2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_numbers.h>
32 #include <openssl/provider.h>
34 #include "ssltestlib.h"
36 #include "testutil/output.h"
37 #include "internal/nelem.h"
38 #include "internal/ktls.h"
39 #include "../ssl/ssl_local.h"
41 /* Defined in filterprov.c */
42 OSSL_provider_init_fn filter_provider_init;
43 int filter_provider_set_filter(int operation, const char *name);
45 DEFINE_STACK_OF(OCSP_RESPID)
47 DEFINE_STACK_OF(X509_NAME)
49 static OPENSSL_CTX *libctx = NULL;
50 static OSSL_PROVIDER *defctxnull = NULL;
52 #ifndef OPENSSL_NO_TLS1_3
54 static SSL_SESSION *clientpsk = NULL;
55 static SSL_SESSION *serverpsk = NULL;
56 static const char *pskid = "Identity";
57 static const char *srvid;
59 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
60 size_t *idlen, SSL_SESSION **sess);
61 static int find_session_cb(SSL *ssl, const unsigned char *identity,
62 size_t identity_len, SSL_SESSION **sess);
64 static int use_session_cb_cnt = 0;
65 static int find_session_cb_cnt = 0;
67 static SSL_SESSION *create_a_psk(SSL *ssl);
70 static char *certsdir = NULL;
71 static char *cert = NULL;
72 static char *privkey = NULL;
73 static char *cert2 = NULL;
74 static char *privkey2 = NULL;
75 static char *srpvfile = NULL;
76 static char *tmpfilename = NULL;
78 static int is_fips = 0;
80 #define LOG_BUFFER_SIZE 2048
81 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
82 static size_t server_log_buffer_index = 0;
83 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
84 static size_t client_log_buffer_index = 0;
85 static int error_writing_log = 0;
87 #ifndef OPENSSL_NO_OCSP
88 static const unsigned char orespder[] = "Dummy OCSP Response";
89 static int ocsp_server_called = 0;
90 static int ocsp_client_called = 0;
92 static int cdummyarg = 1;
93 static X509 *ocspcert = NULL;
96 #define NUM_EXTRA_CERTS 40
97 #define CLIENT_VERSION_LEN 2
100 * This structure is used to validate that the correct number of log messages
101 * of various types are emitted when emitting secret logs.
103 struct sslapitest_log_counts {
104 unsigned int rsa_key_exchange_count;
105 unsigned int master_secret_count;
106 unsigned int client_early_secret_count;
107 unsigned int client_handshake_secret_count;
108 unsigned int server_handshake_secret_count;
109 unsigned int client_application_secret_count;
110 unsigned int server_application_secret_count;
111 unsigned int early_exporter_secret_count;
112 unsigned int exporter_secret_count;
116 static unsigned char serverinfov1[] = {
117 0xff, 0xff, /* Dummy extension type */
118 0x00, 0x01, /* Extension length is 1 byte */
119 0xff /* Dummy extension data */
122 static unsigned char serverinfov2[] = {
124 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
125 0xff, 0xff, /* Dummy extension type */
126 0x00, 0x01, /* Extension length is 1 byte */
127 0xff /* Dummy extension data */
130 static int hostname_cb(SSL *s, int *al, void *arg)
132 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
134 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
135 || strcmp(hostname, "altgoodhost") == 0))
136 return SSL_TLSEXT_ERR_OK;
138 return SSL_TLSEXT_ERR_NOACK;
141 static void client_keylog_callback(const SSL *ssl, const char *line)
143 int line_length = strlen(line);
145 /* If the log doesn't fit, error out. */
146 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
147 TEST_info("Client log too full");
148 error_writing_log = 1;
152 strcat(client_log_buffer, line);
153 client_log_buffer_index += line_length;
154 client_log_buffer[client_log_buffer_index++] = '\n';
157 static void server_keylog_callback(const SSL *ssl, const char *line)
159 int line_length = strlen(line);
161 /* If the log doesn't fit, error out. */
162 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
163 TEST_info("Server log too full");
164 error_writing_log = 1;
168 strcat(server_log_buffer, line);
169 server_log_buffer_index += line_length;
170 server_log_buffer[server_log_buffer_index++] = '\n';
173 static int compare_hex_encoded_buffer(const char *hex_encoded,
181 if (!TEST_size_t_eq(raw_length * 2, hex_length))
184 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
185 sprintf(hexed, "%02x", raw[i]);
186 if (!TEST_int_eq(hexed[0], hex_encoded[j])
187 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
194 static int test_keylog_output(char *buffer, const SSL *ssl,
195 const SSL_SESSION *session,
196 struct sslapitest_log_counts *expected)
199 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
200 size_t client_random_size = SSL3_RANDOM_SIZE;
201 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
202 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
203 unsigned int rsa_key_exchange_count = 0;
204 unsigned int master_secret_count = 0;
205 unsigned int client_early_secret_count = 0;
206 unsigned int client_handshake_secret_count = 0;
207 unsigned int server_handshake_secret_count = 0;
208 unsigned int client_application_secret_count = 0;
209 unsigned int server_application_secret_count = 0;
210 unsigned int early_exporter_secret_count = 0;
211 unsigned int exporter_secret_count = 0;
213 for (token = strtok(buffer, " \n"); token != NULL;
214 token = strtok(NULL, " \n")) {
215 if (strcmp(token, "RSA") == 0) {
217 * Premaster secret. Tokens should be: 16 ASCII bytes of
218 * hex-encoded encrypted secret, then the hex-encoded pre-master
221 if (!TEST_ptr(token = strtok(NULL, " \n")))
223 if (!TEST_size_t_eq(strlen(token), 16))
225 if (!TEST_ptr(token = strtok(NULL, " \n")))
228 * We can't sensibly check the log because the premaster secret is
229 * transient, and OpenSSL doesn't keep hold of it once the master
230 * secret is generated.
232 rsa_key_exchange_count++;
233 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
235 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
236 * client random, then the hex-encoded master secret.
238 client_random_size = SSL_get_client_random(ssl,
239 actual_client_random,
241 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
244 if (!TEST_ptr(token = strtok(NULL, " \n")))
246 if (!TEST_size_t_eq(strlen(token), 64))
248 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
249 actual_client_random,
250 client_random_size)))
253 if (!TEST_ptr(token = strtok(NULL, " \n")))
255 master_key_size = SSL_SESSION_get_master_key(session,
258 if (!TEST_size_t_ne(master_key_size, 0))
260 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
264 master_secret_count++;
265 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
266 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
267 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
268 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
269 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
270 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
271 || strcmp(token, "EXPORTER_SECRET") == 0) {
273 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
274 * client random, and then the hex-encoded secret. In this case,
275 * we treat all of these secrets identically and then just
276 * distinguish between them when counting what we saw.
278 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
279 client_early_secret_count++;
280 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
281 client_handshake_secret_count++;
282 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
283 server_handshake_secret_count++;
284 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
285 client_application_secret_count++;
286 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
287 server_application_secret_count++;
288 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
289 early_exporter_secret_count++;
290 else if (strcmp(token, "EXPORTER_SECRET") == 0)
291 exporter_secret_count++;
293 client_random_size = SSL_get_client_random(ssl,
294 actual_client_random,
296 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
299 if (!TEST_ptr(token = strtok(NULL, " \n")))
301 if (!TEST_size_t_eq(strlen(token), 64))
303 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
304 actual_client_random,
305 client_random_size)))
308 if (!TEST_ptr(token = strtok(NULL, " \n")))
312 * TODO(TLS1.3): test that application traffic secrets are what
315 TEST_info("Unexpected token %s\n", token);
320 /* Got what we expected? */
321 if (!TEST_size_t_eq(rsa_key_exchange_count,
322 expected->rsa_key_exchange_count)
323 || !TEST_size_t_eq(master_secret_count,
324 expected->master_secret_count)
325 || !TEST_size_t_eq(client_early_secret_count,
326 expected->client_early_secret_count)
327 || !TEST_size_t_eq(client_handshake_secret_count,
328 expected->client_handshake_secret_count)
329 || !TEST_size_t_eq(server_handshake_secret_count,
330 expected->server_handshake_secret_count)
331 || !TEST_size_t_eq(client_application_secret_count,
332 expected->client_application_secret_count)
333 || !TEST_size_t_eq(server_application_secret_count,
334 expected->server_application_secret_count)
335 || !TEST_size_t_eq(early_exporter_secret_count,
336 expected->early_exporter_secret_count)
337 || !TEST_size_t_eq(exporter_secret_count,
338 expected->exporter_secret_count))
343 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
344 static int test_keylog(void)
346 SSL_CTX *cctx = NULL, *sctx = NULL;
347 SSL *clientssl = NULL, *serverssl = NULL;
349 struct sslapitest_log_counts expected;
351 /* Clean up logging space */
352 memset(&expected, 0, sizeof(expected));
353 memset(client_log_buffer, 0, sizeof(client_log_buffer));
354 memset(server_log_buffer, 0, sizeof(server_log_buffer));
355 client_log_buffer_index = 0;
356 server_log_buffer_index = 0;
357 error_writing_log = 0;
359 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
362 &sctx, &cctx, cert, privkey)))
365 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
366 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
367 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
369 /* We also want to ensure that we use RSA-based key exchange. */
370 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
373 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
374 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
376 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
378 == client_keylog_callback))
380 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
381 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
382 == server_keylog_callback))
385 /* Now do a handshake and check that the logs have been written to. */
386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
387 &clientssl, NULL, NULL))
388 || !TEST_true(create_ssl_connection(serverssl, clientssl,
390 || !TEST_false(error_writing_log)
391 || !TEST_int_gt(client_log_buffer_index, 0)
392 || !TEST_int_gt(server_log_buffer_index, 0))
396 * Now we want to test that our output data was vaguely sensible. We
397 * do that by using strtok and confirming that we have more or less the
398 * data we expect. For both client and server, we expect to see one master
399 * secret. The client should also see a RSA key exchange.
401 expected.rsa_key_exchange_count = 1;
402 expected.master_secret_count = 1;
403 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
404 SSL_get_session(clientssl), &expected)))
407 expected.rsa_key_exchange_count = 0;
408 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
409 SSL_get_session(serverssl), &expected)))
424 #ifndef OPENSSL_NO_TLS1_3
425 static int test_keylog_no_master_key(void)
427 SSL_CTX *cctx = NULL, *sctx = NULL;
428 SSL *clientssl = NULL, *serverssl = NULL;
429 SSL_SESSION *sess = NULL;
431 struct sslapitest_log_counts expected;
432 unsigned char buf[1];
433 size_t readbytes, written;
435 /* Clean up logging space */
436 memset(&expected, 0, sizeof(expected));
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
441 error_writing_log = 0;
443 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
444 TLS_client_method(), TLS1_VERSION, 0,
445 &sctx, &cctx, cert, privkey))
446 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
447 SSL3_RT_MAX_PLAIN_LENGTH)))
450 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
451 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
454 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
456 == client_keylog_callback))
459 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
461 == server_keylog_callback))
464 /* Now do a handshake and check that the logs have been written to. */
465 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
466 &clientssl, NULL, NULL))
467 || !TEST_true(create_ssl_connection(serverssl, clientssl,
469 || !TEST_false(error_writing_log))
473 * Now we want to test that our output data was vaguely sensible. For this
474 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
475 * TLSv1.3, but we do expect both client and server to emit keys.
477 expected.client_handshake_secret_count = 1;
478 expected.server_handshake_secret_count = 1;
479 expected.client_application_secret_count = 1;
480 expected.server_application_secret_count = 1;
481 expected.exporter_secret_count = 1;
482 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
483 SSL_get_session(clientssl), &expected))
484 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
485 SSL_get_session(serverssl),
489 /* Terminate old session and resume with early data. */
490 sess = SSL_get1_session(clientssl);
491 SSL_shutdown(clientssl);
492 SSL_shutdown(serverssl);
495 serverssl = clientssl = NULL;
498 memset(client_log_buffer, 0, sizeof(client_log_buffer));
499 memset(server_log_buffer, 0, sizeof(server_log_buffer));
500 client_log_buffer_index = 0;
501 server_log_buffer_index = 0;
503 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
504 &clientssl, NULL, NULL))
505 || !TEST_true(SSL_set_session(clientssl, sess))
506 /* Here writing 0 length early data is enough. */
507 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
508 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
510 SSL_READ_EARLY_DATA_ERROR)
511 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
512 SSL_EARLY_DATA_ACCEPTED)
513 || !TEST_true(create_ssl_connection(serverssl, clientssl,
515 || !TEST_true(SSL_session_reused(clientssl)))
518 /* In addition to the previous entries, expect early secrets. */
519 expected.client_early_secret_count = 1;
520 expected.early_exporter_secret_count = 1;
521 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
522 SSL_get_session(clientssl), &expected))
523 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
524 SSL_get_session(serverssl),
531 SSL_SESSION_free(sess);
541 #ifndef OPENSSL_NO_TLS1_2
542 static int full_client_hello_callback(SSL *s, int *al, void *arg)
545 const unsigned char *p;
547 /* We only configure two ciphers, but the SCSV is added automatically. */
549 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
551 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
554 const int expected_extensions[] = {
555 #ifndef OPENSSL_NO_EC
561 /* Make sure we can defer processing and get called back. */
563 return SSL_CLIENT_HELLO_RETRY;
565 len = SSL_client_hello_get0_ciphers(s, &p);
566 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
568 SSL_client_hello_get0_compression_methods(s, &p), 1)
569 || !TEST_int_eq(*p, 0))
570 return SSL_CLIENT_HELLO_ERROR;
571 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
572 return SSL_CLIENT_HELLO_ERROR;
573 if (len != OSSL_NELEM(expected_extensions) ||
574 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
575 printf("ClientHello callback expected extensions mismatch\n");
577 return SSL_CLIENT_HELLO_ERROR;
580 return SSL_CLIENT_HELLO_SUCCESS;
583 static int test_client_hello_cb(void)
585 SSL_CTX *cctx = NULL, *sctx = NULL;
586 SSL *clientssl = NULL, *serverssl = NULL;
587 int testctr = 0, testresult = 0;
589 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
590 TLS_client_method(), TLS1_VERSION, 0,
591 &sctx, &cctx, cert, privkey)))
593 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
595 /* The gimpy cipher list we configure can't do TLS 1.3. */
596 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
598 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
599 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
600 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
601 &clientssl, NULL, NULL))
602 || !TEST_false(create_ssl_connection(serverssl, clientssl,
603 SSL_ERROR_WANT_CLIENT_HELLO_CB))
605 * Passing a -1 literal is a hack since
606 * the real value was lost.
608 || !TEST_int_eq(SSL_get_error(serverssl, -1),
609 SSL_ERROR_WANT_CLIENT_HELLO_CB)
610 || !TEST_true(create_ssl_connection(serverssl, clientssl,
625 static int test_no_ems(void)
627 SSL_CTX *cctx = NULL, *sctx = NULL;
628 SSL *clientssl = NULL, *serverssl = NULL;
631 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
632 TLS1_VERSION, TLS1_2_VERSION,
633 &sctx, &cctx, cert, privkey)) {
634 printf("Unable to create SSL_CTX pair\n");
638 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
640 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
641 printf("Unable to create SSL objects\n");
645 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
646 printf("Creating SSL connection failed\n");
650 if (SSL_get_extms_support(serverssl)) {
651 printf("Server reports Extended Master Secret support\n");
655 if (SSL_get_extms_support(clientssl)) {
656 printf("Client reports Extended Master Secret support\n");
671 * Very focused test to exercise a single case in the server-side state
672 * machine, when the ChangeCipherState message needs to actually change
673 * from one cipher to a different cipher (i.e., not changing from null
674 * encryption to real encryption).
676 static int test_ccs_change_cipher(void)
678 SSL_CTX *cctx = NULL, *sctx = NULL;
679 SSL *clientssl = NULL, *serverssl = NULL;
680 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
687 * Create a conection so we can resume and potentially (but not) use
688 * a different cipher in the second connection.
690 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
692 TLS1_VERSION, TLS1_2_VERSION,
693 &sctx, &cctx, cert, privkey))
694 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
695 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
697 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
698 || !TEST_true(create_ssl_connection(serverssl, clientssl,
700 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
701 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
704 shutdown_ssl_connection(serverssl, clientssl);
705 serverssl = clientssl = NULL;
707 /* Resume, preferring a different cipher. Our server will force the
708 * same cipher to be used as the initial handshake. */
709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
711 || !TEST_true(SSL_set_session(clientssl, sess))
712 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
713 || !TEST_true(create_ssl_connection(serverssl, clientssl,
715 || !TEST_true(SSL_session_reused(clientssl))
716 || !TEST_true(SSL_session_reused(serverssl))
717 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
718 || !TEST_ptr_eq(sesspre, sesspost)
719 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
720 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
722 shutdown_ssl_connection(serverssl, clientssl);
723 serverssl = clientssl = NULL;
726 * Now create a fresh connection and try to renegotiate a different
729 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
731 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
732 || !TEST_true(create_ssl_connection(serverssl, clientssl,
734 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
735 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
736 || !TEST_true(SSL_renegotiate(clientssl))
737 || !TEST_true(SSL_renegotiate_pending(clientssl)))
739 /* Actually drive the renegotiation. */
740 for (i = 0; i < 3; i++) {
741 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
742 if (!TEST_ulong_eq(readbytes, 0))
744 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
745 SSL_ERROR_WANT_READ)) {
748 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
749 if (!TEST_ulong_eq(readbytes, 0))
751 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
752 SSL_ERROR_WANT_READ)) {
756 /* sesspre and sesspost should be different since the cipher changed. */
757 if (!TEST_false(SSL_renegotiate_pending(clientssl))
758 || !TEST_false(SSL_session_reused(clientssl))
759 || !TEST_false(SSL_session_reused(serverssl))
760 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
761 || !TEST_ptr_ne(sesspre, sesspost)
762 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
763 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
766 shutdown_ssl_connection(serverssl, clientssl);
767 serverssl = clientssl = NULL;
776 SSL_SESSION_free(sess);
782 static int execute_test_large_message(const SSL_METHOD *smeth,
783 const SSL_METHOD *cmeth,
784 int min_version, int max_version,
787 SSL_CTX *cctx = NULL, *sctx = NULL;
788 SSL *clientssl = NULL, *serverssl = NULL;
792 X509 *chaincert = NULL;
795 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
797 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
800 if (!TEST_ptr(chaincert))
803 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
804 max_version, &sctx, &cctx, cert,
810 * Test that read_ahead works correctly when dealing with large
813 SSL_CTX_set_read_ahead(cctx, 1);
817 * We assume the supplied certificate is big enough so that if we add
818 * NUM_EXTRA_CERTS it will make the overall message large enough. The
819 * default buffer size is requested to be 16k, but due to the way BUF_MEM
820 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
821 * test we need to have a message larger than that.
823 certlen = i2d_X509(chaincert, NULL);
824 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
825 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
826 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
827 if (!X509_up_ref(chaincert))
829 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
830 X509_free(chaincert);
835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
837 || !TEST_true(create_ssl_connection(serverssl, clientssl,
842 * Calling SSL_clear() first is not required but this tests that SSL_clear()
845 if (!TEST_true(SSL_clear(serverssl)))
850 X509_free(chaincert);
859 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
860 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
861 #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
862 /* sock must be connected */
863 static int ktls_chk_platform(int sock)
865 if (!ktls_enable(sock))
870 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
872 static char count = 1;
873 unsigned char cbuf[16000] = {0};
874 unsigned char sbuf[16000];
876 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
877 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
878 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
879 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
880 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
881 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
882 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
883 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
886 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
887 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
888 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
889 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
891 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
894 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
895 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
900 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
903 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
904 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
909 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
910 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
911 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
912 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
914 /* verify the payload */
915 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
918 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
919 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
920 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
921 crec_wseq_after, rec_seq_size))
924 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
925 crec_wseq_after, rec_seq_size))
929 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
930 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
931 srec_wseq_after, rec_seq_size))
934 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
935 srec_wseq_after, rec_seq_size))
939 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
940 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
941 crec_rseq_after, rec_seq_size))
944 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
945 crec_rseq_after, rec_seq_size))
949 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
950 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
951 srec_rseq_after, rec_seq_size))
954 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
955 srec_rseq_after, rec_seq_size))
964 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
965 int sis_ktls_tx, int sis_ktls_rx,
966 int tls_version, const char *cipher,
969 SSL_CTX *cctx = NULL, *sctx = NULL;
970 SSL *clientssl = NULL, *serverssl = NULL;
974 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
977 /* Skip this test if the platform does not support ktls */
978 if (!ktls_chk_platform(cfd))
981 /* Create a session based on SHA-256 */
982 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
984 tls_version, tls_version,
985 &sctx, &cctx, cert, privkey))
986 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
987 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
988 &clientssl, sfd, cfd)))
992 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
997 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1002 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1007 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1016 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1019 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1024 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1027 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1032 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1035 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1040 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1043 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1047 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1054 SSL_shutdown(clientssl);
1055 SSL_free(clientssl);
1058 SSL_shutdown(serverssl);
1059 SSL_free(serverssl);
1063 serverssl = clientssl = NULL;
1067 #define SENDFILE_SZ (16 * 4096)
1068 #define SENDFILE_CHUNK (4 * 4096)
1069 #define min(a,b) ((a) > (b) ? (b) : (a))
1071 static int test_ktls_sendfile(int tls_version, const char *cipher)
1073 SSL_CTX *cctx = NULL, *sctx = NULL;
1074 SSL *clientssl = NULL, *serverssl = NULL;
1075 unsigned char *buf, *buf_dst;
1076 BIO *out = NULL, *in = NULL;
1077 int cfd, sfd, ffd, err;
1078 ssize_t chunk_size = 0;
1079 off_t chunk_off = 0;
1083 buf = OPENSSL_zalloc(SENDFILE_SZ);
1084 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1085 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1086 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1089 /* Skip this test if the platform does not support ktls */
1090 if (!ktls_chk_platform(sfd)) {
1095 /* Create a session based on SHA-256 */
1096 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1097 TLS_client_method(),
1098 tls_version, tls_version,
1099 &sctx, &cctx, cert, privkey))
1100 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1101 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1102 &clientssl, sfd, cfd)))
1105 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1107 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1110 RAND_bytes(buf, SENDFILE_SZ);
1111 out = BIO_new_file(tmpfilename, "wb");
1115 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1120 in = BIO_new_file(tmpfilename, "rb");
1121 BIO_get_fp(in, &ffdp);
1124 while (chunk_off < SENDFILE_SZ) {
1125 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1126 while ((err = SSL_sendfile(serverssl,
1130 0)) != chunk_size) {
1131 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1134 while ((err = SSL_read(clientssl,
1135 buf_dst + chunk_off,
1136 chunk_size)) != chunk_size) {
1137 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1141 /* verify the payload */
1142 if (!TEST_mem_eq(buf_dst + chunk_off,
1148 chunk_off += chunk_size;
1154 SSL_shutdown(clientssl);
1155 SSL_free(clientssl);
1158 SSL_shutdown(serverssl);
1159 SSL_free(serverssl);
1163 serverssl = clientssl = NULL;
1167 OPENSSL_free(buf_dst);
1171 static int test_ktls_no_txrx_client_no_txrx_server(int tlsver)
1175 #ifdef OPENSSL_KTLS_AES_GCM_128
1176 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1177 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1179 #ifdef OPENSSL_KTLS_AES_CCM_128
1180 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1181 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1183 #ifdef OPENSSL_KTLS_AES_GCM_256
1184 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1185 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1190 static int test_ktls_no_rx_client_no_txrx_server(int tlsver)
1194 #ifdef OPENSSL_KTLS_AES_GCM_128
1195 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1196 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1198 #ifdef OPENSSL_KTLS_AES_CCM_128
1199 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1200 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1202 #ifdef OPENSSL_KTLS_AES_GCM_256
1203 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1204 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1209 static int test_ktls_no_tx_client_no_txrx_server(int tlsver)
1213 #ifdef OPENSSL_KTLS_AES_GCM_128
1214 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1215 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1217 #ifdef OPENSSL_KTLS_AES_CCM_128
1218 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1219 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1221 #ifdef OPENSSL_KTLS_AES_GCM_256
1222 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1223 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1228 static int test_ktls_client_no_txrx_server(int tlsver)
1232 #ifdef OPENSSL_KTLS_AES_GCM_128
1233 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1234 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1236 #ifdef OPENSSL_KTLS_AES_CCM_128
1237 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1238 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1240 #ifdef OPENSSL_KTLS_AES_GCM_256
1241 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1242 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1247 static int test_ktls_no_txrx_client_no_rx_server(int tlsver)
1251 #ifdef OPENSSL_KTLS_AES_GCM_128
1252 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1253 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1255 #ifdef OPENSSL_KTLS_AES_CCM_128
1256 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1257 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1259 #ifdef OPENSSL_KTLS_AES_GCM_256
1260 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1261 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1266 static int test_ktls_no_rx_client_no_rx_server(int tlsver)
1270 #ifdef OPENSSL_KTLS_AES_GCM_128
1271 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1272 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1274 #ifdef OPENSSL_KTLS_AES_CCM_128
1275 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1276 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1278 #ifdef OPENSSL_KTLS_AES_GCM_256
1279 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1280 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1285 static int test_ktls_no_tx_client_no_rx_server(int tlsver)
1289 #ifdef OPENSSL_KTLS_AES_GCM_128
1290 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1291 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1293 #ifdef OPENSSL_KTLS_AES_CCM_128
1294 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1295 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1297 #ifdef OPENSSL_KTLS_AES_GCM_256
1298 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1299 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1304 static int test_ktls_client_no_rx_server(int tlsver)
1308 #ifdef OPENSSL_KTLS_AES_GCM_128
1309 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1310 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1312 #ifdef OPENSSL_KTLS_AES_CCM_128
1313 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1314 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1316 #ifdef OPENSSL_KTLS_AES_GCM_256
1317 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1318 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1323 static int test_ktls_no_txrx_client_no_tx_server(int tlsver)
1327 #ifdef OPENSSL_KTLS_AES_GCM_128
1328 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1329 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1331 #ifdef OPENSSL_KTLS_AES_CCM_128
1332 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1333 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1335 #ifdef OPENSSL_KTLS_AES_GCM_256
1336 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1337 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1342 static int test_ktls_no_rx_client_no_tx_server(int tlsver)
1346 #ifdef OPENSSL_KTLS_AES_GCM_128
1347 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1348 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1350 #ifdef OPENSSL_KTLS_AES_CCM_128
1351 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1352 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1354 #ifdef OPENSSL_KTLS_AES_GCM_256
1355 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1356 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1361 static int test_ktls_no_tx_client_no_tx_server(int tlsver)
1365 #ifdef OPENSSL_KTLS_AES_GCM_128
1366 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1367 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1369 #ifdef OPENSSL_KTLS_AES_CCM_128
1370 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1371 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1373 #ifdef OPENSSL_KTLS_AES_GCM_256
1374 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1375 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1380 static int test_ktls_client_no_tx_server(int tlsver)
1384 #ifdef OPENSSL_KTLS_AES_GCM_128
1385 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1386 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1388 #ifdef OPENSSL_KTLS_AES_CCM_128
1389 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1390 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1392 #ifdef OPENSSL_KTLS_AES_GCM_256
1393 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1394 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1399 static int test_ktls_no_txrx_client_server(int tlsver)
1403 #ifdef OPENSSL_KTLS_AES_GCM_128
1404 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1405 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1407 #ifdef OPENSSL_KTLS_AES_CCM_128
1408 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1409 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1411 #ifdef OPENSSL_KTLS_AES_GCM_256
1412 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1413 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1418 static int test_ktls_no_rx_client_server(int tlsver)
1422 #ifdef OPENSSL_KTLS_AES_GCM_128
1423 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1424 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1426 #ifdef OPENSSL_KTLS_AES_CCM_128
1427 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1428 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1430 #ifdef OPENSSL_KTLS_AES_GCM_256
1431 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1432 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1437 static int test_ktls_no_tx_client_server(int tlsver)
1441 #ifdef OPENSSL_KTLS_AES_GCM_128
1442 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1443 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1445 #ifdef OPENSSL_KTLS_AES_CCM_128
1446 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1447 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1449 #ifdef OPENSSL_KTLS_AES_GCM_256
1450 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1451 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1456 static int test_ktls_client_server(int tlsver)
1460 #ifdef OPENSSL_KTLS_AES_GCM_128
1461 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1462 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1464 #ifdef OPENSSL_KTLS_AES_CCM_128
1465 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1466 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1468 #ifdef OPENSSL_KTLS_AES_GCM_256
1469 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1470 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1475 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1476 static int test_ktls(int test)
1481 #if defined(OPENSSL_NO_TLS1_3)
1485 tlsver = TLS1_3_VERSION;
1488 #if defined(OPENSSL_NO_TLS1_2)
1491 tlsver = TLS1_2_VERSION;
1497 return test_ktls_no_txrx_client_no_txrx_server(tlsver);
1499 return test_ktls_no_rx_client_no_txrx_server(tlsver);
1501 return test_ktls_no_tx_client_no_txrx_server(tlsver);
1503 return test_ktls_client_no_txrx_server(tlsver);
1505 return test_ktls_no_txrx_client_no_rx_server(tlsver);
1507 return test_ktls_no_rx_client_no_rx_server(tlsver);
1509 return test_ktls_no_tx_client_no_rx_server(tlsver);
1511 return test_ktls_client_no_rx_server(tlsver);
1513 return test_ktls_no_txrx_client_no_tx_server(tlsver);
1515 return test_ktls_no_rx_client_no_tx_server(tlsver);
1517 return test_ktls_no_tx_client_no_tx_server(tlsver);
1519 return test_ktls_client_no_tx_server(tlsver);
1521 return test_ktls_no_txrx_client_server(tlsver);
1523 return test_ktls_no_rx_client_server(tlsver);
1525 return test_ktls_no_tx_client_server(tlsver);
1527 return test_ktls_client_server(tlsver);
1533 static int test_ktls_sendfile_anytls(int tst)
1535 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM-SHA256","AES256-GCM-SHA384"};
1539 #if defined(OPENSSL_NO_TLS1_3)
1543 tlsver = TLS1_3_VERSION;
1546 #if defined(OPENSSL_NO_TLS1_2)
1549 tlsver = TLS1_2_VERSION;
1553 #ifndef OPENSSL_KTLS_AES_GCM_128
1554 if(tst == 0) return 1;
1556 #ifndef OPENSSL_KTLS_AES_CCM_128
1557 if(tst == 1) return 1;
1559 #ifndef OPENSSL_KTLS_AES_GCM_256
1560 if(tst == 2) return 1;
1562 return test_ktls_sendfile(tlsver, cipher[tst]);
1568 static int test_large_message_tls(void)
1570 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1571 TLS1_VERSION, 0, 0);
1574 static int test_large_message_tls_read_ahead(void)
1576 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1577 TLS1_VERSION, 0, 1);
1580 #ifndef OPENSSL_NO_DTLS
1581 static int test_large_message_dtls(void)
1584 * read_ahead is not relevant to DTLS because DTLS always acts as if
1585 * read_ahead is set.
1587 return execute_test_large_message(DTLS_server_method(),
1588 DTLS_client_method(),
1589 DTLS1_VERSION, 0, 0);
1593 #ifndef OPENSSL_NO_OCSP
1594 static int ocsp_server_cb(SSL *s, void *arg)
1596 int *argi = (int *)arg;
1597 unsigned char *copy = NULL;
1598 STACK_OF(OCSP_RESPID) *ids = NULL;
1599 OCSP_RESPID *id = NULL;
1602 /* In this test we are expecting exactly 1 OCSP_RESPID */
1603 SSL_get_tlsext_status_ids(s, &ids);
1604 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1605 return SSL_TLSEXT_ERR_ALERT_FATAL;
1607 id = sk_OCSP_RESPID_value(ids, 0);
1608 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1609 return SSL_TLSEXT_ERR_ALERT_FATAL;
1610 } else if (*argi != 1) {
1611 return SSL_TLSEXT_ERR_ALERT_FATAL;
1614 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1615 return SSL_TLSEXT_ERR_ALERT_FATAL;
1617 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1618 ocsp_server_called = 1;
1619 return SSL_TLSEXT_ERR_OK;
1622 static int ocsp_client_cb(SSL *s, void *arg)
1624 int *argi = (int *)arg;
1625 const unsigned char *respderin;
1628 if (*argi != 1 && *argi != 2)
1631 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1632 if (!TEST_mem_eq(orespder, len, respderin, len))
1635 ocsp_client_called = 1;
1639 static int test_tlsext_status_type(void)
1641 SSL_CTX *cctx = NULL, *sctx = NULL;
1642 SSL *clientssl = NULL, *serverssl = NULL;
1644 STACK_OF(OCSP_RESPID) *ids = NULL;
1645 OCSP_RESPID *id = NULL;
1646 BIO *certbio = NULL;
1648 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1650 &sctx, &cctx, cert, privkey))
1653 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1656 /* First just do various checks getting and setting tlsext_status_type */
1658 clientssl = SSL_new(cctx);
1659 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1660 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1661 TLSEXT_STATUSTYPE_ocsp))
1662 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1663 TLSEXT_STATUSTYPE_ocsp))
1666 SSL_free(clientssl);
1669 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1670 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1673 clientssl = SSL_new(cctx);
1674 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1676 SSL_free(clientssl);
1680 * Now actually do a handshake and check OCSP information is exchanged and
1681 * the callbacks get called
1683 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1684 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1685 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1686 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1687 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1688 &clientssl, NULL, NULL))
1689 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1691 || !TEST_true(ocsp_client_called)
1692 || !TEST_true(ocsp_server_called))
1694 SSL_free(serverssl);
1695 SSL_free(clientssl);
1699 /* Try again but this time force the server side callback to fail */
1700 ocsp_client_called = 0;
1701 ocsp_server_called = 0;
1703 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1704 &clientssl, NULL, NULL))
1705 /* This should fail because the callback will fail */
1706 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1708 || !TEST_false(ocsp_client_called)
1709 || !TEST_false(ocsp_server_called))
1711 SSL_free(serverssl);
1712 SSL_free(clientssl);
1717 * This time we'll get the client to send an OCSP_RESPID that it will
1720 ocsp_client_called = 0;
1721 ocsp_server_called = 0;
1723 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1724 &clientssl, NULL, NULL)))
1728 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1729 * specific one. We'll use the server cert.
1731 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1732 || !TEST_ptr(id = OCSP_RESPID_new())
1733 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1734 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1736 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1737 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1740 SSL_set_tlsext_status_ids(clientssl, ids);
1741 /* Control has been transferred */
1747 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1749 || !TEST_true(ocsp_client_called)
1750 || !TEST_true(ocsp_server_called))
1756 SSL_free(serverssl);
1757 SSL_free(clientssl);
1760 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1761 OCSP_RESPID_free(id);
1763 X509_free(ocspcert);
1770 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1771 static int new_called, remove_called, get_called;
1773 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1777 * sess has been up-refed for us, but we don't actually need it so free it
1780 SSL_SESSION_free(sess);
1784 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1789 static SSL_SESSION *get_sess_val = NULL;
1791 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1796 return get_sess_val;
1799 static int execute_test_session(int maxprot, int use_int_cache,
1800 int use_ext_cache, long s_options)
1802 SSL_CTX *sctx = NULL, *cctx = NULL;
1803 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1804 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1805 # ifndef OPENSSL_NO_TLS1_1
1806 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1808 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1809 int testresult = 0, numnewsesstick = 1;
1811 new_called = remove_called = 0;
1813 /* TLSv1.3 sends 2 NewSessionTickets */
1814 if (maxprot == TLS1_3_VERSION)
1817 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1818 TLS_client_method(), TLS1_VERSION, 0,
1819 &sctx, &cctx, cert, privkey)))
1823 * Only allow the max protocol version so we can force a connection failure
1826 SSL_CTX_set_min_proto_version(cctx, maxprot);
1827 SSL_CTX_set_max_proto_version(cctx, maxprot);
1829 /* Set up session cache */
1830 if (use_ext_cache) {
1831 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1832 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1834 if (use_int_cache) {
1835 /* Also covers instance where both are set */
1836 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1838 SSL_CTX_set_session_cache_mode(cctx,
1839 SSL_SESS_CACHE_CLIENT
1840 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1844 SSL_CTX_set_options(sctx, s_options);
1847 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1849 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1851 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1854 /* Should fail because it should already be in the cache */
1855 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1858 && (!TEST_int_eq(new_called, numnewsesstick)
1860 || !TEST_int_eq(remove_called, 0)))
1863 new_called = remove_called = 0;
1864 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1865 &clientssl2, NULL, NULL))
1866 || !TEST_true(SSL_set_session(clientssl2, sess1))
1867 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1869 || !TEST_true(SSL_session_reused(clientssl2)))
1872 if (maxprot == TLS1_3_VERSION) {
1874 * In TLSv1.3 we should have created a new session even though we have
1875 * resumed. Since we attempted a resume we should also have removed the
1876 * old ticket from the cache so that we try to only use tickets once.
1879 && (!TEST_int_eq(new_called, 1)
1880 || !TEST_int_eq(remove_called, 1)))
1884 * In TLSv1.2 we expect to have resumed so no sessions added or
1888 && (!TEST_int_eq(new_called, 0)
1889 || !TEST_int_eq(remove_called, 0)))
1893 SSL_SESSION_free(sess1);
1894 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1896 shutdown_ssl_connection(serverssl2, clientssl2);
1897 serverssl2 = clientssl2 = NULL;
1899 new_called = remove_called = 0;
1900 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1901 &clientssl2, NULL, NULL))
1902 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1906 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1910 && (!TEST_int_eq(new_called, numnewsesstick)
1911 || !TEST_int_eq(remove_called, 0)))
1914 new_called = remove_called = 0;
1916 * This should clear sess2 from the cache because it is a "bad" session.
1917 * See SSL_set_session() documentation.
1919 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1922 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1924 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1927 if (use_int_cache) {
1928 /* Should succeeded because it should not already be in the cache */
1929 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1930 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1934 new_called = remove_called = 0;
1935 /* This shouldn't be in the cache so should fail */
1936 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1940 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1943 # if !defined(OPENSSL_NO_TLS1_1)
1944 new_called = remove_called = 0;
1945 /* Force a connection failure */
1946 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1947 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1948 &clientssl3, NULL, NULL))
1949 || !TEST_true(SSL_set_session(clientssl3, sess1))
1950 /* This should fail because of the mismatched protocol versions */
1951 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1955 /* We should have automatically removed the session from the cache */
1957 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1960 /* Should succeed because it should not already be in the cache */
1961 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1965 /* Now do some tests for server side caching */
1966 if (use_ext_cache) {
1967 SSL_CTX_sess_set_new_cb(cctx, NULL);
1968 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1969 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1970 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1971 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1972 get_sess_val = NULL;
1975 SSL_CTX_set_session_cache_mode(cctx, 0);
1976 /* Internal caching is the default on the server side */
1978 SSL_CTX_set_session_cache_mode(sctx,
1979 SSL_SESS_CACHE_SERVER
1980 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1982 SSL_free(serverssl1);
1983 SSL_free(clientssl1);
1984 serverssl1 = clientssl1 = NULL;
1985 SSL_free(serverssl2);
1986 SSL_free(clientssl2);
1987 serverssl2 = clientssl2 = NULL;
1988 SSL_SESSION_free(sess1);
1990 SSL_SESSION_free(sess2);
1993 SSL_CTX_set_max_proto_version(sctx, maxprot);
1994 if (maxprot == TLS1_2_VERSION)
1995 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1996 new_called = remove_called = get_called = 0;
1997 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1999 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2001 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2002 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2005 if (use_int_cache) {
2006 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2008 * In TLSv1.3 it should not have been added to the internal cache,
2009 * except in the case where we also have an external cache (in that
2010 * case it gets added to the cache in order to generate remove
2011 * events after timeout).
2013 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2016 /* Should fail because it should already be in the cache */
2017 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2022 if (use_ext_cache) {
2023 SSL_SESSION *tmp = sess2;
2025 if (!TEST_int_eq(new_called, numnewsesstick)
2026 || !TEST_int_eq(remove_called, 0)
2027 || !TEST_int_eq(get_called, 0))
2030 * Delete the session from the internal cache to force a lookup from
2031 * the external cache. We take a copy first because
2032 * SSL_CTX_remove_session() also marks the session as non-resumable.
2034 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2035 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2036 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2038 SSL_SESSION_free(sess2);
2043 new_called = remove_called = get_called = 0;
2044 get_sess_val = sess2;
2045 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2046 &clientssl2, NULL, NULL))
2047 || !TEST_true(SSL_set_session(clientssl2, sess1))
2048 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2050 || !TEST_true(SSL_session_reused(clientssl2)))
2053 if (use_ext_cache) {
2054 if (!TEST_int_eq(remove_called, 0))
2057 if (maxprot == TLS1_3_VERSION) {
2058 if (!TEST_int_eq(new_called, 1)
2059 || !TEST_int_eq(get_called, 0))
2062 if (!TEST_int_eq(new_called, 0)
2063 || !TEST_int_eq(get_called, 1))
2071 SSL_free(serverssl1);
2072 SSL_free(clientssl1);
2073 SSL_free(serverssl2);
2074 SSL_free(clientssl2);
2075 # ifndef OPENSSL_NO_TLS1_1
2076 SSL_free(serverssl3);
2077 SSL_free(clientssl3);
2079 SSL_SESSION_free(sess1);
2080 SSL_SESSION_free(sess2);
2086 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2088 static int test_session_with_only_int_cache(void)
2090 #ifndef OPENSSL_NO_TLS1_3
2091 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2095 #ifndef OPENSSL_NO_TLS1_2
2096 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2102 static int test_session_with_only_ext_cache(void)
2104 #ifndef OPENSSL_NO_TLS1_3
2105 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2109 #ifndef OPENSSL_NO_TLS1_2
2110 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2116 static int test_session_with_both_cache(void)
2118 #ifndef OPENSSL_NO_TLS1_3
2119 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2123 #ifndef OPENSSL_NO_TLS1_2
2124 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2130 static int test_session_wo_ca_names(void)
2132 #ifndef OPENSSL_NO_TLS1_3
2133 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2137 #ifndef OPENSSL_NO_TLS1_2
2138 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2145 #ifndef OPENSSL_NO_TLS1_3
2146 static SSL_SESSION *sesscache[6];
2147 static int do_cache;
2149 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2152 sesscache[new_called] = sess;
2154 /* We don't need the reference to the session, so free it */
2155 SSL_SESSION_free(sess);
2162 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2164 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2165 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2168 /* Start handshake on the server and client */
2169 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2170 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2171 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2172 || !TEST_true(create_ssl_connection(sssl, cssl,
2179 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2182 int sess_id_ctx = 1;
2184 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2185 TLS_client_method(), TLS1_VERSION, 0,
2186 sctx, cctx, cert, privkey))
2187 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2188 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2189 (void *)&sess_id_ctx,
2190 sizeof(sess_id_ctx))))
2194 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2196 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2197 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2198 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2203 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2205 SSL *serverssl = NULL, *clientssl = NULL;
2208 /* Test that we can resume with all the tickets we got given */
2209 for (i = 0; i < idx * 2; i++) {
2211 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2212 &clientssl, NULL, NULL))
2213 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2216 SSL_set_post_handshake_auth(clientssl, 1);
2218 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2223 * Following a successful resumption we only get 1 ticket. After a
2224 * failed one we should get idx tickets.
2227 if (!TEST_true(SSL_session_reused(clientssl))
2228 || !TEST_int_eq(new_called, 1))
2231 if (!TEST_false(SSL_session_reused(clientssl))
2232 || !TEST_int_eq(new_called, idx))
2237 /* After a post-handshake authentication we should get 1 new ticket */
2239 && (!post_handshake_verify(serverssl, clientssl)
2240 || !TEST_int_eq(new_called, 1)))
2243 SSL_shutdown(clientssl);
2244 SSL_shutdown(serverssl);
2245 SSL_free(serverssl);
2246 SSL_free(clientssl);
2247 serverssl = clientssl = NULL;
2248 SSL_SESSION_free(sesscache[i]);
2249 sesscache[i] = NULL;
2255 SSL_free(clientssl);
2256 SSL_free(serverssl);
2260 static int test_tickets(int stateful, int idx)
2262 SSL_CTX *sctx = NULL, *cctx = NULL;
2263 SSL *serverssl = NULL, *clientssl = NULL;
2267 /* idx is the test number, but also the number of tickets we want */
2272 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2275 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2276 &clientssl, NULL, NULL)))
2279 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2281 /* Check we got the number of tickets we were expecting */
2282 || !TEST_int_eq(idx, new_called))
2285 SSL_shutdown(clientssl);
2286 SSL_shutdown(serverssl);
2287 SSL_free(serverssl);
2288 SSL_free(clientssl);
2291 clientssl = serverssl = NULL;
2295 * Now we try to resume with the tickets we previously created. The
2296 * resumption attempt is expected to fail (because we're now using a new
2297 * SSL_CTX). We should see idx number of tickets issued again.
2300 /* Stop caching sessions - just count them */
2303 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2306 if (!check_resumption(idx, sctx, cctx, 0))
2309 /* Start again with caching sessions */
2316 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2319 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2320 &clientssl, NULL, NULL)))
2323 SSL_set_post_handshake_auth(clientssl, 1);
2325 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2327 /* Check we got the number of tickets we were expecting */
2328 || !TEST_int_eq(idx, new_called))
2331 /* After a post-handshake authentication we should get new tickets issued */
2332 if (!post_handshake_verify(serverssl, clientssl)
2333 || !TEST_int_eq(idx * 2, new_called))
2336 SSL_shutdown(clientssl);
2337 SSL_shutdown(serverssl);
2338 SSL_free(serverssl);
2339 SSL_free(clientssl);
2340 serverssl = clientssl = NULL;
2342 /* Stop caching sessions - just count them */
2346 * Check we can resume with all the tickets we created. This time around the
2347 * resumptions should all be successful.
2349 if (!check_resumption(idx, sctx, cctx, 1))
2355 SSL_free(serverssl);
2356 SSL_free(clientssl);
2357 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2358 SSL_SESSION_free(sesscache[j]);
2359 sesscache[j] = NULL;
2367 static int test_stateless_tickets(int idx)
2369 return test_tickets(0, idx);
2372 static int test_stateful_tickets(int idx)
2374 return test_tickets(1, idx);
2377 static int test_psk_tickets(void)
2379 SSL_CTX *sctx = NULL, *cctx = NULL;
2380 SSL *serverssl = NULL, *clientssl = NULL;
2382 int sess_id_ctx = 1;
2384 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2385 TLS_client_method(), TLS1_VERSION, 0,
2386 &sctx, &cctx, NULL, NULL))
2387 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2388 (void *)&sess_id_ctx,
2389 sizeof(sess_id_ctx))))
2392 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2393 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2394 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2395 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2396 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2397 use_session_cb_cnt = 0;
2398 find_session_cb_cnt = 0;
2402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2405 clientpsk = serverpsk = create_a_psk(clientssl);
2406 if (!TEST_ptr(clientpsk))
2408 SSL_SESSION_up_ref(clientpsk);
2410 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2412 || !TEST_int_eq(1, find_session_cb_cnt)
2413 || !TEST_int_eq(1, use_session_cb_cnt)
2414 /* We should always get 1 ticket when using external PSK */
2415 || !TEST_int_eq(1, new_called))
2421 SSL_free(serverssl);
2422 SSL_free(clientssl);
2425 SSL_SESSION_free(clientpsk);
2426 SSL_SESSION_free(serverpsk);
2427 clientpsk = serverpsk = NULL;
2432 static int test_extra_tickets(int idx)
2434 SSL_CTX *sctx = NULL, *cctx = NULL;
2435 SSL *serverssl = NULL, *clientssl = NULL;
2436 BIO *bretry = BIO_new(bio_s_always_retry());
2441 unsigned char c, buf[1];
2451 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2453 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2454 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2455 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2457 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2458 &clientssl, NULL, NULL)))
2462 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2463 * incremented by both client and server.
2465 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2467 /* Check we got the number of tickets we were expecting */
2468 || !TEST_int_eq(idx * 2, new_called)
2469 || !TEST_true(SSL_new_session_ticket(serverssl))
2470 || !TEST_true(SSL_new_session_ticket(serverssl))
2471 || !TEST_int_eq(idx * 2, new_called))
2474 /* Now try a (real) write to actually send the tickets */
2476 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2477 || !TEST_size_t_eq(1, nbytes)
2478 || !TEST_int_eq(idx * 2 + 2, new_called)
2479 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2480 || !TEST_int_eq(idx * 2 + 4, new_called)
2481 || !TEST_int_eq(sizeof(buf), nbytes)
2482 || !TEST_int_eq(c, buf[0])
2483 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2486 /* Try with only requesting one new ticket, too */
2489 if (!TEST_true(SSL_new_session_ticket(serverssl))
2490 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2491 || !TEST_size_t_eq(sizeof(c), nbytes)
2492 || !TEST_int_eq(1, new_called)
2493 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2494 || !TEST_int_eq(2, new_called)
2495 || !TEST_size_t_eq(sizeof(buf), nbytes)
2496 || !TEST_int_eq(c, buf[0]))
2499 /* Do it again but use dummy writes to drive the ticket generation */
2502 if (!TEST_true(SSL_new_session_ticket(serverssl))
2503 || !TEST_true(SSL_new_session_ticket(serverssl))
2504 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2505 || !TEST_size_t_eq(0, nbytes)
2506 || !TEST_int_eq(2, new_called)
2507 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2508 || !TEST_int_eq(4, new_called))
2512 * Use the always-retry BIO to exercise the logic that forces ticket
2513 * generation to wait until a record boundary.
2517 tmp = SSL_get_wbio(serverssl);
2518 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2522 SSL_set0_wbio(serverssl, bretry);
2524 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2525 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2526 || !TEST_size_t_eq(nbytes, 0))
2528 /* Restore a BIO that will let the write succeed */
2529 SSL_set0_wbio(serverssl, tmp);
2531 /* These calls should just queue the request and not send anything. */
2532 if (!TEST_true(SSL_new_session_ticket(serverssl))
2533 || !TEST_true(SSL_new_session_ticket(serverssl))
2534 || !TEST_int_eq(0, new_called))
2536 /* Re-do the write; still no tickets sent */
2537 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2538 || !TEST_size_t_eq(1, nbytes)
2539 || !TEST_int_eq(0, new_called)
2540 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2541 || !TEST_int_eq(0, new_called)
2542 || !TEST_int_eq(sizeof(buf), nbytes)
2543 || !TEST_int_eq(c, buf[0])
2544 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2546 /* Now the *next* write should send the tickets */
2548 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2549 || !TEST_size_t_eq(1, nbytes)
2550 || !TEST_int_eq(2, new_called)
2551 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2552 || !TEST_int_eq(4, new_called)
2553 || !TEST_int_eq(sizeof(buf), nbytes)
2554 || !TEST_int_eq(c, buf[0])
2555 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2558 SSL_shutdown(clientssl);
2559 SSL_shutdown(serverssl);
2565 SSL_free(serverssl);
2566 SSL_free(clientssl);
2569 clientssl = serverssl = NULL;
2578 #define USE_DEFAULT 3
2580 #define CONNTYPE_CONNECTION_SUCCESS 0
2581 #define CONNTYPE_CONNECTION_FAIL 1
2582 #define CONNTYPE_NO_CONNECTION 2
2584 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2585 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2586 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2587 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2589 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2592 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2593 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2594 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2596 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2613 * Tests calls to SSL_set_bio() under various conditions.
2615 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2616 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2617 * then do more tests where we create a successful connection first using our
2618 * standard connection setup functions, and then call SSL_set_bio() with
2619 * various combinations of valid BIOs or NULL. We then repeat these tests
2620 * following a failed connection. In this last case we are looking to check that
2621 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2623 static int test_ssl_set_bio(int idx)
2625 SSL_CTX *sctx = NULL, *cctx = NULL;
2628 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2629 SSL *serverssl = NULL, *clientssl = NULL;
2630 int initrbio, initwbio, newrbio, newwbio, conntype;
2633 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2641 conntype = CONNTYPE_NO_CONNECTION;
2643 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2644 initrbio = initwbio = USE_DEFAULT;
2652 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2653 TLS_client_method(), TLS1_VERSION, 0,
2654 &sctx, &cctx, cert, privkey)))
2657 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2659 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2660 * because we reduced the number of tests in the definition of
2661 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2662 * mismatched protocol versions we will force a connection failure.
2664 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2665 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2668 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2672 if (initrbio == USE_BIO_1
2673 || initwbio == USE_BIO_1
2674 || newrbio == USE_BIO_1
2675 || newwbio == USE_BIO_1) {
2676 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2680 if (initrbio == USE_BIO_2
2681 || initwbio == USE_BIO_2
2682 || newrbio == USE_BIO_2
2683 || newwbio == USE_BIO_2) {
2684 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2688 if (initrbio != USE_DEFAULT) {
2689 setupbio(&irbio, bio1, bio2, initrbio);
2690 setupbio(&iwbio, bio1, bio2, initwbio);
2691 SSL_set_bio(clientssl, irbio, iwbio);
2694 * We want to maintain our own refs to these BIO, so do an up ref for
2695 * each BIO that will have ownership transferred in the SSL_set_bio()
2700 if (iwbio != NULL && iwbio != irbio)
2704 if (conntype != CONNTYPE_NO_CONNECTION
2705 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2707 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2710 setupbio(&nrbio, bio1, bio2, newrbio);
2711 setupbio(&nwbio, bio1, bio2, newwbio);
2714 * We will (maybe) transfer ownership again so do more up refs.
2715 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2720 && (nwbio != iwbio || nrbio != nwbio))
2724 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2727 SSL_set_bio(clientssl, nrbio, nwbio);
2736 * This test is checking that the ref counting for SSL_set_bio is correct.
2737 * If we get here and we did too many frees then we will fail in the above
2740 SSL_free(serverssl);
2741 SSL_free(clientssl);
2747 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2749 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2751 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2756 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2757 || !TEST_ptr(ssl = SSL_new(ctx))
2758 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2759 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2762 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2765 * If anything goes wrong here then we could leak memory.
2767 BIO_push(sslbio, membio1);
2769 /* Verify changing the rbio/wbio directly does not cause leaks */
2770 if (change_bio != NO_BIO_CHANGE) {
2771 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2773 if (change_bio == CHANGE_RBIO)
2774 SSL_set0_rbio(ssl, membio2);
2776 SSL_set0_wbio(ssl, membio2);
2795 static int test_ssl_bio_pop_next_bio(void)
2797 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2800 static int test_ssl_bio_pop_ssl_bio(void)
2802 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2805 static int test_ssl_bio_change_rbio(void)
2807 return execute_test_ssl_bio(0, CHANGE_RBIO);
2810 static int test_ssl_bio_change_wbio(void)
2812 return execute_test_ssl_bio(0, CHANGE_WBIO);
2815 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2817 /* The list of sig algs */
2819 /* The length of the list */
2821 /* A sigalgs list in string format */
2822 const char *liststr;
2823 /* Whether setting the list should succeed */
2825 /* Whether creating a connection with the list should succeed */
2829 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2830 # ifndef OPENSSL_NO_EC
2831 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2832 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2834 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2835 static const int invalidlist2[] = {NID_sha256, NID_undef};
2836 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2837 static const int invalidlist4[] = {NID_sha256};
2838 static const sigalgs_list testsigalgs[] = {
2839 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2840 # ifndef OPENSSL_NO_EC
2841 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2842 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2844 {NULL, 0, "RSA+SHA256", 1, 1},
2845 # ifndef OPENSSL_NO_EC
2846 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2847 {NULL, 0, "ECDSA+SHA512", 1, 0},
2849 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2850 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2851 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2852 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2853 {NULL, 0, "RSA", 0, 0},
2854 {NULL, 0, "SHA256", 0, 0},
2855 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2856 {NULL, 0, "Invalid", 0, 0}
2859 static int test_set_sigalgs(int idx)
2861 SSL_CTX *cctx = NULL, *sctx = NULL;
2862 SSL *clientssl = NULL, *serverssl = NULL;
2864 const sigalgs_list *curr;
2867 /* Should never happen */
2868 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2871 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2872 curr = testctx ? &testsigalgs[idx]
2873 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2875 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2876 TLS_client_method(), TLS1_VERSION, 0,
2877 &sctx, &cctx, cert, privkey)))
2881 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2882 * for TLSv1.2 for now until we add a new API.
2884 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2889 if (curr->list != NULL)
2890 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2892 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2896 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2902 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2907 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2908 &clientssl, NULL, NULL)))
2914 if (curr->list != NULL)
2915 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2917 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2920 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2929 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2937 SSL_free(serverssl);
2938 SSL_free(clientssl);
2946 #ifndef OPENSSL_NO_TLS1_3
2947 static int psk_client_cb_cnt = 0;
2948 static int psk_server_cb_cnt = 0;
2950 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2951 size_t *idlen, SSL_SESSION **sess)
2953 switch (++use_session_cb_cnt) {
2955 /* The first call should always have a NULL md */
2961 /* The second call should always have an md */
2967 /* We should only be called a maximum of twice */
2971 if (clientpsk != NULL)
2972 SSL_SESSION_up_ref(clientpsk);
2975 *id = (const unsigned char *)pskid;
2976 *idlen = strlen(pskid);
2981 #ifndef OPENSSL_NO_PSK
2982 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2983 unsigned int max_id_len,
2985 unsigned int max_psk_len)
2987 unsigned int psklen = 0;
2989 psk_client_cb_cnt++;
2991 if (strlen(pskid) + 1 > max_id_len)
2994 /* We should only ever be called a maximum of twice per connection */
2995 if (psk_client_cb_cnt > 2)
2998 if (clientpsk == NULL)
3001 /* We'll reuse the PSK we set up for TLSv1.3 */
3002 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3004 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3005 strncpy(id, pskid, max_id_len);
3009 #endif /* OPENSSL_NO_PSK */
3011 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3012 size_t identity_len, SSL_SESSION **sess)
3014 find_session_cb_cnt++;
3016 /* We should only ever be called a maximum of twice per connection */
3017 if (find_session_cb_cnt > 2)
3020 if (serverpsk == NULL)
3023 /* Identity should match that set by the client */
3024 if (strlen(srvid) != identity_len
3025 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3026 /* No PSK found, continue but without a PSK */
3031 SSL_SESSION_up_ref(serverpsk);
3037 #ifndef OPENSSL_NO_PSK
3038 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3039 unsigned char *psk, unsigned int max_psk_len)
3041 unsigned int psklen = 0;
3043 psk_server_cb_cnt++;
3045 /* We should only ever be called a maximum of twice per connection */
3046 if (find_session_cb_cnt > 2)
3049 if (serverpsk == NULL)
3052 /* Identity should match that set by the client */
3053 if (strcmp(srvid, identity) != 0) {
3057 /* We'll reuse the PSK we set up for TLSv1.3 */
3058 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3060 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3064 #endif /* OPENSSL_NO_PSK */
3066 #define MSG1 "Hello"
3067 #define MSG2 "World."
3072 #define MSG7 "message."
3074 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3075 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3076 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3077 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3078 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3081 static SSL_SESSION *create_a_psk(SSL *ssl)
3083 const SSL_CIPHER *cipher = NULL;
3084 const unsigned char key[] = {
3085 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3086 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3087 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3088 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3089 0x2c, 0x2d, 0x2e, 0x2f
3091 SSL_SESSION *sess = NULL;
3093 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3094 sess = SSL_SESSION_new();
3096 || !TEST_ptr(cipher)
3097 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3099 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3101 SSL_SESSION_set_protocol_version(sess,
3103 SSL_SESSION_free(sess);
3110 * Helper method to setup objects for early data test. Caller frees objects on
3113 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3114 SSL **serverssl, SSL_SESSION **sess, int idx)
3117 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3118 TLS_client_method(),
3120 sctx, cctx, cert, privkey)))
3123 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3127 /* When idx == 1 we repeat the tests with read_ahead set */
3128 SSL_CTX_set_read_ahead(*cctx, 1);
3129 SSL_CTX_set_read_ahead(*sctx, 1);
3130 } else if (idx == 2) {
3131 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3132 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3133 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3134 use_session_cb_cnt = 0;
3135 find_session_cb_cnt = 0;
3139 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3144 * For one of the run throughs (doesn't matter which one), we'll try sending
3145 * some SNI data in the initial ClientHello. This will be ignored (because
3146 * there is no SNI cb set up by the server), so it should not impact
3150 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3154 clientpsk = create_a_psk(*clientssl);
3155 if (!TEST_ptr(clientpsk)
3157 * We just choose an arbitrary value for max_early_data which
3158 * should be big enough for testing purposes.
3160 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3162 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3163 SSL_SESSION_free(clientpsk);
3167 serverpsk = clientpsk;
3170 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3171 SSL_SESSION_free(clientpsk);
3172 SSL_SESSION_free(serverpsk);
3173 clientpsk = serverpsk = NULL;
3184 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3188 *sess = SSL_get1_session(*clientssl);
3189 SSL_shutdown(*clientssl);
3190 SSL_shutdown(*serverssl);
3191 SSL_free(*serverssl);
3192 SSL_free(*clientssl);
3193 *serverssl = *clientssl = NULL;
3195 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3196 clientssl, NULL, NULL))
3197 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3203 static int test_early_data_read_write(int idx)
3205 SSL_CTX *cctx = NULL, *sctx = NULL;
3206 SSL *clientssl = NULL, *serverssl = NULL;
3208 SSL_SESSION *sess = NULL;
3209 unsigned char buf[20], data[1024];
3210 size_t readbytes, written, eoedlen, rawread, rawwritten;
3213 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3214 &serverssl, &sess, idx)))
3217 /* Write and read some early data */
3218 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3220 || !TEST_size_t_eq(written, strlen(MSG1))
3221 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3222 sizeof(buf), &readbytes),
3223 SSL_READ_EARLY_DATA_SUCCESS)
3224 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3225 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3226 SSL_EARLY_DATA_ACCEPTED))
3230 * Server should be able to write data, and client should be able to
3233 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3235 || !TEST_size_t_eq(written, strlen(MSG2))
3236 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3237 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3240 /* Even after reading normal data, client should be able write early data */
3241 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3243 || !TEST_size_t_eq(written, strlen(MSG3)))
3246 /* Server should still be able read early data after writing data */
3247 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3249 SSL_READ_EARLY_DATA_SUCCESS)
3250 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3253 /* Write more data from server and read it from client */
3254 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3256 || !TEST_size_t_eq(written, strlen(MSG4))
3257 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3258 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3262 * If client writes normal data it should mean writing early data is no
3265 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3266 || !TEST_size_t_eq(written, strlen(MSG5))
3267 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3268 SSL_EARLY_DATA_ACCEPTED))
3272 * At this point the client has written EndOfEarlyData, ClientFinished and
3273 * normal (fully protected) data. We are going to cause a delay between the
3274 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3275 * in the read BIO, and then just put back the EndOfEarlyData message.
3277 rbio = SSL_get_rbio(serverssl);
3278 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3279 || !TEST_size_t_lt(rawread, sizeof(data))
3280 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3283 /* Record length is in the 4th and 5th bytes of the record header */
3284 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3285 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3286 || !TEST_size_t_eq(rawwritten, eoedlen))
3289 /* Server should be told that there is no more early data */
3290 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3292 SSL_READ_EARLY_DATA_FINISH)
3293 || !TEST_size_t_eq(readbytes, 0))
3297 * Server has not finished init yet, so should still be able to write early
3300 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3302 || !TEST_size_t_eq(written, strlen(MSG6)))
3305 /* Push the ClientFinished and the normal data back into the server rbio */
3306 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3308 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3311 /* Server should be able to read normal data */
3312 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3313 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3316 /* Client and server should not be able to write/read early data now */
3317 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3321 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3323 SSL_READ_EARLY_DATA_ERROR))
3327 /* Client should be able to read the data sent by the server */
3328 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3329 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3333 * Make sure we process the two NewSessionTickets. These arrive
3334 * post-handshake. We attempt reads which we do not expect to return any
3337 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3338 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3342 /* Server should be able to write normal data */
3343 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3344 || !TEST_size_t_eq(written, strlen(MSG7))
3345 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3346 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3349 SSL_SESSION_free(sess);
3350 sess = SSL_get1_session(clientssl);
3351 use_session_cb_cnt = 0;
3352 find_session_cb_cnt = 0;
3354 SSL_shutdown(clientssl);
3355 SSL_shutdown(serverssl);
3356 SSL_free(serverssl);
3357 SSL_free(clientssl);
3358 serverssl = clientssl = NULL;
3359 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3360 &clientssl, NULL, NULL))
3361 || !TEST_true(SSL_set_session(clientssl, sess)))
3364 /* Write and read some early data */
3365 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3367 || !TEST_size_t_eq(written, strlen(MSG1))
3368 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3370 SSL_READ_EARLY_DATA_SUCCESS)
3371 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3374 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3375 || !TEST_int_gt(SSL_accept(serverssl), 0))
3378 /* Client and server should not be able to write/read early data now */
3379 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3383 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3385 SSL_READ_EARLY_DATA_ERROR))
3389 /* Client and server should be able to write/read normal data */
3390 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3391 || !TEST_size_t_eq(written, strlen(MSG5))
3392 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3393 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3399 SSL_SESSION_free(sess);
3400 SSL_SESSION_free(clientpsk);
3401 SSL_SESSION_free(serverpsk);
3402 clientpsk = serverpsk = NULL;
3403 SSL_free(serverssl);
3404 SSL_free(clientssl);
3410 static int allow_ed_cb_called = 0;
3412 static int allow_early_data_cb(SSL *s, void *arg)
3414 int *usecb = (int *)arg;
3416 allow_ed_cb_called++;
3425 * idx == 0: Standard early_data setup
3426 * idx == 1: early_data setup using read_ahead
3427 * usecb == 0: Don't use a custom early data callback
3428 * usecb == 1: Use a custom early data callback and reject the early data
3429 * usecb == 2: Use a custom early data callback and accept the early data
3430 * confopt == 0: Configure anti-replay directly
3431 * confopt == 1: Configure anti-replay using SSL_CONF
3433 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3435 SSL_CTX *cctx = NULL, *sctx = NULL;
3436 SSL *clientssl = NULL, *serverssl = NULL;
3438 SSL_SESSION *sess = NULL;
3439 size_t readbytes, written;
3440 unsigned char buf[20];
3442 allow_ed_cb_called = 0;
3444 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3445 TLS_client_method(), TLS1_VERSION, 0,
3446 &sctx, &cctx, cert, privkey)))
3451 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3453 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3455 if (!TEST_ptr(confctx))
3457 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3458 | SSL_CONF_FLAG_SERVER);
3459 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3460 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3462 SSL_CONF_CTX_free(confctx);
3465 SSL_CONF_CTX_free(confctx);
3467 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3470 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3471 &serverssl, &sess, idx)))
3475 * The server is configured to accept early data. Create a connection to
3476 * "use up" the ticket
3478 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3479 || !TEST_true(SSL_session_reused(clientssl)))
3482 SSL_shutdown(clientssl);
3483 SSL_shutdown(serverssl);
3484 SSL_free(serverssl);
3485 SSL_free(clientssl);
3486 serverssl = clientssl = NULL;
3488 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3489 &clientssl, NULL, NULL))
3490 || !TEST_true(SSL_set_session(clientssl, sess)))
3493 /* Write and read some early data */
3494 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3496 || !TEST_size_t_eq(written, strlen(MSG1)))
3500 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3502 SSL_READ_EARLY_DATA_FINISH)
3504 * The ticket was reused, so the we should have rejected the
3507 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3508 SSL_EARLY_DATA_REJECTED))
3511 /* In this case the callback decides to accept the early data */
3512 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3514 SSL_READ_EARLY_DATA_SUCCESS)
3515 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3517 * Server will have sent its flight so client can now send
3518 * end of early data and complete its half of the handshake
3520 || !TEST_int_gt(SSL_connect(clientssl), 0)
3521 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3523 SSL_READ_EARLY_DATA_FINISH)
3524 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3525 SSL_EARLY_DATA_ACCEPTED))
3529 /* Complete the connection */
3530 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3531 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3532 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3538 SSL_SESSION_free(sess);
3539 SSL_SESSION_free(clientpsk);
3540 SSL_SESSION_free(serverpsk);
3541 clientpsk = serverpsk = NULL;
3542 SSL_free(serverssl);
3543 SSL_free(clientssl);
3549 static int test_early_data_replay(int idx)
3551 int ret = 1, usecb, confopt;
3553 for (usecb = 0; usecb < 3; usecb++) {
3554 for (confopt = 0; confopt < 2; confopt++)
3555 ret &= test_early_data_replay_int(idx, usecb, confopt);
3562 * Helper function to test that a server attempting to read early data can
3563 * handle a connection from a client where the early data should be skipped.
3564 * testtype: 0 == No HRR
3565 * testtype: 1 == HRR
3566 * testtype: 2 == HRR, invalid early_data sent after HRR
3567 * testtype: 3 == recv_max_early_data set to 0
3569 static int early_data_skip_helper(int testtype, int idx)
3571 SSL_CTX *cctx = NULL, *sctx = NULL;
3572 SSL *clientssl = NULL, *serverssl = NULL;
3574 SSL_SESSION *sess = NULL;
3575 unsigned char buf[20];
3576 size_t readbytes, written;
3578 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3579 &serverssl, &sess, idx)))
3582 if (testtype == 1 || testtype == 2) {
3583 /* Force an HRR to occur */
3584 #if defined(OPENSSL_NO_EC)
3585 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3588 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3591 } else if (idx == 2) {
3593 * We force early_data rejection by ensuring the PSK identity is
3596 srvid = "Dummy Identity";
3599 * Deliberately corrupt the creation time. We take 20 seconds off the
3600 * time. It could be any value as long as it is not within tolerance.
3601 * This should mean the ticket is rejected.
3603 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3608 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3611 /* Write some early data */
3612 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3614 || !TEST_size_t_eq(written, strlen(MSG1)))
3617 /* Server should reject the early data */
3618 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3620 SSL_READ_EARLY_DATA_FINISH)
3621 || !TEST_size_t_eq(readbytes, 0)
3622 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3623 SSL_EARLY_DATA_REJECTED))
3633 * Finish off the handshake. We perform the same writes and reads as
3634 * further down but we expect them to fail due to the incomplete
3637 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3638 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3645 BIO *wbio = SSL_get_wbio(clientssl);
3646 /* A record that will appear as bad early_data */
3647 const unsigned char bad_early_data[] = {
3648 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3652 * We force the client to attempt a write. This will fail because
3653 * we're still in the handshake. It will cause the second
3654 * ClientHello to be sent.
3656 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3661 * Inject some early_data after the second ClientHello. This should
3662 * cause the server to fail
3664 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3665 sizeof(bad_early_data), &written)))
3672 * This client has sent more early_data than we are willing to skip
3673 * (case 3) or sent invalid early_data (case 2) so the connection should
3676 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3677 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3680 /* Connection has failed - nothing more to do */
3685 TEST_error("Invalid test type");
3690 * Should be able to send normal data despite rejection of early data. The
3691 * early_data should be skipped.
3693 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3694 || !TEST_size_t_eq(written, strlen(MSG2))
3695 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3696 SSL_EARLY_DATA_REJECTED)
3697 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3698 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3704 SSL_SESSION_free(clientpsk);
3705 SSL_SESSION_free(serverpsk);
3706 clientpsk = serverpsk = NULL;
3707 SSL_SESSION_free(sess);
3708 SSL_free(serverssl);
3709 SSL_free(clientssl);
3716 * Test that a server attempting to read early data can handle a connection
3717 * from a client where the early data is not acceptable.
3719 static int test_early_data_skip(int idx)
3721 return early_data_skip_helper(0, idx);
3725 * Test that a server attempting to read early data can handle a connection
3726 * from a client where an HRR occurs.
3728 static int test_early_data_skip_hrr(int idx)
3730 return early_data_skip_helper(1, idx);
3734 * Test that a server attempting to read early data can handle a connection
3735 * from a client where an HRR occurs and correctly fails if early_data is sent
3738 static int test_early_data_skip_hrr_fail(int idx)
3740 return early_data_skip_helper(2, idx);
3744 * Test that a server attempting to read early data will abort if it tries to
3745 * skip over too much.
3747 static int test_early_data_skip_abort(int idx)
3749 return early_data_skip_helper(3, idx);
3753 * Test that a server attempting to read early data can handle a connection
3754 * from a client that doesn't send any.
3756 static int test_early_data_not_sent(int idx)
3758 SSL_CTX *cctx = NULL, *sctx = NULL;
3759 SSL *clientssl = NULL, *serverssl = NULL;
3761 SSL_SESSION *sess = NULL;
3762 unsigned char buf[20];
3763 size_t readbytes, written;
3765 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3766 &serverssl, &sess, idx)))
3769 /* Write some data - should block due to handshake with server */
3770 SSL_set_connect_state(clientssl);
3771 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3774 /* Server should detect that early data has not been sent */
3775 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3777 SSL_READ_EARLY_DATA_FINISH)
3778 || !TEST_size_t_eq(readbytes, 0)
3779 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3780 SSL_EARLY_DATA_NOT_SENT)
3781 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3782 SSL_EARLY_DATA_NOT_SENT))
3785 /* Continue writing the message we started earlier */
3786 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3787 || !TEST_size_t_eq(written, strlen(MSG1))
3788 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3789 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3790 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3791 || !TEST_size_t_eq(written, strlen(MSG2)))
3794 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3795 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3801 SSL_SESSION_free(sess);
3802 SSL_SESSION_free(clientpsk);
3803 SSL_SESSION_free(serverpsk);
3804 clientpsk = serverpsk = NULL;
3805 SSL_free(serverssl);
3806 SSL_free(clientssl);
3812 static const char *servalpn;
3814 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3815 unsigned char *outlen, const unsigned char *in,
3816 unsigned int inlen, void *arg)
3818 unsigned int protlen = 0;
3819 const unsigned char *prot;
3821 for (prot = in; prot < in + inlen; prot += protlen) {
3823 if (in + inlen < prot + protlen)
3824 return SSL_TLSEXT_ERR_NOACK;
3826 if (protlen == strlen(servalpn)
3827 && memcmp(prot, servalpn, protlen) == 0) {
3830 return SSL_TLSEXT_ERR_OK;
3834 return SSL_TLSEXT_ERR_NOACK;
3837 /* Test that a PSK can be used to send early_data */
3838 static int test_early_data_psk(int idx)
3840 SSL_CTX *cctx = NULL, *sctx = NULL;
3841 SSL *clientssl = NULL, *serverssl = NULL;
3843 SSL_SESSION *sess = NULL;
3844 unsigned char alpnlist[] = {
3845 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3848 #define GOODALPNLEN 9
3849 #define BADALPNLEN 8
3850 #define GOODALPN (alpnlist)
3851 #define BADALPN (alpnlist + GOODALPNLEN)
3853 unsigned char buf[20];
3854 size_t readbytes, written;
3855 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3856 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3858 /* We always set this up with a final parameter of "2" for PSK */
3859 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3860 &serverssl, &sess, 2)))
3863 servalpn = "goodalpn";
3866 * Note: There is no test for inconsistent SNI with late client detection.
3867 * This is because servers do not acknowledge SNI even if they are using
3868 * it in a resumption handshake - so it is not actually possible for a
3869 * client to detect a problem.
3873 /* Set inconsistent SNI (early client detection) */
3874 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3875 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3876 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3881 /* Set inconsistent ALPN (early client detection) */
3882 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3883 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3884 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3886 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3893 * Set invalid protocol version. Technically this affects PSKs without
3894 * early_data too, but we test it here because it is similar to the
3895 * SNI/ALPN consistency tests.
3897 err = SSL_R_BAD_PSK;
3898 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3904 * Set inconsistent SNI (server side). In this case the connection
3905 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3906 * is associated with each handshake - not the session. Therefore it
3907 * should not matter that we used a different server name last time.
3909 SSL_SESSION_free(serverpsk);
3910 serverpsk = SSL_SESSION_dup(clientpsk);
3911 if (!TEST_ptr(serverpsk)
3912 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3916 /* Set consistent SNI */
3917 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3918 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3919 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3926 * Set inconsistent ALPN (server detected). In this case the connection
3927 * will succeed but reject early_data.
3929 servalpn = "badalpn";
3930 edstatus = SSL_EARLY_DATA_REJECTED;
3931 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3935 * Set consistent ALPN.
3936 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3937 * accepts a list of protos (each one length prefixed).
3938 * SSL_set1_alpn_selected accepts a single protocol (not length
3941 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3943 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3947 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3951 /* Set inconsistent ALPN (late client detection) */
3952 SSL_SESSION_free(serverpsk);
3953 serverpsk = SSL_SESSION_dup(clientpsk);
3954 if (!TEST_ptr(serverpsk)
3955 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3958 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3961 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3964 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3965 edstatus = SSL_EARLY_DATA_ACCEPTED;
3966 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3967 /* SSL_connect() call should fail */
3972 TEST_error("Bad test index");
3976 SSL_set_connect_state(clientssl);
3978 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3980 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3981 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3984 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3988 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3989 &readbytes), readearlyres)
3990 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3991 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3992 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3993 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4000 SSL_SESSION_free(sess);
4001 SSL_SESSION_free(clientpsk);
4002 SSL_SESSION_free(serverpsk);
4003 clientpsk = serverpsk = NULL;
4004 SSL_free(serverssl);
4005 SSL_free(clientssl);
4012 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4013 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4014 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4015 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4016 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4017 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4019 static int test_early_data_psk_with_all_ciphers(int idx)
4021 SSL_CTX *cctx = NULL, *sctx = NULL;
4022 SSL *clientssl = NULL, *serverssl = NULL;
4024 SSL_SESSION *sess = NULL;
4025 unsigned char buf[20];
4026 size_t readbytes, written;
4027 const SSL_CIPHER *cipher;
4028 const char *cipher_str[] = {
4029 TLS1_3_RFC_AES_128_GCM_SHA256,
4030 TLS1_3_RFC_AES_256_GCM_SHA384,
4031 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4032 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4036 TLS1_3_RFC_AES_128_CCM_SHA256,
4037 TLS1_3_RFC_AES_128_CCM_8_SHA256
4039 const unsigned char *cipher_bytes[] = {
4040 TLS13_AES_128_GCM_SHA256_BYTES,
4041 TLS13_AES_256_GCM_SHA384_BYTES,
4042 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4043 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4047 TLS13_AES_128_CCM_SHA256_BYTES,
4048 TLS13_AES_128_CCM_8_SHA256_BYTES
4051 if (cipher_str[idx] == NULL)
4053 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4054 if (idx == 2 && is_fips == 1)
4057 /* We always set this up with a final parameter of "2" for PSK */
4058 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4059 &serverssl, &sess, 2)))
4062 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4063 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4067 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4068 * and assigns to both client and server with incremented reference
4069 * and the same instance is updated in 'sess'.
4070 * So updating ciphersuite in 'sess' which will get reflected in
4071 * PSK handshake using psk use sess and find sess cb.
4073 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4074 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4077 SSL_set_connect_state(clientssl);
4078 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4082 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4084 SSL_READ_EARLY_DATA_SUCCESS)
4085 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4086 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4087 SSL_EARLY_DATA_ACCEPTED)
4088 || !TEST_int_eq(SSL_connect(clientssl), 1)
4089 || !TEST_int_eq(SSL_accept(serverssl), 1))
4092 /* Send some normal data from client to server */
4093 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4094 || !TEST_size_t_eq(written, strlen(MSG2)))
4097 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4098 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4103 SSL_SESSION_free(sess);
4104 SSL_SESSION_free(clientpsk);
4105 SSL_SESSION_free(serverpsk);
4106 clientpsk = serverpsk = NULL;
4107 if (clientssl != NULL)
4108 SSL_shutdown(clientssl);
4109 if (serverssl != NULL)
4110 SSL_shutdown(serverssl);
4111 SSL_free(serverssl);
4112 SSL_free(clientssl);
4119 * Test that a server that doesn't try to read early data can handle a
4120 * client sending some.
4122 static int test_early_data_not_expected(int idx)
4124 SSL_CTX *cctx = NULL, *sctx = NULL;
4125 SSL *clientssl = NULL, *serverssl = NULL;
4127 SSL_SESSION *sess = NULL;
4128 unsigned char buf[20];
4129 size_t readbytes, written;
4131 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4132 &serverssl, &sess, idx)))
4135 /* Write some early data */
4136 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4141 * Server should skip over early data and then block waiting for client to
4142 * continue handshake
4144 if (!TEST_int_le(SSL_accept(serverssl), 0)
4145 || !TEST_int_gt(SSL_connect(clientssl), 0)
4146 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4147 SSL_EARLY_DATA_REJECTED)
4148 || !TEST_int_gt(SSL_accept(serverssl), 0)
4149 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4150 SSL_EARLY_DATA_REJECTED))
4153 /* Send some normal data from client to server */
4154 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4155 || !TEST_size_t_eq(written, strlen(MSG2)))
4158 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4159 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4165 SSL_SESSION_free(sess);
4166 SSL_SESSION_free(clientpsk);
4167 SSL_SESSION_free(serverpsk);
4168 clientpsk = serverpsk = NULL;
4169 SSL_free(serverssl);
4170 SSL_free(clientssl);
4177 # ifndef OPENSSL_NO_TLS1_2
4179 * Test that a server attempting to read early data can handle a connection
4180 * from a TLSv1.2 client.
4182 static int test_early_data_tls1_2(int idx)
4184 SSL_CTX *cctx = NULL, *sctx = NULL;
4185 SSL *clientssl = NULL, *serverssl = NULL;
4187 unsigned char buf[20];
4188 size_t readbytes, written;
4190 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4191 &serverssl, NULL, idx)))
4194 /* Write some data - should block due to handshake with server */
4195 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4196 SSL_set_connect_state(clientssl);
4197 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4201 * Server should do TLSv1.2 handshake. First it will block waiting for more
4202 * messages from client after ServerDone. Then SSL_read_early_data should
4203 * finish and detect that early data has not been sent
4205 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4207 SSL_READ_EARLY_DATA_ERROR))
4211 * Continue writing the message we started earlier. Will still block waiting
4212 * for the CCS/Finished from server
4214 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4215 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4217 SSL_READ_EARLY_DATA_FINISH)
4218 || !TEST_size_t_eq(readbytes, 0)
4219 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4220 SSL_EARLY_DATA_NOT_SENT))
4223 /* Continue writing the message we started earlier */
4224 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4225 || !TEST_size_t_eq(written, strlen(MSG1))
4226 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4227 SSL_EARLY_DATA_NOT_SENT)
4228 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4229 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4230 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4231 || !TEST_size_t_eq(written, strlen(MSG2))
4232 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4233 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4239 SSL_SESSION_free(clientpsk);
4240 SSL_SESSION_free(serverpsk);
4241 clientpsk = serverpsk = NULL;
4242 SSL_free(serverssl);
4243 SSL_free(clientssl);
4249 # endif /* OPENSSL_NO_TLS1_2 */
4252 * Test configuring the TLSv1.3 ciphersuites
4254 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4255 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4256 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4257 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4258 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4259 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4260 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4261 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4262 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4263 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4265 static int test_set_ciphersuite(int idx)
4267 SSL_CTX *cctx = NULL, *sctx = NULL;
4268 SSL *clientssl = NULL, *serverssl = NULL;
4271 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4272 TLS_client_method(), TLS1_VERSION, 0,
4273 &sctx, &cctx, cert, privkey))
4274 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4275 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4278 if (idx >=4 && idx <= 7) {
4279 /* SSL_CTX explicit cipher list */
4280 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4284 if (idx == 0 || idx == 4) {
4285 /* Default ciphersuite */
4286 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4287 "TLS_AES_128_GCM_SHA256")))
4289 } else if (idx == 1 || idx == 5) {
4290 /* Non default ciphersuite */
4291 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4292 "TLS_AES_128_CCM_SHA256")))
4296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4297 &clientssl, NULL, NULL)))
4300 if (idx == 8 || idx == 9) {
4301 /* SSL explicit cipher list */
4302 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4306 if (idx == 2 || idx == 6 || idx == 8) {
4307 /* Default ciphersuite */
4308 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4309 "TLS_AES_128_GCM_SHA256")))
4311 } else if (idx == 3 || idx == 7 || idx == 9) {
4312 /* Non default ciphersuite */
4313 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4314 "TLS_AES_128_CCM_SHA256")))
4318 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4324 SSL_free(serverssl);
4325 SSL_free(clientssl);
4332 static int test_ciphersuite_change(void)
4334 SSL_CTX *cctx = NULL, *sctx = NULL;
4335 SSL *clientssl = NULL, *serverssl = NULL;
4336 SSL_SESSION *clntsess = NULL;
4338 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4340 /* Create a session based on SHA-256 */
4341 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4342 TLS_client_method(), TLS1_VERSION, 0,
4343 &sctx, &cctx, cert, privkey))
4344 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4345 "TLS_AES_128_GCM_SHA256:"
4346 "TLS_AES_256_GCM_SHA384:"
4347 "TLS_AES_128_CCM_SHA256"))
4348 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4349 "TLS_AES_128_GCM_SHA256"))
4350 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4351 &clientssl, NULL, NULL))
4352 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4356 clntsess = SSL_get1_session(clientssl);
4357 /* Save for later */
4358 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4359 SSL_shutdown(clientssl);
4360 SSL_shutdown(serverssl);
4361 SSL_free(serverssl);
4362 SSL_free(clientssl);
4363 serverssl = clientssl = NULL;
4365 /* Check we can resume a session with a different SHA-256 ciphersuite */
4366 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4367 "TLS_AES_128_CCM_SHA256"))
4368 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4369 &clientssl, NULL, NULL))
4370 || !TEST_true(SSL_set_session(clientssl, clntsess))
4371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4373 || !TEST_true(SSL_session_reused(clientssl)))
4376 SSL_SESSION_free(clntsess);
4377 clntsess = SSL_get1_session(clientssl);
4378 SSL_shutdown(clientssl);
4379 SSL_shutdown(serverssl);
4380 SSL_free(serverssl);
4381 SSL_free(clientssl);
4382 serverssl = clientssl = NULL;
4385 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4386 * succeeds but does not resume.
4388 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4389 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4391 || !TEST_true(SSL_set_session(clientssl, clntsess))
4392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4394 || !TEST_false(SSL_session_reused(clientssl)))
4397 SSL_SESSION_free(clntsess);
4399 SSL_shutdown(clientssl);
4400 SSL_shutdown(serverssl);
4401 SSL_free(serverssl);
4402 SSL_free(clientssl);
4403 serverssl = clientssl = NULL;
4405 /* Create a session based on SHA384 */
4406 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4407 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4408 &clientssl, NULL, NULL))
4409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4413 clntsess = SSL_get1_session(clientssl);
4414 SSL_shutdown(clientssl);
4415 SSL_shutdown(serverssl);
4416 SSL_free(serverssl);
4417 SSL_free(clientssl);
4418 serverssl = clientssl = NULL;
4420 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4421 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4422 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4423 "TLS_AES_256_GCM_SHA384"))
4424 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4426 || !TEST_true(SSL_set_session(clientssl, clntsess))
4428 * We use SSL_ERROR_WANT_READ below so that we can pause the
4429 * connection after the initial ClientHello has been sent to
4430 * enable us to make some session changes.
4432 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4433 SSL_ERROR_WANT_READ)))
4436 /* Trick the client into thinking this session is for a different digest */
4437 clntsess->cipher = aes_128_gcm_sha256;
4438 clntsess->cipher_id = clntsess->cipher->id;
4441 * Continue the previously started connection. Server has selected a SHA-384
4442 * ciphersuite, but client thinks the session is for SHA-256, so it should
4445 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4447 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4448 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4454 SSL_SESSION_free(clntsess);
4455 SSL_free(serverssl);
4456 SSL_free(clientssl);
4464 * Test TLSv1.3 Key exchange
4465 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4466 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4467 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4468 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4469 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4470 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4471 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4472 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4473 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4474 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4475 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4476 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4477 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4478 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4480 static int test_key_exchange(int idx)
4482 SSL_CTX *sctx = NULL, *cctx = NULL;
4483 SSL *serverssl = NULL, *clientssl = NULL;
4485 # ifndef OPENSSL_NO_EC
4486 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4487 NID_secp521r1, NID_X25519, NID_X448};
4489 # ifndef OPENSSL_NO_DH
4490 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4491 NID_ffdhe6144, NID_ffdhe8192};
4494 int *kexch_groups = &kexch_alg;
4495 int kexch_groups_size = 1;
4496 int max_version = TLS1_3_VERSION;
4499 # ifndef OPENSSL_NO_EC
4500 # ifndef OPENSSL_NO_TLS1_2
4502 max_version = TLS1_2_VERSION;
4506 kexch_groups = ecdhe_kexch_groups;
4507 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4510 kexch_alg = NID_X9_62_prime256v1;
4513 kexch_alg = NID_secp384r1;
4516 kexch_alg = NID_secp521r1;
4519 kexch_alg = NID_X25519;
4522 kexch_alg = NID_X448;
4525 # ifndef OPENSSL_NO_DH
4526 # ifndef OPENSSL_NO_TLS1_2
4528 max_version = TLS1_2_VERSION;
4532 kexch_groups = ffdhe_kexch_groups;
4533 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4536 kexch_alg = NID_ffdhe2048;
4539 kexch_alg = NID_ffdhe3072;
4542 kexch_alg = NID_ffdhe4096;
4545 kexch_alg = NID_ffdhe6144;
4548 kexch_alg = NID_ffdhe8192;
4552 /* We're skipping this test */
4556 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4557 TLS_client_method(), TLS1_VERSION,
4558 max_version, &sctx, &cctx, cert,
4562 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4563 TLS1_3_RFC_AES_128_GCM_SHA256)))
4566 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4567 TLS1_3_RFC_AES_128_GCM_SHA256)))
4570 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4571 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4575 * Must include an EC ciphersuite so that we send supported groups in
4578 # ifndef OPENSSL_NO_TLS1_2
4579 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4580 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4581 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4585 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4589 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4590 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4593 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4597 * If Handshake succeeds the negotiated kexch alg should be the first one in
4598 * configured, except in the case of FFDHE groups (idx 13), which are
4599 * TLSv1.3 only so we expect no shared group to exist.
4601 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4602 idx == 13 ? 0 : kexch_groups[0]))
4604 if (max_version == TLS1_3_VERSION) {
4605 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4607 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4613 SSL_free(serverssl);
4614 SSL_free(clientssl);
4621 * Test TLSv1.3 Cipher Suite
4622 * Test 0 = Set TLS1.3 cipher on context
4623 * Test 1 = Set TLS1.3 cipher on SSL
4624 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4625 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4627 static int test_tls13_ciphersuite(int idx)
4629 SSL_CTX *sctx = NULL, *cctx = NULL;
4630 SSL *serverssl = NULL, *clientssl = NULL;
4631 static const struct {
4632 const char *ciphername;
4635 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4636 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4637 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4638 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4639 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4640 { TLS1_3_RFC_AES_256_GCM_SHA384
4641 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4643 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4645 const char *t13_cipher = NULL;
4646 const char *t12_cipher = NULL;
4647 const char *negotiated_scipher;
4648 const char *negotiated_ccipher;
4664 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4668 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4672 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4673 # ifdef OPENSSL_NO_TLS1_2
4674 if (max_ver == TLS1_2_VERSION)
4677 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4678 if (is_fips && !t13_ciphers[i].fipscapable)
4680 t13_cipher = t13_ciphers[i].ciphername;
4681 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4682 TLS_client_method(),
4683 TLS1_VERSION, max_ver,
4684 &sctx, &cctx, cert, privkey)))
4688 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4689 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4691 if (t12_cipher != NULL) {
4692 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4693 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4700 &clientssl, NULL, NULL)))
4704 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4705 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4707 if (t12_cipher != NULL) {
4708 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4709 || !TEST_true(SSL_set_cipher_list(clientssl,
4715 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4719 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4721 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4723 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4727 * TEST_strn_eq is used below because t13_cipher can contain
4728 * multiple ciphersuites
4730 if (max_ver == TLS1_3_VERSION
4731 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4732 strlen(negotiated_scipher)))
4735 # ifndef OPENSSL_NO_TLS1_2
4736 /* Below validation is not done when t12_cipher is NULL */
4737 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4738 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4742 SSL_free(serverssl);
4744 SSL_free(clientssl);
4755 SSL_free(serverssl);
4756 SSL_free(clientssl);
4764 * Test 0 = Test new style callbacks
4765 * Test 1 = Test both new and old style callbacks
4766 * Test 2 = Test old style callbacks
4767 * Test 3 = Test old style callbacks with no certificate
4769 static int test_tls13_psk(int idx)
4771 SSL_CTX *sctx = NULL, *cctx = NULL;
4772 SSL *serverssl = NULL, *clientssl = NULL;
4773 const SSL_CIPHER *cipher = NULL;
4774 const unsigned char key[] = {
4775 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4776 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4777 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4778 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4782 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4783 TLS_client_method(), TLS1_VERSION, 0,
4784 &sctx, &cctx, idx == 3 ? NULL : cert,
4785 idx == 3 ? NULL : privkey)))
4790 * We use a ciphersuite with SHA256 to ease testing old style PSK
4791 * callbacks which will always default to SHA256. This should not be
4792 * necessary if we have no cert/priv key. In that case the server should
4793 * prefer SHA256 automatically.
4795 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4796 "TLS_AES_128_GCM_SHA256")))
4800 * As noted above the server should prefer SHA256 automatically. However
4801 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4802 * code works even if we are testing with only the FIPS provider loaded.
4804 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4805 "TLS_AES_256_GCM_SHA384:"
4806 "TLS_AES_128_GCM_SHA256")))
4811 * Test 0: New style callbacks only
4812 * Test 1: New and old style callbacks (only the new ones should be used)
4813 * Test 2: Old style callbacks only
4815 if (idx == 0 || idx == 1) {
4816 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4817 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4819 #ifndef OPENSSL_NO_PSK
4821 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4822 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4826 use_session_cb_cnt = 0;
4827 find_session_cb_cnt = 0;
4828 psk_client_cb_cnt = 0;
4829 psk_server_cb_cnt = 0;
4833 * Check we can create a connection if callback decides not to send a
4836 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4838 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4840 || !TEST_false(SSL_session_reused(clientssl))
4841 || !TEST_false(SSL_session_reused(serverssl)))
4844 if (idx == 0 || idx == 1) {
4845 if (!TEST_true(use_session_cb_cnt == 1)
4846 || !TEST_true(find_session_cb_cnt == 0)
4848 * If no old style callback then below should be 0
4851 || !TEST_true(psk_client_cb_cnt == idx)
4852 || !TEST_true(psk_server_cb_cnt == 0))
4855 if (!TEST_true(use_session_cb_cnt == 0)
4856 || !TEST_true(find_session_cb_cnt == 0)
4857 || !TEST_true(psk_client_cb_cnt == 1)
4858 || !TEST_true(psk_server_cb_cnt == 0))
4862 shutdown_ssl_connection(serverssl, clientssl);
4863 serverssl = clientssl = NULL;
4864 use_session_cb_cnt = psk_client_cb_cnt = 0;
4867 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4871 /* Create the PSK */
4872 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4873 clientpsk = SSL_SESSION_new();
4874 if (!TEST_ptr(clientpsk)
4875 || !TEST_ptr(cipher)
4876 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4878 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4879 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4881 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4883 serverpsk = clientpsk;
4885 /* Check we can create a connection and the PSK is used */
4886 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4887 || !TEST_true(SSL_session_reused(clientssl))
4888 || !TEST_true(SSL_session_reused(serverssl)))
4891 if (idx == 0 || idx == 1) {
4892 if (!TEST_true(use_session_cb_cnt == 1)
4893 || !TEST_true(find_session_cb_cnt == 1)
4894 || !TEST_true(psk_client_cb_cnt == 0)
4895 || !TEST_true(psk_server_cb_cnt == 0))
4898 if (!TEST_true(use_session_cb_cnt == 0)
4899 || !TEST_true(find_session_cb_cnt == 0)
4900 || !TEST_true(psk_client_cb_cnt == 1)
4901 || !TEST_true(psk_server_cb_cnt == 1))
4905 shutdown_ssl_connection(serverssl, clientssl);
4906 serverssl = clientssl = NULL;
4907 use_session_cb_cnt = find_session_cb_cnt = 0;
4908 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4910 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4915 #if defined(OPENSSL_NO_EC)
4916 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4919 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4924 * Check we can create a connection, the PSK is used and the callbacks are
4927 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4928 || !TEST_true(SSL_session_reused(clientssl))
4929 || !TEST_true(SSL_session_reused(serverssl)))
4932 if (idx == 0 || idx == 1) {
4933 if (!TEST_true(use_session_cb_cnt == 2)
4934 || !TEST_true(find_session_cb_cnt == 2)
4935 || !TEST_true(psk_client_cb_cnt == 0)
4936 || !TEST_true(psk_server_cb_cnt == 0))
4939 if (!TEST_true(use_session_cb_cnt == 0)
4940 || !TEST_true(find_session_cb_cnt == 0)
4941 || !TEST_true(psk_client_cb_cnt == 2)
4942 || !TEST_true(psk_server_cb_cnt == 2))
4946 shutdown_ssl_connection(serverssl, clientssl);
4947 serverssl = clientssl = NULL;
4948 use_session_cb_cnt = find_session_cb_cnt = 0;
4949 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4953 * Check that if the server rejects the PSK we can still connect, but with
4956 srvid = "Dummy Identity";
4957 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4959 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4961 || !TEST_false(SSL_session_reused(clientssl))
4962 || !TEST_false(SSL_session_reused(serverssl)))
4965 if (idx == 0 || idx == 1) {
4966 if (!TEST_true(use_session_cb_cnt == 1)
4967 || !TEST_true(find_session_cb_cnt == 1)
4968 || !TEST_true(psk_client_cb_cnt == 0)
4970 * If no old style callback then below should be 0
4973 || !TEST_true(psk_server_cb_cnt == idx))
4976 if (!TEST_true(use_session_cb_cnt == 0)
4977 || !TEST_true(find_session_cb_cnt == 0)
4978 || !TEST_true(psk_client_cb_cnt == 1)
4979 || !TEST_true(psk_server_cb_cnt == 1))
4983 shutdown_ssl_connection(serverssl, clientssl);
4984 serverssl = clientssl = NULL;
4989 SSL_SESSION_free(clientpsk);
4990 SSL_SESSION_free(serverpsk);
4991 clientpsk = serverpsk = NULL;
4992 SSL_free(serverssl);
4993 SSL_free(clientssl);
4999 static unsigned char cookie_magic_value[] = "cookie magic";
5001 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5002 unsigned int *cookie_len)
5005 * Not suitable as a real cookie generation function but good enough for
5008 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5009 *cookie_len = sizeof(cookie_magic_value) - 1;
5014 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5015 unsigned int cookie_len)
5017 if (cookie_len == sizeof(cookie_magic_value) - 1
5018 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5024 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5028 int res = generate_cookie_callback(ssl, cookie, &temp);
5033 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5036 return verify_cookie_callback(ssl, cookie, cookie_len);
5039 static int test_stateless(void)
5041 SSL_CTX *sctx = NULL, *cctx = NULL;
5042 SSL *serverssl = NULL, *clientssl = NULL;
5045 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5046 TLS_client_method(), TLS1_VERSION, 0,
5047 &sctx, &cctx, cert, privkey)))
5050 /* The arrival of CCS messages can confuse the test */
5051 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5053 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5055 /* Send the first ClientHello */
5056 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5057 SSL_ERROR_WANT_READ))
5059 * This should fail with a -1 return because we have no callbacks
5062 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5065 /* Fatal error so abandon the connection from this client */
5066 SSL_free(clientssl);
5069 /* Set up the cookie generation and verification callbacks */
5070 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5071 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5074 * Create a new connection from the client (we can reuse the server SSL
5077 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5079 /* Send the first ClientHello */
5080 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5081 SSL_ERROR_WANT_READ))
5082 /* This should fail because there is no cookie */
5083 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5086 /* Abandon the connection from this client */
5087 SSL_free(clientssl);
5091 * Now create a connection from a new client but with the same server SSL
5094 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5096 /* Send the first ClientHello */
5097 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5098 SSL_ERROR_WANT_READ))
5099 /* This should fail because there is no cookie */
5100 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5101 /* Send the second ClientHello */
5102 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5103 SSL_ERROR_WANT_READ))
5104 /* This should succeed because a cookie is now present */
5105 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5106 /* Complete the connection */
5107 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5111 shutdown_ssl_connection(serverssl, clientssl);
5112 serverssl = clientssl = NULL;
5116 SSL_free(serverssl);
5117 SSL_free(clientssl);
5123 #endif /* OPENSSL_NO_TLS1_3 */
5125 static int clntaddoldcb = 0;
5126 static int clntparseoldcb = 0;
5127 static int srvaddoldcb = 0;
5128 static int srvparseoldcb = 0;
5129 static int clntaddnewcb = 0;
5130 static int clntparsenewcb = 0;
5131 static int srvaddnewcb = 0;
5132 static int srvparsenewcb = 0;
5133 static int snicb = 0;
5135 #define TEST_EXT_TYPE1 0xff00
5137 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5138 size_t *outlen, int *al, void *add_arg)
5140 int *server = (int *)add_arg;
5141 unsigned char *data;
5143 if (SSL_is_server(s))
5148 if (*server != SSL_is_server(s)
5149 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5154 *outlen = sizeof(char);
5158 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5161 OPENSSL_free((unsigned char *)out);
5164 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5165 size_t inlen, int *al, void *parse_arg)
5167 int *server = (int *)parse_arg;
5169 if (SSL_is_server(s))
5174 if (*server != SSL_is_server(s)
5175 || inlen != sizeof(char)
5182 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5183 const unsigned char **out, size_t *outlen, X509 *x,
5184 size_t chainidx, int *al, void *add_arg)
5186 int *server = (int *)add_arg;
5187 unsigned char *data;
5189 if (SSL_is_server(s))
5194 if (*server != SSL_is_server(s)
5195 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5200 *outlen = sizeof(*data);
5204 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5205 const unsigned char *out, void *add_arg)
5207 OPENSSL_free((unsigned char *)out);
5210 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5211 const unsigned char *in, size_t inlen, X509 *x,
5212 size_t chainidx, int *al, void *parse_arg)
5214 int *server = (int *)parse_arg;
5216 if (SSL_is_server(s))
5221 if (*server != SSL_is_server(s)
5222 || inlen != sizeof(char) || *in != 1)
5228 static int sni_cb(SSL *s, int *al, void *arg)
5230 SSL_CTX *ctx = (SSL_CTX *)arg;
5232 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5233 *al = SSL_AD_INTERNAL_ERROR;
5234 return SSL_TLSEXT_ERR_ALERT_FATAL;
5237 return SSL_TLSEXT_ERR_OK;
5241 * Custom call back tests.
5242 * Test 0: Old style callbacks in TLSv1.2
5243 * Test 1: New style callbacks in TLSv1.2
5244 * Test 2: New style callbacks in TLSv1.2 with SNI
5245 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5246 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5248 static int test_custom_exts(int tst)
5250 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5251 SSL *clientssl = NULL, *serverssl = NULL;
5253 static int server = 1;
5254 static int client = 0;
5255 SSL_SESSION *sess = NULL;
5256 unsigned int context;
5258 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5259 /* Skip tests for TLSv1.2 and below in this case */
5264 /* Reset callback counters */
5265 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5266 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5269 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5270 TLS_client_method(), TLS1_VERSION, 0,
5271 &sctx, &cctx, cert, privkey)))
5275 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5277 &sctx2, NULL, cert, privkey)))
5282 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5283 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5285 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5289 context = SSL_EXT_CLIENT_HELLO
5290 | SSL_EXT_TLS1_2_SERVER_HELLO
5291 | SSL_EXT_TLS1_3_SERVER_HELLO
5292 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5293 | SSL_EXT_TLS1_3_CERTIFICATE
5294 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5296 context = SSL_EXT_CLIENT_HELLO
5297 | SSL_EXT_TLS1_2_SERVER_HELLO
5298 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5301 /* Create a client side custom extension */
5303 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5304 old_add_cb, old_free_cb,
5305 &client, old_parse_cb,
5309 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5310 new_add_cb, new_free_cb,
5311 &client, new_parse_cb, &client)))
5315 /* Should not be able to add duplicates */
5316 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5317 old_add_cb, old_free_cb,
5318 &client, old_parse_cb,
5320 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5321 context, new_add_cb,
5322 new_free_cb, &client,
5323 new_parse_cb, &client)))
5326 /* Create a server side custom extension */
5328 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5329 old_add_cb, old_free_cb,
5330 &server, old_parse_cb,
5334 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5335 new_add_cb, new_free_cb,
5336 &server, new_parse_cb, &server)))
5339 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5340 context, new_add_cb,
5341 new_free_cb, &server,
5342 new_parse_cb, &server)))
5346 /* Should not be able to add duplicates */
5347 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5348 old_add_cb, old_free_cb,
5349 &server, old_parse_cb,
5351 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5352 context, new_add_cb,
5353 new_free_cb, &server,
5354 new_parse_cb, &server)))
5359 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5360 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5365 &clientssl, NULL, NULL))
5366 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5371 if (clntaddoldcb != 1
5372 || clntparseoldcb != 1
5374 || srvparseoldcb != 1)
5376 } else if (tst == 1 || tst == 2 || tst == 3) {
5377 if (clntaddnewcb != 1
5378 || clntparsenewcb != 1
5380 || srvparsenewcb != 1
5381 || (tst != 2 && snicb != 0)
5382 || (tst == 2 && snicb != 1))
5385 /* In this case there 2 NewSessionTicket messages created */
5386 if (clntaddnewcb != 1
5387 || clntparsenewcb != 5
5389 || srvparsenewcb != 1)
5393 sess = SSL_get1_session(clientssl);
5394 SSL_shutdown(clientssl);
5395 SSL_shutdown(serverssl);
5396 SSL_free(serverssl);
5397 SSL_free(clientssl);
5398 serverssl = clientssl = NULL;
5401 /* We don't bother with the resumption aspects for this test */
5406 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5408 || !TEST_true(SSL_set_session(clientssl, sess))
5409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5414 * For a resumed session we expect to add the ClientHello extension. For the
5415 * old style callbacks we ignore it on the server side because they set
5416 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5420 if (clntaddoldcb != 2
5421 || clntparseoldcb != 1
5423 || srvparseoldcb != 1)
5425 } else if (tst == 1 || tst == 2 || tst == 3) {
5426 if (clntaddnewcb != 2
5427 || clntparsenewcb != 2
5429 || srvparsenewcb != 2)
5433 * No Certificate message extensions in the resumption handshake,
5434 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5436 if (clntaddnewcb != 2
5437 || clntparsenewcb != 8
5439 || srvparsenewcb != 2)
5446 SSL_SESSION_free(sess);
5447 SSL_free(serverssl);
5448 SSL_free(clientssl);
5449 SSL_CTX_free(sctx2);
5456 * Test loading of serverinfo data in various formats. test_sslmessages actually
5457 * tests to make sure the extensions appear in the handshake
5459 static int test_serverinfo(int tst)
5461 unsigned int version;
5462 unsigned char *sibuf;
5464 int ret, expected, testresult = 0;
5467 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5471 if ((tst & 0x01) == 0x01)
5472 version = SSL_SERVERINFOV2;
5474 version = SSL_SERVERINFOV1;
5476 if ((tst & 0x02) == 0x02) {
5477 sibuf = serverinfov2;
5478 sibuflen = sizeof(serverinfov2);
5479 expected = (version == SSL_SERVERINFOV2);
5481 sibuf = serverinfov1;
5482 sibuflen = sizeof(serverinfov1);
5483 expected = (version == SSL_SERVERINFOV1);
5486 if ((tst & 0x04) == 0x04) {
5487 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5489 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5492 * The version variable is irrelevant in this case - it's what is in the
5493 * buffer that matters
5495 if ((tst & 0x02) == 0x02)
5501 if (!TEST_true(ret == expected))
5513 * Test that SSL_export_keying_material() produces expected results. There are
5514 * no test vectors so all we do is test that both sides of the communication
5515 * produce the same results for different protocol versions.
5517 #define SMALL_LABEL_LEN 10
5518 #define LONG_LABEL_LEN 249
5519 static int test_export_key_mat(int tst)
5522 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5523 SSL *clientssl = NULL, *serverssl = NULL;
5524 const char label[LONG_LABEL_LEN + 1] = "test label";
5525 const unsigned char context[] = "context";
5526 const unsigned char *emptycontext = NULL;
5527 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5528 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5530 const int protocols[] = {
5539 #ifdef OPENSSL_NO_TLS1
5543 #ifdef OPENSSL_NO_TLS1_1
5547 if (is_fips && (tst == 0 || tst == 1))
5549 #ifdef OPENSSL_NO_TLS1_2
5553 #ifdef OPENSSL_NO_TLS1_3
5557 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5558 TLS_client_method(), TLS1_VERSION, 0,
5559 &sctx, &cctx, cert, privkey)))
5562 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5563 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5564 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5566 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5568 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5574 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5577 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5578 sizeof(ckeymat1), label,
5579 LONG_LABEL_LEN + 1, context,
5580 sizeof(context) - 1, 1), 0))
5585 } else if (tst == 4) {
5586 labellen = LONG_LABEL_LEN;
5588 labellen = SMALL_LABEL_LEN;
5591 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5592 sizeof(ckeymat1), label,
5594 sizeof(context) - 1, 1), 1)
5595 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5596 sizeof(ckeymat2), label,
5600 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5601 sizeof(ckeymat3), label,
5604 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5605 sizeof(skeymat1), label,
5608 sizeof(context) -1, 1),
5610 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5611 sizeof(skeymat2), label,
5615 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5616 sizeof(skeymat3), label,
5620 * Check that both sides created the same key material with the
5623 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5626 * Check that both sides created the same key material with an
5629 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5632 * Check that both sides created the same key material without a
5635 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5637 /* Different contexts should produce different results */
5638 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5643 * Check that an empty context and no context produce different results in
5644 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5646 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5648 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5655 SSL_free(serverssl);
5656 SSL_free(clientssl);
5657 SSL_CTX_free(sctx2);
5664 #ifndef OPENSSL_NO_TLS1_3
5666 * Test that SSL_export_keying_material_early() produces expected
5667 * results. There are no test vectors so all we do is test that both
5668 * sides of the communication produce the same results for different
5669 * protocol versions.
5671 static int test_export_key_mat_early(int idx)
5673 static const char label[] = "test label";
5674 static const unsigned char context[] = "context";
5676 SSL_CTX *cctx = NULL, *sctx = NULL;
5677 SSL *clientssl = NULL, *serverssl = NULL;
5678 SSL_SESSION *sess = NULL;
5679 const unsigned char *emptycontext = NULL;
5680 unsigned char ckeymat1[80], ckeymat2[80];
5681 unsigned char skeymat1[80], skeymat2[80];
5682 unsigned char buf[1];
5683 size_t readbytes, written;
5685 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5689 /* Here writing 0 length early data is enough. */
5690 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5691 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5693 SSL_READ_EARLY_DATA_ERROR)
5694 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5695 SSL_EARLY_DATA_ACCEPTED))
5698 if (!TEST_int_eq(SSL_export_keying_material_early(
5699 clientssl, ckeymat1, sizeof(ckeymat1), label,
5700 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5701 || !TEST_int_eq(SSL_export_keying_material_early(
5702 clientssl, ckeymat2, sizeof(ckeymat2), label,
5703 sizeof(label) - 1, emptycontext, 0), 1)
5704 || !TEST_int_eq(SSL_export_keying_material_early(
5705 serverssl, skeymat1, sizeof(skeymat1), label,
5706 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5707 || !TEST_int_eq(SSL_export_keying_material_early(
5708 serverssl, skeymat2, sizeof(skeymat2), label,
5709 sizeof(label) - 1, emptycontext, 0), 1)
5711 * Check that both sides created the same key material with the
5714 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5717 * Check that both sides created the same key material with an
5720 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5722 /* Different contexts should produce different results */
5723 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5730 SSL_SESSION_free(sess);
5731 SSL_SESSION_free(clientpsk);
5732 SSL_SESSION_free(serverpsk);
5733 clientpsk = serverpsk = NULL;
5734 SSL_free(serverssl);
5735 SSL_free(clientssl);
5742 #define NUM_KEY_UPDATE_MESSAGES 40
5746 static int test_key_update(void)
5748 SSL_CTX *cctx = NULL, *sctx = NULL;
5749 SSL *clientssl = NULL, *serverssl = NULL;
5750 int testresult = 0, i, j;
5752 static char *mess = "A test message";
5754 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5755 TLS_client_method(),
5758 &sctx, &cctx, cert, privkey))
5759 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5761 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5765 for (j = 0; j < 2; j++) {
5766 /* Send lots of KeyUpdate messages */
5767 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5768 if (!TEST_true(SSL_key_update(clientssl,
5770 ? SSL_KEY_UPDATE_NOT_REQUESTED
5771 : SSL_KEY_UPDATE_REQUESTED))
5772 || !TEST_true(SSL_do_handshake(clientssl)))
5776 /* Check that sending and receiving app data is ok */
5777 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5778 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5782 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5783 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5791 SSL_free(serverssl);
5792 SSL_free(clientssl);
5800 * Test we can handle a KeyUpdate (update requested) message while write data
5802 * Test 0: Client sends KeyUpdate while Server is writing
5803 * Test 1: Server sends KeyUpdate while Client is writing
5805 static int test_key_update_in_write(int tst)
5807 SSL_CTX *cctx = NULL, *sctx = NULL;
5808 SSL *clientssl = NULL, *serverssl = NULL;
5811 static char *mess = "A test message";
5812 BIO *bretry = BIO_new(bio_s_always_retry());
5814 SSL *peerupdate = NULL, *peerwrite = NULL;
5816 if (!TEST_ptr(bretry)
5817 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5818 TLS_client_method(),
5821 &sctx, &cctx, cert, privkey))
5822 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5824 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5828 peerupdate = tst == 0 ? clientssl : serverssl;
5829 peerwrite = tst == 0 ? serverssl : clientssl;
5831 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5832 || !TEST_true(SSL_do_handshake(peerupdate)))
5835 /* Swap the writing endpoint's write BIO to force a retry */
5836 tmp = SSL_get_wbio(peerwrite);
5837 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5841 SSL_set0_wbio(peerwrite, bretry);
5844 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5845 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5846 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5849 /* Reinstate the original writing endpoint's write BIO */
5850 SSL_set0_wbio(peerwrite, tmp);
5853 /* Now read some data - we will read the key update */
5854 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5855 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5859 * Complete the write we started previously and read it from the other
5862 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5863 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5866 /* Write more data to ensure we send the KeyUpdate message back */
5867 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5868 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5874 SSL_free(serverssl);
5875 SSL_free(clientssl);
5883 #endif /* OPENSSL_NO_TLS1_3 */
5885 static int test_ssl_clear(int idx)
5887 SSL_CTX *cctx = NULL, *sctx = NULL;
5888 SSL *clientssl = NULL, *serverssl = NULL;
5891 #ifdef OPENSSL_NO_TLS1_2
5896 /* Create an initial connection */
5897 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5898 TLS_client_method(), TLS1_VERSION, 0,
5899 &sctx, &cctx, cert, privkey))
5901 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5903 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5904 &clientssl, NULL, NULL))
5905 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5909 SSL_shutdown(clientssl);
5910 SSL_shutdown(serverssl);
5911 SSL_free(serverssl);
5914 /* Clear clientssl - we're going to reuse the object */
5915 if (!TEST_true(SSL_clear(clientssl)))
5918 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5920 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5922 || !TEST_true(SSL_session_reused(clientssl)))
5925 SSL_shutdown(clientssl);
5926 SSL_shutdown(serverssl);
5931 SSL_free(serverssl);
5932 SSL_free(clientssl);
5939 /* Parse CH and retrieve any MFL extension value if present */
5940 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5943 unsigned char *data;
5944 PACKET pkt, pkt2, pkt3;
5945 unsigned int MFL_code = 0, type = 0;
5947 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5950 memset(&pkt, 0, sizeof(pkt));
5951 memset(&pkt2, 0, sizeof(pkt2));
5952 memset(&pkt3, 0, sizeof(pkt3));
5954 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5955 /* Skip the record header */
5956 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5957 /* Skip the handshake message header */
5958 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5959 /* Skip client version and random */
5960 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5961 + SSL3_RANDOM_SIZE))
5962 /* Skip session id */
5963 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5965 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5966 /* Skip compression */
5967 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5968 /* Extensions len */
5969 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5972 /* Loop through all extensions */
5973 while (PACKET_remaining(&pkt2)) {
5974 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5975 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5978 if (type == TLSEXT_TYPE_max_fragment_length) {
5979 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5980 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5983 *mfl_codemfl_code = MFL_code;
5992 /* Maximum-Fragment-Length TLS extension mode to test */
5993 static const unsigned char max_fragment_len_test[] = {
5994 TLSEXT_max_fragment_length_512,
5995 TLSEXT_max_fragment_length_1024,
5996 TLSEXT_max_fragment_length_2048,
5997 TLSEXT_max_fragment_length_4096
6000 static int test_max_fragment_len_ext(int idx_tst)
6004 int testresult = 0, MFL_mode = 0;
6007 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
6011 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6012 ctx, max_fragment_len_test[idx_tst])))
6019 rbio = BIO_new(BIO_s_mem());
6020 wbio = BIO_new(BIO_s_mem());
6021 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6027 SSL_set_bio(con, rbio, wbio);
6028 SSL_set_connect_state(con);
6030 if (!TEST_int_le(SSL_connect(con), 0)) {
6031 /* This shouldn't succeed because we don't have a server! */
6035 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6036 /* no MFL in client hello */
6038 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6050 #ifndef OPENSSL_NO_TLS1_3
6051 static int test_pha_key_update(void)
6053 SSL_CTX *cctx = NULL, *sctx = NULL;
6054 SSL *clientssl = NULL, *serverssl = NULL;
6057 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6058 TLS_client_method(), TLS1_VERSION, 0,
6059 &sctx, &cctx, cert, privkey)))
6062 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6063 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6064 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6065 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6068 SSL_CTX_set_post_handshake_auth(cctx, 1);
6070 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6074 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6078 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6079 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6082 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6085 /* Start handshake on the server */
6086 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6089 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6090 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6094 SSL_shutdown(clientssl);
6095 SSL_shutdown(serverssl);
6100 SSL_free(serverssl);
6101 SSL_free(clientssl);
6108 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6110 static SRP_VBASE *vbase = NULL;
6112 DEFINE_STACK_OF(SRP_user_pwd)
6114 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6116 int ret = SSL3_AL_FATAL;
6118 SRP_user_pwd *user = NULL;
6120 username = SSL_get_srp_username(s);
6121 if (username == NULL) {
6122 *ad = SSL_AD_INTERNAL_ERROR;
6126 user = SRP_VBASE_get1_by_user(vbase, username);
6128 *ad = SSL_AD_INTERNAL_ERROR;
6132 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6134 *ad = SSL_AD_INTERNAL_ERROR;
6141 SRP_user_pwd_free(user);
6145 static int create_new_vfile(char *userid, char *password, const char *filename)
6148 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6151 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6154 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6157 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6158 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6159 if (!TEST_ptr(gNid))
6163 * The only way to create an empty TXT_DB is to provide a BIO with no data
6166 db = TXT_DB_read(dummy, DB_NUMBER);
6170 out = BIO_new_file(filename, "w");
6174 row[DB_srpid] = OPENSSL_strdup(userid);
6175 row[DB_srptype] = OPENSSL_strdup("V");
6176 row[DB_srpgN] = OPENSSL_strdup(gNid);
6178 if (!TEST_ptr(row[DB_srpid])
6179 || !TEST_ptr(row[DB_srptype])
6180 || !TEST_ptr(row[DB_srpgN])
6181 || !TEST_true(TXT_DB_insert(db, row)))
6186 if (!TXT_DB_write(out, db))
6192 for (i = 0; i < DB_NUMBER; i++)
6193 OPENSSL_free(row[i]);
6203 static int create_new_vbase(char *userid, char *password)
6205 BIGNUM *verifier = NULL, *salt = NULL;
6206 const SRP_gN *lgN = NULL;
6207 SRP_user_pwd *user_pwd = NULL;
6210 lgN = SRP_get_default_gN(NULL);
6214 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6215 lgN->N, lgN->g, libctx, NULL)))
6218 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6219 if (!TEST_ptr(user_pwd))
6222 user_pwd->N = lgN->N;
6223 user_pwd->g = lgN->g;
6224 user_pwd->id = OPENSSL_strdup(userid);
6225 if (!TEST_ptr(user_pwd->id))
6228 user_pwd->v = verifier;
6230 verifier = salt = NULL;
6232 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6238 SRP_user_pwd_free(user_pwd);
6248 * Test 0: Simple successful SRP connection, new vbase
6249 * Test 1: Connection failure due to bad password, new vbase
6250 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6251 * Test 3: Connection failure due to bad password, vbase loaded from existing
6253 * Test 4: Simple successful SRP connection, vbase loaded from new file
6254 * Test 5: Connection failure due to bad password, vbase loaded from new file
6256 static int test_srp(int tst)
6258 char *userid = "test", *password = "password", *tstsrpfile;
6259 SSL_CTX *cctx = NULL, *sctx = NULL;
6260 SSL *clientssl = NULL, *serverssl = NULL;
6261 int ret, testresult = 0;
6263 vbase = SRP_VBASE_new(NULL);
6264 if (!TEST_ptr(vbase))
6267 if (tst == 0 || tst == 1) {
6268 if (!TEST_true(create_new_vbase(userid, password)))
6271 if (tst == 4 || tst == 5) {
6272 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6274 tstsrpfile = tmpfilename;
6276 tstsrpfile = srpvfile;
6278 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6282 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6283 TLS_client_method(), TLS1_VERSION, 0,
6284 &sctx, &cctx, cert, privkey)))
6287 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6288 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6289 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6290 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6291 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6295 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6298 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6306 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6308 if (!TEST_true(tst % 2 == 0))
6311 if (!TEST_true(tst % 2 == 1))
6318 SRP_VBASE_free(vbase);
6320 SSL_free(serverssl);
6321 SSL_free(clientssl);
6329 static int info_cb_failed = 0;
6330 static int info_cb_offset = 0;
6331 static int info_cb_this_state = -1;
6333 static struct info_cb_states_st {
6335 const char *statestr;
6336 } info_cb_states[][60] = {
6338 /* TLSv1.2 server followed by resumption */
6339 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6340 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6341 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6342 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6343 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6344 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6345 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6346 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6347 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6348 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6349 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6350 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6351 {SSL_CB_EXIT, NULL}, {0, NULL},
6353 /* TLSv1.2 client followed by resumption */
6354 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6355 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6356 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6357 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6358 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6359 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6360 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6361 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6362 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6363 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6364 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6365 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6367 /* TLSv1.3 server followed by resumption */
6368 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6369 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6370 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6371 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6372 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6373 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6374 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6375 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6376 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6377 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6378 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6379 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6380 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6382 /* TLSv1.3 client followed by resumption */
6383 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6384 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6385 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6386 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6387 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6388 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6389 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6390 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6391 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6392 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6393 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6394 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6395 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6396 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6397 {SSL_CB_EXIT, NULL}, {0, NULL},
6399 /* TLSv1.3 server, early_data */
6400 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6401 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6402 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6403 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6404 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6405 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6406 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6407 {SSL_CB_EXIT, NULL}, {0, NULL},
6409 /* TLSv1.3 client, early_data */
6410 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6411 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6412 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6413 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6414 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6415 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6416 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6417 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6418 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6424 static void sslapi_info_callback(const SSL *s, int where, int ret)
6426 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6428 /* We do not ever expect a connection to fail in this test */
6429 if (!TEST_false(ret == 0)) {
6435 * Do some sanity checks. We never expect these things to happen in this
6438 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6439 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6440 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6445 /* Now check we're in the right state */
6446 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6450 if ((where & SSL_CB_LOOP) != 0
6451 && !TEST_int_eq(strcmp(SSL_state_string(s),
6452 state[info_cb_this_state].statestr), 0)) {
6458 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6460 if ((where & SSL_CB_HANDSHAKE_DONE)
6461 && SSL_in_init((SSL *)s) != 0) {
6468 * Test the info callback gets called when we expect it to.
6470 * Test 0: TLSv1.2, server
6471 * Test 1: TLSv1.2, client
6472 * Test 2: TLSv1.3, server
6473 * Test 3: TLSv1.3, client
6474 * Test 4: TLSv1.3, server, early_data
6475 * Test 5: TLSv1.3, client, early_data
6477 static int test_info_callback(int tst)
6479 SSL_CTX *cctx = NULL, *sctx = NULL;
6480 SSL *clientssl = NULL, *serverssl = NULL;
6481 SSL_SESSION *clntsess = NULL;
6486 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6487 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6488 || !defined(OPENSSL_NO_DH))
6489 tlsvers = TLS1_2_VERSION;
6494 #ifndef OPENSSL_NO_TLS1_3
6495 tlsvers = TLS1_3_VERSION;
6503 info_cb_this_state = -1;
6504 info_cb_offset = tst;
6506 #ifndef OPENSSL_NO_TLS1_3
6508 SSL_SESSION *sess = NULL;
6509 size_t written, readbytes;
6510 unsigned char buf[80];
6512 /* early_data tests */
6513 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6514 &serverssl, &sess, 0)))
6517 /* We don't actually need this reference */
6518 SSL_SESSION_free(sess);
6520 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6521 sslapi_info_callback);
6523 /* Write and read some early data and then complete the connection */
6524 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6526 || !TEST_size_t_eq(written, strlen(MSG1))
6527 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6528 sizeof(buf), &readbytes),
6529 SSL_READ_EARLY_DATA_SUCCESS)
6530 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6531 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6532 SSL_EARLY_DATA_ACCEPTED)
6533 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6535 || !TEST_false(info_cb_failed))
6543 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6544 TLS_client_method(),
6545 tlsvers, tlsvers, &sctx, &cctx, cert,
6550 * For even numbered tests we check the server callbacks. For odd numbers we
6553 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6554 sslapi_info_callback);
6556 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6557 &clientssl, NULL, NULL))
6558 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6560 || !TEST_false(info_cb_failed))
6565 clntsess = SSL_get1_session(clientssl);
6566 SSL_shutdown(clientssl);
6567 SSL_shutdown(serverssl);
6568 SSL_free(serverssl);
6569 SSL_free(clientssl);
6570 serverssl = clientssl = NULL;
6572 /* Now do a resumption */
6573 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6575 || !TEST_true(SSL_set_session(clientssl, clntsess))
6576 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6578 || !TEST_true(SSL_session_reused(clientssl))
6579 || !TEST_false(info_cb_failed))
6585 SSL_free(serverssl);
6586 SSL_free(clientssl);
6587 SSL_SESSION_free(clntsess);
6593 static int test_ssl_pending(int tst)
6595 SSL_CTX *cctx = NULL, *sctx = NULL;
6596 SSL *clientssl = NULL, *serverssl = NULL;
6598 char msg[] = "A test message";
6600 size_t written, readbytes;
6603 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6604 TLS_client_method(),
6606 &sctx, &cctx, cert, privkey)))
6609 #ifndef OPENSSL_NO_DTLS
6610 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6611 DTLS_client_method(),
6613 &sctx, &cctx, cert, privkey)))
6620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6622 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6626 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6627 || !TEST_false(SSL_has_pending(clientssl))
6628 || !TEST_int_eq(SSL_pending(serverssl), 0)
6629 || !TEST_false(SSL_has_pending(serverssl))
6630 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6631 || !TEST_size_t_eq(written, sizeof(msg))
6632 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6633 || !TEST_size_t_eq(readbytes, sizeof(buf))
6634 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6635 || !TEST_true(SSL_has_pending(clientssl)))
6641 SSL_free(serverssl);
6642 SSL_free(clientssl);
6650 unsigned int maxprot;
6651 const char *clntciphers;
6652 const char *clnttls13ciphers;
6653 const char *srvrciphers;
6654 const char *srvrtls13ciphers;
6656 const char *fipsshared;
6657 } shared_ciphers_data[] = {
6659 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6660 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6662 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6665 "AES128-SHA:AES256-SHA",
6667 "AES256-SHA:DHE-RSA-AES128-SHA",
6672 # if !defined(OPENSSL_NO_CHACHA) \
6673 && !defined(OPENSSL_NO_POLY1305) \
6674 && !defined(OPENSSL_NO_EC)
6677 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6679 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6681 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6687 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6689 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6691 "AES128-SHA:AES256-SHA",
6692 "AES128-SHA:AES256-SHA"
6696 "AES128-SHA:AES256-SHA",
6698 "AES128-SHA:DHE-RSA-AES128-SHA",
6705 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6708 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6709 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6712 "AES128-SHA:AES256-SHA",
6714 "AES256-SHA:AES128-SHA256",
6716 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6717 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6718 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6721 #ifndef OPENSSL_NO_TLS1_3
6725 "TLS_AES_256_GCM_SHA384",
6727 "TLS_AES_256_GCM_SHA384",
6728 "TLS_AES_256_GCM_SHA384",
6729 "TLS_AES_256_GCM_SHA384"
6734 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6736 SSL_CTX *cctx = NULL, *sctx = NULL;
6737 SSL *clientssl = NULL, *serverssl = NULL;
6740 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6742 if (!TEST_ptr(tmplibctx))
6746 * Regardless of whether we're testing with the FIPS provider loaded into
6747 * libctx, we want one peer to always use the full set of ciphersuites
6748 * available. Therefore we use a separate libctx with the default provider
6749 * loaded into it. We run the same tests twice - once with the client side
6750 * having the full set of ciphersuites and once with the server side.
6753 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6754 if (!TEST_ptr(cctx))
6757 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6758 if (!TEST_ptr(sctx))
6762 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6763 TLS_client_method(),
6765 shared_ciphers_data[tst].maxprot,
6766 &sctx, &cctx, cert, privkey)))
6769 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6770 shared_ciphers_data[tst].clntciphers))
6771 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6772 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6773 shared_ciphers_data[tst].clnttls13ciphers)))
6774 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6775 shared_ciphers_data[tst].srvrciphers))
6776 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6777 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6778 shared_ciphers_data[tst].srvrtls13ciphers))))
6782 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6784 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6788 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6789 || !TEST_int_eq(strcmp(buf,
6791 ? shared_ciphers_data[tst].fipsshared
6792 : shared_ciphers_data[tst].shared),
6794 TEST_info("Shared ciphers are: %s\n", buf);
6801 SSL_free(serverssl);
6802 SSL_free(clientssl);
6805 OPENSSL_CTX_free(tmplibctx);
6810 static int test_ssl_get_shared_ciphers(int tst)
6812 return int_test_ssl_get_shared_ciphers(tst, 0)
6813 && int_test_ssl_get_shared_ciphers(tst, 1);
6817 static const char *appdata = "Hello World";
6818 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6819 static int tick_key_renew = 0;
6820 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6822 static int gen_tick_cb(SSL *s, void *arg)
6824 gen_tick_called = 1;
6826 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6830 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6831 const unsigned char *keyname,
6832 size_t keyname_length,
6833 SSL_TICKET_STATUS status,
6839 dec_tick_called = 1;
6841 if (status == SSL_TICKET_EMPTY)
6842 return SSL_TICKET_RETURN_IGNORE_RENEW;
6844 if (!TEST_true(status == SSL_TICKET_SUCCESS
6845 || status == SSL_TICKET_SUCCESS_RENEW))
6846 return SSL_TICKET_RETURN_ABORT;
6848 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6850 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6851 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6852 return SSL_TICKET_RETURN_ABORT;
6854 if (tick_key_cb_called) {
6855 /* Don't change what the ticket key callback wanted to do */
6857 case SSL_TICKET_NO_DECRYPT:
6858 return SSL_TICKET_RETURN_IGNORE_RENEW;
6860 case SSL_TICKET_SUCCESS:
6861 return SSL_TICKET_RETURN_USE;
6863 case SSL_TICKET_SUCCESS_RENEW:
6864 return SSL_TICKET_RETURN_USE_RENEW;
6867 return SSL_TICKET_RETURN_ABORT;
6870 return tick_dec_ret;
6874 #ifndef OPENSSL_NO_DEPRECATED_3_0
6875 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6876 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6877 HMAC_CTX *hctx, int enc)
6879 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6880 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6881 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6882 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6885 tick_key_cb_called = 1;
6886 memset(iv, 0, AES_BLOCK_SIZE);
6887 memset(key_name, 0, 16);
6888 if (aes128cbc == NULL
6890 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6891 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6895 ret = tick_key_renew ? 2 : 1;
6897 EVP_CIPHER_free(aes128cbc);
6898 EVP_MD_free(sha256);
6904 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6905 unsigned char iv[EVP_MAX_IV_LENGTH],
6906 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6908 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6909 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6910 OSSL_PARAM params[3];
6911 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6914 tick_key_cb_called = 1;
6915 memset(iv, 0, AES_BLOCK_SIZE);
6916 memset(key_name, 0, 16);
6917 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6919 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6921 sizeof(tick_hmac_key));
6922 params[2] = OSSL_PARAM_construct_end();
6923 if (aes128cbc == NULL
6924 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6925 || !EVP_MAC_CTX_set_params(hctx, params)
6926 || !EVP_MAC_init(hctx))
6929 ret = tick_key_renew ? 2 : 1;
6931 EVP_CIPHER_free(aes128cbc);
6937 * Test the various ticket callbacks
6938 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6939 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6940 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6941 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6942 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6943 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6944 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6945 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6946 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6947 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6948 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6949 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6950 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6951 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6952 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6953 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6955 static int test_ticket_callbacks(int tst)
6957 SSL_CTX *cctx = NULL, *sctx = NULL;
6958 SSL *clientssl = NULL, *serverssl = NULL;
6959 SSL_SESSION *clntsess = NULL;
6962 #ifdef OPENSSL_NO_TLS1_2
6966 #ifdef OPENSSL_NO_TLS1_3
6970 #ifdef OPENSSL_NO_DEPRECATED_3_0
6971 if (tst >= 8 && tst <= 11)
6975 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6977 /* Which tests the ticket key callback should request renewal for */
6978 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6983 /* Which tests the decrypt ticket callback should request renewal for */
6987 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6992 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6997 tick_dec_ret = SSL_TICKET_RETURN_USE;
7002 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7006 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7009 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7010 TLS_client_method(),
7012 ((tst % 2) == 0) ? TLS1_2_VERSION
7014 &sctx, &cctx, cert, privkey)))
7018 * We only want sessions to resume from tickets - not the session cache. So
7019 * switch the cache off.
7021 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7024 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7029 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7031 #ifndef OPENSSL_NO_DEPRECATED_3_0
7032 } else if (tst >= 8) {
7033 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7038 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7040 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7045 * The decrypt ticket key callback in TLSv1.2 should be called even though
7046 * we have no ticket yet, because it gets called with a status of
7047 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7048 * actually send any ticket data). This does not happen in TLSv1.3 because
7049 * it is not valid to send empty ticket data in TLSv1.3.
7051 if (!TEST_int_eq(gen_tick_called, 1)
7052 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7055 gen_tick_called = dec_tick_called = 0;
7057 clntsess = SSL_get1_session(clientssl);
7058 SSL_shutdown(clientssl);
7059 SSL_shutdown(serverssl);
7060 SSL_free(serverssl);
7061 SSL_free(clientssl);
7062 serverssl = clientssl = NULL;
7064 /* Now do a resumption */
7065 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7067 || !TEST_true(SSL_set_session(clientssl, clntsess))
7068 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7072 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7073 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7074 if (!TEST_false(SSL_session_reused(clientssl)))
7077 if (!TEST_true(SSL_session_reused(clientssl)))
7081 if (!TEST_int_eq(gen_tick_called,
7083 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7084 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7086 || !TEST_int_eq(dec_tick_called, 1))
7092 SSL_SESSION_free(clntsess);
7093 SSL_free(serverssl);
7094 SSL_free(clientssl);
7102 * Test incorrect shutdown.
7103 * Test 0: client does not shutdown properly,
7104 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7105 * server should get SSL_ERROR_SSL
7106 * Test 1: client does not shutdown properly,
7107 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7108 * server should get SSL_ERROR_ZERO_RETURN
7110 static int test_incorrect_shutdown(int tst)
7112 SSL_CTX *cctx = NULL, *sctx = NULL;
7113 SSL *clientssl = NULL, *serverssl = NULL;
7118 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7119 TLS_client_method(), 0, 0,
7120 &sctx, &cctx, cert, privkey)))
7124 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7126 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7130 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7134 c2s = SSL_get_rbio(serverssl);
7135 BIO_set_mem_eof_return(c2s, 0);
7137 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7140 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7142 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7148 SSL_free(serverssl);
7149 SSL_free(clientssl);
7157 * Test bi-directional shutdown.
7159 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7160 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7161 * Test 3: TLSv1.3, pending NewSessionTicket messages
7162 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7163 * sends key update, client reads it
7164 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7165 * sends CertificateRequest, client reads and ignores it
7166 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7169 static int test_shutdown(int tst)
7171 SSL_CTX *cctx = NULL, *sctx = NULL;
7172 SSL *clientssl = NULL, *serverssl = NULL;
7174 char msg[] = "A test message";
7176 size_t written, readbytes;
7179 #ifdef OPENSSL_NO_TLS1_2
7183 #ifdef OPENSSL_NO_TLS1_3
7188 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7189 TLS_client_method(),
7191 (tst <= 1) ? TLS1_2_VERSION
7193 &sctx, &cctx, cert, privkey)))
7197 SSL_CTX_set_post_handshake_auth(cctx, 1);
7199 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7204 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7206 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7207 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7209 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7211 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7212 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7216 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7221 * Reading on the server after the client has sent close_notify should
7222 * fail and provide SSL_ERROR_ZERO_RETURN
7224 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7225 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7226 SSL_ERROR_ZERO_RETURN)
7227 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7228 SSL_RECEIVED_SHUTDOWN)
7230 * Even though we're shutdown on receive we should still be
7233 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7236 && !TEST_true(SSL_key_update(serverssl,
7237 SSL_KEY_UPDATE_REQUESTED)))
7240 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7241 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7244 if ((tst == 4 || tst == 5)
7245 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7247 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7249 if (tst == 4 || tst == 5) {
7250 /* Should still be able to read data from server */
7251 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7253 || !TEST_size_t_eq(readbytes, sizeof(msg))
7254 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7255 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7257 || !TEST_size_t_eq(readbytes, sizeof(msg))
7258 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7263 /* Writing on the client after sending close_notify shouldn't be possible */
7264 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7269 * For these tests the client has sent close_notify but it has not yet
7270 * been received by the server. The server has not sent close_notify
7273 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7275 * Writing on the server after sending close_notify shouldn't
7278 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7279 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7280 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7281 || !TEST_true(SSL_SESSION_is_resumable(sess))
7282 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7284 } else if (tst == 4 || tst == 5) {
7286 * In this test the client has sent close_notify and it has been
7287 * received by the server which has responded with a close_notify. The
7288 * client needs to read the close_notify sent by the server.
7290 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7291 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7292 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7298 * The client has sent close_notify and is expecting a close_notify
7299 * back, but instead there is application data first. The shutdown
7300 * should fail with a fatal error.
7302 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7303 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7310 SSL_free(serverssl);
7311 SSL_free(clientssl);
7318 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7319 static int cert_cb_cnt;
7321 static int cert_cb(SSL *s, void *arg)
7323 SSL_CTX *ctx = (SSL_CTX *)arg;
7325 EVP_PKEY *pkey = NULL;
7326 X509 *x509 = NULL, *rootx = NULL;
7327 STACK_OF(X509) *chain = NULL;
7328 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7331 if (cert_cb_cnt == 0) {
7332 /* Suspend the handshake */
7335 } else if (cert_cb_cnt == 1) {
7337 * Update the SSL_CTX, set the certificate and private key and then
7338 * continue the handshake normally.
7340 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7343 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7344 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7346 || !TEST_true(SSL_check_private_key(s)))
7350 } else if (cert_cb_cnt == 3) {
7353 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7354 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7355 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7356 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7358 chain = sk_X509_new_null();
7359 if (!TEST_ptr(chain))
7361 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7362 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7363 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
7364 || !TEST_true(sk_X509_push(chain, rootx)))
7368 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7369 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7370 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
7373 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7374 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7375 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
7377 rv = SSL_check_chain(s, x509, pkey, chain);
7379 * If the cert doesn't show as valid here (e.g., because we don't
7380 * have any shared sigalgs), then we will not set it, and there will
7381 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7382 * will cause tls_choose_sigalgs() to fail the connection.
7384 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7385 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7386 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7393 /* Abort the handshake */
7395 OPENSSL_free(ecdsacert);
7396 OPENSSL_free(ecdsakey);
7397 OPENSSL_free(rootfile);
7399 EVP_PKEY_free(pkey);
7402 sk_X509_pop_free(chain, X509_free);
7407 * Test the certificate callback.
7408 * Test 0: Callback fails
7409 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7410 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7411 * Test 3: Success - Call SSL_check_chain from the callback
7412 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7414 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7416 static int test_cert_cb_int(int prot, int tst)
7418 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7419 SSL *clientssl = NULL, *serverssl = NULL;
7420 int testresult = 0, ret;
7422 #ifdef OPENSSL_NO_EC
7423 /* We use an EC cert in these tests, so we skip in a no-ec build */
7428 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7429 TLS_client_method(),
7432 &sctx, &cctx, NULL, NULL)))
7443 snictx = SSL_CTX_new(TLS_server_method());
7444 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7446 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7452 * We cause SSL_check_chain() to fail by specifying sig_algs that
7453 * the chain doesn't meet (the root uses an RSA cert)
7455 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7456 "ecdsa_secp256r1_sha256")))
7458 } else if (tst == 5) {
7460 * We cause SSL_check_chain() to fail by specifying sig_algs that
7461 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7463 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7464 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7468 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7469 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7471 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7478 SSL_free(serverssl);
7479 SSL_free(clientssl);
7482 SSL_CTX_free(snictx);
7488 static int test_cert_cb(int tst)
7492 #ifndef OPENSSL_NO_TLS1_2
7493 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7495 #ifndef OPENSSL_NO_TLS1_3
7496 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7502 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7508 /* Check that SSL_get_peer_certificate() returns something sensible */
7509 peer = SSL_get_peer_certificate(ssl);
7510 if (!TEST_ptr(peer))
7514 in = BIO_new_file(cert, "r");
7518 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
7520 if (!TEST_ptr(xcert))
7523 in = BIO_new_file(privkey, "r");
7524 if (!TEST_ptr(in)) {
7529 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
7531 if (!TEST_ptr(privpkey)) {
7542 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7547 static int test_client_cert_cb(int tst)
7549 SSL_CTX *cctx = NULL, *sctx = NULL;
7550 SSL *clientssl = NULL, *serverssl = NULL;
7553 #ifdef OPENSSL_NO_TLS1_2
7557 #ifdef OPENSSL_NO_TLS1_3
7562 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7563 TLS_client_method(),
7565 tst == 0 ? TLS1_2_VERSION
7567 &sctx, &cctx, cert, privkey)))
7571 * Test that setting a client_cert_cb results in a client certificate being
7574 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7575 SSL_CTX_set_verify(sctx,
7576 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7581 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7588 SSL_free(serverssl);
7589 SSL_free(clientssl);
7596 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7598 * Test setting certificate authorities on both client and server.
7600 * Test 0: SSL_CTX_set0_CA_list() only
7601 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7602 * Test 2: Only SSL_CTX_set_client_CA_list()
7604 static int test_ca_names_int(int prot, int tst)
7606 SSL_CTX *cctx = NULL, *sctx = NULL;
7607 SSL *clientssl = NULL, *serverssl = NULL;
7610 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7611 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7612 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7613 const STACK_OF(X509_NAME) *sktmp = NULL;
7615 for (i = 0; i < OSSL_NELEM(name); i++) {
7616 name[i] = X509_NAME_new();
7617 if (!TEST_ptr(name[i])
7618 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7626 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7627 TLS_client_method(),
7630 &sctx, &cctx, cert, privkey)))
7633 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7635 if (tst == 0 || tst == 1) {
7636 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7637 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7638 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7639 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7640 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7641 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7644 SSL_CTX_set0_CA_list(sctx, sk1);
7645 SSL_CTX_set0_CA_list(cctx, sk2);
7648 if (tst == 1 || tst == 2) {
7649 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7650 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7651 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7652 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7653 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7654 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7657 SSL_CTX_set_client_CA_list(sctx, sk1);
7658 SSL_CTX_set_client_CA_list(cctx, sk2);
7662 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7664 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7669 * We only expect certificate authorities to have been sent to the server
7670 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7672 sktmp = SSL_get0_peer_CA_list(serverssl);
7673 if (prot == TLS1_3_VERSION
7674 && (tst == 0 || tst == 1)) {
7675 if (!TEST_ptr(sktmp)
7676 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7677 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7679 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7682 } else if (!TEST_ptr_null(sktmp)) {
7687 * In all tests we expect certificate authorities to have been sent to the
7688 * client. However, SSL_set_client_CA_list() should override
7689 * SSL_set0_CA_list()
7691 sktmp = SSL_get0_peer_CA_list(clientssl);
7692 if (!TEST_ptr(sktmp)
7693 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7694 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7695 name[tst == 0 ? 0 : 2]), 0)
7696 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7697 name[tst == 0 ? 1 : 3]), 0))
7703 SSL_free(serverssl);
7704 SSL_free(clientssl);
7707 for (i = 0; i < OSSL_NELEM(name); i++)
7708 X509_NAME_free(name[i]);
7709 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7710 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7716 static int test_ca_names(int tst)
7720 #ifndef OPENSSL_NO_TLS1_2
7721 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7723 #ifndef OPENSSL_NO_TLS1_3
7724 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7730 #ifndef OPENSSL_NO_TLS1_2
7731 static const char *multiblock_cipherlist_data[]=
7739 /* Reduce the fragment size - so the multiblock test buffer can be small */
7740 # define MULTIBLOCK_FRAGSIZE 512
7742 static int test_multiblock_write(int test_index)
7744 static const char *fetchable_ciphers[]=
7746 "AES-128-CBC-HMAC-SHA1",
7747 "AES-128-CBC-HMAC-SHA256",
7748 "AES-256-CBC-HMAC-SHA1",
7749 "AES-256-CBC-HMAC-SHA256"
7751 const char *cipherlist = multiblock_cipherlist_data[test_index];
7752 const SSL_METHOD *smeth = TLS_server_method();
7753 const SSL_METHOD *cmeth = TLS_client_method();
7754 int min_version = TLS1_VERSION;
7755 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7756 SSL_CTX *cctx = NULL, *sctx = NULL;
7757 SSL *clientssl = NULL, *serverssl = NULL;
7761 * Choose a buffer large enough to perform a multi-block operation
7762 * i.e: write_len >= 4 * frag_size
7763 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7765 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7766 unsigned char buf[sizeof(msg)], *p = buf;
7767 size_t readbytes, written, len;
7768 EVP_CIPHER *ciph = NULL;
7771 * Check if the cipher exists before attempting to use it since it only has
7772 * a hardware specific implementation.
7774 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7776 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7779 EVP_CIPHER_free(ciph);
7781 /* Set up a buffer with some data that will be sent to the client */
7782 RAND_bytes(msg, sizeof(msg));
7784 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7785 max_version, &sctx, &cctx, cert,
7789 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7792 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7796 /* settings to force it to use AES-CBC-HMAC_SHA */
7797 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7798 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7801 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7804 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7805 || !TEST_size_t_eq(written, sizeof(msg)))
7810 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7815 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7820 SSL_free(serverssl);
7821 SSL_free(clientssl);
7827 #endif /* OPENSSL_NO_TLS1_2 */
7830 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7831 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7832 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7833 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7834 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7835 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7836 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7837 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7838 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7839 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7841 static int test_servername(int tst)
7843 SSL_CTX *cctx = NULL, *sctx = NULL;
7844 SSL *clientssl = NULL, *serverssl = NULL;
7846 SSL_SESSION *sess = NULL;
7847 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7849 #ifdef OPENSSL_NO_TLS1_2
7853 #ifdef OPENSSL_NO_TLS1_3
7858 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7859 TLS_client_method(),
7861 (tst <= 4) ? TLS1_2_VERSION
7863 &sctx, &cctx, cert, privkey))
7864 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7868 if (tst != 1 && tst != 6) {
7869 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7874 if (tst != 3 && tst != 8) {
7875 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7877 sexpectedhost = cexpectedhost = "goodhost";
7880 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7883 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7885 || !TEST_str_eq(SSL_get_servername(serverssl,
7886 TLSEXT_NAMETYPE_host_name),
7890 /* Now repeat with a resumption handshake */
7892 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7893 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7894 || !TEST_true(SSL_SESSION_is_resumable(sess))
7895 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7898 SSL_free(clientssl);
7899 SSL_free(serverssl);
7900 clientssl = serverssl = NULL;
7902 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7906 if (!TEST_true(SSL_set_session(clientssl, sess)))
7909 sexpectedhost = cexpectedhost = "goodhost";
7910 if (tst == 2 || tst == 7) {
7911 /* Set an inconsistent hostname */
7912 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7915 * In TLSv1.2 we expect the hostname from the original handshake, in
7916 * TLSv1.3 we expect the hostname from this handshake
7919 sexpectedhost = cexpectedhost = "altgoodhost";
7921 if (!TEST_str_eq(SSL_get_servername(clientssl,
7922 TLSEXT_NAMETYPE_host_name),
7925 } else if (tst == 4 || tst == 9) {
7927 * A TLSv1.3 session does not associate a session with a servername,
7928 * but a TLSv1.2 session does.
7931 sexpectedhost = cexpectedhost = NULL;
7933 if (!TEST_str_eq(SSL_get_servername(clientssl,
7934 TLSEXT_NAMETYPE_host_name),
7938 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7941 * In a TLSv1.2 resumption where the hostname was not acknowledged
7942 * we expect the hostname on the server to be empty. On the client we
7943 * return what was requested in this case.
7945 * Similarly if the client didn't set a hostname on an original TLSv1.2
7946 * session but is now, the server hostname will be empty, but the client
7949 if (tst == 1 || tst == 3)
7950 sexpectedhost = NULL;
7952 if (!TEST_str_eq(SSL_get_servername(clientssl,
7953 TLSEXT_NAMETYPE_host_name),
7958 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7961 if (!TEST_true(SSL_session_reused(clientssl))
7962 || !TEST_true(SSL_session_reused(serverssl))
7963 || !TEST_str_eq(SSL_get_servername(clientssl,
7964 TLSEXT_NAMETYPE_host_name),
7966 || !TEST_str_eq(SSL_get_servername(serverssl,
7967 TLSEXT_NAMETYPE_host_name),
7974 SSL_SESSION_free(sess);
7975 SSL_free(serverssl);
7976 SSL_free(clientssl);
7983 #ifndef OPENSSL_NO_EC
7985 * Test that if signature algorithms are not available, then we do not offer or
7987 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7988 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7989 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7990 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7991 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7992 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7994 static int test_sigalgs_available(int idx)
7996 SSL_CTX *cctx = NULL, *sctx = NULL;
7997 SSL *clientssl = NULL, *serverssl = NULL;
7999 OPENSSL_CTX *tmpctx = OPENSSL_CTX_new();
8000 OPENSSL_CTX *clientctx = libctx, *serverctx = libctx;
8001 OSSL_PROVIDER *filterprov = NULL;
8004 if (!TEST_ptr(tmpctx))
8007 if (idx != 0 && idx != 3) {
8008 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8009 filter_provider_init)))
8012 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8013 if (!TEST_ptr(filterprov))
8018 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8019 * or accepted for the peer that uses this libctx. Note that libssl
8020 * *requires* SHA2-256 to be available so we cannot disable that. We
8021 * also need SHA1 for our certificate.
8023 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8027 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8029 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8034 if (idx == 1 || idx == 4)
8040 cctx = SSL_CTX_new_with_libctx(clientctx, NULL, TLS_client_method());
8041 sctx = SSL_CTX_new_with_libctx(serverctx, NULL, TLS_server_method());
8043 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8044 TLS_client_method(),
8047 &sctx, &cctx, cert, privkey)))
8051 if (!SSL_CTX_set1_sigalgs_list(cctx,
8052 "rsa_pss_rsae_sha384"
8053 ":rsa_pss_rsae_sha256")
8054 || !SSL_CTX_set1_sigalgs_list(sctx,
8055 "rsa_pss_rsae_sha384"
8056 ":rsa_pss_rsae_sha256"))
8059 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8060 || !SSL_CTX_set1_sigalgs_list(sctx,
8061 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8065 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8066 SSL_FILETYPE_PEM), 1)
8067 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8069 SSL_FILETYPE_PEM), 1)
8070 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
8073 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8077 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8080 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8081 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8083 (idx == 0 || idx == 3) ? 2 : 1))
8086 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8089 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8096 SSL_free(serverssl);
8097 SSL_free(clientssl);
8100 OSSL_PROVIDER_unload(filterprov);
8101 OPENSSL_CTX_free(tmpctx);
8105 #endif /* OPENSSL_NO_EC */
8108 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
8110 int setup_tests(void)
8115 libctx = OPENSSL_CTX_new();
8116 if (!TEST_ptr(libctx))
8119 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8122 * Verify that the default and fips providers in the default libctx are not
8125 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8126 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8129 if (!test_skip_common_options()) {
8130 TEST_error("Error parsing test options\n");
8134 if (!TEST_ptr(certsdir = test_get_argument(0))
8135 || !TEST_ptr(srpvfile = test_get_argument(1))
8136 || !TEST_ptr(tmpfilename = test_get_argument(2))
8137 || !TEST_ptr(modulename = test_get_argument(3))
8138 || !TEST_ptr(configfile = test_get_argument(4)))
8141 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
8144 /* Check we have the expected provider available */
8145 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8148 /* Check the default provider is not available */
8149 if (strcmp(modulename, "default") != 0
8150 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
8153 if (strcmp(modulename, "fips") == 0)
8156 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8157 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
8158 TEST_error("not supported in this build");
8161 int i, mcount, rcount, fcount;
8163 for (i = 0; i < 4; i++)
8164 test_export_key_mat(i);
8165 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8166 test_printf_stdout("malloc %d realloc %d free %d\n",
8167 mcount, rcount, fcount);
8172 cert = test_mk_file_path(certsdir, "servercert.pem");
8176 privkey = test_mk_file_path(certsdir, "serverkey.pem");
8177 if (privkey == NULL)
8180 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8184 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8185 if (privkey2 == NULL)
8188 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8189 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
8190 ADD_ALL_TESTS(test_ktls, 32);
8191 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
8194 ADD_TEST(test_large_message_tls);
8195 ADD_TEST(test_large_message_tls_read_ahead);
8196 #ifndef OPENSSL_NO_DTLS
8197 ADD_TEST(test_large_message_dtls);
8199 #ifndef OPENSSL_NO_OCSP
8200 ADD_TEST(test_tlsext_status_type);
8202 ADD_TEST(test_session_with_only_int_cache);
8203 ADD_TEST(test_session_with_only_ext_cache);
8204 ADD_TEST(test_session_with_both_cache);
8205 ADD_TEST(test_session_wo_ca_names);
8206 #ifndef OPENSSL_NO_TLS1_3
8207 ADD_ALL_TESTS(test_stateful_tickets, 3);
8208 ADD_ALL_TESTS(test_stateless_tickets, 3);
8209 ADD_TEST(test_psk_tickets);
8210 ADD_ALL_TESTS(test_extra_tickets, 6);
8212 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
8213 ADD_TEST(test_ssl_bio_pop_next_bio);
8214 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8215 ADD_TEST(test_ssl_bio_change_rbio);
8216 ADD_TEST(test_ssl_bio_change_wbio);
8217 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
8218 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
8219 ADD_TEST(test_keylog);
8221 #ifndef OPENSSL_NO_TLS1_3
8222 ADD_TEST(test_keylog_no_master_key);
8224 #ifndef OPENSSL_NO_TLS1_2
8225 ADD_TEST(test_client_hello_cb);
8226 ADD_TEST(test_no_ems);
8227 ADD_TEST(test_ccs_change_cipher);
8229 #ifndef OPENSSL_NO_TLS1_3
8230 ADD_ALL_TESTS(test_early_data_read_write, 3);
8232 * We don't do replay tests for external PSK. Replay protection isn't used
8235 ADD_ALL_TESTS(test_early_data_replay, 2);
8236 ADD_ALL_TESTS(test_early_data_skip, 3);
8237 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
8238 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
8239 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
8240 ADD_ALL_TESTS(test_early_data_not_sent, 3);
8241 ADD_ALL_TESTS(test_early_data_psk, 8);
8242 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
8243 ADD_ALL_TESTS(test_early_data_not_expected, 3);
8244 # ifndef OPENSSL_NO_TLS1_2
8245 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
8248 #ifndef OPENSSL_NO_TLS1_3
8249 ADD_ALL_TESTS(test_set_ciphersuite, 10);
8250 ADD_TEST(test_ciphersuite_change);
8251 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8252 # ifdef OPENSSL_NO_PSK
8253 ADD_ALL_TESTS(test_tls13_psk, 1);
8255 ADD_ALL_TESTS(test_tls13_psk, 4);
8256 # endif /* OPENSSL_NO_PSK */
8257 # ifndef OPENSSL_NO_TLS1_2
8258 /* Test with both TLSv1.3 and 1.2 versions */
8259 ADD_ALL_TESTS(test_key_exchange, 14);
8261 /* Test with only TLSv1.3 versions */
8262 ADD_ALL_TESTS(test_key_exchange, 12);
8264 ADD_ALL_TESTS(test_custom_exts, 5);
8265 ADD_TEST(test_stateless);
8266 ADD_TEST(test_pha_key_update);
8268 ADD_ALL_TESTS(test_custom_exts, 3);
8270 ADD_ALL_TESTS(test_serverinfo, 8);
8271 ADD_ALL_TESTS(test_export_key_mat, 6);
8272 #ifndef OPENSSL_NO_TLS1_3
8273 ADD_ALL_TESTS(test_export_key_mat_early, 3);
8274 ADD_TEST(test_key_update);
8275 ADD_ALL_TESTS(test_key_update_in_write, 2);
8277 ADD_ALL_TESTS(test_ssl_clear, 2);
8278 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
8279 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8280 ADD_ALL_TESTS(test_srp, 6);
8282 ADD_ALL_TESTS(test_info_callback, 6);
8283 ADD_ALL_TESTS(test_ssl_pending, 2);
8284 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
8285 ADD_ALL_TESTS(test_ticket_callbacks, 16);
8286 ADD_ALL_TESTS(test_shutdown, 7);
8287 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
8288 ADD_ALL_TESTS(test_cert_cb, 6);
8289 ADD_ALL_TESTS(test_client_cert_cb, 2);
8290 ADD_ALL_TESTS(test_ca_names, 3);
8291 #ifndef OPENSSL_NO_TLS1_2
8292 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8294 ADD_ALL_TESTS(test_servername, 10);
8295 #ifndef OPENSSL_NO_EC
8296 ADD_ALL_TESTS(test_sigalgs_available, 6);
8302 OPENSSL_free(privkey);
8303 OPENSSL_free(cert2);
8304 OPENSSL_free(privkey2);
8308 void cleanup_tests(void)
8311 OPENSSL_free(privkey);
8312 OPENSSL_free(cert2);
8313 OPENSSL_free(privkey2);
8314 bio_s_mempacket_test_free();
8315 bio_s_always_retry_free();
8316 OSSL_PROVIDER_unload(defctxnull);
8317 OPENSSL_CTX_free(libctx);