2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
37 #include "helpers/ssltestlib.h"
39 #include "testutil/output.h"
40 #include "internal/nelem.h"
41 #include "internal/ktls.h"
42 #include "../ssl/ssl_local.h"
43 #include "filterprov.h"
45 #undef OSSL_NO_USABLE_TLS1_3
46 #if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49 * If we don't have ec or dh then there are no built-in groups that are usable
52 # define OSSL_NO_USABLE_TLS1_3
55 /* Defined in tls-provider.c */
56 int tls_provider_init(const OSSL_CORE_HANDLE
*handle
,
57 const OSSL_DISPATCH
*in
,
58 const OSSL_DISPATCH
**out
,
61 static OSSL_LIB_CTX
*libctx
= NULL
;
62 static OSSL_PROVIDER
*defctxnull
= NULL
;
64 #ifndef OSSL_NO_USABLE_TLS1_3
66 static SSL_SESSION
*clientpsk
= NULL
;
67 static SSL_SESSION
*serverpsk
= NULL
;
68 static const char *pskid
= "Identity";
69 static const char *srvid
;
71 static int use_session_cb(SSL
*ssl
, const EVP_MD
*md
, const unsigned char **id
,
72 size_t *idlen
, SSL_SESSION
**sess
);
73 static int find_session_cb(SSL
*ssl
, const unsigned char *identity
,
74 size_t identity_len
, SSL_SESSION
**sess
);
76 static int use_session_cb_cnt
= 0;
77 static int find_session_cb_cnt
= 0;
79 static SSL_SESSION
*create_a_psk(SSL
*ssl
);
82 static char *certsdir
= NULL
;
83 static char *cert
= NULL
;
84 static char *privkey
= NULL
;
85 static char *cert2
= NULL
;
86 static char *privkey2
= NULL
;
87 static char *cert1024
= NULL
;
88 static char *privkey1024
= NULL
;
89 static char *cert3072
= NULL
;
90 static char *privkey3072
= NULL
;
91 static char *cert4096
= NULL
;
92 static char *privkey4096
= NULL
;
93 static char *cert8192
= NULL
;
94 static char *privkey8192
= NULL
;
95 static char *srpvfile
= NULL
;
96 static char *tmpfilename
= NULL
;
97 static char *dhfile
= NULL
;
99 static int is_fips
= 0;
101 #define LOG_BUFFER_SIZE 2048
102 static char server_log_buffer
[LOG_BUFFER_SIZE
+ 1] = {0};
103 static size_t server_log_buffer_index
= 0;
104 static char client_log_buffer
[LOG_BUFFER_SIZE
+ 1] = {0};
105 static size_t client_log_buffer_index
= 0;
106 static int error_writing_log
= 0;
108 #ifndef OPENSSL_NO_OCSP
109 static const unsigned char orespder
[] = "Dummy OCSP Response";
110 static int ocsp_server_called
= 0;
111 static int ocsp_client_called
= 0;
113 static int cdummyarg
= 1;
114 static X509
*ocspcert
= NULL
;
117 #define NUM_EXTRA_CERTS 40
118 #define CLIENT_VERSION_LEN 2
121 * This structure is used to validate that the correct number of log messages
122 * of various types are emitted when emitting secret logs.
124 struct sslapitest_log_counts
{
125 unsigned int rsa_key_exchange_count
;
126 unsigned int master_secret_count
;
127 unsigned int client_early_secret_count
;
128 unsigned int client_handshake_secret_count
;
129 unsigned int server_handshake_secret_count
;
130 unsigned int client_application_secret_count
;
131 unsigned int server_application_secret_count
;
132 unsigned int early_exporter_secret_count
;
133 unsigned int exporter_secret_count
;
137 static unsigned char serverinfov1
[] = {
138 0xff, 0xff, /* Dummy extension type */
139 0x00, 0x01, /* Extension length is 1 byte */
140 0xff /* Dummy extension data */
143 static unsigned char serverinfov2
[] = {
145 (unsigned char)(SSL_EXT_CLIENT_HELLO
& 0xff), /* Dummy context - 4 bytes */
146 0xff, 0xff, /* Dummy extension type */
147 0x00, 0x01, /* Extension length is 1 byte */
148 0xff /* Dummy extension data */
151 static int hostname_cb(SSL
*s
, int *al
, void *arg
)
153 const char *hostname
= SSL_get_servername(s
, TLSEXT_NAMETYPE_host_name
);
155 if (hostname
!= NULL
&& (strcmp(hostname
, "goodhost") == 0
156 || strcmp(hostname
, "altgoodhost") == 0))
157 return SSL_TLSEXT_ERR_OK
;
159 return SSL_TLSEXT_ERR_NOACK
;
162 static void client_keylog_callback(const SSL
*ssl
, const char *line
)
164 int line_length
= strlen(line
);
166 /* If the log doesn't fit, error out. */
167 if (client_log_buffer_index
+ line_length
> sizeof(client_log_buffer
) - 1) {
168 TEST_info("Client log too full");
169 error_writing_log
= 1;
173 strcat(client_log_buffer
, line
);
174 client_log_buffer_index
+= line_length
;
175 client_log_buffer
[client_log_buffer_index
++] = '\n';
178 static void server_keylog_callback(const SSL
*ssl
, const char *line
)
180 int line_length
= strlen(line
);
182 /* If the log doesn't fit, error out. */
183 if (server_log_buffer_index
+ line_length
> sizeof(server_log_buffer
) - 1) {
184 TEST_info("Server log too full");
185 error_writing_log
= 1;
189 strcat(server_log_buffer
, line
);
190 server_log_buffer_index
+= line_length
;
191 server_log_buffer
[server_log_buffer_index
++] = '\n';
194 static int compare_hex_encoded_buffer(const char *hex_encoded
,
202 if (!TEST_size_t_eq(raw_length
* 2, hex_length
))
205 for (i
= j
= 0; i
< raw_length
&& j
+ 1 < hex_length
; i
++, j
+= 2) {
206 sprintf(hexed
, "%02x", raw
[i
]);
207 if (!TEST_int_eq(hexed
[0], hex_encoded
[j
])
208 || !TEST_int_eq(hexed
[1], hex_encoded
[j
+ 1]))
215 static int test_keylog_output(char *buffer
, const SSL
*ssl
,
216 const SSL_SESSION
*session
,
217 struct sslapitest_log_counts
*expected
)
220 unsigned char actual_client_random
[SSL3_RANDOM_SIZE
] = {0};
221 size_t client_random_size
= SSL3_RANDOM_SIZE
;
222 unsigned char actual_master_key
[SSL_MAX_MASTER_KEY_LENGTH
] = {0};
223 size_t master_key_size
= SSL_MAX_MASTER_KEY_LENGTH
;
224 unsigned int rsa_key_exchange_count
= 0;
225 unsigned int master_secret_count
= 0;
226 unsigned int client_early_secret_count
= 0;
227 unsigned int client_handshake_secret_count
= 0;
228 unsigned int server_handshake_secret_count
= 0;
229 unsigned int client_application_secret_count
= 0;
230 unsigned int server_application_secret_count
= 0;
231 unsigned int early_exporter_secret_count
= 0;
232 unsigned int exporter_secret_count
= 0;
234 for (token
= strtok(buffer
, " \n"); token
!= NULL
;
235 token
= strtok(NULL
, " \n")) {
236 if (strcmp(token
, "RSA") == 0) {
238 * Premaster secret. Tokens should be: 16 ASCII bytes of
239 * hex-encoded encrypted secret, then the hex-encoded pre-master
242 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
244 if (!TEST_size_t_eq(strlen(token
), 16))
246 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
249 * We can't sensibly check the log because the premaster secret is
250 * transient, and OpenSSL doesn't keep hold of it once the master
251 * secret is generated.
253 rsa_key_exchange_count
++;
254 } else if (strcmp(token
, "CLIENT_RANDOM") == 0) {
256 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
257 * client random, then the hex-encoded master secret.
259 client_random_size
= SSL_get_client_random(ssl
,
260 actual_client_random
,
262 if (!TEST_size_t_eq(client_random_size
, SSL3_RANDOM_SIZE
))
265 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
267 if (!TEST_size_t_eq(strlen(token
), 64))
269 if (!TEST_false(compare_hex_encoded_buffer(token
, 64,
270 actual_client_random
,
271 client_random_size
)))
274 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
276 master_key_size
= SSL_SESSION_get_master_key(session
,
279 if (!TEST_size_t_ne(master_key_size
, 0))
281 if (!TEST_false(compare_hex_encoded_buffer(token
, strlen(token
),
285 master_secret_count
++;
286 } else if (strcmp(token
, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
287 || strcmp(token
, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token
, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
289 || strcmp(token
, "CLIENT_TRAFFIC_SECRET_0") == 0
290 || strcmp(token
, "SERVER_TRAFFIC_SECRET_0") == 0
291 || strcmp(token
, "EARLY_EXPORTER_SECRET") == 0
292 || strcmp(token
, "EXPORTER_SECRET") == 0) {
294 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
295 * client random, and then the hex-encoded secret. In this case,
296 * we treat all of these secrets identically and then just
297 * distinguish between them when counting what we saw.
299 if (strcmp(token
, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
300 client_early_secret_count
++;
301 else if (strcmp(token
, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
302 client_handshake_secret_count
++;
303 else if (strcmp(token
, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
304 server_handshake_secret_count
++;
305 else if (strcmp(token
, "CLIENT_TRAFFIC_SECRET_0") == 0)
306 client_application_secret_count
++;
307 else if (strcmp(token
, "SERVER_TRAFFIC_SECRET_0") == 0)
308 server_application_secret_count
++;
309 else if (strcmp(token
, "EARLY_EXPORTER_SECRET") == 0)
310 early_exporter_secret_count
++;
311 else if (strcmp(token
, "EXPORTER_SECRET") == 0)
312 exporter_secret_count
++;
314 client_random_size
= SSL_get_client_random(ssl
,
315 actual_client_random
,
317 if (!TEST_size_t_eq(client_random_size
, SSL3_RANDOM_SIZE
))
320 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
322 if (!TEST_size_t_eq(strlen(token
), 64))
324 if (!TEST_false(compare_hex_encoded_buffer(token
, 64,
325 actual_client_random
,
326 client_random_size
)))
329 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
332 TEST_info("Unexpected token %s\n", token
);
337 /* Got what we expected? */
338 if (!TEST_size_t_eq(rsa_key_exchange_count
,
339 expected
->rsa_key_exchange_count
)
340 || !TEST_size_t_eq(master_secret_count
,
341 expected
->master_secret_count
)
342 || !TEST_size_t_eq(client_early_secret_count
,
343 expected
->client_early_secret_count
)
344 || !TEST_size_t_eq(client_handshake_secret_count
,
345 expected
->client_handshake_secret_count
)
346 || !TEST_size_t_eq(server_handshake_secret_count
,
347 expected
->server_handshake_secret_count
)
348 || !TEST_size_t_eq(client_application_secret_count
,
349 expected
->client_application_secret_count
)
350 || !TEST_size_t_eq(server_application_secret_count
,
351 expected
->server_application_secret_count
)
352 || !TEST_size_t_eq(early_exporter_secret_count
,
353 expected
->early_exporter_secret_count
)
354 || !TEST_size_t_eq(exporter_secret_count
,
355 expected
->exporter_secret_count
))
360 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
361 static int test_keylog(void)
363 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
364 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
366 struct sslapitest_log_counts expected
;
368 /* Clean up logging space */
369 memset(&expected
, 0, sizeof(expected
));
370 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
371 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
372 client_log_buffer_index
= 0;
373 server_log_buffer_index
= 0;
374 error_writing_log
= 0;
376 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
379 &sctx
, &cctx
, cert
, privkey
)))
382 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
383 SSL_CTX_set_options(cctx
, SSL_OP_NO_TLSv1_3
);
384 SSL_CTX_set_options(sctx
, SSL_OP_NO_TLSv1_3
);
386 /* We also want to ensure that we use RSA-based key exchange. */
387 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "RSA")))
390 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
) == NULL
)
391 || !TEST_true(SSL_CTX_get_keylog_callback(sctx
) == NULL
))
393 SSL_CTX_set_keylog_callback(cctx
, client_keylog_callback
);
394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
)
395 == client_keylog_callback
))
397 SSL_CTX_set_keylog_callback(sctx
, server_keylog_callback
);
398 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx
)
399 == server_keylog_callback
))
402 /* Now do a handshake and check that the logs have been written to. */
403 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
404 &clientssl
, NULL
, NULL
))
405 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
407 || !TEST_false(error_writing_log
)
408 || !TEST_int_gt(client_log_buffer_index
, 0)
409 || !TEST_int_gt(server_log_buffer_index
, 0))
413 * Now we want to test that our output data was vaguely sensible. We
414 * do that by using strtok and confirming that we have more or less the
415 * data we expect. For both client and server, we expect to see one master
416 * secret. The client should also see a RSA key exchange.
418 expected
.rsa_key_exchange_count
= 1;
419 expected
.master_secret_count
= 1;
420 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
421 SSL_get_session(clientssl
), &expected
)))
424 expected
.rsa_key_exchange_count
= 0;
425 if (!TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
426 SSL_get_session(serverssl
), &expected
)))
441 #ifndef OSSL_NO_USABLE_TLS1_3
442 static int test_keylog_no_master_key(void)
444 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
445 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
446 SSL_SESSION
*sess
= NULL
;
448 struct sslapitest_log_counts expected
;
449 unsigned char buf
[1];
450 size_t readbytes
, written
;
452 /* Clean up logging space */
453 memset(&expected
, 0, sizeof(expected
));
454 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
455 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
456 client_log_buffer_index
= 0;
457 server_log_buffer_index
= 0;
458 error_writing_log
= 0;
460 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
461 TLS_client_method(), TLS1_VERSION
, 0,
462 &sctx
, &cctx
, cert
, privkey
))
463 || !TEST_true(SSL_CTX_set_max_early_data(sctx
,
464 SSL3_RT_MAX_PLAIN_LENGTH
)))
467 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
) == NULL
)
468 || !TEST_true(SSL_CTX_get_keylog_callback(sctx
) == NULL
))
471 SSL_CTX_set_keylog_callback(cctx
, client_keylog_callback
);
472 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
)
473 == client_keylog_callback
))
476 SSL_CTX_set_keylog_callback(sctx
, server_keylog_callback
);
477 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx
)
478 == server_keylog_callback
))
481 /* Now do a handshake and check that the logs have been written to. */
482 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
483 &clientssl
, NULL
, NULL
))
484 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
486 || !TEST_false(error_writing_log
))
490 * Now we want to test that our output data was vaguely sensible. For this
491 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
492 * TLSv1.3, but we do expect both client and server to emit keys.
494 expected
.client_handshake_secret_count
= 1;
495 expected
.server_handshake_secret_count
= 1;
496 expected
.client_application_secret_count
= 1;
497 expected
.server_application_secret_count
= 1;
498 expected
.exporter_secret_count
= 1;
499 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
500 SSL_get_session(clientssl
), &expected
))
501 || !TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
502 SSL_get_session(serverssl
),
506 /* Terminate old session and resume with early data. */
507 sess
= SSL_get1_session(clientssl
);
508 SSL_shutdown(clientssl
);
509 SSL_shutdown(serverssl
);
512 serverssl
= clientssl
= NULL
;
515 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
516 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
517 client_log_buffer_index
= 0;
518 server_log_buffer_index
= 0;
520 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
521 &clientssl
, NULL
, NULL
))
522 || !TEST_true(SSL_set_session(clientssl
, sess
))
523 /* Here writing 0 length early data is enough. */
524 || !TEST_true(SSL_write_early_data(clientssl
, NULL
, 0, &written
))
525 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
527 SSL_READ_EARLY_DATA_ERROR
)
528 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
529 SSL_EARLY_DATA_ACCEPTED
)
530 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
532 || !TEST_true(SSL_session_reused(clientssl
)))
535 /* In addition to the previous entries, expect early secrets. */
536 expected
.client_early_secret_count
= 1;
537 expected
.early_exporter_secret_count
= 1;
538 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
539 SSL_get_session(clientssl
), &expected
))
540 || !TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
541 SSL_get_session(serverssl
),
548 SSL_SESSION_free(sess
);
558 static int verify_retry_cb(X509_STORE_CTX
*ctx
, void *arg
)
560 int res
= X509_verify_cert(ctx
);
561 int idx
= SSL_get_ex_data_X509_STORE_CTX_idx();
564 /* this should not happen but check anyway */
566 || (ssl
= X509_STORE_CTX_get_ex_data(ctx
, idx
)) == NULL
)
569 if (res
== 0 && X509_STORE_CTX_get_error(ctx
) ==
570 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
)
571 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
572 return SSL_set_retry_verify(ssl
);
577 static int test_client_cert_verify_cb(void)
579 /* server key, cert, chain, and root */
580 char *skey
= test_mk_file_path(certsdir
, "leaf.key");
581 char *leaf
= test_mk_file_path(certsdir
, "leaf.pem");
582 char *int2
= test_mk_file_path(certsdir
, "subinterCA.pem");
583 char *int1
= test_mk_file_path(certsdir
, "interCA.pem");
584 char *root
= test_mk_file_path(certsdir
, "rootCA.pem");
585 X509
*crt1
= NULL
, *crt2
= NULL
;
586 STACK_OF(X509
) *server_chain
;
587 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
588 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
591 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
592 TLS_client_method(), TLS1_VERSION
, 0,
593 &sctx
, &cctx
, NULL
, NULL
)))
595 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx
, leaf
), 1)
596 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx
, skey
,
597 SSL_FILETYPE_PEM
), 1)
598 || !TEST_int_eq(SSL_CTX_check_private_key(sctx
), 1))
600 if (!TEST_true(SSL_CTX_load_verify_locations(cctx
, root
, NULL
)))
602 SSL_CTX_set_verify(cctx
, SSL_VERIFY_PEER
, NULL
);
603 SSL_CTX_set_cert_verify_callback(cctx
, verify_retry_cb
, NULL
);
604 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
605 &clientssl
, NULL
, NULL
)))
608 /* attempt SSL_connect() with incomplete server chain */
609 if (!TEST_false(create_ssl_connection(serverssl
, clientssl
,
610 SSL_ERROR_WANT_RETRY_VERIFY
)))
613 /* application provides intermediate certs needed to verify server cert */
614 if (!TEST_ptr((crt1
= load_cert_pem(int1
, libctx
)))
615 || !TEST_ptr((crt2
= load_cert_pem(int2
, libctx
)))
616 || !TEST_ptr((server_chain
= SSL_get_peer_cert_chain(clientssl
))))
618 /* add certs in reverse order to demonstrate real chain building */
619 if (!TEST_true(sk_X509_push(server_chain
, crt1
)))
622 if (!TEST_true(sk_X509_push(server_chain
, crt2
)))
626 /* continue SSL_connect(), must now succeed with completed server chain */
627 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
636 if (clientssl
!= NULL
) {
637 SSL_shutdown(clientssl
);
640 if (serverssl
!= NULL
) {
641 SSL_shutdown(serverssl
);
656 static int test_ssl_build_cert_chain(void)
659 SSL_CTX
*ssl_ctx
= NULL
;
661 char *skey
= test_mk_file_path(certsdir
, "leaf.key");
662 char *leaf_chain
= test_mk_file_path(certsdir
, "leaf-chain.pem");
664 if (!TEST_ptr(ssl_ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method())))
666 if (!TEST_ptr(ssl
= SSL_new(ssl_ctx
)))
668 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
669 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl
, leaf_chain
), 1)
670 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl
, skey
, SSL_FILETYPE_PEM
), 1)
671 || !TEST_int_eq(SSL_check_private_key(ssl
), 1))
673 if (!TEST_true(SSL_build_cert_chain(ssl
, SSL_BUILD_CHAIN_FLAG_NO_ROOT
674 | SSL_BUILD_CHAIN_FLAG_CHECK
)))
679 SSL_CTX_free(ssl_ctx
);
680 OPENSSL_free(leaf_chain
);
685 static int get_password_cb(char *buf
, int size
, int rw_flag
, void *userdata
)
687 static const char pass
[] = "testpass";
689 if (!TEST_int_eq(size
, PEM_BUFSIZE
))
692 memcpy(buf
, pass
, sizeof(pass
) - 1);
693 return sizeof(pass
) - 1;
696 static int test_ssl_ctx_build_cert_chain(void)
700 char *skey
= test_mk_file_path(certsdir
, "leaf-encrypted.key");
701 char *leaf_chain
= test_mk_file_path(certsdir
, "leaf-chain.pem");
703 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method())))
705 SSL_CTX_set_default_passwd_cb(ctx
, get_password_cb
);
706 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
707 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx
, leaf_chain
), 1)
708 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx
, skey
,
709 SSL_FILETYPE_PEM
), 1)
710 || !TEST_int_eq(SSL_CTX_check_private_key(ctx
), 1))
712 if (!TEST_true(SSL_CTX_build_cert_chain(ctx
, SSL_BUILD_CHAIN_FLAG_NO_ROOT
713 | SSL_BUILD_CHAIN_FLAG_CHECK
)))
718 OPENSSL_free(leaf_chain
);
723 #ifndef OPENSSL_NO_TLS1_2
724 static int full_client_hello_callback(SSL
*s
, int *al
, void *arg
)
727 const unsigned char *p
;
729 /* We only configure two ciphers, but the SCSV is added automatically. */
731 const unsigned char expected_ciphers
[] = {0x00, 0x9d, 0x00, 0xff};
733 const unsigned char expected_ciphers
[] = {0x00, 0x9d, 0xc0,
736 const int expected_extensions
[] = {
737 #ifndef OPENSSL_NO_EC
743 /* Make sure we can defer processing and get called back. */
745 return SSL_CLIENT_HELLO_RETRY
;
747 len
= SSL_client_hello_get0_ciphers(s
, &p
);
748 if (!TEST_mem_eq(p
, len
, expected_ciphers
, sizeof(expected_ciphers
))
750 SSL_client_hello_get0_compression_methods(s
, &p
), 1)
751 || !TEST_int_eq(*p
, 0))
752 return SSL_CLIENT_HELLO_ERROR
;
753 if (!SSL_client_hello_get1_extensions_present(s
, &exts
, &len
))
754 return SSL_CLIENT_HELLO_ERROR
;
755 if (len
!= OSSL_NELEM(expected_extensions
) ||
756 memcmp(exts
, expected_extensions
, len
* sizeof(*exts
)) != 0) {
757 printf("ClientHello callback expected extensions mismatch\n");
759 return SSL_CLIENT_HELLO_ERROR
;
762 return SSL_CLIENT_HELLO_SUCCESS
;
765 static int test_client_hello_cb(void)
767 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
768 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
769 int testctr
= 0, testresult
= 0;
771 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
772 TLS_client_method(), TLS1_VERSION
, 0,
773 &sctx
, &cctx
, cert
, privkey
)))
775 SSL_CTX_set_client_hello_cb(sctx
, full_client_hello_callback
, &testctr
);
777 /* The gimpy cipher list we configure can't do TLS 1.3. */
778 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
780 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
781 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
782 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
783 &clientssl
, NULL
, NULL
))
784 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
785 SSL_ERROR_WANT_CLIENT_HELLO_CB
))
787 * Passing a -1 literal is a hack since
788 * the real value was lost.
790 || !TEST_int_eq(SSL_get_error(serverssl
, -1),
791 SSL_ERROR_WANT_CLIENT_HELLO_CB
)
792 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
807 static int test_no_ems(void)
809 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
810 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
813 if (!create_ssl_ctx_pair(libctx
, TLS_server_method(), TLS_client_method(),
814 TLS1_VERSION
, TLS1_2_VERSION
,
815 &sctx
, &cctx
, cert
, privkey
)) {
816 printf("Unable to create SSL_CTX pair\n");
820 SSL_CTX_set_options(sctx
, SSL_OP_NO_EXTENDED_MASTER_SECRET
);
822 if (!create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
, NULL
)) {
823 printf("Unable to create SSL objects\n");
827 if (!create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)) {
828 printf("Creating SSL connection failed\n");
832 if (SSL_get_extms_support(serverssl
)) {
833 printf("Server reports Extended Master Secret support\n");
837 if (SSL_get_extms_support(clientssl
)) {
838 printf("Client reports Extended Master Secret support\n");
853 * Very focused test to exercise a single case in the server-side state
854 * machine, when the ChangeCipherState message needs to actually change
855 * from one cipher to a different cipher (i.e., not changing from null
856 * encryption to real encryption).
858 static int test_ccs_change_cipher(void)
860 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
861 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
862 SSL_SESSION
*sess
= NULL
, *sesspre
, *sesspost
;
869 * Create a connection so we can resume and potentially (but not) use
870 * a different cipher in the second connection.
872 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
874 TLS1_VERSION
, TLS1_2_VERSION
,
875 &sctx
, &cctx
, cert
, privkey
))
876 || !TEST_true(SSL_CTX_set_options(sctx
, SSL_OP_NO_TICKET
))
877 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
879 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES128-GCM-SHA256"))
880 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
882 || !TEST_ptr(sesspre
= SSL_get0_session(serverssl
))
883 || !TEST_ptr(sess
= SSL_get1_session(clientssl
)))
886 shutdown_ssl_connection(serverssl
, clientssl
);
887 serverssl
= clientssl
= NULL
;
889 /* Resume, preferring a different cipher. Our server will force the
890 * same cipher to be used as the initial handshake. */
891 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
893 || !TEST_true(SSL_set_session(clientssl
, sess
))
894 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
895 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
897 || !TEST_true(SSL_session_reused(clientssl
))
898 || !TEST_true(SSL_session_reused(serverssl
))
899 || !TEST_ptr(sesspost
= SSL_get0_session(serverssl
))
900 || !TEST_ptr_eq(sesspre
, sesspost
)
901 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256
,
902 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl
))))
904 shutdown_ssl_connection(serverssl
, clientssl
);
905 serverssl
= clientssl
= NULL
;
908 * Now create a fresh connection and try to renegotiate a different
911 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
913 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES128-GCM-SHA256"))
914 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
916 || !TEST_ptr(sesspre
= SSL_get0_session(serverssl
))
917 || !TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384"))
918 || !TEST_true(SSL_renegotiate(clientssl
))
919 || !TEST_true(SSL_renegotiate_pending(clientssl
)))
921 /* Actually drive the renegotiation. */
922 for (i
= 0; i
< 3; i
++) {
923 if (SSL_read_ex(clientssl
, &buf
, sizeof(buf
), &readbytes
) > 0) {
924 if (!TEST_ulong_eq(readbytes
, 0))
926 } else if (!TEST_int_eq(SSL_get_error(clientssl
, 0),
927 SSL_ERROR_WANT_READ
)) {
930 if (SSL_read_ex(serverssl
, &buf
, sizeof(buf
), &readbytes
) > 0) {
931 if (!TEST_ulong_eq(readbytes
, 0))
933 } else if (!TEST_int_eq(SSL_get_error(serverssl
, 0),
934 SSL_ERROR_WANT_READ
)) {
938 /* sesspre and sesspost should be different since the cipher changed. */
939 if (!TEST_false(SSL_renegotiate_pending(clientssl
))
940 || !TEST_false(SSL_session_reused(clientssl
))
941 || !TEST_false(SSL_session_reused(serverssl
))
942 || !TEST_ptr(sesspost
= SSL_get0_session(serverssl
))
943 || !TEST_ptr_ne(sesspre
, sesspost
)
944 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384
,
945 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl
))))
948 shutdown_ssl_connection(serverssl
, clientssl
);
949 serverssl
= clientssl
= NULL
;
958 SSL_SESSION_free(sess
);
964 static int execute_test_large_message(const SSL_METHOD
*smeth
,
965 const SSL_METHOD
*cmeth
,
966 int min_version
, int max_version
,
969 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
970 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
974 X509
*chaincert
= NULL
;
977 if (!TEST_ptr(certbio
= BIO_new_file(cert
, "r")))
980 if (!TEST_ptr(chaincert
= X509_new_ex(libctx
, NULL
)))
983 if (PEM_read_bio_X509(certbio
, &chaincert
, NULL
, NULL
) == NULL
)
988 if (!TEST_true(create_ssl_ctx_pair(libctx
, smeth
, cmeth
, min_version
,
989 max_version
, &sctx
, &cctx
, cert
,
993 #ifdef OPENSSL_NO_DTLS1_2
994 if (smeth
== DTLS_server_method()) {
996 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
999 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0"))
1000 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
1001 "DEFAULT:@SECLEVEL=0")))
1008 * Test that read_ahead works correctly when dealing with large
1011 SSL_CTX_set_read_ahead(cctx
, 1);
1015 * We assume the supplied certificate is big enough so that if we add
1016 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1017 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1018 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1019 * test we need to have a message larger than that.
1021 certlen
= i2d_X509(chaincert
, NULL
);
1022 OPENSSL_assert(certlen
* NUM_EXTRA_CERTS
>
1023 (SSL3_RT_MAX_PLAIN_LENGTH
* 4) / 3);
1024 for (i
= 0; i
< NUM_EXTRA_CERTS
; i
++) {
1025 if (!X509_up_ref(chaincert
))
1027 if (!SSL_CTX_add_extra_chain_cert(sctx
, chaincert
)) {
1028 X509_free(chaincert
);
1033 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
1035 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
1040 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1043 if (!TEST_true(SSL_clear(serverssl
)))
1049 X509_free(chaincert
);
1050 SSL_free(serverssl
);
1051 SSL_free(clientssl
);
1058 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1059 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1060 /* sock must be connected */
1061 static int ktls_chk_platform(int sock
)
1063 if (!ktls_enable(sock
))
1068 static int ping_pong_query(SSL
*clientssl
, SSL
*serverssl
)
1070 static char count
= 1;
1071 unsigned char cbuf
[16000] = {0};
1072 unsigned char sbuf
[16000];
1074 char crec_wseq_before
[SEQ_NUM_SIZE
];
1075 char crec_wseq_after
[SEQ_NUM_SIZE
];
1076 char crec_rseq_before
[SEQ_NUM_SIZE
];
1077 char crec_rseq_after
[SEQ_NUM_SIZE
];
1078 char srec_wseq_before
[SEQ_NUM_SIZE
];
1079 char srec_wseq_after
[SEQ_NUM_SIZE
];
1080 char srec_rseq_before
[SEQ_NUM_SIZE
];
1081 char srec_rseq_after
[SEQ_NUM_SIZE
];
1082 SSL_CONNECTION
*clientsc
, *serversc
;
1084 if (!TEST_ptr(clientsc
= SSL_CONNECTION_FROM_SSL_ONLY(clientssl
))
1085 || !TEST_ptr(serversc
= SSL_CONNECTION_FROM_SSL_ONLY(serverssl
)))
1089 memcpy(crec_wseq_before
, &clientsc
->rlayer
.write_sequence
, SEQ_NUM_SIZE
);
1090 memcpy(crec_rseq_before
, &clientsc
->rlayer
.read_sequence
, SEQ_NUM_SIZE
);
1091 memcpy(srec_wseq_before
, &serversc
->rlayer
.write_sequence
, SEQ_NUM_SIZE
);
1092 memcpy(srec_rseq_before
, &serversc
->rlayer
.read_sequence
, SEQ_NUM_SIZE
);
1094 if (!TEST_true(SSL_write(clientssl
, cbuf
, sizeof(cbuf
)) == sizeof(cbuf
)))
1097 while ((err
= SSL_read(serverssl
, &sbuf
, sizeof(sbuf
))) != sizeof(sbuf
)) {
1098 if (SSL_get_error(serverssl
, err
) != SSL_ERROR_WANT_READ
) {
1103 if (!TEST_true(SSL_write(serverssl
, sbuf
, sizeof(sbuf
)) == sizeof(sbuf
)))
1106 while ((err
= SSL_read(clientssl
, &cbuf
, sizeof(cbuf
))) != sizeof(cbuf
)) {
1107 if (SSL_get_error(clientssl
, err
) != SSL_ERROR_WANT_READ
) {
1112 memcpy(crec_wseq_after
, &clientsc
->rlayer
.write_sequence
, SEQ_NUM_SIZE
);
1113 memcpy(crec_rseq_after
, &clientsc
->rlayer
.read_sequence
, SEQ_NUM_SIZE
);
1114 memcpy(srec_wseq_after
, &serversc
->rlayer
.write_sequence
, SEQ_NUM_SIZE
);
1115 memcpy(srec_rseq_after
, &serversc
->rlayer
.read_sequence
, SEQ_NUM_SIZE
);
1117 /* verify the payload */
1118 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(sbuf
)))
1122 * If ktls is used then kernel sequences are used instead of
1125 if (!BIO_get_ktls_send(clientsc
->wbio
)) {
1126 if (!TEST_mem_ne(crec_wseq_before
, SEQ_NUM_SIZE
,
1127 crec_wseq_after
, SEQ_NUM_SIZE
))
1130 if (!TEST_mem_eq(crec_wseq_before
, SEQ_NUM_SIZE
,
1131 crec_wseq_after
, SEQ_NUM_SIZE
))
1135 if (!BIO_get_ktls_send(serversc
->wbio
)) {
1136 if (!TEST_mem_ne(srec_wseq_before
, SEQ_NUM_SIZE
,
1137 srec_wseq_after
, SEQ_NUM_SIZE
))
1140 if (!TEST_mem_eq(srec_wseq_before
, SEQ_NUM_SIZE
,
1141 srec_wseq_after
, SEQ_NUM_SIZE
))
1145 if (!BIO_get_ktls_recv(clientsc
->wbio
)) {
1146 if (!TEST_mem_ne(crec_rseq_before
, SEQ_NUM_SIZE
,
1147 crec_rseq_after
, SEQ_NUM_SIZE
))
1150 if (!TEST_mem_eq(crec_rseq_before
, SEQ_NUM_SIZE
,
1151 crec_rseq_after
, SEQ_NUM_SIZE
))
1155 if (!BIO_get_ktls_recv(serversc
->wbio
)) {
1156 if (!TEST_mem_ne(srec_rseq_before
, SEQ_NUM_SIZE
,
1157 srec_rseq_after
, SEQ_NUM_SIZE
))
1160 if (!TEST_mem_eq(srec_rseq_before
, SEQ_NUM_SIZE
,
1161 srec_rseq_after
, SEQ_NUM_SIZE
))
1170 static int execute_test_ktls(int cis_ktls
, int sis_ktls
,
1171 int tls_version
, const char *cipher
)
1173 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1174 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1175 int ktls_used
= 0, testresult
= 0;
1176 int cfd
= -1, sfd
= -1;
1178 SSL_CONNECTION
*clientsc
, *serversc
;
1180 if (!TEST_true(create_test_sockets(&cfd
, &sfd
)))
1183 /* Skip this test if the platform does not support ktls */
1184 if (!ktls_chk_platform(cfd
)) {
1185 testresult
= TEST_skip("Kernel does not support KTLS");
1189 if (is_fips
&& strstr(cipher
, "CHACHA") != NULL
) {
1190 testresult
= TEST_skip("CHACHA is not supported in FIPS");
1194 /* Create a session based on SHA-256 */
1195 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1196 TLS_client_method(),
1197 tls_version
, tls_version
,
1198 &sctx
, &cctx
, cert
, privkey
)))
1201 if (tls_version
== TLS1_3_VERSION
) {
1202 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, cipher
))
1203 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
, cipher
)))
1206 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipher
))
1207 || !TEST_true(SSL_CTX_set_cipher_list(sctx
, cipher
)))
1211 if (!TEST_true(create_ssl_objects2(sctx
, cctx
, &serverssl
,
1212 &clientssl
, sfd
, cfd
)))
1215 if (!TEST_ptr(clientsc
= SSL_CONNECTION_FROM_SSL_ONLY(clientssl
))
1216 || !TEST_ptr(serversc
= SSL_CONNECTION_FROM_SSL_ONLY(serverssl
)))
1220 if (!TEST_true(SSL_set_options(clientssl
, SSL_OP_ENABLE_KTLS
)))
1225 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_ENABLE_KTLS
)))
1229 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
1233 * The running kernel may not support a given cipher suite
1234 * or direction, so just check that KTLS isn't used when it
1238 if (!TEST_false(BIO_get_ktls_send(clientsc
->wbio
)))
1241 if (BIO_get_ktls_send(clientsc
->wbio
))
1246 if (!TEST_false(BIO_get_ktls_send(serversc
->wbio
)))
1249 if (BIO_get_ktls_send(serversc
->wbio
))
1253 #if defined(OPENSSL_NO_KTLS_RX)
1258 if (!cis_ktls
|| !rx_supported
) {
1259 if (!TEST_false(BIO_get_ktls_recv(clientsc
->rbio
)))
1262 if (BIO_get_ktls_send(clientsc
->rbio
))
1266 if (!sis_ktls
|| !rx_supported
) {
1267 if (!TEST_false(BIO_get_ktls_recv(serversc
->rbio
)))
1270 if (BIO_get_ktls_send(serversc
->rbio
))
1274 if ((cis_ktls
|| sis_ktls
) && !ktls_used
) {
1275 testresult
= TEST_skip("KTLS not supported for %s cipher %s",
1276 tls_version
== TLS1_3_VERSION
? "TLS 1.3" :
1281 if (!TEST_true(ping_pong_query(clientssl
, serverssl
)))
1287 SSL_shutdown(clientssl
);
1288 SSL_free(clientssl
);
1291 SSL_shutdown(serverssl
);
1292 SSL_free(serverssl
);
1296 serverssl
= clientssl
= NULL
;
1304 #define SENDFILE_SZ (16 * 4096)
1305 #define SENDFILE_CHUNK (4 * 4096)
1306 #define min(a,b) ((a) > (b) ? (b) : (a))
1308 static int execute_test_ktls_sendfile(int tls_version
, const char *cipher
)
1310 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1311 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1312 unsigned char *buf
, *buf_dst
;
1313 BIO
*out
= NULL
, *in
= NULL
;
1314 int cfd
= -1, sfd
= -1, ffd
, err
;
1315 ssize_t chunk_size
= 0;
1316 off_t chunk_off
= 0;
1319 SSL_CONNECTION
*serversc
;
1321 buf
= OPENSSL_zalloc(SENDFILE_SZ
);
1322 buf_dst
= OPENSSL_zalloc(SENDFILE_SZ
);
1323 if (!TEST_ptr(buf
) || !TEST_ptr(buf_dst
)
1324 || !TEST_true(create_test_sockets(&cfd
, &sfd
)))
1327 /* Skip this test if the platform does not support ktls */
1328 if (!ktls_chk_platform(sfd
)) {
1329 testresult
= TEST_skip("Kernel does not support KTLS");
1333 if (is_fips
&& strstr(cipher
, "CHACHA") != NULL
) {
1334 testresult
= TEST_skip("CHACHA is not supported in FIPS");
1338 /* Create a session based on SHA-256 */
1339 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1340 TLS_client_method(),
1341 tls_version
, tls_version
,
1342 &sctx
, &cctx
, cert
, privkey
)))
1345 if (tls_version
== TLS1_3_VERSION
) {
1346 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, cipher
))
1347 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
, cipher
)))
1350 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipher
))
1351 || !TEST_true(SSL_CTX_set_cipher_list(sctx
, cipher
)))
1355 if (!TEST_true(create_ssl_objects2(sctx
, cctx
, &serverssl
,
1356 &clientssl
, sfd
, cfd
)))
1359 if (!TEST_ptr(serversc
= SSL_CONNECTION_FROM_SSL_ONLY(serverssl
)))
1362 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_ENABLE_KTLS
)))
1365 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1369 if (!BIO_get_ktls_send(serversc
->wbio
)) {
1370 testresult
= TEST_skip("Failed to enable KTLS for %s cipher %s",
1371 tls_version
== TLS1_3_VERSION
? "TLS 1.3" :
1376 if (!TEST_int_gt(RAND_bytes_ex(libctx
, buf
, SENDFILE_SZ
, 0), 0))
1379 out
= BIO_new_file(tmpfilename
, "wb");
1383 if (BIO_write(out
, buf
, SENDFILE_SZ
) != SENDFILE_SZ
)
1388 in
= BIO_new_file(tmpfilename
, "rb");
1389 BIO_get_fp(in
, &ffdp
);
1392 while (chunk_off
< SENDFILE_SZ
) {
1393 chunk_size
= min(SENDFILE_CHUNK
, SENDFILE_SZ
- chunk_off
);
1394 while ((err
= SSL_sendfile(serverssl
,
1398 0)) != chunk_size
) {
1399 if (SSL_get_error(serverssl
, err
) != SSL_ERROR_WANT_WRITE
)
1402 while ((err
= SSL_read(clientssl
,
1403 buf_dst
+ chunk_off
,
1404 chunk_size
)) != chunk_size
) {
1405 if (SSL_get_error(clientssl
, err
) != SSL_ERROR_WANT_READ
)
1409 /* verify the payload */
1410 if (!TEST_mem_eq(buf_dst
+ chunk_off
,
1416 chunk_off
+= chunk_size
;
1422 SSL_shutdown(clientssl
);
1423 SSL_free(clientssl
);
1426 SSL_shutdown(serverssl
);
1427 SSL_free(serverssl
);
1431 serverssl
= clientssl
= NULL
;
1439 OPENSSL_free(buf_dst
);
1443 static struct ktls_test_cipher
{
1446 } ktls_test_ciphers
[] = {
1447 # if !defined(OPENSSL_NO_TLS1_2)
1448 # ifdef OPENSSL_KTLS_AES_GCM_128
1449 { TLS1_2_VERSION
, "AES128-GCM-SHA256" },
1451 # ifdef OPENSSL_KTLS_AES_CCM_128
1452 { TLS1_2_VERSION
, "AES128-CCM"},
1454 # ifdef OPENSSL_KTLS_AES_GCM_256
1455 { TLS1_2_VERSION
, "AES256-GCM-SHA384"},
1457 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1458 { TLS1_2_VERSION
, "ECDHE-RSA-CHACHA20-POLY1305"},
1461 # if !defined(OSSL_NO_USABLE_TLS1_3)
1462 # ifdef OPENSSL_KTLS_AES_GCM_128
1463 { TLS1_3_VERSION
, "TLS_AES_128_GCM_SHA256" },
1465 # ifdef OPENSSL_KTLS_AES_CCM_128
1466 { TLS1_3_VERSION
, "TLS_AES_128_CCM_SHA256" },
1468 # ifdef OPENSSL_KTLS_AES_GCM_256
1469 { TLS1_3_VERSION
, "TLS_AES_256_GCM_SHA384" },
1471 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1472 { TLS1_3_VERSION
, "TLS_CHACHA20_POLY1305_SHA256" },
1477 #define NUM_KTLS_TEST_CIPHERS \
1478 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1480 static int test_ktls(int test
)
1482 struct ktls_test_cipher
*cipher
;
1483 int cis_ktls
, sis_ktls
;
1485 OPENSSL_assert(test
/ 4 < (int)NUM_KTLS_TEST_CIPHERS
);
1486 cipher
= &ktls_test_ciphers
[test
/ 4];
1488 cis_ktls
= (test
& 1) != 0;
1489 sis_ktls
= (test
& 2) != 0;
1491 return execute_test_ktls(cis_ktls
, sis_ktls
, cipher
->tls_version
,
1495 static int test_ktls_sendfile(int tst
)
1497 struct ktls_test_cipher
*cipher
;
1499 OPENSSL_assert(tst
< (int)NUM_KTLS_TEST_CIPHERS
);
1500 cipher
= &ktls_test_ciphers
[tst
];
1502 return execute_test_ktls_sendfile(cipher
->tls_version
, cipher
->cipher
);
1506 static int test_large_message_tls(void)
1508 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1509 TLS1_VERSION
, 0, 0);
1512 static int test_large_message_tls_read_ahead(void)
1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1515 TLS1_VERSION
, 0, 1);
1518 #ifndef OPENSSL_NO_DTLS
1519 static int test_large_message_dtls(void)
1521 # ifdef OPENSSL_NO_DTLS1_2
1522 /* Not supported in the FIPS provider */
1527 * read_ahead is not relevant to DTLS because DTLS always acts as if
1528 * read_ahead is set.
1530 return execute_test_large_message(DTLS_server_method(),
1531 DTLS_client_method(),
1532 DTLS1_VERSION
, 0, 0);
1536 static int execute_cleanse_plaintext(const SSL_METHOD
*smeth
,
1537 const SSL_METHOD
*cmeth
,
1538 int min_version
, int max_version
)
1541 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1542 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1545 SSL_CONNECTION
*serversc
;
1547 static unsigned char cbuf
[16000];
1548 static unsigned char sbuf
[16000];
1550 if (!TEST_true(create_ssl_ctx_pair(libctx
,
1552 min_version
, max_version
,
1557 #ifdef OPENSSL_NO_DTLS1_2
1558 if (smeth
== DTLS_server_method()) {
1559 # ifdef OPENSSL_NO_DTLS1_2
1560 /* Not supported in the FIPS provider */
1567 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1570 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0"))
1571 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
1572 "DEFAULT:@SECLEVEL=0")))
1577 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
1581 if (!TEST_true(SSL_set_options(serverssl
, SSL_OP_CLEANSE_PLAINTEXT
)))
1584 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1588 for (i
= 0; i
< sizeof(cbuf
); i
++) {
1592 if (!TEST_int_eq(SSL_write(clientssl
, cbuf
, sizeof(cbuf
)), sizeof(cbuf
)))
1595 if (!TEST_int_eq(SSL_peek(serverssl
, &sbuf
, sizeof(sbuf
)), sizeof(sbuf
)))
1598 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(sbuf
)))
1602 * Since we called SSL_peek(), we know the data in the record
1603 * layer is a plaintext record. We can gather the pointer to check
1604 * for zeroization after SSL_read().
1606 if (!TEST_ptr(serversc
= SSL_CONNECTION_FROM_SSL_ONLY(serverssl
)))
1610 * TODO(RECLAYER): This is temporary until DTLS is converted to use the new
1611 * record layer code.
1613 if (!SSL_is_dtls(serverssl
)) {
1614 TLS_RECORD
*rr
= serversc
->rlayer
.tlsrecs
;
1616 zbuf
= &rr
->data
[rr
->off
];
1617 if (!TEST_int_eq(rr
->length
, sizeof(cbuf
)))
1620 SSL3_RECORD
*rr
= serversc
->rlayer
.rrec
;
1622 zbuf
= &rr
->data
[rr
->off
];
1623 if (!TEST_int_eq(rr
->length
, sizeof(cbuf
)))
1628 * After SSL_peek() the plaintext must still be stored in the
1631 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), zbuf
, sizeof(cbuf
)))
1634 memset(sbuf
, 0, sizeof(sbuf
));
1635 if (!TEST_int_eq(SSL_read(serverssl
, &sbuf
, sizeof(sbuf
)), sizeof(sbuf
)))
1638 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), sbuf
, sizeof(cbuf
)))
1641 /* Check if rbuf is cleansed */
1642 memset(cbuf
, 0, sizeof(cbuf
));
1643 if (!TEST_mem_eq(cbuf
, sizeof(cbuf
), zbuf
, sizeof(cbuf
)))
1648 SSL_free(serverssl
);
1649 SSL_free(clientssl
);
1656 static int test_cleanse_plaintext(void)
1658 #if !defined(OPENSSL_NO_TLS1_2)
1659 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1660 TLS_client_method(),
1667 #if !defined(OSSL_NO_USABLE_TLS1_3)
1668 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1669 TLS_client_method(),
1675 #if !defined(OPENSSL_NO_DTLS)
1677 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1678 DTLS_client_method(),
1686 #ifndef OPENSSL_NO_OCSP
1687 static int ocsp_server_cb(SSL
*s
, void *arg
)
1689 int *argi
= (int *)arg
;
1690 unsigned char *copy
= NULL
;
1691 STACK_OF(OCSP_RESPID
) *ids
= NULL
;
1692 OCSP_RESPID
*id
= NULL
;
1695 /* In this test we are expecting exactly 1 OCSP_RESPID */
1696 SSL_get_tlsext_status_ids(s
, &ids
);
1697 if (ids
== NULL
|| sk_OCSP_RESPID_num(ids
) != 1)
1698 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1700 id
= sk_OCSP_RESPID_value(ids
, 0);
1701 if (id
== NULL
|| !OCSP_RESPID_match_ex(id
, ocspcert
, libctx
, NULL
))
1702 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1703 } else if (*argi
!= 1) {
1704 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1707 if (!TEST_ptr(copy
= OPENSSL_memdup(orespder
, sizeof(orespder
))))
1708 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1710 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s
, copy
,
1711 sizeof(orespder
)))) {
1713 return SSL_TLSEXT_ERR_ALERT_FATAL
;
1715 ocsp_server_called
= 1;
1716 return SSL_TLSEXT_ERR_OK
;
1719 static int ocsp_client_cb(SSL
*s
, void *arg
)
1721 int *argi
= (int *)arg
;
1722 const unsigned char *respderin
;
1725 if (*argi
!= 1 && *argi
!= 2)
1728 len
= SSL_get_tlsext_status_ocsp_resp(s
, &respderin
);
1729 if (!TEST_mem_eq(orespder
, len
, respderin
, len
))
1732 ocsp_client_called
= 1;
1736 static int test_tlsext_status_type(void)
1738 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1739 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1741 STACK_OF(OCSP_RESPID
) *ids
= NULL
;
1742 OCSP_RESPID
*id
= NULL
;
1743 BIO
*certbio
= NULL
;
1745 if (!create_ssl_ctx_pair(libctx
, TLS_server_method(), TLS_client_method(),
1747 &sctx
, &cctx
, cert
, privkey
))
1750 if (SSL_CTX_get_tlsext_status_type(cctx
) != -1)
1753 /* First just do various checks getting and setting tlsext_status_type */
1755 clientssl
= SSL_new(cctx
);
1756 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl
), -1)
1757 || !TEST_true(SSL_set_tlsext_status_type(clientssl
,
1758 TLSEXT_STATUSTYPE_ocsp
))
1759 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl
),
1760 TLSEXT_STATUSTYPE_ocsp
))
1763 SSL_free(clientssl
);
1766 if (!SSL_CTX_set_tlsext_status_type(cctx
, TLSEXT_STATUSTYPE_ocsp
)
1767 || SSL_CTX_get_tlsext_status_type(cctx
) != TLSEXT_STATUSTYPE_ocsp
)
1770 clientssl
= SSL_new(cctx
);
1771 if (SSL_get_tlsext_status_type(clientssl
) != TLSEXT_STATUSTYPE_ocsp
)
1773 SSL_free(clientssl
);
1777 * Now actually do a handshake and check OCSP information is exchanged and
1778 * the callbacks get called
1780 SSL_CTX_set_tlsext_status_cb(cctx
, ocsp_client_cb
);
1781 SSL_CTX_set_tlsext_status_arg(cctx
, &cdummyarg
);
1782 SSL_CTX_set_tlsext_status_cb(sctx
, ocsp_server_cb
);
1783 SSL_CTX_set_tlsext_status_arg(sctx
, &cdummyarg
);
1784 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1785 &clientssl
, NULL
, NULL
))
1786 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
1788 || !TEST_true(ocsp_client_called
)
1789 || !TEST_true(ocsp_server_called
))
1791 SSL_free(serverssl
);
1792 SSL_free(clientssl
);
1796 /* Try again but this time force the server side callback to fail */
1797 ocsp_client_called
= 0;
1798 ocsp_server_called
= 0;
1800 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1801 &clientssl
, NULL
, NULL
))
1802 /* This should fail because the callback will fail */
1803 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
1805 || !TEST_false(ocsp_client_called
)
1806 || !TEST_false(ocsp_server_called
))
1808 SSL_free(serverssl
);
1809 SSL_free(clientssl
);
1814 * This time we'll get the client to send an OCSP_RESPID that it will
1817 ocsp_client_called
= 0;
1818 ocsp_server_called
= 0;
1820 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1821 &clientssl
, NULL
, NULL
)))
1825 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1826 * specific one. We'll use the server cert.
1828 if (!TEST_ptr(certbio
= BIO_new_file(cert
, "r"))
1829 || !TEST_ptr(id
= OCSP_RESPID_new())
1830 || !TEST_ptr(ids
= sk_OCSP_RESPID_new_null())
1831 || !TEST_ptr(ocspcert
= X509_new_ex(libctx
, NULL
))
1832 || !TEST_ptr(PEM_read_bio_X509(certbio
, &ocspcert
, NULL
, NULL
))
1833 || !TEST_true(OCSP_RESPID_set_by_key_ex(id
, ocspcert
, libctx
, NULL
))
1834 || !TEST_true(sk_OCSP_RESPID_push(ids
, id
)))
1837 SSL_set_tlsext_status_ids(clientssl
, ids
);
1838 /* Control has been transferred */
1844 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1846 || !TEST_true(ocsp_client_called
)
1847 || !TEST_true(ocsp_server_called
))
1853 SSL_free(serverssl
);
1854 SSL_free(clientssl
);
1857 sk_OCSP_RESPID_pop_free(ids
, OCSP_RESPID_free
);
1858 OCSP_RESPID_free(id
);
1860 X509_free(ocspcert
);
1867 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1868 static int new_called
, remove_called
, get_called
;
1870 static int new_session_cb(SSL
*ssl
, SSL_SESSION
*sess
)
1874 * sess has been up-refed for us, but we don't actually need it so free it
1877 SSL_SESSION_free(sess
);
1881 static void remove_session_cb(SSL_CTX
*ctx
, SSL_SESSION
*sess
)
1886 static SSL_SESSION
*get_sess_val
= NULL
;
1888 static SSL_SESSION
*get_session_cb(SSL
*ssl
, const unsigned char *id
, int len
,
1893 return get_sess_val
;
1896 static int execute_test_session(int maxprot
, int use_int_cache
,
1897 int use_ext_cache
, long s_options
)
1899 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
1900 SSL
*serverssl1
= NULL
, *clientssl1
= NULL
;
1901 SSL
*serverssl2
= NULL
, *clientssl2
= NULL
;
1902 # ifndef OPENSSL_NO_TLS1_1
1903 SSL
*serverssl3
= NULL
, *clientssl3
= NULL
;
1905 SSL_SESSION
*sess1
= NULL
, *sess2
= NULL
;
1906 int testresult
= 0, numnewsesstick
= 1;
1908 new_called
= remove_called
= 0;
1910 /* TLSv1.3 sends 2 NewSessionTickets */
1911 if (maxprot
== TLS1_3_VERSION
)
1914 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
1915 TLS_client_method(), TLS1_VERSION
, 0,
1916 &sctx
, &cctx
, cert
, privkey
)))
1920 * Only allow the max protocol version so we can force a connection failure
1923 SSL_CTX_set_min_proto_version(cctx
, maxprot
);
1924 SSL_CTX_set_max_proto_version(cctx
, maxprot
);
1926 /* Set up session cache */
1927 if (use_ext_cache
) {
1928 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
1929 SSL_CTX_sess_set_remove_cb(cctx
, remove_session_cb
);
1931 if (use_int_cache
) {
1932 /* Also covers instance where both are set */
1933 SSL_CTX_set_session_cache_mode(cctx
, SSL_SESS_CACHE_CLIENT
);
1935 SSL_CTX_set_session_cache_mode(cctx
,
1936 SSL_SESS_CACHE_CLIENT
1937 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
1941 SSL_CTX_set_options(sctx
, s_options
);
1944 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl1
, &clientssl1
,
1946 || !TEST_true(create_ssl_connection(serverssl1
, clientssl1
,
1948 || !TEST_ptr(sess1
= SSL_get1_session(clientssl1
)))
1951 /* Should fail because it should already be in the cache */
1952 if (use_int_cache
&& !TEST_false(SSL_CTX_add_session(cctx
, sess1
)))
1955 && (!TEST_int_eq(new_called
, numnewsesstick
)
1957 || !TEST_int_eq(remove_called
, 0)))
1960 new_called
= remove_called
= 0;
1961 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
1962 &clientssl2
, NULL
, NULL
))
1963 || !TEST_true(SSL_set_session(clientssl2
, sess1
))
1964 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
1966 || !TEST_true(SSL_session_reused(clientssl2
)))
1969 if (maxprot
== TLS1_3_VERSION
) {
1971 * In TLSv1.3 we should have created a new session even though we have
1972 * resumed. Since we attempted a resume we should also have removed the
1973 * old ticket from the cache so that we try to only use tickets once.
1976 && (!TEST_int_eq(new_called
, 1)
1977 || !TEST_int_eq(remove_called
, 1)))
1981 * In TLSv1.2 we expect to have resumed so no sessions added or
1985 && (!TEST_int_eq(new_called
, 0)
1986 || !TEST_int_eq(remove_called
, 0)))
1990 SSL_SESSION_free(sess1
);
1991 if (!TEST_ptr(sess1
= SSL_get1_session(clientssl2
)))
1993 shutdown_ssl_connection(serverssl2
, clientssl2
);
1994 serverssl2
= clientssl2
= NULL
;
1996 new_called
= remove_called
= 0;
1997 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
1998 &clientssl2
, NULL
, NULL
))
1999 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
2003 if (!TEST_ptr(sess2
= SSL_get1_session(clientssl2
)))
2007 && (!TEST_int_eq(new_called
, numnewsesstick
)
2008 || !TEST_int_eq(remove_called
, 0)))
2011 new_called
= remove_called
= 0;
2013 * This should clear sess2 from the cache because it is a "bad" session.
2014 * See SSL_set_session() documentation.
2016 if (!TEST_true(SSL_set_session(clientssl2
, sess1
)))
2019 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
2021 if (!TEST_ptr_eq(SSL_get_session(clientssl2
), sess1
))
2024 if (use_int_cache
) {
2025 /* Should succeeded because it should not already be in the cache */
2026 if (!TEST_true(SSL_CTX_add_session(cctx
, sess2
))
2027 || !TEST_true(SSL_CTX_remove_session(cctx
, sess2
)))
2031 new_called
= remove_called
= 0;
2032 /* This shouldn't be in the cache so should fail */
2033 if (!TEST_false(SSL_CTX_remove_session(cctx
, sess2
)))
2037 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
2040 # if !defined(OPENSSL_NO_TLS1_1)
2041 new_called
= remove_called
= 0;
2042 /* Force a connection failure */
2043 SSL_CTX_set_max_proto_version(sctx
, TLS1_1_VERSION
);
2044 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl3
,
2045 &clientssl3
, NULL
, NULL
))
2046 || !TEST_true(SSL_set_session(clientssl3
, sess1
))
2047 /* This should fail because of the mismatched protocol versions */
2048 || !TEST_false(create_ssl_connection(serverssl3
, clientssl3
,
2052 /* We should have automatically removed the session from the cache */
2054 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
2057 /* Should succeed because it should not already be in the cache */
2058 if (use_int_cache
&& !TEST_true(SSL_CTX_add_session(cctx
, sess2
)))
2062 /* Now do some tests for server side caching */
2063 if (use_ext_cache
) {
2064 SSL_CTX_sess_set_new_cb(cctx
, NULL
);
2065 SSL_CTX_sess_set_remove_cb(cctx
, NULL
);
2066 SSL_CTX_sess_set_new_cb(sctx
, new_session_cb
);
2067 SSL_CTX_sess_set_remove_cb(sctx
, remove_session_cb
);
2068 SSL_CTX_sess_set_get_cb(sctx
, get_session_cb
);
2069 get_sess_val
= NULL
;
2072 SSL_CTX_set_session_cache_mode(cctx
, 0);
2073 /* Internal caching is the default on the server side */
2075 SSL_CTX_set_session_cache_mode(sctx
,
2076 SSL_SESS_CACHE_SERVER
2077 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2079 SSL_free(serverssl1
);
2080 SSL_free(clientssl1
);
2081 serverssl1
= clientssl1
= NULL
;
2082 SSL_free(serverssl2
);
2083 SSL_free(clientssl2
);
2084 serverssl2
= clientssl2
= NULL
;
2085 SSL_SESSION_free(sess1
);
2087 SSL_SESSION_free(sess2
);
2090 SSL_CTX_set_max_proto_version(sctx
, maxprot
);
2091 if (maxprot
== TLS1_2_VERSION
)
2092 SSL_CTX_set_options(sctx
, SSL_OP_NO_TICKET
);
2093 new_called
= remove_called
= get_called
= 0;
2094 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl1
, &clientssl1
,
2096 || !TEST_true(create_ssl_connection(serverssl1
, clientssl1
,
2098 || !TEST_ptr(sess1
= SSL_get1_session(clientssl1
))
2099 || !TEST_ptr(sess2
= SSL_get1_session(serverssl1
)))
2102 if (use_int_cache
) {
2103 if (maxprot
== TLS1_3_VERSION
&& !use_ext_cache
) {
2105 * In TLSv1.3 it should not have been added to the internal cache,
2106 * except in the case where we also have an external cache (in that
2107 * case it gets added to the cache in order to generate remove
2108 * events after timeout).
2110 if (!TEST_false(SSL_CTX_remove_session(sctx
, sess2
)))
2113 /* Should fail because it should already be in the cache */
2114 if (!TEST_false(SSL_CTX_add_session(sctx
, sess2
)))
2119 if (use_ext_cache
) {
2120 SSL_SESSION
*tmp
= sess2
;
2122 if (!TEST_int_eq(new_called
, numnewsesstick
)
2123 || !TEST_int_eq(remove_called
, 0)
2124 || !TEST_int_eq(get_called
, 0))
2127 * Delete the session from the internal cache to force a lookup from
2128 * the external cache. We take a copy first because
2129 * SSL_CTX_remove_session() also marks the session as non-resumable.
2131 if (use_int_cache
&& maxprot
!= TLS1_3_VERSION
) {
2132 if (!TEST_ptr(tmp
= SSL_SESSION_dup(sess2
))
2133 || !TEST_true(SSL_CTX_remove_session(sctx
, sess2
)))
2135 SSL_SESSION_free(sess2
);
2140 new_called
= remove_called
= get_called
= 0;
2141 get_sess_val
= sess2
;
2142 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
2143 &clientssl2
, NULL
, NULL
))
2144 || !TEST_true(SSL_set_session(clientssl2
, sess1
))
2145 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
2147 || !TEST_true(SSL_session_reused(clientssl2
)))
2150 if (use_ext_cache
) {
2151 if (!TEST_int_eq(remove_called
, 0))
2154 if (maxprot
== TLS1_3_VERSION
) {
2155 if (!TEST_int_eq(new_called
, 1)
2156 || !TEST_int_eq(get_called
, 0))
2159 if (!TEST_int_eq(new_called
, 0)
2160 || !TEST_int_eq(get_called
, 1))
2165 * Make a small cache, force out all other sessions but
2166 * sess2, try to add sess1, which should succeed. Then
2167 * make sure it's there by checking the owners. Despite
2168 * the timeouts, sess1 should have kicked out sess2
2171 /* Make sess1 expire before sess2 */
2172 if (!TEST_long_gt(SSL_SESSION_set_time(sess1
, 1000), 0)
2173 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1
, 1000), 0)
2174 || !TEST_long_gt(SSL_SESSION_set_time(sess2
, 2000), 0)
2175 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2
, 2000), 0))
2178 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx
, 1), 0))
2181 /* Don't care about results - cache should only be sess2 at end */
2182 SSL_CTX_add_session(sctx
, sess1
);
2183 SSL_CTX_add_session(sctx
, sess2
);
2185 /* Now add sess1, and make sure it remains, despite timeout */
2186 if (!TEST_true(SSL_CTX_add_session(sctx
, sess1
))
2187 || !TEST_ptr(sess1
->owner
)
2188 || !TEST_ptr_null(sess2
->owner
))
2194 SSL_free(serverssl1
);
2195 SSL_free(clientssl1
);
2196 SSL_free(serverssl2
);
2197 SSL_free(clientssl2
);
2198 # ifndef OPENSSL_NO_TLS1_1
2199 SSL_free(serverssl3
);
2200 SSL_free(clientssl3
);
2202 SSL_SESSION_free(sess1
);
2203 SSL_SESSION_free(sess2
);
2209 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2211 static int test_session_with_only_int_cache(void)
2213 #ifndef OSSL_NO_USABLE_TLS1_3
2214 if (!execute_test_session(TLS1_3_VERSION
, 1, 0, 0))
2218 #ifndef OPENSSL_NO_TLS1_2
2219 return execute_test_session(TLS1_2_VERSION
, 1, 0, 0);
2225 static int test_session_with_only_ext_cache(void)
2227 #ifndef OSSL_NO_USABLE_TLS1_3
2228 if (!execute_test_session(TLS1_3_VERSION
, 0, 1, 0))
2232 #ifndef OPENSSL_NO_TLS1_2
2233 return execute_test_session(TLS1_2_VERSION
, 0, 1, 0);
2239 static int test_session_with_both_cache(void)
2241 #ifndef OSSL_NO_USABLE_TLS1_3
2242 if (!execute_test_session(TLS1_3_VERSION
, 1, 1, 0))
2246 #ifndef OPENSSL_NO_TLS1_2
2247 return execute_test_session(TLS1_2_VERSION
, 1, 1, 0);
2253 static int test_session_wo_ca_names(void)
2255 #ifndef OSSL_NO_USABLE_TLS1_3
2256 if (!execute_test_session(TLS1_3_VERSION
, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES
))
2260 #ifndef OPENSSL_NO_TLS1_2
2261 return execute_test_session(TLS1_2_VERSION
, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES
);
2268 #ifndef OSSL_NO_USABLE_TLS1_3
2269 static SSL_SESSION
*sesscache
[6];
2270 static int do_cache
;
2272 static int new_cachesession_cb(SSL
*ssl
, SSL_SESSION
*sess
)
2275 sesscache
[new_called
] = sess
;
2277 /* We don't need the reference to the session, so free it */
2278 SSL_SESSION_free(sess
);
2285 static int post_handshake_verify(SSL
*sssl
, SSL
*cssl
)
2287 SSL_set_verify(sssl
, SSL_VERIFY_PEER
, NULL
);
2288 if (!TEST_true(SSL_verify_client_post_handshake(sssl
)))
2291 /* Start handshake on the server and client */
2292 if (!TEST_int_eq(SSL_do_handshake(sssl
), 1)
2293 || !TEST_int_le(SSL_read(cssl
, NULL
, 0), 0)
2294 || !TEST_int_le(SSL_read(sssl
, NULL
, 0), 0)
2295 || !TEST_true(create_ssl_connection(sssl
, cssl
,
2302 static int setup_ticket_test(int stateful
, int idx
, SSL_CTX
**sctx
,
2305 int sess_id_ctx
= 1;
2307 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2308 TLS_client_method(), TLS1_VERSION
, 0,
2309 sctx
, cctx
, cert
, privkey
))
2310 || !TEST_true(SSL_CTX_set_num_tickets(*sctx
, idx
))
2311 || !TEST_true(SSL_CTX_set_session_id_context(*sctx
,
2312 (void *)&sess_id_ctx
,
2313 sizeof(sess_id_ctx
))))
2317 SSL_CTX_set_options(*sctx
, SSL_OP_NO_TICKET
);
2319 SSL_CTX_set_session_cache_mode(*cctx
, SSL_SESS_CACHE_CLIENT
2320 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2321 SSL_CTX_sess_set_new_cb(*cctx
, new_cachesession_cb
);
2326 static int check_resumption(int idx
, SSL_CTX
*sctx
, SSL_CTX
*cctx
, int succ
)
2328 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2331 /* Test that we can resume with all the tickets we got given */
2332 for (i
= 0; i
< idx
* 2; i
++) {
2334 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2335 &clientssl
, NULL
, NULL
))
2336 || !TEST_true(SSL_set_session(clientssl
, sesscache
[i
])))
2339 SSL_set_post_handshake_auth(clientssl
, 1);
2341 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2346 * Following a successful resumption we only get 1 ticket. After a
2347 * failed one we should get idx tickets.
2350 if (!TEST_true(SSL_session_reused(clientssl
))
2351 || !TEST_int_eq(new_called
, 1))
2354 if (!TEST_false(SSL_session_reused(clientssl
))
2355 || !TEST_int_eq(new_called
, idx
))
2360 /* After a post-handshake authentication we should get 1 new ticket */
2362 && (!post_handshake_verify(serverssl
, clientssl
)
2363 || !TEST_int_eq(new_called
, 1)))
2366 SSL_shutdown(clientssl
);
2367 SSL_shutdown(serverssl
);
2368 SSL_free(serverssl
);
2369 SSL_free(clientssl
);
2370 serverssl
= clientssl
= NULL
;
2371 SSL_SESSION_free(sesscache
[i
]);
2372 sesscache
[i
] = NULL
;
2378 SSL_free(clientssl
);
2379 SSL_free(serverssl
);
2383 static int test_tickets(int stateful
, int idx
)
2385 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2386 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2390 /* idx is the test number, but also the number of tickets we want */
2395 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2398 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2399 &clientssl
, NULL
, NULL
)))
2402 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2404 /* Check we got the number of tickets we were expecting */
2405 || !TEST_int_eq(idx
, new_called
))
2408 SSL_shutdown(clientssl
);
2409 SSL_shutdown(serverssl
);
2410 SSL_free(serverssl
);
2411 SSL_free(clientssl
);
2414 clientssl
= serverssl
= NULL
;
2418 * Now we try to resume with the tickets we previously created. The
2419 * resumption attempt is expected to fail (because we're now using a new
2420 * SSL_CTX). We should see idx number of tickets issued again.
2423 /* Stop caching sessions - just count them */
2426 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2429 if (!check_resumption(idx
, sctx
, cctx
, 0))
2432 /* Start again with caching sessions */
2439 if (!setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2442 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2443 &clientssl
, NULL
, NULL
)))
2446 SSL_set_post_handshake_auth(clientssl
, 1);
2448 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2450 /* Check we got the number of tickets we were expecting */
2451 || !TEST_int_eq(idx
, new_called
))
2454 /* After a post-handshake authentication we should get new tickets issued */
2455 if (!post_handshake_verify(serverssl
, clientssl
)
2456 || !TEST_int_eq(idx
* 2, new_called
))
2459 SSL_shutdown(clientssl
);
2460 SSL_shutdown(serverssl
);
2461 SSL_free(serverssl
);
2462 SSL_free(clientssl
);
2463 serverssl
= clientssl
= NULL
;
2465 /* Stop caching sessions - just count them */
2469 * Check we can resume with all the tickets we created. This time around the
2470 * resumptions should all be successful.
2472 if (!check_resumption(idx
, sctx
, cctx
, 1))
2478 SSL_free(serverssl
);
2479 SSL_free(clientssl
);
2480 for (j
= 0; j
< OSSL_NELEM(sesscache
); j
++) {
2481 SSL_SESSION_free(sesscache
[j
]);
2482 sesscache
[j
] = NULL
;
2490 static int test_stateless_tickets(int idx
)
2492 return test_tickets(0, idx
);
2495 static int test_stateful_tickets(int idx
)
2497 return test_tickets(1, idx
);
2500 static int test_psk_tickets(void)
2502 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2503 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2505 int sess_id_ctx
= 1;
2507 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2508 TLS_client_method(), TLS1_VERSION
, 0,
2509 &sctx
, &cctx
, NULL
, NULL
))
2510 || !TEST_true(SSL_CTX_set_session_id_context(sctx
,
2511 (void *)&sess_id_ctx
,
2512 sizeof(sess_id_ctx
))))
2515 SSL_CTX_set_session_cache_mode(cctx
, SSL_SESS_CACHE_CLIENT
2516 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
2517 SSL_CTX_set_psk_use_session_callback(cctx
, use_session_cb
);
2518 SSL_CTX_set_psk_find_session_callback(sctx
, find_session_cb
);
2519 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
2520 use_session_cb_cnt
= 0;
2521 find_session_cb_cnt
= 0;
2525 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2528 clientpsk
= serverpsk
= create_a_psk(clientssl
);
2529 if (!TEST_ptr(clientpsk
))
2531 SSL_SESSION_up_ref(clientpsk
);
2533 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2535 || !TEST_int_eq(1, find_session_cb_cnt
)
2536 || !TEST_int_eq(1, use_session_cb_cnt
)
2537 /* We should always get 1 ticket when using external PSK */
2538 || !TEST_int_eq(1, new_called
))
2544 SSL_free(serverssl
);
2545 SSL_free(clientssl
);
2548 SSL_SESSION_free(clientpsk
);
2549 SSL_SESSION_free(serverpsk
);
2550 clientpsk
= serverpsk
= NULL
;
2555 static int test_extra_tickets(int idx
)
2557 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2558 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2559 BIO
*bretry
= BIO_new(bio_s_always_retry());
2564 unsigned char c
, buf
[1];
2574 if (!TEST_ptr(bretry
) || !setup_ticket_test(stateful
, idx
, &sctx
, &cctx
))
2576 SSL_CTX_sess_set_new_cb(sctx
, new_session_cb
);
2577 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2578 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
2580 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2581 &clientssl
, NULL
, NULL
)))
2585 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2586 * incremented by both client and server.
2588 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
2590 /* Check we got the number of tickets we were expecting */
2591 || !TEST_int_eq(idx
* 2, new_called
)
2592 || !TEST_true(SSL_new_session_ticket(serverssl
))
2593 || !TEST_true(SSL_new_session_ticket(serverssl
))
2594 || !TEST_int_eq(idx
* 2, new_called
))
2597 /* Now try a (real) write to actually send the tickets */
2599 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2600 || !TEST_size_t_eq(1, nbytes
)
2601 || !TEST_int_eq(idx
* 2 + 2, new_called
)
2602 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2603 || !TEST_int_eq(idx
* 2 + 4, new_called
)
2604 || !TEST_int_eq(sizeof(buf
), nbytes
)
2605 || !TEST_int_eq(c
, buf
[0])
2606 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2609 /* Try with only requesting one new ticket, too */
2612 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2613 || !TEST_true(SSL_write_ex(serverssl
, &c
, sizeof(c
), &nbytes
))
2614 || !TEST_size_t_eq(sizeof(c
), nbytes
)
2615 || !TEST_int_eq(1, new_called
)
2616 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2617 || !TEST_int_eq(2, new_called
)
2618 || !TEST_size_t_eq(sizeof(buf
), nbytes
)
2619 || !TEST_int_eq(c
, buf
[0]))
2622 /* Do it again but use dummy writes to drive the ticket generation */
2625 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2626 || !TEST_true(SSL_new_session_ticket(serverssl
))
2627 || !TEST_true(SSL_write_ex(serverssl
, &c
, 0, &nbytes
))
2628 || !TEST_size_t_eq(0, nbytes
)
2629 || !TEST_int_eq(2, new_called
)
2630 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2631 || !TEST_int_eq(4, new_called
))
2634 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2637 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2638 || !TEST_true(SSL_new_session_ticket(serverssl
))
2639 || !TEST_true(SSL_do_handshake(serverssl
))
2640 || !TEST_int_eq(2, new_called
)
2641 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2642 || !TEST_int_eq(4, new_called
))
2646 * Use the always-retry BIO to exercise the logic that forces ticket
2647 * generation to wait until a record boundary.
2651 tmp
= SSL_get_wbio(serverssl
);
2652 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
2656 SSL_set0_wbio(serverssl
, bretry
);
2658 if (!TEST_false(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2659 || !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_WANT_WRITE
)
2660 || !TEST_size_t_eq(nbytes
, 0))
2662 /* Restore a BIO that will let the write succeed */
2663 SSL_set0_wbio(serverssl
, tmp
);
2666 * These calls should just queue the request and not send anything
2667 * even if we explicitly try to hit the state machine.
2669 if (!TEST_true(SSL_new_session_ticket(serverssl
))
2670 || !TEST_true(SSL_new_session_ticket(serverssl
))
2671 || !TEST_int_eq(0, new_called
)
2672 || !TEST_true(SSL_do_handshake(serverssl
))
2673 || !TEST_int_eq(0, new_called
))
2675 /* Re-do the write; still no tickets sent */
2676 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2677 || !TEST_size_t_eq(1, nbytes
)
2678 || !TEST_int_eq(0, new_called
)
2679 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2680 || !TEST_int_eq(0, new_called
)
2681 || !TEST_int_eq(sizeof(buf
), nbytes
)
2682 || !TEST_int_eq(c
, buf
[0])
2683 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2685 /* Even trying to hit the state machine now will still not send tickets */
2686 if (!TEST_true(SSL_do_handshake(serverssl
))
2687 || !TEST_int_eq(0, new_called
))
2689 /* Now the *next* write should send the tickets */
2691 if (!TEST_true(SSL_write_ex(serverssl
, &c
, 1, &nbytes
))
2692 || !TEST_size_t_eq(1, nbytes
)
2693 || !TEST_int_eq(2, new_called
)
2694 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
))
2695 || !TEST_int_eq(4, new_called
)
2696 || !TEST_int_eq(sizeof(buf
), nbytes
)
2697 || !TEST_int_eq(c
, buf
[0])
2698 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &nbytes
)))
2701 SSL_shutdown(clientssl
);
2702 SSL_shutdown(serverssl
);
2708 SSL_free(serverssl
);
2709 SSL_free(clientssl
);
2712 clientssl
= serverssl
= NULL
;
2721 #define USE_DEFAULT 3
2723 #define CONNTYPE_CONNECTION_SUCCESS 0
2724 #define CONNTYPE_CONNECTION_FAIL 1
2725 #define CONNTYPE_NO_CONNECTION 2
2727 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2728 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2729 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2730 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2732 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2735 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2736 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2737 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2739 static void setupbio(BIO
**res
, BIO
*bio1
, BIO
*bio2
, int type
)
2756 * Tests calls to SSL_set_bio() under various conditions.
2758 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2759 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2760 * then do more tests where we create a successful connection first using our
2761 * standard connection setup functions, and then call SSL_set_bio() with
2762 * various combinations of valid BIOs or NULL. We then repeat these tests
2763 * following a failed connection. In this last case we are looking to check that
2764 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2766 static int test_ssl_set_bio(int idx
)
2768 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2771 BIO
*irbio
= NULL
, *iwbio
= NULL
, *nrbio
= NULL
, *nwbio
= NULL
;
2772 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2773 int initrbio
, initwbio
, newrbio
, newwbio
, conntype
;
2776 if (idx
< TOTAL_NO_CONN_SSL_SET_BIO_TESTS
) {
2784 conntype
= CONNTYPE_NO_CONNECTION
;
2786 idx
-= TOTAL_NO_CONN_SSL_SET_BIO_TESTS
;
2787 initrbio
= initwbio
= USE_DEFAULT
;
2795 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
2796 TLS_client_method(), TLS1_VERSION
, 0,
2797 &sctx
, &cctx
, cert
, privkey
)))
2800 if (conntype
== CONNTYPE_CONNECTION_FAIL
) {
2802 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2803 * because we reduced the number of tests in the definition of
2804 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2805 * mismatched protocol versions we will force a connection failure.
2807 SSL_CTX_set_min_proto_version(sctx
, TLS1_3_VERSION
);
2808 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
2811 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2815 if (initrbio
== USE_BIO_1
2816 || initwbio
== USE_BIO_1
2817 || newrbio
== USE_BIO_1
2818 || newwbio
== USE_BIO_1
) {
2819 if (!TEST_ptr(bio1
= BIO_new(BIO_s_mem())))
2823 if (initrbio
== USE_BIO_2
2824 || initwbio
== USE_BIO_2
2825 || newrbio
== USE_BIO_2
2826 || newwbio
== USE_BIO_2
) {
2827 if (!TEST_ptr(bio2
= BIO_new(BIO_s_mem())))
2831 if (initrbio
!= USE_DEFAULT
) {
2832 setupbio(&irbio
, bio1
, bio2
, initrbio
);
2833 setupbio(&iwbio
, bio1
, bio2
, initwbio
);
2834 SSL_set_bio(clientssl
, irbio
, iwbio
);
2837 * We want to maintain our own refs to these BIO, so do an up ref for
2838 * each BIO that will have ownership transferred in the SSL_set_bio()
2843 if (iwbio
!= NULL
&& iwbio
!= irbio
)
2847 if (conntype
!= CONNTYPE_NO_CONNECTION
2848 && !TEST_true(create_ssl_connection(serverssl
, clientssl
,
2850 == (conntype
== CONNTYPE_CONNECTION_SUCCESS
)))
2853 setupbio(&nrbio
, bio1
, bio2
, newrbio
);
2854 setupbio(&nwbio
, bio1
, bio2
, newwbio
);
2857 * We will (maybe) transfer ownership again so do more up refs.
2858 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2863 && (nwbio
!= iwbio
|| nrbio
!= nwbio
))
2867 && (nwbio
!= iwbio
|| (nwbio
== iwbio
&& irbio
== iwbio
)))
2870 SSL_set_bio(clientssl
, nrbio
, nwbio
);
2879 * This test is checking that the ref counting for SSL_set_bio is correct.
2880 * If we get here and we did too many frees then we will fail in the above
2883 SSL_free(serverssl
);
2884 SSL_free(clientssl
);
2890 typedef enum { NO_BIO_CHANGE
, CHANGE_RBIO
, CHANGE_WBIO
} bio_change_t
;
2892 static int execute_test_ssl_bio(int pop_ssl
, bio_change_t change_bio
)
2894 BIO
*sslbio
= NULL
, *membio1
= NULL
, *membio2
= NULL
;
2899 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method()))
2900 || !TEST_ptr(ssl
= SSL_new(ctx
))
2901 || !TEST_ptr(sslbio
= BIO_new(BIO_f_ssl()))
2902 || !TEST_ptr(membio1
= BIO_new(BIO_s_mem())))
2905 BIO_set_ssl(sslbio
, ssl
, BIO_CLOSE
);
2908 * If anything goes wrong here then we could leak memory.
2910 BIO_push(sslbio
, membio1
);
2912 /* Verify changing the rbio/wbio directly does not cause leaks */
2913 if (change_bio
!= NO_BIO_CHANGE
) {
2914 if (!TEST_ptr(membio2
= BIO_new(BIO_s_mem()))) {
2918 if (change_bio
== CHANGE_RBIO
)
2919 SSL_set0_rbio(ssl
, membio2
);
2921 SSL_set0_wbio(ssl
, membio2
);
2940 static int test_ssl_bio_pop_next_bio(void)
2942 return execute_test_ssl_bio(0, NO_BIO_CHANGE
);
2945 static int test_ssl_bio_pop_ssl_bio(void)
2947 return execute_test_ssl_bio(1, NO_BIO_CHANGE
);
2950 static int test_ssl_bio_change_rbio(void)
2952 return execute_test_ssl_bio(0, CHANGE_RBIO
);
2955 static int test_ssl_bio_change_wbio(void)
2957 return execute_test_ssl_bio(0, CHANGE_WBIO
);
2960 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2962 /* The list of sig algs */
2964 /* The length of the list */
2966 /* A sigalgs list in string format */
2967 const char *liststr
;
2968 /* Whether setting the list should succeed */
2970 /* Whether creating a connection with the list should succeed */
2974 static const int validlist1
[] = {NID_sha256
, EVP_PKEY_RSA
};
2975 # ifndef OPENSSL_NO_EC
2976 static const int validlist2
[] = {NID_sha256
, EVP_PKEY_RSA
, NID_sha512
, EVP_PKEY_EC
};
2977 static const int validlist3
[] = {NID_sha512
, EVP_PKEY_EC
};
2979 static const int invalidlist1
[] = {NID_undef
, EVP_PKEY_RSA
};
2980 static const int invalidlist2
[] = {NID_sha256
, NID_undef
};
2981 static const int invalidlist3
[] = {NID_sha256
, EVP_PKEY_RSA
, NID_sha256
};
2982 static const int invalidlist4
[] = {NID_sha256
};
2983 static const sigalgs_list testsigalgs
[] = {
2984 {validlist1
, OSSL_NELEM(validlist1
), NULL
, 1, 1},
2985 # ifndef OPENSSL_NO_EC
2986 {validlist2
, OSSL_NELEM(validlist2
), NULL
, 1, 1},
2987 {validlist3
, OSSL_NELEM(validlist3
), NULL
, 1, 0},
2989 {NULL
, 0, "RSA+SHA256", 1, 1},
2990 # ifndef OPENSSL_NO_EC
2991 {NULL
, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2992 {NULL
, 0, "ECDSA+SHA512", 1, 0},
2994 {invalidlist1
, OSSL_NELEM(invalidlist1
), NULL
, 0, 0},
2995 {invalidlist2
, OSSL_NELEM(invalidlist2
), NULL
, 0, 0},
2996 {invalidlist3
, OSSL_NELEM(invalidlist3
), NULL
, 0, 0},
2997 {invalidlist4
, OSSL_NELEM(invalidlist4
), NULL
, 0, 0},
2998 {NULL
, 0, "RSA", 0, 0},
2999 {NULL
, 0, "SHA256", 0, 0},
3000 {NULL
, 0, "RSA+SHA256:SHA256", 0, 0},
3001 {NULL
, 0, "Invalid", 0, 0}
3004 static int test_set_sigalgs(int idx
)
3006 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3007 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3009 const sigalgs_list
*curr
;
3012 /* Should never happen */
3013 if (!TEST_size_t_le((size_t)idx
, OSSL_NELEM(testsigalgs
) * 2))
3016 testctx
= ((size_t)idx
< OSSL_NELEM(testsigalgs
));
3017 curr
= testctx
? &testsigalgs
[idx
]
3018 : &testsigalgs
[idx
- OSSL_NELEM(testsigalgs
)];
3020 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
3021 TLS_client_method(), TLS1_VERSION
, 0,
3022 &sctx
, &cctx
, cert
, privkey
)))
3025 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
3030 if (curr
->list
!= NULL
)
3031 ret
= SSL_CTX_set1_sigalgs(cctx
, curr
->list
, curr
->listlen
);
3033 ret
= SSL_CTX_set1_sigalgs_list(cctx
, curr
->liststr
);
3037 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx
);
3043 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx
);
3048 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3049 &clientssl
, NULL
, NULL
)))
3055 if (curr
->list
!= NULL
)
3056 ret
= SSL_set1_sigalgs(clientssl
, curr
->list
, curr
->listlen
);
3058 ret
= SSL_set1_sigalgs_list(clientssl
, curr
->liststr
);
3061 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx
);
3070 if (!TEST_int_eq(create_ssl_connection(serverssl
, clientssl
,
3078 SSL_free(serverssl
);
3079 SSL_free(clientssl
);
3087 #ifndef OSSL_NO_USABLE_TLS1_3
3088 static int psk_client_cb_cnt
= 0;
3089 static int psk_server_cb_cnt
= 0;
3091 static int use_session_cb(SSL
*ssl
, const EVP_MD
*md
, const unsigned char **id
,
3092 size_t *idlen
, SSL_SESSION
**sess
)
3094 switch (++use_session_cb_cnt
) {
3096 /* The first call should always have a NULL md */
3102 /* The second call should always have an md */
3108 /* We should only be called a maximum of twice */
3112 if (clientpsk
!= NULL
)
3113 SSL_SESSION_up_ref(clientpsk
);
3116 *id
= (const unsigned char *)pskid
;
3117 *idlen
= strlen(pskid
);
3122 #ifndef OPENSSL_NO_PSK
3123 static unsigned int psk_client_cb(SSL
*ssl
, const char *hint
, char *id
,
3124 unsigned int max_id_len
,
3126 unsigned int max_psk_len
)
3128 unsigned int psklen
= 0;
3130 psk_client_cb_cnt
++;
3132 if (strlen(pskid
) + 1 > max_id_len
)
3135 /* We should only ever be called a maximum of twice per connection */
3136 if (psk_client_cb_cnt
> 2)
3139 if (clientpsk
== NULL
)
3142 /* We'll reuse the PSK we set up for TLSv1.3 */
3143 if (SSL_SESSION_get_master_key(clientpsk
, NULL
, 0) > max_psk_len
)
3145 psklen
= SSL_SESSION_get_master_key(clientpsk
, psk
, max_psk_len
);
3146 strncpy(id
, pskid
, max_id_len
);
3150 #endif /* OPENSSL_NO_PSK */
3152 static int find_session_cb(SSL
*ssl
, const unsigned char *identity
,
3153 size_t identity_len
, SSL_SESSION
**sess
)
3155 find_session_cb_cnt
++;
3157 /* We should only ever be called a maximum of twice per connection */
3158 if (find_session_cb_cnt
> 2)
3161 if (serverpsk
== NULL
)
3164 /* Identity should match that set by the client */
3165 if (strlen(srvid
) != identity_len
3166 || strncmp(srvid
, (const char *)identity
, identity_len
) != 0) {
3167 /* No PSK found, continue but without a PSK */
3172 SSL_SESSION_up_ref(serverpsk
);
3178 #ifndef OPENSSL_NO_PSK
3179 static unsigned int psk_server_cb(SSL
*ssl
, const char *identity
,
3180 unsigned char *psk
, unsigned int max_psk_len
)
3182 unsigned int psklen
= 0;
3184 psk_server_cb_cnt
++;
3186 /* We should only ever be called a maximum of twice per connection */
3187 if (find_session_cb_cnt
> 2)
3190 if (serverpsk
== NULL
)
3193 /* Identity should match that set by the client */
3194 if (strcmp(srvid
, identity
) != 0) {
3198 /* We'll reuse the PSK we set up for TLSv1.3 */
3199 if (SSL_SESSION_get_master_key(serverpsk
, NULL
, 0) > max_psk_len
)
3201 psklen
= SSL_SESSION_get_master_key(serverpsk
, psk
, max_psk_len
);
3205 #endif /* OPENSSL_NO_PSK */
3207 #define MSG1 "Hello"
3208 #define MSG2 "World."
3213 #define MSG7 "message."
3215 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3216 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3217 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3218 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3219 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3222 static SSL_SESSION
*create_a_psk(SSL
*ssl
)
3224 const SSL_CIPHER
*cipher
= NULL
;
3225 const unsigned char key
[] = {
3226 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3227 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3228 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3229 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3230 0x2c, 0x2d, 0x2e, 0x2f
3232 SSL_SESSION
*sess
= NULL
;
3234 cipher
= SSL_CIPHER_find(ssl
, TLS13_AES_256_GCM_SHA384_BYTES
);
3235 sess
= SSL_SESSION_new();
3237 || !TEST_ptr(cipher
)
3238 || !TEST_true(SSL_SESSION_set1_master_key(sess
, key
,
3240 || !TEST_true(SSL_SESSION_set_cipher(sess
, cipher
))
3242 SSL_SESSION_set_protocol_version(sess
,
3244 SSL_SESSION_free(sess
);
3251 * Helper method to setup objects for early data test. Caller frees objects on
3254 static int setupearly_data_test(SSL_CTX
**cctx
, SSL_CTX
**sctx
, SSL
**clientssl
,
3255 SSL
**serverssl
, SSL_SESSION
**sess
, int idx
)
3258 && !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
3259 TLS_client_method(),
3261 sctx
, cctx
, cert
, privkey
)))
3264 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx
, SSL3_RT_MAX_PLAIN_LENGTH
)))
3268 /* When idx == 1 we repeat the tests with read_ahead set */
3269 SSL_CTX_set_read_ahead(*cctx
, 1);
3270 SSL_CTX_set_read_ahead(*sctx
, 1);
3271 } else if (idx
== 2) {
3272 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3273 SSL_CTX_set_psk_use_session_callback(*cctx
, use_session_cb
);
3274 SSL_CTX_set_psk_find_session_callback(*sctx
, find_session_cb
);
3275 use_session_cb_cnt
= 0;
3276 find_session_cb_cnt
= 0;
3280 if (!TEST_true(create_ssl_objects(*sctx
, *cctx
, serverssl
, clientssl
,
3285 * For one of the run throughs (doesn't matter which one), we'll try sending
3286 * some SNI data in the initial ClientHello. This will be ignored (because
3287 * there is no SNI cb set up by the server), so it should not impact
3291 && !TEST_true(SSL_set_tlsext_host_name(*clientssl
, "localhost")))
3295 clientpsk
= create_a_psk(*clientssl
);
3296 if (!TEST_ptr(clientpsk
)
3298 * We just choose an arbitrary value for max_early_data which
3299 * should be big enough for testing purposes.
3301 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk
,
3303 || !TEST_true(SSL_SESSION_up_ref(clientpsk
))) {
3304 SSL_SESSION_free(clientpsk
);
3308 serverpsk
= clientpsk
;
3311 if (!TEST_true(SSL_SESSION_up_ref(clientpsk
))) {
3312 SSL_SESSION_free(clientpsk
);
3313 SSL_SESSION_free(serverpsk
);
3314 clientpsk
= serverpsk
= NULL
;
3325 if (!TEST_true(create_ssl_connection(*serverssl
, *clientssl
,
3329 *sess
= SSL_get1_session(*clientssl
);
3330 SSL_shutdown(*clientssl
);
3331 SSL_shutdown(*serverssl
);
3332 SSL_free(*serverssl
);
3333 SSL_free(*clientssl
);
3334 *serverssl
= *clientssl
= NULL
;
3336 if (!TEST_true(create_ssl_objects(*sctx
, *cctx
, serverssl
,
3337 clientssl
, NULL
, NULL
))
3338 || !TEST_true(SSL_set_session(*clientssl
, *sess
)))
3344 static int test_early_data_read_write(int idx
)
3346 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3347 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3349 SSL_SESSION
*sess
= NULL
;
3350 unsigned char buf
[20], data
[1024];
3351 size_t readbytes
, written
, eoedlen
, rawread
, rawwritten
;
3354 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3355 &serverssl
, &sess
, idx
)))
3358 /* Write and read some early data */
3359 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3361 || !TEST_size_t_eq(written
, strlen(MSG1
))
3362 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
,
3363 sizeof(buf
), &readbytes
),
3364 SSL_READ_EARLY_DATA_SUCCESS
)
3365 || !TEST_mem_eq(MSG1
, readbytes
, buf
, strlen(MSG1
))
3366 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3367 SSL_EARLY_DATA_ACCEPTED
))
3371 * Server should be able to write data, and client should be able to
3374 if (!TEST_true(SSL_write_early_data(serverssl
, MSG2
, strlen(MSG2
),
3376 || !TEST_size_t_eq(written
, strlen(MSG2
))
3377 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3378 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3381 /* Even after reading normal data, client should be able write early data */
3382 if (!TEST_true(SSL_write_early_data(clientssl
, MSG3
, strlen(MSG3
),
3384 || !TEST_size_t_eq(written
, strlen(MSG3
)))
3387 /* Server should still be able read early data after writing data */
3388 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3390 SSL_READ_EARLY_DATA_SUCCESS
)
3391 || !TEST_mem_eq(buf
, readbytes
, MSG3
, strlen(MSG3
)))
3394 /* Write more data from server and read it from client */
3395 if (!TEST_true(SSL_write_early_data(serverssl
, MSG4
, strlen(MSG4
),
3397 || !TEST_size_t_eq(written
, strlen(MSG4
))
3398 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3399 || !TEST_mem_eq(buf
, readbytes
, MSG4
, strlen(MSG4
)))
3403 * If client writes normal data it should mean writing early data is no
3406 if (!TEST_true(SSL_write_ex(clientssl
, MSG5
, strlen(MSG5
), &written
))
3407 || !TEST_size_t_eq(written
, strlen(MSG5
))
3408 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3409 SSL_EARLY_DATA_ACCEPTED
))
3413 * At this point the client has written EndOfEarlyData, ClientFinished and
3414 * normal (fully protected) data. We are going to cause a delay between the
3415 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3416 * in the read BIO, and then just put back the EndOfEarlyData message.
3418 rbio
= SSL_get_rbio(serverssl
);
3419 if (!TEST_true(BIO_read_ex(rbio
, data
, sizeof(data
), &rawread
))
3420 || !TEST_size_t_lt(rawread
, sizeof(data
))
3421 || !TEST_size_t_gt(rawread
, SSL3_RT_HEADER_LENGTH
))
3424 /* Record length is in the 4th and 5th bytes of the record header */
3425 eoedlen
= SSL3_RT_HEADER_LENGTH
+ (data
[3] << 8 | data
[4]);
3426 if (!TEST_true(BIO_write_ex(rbio
, data
, eoedlen
, &rawwritten
))
3427 || !TEST_size_t_eq(rawwritten
, eoedlen
))
3430 /* Server should be told that there is no more early data */
3431 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3433 SSL_READ_EARLY_DATA_FINISH
)
3434 || !TEST_size_t_eq(readbytes
, 0))
3438 * Server has not finished init yet, so should still be able to write early
3441 if (!TEST_true(SSL_write_early_data(serverssl
, MSG6
, strlen(MSG6
),
3443 || !TEST_size_t_eq(written
, strlen(MSG6
)))
3446 /* Push the ClientFinished and the normal data back into the server rbio */
3447 if (!TEST_true(BIO_write_ex(rbio
, data
+ eoedlen
, rawread
- eoedlen
,
3449 || !TEST_size_t_eq(rawwritten
, rawread
- eoedlen
))
3452 /* Server should be able to read normal data */
3453 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3454 || !TEST_size_t_eq(readbytes
, strlen(MSG5
)))
3457 /* Client and server should not be able to write/read early data now */
3458 if (!TEST_false(SSL_write_early_data(clientssl
, MSG6
, strlen(MSG6
),
3462 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3464 SSL_READ_EARLY_DATA_ERROR
))
3468 /* Client should be able to read the data sent by the server */
3469 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3470 || !TEST_mem_eq(buf
, readbytes
, MSG6
, strlen(MSG6
)))
3474 * Make sure we process the two NewSessionTickets. These arrive
3475 * post-handshake. We attempt reads which we do not expect to return any
3478 if (!TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3479 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
3483 /* Server should be able to write normal data */
3484 if (!TEST_true(SSL_write_ex(serverssl
, MSG7
, strlen(MSG7
), &written
))
3485 || !TEST_size_t_eq(written
, strlen(MSG7
))
3486 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3487 || !TEST_mem_eq(buf
, readbytes
, MSG7
, strlen(MSG7
)))
3490 SSL_SESSION_free(sess
);
3491 sess
= SSL_get1_session(clientssl
);
3492 use_session_cb_cnt
= 0;
3493 find_session_cb_cnt
= 0;
3495 SSL_shutdown(clientssl
);
3496 SSL_shutdown(serverssl
);
3497 SSL_free(serverssl
);
3498 SSL_free(clientssl
);
3499 serverssl
= clientssl
= NULL
;
3500 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3501 &clientssl
, NULL
, NULL
))
3502 || !TEST_true(SSL_set_session(clientssl
, sess
)))
3505 /* Write and read some early data */
3506 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3508 || !TEST_size_t_eq(written
, strlen(MSG1
))
3509 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3511 SSL_READ_EARLY_DATA_SUCCESS
)
3512 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
)))
3515 if (!TEST_int_gt(SSL_connect(clientssl
), 0)
3516 || !TEST_int_gt(SSL_accept(serverssl
), 0))
3519 /* Client and server should not be able to write/read early data now */
3520 if (!TEST_false(SSL_write_early_data(clientssl
, MSG6
, strlen(MSG6
),
3524 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3526 SSL_READ_EARLY_DATA_ERROR
))
3530 /* Client and server should be able to write/read normal data */
3531 if (!TEST_true(SSL_write_ex(clientssl
, MSG5
, strlen(MSG5
), &written
))
3532 || !TEST_size_t_eq(written
, strlen(MSG5
))
3533 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3534 || !TEST_size_t_eq(readbytes
, strlen(MSG5
)))
3540 SSL_SESSION_free(sess
);
3541 SSL_SESSION_free(clientpsk
);
3542 SSL_SESSION_free(serverpsk
);
3543 clientpsk
= serverpsk
= NULL
;
3544 SSL_free(serverssl
);
3545 SSL_free(clientssl
);
3551 static int allow_ed_cb_called
= 0;
3553 static int allow_early_data_cb(SSL
*s
, void *arg
)
3555 int *usecb
= (int *)arg
;
3557 allow_ed_cb_called
++;
3566 * idx == 0: Standard early_data setup
3567 * idx == 1: early_data setup using read_ahead
3568 * usecb == 0: Don't use a custom early data callback
3569 * usecb == 1: Use a custom early data callback and reject the early data
3570 * usecb == 2: Use a custom early data callback and accept the early data
3571 * confopt == 0: Configure anti-replay directly
3572 * confopt == 1: Configure anti-replay using SSL_CONF
3574 static int test_early_data_replay_int(int idx
, int usecb
, int confopt
)
3576 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3577 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3579 SSL_SESSION
*sess
= NULL
;
3580 size_t readbytes
, written
;
3581 unsigned char buf
[20];
3583 allow_ed_cb_called
= 0;
3585 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
3586 TLS_client_method(), TLS1_VERSION
, 0,
3587 &sctx
, &cctx
, cert
, privkey
)))
3592 SSL_CTX_set_options(sctx
, SSL_OP_NO_ANTI_REPLAY
);
3594 SSL_CONF_CTX
*confctx
= SSL_CONF_CTX_new();
3596 if (!TEST_ptr(confctx
))
3598 SSL_CONF_CTX_set_flags(confctx
, SSL_CONF_FLAG_FILE
3599 | SSL_CONF_FLAG_SERVER
);
3600 SSL_CONF_CTX_set_ssl_ctx(confctx
, sctx
);
3601 if (!TEST_int_eq(SSL_CONF_cmd(confctx
, "Options", "-AntiReplay"),
3603 SSL_CONF_CTX_free(confctx
);
3606 SSL_CONF_CTX_free(confctx
);
3608 SSL_CTX_set_allow_early_data_cb(sctx
, allow_early_data_cb
, &usecb
);
3611 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3612 &serverssl
, &sess
, idx
)))
3616 * The server is configured to accept early data. Create a connection to
3617 * "use up" the ticket
3619 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
3620 || !TEST_true(SSL_session_reused(clientssl
)))
3623 SSL_shutdown(clientssl
);
3624 SSL_shutdown(serverssl
);
3625 SSL_free(serverssl
);
3626 SSL_free(clientssl
);
3627 serverssl
= clientssl
= NULL
;
3629 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3630 &clientssl
, NULL
, NULL
))
3631 || !TEST_true(SSL_set_session(clientssl
, sess
)))
3634 /* Write and read some early data */
3635 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3637 || !TEST_size_t_eq(written
, strlen(MSG1
)))
3641 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3643 SSL_READ_EARLY_DATA_FINISH
)
3645 * The ticket was reused, so the we should have rejected the
3648 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3649 SSL_EARLY_DATA_REJECTED
))
3652 /* In this case the callback decides to accept the early data */
3653 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3655 SSL_READ_EARLY_DATA_SUCCESS
)
3656 || !TEST_mem_eq(MSG1
, strlen(MSG1
), buf
, readbytes
)
3658 * Server will have sent its flight so client can now send
3659 * end of early data and complete its half of the handshake
3661 || !TEST_int_gt(SSL_connect(clientssl
), 0)
3662 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3664 SSL_READ_EARLY_DATA_FINISH
)
3665 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3666 SSL_EARLY_DATA_ACCEPTED
))
3670 /* Complete the connection */
3671 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
3672 || !TEST_int_eq(SSL_session_reused(clientssl
), (usecb
> 0) ? 1 : 0)
3673 || !TEST_int_eq(allow_ed_cb_called
, usecb
> 0 ? 1 : 0))
3679 SSL_SESSION_free(sess
);
3680 SSL_SESSION_free(clientpsk
);
3681 SSL_SESSION_free(serverpsk
);
3682 clientpsk
= serverpsk
= NULL
;
3683 SSL_free(serverssl
);
3684 SSL_free(clientssl
);
3690 static int test_early_data_replay(int idx
)
3692 int ret
= 1, usecb
, confopt
;
3694 for (usecb
= 0; usecb
< 3; usecb
++) {
3695 for (confopt
= 0; confopt
< 2; confopt
++)
3696 ret
&= test_early_data_replay_int(idx
, usecb
, confopt
);
3703 * Helper function to test that a server attempting to read early data can
3704 * handle a connection from a client where the early data should be skipped.
3705 * testtype: 0 == No HRR
3706 * testtype: 1 == HRR
3707 * testtype: 2 == HRR, invalid early_data sent after HRR
3708 * testtype: 3 == recv_max_early_data set to 0
3710 static int early_data_skip_helper(int testtype
, int idx
)
3712 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3713 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3715 SSL_SESSION
*sess
= NULL
;
3716 unsigned char buf
[20];
3717 size_t readbytes
, written
;
3719 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3720 &serverssl
, &sess
, idx
)))
3723 if (testtype
== 1 || testtype
== 2) {
3724 /* Force an HRR to occur */
3725 #if defined(OPENSSL_NO_EC)
3726 if (!TEST_true(SSL_set1_groups_list(serverssl
, "ffdhe3072")))
3729 if (!TEST_true(SSL_set1_groups_list(serverssl
, "P-256")))
3732 } else if (idx
== 2) {
3734 * We force early_data rejection by ensuring the PSK identity is
3737 srvid
= "Dummy Identity";
3740 * Deliberately corrupt the creation time. We take 20 seconds off the
3741 * time. It could be any value as long as it is not within tolerance.
3742 * This should mean the ticket is rejected.
3744 if (!TEST_true(SSL_SESSION_set_time(sess
, (long)(time(NULL
) - 20))))
3749 && !TEST_true(SSL_set_recv_max_early_data(serverssl
, 0)))
3752 /* Write some early data */
3753 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
3755 || !TEST_size_t_eq(written
, strlen(MSG1
)))
3758 /* Server should reject the early data */
3759 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3761 SSL_READ_EARLY_DATA_FINISH
)
3762 || !TEST_size_t_eq(readbytes
, 0)
3763 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3764 SSL_EARLY_DATA_REJECTED
))
3774 * Finish off the handshake. We perform the same writes and reads as
3775 * further down but we expect them to fail due to the incomplete
3778 if (!TEST_false(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
3779 || !TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
),
3786 BIO
*wbio
= SSL_get_wbio(clientssl
);
3787 /* A record that will appear as bad early_data */
3788 const unsigned char bad_early_data
[] = {
3789 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3793 * We force the client to attempt a write. This will fail because
3794 * we're still in the handshake. It will cause the second
3795 * ClientHello to be sent.
3797 if (!TEST_false(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
),
3802 * Inject some early_data after the second ClientHello. This should
3803 * cause the server to fail
3805 if (!TEST_true(BIO_write_ex(wbio
, bad_early_data
,
3806 sizeof(bad_early_data
), &written
)))
3813 * This client has sent more early_data than we are willing to skip
3814 * (case 3) or sent invalid early_data (case 2) so the connection should
3817 if (!TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3818 || !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_SSL
))
3821 /* Connection has failed - nothing more to do */
3826 TEST_error("Invalid test type");
3831 * Should be able to send normal data despite rejection of early data. The
3832 * early_data should be skipped.
3834 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
3835 || !TEST_size_t_eq(written
, strlen(MSG2
))
3836 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3837 SSL_EARLY_DATA_REJECTED
)
3838 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3839 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3845 SSL_SESSION_free(clientpsk
);
3846 SSL_SESSION_free(serverpsk
);
3847 clientpsk
= serverpsk
= NULL
;
3848 SSL_SESSION_free(sess
);
3849 SSL_free(serverssl
);
3850 SSL_free(clientssl
);
3857 * Test that a server attempting to read early data can handle a connection
3858 * from a client where the early data is not acceptable.
3860 static int test_early_data_skip(int idx
)
3862 return early_data_skip_helper(0, idx
);
3866 * Test that a server attempting to read early data can handle a connection
3867 * from a client where an HRR occurs.
3869 static int test_early_data_skip_hrr(int idx
)
3871 return early_data_skip_helper(1, idx
);
3875 * Test that a server attempting to read early data can handle a connection
3876 * from a client where an HRR occurs and correctly fails if early_data is sent
3879 static int test_early_data_skip_hrr_fail(int idx
)
3881 return early_data_skip_helper(2, idx
);
3885 * Test that a server attempting to read early data will abort if it tries to
3886 * skip over too much.
3888 static int test_early_data_skip_abort(int idx
)
3890 return early_data_skip_helper(3, idx
);
3894 * Test that a server attempting to read early data can handle a connection
3895 * from a client that doesn't send any.
3897 static int test_early_data_not_sent(int idx
)
3899 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3900 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3902 SSL_SESSION
*sess
= NULL
;
3903 unsigned char buf
[20];
3904 size_t readbytes
, written
;
3906 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
3907 &serverssl
, &sess
, idx
)))
3910 /* Write some data - should block due to handshake with server */
3911 SSL_set_connect_state(clientssl
);
3912 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
)))
3915 /* Server should detect that early data has not been sent */
3916 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3918 SSL_READ_EARLY_DATA_FINISH
)
3919 || !TEST_size_t_eq(readbytes
, 0)
3920 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3921 SSL_EARLY_DATA_NOT_SENT
)
3922 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
3923 SSL_EARLY_DATA_NOT_SENT
))
3926 /* Continue writing the message we started earlier */
3927 if (!TEST_true(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
3928 || !TEST_size_t_eq(written
, strlen(MSG1
))
3929 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
3930 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
3931 || !SSL_write_ex(serverssl
, MSG2
, strlen(MSG2
), &written
)
3932 || !TEST_size_t_eq(written
, strlen(MSG2
)))
3935 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
3936 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
3942 SSL_SESSION_free(sess
);
3943 SSL_SESSION_free(clientpsk
);
3944 SSL_SESSION_free(serverpsk
);
3945 clientpsk
= serverpsk
= NULL
;
3946 SSL_free(serverssl
);
3947 SSL_free(clientssl
);
3953 static const char *servalpn
;
3955 static int alpn_select_cb(SSL
*ssl
, const unsigned char **out
,
3956 unsigned char *outlen
, const unsigned char *in
,
3957 unsigned int inlen
, void *arg
)
3959 unsigned int protlen
= 0;
3960 const unsigned char *prot
;
3962 for (prot
= in
; prot
< in
+ inlen
; prot
+= protlen
) {
3964 if (in
+ inlen
< prot
+ protlen
)
3965 return SSL_TLSEXT_ERR_NOACK
;
3967 if (protlen
== strlen(servalpn
)
3968 && memcmp(prot
, servalpn
, protlen
) == 0) {
3971 return SSL_TLSEXT_ERR_OK
;
3975 return SSL_TLSEXT_ERR_NOACK
;
3978 /* Test that a PSK can be used to send early_data */
3979 static int test_early_data_psk(int idx
)
3981 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3982 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3984 SSL_SESSION
*sess
= NULL
;
3985 unsigned char alpnlist
[] = {
3986 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3989 #define GOODALPNLEN 9
3990 #define BADALPNLEN 8
3991 #define GOODALPN (alpnlist)
3992 #define BADALPN (alpnlist + GOODALPNLEN)
3994 unsigned char buf
[20];
3995 size_t readbytes
, written
;
3996 int readearlyres
= SSL_READ_EARLY_DATA_SUCCESS
, connectres
= 1;
3997 int edstatus
= SSL_EARLY_DATA_ACCEPTED
;
3999 /* We always set this up with a final parameter of "2" for PSK */
4000 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4001 &serverssl
, &sess
, 2)))
4004 servalpn
= "goodalpn";
4007 * Note: There is no test for inconsistent SNI with late client detection.
4008 * This is because servers do not acknowledge SNI even if they are using
4009 * it in a resumption handshake - so it is not actually possible for a
4010 * client to detect a problem.
4014 /* Set inconsistent SNI (early client detection) */
4015 err
= SSL_R_INCONSISTENT_EARLY_DATA_SNI
;
4016 if (!TEST_true(SSL_SESSION_set1_hostname(sess
, "goodhost"))
4017 || !TEST_true(SSL_set_tlsext_host_name(clientssl
, "badhost")))
4022 /* Set inconsistent ALPN (early client detection) */
4023 err
= SSL_R_INCONSISTENT_EARLY_DATA_ALPN
;
4024 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4025 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess
, GOODALPN
,
4027 || !TEST_false(SSL_set_alpn_protos(clientssl
, BADALPN
,
4034 * Set invalid protocol version. Technically this affects PSKs without
4035 * early_data too, but we test it here because it is similar to the
4036 * SNI/ALPN consistency tests.
4038 err
= SSL_R_BAD_PSK
;
4039 if (!TEST_true(SSL_SESSION_set_protocol_version(sess
, TLS1_2_VERSION
)))
4045 * Set inconsistent SNI (server side). In this case the connection
4046 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4047 * is associated with each handshake - not the session. Therefore it
4048 * should not matter that we used a different server name last time.
4050 SSL_SESSION_free(serverpsk
);
4051 serverpsk
= SSL_SESSION_dup(clientpsk
);
4052 if (!TEST_ptr(serverpsk
)
4053 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk
, "badhost")))
4057 /* Set consistent SNI */
4058 if (!TEST_true(SSL_SESSION_set1_hostname(sess
, "goodhost"))
4059 || !TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost"))
4060 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
,
4067 * Set inconsistent ALPN (server detected). In this case the connection
4068 * will succeed but reject early_data.
4070 servalpn
= "badalpn";
4071 edstatus
= SSL_EARLY_DATA_REJECTED
;
4072 readearlyres
= SSL_READ_EARLY_DATA_FINISH
;
4076 * Set consistent ALPN.
4077 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4078 * accepts a list of protos (each one length prefixed).
4079 * SSL_set1_alpn_selected accepts a single protocol (not length
4082 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess
, GOODALPN
+ 1,
4084 || !TEST_false(SSL_set_alpn_protos(clientssl
, GOODALPN
,
4088 SSL_CTX_set_alpn_select_cb(sctx
, alpn_select_cb
, NULL
);
4092 /* Set inconsistent ALPN (late client detection) */
4093 SSL_SESSION_free(serverpsk
);
4094 serverpsk
= SSL_SESSION_dup(clientpsk
);
4095 if (!TEST_ptr(serverpsk
)
4096 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk
,
4099 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk
,
4102 || !TEST_false(SSL_set_alpn_protos(clientssl
, alpnlist
,
4105 SSL_CTX_set_alpn_select_cb(sctx
, alpn_select_cb
, NULL
);
4106 edstatus
= SSL_EARLY_DATA_ACCEPTED
;
4107 readearlyres
= SSL_READ_EARLY_DATA_SUCCESS
;
4108 /* SSL_connect() call should fail */
4113 TEST_error("Bad test index");
4117 SSL_set_connect_state(clientssl
);
4119 if (!TEST_false(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4121 || !TEST_int_eq(SSL_get_error(clientssl
, 0), SSL_ERROR_SSL
)
4122 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err
))
4125 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4129 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4130 &readbytes
), readearlyres
)
4131 || (readearlyres
== SSL_READ_EARLY_DATA_SUCCESS
4132 && !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
)))
4133 || !TEST_int_eq(SSL_get_early_data_status(serverssl
), edstatus
)
4134 || !TEST_int_eq(SSL_connect(clientssl
), connectres
))
4141 SSL_SESSION_free(sess
);
4142 SSL_SESSION_free(clientpsk
);
4143 SSL_SESSION_free(serverpsk
);
4144 clientpsk
= serverpsk
= NULL
;
4145 SSL_free(serverssl
);
4146 SSL_free(clientssl
);
4153 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4154 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4155 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4156 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4157 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4158 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4160 static int test_early_data_psk_with_all_ciphers(int idx
)
4162 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4163 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4165 SSL_SESSION
*sess
= NULL
;
4166 unsigned char buf
[20];
4167 size_t readbytes
, written
;
4168 const SSL_CIPHER
*cipher
;
4169 const char *cipher_str
[] = {
4170 TLS1_3_RFC_AES_128_GCM_SHA256
,
4171 TLS1_3_RFC_AES_256_GCM_SHA384
,
4172 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4173 TLS1_3_RFC_CHACHA20_POLY1305_SHA256
,
4177 TLS1_3_RFC_AES_128_CCM_SHA256
,
4178 TLS1_3_RFC_AES_128_CCM_8_SHA256
4180 const unsigned char *cipher_bytes
[] = {
4181 TLS13_AES_128_GCM_SHA256_BYTES
,
4182 TLS13_AES_256_GCM_SHA384_BYTES
,
4183 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4184 TLS13_CHACHA20_POLY1305_SHA256_BYTES
,
4188 TLS13_AES_128_CCM_SHA256_BYTES
,
4189 TLS13_AES_128_CCM_8_SHA256_BYTES
4192 if (cipher_str
[idx
] == NULL
)
4194 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4195 if (idx
== 2 && is_fips
== 1)
4198 /* We always set this up with a final parameter of "2" for PSK */
4199 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4200 &serverssl
, &sess
, 2)))
4204 /* CCM8 ciphers are considered low security due to their short tag */
4205 SSL_set_security_level(clientssl
, 0);
4206 SSL_set_security_level(serverssl
, 0);
4209 if (!TEST_true(SSL_set_ciphersuites(clientssl
, cipher_str
[idx
]))
4210 || !TEST_true(SSL_set_ciphersuites(serverssl
, cipher_str
[idx
])))
4214 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4215 * and assigns to both client and server with incremented reference
4216 * and the same instance is updated in 'sess'.
4217 * So updating ciphersuite in 'sess' which will get reflected in
4218 * PSK handshake using psk use sess and find sess cb.
4220 cipher
= SSL_CIPHER_find(clientssl
, cipher_bytes
[idx
]);
4221 if (!TEST_ptr(cipher
) || !TEST_true(SSL_SESSION_set_cipher(sess
, cipher
)))
4224 SSL_set_connect_state(clientssl
);
4225 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4229 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4231 SSL_READ_EARLY_DATA_SUCCESS
)
4232 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
4233 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4234 SSL_EARLY_DATA_ACCEPTED
)
4235 || !TEST_int_eq(SSL_connect(clientssl
), 1)
4236 || !TEST_int_eq(SSL_accept(serverssl
), 1))
4239 /* Send some normal data from client to server */
4240 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
4241 || !TEST_size_t_eq(written
, strlen(MSG2
)))
4244 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4245 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4250 SSL_SESSION_free(sess
);
4251 SSL_SESSION_free(clientpsk
);
4252 SSL_SESSION_free(serverpsk
);
4253 clientpsk
= serverpsk
= NULL
;
4254 if (clientssl
!= NULL
)
4255 SSL_shutdown(clientssl
);
4256 if (serverssl
!= NULL
)
4257 SSL_shutdown(serverssl
);
4258 SSL_free(serverssl
);
4259 SSL_free(clientssl
);
4266 * Test that a server that doesn't try to read early data can handle a
4267 * client sending some.
4269 static int test_early_data_not_expected(int idx
)
4271 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4272 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4274 SSL_SESSION
*sess
= NULL
;
4275 unsigned char buf
[20];
4276 size_t readbytes
, written
;
4278 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4279 &serverssl
, &sess
, idx
)))
4282 /* Write some early data */
4283 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4288 * Server should skip over early data and then block waiting for client to
4289 * continue handshake
4291 if (!TEST_int_le(SSL_accept(serverssl
), 0)
4292 || !TEST_int_gt(SSL_connect(clientssl
), 0)
4293 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4294 SSL_EARLY_DATA_REJECTED
)
4295 || !TEST_int_gt(SSL_accept(serverssl
), 0)
4296 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
4297 SSL_EARLY_DATA_REJECTED
))
4300 /* Send some normal data from client to server */
4301 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
4302 || !TEST_size_t_eq(written
, strlen(MSG2
)))
4305 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4306 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4312 SSL_SESSION_free(sess
);
4313 SSL_SESSION_free(clientpsk
);
4314 SSL_SESSION_free(serverpsk
);
4315 clientpsk
= serverpsk
= NULL
;
4316 SSL_free(serverssl
);
4317 SSL_free(clientssl
);
4324 # ifndef OPENSSL_NO_TLS1_2
4326 * Test that a server attempting to read early data can handle a connection
4327 * from a TLSv1.2 client.
4329 static int test_early_data_tls1_2(int idx
)
4331 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4332 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4334 unsigned char buf
[20];
4335 size_t readbytes
, written
;
4337 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4338 &serverssl
, NULL
, idx
)))
4341 /* Write some data - should block due to handshake with server */
4342 SSL_set_max_proto_version(clientssl
, TLS1_2_VERSION
);
4343 SSL_set_connect_state(clientssl
);
4344 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
)))
4348 * Server should do TLSv1.2 handshake. First it will block waiting for more
4349 * messages from client after ServerDone. Then SSL_read_early_data should
4350 * finish and detect that early data has not been sent
4352 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4354 SSL_READ_EARLY_DATA_ERROR
))
4358 * Continue writing the message we started earlier. Will still block waiting
4359 * for the CCS/Finished from server
4361 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
4362 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
4364 SSL_READ_EARLY_DATA_FINISH
)
4365 || !TEST_size_t_eq(readbytes
, 0)
4366 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4367 SSL_EARLY_DATA_NOT_SENT
))
4370 /* Continue writing the message we started earlier */
4371 if (!TEST_true(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
4372 || !TEST_size_t_eq(written
, strlen(MSG1
))
4373 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
4374 SSL_EARLY_DATA_NOT_SENT
)
4375 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
4376 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
4377 || !TEST_true(SSL_write_ex(serverssl
, MSG2
, strlen(MSG2
), &written
))
4378 || !TEST_size_t_eq(written
, strlen(MSG2
))
4379 || !SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
)
4380 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
4386 SSL_SESSION_free(clientpsk
);
4387 SSL_SESSION_free(serverpsk
);
4388 clientpsk
= serverpsk
= NULL
;
4389 SSL_free(serverssl
);
4390 SSL_free(clientssl
);
4396 # endif /* OPENSSL_NO_TLS1_2 */
4399 * Test configuring the TLSv1.3 ciphersuites
4401 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4402 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4403 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4404 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4405 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4406 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4407 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4408 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4409 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4410 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4412 static int test_set_ciphersuite(int idx
)
4414 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4415 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4418 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4419 TLS_client_method(), TLS1_VERSION
, 0,
4420 &sctx
, &cctx
, cert
, privkey
))
4421 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4422 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4425 if (idx
>=4 && idx
<= 7) {
4426 /* SSL_CTX explicit cipher list */
4427 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "AES256-GCM-SHA384")))
4431 if (idx
== 0 || idx
== 4) {
4432 /* Default ciphersuite */
4433 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4434 "TLS_AES_128_GCM_SHA256")))
4436 } else if (idx
== 1 || idx
== 5) {
4437 /* Non default ciphersuite */
4438 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4439 "TLS_AES_128_CCM_SHA256")))
4443 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4444 &clientssl
, NULL
, NULL
)))
4447 if (idx
== 8 || idx
== 9) {
4448 /* SSL explicit cipher list */
4449 if (!TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384")))
4453 if (idx
== 2 || idx
== 6 || idx
== 8) {
4454 /* Default ciphersuite */
4455 if (!TEST_true(SSL_set_ciphersuites(clientssl
,
4456 "TLS_AES_128_GCM_SHA256")))
4458 } else if (idx
== 3 || idx
== 7 || idx
== 9) {
4459 /* Non default ciphersuite */
4460 if (!TEST_true(SSL_set_ciphersuites(clientssl
,
4461 "TLS_AES_128_CCM_SHA256")))
4465 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4471 SSL_free(serverssl
);
4472 SSL_free(clientssl
);
4479 static int test_ciphersuite_change(void)
4481 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4482 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4483 SSL_SESSION
*clntsess
= NULL
;
4485 const SSL_CIPHER
*aes_128_gcm_sha256
= NULL
;
4487 /* Create a session based on SHA-256 */
4488 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4489 TLS_client_method(), TLS1_VERSION
, 0,
4490 &sctx
, &cctx
, cert
, privkey
))
4491 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4492 "TLS_AES_128_GCM_SHA256:"
4493 "TLS_AES_256_GCM_SHA384:"
4494 "TLS_AES_128_CCM_SHA256"))
4495 || !TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4496 "TLS_AES_128_GCM_SHA256")))
4499 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4501 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4505 clntsess
= SSL_get1_session(clientssl
);
4506 /* Save for later */
4507 aes_128_gcm_sha256
= SSL_SESSION_get0_cipher(clntsess
);
4508 SSL_shutdown(clientssl
);
4509 SSL_shutdown(serverssl
);
4510 SSL_free(serverssl
);
4511 SSL_free(clientssl
);
4512 serverssl
= clientssl
= NULL
;
4514 /* Check we can resume a session with a different SHA-256 ciphersuite */
4515 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4516 "TLS_AES_128_CCM_SHA256"))
4517 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4518 &clientssl
, NULL
, NULL
))
4519 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4520 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4522 || !TEST_true(SSL_session_reused(clientssl
)))
4525 SSL_SESSION_free(clntsess
);
4526 clntsess
= SSL_get1_session(clientssl
);
4527 SSL_shutdown(clientssl
);
4528 SSL_shutdown(serverssl
);
4529 SSL_free(serverssl
);
4530 SSL_free(clientssl
);
4531 serverssl
= clientssl
= NULL
;
4534 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4535 * succeeds but does not resume.
4537 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, "TLS_AES_256_GCM_SHA384"))
4538 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4540 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4541 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4543 || !TEST_false(SSL_session_reused(clientssl
)))
4546 SSL_SESSION_free(clntsess
);
4548 SSL_shutdown(clientssl
);
4549 SSL_shutdown(serverssl
);
4550 SSL_free(serverssl
);
4551 SSL_free(clientssl
);
4552 serverssl
= clientssl
= NULL
;
4554 /* Create a session based on SHA384 */
4555 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, "TLS_AES_256_GCM_SHA384"))
4556 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4557 &clientssl
, NULL
, NULL
))
4558 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4562 clntsess
= SSL_get1_session(clientssl
);
4563 SSL_shutdown(clientssl
);
4564 SSL_shutdown(serverssl
);
4565 SSL_free(serverssl
);
4566 SSL_free(clientssl
);
4567 serverssl
= clientssl
= NULL
;
4569 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4570 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4571 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4572 "TLS_AES_256_GCM_SHA384"))
4573 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4575 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4577 * We use SSL_ERROR_WANT_READ below so that we can pause the
4578 * connection after the initial ClientHello has been sent to
4579 * enable us to make some session changes.
4581 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
4582 SSL_ERROR_WANT_READ
)))
4585 /* Trick the client into thinking this session is for a different digest */
4586 clntsess
->cipher
= aes_128_gcm_sha256
;
4587 clntsess
->cipher_id
= clntsess
->cipher
->id
;
4590 * Continue the previously started connection. Server has selected a SHA-384
4591 * ciphersuite, but client thinks the session is for SHA-256, so it should
4594 if (!TEST_false(create_ssl_connection(serverssl
, clientssl
,
4596 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4597 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED
))
4603 SSL_SESSION_free(clntsess
);
4604 SSL_free(serverssl
);
4605 SSL_free(clientssl
);
4613 * Test TLSv1.3 Key exchange
4614 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4615 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4616 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4617 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4618 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4619 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4620 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4621 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4622 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4623 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4624 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4625 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4626 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4627 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4629 # ifndef OPENSSL_NO_EC
4630 static int ecdhe_kexch_groups
[] = {NID_X9_62_prime256v1
, NID_secp384r1
,
4631 NID_secp521r1
, NID_X25519
, NID_X448
};
4633 # ifndef OPENSSL_NO_DH
4634 static int ffdhe_kexch_groups
[] = {NID_ffdhe2048
, NID_ffdhe3072
, NID_ffdhe4096
,
4635 NID_ffdhe6144
, NID_ffdhe8192
};
4637 static int test_key_exchange(int idx
)
4639 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4640 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4643 int *kexch_groups
= &kexch_alg
;
4644 int kexch_groups_size
= 1;
4645 int max_version
= TLS1_3_VERSION
;
4646 char *kexch_name0
= NULL
;
4649 # ifndef OPENSSL_NO_EC
4650 # ifndef OPENSSL_NO_TLS1_2
4652 max_version
= TLS1_2_VERSION
;
4656 kexch_groups
= ecdhe_kexch_groups
;
4657 kexch_groups_size
= OSSL_NELEM(ecdhe_kexch_groups
);
4658 kexch_name0
= "secp256r1";
4661 kexch_alg
= NID_X9_62_prime256v1
;
4662 kexch_name0
= "secp256r1";
4665 kexch_alg
= NID_secp384r1
;
4666 kexch_name0
= "secp384r1";
4669 kexch_alg
= NID_secp521r1
;
4670 kexch_name0
= "secp521r1";
4673 kexch_alg
= NID_X25519
;
4674 kexch_name0
= "x25519";
4677 kexch_alg
= NID_X448
;
4678 kexch_name0
= "x448";
4681 # ifndef OPENSSL_NO_DH
4682 # ifndef OPENSSL_NO_TLS1_2
4684 max_version
= TLS1_2_VERSION
;
4685 kexch_name0
= "ffdhe2048";
4689 kexch_groups
= ffdhe_kexch_groups
;
4690 kexch_groups_size
= OSSL_NELEM(ffdhe_kexch_groups
);
4691 kexch_name0
= "ffdhe2048";
4694 kexch_alg
= NID_ffdhe2048
;
4695 kexch_name0
= "ffdhe2048";
4698 kexch_alg
= NID_ffdhe3072
;
4699 kexch_name0
= "ffdhe3072";
4702 kexch_alg
= NID_ffdhe4096
;
4703 kexch_name0
= "ffdhe4096";
4706 kexch_alg
= NID_ffdhe6144
;
4707 kexch_name0
= "ffdhe6144";
4710 kexch_alg
= NID_ffdhe8192
;
4711 kexch_name0
= "ffdhe8192";
4715 /* We're skipping this test */
4719 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4720 TLS_client_method(), TLS1_VERSION
,
4721 max_version
, &sctx
, &cctx
, cert
,
4725 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4726 TLS1_3_RFC_AES_128_GCM_SHA256
)))
4729 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4730 TLS1_3_RFC_AES_128_GCM_SHA256
)))
4733 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
,
4734 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4735 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
))
4736 || !TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
4740 * Must include an EC ciphersuite so that we send supported groups in
4743 # ifndef OPENSSL_NO_TLS1_2
4744 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
4745 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4746 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
)))
4750 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4754 if (!TEST_true(SSL_set1_groups(serverssl
, kexch_groups
, kexch_groups_size
))
4755 || !TEST_true(SSL_set1_groups(clientssl
, kexch_groups
, kexch_groups_size
)))
4758 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4762 * If Handshake succeeds the negotiated kexch alg should be the first one in
4763 * configured, except in the case of FFDHE groups (idx 13), which are
4764 * TLSv1.3 only so we expect no shared group to exist.
4766 if (!TEST_int_eq(SSL_get_shared_group(serverssl
, 0),
4767 idx
== 13 ? 0 : kexch_groups
[0]))
4770 if (!TEST_str_eq(SSL_group_to_name(serverssl
, kexch_groups
[0]),
4774 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4776 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl
), kexch_groups
[0]))
4778 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl
), kexch_groups
[0]))
4784 SSL_free(serverssl
);
4785 SSL_free(clientssl
);
4791 # if !defined(OPENSSL_NO_TLS1_2) \
4792 && !defined(OPENSSL_NO_EC) \
4793 && !defined(OPENSSL_NO_DH)
4794 static int set_ssl_groups(SSL
*serverssl
, SSL
*clientssl
, int clientmulti
,
4795 int isecdhe
, int idx
)
4798 int *kexch_groups
= &kexch_alg
;
4801 numec
= OSSL_NELEM(ecdhe_kexch_groups
);
4802 numff
= OSSL_NELEM(ffdhe_kexch_groups
);
4804 kexch_alg
= ecdhe_kexch_groups
[idx
];
4806 kexch_alg
= ffdhe_kexch_groups
[idx
];
4809 if (!TEST_true(SSL_set1_groups(serverssl
, kexch_groups
, 1)))
4812 if (!TEST_true(SSL_set1_groups(clientssl
, ecdhe_kexch_groups
,
4816 if (!TEST_true(SSL_set1_groups(clientssl
, ffdhe_kexch_groups
,
4821 if (!TEST_true(SSL_set1_groups(clientssl
, kexch_groups
, 1)))
4824 if (!TEST_true(SSL_set1_groups(serverssl
, ecdhe_kexch_groups
,
4828 if (!TEST_true(SSL_set1_groups(serverssl
, ffdhe_kexch_groups
,
4837 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4838 * Run through both the ECDHE and FFDHE group lists used in the previous
4839 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4840 * confirming the expected result; then perform a resumption handshake
4841 * while offering the same group list, and another resumption handshake
4842 * offering a different group list. The returned value should be the
4843 * negotiated group for the initial handshake; for TLS 1.3 resumption
4844 * handshakes the returned value will be negotiated on the resumption
4845 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4846 * be cached in the session from the original handshake, regardless of what
4847 * was offered in the resumption ClientHello.
4849 * Using E for the number of EC groups and F for the number of FF groups:
4850 * E tests of ECDHE with TLS 1.3, server only has one group
4851 * F tests of FFDHE with TLS 1.3, server only has one group
4852 * E tests of ECDHE with TLS 1.2, server only has one group
4853 * F tests of FFDHE with TLS 1.2, server only has one group
4854 * E tests of ECDHE with TLS 1.3, client sends only one group
4855 * F tests of FFDHE with TLS 1.3, client sends only one group
4856 * E tests of ECDHE with TLS 1.2, client sends only one group
4857 * F tests of FFDHE with TLS 1.2, client sends only one group
4859 static int test_negotiated_group(int idx
)
4861 int clientmulti
, istls13
, isecdhe
, numec
, numff
, numgroups
;
4863 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
4864 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
4865 SSL_SESSION
*origsess
= NULL
;
4868 int max_version
= TLS1_3_VERSION
;
4870 numec
= OSSL_NELEM(ecdhe_kexch_groups
);
4871 numff
= OSSL_NELEM(ffdhe_kexch_groups
);
4872 numgroups
= numec
+ numff
;
4873 clientmulti
= (idx
< 2 * numgroups
);
4874 idx
= idx
% (2 * numgroups
);
4875 istls13
= (idx
< numgroups
);
4876 idx
= idx
% numgroups
;
4877 isecdhe
= (idx
< numec
);
4880 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4882 kexch_alg
= ecdhe_kexch_groups
[idx
];
4884 kexch_alg
= ffdhe_kexch_groups
[idx
];
4885 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4886 if (!istls13
&& !isecdhe
)
4887 expectednid
= NID_undef
;
4889 expectednid
= kexch_alg
;
4892 max_version
= TLS1_2_VERSION
;
4894 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
4895 TLS_client_method(), TLS1_VERSION
,
4896 max_version
, &sctx
, &cctx
, cert
,
4901 * Force (EC)DHE ciphers for TLS 1.2.
4902 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4904 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
,
4905 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4906 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
))
4907 || !TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
4909 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
4910 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
4911 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
)))
4914 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4918 if (!TEST_true(set_ssl_groups(serverssl
, clientssl
, clientmulti
, isecdhe
,
4922 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
4925 /* Initial handshake; always the configured one */
4926 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl
), expectednid
)
4927 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl
), expectednid
))
4930 if (!TEST_ptr((origsess
= SSL_get1_session(clientssl
))))
4933 SSL_shutdown(clientssl
);
4934 SSL_shutdown(serverssl
);
4935 SSL_free(serverssl
);
4936 SSL_free(clientssl
);
4937 serverssl
= clientssl
= NULL
;
4939 /* First resumption attempt; use the same config as initial handshake */
4940 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4942 || !TEST_true(SSL_set_session(clientssl
, origsess
))
4943 || !TEST_true(set_ssl_groups(serverssl
, clientssl
, clientmulti
,
4947 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
4948 || !TEST_true(SSL_session_reused(clientssl
)))
4951 /* Still had better agree, since nothing changed... */
4952 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl
), expectednid
)
4953 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl
), expectednid
))
4956 SSL_shutdown(clientssl
);
4957 SSL_shutdown(serverssl
);
4958 SSL_free(serverssl
);
4959 SSL_free(clientssl
);
4960 serverssl
= clientssl
= NULL
;
4963 * Second resumption attempt
4964 * The party that picks one group changes it, which we effectuate by
4965 * changing 'idx' and updating what we expect.
4973 expectednid
= ecdhe_kexch_groups
[idx
];
4975 expectednid
= ffdhe_kexch_groups
[idx
];
4976 /* Verify that we are changing what we expect. */
4977 if (!TEST_int_ne(expectednid
, kexch_alg
))
4980 /* TLS 1.2 only supports named groups for ECDHE. */
4982 expectednid
= kexch_alg
;
4986 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4988 || !TEST_true(SSL_set_session(clientssl
, origsess
))
4989 || !TEST_true(set_ssl_groups(serverssl
, clientssl
, clientmulti
,
4993 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
4994 || !TEST_true(SSL_session_reused(clientssl
)))
4997 /* Check that we get what we expected */
4998 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl
), expectednid
)
4999 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl
), expectednid
))
5004 SSL_free(serverssl
);
5005 SSL_free(clientssl
);
5008 SSL_SESSION_free(origsess
);
5011 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5014 * Test TLSv1.3 Cipher Suite
5015 * Test 0 = Set TLS1.3 cipher on context
5016 * Test 1 = Set TLS1.3 cipher on SSL
5017 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5018 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5020 static int test_tls13_ciphersuite(int idx
)
5022 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
5023 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
5024 static const struct {
5025 const char *ciphername
;
5029 { TLS1_3_RFC_AES_128_GCM_SHA256
, 1, 0 },
5030 { TLS1_3_RFC_AES_256_GCM_SHA384
, 1, 0 },
5031 { TLS1_3_RFC_AES_128_CCM_SHA256
, 1, 0 },
5032 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5033 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256
, 0, 0 },
5034 { TLS1_3_RFC_AES_256_GCM_SHA384
5035 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256
, 0, 0 },
5037 /* CCM8 ciphers are considered low security due to their short tag */
5038 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5039 ":" TLS1_3_RFC_AES_128_CCM_SHA256
, 1, 1 }
5041 const char *t13_cipher
= NULL
;
5042 const char *t12_cipher
= NULL
;
5043 const char *negotiated_scipher
;
5044 const char *negotiated_ccipher
;
5060 t12_cipher
= TLS1_TXT_RSA_WITH_AES_128_SHA256
;
5064 t12_cipher
= TLS1_TXT_RSA_WITH_AES_128_SHA256
;
5068 for (max_ver
= TLS1_2_VERSION
; max_ver
<= TLS1_3_VERSION
; max_ver
++) {
5069 # ifdef OPENSSL_NO_TLS1_2
5070 if (max_ver
== TLS1_2_VERSION
)
5073 for (i
= 0; i
< OSSL_NELEM(t13_ciphers
); i
++) {
5074 if (is_fips
&& !t13_ciphers
[i
].fipscapable
)
5076 t13_cipher
= t13_ciphers
[i
].ciphername
;
5077 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5078 TLS_client_method(),
5079 TLS1_VERSION
, max_ver
,
5080 &sctx
, &cctx
, cert
, privkey
)))
5083 if (t13_ciphers
[i
].low_security
) {
5084 SSL_CTX_set_security_level(sctx
, 0);
5085 SSL_CTX_set_security_level(cctx
, 0);
5089 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx
, t13_cipher
))
5090 || !TEST_true(SSL_CTX_set_ciphersuites(cctx
, t13_cipher
)))
5092 if (t12_cipher
!= NULL
) {
5093 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, t12_cipher
))
5094 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
5100 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
5101 &clientssl
, NULL
, NULL
)))
5105 if (!TEST_true(SSL_set_ciphersuites(serverssl
, t13_cipher
))
5106 || !TEST_true(SSL_set_ciphersuites(clientssl
, t13_cipher
)))
5108 if (t12_cipher
!= NULL
) {
5109 if (!TEST_true(SSL_set_cipher_list(serverssl
, t12_cipher
))
5110 || !TEST_true(SSL_set_cipher_list(clientssl
,
5116 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
5120 negotiated_scipher
= SSL_CIPHER_get_name(SSL_get_current_cipher(
5122 negotiated_ccipher
= SSL_CIPHER_get_name(SSL_get_current_cipher(
5124 if (!TEST_str_eq(negotiated_scipher
, negotiated_ccipher
))
5128 * TEST_strn_eq is used below because t13_cipher can contain
5129 * multiple ciphersuites
5131 if (max_ver
== TLS1_3_VERSION
5132 && !TEST_strn_eq(t13_cipher
, negotiated_scipher
,
5133 strlen(negotiated_scipher
)))
5136 # ifndef OPENSSL_NO_TLS1_2
5137 /* Below validation is not done when t12_cipher is NULL */
5138 if (max_ver
== TLS1_2_VERSION
&& t12_cipher
!= NULL
5139 && !TEST_str_eq(t12_cipher
, negotiated_scipher
))
5143 SSL_free(serverssl
);
5145 SSL_free(clientssl
);
5156 SSL_free(serverssl
);
5157 SSL_free(clientssl
);
5165 * Test 0 = Test new style callbacks
5166 * Test 1 = Test both new and old style callbacks
5167 * Test 2 = Test old style callbacks
5168 * Test 3 = Test old style callbacks with no certificate
5170 static int test_tls13_psk(int idx
)
5172 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
5173 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
5174 const SSL_CIPHER
*cipher
= NULL
;
5175 const unsigned char key
[] = {
5176 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5177 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5178 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5179 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5183 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5184 TLS_client_method(), TLS1_VERSION
, 0,
5185 &sctx
, &cctx
, idx
== 3 ? NULL
: cert
,
5186 idx
== 3 ? NULL
: privkey
)))
5191 * We use a ciphersuite with SHA256 to ease testing old style PSK
5192 * callbacks which will always default to SHA256. This should not be
5193 * necessary if we have no cert/priv key. In that case the server should
5194 * prefer SHA256 automatically.
5196 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
5197 "TLS_AES_128_GCM_SHA256")))
5201 * As noted above the server should prefer SHA256 automatically. However
5202 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5203 * code works even if we are testing with only the FIPS provider loaded.
5205 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
5206 "TLS_AES_256_GCM_SHA384:"
5207 "TLS_AES_128_GCM_SHA256")))
5212 * Test 0: New style callbacks only
5213 * Test 1: New and old style callbacks (only the new ones should be used)
5214 * Test 2: Old style callbacks only
5216 if (idx
== 0 || idx
== 1) {
5217 SSL_CTX_set_psk_use_session_callback(cctx
, use_session_cb
);
5218 SSL_CTX_set_psk_find_session_callback(sctx
, find_session_cb
);
5220 #ifndef OPENSSL_NO_PSK
5222 SSL_CTX_set_psk_client_callback(cctx
, psk_client_cb
);
5223 SSL_CTX_set_psk_server_callback(sctx
, psk_server_cb
);
5227 use_session_cb_cnt
= 0;
5228 find_session_cb_cnt
= 0;
5229 psk_client_cb_cnt
= 0;
5230 psk_server_cb_cnt
= 0;
5234 * Check we can create a connection if callback decides not to send a
5237 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5239 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5241 || !TEST_false(SSL_session_reused(clientssl
))
5242 || !TEST_false(SSL_session_reused(serverssl
)))
5245 if (idx
== 0 || idx
== 1) {
5246 if (!TEST_true(use_session_cb_cnt
== 1)
5247 || !TEST_true(find_session_cb_cnt
== 0)
5249 * If no old style callback then below should be 0
5252 || !TEST_true(psk_client_cb_cnt
== idx
)
5253 || !TEST_true(psk_server_cb_cnt
== 0))
5256 if (!TEST_true(use_session_cb_cnt
== 0)
5257 || !TEST_true(find_session_cb_cnt
== 0)
5258 || !TEST_true(psk_client_cb_cnt
== 1)
5259 || !TEST_true(psk_server_cb_cnt
== 0))
5263 shutdown_ssl_connection(serverssl
, clientssl
);
5264 serverssl
= clientssl
= NULL
;
5265 use_session_cb_cnt
= psk_client_cb_cnt
= 0;
5268 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5272 /* Create the PSK */
5273 cipher
= SSL_CIPHER_find(clientssl
, TLS13_AES_128_GCM_SHA256_BYTES
);
5274 clientpsk
= SSL_SESSION_new();
5275 if (!TEST_ptr(clientpsk
)
5276 || !TEST_ptr(cipher
)
5277 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk
, key
,
5279 || !TEST_true(SSL_SESSION_set_cipher(clientpsk
, cipher
))
5280 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk
,
5282 || !TEST_true(SSL_SESSION_up_ref(clientpsk
)))
5284 serverpsk
= clientpsk
;
5286 /* Check we can create a connection and the PSK is used */
5287 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
5288 || !TEST_true(SSL_session_reused(clientssl
))
5289 || !TEST_true(SSL_session_reused(serverssl
)))
5292 if (idx
== 0 || idx
== 1) {
5293 if (!TEST_true(use_session_cb_cnt
== 1)
5294 || !TEST_true(find_session_cb_cnt
== 1)
5295 || !TEST_true(psk_client_cb_cnt
== 0)
5296 || !TEST_true(psk_server_cb_cnt
== 0))
5299 if (!TEST_true(use_session_cb_cnt
== 0)
5300 || !TEST_true(find_session_cb_cnt
== 0)
5301 || !TEST_true(psk_client_cb_cnt
== 1)
5302 || !TEST_true(psk_server_cb_cnt
== 1))
5306 shutdown_ssl_connection(serverssl
, clientssl
);
5307 serverssl
= clientssl
= NULL
;
5308 use_session_cb_cnt
= find_session_cb_cnt
= 0;
5309 psk_client_cb_cnt
= psk_server_cb_cnt
= 0;
5311 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5316 #if defined(OPENSSL_NO_EC)
5317 if (!TEST_true(SSL_set1_groups_list(serverssl
, "ffdhe3072")))
5320 if (!TEST_true(SSL_set1_groups_list(serverssl
, "P-256")))
5325 * Check we can create a connection, the PSK is used and the callbacks are
5328 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
5329 || !TEST_true(SSL_session_reused(clientssl
))
5330 || !TEST_true(SSL_session_reused(serverssl
)))
5333 if (idx
== 0 || idx
== 1) {
5334 if (!TEST_true(use_session_cb_cnt
== 2)
5335 || !TEST_true(find_session_cb_cnt
== 2)
5336 || !TEST_true(psk_client_cb_cnt
== 0)
5337 || !TEST_true(psk_server_cb_cnt
== 0))
5340 if (!TEST_true(use_session_cb_cnt
== 0)
5341 || !TEST_true(find_session_cb_cnt
== 0)
5342 || !TEST_true(psk_client_cb_cnt
== 2)
5343 || !TEST_true(psk_server_cb_cnt
== 2))
5347 shutdown_ssl_connection(serverssl
, clientssl
);
5348 serverssl
= clientssl
= NULL
;
5349 use_session_cb_cnt
= find_session_cb_cnt
= 0;
5350 psk_client_cb_cnt
= psk_server_cb_cnt
= 0;
5354 * Check that if the server rejects the PSK we can still connect, but with
5357 srvid
= "Dummy Identity";
5358 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5360 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5362 || !TEST_false(SSL_session_reused(clientssl
))
5363 || !TEST_false(SSL_session_reused(serverssl
)))
5366 if (idx
== 0 || idx
== 1) {
5367 if (!TEST_true(use_session_cb_cnt
== 1)
5368 || !TEST_true(find_session_cb_cnt
== 1)
5369 || !TEST_true(psk_client_cb_cnt
== 0)
5371 * If no old style callback then below should be 0
5374 || !TEST_true(psk_server_cb_cnt
== idx
))
5377 if (!TEST_true(use_session_cb_cnt
== 0)
5378 || !TEST_true(find_session_cb_cnt
== 0)
5379 || !TEST_true(psk_client_cb_cnt
== 1)
5380 || !TEST_true(psk_server_cb_cnt
== 1))
5384 shutdown_ssl_connection(serverssl
, clientssl
);
5385 serverssl
= clientssl
= NULL
;
5390 SSL_SESSION_free(clientpsk
);
5391 SSL_SESSION_free(serverpsk
);
5392 clientpsk
= serverpsk
= NULL
;
5393 SSL_free(serverssl
);
5394 SSL_free(clientssl
);
5400 static unsigned char cookie_magic_value
[] = "cookie magic";
5402 static int generate_cookie_callback(SSL
*ssl
, unsigned char *cookie
,
5403 unsigned int *cookie_len
)
5406 * Not suitable as a real cookie generation function but good enough for
5409 memcpy(cookie
, cookie_magic_value
, sizeof(cookie_magic_value
) - 1);
5410 *cookie_len
= sizeof(cookie_magic_value
) - 1;
5415 static int verify_cookie_callback(SSL
*ssl
, const unsigned char *cookie
,
5416 unsigned int cookie_len
)
5418 if (cookie_len
== sizeof(cookie_magic_value
) - 1
5419 && memcmp(cookie
, cookie_magic_value
, cookie_len
) == 0)
5425 static int generate_stateless_cookie_callback(SSL
*ssl
, unsigned char *cookie
,
5429 int res
= generate_cookie_callback(ssl
, cookie
, &temp
);
5434 static int verify_stateless_cookie_callback(SSL
*ssl
, const unsigned char *cookie
,
5437 return verify_cookie_callback(ssl
, cookie
, cookie_len
);
5440 static int test_stateless(void)
5442 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
5443 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
5446 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5447 TLS_client_method(), TLS1_VERSION
, 0,
5448 &sctx
, &cctx
, cert
, privkey
)))
5451 /* The arrival of CCS messages can confuse the test */
5452 SSL_CTX_clear_options(cctx
, SSL_OP_ENABLE_MIDDLEBOX_COMPAT
);
5454 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5456 /* Send the first ClientHello */
5457 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5458 SSL_ERROR_WANT_READ
))
5460 * This should fail with a -1 return because we have no callbacks
5463 || !TEST_int_eq(SSL_stateless(serverssl
), -1))
5466 /* Fatal error so abandon the connection from this client */
5467 SSL_free(clientssl
);
5470 /* Set up the cookie generation and verification callbacks */
5471 SSL_CTX_set_stateless_cookie_generate_cb(sctx
, generate_stateless_cookie_callback
);
5472 SSL_CTX_set_stateless_cookie_verify_cb(sctx
, verify_stateless_cookie_callback
);
5475 * Create a new connection from the client (we can reuse the server SSL
5478 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5480 /* Send the first ClientHello */
5481 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5482 SSL_ERROR_WANT_READ
))
5483 /* This should fail because there is no cookie */
5484 || !TEST_int_eq(SSL_stateless(serverssl
), 0))
5487 /* Abandon the connection from this client */
5488 SSL_free(clientssl
);
5492 * Now create a connection from a new client but with the same server SSL
5495 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5497 /* Send the first ClientHello */
5498 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5499 SSL_ERROR_WANT_READ
))
5500 /* This should fail because there is no cookie */
5501 || !TEST_int_eq(SSL_stateless(serverssl
), 0)
5502 /* Send the second ClientHello */
5503 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
5504 SSL_ERROR_WANT_READ
))
5505 /* This should succeed because a cookie is now present */
5506 || !TEST_int_eq(SSL_stateless(serverssl
), 1)
5507 /* Complete the connection */
5508 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5512 shutdown_ssl_connection(serverssl
, clientssl
);
5513 serverssl
= clientssl
= NULL
;
5517 SSL_free(serverssl
);
5518 SSL_free(clientssl
);
5524 #endif /* OSSL_NO_USABLE_TLS1_3 */
5526 static int clntaddoldcb
= 0;
5527 static int clntparseoldcb
= 0;
5528 static int srvaddoldcb
= 0;
5529 static int srvparseoldcb
= 0;
5530 static int clntaddnewcb
= 0;
5531 static int clntparsenewcb
= 0;
5532 static int srvaddnewcb
= 0;
5533 static int srvparsenewcb
= 0;
5534 static int snicb
= 0;
5536 #define TEST_EXT_TYPE1 0xff00
5538 static int old_add_cb(SSL
*s
, unsigned int ext_type
, const unsigned char **out
,
5539 size_t *outlen
, int *al
, void *add_arg
)
5541 int *server
= (int *)add_arg
;
5542 unsigned char *data
;
5544 if (SSL_is_server(s
))
5549 if (*server
!= SSL_is_server(s
)
5550 || (data
= OPENSSL_malloc(sizeof(*data
))) == NULL
)
5555 *outlen
= sizeof(char);
5559 static void old_free_cb(SSL
*s
, unsigned int ext_type
, const unsigned char *out
,
5562 OPENSSL_free((unsigned char *)out
);
5565 static int old_parse_cb(SSL
*s
, unsigned int ext_type
, const unsigned char *in
,
5566 size_t inlen
, int *al
, void *parse_arg
)
5568 int *server
= (int *)parse_arg
;
5570 if (SSL_is_server(s
))
5575 if (*server
!= SSL_is_server(s
)
5576 || inlen
!= sizeof(char)
5583 static int new_add_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5584 const unsigned char **out
, size_t *outlen
, X509
*x
,
5585 size_t chainidx
, int *al
, void *add_arg
)
5587 int *server
= (int *)add_arg
;
5588 unsigned char *data
;
5590 if (SSL_is_server(s
))
5595 if (*server
!= SSL_is_server(s
)
5596 || (data
= OPENSSL_malloc(sizeof(*data
))) == NULL
)
5601 *outlen
= sizeof(*data
);
5605 static void new_free_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5606 const unsigned char *out
, void *add_arg
)
5608 OPENSSL_free((unsigned char *)out
);
5611 static int new_parse_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
5612 const unsigned char *in
, size_t inlen
, X509
*x
,
5613 size_t chainidx
, int *al
, void *parse_arg
)
5615 int *server
= (int *)parse_arg
;
5617 if (SSL_is_server(s
))
5622 if (*server
!= SSL_is_server(s
)
5623 || inlen
!= sizeof(char) || *in
!= 1)
5629 static int sni_cb(SSL
*s
, int *al
, void *arg
)
5631 SSL_CTX
*ctx
= (SSL_CTX
*)arg
;
5633 if (SSL_set_SSL_CTX(s
, ctx
) == NULL
) {
5634 *al
= SSL_AD_INTERNAL_ERROR
;
5635 return SSL_TLSEXT_ERR_ALERT_FATAL
;
5638 return SSL_TLSEXT_ERR_OK
;
5641 static int verify_cb(int preverify_ok
, X509_STORE_CTX
*x509_ctx
)
5647 * Custom call back tests.
5648 * Test 0: Old style callbacks in TLSv1.2
5649 * Test 1: New style callbacks in TLSv1.2
5650 * Test 2: New style callbacks in TLSv1.2 with SNI
5651 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5652 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5653 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5655 static int test_custom_exts(int tst
)
5657 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
5658 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5660 static int server
= 1;
5661 static int client
= 0;
5662 SSL_SESSION
*sess
= NULL
;
5663 unsigned int context
;
5665 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5666 /* Skip tests for TLSv1.2 and below in this case */
5671 /* Reset callback counters */
5672 clntaddoldcb
= clntparseoldcb
= srvaddoldcb
= srvparseoldcb
= 0;
5673 clntaddnewcb
= clntparsenewcb
= srvaddnewcb
= srvparsenewcb
= 0;
5676 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5677 TLS_client_method(), TLS1_VERSION
, 0,
5678 &sctx
, &cctx
, cert
, privkey
)))
5682 && !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(), NULL
,
5684 &sctx2
, NULL
, cert
, privkey
)))
5689 SSL_CTX_set_options(cctx
, SSL_OP_NO_TLSv1_3
);
5690 SSL_CTX_set_options(sctx
, SSL_OP_NO_TLSv1_3
);
5692 SSL_CTX_set_options(sctx2
, SSL_OP_NO_TLSv1_3
);
5696 context
= SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5697 | SSL_EXT_TLS1_3_CERTIFICATE
;
5698 SSL_CTX_set_verify(sctx
,
5699 SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
,
5701 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx
, cert
,
5702 SSL_FILETYPE_PEM
), 1)
5703 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx
, privkey
,
5704 SSL_FILETYPE_PEM
), 1)
5705 || !TEST_int_eq(SSL_CTX_check_private_key(cctx
), 1))
5707 } else if (tst
== 4) {
5708 context
= SSL_EXT_CLIENT_HELLO
5709 | SSL_EXT_TLS1_2_SERVER_HELLO
5710 | SSL_EXT_TLS1_3_SERVER_HELLO
5711 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5712 | SSL_EXT_TLS1_3_CERTIFICATE
5713 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET
;
5715 context
= SSL_EXT_CLIENT_HELLO
5716 | SSL_EXT_TLS1_2_SERVER_HELLO
5717 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
;
5720 /* Create a client side custom extension */
5722 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx
, TEST_EXT_TYPE1
,
5723 old_add_cb
, old_free_cb
,
5724 &client
, old_parse_cb
,
5728 if (!TEST_true(SSL_CTX_add_custom_ext(cctx
, TEST_EXT_TYPE1
, context
,
5729 new_add_cb
, new_free_cb
,
5730 &client
, new_parse_cb
, &client
)))
5734 /* Should not be able to add duplicates */
5735 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx
, TEST_EXT_TYPE1
,
5736 old_add_cb
, old_free_cb
,
5737 &client
, old_parse_cb
,
5739 || !TEST_false(SSL_CTX_add_custom_ext(cctx
, TEST_EXT_TYPE1
,
5740 context
, new_add_cb
,
5741 new_free_cb
, &client
,
5742 new_parse_cb
, &client
)))
5745 /* Create a server side custom extension */
5747 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx
, TEST_EXT_TYPE1
,
5748 old_add_cb
, old_free_cb
,
5749 &server
, old_parse_cb
,
5753 if (!TEST_true(SSL_CTX_add_custom_ext(sctx
, TEST_EXT_TYPE1
, context
,
5754 new_add_cb
, new_free_cb
,
5755 &server
, new_parse_cb
, &server
)))
5758 && !TEST_true(SSL_CTX_add_custom_ext(sctx2
, TEST_EXT_TYPE1
,
5759 context
, new_add_cb
,
5760 new_free_cb
, &server
,
5761 new_parse_cb
, &server
)))
5765 /* Should not be able to add duplicates */
5766 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx
, TEST_EXT_TYPE1
,
5767 old_add_cb
, old_free_cb
,
5768 &server
, old_parse_cb
,
5770 || !TEST_false(SSL_CTX_add_custom_ext(sctx
, TEST_EXT_TYPE1
,
5771 context
, new_add_cb
,
5772 new_free_cb
, &server
,
5773 new_parse_cb
, &server
)))
5778 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
, sni_cb
))
5779 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx
, sctx2
)))
5783 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
5784 &clientssl
, NULL
, NULL
))
5785 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5790 if (clntaddoldcb
!= 1
5791 || clntparseoldcb
!= 1
5793 || srvparseoldcb
!= 1)
5795 } else if (tst
== 1 || tst
== 2 || tst
== 3) {
5796 if (clntaddnewcb
!= 1
5797 || clntparsenewcb
!= 1
5799 || srvparsenewcb
!= 1
5800 || (tst
!= 2 && snicb
!= 0)
5801 || (tst
== 2 && snicb
!= 1))
5803 } else if (tst
== 5) {
5804 if (clntaddnewcb
!= 1
5805 || clntparsenewcb
!= 1
5807 || srvparsenewcb
!= 1)
5810 /* In this case there 2 NewSessionTicket messages created */
5811 if (clntaddnewcb
!= 1
5812 || clntparsenewcb
!= 5
5814 || srvparsenewcb
!= 1)
5818 sess
= SSL_get1_session(clientssl
);
5819 SSL_shutdown(clientssl
);
5820 SSL_shutdown(serverssl
);
5821 SSL_free(serverssl
);
5822 SSL_free(clientssl
);
5823 serverssl
= clientssl
= NULL
;
5825 if (tst
== 3 || tst
== 5) {
5826 /* We don't bother with the resumption aspects for these tests */
5831 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
5833 || !TEST_true(SSL_set_session(clientssl
, sess
))
5834 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
5839 * For a resumed session we expect to add the ClientHello extension. For the
5840 * old style callbacks we ignore it on the server side because they set
5841 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5845 if (clntaddoldcb
!= 2
5846 || clntparseoldcb
!= 1
5848 || srvparseoldcb
!= 1)
5850 } else if (tst
== 1 || tst
== 2 || tst
== 3) {
5851 if (clntaddnewcb
!= 2
5852 || clntparsenewcb
!= 2
5854 || srvparsenewcb
!= 2)
5858 * No Certificate message extensions in the resumption handshake,
5859 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5861 if (clntaddnewcb
!= 2
5862 || clntparsenewcb
!= 8
5864 || srvparsenewcb
!= 2)
5871 SSL_SESSION_free(sess
);
5872 SSL_free(serverssl
);
5873 SSL_free(clientssl
);
5874 SSL_CTX_free(sctx2
);
5881 * Test loading of serverinfo data in various formats. test_sslmessages actually
5882 * tests to make sure the extensions appear in the handshake
5884 static int test_serverinfo(int tst
)
5886 unsigned int version
;
5887 unsigned char *sibuf
;
5889 int ret
, expected
, testresult
= 0;
5892 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method());
5896 if ((tst
& 0x01) == 0x01)
5897 version
= SSL_SERVERINFOV2
;
5899 version
= SSL_SERVERINFOV1
;
5901 if ((tst
& 0x02) == 0x02) {
5902 sibuf
= serverinfov2
;
5903 sibuflen
= sizeof(serverinfov2
);
5904 expected
= (version
== SSL_SERVERINFOV2
);
5906 sibuf
= serverinfov1
;
5907 sibuflen
= sizeof(serverinfov1
);
5908 expected
= (version
== SSL_SERVERINFOV1
);
5911 if ((tst
& 0x04) == 0x04) {
5912 ret
= SSL_CTX_use_serverinfo_ex(ctx
, version
, sibuf
, sibuflen
);
5914 ret
= SSL_CTX_use_serverinfo(ctx
, sibuf
, sibuflen
);
5917 * The version variable is irrelevant in this case - it's what is in the
5918 * buffer that matters
5920 if ((tst
& 0x02) == 0x02)
5926 if (!TEST_true(ret
== expected
))
5938 * Test that SSL_export_keying_material() produces expected results. There are
5939 * no test vectors so all we do is test that both sides of the communication
5940 * produce the same results for different protocol versions.
5942 #define SMALL_LABEL_LEN 10
5943 #define LONG_LABEL_LEN 249
5944 static int test_export_key_mat(int tst
)
5947 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
5948 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
5949 const char label
[LONG_LABEL_LEN
+ 1] = "test label";
5950 const unsigned char context
[] = "context";
5951 const unsigned char *emptycontext
= NULL
;
5952 unsigned char ckeymat1
[80], ckeymat2
[80], ckeymat3
[80];
5953 unsigned char skeymat1
[80], skeymat2
[80], skeymat3
[80];
5955 const int protocols
[] = {
5964 #ifdef OPENSSL_NO_TLS1
5968 #ifdef OPENSSL_NO_TLS1_1
5972 if (is_fips
&& (tst
== 0 || tst
== 1))
5974 #ifdef OPENSSL_NO_TLS1_2
5978 #ifdef OSSL_NO_USABLE_TLS1_3
5982 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
5983 TLS_client_method(), TLS1_VERSION
, 0,
5984 &sctx
, &cctx
, cert
, privkey
)))
5987 OPENSSL_assert(tst
>= 0 && (size_t)tst
< OSSL_NELEM(protocols
));
5988 SSL_CTX_set_max_proto_version(cctx
, protocols
[tst
]);
5989 SSL_CTX_set_min_proto_version(cctx
, protocols
[tst
]);
5990 if ((protocols
[tst
] < TLS1_2_VERSION
) &&
5991 (!SSL_CTX_set_cipher_list(cctx
, "DEFAULT:@SECLEVEL=0")
5992 || !SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0")))
5995 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
6000 * Premature call of SSL_export_keying_material should just fail.
6002 if (!TEST_int_le(SSL_export_keying_material(clientssl
, ckeymat1
,
6003 sizeof(ckeymat1
), label
,
6004 SMALL_LABEL_LEN
+ 1, context
,
6005 sizeof(context
) - 1, 1), 0))
6008 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
6014 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6017 if (!TEST_int_le(SSL_export_keying_material(clientssl
, ckeymat1
,
6018 sizeof(ckeymat1
), label
,
6019 LONG_LABEL_LEN
+ 1, context
,
6020 sizeof(context
) - 1, 1), 0))
6025 } else if (tst
== 4) {
6026 labellen
= LONG_LABEL_LEN
;
6028 labellen
= SMALL_LABEL_LEN
;
6031 if (!TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat1
,
6032 sizeof(ckeymat1
), label
,
6034 sizeof(context
) - 1, 1), 1)
6035 || !TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat2
,
6036 sizeof(ckeymat2
), label
,
6040 || !TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat3
,
6041 sizeof(ckeymat3
), label
,
6044 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat1
,
6045 sizeof(skeymat1
), label
,
6048 sizeof(context
) -1, 1),
6050 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat2
,
6051 sizeof(skeymat2
), label
,
6055 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat3
,
6056 sizeof(skeymat3
), label
,
6060 * Check that both sides created the same key material with the
6063 || !TEST_mem_eq(ckeymat1
, sizeof(ckeymat1
), skeymat1
,
6066 * Check that both sides created the same key material with an
6069 || !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), skeymat2
,
6072 * Check that both sides created the same key material without a
6075 || !TEST_mem_eq(ckeymat3
, sizeof(ckeymat3
), skeymat3
,
6077 /* Different contexts should produce different results */
6078 || !TEST_mem_ne(ckeymat1
, sizeof(ckeymat1
), ckeymat2
,
6083 * Check that an empty context and no context produce different results in
6084 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6086 if ((tst
< 3 && !TEST_mem_ne(ckeymat2
, sizeof(ckeymat2
), ckeymat3
,
6088 || (tst
>= 3 && !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), ckeymat3
,
6095 SSL_free(serverssl
);
6096 SSL_free(clientssl
);
6097 SSL_CTX_free(sctx2
);
6104 #ifndef OSSL_NO_USABLE_TLS1_3
6106 * Test that SSL_export_keying_material_early() produces expected
6107 * results. There are no test vectors so all we do is test that both
6108 * sides of the communication produce the same results for different
6109 * protocol versions.
6111 static int test_export_key_mat_early(int idx
)
6113 static const char label
[] = "test label";
6114 static const unsigned char context
[] = "context";
6116 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6117 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6118 SSL_SESSION
*sess
= NULL
;
6119 const unsigned char *emptycontext
= NULL
;
6120 unsigned char ckeymat1
[80], ckeymat2
[80];
6121 unsigned char skeymat1
[80], skeymat2
[80];
6122 unsigned char buf
[1];
6123 size_t readbytes
, written
;
6125 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
, &serverssl
,
6129 /* Here writing 0 length early data is enough. */
6130 if (!TEST_true(SSL_write_early_data(clientssl
, NULL
, 0, &written
))
6131 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
6133 SSL_READ_EARLY_DATA_ERROR
)
6134 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
6135 SSL_EARLY_DATA_ACCEPTED
))
6138 if (!TEST_int_eq(SSL_export_keying_material_early(
6139 clientssl
, ckeymat1
, sizeof(ckeymat1
), label
,
6140 sizeof(label
) - 1, context
, sizeof(context
) - 1), 1)
6141 || !TEST_int_eq(SSL_export_keying_material_early(
6142 clientssl
, ckeymat2
, sizeof(ckeymat2
), label
,
6143 sizeof(label
) - 1, emptycontext
, 0), 1)
6144 || !TEST_int_eq(SSL_export_keying_material_early(
6145 serverssl
, skeymat1
, sizeof(skeymat1
), label
,
6146 sizeof(label
) - 1, context
, sizeof(context
) - 1), 1)
6147 || !TEST_int_eq(SSL_export_keying_material_early(
6148 serverssl
, skeymat2
, sizeof(skeymat2
), label
,
6149 sizeof(label
) - 1, emptycontext
, 0), 1)
6151 * Check that both sides created the same key material with the
6154 || !TEST_mem_eq(ckeymat1
, sizeof(ckeymat1
), skeymat1
,
6157 * Check that both sides created the same key material with an
6160 || !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), skeymat2
,
6162 /* Different contexts should produce different results */
6163 || !TEST_mem_ne(ckeymat1
, sizeof(ckeymat1
), ckeymat2
,
6170 SSL_SESSION_free(sess
);
6171 SSL_SESSION_free(clientpsk
);
6172 SSL_SESSION_free(serverpsk
);
6173 clientpsk
= serverpsk
= NULL
;
6174 SSL_free(serverssl
);
6175 SSL_free(clientssl
);
6182 #define NUM_KEY_UPDATE_MESSAGES 40
6186 static int test_key_update(void)
6188 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6189 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6190 int testresult
= 0, i
, j
;
6192 static char *mess
= "A test message";
6194 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6195 TLS_client_method(),
6198 &sctx
, &cctx
, cert
, privkey
))
6199 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6201 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6205 for (j
= 0; j
< 2; j
++) {
6206 /* Send lots of KeyUpdate messages */
6207 for (i
= 0; i
< NUM_KEY_UPDATE_MESSAGES
; i
++) {
6208 if (!TEST_true(SSL_key_update(clientssl
,
6210 ? SSL_KEY_UPDATE_NOT_REQUESTED
6211 : SSL_KEY_UPDATE_REQUESTED
))
6212 || !TEST_true(SSL_do_handshake(clientssl
)))
6216 /* Check that sending and receiving app data is ok */
6217 if (!TEST_int_eq(SSL_write(clientssl
, mess
, strlen(mess
)), strlen(mess
))
6218 || !TEST_int_eq(SSL_read(serverssl
, buf
, sizeof(buf
)),
6222 if (!TEST_int_eq(SSL_write(serverssl
, mess
, strlen(mess
)), strlen(mess
))
6223 || !TEST_int_eq(SSL_read(clientssl
, buf
, sizeof(buf
)),
6231 SSL_free(serverssl
);
6232 SSL_free(clientssl
);
6240 * Test we can handle a KeyUpdate (update requested) message while
6241 * write data is pending in peer.
6242 * Test 0: Client sends KeyUpdate while Server is writing
6243 * Test 1: Server sends KeyUpdate while Client is writing
6245 static int test_key_update_peer_in_write(int tst
)
6247 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6248 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6251 static char *mess
= "A test message";
6252 BIO
*bretry
= BIO_new(bio_s_always_retry());
6254 SSL
*peerupdate
= NULL
, *peerwrite
= NULL
;
6256 if (!TEST_ptr(bretry
)
6257 || !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6258 TLS_client_method(),
6261 &sctx
, &cctx
, cert
, privkey
))
6262 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6264 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6268 peerupdate
= tst
== 0 ? clientssl
: serverssl
;
6269 peerwrite
= tst
== 0 ? serverssl
: clientssl
;
6271 if (!TEST_true(SSL_key_update(peerupdate
, SSL_KEY_UPDATE_REQUESTED
))
6272 || !TEST_int_eq(SSL_do_handshake(peerupdate
), 1))
6275 /* Swap the writing endpoint's write BIO to force a retry */
6276 tmp
= SSL_get_wbio(peerwrite
);
6277 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
6281 SSL_set0_wbio(peerwrite
, bretry
);
6284 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6285 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), -1)
6286 || !TEST_int_eq(SSL_get_error(peerwrite
, 0), SSL_ERROR_WANT_WRITE
))
6289 /* Reinstate the original writing endpoint's write BIO */
6290 SSL_set0_wbio(peerwrite
, tmp
);
6293 /* Now read some data - we will read the key update */
6294 if (!TEST_int_eq(SSL_read(peerwrite
, buf
, sizeof(buf
)), -1)
6295 || !TEST_int_eq(SSL_get_error(peerwrite
, 0), SSL_ERROR_WANT_READ
))
6299 * Complete the write we started previously and read it from the other
6302 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), strlen(mess
))
6303 || !TEST_int_eq(SSL_read(peerupdate
, buf
, sizeof(buf
)), strlen(mess
)))
6306 /* Write more data to ensure we send the KeyUpdate message back */
6307 if (!TEST_int_eq(SSL_write(peerwrite
, mess
, strlen(mess
)), strlen(mess
))
6308 || !TEST_int_eq(SSL_read(peerupdate
, buf
, sizeof(buf
)), strlen(mess
)))
6314 SSL_free(serverssl
);
6315 SSL_free(clientssl
);
6325 * Test we can handle a KeyUpdate (update requested) message while
6326 * peer read data is pending after peer accepted keyupdate(the msg header
6327 * had been read 5 bytes).
6328 * Test 0: Client sends KeyUpdate while Server is reading
6329 * Test 1: Server sends KeyUpdate while Client is reading
6331 static int test_key_update_peer_in_read(int tst
)
6333 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6334 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6336 char prbuf
[515], lwbuf
[515] = {0};
6337 static char *mess
= "A test message";
6338 BIO
*lbio
= NULL
, *pbio
= NULL
;
6339 SSL
*local
= NULL
, *peer
= NULL
;
6341 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6342 TLS_client_method(),
6345 &sctx
, &cctx
, cert
, privkey
))
6346 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6348 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6352 local
= tst
== 0 ? clientssl
: serverssl
;
6353 peer
= tst
== 0 ? serverssl
: clientssl
;
6355 if (!TEST_int_eq(BIO_new_bio_pair(&lbio
, 512, &pbio
, 512), 1))
6358 SSL_set_bio(local
, lbio
, lbio
);
6359 SSL_set_bio(peer
, pbio
, pbio
);
6362 * we first write keyupdate msg then appdata in local
6363 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6364 * lwbuf app data msg size + key updata msg size > 512(the size of
6365 * the bio pair buffer)
6367 if (!TEST_true(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6368 || !TEST_int_eq(SSL_write(local
, lwbuf
, sizeof(lwbuf
)), -1)
6369 || !TEST_int_eq(SSL_get_error(local
, -1), SSL_ERROR_WANT_WRITE
))
6373 * first read keyupdate msg in peer in peer
6374 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6376 if (!TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), -1)
6377 || !TEST_int_eq(SSL_get_error(peer
, -1), SSL_ERROR_WANT_READ
))
6380 /* Now write some data in peer - we will write the key update */
6381 if (!TEST_int_eq(SSL_write(peer
, mess
, strlen(mess
)), strlen(mess
)))
6385 * write data in local previously that we will complete
6386 * read data in peer previously that we will complete
6388 if (!TEST_int_eq(SSL_write(local
, lwbuf
, sizeof(lwbuf
)), sizeof(lwbuf
))
6389 || !TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), sizeof(prbuf
)))
6392 /* check that sending and receiving appdata ok */
6393 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
))
6394 || !TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), strlen(mess
)))
6400 SSL_free(serverssl
);
6401 SSL_free(clientssl
);
6409 * Test we can't send a KeyUpdate (update requested) message while
6410 * local write data is pending.
6411 * Test 0: Client sends KeyUpdate while Client is writing
6412 * Test 1: Server sends KeyUpdate while Server is writing
6414 static int test_key_update_local_in_write(int tst
)
6416 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6417 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6420 static char *mess
= "A test message";
6421 BIO
*bretry
= BIO_new(bio_s_always_retry());
6423 SSL
*local
= NULL
, *peer
= NULL
;
6425 if (!TEST_ptr(bretry
)
6426 || !TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6427 TLS_client_method(),
6430 &sctx
, &cctx
, cert
, privkey
))
6431 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6433 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6437 local
= tst
== 0 ? clientssl
: serverssl
;
6438 peer
= tst
== 0 ? serverssl
: clientssl
;
6440 /* Swap the writing endpoint's write BIO to force a retry */
6441 tmp
= SSL_get_wbio(local
);
6442 if (!TEST_ptr(tmp
) || !TEST_true(BIO_up_ref(tmp
))) {
6446 SSL_set0_wbio(local
, bretry
);
6449 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6450 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), -1)
6451 || !TEST_int_eq(SSL_get_error(local
, -1), SSL_ERROR_WANT_WRITE
))
6454 /* Reinstate the original writing endpoint's write BIO */
6455 SSL_set0_wbio(local
, tmp
);
6458 /* SSL_key_update will fail, because writing in local*/
6459 if (!TEST_false(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6460 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY
))
6464 /* write data in local previously that we will complete */
6465 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
)))
6468 /* SSL_key_update will succeed because there is no pending write data */
6469 if (!TEST_true(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6470 || !TEST_int_eq(SSL_do_handshake(local
), 1))
6474 * we write some appdata in local
6475 * read data in peer - we will read the keyupdate msg
6477 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
))
6478 || !TEST_int_eq(SSL_read(peer
, buf
, sizeof(buf
)), strlen(mess
)))
6481 /* Write more peer more data to ensure we send the keyupdate message back */
6482 if (!TEST_int_eq(SSL_write(peer
, mess
, strlen(mess
)), strlen(mess
))
6483 || !TEST_int_eq(SSL_read(local
, buf
, sizeof(buf
)), strlen(mess
)))
6489 SSL_free(serverssl
);
6490 SSL_free(clientssl
);
6500 * Test we can handle a KeyUpdate (update requested) message while
6501 * local read data is pending(the msg header had been read 5 bytes).
6502 * Test 0: Client sends KeyUpdate while Client is reading
6503 * Test 1: Server sends KeyUpdate while Server is reading
6505 static int test_key_update_local_in_read(int tst
)
6507 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6508 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6510 char lrbuf
[515], pwbuf
[515] = {0}, prbuf
[20];
6511 static char *mess
= "A test message";
6512 BIO
*lbio
= NULL
, *pbio
= NULL
;
6513 SSL
*local
= NULL
, *peer
= NULL
;
6515 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6516 TLS_client_method(),
6519 &sctx
, &cctx
, cert
, privkey
))
6520 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6522 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6526 local
= tst
== 0 ? clientssl
: serverssl
;
6527 peer
= tst
== 0 ? serverssl
: clientssl
;
6529 if (!TEST_int_eq(BIO_new_bio_pair(&lbio
, 512, &pbio
, 512), 1))
6532 SSL_set_bio(local
, lbio
, lbio
);
6533 SSL_set_bio(peer
, pbio
, pbio
);
6535 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6536 if (!TEST_int_eq(SSL_write(peer
, pwbuf
, sizeof(pwbuf
)), -1)
6537 || !TEST_int_eq(SSL_get_error(peer
, -1), SSL_ERROR_WANT_WRITE
))
6540 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6541 if (!TEST_int_eq(SSL_read(local
, lrbuf
, sizeof(lrbuf
)), -1)
6542 || !TEST_int_eq(SSL_get_error(local
, -1), SSL_ERROR_WANT_READ
))
6545 /* SSL_do_handshake will send keyupdate msg */
6546 if (!TEST_true(SSL_key_update(local
, SSL_KEY_UPDATE_REQUESTED
))
6547 || !TEST_int_eq(SSL_do_handshake(local
), 1))
6551 * write data in peer previously that we will complete
6552 * read data in local previously that we will complete
6554 if (!TEST_int_eq(SSL_write(peer
, pwbuf
, sizeof(pwbuf
)), sizeof(pwbuf
))
6555 || !TEST_int_eq(SSL_read(local
, lrbuf
, sizeof(lrbuf
)), sizeof(lrbuf
)))
6559 * write data in local
6560 * read data in peer - we will read the key update
6562 if (!TEST_int_eq(SSL_write(local
, mess
, strlen(mess
)), strlen(mess
))
6563 || !TEST_int_eq(SSL_read(peer
, prbuf
, sizeof(prbuf
)), strlen(mess
)))
6566 /* Write more peer data to ensure we send the keyupdate message back */
6567 if (!TEST_int_eq(SSL_write(peer
, mess
, strlen(mess
)), strlen(mess
))
6568 || !TEST_int_eq(SSL_read(local
, lrbuf
, sizeof(lrbuf
)), strlen(mess
)))
6574 SSL_free(serverssl
);
6575 SSL_free(clientssl
);
6581 #endif /* OSSL_NO_USABLE_TLS1_3 */
6583 static int test_ssl_clear(int idx
)
6585 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6586 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6589 #ifdef OPENSSL_NO_TLS1_2
6594 /* Create an initial connection */
6595 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6596 TLS_client_method(), TLS1_VERSION
, 0,
6597 &sctx
, &cctx
, cert
, privkey
))
6599 && !TEST_true(SSL_CTX_set_max_proto_version(cctx
,
6601 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
6602 &clientssl
, NULL
, NULL
))
6603 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6607 SSL_shutdown(clientssl
);
6608 SSL_shutdown(serverssl
);
6609 SSL_free(serverssl
);
6612 /* Clear clientssl - we're going to reuse the object */
6613 if (!TEST_true(SSL_clear(clientssl
)))
6616 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6618 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
6620 || !TEST_true(SSL_session_reused(clientssl
)))
6623 SSL_shutdown(clientssl
);
6624 SSL_shutdown(serverssl
);
6629 SSL_free(serverssl
);
6630 SSL_free(clientssl
);
6637 /* Parse CH and retrieve any MFL extension value if present */
6638 static int get_MFL_from_client_hello(BIO
*bio
, int *mfl_codemfl_code
)
6641 unsigned char *data
;
6642 PACKET pkt
, pkt2
, pkt3
;
6643 unsigned int MFL_code
= 0, type
= 0;
6645 if (!TEST_uint_gt(len
= BIO_get_mem_data(bio
, (char **) &data
), 0))
6648 memset(&pkt
, 0, sizeof(pkt
));
6649 memset(&pkt2
, 0, sizeof(pkt2
));
6650 memset(&pkt3
, 0, sizeof(pkt3
));
6652 if (!TEST_long_gt(len
, 0)
6653 || !TEST_true(PACKET_buf_init(&pkt
, data
, len
))
6654 /* Skip the record header */
6655 || !PACKET_forward(&pkt
, SSL3_RT_HEADER_LENGTH
)
6656 /* Skip the handshake message header */
6657 || !TEST_true(PACKET_forward(&pkt
, SSL3_HM_HEADER_LENGTH
))
6658 /* Skip client version and random */
6659 || !TEST_true(PACKET_forward(&pkt
, CLIENT_VERSION_LEN
6660 + SSL3_RANDOM_SIZE
))
6661 /* Skip session id */
6662 || !TEST_true(PACKET_get_length_prefixed_1(&pkt
, &pkt2
))
6664 || !TEST_true(PACKET_get_length_prefixed_2(&pkt
, &pkt2
))
6665 /* Skip compression */
6666 || !TEST_true(PACKET_get_length_prefixed_1(&pkt
, &pkt2
))
6667 /* Extensions len */
6668 || !TEST_true(PACKET_as_length_prefixed_2(&pkt
, &pkt2
)))
6671 /* Loop through all extensions */
6672 while (PACKET_remaining(&pkt2
)) {
6673 if (!TEST_true(PACKET_get_net_2(&pkt2
, &type
))
6674 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2
, &pkt3
)))
6677 if (type
== TLSEXT_TYPE_max_fragment_length
) {
6678 if (!TEST_uint_ne(PACKET_remaining(&pkt3
), 0)
6679 || !TEST_true(PACKET_get_1(&pkt3
, &MFL_code
)))
6682 *mfl_codemfl_code
= MFL_code
;
6691 /* Maximum-Fragment-Length TLS extension mode to test */
6692 static const unsigned char max_fragment_len_test
[] = {
6693 TLSEXT_max_fragment_length_512
,
6694 TLSEXT_max_fragment_length_1024
,
6695 TLSEXT_max_fragment_length_2048
,
6696 TLSEXT_max_fragment_length_4096
6699 static int test_max_fragment_len_ext(int idx_tst
)
6701 SSL_CTX
*ctx
= NULL
;
6703 int testresult
= 0, MFL_mode
= 0;
6706 if (!TEST_true(create_ssl_ctx_pair(libctx
, NULL
, TLS_client_method(),
6707 TLS1_VERSION
, 0, NULL
, &ctx
, NULL
,
6711 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6712 ctx
, max_fragment_len_test
[idx_tst
])))
6719 rbio
= BIO_new(BIO_s_mem());
6720 wbio
= BIO_new(BIO_s_mem());
6721 if (!TEST_ptr(rbio
)|| !TEST_ptr(wbio
)) {
6727 SSL_set_bio(con
, rbio
, wbio
);
6729 if (!TEST_int_le(SSL_connect(con
), 0)) {
6730 /* This shouldn't succeed because we don't have a server! */
6734 if (!TEST_true(get_MFL_from_client_hello(wbio
, &MFL_mode
)))
6735 /* no MFL in client hello */
6737 if (!TEST_true(max_fragment_len_test
[idx_tst
] == MFL_mode
))
6749 #ifndef OSSL_NO_USABLE_TLS1_3
6750 static int test_pha_key_update(void)
6752 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6753 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6756 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6757 TLS_client_method(), TLS1_VERSION
, 0,
6758 &sctx
, &cctx
, cert
, privkey
)))
6761 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx
, TLS1_3_VERSION
))
6762 || !TEST_true(SSL_CTX_set_max_proto_version(sctx
, TLS1_3_VERSION
))
6763 || !TEST_true(SSL_CTX_set_min_proto_version(cctx
, TLS1_3_VERSION
))
6764 || !TEST_true(SSL_CTX_set_max_proto_version(cctx
, TLS1_3_VERSION
)))
6767 SSL_CTX_set_post_handshake_auth(cctx
, 1);
6769 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
6773 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
6777 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
, NULL
);
6778 if (!TEST_true(SSL_verify_client_post_handshake(serverssl
)))
6781 if (!TEST_true(SSL_key_update(clientssl
, SSL_KEY_UPDATE_NOT_REQUESTED
)))
6784 /* Start handshake on the server */
6785 if (!TEST_int_eq(SSL_do_handshake(serverssl
), 1))
6788 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6789 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
6793 SSL_shutdown(clientssl
);
6794 SSL_shutdown(serverssl
);
6799 SSL_free(serverssl
);
6800 SSL_free(clientssl
);
6807 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6809 static SRP_VBASE
*vbase
= NULL
;
6811 static int ssl_srp_cb(SSL
*s
, int *ad
, void *arg
)
6813 int ret
= SSL3_AL_FATAL
;
6815 SRP_user_pwd
*user
= NULL
;
6817 username
= SSL_get_srp_username(s
);
6818 if (username
== NULL
) {
6819 *ad
= SSL_AD_INTERNAL_ERROR
;
6823 user
= SRP_VBASE_get1_by_user(vbase
, username
);
6825 *ad
= SSL_AD_INTERNAL_ERROR
;
6829 if (SSL_set_srp_server_param(s
, user
->N
, user
->g
, user
->s
, user
->v
,
6831 *ad
= SSL_AD_INTERNAL_ERROR
;
6838 SRP_user_pwd_free(user
);
6842 static int create_new_vfile(char *userid
, char *password
, const char *filename
)
6845 OPENSSL_STRING
*row
= OPENSSL_zalloc(sizeof(row
) * (DB_NUMBER
+ 1));
6848 BIO
*out
= NULL
, *dummy
= BIO_new_mem_buf("", 0);
6851 if (!TEST_ptr(dummy
) || !TEST_ptr(row
))
6854 gNid
= SRP_create_verifier_ex(userid
, password
, &row
[DB_srpsalt
],
6855 &row
[DB_srpverifier
], NULL
, NULL
, libctx
, NULL
);
6856 if (!TEST_ptr(gNid
))
6860 * The only way to create an empty TXT_DB is to provide a BIO with no data
6863 db
= TXT_DB_read(dummy
, DB_NUMBER
);
6867 out
= BIO_new_file(filename
, "w");
6871 row
[DB_srpid
] = OPENSSL_strdup(userid
);
6872 row
[DB_srptype
] = OPENSSL_strdup("V");
6873 row
[DB_srpgN
] = OPENSSL_strdup(gNid
);
6875 if (!TEST_ptr(row
[DB_srpid
])
6876 || !TEST_ptr(row
[DB_srptype
])
6877 || !TEST_ptr(row
[DB_srpgN
])
6878 || !TEST_true(TXT_DB_insert(db
, row
)))
6883 if (TXT_DB_write(out
, db
) <= 0)
6889 for (i
= 0; i
< DB_NUMBER
; i
++)
6890 OPENSSL_free(row
[i
]);
6900 static int create_new_vbase(char *userid
, char *password
)
6902 BIGNUM
*verifier
= NULL
, *salt
= NULL
;
6903 const SRP_gN
*lgN
= NULL
;
6904 SRP_user_pwd
*user_pwd
= NULL
;
6907 lgN
= SRP_get_default_gN(NULL
);
6911 if (!TEST_true(SRP_create_verifier_BN_ex(userid
, password
, &salt
, &verifier
,
6912 lgN
->N
, lgN
->g
, libctx
, NULL
)))
6915 user_pwd
= OPENSSL_zalloc(sizeof(*user_pwd
));
6916 if (!TEST_ptr(user_pwd
))
6919 user_pwd
->N
= lgN
->N
;
6920 user_pwd
->g
= lgN
->g
;
6921 user_pwd
->id
= OPENSSL_strdup(userid
);
6922 if (!TEST_ptr(user_pwd
->id
))
6925 user_pwd
->v
= verifier
;
6927 verifier
= salt
= NULL
;
6929 if (sk_SRP_user_pwd_insert(vbase
->users_pwd
, user_pwd
, 0) == 0)
6935 SRP_user_pwd_free(user_pwd
);
6945 * Test 0: Simple successful SRP connection, new vbase
6946 * Test 1: Connection failure due to bad password, new vbase
6947 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6948 * Test 3: Connection failure due to bad password, vbase loaded from existing
6950 * Test 4: Simple successful SRP connection, vbase loaded from new file
6951 * Test 5: Connection failure due to bad password, vbase loaded from new file
6953 static int test_srp(int tst
)
6955 char *userid
= "test", *password
= "password", *tstsrpfile
;
6956 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
6957 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
6958 int ret
, testresult
= 0;
6960 vbase
= SRP_VBASE_new(NULL
);
6961 if (!TEST_ptr(vbase
))
6964 if (tst
== 0 || tst
== 1) {
6965 if (!TEST_true(create_new_vbase(userid
, password
)))
6968 if (tst
== 4 || tst
== 5) {
6969 if (!TEST_true(create_new_vfile(userid
, password
, tmpfilename
)))
6971 tstsrpfile
= tmpfilename
;
6973 tstsrpfile
= srpvfile
;
6975 if (!TEST_int_eq(SRP_VBASE_init(vbase
, tstsrpfile
), SRP_NO_ERROR
))
6979 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
6980 TLS_client_method(), TLS1_VERSION
, 0,
6981 &sctx
, &cctx
, cert
, privkey
)))
6984 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx
, ssl_srp_cb
), 0)
6985 || !TEST_true(SSL_CTX_set_cipher_list(cctx
, "SRP-AES-128-CBC-SHA"))
6986 || !TEST_true(SSL_CTX_set_max_proto_version(sctx
, TLS1_2_VERSION
))
6987 || !TEST_true(SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
))
6988 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx
, userid
), 0))
6992 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx
, "badpass"), 0))
6995 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx
, password
), 0))
6999 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7003 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
7005 if (!TEST_true(tst
% 2 == 0))
7008 if (!TEST_true(tst
% 2 == 1))
7015 SRP_VBASE_free(vbase
);
7017 SSL_free(serverssl
);
7018 SSL_free(clientssl
);
7026 static int info_cb_failed
= 0;
7027 static int info_cb_offset
= 0;
7028 static int info_cb_this_state
= -1;
7030 static struct info_cb_states_st
{
7032 const char *statestr
;
7033 } info_cb_states
[][60] = {
7035 /* TLSv1.2 server followed by resumption */
7036 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7037 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7038 {SSL_CB_LOOP
, "TWSC"}, {SSL_CB_LOOP
, "TWSKE"}, {SSL_CB_LOOP
, "TWSD"},
7039 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWSD"}, {SSL_CB_LOOP
, "TRCKE"},
7040 {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWST"},
7041 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7042 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7043 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
7044 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"},
7045 {SSL_CB_LOOP
, "TWSH"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7046 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TRCCS"},
7047 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7048 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7050 /* TLSv1.2 client followed by resumption */
7051 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7052 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
7053 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TRSC"}, {SSL_CB_LOOP
, "TRSKE"},
7054 {SSL_CB_LOOP
, "TRSD"}, {SSL_CB_LOOP
, "TWCKE"}, {SSL_CB_LOOP
, "TWCCS"},
7055 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWFIN"},
7056 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"},
7057 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
7058 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7059 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
7060 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"},
7061 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7062 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7064 /* TLSv1.3 server followed by resumption */
7065 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7066 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7067 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWSC"},
7068 {SSL_CB_LOOP
, "TWSCV"}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TED"},
7069 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRFIN"},
7070 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_LOOP
, "TWST"},
7071 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
7072 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7073 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7074 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
7075 {SSL_CB_LOOP
, "TED"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"},
7076 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7077 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7079 /* TLSv1.3 client followed by resumption */
7080 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7081 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
7082 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"}, {SSL_CB_LOOP
, "TRSC"},
7083 {SSL_CB_LOOP
, "TRSCV"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"},
7084 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7085 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"},
7086 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"},
7087 {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
},
7088 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
7089 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
},
7090 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
7091 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
7092 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7093 {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "TRST"},
7094 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7096 /* TLSv1.3 server, early_data */
7097 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7098 {SSL_CB_LOOP
, "PINIT"}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
7099 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
7100 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7101 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TED"},
7102 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TWEOED"}, {SSL_CB_LOOP
, "TRFIN"},
7103 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_LOOP
, "TWST"},
7104 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7106 /* TLSv1.3 client, early_data */
7107 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT"},
7108 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TWCCS"},
7109 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
7110 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TED"},
7111 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
7112 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TPEDE"}, {SSL_CB_LOOP
, "TWEOED"},
7113 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
7114 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "SSLOK"}, {SSL_CB_LOOP
, "SSLOK"},
7115 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
7121 static void sslapi_info_callback(const SSL
*s
, int where
, int ret
)
7123 struct info_cb_states_st
*state
= info_cb_states
[info_cb_offset
];
7125 /* We do not ever expect a connection to fail in this test */
7126 if (!TEST_false(ret
== 0)) {
7132 * Do some sanity checks. We never expect these things to happen in this
7135 if (!TEST_false((SSL_is_server(s
) && (where
& SSL_ST_CONNECT
) != 0))
7136 || !TEST_false(!SSL_is_server(s
) && (where
& SSL_ST_ACCEPT
) != 0)
7137 || !TEST_int_ne(state
[++info_cb_this_state
].where
, 0)) {
7142 /* Now check we're in the right state */
7143 if (!TEST_true((where
& state
[info_cb_this_state
].where
) != 0)) {
7147 if ((where
& SSL_CB_LOOP
) != 0
7148 && !TEST_int_eq(strcmp(SSL_state_string(s
),
7149 state
[info_cb_this_state
].statestr
), 0)) {
7155 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7157 if ((where
& SSL_CB_HANDSHAKE_DONE
)
7158 && SSL_in_init((SSL
*)s
) != 0) {
7165 * Test the info callback gets called when we expect it to.
7167 * Test 0: TLSv1.2, server
7168 * Test 1: TLSv1.2, client
7169 * Test 2: TLSv1.3, server
7170 * Test 3: TLSv1.3, client
7171 * Test 4: TLSv1.3, server, early_data
7172 * Test 5: TLSv1.3, client, early_data
7174 static int test_info_callback(int tst
)
7176 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7177 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7178 SSL_SESSION
*clntsess
= NULL
;
7183 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7184 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7185 || !defined(OPENSSL_NO_DH))
7186 tlsvers
= TLS1_2_VERSION
;
7191 #ifndef OSSL_NO_USABLE_TLS1_3
7192 tlsvers
= TLS1_3_VERSION
;
7200 info_cb_this_state
= -1;
7201 info_cb_offset
= tst
;
7203 #ifndef OSSL_NO_USABLE_TLS1_3
7205 SSL_SESSION
*sess
= NULL
;
7206 size_t written
, readbytes
;
7207 unsigned char buf
[80];
7209 /* early_data tests */
7210 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
7211 &serverssl
, &sess
, 0)))
7214 /* We don't actually need this reference */
7215 SSL_SESSION_free(sess
);
7217 SSL_set_info_callback((tst
% 2) == 0 ? serverssl
: clientssl
,
7218 sslapi_info_callback
);
7220 /* Write and read some early data and then complete the connection */
7221 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
7223 || !TEST_size_t_eq(written
, strlen(MSG1
))
7224 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
,
7225 sizeof(buf
), &readbytes
),
7226 SSL_READ_EARLY_DATA_SUCCESS
)
7227 || !TEST_mem_eq(MSG1
, readbytes
, buf
, strlen(MSG1
))
7228 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
7229 SSL_EARLY_DATA_ACCEPTED
)
7230 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7232 || !TEST_false(info_cb_failed
))
7240 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7241 TLS_client_method(),
7242 tlsvers
, tlsvers
, &sctx
, &cctx
, cert
,
7246 if (!TEST_true(SSL_CTX_set_dh_auto(sctx
, 1)))
7250 * For even numbered tests we check the server callbacks. For odd numbers we
7253 SSL_CTX_set_info_callback((tst
% 2) == 0 ? sctx
: cctx
,
7254 sslapi_info_callback
);
7256 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
7257 &clientssl
, NULL
, NULL
))
7258 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7260 || !TEST_false(info_cb_failed
))
7265 clntsess
= SSL_get1_session(clientssl
);
7266 SSL_shutdown(clientssl
);
7267 SSL_shutdown(serverssl
);
7268 SSL_free(serverssl
);
7269 SSL_free(clientssl
);
7270 serverssl
= clientssl
= NULL
;
7272 /* Now do a resumption */
7273 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
7275 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
7276 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7278 || !TEST_true(SSL_session_reused(clientssl
))
7279 || !TEST_false(info_cb_failed
))
7285 SSL_free(serverssl
);
7286 SSL_free(clientssl
);
7287 SSL_SESSION_free(clntsess
);
7293 static int test_ssl_pending(int tst
)
7295 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7296 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7298 char msg
[] = "A test message";
7300 size_t written
, readbytes
;
7303 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7304 TLS_client_method(),
7306 &sctx
, &cctx
, cert
, privkey
)))
7309 #ifndef OPENSSL_NO_DTLS
7310 if (!TEST_true(create_ssl_ctx_pair(libctx
, DTLS_server_method(),
7311 DTLS_client_method(),
7313 &sctx
, &cctx
, cert
, privkey
)))
7316 # ifdef OPENSSL_NO_DTLS1_2
7317 /* Not supported in the FIPS provider */
7323 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7326 if (!TEST_true(SSL_CTX_set_cipher_list(sctx
, "DEFAULT:@SECLEVEL=0"))
7327 || !TEST_true(SSL_CTX_set_cipher_list(cctx
,
7328 "DEFAULT:@SECLEVEL=0")))
7336 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7338 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7342 if (!TEST_int_eq(SSL_pending(clientssl
), 0)
7343 || !TEST_false(SSL_has_pending(clientssl
))
7344 || !TEST_int_eq(SSL_pending(serverssl
), 0)
7345 || !TEST_false(SSL_has_pending(serverssl
))
7346 || !TEST_true(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
7347 || !TEST_size_t_eq(written
, sizeof(msg
))
7348 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
7349 || !TEST_size_t_eq(readbytes
, sizeof(buf
))
7350 || !TEST_int_eq(SSL_pending(clientssl
), (int)(written
- readbytes
))
7351 || !TEST_true(SSL_has_pending(clientssl
)))
7357 SSL_free(serverssl
);
7358 SSL_free(clientssl
);
7366 unsigned int maxprot
;
7367 const char *clntciphers
;
7368 const char *clnttls13ciphers
;
7369 const char *srvrciphers
;
7370 const char *srvrtls13ciphers
;
7372 const char *fipsshared
;
7373 } shared_ciphers_data
[] = {
7375 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7376 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7378 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7381 "AES128-SHA:AES256-SHA",
7383 "AES256-SHA:DHE-RSA-AES128-SHA",
7388 # if !defined(OPENSSL_NO_CHACHA) \
7389 && !defined(OPENSSL_NO_POLY1305) \
7390 && !defined(OPENSSL_NO_EC)
7393 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7395 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7397 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7403 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7405 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7407 "AES128-SHA:AES256-SHA",
7408 "AES128-SHA:AES256-SHA"
7412 "AES128-SHA:AES256-SHA",
7414 "AES128-SHA:DHE-RSA-AES128-SHA",
7421 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7424 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7425 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7428 "AES128-SHA:AES256-SHA",
7430 "AES256-SHA:AES128-SHA256",
7432 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7433 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7434 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7437 #ifndef OSSL_NO_USABLE_TLS1_3
7441 "TLS_AES_256_GCM_SHA384",
7443 "TLS_AES_256_GCM_SHA384",
7444 "TLS_AES_256_GCM_SHA384",
7445 "TLS_AES_256_GCM_SHA384"
7450 static int int_test_ssl_get_shared_ciphers(int tst
, int clnt
)
7452 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7453 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7456 OSSL_LIB_CTX
*tmplibctx
= OSSL_LIB_CTX_new();
7458 if (!TEST_ptr(tmplibctx
))
7462 * Regardless of whether we're testing with the FIPS provider loaded into
7463 * libctx, we want one peer to always use the full set of ciphersuites
7464 * available. Therefore we use a separate libctx with the default provider
7465 * loaded into it. We run the same tests twice - once with the client side
7466 * having the full set of ciphersuites and once with the server side.
7469 cctx
= SSL_CTX_new_ex(tmplibctx
, NULL
, TLS_client_method());
7470 if (!TEST_ptr(cctx
))
7473 sctx
= SSL_CTX_new_ex(tmplibctx
, NULL
, TLS_server_method());
7474 if (!TEST_ptr(sctx
))
7478 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7479 TLS_client_method(),
7481 shared_ciphers_data
[tst
].maxprot
,
7482 &sctx
, &cctx
, cert
, privkey
)))
7485 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
7486 shared_ciphers_data
[tst
].clntciphers
))
7487 || (shared_ciphers_data
[tst
].clnttls13ciphers
!= NULL
7488 && !TEST_true(SSL_CTX_set_ciphersuites(cctx
,
7489 shared_ciphers_data
[tst
].clnttls13ciphers
)))
7490 || !TEST_true(SSL_CTX_set_cipher_list(sctx
,
7491 shared_ciphers_data
[tst
].srvrciphers
))
7492 || (shared_ciphers_data
[tst
].srvrtls13ciphers
!= NULL
7493 && !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
7494 shared_ciphers_data
[tst
].srvrtls13ciphers
))))
7498 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7500 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7504 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl
, buf
, sizeof(buf
)))
7505 || !TEST_int_eq(strcmp(buf
,
7507 ? shared_ciphers_data
[tst
].fipsshared
7508 : shared_ciphers_data
[tst
].shared
),
7510 TEST_info("Shared ciphers are: %s\n", buf
);
7517 SSL_free(serverssl
);
7518 SSL_free(clientssl
);
7521 OSSL_LIB_CTX_free(tmplibctx
);
7526 static int test_ssl_get_shared_ciphers(int tst
)
7528 return int_test_ssl_get_shared_ciphers(tst
, 0)
7529 && int_test_ssl_get_shared_ciphers(tst
, 1);
7533 static const char *appdata
= "Hello World";
7534 static int gen_tick_called
, dec_tick_called
, tick_key_cb_called
;
7535 static int tick_key_renew
= 0;
7536 static SSL_TICKET_RETURN tick_dec_ret
= SSL_TICKET_RETURN_ABORT
;
7538 static int gen_tick_cb(SSL
*s
, void *arg
)
7540 gen_tick_called
= 1;
7542 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s
), appdata
,
7546 static SSL_TICKET_RETURN
dec_tick_cb(SSL
*s
, SSL_SESSION
*ss
,
7547 const unsigned char *keyname
,
7548 size_t keyname_length
,
7549 SSL_TICKET_STATUS status
,
7555 dec_tick_called
= 1;
7557 if (status
== SSL_TICKET_EMPTY
)
7558 return SSL_TICKET_RETURN_IGNORE_RENEW
;
7560 if (!TEST_true(status
== SSL_TICKET_SUCCESS
7561 || status
== SSL_TICKET_SUCCESS_RENEW
))
7562 return SSL_TICKET_RETURN_ABORT
;
7564 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss
, &tickdata
,
7566 || !TEST_size_t_eq(tickdlen
, strlen(appdata
))
7567 || !TEST_int_eq(memcmp(tickdata
, appdata
, tickdlen
), 0))
7568 return SSL_TICKET_RETURN_ABORT
;
7570 if (tick_key_cb_called
) {
7571 /* Don't change what the ticket key callback wanted to do */
7573 case SSL_TICKET_NO_DECRYPT
:
7574 return SSL_TICKET_RETURN_IGNORE_RENEW
;
7576 case SSL_TICKET_SUCCESS
:
7577 return SSL_TICKET_RETURN_USE
;
7579 case SSL_TICKET_SUCCESS_RENEW
:
7580 return SSL_TICKET_RETURN_USE_RENEW
;
7583 return SSL_TICKET_RETURN_ABORT
;
7586 return tick_dec_ret
;
7590 #ifndef OPENSSL_NO_DEPRECATED_3_0
7591 static int tick_key_cb(SSL
*s
, unsigned char key_name
[16],
7592 unsigned char iv
[EVP_MAX_IV_LENGTH
], EVP_CIPHER_CTX
*ctx
,
7593 HMAC_CTX
*hctx
, int enc
)
7595 const unsigned char tick_aes_key
[16] = "0123456789abcdef";
7596 const unsigned char tick_hmac_key
[16] = "0123456789abcdef";
7597 EVP_CIPHER
*aes128cbc
= EVP_CIPHER_fetch(libctx
, "AES-128-CBC", NULL
);
7598 EVP_MD
*sha256
= EVP_MD_fetch(libctx
, "SHA-256", NULL
);
7601 tick_key_cb_called
= 1;
7602 memset(iv
, 0, AES_BLOCK_SIZE
);
7603 memset(key_name
, 0, 16);
7604 if (aes128cbc
== NULL
7606 || !EVP_CipherInit_ex(ctx
, aes128cbc
, NULL
, tick_aes_key
, iv
, enc
)
7607 || !HMAC_Init_ex(hctx
, tick_hmac_key
, sizeof(tick_hmac_key
), sha256
,
7611 ret
= tick_key_renew
? 2 : 1;
7613 EVP_CIPHER_free(aes128cbc
);
7614 EVP_MD_free(sha256
);
7620 static int tick_key_evp_cb(SSL
*s
, unsigned char key_name
[16],
7621 unsigned char iv
[EVP_MAX_IV_LENGTH
],
7622 EVP_CIPHER_CTX
*ctx
, EVP_MAC_CTX
*hctx
, int enc
)
7624 const unsigned char tick_aes_key
[16] = "0123456789abcdef";
7625 unsigned char tick_hmac_key
[16] = "0123456789abcdef";
7626 OSSL_PARAM params
[2];
7627 EVP_CIPHER
*aes128cbc
= EVP_CIPHER_fetch(libctx
, "AES-128-CBC", NULL
);
7630 tick_key_cb_called
= 1;
7631 memset(iv
, 0, AES_BLOCK_SIZE
);
7632 memset(key_name
, 0, 16);
7633 params
[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST
,
7635 params
[1] = OSSL_PARAM_construct_end();
7636 if (aes128cbc
== NULL
7637 || !EVP_CipherInit_ex(ctx
, aes128cbc
, NULL
, tick_aes_key
, iv
, enc
)
7638 || !EVP_MAC_init(hctx
, tick_hmac_key
, sizeof(tick_hmac_key
),
7642 ret
= tick_key_renew
? 2 : 1;
7644 EVP_CIPHER_free(aes128cbc
);
7650 * Test the various ticket callbacks
7651 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7652 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7653 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7654 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7655 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7656 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7657 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7658 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7659 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7660 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7661 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7662 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7663 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7664 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7665 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7666 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7668 static int test_ticket_callbacks(int tst
)
7670 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7671 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7672 SSL_SESSION
*clntsess
= NULL
;
7675 #ifdef OPENSSL_NO_TLS1_2
7679 #ifdef OSSL_NO_USABLE_TLS1_3
7683 #ifdef OPENSSL_NO_DEPRECATED_3_0
7684 if (tst
>= 8 && tst
<= 11)
7688 gen_tick_called
= dec_tick_called
= tick_key_cb_called
= 0;
7690 /* Which tests the ticket key callback should request renewal for */
7691 if (tst
== 10 || tst
== 11 || tst
== 14 || tst
== 15)
7696 /* Which tests the decrypt ticket callback should request renewal for */
7700 tick_dec_ret
= SSL_TICKET_RETURN_IGNORE
;
7705 tick_dec_ret
= SSL_TICKET_RETURN_IGNORE_RENEW
;
7710 tick_dec_ret
= SSL_TICKET_RETURN_USE
;
7715 tick_dec_ret
= SSL_TICKET_RETURN_USE_RENEW
;
7719 tick_dec_ret
= SSL_TICKET_RETURN_ABORT
;
7722 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7723 TLS_client_method(),
7725 ((tst
% 2) == 0) ? TLS1_2_VERSION
7727 &sctx
, &cctx
, cert
, privkey
)))
7731 * We only want sessions to resume from tickets - not the session cache. So
7732 * switch the cache off.
7734 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx
, SSL_SESS_CACHE_OFF
)))
7737 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx
, gen_tick_cb
, dec_tick_cb
,
7742 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx
, tick_key_evp_cb
)))
7744 #ifndef OPENSSL_NO_DEPRECATED_3_0
7745 } else if (tst
>= 8) {
7746 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx
, tick_key_cb
)))
7751 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7753 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7758 * The decrypt ticket key callback in TLSv1.2 should be called even though
7759 * we have no ticket yet, because it gets called with a status of
7760 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7761 * actually send any ticket data). This does not happen in TLSv1.3 because
7762 * it is not valid to send empty ticket data in TLSv1.3.
7764 if (!TEST_int_eq(gen_tick_called
, 1)
7765 || !TEST_int_eq(dec_tick_called
, ((tst
% 2) == 0) ? 1 : 0))
7768 gen_tick_called
= dec_tick_called
= 0;
7770 clntsess
= SSL_get1_session(clientssl
);
7771 SSL_shutdown(clientssl
);
7772 SSL_shutdown(serverssl
);
7773 SSL_free(serverssl
);
7774 SSL_free(clientssl
);
7775 serverssl
= clientssl
= NULL
;
7777 /* Now do a resumption */
7778 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
7780 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
7781 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
7785 if (tick_dec_ret
== SSL_TICKET_RETURN_IGNORE
7786 || tick_dec_ret
== SSL_TICKET_RETURN_IGNORE_RENEW
) {
7787 if (!TEST_false(SSL_session_reused(clientssl
)))
7790 if (!TEST_true(SSL_session_reused(clientssl
)))
7794 if (!TEST_int_eq(gen_tick_called
,
7796 || tick_dec_ret
== SSL_TICKET_RETURN_IGNORE_RENEW
7797 || tick_dec_ret
== SSL_TICKET_RETURN_USE_RENEW
)
7799 || !TEST_int_eq(dec_tick_called
, 1))
7805 SSL_SESSION_free(clntsess
);
7806 SSL_free(serverssl
);
7807 SSL_free(clientssl
);
7815 * Test incorrect shutdown.
7816 * Test 0: client does not shutdown properly,
7817 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7818 * server should get SSL_ERROR_SSL
7819 * Test 1: client does not shutdown properly,
7820 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7821 * server should get SSL_ERROR_ZERO_RETURN
7823 static int test_incorrect_shutdown(int tst
)
7825 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7826 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7831 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7832 TLS_client_method(), 0, 0,
7833 &sctx
, &cctx
, cert
, privkey
)))
7837 SSL_CTX_set_options(sctx
, SSL_OP_IGNORE_UNEXPECTED_EOF
);
7839 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7843 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
7847 c2s
= SSL_get_rbio(serverssl
);
7848 BIO_set_mem_eof_return(c2s
, 0);
7850 if (!TEST_false(SSL_read(serverssl
, buf
, sizeof(buf
))))
7853 if (tst
== 0 && !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_SSL
) )
7855 if (tst
== 1 && !TEST_int_eq(SSL_get_error(serverssl
, 0), SSL_ERROR_ZERO_RETURN
) )
7861 SSL_free(serverssl
);
7862 SSL_free(clientssl
);
7870 * Test bi-directional shutdown.
7872 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7873 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7874 * Test 3: TLSv1.3, pending NewSessionTicket messages
7875 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7876 * sends key update, client reads it
7877 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7878 * sends CertificateRequest, client reads and ignores it
7879 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7882 static int test_shutdown(int tst
)
7884 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
7885 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
7887 char msg
[] = "A test message";
7889 size_t written
, readbytes
;
7892 #ifdef OPENSSL_NO_TLS1_2
7896 #ifdef OSSL_NO_USABLE_TLS1_3
7901 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
7902 TLS_client_method(),
7904 (tst
<= 1) ? TLS1_2_VERSION
7906 &sctx
, &cctx
, cert
, privkey
)))
7910 SSL_CTX_set_post_handshake_auth(cctx
, 1);
7912 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
7917 if (!TEST_true(create_bare_ssl_connection(serverssl
, clientssl
,
7918 SSL_ERROR_NONE
, 1, 0))
7919 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
7920 || !TEST_false(SSL_SESSION_is_resumable(sess
)))
7922 } else if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
7924 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
7925 || !TEST_true(SSL_SESSION_is_resumable(sess
))) {
7929 if (!TEST_int_eq(SSL_shutdown(clientssl
), 0))
7934 * Reading on the server after the client has sent close_notify should
7935 * fail and provide SSL_ERROR_ZERO_RETURN
7937 if (!TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
7938 || !TEST_int_eq(SSL_get_error(serverssl
, 0),
7939 SSL_ERROR_ZERO_RETURN
)
7940 || !TEST_int_eq(SSL_get_shutdown(serverssl
),
7941 SSL_RECEIVED_SHUTDOWN
)
7943 * Even though we're shutdown on receive we should still be
7946 || !TEST_true(SSL_write(serverssl
, msg
, sizeof(msg
))))
7949 && !TEST_true(SSL_key_update(serverssl
,
7950 SSL_KEY_UPDATE_REQUESTED
)))
7953 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
, NULL
);
7954 if (!TEST_true(SSL_verify_client_post_handshake(serverssl
)))
7957 if ((tst
== 4 || tst
== 5)
7958 && !TEST_true(SSL_write(serverssl
, msg
, sizeof(msg
))))
7960 if (!TEST_int_eq(SSL_shutdown(serverssl
), 1))
7962 if (tst
== 4 || tst
== 5) {
7963 /* Should still be able to read data from server */
7964 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
7966 || !TEST_size_t_eq(readbytes
, sizeof(msg
))
7967 || !TEST_int_eq(memcmp(msg
, buf
, readbytes
), 0)
7968 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
7970 || !TEST_size_t_eq(readbytes
, sizeof(msg
))
7971 || !TEST_int_eq(memcmp(msg
, buf
, readbytes
), 0))
7976 /* Writing on the client after sending close_notify shouldn't be possible */
7977 if (!TEST_false(SSL_write_ex(clientssl
, msg
, sizeof(msg
), &written
)))
7982 * For these tests the client has sent close_notify but it has not yet
7983 * been received by the server. The server has not sent close_notify
7986 if (!TEST_int_eq(SSL_shutdown(serverssl
), 0)
7988 * Writing on the server after sending close_notify shouldn't
7991 || !TEST_false(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
7992 || !TEST_int_eq(SSL_shutdown(clientssl
), 1)
7993 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
7994 || !TEST_true(SSL_SESSION_is_resumable(sess
))
7995 || !TEST_int_eq(SSL_shutdown(serverssl
), 1))
7997 } else if (tst
== 4 || tst
== 5) {
7999 * In this test the client has sent close_notify and it has been
8000 * received by the server which has responded with a close_notify. The
8001 * client needs to read the close_notify sent by the server.
8003 if (!TEST_int_eq(SSL_shutdown(clientssl
), 1)
8004 || !TEST_ptr_ne(sess
= SSL_get_session(clientssl
), NULL
)
8005 || !TEST_true(SSL_SESSION_is_resumable(sess
)))
8011 * The client has sent close_notify and is expecting a close_notify
8012 * back, but instead there is application data first. The shutdown
8013 * should fail with a fatal error.
8015 if (!TEST_int_eq(SSL_shutdown(clientssl
), -1)
8016 || !TEST_int_eq(SSL_get_error(clientssl
, -1), SSL_ERROR_SSL
))
8023 SSL_free(serverssl
);
8024 SSL_free(clientssl
);
8031 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8032 static int cert_cb_cnt
;
8034 static int cert_cb(SSL
*s
, void *arg
)
8036 SSL_CTX
*ctx
= (SSL_CTX
*)arg
;
8038 EVP_PKEY
*pkey
= NULL
;
8039 X509
*x509
= NULL
, *rootx
= NULL
;
8040 STACK_OF(X509
) *chain
= NULL
;
8041 char *rootfile
= NULL
, *ecdsacert
= NULL
, *ecdsakey
= NULL
;
8044 if (cert_cb_cnt
== 0) {
8045 /* Suspend the handshake */
8048 } else if (cert_cb_cnt
== 1) {
8050 * Update the SSL_CTX, set the certificate and private key and then
8051 * continue the handshake normally.
8053 if (ctx
!= NULL
&& !TEST_ptr(SSL_set_SSL_CTX(s
, ctx
)))
8056 if (!TEST_true(SSL_use_certificate_file(s
, cert
, SSL_FILETYPE_PEM
))
8057 || !TEST_true(SSL_use_PrivateKey_file(s
, privkey
,
8059 || !TEST_true(SSL_check_private_key(s
)))
8063 } else if (cert_cb_cnt
== 3) {
8066 rootfile
= test_mk_file_path(certsdir
, "rootcert.pem");
8067 ecdsacert
= test_mk_file_path(certsdir
, "server-ecdsa-cert.pem");
8068 ecdsakey
= test_mk_file_path(certsdir
, "server-ecdsa-key.pem");
8069 if (!TEST_ptr(rootfile
) || !TEST_ptr(ecdsacert
) || !TEST_ptr(ecdsakey
))
8071 chain
= sk_X509_new_null();
8072 if (!TEST_ptr(chain
))
8074 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
8075 || !TEST_int_gt(BIO_read_filename(in
, rootfile
), 0)
8076 || !TEST_ptr(rootx
= X509_new_ex(libctx
, NULL
))
8077 || !TEST_ptr(PEM_read_bio_X509(in
, &rootx
, NULL
, NULL
))
8078 || !TEST_true(sk_X509_push(chain
, rootx
)))
8082 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
8083 || !TEST_int_gt(BIO_read_filename(in
, ecdsacert
), 0)
8084 || !TEST_ptr(x509
= X509_new_ex(libctx
, NULL
))
8085 || !TEST_ptr(PEM_read_bio_X509(in
, &x509
, NULL
, NULL
)))
8088 if (!TEST_ptr(in
= BIO_new(BIO_s_file()))
8089 || !TEST_int_gt(BIO_read_filename(in
, ecdsakey
), 0)
8090 || !TEST_ptr(pkey
= PEM_read_bio_PrivateKey_ex(in
, NULL
,
8094 rv
= SSL_check_chain(s
, x509
, pkey
, chain
);
8096 * If the cert doesn't show as valid here (e.g., because we don't
8097 * have any shared sigalgs), then we will not set it, and there will
8098 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8099 * will cause tls_choose_sigalgs() to fail the connection.
8101 if ((rv
& (CERT_PKEY_VALID
| CERT_PKEY_CA_SIGNATURE
))
8102 == (CERT_PKEY_VALID
| CERT_PKEY_CA_SIGNATURE
)) {
8103 if (!SSL_use_cert_and_key(s
, x509
, pkey
, NULL
, 1))
8110 /* Abort the handshake */
8112 OPENSSL_free(ecdsacert
);
8113 OPENSSL_free(ecdsakey
);
8114 OPENSSL_free(rootfile
);
8116 EVP_PKEY_free(pkey
);
8119 OSSL_STACK_OF_X509_free(chain
);
8124 * Test the certificate callback.
8125 * Test 0: Callback fails
8126 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8127 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8128 * Test 3: Success - Call SSL_check_chain from the callback
8129 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8131 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8133 static int test_cert_cb_int(int prot
, int tst
)
8135 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *snictx
= NULL
;
8136 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8137 int testresult
= 0, ret
;
8139 #ifdef OPENSSL_NO_EC
8140 /* We use an EC cert in these tests, so we skip in a no-ec build */
8145 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8146 TLS_client_method(),
8149 &sctx
, &cctx
, NULL
, NULL
)))
8160 snictx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
8161 if (!TEST_ptr(snictx
))
8165 SSL_CTX_set_cert_cb(sctx
, cert_cb
, snictx
);
8167 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8173 * We cause SSL_check_chain() to fail by specifying sig_algs that
8174 * the chain doesn't meet (the root uses an RSA cert)
8176 if (!TEST_true(SSL_set1_sigalgs_list(clientssl
,
8177 "ecdsa_secp256r1_sha256")))
8179 } else if (tst
== 5) {
8181 * We cause SSL_check_chain() to fail by specifying sig_algs that
8182 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8184 if (!TEST_true(SSL_set1_sigalgs_list(clientssl
,
8185 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8189 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
8190 if (!TEST_true(tst
== 0 || tst
== 4 || tst
== 5 ? !ret
: ret
)
8192 && !TEST_int_eq((cert_cb_cnt
- 2) * (cert_cb_cnt
- 3), 0))) {
8199 SSL_free(serverssl
);
8200 SSL_free(clientssl
);
8203 SSL_CTX_free(snictx
);
8209 static int test_cert_cb(int tst
)
8213 #ifndef OPENSSL_NO_TLS1_2
8214 testresult
&= test_cert_cb_int(TLS1_2_VERSION
, tst
);
8216 #ifndef OSSL_NO_USABLE_TLS1_3
8217 testresult
&= test_cert_cb_int(TLS1_3_VERSION
, tst
);
8223 static int client_cert_cb(SSL
*ssl
, X509
**x509
, EVP_PKEY
**pkey
)
8228 BIO
*priv_in
= NULL
;
8230 /* Check that SSL_get0_peer_certificate() returns something sensible */
8231 if (!TEST_ptr(SSL_get0_peer_certificate(ssl
)))
8234 in
= BIO_new_file(cert
, "r");
8238 if (!TEST_ptr(xcert
= X509_new_ex(libctx
, NULL
))
8239 || !TEST_ptr(PEM_read_bio_X509(in
, &xcert
, NULL
, NULL
))
8240 || !TEST_ptr(priv_in
= BIO_new_file(privkey
, "r"))
8241 || !TEST_ptr(privpkey
= PEM_read_bio_PrivateKey_ex(priv_in
, NULL
,
8259 static int test_client_cert_cb(int tst
)
8261 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8262 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8265 #ifdef OPENSSL_NO_TLS1_2
8269 #ifdef OSSL_NO_USABLE_TLS1_3
8274 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8275 TLS_client_method(),
8277 tst
== 0 ? TLS1_2_VERSION
8279 &sctx
, &cctx
, cert
, privkey
)))
8283 * Test that setting a client_cert_cb results in a client certificate being
8286 SSL_CTX_set_client_cert_cb(cctx
, client_cert_cb
);
8287 SSL_CTX_set_verify(sctx
,
8288 SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
,
8291 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8293 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
8300 SSL_free(serverssl
);
8301 SSL_free(clientssl
);
8308 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8310 * Test setting certificate authorities on both client and server.
8312 * Test 0: SSL_CTX_set0_CA_list() only
8313 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8314 * Test 2: Only SSL_CTX_set_client_CA_list()
8316 static int test_ca_names_int(int prot
, int tst
)
8318 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8319 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8322 X509_NAME
*name
[] = { NULL
, NULL
, NULL
, NULL
};
8323 char *strnames
[] = { "Jack", "Jill", "John", "Joanne" };
8324 STACK_OF(X509_NAME
) *sk1
= NULL
, *sk2
= NULL
;
8325 const STACK_OF(X509_NAME
) *sktmp
= NULL
;
8327 for (i
= 0; i
< OSSL_NELEM(name
); i
++) {
8328 name
[i
] = X509_NAME_new();
8329 if (!TEST_ptr(name
[i
])
8330 || !TEST_true(X509_NAME_add_entry_by_txt(name
[i
], "CN",
8338 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8339 TLS_client_method(),
8342 &sctx
, &cctx
, cert
, privkey
)))
8345 SSL_CTX_set_verify(sctx
, SSL_VERIFY_PEER
, NULL
);
8347 if (tst
== 0 || tst
== 1) {
8348 if (!TEST_ptr(sk1
= sk_X509_NAME_new_null())
8349 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[0])))
8350 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[1])))
8351 || !TEST_ptr(sk2
= sk_X509_NAME_new_null())
8352 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[0])))
8353 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[1]))))
8356 SSL_CTX_set0_CA_list(sctx
, sk1
);
8357 SSL_CTX_set0_CA_list(cctx
, sk2
);
8360 if (tst
== 1 || tst
== 2) {
8361 if (!TEST_ptr(sk1
= sk_X509_NAME_new_null())
8362 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[2])))
8363 || !TEST_true(sk_X509_NAME_push(sk1
, X509_NAME_dup(name
[3])))
8364 || !TEST_ptr(sk2
= sk_X509_NAME_new_null())
8365 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[2])))
8366 || !TEST_true(sk_X509_NAME_push(sk2
, X509_NAME_dup(name
[3]))))
8369 SSL_CTX_set_client_CA_list(sctx
, sk1
);
8370 SSL_CTX_set_client_CA_list(cctx
, sk2
);
8374 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8376 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
8381 * We only expect certificate authorities to have been sent to the server
8382 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8384 sktmp
= SSL_get0_peer_CA_list(serverssl
);
8385 if (prot
== TLS1_3_VERSION
8386 && (tst
== 0 || tst
== 1)) {
8387 if (!TEST_ptr(sktmp
)
8388 || !TEST_int_eq(sk_X509_NAME_num(sktmp
), 2)
8389 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 0),
8391 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 1),
8394 } else if (!TEST_ptr_null(sktmp
)) {
8399 * In all tests we expect certificate authorities to have been sent to the
8400 * client. However, SSL_set_client_CA_list() should override
8401 * SSL_set0_CA_list()
8403 sktmp
= SSL_get0_peer_CA_list(clientssl
);
8404 if (!TEST_ptr(sktmp
)
8405 || !TEST_int_eq(sk_X509_NAME_num(sktmp
), 2)
8406 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 0),
8407 name
[tst
== 0 ? 0 : 2]), 0)
8408 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp
, 1),
8409 name
[tst
== 0 ? 1 : 3]), 0))
8415 SSL_free(serverssl
);
8416 SSL_free(clientssl
);
8419 for (i
= 0; i
< OSSL_NELEM(name
); i
++)
8420 X509_NAME_free(name
[i
]);
8421 sk_X509_NAME_pop_free(sk1
, X509_NAME_free
);
8422 sk_X509_NAME_pop_free(sk2
, X509_NAME_free
);
8428 static int test_ca_names(int tst
)
8432 #ifndef OPENSSL_NO_TLS1_2
8433 testresult
&= test_ca_names_int(TLS1_2_VERSION
, tst
);
8435 #ifndef OSSL_NO_USABLE_TLS1_3
8436 testresult
&= test_ca_names_int(TLS1_3_VERSION
, tst
);
8442 #ifndef OPENSSL_NO_TLS1_2
8443 static const char *multiblock_cipherlist_data
[]=
8451 /* Reduce the fragment size - so the multiblock test buffer can be small */
8452 # define MULTIBLOCK_FRAGSIZE 512
8454 static int test_multiblock_write(int test_index
)
8456 static const char *fetchable_ciphers
[]=
8458 "AES-128-CBC-HMAC-SHA1",
8459 "AES-128-CBC-HMAC-SHA256",
8460 "AES-256-CBC-HMAC-SHA1",
8461 "AES-256-CBC-HMAC-SHA256"
8463 const char *cipherlist
= multiblock_cipherlist_data
[test_index
];
8464 const SSL_METHOD
*smeth
= TLS_server_method();
8465 const SSL_METHOD
*cmeth
= TLS_client_method();
8466 int min_version
= TLS1_VERSION
;
8467 int max_version
= TLS1_2_VERSION
; /* Don't select TLS1_3 */
8468 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8469 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8473 * Choose a buffer large enough to perform a multi-block operation
8474 * i.e: write_len >= 4 * frag_size
8475 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8477 unsigned char msg
[MULTIBLOCK_FRAGSIZE
* 9];
8478 unsigned char buf
[sizeof(msg
)], *p
= buf
;
8479 size_t readbytes
, written
, len
;
8480 EVP_CIPHER
*ciph
= NULL
;
8483 * Check if the cipher exists before attempting to use it since it only has
8484 * a hardware specific implementation.
8486 ciph
= EVP_CIPHER_fetch(libctx
, fetchable_ciphers
[test_index
], "");
8488 TEST_skip("Multiblock cipher is not available for %s", cipherlist
);
8491 EVP_CIPHER_free(ciph
);
8493 /* Set up a buffer with some data that will be sent to the client */
8494 RAND_bytes(msg
, sizeof(msg
));
8496 if (!TEST_true(create_ssl_ctx_pair(libctx
, smeth
, cmeth
, min_version
,
8497 max_version
, &sctx
, &cctx
, cert
,
8501 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx
, MULTIBLOCK_FRAGSIZE
)))
8504 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8508 /* settings to force it to use AES-CBC-HMAC_SHA */
8509 SSL_set_options(serverssl
, SSL_OP_NO_ENCRYPT_THEN_MAC
);
8510 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, cipherlist
)))
8513 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8516 if (!TEST_true(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
8517 || !TEST_size_t_eq(written
, sizeof(msg
)))
8522 if (!TEST_true(SSL_read_ex(clientssl
, p
, MULTIBLOCK_FRAGSIZE
, &readbytes
)))
8527 if (!TEST_mem_eq(msg
, sizeof(msg
), buf
, sizeof(buf
)))
8532 SSL_free(serverssl
);
8533 SSL_free(clientssl
);
8539 #endif /* OPENSSL_NO_TLS1_2 */
8541 static int test_session_timeout(int test
)
8544 * Test session ordering and timeout
8545 * Can't explicitly test performance of the new code,
8546 * but can test to see if the ordering of the sessions
8547 * are correct, and they they are removed as expected
8549 SSL_SESSION
*early
= NULL
;
8550 SSL_SESSION
*middle
= NULL
;
8551 SSL_SESSION
*late
= NULL
;
8554 long now
= (long)time(NULL
);
8557 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_method()))
8558 || !TEST_ptr(early
= SSL_SESSION_new())
8559 || !TEST_ptr(middle
= SSL_SESSION_new())
8560 || !TEST_ptr(late
= SSL_SESSION_new()))
8563 /* assign unique session ids */
8564 early
->session_id_length
= SSL3_SSL_SESSION_ID_LENGTH
;
8565 memset(early
->session_id
, 1, SSL3_SSL_SESSION_ID_LENGTH
);
8566 middle
->session_id_length
= SSL3_SSL_SESSION_ID_LENGTH
;
8567 memset(middle
->session_id
, 2, SSL3_SSL_SESSION_ID_LENGTH
);
8568 late
->session_id_length
= SSL3_SSL_SESSION_ID_LENGTH
;
8569 memset(late
->session_id
, 3, SSL3_SSL_SESSION_ID_LENGTH
);
8571 if (!TEST_int_eq(SSL_CTX_add_session(ctx
, early
), 1)
8572 || !TEST_int_eq(SSL_CTX_add_session(ctx
, middle
), 1)
8573 || !TEST_int_eq(SSL_CTX_add_session(ctx
, late
), 1))
8576 /* Make sure they are all added */
8577 if (!TEST_ptr(early
->prev
)
8578 || !TEST_ptr(middle
->prev
)
8579 || !TEST_ptr(late
->prev
))
8582 if (!TEST_int_ne(SSL_SESSION_set_time(early
, now
- 10), 0)
8583 || !TEST_int_ne(SSL_SESSION_set_time(middle
, now
), 0)
8584 || !TEST_int_ne(SSL_SESSION_set_time(late
, now
+ 10), 0))
8587 if (!TEST_int_ne(SSL_SESSION_set_timeout(early
, TIMEOUT
), 0)
8588 || !TEST_int_ne(SSL_SESSION_set_timeout(middle
, TIMEOUT
), 0)
8589 || !TEST_int_ne(SSL_SESSION_set_timeout(late
, TIMEOUT
), 0))
8592 /* Make sure they are all still there */
8593 if (!TEST_ptr(early
->prev
)
8594 || !TEST_ptr(middle
->prev
)
8595 || !TEST_ptr(late
->prev
))
8598 /* Make sure they are in the expected order */
8599 if (!TEST_ptr_eq(late
->next
, middle
)
8600 || !TEST_ptr_eq(middle
->next
, early
)
8601 || !TEST_ptr_eq(early
->prev
, middle
)
8602 || !TEST_ptr_eq(middle
->prev
, late
))
8605 /* This should remove "early" */
8606 SSL_CTX_flush_sessions(ctx
, now
+ TIMEOUT
- 1);
8607 if (!TEST_ptr_null(early
->prev
)
8608 || !TEST_ptr(middle
->prev
)
8609 || !TEST_ptr(late
->prev
))
8612 /* This should remove "middle" */
8613 SSL_CTX_flush_sessions(ctx
, now
+ TIMEOUT
+ 1);
8614 if (!TEST_ptr_null(early
->prev
)
8615 || !TEST_ptr_null(middle
->prev
)
8616 || !TEST_ptr(late
->prev
))
8619 /* This should remove "late" */
8620 SSL_CTX_flush_sessions(ctx
, now
+ TIMEOUT
+ 11);
8621 if (!TEST_ptr_null(early
->prev
)
8622 || !TEST_ptr_null(middle
->prev
)
8623 || !TEST_ptr_null(late
->prev
))
8626 /* Add them back in again */
8627 if (!TEST_int_eq(SSL_CTX_add_session(ctx
, early
), 1)
8628 || !TEST_int_eq(SSL_CTX_add_session(ctx
, middle
), 1)
8629 || !TEST_int_eq(SSL_CTX_add_session(ctx
, late
), 1))
8632 /* Make sure they are all added */
8633 if (!TEST_ptr(early
->prev
)
8634 || !TEST_ptr(middle
->prev
)
8635 || !TEST_ptr(late
->prev
))
8638 /* This should remove all of them */
8639 SSL_CTX_flush_sessions(ctx
, 0);
8640 if (!TEST_ptr_null(early
->prev
)
8641 || !TEST_ptr_null(middle
->prev
)
8642 || !TEST_ptr_null(late
->prev
))
8645 (void)SSL_CTX_set_session_cache_mode(ctx
, SSL_SESS_CACHE_UPDATE_TIME
8646 | SSL_CTX_get_session_cache_mode(ctx
));
8648 /* make sure |now| is NOT equal to the current time */
8650 if (!TEST_int_ne(SSL_SESSION_set_time(early
, now
), 0)
8651 || !TEST_int_eq(SSL_CTX_add_session(ctx
, early
), 1)
8652 || !TEST_long_ne(SSL_SESSION_get_time(early
), now
))
8658 SSL_SESSION_free(early
);
8659 SSL_SESSION_free(middle
);
8660 SSL_SESSION_free(late
);
8665 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8666 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8667 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8668 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8669 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8670 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8671 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8672 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8673 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8674 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8676 static int test_servername(int tst
)
8678 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8679 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8681 SSL_SESSION
*sess
= NULL
;
8682 const char *sexpectedhost
= NULL
, *cexpectedhost
= NULL
;
8684 #ifdef OPENSSL_NO_TLS1_2
8688 #ifdef OSSL_NO_USABLE_TLS1_3
8693 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8694 TLS_client_method(),
8696 (tst
<= 4) ? TLS1_2_VERSION
8698 &sctx
, &cctx
, cert
, privkey
))
8699 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8703 if (tst
!= 1 && tst
!= 6) {
8704 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
,
8709 if (tst
!= 3 && tst
!= 8) {
8710 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost")))
8712 sexpectedhost
= cexpectedhost
= "goodhost";
8715 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8718 if (!TEST_str_eq(SSL_get_servername(clientssl
, TLSEXT_NAMETYPE_host_name
),
8720 || !TEST_str_eq(SSL_get_servername(serverssl
,
8721 TLSEXT_NAMETYPE_host_name
),
8725 /* Now repeat with a resumption handshake */
8727 if (!TEST_int_eq(SSL_shutdown(clientssl
), 0)
8728 || !TEST_ptr_ne(sess
= SSL_get1_session(clientssl
), NULL
)
8729 || !TEST_true(SSL_SESSION_is_resumable(sess
))
8730 || !TEST_int_eq(SSL_shutdown(serverssl
), 0))
8733 SSL_free(clientssl
);
8734 SSL_free(serverssl
);
8735 clientssl
= serverssl
= NULL
;
8737 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
8741 if (!TEST_true(SSL_set_session(clientssl
, sess
)))
8744 sexpectedhost
= cexpectedhost
= "goodhost";
8745 if (tst
== 2 || tst
== 7) {
8746 /* Set an inconsistent hostname */
8747 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "altgoodhost")))
8750 * In TLSv1.2 we expect the hostname from the original handshake, in
8751 * TLSv1.3 we expect the hostname from this handshake
8754 sexpectedhost
= cexpectedhost
= "altgoodhost";
8756 if (!TEST_str_eq(SSL_get_servername(clientssl
,
8757 TLSEXT_NAMETYPE_host_name
),
8760 } else if (tst
== 4 || tst
== 9) {
8762 * A TLSv1.3 session does not associate a session with a servername,
8763 * but a TLSv1.2 session does.
8766 sexpectedhost
= cexpectedhost
= NULL
;
8768 if (!TEST_str_eq(SSL_get_servername(clientssl
,
8769 TLSEXT_NAMETYPE_host_name
),
8773 if (!TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost")))
8776 * In a TLSv1.2 resumption where the hostname was not acknowledged
8777 * we expect the hostname on the server to be empty. On the client we
8778 * return what was requested in this case.
8780 * Similarly if the client didn't set a hostname on an original TLSv1.2
8781 * session but is now, the server hostname will be empty, but the client
8784 if (tst
== 1 || tst
== 3)
8785 sexpectedhost
= NULL
;
8787 if (!TEST_str_eq(SSL_get_servername(clientssl
,
8788 TLSEXT_NAMETYPE_host_name
),
8793 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8796 if (!TEST_true(SSL_session_reused(clientssl
))
8797 || !TEST_true(SSL_session_reused(serverssl
))
8798 || !TEST_str_eq(SSL_get_servername(clientssl
,
8799 TLSEXT_NAMETYPE_host_name
),
8801 || !TEST_str_eq(SSL_get_servername(serverssl
,
8802 TLSEXT_NAMETYPE_host_name
),
8809 SSL_SESSION_free(sess
);
8810 SSL_free(serverssl
);
8811 SSL_free(clientssl
);
8818 #if !defined(OPENSSL_NO_EC) \
8819 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8821 * Test that if signature algorithms are not available, then we do not offer or
8823 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8824 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8825 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8826 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8827 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8828 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8830 static int test_sigalgs_available(int idx
)
8832 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8833 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8835 OSSL_LIB_CTX
*tmpctx
= OSSL_LIB_CTX_new();
8836 OSSL_LIB_CTX
*clientctx
= libctx
, *serverctx
= libctx
;
8837 OSSL_PROVIDER
*filterprov
= NULL
;
8840 if (!TEST_ptr(tmpctx
))
8843 if (idx
!= 0 && idx
!= 3) {
8844 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx
, "filter",
8845 filter_provider_init
)))
8848 filterprov
= OSSL_PROVIDER_load(tmpctx
, "filter");
8849 if (!TEST_ptr(filterprov
))
8854 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8855 * or accepted for the peer that uses this libctx. Note that libssl
8856 * *requires* SHA2-256 to be available so we cannot disable that. We
8857 * also need SHA1 for our certificate.
8859 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST
,
8863 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE
,
8865 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT
,
8870 if (idx
== 1 || idx
== 4)
8876 cctx
= SSL_CTX_new_ex(clientctx
, NULL
, TLS_client_method());
8877 sctx
= SSL_CTX_new_ex(serverctx
, NULL
, TLS_server_method());
8878 if (!TEST_ptr(cctx
) || !TEST_ptr(sctx
))
8882 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8883 TLS_client_method(),
8886 &sctx
, &cctx
, cert
, privkey
)))
8889 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8890 TLS_client_method(),
8893 &sctx
, &cctx
, cert2
, privkey2
)))
8897 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8899 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
8900 "ECDHE-RSA-AES128-GCM-SHA256")))
8903 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
8904 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8909 if (!SSL_CTX_set1_sigalgs_list(cctx
,
8910 "rsa_pss_rsae_sha384"
8911 ":rsa_pss_rsae_sha256")
8912 || !SSL_CTX_set1_sigalgs_list(sctx
,
8913 "rsa_pss_rsae_sha384"
8914 ":rsa_pss_rsae_sha256"))
8917 if (!SSL_CTX_set1_sigalgs_list(cctx
, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8918 || !SSL_CTX_set1_sigalgs_list(sctx
,
8919 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8924 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx
, cert2
,
8925 SSL_FILETYPE_PEM
), 1)
8926 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx
,
8928 SSL_FILETYPE_PEM
), 1)
8929 || !TEST_int_eq(SSL_CTX_check_private_key(sctx
), 1)))
8932 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
8936 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
8939 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8940 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl
, 0, &sig
, &hash
, NULL
,
8942 (idx
== 0 || idx
== 3) ? 2 : 1))
8945 if (!TEST_int_eq(hash
, idx
== 0 ? NID_sha384
: NID_sha256
))
8948 if (!TEST_int_eq(sig
, (idx
== 4 || idx
== 5) ? EVP_PKEY_EC
8952 testresult
= filter_provider_check_clean_finish();
8955 SSL_free(serverssl
);
8956 SSL_free(clientssl
);
8959 OSSL_PROVIDER_unload(filterprov
);
8960 OSSL_LIB_CTX_free(tmpctx
);
8965 * !defined(OPENSSL_NO_EC) \
8966 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8969 #ifndef OPENSSL_NO_TLS1_3
8970 /* This test can run in TLSv1.3 even if ec and dh are disabled */
8971 static int test_pluggable_group(int idx
)
8973 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
8974 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
8976 OSSL_PROVIDER
*tlsprov
= OSSL_PROVIDER_load(libctx
, "tls-provider");
8977 /* Check that we are not impacted by a provider without any groups */
8978 OSSL_PROVIDER
*legacyprov
= OSSL_PROVIDER_load(libctx
, "legacy");
8979 const char *group_name
= idx
== 0 ? "xorgroup" : "xorkemgroup";
8981 if (!TEST_ptr(tlsprov
))
8984 if (legacyprov
== NULL
) {
8986 * In this case we assume we've been built with "no-legacy" and skip
8987 * this test (there is no OPENSSL_NO_LEGACY)
8993 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
8994 TLS_client_method(),
8997 &sctx
, &cctx
, cert
, privkey
))
8998 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9002 if (!TEST_true(SSL_set1_groups_list(serverssl
, group_name
))
9003 || !TEST_true(SSL_set1_groups_list(clientssl
, group_name
)))
9006 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9009 if (!TEST_str_eq(group_name
,
9010 SSL_group_to_name(serverssl
, SSL_get_shared_group(serverssl
, 0))))
9016 SSL_free(serverssl
);
9017 SSL_free(clientssl
);
9020 OSSL_PROVIDER_unload(tlsprov
);
9021 OSSL_PROVIDER_unload(legacyprov
);
9027 #ifndef OPENSSL_NO_TLS1_2
9028 static int test_ssl_dup(void)
9030 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9031 SSL
*clientssl
= NULL
, *serverssl
= NULL
, *client2ssl
= NULL
;
9033 BIO
*rbio
= NULL
, *wbio
= NULL
;
9035 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9036 TLS_client_method(),
9039 &sctx
, &cctx
, cert
, privkey
)))
9042 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9046 if (!TEST_true(SSL_set_min_proto_version(clientssl
, TLS1_2_VERSION
))
9047 || !TEST_true(SSL_set_max_proto_version(clientssl
, TLS1_2_VERSION
)))
9050 client2ssl
= SSL_dup(clientssl
);
9051 rbio
= SSL_get_rbio(clientssl
);
9053 || !TEST_true(BIO_up_ref(rbio
)))
9055 SSL_set0_rbio(client2ssl
, rbio
);
9058 wbio
= SSL_get_wbio(clientssl
);
9059 if (!TEST_ptr(wbio
) || !TEST_true(BIO_up_ref(wbio
)))
9061 SSL_set0_wbio(client2ssl
, wbio
);
9064 if (!TEST_ptr(client2ssl
)
9065 /* Handshake not started so pointers should be different */
9066 || !TEST_ptr_ne(clientssl
, client2ssl
))
9069 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl
), TLS1_2_VERSION
)
9070 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl
), TLS1_2_VERSION
))
9073 if (!TEST_true(create_ssl_connection(serverssl
, client2ssl
, SSL_ERROR_NONE
)))
9076 SSL_free(clientssl
);
9077 clientssl
= SSL_dup(client2ssl
);
9078 if (!TEST_ptr(clientssl
)
9079 /* Handshake has finished so pointers should be the same */
9080 || !TEST_ptr_eq(clientssl
, client2ssl
))
9086 SSL_free(serverssl
);
9087 SSL_free(clientssl
);
9088 SSL_free(client2ssl
);
9095 # ifndef OPENSSL_NO_DH
9097 static EVP_PKEY
*tmp_dh_params
= NULL
;
9099 /* Helper function for the test_set_tmp_dh() tests */
9100 static EVP_PKEY
*get_tmp_dh_params(void)
9102 if (tmp_dh_params
== NULL
) {
9104 OSSL_PARAM_BLD
*tmpl
= NULL
;
9105 EVP_PKEY_CTX
*pctx
= NULL
;
9106 OSSL_PARAM
*params
= NULL
;
9107 EVP_PKEY
*dhpkey
= NULL
;
9109 p
= BN_get_rfc3526_prime_2048(NULL
);
9113 pctx
= EVP_PKEY_CTX_new_from_name(libctx
, "DH", NULL
);
9115 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx
), 1))
9118 tmpl
= OSSL_PARAM_BLD_new();
9120 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl
,
9121 OSSL_PKEY_PARAM_FFC_P
,
9123 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl
,
9124 OSSL_PKEY_PARAM_FFC_G
,
9128 params
= OSSL_PARAM_BLD_to_param(tmpl
);
9129 if (!TEST_ptr(params
)
9130 || !TEST_int_eq(EVP_PKEY_fromdata(pctx
, &dhpkey
,
9131 EVP_PKEY_KEY_PARAMETERS
,
9135 tmp_dh_params
= dhpkey
;
9138 EVP_PKEY_CTX_free(pctx
);
9139 OSSL_PARAM_BLD_free(tmpl
);
9140 OSSL_PARAM_free(params
);
9143 if (tmp_dh_params
!= NULL
&& !EVP_PKEY_up_ref(tmp_dh_params
))
9146 return tmp_dh_params
;
9149 # ifndef OPENSSL_NO_DEPRECATED_3_0
9150 /* Callback used by test_set_tmp_dh() */
9151 static DH
*tmp_dh_callback(SSL
*s
, int is_export
, int keylen
)
9153 EVP_PKEY
*dhpkey
= get_tmp_dh_params();
9156 if (!TEST_ptr(dhpkey
))
9160 * libssl does not free the returned DH, so we free it now knowing that even
9161 * after we free dhpkey, there will still be a reference to the owning
9162 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9163 * of time we need it for.
9165 ret
= EVP_PKEY_get1_DH(dhpkey
);
9168 EVP_PKEY_free(dhpkey
);
9175 * Test the various methods for setting temporary DH parameters
9177 * Test 0: Default (no auto) setting
9178 * Test 1: Explicit SSL_CTX auto off
9179 * Test 2: Explicit SSL auto off
9180 * Test 3: Explicit SSL_CTX auto on
9181 * Test 4: Explicit SSL auto on
9182 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9183 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9185 * The following are testing deprecated APIs, so we only run them if available
9186 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9187 * Test 8: Explicit SSL auto off, custom DH params via DH
9188 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9189 * Test 10: Explicit SSL auto off, custom DH params via callback
9191 static int test_set_tmp_dh(int idx
)
9193 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9194 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9196 int dhauto
= (idx
== 3 || idx
== 4) ? 1 : 0;
9197 int expected
= (idx
<= 2) ? 0 : 1;
9198 EVP_PKEY
*dhpkey
= NULL
;
9199 # ifndef OPENSSL_NO_DEPRECATED_3_0
9207 if (idx
>= 5 && idx
<= 8) {
9208 dhpkey
= get_tmp_dh_params();
9209 if (!TEST_ptr(dhpkey
))
9212 # ifndef OPENSSL_NO_DEPRECATED_3_0
9213 if (idx
== 7 || idx
== 8) {
9214 dh
= EVP_PKEY_get1_DH(dhpkey
);
9220 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9221 TLS_client_method(),
9224 &sctx
, &cctx
, cert
, privkey
)))
9227 if ((idx
& 1) == 1) {
9228 if (!TEST_true(SSL_CTX_set_dh_auto(sctx
, dhauto
)))
9233 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx
, dhpkey
)))
9237 # ifndef OPENSSL_NO_DEPRECATED_3_0
9238 else if (idx
== 7) {
9239 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx
, dh
)))
9241 } else if (idx
== 9) {
9242 SSL_CTX_set_tmp_dh_callback(sctx
, tmp_dh_callback
);
9246 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9250 if ((idx
& 1) == 0 && idx
!= 0) {
9251 if (!TEST_true(SSL_set_dh_auto(serverssl
, dhauto
)))
9255 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl
, dhpkey
)))
9259 # ifndef OPENSSL_NO_DEPRECATED_3_0
9260 else if (idx
== 8) {
9261 if (!TEST_true(SSL_set_tmp_dh(serverssl
, dh
)))
9263 } else if (idx
== 10) {
9264 SSL_set_tmp_dh_callback(serverssl
, tmp_dh_callback
);
9268 if (!TEST_true(SSL_set_min_proto_version(serverssl
, TLS1_2_VERSION
))
9269 || !TEST_true(SSL_set_max_proto_version(serverssl
, TLS1_2_VERSION
))
9270 || !TEST_true(SSL_set_cipher_list(serverssl
, "DHE-RSA-AES128-SHA")))
9274 * If autoon then we should succeed. Otherwise we expect failure because
9275 * there are no parameters
9277 if (!TEST_int_eq(create_ssl_connection(serverssl
, clientssl
,
9278 SSL_ERROR_NONE
), expected
))
9284 # ifndef OPENSSL_NO_DEPRECATED_3_0
9287 SSL_free(serverssl
);
9288 SSL_free(clientssl
);
9291 EVP_PKEY_free(dhpkey
);
9297 * Test the auto DH keys are appropriately sized
9299 static int test_dh_auto(int idx
)
9301 SSL_CTX
*cctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_client_method());
9302 SSL_CTX
*sctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9303 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9305 EVP_PKEY
*tmpkey
= NULL
;
9306 char *thiscert
= NULL
, *thiskey
= NULL
;
9307 size_t expdhsize
= 0;
9308 const char *ciphersuite
= "DHE-RSA-AES128-SHA";
9310 if (!TEST_ptr(sctx
) || !TEST_ptr(cctx
))
9315 /* The FIPS provider doesn't support this DH size - so we ignore it */
9320 thiscert
= cert1024
;
9321 thiskey
= privkey1024
;
9323 SSL_CTX_set_security_level(sctx
, 1);
9324 SSL_CTX_set_security_level(cctx
, 1);
9327 /* 2048 bit prime */
9333 thiscert
= cert3072
;
9334 thiskey
= privkey3072
;
9338 thiscert
= cert4096
;
9339 thiskey
= privkey4096
;
9343 thiscert
= cert8192
;
9344 thiskey
= privkey8192
;
9347 /* No certificate cases */
9349 /* The FIPS provider doesn't support this DH size - so we ignore it */
9354 ciphersuite
= "ADH-AES128-SHA256:@SECLEVEL=0";
9358 ciphersuite
= "ADH-AES256-SHA256:@SECLEVEL=0";
9362 TEST_error("Invalid text index");
9366 if (!TEST_true(create_ssl_ctx_pair(libctx
, NULL
,
9370 &sctx
, &cctx
, thiscert
, thiskey
)))
9373 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
9377 if (!TEST_true(SSL_set_dh_auto(serverssl
, 1))
9378 || !TEST_true(SSL_set_min_proto_version(serverssl
, TLS1_2_VERSION
))
9379 || !TEST_true(SSL_set_max_proto_version(serverssl
, TLS1_2_VERSION
))
9380 || !TEST_true(SSL_set_cipher_list(serverssl
, ciphersuite
))
9381 || !TEST_true(SSL_set_cipher_list(clientssl
, ciphersuite
)))
9385 * Send the server's first flight. At this point the server has created the
9386 * temporary DH key but hasn't finished using it yet. Once used it is
9387 * removed, so we cannot test it.
9389 if (!TEST_int_le(SSL_connect(clientssl
), 0)
9390 || !TEST_int_le(SSL_accept(serverssl
), 0))
9393 if (!TEST_int_gt(SSL_get_tmp_key(serverssl
, &tmpkey
), 0))
9395 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey
), expdhsize
))
9398 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9404 SSL_free(serverssl
);
9405 SSL_free(clientssl
);
9408 EVP_PKEY_free(tmpkey
);
9413 # endif /* OPENSSL_NO_DH */
9414 #endif /* OPENSSL_NO_TLS1_2 */
9416 #ifndef OSSL_NO_USABLE_TLS1_3
9418 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9419 * that it works even without a certificate configured for the original
9422 static int test_sni_tls13(void)
9424 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
9425 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9428 /* Reset callback counter */
9431 /* Create an initial SSL_CTX with no certificate configured */
9432 sctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9433 if (!TEST_ptr(sctx
))
9435 /* Require TLSv1.3 as a minimum */
9436 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9437 TLS_client_method(), TLS1_3_VERSION
, 0,
9438 &sctx2
, &cctx
, cert
, privkey
)))
9442 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
, sni_cb
))
9443 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx
, sctx2
)))
9447 * Connection should still succeed because the final SSL_CTX has the right
9448 * certificates configured.
9450 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
9451 &clientssl
, NULL
, NULL
))
9452 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
9456 /* We should have had the SNI callback called exactly once */
9457 if (!TEST_int_eq(snicb
, 1))
9463 SSL_free(serverssl
);
9464 SSL_free(clientssl
);
9465 SSL_CTX_free(sctx2
);
9472 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9476 static int test_ticket_lifetime(int idx
)
9478 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9479 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9481 int version
= TLS1_3_VERSION
;
9483 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9484 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9487 #ifdef OPENSSL_NO_TLS1_2
9488 return TEST_skip("TLS 1.2 is disabled.");
9490 version
= TLS1_2_VERSION
;
9494 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9495 TLS_client_method(), version
, version
,
9496 &sctx
, &cctx
, cert
, privkey
)))
9499 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
9500 &clientssl
, NULL
, NULL
)))
9504 * Set the timeout to be more than 1 week
9505 * make sure the returned value is the default
9507 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx
, TWO_WEEK_SEC
),
9508 SSL_get_default_timeout(serverssl
)))
9511 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9515 /* TLSv1.2 uses the set value */
9516 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl
)), TWO_WEEK_SEC
))
9519 /* TLSv1.3 uses the limited value */
9520 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl
)), ONE_WEEK_SEC
))
9526 SSL_free(serverssl
);
9527 SSL_free(clientssl
);
9534 * Test that setting an ALPN does not violate RFC
9536 static int test_set_alpn(void)
9538 SSL_CTX
*ctx
= NULL
;
9542 unsigned char bad0
[] = { 0x00, 'b', 'a', 'd' };
9543 unsigned char good
[] = { 0x04, 'g', 'o', 'o', 'd' };
9544 unsigned char bad1
[] = { 0x01, 'b', 'a', 'd' };
9545 unsigned char bad2
[] = { 0x03, 'b', 'a', 'd', 0x00};
9546 unsigned char bad3
[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9547 unsigned char bad4
[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9549 /* Create an initial SSL_CTX with no certificate configured */
9550 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9554 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9555 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx
, NULL
, 2)))
9557 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx
, good
, 0)))
9559 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx
, good
, sizeof(good
))))
9561 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, good
, 1)))
9563 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad0
, sizeof(bad0
))))
9565 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad1
, sizeof(bad1
))))
9567 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad2
, sizeof(bad2
))))
9569 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad3
, sizeof(bad3
))))
9571 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx
, bad4
, sizeof(bad4
))))
9578 if (!TEST_false(SSL_set_alpn_protos(ssl
, NULL
, 2)))
9580 if (!TEST_false(SSL_set_alpn_protos(ssl
, good
, 0)))
9582 if (!TEST_false(SSL_set_alpn_protos(ssl
, good
, sizeof(good
))))
9584 if (!TEST_true(SSL_set_alpn_protos(ssl
, good
, 1)))
9586 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad0
, sizeof(bad0
))))
9588 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad1
, sizeof(bad1
))))
9590 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad2
, sizeof(bad2
))))
9592 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad3
, sizeof(bad3
))))
9594 if (!TEST_true(SSL_set_alpn_protos(ssl
, bad4
, sizeof(bad4
))))
9606 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9608 static int test_set_verify_cert_store_ssl_ctx(void)
9610 SSL_CTX
*ctx
= NULL
;
9612 X509_STORE
*store
= NULL
, *new_store
= NULL
,
9613 *cstore
= NULL
, *new_cstore
= NULL
;
9615 /* Create an initial SSL_CTX. */
9616 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9620 /* Retrieve verify store pointer. */
9621 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx
, &store
)))
9624 /* Retrieve chain store pointer. */
9625 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx
, &cstore
)))
9628 /* We haven't set any yet, so this should be NULL. */
9629 if (!TEST_ptr_null(store
) || !TEST_ptr_null(cstore
))
9632 /* Create stores. We use separate stores so pointers are different. */
9633 new_store
= X509_STORE_new();
9634 if (!TEST_ptr(new_store
))
9637 new_cstore
= X509_STORE_new();
9638 if (!TEST_ptr(new_cstore
))
9642 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx
, new_store
)))
9645 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx
, new_cstore
)))
9648 /* Should be able to retrieve the same pointer. */
9649 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx
, &store
)))
9652 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx
, &cstore
)))
9655 if (!TEST_ptr_eq(store
, new_store
) || !TEST_ptr_eq(cstore
, new_cstore
))
9658 /* Should be able to unset again. */
9659 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx
, NULL
)))
9662 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx
, NULL
)))
9665 /* Should now be NULL. */
9666 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx
, &store
)))
9669 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx
, &cstore
)))
9672 if (!TEST_ptr_null(store
) || !TEST_ptr_null(cstore
))
9678 X509_STORE_free(new_store
);
9679 X509_STORE_free(new_cstore
);
9685 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9687 static int test_set_verify_cert_store_ssl(void)
9689 SSL_CTX
*ctx
= NULL
;
9692 X509_STORE
*store
= NULL
, *new_store
= NULL
,
9693 *cstore
= NULL
, *new_cstore
= NULL
;
9695 /* Create an initial SSL_CTX. */
9696 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9700 /* Create an SSL object. */
9705 /* Retrieve verify store pointer. */
9706 if (!TEST_true(SSL_get0_verify_cert_store(ssl
, &store
)))
9709 /* Retrieve chain store pointer. */
9710 if (!TEST_true(SSL_get0_chain_cert_store(ssl
, &cstore
)))
9713 /* We haven't set any yet, so this should be NULL. */
9714 if (!TEST_ptr_null(store
) || !TEST_ptr_null(cstore
))
9717 /* Create stores. We use separate stores so pointers are different. */
9718 new_store
= X509_STORE_new();
9719 if (!TEST_ptr(new_store
))
9722 new_cstore
= X509_STORE_new();
9723 if (!TEST_ptr(new_cstore
))
9727 if (!TEST_true(SSL_set1_verify_cert_store(ssl
, new_store
)))
9730 if (!TEST_true(SSL_set1_chain_cert_store(ssl
, new_cstore
)))
9733 /* Should be able to retrieve the same pointer. */
9734 if (!TEST_true(SSL_get0_verify_cert_store(ssl
, &store
)))
9737 if (!TEST_true(SSL_get0_chain_cert_store(ssl
, &cstore
)))
9740 if (!TEST_ptr_eq(store
, new_store
) || !TEST_ptr_eq(cstore
, new_cstore
))
9743 /* Should be able to unset again. */
9744 if (!TEST_true(SSL_set1_verify_cert_store(ssl
, NULL
)))
9747 if (!TEST_true(SSL_set1_chain_cert_store(ssl
, NULL
)))
9750 /* Should now be NULL. */
9751 if (!TEST_true(SSL_get0_verify_cert_store(ssl
, &store
)))
9754 if (!TEST_true(SSL_get0_chain_cert_store(ssl
, &cstore
)))
9757 if (!TEST_ptr_null(store
) || !TEST_ptr_null(cstore
))
9763 X509_STORE_free(new_store
);
9764 X509_STORE_free(new_cstore
);
9771 static int test_inherit_verify_param(void)
9775 SSL_CTX
*ctx
= NULL
;
9776 X509_VERIFY_PARAM
*cp
= NULL
;
9778 X509_VERIFY_PARAM
*sp
= NULL
;
9779 int hostflags
= X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
;
9781 ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_server_method());
9785 cp
= SSL_CTX_get0_param(ctx
);
9788 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp
), 0))
9791 X509_VERIFY_PARAM_set_hostflags(cp
, hostflags
);
9797 sp
= SSL_get0_param(ssl
);
9800 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp
), hostflags
))
9812 static int test_load_dhfile(void)
9814 #ifndef OPENSSL_NO_DH
9817 SSL_CTX
*ctx
= NULL
;
9818 SSL_CONF_CTX
*cctx
= NULL
;
9823 if (!TEST_ptr(ctx
= SSL_CTX_new_ex(libctx
, NULL
, TLS_client_method()))
9824 || !TEST_ptr(cctx
= SSL_CONF_CTX_new()))
9827 SSL_CONF_CTX_set_ssl_ctx(cctx
, ctx
);
9828 SSL_CONF_CTX_set_flags(cctx
,
9829 SSL_CONF_FLAG_CERTIFICATE
9830 | SSL_CONF_FLAG_SERVER
9831 | SSL_CONF_FLAG_FILE
);
9833 if (!TEST_int_eq(SSL_CONF_cmd(cctx
, "DHParameters", dhfile
), 2))
9838 SSL_CONF_CTX_free(cctx
);
9843 return TEST_skip("DH not supported by this build");
9847 #ifndef OSSL_NO_USABLE_TLS1_3
9848 /* Test that read_ahead works across a key change */
9849 static int test_read_ahead_key_change(void)
9851 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
9852 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
9854 char *msg
= "Hello World";
9855 size_t written
, readbytes
;
9859 if (!TEST_true(create_ssl_ctx_pair(libctx
, TLS_server_method(),
9860 TLS_client_method(), TLS1_3_VERSION
, 0,
9861 &sctx
, &cctx
, cert
, privkey
)))
9864 SSL_CTX_set_read_ahead(sctx
, 1);
9866 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
9867 &clientssl
, NULL
, NULL
)))
9870 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
9873 /* Write some data, send a key update, write more data */
9874 if (!TEST_true(SSL_write_ex(clientssl
, msg
, strlen(msg
), &written
))
9875 || !TEST_size_t_eq(written
, strlen(msg
)))
9878 if (!TEST_true(SSL_key_update(clientssl
, SSL_KEY_UPDATE_NOT_REQUESTED
)))
9881 if (!TEST_true(SSL_write_ex(clientssl
, msg
, strlen(msg
), &written
))
9882 || !TEST_size_t_eq(written
, strlen(msg
)))
9886 * Since read_ahead is on the first read below should read the record with
9887 * the first app data, the second record with the key update message, and
9888 * the third record with the app data all in one go. We should be able to
9889 * still process the read_ahead data correctly even though it crosses
9892 for (i
= 0; i
< 2; i
++) {
9893 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
) - 1,
9897 buf
[readbytes
] = '\0';
9898 if (!TEST_str_eq(buf
, msg
))
9905 SSL_free(serverssl
);
9906 SSL_free(clientssl
);
9911 #endif /* OSSL_NO_USABLE_TLS1_3 */
9913 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
9915 int setup_tests(void)
9920 libctx
= OSSL_LIB_CTX_new();
9921 if (!TEST_ptr(libctx
))
9924 defctxnull
= OSSL_PROVIDER_load(NULL
, "null");
9927 * Verify that the default and fips providers in the default libctx are not
9930 if (!TEST_false(OSSL_PROVIDER_available(NULL
, "default"))
9931 || !TEST_false(OSSL_PROVIDER_available(NULL
, "fips")))
9934 if (!test_skip_common_options()) {
9935 TEST_error("Error parsing test options\n");
9939 if (!TEST_ptr(certsdir
= test_get_argument(0))
9940 || !TEST_ptr(srpvfile
= test_get_argument(1))
9941 || !TEST_ptr(tmpfilename
= test_get_argument(2))
9942 || !TEST_ptr(modulename
= test_get_argument(3))
9943 || !TEST_ptr(configfile
= test_get_argument(4))
9944 || !TEST_ptr(dhfile
= test_get_argument(5)))
9947 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx
, configfile
)))
9950 /* Check we have the expected provider available */
9951 if (!TEST_true(OSSL_PROVIDER_available(libctx
, modulename
)))
9954 /* Check the default provider is not available */
9955 if (strcmp(modulename
, "default") != 0
9956 && !TEST_false(OSSL_PROVIDER_available(libctx
, "default")))
9959 if (strcmp(modulename
, "fips") == 0)
9963 * We add, but don't load the test "tls-provider". We'll load it when we
9966 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx
, "tls-provider",
9967 tls_provider_init
)))
9971 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL
) {
9972 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
9973 TEST_error("not supported in this build");
9976 int i
, mcount
, rcount
, fcount
;
9978 for (i
= 0; i
< 4; i
++)
9979 test_export_key_mat(i
);
9980 CRYPTO_get_alloc_counts(&mcount
, &rcount
, &fcount
);
9981 test_printf_stdout("malloc %d realloc %d free %d\n",
9982 mcount
, rcount
, fcount
);
9987 cert
= test_mk_file_path(certsdir
, "servercert.pem");
9991 privkey
= test_mk_file_path(certsdir
, "serverkey.pem");
9992 if (privkey
== NULL
)
9995 cert2
= test_mk_file_path(certsdir
, "server-ecdsa-cert.pem");
9999 privkey2
= test_mk_file_path(certsdir
, "server-ecdsa-key.pem");
10000 if (privkey2
== NULL
)
10003 cert1024
= test_mk_file_path(certsdir
, "ee-cert-1024.pem");
10004 if (cert1024
== NULL
)
10007 privkey1024
= test_mk_file_path(certsdir
, "ee-key-1024.pem");
10008 if (privkey1024
== NULL
)
10011 cert3072
= test_mk_file_path(certsdir
, "ee-cert-3072.pem");
10012 if (cert3072
== NULL
)
10015 privkey3072
= test_mk_file_path(certsdir
, "ee-key-3072.pem");
10016 if (privkey3072
== NULL
)
10019 cert4096
= test_mk_file_path(certsdir
, "ee-cert-4096.pem");
10020 if (cert4096
== NULL
)
10023 privkey4096
= test_mk_file_path(certsdir
, "ee-key-4096.pem");
10024 if (privkey4096
== NULL
)
10027 cert8192
= test_mk_file_path(certsdir
, "ee-cert-8192.pem");
10028 if (cert8192
== NULL
)
10031 privkey8192
= test_mk_file_path(certsdir
, "ee-key-8192.pem");
10032 if (privkey8192
== NULL
)
10035 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
10036 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
10037 ADD_ALL_TESTS(test_ktls
, NUM_KTLS_TEST_CIPHERS
* 4);
10038 ADD_ALL_TESTS(test_ktls_sendfile
, NUM_KTLS_TEST_CIPHERS
);
10041 ADD_TEST(test_large_message_tls
);
10042 ADD_TEST(test_large_message_tls_read_ahead
);
10043 #ifndef OPENSSL_NO_DTLS
10044 ADD_TEST(test_large_message_dtls
);
10046 ADD_TEST(test_cleanse_plaintext
);
10047 #ifndef OPENSSL_NO_OCSP
10048 ADD_TEST(test_tlsext_status_type
);
10050 ADD_TEST(test_session_with_only_int_cache
);
10051 ADD_TEST(test_session_with_only_ext_cache
);
10052 ADD_TEST(test_session_with_both_cache
);
10053 ADD_TEST(test_session_wo_ca_names
);
10054 #ifndef OSSL_NO_USABLE_TLS1_3
10055 ADD_ALL_TESTS(test_stateful_tickets
, 3);
10056 ADD_ALL_TESTS(test_stateless_tickets
, 3);
10057 ADD_TEST(test_psk_tickets
);
10058 ADD_ALL_TESTS(test_extra_tickets
, 6);
10060 ADD_ALL_TESTS(test_ssl_set_bio
, TOTAL_SSL_SET_BIO_TESTS
);
10061 ADD_TEST(test_ssl_bio_pop_next_bio
);
10062 ADD_TEST(test_ssl_bio_pop_ssl_bio
);
10063 ADD_TEST(test_ssl_bio_change_rbio
);
10064 ADD_TEST(test_ssl_bio_change_wbio
);
10065 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
10066 ADD_ALL_TESTS(test_set_sigalgs
, OSSL_NELEM(testsigalgs
) * 2);
10067 ADD_TEST(test_keylog
);
10069 #ifndef OSSL_NO_USABLE_TLS1_3
10070 ADD_TEST(test_keylog_no_master_key
);
10072 ADD_TEST(test_client_cert_verify_cb
);
10073 ADD_TEST(test_ssl_build_cert_chain
);
10074 ADD_TEST(test_ssl_ctx_build_cert_chain
);
10075 #ifndef OPENSSL_NO_TLS1_2
10076 ADD_TEST(test_client_hello_cb
);
10077 ADD_TEST(test_no_ems
);
10078 ADD_TEST(test_ccs_change_cipher
);
10080 #ifndef OSSL_NO_USABLE_TLS1_3
10081 ADD_ALL_TESTS(test_early_data_read_write
, 3);
10083 * We don't do replay tests for external PSK. Replay protection isn't used
10084 * in that scenario.
10086 ADD_ALL_TESTS(test_early_data_replay
, 2);
10087 ADD_ALL_TESTS(test_early_data_skip
, 3);
10088 ADD_ALL_TESTS(test_early_data_skip_hrr
, 3);
10089 ADD_ALL_TESTS(test_early_data_skip_hrr_fail
, 3);
10090 ADD_ALL_TESTS(test_early_data_skip_abort
, 3);
10091 ADD_ALL_TESTS(test_early_data_not_sent
, 3);
10092 ADD_ALL_TESTS(test_early_data_psk
, 8);
10093 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers
, 5);
10094 ADD_ALL_TESTS(test_early_data_not_expected
, 3);
10095 # ifndef OPENSSL_NO_TLS1_2
10096 ADD_ALL_TESTS(test_early_data_tls1_2
, 3);
10099 #ifndef OSSL_NO_USABLE_TLS1_3
10100 ADD_ALL_TESTS(test_set_ciphersuite
, 10);
10101 ADD_TEST(test_ciphersuite_change
);
10102 ADD_ALL_TESTS(test_tls13_ciphersuite
, 4);
10103 # ifdef OPENSSL_NO_PSK
10104 ADD_ALL_TESTS(test_tls13_psk
, 1);
10106 ADD_ALL_TESTS(test_tls13_psk
, 4);
10107 # endif /* OPENSSL_NO_PSK */
10108 # ifndef OPENSSL_NO_TLS1_2
10109 /* Test with both TLSv1.3 and 1.2 versions */
10110 ADD_ALL_TESTS(test_key_exchange
, 14);
10111 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10112 ADD_ALL_TESTS(test_negotiated_group
,
10113 4 * (OSSL_NELEM(ecdhe_kexch_groups
)
10114 + OSSL_NELEM(ffdhe_kexch_groups
)));
10117 /* Test with only TLSv1.3 versions */
10118 ADD_ALL_TESTS(test_key_exchange
, 12);
10120 ADD_ALL_TESTS(test_custom_exts
, 6);
10121 ADD_TEST(test_stateless
);
10122 ADD_TEST(test_pha_key_update
);
10124 ADD_ALL_TESTS(test_custom_exts
, 3);
10126 ADD_ALL_TESTS(test_serverinfo
, 8);
10127 ADD_ALL_TESTS(test_export_key_mat
, 6);
10128 #ifndef OSSL_NO_USABLE_TLS1_3
10129 ADD_ALL_TESTS(test_export_key_mat_early
, 3);
10130 ADD_TEST(test_key_update
);
10131 ADD_ALL_TESTS(test_key_update_peer_in_write
, 2);
10132 ADD_ALL_TESTS(test_key_update_peer_in_read
, 2);
10133 ADD_ALL_TESTS(test_key_update_local_in_write
, 2);
10134 ADD_ALL_TESTS(test_key_update_local_in_read
, 2);
10136 ADD_ALL_TESTS(test_ssl_clear
, 2);
10137 ADD_ALL_TESTS(test_max_fragment_len_ext
, OSSL_NELEM(max_fragment_len_test
));
10138 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10139 ADD_ALL_TESTS(test_srp
, 6);
10141 ADD_ALL_TESTS(test_info_callback
, 6);
10142 ADD_ALL_TESTS(test_ssl_pending
, 2);
10143 ADD_ALL_TESTS(test_ssl_get_shared_ciphers
, OSSL_NELEM(shared_ciphers_data
));
10144 ADD_ALL_TESTS(test_ticket_callbacks
, 16);
10145 ADD_ALL_TESTS(test_shutdown
, 7);
10146 ADD_ALL_TESTS(test_incorrect_shutdown
, 2);
10147 ADD_ALL_TESTS(test_cert_cb
, 6);
10148 ADD_ALL_TESTS(test_client_cert_cb
, 2);
10149 ADD_ALL_TESTS(test_ca_names
, 3);
10150 #ifndef OPENSSL_NO_TLS1_2
10151 ADD_ALL_TESTS(test_multiblock_write
, OSSL_NELEM(multiblock_cipherlist_data
));
10153 ADD_ALL_TESTS(test_servername
, 10);
10154 #if !defined(OPENSSL_NO_EC) \
10155 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10156 ADD_ALL_TESTS(test_sigalgs_available
, 6);
10158 #ifndef OPENSSL_NO_TLS1_3
10159 ADD_ALL_TESTS(test_pluggable_group
, 2);
10161 #ifndef OPENSSL_NO_TLS1_2
10162 ADD_TEST(test_ssl_dup
);
10163 # ifndef OPENSSL_NO_DH
10164 ADD_ALL_TESTS(test_set_tmp_dh
, 11);
10165 ADD_ALL_TESTS(test_dh_auto
, 7);
10168 #ifndef OSSL_NO_USABLE_TLS1_3
10169 ADD_TEST(test_sni_tls13
);
10170 ADD_ALL_TESTS(test_ticket_lifetime
, 2);
10172 ADD_TEST(test_inherit_verify_param
);
10173 ADD_TEST(test_set_alpn
);
10174 ADD_TEST(test_set_verify_cert_store_ssl_ctx
);
10175 ADD_TEST(test_set_verify_cert_store_ssl
);
10176 ADD_ALL_TESTS(test_session_timeout
, 1);
10177 ADD_TEST(test_load_dhfile
);
10178 #ifndef OSSL_NO_USABLE_TLS1_3
10179 ADD_TEST(test_read_ahead_key_change
);
10184 OPENSSL_free(cert
);
10185 OPENSSL_free(privkey
);
10186 OPENSSL_free(cert2
);
10187 OPENSSL_free(privkey2
);
10191 void cleanup_tests(void)
10193 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10194 EVP_PKEY_free(tmp_dh_params
);
10196 OPENSSL_free(cert
);
10197 OPENSSL_free(privkey
);
10198 OPENSSL_free(cert2
);
10199 OPENSSL_free(privkey2
);
10200 OPENSSL_free(cert1024
);
10201 OPENSSL_free(privkey1024
);
10202 OPENSSL_free(cert3072
);
10203 OPENSSL_free(privkey3072
);
10204 OPENSSL_free(cert4096
);
10205 OPENSSL_free(privkey4096
);
10206 OPENSSL_free(cert8192
);
10207 OPENSSL_free(privkey8192
);
10208 bio_s_mempacket_test_free();
10209 bio_s_always_retry_free();
10210 OSSL_PROVIDER_unload(defctxnull
);
10211 OSSL_LIB_CTX_free(libctx
);