2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
20 #include "ssltestlib.h"
22 #include "testutil/output.h"
23 #include "internal/nelem.h"
24 #include "../ssl/ssl_locl.h"
26 static char *cert = NULL;
27 static char *privkey = NULL;
28 static char *srpvfile = NULL;
29 static char *tmpfilename = NULL;
31 #define LOG_BUFFER_SIZE 2048
32 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
33 static size_t server_log_buffer_index = 0;
34 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
35 static size_t client_log_buffer_index = 0;
36 static int error_writing_log = 0;
38 #ifndef OPENSSL_NO_OCSP
39 static const unsigned char orespder[] = "Dummy OCSP Response";
40 static int ocsp_server_called = 0;
41 static int ocsp_client_called = 0;
43 static int cdummyarg = 1;
44 static X509 *ocspcert = NULL;
47 #define NUM_EXTRA_CERTS 40
48 #define CLIENT_VERSION_LEN 2
51 * This structure is used to validate that the correct number of log messages
52 * of various types are emitted when emitting secret logs.
54 struct sslapitest_log_counts {
55 unsigned int rsa_key_exchange_count;
56 unsigned int master_secret_count;
57 unsigned int client_early_secret_count;
58 unsigned int client_handshake_secret_count;
59 unsigned int server_handshake_secret_count;
60 unsigned int client_application_secret_count;
61 unsigned int server_application_secret_count;
62 unsigned int early_exporter_secret_count;
63 unsigned int exporter_secret_count;
67 static unsigned char serverinfov1[] = {
68 0xff, 0xff, /* Dummy extension type */
69 0x00, 0x01, /* Extension length is 1 byte */
70 0xff /* Dummy extension data */
73 static unsigned char serverinfov2[] = {
75 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
76 0xff, 0xff, /* Dummy extension type */
77 0x00, 0x01, /* Extension length is 1 byte */
78 0xff /* Dummy extension data */
81 static void client_keylog_callback(const SSL *ssl, const char *line)
83 int line_length = strlen(line);
85 /* If the log doesn't fit, error out. */
86 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
87 TEST_info("Client log too full");
88 error_writing_log = 1;
92 strcat(client_log_buffer, line);
93 client_log_buffer_index += line_length;
94 client_log_buffer[client_log_buffer_index++] = '\n';
97 static void server_keylog_callback(const SSL *ssl, const char *line)
99 int line_length = strlen(line);
101 /* If the log doesn't fit, error out. */
102 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
103 TEST_info("Server log too full");
104 error_writing_log = 1;
108 strcat(server_log_buffer, line);
109 server_log_buffer_index += line_length;
110 server_log_buffer[server_log_buffer_index++] = '\n';
113 static int compare_hex_encoded_buffer(const char *hex_encoded,
121 if (!TEST_size_t_eq(raw_length * 2, hex_length))
124 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
125 sprintf(hexed, "%02x", raw[i]);
126 if (!TEST_int_eq(hexed[0], hex_encoded[j])
127 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
134 static int test_keylog_output(char *buffer, const SSL *ssl,
135 const SSL_SESSION *session,
136 struct sslapitest_log_counts *expected)
139 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
140 size_t client_random_size = SSL3_RANDOM_SIZE;
141 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
142 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
143 unsigned int rsa_key_exchange_count = 0;
144 unsigned int master_secret_count = 0;
145 unsigned int client_early_secret_count = 0;
146 unsigned int client_handshake_secret_count = 0;
147 unsigned int server_handshake_secret_count = 0;
148 unsigned int client_application_secret_count = 0;
149 unsigned int server_application_secret_count = 0;
150 unsigned int early_exporter_secret_count = 0;
151 unsigned int exporter_secret_count = 0;
153 for (token = strtok(buffer, " \n"); token != NULL;
154 token = strtok(NULL, " \n")) {
155 if (strcmp(token, "RSA") == 0) {
157 * Premaster secret. Tokens should be: 16 ASCII bytes of
158 * hex-encoded encrypted secret, then the hex-encoded pre-master
161 if (!TEST_ptr(token = strtok(NULL, " \n")))
163 if (!TEST_size_t_eq(strlen(token), 16))
165 if (!TEST_ptr(token = strtok(NULL, " \n")))
168 * We can't sensibly check the log because the premaster secret is
169 * transient, and OpenSSL doesn't keep hold of it once the master
170 * secret is generated.
172 rsa_key_exchange_count++;
173 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
175 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
176 * client random, then the hex-encoded master secret.
178 client_random_size = SSL_get_client_random(ssl,
179 actual_client_random,
181 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
184 if (!TEST_ptr(token = strtok(NULL, " \n")))
186 if (!TEST_size_t_eq(strlen(token), 64))
188 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
189 actual_client_random,
190 client_random_size)))
193 if (!TEST_ptr(token = strtok(NULL, " \n")))
195 master_key_size = SSL_SESSION_get_master_key(session,
198 if (!TEST_size_t_ne(master_key_size, 0))
200 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
204 master_secret_count++;
205 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
206 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
207 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
208 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
209 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
210 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
211 || strcmp(token, "EXPORTER_SECRET") == 0) {
213 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
214 * client random, and then the hex-encoded secret. In this case,
215 * we treat all of these secrets identically and then just
216 * distinguish between them when counting what we saw.
218 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
219 client_early_secret_count++;
220 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
221 client_handshake_secret_count++;
222 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
223 server_handshake_secret_count++;
224 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
225 client_application_secret_count++;
226 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
227 server_application_secret_count++;
228 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
229 early_exporter_secret_count++;
230 else if (strcmp(token, "EXPORTER_SECRET") == 0)
231 exporter_secret_count++;
233 client_random_size = SSL_get_client_random(ssl,
234 actual_client_random,
236 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
239 if (!TEST_ptr(token = strtok(NULL, " \n")))
241 if (!TEST_size_t_eq(strlen(token), 64))
243 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
244 actual_client_random,
245 client_random_size)))
248 if (!TEST_ptr(token = strtok(NULL, " \n")))
252 * TODO(TLS1.3): test that application traffic secrets are what
255 TEST_info("Unexpected token %s\n", token);
260 /* Got what we expected? */
261 if (!TEST_size_t_eq(rsa_key_exchange_count,
262 expected->rsa_key_exchange_count)
263 || !TEST_size_t_eq(master_secret_count,
264 expected->master_secret_count)
265 || !TEST_size_t_eq(client_early_secret_count,
266 expected->client_early_secret_count)
267 || !TEST_size_t_eq(client_handshake_secret_count,
268 expected->client_handshake_secret_count)
269 || !TEST_size_t_eq(server_handshake_secret_count,
270 expected->server_handshake_secret_count)
271 || !TEST_size_t_eq(client_application_secret_count,
272 expected->client_application_secret_count)
273 || !TEST_size_t_eq(server_application_secret_count,
274 expected->server_application_secret_count)
275 || !TEST_size_t_eq(early_exporter_secret_count,
276 expected->early_exporter_secret_count)
277 || !TEST_size_t_eq(exporter_secret_count,
278 expected->exporter_secret_count))
283 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
284 static int test_keylog(void)
286 SSL_CTX *cctx = NULL, *sctx = NULL;
287 SSL *clientssl = NULL, *serverssl = NULL;
289 struct sslapitest_log_counts expected = {0};
291 /* Clean up logging space */
292 memset(client_log_buffer, 0, sizeof(client_log_buffer));
293 memset(server_log_buffer, 0, sizeof(server_log_buffer));
294 client_log_buffer_index = 0;
295 server_log_buffer_index = 0;
296 error_writing_log = 0;
298 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
300 TLS1_VERSION, TLS_MAX_VERSION,
301 &sctx, &cctx, cert, privkey)))
304 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
305 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
306 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
308 /* We also want to ensure that we use RSA-based key exchange. */
309 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
312 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
313 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
315 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
316 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
317 == client_keylog_callback))
319 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
320 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
321 == server_keylog_callback))
324 /* Now do a handshake and check that the logs have been written to. */
325 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
326 &clientssl, NULL, NULL))
327 || !TEST_true(create_ssl_connection(serverssl, clientssl,
329 || !TEST_false(error_writing_log)
330 || !TEST_int_gt(client_log_buffer_index, 0)
331 || !TEST_int_gt(server_log_buffer_index, 0))
335 * Now we want to test that our output data was vaguely sensible. We
336 * do that by using strtok and confirming that we have more or less the
337 * data we expect. For both client and server, we expect to see one master
338 * secret. The client should also see a RSA key exchange.
340 expected.rsa_key_exchange_count = 1;
341 expected.master_secret_count = 1;
342 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
343 SSL_get_session(clientssl), &expected)))
346 expected.rsa_key_exchange_count = 0;
347 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
348 SSL_get_session(serverssl), &expected)))
363 #ifndef OPENSSL_NO_TLS1_3
364 static int test_keylog_no_master_key(void)
366 SSL_CTX *cctx = NULL, *sctx = NULL;
367 SSL *clientssl = NULL, *serverssl = NULL;
368 SSL_SESSION *sess = NULL;
370 struct sslapitest_log_counts expected = {0};
371 unsigned char buf[1];
372 size_t readbytes, written;
374 /* Clean up logging space */
375 memset(client_log_buffer, 0, sizeof(client_log_buffer));
376 memset(server_log_buffer, 0, sizeof(server_log_buffer));
377 client_log_buffer_index = 0;
378 server_log_buffer_index = 0;
379 error_writing_log = 0;
381 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
382 TLS1_VERSION, TLS_MAX_VERSION,
383 &sctx, &cctx, cert, privkey))
384 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
385 SSL3_RT_MAX_PLAIN_LENGTH))
386 || !TEST_true(SSL_CTX_set_max_early_data(cctx,
387 SSL3_RT_MAX_PLAIN_LENGTH)))
390 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
391 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
394 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
395 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
396 == client_keylog_callback))
399 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
400 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
401 == server_keylog_callback))
404 /* Now do a handshake and check that the logs have been written to. */
405 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
406 &clientssl, NULL, NULL))
407 || !TEST_true(create_ssl_connection(serverssl, clientssl,
409 || !TEST_false(error_writing_log))
413 * Now we want to test that our output data was vaguely sensible. For this
414 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
415 * TLSv1.3, but we do expect both client and server to emit keys.
417 expected.client_handshake_secret_count = 1;
418 expected.server_handshake_secret_count = 1;
419 expected.client_application_secret_count = 1;
420 expected.server_application_secret_count = 1;
421 expected.exporter_secret_count = 1;
422 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
423 SSL_get_session(clientssl), &expected))
424 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
425 SSL_get_session(serverssl),
429 /* Terminate old session and resume with early data. */
430 sess = SSL_get1_session(clientssl);
431 SSL_shutdown(clientssl);
432 SSL_shutdown(serverssl);
435 serverssl = clientssl = NULL;
438 memset(client_log_buffer, 0, sizeof(client_log_buffer));
439 memset(server_log_buffer, 0, sizeof(server_log_buffer));
440 client_log_buffer_index = 0;
441 server_log_buffer_index = 0;
443 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
444 &clientssl, NULL, NULL))
445 || !TEST_true(SSL_set_session(clientssl, sess))
446 /* Here writing 0 length early data is enough. */
447 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
448 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
450 SSL_READ_EARLY_DATA_ERROR)
451 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
452 SSL_EARLY_DATA_ACCEPTED)
453 || !TEST_true(create_ssl_connection(serverssl, clientssl,
455 || !TEST_true(SSL_session_reused(clientssl)))
458 /* In addition to the previous entries, expect early secrets. */
459 expected.client_early_secret_count = 1;
460 expected.early_exporter_secret_count = 1;
461 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
462 SSL_get_session(clientssl), &expected))
463 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
464 SSL_get_session(serverssl),
471 SSL_SESSION_free(sess);
481 #ifndef OPENSSL_NO_TLS1_2
482 static int full_client_hello_callback(SSL *s, int *al, void *arg)
485 const unsigned char *p;
487 /* We only configure two ciphers, but the SCSV is added automatically. */
489 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
491 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
494 const int expected_extensions[] = {
495 #ifndef OPENSSL_NO_EC
501 /* Make sure we can defer processing and get called back. */
503 return SSL_CLIENT_HELLO_RETRY;
505 len = SSL_client_hello_get0_ciphers(s, &p);
506 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
508 SSL_client_hello_get0_compression_methods(s, &p), 1)
509 || !TEST_int_eq(*p, 0))
510 return SSL_CLIENT_HELLO_ERROR;
511 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
512 return SSL_CLIENT_HELLO_ERROR;
513 if (len != OSSL_NELEM(expected_extensions) ||
514 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
515 printf("ClientHello callback expected extensions mismatch\n");
517 return SSL_CLIENT_HELLO_ERROR;
520 return SSL_CLIENT_HELLO_SUCCESS;
523 static int test_client_hello_cb(void)
525 SSL_CTX *cctx = NULL, *sctx = NULL;
526 SSL *clientssl = NULL, *serverssl = NULL;
527 int testctr = 0, testresult = 0;
529 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
530 TLS1_VERSION, TLS_MAX_VERSION,
531 &sctx, &cctx, cert, privkey)))
533 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
535 /* The gimpy cipher list we configure can't do TLS 1.3. */
536 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
538 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
539 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
540 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
541 &clientssl, NULL, NULL))
542 || !TEST_false(create_ssl_connection(serverssl, clientssl,
543 SSL_ERROR_WANT_CLIENT_HELLO_CB))
545 * Passing a -1 literal is a hack since
546 * the real value was lost.
548 || !TEST_int_eq(SSL_get_error(serverssl, -1),
549 SSL_ERROR_WANT_CLIENT_HELLO_CB)
550 || !TEST_true(create_ssl_connection(serverssl, clientssl,
566 static int execute_test_large_message(const SSL_METHOD *smeth,
567 const SSL_METHOD *cmeth,
568 int min_version, int max_version,
571 SSL_CTX *cctx = NULL, *sctx = NULL;
572 SSL *clientssl = NULL, *serverssl = NULL;
576 X509 *chaincert = NULL;
579 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
581 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
584 if (!TEST_ptr(chaincert))
587 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
588 &sctx, &cctx, cert, privkey)))
593 * Test that read_ahead works correctly when dealing with large
596 SSL_CTX_set_read_ahead(cctx, 1);
600 * We assume the supplied certificate is big enough so that if we add
601 * NUM_EXTRA_CERTS it will make the overall message large enough. The
602 * default buffer size is requested to be 16k, but due to the way BUF_MEM
603 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
604 * test we need to have a message larger than that.
606 certlen = i2d_X509(chaincert, NULL);
607 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
608 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
609 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
610 if (!X509_up_ref(chaincert))
612 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
613 X509_free(chaincert);
618 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
620 || !TEST_true(create_ssl_connection(serverssl, clientssl,
625 * Calling SSL_clear() first is not required but this tests that SSL_clear()
626 * doesn't leak (when using enable-crypto-mdebug).
628 if (!TEST_true(SSL_clear(serverssl)))
633 X509_free(chaincert);
642 static int test_large_message_tls(void)
644 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
645 TLS1_VERSION, TLS_MAX_VERSION,
649 static int test_large_message_tls_read_ahead(void)
651 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
652 TLS1_VERSION, TLS_MAX_VERSION,
656 #ifndef OPENSSL_NO_DTLS
657 static int test_large_message_dtls(void)
660 * read_ahead is not relevant to DTLS because DTLS always acts as if
663 return execute_test_large_message(DTLS_server_method(),
664 DTLS_client_method(),
665 DTLS1_VERSION, DTLS_MAX_VERSION,
670 #ifndef OPENSSL_NO_OCSP
671 static int ocsp_server_cb(SSL *s, void *arg)
673 int *argi = (int *)arg;
674 unsigned char *copy = NULL;
675 STACK_OF(OCSP_RESPID) *ids = NULL;
676 OCSP_RESPID *id = NULL;
679 /* In this test we are expecting exactly 1 OCSP_RESPID */
680 SSL_get_tlsext_status_ids(s, &ids);
681 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
682 return SSL_TLSEXT_ERR_ALERT_FATAL;
684 id = sk_OCSP_RESPID_value(ids, 0);
685 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
686 return SSL_TLSEXT_ERR_ALERT_FATAL;
687 } else if (*argi != 1) {
688 return SSL_TLSEXT_ERR_ALERT_FATAL;
691 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
692 return SSL_TLSEXT_ERR_ALERT_FATAL;
694 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
695 ocsp_server_called = 1;
696 return SSL_TLSEXT_ERR_OK;
699 static int ocsp_client_cb(SSL *s, void *arg)
701 int *argi = (int *)arg;
702 const unsigned char *respderin;
705 if (*argi != 1 && *argi != 2)
708 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
709 if (!TEST_mem_eq(orespder, len, respderin, len))
712 ocsp_client_called = 1;
716 static int test_tlsext_status_type(void)
718 SSL_CTX *cctx = NULL, *sctx = NULL;
719 SSL *clientssl = NULL, *serverssl = NULL;
721 STACK_OF(OCSP_RESPID) *ids = NULL;
722 OCSP_RESPID *id = NULL;
725 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
726 TLS1_VERSION, TLS_MAX_VERSION,
727 &sctx, &cctx, cert, privkey))
730 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
733 /* First just do various checks getting and setting tlsext_status_type */
735 clientssl = SSL_new(cctx);
736 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
737 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
738 TLSEXT_STATUSTYPE_ocsp))
739 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
740 TLSEXT_STATUSTYPE_ocsp))
746 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
747 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
750 clientssl = SSL_new(cctx);
751 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
757 * Now actually do a handshake and check OCSP information is exchanged and
758 * the callbacks get called
760 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
761 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
762 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
763 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
764 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
765 &clientssl, NULL, NULL))
766 || !TEST_true(create_ssl_connection(serverssl, clientssl,
768 || !TEST_true(ocsp_client_called)
769 || !TEST_true(ocsp_server_called))
776 /* Try again but this time force the server side callback to fail */
777 ocsp_client_called = 0;
778 ocsp_server_called = 0;
780 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
781 &clientssl, NULL, NULL))
782 /* This should fail because the callback will fail */
783 || !TEST_false(create_ssl_connection(serverssl, clientssl,
785 || !TEST_false(ocsp_client_called)
786 || !TEST_false(ocsp_server_called))
794 * This time we'll get the client to send an OCSP_RESPID that it will
797 ocsp_client_called = 0;
798 ocsp_server_called = 0;
800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
801 &clientssl, NULL, NULL)))
805 * We'll just use any old cert for this test - it doesn't have to be an OCSP
806 * specific one. We'll use the server cert.
808 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
809 || !TEST_ptr(id = OCSP_RESPID_new())
810 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
811 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
813 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
814 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
817 SSL_set_tlsext_status_ids(clientssl, ids);
818 /* Control has been transferred */
824 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
826 || !TEST_true(ocsp_client_called)
827 || !TEST_true(ocsp_server_called))
837 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
838 OCSP_RESPID_free(id);
847 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
848 static int new_called, remove_called, get_called;
850 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
854 * sess has been up-refed for us, but we don't actually need it so free it
857 SSL_SESSION_free(sess);
861 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
866 static SSL_SESSION *get_sess_val = NULL;
868 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
876 static int execute_test_session(int maxprot, int use_int_cache,
879 SSL_CTX *sctx = NULL, *cctx = NULL;
880 SSL *serverssl1 = NULL, *clientssl1 = NULL;
881 SSL *serverssl2 = NULL, *clientssl2 = NULL;
882 # ifndef OPENSSL_NO_TLS1_1
883 SSL *serverssl3 = NULL, *clientssl3 = NULL;
885 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
888 new_called = remove_called = 0;
890 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
891 TLS1_VERSION, TLS_MAX_VERSION,
892 &sctx, &cctx, cert, privkey)))
896 * Only allow the max protocol version so we can force a connection failure
899 SSL_CTX_set_min_proto_version(cctx, maxprot);
900 SSL_CTX_set_max_proto_version(cctx, maxprot);
902 /* Set up session cache */
904 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
905 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
908 /* Also covers instance where both are set */
909 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
911 SSL_CTX_set_session_cache_mode(cctx,
912 SSL_SESS_CACHE_CLIENT
913 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
916 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
918 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
920 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
923 /* Should fail because it should already be in the cache */
924 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
927 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
930 new_called = remove_called = 0;
931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
932 &clientssl2, NULL, NULL))
933 || !TEST_true(SSL_set_session(clientssl2, sess1))
934 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
936 || !TEST_true(SSL_session_reused(clientssl2)))
939 if (maxprot == TLS1_3_VERSION) {
941 * In TLSv1.3 we should have created a new session even though we have
942 * resumed. The original session should also have been removed.
945 && (!TEST_int_eq(new_called, 1)
946 || !TEST_int_eq(remove_called, 1)))
950 * In TLSv1.2 we expect to have resumed so no sessions added or
954 && (!TEST_int_eq(new_called, 0)
955 || !TEST_int_eq(remove_called, 0)))
959 SSL_SESSION_free(sess1);
960 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
962 shutdown_ssl_connection(serverssl2, clientssl2);
963 serverssl2 = clientssl2 = NULL;
965 new_called = remove_called = 0;
966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
967 &clientssl2, NULL, NULL))
968 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
972 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
976 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
979 new_called = remove_called = 0;
981 * This should clear sess2 from the cache because it is a "bad" session.
982 * See SSL_set_session() documentation.
984 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
987 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
989 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
993 /* Should succeeded because it should not already be in the cache */
994 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
995 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
999 new_called = remove_called = 0;
1000 /* This shouldn't be in the cache so should fail */
1001 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1005 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1008 # if !defined(OPENSSL_NO_TLS1_1)
1009 new_called = remove_called = 0;
1010 /* Force a connection failure */
1011 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1012 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1013 &clientssl3, NULL, NULL))
1014 || !TEST_true(SSL_set_session(clientssl3, sess1))
1015 /* This should fail because of the mismatched protocol versions */
1016 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1020 /* We should have automatically removed the session from the cache */
1022 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1025 /* Should succeed because it should not already be in the cache */
1026 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1030 /* Now do some tests for server side caching */
1031 if (use_ext_cache) {
1032 SSL_CTX_sess_set_new_cb(cctx, NULL);
1033 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1034 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1035 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1036 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1037 get_sess_val = NULL;
1040 SSL_CTX_set_session_cache_mode(cctx, 0);
1041 /* Internal caching is the default on the server side */
1043 SSL_CTX_set_session_cache_mode(sctx,
1044 SSL_SESS_CACHE_SERVER
1045 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1047 SSL_free(serverssl1);
1048 SSL_free(clientssl1);
1049 serverssl1 = clientssl1 = NULL;
1050 SSL_free(serverssl2);
1051 SSL_free(clientssl2);
1052 serverssl2 = clientssl2 = NULL;
1053 SSL_SESSION_free(sess1);
1055 SSL_SESSION_free(sess2);
1058 SSL_CTX_set_max_proto_version(sctx, maxprot);
1059 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1060 new_called = remove_called = get_called = 0;
1061 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1063 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1065 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1066 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1069 /* Should fail because it should already be in the cache */
1070 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
1073 if (use_ext_cache) {
1074 SSL_SESSION *tmp = sess2;
1076 if (!TEST_int_eq(new_called, 1)
1077 || !TEST_int_eq(remove_called, 0)
1078 || !TEST_int_eq(get_called, 0))
1081 * Delete the session from the internal cache to force a lookup from
1082 * the external cache. We take a copy first because
1083 * SSL_CTX_remove_session() also marks the session as non-resumable.
1085 if (use_int_cache) {
1086 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1087 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1089 SSL_SESSION_free(sess2);
1094 new_called = remove_called = get_called = 0;
1095 get_sess_val = sess2;
1096 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1097 &clientssl2, NULL, NULL))
1098 || !TEST_true(SSL_set_session(clientssl2, sess1))
1099 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1101 || !TEST_true(SSL_session_reused(clientssl2)))
1104 if (use_ext_cache) {
1105 if (!TEST_int_eq(remove_called, 0))
1108 if (maxprot == TLS1_3_VERSION) {
1110 * Every time we issue a NewSessionTicket we are creating a new
1111 * session for next time in TLSv1.3
1113 if (!TEST_int_eq(new_called, 1)
1114 || !TEST_int_eq(get_called, 0))
1117 if (!TEST_int_eq(new_called, 0)
1118 || !TEST_int_eq(get_called, 1))
1126 SSL_free(serverssl1);
1127 SSL_free(clientssl1);
1128 SSL_free(serverssl2);
1129 SSL_free(clientssl2);
1130 # ifndef OPENSSL_NO_TLS1_1
1131 SSL_free(serverssl3);
1132 SSL_free(clientssl3);
1134 SSL_SESSION_free(sess1);
1135 SSL_SESSION_free(sess2);
1141 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1143 static int test_session_with_only_int_cache(void)
1145 #ifndef OPENSSL_NO_TLS1_3
1146 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1150 #ifndef OPENSSL_NO_TLS1_2
1151 return execute_test_session(TLS1_2_VERSION, 1, 0);
1157 static int test_session_with_only_ext_cache(void)
1159 #ifndef OPENSSL_NO_TLS1_3
1160 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1164 #ifndef OPENSSL_NO_TLS1_2
1165 return execute_test_session(TLS1_2_VERSION, 0, 1);
1171 static int test_session_with_both_cache(void)
1173 #ifndef OPENSSL_NO_TLS1_3
1174 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1178 #ifndef OPENSSL_NO_TLS1_2
1179 return execute_test_session(TLS1_2_VERSION, 1, 1);
1188 #define USE_DEFAULT 3
1190 #define CONNTYPE_CONNECTION_SUCCESS 0
1191 #define CONNTYPE_CONNECTION_FAIL 1
1192 #define CONNTYPE_NO_CONNECTION 2
1194 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1195 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1196 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1197 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1199 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1203 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1204 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1205 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1207 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1224 * Tests calls to SSL_set_bio() under various conditions.
1226 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1227 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1228 * then do more tests where we create a successful connection first using our
1229 * standard connection setup functions, and then call SSL_set_bio() with
1230 * various combinations of valid BIOs or NULL. We then repeat these tests
1231 * following a failed connection. In this last case we are looking to check that
1232 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1234 static int test_ssl_set_bio(int idx)
1236 SSL_CTX *sctx = NULL, *cctx = NULL;
1239 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1240 SSL *serverssl = NULL, *clientssl = NULL;
1241 int initrbio, initwbio, newrbio, newwbio, conntype;
1244 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1252 conntype = CONNTYPE_NO_CONNECTION;
1254 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1255 initrbio = initwbio = USE_DEFAULT;
1263 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1264 TLS1_VERSION, TLS_MAX_VERSION,
1265 &sctx, &cctx, cert, privkey)))
1268 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1270 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1271 * because we reduced the number of tests in the definition of
1272 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1273 * mismatched protocol versions we will force a connection failure.
1275 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1276 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1279 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1283 if (initrbio == USE_BIO_1
1284 || initwbio == USE_BIO_1
1285 || newrbio == USE_BIO_1
1286 || newwbio == USE_BIO_1) {
1287 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1291 if (initrbio == USE_BIO_2
1292 || initwbio == USE_BIO_2
1293 || newrbio == USE_BIO_2
1294 || newwbio == USE_BIO_2) {
1295 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1299 if (initrbio != USE_DEFAULT) {
1300 setupbio(&irbio, bio1, bio2, initrbio);
1301 setupbio(&iwbio, bio1, bio2, initwbio);
1302 SSL_set_bio(clientssl, irbio, iwbio);
1305 * We want to maintain our own refs to these BIO, so do an up ref for
1306 * each BIO that will have ownership transferred in the SSL_set_bio()
1311 if (iwbio != NULL && iwbio != irbio)
1315 if (conntype != CONNTYPE_NO_CONNECTION
1316 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1318 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1321 setupbio(&nrbio, bio1, bio2, newrbio);
1322 setupbio(&nwbio, bio1, bio2, newwbio);
1325 * We will (maybe) transfer ownership again so do more up refs.
1326 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1331 && (nwbio != iwbio || nrbio != nwbio))
1335 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1338 SSL_set_bio(clientssl, nrbio, nwbio);
1347 * This test is checking that the ref counting for SSL_set_bio is correct.
1348 * If we get here and we did too many frees then we will fail in the above
1349 * functions. If we haven't done enough then this will only be detected in
1350 * a crypto-mdebug build
1352 SSL_free(serverssl);
1353 SSL_free(clientssl);
1359 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1361 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1363 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1368 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1369 || !TEST_ptr(ssl = SSL_new(ctx))
1370 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1371 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1374 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1377 * If anything goes wrong here then we could leak memory, so this will
1378 * be caught in a crypto-mdebug build
1380 BIO_push(sslbio, membio1);
1382 /* Verify changing the rbio/wbio directly does not cause leaks */
1383 if (change_bio != NO_BIO_CHANGE) {
1384 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1386 if (change_bio == CHANGE_RBIO)
1387 SSL_set0_rbio(ssl, membio2);
1389 SSL_set0_wbio(ssl, membio2);
1408 static int test_ssl_bio_pop_next_bio(void)
1410 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1413 static int test_ssl_bio_pop_ssl_bio(void)
1415 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1418 static int test_ssl_bio_change_rbio(void)
1420 return execute_test_ssl_bio(0, CHANGE_RBIO);
1423 static int test_ssl_bio_change_wbio(void)
1425 return execute_test_ssl_bio(0, CHANGE_WBIO);
1428 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1430 /* The list of sig algs */
1432 /* The length of the list */
1434 /* A sigalgs list in string format */
1435 const char *liststr;
1436 /* Whether setting the list should succeed */
1438 /* Whether creating a connection with the list should succeed */
1442 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1443 # ifndef OPENSSL_NO_EC
1444 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1445 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1447 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1448 static const int invalidlist2[] = {NID_sha256, NID_undef};
1449 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1450 static const int invalidlist4[] = {NID_sha256};
1451 static const sigalgs_list testsigalgs[] = {
1452 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1453 # ifndef OPENSSL_NO_EC
1454 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1455 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1457 {NULL, 0, "RSA+SHA256", 1, 1},
1458 # ifndef OPENSSL_NO_EC
1459 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1460 {NULL, 0, "ECDSA+SHA512", 1, 0},
1462 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1463 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1464 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1465 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1466 {NULL, 0, "RSA", 0, 0},
1467 {NULL, 0, "SHA256", 0, 0},
1468 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1469 {NULL, 0, "Invalid", 0, 0}
1472 static int test_set_sigalgs(int idx)
1474 SSL_CTX *cctx = NULL, *sctx = NULL;
1475 SSL *clientssl = NULL, *serverssl = NULL;
1477 const sigalgs_list *curr;
1480 /* Should never happen */
1481 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1484 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1485 curr = testctx ? &testsigalgs[idx]
1486 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1488 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1489 TLS1_VERSION, TLS_MAX_VERSION,
1490 &sctx, &cctx, cert, privkey)))
1494 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1495 * for TLSv1.2 for now until we add a new API.
1497 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1502 if (curr->list != NULL)
1503 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1505 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1509 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1515 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1521 &clientssl, NULL, NULL)))
1527 if (curr->list != NULL)
1528 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1530 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1533 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1542 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1550 SSL_free(serverssl);
1551 SSL_free(clientssl);
1559 #ifndef OPENSSL_NO_TLS1_3
1561 static SSL_SESSION *clientpsk = NULL;
1562 static SSL_SESSION *serverpsk = NULL;
1563 static const char *pskid = "Identity";
1564 static const char *srvid;
1566 static int use_session_cb_cnt = 0;
1567 static int find_session_cb_cnt = 0;
1568 static int psk_client_cb_cnt = 0;
1569 static int psk_server_cb_cnt = 0;
1571 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1572 size_t *idlen, SSL_SESSION **sess)
1574 switch (++use_session_cb_cnt) {
1576 /* The first call should always have a NULL md */
1582 /* The second call should always have an md */
1588 /* We should only be called a maximum of twice */
1592 if (clientpsk != NULL)
1593 SSL_SESSION_up_ref(clientpsk);
1596 *id = (const unsigned char *)pskid;
1597 *idlen = strlen(pskid);
1602 #ifndef OPENSSL_NO_PSK
1603 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1604 unsigned int max_id_len,
1606 unsigned int max_psk_len)
1608 unsigned int psklen = 0;
1610 psk_client_cb_cnt++;
1612 if (strlen(pskid) + 1 > max_id_len)
1615 /* We should only ever be called a maximum of twice per connection */
1616 if (psk_client_cb_cnt > 2)
1619 if (clientpsk == NULL)
1622 /* We'll reuse the PSK we set up for TLSv1.3 */
1623 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1625 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1626 strncpy(id, pskid, max_id_len);
1630 #endif /* OPENSSL_NO_PSK */
1632 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1633 size_t identity_len, SSL_SESSION **sess)
1635 find_session_cb_cnt++;
1637 /* We should only ever be called a maximum of twice per connection */
1638 if (find_session_cb_cnt > 2)
1641 if (serverpsk == NULL)
1644 /* Identity should match that set by the client */
1645 if (strlen(srvid) != identity_len
1646 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1647 /* No PSK found, continue but without a PSK */
1652 SSL_SESSION_up_ref(serverpsk);
1658 #ifndef OPENSSL_NO_PSK
1659 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1660 unsigned char *psk, unsigned int max_psk_len)
1662 unsigned int psklen = 0;
1664 psk_server_cb_cnt++;
1666 /* We should only ever be called a maximum of twice per connection */
1667 if (find_session_cb_cnt > 2)
1670 if (serverpsk == NULL)
1673 /* Identity should match that set by the client */
1674 if (strcmp(srvid, identity) != 0) {
1678 /* We'll reuse the PSK we set up for TLSv1.3 */
1679 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1681 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1685 #endif /* OPENSSL_NO_PSK */
1687 #define MSG1 "Hello"
1688 #define MSG2 "World."
1693 #define MSG7 "message."
1695 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1696 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1699 * Helper method to setup objects for early data test. Caller frees objects on
1702 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1703 SSL **serverssl, SSL_SESSION **sess, int idx)
1705 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1706 TLS1_VERSION, TLS_MAX_VERSION,
1707 sctx, cctx, cert, privkey))
1708 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1709 SSL3_RT_MAX_PLAIN_LENGTH))
1710 || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
1711 SSL3_RT_MAX_PLAIN_LENGTH)))
1715 /* When idx == 1 we repeat the tests with read_ahead set */
1716 SSL_CTX_set_read_ahead(*cctx, 1);
1717 SSL_CTX_set_read_ahead(*sctx, 1);
1718 } else if (idx == 2) {
1719 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1720 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1721 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1722 use_session_cb_cnt = 0;
1723 find_session_cb_cnt = 0;
1727 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1732 * For one of the run throughs (doesn't matter which one), we'll try sending
1733 * some SNI data in the initial ClientHello. This will be ignored (because
1734 * there is no SNI cb set up by the server), so it should not impact
1738 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1742 /* Create the PSK */
1743 const SSL_CIPHER *cipher = NULL;
1744 const unsigned char key[] = {
1745 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1746 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1747 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1748 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1749 0x2c, 0x2d, 0x2e, 0x2f
1752 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1753 clientpsk = SSL_SESSION_new();
1754 if (!TEST_ptr(clientpsk)
1755 || !TEST_ptr(cipher)
1756 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1758 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1760 SSL_SESSION_set_protocol_version(clientpsk,
1763 * We just choose an arbitrary value for max_early_data which
1764 * should be big enough for testing purposes.
1766 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1768 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1769 SSL_SESSION_free(clientpsk);
1773 serverpsk = clientpsk;
1783 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1787 *sess = SSL_get1_session(*clientssl);
1788 SSL_shutdown(*clientssl);
1789 SSL_shutdown(*serverssl);
1790 SSL_free(*serverssl);
1791 SSL_free(*clientssl);
1792 *serverssl = *clientssl = NULL;
1794 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1795 clientssl, NULL, NULL))
1796 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1802 static int test_early_data_read_write(int idx)
1804 SSL_CTX *cctx = NULL, *sctx = NULL;
1805 SSL *clientssl = NULL, *serverssl = NULL;
1807 SSL_SESSION *sess = NULL;
1808 unsigned char buf[20], data[1024];
1809 size_t readbytes, written, eoedlen, rawread, rawwritten;
1812 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1813 &serverssl, &sess, idx)))
1816 /* Write and read some early data */
1817 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1819 || !TEST_size_t_eq(written, strlen(MSG1))
1820 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1821 sizeof(buf), &readbytes),
1822 SSL_READ_EARLY_DATA_SUCCESS)
1823 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1824 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1825 SSL_EARLY_DATA_ACCEPTED))
1829 * Server should be able to write data, and client should be able to
1832 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1834 || !TEST_size_t_eq(written, strlen(MSG2))
1835 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1836 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1839 /* Even after reading normal data, client should be able write early data */
1840 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1842 || !TEST_size_t_eq(written, strlen(MSG3)))
1845 /* Server should still be able read early data after writing data */
1846 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1848 SSL_READ_EARLY_DATA_SUCCESS)
1849 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1852 /* Write more data from server and read it from client */
1853 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1855 || !TEST_size_t_eq(written, strlen(MSG4))
1856 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1857 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1861 * If client writes normal data it should mean writing early data is no
1864 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1865 || !TEST_size_t_eq(written, strlen(MSG5))
1866 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1867 SSL_EARLY_DATA_ACCEPTED))
1871 * At this point the client has written EndOfEarlyData, ClientFinished and
1872 * normal (fully protected) data. We are going to cause a delay between the
1873 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1874 * in the read BIO, and then just put back the EndOfEarlyData message.
1876 rbio = SSL_get_rbio(serverssl);
1877 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1878 || !TEST_size_t_lt(rawread, sizeof(data))
1879 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1882 /* Record length is in the 4th and 5th bytes of the record header */
1883 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1884 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1885 || !TEST_size_t_eq(rawwritten, eoedlen))
1888 /* Server should be told that there is no more early data */
1889 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1891 SSL_READ_EARLY_DATA_FINISH)
1892 || !TEST_size_t_eq(readbytes, 0))
1896 * Server has not finished init yet, so should still be able to write early
1899 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1901 || !TEST_size_t_eq(written, strlen(MSG6)))
1904 /* Push the ClientFinished and the normal data back into the server rbio */
1905 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1907 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1910 /* Server should be able to read normal data */
1911 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1912 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1915 /* Client and server should not be able to write/read early data now */
1916 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1920 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1922 SSL_READ_EARLY_DATA_ERROR))
1926 /* Client should be able to read the data sent by the server */
1927 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1928 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1932 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1933 * We attempt a read which we do not expect to return any data.
1935 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1938 /* Server should be able to write normal data */
1939 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1940 || !TEST_size_t_eq(written, strlen(MSG7))
1941 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1942 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1945 /* We keep the PSK session around if using PSK */
1947 SSL_SESSION_free(sess);
1948 sess = SSL_get1_session(clientssl);
1949 use_session_cb_cnt = 0;
1950 find_session_cb_cnt = 0;
1952 SSL_shutdown(clientssl);
1953 SSL_shutdown(serverssl);
1954 SSL_free(serverssl);
1955 SSL_free(clientssl);
1956 serverssl = clientssl = NULL;
1957 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1958 &clientssl, NULL, NULL))
1959 || !TEST_true(SSL_set_session(clientssl, sess)))
1962 /* Write and read some early data */
1963 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1965 || !TEST_size_t_eq(written, strlen(MSG1))
1966 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1968 SSL_READ_EARLY_DATA_SUCCESS)
1969 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1972 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1973 || !TEST_int_gt(SSL_accept(serverssl), 0))
1976 /* Client and server should not be able to write/read early data now */
1977 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1981 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1983 SSL_READ_EARLY_DATA_ERROR))
1987 /* Client and server should be able to write/read normal data */
1988 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1989 || !TEST_size_t_eq(written, strlen(MSG5))
1990 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1991 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1997 if (sess != clientpsk)
1998 SSL_SESSION_free(sess);
1999 SSL_SESSION_free(clientpsk);
2000 SSL_SESSION_free(serverpsk);
2001 clientpsk = serverpsk = NULL;
2002 SSL_free(serverssl);
2003 SSL_free(clientssl);
2009 static int test_early_data_replay(int idx)
2011 SSL_CTX *cctx = NULL, *sctx = NULL;
2012 SSL *clientssl = NULL, *serverssl = NULL;
2014 SSL_SESSION *sess = NULL;
2016 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2017 &serverssl, &sess, idx)))
2021 * The server is configured to accept early data. Create a connection to
2022 * "use up" the ticket
2024 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2025 || !TEST_true(SSL_session_reused(clientssl)))
2028 SSL_shutdown(clientssl);
2029 SSL_shutdown(serverssl);
2030 SSL_free(serverssl);
2031 SSL_free(clientssl);
2032 serverssl = clientssl = NULL;
2034 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2035 &clientssl, NULL, NULL))
2036 || !TEST_true(SSL_set_session(clientssl, sess))
2037 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2040 * This time we should not have resumed the session because we
2041 * already used it once.
2043 || !TEST_false(SSL_session_reused(clientssl)))
2049 if (sess != clientpsk)
2050 SSL_SESSION_free(sess);
2051 SSL_SESSION_free(clientpsk);
2052 SSL_SESSION_free(serverpsk);
2053 clientpsk = serverpsk = NULL;
2054 SSL_free(serverssl);
2055 SSL_free(clientssl);
2062 * Helper function to test that a server attempting to read early data can
2063 * handle a connection from a client where the early data should be skipped.
2065 static int early_data_skip_helper(int hrr, int idx)
2067 SSL_CTX *cctx = NULL, *sctx = NULL;
2068 SSL *clientssl = NULL, *serverssl = NULL;
2070 SSL_SESSION *sess = NULL;
2071 unsigned char buf[20];
2072 size_t readbytes, written;
2074 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2075 &serverssl, &sess, idx)))
2079 /* Force an HRR to occur */
2080 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2082 } else if (idx == 2) {
2084 * We force early_data rejection by ensuring the PSK identity is
2087 srvid = "Dummy Identity";
2090 * Deliberately corrupt the creation time. We take 20 seconds off the
2091 * time. It could be any value as long as it is not within tolerance.
2092 * This should mean the ticket is rejected.
2094 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2098 /* Write some early data */
2099 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2101 || !TEST_size_t_eq(written, strlen(MSG1)))
2104 /* Server should reject the early data and skip over it */
2105 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2107 SSL_READ_EARLY_DATA_FINISH)
2108 || !TEST_size_t_eq(readbytes, 0)
2109 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2110 SSL_EARLY_DATA_REJECTED))
2115 * Finish off the handshake. We perform the same writes and reads as
2116 * further down but we expect them to fail due to the incomplete
2119 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2120 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2125 /* Should be able to send normal data despite rejection of early data */
2126 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2127 || !TEST_size_t_eq(written, strlen(MSG2))
2128 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2129 SSL_EARLY_DATA_REJECTED)
2130 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2131 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2137 if (sess != clientpsk)
2138 SSL_SESSION_free(clientpsk);
2139 SSL_SESSION_free(serverpsk);
2140 clientpsk = serverpsk = NULL;
2141 SSL_SESSION_free(sess);
2142 SSL_free(serverssl);
2143 SSL_free(clientssl);
2150 * Test that a server attempting to read early data can handle a connection
2151 * from a client where the early data is not acceptable.
2153 static int test_early_data_skip(int idx)
2155 return early_data_skip_helper(0, idx);
2159 * Test that a server attempting to read early data can handle a connection
2160 * from a client where an HRR occurs.
2162 static int test_early_data_skip_hrr(int idx)
2164 return early_data_skip_helper(1, idx);
2168 * Test that a server attempting to read early data can handle a connection
2169 * from a client that doesn't send any.
2171 static int test_early_data_not_sent(int idx)
2173 SSL_CTX *cctx = NULL, *sctx = NULL;
2174 SSL *clientssl = NULL, *serverssl = NULL;
2176 SSL_SESSION *sess = NULL;
2177 unsigned char buf[20];
2178 size_t readbytes, written;
2180 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2181 &serverssl, &sess, idx)))
2184 /* Write some data - should block due to handshake with server */
2185 SSL_set_connect_state(clientssl);
2186 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2189 /* Server should detect that early data has not been sent */
2190 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2192 SSL_READ_EARLY_DATA_FINISH)
2193 || !TEST_size_t_eq(readbytes, 0)
2194 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2195 SSL_EARLY_DATA_NOT_SENT)
2196 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2197 SSL_EARLY_DATA_NOT_SENT))
2200 /* Continue writing the message we started earlier */
2201 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2202 || !TEST_size_t_eq(written, strlen(MSG1))
2203 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2204 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2205 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2206 || !TEST_size_t_eq(written, strlen(MSG2)))
2210 * Should block due to the NewSessionTicket arrival unless we're using
2214 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2218 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2219 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2225 /* If using PSK then clientpsk and sess are the same */
2226 SSL_SESSION_free(sess);
2227 SSL_SESSION_free(serverpsk);
2228 clientpsk = serverpsk = NULL;
2229 SSL_free(serverssl);
2230 SSL_free(clientssl);
2236 static int hostname_cb(SSL *s, int *al, void *arg)
2238 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2240 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2241 return SSL_TLSEXT_ERR_OK;
2243 return SSL_TLSEXT_ERR_NOACK;
2246 static const char *servalpn;
2248 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2249 unsigned char *outlen, const unsigned char *in,
2250 unsigned int inlen, void *arg)
2252 unsigned int protlen = 0;
2253 const unsigned char *prot;
2255 for (prot = in; prot < in + inlen; prot += protlen) {
2257 if (in + inlen < prot + protlen)
2258 return SSL_TLSEXT_ERR_NOACK;
2260 if (protlen == strlen(servalpn)
2261 && memcmp(prot, servalpn, protlen) == 0) {
2264 return SSL_TLSEXT_ERR_OK;
2268 return SSL_TLSEXT_ERR_NOACK;
2271 /* Test that a PSK can be used to send early_data */
2272 static int test_early_data_psk(int idx)
2274 SSL_CTX *cctx = NULL, *sctx = NULL;
2275 SSL *clientssl = NULL, *serverssl = NULL;
2277 SSL_SESSION *sess = NULL;
2278 unsigned char alpnlist[] = {
2279 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2282 #define GOODALPNLEN 9
2283 #define BADALPNLEN 8
2284 #define GOODALPN (alpnlist)
2285 #define BADALPN (alpnlist + GOODALPNLEN)
2287 unsigned char buf[20];
2288 size_t readbytes, written;
2289 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2290 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2292 /* We always set this up with a final parameter of "2" for PSK */
2293 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2294 &serverssl, &sess, 2)))
2297 servalpn = "goodalpn";
2300 * Note: There is no test for inconsistent SNI with late client detection.
2301 * This is because servers do not acknowledge SNI even if they are using
2302 * it in a resumption handshake - so it is not actually possible for a
2303 * client to detect a problem.
2307 /* Set inconsistent SNI (early client detection) */
2308 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2309 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2310 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2315 /* Set inconsistent ALPN (early client detection) */
2316 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2317 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2318 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2320 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2327 * Set invalid protocol version. Technically this affects PSKs without
2328 * early_data too, but we test it here because it is similar to the
2329 * SNI/ALPN consistency tests.
2331 err = SSL_R_BAD_PSK;
2332 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2338 * Set inconsistent SNI (server detected). In this case the connection
2339 * will succeed but reject early_data.
2341 SSL_SESSION_free(serverpsk);
2342 serverpsk = SSL_SESSION_dup(clientpsk);
2343 if (!TEST_ptr(serverpsk)
2344 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2346 edstatus = SSL_EARLY_DATA_REJECTED;
2347 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2350 /* Set consistent SNI */
2351 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2352 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2353 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2360 * Set inconsistent ALPN (server detected). In this case the connection
2361 * will succeed but reject early_data.
2363 servalpn = "badalpn";
2364 edstatus = SSL_EARLY_DATA_REJECTED;
2365 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2369 * Set consistent ALPN.
2370 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2371 * accepts a list of protos (each one length prefixed).
2372 * SSL_set1_alpn_selected accepts a single protocol (not length
2375 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2377 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2381 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2385 /* Set inconsistent ALPN (late client detection) */
2386 SSL_SESSION_free(serverpsk);
2387 serverpsk = SSL_SESSION_dup(clientpsk);
2388 if (!TEST_ptr(serverpsk)
2389 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2392 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2395 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2398 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2399 edstatus = SSL_EARLY_DATA_ACCEPTED;
2400 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2401 /* SSL_connect() call should fail */
2406 TEST_error("Bad test index");
2410 SSL_set_connect_state(clientssl);
2412 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2414 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2415 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2418 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2422 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2423 &readbytes), readearlyres)
2424 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2425 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2426 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2427 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2434 SSL_SESSION_free(clientpsk);
2435 SSL_SESSION_free(serverpsk);
2436 clientpsk = serverpsk = NULL;
2437 SSL_free(serverssl);
2438 SSL_free(clientssl);
2445 * Test that a server that doesn't try to read early data can handle a
2446 * client sending some.
2448 static int test_early_data_not_expected(int idx)
2450 SSL_CTX *cctx = NULL, *sctx = NULL;
2451 SSL *clientssl = NULL, *serverssl = NULL;
2453 SSL_SESSION *sess = NULL;
2454 unsigned char buf[20];
2455 size_t readbytes, written;
2457 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2458 &serverssl, &sess, idx)))
2461 /* Write some early data */
2462 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2467 * Server should skip over early data and then block waiting for client to
2468 * continue handshake
2470 if (!TEST_int_le(SSL_accept(serverssl), 0)
2471 || !TEST_int_gt(SSL_connect(clientssl), 0)
2472 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2473 SSL_EARLY_DATA_REJECTED)
2474 || !TEST_int_gt(SSL_accept(serverssl), 0)
2475 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2476 SSL_EARLY_DATA_REJECTED))
2479 /* Send some normal data from client to server */
2480 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2481 || !TEST_size_t_eq(written, strlen(MSG2)))
2484 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2485 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2491 /* If using PSK then clientpsk and sess are the same */
2492 SSL_SESSION_free(sess);
2493 SSL_SESSION_free(serverpsk);
2494 clientpsk = serverpsk = NULL;
2495 SSL_free(serverssl);
2496 SSL_free(clientssl);
2503 # ifndef OPENSSL_NO_TLS1_2
2505 * Test that a server attempting to read early data can handle a connection
2506 * from a TLSv1.2 client.
2508 static int test_early_data_tls1_2(int idx)
2510 SSL_CTX *cctx = NULL, *sctx = NULL;
2511 SSL *clientssl = NULL, *serverssl = NULL;
2513 unsigned char buf[20];
2514 size_t readbytes, written;
2516 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2517 &serverssl, NULL, idx)))
2520 /* Write some data - should block due to handshake with server */
2521 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2522 SSL_set_connect_state(clientssl);
2523 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2527 * Server should do TLSv1.2 handshake. First it will block waiting for more
2528 * messages from client after ServerDone. Then SSL_read_early_data should
2529 * finish and detect that early data has not been sent
2531 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2533 SSL_READ_EARLY_DATA_ERROR))
2537 * Continue writing the message we started earlier. Will still block waiting
2538 * for the CCS/Finished from server
2540 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2541 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2543 SSL_READ_EARLY_DATA_FINISH)
2544 || !TEST_size_t_eq(readbytes, 0)
2545 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2546 SSL_EARLY_DATA_NOT_SENT))
2549 /* Continue writing the message we started earlier */
2550 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2551 || !TEST_size_t_eq(written, strlen(MSG1))
2552 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2553 SSL_EARLY_DATA_NOT_SENT)
2554 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2555 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2556 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2557 || !TEST_size_t_eq(written, strlen(MSG2))
2558 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2559 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2565 /* If using PSK then clientpsk and sess are the same */
2566 SSL_SESSION_free(clientpsk);
2567 SSL_SESSION_free(serverpsk);
2568 clientpsk = serverpsk = NULL;
2569 SSL_free(serverssl);
2570 SSL_free(clientssl);
2576 # endif /* OPENSSL_NO_TLS1_2 */
2579 * Test configuring the TLSv1.3 ciphersuites
2581 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2582 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2583 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2584 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2585 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2586 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2587 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2588 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2589 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2590 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2592 static int test_set_ciphersuite(int idx)
2594 SSL_CTX *cctx = NULL, *sctx = NULL;
2595 SSL *clientssl = NULL, *serverssl = NULL;
2598 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2599 TLS1_VERSION, TLS_MAX_VERSION,
2600 &sctx, &cctx, cert, privkey))
2601 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2602 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2605 if (idx >=4 && idx <= 7) {
2606 /* SSL_CTX explicit cipher list */
2607 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2611 if (idx == 0 || idx == 4) {
2612 /* Default ciphersuite */
2613 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2614 "TLS_AES_128_GCM_SHA256")))
2616 } else if (idx == 1 || idx == 5) {
2617 /* Non default ciphersuite */
2618 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2619 "TLS_AES_128_CCM_SHA256")))
2623 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2624 &clientssl, NULL, NULL)))
2627 if (idx == 8 || idx == 9) {
2628 /* SSL explicit cipher list */
2629 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2633 if (idx == 2 || idx == 6 || idx == 8) {
2634 /* Default ciphersuite */
2635 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2636 "TLS_AES_128_GCM_SHA256")))
2638 } else if (idx == 3 || idx == 7 || idx == 9) {
2639 /* Non default ciphersuite */
2640 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2641 "TLS_AES_128_CCM_SHA256")))
2645 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2651 SSL_free(serverssl);
2652 SSL_free(clientssl);
2659 static int test_ciphersuite_change(void)
2661 SSL_CTX *cctx = NULL, *sctx = NULL;
2662 SSL *clientssl = NULL, *serverssl = NULL;
2663 SSL_SESSION *clntsess = NULL;
2665 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2667 /* Create a session based on SHA-256 */
2668 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2669 TLS1_VERSION, TLS_MAX_VERSION,
2670 &sctx, &cctx, cert, privkey))
2671 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2672 "TLS_AES_128_GCM_SHA256"))
2673 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2674 &clientssl, NULL, NULL))
2675 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2679 clntsess = SSL_get1_session(clientssl);
2680 /* Save for later */
2681 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2682 SSL_shutdown(clientssl);
2683 SSL_shutdown(serverssl);
2684 SSL_free(serverssl);
2685 SSL_free(clientssl);
2686 serverssl = clientssl = NULL;
2688 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2689 /* Check we can resume a session with a different SHA-256 ciphersuite */
2690 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2691 "TLS_CHACHA20_POLY1305_SHA256"))
2692 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2694 || !TEST_true(SSL_set_session(clientssl, clntsess))
2695 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2697 || !TEST_true(SSL_session_reused(clientssl)))
2700 SSL_SESSION_free(clntsess);
2701 clntsess = SSL_get1_session(clientssl);
2702 SSL_shutdown(clientssl);
2703 SSL_shutdown(serverssl);
2704 SSL_free(serverssl);
2705 SSL_free(clientssl);
2706 serverssl = clientssl = NULL;
2710 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2711 * succeeds but does not resume.
2713 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2714 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2716 || !TEST_true(SSL_set_session(clientssl, clntsess))
2717 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2719 || !TEST_false(SSL_session_reused(clientssl)))
2722 SSL_SESSION_free(clntsess);
2724 SSL_shutdown(clientssl);
2725 SSL_shutdown(serverssl);
2726 SSL_free(serverssl);
2727 SSL_free(clientssl);
2728 serverssl = clientssl = NULL;
2730 /* Create a session based on SHA384 */
2731 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2732 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2733 &clientssl, NULL, NULL))
2734 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2738 clntsess = SSL_get1_session(clientssl);
2739 SSL_shutdown(clientssl);
2740 SSL_shutdown(serverssl);
2741 SSL_free(serverssl);
2742 SSL_free(clientssl);
2743 serverssl = clientssl = NULL;
2745 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2746 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2747 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2748 "TLS_AES_256_GCM_SHA384"))
2749 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2751 || !TEST_true(SSL_set_session(clientssl, clntsess))
2753 * We use SSL_ERROR_WANT_READ below so that we can pause the
2754 * connection after the initial ClientHello has been sent to
2755 * enable us to make some session changes.
2757 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2758 SSL_ERROR_WANT_READ)))
2761 /* Trick the client into thinking this session is for a different digest */
2762 clntsess->cipher = aes_128_gcm_sha256;
2763 clntsess->cipher_id = clntsess->cipher->id;
2766 * Continue the previously started connection. Server has selected a SHA-384
2767 * ciphersuite, but client thinks the session is for SHA-256, so it should
2770 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2772 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2773 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2779 SSL_SESSION_free(clntsess);
2780 SSL_free(serverssl);
2781 SSL_free(clientssl);
2788 static int test_tls13_psk(int idx)
2790 SSL_CTX *sctx = NULL, *cctx = NULL;
2791 SSL *serverssl = NULL, *clientssl = NULL;
2792 const SSL_CIPHER *cipher = NULL;
2793 const unsigned char key[] = {
2794 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2795 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2796 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2797 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2801 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2802 TLS1_VERSION, TLS_MAX_VERSION,
2803 &sctx, &cctx, cert, privkey)))
2807 * We use a ciphersuite with SHA256 to ease testing old style PSK callbacks
2808 * which will always default to SHA256
2810 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")))
2814 * Test 0: New style callbacks only
2815 * Test 1: New and old style callbacks (only the new ones should be used)
2816 * Test 2: Old style callbacks only
2818 if (idx == 0 || idx == 1) {
2819 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2820 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2822 #ifndef OPENSSL_NO_PSK
2823 if (idx == 1 || idx == 2) {
2824 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2825 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2829 use_session_cb_cnt = 0;
2830 find_session_cb_cnt = 0;
2831 psk_client_cb_cnt = 0;
2832 psk_server_cb_cnt = 0;
2834 /* Check we can create a connection if callback decides not to send a PSK */
2835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2837 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2839 || !TEST_false(SSL_session_reused(clientssl))
2840 || !TEST_false(SSL_session_reused(serverssl)))
2843 if (idx == 0 || idx == 1) {
2844 if (!TEST_true(use_session_cb_cnt == 1)
2845 || !TEST_true(find_session_cb_cnt == 0)
2847 * If no old style callback then below should be 0
2850 || !TEST_true(psk_client_cb_cnt == idx)
2851 || !TEST_true(psk_server_cb_cnt == 0))
2854 if (!TEST_true(use_session_cb_cnt == 0)
2855 || !TEST_true(find_session_cb_cnt == 0)
2856 || !TEST_true(psk_client_cb_cnt == 1)
2857 || !TEST_true(psk_server_cb_cnt == 0))
2861 shutdown_ssl_connection(serverssl, clientssl);
2862 serverssl = clientssl = NULL;
2863 use_session_cb_cnt = psk_client_cb_cnt = 0;
2865 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2869 /* Create the PSK */
2870 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
2871 clientpsk = SSL_SESSION_new();
2872 if (!TEST_ptr(clientpsk)
2873 || !TEST_ptr(cipher)
2874 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2876 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2877 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2879 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2881 serverpsk = clientpsk;
2883 /* Check we can create a connection and the PSK is used */
2884 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2885 || !TEST_true(SSL_session_reused(clientssl))
2886 || !TEST_true(SSL_session_reused(serverssl)))
2889 if (idx == 0 || idx == 1) {
2890 if (!TEST_true(use_session_cb_cnt == 1)
2891 || !TEST_true(find_session_cb_cnt == 1)
2892 || !TEST_true(psk_client_cb_cnt == 0)
2893 || !TEST_true(psk_server_cb_cnt == 0))
2896 if (!TEST_true(use_session_cb_cnt == 0)
2897 || !TEST_true(find_session_cb_cnt == 0)
2898 || !TEST_true(psk_client_cb_cnt == 1)
2899 || !TEST_true(psk_server_cb_cnt == 1))
2903 shutdown_ssl_connection(serverssl, clientssl);
2904 serverssl = clientssl = NULL;
2905 use_session_cb_cnt = find_session_cb_cnt = 0;
2906 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2908 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2913 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2917 * Check we can create a connection, the PSK is used and the callbacks are
2920 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2921 || !TEST_true(SSL_session_reused(clientssl))
2922 || !TEST_true(SSL_session_reused(serverssl)))
2925 if (idx == 0 || idx == 1) {
2926 if (!TEST_true(use_session_cb_cnt == 2)
2927 || !TEST_true(find_session_cb_cnt == 2)
2928 || !TEST_true(psk_client_cb_cnt == 0)
2929 || !TEST_true(psk_server_cb_cnt == 0))
2932 if (!TEST_true(use_session_cb_cnt == 0)
2933 || !TEST_true(find_session_cb_cnt == 0)
2934 || !TEST_true(psk_client_cb_cnt == 2)
2935 || !TEST_true(psk_server_cb_cnt == 2))
2939 shutdown_ssl_connection(serverssl, clientssl);
2940 serverssl = clientssl = NULL;
2941 use_session_cb_cnt = find_session_cb_cnt = 0;
2942 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2945 * Check that if the server rejects the PSK we can still connect, but with
2948 srvid = "Dummy Identity";
2949 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2951 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2953 || !TEST_false(SSL_session_reused(clientssl))
2954 || !TEST_false(SSL_session_reused(serverssl)))
2957 if (idx == 0 || idx == 1) {
2958 if (!TEST_true(use_session_cb_cnt == 1)
2959 || !TEST_true(find_session_cb_cnt == 1)
2960 || !TEST_true(psk_client_cb_cnt == 0)
2962 * If no old style callback then below should be 0
2965 || !TEST_true(psk_server_cb_cnt == idx))
2968 if (!TEST_true(use_session_cb_cnt == 0)
2969 || !TEST_true(find_session_cb_cnt == 0)
2970 || !TEST_true(psk_client_cb_cnt == 1)
2971 || !TEST_true(psk_server_cb_cnt == 1))
2975 shutdown_ssl_connection(serverssl, clientssl);
2976 serverssl = clientssl = NULL;
2980 SSL_SESSION_free(clientpsk);
2981 SSL_SESSION_free(serverpsk);
2982 clientpsk = serverpsk = NULL;
2983 SSL_free(serverssl);
2984 SSL_free(clientssl);
2990 static unsigned char cookie_magic_value[] = "cookie magic";
2992 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2993 unsigned int *cookie_len)
2996 * Not suitable as a real cookie generation function but good enough for
2999 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3000 *cookie_len = sizeof(cookie_magic_value) - 1;
3005 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3006 unsigned int cookie_len)
3008 if (cookie_len == sizeof(cookie_magic_value) - 1
3009 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3015 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3019 int res = generate_cookie_callback(ssl, cookie, &temp);
3024 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3027 return verify_cookie_callback(ssl, cookie, cookie_len);
3030 static int test_stateless(void)
3032 SSL_CTX *sctx = NULL, *cctx = NULL;
3033 SSL *serverssl = NULL, *clientssl = NULL;
3036 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3037 TLS1_VERSION, TLS_MAX_VERSION,
3038 &sctx, &cctx, cert, privkey)))
3041 /* The arrival of CCS messages can confuse the test */
3042 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3044 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3046 /* Send the first ClientHello */
3047 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3048 SSL_ERROR_WANT_READ))
3050 * This should fail with a -1 return because we have no callbacks
3053 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3056 /* Fatal error so abandon the connection from this client */
3057 SSL_free(clientssl);
3060 /* Set up the cookie generation and verification callbacks */
3061 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3062 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3065 * Create a new connection from the client (we can reuse the server SSL
3068 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3070 /* Send the first ClientHello */
3071 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3072 SSL_ERROR_WANT_READ))
3073 /* This should fail because there is no cookie */
3074 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3077 /* Abandon the connection from this client */
3078 SSL_free(clientssl);
3082 * Now create a connection from a new client but with the same server SSL
3085 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3087 /* Send the first ClientHello */
3088 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3089 SSL_ERROR_WANT_READ))
3090 /* This should fail because there is no cookie */
3091 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3092 /* Send the second ClientHello */
3093 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3094 SSL_ERROR_WANT_READ))
3095 /* This should succeed because a cookie is now present */
3096 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3097 /* Complete the connection */
3098 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3102 shutdown_ssl_connection(serverssl, clientssl);
3103 serverssl = clientssl = NULL;
3107 SSL_free(serverssl);
3108 SSL_free(clientssl);
3114 #endif /* OPENSSL_NO_TLS1_3 */
3116 static int clntaddoldcb = 0;
3117 static int clntparseoldcb = 0;
3118 static int srvaddoldcb = 0;
3119 static int srvparseoldcb = 0;
3120 static int clntaddnewcb = 0;
3121 static int clntparsenewcb = 0;
3122 static int srvaddnewcb = 0;
3123 static int srvparsenewcb = 0;
3124 static int snicb = 0;
3126 #define TEST_EXT_TYPE1 0xff00
3128 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3129 size_t *outlen, int *al, void *add_arg)
3131 int *server = (int *)add_arg;
3132 unsigned char *data;
3134 if (SSL_is_server(s))
3139 if (*server != SSL_is_server(s)
3140 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3145 *outlen = sizeof(char);
3149 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3152 OPENSSL_free((unsigned char *)out);
3155 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3156 size_t inlen, int *al, void *parse_arg)
3158 int *server = (int *)parse_arg;
3160 if (SSL_is_server(s))
3165 if (*server != SSL_is_server(s)
3166 || inlen != sizeof(char)
3173 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3174 const unsigned char **out, size_t *outlen, X509 *x,
3175 size_t chainidx, int *al, void *add_arg)
3177 int *server = (int *)add_arg;
3178 unsigned char *data;
3180 if (SSL_is_server(s))
3185 if (*server != SSL_is_server(s)
3186 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3191 *outlen = sizeof(*data);
3195 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3196 const unsigned char *out, void *add_arg)
3198 OPENSSL_free((unsigned char *)out);
3201 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3202 const unsigned char *in, size_t inlen, X509 *x,
3203 size_t chainidx, int *al, void *parse_arg)
3205 int *server = (int *)parse_arg;
3207 if (SSL_is_server(s))
3212 if (*server != SSL_is_server(s)
3213 || inlen != sizeof(char) || *in != 1)
3219 static int sni_cb(SSL *s, int *al, void *arg)
3221 SSL_CTX *ctx = (SSL_CTX *)arg;
3223 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3224 *al = SSL_AD_INTERNAL_ERROR;
3225 return SSL_TLSEXT_ERR_ALERT_FATAL;
3228 return SSL_TLSEXT_ERR_OK;
3232 * Custom call back tests.
3233 * Test 0: Old style callbacks in TLSv1.2
3234 * Test 1: New style callbacks in TLSv1.2
3235 * Test 2: New style callbacks in TLSv1.2 with SNI
3236 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3237 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3239 static int test_custom_exts(int tst)
3241 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3242 SSL *clientssl = NULL, *serverssl = NULL;
3244 static int server = 1;
3245 static int client = 0;
3246 SSL_SESSION *sess = NULL;
3247 unsigned int context;
3249 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3250 /* Skip tests for TLSv1.2 and below in this case */
3255 /* Reset callback counters */
3256 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3257 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3260 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3261 TLS1_VERSION, TLS_MAX_VERSION,
3262 &sctx, &cctx, cert, privkey)))
3266 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3267 TLS1_VERSION, TLS_MAX_VERSION,
3268 &sctx2, NULL, cert, privkey)))
3273 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3274 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3276 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3280 context = SSL_EXT_CLIENT_HELLO
3281 | SSL_EXT_TLS1_2_SERVER_HELLO
3282 | SSL_EXT_TLS1_3_SERVER_HELLO
3283 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3284 | SSL_EXT_TLS1_3_CERTIFICATE
3285 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3287 context = SSL_EXT_CLIENT_HELLO
3288 | SSL_EXT_TLS1_2_SERVER_HELLO
3289 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3292 /* Create a client side custom extension */
3294 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3295 old_add_cb, old_free_cb,
3296 &client, old_parse_cb,
3300 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3301 new_add_cb, new_free_cb,
3302 &client, new_parse_cb, &client)))
3306 /* Should not be able to add duplicates */
3307 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3308 old_add_cb, old_free_cb,
3309 &client, old_parse_cb,
3311 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3312 context, new_add_cb,
3313 new_free_cb, &client,
3314 new_parse_cb, &client)))
3317 /* Create a server side custom extension */
3319 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3320 old_add_cb, old_free_cb,
3321 &server, old_parse_cb,
3325 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3326 new_add_cb, new_free_cb,
3327 &server, new_parse_cb, &server)))
3330 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3331 context, new_add_cb,
3332 new_free_cb, &server,
3333 new_parse_cb, &server)))
3337 /* Should not be able to add duplicates */
3338 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3339 old_add_cb, old_free_cb,
3340 &server, old_parse_cb,
3342 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3343 context, new_add_cb,
3344 new_free_cb, &server,
3345 new_parse_cb, &server)))
3350 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3351 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3355 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3356 &clientssl, NULL, NULL))
3357 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3362 if (clntaddoldcb != 1
3363 || clntparseoldcb != 1
3365 || srvparseoldcb != 1)
3367 } else if (tst == 1 || tst == 2 || tst == 3) {
3368 if (clntaddnewcb != 1
3369 || clntparsenewcb != 1
3371 || srvparsenewcb != 1
3372 || (tst != 2 && snicb != 0)
3373 || (tst == 2 && snicb != 1))
3376 if (clntaddnewcb != 1
3377 || clntparsenewcb != 4
3379 || srvparsenewcb != 1)
3383 sess = SSL_get1_session(clientssl);
3384 SSL_shutdown(clientssl);
3385 SSL_shutdown(serverssl);
3386 SSL_free(serverssl);
3387 SSL_free(clientssl);
3388 serverssl = clientssl = NULL;
3391 /* We don't bother with the resumption aspects for this test */
3396 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3398 || !TEST_true(SSL_set_session(clientssl, sess))
3399 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3404 * For a resumed session we expect to add the ClientHello extension. For the
3405 * old style callbacks we ignore it on the server side because they set
3406 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3410 if (clntaddoldcb != 2
3411 || clntparseoldcb != 1
3413 || srvparseoldcb != 1)
3415 } else if (tst == 1 || tst == 2 || tst == 3) {
3416 if (clntaddnewcb != 2
3417 || clntparsenewcb != 2
3419 || srvparsenewcb != 2)
3422 /* No Certificate message extensions in the resumption handshake */
3423 if (clntaddnewcb != 2
3424 || clntparsenewcb != 7
3426 || srvparsenewcb != 2)
3433 SSL_SESSION_free(sess);
3434 SSL_free(serverssl);
3435 SSL_free(clientssl);
3436 SSL_CTX_free(sctx2);
3443 * Test loading of serverinfo data in various formats. test_sslmessages actually
3444 * tests to make sure the extensions appear in the handshake
3446 static int test_serverinfo(int tst)
3448 unsigned int version;
3449 unsigned char *sibuf;
3451 int ret, expected, testresult = 0;
3454 ctx = SSL_CTX_new(TLS_method());
3458 if ((tst & 0x01) == 0x01)
3459 version = SSL_SERVERINFOV2;
3461 version = SSL_SERVERINFOV1;
3463 if ((tst & 0x02) == 0x02) {
3464 sibuf = serverinfov2;
3465 sibuflen = sizeof(serverinfov2);
3466 expected = (version == SSL_SERVERINFOV2);
3468 sibuf = serverinfov1;
3469 sibuflen = sizeof(serverinfov1);
3470 expected = (version == SSL_SERVERINFOV1);
3473 if ((tst & 0x04) == 0x04) {
3474 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3476 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3479 * The version variable is irrelevant in this case - it's what is in the
3480 * buffer that matters
3482 if ((tst & 0x02) == 0x02)
3488 if (!TEST_true(ret == expected))
3500 * Test that SSL_export_keying_material() produces expected results. There are
3501 * no test vectors so all we do is test that both sides of the communication
3502 * produce the same results for different protocol versions.
3504 static int test_export_key_mat(int tst)
3507 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3508 SSL *clientssl = NULL, *serverssl = NULL;
3509 const char label[] = "test label";
3510 const unsigned char context[] = "context";
3511 const unsigned char *emptycontext = NULL;
3512 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3513 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3514 const int protocols[] = {
3521 #ifdef OPENSSL_NO_TLS1
3525 #ifdef OPENSSL_NO_TLS1_1
3529 #ifdef OPENSSL_NO_TLS1_2
3533 #ifdef OPENSSL_NO_TLS1_3
3537 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3538 TLS1_VERSION, TLS_MAX_VERSION,
3539 &sctx, &cctx, cert, privkey)))
3542 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3543 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3544 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3546 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3548 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3552 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3553 sizeof(ckeymat1), label,
3554 sizeof(label) - 1, context,
3555 sizeof(context) - 1, 1), 1)
3556 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3557 sizeof(ckeymat2), label,
3561 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3562 sizeof(ckeymat3), label,
3565 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3566 sizeof(skeymat1), label,
3569 sizeof(context) -1, 1),
3571 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3572 sizeof(skeymat2), label,
3576 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3577 sizeof(skeymat3), label,
3581 * Check that both sides created the same key material with the
3584 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3587 * Check that both sides created the same key material with an
3590 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3593 * Check that both sides created the same key material without a
3596 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3598 /* Different contexts should produce different results */
3599 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3604 * Check that an empty context and no context produce different results in
3605 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3607 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3609 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3616 SSL_free(serverssl);
3617 SSL_free(clientssl);
3618 SSL_CTX_free(sctx2);
3625 #ifndef OPENSSL_NO_TLS1_3
3627 * Test that SSL_export_keying_material_early() produces expected
3628 * results. There are no test vectors so all we do is test that both
3629 * sides of the communication produce the same results for different
3630 * protocol versions.
3632 static int test_export_key_mat_early(int idx)
3634 static const char label[] = "test label";
3635 static const unsigned char context[] = "context";
3637 SSL_CTX *cctx = NULL, *sctx = NULL;
3638 SSL *clientssl = NULL, *serverssl = NULL;
3639 SSL_SESSION *sess = NULL;
3640 const unsigned char *emptycontext = NULL;
3641 unsigned char ckeymat1[80], ckeymat2[80];
3642 unsigned char skeymat1[80], skeymat2[80];
3643 unsigned char buf[1];
3644 size_t readbytes, written;
3646 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3650 /* Here writing 0 length early data is enough. */
3651 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3652 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3654 SSL_READ_EARLY_DATA_ERROR)
3655 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3656 SSL_EARLY_DATA_ACCEPTED))
3659 if (!TEST_int_eq(SSL_export_keying_material_early(
3660 clientssl, ckeymat1, sizeof(ckeymat1), label,
3661 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3662 || !TEST_int_eq(SSL_export_keying_material_early(
3663 clientssl, ckeymat2, sizeof(ckeymat2), label,
3664 sizeof(label) - 1, emptycontext, 0), 1)
3665 || !TEST_int_eq(SSL_export_keying_material_early(
3666 serverssl, skeymat1, sizeof(skeymat1), label,
3667 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3668 || !TEST_int_eq(SSL_export_keying_material_early(
3669 serverssl, skeymat2, sizeof(skeymat2), label,
3670 sizeof(label) - 1, emptycontext, 0), 1)
3672 * Check that both sides created the same key material with the
3675 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3678 * Check that both sides created the same key material with an
3681 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3683 /* Different contexts should produce different results */
3684 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3691 if (sess != clientpsk)
3692 SSL_SESSION_free(sess);
3693 SSL_SESSION_free(clientpsk);
3694 SSL_SESSION_free(serverpsk);
3695 clientpsk = serverpsk = NULL;
3696 SSL_free(serverssl);
3697 SSL_free(clientssl);
3703 #endif /* OPENSSL_NO_TLS1_3 */
3705 static int test_ssl_clear(int idx)
3707 SSL_CTX *cctx = NULL, *sctx = NULL;
3708 SSL *clientssl = NULL, *serverssl = NULL;
3711 #ifdef OPENSSL_NO_TLS1_2
3716 /* Create an initial connection */
3717 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3718 TLS1_VERSION, TLS_MAX_VERSION,
3719 &sctx, &cctx, cert, privkey))
3721 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3723 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3724 &clientssl, NULL, NULL))
3725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3729 SSL_shutdown(clientssl);
3730 SSL_shutdown(serverssl);
3731 SSL_free(serverssl);
3734 /* Clear clientssl - we're going to reuse the object */
3735 if (!TEST_true(SSL_clear(clientssl)))
3738 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3740 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3742 || !TEST_true(SSL_session_reused(clientssl)))
3745 SSL_shutdown(clientssl);
3746 SSL_shutdown(serverssl);
3751 SSL_free(serverssl);
3752 SSL_free(clientssl);
3759 /* Parse CH and retrieve any MFL extension value if present */
3760 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3763 unsigned char *data;
3764 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3765 unsigned int MFL_code = 0, type = 0;
3767 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3770 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3771 /* Skip the record header */
3772 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3773 /* Skip the handshake message header */
3774 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3775 /* Skip client version and random */
3776 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3777 + SSL3_RANDOM_SIZE))
3778 /* Skip session id */
3779 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3781 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3782 /* Skip compression */
3783 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3784 /* Extensions len */
3785 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3788 /* Loop through all extensions */
3789 while (PACKET_remaining(&pkt2)) {
3790 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3791 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3794 if (type == TLSEXT_TYPE_max_fragment_length) {
3795 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3796 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3799 *mfl_codemfl_code = MFL_code;
3808 /* Maximum-Fragment-Length TLS extension mode to test */
3809 static const unsigned char max_fragment_len_test[] = {
3810 TLSEXT_max_fragment_length_512,
3811 TLSEXT_max_fragment_length_1024,
3812 TLSEXT_max_fragment_length_2048,
3813 TLSEXT_max_fragment_length_4096
3816 static int test_max_fragment_len_ext(int idx_tst)
3820 int testresult = 0, MFL_mode = 0;
3823 ctx = SSL_CTX_new(TLS_method());
3827 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3828 ctx, max_fragment_len_test[idx_tst])))
3835 rbio = BIO_new(BIO_s_mem());
3836 wbio = BIO_new(BIO_s_mem());
3837 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3843 SSL_set_bio(con, rbio, wbio);
3844 SSL_set_connect_state(con);
3846 if (!TEST_int_le(SSL_connect(con), 0)) {
3847 /* This shouldn't succeed because we don't have a server! */
3851 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3852 /* no MFL in client hello */
3854 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3866 #ifndef OPENSSL_NO_TLS1_3
3867 static int test_pha_key_update(void)
3869 SSL_CTX *cctx = NULL, *sctx = NULL;
3870 SSL *clientssl = NULL, *serverssl = NULL;
3873 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3874 TLS1_VERSION, TLS_MAX_VERSION,
3875 &sctx, &cctx, cert, privkey)))
3878 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3879 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3880 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3881 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3889 SSL_force_post_handshake_auth(clientssl);
3891 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3895 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3896 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3899 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3902 /* Start handshake on the server */
3903 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3906 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3907 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3911 SSL_shutdown(clientssl);
3912 SSL_shutdown(serverssl);
3917 SSL_free(serverssl);
3918 SSL_free(clientssl);
3925 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
3927 static SRP_VBASE *vbase = NULL;
3929 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
3931 int ret = SSL3_AL_FATAL;
3933 SRP_user_pwd *user = NULL;
3935 username = SSL_get_srp_username(s);
3936 if (username == NULL) {
3937 *ad = SSL_AD_INTERNAL_ERROR;
3941 user = SRP_VBASE_get1_by_user(vbase, username);
3943 *ad = SSL_AD_INTERNAL_ERROR;
3947 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
3949 *ad = SSL_AD_INTERNAL_ERROR;
3956 SRP_user_pwd_free(user);
3960 static int create_new_vfile(char *userid, char *password, const char *filename)
3963 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
3966 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
3969 if (!TEST_ptr(dummy) || !TEST_ptr(row))
3972 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
3973 &row[DB_srpverifier], NULL, NULL);
3974 if (!TEST_ptr(gNid))
3978 * The only way to create an empty TXT_DB is to provide a BIO with no data
3981 db = TXT_DB_read(dummy, DB_NUMBER);
3985 out = BIO_new_file(filename, "w");
3989 row[DB_srpid] = OPENSSL_strdup(userid);
3990 row[DB_srptype] = OPENSSL_strdup("V");
3991 row[DB_srpgN] = OPENSSL_strdup(gNid);
3993 if (!TEST_ptr(row[DB_srpid])
3994 || !TEST_ptr(row[DB_srptype])
3995 || !TEST_ptr(row[DB_srpgN])
3996 || !TEST_true(TXT_DB_insert(db, row)))
4001 if (!TXT_DB_write(out, db))
4007 for (i = 0; i < DB_NUMBER; i++)
4008 OPENSSL_free(row[i]);
4018 static int create_new_vbase(char *userid, char *password)
4020 BIGNUM *verifier = NULL, *salt = NULL;
4021 const SRP_gN *lgN = NULL;
4022 SRP_user_pwd *user_pwd = NULL;
4025 lgN = SRP_get_default_gN(NULL);
4029 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4033 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4034 if (!TEST_ptr(user_pwd))
4037 user_pwd->N = lgN->N;
4038 user_pwd->g = lgN->g;
4039 user_pwd->id = OPENSSL_strdup(userid);
4040 if (!TEST_ptr(user_pwd->id))
4043 user_pwd->v = verifier;
4045 verifier = salt = NULL;
4047 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4053 SRP_user_pwd_free(user_pwd);
4063 * Test 0: Simple successful SRP connection, new vbase
4064 * Test 1: Connection failure due to bad password, new vbase
4065 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4066 * Test 3: Connection failure due to bad password, vbase loaded from existing
4068 * Test 4: Simple successful SRP connection, vbase loaded from new file
4069 * Test 5: Connection failure due to bad password, vbase loaded from new file
4071 static int test_srp(int tst)
4073 char *userid = "test", *password = "password", *tstsrpfile;
4074 SSL_CTX *cctx = NULL, *sctx = NULL;
4075 SSL *clientssl = NULL, *serverssl = NULL;
4076 int ret, testresult = 0;
4078 vbase = SRP_VBASE_new(NULL);
4079 if (!TEST_ptr(vbase))
4082 if (tst == 0 || tst == 1) {
4083 if (!TEST_true(create_new_vbase(userid, password)))
4086 if (tst == 4 || tst == 5) {
4087 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4089 tstsrpfile = tmpfilename;
4091 tstsrpfile = srpvfile;
4093 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4097 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4098 TLS1_VERSION, TLS_MAX_VERSION,
4099 &sctx, &cctx, cert, privkey)))
4102 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4103 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4104 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4105 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4106 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4110 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4113 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4117 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4121 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4123 if (!TEST_true(tst % 2 == 0))
4126 if (!TEST_true(tst % 2 == 1))
4133 SRP_VBASE_free(vbase);
4135 SSL_free(serverssl);
4136 SSL_free(clientssl);
4144 static int info_cb_failed = 0;
4145 static int info_cb_offset = 0;
4146 static int info_cb_this_state = -1;
4148 static struct info_cb_states_st {
4150 const char *statestr;
4151 } info_cb_states[][60] = {
4153 /* TLSv1.2 server followed by resumption */
4154 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4155 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4156 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4157 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4158 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4159 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4160 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4161 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4162 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4163 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4164 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4165 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4166 {SSL_CB_EXIT, NULL}, {0, NULL},
4168 /* TLSv1.2 client followed by resumption */
4169 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4170 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4171 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4172 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4173 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4174 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4175 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4176 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4177 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4178 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4179 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4180 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4182 /* TLSv1.3 server followed by resumption */
4183 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4184 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4185 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4186 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4187 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4188 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4189 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4190 {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4191 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4192 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4193 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4194 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
4195 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4196 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4197 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4199 /* TLSv1.3 client followed by resumption */
4200 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4201 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4202 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4203 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4204 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4205 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4206 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4207 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4208 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4209 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4210 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4211 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4212 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4213 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4214 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4215 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4217 /* TLSv1.3 server, early_data */
4218 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4219 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4220 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4221 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4222 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4223 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4224 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4225 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4226 {SSL_CB_EXIT, NULL}, {0, NULL},
4228 /* TLSv1.3 client, early_data */
4229 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4230 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4231 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4232 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4233 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4234 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4235 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4236 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4237 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4238 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4244 static void sslapi_info_callback(const SSL *s, int where, int ret)
4246 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4248 /* We do not ever expect a connection to fail in this test */
4249 if (!TEST_false(ret == 0)) {
4255 * Do some sanity checks. We never expect these things to happen in this
4258 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4259 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4260 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4265 /* Now check we're in the right state */
4266 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4270 if ((where & SSL_CB_LOOP) != 0
4271 && !TEST_int_eq(strcmp(SSL_state_string(s),
4272 state[info_cb_this_state].statestr), 0)) {
4279 * Test the info callback gets called when we expect it to.
4281 * Test 0: TLSv1.2, server
4282 * Test 1: TLSv1.2, client
4283 * Test 2: TLSv1.3, server
4284 * Test 3: TLSv1.3, client
4285 * Test 4: TLSv1.3, server, early_data
4286 * Test 5: TLSv1.3, client, early_data
4288 static int test_info_callback(int tst)
4290 SSL_CTX *cctx = NULL, *sctx = NULL;
4291 SSL *clientssl = NULL, *serverssl = NULL;
4292 SSL_SESSION *clntsess = NULL;
4297 #ifndef OPENSSL_NO_TLS1_2
4298 tlsvers = TLS1_2_VERSION;
4303 #ifndef OPENSSL_NO_TLS1_3
4304 tlsvers = TLS1_3_VERSION;
4312 info_cb_this_state = -1;
4313 info_cb_offset = tst;
4316 SSL_SESSION *sess = NULL;
4317 size_t written, readbytes;
4318 unsigned char buf[80];
4320 /* early_data tests */
4321 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4322 &serverssl, &sess, 0)))
4325 /* We don't actually need this reference */
4326 SSL_SESSION_free(sess);
4328 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4329 sslapi_info_callback);
4331 /* Write and read some early data and then complete the connection */
4332 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4334 || !TEST_size_t_eq(written, strlen(MSG1))
4335 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4336 sizeof(buf), &readbytes),
4337 SSL_READ_EARLY_DATA_SUCCESS)
4338 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4339 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4340 SSL_EARLY_DATA_ACCEPTED)
4341 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4343 || !TEST_false(info_cb_failed))
4350 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4351 TLS_client_method(),
4352 tlsvers, tlsvers, &sctx, &cctx, cert,
4357 * For even numbered tests we check the server callbacks. For odd numbers we
4360 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4361 sslapi_info_callback);
4363 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4364 &clientssl, NULL, NULL))
4365 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4367 || !TEST_false(info_cb_failed))
4372 clntsess = SSL_get1_session(clientssl);
4373 SSL_shutdown(clientssl);
4374 SSL_shutdown(serverssl);
4375 SSL_free(serverssl);
4376 SSL_free(clientssl);
4377 serverssl = clientssl = NULL;
4379 /* Now do a resumption */
4380 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4382 || !TEST_true(SSL_set_session(clientssl, clntsess))
4383 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4385 || !TEST_true(SSL_session_reused(clientssl))
4386 || !TEST_false(info_cb_failed))
4392 SSL_free(serverssl);
4393 SSL_free(clientssl);
4394 SSL_SESSION_free(clntsess);
4400 int setup_tests(void)
4402 if (!TEST_ptr(cert = test_get_argument(0))
4403 || !TEST_ptr(privkey = test_get_argument(1))
4404 || !TEST_ptr(srpvfile = test_get_argument(2))
4405 || !TEST_ptr(tmpfilename = test_get_argument(3)))
4408 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
4409 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
4410 TEST_error("not supported in this build");
4413 int i, mcount, rcount, fcount;
4415 for (i = 0; i < 4; i++)
4416 test_export_key_mat(i);
4417 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
4418 test_printf_stdout("malloc %d realloc %d free %d\n",
4419 mcount, rcount, fcount);
4424 ADD_TEST(test_large_message_tls);
4425 ADD_TEST(test_large_message_tls_read_ahead);
4426 #ifndef OPENSSL_NO_DTLS
4427 ADD_TEST(test_large_message_dtls);
4429 #ifndef OPENSSL_NO_OCSP
4430 ADD_TEST(test_tlsext_status_type);
4432 ADD_TEST(test_session_with_only_int_cache);
4433 ADD_TEST(test_session_with_only_ext_cache);
4434 ADD_TEST(test_session_with_both_cache);
4435 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
4436 ADD_TEST(test_ssl_bio_pop_next_bio);
4437 ADD_TEST(test_ssl_bio_pop_ssl_bio);
4438 ADD_TEST(test_ssl_bio_change_rbio);
4439 ADD_TEST(test_ssl_bio_change_wbio);
4440 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
4441 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
4442 ADD_TEST(test_keylog);
4444 #ifndef OPENSSL_NO_TLS1_3
4445 ADD_TEST(test_keylog_no_master_key);
4447 #ifndef OPENSSL_NO_TLS1_2
4448 ADD_TEST(test_client_hello_cb);
4450 #ifndef OPENSSL_NO_TLS1_3
4451 ADD_ALL_TESTS(test_early_data_read_write, 3);
4453 * We don't do replay tests for external PSK. Replay protection isn't used
4456 ADD_ALL_TESTS(test_early_data_replay, 2);
4457 ADD_ALL_TESTS(test_early_data_skip, 3);
4458 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
4459 ADD_ALL_TESTS(test_early_data_not_sent, 3);
4460 ADD_ALL_TESTS(test_early_data_psk, 8);
4461 ADD_ALL_TESTS(test_early_data_not_expected, 3);
4462 # ifndef OPENSSL_NO_TLS1_2
4463 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
4466 #ifndef OPENSSL_NO_TLS1_3
4467 ADD_ALL_TESTS(test_set_ciphersuite, 10);
4468 ADD_TEST(test_ciphersuite_change);
4469 #ifdef OPENSSL_NO_PSK
4470 ADD_ALL_TESTS(test_tls13_psk, 1);
4472 ADD_ALL_TESTS(test_tls13_psk, 3);
4473 #endif /* OPENSSL_NO_PSK */
4474 ADD_ALL_TESTS(test_custom_exts, 5);
4475 ADD_TEST(test_stateless);
4476 ADD_TEST(test_pha_key_update);
4478 ADD_ALL_TESTS(test_custom_exts, 3);
4480 ADD_ALL_TESTS(test_serverinfo, 8);
4481 ADD_ALL_TESTS(test_export_key_mat, 4);
4482 #ifndef OPENSSL_NO_TLS1_3
4483 ADD_ALL_TESTS(test_export_key_mat_early, 3);
4485 ADD_ALL_TESTS(test_ssl_clear, 2);
4486 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
4487 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4488 ADD_ALL_TESTS(test_srp, 6);
4490 ADD_ALL_TESTS(test_info_callback, 6);
4494 void cleanup_tests(void)
4496 bio_s_mempacket_test_free();