSION_LEN
6884 + SSL3_RANDOM_SIZE
))
6885 /* Skip session id */
6886 || !TEST_true(PACKET_get_length_prefixed_1(&pkt
, &pkt2
))
6888 || !TEST_true(PACKET_get_length_prefixed_2(&pkt
, &pkt2
))
6889 /* Skip compression */
6890 || !TEST_true(PACKET_get_length_prefixed_1(&pkt
, &pkt2
))
6891 /* Extensions len */
6892 || !TEST_true(PACKET_as_length_prefixed_2(&pkt
, &pkt2
)))
6895 /* Loop through all extensions */
6896 while (PACKET_remaining(&pkt2
)) {
6897 if (!TEST_true(PACKET_get_net_2(&pkt2
, &type
))
6898 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2
, &pkt3
)))
6901 if (type
== TLSEXT_TYPE_max_fragment_length
) {
6902 if (!TEST_uint_ne(PACKET_remaining(&pkt3
), 0)
6903 || !TEST_true(PACKET_get_1(&pkt3
, &MFL_code
)))
6906 *mfl_codemfl_code
= MFL_code
;
6915 /* Maximum-Fragment-Length TLS extension mode to test */
6916 static const unsigned char max_fragment_len_test
[] = {
6917 TLSEXT_max_fragment_length_512
,
6918 TLSEXT_max_fragment_length_1024
,
6919 TLSEXT_max_fragment_length_2048
,
6920 TLSEXT_max_fragment_length_4096
6923 static int test_max_fragment_len_ext(int idx_tst
)
6925 SSL_CTX
*ctx
= NULL
;
6927 int testresult
= 0, MFL_mode
= 0;
6930 if (!TEST_true(create_ssl_ctx_pair(libctx
, NULL
, TLS_client_method(),
6931 TLS1_VERSION
, 0, NULL
, &ctx
, NULL
,
6935 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6936 ctx
, max_fragment_len_test
[idx_tst
])))
6943 rbio
= BIO_new(BIO_s_mem());
6944 wbio
= BIO_new(BIO_s_mem());
6945 if (!TEST_ptr(rbio
)|| !TEST_ptr(wbio
)) {
6951 SSL_set_bio(con
, rbio
, wbio
);
6953 if (!TEST_int_le(SSL_connect(con
), 0)) {
6954 /* This shouldn't succeed because we don't have a server! */
6958 if (!TEST_true(get_MFL_from_client_hello(wbio
, &MFL_mode
)))
6959 /* no MFL in client hello */
6961 if (!TEST_true(max_fragment_len_test
[idx_tst
] == MFL_mode
))
6973 #ifndef OSSL_NO_USABLE_TLS1_3
6974 static int test_pha_key_update(void)
6976 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6977 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6980 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6981 TLS_client_method(), TLS1_VERSION
, 0,
6982 &sctx
, &cctx
, cert
, privkey
)))
6985 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx
, TLS1_3_VERSION
))
6986 || !TEST_true(SSL_CTX_set_max_proto_version(sctx
, TLS1_3_VERSION
))
6987 || !TEST_true(SSL_CTX_set_min_proto_version(cctx
, TLS1_3_VERSION
))
6988 || !TEST_true(SSL_CTX_set_max_proto_version(cctx
, TLS1_3_VERSION
)))
6991 SSL_CTX_set_post_handshake_auth(cctx
, 1);
6993 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6997 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
7001 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
, NULL
);
7002 if (!TEST_true(SSL_verify_client_post_handshake(serverssl
)))
7005 if (!TEST_true(SSL_key_update(clientssl
, SSL_KEY_UPDATE_NOT_REQUESTED
)))
7008 /* Start handshake on the server */
7009 if (!TEST_int_eq(SSL_do_handshake(serverssl
), 1))
7012 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7013 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
7017 SSL_shutdown(clientssl
);
7018 SSL_shutdown(serverssl
);
7023 SSL_free(serverssl
);
7024 SSL_free(clientssl
);
7031 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7033 static SRP_VBASE
*vbase
= NULL
;
7035 static int ssl_srp_cb(SSL
*s
, int *ad
, void *arg
)
7037 int ret
= SSL3_AL_FATAL
;
7039 SRP_user_pwd
*user
= NULL
;
7041 username
= SSL_get_srp_username(s
);
7042 if (username
== NULL
) {
7043 *ad
= SSL_AD_INTERNAL_ERROR
;
7047 user
= SRP_VBASE_get1_by_user(vbase
, username
);
7049 *ad
= SSL_AD_INTERNAL_ERROR
;
7053 if (SSL_set_srp_server_param(s
, user
->N
, user
->g
, user
->s
, user
->v
,
7055 *ad
= SSL_AD_INTERNAL_ERROR
;
7062 SRP_user_pwd_free(user
);
7066 static int create_new_vfile(char *userid
, char *password
, const char *filename
)
7069 OPENSSL_STRING
*row
= OPENSSL_zalloc(sizeof(row
) * (DB_NUMBER
+ 1));
7072 BIO
*out
= NULL
, *dummy
= BIO_new_mem_buf("", 0);
7075 if (!TEST_ptr(dummy
) || !TEST_ptr(row
))
7078 gNid
= SRP_create_verifier_ex(userid
, password
, &row
[DB_srpsalt
],
7079 &row
[DB_srpverifier
], NULL
, NULL
, libctx
, NULL
);
7080 if (!TEST_ptr(gNid
))
7084 * The only way to create an empty TXT_DB is to provide a BIO with no data
7087 db
= TXT_DB_read(dummy
, DB_NUMBER
);
7091 out
= BIO_new_file(filename
, "w");
7095 row
[DB_srpid
] = OPENSSL_strdup(userid
);
7096 row
[DB_srptype
] = OPENSSL_strdup("V");
7097 row
[DB_srpgN
] = OPENSSL_strdup(gNid
);
7099 if (!TEST_ptr(row
[DB_srpid
])
7100 || !TEST_ptr(row
[DB_srptype
])
7101 || !TEST_ptr(row
[DB_srpgN
])
7102 || !TEST_true(TXT_DB_insert(db
, row
)))
7107 if (TXT_DB_write(out
, db
) <= 0)
7113 for (i
= 0; i
< DB_NUMBER
; i
++)
7114 OPENSSL_free(row
[i
]);
7124 static int create_new_vbase(char *userid
, char *password
)
7126 BIGNUM
*verifier
= NULL
, *salt
= NULL
;
7127 const SRP_gN
*lgN
= NULL
;
7128 SRP_user_pwd
*user_pwd
= NULL
;
7131 lgN
= SRP_get_default_gN(NULL
);
7135 if (!TEST_true(SRP_create_verifier_BN_ex(userid
, password
, &salt
, &verifier
,
7136 lgN
->N
, lgN
->g
, libctx
, NULL
)))
7139 user_pwd
= OPENSSL_zalloc(sizeof(*user_pwd
));
7140 if (!TEST_ptr(user_pwd
))
7143 user_pwd
->N
= lgN
->N
;
7144 user_pwd
->g
= lgN
->g
;
7145 user_pwd
->id
= OPENSSL_strdup(userid
);
7146 if (!TEST_ptr(user_pwd
->id
))
7149 user_pwd
->v
= verifier
;
7151 verifier
= salt
= NULL
;
7153 if (sk_SRP_user_pwd_insert(vbase
->users_pwd
, user_pwd
, 0) == 0)
7159 SRP_user_pwd_free(user_pwd
);
7169 * Test 0: Simple successful SRP connection, new vbase
7170 * Test 1: Connection failure due to bad password, new vbase
7171 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7172 * Test 3: Connection failure due to bad password, vbase loaded from existing
7174 * Test 4: Simple successful SRP connection, vbase loaded from new file
7175 * Test 5: Connection failure due to bad password, vbase loaded from new file
7177 static int test_srp(int tst
)
7179 char *userid
= "test", *password
= "password", *tstsrpfile
;
7180 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7181 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7182 int ret
, testresult
= 0;
7184 vbase
= SRP_VBASE_new(NULL
);
7185 if (!TEST_ptr(vbase
))
7188 if (tst
== 0 || tst
== 1) {
7189 if (!TEST_true(create_new_vbase(userid
, password
)))
7192 if (tst
== 4 || tst
== 5) {
7193 if (!TEST_true(create_new_vfile(userid
, password
, tmpfilename
)))
7195 tstsrpfile
= tmpfilename
;
7197 tstsrpfile
= srpvfile
;
7199 if (!TEST_int_eq(SRP_VBASE_init(vbase
, tstsrpfile
), SRP_NO_ERROR
))
7203 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7204 TLS_client_method(), TLS1_VERSION
, 0,
7205 &sctx
, &cctx
, cert
, privkey
)))
7208 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx
, ssl_srp_cb
), 0)
7209 || !TEST_true(SSL_CTX_set_cipher_list(cctx
, "SRP-AES-128-CBC-SHA"))
7210 || !TEST_true(SSL_CTX_set_max_proto_version(sctx
, TLS1_2_VERSION
))
7211 || !TEST_true(SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
))
7212 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx
, userid
), 0))
7216 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx
, "badpass"), 0))
7219 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx
, password
), 0))
7223 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7227 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
7229 if (!TEST_true(tst
% 2 == 0))
7232 if (!TEST_true(tst
% 2 == 1))
7239 SRP_VBASE_free(vbase
);
7241 SSL_free(serverssl
);
7242 SSL_free(clientssl
);
7250 static int info_cb_failed
= 0;
7251 static int info_cb_offset
= 0;
7252 static int info_cb_this_state
= -1;
7254 static struct info_cb_states_st
{
7256 const char *statestr
;
7257 } info_cb_states
[][60] = {
7259 /* TLSv1.2 server followed by resumption */
7260 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7261 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7262 {SSL_CB_LOOP
, "TWSC"}, {SSL_CB_LOOP
, "TWSKE"}, {SSL_CB_LOOP
, "TWSD"},
7263 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWSD"}, {SSL_CB_LOOP
, "TRCKE"},
7264 {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWST"},
7265 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7266 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7267 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
7268 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"},
7269 {SSL_CB_LOOP
, "TWSH"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7270 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TRCCS"},
7271 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7272 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7274 /* TLSv1.2 client followed by resumption */
7275 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7276 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
7277 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TRSC"}, {SSL_CB_LOOP
, "TRSKE"},
7278 {SSL_CB_LOOP
, "TRSD"}, {SSL_CB_LOOP
, "TWCKE"}, {SSL_CB_LOOP
, "TWCCS"},
7279 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWFIN"},
7280 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"},
7281 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
7282 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7283 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
7284 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"},
7285 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7286 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7288 /* TLSv1.3 server followed by resumption */
7289 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7290 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7291 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWSC"},
7292 {SSL_CB_LOOP
, "TWSCV"}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TED"},
7293 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRFIN"},
7294 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_LOOP
, "TWST"},
7295 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
7296 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7297 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7298 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
7299 {SSL_CB_LOOP
, "TED"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"},
7300 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7301 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7303 /* TLSv1.3 client followed by resumption */
7304 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7305 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
7306 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"}, {SSL_CB_LOOP
, "TRSC"},
7307 {SSL_CB_LOOP
, "TRSCV"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"},
7308 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7309 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"},
7310 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"},
7311 {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
},
7312 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
7313 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
},
7314 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
7315 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7316 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7317 {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "TRST"},
7318 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7320 /* TLSv1.3 server, early_data */
7321 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7322 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7323 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
7324 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7325 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TED"},
7326 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TWEOED"}, {SSL_CB_LOOP
, "TRFIN"},
7327 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_LOOP
, "TWST"},
7328 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7330 /* TLSv1.3 client, early_data */
7331 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7332 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TWCCS"},
7333 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7334 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TED"},
7335 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
7336 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TPEDE"}, {SSL_CB_LOOP
, "TWEOED"},
7337 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7338 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"},
7339 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7341 /* TLSv1.3 server, certificate compression, followed by resumption */
7342 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7343 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7344 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWSCC"},
7345 {SSL_CB_LOOP
, "TWSCV"}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TED"},
7346 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRFIN"},
7347 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_LOOP
, "TWST"},
7348 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
7349 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7350 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7351 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
7352 {SSL_CB_LOOP
, "TED"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"},
7353 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7354 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7356 /* TLSv1.3 client, certificate compression, followed by resumption */
7357 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7358 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
7359 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"}, {SSL_CB_LOOP
, "TRSCC"},
7360 {SSL_CB_LOOP
, "TRSCV"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"},
7361 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7362 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"},
7363 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"},
7364 {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
},
7365 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
7366 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
},
7367 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
7368 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7369 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7370 {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "TRST"},
7371 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7377 static void sslapi_info_callback(const SSL
*s
, int where
, int ret
)
7379 struct info_cb_states_st
*state
= info_cb_states
[info_cb_offset
];
7381 /* We do not ever expect a connection to fail in this test */
7382 if (!TEST_false(ret
== 0)) {
7388 * Do some sanity checks. We never expect these things to happen in this
7391 if (!TEST_false((SSL_is_server(s
) && (where
& SSL_ST_CONNECT
) != 0))
7392 || !TEST_false(!SSL_is_server(s
) && (where
& SSL_ST_ACCEPT
) != 0)
7393 || !TEST_int_ne(state
[++info_cb_this_state
].where
, 0)) {
7398 /* Now check we're in the right state */
7399 if (!TEST_true((where
& state
[info_cb_this_state
].where
) != 0)) {
7403 if ((where
& SSL_CB_LOOP
) != 0
7404 && !TEST_int_eq(strcmp(SSL_state_string(s
),
7405 state
[info_cb_this_state
].statestr
), 0)) {
7411 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7413 if ((where
& SSL_CB_HANDSHAKE_DONE
)
7414 && SSL_in_init((SSL
*)s
) != 0) {
7421 * Test the info callback gets called when we expect it to.
7423 * Test 0: TLSv1.2, server
7424 * Test 1: TLSv1.2, client
7425 * Test 2: TLSv1.3, server
7426 * Test 3: TLSv1.3, client
7427 * Test 4: TLSv1.3, server, early_data
7428 * Test 5: TLSv1.3, client, early_data
7429 * Test 6: TLSv1.3, server, compressed certificate
7430 * Test 7: TLSv1.3, client, compressed certificate
7432 static int test_info_callback(int tst
)
7434 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7435 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7436 SSL_SESSION
*clntsess
= NULL
;
7441 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7442 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7443 || !defined(OPENSSL_NO_DH))
7444 tlsvers
= TLS1_2_VERSION
;
7449 #ifndef OSSL_NO_USABLE_TLS1_3
7450 tlsvers
= TLS1_3_VERSION
;
7458 info_cb_this_state
= -1;
7459 info_cb_offset
= tst
;
7461 #ifndef OSSL_NO_USABLE_TLS1_3
7462 if (tst
>= 4 && tst
< 6) {
7463 SSL_SESSION
*sess
= NULL
;
7464 size_t written
, readbytes
;
7465 unsigned char buf
[80];
7467 /* early_data tests */
7468 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
7469 &serverssl
, &sess
, 0)))
7472 /* We don't actually need this reference */
7473 SSL_SESSION_free(sess
);
7475 SSL_set_info_callback((tst
% 2) == 0 ? serverssl
: clientssl
,
7476 sslapi_info_callback
);
7478 /* Write and read some early data and then complete the connection */
7479 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
7481 || !TEST_size_t_eq(written
, strlen(MSG1
))
7482 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
,
7483 sizeof(buf
), &readbytes
),
7484 SSL_READ_EARLY_DATA_SUCCESS
)
7485 || !TEST_mem_eq(MSG1
, readbytes
, buf
, strlen(MSG1
))
7486 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
7487 SSL_EARLY_DATA_ACCEPTED
)
7488 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7490 || !TEST_false(info_cb_failed
))
7498 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7499 TLS_client_method(),
7500 tlsvers
, tlsvers
, &sctx
, &cctx
, cert
,
7504 if (!TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
7508 * For even numbered tests we check the server callbacks. For odd numbers we
7511 SSL_CTX_set_info_callback((tst
% 2) == 0 ? sctx
: cctx
,
7512 sslapi_info_callback
);
7514 if (!SSL_CTX_compress_certs(sctx
, 0))
7518 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
7519 &clientssl
, NULL
, NULL
))
7520 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7522 || !TEST_false(info_cb_failed
))
7527 clntsess
= SSL_get1_session(clientssl
);
7528 SSL_shutdown(clientssl
);
7529 SSL_shutdown(serverssl
);
7530 SSL_free(serverssl
);
7531 SSL_free(clientssl
);
7532 serverssl
= clientssl
= NULL
;
7534 /* Now do a resumption */
7535 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
7537 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
7538 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7540 || !TEST_true(SSL_session_reused(clientssl
))
7541 || !TEST_false(info_cb_failed
))
7547 SSL_free(serverssl
);
7548 SSL_free(clientssl
);
7549 SSL_SESSION_free(clntsess
);
7555 static int test_ssl_pending(int tst
)
7557 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7558 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7560 char msg
[] = "A test message";
7562 size_t written
, readbytes
;
7565 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7566 TLS_client_method(),
7568 &sctx
, &cctx
, cert
, privkey
)))
7571 #ifndef OPENSSL_NO_DTLS
7572 if (!TEST_true(create_ssl_ctx_pair(libctx
, DTLS_server_method(),
7573 DTLS_client_method(),
7575 &sctx
, &cctx
, cert
, privkey
)))
7578 # ifdef OPENSSL_NO_DTLS1_2
7579 /* Not supported in the FIPS provider */
7585 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7588 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0"))
7589 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
7590 "DEFAULT:@SECLEVEL=0")))
7598 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7600 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7604 if (!TEST_int_eq(SSL_pending(clientssl
), 0)
7605 || !TEST_false(SSL_has_pending(clientssl
))
7606 || !TEST_int_eq(SSL_pending(serverssl
), 0)
7607 || !TEST_false(SSL_has_pending(serverssl
))
7608 || !TEST_true(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
7609 || !TEST_size_t_eq(written
, sizeof(msg
))
7610 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
7611 || !TEST_size_t_eq(readbytes
, sizeof(buf
))
7612 || !TEST_int_eq(SSL_pending(clientssl
), (int)(written
- readbytes
))
7613 || !TEST_true(SSL_has_pending(clientssl
)))
7619 SSL_free(serverssl
);
7620 SSL_free(clientssl
);
7628 unsigned int maxprot
;
7629 const char *clntciphers
;
7630 const char *clnttls13ciphers
;
7631 const char *srvrciphers
;
7632 const char *srvrtls13ciphers
;
7634 const char *fipsshared
;
7635 } shared_ciphers_data
[] = {
7637 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7638 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7640 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7643 "AES128-SHA:AES256-SHA",
7645 "AES256-SHA:DHE-RSA-AES128-SHA",
7650 # if !defined(OPENSSL_NO_CHACHA) \
7651 && !defined(OPENSSL_NO_POLY1305) \
7652 && !defined(OPENSSL_NO_EC)
7655 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7657 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7659 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7665 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7667 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7669 "AES128-SHA:AES256-SHA",
7670 "AES128-SHA:AES256-SHA"
7674 "AES128-SHA:AES256-SHA",
7676 "AES128-SHA:DHE-RSA-AES128-SHA",
7683 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7686 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7687 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7690 "AES128-SHA:AES256-SHA",
7692 "AES256-SHA:AES128-SHA256",
7694 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7695 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7696 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7699 #ifndef OSSL_NO_USABLE_TLS1_3
7703 "TLS_AES_256_GCM_SHA384",
7705 "TLS_AES_256_GCM_SHA384",
7706 "TLS_AES_256_GCM_SHA384",
7707 "TLS_AES_256_GCM_SHA384"
7712 static int int_test_ssl_get_shared_ciphers(int tst
, int clnt
)
7714 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7715 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7718 OSSL_LIB_CTX
*tmplibctx
= OSSL_LIB_CTX_new();
7720 if (!TEST_ptr(tmplibctx
))
7724 * Regardless of whether we're testing with the FIPS provider loaded into
7725 * libctx, we want one peer to always use the full set of ciphersuites
7726 * available. Therefore we use a separate libctx with the default provider
7727 * loaded into it. We run the same tests twice - once with the client side
7728 * having the full set of ciphersuites and once with the server side.
7731 cctx
= SSL_CTX_new_ex(tmplibctx
, NULL
, TLS_client_method());
7732 if (!TEST_ptr(cctx
))
7735 sctx
= SSL_CTX_new_ex(tmplibctx
, NULL
, TLS_server_method());
7736 if (!TEST_ptr(sctx
))
7740 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7741 TLS_client_method(),
7743 shared_ciphers_data
[tst
].maxprot
,
7744 &sctx
, &cctx
, cert
, privkey
)))
7747 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
7748 shared_ciphers_data
[tst
].clntciphers
))
7749 || (shared_ciphers_data
[tst
].clnttls13ciphers
!= NULL
7750 && !TEST_true(SSL_CTX_set_ciphersuites(cctx
,
7751 shared_ciphers_data
[tst
].clnttls13ciphers
)))
7752 || !TEST_true(SSL_CTX_set_cipher_list(sctx
,
7753 shared_ciphers_data
[tst
].srvrciphers
))
7754 || (shared_ciphers_data
[tst
].srvrtls13ciphers
!= NULL
7755 && !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
7756 shared_ciphers_data
[tst
].srvrtls13ciphers
))))
7760 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7762 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7766 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl
, buf
, sizeof(buf
)))
7767 || !TEST_int_eq(strcmp(buf
,
7769 ? shared_ciphers_data
[tst
].fipsshared
7770 : shared_ciphers_data
[tst
].shared
),
7772 TEST_info("Shared ciphers are: %s\n", buf
);
7779 SSL_free(serverssl
);
7780 SSL_free(clientssl
);
7783 OSSL_LIB_CTX_free(tmplibctx
);
7788 static int test_ssl_get_shared_ciphers(int tst
)
7790 return int_test_ssl_get_shared_ciphers(tst
, 0)
7791 && int_test_ssl_get_shared_ciphers(tst
, 1);
7795 static const char *appdata
= "Hello World";
7796 static int gen_tick_called
, dec_tick_called
, tick_key_cb_called
;
7797 static int tick_key_renew
= 0;
7798 static SSL_TICKET_RETURN tick_dec_ret
= SSL_TICKET_RETURN_ABORT
;
7800 static int gen_tick_cb(SSL
*s
, void *arg
)
7802 gen_tick_called
= 1;
7804 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s
), appdata
,
7808 static SSL_TICKET_RETURN
dec_tick_cb(SSL
*s
, SSL_SESSION
*ss
,
7809 const unsigned char *keyname
,
7810 size_t keyname_length
,
7811 SSL_TICKET_STATUS status
,
7817 dec_tick_called
= 1;
7819 if (status
== SSL_TICKET_EMPTY
)
7820 return SSL_TICKET_RETURN_IGNORE_RENEW
;
7822 if (!TEST_true(status
== SSL_TICKET_SUCCESS
7823 || status
== SSL_TICKET_SUCCESS_RENEW
))
7824 return SSL_TICKET_RETURN_ABORT
;
7826 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss
, &tickdata
,
7828 || !TEST_size_t_eq(tickdlen
, strlen(appdata
))
7829 || !TEST_int_eq(memcmp(tickdata
, appdata
, tickdlen
), 0))
7830 return SSL_TICKET_RETURN_ABORT
;
7832 if (tick_key_cb_called
) {
7833 /* Don't change what the ticket key callback wanted to do */
7835 case SSL_TICKET_NO_DECRYPT
:
7836 return SSL_TICKET_RETURN_IGNORE_RENEW
;
7838 case SSL_TICKET_SUCCESS
:
7839 return SSL_TICKET_RETURN_USE
;
7841 case SSL_TICKET_SUCCESS_RENEW
:
7842 return SSL_TICKET_RETURN_USE_RENEW
;
7845 return SSL_TICKET_RETURN_ABORT
;
7848 return tick_dec_ret
;
7852 #ifndef OPENSSL_NO_DEPRECATED_3_0
7853 static int tick_key_cb(SSL
*s
, unsigned char key_name
[16],
7854 unsigned char iv
[EVP_MAX_IV_LENGTH
], EVP_CIPHER_CTX
*ctx
,
7855 HMAC_CTX
*hctx
, int enc
)
7857 const unsigned char tick_aes_key
[16] = "0123456789abcdef";
7858 const unsigned char tick_hmac_key
[16] = "0123456789abcdef";
7859 EVP_CIPHER
*aes128cbc
;
7863 tick_key_cb_called
= 1;
7865 if (tick_key_renew
== -1)
7868 aes128cbc
= EVP_CIPHER_fetch(libctx
, "AES-128-CBC", NULL
);
7869 if (!TEST_ptr(aes128cbc
))
7871 sha256
= EVP_MD_fetch(libctx
, "SHA-256", NULL
);
7872 if (!TEST_ptr(sha256
)) {
7873 EVP_CIPHER_free(aes128cbc
);
7877 memset(iv
, 0, AES_BLOCK_SIZE
);
7878 memset(key_name
, 0, 16);
7879 if (aes128cbc
== NULL
7881 || !EVP_CipherInit_ex(ctx
, aes128cbc
, NULL
, tick_aes_key
, iv
, enc
)
7882 || !HMAC_Init_ex(hctx
, tick_hmac_key
, sizeof(tick_hmac_key
), sha256
,
7886 ret
= tick_key_renew
? 2 : 1;
7888 EVP_CIPHER_free(aes128cbc
);
7889 EVP_MD_free(sha256
);
7895 static int tick_key_evp_cb(SSL
*s
, unsigned char key_name
[16],
7896 unsigned char iv
[EVP_MAX_IV_LENGTH
],
7897 EVP_CIPHER_CTX
*ctx
, EVP_MAC_CTX
*hctx
, int enc
)
7899 const unsigned char tick_aes_key
[16] = "0123456789abcdef";
7900 unsigned char tick_hmac_key
[16] = "0123456789abcdef";
7901 OSSL_PARAM params
[2];
7902 EVP_CIPHER
*aes128cbc
;
7905 tick_key_cb_called
= 1;
7907 if (tick_key_renew
== -1)
7910 aes128cbc
= EVP_CIPHER_fetch(libctx
, "AES-128-CBC", NULL
);
7911 if (!TEST_ptr(aes128cbc
))
7914 memset(iv
, 0, AES_BLOCK_SIZE
);
7915 memset(key_name
, 0, 16);
7916 params
[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST
,
7918 params
[1] = OSSL_PARAM_construct_end();
7919 if (aes128cbc
== NULL
7920 || !EVP_CipherInit_ex(ctx
, aes128cbc
, NULL
, tick_aes_key
, iv
, enc
)
7921 || !EVP_MAC_init(hctx
, tick_hmac_key
, sizeof(tick_hmac_key
),
7925 ret
= tick_key_renew
? 2 : 1;
7927 EVP_CIPHER_free(aes128cbc
);
7933 * Test the various ticket callbacks
7934 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7935 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7936 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7937 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7938 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7939 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7940 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7941 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7942 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7943 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7944 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7945 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7946 * Test 12: TLSv1.2, old ticket key callback, no ticket
7947 * Test 13: TLSv1.3, old ticket key callback, no ticket
7948 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7949 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7950 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7951 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7952 * Test 18: TLSv1.2, ticket key callback, no ticket
7953 * Test 19: TLSv1.3, ticket key callback, no ticket
7955 static int test_ticket_callbacks(int tst
)
7957 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7958 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7959 SSL_SESSION
*clntsess
= NULL
;
7962 #ifdef OPENSSL_NO_TLS1_2
7966 #ifdef OSSL_NO_USABLE_TLS1_3
7970 #ifdef OPENSSL_NO_DEPRECATED_3_0
7971 if (tst
>= 8 && tst
<= 13)
7975 gen_tick_called
= dec_tick_called
= tick_key_cb_called
= 0;
7977 /* Which tests the ticket key callback should request renewal for */
7979 if (tst
== 10 || tst
== 11 || tst
== 16 || tst
== 17)
7981 else if (tst
== 12 || tst
== 13 || tst
== 18 || tst
== 19)
7982 tick_key_renew
= -1; /* abort sending the ticket/0-length ticket */
7986 /* Which tests the decrypt ticket callback should request renewal for */
7990 tick_dec_ret
= SSL_TICKET_RETURN_IGNORE
;
7995 tick_dec_ret
= SSL_TICKET_RETURN_IGNORE_RENEW
;
8000 tick_dec_ret
= SSL_TICKET_RETURN_USE
;
8005 tick_dec_ret
= SSL_TICKET_RETURN_USE_RENEW
;
8009 tick_dec_ret
= SSL_TICKET_RETURN_ABORT
;
8012 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8013 TLS_client_method(),
8015 ((tst
% 2) == 0) ? TLS1_2_VERSION
8017 &sctx
, &cctx
, cert
, privkey
)))
8021 * We only want sessions to resume from tickets - not the session cache. So
8022 * switch the cache off.
8024 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx
, SSL_SESS_CACHE_OFF
)))
8027 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx
, gen_tick_cb
, dec_tick_cb
,
8032 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx
, tick_key_evp_cb
)))
8034 #ifndef OPENSSL_NO_DEPRECATED_3_0
8035 } else if (tst
>= 8) {
8036 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx
, tick_key_cb
)))
8041 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8043 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
8048 * The decrypt ticket key callback in TLSv1.2 should be called even though
8049 * we have no ticket yet, because it gets called with a status of
8050 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8051 * actually send any ticket data). This does not happen in TLSv1.3 because
8052 * it is not valid to send empty ticket data in TLSv1.3.
8054 if (!TEST_int_eq(gen_tick_called
, 1)
8055 || !TEST_int_eq(dec_tick_called
, ((tst
% 2) == 0) ? 1 : 0))
8058 gen_tick_called
= dec_tick_called
= 0;
8060 clntsess
= SSL_get1_session(clientssl
);
8061 SSL_shutdown(clientssl
);
8062 SSL_shutdown(serverssl
);
8063 SSL_free(serverssl
);
8064 SSL_free(clientssl
);
8065 serverssl
= clientssl
= NULL
;
8067 /* Now do a resumption */
8068 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
8070 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
8071 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
8075 if (tick_dec_ret
== SSL_TICKET_RETURN_IGNORE
8076 || tick_dec_ret
== SSL_TICKET_RETURN_IGNORE_RENEW
8077 || tick_key_renew
== -1) {
8078 if (!TEST_false(SSL_session_reused(clientssl
)))
8081 if (!TEST_true(SSL_session_reused(clientssl
)))
8085 if (!TEST_int_eq(gen_tick_called
,
8087 || tick_dec_ret
== SSL_TICKET_RETURN_IGNORE_RENEW
8088 || tick_dec_ret
== SSL_TICKET_RETURN_USE_RENEW
)
8090 /* There is no ticket to decrypt in tests 13 and 19 */
8091 || !TEST_int_eq(dec_tick_called
, (tst
== 13 || tst
== 19) ? 0 : 1))
8097 SSL_SESSION_free(clntsess
);
8098 SSL_free(serverssl
);
8099 SSL_free(clientssl
);
8107 * Test incorrect shutdown.
8108 * Test 0: client does not shutdown properly,
8109 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8110 * server should get SSL_ERROR_SSL
8111 * Test 1: client does not shutdown properly,
8112 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8113 * server should get SSL_ERROR_ZERO_RETURN
8115 static int test_incorrect_shutdown(int tst
)
8117 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8118 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8123 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8124 TLS_client_method(), 0, 0,
8125 &sctx
, &cctx
, cert
, privkey
)))
8129 SSL_CTX_set_options(sctx
, SSL_OP_IGNORE_UNEXPECTED_EOF
);
8131 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8135 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
8139 c2s
= SSL_get_rbio(serverssl
);
8140 BIO_set_mem_eof_return(c2s
, 0);
8142 if (!TEST_false(SSL_read(serverssl
, buf
, sizeof(buf
))))
8145 if (tst
== 0 && !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_SSL
) )
8147 if (tst
== 1 && !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_ZERO_RETURN
) )
8153 SSL_free(serverssl
);
8154 SSL_free(clientssl
);
8162 * Test bi-directional shutdown.
8164 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8165 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8166 * Test 3: TLSv1.3, pending NewSessionTicket messages
8167 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8168 * sends key update, client reads it
8169 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8170 * sends CertificateRequest, client reads and ignores it
8171 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8174 static int test_shutdown(int tst
)
8176 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8177 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8179 char msg
[] = "A test message";
8181 size_t written
, readbytes
;
8184 #ifdef OPENSSL_NO_TLS1_2
8188 #ifdef OSSL_NO_USABLE_TLS1_3
8193 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8194 TLS_client_method(),
8196 (tst
<= 1) ? TLS1_2_VERSION
8198 &sctx
, &cctx
, cert
, privkey
)))
8202 SSL_CTX_set_post_handshake_auth(cctx
, 1);
8204 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8209 if (!TEST_true(create_bare_ssl_connection(serverssl
, clientssl
,
8210 SSL_ERROR_NONE
, 1, 0))
8211 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
8212 || !TEST_false(SSL_SESSION_is_resumable(sess
)))
8214 } else if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
8216 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
8217 || !TEST_true(SSL_SESSION_is_resumable(sess
))) {
8221 if (!TEST_int_eq(SSL_shutdown(clientssl
), 0))
8226 * Reading on the server after the client has sent close_notify should
8227 * fail and provide SSL_ERROR_ZERO_RETURN
8229 if (!TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
8230 || !TEST_int_eq(SSL_get_error(serverssl
, 0),
8231 SSL_ERROR_ZERO_RETURN
)
8232 || !TEST_int_eq(SSL_get_shutdown(serverssl
),
8233 SSL_RECEIVED_SHUTDOWN
)
8235 * Even though we're shutdown on receive we should still be
8238 || !TEST_true(SSL_write(serverssl
, msg
, sizeof(msg
))))
8241 && !TEST_true(SSL_key_update(serverssl
,
8242 SSL_KEY_UPDATE_REQUESTED
)))
8245 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
, NULL
);
8246 if (!TEST_true(SSL_verify_client_post_handshake(serverssl
)))
8249 if ((tst
== 4 || tst
== 5)
8250 && !TEST_true(SSL_write(serverssl
, msg
, sizeof(msg
))))
8252 if (!TEST_int_eq(SSL_shutdown(serverssl
), 1))
8254 if (tst
== 4 || tst
== 5) {
8255 /* Should still be able to read data from server */
8256 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
8258 || !TEST_size_t_eq(readbytes
, sizeof(msg
))
8259 || !TEST_int_eq(memcmp(msg
, buf
, readbytes
), 0)
8260 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
8262 || !TEST_size_t_eq(readbytes
, sizeof(msg
))
8263 || !TEST_int_eq(memcmp(msg
, buf
, readbytes
), 0))
8268 /* Writing on the client after sending close_notify shouldn't be possible */
8269 if (!TEST_false(SSL_write_ex(clientssl
, msg
, sizeof(msg
), &written
)))
8274 * For these tests the client has sent close_notify but it has not yet
8275 * been received by the server. The server has not sent close_notify
8278 if (!TEST_int_eq(SSL_shutdown(serverssl
), 0)
8280 * Writing on the server after sending close_notify shouldn't
8283 || !TEST_false(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
8284 || !TEST_int_eq(SSL_shutdown(clientssl
), 1)
8285 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
8286 || !TEST_true(SSL_SESSION_is_resumable(sess
))
8287 || !TEST_int_eq(SSL_shutdown(serverssl
), 1))
8289 } else if (tst
== 4 || tst
== 5) {
8291 * In this test the client has sent close_notify and it has been
8292 * received by the server which has responded with a close_notify. The
8293 * client needs to read the close_notify sent by the server.
8295 if (!TEST_int_eq(SSL_shutdown(clientssl
), 1)
8296 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
8297 || !TEST_true(SSL_SESSION_is_resumable(sess
)))
8303 * The client has sent close_notify and is expecting a close_notify
8304 * back, but instead there is application data first. The shutdown
8305 * should fail with a fatal error.
8307 if (!TEST_int_eq(SSL_shutdown(clientssl
), -1)
8308 || !TEST_int_eq(SSL_get_error(clientssl
, -1), SSL_ERROR_SSL
))
8315 SSL_free(serverssl
);
8316 SSL_free(clientssl
);
8324 * Test that sending close_notify alerts works correctly in the case of a
8325 * retryable write failure.
8327 static int test_async_shutdown(void)
8329 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8330 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8332 BIO
*bretry
= BIO_new(bio_s_always_retry()), *tmp
= NULL
;
8334 if (!TEST_ptr(bretry
))
8337 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8338 TLS_client_method(),
8340 &sctx
, &cctx
, cert
, privkey
)))
8343 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
8347 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8350 /* Close write side of clientssl */
8351 if (!TEST_int_eq(SSL_shutdown(clientssl
), 0))
8354 tmp
= SSL_get_wbio(serverssl
);
8355 if (!TEST_true(BIO_up_ref(tmp
))) {
8359 SSL_set0_wbio(serverssl
, bretry
);
8362 /* First server shutdown should fail because of a retrable write failure */
8363 if (!TEST_int_eq(SSL_shutdown(serverssl
), -1)
8364 || !TEST_int_eq(SSL_get_error(serverssl
, -1), SSL_ERROR_WANT_WRITE
))
8367 /* Second server shutdown should fail for the same reason */
8368 if (!TEST_int_eq(SSL_shutdown(serverssl
), -1)
8369 || !TEST_int_eq(SSL_get_error(serverssl
, -1), SSL_ERROR_WANT_WRITE
))
8372 SSL_set0_wbio(serverssl
, tmp
);
8375 /* Third server shutdown should send close_notify */
8376 if (!TEST_int_eq(SSL_shutdown(serverssl
), 0))
8379 /* Fourth server shutdown should read close_notify from client and finish */
8380 if (!TEST_int_eq(SSL_shutdown(serverssl
), 1))
8383 /* Client should also successfully fully shutdown */
8384 if (!TEST_int_eq(SSL_shutdown(clientssl
), 1))
8389 SSL_free(serverssl
);
8390 SSL_free(clientssl
);
8399 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8400 static int cert_cb_cnt
;
8402 static int cert_cb(SSL
*s
, void *arg
)
8404 SSL_CTX
*ctx
= (SSL_CTX
*)arg
;
8406 EVP_PKEY
*pkey
= NULL
;
8407 X509
*x509
= NULL
, *rootx
= NULL
;
8408 STACK_OF(X509
) *chain
= NULL
;
8409 char *rootfile
= NULL
, *ecdsacert
= NULL
, *ecdsakey
= NULL
;
8412 if (cert_cb_cnt
== 0) {
8413 /* Suspend the handshake */
8416 } else if (cert_cb_cnt
== 1) {
8418 * Update the SSL_CTX, set the certificate and private key and then
8419 * continue the handshake normally.
8421 if (ctx
!= NULL
&& !TEST_ptr(SSL_set_SSL_CTX(s
, ctx
)))
8424 if (!TEST_true(SSL_use_certificate_file(s
, cert
, SSL_FILETYPE_PEM
))
8425 || !TEST_true(SSL_use_PrivateKey_file(s
, privkey
,
8427 || !TEST_true(SSL_check_private_key(s
)))
8431 } else if (cert_cb_cnt
== 3) {
8434 rootfile
= test_mk_file_path(certsdir
, "rootcert.pem");
8435 ecdsacert
= test_mk_file_path(certsdir
, "server-ecdsa-cert.pem");
8436 ecdsakey
= test_mk_file_path(certsdir
, "server-ecdsa-key.pem");
8437 if (!TEST_ptr(rootfile
) || !TEST_ptr(ecdsacert
) || !TEST_ptr(ecdsakey
))
8439 chain
= sk_X509_new_null();
8440 if (!TEST_ptr(chain
))
8442 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
8443 || !TEST_int_gt(BIO_read_filename(in
, rootfile
), 0)
8444 || !TEST_ptr(rootx
= X509_new_ex(libctx
, NULL
))
8445 || !TEST_ptr(PEM_read_bio_X509(in
, &rootx
, NULL
, NULL
))
8446 || !TEST_true(sk_X509_push(chain
, rootx
)))
8450 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
8451 || !TEST_int_gt(BIO_read_filename(in
, ecdsacert
), 0)
8452 || !TEST_ptr(x509
= X509_new_ex(libctx
, NULL
))
8453 || !TEST_ptr(PEM_read_bio_X509(in
, &x509
, NULL
, NULL
)))
8456 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
8457 || !TEST_int_gt(BIO_read_filename(in
, ecdsakey
), 0)
8458 || !TEST_ptr(pkey
= PEM_read_bio_PrivateKey_ex(in
, NULL
,
8462 rv
= SSL_check_chain(s
, x509
, pkey
, chain
);
8464 * If the cert doesn't show as valid here (e.g., because we don't
8465 * have any shared sigalgs), then we will not set it, and there will
8466 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8467 * will cause tls_choose_sigalgs() to fail the connection.
8469 if ((rv
& (CERT_PKEY_VALID
| CERT_PKEY_CA_SIGNATURE
))
8470 == (CERT_PKEY_VALID
| CERT_PKEY_CA_SIGNATURE
)) {
8471 if (!SSL_use_cert_and_key(s
, x509
, pkey
, NULL
, 1))
8478 /* Abort the handshake */
8480 OPENSSL_free(ecdsacert
);
8481 OPENSSL_free(ecdsakey
);
8482 OPENSSL_free(rootfile
);
8484 EVP_PKEY_free(pkey
);
8487 OSSL_STACK_OF_X509_free(chain
);
8492 * Test the certificate callback.
8493 * Test 0: Callback fails
8494 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8495 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8496 * Test 3: Success - Call SSL_check_chain from the callback
8497 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8499 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8501 static int test_cert_cb_int(int prot
, int tst
)
8503 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *snictx
= NULL
;
8504 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8505 int testresult
= 0, ret
;
8507 #ifdef OPENSSL_NO_EC
8508 /* We use an EC cert in these tests, so we skip in a no-ec build */
8513 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8514 TLS_client_method(),
8517 &sctx
, &cctx
, NULL
, NULL
)))
8528 snictx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
8529 if (!TEST_ptr(snictx
))
8533 SSL_CTX_set_cert_cb(sctx
, cert_cb
, snictx
);
8535 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8541 * We cause SSL_check_chain() to fail by specifying sig_algs that
8542 * the chain doesn't meet (the root uses an RSA cert)
8544 if (!TEST_true(SSL_set1_sigalgs_list(clientssl
,
8545 "ecdsa_secp256r1_sha256")))
8547 } else if (tst
== 5) {
8549 * We cause SSL_check_chain() to fail by specifying sig_algs that
8550 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8552 if (!TEST_true(SSL_set1_sigalgs_list(clientssl
,
8553 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8557 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
8558 if (!TEST_true(tst
== 0 || tst
== 4 || tst
== 5 ? !ret
: ret
)
8560 && !TEST_int_eq((cert_cb_cnt
- 2) * (cert_cb_cnt
- 3), 0))) {
8567 SSL_free(serverssl
);
8568 SSL_free(clientssl
);
8571 SSL_CTX_free(snictx
);
8577 static int test_cert_cb(int tst
)
8581 #ifndef OPENSSL_NO_TLS1_2
8582 testresult
&= test_cert_cb_int(TLS1_2_VERSION
, tst
);
8584 #ifndef OSSL_NO_USABLE_TLS1_3
8585 testresult
&= test_cert_cb_int(TLS1_3_VERSION
, tst
);
8591 static int client_cert_cb(SSL
*ssl
, X509
**x509
, EVP_PKEY
**pkey
)
8596 BIO
*priv_in
= NULL
;
8598 /* Check that SSL_get0_peer_certificate() returns something sensible */
8599 if (!TEST_ptr(SSL_get0_peer_certificate(ssl
)))
8602 in
= BIO_new_file(cert
, "r");
8606 if (!TEST_ptr(xcert
= X509_new_ex(libctx
, NULL
))
8607 || !TEST_ptr(PEM_read_bio_X509(in
, &xcert
, NULL
, NULL
))
8608 || !TEST_ptr(priv_in
= BIO_new_file(privkey
, "r"))
8609 || !TEST_ptr(privpkey
= PEM_read_bio_PrivateKey_ex(priv_in
, NULL
,
8627 static int test_client_cert_cb(int tst
)
8629 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8630 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8633 #ifdef OPENSSL_NO_TLS1_2
8637 #ifdef OSSL_NO_USABLE_TLS1_3
8642 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8643 TLS_client_method(),
8645 tst
== 0 ? TLS1_2_VERSION
8647 &sctx
, &cctx
, cert
, privkey
)))
8651 * Test that setting a client_cert_cb results in a client certificate being
8654 SSL_CTX_set_client_cert_cb(cctx
, client_cert_cb
);
8655 SSL_CTX_set_verify(sctx
,
8656 SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
,
8659 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8661 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
8668 SSL_free(serverssl
);
8669 SSL_free(clientssl
);
8676 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8678 * Test setting certificate authorities on both client and server.
8680 * Test 0: SSL_CTX_set0_CA_list() only
8681 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8682 * Test 2: Only SSL_CTX_set_client_CA_list()
8684 static int test_ca_names_int(int prot
, int tst
)
8686 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8687 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8690 X509_NAME
*name
[] = { NULL
, NULL
, NULL
, NULL
};
8691 char *strnames
[] = { "Jack", "Jill", "John", "Joanne" };
8692 STACK_OF(X509_NAME
) *sk1
= NULL
, *sk2
= NULL
;
8693 const STACK_OF(X509_NAME
) *sktmp
= NULL
;
8695 for (i
= 0; i
< OSSL_NELEM(name
); i
++) {
8696 name
[i
] = X509_NAME_new();
8697 if (!TEST_ptr(name
[i
])
8698 || !TEST_true(X509_NAME_add_entry_by_txt(name
[i
], "CN",
8706 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8707 TLS_client_method(),
8710 &sctx
, &cctx
, cert
, privkey
)))
8713 SSL_CTX_set_verify(sctx
, SSL_VERIFY_PEER
, NULL
);
8715 if (tst
== 0 || tst
== 1) {
8716 if (!TEST_ptr(sk1
= sk_X509_NAME_new_null())
8717 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[0])))
8718 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[1])))
8719 || !TEST_ptr(sk2
= sk_X509_NAME_new_null())
8720 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[0])))
8721 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[1]))))
8724 SSL_CTX_set0_CA_list(sctx
, sk1
);
8725 SSL_CTX_set0_CA_list(cctx
, sk2
);
8728 if (tst
== 1 || tst
== 2) {
8729 if (!TEST_ptr(sk1
= sk_X509_NAME_new_null())
8730 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[2])))
8731 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[3])))
8732 || !TEST_ptr(sk2
= sk_X509_NAME_new_null())
8733 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[2])))
8734 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[3]))))
8737 SSL_CTX_set_client_CA_list(sctx
, sk1
);
8738 SSL_CTX_set_client_CA_list(cctx
, sk2
);
8742 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8744 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
8749 * We only expect certificate authorities to have been sent to the server
8750 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8752 sktmp
= SSL_get0_peer_CA_list(serverssl
);
8753 if (prot
== TLS1_3_VERSION
8754 && (tst
== 0 || tst
== 1)) {
8755 if (!TEST_ptr(sktmp
)
8756 || !TEST_int_eq(sk_X509_NAME_num(sktmp
), 2)
8757 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 0),
8759 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 1),
8762 } else if (!TEST_ptr_null(sktmp
)) {
8767 * In all tests we expect certificate authorities to have been sent to the
8768 * client. However, SSL_set_client_CA_list() should override
8769 * SSL_set0_CA_list()
8771 sktmp
= SSL_get0_peer_CA_list(clientssl
);
8772 if (!TEST_ptr(sktmp
)
8773 || !TEST_int_eq(sk_X509_NAME_num(sktmp
), 2)
8774 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 0),
8775 name
[tst
== 0 ? 0 : 2]), 0)
8776 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 1),
8777 name
[tst
== 0 ? 1 : 3]), 0))
8783 SSL_free(serverssl
);
8784 SSL_free(clientssl
);
8787 for (i
= 0; i
< OSSL_NELEM(name
); i
++)
8788 X509_NAME_free(name
[i
]);
8789 sk_X509_NAME_pop_free(sk1
, X509_NAME_free
);
8790 sk_X509_NAME_pop_free(sk2
, X509_NAME_free
);
8796 static int test_ca_names(int tst
)
8800 #ifndef OPENSSL_NO_TLS1_2
8801 testresult
&= test_ca_names_int(TLS1_2_VERSION
, tst
);
8803 #ifndef OSSL_NO_USABLE_TLS1_3
8804 testresult
&= test_ca_names_int(TLS1_3_VERSION
, tst
);
8810 #ifndef OPENSSL_NO_TLS1_2
8811 static const char *multiblock_cipherlist_data
[]=
8819 /* Reduce the fragment size - so the multiblock test buffer can be small */
8820 # define MULTIBLOCK_FRAGSIZE 512
8822 static int test_multiblock_write(int test_index
)
8824 static const char *fetchable_ciphers
[]=
8826 "AES-128-CBC-HMAC-SHA1",
8827 "AES-128-CBC-HMAC-SHA256",
8828 "AES-256-CBC-HMAC-SHA1",
8829 "AES-256-CBC-HMAC-SHA256"
8831 const char *cipherlist
= multiblock_cipherlist_data
[test_index
];
8832 const SSL_METHOD
*smeth
= TLS_server_method();
8833 const SSL_METHOD
*cmeth
= TLS_client_method();
8834 int min_version
= TLS1_VERSION
;
8835 int max_version
= TLS1_2_VERSION
; /* Don't select TLS1_3 */
8836 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8837 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8841 * Choose a buffer large enough to perform a multi-block operation
8842 * i.e: write_len >= 4 * frag_size
8843 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8845 unsigned char msg
[MULTIBLOCK_FRAGSIZE
* 9];
8846 unsigned char buf
[sizeof(msg
)], *p
= buf
;
8847 size_t readbytes
, written
, len
;
8848 EVP_CIPHER
*ciph
= NULL
;
8851 * Check if the cipher exists before attempting to use it since it only has
8852 * a hardware specific implementation.
8854 ciph
= EVP_CIPHER_fetch(libctx
, fetchable_ciphers
[test_index
], "");
8856 TEST_skip("Multiblock cipher is not available for %s", cipherlist
);
8859 EVP_CIPHER_free(ciph
);
8861 /* Set up a buffer with some data that will be sent to the client */
8862 RAND_bytes(msg
, sizeof(msg
));
8864 if (!TEST_true(create_ssl_ctx_pair(libctx
, smeth
, cmeth
, min_version
,
8865 max_version
, &sctx
, &cctx
, cert
,
8869 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx
, MULTIBLOCK_FRAGSIZE
)))
8872 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8876 /* settings to force it to use AES-CBC-HMAC_SHA */
8877 SSL_set_options(serverssl
, SSL_OP_NO_ENCRYPT_THEN_MAC
);
8878 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipherlist
)))
8881 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8884 if (!TEST_true(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
8885 || !TEST_size_t_eq(written
, sizeof(msg
)))
8890 if (!TEST_true(SSL_read_ex(clientssl
, p
, MULTIBLOCK_FRAGSIZE
, &readbytes
)))
8895 if (!TEST_mem_eq(msg
, sizeof(msg
), buf
, sizeof(buf
)))
8900 SSL_free(serverssl
);
8901 SSL_free(clientssl
);
8907 #endif /* OPENSSL_NO_TLS1_2 */
8909 static int test_session_timeout(int test
)
8912 * Test session ordering and timeout
8913 * Can't explicitly test performance of the new code,
8914 * but can test to see if the ordering of the sessions
8915 * are correct, and they they are removed as expected
8917 SSL_SESSION
*early
= NULL
;
8918 SSL_SESSION
*middle
= NULL
;
8919 SSL_SESSION
*late
= NULL
;
8922 long now
= (long)time(NULL
);
8925 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method()))
8926 || !TEST_ptr(early
= SSL_SESSION_new())
8927 || !TEST_ptr(middle
= SSL_SESSION_new())
8928 || !TEST_ptr(late
= SSL_SESSION_new()))
8931 /* assign unique session ids */
8932 early
->session_id_length
= SSL3_SSL_SESSION_ID_LENGTH
;
8933 memset(early
->session_id
, 1, SSL3_SSL_SESSION_ID_LENGTH
);
8934 middle
->session_id_length
= SSL3_SSL_SESSION_ID_LENGTH
;
8935 memset(middle
->session_id
, 2, SSL3_SSL_SESSION_ID_LENGTH
);
8936 late
->session_id_length
= SSL3_SSL_SESSION_ID_LENGTH
;
8937 memset(late
->session_id
, 3, SSL3_SSL_SESSION_ID_LENGTH
);
8939 if (!TEST_int_eq(SSL_CTX_add_session(ctx
, early
), 1)
8940 || !TEST_int_eq(SSL_CTX_add_session(ctx
, middle
), 1)
8941 || !TEST_int_eq(SSL_CTX_add_session(ctx
, late
), 1))
8944 /* Make sure they are all added */
8945 if (!TEST_ptr(early
->prev
)
8946 || !TEST_ptr(middle
->prev
)
8947 || !TEST_ptr(late
->prev
))
8950 if (!TEST_int_ne(SSL_SESSION_set_time(early
, now
- 10), 0)
8951 || !TEST_int_ne(SSL_SESSION_set_time(middle
, now
), 0)
8952 || !TEST_int_ne(SSL_SESSION_set_time(late
, now
+ 10), 0))
8955 if (!TEST_int_ne(SSL_SESSION_set_timeout(early
, TIMEOUT
), 0)
8956 || !TEST_int_ne(SSL_SESSION_set_timeout(middle
, TIMEOUT
), 0)
8957 || !TEST_int_ne(SSL_SESSION_set_timeout(late
, TIMEOUT
), 0))
8960 /* Make sure they are all still there */
8961 if (!TEST_ptr(early
->prev
)
8962 || !TEST_ptr(middle
->prev
)
8963 || !TEST_ptr(late
->prev
))
8966 /* Make sure they are in the expected order */
8967 if (!TEST_ptr_eq(late
->next
, middle
)
8968 || !TEST_ptr_eq(middle
->next
, early
)
8969 || !TEST_ptr_eq(early
->prev
, middle
)
8970 || !TEST_ptr_eq(middle
->prev
, late
))
8973 /* This should remove "early" */
8974 SSL_CTX_flush_sessions(ctx
, now
+ TIMEOUT
- 1);
8975 if (!TEST_ptr_null(early
->prev
)
8976 || !TEST_ptr(middle
->prev
)
8977 || !TEST_ptr(late
->prev
))
8980 /* This should remove "middle" */
8981 SSL_CTX_flush_sessions(ctx
, now
+ TIMEOUT
+ 1);
8982 if (!TEST_ptr_null(early
->prev
)
8983 || !TEST_ptr_null(middle
->prev
)
8984 || !TEST_ptr(late
->prev
))
8987 /* This should remove "late" */
8988 SSL_CTX_flush_sessions(ctx
, now
+ TIMEOUT
+ 11);
8989 if (!TEST_ptr_null(early
->prev
)
8990 || !TEST_ptr_null(middle
->prev
)
8991 || !TEST_ptr_null(late
->prev
))
8994 /* Add them back in again */
8995 if (!TEST_int_eq(SSL_CTX_add_session(ctx
, early
), 1)
8996 || !TEST_int_eq(SSL_CTX_add_session(ctx
, middle
), 1)
8997 || !TEST_int_eq(SSL_CTX_add_session(ctx
, late
), 1))
9000 /* Make sure they are all added */
9001 if (!TEST_ptr(early
->prev
)
9002 || !TEST_ptr(middle
->prev
)
9003 || !TEST_ptr(late
->prev
))
9006 /* This should remove all of them */
9007 SSL_CTX_flush_sessions(ctx
, 0);
9008 if (!TEST_ptr_null(early
->prev
)
9009 || !TEST_ptr_null(middle
->prev
)
9010 || !TEST_ptr_null(late
->prev
))
9013 (void)SSL_CTX_set_session_cache_mode(ctx
, SSL_SESS_CACHE_UPDATE_TIME
9014 | SSL_CTX_get_session_cache_mode(ctx
));
9016 /* make sure |now| is NOT equal to the current time */
9018 if (!TEST_int_ne(SSL_SESSION_set_time(early
, now
), 0)
9019 || !TEST_int_eq(SSL_CTX_add_session(ctx
, early
), 1)
9020 || !TEST_long_ne(SSL_SESSION_get_time(early
), now
))
9026 SSL_SESSION_free(early
);
9027 SSL_SESSION_free(middle
);
9028 SSL_SESSION_free(late
);
9033 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9034 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9035 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9036 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9037 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9038 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9039 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9040 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9041 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9042 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9044 static int test_servername(int tst
)
9046 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9047 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9049 SSL_SESSION
*sess
= NULL
;
9050 const char *sexpectedhost
= NULL
, *cexpectedhost
= NULL
;
9052 #ifdef OPENSSL_NO_TLS1_2
9056 #ifdef OSSL_NO_USABLE_TLS1_3
9061 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9062 TLS_client_method(),
9064 (tst
<= 4) ? TLS1_2_VERSION
9066 &sctx
, &cctx
, cert
, privkey
))
9067 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9071 if (tst
!= 1 && tst
!= 6) {
9072 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
,
9077 if (tst
!= 3 && tst
!= 8) {
9078 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost")))
9080 sexpectedhost
= cexpectedhost
= "goodhost";
9083 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9086 if (!TEST_str_eq(SSL_get_servername(clientssl
, TLSEXT_NAMETYPE_host_name
),
9088 || !TEST_str_eq(SSL_get_servername(serverssl
,
9089 TLSEXT_NAMETYPE_host_name
),
9093 /* Now repeat with a resumption handshake */
9095 if (!TEST_int_eq(SSL_shutdown(clientssl
), 0)
9096 || !TEST_ptr_ne(sess
= SSL_get1_session(clientssl
), NULL
)
9097 || !TEST_true(SSL_SESSION_is_resumable(sess
))
9098 || !TEST_int_eq(SSL_shutdown(serverssl
), 0))
9101 SSL_free(clientssl
);
9102 SSL_free(serverssl
);
9103 clientssl
= serverssl
= NULL
;
9105 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
9109 if (!TEST_true(SSL_set_session(clientssl
, sess
)))
9112 sexpectedhost
= cexpectedhost
= "goodhost";
9113 if (tst
== 2 || tst
== 7) {
9114 /* Set an inconsistent hostname */
9115 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "altgoodhost")))
9118 * In TLSv1.2 we expect the hostname from the original handshake, in
9119 * TLSv1.3 we expect the hostname from this handshake
9122 sexpectedhost
= cexpectedhost
= "altgoodhost";
9124 if (!TEST_str_eq(SSL_get_servername(clientssl
,
9125 TLSEXT_NAMETYPE_host_name
),
9128 } else if (tst
== 4 || tst
== 9) {
9130 * A TLSv1.3 session does not associate a session with a servername,
9131 * but a TLSv1.2 session does.
9134 sexpectedhost
= cexpectedhost
= NULL
;
9136 if (!TEST_str_eq(SSL_get_servername(clientssl
,
9137 TLSEXT_NAMETYPE_host_name
),
9141 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost")))
9144 * In a TLSv1.2 resumption where the hostname was not acknowledged
9145 * we expect the hostname on the server to be empty. On the client we
9146 * return what was requested in this case.
9148 * Similarly if the client didn't set a hostname on an original TLSv1.2
9149 * session but is now, the server hostname will be empty, but the client
9152 if (tst
== 1 || tst
== 3)
9153 sexpectedhost
= NULL
;
9155 if (!TEST_str_eq(SSL_get_servername(clientssl
,
9156 TLSEXT_NAMETYPE_host_name
),
9161 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9164 if (!TEST_true(SSL_session_reused(clientssl
))
9165 || !TEST_true(SSL_session_reused(serverssl
))
9166 || !TEST_str_eq(SSL_get_servername(clientssl
,
9167 TLSEXT_NAMETYPE_host_name
),
9169 || !TEST_str_eq(SSL_get_servername(serverssl
,
9170 TLSEXT_NAMETYPE_host_name
),
9177 SSL_SESSION_free(sess
);
9178 SSL_free(serverssl
);
9179 SSL_free(clientssl
);
9186 #if !defined(OPENSSL_NO_EC) \
9187 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9189 * Test that if signature algorithms are not available, then we do not offer or
9191 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9192 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9193 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9194 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9195 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9196 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9198 static int test_sigalgs_available(int idx
)
9200 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9201 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9203 OSSL_LIB_CTX
*tmpctx
= OSSL_LIB_CTX_new();
9204 OSSL_LIB_CTX
*clientctx
= libctx
, *serverctx
= libctx
;
9205 OSSL_PROVIDER
*filterprov
= NULL
;
9208 if (!TEST_ptr(tmpctx
))
9211 if (idx
!= 0 && idx
!= 3) {
9212 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx
, "filter",
9213 filter_provider_init
)))
9216 filterprov
= OSSL_PROVIDER_load(tmpctx
, "filter");
9217 if (!TEST_ptr(filterprov
))
9222 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9223 * or accepted for the peer that uses this libctx. Note that libssl
9224 * *requires* SHA2-256 to be available so we cannot disable that. We
9225 * also need SHA1 for our certificate.
9227 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST
,
9231 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE
,
9233 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT
,
9238 if (idx
== 1 || idx
== 4)
9244 cctx
= SSL_CTX_new_ex(clientctx
, NULL
, TLS_client_method());
9245 sctx
= SSL_CTX_new_ex(serverctx
, NULL
, TLS_server_method());
9246 if (!TEST_ptr(cctx
) || !TEST_ptr(sctx
))
9250 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9251 TLS_client_method(),
9254 &sctx
, &cctx
, cert
, privkey
)))
9257 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9258 TLS_client_method(),
9261 &sctx
, &cctx
, cert2
, privkey2
)))
9265 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9267 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
9268 "ECDHE-RSA-AES128-GCM-SHA256")))
9271 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
9272 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9277 if (!SSL_CTX_set1_sigalgs_list(cctx
,
9278 "rsa_pss_rsae_sha384"
9279 ":rsa_pss_rsae_sha256")
9280 || !SSL_CTX_set1_sigalgs_list(sctx
,
9281 "rsa_pss_rsae_sha384"
9282 ":rsa_pss_rsae_sha256"))
9285 if (!SSL_CTX_set1_sigalgs_list(cctx
, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9286 || !SSL_CTX_set1_sigalgs_list(sctx
,
9287 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9292 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx
, cert2
,
9293 SSL_FILETYPE_PEM
), 1)
9294 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx
,
9296 SSL_FILETYPE_PEM
), 1)
9297 || !TEST_int_eq(SSL_CTX_check_private_key(sctx
), 1)))
9300 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9304 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9307 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9308 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl
, 0, &sig
, &hash
, NULL
,
9310 (idx
== 0 || idx
== 3) ? 2 : 1))
9313 if (!TEST_int_eq(hash
, idx
== 0 ? NID_sha384
: NID_sha256
))
9316 if (!TEST_int_eq(sig
, (idx
== 4 || idx
== 5) ? EVP_PKEY_EC
9320 testresult
= filter_provider_check_clean_finish();
9323 SSL_free(serverssl
);
9324 SSL_free(clientssl
);
9327 OSSL_PROVIDER_unload(filterprov
);
9328 OSSL_LIB_CTX_free(tmpctx
);
9333 * !defined(OPENSSL_NO_EC) \
9334 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9337 #ifndef OPENSSL_NO_TLS1_3
9338 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9339 static int test_pluggable_group(int idx
)
9341 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9342 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9344 OSSL_PROVIDER
*tlsprov
= OSSL_PROVIDER_load(libctx
, "tls-provider");
9345 /* Check that we are not impacted by a provider without any groups */
9346 OSSL_PROVIDER
*legacyprov
= OSSL_PROVIDER_load(libctx
, "legacy");
9347 const char *group_name
= idx
== 0 ? "xorgroup" : "xorkemgroup";
9349 if (!TEST_ptr(tlsprov
))
9352 if (legacyprov
== NULL
) {
9354 * In this case we assume we've been built with "no-legacy" and skip
9355 * this test (there is no OPENSSL_NO_LEGACY)
9361 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9362 TLS_client_method(),
9365 &sctx
, &cctx
, cert
, privkey
))
9366 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9370 if (!TEST_true(SSL_set1_groups_list(serverssl
, group_name
))
9371 || !TEST_true(SSL_set1_groups_list(clientssl
, group_name
)))
9374 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9377 if (!TEST_str_eq(group_name
,
9378 SSL_group_to_name(serverssl
, SSL_get_shared_group(serverssl
, 0))))
9384 SSL_free(serverssl
);
9385 SSL_free(clientssl
);
9388 OSSL_PROVIDER_unload(tlsprov
);
9389 OSSL_PROVIDER_unload(legacyprov
);
9395 #ifndef OPENSSL_NO_TLS1_2
9396 static int test_ssl_dup(void)
9398 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9399 SSL
*clientssl
= NULL
, *serverssl
= NULL
, *client2ssl
= NULL
;
9401 BIO
*rbio
= NULL
, *wbio
= NULL
;
9403 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9404 TLS_client_method(),
9407 &sctx
, &cctx
, cert
, privkey
)))
9410 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9414 if (!TEST_true(SSL_set_min_proto_version(clientssl
, TLS1_2_VERSION
))
9415 || !TEST_true(SSL_set_max_proto_version(clientssl
, TLS1_2_VERSION
)))
9418 client2ssl
= SSL_dup(clientssl
);
9419 rbio
= SSL_get_rbio(clientssl
);
9421 || !TEST_true(BIO_up_ref(rbio
)))
9423 SSL_set0_rbio(client2ssl
, rbio
);
9426 wbio
= SSL_get_wbio(clientssl
);
9427 if (!TEST_ptr(wbio
) || !TEST_true(BIO_up_ref(wbio
)))
9429 SSL_set0_wbio(client2ssl
, wbio
);
9432 if (!TEST_ptr(client2ssl
)
9433 /* Handshake not started so pointers should be different */
9434 || !TEST_ptr_ne(clientssl
, client2ssl
))
9437 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl
), TLS1_2_VERSION
)
9438 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl
), TLS1_2_VERSION
))
9441 if (!TEST_true(create_ssl_connection(serverssl
, client2ssl
, SSL_ERROR_NONE
)))
9444 SSL_free(clientssl
);
9445 clientssl
= SSL_dup(client2ssl
);
9446 if (!TEST_ptr(clientssl
)
9447 /* Handshake has finished so pointers should be the same */
9448 || !TEST_ptr_eq(clientssl
, client2ssl
))
9454 SSL_free(serverssl
);
9455 SSL_free(clientssl
);
9456 SSL_free(client2ssl
);
9463 # ifndef OPENSSL_NO_DH
9465 static EVP_PKEY
*tmp_dh_params
= NULL
;
9467 /* Helper function for the test_set_tmp_dh() tests */
9468 static EVP_PKEY
*get_tmp_dh_params(void)
9470 if (tmp_dh_params
== NULL
) {
9472 OSSL_PARAM_BLD
*tmpl
= NULL
;
9473 EVP_PKEY_CTX
*pctx
= NULL
;
9474 OSSL_PARAM
*params
= NULL
;
9475 EVP_PKEY
*dhpkey
= NULL
;
9477 p
= BN_get_rfc3526_prime_2048(NULL
);
9481 pctx
= EVP_PKEY_CTX_new_from_name(libctx
, "DH", NULL
);
9483 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx
), 1))
9486 tmpl
= OSSL_PARAM_BLD_new();
9488 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl
,
9489 OSSL_PKEY_PARAM_FFC_P
,
9491 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl
,
9492 OSSL_PKEY_PARAM_FFC_G
,
9496 params
= OSSL_PARAM_BLD_to_param(tmpl
);
9497 if (!TEST_ptr(params
)
9498 || !TEST_int_eq(EVP_PKEY_fromdata(pctx
, &dhpkey
,
9499 EVP_PKEY_KEY_PARAMETERS
,
9503 tmp_dh_params
= dhpkey
;
9506 EVP_PKEY_CTX_free(pctx
);
9507 OSSL_PARAM_BLD_free(tmpl
);
9508 OSSL_PARAM_free(params
);
9511 if (tmp_dh_params
!= NULL
&& !EVP_PKEY_up_ref(tmp_dh_params
))
9514 return tmp_dh_params
;
9517 # ifndef OPENSSL_NO_DEPRECATED_3_0
9518 /* Callback used by test_set_tmp_dh() */
9519 static DH
*tmp_dh_callback(SSL
*s
, int is_export
, int keylen
)
9521 EVP_PKEY
*dhpkey
= get_tmp_dh_params();
9524 if (!TEST_ptr(dhpkey
))
9528 * libssl does not free the returned DH, so we free it now knowing that even
9529 * after we free dhpkey, there will still be a reference to the owning
9530 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9531 * of time we need it for.
9533 ret
= EVP_PKEY_get1_DH(dhpkey
);
9536 EVP_PKEY_free(dhpkey
);
9543 * Test the various methods for setting temporary DH parameters
9545 * Test 0: Default (no auto) setting
9546 * Test 1: Explicit SSL_CTX auto off
9547 * Test 2: Explicit SSL auto off
9548 * Test 3: Explicit SSL_CTX auto on
9549 * Test 4: Explicit SSL auto on
9550 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9551 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9553 * The following are testing deprecated APIs, so we only run them if available
9554 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9555 * Test 8: Explicit SSL auto off, custom DH params via DH
9556 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9557 * Test 10: Explicit SSL auto off, custom DH params via callback
9559 static int test_set_tmp_dh(int idx
)
9561 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9562 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9564 int dhauto
= (idx
== 3 || idx
== 4) ? 1 : 0;
9565 int expected
= (idx
<= 2) ? 0 : 1;
9566 EVP_PKEY
*dhpkey
= NULL
;
9567 # ifndef OPENSSL_NO_DEPRECATED_3_0
9575 if (idx
>= 5 && idx
<= 8) {
9576 dhpkey
= get_tmp_dh_params();
9577 if (!TEST_ptr(dhpkey
))
9580 # ifndef OPENSSL_NO_DEPRECATED_3_0
9581 if (idx
== 7 || idx
== 8) {
9582 dh
= EVP_PKEY_get1_DH(dhpkey
);
9588 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9589 TLS_client_method(),
9592 &sctx
, &cctx
, cert
, privkey
)))
9595 if ((idx
& 1) == 1) {
9596 if (!TEST_true(SSL_CTX_set_dh_auto(sctx
, dhauto
)))
9601 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx
, dhpkey
)))
9605 # ifndef OPENSSL_NO_DEPRECATED_3_0
9606 else if (idx
== 7) {
9607 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx
, dh
)))
9609 } else if (idx
== 9) {
9610 SSL_CTX_set_tmp_dh_callback(sctx
, tmp_dh_callback
);
9614 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9618 if ((idx
& 1) == 0 && idx
!= 0) {
9619 if (!TEST_true(SSL_set_dh_auto(serverssl
, dhauto
)))
9623 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl
, dhpkey
)))
9627 # ifndef OPENSSL_NO_DEPRECATED_3_0
9628 else if (idx
== 8) {
9629 if (!TEST_true(SSL_set_tmp_dh(serverssl
, dh
)))
9631 } else if (idx
== 10) {
9632 SSL_set_tmp_dh_callback(serverssl
, tmp_dh_callback
);
9636 if (!TEST_true(SSL_set_min_proto_version(serverssl
, TLS1_2_VERSION
))
9637 || !TEST_true(SSL_set_max_proto_version(serverssl
, TLS1_2_VERSION
))
9638 || !TEST_true(SSL_set_cipher_list(serverssl
, "DHE-RSA-AES128-SHA")))
9642 * If autoon then we should succeed. Otherwise we expect failure because
9643 * there are no parameters
9645 if (!TEST_int_eq(create_ssl_connection(serverssl
, clientssl
,
9646 SSL_ERROR_NONE
), expected
))
9652 # ifndef OPENSSL_NO_DEPRECATED_3_0
9655 SSL_free(serverssl
);
9656 SSL_free(clientssl
);
9659 EVP_PKEY_free(dhpkey
);
9665 * Test the auto DH keys are appropriately sized
9667 static int test_dh_auto(int idx
)
9669 SSL_CTX
*cctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_client_method());
9670 SSL_CTX
*sctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9671 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9673 EVP_PKEY
*tmpkey
= NULL
;
9674 char *thiscert
= NULL
, *thiskey
= NULL
;
9675 size_t expdhsize
= 0;
9676 const char *ciphersuite
= "DHE-RSA-AES128-SHA";
9678 if (!TEST_ptr(sctx
) || !TEST_ptr(cctx
))
9683 /* The FIPS provider doesn't support this DH size - so we ignore it */
9688 thiscert
= cert1024
;
9689 thiskey
= privkey1024
;
9691 SSL_CTX_set_security_level(sctx
, 1);
9692 SSL_CTX_set_security_level(cctx
, 1);
9695 /* 2048 bit prime */
9701 thiscert
= cert3072
;
9702 thiskey
= privkey3072
;
9706 thiscert
= cert4096
;
9707 thiskey
= privkey4096
;
9711 thiscert
= cert8192
;
9712 thiskey
= privkey8192
;
9715 /* No certificate cases */
9717 /* The FIPS provider doesn't support this DH size - so we ignore it */
9722 ciphersuite
= "ADH-AES128-SHA256:@SECLEVEL=0";
9726 ciphersuite
= "ADH-AES256-SHA256:@SECLEVEL=0";
9730 TEST_error("Invalid text index");
9734 if (!TEST_true(create_ssl_ctx_pair(libctx
, NULL
,
9738 &sctx
, &cctx
, thiscert
, thiskey
)))
9741 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9745 if (!TEST_true(SSL_set_dh_auto(serverssl
, 1))
9746 || !TEST_true(SSL_set_min_proto_version(serverssl
, TLS1_2_VERSION
))
9747 || !TEST_true(SSL_set_max_proto_version(serverssl
, TLS1_2_VERSION
))
9748 || !TEST_true(SSL_set_cipher_list(serverssl
, ciphersuite
))
9749 || !TEST_true(SSL_set_cipher_list(clientssl
, ciphersuite
)))
9753 * Send the server's first flight. At this point the server has created the
9754 * temporary DH key but hasn't finished using it yet. Once used it is
9755 * removed, so we cannot test it.
9757 if (!TEST_int_le(SSL_connect(clientssl
), 0)
9758 || !TEST_int_le(SSL_accept(serverssl
), 0))
9761 if (!TEST_int_gt(SSL_get_tmp_key(serverssl
, &tmpkey
), 0))
9763 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey
), expdhsize
))
9766 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9772 SSL_free(serverssl
);
9773 SSL_free(clientssl
);
9776 EVP_PKEY_free(tmpkey
);
9781 # endif /* OPENSSL_NO_DH */
9782 #endif /* OPENSSL_NO_TLS1_2 */
9784 #ifndef OSSL_NO_USABLE_TLS1_3
9786 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9787 * that it works even without a certificate configured for the original
9790 static int test_sni_tls13(void)
9792 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
9793 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9796 /* Reset callback counter */
9799 /* Create an initial SSL_CTX with no certificate configured */
9800 sctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9801 if (!TEST_ptr(sctx
))
9803 /* Require TLSv1.3 as a minimum */
9804 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9805 TLS_client_method(), TLS1_3_VERSION
, 0,
9806 &sctx2
, &cctx
, cert
, privkey
)))
9810 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
, sni_cb
))
9811 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx
, sctx2
)))
9815 * Connection should still succeed because the final SSL_CTX has the right
9816 * certificates configured.
9818 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
9819 &clientssl
, NULL
, NULL
))
9820 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
9824 /* We should have had the SNI callback called exactly once */
9825 if (!TEST_int_eq(snicb
, 1))
9831 SSL_free(serverssl
);
9832 SSL_free(clientssl
);
9833 SSL_CTX_free(sctx2
);
9840 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9844 static int test_ticket_lifetime(int idx
)
9846 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9847 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9849 int version
= TLS1_3_VERSION
;
9851 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9852 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9855 #ifdef OPENSSL_NO_TLS1_2
9856 return TEST_skip("TLS 1.2 is disabled.");
9858 version
= TLS1_2_VERSION
;
9862 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9863 TLS_client_method(), version
, version
,
9864 &sctx
, &cctx
, cert
, privkey
)))
9867 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
9868 &clientssl
, NULL
, NULL
)))
9872 * Set the timeout to be more than 1 week
9873 * make sure the returned value is the default
9875 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx
, TWO_WEEK_SEC
),
9876 SSL_get_default_timeout(serverssl
)))
9879 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9883 /* TLSv1.2 uses the set value */
9884 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl
)), TWO_WEEK_SEC
))
9887 /* TLSv1.3 uses the limited value */
9888 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl
)), ONE_WEEK_SEC
))
9894 SSL_free(serverssl
);
9895 SSL_free(clientssl
);
9902 * Test that setting an ALPN does not violate RFC
9904 static int test_set_alpn(void)
9906 SSL_CTX
*ctx
= NULL
;
9910 unsigned char bad0
[] = { 0x00, 'b', 'a', 'd' };
9911 unsigned char good
[] = { 0x04, 'g', 'o', 'o', 'd' };
9912 unsigned char bad1
[] = { 0x01, 'b', 'a', 'd' };
9913 unsigned char bad2
[] = { 0x03, 'b', 'a', 'd', 0x00};
9914 unsigned char bad3
[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9915 unsigned char bad4
[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9917 /* Create an initial SSL_CTX with no certificate configured */
9918 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9922 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9923 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx
, NULL
, 2)))
9925 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx
, good
, 0)))
9927 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx
, good
, sizeof(good
))))
9929 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, good
, 1)))
9931 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad0
, sizeof(bad0
))))
9933 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad1
, sizeof(bad1
))))
9935 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad2
, sizeof(bad2
))))
9937 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad3
, sizeof(bad3
))))
9939 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad4
, sizeof(bad4
))))
9946 if (!TEST_false(SSL_set_alpn_protos(ssl
, NULL
, 2)))
9948 if (!TEST_false(SSL_set_alpn_protos(ssl
, good
, 0)))
9950 if (!TEST_false(SSL_set_alpn_protos(ssl
, good
, sizeof(good
))))
9952 if (!TEST_true(SSL_set_alpn_protos(ssl
, good
, 1)))
9954 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad0
, sizeof(bad0
))))
9956 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad1
, sizeof(bad1
))))
9958 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad2
, sizeof(bad2
))))
9960 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad3
, sizeof(bad3
))))
9962 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad4
, sizeof(bad4
))))
9974 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9976 static int test_set_verify_cert_store_ssl_ctx(void)
9978 SSL_CTX
*ctx
= NULL
;
9980 X509_STORE
*store
= NULL
, *new_store
= NULL
,
9981 *cstore
= NULL
, *new_cstore
= NULL
;
9983 /* Create an initial SSL_CTX. */
9984 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9988 /* Retrieve verify store pointer. */
9989 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx
, &store
)))
9992 /* Retrieve chain store pointer. */
9993 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx
, &cstore
)))
9996 /* We haven't set any yet, so this should be NULL. */
9997 if (!TEST_ptr_null(store
) || !TEST_ptr_null(cstore
))
10000 /* Create stores. We use separate stores so pointers are different. */
10001 new_store
= X509_STORE_new();
10002 if (!TEST_ptr(new_store
))
10005 new_cstore
= X509_STORE_new();
10006 if (!TEST_ptr(new_cstore
))
10010 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx
, new_store
)))
10013 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx
, new_cstore
)))
10016 /* Should be able to retrieve the same pointer. */
10017 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx
, &store
)))
10020 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx
, &cstore
)))
10023 if (!TEST_ptr_eq(store
, new_store
) || !TEST_ptr_eq(cstore
, new_cstore
))
10026 /* Should be able to unset again. */
10027 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx
, NULL
)))
10030 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx
, NULL
)))
10033 /* Should now be NULL. */
10034 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx
, &store
)))
10037 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx
, &cstore
)))
10040 if (!TEST_ptr_null(store
) || !TEST_ptr_null(cstore
))
10046 X509_STORE_free(new_store
);
10047 X509_STORE_free(new_cstore
);
10053 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10055 static int test_set_verify_cert_store_ssl(void)
10057 SSL_CTX
*ctx
= NULL
;
10059 int testresult
= 0;
10060 X509_STORE
*store
= NULL
, *new_store
= NULL
,
10061 *cstore
= NULL
, *new_cstore
= NULL
;
10063 /* Create an initial SSL_CTX. */
10064 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
10065 if (!TEST_ptr(ctx
))
10068 /* Create an SSL object. */
10069 ssl
= SSL_new(ctx
);
10070 if (!TEST_ptr(ssl
))
10073 /* Retrieve verify store pointer. */
10074 if (!TEST_true(SSL_get0_verify_cert_store(ssl
, &store
)))
10077 /* Retrieve chain store pointer. */
10078 if (!TEST_true(SSL_get0_chain_cert_store(ssl
, &cstore
)))
10081 /* We haven't set any yet, so this should be NULL. */
10082 if (!TEST_ptr_null(store
) || !TEST_ptr_null(cstore
))
10085 /* Create stores. We use separate stores so pointers are different. */
10086 new_store
= X509_STORE_new();
10087 if (!TEST_ptr(new_store
))
10090 new_cstore
= X509_STORE_new();
10091 if (!TEST_ptr(new_cstore
))
10095 if (!TEST_true(SSL_set1_verify_cert_store(ssl
, new_store
)))
10098 if (!TEST_true(SSL_set1_chain_cert_store(ssl
, new_cstore
)))
10101 /* Should be able to retrieve the same pointer. */
10102 if (!TEST_true(SSL_get0_verify_cert_store(ssl
, &store
)))
10105 if (!TEST_true(SSL_get0_chain_cert_store(ssl
, &cstore
)))
10108 if (!TEST_ptr_eq(store
, new_store
) || !TEST_ptr_eq(cstore
, new_cstore
))
10111 /* Should be able to unset again. */
10112 if (!TEST_true(SSL_set1_verify_cert_store(ssl
, NULL
)))
10115 if (!TEST_true(SSL_set1_chain_cert_store(ssl
, NULL
)))
10118 /* Should now be NULL. */
10119 if (!TEST_true(SSL_get0_verify_cert_store(ssl
, &store
)))
10122 if (!TEST_true(SSL_get0_chain_cert_store(ssl
, &cstore
)))
10125 if (!TEST_ptr_null(store
) || !TEST_ptr_null(cstore
))
10131 X509_STORE_free(new_store
);
10132 X509_STORE_free(new_cstore
);
10139 static int test_inherit_verify_param(void)
10141 int testresult
= 0;
10143 SSL_CTX
*ctx
= NULL
;
10144 X509_VERIFY_PARAM
*cp
= NULL
;
10146 X509_VERIFY_PARAM
*sp
= NULL
;
10147 int hostflags
= X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
;
10149 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
10150 if (!TEST_ptr(ctx
))
10153 cp
= SSL_CTX_get0_param(ctx
);
10156 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp
), 0))
10159 X509_VERIFY_PARAM_set_hostflags(cp
, hostflags
);
10161 ssl
= SSL_new(ctx
);
10162 if (!TEST_ptr(ssl
))
10165 sp
= SSL_get0_param(ssl
);
10168 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp
), hostflags
))
10180 static int test_load_dhfile(void)
10182 #ifndef OPENSSL_NO_DH
10183 int testresult
= 0;
10185 SSL_CTX
*ctx
= NULL
;
10186 SSL_CONF_CTX
*cctx
= NULL
;
10188 if (dhfile
== NULL
)
10191 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_client_method()))
10192 || !TEST_ptr(cctx
= SSL_CONF_CTX_new()))
10195 SSL_CONF_CTX_set_ssl_ctx(cctx
, ctx
);
10196 SSL_CONF_CTX_set_flags(cctx
,
10197 SSL_CONF_FLAG_CERTIFICATE
10198 | SSL_CONF_FLAG_SERVER
10199 | SSL_CONF_FLAG_FILE
);
10201 if (!TEST_int_eq(SSL_CONF_cmd(cctx
, "DHParameters", dhfile
), 2))
10206 SSL_CONF_CTX_free(cctx
);
10211 return TEST_skip("DH not supported by this build");
10215 #ifndef OSSL_NO_USABLE_TLS1_3
10216 /* Test that read_ahead works across a key change */
10217 static int test_read_ahead_key_change(void)
10219 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
10220 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
10221 int testresult
= 0;
10222 char *msg
= "Hello World";
10223 size_t written
, readbytes
;
10227 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
10228 TLS_client_method(), TLS1_3_VERSION
, 0,
10229 &sctx
, &cctx
, cert
, privkey
)))
10232 SSL_CTX_set_read_ahead(sctx
, 1);
10234 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
10235 &clientssl
, NULL
, NULL
)))
10238 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
10241 /* Write some data, send a key update, write more data */
10242 if (!TEST_true(SSL_write_ex(clientssl
, msg
, strlen(msg
), &written
))
10243 || !TEST_size_t_eq(written
, strlen(msg
)))
10246 if (!TEST_true(SSL_key_update(clientssl
, SSL_KEY_UPDATE_NOT_REQUESTED
)))
10249 if (!TEST_true(SSL_write_ex(clientssl
, msg
, strlen(msg
), &written
))
10250 || !TEST_size_t_eq(written
, strlen(msg
)))
10254 * Since read_ahead is on the first read below should read the record with
10255 * the first app data, the second record with the key update message, and
10256 * the third record with the app data all in one go. We should be able to
10257 * still process the read_ahead data correctly even though it crosses
10260 for (i
= 0; i
< 2; i
++) {
10261 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
) - 1,
10265 buf
[readbytes
] = '\0';
10266 if (!TEST_str_eq(buf
, msg
))
10273 SSL_free(serverssl
);
10274 SSL_free(clientssl
);
10275 SSL_CTX_free(sctx
);
10276 SSL_CTX_free(cctx
);
10280 static size_t record_pad_cb(SSL
*s
, int type
, size_t len
, void *arg
)
10284 switch ((*called
)++) {
10286 /* Add some padding to first record */
10289 /* Maximally pad the second record */
10290 return SSL3_RT_MAX_PLAIN_LENGTH
- len
;
10293 * Exceeding the maximum padding should be fine. It should just pad to
10294 * the maximum anyway
10296 return SSL3_RT_MAX_PLAIN_LENGTH
+ 1 - len
;
10299 * Very large padding should also be ok. Should just pad to the maximum
10309 * Test that setting record padding in TLSv1.3 works as expected
10310 * Test 0: Record padding callback on the SSL_CTX
10311 * Test 1: Record padding callback on the SSL
10312 * Test 2: Record block padding on the SSL_CTX
10313 * Test 3: Record block padding on the SSL
10315 static int test_tls13_record_padding(int idx
)
10317 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
10318 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
10319 int testresult
= 0;
10320 char *msg
= "Hello World";
10321 size_t written
, readbytes
;
10326 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
10327 TLS_client_method(), TLS1_3_VERSION
, 0,
10328 &sctx
, &cctx
, cert
, privkey
)))
10332 SSL_CTX_set_record_padding_callback(cctx
, record_pad_cb
);
10333 SSL_CTX_set_record_padding_callback_arg(cctx
, &called
);
10334 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx
), &called
))
10336 } else if (idx
== 2) {
10337 /* Exceeding the max plain length should fail */
10338 if (!TEST_false(SSL_CTX_set_block_padding(cctx
,
10339 SSL3_RT_MAX_PLAIN_LENGTH
+ 1)))
10341 if (!TEST_true(SSL_CTX_set_block_padding(cctx
, 512)))
10345 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
10346 &clientssl
, NULL
, NULL
)))
10350 SSL_set_record_padding_callback(clientssl
, record_pad_cb
);
10351 SSL_set_record_padding_callback_arg(clientssl
, &called
);
10352 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl
), &called
))
10354 } else if (idx
== 3) {
10355 /* Exceeding the max plain length should fail */
10356 if (!TEST_false(SSL_set_block_padding(clientssl
,
10357 SSL3_RT_MAX_PLAIN_LENGTH
+ 1)))
10359 if (!TEST_true(SSL_set_block_padding(clientssl
, 512)))
10363 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
10368 * Write some data, then check we can read it. Do this four times to check
10369 * we can continue to write and read padded data after the initial record
10370 * padding has been added. We don't actually check that the padding has
10371 * been applied to the record - just that we can continue to communicate
10372 * normally and that the callback has been called (if appropriate).
10374 for (i
= 0; i
< 4; i
++) {
10375 if (!TEST_true(SSL_write_ex(clientssl
, msg
, strlen(msg
), &written
))
10376 || !TEST_size_t_eq(written
, strlen(msg
)))
10379 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
) - 1,
10381 || !TEST_size_t_eq(written
, readbytes
))
10384 buf
[readbytes
] = '\0';
10385 if (!TEST_str_eq(buf
, msg
))
10389 if ((idx
== 0 || idx
== 1) && !TEST_int_eq(called
, 4))
10394 SSL_free(serverssl
);
10395 SSL_free(clientssl
);
10396 SSL_CTX_free(sctx
);
10397 SSL_CTX_free(cctx
);
10400 #endif /* OSSL_NO_USABLE_TLS1_3 */
10402 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10404 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10405 * support this yet. The only pipeline capable cipher that we have is in the
10406 * dasync engine (providers don't support this yet), so we have to use
10407 * deprecated APIs for this test.
10409 * Test 0: Client has pipelining enabled, server does not
10410 * Test 1: Server has pipelining enabled, client does not
10411 * Test 2: Client has pipelining enabled, server does not: not enough data to
10412 * fill all the pipelines
10413 * Test 3: Client has pipelining enabled, server does not: not enough data to
10414 * fill all the pipelines by more than a full pipeline's worth
10415 * Test 4: Client has pipelining enabled, server does not: more data than all
10416 * the available pipelines can take
10417 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10419 static int test_pipelining(int idx
)
10421 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
10422 SSL
*clientssl
= NULL
, *serverssl
= NULL
, *peera
, *peerb
;
10423 int testresult
= 0, numreads
;
10424 /* A 55 byte message */
10425 unsigned char *msg
= (unsigned char *)
10426 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10427 size_t written
, readbytes
, offset
, msglen
, fragsize
= 10, numpipes
= 5;
10428 size_t expectedreads
;
10429 unsigned char *buf
= NULL
;
10432 if (!TEST_ptr(e
= ENGINE_by_id("dasync")))
10435 if (!TEST_true(ENGINE_init(e
))) {
10440 if (!TEST_true(ENGINE_register_ciphers(e
)))
10443 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
10444 TLS_client_method(), 0,
10445 TLS1_2_VERSION
, &sctx
, &cctx
, cert
,
10449 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
10450 &clientssl
, NULL
, NULL
)))
10453 if (!TEST_true(SSL_set_cipher_list(clientssl
, "AES128-SHA")))
10456 /* peera is always configured for pipelining, while peerb is not. */
10468 /* Maximum allowed fragment size */
10469 fragsize
= SSL3_RT_MAX_PLAIN_LENGTH
;
10470 msglen
= fragsize
* numpipes
;
10471 msg
= OPENSSL_malloc(msglen
);
10472 if (!TEST_ptr(msg
))
10474 if (!TEST_int_gt(RAND_bytes_ex(libctx
, msg
, msglen
, 0), 0))
10476 } else if (idx
== 4) {
10482 msglen
-= 2; /* Send 2 less bytes */
10484 msglen
-= 12; /* Send 12 less bytes */
10486 buf
= OPENSSL_malloc(msglen
);
10487 if (!TEST_ptr(buf
))
10492 * Test that setting a split send fragment longer than the maximum
10495 if (!TEST_false(SSL_set_split_send_fragment(peera
, fragsize
+ 1)))
10500 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10501 * (50 bytes in total). This is a ridiculously small number of bytes -
10502 * but sufficient for our purposes
10504 if (!TEST_true(SSL_set_max_pipelines(peera
, numpipes
))
10505 || !TEST_true(SSL_set_split_send_fragment(peera
, fragsize
)))
10508 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
10511 /* Write some data from peera to peerb */
10512 if (!TEST_true(SSL_write_ex(peera
, msg
, msglen
, &written
))
10513 || !TEST_size_t_eq(written
, msglen
))
10517 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10518 * have been used - except in test 3 where only |numpipes - 1| pipelines
10519 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10520 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10521 * expect this to be read in |numpipes| or |numpipes - 1| separate
10522 * SSL_read_ex calls. In the case of test 4, there is then one additional
10523 * read for left over data that couldn't fit in the previous pipelines
10525 for (offset
= 0, numreads
= 0;
10527 offset
+= readbytes
, numreads
++) {
10528 if (!TEST_true(SSL_read_ex(peerb
, buf
+ offset
,
10529 msglen
- offset
, &readbytes
)))
10533 expectedreads
= idx
== 4 ? numpipes
+ 1
10534 : (idx
== 3 ? numpipes
- 1 : numpipes
);
10535 if (!TEST_mem_eq(msg
, msglen
, buf
, offset
)
10536 || !TEST_int_eq(numreads
, expectedreads
))
10540 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10541 * chunks to exercise the read pipelining code on peera.
10543 for (offset
= 0; offset
< msglen
; offset
+= fragsize
) {
10544 size_t sendlen
= msglen
- offset
;
10546 if (sendlen
> fragsize
)
10547 sendlen
= fragsize
;
10548 if (!TEST_true(SSL_write_ex(peerb
, msg
+ offset
, sendlen
, &written
))
10549 || !TEST_size_t_eq(written
, sendlen
))
10554 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10555 * separate chunks (depending on which test we are running). If the
10556 * pipelining is working then we expect peera to read up to numpipes chunks
10557 * and process them in parallel, giving back the complete result in a single
10558 * call to SSL_read_ex
10560 if (!TEST_true(SSL_read_ex(peera
, buf
, msglen
, &readbytes
))
10561 || !TEST_size_t_le(readbytes
, msglen
))
10567 if (!TEST_true(SSL_read_ex(peera
, buf
+ readbytes
,
10568 msglen
- readbytes
, &readbytes2
)))
10570 readbytes
+= readbytes2
;
10571 if (!TEST_size_t_le(readbytes
, msglen
))
10575 if (!TEST_mem_eq(msg
, msglen
, buf
, readbytes
))
10580 SSL_free(serverssl
);
10581 SSL_free(clientssl
);
10582 SSL_CTX_free(sctx
);
10583 SSL_CTX_free(cctx
);
10584 ENGINE_unregister_ciphers(e
);
10592 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10594 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
10596 int setup_tests(void)
10601 libctx
= OSSL_LIB_CTX_new();
10602 if (!TEST_ptr(libctx
))
10605 defctxnull
= OSSL_PROVIDER_load(NULL
, "null");
10608 * Verify that the default and fips providers in the default libctx are not
10611 if (!TEST_false(OSSL_PROVIDER_available(NULL
, "default"))
10612 || !TEST_false(OSSL_PROVIDER_available(NULL
, "fips")))
10615 if (!test_skip_common_options()) {
10616 TEST_error("Error parsing test options\n");
10620 if (!TEST_ptr(certsdir
= test_get_argument(0))
10621 || !TEST_ptr(srpvfile
= test_get_argument(1))
10622 || !TEST_ptr(tmpfilename
= test_get_argument(2))
10623 || !TEST_ptr(modulename
= test_get_argument(3))
10624 || !TEST_ptr(configfile
= test_get_argument(4))
10625 || !TEST_ptr(dhfile
= test_get_argument(5)))
10628 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx
, configfile
)))
10631 /* Check we have the expected provider available */
10632 if (!TEST_true(OSSL_PROVIDER_available(libctx
, modulename
)))
10635 /* Check the default provider is not available */
10636 if (strcmp(modulename
, "default") != 0
10637 && !TEST_false(OSSL_PROVIDER_available(libctx
, "default")))
10640 if (strcmp(modulename
, "fips") == 0)
10644 * We add, but don't load the test "tls-provider". We'll load it when we
10647 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx
, "tls-provider",
10648 tls_provider_init
)))
10652 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL
) {
10653 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
10654 TEST_error("not supported in this build");
10657 int i
, mcount
, rcount
, fcount
;
10659 for (i
= 0; i
< 4; i
++)
10660 test_export_key_mat(i
);
10661 CRYPTO_get_alloc_counts(&mcount
, &rcount
, &fcount
);
10662 test_printf_stdout("malloc %d realloc %d free %d\n",
10663 mcount
, rcount
, fcount
);
10668 cert
= test_mk_file_path(certsdir
, "servercert.pem");
10672 privkey
= test_mk_file_path(certsdir
, "serverkey.pem");
10673 if (privkey
== NULL
)
10676 cert2
= test_mk_file_path(certsdir
, "server-ecdsa-cert.pem");
10680 privkey2
= test_mk_file_path(certsdir
, "server-ecdsa-key.pem");
10681 if (privkey2
== NULL
)
10684 cert1024
= test_mk_file_path(certsdir
, "ee-cert-1024.pem");
10685 if (cert1024
== NULL
)
10688 privkey1024
= test_mk_file_path(certsdir
, "ee-key-1024.pem");
10689 if (privkey1024
== NULL
)
10692 cert3072
= test_mk_file_path(certsdir
, "ee-cert-3072.pem");
10693 if (cert3072
== NULL
)
10696 privkey3072
= test_mk_file_path(certsdir
, "ee-key-3072.pem");
10697 if (privkey3072
== NULL
)
10700 cert4096
= test_mk_file_path(certsdir
, "ee-cert-4096.pem");
10701 if (cert4096
== NULL
)
10704 privkey4096
= test_mk_file_path(certsdir
, "ee-key-4096.pem");
10705 if (privkey4096
== NULL
)
10708 cert8192
= test_mk_file_path(certsdir
, "ee-cert-8192.pem");
10709 if (cert8192
== NULL
)
10712 privkey8192
= test_mk_file_path(certsdir
, "ee-key-8192.pem");
10713 if (privkey8192
== NULL
)
10716 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
10717 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
10718 ADD_ALL_TESTS(test_ktls
, NUM_KTLS_TEST_CIPHERS
* 4);
10719 ADD_ALL_TESTS(test_ktls_sendfile
, NUM_KTLS_TEST_CIPHERS
* 2);
10722 ADD_TEST(test_large_message_tls
);
10723 ADD_TEST(test_large_message_tls_read_ahead
);
10724 #ifndef OPENSSL_NO_DTLS
10725 ADD_TEST(test_large_message_dtls
);
10727 ADD_ALL_TESTS(test_large_app_data
, 28);
10728 ADD_TEST(test_cleanse_plaintext
);
10729 #ifndef OPENSSL_NO_OCSP
10730 ADD_TEST(test_tlsext_status_type
);
10732 ADD_TEST(test_session_with_only_int_cache
);
10733 ADD_TEST(test_session_with_only_ext_cache
);
10734 ADD_TEST(test_session_with_both_cache
);
10735 ADD_TEST(test_session_wo_ca_names
);
10736 #ifndef OSSL_NO_USABLE_TLS1_3
10737 ADD_ALL_TESTS(test_stateful_tickets
, 3);
10738 ADD_ALL_TESTS(test_stateless_tickets
, 3);
10739 ADD_TEST(test_psk_tickets
);
10740 ADD_ALL_TESTS(test_extra_tickets
, 6);
10742 ADD_ALL_TESTS(test_ssl_set_bio
, TOTAL_SSL_SET_BIO_TESTS
);
10743 ADD_TEST(test_ssl_bio_pop_next_bio
);
10744 ADD_TEST(test_ssl_bio_pop_ssl_bio
);
10745 ADD_TEST(test_ssl_bio_change_rbio
);
10746 ADD_TEST(test_ssl_bio_change_wbio
);
10747 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
10748 ADD_ALL_TESTS(test_set_sigalgs
, OSSL_NELEM(testsigalgs
) * 2);
10749 ADD_TEST(test_keylog
);
10751 #ifndef OSSL_NO_USABLE_TLS1_3
10752 ADD_TEST(test_keylog_no_master_key
);
10754 ADD_TEST(test_client_cert_verify_cb
);
10755 ADD_TEST(test_ssl_build_cert_chain
);
10756 ADD_TEST(test_ssl_ctx_build_cert_chain
);
10757 #ifndef OPENSSL_NO_TLS1_2
10758 ADD_TEST(test_client_hello_cb
);
10759 ADD_TEST(test_no_ems
);
10760 ADD_TEST(test_ccs_change_cipher
);
10762 #ifndef OSSL_NO_USABLE_TLS1_3
10763 ADD_ALL_TESTS(test_early_data_read_write
, 3);
10765 * We don't do replay tests for external PSK. Replay protection isn't used
10766 * in that scenario.
10768 ADD_ALL_TESTS(test_early_data_replay
, 2);
10769 ADD_ALL_TESTS(test_early_data_skip
, 3);
10770 ADD_ALL_TESTS(test_early_data_skip_hrr
, 3);
10771 ADD_ALL_TESTS(test_early_data_skip_hrr_fail
, 3);
10772 ADD_ALL_TESTS(test_early_data_skip_abort
, 3);
10773 ADD_ALL_TESTS(test_early_data_not_sent
, 3);
10774 ADD_ALL_TESTS(test_early_data_psk
, 8);
10775 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers
, 5);
10776 ADD_ALL_TESTS(test_early_data_not_expected
, 3);
10777 # ifndef OPENSSL_NO_TLS1_2
10778 ADD_ALL_TESTS(test_early_data_tls1_2
, 3);
10781 #ifndef OSSL_NO_USABLE_TLS1_3
10782 ADD_ALL_TESTS(test_set_ciphersuite
, 10);
10783 ADD_TEST(test_ciphersuite_change
);
10784 ADD_ALL_TESTS(test_tls13_ciphersuite
, 4);
10785 # ifdef OPENSSL_NO_PSK
10786 ADD_ALL_TESTS(test_tls13_psk
, 1);
10788 ADD_ALL_TESTS(test_tls13_psk
, 4);
10789 # endif /* OPENSSL_NO_PSK */
10790 # ifndef OPENSSL_NO_TLS1_2
10791 /* Test with both TLSv1.3 and 1.2 versions */
10792 ADD_ALL_TESTS(test_key_exchange
, 14);
10793 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10794 ADD_ALL_TESTS(test_negotiated_group
,
10795 4 * (OSSL_NELEM(ecdhe_kexch_groups
)
10796 + OSSL_NELEM(ffdhe_kexch_groups
)));
10799 /* Test with only TLSv1.3 versions */
10800 ADD_ALL_TESTS(test_key_exchange
, 12);
10802 ADD_ALL_TESTS(test_custom_exts
, 6);
10803 ADD_TEST(test_stateless
);
10804 ADD_TEST(test_pha_key_update
);
10806 ADD_ALL_TESTS(test_custom_exts
, 3);
10808 ADD_ALL_TESTS(test_export_key_mat
, 6);
10809 #ifndef OSSL_NO_USABLE_TLS1_3
10810 ADD_ALL_TESTS(test_export_key_mat_early
, 3);
10811 ADD_TEST(test_key_update
);
10812 ADD_ALL_TESTS(test_key_update_peer_in_write
, 2);
10813 ADD_ALL_TESTS(test_key_update_peer_in_read
, 2);
10814 ADD_ALL_TESTS(test_key_update_local_in_write
, 2);
10815 ADD_ALL_TESTS(test_key_update_local_in_read
, 2);
10817 ADD_ALL_TESTS(test_ssl_clear
, 2);
10818 ADD_ALL_TESTS(test_max_fragment_len_ext
, OSSL_NELEM(max_fragment_len_test
));
10819 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10820 ADD_ALL_TESTS(test_srp
, 6);
10822 #if !defined(OPENSSL_NO_COMP_ALG)
10823 /* Add compression case */
10824 ADD_ALL_TESTS(test_info_callback
, 8);
10826 ADD_ALL_TESTS(test_info_callback
, 6);
10828 ADD_ALL_TESTS(test_ssl_pending
, 2);
10829 ADD_ALL_TESTS(test_ssl_get_shared_ciphers
, OSSL_NELEM(shared_ciphers_data
));
10830 ADD_ALL_TESTS(test_ticket_callbacks
, 20);
10831 ADD_ALL_TESTS(test_shutdown
, 7);
10832 ADD_TEST(test_async_shutdown
);
10833 ADD_ALL_TESTS(test_incorrect_shutdown
, 2);
10834 ADD_ALL_TESTS(test_cert_cb
, 6);
10835 ADD_ALL_TESTS(test_client_cert_cb
, 2);
10836 ADD_ALL_TESTS(test_ca_names
, 3);
10837 #ifndef OPENSSL_NO_TLS1_2
10838 ADD_ALL_TESTS(test_multiblock_write
, OSSL_NELEM(multiblock_cipherlist_data
));
10840 ADD_ALL_TESTS(test_servername
, 10);
10841 #if !defined(OPENSSL_NO_EC) \
10842 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10843 ADD_ALL_TESTS(test_sigalgs_available
, 6);
10845 #ifndef OPENSSL_NO_TLS1_3
10846 ADD_ALL_TESTS(test_pluggable_group
, 2);
10848 #ifndef OPENSSL_NO_TLS1_2
10849 ADD_TEST(test_ssl_dup
);
10850 # ifndef OPENSSL_NO_DH
10851 ADD_ALL_TESTS(test_set_tmp_dh
, 11);
10852 ADD_ALL_TESTS(test_dh_auto
, 7);
10855 #ifndef OSSL_NO_USABLE_TLS1_3
10856 ADD_TEST(test_sni_tls13
);
10857 ADD_ALL_TESTS(test_ticket_lifetime
, 2);
10859 ADD_TEST(test_inherit_verify_param
);
10860 ADD_TEST(test_set_alpn
);
10861 ADD_TEST(test_set_verify_cert_store_ssl_ctx
);
10862 ADD_TEST(test_set_verify_cert_store_ssl
);
10863 ADD_ALL_TESTS(test_session_timeout
, 1);
10864 ADD_TEST(test_load_dhfile
);
10865 #ifndef OSSL_NO_USABLE_TLS1_3
10866 ADD_TEST(test_read_ahead_key_change
);
10867 ADD_ALL_TESTS(test_tls13_record_padding
, 4);
10869 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
10870 ADD_ALL_TESTS(test_serverinfo_custom
, 4);
10872 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10873 ADD_ALL_TESTS(test_pipelining
, 6);
10878 OPENSSL_free(cert
);
10879 OPENSSL_free(privkey
);
10880 OPENSSL_free(cert2
);
10881 OPENSSL_free(privkey2
);
10885 void cleanup_tests(void)
10887 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10888 EVP_PKEY_free(tmp_dh_params
);
10890 OPENSSL_free(cert
);
10891 OPENSSL_free(privkey
);
10892 OPENSSL_free(cert2
);
10893 OPENSSL_free(privkey2
);
10894 OPENSSL_free(cert1024
);
10895 OPENSSL_free(privkey1024
);
10896 OPENSSL_free(cert3072
);
10897 OPENSSL_free(privkey3072
);
10898 OPENSSL_free(cert4096
);
10899 OPENSSL_free(privkey4096
);
10900 OPENSSL_free(cert8192
);
10901 OPENSSL_free(privkey8192
);
10902 bio_s_mempacket_test_free();
10903 bio_s_always_retry_free();
10904 OSSL_PROVIDER_unload(defctxnull
);
10905 OSSL_LIB_CTX_free(libctx
);