2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_numbers.h>
32 #include <openssl/provider.h>
34 #include "ssltestlib.h"
36 #include "testutil/output.h"
37 #include "internal/nelem.h"
38 #include "internal/ktls.h"
39 #include "../ssl/ssl_local.h"
41 /* Defined in filterprov.c */
42 OSSL_provider_init_fn filter_provider_init;
43 int filter_provider_set_filter(int operation, const char *name);
45 /* Defined in tls-provider.c */
46 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
47 const OSSL_DISPATCH *in,
48 const OSSL_DISPATCH **out,
50 DEFINE_STACK_OF(OCSP_RESPID)
52 DEFINE_STACK_OF(X509_NAME)
54 static OPENSSL_CTX *libctx = NULL;
55 static OSSL_PROVIDER *defctxnull = NULL;
57 #ifndef OPENSSL_NO_TLS1_3
59 static SSL_SESSION *clientpsk = NULL;
60 static SSL_SESSION *serverpsk = NULL;
61 static const char *pskid = "Identity";
62 static const char *srvid;
64 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
65 size_t *idlen, SSL_SESSION **sess);
66 static int find_session_cb(SSL *ssl, const unsigned char *identity,
67 size_t identity_len, SSL_SESSION **sess);
69 static int use_session_cb_cnt = 0;
70 static int find_session_cb_cnt = 0;
72 static SSL_SESSION *create_a_psk(SSL *ssl);
75 static char *certsdir = NULL;
76 static char *cert = NULL;
77 static char *privkey = NULL;
78 static char *cert2 = NULL;
79 static char *privkey2 = NULL;
80 static char *srpvfile = NULL;
81 static char *tmpfilename = NULL;
83 static int is_fips = 0;
85 #define LOG_BUFFER_SIZE 2048
86 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
87 static size_t server_log_buffer_index = 0;
88 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
89 static size_t client_log_buffer_index = 0;
90 static int error_writing_log = 0;
92 #ifndef OPENSSL_NO_OCSP
93 static const unsigned char orespder[] = "Dummy OCSP Response";
94 static int ocsp_server_called = 0;
95 static int ocsp_client_called = 0;
97 static int cdummyarg = 1;
98 static X509 *ocspcert = NULL;
101 #define NUM_EXTRA_CERTS 40
102 #define CLIENT_VERSION_LEN 2
105 * This structure is used to validate that the correct number of log messages
106 * of various types are emitted when emitting secret logs.
108 struct sslapitest_log_counts {
109 unsigned int rsa_key_exchange_count;
110 unsigned int master_secret_count;
111 unsigned int client_early_secret_count;
112 unsigned int client_handshake_secret_count;
113 unsigned int server_handshake_secret_count;
114 unsigned int client_application_secret_count;
115 unsigned int server_application_secret_count;
116 unsigned int early_exporter_secret_count;
117 unsigned int exporter_secret_count;
121 static unsigned char serverinfov1[] = {
122 0xff, 0xff, /* Dummy extension type */
123 0x00, 0x01, /* Extension length is 1 byte */
124 0xff /* Dummy extension data */
127 static unsigned char serverinfov2[] = {
129 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
130 0xff, 0xff, /* Dummy extension type */
131 0x00, 0x01, /* Extension length is 1 byte */
132 0xff /* Dummy extension data */
135 static int hostname_cb(SSL *s, int *al, void *arg)
137 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
139 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
140 || strcmp(hostname, "altgoodhost") == 0))
141 return SSL_TLSEXT_ERR_OK;
143 return SSL_TLSEXT_ERR_NOACK;
146 static void client_keylog_callback(const SSL *ssl, const char *line)
148 int line_length = strlen(line);
150 /* If the log doesn't fit, error out. */
151 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
152 TEST_info("Client log too full");
153 error_writing_log = 1;
157 strcat(client_log_buffer, line);
158 client_log_buffer_index += line_length;
159 client_log_buffer[client_log_buffer_index++] = '\n';
162 static void server_keylog_callback(const SSL *ssl, const char *line)
164 int line_length = strlen(line);
166 /* If the log doesn't fit, error out. */
167 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
168 TEST_info("Server log too full");
169 error_writing_log = 1;
173 strcat(server_log_buffer, line);
174 server_log_buffer_index += line_length;
175 server_log_buffer[server_log_buffer_index++] = '\n';
178 static int compare_hex_encoded_buffer(const char *hex_encoded,
186 if (!TEST_size_t_eq(raw_length * 2, hex_length))
189 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
190 sprintf(hexed, "%02x", raw[i]);
191 if (!TEST_int_eq(hexed[0], hex_encoded[j])
192 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
199 static int test_keylog_output(char *buffer, const SSL *ssl,
200 const SSL_SESSION *session,
201 struct sslapitest_log_counts *expected)
204 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
205 size_t client_random_size = SSL3_RANDOM_SIZE;
206 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
207 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
208 unsigned int rsa_key_exchange_count = 0;
209 unsigned int master_secret_count = 0;
210 unsigned int client_early_secret_count = 0;
211 unsigned int client_handshake_secret_count = 0;
212 unsigned int server_handshake_secret_count = 0;
213 unsigned int client_application_secret_count = 0;
214 unsigned int server_application_secret_count = 0;
215 unsigned int early_exporter_secret_count = 0;
216 unsigned int exporter_secret_count = 0;
218 for (token = strtok(buffer, " \n"); token != NULL;
219 token = strtok(NULL, " \n")) {
220 if (strcmp(token, "RSA") == 0) {
222 * Premaster secret. Tokens should be: 16 ASCII bytes of
223 * hex-encoded encrypted secret, then the hex-encoded pre-master
226 if (!TEST_ptr(token = strtok(NULL, " \n")))
228 if (!TEST_size_t_eq(strlen(token), 16))
230 if (!TEST_ptr(token = strtok(NULL, " \n")))
233 * We can't sensibly check the log because the premaster secret is
234 * transient, and OpenSSL doesn't keep hold of it once the master
235 * secret is generated.
237 rsa_key_exchange_count++;
238 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
240 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
241 * client random, then the hex-encoded master secret.
243 client_random_size = SSL_get_client_random(ssl,
244 actual_client_random,
246 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
249 if (!TEST_ptr(token = strtok(NULL, " \n")))
251 if (!TEST_size_t_eq(strlen(token), 64))
253 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
254 actual_client_random,
255 client_random_size)))
258 if (!TEST_ptr(token = strtok(NULL, " \n")))
260 master_key_size = SSL_SESSION_get_master_key(session,
263 if (!TEST_size_t_ne(master_key_size, 0))
265 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 master_secret_count++;
270 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
271 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
272 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
273 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
274 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
275 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
276 || strcmp(token, "EXPORTER_SECRET") == 0) {
278 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
279 * client random, and then the hex-encoded secret. In this case,
280 * we treat all of these secrets identically and then just
281 * distinguish between them when counting what we saw.
283 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
284 client_early_secret_count++;
285 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
286 client_handshake_secret_count++;
287 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
288 server_handshake_secret_count++;
289 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
290 client_application_secret_count++;
291 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
292 server_application_secret_count++;
293 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
294 early_exporter_secret_count++;
295 else if (strcmp(token, "EXPORTER_SECRET") == 0)
296 exporter_secret_count++;
298 client_random_size = SSL_get_client_random(ssl,
299 actual_client_random,
301 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
304 if (!TEST_ptr(token = strtok(NULL, " \n")))
306 if (!TEST_size_t_eq(strlen(token), 64))
308 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
309 actual_client_random,
310 client_random_size)))
313 if (!TEST_ptr(token = strtok(NULL, " \n")))
317 * TODO(TLS1.3): test that application traffic secrets are what
320 TEST_info("Unexpected token %s\n", token);
325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
339 expected->server_application_secret_count)
340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
348 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
349 static int test_keylog(void)
351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
354 struct sslapitest_log_counts expected;
356 /* Clean up logging space */
357 memset(&expected, 0, sizeof(expected));
358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
367 &sctx, &cctx, cert, privkey)))
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
374 /* We also want to ensure that we use RSA-based key exchange. */
375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
401 * Now we want to test that our output data was vaguely sensible. We
402 * do that by using strtok and confirming that we have more or less the
403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see a RSA key exchange.
406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
412 expected.rsa_key_exchange_count = 0;
413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
429 #ifndef OPENSSL_NO_TLS1_3
430 static int test_keylog_no_master_key(void)
432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
434 SSL_SESSION *sess = NULL;
436 struct sslapitest_log_counts expected;
437 unsigned char buf[1];
438 size_t readbytes, written;
440 /* Clean up logging space */
441 memset(&expected, 0, sizeof(expected));
442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
452 SSL3_RT_MAX_PLAIN_LENGTH)))
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
474 || !TEST_false(error_writing_log))
478 * Now we want to test that our output data was vaguely sensible. For this
479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
480 * TLSv1.3, but we do expect both client and server to emit keys.
482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
486 expected.exporter_secret_count = 1;
487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
500 serverssl = clientssl = NULL;
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
520 || !TEST_true(SSL_session_reused(clientssl)))
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
525 expected.early_exporter_secret_count = 1;
526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
536 SSL_SESSION_free(sess);
546 #ifndef OPENSSL_NO_TLS1_2
547 static int full_client_hello_callback(SSL *s, int *al, void *arg)
550 const unsigned char *p;
552 /* We only configure two ciphers, but the SCSV is added automatically. */
554 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
556 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
559 const int expected_extensions[] = {
560 #ifndef OPENSSL_NO_EC
566 /* Make sure we can defer processing and get called back. */
568 return SSL_CLIENT_HELLO_RETRY;
570 len = SSL_client_hello_get0_ciphers(s, &p);
571 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
573 SSL_client_hello_get0_compression_methods(s, &p), 1)
574 || !TEST_int_eq(*p, 0))
575 return SSL_CLIENT_HELLO_ERROR;
576 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
577 return SSL_CLIENT_HELLO_ERROR;
578 if (len != OSSL_NELEM(expected_extensions) ||
579 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
580 printf("ClientHello callback expected extensions mismatch\n");
582 return SSL_CLIENT_HELLO_ERROR;
585 return SSL_CLIENT_HELLO_SUCCESS;
588 static int test_client_hello_cb(void)
590 SSL_CTX *cctx = NULL, *sctx = NULL;
591 SSL *clientssl = NULL, *serverssl = NULL;
592 int testctr = 0, testresult = 0;
594 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
595 TLS_client_method(), TLS1_VERSION, 0,
596 &sctx, &cctx, cert, privkey)))
598 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
600 /* The gimpy cipher list we configure can't do TLS 1.3. */
601 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
603 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
604 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
605 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
606 &clientssl, NULL, NULL))
607 || !TEST_false(create_ssl_connection(serverssl, clientssl,
608 SSL_ERROR_WANT_CLIENT_HELLO_CB))
610 * Passing a -1 literal is a hack since
611 * the real value was lost.
613 || !TEST_int_eq(SSL_get_error(serverssl, -1),
614 SSL_ERROR_WANT_CLIENT_HELLO_CB)
615 || !TEST_true(create_ssl_connection(serverssl, clientssl,
630 static int test_no_ems(void)
632 SSL_CTX *cctx = NULL, *sctx = NULL;
633 SSL *clientssl = NULL, *serverssl = NULL;
636 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
637 TLS1_VERSION, TLS1_2_VERSION,
638 &sctx, &cctx, cert, privkey)) {
639 printf("Unable to create SSL_CTX pair\n");
643 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
645 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
646 printf("Unable to create SSL objects\n");
650 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
651 printf("Creating SSL connection failed\n");
655 if (SSL_get_extms_support(serverssl)) {
656 printf("Server reports Extended Master Secret support\n");
660 if (SSL_get_extms_support(clientssl)) {
661 printf("Client reports Extended Master Secret support\n");
676 * Very focused test to exercise a single case in the server-side state
677 * machine, when the ChangeCipherState message needs to actually change
678 * from one cipher to a different cipher (i.e., not changing from null
679 * encryption to real encryption).
681 static int test_ccs_change_cipher(void)
683 SSL_CTX *cctx = NULL, *sctx = NULL;
684 SSL *clientssl = NULL, *serverssl = NULL;
685 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
692 * Create a conection so we can resume and potentially (but not) use
693 * a different cipher in the second connection.
695 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
697 TLS1_VERSION, TLS1_2_VERSION,
698 &sctx, &cctx, cert, privkey))
699 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
700 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
702 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
703 || !TEST_true(create_ssl_connection(serverssl, clientssl,
705 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
706 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
709 shutdown_ssl_connection(serverssl, clientssl);
710 serverssl = clientssl = NULL;
712 /* Resume, preferring a different cipher. Our server will force the
713 * same cipher to be used as the initial handshake. */
714 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
716 || !TEST_true(SSL_set_session(clientssl, sess))
717 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
718 || !TEST_true(create_ssl_connection(serverssl, clientssl,
720 || !TEST_true(SSL_session_reused(clientssl))
721 || !TEST_true(SSL_session_reused(serverssl))
722 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
723 || !TEST_ptr_eq(sesspre, sesspost)
724 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
725 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
727 shutdown_ssl_connection(serverssl, clientssl);
728 serverssl = clientssl = NULL;
731 * Now create a fresh connection and try to renegotiate a different
734 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
736 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
737 || !TEST_true(create_ssl_connection(serverssl, clientssl,
739 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
740 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
741 || !TEST_true(SSL_renegotiate(clientssl))
742 || !TEST_true(SSL_renegotiate_pending(clientssl)))
744 /* Actually drive the renegotiation. */
745 for (i = 0; i < 3; i++) {
746 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
747 if (!TEST_ulong_eq(readbytes, 0))
749 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
750 SSL_ERROR_WANT_READ)) {
753 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
754 if (!TEST_ulong_eq(readbytes, 0))
756 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
757 SSL_ERROR_WANT_READ)) {
761 /* sesspre and sesspost should be different since the cipher changed. */
762 if (!TEST_false(SSL_renegotiate_pending(clientssl))
763 || !TEST_false(SSL_session_reused(clientssl))
764 || !TEST_false(SSL_session_reused(serverssl))
765 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
766 || !TEST_ptr_ne(sesspre, sesspost)
767 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
768 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
771 shutdown_ssl_connection(serverssl, clientssl);
772 serverssl = clientssl = NULL;
781 SSL_SESSION_free(sess);
787 static int execute_test_large_message(const SSL_METHOD *smeth,
788 const SSL_METHOD *cmeth,
789 int min_version, int max_version,
792 SSL_CTX *cctx = NULL, *sctx = NULL;
793 SSL *clientssl = NULL, *serverssl = NULL;
797 X509 *chaincert = NULL;
800 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
802 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
805 if (!TEST_ptr(chaincert))
808 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
809 max_version, &sctx, &cctx, cert,
815 * Test that read_ahead works correctly when dealing with large
818 SSL_CTX_set_read_ahead(cctx, 1);
822 * We assume the supplied certificate is big enough so that if we add
823 * NUM_EXTRA_CERTS it will make the overall message large enough. The
824 * default buffer size is requested to be 16k, but due to the way BUF_MEM
825 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
826 * test we need to have a message larger than that.
828 certlen = i2d_X509(chaincert, NULL);
829 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
830 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
831 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
832 if (!X509_up_ref(chaincert))
834 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
835 X509_free(chaincert);
840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
842 || !TEST_true(create_ssl_connection(serverssl, clientssl,
847 * Calling SSL_clear() first is not required but this tests that SSL_clear()
850 if (!TEST_true(SSL_clear(serverssl)))
855 X509_free(chaincert);
864 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
865 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
866 #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
867 /* sock must be connected */
868 static int ktls_chk_platform(int sock)
870 if (!ktls_enable(sock))
875 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
877 static char count = 1;
878 unsigned char cbuf[16000] = {0};
879 unsigned char sbuf[16000];
881 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
882 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
883 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
884 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
885 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
886 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
887 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
888 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
891 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
892 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
893 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
894 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
896 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
899 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
900 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
905 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
908 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
909 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
914 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
915 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
916 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
917 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
919 /* verify the payload */
920 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
923 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
924 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
925 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
926 crec_wseq_after, rec_seq_size))
929 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
930 crec_wseq_after, rec_seq_size))
934 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
935 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
936 srec_wseq_after, rec_seq_size))
939 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
940 srec_wseq_after, rec_seq_size))
944 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
945 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
946 crec_rseq_after, rec_seq_size))
949 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
950 crec_rseq_after, rec_seq_size))
954 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
955 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
956 srec_rseq_after, rec_seq_size))
959 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
960 srec_rseq_after, rec_seq_size))
969 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
970 int sis_ktls_tx, int sis_ktls_rx,
971 int tls_version, const char *cipher,
974 SSL_CTX *cctx = NULL, *sctx = NULL;
975 SSL *clientssl = NULL, *serverssl = NULL;
979 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
982 /* Skip this test if the platform does not support ktls */
983 if (!ktls_chk_platform(cfd))
986 /* Create a session based on SHA-256 */
987 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
989 tls_version, tls_version,
990 &sctx, &cctx, cert, privkey))
991 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
992 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
993 &clientssl, sfd, cfd)))
997 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1002 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1007 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1012 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1016 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1021 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1024 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1029 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1032 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1037 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1040 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1045 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1048 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1052 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1059 SSL_shutdown(clientssl);
1060 SSL_free(clientssl);
1063 SSL_shutdown(serverssl);
1064 SSL_free(serverssl);
1068 serverssl = clientssl = NULL;
1072 #define SENDFILE_SZ (16 * 4096)
1073 #define SENDFILE_CHUNK (4 * 4096)
1074 #define min(a,b) ((a) > (b) ? (b) : (a))
1076 static int test_ktls_sendfile(int tls_version, const char *cipher)
1078 SSL_CTX *cctx = NULL, *sctx = NULL;
1079 SSL *clientssl = NULL, *serverssl = NULL;
1080 unsigned char *buf, *buf_dst;
1081 BIO *out = NULL, *in = NULL;
1082 int cfd, sfd, ffd, err;
1083 ssize_t chunk_size = 0;
1084 off_t chunk_off = 0;
1088 buf = OPENSSL_zalloc(SENDFILE_SZ);
1089 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1090 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1091 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1094 /* Skip this test if the platform does not support ktls */
1095 if (!ktls_chk_platform(sfd)) {
1100 /* Create a session based on SHA-256 */
1101 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1102 TLS_client_method(),
1103 tls_version, tls_version,
1104 &sctx, &cctx, cert, privkey))
1105 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1106 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1107 &clientssl, sfd, cfd)))
1110 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1112 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1115 RAND_bytes(buf, SENDFILE_SZ);
1116 out = BIO_new_file(tmpfilename, "wb");
1120 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1125 in = BIO_new_file(tmpfilename, "rb");
1126 BIO_get_fp(in, &ffdp);
1129 while (chunk_off < SENDFILE_SZ) {
1130 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1131 while ((err = SSL_sendfile(serverssl,
1135 0)) != chunk_size) {
1136 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1139 while ((err = SSL_read(clientssl,
1140 buf_dst + chunk_off,
1141 chunk_size)) != chunk_size) {
1142 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1146 /* verify the payload */
1147 if (!TEST_mem_eq(buf_dst + chunk_off,
1153 chunk_off += chunk_size;
1159 SSL_shutdown(clientssl);
1160 SSL_free(clientssl);
1163 SSL_shutdown(serverssl);
1164 SSL_free(serverssl);
1168 serverssl = clientssl = NULL;
1172 OPENSSL_free(buf_dst);
1176 static int test_ktls_no_txrx_client_no_txrx_server(int tlsver)
1180 #ifdef OPENSSL_KTLS_AES_GCM_128
1181 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1182 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1184 #ifdef OPENSSL_KTLS_AES_CCM_128
1185 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1186 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1188 #ifdef OPENSSL_KTLS_AES_GCM_256
1189 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1190 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1195 static int test_ktls_no_rx_client_no_txrx_server(int tlsver)
1199 #ifdef OPENSSL_KTLS_AES_GCM_128
1200 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1201 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1203 #ifdef OPENSSL_KTLS_AES_CCM_128
1204 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1205 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1207 #ifdef OPENSSL_KTLS_AES_GCM_256
1208 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1209 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1214 static int test_ktls_no_tx_client_no_txrx_server(int tlsver)
1218 #ifdef OPENSSL_KTLS_AES_GCM_128
1219 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1220 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1222 #ifdef OPENSSL_KTLS_AES_CCM_128
1223 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1224 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1226 #ifdef OPENSSL_KTLS_AES_GCM_256
1227 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1228 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1233 static int test_ktls_client_no_txrx_server(int tlsver)
1237 #ifdef OPENSSL_KTLS_AES_GCM_128
1238 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1239 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1241 #ifdef OPENSSL_KTLS_AES_CCM_128
1242 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1243 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1245 #ifdef OPENSSL_KTLS_AES_GCM_256
1246 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1247 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1252 static int test_ktls_no_txrx_client_no_rx_server(int tlsver)
1256 #ifdef OPENSSL_KTLS_AES_GCM_128
1257 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1258 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1260 #ifdef OPENSSL_KTLS_AES_CCM_128
1261 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1262 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1264 #ifdef OPENSSL_KTLS_AES_GCM_256
1265 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1266 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1271 static int test_ktls_no_rx_client_no_rx_server(int tlsver)
1275 #ifdef OPENSSL_KTLS_AES_GCM_128
1276 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1277 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1279 #ifdef OPENSSL_KTLS_AES_CCM_128
1280 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1281 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1283 #ifdef OPENSSL_KTLS_AES_GCM_256
1284 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1285 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1290 static int test_ktls_no_tx_client_no_rx_server(int tlsver)
1294 #ifdef OPENSSL_KTLS_AES_GCM_128
1295 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1296 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1298 #ifdef OPENSSL_KTLS_AES_CCM_128
1299 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1300 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1302 #ifdef OPENSSL_KTLS_AES_GCM_256
1303 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1304 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1309 static int test_ktls_client_no_rx_server(int tlsver)
1313 #ifdef OPENSSL_KTLS_AES_GCM_128
1314 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1315 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1317 #ifdef OPENSSL_KTLS_AES_CCM_128
1318 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1319 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1321 #ifdef OPENSSL_KTLS_AES_GCM_256
1322 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1323 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1328 static int test_ktls_no_txrx_client_no_tx_server(int tlsver)
1332 #ifdef OPENSSL_KTLS_AES_GCM_128
1333 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1334 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1336 #ifdef OPENSSL_KTLS_AES_CCM_128
1337 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1338 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1340 #ifdef OPENSSL_KTLS_AES_GCM_256
1341 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1342 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1347 static int test_ktls_no_rx_client_no_tx_server(int tlsver)
1351 #ifdef OPENSSL_KTLS_AES_GCM_128
1352 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1353 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1355 #ifdef OPENSSL_KTLS_AES_CCM_128
1356 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1357 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1359 #ifdef OPENSSL_KTLS_AES_GCM_256
1360 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1361 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1366 static int test_ktls_no_tx_client_no_tx_server(int tlsver)
1370 #ifdef OPENSSL_KTLS_AES_GCM_128
1371 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1372 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1374 #ifdef OPENSSL_KTLS_AES_CCM_128
1375 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1376 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1378 #ifdef OPENSSL_KTLS_AES_GCM_256
1379 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1380 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1385 static int test_ktls_client_no_tx_server(int tlsver)
1389 #ifdef OPENSSL_KTLS_AES_GCM_128
1390 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1391 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1393 #ifdef OPENSSL_KTLS_AES_CCM_128
1394 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1395 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1397 #ifdef OPENSSL_KTLS_AES_GCM_256
1398 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1399 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1404 static int test_ktls_no_txrx_client_server(int tlsver)
1408 #ifdef OPENSSL_KTLS_AES_GCM_128
1409 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1410 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1412 #ifdef OPENSSL_KTLS_AES_CCM_128
1413 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1414 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1416 #ifdef OPENSSL_KTLS_AES_GCM_256
1417 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1418 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1423 static int test_ktls_no_rx_client_server(int tlsver)
1427 #ifdef OPENSSL_KTLS_AES_GCM_128
1428 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1429 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1431 #ifdef OPENSSL_KTLS_AES_CCM_128
1432 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1433 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1435 #ifdef OPENSSL_KTLS_AES_GCM_256
1436 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1437 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1442 static int test_ktls_no_tx_client_server(int tlsver)
1446 #ifdef OPENSSL_KTLS_AES_GCM_128
1447 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1448 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1450 #ifdef OPENSSL_KTLS_AES_CCM_128
1451 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1452 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1454 #ifdef OPENSSL_KTLS_AES_GCM_256
1455 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1456 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1461 static int test_ktls_client_server(int tlsver)
1465 #ifdef OPENSSL_KTLS_AES_GCM_128
1466 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1467 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1469 #ifdef OPENSSL_KTLS_AES_CCM_128
1470 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1471 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1473 #ifdef OPENSSL_KTLS_AES_GCM_256
1474 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1475 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1480 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1481 static int test_ktls(int test)
1486 #if defined(OPENSSL_NO_TLS1_3)
1490 tlsver = TLS1_3_VERSION;
1493 #if defined(OPENSSL_NO_TLS1_2)
1496 tlsver = TLS1_2_VERSION;
1502 return test_ktls_no_txrx_client_no_txrx_server(tlsver);
1504 return test_ktls_no_rx_client_no_txrx_server(tlsver);
1506 return test_ktls_no_tx_client_no_txrx_server(tlsver);
1508 return test_ktls_client_no_txrx_server(tlsver);
1510 return test_ktls_no_txrx_client_no_rx_server(tlsver);
1512 return test_ktls_no_rx_client_no_rx_server(tlsver);
1514 return test_ktls_no_tx_client_no_rx_server(tlsver);
1516 return test_ktls_client_no_rx_server(tlsver);
1518 return test_ktls_no_txrx_client_no_tx_server(tlsver);
1520 return test_ktls_no_rx_client_no_tx_server(tlsver);
1522 return test_ktls_no_tx_client_no_tx_server(tlsver);
1524 return test_ktls_client_no_tx_server(tlsver);
1526 return test_ktls_no_txrx_client_server(tlsver);
1528 return test_ktls_no_rx_client_server(tlsver);
1530 return test_ktls_no_tx_client_server(tlsver);
1532 return test_ktls_client_server(tlsver);
1538 static int test_ktls_sendfile_anytls(int tst)
1540 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM-SHA256","AES256-GCM-SHA384"};
1544 #if defined(OPENSSL_NO_TLS1_3)
1548 tlsver = TLS1_3_VERSION;
1551 #if defined(OPENSSL_NO_TLS1_2)
1554 tlsver = TLS1_2_VERSION;
1558 #ifndef OPENSSL_KTLS_AES_GCM_128
1559 if(tst == 0) return 1;
1561 #ifndef OPENSSL_KTLS_AES_CCM_128
1562 if(tst == 1) return 1;
1564 #ifndef OPENSSL_KTLS_AES_GCM_256
1565 if(tst == 2) return 1;
1567 return test_ktls_sendfile(tlsver, cipher[tst]);
1573 static int test_large_message_tls(void)
1575 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1576 TLS1_VERSION, 0, 0);
1579 static int test_large_message_tls_read_ahead(void)
1581 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1582 TLS1_VERSION, 0, 1);
1585 #ifndef OPENSSL_NO_DTLS
1586 static int test_large_message_dtls(void)
1589 * read_ahead is not relevant to DTLS because DTLS always acts as if
1590 * read_ahead is set.
1592 return execute_test_large_message(DTLS_server_method(),
1593 DTLS_client_method(),
1594 DTLS1_VERSION, 0, 0);
1598 #ifndef OPENSSL_NO_OCSP
1599 static int ocsp_server_cb(SSL *s, void *arg)
1601 int *argi = (int *)arg;
1602 unsigned char *copy = NULL;
1603 STACK_OF(OCSP_RESPID) *ids = NULL;
1604 OCSP_RESPID *id = NULL;
1607 /* In this test we are expecting exactly 1 OCSP_RESPID */
1608 SSL_get_tlsext_status_ids(s, &ids);
1609 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1610 return SSL_TLSEXT_ERR_ALERT_FATAL;
1612 id = sk_OCSP_RESPID_value(ids, 0);
1613 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1614 return SSL_TLSEXT_ERR_ALERT_FATAL;
1615 } else if (*argi != 1) {
1616 return SSL_TLSEXT_ERR_ALERT_FATAL;
1619 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1620 return SSL_TLSEXT_ERR_ALERT_FATAL;
1622 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1623 ocsp_server_called = 1;
1624 return SSL_TLSEXT_ERR_OK;
1627 static int ocsp_client_cb(SSL *s, void *arg)
1629 int *argi = (int *)arg;
1630 const unsigned char *respderin;
1633 if (*argi != 1 && *argi != 2)
1636 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1637 if (!TEST_mem_eq(orespder, len, respderin, len))
1640 ocsp_client_called = 1;
1644 static int test_tlsext_status_type(void)
1646 SSL_CTX *cctx = NULL, *sctx = NULL;
1647 SSL *clientssl = NULL, *serverssl = NULL;
1649 STACK_OF(OCSP_RESPID) *ids = NULL;
1650 OCSP_RESPID *id = NULL;
1651 BIO *certbio = NULL;
1653 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1655 &sctx, &cctx, cert, privkey))
1658 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1661 /* First just do various checks getting and setting tlsext_status_type */
1663 clientssl = SSL_new(cctx);
1664 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1665 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1666 TLSEXT_STATUSTYPE_ocsp))
1667 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1668 TLSEXT_STATUSTYPE_ocsp))
1671 SSL_free(clientssl);
1674 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1675 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1678 clientssl = SSL_new(cctx);
1679 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1681 SSL_free(clientssl);
1685 * Now actually do a handshake and check OCSP information is exchanged and
1686 * the callbacks get called
1688 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1689 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1690 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1691 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1692 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1693 &clientssl, NULL, NULL))
1694 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1696 || !TEST_true(ocsp_client_called)
1697 || !TEST_true(ocsp_server_called))
1699 SSL_free(serverssl);
1700 SSL_free(clientssl);
1704 /* Try again but this time force the server side callback to fail */
1705 ocsp_client_called = 0;
1706 ocsp_server_called = 0;
1708 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1709 &clientssl, NULL, NULL))
1710 /* This should fail because the callback will fail */
1711 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1713 || !TEST_false(ocsp_client_called)
1714 || !TEST_false(ocsp_server_called))
1716 SSL_free(serverssl);
1717 SSL_free(clientssl);
1722 * This time we'll get the client to send an OCSP_RESPID that it will
1725 ocsp_client_called = 0;
1726 ocsp_server_called = 0;
1728 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1729 &clientssl, NULL, NULL)))
1733 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1734 * specific one. We'll use the server cert.
1736 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1737 || !TEST_ptr(id = OCSP_RESPID_new())
1738 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1739 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1741 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1742 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1745 SSL_set_tlsext_status_ids(clientssl, ids);
1746 /* Control has been transferred */
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1754 || !TEST_true(ocsp_client_called)
1755 || !TEST_true(ocsp_server_called))
1761 SSL_free(serverssl);
1762 SSL_free(clientssl);
1765 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1766 OCSP_RESPID_free(id);
1768 X509_free(ocspcert);
1775 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1776 static int new_called, remove_called, get_called;
1778 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1782 * sess has been up-refed for us, but we don't actually need it so free it
1785 SSL_SESSION_free(sess);
1789 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1794 static SSL_SESSION *get_sess_val = NULL;
1796 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1801 return get_sess_val;
1804 static int execute_test_session(int maxprot, int use_int_cache,
1805 int use_ext_cache, long s_options)
1807 SSL_CTX *sctx = NULL, *cctx = NULL;
1808 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1809 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1810 # ifndef OPENSSL_NO_TLS1_1
1811 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1813 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1814 int testresult = 0, numnewsesstick = 1;
1816 new_called = remove_called = 0;
1818 /* TLSv1.3 sends 2 NewSessionTickets */
1819 if (maxprot == TLS1_3_VERSION)
1822 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1823 TLS_client_method(), TLS1_VERSION, 0,
1824 &sctx, &cctx, cert, privkey)))
1828 * Only allow the max protocol version so we can force a connection failure
1831 SSL_CTX_set_min_proto_version(cctx, maxprot);
1832 SSL_CTX_set_max_proto_version(cctx, maxprot);
1834 /* Set up session cache */
1835 if (use_ext_cache) {
1836 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1837 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1839 if (use_int_cache) {
1840 /* Also covers instance where both are set */
1841 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1843 SSL_CTX_set_session_cache_mode(cctx,
1844 SSL_SESS_CACHE_CLIENT
1845 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1849 SSL_CTX_set_options(sctx, s_options);
1852 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1854 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1856 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1859 /* Should fail because it should already be in the cache */
1860 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1863 && (!TEST_int_eq(new_called, numnewsesstick)
1865 || !TEST_int_eq(remove_called, 0)))
1868 new_called = remove_called = 0;
1869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1870 &clientssl2, NULL, NULL))
1871 || !TEST_true(SSL_set_session(clientssl2, sess1))
1872 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1874 || !TEST_true(SSL_session_reused(clientssl2)))
1877 if (maxprot == TLS1_3_VERSION) {
1879 * In TLSv1.3 we should have created a new session even though we have
1880 * resumed. Since we attempted a resume we should also have removed the
1881 * old ticket from the cache so that we try to only use tickets once.
1884 && (!TEST_int_eq(new_called, 1)
1885 || !TEST_int_eq(remove_called, 1)))
1889 * In TLSv1.2 we expect to have resumed so no sessions added or
1893 && (!TEST_int_eq(new_called, 0)
1894 || !TEST_int_eq(remove_called, 0)))
1898 SSL_SESSION_free(sess1);
1899 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1901 shutdown_ssl_connection(serverssl2, clientssl2);
1902 serverssl2 = clientssl2 = NULL;
1904 new_called = remove_called = 0;
1905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1906 &clientssl2, NULL, NULL))
1907 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1911 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1915 && (!TEST_int_eq(new_called, numnewsesstick)
1916 || !TEST_int_eq(remove_called, 0)))
1919 new_called = remove_called = 0;
1921 * This should clear sess2 from the cache because it is a "bad" session.
1922 * See SSL_set_session() documentation.
1924 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1927 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1929 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1932 if (use_int_cache) {
1933 /* Should succeeded because it should not already be in the cache */
1934 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1935 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1939 new_called = remove_called = 0;
1940 /* This shouldn't be in the cache so should fail */
1941 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1945 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1948 # if !defined(OPENSSL_NO_TLS1_1)
1949 new_called = remove_called = 0;
1950 /* Force a connection failure */
1951 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1952 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1953 &clientssl3, NULL, NULL))
1954 || !TEST_true(SSL_set_session(clientssl3, sess1))
1955 /* This should fail because of the mismatched protocol versions */
1956 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1960 /* We should have automatically removed the session from the cache */
1962 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1965 /* Should succeed because it should not already be in the cache */
1966 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1970 /* Now do some tests for server side caching */
1971 if (use_ext_cache) {
1972 SSL_CTX_sess_set_new_cb(cctx, NULL);
1973 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1974 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1975 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1976 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1977 get_sess_val = NULL;
1980 SSL_CTX_set_session_cache_mode(cctx, 0);
1981 /* Internal caching is the default on the server side */
1983 SSL_CTX_set_session_cache_mode(sctx,
1984 SSL_SESS_CACHE_SERVER
1985 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1987 SSL_free(serverssl1);
1988 SSL_free(clientssl1);
1989 serverssl1 = clientssl1 = NULL;
1990 SSL_free(serverssl2);
1991 SSL_free(clientssl2);
1992 serverssl2 = clientssl2 = NULL;
1993 SSL_SESSION_free(sess1);
1995 SSL_SESSION_free(sess2);
1998 SSL_CTX_set_max_proto_version(sctx, maxprot);
1999 if (maxprot == TLS1_2_VERSION)
2000 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2001 new_called = remove_called = get_called = 0;
2002 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2004 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2006 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2007 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2010 if (use_int_cache) {
2011 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2013 * In TLSv1.3 it should not have been added to the internal cache,
2014 * except in the case where we also have an external cache (in that
2015 * case it gets added to the cache in order to generate remove
2016 * events after timeout).
2018 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2021 /* Should fail because it should already be in the cache */
2022 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2027 if (use_ext_cache) {
2028 SSL_SESSION *tmp = sess2;
2030 if (!TEST_int_eq(new_called, numnewsesstick)
2031 || !TEST_int_eq(remove_called, 0)
2032 || !TEST_int_eq(get_called, 0))
2035 * Delete the session from the internal cache to force a lookup from
2036 * the external cache. We take a copy first because
2037 * SSL_CTX_remove_session() also marks the session as non-resumable.
2039 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2040 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2041 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2043 SSL_SESSION_free(sess2);
2048 new_called = remove_called = get_called = 0;
2049 get_sess_val = sess2;
2050 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2051 &clientssl2, NULL, NULL))
2052 || !TEST_true(SSL_set_session(clientssl2, sess1))
2053 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2055 || !TEST_true(SSL_session_reused(clientssl2)))
2058 if (use_ext_cache) {
2059 if (!TEST_int_eq(remove_called, 0))
2062 if (maxprot == TLS1_3_VERSION) {
2063 if (!TEST_int_eq(new_called, 1)
2064 || !TEST_int_eq(get_called, 0))
2067 if (!TEST_int_eq(new_called, 0)
2068 || !TEST_int_eq(get_called, 1))
2076 SSL_free(serverssl1);
2077 SSL_free(clientssl1);
2078 SSL_free(serverssl2);
2079 SSL_free(clientssl2);
2080 # ifndef OPENSSL_NO_TLS1_1
2081 SSL_free(serverssl3);
2082 SSL_free(clientssl3);
2084 SSL_SESSION_free(sess1);
2085 SSL_SESSION_free(sess2);
2091 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2093 static int test_session_with_only_int_cache(void)
2095 #ifndef OPENSSL_NO_TLS1_3
2096 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2100 #ifndef OPENSSL_NO_TLS1_2
2101 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2107 static int test_session_with_only_ext_cache(void)
2109 #ifndef OPENSSL_NO_TLS1_3
2110 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2114 #ifndef OPENSSL_NO_TLS1_2
2115 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2121 static int test_session_with_both_cache(void)
2123 #ifndef OPENSSL_NO_TLS1_3
2124 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2128 #ifndef OPENSSL_NO_TLS1_2
2129 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2135 static int test_session_wo_ca_names(void)
2137 #ifndef OPENSSL_NO_TLS1_3
2138 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2142 #ifndef OPENSSL_NO_TLS1_2
2143 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2150 #ifndef OPENSSL_NO_TLS1_3
2151 static SSL_SESSION *sesscache[6];
2152 static int do_cache;
2154 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2157 sesscache[new_called] = sess;
2159 /* We don't need the reference to the session, so free it */
2160 SSL_SESSION_free(sess);
2167 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2169 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2170 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2173 /* Start handshake on the server and client */
2174 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2175 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2176 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2177 || !TEST_true(create_ssl_connection(sssl, cssl,
2184 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2187 int sess_id_ctx = 1;
2189 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2190 TLS_client_method(), TLS1_VERSION, 0,
2191 sctx, cctx, cert, privkey))
2192 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2193 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2194 (void *)&sess_id_ctx,
2195 sizeof(sess_id_ctx))))
2199 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2201 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2202 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2203 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2208 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2210 SSL *serverssl = NULL, *clientssl = NULL;
2213 /* Test that we can resume with all the tickets we got given */
2214 for (i = 0; i < idx * 2; i++) {
2216 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2217 &clientssl, NULL, NULL))
2218 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2221 SSL_set_post_handshake_auth(clientssl, 1);
2223 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2228 * Following a successful resumption we only get 1 ticket. After a
2229 * failed one we should get idx tickets.
2232 if (!TEST_true(SSL_session_reused(clientssl))
2233 || !TEST_int_eq(new_called, 1))
2236 if (!TEST_false(SSL_session_reused(clientssl))
2237 || !TEST_int_eq(new_called, idx))
2242 /* After a post-handshake authentication we should get 1 new ticket */
2244 && (!post_handshake_verify(serverssl, clientssl)
2245 || !TEST_int_eq(new_called, 1)))
2248 SSL_shutdown(clientssl);
2249 SSL_shutdown(serverssl);
2250 SSL_free(serverssl);
2251 SSL_free(clientssl);
2252 serverssl = clientssl = NULL;
2253 SSL_SESSION_free(sesscache[i]);
2254 sesscache[i] = NULL;
2260 SSL_free(clientssl);
2261 SSL_free(serverssl);
2265 static int test_tickets(int stateful, int idx)
2267 SSL_CTX *sctx = NULL, *cctx = NULL;
2268 SSL *serverssl = NULL, *clientssl = NULL;
2272 /* idx is the test number, but also the number of tickets we want */
2277 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2281 &clientssl, NULL, NULL)))
2284 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2286 /* Check we got the number of tickets we were expecting */
2287 || !TEST_int_eq(idx, new_called))
2290 SSL_shutdown(clientssl);
2291 SSL_shutdown(serverssl);
2292 SSL_free(serverssl);
2293 SSL_free(clientssl);
2296 clientssl = serverssl = NULL;
2300 * Now we try to resume with the tickets we previously created. The
2301 * resumption attempt is expected to fail (because we're now using a new
2302 * SSL_CTX). We should see idx number of tickets issued again.
2305 /* Stop caching sessions - just count them */
2308 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2311 if (!check_resumption(idx, sctx, cctx, 0))
2314 /* Start again with caching sessions */
2321 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2324 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2325 &clientssl, NULL, NULL)))
2328 SSL_set_post_handshake_auth(clientssl, 1);
2330 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2332 /* Check we got the number of tickets we were expecting */
2333 || !TEST_int_eq(idx, new_called))
2336 /* After a post-handshake authentication we should get new tickets issued */
2337 if (!post_handshake_verify(serverssl, clientssl)
2338 || !TEST_int_eq(idx * 2, new_called))
2341 SSL_shutdown(clientssl);
2342 SSL_shutdown(serverssl);
2343 SSL_free(serverssl);
2344 SSL_free(clientssl);
2345 serverssl = clientssl = NULL;
2347 /* Stop caching sessions - just count them */
2351 * Check we can resume with all the tickets we created. This time around the
2352 * resumptions should all be successful.
2354 if (!check_resumption(idx, sctx, cctx, 1))
2360 SSL_free(serverssl);
2361 SSL_free(clientssl);
2362 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2363 SSL_SESSION_free(sesscache[j]);
2364 sesscache[j] = NULL;
2372 static int test_stateless_tickets(int idx)
2374 return test_tickets(0, idx);
2377 static int test_stateful_tickets(int idx)
2379 return test_tickets(1, idx);
2382 static int test_psk_tickets(void)
2384 SSL_CTX *sctx = NULL, *cctx = NULL;
2385 SSL *serverssl = NULL, *clientssl = NULL;
2387 int sess_id_ctx = 1;
2389 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2390 TLS_client_method(), TLS1_VERSION, 0,
2391 &sctx, &cctx, NULL, NULL))
2392 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2393 (void *)&sess_id_ctx,
2394 sizeof(sess_id_ctx))))
2397 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2398 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2399 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2400 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2401 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2402 use_session_cb_cnt = 0;
2403 find_session_cb_cnt = 0;
2407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2410 clientpsk = serverpsk = create_a_psk(clientssl);
2411 if (!TEST_ptr(clientpsk))
2413 SSL_SESSION_up_ref(clientpsk);
2415 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2417 || !TEST_int_eq(1, find_session_cb_cnt)
2418 || !TEST_int_eq(1, use_session_cb_cnt)
2419 /* We should always get 1 ticket when using external PSK */
2420 || !TEST_int_eq(1, new_called))
2426 SSL_free(serverssl);
2427 SSL_free(clientssl);
2430 SSL_SESSION_free(clientpsk);
2431 SSL_SESSION_free(serverpsk);
2432 clientpsk = serverpsk = NULL;
2437 static int test_extra_tickets(int idx)
2439 SSL_CTX *sctx = NULL, *cctx = NULL;
2440 SSL *serverssl = NULL, *clientssl = NULL;
2441 BIO *bretry = BIO_new(bio_s_always_retry());
2446 unsigned char c, buf[1];
2456 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2458 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2459 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2460 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2462 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2463 &clientssl, NULL, NULL)))
2467 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2468 * incremented by both client and server.
2470 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2472 /* Check we got the number of tickets we were expecting */
2473 || !TEST_int_eq(idx * 2, new_called)
2474 || !TEST_true(SSL_new_session_ticket(serverssl))
2475 || !TEST_true(SSL_new_session_ticket(serverssl))
2476 || !TEST_int_eq(idx * 2, new_called))
2479 /* Now try a (real) write to actually send the tickets */
2481 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2482 || !TEST_size_t_eq(1, nbytes)
2483 || !TEST_int_eq(idx * 2 + 2, new_called)
2484 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2485 || !TEST_int_eq(idx * 2 + 4, new_called)
2486 || !TEST_int_eq(sizeof(buf), nbytes)
2487 || !TEST_int_eq(c, buf[0])
2488 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2491 /* Try with only requesting one new ticket, too */
2494 if (!TEST_true(SSL_new_session_ticket(serverssl))
2495 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2496 || !TEST_size_t_eq(sizeof(c), nbytes)
2497 || !TEST_int_eq(1, new_called)
2498 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2499 || !TEST_int_eq(2, new_called)
2500 || !TEST_size_t_eq(sizeof(buf), nbytes)
2501 || !TEST_int_eq(c, buf[0]))
2504 /* Do it again but use dummy writes to drive the ticket generation */
2507 if (!TEST_true(SSL_new_session_ticket(serverssl))
2508 || !TEST_true(SSL_new_session_ticket(serverssl))
2509 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2510 || !TEST_size_t_eq(0, nbytes)
2511 || !TEST_int_eq(2, new_called)
2512 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2513 || !TEST_int_eq(4, new_called))
2517 * Use the always-retry BIO to exercise the logic that forces ticket
2518 * generation to wait until a record boundary.
2522 tmp = SSL_get_wbio(serverssl);
2523 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2527 SSL_set0_wbio(serverssl, bretry);
2529 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2530 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2531 || !TEST_size_t_eq(nbytes, 0))
2533 /* Restore a BIO that will let the write succeed */
2534 SSL_set0_wbio(serverssl, tmp);
2536 /* These calls should just queue the request and not send anything. */
2537 if (!TEST_true(SSL_new_session_ticket(serverssl))
2538 || !TEST_true(SSL_new_session_ticket(serverssl))
2539 || !TEST_int_eq(0, new_called))
2541 /* Re-do the write; still no tickets sent */
2542 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2543 || !TEST_size_t_eq(1, nbytes)
2544 || !TEST_int_eq(0, new_called)
2545 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2546 || !TEST_int_eq(0, new_called)
2547 || !TEST_int_eq(sizeof(buf), nbytes)
2548 || !TEST_int_eq(c, buf[0])
2549 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2551 /* Now the *next* write should send the tickets */
2553 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2554 || !TEST_size_t_eq(1, nbytes)
2555 || !TEST_int_eq(2, new_called)
2556 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2557 || !TEST_int_eq(4, new_called)
2558 || !TEST_int_eq(sizeof(buf), nbytes)
2559 || !TEST_int_eq(c, buf[0])
2560 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2563 SSL_shutdown(clientssl);
2564 SSL_shutdown(serverssl);
2570 SSL_free(serverssl);
2571 SSL_free(clientssl);
2574 clientssl = serverssl = NULL;
2583 #define USE_DEFAULT 3
2585 #define CONNTYPE_CONNECTION_SUCCESS 0
2586 #define CONNTYPE_CONNECTION_FAIL 1
2587 #define CONNTYPE_NO_CONNECTION 2
2589 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2590 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2591 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2592 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2594 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2597 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2598 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2599 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2601 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2618 * Tests calls to SSL_set_bio() under various conditions.
2620 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2621 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2622 * then do more tests where we create a successful connection first using our
2623 * standard connection setup functions, and then call SSL_set_bio() with
2624 * various combinations of valid BIOs or NULL. We then repeat these tests
2625 * following a failed connection. In this last case we are looking to check that
2626 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2628 static int test_ssl_set_bio(int idx)
2630 SSL_CTX *sctx = NULL, *cctx = NULL;
2633 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2634 SSL *serverssl = NULL, *clientssl = NULL;
2635 int initrbio, initwbio, newrbio, newwbio, conntype;
2638 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2646 conntype = CONNTYPE_NO_CONNECTION;
2648 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2649 initrbio = initwbio = USE_DEFAULT;
2657 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2658 TLS_client_method(), TLS1_VERSION, 0,
2659 &sctx, &cctx, cert, privkey)))
2662 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2664 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2665 * because we reduced the number of tests in the definition of
2666 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2667 * mismatched protocol versions we will force a connection failure.
2669 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2670 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2677 if (initrbio == USE_BIO_1
2678 || initwbio == USE_BIO_1
2679 || newrbio == USE_BIO_1
2680 || newwbio == USE_BIO_1) {
2681 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2685 if (initrbio == USE_BIO_2
2686 || initwbio == USE_BIO_2
2687 || newrbio == USE_BIO_2
2688 || newwbio == USE_BIO_2) {
2689 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2693 if (initrbio != USE_DEFAULT) {
2694 setupbio(&irbio, bio1, bio2, initrbio);
2695 setupbio(&iwbio, bio1, bio2, initwbio);
2696 SSL_set_bio(clientssl, irbio, iwbio);
2699 * We want to maintain our own refs to these BIO, so do an up ref for
2700 * each BIO that will have ownership transferred in the SSL_set_bio()
2705 if (iwbio != NULL && iwbio != irbio)
2709 if (conntype != CONNTYPE_NO_CONNECTION
2710 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2712 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2715 setupbio(&nrbio, bio1, bio2, newrbio);
2716 setupbio(&nwbio, bio1, bio2, newwbio);
2719 * We will (maybe) transfer ownership again so do more up refs.
2720 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2725 && (nwbio != iwbio || nrbio != nwbio))
2729 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2732 SSL_set_bio(clientssl, nrbio, nwbio);
2741 * This test is checking that the ref counting for SSL_set_bio is correct.
2742 * If we get here and we did too many frees then we will fail in the above
2745 SSL_free(serverssl);
2746 SSL_free(clientssl);
2752 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2754 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2756 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2761 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2762 || !TEST_ptr(ssl = SSL_new(ctx))
2763 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2764 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2767 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2770 * If anything goes wrong here then we could leak memory.
2772 BIO_push(sslbio, membio1);
2774 /* Verify changing the rbio/wbio directly does not cause leaks */
2775 if (change_bio != NO_BIO_CHANGE) {
2776 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2778 if (change_bio == CHANGE_RBIO)
2779 SSL_set0_rbio(ssl, membio2);
2781 SSL_set0_wbio(ssl, membio2);
2800 static int test_ssl_bio_pop_next_bio(void)
2802 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2805 static int test_ssl_bio_pop_ssl_bio(void)
2807 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2810 static int test_ssl_bio_change_rbio(void)
2812 return execute_test_ssl_bio(0, CHANGE_RBIO);
2815 static int test_ssl_bio_change_wbio(void)
2817 return execute_test_ssl_bio(0, CHANGE_WBIO);
2820 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2822 /* The list of sig algs */
2824 /* The length of the list */
2826 /* A sigalgs list in string format */
2827 const char *liststr;
2828 /* Whether setting the list should succeed */
2830 /* Whether creating a connection with the list should succeed */
2834 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2835 # ifndef OPENSSL_NO_EC
2836 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2837 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2839 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2840 static const int invalidlist2[] = {NID_sha256, NID_undef};
2841 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2842 static const int invalidlist4[] = {NID_sha256};
2843 static const sigalgs_list testsigalgs[] = {
2844 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2845 # ifndef OPENSSL_NO_EC
2846 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2847 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2849 {NULL, 0, "RSA+SHA256", 1, 1},
2850 # ifndef OPENSSL_NO_EC
2851 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2852 {NULL, 0, "ECDSA+SHA512", 1, 0},
2854 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2855 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2856 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2857 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2858 {NULL, 0, "RSA", 0, 0},
2859 {NULL, 0, "SHA256", 0, 0},
2860 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2861 {NULL, 0, "Invalid", 0, 0}
2864 static int test_set_sigalgs(int idx)
2866 SSL_CTX *cctx = NULL, *sctx = NULL;
2867 SSL *clientssl = NULL, *serverssl = NULL;
2869 const sigalgs_list *curr;
2872 /* Should never happen */
2873 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2876 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2877 curr = testctx ? &testsigalgs[idx]
2878 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2880 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2881 TLS_client_method(), TLS1_VERSION, 0,
2882 &sctx, &cctx, cert, privkey)))
2886 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2887 * for TLSv1.2 for now until we add a new API.
2889 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2894 if (curr->list != NULL)
2895 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2897 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2901 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2907 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2912 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2913 &clientssl, NULL, NULL)))
2919 if (curr->list != NULL)
2920 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2922 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2925 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2934 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2942 SSL_free(serverssl);
2943 SSL_free(clientssl);
2951 #ifndef OPENSSL_NO_TLS1_3
2952 static int psk_client_cb_cnt = 0;
2953 static int psk_server_cb_cnt = 0;
2955 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2956 size_t *idlen, SSL_SESSION **sess)
2958 switch (++use_session_cb_cnt) {
2960 /* The first call should always have a NULL md */
2966 /* The second call should always have an md */
2972 /* We should only be called a maximum of twice */
2976 if (clientpsk != NULL)
2977 SSL_SESSION_up_ref(clientpsk);
2980 *id = (const unsigned char *)pskid;
2981 *idlen = strlen(pskid);
2986 #ifndef OPENSSL_NO_PSK
2987 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2988 unsigned int max_id_len,
2990 unsigned int max_psk_len)
2992 unsigned int psklen = 0;
2994 psk_client_cb_cnt++;
2996 if (strlen(pskid) + 1 > max_id_len)
2999 /* We should only ever be called a maximum of twice per connection */
3000 if (psk_client_cb_cnt > 2)
3003 if (clientpsk == NULL)
3006 /* We'll reuse the PSK we set up for TLSv1.3 */
3007 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3009 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3010 strncpy(id, pskid, max_id_len);
3014 #endif /* OPENSSL_NO_PSK */
3016 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3017 size_t identity_len, SSL_SESSION **sess)
3019 find_session_cb_cnt++;
3021 /* We should only ever be called a maximum of twice per connection */
3022 if (find_session_cb_cnt > 2)
3025 if (serverpsk == NULL)
3028 /* Identity should match that set by the client */
3029 if (strlen(srvid) != identity_len
3030 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3031 /* No PSK found, continue but without a PSK */
3036 SSL_SESSION_up_ref(serverpsk);
3042 #ifndef OPENSSL_NO_PSK
3043 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3044 unsigned char *psk, unsigned int max_psk_len)
3046 unsigned int psklen = 0;
3048 psk_server_cb_cnt++;
3050 /* We should only ever be called a maximum of twice per connection */
3051 if (find_session_cb_cnt > 2)
3054 if (serverpsk == NULL)
3057 /* Identity should match that set by the client */
3058 if (strcmp(srvid, identity) != 0) {
3062 /* We'll reuse the PSK we set up for TLSv1.3 */
3063 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3065 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3069 #endif /* OPENSSL_NO_PSK */
3071 #define MSG1 "Hello"
3072 #define MSG2 "World."
3077 #define MSG7 "message."
3079 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3080 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3081 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3082 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3083 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3086 static SSL_SESSION *create_a_psk(SSL *ssl)
3088 const SSL_CIPHER *cipher = NULL;
3089 const unsigned char key[] = {
3090 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3091 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3092 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3093 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3094 0x2c, 0x2d, 0x2e, 0x2f
3096 SSL_SESSION *sess = NULL;
3098 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3099 sess = SSL_SESSION_new();
3101 || !TEST_ptr(cipher)
3102 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3104 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3106 SSL_SESSION_set_protocol_version(sess,
3108 SSL_SESSION_free(sess);
3115 * Helper method to setup objects for early data test. Caller frees objects on
3118 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3119 SSL **serverssl, SSL_SESSION **sess, int idx)
3122 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3123 TLS_client_method(),
3125 sctx, cctx, cert, privkey)))
3128 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3132 /* When idx == 1 we repeat the tests with read_ahead set */
3133 SSL_CTX_set_read_ahead(*cctx, 1);
3134 SSL_CTX_set_read_ahead(*sctx, 1);
3135 } else if (idx == 2) {
3136 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3137 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3138 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3139 use_session_cb_cnt = 0;
3140 find_session_cb_cnt = 0;
3144 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3149 * For one of the run throughs (doesn't matter which one), we'll try sending
3150 * some SNI data in the initial ClientHello. This will be ignored (because
3151 * there is no SNI cb set up by the server), so it should not impact
3155 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3159 clientpsk = create_a_psk(*clientssl);
3160 if (!TEST_ptr(clientpsk)
3162 * We just choose an arbitrary value for max_early_data which
3163 * should be big enough for testing purposes.
3165 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3167 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3168 SSL_SESSION_free(clientpsk);
3172 serverpsk = clientpsk;
3175 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3176 SSL_SESSION_free(clientpsk);
3177 SSL_SESSION_free(serverpsk);
3178 clientpsk = serverpsk = NULL;
3189 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3193 *sess = SSL_get1_session(*clientssl);
3194 SSL_shutdown(*clientssl);
3195 SSL_shutdown(*serverssl);
3196 SSL_free(*serverssl);
3197 SSL_free(*clientssl);
3198 *serverssl = *clientssl = NULL;
3200 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3201 clientssl, NULL, NULL))
3202 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3208 static int test_early_data_read_write(int idx)
3210 SSL_CTX *cctx = NULL, *sctx = NULL;
3211 SSL *clientssl = NULL, *serverssl = NULL;
3213 SSL_SESSION *sess = NULL;
3214 unsigned char buf[20], data[1024];
3215 size_t readbytes, written, eoedlen, rawread, rawwritten;
3218 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3219 &serverssl, &sess, idx)))
3222 /* Write and read some early data */
3223 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3225 || !TEST_size_t_eq(written, strlen(MSG1))
3226 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3227 sizeof(buf), &readbytes),
3228 SSL_READ_EARLY_DATA_SUCCESS)
3229 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3230 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3231 SSL_EARLY_DATA_ACCEPTED))
3235 * Server should be able to write data, and client should be able to
3238 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3240 || !TEST_size_t_eq(written, strlen(MSG2))
3241 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3242 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3245 /* Even after reading normal data, client should be able write early data */
3246 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3248 || !TEST_size_t_eq(written, strlen(MSG3)))
3251 /* Server should still be able read early data after writing data */
3252 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3254 SSL_READ_EARLY_DATA_SUCCESS)
3255 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3258 /* Write more data from server and read it from client */
3259 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3261 || !TEST_size_t_eq(written, strlen(MSG4))
3262 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3263 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3267 * If client writes normal data it should mean writing early data is no
3270 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3271 || !TEST_size_t_eq(written, strlen(MSG5))
3272 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3273 SSL_EARLY_DATA_ACCEPTED))
3277 * At this point the client has written EndOfEarlyData, ClientFinished and
3278 * normal (fully protected) data. We are going to cause a delay between the
3279 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3280 * in the read BIO, and then just put back the EndOfEarlyData message.
3282 rbio = SSL_get_rbio(serverssl);
3283 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3284 || !TEST_size_t_lt(rawread, sizeof(data))
3285 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3288 /* Record length is in the 4th and 5th bytes of the record header */
3289 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3290 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3291 || !TEST_size_t_eq(rawwritten, eoedlen))
3294 /* Server should be told that there is no more early data */
3295 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3297 SSL_READ_EARLY_DATA_FINISH)
3298 || !TEST_size_t_eq(readbytes, 0))
3302 * Server has not finished init yet, so should still be able to write early
3305 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3307 || !TEST_size_t_eq(written, strlen(MSG6)))
3310 /* Push the ClientFinished and the normal data back into the server rbio */
3311 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3313 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3316 /* Server should be able to read normal data */
3317 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3318 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3321 /* Client and server should not be able to write/read early data now */
3322 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3326 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3328 SSL_READ_EARLY_DATA_ERROR))
3332 /* Client should be able to read the data sent by the server */
3333 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3334 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3338 * Make sure we process the two NewSessionTickets. These arrive
3339 * post-handshake. We attempt reads which we do not expect to return any
3342 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3343 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3347 /* Server should be able to write normal data */
3348 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3349 || !TEST_size_t_eq(written, strlen(MSG7))
3350 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3351 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3354 SSL_SESSION_free(sess);
3355 sess = SSL_get1_session(clientssl);
3356 use_session_cb_cnt = 0;
3357 find_session_cb_cnt = 0;
3359 SSL_shutdown(clientssl);
3360 SSL_shutdown(serverssl);
3361 SSL_free(serverssl);
3362 SSL_free(clientssl);
3363 serverssl = clientssl = NULL;
3364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3365 &clientssl, NULL, NULL))
3366 || !TEST_true(SSL_set_session(clientssl, sess)))
3369 /* Write and read some early data */
3370 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3372 || !TEST_size_t_eq(written, strlen(MSG1))
3373 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3375 SSL_READ_EARLY_DATA_SUCCESS)
3376 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3379 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3380 || !TEST_int_gt(SSL_accept(serverssl), 0))
3383 /* Client and server should not be able to write/read early data now */
3384 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3388 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3390 SSL_READ_EARLY_DATA_ERROR))
3394 /* Client and server should be able to write/read normal data */
3395 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3396 || !TEST_size_t_eq(written, strlen(MSG5))
3397 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3398 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3404 SSL_SESSION_free(sess);
3405 SSL_SESSION_free(clientpsk);
3406 SSL_SESSION_free(serverpsk);
3407 clientpsk = serverpsk = NULL;
3408 SSL_free(serverssl);
3409 SSL_free(clientssl);
3415 static int allow_ed_cb_called = 0;
3417 static int allow_early_data_cb(SSL *s, void *arg)
3419 int *usecb = (int *)arg;
3421 allow_ed_cb_called++;
3430 * idx == 0: Standard early_data setup
3431 * idx == 1: early_data setup using read_ahead
3432 * usecb == 0: Don't use a custom early data callback
3433 * usecb == 1: Use a custom early data callback and reject the early data
3434 * usecb == 2: Use a custom early data callback and accept the early data
3435 * confopt == 0: Configure anti-replay directly
3436 * confopt == 1: Configure anti-replay using SSL_CONF
3438 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3440 SSL_CTX *cctx = NULL, *sctx = NULL;
3441 SSL *clientssl = NULL, *serverssl = NULL;
3443 SSL_SESSION *sess = NULL;
3444 size_t readbytes, written;
3445 unsigned char buf[20];
3447 allow_ed_cb_called = 0;
3449 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3450 TLS_client_method(), TLS1_VERSION, 0,
3451 &sctx, &cctx, cert, privkey)))
3456 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3458 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3460 if (!TEST_ptr(confctx))
3462 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3463 | SSL_CONF_FLAG_SERVER);
3464 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3465 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3467 SSL_CONF_CTX_free(confctx);
3470 SSL_CONF_CTX_free(confctx);
3472 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3475 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3476 &serverssl, &sess, idx)))
3480 * The server is configured to accept early data. Create a connection to
3481 * "use up" the ticket
3483 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3484 || !TEST_true(SSL_session_reused(clientssl)))
3487 SSL_shutdown(clientssl);
3488 SSL_shutdown(serverssl);
3489 SSL_free(serverssl);
3490 SSL_free(clientssl);
3491 serverssl = clientssl = NULL;
3493 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3494 &clientssl, NULL, NULL))
3495 || !TEST_true(SSL_set_session(clientssl, sess)))
3498 /* Write and read some early data */
3499 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3501 || !TEST_size_t_eq(written, strlen(MSG1)))
3505 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3507 SSL_READ_EARLY_DATA_FINISH)
3509 * The ticket was reused, so the we should have rejected the
3512 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3513 SSL_EARLY_DATA_REJECTED))
3516 /* In this case the callback decides to accept the early data */
3517 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3519 SSL_READ_EARLY_DATA_SUCCESS)
3520 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3522 * Server will have sent its flight so client can now send
3523 * end of early data and complete its half of the handshake
3525 || !TEST_int_gt(SSL_connect(clientssl), 0)
3526 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3528 SSL_READ_EARLY_DATA_FINISH)
3529 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3530 SSL_EARLY_DATA_ACCEPTED))
3534 /* Complete the connection */
3535 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3536 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3537 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3543 SSL_SESSION_free(sess);
3544 SSL_SESSION_free(clientpsk);
3545 SSL_SESSION_free(serverpsk);
3546 clientpsk = serverpsk = NULL;
3547 SSL_free(serverssl);
3548 SSL_free(clientssl);
3554 static int test_early_data_replay(int idx)
3556 int ret = 1, usecb, confopt;
3558 for (usecb = 0; usecb < 3; usecb++) {
3559 for (confopt = 0; confopt < 2; confopt++)
3560 ret &= test_early_data_replay_int(idx, usecb, confopt);
3567 * Helper function to test that a server attempting to read early data can
3568 * handle a connection from a client where the early data should be skipped.
3569 * testtype: 0 == No HRR
3570 * testtype: 1 == HRR
3571 * testtype: 2 == HRR, invalid early_data sent after HRR
3572 * testtype: 3 == recv_max_early_data set to 0
3574 static int early_data_skip_helper(int testtype, int idx)
3576 SSL_CTX *cctx = NULL, *sctx = NULL;
3577 SSL *clientssl = NULL, *serverssl = NULL;
3579 SSL_SESSION *sess = NULL;
3580 unsigned char buf[20];
3581 size_t readbytes, written;
3583 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3584 &serverssl, &sess, idx)))
3587 if (testtype == 1 || testtype == 2) {
3588 /* Force an HRR to occur */
3589 #if defined(OPENSSL_NO_EC)
3590 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3593 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3596 } else if (idx == 2) {
3598 * We force early_data rejection by ensuring the PSK identity is
3601 srvid = "Dummy Identity";
3604 * Deliberately corrupt the creation time. We take 20 seconds off the
3605 * time. It could be any value as long as it is not within tolerance.
3606 * This should mean the ticket is rejected.
3608 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3613 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3616 /* Write some early data */
3617 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3619 || !TEST_size_t_eq(written, strlen(MSG1)))
3622 /* Server should reject the early data */
3623 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3625 SSL_READ_EARLY_DATA_FINISH)
3626 || !TEST_size_t_eq(readbytes, 0)
3627 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3628 SSL_EARLY_DATA_REJECTED))
3638 * Finish off the handshake. We perform the same writes and reads as
3639 * further down but we expect them to fail due to the incomplete
3642 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3643 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3650 BIO *wbio = SSL_get_wbio(clientssl);
3651 /* A record that will appear as bad early_data */
3652 const unsigned char bad_early_data[] = {
3653 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3657 * We force the client to attempt a write. This will fail because
3658 * we're still in the handshake. It will cause the second
3659 * ClientHello to be sent.
3661 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3666 * Inject some early_data after the second ClientHello. This should
3667 * cause the server to fail
3669 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3670 sizeof(bad_early_data), &written)))
3677 * This client has sent more early_data than we are willing to skip
3678 * (case 3) or sent invalid early_data (case 2) so the connection should
3681 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3682 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3685 /* Connection has failed - nothing more to do */
3690 TEST_error("Invalid test type");
3695 * Should be able to send normal data despite rejection of early data. The
3696 * early_data should be skipped.
3698 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3699 || !TEST_size_t_eq(written, strlen(MSG2))
3700 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3701 SSL_EARLY_DATA_REJECTED)
3702 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3703 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3709 SSL_SESSION_free(clientpsk);
3710 SSL_SESSION_free(serverpsk);
3711 clientpsk = serverpsk = NULL;
3712 SSL_SESSION_free(sess);
3713 SSL_free(serverssl);
3714 SSL_free(clientssl);
3721 * Test that a server attempting to read early data can handle a connection
3722 * from a client where the early data is not acceptable.
3724 static int test_early_data_skip(int idx)
3726 return early_data_skip_helper(0, idx);
3730 * Test that a server attempting to read early data can handle a connection
3731 * from a client where an HRR occurs.
3733 static int test_early_data_skip_hrr(int idx)
3735 return early_data_skip_helper(1, idx);
3739 * Test that a server attempting to read early data can handle a connection
3740 * from a client where an HRR occurs and correctly fails if early_data is sent
3743 static int test_early_data_skip_hrr_fail(int idx)
3745 return early_data_skip_helper(2, idx);
3749 * Test that a server attempting to read early data will abort if it tries to
3750 * skip over too much.
3752 static int test_early_data_skip_abort(int idx)
3754 return early_data_skip_helper(3, idx);
3758 * Test that a server attempting to read early data can handle a connection
3759 * from a client that doesn't send any.
3761 static int test_early_data_not_sent(int idx)
3763 SSL_CTX *cctx = NULL, *sctx = NULL;
3764 SSL *clientssl = NULL, *serverssl = NULL;
3766 SSL_SESSION *sess = NULL;
3767 unsigned char buf[20];
3768 size_t readbytes, written;
3770 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3771 &serverssl, &sess, idx)))
3774 /* Write some data - should block due to handshake with server */
3775 SSL_set_connect_state(clientssl);
3776 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3779 /* Server should detect that early data has not been sent */
3780 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3782 SSL_READ_EARLY_DATA_FINISH)
3783 || !TEST_size_t_eq(readbytes, 0)
3784 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3785 SSL_EARLY_DATA_NOT_SENT)
3786 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3787 SSL_EARLY_DATA_NOT_SENT))
3790 /* Continue writing the message we started earlier */
3791 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3792 || !TEST_size_t_eq(written, strlen(MSG1))
3793 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3794 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3795 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3796 || !TEST_size_t_eq(written, strlen(MSG2)))
3799 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3800 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3806 SSL_SESSION_free(sess);
3807 SSL_SESSION_free(clientpsk);
3808 SSL_SESSION_free(serverpsk);
3809 clientpsk = serverpsk = NULL;
3810 SSL_free(serverssl);
3811 SSL_free(clientssl);
3817 static const char *servalpn;
3819 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3820 unsigned char *outlen, const unsigned char *in,
3821 unsigned int inlen, void *arg)
3823 unsigned int protlen = 0;
3824 const unsigned char *prot;
3826 for (prot = in; prot < in + inlen; prot += protlen) {
3828 if (in + inlen < prot + protlen)
3829 return SSL_TLSEXT_ERR_NOACK;
3831 if (protlen == strlen(servalpn)
3832 && memcmp(prot, servalpn, protlen) == 0) {
3835 return SSL_TLSEXT_ERR_OK;
3839 return SSL_TLSEXT_ERR_NOACK;
3842 /* Test that a PSK can be used to send early_data */
3843 static int test_early_data_psk(int idx)
3845 SSL_CTX *cctx = NULL, *sctx = NULL;
3846 SSL *clientssl = NULL, *serverssl = NULL;
3848 SSL_SESSION *sess = NULL;
3849 unsigned char alpnlist[] = {
3850 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3853 #define GOODALPNLEN 9
3854 #define BADALPNLEN 8
3855 #define GOODALPN (alpnlist)
3856 #define BADALPN (alpnlist + GOODALPNLEN)
3858 unsigned char buf[20];
3859 size_t readbytes, written;
3860 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3861 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3863 /* We always set this up with a final parameter of "2" for PSK */
3864 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3865 &serverssl, &sess, 2)))
3868 servalpn = "goodalpn";
3871 * Note: There is no test for inconsistent SNI with late client detection.
3872 * This is because servers do not acknowledge SNI even if they are using
3873 * it in a resumption handshake - so it is not actually possible for a
3874 * client to detect a problem.
3878 /* Set inconsistent SNI (early client detection) */
3879 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3880 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3881 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3886 /* Set inconsistent ALPN (early client detection) */
3887 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3888 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3889 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3891 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3898 * Set invalid protocol version. Technically this affects PSKs without
3899 * early_data too, but we test it here because it is similar to the
3900 * SNI/ALPN consistency tests.
3902 err = SSL_R_BAD_PSK;
3903 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3909 * Set inconsistent SNI (server side). In this case the connection
3910 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3911 * is associated with each handshake - not the session. Therefore it
3912 * should not matter that we used a different server name last time.
3914 SSL_SESSION_free(serverpsk);
3915 serverpsk = SSL_SESSION_dup(clientpsk);
3916 if (!TEST_ptr(serverpsk)
3917 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3921 /* Set consistent SNI */
3922 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3923 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3924 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3931 * Set inconsistent ALPN (server detected). In this case the connection
3932 * will succeed but reject early_data.
3934 servalpn = "badalpn";
3935 edstatus = SSL_EARLY_DATA_REJECTED;
3936 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3940 * Set consistent ALPN.
3941 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3942 * accepts a list of protos (each one length prefixed).
3943 * SSL_set1_alpn_selected accepts a single protocol (not length
3946 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3948 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3952 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3956 /* Set inconsistent ALPN (late client detection) */
3957 SSL_SESSION_free(serverpsk);
3958 serverpsk = SSL_SESSION_dup(clientpsk);
3959 if (!TEST_ptr(serverpsk)
3960 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3963 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3966 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3969 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3970 edstatus = SSL_EARLY_DATA_ACCEPTED;
3971 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3972 /* SSL_connect() call should fail */
3977 TEST_error("Bad test index");
3981 SSL_set_connect_state(clientssl);
3983 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3985 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3986 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3989 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3993 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3994 &readbytes), readearlyres)
3995 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3996 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3997 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3998 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4005 SSL_SESSION_free(sess);
4006 SSL_SESSION_free(clientpsk);
4007 SSL_SESSION_free(serverpsk);
4008 clientpsk = serverpsk = NULL;
4009 SSL_free(serverssl);
4010 SSL_free(clientssl);
4017 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4018 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4019 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4020 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4021 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4022 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4024 static int test_early_data_psk_with_all_ciphers(int idx)
4026 SSL_CTX *cctx = NULL, *sctx = NULL;
4027 SSL *clientssl = NULL, *serverssl = NULL;
4029 SSL_SESSION *sess = NULL;
4030 unsigned char buf[20];
4031 size_t readbytes, written;
4032 const SSL_CIPHER *cipher;
4033 const char *cipher_str[] = {
4034 TLS1_3_RFC_AES_128_GCM_SHA256,
4035 TLS1_3_RFC_AES_256_GCM_SHA384,
4036 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4037 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4041 TLS1_3_RFC_AES_128_CCM_SHA256,
4042 TLS1_3_RFC_AES_128_CCM_8_SHA256
4044 const unsigned char *cipher_bytes[] = {
4045 TLS13_AES_128_GCM_SHA256_BYTES,
4046 TLS13_AES_256_GCM_SHA384_BYTES,
4047 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4048 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4052 TLS13_AES_128_CCM_SHA256_BYTES,
4053 TLS13_AES_128_CCM_8_SHA256_BYTES
4056 if (cipher_str[idx] == NULL)
4058 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4059 if (idx == 2 && is_fips == 1)
4062 /* We always set this up with a final parameter of "2" for PSK */
4063 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4064 &serverssl, &sess, 2)))
4067 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4068 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4072 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4073 * and assigns to both client and server with incremented reference
4074 * and the same instance is updated in 'sess'.
4075 * So updating ciphersuite in 'sess' which will get reflected in
4076 * PSK handshake using psk use sess and find sess cb.
4078 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4079 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4082 SSL_set_connect_state(clientssl);
4083 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4087 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4089 SSL_READ_EARLY_DATA_SUCCESS)
4090 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4091 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4092 SSL_EARLY_DATA_ACCEPTED)
4093 || !TEST_int_eq(SSL_connect(clientssl), 1)
4094 || !TEST_int_eq(SSL_accept(serverssl), 1))
4097 /* Send some normal data from client to server */
4098 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4099 || !TEST_size_t_eq(written, strlen(MSG2)))
4102 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4103 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4108 SSL_SESSION_free(sess);
4109 SSL_SESSION_free(clientpsk);
4110 SSL_SESSION_free(serverpsk);
4111 clientpsk = serverpsk = NULL;
4112 if (clientssl != NULL)
4113 SSL_shutdown(clientssl);
4114 if (serverssl != NULL)
4115 SSL_shutdown(serverssl);
4116 SSL_free(serverssl);
4117 SSL_free(clientssl);
4124 * Test that a server that doesn't try to read early data can handle a
4125 * client sending some.
4127 static int test_early_data_not_expected(int idx)
4129 SSL_CTX *cctx = NULL, *sctx = NULL;
4130 SSL *clientssl = NULL, *serverssl = NULL;
4132 SSL_SESSION *sess = NULL;
4133 unsigned char buf[20];
4134 size_t readbytes, written;
4136 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4137 &serverssl, &sess, idx)))
4140 /* Write some early data */
4141 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4146 * Server should skip over early data and then block waiting for client to
4147 * continue handshake
4149 if (!TEST_int_le(SSL_accept(serverssl), 0)
4150 || !TEST_int_gt(SSL_connect(clientssl), 0)
4151 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4152 SSL_EARLY_DATA_REJECTED)
4153 || !TEST_int_gt(SSL_accept(serverssl), 0)
4154 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4155 SSL_EARLY_DATA_REJECTED))
4158 /* Send some normal data from client to server */
4159 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4160 || !TEST_size_t_eq(written, strlen(MSG2)))
4163 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4164 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4170 SSL_SESSION_free(sess);
4171 SSL_SESSION_free(clientpsk);
4172 SSL_SESSION_free(serverpsk);
4173 clientpsk = serverpsk = NULL;
4174 SSL_free(serverssl);
4175 SSL_free(clientssl);
4182 # ifndef OPENSSL_NO_TLS1_2
4184 * Test that a server attempting to read early data can handle a connection
4185 * from a TLSv1.2 client.
4187 static int test_early_data_tls1_2(int idx)
4189 SSL_CTX *cctx = NULL, *sctx = NULL;
4190 SSL *clientssl = NULL, *serverssl = NULL;
4192 unsigned char buf[20];
4193 size_t readbytes, written;
4195 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4196 &serverssl, NULL, idx)))
4199 /* Write some data - should block due to handshake with server */
4200 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4201 SSL_set_connect_state(clientssl);
4202 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4206 * Server should do TLSv1.2 handshake. First it will block waiting for more
4207 * messages from client after ServerDone. Then SSL_read_early_data should
4208 * finish and detect that early data has not been sent
4210 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4212 SSL_READ_EARLY_DATA_ERROR))
4216 * Continue writing the message we started earlier. Will still block waiting
4217 * for the CCS/Finished from server
4219 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4220 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4222 SSL_READ_EARLY_DATA_FINISH)
4223 || !TEST_size_t_eq(readbytes, 0)
4224 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4225 SSL_EARLY_DATA_NOT_SENT))
4228 /* Continue writing the message we started earlier */
4229 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4230 || !TEST_size_t_eq(written, strlen(MSG1))
4231 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4232 SSL_EARLY_DATA_NOT_SENT)
4233 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4234 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4235 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4236 || !TEST_size_t_eq(written, strlen(MSG2))
4237 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4238 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4244 SSL_SESSION_free(clientpsk);
4245 SSL_SESSION_free(serverpsk);
4246 clientpsk = serverpsk = NULL;
4247 SSL_free(serverssl);
4248 SSL_free(clientssl);
4254 # endif /* OPENSSL_NO_TLS1_2 */
4257 * Test configuring the TLSv1.3 ciphersuites
4259 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4260 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4261 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4262 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4263 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4264 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4265 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4266 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4267 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4268 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4270 static int test_set_ciphersuite(int idx)
4272 SSL_CTX *cctx = NULL, *sctx = NULL;
4273 SSL *clientssl = NULL, *serverssl = NULL;
4276 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4277 TLS_client_method(), TLS1_VERSION, 0,
4278 &sctx, &cctx, cert, privkey))
4279 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4280 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4283 if (idx >=4 && idx <= 7) {
4284 /* SSL_CTX explicit cipher list */
4285 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4289 if (idx == 0 || idx == 4) {
4290 /* Default ciphersuite */
4291 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4292 "TLS_AES_128_GCM_SHA256")))
4294 } else if (idx == 1 || idx == 5) {
4295 /* Non default ciphersuite */
4296 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4297 "TLS_AES_128_CCM_SHA256")))
4301 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4302 &clientssl, NULL, NULL)))
4305 if (idx == 8 || idx == 9) {
4306 /* SSL explicit cipher list */
4307 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4311 if (idx == 2 || idx == 6 || idx == 8) {
4312 /* Default ciphersuite */
4313 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4314 "TLS_AES_128_GCM_SHA256")))
4316 } else if (idx == 3 || idx == 7 || idx == 9) {
4317 /* Non default ciphersuite */
4318 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4319 "TLS_AES_128_CCM_SHA256")))
4323 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4329 SSL_free(serverssl);
4330 SSL_free(clientssl);
4337 static int test_ciphersuite_change(void)
4339 SSL_CTX *cctx = NULL, *sctx = NULL;
4340 SSL *clientssl = NULL, *serverssl = NULL;
4341 SSL_SESSION *clntsess = NULL;
4343 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4345 /* Create a session based on SHA-256 */
4346 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4347 TLS_client_method(), TLS1_VERSION, 0,
4348 &sctx, &cctx, cert, privkey))
4349 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4350 "TLS_AES_128_GCM_SHA256:"
4351 "TLS_AES_256_GCM_SHA384:"
4352 "TLS_AES_128_CCM_SHA256"))
4353 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4354 "TLS_AES_128_GCM_SHA256"))
4355 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4356 &clientssl, NULL, NULL))
4357 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4361 clntsess = SSL_get1_session(clientssl);
4362 /* Save for later */
4363 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4364 SSL_shutdown(clientssl);
4365 SSL_shutdown(serverssl);
4366 SSL_free(serverssl);
4367 SSL_free(clientssl);
4368 serverssl = clientssl = NULL;
4370 /* Check we can resume a session with a different SHA-256 ciphersuite */
4371 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4372 "TLS_AES_128_CCM_SHA256"))
4373 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4374 &clientssl, NULL, NULL))
4375 || !TEST_true(SSL_set_session(clientssl, clntsess))
4376 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4378 || !TEST_true(SSL_session_reused(clientssl)))
4381 SSL_SESSION_free(clntsess);
4382 clntsess = SSL_get1_session(clientssl);
4383 SSL_shutdown(clientssl);
4384 SSL_shutdown(serverssl);
4385 SSL_free(serverssl);
4386 SSL_free(clientssl);
4387 serverssl = clientssl = NULL;
4390 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4391 * succeeds but does not resume.
4393 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4394 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4396 || !TEST_true(SSL_set_session(clientssl, clntsess))
4397 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4399 || !TEST_false(SSL_session_reused(clientssl)))
4402 SSL_SESSION_free(clntsess);
4404 SSL_shutdown(clientssl);
4405 SSL_shutdown(serverssl);
4406 SSL_free(serverssl);
4407 SSL_free(clientssl);
4408 serverssl = clientssl = NULL;
4410 /* Create a session based on SHA384 */
4411 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4412 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4413 &clientssl, NULL, NULL))
4414 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4418 clntsess = SSL_get1_session(clientssl);
4419 SSL_shutdown(clientssl);
4420 SSL_shutdown(serverssl);
4421 SSL_free(serverssl);
4422 SSL_free(clientssl);
4423 serverssl = clientssl = NULL;
4425 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4426 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4427 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4428 "TLS_AES_256_GCM_SHA384"))
4429 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4431 || !TEST_true(SSL_set_session(clientssl, clntsess))
4433 * We use SSL_ERROR_WANT_READ below so that we can pause the
4434 * connection after the initial ClientHello has been sent to
4435 * enable us to make some session changes.
4437 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4438 SSL_ERROR_WANT_READ)))
4441 /* Trick the client into thinking this session is for a different digest */
4442 clntsess->cipher = aes_128_gcm_sha256;
4443 clntsess->cipher_id = clntsess->cipher->id;
4446 * Continue the previously started connection. Server has selected a SHA-384
4447 * ciphersuite, but client thinks the session is for SHA-256, so it should
4450 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4452 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4453 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4459 SSL_SESSION_free(clntsess);
4460 SSL_free(serverssl);
4461 SSL_free(clientssl);
4469 * Test TLSv1.3 Key exchange
4470 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4471 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4472 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4473 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4474 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4475 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4476 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4477 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4478 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4479 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4480 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4481 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4482 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4483 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4485 static int test_key_exchange(int idx)
4487 SSL_CTX *sctx = NULL, *cctx = NULL;
4488 SSL *serverssl = NULL, *clientssl = NULL;
4490 # ifndef OPENSSL_NO_EC
4491 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4492 NID_secp521r1, NID_X25519, NID_X448};
4494 # ifndef OPENSSL_NO_DH
4495 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4496 NID_ffdhe6144, NID_ffdhe8192};
4499 int *kexch_groups = &kexch_alg;
4500 int kexch_groups_size = 1;
4501 int max_version = TLS1_3_VERSION;
4504 # ifndef OPENSSL_NO_EC
4505 # ifndef OPENSSL_NO_TLS1_2
4507 max_version = TLS1_2_VERSION;
4511 kexch_groups = ecdhe_kexch_groups;
4512 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4515 kexch_alg = NID_X9_62_prime256v1;
4518 kexch_alg = NID_secp384r1;
4521 kexch_alg = NID_secp521r1;
4524 kexch_alg = NID_X25519;
4527 kexch_alg = NID_X448;
4530 # ifndef OPENSSL_NO_DH
4531 # ifndef OPENSSL_NO_TLS1_2
4533 max_version = TLS1_2_VERSION;
4537 kexch_groups = ffdhe_kexch_groups;
4538 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4541 kexch_alg = NID_ffdhe2048;
4544 kexch_alg = NID_ffdhe3072;
4547 kexch_alg = NID_ffdhe4096;
4550 kexch_alg = NID_ffdhe6144;
4553 kexch_alg = NID_ffdhe8192;
4557 /* We're skipping this test */
4561 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4562 TLS_client_method(), TLS1_VERSION,
4563 max_version, &sctx, &cctx, cert,
4567 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4568 TLS1_3_RFC_AES_128_GCM_SHA256)))
4571 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4572 TLS1_3_RFC_AES_128_GCM_SHA256)))
4575 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4576 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4580 * Must include an EC ciphersuite so that we send supported groups in
4583 # ifndef OPENSSL_NO_TLS1_2
4584 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4585 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4586 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4594 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4595 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4598 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4602 * If Handshake succeeds the negotiated kexch alg should be the first one in
4603 * configured, except in the case of FFDHE groups (idx 13), which are
4604 * TLSv1.3 only so we expect no shared group to exist.
4606 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4607 idx == 13 ? 0 : kexch_groups[0]))
4609 if (max_version == TLS1_3_VERSION) {
4610 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4612 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4618 SSL_free(serverssl);
4619 SSL_free(clientssl);
4626 * Test TLSv1.3 Cipher Suite
4627 * Test 0 = Set TLS1.3 cipher on context
4628 * Test 1 = Set TLS1.3 cipher on SSL
4629 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4630 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4632 static int test_tls13_ciphersuite(int idx)
4634 SSL_CTX *sctx = NULL, *cctx = NULL;
4635 SSL *serverssl = NULL, *clientssl = NULL;
4636 static const struct {
4637 const char *ciphername;
4640 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4641 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4642 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4643 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4644 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4645 { TLS1_3_RFC_AES_256_GCM_SHA384
4646 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4648 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4650 const char *t13_cipher = NULL;
4651 const char *t12_cipher = NULL;
4652 const char *negotiated_scipher;
4653 const char *negotiated_ccipher;
4669 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4673 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4677 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4678 # ifdef OPENSSL_NO_TLS1_2
4679 if (max_ver == TLS1_2_VERSION)
4682 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4683 if (is_fips && !t13_ciphers[i].fipscapable)
4685 t13_cipher = t13_ciphers[i].ciphername;
4686 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4687 TLS_client_method(),
4688 TLS1_VERSION, max_ver,
4689 &sctx, &cctx, cert, privkey)))
4693 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4694 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4696 if (t12_cipher != NULL) {
4697 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4698 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4704 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4705 &clientssl, NULL, NULL)))
4709 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4710 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4712 if (t12_cipher != NULL) {
4713 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4714 || !TEST_true(SSL_set_cipher_list(clientssl,
4720 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4724 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4726 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4728 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4732 * TEST_strn_eq is used below because t13_cipher can contain
4733 * multiple ciphersuites
4735 if (max_ver == TLS1_3_VERSION
4736 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4737 strlen(negotiated_scipher)))
4740 # ifndef OPENSSL_NO_TLS1_2
4741 /* Below validation is not done when t12_cipher is NULL */
4742 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4743 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4747 SSL_free(serverssl);
4749 SSL_free(clientssl);
4760 SSL_free(serverssl);
4761 SSL_free(clientssl);
4769 * Test 0 = Test new style callbacks
4770 * Test 1 = Test both new and old style callbacks
4771 * Test 2 = Test old style callbacks
4772 * Test 3 = Test old style callbacks with no certificate
4774 static int test_tls13_psk(int idx)
4776 SSL_CTX *sctx = NULL, *cctx = NULL;
4777 SSL *serverssl = NULL, *clientssl = NULL;
4778 const SSL_CIPHER *cipher = NULL;
4779 const unsigned char key[] = {
4780 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4781 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4782 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4783 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4787 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4788 TLS_client_method(), TLS1_VERSION, 0,
4789 &sctx, &cctx, idx == 3 ? NULL : cert,
4790 idx == 3 ? NULL : privkey)))
4795 * We use a ciphersuite with SHA256 to ease testing old style PSK
4796 * callbacks which will always default to SHA256. This should not be
4797 * necessary if we have no cert/priv key. In that case the server should
4798 * prefer SHA256 automatically.
4800 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4801 "TLS_AES_128_GCM_SHA256")))
4805 * As noted above the server should prefer SHA256 automatically. However
4806 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4807 * code works even if we are testing with only the FIPS provider loaded.
4809 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4810 "TLS_AES_256_GCM_SHA384:"
4811 "TLS_AES_128_GCM_SHA256")))
4816 * Test 0: New style callbacks only
4817 * Test 1: New and old style callbacks (only the new ones should be used)
4818 * Test 2: Old style callbacks only
4820 if (idx == 0 || idx == 1) {
4821 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4822 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4824 #ifndef OPENSSL_NO_PSK
4826 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4827 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4831 use_session_cb_cnt = 0;
4832 find_session_cb_cnt = 0;
4833 psk_client_cb_cnt = 0;
4834 psk_server_cb_cnt = 0;
4838 * Check we can create a connection if callback decides not to send a
4841 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4843 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4845 || !TEST_false(SSL_session_reused(clientssl))
4846 || !TEST_false(SSL_session_reused(serverssl)))
4849 if (idx == 0 || idx == 1) {
4850 if (!TEST_true(use_session_cb_cnt == 1)
4851 || !TEST_true(find_session_cb_cnt == 0)
4853 * If no old style callback then below should be 0
4856 || !TEST_true(psk_client_cb_cnt == idx)
4857 || !TEST_true(psk_server_cb_cnt == 0))
4860 if (!TEST_true(use_session_cb_cnt == 0)
4861 || !TEST_true(find_session_cb_cnt == 0)
4862 || !TEST_true(psk_client_cb_cnt == 1)
4863 || !TEST_true(psk_server_cb_cnt == 0))
4867 shutdown_ssl_connection(serverssl, clientssl);
4868 serverssl = clientssl = NULL;
4869 use_session_cb_cnt = psk_client_cb_cnt = 0;
4872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4876 /* Create the PSK */
4877 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4878 clientpsk = SSL_SESSION_new();
4879 if (!TEST_ptr(clientpsk)
4880 || !TEST_ptr(cipher)
4881 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4883 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4884 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4886 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4888 serverpsk = clientpsk;
4890 /* Check we can create a connection and the PSK is used */
4891 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4892 || !TEST_true(SSL_session_reused(clientssl))
4893 || !TEST_true(SSL_session_reused(serverssl)))
4896 if (idx == 0 || idx == 1) {
4897 if (!TEST_true(use_session_cb_cnt == 1)
4898 || !TEST_true(find_session_cb_cnt == 1)
4899 || !TEST_true(psk_client_cb_cnt == 0)
4900 || !TEST_true(psk_server_cb_cnt == 0))
4903 if (!TEST_true(use_session_cb_cnt == 0)
4904 || !TEST_true(find_session_cb_cnt == 0)
4905 || !TEST_true(psk_client_cb_cnt == 1)
4906 || !TEST_true(psk_server_cb_cnt == 1))
4910 shutdown_ssl_connection(serverssl, clientssl);
4911 serverssl = clientssl = NULL;
4912 use_session_cb_cnt = find_session_cb_cnt = 0;
4913 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4915 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4920 #if defined(OPENSSL_NO_EC)
4921 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4924 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4929 * Check we can create a connection, the PSK is used and the callbacks are
4932 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4933 || !TEST_true(SSL_session_reused(clientssl))
4934 || !TEST_true(SSL_session_reused(serverssl)))
4937 if (idx == 0 || idx == 1) {
4938 if (!TEST_true(use_session_cb_cnt == 2)
4939 || !TEST_true(find_session_cb_cnt == 2)
4940 || !TEST_true(psk_client_cb_cnt == 0)
4941 || !TEST_true(psk_server_cb_cnt == 0))
4944 if (!TEST_true(use_session_cb_cnt == 0)
4945 || !TEST_true(find_session_cb_cnt == 0)
4946 || !TEST_true(psk_client_cb_cnt == 2)
4947 || !TEST_true(psk_server_cb_cnt == 2))
4951 shutdown_ssl_connection(serverssl, clientssl);
4952 serverssl = clientssl = NULL;
4953 use_session_cb_cnt = find_session_cb_cnt = 0;
4954 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4958 * Check that if the server rejects the PSK we can still connect, but with
4961 srvid = "Dummy Identity";
4962 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4964 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4966 || !TEST_false(SSL_session_reused(clientssl))
4967 || !TEST_false(SSL_session_reused(serverssl)))
4970 if (idx == 0 || idx == 1) {
4971 if (!TEST_true(use_session_cb_cnt == 1)
4972 || !TEST_true(find_session_cb_cnt == 1)
4973 || !TEST_true(psk_client_cb_cnt == 0)
4975 * If no old style callback then below should be 0
4978 || !TEST_true(psk_server_cb_cnt == idx))
4981 if (!TEST_true(use_session_cb_cnt == 0)
4982 || !TEST_true(find_session_cb_cnt == 0)
4983 || !TEST_true(psk_client_cb_cnt == 1)
4984 || !TEST_true(psk_server_cb_cnt == 1))
4988 shutdown_ssl_connection(serverssl, clientssl);
4989 serverssl = clientssl = NULL;
4994 SSL_SESSION_free(clientpsk);
4995 SSL_SESSION_free(serverpsk);
4996 clientpsk = serverpsk = NULL;
4997 SSL_free(serverssl);
4998 SSL_free(clientssl);
5004 static unsigned char cookie_magic_value[] = "cookie magic";
5006 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5007 unsigned int *cookie_len)
5010 * Not suitable as a real cookie generation function but good enough for
5013 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5014 *cookie_len = sizeof(cookie_magic_value) - 1;
5019 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5020 unsigned int cookie_len)
5022 if (cookie_len == sizeof(cookie_magic_value) - 1
5023 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5029 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5033 int res = generate_cookie_callback(ssl, cookie, &temp);
5038 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5041 return verify_cookie_callback(ssl, cookie, cookie_len);
5044 static int test_stateless(void)
5046 SSL_CTX *sctx = NULL, *cctx = NULL;
5047 SSL *serverssl = NULL, *clientssl = NULL;
5050 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5051 TLS_client_method(), TLS1_VERSION, 0,
5052 &sctx, &cctx, cert, privkey)))
5055 /* The arrival of CCS messages can confuse the test */
5056 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5058 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5060 /* Send the first ClientHello */
5061 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5062 SSL_ERROR_WANT_READ))
5064 * This should fail with a -1 return because we have no callbacks
5067 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5070 /* Fatal error so abandon the connection from this client */
5071 SSL_free(clientssl);
5074 /* Set up the cookie generation and verification callbacks */
5075 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5076 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5079 * Create a new connection from the client (we can reuse the server SSL
5082 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5084 /* Send the first ClientHello */
5085 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5086 SSL_ERROR_WANT_READ))
5087 /* This should fail because there is no cookie */
5088 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5091 /* Abandon the connection from this client */
5092 SSL_free(clientssl);
5096 * Now create a connection from a new client but with the same server SSL
5099 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5101 /* Send the first ClientHello */
5102 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5103 SSL_ERROR_WANT_READ))
5104 /* This should fail because there is no cookie */
5105 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5106 /* Send the second ClientHello */
5107 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5108 SSL_ERROR_WANT_READ))
5109 /* This should succeed because a cookie is now present */
5110 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5111 /* Complete the connection */
5112 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5116 shutdown_ssl_connection(serverssl, clientssl);
5117 serverssl = clientssl = NULL;
5121 SSL_free(serverssl);
5122 SSL_free(clientssl);
5128 #endif /* OPENSSL_NO_TLS1_3 */
5130 static int clntaddoldcb = 0;
5131 static int clntparseoldcb = 0;
5132 static int srvaddoldcb = 0;
5133 static int srvparseoldcb = 0;
5134 static int clntaddnewcb = 0;
5135 static int clntparsenewcb = 0;
5136 static int srvaddnewcb = 0;
5137 static int srvparsenewcb = 0;
5138 static int snicb = 0;
5140 #define TEST_EXT_TYPE1 0xff00
5142 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5143 size_t *outlen, int *al, void *add_arg)
5145 int *server = (int *)add_arg;
5146 unsigned char *data;
5148 if (SSL_is_server(s))
5153 if (*server != SSL_is_server(s)
5154 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5159 *outlen = sizeof(char);
5163 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5166 OPENSSL_free((unsigned char *)out);
5169 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5170 size_t inlen, int *al, void *parse_arg)
5172 int *server = (int *)parse_arg;
5174 if (SSL_is_server(s))
5179 if (*server != SSL_is_server(s)
5180 || inlen != sizeof(char)
5187 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5188 const unsigned char **out, size_t *outlen, X509 *x,
5189 size_t chainidx, int *al, void *add_arg)
5191 int *server = (int *)add_arg;
5192 unsigned char *data;
5194 if (SSL_is_server(s))
5199 if (*server != SSL_is_server(s)
5200 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5205 *outlen = sizeof(*data);
5209 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5210 const unsigned char *out, void *add_arg)
5212 OPENSSL_free((unsigned char *)out);
5215 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5216 const unsigned char *in, size_t inlen, X509 *x,
5217 size_t chainidx, int *al, void *parse_arg)
5219 int *server = (int *)parse_arg;
5221 if (SSL_is_server(s))
5226 if (*server != SSL_is_server(s)
5227 || inlen != sizeof(char) || *in != 1)
5233 static int sni_cb(SSL *s, int *al, void *arg)
5235 SSL_CTX *ctx = (SSL_CTX *)arg;
5237 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5238 *al = SSL_AD_INTERNAL_ERROR;
5239 return SSL_TLSEXT_ERR_ALERT_FATAL;
5242 return SSL_TLSEXT_ERR_OK;
5246 * Custom call back tests.
5247 * Test 0: Old style callbacks in TLSv1.2
5248 * Test 1: New style callbacks in TLSv1.2
5249 * Test 2: New style callbacks in TLSv1.2 with SNI
5250 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5251 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5253 static int test_custom_exts(int tst)
5255 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5256 SSL *clientssl = NULL, *serverssl = NULL;
5258 static int server = 1;
5259 static int client = 0;
5260 SSL_SESSION *sess = NULL;
5261 unsigned int context;
5263 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5264 /* Skip tests for TLSv1.2 and below in this case */
5269 /* Reset callback counters */
5270 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5271 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5274 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5275 TLS_client_method(), TLS1_VERSION, 0,
5276 &sctx, &cctx, cert, privkey)))
5280 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5282 &sctx2, NULL, cert, privkey)))
5287 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5288 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5290 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5294 context = SSL_EXT_CLIENT_HELLO
5295 | SSL_EXT_TLS1_2_SERVER_HELLO
5296 | SSL_EXT_TLS1_3_SERVER_HELLO
5297 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5298 | SSL_EXT_TLS1_3_CERTIFICATE
5299 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5301 context = SSL_EXT_CLIENT_HELLO
5302 | SSL_EXT_TLS1_2_SERVER_HELLO
5303 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5306 /* Create a client side custom extension */
5308 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5309 old_add_cb, old_free_cb,
5310 &client, old_parse_cb,
5314 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5315 new_add_cb, new_free_cb,
5316 &client, new_parse_cb, &client)))
5320 /* Should not be able to add duplicates */
5321 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5322 old_add_cb, old_free_cb,
5323 &client, old_parse_cb,
5325 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5326 context, new_add_cb,
5327 new_free_cb, &client,
5328 new_parse_cb, &client)))
5331 /* Create a server side custom extension */
5333 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5334 old_add_cb, old_free_cb,
5335 &server, old_parse_cb,
5339 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5340 new_add_cb, new_free_cb,
5341 &server, new_parse_cb, &server)))
5344 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5345 context, new_add_cb,
5346 new_free_cb, &server,
5347 new_parse_cb, &server)))
5351 /* Should not be able to add duplicates */
5352 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5353 old_add_cb, old_free_cb,
5354 &server, old_parse_cb,
5356 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5357 context, new_add_cb,
5358 new_free_cb, &server,
5359 new_parse_cb, &server)))
5364 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5365 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5370 &clientssl, NULL, NULL))
5371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5376 if (clntaddoldcb != 1
5377 || clntparseoldcb != 1
5379 || srvparseoldcb != 1)
5381 } else if (tst == 1 || tst == 2 || tst == 3) {
5382 if (clntaddnewcb != 1
5383 || clntparsenewcb != 1
5385 || srvparsenewcb != 1
5386 || (tst != 2 && snicb != 0)
5387 || (tst == 2 && snicb != 1))
5390 /* In this case there 2 NewSessionTicket messages created */
5391 if (clntaddnewcb != 1
5392 || clntparsenewcb != 5
5394 || srvparsenewcb != 1)
5398 sess = SSL_get1_session(clientssl);
5399 SSL_shutdown(clientssl);
5400 SSL_shutdown(serverssl);
5401 SSL_free(serverssl);
5402 SSL_free(clientssl);
5403 serverssl = clientssl = NULL;
5406 /* We don't bother with the resumption aspects for this test */
5411 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5413 || !TEST_true(SSL_set_session(clientssl, sess))
5414 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5419 * For a resumed session we expect to add the ClientHello extension. For the
5420 * old style callbacks we ignore it on the server side because they set
5421 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5425 if (clntaddoldcb != 2
5426 || clntparseoldcb != 1
5428 || srvparseoldcb != 1)
5430 } else if (tst == 1 || tst == 2 || tst == 3) {
5431 if (clntaddnewcb != 2
5432 || clntparsenewcb != 2
5434 || srvparsenewcb != 2)
5438 * No Certificate message extensions in the resumption handshake,
5439 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5441 if (clntaddnewcb != 2
5442 || clntparsenewcb != 8
5444 || srvparsenewcb != 2)
5451 SSL_SESSION_free(sess);
5452 SSL_free(serverssl);
5453 SSL_free(clientssl);
5454 SSL_CTX_free(sctx2);
5461 * Test loading of serverinfo data in various formats. test_sslmessages actually
5462 * tests to make sure the extensions appear in the handshake
5464 static int test_serverinfo(int tst)
5466 unsigned int version;
5467 unsigned char *sibuf;
5469 int ret, expected, testresult = 0;
5472 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5476 if ((tst & 0x01) == 0x01)
5477 version = SSL_SERVERINFOV2;
5479 version = SSL_SERVERINFOV1;
5481 if ((tst & 0x02) == 0x02) {
5482 sibuf = serverinfov2;
5483 sibuflen = sizeof(serverinfov2);
5484 expected = (version == SSL_SERVERINFOV2);
5486 sibuf = serverinfov1;
5487 sibuflen = sizeof(serverinfov1);
5488 expected = (version == SSL_SERVERINFOV1);
5491 if ((tst & 0x04) == 0x04) {
5492 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5494 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5497 * The version variable is irrelevant in this case - it's what is in the
5498 * buffer that matters
5500 if ((tst & 0x02) == 0x02)
5506 if (!TEST_true(ret == expected))
5518 * Test that SSL_export_keying_material() produces expected results. There are
5519 * no test vectors so all we do is test that both sides of the communication
5520 * produce the same results for different protocol versions.
5522 #define SMALL_LABEL_LEN 10
5523 #define LONG_LABEL_LEN 249
5524 static int test_export_key_mat(int tst)
5527 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5528 SSL *clientssl = NULL, *serverssl = NULL;
5529 const char label[LONG_LABEL_LEN + 1] = "test label";
5530 const unsigned char context[] = "context";
5531 const unsigned char *emptycontext = NULL;
5532 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5533 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5535 const int protocols[] = {
5544 #ifdef OPENSSL_NO_TLS1
5548 #ifdef OPENSSL_NO_TLS1_1
5552 if (is_fips && (tst == 0 || tst == 1))
5554 #ifdef OPENSSL_NO_TLS1_2
5558 #ifdef OPENSSL_NO_TLS1_3
5562 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5563 TLS_client_method(), TLS1_VERSION, 0,
5564 &sctx, &cctx, cert, privkey)))
5567 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5568 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5569 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5571 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5573 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5579 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5582 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5583 sizeof(ckeymat1), label,
5584 LONG_LABEL_LEN + 1, context,
5585 sizeof(context) - 1, 1), 0))
5590 } else if (tst == 4) {
5591 labellen = LONG_LABEL_LEN;
5593 labellen = SMALL_LABEL_LEN;
5596 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5597 sizeof(ckeymat1), label,
5599 sizeof(context) - 1, 1), 1)
5600 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5601 sizeof(ckeymat2), label,
5605 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5606 sizeof(ckeymat3), label,
5609 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5610 sizeof(skeymat1), label,
5613 sizeof(context) -1, 1),
5615 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5616 sizeof(skeymat2), label,
5620 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5621 sizeof(skeymat3), label,
5625 * Check that both sides created the same key material with the
5628 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5631 * Check that both sides created the same key material with an
5634 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5637 * Check that both sides created the same key material without a
5640 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5642 /* Different contexts should produce different results */
5643 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5648 * Check that an empty context and no context produce different results in
5649 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5651 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5653 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5660 SSL_free(serverssl);
5661 SSL_free(clientssl);
5662 SSL_CTX_free(sctx2);
5669 #ifndef OPENSSL_NO_TLS1_3
5671 * Test that SSL_export_keying_material_early() produces expected
5672 * results. There are no test vectors so all we do is test that both
5673 * sides of the communication produce the same results for different
5674 * protocol versions.
5676 static int test_export_key_mat_early(int idx)
5678 static const char label[] = "test label";
5679 static const unsigned char context[] = "context";
5681 SSL_CTX *cctx = NULL, *sctx = NULL;
5682 SSL *clientssl = NULL, *serverssl = NULL;
5683 SSL_SESSION *sess = NULL;
5684 const unsigned char *emptycontext = NULL;
5685 unsigned char ckeymat1[80], ckeymat2[80];
5686 unsigned char skeymat1[80], skeymat2[80];
5687 unsigned char buf[1];
5688 size_t readbytes, written;
5690 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5694 /* Here writing 0 length early data is enough. */
5695 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5696 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5698 SSL_READ_EARLY_DATA_ERROR)
5699 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5700 SSL_EARLY_DATA_ACCEPTED))
5703 if (!TEST_int_eq(SSL_export_keying_material_early(
5704 clientssl, ckeymat1, sizeof(ckeymat1), label,
5705 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5706 || !TEST_int_eq(SSL_export_keying_material_early(
5707 clientssl, ckeymat2, sizeof(ckeymat2), label,
5708 sizeof(label) - 1, emptycontext, 0), 1)
5709 || !TEST_int_eq(SSL_export_keying_material_early(
5710 serverssl, skeymat1, sizeof(skeymat1), label,
5711 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5712 || !TEST_int_eq(SSL_export_keying_material_early(
5713 serverssl, skeymat2, sizeof(skeymat2), label,
5714 sizeof(label) - 1, emptycontext, 0), 1)
5716 * Check that both sides created the same key material with the
5719 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5722 * Check that both sides created the same key material with an
5725 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5727 /* Different contexts should produce different results */
5728 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5735 SSL_SESSION_free(sess);
5736 SSL_SESSION_free(clientpsk);
5737 SSL_SESSION_free(serverpsk);
5738 clientpsk = serverpsk = NULL;
5739 SSL_free(serverssl);
5740 SSL_free(clientssl);
5747 #define NUM_KEY_UPDATE_MESSAGES 40
5751 static int test_key_update(void)
5753 SSL_CTX *cctx = NULL, *sctx = NULL;
5754 SSL *clientssl = NULL, *serverssl = NULL;
5755 int testresult = 0, i, j;
5757 static char *mess = "A test message";
5759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5760 TLS_client_method(),
5763 &sctx, &cctx, cert, privkey))
5764 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5766 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5770 for (j = 0; j < 2; j++) {
5771 /* Send lots of KeyUpdate messages */
5772 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5773 if (!TEST_true(SSL_key_update(clientssl,
5775 ? SSL_KEY_UPDATE_NOT_REQUESTED
5776 : SSL_KEY_UPDATE_REQUESTED))
5777 || !TEST_true(SSL_do_handshake(clientssl)))
5781 /* Check that sending and receiving app data is ok */
5782 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5783 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5787 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5788 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5796 SSL_free(serverssl);
5797 SSL_free(clientssl);
5805 * Test we can handle a KeyUpdate (update requested) message while write data
5807 * Test 0: Client sends KeyUpdate while Server is writing
5808 * Test 1: Server sends KeyUpdate while Client is writing
5810 static int test_key_update_in_write(int tst)
5812 SSL_CTX *cctx = NULL, *sctx = NULL;
5813 SSL *clientssl = NULL, *serverssl = NULL;
5816 static char *mess = "A test message";
5817 BIO *bretry = BIO_new(bio_s_always_retry());
5819 SSL *peerupdate = NULL, *peerwrite = NULL;
5821 if (!TEST_ptr(bretry)
5822 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5823 TLS_client_method(),
5826 &sctx, &cctx, cert, privkey))
5827 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5829 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5833 peerupdate = tst == 0 ? clientssl : serverssl;
5834 peerwrite = tst == 0 ? serverssl : clientssl;
5836 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5837 || !TEST_true(SSL_do_handshake(peerupdate)))
5840 /* Swap the writing endpoint's write BIO to force a retry */
5841 tmp = SSL_get_wbio(peerwrite);
5842 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5846 SSL_set0_wbio(peerwrite, bretry);
5849 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5850 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5851 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5854 /* Reinstate the original writing endpoint's write BIO */
5855 SSL_set0_wbio(peerwrite, tmp);
5858 /* Now read some data - we will read the key update */
5859 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5860 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5864 * Complete the write we started previously and read it from the other
5867 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5868 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5871 /* Write more data to ensure we send the KeyUpdate message back */
5872 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5873 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5879 SSL_free(serverssl);
5880 SSL_free(clientssl);
5888 #endif /* OPENSSL_NO_TLS1_3 */
5890 static int test_ssl_clear(int idx)
5892 SSL_CTX *cctx = NULL, *sctx = NULL;
5893 SSL *clientssl = NULL, *serverssl = NULL;
5896 #ifdef OPENSSL_NO_TLS1_2
5901 /* Create an initial connection */
5902 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5903 TLS_client_method(), TLS1_VERSION, 0,
5904 &sctx, &cctx, cert, privkey))
5906 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5908 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5909 &clientssl, NULL, NULL))
5910 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5914 SSL_shutdown(clientssl);
5915 SSL_shutdown(serverssl);
5916 SSL_free(serverssl);
5919 /* Clear clientssl - we're going to reuse the object */
5920 if (!TEST_true(SSL_clear(clientssl)))
5923 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5925 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5927 || !TEST_true(SSL_session_reused(clientssl)))
5930 SSL_shutdown(clientssl);
5931 SSL_shutdown(serverssl);
5936 SSL_free(serverssl);
5937 SSL_free(clientssl);
5944 /* Parse CH and retrieve any MFL extension value if present */
5945 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5948 unsigned char *data;
5949 PACKET pkt, pkt2, pkt3;
5950 unsigned int MFL_code = 0, type = 0;
5952 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5955 memset(&pkt, 0, sizeof(pkt));
5956 memset(&pkt2, 0, sizeof(pkt2));
5957 memset(&pkt3, 0, sizeof(pkt3));
5959 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5960 /* Skip the record header */
5961 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5962 /* Skip the handshake message header */
5963 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5964 /* Skip client version and random */
5965 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5966 + SSL3_RANDOM_SIZE))
5967 /* Skip session id */
5968 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5970 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5971 /* Skip compression */
5972 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5973 /* Extensions len */
5974 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5977 /* Loop through all extensions */
5978 while (PACKET_remaining(&pkt2)) {
5979 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5980 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5983 if (type == TLSEXT_TYPE_max_fragment_length) {
5984 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5985 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5988 *mfl_codemfl_code = MFL_code;
5997 /* Maximum-Fragment-Length TLS extension mode to test */
5998 static const unsigned char max_fragment_len_test[] = {
5999 TLSEXT_max_fragment_length_512,
6000 TLSEXT_max_fragment_length_1024,
6001 TLSEXT_max_fragment_length_2048,
6002 TLSEXT_max_fragment_length_4096
6005 static int test_max_fragment_len_ext(int idx_tst)
6009 int testresult = 0, MFL_mode = 0;
6012 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
6016 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6017 ctx, max_fragment_len_test[idx_tst])))
6024 rbio = BIO_new(BIO_s_mem());
6025 wbio = BIO_new(BIO_s_mem());
6026 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6032 SSL_set_bio(con, rbio, wbio);
6033 SSL_set_connect_state(con);
6035 if (!TEST_int_le(SSL_connect(con), 0)) {
6036 /* This shouldn't succeed because we don't have a server! */
6040 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6041 /* no MFL in client hello */
6043 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6055 #ifndef OPENSSL_NO_TLS1_3
6056 static int test_pha_key_update(void)
6058 SSL_CTX *cctx = NULL, *sctx = NULL;
6059 SSL *clientssl = NULL, *serverssl = NULL;
6062 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6063 TLS_client_method(), TLS1_VERSION, 0,
6064 &sctx, &cctx, cert, privkey)))
6067 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6068 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6069 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6070 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6073 SSL_CTX_set_post_handshake_auth(cctx, 1);
6075 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6079 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6083 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6084 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6087 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6090 /* Start handshake on the server */
6091 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6094 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6095 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6099 SSL_shutdown(clientssl);
6100 SSL_shutdown(serverssl);
6105 SSL_free(serverssl);
6106 SSL_free(clientssl);
6113 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6115 static SRP_VBASE *vbase = NULL;
6117 DEFINE_STACK_OF(SRP_user_pwd)
6119 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6121 int ret = SSL3_AL_FATAL;
6123 SRP_user_pwd *user = NULL;
6125 username = SSL_get_srp_username(s);
6126 if (username == NULL) {
6127 *ad = SSL_AD_INTERNAL_ERROR;
6131 user = SRP_VBASE_get1_by_user(vbase, username);
6133 *ad = SSL_AD_INTERNAL_ERROR;
6137 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6139 *ad = SSL_AD_INTERNAL_ERROR;
6146 SRP_user_pwd_free(user);
6150 static int create_new_vfile(char *userid, char *password, const char *filename)
6153 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6156 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6159 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6162 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6163 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6164 if (!TEST_ptr(gNid))
6168 * The only way to create an empty TXT_DB is to provide a BIO with no data
6171 db = TXT_DB_read(dummy, DB_NUMBER);
6175 out = BIO_new_file(filename, "w");
6179 row[DB_srpid] = OPENSSL_strdup(userid);
6180 row[DB_srptype] = OPENSSL_strdup("V");
6181 row[DB_srpgN] = OPENSSL_strdup(gNid);
6183 if (!TEST_ptr(row[DB_srpid])
6184 || !TEST_ptr(row[DB_srptype])
6185 || !TEST_ptr(row[DB_srpgN])
6186 || !TEST_true(TXT_DB_insert(db, row)))
6191 if (!TXT_DB_write(out, db))
6197 for (i = 0; i < DB_NUMBER; i++)
6198 OPENSSL_free(row[i]);
6208 static int create_new_vbase(char *userid, char *password)
6210 BIGNUM *verifier = NULL, *salt = NULL;
6211 const SRP_gN *lgN = NULL;
6212 SRP_user_pwd *user_pwd = NULL;
6215 lgN = SRP_get_default_gN(NULL);
6219 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6220 lgN->N, lgN->g, libctx, NULL)))
6223 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6224 if (!TEST_ptr(user_pwd))
6227 user_pwd->N = lgN->N;
6228 user_pwd->g = lgN->g;
6229 user_pwd->id = OPENSSL_strdup(userid);
6230 if (!TEST_ptr(user_pwd->id))
6233 user_pwd->v = verifier;
6235 verifier = salt = NULL;
6237 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6243 SRP_user_pwd_free(user_pwd);
6253 * Test 0: Simple successful SRP connection, new vbase
6254 * Test 1: Connection failure due to bad password, new vbase
6255 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6256 * Test 3: Connection failure due to bad password, vbase loaded from existing
6258 * Test 4: Simple successful SRP connection, vbase loaded from new file
6259 * Test 5: Connection failure due to bad password, vbase loaded from new file
6261 static int test_srp(int tst)
6263 char *userid = "test", *password = "password", *tstsrpfile;
6264 SSL_CTX *cctx = NULL, *sctx = NULL;
6265 SSL *clientssl = NULL, *serverssl = NULL;
6266 int ret, testresult = 0;
6268 vbase = SRP_VBASE_new(NULL);
6269 if (!TEST_ptr(vbase))
6272 if (tst == 0 || tst == 1) {
6273 if (!TEST_true(create_new_vbase(userid, password)))
6276 if (tst == 4 || tst == 5) {
6277 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6279 tstsrpfile = tmpfilename;
6281 tstsrpfile = srpvfile;
6283 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6287 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6288 TLS_client_method(), TLS1_VERSION, 0,
6289 &sctx, &cctx, cert, privkey)))
6292 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6293 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6294 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6295 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6296 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6300 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6303 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6307 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6311 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6313 if (!TEST_true(tst % 2 == 0))
6316 if (!TEST_true(tst % 2 == 1))
6323 SRP_VBASE_free(vbase);
6325 SSL_free(serverssl);
6326 SSL_free(clientssl);
6334 static int info_cb_failed = 0;
6335 static int info_cb_offset = 0;
6336 static int info_cb_this_state = -1;
6338 static struct info_cb_states_st {
6340 const char *statestr;
6341 } info_cb_states[][60] = {
6343 /* TLSv1.2 server followed by resumption */
6344 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6345 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6346 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6347 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6348 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6349 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6350 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6351 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6352 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6353 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6354 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6355 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6356 {SSL_CB_EXIT, NULL}, {0, NULL},
6358 /* TLSv1.2 client followed by resumption */
6359 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6360 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6361 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6362 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6363 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6364 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6365 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6366 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6367 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6368 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6369 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6370 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6372 /* TLSv1.3 server followed by resumption */
6373 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6374 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6375 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6376 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6377 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6378 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6379 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6380 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6381 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6382 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6383 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6384 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6385 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6387 /* TLSv1.3 client followed by resumption */
6388 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6389 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6390 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6391 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6392 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6393 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6394 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6395 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6396 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6397 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6398 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6399 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6400 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6401 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6402 {SSL_CB_EXIT, NULL}, {0, NULL},
6404 /* TLSv1.3 server, early_data */
6405 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6406 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6407 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6408 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6409 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6410 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6411 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6412 {SSL_CB_EXIT, NULL}, {0, NULL},
6414 /* TLSv1.3 client, early_data */
6415 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6416 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6417 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6418 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6419 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6420 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6421 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6422 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6423 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6429 static void sslapi_info_callback(const SSL *s, int where, int ret)
6431 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6433 /* We do not ever expect a connection to fail in this test */
6434 if (!TEST_false(ret == 0)) {
6440 * Do some sanity checks. We never expect these things to happen in this
6443 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6444 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6445 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6450 /* Now check we're in the right state */
6451 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6455 if ((where & SSL_CB_LOOP) != 0
6456 && !TEST_int_eq(strcmp(SSL_state_string(s),
6457 state[info_cb_this_state].statestr), 0)) {
6463 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6465 if ((where & SSL_CB_HANDSHAKE_DONE)
6466 && SSL_in_init((SSL *)s) != 0) {
6473 * Test the info callback gets called when we expect it to.
6475 * Test 0: TLSv1.2, server
6476 * Test 1: TLSv1.2, client
6477 * Test 2: TLSv1.3, server
6478 * Test 3: TLSv1.3, client
6479 * Test 4: TLSv1.3, server, early_data
6480 * Test 5: TLSv1.3, client, early_data
6482 static int test_info_callback(int tst)
6484 SSL_CTX *cctx = NULL, *sctx = NULL;
6485 SSL *clientssl = NULL, *serverssl = NULL;
6486 SSL_SESSION *clntsess = NULL;
6491 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6492 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6493 || !defined(OPENSSL_NO_DH))
6494 tlsvers = TLS1_2_VERSION;
6499 #ifndef OPENSSL_NO_TLS1_3
6500 tlsvers = TLS1_3_VERSION;
6508 info_cb_this_state = -1;
6509 info_cb_offset = tst;
6511 #ifndef OPENSSL_NO_TLS1_3
6513 SSL_SESSION *sess = NULL;
6514 size_t written, readbytes;
6515 unsigned char buf[80];
6517 /* early_data tests */
6518 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6519 &serverssl, &sess, 0)))
6522 /* We don't actually need this reference */
6523 SSL_SESSION_free(sess);
6525 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6526 sslapi_info_callback);
6528 /* Write and read some early data and then complete the connection */
6529 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6531 || !TEST_size_t_eq(written, strlen(MSG1))
6532 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6533 sizeof(buf), &readbytes),
6534 SSL_READ_EARLY_DATA_SUCCESS)
6535 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6536 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6537 SSL_EARLY_DATA_ACCEPTED)
6538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6540 || !TEST_false(info_cb_failed))
6548 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6549 TLS_client_method(),
6550 tlsvers, tlsvers, &sctx, &cctx, cert,
6555 * For even numbered tests we check the server callbacks. For odd numbers we
6558 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6559 sslapi_info_callback);
6561 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6562 &clientssl, NULL, NULL))
6563 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6565 || !TEST_false(info_cb_failed))
6570 clntsess = SSL_get1_session(clientssl);
6571 SSL_shutdown(clientssl);
6572 SSL_shutdown(serverssl);
6573 SSL_free(serverssl);
6574 SSL_free(clientssl);
6575 serverssl = clientssl = NULL;
6577 /* Now do a resumption */
6578 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6580 || !TEST_true(SSL_set_session(clientssl, clntsess))
6581 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6583 || !TEST_true(SSL_session_reused(clientssl))
6584 || !TEST_false(info_cb_failed))
6590 SSL_free(serverssl);
6591 SSL_free(clientssl);
6592 SSL_SESSION_free(clntsess);
6598 static int test_ssl_pending(int tst)
6600 SSL_CTX *cctx = NULL, *sctx = NULL;
6601 SSL *clientssl = NULL, *serverssl = NULL;
6603 char msg[] = "A test message";
6605 size_t written, readbytes;
6608 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6609 TLS_client_method(),
6611 &sctx, &cctx, cert, privkey)))
6614 #ifndef OPENSSL_NO_DTLS
6615 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6616 DTLS_client_method(),
6618 &sctx, &cctx, cert, privkey)))
6625 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6627 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6631 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6632 || !TEST_false(SSL_has_pending(clientssl))
6633 || !TEST_int_eq(SSL_pending(serverssl), 0)
6634 || !TEST_false(SSL_has_pending(serverssl))
6635 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6636 || !TEST_size_t_eq(written, sizeof(msg))
6637 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6638 || !TEST_size_t_eq(readbytes, sizeof(buf))
6639 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6640 || !TEST_true(SSL_has_pending(clientssl)))
6646 SSL_free(serverssl);
6647 SSL_free(clientssl);
6655 unsigned int maxprot;
6656 const char *clntciphers;
6657 const char *clnttls13ciphers;
6658 const char *srvrciphers;
6659 const char *srvrtls13ciphers;
6661 const char *fipsshared;
6662 } shared_ciphers_data[] = {
6664 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6665 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6667 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6670 "AES128-SHA:AES256-SHA",
6672 "AES256-SHA:DHE-RSA-AES128-SHA",
6677 # if !defined(OPENSSL_NO_CHACHA) \
6678 && !defined(OPENSSL_NO_POLY1305) \
6679 && !defined(OPENSSL_NO_EC)
6682 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6684 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6686 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6692 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6694 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6696 "AES128-SHA:AES256-SHA",
6697 "AES128-SHA:AES256-SHA"
6701 "AES128-SHA:AES256-SHA",
6703 "AES128-SHA:DHE-RSA-AES128-SHA",
6710 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6713 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6714 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6717 "AES128-SHA:AES256-SHA",
6719 "AES256-SHA:AES128-SHA256",
6721 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6722 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6723 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6726 #ifndef OPENSSL_NO_TLS1_3
6730 "TLS_AES_256_GCM_SHA384",
6732 "TLS_AES_256_GCM_SHA384",
6733 "TLS_AES_256_GCM_SHA384",
6734 "TLS_AES_256_GCM_SHA384"
6739 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6741 SSL_CTX *cctx = NULL, *sctx = NULL;
6742 SSL *clientssl = NULL, *serverssl = NULL;
6745 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6747 if (!TEST_ptr(tmplibctx))
6751 * Regardless of whether we're testing with the FIPS provider loaded into
6752 * libctx, we want one peer to always use the full set of ciphersuites
6753 * available. Therefore we use a separate libctx with the default provider
6754 * loaded into it. We run the same tests twice - once with the client side
6755 * having the full set of ciphersuites and once with the server side.
6758 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6759 if (!TEST_ptr(cctx))
6762 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6763 if (!TEST_ptr(sctx))
6767 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6768 TLS_client_method(),
6770 shared_ciphers_data[tst].maxprot,
6771 &sctx, &cctx, cert, privkey)))
6774 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6775 shared_ciphers_data[tst].clntciphers))
6776 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6777 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6778 shared_ciphers_data[tst].clnttls13ciphers)))
6779 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6780 shared_ciphers_data[tst].srvrciphers))
6781 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6782 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6783 shared_ciphers_data[tst].srvrtls13ciphers))))
6787 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6789 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6793 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6794 || !TEST_int_eq(strcmp(buf,
6796 ? shared_ciphers_data[tst].fipsshared
6797 : shared_ciphers_data[tst].shared),
6799 TEST_info("Shared ciphers are: %s\n", buf);
6806 SSL_free(serverssl);
6807 SSL_free(clientssl);
6810 OPENSSL_CTX_free(tmplibctx);
6815 static int test_ssl_get_shared_ciphers(int tst)
6817 return int_test_ssl_get_shared_ciphers(tst, 0)
6818 && int_test_ssl_get_shared_ciphers(tst, 1);
6822 static const char *appdata = "Hello World";
6823 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6824 static int tick_key_renew = 0;
6825 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6827 static int gen_tick_cb(SSL *s, void *arg)
6829 gen_tick_called = 1;
6831 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6835 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6836 const unsigned char *keyname,
6837 size_t keyname_length,
6838 SSL_TICKET_STATUS status,
6844 dec_tick_called = 1;
6846 if (status == SSL_TICKET_EMPTY)
6847 return SSL_TICKET_RETURN_IGNORE_RENEW;
6849 if (!TEST_true(status == SSL_TICKET_SUCCESS
6850 || status == SSL_TICKET_SUCCESS_RENEW))
6851 return SSL_TICKET_RETURN_ABORT;
6853 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6855 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6856 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6857 return SSL_TICKET_RETURN_ABORT;
6859 if (tick_key_cb_called) {
6860 /* Don't change what the ticket key callback wanted to do */
6862 case SSL_TICKET_NO_DECRYPT:
6863 return SSL_TICKET_RETURN_IGNORE_RENEW;
6865 case SSL_TICKET_SUCCESS:
6866 return SSL_TICKET_RETURN_USE;
6868 case SSL_TICKET_SUCCESS_RENEW:
6869 return SSL_TICKET_RETURN_USE_RENEW;
6872 return SSL_TICKET_RETURN_ABORT;
6875 return tick_dec_ret;
6879 #ifndef OPENSSL_NO_DEPRECATED_3_0
6880 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6881 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6882 HMAC_CTX *hctx, int enc)
6884 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6885 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6886 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6887 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6890 tick_key_cb_called = 1;
6891 memset(iv, 0, AES_BLOCK_SIZE);
6892 memset(key_name, 0, 16);
6893 if (aes128cbc == NULL
6895 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6896 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6900 ret = tick_key_renew ? 2 : 1;
6902 EVP_CIPHER_free(aes128cbc);
6903 EVP_MD_free(sha256);
6909 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6910 unsigned char iv[EVP_MAX_IV_LENGTH],
6911 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6913 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6914 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6915 OSSL_PARAM params[3];
6916 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6919 tick_key_cb_called = 1;
6920 memset(iv, 0, AES_BLOCK_SIZE);
6921 memset(key_name, 0, 16);
6922 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6924 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6926 sizeof(tick_hmac_key));
6927 params[2] = OSSL_PARAM_construct_end();
6928 if (aes128cbc == NULL
6929 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6930 || !EVP_MAC_set_ctx_params(hctx, params)
6931 || !EVP_MAC_init(hctx))
6934 ret = tick_key_renew ? 2 : 1;
6936 EVP_CIPHER_free(aes128cbc);
6942 * Test the various ticket callbacks
6943 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6944 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6945 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6946 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6947 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6948 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6949 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6950 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6951 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6952 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6953 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6954 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6955 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6956 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6957 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6958 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6960 static int test_ticket_callbacks(int tst)
6962 SSL_CTX *cctx = NULL, *sctx = NULL;
6963 SSL *clientssl = NULL, *serverssl = NULL;
6964 SSL_SESSION *clntsess = NULL;
6967 #ifdef OPENSSL_NO_TLS1_2
6971 #ifdef OPENSSL_NO_TLS1_3
6975 #ifdef OPENSSL_NO_DEPRECATED_3_0
6976 if (tst >= 8 && tst <= 11)
6980 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6982 /* Which tests the ticket key callback should request renewal for */
6983 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6988 /* Which tests the decrypt ticket callback should request renewal for */
6992 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6997 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7002 tick_dec_ret = SSL_TICKET_RETURN_USE;
7007 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7011 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7014 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7015 TLS_client_method(),
7017 ((tst % 2) == 0) ? TLS1_2_VERSION
7019 &sctx, &cctx, cert, privkey)))
7023 * We only want sessions to resume from tickets - not the session cache. So
7024 * switch the cache off.
7026 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7029 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7034 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7036 #ifndef OPENSSL_NO_DEPRECATED_3_0
7037 } else if (tst >= 8) {
7038 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7043 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7045 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7050 * The decrypt ticket key callback in TLSv1.2 should be called even though
7051 * we have no ticket yet, because it gets called with a status of
7052 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7053 * actually send any ticket data). This does not happen in TLSv1.3 because
7054 * it is not valid to send empty ticket data in TLSv1.3.
7056 if (!TEST_int_eq(gen_tick_called, 1)
7057 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7060 gen_tick_called = dec_tick_called = 0;
7062 clntsess = SSL_get1_session(clientssl);
7063 SSL_shutdown(clientssl);
7064 SSL_shutdown(serverssl);
7065 SSL_free(serverssl);
7066 SSL_free(clientssl);
7067 serverssl = clientssl = NULL;
7069 /* Now do a resumption */
7070 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7072 || !TEST_true(SSL_set_session(clientssl, clntsess))
7073 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7077 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7078 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7079 if (!TEST_false(SSL_session_reused(clientssl)))
7082 if (!TEST_true(SSL_session_reused(clientssl)))
7086 if (!TEST_int_eq(gen_tick_called,
7088 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7089 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7091 || !TEST_int_eq(dec_tick_called, 1))
7097 SSL_SESSION_free(clntsess);
7098 SSL_free(serverssl);
7099 SSL_free(clientssl);
7107 * Test incorrect shutdown.
7108 * Test 0: client does not shutdown properly,
7109 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7110 * server should get SSL_ERROR_SSL
7111 * Test 1: client does not shutdown properly,
7112 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7113 * server should get SSL_ERROR_ZERO_RETURN
7115 static int test_incorrect_shutdown(int tst)
7117 SSL_CTX *cctx = NULL, *sctx = NULL;
7118 SSL *clientssl = NULL, *serverssl = NULL;
7123 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7124 TLS_client_method(), 0, 0,
7125 &sctx, &cctx, cert, privkey)))
7129 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7131 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7135 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7139 c2s = SSL_get_rbio(serverssl);
7140 BIO_set_mem_eof_return(c2s, 0);
7142 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7145 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7147 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7153 SSL_free(serverssl);
7154 SSL_free(clientssl);
7162 * Test bi-directional shutdown.
7164 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7165 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7166 * Test 3: TLSv1.3, pending NewSessionTicket messages
7167 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7168 * sends key update, client reads it
7169 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7170 * sends CertificateRequest, client reads and ignores it
7171 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7174 static int test_shutdown(int tst)
7176 SSL_CTX *cctx = NULL, *sctx = NULL;
7177 SSL *clientssl = NULL, *serverssl = NULL;
7179 char msg[] = "A test message";
7181 size_t written, readbytes;
7184 #ifdef OPENSSL_NO_TLS1_2
7188 #ifdef OPENSSL_NO_TLS1_3
7193 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7194 TLS_client_method(),
7196 (tst <= 1) ? TLS1_2_VERSION
7198 &sctx, &cctx, cert, privkey)))
7202 SSL_CTX_set_post_handshake_auth(cctx, 1);
7204 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7209 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7211 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7212 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7214 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7216 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7217 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7221 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7226 * Reading on the server after the client has sent close_notify should
7227 * fail and provide SSL_ERROR_ZERO_RETURN
7229 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7230 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7231 SSL_ERROR_ZERO_RETURN)
7232 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7233 SSL_RECEIVED_SHUTDOWN)
7235 * Even though we're shutdown on receive we should still be
7238 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7241 && !TEST_true(SSL_key_update(serverssl,
7242 SSL_KEY_UPDATE_REQUESTED)))
7245 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7246 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7249 if ((tst == 4 || tst == 5)
7250 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7252 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7254 if (tst == 4 || tst == 5) {
7255 /* Should still be able to read data from server */
7256 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7258 || !TEST_size_t_eq(readbytes, sizeof(msg))
7259 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7260 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7262 || !TEST_size_t_eq(readbytes, sizeof(msg))
7263 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7268 /* Writing on the client after sending close_notify shouldn't be possible */
7269 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7274 * For these tests the client has sent close_notify but it has not yet
7275 * been received by the server. The server has not sent close_notify
7278 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7280 * Writing on the server after sending close_notify shouldn't
7283 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7284 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7285 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7286 || !TEST_true(SSL_SESSION_is_resumable(sess))
7287 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7289 } else if (tst == 4 || tst == 5) {
7291 * In this test the client has sent close_notify and it has been
7292 * received by the server which has responded with a close_notify. The
7293 * client needs to read the close_notify sent by the server.
7295 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7296 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7297 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7303 * The client has sent close_notify and is expecting a close_notify
7304 * back, but instead there is application data first. The shutdown
7305 * should fail with a fatal error.
7307 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7308 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7315 SSL_free(serverssl);
7316 SSL_free(clientssl);
7323 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7324 static int cert_cb_cnt;
7326 static int cert_cb(SSL *s, void *arg)
7328 SSL_CTX *ctx = (SSL_CTX *)arg;
7330 EVP_PKEY *pkey = NULL;
7331 X509 *x509 = NULL, *rootx = NULL;
7332 STACK_OF(X509) *chain = NULL;
7333 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7336 if (cert_cb_cnt == 0) {
7337 /* Suspend the handshake */
7340 } else if (cert_cb_cnt == 1) {
7342 * Update the SSL_CTX, set the certificate and private key and then
7343 * continue the handshake normally.
7345 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7348 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7349 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7351 || !TEST_true(SSL_check_private_key(s)))
7355 } else if (cert_cb_cnt == 3) {
7358 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7359 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7360 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7361 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7363 chain = sk_X509_new_null();
7364 if (!TEST_ptr(chain))
7366 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7367 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7368 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
7369 || !TEST_true(sk_X509_push(chain, rootx)))
7373 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7374 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7375 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
7378 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7379 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7380 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
7382 rv = SSL_check_chain(s, x509, pkey, chain);
7384 * If the cert doesn't show as valid here (e.g., because we don't
7385 * have any shared sigalgs), then we will not set it, and there will
7386 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7387 * will cause tls_choose_sigalgs() to fail the connection.
7389 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7390 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7391 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7398 /* Abort the handshake */
7400 OPENSSL_free(ecdsacert);
7401 OPENSSL_free(ecdsakey);
7402 OPENSSL_free(rootfile);
7404 EVP_PKEY_free(pkey);
7407 sk_X509_pop_free(chain, X509_free);
7412 * Test the certificate callback.
7413 * Test 0: Callback fails
7414 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7415 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7416 * Test 3: Success - Call SSL_check_chain from the callback
7417 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7419 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7421 static int test_cert_cb_int(int prot, int tst)
7423 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7424 SSL *clientssl = NULL, *serverssl = NULL;
7425 int testresult = 0, ret;
7427 #ifdef OPENSSL_NO_EC
7428 /* We use an EC cert in these tests, so we skip in a no-ec build */
7433 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7434 TLS_client_method(),
7437 &sctx, &cctx, NULL, NULL)))
7448 snictx = SSL_CTX_new(TLS_server_method());
7449 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7451 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7457 * We cause SSL_check_chain() to fail by specifying sig_algs that
7458 * the chain doesn't meet (the root uses an RSA cert)
7460 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7461 "ecdsa_secp256r1_sha256")))
7463 } else if (tst == 5) {
7465 * We cause SSL_check_chain() to fail by specifying sig_algs that
7466 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7468 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7469 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7473 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7474 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7476 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7483 SSL_free(serverssl);
7484 SSL_free(clientssl);
7487 SSL_CTX_free(snictx);
7493 static int test_cert_cb(int tst)
7497 #ifndef OPENSSL_NO_TLS1_2
7498 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7500 #ifndef OPENSSL_NO_TLS1_3
7501 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7507 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7513 /* Check that SSL_get_peer_certificate() returns something sensible */
7514 peer = SSL_get_peer_certificate(ssl);
7515 if (!TEST_ptr(peer))
7519 in = BIO_new_file(cert, "r");
7523 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
7525 if (!TEST_ptr(xcert))
7528 in = BIO_new_file(privkey, "r");
7529 if (!TEST_ptr(in)) {
7534 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
7536 if (!TEST_ptr(privpkey)) {
7547 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7552 static int test_client_cert_cb(int tst)
7554 SSL_CTX *cctx = NULL, *sctx = NULL;
7555 SSL *clientssl = NULL, *serverssl = NULL;
7558 #ifdef OPENSSL_NO_TLS1_2
7562 #ifdef OPENSSL_NO_TLS1_3
7567 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7568 TLS_client_method(),
7570 tst == 0 ? TLS1_2_VERSION
7572 &sctx, &cctx, cert, privkey)))
7576 * Test that setting a client_cert_cb results in a client certificate being
7579 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7580 SSL_CTX_set_verify(sctx,
7581 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7584 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7586 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7593 SSL_free(serverssl);
7594 SSL_free(clientssl);
7601 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7603 * Test setting certificate authorities on both client and server.
7605 * Test 0: SSL_CTX_set0_CA_list() only
7606 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7607 * Test 2: Only SSL_CTX_set_client_CA_list()
7609 static int test_ca_names_int(int prot, int tst)
7611 SSL_CTX *cctx = NULL, *sctx = NULL;
7612 SSL *clientssl = NULL, *serverssl = NULL;
7615 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7616 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7617 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7618 const STACK_OF(X509_NAME) *sktmp = NULL;
7620 for (i = 0; i < OSSL_NELEM(name); i++) {
7621 name[i] = X509_NAME_new();
7622 if (!TEST_ptr(name[i])
7623 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7631 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7632 TLS_client_method(),
7635 &sctx, &cctx, cert, privkey)))
7638 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7640 if (tst == 0 || tst == 1) {
7641 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7642 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7643 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7644 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7645 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7646 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7649 SSL_CTX_set0_CA_list(sctx, sk1);
7650 SSL_CTX_set0_CA_list(cctx, sk2);
7653 if (tst == 1 || tst == 2) {
7654 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7655 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7656 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7657 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7658 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7659 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7662 SSL_CTX_set_client_CA_list(sctx, sk1);
7663 SSL_CTX_set_client_CA_list(cctx, sk2);
7667 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7669 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7674 * We only expect certificate authorities to have been sent to the server
7675 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7677 sktmp = SSL_get0_peer_CA_list(serverssl);
7678 if (prot == TLS1_3_VERSION
7679 && (tst == 0 || tst == 1)) {
7680 if (!TEST_ptr(sktmp)
7681 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7682 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7684 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7687 } else if (!TEST_ptr_null(sktmp)) {
7692 * In all tests we expect certificate authorities to have been sent to the
7693 * client. However, SSL_set_client_CA_list() should override
7694 * SSL_set0_CA_list()
7696 sktmp = SSL_get0_peer_CA_list(clientssl);
7697 if (!TEST_ptr(sktmp)
7698 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7699 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7700 name[tst == 0 ? 0 : 2]), 0)
7701 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7702 name[tst == 0 ? 1 : 3]), 0))
7708 SSL_free(serverssl);
7709 SSL_free(clientssl);
7712 for (i = 0; i < OSSL_NELEM(name); i++)
7713 X509_NAME_free(name[i]);
7714 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7715 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7721 static int test_ca_names(int tst)
7725 #ifndef OPENSSL_NO_TLS1_2
7726 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7728 #ifndef OPENSSL_NO_TLS1_3
7729 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7735 #ifndef OPENSSL_NO_TLS1_2
7736 static const char *multiblock_cipherlist_data[]=
7744 /* Reduce the fragment size - so the multiblock test buffer can be small */
7745 # define MULTIBLOCK_FRAGSIZE 512
7747 static int test_multiblock_write(int test_index)
7749 static const char *fetchable_ciphers[]=
7751 "AES-128-CBC-HMAC-SHA1",
7752 "AES-128-CBC-HMAC-SHA256",
7753 "AES-256-CBC-HMAC-SHA1",
7754 "AES-256-CBC-HMAC-SHA256"
7756 const char *cipherlist = multiblock_cipherlist_data[test_index];
7757 const SSL_METHOD *smeth = TLS_server_method();
7758 const SSL_METHOD *cmeth = TLS_client_method();
7759 int min_version = TLS1_VERSION;
7760 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7761 SSL_CTX *cctx = NULL, *sctx = NULL;
7762 SSL *clientssl = NULL, *serverssl = NULL;
7766 * Choose a buffer large enough to perform a multi-block operation
7767 * i.e: write_len >= 4 * frag_size
7768 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7770 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7771 unsigned char buf[sizeof(msg)], *p = buf;
7772 size_t readbytes, written, len;
7773 EVP_CIPHER *ciph = NULL;
7776 * Check if the cipher exists before attempting to use it since it only has
7777 * a hardware specific implementation.
7779 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7781 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7784 EVP_CIPHER_free(ciph);
7786 /* Set up a buffer with some data that will be sent to the client */
7787 RAND_bytes(msg, sizeof(msg));
7789 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7790 max_version, &sctx, &cctx, cert,
7794 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7801 /* settings to force it to use AES-CBC-HMAC_SHA */
7802 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7803 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7806 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7809 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7810 || !TEST_size_t_eq(written, sizeof(msg)))
7815 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7820 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7825 SSL_free(serverssl);
7826 SSL_free(clientssl);
7832 #endif /* OPENSSL_NO_TLS1_2 */
7835 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7836 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7837 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7838 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7839 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7840 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7841 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7842 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7843 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7844 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7846 static int test_servername(int tst)
7848 SSL_CTX *cctx = NULL, *sctx = NULL;
7849 SSL *clientssl = NULL, *serverssl = NULL;
7851 SSL_SESSION *sess = NULL;
7852 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7854 #ifdef OPENSSL_NO_TLS1_2
7858 #ifdef OPENSSL_NO_TLS1_3
7863 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7864 TLS_client_method(),
7866 (tst <= 4) ? TLS1_2_VERSION
7868 &sctx, &cctx, cert, privkey))
7869 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7873 if (tst != 1 && tst != 6) {
7874 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7879 if (tst != 3 && tst != 8) {
7880 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7882 sexpectedhost = cexpectedhost = "goodhost";
7885 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7888 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7890 || !TEST_str_eq(SSL_get_servername(serverssl,
7891 TLSEXT_NAMETYPE_host_name),
7895 /* Now repeat with a resumption handshake */
7897 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7898 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7899 || !TEST_true(SSL_SESSION_is_resumable(sess))
7900 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7903 SSL_free(clientssl);
7904 SSL_free(serverssl);
7905 clientssl = serverssl = NULL;
7907 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7911 if (!TEST_true(SSL_set_session(clientssl, sess)))
7914 sexpectedhost = cexpectedhost = "goodhost";
7915 if (tst == 2 || tst == 7) {
7916 /* Set an inconsistent hostname */
7917 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7920 * In TLSv1.2 we expect the hostname from the original handshake, in
7921 * TLSv1.3 we expect the hostname from this handshake
7924 sexpectedhost = cexpectedhost = "altgoodhost";
7926 if (!TEST_str_eq(SSL_get_servername(clientssl,
7927 TLSEXT_NAMETYPE_host_name),
7930 } else if (tst == 4 || tst == 9) {
7932 * A TLSv1.3 session does not associate a session with a servername,
7933 * but a TLSv1.2 session does.
7936 sexpectedhost = cexpectedhost = NULL;
7938 if (!TEST_str_eq(SSL_get_servername(clientssl,
7939 TLSEXT_NAMETYPE_host_name),
7943 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7946 * In a TLSv1.2 resumption where the hostname was not acknowledged
7947 * we expect the hostname on the server to be empty. On the client we
7948 * return what was requested in this case.
7950 * Similarly if the client didn't set a hostname on an original TLSv1.2
7951 * session but is now, the server hostname will be empty, but the client
7954 if (tst == 1 || tst == 3)
7955 sexpectedhost = NULL;
7957 if (!TEST_str_eq(SSL_get_servername(clientssl,
7958 TLSEXT_NAMETYPE_host_name),
7963 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7966 if (!TEST_true(SSL_session_reused(clientssl))
7967 || !TEST_true(SSL_session_reused(serverssl))
7968 || !TEST_str_eq(SSL_get_servername(clientssl,
7969 TLSEXT_NAMETYPE_host_name),
7971 || !TEST_str_eq(SSL_get_servername(serverssl,
7972 TLSEXT_NAMETYPE_host_name),
7979 SSL_SESSION_free(sess);
7980 SSL_free(serverssl);
7981 SSL_free(clientssl);
7988 #ifndef OPENSSL_NO_EC
7990 * Test that if signature algorithms are not available, then we do not offer or
7992 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7993 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7994 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7995 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7996 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7997 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7999 static int test_sigalgs_available(int idx)
8001 SSL_CTX *cctx = NULL, *sctx = NULL;
8002 SSL *clientssl = NULL, *serverssl = NULL;
8004 OPENSSL_CTX *tmpctx = OPENSSL_CTX_new();
8005 OPENSSL_CTX *clientctx = libctx, *serverctx = libctx;
8006 OSSL_PROVIDER *filterprov = NULL;
8009 if (!TEST_ptr(tmpctx))
8012 if (idx != 0 && idx != 3) {
8013 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8014 filter_provider_init)))
8017 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8018 if (!TEST_ptr(filterprov))
8023 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8024 * or accepted for the peer that uses this libctx. Note that libssl
8025 * *requires* SHA2-256 to be available so we cannot disable that. We
8026 * also need SHA1 for our certificate.
8028 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8032 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8034 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8039 if (idx == 1 || idx == 4)
8045 cctx = SSL_CTX_new_with_libctx(clientctx, NULL, TLS_client_method());
8046 sctx = SSL_CTX_new_with_libctx(serverctx, NULL, TLS_server_method());
8047 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8050 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8051 TLS_client_method(),
8054 &sctx, &cctx, cert, privkey)))
8058 if (!SSL_CTX_set1_sigalgs_list(cctx,
8059 "rsa_pss_rsae_sha384"
8060 ":rsa_pss_rsae_sha256")
8061 || !SSL_CTX_set1_sigalgs_list(sctx,
8062 "rsa_pss_rsae_sha384"
8063 ":rsa_pss_rsae_sha256"))
8066 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8067 || !SSL_CTX_set1_sigalgs_list(sctx,
8068 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8072 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8073 SSL_FILETYPE_PEM), 1)
8074 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8076 SSL_FILETYPE_PEM), 1)
8077 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
8080 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8084 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8087 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8088 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8090 (idx == 0 || idx == 3) ? 2 : 1))
8093 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8096 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8103 SSL_free(serverssl);
8104 SSL_free(clientssl);
8107 OSSL_PROVIDER_unload(filterprov);
8108 OPENSSL_CTX_free(tmpctx);
8112 #endif /* OPENSSL_NO_EC */
8114 #ifndef OPENSSL_NO_TLS1_3
8115 static int test_pluggable_group(void)
8117 SSL_CTX *cctx = NULL, *sctx = NULL;
8118 SSL *clientssl = NULL, *serverssl = NULL;
8120 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8122 if (!TEST_ptr(tlsprov))
8125 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8126 TLS_client_method(),
8129 &sctx, &cctx, cert, privkey))
8130 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8134 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
8135 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
8138 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8144 SSL_free(serverssl);
8145 SSL_free(clientssl);
8148 OSSL_PROVIDER_unload(tlsprov);
8154 #ifndef OPENSSL_NO_TLS1_2
8155 static int test_ssl_dup(void)
8157 SSL_CTX *cctx = NULL, *sctx = NULL;
8158 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8160 BIO *rbio = NULL, *wbio = NULL;
8162 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8163 TLS_client_method(),
8166 &sctx, &cctx, cert, privkey)))
8169 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8173 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8174 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8177 client2ssl = SSL_dup(clientssl);
8178 rbio = SSL_get_rbio(clientssl);
8180 || !TEST_true(BIO_up_ref(rbio)))
8182 SSL_set0_rbio(client2ssl, rbio);
8185 wbio = SSL_get_wbio(clientssl);
8186 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8188 SSL_set0_wbio(client2ssl, wbio);
8191 if (!TEST_ptr(client2ssl)
8192 /* Handshake not started so pointers should be different */
8193 || !TEST_ptr_ne(clientssl, client2ssl))
8196 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8197 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8200 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8203 SSL_free(clientssl);
8204 clientssl = SSL_dup(client2ssl);
8205 if (!TEST_ptr(clientssl)
8206 /* Handshake has finished so pointers should be the same */
8207 || !TEST_ptr_eq(clientssl, client2ssl))
8213 SSL_free(serverssl);
8214 SSL_free(clientssl);
8215 SSL_free(client2ssl);
8223 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
8225 int setup_tests(void)
8230 libctx = OPENSSL_CTX_new();
8231 if (!TEST_ptr(libctx))
8234 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8237 * Verify that the default and fips providers in the default libctx are not
8240 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8241 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8244 if (!test_skip_common_options()) {
8245 TEST_error("Error parsing test options\n");
8249 if (!TEST_ptr(certsdir = test_get_argument(0))
8250 || !TEST_ptr(srpvfile = test_get_argument(1))
8251 || !TEST_ptr(tmpfilename = test_get_argument(2))
8252 || !TEST_ptr(modulename = test_get_argument(3))
8253 || !TEST_ptr(configfile = test_get_argument(4)))
8256 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
8259 /* Check we have the expected provider available */
8260 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8263 /* Check the default provider is not available */
8264 if (strcmp(modulename, "default") != 0
8265 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
8268 if (strcmp(modulename, "fips") == 0)
8272 * We add, but don't load the test "tls-provider". We'll load it when we
8275 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8276 tls_provider_init)))
8280 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8281 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
8282 TEST_error("not supported in this build");
8285 int i, mcount, rcount, fcount;
8287 for (i = 0; i < 4; i++)
8288 test_export_key_mat(i);
8289 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8290 test_printf_stdout("malloc %d realloc %d free %d\n",
8291 mcount, rcount, fcount);
8296 cert = test_mk_file_path(certsdir, "servercert.pem");
8300 privkey = test_mk_file_path(certsdir, "serverkey.pem");
8301 if (privkey == NULL)
8304 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8308 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8309 if (privkey2 == NULL)
8312 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8313 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
8314 ADD_ALL_TESTS(test_ktls, 32);
8315 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
8318 ADD_TEST(test_large_message_tls);
8319 ADD_TEST(test_large_message_tls_read_ahead);
8320 #ifndef OPENSSL_NO_DTLS
8321 ADD_TEST(test_large_message_dtls);
8323 #ifndef OPENSSL_NO_OCSP
8324 ADD_TEST(test_tlsext_status_type);
8326 ADD_TEST(test_session_with_only_int_cache);
8327 ADD_TEST(test_session_with_only_ext_cache);
8328 ADD_TEST(test_session_with_both_cache);
8329 ADD_TEST(test_session_wo_ca_names);
8330 #ifndef OPENSSL_NO_TLS1_3
8331 ADD_ALL_TESTS(test_stateful_tickets, 3);
8332 ADD_ALL_TESTS(test_stateless_tickets, 3);
8333 ADD_TEST(test_psk_tickets);
8334 ADD_ALL_TESTS(test_extra_tickets, 6);
8336 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
8337 ADD_TEST(test_ssl_bio_pop_next_bio);
8338 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8339 ADD_TEST(test_ssl_bio_change_rbio);
8340 ADD_TEST(test_ssl_bio_change_wbio);
8341 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
8342 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
8343 ADD_TEST(test_keylog);
8345 #ifndef OPENSSL_NO_TLS1_3
8346 ADD_TEST(test_keylog_no_master_key);
8348 #ifndef OPENSSL_NO_TLS1_2
8349 ADD_TEST(test_client_hello_cb);
8350 ADD_TEST(test_no_ems);
8351 ADD_TEST(test_ccs_change_cipher);
8353 #ifndef OPENSSL_NO_TLS1_3
8354 ADD_ALL_TESTS(test_early_data_read_write, 3);
8356 * We don't do replay tests for external PSK. Replay protection isn't used
8359 ADD_ALL_TESTS(test_early_data_replay, 2);
8360 ADD_ALL_TESTS(test_early_data_skip, 3);
8361 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
8362 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
8363 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
8364 ADD_ALL_TESTS(test_early_data_not_sent, 3);
8365 ADD_ALL_TESTS(test_early_data_psk, 8);
8366 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
8367 ADD_ALL_TESTS(test_early_data_not_expected, 3);
8368 # ifndef OPENSSL_NO_TLS1_2
8369 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
8372 #ifndef OPENSSL_NO_TLS1_3
8373 ADD_ALL_TESTS(test_set_ciphersuite, 10);
8374 ADD_TEST(test_ciphersuite_change);
8375 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8376 # ifdef OPENSSL_NO_PSK
8377 ADD_ALL_TESTS(test_tls13_psk, 1);
8379 ADD_ALL_TESTS(test_tls13_psk, 4);
8380 # endif /* OPENSSL_NO_PSK */
8381 # ifndef OPENSSL_NO_TLS1_2
8382 /* Test with both TLSv1.3 and 1.2 versions */
8383 ADD_ALL_TESTS(test_key_exchange, 14);
8385 /* Test with only TLSv1.3 versions */
8386 ADD_ALL_TESTS(test_key_exchange, 12);
8388 ADD_ALL_TESTS(test_custom_exts, 5);
8389 ADD_TEST(test_stateless);
8390 ADD_TEST(test_pha_key_update);
8392 ADD_ALL_TESTS(test_custom_exts, 3);
8394 ADD_ALL_TESTS(test_serverinfo, 8);
8395 ADD_ALL_TESTS(test_export_key_mat, 6);
8396 #ifndef OPENSSL_NO_TLS1_3
8397 ADD_ALL_TESTS(test_export_key_mat_early, 3);
8398 ADD_TEST(test_key_update);
8399 ADD_ALL_TESTS(test_key_update_in_write, 2);
8401 ADD_ALL_TESTS(test_ssl_clear, 2);
8402 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
8403 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8404 ADD_ALL_TESTS(test_srp, 6);
8406 ADD_ALL_TESTS(test_info_callback, 6);
8407 ADD_ALL_TESTS(test_ssl_pending, 2);
8408 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
8409 ADD_ALL_TESTS(test_ticket_callbacks, 16);
8410 ADD_ALL_TESTS(test_shutdown, 7);
8411 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
8412 ADD_ALL_TESTS(test_cert_cb, 6);
8413 ADD_ALL_TESTS(test_client_cert_cb, 2);
8414 ADD_ALL_TESTS(test_ca_names, 3);
8415 #ifndef OPENSSL_NO_TLS1_2
8416 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8418 ADD_ALL_TESTS(test_servername, 10);
8419 #ifndef OPENSSL_NO_EC
8420 ADD_ALL_TESTS(test_sigalgs_available, 6);
8422 #ifndef OPENSSL_NO_TLS1_3
8423 ADD_TEST(test_pluggable_group);
8425 #ifndef OPENSSL_NO_TLS1_2
8426 ADD_TEST(test_ssl_dup);
8432 OPENSSL_free(privkey);
8433 OPENSSL_free(cert2);
8434 OPENSSL_free(privkey2);
8438 void cleanup_tests(void)
8441 OPENSSL_free(privkey);
8442 OPENSSL_free(cert2);
8443 OPENSSL_free(privkey2);
8444 bio_s_mempacket_test_free();
8445 bio_s_always_retry_free();
8446 OSSL_PROVIDER_unload(defctxnull);
8447 OPENSSL_CTX_free(libctx);