2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
37 #include "helpers/ssltestlib.h"
39 #include "testutil/output.h"
40 #include "internal/nelem.h"
41 #include "internal/ktls.h"
42 #include "../ssl/ssl_local.h"
43 #include "../ssl/record/methods/recmethod_local.h"
44 #include "filterprov.h"
46 #undef OSSL_NO_USABLE_TLS1_3
47 #if defined(OPENSSL_NO_TLS1_3) \
48 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
50 * If we don't have ec or dh then there are no built-in groups that are usable
53 # define OSSL_NO_USABLE_TLS1_3
56 /* Defined in tls-provider.c */
57 int tls_provider_init(const OSSL_CORE_HANDLE
*handle
,
58 const OSSL_DISPATCH
*in
,
59 const OSSL_DISPATCH
**out
,
62 static OSSL_LIB_CTX
*libctx
= NULL
;
63 static OSSL_PROVIDER
*defctxnull
= NULL
;
65 #ifndef OSSL_NO_USABLE_TLS1_3
67 static SSL_SESSION
*clientpsk
= NULL
;
68 static SSL_SESSION
*serverpsk
= NULL
;
69 static const char *pskid
= "Identity";
70 static const char *srvid
;
72 static int use_session_cb(SSL
*ssl
, const EVP_MD
*md
, const unsigned char **id
,
73 size_t *idlen
, SSL_SESSION
**sess
);
74 static int find_session_cb(SSL
*ssl
, const unsigned char *identity
,
75 size_t identity_len
, SSL_SESSION
**sess
);
77 static int use_session_cb_cnt
= 0;
78 static int find_session_cb_cnt
= 0;
80 static SSL_SESSION
*create_a_psk(SSL
*ssl
);
83 static char *certsdir
= NULL
;
84 static char *cert
= NULL
;
85 static char *privkey
= NULL
;
86 static char *cert2
= NULL
;
87 static char *privkey2
= NULL
;
88 static char *cert1024
= NULL
;
89 static char *privkey1024
= NULL
;
90 static char *cert3072
= NULL
;
91 static char *privkey3072
= NULL
;
92 static char *cert4096
= NULL
;
93 static char *privkey4096
= NULL
;
94 static char *cert8192
= NULL
;
95 static char *privkey8192
= NULL
;
96 static char *srpvfile
= NULL
;
97 static char *tmpfilename
= NULL
;
98 static char *dhfile
= NULL
;
100 static int is_fips
= 0;
102 #define LOG_BUFFER_SIZE 2048
103 static char server_log_buffer
[LOG_BUFFER_SIZE
+ 1] = {0};
104 static size_t server_log_buffer_index
= 0;
105 static char client_log_buffer
[LOG_BUFFER_SIZE
+ 1] = {0};
106 static size_t client_log_buffer_index
= 0;
107 static int error_writing_log
= 0;
109 #ifndef OPENSSL_NO_OCSP
110 static const unsigned char orespder
[] = "Dummy OCSP Response";
111 static int ocsp_server_called
= 0;
112 static int ocsp_client_called
= 0;
114 static int cdummyarg
= 1;
115 static X509
*ocspcert
= NULL
;
118 #define NUM_EXTRA_CERTS 40
119 #define CLIENT_VERSION_LEN 2
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
125 struct sslapitest_log_counts
{
126 unsigned int rsa_key_exchange_count
;
127 unsigned int master_secret_count
;
128 unsigned int client_early_secret_count
;
129 unsigned int client_handshake_secret_count
;
130 unsigned int server_handshake_secret_count
;
131 unsigned int client_application_secret_count
;
132 unsigned int server_application_secret_count
;
133 unsigned int early_exporter_secret_count
;
134 unsigned int exporter_secret_count
;
138 static int hostname_cb(SSL
*s
, int *al
, void *arg
)
140 const char *hostname
= SSL_get_servername(s
, TLSEXT_NAMETYPE_host_name
);
142 if (hostname
!= NULL
&& (strcmp(hostname
, "goodhost") == 0
143 || strcmp(hostname
, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK
;
146 return SSL_TLSEXT_ERR_NOACK
;
149 static void client_keylog_callback(const SSL
*ssl
, const char *line
)
151 int line_length
= strlen(line
);
153 /* If the log doesn't fit, error out. */
154 if (client_log_buffer_index
+ line_length
> sizeof(client_log_buffer
) - 1) {
155 TEST_info("Client log too full");
156 error_writing_log
= 1;
160 strcat(client_log_buffer
, line
);
161 client_log_buffer_index
+= line_length
;
162 client_log_buffer
[client_log_buffer_index
++] = '\n';
165 static void server_keylog_callback(const SSL
*ssl
, const char *line
)
167 int line_length
= strlen(line
);
169 /* If the log doesn't fit, error out. */
170 if (server_log_buffer_index
+ line_length
> sizeof(server_log_buffer
) - 1) {
171 TEST_info("Server log too full");
172 error_writing_log
= 1;
176 strcat(server_log_buffer
, line
);
177 server_log_buffer_index
+= line_length
;
178 server_log_buffer
[server_log_buffer_index
++] = '\n';
181 static int compare_hex_encoded_buffer(const char *hex_encoded
,
189 if (!TEST_size_t_eq(raw_length
* 2, hex_length
))
192 for (i
= j
= 0; i
< raw_length
&& j
+ 1 < hex_length
; i
++, j
+= 2) {
193 sprintf(hexed
, "%02x", raw
[i
]);
194 if (!TEST_int_eq(hexed
[0], hex_encoded
[j
])
195 || !TEST_int_eq(hexed
[1], hex_encoded
[j
+ 1]))
202 static int test_keylog_output(char *buffer
, const SSL
*ssl
,
203 const SSL_SESSION
*session
,
204 struct sslapitest_log_counts
*expected
)
207 unsigned char actual_client_random
[SSL3_RANDOM_SIZE
] = {0};
208 size_t client_random_size
= SSL3_RANDOM_SIZE
;
209 unsigned char actual_master_key
[SSL_MAX_MASTER_KEY_LENGTH
] = {0};
210 size_t master_key_size
= SSL_MAX_MASTER_KEY_LENGTH
;
211 unsigned int rsa_key_exchange_count
= 0;
212 unsigned int master_secret_count
= 0;
213 unsigned int client_early_secret_count
= 0;
214 unsigned int client_handshake_secret_count
= 0;
215 unsigned int server_handshake_secret_count
= 0;
216 unsigned int client_application_secret_count
= 0;
217 unsigned int server_application_secret_count
= 0;
218 unsigned int early_exporter_secret_count
= 0;
219 unsigned int exporter_secret_count
= 0;
221 for (token
= strtok(buffer
, " \n"); token
!= NULL
;
222 token
= strtok(NULL
, " \n")) {
223 if (strcmp(token
, "RSA") == 0) {
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
226 * hex-encoded encrypted secret, then the hex-encoded pre-master
229 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
231 if (!TEST_size_t_eq(strlen(token
), 16))
233 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
240 rsa_key_exchange_count
++;
241 } else if (strcmp(token
, "CLIENT_RANDOM") == 0) {
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
244 * client random, then the hex-encoded master secret.
246 client_random_size
= SSL_get_client_random(ssl
,
247 actual_client_random
,
249 if (!TEST_size_t_eq(client_random_size
, SSL3_RANDOM_SIZE
))
252 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
254 if (!TEST_size_t_eq(strlen(token
), 64))
256 if (!TEST_false(compare_hex_encoded_buffer(token
, 64,
257 actual_client_random
,
258 client_random_size
)))
261 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
263 master_key_size
= SSL_SESSION_get_master_key(session
,
266 if (!TEST_size_t_ne(master_key_size
, 0))
268 if (!TEST_false(compare_hex_encoded_buffer(token
, strlen(token
),
272 master_secret_count
++;
273 } else if (strcmp(token
, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token
, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
275 || strcmp(token
, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token
, "CLIENT_TRAFFIC_SECRET_0") == 0
277 || strcmp(token
, "SERVER_TRAFFIC_SECRET_0") == 0
278 || strcmp(token
, "EARLY_EXPORTER_SECRET") == 0
279 || strcmp(token
, "EXPORTER_SECRET") == 0) {
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
286 if (strcmp(token
, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count
++;
288 else if (strcmp(token
, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
289 client_handshake_secret_count
++;
290 else if (strcmp(token
, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count
++;
292 else if (strcmp(token
, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count
++;
294 else if (strcmp(token
, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count
++;
296 else if (strcmp(token
, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count
++;
298 else if (strcmp(token
, "EXPORTER_SECRET") == 0)
299 exporter_secret_count
++;
301 client_random_size
= SSL_get_client_random(ssl
,
302 actual_client_random
,
304 if (!TEST_size_t_eq(client_random_size
, SSL3_RANDOM_SIZE
))
307 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
309 if (!TEST_size_t_eq(strlen(token
), 64))
311 if (!TEST_false(compare_hex_encoded_buffer(token
, 64,
312 actual_client_random
,
313 client_random_size
)))
316 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
319 TEST_info("Unexpected token %s\n", token
);
324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count
,
326 expected
->rsa_key_exchange_count
)
327 || !TEST_size_t_eq(master_secret_count
,
328 expected
->master_secret_count
)
329 || !TEST_size_t_eq(client_early_secret_count
,
330 expected
->client_early_secret_count
)
331 || !TEST_size_t_eq(client_handshake_secret_count
,
332 expected
->client_handshake_secret_count
)
333 || !TEST_size_t_eq(server_handshake_secret_count
,
334 expected
->server_handshake_secret_count
)
335 || !TEST_size_t_eq(client_application_secret_count
,
336 expected
->client_application_secret_count
)
337 || !TEST_size_t_eq(server_application_secret_count
,
338 expected
->server_application_secret_count
)
339 || !TEST_size_t_eq(early_exporter_secret_count
,
340 expected
->early_exporter_secret_count
)
341 || !TEST_size_t_eq(exporter_secret_count
,
342 expected
->exporter_secret_count
))
347 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
348 static int test_keylog(void)
350 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
351 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
353 struct sslapitest_log_counts expected
;
355 /* Clean up logging space */
356 memset(&expected
, 0, sizeof(expected
));
357 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
358 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
359 client_log_buffer_index
= 0;
360 server_log_buffer_index
= 0;
361 error_writing_log
= 0;
363 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
366 &sctx
, &cctx
, cert
, privkey
)))
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx
, SSL_OP_NO_TLSv1_3
);
371 SSL_CTX_set_options(sctx
, SSL_OP_NO_TLSv1_3
);
373 /* We also want to ensure that we use RSA-based key exchange. */
374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "RSA")))
377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
) == NULL
)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx
) == NULL
))
380 SSL_CTX_set_keylog_callback(cctx
, client_keylog_callback
);
381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
)
382 == client_keylog_callback
))
384 SSL_CTX_set_keylog_callback(sctx
, server_keylog_callback
);
385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx
)
386 == server_keylog_callback
))
389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
391 &clientssl
, NULL
, NULL
))
392 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
394 || !TEST_false(error_writing_log
)
395 || !TEST_int_gt(client_log_buffer_index
, 0)
396 || !TEST_int_gt(server_log_buffer_index
, 0))
400 * Now we want to test that our output data was vaguely sensible. We
401 * do that by using strtok and confirming that we have more or less the
402 * data we expect. For both client and server, we expect to see one master
403 * secret. The client should also see a RSA key exchange.
405 expected
.rsa_key_exchange_count
= 1;
406 expected
.master_secret_count
= 1;
407 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
408 SSL_get_session(clientssl
), &expected
)))
411 expected
.rsa_key_exchange_count
= 0;
412 if (!TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
413 SSL_get_session(serverssl
), &expected
)))
428 #ifndef OSSL_NO_USABLE_TLS1_3
429 static int test_keylog_no_master_key(void)
431 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
432 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
433 SSL_SESSION
*sess
= NULL
;
435 struct sslapitest_log_counts expected
;
436 unsigned char buf
[1];
437 size_t readbytes
, written
;
439 /* Clean up logging space */
440 memset(&expected
, 0, sizeof(expected
));
441 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
442 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
443 client_log_buffer_index
= 0;
444 server_log_buffer_index
= 0;
445 error_writing_log
= 0;
447 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION
, 0,
449 &sctx
, &cctx
, cert
, privkey
))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx
,
451 SSL3_RT_MAX_PLAIN_LENGTH
)))
454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
) == NULL
)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx
) == NULL
))
458 SSL_CTX_set_keylog_callback(cctx
, client_keylog_callback
);
459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
)
460 == client_keylog_callback
))
463 SSL_CTX_set_keylog_callback(sctx
, server_keylog_callback
);
464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx
)
465 == server_keylog_callback
))
468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
470 &clientssl
, NULL
, NULL
))
471 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
473 || !TEST_false(error_writing_log
))
477 * Now we want to test that our output data was vaguely sensible. For this
478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
479 * TLSv1.3, but we do expect both client and server to emit keys.
481 expected
.client_handshake_secret_count
= 1;
482 expected
.server_handshake_secret_count
= 1;
483 expected
.client_application_secret_count
= 1;
484 expected
.server_application_secret_count
= 1;
485 expected
.exporter_secret_count
= 1;
486 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
487 SSL_get_session(clientssl
), &expected
))
488 || !TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
489 SSL_get_session(serverssl
),
493 /* Terminate old session and resume with early data. */
494 sess
= SSL_get1_session(clientssl
);
495 SSL_shutdown(clientssl
);
496 SSL_shutdown(serverssl
);
499 serverssl
= clientssl
= NULL
;
502 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
503 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
504 client_log_buffer_index
= 0;
505 server_log_buffer_index
= 0;
507 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
508 &clientssl
, NULL
, NULL
))
509 || !TEST_true(SSL_set_session(clientssl
, sess
))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl
, NULL
, 0, &written
))
512 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
514 SSL_READ_EARLY_DATA_ERROR
)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
516 SSL_EARLY_DATA_ACCEPTED
)
517 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
519 || !TEST_true(SSL_session_reused(clientssl
)))
522 /* In addition to the previous entries, expect early secrets. */
523 expected
.client_early_secret_count
= 1;
524 expected
.early_exporter_secret_count
= 1;
525 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
526 SSL_get_session(clientssl
), &expected
))
527 || !TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
528 SSL_get_session(serverssl
),
535 SSL_SESSION_free(sess
);
545 static int verify_retry_cb(X509_STORE_CTX
*ctx
, void *arg
)
547 int res
= X509_verify_cert(ctx
);
548 int idx
= SSL_get_ex_data_X509_STORE_CTX_idx();
551 /* this should not happen but check anyway */
553 || (ssl
= X509_STORE_CTX_get_ex_data(ctx
, idx
)) == NULL
)
556 if (res
== 0 && X509_STORE_CTX_get_error(ctx
) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
)
558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl
);
564 static int test_client_cert_verify_cb(void)
566 /* server key, cert, chain, and root */
567 char *skey
= test_mk_file_path(certsdir
, "leaf.key");
568 char *leaf
= test_mk_file_path(certsdir
, "leaf.pem");
569 char *int2
= test_mk_file_path(certsdir
, "subinterCA.pem");
570 char *int1
= test_mk_file_path(certsdir
, "interCA.pem");
571 char *root
= test_mk_file_path(certsdir
, "rootCA.pem");
572 X509
*crt1
= NULL
, *crt2
= NULL
;
573 STACK_OF(X509
) *server_chain
;
574 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
575 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
578 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION
, 0,
580 &sctx
, &cctx
, NULL
, NULL
)))
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx
, leaf
), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx
, skey
,
584 SSL_FILETYPE_PEM
), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx
), 1))
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx
, root
, NULL
)))
589 SSL_CTX_set_verify(cctx
, SSL_VERIFY_PEER
, NULL
);
590 SSL_CTX_set_cert_verify_callback(cctx
, verify_retry_cb
, NULL
);
591 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
592 &clientssl
, NULL
, NULL
)))
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl
, clientssl
,
597 SSL_ERROR_WANT_RETRY_VERIFY
)))
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1
= load_cert_pem(int1
, libctx
)))
602 || !TEST_ptr((crt2
= load_cert_pem(int2
, libctx
)))
603 || !TEST_ptr((server_chain
= SSL_get_peer_cert_chain(clientssl
))))
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain
, crt1
)))
609 if (!TEST_true(sk_X509_push(server_chain
, crt2
)))
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
623 if (clientssl
!= NULL
) {
624 SSL_shutdown(clientssl
);
627 if (serverssl
!= NULL
) {
628 SSL_shutdown(serverssl
);
643 static int test_ssl_build_cert_chain(void)
646 SSL_CTX
*ssl_ctx
= NULL
;
648 char *skey
= test_mk_file_path(certsdir
, "leaf.key");
649 char *leaf_chain
= test_mk_file_path(certsdir
, "leaf-chain.pem");
651 if (!TEST_ptr(ssl_ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method())))
653 if (!TEST_ptr(ssl
= SSL_new(ssl_ctx
)))
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl
, leaf_chain
), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl
, skey
, SSL_FILETYPE_PEM
), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl
), 1))
660 if (!TEST_true(SSL_build_cert_chain(ssl
, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK
)))
666 SSL_CTX_free(ssl_ctx
);
667 OPENSSL_free(leaf_chain
);
672 static int get_password_cb(char *buf
, int size
, int rw_flag
, void *userdata
)
674 static const char pass
[] = "testpass";
676 if (!TEST_int_eq(size
, PEM_BUFSIZE
))
679 memcpy(buf
, pass
, sizeof(pass
) - 1);
680 return sizeof(pass
) - 1;
683 static int test_ssl_ctx_build_cert_chain(void)
687 char *skey
= test_mk_file_path(certsdir
, "leaf-encrypted.key");
688 char *leaf_chain
= test_mk_file_path(certsdir
, "leaf-chain.pem");
690 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method())))
692 SSL_CTX_set_default_passwd_cb(ctx
, get_password_cb
);
693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx
, leaf_chain
), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx
, skey
,
696 SSL_FILETYPE_PEM
), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx
), 1))
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx
, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK
)))
705 OPENSSL_free(leaf_chain
);
710 #ifndef OPENSSL_NO_TLS1_2
711 static int full_client_hello_callback(SSL
*s
, int *al
, void *arg
)
714 const unsigned char *p
;
716 /* We only configure two ciphers, but the SCSV is added automatically. */
718 const unsigned char expected_ciphers
[] = {0x00, 0x9d, 0x00, 0xff};
720 const unsigned char expected_ciphers
[] = {0x00, 0x9d, 0xc0,
723 const int expected_extensions
[] = {
724 #ifndef OPENSSL_NO_EC
730 /* Make sure we can defer processing and get called back. */
732 return SSL_CLIENT_HELLO_RETRY
;
734 len
= SSL_client_hello_get0_ciphers(s
, &p
);
735 if (!TEST_mem_eq(p
, len
, expected_ciphers
, sizeof(expected_ciphers
))
737 SSL_client_hello_get0_compression_methods(s
, &p
), 1)
738 || !TEST_int_eq(*p
, 0))
739 return SSL_CLIENT_HELLO_ERROR
;
740 if (!SSL_client_hello_get1_extensions_present(s
, &exts
, &len
))
741 return SSL_CLIENT_HELLO_ERROR
;
742 if (len
!= OSSL_NELEM(expected_extensions
) ||
743 memcmp(exts
, expected_extensions
, len
* sizeof(*exts
)) != 0) {
744 printf("ClientHello callback expected extensions mismatch\n");
746 return SSL_CLIENT_HELLO_ERROR
;
749 return SSL_CLIENT_HELLO_SUCCESS
;
752 static int test_client_hello_cb(void)
754 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
755 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
756 int testctr
= 0, testresult
= 0;
758 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION
, 0,
760 &sctx
, &cctx
, cert
, privkey
)))
762 SSL_CTX_set_client_hello_cb(sctx
, full_client_hello_callback
, &testctr
);
764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
770 &clientssl
, NULL
, NULL
))
771 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
772 SSL_ERROR_WANT_CLIENT_HELLO_CB
))
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
777 || !TEST_int_eq(SSL_get_error(serverssl
, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB
)
779 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
794 static int test_no_ems(void)
796 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
797 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
800 if (!create_ssl_ctx_pair(libctx
, TLS_server_method(), TLS_client_method(),
801 TLS1_VERSION
, TLS1_2_VERSION
,
802 &sctx
, &cctx
, cert
, privkey
)) {
803 printf("Unable to create SSL_CTX pair\n");
807 SSL_CTX_set_options(sctx
, SSL_OP_NO_EXTENDED_MASTER_SECRET
);
809 if (!create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
, NULL
)) {
810 printf("Unable to create SSL objects\n");
814 if (!create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)) {
815 printf("Creating SSL connection failed\n");
819 if (SSL_get_extms_support(serverssl
)) {
820 printf("Server reports Extended Master Secret support\n");
824 if (SSL_get_extms_support(clientssl
)) {
825 printf("Client reports Extended Master Secret support\n");
840 * Very focused test to exercise a single case in the server-side state
841 * machine, when the ChangeCipherState message needs to actually change
842 * from one cipher to a different cipher (i.e., not changing from null
843 * encryption to real encryption).
845 static int test_ccs_change_cipher(void)
847 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
848 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
849 SSL_SESSION
*sess
= NULL
, *sesspre
, *sesspost
;
856 * Create a connection so we can resume and potentially (but not) use
857 * a different cipher in the second connection.
859 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
861 TLS1_VERSION
, TLS1_2_VERSION
,
862 &sctx
, &cctx
, cert
, privkey
))
863 || !TEST_true(SSL_CTX_set_options(sctx
, SSL_OP_NO_TICKET
))
864 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
866 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES128-GCM-SHA256"))
867 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
869 || !TEST_ptr(sesspre
= SSL_get0_session(serverssl
))
870 || !TEST_ptr(sess
= SSL_get1_session(clientssl
)))
873 shutdown_ssl_connection(serverssl
, clientssl
);
874 serverssl
= clientssl
= NULL
;
876 /* Resume, preferring a different cipher. Our server will force the
877 * same cipher to be used as the initial handshake. */
878 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
880 || !TEST_true(SSL_set_session(clientssl
, sess
))
881 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
882 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
884 || !TEST_true(SSL_session_reused(clientssl
))
885 || !TEST_true(SSL_session_reused(serverssl
))
886 || !TEST_ptr(sesspost
= SSL_get0_session(serverssl
))
887 || !TEST_ptr_eq(sesspre
, sesspost
)
888 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256
,
889 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl
))))
891 shutdown_ssl_connection(serverssl
, clientssl
);
892 serverssl
= clientssl
= NULL
;
895 * Now create a fresh connection and try to renegotiate a different
898 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
900 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES128-GCM-SHA256"))
901 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
903 || !TEST_ptr(sesspre
= SSL_get0_session(serverssl
))
904 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384"))
905 || !TEST_true(SSL_renegotiate(clientssl
))
906 || !TEST_true(SSL_renegotiate_pending(clientssl
)))
908 /* Actually drive the renegotiation. */
909 for (i
= 0; i
< 3; i
++) {
910 if (SSL_read_ex(clientssl
, &buf
, sizeof(buf
), &readbytes
) > 0) {
911 if (!TEST_ulong_eq(readbytes
, 0))
913 } else if (!TEST_int_eq(SSL_get_error(clientssl
, 0),
914 SSL_ERROR_WANT_READ
)) {
917 if (SSL_read_ex(serverssl
, &buf
, sizeof(buf
), &readbytes
) > 0) {
918 if (!TEST_ulong_eq(readbytes
, 0))
920 } else if (!TEST_int_eq(SSL_get_error(serverssl
, 0),
921 SSL_ERROR_WANT_READ
)) {
925 /* sesspre and sesspost should be different since the cipher changed. */
926 if (!TEST_false(SSL_renegotiate_pending(clientssl
))
927 || !TEST_false(SSL_session_reused(clientssl
))
928 || !TEST_false(SSL_session_reused(serverssl
))
929 || !TEST_ptr(sesspost
= SSL_get0_session(serverssl
))
930 || !TEST_ptr_ne(sesspre
, sesspost
)
931 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384
,
932 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl
))))
935 shutdown_ssl_connection(serverssl
, clientssl
);
936 serverssl
= clientssl
= NULL
;
945 SSL_SESSION_free(sess
);
951 static int execute_test_large_message(const SSL_METHOD
*smeth
,
952 const SSL_METHOD
*cmeth
,
953 int min_version
, int max_version
,
956 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
957 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
961 X509
*chaincert
= NULL
;
964 if (!TEST_ptr(certbio
= BIO_new_file(cert
, "r")))
967 if (!TEST_ptr(chaincert
= X509_new_ex(libctx
, NULL
)))
970 if (PEM_read_bio_X509(certbio
, &chaincert
, NULL
, NULL
) == NULL
)
975 if (!TEST_true(create_ssl_ctx_pair(libctx
, smeth
, cmeth
, min_version
,
976 max_version
, &sctx
, &cctx
, cert
,
980 #ifdef OPENSSL_NO_DTLS1_2
981 if (smeth
== DTLS_server_method()) {
983 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
986 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0"))
987 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
988 "DEFAULT:@SECLEVEL=0")))
995 * Test that read_ahead works correctly when dealing with large
998 SSL_CTX_set_read_ahead(cctx
, 1);
1002 * We assume the supplied certificate is big enough so that if we add
1003 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1004 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1005 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1006 * test we need to have a message larger than that.
1008 certlen
= i2d_X509(chaincert
, NULL
);
1009 OPENSSL_assert(certlen
* NUM_EXTRA_CERTS
>
1010 (SSL3_RT_MAX_PLAIN_LENGTH
* 4) / 3);
1011 for (i
= 0; i
< NUM_EXTRA_CERTS
; i
++) {
1012 if (!X509_up_ref(chaincert
))
1014 if (!SSL_CTX_add_extra_chain_cert(sctx
, chaincert
)) {
1015 X509_free(chaincert
);
1020 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
1022 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
1027 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1030 if (!TEST_true(SSL_clear(serverssl
)))
1036 X509_free(chaincert
);
1037 SSL_free(serverssl
);
1038 SSL_free(clientssl
);
1045 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1046 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1047 /* sock must be connected */
1048 static int ktls_chk_platform(int sock
)
1050 if (!ktls_enable(sock
))
1055 static int ping_pong_query(SSL
*clientssl
, SSL
*serverssl
)
1057 static char count
= 1;
1058 unsigned char cbuf
[16000] = {0};
1059 unsigned char sbuf
[16000];
1061 char crec_wseq_before
[SEQ_NUM_SIZE
];
1062 char crec_wseq_after
[SEQ_NUM_SIZE
];
1063 char crec_rseq_before
[SEQ_NUM_SIZE
];
1064 char crec_rseq_after
[SEQ_NUM_SIZE
];
1065 char srec_wseq_before
[SEQ_NUM_SIZE
];
1066 char srec_wseq_after
[SEQ_NUM_SIZE
];
1067 char srec_rseq_before
[SEQ_NUM_SIZE
];
1068 char srec_rseq_after
[SEQ_NUM_SIZE
];
1069 SSL_CONNECTION
*clientsc
, *serversc
;
1071 if (!TEST_ptr(clientsc
= SSL_CONNECTION_FROM_SSL_ONLY(clientssl
))
1072 || !TEST_ptr(serversc
= SSL_CONNECTION_FROM_SSL_ONLY(serverssl
)))
1076 memcpy(crec_wseq_before
, &clientsc
->rlayer
.wrl
->sequence
, SEQ_NUM_SIZE
);
1077 memcpy(srec_wseq_before
, &serversc
->rlayer
.wrl
->sequence
, SEQ_NUM_SIZE
);
1078 memcpy(crec_rseq_before
, &clientsc
->rlayer
.rrl
->sequence
, SEQ_NUM_SIZE
);
1079 memcpy(srec_rseq_before
, &serversc
->rlayer
.rrl
->sequence
, SEQ_NUM_SIZE
);
1081 if (!TEST_true(SSL_write(clientssl
, cbuf
, sizeof(cbuf
)) == sizeof(cbuf
)))
1084 while ((err
= SSL_read(serverssl
, &sbuf
, sizeof(sbuf
))) != sizeof(sbuf
)) {
1085 if (SSL_get_error(serverssl
, err
) != SSL_ERROR_WANT_READ
) {
1090 if (!TEST_true(SSL_write(serverssl
, sbuf
, sizeof(sbuf
)) == sizeof(sbuf
)))
1093 while ((err
= SSL_read(clientssl
, &cbuf
, sizeof(cbuf
))) != sizeof(cbuf
)) {
1094 if (SSL_get_error(clientssl
, err
) != SSL_ERROR_WANT_READ
) {
1099 memcpy(crec_wseq_after
, &clientsc
->rlayer
.wrl
->sequence
, SEQ_NUM_SIZE
);
1100 memcpy(srec_wseq_after
, &serversc
->rlayer
.wrl
->sequence
, SEQ_NUM_SIZE
);
1101 memcpy(crec_rseq_after
, &clientsc
->rlayer
.rrl
->sequence
, SEQ_NUM_SIZE
);
1102 memcpy(srec_rseq_after
, &serversc
->rlayer
.rrl
->sequence
, SEQ_NUM_SIZE
);
1104 /* verify the payload */
1105 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(sbuf
)))
1109 * If ktls is used then kernel sequences are used instead of
1112 if (!BIO_get_ktls_send(clientsc
->wbio
)) {
1113 if (!TEST_mem_ne(crec_wseq_before
, SEQ_NUM_SIZE
,
1114 crec_wseq_after
, SEQ_NUM_SIZE
))
1117 if (!TEST_mem_eq(crec_wseq_before
, SEQ_NUM_SIZE
,
1118 crec_wseq_after
, SEQ_NUM_SIZE
))
1122 if (!BIO_get_ktls_send(serversc
->wbio
)) {
1123 if (!TEST_mem_ne(srec_wseq_before
, SEQ_NUM_SIZE
,
1124 srec_wseq_after
, SEQ_NUM_SIZE
))
1127 if (!TEST_mem_eq(srec_wseq_before
, SEQ_NUM_SIZE
,
1128 srec_wseq_after
, SEQ_NUM_SIZE
))
1132 if (!BIO_get_ktls_recv(clientsc
->wbio
)) {
1133 if (!TEST_mem_ne(crec_rseq_before
, SEQ_NUM_SIZE
,
1134 crec_rseq_after
, SEQ_NUM_SIZE
))
1137 if (!TEST_mem_eq(crec_rseq_before
, SEQ_NUM_SIZE
,
1138 crec_rseq_after
, SEQ_NUM_SIZE
))
1142 if (!BIO_get_ktls_recv(serversc
->wbio
)) {
1143 if (!TEST_mem_ne(srec_rseq_before
, SEQ_NUM_SIZE
,
1144 srec_rseq_after
, SEQ_NUM_SIZE
))
1147 if (!TEST_mem_eq(srec_rseq_before
, SEQ_NUM_SIZE
,
1148 srec_rseq_after
, SEQ_NUM_SIZE
))
1157 static int execute_test_ktls(int cis_ktls
, int sis_ktls
,
1158 int tls_version
, const char *cipher
)
1160 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1161 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1162 int ktls_used
= 0, testresult
= 0;
1163 int cfd
= -1, sfd
= -1;
1165 SSL_CONNECTION
*clientsc
, *serversc
;
1167 if (!TEST_true(create_test_sockets(&cfd
, &sfd
)))
1170 /* Skip this test if the platform does not support ktls */
1171 if (!ktls_chk_platform(cfd
)) {
1172 testresult
= TEST_skip("Kernel does not support KTLS");
1176 if (is_fips
&& strstr(cipher
, "CHACHA") != NULL
) {
1177 testresult
= TEST_skip("CHACHA is not supported in FIPS");
1181 /* Create a session based on SHA-256 */
1182 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1183 TLS_client_method(),
1184 tls_version
, tls_version
,
1185 &sctx
, &cctx
, cert
, privkey
)))
1188 if (tls_version
== TLS1_3_VERSION
) {
1189 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, cipher
))
1190 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
, cipher
)))
1193 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipher
))
1194 || !TEST_true(SSL_CTX_set_cipher_list(sctx
, cipher
)))
1198 if (!TEST_true(create_ssl_objects2(sctx
, cctx
, &serverssl
,
1199 &clientssl
, sfd
, cfd
)))
1202 if (!TEST_ptr(clientsc
= SSL_CONNECTION_FROM_SSL_ONLY(clientssl
))
1203 || !TEST_ptr(serversc
= SSL_CONNECTION_FROM_SSL_ONLY(serverssl
)))
1207 if (!TEST_true(SSL_set_options(clientssl
, SSL_OP_ENABLE_KTLS
)))
1212 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_ENABLE_KTLS
)))
1216 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
1220 * The running kernel may not support a given cipher suite
1221 * or direction, so just check that KTLS isn't used when it
1225 if (!TEST_false(BIO_get_ktls_send(clientsc
->wbio
)))
1228 if (BIO_get_ktls_send(clientsc
->wbio
))
1233 if (!TEST_false(BIO_get_ktls_send(serversc
->wbio
)))
1236 if (BIO_get_ktls_send(serversc
->wbio
))
1240 #if defined(OPENSSL_NO_KTLS_RX)
1245 if (!cis_ktls
|| !rx_supported
) {
1246 if (!TEST_false(BIO_get_ktls_recv(clientsc
->rbio
)))
1249 if (BIO_get_ktls_send(clientsc
->rbio
))
1253 if (!sis_ktls
|| !rx_supported
) {
1254 if (!TEST_false(BIO_get_ktls_recv(serversc
->rbio
)))
1257 if (BIO_get_ktls_send(serversc
->rbio
))
1261 if ((cis_ktls
|| sis_ktls
) && !ktls_used
) {
1262 testresult
= TEST_skip("KTLS not supported for %s cipher %s",
1263 tls_version
== TLS1_3_VERSION
? "TLS 1.3" :
1268 if (!TEST_true(ping_pong_query(clientssl
, serverssl
)))
1274 SSL_shutdown(clientssl
);
1275 SSL_free(clientssl
);
1278 SSL_shutdown(serverssl
);
1279 SSL_free(serverssl
);
1283 serverssl
= clientssl
= NULL
;
1291 #define SENDFILE_SZ (16 * 4096)
1292 #define SENDFILE_CHUNK (4 * 4096)
1293 #define min(a,b) ((a) > (b) ? (b) : (a))
1295 static int execute_test_ktls_sendfile(int tls_version
, const char *cipher
)
1297 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1298 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1299 unsigned char *buf
, *buf_dst
;
1300 BIO
*out
= NULL
, *in
= NULL
;
1301 int cfd
= -1, sfd
= -1, ffd
, err
;
1302 ssize_t chunk_size
= 0;
1303 off_t chunk_off
= 0;
1306 SSL_CONNECTION
*serversc
;
1308 buf
= OPENSSL_zalloc(SENDFILE_SZ
);
1309 buf_dst
= OPENSSL_zalloc(SENDFILE_SZ
);
1310 if (!TEST_ptr(buf
) || !TEST_ptr(buf_dst
)
1311 || !TEST_true(create_test_sockets(&cfd
, &sfd
)))
1314 /* Skip this test if the platform does not support ktls */
1315 if (!ktls_chk_platform(sfd
)) {
1316 testresult
= TEST_skip("Kernel does not support KTLS");
1320 if (is_fips
&& strstr(cipher
, "CHACHA") != NULL
) {
1321 testresult
= TEST_skip("CHACHA is not supported in FIPS");
1325 /* Create a session based on SHA-256 */
1326 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1327 TLS_client_method(),
1328 tls_version
, tls_version
,
1329 &sctx
, &cctx
, cert
, privkey
)))
1332 if (tls_version
== TLS1_3_VERSION
) {
1333 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, cipher
))
1334 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
, cipher
)))
1337 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipher
))
1338 || !TEST_true(SSL_CTX_set_cipher_list(sctx
, cipher
)))
1342 if (!TEST_true(create_ssl_objects2(sctx
, cctx
, &serverssl
,
1343 &clientssl
, sfd
, cfd
)))
1346 if (!TEST_ptr(serversc
= SSL_CONNECTION_FROM_SSL_ONLY(serverssl
)))
1349 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_ENABLE_KTLS
)))
1352 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1356 if (!BIO_get_ktls_send(serversc
->wbio
)) {
1357 testresult
= TEST_skip("Failed to enable KTLS for %s cipher %s",
1358 tls_version
== TLS1_3_VERSION
? "TLS 1.3" :
1363 if (!TEST_int_gt(RAND_bytes_ex(libctx
, buf
, SENDFILE_SZ
, 0), 0))
1366 out
= BIO_new_file(tmpfilename
, "wb");
1370 if (BIO_write(out
, buf
, SENDFILE_SZ
) != SENDFILE_SZ
)
1375 in
= BIO_new_file(tmpfilename
, "rb");
1376 BIO_get_fp(in
, &ffdp
);
1379 while (chunk_off
< SENDFILE_SZ
) {
1380 chunk_size
= min(SENDFILE_CHUNK
, SENDFILE_SZ
- chunk_off
);
1381 while ((err
= SSL_sendfile(serverssl
,
1385 0)) != chunk_size
) {
1386 if (SSL_get_error(serverssl
, err
) != SSL_ERROR_WANT_WRITE
)
1389 while ((err
= SSL_read(clientssl
,
1390 buf_dst
+ chunk_off
,
1391 chunk_size
)) != chunk_size
) {
1392 if (SSL_get_error(clientssl
, err
) != SSL_ERROR_WANT_READ
)
1396 /* verify the payload */
1397 if (!TEST_mem_eq(buf_dst
+ chunk_off
,
1403 chunk_off
+= chunk_size
;
1409 SSL_shutdown(clientssl
);
1410 SSL_free(clientssl
);
1413 SSL_shutdown(serverssl
);
1414 SSL_free(serverssl
);
1418 serverssl
= clientssl
= NULL
;
1426 OPENSSL_free(buf_dst
);
1430 static struct ktls_test_cipher
{
1433 } ktls_test_ciphers
[] = {
1434 # if !defined(OPENSSL_NO_TLS1_2)
1435 # ifdef OPENSSL_KTLS_AES_GCM_128
1436 { TLS1_2_VERSION
, "AES128-GCM-SHA256" },
1438 # ifdef OPENSSL_KTLS_AES_CCM_128
1439 { TLS1_2_VERSION
, "AES128-CCM"},
1441 # ifdef OPENSSL_KTLS_AES_GCM_256
1442 { TLS1_2_VERSION
, "AES256-GCM-SHA384"},
1444 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1445 { TLS1_2_VERSION
, "ECDHE-RSA-CHACHA20-POLY1305"},
1448 # if !defined(OSSL_NO_USABLE_TLS1_3)
1449 # ifdef OPENSSL_KTLS_AES_GCM_128
1450 { TLS1_3_VERSION
, "TLS_AES_128_GCM_SHA256" },
1452 # ifdef OPENSSL_KTLS_AES_CCM_128
1453 { TLS1_3_VERSION
, "TLS_AES_128_CCM_SHA256" },
1455 # ifdef OPENSSL_KTLS_AES_GCM_256
1456 { TLS1_3_VERSION
, "TLS_AES_256_GCM_SHA384" },
1458 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1459 { TLS1_3_VERSION
, "TLS_CHACHA20_POLY1305_SHA256" },
1464 #define NUM_KTLS_TEST_CIPHERS \
1465 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1467 static int test_ktls(int test
)
1469 struct ktls_test_cipher
*cipher
;
1470 int cis_ktls
, sis_ktls
;
1472 OPENSSL_assert(test
/ 4 < (int)NUM_KTLS_TEST_CIPHERS
);
1473 cipher
= &ktls_test_ciphers
[test
/ 4];
1475 cis_ktls
= (test
& 1) != 0;
1476 sis_ktls
= (test
& 2) != 0;
1478 return execute_test_ktls(cis_ktls
, sis_ktls
, cipher
->tls_version
,
1482 static int test_ktls_sendfile(int tst
)
1484 struct ktls_test_cipher
*cipher
;
1486 OPENSSL_assert(tst
< (int)NUM_KTLS_TEST_CIPHERS
);
1487 cipher
= &ktls_test_ciphers
[tst
];
1489 return execute_test_ktls_sendfile(cipher
->tls_version
, cipher
->cipher
);
1493 static int test_large_message_tls(void)
1495 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1496 TLS1_VERSION
, 0, 0);
1499 static int test_large_message_tls_read_ahead(void)
1501 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1502 TLS1_VERSION
, 0, 1);
1505 #ifndef OPENSSL_NO_DTLS
1506 static int test_large_message_dtls(void)
1508 # ifdef OPENSSL_NO_DTLS1_2
1509 /* Not supported in the FIPS provider */
1514 * read_ahead is not relevant to DTLS because DTLS always acts as if
1515 * read_ahead is set.
1517 return execute_test_large_message(DTLS_server_method(),
1518 DTLS_client_method(),
1519 DTLS1_VERSION
, 0, 0);
1523 static int execute_cleanse_plaintext(const SSL_METHOD
*smeth
,
1524 const SSL_METHOD
*cmeth
,
1525 int min_version
, int max_version
)
1528 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1529 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1532 SSL_CONNECTION
*serversc
;
1535 static unsigned char cbuf
[16000];
1536 static unsigned char sbuf
[16000];
1538 if (!TEST_true(create_ssl_ctx_pair(libctx
,
1540 min_version
, max_version
,
1545 #ifdef OPENSSL_NO_DTLS1_2
1546 if (smeth
== DTLS_server_method()) {
1547 # ifdef OPENSSL_NO_DTLS1_2
1548 /* Not supported in the FIPS provider */
1555 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1558 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0"))
1559 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
1560 "DEFAULT:@SECLEVEL=0")))
1565 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
1569 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_CLEANSE_PLAINTEXT
)))
1572 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1576 for (i
= 0; i
< sizeof(cbuf
); i
++) {
1580 if (!TEST_int_eq(SSL_write(clientssl
, cbuf
, sizeof(cbuf
)), sizeof(cbuf
)))
1583 if (!TEST_int_eq(SSL_peek(serverssl
, &sbuf
, sizeof(sbuf
)), sizeof(sbuf
)))
1586 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(sbuf
)))
1590 * Since we called SSL_peek(), we know the data in the record
1591 * layer is a plaintext record. We can gather the pointer to check
1592 * for zeroization after SSL_read().
1594 if (!TEST_ptr(serversc
= SSL_CONNECTION_FROM_SSL_ONLY(serverssl
)))
1596 rr
= serversc
->rlayer
.tlsrecs
;
1598 zbuf
= &rr
->data
[rr
->off
];
1599 if (!TEST_int_eq(rr
->length
, sizeof(cbuf
)))
1603 * After SSL_peek() the plaintext must still be stored in the
1606 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), zbuf
, sizeof(cbuf
)))
1609 memset(sbuf
, 0, sizeof(sbuf
));
1610 if (!TEST_int_eq(SSL_read(serverssl
, &sbuf
, sizeof(sbuf
)), sizeof(sbuf
)))
1613 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(cbuf
)))
1616 /* Check if rbuf is cleansed */
1617 memset(cbuf
, 0, sizeof(cbuf
));
1618 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), zbuf
, sizeof(cbuf
)))
1623 SSL_free(serverssl
);
1624 SSL_free(clientssl
);
1631 static int test_cleanse_plaintext(void)
1633 #if !defined(OPENSSL_NO_TLS1_2)
1634 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1635 TLS_client_method(),
1642 #if !defined(OSSL_NO_USABLE_TLS1_3)
1643 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1644 TLS_client_method(),
1650 #if !defined(OPENSSL_NO_DTLS)
1652 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1653 DTLS_client_method(),
1661 #ifndef OPENSSL_NO_OCSP
1662 static int ocsp_server_cb(SSL
*s
, void *arg
)
1664 int *argi
= (int *)arg
;
1665 unsigned char *copy
= NULL
;
1666 STACK_OF(OCSP_RESPID
) *ids
= NULL
;
1667 OCSP_RESPID
*id
= NULL
;
1670 /* In this test we are expecting exactly 1 OCSP_RESPID */
1671 SSL_get_tlsext_status_ids(s
, &ids
);
1672 if (ids
== NULL
|| sk_OCSP_RESPID_num(ids
) != 1)
1673 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1675 id
= sk_OCSP_RESPID_value(ids
, 0);
1676 if (id
== NULL
|| !OCSP_RESPID_match_ex(id
, ocspcert
, libctx
, NULL
))
1677 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1678 } else if (*argi
!= 1) {
1679 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1682 if (!TEST_ptr(copy
= OPENSSL_memdup(orespder
, sizeof(orespder
))))
1683 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1685 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s
, copy
,
1686 sizeof(orespder
)))) {
1688 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1690 ocsp_server_called
= 1;
1691 return SSL_TLSEXT_ERR_OK
;
1694 static int ocsp_client_cb(SSL
*s
, void *arg
)
1696 int *argi
= (int *)arg
;
1697 const unsigned char *respderin
;
1700 if (*argi
!= 1 && *argi
!= 2)
1703 len
= SSL_get_tlsext_status_ocsp_resp(s
, &respderin
);
1704 if (!TEST_mem_eq(orespder
, len
, respderin
, len
))
1707 ocsp_client_called
= 1;
1711 static int test_tlsext_status_type(void)
1713 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1714 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1716 STACK_OF(OCSP_RESPID
) *ids
= NULL
;
1717 OCSP_RESPID
*id
= NULL
;
1718 BIO
*certbio
= NULL
;
1720 if (!create_ssl_ctx_pair(libctx
, TLS_server_method(), TLS_client_method(),
1722 &sctx
, &cctx
, cert
, privkey
))
1725 if (SSL_CTX_get_tlsext_status_type(cctx
) != -1)
1728 /* First just do various checks getting and setting tlsext_status_type */
1730 clientssl
= SSL_new(cctx
);
1731 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl
), -1)
1732 || !TEST_true(SSL_set_tlsext_status_type(clientssl
,
1733 TLSEXT_STATUSTYPE_ocsp
))
1734 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl
),
1735 TLSEXT_STATUSTYPE_ocsp
))
1738 SSL_free(clientssl
);
1741 if (!SSL_CTX_set_tlsext_status_type(cctx
, TLSEXT_STATUSTYPE_ocsp
)
1742 || SSL_CTX_get_tlsext_status_type(cctx
) != TLSEXT_STATUSTYPE_ocsp
)
1745 clientssl
= SSL_new(cctx
);
1746 if (SSL_get_tlsext_status_type(clientssl
) != TLSEXT_STATUSTYPE_ocsp
)
1748 SSL_free(clientssl
);
1752 * Now actually do a handshake and check OCSP information is exchanged and
1753 * the callbacks get called
1755 SSL_CTX_set_tlsext_status_cb(cctx
, ocsp_client_cb
);
1756 SSL_CTX_set_tlsext_status_arg(cctx
, &cdummyarg
);
1757 SSL_CTX_set_tlsext_status_cb(sctx
, ocsp_server_cb
);
1758 SSL_CTX_set_tlsext_status_arg(sctx
, &cdummyarg
);
1759 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1760 &clientssl
, NULL
, NULL
))
1761 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
1763 || !TEST_true(ocsp_client_called
)
1764 || !TEST_true(ocsp_server_called
))
1766 SSL_free(serverssl
);
1767 SSL_free(clientssl
);
1771 /* Try again but this time force the server side callback to fail */
1772 ocsp_client_called
= 0;
1773 ocsp_server_called
= 0;
1775 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1776 &clientssl
, NULL
, NULL
))
1777 /* This should fail because the callback will fail */
1778 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
1780 || !TEST_false(ocsp_client_called
)
1781 || !TEST_false(ocsp_server_called
))
1783 SSL_free(serverssl
);
1784 SSL_free(clientssl
);
1789 * This time we'll get the client to send an OCSP_RESPID that it will
1792 ocsp_client_called
= 0;
1793 ocsp_server_called
= 0;
1795 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1796 &clientssl
, NULL
, NULL
)))
1800 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1801 * specific one. We'll use the server cert.
1803 if (!TEST_ptr(certbio
= BIO_new_file(cert
, "r"))
1804 || !TEST_ptr(id
= OCSP_RESPID_new())
1805 || !TEST_ptr(ids
= sk_OCSP_RESPID_new_null())
1806 || !TEST_ptr(ocspcert
= X509_new_ex(libctx
, NULL
))
1807 || !TEST_ptr(PEM_read_bio_X509(certbio
, &ocspcert
, NULL
, NULL
))
1808 || !TEST_true(OCSP_RESPID_set_by_key_ex(id
, ocspcert
, libctx
, NULL
))
1809 || !TEST_true(sk_OCSP_RESPID_push(ids
, id
)))
1812 SSL_set_tlsext_status_ids(clientssl
, ids
);
1813 /* Control has been transferred */
1819 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1821 || !TEST_true(ocsp_client_called
)
1822 || !TEST_true(ocsp_server_called
))
1828 SSL_free(serverssl
);
1829 SSL_free(clientssl
);
1832 sk_OCSP_RESPID_pop_free(ids
, OCSP_RESPID_free
);
1833 OCSP_RESPID_free(id
);
1835 X509_free(ocspcert
);
1842 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1843 static int new_called
, remove_called
, get_called
;
1845 static int new_session_cb(SSL
*ssl
, SSL_SESSION
*sess
)
1849 * sess has been up-refed for us, but we don't actually need it so free it
1852 SSL_SESSION_free(sess
);
1856 static void remove_session_cb(SSL_CTX
*ctx
, SSL_SESSION
*sess
)
1861 static SSL_SESSION
*get_sess_val
= NULL
;
1863 static SSL_SESSION
*get_session_cb(SSL
*ssl
, const unsigned char *id
, int len
,
1868 return get_sess_val
;
1871 static int execute_test_session(int maxprot
, int use_int_cache
,
1872 int use_ext_cache
, long s_options
)
1874 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
1875 SSL
*serverssl1
= NULL
, *clientssl1
= NULL
;
1876 SSL
*serverssl2
= NULL
, *clientssl2
= NULL
;
1877 # ifndef OPENSSL_NO_TLS1_1
1878 SSL
*serverssl3
= NULL
, *clientssl3
= NULL
;
1880 SSL_SESSION
*sess1
= NULL
, *sess2
= NULL
;
1881 int testresult
= 0, numnewsesstick
= 1;
1883 new_called
= remove_called
= 0;
1885 /* TLSv1.3 sends 2 NewSessionTickets */
1886 if (maxprot
== TLS1_3_VERSION
)
1889 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1890 TLS_client_method(), TLS1_VERSION
, 0,
1891 &sctx
, &cctx
, cert
, privkey
)))
1895 * Only allow the max protocol version so we can force a connection failure
1898 SSL_CTX_set_min_proto_version(cctx
, maxprot
);
1899 SSL_CTX_set_max_proto_version(cctx
, maxprot
);
1901 /* Set up session cache */
1902 if (use_ext_cache
) {
1903 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
1904 SSL_CTX_sess_set_remove_cb(cctx
, remove_session_cb
);
1906 if (use_int_cache
) {
1907 /* Also covers instance where both are set */
1908 SSL_CTX_set_session_cache_mode(cctx
, SSL_SESS_CACHE_CLIENT
);
1910 SSL_CTX_set_session_cache_mode(cctx
,
1911 SSL_SESS_CACHE_CLIENT
1912 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
1916 SSL_CTX_set_options(sctx
, s_options
);
1919 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl1
, &clientssl1
,
1921 || !TEST_true(create_ssl_connection(serverssl1
, clientssl1
,
1923 || !TEST_ptr(sess1
= SSL_get1_session(clientssl1
)))
1926 /* Should fail because it should already be in the cache */
1927 if (use_int_cache
&& !TEST_false(SSL_CTX_add_session(cctx
, sess1
)))
1930 && (!TEST_int_eq(new_called
, numnewsesstick
)
1932 || !TEST_int_eq(remove_called
, 0)))
1935 new_called
= remove_called
= 0;
1936 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
1937 &clientssl2
, NULL
, NULL
))
1938 || !TEST_true(SSL_set_session(clientssl2
, sess1
))
1939 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
1941 || !TEST_true(SSL_session_reused(clientssl2
)))
1944 if (maxprot
== TLS1_3_VERSION
) {
1946 * In TLSv1.3 we should have created a new session even though we have
1947 * resumed. Since we attempted a resume we should also have removed the
1948 * old ticket from the cache so that we try to only use tickets once.
1951 && (!TEST_int_eq(new_called
, 1)
1952 || !TEST_int_eq(remove_called
, 1)))
1956 * In TLSv1.2 we expect to have resumed so no sessions added or
1960 && (!TEST_int_eq(new_called
, 0)
1961 || !TEST_int_eq(remove_called
, 0)))
1965 SSL_SESSION_free(sess1
);
1966 if (!TEST_ptr(sess1
= SSL_get1_session(clientssl2
)))
1968 shutdown_ssl_connection(serverssl2
, clientssl2
);
1969 serverssl2
= clientssl2
= NULL
;
1971 new_called
= remove_called
= 0;
1972 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
1973 &clientssl2
, NULL
, NULL
))
1974 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
1978 if (!TEST_ptr(sess2
= SSL_get1_session(clientssl2
)))
1982 && (!TEST_int_eq(new_called
, numnewsesstick
)
1983 || !TEST_int_eq(remove_called
, 0)))
1986 new_called
= remove_called
= 0;
1988 * This should clear sess2 from the cache because it is a "bad" session.
1989 * See SSL_set_session() documentation.
1991 if (!TEST_true(SSL_set_session(clientssl2
, sess1
)))
1994 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
1996 if (!TEST_ptr_eq(SSL_get_session(clientssl2
), sess1
))
1999 if (use_int_cache
) {
2000 /* Should succeeded because it should not already be in the cache */
2001 if (!TEST_true(SSL_CTX_add_session(cctx
, sess2
))
2002 || !TEST_true(SSL_CTX_remove_session(cctx
, sess2
)))
2006 new_called
= remove_called
= 0;
2007 /* This shouldn't be in the cache so should fail */
2008 if (!TEST_false(SSL_CTX_remove_session(cctx
, sess2
)))
2012 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
2015 # if !defined(OPENSSL_NO_TLS1_1)
2016 new_called
= remove_called
= 0;
2017 /* Force a connection failure */
2018 SSL_CTX_set_max_proto_version(sctx
, TLS1_1_VERSION
);
2019 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl3
,
2020 &clientssl3
, NULL
, NULL
))
2021 || !TEST_true(SSL_set_session(clientssl3
, sess1
))
2022 /* This should fail because of the mismatched protocol versions */
2023 || !TEST_false(create_ssl_connection(serverssl3
, clientssl3
,
2027 /* We should have automatically removed the session from the cache */
2029 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
2032 /* Should succeed because it should not already be in the cache */
2033 if (use_int_cache
&& !TEST_true(SSL_CTX_add_session(cctx
, sess2
)))
2037 /* Now do some tests for server side caching */
2038 if (use_ext_cache
) {
2039 SSL_CTX_sess_set_new_cb(cctx
, NULL
);
2040 SSL_CTX_sess_set_remove_cb(cctx
, NULL
);
2041 SSL_CTX_sess_set_new_cb(sctx
, new_session_cb
);
2042 SSL_CTX_sess_set_remove_cb(sctx
, remove_session_cb
);
2043 SSL_CTX_sess_set_get_cb(sctx
, get_session_cb
);
2044 get_sess_val
= NULL
;
2047 SSL_CTX_set_session_cache_mode(cctx
, 0);
2048 /* Internal caching is the default on the server side */
2050 SSL_CTX_set_session_cache_mode(sctx
,
2051 SSL_SESS_CACHE_SERVER
2052 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2054 SSL_free(serverssl1
);
2055 SSL_free(clientssl1
);
2056 serverssl1
= clientssl1
= NULL
;
2057 SSL_free(serverssl2
);
2058 SSL_free(clientssl2
);
2059 serverssl2
= clientssl2
= NULL
;
2060 SSL_SESSION_free(sess1
);
2062 SSL_SESSION_free(sess2
);
2065 SSL_CTX_set_max_proto_version(sctx
, maxprot
);
2066 if (maxprot
== TLS1_2_VERSION
)
2067 SSL_CTX_set_options(sctx
, SSL_OP_NO_TICKET
);
2068 new_called
= remove_called
= get_called
= 0;
2069 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl1
, &clientssl1
,
2071 || !TEST_true(create_ssl_connection(serverssl1
, clientssl1
,
2073 || !TEST_ptr(sess1
= SSL_get1_session(clientssl1
))
2074 || !TEST_ptr(sess2
= SSL_get1_session(serverssl1
)))
2077 if (use_int_cache
) {
2078 if (maxprot
== TLS1_3_VERSION
&& !use_ext_cache
) {
2080 * In TLSv1.3 it should not have been added to the internal cache,
2081 * except in the case where we also have an external cache (in that
2082 * case it gets added to the cache in order to generate remove
2083 * events after timeout).
2085 if (!TEST_false(SSL_CTX_remove_session(sctx
, sess2
)))
2088 /* Should fail because it should already be in the cache */
2089 if (!TEST_false(SSL_CTX_add_session(sctx
, sess2
)))
2094 if (use_ext_cache
) {
2095 SSL_SESSION
*tmp
= sess2
;
2097 if (!TEST_int_eq(new_called
, numnewsesstick
)
2098 || !TEST_int_eq(remove_called
, 0)
2099 || !TEST_int_eq(get_called
, 0))
2102 * Delete the session from the internal cache to force a lookup from
2103 * the external cache. We take a copy first because
2104 * SSL_CTX_remove_session() also marks the session as non-resumable.
2106 if (use_int_cache
&& maxprot
!= TLS1_3_VERSION
) {
2107 if (!TEST_ptr(tmp
= SSL_SESSION_dup(sess2
))
2108 || !TEST_true(SSL_CTX_remove_session(sctx
, sess2
)))
2110 SSL_SESSION_free(sess2
);
2115 new_called
= remove_called
= get_called
= 0;
2116 get_sess_val
= sess2
;
2117 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
2118 &clientssl2
, NULL
, NULL
))
2119 || !TEST_true(SSL_set_session(clientssl2
, sess1
))
2120 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
2122 || !TEST_true(SSL_session_reused(clientssl2
)))
2125 if (use_ext_cache
) {
2126 if (!TEST_int_eq(remove_called
, 0))
2129 if (maxprot
== TLS1_3_VERSION
) {
2130 if (!TEST_int_eq(new_called
, 1)
2131 || !TEST_int_eq(get_called
, 0))
2134 if (!TEST_int_eq(new_called
, 0)
2135 || !TEST_int_eq(get_called
, 1))
2140 * Make a small cache, force out all other sessions but
2141 * sess2, try to add sess1, which should succeed. Then
2142 * make sure it's there by checking the owners. Despite
2143 * the timeouts, sess1 should have kicked out sess2
2146 /* Make sess1 expire before sess2 */
2147 if (!TEST_long_gt(SSL_SESSION_set_time(sess1
, 1000), 0)
2148 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1
, 1000), 0)
2149 || !TEST_long_gt(SSL_SESSION_set_time(sess2
, 2000), 0)
2150 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2
, 2000), 0))
2153 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx
, 1), 0))
2156 /* Don't care about results - cache should only be sess2 at end */
2157 SSL_CTX_add_session(sctx
, sess1
);
2158 SSL_CTX_add_session(sctx
, sess2
);
2160 /* Now add sess1, and make sure it remains, despite timeout */
2161 if (!TEST_true(SSL_CTX_add_session(sctx
, sess1
))
2162 || !TEST_ptr(sess1
->owner
)
2163 || !TEST_ptr_null(sess2
->owner
))
2169 SSL_free(serverssl1
);
2170 SSL_free(clientssl1
);
2171 SSL_free(serverssl2
);
2172 SSL_free(clientssl2
);
2173 # ifndef OPENSSL_NO_TLS1_1
2174 SSL_free(serverssl3
);
2175 SSL_free(clientssl3
);
2177 SSL_SESSION_free(sess1
);
2178 SSL_SESSION_free(sess2
);
2184 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2186 static int test_session_with_only_int_cache(void)
2188 #ifndef OSSL_NO_USABLE_TLS1_3
2189 if (!execute_test_session(TLS1_3_VERSION
, 1, 0, 0))
2193 #ifndef OPENSSL_NO_TLS1_2
2194 return execute_test_session(TLS1_2_VERSION
, 1, 0, 0);
2200 static int test_session_with_only_ext_cache(void)
2202 #ifndef OSSL_NO_USABLE_TLS1_3
2203 if (!execute_test_session(TLS1_3_VERSION
, 0, 1, 0))
2207 #ifndef OPENSSL_NO_TLS1_2
2208 return execute_test_session(TLS1_2_VERSION
, 0, 1, 0);
2214 static int test_session_with_both_cache(void)
2216 #ifndef OSSL_NO_USABLE_TLS1_3
2217 if (!execute_test_session(TLS1_3_VERSION
, 1, 1, 0))
2221 #ifndef OPENSSL_NO_TLS1_2
2222 return execute_test_session(TLS1_2_VERSION
, 1, 1, 0);
2228 static int test_session_wo_ca_names(void)
2230 #ifndef OSSL_NO_USABLE_TLS1_3
2231 if (!execute_test_session(TLS1_3_VERSION
, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES
))
2235 #ifndef OPENSSL_NO_TLS1_2
2236 return execute_test_session(TLS1_2_VERSION
, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES
);
2243 #ifndef OSSL_NO_USABLE_TLS1_3
2244 static SSL_SESSION
*sesscache
[6];
2245 static int do_cache
;
2247 static int new_cachesession_cb(SSL
*ssl
, SSL_SESSION
*sess
)
2250 sesscache
[new_called
] = sess
;
2252 /* We don't need the reference to the session, so free it */
2253 SSL_SESSION_free(sess
);
2260 static int post_handshake_verify(SSL
*sssl
, SSL
*cssl
)
2262 SSL_set_verify(sssl
, SSL_VERIFY_PEER
, NULL
);
2263 if (!TEST_true(SSL_verify_client_post_handshake(sssl
)))
2266 /* Start handshake on the server and client */
2267 if (!TEST_int_eq(SSL_do_handshake(sssl
), 1)
2268 || !TEST_int_le(SSL_read(cssl
, NULL
, 0), 0)
2269 || !TEST_int_le(SSL_read(sssl
, NULL
, 0), 0)
2270 || !TEST_true(create_ssl_connection(sssl
, cssl
,
2277 static int setup_ticket_test(int stateful
, int idx
, SSL_CTX
**sctx
,
2280 int sess_id_ctx
= 1;
2282 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2283 TLS_client_method(), TLS1_VERSION
, 0,
2284 sctx
, cctx
, cert
, privkey
))
2285 || !TEST_true(SSL_CTX_set_num_tickets(*sctx
, idx
))
2286 || !TEST_true(SSL_CTX_set_session_id_context(*sctx
,
2287 (void *)&sess_id_ctx
,
2288 sizeof(sess_id_ctx
))))
2292 SSL_CTX_set_options(*sctx
, SSL_OP_NO_TICKET
);
2294 SSL_CTX_set_session_cache_mode(*cctx
, SSL_SESS_CACHE_CLIENT
2295 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2296 SSL_CTX_sess_set_new_cb(*cctx
, new_cachesession_cb
);
2301 static int check_resumption(int idx
, SSL_CTX
*sctx
, SSL_CTX
*cctx
, int succ
)
2303 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2306 /* Test that we can resume with all the tickets we got given */
2307 for (i
= 0; i
< idx
* 2; i
++) {
2309 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2310 &clientssl
, NULL
, NULL
))
2311 || !TEST_true(SSL_set_session(clientssl
, sesscache
[i
])))
2314 SSL_set_post_handshake_auth(clientssl
, 1);
2316 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2321 * Following a successful resumption we only get 1 ticket. After a
2322 * failed one we should get idx tickets.
2325 if (!TEST_true(SSL_session_reused(clientssl
))
2326 || !TEST_int_eq(new_called
, 1))
2329 if (!TEST_false(SSL_session_reused(clientssl
))
2330 || !TEST_int_eq(new_called
, idx
))
2335 /* After a post-handshake authentication we should get 1 new ticket */
2337 && (!post_handshake_verify(serverssl
, clientssl
)
2338 || !TEST_int_eq(new_called
, 1)))
2341 SSL_shutdown(clientssl
);
2342 SSL_shutdown(serverssl
);
2343 SSL_free(serverssl
);
2344 SSL_free(clientssl
);
2345 serverssl
= clientssl
= NULL
;
2346 SSL_SESSION_free(sesscache
[i
]);
2347 sesscache
[i
] = NULL
;
2353 SSL_free(clientssl
);
2354 SSL_free(serverssl
);
2358 static int test_tickets(int stateful
, int idx
)
2360 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2361 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2365 /* idx is the test number, but also the number of tickets we want */
2370 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2373 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2374 &clientssl
, NULL
, NULL
)))
2377 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2379 /* Check we got the number of tickets we were expecting */
2380 || !TEST_int_eq(idx
, new_called
))
2383 SSL_shutdown(clientssl
);
2384 SSL_shutdown(serverssl
);
2385 SSL_free(serverssl
);
2386 SSL_free(clientssl
);
2389 clientssl
= serverssl
= NULL
;
2393 * Now we try to resume with the tickets we previously created. The
2394 * resumption attempt is expected to fail (because we're now using a new
2395 * SSL_CTX). We should see idx number of tickets issued again.
2398 /* Stop caching sessions - just count them */
2401 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2404 if (!check_resumption(idx
, sctx
, cctx
, 0))
2407 /* Start again with caching sessions */
2414 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2417 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2418 &clientssl
, NULL
, NULL
)))
2421 SSL_set_post_handshake_auth(clientssl
, 1);
2423 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2425 /* Check we got the number of tickets we were expecting */
2426 || !TEST_int_eq(idx
, new_called
))
2429 /* After a post-handshake authentication we should get new tickets issued */
2430 if (!post_handshake_verify(serverssl
, clientssl
)
2431 || !TEST_int_eq(idx
* 2, new_called
))
2434 SSL_shutdown(clientssl
);
2435 SSL_shutdown(serverssl
);
2436 SSL_free(serverssl
);
2437 SSL_free(clientssl
);
2438 serverssl
= clientssl
= NULL
;
2440 /* Stop caching sessions - just count them */
2444 * Check we can resume with all the tickets we created. This time around the
2445 * resumptions should all be successful.
2447 if (!check_resumption(idx
, sctx
, cctx
, 1))
2453 SSL_free(serverssl
);
2454 SSL_free(clientssl
);
2455 for (j
= 0; j
< OSSL_NELEM(sesscache
); j
++) {
2456 SSL_SESSION_free(sesscache
[j
]);
2457 sesscache
[j
] = NULL
;
2465 static int test_stateless_tickets(int idx
)
2467 return test_tickets(0, idx
);
2470 static int test_stateful_tickets(int idx
)
2472 return test_tickets(1, idx
);
2475 static int test_psk_tickets(void)
2477 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2478 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2480 int sess_id_ctx
= 1;
2482 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2483 TLS_client_method(), TLS1_VERSION
, 0,
2484 &sctx
, &cctx
, NULL
, NULL
))
2485 || !TEST_true(SSL_CTX_set_session_id_context(sctx
,
2486 (void *)&sess_id_ctx
,
2487 sizeof(sess_id_ctx
))))
2490 SSL_CTX_set_session_cache_mode(cctx
, SSL_SESS_CACHE_CLIENT
2491 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2492 SSL_CTX_set_psk_use_session_callback(cctx
, use_session_cb
);
2493 SSL_CTX_set_psk_find_session_callback(sctx
, find_session_cb
);
2494 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
2495 use_session_cb_cnt
= 0;
2496 find_session_cb_cnt
= 0;
2500 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2503 clientpsk
= serverpsk
= create_a_psk(clientssl
);
2504 if (!TEST_ptr(clientpsk
))
2506 SSL_SESSION_up_ref(clientpsk
);
2508 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2510 || !TEST_int_eq(1, find_session_cb_cnt
)
2511 || !TEST_int_eq(1, use_session_cb_cnt
)
2512 /* We should always get 1 ticket when using external PSK */
2513 || !TEST_int_eq(1, new_called
))
2519 SSL_free(serverssl
);
2520 SSL_free(clientssl
);
2523 SSL_SESSION_free(clientpsk
);
2524 SSL_SESSION_free(serverpsk
);
2525 clientpsk
= serverpsk
= NULL
;
2530 static int test_extra_tickets(int idx
)
2532 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2533 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2534 BIO
*bretry
= BIO_new(bio_s_always_retry());
2539 unsigned char c
, buf
[1];
2549 if (!TEST_ptr(bretry
) || !setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2551 SSL_CTX_sess_set_new_cb(sctx
, new_session_cb
);
2552 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2553 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
2555 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2556 &clientssl
, NULL
, NULL
)))
2560 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2561 * incremented by both client and server.
2563 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2565 /* Check we got the number of tickets we were expecting */
2566 || !TEST_int_eq(idx
* 2, new_called
)
2567 || !TEST_true(SSL_new_session_ticket(serverssl
))
2568 || !TEST_true(SSL_new_session_ticket(serverssl
))
2569 || !TEST_int_eq(idx
* 2, new_called
))
2572 /* Now try a (real) write to actually send the tickets */
2574 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2575 || !TEST_size_t_eq(1, nbytes
)
2576 || !TEST_int_eq(idx
* 2 + 2, new_called
)
2577 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2578 || !TEST_int_eq(idx
* 2 + 4, new_called
)
2579 || !TEST_int_eq(sizeof(buf
), nbytes
)
2580 || !TEST_int_eq(c
, buf
[0])
2581 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2584 /* Try with only requesting one new ticket, too */
2587 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2588 || !TEST_true(SSL_write_ex(serverssl
, &c
, sizeof(c
), &nbytes
))
2589 || !TEST_size_t_eq(sizeof(c
), nbytes
)
2590 || !TEST_int_eq(1, new_called
)
2591 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2592 || !TEST_int_eq(2, new_called
)
2593 || !TEST_size_t_eq(sizeof(buf
), nbytes
)
2594 || !TEST_int_eq(c
, buf
[0]))
2597 /* Do it again but use dummy writes to drive the ticket generation */
2600 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2601 || !TEST_true(SSL_new_session_ticket(serverssl
))
2602 || !TEST_true(SSL_write_ex(serverssl
, &c
, 0, &nbytes
))
2603 || !TEST_size_t_eq(0, nbytes
)
2604 || !TEST_int_eq(2, new_called
)
2605 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2606 || !TEST_int_eq(4, new_called
))
2609 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2612 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2613 || !TEST_true(SSL_new_session_ticket(serverssl
))
2614 || !TEST_true(SSL_do_handshake(serverssl
))
2615 || !TEST_int_eq(2, new_called
)
2616 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2617 || !TEST_int_eq(4, new_called
))
2621 * Use the always-retry BIO to exercise the logic that forces ticket
2622 * generation to wait until a record boundary.
2626 tmp
= SSL_get_wbio(serverssl
);
2627 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
2631 SSL_set0_wbio(serverssl
, bretry
);
2633 if (!TEST_false(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2634 || !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_WANT_WRITE
)
2635 || !TEST_size_t_eq(nbytes
, 0))
2637 /* Restore a BIO that will let the write succeed */
2638 SSL_set0_wbio(serverssl
, tmp
);
2641 * These calls should just queue the request and not send anything
2642 * even if we explicitly try to hit the state machine.
2644 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2645 || !TEST_true(SSL_new_session_ticket(serverssl
))
2646 || !TEST_int_eq(0, new_called
)
2647 || !TEST_true(SSL_do_handshake(serverssl
))
2648 || !TEST_int_eq(0, new_called
))
2650 /* Re-do the write; still no tickets sent */
2651 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2652 || !TEST_size_t_eq(1, nbytes
)
2653 || !TEST_int_eq(0, new_called
)
2654 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2655 || !TEST_int_eq(0, new_called
)
2656 || !TEST_int_eq(sizeof(buf
), nbytes
)
2657 || !TEST_int_eq(c
, buf
[0])
2658 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2660 /* Even trying to hit the state machine now will still not send tickets */
2661 if (!TEST_true(SSL_do_handshake(serverssl
))
2662 || !TEST_int_eq(0, new_called
))
2664 /* Now the *next* write should send the tickets */
2666 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2667 || !TEST_size_t_eq(1, nbytes
)
2668 || !TEST_int_eq(2, new_called
)
2669 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2670 || !TEST_int_eq(4, new_called
)
2671 || !TEST_int_eq(sizeof(buf
), nbytes
)
2672 || !TEST_int_eq(c
, buf
[0])
2673 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2676 SSL_shutdown(clientssl
);
2677 SSL_shutdown(serverssl
);
2683 SSL_free(serverssl
);
2684 SSL_free(clientssl
);
2687 clientssl
= serverssl
= NULL
;
2696 #define USE_DEFAULT 3
2698 #define CONNTYPE_CONNECTION_SUCCESS 0
2699 #define CONNTYPE_CONNECTION_FAIL 1
2700 #define CONNTYPE_NO_CONNECTION 2
2702 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2703 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2704 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2705 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2707 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2710 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2711 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2712 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2714 static void setupbio(BIO
**res
, BIO
*bio1
, BIO
*bio2
, int type
)
2731 * Tests calls to SSL_set_bio() under various conditions.
2733 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2734 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2735 * then do more tests where we create a successful connection first using our
2736 * standard connection setup functions, and then call SSL_set_bio() with
2737 * various combinations of valid BIOs or NULL. We then repeat these tests
2738 * following a failed connection. In this last case we are looking to check that
2739 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2741 static int test_ssl_set_bio(int idx
)
2743 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2746 BIO
*irbio
= NULL
, *iwbio
= NULL
, *nrbio
= NULL
, *nwbio
= NULL
;
2747 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2748 int initrbio
, initwbio
, newrbio
, newwbio
, conntype
;
2751 if (idx
< TOTAL_NO_CONN_SSL_SET_BIO_TESTS
) {
2759 conntype
= CONNTYPE_NO_CONNECTION
;
2761 idx
-= TOTAL_NO_CONN_SSL_SET_BIO_TESTS
;
2762 initrbio
= initwbio
= USE_DEFAULT
;
2770 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2771 TLS_client_method(), TLS1_VERSION
, 0,
2772 &sctx
, &cctx
, cert
, privkey
)))
2775 if (conntype
== CONNTYPE_CONNECTION_FAIL
) {
2777 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2778 * because we reduced the number of tests in the definition of
2779 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2780 * mismatched protocol versions we will force a connection failure.
2782 SSL_CTX_set_min_proto_version(sctx
, TLS1_3_VERSION
);
2783 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
2786 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2790 if (initrbio
== USE_BIO_1
2791 || initwbio
== USE_BIO_1
2792 || newrbio
== USE_BIO_1
2793 || newwbio
== USE_BIO_1
) {
2794 if (!TEST_ptr(bio1
= BIO_new(BIO_s_mem())))
2798 if (initrbio
== USE_BIO_2
2799 || initwbio
== USE_BIO_2
2800 || newrbio
== USE_BIO_2
2801 || newwbio
== USE_BIO_2
) {
2802 if (!TEST_ptr(bio2
= BIO_new(BIO_s_mem())))
2806 if (initrbio
!= USE_DEFAULT
) {
2807 setupbio(&irbio
, bio1
, bio2
, initrbio
);
2808 setupbio(&iwbio
, bio1
, bio2
, initwbio
);
2809 SSL_set_bio(clientssl
, irbio
, iwbio
);
2812 * We want to maintain our own refs to these BIO, so do an up ref for
2813 * each BIO that will have ownership transferred in the SSL_set_bio()
2818 if (iwbio
!= NULL
&& iwbio
!= irbio
)
2822 if (conntype
!= CONNTYPE_NO_CONNECTION
2823 && !TEST_true(create_ssl_connection(serverssl
, clientssl
,
2825 == (conntype
== CONNTYPE_CONNECTION_SUCCESS
)))
2828 setupbio(&nrbio
, bio1
, bio2
, newrbio
);
2829 setupbio(&nwbio
, bio1
, bio2
, newwbio
);
2832 * We will (maybe) transfer ownership again so do more up refs.
2833 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2838 && (nwbio
!= iwbio
|| nrbio
!= nwbio
))
2842 && (nwbio
!= iwbio
|| (nwbio
== iwbio
&& irbio
== iwbio
)))
2845 SSL_set_bio(clientssl
, nrbio
, nwbio
);
2854 * This test is checking that the ref counting for SSL_set_bio is correct.
2855 * If we get here and we did too many frees then we will fail in the above
2858 SSL_free(serverssl
);
2859 SSL_free(clientssl
);
2865 typedef enum { NO_BIO_CHANGE
, CHANGE_RBIO
, CHANGE_WBIO
} bio_change_t
;
2867 static int execute_test_ssl_bio(int pop_ssl
, bio_change_t change_bio
)
2869 BIO
*sslbio
= NULL
, *membio1
= NULL
, *membio2
= NULL
;
2874 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method()))
2875 || !TEST_ptr(ssl
= SSL_new(ctx
))
2876 || !TEST_ptr(sslbio
= BIO_new(BIO_f_ssl()))
2877 || !TEST_ptr(membio1
= BIO_new(BIO_s_mem())))
2880 BIO_set_ssl(sslbio
, ssl
, BIO_CLOSE
);
2883 * If anything goes wrong here then we could leak memory.
2885 BIO_push(sslbio
, membio1
);
2887 /* Verify changing the rbio/wbio directly does not cause leaks */
2888 if (change_bio
!= NO_BIO_CHANGE
) {
2889 if (!TEST_ptr(membio2
= BIO_new(BIO_s_mem()))) {
2893 if (change_bio
== CHANGE_RBIO
)
2894 SSL_set0_rbio(ssl
, membio2
);
2896 SSL_set0_wbio(ssl
, membio2
);
2915 static int test_ssl_bio_pop_next_bio(void)
2917 return execute_test_ssl_bio(0, NO_BIO_CHANGE
);
2920 static int test_ssl_bio_pop_ssl_bio(void)
2922 return execute_test_ssl_bio(1, NO_BIO_CHANGE
);
2925 static int test_ssl_bio_change_rbio(void)
2927 return execute_test_ssl_bio(0, CHANGE_RBIO
);
2930 static int test_ssl_bio_change_wbio(void)
2932 return execute_test_ssl_bio(0, CHANGE_WBIO
);
2935 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2937 /* The list of sig algs */
2939 /* The length of the list */
2941 /* A sigalgs list in string format */
2942 const char *liststr
;
2943 /* Whether setting the list should succeed */
2945 /* Whether creating a connection with the list should succeed */
2949 static const int validlist1
[] = {NID_sha256
, EVP_PKEY_RSA
};
2950 # ifndef OPENSSL_NO_EC
2951 static const int validlist2
[] = {NID_sha256
, EVP_PKEY_RSA
, NID_sha512
, EVP_PKEY_EC
};
2952 static const int validlist3
[] = {NID_sha512
, EVP_PKEY_EC
};
2954 static const int invalidlist1
[] = {NID_undef
, EVP_PKEY_RSA
};
2955 static const int invalidlist2
[] = {NID_sha256
, NID_undef
};
2956 static const int invalidlist3
[] = {NID_sha256
, EVP_PKEY_RSA
, NID_sha256
};
2957 static const int invalidlist4
[] = {NID_sha256
};
2958 static const sigalgs_list testsigalgs
[] = {
2959 {validlist1
, OSSL_NELEM(validlist1
), NULL
, 1, 1},
2960 # ifndef OPENSSL_NO_EC
2961 {validlist2
, OSSL_NELEM(validlist2
), NULL
, 1, 1},
2962 {validlist3
, OSSL_NELEM(validlist3
), NULL
, 1, 0},
2964 {NULL
, 0, "RSA+SHA256", 1, 1},
2965 # ifndef OPENSSL_NO_EC
2966 {NULL
, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2967 {NULL
, 0, "ECDSA+SHA512", 1, 0},
2969 {invalidlist1
, OSSL_NELEM(invalidlist1
), NULL
, 0, 0},
2970 {invalidlist2
, OSSL_NELEM(invalidlist2
), NULL
, 0, 0},
2971 {invalidlist3
, OSSL_NELEM(invalidlist3
), NULL
, 0, 0},
2972 {invalidlist4
, OSSL_NELEM(invalidlist4
), NULL
, 0, 0},
2973 {NULL
, 0, "RSA", 0, 0},
2974 {NULL
, 0, "SHA256", 0, 0},
2975 {NULL
, 0, "RSA+SHA256:SHA256", 0, 0},
2976 {NULL
, 0, "Invalid", 0, 0}
2979 static int test_set_sigalgs(int idx
)
2981 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
2982 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
2984 const sigalgs_list
*curr
;
2987 /* Should never happen */
2988 if (!TEST_size_t_le((size_t)idx
, OSSL_NELEM(testsigalgs
) * 2))
2991 testctx
= ((size_t)idx
< OSSL_NELEM(testsigalgs
));
2992 curr
= testctx
? &testsigalgs
[idx
]
2993 : &testsigalgs
[idx
- OSSL_NELEM(testsigalgs
)];
2995 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2996 TLS_client_method(), TLS1_VERSION
, 0,
2997 &sctx
, &cctx
, cert
, privkey
)))
3000 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
3005 if (curr
->list
!= NULL
)
3006 ret
= SSL_CTX_set1_sigalgs(cctx
, curr
->list
, curr
->listlen
);
3008 ret
= SSL_CTX_set1_sigalgs_list(cctx
, curr
->liststr
);
3012 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx
);
3018 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx
);
3023 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3024 &clientssl
, NULL
, NULL
)))
3030 if (curr
->list
!= NULL
)
3031 ret
= SSL_set1_sigalgs(clientssl
, curr
->list
, curr
->listlen
);
3033 ret
= SSL_set1_sigalgs_list(clientssl
, curr
->liststr
);
3036 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx
);
3045 if (!TEST_int_eq(create_ssl_connection(serverssl
, clientssl
,
3053 SSL_free(serverssl
);
3054 SSL_free(clientssl
);
3062 #ifndef OSSL_NO_USABLE_TLS1_3
3063 static int psk_client_cb_cnt
= 0;
3064 static int psk_server_cb_cnt
= 0;
3066 static int use_session_cb(SSL
*ssl
, const EVP_MD
*md
, const unsigned char **id
,
3067 size_t *idlen
, SSL_SESSION
**sess
)
3069 switch (++use_session_cb_cnt
) {
3071 /* The first call should always have a NULL md */
3077 /* The second call should always have an md */
3083 /* We should only be called a maximum of twice */
3087 if (clientpsk
!= NULL
)
3088 SSL_SESSION_up_ref(clientpsk
);
3091 *id
= (const unsigned char *)pskid
;
3092 *idlen
= strlen(pskid
);
3097 #ifndef OPENSSL_NO_PSK
3098 static unsigned int psk_client_cb(SSL
*ssl
, const char *hint
, char *id
,
3099 unsigned int max_id_len
,
3101 unsigned int max_psk_len
)
3103 unsigned int psklen
= 0;
3105 psk_client_cb_cnt
++;
3107 if (strlen(pskid
) + 1 > max_id_len
)
3110 /* We should only ever be called a maximum of twice per connection */
3111 if (psk_client_cb_cnt
> 2)
3114 if (clientpsk
== NULL
)
3117 /* We'll reuse the PSK we set up for TLSv1.3 */
3118 if (SSL_SESSION_get_master_key(clientpsk
, NULL
, 0) > max_psk_len
)
3120 psklen
= SSL_SESSION_get_master_key(clientpsk
, psk
, max_psk_len
);
3121 strncpy(id
, pskid
, max_id_len
);
3125 #endif /* OPENSSL_NO_PSK */
3127 static int find_session_cb(SSL
*ssl
, const unsigned char *identity
,
3128 size_t identity_len
, SSL_SESSION
**sess
)
3130 find_session_cb_cnt
++;
3132 /* We should only ever be called a maximum of twice per connection */
3133 if (find_session_cb_cnt
> 2)
3136 if (serverpsk
== NULL
)
3139 /* Identity should match that set by the client */
3140 if (strlen(srvid
) != identity_len
3141 || strncmp(srvid
, (const char *)identity
, identity_len
) != 0) {
3142 /* No PSK found, continue but without a PSK */
3147 SSL_SESSION_up_ref(serverpsk
);
3153 #ifndef OPENSSL_NO_PSK
3154 static unsigned int psk_server_cb(SSL
*ssl
, const char *identity
,
3155 unsigned char *psk
, unsigned int max_psk_len
)
3157 unsigned int psklen
= 0;
3159 psk_server_cb_cnt
++;
3161 /* We should only ever be called a maximum of twice per connection */
3162 if (find_session_cb_cnt
> 2)
3165 if (serverpsk
== NULL
)
3168 /* Identity should match that set by the client */
3169 if (strcmp(srvid
, identity
) != 0) {
3173 /* We'll reuse the PSK we set up for TLSv1.3 */
3174 if (SSL_SESSION_get_master_key(serverpsk
, NULL
, 0) > max_psk_len
)
3176 psklen
= SSL_SESSION_get_master_key(serverpsk
, psk
, max_psk_len
);
3180 #endif /* OPENSSL_NO_PSK */
3182 #define MSG1 "Hello"
3183 #define MSG2 "World."
3188 #define MSG7 "message."
3190 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3191 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3192 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3193 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3194 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3197 static SSL_SESSION
*create_a_psk(SSL
*ssl
)
3199 const SSL_CIPHER
*cipher
= NULL
;
3200 const unsigned char key
[] = {
3201 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3202 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3203 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3204 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3205 0x2c, 0x2d, 0x2e, 0x2f
3207 SSL_SESSION
*sess
= NULL
;
3209 cipher
= SSL_CIPHER_find(ssl
, TLS13_AES_256_GCM_SHA384_BYTES
);
3210 sess
= SSL_SESSION_new();
3212 || !TEST_ptr(cipher
)
3213 || !TEST_true(SSL_SESSION_set1_master_key(sess
, key
,
3215 || !TEST_true(SSL_SESSION_set_cipher(sess
, cipher
))
3217 SSL_SESSION_set_protocol_version(sess
,
3219 SSL_SESSION_free(sess
);
3226 * Helper method to setup objects for early data test. Caller frees objects on
3229 static int setupearly_data_test(SSL_CTX
**cctx
, SSL_CTX
**sctx
, SSL
**clientssl
,
3230 SSL
**serverssl
, SSL_SESSION
**sess
, int idx
)
3233 && !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
3234 TLS_client_method(),
3236 sctx
, cctx
, cert
, privkey
)))
3239 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx
, SSL3_RT_MAX_PLAIN_LENGTH
)))
3243 /* When idx == 1 we repeat the tests with read_ahead set */
3244 SSL_CTX_set_read_ahead(*cctx
, 1);
3245 SSL_CTX_set_read_ahead(*sctx
, 1);
3246 } else if (idx
== 2) {
3247 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3248 SSL_CTX_set_psk_use_session_callback(*cctx
, use_session_cb
);
3249 SSL_CTX_set_psk_find_session_callback(*sctx
, find_session_cb
);
3250 use_session_cb_cnt
= 0;
3251 find_session_cb_cnt
= 0;
3255 if (!TEST_true(create_ssl_objects(*sctx
, *cctx
, serverssl
, clientssl
,
3260 * For one of the run throughs (doesn't matter which one), we'll try sending
3261 * some SNI data in the initial ClientHello. This will be ignored (because
3262 * there is no SNI cb set up by the server), so it should not impact
3266 && !TEST_true(SSL_set_tlsext_host_name(*clientssl
, "localhost")))
3270 clientpsk
= create_a_psk(*clientssl
);
3271 if (!TEST_ptr(clientpsk
)
3273 * We just choose an arbitrary value for max_early_data which
3274 * should be big enough for testing purposes.
3276 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk
,
3278 || !TEST_true(SSL_SESSION_up_ref(clientpsk
))) {
3279 SSL_SESSION_free(clientpsk
);
3283 serverpsk
= clientpsk
;
3286 if (!TEST_true(SSL_SESSION_up_ref(clientpsk
))) {
3287 SSL_SESSION_free(clientpsk
);
3288 SSL_SESSION_free(serverpsk
);
3289 clientpsk
= serverpsk
= NULL
;
3300 if (!TEST_true(create_ssl_connection(*serverssl
, *clientssl
,
3304 *sess
= SSL_get1_session(*clientssl
);
3305 SSL_shutdown(*clientssl
);
3306 SSL_shutdown(*serverssl
);
3307 SSL_free(*serverssl
);
3308 SSL_free(*clientssl
);
3309 *serverssl
= *clientssl
= NULL
;
3311 if (!TEST_true(create_ssl_objects(*sctx
, *cctx
, serverssl
,
3312 clientssl
, NULL
, NULL
))
3313 || !TEST_true(SSL_set_session(*clientssl
, *sess
)))
3319 static int test_early_data_read_write(int idx
)
3321 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3322 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3324 SSL_SESSION
*sess
= NULL
;
3325 unsigned char buf
[20], data
[1024];
3326 size_t readbytes
, written
, eoedlen
, rawread
, rawwritten
;
3329 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3330 &serverssl
, &sess
, idx
)))
3333 /* Write and read some early data */
3334 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3336 || !TEST_size_t_eq(written
, strlen(MSG1
))
3337 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
,
3338 sizeof(buf
), &readbytes
),
3339 SSL_READ_EARLY_DATA_SUCCESS
)
3340 || !TEST_mem_eq(MSG1
, readbytes
, buf
, strlen(MSG1
))
3341 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3342 SSL_EARLY_DATA_ACCEPTED
))
3346 * Server should be able to write data, and client should be able to
3349 if (!TEST_true(SSL_write_early_data(serverssl
, MSG2
, strlen(MSG2
),
3351 || !TEST_size_t_eq(written
, strlen(MSG2
))
3352 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3353 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3356 /* Even after reading normal data, client should be able write early data */
3357 if (!TEST_true(SSL_write_early_data(clientssl
, MSG3
, strlen(MSG3
),
3359 || !TEST_size_t_eq(written
, strlen(MSG3
)))
3362 /* Server should still be able read early data after writing data */
3363 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3365 SSL_READ_EARLY_DATA_SUCCESS
)
3366 || !TEST_mem_eq(buf
, readbytes
, MSG3
, strlen(MSG3
)))
3369 /* Write more data from server and read it from client */
3370 if (!TEST_true(SSL_write_early_data(serverssl
, MSG4
, strlen(MSG4
),
3372 || !TEST_size_t_eq(written
, strlen(MSG4
))
3373 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3374 || !TEST_mem_eq(buf
, readbytes
, MSG4
, strlen(MSG4
)))
3378 * If client writes normal data it should mean writing early data is no
3381 if (!TEST_true(SSL_write_ex(clientssl
, MSG5
, strlen(MSG5
), &written
))
3382 || !TEST_size_t_eq(written
, strlen(MSG5
))
3383 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3384 SSL_EARLY_DATA_ACCEPTED
))
3388 * At this point the client has written EndOfEarlyData, ClientFinished and
3389 * normal (fully protected) data. We are going to cause a delay between the
3390 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3391 * in the read BIO, and then just put back the EndOfEarlyData message.
3393 rbio
= SSL_get_rbio(serverssl
);
3394 if (!TEST_true(BIO_read_ex(rbio
, data
, sizeof(data
), &rawread
))
3395 || !TEST_size_t_lt(rawread
, sizeof(data
))
3396 || !TEST_size_t_gt(rawread
, SSL3_RT_HEADER_LENGTH
))
3399 /* Record length is in the 4th and 5th bytes of the record header */
3400 eoedlen
= SSL3_RT_HEADER_LENGTH
+ (data
[3] << 8 | data
[4]);
3401 if (!TEST_true(BIO_write_ex(rbio
, data
, eoedlen
, &rawwritten
))
3402 || !TEST_size_t_eq(rawwritten
, eoedlen
))
3405 /* Server should be told that there is no more early data */
3406 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3408 SSL_READ_EARLY_DATA_FINISH
)
3409 || !TEST_size_t_eq(readbytes
, 0))
3413 * Server has not finished init yet, so should still be able to write early
3416 if (!TEST_true(SSL_write_early_data(serverssl
, MSG6
, strlen(MSG6
),
3418 || !TEST_size_t_eq(written
, strlen(MSG6
)))
3421 /* Push the ClientFinished and the normal data back into the server rbio */
3422 if (!TEST_true(BIO_write_ex(rbio
, data
+ eoedlen
, rawread
- eoedlen
,
3424 || !TEST_size_t_eq(rawwritten
, rawread
- eoedlen
))
3427 /* Server should be able to read normal data */
3428 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3429 || !TEST_size_t_eq(readbytes
, strlen(MSG5
)))
3432 /* Client and server should not be able to write/read early data now */
3433 if (!TEST_false(SSL_write_early_data(clientssl
, MSG6
, strlen(MSG6
),
3437 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3439 SSL_READ_EARLY_DATA_ERROR
))
3443 /* Client should be able to read the data sent by the server */
3444 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3445 || !TEST_mem_eq(buf
, readbytes
, MSG6
, strlen(MSG6
)))
3449 * Make sure we process the two NewSessionTickets. These arrive
3450 * post-handshake. We attempt reads which we do not expect to return any
3453 if (!TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3454 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
3458 /* Server should be able to write normal data */
3459 if (!TEST_true(SSL_write_ex(serverssl
, MSG7
, strlen(MSG7
), &written
))
3460 || !TEST_size_t_eq(written
, strlen(MSG7
))
3461 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3462 || !TEST_mem_eq(buf
, readbytes
, MSG7
, strlen(MSG7
)))
3465 SSL_SESSION_free(sess
);
3466 sess
= SSL_get1_session(clientssl
);
3467 use_session_cb_cnt
= 0;
3468 find_session_cb_cnt
= 0;
3470 SSL_shutdown(clientssl
);
3471 SSL_shutdown(serverssl
);
3472 SSL_free(serverssl
);
3473 SSL_free(clientssl
);
3474 serverssl
= clientssl
= NULL
;
3475 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3476 &clientssl
, NULL
, NULL
))
3477 || !TEST_true(SSL_set_session(clientssl
, sess
)))
3480 /* Write and read some early data */
3481 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3483 || !TEST_size_t_eq(written
, strlen(MSG1
))
3484 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3486 SSL_READ_EARLY_DATA_SUCCESS
)
3487 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
)))
3490 if (!TEST_int_gt(SSL_connect(clientssl
), 0)
3491 || !TEST_int_gt(SSL_accept(serverssl
), 0))
3494 /* Client and server should not be able to write/read early data now */
3495 if (!TEST_false(SSL_write_early_data(clientssl
, MSG6
, strlen(MSG6
),
3499 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3501 SSL_READ_EARLY_DATA_ERROR
))
3505 /* Client and server should be able to write/read normal data */
3506 if (!TEST_true(SSL_write_ex(clientssl
, MSG5
, strlen(MSG5
), &written
))
3507 || !TEST_size_t_eq(written
, strlen(MSG5
))
3508 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3509 || !TEST_size_t_eq(readbytes
, strlen(MSG5
)))
3515 SSL_SESSION_free(sess
);
3516 SSL_SESSION_free(clientpsk
);
3517 SSL_SESSION_free(serverpsk
);
3518 clientpsk
= serverpsk
= NULL
;
3519 SSL_free(serverssl
);
3520 SSL_free(clientssl
);
3526 static int allow_ed_cb_called
= 0;
3528 static int allow_early_data_cb(SSL
*s
, void *arg
)
3530 int *usecb
= (int *)arg
;
3532 allow_ed_cb_called
++;
3541 * idx == 0: Standard early_data setup
3542 * idx == 1: early_data setup using read_ahead
3543 * usecb == 0: Don't use a custom early data callback
3544 * usecb == 1: Use a custom early data callback and reject the early data
3545 * usecb == 2: Use a custom early data callback and accept the early data
3546 * confopt == 0: Configure anti-replay directly
3547 * confopt == 1: Configure anti-replay using SSL_CONF
3549 static int test_early_data_replay_int(int idx
, int usecb
, int confopt
)
3551 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3552 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3554 SSL_SESSION
*sess
= NULL
;
3555 size_t readbytes
, written
;
3556 unsigned char buf
[20];
3558 allow_ed_cb_called
= 0;
3560 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
3561 TLS_client_method(), TLS1_VERSION
, 0,
3562 &sctx
, &cctx
, cert
, privkey
)))
3567 SSL_CTX_set_options(sctx
, SSL_OP_NO_ANTI_REPLAY
);
3569 SSL_CONF_CTX
*confctx
= SSL_CONF_CTX_new();
3571 if (!TEST_ptr(confctx
))
3573 SSL_CONF_CTX_set_flags(confctx
, SSL_CONF_FLAG_FILE
3574 | SSL_CONF_FLAG_SERVER
);
3575 SSL_CONF_CTX_set_ssl_ctx(confctx
, sctx
);
3576 if (!TEST_int_eq(SSL_CONF_cmd(confctx
, "Options", "-AntiReplay"),
3578 SSL_CONF_CTX_free(confctx
);
3581 SSL_CONF_CTX_free(confctx
);
3583 SSL_CTX_set_allow_early_data_cb(sctx
, allow_early_data_cb
, &usecb
);
3586 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3587 &serverssl
, &sess
, idx
)))
3591 * The server is configured to accept early data. Create a connection to
3592 * "use up" the ticket
3594 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
3595 || !TEST_true(SSL_session_reused(clientssl
)))
3598 SSL_shutdown(clientssl
);
3599 SSL_shutdown(serverssl
);
3600 SSL_free(serverssl
);
3601 SSL_free(clientssl
);
3602 serverssl
= clientssl
= NULL
;
3604 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3605 &clientssl
, NULL
, NULL
))
3606 || !TEST_true(SSL_set_session(clientssl
, sess
)))
3609 /* Write and read some early data */
3610 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3612 || !TEST_size_t_eq(written
, strlen(MSG1
)))
3616 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3618 SSL_READ_EARLY_DATA_FINISH
)
3620 * The ticket was reused, so the we should have rejected the
3623 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3624 SSL_EARLY_DATA_REJECTED
))
3627 /* In this case the callback decides to accept the early data */
3628 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3630 SSL_READ_EARLY_DATA_SUCCESS
)
3631 || !TEST_mem_eq(MSG1
, strlen(MSG1
), buf
, readbytes
)
3633 * Server will have sent its flight so client can now send
3634 * end of early data and complete its half of the handshake
3636 || !TEST_int_gt(SSL_connect(clientssl
), 0)
3637 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3639 SSL_READ_EARLY_DATA_FINISH
)
3640 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3641 SSL_EARLY_DATA_ACCEPTED
))
3645 /* Complete the connection */
3646 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
3647 || !TEST_int_eq(SSL_session_reused(clientssl
), (usecb
> 0) ? 1 : 0)
3648 || !TEST_int_eq(allow_ed_cb_called
, usecb
> 0 ? 1 : 0))
3654 SSL_SESSION_free(sess
);
3655 SSL_SESSION_free(clientpsk
);
3656 SSL_SESSION_free(serverpsk
);
3657 clientpsk
= serverpsk
= NULL
;
3658 SSL_free(serverssl
);
3659 SSL_free(clientssl
);
3665 static int test_early_data_replay(int idx
)
3667 int ret
= 1, usecb
, confopt
;
3669 for (usecb
= 0; usecb
< 3; usecb
++) {
3670 for (confopt
= 0; confopt
< 2; confopt
++)
3671 ret
&= test_early_data_replay_int(idx
, usecb
, confopt
);
3678 * Helper function to test that a server attempting to read early data can
3679 * handle a connection from a client where the early data should be skipped.
3680 * testtype: 0 == No HRR
3681 * testtype: 1 == HRR
3682 * testtype: 2 == HRR, invalid early_data sent after HRR
3683 * testtype: 3 == recv_max_early_data set to 0
3685 static int early_data_skip_helper(int testtype
, int idx
)
3687 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3688 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3690 SSL_SESSION
*sess
= NULL
;
3691 unsigned char buf
[20];
3692 size_t readbytes
, written
;
3694 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3695 &serverssl
, &sess
, idx
)))
3698 if (testtype
== 1 || testtype
== 2) {
3699 /* Force an HRR to occur */
3700 #if defined(OPENSSL_NO_EC)
3701 if (!TEST_true(SSL_set1_groups_list(serverssl
, "ffdhe3072")))
3704 if (!TEST_true(SSL_set1_groups_list(serverssl
, "P-256")))
3707 } else if (idx
== 2) {
3709 * We force early_data rejection by ensuring the PSK identity is
3712 srvid
= "Dummy Identity";
3715 * Deliberately corrupt the creation time. We take 20 seconds off the
3716 * time. It could be any value as long as it is not within tolerance.
3717 * This should mean the ticket is rejected.
3719 if (!TEST_true(SSL_SESSION_set_time(sess
, (long)(time(NULL
) - 20))))
3724 && !TEST_true(SSL_set_recv_max_early_data(serverssl
, 0)))
3727 /* Write some early data */
3728 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3730 || !TEST_size_t_eq(written
, strlen(MSG1
)))
3733 /* Server should reject the early data */
3734 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3736 SSL_READ_EARLY_DATA_FINISH
)
3737 || !TEST_size_t_eq(readbytes
, 0)
3738 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3739 SSL_EARLY_DATA_REJECTED
))
3749 * Finish off the handshake. We perform the same writes and reads as
3750 * further down but we expect them to fail due to the incomplete
3753 if (!TEST_false(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
3754 || !TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
),
3761 BIO
*wbio
= SSL_get_wbio(clientssl
);
3762 /* A record that will appear as bad early_data */
3763 const unsigned char bad_early_data
[] = {
3764 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3768 * We force the client to attempt a write. This will fail because
3769 * we're still in the handshake. It will cause the second
3770 * ClientHello to be sent.
3772 if (!TEST_false(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
),
3777 * Inject some early_data after the second ClientHello. This should
3778 * cause the server to fail
3780 if (!TEST_true(BIO_write_ex(wbio
, bad_early_data
,
3781 sizeof(bad_early_data
), &written
)))
3788 * This client has sent more early_data than we are willing to skip
3789 * (case 3) or sent invalid early_data (case 2) so the connection should
3792 if (!TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3793 || !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_SSL
))
3796 /* Connection has failed - nothing more to do */
3801 TEST_error("Invalid test type");
3806 * Should be able to send normal data despite rejection of early data. The
3807 * early_data should be skipped.
3809 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
3810 || !TEST_size_t_eq(written
, strlen(MSG2
))
3811 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3812 SSL_EARLY_DATA_REJECTED
)
3813 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3814 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3820 SSL_SESSION_free(clientpsk
);
3821 SSL_SESSION_free(serverpsk
);
3822 clientpsk
= serverpsk
= NULL
;
3823 SSL_SESSION_free(sess
);
3824 SSL_free(serverssl
);
3825 SSL_free(clientssl
);
3832 * Test that a server attempting to read early data can handle a connection
3833 * from a client where the early data is not acceptable.
3835 static int test_early_data_skip(int idx
)
3837 return early_data_skip_helper(0, idx
);
3841 * Test that a server attempting to read early data can handle a connection
3842 * from a client where an HRR occurs.
3844 static int test_early_data_skip_hrr(int idx
)
3846 return early_data_skip_helper(1, idx
);
3850 * Test that a server attempting to read early data can handle a connection
3851 * from a client where an HRR occurs and correctly fails if early_data is sent
3854 static int test_early_data_skip_hrr_fail(int idx
)
3856 return early_data_skip_helper(2, idx
);
3860 * Test that a server attempting to read early data will abort if it tries to
3861 * skip over too much.
3863 static int test_early_data_skip_abort(int idx
)
3865 return early_data_skip_helper(3, idx
);
3869 * Test that a server attempting to read early data can handle a connection
3870 * from a client that doesn't send any.
3872 static int test_early_data_not_sent(int idx
)
3874 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3875 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3877 SSL_SESSION
*sess
= NULL
;
3878 unsigned char buf
[20];
3879 size_t readbytes
, written
;
3881 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3882 &serverssl
, &sess
, idx
)))
3885 /* Write some data - should block due to handshake with server */
3886 SSL_set_connect_state(clientssl
);
3887 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
)))
3890 /* Server should detect that early data has not been sent */
3891 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3893 SSL_READ_EARLY_DATA_FINISH
)
3894 || !TEST_size_t_eq(readbytes
, 0)
3895 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3896 SSL_EARLY_DATA_NOT_SENT
)
3897 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3898 SSL_EARLY_DATA_NOT_SENT
))
3901 /* Continue writing the message we started earlier */
3902 if (!TEST_true(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
3903 || !TEST_size_t_eq(written
, strlen(MSG1
))
3904 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3905 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
3906 || !SSL_write_ex(serverssl
, MSG2
, strlen(MSG2
), &written
)
3907 || !TEST_size_t_eq(written
, strlen(MSG2
)))
3910 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3911 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3917 SSL_SESSION_free(sess
);
3918 SSL_SESSION_free(clientpsk
);
3919 SSL_SESSION_free(serverpsk
);
3920 clientpsk
= serverpsk
= NULL
;
3921 SSL_free(serverssl
);
3922 SSL_free(clientssl
);
3928 static const char *servalpn
;
3930 static int alpn_select_cb(SSL
*ssl
, const unsigned char **out
,
3931 unsigned char *outlen
, const unsigned char *in
,
3932 unsigned int inlen
, void *arg
)
3934 unsigned int protlen
= 0;
3935 const unsigned char *prot
;
3937 for (prot
= in
; prot
< in
+ inlen
; prot
+= protlen
) {
3939 if (in
+ inlen
< prot
+ protlen
)
3940 return SSL_TLSEXT_ERR_NOACK
;
3942 if (protlen
== strlen(servalpn
)
3943 && memcmp(prot
, servalpn
, protlen
) == 0) {
3946 return SSL_TLSEXT_ERR_OK
;
3950 return SSL_TLSEXT_ERR_NOACK
;
3953 /* Test that a PSK can be used to send early_data */
3954 static int test_early_data_psk(int idx
)
3956 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3957 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3959 SSL_SESSION
*sess
= NULL
;
3960 unsigned char alpnlist
[] = {
3961 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3964 #define GOODALPNLEN 9
3965 #define BADALPNLEN 8
3966 #define GOODALPN (alpnlist)
3967 #define BADALPN (alpnlist + GOODALPNLEN)
3969 unsigned char buf
[20];
3970 size_t readbytes
, written
;
3971 int readearlyres
= SSL_READ_EARLY_DATA_SUCCESS
, connectres
= 1;
3972 int edstatus
= SSL_EARLY_DATA_ACCEPTED
;
3974 /* We always set this up with a final parameter of "2" for PSK */
3975 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3976 &serverssl
, &sess
, 2)))
3979 servalpn
= "goodalpn";
3982 * Note: There is no test for inconsistent SNI with late client detection.
3983 * This is because servers do not acknowledge SNI even if they are using
3984 * it in a resumption handshake - so it is not actually possible for a
3985 * client to detect a problem.
3989 /* Set inconsistent SNI (early client detection) */
3990 err
= SSL_R_INCONSISTENT_EARLY_DATA_SNI
;
3991 if (!TEST_true(SSL_SESSION_set1_hostname(sess
, "goodhost"))
3992 || !TEST_true(SSL_set_tlsext_host_name(clientssl
, "badhost")))
3997 /* Set inconsistent ALPN (early client detection) */
3998 err
= SSL_R_INCONSISTENT_EARLY_DATA_ALPN
;
3999 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4000 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess
, GOODALPN
,
4002 || !TEST_false(SSL_set_alpn_protos(clientssl
, BADALPN
,
4009 * Set invalid protocol version. Technically this affects PSKs without
4010 * early_data too, but we test it here because it is similar to the
4011 * SNI/ALPN consistency tests.
4013 err
= SSL_R_BAD_PSK
;
4014 if (!TEST_true(SSL_SESSION_set_protocol_version(sess
, TLS1_2_VERSION
)))
4020 * Set inconsistent SNI (server side). In this case the connection
4021 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4022 * is associated with each handshake - not the session. Therefore it
4023 * should not matter that we used a different server name last time.
4025 SSL_SESSION_free(serverpsk
);
4026 serverpsk
= SSL_SESSION_dup(clientpsk
);
4027 if (!TEST_ptr(serverpsk
)
4028 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk
, "badhost")))
4032 /* Set consistent SNI */
4033 if (!TEST_true(SSL_SESSION_set1_hostname(sess
, "goodhost"))
4034 || !TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost"))
4035 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
,
4042 * Set inconsistent ALPN (server detected). In this case the connection
4043 * will succeed but reject early_data.
4045 servalpn
= "badalpn";
4046 edstatus
= SSL_EARLY_DATA_REJECTED
;
4047 readearlyres
= SSL_READ_EARLY_DATA_FINISH
;
4051 * Set consistent ALPN.
4052 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4053 * accepts a list of protos (each one length prefixed).
4054 * SSL_set1_alpn_selected accepts a single protocol (not length
4057 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess
, GOODALPN
+ 1,
4059 || !TEST_false(SSL_set_alpn_protos(clientssl
, GOODALPN
,
4063 SSL_CTX_set_alpn_select_cb(sctx
, alpn_select_cb
, NULL
);
4067 /* Set inconsistent ALPN (late client detection) */
4068 SSL_SESSION_free(serverpsk
);
4069 serverpsk
= SSL_SESSION_dup(clientpsk
);
4070 if (!TEST_ptr(serverpsk
)
4071 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk
,
4074 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk
,
4077 || !TEST_false(SSL_set_alpn_protos(clientssl
, alpnlist
,
4080 SSL_CTX_set_alpn_select_cb(sctx
, alpn_select_cb
, NULL
);
4081 edstatus
= SSL_EARLY_DATA_ACCEPTED
;
4082 readearlyres
= SSL_READ_EARLY_DATA_SUCCESS
;
4083 /* SSL_connect() call should fail */
4088 TEST_error("Bad test index");
4092 SSL_set_connect_state(clientssl
);
4094 if (!TEST_false(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4096 || !TEST_int_eq(SSL_get_error(clientssl
, 0), SSL_ERROR_SSL
)
4097 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err
))
4100 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4104 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4105 &readbytes
), readearlyres
)
4106 || (readearlyres
== SSL_READ_EARLY_DATA_SUCCESS
4107 && !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
)))
4108 || !TEST_int_eq(SSL_get_early_data_status(serverssl
), edstatus
)
4109 || !TEST_int_eq(SSL_connect(clientssl
), connectres
))
4116 SSL_SESSION_free(sess
);
4117 SSL_SESSION_free(clientpsk
);
4118 SSL_SESSION_free(serverpsk
);
4119 clientpsk
= serverpsk
= NULL
;
4120 SSL_free(serverssl
);
4121 SSL_free(clientssl
);
4128 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4129 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4130 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4131 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4132 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4133 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4135 static int test_early_data_psk_with_all_ciphers(int idx
)
4137 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4138 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4140 SSL_SESSION
*sess
= NULL
;
4141 unsigned char buf
[20];
4142 size_t readbytes
, written
;
4143 const SSL_CIPHER
*cipher
;
4144 const char *cipher_str
[] = {
4145 TLS1_3_RFC_AES_128_GCM_SHA256
,
4146 TLS1_3_RFC_AES_256_GCM_SHA384
,
4147 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4148 TLS1_3_RFC_CHACHA20_POLY1305_SHA256
,
4152 TLS1_3_RFC_AES_128_CCM_SHA256
,
4153 TLS1_3_RFC_AES_128_CCM_8_SHA256
4155 const unsigned char *cipher_bytes
[] = {
4156 TLS13_AES_128_GCM_SHA256_BYTES
,
4157 TLS13_AES_256_GCM_SHA384_BYTES
,
4158 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4159 TLS13_CHACHA20_POLY1305_SHA256_BYTES
,
4163 TLS13_AES_128_CCM_SHA256_BYTES
,
4164 TLS13_AES_128_CCM_8_SHA256_BYTES
4167 if (cipher_str
[idx
] == NULL
)
4169 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4170 if (idx
== 2 && is_fips
== 1)
4173 /* We always set this up with a final parameter of "2" for PSK */
4174 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4175 &serverssl
, &sess
, 2)))
4179 /* CCM8 ciphers are considered low security due to their short tag */
4180 SSL_set_security_level(clientssl
, 0);
4181 SSL_set_security_level(serverssl
, 0);
4184 if (!TEST_true(SSL_set_ciphersuites(clientssl
, cipher_str
[idx
]))
4185 || !TEST_true(SSL_set_ciphersuites(serverssl
, cipher_str
[idx
])))
4189 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4190 * and assigns to both client and server with incremented reference
4191 * and the same instance is updated in 'sess'.
4192 * So updating ciphersuite in 'sess' which will get reflected in
4193 * PSK handshake using psk use sess and find sess cb.
4195 cipher
= SSL_CIPHER_find(clientssl
, cipher_bytes
[idx
]);
4196 if (!TEST_ptr(cipher
) || !TEST_true(SSL_SESSION_set_cipher(sess
, cipher
)))
4199 SSL_set_connect_state(clientssl
);
4200 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4204 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4206 SSL_READ_EARLY_DATA_SUCCESS
)
4207 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
4208 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4209 SSL_EARLY_DATA_ACCEPTED
)
4210 || !TEST_int_eq(SSL_connect(clientssl
), 1)
4211 || !TEST_int_eq(SSL_accept(serverssl
), 1))
4214 /* Send some normal data from client to server */
4215 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
4216 || !TEST_size_t_eq(written
, strlen(MSG2
)))
4219 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4220 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4225 SSL_SESSION_free(sess
);
4226 SSL_SESSION_free(clientpsk
);
4227 SSL_SESSION_free(serverpsk
);
4228 clientpsk
= serverpsk
= NULL
;
4229 if (clientssl
!= NULL
)
4230 SSL_shutdown(clientssl
);
4231 if (serverssl
!= NULL
)
4232 SSL_shutdown(serverssl
);
4233 SSL_free(serverssl
);
4234 SSL_free(clientssl
);
4241 * Test that a server that doesn't try to read early data can handle a
4242 * client sending some.
4244 static int test_early_data_not_expected(int idx
)
4246 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4247 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4249 SSL_SESSION
*sess
= NULL
;
4250 unsigned char buf
[20];
4251 size_t readbytes
, written
;
4253 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4254 &serverssl
, &sess
, idx
)))
4257 /* Write some early data */
4258 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4263 * Server should skip over early data and then block waiting for client to
4264 * continue handshake
4266 if (!TEST_int_le(SSL_accept(serverssl
), 0)
4267 || !TEST_int_gt(SSL_connect(clientssl
), 0)
4268 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4269 SSL_EARLY_DATA_REJECTED
)
4270 || !TEST_int_gt(SSL_accept(serverssl
), 0)
4271 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
4272 SSL_EARLY_DATA_REJECTED
))
4275 /* Send some normal data from client to server */
4276 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
4277 || !TEST_size_t_eq(written
, strlen(MSG2
)))
4280 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4281 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4287 SSL_SESSION_free(sess
);
4288 SSL_SESSION_free(clientpsk
);
4289 SSL_SESSION_free(serverpsk
);
4290 clientpsk
= serverpsk
= NULL
;
4291 SSL_free(serverssl
);
4292 SSL_free(clientssl
);
4299 # ifndef OPENSSL_NO_TLS1_2
4301 * Test that a server attempting to read early data can handle a connection
4302 * from a TLSv1.2 client.
4304 static int test_early_data_tls1_2(int idx
)
4306 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4307 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4309 unsigned char buf
[20];
4310 size_t readbytes
, written
;
4312 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4313 &serverssl
, NULL
, idx
)))
4316 /* Write some data - should block due to handshake with server */
4317 SSL_set_max_proto_version(clientssl
, TLS1_2_VERSION
);
4318 SSL_set_connect_state(clientssl
);
4319 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
)))
4323 * Server should do TLSv1.2 handshake. First it will block waiting for more
4324 * messages from client after ServerDone. Then SSL_read_early_data should
4325 * finish and detect that early data has not been sent
4327 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4329 SSL_READ_EARLY_DATA_ERROR
))
4333 * Continue writing the message we started earlier. Will still block waiting
4334 * for the CCS/Finished from server
4336 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
4337 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4339 SSL_READ_EARLY_DATA_FINISH
)
4340 || !TEST_size_t_eq(readbytes
, 0)
4341 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4342 SSL_EARLY_DATA_NOT_SENT
))
4345 /* Continue writing the message we started earlier */
4346 if (!TEST_true(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
4347 || !TEST_size_t_eq(written
, strlen(MSG1
))
4348 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
4349 SSL_EARLY_DATA_NOT_SENT
)
4350 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4351 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
4352 || !TEST_true(SSL_write_ex(serverssl
, MSG2
, strlen(MSG2
), &written
))
4353 || !TEST_size_t_eq(written
, strlen(MSG2
))
4354 || !SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
)
4355 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4361 SSL_SESSION_free(clientpsk
);
4362 SSL_SESSION_free(serverpsk
);
4363 clientpsk
= serverpsk
= NULL
;
4364 SSL_free(serverssl
);
4365 SSL_free(clientssl
);
4371 # endif /* OPENSSL_NO_TLS1_2 */
4374 * Test configuring the TLSv1.3 ciphersuites
4376 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4377 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4378 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4379 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4380 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4381 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4382 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4383 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4384 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4385 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4387 static int test_set_ciphersuite(int idx
)
4389 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4390 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4393 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4394 TLS_client_method(), TLS1_VERSION
, 0,
4395 &sctx
, &cctx
, cert
, privkey
))
4396 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4397 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4400 if (idx
>=4 && idx
<= 7) {
4401 /* SSL_CTX explicit cipher list */
4402 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "AES256-GCM-SHA384")))
4406 if (idx
== 0 || idx
== 4) {
4407 /* Default ciphersuite */
4408 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4409 "TLS_AES_128_GCM_SHA256")))
4411 } else if (idx
== 1 || idx
== 5) {
4412 /* Non default ciphersuite */
4413 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4414 "TLS_AES_128_CCM_SHA256")))
4418 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4419 &clientssl
, NULL
, NULL
)))
4422 if (idx
== 8 || idx
== 9) {
4423 /* SSL explicit cipher list */
4424 if (!TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384")))
4428 if (idx
== 2 || idx
== 6 || idx
== 8) {
4429 /* Default ciphersuite */
4430 if (!TEST_true(SSL_set_ciphersuites(clientssl
,
4431 "TLS_AES_128_GCM_SHA256")))
4433 } else if (idx
== 3 || idx
== 7 || idx
== 9) {
4434 /* Non default ciphersuite */
4435 if (!TEST_true(SSL_set_ciphersuites(clientssl
,
4436 "TLS_AES_128_CCM_SHA256")))
4440 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4446 SSL_free(serverssl
);
4447 SSL_free(clientssl
);
4454 static int test_ciphersuite_change(void)
4456 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4457 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4458 SSL_SESSION
*clntsess
= NULL
;
4460 const SSL_CIPHER
*aes_128_gcm_sha256
= NULL
;
4462 /* Create a session based on SHA-256 */
4463 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4464 TLS_client_method(), TLS1_VERSION
, 0,
4465 &sctx
, &cctx
, cert
, privkey
))
4466 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4467 "TLS_AES_128_GCM_SHA256:"
4468 "TLS_AES_256_GCM_SHA384:"
4469 "TLS_AES_128_CCM_SHA256"))
4470 || !TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4471 "TLS_AES_128_GCM_SHA256")))
4474 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4476 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4480 clntsess
= SSL_get1_session(clientssl
);
4481 /* Save for later */
4482 aes_128_gcm_sha256
= SSL_SESSION_get0_cipher(clntsess
);
4483 SSL_shutdown(clientssl
);
4484 SSL_shutdown(serverssl
);
4485 SSL_free(serverssl
);
4486 SSL_free(clientssl
);
4487 serverssl
= clientssl
= NULL
;
4489 /* Check we can resume a session with a different SHA-256 ciphersuite */
4490 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4491 "TLS_AES_128_CCM_SHA256"))
4492 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4493 &clientssl
, NULL
, NULL
))
4494 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4495 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4497 || !TEST_true(SSL_session_reused(clientssl
)))
4500 SSL_SESSION_free(clntsess
);
4501 clntsess
= SSL_get1_session(clientssl
);
4502 SSL_shutdown(clientssl
);
4503 SSL_shutdown(serverssl
);
4504 SSL_free(serverssl
);
4505 SSL_free(clientssl
);
4506 serverssl
= clientssl
= NULL
;
4509 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4510 * succeeds but does not resume.
4512 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, "TLS_AES_256_GCM_SHA384"))
4513 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4515 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4516 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4518 || !TEST_false(SSL_session_reused(clientssl
)))
4521 SSL_SESSION_free(clntsess
);
4523 SSL_shutdown(clientssl
);
4524 SSL_shutdown(serverssl
);
4525 SSL_free(serverssl
);
4526 SSL_free(clientssl
);
4527 serverssl
= clientssl
= NULL
;
4529 /* Create a session based on SHA384 */
4530 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, "TLS_AES_256_GCM_SHA384"))
4531 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4532 &clientssl
, NULL
, NULL
))
4533 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4537 clntsess
= SSL_get1_session(clientssl
);
4538 SSL_shutdown(clientssl
);
4539 SSL_shutdown(serverssl
);
4540 SSL_free(serverssl
);
4541 SSL_free(clientssl
);
4542 serverssl
= clientssl
= NULL
;
4544 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4545 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4546 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4547 "TLS_AES_256_GCM_SHA384"))
4548 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4550 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4552 * We use SSL_ERROR_WANT_READ below so that we can pause the
4553 * connection after the initial ClientHello has been sent to
4554 * enable us to make some session changes.
4556 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
4557 SSL_ERROR_WANT_READ
)))
4560 /* Trick the client into thinking this session is for a different digest */
4561 clntsess
->cipher
= aes_128_gcm_sha256
;
4562 clntsess
->cipher_id
= clntsess
->cipher
->id
;
4565 * Continue the previously started connection. Server has selected a SHA-384
4566 * ciphersuite, but client thinks the session is for SHA-256, so it should
4569 if (!TEST_false(create_ssl_connection(serverssl
, clientssl
,
4571 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4572 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED
))
4578 SSL_SESSION_free(clntsess
);
4579 SSL_free(serverssl
);
4580 SSL_free(clientssl
);
4588 * Test TLSv1.3 Key exchange
4589 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4590 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4591 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4592 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4593 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4594 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4595 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4596 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4597 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4598 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4599 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4600 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4601 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4602 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4604 # ifndef OPENSSL_NO_EC
4605 static int ecdhe_kexch_groups
[] = {NID_X9_62_prime256v1
, NID_secp384r1
,
4606 NID_secp521r1
, NID_X25519
, NID_X448
};
4608 # ifndef OPENSSL_NO_DH
4609 static int ffdhe_kexch_groups
[] = {NID_ffdhe2048
, NID_ffdhe3072
, NID_ffdhe4096
,
4610 NID_ffdhe6144
, NID_ffdhe8192
};
4612 static int test_key_exchange(int idx
)
4614 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4615 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4618 int *kexch_groups
= &kexch_alg
;
4619 int kexch_groups_size
= 1;
4620 int max_version
= TLS1_3_VERSION
;
4621 char *kexch_name0
= NULL
;
4624 # ifndef OPENSSL_NO_EC
4625 # ifndef OPENSSL_NO_TLS1_2
4627 max_version
= TLS1_2_VERSION
;
4631 kexch_groups
= ecdhe_kexch_groups
;
4632 kexch_groups_size
= OSSL_NELEM(ecdhe_kexch_groups
);
4633 kexch_name0
= "secp256r1";
4636 kexch_alg
= NID_X9_62_prime256v1
;
4637 kexch_name0
= "secp256r1";
4640 kexch_alg
= NID_secp384r1
;
4641 kexch_name0
= "secp384r1";
4644 kexch_alg
= NID_secp521r1
;
4645 kexch_name0
= "secp521r1";
4648 kexch_alg
= NID_X25519
;
4649 kexch_name0
= "x25519";
4652 kexch_alg
= NID_X448
;
4653 kexch_name0
= "x448";
4656 # ifndef OPENSSL_NO_DH
4657 # ifndef OPENSSL_NO_TLS1_2
4659 max_version
= TLS1_2_VERSION
;
4660 kexch_name0
= "ffdhe2048";
4664 kexch_groups
= ffdhe_kexch_groups
;
4665 kexch_groups_size
= OSSL_NELEM(ffdhe_kexch_groups
);
4666 kexch_name0
= "ffdhe2048";
4669 kexch_alg
= NID_ffdhe2048
;
4670 kexch_name0
= "ffdhe2048";
4673 kexch_alg
= NID_ffdhe3072
;
4674 kexch_name0
= "ffdhe3072";
4677 kexch_alg
= NID_ffdhe4096
;
4678 kexch_name0
= "ffdhe4096";
4681 kexch_alg
= NID_ffdhe6144
;
4682 kexch_name0
= "ffdhe6144";
4685 kexch_alg
= NID_ffdhe8192
;
4686 kexch_name0
= "ffdhe8192";
4690 /* We're skipping this test */
4694 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4695 TLS_client_method(), TLS1_VERSION
,
4696 max_version
, &sctx
, &cctx
, cert
,
4700 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4701 TLS1_3_RFC_AES_128_GCM_SHA256
)))
4704 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4705 TLS1_3_RFC_AES_128_GCM_SHA256
)))
4708 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
,
4709 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4710 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
))
4711 || !TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
4715 * Must include an EC ciphersuite so that we send supported groups in
4718 # ifndef OPENSSL_NO_TLS1_2
4719 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
4720 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4721 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
)))
4725 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4729 if (!TEST_true(SSL_set1_groups(serverssl
, kexch_groups
, kexch_groups_size
))
4730 || !TEST_true(SSL_set1_groups(clientssl
, kexch_groups
, kexch_groups_size
)))
4733 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4737 * If Handshake succeeds the negotiated kexch alg should be the first one in
4738 * configured, except in the case of FFDHE groups (idx 13), which are
4739 * TLSv1.3 only so we expect no shared group to exist.
4741 if (!TEST_int_eq(SSL_get_shared_group(serverssl
, 0),
4742 idx
== 13 ? 0 : kexch_groups
[0]))
4745 if (!TEST_str_eq(SSL_group_to_name(serverssl
, kexch_groups
[0]),
4749 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4751 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl
), kexch_groups
[0]))
4753 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl
), kexch_groups
[0]))
4759 SSL_free(serverssl
);
4760 SSL_free(clientssl
);
4766 # if !defined(OPENSSL_NO_TLS1_2) \
4767 && !defined(OPENSSL_NO_EC) \
4768 && !defined(OPENSSL_NO_DH)
4769 static int set_ssl_groups(SSL
*serverssl
, SSL
*clientssl
, int clientmulti
,
4770 int isecdhe
, int idx
)
4773 int *kexch_groups
= &kexch_alg
;
4776 numec
= OSSL_NELEM(ecdhe_kexch_groups
);
4777 numff
= OSSL_NELEM(ffdhe_kexch_groups
);
4779 kexch_alg
= ecdhe_kexch_groups
[idx
];
4781 kexch_alg
= ffdhe_kexch_groups
[idx
];
4784 if (!TEST_true(SSL_set1_groups(serverssl
, kexch_groups
, 1)))
4787 if (!TEST_true(SSL_set1_groups(clientssl
, ecdhe_kexch_groups
,
4791 if (!TEST_true(SSL_set1_groups(clientssl
, ffdhe_kexch_groups
,
4796 if (!TEST_true(SSL_set1_groups(clientssl
, kexch_groups
, 1)))
4799 if (!TEST_true(SSL_set1_groups(serverssl
, ecdhe_kexch_groups
,
4803 if (!TEST_true(SSL_set1_groups(serverssl
, ffdhe_kexch_groups
,
4812 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4813 * Run through both the ECDHE and FFDHE group lists used in the previous
4814 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4815 * confirming the expected result; then perform a resumption handshake
4816 * while offering the same group list, and another resumption handshake
4817 * offering a different group list. The returned value should be the
4818 * negotiated group for the initial handshake; for TLS 1.3 resumption
4819 * handshakes the returned value will be negotiated on the resumption
4820 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4821 * be cached in the session from the original handshake, regardless of what
4822 * was offered in the resumption ClientHello.
4824 * Using E for the number of EC groups and F for the number of FF groups:
4825 * E tests of ECDHE with TLS 1.3, server only has one group
4826 * F tests of FFDHE with TLS 1.3, server only has one group
4827 * E tests of ECDHE with TLS 1.2, server only has one group
4828 * F tests of FFDHE with TLS 1.2, server only has one group
4829 * E tests of ECDHE with TLS 1.3, client sends only one group
4830 * F tests of FFDHE with TLS 1.3, client sends only one group
4831 * E tests of ECDHE with TLS 1.2, client sends only one group
4832 * F tests of FFDHE with TLS 1.2, client sends only one group
4834 static int test_negotiated_group(int idx
)
4836 int clientmulti
, istls13
, isecdhe
, numec
, numff
, numgroups
;
4838 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4839 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4840 SSL_SESSION
*origsess
= NULL
;
4843 int max_version
= TLS1_3_VERSION
;
4845 numec
= OSSL_NELEM(ecdhe_kexch_groups
);
4846 numff
= OSSL_NELEM(ffdhe_kexch_groups
);
4847 numgroups
= numec
+ numff
;
4848 clientmulti
= (idx
< 2 * numgroups
);
4849 idx
= idx
% (2 * numgroups
);
4850 istls13
= (idx
< numgroups
);
4851 idx
= idx
% numgroups
;
4852 isecdhe
= (idx
< numec
);
4855 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4857 kexch_alg
= ecdhe_kexch_groups
[idx
];
4859 kexch_alg
= ffdhe_kexch_groups
[idx
];
4860 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4861 if (!istls13
&& !isecdhe
)
4862 expectednid
= NID_undef
;
4864 expectednid
= kexch_alg
;
4867 max_version
= TLS1_2_VERSION
;
4869 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4870 TLS_client_method(), TLS1_VERSION
,
4871 max_version
, &sctx
, &cctx
, cert
,
4876 * Force (EC)DHE ciphers for TLS 1.2.
4877 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4879 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
,
4880 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4881 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
))
4882 || !TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
4884 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
4885 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4886 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
)))
4889 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4893 if (!TEST_true(set_ssl_groups(serverssl
, clientssl
, clientmulti
, isecdhe
,
4897 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4900 /* Initial handshake; always the configured one */
4901 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl
), expectednid
)
4902 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl
), expectednid
))
4905 if (!TEST_ptr((origsess
= SSL_get1_session(clientssl
))))
4908 SSL_shutdown(clientssl
);
4909 SSL_shutdown(serverssl
);
4910 SSL_free(serverssl
);
4911 SSL_free(clientssl
);
4912 serverssl
= clientssl
= NULL
;
4914 /* First resumption attempt; use the same config as initial handshake */
4915 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4917 || !TEST_true(SSL_set_session(clientssl
, origsess
))
4918 || !TEST_true(set_ssl_groups(serverssl
, clientssl
, clientmulti
,
4922 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
4923 || !TEST_true(SSL_session_reused(clientssl
)))
4926 /* Still had better agree, since nothing changed... */
4927 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl
), expectednid
)
4928 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl
), expectednid
))
4931 SSL_shutdown(clientssl
);
4932 SSL_shutdown(serverssl
);
4933 SSL_free(serverssl
);
4934 SSL_free(clientssl
);
4935 serverssl
= clientssl
= NULL
;
4938 * Second resumption attempt
4939 * The party that picks one group changes it, which we effectuate by
4940 * changing 'idx' and updating what we expect.
4948 expectednid
= ecdhe_kexch_groups
[idx
];
4950 expectednid
= ffdhe_kexch_groups
[idx
];
4951 /* Verify that we are changing what we expect. */
4952 if (!TEST_int_ne(expectednid
, kexch_alg
))
4955 /* TLS 1.2 only supports named groups for ECDHE. */
4957 expectednid
= kexch_alg
;
4961 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4963 || !TEST_true(SSL_set_session(clientssl
, origsess
))
4964 || !TEST_true(set_ssl_groups(serverssl
, clientssl
, clientmulti
,
4968 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
4969 || !TEST_true(SSL_session_reused(clientssl
)))
4972 /* Check that we get what we expected */
4973 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl
), expectednid
)
4974 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl
), expectednid
))
4979 SSL_free(serverssl
);
4980 SSL_free(clientssl
);
4983 SSL_SESSION_free(origsess
);
4986 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4989 * Test TLSv1.3 Cipher Suite
4990 * Test 0 = Set TLS1.3 cipher on context
4991 * Test 1 = Set TLS1.3 cipher on SSL
4992 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4993 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4995 static int test_tls13_ciphersuite(int idx
)
4997 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4998 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4999 static const struct {
5000 const char *ciphername
;
5004 { TLS1_3_RFC_AES_128_GCM_SHA256
, 1, 0 },
5005 { TLS1_3_RFC_AES_256_GCM_SHA384
, 1, 0 },
5006 { TLS1_3_RFC_AES_128_CCM_SHA256
, 1, 0 },
5007 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5008 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256
, 0, 0 },
5009 { TLS1_3_RFC_AES_256_GCM_SHA384
5010 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256
, 0, 0 },
5012 /* CCM8 ciphers are considered low security due to their short tag */
5013 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5014 ":" TLS1_3_RFC_AES_128_CCM_SHA256
, 1, 1 }
5016 const char *t13_cipher
= NULL
;
5017 const char *t12_cipher
= NULL
;
5018 const char *negotiated_scipher
;
5019 const char *negotiated_ccipher
;
5035 t12_cipher
= TLS1_TXT_RSA_WITH_AES_128_SHA256
;
5039 t12_cipher
= TLS1_TXT_RSA_WITH_AES_128_SHA256
;
5043 for (max_ver
= TLS1_2_VERSION
; max_ver
<= TLS1_3_VERSION
; max_ver
++) {
5044 # ifdef OPENSSL_NO_TLS1_2
5045 if (max_ver
== TLS1_2_VERSION
)
5048 for (i
= 0; i
< OSSL_NELEM(t13_ciphers
); i
++) {
5049 if (is_fips
&& !t13_ciphers
[i
].fipscapable
)
5051 t13_cipher
= t13_ciphers
[i
].ciphername
;
5052 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5053 TLS_client_method(),
5054 TLS1_VERSION
, max_ver
,
5055 &sctx
, &cctx
, cert
, privkey
)))
5058 if (t13_ciphers
[i
].low_security
) {
5059 SSL_CTX_set_security_level(sctx
, 0);
5060 SSL_CTX_set_security_level(cctx
, 0);
5064 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx
, t13_cipher
))
5065 || !TEST_true(SSL_CTX_set_ciphersuites(cctx
, t13_cipher
)))
5067 if (t12_cipher
!= NULL
) {
5068 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, t12_cipher
))
5069 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
5075 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
5076 &clientssl
, NULL
, NULL
)))
5080 if (!TEST_true(SSL_set_ciphersuites(serverssl
, t13_cipher
))
5081 || !TEST_true(SSL_set_ciphersuites(clientssl
, t13_cipher
)))
5083 if (t12_cipher
!= NULL
) {
5084 if (!TEST_true(SSL_set_cipher_list(serverssl
, t12_cipher
))
5085 || !TEST_true(SSL_set_cipher_list(clientssl
,
5091 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
5095 negotiated_scipher
= SSL_CIPHER_get_name(SSL_get_current_cipher(
5097 negotiated_ccipher
= SSL_CIPHER_get_name(SSL_get_current_cipher(
5099 if (!TEST_str_eq(negotiated_scipher
, negotiated_ccipher
))
5103 * TEST_strn_eq is used below because t13_cipher can contain
5104 * multiple ciphersuites
5106 if (max_ver
== TLS1_3_VERSION
5107 && !TEST_strn_eq(t13_cipher
, negotiated_scipher
,
5108 strlen(negotiated_scipher
)))
5111 # ifndef OPENSSL_NO_TLS1_2
5112 /* Below validation is not done when t12_cipher is NULL */
5113 if (max_ver
== TLS1_2_VERSION
&& t12_cipher
!= NULL
5114 && !TEST_str_eq(t12_cipher
, negotiated_scipher
))
5118 SSL_free(serverssl
);
5120 SSL_free(clientssl
);
5131 SSL_free(serverssl
);
5132 SSL_free(clientssl
);
5140 * Test 0 = Test new style callbacks
5141 * Test 1 = Test both new and old style callbacks
5142 * Test 2 = Test old style callbacks
5143 * Test 3 = Test old style callbacks with no certificate
5145 static int test_tls13_psk(int idx
)
5147 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
5148 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
5149 const SSL_CIPHER
*cipher
= NULL
;
5150 const unsigned char key
[] = {
5151 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5152 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5153 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5154 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5158 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5159 TLS_client_method(), TLS1_VERSION
, 0,
5160 &sctx
, &cctx
, idx
== 3 ? NULL
: cert
,
5161 idx
== 3 ? NULL
: privkey
)))
5166 * We use a ciphersuite with SHA256 to ease testing old style PSK
5167 * callbacks which will always default to SHA256. This should not be
5168 * necessary if we have no cert/priv key. In that case the server should
5169 * prefer SHA256 automatically.
5171 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
5172 "TLS_AES_128_GCM_SHA256")))
5176 * As noted above the server should prefer SHA256 automatically. However
5177 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5178 * code works even if we are testing with only the FIPS provider loaded.
5180 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
5181 "TLS_AES_256_GCM_SHA384:"
5182 "TLS_AES_128_GCM_SHA256")))
5187 * Test 0: New style callbacks only
5188 * Test 1: New and old style callbacks (only the new ones should be used)
5189 * Test 2: Old style callbacks only
5191 if (idx
== 0 || idx
== 1) {
5192 SSL_CTX_set_psk_use_session_callback(cctx
, use_session_cb
);
5193 SSL_CTX_set_psk_find_session_callback(sctx
, find_session_cb
);
5195 #ifndef OPENSSL_NO_PSK
5197 SSL_CTX_set_psk_client_callback(cctx
, psk_client_cb
);
5198 SSL_CTX_set_psk_server_callback(sctx
, psk_server_cb
);
5202 use_session_cb_cnt
= 0;
5203 find_session_cb_cnt
= 0;
5204 psk_client_cb_cnt
= 0;
5205 psk_server_cb_cnt
= 0;
5209 * Check we can create a connection if callback decides not to send a
5212 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5214 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5216 || !TEST_false(SSL_session_reused(clientssl
))
5217 || !TEST_false(SSL_session_reused(serverssl
)))
5220 if (idx
== 0 || idx
== 1) {
5221 if (!TEST_true(use_session_cb_cnt
== 1)
5222 || !TEST_true(find_session_cb_cnt
== 0)
5224 * If no old style callback then below should be 0
5227 || !TEST_true(psk_client_cb_cnt
== idx
)
5228 || !TEST_true(psk_server_cb_cnt
== 0))
5231 if (!TEST_true(use_session_cb_cnt
== 0)
5232 || !TEST_true(find_session_cb_cnt
== 0)
5233 || !TEST_true(psk_client_cb_cnt
== 1)
5234 || !TEST_true(psk_server_cb_cnt
== 0))
5238 shutdown_ssl_connection(serverssl
, clientssl
);
5239 serverssl
= clientssl
= NULL
;
5240 use_session_cb_cnt
= psk_client_cb_cnt
= 0;
5243 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5247 /* Create the PSK */
5248 cipher
= SSL_CIPHER_find(clientssl
, TLS13_AES_128_GCM_SHA256_BYTES
);
5249 clientpsk
= SSL_SESSION_new();
5250 if (!TEST_ptr(clientpsk
)
5251 || !TEST_ptr(cipher
)
5252 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk
, key
,
5254 || !TEST_true(SSL_SESSION_set_cipher(clientpsk
, cipher
))
5255 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk
,
5257 || !TEST_true(SSL_SESSION_up_ref(clientpsk
)))
5259 serverpsk
= clientpsk
;
5261 /* Check we can create a connection and the PSK is used */
5262 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
5263 || !TEST_true(SSL_session_reused(clientssl
))
5264 || !TEST_true(SSL_session_reused(serverssl
)))
5267 if (idx
== 0 || idx
== 1) {
5268 if (!TEST_true(use_session_cb_cnt
== 1)
5269 || !TEST_true(find_session_cb_cnt
== 1)
5270 || !TEST_true(psk_client_cb_cnt
== 0)
5271 || !TEST_true(psk_server_cb_cnt
== 0))
5274 if (!TEST_true(use_session_cb_cnt
== 0)
5275 || !TEST_true(find_session_cb_cnt
== 0)
5276 || !TEST_true(psk_client_cb_cnt
== 1)
5277 || !TEST_true(psk_server_cb_cnt
== 1))
5281 shutdown_ssl_connection(serverssl
, clientssl
);
5282 serverssl
= clientssl
= NULL
;
5283 use_session_cb_cnt
= find_session_cb_cnt
= 0;
5284 psk_client_cb_cnt
= psk_server_cb_cnt
= 0;
5286 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5291 #if defined(OPENSSL_NO_EC)
5292 if (!TEST_true(SSL_set1_groups_list(serverssl
, "ffdhe3072")))
5295 if (!TEST_true(SSL_set1_groups_list(serverssl
, "P-256")))
5300 * Check we can create a connection, the PSK is used and the callbacks are
5303 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
5304 || !TEST_true(SSL_session_reused(clientssl
))
5305 || !TEST_true(SSL_session_reused(serverssl
)))
5308 if (idx
== 0 || idx
== 1) {
5309 if (!TEST_true(use_session_cb_cnt
== 2)
5310 || !TEST_true(find_session_cb_cnt
== 2)
5311 || !TEST_true(psk_client_cb_cnt
== 0)
5312 || !TEST_true(psk_server_cb_cnt
== 0))
5315 if (!TEST_true(use_session_cb_cnt
== 0)
5316 || !TEST_true(find_session_cb_cnt
== 0)
5317 || !TEST_true(psk_client_cb_cnt
== 2)
5318 || !TEST_true(psk_server_cb_cnt
== 2))
5322 shutdown_ssl_connection(serverssl
, clientssl
);
5323 serverssl
= clientssl
= NULL
;
5324 use_session_cb_cnt
= find_session_cb_cnt
= 0;
5325 psk_client_cb_cnt
= psk_server_cb_cnt
= 0;
5329 * Check that if the server rejects the PSK we can still connect, but with
5332 srvid
= "Dummy Identity";
5333 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5335 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5337 || !TEST_false(SSL_session_reused(clientssl
))
5338 || !TEST_false(SSL_session_reused(serverssl
)))
5341 if (idx
== 0 || idx
== 1) {
5342 if (!TEST_true(use_session_cb_cnt
== 1)
5343 || !TEST_true(find_session_cb_cnt
== 1)
5344 || !TEST_true(psk_client_cb_cnt
== 0)
5346 * If no old style callback then below should be 0
5349 || !TEST_true(psk_server_cb_cnt
== idx
))
5352 if (!TEST_true(use_session_cb_cnt
== 0)
5353 || !TEST_true(find_session_cb_cnt
== 0)
5354 || !TEST_true(psk_client_cb_cnt
== 1)
5355 || !TEST_true(psk_server_cb_cnt
== 1))
5359 shutdown_ssl_connection(serverssl
, clientssl
);
5360 serverssl
= clientssl
= NULL
;
5365 SSL_SESSION_free(clientpsk
);
5366 SSL_SESSION_free(serverpsk
);
5367 clientpsk
= serverpsk
= NULL
;
5368 SSL_free(serverssl
);
5369 SSL_free(clientssl
);
5375 static unsigned char cookie_magic_value
[] = "cookie magic";
5377 static int generate_cookie_callback(SSL
*ssl
, unsigned char *cookie
,
5378 unsigned int *cookie_len
)
5381 * Not suitable as a real cookie generation function but good enough for
5384 memcpy(cookie
, cookie_magic_value
, sizeof(cookie_magic_value
) - 1);
5385 *cookie_len
= sizeof(cookie_magic_value
) - 1;
5390 static int verify_cookie_callback(SSL
*ssl
, const unsigned char *cookie
,
5391 unsigned int cookie_len
)
5393 if (cookie_len
== sizeof(cookie_magic_value
) - 1
5394 && memcmp(cookie
, cookie_magic_value
, cookie_len
) == 0)
5400 static int generate_stateless_cookie_callback(SSL
*ssl
, unsigned char *cookie
,
5404 int res
= generate_cookie_callback(ssl
, cookie
, &temp
);
5409 static int verify_stateless_cookie_callback(SSL
*ssl
, const unsigned char *cookie
,
5412 return verify_cookie_callback(ssl
, cookie
, cookie_len
);
5415 static int test_stateless(void)
5417 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
5418 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
5421 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5422 TLS_client_method(), TLS1_VERSION
, 0,
5423 &sctx
, &cctx
, cert
, privkey
)))
5426 /* The arrival of CCS messages can confuse the test */
5427 SSL_CTX_clear_options(cctx
, SSL_OP_ENABLE_MIDDLEBOX_COMPAT
);
5429 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5431 /* Send the first ClientHello */
5432 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5433 SSL_ERROR_WANT_READ
))
5435 * This should fail with a -1 return because we have no callbacks
5438 || !TEST_int_eq(SSL_stateless(serverssl
), -1))
5441 /* Fatal error so abandon the connection from this client */
5442 SSL_free(clientssl
);
5445 /* Set up the cookie generation and verification callbacks */
5446 SSL_CTX_set_stateless_cookie_generate_cb(sctx
, generate_stateless_cookie_callback
);
5447 SSL_CTX_set_stateless_cookie_verify_cb(sctx
, verify_stateless_cookie_callback
);
5450 * Create a new connection from the client (we can reuse the server SSL
5453 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5455 /* Send the first ClientHello */
5456 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5457 SSL_ERROR_WANT_READ
))
5458 /* This should fail because there is no cookie */
5459 || !TEST_int_eq(SSL_stateless(serverssl
), 0))
5462 /* Abandon the connection from this client */
5463 SSL_free(clientssl
);
5467 * Now create a connection from a new client but with the same server SSL
5470 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5472 /* Send the first ClientHello */
5473 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5474 SSL_ERROR_WANT_READ
))
5475 /* This should fail because there is no cookie */
5476 || !TEST_int_eq(SSL_stateless(serverssl
), 0)
5477 /* Send the second ClientHello */
5478 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5479 SSL_ERROR_WANT_READ
))
5480 /* This should succeed because a cookie is now present */
5481 || !TEST_int_eq(SSL_stateless(serverssl
), 1)
5482 /* Complete the connection */
5483 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5487 shutdown_ssl_connection(serverssl
, clientssl
);
5488 serverssl
= clientssl
= NULL
;
5492 SSL_free(serverssl
);
5493 SSL_free(clientssl
);
5499 #endif /* OSSL_NO_USABLE_TLS1_3 */
5501 static int clntaddoldcb
= 0;
5502 static int clntparseoldcb
= 0;
5503 static int srvaddoldcb
= 0;
5504 static int srvparseoldcb
= 0;
5505 static int clntaddnewcb
= 0;
5506 static int clntparsenewcb
= 0;
5507 static int srvaddnewcb
= 0;
5508 static int srvparsenewcb
= 0;
5509 static int snicb
= 0;
5511 #define TEST_EXT_TYPE1 0xff00
5513 static int old_add_cb(SSL
*s
, unsigned int ext_type
, const unsigned char **out
,
5514 size_t *outlen
, int *al
, void *add_arg
)
5516 int *server
= (int *)add_arg
;
5517 unsigned char *data
;
5519 if (SSL_is_server(s
))
5524 if (*server
!= SSL_is_server(s
)
5525 || (data
= OPENSSL_malloc(sizeof(*data
))) == NULL
)
5530 *outlen
= sizeof(char);
5534 static void old_free_cb(SSL
*s
, unsigned int ext_type
, const unsigned char *out
,
5537 OPENSSL_free((unsigned char *)out
);
5540 static int old_parse_cb(SSL
*s
, unsigned int ext_type
, const unsigned char *in
,
5541 size_t inlen
, int *al
, void *parse_arg
)
5543 int *server
= (int *)parse_arg
;
5545 if (SSL_is_server(s
))
5550 if (*server
!= SSL_is_server(s
)
5551 || inlen
!= sizeof(char)
5558 static int new_add_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5559 const unsigned char **out
, size_t *outlen
, X509
*x
,
5560 size_t chainidx
, int *al
, void *add_arg
)
5562 int *server
= (int *)add_arg
;
5563 unsigned char *data
;
5565 if (SSL_is_server(s
))
5570 if (*server
!= SSL_is_server(s
)
5571 || (data
= OPENSSL_malloc(sizeof(*data
))) == NULL
)
5576 *outlen
= sizeof(*data
);
5580 static void new_free_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5581 const unsigned char *out
, void *add_arg
)
5583 OPENSSL_free((unsigned char *)out
);
5586 static int new_parse_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5587 const unsigned char *in
, size_t inlen
, X509
*x
,
5588 size_t chainidx
, int *al
, void *parse_arg
)
5590 int *server
= (int *)parse_arg
;
5592 if (SSL_is_server(s
))
5597 if (*server
!= SSL_is_server(s
)
5598 || inlen
!= sizeof(char) || *in
!= 1)
5604 static int sni_cb(SSL
*s
, int *al
, void *arg
)
5606 SSL_CTX
*ctx
= (SSL_CTX
*)arg
;
5608 if (SSL_set_SSL_CTX(s
, ctx
) == NULL
) {
5609 *al
= SSL_AD_INTERNAL_ERROR
;
5610 return SSL_TLSEXT_ERR_ALERT_FATAL
;
5613 return SSL_TLSEXT_ERR_OK
;
5616 static int verify_cb(int preverify_ok
, X509_STORE_CTX
*x509_ctx
)
5622 * Custom call back tests.
5623 * Test 0: Old style callbacks in TLSv1.2
5624 * Test 1: New style callbacks in TLSv1.2
5625 * Test 2: New style callbacks in TLSv1.2 with SNI
5626 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5627 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5628 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5630 static int test_custom_exts(int tst
)
5632 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
5633 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5635 static int server
= 1;
5636 static int client
= 0;
5637 SSL_SESSION
*sess
= NULL
;
5638 unsigned int context
;
5640 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5641 /* Skip tests for TLSv1.2 and below in this case */
5646 /* Reset callback counters */
5647 clntaddoldcb
= clntparseoldcb
= srvaddoldcb
= srvparseoldcb
= 0;
5648 clntaddnewcb
= clntparsenewcb
= srvaddnewcb
= srvparsenewcb
= 0;
5651 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5652 TLS_client_method(), TLS1_VERSION
, 0,
5653 &sctx
, &cctx
, cert
, privkey
)))
5657 && !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(), NULL
,
5659 &sctx2
, NULL
, cert
, privkey
)))
5664 SSL_CTX_set_options(cctx
, SSL_OP_NO_TLSv1_3
);
5665 SSL_CTX_set_options(sctx
, SSL_OP_NO_TLSv1_3
);
5667 SSL_CTX_set_options(sctx2
, SSL_OP_NO_TLSv1_3
);
5671 context
= SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5672 | SSL_EXT_TLS1_3_CERTIFICATE
;
5673 SSL_CTX_set_verify(sctx
,
5674 SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
,
5676 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx
, cert
,
5677 SSL_FILETYPE_PEM
), 1)
5678 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx
, privkey
,
5679 SSL_FILETYPE_PEM
), 1)
5680 || !TEST_int_eq(SSL_CTX_check_private_key(cctx
), 1))
5682 } else if (tst
== 4) {
5683 context
= SSL_EXT_CLIENT_HELLO
5684 | SSL_EXT_TLS1_2_SERVER_HELLO
5685 | SSL_EXT_TLS1_3_SERVER_HELLO
5686 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5687 | SSL_EXT_TLS1_3_CERTIFICATE
5688 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET
;
5690 context
= SSL_EXT_CLIENT_HELLO
5691 | SSL_EXT_TLS1_2_SERVER_HELLO
5692 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
;
5695 /* Create a client side custom extension */
5697 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx
, TEST_EXT_TYPE1
,
5698 old_add_cb
, old_free_cb
,
5699 &client
, old_parse_cb
,
5703 if (!TEST_true(SSL_CTX_add_custom_ext(cctx
, TEST_EXT_TYPE1
, context
,
5704 new_add_cb
, new_free_cb
,
5705 &client
, new_parse_cb
, &client
)))
5709 /* Should not be able to add duplicates */
5710 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx
, TEST_EXT_TYPE1
,
5711 old_add_cb
, old_free_cb
,
5712 &client
, old_parse_cb
,
5714 || !TEST_false(SSL_CTX_add_custom_ext(cctx
, TEST_EXT_TYPE1
,
5715 context
, new_add_cb
,
5716 new_free_cb
, &client
,
5717 new_parse_cb
, &client
)))
5720 /* Create a server side custom extension */
5722 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx
, TEST_EXT_TYPE1
,
5723 old_add_cb
, old_free_cb
,
5724 &server
, old_parse_cb
,
5728 if (!TEST_true(SSL_CTX_add_custom_ext(sctx
, TEST_EXT_TYPE1
, context
,
5729 new_add_cb
, new_free_cb
,
5730 &server
, new_parse_cb
, &server
)))
5733 && !TEST_true(SSL_CTX_add_custom_ext(sctx2
, TEST_EXT_TYPE1
,
5734 context
, new_add_cb
,
5735 new_free_cb
, &server
,
5736 new_parse_cb
, &server
)))
5740 /* Should not be able to add duplicates */
5741 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx
, TEST_EXT_TYPE1
,
5742 old_add_cb
, old_free_cb
,
5743 &server
, old_parse_cb
,
5745 || !TEST_false(SSL_CTX_add_custom_ext(sctx
, TEST_EXT_TYPE1
,
5746 context
, new_add_cb
,
5747 new_free_cb
, &server
,
5748 new_parse_cb
, &server
)))
5753 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
, sni_cb
))
5754 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx
, sctx2
)))
5758 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
5759 &clientssl
, NULL
, NULL
))
5760 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5765 if (clntaddoldcb
!= 1
5766 || clntparseoldcb
!= 1
5768 || srvparseoldcb
!= 1)
5770 } else if (tst
== 1 || tst
== 2 || tst
== 3) {
5771 if (clntaddnewcb
!= 1
5772 || clntparsenewcb
!= 1
5774 || srvparsenewcb
!= 1
5775 || (tst
!= 2 && snicb
!= 0)
5776 || (tst
== 2 && snicb
!= 1))
5778 } else if (tst
== 5) {
5779 if (clntaddnewcb
!= 1
5780 || clntparsenewcb
!= 1
5782 || srvparsenewcb
!= 1)
5785 /* In this case there 2 NewSessionTicket messages created */
5786 if (clntaddnewcb
!= 1
5787 || clntparsenewcb
!= 5
5789 || srvparsenewcb
!= 1)
5793 sess
= SSL_get1_session(clientssl
);
5794 SSL_shutdown(clientssl
);
5795 SSL_shutdown(serverssl
);
5796 SSL_free(serverssl
);
5797 SSL_free(clientssl
);
5798 serverssl
= clientssl
= NULL
;
5800 if (tst
== 3 || tst
== 5) {
5801 /* We don't bother with the resumption aspects for these tests */
5806 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5808 || !TEST_true(SSL_set_session(clientssl
, sess
))
5809 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5814 * For a resumed session we expect to add the ClientHello extension. For the
5815 * old style callbacks we ignore it on the server side because they set
5816 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5820 if (clntaddoldcb
!= 2
5821 || clntparseoldcb
!= 1
5823 || srvparseoldcb
!= 1)
5825 } else if (tst
== 1 || tst
== 2 || tst
== 3) {
5826 if (clntaddnewcb
!= 2
5827 || clntparsenewcb
!= 2
5829 || srvparsenewcb
!= 2)
5833 * No Certificate message extensions in the resumption handshake,
5834 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5836 if (clntaddnewcb
!= 2
5837 || clntparsenewcb
!= 8
5839 || srvparsenewcb
!= 2)
5846 SSL_SESSION_free(sess
);
5847 SSL_free(serverssl
);
5848 SSL_free(clientssl
);
5849 SSL_CTX_free(sctx2
);
5855 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5857 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
5858 | SSL_EXT_CLIENT_HELLO \
5859 | SSL_EXT_TLS1_2_SERVER_HELLO \
5860 | SSL_EXT_IGNORE_ON_RESUMPTION)
5862 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
5863 | SSL_EXT_TLS1_2_SERVER_HELLO \
5864 | SSL_EXT_CLIENT_HELLO)
5866 #define SERVERINFO_CUSTOM \
5867 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
5871 static const unsigned char serverinfo_custom_tls13[] = {
5872 0x00, 0x00, (TLS13CONTEXT
>> 8) & 0xff, TLS13CONTEXT
& 0xff,
5875 static const unsigned char serverinfo_custom_v2
[] = {
5876 0x00, 0x00, (SYNTHV1CONTEXT
>> 8) & 0xff, SYNTHV1CONTEXT
& 0xff,
5879 static const unsigned char serverinfo_custom_v1
[] = {
5882 static const size_t serverinfo_custom_tls13_len
= sizeof(serverinfo_custom_tls13
);
5883 static const size_t serverinfo_custom_v2_len
= sizeof(serverinfo_custom_v2
);
5884 static const size_t serverinfo_custom_v1_len
= sizeof(serverinfo_custom_v1
);
5886 static int serverinfo_custom_parse_cb(SSL
*s
, unsigned int ext_type
,
5887 unsigned int context
,
5888 const unsigned char *in
,
5889 size_t inlen
, X509
*x
,
5890 size_t chainidx
, int *al
,
5893 const size_t len
= serverinfo_custom_v1_len
;
5894 const unsigned char *si
= &serverinfo_custom_v1
[len
- 3];
5895 int *p_cb_result
= (int*)parse_arg
;
5896 *p_cb_result
= TEST_mem_eq(in
, inlen
, si
, 3);
5900 static int test_serverinfo_custom(const int idx
)
5902 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
5903 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5908 * Following variables are set in the switch statement
5909 * according to the test iteration.
5910 * Default values do not make much sense: test would fail with them.
5912 int serverinfo_version
= 0;
5913 int protocol_version
= 0;
5914 unsigned int extension_context
= 0;
5915 const unsigned char *si
= NULL
;
5918 const int call_use_serverinfo_ex
= idx
> 0;
5920 case 0: /* FALLTHROUGH */
5922 serverinfo_version
= SSL_SERVERINFOV1
;
5923 protocol_version
= TLS1_2_VERSION
;
5924 extension_context
= SYNTHV1CONTEXT
;
5925 si
= serverinfo_custom_v1
;
5926 si_len
= serverinfo_custom_v1_len
;
5929 serverinfo_version
= SSL_SERVERINFOV2
;
5930 protocol_version
= TLS1_2_VERSION
;
5931 extension_context
= SYNTHV1CONTEXT
;
5932 si
= serverinfo_custom_v2
;
5933 si_len
= serverinfo_custom_v2_len
;
5936 serverinfo_version
= SSL_SERVERINFOV2
;
5937 protocol_version
= TLS1_3_VERSION
;
5938 extension_context
= TLS13CONTEXT
;
5939 si
= serverinfo_custom_tls13
;
5940 si_len
= serverinfo_custom_tls13_len
;
5944 if (!TEST_true(create_ssl_ctx_pair(libctx
,
5949 &sctx
, &cctx
, cert
, privkey
)))
5952 if (call_use_serverinfo_ex
) {
5953 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx
, serverinfo_version
,
5957 if (!TEST_true(SSL_CTX_use_serverinfo(sctx
, si
, si_len
)))
5961 if (!TEST_true(SSL_CTX_add_custom_ext(cctx
, TLSEXT_TYPE_signed_certificate_timestamp
,
5964 serverinfo_custom_parse_cb
,
5966 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5968 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5970 || !TEST_int_eq(SSL_do_handshake(clientssl
), 1))
5973 if (!TEST_true(cb_result
))
5979 SSL_free(serverssl
);
5980 SSL_free(clientssl
);
5989 * Test that SSL_export_keying_material() produces expected results. There are
5990 * no test vectors so all we do is test that both sides of the communication
5991 * produce the same results for different protocol versions.
5993 #define SMALL_LABEL_LEN 10
5994 #define LONG_LABEL_LEN 249
5995 static int test_export_key_mat(int tst
)
5998 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
5999 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6000 const char label
[LONG_LABEL_LEN
+ 1] = "test label";
6001 const unsigned char context
[] = "context";
6002 const unsigned char *emptycontext
= NULL
;
6003 unsigned char ckeymat1
[80], ckeymat2
[80], ckeymat3
[80];
6004 unsigned char skeymat1
[80], skeymat2
[80], skeymat3
[80];
6006 const int protocols
[] = {
6015 #ifdef OPENSSL_NO_TLS1
6019 #ifdef OPENSSL_NO_TLS1_1
6023 if (is_fips
&& (tst
== 0 || tst
== 1))
6025 #ifdef OPENSSL_NO_TLS1_2
6029 #ifdef OSSL_NO_USABLE_TLS1_3
6033 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6034 TLS_client_method(), TLS1_VERSION
, 0,
6035 &sctx
, &cctx
, cert
, privkey
)))
6038 OPENSSL_assert(tst
>= 0 && (size_t)tst
< OSSL_NELEM(protocols
));
6039 SSL_CTX_set_max_proto_version(cctx
, protocols
[tst
]);
6040 SSL_CTX_set_min_proto_version(cctx
, protocols
[tst
]);
6041 if ((protocols
[tst
] < TLS1_2_VERSION
) &&
6042 (!SSL_CTX_set_cipher_list(cctx
, "DEFAULT:@SECLEVEL=0")
6043 || !SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0")))
6046 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
6051 * Premature call of SSL_export_keying_material should just fail.
6053 if (!TEST_int_le(SSL_export_keying_material(clientssl
, ckeymat1
,
6054 sizeof(ckeymat1
), label
,
6055 SMALL_LABEL_LEN
+ 1, context
,
6056 sizeof(context
) - 1, 1), 0))
6059 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
6065 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6068 if (!TEST_int_le(SSL_export_keying_material(clientssl
, ckeymat1
,
6069 sizeof(ckeymat1
), label
,
6070 LONG_LABEL_LEN
+ 1, context
,
6071 sizeof(context
) - 1, 1), 0))
6076 } else if (tst
== 4) {
6077 labellen
= LONG_LABEL_LEN
;
6079 labellen
= SMALL_LABEL_LEN
;
6082 if (!TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat1
,
6083 sizeof(ckeymat1
), label
,
6085 sizeof(context
) - 1, 1), 1)
6086 || !TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat2
,
6087 sizeof(ckeymat2
), label
,
6091 || !TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat3
,
6092 sizeof(ckeymat3
), label
,
6095 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat1
,
6096 sizeof(skeymat1
), label
,
6099 sizeof(context
) -1, 1),
6101 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat2
,
6102 sizeof(skeymat2
), label
,
6106 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat3
,
6107 sizeof(skeymat3
), label
,
6111 * Check that both sides created the same key material with the
6114 || !TEST_mem_eq(ckeymat1
, sizeof(ckeymat1
), skeymat1
,
6117 * Check that both sides created the same key material with an
6120 || !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), skeymat2
,
6123 * Check that both sides created the same key material without a
6126 || !TEST_mem_eq(ckeymat3
, sizeof(ckeymat3
), skeymat3
,
6128 /* Different contexts should produce different results */
6129 || !TEST_mem_ne(ckeymat1
, sizeof(ckeymat1
), ckeymat2
,
6134 * Check that an empty context and no context produce different results in
6135 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6137 if ((tst
< 3 && !TEST_mem_ne(ckeymat2
, sizeof(ckeymat2
), ckeymat3
,
6139 || (tst
>= 3 && !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), ckeymat3
,
6146 SSL_free(serverssl
);
6147 SSL_free(clientssl
);
6148 SSL_CTX_free(sctx2
);
6155 #ifndef OSSL_NO_USABLE_TLS1_3
6157 * Test that SSL_export_keying_material_early() produces expected
6158 * results. There are no test vectors so all we do is test that both
6159 * sides of the communication produce the same results for different
6160 * protocol versions.
6162 static int test_export_key_mat_early(int idx
)
6164 static const char label
[] = "test label";
6165 static const unsigned char context
[] = "context";
6167 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6168 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6169 SSL_SESSION
*sess
= NULL
;
6170 const unsigned char *emptycontext
= NULL
;
6171 unsigned char ckeymat1
[80], ckeymat2
[80];
6172 unsigned char skeymat1
[80], skeymat2
[80];
6173 unsigned char buf
[1];
6174 size_t readbytes
, written
;
6176 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
, &serverssl
,
6180 /* Here writing 0 length early data is enough. */
6181 if (!TEST_true(SSL_write_early_data(clientssl
, NULL
, 0, &written
))
6182 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
6184 SSL_READ_EARLY_DATA_ERROR
)
6185 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
6186 SSL_EARLY_DATA_ACCEPTED
))
6189 if (!TEST_int_eq(SSL_export_keying_material_early(
6190 clientssl
, ckeymat1
, sizeof(ckeymat1
), label
,
6191 sizeof(label
) - 1, context
, sizeof(context
) - 1), 1)
6192 || !TEST_int_eq(SSL_export_keying_material_early(
6193 clientssl
, ckeymat2
, sizeof(ckeymat2
), label
,
6194 sizeof(label
) - 1, emptycontext
, 0), 1)
6195 || !TEST_int_eq(SSL_export_keying_material_early(
6196 serverssl
, skeymat1
, sizeof(skeymat1
), label
,
6197 sizeof(label
) - 1, context
, sizeof(context
) - 1), 1)
6198 || !TEST_int_eq(SSL_export_keying_material_early(
6199 serverssl
, skeymat2
, sizeof(skeymat2
), label
,
6200 sizeof(label
) - 1, emptycontext
, 0), 1)
6202 * Check that both sides created the same key material with the
6205 || !TEST_mem_eq(ckeymat1
, sizeof(ckeymat1
), skeymat1
,
6208 * Check that both sides created the same key material with an
6211 || !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), skeymat2
,
6213 /* Different contexts should produce different results */
6214 || !TEST_mem_ne(ckeymat1
, sizeof(ckeymat1
), ckeymat2
,
6221 SSL_SESSION_free(sess
);
6222 SSL_SESSION_free(clientpsk
);
6223 SSL_SESSION_free(serverpsk
);
6224 clientpsk
= serverpsk
= NULL
;
6225 SSL_free(serverssl
);
6226 SSL_free(clientssl
);
6233 #define NUM_KEY_UPDATE_MESSAGES 40
6237 static int test_key_update(void)
6239 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6240 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6241 int testresult
= 0, i
, j
;
6243 static char *mess
= "A test message";
6245 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6246 TLS_client_method(),
6249 &sctx
, &cctx
, cert
, privkey
))
6250 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6252 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6256 for (j
= 0; j
< 2; j
++) {
6257 /* Send lots of KeyUpdate messages */
6258 for (i
= 0; i
< NUM_KEY_UPDATE_MESSAGES
; i
++) {
6259 if (!TEST_true(SSL_key_update(clientssl
,
6261 ? SSL_KEY_UPDATE_NOT_REQUESTED
6262 : SSL_KEY_UPDATE_REQUESTED
))
6263 || !TEST_true(SSL_do_handshake(clientssl
)))
6267 /* Check that sending and receiving app data is ok */
6268 if (!TEST_int_eq(SSL_write(clientssl
, mess
, strlen(mess
)), strlen(mess
))
6269 || !TEST_int_eq(SSL_read(serverssl
, buf
, sizeof(buf
)),
6273 if (!TEST_int_eq(SSL_write(serverssl
, mess
, strlen(mess
)), strlen(mess
))
6274 || !TEST_int_eq(SSL_read(clientssl
, buf
, sizeof(buf
)),
6282 SSL_free(serverssl
);
6283 SSL_free(clientssl
);
6291 * Test we can handle a KeyUpdate (update requested) message while
6292 * write data is pending in peer.
6293 * Test 0: Client sends KeyUpdate while Server is writing
6294 * Test 1: Server sends KeyUpdate while Client is writing
6296 static int test_key_update_peer_in_write(int tst
)
6298 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6299 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6302 static char *mess
= "A test message";
6303 BIO
*bretry
= BIO_new(bio_s_always_retry());
6305 SSL
*peerupdate
= NULL
, *peerwrite
= NULL
;
6307 if (!TEST_ptr(bretry
)
6308 || !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6309 TLS_client_method(),
6312 &sctx
, &cctx
, cert
, privkey
))
6313 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6315 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6319 peerupdate
= tst
== 0 ? clientssl
: serverssl
;
6320 peerwrite
= tst
== 0 ? serverssl
: clientssl
;
6322 if (!TEST_true(SSL_key_update(peerupdate
, SSL_KEY_UPDATE_REQUESTED
))
6323 || !TEST_int_eq(SSL_do_handshake(peerupdate
), 1))
6326 /* Swap the writing endpoint's write BIO to force a retry */
6327 tmp
= SSL_get_wbio(peerwrite
);
6328 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
6332 SSL_set0_wbio(peerwrite
, bretry
);
6335 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6336 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), -1)
6337 || !TEST_int_eq(SSL_get_error(peerwrite
, 0), SSL_ERROR_WANT_WRITE
))
6340 /* Reinstate the original writing endpoint's write BIO */
6341 SSL_set0_wbio(peerwrite
, tmp
);
6344 /* Now read some data - we will read the key update */
6345 if (!TEST_int_eq(SSL_read(peerwrite
, buf
, sizeof(buf
)), -1)
6346 || !TEST_int_eq(SSL_get_error(peerwrite
, 0), SSL_ERROR_WANT_READ
))
6350 * Complete the write we started previously and read it from the other
6353 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), strlen(mess
))
6354 || !TEST_int_eq(SSL_read(peerupdate
, buf
, sizeof(buf
)), strlen(mess
)))
6357 /* Write more data to ensure we send the KeyUpdate message back */
6358 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), strlen(mess
))
6359 || !TEST_int_eq(SSL_read(peerupdate
, buf
, sizeof(buf
)), strlen(mess
)))
6365 SSL_free(serverssl
);
6366 SSL_free(clientssl
);
6376 * Test we can handle a KeyUpdate (update requested) message while
6377 * peer read data is pending after peer accepted keyupdate(the msg header
6378 * had been read 5 bytes).
6379 * Test 0: Client sends KeyUpdate while Server is reading
6380 * Test 1: Server sends KeyUpdate while Client is reading
6382 static int test_key_update_peer_in_read(int tst
)
6384 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6385 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6387 char prbuf
[515], lwbuf
[515] = {0};
6388 static char *mess
= "A test message";
6389 BIO
*lbio
= NULL
, *pbio
= NULL
;
6390 SSL
*local
= NULL
, *peer
= NULL
;
6392 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6393 TLS_client_method(),
6396 &sctx
, &cctx
, cert
, privkey
))
6397 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6399 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6403 local
= tst
== 0 ? clientssl
: serverssl
;
6404 peer
= tst
== 0 ? serverssl
: clientssl
;
6406 if (!TEST_int_eq(BIO_new_bio_pair(&lbio
, 512, &pbio
, 512), 1))
6409 SSL_set_bio(local
, lbio
, lbio
);
6410 SSL_set_bio(peer
, pbio
, pbio
);
6413 * we first write keyupdate msg then appdata in local
6414 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6415 * lwbuf app data msg size + key updata msg size > 512(the size of
6416 * the bio pair buffer)
6418 if (!TEST_true(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6419 || !TEST_int_eq(SSL_write(local
, lwbuf
, sizeof(lwbuf
)), -1)
6420 || !TEST_int_eq(SSL_get_error(local
, -1), SSL_ERROR_WANT_WRITE
))
6424 * first read keyupdate msg in peer in peer
6425 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6427 if (!TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), -1)
6428 || !TEST_int_eq(SSL_get_error(peer
, -1), SSL_ERROR_WANT_READ
))
6431 /* Now write some data in peer - we will write the key update */
6432 if (!TEST_int_eq(SSL_write(peer
, mess
, strlen(mess
)), strlen(mess
)))
6436 * write data in local previously that we will complete
6437 * read data in peer previously that we will complete
6439 if (!TEST_int_eq(SSL_write(local
, lwbuf
, sizeof(lwbuf
)), sizeof(lwbuf
))
6440 || !TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), sizeof(prbuf
)))
6443 /* check that sending and receiving appdata ok */
6444 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
))
6445 || !TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), strlen(mess
)))
6451 SSL_free(serverssl
);
6452 SSL_free(clientssl
);
6460 * Test we can't send a KeyUpdate (update requested) message while
6461 * local write data is pending.
6462 * Test 0: Client sends KeyUpdate while Client is writing
6463 * Test 1: Server sends KeyUpdate while Server is writing
6465 static int test_key_update_local_in_write(int tst
)
6467 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6468 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6471 static char *mess
= "A test message";
6472 BIO
*bretry
= BIO_new(bio_s_always_retry());
6474 SSL
*local
= NULL
, *peer
= NULL
;
6476 if (!TEST_ptr(bretry
)
6477 || !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6478 TLS_client_method(),
6481 &sctx
, &cctx
, cert
, privkey
))
6482 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6484 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6488 local
= tst
== 0 ? clientssl
: serverssl
;
6489 peer
= tst
== 0 ? serverssl
: clientssl
;
6491 /* Swap the writing endpoint's write BIO to force a retry */
6492 tmp
= SSL_get_wbio(local
);
6493 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
6497 SSL_set0_wbio(local
, bretry
);
6500 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6501 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), -1)
6502 || !TEST_int_eq(SSL_get_error(local
, -1), SSL_ERROR_WANT_WRITE
))
6505 /* Reinstate the original writing endpoint's write BIO */
6506 SSL_set0_wbio(local
, tmp
);
6509 /* SSL_key_update will fail, because writing in local*/
6510 if (!TEST_false(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6511 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY
))
6515 /* write data in local previously that we will complete */
6516 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
)))
6519 /* SSL_key_update will succeed because there is no pending write data */
6520 if (!TEST_true(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6521 || !TEST_int_eq(SSL_do_handshake(local
), 1))
6525 * we write some appdata in local
6526 * read data in peer - we will read the keyupdate msg
6528 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
))
6529 || !TEST_int_eq(SSL_read(peer
, buf
, sizeof(buf
)), strlen(mess
)))
6532 /* Write more peer more data to ensure we send the keyupdate message back */
6533 if (!TEST_int_eq(SSL_write(peer
, mess
, strlen(mess
)), strlen(mess
))
6534 || !TEST_int_eq(SSL_read(local
, buf
, sizeof(buf
)), strlen(mess
)))
6540 SSL_free(serverssl
);
6541 SSL_free(clientssl
);
6551 * Test we can handle a KeyUpdate (update requested) message while
6552 * local read data is pending(the msg header had been read 5 bytes).
6553 * Test 0: Client sends KeyUpdate while Client is reading
6554 * Test 1: Server sends KeyUpdate while Server is reading
6556 static int test_key_update_local_in_read(int tst
)
6558 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6559 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6561 char lrbuf
[515], pwbuf
[515] = {0}, prbuf
[20];
6562 static char *mess
= "A test message";
6563 BIO
*lbio
= NULL
, *pbio
= NULL
;
6564 SSL
*local
= NULL
, *peer
= NULL
;
6566 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6567 TLS_client_method(),
6570 &sctx
, &cctx
, cert
, privkey
))
6571 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6573 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6577 local
= tst
== 0 ? clientssl
: serverssl
;
6578 peer
= tst
== 0 ? serverssl
: clientssl
;
6580 if (!TEST_int_eq(BIO_new_bio_pair(&lbio
, 512, &pbio
, 512), 1))
6583 SSL_set_bio(local
, lbio
, lbio
);
6584 SSL_set_bio(peer
, pbio
, pbio
);
6586 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6587 if (!TEST_int_eq(SSL_write(peer
, pwbuf
, sizeof(pwbuf
)), -1)
6588 || !TEST_int_eq(SSL_get_error(peer
, -1), SSL_ERROR_WANT_WRITE
))
6591 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6592 if (!TEST_int_eq(SSL_read(local
, lrbuf
, sizeof(lrbuf
)), -1)
6593 || !TEST_int_eq(SSL_get_error(local
, -1), SSL_ERROR_WANT_READ
))
6596 /* SSL_do_handshake will send keyupdate msg */
6597 if (!TEST_true(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6598 || !TEST_int_eq(SSL_do_handshake(local
), 1))
6602 * write data in peer previously that we will complete
6603 * read data in local previously that we will complete
6605 if (!TEST_int_eq(SSL_write(peer
, pwbuf
, sizeof(pwbuf
)), sizeof(pwbuf
))
6606 || !TEST_int_eq(SSL_read(local
, lrbuf
, sizeof(lrbuf
)), sizeof(lrbuf
)))
6610 * write data in local
6611 * read data in peer - we will read the key update
6613 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
))
6614 || !TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), strlen(mess
)))
6617 /* Write more peer data to ensure we send the keyupdate message back */
6618 if (!TEST_int_eq(SSL_write(peer
, mess
, strlen(mess
)), strlen(mess
))
6619 || !TEST_int_eq(SSL_read(local
, lrbuf
, sizeof(lrbuf
)), strlen(mess
)))
6625 SSL_free(serverssl
);
6626 SSL_free(clientssl
);
6632 #endif /* OSSL_NO_USABLE_TLS1_3 */
6634 static int test_ssl_clear(int idx
)
6636 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6637 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6640 #ifdef OPENSSL_NO_TLS1_2
6645 /* Create an initial connection */
6646 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6647 TLS_client_method(), TLS1_VERSION
, 0,
6648 &sctx
, &cctx
, cert
, privkey
))
6650 && !TEST_true(SSL_CTX_set_max_proto_version(cctx
,
6652 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
6653 &clientssl
, NULL
, NULL
))
6654 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6658 SSL_shutdown(clientssl
);
6659 SSL_shutdown(serverssl
);
6660 SSL_free(serverssl
);
6663 /* Clear clientssl - we're going to reuse the object */
6664 if (!TEST_true(SSL_clear(clientssl
)))
6667 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6669 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6671 || !TEST_true(SSL_session_reused(clientssl
)))
6674 SSL_shutdown(clientssl
);
6675 SSL_shutdown(serverssl
);
6680 SSL_free(serverssl
);
6681 SSL_free(clientssl
);
6688 /* Parse CH and retrieve any MFL extension value if present */
6689 static int get_MFL_from_client_hello(BIO
*bio
, int *mfl_codemfl_code
)
6692 unsigned char *data
;
6693 PACKET pkt
, pkt2
, pkt3
;
6694 unsigned int MFL_code
= 0, type
= 0;
6696 if (!TEST_uint_gt(len
= BIO_get_mem_data(bio
, (char **) &data
), 0))
6699 memset(&pkt
, 0, sizeof(pkt
));
6700 memset(&pkt2
, 0, sizeof(pkt2
));
6701 memset(&pkt3
, 0, sizeof(pkt3
));
6703 if (!TEST_long_gt(len
, 0)
6704 || !TEST_true(PACKET_buf_init(&pkt
, data
, len
))
6705 /* Skip the record header */
6706 || !PACKET_forward(&pkt
, SSL3_RT_HEADER_LENGTH
)
6707 /* Skip the handshake message header */
6708 || !TEST_true(PACKET_forward(&pkt
, SSL3_HM_HEADER_LENGTH
))
6709 /* Skip client version and random */
6710 || !TEST_true(PACKET_forward(&pkt
, CLIENT_VERSION_LEN
6711 + SSL3_RANDOM_SIZE
))
6712 /* Skip session id */
6713 || !TEST_true(PACKET_get_length_prefixed_1(&pkt
, &pkt2
))
6715 || !TEST_true(PACKET_get_length_prefixed_2(&pkt
, &pkt2
))
6716 /* Skip compression */
6717 || !TEST_true(PACKET_get_length_prefixed_1(&pkt
, &pkt2
))
6718 /* Extensions len */
6719 || !TEST_true(PACKET_as_length_prefixed_2(&pkt
, &pkt2
)))
6722 /* Loop through all extensions */
6723 while (PACKET_remaining(&pkt2
)) {
6724 if (!TEST_true(PACKET_get_net_2(&pkt2
, &type
))
6725 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2
, &pkt3
)))
6728 if (type
== TLSEXT_TYPE_max_fragment_length
) {
6729 if (!TEST_uint_ne(PACKET_remaining(&pkt3
), 0)
6730 || !TEST_true(PACKET_get_1(&pkt3
, &MFL_code
)))
6733 *mfl_codemfl_code
= MFL_code
;
6742 /* Maximum-Fragment-Length TLS extension mode to test */
6743 static const unsigned char max_fragment_len_test
[] = {
6744 TLSEXT_max_fragment_length_512
,
6745 TLSEXT_max_fragment_length_1024
,
6746 TLSEXT_max_fragment_length_2048
,
6747 TLSEXT_max_fragment_length_4096
6750 static int test_max_fragment_len_ext(int idx_tst
)
6752 SSL_CTX
*ctx
= NULL
;
6754 int testresult
= 0, MFL_mode
= 0;
6757 if (!TEST_true(create_ssl_ctx_pair(libctx
, NULL
, TLS_client_method(),
6758 TLS1_VERSION
, 0, NULL
, &ctx
, NULL
,
6762 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6763 ctx
, max_fragment_len_test
[idx_tst
])))
6770 rbio
= BIO_new(BIO_s_mem());
6771 wbio
= BIO_new(BIO_s_mem());
6772 if (!TEST_ptr(rbio
)|| !TEST_ptr(wbio
)) {
6778 SSL_set_bio(con
, rbio
, wbio
);
6780 if (!TEST_int_le(SSL_connect(con
), 0)) {
6781 /* This shouldn't succeed because we don't have a server! */
6785 if (!TEST_true(get_MFL_from_client_hello(wbio
, &MFL_mode
)))
6786 /* no MFL in client hello */
6788 if (!TEST_true(max_fragment_len_test
[idx_tst
] == MFL_mode
))
6800 #ifndef OSSL_NO_USABLE_TLS1_3
6801 static int test_pha_key_update(void)
6803 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6804 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6807 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6808 TLS_client_method(), TLS1_VERSION
, 0,
6809 &sctx
, &cctx
, cert
, privkey
)))
6812 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx
, TLS1_3_VERSION
))
6813 || !TEST_true(SSL_CTX_set_max_proto_version(sctx
, TLS1_3_VERSION
))
6814 || !TEST_true(SSL_CTX_set_min_proto_version(cctx
, TLS1_3_VERSION
))
6815 || !TEST_true(SSL_CTX_set_max_proto_version(cctx
, TLS1_3_VERSION
)))
6818 SSL_CTX_set_post_handshake_auth(cctx
, 1);
6820 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6824 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
6828 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
, NULL
);
6829 if (!TEST_true(SSL_verify_client_post_handshake(serverssl
)))
6832 if (!TEST_true(SSL_key_update(clientssl
, SSL_KEY_UPDATE_NOT_REQUESTED
)))
6835 /* Start handshake on the server */
6836 if (!TEST_int_eq(SSL_do_handshake(serverssl
), 1))
6839 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6840 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
6844 SSL_shutdown(clientssl
);
6845 SSL_shutdown(serverssl
);
6850 SSL_free(serverssl
);
6851 SSL_free(clientssl
);
6858 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6860 static SRP_VBASE
*vbase
= NULL
;
6862 static int ssl_srp_cb(SSL
*s
, int *ad
, void *arg
)
6864 int ret
= SSL3_AL_FATAL
;
6866 SRP_user_pwd
*user
= NULL
;
6868 username
= SSL_get_srp_username(s
);
6869 if (username
== NULL
) {
6870 *ad
= SSL_AD_INTERNAL_ERROR
;
6874 user
= SRP_VBASE_get1_by_user(vbase
, username
);
6876 *ad
= SSL_AD_INTERNAL_ERROR
;
6880 if (SSL_set_srp_server_param(s
, user
->N
, user
->g
, user
->s
, user
->v
,
6882 *ad
= SSL_AD_INTERNAL_ERROR
;
6889 SRP_user_pwd_free(user
);
6893 static int create_new_vfile(char *userid
, char *password
, const char *filename
)
6896 OPENSSL_STRING
*row
= OPENSSL_zalloc(sizeof(row
) * (DB_NUMBER
+ 1));
6899 BIO
*out
= NULL
, *dummy
= BIO_new_mem_buf("", 0);
6902 if (!TEST_ptr(dummy
) || !TEST_ptr(row
))
6905 gNid
= SRP_create_verifier_ex(userid
, password
, &row
[DB_srpsalt
],
6906 &row
[DB_srpverifier
], NULL
, NULL
, libctx
, NULL
);
6907 if (!TEST_ptr(gNid
))
6911 * The only way to create an empty TXT_DB is to provide a BIO with no data
6914 db
= TXT_DB_read(dummy
, DB_NUMBER
);
6918 out
= BIO_new_file(filename
, "w");
6922 row
[DB_srpid
] = OPENSSL_strdup(userid
);
6923 row
[DB_srptype
] = OPENSSL_strdup("V");
6924 row
[DB_srpgN
] = OPENSSL_strdup(gNid
);
6926 if (!TEST_ptr(row
[DB_srpid
])
6927 || !TEST_ptr(row
[DB_srptype
])
6928 || !TEST_ptr(row
[DB_srpgN
])
6929 || !TEST_true(TXT_DB_insert(db
, row
)))
6934 if (TXT_DB_write(out
, db
) <= 0)
6940 for (i
= 0; i
< DB_NUMBER
; i
++)
6941 OPENSSL_free(row
[i
]);
6951 static int create_new_vbase(char *userid
, char *password
)
6953 BIGNUM
*verifier
= NULL
, *salt
= NULL
;
6954 const SRP_gN
*lgN
= NULL
;
6955 SRP_user_pwd
*user_pwd
= NULL
;
6958 lgN
= SRP_get_default_gN(NULL
);
6962 if (!TEST_true(SRP_create_verifier_BN_ex(userid
, password
, &salt
, &verifier
,
6963 lgN
->N
, lgN
->g
, libctx
, NULL
)))
6966 user_pwd
= OPENSSL_zalloc(sizeof(*user_pwd
));
6967 if (!TEST_ptr(user_pwd
))
6970 user_pwd
->N
= lgN
->N
;
6971 user_pwd
->g
= lgN
->g
;
6972 user_pwd
->id
= OPENSSL_strdup(userid
);
6973 if (!TEST_ptr(user_pwd
->id
))
6976 user_pwd
->v
= verifier
;
6978 verifier
= salt
= NULL
;
6980 if (sk_SRP_user_pwd_insert(vbase
->users_pwd
, user_pwd
, 0) == 0)
6986 SRP_user_pwd_free(user_pwd
);
6996 * Test 0: Simple successful SRP connection, new vbase
6997 * Test 1: Connection failure due to bad password, new vbase
6998 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6999 * Test 3: Connection failure due to bad password, vbase loaded from existing
7001 * Test 4: Simple successful SRP connection, vbase loaded from new file
7002 * Test 5: Connection failure due to bad password, vbase loaded from new file
7004 static int test_srp(int tst
)
7006 char *userid
= "test", *password
= "password", *tstsrpfile
;
7007 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7008 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7009 int ret
, testresult
= 0;
7011 vbase
= SRP_VBASE_new(NULL
);
7012 if (!TEST_ptr(vbase
))
7015 if (tst
== 0 || tst
== 1) {
7016 if (!TEST_true(create_new_vbase(userid
, password
)))
7019 if (tst
== 4 || tst
== 5) {
7020 if (!TEST_true(create_new_vfile(userid
, password
, tmpfilename
)))
7022 tstsrpfile
= tmpfilename
;
7024 tstsrpfile
= srpvfile
;
7026 if (!TEST_int_eq(SRP_VBASE_init(vbase
, tstsrpfile
), SRP_NO_ERROR
))
7030 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7031 TLS_client_method(), TLS1_VERSION
, 0,
7032 &sctx
, &cctx
, cert
, privkey
)))
7035 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx
, ssl_srp_cb
), 0)
7036 || !TEST_true(SSL_CTX_set_cipher_list(cctx
, "SRP-AES-128-CBC-SHA"))
7037 || !TEST_true(SSL_CTX_set_max_proto_version(sctx
, TLS1_2_VERSION
))
7038 || !TEST_true(SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
))
7039 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx
, userid
), 0))
7043 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx
, "badpass"), 0))
7046 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx
, password
), 0))
7050 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7054 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
7056 if (!TEST_true(tst
% 2 == 0))
7059 if (!TEST_true(tst
% 2 == 1))
7066 SRP_VBASE_free(vbase
);
7068 SSL_free(serverssl
);
7069 SSL_free(clientssl
);
7077 static int info_cb_failed
= 0;
7078 static int info_cb_offset
= 0;
7079 static int info_cb_this_state
= -1;
7081 static struct info_cb_states_st
{
7083 const char *statestr
;
7084 } info_cb_states
[][60] = {
7086 /* TLSv1.2 server followed by resumption */
7087 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7088 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7089 {SSL_CB_LOOP
, "TWSC"}, {SSL_CB_LOOP
, "TWSKE"}, {SSL_CB_LOOP
, "TWSD"},
7090 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWSD"}, {SSL_CB_LOOP
, "TRCKE"},
7091 {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWST"},
7092 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7093 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7094 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
7095 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"},
7096 {SSL_CB_LOOP
, "TWSH"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7097 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TRCCS"},
7098 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7099 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7101 /* TLSv1.2 client followed by resumption */
7102 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7103 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
7104 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TRSC"}, {SSL_CB_LOOP
, "TRSKE"},
7105 {SSL_CB_LOOP
, "TRSD"}, {SSL_CB_LOOP
, "TWCKE"}, {SSL_CB_LOOP
, "TWCCS"},
7106 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWFIN"},
7107 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"},
7108 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
7109 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7110 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
7111 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"},
7112 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7113 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7115 /* TLSv1.3 server followed by resumption */
7116 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7117 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7118 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWSC"},
7119 {SSL_CB_LOOP
, "TWSCV"}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TED"},
7120 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRFIN"},
7121 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_LOOP
, "TWST"},
7122 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
7123 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7124 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7125 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
7126 {SSL_CB_LOOP
, "TED"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"},
7127 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7128 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7130 /* TLSv1.3 client followed by resumption */
7131 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7132 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
7133 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"}, {SSL_CB_LOOP
, "TRSC"},
7134 {SSL_CB_LOOP
, "TRSCV"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"},
7135 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7136 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"},
7137 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"},
7138 {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
},
7139 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
7140 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
},
7141 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
7142 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7143 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7144 {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "TRST"},
7145 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7147 /* TLSv1.3 server, early_data */
7148 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7149 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7150 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
7151 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7152 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TED"},
7153 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TWEOED"}, {SSL_CB_LOOP
, "TRFIN"},
7154 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_LOOP
, "TWST"},
7155 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7157 /* TLSv1.3 client, early_data */
7158 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7159 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TWCCS"},
7160 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7161 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TED"},
7162 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
7163 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TPEDE"}, {SSL_CB_LOOP
, "TWEOED"},
7164 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7165 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"},
7166 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7168 /* TLSv1.3 server, certificate compression, followed by resumption */
7169 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7170 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7171 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWSCC"},
7172 {SSL_CB_LOOP
, "TWSCV"}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TED"},
7173 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRFIN"},
7174 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_LOOP
, "TWST"},
7175 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
7176 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7177 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7178 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
7179 {SSL_CB_LOOP
, "TED"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"},
7180 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7181 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7183 /* TLSv1.3 client, certificate compression, followed by resumption */
7184 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7185 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
7186 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"}, {SSL_CB_LOOP
, "TRSCC"},
7187 {SSL_CB_LOOP
, "TRSCV"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"},
7188 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7189 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"},
7190 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"},
7191 {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
},
7192 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
7193 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
},
7194 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
7195 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7196 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7197 {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "TRST"},
7198 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7204 static void sslapi_info_callback(const SSL
*s
, int where
, int ret
)
7206 struct info_cb_states_st
*state
= info_cb_states
[info_cb_offset
];
7208 /* We do not ever expect a connection to fail in this test */
7209 if (!TEST_false(ret
== 0)) {
7215 * Do some sanity checks. We never expect these things to happen in this
7218 if (!TEST_false((SSL_is_server(s
) && (where
& SSL_ST_CONNECT
) != 0))
7219 || !TEST_false(!SSL_is_server(s
) && (where
& SSL_ST_ACCEPT
) != 0)
7220 || !TEST_int_ne(state
[++info_cb_this_state
].where
, 0)) {
7225 /* Now check we're in the right state */
7226 if (!TEST_true((where
& state
[info_cb_this_state
].where
) != 0)) {
7230 if ((where
& SSL_CB_LOOP
) != 0
7231 && !TEST_int_eq(strcmp(SSL_state_string(s
),
7232 state
[info_cb_this_state
].statestr
), 0)) {
7238 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7240 if ((where
& SSL_CB_HANDSHAKE_DONE
)
7241 && SSL_in_init((SSL
*)s
) != 0) {
7248 * Test the info callback gets called when we expect it to.
7250 * Test 0: TLSv1.2, server
7251 * Test 1: TLSv1.2, client
7252 * Test 2: TLSv1.3, server
7253 * Test 3: TLSv1.3, client
7254 * Test 4: TLSv1.3, server, early_data
7255 * Test 5: TLSv1.3, client, early_data
7256 * Test 6: TLSv1.3, server, compressed certificate
7257 * Test 7: TLSv1.3, client, compressed certificate
7259 static int test_info_callback(int tst
)
7261 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7262 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7263 SSL_SESSION
*clntsess
= NULL
;
7268 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7269 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7270 || !defined(OPENSSL_NO_DH))
7271 tlsvers
= TLS1_2_VERSION
;
7276 #ifndef OSSL_NO_USABLE_TLS1_3
7277 tlsvers
= TLS1_3_VERSION
;
7285 info_cb_this_state
= -1;
7286 info_cb_offset
= tst
;
7288 #ifndef OSSL_NO_USABLE_TLS1_3
7289 if (tst
>= 4 && tst
< 6) {
7290 SSL_SESSION
*sess
= NULL
;
7291 size_t written
, readbytes
;
7292 unsigned char buf
[80];
7294 /* early_data tests */
7295 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
7296 &serverssl
, &sess
, 0)))
7299 /* We don't actually need this reference */
7300 SSL_SESSION_free(sess
);
7302 SSL_set_info_callback((tst
% 2) == 0 ? serverssl
: clientssl
,
7303 sslapi_info_callback
);
7305 /* Write and read some early data and then complete the connection */
7306 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
7308 || !TEST_size_t_eq(written
, strlen(MSG1
))
7309 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
,
7310 sizeof(buf
), &readbytes
),
7311 SSL_READ_EARLY_DATA_SUCCESS
)
7312 || !TEST_mem_eq(MSG1
, readbytes
, buf
, strlen(MSG1
))
7313 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
7314 SSL_EARLY_DATA_ACCEPTED
)
7315 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7317 || !TEST_false(info_cb_failed
))
7325 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7326 TLS_client_method(),
7327 tlsvers
, tlsvers
, &sctx
, &cctx
, cert
,
7331 if (!TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
7335 * For even numbered tests we check the server callbacks. For odd numbers we
7338 SSL_CTX_set_info_callback((tst
% 2) == 0 ? sctx
: cctx
,
7339 sslapi_info_callback
);
7341 if (!SSL_CTX_compress_certs(sctx
, 0))
7345 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
7346 &clientssl
, NULL
, NULL
))
7347 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7349 || !TEST_false(info_cb_failed
))
7354 clntsess
= SSL_get1_session(clientssl
);
7355 SSL_shutdown(clientssl
);
7356 SSL_shutdown(serverssl
);
7357 SSL_free(serverssl
);
7358 SSL_free(clientssl
);
7359 serverssl
= clientssl
= NULL
;
7361 /* Now do a resumption */
7362 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
7364 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
7365 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7367 || !TEST_true(SSL_session_reused(clientssl
))
7368 || !TEST_false(info_cb_failed
))
7374 SSL_free(serverssl
);
7375 SSL_free(clientssl
);
7376 SSL_SESSION_free(clntsess
);
7382 static int test_ssl_pending(int tst
)
7384 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7385 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7387 char msg
[] = "A test message";
7389 size_t written
, readbytes
;
7392 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7393 TLS_client_method(),
7395 &sctx
, &cctx
, cert
, privkey
)))
7398 #ifndef OPENSSL_NO_DTLS
7399 if (!TEST_true(create_ssl_ctx_pair(libctx
, DTLS_server_method(),
7400 DTLS_client_method(),
7402 &sctx
, &cctx
, cert
, privkey
)))
7405 # ifdef OPENSSL_NO_DTLS1_2
7406 /* Not supported in the FIPS provider */
7412 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7415 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0"))
7416 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
7417 "DEFAULT:@SECLEVEL=0")))
7425 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7427 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7431 if (!TEST_int_eq(SSL_pending(clientssl
), 0)
7432 || !TEST_false(SSL_has_pending(clientssl
))
7433 || !TEST_int_eq(SSL_pending(serverssl
), 0)
7434 || !TEST_false(SSL_has_pending(serverssl
))
7435 || !TEST_true(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
7436 || !TEST_size_t_eq(written
, sizeof(msg
))
7437 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
7438 || !TEST_size_t_eq(readbytes
, sizeof(buf
))
7439 || !TEST_int_eq(SSL_pending(clientssl
), (int)(written
- readbytes
))
7440 || !TEST_true(SSL_has_pending(clientssl
)))
7446 SSL_free(serverssl
);
7447 SSL_free(clientssl
);
7455 unsigned int maxprot
;
7456 const char *clntciphers
;
7457 const char *clnttls13ciphers
;
7458 const char *srvrciphers
;
7459 const char *srvrtls13ciphers
;
7461 const char *fipsshared
;
7462 } shared_ciphers_data
[] = {
7464 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7465 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7467 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7470 "AES128-SHA:AES256-SHA",
7472 "AES256-SHA:DHE-RSA-AES128-SHA",
7477 # if !defined(OPENSSL_NO_CHACHA) \
7478 && !defined(OPENSSL_NO_POLY1305) \
7479 && !defined(OPENSSL_NO_EC)
7482 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7484 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7486 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7492 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7494 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7496 "AES128-SHA:AES256-SHA",
7497 "AES128-SHA:AES256-SHA"
7501 "AES128-SHA:AES256-SHA",
7503 "AES128-SHA:DHE-RSA-AES128-SHA",
7510 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7513 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7514 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7517 "AES128-SHA:AES256-SHA",
7519 "AES256-SHA:AES128-SHA256",
7521 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7522 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7523 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7526 #ifndef OSSL_NO_USABLE_TLS1_3
7530 "TLS_AES_256_GCM_SHA384",
7532 "TLS_AES_256_GCM_SHA384",
7533 "TLS_AES_256_GCM_SHA384",
7534 "TLS_AES_256_GCM_SHA384"
7539 static int int_test_ssl_get_shared_ciphers(int tst
, int clnt
)
7541 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7542 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7545 OSSL_LIB_CTX
*tmplibctx
= OSSL_LIB_CTX_new();
7547 if (!TEST_ptr(tmplibctx
))
7551 * Regardless of whether we're testing with the FIPS provider loaded into
7552 * libctx, we want one peer to always use the full set of ciphersuites
7553 * available. Therefore we use a separate libctx with the default provider
7554 * loaded into it. We run the same tests twice - once with the client side
7555 * having the full set of ciphersuites and once with the server side.
7558 cctx
= SSL_CTX_new_ex(tmplibctx
, NULL
, TLS_client_method());
7559 if (!TEST_ptr(cctx
))
7562 sctx
= SSL_CTX_new_ex(tmplibctx
, NULL
, TLS_server_method());
7563 if (!TEST_ptr(sctx
))
7567 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7568 TLS_client_method(),
7570 shared_ciphers_data
[tst
].maxprot
,
7571 &sctx
, &cctx
, cert
, privkey
)))
7574 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
7575 shared_ciphers_data
[tst
].clntciphers
))
7576 || (shared_ciphers_data
[tst
].clnttls13ciphers
!= NULL
7577 && !TEST_true(SSL_CTX_set_ciphersuites(cctx
,
7578 shared_ciphers_data
[tst
].clnttls13ciphers
)))
7579 || !TEST_true(SSL_CTX_set_cipher_list(sctx
,
7580 shared_ciphers_data
[tst
].srvrciphers
))
7581 || (shared_ciphers_data
[tst
].srvrtls13ciphers
!= NULL
7582 && !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
7583 shared_ciphers_data
[tst
].srvrtls13ciphers
))))
7587 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7589 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7593 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl
, buf
, sizeof(buf
)))
7594 || !TEST_int_eq(strcmp(buf
,
7596 ? shared_ciphers_data
[tst
].fipsshared
7597 : shared_ciphers_data
[tst
].shared
),
7599 TEST_info("Shared ciphers are: %s\n", buf
);
7606 SSL_free(serverssl
);
7607 SSL_free(clientssl
);
7610 OSSL_LIB_CTX_free(tmplibctx
);
7615 static int test_ssl_get_shared_ciphers(int tst
)
7617 return int_test_ssl_get_shared_ciphers(tst
, 0)
7618 && int_test_ssl_get_shared_ciphers(tst
, 1);
7622 static const char *appdata
= "Hello World";
7623 static int gen_tick_called
, dec_tick_called
, tick_key_cb_called
;
7624 static int tick_key_renew
= 0;
7625 static SSL_TICKET_RETURN tick_dec_ret
= SSL_TICKET_RETURN_ABORT
;
7627 static int gen_tick_cb(SSL
*s
, void *arg
)
7629 gen_tick_called
= 1;
7631 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s
), appdata
,
7635 static SSL_TICKET_RETURN
dec_tick_cb(SSL
*s
, SSL_SESSION
*ss
,
7636 const unsigned char *keyname
,
7637 size_t keyname_length
,
7638 SSL_TICKET_STATUS status
,
7644 dec_tick_called
= 1;
7646 if (status
== SSL_TICKET_EMPTY
)
7647 return SSL_TICKET_RETURN_IGNORE_RENEW
;
7649 if (!TEST_true(status
== SSL_TICKET_SUCCESS
7650 || status
== SSL_TICKET_SUCCESS_RENEW
))
7651 return SSL_TICKET_RETURN_ABORT
;
7653 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss
, &tickdata
,
7655 || !TEST_size_t_eq(tickdlen
, strlen(appdata
))
7656 || !TEST_int_eq(memcmp(tickdata
, appdata
, tickdlen
), 0))
7657 return SSL_TICKET_RETURN_ABORT
;
7659 if (tick_key_cb_called
) {
7660 /* Don't change what the ticket key callback wanted to do */
7662 case SSL_TICKET_NO_DECRYPT
:
7663 return SSL_TICKET_RETURN_IGNORE_RENEW
;
7665 case SSL_TICKET_SUCCESS
:
7666 return SSL_TICKET_RETURN_USE
;
7668 case SSL_TICKET_SUCCESS_RENEW
:
7669 return SSL_TICKET_RETURN_USE_RENEW
;
7672 return SSL_TICKET_RETURN_ABORT
;
7675 return tick_dec_ret
;
7679 #ifndef OPENSSL_NO_DEPRECATED_3_0
7680 static int tick_key_cb(SSL
*s
, unsigned char key_name
[16],
7681 unsigned char iv
[EVP_MAX_IV_LENGTH
], EVP_CIPHER_CTX
*ctx
,
7682 HMAC_CTX
*hctx
, int enc
)
7684 const unsigned char tick_aes_key
[16] = "0123456789abcdef";
7685 const unsigned char tick_hmac_key
[16] = "0123456789abcdef";
7686 EVP_CIPHER
*aes128cbc
;
7690 tick_key_cb_called
= 1;
7692 if (tick_key_renew
== -1)
7695 aes128cbc
= EVP_CIPHER_fetch(libctx
, "AES-128-CBC", NULL
);
7696 if (!TEST_ptr(aes128cbc
))
7698 sha256
= EVP_MD_fetch(libctx
, "SHA-256", NULL
);
7699 if (!TEST_ptr(sha256
)) {
7700 EVP_CIPHER_free(aes128cbc
);
7704 memset(iv
, 0, AES_BLOCK_SIZE
);
7705 memset(key_name
, 0, 16);
7706 if (aes128cbc
== NULL
7708 || !EVP_CipherInit_ex(ctx
, aes128cbc
, NULL
, tick_aes_key
, iv
, enc
)
7709 || !HMAC_Init_ex(hctx
, tick_hmac_key
, sizeof(tick_hmac_key
), sha256
,
7713 ret
= tick_key_renew
? 2 : 1;
7715 EVP_CIPHER_free(aes128cbc
);
7716 EVP_MD_free(sha256
);
7722 static int tick_key_evp_cb(SSL
*s
, unsigned char key_name
[16],
7723 unsigned char iv
[EVP_MAX_IV_LENGTH
],
7724 EVP_CIPHER_CTX
*ctx
, EVP_MAC_CTX
*hctx
, int enc
)
7726 const unsigned char tick_aes_key
[16] = "0123456789abcdef";
7727 unsigned char tick_hmac_key
[16] = "0123456789abcdef";
7728 OSSL_PARAM params
[2];
7729 EVP_CIPHER
*aes128cbc
;
7732 tick_key_cb_called
= 1;
7734 if (tick_key_renew
== -1)
7737 aes128cbc
= EVP_CIPHER_fetch(libctx
, "AES-128-CBC", NULL
);
7738 if (!TEST_ptr(aes128cbc
))
7741 memset(iv
, 0, AES_BLOCK_SIZE
);
7742 memset(key_name
, 0, 16);
7743 params
[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST
,
7745 params
[1] = OSSL_PARAM_construct_end();
7746 if (aes128cbc
== NULL
7747 || !EVP_CipherInit_ex(ctx
, aes128cbc
, NULL
, tick_aes_key
, iv
, enc
)
7748 || !EVP_MAC_init(hctx
, tick_hmac_key
, sizeof(tick_hmac_key
),
7752 ret
= tick_key_renew
? 2 : 1;
7754 EVP_CIPHER_free(aes128cbc
);
7760 * Test the various ticket callbacks
7761 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7762 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7763 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7764 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7765 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7766 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7767 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7768 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7769 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7770 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7771 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7772 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7773 * Test 12: TLSv1.2, old ticket key callback, no ticket
7774 * Test 13: TLSv1.3, old ticket key callback, no ticket
7775 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7776 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7777 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7778 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7779 * Test 18: TLSv1.2, ticket key callback, no ticket
7780 * Test 19: TLSv1.3, ticket key callback, no ticket
7782 static int test_ticket_callbacks(int tst
)
7784 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7785 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7786 SSL_SESSION
*clntsess
= NULL
;
7789 #ifdef OPENSSL_NO_TLS1_2
7793 #ifdef OSSL_NO_USABLE_TLS1_3
7797 #ifdef OPENSSL_NO_DEPRECATED_3_0
7798 if (tst
>= 8 && tst
<= 13)
7802 gen_tick_called
= dec_tick_called
= tick_key_cb_called
= 0;
7804 /* Which tests the ticket key callback should request renewal for */
7806 if (tst
== 10 || tst
== 11 || tst
== 16 || tst
== 17)
7808 else if (tst
== 12 || tst
== 13 || tst
== 18 || tst
== 19)
7809 tick_key_renew
= -1; /* abort sending the ticket/0-length ticket */
7813 /* Which tests the decrypt ticket callback should request renewal for */
7817 tick_dec_ret
= SSL_TICKET_RETURN_IGNORE
;
7822 tick_dec_ret
= SSL_TICKET_RETURN_IGNORE_RENEW
;
7827 tick_dec_ret
= SSL_TICKET_RETURN_USE
;
7832 tick_dec_ret
= SSL_TICKET_RETURN_USE_RENEW
;
7836 tick_dec_ret
= SSL_TICKET_RETURN_ABORT
;
7839 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7840 TLS_client_method(),
7842 ((tst
% 2) == 0) ? TLS1_2_VERSION
7844 &sctx
, &cctx
, cert
, privkey
)))
7848 * We only want sessions to resume from tickets - not the session cache. So
7849 * switch the cache off.
7851 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx
, SSL_SESS_CACHE_OFF
)))
7854 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx
, gen_tick_cb
, dec_tick_cb
,
7859 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx
, tick_key_evp_cb
)))
7861 #ifndef OPENSSL_NO_DEPRECATED_3_0
7862 } else if (tst
>= 8) {
7863 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx
, tick_key_cb
)))
7868 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7870 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7875 * The decrypt ticket key callback in TLSv1.2 should be called even though
7876 * we have no ticket yet, because it gets called with a status of
7877 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7878 * actually send any ticket data). This does not happen in TLSv1.3 because
7879 * it is not valid to send empty ticket data in TLSv1.3.
7881 if (!TEST_int_eq(gen_tick_called
, 1)
7882 || !TEST_int_eq(dec_tick_called
, ((tst
% 2) == 0) ? 1 : 0))
7885 gen_tick_called
= dec_tick_called
= 0;
7887 clntsess
= SSL_get1_session(clientssl
);
7888 SSL_shutdown(clientssl
);
7889 SSL_shutdown(serverssl
);
7890 SSL_free(serverssl
);
7891 SSL_free(clientssl
);
7892 serverssl
= clientssl
= NULL
;
7894 /* Now do a resumption */
7895 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
7897 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
7898 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7902 if (tick_dec_ret
== SSL_TICKET_RETURN_IGNORE
7903 || tick_dec_ret
== SSL_TICKET_RETURN_IGNORE_RENEW
7904 || tick_key_renew
== -1) {
7905 if (!TEST_false(SSL_session_reused(clientssl
)))
7908 if (!TEST_true(SSL_session_reused(clientssl
)))
7912 if (!TEST_int_eq(gen_tick_called
,
7914 || tick_dec_ret
== SSL_TICKET_RETURN_IGNORE_RENEW
7915 || tick_dec_ret
== SSL_TICKET_RETURN_USE_RENEW
)
7917 /* There is no ticket to decrypt in tests 13 and 19 */
7918 || !TEST_int_eq(dec_tick_called
, (tst
== 13 || tst
== 19) ? 0 : 1))
7924 SSL_SESSION_free(clntsess
);
7925 SSL_free(serverssl
);
7926 SSL_free(clientssl
);
7934 * Test incorrect shutdown.
7935 * Test 0: client does not shutdown properly,
7936 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7937 * server should get SSL_ERROR_SSL
7938 * Test 1: client does not shutdown properly,
7939 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7940 * server should get SSL_ERROR_ZERO_RETURN
7942 static int test_incorrect_shutdown(int tst
)
7944 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7945 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7950 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7951 TLS_client_method(), 0, 0,
7952 &sctx
, &cctx
, cert
, privkey
)))
7956 SSL_CTX_set_options(sctx
, SSL_OP_IGNORE_UNEXPECTED_EOF
);
7958 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7962 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
7966 c2s
= SSL_get_rbio(serverssl
);
7967 BIO_set_mem_eof_return(c2s
, 0);
7969 if (!TEST_false(SSL_read(serverssl
, buf
, sizeof(buf
))))
7972 if (tst
== 0 && !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_SSL
) )
7974 if (tst
== 1 && !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_ZERO_RETURN
) )
7980 SSL_free(serverssl
);
7981 SSL_free(clientssl
);
7989 * Test bi-directional shutdown.
7991 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7992 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7993 * Test 3: TLSv1.3, pending NewSessionTicket messages
7994 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7995 * sends key update, client reads it
7996 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7997 * sends CertificateRequest, client reads and ignores it
7998 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8001 static int test_shutdown(int tst
)
8003 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8004 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8006 char msg
[] = "A test message";
8008 size_t written
, readbytes
;
8011 #ifdef OPENSSL_NO_TLS1_2
8015 #ifdef OSSL_NO_USABLE_TLS1_3
8020 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8021 TLS_client_method(),
8023 (tst
<= 1) ? TLS1_2_VERSION
8025 &sctx
, &cctx
, cert
, privkey
)))
8029 SSL_CTX_set_post_handshake_auth(cctx
, 1);
8031 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8036 if (!TEST_true(create_bare_ssl_connection(serverssl
, clientssl
,
8037 SSL_ERROR_NONE
, 1, 0))
8038 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
8039 || !TEST_false(SSL_SESSION_is_resumable(sess
)))
8041 } else if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
8043 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
8044 || !TEST_true(SSL_SESSION_is_resumable(sess
))) {
8048 if (!TEST_int_eq(SSL_shutdown(clientssl
), 0))
8053 * Reading on the server after the client has sent close_notify should
8054 * fail and provide SSL_ERROR_ZERO_RETURN
8056 if (!TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
8057 || !TEST_int_eq(SSL_get_error(serverssl
, 0),
8058 SSL_ERROR_ZERO_RETURN
)
8059 || !TEST_int_eq(SSL_get_shutdown(serverssl
),
8060 SSL_RECEIVED_SHUTDOWN
)
8062 * Even though we're shutdown on receive we should still be
8065 || !TEST_true(SSL_write(serverssl
, msg
, sizeof(msg
))))
8068 && !TEST_true(SSL_key_update(serverssl
,
8069 SSL_KEY_UPDATE_REQUESTED
)))
8072 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
, NULL
);
8073 if (!TEST_true(SSL_verify_client_post_handshake(serverssl
)))
8076 if ((tst
== 4 || tst
== 5)
8077 && !TEST_true(SSL_write(serverssl
, msg
, sizeof(msg
))))
8079 if (!TEST_int_eq(SSL_shutdown(serverssl
), 1))
8081 if (tst
== 4 || tst
== 5) {
8082 /* Should still be able to read data from server */
8083 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
8085 || !TEST_size_t_eq(readbytes
, sizeof(msg
))
8086 || !TEST_int_eq(memcmp(msg
, buf
, readbytes
), 0)
8087 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
8089 || !TEST_size_t_eq(readbytes
, sizeof(msg
))
8090 || !TEST_int_eq(memcmp(msg
, buf
, readbytes
), 0))
8095 /* Writing on the client after sending close_notify shouldn't be possible */
8096 if (!TEST_false(SSL_write_ex(clientssl
, msg
, sizeof(msg
), &written
)))
8101 * For these tests the client has sent close_notify but it has not yet
8102 * been received by the server. The server has not sent close_notify
8105 if (!TEST_int_eq(SSL_shutdown(serverssl
), 0)
8107 * Writing on the server after sending close_notify shouldn't
8110 || !TEST_false(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
8111 || !TEST_int_eq(SSL_shutdown(clientssl
), 1)
8112 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
8113 || !TEST_true(SSL_SESSION_is_resumable(sess
))
8114 || !TEST_int_eq(SSL_shutdown(serverssl
), 1))
8116 } else if (tst
== 4 || tst
== 5) {
8118 * In this test the client has sent close_notify and it has been
8119 * received by the server which has responded with a close_notify. The
8120 * client needs to read the close_notify sent by the server.
8122 if (!TEST_int_eq(SSL_shutdown(clientssl
), 1)
8123 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
8124 || !TEST_true(SSL_SESSION_is_resumable(sess
)))
8130 * The client has sent close_notify and is expecting a close_notify
8131 * back, but instead there is application data first. The shutdown
8132 * should fail with a fatal error.
8134 if (!TEST_int_eq(SSL_shutdown(clientssl
), -1)
8135 || !TEST_int_eq(SSL_get_error(clientssl
, -1), SSL_ERROR_SSL
))
8142 SSL_free(serverssl
);
8143 SSL_free(clientssl
);
8150 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8151 static int cert_cb_cnt
;
8153 static int cert_cb(SSL
*s
, void *arg
)
8155 SSL_CTX
*ctx
= (SSL_CTX
*)arg
;
8157 EVP_PKEY
*pkey
= NULL
;
8158 X509
*x509
= NULL
, *rootx
= NULL
;
8159 STACK_OF(X509
) *chain
= NULL
;
8160 char *rootfile
= NULL
, *ecdsacert
= NULL
, *ecdsakey
= NULL
;
8163 if (cert_cb_cnt
== 0) {
8164 /* Suspend the handshake */
8167 } else if (cert_cb_cnt
== 1) {
8169 * Update the SSL_CTX, set the certificate and private key and then
8170 * continue the handshake normally.
8172 if (ctx
!= NULL
&& !TEST_ptr(SSL_set_SSL_CTX(s
, ctx
)))
8175 if (!TEST_true(SSL_use_certificate_file(s
, cert
, SSL_FILETYPE_PEM
))
8176 || !TEST_true(SSL_use_PrivateKey_file(s
, privkey
,
8178 || !TEST_true(SSL_check_private_key(s
)))
8182 } else if (cert_cb_cnt
== 3) {
8185 rootfile
= test_mk_file_path(certsdir
, "rootcert.pem");
8186 ecdsacert
= test_mk_file_path(certsdir
, "server-ecdsa-cert.pem");
8187 ecdsakey
= test_mk_file_path(certsdir
, "server-ecdsa-key.pem");
8188 if (!TEST_ptr(rootfile
) || !TEST_ptr(ecdsacert
) || !TEST_ptr(ecdsakey
))
8190 chain
= sk_X509_new_null();
8191 if (!TEST_ptr(chain
))
8193 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
8194 || !TEST_int_gt(BIO_read_filename(in
, rootfile
), 0)
8195 || !TEST_ptr(rootx
= X509_new_ex(libctx
, NULL
))
8196 || !TEST_ptr(PEM_read_bio_X509(in
, &rootx
, NULL
, NULL
))
8197 || !TEST_true(sk_X509_push(chain
, rootx
)))
8201 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
8202 || !TEST_int_gt(BIO_read_filename(in
, ecdsacert
), 0)
8203 || !TEST_ptr(x509
= X509_new_ex(libctx
, NULL
))
8204 || !TEST_ptr(PEM_read_bio_X509(in
, &x509
, NULL
, NULL
)))
8207 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
8208 || !TEST_int_gt(BIO_read_filename(in
, ecdsakey
), 0)
8209 || !TEST_ptr(pkey
= PEM_read_bio_PrivateKey_ex(in
, NULL
,
8213 rv
= SSL_check_chain(s
, x509
, pkey
, chain
);
8215 * If the cert doesn't show as valid here (e.g., because we don't
8216 * have any shared sigalgs), then we will not set it, and there will
8217 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8218 * will cause tls_choose_sigalgs() to fail the connection.
8220 if ((rv
& (CERT_PKEY_VALID
| CERT_PKEY_CA_SIGNATURE
))
8221 == (CERT_PKEY_VALID
| CERT_PKEY_CA_SIGNATURE
)) {
8222 if (!SSL_use_cert_and_key(s
, x509
, pkey
, NULL
, 1))
8229 /* Abort the handshake */
8231 OPENSSL_free(ecdsacert
);
8232 OPENSSL_free(ecdsakey
);
8233 OPENSSL_free(rootfile
);
8235 EVP_PKEY_free(pkey
);
8238 OSSL_STACK_OF_X509_free(chain
);
8243 * Test the certificate callback.
8244 * Test 0: Callback fails
8245 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8246 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8247 * Test 3: Success - Call SSL_check_chain from the callback
8248 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8250 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8252 static int test_cert_cb_int(int prot
, int tst
)
8254 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *snictx
= NULL
;
8255 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8256 int testresult
= 0, ret
;
8258 #ifdef OPENSSL_NO_EC
8259 /* We use an EC cert in these tests, so we skip in a no-ec build */
8264 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8265 TLS_client_method(),
8268 &sctx
, &cctx
, NULL
, NULL
)))
8279 snictx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
8280 if (!TEST_ptr(snictx
))
8284 SSL_CTX_set_cert_cb(sctx
, cert_cb
, snictx
);
8286 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8292 * We cause SSL_check_chain() to fail by specifying sig_algs that
8293 * the chain doesn't meet (the root uses an RSA cert)
8295 if (!TEST_true(SSL_set1_sigalgs_list(clientssl
,
8296 "ecdsa_secp256r1_sha256")))
8298 } else if (tst
== 5) {
8300 * We cause SSL_check_chain() to fail by specifying sig_algs that
8301 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8303 if (!TEST_true(SSL_set1_sigalgs_list(clientssl
,
8304 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8308 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
8309 if (!TEST_true(tst
== 0 || tst
== 4 || tst
== 5 ? !ret
: ret
)
8311 && !TEST_int_eq((cert_cb_cnt
- 2) * (cert_cb_cnt
- 3), 0))) {
8318 SSL_free(serverssl
);
8319 SSL_free(clientssl
);
8322 SSL_CTX_free(snictx
);
8328 static int test_cert_cb(int tst
)
8332 #ifndef OPENSSL_NO_TLS1_2
8333 testresult
&= test_cert_cb_int(TLS1_2_VERSION
, tst
);
8335 #ifndef OSSL_NO_USABLE_TLS1_3
8336 testresult
&= test_cert_cb_int(TLS1_3_VERSION
, tst
);
8342 static int client_cert_cb(SSL
*ssl
, X509
**x509
, EVP_PKEY
**pkey
)
8347 BIO
*priv_in
= NULL
;
8349 /* Check that SSL_get0_peer_certificate() returns something sensible */
8350 if (!TEST_ptr(SSL_get0_peer_certificate(ssl
)))
8353 in
= BIO_new_file(cert
, "r");
8357 if (!TEST_ptr(xcert
= X509_new_ex(libctx
, NULL
))
8358 || !TEST_ptr(PEM_read_bio_X509(in
, &xcert
, NULL
, NULL
))
8359 || !TEST_ptr(priv_in
= BIO_new_file(privkey
, "r"))
8360 || !TEST_ptr(privpkey
= PEM_read_bio_PrivateKey_ex(priv_in
, NULL
,
8378 static int test_client_cert_cb(int tst
)
8380 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8381 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8384 #ifdef OPENSSL_NO_TLS1_2
8388 #ifdef OSSL_NO_USABLE_TLS1_3
8393 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8394 TLS_client_method(),
8396 tst
== 0 ? TLS1_2_VERSION
8398 &sctx
, &cctx
, cert
, privkey
)))
8402 * Test that setting a client_cert_cb results in a client certificate being
8405 SSL_CTX_set_client_cert_cb(cctx
, client_cert_cb
);
8406 SSL_CTX_set_verify(sctx
,
8407 SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
,
8410 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8412 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
8419 SSL_free(serverssl
);
8420 SSL_free(clientssl
);
8427 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8429 * Test setting certificate authorities on both client and server.
8431 * Test 0: SSL_CTX_set0_CA_list() only
8432 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8433 * Test 2: Only SSL_CTX_set_client_CA_list()
8435 static int test_ca_names_int(int prot
, int tst
)
8437 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8438 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8441 X509_NAME
*name
[] = { NULL
, NULL
, NULL
, NULL
};
8442 char *strnames
[] = { "Jack", "Jill", "John", "Joanne" };
8443 STACK_OF(X509_NAME
) *sk1
= NULL
, *sk2
= NULL
;
8444 const STACK_OF(X509_NAME
) *sktmp
= NULL
;
8446 for (i
= 0; i
< OSSL_NELEM(name
); i
++) {
8447 name
[i
] = X509_NAME_new();
8448 if (!TEST_ptr(name
[i
])
8449 || !TEST_true(X509_NAME_add_entry_by_txt(name
[i
], "CN",
8457 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8458 TLS_client_method(),
8461 &sctx
, &cctx
, cert
, privkey
)))
8464 SSL_CTX_set_verify(sctx
, SSL_VERIFY_PEER
, NULL
);
8466 if (tst
== 0 || tst
== 1) {
8467 if (!TEST_ptr(sk1
= sk_X509_NAME_new_null())
8468 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[0])))
8469 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[1])))
8470 || !TEST_ptr(sk2
= sk_X509_NAME_new_null())
8471 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[0])))
8472 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[1]))))
8475 SSL_CTX_set0_CA_list(sctx
, sk1
);
8476 SSL_CTX_set0_CA_list(cctx
, sk2
);
8479 if (tst
== 1 || tst
== 2) {
8480 if (!TEST_ptr(sk1
= sk_X509_NAME_new_null())
8481 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[2])))
8482 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[3])))
8483 || !TEST_ptr(sk2
= sk_X509_NAME_new_null())
8484 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[2])))
8485 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[3]))))
8488 SSL_CTX_set_client_CA_list(sctx
, sk1
);
8489 SSL_CTX_set_client_CA_list(cctx
, sk2
);
8493 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8495 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
8500 * We only expect certificate authorities to have been sent to the server
8501 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8503 sktmp
= SSL_get0_peer_CA_list(serverssl
);
8504 if (prot
== TLS1_3_VERSION
8505 && (tst
== 0 || tst
== 1)) {
8506 if (!TEST_ptr(sktmp
)
8507 || !TEST_int_eq(sk_X509_NAME_num(sktmp
), 2)
8508 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 0),
8510 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 1),
8513 } else if (!TEST_ptr_null(sktmp
)) {
8518 * In all tests we expect certificate authorities to have been sent to the
8519 * client. However, SSL_set_client_CA_list() should override
8520 * SSL_set0_CA_list()
8522 sktmp
= SSL_get0_peer_CA_list(clientssl
);
8523 if (!TEST_ptr(sktmp
)
8524 || !TEST_int_eq(sk_X509_NAME_num(sktmp
), 2)
8525 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 0),
8526 name
[tst
== 0 ? 0 : 2]), 0)
8527 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 1),
8528 name
[tst
== 0 ? 1 : 3]), 0))
8534 SSL_free(serverssl
);
8535 SSL_free(clientssl
);
8538 for (i
= 0; i
< OSSL_NELEM(name
); i
++)
8539 X509_NAME_free(name
[i
]);
8540 sk_X509_NAME_pop_free(sk1
, X509_NAME_free
);
8541 sk_X509_NAME_pop_free(sk2
, X509_NAME_free
);
8547 static int test_ca_names(int tst
)
8551 #ifndef OPENSSL_NO_TLS1_2
8552 testresult
&= test_ca_names_int(TLS1_2_VERSION
, tst
);
8554 #ifndef OSSL_NO_USABLE_TLS1_3
8555 testresult
&= test_ca_names_int(TLS1_3_VERSION
, tst
);
8561 #ifndef OPENSSL_NO_TLS1_2
8562 static const char *multiblock_cipherlist_data
[]=
8570 /* Reduce the fragment size - so the multiblock test buffer can be small */
8571 # define MULTIBLOCK_FRAGSIZE 512
8573 static int test_multiblock_write(int test_index
)
8575 static const char *fetchable_ciphers
[]=
8577 "AES-128-CBC-HMAC-SHA1",
8578 "AES-128-CBC-HMAC-SHA256",
8579 "AES-256-CBC-HMAC-SHA1",
8580 "AES-256-CBC-HMAC-SHA256"
8582 const char *cipherlist
= multiblock_cipherlist_data
[test_index
];
8583 const SSL_METHOD
*smeth
= TLS_server_method();
8584 const SSL_METHOD
*cmeth
= TLS_client_method();
8585 int min_version
= TLS1_VERSION
;
8586 int max_version
= TLS1_2_VERSION
; /* Don't select TLS1_3 */
8587 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8588 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8592 * Choose a buffer large enough to perform a multi-block operation
8593 * i.e: write_len >= 4 * frag_size
8594 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8596 unsigned char msg
[MULTIBLOCK_FRAGSIZE
* 9];
8597 unsigned char buf
[sizeof(msg
)], *p
= buf
;
8598 size_t readbytes
, written
, len
;
8599 EVP_CIPHER
*ciph
= NULL
;
8602 * Check if the cipher exists before attempting to use it since it only has
8603 * a hardware specific implementation.
8605 ciph
= EVP_CIPHER_fetch(libctx
, fetchable_ciphers
[test_index
], "");
8607 TEST_skip("Multiblock cipher is not available for %s", cipherlist
);
8610 EVP_CIPHER_free(ciph
);
8612 /* Set up a buffer with some data that will be sent to the client */
8613 RAND_bytes(msg
, sizeof(msg
));
8615 if (!TEST_true(create_ssl_ctx_pair(libctx
, smeth
, cmeth
, min_version
,
8616 max_version
, &sctx
, &cctx
, cert
,
8620 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx
, MULTIBLOCK_FRAGSIZE
)))
8623 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8627 /* settings to force it to use AES-CBC-HMAC_SHA */
8628 SSL_set_options(serverssl
, SSL_OP_NO_ENCRYPT_THEN_MAC
);
8629 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipherlist
)))
8632 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8635 if (!TEST_true(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
8636 || !TEST_size_t_eq(written
, sizeof(msg
)))
8641 if (!TEST_true(SSL_read_ex(clientssl
, p
, MULTIBLOCK_FRAGSIZE
, &readbytes
)))
8646 if (!TEST_mem_eq(msg
, sizeof(msg
), buf
, sizeof(buf
)))
8651 SSL_free(serverssl
);
8652 SSL_free(clientssl
);
8658 #endif /* OPENSSL_NO_TLS1_2 */
8660 static int test_session_timeout(int test
)
8663 * Test session ordering and timeout
8664 * Can't explicitly test performance of the new code,
8665 * but can test to see if the ordering of the sessions
8666 * are correct, and they they are removed as expected
8668 SSL_SESSION
*early
= NULL
;
8669 SSL_SESSION
*middle
= NULL
;
8670 SSL_SESSION
*late
= NULL
;
8673 long now
= (long)time(NULL
);
8676 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method()))
8677 || !TEST_ptr(early
= SSL_SESSION_new())
8678 || !TEST_ptr(middle
= SSL_SESSION_new())
8679 || !TEST_ptr(late
= SSL_SESSION_new()))
8682 /* assign unique session ids */
8683 early
->session_id_length
= SSL3_SSL_SESSION_ID_LENGTH
;
8684 memset(early
->session_id
, 1, SSL3_SSL_SESSION_ID_LENGTH
);
8685 middle
->session_id_length
= SSL3_SSL_SESSION_ID_LENGTH
;
8686 memset(middle
->session_id
, 2, SSL3_SSL_SESSION_ID_LENGTH
);
8687 late
->session_id_length
= SSL3_SSL_SESSION_ID_LENGTH
;
8688 memset(late
->session_id
, 3, SSL3_SSL_SESSION_ID_LENGTH
);
8690 if (!TEST_int_eq(SSL_CTX_add_session(ctx
, early
), 1)
8691 || !TEST_int_eq(SSL_CTX_add_session(ctx
, middle
), 1)
8692 || !TEST_int_eq(SSL_CTX_add_session(ctx
, late
), 1))
8695 /* Make sure they are all added */
8696 if (!TEST_ptr(early
->prev
)
8697 || !TEST_ptr(middle
->prev
)
8698 || !TEST_ptr(late
->prev
))
8701 if (!TEST_int_ne(SSL_SESSION_set_time(early
, now
- 10), 0)
8702 || !TEST_int_ne(SSL_SESSION_set_time(middle
, now
), 0)
8703 || !TEST_int_ne(SSL_SESSION_set_time(late
, now
+ 10), 0))
8706 if (!TEST_int_ne(SSL_SESSION_set_timeout(early
, TIMEOUT
), 0)
8707 || !TEST_int_ne(SSL_SESSION_set_timeout(middle
, TIMEOUT
), 0)
8708 || !TEST_int_ne(SSL_SESSION_set_timeout(late
, TIMEOUT
), 0))
8711 /* Make sure they are all still there */
8712 if (!TEST_ptr(early
->prev
)
8713 || !TEST_ptr(middle
->prev
)
8714 || !TEST_ptr(late
->prev
))
8717 /* Make sure they are in the expected order */
8718 if (!TEST_ptr_eq(late
->next
, middle
)
8719 || !TEST_ptr_eq(middle
->next
, early
)
8720 || !TEST_ptr_eq(early
->prev
, middle
)
8721 || !TEST_ptr_eq(middle
->prev
, late
))
8724 /* This should remove "early" */
8725 SSL_CTX_flush_sessions(ctx
, now
+ TIMEOUT
- 1);
8726 if (!TEST_ptr_null(early
->prev
)
8727 || !TEST_ptr(middle
->prev
)
8728 || !TEST_ptr(late
->prev
))
8731 /* This should remove "middle" */
8732 SSL_CTX_flush_sessions(ctx
, now
+ TIMEOUT
+ 1);
8733 if (!TEST_ptr_null(early
->prev
)
8734 || !TEST_ptr_null(middle
->prev
)
8735 || !TEST_ptr(late
->prev
))
8738 /* This should remove "late" */
8739 SSL_CTX_flush_sessions(ctx
, now
+ TIMEOUT
+ 11);
8740 if (!TEST_ptr_null(early
->prev
)
8741 || !TEST_ptr_null(middle
->prev
)
8742 || !TEST_ptr_null(late
->prev
))
8745 /* Add them back in again */
8746 if (!TEST_int_eq(SSL_CTX_add_session(ctx
, early
), 1)
8747 || !TEST_int_eq(SSL_CTX_add_session(ctx
, middle
), 1)
8748 || !TEST_int_eq(SSL_CTX_add_session(ctx
, late
), 1))
8751 /* Make sure they are all added */
8752 if (!TEST_ptr(early
->prev
)
8753 || !TEST_ptr(middle
->prev
)
8754 || !TEST_ptr(late
->prev
))
8757 /* This should remove all of them */
8758 SSL_CTX_flush_sessions(ctx
, 0);
8759 if (!TEST_ptr_null(early
->prev
)
8760 || !TEST_ptr_null(middle
->prev
)
8761 || !TEST_ptr_null(late
->prev
))
8764 (void)SSL_CTX_set_session_cache_mode(ctx
, SSL_SESS_CACHE_UPDATE_TIME
8765 | SSL_CTX_get_session_cache_mode(ctx
));
8767 /* make sure |now| is NOT equal to the current time */
8769 if (!TEST_int_ne(SSL_SESSION_set_time(early
, now
), 0)
8770 || !TEST_int_eq(SSL_CTX_add_session(ctx
, early
), 1)
8771 || !TEST_long_ne(SSL_SESSION_get_time(early
), now
))
8777 SSL_SESSION_free(early
);
8778 SSL_SESSION_free(middle
);
8779 SSL_SESSION_free(late
);
8784 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8785 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8786 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8787 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8788 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8789 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8790 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8791 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8792 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8793 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8795 static int test_servername(int tst
)
8797 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8798 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8800 SSL_SESSION
*sess
= NULL
;
8801 const char *sexpectedhost
= NULL
, *cexpectedhost
= NULL
;
8803 #ifdef OPENSSL_NO_TLS1_2
8807 #ifdef OSSL_NO_USABLE_TLS1_3
8812 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8813 TLS_client_method(),
8815 (tst
<= 4) ? TLS1_2_VERSION
8817 &sctx
, &cctx
, cert
, privkey
))
8818 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8822 if (tst
!= 1 && tst
!= 6) {
8823 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
,
8828 if (tst
!= 3 && tst
!= 8) {
8829 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost")))
8831 sexpectedhost
= cexpectedhost
= "goodhost";
8834 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8837 if (!TEST_str_eq(SSL_get_servername(clientssl
, TLSEXT_NAMETYPE_host_name
),
8839 || !TEST_str_eq(SSL_get_servername(serverssl
,
8840 TLSEXT_NAMETYPE_host_name
),
8844 /* Now repeat with a resumption handshake */
8846 if (!TEST_int_eq(SSL_shutdown(clientssl
), 0)
8847 || !TEST_ptr_ne(sess
= SSL_get1_session(clientssl
), NULL
)
8848 || !TEST_true(SSL_SESSION_is_resumable(sess
))
8849 || !TEST_int_eq(SSL_shutdown(serverssl
), 0))
8852 SSL_free(clientssl
);
8853 SSL_free(serverssl
);
8854 clientssl
= serverssl
= NULL
;
8856 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
8860 if (!TEST_true(SSL_set_session(clientssl
, sess
)))
8863 sexpectedhost
= cexpectedhost
= "goodhost";
8864 if (tst
== 2 || tst
== 7) {
8865 /* Set an inconsistent hostname */
8866 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "altgoodhost")))
8869 * In TLSv1.2 we expect the hostname from the original handshake, in
8870 * TLSv1.3 we expect the hostname from this handshake
8873 sexpectedhost
= cexpectedhost
= "altgoodhost";
8875 if (!TEST_str_eq(SSL_get_servername(clientssl
,
8876 TLSEXT_NAMETYPE_host_name
),
8879 } else if (tst
== 4 || tst
== 9) {
8881 * A TLSv1.3 session does not associate a session with a servername,
8882 * but a TLSv1.2 session does.
8885 sexpectedhost
= cexpectedhost
= NULL
;
8887 if (!TEST_str_eq(SSL_get_servername(clientssl
,
8888 TLSEXT_NAMETYPE_host_name
),
8892 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost")))
8895 * In a TLSv1.2 resumption where the hostname was not acknowledged
8896 * we expect the hostname on the server to be empty. On the client we
8897 * return what was requested in this case.
8899 * Similarly if the client didn't set a hostname on an original TLSv1.2
8900 * session but is now, the server hostname will be empty, but the client
8903 if (tst
== 1 || tst
== 3)
8904 sexpectedhost
= NULL
;
8906 if (!TEST_str_eq(SSL_get_servername(clientssl
,
8907 TLSEXT_NAMETYPE_host_name
),
8912 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8915 if (!TEST_true(SSL_session_reused(clientssl
))
8916 || !TEST_true(SSL_session_reused(serverssl
))
8917 || !TEST_str_eq(SSL_get_servername(clientssl
,
8918 TLSEXT_NAMETYPE_host_name
),
8920 || !TEST_str_eq(SSL_get_servername(serverssl
,
8921 TLSEXT_NAMETYPE_host_name
),
8928 SSL_SESSION_free(sess
);
8929 SSL_free(serverssl
);
8930 SSL_free(clientssl
);
8937 #if !defined(OPENSSL_NO_EC) \
8938 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8940 * Test that if signature algorithms are not available, then we do not offer or
8942 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8943 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8944 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8945 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8946 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8947 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8949 static int test_sigalgs_available(int idx
)
8951 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8952 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8954 OSSL_LIB_CTX
*tmpctx
= OSSL_LIB_CTX_new();
8955 OSSL_LIB_CTX
*clientctx
= libctx
, *serverctx
= libctx
;
8956 OSSL_PROVIDER
*filterprov
= NULL
;
8959 if (!TEST_ptr(tmpctx
))
8962 if (idx
!= 0 && idx
!= 3) {
8963 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx
, "filter",
8964 filter_provider_init
)))
8967 filterprov
= OSSL_PROVIDER_load(tmpctx
, "filter");
8968 if (!TEST_ptr(filterprov
))
8973 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8974 * or accepted for the peer that uses this libctx. Note that libssl
8975 * *requires* SHA2-256 to be available so we cannot disable that. We
8976 * also need SHA1 for our certificate.
8978 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST
,
8982 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE
,
8984 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT
,
8989 if (idx
== 1 || idx
== 4)
8995 cctx
= SSL_CTX_new_ex(clientctx
, NULL
, TLS_client_method());
8996 sctx
= SSL_CTX_new_ex(serverctx
, NULL
, TLS_server_method());
8997 if (!TEST_ptr(cctx
) || !TEST_ptr(sctx
))
9001 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9002 TLS_client_method(),
9005 &sctx
, &cctx
, cert
, privkey
)))
9008 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9009 TLS_client_method(),
9012 &sctx
, &cctx
, cert2
, privkey2
)))
9016 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9018 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
9019 "ECDHE-RSA-AES128-GCM-SHA256")))
9022 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
9023 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9028 if (!SSL_CTX_set1_sigalgs_list(cctx
,
9029 "rsa_pss_rsae_sha384"
9030 ":rsa_pss_rsae_sha256")
9031 || !SSL_CTX_set1_sigalgs_list(sctx
,
9032 "rsa_pss_rsae_sha384"
9033 ":rsa_pss_rsae_sha256"))
9036 if (!SSL_CTX_set1_sigalgs_list(cctx
, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9037 || !SSL_CTX_set1_sigalgs_list(sctx
,
9038 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9043 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx
, cert2
,
9044 SSL_FILETYPE_PEM
), 1)
9045 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx
,
9047 SSL_FILETYPE_PEM
), 1)
9048 || !TEST_int_eq(SSL_CTX_check_private_key(sctx
), 1)))
9051 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9055 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9058 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9059 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl
, 0, &sig
, &hash
, NULL
,
9061 (idx
== 0 || idx
== 3) ? 2 : 1))
9064 if (!TEST_int_eq(hash
, idx
== 0 ? NID_sha384
: NID_sha256
))
9067 if (!TEST_int_eq(sig
, (idx
== 4 || idx
== 5) ? EVP_PKEY_EC
9071 testresult
= filter_provider_check_clean_finish();
9074 SSL_free(serverssl
);
9075 SSL_free(clientssl
);
9078 OSSL_PROVIDER_unload(filterprov
);
9079 OSSL_LIB_CTX_free(tmpctx
);
9084 * !defined(OPENSSL_NO_EC) \
9085 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9088 #ifndef OPENSSL_NO_TLS1_3
9089 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9090 static int test_pluggable_group(int idx
)
9092 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9093 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9095 OSSL_PROVIDER
*tlsprov
= OSSL_PROVIDER_load(libctx
, "tls-provider");
9096 /* Check that we are not impacted by a provider without any groups */
9097 OSSL_PROVIDER
*legacyprov
= OSSL_PROVIDER_load(libctx
, "legacy");
9098 const char *group_name
= idx
== 0 ? "xorgroup" : "xorkemgroup";
9100 if (!TEST_ptr(tlsprov
))
9103 if (legacyprov
== NULL
) {
9105 * In this case we assume we've been built with "no-legacy" and skip
9106 * this test (there is no OPENSSL_NO_LEGACY)
9112 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9113 TLS_client_method(),
9116 &sctx
, &cctx
, cert
, privkey
))
9117 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9121 if (!TEST_true(SSL_set1_groups_list(serverssl
, group_name
))
9122 || !TEST_true(SSL_set1_groups_list(clientssl
, group_name
)))
9125 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9128 if (!TEST_str_eq(group_name
,
9129 SSL_group_to_name(serverssl
, SSL_get_shared_group(serverssl
, 0))))
9135 SSL_free(serverssl
);
9136 SSL_free(clientssl
);
9139 OSSL_PROVIDER_unload(tlsprov
);
9140 OSSL_PROVIDER_unload(legacyprov
);
9146 #ifndef OPENSSL_NO_TLS1_2
9147 static int test_ssl_dup(void)
9149 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9150 SSL
*clientssl
= NULL
, *serverssl
= NULL
, *client2ssl
= NULL
;
9152 BIO
*rbio
= NULL
, *wbio
= NULL
;
9154 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9155 TLS_client_method(),
9158 &sctx
, &cctx
, cert
, privkey
)))
9161 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9165 if (!TEST_true(SSL_set_min_proto_version(clientssl
, TLS1_2_VERSION
))
9166 || !TEST_true(SSL_set_max_proto_version(clientssl
, TLS1_2_VERSION
)))
9169 client2ssl
= SSL_dup(clientssl
);
9170 rbio
= SSL_get_rbio(clientssl
);
9172 || !TEST_true(BIO_up_ref(rbio
)))
9174 SSL_set0_rbio(client2ssl
, rbio
);
9177 wbio
= SSL_get_wbio(clientssl
);
9178 if (!TEST_ptr(wbio
) || !TEST_true(BIO_up_ref(wbio
)))
9180 SSL_set0_wbio(client2ssl
, wbio
);
9183 if (!TEST_ptr(client2ssl
)
9184 /* Handshake not started so pointers should be different */
9185 || !TEST_ptr_ne(clientssl
, client2ssl
))
9188 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl
), TLS1_2_VERSION
)
9189 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl
), TLS1_2_VERSION
))
9192 if (!TEST_true(create_ssl_connection(serverssl
, client2ssl
, SSL_ERROR_NONE
)))
9195 SSL_free(clientssl
);
9196 clientssl
= SSL_dup(client2ssl
);
9197 if (!TEST_ptr(clientssl
)
9198 /* Handshake has finished so pointers should be the same */
9199 || !TEST_ptr_eq(clientssl
, client2ssl
))
9205 SSL_free(serverssl
);
9206 SSL_free(clientssl
);
9207 SSL_free(client2ssl
);
9214 # ifndef OPENSSL_NO_DH
9216 static EVP_PKEY
*tmp_dh_params
= NULL
;
9218 /* Helper function for the test_set_tmp_dh() tests */
9219 static EVP_PKEY
*get_tmp_dh_params(void)
9221 if (tmp_dh_params
== NULL
) {
9223 OSSL_PARAM_BLD
*tmpl
= NULL
;
9224 EVP_PKEY_CTX
*pctx
= NULL
;
9225 OSSL_PARAM
*params
= NULL
;
9226 EVP_PKEY
*dhpkey
= NULL
;
9228 p
= BN_get_rfc3526_prime_2048(NULL
);
9232 pctx
= EVP_PKEY_CTX_new_from_name(libctx
, "DH", NULL
);
9234 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx
), 1))
9237 tmpl
= OSSL_PARAM_BLD_new();
9239 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl
,
9240 OSSL_PKEY_PARAM_FFC_P
,
9242 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl
,
9243 OSSL_PKEY_PARAM_FFC_G
,
9247 params
= OSSL_PARAM_BLD_to_param(tmpl
);
9248 if (!TEST_ptr(params
)
9249 || !TEST_int_eq(EVP_PKEY_fromdata(pctx
, &dhpkey
,
9250 EVP_PKEY_KEY_PARAMETERS
,
9254 tmp_dh_params
= dhpkey
;
9257 EVP_PKEY_CTX_free(pctx
);
9258 OSSL_PARAM_BLD_free(tmpl
);
9259 OSSL_PARAM_free(params
);
9262 if (tmp_dh_params
!= NULL
&& !EVP_PKEY_up_ref(tmp_dh_params
))
9265 return tmp_dh_params
;
9268 # ifndef OPENSSL_NO_DEPRECATED_3_0
9269 /* Callback used by test_set_tmp_dh() */
9270 static DH
*tmp_dh_callback(SSL
*s
, int is_export
, int keylen
)
9272 EVP_PKEY
*dhpkey
= get_tmp_dh_params();
9275 if (!TEST_ptr(dhpkey
))
9279 * libssl does not free the returned DH, so we free it now knowing that even
9280 * after we free dhpkey, there will still be a reference to the owning
9281 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9282 * of time we need it for.
9284 ret
= EVP_PKEY_get1_DH(dhpkey
);
9287 EVP_PKEY_free(dhpkey
);
9294 * Test the various methods for setting temporary DH parameters
9296 * Test 0: Default (no auto) setting
9297 * Test 1: Explicit SSL_CTX auto off
9298 * Test 2: Explicit SSL auto off
9299 * Test 3: Explicit SSL_CTX auto on
9300 * Test 4: Explicit SSL auto on
9301 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9302 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9304 * The following are testing deprecated APIs, so we only run them if available
9305 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9306 * Test 8: Explicit SSL auto off, custom DH params via DH
9307 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9308 * Test 10: Explicit SSL auto off, custom DH params via callback
9310 static int test_set_tmp_dh(int idx
)
9312 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9313 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9315 int dhauto
= (idx
== 3 || idx
== 4) ? 1 : 0;
9316 int expected
= (idx
<= 2) ? 0 : 1;
9317 EVP_PKEY
*dhpkey
= NULL
;
9318 # ifndef OPENSSL_NO_DEPRECATED_3_0
9326 if (idx
>= 5 && idx
<= 8) {
9327 dhpkey
= get_tmp_dh_params();
9328 if (!TEST_ptr(dhpkey
))
9331 # ifndef OPENSSL_NO_DEPRECATED_3_0
9332 if (idx
== 7 || idx
== 8) {
9333 dh
= EVP_PKEY_get1_DH(dhpkey
);
9339 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9340 TLS_client_method(),
9343 &sctx
, &cctx
, cert
, privkey
)))
9346 if ((idx
& 1) == 1) {
9347 if (!TEST_true(SSL_CTX_set_dh_auto(sctx
, dhauto
)))
9352 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx
, dhpkey
)))
9356 # ifndef OPENSSL_NO_DEPRECATED_3_0
9357 else if (idx
== 7) {
9358 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx
, dh
)))
9360 } else if (idx
== 9) {
9361 SSL_CTX_set_tmp_dh_callback(sctx
, tmp_dh_callback
);
9365 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9369 if ((idx
& 1) == 0 && idx
!= 0) {
9370 if (!TEST_true(SSL_set_dh_auto(serverssl
, dhauto
)))
9374 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl
, dhpkey
)))
9378 # ifndef OPENSSL_NO_DEPRECATED_3_0
9379 else if (idx
== 8) {
9380 if (!TEST_true(SSL_set_tmp_dh(serverssl
, dh
)))
9382 } else if (idx
== 10) {
9383 SSL_set_tmp_dh_callback(serverssl
, tmp_dh_callback
);
9387 if (!TEST_true(SSL_set_min_proto_version(serverssl
, TLS1_2_VERSION
))
9388 || !TEST_true(SSL_set_max_proto_version(serverssl
, TLS1_2_VERSION
))
9389 || !TEST_true(SSL_set_cipher_list(serverssl
, "DHE-RSA-AES128-SHA")))
9393 * If autoon then we should succeed. Otherwise we expect failure because
9394 * there are no parameters
9396 if (!TEST_int_eq(create_ssl_connection(serverssl
, clientssl
,
9397 SSL_ERROR_NONE
), expected
))
9403 # ifndef OPENSSL_NO_DEPRECATED_3_0
9406 SSL_free(serverssl
);
9407 SSL_free(clientssl
);
9410 EVP_PKEY_free(dhpkey
);
9416 * Test the auto DH keys are appropriately sized
9418 static int test_dh_auto(int idx
)
9420 SSL_CTX
*cctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_client_method());
9421 SSL_CTX
*sctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9422 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9424 EVP_PKEY
*tmpkey
= NULL
;
9425 char *thiscert
= NULL
, *thiskey
= NULL
;
9426 size_t expdhsize
= 0;
9427 const char *ciphersuite
= "DHE-RSA-AES128-SHA";
9429 if (!TEST_ptr(sctx
) || !TEST_ptr(cctx
))
9434 /* The FIPS provider doesn't support this DH size - so we ignore it */
9439 thiscert
= cert1024
;
9440 thiskey
= privkey1024
;
9442 SSL_CTX_set_security_level(sctx
, 1);
9443 SSL_CTX_set_security_level(cctx
, 1);
9446 /* 2048 bit prime */
9452 thiscert
= cert3072
;
9453 thiskey
= privkey3072
;
9457 thiscert
= cert4096
;
9458 thiskey
= privkey4096
;
9462 thiscert
= cert8192
;
9463 thiskey
= privkey8192
;
9466 /* No certificate cases */
9468 /* The FIPS provider doesn't support this DH size - so we ignore it */
9473 ciphersuite
= "ADH-AES128-SHA256:@SECLEVEL=0";
9477 ciphersuite
= "ADH-AES256-SHA256:@SECLEVEL=0";
9481 TEST_error("Invalid text index");
9485 if (!TEST_true(create_ssl_ctx_pair(libctx
, NULL
,
9489 &sctx
, &cctx
, thiscert
, thiskey
)))
9492 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9496 if (!TEST_true(SSL_set_dh_auto(serverssl
, 1))
9497 || !TEST_true(SSL_set_min_proto_version(serverssl
, TLS1_2_VERSION
))
9498 || !TEST_true(SSL_set_max_proto_version(serverssl
, TLS1_2_VERSION
))
9499 || !TEST_true(SSL_set_cipher_list(serverssl
, ciphersuite
))
9500 || !TEST_true(SSL_set_cipher_list(clientssl
, ciphersuite
)))
9504 * Send the server's first flight. At this point the server has created the
9505 * temporary DH key but hasn't finished using it yet. Once used it is
9506 * removed, so we cannot test it.
9508 if (!TEST_int_le(SSL_connect(clientssl
), 0)
9509 || !TEST_int_le(SSL_accept(serverssl
), 0))
9512 if (!TEST_int_gt(SSL_get_tmp_key(serverssl
, &tmpkey
), 0))
9514 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey
), expdhsize
))
9517 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9523 SSL_free(serverssl
);
9524 SSL_free(clientssl
);
9527 EVP_PKEY_free(tmpkey
);
9532 # endif /* OPENSSL_NO_DH */
9533 #endif /* OPENSSL_NO_TLS1_2 */
9535 #ifndef OSSL_NO_USABLE_TLS1_3
9537 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9538 * that it works even without a certificate configured for the original
9541 static int test_sni_tls13(void)
9543 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
9544 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9547 /* Reset callback counter */
9550 /* Create an initial SSL_CTX with no certificate configured */
9551 sctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9552 if (!TEST_ptr(sctx
))
9554 /* Require TLSv1.3 as a minimum */
9555 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9556 TLS_client_method(), TLS1_3_VERSION
, 0,
9557 &sctx2
, &cctx
, cert
, privkey
)))
9561 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
, sni_cb
))
9562 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx
, sctx2
)))
9566 * Connection should still succeed because the final SSL_CTX has the right
9567 * certificates configured.
9569 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
9570 &clientssl
, NULL
, NULL
))
9571 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
9575 /* We should have had the SNI callback called exactly once */
9576 if (!TEST_int_eq(snicb
, 1))
9582 SSL_free(serverssl
);
9583 SSL_free(clientssl
);
9584 SSL_CTX_free(sctx2
);
9591 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9595 static int test_ticket_lifetime(int idx
)
9597 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9598 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9600 int version
= TLS1_3_VERSION
;
9602 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9603 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9606 #ifdef OPENSSL_NO_TLS1_2
9607 return TEST_skip("TLS 1.2 is disabled.");
9609 version
= TLS1_2_VERSION
;
9613 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9614 TLS_client_method(), version
, version
,
9615 &sctx
, &cctx
, cert
, privkey
)))
9618 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
9619 &clientssl
, NULL
, NULL
)))
9623 * Set the timeout to be more than 1 week
9624 * make sure the returned value is the default
9626 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx
, TWO_WEEK_SEC
),
9627 SSL_get_default_timeout(serverssl
)))
9630 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9634 /* TLSv1.2 uses the set value */
9635 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl
)), TWO_WEEK_SEC
))
9638 /* TLSv1.3 uses the limited value */
9639 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl
)), ONE_WEEK_SEC
))
9645 SSL_free(serverssl
);
9646 SSL_free(clientssl
);
9653 * Test that setting an ALPN does not violate RFC
9655 static int test_set_alpn(void)
9657 SSL_CTX
*ctx
= NULL
;
9661 unsigned char bad0
[] = { 0x00, 'b', 'a', 'd' };
9662 unsigned char good
[] = { 0x04, 'g', 'o', 'o', 'd' };
9663 unsigned char bad1
[] = { 0x01, 'b', 'a', 'd' };
9664 unsigned char bad2
[] = { 0x03, 'b', 'a', 'd', 0x00};
9665 unsigned char bad3
[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9666 unsigned char bad4
[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9668 /* Create an initial SSL_CTX with no certificate configured */
9669 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9673 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9674 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx
, NULL
, 2)))
9676 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx
, good
, 0)))
9678 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx
, good
, sizeof(good
))))
9680 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, good
, 1)))
9682 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad0
, sizeof(bad0
))))
9684 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad1
, sizeof(bad1
))))
9686 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad2
, sizeof(bad2
))))
9688 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad3
, sizeof(bad3
))))
9690 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad4
, sizeof(bad4
))))
9697 if (!TEST_false(SSL_set_alpn_protos(ssl
, NULL
, 2)))
9699 if (!TEST_false(SSL_set_alpn_protos(ssl
, good
, 0)))
9701 if (!TEST_false(SSL_set_alpn_protos(ssl
, good
, sizeof(good
))))
9703 if (!TEST_true(SSL_set_alpn_protos(ssl
, good
, 1)))
9705 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad0
, sizeof(bad0
))))
9707 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad1
, sizeof(bad1
))))
9709 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad2
, sizeof(bad2
))))
9711 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad3
, sizeof(bad3
))))
9713 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad4
, sizeof(bad4
))))
9725 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9727 static int test_set_verify_cert_store_ssl_ctx(void)
9729 SSL_CTX
*ctx
= NULL
;
9731 X509_STORE
*store
= NULL
, *new_store
= NULL
,
9732 *cstore
= NULL
, *new_cstore
= NULL
;
9734 /* Create an initial SSL_CTX. */
9735 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9739 /* Retrieve verify store pointer. */
9740 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx
, &store
)))
9743 /* Retrieve chain store pointer. */
9744 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx
, &cstore
)))
9747 /* We haven't set any yet, so this should be NULL. */
9748 if (!TEST_ptr_null(store
) || !TEST_ptr_null(cstore
))
9751 /* Create stores. We use separate stores so pointers are different. */
9752 new_store
= X509_STORE_new();
9753 if (!TEST_ptr(new_store
))
9756 new_cstore
= X509_STORE_new();
9757 if (!TEST_ptr(new_cstore
))
9761 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx
, new_store
)))
9764 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx
, new_cstore
)))
9767 /* Should be able to retrieve the same pointer. */
9768 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx
, &store
)))
9771 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx
, &cstore
)))
9774 if (!TEST_ptr_eq(store
, new_store
) || !TEST_ptr_eq(cstore
, new_cstore
))
9777 /* Should be able to unset again. */
9778 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx
, NULL
)))
9781 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx
, NULL
)))
9784 /* Should now be NULL. */
9785 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx
, &store
)))
9788 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx
, &cstore
)))
9791 if (!TEST_ptr_null(store
) || !TEST_ptr_null(cstore
))
9797 X509_STORE_free(new_store
);
9798 X509_STORE_free(new_cstore
);
9804 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9806 static int test_set_verify_cert_store_ssl(void)
9808 SSL_CTX
*ctx
= NULL
;
9811 X509_STORE
*store
= NULL
, *new_store
= NULL
,
9812 *cstore
= NULL
, *new_cstore
= NULL
;
9814 /* Create an initial SSL_CTX. */
9815 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9819 /* Create an SSL object. */
9824 /* Retrieve verify store pointer. */
9825 if (!TEST_true(SSL_get0_verify_cert_store(ssl
, &store
)))
9828 /* Retrieve chain store pointer. */
9829 if (!TEST_true(SSL_get0_chain_cert_store(ssl
, &cstore
)))
9832 /* We haven't set any yet, so this should be NULL. */
9833 if (!TEST_ptr_null(store
) || !TEST_ptr_null(cstore
))
9836 /* Create stores. We use separate stores so pointers are different. */
9837 new_store
= X509_STORE_new();
9838 if (!TEST_ptr(new_store
))
9841 new_cstore
= X509_STORE_new();
9842 if (!TEST_ptr(new_cstore
))
9846 if (!TEST_true(SSL_set1_verify_cert_store(ssl
, new_store
)))
9849 if (!TEST_true(SSL_set1_chain_cert_store(ssl
, new_cstore
)))
9852 /* Should be able to retrieve the same pointer. */
9853 if (!TEST_true(SSL_get0_verify_cert_store(ssl
, &store
)))
9856 if (!TEST_true(SSL_get0_chain_cert_store(ssl
, &cstore
)))
9859 if (!TEST_ptr_eq(store
, new_store
) || !TEST_ptr_eq(cstore
, new_cstore
))
9862 /* Should be able to unset again. */
9863 if (!TEST_true(SSL_set1_verify_cert_store(ssl
, NULL
)))
9866 if (!TEST_true(SSL_set1_chain_cert_store(ssl
, NULL
)))
9869 /* Should now be NULL. */
9870 if (!TEST_true(SSL_get0_verify_cert_store(ssl
, &store
)))
9873 if (!TEST_true(SSL_get0_chain_cert_store(ssl
, &cstore
)))
9876 if (!TEST_ptr_null(store
) || !TEST_ptr_null(cstore
))
9882 X509_STORE_free(new_store
);
9883 X509_STORE_free(new_cstore
);
9890 static int test_inherit_verify_param(void)
9894 SSL_CTX
*ctx
= NULL
;
9895 X509_VERIFY_PARAM
*cp
= NULL
;
9897 X509_VERIFY_PARAM
*sp
= NULL
;
9898 int hostflags
= X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
;
9900 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9904 cp
= SSL_CTX_get0_param(ctx
);
9907 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp
), 0))
9910 X509_VERIFY_PARAM_set_hostflags(cp
, hostflags
);
9916 sp
= SSL_get0_param(ssl
);
9919 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp
), hostflags
))
9931 static int test_load_dhfile(void)
9933 #ifndef OPENSSL_NO_DH
9936 SSL_CTX
*ctx
= NULL
;
9937 SSL_CONF_CTX
*cctx
= NULL
;
9942 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_client_method()))
9943 || !TEST_ptr(cctx
= SSL_CONF_CTX_new()))
9946 SSL_CONF_CTX_set_ssl_ctx(cctx
, ctx
);
9947 SSL_CONF_CTX_set_flags(cctx
,
9948 SSL_CONF_FLAG_CERTIFICATE
9949 | SSL_CONF_FLAG_SERVER
9950 | SSL_CONF_FLAG_FILE
);
9952 if (!TEST_int_eq(SSL_CONF_cmd(cctx
, "DHParameters", dhfile
), 2))
9957 SSL_CONF_CTX_free(cctx
);
9962 return TEST_skip("DH not supported by this build");
9966 #ifndef OSSL_NO_USABLE_TLS1_3
9967 /* Test that read_ahead works across a key change */
9968 static int test_read_ahead_key_change(void)
9970 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9971 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9973 char *msg
= "Hello World";
9974 size_t written
, readbytes
;
9978 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9979 TLS_client_method(), TLS1_3_VERSION
, 0,
9980 &sctx
, &cctx
, cert
, privkey
)))
9983 SSL_CTX_set_read_ahead(sctx
, 1);
9985 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
9986 &clientssl
, NULL
, NULL
)))
9989 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9992 /* Write some data, send a key update, write more data */
9993 if (!TEST_true(SSL_write_ex(clientssl
, msg
, strlen(msg
), &written
))
9994 || !TEST_size_t_eq(written
, strlen(msg
)))
9997 if (!TEST_true(SSL_key_update(clientssl
, SSL_KEY_UPDATE_NOT_REQUESTED
)))
10000 if (!TEST_true(SSL_write_ex(clientssl
, msg
, strlen(msg
), &written
))
10001 || !TEST_size_t_eq(written
, strlen(msg
)))
10005 * Since read_ahead is on the first read below should read the record with
10006 * the first app data, the second record with the key update message, and
10007 * the third record with the app data all in one go. We should be able to
10008 * still process the read_ahead data correctly even though it crosses
10011 for (i
= 0; i
< 2; i
++) {
10012 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
) - 1,
10016 buf
[readbytes
] = '\0';
10017 if (!TEST_str_eq(buf
, msg
))
10024 SSL_free(serverssl
);
10025 SSL_free(clientssl
);
10026 SSL_CTX_free(sctx
);
10027 SSL_CTX_free(cctx
);
10031 static size_t record_pad_cb(SSL
*s
, int type
, size_t len
, void *arg
)
10035 switch ((*called
)++) {
10037 /* Add some padding to first record */
10040 /* Maximally pad the second record */
10041 return SSL3_RT_MAX_PLAIN_LENGTH
- len
;
10044 * Exceeding the maximum padding should be fine. It should just pad to
10045 * the maximum anyway
10047 return SSL3_RT_MAX_PLAIN_LENGTH
+ 1 - len
;
10050 * Very large padding should also be ok. Should just pad to the maximum
10060 * Test that setting record padding in TLSv1.3 works as expected
10061 * Test 0: Record padding callback on the SSL_CTX
10062 * Test 1: Record padding callback on the SSL
10063 * Test 2: Record block padding on the SSL_CTX
10064 * Test 3: Record block padding on the SSL
10066 static int test_tls13_record_padding(int idx
)
10068 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
10069 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
10070 int testresult
= 0;
10071 char *msg
= "Hello World";
10072 size_t written
, readbytes
;
10077 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
10078 TLS_client_method(), TLS1_3_VERSION
, 0,
10079 &sctx
, &cctx
, cert
, privkey
)))
10083 SSL_CTX_set_record_padding_callback(cctx
, record_pad_cb
);
10084 SSL_CTX_set_record_padding_callback_arg(cctx
, &called
);
10085 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx
), &called
))
10087 } else if (idx
== 2) {
10088 /* Exceeding the max plain length should fail */
10089 if (!TEST_false(SSL_CTX_set_block_padding(cctx
,
10090 SSL3_RT_MAX_PLAIN_LENGTH
+ 1)))
10092 if (!TEST_true(SSL_CTX_set_block_padding(cctx
, 512)))
10096 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
10097 &clientssl
, NULL
, NULL
)))
10101 SSL_set_record_padding_callback(clientssl
, record_pad_cb
);
10102 SSL_set_record_padding_callback_arg(clientssl
, &called
);
10103 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl
), &called
))
10105 } else if (idx
== 3) {
10106 /* Exceeding the max plain length should fail */
10107 if (!TEST_false(SSL_set_block_padding(clientssl
,
10108 SSL3_RT_MAX_PLAIN_LENGTH
+ 1)))
10110 if (!TEST_true(SSL_set_block_padding(clientssl
, 512)))
10114 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
10119 * Write some data, then check we can read it. Do this four times to check
10120 * we can continue to write and read padded data after the initial record
10121 * padding has been added. We don't actually check that the padding has
10122 * been applied to the record - just that we can continue to communicate
10123 * normally and that the callback has been called (if appropriate).
10125 for (i
= 0; i
< 4; i
++) {
10126 if (!TEST_true(SSL_write_ex(clientssl
, msg
, strlen(msg
), &written
))
10127 || !TEST_size_t_eq(written
, strlen(msg
)))
10130 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
) - 1,
10132 || !TEST_size_t_eq(written
, readbytes
))
10135 buf
[readbytes
] = '\0';
10136 if (!TEST_str_eq(buf
, msg
))
10140 if ((idx
== 0 || idx
== 1) && !TEST_int_eq(called
, 4))
10145 SSL_free(serverssl
);
10146 SSL_free(clientssl
);
10147 SSL_CTX_free(sctx
);
10148 SSL_CTX_free(cctx
);
10151 #endif /* OSSL_NO_USABLE_TLS1_3 */
10153 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
10155 int setup_tests(void)
10160 libctx
= OSSL_LIB_CTX_new();
10161 if (!TEST_ptr(libctx
))
10164 defctxnull
= OSSL_PROVIDER_load(NULL
, "null");
10167 * Verify that the default and fips providers in the default libctx are not
10170 if (!TEST_false(OSSL_PROVIDER_available(NULL
, "default"))
10171 || !TEST_false(OSSL_PROVIDER_available(NULL
, "fips")))
10174 if (!test_skip_common_options()) {
10175 TEST_error("Error parsing test options\n");
10179 if (!TEST_ptr(certsdir
= test_get_argument(0))
10180 || !TEST_ptr(srpvfile
= test_get_argument(1))
10181 || !TEST_ptr(tmpfilename
= test_get_argument(2))
10182 || !TEST_ptr(modulename
= test_get_argument(3))
10183 || !TEST_ptr(configfile
= test_get_argument(4))
10184 || !TEST_ptr(dhfile
= test_get_argument(5)))
10187 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx
, configfile
)))
10190 /* Check we have the expected provider available */
10191 if (!TEST_true(OSSL_PROVIDER_available(libctx
, modulename
)))
10194 /* Check the default provider is not available */
10195 if (strcmp(modulename
, "default") != 0
10196 && !TEST_false(OSSL_PROVIDER_available(libctx
, "default")))
10199 if (strcmp(modulename
, "fips") == 0)
10203 * We add, but don't load the test "tls-provider". We'll load it when we
10206 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx
, "tls-provider",
10207 tls_provider_init
)))
10211 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL
) {
10212 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
10213 TEST_error("not supported in this build");
10216 int i
, mcount
, rcount
, fcount
;
10218 for (i
= 0; i
< 4; i
++)
10219 test_export_key_mat(i
);
10220 CRYPTO_get_alloc_counts(&mcount
, &rcount
, &fcount
);
10221 test_printf_stdout("malloc %d realloc %d free %d\n",
10222 mcount
, rcount
, fcount
);
10227 cert
= test_mk_file_path(certsdir
, "servercert.pem");
10231 privkey
= test_mk_file_path(certsdir
, "serverkey.pem");
10232 if (privkey
== NULL
)
10235 cert2
= test_mk_file_path(certsdir
, "server-ecdsa-cert.pem");
10239 privkey2
= test_mk_file_path(certsdir
, "server-ecdsa-key.pem");
10240 if (privkey2
== NULL
)
10243 cert1024
= test_mk_file_path(certsdir
, "ee-cert-1024.pem");
10244 if (cert1024
== NULL
)
10247 privkey1024
= test_mk_file_path(certsdir
, "ee-key-1024.pem");
10248 if (privkey1024
== NULL
)
10251 cert3072
= test_mk_file_path(certsdir
, "ee-cert-3072.pem");
10252 if (cert3072
== NULL
)
10255 privkey3072
= test_mk_file_path(certsdir
, "ee-key-3072.pem");
10256 if (privkey3072
== NULL
)
10259 cert4096
= test_mk_file_path(certsdir
, "ee-cert-4096.pem");
10260 if (cert4096
== NULL
)
10263 privkey4096
= test_mk_file_path(certsdir
, "ee-key-4096.pem");
10264 if (privkey4096
== NULL
)
10267 cert8192
= test_mk_file_path(certsdir
, "ee-cert-8192.pem");
10268 if (cert8192
== NULL
)
10271 privkey8192
= test_mk_file_path(certsdir
, "ee-key-8192.pem");
10272 if (privkey8192
== NULL
)
10275 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
10276 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
10277 ADD_ALL_TESTS(test_ktls
, NUM_KTLS_TEST_CIPHERS
* 4);
10278 ADD_ALL_TESTS(test_ktls_sendfile
, NUM_KTLS_TEST_CIPHERS
);
10281 ADD_TEST(test_large_message_tls
);
10282 ADD_TEST(test_large_message_tls_read_ahead
);
10283 #ifndef OPENSSL_NO_DTLS
10284 ADD_TEST(test_large_message_dtls
);
10286 ADD_TEST(test_cleanse_plaintext
);
10287 #ifndef OPENSSL_NO_OCSP
10288 ADD_TEST(test_tlsext_status_type
);
10290 ADD_TEST(test_session_with_only_int_cache
);
10291 ADD_TEST(test_session_with_only_ext_cache
);
10292 ADD_TEST(test_session_with_both_cache
);
10293 ADD_TEST(test_session_wo_ca_names
);
10294 #ifndef OSSL_NO_USABLE_TLS1_3
10295 ADD_ALL_TESTS(test_stateful_tickets
, 3);
10296 ADD_ALL_TESTS(test_stateless_tickets
, 3);
10297 ADD_TEST(test_psk_tickets
);
10298 ADD_ALL_TESTS(test_extra_tickets
, 6);
10300 ADD_ALL_TESTS(test_ssl_set_bio
, TOTAL_SSL_SET_BIO_TESTS
);
10301 ADD_TEST(test_ssl_bio_pop_next_bio
);
10302 ADD_TEST(test_ssl_bio_pop_ssl_bio
);
10303 ADD_TEST(test_ssl_bio_change_rbio
);
10304 ADD_TEST(test_ssl_bio_change_wbio
);
10305 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
10306 ADD_ALL_TESTS(test_set_sigalgs
, OSSL_NELEM(testsigalgs
) * 2);
10307 ADD_TEST(test_keylog
);
10309 #ifndef OSSL_NO_USABLE_TLS1_3
10310 ADD_TEST(test_keylog_no_master_key
);
10312 ADD_TEST(test_client_cert_verify_cb
);
10313 ADD_TEST(test_ssl_build_cert_chain
);
10314 ADD_TEST(test_ssl_ctx_build_cert_chain
);
10315 #ifndef OPENSSL_NO_TLS1_2
10316 ADD_TEST(test_client_hello_cb
);
10317 ADD_TEST(test_no_ems
);
10318 ADD_TEST(test_ccs_change_cipher
);
10320 #ifndef OSSL_NO_USABLE_TLS1_3
10321 ADD_ALL_TESTS(test_early_data_read_write
, 3);
10323 * We don't do replay tests for external PSK. Replay protection isn't used
10324 * in that scenario.
10326 ADD_ALL_TESTS(test_early_data_replay
, 2);
10327 ADD_ALL_TESTS(test_early_data_skip
, 3);
10328 ADD_ALL_TESTS(test_early_data_skip_hrr
, 3);
10329 ADD_ALL_TESTS(test_early_data_skip_hrr_fail
, 3);
10330 ADD_ALL_TESTS(test_early_data_skip_abort
, 3);
10331 ADD_ALL_TESTS(test_early_data_not_sent
, 3);
10332 ADD_ALL_TESTS(test_early_data_psk
, 8);
10333 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers
, 5);
10334 ADD_ALL_TESTS(test_early_data_not_expected
, 3);
10335 # ifndef OPENSSL_NO_TLS1_2
10336 ADD_ALL_TESTS(test_early_data_tls1_2
, 3);
10339 #ifndef OSSL_NO_USABLE_TLS1_3
10340 ADD_ALL_TESTS(test_set_ciphersuite
, 10);
10341 ADD_TEST(test_ciphersuite_change
);
10342 ADD_ALL_TESTS(test_tls13_ciphersuite
, 4);
10343 # ifdef OPENSSL_NO_PSK
10344 ADD_ALL_TESTS(test_tls13_psk
, 1);
10346 ADD_ALL_TESTS(test_tls13_psk
, 4);
10347 # endif /* OPENSSL_NO_PSK */
10348 # ifndef OPENSSL_NO_TLS1_2
10349 /* Test with both TLSv1.3 and 1.2 versions */
10350 ADD_ALL_TESTS(test_key_exchange
, 14);
10351 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10352 ADD_ALL_TESTS(test_negotiated_group
,
10353 4 * (OSSL_NELEM(ecdhe_kexch_groups
)
10354 + OSSL_NELEM(ffdhe_kexch_groups
)));
10357 /* Test with only TLSv1.3 versions */
10358 ADD_ALL_TESTS(test_key_exchange
, 12);
10360 ADD_ALL_TESTS(test_custom_exts
, 6);
10361 ADD_TEST(test_stateless
);
10362 ADD_TEST(test_pha_key_update
);
10364 ADD_ALL_TESTS(test_custom_exts
, 3);
10366 ADD_ALL_TESTS(test_export_key_mat
, 6);
10367 #ifndef OSSL_NO_USABLE_TLS1_3
10368 ADD_ALL_TESTS(test_export_key_mat_early
, 3);
10369 ADD_TEST(test_key_update
);
10370 ADD_ALL_TESTS(test_key_update_peer_in_write
, 2);
10371 ADD_ALL_TESTS(test_key_update_peer_in_read
, 2);
10372 ADD_ALL_TESTS(test_key_update_local_in_write
, 2);
10373 ADD_ALL_TESTS(test_key_update_local_in_read
, 2);
10375 ADD_ALL_TESTS(test_ssl_clear
, 2);
10376 ADD_ALL_TESTS(test_max_fragment_len_ext
, OSSL_NELEM(max_fragment_len_test
));
10377 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10378 ADD_ALL_TESTS(test_srp
, 6);
10380 #if !defined(OPENSSL_NO_COMP_ALG)
10381 /* Add compression case */
10382 ADD_ALL_TESTS(test_info_callback
, 8);
10384 ADD_ALL_TESTS(test_info_callback
, 6);
10386 ADD_ALL_TESTS(test_ssl_pending
, 2);
10387 ADD_ALL_TESTS(test_ssl_get_shared_ciphers
, OSSL_NELEM(shared_ciphers_data
));
10388 ADD_ALL_TESTS(test_ticket_callbacks
, 20);
10389 ADD_ALL_TESTS(test_shutdown
, 7);
10390 ADD_ALL_TESTS(test_incorrect_shutdown
, 2);
10391 ADD_ALL_TESTS(test_cert_cb
, 6);
10392 ADD_ALL_TESTS(test_client_cert_cb
, 2);
10393 ADD_ALL_TESTS(test_ca_names
, 3);
10394 #ifndef OPENSSL_NO_TLS1_2
10395 ADD_ALL_TESTS(test_multiblock_write
, OSSL_NELEM(multiblock_cipherlist_data
));
10397 ADD_ALL_TESTS(test_servername
, 10);
10398 #if !defined(OPENSSL_NO_EC) \
10399 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10400 ADD_ALL_TESTS(test_sigalgs_available
, 6);
10402 #ifndef OPENSSL_NO_TLS1_3
10403 ADD_ALL_TESTS(test_pluggable_group
, 2);
10405 #ifndef OPENSSL_NO_TLS1_2
10406 ADD_TEST(test_ssl_dup
);
10407 # ifndef OPENSSL_NO_DH
10408 ADD_ALL_TESTS(test_set_tmp_dh
, 11);
10409 ADD_ALL_TESTS(test_dh_auto
, 7);
10412 #ifndef OSSL_NO_USABLE_TLS1_3
10413 ADD_TEST(test_sni_tls13
);
10414 ADD_ALL_TESTS(test_ticket_lifetime
, 2);
10416 ADD_TEST(test_inherit_verify_param
);
10417 ADD_TEST(test_set_alpn
);
10418 ADD_TEST(test_set_verify_cert_store_ssl_ctx
);
10419 ADD_TEST(test_set_verify_cert_store_ssl
);
10420 ADD_ALL_TESTS(test_session_timeout
, 1);
10421 ADD_TEST(test_load_dhfile
);
10422 #ifndef OSSL_NO_USABLE_TLS1_3
10423 ADD_TEST(test_read_ahead_key_change
);
10424 ADD_ALL_TESTS(test_tls13_record_padding
, 4);
10426 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
10427 ADD_ALL_TESTS(test_serverinfo_custom
, 4);
10432 OPENSSL_free(cert
);
10433 OPENSSL_free(privkey
);
10434 OPENSSL_free(cert2
);
10435 OPENSSL_free(privkey2
);
10439 void cleanup_tests(void)
10441 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10442 EVP_PKEY_free(tmp_dh_params
);
10444 OPENSSL_free(cert
);
10445 OPENSSL_free(privkey
);
10446 OPENSSL_free(cert2
);
10447 OPENSSL_free(privkey2
);
10448 OPENSSL_free(cert1024
);
10449 OPENSSL_free(privkey1024
);
10450 OPENSSL_free(cert3072
);
10451 OPENSSL_free(privkey3072
);
10452 OPENSSL_free(cert4096
);
10453 OPENSSL_free(privkey4096
);
10454 OPENSSL_free(cert8192
);
10455 OPENSSL_free(privkey8192
);
10456 bio_s_mempacket_test_free();
10457 bio_s_always_retry_free();
10458 OSSL_PROVIDER_unload(defctxnull
);
10459 OSSL_LIB_CTX_free(libctx
);