2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
18 #include "ssltestlib.h"
20 #include "internal/nelem.h"
21 #include "../ssl/ssl_locl.h"
23 static char *cert = NULL;
24 static char *privkey = NULL;
26 #define LOG_BUFFER_SIZE 1024
27 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
28 static size_t server_log_buffer_index = 0;
29 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
30 static size_t client_log_buffer_index = 0;
31 static int error_writing_log = 0;
33 #ifndef OPENSSL_NO_OCSP
34 static const unsigned char orespder[] = "Dummy OCSP Response";
35 static int ocsp_server_called = 0;
36 static int ocsp_client_called = 0;
38 static int cdummyarg = 1;
39 static X509 *ocspcert = NULL;
42 #define NUM_EXTRA_CERTS 40
45 * This structure is used to validate that the correct number of log messages
46 * of various types are emitted when emitting secret logs.
48 struct sslapitest_log_counts {
49 unsigned int rsa_key_exchange_count;
50 unsigned int master_secret_count;
51 unsigned int client_handshake_secret_count;
52 unsigned int server_handshake_secret_count;
53 unsigned int client_application_secret_count;
54 unsigned int server_application_secret_count;
58 static unsigned char serverinfov1[] = {
59 0xff, 0xff, /* Dummy extension type */
60 0x00, 0x01, /* Extension length is 1 byte */
61 0xff /* Dummy extension data */
64 static unsigned char serverinfov2[] = {
66 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
67 0xff, 0xff, /* Dummy extension type */
68 0x00, 0x01, /* Extension length is 1 byte */
69 0xff /* Dummy extension data */
72 static void client_keylog_callback(const SSL *ssl, const char *line)
74 int line_length = strlen(line);
76 /* If the log doesn't fit, error out. */
77 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
78 TEST_info("Client log too full");
79 error_writing_log = 1;
83 strcat(client_log_buffer, line);
84 client_log_buffer_index += line_length;
85 client_log_buffer[client_log_buffer_index++] = '\n';
88 static void server_keylog_callback(const SSL *ssl, const char *line)
90 int line_length = strlen(line);
92 /* If the log doesn't fit, error out. */
93 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
94 TEST_info("Server log too full");
95 error_writing_log = 1;
99 strcat(server_log_buffer, line);
100 server_log_buffer_index += line_length;
101 server_log_buffer[server_log_buffer_index++] = '\n';
104 static int compare_hex_encoded_buffer(const char *hex_encoded,
112 if (!TEST_size_t_eq(raw_length * 2, hex_length))
115 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
116 sprintf(hexed, "%02x", raw[i]);
117 if (!TEST_int_eq(hexed[0], hex_encoded[j])
118 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
125 static int test_keylog_output(char *buffer, const SSL *ssl,
126 const SSL_SESSION *session,
127 struct sslapitest_log_counts *expected)
130 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
131 size_t client_random_size = SSL3_RANDOM_SIZE;
132 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
133 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
134 unsigned int rsa_key_exchange_count = 0;
135 unsigned int master_secret_count = 0;
136 unsigned int client_handshake_secret_count = 0;
137 unsigned int server_handshake_secret_count = 0;
138 unsigned int client_application_secret_count = 0;
139 unsigned int server_application_secret_count = 0;
141 for (token = strtok(buffer, " \n"); token != NULL;
142 token = strtok(NULL, " \n")) {
143 if (strcmp(token, "RSA") == 0) {
145 * Premaster secret. Tokens should be: 16 ASCII bytes of
146 * hex-encoded encrypted secret, then the hex-encoded pre-master
149 if (!TEST_ptr(token = strtok(NULL, " \n")))
151 if (!TEST_size_t_eq(strlen(token), 16))
153 if (!TEST_ptr(token = strtok(NULL, " \n")))
156 * We can't sensibly check the log because the premaster secret is
157 * transient, and OpenSSL doesn't keep hold of it once the master
158 * secret is generated.
160 rsa_key_exchange_count++;
161 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
163 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
164 * client random, then the hex-encoded master secret.
166 client_random_size = SSL_get_client_random(ssl,
167 actual_client_random,
169 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
172 if (!TEST_ptr(token = strtok(NULL, " \n")))
174 if (!TEST_size_t_eq(strlen(token), 64))
176 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
177 actual_client_random,
178 client_random_size)))
181 if (!TEST_ptr(token = strtok(NULL, " \n")))
183 master_key_size = SSL_SESSION_get_master_key(session,
186 if (!TEST_size_t_ne(master_key_size, 0))
188 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
192 master_secret_count++;
193 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
194 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
196 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
198 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
199 * client random, and then the hex-encoded secret. In this case,
200 * we treat all of these secrets identically and then just
201 * distinguish between them when counting what we saw.
203 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
204 client_handshake_secret_count++;
205 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
206 server_handshake_secret_count++;
207 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
208 client_application_secret_count++;
209 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
210 server_application_secret_count++;
212 client_random_size = SSL_get_client_random(ssl,
213 actual_client_random,
215 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
220 if (!TEST_size_t_eq(strlen(token), 64))
222 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
223 actual_client_random,
224 client_random_size)))
227 if (!TEST_ptr(token = strtok(NULL, " \n")))
231 * TODO(TLS1.3): test that application traffic secrets are what
234 TEST_info("Unexpected token %s\n", token);
239 /* Got what we expected? */
240 if (!TEST_size_t_eq(rsa_key_exchange_count,
241 expected->rsa_key_exchange_count)
242 || !TEST_size_t_eq(master_secret_count,
243 expected->master_secret_count)
244 || !TEST_size_t_eq(client_handshake_secret_count,
245 expected->client_handshake_secret_count)
246 || !TEST_size_t_eq(server_handshake_secret_count,
247 expected->server_handshake_secret_count)
248 || !TEST_size_t_eq(client_application_secret_count,
249 expected->client_application_secret_count)
250 || !TEST_size_t_eq(server_application_secret_count,
251 expected->server_application_secret_count))
256 static int test_keylog(void)
258 SSL_CTX *cctx = NULL, *sctx = NULL;
259 SSL *clientssl = NULL, *serverssl = NULL;
261 struct sslapitest_log_counts expected = {0};
263 /* Clean up logging space */
264 memset(client_log_buffer, 0, sizeof(client_log_buffer));
265 memset(server_log_buffer, 0, sizeof(server_log_buffer));
266 client_log_buffer_index = 0;
267 server_log_buffer_index = 0;
268 error_writing_log = 0;
270 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
272 &sctx, &cctx, cert, privkey)))
275 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
276 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
277 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
279 /* We also want to ensure that we use RSA-based key exchange. */
280 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
283 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
284 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
286 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
287 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
288 == client_keylog_callback))
290 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
291 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
292 == server_keylog_callback))
295 /* Now do a handshake and check that the logs have been written to. */
296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
297 &clientssl, NULL, NULL))
298 || !TEST_true(create_ssl_connection(serverssl, clientssl,
300 || !TEST_false(error_writing_log)
301 || !TEST_int_gt(client_log_buffer_index, 0)
302 || !TEST_int_gt(server_log_buffer_index, 0))
306 * Now we want to test that our output data was vaguely sensible. We
307 * do that by using strtok and confirming that we have more or less the
308 * data we expect. For both client and server, we expect to see one master
309 * secret. The client should also see a RSA key exchange.
311 expected.rsa_key_exchange_count = 1;
312 expected.master_secret_count = 1;
313 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
314 SSL_get_session(clientssl), &expected)))
317 expected.rsa_key_exchange_count = 0;
318 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
319 SSL_get_session(serverssl), &expected)))
333 #ifndef OPENSSL_NO_TLS1_3
334 static int test_keylog_no_master_key(void)
336 SSL_CTX *cctx = NULL, *sctx = NULL;
337 SSL *clientssl = NULL, *serverssl = NULL;
339 struct sslapitest_log_counts expected = {0};
341 /* Clean up logging space */
342 memset(client_log_buffer, 0, sizeof(client_log_buffer));
343 memset(server_log_buffer, 0, sizeof(server_log_buffer));
344 client_log_buffer_index = 0;
345 server_log_buffer_index = 0;
346 error_writing_log = 0;
348 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
349 TLS_client_method(), &sctx,
350 &cctx, cert, privkey)))
353 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
354 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
357 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
358 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
359 == client_keylog_callback))
362 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
363 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
364 == server_keylog_callback))
367 /* Now do a handshake and check that the logs have been written to. */
368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
369 &clientssl, NULL, NULL))
370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
372 || !TEST_false(error_writing_log))
376 * Now we want to test that our output data was vaguely sensible. For this
377 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
378 * TLSv1.3, but we do expect both client and server to emit keys.
380 expected.client_handshake_secret_count = 1;
381 expected.server_handshake_secret_count = 1;
382 expected.client_application_secret_count = 1;
383 expected.server_application_secret_count = 1;
384 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
385 SSL_get_session(clientssl), &expected))
386 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
387 SSL_get_session(serverssl),
403 #ifndef OPENSSL_NO_TLS1_2
404 static int full_client_hello_callback(SSL *s, int *al, void *arg)
407 const unsigned char *p;
409 /* We only configure two ciphers, but the SCSV is added automatically. */
411 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
413 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
416 const int expected_extensions[] = {
417 #ifndef OPENSSL_NO_EC
423 /* Make sure we can defer processing and get called back. */
425 return SSL_CLIENT_HELLO_RETRY;
427 len = SSL_client_hello_get0_ciphers(s, &p);
428 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
430 SSL_client_hello_get0_compression_methods(s, &p), 1)
431 || !TEST_int_eq(*p, 0))
432 return SSL_CLIENT_HELLO_ERROR;
433 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
434 return SSL_CLIENT_HELLO_ERROR;
435 if (len != OSSL_NELEM(expected_extensions) ||
436 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
437 printf("ClientHello callback expected extensions mismatch\n");
439 return SSL_CLIENT_HELLO_ERROR;
442 return SSL_CLIENT_HELLO_SUCCESS;
445 static int test_client_hello_cb(void)
447 SSL_CTX *cctx = NULL, *sctx = NULL;
448 SSL *clientssl = NULL, *serverssl = NULL;
449 int testctr = 0, testresult = 0;
451 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
452 TLS_client_method(), &sctx,
453 &cctx, cert, privkey)))
455 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
457 /* The gimpy cipher list we configure can't do TLS 1.3. */
458 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
460 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
461 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
462 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
463 &clientssl, NULL, NULL))
464 || !TEST_false(create_ssl_connection(serverssl, clientssl,
465 SSL_ERROR_WANT_CLIENT_HELLO_CB))
467 * Passing a -1 literal is a hack since
468 * the real value was lost.
470 || !TEST_int_eq(SSL_get_error(serverssl, -1),
471 SSL_ERROR_WANT_CLIENT_HELLO_CB)
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
488 static int execute_test_large_message(const SSL_METHOD *smeth,
489 const SSL_METHOD *cmeth, int read_ahead)
491 SSL_CTX *cctx = NULL, *sctx = NULL;
492 SSL *clientssl = NULL, *serverssl = NULL;
496 X509 *chaincert = NULL;
499 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
501 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
504 if (!TEST_ptr(chaincert))
507 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
508 &cctx, cert, privkey)))
513 * Test that read_ahead works correctly when dealing with large
516 SSL_CTX_set_read_ahead(cctx, 1);
520 * We assume the supplied certificate is big enough so that if we add
521 * NUM_EXTRA_CERTS it will make the overall message large enough. The
522 * default buffer size is requested to be 16k, but due to the way BUF_MEM
523 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
524 * test we need to have a message larger than that.
526 certlen = i2d_X509(chaincert, NULL);
527 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
528 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
529 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
530 if (!X509_up_ref(chaincert))
532 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
533 X509_free(chaincert);
538 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
540 || !TEST_true(create_ssl_connection(serverssl, clientssl,
545 * Calling SSL_clear() first is not required but this tests that SSL_clear()
546 * doesn't leak (when using enable-crypto-mdebug).
548 if (!TEST_true(SSL_clear(serverssl)))
553 X509_free(chaincert);
562 static int test_large_message_tls(void)
564 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
568 static int test_large_message_tls_read_ahead(void)
570 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
574 #ifndef OPENSSL_NO_DTLS
575 static int test_large_message_dtls(void)
578 * read_ahead is not relevant to DTLS because DTLS always acts as if
581 return execute_test_large_message(DTLS_server_method(),
582 DTLS_client_method(), 0);
586 #ifndef OPENSSL_NO_OCSP
587 static int ocsp_server_cb(SSL *s, void *arg)
589 int *argi = (int *)arg;
590 unsigned char *copy = NULL;
591 STACK_OF(OCSP_RESPID) *ids = NULL;
592 OCSP_RESPID *id = NULL;
595 /* In this test we are expecting exactly 1 OCSP_RESPID */
596 SSL_get_tlsext_status_ids(s, &ids);
597 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
598 return SSL_TLSEXT_ERR_ALERT_FATAL;
600 id = sk_OCSP_RESPID_value(ids, 0);
601 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
602 return SSL_TLSEXT_ERR_ALERT_FATAL;
603 } else if (*argi != 1) {
604 return SSL_TLSEXT_ERR_ALERT_FATAL;
607 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
608 return SSL_TLSEXT_ERR_ALERT_FATAL;
610 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
611 ocsp_server_called = 1;
612 return SSL_TLSEXT_ERR_OK;
615 static int ocsp_client_cb(SSL *s, void *arg)
617 int *argi = (int *)arg;
618 const unsigned char *respderin;
621 if (*argi != 1 && *argi != 2)
624 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
625 if (!TEST_mem_eq(orespder, len, respderin, len))
628 ocsp_client_called = 1;
632 static int test_tlsext_status_type(void)
634 SSL_CTX *cctx = NULL, *sctx = NULL;
635 SSL *clientssl = NULL, *serverssl = NULL;
637 STACK_OF(OCSP_RESPID) *ids = NULL;
638 OCSP_RESPID *id = NULL;
641 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
642 &cctx, cert, privkey))
645 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
648 /* First just do various checks getting and setting tlsext_status_type */
650 clientssl = SSL_new(cctx);
651 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
652 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
653 TLSEXT_STATUSTYPE_ocsp))
654 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
655 TLSEXT_STATUSTYPE_ocsp))
661 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
662 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
665 clientssl = SSL_new(cctx);
666 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
672 * Now actually do a handshake and check OCSP information is exchanged and
673 * the callbacks get called
675 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
676 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
677 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
678 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
680 &clientssl, NULL, NULL))
681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
683 || !TEST_true(ocsp_client_called)
684 || !TEST_true(ocsp_server_called))
691 /* Try again but this time force the server side callback to fail */
692 ocsp_client_called = 0;
693 ocsp_server_called = 0;
695 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
696 &clientssl, NULL, NULL))
697 /* This should fail because the callback will fail */
698 || !TEST_false(create_ssl_connection(serverssl, clientssl,
700 || !TEST_false(ocsp_client_called)
701 || !TEST_false(ocsp_server_called))
709 * This time we'll get the client to send an OCSP_RESPID that it will
712 ocsp_client_called = 0;
713 ocsp_server_called = 0;
715 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
716 &clientssl, NULL, NULL)))
720 * We'll just use any old cert for this test - it doesn't have to be an OCSP
721 * specific one. We'll use the server cert.
723 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
724 || !TEST_ptr(id = OCSP_RESPID_new())
725 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
726 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
728 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
729 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
732 SSL_set_tlsext_status_ids(clientssl, ids);
733 /* Control has been transferred */
739 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
741 || !TEST_true(ocsp_client_called)
742 || !TEST_true(ocsp_server_called))
752 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
753 OCSP_RESPID_free(id);
762 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
763 static int new_called, remove_called, get_called;
765 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
769 * sess has been up-refed for us, but we don't actually need it so free it
772 SSL_SESSION_free(sess);
776 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
781 static SSL_SESSION *get_sess_val = NULL;
783 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
791 static int execute_test_session(int maxprot, int use_int_cache,
794 SSL_CTX *sctx = NULL, *cctx = NULL;
795 SSL *serverssl1 = NULL, *clientssl1 = NULL;
796 SSL *serverssl2 = NULL, *clientssl2 = NULL;
797 # ifndef OPENSSL_NO_TLS1_1
798 SSL *serverssl3 = NULL, *clientssl3 = NULL;
800 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
803 new_called = remove_called = 0;
805 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
806 TLS_client_method(), &sctx,
807 &cctx, cert, privkey)))
811 * Only allow the max protocol version so we can force a connection failure
814 SSL_CTX_set_min_proto_version(cctx, maxprot);
815 SSL_CTX_set_max_proto_version(cctx, maxprot);
817 /* Set up session cache */
819 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
820 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
823 /* Also covers instance where both are set */
824 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
826 SSL_CTX_set_session_cache_mode(cctx,
827 SSL_SESS_CACHE_CLIENT
828 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
831 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
833 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
835 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
838 /* Should fail because it should already be in the cache */
839 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
842 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
845 new_called = remove_called = 0;
846 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
847 &clientssl2, NULL, NULL))
848 || !TEST_true(SSL_set_session(clientssl2, sess1))
849 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
851 || !TEST_true(SSL_session_reused(clientssl2)))
854 if (maxprot == TLS1_3_VERSION) {
856 * In TLSv1.3 we should have created a new session even though we have
857 * resumed. The original session should also have been removed.
860 && (!TEST_int_eq(new_called, 1)
861 || !TEST_int_eq(remove_called, 1)))
865 * In TLSv1.2 we expect to have resumed so no sessions added or
869 && (!TEST_int_eq(new_called, 0)
870 || !TEST_int_eq(remove_called, 0)))
874 SSL_SESSION_free(sess1);
875 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
877 shutdown_ssl_connection(serverssl2, clientssl2);
878 serverssl2 = clientssl2 = NULL;
880 new_called = remove_called = 0;
881 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
882 &clientssl2, NULL, NULL))
883 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
887 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
891 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
894 new_called = remove_called = 0;
896 * This should clear sess2 from the cache because it is a "bad" session.
897 * See SSL_set_session() documentation.
899 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
902 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
904 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
908 /* Should succeeded because it should not already be in the cache */
909 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
910 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
914 new_called = remove_called = 0;
915 /* This shouldn't be in the cache so should fail */
916 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
920 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
923 # if !defined(OPENSSL_NO_TLS1_1)
924 new_called = remove_called = 0;
925 /* Force a connection failure */
926 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
928 &clientssl3, NULL, NULL))
929 || !TEST_true(SSL_set_session(clientssl3, sess1))
930 /* This should fail because of the mismatched protocol versions */
931 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
935 /* We should have automatically removed the session from the cache */
937 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
940 /* Should succeed because it should not already be in the cache */
941 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
945 /* Now do some tests for server side caching */
947 SSL_CTX_sess_set_new_cb(cctx, NULL);
948 SSL_CTX_sess_set_remove_cb(cctx, NULL);
949 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
950 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
951 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
955 SSL_CTX_set_session_cache_mode(cctx, 0);
956 /* Internal caching is the default on the server side */
958 SSL_CTX_set_session_cache_mode(sctx,
959 SSL_SESS_CACHE_SERVER
960 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
962 SSL_free(serverssl1);
963 SSL_free(clientssl1);
964 serverssl1 = clientssl1 = NULL;
965 SSL_free(serverssl2);
966 SSL_free(clientssl2);
967 serverssl2 = clientssl2 = NULL;
968 SSL_SESSION_free(sess1);
970 SSL_SESSION_free(sess2);
973 SSL_CTX_set_max_proto_version(sctx, maxprot);
974 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
975 new_called = remove_called = get_called = 0;
976 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
978 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
980 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
981 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
984 /* Should fail because it should already be in the cache */
985 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
989 SSL_SESSION *tmp = sess2;
991 if (!TEST_int_eq(new_called, 1)
992 || !TEST_int_eq(remove_called, 0)
993 || !TEST_int_eq(get_called, 0))
996 * Delete the session from the internal cache to force a lookup from
997 * the external cache. We take a copy first because
998 * SSL_CTX_remove_session() also marks the session as non-resumable.
1000 if (use_int_cache) {
1001 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1002 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1004 SSL_SESSION_free(sess2);
1009 new_called = remove_called = get_called = 0;
1010 get_sess_val = sess2;
1011 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1012 &clientssl2, NULL, NULL))
1013 || !TEST_true(SSL_set_session(clientssl2, sess1))
1014 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1016 || !TEST_true(SSL_session_reused(clientssl2)))
1019 if (use_ext_cache) {
1020 if (!TEST_int_eq(new_called, 0)
1021 || !TEST_int_eq(remove_called, 0))
1024 if (maxprot == TLS1_3_VERSION) {
1025 if (!TEST_int_eq(get_called, 0))
1028 if (!TEST_int_eq(get_called, 1))
1036 SSL_free(serverssl1);
1037 SSL_free(clientssl1);
1038 SSL_free(serverssl2);
1039 SSL_free(clientssl2);
1040 # ifndef OPENSSL_NO_TLS1_1
1041 SSL_free(serverssl3);
1042 SSL_free(clientssl3);
1044 SSL_SESSION_free(sess1);
1045 SSL_SESSION_free(sess2);
1051 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1053 static int test_session_with_only_int_cache(void)
1055 #ifndef OPENSSL_NO_TLS1_3
1056 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1060 #ifndef OPENSSL_NO_TLS1_2
1061 return execute_test_session(TLS1_2_VERSION, 1, 0);
1067 static int test_session_with_only_ext_cache(void)
1069 #ifndef OPENSSL_NO_TLS1_3
1070 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1074 #ifndef OPENSSL_NO_TLS1_2
1075 return execute_test_session(TLS1_2_VERSION, 0, 1);
1081 static int test_session_with_both_cache(void)
1083 #ifndef OPENSSL_NO_TLS1_3
1084 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1088 #ifndef OPENSSL_NO_TLS1_2
1089 return execute_test_session(TLS1_2_VERSION, 1, 1);
1099 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1101 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1116 static int test_ssl_set_bio(int idx)
1121 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1123 int initrbio, initwbio, newrbio, newwbio;
1133 if (!TEST_int_le(newwbio, 2))
1136 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1137 || !TEST_ptr(ssl = SSL_new(ctx)))
1140 if (initrbio == USE_BIO_1
1141 || initwbio == USE_BIO_1
1142 || newrbio == USE_BIO_1
1143 || newwbio == USE_BIO_1) {
1144 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1148 if (initrbio == USE_BIO_2
1149 || initwbio == USE_BIO_2
1150 || newrbio == USE_BIO_2
1151 || newwbio == USE_BIO_2) {
1152 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1156 setupbio(&irbio, bio1, bio2, initrbio);
1157 setupbio(&iwbio, bio1, bio2, initwbio);
1160 * We want to maintain our own refs to these BIO, so do an up ref for each
1161 * BIO that will have ownership transferred in the SSL_set_bio() call
1165 if (iwbio != NULL && iwbio != irbio)
1168 SSL_set_bio(ssl, irbio, iwbio);
1170 setupbio(&nrbio, bio1, bio2, newrbio);
1171 setupbio(&nwbio, bio1, bio2, newwbio);
1174 * We will (maybe) transfer ownership again so do more up refs.
1175 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1180 && (nwbio != iwbio || nrbio != nwbio))
1184 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1187 SSL_set_bio(ssl, nrbio, nwbio);
1197 * This test is checking that the ref counting for SSL_set_bio is correct.
1198 * If we get here and we did too many frees then we will fail in the above
1199 * functions. If we haven't done enough then this will only be detected in
1200 * a crypto-mdebug build
1206 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1208 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1210 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1215 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1216 || !TEST_ptr(ssl = SSL_new(ctx))
1217 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1218 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1221 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1224 * If anything goes wrong here then we could leak memory, so this will
1225 * be caught in a crypto-mdebug build
1227 BIO_push(sslbio, membio1);
1229 /* Verify changing the rbio/wbio directly does not cause leaks */
1230 if (change_bio != NO_BIO_CHANGE) {
1231 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1233 if (change_bio == CHANGE_RBIO)
1234 SSL_set0_rbio(ssl, membio2);
1236 SSL_set0_wbio(ssl, membio2);
1255 static int test_ssl_bio_pop_next_bio(void)
1257 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1260 static int test_ssl_bio_pop_ssl_bio(void)
1262 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1265 static int test_ssl_bio_change_rbio(void)
1267 return execute_test_ssl_bio(0, CHANGE_RBIO);
1270 static int test_ssl_bio_change_wbio(void)
1272 return execute_test_ssl_bio(0, CHANGE_WBIO);
1276 /* The list of sig algs */
1278 /* The length of the list */
1280 /* A sigalgs list in string format */
1281 const char *liststr;
1282 /* Whether setting the list should succeed */
1284 /* Whether creating a connection with the list should succeed */
1288 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1289 #ifndef OPENSSL_NO_EC
1290 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1291 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1293 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1294 static const int invalidlist2[] = {NID_sha256, NID_undef};
1295 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1296 static const int invalidlist4[] = {NID_sha256};
1297 static const sigalgs_list testsigalgs[] = {
1298 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1299 #ifndef OPENSSL_NO_EC
1300 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1301 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1303 {NULL, 0, "RSA+SHA256", 1, 1},
1304 #ifndef OPENSSL_NO_EC
1305 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1306 {NULL, 0, "ECDSA+SHA512", 1, 0},
1308 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1309 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1310 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1311 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1312 {NULL, 0, "RSA", 0, 0},
1313 {NULL, 0, "SHA256", 0, 0},
1314 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1315 {NULL, 0, "Invalid", 0, 0}
1318 static int test_set_sigalgs(int idx)
1320 SSL_CTX *cctx = NULL, *sctx = NULL;
1321 SSL *clientssl = NULL, *serverssl = NULL;
1323 const sigalgs_list *curr;
1326 /* Should never happen */
1327 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1330 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1331 curr = testctx ? &testsigalgs[idx]
1332 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1334 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1335 TLS_client_method(), &sctx,
1336 &cctx, cert, privkey)))
1340 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1341 * for TLSv1.2 for now until we add a new API.
1343 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1348 if (curr->list != NULL)
1349 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1351 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1355 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1361 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1366 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1367 &clientssl, NULL, NULL)))
1373 if (curr->list != NULL)
1374 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1376 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1379 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1388 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1396 SSL_free(serverssl);
1397 SSL_free(clientssl);
1404 #ifndef OPENSSL_NO_TLS1_3
1406 static SSL_SESSION *clientpsk = NULL;
1407 static SSL_SESSION *serverpsk = NULL;
1408 static const char *pskid = "Identity";
1409 static const char *srvid;
1411 static int use_session_cb_cnt = 0;
1412 static int find_session_cb_cnt = 0;
1414 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1415 size_t *idlen, SSL_SESSION **sess)
1417 switch (++use_session_cb_cnt) {
1419 /* The first call should always have a NULL md */
1425 /* The second call should always have an md */
1431 /* We should only be called a maximum of twice */
1435 if (clientpsk != NULL)
1436 SSL_SESSION_up_ref(clientpsk);
1439 *id = (const unsigned char *)pskid;
1440 *idlen = strlen(pskid);
1445 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1446 size_t identity_len, SSL_SESSION **sess)
1448 find_session_cb_cnt++;
1450 /* We should only ever be called a maximum of twice per connection */
1451 if (find_session_cb_cnt > 2)
1454 if (serverpsk == NULL)
1457 /* Identity should match that set by the client */
1458 if (strlen(srvid) != identity_len
1459 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1460 /* No PSK found, continue but without a PSK */
1465 SSL_SESSION_up_ref(serverpsk);
1471 #define MSG1 "Hello"
1472 #define MSG2 "World."
1477 #define MSG7 "message."
1479 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1482 * Helper method to setup objects for early data test. Caller frees objects on
1485 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1486 SSL **serverssl, SSL_SESSION **sess, int idx)
1488 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1489 TLS_client_method(), sctx,
1490 cctx, cert, privkey)))
1494 /* When idx == 1 we repeat the tests with read_ahead set */
1495 SSL_CTX_set_read_ahead(*cctx, 1);
1496 SSL_CTX_set_read_ahead(*sctx, 1);
1497 } else if (idx == 2) {
1498 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1499 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1500 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1501 use_session_cb_cnt = 0;
1502 find_session_cb_cnt = 0;
1506 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1511 * For one of the run throughs (doesn't matter which one), we'll try sending
1512 * some SNI data in the initial ClientHello. This will be ignored (because
1513 * there is no SNI cb set up by the server), so it should not impact
1517 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1521 /* Create the PSK */
1522 const SSL_CIPHER *cipher = NULL;
1523 const unsigned char key[] = {
1524 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1525 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1526 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1527 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1528 0x2c, 0x2d, 0x2e, 0x2f
1531 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1532 clientpsk = SSL_SESSION_new();
1533 if (!TEST_ptr(clientpsk)
1534 || !TEST_ptr(cipher)
1535 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1537 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1539 SSL_SESSION_set_protocol_version(clientpsk,
1542 * We just choose an arbitrary value for max_early_data which
1543 * should be big enough for testing purposes.
1545 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1547 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1548 SSL_SESSION_free(clientpsk);
1552 serverpsk = clientpsk;
1562 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1566 *sess = SSL_get1_session(*clientssl);
1567 SSL_shutdown(*clientssl);
1568 SSL_shutdown(*serverssl);
1569 SSL_free(*serverssl);
1570 SSL_free(*clientssl);
1571 *serverssl = *clientssl = NULL;
1573 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1574 clientssl, NULL, NULL))
1575 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1581 static int test_early_data_read_write(int idx)
1583 SSL_CTX *cctx = NULL, *sctx = NULL;
1584 SSL *clientssl = NULL, *serverssl = NULL;
1586 SSL_SESSION *sess = NULL;
1587 unsigned char buf[20], data[1024];
1588 size_t readbytes, written, eoedlen, rawread, rawwritten;
1591 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1592 &serverssl, &sess, idx)))
1595 /* Write and read some early data */
1596 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1598 || !TEST_size_t_eq(written, strlen(MSG1))
1599 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1600 sizeof(buf), &readbytes),
1601 SSL_READ_EARLY_DATA_SUCCESS)
1602 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1603 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1604 SSL_EARLY_DATA_ACCEPTED))
1608 * Server should be able to write data, and client should be able to
1611 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1613 || !TEST_size_t_eq(written, strlen(MSG2))
1614 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1615 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1618 /* Even after reading normal data, client should be able write early data */
1619 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1621 || !TEST_size_t_eq(written, strlen(MSG3)))
1624 /* Server should still be able read early data after writing data */
1625 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1627 SSL_READ_EARLY_DATA_SUCCESS)
1628 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1631 /* Write more data from server and read it from client */
1632 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1634 || !TEST_size_t_eq(written, strlen(MSG4))
1635 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1636 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1640 * If client writes normal data it should mean writing early data is no
1643 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1644 || !TEST_size_t_eq(written, strlen(MSG5))
1645 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1646 SSL_EARLY_DATA_ACCEPTED))
1650 * At this point the client has written EndOfEarlyData, ClientFinished and
1651 * normal (fully protected) data. We are going to cause a delay between the
1652 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1653 * in the read BIO, and then just put back the EndOfEarlyData message.
1655 rbio = SSL_get_rbio(serverssl);
1656 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1657 || !TEST_size_t_lt(rawread, sizeof(data))
1658 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1661 /* Record length is in the 4th and 5th bytes of the record header */
1662 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1663 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1664 || !TEST_size_t_eq(rawwritten, eoedlen))
1667 /* Server should be told that there is no more early data */
1668 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1670 SSL_READ_EARLY_DATA_FINISH)
1671 || !TEST_size_t_eq(readbytes, 0))
1675 * Server has not finished init yet, so should still be able to write early
1678 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1680 || !TEST_size_t_eq(written, strlen(MSG6)))
1683 /* Push the ClientFinished and the normal data back into the server rbio */
1684 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1686 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1689 /* Server should be able to read normal data */
1690 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1691 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1694 /* Client and server should not be able to write/read early data now */
1695 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1699 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1701 SSL_READ_EARLY_DATA_ERROR))
1705 /* Client should be able to read the data sent by the server */
1706 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1707 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1711 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1712 * We attempt a read which we do not expect to return any data.
1714 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1717 /* Server should be able to write normal data */
1718 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1719 || !TEST_size_t_eq(written, strlen(MSG7))
1720 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1721 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1724 /* We keep the PSK session around if using PSK */
1726 SSL_SESSION_free(sess);
1727 sess = SSL_get1_session(clientssl);
1728 use_session_cb_cnt = 0;
1729 find_session_cb_cnt = 0;
1731 SSL_shutdown(clientssl);
1732 SSL_shutdown(serverssl);
1733 SSL_free(serverssl);
1734 SSL_free(clientssl);
1735 serverssl = clientssl = NULL;
1736 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1737 &clientssl, NULL, NULL))
1738 || !TEST_true(SSL_set_session(clientssl, sess)))
1741 /* Write and read some early data */
1742 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1744 || !TEST_size_t_eq(written, strlen(MSG1))
1745 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1747 SSL_READ_EARLY_DATA_SUCCESS)
1748 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1751 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1752 || !TEST_int_gt(SSL_accept(serverssl), 0))
1755 /* Client and server should not be able to write/read early data now */
1756 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1760 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1762 SSL_READ_EARLY_DATA_ERROR))
1766 /* Client and server should be able to write/read normal data */
1767 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1768 || !TEST_size_t_eq(written, strlen(MSG5))
1769 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1770 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1776 if (sess != clientpsk)
1777 SSL_SESSION_free(sess);
1778 SSL_SESSION_free(clientpsk);
1779 SSL_SESSION_free(serverpsk);
1780 clientpsk = serverpsk = NULL;
1781 SSL_free(serverssl);
1782 SSL_free(clientssl);
1789 * Helper function to test that a server attempting to read early data can
1790 * handle a connection from a client where the early data should be skipped.
1792 static int early_data_skip_helper(int hrr, int idx)
1794 SSL_CTX *cctx = NULL, *sctx = NULL;
1795 SSL *clientssl = NULL, *serverssl = NULL;
1797 SSL_SESSION *sess = NULL;
1798 unsigned char buf[20];
1799 size_t readbytes, written;
1801 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1802 &serverssl, &sess, idx)))
1806 /* Force an HRR to occur */
1807 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1809 } else if (idx == 2) {
1811 * We force early_data rejection by ensuring the PSK identity is
1814 srvid = "Dummy Identity";
1817 * Deliberately corrupt the creation time. We take 20 seconds off the
1818 * time. It could be any value as long as it is not within tolerance.
1819 * This should mean the ticket is rejected.
1821 if (!TEST_true(SSL_SESSION_set_time(sess, time(NULL) - 20)))
1825 /* Write some early data */
1826 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1828 || !TEST_size_t_eq(written, strlen(MSG1)))
1831 /* Server should reject the early data and skip over it */
1832 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1834 SSL_READ_EARLY_DATA_FINISH)
1835 || !TEST_size_t_eq(readbytes, 0)
1836 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1837 SSL_EARLY_DATA_REJECTED))
1842 * Finish off the handshake. We perform the same writes and reads as
1843 * further down but we expect them to fail due to the incomplete
1846 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1847 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1852 /* Should be able to send normal data despite rejection of early data */
1853 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1854 || !TEST_size_t_eq(written, strlen(MSG2))
1855 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1856 SSL_EARLY_DATA_REJECTED)
1857 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1858 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1864 if (sess != clientpsk)
1865 SSL_SESSION_free(clientpsk);
1866 SSL_SESSION_free(serverpsk);
1867 clientpsk = serverpsk = NULL;
1868 SSL_SESSION_free(sess);
1869 SSL_free(serverssl);
1870 SSL_free(clientssl);
1877 * Test that a server attempting to read early data can handle a connection
1878 * from a client where the early data is not acceptable.
1880 static int test_early_data_skip(int idx)
1882 return early_data_skip_helper(0, idx);
1886 * Test that a server attempting to read early data can handle a connection
1887 * from a client where an HRR occurs.
1889 static int test_early_data_skip_hrr(int idx)
1891 return early_data_skip_helper(1, idx);
1895 * Test that a server attempting to read early data can handle a connection
1896 * from a client that doesn't send any.
1898 static int test_early_data_not_sent(int idx)
1900 SSL_CTX *cctx = NULL, *sctx = NULL;
1901 SSL *clientssl = NULL, *serverssl = NULL;
1903 SSL_SESSION *sess = NULL;
1904 unsigned char buf[20];
1905 size_t readbytes, written;
1907 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1908 &serverssl, &sess, idx)))
1911 /* Write some data - should block due to handshake with server */
1912 SSL_set_connect_state(clientssl);
1913 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1916 /* Server should detect that early data has not been sent */
1917 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1919 SSL_READ_EARLY_DATA_FINISH)
1920 || !TEST_size_t_eq(readbytes, 0)
1921 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1922 SSL_EARLY_DATA_NOT_SENT)
1923 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1924 SSL_EARLY_DATA_NOT_SENT))
1927 /* Continue writing the message we started earlier */
1928 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1929 || !TEST_size_t_eq(written, strlen(MSG1))
1930 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1931 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1932 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
1933 || !TEST_size_t_eq(written, strlen(MSG2)))
1937 * Should block due to the NewSessionTicket arrival unless we're using
1941 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1945 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1946 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1952 /* If using PSK then clientpsk and sess are the same */
1953 SSL_SESSION_free(sess);
1954 SSL_SESSION_free(serverpsk);
1955 clientpsk = serverpsk = NULL;
1956 SSL_free(serverssl);
1957 SSL_free(clientssl);
1963 static const char *servhostname;
1965 static int hostname_cb(SSL *s, int *al, void *arg)
1967 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1969 if (hostname != NULL && strcmp(hostname, servhostname) == 0)
1970 return SSL_TLSEXT_ERR_OK;
1972 return SSL_TLSEXT_ERR_NOACK;
1975 static const char *servalpn;
1977 static int alpn_select_cb (SSL *ssl, const unsigned char **out, unsigned char *outlen,
1978 const unsigned char *in, unsigned int inlen, void *arg)
1980 unsigned int i, protlen = 0;
1981 const unsigned char *prot;
1983 for (i = 0, prot = in; i < inlen; i += protlen, prot += protlen) {
1984 protlen = *(prot++);
1985 if (inlen - i < protlen)
1986 return SSL_TLSEXT_ERR_NOACK;
1988 if (protlen == strlen(servalpn)
1989 && memcmp(prot, "goodalpn", protlen) == 0) {
1992 return SSL_TLSEXT_ERR_OK;
1996 return SSL_TLSEXT_ERR_NOACK;
1999 /* Test that a PSK can be used to send early_data */
2000 static int test_early_data_psk(int idx)
2002 SSL_CTX *cctx = NULL, *sctx = NULL;
2003 SSL *clientssl = NULL, *serverssl = NULL;
2005 SSL_SESSION *sess = NULL;
2006 unsigned char alpnlist[] = {
2007 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2010 #define GOODALPNLEN 9
2011 #define BADALPNLEN 8
2012 #define GOODALPN (alpnlist)
2013 #define BADALPN (alpnlist + GOODALPNLEN)
2015 unsigned char buf[20];
2016 size_t readbytes, written;
2017 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2018 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2020 /* We always set this up with a final parameter of "2" for PSK */
2021 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2022 &serverssl, &sess, 2)))
2025 servhostname = "goodhost";
2026 servalpn = "goodalpn";
2029 * Note: There is no test for inconsistent SNI with late client detection.
2030 * This is because servers do not acknowledge SNI even if they are using
2031 * it in a resumption handshake - so it is not actually possible for a
2032 * client to detect a problem.
2036 /* Set inconsistent SNI (early client detection) */
2037 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2038 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2039 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2044 /* Set inconsistent ALPN (early client detection) */
2045 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2046 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2047 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2049 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2056 * Set invalid protocol version. Technically this affects PSKs without
2057 * early_data too, but we test it here because it is similar to the
2058 * SNI/ALPN consistency tests.
2060 err = SSL_R_BAD_PSK;
2061 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2067 * Set inconsistent SNI (server detected). In this case the connection
2068 * will succeed but reject early_data.
2070 servhostname = "badhost";
2071 edstatus = SSL_EARLY_DATA_REJECTED;
2072 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2075 /* Set consistent SNI */
2076 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2077 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2078 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2085 * Set inconsistent ALPN (server detected). In this case the connection
2086 * will succeed but reject early_data.
2088 servalpn = "badalpn";
2089 edstatus = SSL_EARLY_DATA_REJECTED;
2090 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2094 * Set consistent ALPN.
2095 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2096 * accepts a list of protos (each one length prefixed).
2097 * SSL_set1_alpn_selected accepts a single protocol (not length
2100 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2102 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2106 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2110 /* Set inconsistent ALPN (late client detection) */
2111 SSL_SESSION_free(serverpsk);
2112 serverpsk = SSL_SESSION_dup(clientpsk);
2113 if (!TEST_ptr(serverpsk)
2114 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2117 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2120 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2123 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2124 edstatus = SSL_EARLY_DATA_ACCEPTED;
2125 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2126 /* SSL_connect() call should fail */
2131 TEST_error("Bad test index");
2135 SSL_set_connect_state(clientssl);
2137 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2139 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2140 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2143 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2147 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2148 &readbytes), readearlyres)
2149 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2150 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2151 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2152 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2159 SSL_SESSION_free(clientpsk);
2160 SSL_SESSION_free(serverpsk);
2161 clientpsk = serverpsk = NULL;
2162 SSL_free(serverssl);
2163 SSL_free(clientssl);
2170 * Test that a server that doesn't try to read early data can handle a
2171 * client sending some.
2173 static int test_early_data_not_expected(int idx)
2175 SSL_CTX *cctx = NULL, *sctx = NULL;
2176 SSL *clientssl = NULL, *serverssl = NULL;
2178 SSL_SESSION *sess = NULL;
2179 unsigned char buf[20];
2180 size_t readbytes, written;
2182 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2183 &serverssl, &sess, idx)))
2186 /* Write some early data */
2187 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2192 * Server should skip over early data and then block waiting for client to
2193 * continue handshake
2195 if (!TEST_int_le(SSL_accept(serverssl), 0)
2196 || !TEST_int_gt(SSL_connect(clientssl), 0)
2197 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2198 SSL_EARLY_DATA_REJECTED)
2199 || !TEST_int_gt(SSL_accept(serverssl), 0)
2200 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2201 SSL_EARLY_DATA_REJECTED))
2204 /* Send some normal data from client to server */
2205 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2206 || !TEST_size_t_eq(written, strlen(MSG2)))
2209 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2210 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2216 /* If using PSK then clientpsk and sess are the same */
2217 SSL_SESSION_free(sess);
2218 SSL_SESSION_free(serverpsk);
2219 clientpsk = serverpsk = NULL;
2220 SSL_free(serverssl);
2221 SSL_free(clientssl);
2228 # ifndef OPENSSL_NO_TLS1_2
2230 * Test that a server attempting to read early data can handle a connection
2231 * from a TLSv1.2 client.
2233 static int test_early_data_tls1_2(int idx)
2235 SSL_CTX *cctx = NULL, *sctx = NULL;
2236 SSL *clientssl = NULL, *serverssl = NULL;
2238 unsigned char buf[20];
2239 size_t readbytes, written;
2241 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2242 &serverssl, NULL, idx)))
2245 /* Write some data - should block due to handshake with server */
2246 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2247 SSL_set_connect_state(clientssl);
2248 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2252 * Server should do TLSv1.2 handshake. First it will block waiting for more
2253 * messages from client after ServerDone. Then SSL_read_early_data should
2254 * finish and detect that early data has not been sent
2256 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2258 SSL_READ_EARLY_DATA_ERROR))
2262 * Continue writing the message we started earlier. Will still block waiting
2263 * for the CCS/Finished from server
2265 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2266 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2268 SSL_READ_EARLY_DATA_FINISH)
2269 || !TEST_size_t_eq(readbytes, 0)
2270 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2271 SSL_EARLY_DATA_NOT_SENT))
2274 /* Continue writing the message we started earlier */
2275 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2276 || !TEST_size_t_eq(written, strlen(MSG1))
2277 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2278 SSL_EARLY_DATA_NOT_SENT)
2279 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2280 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2281 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2282 || !TEST_size_t_eq(written, strlen(MSG2))
2283 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2284 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2290 /* If using PSK then clientpsk and sess are the same */
2291 SSL_SESSION_free(clientpsk);
2292 SSL_SESSION_free(serverpsk);
2293 clientpsk = serverpsk = NULL;
2294 SSL_free(serverssl);
2295 SSL_free(clientssl);
2301 # endif /* OPENSSL_NO_TLS1_2 */
2303 static int test_ciphersuite_change(void)
2305 SSL_CTX *cctx = NULL, *sctx = NULL;
2306 SSL *clientssl = NULL, *serverssl = NULL;
2307 SSL_SESSION *clntsess = NULL;
2309 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2311 /* Create a session based on SHA-256 */
2312 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2313 TLS_client_method(), &sctx,
2314 &cctx, cert, privkey))
2315 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
2316 "TLS13-AES-128-GCM-SHA256"))
2317 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2318 &clientssl, NULL, NULL))
2319 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2323 clntsess = SSL_get1_session(clientssl);
2324 /* Save for later */
2325 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2326 SSL_shutdown(clientssl);
2327 SSL_shutdown(serverssl);
2328 SSL_free(serverssl);
2329 SSL_free(clientssl);
2330 serverssl = clientssl = NULL;
2332 /* Check we can resume a session with a different SHA-256 ciphersuite */
2333 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2334 "TLS13-CHACHA20-POLY1305-SHA256"))
2335 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2337 || !TEST_true(SSL_set_session(clientssl, clntsess))
2338 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2340 || !TEST_true(SSL_session_reused(clientssl)))
2343 SSL_SESSION_free(clntsess);
2344 clntsess = SSL_get1_session(clientssl);
2345 SSL_shutdown(clientssl);
2346 SSL_shutdown(serverssl);
2347 SSL_free(serverssl);
2348 SSL_free(clientssl);
2349 serverssl = clientssl = NULL;
2352 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2353 * succeeds but does not resume.
2355 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2356 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2358 || !TEST_true(SSL_set_session(clientssl, clntsess))
2359 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2361 || !TEST_false(SSL_session_reused(clientssl)))
2364 SSL_SESSION_free(clntsess);
2366 SSL_shutdown(clientssl);
2367 SSL_shutdown(serverssl);
2368 SSL_free(serverssl);
2369 SSL_free(clientssl);
2370 serverssl = clientssl = NULL;
2372 /* Create a session based on SHA384 */
2373 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2374 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2375 &clientssl, NULL, NULL))
2376 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2380 clntsess = SSL_get1_session(clientssl);
2381 SSL_shutdown(clientssl);
2382 SSL_shutdown(serverssl);
2383 SSL_free(serverssl);
2384 SSL_free(clientssl);
2385 serverssl = clientssl = NULL;
2387 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2388 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
2389 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
2390 "TLS13-AES-256-GCM-SHA384"))
2391 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2393 || !TEST_true(SSL_set_session(clientssl, clntsess))
2395 * We use SSL_ERROR_WANT_READ below so that we can pause the
2396 * connection after the initial ClientHello has been sent to
2397 * enable us to make some session changes.
2399 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2400 SSL_ERROR_WANT_READ)))
2403 /* Trick the client into thinking this session is for a different digest */
2404 clntsess->cipher = aes_128_gcm_sha256;
2405 clntsess->cipher_id = clntsess->cipher->id;
2408 * Continue the previously started connection. Server has selected a SHA-384
2409 * ciphersuite, but client thinks the session is for SHA-256, so it should
2412 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2414 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2415 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2421 SSL_SESSION_free(clntsess);
2422 SSL_free(serverssl);
2423 SSL_free(clientssl);
2430 static int test_tls13_psk(void)
2432 SSL_CTX *sctx = NULL, *cctx = NULL;
2433 SSL *serverssl = NULL, *clientssl = NULL;
2434 const SSL_CIPHER *cipher = NULL;
2435 const unsigned char key[] = {
2436 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2437 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2438 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2439 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2443 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2444 TLS_client_method(), &sctx,
2445 &cctx, cert, privkey)))
2448 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2449 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2451 use_session_cb_cnt = 0;
2452 find_session_cb_cnt = 0;
2454 /* Check we can create a connection if callback decides not to send a PSK */
2455 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2457 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2459 || !TEST_false(SSL_session_reused(clientssl))
2460 || !TEST_false(SSL_session_reused(serverssl))
2461 || !TEST_true(use_session_cb_cnt == 1)
2462 || !TEST_true(find_session_cb_cnt == 0))
2465 shutdown_ssl_connection(serverssl, clientssl);
2466 serverssl = clientssl = NULL;
2467 use_session_cb_cnt = 0;
2469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2473 /* Create the PSK */
2474 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
2475 clientpsk = SSL_SESSION_new();
2476 if (!TEST_ptr(clientpsk)
2477 || !TEST_ptr(cipher)
2478 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2480 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2481 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2483 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2485 serverpsk = clientpsk;
2487 /* Check we can create a connection and the PSK is used */
2488 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2489 || !TEST_true(SSL_session_reused(clientssl))
2490 || !TEST_true(SSL_session_reused(serverssl))
2491 || !TEST_true(use_session_cb_cnt == 1)
2492 || !TEST_true(find_session_cb_cnt == 1))
2495 shutdown_ssl_connection(serverssl, clientssl);
2496 serverssl = clientssl = NULL;
2497 use_session_cb_cnt = find_session_cb_cnt = 0;
2499 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2504 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2508 * Check we can create a connection, the PSK is used and the callbacks are
2511 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2512 || !TEST_true(SSL_session_reused(clientssl))
2513 || !TEST_true(SSL_session_reused(serverssl))
2514 || !TEST_true(use_session_cb_cnt == 2)
2515 || !TEST_true(find_session_cb_cnt == 2))
2518 shutdown_ssl_connection(serverssl, clientssl);
2519 serverssl = clientssl = NULL;
2520 use_session_cb_cnt = find_session_cb_cnt = 0;
2523 * Check that if the server rejects the PSK we can still connect, but with
2526 srvid = "Dummy Identity";
2527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2529 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2531 || !TEST_false(SSL_session_reused(clientssl))
2532 || !TEST_false(SSL_session_reused(serverssl))
2533 || !TEST_true(use_session_cb_cnt == 1)
2534 || !TEST_true(find_session_cb_cnt == 1))
2537 shutdown_ssl_connection(serverssl, clientssl);
2538 serverssl = clientssl = NULL;
2542 SSL_SESSION_free(clientpsk);
2543 SSL_SESSION_free(serverpsk);
2544 clientpsk = serverpsk = NULL;
2545 SSL_free(serverssl);
2546 SSL_free(clientssl);
2552 #endif /* OPENSSL_NO_TLS1_3 */
2554 static int clntaddoldcb = 0;
2555 static int clntparseoldcb = 0;
2556 static int srvaddoldcb = 0;
2557 static int srvparseoldcb = 0;
2558 static int clntaddnewcb = 0;
2559 static int clntparsenewcb = 0;
2560 static int srvaddnewcb = 0;
2561 static int srvparsenewcb = 0;
2562 static int snicb = 0;
2564 #define TEST_EXT_TYPE1 0xff00
2566 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2567 size_t *outlen, int *al, void *add_arg)
2569 int *server = (int *)add_arg;
2570 unsigned char *data;
2572 if (SSL_is_server(s))
2577 if (*server != SSL_is_server(s)
2578 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2583 *outlen = sizeof(char);
2587 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2590 OPENSSL_free((unsigned char *)out);
2593 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2594 size_t inlen, int *al, void *parse_arg)
2596 int *server = (int *)parse_arg;
2598 if (SSL_is_server(s))
2603 if (*server != SSL_is_server(s)
2604 || inlen != sizeof(char)
2611 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2612 const unsigned char **out, size_t *outlen, X509 *x,
2613 size_t chainidx, int *al, void *add_arg)
2615 int *server = (int *)add_arg;
2616 unsigned char *data;
2618 if (SSL_is_server(s))
2623 if (*server != SSL_is_server(s)
2624 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2629 *outlen = sizeof(*data);
2633 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2634 const unsigned char *out, void *add_arg)
2636 OPENSSL_free((unsigned char *)out);
2639 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2640 const unsigned char *in, size_t inlen, X509 *x,
2641 size_t chainidx, int *al, void *parse_arg)
2643 int *server = (int *)parse_arg;
2645 if (SSL_is_server(s))
2650 if (*server != SSL_is_server(s)
2651 || inlen != sizeof(char) || *in != 1)
2657 static int sni_cb(SSL *s, int *al, void *arg)
2659 SSL_CTX *ctx = (SSL_CTX *)arg;
2661 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2662 *al = SSL_AD_INTERNAL_ERROR;
2663 return SSL_TLSEXT_ERR_ALERT_FATAL;
2666 return SSL_TLSEXT_ERR_OK;
2670 * Custom call back tests.
2671 * Test 0: Old style callbacks in TLSv1.2
2672 * Test 1: New style callbacks in TLSv1.2
2673 * Test 2: New style callbacks in TLSv1.2 with SNI
2674 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2675 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2677 static int test_custom_exts(int tst)
2679 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2680 SSL *clientssl = NULL, *serverssl = NULL;
2682 static int server = 1;
2683 static int client = 0;
2684 SSL_SESSION *sess = NULL;
2685 unsigned int context;
2687 /* Reset callback counters */
2688 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2689 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2692 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2693 TLS_client_method(), &sctx,
2694 &cctx, cert, privkey)))
2698 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2699 NULL, cert, privkey)))
2704 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2705 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2707 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2711 context = SSL_EXT_CLIENT_HELLO
2712 | SSL_EXT_TLS1_2_SERVER_HELLO
2713 | SSL_EXT_TLS1_3_SERVER_HELLO
2714 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2715 | SSL_EXT_TLS1_3_CERTIFICATE
2716 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2718 context = SSL_EXT_CLIENT_HELLO
2719 | SSL_EXT_TLS1_2_SERVER_HELLO
2720 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2723 /* Create a client side custom extension */
2725 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2726 old_add_cb, old_free_cb,
2727 &client, old_parse_cb,
2731 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2732 new_add_cb, new_free_cb,
2733 &client, new_parse_cb, &client)))
2737 /* Should not be able to add duplicates */
2738 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2739 old_add_cb, old_free_cb,
2740 &client, old_parse_cb,
2742 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
2743 context, new_add_cb,
2744 new_free_cb, &client,
2745 new_parse_cb, &client)))
2748 /* Create a server side custom extension */
2750 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2751 old_add_cb, old_free_cb,
2752 &server, old_parse_cb,
2756 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
2757 new_add_cb, new_free_cb,
2758 &server, new_parse_cb, &server)))
2761 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
2762 context, new_add_cb,
2763 new_free_cb, &server,
2764 new_parse_cb, &server)))
2768 /* Should not be able to add duplicates */
2769 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2770 old_add_cb, old_free_cb,
2771 &server, old_parse_cb,
2773 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
2774 context, new_add_cb,
2775 new_free_cb, &server,
2776 new_parse_cb, &server)))
2781 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
2782 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
2786 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2787 &clientssl, NULL, NULL))
2788 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2793 if (clntaddoldcb != 1
2794 || clntparseoldcb != 1
2796 || srvparseoldcb != 1)
2798 } else if (tst == 1 || tst == 2 || tst == 3) {
2799 if (clntaddnewcb != 1
2800 || clntparsenewcb != 1
2802 || srvparsenewcb != 1
2803 || (tst != 2 && snicb != 0)
2804 || (tst == 2 && snicb != 1))
2807 if (clntaddnewcb != 1
2808 || clntparsenewcb != 4
2810 || srvparsenewcb != 1)
2814 sess = SSL_get1_session(clientssl);
2815 SSL_shutdown(clientssl);
2816 SSL_shutdown(serverssl);
2817 SSL_free(serverssl);
2818 SSL_free(clientssl);
2819 serverssl = clientssl = NULL;
2822 /* We don't bother with the resumption aspects for this test */
2827 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2829 || !TEST_true(SSL_set_session(clientssl, sess))
2830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2835 * For a resumed session we expect to add the ClientHello extension. For the
2836 * old style callbacks we ignore it on the server side because they set
2837 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
2841 if (clntaddoldcb != 2
2842 || clntparseoldcb != 1
2844 || srvparseoldcb != 1)
2846 } else if (tst == 1 || tst == 2 || tst == 3) {
2847 if (clntaddnewcb != 2
2848 || clntparsenewcb != 2
2850 || srvparsenewcb != 2)
2853 /* No Certificate message extensions in the resumption handshake */
2854 if (clntaddnewcb != 2
2855 || clntparsenewcb != 7
2857 || srvparsenewcb != 2)
2864 SSL_SESSION_free(sess);
2865 SSL_free(serverssl);
2866 SSL_free(clientssl);
2867 SSL_CTX_free(sctx2);
2874 * Test loading of serverinfo data in various formats. test_sslmessages actually
2875 * tests to make sure the extensions appear in the handshake
2877 static int test_serverinfo(int tst)
2879 unsigned int version;
2880 unsigned char *sibuf;
2882 int ret, expected, testresult = 0;
2885 ctx = SSL_CTX_new(TLS_method());
2889 if ((tst & 0x01) == 0x01)
2890 version = SSL_SERVERINFOV2;
2892 version = SSL_SERVERINFOV1;
2894 if ((tst & 0x02) == 0x02) {
2895 sibuf = serverinfov2;
2896 sibuflen = sizeof(serverinfov2);
2897 expected = (version == SSL_SERVERINFOV2);
2899 sibuf = serverinfov1;
2900 sibuflen = sizeof(serverinfov1);
2901 expected = (version == SSL_SERVERINFOV1);
2904 if ((tst & 0x04) == 0x04) {
2905 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
2907 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
2910 * The version variable is irrelevant in this case - it's what is in the
2911 * buffer that matters
2913 if ((tst & 0x02) == 0x02)
2919 if (!TEST_true(ret == expected))
2931 * Test that SSL_export_keying_material() produces expected results. There are
2932 * no test vectors so all we do is test that both sides of the communication
2933 * produce the same results for different protocol versions.
2935 static int test_export_key_mat(int tst)
2938 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2939 SSL *clientssl = NULL, *serverssl = NULL;
2940 const char label[] = "test label";
2941 const unsigned char context[] = "context";
2942 const unsigned char *emptycontext = NULL;
2943 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
2944 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
2945 const int protocols[] = {
2952 #ifdef OPENSSL_NO_TLS1
2956 #ifdef OPENSSL_NO_TLS1_1
2960 #ifdef OPENSSL_NO_TLS1_2
2964 #ifdef OPENSSL_NO_TLS1_3
2968 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2969 TLS_client_method(), &sctx,
2970 &cctx, cert, privkey)))
2973 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
2974 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
2975 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2977 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
2979 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2983 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
2984 sizeof(ckeymat1), label,
2985 sizeof(label) - 1, context,
2986 sizeof(context) - 1, 1), 1)
2987 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
2988 sizeof(ckeymat2), label,
2992 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
2993 sizeof(ckeymat3), label,
2996 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
2997 sizeof(skeymat1), label,
3000 sizeof(context) -1, 1),
3002 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3003 sizeof(skeymat2), label,
3007 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3008 sizeof(skeymat3), label,
3012 * Check that both sides created the same key material with the
3015 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3018 * Check that both sides created the same key material with an
3021 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3024 * Check that both sides created the same key material without a
3027 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3029 /* Different contexts should produce different results */
3030 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3035 * Check that an empty context and no context produce different results in
3036 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3038 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3040 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3047 SSL_free(serverssl);
3048 SSL_free(clientssl);
3049 SSL_CTX_free(sctx2);
3056 static int test_ssl_clear(int idx)
3058 SSL_CTX *cctx = NULL, *sctx = NULL;
3059 SSL *clientssl = NULL, *serverssl = NULL;
3062 #ifdef OPENSSL_NO_TLS1_2
3067 /* Create an initial connection */
3068 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3069 TLS_client_method(), &sctx,
3070 &cctx, cert, privkey))
3072 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3074 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3075 &clientssl, NULL, NULL))
3076 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3080 SSL_shutdown(clientssl);
3081 SSL_shutdown(serverssl);
3082 SSL_free(serverssl);
3085 /* Clear clientssl - we're going to reuse the object */
3086 if (!TEST_true(SSL_clear(clientssl)))
3089 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3091 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3093 || !TEST_true(SSL_session_reused(clientssl)))
3096 SSL_shutdown(clientssl);
3097 SSL_shutdown(serverssl);
3102 SSL_free(serverssl);
3103 SSL_free(clientssl);
3110 int setup_tests(void)
3112 if (!TEST_ptr(cert = test_get_argument(0))
3113 || !TEST_ptr(privkey = test_get_argument(1)))
3116 ADD_TEST(test_large_message_tls);
3117 ADD_TEST(test_large_message_tls_read_ahead);
3118 #ifndef OPENSSL_NO_DTLS
3119 ADD_TEST(test_large_message_dtls);
3121 #ifndef OPENSSL_NO_OCSP
3122 ADD_TEST(test_tlsext_status_type);
3124 ADD_TEST(test_session_with_only_int_cache);
3125 ADD_TEST(test_session_with_only_ext_cache);
3126 ADD_TEST(test_session_with_both_cache);
3127 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
3128 ADD_TEST(test_ssl_bio_pop_next_bio);
3129 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3130 ADD_TEST(test_ssl_bio_change_rbio);
3131 ADD_TEST(test_ssl_bio_change_wbio);
3132 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
3133 ADD_TEST(test_keylog);
3134 #ifndef OPENSSL_NO_TLS1_3
3135 ADD_TEST(test_keylog_no_master_key);
3137 #ifndef OPENSSL_NO_TLS1_2
3138 ADD_TEST(test_client_hello_cb);
3140 #ifndef OPENSSL_NO_TLS1_3
3141 ADD_ALL_TESTS(test_early_data_read_write, 3);
3142 ADD_ALL_TESTS(test_early_data_skip, 3);
3143 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3144 ADD_ALL_TESTS(test_early_data_not_sent, 3);
3145 ADD_ALL_TESTS(test_early_data_psk, 8);
3146 ADD_ALL_TESTS(test_early_data_not_expected, 3);
3147 # ifndef OPENSSL_NO_TLS1_2
3148 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
3151 #ifndef OPENSSL_NO_TLS1_3
3152 ADD_TEST(test_ciphersuite_change);
3153 ADD_TEST(test_tls13_psk);
3154 ADD_ALL_TESTS(test_custom_exts, 5);
3156 ADD_ALL_TESTS(test_custom_exts, 3);
3158 ADD_ALL_TESTS(test_serverinfo, 8);
3159 ADD_ALL_TESTS(test_export_key_mat, 4);
3160 ADD_ALL_TESTS(test_ssl_clear, 2);
3164 void cleanup_tests(void)
3166 bio_s_mempacket_test_free();