2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
18 #include "ssltestlib.h"
20 #include "internal/nelem.h"
21 #include "../ssl/ssl_locl.h"
23 static char *cert = NULL;
24 static char *privkey = NULL;
26 #define LOG_BUFFER_SIZE 1024
27 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
28 static size_t server_log_buffer_index = 0;
29 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
30 static size_t client_log_buffer_index = 0;
31 static int error_writing_log = 0;
33 #ifndef OPENSSL_NO_OCSP
34 static const unsigned char orespder[] = "Dummy OCSP Response";
35 static int ocsp_server_called = 0;
36 static int ocsp_client_called = 0;
38 static int cdummyarg = 1;
39 static X509 *ocspcert = NULL;
42 #define NUM_EXTRA_CERTS 40
43 #define CLIENT_VERSION_LEN 2
46 * This structure is used to validate that the correct number of log messages
47 * of various types are emitted when emitting secret logs.
49 struct sslapitest_log_counts {
50 unsigned int rsa_key_exchange_count;
51 unsigned int master_secret_count;
52 unsigned int client_handshake_secret_count;
53 unsigned int server_handshake_secret_count;
54 unsigned int client_application_secret_count;
55 unsigned int server_application_secret_count;
59 static unsigned char serverinfov1[] = {
60 0xff, 0xff, /* Dummy extension type */
61 0x00, 0x01, /* Extension length is 1 byte */
62 0xff /* Dummy extension data */
65 static unsigned char serverinfov2[] = {
67 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
68 0xff, 0xff, /* Dummy extension type */
69 0x00, 0x01, /* Extension length is 1 byte */
70 0xff /* Dummy extension data */
73 static void client_keylog_callback(const SSL *ssl, const char *line)
75 int line_length = strlen(line);
77 /* If the log doesn't fit, error out. */
78 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
79 TEST_info("Client log too full");
80 error_writing_log = 1;
84 strcat(client_log_buffer, line);
85 client_log_buffer_index += line_length;
86 client_log_buffer[client_log_buffer_index++] = '\n';
89 static void server_keylog_callback(const SSL *ssl, const char *line)
91 int line_length = strlen(line);
93 /* If the log doesn't fit, error out. */
94 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
95 TEST_info("Server log too full");
96 error_writing_log = 1;
100 strcat(server_log_buffer, line);
101 server_log_buffer_index += line_length;
102 server_log_buffer[server_log_buffer_index++] = '\n';
105 static int compare_hex_encoded_buffer(const char *hex_encoded,
113 if (!TEST_size_t_eq(raw_length * 2, hex_length))
116 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
117 sprintf(hexed, "%02x", raw[i]);
118 if (!TEST_int_eq(hexed[0], hex_encoded[j])
119 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
126 static int test_keylog_output(char *buffer, const SSL *ssl,
127 const SSL_SESSION *session,
128 struct sslapitest_log_counts *expected)
131 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
132 size_t client_random_size = SSL3_RANDOM_SIZE;
133 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
134 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
135 unsigned int rsa_key_exchange_count = 0;
136 unsigned int master_secret_count = 0;
137 unsigned int client_handshake_secret_count = 0;
138 unsigned int server_handshake_secret_count = 0;
139 unsigned int client_application_secret_count = 0;
140 unsigned int server_application_secret_count = 0;
142 for (token = strtok(buffer, " \n"); token != NULL;
143 token = strtok(NULL, " \n")) {
144 if (strcmp(token, "RSA") == 0) {
146 * Premaster secret. Tokens should be: 16 ASCII bytes of
147 * hex-encoded encrypted secret, then the hex-encoded pre-master
150 if (!TEST_ptr(token = strtok(NULL, " \n")))
152 if (!TEST_size_t_eq(strlen(token), 16))
154 if (!TEST_ptr(token = strtok(NULL, " \n")))
157 * We can't sensibly check the log because the premaster secret is
158 * transient, and OpenSSL doesn't keep hold of it once the master
159 * secret is generated.
161 rsa_key_exchange_count++;
162 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
164 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
165 * client random, then the hex-encoded master secret.
167 client_random_size = SSL_get_client_random(ssl,
168 actual_client_random,
170 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
173 if (!TEST_ptr(token = strtok(NULL, " \n")))
175 if (!TEST_size_t_eq(strlen(token), 64))
177 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
178 actual_client_random,
179 client_random_size)))
182 if (!TEST_ptr(token = strtok(NULL, " \n")))
184 master_key_size = SSL_SESSION_get_master_key(session,
187 if (!TEST_size_t_ne(master_key_size, 0))
189 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
193 master_secret_count++;
194 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
196 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
197 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
199 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
200 * client random, and then the hex-encoded secret. In this case,
201 * we treat all of these secrets identically and then just
202 * distinguish between them when counting what we saw.
204 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
205 client_handshake_secret_count++;
206 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
207 server_handshake_secret_count++;
208 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
209 client_application_secret_count++;
210 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
211 server_application_secret_count++;
213 client_random_size = SSL_get_client_random(ssl,
214 actual_client_random,
216 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
219 if (!TEST_ptr(token = strtok(NULL, " \n")))
221 if (!TEST_size_t_eq(strlen(token), 64))
223 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
224 actual_client_random,
225 client_random_size)))
228 if (!TEST_ptr(token = strtok(NULL, " \n")))
232 * TODO(TLS1.3): test that application traffic secrets are what
235 TEST_info("Unexpected token %s\n", token);
240 /* Got what we expected? */
241 if (!TEST_size_t_eq(rsa_key_exchange_count,
242 expected->rsa_key_exchange_count)
243 || !TEST_size_t_eq(master_secret_count,
244 expected->master_secret_count)
245 || !TEST_size_t_eq(client_handshake_secret_count,
246 expected->client_handshake_secret_count)
247 || !TEST_size_t_eq(server_handshake_secret_count,
248 expected->server_handshake_secret_count)
249 || !TEST_size_t_eq(client_application_secret_count,
250 expected->client_application_secret_count)
251 || !TEST_size_t_eq(server_application_secret_count,
252 expected->server_application_secret_count))
257 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
258 static int test_keylog(void)
260 SSL_CTX *cctx = NULL, *sctx = NULL;
261 SSL *clientssl = NULL, *serverssl = NULL;
263 struct sslapitest_log_counts expected = {0};
265 /* Clean up logging space */
266 memset(client_log_buffer, 0, sizeof(client_log_buffer));
267 memset(server_log_buffer, 0, sizeof(server_log_buffer));
268 client_log_buffer_index = 0;
269 server_log_buffer_index = 0;
270 error_writing_log = 0;
272 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
274 &sctx, &cctx, cert, privkey)))
277 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
278 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
279 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
281 /* We also want to ensure that we use RSA-based key exchange. */
282 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
285 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
286 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
288 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
289 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
290 == client_keylog_callback))
292 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
293 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
294 == server_keylog_callback))
297 /* Now do a handshake and check that the logs have been written to. */
298 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
299 &clientssl, NULL, NULL))
300 || !TEST_true(create_ssl_connection(serverssl, clientssl,
302 || !TEST_false(error_writing_log)
303 || !TEST_int_gt(client_log_buffer_index, 0)
304 || !TEST_int_gt(server_log_buffer_index, 0))
308 * Now we want to test that our output data was vaguely sensible. We
309 * do that by using strtok and confirming that we have more or less the
310 * data we expect. For both client and server, we expect to see one master
311 * secret. The client should also see a RSA key exchange.
313 expected.rsa_key_exchange_count = 1;
314 expected.master_secret_count = 1;
315 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
316 SSL_get_session(clientssl), &expected)))
319 expected.rsa_key_exchange_count = 0;
320 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
321 SSL_get_session(serverssl), &expected)))
336 #ifndef OPENSSL_NO_TLS1_3
337 static int test_keylog_no_master_key(void)
339 SSL_CTX *cctx = NULL, *sctx = NULL;
340 SSL *clientssl = NULL, *serverssl = NULL;
342 struct sslapitest_log_counts expected = {0};
344 /* Clean up logging space */
345 memset(client_log_buffer, 0, sizeof(client_log_buffer));
346 memset(server_log_buffer, 0, sizeof(server_log_buffer));
347 client_log_buffer_index = 0;
348 server_log_buffer_index = 0;
349 error_writing_log = 0;
351 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
352 TLS_client_method(), &sctx,
353 &cctx, cert, privkey)))
356 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
357 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
360 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
361 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
362 == client_keylog_callback))
365 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
366 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
367 == server_keylog_callback))
370 /* Now do a handshake and check that the logs have been written to. */
371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
372 &clientssl, NULL, NULL))
373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
375 || !TEST_false(error_writing_log))
379 * Now we want to test that our output data was vaguely sensible. For this
380 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
381 * TLSv1.3, but we do expect both client and server to emit keys.
383 expected.client_handshake_secret_count = 1;
384 expected.server_handshake_secret_count = 1;
385 expected.client_application_secret_count = 1;
386 expected.server_application_secret_count = 1;
387 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
388 SSL_get_session(clientssl), &expected))
389 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
390 SSL_get_session(serverssl),
406 #ifndef OPENSSL_NO_TLS1_2
407 static int full_client_hello_callback(SSL *s, int *al, void *arg)
410 const unsigned char *p;
412 /* We only configure two ciphers, but the SCSV is added automatically. */
414 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
416 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
419 const int expected_extensions[] = {
420 #ifndef OPENSSL_NO_EC
426 /* Make sure we can defer processing and get called back. */
428 return SSL_CLIENT_HELLO_RETRY;
430 len = SSL_client_hello_get0_ciphers(s, &p);
431 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
433 SSL_client_hello_get0_compression_methods(s, &p), 1)
434 || !TEST_int_eq(*p, 0))
435 return SSL_CLIENT_HELLO_ERROR;
436 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
437 return SSL_CLIENT_HELLO_ERROR;
438 if (len != OSSL_NELEM(expected_extensions) ||
439 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
440 printf("ClientHello callback expected extensions mismatch\n");
442 return SSL_CLIENT_HELLO_ERROR;
445 return SSL_CLIENT_HELLO_SUCCESS;
448 static int test_client_hello_cb(void)
450 SSL_CTX *cctx = NULL, *sctx = NULL;
451 SSL *clientssl = NULL, *serverssl = NULL;
452 int testctr = 0, testresult = 0;
454 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
455 TLS_client_method(), &sctx,
456 &cctx, cert, privkey)))
458 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
460 /* The gimpy cipher list we configure can't do TLS 1.3. */
461 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
463 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
464 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
465 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
466 &clientssl, NULL, NULL))
467 || !TEST_false(create_ssl_connection(serverssl, clientssl,
468 SSL_ERROR_WANT_CLIENT_HELLO_CB))
470 * Passing a -1 literal is a hack since
471 * the real value was lost.
473 || !TEST_int_eq(SSL_get_error(serverssl, -1),
474 SSL_ERROR_WANT_CLIENT_HELLO_CB)
475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
491 static int execute_test_large_message(const SSL_METHOD *smeth,
492 const SSL_METHOD *cmeth, int read_ahead)
494 SSL_CTX *cctx = NULL, *sctx = NULL;
495 SSL *clientssl = NULL, *serverssl = NULL;
499 X509 *chaincert = NULL;
502 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
504 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
507 if (!TEST_ptr(chaincert))
510 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
511 &cctx, cert, privkey)))
516 * Test that read_ahead works correctly when dealing with large
519 SSL_CTX_set_read_ahead(cctx, 1);
523 * We assume the supplied certificate is big enough so that if we add
524 * NUM_EXTRA_CERTS it will make the overall message large enough. The
525 * default buffer size is requested to be 16k, but due to the way BUF_MEM
526 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
527 * test we need to have a message larger than that.
529 certlen = i2d_X509(chaincert, NULL);
530 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
531 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
532 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
533 if (!X509_up_ref(chaincert))
535 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
536 X509_free(chaincert);
541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
543 || !TEST_true(create_ssl_connection(serverssl, clientssl,
548 * Calling SSL_clear() first is not required but this tests that SSL_clear()
549 * doesn't leak (when using enable-crypto-mdebug).
551 if (!TEST_true(SSL_clear(serverssl)))
556 X509_free(chaincert);
565 static int test_large_message_tls(void)
567 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
571 static int test_large_message_tls_read_ahead(void)
573 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
577 #ifndef OPENSSL_NO_DTLS
578 static int test_large_message_dtls(void)
581 * read_ahead is not relevant to DTLS because DTLS always acts as if
584 return execute_test_large_message(DTLS_server_method(),
585 DTLS_client_method(), 0);
589 #ifndef OPENSSL_NO_OCSP
590 static int ocsp_server_cb(SSL *s, void *arg)
592 int *argi = (int *)arg;
593 unsigned char *copy = NULL;
594 STACK_OF(OCSP_RESPID) *ids = NULL;
595 OCSP_RESPID *id = NULL;
598 /* In this test we are expecting exactly 1 OCSP_RESPID */
599 SSL_get_tlsext_status_ids(s, &ids);
600 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
601 return SSL_TLSEXT_ERR_ALERT_FATAL;
603 id = sk_OCSP_RESPID_value(ids, 0);
604 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
605 return SSL_TLSEXT_ERR_ALERT_FATAL;
606 } else if (*argi != 1) {
607 return SSL_TLSEXT_ERR_ALERT_FATAL;
610 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
611 return SSL_TLSEXT_ERR_ALERT_FATAL;
613 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
614 ocsp_server_called = 1;
615 return SSL_TLSEXT_ERR_OK;
618 static int ocsp_client_cb(SSL *s, void *arg)
620 int *argi = (int *)arg;
621 const unsigned char *respderin;
624 if (*argi != 1 && *argi != 2)
627 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
628 if (!TEST_mem_eq(orespder, len, respderin, len))
631 ocsp_client_called = 1;
635 static int test_tlsext_status_type(void)
637 SSL_CTX *cctx = NULL, *sctx = NULL;
638 SSL *clientssl = NULL, *serverssl = NULL;
640 STACK_OF(OCSP_RESPID) *ids = NULL;
641 OCSP_RESPID *id = NULL;
644 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
645 &cctx, cert, privkey))
648 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
651 /* First just do various checks getting and setting tlsext_status_type */
653 clientssl = SSL_new(cctx);
654 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
655 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
656 TLSEXT_STATUSTYPE_ocsp))
657 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
658 TLSEXT_STATUSTYPE_ocsp))
664 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
665 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
668 clientssl = SSL_new(cctx);
669 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
675 * Now actually do a handshake and check OCSP information is exchanged and
676 * the callbacks get called
678 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
679 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
680 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
681 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
683 &clientssl, NULL, NULL))
684 || !TEST_true(create_ssl_connection(serverssl, clientssl,
686 || !TEST_true(ocsp_client_called)
687 || !TEST_true(ocsp_server_called))
694 /* Try again but this time force the server side callback to fail */
695 ocsp_client_called = 0;
696 ocsp_server_called = 0;
698 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
699 &clientssl, NULL, NULL))
700 /* This should fail because the callback will fail */
701 || !TEST_false(create_ssl_connection(serverssl, clientssl,
703 || !TEST_false(ocsp_client_called)
704 || !TEST_false(ocsp_server_called))
712 * This time we'll get the client to send an OCSP_RESPID that it will
715 ocsp_client_called = 0;
716 ocsp_server_called = 0;
718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
719 &clientssl, NULL, NULL)))
723 * We'll just use any old cert for this test - it doesn't have to be an OCSP
724 * specific one. We'll use the server cert.
726 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
727 || !TEST_ptr(id = OCSP_RESPID_new())
728 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
729 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
731 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
732 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
735 SSL_set_tlsext_status_ids(clientssl, ids);
736 /* Control has been transferred */
742 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
744 || !TEST_true(ocsp_client_called)
745 || !TEST_true(ocsp_server_called))
755 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
756 OCSP_RESPID_free(id);
765 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
766 static int new_called, remove_called, get_called;
768 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
772 * sess has been up-refed for us, but we don't actually need it so free it
775 SSL_SESSION_free(sess);
779 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
784 static SSL_SESSION *get_sess_val = NULL;
786 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
794 static int execute_test_session(int maxprot, int use_int_cache,
797 SSL_CTX *sctx = NULL, *cctx = NULL;
798 SSL *serverssl1 = NULL, *clientssl1 = NULL;
799 SSL *serverssl2 = NULL, *clientssl2 = NULL;
800 # ifndef OPENSSL_NO_TLS1_1
801 SSL *serverssl3 = NULL, *clientssl3 = NULL;
803 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
806 new_called = remove_called = 0;
808 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
809 TLS_client_method(), &sctx,
810 &cctx, cert, privkey)))
814 * Only allow the max protocol version so we can force a connection failure
817 SSL_CTX_set_min_proto_version(cctx, maxprot);
818 SSL_CTX_set_max_proto_version(cctx, maxprot);
820 /* Set up session cache */
822 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
823 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
826 /* Also covers instance where both are set */
827 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
829 SSL_CTX_set_session_cache_mode(cctx,
830 SSL_SESS_CACHE_CLIENT
831 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
834 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
836 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
838 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
841 /* Should fail because it should already be in the cache */
842 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
845 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
848 new_called = remove_called = 0;
849 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
850 &clientssl2, NULL, NULL))
851 || !TEST_true(SSL_set_session(clientssl2, sess1))
852 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
854 || !TEST_true(SSL_session_reused(clientssl2)))
857 if (maxprot == TLS1_3_VERSION) {
859 * In TLSv1.3 we should have created a new session even though we have
860 * resumed. The original session should also have been removed.
863 && (!TEST_int_eq(new_called, 1)
864 || !TEST_int_eq(remove_called, 1)))
868 * In TLSv1.2 we expect to have resumed so no sessions added or
872 && (!TEST_int_eq(new_called, 0)
873 || !TEST_int_eq(remove_called, 0)))
877 SSL_SESSION_free(sess1);
878 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
880 shutdown_ssl_connection(serverssl2, clientssl2);
881 serverssl2 = clientssl2 = NULL;
883 new_called = remove_called = 0;
884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
885 &clientssl2, NULL, NULL))
886 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
890 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
894 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
897 new_called = remove_called = 0;
899 * This should clear sess2 from the cache because it is a "bad" session.
900 * See SSL_set_session() documentation.
902 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
905 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
907 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
911 /* Should succeeded because it should not already be in the cache */
912 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
913 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
917 new_called = remove_called = 0;
918 /* This shouldn't be in the cache so should fail */
919 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
923 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
926 # if !defined(OPENSSL_NO_TLS1_1)
927 new_called = remove_called = 0;
928 /* Force a connection failure */
929 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
931 &clientssl3, NULL, NULL))
932 || !TEST_true(SSL_set_session(clientssl3, sess1))
933 /* This should fail because of the mismatched protocol versions */
934 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
938 /* We should have automatically removed the session from the cache */
940 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
943 /* Should succeed because it should not already be in the cache */
944 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
948 /* Now do some tests for server side caching */
950 SSL_CTX_sess_set_new_cb(cctx, NULL);
951 SSL_CTX_sess_set_remove_cb(cctx, NULL);
952 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
953 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
954 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
958 SSL_CTX_set_session_cache_mode(cctx, 0);
959 /* Internal caching is the default on the server side */
961 SSL_CTX_set_session_cache_mode(sctx,
962 SSL_SESS_CACHE_SERVER
963 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
965 SSL_free(serverssl1);
966 SSL_free(clientssl1);
967 serverssl1 = clientssl1 = NULL;
968 SSL_free(serverssl2);
969 SSL_free(clientssl2);
970 serverssl2 = clientssl2 = NULL;
971 SSL_SESSION_free(sess1);
973 SSL_SESSION_free(sess2);
976 SSL_CTX_set_max_proto_version(sctx, maxprot);
977 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
978 new_called = remove_called = get_called = 0;
979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
981 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
983 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
984 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
987 /* Should fail because it should already be in the cache */
988 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
992 SSL_SESSION *tmp = sess2;
994 if (!TEST_int_eq(new_called, 1)
995 || !TEST_int_eq(remove_called, 0)
996 || !TEST_int_eq(get_called, 0))
999 * Delete the session from the internal cache to force a lookup from
1000 * the external cache. We take a copy first because
1001 * SSL_CTX_remove_session() also marks the session as non-resumable.
1003 if (use_int_cache) {
1004 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1005 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1007 SSL_SESSION_free(sess2);
1012 new_called = remove_called = get_called = 0;
1013 get_sess_val = sess2;
1014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1015 &clientssl2, NULL, NULL))
1016 || !TEST_true(SSL_set_session(clientssl2, sess1))
1017 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1019 || !TEST_true(SSL_session_reused(clientssl2)))
1022 if (use_ext_cache) {
1023 if (!TEST_int_eq(new_called, 0)
1024 || !TEST_int_eq(remove_called, 0))
1027 if (maxprot == TLS1_3_VERSION) {
1028 if (!TEST_int_eq(get_called, 0))
1031 if (!TEST_int_eq(get_called, 1))
1039 SSL_free(serverssl1);
1040 SSL_free(clientssl1);
1041 SSL_free(serverssl2);
1042 SSL_free(clientssl2);
1043 # ifndef OPENSSL_NO_TLS1_1
1044 SSL_free(serverssl3);
1045 SSL_free(clientssl3);
1047 SSL_SESSION_free(sess1);
1048 SSL_SESSION_free(sess2);
1054 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1056 static int test_session_with_only_int_cache(void)
1058 #ifndef OPENSSL_NO_TLS1_3
1059 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1063 #ifndef OPENSSL_NO_TLS1_2
1064 return execute_test_session(TLS1_2_VERSION, 1, 0);
1070 static int test_session_with_only_ext_cache(void)
1072 #ifndef OPENSSL_NO_TLS1_3
1073 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1077 #ifndef OPENSSL_NO_TLS1_2
1078 return execute_test_session(TLS1_2_VERSION, 0, 1);
1084 static int test_session_with_both_cache(void)
1086 #ifndef OPENSSL_NO_TLS1_3
1087 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1091 #ifndef OPENSSL_NO_TLS1_2
1092 return execute_test_session(TLS1_2_VERSION, 1, 1);
1102 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1104 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1119 static int test_ssl_set_bio(int idx)
1124 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1126 int initrbio, initwbio, newrbio, newwbio;
1136 if (!TEST_int_le(newwbio, 2))
1139 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1140 || !TEST_ptr(ssl = SSL_new(ctx)))
1143 if (initrbio == USE_BIO_1
1144 || initwbio == USE_BIO_1
1145 || newrbio == USE_BIO_1
1146 || newwbio == USE_BIO_1) {
1147 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1151 if (initrbio == USE_BIO_2
1152 || initwbio == USE_BIO_2
1153 || newrbio == USE_BIO_2
1154 || newwbio == USE_BIO_2) {
1155 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1159 setupbio(&irbio, bio1, bio2, initrbio);
1160 setupbio(&iwbio, bio1, bio2, initwbio);
1163 * We want to maintain our own refs to these BIO, so do an up ref for each
1164 * BIO that will have ownership transferred in the SSL_set_bio() call
1168 if (iwbio != NULL && iwbio != irbio)
1171 SSL_set_bio(ssl, irbio, iwbio);
1173 setupbio(&nrbio, bio1, bio2, newrbio);
1174 setupbio(&nwbio, bio1, bio2, newwbio);
1177 * We will (maybe) transfer ownership again so do more up refs.
1178 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1183 && (nwbio != iwbio || nrbio != nwbio))
1187 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1190 SSL_set_bio(ssl, nrbio, nwbio);
1200 * This test is checking that the ref counting for SSL_set_bio is correct.
1201 * If we get here and we did too many frees then we will fail in the above
1202 * functions. If we haven't done enough then this will only be detected in
1203 * a crypto-mdebug build
1209 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1211 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1213 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1218 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1219 || !TEST_ptr(ssl = SSL_new(ctx))
1220 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1221 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1224 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1227 * If anything goes wrong here then we could leak memory, so this will
1228 * be caught in a crypto-mdebug build
1230 BIO_push(sslbio, membio1);
1232 /* Verify changing the rbio/wbio directly does not cause leaks */
1233 if (change_bio != NO_BIO_CHANGE) {
1234 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1236 if (change_bio == CHANGE_RBIO)
1237 SSL_set0_rbio(ssl, membio2);
1239 SSL_set0_wbio(ssl, membio2);
1258 static int test_ssl_bio_pop_next_bio(void)
1260 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1263 static int test_ssl_bio_pop_ssl_bio(void)
1265 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1268 static int test_ssl_bio_change_rbio(void)
1270 return execute_test_ssl_bio(0, CHANGE_RBIO);
1273 static int test_ssl_bio_change_wbio(void)
1275 return execute_test_ssl_bio(0, CHANGE_WBIO);
1278 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1280 /* The list of sig algs */
1282 /* The length of the list */
1284 /* A sigalgs list in string format */
1285 const char *liststr;
1286 /* Whether setting the list should succeed */
1288 /* Whether creating a connection with the list should succeed */
1292 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1293 # ifndef OPENSSL_NO_EC
1294 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1295 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1297 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1298 static const int invalidlist2[] = {NID_sha256, NID_undef};
1299 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1300 static const int invalidlist4[] = {NID_sha256};
1301 static const sigalgs_list testsigalgs[] = {
1302 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1303 # ifndef OPENSSL_NO_EC
1304 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1305 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1307 {NULL, 0, "RSA+SHA256", 1, 1},
1308 # ifndef OPENSSL_NO_EC
1309 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1310 {NULL, 0, "ECDSA+SHA512", 1, 0},
1312 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1313 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1314 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1315 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1316 {NULL, 0, "RSA", 0, 0},
1317 {NULL, 0, "SHA256", 0, 0},
1318 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1319 {NULL, 0, "Invalid", 0, 0}
1322 static int test_set_sigalgs(int idx)
1324 SSL_CTX *cctx = NULL, *sctx = NULL;
1325 SSL *clientssl = NULL, *serverssl = NULL;
1327 const sigalgs_list *curr;
1330 /* Should never happen */
1331 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1334 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1335 curr = testctx ? &testsigalgs[idx]
1336 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1338 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1339 TLS_client_method(), &sctx,
1340 &cctx, cert, privkey)))
1344 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1345 * for TLSv1.2 for now until we add a new API.
1347 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1352 if (curr->list != NULL)
1353 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1355 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1359 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1365 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1370 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1371 &clientssl, NULL, NULL)))
1377 if (curr->list != NULL)
1378 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1380 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1383 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1392 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1400 SSL_free(serverssl);
1401 SSL_free(clientssl);
1409 #ifndef OPENSSL_NO_TLS1_3
1411 static SSL_SESSION *clientpsk = NULL;
1412 static SSL_SESSION *serverpsk = NULL;
1413 static const char *pskid = "Identity";
1414 static const char *srvid;
1416 static int use_session_cb_cnt = 0;
1417 static int find_session_cb_cnt = 0;
1418 static int psk_client_cb_cnt = 0;
1419 static int psk_server_cb_cnt = 0;
1421 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1422 size_t *idlen, SSL_SESSION **sess)
1424 switch (++use_session_cb_cnt) {
1426 /* The first call should always have a NULL md */
1432 /* The second call should always have an md */
1438 /* We should only be called a maximum of twice */
1442 if (clientpsk != NULL)
1443 SSL_SESSION_up_ref(clientpsk);
1446 *id = (const unsigned char *)pskid;
1447 *idlen = strlen(pskid);
1452 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1453 unsigned int max_id_len,
1455 unsigned int max_psk_len)
1457 unsigned int psklen = 0;
1459 psk_client_cb_cnt++;
1461 if (strlen(pskid) + 1 > max_id_len)
1464 /* We should only ever be called a maximum of twice per connection */
1465 if (psk_client_cb_cnt > 2)
1468 if (clientpsk == NULL)
1471 /* We'll reuse the PSK we set up for TLSv1.3 */
1472 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1474 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1475 strncpy(id, pskid, max_id_len);
1480 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1481 size_t identity_len, SSL_SESSION **sess)
1483 find_session_cb_cnt++;
1485 /* We should only ever be called a maximum of twice per connection */
1486 if (find_session_cb_cnt > 2)
1489 if (serverpsk == NULL)
1492 /* Identity should match that set by the client */
1493 if (strlen(srvid) != identity_len
1494 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1495 /* No PSK found, continue but without a PSK */
1500 SSL_SESSION_up_ref(serverpsk);
1506 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1507 unsigned char *psk, unsigned int max_psk_len)
1509 unsigned int psklen = 0;
1511 psk_server_cb_cnt++;
1513 /* We should only ever be called a maximum of twice per connection */
1514 if (find_session_cb_cnt > 2)
1517 if (serverpsk == NULL)
1520 /* Identity should match that set by the client */
1521 if (strcmp(srvid, identity) != 0) {
1525 /* We'll reuse the PSK we set up for TLSv1.3 */
1526 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1528 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1533 #define MSG1 "Hello"
1534 #define MSG2 "World."
1539 #define MSG7 "message."
1541 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1542 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1545 * Helper method to setup objects for early data test. Caller frees objects on
1548 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1549 SSL **serverssl, SSL_SESSION **sess, int idx)
1551 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1552 TLS_client_method(), sctx,
1553 cctx, cert, privkey))
1554 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1555 SSL3_RT_MAX_PLAIN_LENGTH))
1556 || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
1557 SSL3_RT_MAX_PLAIN_LENGTH)))
1561 /* When idx == 1 we repeat the tests with read_ahead set */
1562 SSL_CTX_set_read_ahead(*cctx, 1);
1563 SSL_CTX_set_read_ahead(*sctx, 1);
1564 } else if (idx == 2) {
1565 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1566 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1567 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1568 use_session_cb_cnt = 0;
1569 find_session_cb_cnt = 0;
1573 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1578 * For one of the run throughs (doesn't matter which one), we'll try sending
1579 * some SNI data in the initial ClientHello. This will be ignored (because
1580 * there is no SNI cb set up by the server), so it should not impact
1584 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1588 /* Create the PSK */
1589 const SSL_CIPHER *cipher = NULL;
1590 const unsigned char key[] = {
1591 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1592 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1593 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1594 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1595 0x2c, 0x2d, 0x2e, 0x2f
1598 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1599 clientpsk = SSL_SESSION_new();
1600 if (!TEST_ptr(clientpsk)
1601 || !TEST_ptr(cipher)
1602 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1604 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1606 SSL_SESSION_set_protocol_version(clientpsk,
1609 * We just choose an arbitrary value for max_early_data which
1610 * should be big enough for testing purposes.
1612 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1614 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1615 SSL_SESSION_free(clientpsk);
1619 serverpsk = clientpsk;
1629 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1633 *sess = SSL_get1_session(*clientssl);
1634 SSL_shutdown(*clientssl);
1635 SSL_shutdown(*serverssl);
1636 SSL_free(*serverssl);
1637 SSL_free(*clientssl);
1638 *serverssl = *clientssl = NULL;
1640 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1641 clientssl, NULL, NULL))
1642 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1648 static int test_early_data_read_write(int idx)
1650 SSL_CTX *cctx = NULL, *sctx = NULL;
1651 SSL *clientssl = NULL, *serverssl = NULL;
1653 SSL_SESSION *sess = NULL;
1654 unsigned char buf[20], data[1024];
1655 size_t readbytes, written, eoedlen, rawread, rawwritten;
1658 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1659 &serverssl, &sess, idx)))
1662 /* Write and read some early data */
1663 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1665 || !TEST_size_t_eq(written, strlen(MSG1))
1666 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1667 sizeof(buf), &readbytes),
1668 SSL_READ_EARLY_DATA_SUCCESS)
1669 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1670 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1671 SSL_EARLY_DATA_ACCEPTED))
1675 * Server should be able to write data, and client should be able to
1678 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1680 || !TEST_size_t_eq(written, strlen(MSG2))
1681 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1682 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1685 /* Even after reading normal data, client should be able write early data */
1686 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1688 || !TEST_size_t_eq(written, strlen(MSG3)))
1691 /* Server should still be able read early data after writing data */
1692 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1694 SSL_READ_EARLY_DATA_SUCCESS)
1695 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1698 /* Write more data from server and read it from client */
1699 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1701 || !TEST_size_t_eq(written, strlen(MSG4))
1702 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1703 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1707 * If client writes normal data it should mean writing early data is no
1710 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1711 || !TEST_size_t_eq(written, strlen(MSG5))
1712 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1713 SSL_EARLY_DATA_ACCEPTED))
1717 * At this point the client has written EndOfEarlyData, ClientFinished and
1718 * normal (fully protected) data. We are going to cause a delay between the
1719 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1720 * in the read BIO, and then just put back the EndOfEarlyData message.
1722 rbio = SSL_get_rbio(serverssl);
1723 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1724 || !TEST_size_t_lt(rawread, sizeof(data))
1725 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1728 /* Record length is in the 4th and 5th bytes of the record header */
1729 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1730 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1731 || !TEST_size_t_eq(rawwritten, eoedlen))
1734 /* Server should be told that there is no more early data */
1735 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1737 SSL_READ_EARLY_DATA_FINISH)
1738 || !TEST_size_t_eq(readbytes, 0))
1742 * Server has not finished init yet, so should still be able to write early
1745 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1747 || !TEST_size_t_eq(written, strlen(MSG6)))
1750 /* Push the ClientFinished and the normal data back into the server rbio */
1751 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1753 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1756 /* Server should be able to read normal data */
1757 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1758 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1761 /* Client and server should not be able to write/read early data now */
1762 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1766 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1768 SSL_READ_EARLY_DATA_ERROR))
1772 /* Client should be able to read the data sent by the server */
1773 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1774 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1778 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1779 * We attempt a read which we do not expect to return any data.
1781 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1784 /* Server should be able to write normal data */
1785 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1786 || !TEST_size_t_eq(written, strlen(MSG7))
1787 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1788 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1791 /* We keep the PSK session around if using PSK */
1793 SSL_SESSION_free(sess);
1794 sess = SSL_get1_session(clientssl);
1795 use_session_cb_cnt = 0;
1796 find_session_cb_cnt = 0;
1798 SSL_shutdown(clientssl);
1799 SSL_shutdown(serverssl);
1800 SSL_free(serverssl);
1801 SSL_free(clientssl);
1802 serverssl = clientssl = NULL;
1803 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1804 &clientssl, NULL, NULL))
1805 || !TEST_true(SSL_set_session(clientssl, sess)))
1808 /* Write and read some early data */
1809 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1811 || !TEST_size_t_eq(written, strlen(MSG1))
1812 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1814 SSL_READ_EARLY_DATA_SUCCESS)
1815 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1818 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1819 || !TEST_int_gt(SSL_accept(serverssl), 0))
1822 /* Client and server should not be able to write/read early data now */
1823 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1827 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1829 SSL_READ_EARLY_DATA_ERROR))
1833 /* Client and server should be able to write/read normal data */
1834 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1835 || !TEST_size_t_eq(written, strlen(MSG5))
1836 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1837 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1843 if (sess != clientpsk)
1844 SSL_SESSION_free(sess);
1845 SSL_SESSION_free(clientpsk);
1846 SSL_SESSION_free(serverpsk);
1847 clientpsk = serverpsk = NULL;
1848 SSL_free(serverssl);
1849 SSL_free(clientssl);
1856 * Helper function to test that a server attempting to read early data can
1857 * handle a connection from a client where the early data should be skipped.
1859 static int early_data_skip_helper(int hrr, int idx)
1861 SSL_CTX *cctx = NULL, *sctx = NULL;
1862 SSL *clientssl = NULL, *serverssl = NULL;
1864 SSL_SESSION *sess = NULL;
1865 unsigned char buf[20];
1866 size_t readbytes, written;
1868 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1869 &serverssl, &sess, idx)))
1873 /* Force an HRR to occur */
1874 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1876 } else if (idx == 2) {
1878 * We force early_data rejection by ensuring the PSK identity is
1881 srvid = "Dummy Identity";
1884 * Deliberately corrupt the creation time. We take 20 seconds off the
1885 * time. It could be any value as long as it is not within tolerance.
1886 * This should mean the ticket is rejected.
1888 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
1892 /* Write some early data */
1893 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1895 || !TEST_size_t_eq(written, strlen(MSG1)))
1898 /* Server should reject the early data and skip over it */
1899 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1901 SSL_READ_EARLY_DATA_FINISH)
1902 || !TEST_size_t_eq(readbytes, 0)
1903 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1904 SSL_EARLY_DATA_REJECTED))
1909 * Finish off the handshake. We perform the same writes and reads as
1910 * further down but we expect them to fail due to the incomplete
1913 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1914 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1919 /* Should be able to send normal data despite rejection of early data */
1920 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1921 || !TEST_size_t_eq(written, strlen(MSG2))
1922 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1923 SSL_EARLY_DATA_REJECTED)
1924 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1925 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1931 if (sess != clientpsk)
1932 SSL_SESSION_free(clientpsk);
1933 SSL_SESSION_free(serverpsk);
1934 clientpsk = serverpsk = NULL;
1935 SSL_SESSION_free(sess);
1936 SSL_free(serverssl);
1937 SSL_free(clientssl);
1944 * Test that a server attempting to read early data can handle a connection
1945 * from a client where the early data is not acceptable.
1947 static int test_early_data_skip(int idx)
1949 return early_data_skip_helper(0, idx);
1953 * Test that a server attempting to read early data can handle a connection
1954 * from a client where an HRR occurs.
1956 static int test_early_data_skip_hrr(int idx)
1958 return early_data_skip_helper(1, idx);
1962 * Test that a server attempting to read early data can handle a connection
1963 * from a client that doesn't send any.
1965 static int test_early_data_not_sent(int idx)
1967 SSL_CTX *cctx = NULL, *sctx = NULL;
1968 SSL *clientssl = NULL, *serverssl = NULL;
1970 SSL_SESSION *sess = NULL;
1971 unsigned char buf[20];
1972 size_t readbytes, written;
1974 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1975 &serverssl, &sess, idx)))
1978 /* Write some data - should block due to handshake with server */
1979 SSL_set_connect_state(clientssl);
1980 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1983 /* Server should detect that early data has not been sent */
1984 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1986 SSL_READ_EARLY_DATA_FINISH)
1987 || !TEST_size_t_eq(readbytes, 0)
1988 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1989 SSL_EARLY_DATA_NOT_SENT)
1990 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1991 SSL_EARLY_DATA_NOT_SENT))
1994 /* Continue writing the message we started earlier */
1995 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1996 || !TEST_size_t_eq(written, strlen(MSG1))
1997 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1998 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1999 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2000 || !TEST_size_t_eq(written, strlen(MSG2)))
2004 * Should block due to the NewSessionTicket arrival unless we're using
2008 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2012 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2013 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2019 /* If using PSK then clientpsk and sess are the same */
2020 SSL_SESSION_free(sess);
2021 SSL_SESSION_free(serverpsk);
2022 clientpsk = serverpsk = NULL;
2023 SSL_free(serverssl);
2024 SSL_free(clientssl);
2030 static int hostname_cb(SSL *s, int *al, void *arg)
2032 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2034 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2035 return SSL_TLSEXT_ERR_OK;
2037 return SSL_TLSEXT_ERR_NOACK;
2040 static const char *servalpn;
2042 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2043 unsigned char *outlen, const unsigned char *in,
2044 unsigned int inlen, void *arg)
2046 unsigned int protlen = 0;
2047 const unsigned char *prot;
2049 for (prot = in; prot < in + inlen; prot += protlen) {
2051 if (in + inlen < prot + protlen)
2052 return SSL_TLSEXT_ERR_NOACK;
2054 if (protlen == strlen(servalpn)
2055 && memcmp(prot, servalpn, protlen) == 0) {
2058 return SSL_TLSEXT_ERR_OK;
2062 return SSL_TLSEXT_ERR_NOACK;
2065 /* Test that a PSK can be used to send early_data */
2066 static int test_early_data_psk(int idx)
2068 SSL_CTX *cctx = NULL, *sctx = NULL;
2069 SSL *clientssl = NULL, *serverssl = NULL;
2071 SSL_SESSION *sess = NULL;
2072 unsigned char alpnlist[] = {
2073 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2076 #define GOODALPNLEN 9
2077 #define BADALPNLEN 8
2078 #define GOODALPN (alpnlist)
2079 #define BADALPN (alpnlist + GOODALPNLEN)
2081 unsigned char buf[20];
2082 size_t readbytes, written;
2083 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2084 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2086 /* We always set this up with a final parameter of "2" for PSK */
2087 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2088 &serverssl, &sess, 2)))
2091 servalpn = "goodalpn";
2094 * Note: There is no test for inconsistent SNI with late client detection.
2095 * This is because servers do not acknowledge SNI even if they are using
2096 * it in a resumption handshake - so it is not actually possible for a
2097 * client to detect a problem.
2101 /* Set inconsistent SNI (early client detection) */
2102 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2103 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2104 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2109 /* Set inconsistent ALPN (early client detection) */
2110 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2111 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2112 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2114 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2121 * Set invalid protocol version. Technically this affects PSKs without
2122 * early_data too, but we test it here because it is similar to the
2123 * SNI/ALPN consistency tests.
2125 err = SSL_R_BAD_PSK;
2126 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2132 * Set inconsistent SNI (server detected). In this case the connection
2133 * will succeed but reject early_data.
2135 SSL_SESSION_free(serverpsk);
2136 serverpsk = SSL_SESSION_dup(clientpsk);
2137 if (!TEST_ptr(serverpsk)
2138 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2140 edstatus = SSL_EARLY_DATA_REJECTED;
2141 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2144 /* Set consistent SNI */
2145 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2146 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2147 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2154 * Set inconsistent ALPN (server detected). In this case the connection
2155 * will succeed but reject early_data.
2157 servalpn = "badalpn";
2158 edstatus = SSL_EARLY_DATA_REJECTED;
2159 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2163 * Set consistent ALPN.
2164 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2165 * accepts a list of protos (each one length prefixed).
2166 * SSL_set1_alpn_selected accepts a single protocol (not length
2169 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2171 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2175 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2179 /* Set inconsistent ALPN (late client detection) */
2180 SSL_SESSION_free(serverpsk);
2181 serverpsk = SSL_SESSION_dup(clientpsk);
2182 if (!TEST_ptr(serverpsk)
2183 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2186 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2189 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2192 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2193 edstatus = SSL_EARLY_DATA_ACCEPTED;
2194 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2195 /* SSL_connect() call should fail */
2200 TEST_error("Bad test index");
2204 SSL_set_connect_state(clientssl);
2206 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2208 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2209 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2212 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2216 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2217 &readbytes), readearlyres)
2218 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2219 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2220 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2221 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2228 SSL_SESSION_free(clientpsk);
2229 SSL_SESSION_free(serverpsk);
2230 clientpsk = serverpsk = NULL;
2231 SSL_free(serverssl);
2232 SSL_free(clientssl);
2239 * Test that a server that doesn't try to read early data can handle a
2240 * client sending some.
2242 static int test_early_data_not_expected(int idx)
2244 SSL_CTX *cctx = NULL, *sctx = NULL;
2245 SSL *clientssl = NULL, *serverssl = NULL;
2247 SSL_SESSION *sess = NULL;
2248 unsigned char buf[20];
2249 size_t readbytes, written;
2251 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2252 &serverssl, &sess, idx)))
2255 /* Write some early data */
2256 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2261 * Server should skip over early data and then block waiting for client to
2262 * continue handshake
2264 if (!TEST_int_le(SSL_accept(serverssl), 0)
2265 || !TEST_int_gt(SSL_connect(clientssl), 0)
2266 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2267 SSL_EARLY_DATA_REJECTED)
2268 || !TEST_int_gt(SSL_accept(serverssl), 0)
2269 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2270 SSL_EARLY_DATA_REJECTED))
2273 /* Send some normal data from client to server */
2274 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2275 || !TEST_size_t_eq(written, strlen(MSG2)))
2278 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2279 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2285 /* If using PSK then clientpsk and sess are the same */
2286 SSL_SESSION_free(sess);
2287 SSL_SESSION_free(serverpsk);
2288 clientpsk = serverpsk = NULL;
2289 SSL_free(serverssl);
2290 SSL_free(clientssl);
2297 # ifndef OPENSSL_NO_TLS1_2
2299 * Test that a server attempting to read early data can handle a connection
2300 * from a TLSv1.2 client.
2302 static int test_early_data_tls1_2(int idx)
2304 SSL_CTX *cctx = NULL, *sctx = NULL;
2305 SSL *clientssl = NULL, *serverssl = NULL;
2307 unsigned char buf[20];
2308 size_t readbytes, written;
2310 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2311 &serverssl, NULL, idx)))
2314 /* Write some data - should block due to handshake with server */
2315 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2316 SSL_set_connect_state(clientssl);
2317 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2321 * Server should do TLSv1.2 handshake. First it will block waiting for more
2322 * messages from client after ServerDone. Then SSL_read_early_data should
2323 * finish and detect that early data has not been sent
2325 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2327 SSL_READ_EARLY_DATA_ERROR))
2331 * Continue writing the message we started earlier. Will still block waiting
2332 * for the CCS/Finished from server
2334 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2335 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2337 SSL_READ_EARLY_DATA_FINISH)
2338 || !TEST_size_t_eq(readbytes, 0)
2339 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2340 SSL_EARLY_DATA_NOT_SENT))
2343 /* Continue writing the message we started earlier */
2344 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2345 || !TEST_size_t_eq(written, strlen(MSG1))
2346 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2347 SSL_EARLY_DATA_NOT_SENT)
2348 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2349 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2350 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2351 || !TEST_size_t_eq(written, strlen(MSG2))
2352 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2353 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2359 /* If using PSK then clientpsk and sess are the same */
2360 SSL_SESSION_free(clientpsk);
2361 SSL_SESSION_free(serverpsk);
2362 clientpsk = serverpsk = NULL;
2363 SSL_free(serverssl);
2364 SSL_free(clientssl);
2370 # endif /* OPENSSL_NO_TLS1_2 */
2372 static int test_ciphersuite_change(void)
2374 SSL_CTX *cctx = NULL, *sctx = NULL;
2375 SSL *clientssl = NULL, *serverssl = NULL;
2376 SSL_SESSION *clntsess = NULL;
2378 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2380 /* Create a session based on SHA-256 */
2381 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2382 TLS_client_method(), &sctx,
2383 &cctx, cert, privkey))
2384 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2385 "TLS_AES_128_GCM_SHA256"))
2386 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2387 &clientssl, NULL, NULL))
2388 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2392 clntsess = SSL_get1_session(clientssl);
2393 /* Save for later */
2394 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2395 SSL_shutdown(clientssl);
2396 SSL_shutdown(serverssl);
2397 SSL_free(serverssl);
2398 SSL_free(clientssl);
2399 serverssl = clientssl = NULL;
2401 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2402 /* Check we can resume a session with a different SHA-256 ciphersuite */
2403 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2404 "TLS_CHACHA20_POLY1305_SHA256"))
2405 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2407 || !TEST_true(SSL_set_session(clientssl, clntsess))
2408 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2410 || !TEST_true(SSL_session_reused(clientssl)))
2413 SSL_SESSION_free(clntsess);
2414 clntsess = SSL_get1_session(clientssl);
2415 SSL_shutdown(clientssl);
2416 SSL_shutdown(serverssl);
2417 SSL_free(serverssl);
2418 SSL_free(clientssl);
2419 serverssl = clientssl = NULL;
2423 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2424 * succeeds but does not resume.
2426 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2427 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2429 || !TEST_true(SSL_set_session(clientssl, clntsess))
2430 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2432 || !TEST_false(SSL_session_reused(clientssl)))
2435 SSL_SESSION_free(clntsess);
2437 SSL_shutdown(clientssl);
2438 SSL_shutdown(serverssl);
2439 SSL_free(serverssl);
2440 SSL_free(clientssl);
2441 serverssl = clientssl = NULL;
2443 /* Create a session based on SHA384 */
2444 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2445 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2446 &clientssl, NULL, NULL))
2447 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2451 clntsess = SSL_get1_session(clientssl);
2452 SSL_shutdown(clientssl);
2453 SSL_shutdown(serverssl);
2454 SSL_free(serverssl);
2455 SSL_free(clientssl);
2456 serverssl = clientssl = NULL;
2458 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2459 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2460 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2461 "TLS_AES_256_GCM_SHA384"))
2462 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2464 || !TEST_true(SSL_set_session(clientssl, clntsess))
2466 * We use SSL_ERROR_WANT_READ below so that we can pause the
2467 * connection after the initial ClientHello has been sent to
2468 * enable us to make some session changes.
2470 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2471 SSL_ERROR_WANT_READ)))
2474 /* Trick the client into thinking this session is for a different digest */
2475 clntsess->cipher = aes_128_gcm_sha256;
2476 clntsess->cipher_id = clntsess->cipher->id;
2479 * Continue the previously started connection. Server has selected a SHA-384
2480 * ciphersuite, but client thinks the session is for SHA-256, so it should
2483 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2485 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2486 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2492 SSL_SESSION_free(clntsess);
2493 SSL_free(serverssl);
2494 SSL_free(clientssl);
2501 static int test_tls13_psk(int idx)
2503 SSL_CTX *sctx = NULL, *cctx = NULL;
2504 SSL *serverssl = NULL, *clientssl = NULL;
2505 const SSL_CIPHER *cipher = NULL;
2506 const unsigned char key[] = {
2507 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2508 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2509 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2510 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2514 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2515 TLS_client_method(), &sctx,
2516 &cctx, cert, privkey)))
2520 * We use a ciphersuite with SHA256 to ease testing old style PSK callbacks
2521 * which will always default to SHA256
2523 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")))
2527 * Test 0: New style callbacks only
2528 * Test 1: New and old style callbacks (only the new ones should be used)
2529 * Test 2: Old style callbacks only
2531 if (idx == 0 || idx == 1) {
2532 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2533 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2535 if (idx == 1 || idx == 2) {
2536 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2537 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2540 use_session_cb_cnt = 0;
2541 find_session_cb_cnt = 0;
2542 psk_client_cb_cnt = 0;
2543 psk_server_cb_cnt = 0;
2545 /* Check we can create a connection if callback decides not to send a PSK */
2546 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2548 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2550 || !TEST_false(SSL_session_reused(clientssl))
2551 || !TEST_false(SSL_session_reused(serverssl)))
2554 if (idx == 0 || idx == 1) {
2555 if (!TEST_true(use_session_cb_cnt == 1)
2556 || !TEST_true(find_session_cb_cnt == 0)
2558 * If no old style callback then below should be 0
2561 || !TEST_true(psk_client_cb_cnt == idx)
2562 || !TEST_true(psk_server_cb_cnt == 0))
2565 if (!TEST_true(use_session_cb_cnt == 0)
2566 || !TEST_true(find_session_cb_cnt == 0)
2567 || !TEST_true(psk_client_cb_cnt == 1)
2568 || !TEST_true(psk_server_cb_cnt == 0))
2572 shutdown_ssl_connection(serverssl, clientssl);
2573 serverssl = clientssl = NULL;
2574 use_session_cb_cnt = psk_client_cb_cnt = 0;
2576 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2580 /* Create the PSK */
2581 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
2582 clientpsk = SSL_SESSION_new();
2583 if (!TEST_ptr(clientpsk)
2584 || !TEST_ptr(cipher)
2585 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2587 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2588 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2590 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2592 serverpsk = clientpsk;
2594 /* Check we can create a connection and the PSK is used */
2595 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2596 || !TEST_true(SSL_session_reused(clientssl))
2597 || !TEST_true(SSL_session_reused(serverssl)))
2600 if (idx == 0 || idx == 1) {
2601 if (!TEST_true(use_session_cb_cnt == 1)
2602 || !TEST_true(find_session_cb_cnt == 1)
2603 || !TEST_true(psk_client_cb_cnt == 0)
2604 || !TEST_true(psk_server_cb_cnt == 0))
2607 if (!TEST_true(use_session_cb_cnt == 0)
2608 || !TEST_true(find_session_cb_cnt == 0)
2609 || !TEST_true(psk_client_cb_cnt == 1)
2610 || !TEST_true(psk_server_cb_cnt == 1))
2614 shutdown_ssl_connection(serverssl, clientssl);
2615 serverssl = clientssl = NULL;
2616 use_session_cb_cnt = find_session_cb_cnt = 0;
2617 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2619 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2624 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2628 * Check we can create a connection, the PSK is used and the callbacks are
2631 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2632 || !TEST_true(SSL_session_reused(clientssl))
2633 || !TEST_true(SSL_session_reused(serverssl)))
2636 if (idx == 0 || idx == 1) {
2637 if (!TEST_true(use_session_cb_cnt == 2)
2638 || !TEST_true(find_session_cb_cnt == 2)
2639 || !TEST_true(psk_client_cb_cnt == 0)
2640 || !TEST_true(psk_server_cb_cnt == 0))
2643 if (!TEST_true(use_session_cb_cnt == 0)
2644 || !TEST_true(find_session_cb_cnt == 0)
2645 || !TEST_true(psk_client_cb_cnt == 2)
2646 || !TEST_true(psk_server_cb_cnt == 2))
2650 shutdown_ssl_connection(serverssl, clientssl);
2651 serverssl = clientssl = NULL;
2652 use_session_cb_cnt = find_session_cb_cnt = 0;
2653 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2656 * Check that if the server rejects the PSK we can still connect, but with
2659 srvid = "Dummy Identity";
2660 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2662 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2664 || !TEST_false(SSL_session_reused(clientssl))
2665 || !TEST_false(SSL_session_reused(serverssl)))
2668 if (idx == 0 || idx == 1) {
2669 if (!TEST_true(use_session_cb_cnt == 1)
2670 || !TEST_true(find_session_cb_cnt == 1)
2671 || !TEST_true(psk_client_cb_cnt == 0)
2673 * If no old style callback then below should be 0
2676 || !TEST_true(psk_server_cb_cnt == idx))
2679 if (!TEST_true(use_session_cb_cnt == 0)
2680 || !TEST_true(find_session_cb_cnt == 0)
2681 || !TEST_true(psk_client_cb_cnt == 1)
2682 || !TEST_true(psk_server_cb_cnt == 1))
2686 shutdown_ssl_connection(serverssl, clientssl);
2687 serverssl = clientssl = NULL;
2691 SSL_SESSION_free(clientpsk);
2692 SSL_SESSION_free(serverpsk);
2693 clientpsk = serverpsk = NULL;
2694 SSL_free(serverssl);
2695 SSL_free(clientssl);
2701 static unsigned char cookie_magic_value[] = "cookie magic";
2703 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2704 unsigned int *cookie_len)
2707 * Not suitable as a real cookie generation function but good enough for
2710 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
2711 *cookie_len = sizeof(cookie_magic_value) - 1;
2716 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
2717 unsigned int cookie_len)
2719 if (cookie_len == sizeof(cookie_magic_value) - 1
2720 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
2726 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
2730 int res = generate_cookie_callback(ssl, cookie, &temp);
2735 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
2738 return verify_cookie_callback(ssl, cookie, cookie_len);
2741 static int test_stateless(void)
2743 SSL_CTX *sctx = NULL, *cctx = NULL;
2744 SSL *serverssl = NULL, *clientssl = NULL;
2747 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2748 TLS_client_method(), &sctx,
2749 &cctx, cert, privkey)))
2752 /* The arrival of CCS messages can confuse the test */
2753 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
2755 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2757 /* Send the first ClientHello */
2758 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2759 SSL_ERROR_WANT_READ))
2761 * This should fail with a -1 return because we have no callbacks
2764 || !TEST_int_eq(SSL_stateless(serverssl), -1))
2767 /* Fatal error so abandon the connection from this client */
2768 SSL_free(clientssl);
2771 /* Set up the cookie generation and verification callbacks */
2772 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
2773 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
2776 * Create a new connection from the client (we can reuse the server SSL
2779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2781 /* Send the first ClientHello */
2782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2783 SSL_ERROR_WANT_READ))
2784 /* This should fail because there is no cookie */
2785 || !TEST_int_eq(SSL_stateless(serverssl), 0))
2788 /* Abandon the connection from this client */
2789 SSL_free(clientssl);
2793 * Now create a connection from a new client but with the same server SSL
2796 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2798 /* Send the first ClientHello */
2799 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2800 SSL_ERROR_WANT_READ))
2801 /* This should fail because there is no cookie */
2802 || !TEST_int_eq(SSL_stateless(serverssl), 0)
2803 /* Send the second ClientHello */
2804 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2805 SSL_ERROR_WANT_READ))
2806 /* This should succeed because a cookie is now present */
2807 || !TEST_int_eq(SSL_stateless(serverssl), 1)
2808 /* Complete the connection */
2809 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2813 shutdown_ssl_connection(serverssl, clientssl);
2814 serverssl = clientssl = NULL;
2818 SSL_free(serverssl);
2819 SSL_free(clientssl);
2825 #endif /* OPENSSL_NO_TLS1_3 */
2827 static int clntaddoldcb = 0;
2828 static int clntparseoldcb = 0;
2829 static int srvaddoldcb = 0;
2830 static int srvparseoldcb = 0;
2831 static int clntaddnewcb = 0;
2832 static int clntparsenewcb = 0;
2833 static int srvaddnewcb = 0;
2834 static int srvparsenewcb = 0;
2835 static int snicb = 0;
2837 #define TEST_EXT_TYPE1 0xff00
2839 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2840 size_t *outlen, int *al, void *add_arg)
2842 int *server = (int *)add_arg;
2843 unsigned char *data;
2845 if (SSL_is_server(s))
2850 if (*server != SSL_is_server(s)
2851 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2856 *outlen = sizeof(char);
2860 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2863 OPENSSL_free((unsigned char *)out);
2866 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2867 size_t inlen, int *al, void *parse_arg)
2869 int *server = (int *)parse_arg;
2871 if (SSL_is_server(s))
2876 if (*server != SSL_is_server(s)
2877 || inlen != sizeof(char)
2884 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2885 const unsigned char **out, size_t *outlen, X509 *x,
2886 size_t chainidx, int *al, void *add_arg)
2888 int *server = (int *)add_arg;
2889 unsigned char *data;
2891 if (SSL_is_server(s))
2896 if (*server != SSL_is_server(s)
2897 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2902 *outlen = sizeof(*data);
2906 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2907 const unsigned char *out, void *add_arg)
2909 OPENSSL_free((unsigned char *)out);
2912 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2913 const unsigned char *in, size_t inlen, X509 *x,
2914 size_t chainidx, int *al, void *parse_arg)
2916 int *server = (int *)parse_arg;
2918 if (SSL_is_server(s))
2923 if (*server != SSL_is_server(s)
2924 || inlen != sizeof(char) || *in != 1)
2930 static int sni_cb(SSL *s, int *al, void *arg)
2932 SSL_CTX *ctx = (SSL_CTX *)arg;
2934 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2935 *al = SSL_AD_INTERNAL_ERROR;
2936 return SSL_TLSEXT_ERR_ALERT_FATAL;
2939 return SSL_TLSEXT_ERR_OK;
2943 * Custom call back tests.
2944 * Test 0: Old style callbacks in TLSv1.2
2945 * Test 1: New style callbacks in TLSv1.2
2946 * Test 2: New style callbacks in TLSv1.2 with SNI
2947 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2948 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2950 static int test_custom_exts(int tst)
2952 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2953 SSL *clientssl = NULL, *serverssl = NULL;
2955 static int server = 1;
2956 static int client = 0;
2957 SSL_SESSION *sess = NULL;
2958 unsigned int context;
2960 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
2961 /* Skip tests for TLSv1.2 and below in this case */
2966 /* Reset callback counters */
2967 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2968 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2971 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2972 TLS_client_method(), &sctx,
2973 &cctx, cert, privkey)))
2977 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2978 NULL, cert, privkey)))
2983 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2984 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2986 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2990 context = SSL_EXT_CLIENT_HELLO
2991 | SSL_EXT_TLS1_2_SERVER_HELLO
2992 | SSL_EXT_TLS1_3_SERVER_HELLO
2993 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2994 | SSL_EXT_TLS1_3_CERTIFICATE
2995 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2997 context = SSL_EXT_CLIENT_HELLO
2998 | SSL_EXT_TLS1_2_SERVER_HELLO
2999 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3002 /* Create a client side custom extension */
3004 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3005 old_add_cb, old_free_cb,
3006 &client, old_parse_cb,
3010 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3011 new_add_cb, new_free_cb,
3012 &client, new_parse_cb, &client)))
3016 /* Should not be able to add duplicates */
3017 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3018 old_add_cb, old_free_cb,
3019 &client, old_parse_cb,
3021 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3022 context, new_add_cb,
3023 new_free_cb, &client,
3024 new_parse_cb, &client)))
3027 /* Create a server side custom extension */
3029 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3030 old_add_cb, old_free_cb,
3031 &server, old_parse_cb,
3035 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3036 new_add_cb, new_free_cb,
3037 &server, new_parse_cb, &server)))
3040 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3041 context, new_add_cb,
3042 new_free_cb, &server,
3043 new_parse_cb, &server)))
3047 /* Should not be able to add duplicates */
3048 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3049 old_add_cb, old_free_cb,
3050 &server, old_parse_cb,
3052 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3053 context, new_add_cb,
3054 new_free_cb, &server,
3055 new_parse_cb, &server)))
3060 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3061 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3065 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3066 &clientssl, NULL, NULL))
3067 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3072 if (clntaddoldcb != 1
3073 || clntparseoldcb != 1
3075 || srvparseoldcb != 1)
3077 } else if (tst == 1 || tst == 2 || tst == 3) {
3078 if (clntaddnewcb != 1
3079 || clntparsenewcb != 1
3081 || srvparsenewcb != 1
3082 || (tst != 2 && snicb != 0)
3083 || (tst == 2 && snicb != 1))
3086 if (clntaddnewcb != 1
3087 || clntparsenewcb != 4
3089 || srvparsenewcb != 1)
3093 sess = SSL_get1_session(clientssl);
3094 SSL_shutdown(clientssl);
3095 SSL_shutdown(serverssl);
3096 SSL_free(serverssl);
3097 SSL_free(clientssl);
3098 serverssl = clientssl = NULL;
3101 /* We don't bother with the resumption aspects for this test */
3106 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3108 || !TEST_true(SSL_set_session(clientssl, sess))
3109 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3114 * For a resumed session we expect to add the ClientHello extension. For the
3115 * old style callbacks we ignore it on the server side because they set
3116 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3120 if (clntaddoldcb != 2
3121 || clntparseoldcb != 1
3123 || srvparseoldcb != 1)
3125 } else if (tst == 1 || tst == 2 || tst == 3) {
3126 if (clntaddnewcb != 2
3127 || clntparsenewcb != 2
3129 || srvparsenewcb != 2)
3132 /* No Certificate message extensions in the resumption handshake */
3133 if (clntaddnewcb != 2
3134 || clntparsenewcb != 7
3136 || srvparsenewcb != 2)
3143 SSL_SESSION_free(sess);
3144 SSL_free(serverssl);
3145 SSL_free(clientssl);
3146 SSL_CTX_free(sctx2);
3153 * Test loading of serverinfo data in various formats. test_sslmessages actually
3154 * tests to make sure the extensions appear in the handshake
3156 static int test_serverinfo(int tst)
3158 unsigned int version;
3159 unsigned char *sibuf;
3161 int ret, expected, testresult = 0;
3164 ctx = SSL_CTX_new(TLS_method());
3168 if ((tst & 0x01) == 0x01)
3169 version = SSL_SERVERINFOV2;
3171 version = SSL_SERVERINFOV1;
3173 if ((tst & 0x02) == 0x02) {
3174 sibuf = serverinfov2;
3175 sibuflen = sizeof(serverinfov2);
3176 expected = (version == SSL_SERVERINFOV2);
3178 sibuf = serverinfov1;
3179 sibuflen = sizeof(serverinfov1);
3180 expected = (version == SSL_SERVERINFOV1);
3183 if ((tst & 0x04) == 0x04) {
3184 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3186 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3189 * The version variable is irrelevant in this case - it's what is in the
3190 * buffer that matters
3192 if ((tst & 0x02) == 0x02)
3198 if (!TEST_true(ret == expected))
3210 * Test that SSL_export_keying_material() produces expected results. There are
3211 * no test vectors so all we do is test that both sides of the communication
3212 * produce the same results for different protocol versions.
3214 static int test_export_key_mat(int tst)
3217 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3218 SSL *clientssl = NULL, *serverssl = NULL;
3219 const char label[] = "test label";
3220 const unsigned char context[] = "context";
3221 const unsigned char *emptycontext = NULL;
3222 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3223 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3224 const int protocols[] = {
3231 #ifdef OPENSSL_NO_TLS1
3235 #ifdef OPENSSL_NO_TLS1_1
3239 #ifdef OPENSSL_NO_TLS1_2
3243 #ifdef OPENSSL_NO_TLS1_3
3247 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3248 TLS_client_method(), &sctx,
3249 &cctx, cert, privkey)))
3252 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3253 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3254 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3256 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3258 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3262 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3263 sizeof(ckeymat1), label,
3264 sizeof(label) - 1, context,
3265 sizeof(context) - 1, 1), 1)
3266 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3267 sizeof(ckeymat2), label,
3271 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3272 sizeof(ckeymat3), label,
3275 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3276 sizeof(skeymat1), label,
3279 sizeof(context) -1, 1),
3281 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3282 sizeof(skeymat2), label,
3286 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3287 sizeof(skeymat3), label,
3291 * Check that both sides created the same key material with the
3294 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3297 * Check that both sides created the same key material with an
3300 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3303 * Check that both sides created the same key material without a
3306 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3308 /* Different contexts should produce different results */
3309 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3314 * Check that an empty context and no context produce different results in
3315 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3317 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3319 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3326 SSL_free(serverssl);
3327 SSL_free(clientssl);
3328 SSL_CTX_free(sctx2);
3335 #ifndef OPENSSL_NO_TLS1_3
3337 * Test that SSL_export_keying_material_early() produces expected
3338 * results. There are no test vectors so all we do is test that both
3339 * sides of the communication produce the same results for different
3340 * protocol versions.
3342 static int test_export_key_mat_early(int idx)
3344 static const char label[] = "test label";
3345 static const unsigned char context[] = "context";
3347 SSL_CTX *cctx = NULL, *sctx = NULL;
3348 SSL *clientssl = NULL, *serverssl = NULL;
3349 SSL_SESSION *sess = NULL;
3350 const unsigned char *emptycontext = NULL;
3351 unsigned char ckeymat1[80], ckeymat2[80];
3352 unsigned char skeymat1[80], skeymat2[80];
3353 unsigned char buf[1];
3354 size_t readbytes, written;
3356 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3360 /* Here writing 0 length early data is enough. */
3361 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3362 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3364 SSL_READ_EARLY_DATA_ERROR)
3365 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3366 SSL_EARLY_DATA_ACCEPTED))
3369 if (!TEST_int_eq(SSL_export_keying_material_early(
3370 clientssl, ckeymat1, sizeof(ckeymat1), label,
3371 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3372 || !TEST_int_eq(SSL_export_keying_material_early(
3373 clientssl, ckeymat2, sizeof(ckeymat2), label,
3374 sizeof(label) - 1, emptycontext, 0), 1)
3375 || !TEST_int_eq(SSL_export_keying_material_early(
3376 serverssl, skeymat1, sizeof(skeymat1), label,
3377 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3378 || !TEST_int_eq(SSL_export_keying_material_early(
3379 serverssl, skeymat2, sizeof(skeymat2), label,
3380 sizeof(label) - 1, emptycontext, 0), 1)
3382 * Check that both sides created the same key material with the
3385 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3388 * Check that both sides created the same key material with an
3391 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3393 /* Different contexts should produce different results */
3394 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3401 if (sess != clientpsk)
3402 SSL_SESSION_free(sess);
3403 SSL_SESSION_free(clientpsk);
3404 SSL_SESSION_free(serverpsk);
3405 clientpsk = serverpsk = NULL;
3406 SSL_free(serverssl);
3407 SSL_free(clientssl);
3413 #endif /* OPENSSL_NO_TLS1_3 */
3415 static int test_ssl_clear(int idx)
3417 SSL_CTX *cctx = NULL, *sctx = NULL;
3418 SSL *clientssl = NULL, *serverssl = NULL;
3421 #ifdef OPENSSL_NO_TLS1_2
3426 /* Create an initial connection */
3427 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3428 TLS_client_method(), &sctx,
3429 &cctx, cert, privkey))
3431 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3433 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3434 &clientssl, NULL, NULL))
3435 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3439 SSL_shutdown(clientssl);
3440 SSL_shutdown(serverssl);
3441 SSL_free(serverssl);
3444 /* Clear clientssl - we're going to reuse the object */
3445 if (!TEST_true(SSL_clear(clientssl)))
3448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3452 || !TEST_true(SSL_session_reused(clientssl)))
3455 SSL_shutdown(clientssl);
3456 SSL_shutdown(serverssl);
3461 SSL_free(serverssl);
3462 SSL_free(clientssl);
3469 /* Parse CH and retrieve any MFL extension value if present */
3470 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3473 unsigned char *data;
3474 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3475 unsigned int MFL_code = 0, type = 0;
3477 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3480 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3481 /* Skip the record header */
3482 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3483 /* Skip the handshake message header */
3484 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3485 /* Skip client version and random */
3486 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3487 + SSL3_RANDOM_SIZE))
3488 /* Skip session id */
3489 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3491 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3492 /* Skip compression */
3493 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3494 /* Extensions len */
3495 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3498 /* Loop through all extensions */
3499 while (PACKET_remaining(&pkt2)) {
3500 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3501 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3504 if (type == TLSEXT_TYPE_max_fragment_length) {
3505 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3506 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3509 *mfl_codemfl_code = MFL_code;
3518 /* Maximum-Fragment-Length TLS extension mode to test */
3519 static const unsigned char max_fragment_len_test[] = {
3520 TLSEXT_max_fragment_length_512,
3521 TLSEXT_max_fragment_length_1024,
3522 TLSEXT_max_fragment_length_2048,
3523 TLSEXT_max_fragment_length_4096
3526 static int test_max_fragment_len_ext(int idx_tst)
3530 int testresult = 0, MFL_mode = 0;
3533 ctx = SSL_CTX_new(TLS_method());
3537 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3538 ctx, max_fragment_len_test[idx_tst])))
3545 rbio = BIO_new(BIO_s_mem());
3546 wbio = BIO_new(BIO_s_mem());
3547 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3553 SSL_set_bio(con, rbio, wbio);
3554 SSL_set_connect_state(con);
3556 if (!TEST_int_le(SSL_connect(con), 0)) {
3557 /* This shouldn't succeed because we don't have a server! */
3561 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3562 /* no MFL in client hello */
3564 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3576 #ifndef OPENSSL_NO_TLS1_3
3577 static int test_pha_key_update(void)
3579 SSL_CTX *cctx = NULL, *sctx = NULL;
3580 SSL *clientssl = NULL, *serverssl = NULL;
3583 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3584 TLS_client_method(),
3585 &sctx, &cctx, cert, privkey)))
3588 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3589 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3590 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3591 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3595 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3599 SSL_force_post_handshake_auth(clientssl);
3601 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3605 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3606 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3609 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3612 /* Start handshake on the server */
3613 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3616 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3617 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3621 SSL_shutdown(clientssl);
3622 SSL_shutdown(serverssl);
3627 SSL_free(serverssl);
3628 SSL_free(clientssl);
3635 int setup_tests(void)
3637 if (!TEST_ptr(cert = test_get_argument(0))
3638 || !TEST_ptr(privkey = test_get_argument(1)))
3641 ADD_TEST(test_large_message_tls);
3642 ADD_TEST(test_large_message_tls_read_ahead);
3643 #ifndef OPENSSL_NO_DTLS
3644 ADD_TEST(test_large_message_dtls);
3646 #ifndef OPENSSL_NO_OCSP
3647 ADD_TEST(test_tlsext_status_type);
3649 ADD_TEST(test_session_with_only_int_cache);
3650 ADD_TEST(test_session_with_only_ext_cache);
3651 ADD_TEST(test_session_with_both_cache);
3652 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
3653 ADD_TEST(test_ssl_bio_pop_next_bio);
3654 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3655 ADD_TEST(test_ssl_bio_change_rbio);
3656 ADD_TEST(test_ssl_bio_change_wbio);
3657 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
3658 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
3659 ADD_TEST(test_keylog);
3661 #ifndef OPENSSL_NO_TLS1_3
3662 ADD_TEST(test_keylog_no_master_key);
3664 #ifndef OPENSSL_NO_TLS1_2
3665 ADD_TEST(test_client_hello_cb);
3667 #ifndef OPENSSL_NO_TLS1_3
3668 ADD_ALL_TESTS(test_early_data_read_write, 3);
3669 ADD_ALL_TESTS(test_early_data_skip, 3);
3670 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3671 ADD_ALL_TESTS(test_early_data_not_sent, 3);
3672 ADD_ALL_TESTS(test_early_data_psk, 8);
3673 ADD_ALL_TESTS(test_early_data_not_expected, 3);
3674 # ifndef OPENSSL_NO_TLS1_2
3675 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
3678 #ifndef OPENSSL_NO_TLS1_3
3679 ADD_TEST(test_ciphersuite_change);
3680 ADD_ALL_TESTS(test_tls13_psk, 3);
3681 ADD_ALL_TESTS(test_custom_exts, 5);
3682 ADD_TEST(test_stateless);
3683 ADD_TEST(test_pha_key_update);
3685 ADD_ALL_TESTS(test_custom_exts, 3);
3687 ADD_ALL_TESTS(test_serverinfo, 8);
3688 ADD_ALL_TESTS(test_export_key_mat, 4);
3689 #ifndef OPENSSL_NO_TLS1_3
3690 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3692 ADD_ALL_TESTS(test_ssl_clear, 2);
3693 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
3697 void cleanup_tests(void)
3699 bio_s_mempacket_test_free();