2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
32 #include "ssltestlib.h"
34 #include "testutil/output.h"
35 #include "internal/nelem.h"
36 #include "internal/ktls.h"
37 #include "../ssl/ssl_local.h"
39 #ifndef OPENSSL_NO_TLS1_3
41 static SSL_SESSION *clientpsk = NULL;
42 static SSL_SESSION *serverpsk = NULL;
43 static const char *pskid = "Identity";
44 static const char *srvid;
46 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
47 size_t *idlen, SSL_SESSION **sess);
48 static int find_session_cb(SSL *ssl, const unsigned char *identity,
49 size_t identity_len, SSL_SESSION **sess);
51 static int use_session_cb_cnt = 0;
52 static int find_session_cb_cnt = 0;
54 static SSL_SESSION *create_a_psk(SSL *ssl);
57 static char *certsdir = NULL;
58 static char *cert = NULL;
59 static char *privkey = NULL;
60 static char *srpvfile = NULL;
61 static char *tmpfilename = NULL;
63 #define LOG_BUFFER_SIZE 2048
64 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
65 static size_t server_log_buffer_index = 0;
66 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
67 static size_t client_log_buffer_index = 0;
68 static int error_writing_log = 0;
70 #ifndef OPENSSL_NO_OCSP
71 static const unsigned char orespder[] = "Dummy OCSP Response";
72 static int ocsp_server_called = 0;
73 static int ocsp_client_called = 0;
75 static int cdummyarg = 1;
76 static X509 *ocspcert = NULL;
79 #define NUM_EXTRA_CERTS 40
80 #define CLIENT_VERSION_LEN 2
83 * This structure is used to validate that the correct number of log messages
84 * of various types are emitted when emitting secret logs.
86 struct sslapitest_log_counts {
87 unsigned int rsa_key_exchange_count;
88 unsigned int master_secret_count;
89 unsigned int client_early_secret_count;
90 unsigned int client_handshake_secret_count;
91 unsigned int server_handshake_secret_count;
92 unsigned int client_application_secret_count;
93 unsigned int server_application_secret_count;
94 unsigned int early_exporter_secret_count;
95 unsigned int exporter_secret_count;
99 static unsigned char serverinfov1[] = {
100 0xff, 0xff, /* Dummy extension type */
101 0x00, 0x01, /* Extension length is 1 byte */
102 0xff /* Dummy extension data */
105 static unsigned char serverinfov2[] = {
107 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
108 0xff, 0xff, /* Dummy extension type */
109 0x00, 0x01, /* Extension length is 1 byte */
110 0xff /* Dummy extension data */
113 static int hostname_cb(SSL *s, int *al, void *arg)
115 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
117 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
118 || strcmp(hostname, "altgoodhost") == 0))
119 return SSL_TLSEXT_ERR_OK;
121 return SSL_TLSEXT_ERR_NOACK;
124 static void client_keylog_callback(const SSL *ssl, const char *line)
126 int line_length = strlen(line);
128 /* If the log doesn't fit, error out. */
129 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
130 TEST_info("Client log too full");
131 error_writing_log = 1;
135 strcat(client_log_buffer, line);
136 client_log_buffer_index += line_length;
137 client_log_buffer[client_log_buffer_index++] = '\n';
140 static void server_keylog_callback(const SSL *ssl, const char *line)
142 int line_length = strlen(line);
144 /* If the log doesn't fit, error out. */
145 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
146 TEST_info("Server log too full");
147 error_writing_log = 1;
151 strcat(server_log_buffer, line);
152 server_log_buffer_index += line_length;
153 server_log_buffer[server_log_buffer_index++] = '\n';
156 static int compare_hex_encoded_buffer(const char *hex_encoded,
164 if (!TEST_size_t_eq(raw_length * 2, hex_length))
167 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
168 sprintf(hexed, "%02x", raw[i]);
169 if (!TEST_int_eq(hexed[0], hex_encoded[j])
170 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
177 static int test_keylog_output(char *buffer, const SSL *ssl,
178 const SSL_SESSION *session,
179 struct sslapitest_log_counts *expected)
182 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
183 size_t client_random_size = SSL3_RANDOM_SIZE;
184 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
185 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
186 unsigned int rsa_key_exchange_count = 0;
187 unsigned int master_secret_count = 0;
188 unsigned int client_early_secret_count = 0;
189 unsigned int client_handshake_secret_count = 0;
190 unsigned int server_handshake_secret_count = 0;
191 unsigned int client_application_secret_count = 0;
192 unsigned int server_application_secret_count = 0;
193 unsigned int early_exporter_secret_count = 0;
194 unsigned int exporter_secret_count = 0;
196 for (token = strtok(buffer, " \n"); token != NULL;
197 token = strtok(NULL, " \n")) {
198 if (strcmp(token, "RSA") == 0) {
200 * Premaster secret. Tokens should be: 16 ASCII bytes of
201 * hex-encoded encrypted secret, then the hex-encoded pre-master
204 if (!TEST_ptr(token = strtok(NULL, " \n")))
206 if (!TEST_size_t_eq(strlen(token), 16))
208 if (!TEST_ptr(token = strtok(NULL, " \n")))
211 * We can't sensibly check the log because the premaster secret is
212 * transient, and OpenSSL doesn't keep hold of it once the master
213 * secret is generated.
215 rsa_key_exchange_count++;
216 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
218 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
219 * client random, then the hex-encoded master secret.
221 client_random_size = SSL_get_client_random(ssl,
222 actual_client_random,
224 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
227 if (!TEST_ptr(token = strtok(NULL, " \n")))
229 if (!TEST_size_t_eq(strlen(token), 64))
231 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
232 actual_client_random,
233 client_random_size)))
236 if (!TEST_ptr(token = strtok(NULL, " \n")))
238 master_key_size = SSL_SESSION_get_master_key(session,
241 if (!TEST_size_t_ne(master_key_size, 0))
243 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
247 master_secret_count++;
248 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
249 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
250 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
251 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
252 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
253 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
254 || strcmp(token, "EXPORTER_SECRET") == 0) {
256 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
257 * client random, and then the hex-encoded secret. In this case,
258 * we treat all of these secrets identically and then just
259 * distinguish between them when counting what we saw.
261 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
262 client_early_secret_count++;
263 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
264 client_handshake_secret_count++;
265 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
266 server_handshake_secret_count++;
267 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
268 client_application_secret_count++;
269 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
270 server_application_secret_count++;
271 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
272 early_exporter_secret_count++;
273 else if (strcmp(token, "EXPORTER_SECRET") == 0)
274 exporter_secret_count++;
276 client_random_size = SSL_get_client_random(ssl,
277 actual_client_random,
279 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
282 if (!TEST_ptr(token = strtok(NULL, " \n")))
284 if (!TEST_size_t_eq(strlen(token), 64))
286 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
287 actual_client_random,
288 client_random_size)))
291 if (!TEST_ptr(token = strtok(NULL, " \n")))
295 * TODO(TLS1.3): test that application traffic secrets are what
298 TEST_info("Unexpected token %s\n", token);
303 /* Got what we expected? */
304 if (!TEST_size_t_eq(rsa_key_exchange_count,
305 expected->rsa_key_exchange_count)
306 || !TEST_size_t_eq(master_secret_count,
307 expected->master_secret_count)
308 || !TEST_size_t_eq(client_early_secret_count,
309 expected->client_early_secret_count)
310 || !TEST_size_t_eq(client_handshake_secret_count,
311 expected->client_handshake_secret_count)
312 || !TEST_size_t_eq(server_handshake_secret_count,
313 expected->server_handshake_secret_count)
314 || !TEST_size_t_eq(client_application_secret_count,
315 expected->client_application_secret_count)
316 || !TEST_size_t_eq(server_application_secret_count,
317 expected->server_application_secret_count)
318 || !TEST_size_t_eq(early_exporter_secret_count,
319 expected->early_exporter_secret_count)
320 || !TEST_size_t_eq(exporter_secret_count,
321 expected->exporter_secret_count))
326 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
327 static int test_keylog(void)
329 SSL_CTX *cctx = NULL, *sctx = NULL;
330 SSL *clientssl = NULL, *serverssl = NULL;
332 struct sslapitest_log_counts expected;
334 /* Clean up logging space */
335 memset(&expected, 0, sizeof(expected));
336 memset(client_log_buffer, 0, sizeof(client_log_buffer));
337 memset(server_log_buffer, 0, sizeof(server_log_buffer));
338 client_log_buffer_index = 0;
339 server_log_buffer_index = 0;
340 error_writing_log = 0;
342 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
345 &sctx, &cctx, cert, privkey)))
348 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
349 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
350 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
352 /* We also want to ensure that we use RSA-based key exchange. */
353 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
356 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
357 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
359 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
360 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
361 == client_keylog_callback))
363 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
364 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
365 == server_keylog_callback))
368 /* Now do a handshake and check that the logs have been written to. */
369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
370 &clientssl, NULL, NULL))
371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
373 || !TEST_false(error_writing_log)
374 || !TEST_int_gt(client_log_buffer_index, 0)
375 || !TEST_int_gt(server_log_buffer_index, 0))
379 * Now we want to test that our output data was vaguely sensible. We
380 * do that by using strtok and confirming that we have more or less the
381 * data we expect. For both client and server, we expect to see one master
382 * secret. The client should also see a RSA key exchange.
384 expected.rsa_key_exchange_count = 1;
385 expected.master_secret_count = 1;
386 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
387 SSL_get_session(clientssl), &expected)))
390 expected.rsa_key_exchange_count = 0;
391 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
392 SSL_get_session(serverssl), &expected)))
407 #ifndef OPENSSL_NO_TLS1_3
408 static int test_keylog_no_master_key(void)
410 SSL_CTX *cctx = NULL, *sctx = NULL;
411 SSL *clientssl = NULL, *serverssl = NULL;
412 SSL_SESSION *sess = NULL;
414 struct sslapitest_log_counts expected;
415 unsigned char buf[1];
416 size_t readbytes, written;
418 /* Clean up logging space */
419 memset(&expected, 0, sizeof(expected));
420 memset(client_log_buffer, 0, sizeof(client_log_buffer));
421 memset(server_log_buffer, 0, sizeof(server_log_buffer));
422 client_log_buffer_index = 0;
423 server_log_buffer_index = 0;
424 error_writing_log = 0;
426 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
428 &sctx, &cctx, cert, privkey))
429 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
430 SSL3_RT_MAX_PLAIN_LENGTH)))
433 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
434 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
437 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
438 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
439 == client_keylog_callback))
442 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
443 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
444 == server_keylog_callback))
447 /* Now do a handshake and check that the logs have been written to. */
448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
449 &clientssl, NULL, NULL))
450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
452 || !TEST_false(error_writing_log))
456 * Now we want to test that our output data was vaguely sensible. For this
457 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
458 * TLSv1.3, but we do expect both client and server to emit keys.
460 expected.client_handshake_secret_count = 1;
461 expected.server_handshake_secret_count = 1;
462 expected.client_application_secret_count = 1;
463 expected.server_application_secret_count = 1;
464 expected.exporter_secret_count = 1;
465 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
466 SSL_get_session(clientssl), &expected))
467 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
468 SSL_get_session(serverssl),
472 /* Terminate old session and resume with early data. */
473 sess = SSL_get1_session(clientssl);
474 SSL_shutdown(clientssl);
475 SSL_shutdown(serverssl);
478 serverssl = clientssl = NULL;
481 memset(client_log_buffer, 0, sizeof(client_log_buffer));
482 memset(server_log_buffer, 0, sizeof(server_log_buffer));
483 client_log_buffer_index = 0;
484 server_log_buffer_index = 0;
486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
487 &clientssl, NULL, NULL))
488 || !TEST_true(SSL_set_session(clientssl, sess))
489 /* Here writing 0 length early data is enough. */
490 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
491 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
493 SSL_READ_EARLY_DATA_ERROR)
494 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
495 SSL_EARLY_DATA_ACCEPTED)
496 || !TEST_true(create_ssl_connection(serverssl, clientssl,
498 || !TEST_true(SSL_session_reused(clientssl)))
501 /* In addition to the previous entries, expect early secrets. */
502 expected.client_early_secret_count = 1;
503 expected.early_exporter_secret_count = 1;
504 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
505 SSL_get_session(clientssl), &expected))
506 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
507 SSL_get_session(serverssl),
514 SSL_SESSION_free(sess);
524 #ifndef OPENSSL_NO_TLS1_2
525 static int full_client_hello_callback(SSL *s, int *al, void *arg)
528 const unsigned char *p;
530 /* We only configure two ciphers, but the SCSV is added automatically. */
532 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
534 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
537 const int expected_extensions[] = {
538 #ifndef OPENSSL_NO_EC
544 /* Make sure we can defer processing and get called back. */
546 return SSL_CLIENT_HELLO_RETRY;
548 len = SSL_client_hello_get0_ciphers(s, &p);
549 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
551 SSL_client_hello_get0_compression_methods(s, &p), 1)
552 || !TEST_int_eq(*p, 0))
553 return SSL_CLIENT_HELLO_ERROR;
554 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
555 return SSL_CLIENT_HELLO_ERROR;
556 if (len != OSSL_NELEM(expected_extensions) ||
557 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
558 printf("ClientHello callback expected extensions mismatch\n");
560 return SSL_CLIENT_HELLO_ERROR;
563 return SSL_CLIENT_HELLO_SUCCESS;
566 static int test_client_hello_cb(void)
568 SSL_CTX *cctx = NULL, *sctx = NULL;
569 SSL *clientssl = NULL, *serverssl = NULL;
570 int testctr = 0, testresult = 0;
572 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
574 &sctx, &cctx, cert, privkey)))
576 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
578 /* The gimpy cipher list we configure can't do TLS 1.3. */
579 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
581 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
582 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
583 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
584 &clientssl, NULL, NULL))
585 || !TEST_false(create_ssl_connection(serverssl, clientssl,
586 SSL_ERROR_WANT_CLIENT_HELLO_CB))
588 * Passing a -1 literal is a hack since
589 * the real value was lost.
591 || !TEST_int_eq(SSL_get_error(serverssl, -1),
592 SSL_ERROR_WANT_CLIENT_HELLO_CB)
593 || !TEST_true(create_ssl_connection(serverssl, clientssl,
608 static int test_no_ems(void)
610 SSL_CTX *cctx = NULL, *sctx = NULL;
611 SSL *clientssl = NULL, *serverssl = NULL;
614 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
615 TLS1_VERSION, TLS1_2_VERSION,
616 &sctx, &cctx, cert, privkey)) {
617 printf("Unable to create SSL_CTX pair\n");
621 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
623 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
624 printf("Unable to create SSL objects\n");
628 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
629 printf("Creating SSL connection failed\n");
633 if (SSL_get_extms_support(serverssl)) {
634 printf("Server reports Extended Master Secret support\n");
638 if (SSL_get_extms_support(clientssl)) {
639 printf("Client reports Extended Master Secret support\n");
654 static int execute_test_large_message(const SSL_METHOD *smeth,
655 const SSL_METHOD *cmeth,
656 int min_version, int max_version,
659 SSL_CTX *cctx = NULL, *sctx = NULL;
660 SSL *clientssl = NULL, *serverssl = NULL;
664 X509 *chaincert = NULL;
667 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
669 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
672 if (!TEST_ptr(chaincert))
675 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
676 &sctx, &cctx, cert, privkey)))
681 * Test that read_ahead works correctly when dealing with large
684 SSL_CTX_set_read_ahead(cctx, 1);
688 * We assume the supplied certificate is big enough so that if we add
689 * NUM_EXTRA_CERTS it will make the overall message large enough. The
690 * default buffer size is requested to be 16k, but due to the way BUF_MEM
691 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
692 * test we need to have a message larger than that.
694 certlen = i2d_X509(chaincert, NULL);
695 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
696 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
697 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
698 if (!X509_up_ref(chaincert))
700 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
701 X509_free(chaincert);
706 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
708 || !TEST_true(create_ssl_connection(serverssl, clientssl,
713 * Calling SSL_clear() first is not required but this tests that SSL_clear()
716 if (!TEST_true(SSL_clear(serverssl)))
721 X509_free(chaincert);
730 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
731 && !defined(OPENSSL_NO_SOCK)
733 /* sock must be connected */
734 static int ktls_chk_platform(int sock)
736 if (!ktls_enable(sock))
741 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
743 static char count = 1;
744 unsigned char cbuf[16000] = {0};
745 unsigned char sbuf[16000];
747 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
748 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
749 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
750 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
751 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
752 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
753 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
754 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
757 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
758 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
759 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
760 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
761 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
762 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
763 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
764 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
766 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
769 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
770 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
775 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
778 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
779 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
784 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
785 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
786 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
787 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
788 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
789 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
790 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
791 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
793 /* verify the payload */
794 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
797 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
798 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
799 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
800 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
803 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
804 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
808 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
809 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
810 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
813 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
814 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
818 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
819 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
820 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
823 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
824 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
828 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
829 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
830 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
833 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
834 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
843 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
844 int sis_ktls_tx, int sis_ktls_rx)
846 SSL_CTX *cctx = NULL, *sctx = NULL;
847 SSL *clientssl = NULL, *serverssl = NULL;
851 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
854 /* Skip this test if the platform does not support ktls */
855 if (!ktls_chk_platform(cfd))
858 /* Create a session based on SHA-256 */
859 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
861 TLS1_2_VERSION, TLS1_2_VERSION,
862 &sctx, &cctx, cert, privkey))
863 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
864 "AES128-GCM-SHA256"))
865 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
866 &clientssl, sfd, cfd)))
870 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
875 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
880 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
885 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
889 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
894 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
897 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
902 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
905 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
910 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
913 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
918 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
921 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
925 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
931 SSL_shutdown(clientssl);
935 SSL_shutdown(serverssl);
940 serverssl = clientssl = NULL;
944 #define SENDFILE_SZ (16 * 4096)
945 #define SENDFILE_CHUNK (4 * 4096)
946 #define min(a,b) ((a) > (b) ? (b) : (a))
948 static int test_ktls_sendfile(void)
950 SSL_CTX *cctx = NULL, *sctx = NULL;
951 SSL *clientssl = NULL, *serverssl = NULL;
952 unsigned char *buf, *buf_dst;
953 BIO *out = NULL, *in = NULL;
954 int cfd, sfd, ffd, err;
955 ssize_t chunk_size = 0;
960 buf = OPENSSL_zalloc(SENDFILE_SZ);
961 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
962 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
963 || !TEST_true(create_test_sockets(&cfd, &sfd)))
966 /* Skip this test if the platform does not support ktls */
967 if (!ktls_chk_platform(sfd)) {
972 /* Create a session based on SHA-256 */
973 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
975 TLS1_2_VERSION, TLS1_2_VERSION,
976 &sctx, &cctx, cert, privkey))
977 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
978 "AES128-GCM-SHA256"))
979 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
980 &clientssl, sfd, cfd)))
983 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
985 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
988 RAND_bytes(buf, SENDFILE_SZ);
989 out = BIO_new_file(tmpfilename, "wb");
993 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
998 in = BIO_new_file(tmpfilename, "rb");
999 BIO_get_fp(in, &ffdp);
1002 while (chunk_off < SENDFILE_SZ) {
1003 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1004 while ((err = SSL_sendfile(serverssl,
1008 0)) != chunk_size) {
1009 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1012 while ((err = SSL_read(clientssl,
1013 buf_dst + chunk_off,
1014 chunk_size)) != chunk_size) {
1015 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1019 /* verify the payload */
1020 if (!TEST_mem_eq(buf_dst + chunk_off,
1026 chunk_off += chunk_size;
1032 SSL_shutdown(clientssl);
1033 SSL_free(clientssl);
1036 SSL_shutdown(serverssl);
1037 SSL_free(serverssl);
1041 serverssl = clientssl = NULL;
1045 OPENSSL_free(buf_dst);
1049 static int test_ktls_no_txrx_client_no_txrx_server(void)
1051 return execute_test_ktls(0, 0, 0, 0);
1054 static int test_ktls_no_rx_client_no_txrx_server(void)
1056 return execute_test_ktls(1, 0, 0, 0);
1059 static int test_ktls_no_tx_client_no_txrx_server(void)
1061 return execute_test_ktls(0, 1, 0, 0);
1064 static int test_ktls_client_no_txrx_server(void)
1066 return execute_test_ktls(1, 1, 0, 0);
1069 static int test_ktls_no_txrx_client_no_rx_server(void)
1071 return execute_test_ktls(0, 0, 1, 0);
1074 static int test_ktls_no_rx_client_no_rx_server(void)
1076 return execute_test_ktls(1, 0, 1, 0);
1079 static int test_ktls_no_tx_client_no_rx_server(void)
1081 return execute_test_ktls(0, 1, 1, 0);
1084 static int test_ktls_client_no_rx_server(void)
1086 return execute_test_ktls(1, 1, 1, 0);
1089 static int test_ktls_no_txrx_client_no_tx_server(void)
1091 return execute_test_ktls(0, 0, 0, 1);
1094 static int test_ktls_no_rx_client_no_tx_server(void)
1096 return execute_test_ktls(1, 0, 0, 1);
1099 static int test_ktls_no_tx_client_no_tx_server(void)
1101 return execute_test_ktls(0, 1, 0, 1);
1104 static int test_ktls_client_no_tx_server(void)
1106 return execute_test_ktls(1, 1, 0, 1);
1109 static int test_ktls_no_txrx_client_server(void)
1111 return execute_test_ktls(0, 0, 1, 1);
1114 static int test_ktls_no_rx_client_server(void)
1116 return execute_test_ktls(1, 0, 1, 1);
1119 static int test_ktls_no_tx_client_server(void)
1121 return execute_test_ktls(0, 1, 1, 1);
1124 static int test_ktls_client_server(void)
1126 return execute_test_ktls(1, 1, 1, 1);
1130 static int test_large_message_tls(void)
1132 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1133 TLS1_VERSION, 0, 0);
1136 static int test_large_message_tls_read_ahead(void)
1138 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1139 TLS1_VERSION, 0, 1);
1142 #ifndef OPENSSL_NO_DTLS
1143 static int test_large_message_dtls(void)
1146 * read_ahead is not relevant to DTLS because DTLS always acts as if
1147 * read_ahead is set.
1149 return execute_test_large_message(DTLS_server_method(),
1150 DTLS_client_method(),
1151 DTLS1_VERSION, 0, 0);
1155 #ifndef OPENSSL_NO_OCSP
1156 static int ocsp_server_cb(SSL *s, void *arg)
1158 int *argi = (int *)arg;
1159 unsigned char *copy = NULL;
1160 STACK_OF(OCSP_RESPID) *ids = NULL;
1161 OCSP_RESPID *id = NULL;
1164 /* In this test we are expecting exactly 1 OCSP_RESPID */
1165 SSL_get_tlsext_status_ids(s, &ids);
1166 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1167 return SSL_TLSEXT_ERR_ALERT_FATAL;
1169 id = sk_OCSP_RESPID_value(ids, 0);
1170 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1171 return SSL_TLSEXT_ERR_ALERT_FATAL;
1172 } else if (*argi != 1) {
1173 return SSL_TLSEXT_ERR_ALERT_FATAL;
1176 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1177 return SSL_TLSEXT_ERR_ALERT_FATAL;
1179 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1180 ocsp_server_called = 1;
1181 return SSL_TLSEXT_ERR_OK;
1184 static int ocsp_client_cb(SSL *s, void *arg)
1186 int *argi = (int *)arg;
1187 const unsigned char *respderin;
1190 if (*argi != 1 && *argi != 2)
1193 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1194 if (!TEST_mem_eq(orespder, len, respderin, len))
1197 ocsp_client_called = 1;
1201 static int test_tlsext_status_type(void)
1203 SSL_CTX *cctx = NULL, *sctx = NULL;
1204 SSL *clientssl = NULL, *serverssl = NULL;
1206 STACK_OF(OCSP_RESPID) *ids = NULL;
1207 OCSP_RESPID *id = NULL;
1208 BIO *certbio = NULL;
1210 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1212 &sctx, &cctx, cert, privkey))
1215 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1218 /* First just do various checks getting and setting tlsext_status_type */
1220 clientssl = SSL_new(cctx);
1221 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1222 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1223 TLSEXT_STATUSTYPE_ocsp))
1224 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1225 TLSEXT_STATUSTYPE_ocsp))
1228 SSL_free(clientssl);
1231 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1232 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1235 clientssl = SSL_new(cctx);
1236 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1238 SSL_free(clientssl);
1242 * Now actually do a handshake and check OCSP information is exchanged and
1243 * the callbacks get called
1245 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1246 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1247 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1248 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1249 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1250 &clientssl, NULL, NULL))
1251 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1253 || !TEST_true(ocsp_client_called)
1254 || !TEST_true(ocsp_server_called))
1256 SSL_free(serverssl);
1257 SSL_free(clientssl);
1261 /* Try again but this time force the server side callback to fail */
1262 ocsp_client_called = 0;
1263 ocsp_server_called = 0;
1265 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1266 &clientssl, NULL, NULL))
1267 /* This should fail because the callback will fail */
1268 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1270 || !TEST_false(ocsp_client_called)
1271 || !TEST_false(ocsp_server_called))
1273 SSL_free(serverssl);
1274 SSL_free(clientssl);
1279 * This time we'll get the client to send an OCSP_RESPID that it will
1282 ocsp_client_called = 0;
1283 ocsp_server_called = 0;
1285 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1286 &clientssl, NULL, NULL)))
1290 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1291 * specific one. We'll use the server cert.
1293 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1294 || !TEST_ptr(id = OCSP_RESPID_new())
1295 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1296 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1298 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1299 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1302 SSL_set_tlsext_status_ids(clientssl, ids);
1303 /* Control has been transferred */
1309 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1311 || !TEST_true(ocsp_client_called)
1312 || !TEST_true(ocsp_server_called))
1318 SSL_free(serverssl);
1319 SSL_free(clientssl);
1322 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1323 OCSP_RESPID_free(id);
1325 X509_free(ocspcert);
1332 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1333 static int new_called, remove_called, get_called;
1335 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1339 * sess has been up-refed for us, but we don't actually need it so free it
1342 SSL_SESSION_free(sess);
1346 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1351 static SSL_SESSION *get_sess_val = NULL;
1353 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1358 return get_sess_val;
1361 static int execute_test_session(int maxprot, int use_int_cache,
1364 SSL_CTX *sctx = NULL, *cctx = NULL;
1365 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1366 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1367 # ifndef OPENSSL_NO_TLS1_1
1368 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1370 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1371 int testresult = 0, numnewsesstick = 1;
1373 new_called = remove_called = 0;
1375 /* TLSv1.3 sends 2 NewSessionTickets */
1376 if (maxprot == TLS1_3_VERSION)
1379 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1381 &sctx, &cctx, cert, privkey)))
1385 * Only allow the max protocol version so we can force a connection failure
1388 SSL_CTX_set_min_proto_version(cctx, maxprot);
1389 SSL_CTX_set_max_proto_version(cctx, maxprot);
1391 /* Set up session cache */
1392 if (use_ext_cache) {
1393 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1394 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1396 if (use_int_cache) {
1397 /* Also covers instance where both are set */
1398 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1400 SSL_CTX_set_session_cache_mode(cctx,
1401 SSL_SESS_CACHE_CLIENT
1402 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1405 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1407 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1409 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1412 /* Should fail because it should already be in the cache */
1413 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1416 && (!TEST_int_eq(new_called, numnewsesstick)
1418 || !TEST_int_eq(remove_called, 0)))
1421 new_called = remove_called = 0;
1422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1423 &clientssl2, NULL, NULL))
1424 || !TEST_true(SSL_set_session(clientssl2, sess1))
1425 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1427 || !TEST_true(SSL_session_reused(clientssl2)))
1430 if (maxprot == TLS1_3_VERSION) {
1432 * In TLSv1.3 we should have created a new session even though we have
1433 * resumed. Since we attempted a resume we should also have removed the
1434 * old ticket from the cache so that we try to only use tickets once.
1437 && (!TEST_int_eq(new_called, 1)
1438 || !TEST_int_eq(remove_called, 1)))
1442 * In TLSv1.2 we expect to have resumed so no sessions added or
1446 && (!TEST_int_eq(new_called, 0)
1447 || !TEST_int_eq(remove_called, 0)))
1451 SSL_SESSION_free(sess1);
1452 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1454 shutdown_ssl_connection(serverssl2, clientssl2);
1455 serverssl2 = clientssl2 = NULL;
1457 new_called = remove_called = 0;
1458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1459 &clientssl2, NULL, NULL))
1460 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1464 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1468 && (!TEST_int_eq(new_called, numnewsesstick)
1469 || !TEST_int_eq(remove_called, 0)))
1472 new_called = remove_called = 0;
1474 * This should clear sess2 from the cache because it is a "bad" session.
1475 * See SSL_set_session() documentation.
1477 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1480 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1482 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1485 if (use_int_cache) {
1486 /* Should succeeded because it should not already be in the cache */
1487 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1488 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1492 new_called = remove_called = 0;
1493 /* This shouldn't be in the cache so should fail */
1494 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1498 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1501 # if !defined(OPENSSL_NO_TLS1_1)
1502 new_called = remove_called = 0;
1503 /* Force a connection failure */
1504 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1505 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1506 &clientssl3, NULL, NULL))
1507 || !TEST_true(SSL_set_session(clientssl3, sess1))
1508 /* This should fail because of the mismatched protocol versions */
1509 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1513 /* We should have automatically removed the session from the cache */
1515 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1518 /* Should succeed because it should not already be in the cache */
1519 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1523 /* Now do some tests for server side caching */
1524 if (use_ext_cache) {
1525 SSL_CTX_sess_set_new_cb(cctx, NULL);
1526 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1527 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1528 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1529 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1530 get_sess_val = NULL;
1533 SSL_CTX_set_session_cache_mode(cctx, 0);
1534 /* Internal caching is the default on the server side */
1536 SSL_CTX_set_session_cache_mode(sctx,
1537 SSL_SESS_CACHE_SERVER
1538 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1540 SSL_free(serverssl1);
1541 SSL_free(clientssl1);
1542 serverssl1 = clientssl1 = NULL;
1543 SSL_free(serverssl2);
1544 SSL_free(clientssl2);
1545 serverssl2 = clientssl2 = NULL;
1546 SSL_SESSION_free(sess1);
1548 SSL_SESSION_free(sess2);
1551 SSL_CTX_set_max_proto_version(sctx, maxprot);
1552 if (maxprot == TLS1_2_VERSION)
1553 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1554 new_called = remove_called = get_called = 0;
1555 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1557 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1559 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1560 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1563 if (use_int_cache) {
1564 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1566 * In TLSv1.3 it should not have been added to the internal cache,
1567 * except in the case where we also have an external cache (in that
1568 * case it gets added to the cache in order to generate remove
1569 * events after timeout).
1571 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1574 /* Should fail because it should already be in the cache */
1575 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1580 if (use_ext_cache) {
1581 SSL_SESSION *tmp = sess2;
1583 if (!TEST_int_eq(new_called, numnewsesstick)
1584 || !TEST_int_eq(remove_called, 0)
1585 || !TEST_int_eq(get_called, 0))
1588 * Delete the session from the internal cache to force a lookup from
1589 * the external cache. We take a copy first because
1590 * SSL_CTX_remove_session() also marks the session as non-resumable.
1592 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1593 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1594 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1596 SSL_SESSION_free(sess2);
1601 new_called = remove_called = get_called = 0;
1602 get_sess_val = sess2;
1603 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1604 &clientssl2, NULL, NULL))
1605 || !TEST_true(SSL_set_session(clientssl2, sess1))
1606 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1608 || !TEST_true(SSL_session_reused(clientssl2)))
1611 if (use_ext_cache) {
1612 if (!TEST_int_eq(remove_called, 0))
1615 if (maxprot == TLS1_3_VERSION) {
1616 if (!TEST_int_eq(new_called, 1)
1617 || !TEST_int_eq(get_called, 0))
1620 if (!TEST_int_eq(new_called, 0)
1621 || !TEST_int_eq(get_called, 1))
1629 SSL_free(serverssl1);
1630 SSL_free(clientssl1);
1631 SSL_free(serverssl2);
1632 SSL_free(clientssl2);
1633 # ifndef OPENSSL_NO_TLS1_1
1634 SSL_free(serverssl3);
1635 SSL_free(clientssl3);
1637 SSL_SESSION_free(sess1);
1638 SSL_SESSION_free(sess2);
1644 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1646 static int test_session_with_only_int_cache(void)
1648 #ifndef OPENSSL_NO_TLS1_3
1649 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1653 #ifndef OPENSSL_NO_TLS1_2
1654 return execute_test_session(TLS1_2_VERSION, 1, 0);
1660 static int test_session_with_only_ext_cache(void)
1662 #ifndef OPENSSL_NO_TLS1_3
1663 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1667 #ifndef OPENSSL_NO_TLS1_2
1668 return execute_test_session(TLS1_2_VERSION, 0, 1);
1674 static int test_session_with_both_cache(void)
1676 #ifndef OPENSSL_NO_TLS1_3
1677 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1681 #ifndef OPENSSL_NO_TLS1_2
1682 return execute_test_session(TLS1_2_VERSION, 1, 1);
1688 #ifndef OPENSSL_NO_TLS1_3
1689 static SSL_SESSION *sesscache[6];
1690 static int do_cache;
1692 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1695 sesscache[new_called] = sess;
1697 /* We don't need the reference to the session, so free it */
1698 SSL_SESSION_free(sess);
1705 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1707 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1708 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1711 /* Start handshake on the server and client */
1712 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1713 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1714 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1715 || !TEST_true(create_ssl_connection(sssl, cssl,
1722 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1725 int sess_id_ctx = 1;
1727 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1728 TLS1_VERSION, 0, sctx,
1729 cctx, cert, privkey))
1730 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1731 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1732 (void *)&sess_id_ctx,
1733 sizeof(sess_id_ctx))))
1737 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1739 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1740 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1741 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1746 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1748 SSL *serverssl = NULL, *clientssl = NULL;
1751 /* Test that we can resume with all the tickets we got given */
1752 for (i = 0; i < idx * 2; i++) {
1754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1755 &clientssl, NULL, NULL))
1756 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1759 SSL_set_post_handshake_auth(clientssl, 1);
1761 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1766 * Following a successful resumption we only get 1 ticket. After a
1767 * failed one we should get idx tickets.
1770 if (!TEST_true(SSL_session_reused(clientssl))
1771 || !TEST_int_eq(new_called, 1))
1774 if (!TEST_false(SSL_session_reused(clientssl))
1775 || !TEST_int_eq(new_called, idx))
1780 /* After a post-handshake authentication we should get 1 new ticket */
1782 && (!post_handshake_verify(serverssl, clientssl)
1783 || !TEST_int_eq(new_called, 1)))
1786 SSL_shutdown(clientssl);
1787 SSL_shutdown(serverssl);
1788 SSL_free(serverssl);
1789 SSL_free(clientssl);
1790 serverssl = clientssl = NULL;
1791 SSL_SESSION_free(sesscache[i]);
1792 sesscache[i] = NULL;
1798 SSL_free(clientssl);
1799 SSL_free(serverssl);
1803 static int test_tickets(int stateful, int idx)
1805 SSL_CTX *sctx = NULL, *cctx = NULL;
1806 SSL *serverssl = NULL, *clientssl = NULL;
1810 /* idx is the test number, but also the number of tickets we want */
1815 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1818 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1819 &clientssl, NULL, NULL)))
1822 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1824 /* Check we got the number of tickets we were expecting */
1825 || !TEST_int_eq(idx, new_called))
1828 SSL_shutdown(clientssl);
1829 SSL_shutdown(serverssl);
1830 SSL_free(serverssl);
1831 SSL_free(clientssl);
1834 clientssl = serverssl = NULL;
1838 * Now we try to resume with the tickets we previously created. The
1839 * resumption attempt is expected to fail (because we're now using a new
1840 * SSL_CTX). We should see idx number of tickets issued again.
1843 /* Stop caching sessions - just count them */
1846 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1849 if (!check_resumption(idx, sctx, cctx, 0))
1852 /* Start again with caching sessions */
1859 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1863 &clientssl, NULL, NULL)))
1866 SSL_set_post_handshake_auth(clientssl, 1);
1868 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1870 /* Check we got the number of tickets we were expecting */
1871 || !TEST_int_eq(idx, new_called))
1874 /* After a post-handshake authentication we should get new tickets issued */
1875 if (!post_handshake_verify(serverssl, clientssl)
1876 || !TEST_int_eq(idx * 2, new_called))
1879 SSL_shutdown(clientssl);
1880 SSL_shutdown(serverssl);
1881 SSL_free(serverssl);
1882 SSL_free(clientssl);
1883 serverssl = clientssl = NULL;
1885 /* Stop caching sessions - just count them */
1889 * Check we can resume with all the tickets we created. This time around the
1890 * resumptions should all be successful.
1892 if (!check_resumption(idx, sctx, cctx, 1))
1898 SSL_free(serverssl);
1899 SSL_free(clientssl);
1900 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1901 SSL_SESSION_free(sesscache[j]);
1902 sesscache[j] = NULL;
1910 static int test_stateless_tickets(int idx)
1912 return test_tickets(0, idx);
1915 static int test_stateful_tickets(int idx)
1917 return test_tickets(1, idx);
1920 static int test_psk_tickets(void)
1922 SSL_CTX *sctx = NULL, *cctx = NULL;
1923 SSL *serverssl = NULL, *clientssl = NULL;
1925 int sess_id_ctx = 1;
1927 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1928 TLS1_VERSION, 0, &sctx,
1930 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1931 (void *)&sess_id_ctx,
1932 sizeof(sess_id_ctx))))
1935 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1936 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1937 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1938 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1939 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1940 use_session_cb_cnt = 0;
1941 find_session_cb_cnt = 0;
1945 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1948 clientpsk = serverpsk = create_a_psk(clientssl);
1949 if (!TEST_ptr(clientpsk))
1951 SSL_SESSION_up_ref(clientpsk);
1953 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1955 || !TEST_int_eq(1, find_session_cb_cnt)
1956 || !TEST_int_eq(1, use_session_cb_cnt)
1957 /* We should always get 1 ticket when using external PSK */
1958 || !TEST_int_eq(1, new_called))
1964 SSL_free(serverssl);
1965 SSL_free(clientssl);
1968 SSL_SESSION_free(clientpsk);
1969 SSL_SESSION_free(serverpsk);
1970 clientpsk = serverpsk = NULL;
1979 #define USE_DEFAULT 3
1981 #define CONNTYPE_CONNECTION_SUCCESS 0
1982 #define CONNTYPE_CONNECTION_FAIL 1
1983 #define CONNTYPE_NO_CONNECTION 2
1985 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1986 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1987 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1988 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1990 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1993 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1994 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1995 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1997 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2014 * Tests calls to SSL_set_bio() under various conditions.
2016 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2017 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2018 * then do more tests where we create a successful connection first using our
2019 * standard connection setup functions, and then call SSL_set_bio() with
2020 * various combinations of valid BIOs or NULL. We then repeat these tests
2021 * following a failed connection. In this last case we are looking to check that
2022 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2024 static int test_ssl_set_bio(int idx)
2026 SSL_CTX *sctx = NULL, *cctx = NULL;
2029 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2030 SSL *serverssl = NULL, *clientssl = NULL;
2031 int initrbio, initwbio, newrbio, newwbio, conntype;
2034 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2042 conntype = CONNTYPE_NO_CONNECTION;
2044 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2045 initrbio = initwbio = USE_DEFAULT;
2053 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2055 &sctx, &cctx, cert, privkey)))
2058 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2060 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2061 * because we reduced the number of tests in the definition of
2062 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2063 * mismatched protocol versions we will force a connection failure.
2065 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2066 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2073 if (initrbio == USE_BIO_1
2074 || initwbio == USE_BIO_1
2075 || newrbio == USE_BIO_1
2076 || newwbio == USE_BIO_1) {
2077 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2081 if (initrbio == USE_BIO_2
2082 || initwbio == USE_BIO_2
2083 || newrbio == USE_BIO_2
2084 || newwbio == USE_BIO_2) {
2085 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2089 if (initrbio != USE_DEFAULT) {
2090 setupbio(&irbio, bio1, bio2, initrbio);
2091 setupbio(&iwbio, bio1, bio2, initwbio);
2092 SSL_set_bio(clientssl, irbio, iwbio);
2095 * We want to maintain our own refs to these BIO, so do an up ref for
2096 * each BIO that will have ownership transferred in the SSL_set_bio()
2101 if (iwbio != NULL && iwbio != irbio)
2105 if (conntype != CONNTYPE_NO_CONNECTION
2106 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2108 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2111 setupbio(&nrbio, bio1, bio2, newrbio);
2112 setupbio(&nwbio, bio1, bio2, newwbio);
2115 * We will (maybe) transfer ownership again so do more up refs.
2116 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2121 && (nwbio != iwbio || nrbio != nwbio))
2125 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2128 SSL_set_bio(clientssl, nrbio, nwbio);
2137 * This test is checking that the ref counting for SSL_set_bio is correct.
2138 * If we get here and we did too many frees then we will fail in the above
2141 SSL_free(serverssl);
2142 SSL_free(clientssl);
2148 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2150 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2152 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2157 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2158 || !TEST_ptr(ssl = SSL_new(ctx))
2159 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2160 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2163 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2166 * If anything goes wrong here then we could leak memory.
2168 BIO_push(sslbio, membio1);
2170 /* Verify changing the rbio/wbio directly does not cause leaks */
2171 if (change_bio != NO_BIO_CHANGE) {
2172 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2174 if (change_bio == CHANGE_RBIO)
2175 SSL_set0_rbio(ssl, membio2);
2177 SSL_set0_wbio(ssl, membio2);
2196 static int test_ssl_bio_pop_next_bio(void)
2198 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2201 static int test_ssl_bio_pop_ssl_bio(void)
2203 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2206 static int test_ssl_bio_change_rbio(void)
2208 return execute_test_ssl_bio(0, CHANGE_RBIO);
2211 static int test_ssl_bio_change_wbio(void)
2213 return execute_test_ssl_bio(0, CHANGE_WBIO);
2216 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2218 /* The list of sig algs */
2220 /* The length of the list */
2222 /* A sigalgs list in string format */
2223 const char *liststr;
2224 /* Whether setting the list should succeed */
2226 /* Whether creating a connection with the list should succeed */
2230 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2231 # ifndef OPENSSL_NO_EC
2232 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2233 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2235 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2236 static const int invalidlist2[] = {NID_sha256, NID_undef};
2237 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2238 static const int invalidlist4[] = {NID_sha256};
2239 static const sigalgs_list testsigalgs[] = {
2240 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2241 # ifndef OPENSSL_NO_EC
2242 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2243 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2245 {NULL, 0, "RSA+SHA256", 1, 1},
2246 # ifndef OPENSSL_NO_EC
2247 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2248 {NULL, 0, "ECDSA+SHA512", 1, 0},
2250 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2251 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2252 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2253 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2254 {NULL, 0, "RSA", 0, 0},
2255 {NULL, 0, "SHA256", 0, 0},
2256 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2257 {NULL, 0, "Invalid", 0, 0}
2260 static int test_set_sigalgs(int idx)
2262 SSL_CTX *cctx = NULL, *sctx = NULL;
2263 SSL *clientssl = NULL, *serverssl = NULL;
2265 const sigalgs_list *curr;
2268 /* Should never happen */
2269 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2272 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2273 curr = testctx ? &testsigalgs[idx]
2274 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2276 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2278 &sctx, &cctx, cert, privkey)))
2282 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2283 * for TLSv1.2 for now until we add a new API.
2285 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2290 if (curr->list != NULL)
2291 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2293 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2297 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2303 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2308 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2309 &clientssl, NULL, NULL)))
2315 if (curr->list != NULL)
2316 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2318 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2321 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2330 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2338 SSL_free(serverssl);
2339 SSL_free(clientssl);
2347 #ifndef OPENSSL_NO_TLS1_3
2348 static int psk_client_cb_cnt = 0;
2349 static int psk_server_cb_cnt = 0;
2351 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2352 size_t *idlen, SSL_SESSION **sess)
2354 switch (++use_session_cb_cnt) {
2356 /* The first call should always have a NULL md */
2362 /* The second call should always have an md */
2368 /* We should only be called a maximum of twice */
2372 if (clientpsk != NULL)
2373 SSL_SESSION_up_ref(clientpsk);
2376 *id = (const unsigned char *)pskid;
2377 *idlen = strlen(pskid);
2382 #ifndef OPENSSL_NO_PSK
2383 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2384 unsigned int max_id_len,
2386 unsigned int max_psk_len)
2388 unsigned int psklen = 0;
2390 psk_client_cb_cnt++;
2392 if (strlen(pskid) + 1 > max_id_len)
2395 /* We should only ever be called a maximum of twice per connection */
2396 if (psk_client_cb_cnt > 2)
2399 if (clientpsk == NULL)
2402 /* We'll reuse the PSK we set up for TLSv1.3 */
2403 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2405 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2406 strncpy(id, pskid, max_id_len);
2410 #endif /* OPENSSL_NO_PSK */
2412 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2413 size_t identity_len, SSL_SESSION **sess)
2415 find_session_cb_cnt++;
2417 /* We should only ever be called a maximum of twice per connection */
2418 if (find_session_cb_cnt > 2)
2421 if (serverpsk == NULL)
2424 /* Identity should match that set by the client */
2425 if (strlen(srvid) != identity_len
2426 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2427 /* No PSK found, continue but without a PSK */
2432 SSL_SESSION_up_ref(serverpsk);
2438 #ifndef OPENSSL_NO_PSK
2439 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2440 unsigned char *psk, unsigned int max_psk_len)
2442 unsigned int psklen = 0;
2444 psk_server_cb_cnt++;
2446 /* We should only ever be called a maximum of twice per connection */
2447 if (find_session_cb_cnt > 2)
2450 if (serverpsk == NULL)
2453 /* Identity should match that set by the client */
2454 if (strcmp(srvid, identity) != 0) {
2458 /* We'll reuse the PSK we set up for TLSv1.3 */
2459 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2461 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2465 #endif /* OPENSSL_NO_PSK */
2467 #define MSG1 "Hello"
2468 #define MSG2 "World."
2473 #define MSG7 "message."
2475 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2476 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2479 static SSL_SESSION *create_a_psk(SSL *ssl)
2481 const SSL_CIPHER *cipher = NULL;
2482 const unsigned char key[] = {
2483 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2484 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2485 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2486 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2487 0x2c, 0x2d, 0x2e, 0x2f
2489 SSL_SESSION *sess = NULL;
2491 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2492 sess = SSL_SESSION_new();
2494 || !TEST_ptr(cipher)
2495 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2497 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2499 SSL_SESSION_set_protocol_version(sess,
2501 SSL_SESSION_free(sess);
2508 * Helper method to setup objects for early data test. Caller frees objects on
2511 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2512 SSL **serverssl, SSL_SESSION **sess, int idx)
2515 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2516 TLS_client_method(),
2518 sctx, cctx, cert, privkey)))
2521 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2525 /* When idx == 1 we repeat the tests with read_ahead set */
2526 SSL_CTX_set_read_ahead(*cctx, 1);
2527 SSL_CTX_set_read_ahead(*sctx, 1);
2528 } else if (idx == 2) {
2529 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2530 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2531 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2532 use_session_cb_cnt = 0;
2533 find_session_cb_cnt = 0;
2537 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2542 * For one of the run throughs (doesn't matter which one), we'll try sending
2543 * some SNI data in the initial ClientHello. This will be ignored (because
2544 * there is no SNI cb set up by the server), so it should not impact
2548 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2552 clientpsk = create_a_psk(*clientssl);
2553 if (!TEST_ptr(clientpsk)
2555 * We just choose an arbitrary value for max_early_data which
2556 * should be big enough for testing purposes.
2558 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2560 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2561 SSL_SESSION_free(clientpsk);
2565 serverpsk = clientpsk;
2568 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2569 SSL_SESSION_free(clientpsk);
2570 SSL_SESSION_free(serverpsk);
2571 clientpsk = serverpsk = NULL;
2582 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2586 *sess = SSL_get1_session(*clientssl);
2587 SSL_shutdown(*clientssl);
2588 SSL_shutdown(*serverssl);
2589 SSL_free(*serverssl);
2590 SSL_free(*clientssl);
2591 *serverssl = *clientssl = NULL;
2593 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2594 clientssl, NULL, NULL))
2595 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2601 static int test_early_data_read_write(int idx)
2603 SSL_CTX *cctx = NULL, *sctx = NULL;
2604 SSL *clientssl = NULL, *serverssl = NULL;
2606 SSL_SESSION *sess = NULL;
2607 unsigned char buf[20], data[1024];
2608 size_t readbytes, written, eoedlen, rawread, rawwritten;
2611 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2612 &serverssl, &sess, idx)))
2615 /* Write and read some early data */
2616 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2618 || !TEST_size_t_eq(written, strlen(MSG1))
2619 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2620 sizeof(buf), &readbytes),
2621 SSL_READ_EARLY_DATA_SUCCESS)
2622 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2623 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2624 SSL_EARLY_DATA_ACCEPTED))
2628 * Server should be able to write data, and client should be able to
2631 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2633 || !TEST_size_t_eq(written, strlen(MSG2))
2634 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2635 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2638 /* Even after reading normal data, client should be able write early data */
2639 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2641 || !TEST_size_t_eq(written, strlen(MSG3)))
2644 /* Server should still be able read early data after writing data */
2645 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2647 SSL_READ_EARLY_DATA_SUCCESS)
2648 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2651 /* Write more data from server and read it from client */
2652 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2654 || !TEST_size_t_eq(written, strlen(MSG4))
2655 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2656 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2660 * If client writes normal data it should mean writing early data is no
2663 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2664 || !TEST_size_t_eq(written, strlen(MSG5))
2665 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2666 SSL_EARLY_DATA_ACCEPTED))
2670 * At this point the client has written EndOfEarlyData, ClientFinished and
2671 * normal (fully protected) data. We are going to cause a delay between the
2672 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2673 * in the read BIO, and then just put back the EndOfEarlyData message.
2675 rbio = SSL_get_rbio(serverssl);
2676 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2677 || !TEST_size_t_lt(rawread, sizeof(data))
2678 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2681 /* Record length is in the 4th and 5th bytes of the record header */
2682 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2683 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2684 || !TEST_size_t_eq(rawwritten, eoedlen))
2687 /* Server should be told that there is no more early data */
2688 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2690 SSL_READ_EARLY_DATA_FINISH)
2691 || !TEST_size_t_eq(readbytes, 0))
2695 * Server has not finished init yet, so should still be able to write early
2698 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2700 || !TEST_size_t_eq(written, strlen(MSG6)))
2703 /* Push the ClientFinished and the normal data back into the server rbio */
2704 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2706 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2709 /* Server should be able to read normal data */
2710 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2711 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2714 /* Client and server should not be able to write/read early data now */
2715 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2719 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2721 SSL_READ_EARLY_DATA_ERROR))
2725 /* Client should be able to read the data sent by the server */
2726 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2727 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2731 * Make sure we process the two NewSessionTickets. These arrive
2732 * post-handshake. We attempt reads which we do not expect to return any
2735 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2736 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2740 /* Server should be able to write normal data */
2741 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2742 || !TEST_size_t_eq(written, strlen(MSG7))
2743 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2744 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2747 SSL_SESSION_free(sess);
2748 sess = SSL_get1_session(clientssl);
2749 use_session_cb_cnt = 0;
2750 find_session_cb_cnt = 0;
2752 SSL_shutdown(clientssl);
2753 SSL_shutdown(serverssl);
2754 SSL_free(serverssl);
2755 SSL_free(clientssl);
2756 serverssl = clientssl = NULL;
2757 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2758 &clientssl, NULL, NULL))
2759 || !TEST_true(SSL_set_session(clientssl, sess)))
2762 /* Write and read some early data */
2763 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2765 || !TEST_size_t_eq(written, strlen(MSG1))
2766 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2768 SSL_READ_EARLY_DATA_SUCCESS)
2769 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2772 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2773 || !TEST_int_gt(SSL_accept(serverssl), 0))
2776 /* Client and server should not be able to write/read early data now */
2777 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2781 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2783 SSL_READ_EARLY_DATA_ERROR))
2787 /* Client and server should be able to write/read normal data */
2788 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2789 || !TEST_size_t_eq(written, strlen(MSG5))
2790 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2791 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2797 SSL_SESSION_free(sess);
2798 SSL_SESSION_free(clientpsk);
2799 SSL_SESSION_free(serverpsk);
2800 clientpsk = serverpsk = NULL;
2801 SSL_free(serverssl);
2802 SSL_free(clientssl);
2808 static int allow_ed_cb_called = 0;
2810 static int allow_early_data_cb(SSL *s, void *arg)
2812 int *usecb = (int *)arg;
2814 allow_ed_cb_called++;
2823 * idx == 0: Standard early_data setup
2824 * idx == 1: early_data setup using read_ahead
2825 * usecb == 0: Don't use a custom early data callback
2826 * usecb == 1: Use a custom early data callback and reject the early data
2827 * usecb == 2: Use a custom early data callback and accept the early data
2828 * confopt == 0: Configure anti-replay directly
2829 * confopt == 1: Configure anti-replay using SSL_CONF
2831 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2833 SSL_CTX *cctx = NULL, *sctx = NULL;
2834 SSL *clientssl = NULL, *serverssl = NULL;
2836 SSL_SESSION *sess = NULL;
2837 size_t readbytes, written;
2838 unsigned char buf[20];
2840 allow_ed_cb_called = 0;
2842 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2843 TLS1_VERSION, 0, &sctx,
2844 &cctx, cert, privkey)))
2849 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2851 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2853 if (!TEST_ptr(confctx))
2855 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2856 | SSL_CONF_FLAG_SERVER);
2857 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2858 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2860 SSL_CONF_CTX_free(confctx);
2863 SSL_CONF_CTX_free(confctx);
2865 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2868 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2869 &serverssl, &sess, idx)))
2873 * The server is configured to accept early data. Create a connection to
2874 * "use up" the ticket
2876 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2877 || !TEST_true(SSL_session_reused(clientssl)))
2880 SSL_shutdown(clientssl);
2881 SSL_shutdown(serverssl);
2882 SSL_free(serverssl);
2883 SSL_free(clientssl);
2884 serverssl = clientssl = NULL;
2886 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2887 &clientssl, NULL, NULL))
2888 || !TEST_true(SSL_set_session(clientssl, sess)))
2891 /* Write and read some early data */
2892 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2894 || !TEST_size_t_eq(written, strlen(MSG1)))
2898 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2900 SSL_READ_EARLY_DATA_FINISH)
2902 * The ticket was reused, so the we should have rejected the
2905 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2906 SSL_EARLY_DATA_REJECTED))
2909 /* In this case the callback decides to accept the early data */
2910 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2912 SSL_READ_EARLY_DATA_SUCCESS)
2913 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2915 * Server will have sent its flight so client can now send
2916 * end of early data and complete its half of the handshake
2918 || !TEST_int_gt(SSL_connect(clientssl), 0)
2919 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2921 SSL_READ_EARLY_DATA_FINISH)
2922 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2923 SSL_EARLY_DATA_ACCEPTED))
2927 /* Complete the connection */
2928 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2929 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2930 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2936 SSL_SESSION_free(sess);
2937 SSL_SESSION_free(clientpsk);
2938 SSL_SESSION_free(serverpsk);
2939 clientpsk = serverpsk = NULL;
2940 SSL_free(serverssl);
2941 SSL_free(clientssl);
2947 static int test_early_data_replay(int idx)
2949 int ret = 1, usecb, confopt;
2951 for (usecb = 0; usecb < 3; usecb++) {
2952 for (confopt = 0; confopt < 2; confopt++)
2953 ret &= test_early_data_replay_int(idx, usecb, confopt);
2960 * Helper function to test that a server attempting to read early data can
2961 * handle a connection from a client where the early data should be skipped.
2962 * testtype: 0 == No HRR
2963 * testtype: 1 == HRR
2964 * testtype: 2 == HRR, invalid early_data sent after HRR
2965 * testtype: 3 == recv_max_early_data set to 0
2967 static int early_data_skip_helper(int testtype, int idx)
2969 SSL_CTX *cctx = NULL, *sctx = NULL;
2970 SSL *clientssl = NULL, *serverssl = NULL;
2972 SSL_SESSION *sess = NULL;
2973 unsigned char buf[20];
2974 size_t readbytes, written;
2976 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2977 &serverssl, &sess, idx)))
2980 if (testtype == 1 || testtype == 2) {
2981 /* Force an HRR to occur */
2982 #if defined(OPENSSL_NO_EC)
2983 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
2986 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2989 } else if (idx == 2) {
2991 * We force early_data rejection by ensuring the PSK identity is
2994 srvid = "Dummy Identity";
2997 * Deliberately corrupt the creation time. We take 20 seconds off the
2998 * time. It could be any value as long as it is not within tolerance.
2999 * This should mean the ticket is rejected.
3001 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3006 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3009 /* Write some early data */
3010 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3012 || !TEST_size_t_eq(written, strlen(MSG1)))
3015 /* Server should reject the early data */
3016 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3018 SSL_READ_EARLY_DATA_FINISH)
3019 || !TEST_size_t_eq(readbytes, 0)
3020 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3021 SSL_EARLY_DATA_REJECTED))
3031 * Finish off the handshake. We perform the same writes and reads as
3032 * further down but we expect them to fail due to the incomplete
3035 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3036 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3043 BIO *wbio = SSL_get_wbio(clientssl);
3044 /* A record that will appear as bad early_data */
3045 const unsigned char bad_early_data[] = {
3046 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3050 * We force the client to attempt a write. This will fail because
3051 * we're still in the handshake. It will cause the second
3052 * ClientHello to be sent.
3054 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3059 * Inject some early_data after the second ClientHello. This should
3060 * cause the server to fail
3062 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3063 sizeof(bad_early_data), &written)))
3070 * This client has sent more early_data than we are willing to skip
3071 * (case 3) or sent invalid early_data (case 2) so the connection should
3074 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3075 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3078 /* Connection has failed - nothing more to do */
3083 TEST_error("Invalid test type");
3088 * Should be able to send normal data despite rejection of early data. The
3089 * early_data should be skipped.
3091 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3092 || !TEST_size_t_eq(written, strlen(MSG2))
3093 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3094 SSL_EARLY_DATA_REJECTED)
3095 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3096 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3102 SSL_SESSION_free(clientpsk);
3103 SSL_SESSION_free(serverpsk);
3104 clientpsk = serverpsk = NULL;
3105 SSL_SESSION_free(sess);
3106 SSL_free(serverssl);
3107 SSL_free(clientssl);
3114 * Test that a server attempting to read early data can handle a connection
3115 * from a client where the early data is not acceptable.
3117 static int test_early_data_skip(int idx)
3119 return early_data_skip_helper(0, idx);
3123 * Test that a server attempting to read early data can handle a connection
3124 * from a client where an HRR occurs.
3126 static int test_early_data_skip_hrr(int idx)
3128 return early_data_skip_helper(1, idx);
3132 * Test that a server attempting to read early data can handle a connection
3133 * from a client where an HRR occurs and correctly fails if early_data is sent
3136 static int test_early_data_skip_hrr_fail(int idx)
3138 return early_data_skip_helper(2, idx);
3142 * Test that a server attempting to read early data will abort if it tries to
3143 * skip over too much.
3145 static int test_early_data_skip_abort(int idx)
3147 return early_data_skip_helper(3, idx);
3151 * Test that a server attempting to read early data can handle a connection
3152 * from a client that doesn't send any.
3154 static int test_early_data_not_sent(int idx)
3156 SSL_CTX *cctx = NULL, *sctx = NULL;
3157 SSL *clientssl = NULL, *serverssl = NULL;
3159 SSL_SESSION *sess = NULL;
3160 unsigned char buf[20];
3161 size_t readbytes, written;
3163 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3164 &serverssl, &sess, idx)))
3167 /* Write some data - should block due to handshake with server */
3168 SSL_set_connect_state(clientssl);
3169 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3172 /* Server should detect that early data has not been sent */
3173 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3175 SSL_READ_EARLY_DATA_FINISH)
3176 || !TEST_size_t_eq(readbytes, 0)
3177 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3178 SSL_EARLY_DATA_NOT_SENT)
3179 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3180 SSL_EARLY_DATA_NOT_SENT))
3183 /* Continue writing the message we started earlier */
3184 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3185 || !TEST_size_t_eq(written, strlen(MSG1))
3186 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3187 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3188 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3189 || !TEST_size_t_eq(written, strlen(MSG2)))
3192 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3193 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3199 SSL_SESSION_free(sess);
3200 SSL_SESSION_free(clientpsk);
3201 SSL_SESSION_free(serverpsk);
3202 clientpsk = serverpsk = NULL;
3203 SSL_free(serverssl);
3204 SSL_free(clientssl);
3210 static const char *servalpn;
3212 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3213 unsigned char *outlen, const unsigned char *in,
3214 unsigned int inlen, void *arg)
3216 unsigned int protlen = 0;
3217 const unsigned char *prot;
3219 for (prot = in; prot < in + inlen; prot += protlen) {
3221 if (in + inlen < prot + protlen)
3222 return SSL_TLSEXT_ERR_NOACK;
3224 if (protlen == strlen(servalpn)
3225 && memcmp(prot, servalpn, protlen) == 0) {
3228 return SSL_TLSEXT_ERR_OK;
3232 return SSL_TLSEXT_ERR_NOACK;
3235 /* Test that a PSK can be used to send early_data */
3236 static int test_early_data_psk(int idx)
3238 SSL_CTX *cctx = NULL, *sctx = NULL;
3239 SSL *clientssl = NULL, *serverssl = NULL;
3241 SSL_SESSION *sess = NULL;
3242 unsigned char alpnlist[] = {
3243 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3246 #define GOODALPNLEN 9
3247 #define BADALPNLEN 8
3248 #define GOODALPN (alpnlist)
3249 #define BADALPN (alpnlist + GOODALPNLEN)
3251 unsigned char buf[20];
3252 size_t readbytes, written;
3253 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3254 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3256 /* We always set this up with a final parameter of "2" for PSK */
3257 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3258 &serverssl, &sess, 2)))
3261 servalpn = "goodalpn";
3264 * Note: There is no test for inconsistent SNI with late client detection.
3265 * This is because servers do not acknowledge SNI even if they are using
3266 * it in a resumption handshake - so it is not actually possible for a
3267 * client to detect a problem.
3271 /* Set inconsistent SNI (early client detection) */
3272 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3273 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3274 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3279 /* Set inconsistent ALPN (early client detection) */
3280 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3281 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3282 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3284 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3291 * Set invalid protocol version. Technically this affects PSKs without
3292 * early_data too, but we test it here because it is similar to the
3293 * SNI/ALPN consistency tests.
3295 err = SSL_R_BAD_PSK;
3296 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3302 * Set inconsistent SNI (server side). In this case the connection
3303 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3304 * is associated with each handshake - not the session. Therefore it
3305 * should not matter that we used a different server name last time.
3307 SSL_SESSION_free(serverpsk);
3308 serverpsk = SSL_SESSION_dup(clientpsk);
3309 if (!TEST_ptr(serverpsk)
3310 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3314 /* Set consistent SNI */
3315 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3316 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3317 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3324 * Set inconsistent ALPN (server detected). In this case the connection
3325 * will succeed but reject early_data.
3327 servalpn = "badalpn";
3328 edstatus = SSL_EARLY_DATA_REJECTED;
3329 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3333 * Set consistent ALPN.
3334 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3335 * accepts a list of protos (each one length prefixed).
3336 * SSL_set1_alpn_selected accepts a single protocol (not length
3339 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3341 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3345 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3349 /* Set inconsistent ALPN (late client detection) */
3350 SSL_SESSION_free(serverpsk);
3351 serverpsk = SSL_SESSION_dup(clientpsk);
3352 if (!TEST_ptr(serverpsk)
3353 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3356 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3359 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3362 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3363 edstatus = SSL_EARLY_DATA_ACCEPTED;
3364 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3365 /* SSL_connect() call should fail */
3370 TEST_error("Bad test index");
3374 SSL_set_connect_state(clientssl);
3376 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3378 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3379 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3382 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3386 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3387 &readbytes), readearlyres)
3388 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3389 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3390 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3391 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3398 SSL_SESSION_free(sess);
3399 SSL_SESSION_free(clientpsk);
3400 SSL_SESSION_free(serverpsk);
3401 clientpsk = serverpsk = NULL;
3402 SSL_free(serverssl);
3403 SSL_free(clientssl);
3410 * Test that a server that doesn't try to read early data can handle a
3411 * client sending some.
3413 static int test_early_data_not_expected(int idx)
3415 SSL_CTX *cctx = NULL, *sctx = NULL;
3416 SSL *clientssl = NULL, *serverssl = NULL;
3418 SSL_SESSION *sess = NULL;
3419 unsigned char buf[20];
3420 size_t readbytes, written;
3422 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3423 &serverssl, &sess, idx)))
3426 /* Write some early data */
3427 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3432 * Server should skip over early data and then block waiting for client to
3433 * continue handshake
3435 if (!TEST_int_le(SSL_accept(serverssl), 0)
3436 || !TEST_int_gt(SSL_connect(clientssl), 0)
3437 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3438 SSL_EARLY_DATA_REJECTED)
3439 || !TEST_int_gt(SSL_accept(serverssl), 0)
3440 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3441 SSL_EARLY_DATA_REJECTED))
3444 /* Send some normal data from client to server */
3445 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3446 || !TEST_size_t_eq(written, strlen(MSG2)))
3449 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3450 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3456 SSL_SESSION_free(sess);
3457 SSL_SESSION_free(clientpsk);
3458 SSL_SESSION_free(serverpsk);
3459 clientpsk = serverpsk = NULL;
3460 SSL_free(serverssl);
3461 SSL_free(clientssl);
3468 # ifndef OPENSSL_NO_TLS1_2
3470 * Test that a server attempting to read early data can handle a connection
3471 * from a TLSv1.2 client.
3473 static int test_early_data_tls1_2(int idx)
3475 SSL_CTX *cctx = NULL, *sctx = NULL;
3476 SSL *clientssl = NULL, *serverssl = NULL;
3478 unsigned char buf[20];
3479 size_t readbytes, written;
3481 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3482 &serverssl, NULL, idx)))
3485 /* Write some data - should block due to handshake with server */
3486 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3487 SSL_set_connect_state(clientssl);
3488 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3492 * Server should do TLSv1.2 handshake. First it will block waiting for more
3493 * messages from client after ServerDone. Then SSL_read_early_data should
3494 * finish and detect that early data has not been sent
3496 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3498 SSL_READ_EARLY_DATA_ERROR))
3502 * Continue writing the message we started earlier. Will still block waiting
3503 * for the CCS/Finished from server
3505 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3506 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3508 SSL_READ_EARLY_DATA_FINISH)
3509 || !TEST_size_t_eq(readbytes, 0)
3510 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3511 SSL_EARLY_DATA_NOT_SENT))
3514 /* Continue writing the message we started earlier */
3515 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3516 || !TEST_size_t_eq(written, strlen(MSG1))
3517 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3518 SSL_EARLY_DATA_NOT_SENT)
3519 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3520 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3521 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3522 || !TEST_size_t_eq(written, strlen(MSG2))
3523 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3524 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3530 SSL_SESSION_free(clientpsk);
3531 SSL_SESSION_free(serverpsk);
3532 clientpsk = serverpsk = NULL;
3533 SSL_free(serverssl);
3534 SSL_free(clientssl);
3540 # endif /* OPENSSL_NO_TLS1_2 */
3543 * Test configuring the TLSv1.3 ciphersuites
3545 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3546 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3547 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3548 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3549 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3550 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3551 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3552 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3553 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3554 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3556 static int test_set_ciphersuite(int idx)
3558 SSL_CTX *cctx = NULL, *sctx = NULL;
3559 SSL *clientssl = NULL, *serverssl = NULL;
3562 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3564 &sctx, &cctx, cert, privkey))
3565 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3566 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3569 if (idx >=4 && idx <= 7) {
3570 /* SSL_CTX explicit cipher list */
3571 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3575 if (idx == 0 || idx == 4) {
3576 /* Default ciphersuite */
3577 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3578 "TLS_AES_128_GCM_SHA256")))
3580 } else if (idx == 1 || idx == 5) {
3581 /* Non default ciphersuite */
3582 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3583 "TLS_AES_128_CCM_SHA256")))
3587 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3588 &clientssl, NULL, NULL)))
3591 if (idx == 8 || idx == 9) {
3592 /* SSL explicit cipher list */
3593 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3597 if (idx == 2 || idx == 6 || idx == 8) {
3598 /* Default ciphersuite */
3599 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3600 "TLS_AES_128_GCM_SHA256")))
3602 } else if (idx == 3 || idx == 7 || idx == 9) {
3603 /* Non default ciphersuite */
3604 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3605 "TLS_AES_128_CCM_SHA256")))
3609 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3615 SSL_free(serverssl);
3616 SSL_free(clientssl);
3623 static int test_ciphersuite_change(void)
3625 SSL_CTX *cctx = NULL, *sctx = NULL;
3626 SSL *clientssl = NULL, *serverssl = NULL;
3627 SSL_SESSION *clntsess = NULL;
3629 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3631 /* Create a session based on SHA-256 */
3632 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3634 &sctx, &cctx, cert, privkey))
3635 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3636 "TLS_AES_128_GCM_SHA256"))
3637 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3638 &clientssl, NULL, NULL))
3639 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3643 clntsess = SSL_get1_session(clientssl);
3644 /* Save for later */
3645 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3646 SSL_shutdown(clientssl);
3647 SSL_shutdown(serverssl);
3648 SSL_free(serverssl);
3649 SSL_free(clientssl);
3650 serverssl = clientssl = NULL;
3652 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3653 /* Check we can resume a session with a different SHA-256 ciphersuite */
3654 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3655 "TLS_CHACHA20_POLY1305_SHA256"))
3656 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3658 || !TEST_true(SSL_set_session(clientssl, clntsess))
3659 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3661 || !TEST_true(SSL_session_reused(clientssl)))
3664 SSL_SESSION_free(clntsess);
3665 clntsess = SSL_get1_session(clientssl);
3666 SSL_shutdown(clientssl);
3667 SSL_shutdown(serverssl);
3668 SSL_free(serverssl);
3669 SSL_free(clientssl);
3670 serverssl = clientssl = NULL;
3674 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3675 * succeeds but does not resume.
3677 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3678 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3680 || !TEST_true(SSL_set_session(clientssl, clntsess))
3681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3683 || !TEST_false(SSL_session_reused(clientssl)))
3686 SSL_SESSION_free(clntsess);
3688 SSL_shutdown(clientssl);
3689 SSL_shutdown(serverssl);
3690 SSL_free(serverssl);
3691 SSL_free(clientssl);
3692 serverssl = clientssl = NULL;
3694 /* Create a session based on SHA384 */
3695 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3696 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3697 &clientssl, NULL, NULL))
3698 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3702 clntsess = SSL_get1_session(clientssl);
3703 SSL_shutdown(clientssl);
3704 SSL_shutdown(serverssl);
3705 SSL_free(serverssl);
3706 SSL_free(clientssl);
3707 serverssl = clientssl = NULL;
3709 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3710 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3711 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3712 "TLS_AES_256_GCM_SHA384"))
3713 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3715 || !TEST_true(SSL_set_session(clientssl, clntsess))
3717 * We use SSL_ERROR_WANT_READ below so that we can pause the
3718 * connection after the initial ClientHello has been sent to
3719 * enable us to make some session changes.
3721 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3722 SSL_ERROR_WANT_READ)))
3725 /* Trick the client into thinking this session is for a different digest */
3726 clntsess->cipher = aes_128_gcm_sha256;
3727 clntsess->cipher_id = clntsess->cipher->id;
3730 * Continue the previously started connection. Server has selected a SHA-384
3731 * ciphersuite, but client thinks the session is for SHA-256, so it should
3734 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3736 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3737 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3743 SSL_SESSION_free(clntsess);
3744 SSL_free(serverssl);
3745 SSL_free(clientssl);
3753 * Test TLSv1.3 Key exchange
3754 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3755 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3756 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3757 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3758 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3759 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3760 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3761 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3762 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3763 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3764 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3765 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3766 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3767 * Test 13 = Test all FFDHE with TLSv1.2 client and server
3769 static int test_key_exchange(int idx)
3771 SSL_CTX *sctx = NULL, *cctx = NULL;
3772 SSL *serverssl = NULL, *clientssl = NULL;
3774 # ifndef OPENSSL_NO_EC
3775 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3776 NID_secp521r1, NID_X25519, NID_X448};
3778 # ifndef OPENSSL_NO_DH
3779 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3780 NID_ffdhe6144, NID_ffdhe8192};
3783 int *kexch_groups = &kexch_alg;
3784 int kexch_groups_size = 1;
3785 int max_version = TLS1_3_VERSION;
3788 # ifndef OPENSSL_NO_EC
3789 # ifndef OPENSSL_NO_TLS1_2
3791 max_version = TLS1_2_VERSION;
3795 kexch_groups = ecdhe_kexch_groups;
3796 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3799 kexch_alg = NID_X9_62_prime256v1;
3802 kexch_alg = NID_secp384r1;
3805 kexch_alg = NID_secp521r1;
3808 kexch_alg = NID_X25519;
3811 kexch_alg = NID_X448;
3814 # ifndef OPENSSL_NO_DH
3815 # ifndef OPENSSL_NO_TLS1_2
3817 max_version = TLS1_2_VERSION;
3821 kexch_groups = ffdhe_kexch_groups;
3822 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3825 kexch_alg = NID_ffdhe2048;
3828 kexch_alg = NID_ffdhe3072;
3831 kexch_alg = NID_ffdhe4096;
3834 kexch_alg = NID_ffdhe6144;
3837 kexch_alg = NID_ffdhe8192;
3841 /* We're skipping this test */
3845 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3846 TLS1_VERSION, max_version,
3847 &sctx, &cctx, cert, privkey)))
3850 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3851 TLS1_3_RFC_AES_128_GCM_SHA256)))
3854 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3855 TLS1_3_RFC_AES_128_GCM_SHA256)))
3858 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3859 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3863 * Must include an EC ciphersuite so that we send supported groups in
3866 # ifndef OPENSSL_NO_TLS1_2
3867 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3868 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3869 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3873 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3877 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3878 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3881 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3885 * If Handshake succeeds the negotiated kexch alg should be the first one in
3886 * configured, except in the case of FFDHE groups (idx 13), which are
3887 * TLSv1.3 only so we expect no shared group to exist.
3889 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
3890 idx == 13 ? 0 : kexch_groups[0]))
3892 if (max_version == TLS1_3_VERSION) {
3893 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
3895 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
3901 SSL_free(serverssl);
3902 SSL_free(clientssl);
3909 * Test TLSv1.3 Cipher Suite
3910 * Test 0 = Set TLS1.3 cipher on context
3911 * Test 1 = Set TLS1.3 cipher on SSL
3912 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
3913 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
3915 static int test_tls13_ciphersuite(int idx)
3917 SSL_CTX *sctx = NULL, *cctx = NULL;
3918 SSL *serverssl = NULL, *clientssl = NULL;
3919 static const char *t13_ciphers[] = {
3920 TLS1_3_RFC_AES_128_GCM_SHA256,
3921 TLS1_3_RFC_AES_256_GCM_SHA384,
3922 TLS1_3_RFC_AES_128_CCM_SHA256,
3923 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3924 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3925 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3927 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
3929 const char *t13_cipher = NULL;
3930 const char *t12_cipher = NULL;
3931 const char *negotiated_scipher;
3932 const char *negotiated_ccipher;
3948 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
3952 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
3956 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
3957 # ifdef OPENSSL_NO_TLS1_2
3958 if (max_ver == TLS1_2_VERSION)
3961 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
3962 t13_cipher = t13_ciphers[i];
3963 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3964 TLS_client_method(),
3965 TLS1_VERSION, max_ver,
3966 &sctx, &cctx, cert, privkey)))
3970 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
3971 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
3973 if (t12_cipher != NULL) {
3974 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
3975 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
3981 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3982 &clientssl, NULL, NULL)))
3986 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
3987 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
3989 if (t12_cipher != NULL) {
3990 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
3991 || !TEST_true(SSL_set_cipher_list(clientssl,
3997 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4001 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4003 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4005 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4009 * TEST_strn_eq is used below because t13_cipher can contain
4010 * multiple ciphersuites
4012 if (max_ver == TLS1_3_VERSION
4013 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4014 strlen(negotiated_scipher)))
4017 # ifndef OPENSSL_NO_TLS1_2
4018 /* Below validation is not done when t12_cipher is NULL */
4019 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4020 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4024 SSL_free(serverssl);
4026 SSL_free(clientssl);
4037 SSL_free(serverssl);
4038 SSL_free(clientssl);
4046 * Test 0 = Test new style callbacks
4047 * Test 1 = Test both new and old style callbacks
4048 * Test 2 = Test old style callbacks
4049 * Test 3 = Test old style callbacks with no certificate
4051 static int test_tls13_psk(int idx)
4053 SSL_CTX *sctx = NULL, *cctx = NULL;
4054 SSL *serverssl = NULL, *clientssl = NULL;
4055 const SSL_CIPHER *cipher = NULL;
4056 const unsigned char key[] = {
4057 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4058 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4059 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4060 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4064 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4066 &sctx, &cctx, idx == 3 ? NULL : cert,
4067 idx == 3 ? NULL : privkey)))
4072 * We use a ciphersuite with SHA256 to ease testing old style PSK
4073 * callbacks which will always default to SHA256. This should not be
4074 * necessary if we have no cert/priv key. In that case the server should
4075 * prefer SHA256 automatically.
4077 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4078 "TLS_AES_128_GCM_SHA256")))
4083 * Test 0: New style callbacks only
4084 * Test 1: New and old style callbacks (only the new ones should be used)
4085 * Test 2: Old style callbacks only
4087 if (idx == 0 || idx == 1) {
4088 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4089 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4091 #ifndef OPENSSL_NO_PSK
4093 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4094 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4098 use_session_cb_cnt = 0;
4099 find_session_cb_cnt = 0;
4100 psk_client_cb_cnt = 0;
4101 psk_server_cb_cnt = 0;
4105 * Check we can create a connection if callback decides not to send a
4108 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4110 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4112 || !TEST_false(SSL_session_reused(clientssl))
4113 || !TEST_false(SSL_session_reused(serverssl)))
4116 if (idx == 0 || idx == 1) {
4117 if (!TEST_true(use_session_cb_cnt == 1)
4118 || !TEST_true(find_session_cb_cnt == 0)
4120 * If no old style callback then below should be 0
4123 || !TEST_true(psk_client_cb_cnt == idx)
4124 || !TEST_true(psk_server_cb_cnt == 0))
4127 if (!TEST_true(use_session_cb_cnt == 0)
4128 || !TEST_true(find_session_cb_cnt == 0)
4129 || !TEST_true(psk_client_cb_cnt == 1)
4130 || !TEST_true(psk_server_cb_cnt == 0))
4134 shutdown_ssl_connection(serverssl, clientssl);
4135 serverssl = clientssl = NULL;
4136 use_session_cb_cnt = psk_client_cb_cnt = 0;
4139 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4143 /* Create the PSK */
4144 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4145 clientpsk = SSL_SESSION_new();
4146 if (!TEST_ptr(clientpsk)
4147 || !TEST_ptr(cipher)
4148 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4150 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4151 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4153 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4155 serverpsk = clientpsk;
4157 /* Check we can create a connection and the PSK is used */
4158 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4159 || !TEST_true(SSL_session_reused(clientssl))
4160 || !TEST_true(SSL_session_reused(serverssl)))
4163 if (idx == 0 || idx == 1) {
4164 if (!TEST_true(use_session_cb_cnt == 1)
4165 || !TEST_true(find_session_cb_cnt == 1)
4166 || !TEST_true(psk_client_cb_cnt == 0)
4167 || !TEST_true(psk_server_cb_cnt == 0))
4170 if (!TEST_true(use_session_cb_cnt == 0)
4171 || !TEST_true(find_session_cb_cnt == 0)
4172 || !TEST_true(psk_client_cb_cnt == 1)
4173 || !TEST_true(psk_server_cb_cnt == 1))
4177 shutdown_ssl_connection(serverssl, clientssl);
4178 serverssl = clientssl = NULL;
4179 use_session_cb_cnt = find_session_cb_cnt = 0;
4180 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4182 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4187 #if defined(OPENSSL_NO_EC)
4188 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4191 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4196 * Check we can create a connection, the PSK is used and the callbacks are
4199 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4200 || !TEST_true(SSL_session_reused(clientssl))
4201 || !TEST_true(SSL_session_reused(serverssl)))
4204 if (idx == 0 || idx == 1) {
4205 if (!TEST_true(use_session_cb_cnt == 2)
4206 || !TEST_true(find_session_cb_cnt == 2)
4207 || !TEST_true(psk_client_cb_cnt == 0)
4208 || !TEST_true(psk_server_cb_cnt == 0))
4211 if (!TEST_true(use_session_cb_cnt == 0)
4212 || !TEST_true(find_session_cb_cnt == 0)
4213 || !TEST_true(psk_client_cb_cnt == 2)
4214 || !TEST_true(psk_server_cb_cnt == 2))
4218 shutdown_ssl_connection(serverssl, clientssl);
4219 serverssl = clientssl = NULL;
4220 use_session_cb_cnt = find_session_cb_cnt = 0;
4221 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4225 * Check that if the server rejects the PSK we can still connect, but with
4228 srvid = "Dummy Identity";
4229 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4231 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4233 || !TEST_false(SSL_session_reused(clientssl))
4234 || !TEST_false(SSL_session_reused(serverssl)))
4237 if (idx == 0 || idx == 1) {
4238 if (!TEST_true(use_session_cb_cnt == 1)
4239 || !TEST_true(find_session_cb_cnt == 1)
4240 || !TEST_true(psk_client_cb_cnt == 0)
4242 * If no old style callback then below should be 0
4245 || !TEST_true(psk_server_cb_cnt == idx))
4248 if (!TEST_true(use_session_cb_cnt == 0)
4249 || !TEST_true(find_session_cb_cnt == 0)
4250 || !TEST_true(psk_client_cb_cnt == 1)
4251 || !TEST_true(psk_server_cb_cnt == 1))
4255 shutdown_ssl_connection(serverssl, clientssl);
4256 serverssl = clientssl = NULL;
4261 SSL_SESSION_free(clientpsk);
4262 SSL_SESSION_free(serverpsk);
4263 clientpsk = serverpsk = NULL;
4264 SSL_free(serverssl);
4265 SSL_free(clientssl);
4271 static unsigned char cookie_magic_value[] = "cookie magic";
4273 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4274 unsigned int *cookie_len)
4277 * Not suitable as a real cookie generation function but good enough for
4280 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4281 *cookie_len = sizeof(cookie_magic_value) - 1;
4286 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4287 unsigned int cookie_len)
4289 if (cookie_len == sizeof(cookie_magic_value) - 1
4290 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4296 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4300 int res = generate_cookie_callback(ssl, cookie, &temp);
4305 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4308 return verify_cookie_callback(ssl, cookie, cookie_len);
4311 static int test_stateless(void)
4313 SSL_CTX *sctx = NULL, *cctx = NULL;
4314 SSL *serverssl = NULL, *clientssl = NULL;
4317 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4319 &sctx, &cctx, cert, privkey)))
4322 /* The arrival of CCS messages can confuse the test */
4323 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4325 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4327 /* Send the first ClientHello */
4328 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4329 SSL_ERROR_WANT_READ))
4331 * This should fail with a -1 return because we have no callbacks
4334 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4337 /* Fatal error so abandon the connection from this client */
4338 SSL_free(clientssl);
4341 /* Set up the cookie generation and verification callbacks */
4342 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4343 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4346 * Create a new connection from the client (we can reuse the server SSL
4349 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4351 /* Send the first ClientHello */
4352 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4353 SSL_ERROR_WANT_READ))
4354 /* This should fail because there is no cookie */
4355 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4358 /* Abandon the connection from this client */
4359 SSL_free(clientssl);
4363 * Now create a connection from a new client but with the same server SSL
4366 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4368 /* Send the first ClientHello */
4369 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4370 SSL_ERROR_WANT_READ))
4371 /* This should fail because there is no cookie */
4372 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4373 /* Send the second ClientHello */
4374 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4375 SSL_ERROR_WANT_READ))
4376 /* This should succeed because a cookie is now present */
4377 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4378 /* Complete the connection */
4379 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4383 shutdown_ssl_connection(serverssl, clientssl);
4384 serverssl = clientssl = NULL;
4388 SSL_free(serverssl);
4389 SSL_free(clientssl);
4395 #endif /* OPENSSL_NO_TLS1_3 */
4397 static int clntaddoldcb = 0;
4398 static int clntparseoldcb = 0;
4399 static int srvaddoldcb = 0;
4400 static int srvparseoldcb = 0;
4401 static int clntaddnewcb = 0;
4402 static int clntparsenewcb = 0;
4403 static int srvaddnewcb = 0;
4404 static int srvparsenewcb = 0;
4405 static int snicb = 0;
4407 #define TEST_EXT_TYPE1 0xff00
4409 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4410 size_t *outlen, int *al, void *add_arg)
4412 int *server = (int *)add_arg;
4413 unsigned char *data;
4415 if (SSL_is_server(s))
4420 if (*server != SSL_is_server(s)
4421 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4426 *outlen = sizeof(char);
4430 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4433 OPENSSL_free((unsigned char *)out);
4436 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4437 size_t inlen, int *al, void *parse_arg)
4439 int *server = (int *)parse_arg;
4441 if (SSL_is_server(s))
4446 if (*server != SSL_is_server(s)
4447 || inlen != sizeof(char)
4454 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4455 const unsigned char **out, size_t *outlen, X509 *x,
4456 size_t chainidx, int *al, void *add_arg)
4458 int *server = (int *)add_arg;
4459 unsigned char *data;
4461 if (SSL_is_server(s))
4466 if (*server != SSL_is_server(s)
4467 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4472 *outlen = sizeof(*data);
4476 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4477 const unsigned char *out, void *add_arg)
4479 OPENSSL_free((unsigned char *)out);
4482 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4483 const unsigned char *in, size_t inlen, X509 *x,
4484 size_t chainidx, int *al, void *parse_arg)
4486 int *server = (int *)parse_arg;
4488 if (SSL_is_server(s))
4493 if (*server != SSL_is_server(s)
4494 || inlen != sizeof(char) || *in != 1)
4500 static int sni_cb(SSL *s, int *al, void *arg)
4502 SSL_CTX *ctx = (SSL_CTX *)arg;
4504 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4505 *al = SSL_AD_INTERNAL_ERROR;
4506 return SSL_TLSEXT_ERR_ALERT_FATAL;
4509 return SSL_TLSEXT_ERR_OK;
4513 * Custom call back tests.
4514 * Test 0: Old style callbacks in TLSv1.2
4515 * Test 1: New style callbacks in TLSv1.2
4516 * Test 2: New style callbacks in TLSv1.2 with SNI
4517 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4518 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4520 static int test_custom_exts(int tst)
4522 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4523 SSL *clientssl = NULL, *serverssl = NULL;
4525 static int server = 1;
4526 static int client = 0;
4527 SSL_SESSION *sess = NULL;
4528 unsigned int context;
4530 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4531 /* Skip tests for TLSv1.2 and below in this case */
4536 /* Reset callback counters */
4537 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4538 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4541 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4543 &sctx, &cctx, cert, privkey)))
4547 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4549 &sctx2, NULL, cert, privkey)))
4554 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4555 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4557 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4561 context = SSL_EXT_CLIENT_HELLO
4562 | SSL_EXT_TLS1_2_SERVER_HELLO
4563 | SSL_EXT_TLS1_3_SERVER_HELLO
4564 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4565 | SSL_EXT_TLS1_3_CERTIFICATE
4566 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4568 context = SSL_EXT_CLIENT_HELLO
4569 | SSL_EXT_TLS1_2_SERVER_HELLO
4570 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4573 /* Create a client side custom extension */
4575 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4576 old_add_cb, old_free_cb,
4577 &client, old_parse_cb,
4581 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4582 new_add_cb, new_free_cb,
4583 &client, new_parse_cb, &client)))
4587 /* Should not be able to add duplicates */
4588 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4589 old_add_cb, old_free_cb,
4590 &client, old_parse_cb,
4592 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4593 context, new_add_cb,
4594 new_free_cb, &client,
4595 new_parse_cb, &client)))
4598 /* Create a server side custom extension */
4600 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4601 old_add_cb, old_free_cb,
4602 &server, old_parse_cb,
4606 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4607 new_add_cb, new_free_cb,
4608 &server, new_parse_cb, &server)))
4611 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4612 context, new_add_cb,
4613 new_free_cb, &server,
4614 new_parse_cb, &server)))
4618 /* Should not be able to add duplicates */
4619 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4620 old_add_cb, old_free_cb,
4621 &server, old_parse_cb,
4623 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4624 context, new_add_cb,
4625 new_free_cb, &server,
4626 new_parse_cb, &server)))
4631 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4632 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4636 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4637 &clientssl, NULL, NULL))
4638 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4643 if (clntaddoldcb != 1
4644 || clntparseoldcb != 1
4646 || srvparseoldcb != 1)
4648 } else if (tst == 1 || tst == 2 || tst == 3) {
4649 if (clntaddnewcb != 1
4650 || clntparsenewcb != 1
4652 || srvparsenewcb != 1
4653 || (tst != 2 && snicb != 0)
4654 || (tst == 2 && snicb != 1))
4657 /* In this case there 2 NewSessionTicket messages created */
4658 if (clntaddnewcb != 1
4659 || clntparsenewcb != 5
4661 || srvparsenewcb != 1)
4665 sess = SSL_get1_session(clientssl);
4666 SSL_shutdown(clientssl);
4667 SSL_shutdown(serverssl);
4668 SSL_free(serverssl);
4669 SSL_free(clientssl);
4670 serverssl = clientssl = NULL;
4673 /* We don't bother with the resumption aspects for this test */
4678 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4680 || !TEST_true(SSL_set_session(clientssl, sess))
4681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4686 * For a resumed session we expect to add the ClientHello extension. For the
4687 * old style callbacks we ignore it on the server side because they set
4688 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4692 if (clntaddoldcb != 2
4693 || clntparseoldcb != 1
4695 || srvparseoldcb != 1)
4697 } else if (tst == 1 || tst == 2 || tst == 3) {
4698 if (clntaddnewcb != 2
4699 || clntparsenewcb != 2
4701 || srvparsenewcb != 2)
4705 * No Certificate message extensions in the resumption handshake,
4706 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4708 if (clntaddnewcb != 2
4709 || clntparsenewcb != 8
4711 || srvparsenewcb != 2)
4718 SSL_SESSION_free(sess);
4719 SSL_free(serverssl);
4720 SSL_free(clientssl);
4721 SSL_CTX_free(sctx2);
4728 * Test loading of serverinfo data in various formats. test_sslmessages actually
4729 * tests to make sure the extensions appear in the handshake
4731 static int test_serverinfo(int tst)
4733 unsigned int version;
4734 unsigned char *sibuf;
4736 int ret, expected, testresult = 0;
4739 ctx = SSL_CTX_new(TLS_method());
4743 if ((tst & 0x01) == 0x01)
4744 version = SSL_SERVERINFOV2;
4746 version = SSL_SERVERINFOV1;
4748 if ((tst & 0x02) == 0x02) {
4749 sibuf = serverinfov2;
4750 sibuflen = sizeof(serverinfov2);
4751 expected = (version == SSL_SERVERINFOV2);
4753 sibuf = serverinfov1;
4754 sibuflen = sizeof(serverinfov1);
4755 expected = (version == SSL_SERVERINFOV1);
4758 if ((tst & 0x04) == 0x04) {
4759 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4761 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4764 * The version variable is irrelevant in this case - it's what is in the
4765 * buffer that matters
4767 if ((tst & 0x02) == 0x02)
4773 if (!TEST_true(ret == expected))
4785 * Test that SSL_export_keying_material() produces expected results. There are
4786 * no test vectors so all we do is test that both sides of the communication
4787 * produce the same results for different protocol versions.
4789 #define SMALL_LABEL_LEN 10
4790 #define LONG_LABEL_LEN 249
4791 static int test_export_key_mat(int tst)
4794 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4795 SSL *clientssl = NULL, *serverssl = NULL;
4796 const char label[LONG_LABEL_LEN + 1] = "test label";
4797 const unsigned char context[] = "context";
4798 const unsigned char *emptycontext = NULL;
4799 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4800 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4802 const int protocols[] = {
4811 #ifdef OPENSSL_NO_TLS1
4815 #ifdef OPENSSL_NO_TLS1_1
4819 #ifdef OPENSSL_NO_TLS1_2
4823 #ifdef OPENSSL_NO_TLS1_3
4827 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4829 &sctx, &cctx, cert, privkey)))
4832 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4833 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4834 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4836 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4838 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4844 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4847 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4848 sizeof(ckeymat1), label,
4849 LONG_LABEL_LEN + 1, context,
4850 sizeof(context) - 1, 1), 0))
4855 } else if (tst == 4) {
4856 labellen = LONG_LABEL_LEN;
4858 labellen = SMALL_LABEL_LEN;
4861 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4862 sizeof(ckeymat1), label,
4864 sizeof(context) - 1, 1), 1)
4865 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4866 sizeof(ckeymat2), label,
4870 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4871 sizeof(ckeymat3), label,
4874 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4875 sizeof(skeymat1), label,
4878 sizeof(context) -1, 1),
4880 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4881 sizeof(skeymat2), label,
4885 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4886 sizeof(skeymat3), label,
4890 * Check that both sides created the same key material with the
4893 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4896 * Check that both sides created the same key material with an
4899 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4902 * Check that both sides created the same key material without a
4905 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4907 /* Different contexts should produce different results */
4908 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4913 * Check that an empty context and no context produce different results in
4914 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4916 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4918 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4925 SSL_free(serverssl);
4926 SSL_free(clientssl);
4927 SSL_CTX_free(sctx2);
4934 #ifndef OPENSSL_NO_TLS1_3
4936 * Test that SSL_export_keying_material_early() produces expected
4937 * results. There are no test vectors so all we do is test that both
4938 * sides of the communication produce the same results for different
4939 * protocol versions.
4941 static int test_export_key_mat_early(int idx)
4943 static const char label[] = "test label";
4944 static const unsigned char context[] = "context";
4946 SSL_CTX *cctx = NULL, *sctx = NULL;
4947 SSL *clientssl = NULL, *serverssl = NULL;
4948 SSL_SESSION *sess = NULL;
4949 const unsigned char *emptycontext = NULL;
4950 unsigned char ckeymat1[80], ckeymat2[80];
4951 unsigned char skeymat1[80], skeymat2[80];
4952 unsigned char buf[1];
4953 size_t readbytes, written;
4955 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4959 /* Here writing 0 length early data is enough. */
4960 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4961 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4963 SSL_READ_EARLY_DATA_ERROR)
4964 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4965 SSL_EARLY_DATA_ACCEPTED))
4968 if (!TEST_int_eq(SSL_export_keying_material_early(
4969 clientssl, ckeymat1, sizeof(ckeymat1), label,
4970 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4971 || !TEST_int_eq(SSL_export_keying_material_early(
4972 clientssl, ckeymat2, sizeof(ckeymat2), label,
4973 sizeof(label) - 1, emptycontext, 0), 1)
4974 || !TEST_int_eq(SSL_export_keying_material_early(
4975 serverssl, skeymat1, sizeof(skeymat1), label,
4976 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4977 || !TEST_int_eq(SSL_export_keying_material_early(
4978 serverssl, skeymat2, sizeof(skeymat2), label,
4979 sizeof(label) - 1, emptycontext, 0), 1)
4981 * Check that both sides created the same key material with the
4984 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4987 * Check that both sides created the same key material with an
4990 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4992 /* Different contexts should produce different results */
4993 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5000 SSL_SESSION_free(sess);
5001 SSL_SESSION_free(clientpsk);
5002 SSL_SESSION_free(serverpsk);
5003 clientpsk = serverpsk = NULL;
5004 SSL_free(serverssl);
5005 SSL_free(clientssl);
5012 #define NUM_KEY_UPDATE_MESSAGES 40
5016 static int test_key_update(void)
5018 SSL_CTX *cctx = NULL, *sctx = NULL;
5019 SSL *clientssl = NULL, *serverssl = NULL;
5020 int testresult = 0, i, j;
5022 static char *mess = "A test message";
5024 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5025 TLS_client_method(),
5028 &sctx, &cctx, cert, privkey))
5029 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5031 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5035 for (j = 0; j < 2; j++) {
5036 /* Send lots of KeyUpdate messages */
5037 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5038 if (!TEST_true(SSL_key_update(clientssl,
5040 ? SSL_KEY_UPDATE_NOT_REQUESTED
5041 : SSL_KEY_UPDATE_REQUESTED))
5042 || !TEST_true(SSL_do_handshake(clientssl)))
5046 /* Check that sending and receiving app data is ok */
5047 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5048 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5052 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5053 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5061 SSL_free(serverssl);
5062 SSL_free(clientssl);
5070 * Test we can handle a KeyUpdate (update requested) message while write data
5072 * Test 0: Client sends KeyUpdate while Server is writing
5073 * Test 1: Server sends KeyUpdate while Client is writing
5075 static int test_key_update_in_write(int tst)
5077 SSL_CTX *cctx = NULL, *sctx = NULL;
5078 SSL *clientssl = NULL, *serverssl = NULL;
5081 static char *mess = "A test message";
5082 BIO *bretry = BIO_new(bio_s_always_retry());
5084 SSL *peerupdate = NULL, *peerwrite = NULL;
5086 if (!TEST_ptr(bretry)
5087 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5088 TLS_client_method(),
5091 &sctx, &cctx, cert, privkey))
5092 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5094 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5098 peerupdate = tst == 0 ? clientssl : serverssl;
5099 peerwrite = tst == 0 ? serverssl : clientssl;
5101 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5102 || !TEST_true(SSL_do_handshake(peerupdate)))
5105 /* Swap the writing endpoint's write BIO to force a retry */
5106 tmp = SSL_get_wbio(peerwrite);
5107 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5111 SSL_set0_wbio(peerwrite, bretry);
5114 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5115 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5116 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5119 /* Reinstate the original writing endpoint's write BIO */
5120 SSL_set0_wbio(peerwrite, tmp);
5123 /* Now read some data - we will read the key update */
5124 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5125 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5129 * Complete the write we started previously and read it from the other
5132 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5133 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5136 /* Write more data to ensure we send the KeyUpdate message back */
5137 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5138 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5144 SSL_free(serverssl);
5145 SSL_free(clientssl);
5153 #endif /* OPENSSL_NO_TLS1_3 */
5155 static int test_ssl_clear(int idx)
5157 SSL_CTX *cctx = NULL, *sctx = NULL;
5158 SSL *clientssl = NULL, *serverssl = NULL;
5161 #ifdef OPENSSL_NO_TLS1_2
5166 /* Create an initial connection */
5167 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5169 &sctx, &cctx, cert, privkey))
5171 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5173 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5174 &clientssl, NULL, NULL))
5175 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5179 SSL_shutdown(clientssl);
5180 SSL_shutdown(serverssl);
5181 SSL_free(serverssl);
5184 /* Clear clientssl - we're going to reuse the object */
5185 if (!TEST_true(SSL_clear(clientssl)))
5188 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5190 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5192 || !TEST_true(SSL_session_reused(clientssl)))
5195 SSL_shutdown(clientssl);
5196 SSL_shutdown(serverssl);
5201 SSL_free(serverssl);
5202 SSL_free(clientssl);
5209 /* Parse CH and retrieve any MFL extension value if present */
5210 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5213 unsigned char *data;
5214 PACKET pkt, pkt2, pkt3;
5215 unsigned int MFL_code = 0, type = 0;
5217 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5220 memset(&pkt, 0, sizeof(pkt));
5221 memset(&pkt2, 0, sizeof(pkt2));
5222 memset(&pkt3, 0, sizeof(pkt3));
5224 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5225 /* Skip the record header */
5226 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5227 /* Skip the handshake message header */
5228 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5229 /* Skip client version and random */
5230 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5231 + SSL3_RANDOM_SIZE))
5232 /* Skip session id */
5233 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5235 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5236 /* Skip compression */
5237 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5238 /* Extensions len */
5239 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5242 /* Loop through all extensions */
5243 while (PACKET_remaining(&pkt2)) {
5244 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5245 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5248 if (type == TLSEXT_TYPE_max_fragment_length) {
5249 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5250 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5253 *mfl_codemfl_code = MFL_code;
5262 /* Maximum-Fragment-Length TLS extension mode to test */
5263 static const unsigned char max_fragment_len_test[] = {
5264 TLSEXT_max_fragment_length_512,
5265 TLSEXT_max_fragment_length_1024,
5266 TLSEXT_max_fragment_length_2048,
5267 TLSEXT_max_fragment_length_4096
5270 static int test_max_fragment_len_ext(int idx_tst)
5274 int testresult = 0, MFL_mode = 0;
5277 ctx = SSL_CTX_new(TLS_method());
5281 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5282 ctx, max_fragment_len_test[idx_tst])))
5289 rbio = BIO_new(BIO_s_mem());
5290 wbio = BIO_new(BIO_s_mem());
5291 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5297 SSL_set_bio(con, rbio, wbio);
5298 SSL_set_connect_state(con);
5300 if (!TEST_int_le(SSL_connect(con), 0)) {
5301 /* This shouldn't succeed because we don't have a server! */
5305 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5306 /* no MFL in client hello */
5308 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5320 #ifndef OPENSSL_NO_TLS1_3
5321 static int test_pha_key_update(void)
5323 SSL_CTX *cctx = NULL, *sctx = NULL;
5324 SSL *clientssl = NULL, *serverssl = NULL;
5327 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5329 &sctx, &cctx, cert, privkey)))
5332 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5333 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5334 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5335 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5338 SSL_CTX_set_post_handshake_auth(cctx, 1);
5340 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5344 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5348 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5349 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5352 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5355 /* Start handshake on the server */
5356 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5359 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5360 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5364 SSL_shutdown(clientssl);
5365 SSL_shutdown(serverssl);
5370 SSL_free(serverssl);
5371 SSL_free(clientssl);
5378 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5380 static SRP_VBASE *vbase = NULL;
5382 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5384 int ret = SSL3_AL_FATAL;
5386 SRP_user_pwd *user = NULL;
5388 username = SSL_get_srp_username(s);
5389 if (username == NULL) {
5390 *ad = SSL_AD_INTERNAL_ERROR;
5394 user = SRP_VBASE_get1_by_user(vbase, username);
5396 *ad = SSL_AD_INTERNAL_ERROR;
5400 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5402 *ad = SSL_AD_INTERNAL_ERROR;
5409 SRP_user_pwd_free(user);
5413 static int create_new_vfile(char *userid, char *password, const char *filename)
5416 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5419 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5422 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5425 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5426 &row[DB_srpverifier], NULL, NULL);
5427 if (!TEST_ptr(gNid))
5431 * The only way to create an empty TXT_DB is to provide a BIO with no data
5434 db = TXT_DB_read(dummy, DB_NUMBER);
5438 out = BIO_new_file(filename, "w");
5442 row[DB_srpid] = OPENSSL_strdup(userid);
5443 row[DB_srptype] = OPENSSL_strdup("V");
5444 row[DB_srpgN] = OPENSSL_strdup(gNid);
5446 if (!TEST_ptr(row[DB_srpid])
5447 || !TEST_ptr(row[DB_srptype])
5448 || !TEST_ptr(row[DB_srpgN])
5449 || !TEST_true(TXT_DB_insert(db, row)))
5454 if (!TXT_DB_write(out, db))
5460 for (i = 0; i < DB_NUMBER; i++)
5461 OPENSSL_free(row[i]);
5471 static int create_new_vbase(char *userid, char *password)
5473 BIGNUM *verifier = NULL, *salt = NULL;
5474 const SRP_gN *lgN = NULL;
5475 SRP_user_pwd *user_pwd = NULL;
5478 lgN = SRP_get_default_gN(NULL);
5482 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5486 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5487 if (!TEST_ptr(user_pwd))
5490 user_pwd->N = lgN->N;
5491 user_pwd->g = lgN->g;
5492 user_pwd->id = OPENSSL_strdup(userid);
5493 if (!TEST_ptr(user_pwd->id))
5496 user_pwd->v = verifier;
5498 verifier = salt = NULL;
5500 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5506 SRP_user_pwd_free(user_pwd);
5516 * Test 0: Simple successful SRP connection, new vbase
5517 * Test 1: Connection failure due to bad password, new vbase
5518 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5519 * Test 3: Connection failure due to bad password, vbase loaded from existing
5521 * Test 4: Simple successful SRP connection, vbase loaded from new file
5522 * Test 5: Connection failure due to bad password, vbase loaded from new file
5524 static int test_srp(int tst)
5526 char *userid = "test", *password = "password", *tstsrpfile;
5527 SSL_CTX *cctx = NULL, *sctx = NULL;
5528 SSL *clientssl = NULL, *serverssl = NULL;
5529 int ret, testresult = 0;
5531 vbase = SRP_VBASE_new(NULL);
5532 if (!TEST_ptr(vbase))
5535 if (tst == 0 || tst == 1) {
5536 if (!TEST_true(create_new_vbase(userid, password)))
5539 if (tst == 4 || tst == 5) {
5540 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5542 tstsrpfile = tmpfilename;
5544 tstsrpfile = srpvfile;
5546 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5550 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5552 &sctx, &cctx, cert, privkey)))
5555 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5556 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5557 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5558 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5559 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5563 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5566 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5570 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5574 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5576 if (!TEST_true(tst % 2 == 0))
5579 if (!TEST_true(tst % 2 == 1))
5586 SRP_VBASE_free(vbase);
5588 SSL_free(serverssl);
5589 SSL_free(clientssl);
5597 static int info_cb_failed = 0;
5598 static int info_cb_offset = 0;
5599 static int info_cb_this_state = -1;
5601 static struct info_cb_states_st {
5603 const char *statestr;
5604 } info_cb_states[][60] = {
5606 /* TLSv1.2 server followed by resumption */
5607 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5608 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5609 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5610 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5611 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5612 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5613 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5614 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5615 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5616 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5617 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5618 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5619 {SSL_CB_EXIT, NULL}, {0, NULL},
5621 /* TLSv1.2 client followed by resumption */
5622 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5623 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5624 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5625 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5626 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5627 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5628 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5629 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5630 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5631 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5632 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5633 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5635 /* TLSv1.3 server followed by resumption */
5636 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5637 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5638 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5639 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5640 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5641 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5642 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5643 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5644 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5645 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5646 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5647 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5648 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5650 /* TLSv1.3 client followed by resumption */
5651 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5652 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5653 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5654 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5655 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5656 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5657 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5658 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5659 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5660 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5661 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5662 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5663 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5664 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5665 {SSL_CB_EXIT, NULL}, {0, NULL},
5667 /* TLSv1.3 server, early_data */
5668 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5669 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5670 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5671 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5672 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5673 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5674 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5675 {SSL_CB_EXIT, NULL}, {0, NULL},
5677 /* TLSv1.3 client, early_data */
5678 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5679 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5680 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5681 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5682 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5683 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5684 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5685 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5686 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5692 static void sslapi_info_callback(const SSL *s, int where, int ret)
5694 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5696 /* We do not ever expect a connection to fail in this test */
5697 if (!TEST_false(ret == 0)) {
5703 * Do some sanity checks. We never expect these things to happen in this
5706 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5707 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5708 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5713 /* Now check we're in the right state */
5714 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5718 if ((where & SSL_CB_LOOP) != 0
5719 && !TEST_int_eq(strcmp(SSL_state_string(s),
5720 state[info_cb_this_state].statestr), 0)) {
5726 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5728 if ((where & SSL_CB_HANDSHAKE_DONE)
5729 && SSL_in_init((SSL *)s) != 0) {
5736 * Test the info callback gets called when we expect it to.
5738 * Test 0: TLSv1.2, server
5739 * Test 1: TLSv1.2, client
5740 * Test 2: TLSv1.3, server
5741 * Test 3: TLSv1.3, client
5742 * Test 4: TLSv1.3, server, early_data
5743 * Test 5: TLSv1.3, client, early_data
5745 static int test_info_callback(int tst)
5747 SSL_CTX *cctx = NULL, *sctx = NULL;
5748 SSL *clientssl = NULL, *serverssl = NULL;
5749 SSL_SESSION *clntsess = NULL;
5754 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5755 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5756 || !defined(OPENSSL_NO_DH))
5757 tlsvers = TLS1_2_VERSION;
5762 #ifndef OPENSSL_NO_TLS1_3
5763 tlsvers = TLS1_3_VERSION;
5771 info_cb_this_state = -1;
5772 info_cb_offset = tst;
5774 #ifndef OPENSSL_NO_TLS1_3
5776 SSL_SESSION *sess = NULL;
5777 size_t written, readbytes;
5778 unsigned char buf[80];
5780 /* early_data tests */
5781 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5782 &serverssl, &sess, 0)))
5785 /* We don't actually need this reference */
5786 SSL_SESSION_free(sess);
5788 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5789 sslapi_info_callback);
5791 /* Write and read some early data and then complete the connection */
5792 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5794 || !TEST_size_t_eq(written, strlen(MSG1))
5795 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5796 sizeof(buf), &readbytes),
5797 SSL_READ_EARLY_DATA_SUCCESS)
5798 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5799 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5800 SSL_EARLY_DATA_ACCEPTED)
5801 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5803 || !TEST_false(info_cb_failed))
5811 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5812 TLS_client_method(),
5813 tlsvers, tlsvers, &sctx, &cctx, cert,
5818 * For even numbered tests we check the server callbacks. For odd numbers we
5821 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5822 sslapi_info_callback);
5824 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5825 &clientssl, NULL, NULL))
5826 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5828 || !TEST_false(info_cb_failed))
5833 clntsess = SSL_get1_session(clientssl);
5834 SSL_shutdown(clientssl);
5835 SSL_shutdown(serverssl);
5836 SSL_free(serverssl);
5837 SSL_free(clientssl);
5838 serverssl = clientssl = NULL;
5840 /* Now do a resumption */
5841 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5843 || !TEST_true(SSL_set_session(clientssl, clntsess))
5844 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5846 || !TEST_true(SSL_session_reused(clientssl))
5847 || !TEST_false(info_cb_failed))
5853 SSL_free(serverssl);
5854 SSL_free(clientssl);
5855 SSL_SESSION_free(clntsess);
5861 static int test_ssl_pending(int tst)
5863 SSL_CTX *cctx = NULL, *sctx = NULL;
5864 SSL *clientssl = NULL, *serverssl = NULL;
5866 char msg[] = "A test message";
5868 size_t written, readbytes;
5871 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5872 TLS_client_method(),
5874 &sctx, &cctx, cert, privkey)))
5877 #ifndef OPENSSL_NO_DTLS
5878 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5879 DTLS_client_method(),
5881 &sctx, &cctx, cert, privkey)))
5888 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5890 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5894 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5895 || !TEST_false(SSL_has_pending(clientssl))
5896 || !TEST_int_eq(SSL_pending(serverssl), 0)
5897 || !TEST_false(SSL_has_pending(serverssl))
5898 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5899 || !TEST_size_t_eq(written, sizeof(msg))
5900 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5901 || !TEST_size_t_eq(readbytes, sizeof(buf))
5902 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5903 || !TEST_true(SSL_has_pending(clientssl)))
5909 SSL_free(serverssl);
5910 SSL_free(clientssl);
5918 unsigned int maxprot;
5919 const char *clntciphers;
5920 const char *clnttls13ciphers;
5921 const char *srvrciphers;
5922 const char *srvrtls13ciphers;
5924 } shared_ciphers_data[] = {
5926 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5927 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5929 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5932 "AES128-SHA:AES256-SHA",
5934 "AES256-SHA:DHE-RSA-AES128-SHA",
5940 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5942 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5944 "AES128-SHA:AES256-SHA"
5948 "AES128-SHA:AES256-SHA",
5950 "AES128-SHA:DHE-RSA-AES128-SHA",
5956 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5959 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5960 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5963 "AES128-SHA:AES256-SHA",
5965 "AES256-SHA:AES128-SHA256",
5967 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5968 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5971 #ifndef OPENSSL_NO_TLS1_3
5975 "TLS_AES_256_GCM_SHA384",
5977 "TLS_AES_256_GCM_SHA384",
5978 "TLS_AES_256_GCM_SHA384"
5983 static int test_ssl_get_shared_ciphers(int tst)
5985 SSL_CTX *cctx = NULL, *sctx = NULL;
5986 SSL *clientssl = NULL, *serverssl = NULL;
5990 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5991 TLS_client_method(),
5993 shared_ciphers_data[tst].maxprot,
5994 &sctx, &cctx, cert, privkey)))
5997 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5998 shared_ciphers_data[tst].clntciphers))
5999 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6000 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6001 shared_ciphers_data[tst].clnttls13ciphers)))
6002 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6003 shared_ciphers_data[tst].srvrciphers))
6004 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6005 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6006 shared_ciphers_data[tst].srvrtls13ciphers))))
6010 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6012 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6016 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6017 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6018 TEST_info("Shared ciphers are: %s\n", buf);
6025 SSL_free(serverssl);
6026 SSL_free(clientssl);
6033 static const char *appdata = "Hello World";
6034 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6035 static int tick_key_renew = 0;
6036 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6038 static int gen_tick_cb(SSL *s, void *arg)
6040 gen_tick_called = 1;
6042 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6046 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6047 const unsigned char *keyname,
6048 size_t keyname_length,
6049 SSL_TICKET_STATUS status,
6055 dec_tick_called = 1;
6057 if (status == SSL_TICKET_EMPTY)
6058 return SSL_TICKET_RETURN_IGNORE_RENEW;
6060 if (!TEST_true(status == SSL_TICKET_SUCCESS
6061 || status == SSL_TICKET_SUCCESS_RENEW))
6062 return SSL_TICKET_RETURN_ABORT;
6064 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6066 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6067 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6068 return SSL_TICKET_RETURN_ABORT;
6070 if (tick_key_cb_called) {
6071 /* Don't change what the ticket key callback wanted to do */
6073 case SSL_TICKET_NO_DECRYPT:
6074 return SSL_TICKET_RETURN_IGNORE_RENEW;
6076 case SSL_TICKET_SUCCESS:
6077 return SSL_TICKET_RETURN_USE;
6079 case SSL_TICKET_SUCCESS_RENEW:
6080 return SSL_TICKET_RETURN_USE_RENEW;
6083 return SSL_TICKET_RETURN_ABORT;
6086 return tick_dec_ret;
6090 #ifndef OPENSSL_NO_DEPRECATED_3_0
6091 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6092 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6093 HMAC_CTX *hctx, int enc)
6095 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6096 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6098 tick_key_cb_called = 1;
6099 memset(iv, 0, AES_BLOCK_SIZE);
6100 memset(key_name, 0, 16);
6101 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6102 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
6103 EVP_sha256(), NULL))
6106 return tick_key_renew ? 2 : 1;
6110 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6111 unsigned char iv[EVP_MAX_IV_LENGTH],
6112 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6114 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6115 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6116 OSSL_PARAM params[3];
6118 tick_key_cb_called = 1;
6119 memset(iv, 0, AES_BLOCK_SIZE);
6120 memset(key_name, 0, 16);
6121 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6123 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6125 sizeof(tick_hmac_key));
6126 params[2] = OSSL_PARAM_construct_end();
6127 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6128 || !EVP_MAC_CTX_set_params(hctx, params)
6129 || !EVP_MAC_init(hctx))
6132 return tick_key_renew ? 2 : 1;
6136 * Test the various ticket callbacks
6137 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6138 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6139 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6140 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6141 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6142 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6143 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6144 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6145 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6146 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6147 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6148 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6149 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6150 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6151 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6152 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6154 static int test_ticket_callbacks(int tst)
6156 SSL_CTX *cctx = NULL, *sctx = NULL;
6157 SSL *clientssl = NULL, *serverssl = NULL;
6158 SSL_SESSION *clntsess = NULL;
6161 #ifdef OPENSSL_NO_TLS1_2
6165 #ifdef OPENSSL_NO_TLS1_3
6169 #ifdef OPENSSL_NO_DEPRECATED_3_0
6170 if (tst >= 8 && tst <= 11)
6174 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6176 /* Which tests the ticket key callback should request renewal for */
6177 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6182 /* Which tests the decrypt ticket callback should request renewal for */
6186 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6191 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6196 tick_dec_ret = SSL_TICKET_RETURN_USE;
6201 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6205 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6208 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6209 TLS_client_method(),
6211 ((tst % 2) == 0) ? TLS1_2_VERSION
6213 &sctx, &cctx, cert, privkey)))
6217 * We only want sessions to resume from tickets - not the session cache. So
6218 * switch the cache off.
6220 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6223 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6228 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6230 #ifndef OPENSSL_NO_DEPRECATED_3_0
6231 } else if (tst >= 8) {
6232 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6237 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6239 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6244 * The decrypt ticket key callback in TLSv1.2 should be called even though
6245 * we have no ticket yet, because it gets called with a status of
6246 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6247 * actually send any ticket data). This does not happen in TLSv1.3 because
6248 * it is not valid to send empty ticket data in TLSv1.3.
6250 if (!TEST_int_eq(gen_tick_called, 1)
6251 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6254 gen_tick_called = dec_tick_called = 0;
6256 clntsess = SSL_get1_session(clientssl);
6257 SSL_shutdown(clientssl);
6258 SSL_shutdown(serverssl);
6259 SSL_free(serverssl);
6260 SSL_free(clientssl);
6261 serverssl = clientssl = NULL;
6263 /* Now do a resumption */
6264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6266 || !TEST_true(SSL_set_session(clientssl, clntsess))
6267 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6271 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6272 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6273 if (!TEST_false(SSL_session_reused(clientssl)))
6276 if (!TEST_true(SSL_session_reused(clientssl)))
6280 if (!TEST_int_eq(gen_tick_called,
6282 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6283 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6285 || !TEST_int_eq(dec_tick_called, 1))
6291 SSL_SESSION_free(clntsess);
6292 SSL_free(serverssl);
6293 SSL_free(clientssl);
6301 * Test bi-directional shutdown.
6303 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6304 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6305 * Test 3: TLSv1.3, pending NewSessionTicket messages
6306 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6307 * sends key update, client reads it
6308 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6309 * sends CertificateRequest, client reads and ignores it
6310 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6313 static int test_shutdown(int tst)
6315 SSL_CTX *cctx = NULL, *sctx = NULL;
6316 SSL *clientssl = NULL, *serverssl = NULL;
6318 char msg[] = "A test message";
6320 size_t written, readbytes;
6323 #ifdef OPENSSL_NO_TLS1_2
6327 #ifdef OPENSSL_NO_TLS1_3
6332 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6333 TLS_client_method(),
6335 (tst <= 1) ? TLS1_2_VERSION
6337 &sctx, &cctx, cert, privkey)))
6341 SSL_CTX_set_post_handshake_auth(cctx, 1);
6343 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6348 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6350 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6351 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6353 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6355 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6356 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6360 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6365 * Reading on the server after the client has sent close_notify should
6366 * fail and provide SSL_ERROR_ZERO_RETURN
6368 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6369 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6370 SSL_ERROR_ZERO_RETURN)
6371 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6372 SSL_RECEIVED_SHUTDOWN)
6374 * Even though we're shutdown on receive we should still be
6377 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6380 && !TEST_true(SSL_key_update(serverssl,
6381 SSL_KEY_UPDATE_REQUESTED)))
6384 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6385 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6388 if ((tst == 4 || tst == 5)
6389 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6391 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6393 if (tst == 4 || tst == 5) {
6394 /* Should still be able to read data from server */
6395 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6397 || !TEST_size_t_eq(readbytes, sizeof(msg))
6398 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6399 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6401 || !TEST_size_t_eq(readbytes, sizeof(msg))
6402 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6407 /* Writing on the client after sending close_notify shouldn't be possible */
6408 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6413 * For these tests the client has sent close_notify but it has not yet
6414 * been received by the server. The server has not sent close_notify
6417 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6419 * Writing on the server after sending close_notify shouldn't
6422 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6423 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6424 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6425 || !TEST_true(SSL_SESSION_is_resumable(sess))
6426 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6428 } else if (tst == 4 || tst == 5) {
6430 * In this test the client has sent close_notify and it has been
6431 * received by the server which has responded with a close_notify. The
6432 * client needs to read the close_notify sent by the server.
6434 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6435 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6436 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6442 * The client has sent close_notify and is expecting a close_notify
6443 * back, but instead there is application data first. The shutdown
6444 * should fail with a fatal error.
6446 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6447 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6454 SSL_free(serverssl);
6455 SSL_free(clientssl);
6462 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6463 static int cert_cb_cnt;
6465 static int cert_cb(SSL *s, void *arg)
6467 SSL_CTX *ctx = (SSL_CTX *)arg;
6469 EVP_PKEY *pkey = NULL;
6470 X509 *x509 = NULL, *rootx = NULL;
6471 STACK_OF(X509) *chain = NULL;
6472 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6475 if (cert_cb_cnt == 0) {
6476 /* Suspend the handshake */
6479 } else if (cert_cb_cnt == 1) {
6481 * Update the SSL_CTX, set the certificate and private key and then
6482 * continue the handshake normally.
6484 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6487 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6488 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6490 || !TEST_true(SSL_check_private_key(s)))
6494 } else if (cert_cb_cnt == 3) {
6497 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6498 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6499 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6500 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6502 chain = sk_X509_new_null();
6503 if (!TEST_ptr(chain))
6505 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6506 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6507 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6508 || !TEST_true(sk_X509_push(chain, rootx)))
6512 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6513 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6514 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6517 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6518 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6519 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6521 rv = SSL_check_chain(s, x509, pkey, chain);
6523 * If the cert doesn't show as valid here (e.g., because we don't
6524 * have any shared sigalgs), then we will not set it, and there will
6525 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6526 * will cause tls_choose_sigalgs() to fail the connection.
6528 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6529 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6530 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6537 /* Abort the handshake */
6539 OPENSSL_free(ecdsacert);
6540 OPENSSL_free(ecdsakey);
6541 OPENSSL_free(rootfile);
6543 EVP_PKEY_free(pkey);
6546 sk_X509_pop_free(chain, X509_free);
6551 * Test the certificate callback.
6552 * Test 0: Callback fails
6553 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6554 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6555 * Test 3: Success - Call SSL_check_chain from the callback
6556 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6558 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6560 static int test_cert_cb_int(int prot, int tst)
6562 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6563 SSL *clientssl = NULL, *serverssl = NULL;
6564 int testresult = 0, ret;
6566 #ifdef OPENSSL_NO_EC
6567 /* We use an EC cert in these tests, so we skip in a no-ec build */
6572 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6573 TLS_client_method(),
6576 &sctx, &cctx, NULL, NULL)))
6587 snictx = SSL_CTX_new(TLS_server_method());
6588 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6596 * We cause SSL_check_chain() to fail by specifying sig_algs that
6597 * the chain doesn't meet (the root uses an RSA cert)
6599 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6600 "ecdsa_secp256r1_sha256")))
6602 } else if (tst == 5) {
6604 * We cause SSL_check_chain() to fail by specifying sig_algs that
6605 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6607 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6608 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6612 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6613 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6615 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6622 SSL_free(serverssl);
6623 SSL_free(clientssl);
6626 SSL_CTX_free(snictx);
6632 static int test_cert_cb(int tst)
6636 #ifndef OPENSSL_NO_TLS1_2
6637 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6639 #ifndef OPENSSL_NO_TLS1_3
6640 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6646 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6652 /* Check that SSL_get_peer_certificate() returns something sensible */
6653 peer = SSL_get_peer_certificate(ssl);
6654 if (!TEST_ptr(peer))
6658 in = BIO_new_file(cert, "r");
6662 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6664 if (!TEST_ptr(xcert))
6667 in = BIO_new_file(privkey, "r");
6668 if (!TEST_ptr(in)) {
6673 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6675 if (!TEST_ptr(privpkey)) {
6686 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6691 static int test_client_cert_cb(int tst)
6693 SSL_CTX *cctx = NULL, *sctx = NULL;
6694 SSL *clientssl = NULL, *serverssl = NULL;
6697 #ifdef OPENSSL_NO_TLS1_2
6701 #ifdef OPENSSL_NO_TLS1_3
6706 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6707 TLS_client_method(),
6709 tst == 0 ? TLS1_2_VERSION
6711 &sctx, &cctx, cert, privkey)))
6715 * Test that setting a client_cert_cb results in a client certificate being
6718 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6719 SSL_CTX_set_verify(sctx,
6720 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6723 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6732 SSL_free(serverssl);
6733 SSL_free(clientssl);
6740 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6742 * Test setting certificate authorities on both client and server.
6744 * Test 0: SSL_CTX_set0_CA_list() only
6745 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6746 * Test 2: Only SSL_CTX_set_client_CA_list()
6748 static int test_ca_names_int(int prot, int tst)
6750 SSL_CTX *cctx = NULL, *sctx = NULL;
6751 SSL *clientssl = NULL, *serverssl = NULL;
6754 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6755 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6756 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6757 const STACK_OF(X509_NAME) *sktmp = NULL;
6759 for (i = 0; i < OSSL_NELEM(name); i++) {
6760 name[i] = X509_NAME_new();
6761 if (!TEST_ptr(name[i])
6762 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6770 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6771 TLS_client_method(),
6774 &sctx, &cctx, cert, privkey)))
6777 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6779 if (tst == 0 || tst == 1) {
6780 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6781 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6782 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6783 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6784 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6785 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6788 SSL_CTX_set0_CA_list(sctx, sk1);
6789 SSL_CTX_set0_CA_list(cctx, sk2);
6792 if (tst == 1 || tst == 2) {
6793 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6794 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6795 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6796 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6797 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6798 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6801 SSL_CTX_set_client_CA_list(sctx, sk1);
6802 SSL_CTX_set_client_CA_list(cctx, sk2);
6806 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6808 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6813 * We only expect certificate authorities to have been sent to the server
6814 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6816 sktmp = SSL_get0_peer_CA_list(serverssl);
6817 if (prot == TLS1_3_VERSION
6818 && (tst == 0 || tst == 1)) {
6819 if (!TEST_ptr(sktmp)
6820 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6821 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6823 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6826 } else if (!TEST_ptr_null(sktmp)) {
6831 * In all tests we expect certificate authorities to have been sent to the
6832 * client. However, SSL_set_client_CA_list() should override
6833 * SSL_set0_CA_list()
6835 sktmp = SSL_get0_peer_CA_list(clientssl);
6836 if (!TEST_ptr(sktmp)
6837 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6838 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6839 name[tst == 0 ? 0 : 2]), 0)
6840 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6841 name[tst == 0 ? 1 : 3]), 0))
6847 SSL_free(serverssl);
6848 SSL_free(clientssl);
6851 for (i = 0; i < OSSL_NELEM(name); i++)
6852 X509_NAME_free(name[i]);
6853 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6854 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6860 static int test_ca_names(int tst)
6864 #ifndef OPENSSL_NO_TLS1_2
6865 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6867 #ifndef OPENSSL_NO_TLS1_3
6868 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6874 #ifndef OPENSSL_NO_TLS1_2
6875 static const char *multiblock_cipherlist_data[]=
6883 /* Reduce the fragment size - so the multiblock test buffer can be small */
6884 # define MULTIBLOCK_FRAGSIZE 512
6886 static int test_multiblock_write(int test_index)
6888 static const char *fetchable_ciphers[]=
6890 "AES-128-CBC-HMAC-SHA1",
6891 "AES-128-CBC-HMAC-SHA256",
6892 "AES-256-CBC-HMAC-SHA1",
6893 "AES-256-CBC-HMAC-SHA256"
6895 const char *cipherlist = multiblock_cipherlist_data[test_index];
6896 const SSL_METHOD *smeth = TLS_server_method();
6897 const SSL_METHOD *cmeth = TLS_client_method();
6898 int min_version = TLS1_VERSION;
6899 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
6900 SSL_CTX *cctx = NULL, *sctx = NULL;
6901 SSL *clientssl = NULL, *serverssl = NULL;
6905 * Choose a buffer large enough to perform a multi-block operation
6906 * i.e: write_len >= 4 * frag_size
6907 * 9 * is chosen so that multiple multiblocks are used + some leftover.
6909 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
6910 unsigned char buf[sizeof(msg)], *p = buf;
6911 size_t readbytes, written, len;
6912 EVP_CIPHER *ciph = NULL;
6915 * Check if the cipher exists before attempting to use it since it only has
6916 * a hardware specific implementation.
6918 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
6920 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
6923 EVP_CIPHER_free(ciph);
6925 /* Set up a buffer with some data that will be sent to the client */
6926 RAND_bytes(msg, sizeof(msg));
6928 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
6929 &sctx, &cctx, cert, privkey)))
6932 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
6935 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6939 /* settings to force it to use AES-CBC-HMAC_SHA */
6940 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
6941 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
6944 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
6947 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6948 || !TEST_size_t_eq(written, sizeof(msg)))
6953 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
6958 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
6963 SSL_free(serverssl);
6964 SSL_free(clientssl);
6970 #endif /* OPENSSL_NO_TLS1_2 */
6973 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
6974 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
6975 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
6976 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
6977 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
6978 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
6979 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
6980 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
6981 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
6982 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
6984 static int test_servername(int tst)
6986 SSL_CTX *cctx = NULL, *sctx = NULL;
6987 SSL *clientssl = NULL, *serverssl = NULL;
6989 SSL_SESSION *sess = NULL;
6990 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
6992 #ifdef OPENSSL_NO_TLS1_2
6996 #ifdef OPENSSL_NO_TLS1_3
7001 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
7002 TLS_client_method(),
7004 (tst <= 4) ? TLS1_2_VERSION
7006 &sctx, &cctx, cert, privkey))
7007 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7011 if (tst != 1 && tst != 6) {
7012 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7017 if (tst != 3 && tst != 8) {
7018 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7020 sexpectedhost = cexpectedhost = "goodhost";
7023 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7026 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7028 || !TEST_str_eq(SSL_get_servername(serverssl,
7029 TLSEXT_NAMETYPE_host_name),
7033 /* Now repeat with a resumption handshake */
7035 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7036 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7037 || !TEST_true(SSL_SESSION_is_resumable(sess))
7038 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7041 SSL_free(clientssl);
7042 SSL_free(serverssl);
7043 clientssl = serverssl = NULL;
7045 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7049 if (!TEST_true(SSL_set_session(clientssl, sess)))
7052 sexpectedhost = cexpectedhost = "goodhost";
7053 if (tst == 2 || tst == 7) {
7054 /* Set an inconsistent hostname */
7055 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7058 * In TLSv1.2 we expect the hostname from the original handshake, in
7059 * TLSv1.3 we expect the hostname from this handshake
7062 sexpectedhost = cexpectedhost = "altgoodhost";
7064 if (!TEST_str_eq(SSL_get_servername(clientssl,
7065 TLSEXT_NAMETYPE_host_name),
7068 } else if (tst == 4 || tst == 9) {
7070 * A TLSv1.3 session does not associate a session with a servername,
7071 * but a TLSv1.2 session does.
7074 sexpectedhost = cexpectedhost = NULL;
7076 if (!TEST_str_eq(SSL_get_servername(clientssl,
7077 TLSEXT_NAMETYPE_host_name),
7081 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7084 * In a TLSv1.2 resumption where the hostname was not acknowledged
7085 * we expect the hostname on the server to be empty. On the client we
7086 * return what was requested in this case.
7088 * Similarly if the client didn't set a hostname on an original TLSv1.2
7089 * session but is now, the server hostname will be empty, but the client
7092 if (tst == 1 || tst == 3)
7093 sexpectedhost = NULL;
7095 if (!TEST_str_eq(SSL_get_servername(clientssl,
7096 TLSEXT_NAMETYPE_host_name),
7101 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7104 if (!TEST_true(SSL_session_reused(clientssl))
7105 || !TEST_true(SSL_session_reused(serverssl))
7106 || !TEST_str_eq(SSL_get_servername(clientssl,
7107 TLSEXT_NAMETYPE_host_name),
7109 || !TEST_str_eq(SSL_get_servername(serverssl,
7110 TLSEXT_NAMETYPE_host_name),
7117 SSL_SESSION_free(sess);
7118 SSL_free(serverssl);
7119 SSL_free(clientssl);
7126 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
7128 int setup_tests(void)
7130 if (!test_skip_common_options()) {
7131 TEST_error("Error parsing test options\n");
7135 if (!TEST_ptr(certsdir = test_get_argument(0))
7136 || !TEST_ptr(srpvfile = test_get_argument(1))
7137 || !TEST_ptr(tmpfilename = test_get_argument(2)))
7140 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7141 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7142 TEST_error("not supported in this build");
7145 int i, mcount, rcount, fcount;
7147 for (i = 0; i < 4; i++)
7148 test_export_key_mat(i);
7149 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7150 test_printf_stdout("malloc %d realloc %d free %d\n",
7151 mcount, rcount, fcount);
7156 cert = test_mk_file_path(certsdir, "servercert.pem");
7160 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7161 if (privkey == NULL) {
7166 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7167 && !defined(OPENSSL_NO_SOCK)
7168 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7169 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7170 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7171 ADD_TEST(test_ktls_client_no_txrx_server);
7172 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7173 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7174 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7175 ADD_TEST(test_ktls_client_no_rx_server);
7176 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7177 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7178 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7179 ADD_TEST(test_ktls_client_no_tx_server);
7180 ADD_TEST(test_ktls_no_txrx_client_server);
7181 ADD_TEST(test_ktls_no_rx_client_server);
7182 ADD_TEST(test_ktls_no_tx_client_server);
7183 ADD_TEST(test_ktls_client_server);
7184 ADD_TEST(test_ktls_sendfile);
7186 ADD_TEST(test_large_message_tls);
7187 ADD_TEST(test_large_message_tls_read_ahead);
7188 #ifndef OPENSSL_NO_DTLS
7189 ADD_TEST(test_large_message_dtls);
7191 #ifndef OPENSSL_NO_OCSP
7192 ADD_TEST(test_tlsext_status_type);
7194 ADD_TEST(test_session_with_only_int_cache);
7195 ADD_TEST(test_session_with_only_ext_cache);
7196 ADD_TEST(test_session_with_both_cache);
7197 #ifndef OPENSSL_NO_TLS1_3
7198 ADD_ALL_TESTS(test_stateful_tickets, 3);
7199 ADD_ALL_TESTS(test_stateless_tickets, 3);
7200 ADD_TEST(test_psk_tickets);
7202 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7203 ADD_TEST(test_ssl_bio_pop_next_bio);
7204 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7205 ADD_TEST(test_ssl_bio_change_rbio);
7206 ADD_TEST(test_ssl_bio_change_wbio);
7207 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7208 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7209 ADD_TEST(test_keylog);
7211 #ifndef OPENSSL_NO_TLS1_3
7212 ADD_TEST(test_keylog_no_master_key);
7214 #ifndef OPENSSL_NO_TLS1_2
7215 ADD_TEST(test_client_hello_cb);
7216 ADD_TEST(test_no_ems);
7218 #ifndef OPENSSL_NO_TLS1_3
7219 ADD_ALL_TESTS(test_early_data_read_write, 3);
7221 * We don't do replay tests for external PSK. Replay protection isn't used
7224 ADD_ALL_TESTS(test_early_data_replay, 2);
7225 ADD_ALL_TESTS(test_early_data_skip, 3);
7226 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7227 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7228 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7229 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7230 ADD_ALL_TESTS(test_early_data_psk, 8);
7231 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7232 # ifndef OPENSSL_NO_TLS1_2
7233 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7236 #ifndef OPENSSL_NO_TLS1_3
7237 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7238 ADD_TEST(test_ciphersuite_change);
7239 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7240 # ifdef OPENSSL_NO_PSK
7241 ADD_ALL_TESTS(test_tls13_psk, 1);
7243 ADD_ALL_TESTS(test_tls13_psk, 4);
7244 # endif /* OPENSSL_NO_PSK */
7245 # ifndef OPENSSL_NO_TLS1_2
7246 /* Test with both TLSv1.3 and 1.2 versions */
7247 ADD_ALL_TESTS(test_key_exchange, 14);
7249 /* Test with only TLSv1.3 versions */
7250 ADD_ALL_TESTS(test_key_exchange, 12);
7252 ADD_ALL_TESTS(test_custom_exts, 5);
7253 ADD_TEST(test_stateless);
7254 ADD_TEST(test_pha_key_update);
7256 ADD_ALL_TESTS(test_custom_exts, 3);
7258 ADD_ALL_TESTS(test_serverinfo, 8);
7259 ADD_ALL_TESTS(test_export_key_mat, 6);
7260 #ifndef OPENSSL_NO_TLS1_3
7261 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7262 ADD_TEST(test_key_update);
7263 ADD_ALL_TESTS(test_key_update_in_write, 2);
7265 ADD_ALL_TESTS(test_ssl_clear, 2);
7266 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7267 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7268 ADD_ALL_TESTS(test_srp, 6);
7270 ADD_ALL_TESTS(test_info_callback, 6);
7271 ADD_ALL_TESTS(test_ssl_pending, 2);
7272 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7273 ADD_ALL_TESTS(test_ticket_callbacks, 16);
7274 ADD_ALL_TESTS(test_shutdown, 7);
7275 ADD_ALL_TESTS(test_cert_cb, 6);
7276 ADD_ALL_TESTS(test_client_cert_cb, 2);
7277 ADD_ALL_TESTS(test_ca_names, 3);
7278 #ifndef OPENSSL_NO_TLS1_2
7279 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7281 ADD_ALL_TESTS(test_servername, 10);
7285 void cleanup_tests(void)
7288 OPENSSL_free(privkey);
7289 bio_s_mempacket_test_free();
7290 bio_s_always_retry_free();