2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
18 #include "ssltestlib.h"
21 #include "../ssl/ssl_locl.h"
23 static char *cert = NULL;
24 static char *privkey = NULL;
26 #define LOG_BUFFER_SIZE 1024
27 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
28 static size_t server_log_buffer_index = 0;
29 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
30 static size_t client_log_buffer_index = 0;
31 static int error_writing_log = 0;
33 #ifndef OPENSSL_NO_OCSP
34 static const unsigned char orespder[] = "Dummy OCSP Response";
35 static int ocsp_server_called = 0;
36 static int ocsp_client_called = 0;
38 static int cdummyarg = 1;
39 static X509 *ocspcert = NULL;
42 #define NUM_EXTRA_CERTS 40
45 * This structure is used to validate that the correct number of log messages
46 * of various types are emitted when emitting secret logs.
48 struct sslapitest_log_counts {
49 unsigned int rsa_key_exchange_count;
50 unsigned int master_secret_count;
51 unsigned int client_handshake_secret_count;
52 unsigned int server_handshake_secret_count;
53 unsigned int client_application_secret_count;
54 unsigned int server_application_secret_count;
58 static unsigned char serverinfov1[] = {
59 0xff, 0xff, /* Dummy extension type */
60 0x00, 0x01, /* Extension length is 1 byte */
61 0xff /* Dummy extension data */
64 static unsigned char serverinfov2[] = {
66 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
67 0xff, 0xff, /* Dummy extension type */
68 0x00, 0x01, /* Extension length is 1 byte */
69 0xff /* Dummy extension data */
72 static void client_keylog_callback(const SSL *ssl, const char *line)
74 int line_length = strlen(line);
76 /* If the log doesn't fit, error out. */
77 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
78 TEST_info("Client log too full");
79 error_writing_log = 1;
83 strcat(client_log_buffer, line);
84 client_log_buffer_index += line_length;
85 client_log_buffer[client_log_buffer_index++] = '\n';
88 static void server_keylog_callback(const SSL *ssl, const char *line)
90 int line_length = strlen(line);
92 /* If the log doesn't fit, error out. */
93 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
94 TEST_info("Server og too full");
95 error_writing_log = 1;
99 strcat(server_log_buffer, line);
100 server_log_buffer_index += line_length;
101 server_log_buffer[server_log_buffer_index++] = '\n';
104 static int compare_hex_encoded_buffer(const char *hex_encoded,
112 if (!TEST_size_t_eq(raw_length * 2, hex_length))
115 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
116 sprintf(hexed, "%02x", raw[i]);
117 if (!TEST_int_eq(hexed[0], hex_encoded[j])
118 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
125 static int test_keylog_output(char *buffer, const SSL *ssl,
126 const SSL_SESSION *session,
127 struct sslapitest_log_counts *expected)
130 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
131 size_t client_random_size = SSL3_RANDOM_SIZE;
132 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
133 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
134 unsigned int rsa_key_exchange_count = 0;
135 unsigned int master_secret_count = 0;
136 unsigned int client_handshake_secret_count = 0;
137 unsigned int server_handshake_secret_count = 0;
138 unsigned int client_application_secret_count = 0;
139 unsigned int server_application_secret_count = 0;
141 for (token = strtok(buffer, " \n"); token != NULL;
142 token = strtok(NULL, " \n")) {
143 if (strcmp(token, "RSA") == 0) {
145 * Premaster secret. Tokens should be: 16 ASCII bytes of
146 * hex-encoded encrypted secret, then the hex-encoded pre-master
149 if (!TEST_ptr(token = strtok(NULL, " \n")))
151 if (!TEST_size_t_eq(strlen(token), 16))
153 if (!TEST_ptr(token = strtok(NULL, " \n")))
156 * We can't sensibly check the log because the premaster secret is
157 * transient, and OpenSSL doesn't keep hold of it once the master
158 * secret is generated.
160 rsa_key_exchange_count++;
161 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
163 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
164 * client random, then the hex-encoded master secret.
166 client_random_size = SSL_get_client_random(ssl,
167 actual_client_random,
169 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
172 if (!TEST_ptr(token = strtok(NULL, " \n")))
174 if (!TEST_size_t_eq(strlen(token), 64))
176 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
177 actual_client_random,
178 client_random_size)))
181 if (!TEST_ptr(token = strtok(NULL, " \n")))
183 master_key_size = SSL_SESSION_get_master_key(session,
186 if (!TEST_size_t_ne(master_key_size, 0))
188 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
192 master_secret_count++;
193 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
194 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
196 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
198 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
199 * client random, and then the hex-encoded secret. In this case,
200 * we treat all of these secrets identically and then just
201 * distinguish between them when counting what we saw.
203 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
204 client_handshake_secret_count++;
205 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
206 server_handshake_secret_count++;
207 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
208 client_application_secret_count++;
209 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
210 server_application_secret_count++;
212 client_random_size = SSL_get_client_random(ssl,
213 actual_client_random,
215 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
220 if (!TEST_size_t_eq(strlen(token), 64))
222 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
223 actual_client_random,
224 client_random_size)))
227 if (!TEST_ptr(token = strtok(NULL, " \n")))
231 * TODO(TLS1.3): test that application traffic secrets are what
234 TEST_info("Unexpected token %s\n", token);
239 /* Got what we expected? */
240 if (!TEST_size_t_eq(rsa_key_exchange_count,
241 expected->rsa_key_exchange_count)
242 || !TEST_size_t_eq(master_secret_count,
243 expected->master_secret_count)
244 || !TEST_size_t_eq(client_handshake_secret_count,
245 expected->client_handshake_secret_count)
246 || !TEST_size_t_eq(server_handshake_secret_count,
247 expected->server_handshake_secret_count)
248 || !TEST_size_t_eq(client_application_secret_count,
249 expected->client_application_secret_count)
250 || !TEST_size_t_eq(server_application_secret_count,
251 expected->server_application_secret_count))
256 static int test_keylog(void)
258 SSL_CTX *cctx = NULL, *sctx = NULL;
259 SSL *clientssl = NULL, *serverssl = NULL;
261 struct sslapitest_log_counts expected = {0};
263 /* Clean up logging space */
264 memset(client_log_buffer, 0, sizeof(client_log_buffer));
265 memset(server_log_buffer, 0, sizeof(server_log_buffer));
266 client_log_buffer_index = 0;
267 server_log_buffer_index = 0;
268 error_writing_log = 0;
270 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
272 &sctx, &cctx, cert, privkey)))
275 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
276 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
277 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
279 /* We also want to ensure that we use RSA-based key exchange. */
280 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
283 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
284 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
286 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
287 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
288 == client_keylog_callback))
290 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
291 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
292 == server_keylog_callback))
295 /* Now do a handshake and check that the logs have been written to. */
296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
297 &clientssl, NULL, NULL))
298 || !TEST_true(create_ssl_connection(serverssl, clientssl,
300 || !TEST_false(error_writing_log)
301 || !TEST_int_gt(client_log_buffer_index, 0)
302 || !TEST_int_gt(server_log_buffer_index, 0))
306 * Now we want to test that our output data was vaguely sensible. We
307 * do that by using strtok and confirming that we have more or less the
308 * data we expect. For both client and server, we expect to see one master
309 * secret. The client should also see a RSA key exchange.
311 expected.rsa_key_exchange_count = 1;
312 expected.master_secret_count = 1;
313 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
314 SSL_get_session(clientssl), &expected)))
317 expected.rsa_key_exchange_count = 0;
318 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
319 SSL_get_session(serverssl), &expected)))
333 #ifndef OPENSSL_NO_TLS1_3
334 static int test_keylog_no_master_key(void)
336 SSL_CTX *cctx = NULL, *sctx = NULL;
337 SSL *clientssl = NULL, *serverssl = NULL;
339 struct sslapitest_log_counts expected = {0};
341 /* Clean up logging space */
342 memset(client_log_buffer, 0, sizeof(client_log_buffer));
343 memset(server_log_buffer, 0, sizeof(server_log_buffer));
344 client_log_buffer_index = 0;
345 server_log_buffer_index = 0;
346 error_writing_log = 0;
348 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
349 TLS_client_method(), &sctx,
350 &cctx, cert, privkey)))
353 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
354 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
357 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
358 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
359 == client_keylog_callback))
362 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
363 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
364 == server_keylog_callback))
367 /* Now do a handshake and check that the logs have been written to. */
368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
369 &clientssl, NULL, NULL))
370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
372 || !TEST_false(error_writing_log))
376 * Now we want to test that our output data was vaguely sensible. For this
377 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
378 * TLSv1.3, but we do expect both client and server to emit keys.
380 expected.client_handshake_secret_count = 1;
381 expected.server_handshake_secret_count = 1;
382 expected.client_application_secret_count = 1;
383 expected.server_application_secret_count = 1;
384 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
385 SSL_get_session(clientssl), &expected))
386 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
387 SSL_get_session(serverssl),
403 #ifndef OPENSSL_NO_TLS1_2
404 static int full_early_callback(SSL *s, int *al, void *arg)
407 const unsigned char *p;
409 /* We only configure two ciphers, but the SCSV is added automatically. */
411 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
413 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
416 const int expected_extensions[] = {
417 #ifndef OPENSSL_NO_EC
423 /* Make sure we can defer processing and get called back. */
427 len = SSL_early_get0_ciphers(s, &p);
428 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
429 || !TEST_size_t_eq(SSL_early_get0_compression_methods(s, &p), 1)
430 || !TEST_int_eq(*p, 0))
432 if (!SSL_early_get1_extensions_present(s, &exts, &len))
434 if (len != OSSL_NELEM(expected_extensions) ||
435 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
436 printf("Early callback expected ClientHello extensions mismatch\n");
444 static int test_early_cb(void)
446 SSL_CTX *cctx = NULL, *sctx = NULL;
447 SSL *clientssl = NULL, *serverssl = NULL;
448 int testctr = 0, testresult = 0;
450 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
451 TLS_client_method(), &sctx,
452 &cctx, cert, privkey)))
454 SSL_CTX_set_early_cb(sctx, full_early_callback, &testctr);
456 /* The gimpy cipher list we configure can't do TLS 1.3. */
457 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
459 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
460 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
461 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
462 &clientssl, NULL, NULL))
463 || !TEST_false(create_ssl_connection(serverssl, clientssl,
464 SSL_ERROR_WANT_EARLY))
466 * Passing a -1 literal is a hack since
467 * the real value was lost.
469 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_EARLY)
470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
486 static int execute_test_large_message(const SSL_METHOD *smeth,
487 const SSL_METHOD *cmeth, int read_ahead)
489 SSL_CTX *cctx = NULL, *sctx = NULL;
490 SSL *clientssl = NULL, *serverssl = NULL;
494 X509 *chaincert = NULL;
497 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
499 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
502 if (!TEST_ptr(chaincert))
505 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
506 &cctx, cert, privkey)))
511 * Test that read_ahead works correctly when dealing with large
514 SSL_CTX_set_read_ahead(cctx, 1);
518 * We assume the supplied certificate is big enough so that if we add
519 * NUM_EXTRA_CERTS it will make the overall message large enough. The
520 * default buffer size is requested to be 16k, but due to the way BUF_MEM
521 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
522 * test we need to have a message larger than that.
524 certlen = i2d_X509(chaincert, NULL);
525 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
526 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
527 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
528 if (!X509_up_ref(chaincert))
530 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
531 X509_free(chaincert);
536 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
543 * Calling SSL_clear() first is not required but this tests that SSL_clear()
544 * doesn't leak (when using enable-crypto-mdebug).
546 if (!TEST_true(SSL_clear(serverssl)))
551 X509_free(chaincert);
560 static int test_large_message_tls(void)
562 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
566 static int test_large_message_tls_read_ahead(void)
568 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
572 #ifndef OPENSSL_NO_DTLS
573 static int test_large_message_dtls(void)
576 * read_ahead is not relevant to DTLS because DTLS always acts as if
579 return execute_test_large_message(DTLS_server_method(),
580 DTLS_client_method(), 0);
584 #ifndef OPENSSL_NO_OCSP
585 static int ocsp_server_cb(SSL *s, void *arg)
587 int *argi = (int *)arg;
588 unsigned char *copy = NULL;
589 STACK_OF(OCSP_RESPID) *ids = NULL;
590 OCSP_RESPID *id = NULL;
593 /* In this test we are expecting exactly 1 OCSP_RESPID */
594 SSL_get_tlsext_status_ids(s, &ids);
595 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
596 return SSL_TLSEXT_ERR_ALERT_FATAL;
598 id = sk_OCSP_RESPID_value(ids, 0);
599 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
600 return SSL_TLSEXT_ERR_ALERT_FATAL;
601 } else if (*argi != 1) {
602 return SSL_TLSEXT_ERR_ALERT_FATAL;
605 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
606 return SSL_TLSEXT_ERR_ALERT_FATAL;
608 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
609 ocsp_server_called = 1;
610 return SSL_TLSEXT_ERR_OK;
613 static int ocsp_client_cb(SSL *s, void *arg)
615 int *argi = (int *)arg;
616 const unsigned char *respderin;
619 if (*argi != 1 && *argi != 2)
622 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
623 if (!TEST_mem_eq(orespder, len, respderin, len))
626 ocsp_client_called = 1;
630 static int test_tlsext_status_type(void)
632 SSL_CTX *cctx = NULL, *sctx = NULL;
633 SSL *clientssl = NULL, *serverssl = NULL;
635 STACK_OF(OCSP_RESPID) *ids = NULL;
636 OCSP_RESPID *id = NULL;
639 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
640 &cctx, cert, privkey))
643 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
646 /* First just do various checks getting and setting tlsext_status_type */
648 clientssl = SSL_new(cctx);
649 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
650 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
651 TLSEXT_STATUSTYPE_ocsp))
652 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
653 TLSEXT_STATUSTYPE_ocsp))
659 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
660 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
663 clientssl = SSL_new(cctx);
664 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
670 * Now actually do a handshake and check OCSP information is exchanged and
671 * the callbacks get called
673 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
674 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
675 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
676 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
678 &clientssl, NULL, NULL))
679 || !TEST_true(create_ssl_connection(serverssl, clientssl,
681 || !TEST_true(ocsp_client_called)
682 || !TEST_true(ocsp_server_called))
689 /* Try again but this time force the server side callback to fail */
690 ocsp_client_called = 0;
691 ocsp_server_called = 0;
693 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
694 &clientssl, NULL, NULL))
695 /* This should fail because the callback will fail */
696 || !TEST_false(create_ssl_connection(serverssl, clientssl,
698 || !TEST_false(ocsp_client_called)
699 || !TEST_false(ocsp_server_called))
707 * This time we'll get the client to send an OCSP_RESPID that it will
710 ocsp_client_called = 0;
711 ocsp_server_called = 0;
713 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
714 &clientssl, NULL, NULL)))
718 * We'll just use any old cert for this test - it doesn't have to be an OCSP
719 * specific one. We'll use the server cert.
721 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
722 || !TEST_ptr(id = OCSP_RESPID_new())
723 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
724 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
726 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
727 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
730 SSL_set_tlsext_status_ids(clientssl, ids);
731 /* Control has been transferred */
737 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
739 || !TEST_true(ocsp_client_called)
740 || !TEST_true(ocsp_server_called))
750 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
751 OCSP_RESPID_free(id);
760 typedef struct ssl_session_test_fixture {
761 const char *test_case_name;
764 } SSL_SESSION_TEST_FIXTURE;
766 static int new_called = 0, remove_called = 0;
768 static SSL_SESSION_TEST_FIXTURE
769 ssl_session_set_up(const char *const test_case_name)
771 SSL_SESSION_TEST_FIXTURE fixture;
773 fixture.test_case_name = test_case_name;
774 fixture.use_ext_cache = 1;
775 fixture.use_int_cache = 1;
777 new_called = remove_called = 0;
782 static void ssl_session_tear_down(SSL_SESSION_TEST_FIXTURE fixture)
786 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
790 * sess has been up-refed for us, but we don't actually need it so free it
793 SSL_SESSION_free(sess);
797 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
802 static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
804 SSL_CTX *sctx = NULL, *cctx = NULL;
805 SSL *serverssl1 = NULL, *clientssl1 = NULL;
806 SSL *serverssl2 = NULL, *clientssl2 = NULL;
807 #ifndef OPENSSL_NO_TLS1_1
808 SSL *serverssl3 = NULL, *clientssl3 = NULL;
810 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
813 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
814 TLS_client_method(), &sctx,
815 &cctx, cert, privkey)))
818 #ifndef OPENSSL_NO_TLS1_2
819 /* Only allow TLS1.2 so we can force a connection failure later */
820 SSL_CTX_set_min_proto_version(cctx, TLS1_2_VERSION);
823 /* Set up session cache */
824 if (fix.use_ext_cache) {
825 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
826 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
828 if (fix.use_int_cache) {
829 /* Also covers instance where both are set */
830 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
832 SSL_CTX_set_session_cache_mode(cctx,
833 SSL_SESS_CACHE_CLIENT
834 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
837 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
839 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
841 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
844 /* Should fail because it should already be in the cache */
845 if (fix.use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
847 if (fix.use_ext_cache && (new_called != 1 || remove_called != 0))
850 #if !defined(OPENSSL_NO_TLS1_3)
851 new_called = remove_called = 0;
852 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
853 &clientssl2, NULL, NULL))
854 || !TEST_true(SSL_set_session(clientssl2, sess1))
855 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
857 || !TEST_true(SSL_session_reused(clientssl2)))
861 * In TLSv1.3 we should have created a new session even though we have
862 * resumed. The original session should also have been removed.
864 if (fix.use_ext_cache && !TEST_true((new_called == 1
865 && remove_called == 1)))
868 SSL_SESSION_free(sess1);
869 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
871 shutdown_ssl_connection(serverssl2, clientssl2);
872 serverssl2 = clientssl2 = NULL;
875 new_called = remove_called = 0;
876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
877 &clientssl2, NULL, NULL))
878 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
882 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
885 if (fix.use_ext_cache && !TEST_true(new_called == 1 && remove_called == 0))
888 new_called = remove_called = 0;
890 * This should clear sess2 from the cache because it is a "bad" session.
891 * See SSL_set_session() documentation.
893 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
895 if (fix.use_ext_cache && !TEST_true(new_called == 0 && remove_called == 1))
897 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
900 if (fix.use_int_cache) {
901 /* Should succeeded because it should not already be in the cache */
902 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
903 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
907 new_called = remove_called = 0;
908 /* This shouldn't be in the cache so should fail */
909 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
912 if (fix.use_ext_cache && !TEST_true(new_called == 0 && remove_called == 1))
915 #if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2)
916 new_called = remove_called = 0;
917 /* Force a connection failure */
918 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
920 &clientssl3, NULL, NULL))
921 || !TEST_true(SSL_set_session(clientssl3, sess1))
922 /* This should fail because of the mismatched protocol versions */
923 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
927 /* We should have automatically removed the session from the cache */
928 if (fix.use_ext_cache && !TEST_true(new_called == 0 && remove_called == 1))
931 /* Should succeed because it should not already be in the cache */
932 if (fix.use_int_cache && !SSL_CTX_add_session(cctx, sess2))
939 SSL_free(serverssl1);
940 SSL_free(clientssl1);
941 SSL_free(serverssl2);
942 SSL_free(clientssl2);
943 #ifndef OPENSSL_NO_TLS1_1
944 SSL_free(serverssl3);
945 SSL_free(clientssl3);
947 SSL_SESSION_free(sess1);
948 SSL_SESSION_free(sess2);
955 static int test_session_with_only_int_cache(void)
957 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up);
958 fixture.use_ext_cache = 0;
959 EXECUTE_TEST(execute_test_session, ssl_session_tear_down);
962 static int test_session_with_only_ext_cache(void)
964 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up);
965 fixture.use_int_cache = 0;
966 EXECUTE_TEST(execute_test_session, ssl_session_tear_down);
969 static int test_session_with_both_cache(void)
971 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up);
972 EXECUTE_TEST(execute_test_session, ssl_session_tear_down);
979 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
981 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
996 static int test_ssl_set_bio(int idx)
1001 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1003 int initrbio, initwbio, newrbio, newwbio;
1013 if (!TEST_int_le(newwbio, 2))
1016 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1017 || !TEST_ptr(ssl = SSL_new(ctx)))
1020 if (initrbio == USE_BIO_1
1021 || initwbio == USE_BIO_1
1022 || newrbio == USE_BIO_1
1023 || newwbio == USE_BIO_1) {
1024 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1028 if (initrbio == USE_BIO_2
1029 || initwbio == USE_BIO_2
1030 || newrbio == USE_BIO_2
1031 || newwbio == USE_BIO_2) {
1032 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1036 setupbio(&irbio, bio1, bio2, initrbio);
1037 setupbio(&iwbio, bio1, bio2, initwbio);
1040 * We want to maintain our own refs to these BIO, so do an up ref for each
1041 * BIO that will have ownership transferred in the SSL_set_bio() call
1045 if (iwbio != NULL && iwbio != irbio)
1048 SSL_set_bio(ssl, irbio, iwbio);
1050 setupbio(&nrbio, bio1, bio2, newrbio);
1051 setupbio(&nwbio, bio1, bio2, newwbio);
1054 * We will (maybe) transfer ownership again so do more up refs.
1055 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1060 && (nwbio != iwbio || nrbio != nwbio))
1064 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1067 SSL_set_bio(ssl, nrbio, nwbio);
1077 * This test is checking that the ref counting for SSL_set_bio is correct.
1078 * If we get here and we did too many frees then we will fail in the above
1079 * functions. If we haven't done enough then this will only be detected in
1080 * a crypto-mdebug build
1086 typedef struct ssl_bio_test_fixture {
1087 const char *test_case_name;
1089 enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } change_bio;
1090 } SSL_BIO_TEST_FIXTURE;
1092 static SSL_BIO_TEST_FIXTURE ssl_bio_set_up(const char *const test_case_name)
1094 SSL_BIO_TEST_FIXTURE fixture;
1096 fixture.test_case_name = test_case_name;
1097 fixture.pop_ssl = 0;
1098 fixture.change_bio = NO_BIO_CHANGE;
1102 static void ssl_bio_tear_down(SSL_BIO_TEST_FIXTURE fixture)
1106 static int execute_test_ssl_bio(SSL_BIO_TEST_FIXTURE fix)
1108 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1113 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1114 || !TEST_ptr(ssl = SSL_new(ctx))
1115 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1116 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1119 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1122 * If anything goes wrong here then we could leak memory, so this will
1123 * be caught in a crypto-mdebug build
1125 BIO_push(sslbio, membio1);
1127 /* Verify changing the rbio/wbio directly does not cause leaks */
1128 if (fix.change_bio != NO_BIO_CHANGE) {
1129 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1131 if (fix.change_bio == CHANGE_RBIO)
1132 SSL_set0_rbio(ssl, membio2);
1134 SSL_set0_wbio(ssl, membio2);
1153 static int test_ssl_bio_pop_next_bio(void)
1155 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up);
1156 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down);
1159 static int test_ssl_bio_pop_ssl_bio(void)
1161 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up);
1162 fixture.pop_ssl = 1;
1163 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down);
1166 static int test_ssl_bio_change_rbio(void)
1168 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up);
1169 fixture.change_bio = CHANGE_RBIO;
1170 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down);
1173 static int test_ssl_bio_change_wbio(void)
1175 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up);
1176 fixture.change_bio = CHANGE_WBIO;
1177 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down);
1181 /* The list of sig algs */
1183 /* The length of the list */
1185 /* A sigalgs list in string format */
1186 const char *liststr;
1187 /* Whether setting the list should succeed */
1189 /* Whether creating a connection with the list should succeed */
1193 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1194 #ifndef OPENSSL_NO_EC
1195 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1196 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1198 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1199 static const int invalidlist2[] = {NID_sha256, NID_undef};
1200 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1201 static const int invalidlist4[] = {NID_sha256};
1202 static const sigalgs_list testsigalgs[] = {
1203 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1204 #ifndef OPENSSL_NO_EC
1205 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1206 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1208 {NULL, 0, "RSA+SHA256", 1, 1},
1209 #ifndef OPENSSL_NO_EC
1210 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1211 {NULL, 0, "ECDSA+SHA512", 1, 0},
1213 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1214 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1215 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1216 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1217 {NULL, 0, "RSA", 0, 0},
1218 {NULL, 0, "SHA256", 0, 0},
1219 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1220 {NULL, 0, "Invalid", 0, 0}
1223 static int test_set_sigalgs(int idx)
1225 SSL_CTX *cctx = NULL, *sctx = NULL;
1226 SSL *clientssl = NULL, *serverssl = NULL;
1228 const sigalgs_list *curr;
1231 /* Should never happen */
1232 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1235 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1236 curr = testctx ? &testsigalgs[idx]
1237 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1239 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1240 TLS_client_method(), &sctx,
1241 &cctx, cert, privkey)))
1245 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1246 * for TLSv1.2 for now until we add a new API.
1248 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1253 if (curr->list != NULL)
1254 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1256 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1260 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1266 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1271 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1272 &clientssl, NULL, NULL)))
1278 if (curr->list != NULL)
1279 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1281 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1284 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1293 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1301 SSL_free(serverssl);
1302 SSL_free(clientssl);
1309 #ifndef OPENSSL_NO_TLS1_3
1311 #define MSG1 "Hello"
1312 #define MSG2 "World."
1317 #define MSG7 "message."
1320 * Helper method to setup objects for early data test. Caller frees objects on
1323 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1324 SSL **serverssl, SSL_SESSION **sess, int idx)
1326 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1327 TLS_client_method(), sctx,
1328 cctx, cert, privkey)))
1331 /* When idx == 1 we repeat the tests with read_ahead set */
1333 SSL_CTX_set_read_ahead(*cctx, 1);
1334 SSL_CTX_set_read_ahead(*sctx, 1);
1337 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1339 || !TEST_true(create_ssl_connection(*serverssl, *clientssl,
1343 *sess = SSL_get1_session(*clientssl);
1344 SSL_shutdown(*clientssl);
1345 SSL_shutdown(*serverssl);
1346 SSL_free(*serverssl);
1347 SSL_free(*clientssl);
1348 *serverssl = *clientssl = NULL;
1350 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1351 clientssl, NULL, NULL))
1352 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1358 static int test_early_data_read_write(int idx)
1360 SSL_CTX *cctx = NULL, *sctx = NULL;
1361 SSL *clientssl = NULL, *serverssl = NULL;
1363 SSL_SESSION *sess = NULL;
1364 unsigned char buf[20], data[1024];
1365 size_t readbytes, written, eoedlen, rawread, rawwritten;
1368 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1369 &serverssl, &sess, idx)))
1372 /* Write and read some early data */
1373 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1375 || !TEST_size_t_eq(written, strlen(MSG1))
1376 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1377 sizeof(buf), &readbytes),
1378 SSL_READ_EARLY_DATA_SUCCESS)
1379 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1380 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1381 SSL_EARLY_DATA_ACCEPTED))
1385 * Server should be able to write data, and client should be able to
1388 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1390 || !TEST_size_t_eq(written, strlen(MSG2))
1391 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1392 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1395 /* Even after reading normal data, client should be able write early data */
1396 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1398 || !TEST_size_t_eq(written, strlen(MSG3)))
1401 /* Server should still be able read early data after writing data */
1402 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1404 SSL_READ_EARLY_DATA_SUCCESS)
1405 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1408 /* Write more data from server and read it from client */
1409 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1411 || !TEST_size_t_eq(written, strlen(MSG4))
1412 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1413 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1417 * If client writes normal data it should mean writing early data is no
1420 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1421 || !TEST_size_t_eq(written, strlen(MSG5))
1422 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1423 SSL_EARLY_DATA_ACCEPTED))
1427 * At this point the client has written EndOfEarlyData, ClientFinished and
1428 * normal (fully protected) data. We are going to cause a delay between the
1429 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1430 * in the read BIO, and then just put back the EndOfEarlyData message.
1432 rbio = SSL_get_rbio(serverssl);
1433 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1434 || !TEST_size_t_lt(rawread, sizeof(data))
1435 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1438 /* Record length is in the 4th and 5th bytes of the record header */
1439 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1440 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1441 || !TEST_size_t_eq(rawwritten, eoedlen))
1444 /* Server should be told that there is no more early data */
1445 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1447 SSL_READ_EARLY_DATA_FINISH)
1448 || !TEST_size_t_eq(readbytes, 0))
1452 * Server has not finished init yet, so should still be able to write early
1455 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1457 || !TEST_size_t_eq(written, strlen(MSG6)))
1460 /* Push the ClientFinished and the normal data back into the server rbio */
1461 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1463 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1466 /* Server should be able to read normal data */
1467 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1468 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1471 /* Client and server should not be able to write/read early data now */
1472 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1476 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1478 SSL_READ_EARLY_DATA_ERROR))
1482 /* Client should be able to read the data sent by the server */
1483 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1484 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1488 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1489 * We attempt a read which we do not expect to return any data.
1491 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1494 /* Server should be able to write normal data */
1495 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1496 || !TEST_size_t_eq(written, strlen(MSG7))
1497 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1498 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1501 SSL_SESSION_free(sess);
1502 sess = SSL_get1_session(clientssl);
1504 SSL_shutdown(clientssl);
1505 SSL_shutdown(serverssl);
1506 SSL_free(serverssl);
1507 SSL_free(clientssl);
1508 serverssl = clientssl = NULL;
1509 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1510 &clientssl, NULL, NULL))
1511 || !TEST_true(SSL_set_session(clientssl, sess)))
1514 /* Write and read some early data */
1515 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1517 || !TEST_size_t_eq(written, strlen(MSG1))
1518 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1520 SSL_READ_EARLY_DATA_SUCCESS)
1521 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1524 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1525 || !TEST_int_gt(SSL_accept(serverssl), 0))
1528 /* Client and server should not be able to write/read early data now */
1529 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1533 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1535 SSL_READ_EARLY_DATA_ERROR))
1539 /* Client and server should be able to write/read normal data */
1540 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1541 || !TEST_size_t_eq(written, strlen(MSG5))
1542 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1543 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1549 SSL_SESSION_free(sess);
1550 SSL_free(serverssl);
1551 SSL_free(clientssl);
1558 * Helper function to test that a server attempting to read early data can
1559 * handle a connection from a client where the early data should be skipped.
1561 static int early_data_skip_helper(int hrr, int idx)
1563 SSL_CTX *cctx = NULL, *sctx = NULL;
1564 SSL *clientssl = NULL, *serverssl = NULL;
1566 SSL_SESSION *sess = NULL;
1567 unsigned char buf[20];
1568 size_t readbytes, written;
1570 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1571 &serverssl, &sess, idx)))
1575 /* Force an HRR to occur */
1576 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1580 * Deliberately corrupt the creation time. We take 20 seconds off the
1581 * time. It could be any value as long as it is not within tolerance.
1582 * This should mean the ticket is rejected.
1584 if (!TEST_true(SSL_SESSION_set_time(sess, time(NULL) - 20)))
1588 /* Write some early data */
1589 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1591 || !TEST_size_t_eq(written, strlen(MSG1)))
1594 /* Server should reject the early data and skip over it */
1595 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1597 SSL_READ_EARLY_DATA_FINISH)
1598 || !TEST_size_t_eq(readbytes, 0)
1599 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1600 SSL_EARLY_DATA_REJECTED))
1605 * Finish off the handshake. We perform the same writes and reads as
1606 * further down but we expect them to fail due to the incomplete
1609 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1610 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1615 /* Should be able to send normal data despite rejection of early data */
1616 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1617 || !TEST_size_t_eq(written, strlen(MSG2))
1618 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1619 SSL_EARLY_DATA_REJECTED)
1620 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1621 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1627 SSL_SESSION_free(sess);
1628 SSL_free(serverssl);
1629 SSL_free(clientssl);
1636 * Test that a server attempting to read early data can handle a connection
1637 * from a client where the early data is not acceptable.
1639 static int test_early_data_skip(int idx)
1641 return early_data_skip_helper(0, idx);
1645 * Test that a server attempting to read early data can handle a connection
1646 * from a client where an HRR occurs.
1648 static int test_early_data_skip_hrr(int idx)
1650 return early_data_skip_helper(1, idx);
1654 * Test that a server attempting to read early data can handle a connection
1655 * from a client that doesn't send any.
1657 static int test_early_data_not_sent(int idx)
1659 SSL_CTX *cctx = NULL, *sctx = NULL;
1660 SSL *clientssl = NULL, *serverssl = NULL;
1662 SSL_SESSION *sess = NULL;
1663 unsigned char buf[20];
1664 size_t readbytes, written;
1666 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1667 &serverssl, &sess, idx)))
1670 /* Write some data - should block due to handshake with server */
1671 SSL_set_connect_state(clientssl);
1672 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1675 /* Server should detect that early data has not been sent */
1676 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1678 SSL_READ_EARLY_DATA_FINISH)
1679 || !TEST_size_t_eq(readbytes, 0)
1680 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1681 SSL_EARLY_DATA_NOT_SENT)
1682 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1683 SSL_EARLY_DATA_NOT_SENT))
1686 /* Continue writing the message we started earlier */
1687 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1688 || !TEST_size_t_eq(written, strlen(MSG1))
1689 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1690 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1691 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
1692 || !TEST_size_t_eq(written, strlen(MSG2)))
1696 * Should block due to the NewSessionTicket arrival unless we're using
1700 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1704 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1705 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1711 SSL_SESSION_free(sess);
1712 SSL_free(serverssl);
1713 SSL_free(clientssl);
1720 * Test that a server that doesn't try to read early data can handle a
1721 * client sending some.
1723 static int test_early_data_not_expected(int idx)
1725 SSL_CTX *cctx = NULL, *sctx = NULL;
1726 SSL *clientssl = NULL, *serverssl = NULL;
1728 SSL_SESSION *sess = NULL;
1729 unsigned char buf[20];
1730 size_t readbytes, written;
1733 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1734 &serverssl, &sess, idx)))
1737 /* Write some early data */
1738 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1743 * Server should skip over early data and then block waiting for client to
1744 * continue handshake
1746 if (!TEST_int_le(SSL_accept(serverssl), 0)
1747 || !TEST_int_gt(SSL_connect(clientssl), 0)
1748 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1749 SSL_EARLY_DATA_REJECTED)
1750 || !TEST_int_gt(SSL_accept(serverssl), 0)
1751 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1752 SSL_EARLY_DATA_REJECTED))
1755 /* Send some normal data from client to server */
1756 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1757 || !TEST_size_t_eq(written, strlen(MSG2)))
1760 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1761 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1767 SSL_SESSION_free(sess);
1768 SSL_free(serverssl);
1769 SSL_free(clientssl);
1776 # ifndef OPENSSL_NO_TLS1_2
1778 * Test that a server attempting to read early data can handle a connection
1779 * from a TLSv1.2 client.
1781 static int test_early_data_tls1_2(int idx)
1783 SSL_CTX *cctx = NULL, *sctx = NULL;
1784 SSL *clientssl = NULL, *serverssl = NULL;
1786 unsigned char buf[20];
1787 size_t readbytes, written;
1789 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1790 TLS_client_method(), &sctx,
1791 &cctx, cert, privkey)))
1794 /* When idx == 1 we repeat the tests with read_ahead set */
1796 SSL_CTX_set_read_ahead(cctx, 1);
1797 SSL_CTX_set_read_ahead(sctx, 1);
1800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1801 &clientssl, NULL, NULL)))
1804 /* Write some data - should block due to handshake with server */
1805 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
1806 SSL_set_connect_state(clientssl);
1807 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1811 * Server should do TLSv1.2 handshake. First it will block waiting for more
1812 * messages from client after ServerDone. Then SSL_read_early_data should
1813 * finish and detect that early data has not been sent
1815 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1817 SSL_READ_EARLY_DATA_ERROR))
1821 * Continue writing the message we started earlier. Will still block waiting
1822 * for the CCS/Finished from server
1824 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1825 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1827 SSL_READ_EARLY_DATA_FINISH)
1828 || !TEST_size_t_eq(readbytes, 0)
1829 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1830 SSL_EARLY_DATA_NOT_SENT))
1833 /* Continue writing the message we started earlier */
1834 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1835 || !TEST_size_t_eq(written, strlen(MSG1))
1836 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1837 SSL_EARLY_DATA_NOT_SENT)
1838 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1839 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1840 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
1841 || !TEST_size_t_eq(written, strlen(MSG2))
1842 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
1843 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1849 SSL_free(serverssl);
1850 SSL_free(clientssl);
1856 # endif /* OPENSSL_NO_TLS1_2 */
1858 static int test_ciphersuite_change(void)
1860 SSL_CTX *cctx = NULL, *sctx = NULL;
1861 SSL *clientssl = NULL, *serverssl = NULL;
1862 SSL_SESSION *clntsess = NULL;
1864 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
1866 /* Create a session based on SHA-256 */
1867 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1868 TLS_client_method(), &sctx,
1869 &cctx, cert, privkey))
1870 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1871 "TLS13-AES-128-GCM-SHA256"))
1872 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1873 &clientssl, NULL, NULL))
1874 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1878 clntsess = SSL_get1_session(clientssl);
1879 /* Save for later */
1880 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
1881 SSL_shutdown(clientssl);
1882 SSL_shutdown(serverssl);
1883 SSL_free(serverssl);
1884 SSL_free(clientssl);
1885 serverssl = clientssl = NULL;
1887 /* Check we can resume a session with a different SHA-256 ciphersuite */
1888 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
1889 "TLS13-CHACHA20-POLY1305-SHA256"))
1890 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1892 || !TEST_true(SSL_set_session(clientssl, clntsess))
1893 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1895 || !TEST_true(SSL_session_reused(clientssl)))
1898 SSL_SESSION_free(clntsess);
1899 clntsess = SSL_get1_session(clientssl);
1900 SSL_shutdown(clientssl);
1901 SSL_shutdown(serverssl);
1902 SSL_free(serverssl);
1903 SSL_free(clientssl);
1904 serverssl = clientssl = NULL;
1907 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
1908 * succeeds but does not resume.
1910 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
1911 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1913 || !TEST_true(SSL_set_session(clientssl, clntsess))
1914 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1916 || !TEST_false(SSL_session_reused(clientssl)))
1919 SSL_SESSION_free(clntsess);
1921 SSL_shutdown(clientssl);
1922 SSL_shutdown(serverssl);
1923 SSL_free(serverssl);
1924 SSL_free(clientssl);
1925 serverssl = clientssl = NULL;
1927 /* Create a session based on SHA384 */
1928 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
1929 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1930 &clientssl, NULL, NULL))
1931 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1935 clntsess = SSL_get1_session(clientssl);
1936 SSL_shutdown(clientssl);
1937 SSL_shutdown(serverssl);
1938 SSL_free(serverssl);
1939 SSL_free(clientssl);
1940 serverssl = clientssl = NULL;
1942 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
1943 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
1944 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1945 "TLS13-AES-256-GCM-SHA384"))
1946 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1948 || !TEST_true(SSL_set_session(clientssl, clntsess))
1950 * We use SSL_ERROR_WANT_READ below so that we can pause the
1951 * connection after the initial ClientHello has been sent to
1952 * enable us to make some session changes.
1954 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1955 SSL_ERROR_WANT_READ)))
1958 /* Trick the client into thinking this session is for a different digest */
1959 clntsess->cipher = aes_128_gcm_sha256;
1960 clntsess->cipher_id = clntsess->cipher->id;
1963 * Continue the previously started connection. Server has selected a SHA-384
1964 * ciphersuite, but client thinks the session is for SHA-256, so it should
1967 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
1969 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
1970 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
1976 SSL_SESSION_free(clntsess);
1977 SSL_free(serverssl);
1978 SSL_free(clientssl);
1986 static SSL_SESSION *psk = NULL;
1987 static const char *pskid = "Identity";
1988 static const char *srvid;
1990 static int use_session_cb_cnt = 0;
1991 static int find_session_cb_cnt = 0;
1993 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1994 size_t *idlen, SSL_SESSION **sess)
1996 switch (++use_session_cb_cnt) {
1998 /* The first call should always have a NULL md */
2004 /* The second call should always have an md */
2010 /* We should only be called a maximum of twice */
2015 SSL_SESSION_up_ref(psk);
2018 *id = (const unsigned char *)pskid;
2019 *idlen = strlen(pskid);
2024 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2025 size_t identity_len, SSL_SESSION **sess)
2027 find_session_cb_cnt++;
2029 /* We should only ever be called a maximum of twice per connection */
2030 if (find_session_cb_cnt > 2)
2036 /* Identity should match that set by the client */
2037 if (strlen(srvid) != identity_len
2038 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2039 /* No PSK found, continue but without a PSK */
2044 SSL_SESSION_up_ref(psk);
2050 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2052 static int test_tls13_psk(void)
2054 SSL_CTX *sctx = NULL, *cctx = NULL;
2055 SSL *serverssl = NULL, *clientssl = NULL;
2056 const SSL_CIPHER *cipher = NULL;
2057 const unsigned char key[] = {
2058 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2059 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2060 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2061 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2065 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2066 TLS_client_method(), &sctx,
2067 &cctx, cert, privkey)))
2070 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2071 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2074 /* Check we can create a connection if callback decides not to send a PSK */
2075 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2077 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2079 || !TEST_false(SSL_session_reused(clientssl))
2080 || !TEST_false(SSL_session_reused(serverssl))
2081 || !TEST_true(use_session_cb_cnt == 1)
2082 || !TEST_true(find_session_cb_cnt == 0))
2085 shutdown_ssl_connection(serverssl, clientssl);
2086 serverssl = clientssl = NULL;
2087 use_session_cb_cnt = 0;
2089 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2093 /* Create the PSK */
2094 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
2095 psk = SSL_SESSION_new();
2097 || !TEST_ptr(cipher)
2098 || !TEST_true(SSL_SESSION_set1_master_key(psk, key, sizeof(key)))
2099 || !TEST_true(SSL_SESSION_set_cipher(psk, cipher))
2100 || !TEST_true(SSL_SESSION_set_protocol_version(psk,
2104 /* Check we can create a connection and the PSK is used */
2105 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2106 || !TEST_true(SSL_session_reused(clientssl))
2107 || !TEST_true(SSL_session_reused(serverssl))
2108 || !TEST_true(use_session_cb_cnt == 1)
2109 || !TEST_true(find_session_cb_cnt == 1))
2112 shutdown_ssl_connection(serverssl, clientssl);
2113 serverssl = clientssl = NULL;
2114 use_session_cb_cnt = find_session_cb_cnt = 0;
2116 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2121 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2125 * Check we can create a connection, the PSK is used and the callbacks are
2128 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2129 || !TEST_true(SSL_session_reused(clientssl))
2130 || !TEST_true(SSL_session_reused(serverssl))
2131 || !TEST_true(use_session_cb_cnt == 2)
2132 || !TEST_true(find_session_cb_cnt == 2))
2135 shutdown_ssl_connection(serverssl, clientssl);
2136 serverssl = clientssl = NULL;
2137 use_session_cb_cnt = find_session_cb_cnt = 0;
2140 * Check that if the server rejects the PSK we can still connect, but with
2143 srvid = "Dummy Identity";
2144 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2146 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2148 || !TEST_false(SSL_session_reused(clientssl))
2149 || !TEST_false(SSL_session_reused(serverssl))
2150 || !TEST_true(use_session_cb_cnt == 1)
2151 || !TEST_true(find_session_cb_cnt == 1))
2154 shutdown_ssl_connection(serverssl, clientssl);
2155 serverssl = clientssl = NULL;
2159 SSL_SESSION_free(psk);
2160 SSL_free(serverssl);
2161 SSL_free(clientssl);
2167 #endif /* OPENSSL_NO_TLS1_3 */
2169 static int clntaddoldcb = 0;
2170 static int clntparseoldcb = 0;
2171 static int srvaddoldcb = 0;
2172 static int srvparseoldcb = 0;
2173 static int clntaddnewcb = 0;
2174 static int clntparsenewcb = 0;
2175 static int srvaddnewcb = 0;
2176 static int srvparsenewcb = 0;
2177 static int snicb = 0;
2179 #define TEST_EXT_TYPE1 0xff00
2181 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2182 size_t *outlen, int *al, void *add_arg)
2184 int *server = (int *)add_arg;
2185 unsigned char *data;
2187 if (SSL_is_server(s))
2192 if (*server != SSL_is_server(s)
2193 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2198 *outlen = sizeof(char);
2202 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2205 OPENSSL_free((unsigned char *)out);
2208 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2209 size_t inlen, int *al, void *parse_arg)
2211 int *server = (int *)parse_arg;
2213 if (SSL_is_server(s))
2218 if (*server != SSL_is_server(s)
2219 || inlen != sizeof(char)
2226 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2227 const unsigned char **out, size_t *outlen, X509 *x,
2228 size_t chainidx, int *al, void *add_arg)
2230 int *server = (int *)add_arg;
2231 unsigned char *data;
2233 if (SSL_is_server(s))
2238 if (*server != SSL_is_server(s)
2239 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2244 *outlen = sizeof(*data);
2248 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2249 const unsigned char *out, void *add_arg)
2251 OPENSSL_free((unsigned char *)out);
2254 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2255 const unsigned char *in, size_t inlen, X509 *x,
2256 size_t chainidx, int *al, void *parse_arg)
2258 int *server = (int *)parse_arg;
2260 if (SSL_is_server(s))
2265 if (*server != SSL_is_server(s)
2266 || inlen != sizeof(char) || *in != 1)
2272 static int sni_cb(SSL *s, int *al, void *arg)
2274 SSL_CTX *ctx = (SSL_CTX *)arg;
2276 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2277 *al = SSL_AD_INTERNAL_ERROR;
2278 return SSL_TLSEXT_ERR_ALERT_FATAL;
2281 return SSL_TLSEXT_ERR_OK;
2285 * Custom call back tests.
2286 * Test 0: Old style callbacks in TLSv1.2
2287 * Test 1: New style callbacks in TLSv1.2
2288 * Test 2: New style callbacks in TLSv1.2 with SNI
2289 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2290 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2292 static int test_custom_exts(int tst)
2294 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2295 SSL *clientssl = NULL, *serverssl = NULL;
2297 static int server = 1;
2298 static int client = 0;
2299 SSL_SESSION *sess = NULL;
2300 unsigned int context;
2302 /* Reset callback counters */
2303 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2304 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2307 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2308 TLS_client_method(), &sctx,
2309 &cctx, cert, privkey)))
2313 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2314 NULL, cert, privkey)))
2319 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2320 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2322 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2326 context = SSL_EXT_CLIENT_HELLO
2327 | SSL_EXT_TLS1_2_SERVER_HELLO
2328 | SSL_EXT_TLS1_3_SERVER_HELLO
2329 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2330 | SSL_EXT_TLS1_3_CERTIFICATE
2331 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2333 context = SSL_EXT_CLIENT_HELLO
2334 | SSL_EXT_TLS1_2_SERVER_HELLO
2335 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2338 /* Create a client side custom extension */
2340 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2341 old_add_cb, old_free_cb,
2342 &client, old_parse_cb,
2346 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2347 new_add_cb, new_free_cb,
2348 &client, new_parse_cb, &client)))
2352 /* Should not be able to add duplicates */
2353 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2354 old_add_cb, old_free_cb,
2355 &client, old_parse_cb,
2357 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
2358 context, new_add_cb,
2359 new_free_cb, &client,
2360 new_parse_cb, &client)))
2363 /* Create a server side custom extension */
2365 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2366 old_add_cb, old_free_cb,
2367 &server, old_parse_cb,
2371 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
2372 new_add_cb, new_free_cb,
2373 &server, new_parse_cb, &server)))
2376 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
2377 context, new_add_cb,
2378 new_free_cb, &server,
2379 new_parse_cb, &server)))
2383 /* Should not be able to add duplicates */
2384 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2385 old_add_cb, old_free_cb,
2386 &server, old_parse_cb,
2388 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
2389 context, new_add_cb,
2390 new_free_cb, &server,
2391 new_parse_cb, &server)))
2396 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
2397 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
2401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2402 &clientssl, NULL, NULL))
2403 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2408 if (clntaddoldcb != 1
2409 || clntparseoldcb != 1
2411 || srvparseoldcb != 1)
2413 } else if (tst == 1 || tst == 2 || tst == 3) {
2414 if (clntaddnewcb != 1
2415 || clntparsenewcb != 1
2417 || srvparsenewcb != 1
2418 || (tst != 2 && snicb != 0)
2419 || (tst == 2 && snicb != 1))
2422 if (clntaddnewcb != 1
2423 || clntparsenewcb != 4
2425 || srvparsenewcb != 1)
2429 sess = SSL_get1_session(clientssl);
2430 SSL_shutdown(clientssl);
2431 SSL_shutdown(serverssl);
2432 SSL_free(serverssl);
2433 SSL_free(clientssl);
2434 serverssl = clientssl = NULL;
2437 /* We don't bother with the resumption aspects for this test */
2442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2444 || !TEST_true(SSL_set_session(clientssl, sess))
2445 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2450 * For a resumed session we expect to add the ClientHello extension. For the
2451 * old style callbacks we ignore it on the server side because they set
2452 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
2456 if (clntaddoldcb != 2
2457 || clntparseoldcb != 1
2459 || srvparseoldcb != 1)
2461 } else if (tst == 1 || tst == 2 || tst == 3) {
2462 if (clntaddnewcb != 2
2463 || clntparsenewcb != 2
2465 || srvparsenewcb != 2)
2468 /* No Certificate message extensions in the resumption handshake */
2469 if (clntaddnewcb != 2
2470 || clntparsenewcb != 7
2472 || srvparsenewcb != 2)
2479 SSL_SESSION_free(sess);
2480 SSL_free(serverssl);
2481 SSL_free(clientssl);
2482 SSL_CTX_free(sctx2);
2489 * Test loading of serverinfo data in various formats. test_sslmessages actually
2490 * tests to make sure the extensions appear in the handshake
2492 static int test_serverinfo(int tst)
2494 unsigned int version;
2495 unsigned char *sibuf;
2497 int ret, expected, testresult = 0;
2500 ctx = SSL_CTX_new(TLS_method());
2504 if ((tst & 0x01) == 0x01)
2505 version = SSL_SERVERINFOV2;
2507 version = SSL_SERVERINFOV1;
2509 if ((tst & 0x02) == 0x02) {
2510 sibuf = serverinfov2;
2511 sibuflen = sizeof(serverinfov2);
2512 expected = (version == SSL_SERVERINFOV2);
2514 sibuf = serverinfov1;
2515 sibuflen = sizeof(serverinfov1);
2516 expected = (version == SSL_SERVERINFOV1);
2519 if ((tst & 0x04) == 0x04) {
2520 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
2522 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
2525 * The version variable is irrelevant in this case - it's what is in the
2526 * buffer that matters
2528 if ((tst & 0x02) == 0x02)
2534 if (!TEST_true(ret == expected))
2546 * Test that SSL_export_keying_material() produces expected results. There are
2547 * no test vectors so all we do is test that both sides of the communication
2548 * produce the same results for different protocol versions.
2550 static int test_export_key_mat(int tst)
2553 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2554 SSL *clientssl = NULL, *serverssl = NULL;
2555 const char label[] = "test label";
2556 const unsigned char context[] = "context";
2557 const unsigned char *emptycontext = NULL;
2558 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
2559 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
2560 const int protocols[] = {
2567 #ifdef OPENSSL_NO_TLS1
2571 #ifdef OPENSSL_NO_TLS1_1
2575 #ifdef OPENSSL_NO_TLS1_2
2579 #ifdef OPENSSL_NO_TLS1_3
2583 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2584 TLS_client_method(), &sctx,
2585 &cctx, cert, privkey)))
2588 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
2589 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
2590 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2592 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
2594 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2598 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
2599 sizeof(ckeymat1), label,
2600 sizeof(label) - 1, context,
2601 sizeof(context) - 1, 1), 1)
2602 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
2603 sizeof(ckeymat2), label,
2607 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
2608 sizeof(ckeymat3), label,
2611 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
2612 sizeof(skeymat1), label,
2615 sizeof(context) -1, 1),
2617 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
2618 sizeof(skeymat2), label,
2622 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
2623 sizeof(skeymat3), label,
2627 * Check that both sides created the same key material with the
2630 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
2633 * Check that both sides created the same key material with an
2636 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
2639 * Check that both sides created the same key material without a
2642 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
2644 /* Different contexts should produce different results */
2645 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
2650 * Check that an empty context and no context produce different results in
2651 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
2653 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2655 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
2662 SSL_free(serverssl);
2663 SSL_free(clientssl);
2664 SSL_CTX_free(sctx2);
2671 static int test_ssl_clear(int idx)
2673 SSL_CTX *cctx = NULL, *sctx = NULL;
2674 SSL *clientssl = NULL, *serverssl = NULL;
2677 #ifdef OPENSSL_NO_TLS1_2
2682 /* Create an initial connection */
2683 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2684 TLS_client_method(), &sctx,
2685 &cctx, cert, privkey))
2687 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
2689 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2690 &clientssl, NULL, NULL))
2691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2695 SSL_shutdown(clientssl);
2696 SSL_shutdown(serverssl);
2697 SSL_free(serverssl);
2700 /* Clear clientssl - we're going to reuse the object */
2701 if (!TEST_true(SSL_clear(clientssl)))
2704 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2708 || !TEST_true(SSL_session_reused(clientssl)))
2711 SSL_shutdown(clientssl);
2712 SSL_shutdown(serverssl);
2717 SSL_free(serverssl);
2718 SSL_free(clientssl);
2725 int setup_tests(void)
2727 if (!TEST_ptr(cert = test_get_argument(0))
2728 || !TEST_ptr(privkey = test_get_argument(1)))
2731 ADD_TEST(test_large_message_tls);
2732 ADD_TEST(test_large_message_tls_read_ahead);
2733 #ifndef OPENSSL_NO_DTLS
2734 ADD_TEST(test_large_message_dtls);
2736 #ifndef OPENSSL_NO_OCSP
2737 ADD_TEST(test_tlsext_status_type);
2739 ADD_TEST(test_session_with_only_int_cache);
2740 ADD_TEST(test_session_with_only_ext_cache);
2741 ADD_TEST(test_session_with_both_cache);
2742 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
2743 ADD_TEST(test_ssl_bio_pop_next_bio);
2744 ADD_TEST(test_ssl_bio_pop_ssl_bio);
2745 ADD_TEST(test_ssl_bio_change_rbio);
2746 ADD_TEST(test_ssl_bio_change_wbio);
2747 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
2748 ADD_TEST(test_keylog);
2749 #ifndef OPENSSL_NO_TLS1_3
2750 ADD_TEST(test_keylog_no_master_key);
2752 #ifndef OPENSSL_NO_TLS1_2
2753 ADD_TEST(test_early_cb);
2755 #ifndef OPENSSL_NO_TLS1_3
2756 ADD_ALL_TESTS(test_early_data_read_write, 2);
2757 ADD_ALL_TESTS(test_early_data_skip, 2);
2758 ADD_ALL_TESTS(test_early_data_skip_hrr, 2);
2759 ADD_ALL_TESTS(test_early_data_not_sent, 2);
2760 ADD_ALL_TESTS(test_early_data_not_expected, 2);
2761 # ifndef OPENSSL_NO_TLS1_2
2762 ADD_ALL_TESTS(test_early_data_tls1_2, 2);
2765 #ifndef OPENSSL_NO_TLS1_3
2766 ADD_TEST(test_ciphersuite_change);
2767 ADD_TEST(test_tls13_psk);
2768 ADD_ALL_TESTS(test_custom_exts, 5);
2770 ADD_ALL_TESTS(test_custom_exts, 3);
2772 ADD_ALL_TESTS(test_serverinfo, 8);
2773 ADD_ALL_TESTS(test_export_key_mat, 4);
2774 ADD_ALL_TESTS(test_ssl_clear, 2);
2778 void cleanup_tests(void)
2780 bio_s_mempacket_test_free();