2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
34 #include "ssltestlib.h"
36 #include "testutil/output.h"
37 #include "internal/nelem.h"
38 #include "internal/ktls.h"
39 #include "../ssl/ssl_local.h"
41 /* Defined in filterprov.c */
42 OSSL_provider_init_fn filter_provider_init;
43 int filter_provider_set_filter(int operation, const char *name);
45 /* Defined in tls-provider.c */
46 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
47 const OSSL_DISPATCH *in,
48 const OSSL_DISPATCH **out,
50 DEFINE_STACK_OF(OCSP_RESPID)
52 DEFINE_STACK_OF(X509_NAME)
54 static OPENSSL_CTX *libctx = NULL;
55 static OSSL_PROVIDER *defctxnull = NULL;
57 #ifndef OPENSSL_NO_TLS1_3
59 static SSL_SESSION *clientpsk = NULL;
60 static SSL_SESSION *serverpsk = NULL;
61 static const char *pskid = "Identity";
62 static const char *srvid;
64 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
65 size_t *idlen, SSL_SESSION **sess);
66 static int find_session_cb(SSL *ssl, const unsigned char *identity,
67 size_t identity_len, SSL_SESSION **sess);
69 static int use_session_cb_cnt = 0;
70 static int find_session_cb_cnt = 0;
72 static SSL_SESSION *create_a_psk(SSL *ssl);
75 static char *certsdir = NULL;
76 static char *cert = NULL;
77 static char *privkey = NULL;
78 static char *cert2 = NULL;
79 static char *privkey2 = NULL;
80 static char *srpvfile = NULL;
81 static char *tmpfilename = NULL;
83 static int is_fips = 0;
85 #define LOG_BUFFER_SIZE 2048
86 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
87 static size_t server_log_buffer_index = 0;
88 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
89 static size_t client_log_buffer_index = 0;
90 static int error_writing_log = 0;
92 #ifndef OPENSSL_NO_OCSP
93 static const unsigned char orespder[] = "Dummy OCSP Response";
94 static int ocsp_server_called = 0;
95 static int ocsp_client_called = 0;
97 static int cdummyarg = 1;
98 static X509 *ocspcert = NULL;
101 #define NUM_EXTRA_CERTS 40
102 #define CLIENT_VERSION_LEN 2
105 * This structure is used to validate that the correct number of log messages
106 * of various types are emitted when emitting secret logs.
108 struct sslapitest_log_counts {
109 unsigned int rsa_key_exchange_count;
110 unsigned int master_secret_count;
111 unsigned int client_early_secret_count;
112 unsigned int client_handshake_secret_count;
113 unsigned int server_handshake_secret_count;
114 unsigned int client_application_secret_count;
115 unsigned int server_application_secret_count;
116 unsigned int early_exporter_secret_count;
117 unsigned int exporter_secret_count;
121 static unsigned char serverinfov1[] = {
122 0xff, 0xff, /* Dummy extension type */
123 0x00, 0x01, /* Extension length is 1 byte */
124 0xff /* Dummy extension data */
127 static unsigned char serverinfov2[] = {
129 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
130 0xff, 0xff, /* Dummy extension type */
131 0x00, 0x01, /* Extension length is 1 byte */
132 0xff /* Dummy extension data */
135 static int hostname_cb(SSL *s, int *al, void *arg)
137 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
139 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
140 || strcmp(hostname, "altgoodhost") == 0))
141 return SSL_TLSEXT_ERR_OK;
143 return SSL_TLSEXT_ERR_NOACK;
146 static void client_keylog_callback(const SSL *ssl, const char *line)
148 int line_length = strlen(line);
150 /* If the log doesn't fit, error out. */
151 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
152 TEST_info("Client log too full");
153 error_writing_log = 1;
157 strcat(client_log_buffer, line);
158 client_log_buffer_index += line_length;
159 client_log_buffer[client_log_buffer_index++] = '\n';
162 static void server_keylog_callback(const SSL *ssl, const char *line)
164 int line_length = strlen(line);
166 /* If the log doesn't fit, error out. */
167 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
168 TEST_info("Server log too full");
169 error_writing_log = 1;
173 strcat(server_log_buffer, line);
174 server_log_buffer_index += line_length;
175 server_log_buffer[server_log_buffer_index++] = '\n';
178 static int compare_hex_encoded_buffer(const char *hex_encoded,
186 if (!TEST_size_t_eq(raw_length * 2, hex_length))
189 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
190 sprintf(hexed, "%02x", raw[i]);
191 if (!TEST_int_eq(hexed[0], hex_encoded[j])
192 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
199 static int test_keylog_output(char *buffer, const SSL *ssl,
200 const SSL_SESSION *session,
201 struct sslapitest_log_counts *expected)
204 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
205 size_t client_random_size = SSL3_RANDOM_SIZE;
206 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
207 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
208 unsigned int rsa_key_exchange_count = 0;
209 unsigned int master_secret_count = 0;
210 unsigned int client_early_secret_count = 0;
211 unsigned int client_handshake_secret_count = 0;
212 unsigned int server_handshake_secret_count = 0;
213 unsigned int client_application_secret_count = 0;
214 unsigned int server_application_secret_count = 0;
215 unsigned int early_exporter_secret_count = 0;
216 unsigned int exporter_secret_count = 0;
218 for (token = strtok(buffer, " \n"); token != NULL;
219 token = strtok(NULL, " \n")) {
220 if (strcmp(token, "RSA") == 0) {
222 * Premaster secret. Tokens should be: 16 ASCII bytes of
223 * hex-encoded encrypted secret, then the hex-encoded pre-master
226 if (!TEST_ptr(token = strtok(NULL, " \n")))
228 if (!TEST_size_t_eq(strlen(token), 16))
230 if (!TEST_ptr(token = strtok(NULL, " \n")))
233 * We can't sensibly check the log because the premaster secret is
234 * transient, and OpenSSL doesn't keep hold of it once the master
235 * secret is generated.
237 rsa_key_exchange_count++;
238 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
240 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
241 * client random, then the hex-encoded master secret.
243 client_random_size = SSL_get_client_random(ssl,
244 actual_client_random,
246 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
249 if (!TEST_ptr(token = strtok(NULL, " \n")))
251 if (!TEST_size_t_eq(strlen(token), 64))
253 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
254 actual_client_random,
255 client_random_size)))
258 if (!TEST_ptr(token = strtok(NULL, " \n")))
260 master_key_size = SSL_SESSION_get_master_key(session,
263 if (!TEST_size_t_ne(master_key_size, 0))
265 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 master_secret_count++;
270 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
271 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
272 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
273 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
274 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
275 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
276 || strcmp(token, "EXPORTER_SECRET") == 0) {
278 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
279 * client random, and then the hex-encoded secret. In this case,
280 * we treat all of these secrets identically and then just
281 * distinguish between them when counting what we saw.
283 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
284 client_early_secret_count++;
285 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
286 client_handshake_secret_count++;
287 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
288 server_handshake_secret_count++;
289 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
290 client_application_secret_count++;
291 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
292 server_application_secret_count++;
293 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
294 early_exporter_secret_count++;
295 else if (strcmp(token, "EXPORTER_SECRET") == 0)
296 exporter_secret_count++;
298 client_random_size = SSL_get_client_random(ssl,
299 actual_client_random,
301 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
304 if (!TEST_ptr(token = strtok(NULL, " \n")))
306 if (!TEST_size_t_eq(strlen(token), 64))
308 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
309 actual_client_random,
310 client_random_size)))
313 if (!TEST_ptr(token = strtok(NULL, " \n")))
317 * TODO(TLS1.3): test that application traffic secrets are what
320 TEST_info("Unexpected token %s\n", token);
325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
339 expected->server_application_secret_count)
340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
348 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
349 static int test_keylog(void)
351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
354 struct sslapitest_log_counts expected;
356 /* Clean up logging space */
357 memset(&expected, 0, sizeof(expected));
358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
367 &sctx, &cctx, cert, privkey)))
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
374 /* We also want to ensure that we use RSA-based key exchange. */
375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
401 * Now we want to test that our output data was vaguely sensible. We
402 * do that by using strtok and confirming that we have more or less the
403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see a RSA key exchange.
406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
412 expected.rsa_key_exchange_count = 0;
413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
429 #ifndef OPENSSL_NO_TLS1_3
430 static int test_keylog_no_master_key(void)
432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
434 SSL_SESSION *sess = NULL;
436 struct sslapitest_log_counts expected;
437 unsigned char buf[1];
438 size_t readbytes, written;
440 /* Clean up logging space */
441 memset(&expected, 0, sizeof(expected));
442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
452 SSL3_RT_MAX_PLAIN_LENGTH)))
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
474 || !TEST_false(error_writing_log))
478 * Now we want to test that our output data was vaguely sensible. For this
479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
480 * TLSv1.3, but we do expect both client and server to emit keys.
482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
486 expected.exporter_secret_count = 1;
487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
500 serverssl = clientssl = NULL;
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
520 || !TEST_true(SSL_session_reused(clientssl)))
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
525 expected.early_exporter_secret_count = 1;
526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
536 SSL_SESSION_free(sess);
546 #ifndef OPENSSL_NO_TLS1_2
547 static int full_client_hello_callback(SSL *s, int *al, void *arg)
550 const unsigned char *p;
552 /* We only configure two ciphers, but the SCSV is added automatically. */
554 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
556 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
559 const int expected_extensions[] = {
560 #ifndef OPENSSL_NO_EC
566 /* Make sure we can defer processing and get called back. */
568 return SSL_CLIENT_HELLO_RETRY;
570 len = SSL_client_hello_get0_ciphers(s, &p);
571 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
573 SSL_client_hello_get0_compression_methods(s, &p), 1)
574 || !TEST_int_eq(*p, 0))
575 return SSL_CLIENT_HELLO_ERROR;
576 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
577 return SSL_CLIENT_HELLO_ERROR;
578 if (len != OSSL_NELEM(expected_extensions) ||
579 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
580 printf("ClientHello callback expected extensions mismatch\n");
582 return SSL_CLIENT_HELLO_ERROR;
585 return SSL_CLIENT_HELLO_SUCCESS;
588 static int test_client_hello_cb(void)
590 SSL_CTX *cctx = NULL, *sctx = NULL;
591 SSL *clientssl = NULL, *serverssl = NULL;
592 int testctr = 0, testresult = 0;
594 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
595 TLS_client_method(), TLS1_VERSION, 0,
596 &sctx, &cctx, cert, privkey)))
598 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
600 /* The gimpy cipher list we configure can't do TLS 1.3. */
601 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
603 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
604 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
605 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
606 &clientssl, NULL, NULL))
607 || !TEST_false(create_ssl_connection(serverssl, clientssl,
608 SSL_ERROR_WANT_CLIENT_HELLO_CB))
610 * Passing a -1 literal is a hack since
611 * the real value was lost.
613 || !TEST_int_eq(SSL_get_error(serverssl, -1),
614 SSL_ERROR_WANT_CLIENT_HELLO_CB)
615 || !TEST_true(create_ssl_connection(serverssl, clientssl,
630 static int test_no_ems(void)
632 SSL_CTX *cctx = NULL, *sctx = NULL;
633 SSL *clientssl = NULL, *serverssl = NULL;
636 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
637 TLS1_VERSION, TLS1_2_VERSION,
638 &sctx, &cctx, cert, privkey)) {
639 printf("Unable to create SSL_CTX pair\n");
643 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
645 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
646 printf("Unable to create SSL objects\n");
650 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
651 printf("Creating SSL connection failed\n");
655 if (SSL_get_extms_support(serverssl)) {
656 printf("Server reports Extended Master Secret support\n");
660 if (SSL_get_extms_support(clientssl)) {
661 printf("Client reports Extended Master Secret support\n");
676 * Very focused test to exercise a single case in the server-side state
677 * machine, when the ChangeCipherState message needs to actually change
678 * from one cipher to a different cipher (i.e., not changing from null
679 * encryption to real encryption).
681 static int test_ccs_change_cipher(void)
683 SSL_CTX *cctx = NULL, *sctx = NULL;
684 SSL *clientssl = NULL, *serverssl = NULL;
685 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
692 * Create a conection so we can resume and potentially (but not) use
693 * a different cipher in the second connection.
695 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
697 TLS1_VERSION, TLS1_2_VERSION,
698 &sctx, &cctx, cert, privkey))
699 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
700 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
702 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
703 || !TEST_true(create_ssl_connection(serverssl, clientssl,
705 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
706 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
709 shutdown_ssl_connection(serverssl, clientssl);
710 serverssl = clientssl = NULL;
712 /* Resume, preferring a different cipher. Our server will force the
713 * same cipher to be used as the initial handshake. */
714 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
716 || !TEST_true(SSL_set_session(clientssl, sess))
717 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
718 || !TEST_true(create_ssl_connection(serverssl, clientssl,
720 || !TEST_true(SSL_session_reused(clientssl))
721 || !TEST_true(SSL_session_reused(serverssl))
722 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
723 || !TEST_ptr_eq(sesspre, sesspost)
724 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
725 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
727 shutdown_ssl_connection(serverssl, clientssl);
728 serverssl = clientssl = NULL;
731 * Now create a fresh connection and try to renegotiate a different
734 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
736 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
737 || !TEST_true(create_ssl_connection(serverssl, clientssl,
739 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
740 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
741 || !TEST_true(SSL_renegotiate(clientssl))
742 || !TEST_true(SSL_renegotiate_pending(clientssl)))
744 /* Actually drive the renegotiation. */
745 for (i = 0; i < 3; i++) {
746 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
747 if (!TEST_ulong_eq(readbytes, 0))
749 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
750 SSL_ERROR_WANT_READ)) {
753 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
754 if (!TEST_ulong_eq(readbytes, 0))
756 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
757 SSL_ERROR_WANT_READ)) {
761 /* sesspre and sesspost should be different since the cipher changed. */
762 if (!TEST_false(SSL_renegotiate_pending(clientssl))
763 || !TEST_false(SSL_session_reused(clientssl))
764 || !TEST_false(SSL_session_reused(serverssl))
765 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
766 || !TEST_ptr_ne(sesspre, sesspost)
767 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
768 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
771 shutdown_ssl_connection(serverssl, clientssl);
772 serverssl = clientssl = NULL;
781 SSL_SESSION_free(sess);
787 static int execute_test_large_message(const SSL_METHOD *smeth,
788 const SSL_METHOD *cmeth,
789 int min_version, int max_version,
792 SSL_CTX *cctx = NULL, *sctx = NULL;
793 SSL *clientssl = NULL, *serverssl = NULL;
797 X509 *chaincert = NULL;
800 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
802 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
805 if (!TEST_ptr(chaincert))
808 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
809 max_version, &sctx, &cctx, cert,
815 * Test that read_ahead works correctly when dealing with large
818 SSL_CTX_set_read_ahead(cctx, 1);
822 * We assume the supplied certificate is big enough so that if we add
823 * NUM_EXTRA_CERTS it will make the overall message large enough. The
824 * default buffer size is requested to be 16k, but due to the way BUF_MEM
825 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
826 * test we need to have a message larger than that.
828 certlen = i2d_X509(chaincert, NULL);
829 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
830 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
831 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
832 if (!X509_up_ref(chaincert))
834 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
835 X509_free(chaincert);
840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
842 || !TEST_true(create_ssl_connection(serverssl, clientssl,
847 * Calling SSL_clear() first is not required but this tests that SSL_clear()
850 if (!TEST_true(SSL_clear(serverssl)))
855 X509_free(chaincert);
864 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
865 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
866 #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
867 /* sock must be connected */
868 static int ktls_chk_platform(int sock)
870 if (!ktls_enable(sock))
875 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
877 static char count = 1;
878 unsigned char cbuf[16000] = {0};
879 unsigned char sbuf[16000];
881 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
882 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
883 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
884 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
885 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
886 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
887 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
888 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
891 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
892 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
893 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
894 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
896 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
899 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
900 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
905 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
908 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
909 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
914 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
915 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
916 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
917 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
919 /* verify the payload */
920 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
923 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
924 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
925 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
926 crec_wseq_after, rec_seq_size))
929 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
930 crec_wseq_after, rec_seq_size))
934 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
935 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
936 srec_wseq_after, rec_seq_size))
939 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
940 srec_wseq_after, rec_seq_size))
944 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
945 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
946 crec_rseq_after, rec_seq_size))
949 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
950 crec_rseq_after, rec_seq_size))
954 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
955 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
956 srec_rseq_after, rec_seq_size))
959 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
960 srec_rseq_after, rec_seq_size))
969 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
970 int sis_ktls_tx, int sis_ktls_rx,
971 int tls_version, const char *cipher,
974 SSL_CTX *cctx = NULL, *sctx = NULL;
975 SSL *clientssl = NULL, *serverssl = NULL;
979 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
982 /* Skip this test if the platform does not support ktls */
983 if (!ktls_chk_platform(cfd))
986 /* Create a session based on SHA-256 */
987 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
989 tls_version, tls_version,
990 &sctx, &cctx, cert, privkey))
991 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
992 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
993 &clientssl, sfd, cfd)))
997 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1002 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1007 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1012 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1016 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1021 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1024 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1029 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1032 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1037 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1040 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1045 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1048 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1052 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1059 SSL_shutdown(clientssl);
1060 SSL_free(clientssl);
1063 SSL_shutdown(serverssl);
1064 SSL_free(serverssl);
1068 serverssl = clientssl = NULL;
1072 #define SENDFILE_SZ (16 * 4096)
1073 #define SENDFILE_CHUNK (4 * 4096)
1074 #define min(a,b) ((a) > (b) ? (b) : (a))
1076 static int test_ktls_sendfile(int tls_version, const char *cipher)
1078 SSL_CTX *cctx = NULL, *sctx = NULL;
1079 SSL *clientssl = NULL, *serverssl = NULL;
1080 unsigned char *buf, *buf_dst;
1081 BIO *out = NULL, *in = NULL;
1082 int cfd, sfd, ffd, err;
1083 ssize_t chunk_size = 0;
1084 off_t chunk_off = 0;
1088 buf = OPENSSL_zalloc(SENDFILE_SZ);
1089 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1090 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1091 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1094 /* Skip this test if the platform does not support ktls */
1095 if (!ktls_chk_platform(sfd)) {
1100 /* Create a session based on SHA-256 */
1101 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1102 TLS_client_method(),
1103 tls_version, tls_version,
1104 &sctx, &cctx, cert, privkey))
1105 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1106 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1107 &clientssl, sfd, cfd)))
1110 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1112 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1115 RAND_bytes(buf, SENDFILE_SZ);
1116 out = BIO_new_file(tmpfilename, "wb");
1120 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1125 in = BIO_new_file(tmpfilename, "rb");
1126 BIO_get_fp(in, &ffdp);
1129 while (chunk_off < SENDFILE_SZ) {
1130 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1131 while ((err = SSL_sendfile(serverssl,
1135 0)) != chunk_size) {
1136 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1139 while ((err = SSL_read(clientssl,
1140 buf_dst + chunk_off,
1141 chunk_size)) != chunk_size) {
1142 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1146 /* verify the payload */
1147 if (!TEST_mem_eq(buf_dst + chunk_off,
1153 chunk_off += chunk_size;
1159 SSL_shutdown(clientssl);
1160 SSL_free(clientssl);
1163 SSL_shutdown(serverssl);
1164 SSL_free(serverssl);
1168 serverssl = clientssl = NULL;
1172 OPENSSL_free(buf_dst);
1176 static int test_ktls_no_txrx_client_no_txrx_server(int tlsver)
1180 #ifdef OPENSSL_KTLS_AES_GCM_128
1181 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1182 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1184 #ifdef OPENSSL_KTLS_AES_CCM_128
1185 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1186 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1188 #ifdef OPENSSL_KTLS_AES_GCM_256
1189 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1190 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1195 static int test_ktls_no_rx_client_no_txrx_server(int tlsver)
1199 #ifdef OPENSSL_KTLS_AES_GCM_128
1200 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1201 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1203 #ifdef OPENSSL_KTLS_AES_CCM_128
1204 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1205 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1207 #ifdef OPENSSL_KTLS_AES_GCM_256
1208 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1209 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1214 static int test_ktls_no_tx_client_no_txrx_server(int tlsver)
1218 #ifdef OPENSSL_KTLS_AES_GCM_128
1219 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1220 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1222 #ifdef OPENSSL_KTLS_AES_CCM_128
1223 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1224 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1226 #ifdef OPENSSL_KTLS_AES_GCM_256
1227 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1228 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1233 static int test_ktls_client_no_txrx_server(int tlsver)
1237 #ifdef OPENSSL_KTLS_AES_GCM_128
1238 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1239 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1241 #ifdef OPENSSL_KTLS_AES_CCM_128
1242 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1243 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1245 #ifdef OPENSSL_KTLS_AES_GCM_256
1246 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1247 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1252 static int test_ktls_no_txrx_client_no_rx_server(int tlsver)
1256 #ifdef OPENSSL_KTLS_AES_GCM_128
1257 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1258 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1260 #ifdef OPENSSL_KTLS_AES_CCM_128
1261 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1262 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1264 #ifdef OPENSSL_KTLS_AES_GCM_256
1265 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1266 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1271 static int test_ktls_no_rx_client_no_rx_server(int tlsver)
1275 #ifdef OPENSSL_KTLS_AES_GCM_128
1276 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1277 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1279 #ifdef OPENSSL_KTLS_AES_CCM_128
1280 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1281 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1283 #ifdef OPENSSL_KTLS_AES_GCM_256
1284 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1285 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1290 static int test_ktls_no_tx_client_no_rx_server(int tlsver)
1294 #ifdef OPENSSL_KTLS_AES_GCM_128
1295 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1296 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1298 #ifdef OPENSSL_KTLS_AES_CCM_128
1299 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1300 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1302 #ifdef OPENSSL_KTLS_AES_GCM_256
1303 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1304 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1309 static int test_ktls_client_no_rx_server(int tlsver)
1313 #ifdef OPENSSL_KTLS_AES_GCM_128
1314 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1315 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1317 #ifdef OPENSSL_KTLS_AES_CCM_128
1318 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1319 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1321 #ifdef OPENSSL_KTLS_AES_GCM_256
1322 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1323 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1328 static int test_ktls_no_txrx_client_no_tx_server(int tlsver)
1332 #ifdef OPENSSL_KTLS_AES_GCM_128
1333 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1334 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1336 #ifdef OPENSSL_KTLS_AES_CCM_128
1337 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1338 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1340 #ifdef OPENSSL_KTLS_AES_GCM_256
1341 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1342 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1347 static int test_ktls_no_rx_client_no_tx_server(int tlsver)
1351 #ifdef OPENSSL_KTLS_AES_GCM_128
1352 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1353 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1355 #ifdef OPENSSL_KTLS_AES_CCM_128
1356 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1357 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1359 #ifdef OPENSSL_KTLS_AES_GCM_256
1360 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1361 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1366 static int test_ktls_no_tx_client_no_tx_server(int tlsver)
1370 #ifdef OPENSSL_KTLS_AES_GCM_128
1371 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1372 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1374 #ifdef OPENSSL_KTLS_AES_CCM_128
1375 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1376 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1378 #ifdef OPENSSL_KTLS_AES_GCM_256
1379 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1380 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1385 static int test_ktls_client_no_tx_server(int tlsver)
1389 #ifdef OPENSSL_KTLS_AES_GCM_128
1390 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1391 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1393 #ifdef OPENSSL_KTLS_AES_CCM_128
1394 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1395 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1397 #ifdef OPENSSL_KTLS_AES_GCM_256
1398 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1399 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1404 static int test_ktls_no_txrx_client_server(int tlsver)
1408 #ifdef OPENSSL_KTLS_AES_GCM_128
1409 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1410 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1412 #ifdef OPENSSL_KTLS_AES_CCM_128
1413 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1414 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1416 #ifdef OPENSSL_KTLS_AES_GCM_256
1417 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1418 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1423 static int test_ktls_no_rx_client_server(int tlsver)
1427 #ifdef OPENSSL_KTLS_AES_GCM_128
1428 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1429 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1431 #ifdef OPENSSL_KTLS_AES_CCM_128
1432 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1433 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1435 #ifdef OPENSSL_KTLS_AES_GCM_256
1436 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1437 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1442 static int test_ktls_no_tx_client_server(int tlsver)
1446 #ifdef OPENSSL_KTLS_AES_GCM_128
1447 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1448 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1450 #ifdef OPENSSL_KTLS_AES_CCM_128
1451 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1452 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1454 #ifdef OPENSSL_KTLS_AES_GCM_256
1455 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1456 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1461 static int test_ktls_client_server(int tlsver)
1465 #ifdef OPENSSL_KTLS_AES_GCM_128
1466 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1467 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1469 #ifdef OPENSSL_KTLS_AES_CCM_128
1470 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1471 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1473 #ifdef OPENSSL_KTLS_AES_GCM_256
1474 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1475 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1480 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1481 static int test_ktls(int test)
1486 #if defined(OPENSSL_NO_TLS1_3)
1490 tlsver = TLS1_3_VERSION;
1493 #if defined(OPENSSL_NO_TLS1_2)
1496 tlsver = TLS1_2_VERSION;
1502 return test_ktls_no_txrx_client_no_txrx_server(tlsver);
1504 return test_ktls_no_rx_client_no_txrx_server(tlsver);
1506 return test_ktls_no_tx_client_no_txrx_server(tlsver);
1508 return test_ktls_client_no_txrx_server(tlsver);
1510 return test_ktls_no_txrx_client_no_rx_server(tlsver);
1512 return test_ktls_no_rx_client_no_rx_server(tlsver);
1514 return test_ktls_no_tx_client_no_rx_server(tlsver);
1516 return test_ktls_client_no_rx_server(tlsver);
1518 return test_ktls_no_txrx_client_no_tx_server(tlsver);
1520 return test_ktls_no_rx_client_no_tx_server(tlsver);
1522 return test_ktls_no_tx_client_no_tx_server(tlsver);
1524 return test_ktls_client_no_tx_server(tlsver);
1526 return test_ktls_no_txrx_client_server(tlsver);
1528 return test_ktls_no_rx_client_server(tlsver);
1530 return test_ktls_no_tx_client_server(tlsver);
1532 return test_ktls_client_server(tlsver);
1538 static int test_ktls_sendfile_anytls(int tst)
1540 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM-SHA256","AES256-GCM-SHA384"};
1544 #if defined(OPENSSL_NO_TLS1_3)
1548 tlsver = TLS1_3_VERSION;
1551 #if defined(OPENSSL_NO_TLS1_2)
1554 tlsver = TLS1_2_VERSION;
1558 #ifndef OPENSSL_KTLS_AES_GCM_128
1559 if(tst == 0) return 1;
1561 #ifndef OPENSSL_KTLS_AES_CCM_128
1562 if(tst == 1) return 1;
1564 #ifndef OPENSSL_KTLS_AES_GCM_256
1565 if(tst == 2) return 1;
1567 return test_ktls_sendfile(tlsver, cipher[tst]);
1573 static int test_large_message_tls(void)
1575 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1576 TLS1_VERSION, 0, 0);
1579 static int test_large_message_tls_read_ahead(void)
1581 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1582 TLS1_VERSION, 0, 1);
1585 #ifndef OPENSSL_NO_DTLS
1586 static int test_large_message_dtls(void)
1589 * read_ahead is not relevant to DTLS because DTLS always acts as if
1590 * read_ahead is set.
1592 return execute_test_large_message(DTLS_server_method(),
1593 DTLS_client_method(),
1594 DTLS1_VERSION, 0, 0);
1598 #ifndef OPENSSL_NO_OCSP
1599 static int ocsp_server_cb(SSL *s, void *arg)
1601 int *argi = (int *)arg;
1602 unsigned char *copy = NULL;
1603 STACK_OF(OCSP_RESPID) *ids = NULL;
1604 OCSP_RESPID *id = NULL;
1607 /* In this test we are expecting exactly 1 OCSP_RESPID */
1608 SSL_get_tlsext_status_ids(s, &ids);
1609 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1610 return SSL_TLSEXT_ERR_ALERT_FATAL;
1612 id = sk_OCSP_RESPID_value(ids, 0);
1613 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1614 return SSL_TLSEXT_ERR_ALERT_FATAL;
1615 } else if (*argi != 1) {
1616 return SSL_TLSEXT_ERR_ALERT_FATAL;
1619 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1620 return SSL_TLSEXT_ERR_ALERT_FATAL;
1622 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1623 ocsp_server_called = 1;
1624 return SSL_TLSEXT_ERR_OK;
1627 static int ocsp_client_cb(SSL *s, void *arg)
1629 int *argi = (int *)arg;
1630 const unsigned char *respderin;
1633 if (*argi != 1 && *argi != 2)
1636 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1637 if (!TEST_mem_eq(orespder, len, respderin, len))
1640 ocsp_client_called = 1;
1644 static int test_tlsext_status_type(void)
1646 SSL_CTX *cctx = NULL, *sctx = NULL;
1647 SSL *clientssl = NULL, *serverssl = NULL;
1649 STACK_OF(OCSP_RESPID) *ids = NULL;
1650 OCSP_RESPID *id = NULL;
1651 BIO *certbio = NULL;
1653 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1655 &sctx, &cctx, cert, privkey))
1658 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1661 /* First just do various checks getting and setting tlsext_status_type */
1663 clientssl = SSL_new(cctx);
1664 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1665 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1666 TLSEXT_STATUSTYPE_ocsp))
1667 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1668 TLSEXT_STATUSTYPE_ocsp))
1671 SSL_free(clientssl);
1674 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1675 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1678 clientssl = SSL_new(cctx);
1679 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1681 SSL_free(clientssl);
1685 * Now actually do a handshake and check OCSP information is exchanged and
1686 * the callbacks get called
1688 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1689 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1690 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1691 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1692 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1693 &clientssl, NULL, NULL))
1694 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1696 || !TEST_true(ocsp_client_called)
1697 || !TEST_true(ocsp_server_called))
1699 SSL_free(serverssl);
1700 SSL_free(clientssl);
1704 /* Try again but this time force the server side callback to fail */
1705 ocsp_client_called = 0;
1706 ocsp_server_called = 0;
1708 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1709 &clientssl, NULL, NULL))
1710 /* This should fail because the callback will fail */
1711 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1713 || !TEST_false(ocsp_client_called)
1714 || !TEST_false(ocsp_server_called))
1716 SSL_free(serverssl);
1717 SSL_free(clientssl);
1722 * This time we'll get the client to send an OCSP_RESPID that it will
1725 ocsp_client_called = 0;
1726 ocsp_server_called = 0;
1728 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1729 &clientssl, NULL, NULL)))
1733 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1734 * specific one. We'll use the server cert.
1736 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1737 || !TEST_ptr(id = OCSP_RESPID_new())
1738 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1739 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1741 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1742 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1745 SSL_set_tlsext_status_ids(clientssl, ids);
1746 /* Control has been transferred */
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1754 || !TEST_true(ocsp_client_called)
1755 || !TEST_true(ocsp_server_called))
1761 SSL_free(serverssl);
1762 SSL_free(clientssl);
1765 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1766 OCSP_RESPID_free(id);
1768 X509_free(ocspcert);
1775 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1776 static int new_called, remove_called, get_called;
1778 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1782 * sess has been up-refed for us, but we don't actually need it so free it
1785 SSL_SESSION_free(sess);
1789 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1794 static SSL_SESSION *get_sess_val = NULL;
1796 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1801 return get_sess_val;
1804 static int execute_test_session(int maxprot, int use_int_cache,
1805 int use_ext_cache, long s_options)
1807 SSL_CTX *sctx = NULL, *cctx = NULL;
1808 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1809 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1810 # ifndef OPENSSL_NO_TLS1_1
1811 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1813 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1814 int testresult = 0, numnewsesstick = 1;
1816 new_called = remove_called = 0;
1818 /* TLSv1.3 sends 2 NewSessionTickets */
1819 if (maxprot == TLS1_3_VERSION)
1822 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1823 TLS_client_method(), TLS1_VERSION, 0,
1824 &sctx, &cctx, cert, privkey)))
1828 * Only allow the max protocol version so we can force a connection failure
1831 SSL_CTX_set_min_proto_version(cctx, maxprot);
1832 SSL_CTX_set_max_proto_version(cctx, maxprot);
1834 /* Set up session cache */
1835 if (use_ext_cache) {
1836 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1837 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1839 if (use_int_cache) {
1840 /* Also covers instance where both are set */
1841 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1843 SSL_CTX_set_session_cache_mode(cctx,
1844 SSL_SESS_CACHE_CLIENT
1845 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1849 SSL_CTX_set_options(sctx, s_options);
1852 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1854 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1856 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1859 /* Should fail because it should already be in the cache */
1860 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1863 && (!TEST_int_eq(new_called, numnewsesstick)
1865 || !TEST_int_eq(remove_called, 0)))
1868 new_called = remove_called = 0;
1869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1870 &clientssl2, NULL, NULL))
1871 || !TEST_true(SSL_set_session(clientssl2, sess1))
1872 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1874 || !TEST_true(SSL_session_reused(clientssl2)))
1877 if (maxprot == TLS1_3_VERSION) {
1879 * In TLSv1.3 we should have created a new session even though we have
1880 * resumed. Since we attempted a resume we should also have removed the
1881 * old ticket from the cache so that we try to only use tickets once.
1884 && (!TEST_int_eq(new_called, 1)
1885 || !TEST_int_eq(remove_called, 1)))
1889 * In TLSv1.2 we expect to have resumed so no sessions added or
1893 && (!TEST_int_eq(new_called, 0)
1894 || !TEST_int_eq(remove_called, 0)))
1898 SSL_SESSION_free(sess1);
1899 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1901 shutdown_ssl_connection(serverssl2, clientssl2);
1902 serverssl2 = clientssl2 = NULL;
1904 new_called = remove_called = 0;
1905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1906 &clientssl2, NULL, NULL))
1907 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1911 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1915 && (!TEST_int_eq(new_called, numnewsesstick)
1916 || !TEST_int_eq(remove_called, 0)))
1919 new_called = remove_called = 0;
1921 * This should clear sess2 from the cache because it is a "bad" session.
1922 * See SSL_set_session() documentation.
1924 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1927 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1929 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1932 if (use_int_cache) {
1933 /* Should succeeded because it should not already be in the cache */
1934 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1935 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1939 new_called = remove_called = 0;
1940 /* This shouldn't be in the cache so should fail */
1941 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1945 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1948 # if !defined(OPENSSL_NO_TLS1_1)
1949 new_called = remove_called = 0;
1950 /* Force a connection failure */
1951 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1952 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1953 &clientssl3, NULL, NULL))
1954 || !TEST_true(SSL_set_session(clientssl3, sess1))
1955 /* This should fail because of the mismatched protocol versions */
1956 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1960 /* We should have automatically removed the session from the cache */
1962 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1965 /* Should succeed because it should not already be in the cache */
1966 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1970 /* Now do some tests for server side caching */
1971 if (use_ext_cache) {
1972 SSL_CTX_sess_set_new_cb(cctx, NULL);
1973 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1974 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1975 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1976 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1977 get_sess_val = NULL;
1980 SSL_CTX_set_session_cache_mode(cctx, 0);
1981 /* Internal caching is the default on the server side */
1983 SSL_CTX_set_session_cache_mode(sctx,
1984 SSL_SESS_CACHE_SERVER
1985 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1987 SSL_free(serverssl1);
1988 SSL_free(clientssl1);
1989 serverssl1 = clientssl1 = NULL;
1990 SSL_free(serverssl2);
1991 SSL_free(clientssl2);
1992 serverssl2 = clientssl2 = NULL;
1993 SSL_SESSION_free(sess1);
1995 SSL_SESSION_free(sess2);
1998 SSL_CTX_set_max_proto_version(sctx, maxprot);
1999 if (maxprot == TLS1_2_VERSION)
2000 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2001 new_called = remove_called = get_called = 0;
2002 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2004 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2006 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2007 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2010 if (use_int_cache) {
2011 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2013 * In TLSv1.3 it should not have been added to the internal cache,
2014 * except in the case where we also have an external cache (in that
2015 * case it gets added to the cache in order to generate remove
2016 * events after timeout).
2018 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2021 /* Should fail because it should already be in the cache */
2022 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2027 if (use_ext_cache) {
2028 SSL_SESSION *tmp = sess2;
2030 if (!TEST_int_eq(new_called, numnewsesstick)
2031 || !TEST_int_eq(remove_called, 0)
2032 || !TEST_int_eq(get_called, 0))
2035 * Delete the session from the internal cache to force a lookup from
2036 * the external cache. We take a copy first because
2037 * SSL_CTX_remove_session() also marks the session as non-resumable.
2039 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2040 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2041 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2043 SSL_SESSION_free(sess2);
2048 new_called = remove_called = get_called = 0;
2049 get_sess_val = sess2;
2050 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2051 &clientssl2, NULL, NULL))
2052 || !TEST_true(SSL_set_session(clientssl2, sess1))
2053 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2055 || !TEST_true(SSL_session_reused(clientssl2)))
2058 if (use_ext_cache) {
2059 if (!TEST_int_eq(remove_called, 0))
2062 if (maxprot == TLS1_3_VERSION) {
2063 if (!TEST_int_eq(new_called, 1)
2064 || !TEST_int_eq(get_called, 0))
2067 if (!TEST_int_eq(new_called, 0)
2068 || !TEST_int_eq(get_called, 1))
2076 SSL_free(serverssl1);
2077 SSL_free(clientssl1);
2078 SSL_free(serverssl2);
2079 SSL_free(clientssl2);
2080 # ifndef OPENSSL_NO_TLS1_1
2081 SSL_free(serverssl3);
2082 SSL_free(clientssl3);
2084 SSL_SESSION_free(sess1);
2085 SSL_SESSION_free(sess2);
2091 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2093 static int test_session_with_only_int_cache(void)
2095 #ifndef OPENSSL_NO_TLS1_3
2096 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2100 #ifndef OPENSSL_NO_TLS1_2
2101 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2107 static int test_session_with_only_ext_cache(void)
2109 #ifndef OPENSSL_NO_TLS1_3
2110 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2114 #ifndef OPENSSL_NO_TLS1_2
2115 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2121 static int test_session_with_both_cache(void)
2123 #ifndef OPENSSL_NO_TLS1_3
2124 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2128 #ifndef OPENSSL_NO_TLS1_2
2129 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2135 static int test_session_wo_ca_names(void)
2137 #ifndef OPENSSL_NO_TLS1_3
2138 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2142 #ifndef OPENSSL_NO_TLS1_2
2143 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2150 #ifndef OPENSSL_NO_TLS1_3
2151 static SSL_SESSION *sesscache[6];
2152 static int do_cache;
2154 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2157 sesscache[new_called] = sess;
2159 /* We don't need the reference to the session, so free it */
2160 SSL_SESSION_free(sess);
2167 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2169 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2170 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2173 /* Start handshake on the server and client */
2174 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2175 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2176 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2177 || !TEST_true(create_ssl_connection(sssl, cssl,
2184 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2187 int sess_id_ctx = 1;
2189 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2190 TLS_client_method(), TLS1_VERSION, 0,
2191 sctx, cctx, cert, privkey))
2192 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2193 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2194 (void *)&sess_id_ctx,
2195 sizeof(sess_id_ctx))))
2199 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2201 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2202 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2203 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2208 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2210 SSL *serverssl = NULL, *clientssl = NULL;
2213 /* Test that we can resume with all the tickets we got given */
2214 for (i = 0; i < idx * 2; i++) {
2216 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2217 &clientssl, NULL, NULL))
2218 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2221 SSL_set_post_handshake_auth(clientssl, 1);
2223 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2228 * Following a successful resumption we only get 1 ticket. After a
2229 * failed one we should get idx tickets.
2232 if (!TEST_true(SSL_session_reused(clientssl))
2233 || !TEST_int_eq(new_called, 1))
2236 if (!TEST_false(SSL_session_reused(clientssl))
2237 || !TEST_int_eq(new_called, idx))
2242 /* After a post-handshake authentication we should get 1 new ticket */
2244 && (!post_handshake_verify(serverssl, clientssl)
2245 || !TEST_int_eq(new_called, 1)))
2248 SSL_shutdown(clientssl);
2249 SSL_shutdown(serverssl);
2250 SSL_free(serverssl);
2251 SSL_free(clientssl);
2252 serverssl = clientssl = NULL;
2253 SSL_SESSION_free(sesscache[i]);
2254 sesscache[i] = NULL;
2260 SSL_free(clientssl);
2261 SSL_free(serverssl);
2265 static int test_tickets(int stateful, int idx)
2267 SSL_CTX *sctx = NULL, *cctx = NULL;
2268 SSL *serverssl = NULL, *clientssl = NULL;
2272 /* idx is the test number, but also the number of tickets we want */
2277 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2281 &clientssl, NULL, NULL)))
2284 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2286 /* Check we got the number of tickets we were expecting */
2287 || !TEST_int_eq(idx, new_called))
2290 SSL_shutdown(clientssl);
2291 SSL_shutdown(serverssl);
2292 SSL_free(serverssl);
2293 SSL_free(clientssl);
2296 clientssl = serverssl = NULL;
2300 * Now we try to resume with the tickets we previously created. The
2301 * resumption attempt is expected to fail (because we're now using a new
2302 * SSL_CTX). We should see idx number of tickets issued again.
2305 /* Stop caching sessions - just count them */
2308 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2311 if (!check_resumption(idx, sctx, cctx, 0))
2314 /* Start again with caching sessions */
2321 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2324 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2325 &clientssl, NULL, NULL)))
2328 SSL_set_post_handshake_auth(clientssl, 1);
2330 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2332 /* Check we got the number of tickets we were expecting */
2333 || !TEST_int_eq(idx, new_called))
2336 /* After a post-handshake authentication we should get new tickets issued */
2337 if (!post_handshake_verify(serverssl, clientssl)
2338 || !TEST_int_eq(idx * 2, new_called))
2341 SSL_shutdown(clientssl);
2342 SSL_shutdown(serverssl);
2343 SSL_free(serverssl);
2344 SSL_free(clientssl);
2345 serverssl = clientssl = NULL;
2347 /* Stop caching sessions - just count them */
2351 * Check we can resume with all the tickets we created. This time around the
2352 * resumptions should all be successful.
2354 if (!check_resumption(idx, sctx, cctx, 1))
2360 SSL_free(serverssl);
2361 SSL_free(clientssl);
2362 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2363 SSL_SESSION_free(sesscache[j]);
2364 sesscache[j] = NULL;
2372 static int test_stateless_tickets(int idx)
2374 return test_tickets(0, idx);
2377 static int test_stateful_tickets(int idx)
2379 return test_tickets(1, idx);
2382 static int test_psk_tickets(void)
2384 SSL_CTX *sctx = NULL, *cctx = NULL;
2385 SSL *serverssl = NULL, *clientssl = NULL;
2387 int sess_id_ctx = 1;
2389 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2390 TLS_client_method(), TLS1_VERSION, 0,
2391 &sctx, &cctx, NULL, NULL))
2392 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2393 (void *)&sess_id_ctx,
2394 sizeof(sess_id_ctx))))
2397 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2398 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2399 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2400 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2401 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2402 use_session_cb_cnt = 0;
2403 find_session_cb_cnt = 0;
2407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2410 clientpsk = serverpsk = create_a_psk(clientssl);
2411 if (!TEST_ptr(clientpsk))
2413 SSL_SESSION_up_ref(clientpsk);
2415 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2417 || !TEST_int_eq(1, find_session_cb_cnt)
2418 || !TEST_int_eq(1, use_session_cb_cnt)
2419 /* We should always get 1 ticket when using external PSK */
2420 || !TEST_int_eq(1, new_called))
2426 SSL_free(serverssl);
2427 SSL_free(clientssl);
2430 SSL_SESSION_free(clientpsk);
2431 SSL_SESSION_free(serverpsk);
2432 clientpsk = serverpsk = NULL;
2437 static int test_extra_tickets(int idx)
2439 SSL_CTX *sctx = NULL, *cctx = NULL;
2440 SSL *serverssl = NULL, *clientssl = NULL;
2441 BIO *bretry = BIO_new(bio_s_always_retry());
2446 unsigned char c, buf[1];
2456 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2458 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2459 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2460 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2462 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2463 &clientssl, NULL, NULL)))
2467 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2468 * incremented by both client and server.
2470 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2472 /* Check we got the number of tickets we were expecting */
2473 || !TEST_int_eq(idx * 2, new_called)
2474 || !TEST_true(SSL_new_session_ticket(serverssl))
2475 || !TEST_true(SSL_new_session_ticket(serverssl))
2476 || !TEST_int_eq(idx * 2, new_called))
2479 /* Now try a (real) write to actually send the tickets */
2481 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2482 || !TEST_size_t_eq(1, nbytes)
2483 || !TEST_int_eq(idx * 2 + 2, new_called)
2484 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2485 || !TEST_int_eq(idx * 2 + 4, new_called)
2486 || !TEST_int_eq(sizeof(buf), nbytes)
2487 || !TEST_int_eq(c, buf[0])
2488 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2491 /* Try with only requesting one new ticket, too */
2494 if (!TEST_true(SSL_new_session_ticket(serverssl))
2495 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2496 || !TEST_size_t_eq(sizeof(c), nbytes)
2497 || !TEST_int_eq(1, new_called)
2498 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2499 || !TEST_int_eq(2, new_called)
2500 || !TEST_size_t_eq(sizeof(buf), nbytes)
2501 || !TEST_int_eq(c, buf[0]))
2504 /* Do it again but use dummy writes to drive the ticket generation */
2507 if (!TEST_true(SSL_new_session_ticket(serverssl))
2508 || !TEST_true(SSL_new_session_ticket(serverssl))
2509 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2510 || !TEST_size_t_eq(0, nbytes)
2511 || !TEST_int_eq(2, new_called)
2512 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2513 || !TEST_int_eq(4, new_called))
2517 * Use the always-retry BIO to exercise the logic that forces ticket
2518 * generation to wait until a record boundary.
2522 tmp = SSL_get_wbio(serverssl);
2523 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2527 SSL_set0_wbio(serverssl, bretry);
2529 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2530 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2531 || !TEST_size_t_eq(nbytes, 0))
2533 /* Restore a BIO that will let the write succeed */
2534 SSL_set0_wbio(serverssl, tmp);
2536 /* These calls should just queue the request and not send anything. */
2537 if (!TEST_true(SSL_new_session_ticket(serverssl))
2538 || !TEST_true(SSL_new_session_ticket(serverssl))
2539 || !TEST_int_eq(0, new_called))
2541 /* Re-do the write; still no tickets sent */
2542 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2543 || !TEST_size_t_eq(1, nbytes)
2544 || !TEST_int_eq(0, new_called)
2545 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2546 || !TEST_int_eq(0, new_called)
2547 || !TEST_int_eq(sizeof(buf), nbytes)
2548 || !TEST_int_eq(c, buf[0])
2549 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2551 /* Now the *next* write should send the tickets */
2553 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2554 || !TEST_size_t_eq(1, nbytes)
2555 || !TEST_int_eq(2, new_called)
2556 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2557 || !TEST_int_eq(4, new_called)
2558 || !TEST_int_eq(sizeof(buf), nbytes)
2559 || !TEST_int_eq(c, buf[0])
2560 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2563 SSL_shutdown(clientssl);
2564 SSL_shutdown(serverssl);
2570 SSL_free(serverssl);
2571 SSL_free(clientssl);
2574 clientssl = serverssl = NULL;
2583 #define USE_DEFAULT 3
2585 #define CONNTYPE_CONNECTION_SUCCESS 0
2586 #define CONNTYPE_CONNECTION_FAIL 1
2587 #define CONNTYPE_NO_CONNECTION 2
2589 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2590 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2591 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2592 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2594 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2597 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2598 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2599 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2601 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2618 * Tests calls to SSL_set_bio() under various conditions.
2620 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2621 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2622 * then do more tests where we create a successful connection first using our
2623 * standard connection setup functions, and then call SSL_set_bio() with
2624 * various combinations of valid BIOs or NULL. We then repeat these tests
2625 * following a failed connection. In this last case we are looking to check that
2626 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2628 static int test_ssl_set_bio(int idx)
2630 SSL_CTX *sctx = NULL, *cctx = NULL;
2633 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2634 SSL *serverssl = NULL, *clientssl = NULL;
2635 int initrbio, initwbio, newrbio, newwbio, conntype;
2638 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2646 conntype = CONNTYPE_NO_CONNECTION;
2648 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2649 initrbio = initwbio = USE_DEFAULT;
2657 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2658 TLS_client_method(), TLS1_VERSION, 0,
2659 &sctx, &cctx, cert, privkey)))
2662 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2664 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2665 * because we reduced the number of tests in the definition of
2666 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2667 * mismatched protocol versions we will force a connection failure.
2669 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2670 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2677 if (initrbio == USE_BIO_1
2678 || initwbio == USE_BIO_1
2679 || newrbio == USE_BIO_1
2680 || newwbio == USE_BIO_1) {
2681 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2685 if (initrbio == USE_BIO_2
2686 || initwbio == USE_BIO_2
2687 || newrbio == USE_BIO_2
2688 || newwbio == USE_BIO_2) {
2689 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2693 if (initrbio != USE_DEFAULT) {
2694 setupbio(&irbio, bio1, bio2, initrbio);
2695 setupbio(&iwbio, bio1, bio2, initwbio);
2696 SSL_set_bio(clientssl, irbio, iwbio);
2699 * We want to maintain our own refs to these BIO, so do an up ref for
2700 * each BIO that will have ownership transferred in the SSL_set_bio()
2705 if (iwbio != NULL && iwbio != irbio)
2709 if (conntype != CONNTYPE_NO_CONNECTION
2710 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2712 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2715 setupbio(&nrbio, bio1, bio2, newrbio);
2716 setupbio(&nwbio, bio1, bio2, newwbio);
2719 * We will (maybe) transfer ownership again so do more up refs.
2720 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2725 && (nwbio != iwbio || nrbio != nwbio))
2729 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2732 SSL_set_bio(clientssl, nrbio, nwbio);
2741 * This test is checking that the ref counting for SSL_set_bio is correct.
2742 * If we get here and we did too many frees then we will fail in the above
2745 SSL_free(serverssl);
2746 SSL_free(clientssl);
2752 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2754 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2756 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2761 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2762 || !TEST_ptr(ssl = SSL_new(ctx))
2763 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2764 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2767 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2770 * If anything goes wrong here then we could leak memory.
2772 BIO_push(sslbio, membio1);
2774 /* Verify changing the rbio/wbio directly does not cause leaks */
2775 if (change_bio != NO_BIO_CHANGE) {
2776 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2778 if (change_bio == CHANGE_RBIO)
2779 SSL_set0_rbio(ssl, membio2);
2781 SSL_set0_wbio(ssl, membio2);
2800 static int test_ssl_bio_pop_next_bio(void)
2802 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2805 static int test_ssl_bio_pop_ssl_bio(void)
2807 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2810 static int test_ssl_bio_change_rbio(void)
2812 return execute_test_ssl_bio(0, CHANGE_RBIO);
2815 static int test_ssl_bio_change_wbio(void)
2817 return execute_test_ssl_bio(0, CHANGE_WBIO);
2820 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2822 /* The list of sig algs */
2824 /* The length of the list */
2826 /* A sigalgs list in string format */
2827 const char *liststr;
2828 /* Whether setting the list should succeed */
2830 /* Whether creating a connection with the list should succeed */
2834 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2835 # ifndef OPENSSL_NO_EC
2836 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2837 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2839 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2840 static const int invalidlist2[] = {NID_sha256, NID_undef};
2841 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2842 static const int invalidlist4[] = {NID_sha256};
2843 static const sigalgs_list testsigalgs[] = {
2844 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2845 # ifndef OPENSSL_NO_EC
2846 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2847 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2849 {NULL, 0, "RSA+SHA256", 1, 1},
2850 # ifndef OPENSSL_NO_EC
2851 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2852 {NULL, 0, "ECDSA+SHA512", 1, 0},
2854 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2855 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2856 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2857 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2858 {NULL, 0, "RSA", 0, 0},
2859 {NULL, 0, "SHA256", 0, 0},
2860 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2861 {NULL, 0, "Invalid", 0, 0}
2864 static int test_set_sigalgs(int idx)
2866 SSL_CTX *cctx = NULL, *sctx = NULL;
2867 SSL *clientssl = NULL, *serverssl = NULL;
2869 const sigalgs_list *curr;
2872 /* Should never happen */
2873 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2876 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2877 curr = testctx ? &testsigalgs[idx]
2878 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2880 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2881 TLS_client_method(), TLS1_VERSION, 0,
2882 &sctx, &cctx, cert, privkey)))
2886 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2887 * for TLSv1.2 for now until we add a new API.
2889 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2894 if (curr->list != NULL)
2895 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2897 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2901 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2907 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2912 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2913 &clientssl, NULL, NULL)))
2919 if (curr->list != NULL)
2920 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2922 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2925 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2934 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2942 SSL_free(serverssl);
2943 SSL_free(clientssl);
2951 #ifndef OPENSSL_NO_TLS1_3
2952 static int psk_client_cb_cnt = 0;
2953 static int psk_server_cb_cnt = 0;
2955 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2956 size_t *idlen, SSL_SESSION **sess)
2958 switch (++use_session_cb_cnt) {
2960 /* The first call should always have a NULL md */
2966 /* The second call should always have an md */
2972 /* We should only be called a maximum of twice */
2976 if (clientpsk != NULL)
2977 SSL_SESSION_up_ref(clientpsk);
2980 *id = (const unsigned char *)pskid;
2981 *idlen = strlen(pskid);
2986 #ifndef OPENSSL_NO_PSK
2987 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2988 unsigned int max_id_len,
2990 unsigned int max_psk_len)
2992 unsigned int psklen = 0;
2994 psk_client_cb_cnt++;
2996 if (strlen(pskid) + 1 > max_id_len)
2999 /* We should only ever be called a maximum of twice per connection */
3000 if (psk_client_cb_cnt > 2)
3003 if (clientpsk == NULL)
3006 /* We'll reuse the PSK we set up for TLSv1.3 */
3007 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3009 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3010 strncpy(id, pskid, max_id_len);
3014 #endif /* OPENSSL_NO_PSK */
3016 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3017 size_t identity_len, SSL_SESSION **sess)
3019 find_session_cb_cnt++;
3021 /* We should only ever be called a maximum of twice per connection */
3022 if (find_session_cb_cnt > 2)
3025 if (serverpsk == NULL)
3028 /* Identity should match that set by the client */
3029 if (strlen(srvid) != identity_len
3030 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3031 /* No PSK found, continue but without a PSK */
3036 SSL_SESSION_up_ref(serverpsk);
3042 #ifndef OPENSSL_NO_PSK
3043 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3044 unsigned char *psk, unsigned int max_psk_len)
3046 unsigned int psklen = 0;
3048 psk_server_cb_cnt++;
3050 /* We should only ever be called a maximum of twice per connection */
3051 if (find_session_cb_cnt > 2)
3054 if (serverpsk == NULL)
3057 /* Identity should match that set by the client */
3058 if (strcmp(srvid, identity) != 0) {
3062 /* We'll reuse the PSK we set up for TLSv1.3 */
3063 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3065 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3069 #endif /* OPENSSL_NO_PSK */
3071 #define MSG1 "Hello"
3072 #define MSG2 "World."
3077 #define MSG7 "message."
3079 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3080 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3081 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3082 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3083 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3086 static SSL_SESSION *create_a_psk(SSL *ssl)
3088 const SSL_CIPHER *cipher = NULL;
3089 const unsigned char key[] = {
3090 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3091 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3092 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3093 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3094 0x2c, 0x2d, 0x2e, 0x2f
3096 SSL_SESSION *sess = NULL;
3098 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3099 sess = SSL_SESSION_new();
3101 || !TEST_ptr(cipher)
3102 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3104 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3106 SSL_SESSION_set_protocol_version(sess,
3108 SSL_SESSION_free(sess);
3115 * Helper method to setup objects for early data test. Caller frees objects on
3118 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3119 SSL **serverssl, SSL_SESSION **sess, int idx)
3122 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3123 TLS_client_method(),
3125 sctx, cctx, cert, privkey)))
3128 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3132 /* When idx == 1 we repeat the tests with read_ahead set */
3133 SSL_CTX_set_read_ahead(*cctx, 1);
3134 SSL_CTX_set_read_ahead(*sctx, 1);
3135 } else if (idx == 2) {
3136 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3137 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3138 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3139 use_session_cb_cnt = 0;
3140 find_session_cb_cnt = 0;
3144 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3149 * For one of the run throughs (doesn't matter which one), we'll try sending
3150 * some SNI data in the initial ClientHello. This will be ignored (because
3151 * there is no SNI cb set up by the server), so it should not impact
3155 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3159 clientpsk = create_a_psk(*clientssl);
3160 if (!TEST_ptr(clientpsk)
3162 * We just choose an arbitrary value for max_early_data which
3163 * should be big enough for testing purposes.
3165 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3167 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3168 SSL_SESSION_free(clientpsk);
3172 serverpsk = clientpsk;
3175 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3176 SSL_SESSION_free(clientpsk);
3177 SSL_SESSION_free(serverpsk);
3178 clientpsk = serverpsk = NULL;
3189 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3193 *sess = SSL_get1_session(*clientssl);
3194 SSL_shutdown(*clientssl);
3195 SSL_shutdown(*serverssl);
3196 SSL_free(*serverssl);
3197 SSL_free(*clientssl);
3198 *serverssl = *clientssl = NULL;
3200 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3201 clientssl, NULL, NULL))
3202 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3208 static int test_early_data_read_write(int idx)
3210 SSL_CTX *cctx = NULL, *sctx = NULL;
3211 SSL *clientssl = NULL, *serverssl = NULL;
3213 SSL_SESSION *sess = NULL;
3214 unsigned char buf[20], data[1024];
3215 size_t readbytes, written, eoedlen, rawread, rawwritten;
3218 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3219 &serverssl, &sess, idx)))
3222 /* Write and read some early data */
3223 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3225 || !TEST_size_t_eq(written, strlen(MSG1))
3226 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3227 sizeof(buf), &readbytes),
3228 SSL_READ_EARLY_DATA_SUCCESS)
3229 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3230 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3231 SSL_EARLY_DATA_ACCEPTED))
3235 * Server should be able to write data, and client should be able to
3238 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3240 || !TEST_size_t_eq(written, strlen(MSG2))
3241 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3242 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3245 /* Even after reading normal data, client should be able write early data */
3246 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3248 || !TEST_size_t_eq(written, strlen(MSG3)))
3251 /* Server should still be able read early data after writing data */
3252 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3254 SSL_READ_EARLY_DATA_SUCCESS)
3255 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3258 /* Write more data from server and read it from client */
3259 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3261 || !TEST_size_t_eq(written, strlen(MSG4))
3262 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3263 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3267 * If client writes normal data it should mean writing early data is no
3270 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3271 || !TEST_size_t_eq(written, strlen(MSG5))
3272 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3273 SSL_EARLY_DATA_ACCEPTED))
3277 * At this point the client has written EndOfEarlyData, ClientFinished and
3278 * normal (fully protected) data. We are going to cause a delay between the
3279 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3280 * in the read BIO, and then just put back the EndOfEarlyData message.
3282 rbio = SSL_get_rbio(serverssl);
3283 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3284 || !TEST_size_t_lt(rawread, sizeof(data))
3285 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3288 /* Record length is in the 4th and 5th bytes of the record header */
3289 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3290 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3291 || !TEST_size_t_eq(rawwritten, eoedlen))
3294 /* Server should be told that there is no more early data */
3295 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3297 SSL_READ_EARLY_DATA_FINISH)
3298 || !TEST_size_t_eq(readbytes, 0))
3302 * Server has not finished init yet, so should still be able to write early
3305 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3307 || !TEST_size_t_eq(written, strlen(MSG6)))
3310 /* Push the ClientFinished and the normal data back into the server rbio */
3311 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3313 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3316 /* Server should be able to read normal data */
3317 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3318 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3321 /* Client and server should not be able to write/read early data now */
3322 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3326 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3328 SSL_READ_EARLY_DATA_ERROR))
3332 /* Client should be able to read the data sent by the server */
3333 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3334 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3338 * Make sure we process the two NewSessionTickets. These arrive
3339 * post-handshake. We attempt reads which we do not expect to return any
3342 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3343 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3347 /* Server should be able to write normal data */
3348 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3349 || !TEST_size_t_eq(written, strlen(MSG7))
3350 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3351 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3354 SSL_SESSION_free(sess);
3355 sess = SSL_get1_session(clientssl);
3356 use_session_cb_cnt = 0;
3357 find_session_cb_cnt = 0;
3359 SSL_shutdown(clientssl);
3360 SSL_shutdown(serverssl);
3361 SSL_free(serverssl);
3362 SSL_free(clientssl);
3363 serverssl = clientssl = NULL;
3364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3365 &clientssl, NULL, NULL))
3366 || !TEST_true(SSL_set_session(clientssl, sess)))
3369 /* Write and read some early data */
3370 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3372 || !TEST_size_t_eq(written, strlen(MSG1))
3373 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3375 SSL_READ_EARLY_DATA_SUCCESS)
3376 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3379 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3380 || !TEST_int_gt(SSL_accept(serverssl), 0))
3383 /* Client and server should not be able to write/read early data now */
3384 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3388 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3390 SSL_READ_EARLY_DATA_ERROR))
3394 /* Client and server should be able to write/read normal data */
3395 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3396 || !TEST_size_t_eq(written, strlen(MSG5))
3397 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3398 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3404 SSL_SESSION_free(sess);
3405 SSL_SESSION_free(clientpsk);
3406 SSL_SESSION_free(serverpsk);
3407 clientpsk = serverpsk = NULL;
3408 SSL_free(serverssl);
3409 SSL_free(clientssl);
3415 static int allow_ed_cb_called = 0;
3417 static int allow_early_data_cb(SSL *s, void *arg)
3419 int *usecb = (int *)arg;
3421 allow_ed_cb_called++;
3430 * idx == 0: Standard early_data setup
3431 * idx == 1: early_data setup using read_ahead
3432 * usecb == 0: Don't use a custom early data callback
3433 * usecb == 1: Use a custom early data callback and reject the early data
3434 * usecb == 2: Use a custom early data callback and accept the early data
3435 * confopt == 0: Configure anti-replay directly
3436 * confopt == 1: Configure anti-replay using SSL_CONF
3438 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3440 SSL_CTX *cctx = NULL, *sctx = NULL;
3441 SSL *clientssl = NULL, *serverssl = NULL;
3443 SSL_SESSION *sess = NULL;
3444 size_t readbytes, written;
3445 unsigned char buf[20];
3447 allow_ed_cb_called = 0;
3449 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3450 TLS_client_method(), TLS1_VERSION, 0,
3451 &sctx, &cctx, cert, privkey)))
3456 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3458 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3460 if (!TEST_ptr(confctx))
3462 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3463 | SSL_CONF_FLAG_SERVER);
3464 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3465 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3467 SSL_CONF_CTX_free(confctx);
3470 SSL_CONF_CTX_free(confctx);
3472 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3475 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3476 &serverssl, &sess, idx)))
3480 * The server is configured to accept early data. Create a connection to
3481 * "use up" the ticket
3483 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3484 || !TEST_true(SSL_session_reused(clientssl)))
3487 SSL_shutdown(clientssl);
3488 SSL_shutdown(serverssl);
3489 SSL_free(serverssl);
3490 SSL_free(clientssl);
3491 serverssl = clientssl = NULL;
3493 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3494 &clientssl, NULL, NULL))
3495 || !TEST_true(SSL_set_session(clientssl, sess)))
3498 /* Write and read some early data */
3499 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3501 || !TEST_size_t_eq(written, strlen(MSG1)))
3505 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3507 SSL_READ_EARLY_DATA_FINISH)
3509 * The ticket was reused, so the we should have rejected the
3512 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3513 SSL_EARLY_DATA_REJECTED))
3516 /* In this case the callback decides to accept the early data */
3517 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3519 SSL_READ_EARLY_DATA_SUCCESS)
3520 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3522 * Server will have sent its flight so client can now send
3523 * end of early data and complete its half of the handshake
3525 || !TEST_int_gt(SSL_connect(clientssl), 0)
3526 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3528 SSL_READ_EARLY_DATA_FINISH)
3529 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3530 SSL_EARLY_DATA_ACCEPTED))
3534 /* Complete the connection */
3535 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3536 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3537 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3543 SSL_SESSION_free(sess);
3544 SSL_SESSION_free(clientpsk);
3545 SSL_SESSION_free(serverpsk);
3546 clientpsk = serverpsk = NULL;
3547 SSL_free(serverssl);
3548 SSL_free(clientssl);
3554 static int test_early_data_replay(int idx)
3556 int ret = 1, usecb, confopt;
3558 for (usecb = 0; usecb < 3; usecb++) {
3559 for (confopt = 0; confopt < 2; confopt++)
3560 ret &= test_early_data_replay_int(idx, usecb, confopt);
3567 * Helper function to test that a server attempting to read early data can
3568 * handle a connection from a client where the early data should be skipped.
3569 * testtype: 0 == No HRR
3570 * testtype: 1 == HRR
3571 * testtype: 2 == HRR, invalid early_data sent after HRR
3572 * testtype: 3 == recv_max_early_data set to 0
3574 static int early_data_skip_helper(int testtype, int idx)
3576 SSL_CTX *cctx = NULL, *sctx = NULL;
3577 SSL *clientssl = NULL, *serverssl = NULL;
3579 SSL_SESSION *sess = NULL;
3580 unsigned char buf[20];
3581 size_t readbytes, written;
3583 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3584 &serverssl, &sess, idx)))
3587 if (testtype == 1 || testtype == 2) {
3588 /* Force an HRR to occur */
3589 #if defined(OPENSSL_NO_EC)
3590 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3593 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3596 } else if (idx == 2) {
3598 * We force early_data rejection by ensuring the PSK identity is
3601 srvid = "Dummy Identity";
3604 * Deliberately corrupt the creation time. We take 20 seconds off the
3605 * time. It could be any value as long as it is not within tolerance.
3606 * This should mean the ticket is rejected.
3608 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3613 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3616 /* Write some early data */
3617 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3619 || !TEST_size_t_eq(written, strlen(MSG1)))
3622 /* Server should reject the early data */
3623 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3625 SSL_READ_EARLY_DATA_FINISH)
3626 || !TEST_size_t_eq(readbytes, 0)
3627 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3628 SSL_EARLY_DATA_REJECTED))
3638 * Finish off the handshake. We perform the same writes and reads as
3639 * further down but we expect them to fail due to the incomplete
3642 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3643 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3650 BIO *wbio = SSL_get_wbio(clientssl);
3651 /* A record that will appear as bad early_data */
3652 const unsigned char bad_early_data[] = {
3653 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3657 * We force the client to attempt a write. This will fail because
3658 * we're still in the handshake. It will cause the second
3659 * ClientHello to be sent.
3661 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3666 * Inject some early_data after the second ClientHello. This should
3667 * cause the server to fail
3669 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3670 sizeof(bad_early_data), &written)))
3677 * This client has sent more early_data than we are willing to skip
3678 * (case 3) or sent invalid early_data (case 2) so the connection should
3681 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3682 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3685 /* Connection has failed - nothing more to do */
3690 TEST_error("Invalid test type");
3695 * Should be able to send normal data despite rejection of early data. The
3696 * early_data should be skipped.
3698 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3699 || !TEST_size_t_eq(written, strlen(MSG2))
3700 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3701 SSL_EARLY_DATA_REJECTED)
3702 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3703 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3709 SSL_SESSION_free(clientpsk);
3710 SSL_SESSION_free(serverpsk);
3711 clientpsk = serverpsk = NULL;
3712 SSL_SESSION_free(sess);
3713 SSL_free(serverssl);
3714 SSL_free(clientssl);
3721 * Test that a server attempting to read early data can handle a connection
3722 * from a client where the early data is not acceptable.
3724 static int test_early_data_skip(int idx)
3726 return early_data_skip_helper(0, idx);
3730 * Test that a server attempting to read early data can handle a connection
3731 * from a client where an HRR occurs.
3733 static int test_early_data_skip_hrr(int idx)
3735 return early_data_skip_helper(1, idx);
3739 * Test that a server attempting to read early data can handle a connection
3740 * from a client where an HRR occurs and correctly fails if early_data is sent
3743 static int test_early_data_skip_hrr_fail(int idx)
3745 return early_data_skip_helper(2, idx);
3749 * Test that a server attempting to read early data will abort if it tries to
3750 * skip over too much.
3752 static int test_early_data_skip_abort(int idx)
3754 return early_data_skip_helper(3, idx);
3758 * Test that a server attempting to read early data can handle a connection
3759 * from a client that doesn't send any.
3761 static int test_early_data_not_sent(int idx)
3763 SSL_CTX *cctx = NULL, *sctx = NULL;
3764 SSL *clientssl = NULL, *serverssl = NULL;
3766 SSL_SESSION *sess = NULL;
3767 unsigned char buf[20];
3768 size_t readbytes, written;
3770 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3771 &serverssl, &sess, idx)))
3774 /* Write some data - should block due to handshake with server */
3775 SSL_set_connect_state(clientssl);
3776 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3779 /* Server should detect that early data has not been sent */
3780 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3782 SSL_READ_EARLY_DATA_FINISH)
3783 || !TEST_size_t_eq(readbytes, 0)
3784 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3785 SSL_EARLY_DATA_NOT_SENT)
3786 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3787 SSL_EARLY_DATA_NOT_SENT))
3790 /* Continue writing the message we started earlier */
3791 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3792 || !TEST_size_t_eq(written, strlen(MSG1))
3793 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3794 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3795 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3796 || !TEST_size_t_eq(written, strlen(MSG2)))
3799 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3800 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3806 SSL_SESSION_free(sess);
3807 SSL_SESSION_free(clientpsk);
3808 SSL_SESSION_free(serverpsk);
3809 clientpsk = serverpsk = NULL;
3810 SSL_free(serverssl);
3811 SSL_free(clientssl);
3817 static const char *servalpn;
3819 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3820 unsigned char *outlen, const unsigned char *in,
3821 unsigned int inlen, void *arg)
3823 unsigned int protlen = 0;
3824 const unsigned char *prot;
3826 for (prot = in; prot < in + inlen; prot += protlen) {
3828 if (in + inlen < prot + protlen)
3829 return SSL_TLSEXT_ERR_NOACK;
3831 if (protlen == strlen(servalpn)
3832 && memcmp(prot, servalpn, protlen) == 0) {
3835 return SSL_TLSEXT_ERR_OK;
3839 return SSL_TLSEXT_ERR_NOACK;
3842 /* Test that a PSK can be used to send early_data */
3843 static int test_early_data_psk(int idx)
3845 SSL_CTX *cctx = NULL, *sctx = NULL;
3846 SSL *clientssl = NULL, *serverssl = NULL;
3848 SSL_SESSION *sess = NULL;
3849 unsigned char alpnlist[] = {
3850 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3853 #define GOODALPNLEN 9
3854 #define BADALPNLEN 8
3855 #define GOODALPN (alpnlist)
3856 #define BADALPN (alpnlist + GOODALPNLEN)
3858 unsigned char buf[20];
3859 size_t readbytes, written;
3860 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3861 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3863 /* We always set this up with a final parameter of "2" for PSK */
3864 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3865 &serverssl, &sess, 2)))
3868 servalpn = "goodalpn";
3871 * Note: There is no test for inconsistent SNI with late client detection.
3872 * This is because servers do not acknowledge SNI even if they are using
3873 * it in a resumption handshake - so it is not actually possible for a
3874 * client to detect a problem.
3878 /* Set inconsistent SNI (early client detection) */
3879 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3880 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3881 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3886 /* Set inconsistent ALPN (early client detection) */
3887 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3888 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3889 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3891 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3898 * Set invalid protocol version. Technically this affects PSKs without
3899 * early_data too, but we test it here because it is similar to the
3900 * SNI/ALPN consistency tests.
3902 err = SSL_R_BAD_PSK;
3903 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3909 * Set inconsistent SNI (server side). In this case the connection
3910 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3911 * is associated with each handshake - not the session. Therefore it
3912 * should not matter that we used a different server name last time.
3914 SSL_SESSION_free(serverpsk);
3915 serverpsk = SSL_SESSION_dup(clientpsk);
3916 if (!TEST_ptr(serverpsk)
3917 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3921 /* Set consistent SNI */
3922 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3923 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3924 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3931 * Set inconsistent ALPN (server detected). In this case the connection
3932 * will succeed but reject early_data.
3934 servalpn = "badalpn";
3935 edstatus = SSL_EARLY_DATA_REJECTED;
3936 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3940 * Set consistent ALPN.
3941 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3942 * accepts a list of protos (each one length prefixed).
3943 * SSL_set1_alpn_selected accepts a single protocol (not length
3946 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3948 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3952 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3956 /* Set inconsistent ALPN (late client detection) */
3957 SSL_SESSION_free(serverpsk);
3958 serverpsk = SSL_SESSION_dup(clientpsk);
3959 if (!TEST_ptr(serverpsk)
3960 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3963 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3966 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3969 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3970 edstatus = SSL_EARLY_DATA_ACCEPTED;
3971 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3972 /* SSL_connect() call should fail */
3977 TEST_error("Bad test index");
3981 SSL_set_connect_state(clientssl);
3983 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3985 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3986 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3989 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3993 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3994 &readbytes), readearlyres)
3995 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3996 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3997 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3998 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4005 SSL_SESSION_free(sess);
4006 SSL_SESSION_free(clientpsk);
4007 SSL_SESSION_free(serverpsk);
4008 clientpsk = serverpsk = NULL;
4009 SSL_free(serverssl);
4010 SSL_free(clientssl);
4017 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4018 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4019 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4020 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4021 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4022 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4024 static int test_early_data_psk_with_all_ciphers(int idx)
4026 SSL_CTX *cctx = NULL, *sctx = NULL;
4027 SSL *clientssl = NULL, *serverssl = NULL;
4029 SSL_SESSION *sess = NULL;
4030 unsigned char buf[20];
4031 size_t readbytes, written;
4032 const SSL_CIPHER *cipher;
4033 const char *cipher_str[] = {
4034 TLS1_3_RFC_AES_128_GCM_SHA256,
4035 TLS1_3_RFC_AES_256_GCM_SHA384,
4036 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4037 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4041 TLS1_3_RFC_AES_128_CCM_SHA256,
4042 TLS1_3_RFC_AES_128_CCM_8_SHA256
4044 const unsigned char *cipher_bytes[] = {
4045 TLS13_AES_128_GCM_SHA256_BYTES,
4046 TLS13_AES_256_GCM_SHA384_BYTES,
4047 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4048 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4052 TLS13_AES_128_CCM_SHA256_BYTES,
4053 TLS13_AES_128_CCM_8_SHA256_BYTES
4056 if (cipher_str[idx] == NULL)
4058 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4059 if (idx == 2 && is_fips == 1)
4062 /* We always set this up with a final parameter of "2" for PSK */
4063 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4064 &serverssl, &sess, 2)))
4067 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4068 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4072 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4073 * and assigns to both client and server with incremented reference
4074 * and the same instance is updated in 'sess'.
4075 * So updating ciphersuite in 'sess' which will get reflected in
4076 * PSK handshake using psk use sess and find sess cb.
4078 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4079 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4082 SSL_set_connect_state(clientssl);
4083 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4087 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4089 SSL_READ_EARLY_DATA_SUCCESS)
4090 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4091 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4092 SSL_EARLY_DATA_ACCEPTED)
4093 || !TEST_int_eq(SSL_connect(clientssl), 1)
4094 || !TEST_int_eq(SSL_accept(serverssl), 1))
4097 /* Send some normal data from client to server */
4098 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4099 || !TEST_size_t_eq(written, strlen(MSG2)))
4102 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4103 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4108 SSL_SESSION_free(sess);
4109 SSL_SESSION_free(clientpsk);
4110 SSL_SESSION_free(serverpsk);
4111 clientpsk = serverpsk = NULL;
4112 if (clientssl != NULL)
4113 SSL_shutdown(clientssl);
4114 if (serverssl != NULL)
4115 SSL_shutdown(serverssl);
4116 SSL_free(serverssl);
4117 SSL_free(clientssl);
4124 * Test that a server that doesn't try to read early data can handle a
4125 * client sending some.
4127 static int test_early_data_not_expected(int idx)
4129 SSL_CTX *cctx = NULL, *sctx = NULL;
4130 SSL *clientssl = NULL, *serverssl = NULL;
4132 SSL_SESSION *sess = NULL;
4133 unsigned char buf[20];
4134 size_t readbytes, written;
4136 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4137 &serverssl, &sess, idx)))
4140 /* Write some early data */
4141 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4146 * Server should skip over early data and then block waiting for client to
4147 * continue handshake
4149 if (!TEST_int_le(SSL_accept(serverssl), 0)
4150 || !TEST_int_gt(SSL_connect(clientssl), 0)
4151 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4152 SSL_EARLY_DATA_REJECTED)
4153 || !TEST_int_gt(SSL_accept(serverssl), 0)
4154 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4155 SSL_EARLY_DATA_REJECTED))
4158 /* Send some normal data from client to server */
4159 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4160 || !TEST_size_t_eq(written, strlen(MSG2)))
4163 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4164 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4170 SSL_SESSION_free(sess);
4171 SSL_SESSION_free(clientpsk);
4172 SSL_SESSION_free(serverpsk);
4173 clientpsk = serverpsk = NULL;
4174 SSL_free(serverssl);
4175 SSL_free(clientssl);
4182 # ifndef OPENSSL_NO_TLS1_2
4184 * Test that a server attempting to read early data can handle a connection
4185 * from a TLSv1.2 client.
4187 static int test_early_data_tls1_2(int idx)
4189 SSL_CTX *cctx = NULL, *sctx = NULL;
4190 SSL *clientssl = NULL, *serverssl = NULL;
4192 unsigned char buf[20];
4193 size_t readbytes, written;
4195 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4196 &serverssl, NULL, idx)))
4199 /* Write some data - should block due to handshake with server */
4200 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4201 SSL_set_connect_state(clientssl);
4202 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4206 * Server should do TLSv1.2 handshake. First it will block waiting for more
4207 * messages from client after ServerDone. Then SSL_read_early_data should
4208 * finish and detect that early data has not been sent
4210 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4212 SSL_READ_EARLY_DATA_ERROR))
4216 * Continue writing the message we started earlier. Will still block waiting
4217 * for the CCS/Finished from server
4219 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4220 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4222 SSL_READ_EARLY_DATA_FINISH)
4223 || !TEST_size_t_eq(readbytes, 0)
4224 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4225 SSL_EARLY_DATA_NOT_SENT))
4228 /* Continue writing the message we started earlier */
4229 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4230 || !TEST_size_t_eq(written, strlen(MSG1))
4231 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4232 SSL_EARLY_DATA_NOT_SENT)
4233 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4234 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4235 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4236 || !TEST_size_t_eq(written, strlen(MSG2))
4237 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4238 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4244 SSL_SESSION_free(clientpsk);
4245 SSL_SESSION_free(serverpsk);
4246 clientpsk = serverpsk = NULL;
4247 SSL_free(serverssl);
4248 SSL_free(clientssl);
4254 # endif /* OPENSSL_NO_TLS1_2 */
4257 * Test configuring the TLSv1.3 ciphersuites
4259 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4260 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4261 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4262 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4263 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4264 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4265 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4266 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4267 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4268 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4270 static int test_set_ciphersuite(int idx)
4272 SSL_CTX *cctx = NULL, *sctx = NULL;
4273 SSL *clientssl = NULL, *serverssl = NULL;
4276 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4277 TLS_client_method(), TLS1_VERSION, 0,
4278 &sctx, &cctx, cert, privkey))
4279 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4280 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4283 if (idx >=4 && idx <= 7) {
4284 /* SSL_CTX explicit cipher list */
4285 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4289 if (idx == 0 || idx == 4) {
4290 /* Default ciphersuite */
4291 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4292 "TLS_AES_128_GCM_SHA256")))
4294 } else if (idx == 1 || idx == 5) {
4295 /* Non default ciphersuite */
4296 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4297 "TLS_AES_128_CCM_SHA256")))
4301 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4302 &clientssl, NULL, NULL)))
4305 if (idx == 8 || idx == 9) {
4306 /* SSL explicit cipher list */
4307 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4311 if (idx == 2 || idx == 6 || idx == 8) {
4312 /* Default ciphersuite */
4313 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4314 "TLS_AES_128_GCM_SHA256")))
4316 } else if (idx == 3 || idx == 7 || idx == 9) {
4317 /* Non default ciphersuite */
4318 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4319 "TLS_AES_128_CCM_SHA256")))
4323 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4329 SSL_free(serverssl);
4330 SSL_free(clientssl);
4337 static int test_ciphersuite_change(void)
4339 SSL_CTX *cctx = NULL, *sctx = NULL;
4340 SSL *clientssl = NULL, *serverssl = NULL;
4341 SSL_SESSION *clntsess = NULL;
4343 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4345 /* Create a session based on SHA-256 */
4346 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4347 TLS_client_method(), TLS1_VERSION, 0,
4348 &sctx, &cctx, cert, privkey))
4349 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4350 "TLS_AES_128_GCM_SHA256:"
4351 "TLS_AES_256_GCM_SHA384:"
4352 "TLS_AES_128_CCM_SHA256"))
4353 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4354 "TLS_AES_128_GCM_SHA256"))
4355 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4356 &clientssl, NULL, NULL))
4357 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4361 clntsess = SSL_get1_session(clientssl);
4362 /* Save for later */
4363 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4364 SSL_shutdown(clientssl);
4365 SSL_shutdown(serverssl);
4366 SSL_free(serverssl);
4367 SSL_free(clientssl);
4368 serverssl = clientssl = NULL;
4370 /* Check we can resume a session with a different SHA-256 ciphersuite */
4371 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4372 "TLS_AES_128_CCM_SHA256"))
4373 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4374 &clientssl, NULL, NULL))
4375 || !TEST_true(SSL_set_session(clientssl, clntsess))
4376 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4378 || !TEST_true(SSL_session_reused(clientssl)))
4381 SSL_SESSION_free(clntsess);
4382 clntsess = SSL_get1_session(clientssl);
4383 SSL_shutdown(clientssl);
4384 SSL_shutdown(serverssl);
4385 SSL_free(serverssl);
4386 SSL_free(clientssl);
4387 serverssl = clientssl = NULL;
4390 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4391 * succeeds but does not resume.
4393 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4394 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4396 || !TEST_true(SSL_set_session(clientssl, clntsess))
4397 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4399 || !TEST_false(SSL_session_reused(clientssl)))
4402 SSL_SESSION_free(clntsess);
4404 SSL_shutdown(clientssl);
4405 SSL_shutdown(serverssl);
4406 SSL_free(serverssl);
4407 SSL_free(clientssl);
4408 serverssl = clientssl = NULL;
4410 /* Create a session based on SHA384 */
4411 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4412 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4413 &clientssl, NULL, NULL))
4414 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4418 clntsess = SSL_get1_session(clientssl);
4419 SSL_shutdown(clientssl);
4420 SSL_shutdown(serverssl);
4421 SSL_free(serverssl);
4422 SSL_free(clientssl);
4423 serverssl = clientssl = NULL;
4425 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4426 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4427 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4428 "TLS_AES_256_GCM_SHA384"))
4429 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4431 || !TEST_true(SSL_set_session(clientssl, clntsess))
4433 * We use SSL_ERROR_WANT_READ below so that we can pause the
4434 * connection after the initial ClientHello has been sent to
4435 * enable us to make some session changes.
4437 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4438 SSL_ERROR_WANT_READ)))
4441 /* Trick the client into thinking this session is for a different digest */
4442 clntsess->cipher = aes_128_gcm_sha256;
4443 clntsess->cipher_id = clntsess->cipher->id;
4446 * Continue the previously started connection. Server has selected a SHA-384
4447 * ciphersuite, but client thinks the session is for SHA-256, so it should
4450 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4452 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4453 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4459 SSL_SESSION_free(clntsess);
4460 SSL_free(serverssl);
4461 SSL_free(clientssl);
4469 * Test TLSv1.3 Key exchange
4470 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4471 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4472 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4473 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4474 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4475 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4476 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4477 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4478 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4479 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4480 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4481 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4482 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4483 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4485 static int test_key_exchange(int idx)
4487 SSL_CTX *sctx = NULL, *cctx = NULL;
4488 SSL *serverssl = NULL, *clientssl = NULL;
4490 # ifndef OPENSSL_NO_EC
4491 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4492 NID_secp521r1, NID_X25519, NID_X448};
4494 # ifndef OPENSSL_NO_DH
4495 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4496 NID_ffdhe6144, NID_ffdhe8192};
4499 int *kexch_groups = &kexch_alg;
4500 int kexch_groups_size = 1;
4501 int max_version = TLS1_3_VERSION;
4504 # ifndef OPENSSL_NO_EC
4505 # ifndef OPENSSL_NO_TLS1_2
4507 max_version = TLS1_2_VERSION;
4511 kexch_groups = ecdhe_kexch_groups;
4512 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4515 kexch_alg = NID_X9_62_prime256v1;
4518 kexch_alg = NID_secp384r1;
4521 kexch_alg = NID_secp521r1;
4524 kexch_alg = NID_X25519;
4527 kexch_alg = NID_X448;
4530 # ifndef OPENSSL_NO_DH
4531 # ifndef OPENSSL_NO_TLS1_2
4533 max_version = TLS1_2_VERSION;
4537 kexch_groups = ffdhe_kexch_groups;
4538 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4541 kexch_alg = NID_ffdhe2048;
4544 kexch_alg = NID_ffdhe3072;
4547 kexch_alg = NID_ffdhe4096;
4550 kexch_alg = NID_ffdhe6144;
4553 kexch_alg = NID_ffdhe8192;
4557 /* We're skipping this test */
4561 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4562 TLS_client_method(), TLS1_VERSION,
4563 max_version, &sctx, &cctx, cert,
4567 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4568 TLS1_3_RFC_AES_128_GCM_SHA256)))
4571 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4572 TLS1_3_RFC_AES_128_GCM_SHA256)))
4575 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4576 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4580 * Must include an EC ciphersuite so that we send supported groups in
4583 # ifndef OPENSSL_NO_TLS1_2
4584 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4585 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4586 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4594 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4595 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4598 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4602 * If Handshake succeeds the negotiated kexch alg should be the first one in
4603 * configured, except in the case of FFDHE groups (idx 13), which are
4604 * TLSv1.3 only so we expect no shared group to exist.
4606 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4607 idx == 13 ? 0 : kexch_groups[0]))
4609 if (max_version == TLS1_3_VERSION) {
4610 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4612 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4618 SSL_free(serverssl);
4619 SSL_free(clientssl);
4626 * Test TLSv1.3 Cipher Suite
4627 * Test 0 = Set TLS1.3 cipher on context
4628 * Test 1 = Set TLS1.3 cipher on SSL
4629 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4630 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4632 static int test_tls13_ciphersuite(int idx)
4634 SSL_CTX *sctx = NULL, *cctx = NULL;
4635 SSL *serverssl = NULL, *clientssl = NULL;
4636 static const struct {
4637 const char *ciphername;
4640 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4641 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4642 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4643 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4644 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4645 { TLS1_3_RFC_AES_256_GCM_SHA384
4646 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4648 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4650 const char *t13_cipher = NULL;
4651 const char *t12_cipher = NULL;
4652 const char *negotiated_scipher;
4653 const char *negotiated_ccipher;
4669 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4673 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4677 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4678 # ifdef OPENSSL_NO_TLS1_2
4679 if (max_ver == TLS1_2_VERSION)
4682 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4683 if (is_fips && !t13_ciphers[i].fipscapable)
4685 t13_cipher = t13_ciphers[i].ciphername;
4686 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4687 TLS_client_method(),
4688 TLS1_VERSION, max_ver,
4689 &sctx, &cctx, cert, privkey)))
4693 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4694 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4696 if (t12_cipher != NULL) {
4697 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4698 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4704 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4705 &clientssl, NULL, NULL)))
4709 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4710 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4712 if (t12_cipher != NULL) {
4713 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4714 || !TEST_true(SSL_set_cipher_list(clientssl,
4720 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4724 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4726 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4728 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4732 * TEST_strn_eq is used below because t13_cipher can contain
4733 * multiple ciphersuites
4735 if (max_ver == TLS1_3_VERSION
4736 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4737 strlen(negotiated_scipher)))
4740 # ifndef OPENSSL_NO_TLS1_2
4741 /* Below validation is not done when t12_cipher is NULL */
4742 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4743 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4747 SSL_free(serverssl);
4749 SSL_free(clientssl);
4760 SSL_free(serverssl);
4761 SSL_free(clientssl);
4769 * Test 0 = Test new style callbacks
4770 * Test 1 = Test both new and old style callbacks
4771 * Test 2 = Test old style callbacks
4772 * Test 3 = Test old style callbacks with no certificate
4774 static int test_tls13_psk(int idx)
4776 SSL_CTX *sctx = NULL, *cctx = NULL;
4777 SSL *serverssl = NULL, *clientssl = NULL;
4778 const SSL_CIPHER *cipher = NULL;
4779 const unsigned char key[] = {
4780 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4781 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4782 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4783 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4787 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4788 TLS_client_method(), TLS1_VERSION, 0,
4789 &sctx, &cctx, idx == 3 ? NULL : cert,
4790 idx == 3 ? NULL : privkey)))
4795 * We use a ciphersuite with SHA256 to ease testing old style PSK
4796 * callbacks which will always default to SHA256. This should not be
4797 * necessary if we have no cert/priv key. In that case the server should
4798 * prefer SHA256 automatically.
4800 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4801 "TLS_AES_128_GCM_SHA256")))
4805 * As noted above the server should prefer SHA256 automatically. However
4806 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4807 * code works even if we are testing with only the FIPS provider loaded.
4809 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4810 "TLS_AES_256_GCM_SHA384:"
4811 "TLS_AES_128_GCM_SHA256")))
4816 * Test 0: New style callbacks only
4817 * Test 1: New and old style callbacks (only the new ones should be used)
4818 * Test 2: Old style callbacks only
4820 if (idx == 0 || idx == 1) {
4821 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4822 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4824 #ifndef OPENSSL_NO_PSK
4826 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4827 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4831 use_session_cb_cnt = 0;
4832 find_session_cb_cnt = 0;
4833 psk_client_cb_cnt = 0;
4834 psk_server_cb_cnt = 0;
4838 * Check we can create a connection if callback decides not to send a
4841 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4843 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4845 || !TEST_false(SSL_session_reused(clientssl))
4846 || !TEST_false(SSL_session_reused(serverssl)))
4849 if (idx == 0 || idx == 1) {
4850 if (!TEST_true(use_session_cb_cnt == 1)
4851 || !TEST_true(find_session_cb_cnt == 0)
4853 * If no old style callback then below should be 0
4856 || !TEST_true(psk_client_cb_cnt == idx)
4857 || !TEST_true(psk_server_cb_cnt == 0))
4860 if (!TEST_true(use_session_cb_cnt == 0)
4861 || !TEST_true(find_session_cb_cnt == 0)
4862 || !TEST_true(psk_client_cb_cnt == 1)
4863 || !TEST_true(psk_server_cb_cnt == 0))
4867 shutdown_ssl_connection(serverssl, clientssl);
4868 serverssl = clientssl = NULL;
4869 use_session_cb_cnt = psk_client_cb_cnt = 0;
4872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4876 /* Create the PSK */
4877 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4878 clientpsk = SSL_SESSION_new();
4879 if (!TEST_ptr(clientpsk)
4880 || !TEST_ptr(cipher)
4881 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4883 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4884 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4886 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4888 serverpsk = clientpsk;
4890 /* Check we can create a connection and the PSK is used */
4891 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4892 || !TEST_true(SSL_session_reused(clientssl))
4893 || !TEST_true(SSL_session_reused(serverssl)))
4896 if (idx == 0 || idx == 1) {
4897 if (!TEST_true(use_session_cb_cnt == 1)
4898 || !TEST_true(find_session_cb_cnt == 1)
4899 || !TEST_true(psk_client_cb_cnt == 0)
4900 || !TEST_true(psk_server_cb_cnt == 0))
4903 if (!TEST_true(use_session_cb_cnt == 0)
4904 || !TEST_true(find_session_cb_cnt == 0)
4905 || !TEST_true(psk_client_cb_cnt == 1)
4906 || !TEST_true(psk_server_cb_cnt == 1))
4910 shutdown_ssl_connection(serverssl, clientssl);
4911 serverssl = clientssl = NULL;
4912 use_session_cb_cnt = find_session_cb_cnt = 0;
4913 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4915 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4920 #if defined(OPENSSL_NO_EC)
4921 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4924 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4929 * Check we can create a connection, the PSK is used and the callbacks are
4932 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4933 || !TEST_true(SSL_session_reused(clientssl))
4934 || !TEST_true(SSL_session_reused(serverssl)))
4937 if (idx == 0 || idx == 1) {
4938 if (!TEST_true(use_session_cb_cnt == 2)
4939 || !TEST_true(find_session_cb_cnt == 2)
4940 || !TEST_true(psk_client_cb_cnt == 0)
4941 || !TEST_true(psk_server_cb_cnt == 0))
4944 if (!TEST_true(use_session_cb_cnt == 0)
4945 || !TEST_true(find_session_cb_cnt == 0)
4946 || !TEST_true(psk_client_cb_cnt == 2)
4947 || !TEST_true(psk_server_cb_cnt == 2))
4951 shutdown_ssl_connection(serverssl, clientssl);
4952 serverssl = clientssl = NULL;
4953 use_session_cb_cnt = find_session_cb_cnt = 0;
4954 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4958 * Check that if the server rejects the PSK we can still connect, but with
4961 srvid = "Dummy Identity";
4962 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4964 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4966 || !TEST_false(SSL_session_reused(clientssl))
4967 || !TEST_false(SSL_session_reused(serverssl)))
4970 if (idx == 0 || idx == 1) {
4971 if (!TEST_true(use_session_cb_cnt == 1)
4972 || !TEST_true(find_session_cb_cnt == 1)
4973 || !TEST_true(psk_client_cb_cnt == 0)
4975 * If no old style callback then below should be 0
4978 || !TEST_true(psk_server_cb_cnt == idx))
4981 if (!TEST_true(use_session_cb_cnt == 0)
4982 || !TEST_true(find_session_cb_cnt == 0)
4983 || !TEST_true(psk_client_cb_cnt == 1)
4984 || !TEST_true(psk_server_cb_cnt == 1))
4988 shutdown_ssl_connection(serverssl, clientssl);
4989 serverssl = clientssl = NULL;
4994 SSL_SESSION_free(clientpsk);
4995 SSL_SESSION_free(serverpsk);
4996 clientpsk = serverpsk = NULL;
4997 SSL_free(serverssl);
4998 SSL_free(clientssl);
5004 static unsigned char cookie_magic_value[] = "cookie magic";
5006 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5007 unsigned int *cookie_len)
5010 * Not suitable as a real cookie generation function but good enough for
5013 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5014 *cookie_len = sizeof(cookie_magic_value) - 1;
5019 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5020 unsigned int cookie_len)
5022 if (cookie_len == sizeof(cookie_magic_value) - 1
5023 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5029 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5033 int res = generate_cookie_callback(ssl, cookie, &temp);
5038 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5041 return verify_cookie_callback(ssl, cookie, cookie_len);
5044 static int test_stateless(void)
5046 SSL_CTX *sctx = NULL, *cctx = NULL;
5047 SSL *serverssl = NULL, *clientssl = NULL;
5050 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5051 TLS_client_method(), TLS1_VERSION, 0,
5052 &sctx, &cctx, cert, privkey)))
5055 /* The arrival of CCS messages can confuse the test */
5056 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5058 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5060 /* Send the first ClientHello */
5061 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5062 SSL_ERROR_WANT_READ))
5064 * This should fail with a -1 return because we have no callbacks
5067 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5070 /* Fatal error so abandon the connection from this client */
5071 SSL_free(clientssl);
5074 /* Set up the cookie generation and verification callbacks */
5075 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5076 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5079 * Create a new connection from the client (we can reuse the server SSL
5082 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5084 /* Send the first ClientHello */
5085 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5086 SSL_ERROR_WANT_READ))
5087 /* This should fail because there is no cookie */
5088 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5091 /* Abandon the connection from this client */
5092 SSL_free(clientssl);
5096 * Now create a connection from a new client but with the same server SSL
5099 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5101 /* Send the first ClientHello */
5102 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5103 SSL_ERROR_WANT_READ))
5104 /* This should fail because there is no cookie */
5105 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5106 /* Send the second ClientHello */
5107 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5108 SSL_ERROR_WANT_READ))
5109 /* This should succeed because a cookie is now present */
5110 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5111 /* Complete the connection */
5112 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5116 shutdown_ssl_connection(serverssl, clientssl);
5117 serverssl = clientssl = NULL;
5121 SSL_free(serverssl);
5122 SSL_free(clientssl);
5128 #endif /* OPENSSL_NO_TLS1_3 */
5130 static int clntaddoldcb = 0;
5131 static int clntparseoldcb = 0;
5132 static int srvaddoldcb = 0;
5133 static int srvparseoldcb = 0;
5134 static int clntaddnewcb = 0;
5135 static int clntparsenewcb = 0;
5136 static int srvaddnewcb = 0;
5137 static int srvparsenewcb = 0;
5138 static int snicb = 0;
5140 #define TEST_EXT_TYPE1 0xff00
5142 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5143 size_t *outlen, int *al, void *add_arg)
5145 int *server = (int *)add_arg;
5146 unsigned char *data;
5148 if (SSL_is_server(s))
5153 if (*server != SSL_is_server(s)
5154 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5159 *outlen = sizeof(char);
5163 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5166 OPENSSL_free((unsigned char *)out);
5169 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5170 size_t inlen, int *al, void *parse_arg)
5172 int *server = (int *)parse_arg;
5174 if (SSL_is_server(s))
5179 if (*server != SSL_is_server(s)
5180 || inlen != sizeof(char)
5187 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5188 const unsigned char **out, size_t *outlen, X509 *x,
5189 size_t chainidx, int *al, void *add_arg)
5191 int *server = (int *)add_arg;
5192 unsigned char *data;
5194 if (SSL_is_server(s))
5199 if (*server != SSL_is_server(s)
5200 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5205 *outlen = sizeof(*data);
5209 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5210 const unsigned char *out, void *add_arg)
5212 OPENSSL_free((unsigned char *)out);
5215 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5216 const unsigned char *in, size_t inlen, X509 *x,
5217 size_t chainidx, int *al, void *parse_arg)
5219 int *server = (int *)parse_arg;
5221 if (SSL_is_server(s))
5226 if (*server != SSL_is_server(s)
5227 || inlen != sizeof(char) || *in != 1)
5233 static int sni_cb(SSL *s, int *al, void *arg)
5235 SSL_CTX *ctx = (SSL_CTX *)arg;
5237 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5238 *al = SSL_AD_INTERNAL_ERROR;
5239 return SSL_TLSEXT_ERR_ALERT_FATAL;
5242 return SSL_TLSEXT_ERR_OK;
5246 * Custom call back tests.
5247 * Test 0: Old style callbacks in TLSv1.2
5248 * Test 1: New style callbacks in TLSv1.2
5249 * Test 2: New style callbacks in TLSv1.2 with SNI
5250 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5251 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5253 static int test_custom_exts(int tst)
5255 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5256 SSL *clientssl = NULL, *serverssl = NULL;
5258 static int server = 1;
5259 static int client = 0;
5260 SSL_SESSION *sess = NULL;
5261 unsigned int context;
5263 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5264 /* Skip tests for TLSv1.2 and below in this case */
5269 /* Reset callback counters */
5270 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5271 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5274 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5275 TLS_client_method(), TLS1_VERSION, 0,
5276 &sctx, &cctx, cert, privkey)))
5280 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5282 &sctx2, NULL, cert, privkey)))
5287 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5288 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5290 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5294 context = SSL_EXT_CLIENT_HELLO
5295 | SSL_EXT_TLS1_2_SERVER_HELLO
5296 | SSL_EXT_TLS1_3_SERVER_HELLO
5297 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5298 | SSL_EXT_TLS1_3_CERTIFICATE
5299 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5301 context = SSL_EXT_CLIENT_HELLO
5302 | SSL_EXT_TLS1_2_SERVER_HELLO
5303 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5306 /* Create a client side custom extension */
5308 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5309 old_add_cb, old_free_cb,
5310 &client, old_parse_cb,
5314 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5315 new_add_cb, new_free_cb,
5316 &client, new_parse_cb, &client)))
5320 /* Should not be able to add duplicates */
5321 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5322 old_add_cb, old_free_cb,
5323 &client, old_parse_cb,
5325 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5326 context, new_add_cb,
5327 new_free_cb, &client,
5328 new_parse_cb, &client)))
5331 /* Create a server side custom extension */
5333 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5334 old_add_cb, old_free_cb,
5335 &server, old_parse_cb,
5339 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5340 new_add_cb, new_free_cb,
5341 &server, new_parse_cb, &server)))
5344 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5345 context, new_add_cb,
5346 new_free_cb, &server,
5347 new_parse_cb, &server)))
5351 /* Should not be able to add duplicates */
5352 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5353 old_add_cb, old_free_cb,
5354 &server, old_parse_cb,
5356 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5357 context, new_add_cb,
5358 new_free_cb, &server,
5359 new_parse_cb, &server)))
5364 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5365 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5370 &clientssl, NULL, NULL))
5371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5376 if (clntaddoldcb != 1
5377 || clntparseoldcb != 1
5379 || srvparseoldcb != 1)
5381 } else if (tst == 1 || tst == 2 || tst == 3) {
5382 if (clntaddnewcb != 1
5383 || clntparsenewcb != 1
5385 || srvparsenewcb != 1
5386 || (tst != 2 && snicb != 0)
5387 || (tst == 2 && snicb != 1))
5390 /* In this case there 2 NewSessionTicket messages created */
5391 if (clntaddnewcb != 1
5392 || clntparsenewcb != 5
5394 || srvparsenewcb != 1)
5398 sess = SSL_get1_session(clientssl);
5399 SSL_shutdown(clientssl);
5400 SSL_shutdown(serverssl);
5401 SSL_free(serverssl);
5402 SSL_free(clientssl);
5403 serverssl = clientssl = NULL;
5406 /* We don't bother with the resumption aspects for this test */
5411 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5413 || !TEST_true(SSL_set_session(clientssl, sess))
5414 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5419 * For a resumed session we expect to add the ClientHello extension. For the
5420 * old style callbacks we ignore it on the server side because they set
5421 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5425 if (clntaddoldcb != 2
5426 || clntparseoldcb != 1
5428 || srvparseoldcb != 1)
5430 } else if (tst == 1 || tst == 2 || tst == 3) {
5431 if (clntaddnewcb != 2
5432 || clntparsenewcb != 2
5434 || srvparsenewcb != 2)
5438 * No Certificate message extensions in the resumption handshake,
5439 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5441 if (clntaddnewcb != 2
5442 || clntparsenewcb != 8
5444 || srvparsenewcb != 2)
5451 SSL_SESSION_free(sess);
5452 SSL_free(serverssl);
5453 SSL_free(clientssl);
5454 SSL_CTX_free(sctx2);
5461 * Test loading of serverinfo data in various formats. test_sslmessages actually
5462 * tests to make sure the extensions appear in the handshake
5464 static int test_serverinfo(int tst)
5466 unsigned int version;
5467 unsigned char *sibuf;
5469 int ret, expected, testresult = 0;
5472 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5476 if ((tst & 0x01) == 0x01)
5477 version = SSL_SERVERINFOV2;
5479 version = SSL_SERVERINFOV1;
5481 if ((tst & 0x02) == 0x02) {
5482 sibuf = serverinfov2;
5483 sibuflen = sizeof(serverinfov2);
5484 expected = (version == SSL_SERVERINFOV2);
5486 sibuf = serverinfov1;
5487 sibuflen = sizeof(serverinfov1);
5488 expected = (version == SSL_SERVERINFOV1);
5491 if ((tst & 0x04) == 0x04) {
5492 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5494 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5497 * The version variable is irrelevant in this case - it's what is in the
5498 * buffer that matters
5500 if ((tst & 0x02) == 0x02)
5506 if (!TEST_true(ret == expected))
5518 * Test that SSL_export_keying_material() produces expected results. There are
5519 * no test vectors so all we do is test that both sides of the communication
5520 * produce the same results for different protocol versions.
5522 #define SMALL_LABEL_LEN 10
5523 #define LONG_LABEL_LEN 249
5524 static int test_export_key_mat(int tst)
5527 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5528 SSL *clientssl = NULL, *serverssl = NULL;
5529 const char label[LONG_LABEL_LEN + 1] = "test label";
5530 const unsigned char context[] = "context";
5531 const unsigned char *emptycontext = NULL;
5532 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5533 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5535 const int protocols[] = {
5544 #ifdef OPENSSL_NO_TLS1
5548 #ifdef OPENSSL_NO_TLS1_1
5552 if (is_fips && (tst == 0 || tst == 1))
5554 #ifdef OPENSSL_NO_TLS1_2
5558 #ifdef OPENSSL_NO_TLS1_3
5562 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5563 TLS_client_method(), TLS1_VERSION, 0,
5564 &sctx, &cctx, cert, privkey)))
5567 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5568 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5569 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5570 if ((protocols[tst] < TLS1_2_VERSION) &&
5571 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5572 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5575 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5577 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5583 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5586 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5587 sizeof(ckeymat1), label,
5588 LONG_LABEL_LEN + 1, context,
5589 sizeof(context) - 1, 1), 0))
5594 } else if (tst == 4) {
5595 labellen = LONG_LABEL_LEN;
5597 labellen = SMALL_LABEL_LEN;
5600 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5601 sizeof(ckeymat1), label,
5603 sizeof(context) - 1, 1), 1)
5604 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5605 sizeof(ckeymat2), label,
5609 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5610 sizeof(ckeymat3), label,
5613 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5614 sizeof(skeymat1), label,
5617 sizeof(context) -1, 1),
5619 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5620 sizeof(skeymat2), label,
5624 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5625 sizeof(skeymat3), label,
5629 * Check that both sides created the same key material with the
5632 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5635 * Check that both sides created the same key material with an
5638 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5641 * Check that both sides created the same key material without a
5644 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5646 /* Different contexts should produce different results */
5647 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5652 * Check that an empty context and no context produce different results in
5653 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5655 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5657 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5664 SSL_free(serverssl);
5665 SSL_free(clientssl);
5666 SSL_CTX_free(sctx2);
5673 #ifndef OPENSSL_NO_TLS1_3
5675 * Test that SSL_export_keying_material_early() produces expected
5676 * results. There are no test vectors so all we do is test that both
5677 * sides of the communication produce the same results for different
5678 * protocol versions.
5680 static int test_export_key_mat_early(int idx)
5682 static const char label[] = "test label";
5683 static const unsigned char context[] = "context";
5685 SSL_CTX *cctx = NULL, *sctx = NULL;
5686 SSL *clientssl = NULL, *serverssl = NULL;
5687 SSL_SESSION *sess = NULL;
5688 const unsigned char *emptycontext = NULL;
5689 unsigned char ckeymat1[80], ckeymat2[80];
5690 unsigned char skeymat1[80], skeymat2[80];
5691 unsigned char buf[1];
5692 size_t readbytes, written;
5694 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5698 /* Here writing 0 length early data is enough. */
5699 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5700 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5702 SSL_READ_EARLY_DATA_ERROR)
5703 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5704 SSL_EARLY_DATA_ACCEPTED))
5707 if (!TEST_int_eq(SSL_export_keying_material_early(
5708 clientssl, ckeymat1, sizeof(ckeymat1), label,
5709 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5710 || !TEST_int_eq(SSL_export_keying_material_early(
5711 clientssl, ckeymat2, sizeof(ckeymat2), label,
5712 sizeof(label) - 1, emptycontext, 0), 1)
5713 || !TEST_int_eq(SSL_export_keying_material_early(
5714 serverssl, skeymat1, sizeof(skeymat1), label,
5715 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5716 || !TEST_int_eq(SSL_export_keying_material_early(
5717 serverssl, skeymat2, sizeof(skeymat2), label,
5718 sizeof(label) - 1, emptycontext, 0), 1)
5720 * Check that both sides created the same key material with the
5723 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5726 * Check that both sides created the same key material with an
5729 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5731 /* Different contexts should produce different results */
5732 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5739 SSL_SESSION_free(sess);
5740 SSL_SESSION_free(clientpsk);
5741 SSL_SESSION_free(serverpsk);
5742 clientpsk = serverpsk = NULL;
5743 SSL_free(serverssl);
5744 SSL_free(clientssl);
5751 #define NUM_KEY_UPDATE_MESSAGES 40
5755 static int test_key_update(void)
5757 SSL_CTX *cctx = NULL, *sctx = NULL;
5758 SSL *clientssl = NULL, *serverssl = NULL;
5759 int testresult = 0, i, j;
5761 static char *mess = "A test message";
5763 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5764 TLS_client_method(),
5767 &sctx, &cctx, cert, privkey))
5768 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5770 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5774 for (j = 0; j < 2; j++) {
5775 /* Send lots of KeyUpdate messages */
5776 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5777 if (!TEST_true(SSL_key_update(clientssl,
5779 ? SSL_KEY_UPDATE_NOT_REQUESTED
5780 : SSL_KEY_UPDATE_REQUESTED))
5781 || !TEST_true(SSL_do_handshake(clientssl)))
5785 /* Check that sending and receiving app data is ok */
5786 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5787 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5791 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5792 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5800 SSL_free(serverssl);
5801 SSL_free(clientssl);
5809 * Test we can handle a KeyUpdate (update requested) message while write data
5811 * Test 0: Client sends KeyUpdate while Server is writing
5812 * Test 1: Server sends KeyUpdate while Client is writing
5814 static int test_key_update_in_write(int tst)
5816 SSL_CTX *cctx = NULL, *sctx = NULL;
5817 SSL *clientssl = NULL, *serverssl = NULL;
5820 static char *mess = "A test message";
5821 BIO *bretry = BIO_new(bio_s_always_retry());
5823 SSL *peerupdate = NULL, *peerwrite = NULL;
5825 if (!TEST_ptr(bretry)
5826 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5827 TLS_client_method(),
5830 &sctx, &cctx, cert, privkey))
5831 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5833 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5837 peerupdate = tst == 0 ? clientssl : serverssl;
5838 peerwrite = tst == 0 ? serverssl : clientssl;
5840 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5841 || !TEST_true(SSL_do_handshake(peerupdate)))
5844 /* Swap the writing endpoint's write BIO to force a retry */
5845 tmp = SSL_get_wbio(peerwrite);
5846 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5850 SSL_set0_wbio(peerwrite, bretry);
5853 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5854 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5855 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5858 /* Reinstate the original writing endpoint's write BIO */
5859 SSL_set0_wbio(peerwrite, tmp);
5862 /* Now read some data - we will read the key update */
5863 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5864 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5868 * Complete the write we started previously and read it from the other
5871 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5872 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5875 /* Write more data to ensure we send the KeyUpdate message back */
5876 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5877 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5883 SSL_free(serverssl);
5884 SSL_free(clientssl);
5892 #endif /* OPENSSL_NO_TLS1_3 */
5894 static int test_ssl_clear(int idx)
5896 SSL_CTX *cctx = NULL, *sctx = NULL;
5897 SSL *clientssl = NULL, *serverssl = NULL;
5900 #ifdef OPENSSL_NO_TLS1_2
5905 /* Create an initial connection */
5906 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5907 TLS_client_method(), TLS1_VERSION, 0,
5908 &sctx, &cctx, cert, privkey))
5910 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5912 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5913 &clientssl, NULL, NULL))
5914 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5918 SSL_shutdown(clientssl);
5919 SSL_shutdown(serverssl);
5920 SSL_free(serverssl);
5923 /* Clear clientssl - we're going to reuse the object */
5924 if (!TEST_true(SSL_clear(clientssl)))
5927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5929 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5931 || !TEST_true(SSL_session_reused(clientssl)))
5934 SSL_shutdown(clientssl);
5935 SSL_shutdown(serverssl);
5940 SSL_free(serverssl);
5941 SSL_free(clientssl);
5948 /* Parse CH and retrieve any MFL extension value if present */
5949 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5952 unsigned char *data;
5953 PACKET pkt, pkt2, pkt3;
5954 unsigned int MFL_code = 0, type = 0;
5956 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5959 memset(&pkt, 0, sizeof(pkt));
5960 memset(&pkt2, 0, sizeof(pkt2));
5961 memset(&pkt3, 0, sizeof(pkt3));
5963 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5964 /* Skip the record header */
5965 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5966 /* Skip the handshake message header */
5967 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5968 /* Skip client version and random */
5969 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5970 + SSL3_RANDOM_SIZE))
5971 /* Skip session id */
5972 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5974 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5975 /* Skip compression */
5976 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5977 /* Extensions len */
5978 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5981 /* Loop through all extensions */
5982 while (PACKET_remaining(&pkt2)) {
5983 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5984 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5987 if (type == TLSEXT_TYPE_max_fragment_length) {
5988 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5989 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5992 *mfl_codemfl_code = MFL_code;
6001 /* Maximum-Fragment-Length TLS extension mode to test */
6002 static const unsigned char max_fragment_len_test[] = {
6003 TLSEXT_max_fragment_length_512,
6004 TLSEXT_max_fragment_length_1024,
6005 TLSEXT_max_fragment_length_2048,
6006 TLSEXT_max_fragment_length_4096
6009 static int test_max_fragment_len_ext(int idx_tst)
6013 int testresult = 0, MFL_mode = 0;
6016 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
6020 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6021 ctx, max_fragment_len_test[idx_tst])))
6028 rbio = BIO_new(BIO_s_mem());
6029 wbio = BIO_new(BIO_s_mem());
6030 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6036 SSL_set_bio(con, rbio, wbio);
6037 SSL_set_connect_state(con);
6039 if (!TEST_int_le(SSL_connect(con), 0)) {
6040 /* This shouldn't succeed because we don't have a server! */
6044 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6045 /* no MFL in client hello */
6047 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6059 #ifndef OPENSSL_NO_TLS1_3
6060 static int test_pha_key_update(void)
6062 SSL_CTX *cctx = NULL, *sctx = NULL;
6063 SSL *clientssl = NULL, *serverssl = NULL;
6066 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6067 TLS_client_method(), TLS1_VERSION, 0,
6068 &sctx, &cctx, cert, privkey)))
6071 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6072 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6073 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6074 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6077 SSL_CTX_set_post_handshake_auth(cctx, 1);
6079 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6083 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6087 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6088 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6091 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6094 /* Start handshake on the server */
6095 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6098 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6099 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6103 SSL_shutdown(clientssl);
6104 SSL_shutdown(serverssl);
6109 SSL_free(serverssl);
6110 SSL_free(clientssl);
6117 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6119 static SRP_VBASE *vbase = NULL;
6121 DEFINE_STACK_OF(SRP_user_pwd)
6123 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6125 int ret = SSL3_AL_FATAL;
6127 SRP_user_pwd *user = NULL;
6129 username = SSL_get_srp_username(s);
6130 if (username == NULL) {
6131 *ad = SSL_AD_INTERNAL_ERROR;
6135 user = SRP_VBASE_get1_by_user(vbase, username);
6137 *ad = SSL_AD_INTERNAL_ERROR;
6141 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6143 *ad = SSL_AD_INTERNAL_ERROR;
6150 SRP_user_pwd_free(user);
6154 static int create_new_vfile(char *userid, char *password, const char *filename)
6157 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6160 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6163 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6166 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6167 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6168 if (!TEST_ptr(gNid))
6172 * The only way to create an empty TXT_DB is to provide a BIO with no data
6175 db = TXT_DB_read(dummy, DB_NUMBER);
6179 out = BIO_new_file(filename, "w");
6183 row[DB_srpid] = OPENSSL_strdup(userid);
6184 row[DB_srptype] = OPENSSL_strdup("V");
6185 row[DB_srpgN] = OPENSSL_strdup(gNid);
6187 if (!TEST_ptr(row[DB_srpid])
6188 || !TEST_ptr(row[DB_srptype])
6189 || !TEST_ptr(row[DB_srpgN])
6190 || !TEST_true(TXT_DB_insert(db, row)))
6195 if (!TXT_DB_write(out, db))
6201 for (i = 0; i < DB_NUMBER; i++)
6202 OPENSSL_free(row[i]);
6212 static int create_new_vbase(char *userid, char *password)
6214 BIGNUM *verifier = NULL, *salt = NULL;
6215 const SRP_gN *lgN = NULL;
6216 SRP_user_pwd *user_pwd = NULL;
6219 lgN = SRP_get_default_gN(NULL);
6223 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6224 lgN->N, lgN->g, libctx, NULL)))
6227 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6228 if (!TEST_ptr(user_pwd))
6231 user_pwd->N = lgN->N;
6232 user_pwd->g = lgN->g;
6233 user_pwd->id = OPENSSL_strdup(userid);
6234 if (!TEST_ptr(user_pwd->id))
6237 user_pwd->v = verifier;
6239 verifier = salt = NULL;
6241 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6247 SRP_user_pwd_free(user_pwd);
6257 * Test 0: Simple successful SRP connection, new vbase
6258 * Test 1: Connection failure due to bad password, new vbase
6259 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6260 * Test 3: Connection failure due to bad password, vbase loaded from existing
6262 * Test 4: Simple successful SRP connection, vbase loaded from new file
6263 * Test 5: Connection failure due to bad password, vbase loaded from new file
6265 static int test_srp(int tst)
6267 char *userid = "test", *password = "password", *tstsrpfile;
6268 SSL_CTX *cctx = NULL, *sctx = NULL;
6269 SSL *clientssl = NULL, *serverssl = NULL;
6270 int ret, testresult = 0;
6272 vbase = SRP_VBASE_new(NULL);
6273 if (!TEST_ptr(vbase))
6276 if (tst == 0 || tst == 1) {
6277 if (!TEST_true(create_new_vbase(userid, password)))
6280 if (tst == 4 || tst == 5) {
6281 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6283 tstsrpfile = tmpfilename;
6285 tstsrpfile = srpvfile;
6287 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6291 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6292 TLS_client_method(), TLS1_VERSION, 0,
6293 &sctx, &cctx, cert, privkey)))
6296 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6297 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6298 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6299 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6300 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6304 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6307 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6315 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6317 if (!TEST_true(tst % 2 == 0))
6320 if (!TEST_true(tst % 2 == 1))
6327 SRP_VBASE_free(vbase);
6329 SSL_free(serverssl);
6330 SSL_free(clientssl);
6338 static int info_cb_failed = 0;
6339 static int info_cb_offset = 0;
6340 static int info_cb_this_state = -1;
6342 static struct info_cb_states_st {
6344 const char *statestr;
6345 } info_cb_states[][60] = {
6347 /* TLSv1.2 server followed by resumption */
6348 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6349 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6350 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6351 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6352 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6353 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6354 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6355 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6356 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6357 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6358 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6359 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6360 {SSL_CB_EXIT, NULL}, {0, NULL},
6362 /* TLSv1.2 client followed by resumption */
6363 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6364 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6365 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6366 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6367 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6368 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6369 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6370 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6371 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6372 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6373 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6374 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6376 /* TLSv1.3 server followed by resumption */
6377 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6378 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6379 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6380 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6381 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6382 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6383 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6384 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6385 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6386 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6387 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6388 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6389 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6391 /* TLSv1.3 client followed by resumption */
6392 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6393 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6394 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6395 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6396 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6397 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6398 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6399 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6400 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6401 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6402 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6403 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6404 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6405 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6406 {SSL_CB_EXIT, NULL}, {0, NULL},
6408 /* TLSv1.3 server, early_data */
6409 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6410 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6411 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6412 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6413 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6414 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6415 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6416 {SSL_CB_EXIT, NULL}, {0, NULL},
6418 /* TLSv1.3 client, early_data */
6419 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6420 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6421 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6422 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6423 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6424 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6425 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6426 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6427 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6433 static void sslapi_info_callback(const SSL *s, int where, int ret)
6435 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6437 /* We do not ever expect a connection to fail in this test */
6438 if (!TEST_false(ret == 0)) {
6444 * Do some sanity checks. We never expect these things to happen in this
6447 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6448 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6449 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6454 /* Now check we're in the right state */
6455 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6459 if ((where & SSL_CB_LOOP) != 0
6460 && !TEST_int_eq(strcmp(SSL_state_string(s),
6461 state[info_cb_this_state].statestr), 0)) {
6467 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6469 if ((where & SSL_CB_HANDSHAKE_DONE)
6470 && SSL_in_init((SSL *)s) != 0) {
6477 * Test the info callback gets called when we expect it to.
6479 * Test 0: TLSv1.2, server
6480 * Test 1: TLSv1.2, client
6481 * Test 2: TLSv1.3, server
6482 * Test 3: TLSv1.3, client
6483 * Test 4: TLSv1.3, server, early_data
6484 * Test 5: TLSv1.3, client, early_data
6486 static int test_info_callback(int tst)
6488 SSL_CTX *cctx = NULL, *sctx = NULL;
6489 SSL *clientssl = NULL, *serverssl = NULL;
6490 SSL_SESSION *clntsess = NULL;
6495 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6496 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6497 || !defined(OPENSSL_NO_DH))
6498 tlsvers = TLS1_2_VERSION;
6503 #ifndef OPENSSL_NO_TLS1_3
6504 tlsvers = TLS1_3_VERSION;
6512 info_cb_this_state = -1;
6513 info_cb_offset = tst;
6515 #ifndef OPENSSL_NO_TLS1_3
6517 SSL_SESSION *sess = NULL;
6518 size_t written, readbytes;
6519 unsigned char buf[80];
6521 /* early_data tests */
6522 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6523 &serverssl, &sess, 0)))
6526 /* We don't actually need this reference */
6527 SSL_SESSION_free(sess);
6529 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6530 sslapi_info_callback);
6532 /* Write and read some early data and then complete the connection */
6533 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6535 || !TEST_size_t_eq(written, strlen(MSG1))
6536 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6537 sizeof(buf), &readbytes),
6538 SSL_READ_EARLY_DATA_SUCCESS)
6539 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6540 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6541 SSL_EARLY_DATA_ACCEPTED)
6542 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6544 || !TEST_false(info_cb_failed))
6552 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6553 TLS_client_method(),
6554 tlsvers, tlsvers, &sctx, &cctx, cert,
6559 * For even numbered tests we check the server callbacks. For odd numbers we
6562 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6563 sslapi_info_callback);
6565 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6566 &clientssl, NULL, NULL))
6567 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6569 || !TEST_false(info_cb_failed))
6574 clntsess = SSL_get1_session(clientssl);
6575 SSL_shutdown(clientssl);
6576 SSL_shutdown(serverssl);
6577 SSL_free(serverssl);
6578 SSL_free(clientssl);
6579 serverssl = clientssl = NULL;
6581 /* Now do a resumption */
6582 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6584 || !TEST_true(SSL_set_session(clientssl, clntsess))
6585 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6587 || !TEST_true(SSL_session_reused(clientssl))
6588 || !TEST_false(info_cb_failed))
6594 SSL_free(serverssl);
6595 SSL_free(clientssl);
6596 SSL_SESSION_free(clntsess);
6602 static int test_ssl_pending(int tst)
6604 SSL_CTX *cctx = NULL, *sctx = NULL;
6605 SSL *clientssl = NULL, *serverssl = NULL;
6607 char msg[] = "A test message";
6609 size_t written, readbytes;
6612 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6613 TLS_client_method(),
6615 &sctx, &cctx, cert, privkey)))
6618 #ifndef OPENSSL_NO_DTLS
6619 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6620 DTLS_client_method(),
6622 &sctx, &cctx, cert, privkey)))
6629 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6631 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6635 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6636 || !TEST_false(SSL_has_pending(clientssl))
6637 || !TEST_int_eq(SSL_pending(serverssl), 0)
6638 || !TEST_false(SSL_has_pending(serverssl))
6639 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6640 || !TEST_size_t_eq(written, sizeof(msg))
6641 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6642 || !TEST_size_t_eq(readbytes, sizeof(buf))
6643 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6644 || !TEST_true(SSL_has_pending(clientssl)))
6650 SSL_free(serverssl);
6651 SSL_free(clientssl);
6659 unsigned int maxprot;
6660 const char *clntciphers;
6661 const char *clnttls13ciphers;
6662 const char *srvrciphers;
6663 const char *srvrtls13ciphers;
6665 const char *fipsshared;
6666 } shared_ciphers_data[] = {
6668 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6669 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6671 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6674 "AES128-SHA:AES256-SHA",
6676 "AES256-SHA:DHE-RSA-AES128-SHA",
6681 # if !defined(OPENSSL_NO_CHACHA) \
6682 && !defined(OPENSSL_NO_POLY1305) \
6683 && !defined(OPENSSL_NO_EC)
6686 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6688 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6690 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6696 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6698 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6700 "AES128-SHA:AES256-SHA",
6701 "AES128-SHA:AES256-SHA"
6705 "AES128-SHA:AES256-SHA",
6707 "AES128-SHA:DHE-RSA-AES128-SHA",
6714 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6717 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6718 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6721 "AES128-SHA:AES256-SHA",
6723 "AES256-SHA:AES128-SHA256",
6725 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6726 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6727 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6730 #ifndef OPENSSL_NO_TLS1_3
6734 "TLS_AES_256_GCM_SHA384",
6736 "TLS_AES_256_GCM_SHA384",
6737 "TLS_AES_256_GCM_SHA384",
6738 "TLS_AES_256_GCM_SHA384"
6743 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6745 SSL_CTX *cctx = NULL, *sctx = NULL;
6746 SSL *clientssl = NULL, *serverssl = NULL;
6749 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6751 if (!TEST_ptr(tmplibctx))
6755 * Regardless of whether we're testing with the FIPS provider loaded into
6756 * libctx, we want one peer to always use the full set of ciphersuites
6757 * available. Therefore we use a separate libctx with the default provider
6758 * loaded into it. We run the same tests twice - once with the client side
6759 * having the full set of ciphersuites and once with the server side.
6762 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6763 if (!TEST_ptr(cctx))
6766 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6767 if (!TEST_ptr(sctx))
6771 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6772 TLS_client_method(),
6774 shared_ciphers_data[tst].maxprot,
6775 &sctx, &cctx, cert, privkey)))
6778 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6779 shared_ciphers_data[tst].clntciphers))
6780 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6781 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6782 shared_ciphers_data[tst].clnttls13ciphers)))
6783 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6784 shared_ciphers_data[tst].srvrciphers))
6785 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6786 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6787 shared_ciphers_data[tst].srvrtls13ciphers))))
6791 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6793 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6797 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6798 || !TEST_int_eq(strcmp(buf,
6800 ? shared_ciphers_data[tst].fipsshared
6801 : shared_ciphers_data[tst].shared),
6803 TEST_info("Shared ciphers are: %s\n", buf);
6810 SSL_free(serverssl);
6811 SSL_free(clientssl);
6814 OPENSSL_CTX_free(tmplibctx);
6819 static int test_ssl_get_shared_ciphers(int tst)
6821 return int_test_ssl_get_shared_ciphers(tst, 0)
6822 && int_test_ssl_get_shared_ciphers(tst, 1);
6826 static const char *appdata = "Hello World";
6827 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6828 static int tick_key_renew = 0;
6829 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6831 static int gen_tick_cb(SSL *s, void *arg)
6833 gen_tick_called = 1;
6835 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6839 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6840 const unsigned char *keyname,
6841 size_t keyname_length,
6842 SSL_TICKET_STATUS status,
6848 dec_tick_called = 1;
6850 if (status == SSL_TICKET_EMPTY)
6851 return SSL_TICKET_RETURN_IGNORE_RENEW;
6853 if (!TEST_true(status == SSL_TICKET_SUCCESS
6854 || status == SSL_TICKET_SUCCESS_RENEW))
6855 return SSL_TICKET_RETURN_ABORT;
6857 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6859 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6860 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6861 return SSL_TICKET_RETURN_ABORT;
6863 if (tick_key_cb_called) {
6864 /* Don't change what the ticket key callback wanted to do */
6866 case SSL_TICKET_NO_DECRYPT:
6867 return SSL_TICKET_RETURN_IGNORE_RENEW;
6869 case SSL_TICKET_SUCCESS:
6870 return SSL_TICKET_RETURN_USE;
6872 case SSL_TICKET_SUCCESS_RENEW:
6873 return SSL_TICKET_RETURN_USE_RENEW;
6876 return SSL_TICKET_RETURN_ABORT;
6879 return tick_dec_ret;
6883 #ifndef OPENSSL_NO_DEPRECATED_3_0
6884 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6885 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6886 HMAC_CTX *hctx, int enc)
6888 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6889 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6890 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6891 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6894 tick_key_cb_called = 1;
6895 memset(iv, 0, AES_BLOCK_SIZE);
6896 memset(key_name, 0, 16);
6897 if (aes128cbc == NULL
6899 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6900 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6904 ret = tick_key_renew ? 2 : 1;
6906 EVP_CIPHER_free(aes128cbc);
6907 EVP_MD_free(sha256);
6913 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6914 unsigned char iv[EVP_MAX_IV_LENGTH],
6915 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6917 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6918 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6919 OSSL_PARAM params[3];
6920 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6923 tick_key_cb_called = 1;
6924 memset(iv, 0, AES_BLOCK_SIZE);
6925 memset(key_name, 0, 16);
6926 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6928 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6930 sizeof(tick_hmac_key));
6931 params[2] = OSSL_PARAM_construct_end();
6932 if (aes128cbc == NULL
6933 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6934 || !EVP_MAC_set_ctx_params(hctx, params)
6935 || !EVP_MAC_init(hctx))
6938 ret = tick_key_renew ? 2 : 1;
6940 EVP_CIPHER_free(aes128cbc);
6946 * Test the various ticket callbacks
6947 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6948 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6949 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6950 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6951 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6952 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6953 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6954 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6955 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6956 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6957 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6958 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6959 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6960 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6961 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6962 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6964 static int test_ticket_callbacks(int tst)
6966 SSL_CTX *cctx = NULL, *sctx = NULL;
6967 SSL *clientssl = NULL, *serverssl = NULL;
6968 SSL_SESSION *clntsess = NULL;
6971 #ifdef OPENSSL_NO_TLS1_2
6975 #ifdef OPENSSL_NO_TLS1_3
6979 #ifdef OPENSSL_NO_DEPRECATED_3_0
6980 if (tst >= 8 && tst <= 11)
6984 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6986 /* Which tests the ticket key callback should request renewal for */
6987 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6992 /* Which tests the decrypt ticket callback should request renewal for */
6996 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7001 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7006 tick_dec_ret = SSL_TICKET_RETURN_USE;
7011 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7015 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7018 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7019 TLS_client_method(),
7021 ((tst % 2) == 0) ? TLS1_2_VERSION
7023 &sctx, &cctx, cert, privkey)))
7027 * We only want sessions to resume from tickets - not the session cache. So
7028 * switch the cache off.
7030 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7033 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7038 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7040 #ifndef OPENSSL_NO_DEPRECATED_3_0
7041 } else if (tst >= 8) {
7042 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7047 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7049 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7054 * The decrypt ticket key callback in TLSv1.2 should be called even though
7055 * we have no ticket yet, because it gets called with a status of
7056 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7057 * actually send any ticket data). This does not happen in TLSv1.3 because
7058 * it is not valid to send empty ticket data in TLSv1.3.
7060 if (!TEST_int_eq(gen_tick_called, 1)
7061 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7064 gen_tick_called = dec_tick_called = 0;
7066 clntsess = SSL_get1_session(clientssl);
7067 SSL_shutdown(clientssl);
7068 SSL_shutdown(serverssl);
7069 SSL_free(serverssl);
7070 SSL_free(clientssl);
7071 serverssl = clientssl = NULL;
7073 /* Now do a resumption */
7074 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7076 || !TEST_true(SSL_set_session(clientssl, clntsess))
7077 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7081 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7082 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7083 if (!TEST_false(SSL_session_reused(clientssl)))
7086 if (!TEST_true(SSL_session_reused(clientssl)))
7090 if (!TEST_int_eq(gen_tick_called,
7092 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7093 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7095 || !TEST_int_eq(dec_tick_called, 1))
7101 SSL_SESSION_free(clntsess);
7102 SSL_free(serverssl);
7103 SSL_free(clientssl);
7111 * Test incorrect shutdown.
7112 * Test 0: client does not shutdown properly,
7113 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7114 * server should get SSL_ERROR_SSL
7115 * Test 1: client does not shutdown properly,
7116 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7117 * server should get SSL_ERROR_ZERO_RETURN
7119 static int test_incorrect_shutdown(int tst)
7121 SSL_CTX *cctx = NULL, *sctx = NULL;
7122 SSL *clientssl = NULL, *serverssl = NULL;
7127 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7128 TLS_client_method(), 0, 0,
7129 &sctx, &cctx, cert, privkey)))
7133 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7135 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7139 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7143 c2s = SSL_get_rbio(serverssl);
7144 BIO_set_mem_eof_return(c2s, 0);
7146 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7149 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7151 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7157 SSL_free(serverssl);
7158 SSL_free(clientssl);
7166 * Test bi-directional shutdown.
7168 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7169 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7170 * Test 3: TLSv1.3, pending NewSessionTicket messages
7171 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7172 * sends key update, client reads it
7173 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7174 * sends CertificateRequest, client reads and ignores it
7175 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7178 static int test_shutdown(int tst)
7180 SSL_CTX *cctx = NULL, *sctx = NULL;
7181 SSL *clientssl = NULL, *serverssl = NULL;
7183 char msg[] = "A test message";
7185 size_t written, readbytes;
7188 #ifdef OPENSSL_NO_TLS1_2
7192 #ifdef OPENSSL_NO_TLS1_3
7197 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7198 TLS_client_method(),
7200 (tst <= 1) ? TLS1_2_VERSION
7202 &sctx, &cctx, cert, privkey)))
7206 SSL_CTX_set_post_handshake_auth(cctx, 1);
7208 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7213 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7215 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7216 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7218 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7220 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7221 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7225 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7230 * Reading on the server after the client has sent close_notify should
7231 * fail and provide SSL_ERROR_ZERO_RETURN
7233 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7234 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7235 SSL_ERROR_ZERO_RETURN)
7236 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7237 SSL_RECEIVED_SHUTDOWN)
7239 * Even though we're shutdown on receive we should still be
7242 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7245 && !TEST_true(SSL_key_update(serverssl,
7246 SSL_KEY_UPDATE_REQUESTED)))
7249 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7250 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7253 if ((tst == 4 || tst == 5)
7254 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7256 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7258 if (tst == 4 || tst == 5) {
7259 /* Should still be able to read data from server */
7260 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7262 || !TEST_size_t_eq(readbytes, sizeof(msg))
7263 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7264 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7266 || !TEST_size_t_eq(readbytes, sizeof(msg))
7267 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7272 /* Writing on the client after sending close_notify shouldn't be possible */
7273 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7278 * For these tests the client has sent close_notify but it has not yet
7279 * been received by the server. The server has not sent close_notify
7282 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7284 * Writing on the server after sending close_notify shouldn't
7287 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7288 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7289 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7290 || !TEST_true(SSL_SESSION_is_resumable(sess))
7291 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7293 } else if (tst == 4 || tst == 5) {
7295 * In this test the client has sent close_notify and it has been
7296 * received by the server which has responded with a close_notify. The
7297 * client needs to read the close_notify sent by the server.
7299 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7300 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7301 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7307 * The client has sent close_notify and is expecting a close_notify
7308 * back, but instead there is application data first. The shutdown
7309 * should fail with a fatal error.
7311 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7312 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7319 SSL_free(serverssl);
7320 SSL_free(clientssl);
7327 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7328 static int cert_cb_cnt;
7330 static int cert_cb(SSL *s, void *arg)
7332 SSL_CTX *ctx = (SSL_CTX *)arg;
7334 EVP_PKEY *pkey = NULL;
7335 X509 *x509 = NULL, *rootx = NULL;
7336 STACK_OF(X509) *chain = NULL;
7337 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7340 if (cert_cb_cnt == 0) {
7341 /* Suspend the handshake */
7344 } else if (cert_cb_cnt == 1) {
7346 * Update the SSL_CTX, set the certificate and private key and then
7347 * continue the handshake normally.
7349 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7352 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7353 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7355 || !TEST_true(SSL_check_private_key(s)))
7359 } else if (cert_cb_cnt == 3) {
7362 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7363 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7364 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7365 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7367 chain = sk_X509_new_null();
7368 if (!TEST_ptr(chain))
7370 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7371 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7372 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
7373 || !TEST_true(sk_X509_push(chain, rootx)))
7377 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7378 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7379 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
7382 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7383 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7384 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
7386 rv = SSL_check_chain(s, x509, pkey, chain);
7388 * If the cert doesn't show as valid here (e.g., because we don't
7389 * have any shared sigalgs), then we will not set it, and there will
7390 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7391 * will cause tls_choose_sigalgs() to fail the connection.
7393 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7394 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7395 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7402 /* Abort the handshake */
7404 OPENSSL_free(ecdsacert);
7405 OPENSSL_free(ecdsakey);
7406 OPENSSL_free(rootfile);
7408 EVP_PKEY_free(pkey);
7411 sk_X509_pop_free(chain, X509_free);
7416 * Test the certificate callback.
7417 * Test 0: Callback fails
7418 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7419 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7420 * Test 3: Success - Call SSL_check_chain from the callback
7421 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7423 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7425 static int test_cert_cb_int(int prot, int tst)
7427 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7428 SSL *clientssl = NULL, *serverssl = NULL;
7429 int testresult = 0, ret;
7431 #ifdef OPENSSL_NO_EC
7432 /* We use an EC cert in these tests, so we skip in a no-ec build */
7437 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7438 TLS_client_method(),
7441 &sctx, &cctx, NULL, NULL)))
7452 snictx = SSL_CTX_new(TLS_server_method());
7453 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7455 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7461 * We cause SSL_check_chain() to fail by specifying sig_algs that
7462 * the chain doesn't meet (the root uses an RSA cert)
7464 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7465 "ecdsa_secp256r1_sha256")))
7467 } else if (tst == 5) {
7469 * We cause SSL_check_chain() to fail by specifying sig_algs that
7470 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7472 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7473 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7477 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7478 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7480 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7487 SSL_free(serverssl);
7488 SSL_free(clientssl);
7491 SSL_CTX_free(snictx);
7497 static int test_cert_cb(int tst)
7501 #ifndef OPENSSL_NO_TLS1_2
7502 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7504 #ifndef OPENSSL_NO_TLS1_3
7505 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7511 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7517 /* Check that SSL_get_peer_certificate() returns something sensible */
7518 peer = SSL_get_peer_certificate(ssl);
7519 if (!TEST_ptr(peer))
7523 in = BIO_new_file(cert, "r");
7527 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
7529 if (!TEST_ptr(xcert))
7532 in = BIO_new_file(privkey, "r");
7533 if (!TEST_ptr(in)) {
7538 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
7540 if (!TEST_ptr(privpkey)) {
7551 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7556 static int test_client_cert_cb(int tst)
7558 SSL_CTX *cctx = NULL, *sctx = NULL;
7559 SSL *clientssl = NULL, *serverssl = NULL;
7562 #ifdef OPENSSL_NO_TLS1_2
7566 #ifdef OPENSSL_NO_TLS1_3
7571 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7572 TLS_client_method(),
7574 tst == 0 ? TLS1_2_VERSION
7576 &sctx, &cctx, cert, privkey)))
7580 * Test that setting a client_cert_cb results in a client certificate being
7583 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7584 SSL_CTX_set_verify(sctx,
7585 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7588 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7590 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7597 SSL_free(serverssl);
7598 SSL_free(clientssl);
7605 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7607 * Test setting certificate authorities on both client and server.
7609 * Test 0: SSL_CTX_set0_CA_list() only
7610 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7611 * Test 2: Only SSL_CTX_set_client_CA_list()
7613 static int test_ca_names_int(int prot, int tst)
7615 SSL_CTX *cctx = NULL, *sctx = NULL;
7616 SSL *clientssl = NULL, *serverssl = NULL;
7619 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7620 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7621 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7622 const STACK_OF(X509_NAME) *sktmp = NULL;
7624 for (i = 0; i < OSSL_NELEM(name); i++) {
7625 name[i] = X509_NAME_new();
7626 if (!TEST_ptr(name[i])
7627 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7635 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7636 TLS_client_method(),
7639 &sctx, &cctx, cert, privkey)))
7642 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7644 if (tst == 0 || tst == 1) {
7645 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7646 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7647 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7648 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7649 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7650 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7653 SSL_CTX_set0_CA_list(sctx, sk1);
7654 SSL_CTX_set0_CA_list(cctx, sk2);
7657 if (tst == 1 || tst == 2) {
7658 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7659 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7660 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7661 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7662 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7663 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7666 SSL_CTX_set_client_CA_list(sctx, sk1);
7667 SSL_CTX_set_client_CA_list(cctx, sk2);
7671 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7673 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7678 * We only expect certificate authorities to have been sent to the server
7679 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7681 sktmp = SSL_get0_peer_CA_list(serverssl);
7682 if (prot == TLS1_3_VERSION
7683 && (tst == 0 || tst == 1)) {
7684 if (!TEST_ptr(sktmp)
7685 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7686 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7688 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7691 } else if (!TEST_ptr_null(sktmp)) {
7696 * In all tests we expect certificate authorities to have been sent to the
7697 * client. However, SSL_set_client_CA_list() should override
7698 * SSL_set0_CA_list()
7700 sktmp = SSL_get0_peer_CA_list(clientssl);
7701 if (!TEST_ptr(sktmp)
7702 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7703 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7704 name[tst == 0 ? 0 : 2]), 0)
7705 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7706 name[tst == 0 ? 1 : 3]), 0))
7712 SSL_free(serverssl);
7713 SSL_free(clientssl);
7716 for (i = 0; i < OSSL_NELEM(name); i++)
7717 X509_NAME_free(name[i]);
7718 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7719 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7725 static int test_ca_names(int tst)
7729 #ifndef OPENSSL_NO_TLS1_2
7730 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7732 #ifndef OPENSSL_NO_TLS1_3
7733 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7739 #ifndef OPENSSL_NO_TLS1_2
7740 static const char *multiblock_cipherlist_data[]=
7748 /* Reduce the fragment size - so the multiblock test buffer can be small */
7749 # define MULTIBLOCK_FRAGSIZE 512
7751 static int test_multiblock_write(int test_index)
7753 static const char *fetchable_ciphers[]=
7755 "AES-128-CBC-HMAC-SHA1",
7756 "AES-128-CBC-HMAC-SHA256",
7757 "AES-256-CBC-HMAC-SHA1",
7758 "AES-256-CBC-HMAC-SHA256"
7760 const char *cipherlist = multiblock_cipherlist_data[test_index];
7761 const SSL_METHOD *smeth = TLS_server_method();
7762 const SSL_METHOD *cmeth = TLS_client_method();
7763 int min_version = TLS1_VERSION;
7764 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7765 SSL_CTX *cctx = NULL, *sctx = NULL;
7766 SSL *clientssl = NULL, *serverssl = NULL;
7770 * Choose a buffer large enough to perform a multi-block operation
7771 * i.e: write_len >= 4 * frag_size
7772 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7774 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7775 unsigned char buf[sizeof(msg)], *p = buf;
7776 size_t readbytes, written, len;
7777 EVP_CIPHER *ciph = NULL;
7780 * Check if the cipher exists before attempting to use it since it only has
7781 * a hardware specific implementation.
7783 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7785 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7788 EVP_CIPHER_free(ciph);
7790 /* Set up a buffer with some data that will be sent to the client */
7791 RAND_bytes(msg, sizeof(msg));
7793 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7794 max_version, &sctx, &cctx, cert,
7798 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7801 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7805 /* settings to force it to use AES-CBC-HMAC_SHA */
7806 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7807 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7810 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7813 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7814 || !TEST_size_t_eq(written, sizeof(msg)))
7819 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7824 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7829 SSL_free(serverssl);
7830 SSL_free(clientssl);
7836 #endif /* OPENSSL_NO_TLS1_2 */
7839 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7840 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7841 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7842 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7843 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7844 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7845 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7846 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7847 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7848 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7850 static int test_servername(int tst)
7852 SSL_CTX *cctx = NULL, *sctx = NULL;
7853 SSL *clientssl = NULL, *serverssl = NULL;
7855 SSL_SESSION *sess = NULL;
7856 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7858 #ifdef OPENSSL_NO_TLS1_2
7862 #ifdef OPENSSL_NO_TLS1_3
7867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7868 TLS_client_method(),
7870 (tst <= 4) ? TLS1_2_VERSION
7872 &sctx, &cctx, cert, privkey))
7873 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7877 if (tst != 1 && tst != 6) {
7878 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7883 if (tst != 3 && tst != 8) {
7884 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7886 sexpectedhost = cexpectedhost = "goodhost";
7889 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7892 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7894 || !TEST_str_eq(SSL_get_servername(serverssl,
7895 TLSEXT_NAMETYPE_host_name),
7899 /* Now repeat with a resumption handshake */
7901 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7902 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7903 || !TEST_true(SSL_SESSION_is_resumable(sess))
7904 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7907 SSL_free(clientssl);
7908 SSL_free(serverssl);
7909 clientssl = serverssl = NULL;
7911 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7915 if (!TEST_true(SSL_set_session(clientssl, sess)))
7918 sexpectedhost = cexpectedhost = "goodhost";
7919 if (tst == 2 || tst == 7) {
7920 /* Set an inconsistent hostname */
7921 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7924 * In TLSv1.2 we expect the hostname from the original handshake, in
7925 * TLSv1.3 we expect the hostname from this handshake
7928 sexpectedhost = cexpectedhost = "altgoodhost";
7930 if (!TEST_str_eq(SSL_get_servername(clientssl,
7931 TLSEXT_NAMETYPE_host_name),
7934 } else if (tst == 4 || tst == 9) {
7936 * A TLSv1.3 session does not associate a session with a servername,
7937 * but a TLSv1.2 session does.
7940 sexpectedhost = cexpectedhost = NULL;
7942 if (!TEST_str_eq(SSL_get_servername(clientssl,
7943 TLSEXT_NAMETYPE_host_name),
7947 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7950 * In a TLSv1.2 resumption where the hostname was not acknowledged
7951 * we expect the hostname on the server to be empty. On the client we
7952 * return what was requested in this case.
7954 * Similarly if the client didn't set a hostname on an original TLSv1.2
7955 * session but is now, the server hostname will be empty, but the client
7958 if (tst == 1 || tst == 3)
7959 sexpectedhost = NULL;
7961 if (!TEST_str_eq(SSL_get_servername(clientssl,
7962 TLSEXT_NAMETYPE_host_name),
7967 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7970 if (!TEST_true(SSL_session_reused(clientssl))
7971 || !TEST_true(SSL_session_reused(serverssl))
7972 || !TEST_str_eq(SSL_get_servername(clientssl,
7973 TLSEXT_NAMETYPE_host_name),
7975 || !TEST_str_eq(SSL_get_servername(serverssl,
7976 TLSEXT_NAMETYPE_host_name),
7983 SSL_SESSION_free(sess);
7984 SSL_free(serverssl);
7985 SSL_free(clientssl);
7992 #ifndef OPENSSL_NO_EC
7994 * Test that if signature algorithms are not available, then we do not offer or
7996 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7997 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7998 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7999 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8000 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8001 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8003 static int test_sigalgs_available(int idx)
8005 SSL_CTX *cctx = NULL, *sctx = NULL;
8006 SSL *clientssl = NULL, *serverssl = NULL;
8008 OPENSSL_CTX *tmpctx = OPENSSL_CTX_new();
8009 OPENSSL_CTX *clientctx = libctx, *serverctx = libctx;
8010 OSSL_PROVIDER *filterprov = NULL;
8013 if (!TEST_ptr(tmpctx))
8016 if (idx != 0 && idx != 3) {
8017 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8018 filter_provider_init)))
8021 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8022 if (!TEST_ptr(filterprov))
8027 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8028 * or accepted for the peer that uses this libctx. Note that libssl
8029 * *requires* SHA2-256 to be available so we cannot disable that. We
8030 * also need SHA1 for our certificate.
8032 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8036 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8038 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8043 if (idx == 1 || idx == 4)
8049 cctx = SSL_CTX_new_with_libctx(clientctx, NULL, TLS_client_method());
8050 sctx = SSL_CTX_new_with_libctx(serverctx, NULL, TLS_server_method());
8051 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8054 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8055 TLS_client_method(),
8058 &sctx, &cctx, cert, privkey)))
8062 if (!SSL_CTX_set1_sigalgs_list(cctx,
8063 "rsa_pss_rsae_sha384"
8064 ":rsa_pss_rsae_sha256")
8065 || !SSL_CTX_set1_sigalgs_list(sctx,
8066 "rsa_pss_rsae_sha384"
8067 ":rsa_pss_rsae_sha256"))
8070 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8071 || !SSL_CTX_set1_sigalgs_list(sctx,
8072 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8076 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8077 SSL_FILETYPE_PEM), 1)
8078 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8080 SSL_FILETYPE_PEM), 1)
8081 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
8084 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8088 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8091 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8092 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8094 (idx == 0 || idx == 3) ? 2 : 1))
8097 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8100 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8107 SSL_free(serverssl);
8108 SSL_free(clientssl);
8111 OSSL_PROVIDER_unload(filterprov);
8112 OPENSSL_CTX_free(tmpctx);
8116 #endif /* OPENSSL_NO_EC */
8118 #ifndef OPENSSL_NO_TLS1_3
8119 static int test_pluggable_group(void)
8121 SSL_CTX *cctx = NULL, *sctx = NULL;
8122 SSL *clientssl = NULL, *serverssl = NULL;
8124 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8126 if (!TEST_ptr(tlsprov))
8129 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8130 TLS_client_method(),
8133 &sctx, &cctx, cert, privkey))
8134 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8138 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
8139 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
8142 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8148 SSL_free(serverssl);
8149 SSL_free(clientssl);
8152 OSSL_PROVIDER_unload(tlsprov);
8158 #ifndef OPENSSL_NO_TLS1_2
8159 static int test_ssl_dup(void)
8161 SSL_CTX *cctx = NULL, *sctx = NULL;
8162 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8164 BIO *rbio = NULL, *wbio = NULL;
8166 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8167 TLS_client_method(),
8170 &sctx, &cctx, cert, privkey)))
8173 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8177 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8178 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8181 client2ssl = SSL_dup(clientssl);
8182 rbio = SSL_get_rbio(clientssl);
8184 || !TEST_true(BIO_up_ref(rbio)))
8186 SSL_set0_rbio(client2ssl, rbio);
8189 wbio = SSL_get_wbio(clientssl);
8190 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8192 SSL_set0_wbio(client2ssl, wbio);
8195 if (!TEST_ptr(client2ssl)
8196 /* Handshake not started so pointers should be different */
8197 || !TEST_ptr_ne(clientssl, client2ssl))
8200 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8201 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8204 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8207 SSL_free(clientssl);
8208 clientssl = SSL_dup(client2ssl);
8209 if (!TEST_ptr(clientssl)
8210 /* Handshake has finished so pointers should be the same */
8211 || !TEST_ptr_eq(clientssl, client2ssl))
8217 SSL_free(serverssl);
8218 SSL_free(clientssl);
8219 SSL_free(client2ssl);
8227 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
8229 int setup_tests(void)
8234 libctx = OPENSSL_CTX_new();
8235 if (!TEST_ptr(libctx))
8238 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8241 * Verify that the default and fips providers in the default libctx are not
8244 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8245 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8248 if (!test_skip_common_options()) {
8249 TEST_error("Error parsing test options\n");
8253 if (!TEST_ptr(certsdir = test_get_argument(0))
8254 || !TEST_ptr(srpvfile = test_get_argument(1))
8255 || !TEST_ptr(tmpfilename = test_get_argument(2))
8256 || !TEST_ptr(modulename = test_get_argument(3))
8257 || !TEST_ptr(configfile = test_get_argument(4)))
8260 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
8263 /* Check we have the expected provider available */
8264 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8267 /* Check the default provider is not available */
8268 if (strcmp(modulename, "default") != 0
8269 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
8272 if (strcmp(modulename, "fips") == 0)
8276 * We add, but don't load the test "tls-provider". We'll load it when we
8279 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8280 tls_provider_init)))
8284 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8285 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
8286 TEST_error("not supported in this build");
8289 int i, mcount, rcount, fcount;
8291 for (i = 0; i < 4; i++)
8292 test_export_key_mat(i);
8293 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8294 test_printf_stdout("malloc %d realloc %d free %d\n",
8295 mcount, rcount, fcount);
8300 cert = test_mk_file_path(certsdir, "servercert.pem");
8304 privkey = test_mk_file_path(certsdir, "serverkey.pem");
8305 if (privkey == NULL)
8308 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8312 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8313 if (privkey2 == NULL)
8316 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8317 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
8318 ADD_ALL_TESTS(test_ktls, 32);
8319 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
8322 ADD_TEST(test_large_message_tls);
8323 ADD_TEST(test_large_message_tls_read_ahead);
8324 #ifndef OPENSSL_NO_DTLS
8325 ADD_TEST(test_large_message_dtls);
8327 #ifndef OPENSSL_NO_OCSP
8328 ADD_TEST(test_tlsext_status_type);
8330 ADD_TEST(test_session_with_only_int_cache);
8331 ADD_TEST(test_session_with_only_ext_cache);
8332 ADD_TEST(test_session_with_both_cache);
8333 ADD_TEST(test_session_wo_ca_names);
8334 #ifndef OPENSSL_NO_TLS1_3
8335 ADD_ALL_TESTS(test_stateful_tickets, 3);
8336 ADD_ALL_TESTS(test_stateless_tickets, 3);
8337 ADD_TEST(test_psk_tickets);
8338 ADD_ALL_TESTS(test_extra_tickets, 6);
8340 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
8341 ADD_TEST(test_ssl_bio_pop_next_bio);
8342 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8343 ADD_TEST(test_ssl_bio_change_rbio);
8344 ADD_TEST(test_ssl_bio_change_wbio);
8345 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
8346 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
8347 ADD_TEST(test_keylog);
8349 #ifndef OPENSSL_NO_TLS1_3
8350 ADD_TEST(test_keylog_no_master_key);
8352 #ifndef OPENSSL_NO_TLS1_2
8353 ADD_TEST(test_client_hello_cb);
8354 ADD_TEST(test_no_ems);
8355 ADD_TEST(test_ccs_change_cipher);
8357 #ifndef OPENSSL_NO_TLS1_3
8358 ADD_ALL_TESTS(test_early_data_read_write, 3);
8360 * We don't do replay tests for external PSK. Replay protection isn't used
8363 ADD_ALL_TESTS(test_early_data_replay, 2);
8364 ADD_ALL_TESTS(test_early_data_skip, 3);
8365 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
8366 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
8367 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
8368 ADD_ALL_TESTS(test_early_data_not_sent, 3);
8369 ADD_ALL_TESTS(test_early_data_psk, 8);
8370 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
8371 ADD_ALL_TESTS(test_early_data_not_expected, 3);
8372 # ifndef OPENSSL_NO_TLS1_2
8373 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
8376 #ifndef OPENSSL_NO_TLS1_3
8377 ADD_ALL_TESTS(test_set_ciphersuite, 10);
8378 ADD_TEST(test_ciphersuite_change);
8379 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8380 # ifdef OPENSSL_NO_PSK
8381 ADD_ALL_TESTS(test_tls13_psk, 1);
8383 ADD_ALL_TESTS(test_tls13_psk, 4);
8384 # endif /* OPENSSL_NO_PSK */
8385 # ifndef OPENSSL_NO_TLS1_2
8386 /* Test with both TLSv1.3 and 1.2 versions */
8387 ADD_ALL_TESTS(test_key_exchange, 14);
8389 /* Test with only TLSv1.3 versions */
8390 ADD_ALL_TESTS(test_key_exchange, 12);
8392 ADD_ALL_TESTS(test_custom_exts, 5);
8393 ADD_TEST(test_stateless);
8394 ADD_TEST(test_pha_key_update);
8396 ADD_ALL_TESTS(test_custom_exts, 3);
8398 ADD_ALL_TESTS(test_serverinfo, 8);
8399 ADD_ALL_TESTS(test_export_key_mat, 6);
8400 #ifndef OPENSSL_NO_TLS1_3
8401 ADD_ALL_TESTS(test_export_key_mat_early, 3);
8402 ADD_TEST(test_key_update);
8403 ADD_ALL_TESTS(test_key_update_in_write, 2);
8405 ADD_ALL_TESTS(test_ssl_clear, 2);
8406 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
8407 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8408 ADD_ALL_TESTS(test_srp, 6);
8410 ADD_ALL_TESTS(test_info_callback, 6);
8411 ADD_ALL_TESTS(test_ssl_pending, 2);
8412 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
8413 ADD_ALL_TESTS(test_ticket_callbacks, 16);
8414 ADD_ALL_TESTS(test_shutdown, 7);
8415 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
8416 ADD_ALL_TESTS(test_cert_cb, 6);
8417 ADD_ALL_TESTS(test_client_cert_cb, 2);
8418 ADD_ALL_TESTS(test_ca_names, 3);
8419 #ifndef OPENSSL_NO_TLS1_2
8420 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8422 ADD_ALL_TESTS(test_servername, 10);
8423 #ifndef OPENSSL_NO_EC
8424 ADD_ALL_TESTS(test_sigalgs_available, 6);
8426 #ifndef OPENSSL_NO_TLS1_3
8427 ADD_TEST(test_pluggable_group);
8429 #ifndef OPENSSL_NO_TLS1_2
8430 ADD_TEST(test_ssl_dup);
8436 OPENSSL_free(privkey);
8437 OPENSSL_free(cert2);
8438 OPENSSL_free(privkey2);
8442 void cleanup_tests(void)
8445 OPENSSL_free(privkey);
8446 OPENSSL_free(cert2);
8447 OPENSSL_free(privkey2);
8448 bio_s_mempacket_test_free();
8449 bio_s_always_retry_free();
8450 OSSL_PROVIDER_unload(defctxnull);
8451 OPENSSL_CTX_free(libctx);