2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
32 #include "ssltestlib.h"
34 #include "testutil/output.h"
35 #include "internal/nelem.h"
36 #include "internal/ktls.h"
37 #include "../ssl/ssl_local.h"
39 #ifndef OPENSSL_NO_TLS1_3
41 static SSL_SESSION *clientpsk = NULL;
42 static SSL_SESSION *serverpsk = NULL;
43 static const char *pskid = "Identity";
44 static const char *srvid;
46 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
47 size_t *idlen, SSL_SESSION **sess);
48 static int find_session_cb(SSL *ssl, const unsigned char *identity,
49 size_t identity_len, SSL_SESSION **sess);
51 static int use_session_cb_cnt = 0;
52 static int find_session_cb_cnt = 0;
54 static SSL_SESSION *create_a_psk(SSL *ssl);
57 static char *certsdir = NULL;
58 static char *cert = NULL;
59 static char *privkey = NULL;
60 static char *srpvfile = NULL;
61 static char *tmpfilename = NULL;
63 #define LOG_BUFFER_SIZE 2048
64 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
65 static size_t server_log_buffer_index = 0;
66 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
67 static size_t client_log_buffer_index = 0;
68 static int error_writing_log = 0;
70 #ifndef OPENSSL_NO_OCSP
71 static const unsigned char orespder[] = "Dummy OCSP Response";
72 static int ocsp_server_called = 0;
73 static int ocsp_client_called = 0;
75 static int cdummyarg = 1;
76 static X509 *ocspcert = NULL;
79 #define NUM_EXTRA_CERTS 40
80 #define CLIENT_VERSION_LEN 2
83 * This structure is used to validate that the correct number of log messages
84 * of various types are emitted when emitting secret logs.
86 struct sslapitest_log_counts {
87 unsigned int rsa_key_exchange_count;
88 unsigned int master_secret_count;
89 unsigned int client_early_secret_count;
90 unsigned int client_handshake_secret_count;
91 unsigned int server_handshake_secret_count;
92 unsigned int client_application_secret_count;
93 unsigned int server_application_secret_count;
94 unsigned int early_exporter_secret_count;
95 unsigned int exporter_secret_count;
99 static unsigned char serverinfov1[] = {
100 0xff, 0xff, /* Dummy extension type */
101 0x00, 0x01, /* Extension length is 1 byte */
102 0xff /* Dummy extension data */
105 static unsigned char serverinfov2[] = {
107 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
108 0xff, 0xff, /* Dummy extension type */
109 0x00, 0x01, /* Extension length is 1 byte */
110 0xff /* Dummy extension data */
113 static int hostname_cb(SSL *s, int *al, void *arg)
115 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
117 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
118 || strcmp(hostname, "altgoodhost") == 0))
119 return SSL_TLSEXT_ERR_OK;
121 return SSL_TLSEXT_ERR_NOACK;
124 static void client_keylog_callback(const SSL *ssl, const char *line)
126 int line_length = strlen(line);
128 /* If the log doesn't fit, error out. */
129 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
130 TEST_info("Client log too full");
131 error_writing_log = 1;
135 strcat(client_log_buffer, line);
136 client_log_buffer_index += line_length;
137 client_log_buffer[client_log_buffer_index++] = '\n';
140 static void server_keylog_callback(const SSL *ssl, const char *line)
142 int line_length = strlen(line);
144 /* If the log doesn't fit, error out. */
145 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
146 TEST_info("Server log too full");
147 error_writing_log = 1;
151 strcat(server_log_buffer, line);
152 server_log_buffer_index += line_length;
153 server_log_buffer[server_log_buffer_index++] = '\n';
156 static int compare_hex_encoded_buffer(const char *hex_encoded,
164 if (!TEST_size_t_eq(raw_length * 2, hex_length))
167 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
168 sprintf(hexed, "%02x", raw[i]);
169 if (!TEST_int_eq(hexed[0], hex_encoded[j])
170 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
177 static int test_keylog_output(char *buffer, const SSL *ssl,
178 const SSL_SESSION *session,
179 struct sslapitest_log_counts *expected)
182 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
183 size_t client_random_size = SSL3_RANDOM_SIZE;
184 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
185 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
186 unsigned int rsa_key_exchange_count = 0;
187 unsigned int master_secret_count = 0;
188 unsigned int client_early_secret_count = 0;
189 unsigned int client_handshake_secret_count = 0;
190 unsigned int server_handshake_secret_count = 0;
191 unsigned int client_application_secret_count = 0;
192 unsigned int server_application_secret_count = 0;
193 unsigned int early_exporter_secret_count = 0;
194 unsigned int exporter_secret_count = 0;
196 for (token = strtok(buffer, " \n"); token != NULL;
197 token = strtok(NULL, " \n")) {
198 if (strcmp(token, "RSA") == 0) {
200 * Premaster secret. Tokens should be: 16 ASCII bytes of
201 * hex-encoded encrypted secret, then the hex-encoded pre-master
204 if (!TEST_ptr(token = strtok(NULL, " \n")))
206 if (!TEST_size_t_eq(strlen(token), 16))
208 if (!TEST_ptr(token = strtok(NULL, " \n")))
211 * We can't sensibly check the log because the premaster secret is
212 * transient, and OpenSSL doesn't keep hold of it once the master
213 * secret is generated.
215 rsa_key_exchange_count++;
216 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
218 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
219 * client random, then the hex-encoded master secret.
221 client_random_size = SSL_get_client_random(ssl,
222 actual_client_random,
224 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
227 if (!TEST_ptr(token = strtok(NULL, " \n")))
229 if (!TEST_size_t_eq(strlen(token), 64))
231 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
232 actual_client_random,
233 client_random_size)))
236 if (!TEST_ptr(token = strtok(NULL, " \n")))
238 master_key_size = SSL_SESSION_get_master_key(session,
241 if (!TEST_size_t_ne(master_key_size, 0))
243 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
247 master_secret_count++;
248 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
249 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
250 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
251 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
252 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
253 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
254 || strcmp(token, "EXPORTER_SECRET") == 0) {
256 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
257 * client random, and then the hex-encoded secret. In this case,
258 * we treat all of these secrets identically and then just
259 * distinguish between them when counting what we saw.
261 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
262 client_early_secret_count++;
263 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
264 client_handshake_secret_count++;
265 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
266 server_handshake_secret_count++;
267 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
268 client_application_secret_count++;
269 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
270 server_application_secret_count++;
271 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
272 early_exporter_secret_count++;
273 else if (strcmp(token, "EXPORTER_SECRET") == 0)
274 exporter_secret_count++;
276 client_random_size = SSL_get_client_random(ssl,
277 actual_client_random,
279 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
282 if (!TEST_ptr(token = strtok(NULL, " \n")))
284 if (!TEST_size_t_eq(strlen(token), 64))
286 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
287 actual_client_random,
288 client_random_size)))
291 if (!TEST_ptr(token = strtok(NULL, " \n")))
295 * TODO(TLS1.3): test that application traffic secrets are what
298 TEST_info("Unexpected token %s\n", token);
303 /* Got what we expected? */
304 if (!TEST_size_t_eq(rsa_key_exchange_count,
305 expected->rsa_key_exchange_count)
306 || !TEST_size_t_eq(master_secret_count,
307 expected->master_secret_count)
308 || !TEST_size_t_eq(client_early_secret_count,
309 expected->client_early_secret_count)
310 || !TEST_size_t_eq(client_handshake_secret_count,
311 expected->client_handshake_secret_count)
312 || !TEST_size_t_eq(server_handshake_secret_count,
313 expected->server_handshake_secret_count)
314 || !TEST_size_t_eq(client_application_secret_count,
315 expected->client_application_secret_count)
316 || !TEST_size_t_eq(server_application_secret_count,
317 expected->server_application_secret_count)
318 || !TEST_size_t_eq(early_exporter_secret_count,
319 expected->early_exporter_secret_count)
320 || !TEST_size_t_eq(exporter_secret_count,
321 expected->exporter_secret_count))
326 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
327 static int test_keylog(void)
329 SSL_CTX *cctx = NULL, *sctx = NULL;
330 SSL *clientssl = NULL, *serverssl = NULL;
332 struct sslapitest_log_counts expected;
334 /* Clean up logging space */
335 memset(&expected, 0, sizeof(expected));
336 memset(client_log_buffer, 0, sizeof(client_log_buffer));
337 memset(server_log_buffer, 0, sizeof(server_log_buffer));
338 client_log_buffer_index = 0;
339 server_log_buffer_index = 0;
340 error_writing_log = 0;
342 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
345 &sctx, &cctx, cert, privkey)))
348 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
349 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
350 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
352 /* We also want to ensure that we use RSA-based key exchange. */
353 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
356 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
357 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
359 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
360 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
361 == client_keylog_callback))
363 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
364 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
365 == server_keylog_callback))
368 /* Now do a handshake and check that the logs have been written to. */
369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
370 &clientssl, NULL, NULL))
371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
373 || !TEST_false(error_writing_log)
374 || !TEST_int_gt(client_log_buffer_index, 0)
375 || !TEST_int_gt(server_log_buffer_index, 0))
379 * Now we want to test that our output data was vaguely sensible. We
380 * do that by using strtok and confirming that we have more or less the
381 * data we expect. For both client and server, we expect to see one master
382 * secret. The client should also see a RSA key exchange.
384 expected.rsa_key_exchange_count = 1;
385 expected.master_secret_count = 1;
386 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
387 SSL_get_session(clientssl), &expected)))
390 expected.rsa_key_exchange_count = 0;
391 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
392 SSL_get_session(serverssl), &expected)))
407 #ifndef OPENSSL_NO_TLS1_3
408 static int test_keylog_no_master_key(void)
410 SSL_CTX *cctx = NULL, *sctx = NULL;
411 SSL *clientssl = NULL, *serverssl = NULL;
412 SSL_SESSION *sess = NULL;
414 struct sslapitest_log_counts expected;
415 unsigned char buf[1];
416 size_t readbytes, written;
418 /* Clean up logging space */
419 memset(&expected, 0, sizeof(expected));
420 memset(client_log_buffer, 0, sizeof(client_log_buffer));
421 memset(server_log_buffer, 0, sizeof(server_log_buffer));
422 client_log_buffer_index = 0;
423 server_log_buffer_index = 0;
424 error_writing_log = 0;
426 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
428 &sctx, &cctx, cert, privkey))
429 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
430 SSL3_RT_MAX_PLAIN_LENGTH)))
433 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
434 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
437 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
438 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
439 == client_keylog_callback))
442 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
443 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
444 == server_keylog_callback))
447 /* Now do a handshake and check that the logs have been written to. */
448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
449 &clientssl, NULL, NULL))
450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
452 || !TEST_false(error_writing_log))
456 * Now we want to test that our output data was vaguely sensible. For this
457 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
458 * TLSv1.3, but we do expect both client and server to emit keys.
460 expected.client_handshake_secret_count = 1;
461 expected.server_handshake_secret_count = 1;
462 expected.client_application_secret_count = 1;
463 expected.server_application_secret_count = 1;
464 expected.exporter_secret_count = 1;
465 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
466 SSL_get_session(clientssl), &expected))
467 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
468 SSL_get_session(serverssl),
472 /* Terminate old session and resume with early data. */
473 sess = SSL_get1_session(clientssl);
474 SSL_shutdown(clientssl);
475 SSL_shutdown(serverssl);
478 serverssl = clientssl = NULL;
481 memset(client_log_buffer, 0, sizeof(client_log_buffer));
482 memset(server_log_buffer, 0, sizeof(server_log_buffer));
483 client_log_buffer_index = 0;
484 server_log_buffer_index = 0;
486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
487 &clientssl, NULL, NULL))
488 || !TEST_true(SSL_set_session(clientssl, sess))
489 /* Here writing 0 length early data is enough. */
490 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
491 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
493 SSL_READ_EARLY_DATA_ERROR)
494 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
495 SSL_EARLY_DATA_ACCEPTED)
496 || !TEST_true(create_ssl_connection(serverssl, clientssl,
498 || !TEST_true(SSL_session_reused(clientssl)))
501 /* In addition to the previous entries, expect early secrets. */
502 expected.client_early_secret_count = 1;
503 expected.early_exporter_secret_count = 1;
504 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
505 SSL_get_session(clientssl), &expected))
506 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
507 SSL_get_session(serverssl),
514 SSL_SESSION_free(sess);
524 #ifndef OPENSSL_NO_TLS1_2
525 static int full_client_hello_callback(SSL *s, int *al, void *arg)
528 const unsigned char *p;
530 /* We only configure two ciphers, but the SCSV is added automatically. */
532 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
534 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
537 const int expected_extensions[] = {
538 #ifndef OPENSSL_NO_EC
544 /* Make sure we can defer processing and get called back. */
546 return SSL_CLIENT_HELLO_RETRY;
548 len = SSL_client_hello_get0_ciphers(s, &p);
549 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
551 SSL_client_hello_get0_compression_methods(s, &p), 1)
552 || !TEST_int_eq(*p, 0))
553 return SSL_CLIENT_HELLO_ERROR;
554 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
555 return SSL_CLIENT_HELLO_ERROR;
556 if (len != OSSL_NELEM(expected_extensions) ||
557 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
558 printf("ClientHello callback expected extensions mismatch\n");
560 return SSL_CLIENT_HELLO_ERROR;
563 return SSL_CLIENT_HELLO_SUCCESS;
566 static int test_client_hello_cb(void)
568 SSL_CTX *cctx = NULL, *sctx = NULL;
569 SSL *clientssl = NULL, *serverssl = NULL;
570 int testctr = 0, testresult = 0;
572 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
574 &sctx, &cctx, cert, privkey)))
576 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
578 /* The gimpy cipher list we configure can't do TLS 1.3. */
579 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
581 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
582 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
583 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
584 &clientssl, NULL, NULL))
585 || !TEST_false(create_ssl_connection(serverssl, clientssl,
586 SSL_ERROR_WANT_CLIENT_HELLO_CB))
588 * Passing a -1 literal is a hack since
589 * the real value was lost.
591 || !TEST_int_eq(SSL_get_error(serverssl, -1),
592 SSL_ERROR_WANT_CLIENT_HELLO_CB)
593 || !TEST_true(create_ssl_connection(serverssl, clientssl,
608 static int test_no_ems(void)
610 SSL_CTX *cctx = NULL, *sctx = NULL;
611 SSL *clientssl = NULL, *serverssl = NULL;
614 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
615 TLS1_VERSION, TLS1_2_VERSION,
616 &sctx, &cctx, cert, privkey)) {
617 printf("Unable to create SSL_CTX pair\n");
621 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
623 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
624 printf("Unable to create SSL objects\n");
628 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
629 printf("Creating SSL connection failed\n");
633 if (SSL_get_extms_support(serverssl)) {
634 printf("Server reports Extended Master Secret support\n");
638 if (SSL_get_extms_support(clientssl)) {
639 printf("Client reports Extended Master Secret support\n");
655 * Very focused test to exercise a single case in the server-side state
656 * machine, when the ChangeCipherState message needs to actually change
657 * from one cipher to a different cipher (i.e., not changing from null
658 * encryption to reall encryption).
660 static int test_ccs_change_cipher(void)
662 SSL_CTX *cctx = NULL, *sctx = NULL;
663 SSL *clientssl = NULL, *serverssl = NULL;
664 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
671 * Create a conection so we can resume and potentially (but not) use
672 * a different cipher in the second connection.
674 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
676 TLS1_VERSION, TLS1_2_VERSION,
677 &sctx, &cctx, cert, privkey))
678 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
679 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
681 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
682 || !TEST_true(create_ssl_connection(serverssl, clientssl,
684 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
685 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
688 shutdown_ssl_connection(serverssl, clientssl);
689 serverssl = clientssl = NULL;
691 /* Resume, preferring a different cipher. Our server will force the
692 * same cipher to be used as the initial handshake. */
693 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
695 || !TEST_true(SSL_set_session(clientssl, sess))
696 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
697 || !TEST_true(create_ssl_connection(serverssl, clientssl,
699 || !TEST_true(SSL_session_reused(clientssl))
700 || !TEST_true(SSL_session_reused(serverssl))
701 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
702 || !TEST_ptr_eq(sesspre, sesspost)
703 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
704 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
706 shutdown_ssl_connection(serverssl, clientssl);
707 serverssl = clientssl = NULL;
710 * Now create a fresh connection and try to renegotiate a different
713 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
715 TLS1_VERSION, TLS1_2_VERSION,
716 &sctx, &cctx, cert, privkey))
717 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
719 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
720 || !TEST_true(create_ssl_connection(serverssl, clientssl,
722 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
723 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
724 || !TEST_true(SSL_renegotiate(clientssl))
725 || !TEST_true(SSL_renegotiate_pending(clientssl)))
727 /* Actually drive the renegotiation. */
728 for (i = 0; i < 3; i++) {
729 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
730 if (!TEST_ulong_eq(readbytes, 0))
732 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
733 SSL_ERROR_WANT_READ)) {
736 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
737 if (!TEST_ulong_eq(readbytes, 0))
739 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
740 SSL_ERROR_WANT_READ)) {
744 /* sesspre and sesspost should be different since the cipher changed. */
745 if (!TEST_false(SSL_renegotiate_pending(clientssl))
746 || !TEST_false(SSL_session_reused(clientssl))
747 || !TEST_false(SSL_session_reused(serverssl))
748 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
749 || !TEST_ptr_ne(sesspre, sesspost)
750 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
751 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
754 shutdown_ssl_connection(serverssl, clientssl);
755 serverssl = clientssl = NULL;
764 SSL_SESSION_free(sess);
769 static int execute_test_large_message(const SSL_METHOD *smeth,
770 const SSL_METHOD *cmeth,
771 int min_version, int max_version,
774 SSL_CTX *cctx = NULL, *sctx = NULL;
775 SSL *clientssl = NULL, *serverssl = NULL;
779 X509 *chaincert = NULL;
782 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
784 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
787 if (!TEST_ptr(chaincert))
790 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
791 &sctx, &cctx, cert, privkey)))
796 * Test that read_ahead works correctly when dealing with large
799 SSL_CTX_set_read_ahead(cctx, 1);
803 * We assume the supplied certificate is big enough so that if we add
804 * NUM_EXTRA_CERTS it will make the overall message large enough. The
805 * default buffer size is requested to be 16k, but due to the way BUF_MEM
806 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
807 * test we need to have a message larger than that.
809 certlen = i2d_X509(chaincert, NULL);
810 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
811 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
812 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
813 if (!X509_up_ref(chaincert))
815 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
816 X509_free(chaincert);
821 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
823 || !TEST_true(create_ssl_connection(serverssl, clientssl,
828 * Calling SSL_clear() first is not required but this tests that SSL_clear()
831 if (!TEST_true(SSL_clear(serverssl)))
836 X509_free(chaincert);
845 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
846 && !defined(OPENSSL_NO_SOCK)
848 /* sock must be connected */
849 static int ktls_chk_platform(int sock)
851 if (!ktls_enable(sock))
856 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
858 static char count = 1;
859 unsigned char cbuf[16000] = {0};
860 unsigned char sbuf[16000];
862 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
863 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
864 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
865 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
866 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
867 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
868 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
869 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
872 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
873 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
874 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
875 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
876 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
877 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
878 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
879 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
881 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
884 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
885 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
890 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
893 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
894 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
899 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
900 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
901 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
902 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
903 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
904 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
905 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
906 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
908 /* verify the payload */
909 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
912 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
913 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
914 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
915 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
918 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
919 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
923 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
924 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
925 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
928 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
929 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
933 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
934 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
935 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
938 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
939 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
943 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
944 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
945 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
948 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
949 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
958 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
959 int sis_ktls_tx, int sis_ktls_rx)
961 SSL_CTX *cctx = NULL, *sctx = NULL;
962 SSL *clientssl = NULL, *serverssl = NULL;
966 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
969 /* Skip this test if the platform does not support ktls */
970 if (!ktls_chk_platform(cfd))
973 /* Create a session based on SHA-256 */
974 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
976 TLS1_2_VERSION, TLS1_2_VERSION,
977 &sctx, &cctx, cert, privkey))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "AES128-GCM-SHA256"))
980 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
981 &clientssl, sfd, cfd)))
985 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
990 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
995 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1000 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1004 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1009 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1012 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1017 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1020 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1025 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1028 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1033 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1036 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1040 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1046 SSL_shutdown(clientssl);
1047 SSL_free(clientssl);
1050 SSL_shutdown(serverssl);
1051 SSL_free(serverssl);
1055 serverssl = clientssl = NULL;
1059 #define SENDFILE_SZ (16 * 4096)
1060 #define SENDFILE_CHUNK (4 * 4096)
1061 #define min(a,b) ((a) > (b) ? (b) : (a))
1063 static int test_ktls_sendfile(void)
1065 SSL_CTX *cctx = NULL, *sctx = NULL;
1066 SSL *clientssl = NULL, *serverssl = NULL;
1067 unsigned char *buf, *buf_dst;
1068 BIO *out = NULL, *in = NULL;
1069 int cfd, sfd, ffd, err;
1070 ssize_t chunk_size = 0;
1071 off_t chunk_off = 0;
1075 buf = OPENSSL_zalloc(SENDFILE_SZ);
1076 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1077 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1078 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1081 /* Skip this test if the platform does not support ktls */
1082 if (!ktls_chk_platform(sfd)) {
1087 /* Create a session based on SHA-256 */
1088 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1089 TLS_client_method(),
1090 TLS1_2_VERSION, TLS1_2_VERSION,
1091 &sctx, &cctx, cert, privkey))
1092 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1093 "AES128-GCM-SHA256"))
1094 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1095 &clientssl, sfd, cfd)))
1098 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1100 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1103 RAND_bytes(buf, SENDFILE_SZ);
1104 out = BIO_new_file(tmpfilename, "wb");
1108 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1113 in = BIO_new_file(tmpfilename, "rb");
1114 BIO_get_fp(in, &ffdp);
1117 while (chunk_off < SENDFILE_SZ) {
1118 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1119 while ((err = SSL_sendfile(serverssl,
1123 0)) != chunk_size) {
1124 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1127 while ((err = SSL_read(clientssl,
1128 buf_dst + chunk_off,
1129 chunk_size)) != chunk_size) {
1130 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1134 /* verify the payload */
1135 if (!TEST_mem_eq(buf_dst + chunk_off,
1141 chunk_off += chunk_size;
1147 SSL_shutdown(clientssl);
1148 SSL_free(clientssl);
1151 SSL_shutdown(serverssl);
1152 SSL_free(serverssl);
1156 serverssl = clientssl = NULL;
1160 OPENSSL_free(buf_dst);
1164 static int test_ktls_no_txrx_client_no_txrx_server(void)
1166 return execute_test_ktls(0, 0, 0, 0);
1169 static int test_ktls_no_rx_client_no_txrx_server(void)
1171 return execute_test_ktls(1, 0, 0, 0);
1174 static int test_ktls_no_tx_client_no_txrx_server(void)
1176 return execute_test_ktls(0, 1, 0, 0);
1179 static int test_ktls_client_no_txrx_server(void)
1181 return execute_test_ktls(1, 1, 0, 0);
1184 static int test_ktls_no_txrx_client_no_rx_server(void)
1186 return execute_test_ktls(0, 0, 1, 0);
1189 static int test_ktls_no_rx_client_no_rx_server(void)
1191 return execute_test_ktls(1, 0, 1, 0);
1194 static int test_ktls_no_tx_client_no_rx_server(void)
1196 return execute_test_ktls(0, 1, 1, 0);
1199 static int test_ktls_client_no_rx_server(void)
1201 return execute_test_ktls(1, 1, 1, 0);
1204 static int test_ktls_no_txrx_client_no_tx_server(void)
1206 return execute_test_ktls(0, 0, 0, 1);
1209 static int test_ktls_no_rx_client_no_tx_server(void)
1211 return execute_test_ktls(1, 0, 0, 1);
1214 static int test_ktls_no_tx_client_no_tx_server(void)
1216 return execute_test_ktls(0, 1, 0, 1);
1219 static int test_ktls_client_no_tx_server(void)
1221 return execute_test_ktls(1, 1, 0, 1);
1224 static int test_ktls_no_txrx_client_server(void)
1226 return execute_test_ktls(0, 0, 1, 1);
1229 static int test_ktls_no_rx_client_server(void)
1231 return execute_test_ktls(1, 0, 1, 1);
1234 static int test_ktls_no_tx_client_server(void)
1236 return execute_test_ktls(0, 1, 1, 1);
1239 static int test_ktls_client_server(void)
1241 return execute_test_ktls(1, 1, 1, 1);
1245 static int test_large_message_tls(void)
1247 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1248 TLS1_VERSION, 0, 0);
1251 static int test_large_message_tls_read_ahead(void)
1253 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1254 TLS1_VERSION, 0, 1);
1257 #ifndef OPENSSL_NO_DTLS
1258 static int test_large_message_dtls(void)
1261 * read_ahead is not relevant to DTLS because DTLS always acts as if
1262 * read_ahead is set.
1264 return execute_test_large_message(DTLS_server_method(),
1265 DTLS_client_method(),
1266 DTLS1_VERSION, 0, 0);
1270 #ifndef OPENSSL_NO_OCSP
1271 static int ocsp_server_cb(SSL *s, void *arg)
1273 int *argi = (int *)arg;
1274 unsigned char *copy = NULL;
1275 STACK_OF(OCSP_RESPID) *ids = NULL;
1276 OCSP_RESPID *id = NULL;
1279 /* In this test we are expecting exactly 1 OCSP_RESPID */
1280 SSL_get_tlsext_status_ids(s, &ids);
1281 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1282 return SSL_TLSEXT_ERR_ALERT_FATAL;
1284 id = sk_OCSP_RESPID_value(ids, 0);
1285 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1286 return SSL_TLSEXT_ERR_ALERT_FATAL;
1287 } else if (*argi != 1) {
1288 return SSL_TLSEXT_ERR_ALERT_FATAL;
1291 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1292 return SSL_TLSEXT_ERR_ALERT_FATAL;
1294 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1295 ocsp_server_called = 1;
1296 return SSL_TLSEXT_ERR_OK;
1299 static int ocsp_client_cb(SSL *s, void *arg)
1301 int *argi = (int *)arg;
1302 const unsigned char *respderin;
1305 if (*argi != 1 && *argi != 2)
1308 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1309 if (!TEST_mem_eq(orespder, len, respderin, len))
1312 ocsp_client_called = 1;
1316 static int test_tlsext_status_type(void)
1318 SSL_CTX *cctx = NULL, *sctx = NULL;
1319 SSL *clientssl = NULL, *serverssl = NULL;
1321 STACK_OF(OCSP_RESPID) *ids = NULL;
1322 OCSP_RESPID *id = NULL;
1323 BIO *certbio = NULL;
1325 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1327 &sctx, &cctx, cert, privkey))
1330 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1333 /* First just do various checks getting and setting tlsext_status_type */
1335 clientssl = SSL_new(cctx);
1336 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1337 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1338 TLSEXT_STATUSTYPE_ocsp))
1339 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1340 TLSEXT_STATUSTYPE_ocsp))
1343 SSL_free(clientssl);
1346 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1347 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1350 clientssl = SSL_new(cctx);
1351 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1353 SSL_free(clientssl);
1357 * Now actually do a handshake and check OCSP information is exchanged and
1358 * the callbacks get called
1360 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1361 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1362 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1363 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1365 &clientssl, NULL, NULL))
1366 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1368 || !TEST_true(ocsp_client_called)
1369 || !TEST_true(ocsp_server_called))
1371 SSL_free(serverssl);
1372 SSL_free(clientssl);
1376 /* Try again but this time force the server side callback to fail */
1377 ocsp_client_called = 0;
1378 ocsp_server_called = 0;
1380 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1381 &clientssl, NULL, NULL))
1382 /* This should fail because the callback will fail */
1383 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1385 || !TEST_false(ocsp_client_called)
1386 || !TEST_false(ocsp_server_called))
1388 SSL_free(serverssl);
1389 SSL_free(clientssl);
1394 * This time we'll get the client to send an OCSP_RESPID that it will
1397 ocsp_client_called = 0;
1398 ocsp_server_called = 0;
1400 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1401 &clientssl, NULL, NULL)))
1405 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1406 * specific one. We'll use the server cert.
1408 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1409 || !TEST_ptr(id = OCSP_RESPID_new())
1410 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1411 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1413 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1414 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1417 SSL_set_tlsext_status_ids(clientssl, ids);
1418 /* Control has been transferred */
1424 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1426 || !TEST_true(ocsp_client_called)
1427 || !TEST_true(ocsp_server_called))
1433 SSL_free(serverssl);
1434 SSL_free(clientssl);
1437 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1438 OCSP_RESPID_free(id);
1440 X509_free(ocspcert);
1447 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1448 static int new_called, remove_called, get_called;
1450 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1454 * sess has been up-refed for us, but we don't actually need it so free it
1457 SSL_SESSION_free(sess);
1461 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1466 static SSL_SESSION *get_sess_val = NULL;
1468 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1473 return get_sess_val;
1476 static int execute_test_session(int maxprot, int use_int_cache,
1479 SSL_CTX *sctx = NULL, *cctx = NULL;
1480 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1481 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1482 # ifndef OPENSSL_NO_TLS1_1
1483 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1485 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1486 int testresult = 0, numnewsesstick = 1;
1488 new_called = remove_called = 0;
1490 /* TLSv1.3 sends 2 NewSessionTickets */
1491 if (maxprot == TLS1_3_VERSION)
1494 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1496 &sctx, &cctx, cert, privkey)))
1500 * Only allow the max protocol version so we can force a connection failure
1503 SSL_CTX_set_min_proto_version(cctx, maxprot);
1504 SSL_CTX_set_max_proto_version(cctx, maxprot);
1506 /* Set up session cache */
1507 if (use_ext_cache) {
1508 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1509 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1511 if (use_int_cache) {
1512 /* Also covers instance where both are set */
1513 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1515 SSL_CTX_set_session_cache_mode(cctx,
1516 SSL_SESS_CACHE_CLIENT
1517 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1522 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1524 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1527 /* Should fail because it should already be in the cache */
1528 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1531 && (!TEST_int_eq(new_called, numnewsesstick)
1533 || !TEST_int_eq(remove_called, 0)))
1536 new_called = remove_called = 0;
1537 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1538 &clientssl2, NULL, NULL))
1539 || !TEST_true(SSL_set_session(clientssl2, sess1))
1540 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1542 || !TEST_true(SSL_session_reused(clientssl2)))
1545 if (maxprot == TLS1_3_VERSION) {
1547 * In TLSv1.3 we should have created a new session even though we have
1548 * resumed. Since we attempted a resume we should also have removed the
1549 * old ticket from the cache so that we try to only use tickets once.
1552 && (!TEST_int_eq(new_called, 1)
1553 || !TEST_int_eq(remove_called, 1)))
1557 * In TLSv1.2 we expect to have resumed so no sessions added or
1561 && (!TEST_int_eq(new_called, 0)
1562 || !TEST_int_eq(remove_called, 0)))
1566 SSL_SESSION_free(sess1);
1567 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1569 shutdown_ssl_connection(serverssl2, clientssl2);
1570 serverssl2 = clientssl2 = NULL;
1572 new_called = remove_called = 0;
1573 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1574 &clientssl2, NULL, NULL))
1575 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1579 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1583 && (!TEST_int_eq(new_called, numnewsesstick)
1584 || !TEST_int_eq(remove_called, 0)))
1587 new_called = remove_called = 0;
1589 * This should clear sess2 from the cache because it is a "bad" session.
1590 * See SSL_set_session() documentation.
1592 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1595 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1597 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1600 if (use_int_cache) {
1601 /* Should succeeded because it should not already be in the cache */
1602 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1603 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1607 new_called = remove_called = 0;
1608 /* This shouldn't be in the cache so should fail */
1609 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1613 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1616 # if !defined(OPENSSL_NO_TLS1_1)
1617 new_called = remove_called = 0;
1618 /* Force a connection failure */
1619 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1621 &clientssl3, NULL, NULL))
1622 || !TEST_true(SSL_set_session(clientssl3, sess1))
1623 /* This should fail because of the mismatched protocol versions */
1624 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1628 /* We should have automatically removed the session from the cache */
1630 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1633 /* Should succeed because it should not already be in the cache */
1634 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1638 /* Now do some tests for server side caching */
1639 if (use_ext_cache) {
1640 SSL_CTX_sess_set_new_cb(cctx, NULL);
1641 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1642 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1643 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1644 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1645 get_sess_val = NULL;
1648 SSL_CTX_set_session_cache_mode(cctx, 0);
1649 /* Internal caching is the default on the server side */
1651 SSL_CTX_set_session_cache_mode(sctx,
1652 SSL_SESS_CACHE_SERVER
1653 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1655 SSL_free(serverssl1);
1656 SSL_free(clientssl1);
1657 serverssl1 = clientssl1 = NULL;
1658 SSL_free(serverssl2);
1659 SSL_free(clientssl2);
1660 serverssl2 = clientssl2 = NULL;
1661 SSL_SESSION_free(sess1);
1663 SSL_SESSION_free(sess2);
1666 SSL_CTX_set_max_proto_version(sctx, maxprot);
1667 if (maxprot == TLS1_2_VERSION)
1668 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1669 new_called = remove_called = get_called = 0;
1670 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1672 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1674 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1675 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1678 if (use_int_cache) {
1679 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1681 * In TLSv1.3 it should not have been added to the internal cache,
1682 * except in the case where we also have an external cache (in that
1683 * case it gets added to the cache in order to generate remove
1684 * events after timeout).
1686 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1689 /* Should fail because it should already be in the cache */
1690 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1695 if (use_ext_cache) {
1696 SSL_SESSION *tmp = sess2;
1698 if (!TEST_int_eq(new_called, numnewsesstick)
1699 || !TEST_int_eq(remove_called, 0)
1700 || !TEST_int_eq(get_called, 0))
1703 * Delete the session from the internal cache to force a lookup from
1704 * the external cache. We take a copy first because
1705 * SSL_CTX_remove_session() also marks the session as non-resumable.
1707 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1708 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1709 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1711 SSL_SESSION_free(sess2);
1716 new_called = remove_called = get_called = 0;
1717 get_sess_val = sess2;
1718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1719 &clientssl2, NULL, NULL))
1720 || !TEST_true(SSL_set_session(clientssl2, sess1))
1721 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1723 || !TEST_true(SSL_session_reused(clientssl2)))
1726 if (use_ext_cache) {
1727 if (!TEST_int_eq(remove_called, 0))
1730 if (maxprot == TLS1_3_VERSION) {
1731 if (!TEST_int_eq(new_called, 1)
1732 || !TEST_int_eq(get_called, 0))
1735 if (!TEST_int_eq(new_called, 0)
1736 || !TEST_int_eq(get_called, 1))
1744 SSL_free(serverssl1);
1745 SSL_free(clientssl1);
1746 SSL_free(serverssl2);
1747 SSL_free(clientssl2);
1748 # ifndef OPENSSL_NO_TLS1_1
1749 SSL_free(serverssl3);
1750 SSL_free(clientssl3);
1752 SSL_SESSION_free(sess1);
1753 SSL_SESSION_free(sess2);
1759 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1761 static int test_session_with_only_int_cache(void)
1763 #ifndef OPENSSL_NO_TLS1_3
1764 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1768 #ifndef OPENSSL_NO_TLS1_2
1769 return execute_test_session(TLS1_2_VERSION, 1, 0);
1775 static int test_session_with_only_ext_cache(void)
1777 #ifndef OPENSSL_NO_TLS1_3
1778 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1782 #ifndef OPENSSL_NO_TLS1_2
1783 return execute_test_session(TLS1_2_VERSION, 0, 1);
1789 static int test_session_with_both_cache(void)
1791 #ifndef OPENSSL_NO_TLS1_3
1792 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1796 #ifndef OPENSSL_NO_TLS1_2
1797 return execute_test_session(TLS1_2_VERSION, 1, 1);
1803 #ifndef OPENSSL_NO_TLS1_3
1804 static SSL_SESSION *sesscache[6];
1805 static int do_cache;
1807 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1810 sesscache[new_called] = sess;
1812 /* We don't need the reference to the session, so free it */
1813 SSL_SESSION_free(sess);
1820 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1822 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1823 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1826 /* Start handshake on the server and client */
1827 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1828 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1829 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1830 || !TEST_true(create_ssl_connection(sssl, cssl,
1837 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1840 int sess_id_ctx = 1;
1842 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1843 TLS1_VERSION, 0, sctx,
1844 cctx, cert, privkey))
1845 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1846 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1847 (void *)&sess_id_ctx,
1848 sizeof(sess_id_ctx))))
1852 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1854 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1855 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1856 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1861 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1863 SSL *serverssl = NULL, *clientssl = NULL;
1866 /* Test that we can resume with all the tickets we got given */
1867 for (i = 0; i < idx * 2; i++) {
1869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1870 &clientssl, NULL, NULL))
1871 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1874 SSL_set_post_handshake_auth(clientssl, 1);
1876 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1881 * Following a successful resumption we only get 1 ticket. After a
1882 * failed one we should get idx tickets.
1885 if (!TEST_true(SSL_session_reused(clientssl))
1886 || !TEST_int_eq(new_called, 1))
1889 if (!TEST_false(SSL_session_reused(clientssl))
1890 || !TEST_int_eq(new_called, idx))
1895 /* After a post-handshake authentication we should get 1 new ticket */
1897 && (!post_handshake_verify(serverssl, clientssl)
1898 || !TEST_int_eq(new_called, 1)))
1901 SSL_shutdown(clientssl);
1902 SSL_shutdown(serverssl);
1903 SSL_free(serverssl);
1904 SSL_free(clientssl);
1905 serverssl = clientssl = NULL;
1906 SSL_SESSION_free(sesscache[i]);
1907 sesscache[i] = NULL;
1913 SSL_free(clientssl);
1914 SSL_free(serverssl);
1918 static int test_tickets(int stateful, int idx)
1920 SSL_CTX *sctx = NULL, *cctx = NULL;
1921 SSL *serverssl = NULL, *clientssl = NULL;
1925 /* idx is the test number, but also the number of tickets we want */
1930 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1933 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1934 &clientssl, NULL, NULL)))
1937 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1939 /* Check we got the number of tickets we were expecting */
1940 || !TEST_int_eq(idx, new_called))
1943 SSL_shutdown(clientssl);
1944 SSL_shutdown(serverssl);
1945 SSL_free(serverssl);
1946 SSL_free(clientssl);
1949 clientssl = serverssl = NULL;
1953 * Now we try to resume with the tickets we previously created. The
1954 * resumption attempt is expected to fail (because we're now using a new
1955 * SSL_CTX). We should see idx number of tickets issued again.
1958 /* Stop caching sessions - just count them */
1961 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1964 if (!check_resumption(idx, sctx, cctx, 0))
1967 /* Start again with caching sessions */
1974 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1977 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1978 &clientssl, NULL, NULL)))
1981 SSL_set_post_handshake_auth(clientssl, 1);
1983 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1985 /* Check we got the number of tickets we were expecting */
1986 || !TEST_int_eq(idx, new_called))
1989 /* After a post-handshake authentication we should get new tickets issued */
1990 if (!post_handshake_verify(serverssl, clientssl)
1991 || !TEST_int_eq(idx * 2, new_called))
1994 SSL_shutdown(clientssl);
1995 SSL_shutdown(serverssl);
1996 SSL_free(serverssl);
1997 SSL_free(clientssl);
1998 serverssl = clientssl = NULL;
2000 /* Stop caching sessions - just count them */
2004 * Check we can resume with all the tickets we created. This time around the
2005 * resumptions should all be successful.
2007 if (!check_resumption(idx, sctx, cctx, 1))
2013 SSL_free(serverssl);
2014 SSL_free(clientssl);
2015 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2016 SSL_SESSION_free(sesscache[j]);
2017 sesscache[j] = NULL;
2025 static int test_stateless_tickets(int idx)
2027 return test_tickets(0, idx);
2030 static int test_stateful_tickets(int idx)
2032 return test_tickets(1, idx);
2035 static int test_psk_tickets(void)
2037 SSL_CTX *sctx = NULL, *cctx = NULL;
2038 SSL *serverssl = NULL, *clientssl = NULL;
2040 int sess_id_ctx = 1;
2042 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2043 TLS1_VERSION, 0, &sctx,
2045 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2046 (void *)&sess_id_ctx,
2047 sizeof(sess_id_ctx))))
2050 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2051 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2052 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2053 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2054 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2055 use_session_cb_cnt = 0;
2056 find_session_cb_cnt = 0;
2060 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2063 clientpsk = serverpsk = create_a_psk(clientssl);
2064 if (!TEST_ptr(clientpsk))
2066 SSL_SESSION_up_ref(clientpsk);
2068 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2070 || !TEST_int_eq(1, find_session_cb_cnt)
2071 || !TEST_int_eq(1, use_session_cb_cnt)
2072 /* We should always get 1 ticket when using external PSK */
2073 || !TEST_int_eq(1, new_called))
2079 SSL_free(serverssl);
2080 SSL_free(clientssl);
2083 SSL_SESSION_free(clientpsk);
2084 SSL_SESSION_free(serverpsk);
2085 clientpsk = serverpsk = NULL;
2094 #define USE_DEFAULT 3
2096 #define CONNTYPE_CONNECTION_SUCCESS 0
2097 #define CONNTYPE_CONNECTION_FAIL 1
2098 #define CONNTYPE_NO_CONNECTION 2
2100 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2101 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2102 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2103 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2105 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2108 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2109 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2110 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2112 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2129 * Tests calls to SSL_set_bio() under various conditions.
2131 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2132 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2133 * then do more tests where we create a successful connection first using our
2134 * standard connection setup functions, and then call SSL_set_bio() with
2135 * various combinations of valid BIOs or NULL. We then repeat these tests
2136 * following a failed connection. In this last case we are looking to check that
2137 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2139 static int test_ssl_set_bio(int idx)
2141 SSL_CTX *sctx = NULL, *cctx = NULL;
2144 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2145 SSL *serverssl = NULL, *clientssl = NULL;
2146 int initrbio, initwbio, newrbio, newwbio, conntype;
2149 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2157 conntype = CONNTYPE_NO_CONNECTION;
2159 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2160 initrbio = initwbio = USE_DEFAULT;
2168 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2170 &sctx, &cctx, cert, privkey)))
2173 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2175 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2176 * because we reduced the number of tests in the definition of
2177 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2178 * mismatched protocol versions we will force a connection failure.
2180 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2181 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2188 if (initrbio == USE_BIO_1
2189 || initwbio == USE_BIO_1
2190 || newrbio == USE_BIO_1
2191 || newwbio == USE_BIO_1) {
2192 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2196 if (initrbio == USE_BIO_2
2197 || initwbio == USE_BIO_2
2198 || newrbio == USE_BIO_2
2199 || newwbio == USE_BIO_2) {
2200 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2204 if (initrbio != USE_DEFAULT) {
2205 setupbio(&irbio, bio1, bio2, initrbio);
2206 setupbio(&iwbio, bio1, bio2, initwbio);
2207 SSL_set_bio(clientssl, irbio, iwbio);
2210 * We want to maintain our own refs to these BIO, so do an up ref for
2211 * each BIO that will have ownership transferred in the SSL_set_bio()
2216 if (iwbio != NULL && iwbio != irbio)
2220 if (conntype != CONNTYPE_NO_CONNECTION
2221 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2223 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2226 setupbio(&nrbio, bio1, bio2, newrbio);
2227 setupbio(&nwbio, bio1, bio2, newwbio);
2230 * We will (maybe) transfer ownership again so do more up refs.
2231 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2236 && (nwbio != iwbio || nrbio != nwbio))
2240 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2243 SSL_set_bio(clientssl, nrbio, nwbio);
2252 * This test is checking that the ref counting for SSL_set_bio is correct.
2253 * If we get here and we did too many frees then we will fail in the above
2256 SSL_free(serverssl);
2257 SSL_free(clientssl);
2263 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2265 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2267 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2272 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2273 || !TEST_ptr(ssl = SSL_new(ctx))
2274 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2275 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2278 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2281 * If anything goes wrong here then we could leak memory.
2283 BIO_push(sslbio, membio1);
2285 /* Verify changing the rbio/wbio directly does not cause leaks */
2286 if (change_bio != NO_BIO_CHANGE) {
2287 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2289 if (change_bio == CHANGE_RBIO)
2290 SSL_set0_rbio(ssl, membio2);
2292 SSL_set0_wbio(ssl, membio2);
2311 static int test_ssl_bio_pop_next_bio(void)
2313 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2316 static int test_ssl_bio_pop_ssl_bio(void)
2318 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2321 static int test_ssl_bio_change_rbio(void)
2323 return execute_test_ssl_bio(0, CHANGE_RBIO);
2326 static int test_ssl_bio_change_wbio(void)
2328 return execute_test_ssl_bio(0, CHANGE_WBIO);
2331 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2333 /* The list of sig algs */
2335 /* The length of the list */
2337 /* A sigalgs list in string format */
2338 const char *liststr;
2339 /* Whether setting the list should succeed */
2341 /* Whether creating a connection with the list should succeed */
2345 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2346 # ifndef OPENSSL_NO_EC
2347 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2348 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2350 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2351 static const int invalidlist2[] = {NID_sha256, NID_undef};
2352 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2353 static const int invalidlist4[] = {NID_sha256};
2354 static const sigalgs_list testsigalgs[] = {
2355 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2356 # ifndef OPENSSL_NO_EC
2357 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2358 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2360 {NULL, 0, "RSA+SHA256", 1, 1},
2361 # ifndef OPENSSL_NO_EC
2362 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2363 {NULL, 0, "ECDSA+SHA512", 1, 0},
2365 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2366 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2367 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2368 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2369 {NULL, 0, "RSA", 0, 0},
2370 {NULL, 0, "SHA256", 0, 0},
2371 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2372 {NULL, 0, "Invalid", 0, 0}
2375 static int test_set_sigalgs(int idx)
2377 SSL_CTX *cctx = NULL, *sctx = NULL;
2378 SSL *clientssl = NULL, *serverssl = NULL;
2380 const sigalgs_list *curr;
2383 /* Should never happen */
2384 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2387 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2388 curr = testctx ? &testsigalgs[idx]
2389 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2391 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2393 &sctx, &cctx, cert, privkey)))
2397 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2398 * for TLSv1.2 for now until we add a new API.
2400 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2405 if (curr->list != NULL)
2406 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2408 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2412 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2418 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2423 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2424 &clientssl, NULL, NULL)))
2430 if (curr->list != NULL)
2431 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2433 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2436 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2445 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2453 SSL_free(serverssl);
2454 SSL_free(clientssl);
2462 #ifndef OPENSSL_NO_TLS1_3
2463 static int psk_client_cb_cnt = 0;
2464 static int psk_server_cb_cnt = 0;
2466 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2467 size_t *idlen, SSL_SESSION **sess)
2469 switch (++use_session_cb_cnt) {
2471 /* The first call should always have a NULL md */
2477 /* The second call should always have an md */
2483 /* We should only be called a maximum of twice */
2487 if (clientpsk != NULL)
2488 SSL_SESSION_up_ref(clientpsk);
2491 *id = (const unsigned char *)pskid;
2492 *idlen = strlen(pskid);
2497 #ifndef OPENSSL_NO_PSK
2498 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2499 unsigned int max_id_len,
2501 unsigned int max_psk_len)
2503 unsigned int psklen = 0;
2505 psk_client_cb_cnt++;
2507 if (strlen(pskid) + 1 > max_id_len)
2510 /* We should only ever be called a maximum of twice per connection */
2511 if (psk_client_cb_cnt > 2)
2514 if (clientpsk == NULL)
2517 /* We'll reuse the PSK we set up for TLSv1.3 */
2518 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2520 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2521 strncpy(id, pskid, max_id_len);
2525 #endif /* OPENSSL_NO_PSK */
2527 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2528 size_t identity_len, SSL_SESSION **sess)
2530 find_session_cb_cnt++;
2532 /* We should only ever be called a maximum of twice per connection */
2533 if (find_session_cb_cnt > 2)
2536 if (serverpsk == NULL)
2539 /* Identity should match that set by the client */
2540 if (strlen(srvid) != identity_len
2541 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2542 /* No PSK found, continue but without a PSK */
2547 SSL_SESSION_up_ref(serverpsk);
2553 #ifndef OPENSSL_NO_PSK
2554 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2555 unsigned char *psk, unsigned int max_psk_len)
2557 unsigned int psklen = 0;
2559 psk_server_cb_cnt++;
2561 /* We should only ever be called a maximum of twice per connection */
2562 if (find_session_cb_cnt > 2)
2565 if (serverpsk == NULL)
2568 /* Identity should match that set by the client */
2569 if (strcmp(srvid, identity) != 0) {
2573 /* We'll reuse the PSK we set up for TLSv1.3 */
2574 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2576 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2580 #endif /* OPENSSL_NO_PSK */
2582 #define MSG1 "Hello"
2583 #define MSG2 "World."
2588 #define MSG7 "message."
2590 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2591 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2594 static SSL_SESSION *create_a_psk(SSL *ssl)
2596 const SSL_CIPHER *cipher = NULL;
2597 const unsigned char key[] = {
2598 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2599 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2600 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2601 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2602 0x2c, 0x2d, 0x2e, 0x2f
2604 SSL_SESSION *sess = NULL;
2606 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2607 sess = SSL_SESSION_new();
2609 || !TEST_ptr(cipher)
2610 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2612 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2614 SSL_SESSION_set_protocol_version(sess,
2616 SSL_SESSION_free(sess);
2623 * Helper method to setup objects for early data test. Caller frees objects on
2626 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2627 SSL **serverssl, SSL_SESSION **sess, int idx)
2630 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2631 TLS_client_method(),
2633 sctx, cctx, cert, privkey)))
2636 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2640 /* When idx == 1 we repeat the tests with read_ahead set */
2641 SSL_CTX_set_read_ahead(*cctx, 1);
2642 SSL_CTX_set_read_ahead(*sctx, 1);
2643 } else if (idx == 2) {
2644 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2645 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2646 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2647 use_session_cb_cnt = 0;
2648 find_session_cb_cnt = 0;
2652 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2657 * For one of the run throughs (doesn't matter which one), we'll try sending
2658 * some SNI data in the initial ClientHello. This will be ignored (because
2659 * there is no SNI cb set up by the server), so it should not impact
2663 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2667 clientpsk = create_a_psk(*clientssl);
2668 if (!TEST_ptr(clientpsk)
2670 * We just choose an arbitrary value for max_early_data which
2671 * should be big enough for testing purposes.
2673 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2675 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2676 SSL_SESSION_free(clientpsk);
2680 serverpsk = clientpsk;
2683 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2684 SSL_SESSION_free(clientpsk);
2685 SSL_SESSION_free(serverpsk);
2686 clientpsk = serverpsk = NULL;
2697 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2701 *sess = SSL_get1_session(*clientssl);
2702 SSL_shutdown(*clientssl);
2703 SSL_shutdown(*serverssl);
2704 SSL_free(*serverssl);
2705 SSL_free(*clientssl);
2706 *serverssl = *clientssl = NULL;
2708 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2709 clientssl, NULL, NULL))
2710 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2716 static int test_early_data_read_write(int idx)
2718 SSL_CTX *cctx = NULL, *sctx = NULL;
2719 SSL *clientssl = NULL, *serverssl = NULL;
2721 SSL_SESSION *sess = NULL;
2722 unsigned char buf[20], data[1024];
2723 size_t readbytes, written, eoedlen, rawread, rawwritten;
2726 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2727 &serverssl, &sess, idx)))
2730 /* Write and read some early data */
2731 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2733 || !TEST_size_t_eq(written, strlen(MSG1))
2734 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2735 sizeof(buf), &readbytes),
2736 SSL_READ_EARLY_DATA_SUCCESS)
2737 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2738 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2739 SSL_EARLY_DATA_ACCEPTED))
2743 * Server should be able to write data, and client should be able to
2746 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2748 || !TEST_size_t_eq(written, strlen(MSG2))
2749 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2750 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2753 /* Even after reading normal data, client should be able write early data */
2754 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2756 || !TEST_size_t_eq(written, strlen(MSG3)))
2759 /* Server should still be able read early data after writing data */
2760 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2762 SSL_READ_EARLY_DATA_SUCCESS)
2763 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2766 /* Write more data from server and read it from client */
2767 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2769 || !TEST_size_t_eq(written, strlen(MSG4))
2770 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2771 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2775 * If client writes normal data it should mean writing early data is no
2778 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2779 || !TEST_size_t_eq(written, strlen(MSG5))
2780 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2781 SSL_EARLY_DATA_ACCEPTED))
2785 * At this point the client has written EndOfEarlyData, ClientFinished and
2786 * normal (fully protected) data. We are going to cause a delay between the
2787 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2788 * in the read BIO, and then just put back the EndOfEarlyData message.
2790 rbio = SSL_get_rbio(serverssl);
2791 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2792 || !TEST_size_t_lt(rawread, sizeof(data))
2793 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2796 /* Record length is in the 4th and 5th bytes of the record header */
2797 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2798 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2799 || !TEST_size_t_eq(rawwritten, eoedlen))
2802 /* Server should be told that there is no more early data */
2803 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2805 SSL_READ_EARLY_DATA_FINISH)
2806 || !TEST_size_t_eq(readbytes, 0))
2810 * Server has not finished init yet, so should still be able to write early
2813 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2815 || !TEST_size_t_eq(written, strlen(MSG6)))
2818 /* Push the ClientFinished and the normal data back into the server rbio */
2819 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2821 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2824 /* Server should be able to read normal data */
2825 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2826 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2829 /* Client and server should not be able to write/read early data now */
2830 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2834 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2836 SSL_READ_EARLY_DATA_ERROR))
2840 /* Client should be able to read the data sent by the server */
2841 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2842 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2846 * Make sure we process the two NewSessionTickets. These arrive
2847 * post-handshake. We attempt reads which we do not expect to return any
2850 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2851 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2855 /* Server should be able to write normal data */
2856 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2857 || !TEST_size_t_eq(written, strlen(MSG7))
2858 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2859 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2862 SSL_SESSION_free(sess);
2863 sess = SSL_get1_session(clientssl);
2864 use_session_cb_cnt = 0;
2865 find_session_cb_cnt = 0;
2867 SSL_shutdown(clientssl);
2868 SSL_shutdown(serverssl);
2869 SSL_free(serverssl);
2870 SSL_free(clientssl);
2871 serverssl = clientssl = NULL;
2872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2873 &clientssl, NULL, NULL))
2874 || !TEST_true(SSL_set_session(clientssl, sess)))
2877 /* Write and read some early data */
2878 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2880 || !TEST_size_t_eq(written, strlen(MSG1))
2881 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2883 SSL_READ_EARLY_DATA_SUCCESS)
2884 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2887 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2888 || !TEST_int_gt(SSL_accept(serverssl), 0))
2891 /* Client and server should not be able to write/read early data now */
2892 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2896 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2898 SSL_READ_EARLY_DATA_ERROR))
2902 /* Client and server should be able to write/read normal data */
2903 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2904 || !TEST_size_t_eq(written, strlen(MSG5))
2905 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2906 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2912 SSL_SESSION_free(sess);
2913 SSL_SESSION_free(clientpsk);
2914 SSL_SESSION_free(serverpsk);
2915 clientpsk = serverpsk = NULL;
2916 SSL_free(serverssl);
2917 SSL_free(clientssl);
2923 static int allow_ed_cb_called = 0;
2925 static int allow_early_data_cb(SSL *s, void *arg)
2927 int *usecb = (int *)arg;
2929 allow_ed_cb_called++;
2938 * idx == 0: Standard early_data setup
2939 * idx == 1: early_data setup using read_ahead
2940 * usecb == 0: Don't use a custom early data callback
2941 * usecb == 1: Use a custom early data callback and reject the early data
2942 * usecb == 2: Use a custom early data callback and accept the early data
2943 * confopt == 0: Configure anti-replay directly
2944 * confopt == 1: Configure anti-replay using SSL_CONF
2946 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2948 SSL_CTX *cctx = NULL, *sctx = NULL;
2949 SSL *clientssl = NULL, *serverssl = NULL;
2951 SSL_SESSION *sess = NULL;
2952 size_t readbytes, written;
2953 unsigned char buf[20];
2955 allow_ed_cb_called = 0;
2957 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2958 TLS1_VERSION, 0, &sctx,
2959 &cctx, cert, privkey)))
2964 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2966 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2968 if (!TEST_ptr(confctx))
2970 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2971 | SSL_CONF_FLAG_SERVER);
2972 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2973 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2975 SSL_CONF_CTX_free(confctx);
2978 SSL_CONF_CTX_free(confctx);
2980 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2983 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2984 &serverssl, &sess, idx)))
2988 * The server is configured to accept early data. Create a connection to
2989 * "use up" the ticket
2991 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2992 || !TEST_true(SSL_session_reused(clientssl)))
2995 SSL_shutdown(clientssl);
2996 SSL_shutdown(serverssl);
2997 SSL_free(serverssl);
2998 SSL_free(clientssl);
2999 serverssl = clientssl = NULL;
3001 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3002 &clientssl, NULL, NULL))
3003 || !TEST_true(SSL_set_session(clientssl, sess)))
3006 /* Write and read some early data */
3007 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3009 || !TEST_size_t_eq(written, strlen(MSG1)))
3013 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3015 SSL_READ_EARLY_DATA_FINISH)
3017 * The ticket was reused, so the we should have rejected the
3020 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3021 SSL_EARLY_DATA_REJECTED))
3024 /* In this case the callback decides to accept the early data */
3025 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3027 SSL_READ_EARLY_DATA_SUCCESS)
3028 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3030 * Server will have sent its flight so client can now send
3031 * end of early data and complete its half of the handshake
3033 || !TEST_int_gt(SSL_connect(clientssl), 0)
3034 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3036 SSL_READ_EARLY_DATA_FINISH)
3037 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3038 SSL_EARLY_DATA_ACCEPTED))
3042 /* Complete the connection */
3043 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3044 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3045 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3051 SSL_SESSION_free(sess);
3052 SSL_SESSION_free(clientpsk);
3053 SSL_SESSION_free(serverpsk);
3054 clientpsk = serverpsk = NULL;
3055 SSL_free(serverssl);
3056 SSL_free(clientssl);
3062 static int test_early_data_replay(int idx)
3064 int ret = 1, usecb, confopt;
3066 for (usecb = 0; usecb < 3; usecb++) {
3067 for (confopt = 0; confopt < 2; confopt++)
3068 ret &= test_early_data_replay_int(idx, usecb, confopt);
3075 * Helper function to test that a server attempting to read early data can
3076 * handle a connection from a client where the early data should be skipped.
3077 * testtype: 0 == No HRR
3078 * testtype: 1 == HRR
3079 * testtype: 2 == HRR, invalid early_data sent after HRR
3080 * testtype: 3 == recv_max_early_data set to 0
3082 static int early_data_skip_helper(int testtype, int idx)
3084 SSL_CTX *cctx = NULL, *sctx = NULL;
3085 SSL *clientssl = NULL, *serverssl = NULL;
3087 SSL_SESSION *sess = NULL;
3088 unsigned char buf[20];
3089 size_t readbytes, written;
3091 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3092 &serverssl, &sess, idx)))
3095 if (testtype == 1 || testtype == 2) {
3096 /* Force an HRR to occur */
3097 #if defined(OPENSSL_NO_EC)
3098 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3101 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3104 } else if (idx == 2) {
3106 * We force early_data rejection by ensuring the PSK identity is
3109 srvid = "Dummy Identity";
3112 * Deliberately corrupt the creation time. We take 20 seconds off the
3113 * time. It could be any value as long as it is not within tolerance.
3114 * This should mean the ticket is rejected.
3116 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3121 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3124 /* Write some early data */
3125 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3127 || !TEST_size_t_eq(written, strlen(MSG1)))
3130 /* Server should reject the early data */
3131 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3133 SSL_READ_EARLY_DATA_FINISH)
3134 || !TEST_size_t_eq(readbytes, 0)
3135 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3136 SSL_EARLY_DATA_REJECTED))
3146 * Finish off the handshake. We perform the same writes and reads as
3147 * further down but we expect them to fail due to the incomplete
3150 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3151 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3158 BIO *wbio = SSL_get_wbio(clientssl);
3159 /* A record that will appear as bad early_data */
3160 const unsigned char bad_early_data[] = {
3161 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3165 * We force the client to attempt a write. This will fail because
3166 * we're still in the handshake. It will cause the second
3167 * ClientHello to be sent.
3169 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3174 * Inject some early_data after the second ClientHello. This should
3175 * cause the server to fail
3177 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3178 sizeof(bad_early_data), &written)))
3185 * This client has sent more early_data than we are willing to skip
3186 * (case 3) or sent invalid early_data (case 2) so the connection should
3189 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3190 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3193 /* Connection has failed - nothing more to do */
3198 TEST_error("Invalid test type");
3203 * Should be able to send normal data despite rejection of early data. The
3204 * early_data should be skipped.
3206 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3207 || !TEST_size_t_eq(written, strlen(MSG2))
3208 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3209 SSL_EARLY_DATA_REJECTED)
3210 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3211 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3217 SSL_SESSION_free(clientpsk);
3218 SSL_SESSION_free(serverpsk);
3219 clientpsk = serverpsk = NULL;
3220 SSL_SESSION_free(sess);
3221 SSL_free(serverssl);
3222 SSL_free(clientssl);
3229 * Test that a server attempting to read early data can handle a connection
3230 * from a client where the early data is not acceptable.
3232 static int test_early_data_skip(int idx)
3234 return early_data_skip_helper(0, idx);
3238 * Test that a server attempting to read early data can handle a connection
3239 * from a client where an HRR occurs.
3241 static int test_early_data_skip_hrr(int idx)
3243 return early_data_skip_helper(1, idx);
3247 * Test that a server attempting to read early data can handle a connection
3248 * from a client where an HRR occurs and correctly fails if early_data is sent
3251 static int test_early_data_skip_hrr_fail(int idx)
3253 return early_data_skip_helper(2, idx);
3257 * Test that a server attempting to read early data will abort if it tries to
3258 * skip over too much.
3260 static int test_early_data_skip_abort(int idx)
3262 return early_data_skip_helper(3, idx);
3266 * Test that a server attempting to read early data can handle a connection
3267 * from a client that doesn't send any.
3269 static int test_early_data_not_sent(int idx)
3271 SSL_CTX *cctx = NULL, *sctx = NULL;
3272 SSL *clientssl = NULL, *serverssl = NULL;
3274 SSL_SESSION *sess = NULL;
3275 unsigned char buf[20];
3276 size_t readbytes, written;
3278 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3279 &serverssl, &sess, idx)))
3282 /* Write some data - should block due to handshake with server */
3283 SSL_set_connect_state(clientssl);
3284 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3287 /* Server should detect that early data has not been sent */
3288 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3290 SSL_READ_EARLY_DATA_FINISH)
3291 || !TEST_size_t_eq(readbytes, 0)
3292 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3293 SSL_EARLY_DATA_NOT_SENT)
3294 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3295 SSL_EARLY_DATA_NOT_SENT))
3298 /* Continue writing the message we started earlier */
3299 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3300 || !TEST_size_t_eq(written, strlen(MSG1))
3301 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3302 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3303 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3304 || !TEST_size_t_eq(written, strlen(MSG2)))
3307 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3308 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3314 SSL_SESSION_free(sess);
3315 SSL_SESSION_free(clientpsk);
3316 SSL_SESSION_free(serverpsk);
3317 clientpsk = serverpsk = NULL;
3318 SSL_free(serverssl);
3319 SSL_free(clientssl);
3325 static const char *servalpn;
3327 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3328 unsigned char *outlen, const unsigned char *in,
3329 unsigned int inlen, void *arg)
3331 unsigned int protlen = 0;
3332 const unsigned char *prot;
3334 for (prot = in; prot < in + inlen; prot += protlen) {
3336 if (in + inlen < prot + protlen)
3337 return SSL_TLSEXT_ERR_NOACK;
3339 if (protlen == strlen(servalpn)
3340 && memcmp(prot, servalpn, protlen) == 0) {
3343 return SSL_TLSEXT_ERR_OK;
3347 return SSL_TLSEXT_ERR_NOACK;
3350 /* Test that a PSK can be used to send early_data */
3351 static int test_early_data_psk(int idx)
3353 SSL_CTX *cctx = NULL, *sctx = NULL;
3354 SSL *clientssl = NULL, *serverssl = NULL;
3356 SSL_SESSION *sess = NULL;
3357 unsigned char alpnlist[] = {
3358 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3361 #define GOODALPNLEN 9
3362 #define BADALPNLEN 8
3363 #define GOODALPN (alpnlist)
3364 #define BADALPN (alpnlist + GOODALPNLEN)
3366 unsigned char buf[20];
3367 size_t readbytes, written;
3368 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3369 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3371 /* We always set this up with a final parameter of "2" for PSK */
3372 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3373 &serverssl, &sess, 2)))
3376 servalpn = "goodalpn";
3379 * Note: There is no test for inconsistent SNI with late client detection.
3380 * This is because servers do not acknowledge SNI even if they are using
3381 * it in a resumption handshake - so it is not actually possible for a
3382 * client to detect a problem.
3386 /* Set inconsistent SNI (early client detection) */
3387 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3388 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3389 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3394 /* Set inconsistent ALPN (early client detection) */
3395 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3396 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3397 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3399 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3406 * Set invalid protocol version. Technically this affects PSKs without
3407 * early_data too, but we test it here because it is similar to the
3408 * SNI/ALPN consistency tests.
3410 err = SSL_R_BAD_PSK;
3411 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3417 * Set inconsistent SNI (server side). In this case the connection
3418 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3419 * is associated with each handshake - not the session. Therefore it
3420 * should not matter that we used a different server name last time.
3422 SSL_SESSION_free(serverpsk);
3423 serverpsk = SSL_SESSION_dup(clientpsk);
3424 if (!TEST_ptr(serverpsk)
3425 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3429 /* Set consistent SNI */
3430 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3431 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3432 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3439 * Set inconsistent ALPN (server detected). In this case the connection
3440 * will succeed but reject early_data.
3442 servalpn = "badalpn";
3443 edstatus = SSL_EARLY_DATA_REJECTED;
3444 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3448 * Set consistent ALPN.
3449 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3450 * accepts a list of protos (each one length prefixed).
3451 * SSL_set1_alpn_selected accepts a single protocol (not length
3454 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3456 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3460 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3464 /* Set inconsistent ALPN (late client detection) */
3465 SSL_SESSION_free(serverpsk);
3466 serverpsk = SSL_SESSION_dup(clientpsk);
3467 if (!TEST_ptr(serverpsk)
3468 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3471 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3474 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3477 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3478 edstatus = SSL_EARLY_DATA_ACCEPTED;
3479 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3480 /* SSL_connect() call should fail */
3485 TEST_error("Bad test index");
3489 SSL_set_connect_state(clientssl);
3491 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3493 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3494 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3497 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3501 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3502 &readbytes), readearlyres)
3503 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3504 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3505 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3506 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3513 SSL_SESSION_free(sess);
3514 SSL_SESSION_free(clientpsk);
3515 SSL_SESSION_free(serverpsk);
3516 clientpsk = serverpsk = NULL;
3517 SSL_free(serverssl);
3518 SSL_free(clientssl);
3525 * Test that a server that doesn't try to read early data can handle a
3526 * client sending some.
3528 static int test_early_data_not_expected(int idx)
3530 SSL_CTX *cctx = NULL, *sctx = NULL;
3531 SSL *clientssl = NULL, *serverssl = NULL;
3533 SSL_SESSION *sess = NULL;
3534 unsigned char buf[20];
3535 size_t readbytes, written;
3537 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3538 &serverssl, &sess, idx)))
3541 /* Write some early data */
3542 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3547 * Server should skip over early data and then block waiting for client to
3548 * continue handshake
3550 if (!TEST_int_le(SSL_accept(serverssl), 0)
3551 || !TEST_int_gt(SSL_connect(clientssl), 0)
3552 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3553 SSL_EARLY_DATA_REJECTED)
3554 || !TEST_int_gt(SSL_accept(serverssl), 0)
3555 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3556 SSL_EARLY_DATA_REJECTED))
3559 /* Send some normal data from client to server */
3560 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3561 || !TEST_size_t_eq(written, strlen(MSG2)))
3564 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3565 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3571 SSL_SESSION_free(sess);
3572 SSL_SESSION_free(clientpsk);
3573 SSL_SESSION_free(serverpsk);
3574 clientpsk = serverpsk = NULL;
3575 SSL_free(serverssl);
3576 SSL_free(clientssl);
3583 # ifndef OPENSSL_NO_TLS1_2
3585 * Test that a server attempting to read early data can handle a connection
3586 * from a TLSv1.2 client.
3588 static int test_early_data_tls1_2(int idx)
3590 SSL_CTX *cctx = NULL, *sctx = NULL;
3591 SSL *clientssl = NULL, *serverssl = NULL;
3593 unsigned char buf[20];
3594 size_t readbytes, written;
3596 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3597 &serverssl, NULL, idx)))
3600 /* Write some data - should block due to handshake with server */
3601 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3602 SSL_set_connect_state(clientssl);
3603 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3607 * Server should do TLSv1.2 handshake. First it will block waiting for more
3608 * messages from client after ServerDone. Then SSL_read_early_data should
3609 * finish and detect that early data has not been sent
3611 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3613 SSL_READ_EARLY_DATA_ERROR))
3617 * Continue writing the message we started earlier. Will still block waiting
3618 * for the CCS/Finished from server
3620 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3621 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3623 SSL_READ_EARLY_DATA_FINISH)
3624 || !TEST_size_t_eq(readbytes, 0)
3625 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3626 SSL_EARLY_DATA_NOT_SENT))
3629 /* Continue writing the message we started earlier */
3630 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3631 || !TEST_size_t_eq(written, strlen(MSG1))
3632 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3633 SSL_EARLY_DATA_NOT_SENT)
3634 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3635 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3636 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3637 || !TEST_size_t_eq(written, strlen(MSG2))
3638 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3639 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3645 SSL_SESSION_free(clientpsk);
3646 SSL_SESSION_free(serverpsk);
3647 clientpsk = serverpsk = NULL;
3648 SSL_free(serverssl);
3649 SSL_free(clientssl);
3655 # endif /* OPENSSL_NO_TLS1_2 */
3658 * Test configuring the TLSv1.3 ciphersuites
3660 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3661 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3662 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3663 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3664 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3665 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3666 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3667 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3668 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3669 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3671 static int test_set_ciphersuite(int idx)
3673 SSL_CTX *cctx = NULL, *sctx = NULL;
3674 SSL *clientssl = NULL, *serverssl = NULL;
3677 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3679 &sctx, &cctx, cert, privkey))
3680 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3681 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3684 if (idx >=4 && idx <= 7) {
3685 /* SSL_CTX explicit cipher list */
3686 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3690 if (idx == 0 || idx == 4) {
3691 /* Default ciphersuite */
3692 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3693 "TLS_AES_128_GCM_SHA256")))
3695 } else if (idx == 1 || idx == 5) {
3696 /* Non default ciphersuite */
3697 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3698 "TLS_AES_128_CCM_SHA256")))
3702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3703 &clientssl, NULL, NULL)))
3706 if (idx == 8 || idx == 9) {
3707 /* SSL explicit cipher list */
3708 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3712 if (idx == 2 || idx == 6 || idx == 8) {
3713 /* Default ciphersuite */
3714 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3715 "TLS_AES_128_GCM_SHA256")))
3717 } else if (idx == 3 || idx == 7 || idx == 9) {
3718 /* Non default ciphersuite */
3719 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3720 "TLS_AES_128_CCM_SHA256")))
3724 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3730 SSL_free(serverssl);
3731 SSL_free(clientssl);
3738 static int test_ciphersuite_change(void)
3740 SSL_CTX *cctx = NULL, *sctx = NULL;
3741 SSL *clientssl = NULL, *serverssl = NULL;
3742 SSL_SESSION *clntsess = NULL;
3744 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3746 /* Create a session based on SHA-256 */
3747 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3749 &sctx, &cctx, cert, privkey))
3750 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3751 "TLS_AES_128_GCM_SHA256"))
3752 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3753 &clientssl, NULL, NULL))
3754 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3758 clntsess = SSL_get1_session(clientssl);
3759 /* Save for later */
3760 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3761 SSL_shutdown(clientssl);
3762 SSL_shutdown(serverssl);
3763 SSL_free(serverssl);
3764 SSL_free(clientssl);
3765 serverssl = clientssl = NULL;
3767 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3768 /* Check we can resume a session with a different SHA-256 ciphersuite */
3769 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3770 "TLS_CHACHA20_POLY1305_SHA256"))
3771 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3773 || !TEST_true(SSL_set_session(clientssl, clntsess))
3774 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3776 || !TEST_true(SSL_session_reused(clientssl)))
3779 SSL_SESSION_free(clntsess);
3780 clntsess = SSL_get1_session(clientssl);
3781 SSL_shutdown(clientssl);
3782 SSL_shutdown(serverssl);
3783 SSL_free(serverssl);
3784 SSL_free(clientssl);
3785 serverssl = clientssl = NULL;
3789 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3790 * succeeds but does not resume.
3792 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3793 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3795 || !TEST_true(SSL_set_session(clientssl, clntsess))
3796 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3798 || !TEST_false(SSL_session_reused(clientssl)))
3801 SSL_SESSION_free(clntsess);
3803 SSL_shutdown(clientssl);
3804 SSL_shutdown(serverssl);
3805 SSL_free(serverssl);
3806 SSL_free(clientssl);
3807 serverssl = clientssl = NULL;
3809 /* Create a session based on SHA384 */
3810 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3811 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3812 &clientssl, NULL, NULL))
3813 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3817 clntsess = SSL_get1_session(clientssl);
3818 SSL_shutdown(clientssl);
3819 SSL_shutdown(serverssl);
3820 SSL_free(serverssl);
3821 SSL_free(clientssl);
3822 serverssl = clientssl = NULL;
3824 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3825 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3826 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3827 "TLS_AES_256_GCM_SHA384"))
3828 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3830 || !TEST_true(SSL_set_session(clientssl, clntsess))
3832 * We use SSL_ERROR_WANT_READ below so that we can pause the
3833 * connection after the initial ClientHello has been sent to
3834 * enable us to make some session changes.
3836 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3837 SSL_ERROR_WANT_READ)))
3840 /* Trick the client into thinking this session is for a different digest */
3841 clntsess->cipher = aes_128_gcm_sha256;
3842 clntsess->cipher_id = clntsess->cipher->id;
3845 * Continue the previously started connection. Server has selected a SHA-384
3846 * ciphersuite, but client thinks the session is for SHA-256, so it should
3849 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3851 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3852 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3858 SSL_SESSION_free(clntsess);
3859 SSL_free(serverssl);
3860 SSL_free(clientssl);
3868 * Test TLSv1.3 Key exchange
3869 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3870 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3871 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3872 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3873 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3874 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3875 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3876 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3877 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3878 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3879 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3880 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3881 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3882 * Test 13 = Test all FFDHE with TLSv1.2 client and server
3884 static int test_key_exchange(int idx)
3886 SSL_CTX *sctx = NULL, *cctx = NULL;
3887 SSL *serverssl = NULL, *clientssl = NULL;
3889 # ifndef OPENSSL_NO_EC
3890 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3891 NID_secp521r1, NID_X25519, NID_X448};
3893 # ifndef OPENSSL_NO_DH
3894 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3895 NID_ffdhe6144, NID_ffdhe8192};
3898 int *kexch_groups = &kexch_alg;
3899 int kexch_groups_size = 1;
3900 int max_version = TLS1_3_VERSION;
3903 # ifndef OPENSSL_NO_EC
3904 # ifndef OPENSSL_NO_TLS1_2
3906 max_version = TLS1_2_VERSION;
3910 kexch_groups = ecdhe_kexch_groups;
3911 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3914 kexch_alg = NID_X9_62_prime256v1;
3917 kexch_alg = NID_secp384r1;
3920 kexch_alg = NID_secp521r1;
3923 kexch_alg = NID_X25519;
3926 kexch_alg = NID_X448;
3929 # ifndef OPENSSL_NO_DH
3930 # ifndef OPENSSL_NO_TLS1_2
3932 max_version = TLS1_2_VERSION;
3936 kexch_groups = ffdhe_kexch_groups;
3937 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3940 kexch_alg = NID_ffdhe2048;
3943 kexch_alg = NID_ffdhe3072;
3946 kexch_alg = NID_ffdhe4096;
3949 kexch_alg = NID_ffdhe6144;
3952 kexch_alg = NID_ffdhe8192;
3956 /* We're skipping this test */
3960 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3961 TLS1_VERSION, max_version,
3962 &sctx, &cctx, cert, privkey)))
3965 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3966 TLS1_3_RFC_AES_128_GCM_SHA256)))
3969 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3970 TLS1_3_RFC_AES_128_GCM_SHA256)))
3973 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3974 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3978 * Must include an EC ciphersuite so that we send supported groups in
3981 # ifndef OPENSSL_NO_TLS1_2
3982 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3983 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3984 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3988 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3992 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3993 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3996 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4000 * If Handshake succeeds the negotiated kexch alg should be the first one in
4001 * configured, except in the case of FFDHE groups (idx 13), which are
4002 * TLSv1.3 only so we expect no shared group to exist.
4004 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4005 idx == 13 ? 0 : kexch_groups[0]))
4007 if (max_version == TLS1_3_VERSION) {
4008 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4010 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4016 SSL_free(serverssl);
4017 SSL_free(clientssl);
4024 * Test TLSv1.3 Cipher Suite
4025 * Test 0 = Set TLS1.3 cipher on context
4026 * Test 1 = Set TLS1.3 cipher on SSL
4027 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4028 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4030 static int test_tls13_ciphersuite(int idx)
4032 SSL_CTX *sctx = NULL, *cctx = NULL;
4033 SSL *serverssl = NULL, *clientssl = NULL;
4034 static const char *t13_ciphers[] = {
4035 TLS1_3_RFC_AES_128_GCM_SHA256,
4036 TLS1_3_RFC_AES_256_GCM_SHA384,
4037 TLS1_3_RFC_AES_128_CCM_SHA256,
4038 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4039 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4040 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4042 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
4044 const char *t13_cipher = NULL;
4045 const char *t12_cipher = NULL;
4046 const char *negotiated_scipher;
4047 const char *negotiated_ccipher;
4063 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4067 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4071 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4072 # ifdef OPENSSL_NO_TLS1_2
4073 if (max_ver == TLS1_2_VERSION)
4076 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4077 t13_cipher = t13_ciphers[i];
4078 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4079 TLS_client_method(),
4080 TLS1_VERSION, max_ver,
4081 &sctx, &cctx, cert, privkey)))
4085 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4086 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4088 if (t12_cipher != NULL) {
4089 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4090 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4096 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4097 &clientssl, NULL, NULL)))
4101 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4102 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4104 if (t12_cipher != NULL) {
4105 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4106 || !TEST_true(SSL_set_cipher_list(clientssl,
4112 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4116 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4118 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4120 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4124 * TEST_strn_eq is used below because t13_cipher can contain
4125 * multiple ciphersuites
4127 if (max_ver == TLS1_3_VERSION
4128 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4129 strlen(negotiated_scipher)))
4132 # ifndef OPENSSL_NO_TLS1_2
4133 /* Below validation is not done when t12_cipher is NULL */
4134 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4135 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4139 SSL_free(serverssl);
4141 SSL_free(clientssl);
4152 SSL_free(serverssl);
4153 SSL_free(clientssl);
4161 * Test 0 = Test new style callbacks
4162 * Test 1 = Test both new and old style callbacks
4163 * Test 2 = Test old style callbacks
4164 * Test 3 = Test old style callbacks with no certificate
4166 static int test_tls13_psk(int idx)
4168 SSL_CTX *sctx = NULL, *cctx = NULL;
4169 SSL *serverssl = NULL, *clientssl = NULL;
4170 const SSL_CIPHER *cipher = NULL;
4171 const unsigned char key[] = {
4172 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4173 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4174 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4175 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4179 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4181 &sctx, &cctx, idx == 3 ? NULL : cert,
4182 idx == 3 ? NULL : privkey)))
4187 * We use a ciphersuite with SHA256 to ease testing old style PSK
4188 * callbacks which will always default to SHA256. This should not be
4189 * necessary if we have no cert/priv key. In that case the server should
4190 * prefer SHA256 automatically.
4192 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4193 "TLS_AES_128_GCM_SHA256")))
4198 * Test 0: New style callbacks only
4199 * Test 1: New and old style callbacks (only the new ones should be used)
4200 * Test 2: Old style callbacks only
4202 if (idx == 0 || idx == 1) {
4203 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4204 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4206 #ifndef OPENSSL_NO_PSK
4208 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4209 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4213 use_session_cb_cnt = 0;
4214 find_session_cb_cnt = 0;
4215 psk_client_cb_cnt = 0;
4216 psk_server_cb_cnt = 0;
4220 * Check we can create a connection if callback decides not to send a
4223 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4225 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4227 || !TEST_false(SSL_session_reused(clientssl))
4228 || !TEST_false(SSL_session_reused(serverssl)))
4231 if (idx == 0 || idx == 1) {
4232 if (!TEST_true(use_session_cb_cnt == 1)
4233 || !TEST_true(find_session_cb_cnt == 0)
4235 * If no old style callback then below should be 0
4238 || !TEST_true(psk_client_cb_cnt == idx)
4239 || !TEST_true(psk_server_cb_cnt == 0))
4242 if (!TEST_true(use_session_cb_cnt == 0)
4243 || !TEST_true(find_session_cb_cnt == 0)
4244 || !TEST_true(psk_client_cb_cnt == 1)
4245 || !TEST_true(psk_server_cb_cnt == 0))
4249 shutdown_ssl_connection(serverssl, clientssl);
4250 serverssl = clientssl = NULL;
4251 use_session_cb_cnt = psk_client_cb_cnt = 0;
4254 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4258 /* Create the PSK */
4259 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4260 clientpsk = SSL_SESSION_new();
4261 if (!TEST_ptr(clientpsk)
4262 || !TEST_ptr(cipher)
4263 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4265 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4266 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4268 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4270 serverpsk = clientpsk;
4272 /* Check we can create a connection and the PSK is used */
4273 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4274 || !TEST_true(SSL_session_reused(clientssl))
4275 || !TEST_true(SSL_session_reused(serverssl)))
4278 if (idx == 0 || idx == 1) {
4279 if (!TEST_true(use_session_cb_cnt == 1)
4280 || !TEST_true(find_session_cb_cnt == 1)
4281 || !TEST_true(psk_client_cb_cnt == 0)
4282 || !TEST_true(psk_server_cb_cnt == 0))
4285 if (!TEST_true(use_session_cb_cnt == 0)
4286 || !TEST_true(find_session_cb_cnt == 0)
4287 || !TEST_true(psk_client_cb_cnt == 1)
4288 || !TEST_true(psk_server_cb_cnt == 1))
4292 shutdown_ssl_connection(serverssl, clientssl);
4293 serverssl = clientssl = NULL;
4294 use_session_cb_cnt = find_session_cb_cnt = 0;
4295 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4297 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4302 #if defined(OPENSSL_NO_EC)
4303 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4306 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4311 * Check we can create a connection, the PSK is used and the callbacks are
4314 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4315 || !TEST_true(SSL_session_reused(clientssl))
4316 || !TEST_true(SSL_session_reused(serverssl)))
4319 if (idx == 0 || idx == 1) {
4320 if (!TEST_true(use_session_cb_cnt == 2)
4321 || !TEST_true(find_session_cb_cnt == 2)
4322 || !TEST_true(psk_client_cb_cnt == 0)
4323 || !TEST_true(psk_server_cb_cnt == 0))
4326 if (!TEST_true(use_session_cb_cnt == 0)
4327 || !TEST_true(find_session_cb_cnt == 0)
4328 || !TEST_true(psk_client_cb_cnt == 2)
4329 || !TEST_true(psk_server_cb_cnt == 2))
4333 shutdown_ssl_connection(serverssl, clientssl);
4334 serverssl = clientssl = NULL;
4335 use_session_cb_cnt = find_session_cb_cnt = 0;
4336 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4340 * Check that if the server rejects the PSK we can still connect, but with
4343 srvid = "Dummy Identity";
4344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4346 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4348 || !TEST_false(SSL_session_reused(clientssl))
4349 || !TEST_false(SSL_session_reused(serverssl)))
4352 if (idx == 0 || idx == 1) {
4353 if (!TEST_true(use_session_cb_cnt == 1)
4354 || !TEST_true(find_session_cb_cnt == 1)
4355 || !TEST_true(psk_client_cb_cnt == 0)
4357 * If no old style callback then below should be 0
4360 || !TEST_true(psk_server_cb_cnt == idx))
4363 if (!TEST_true(use_session_cb_cnt == 0)
4364 || !TEST_true(find_session_cb_cnt == 0)
4365 || !TEST_true(psk_client_cb_cnt == 1)
4366 || !TEST_true(psk_server_cb_cnt == 1))
4370 shutdown_ssl_connection(serverssl, clientssl);
4371 serverssl = clientssl = NULL;
4376 SSL_SESSION_free(clientpsk);
4377 SSL_SESSION_free(serverpsk);
4378 clientpsk = serverpsk = NULL;
4379 SSL_free(serverssl);
4380 SSL_free(clientssl);
4386 static unsigned char cookie_magic_value[] = "cookie magic";
4388 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4389 unsigned int *cookie_len)
4392 * Not suitable as a real cookie generation function but good enough for
4395 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4396 *cookie_len = sizeof(cookie_magic_value) - 1;
4401 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4402 unsigned int cookie_len)
4404 if (cookie_len == sizeof(cookie_magic_value) - 1
4405 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4411 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4415 int res = generate_cookie_callback(ssl, cookie, &temp);
4420 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4423 return verify_cookie_callback(ssl, cookie, cookie_len);
4426 static int test_stateless(void)
4428 SSL_CTX *sctx = NULL, *cctx = NULL;
4429 SSL *serverssl = NULL, *clientssl = NULL;
4432 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4434 &sctx, &cctx, cert, privkey)))
4437 /* The arrival of CCS messages can confuse the test */
4438 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4440 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4442 /* Send the first ClientHello */
4443 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4444 SSL_ERROR_WANT_READ))
4446 * This should fail with a -1 return because we have no callbacks
4449 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4452 /* Fatal error so abandon the connection from this client */
4453 SSL_free(clientssl);
4456 /* Set up the cookie generation and verification callbacks */
4457 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4458 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4461 * Create a new connection from the client (we can reuse the server SSL
4464 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4466 /* Send the first ClientHello */
4467 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4468 SSL_ERROR_WANT_READ))
4469 /* This should fail because there is no cookie */
4470 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4473 /* Abandon the connection from this client */
4474 SSL_free(clientssl);
4478 * Now create a connection from a new client but with the same server SSL
4481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4483 /* Send the first ClientHello */
4484 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4485 SSL_ERROR_WANT_READ))
4486 /* This should fail because there is no cookie */
4487 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4488 /* Send the second ClientHello */
4489 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4490 SSL_ERROR_WANT_READ))
4491 /* This should succeed because a cookie is now present */
4492 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4493 /* Complete the connection */
4494 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4498 shutdown_ssl_connection(serverssl, clientssl);
4499 serverssl = clientssl = NULL;
4503 SSL_free(serverssl);
4504 SSL_free(clientssl);
4510 #endif /* OPENSSL_NO_TLS1_3 */
4512 static int clntaddoldcb = 0;
4513 static int clntparseoldcb = 0;
4514 static int srvaddoldcb = 0;
4515 static int srvparseoldcb = 0;
4516 static int clntaddnewcb = 0;
4517 static int clntparsenewcb = 0;
4518 static int srvaddnewcb = 0;
4519 static int srvparsenewcb = 0;
4520 static int snicb = 0;
4522 #define TEST_EXT_TYPE1 0xff00
4524 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4525 size_t *outlen, int *al, void *add_arg)
4527 int *server = (int *)add_arg;
4528 unsigned char *data;
4530 if (SSL_is_server(s))
4535 if (*server != SSL_is_server(s)
4536 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4541 *outlen = sizeof(char);
4545 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4548 OPENSSL_free((unsigned char *)out);
4551 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4552 size_t inlen, int *al, void *parse_arg)
4554 int *server = (int *)parse_arg;
4556 if (SSL_is_server(s))
4561 if (*server != SSL_is_server(s)
4562 || inlen != sizeof(char)
4569 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4570 const unsigned char **out, size_t *outlen, X509 *x,
4571 size_t chainidx, int *al, void *add_arg)
4573 int *server = (int *)add_arg;
4574 unsigned char *data;
4576 if (SSL_is_server(s))
4581 if (*server != SSL_is_server(s)
4582 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4587 *outlen = sizeof(*data);
4591 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4592 const unsigned char *out, void *add_arg)
4594 OPENSSL_free((unsigned char *)out);
4597 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4598 const unsigned char *in, size_t inlen, X509 *x,
4599 size_t chainidx, int *al, void *parse_arg)
4601 int *server = (int *)parse_arg;
4603 if (SSL_is_server(s))
4608 if (*server != SSL_is_server(s)
4609 || inlen != sizeof(char) || *in != 1)
4615 static int sni_cb(SSL *s, int *al, void *arg)
4617 SSL_CTX *ctx = (SSL_CTX *)arg;
4619 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4620 *al = SSL_AD_INTERNAL_ERROR;
4621 return SSL_TLSEXT_ERR_ALERT_FATAL;
4624 return SSL_TLSEXT_ERR_OK;
4628 * Custom call back tests.
4629 * Test 0: Old style callbacks in TLSv1.2
4630 * Test 1: New style callbacks in TLSv1.2
4631 * Test 2: New style callbacks in TLSv1.2 with SNI
4632 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4633 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4635 static int test_custom_exts(int tst)
4637 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4638 SSL *clientssl = NULL, *serverssl = NULL;
4640 static int server = 1;
4641 static int client = 0;
4642 SSL_SESSION *sess = NULL;
4643 unsigned int context;
4645 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4646 /* Skip tests for TLSv1.2 and below in this case */
4651 /* Reset callback counters */
4652 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4653 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4656 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4658 &sctx, &cctx, cert, privkey)))
4662 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4664 &sctx2, NULL, cert, privkey)))
4669 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4670 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4672 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4676 context = SSL_EXT_CLIENT_HELLO
4677 | SSL_EXT_TLS1_2_SERVER_HELLO
4678 | SSL_EXT_TLS1_3_SERVER_HELLO
4679 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4680 | SSL_EXT_TLS1_3_CERTIFICATE
4681 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4683 context = SSL_EXT_CLIENT_HELLO
4684 | SSL_EXT_TLS1_2_SERVER_HELLO
4685 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4688 /* Create a client side custom extension */
4690 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4691 old_add_cb, old_free_cb,
4692 &client, old_parse_cb,
4696 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4697 new_add_cb, new_free_cb,
4698 &client, new_parse_cb, &client)))
4702 /* Should not be able to add duplicates */
4703 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4704 old_add_cb, old_free_cb,
4705 &client, old_parse_cb,
4707 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4708 context, new_add_cb,
4709 new_free_cb, &client,
4710 new_parse_cb, &client)))
4713 /* Create a server side custom extension */
4715 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4716 old_add_cb, old_free_cb,
4717 &server, old_parse_cb,
4721 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4722 new_add_cb, new_free_cb,
4723 &server, new_parse_cb, &server)))
4726 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4727 context, new_add_cb,
4728 new_free_cb, &server,
4729 new_parse_cb, &server)))
4733 /* Should not be able to add duplicates */
4734 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4735 old_add_cb, old_free_cb,
4736 &server, old_parse_cb,
4738 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4739 context, new_add_cb,
4740 new_free_cb, &server,
4741 new_parse_cb, &server)))
4746 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4747 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4751 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4752 &clientssl, NULL, NULL))
4753 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4758 if (clntaddoldcb != 1
4759 || clntparseoldcb != 1
4761 || srvparseoldcb != 1)
4763 } else if (tst == 1 || tst == 2 || tst == 3) {
4764 if (clntaddnewcb != 1
4765 || clntparsenewcb != 1
4767 || srvparsenewcb != 1
4768 || (tst != 2 && snicb != 0)
4769 || (tst == 2 && snicb != 1))
4772 /* In this case there 2 NewSessionTicket messages created */
4773 if (clntaddnewcb != 1
4774 || clntparsenewcb != 5
4776 || srvparsenewcb != 1)
4780 sess = SSL_get1_session(clientssl);
4781 SSL_shutdown(clientssl);
4782 SSL_shutdown(serverssl);
4783 SSL_free(serverssl);
4784 SSL_free(clientssl);
4785 serverssl = clientssl = NULL;
4788 /* We don't bother with the resumption aspects for this test */
4793 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4795 || !TEST_true(SSL_set_session(clientssl, sess))
4796 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4801 * For a resumed session we expect to add the ClientHello extension. For the
4802 * old style callbacks we ignore it on the server side because they set
4803 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4807 if (clntaddoldcb != 2
4808 || clntparseoldcb != 1
4810 || srvparseoldcb != 1)
4812 } else if (tst == 1 || tst == 2 || tst == 3) {
4813 if (clntaddnewcb != 2
4814 || clntparsenewcb != 2
4816 || srvparsenewcb != 2)
4820 * No Certificate message extensions in the resumption handshake,
4821 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4823 if (clntaddnewcb != 2
4824 || clntparsenewcb != 8
4826 || srvparsenewcb != 2)
4833 SSL_SESSION_free(sess);
4834 SSL_free(serverssl);
4835 SSL_free(clientssl);
4836 SSL_CTX_free(sctx2);
4843 * Test loading of serverinfo data in various formats. test_sslmessages actually
4844 * tests to make sure the extensions appear in the handshake
4846 static int test_serverinfo(int tst)
4848 unsigned int version;
4849 unsigned char *sibuf;
4851 int ret, expected, testresult = 0;
4854 ctx = SSL_CTX_new(TLS_method());
4858 if ((tst & 0x01) == 0x01)
4859 version = SSL_SERVERINFOV2;
4861 version = SSL_SERVERINFOV1;
4863 if ((tst & 0x02) == 0x02) {
4864 sibuf = serverinfov2;
4865 sibuflen = sizeof(serverinfov2);
4866 expected = (version == SSL_SERVERINFOV2);
4868 sibuf = serverinfov1;
4869 sibuflen = sizeof(serverinfov1);
4870 expected = (version == SSL_SERVERINFOV1);
4873 if ((tst & 0x04) == 0x04) {
4874 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4876 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4879 * The version variable is irrelevant in this case - it's what is in the
4880 * buffer that matters
4882 if ((tst & 0x02) == 0x02)
4888 if (!TEST_true(ret == expected))
4900 * Test that SSL_export_keying_material() produces expected results. There are
4901 * no test vectors so all we do is test that both sides of the communication
4902 * produce the same results for different protocol versions.
4904 #define SMALL_LABEL_LEN 10
4905 #define LONG_LABEL_LEN 249
4906 static int test_export_key_mat(int tst)
4909 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4910 SSL *clientssl = NULL, *serverssl = NULL;
4911 const char label[LONG_LABEL_LEN + 1] = "test label";
4912 const unsigned char context[] = "context";
4913 const unsigned char *emptycontext = NULL;
4914 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4915 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4917 const int protocols[] = {
4926 #ifdef OPENSSL_NO_TLS1
4930 #ifdef OPENSSL_NO_TLS1_1
4934 #ifdef OPENSSL_NO_TLS1_2
4938 #ifdef OPENSSL_NO_TLS1_3
4942 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4944 &sctx, &cctx, cert, privkey)))
4947 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4948 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4949 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4951 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4953 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4959 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4962 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4963 sizeof(ckeymat1), label,
4964 LONG_LABEL_LEN + 1, context,
4965 sizeof(context) - 1, 1), 0))
4970 } else if (tst == 4) {
4971 labellen = LONG_LABEL_LEN;
4973 labellen = SMALL_LABEL_LEN;
4976 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4977 sizeof(ckeymat1), label,
4979 sizeof(context) - 1, 1), 1)
4980 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4981 sizeof(ckeymat2), label,
4985 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4986 sizeof(ckeymat3), label,
4989 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4990 sizeof(skeymat1), label,
4993 sizeof(context) -1, 1),
4995 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4996 sizeof(skeymat2), label,
5000 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5001 sizeof(skeymat3), label,
5005 * Check that both sides created the same key material with the
5008 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5011 * Check that both sides created the same key material with an
5014 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5017 * Check that both sides created the same key material without a
5020 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5022 /* Different contexts should produce different results */
5023 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5028 * Check that an empty context and no context produce different results in
5029 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5031 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5033 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5040 SSL_free(serverssl);
5041 SSL_free(clientssl);
5042 SSL_CTX_free(sctx2);
5049 #ifndef OPENSSL_NO_TLS1_3
5051 * Test that SSL_export_keying_material_early() produces expected
5052 * results. There are no test vectors so all we do is test that both
5053 * sides of the communication produce the same results for different
5054 * protocol versions.
5056 static int test_export_key_mat_early(int idx)
5058 static const char label[] = "test label";
5059 static const unsigned char context[] = "context";
5061 SSL_CTX *cctx = NULL, *sctx = NULL;
5062 SSL *clientssl = NULL, *serverssl = NULL;
5063 SSL_SESSION *sess = NULL;
5064 const unsigned char *emptycontext = NULL;
5065 unsigned char ckeymat1[80], ckeymat2[80];
5066 unsigned char skeymat1[80], skeymat2[80];
5067 unsigned char buf[1];
5068 size_t readbytes, written;
5070 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5074 /* Here writing 0 length early data is enough. */
5075 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5076 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5078 SSL_READ_EARLY_DATA_ERROR)
5079 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5080 SSL_EARLY_DATA_ACCEPTED))
5083 if (!TEST_int_eq(SSL_export_keying_material_early(
5084 clientssl, ckeymat1, sizeof(ckeymat1), label,
5085 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5086 || !TEST_int_eq(SSL_export_keying_material_early(
5087 clientssl, ckeymat2, sizeof(ckeymat2), label,
5088 sizeof(label) - 1, emptycontext, 0), 1)
5089 || !TEST_int_eq(SSL_export_keying_material_early(
5090 serverssl, skeymat1, sizeof(skeymat1), label,
5091 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5092 || !TEST_int_eq(SSL_export_keying_material_early(
5093 serverssl, skeymat2, sizeof(skeymat2), label,
5094 sizeof(label) - 1, emptycontext, 0), 1)
5096 * Check that both sides created the same key material with the
5099 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5102 * Check that both sides created the same key material with an
5105 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5107 /* Different contexts should produce different results */
5108 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5115 SSL_SESSION_free(sess);
5116 SSL_SESSION_free(clientpsk);
5117 SSL_SESSION_free(serverpsk);
5118 clientpsk = serverpsk = NULL;
5119 SSL_free(serverssl);
5120 SSL_free(clientssl);
5127 #define NUM_KEY_UPDATE_MESSAGES 40
5131 static int test_key_update(void)
5133 SSL_CTX *cctx = NULL, *sctx = NULL;
5134 SSL *clientssl = NULL, *serverssl = NULL;
5135 int testresult = 0, i, j;
5137 static char *mess = "A test message";
5139 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5140 TLS_client_method(),
5143 &sctx, &cctx, cert, privkey))
5144 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5146 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5150 for (j = 0; j < 2; j++) {
5151 /* Send lots of KeyUpdate messages */
5152 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5153 if (!TEST_true(SSL_key_update(clientssl,
5155 ? SSL_KEY_UPDATE_NOT_REQUESTED
5156 : SSL_KEY_UPDATE_REQUESTED))
5157 || !TEST_true(SSL_do_handshake(clientssl)))
5161 /* Check that sending and receiving app data is ok */
5162 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5163 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5167 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5168 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5176 SSL_free(serverssl);
5177 SSL_free(clientssl);
5185 * Test we can handle a KeyUpdate (update requested) message while write data
5187 * Test 0: Client sends KeyUpdate while Server is writing
5188 * Test 1: Server sends KeyUpdate while Client is writing
5190 static int test_key_update_in_write(int tst)
5192 SSL_CTX *cctx = NULL, *sctx = NULL;
5193 SSL *clientssl = NULL, *serverssl = NULL;
5196 static char *mess = "A test message";
5197 BIO *bretry = BIO_new(bio_s_always_retry());
5199 SSL *peerupdate = NULL, *peerwrite = NULL;
5201 if (!TEST_ptr(bretry)
5202 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5203 TLS_client_method(),
5206 &sctx, &cctx, cert, privkey))
5207 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5209 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5213 peerupdate = tst == 0 ? clientssl : serverssl;
5214 peerwrite = tst == 0 ? serverssl : clientssl;
5216 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5217 || !TEST_true(SSL_do_handshake(peerupdate)))
5220 /* Swap the writing endpoint's write BIO to force a retry */
5221 tmp = SSL_get_wbio(peerwrite);
5222 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5226 SSL_set0_wbio(peerwrite, bretry);
5229 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5230 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5231 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5234 /* Reinstate the original writing endpoint's write BIO */
5235 SSL_set0_wbio(peerwrite, tmp);
5238 /* Now read some data - we will read the key update */
5239 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5240 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5244 * Complete the write we started previously and read it from the other
5247 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5248 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5251 /* Write more data to ensure we send the KeyUpdate message back */
5252 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5253 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5259 SSL_free(serverssl);
5260 SSL_free(clientssl);
5268 #endif /* OPENSSL_NO_TLS1_3 */
5270 static int test_ssl_clear(int idx)
5272 SSL_CTX *cctx = NULL, *sctx = NULL;
5273 SSL *clientssl = NULL, *serverssl = NULL;
5276 #ifdef OPENSSL_NO_TLS1_2
5281 /* Create an initial connection */
5282 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5284 &sctx, &cctx, cert, privkey))
5286 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5288 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5289 &clientssl, NULL, NULL))
5290 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5294 SSL_shutdown(clientssl);
5295 SSL_shutdown(serverssl);
5296 SSL_free(serverssl);
5299 /* Clear clientssl - we're going to reuse the object */
5300 if (!TEST_true(SSL_clear(clientssl)))
5303 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5305 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5307 || !TEST_true(SSL_session_reused(clientssl)))
5310 SSL_shutdown(clientssl);
5311 SSL_shutdown(serverssl);
5316 SSL_free(serverssl);
5317 SSL_free(clientssl);
5324 /* Parse CH and retrieve any MFL extension value if present */
5325 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5328 unsigned char *data;
5329 PACKET pkt, pkt2, pkt3;
5330 unsigned int MFL_code = 0, type = 0;
5332 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5335 memset(&pkt, 0, sizeof(pkt));
5336 memset(&pkt2, 0, sizeof(pkt2));
5337 memset(&pkt3, 0, sizeof(pkt3));
5339 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5340 /* Skip the record header */
5341 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5342 /* Skip the handshake message header */
5343 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5344 /* Skip client version and random */
5345 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5346 + SSL3_RANDOM_SIZE))
5347 /* Skip session id */
5348 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5350 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5351 /* Skip compression */
5352 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5353 /* Extensions len */
5354 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5357 /* Loop through all extensions */
5358 while (PACKET_remaining(&pkt2)) {
5359 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5360 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5363 if (type == TLSEXT_TYPE_max_fragment_length) {
5364 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5365 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5368 *mfl_codemfl_code = MFL_code;
5377 /* Maximum-Fragment-Length TLS extension mode to test */
5378 static const unsigned char max_fragment_len_test[] = {
5379 TLSEXT_max_fragment_length_512,
5380 TLSEXT_max_fragment_length_1024,
5381 TLSEXT_max_fragment_length_2048,
5382 TLSEXT_max_fragment_length_4096
5385 static int test_max_fragment_len_ext(int idx_tst)
5389 int testresult = 0, MFL_mode = 0;
5392 ctx = SSL_CTX_new(TLS_method());
5396 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5397 ctx, max_fragment_len_test[idx_tst])))
5404 rbio = BIO_new(BIO_s_mem());
5405 wbio = BIO_new(BIO_s_mem());
5406 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5412 SSL_set_bio(con, rbio, wbio);
5413 SSL_set_connect_state(con);
5415 if (!TEST_int_le(SSL_connect(con), 0)) {
5416 /* This shouldn't succeed because we don't have a server! */
5420 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5421 /* no MFL in client hello */
5423 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5435 #ifndef OPENSSL_NO_TLS1_3
5436 static int test_pha_key_update(void)
5438 SSL_CTX *cctx = NULL, *sctx = NULL;
5439 SSL *clientssl = NULL, *serverssl = NULL;
5442 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5444 &sctx, &cctx, cert, privkey)))
5447 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5448 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5449 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5450 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5453 SSL_CTX_set_post_handshake_auth(cctx, 1);
5455 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5459 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5463 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5464 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5467 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5470 /* Start handshake on the server */
5471 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5474 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5475 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5479 SSL_shutdown(clientssl);
5480 SSL_shutdown(serverssl);
5485 SSL_free(serverssl);
5486 SSL_free(clientssl);
5493 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5495 static SRP_VBASE *vbase = NULL;
5497 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5499 int ret = SSL3_AL_FATAL;
5501 SRP_user_pwd *user = NULL;
5503 username = SSL_get_srp_username(s);
5504 if (username == NULL) {
5505 *ad = SSL_AD_INTERNAL_ERROR;
5509 user = SRP_VBASE_get1_by_user(vbase, username);
5511 *ad = SSL_AD_INTERNAL_ERROR;
5515 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5517 *ad = SSL_AD_INTERNAL_ERROR;
5524 SRP_user_pwd_free(user);
5528 static int create_new_vfile(char *userid, char *password, const char *filename)
5531 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5534 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5537 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5540 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5541 &row[DB_srpverifier], NULL, NULL);
5542 if (!TEST_ptr(gNid))
5546 * The only way to create an empty TXT_DB is to provide a BIO with no data
5549 db = TXT_DB_read(dummy, DB_NUMBER);
5553 out = BIO_new_file(filename, "w");
5557 row[DB_srpid] = OPENSSL_strdup(userid);
5558 row[DB_srptype] = OPENSSL_strdup("V");
5559 row[DB_srpgN] = OPENSSL_strdup(gNid);
5561 if (!TEST_ptr(row[DB_srpid])
5562 || !TEST_ptr(row[DB_srptype])
5563 || !TEST_ptr(row[DB_srpgN])
5564 || !TEST_true(TXT_DB_insert(db, row)))
5569 if (!TXT_DB_write(out, db))
5575 for (i = 0; i < DB_NUMBER; i++)
5576 OPENSSL_free(row[i]);
5586 static int create_new_vbase(char *userid, char *password)
5588 BIGNUM *verifier = NULL, *salt = NULL;
5589 const SRP_gN *lgN = NULL;
5590 SRP_user_pwd *user_pwd = NULL;
5593 lgN = SRP_get_default_gN(NULL);
5597 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5601 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5602 if (!TEST_ptr(user_pwd))
5605 user_pwd->N = lgN->N;
5606 user_pwd->g = lgN->g;
5607 user_pwd->id = OPENSSL_strdup(userid);
5608 if (!TEST_ptr(user_pwd->id))
5611 user_pwd->v = verifier;
5613 verifier = salt = NULL;
5615 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5621 SRP_user_pwd_free(user_pwd);
5631 * Test 0: Simple successful SRP connection, new vbase
5632 * Test 1: Connection failure due to bad password, new vbase
5633 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5634 * Test 3: Connection failure due to bad password, vbase loaded from existing
5636 * Test 4: Simple successful SRP connection, vbase loaded from new file
5637 * Test 5: Connection failure due to bad password, vbase loaded from new file
5639 static int test_srp(int tst)
5641 char *userid = "test", *password = "password", *tstsrpfile;
5642 SSL_CTX *cctx = NULL, *sctx = NULL;
5643 SSL *clientssl = NULL, *serverssl = NULL;
5644 int ret, testresult = 0;
5646 vbase = SRP_VBASE_new(NULL);
5647 if (!TEST_ptr(vbase))
5650 if (tst == 0 || tst == 1) {
5651 if (!TEST_true(create_new_vbase(userid, password)))
5654 if (tst == 4 || tst == 5) {
5655 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5657 tstsrpfile = tmpfilename;
5659 tstsrpfile = srpvfile;
5661 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5665 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5667 &sctx, &cctx, cert, privkey)))
5670 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5671 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5672 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5673 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5674 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5678 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5681 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5689 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5691 if (!TEST_true(tst % 2 == 0))
5694 if (!TEST_true(tst % 2 == 1))
5701 SRP_VBASE_free(vbase);
5703 SSL_free(serverssl);
5704 SSL_free(clientssl);
5712 static int info_cb_failed = 0;
5713 static int info_cb_offset = 0;
5714 static int info_cb_this_state = -1;
5716 static struct info_cb_states_st {
5718 const char *statestr;
5719 } info_cb_states[][60] = {
5721 /* TLSv1.2 server followed by resumption */
5722 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5723 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5724 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5725 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5726 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5727 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5728 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5729 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5730 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5731 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5732 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5733 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5734 {SSL_CB_EXIT, NULL}, {0, NULL},
5736 /* TLSv1.2 client followed by resumption */
5737 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5738 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5739 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5740 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5741 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5742 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5743 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5744 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5745 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5746 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5747 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5748 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5750 /* TLSv1.3 server followed by resumption */
5751 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5752 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5753 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5754 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5755 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5756 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5757 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5758 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5759 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5760 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5761 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5762 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5763 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5765 /* TLSv1.3 client followed by resumption */
5766 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5767 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5768 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5769 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5770 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5771 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5772 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5773 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5774 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5775 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5776 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5777 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5778 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5779 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5780 {SSL_CB_EXIT, NULL}, {0, NULL},
5782 /* TLSv1.3 server, early_data */
5783 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5784 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5785 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5786 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5787 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5788 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5789 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5790 {SSL_CB_EXIT, NULL}, {0, NULL},
5792 /* TLSv1.3 client, early_data */
5793 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5794 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5795 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5796 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5797 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5798 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5799 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5800 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5801 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5807 static void sslapi_info_callback(const SSL *s, int where, int ret)
5809 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5811 /* We do not ever expect a connection to fail in this test */
5812 if (!TEST_false(ret == 0)) {
5818 * Do some sanity checks. We never expect these things to happen in this
5821 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5822 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5823 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5828 /* Now check we're in the right state */
5829 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5833 if ((where & SSL_CB_LOOP) != 0
5834 && !TEST_int_eq(strcmp(SSL_state_string(s),
5835 state[info_cb_this_state].statestr), 0)) {
5841 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5843 if ((where & SSL_CB_HANDSHAKE_DONE)
5844 && SSL_in_init((SSL *)s) != 0) {
5851 * Test the info callback gets called when we expect it to.
5853 * Test 0: TLSv1.2, server
5854 * Test 1: TLSv1.2, client
5855 * Test 2: TLSv1.3, server
5856 * Test 3: TLSv1.3, client
5857 * Test 4: TLSv1.3, server, early_data
5858 * Test 5: TLSv1.3, client, early_data
5860 static int test_info_callback(int tst)
5862 SSL_CTX *cctx = NULL, *sctx = NULL;
5863 SSL *clientssl = NULL, *serverssl = NULL;
5864 SSL_SESSION *clntsess = NULL;
5869 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5870 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5871 || !defined(OPENSSL_NO_DH))
5872 tlsvers = TLS1_2_VERSION;
5877 #ifndef OPENSSL_NO_TLS1_3
5878 tlsvers = TLS1_3_VERSION;
5886 info_cb_this_state = -1;
5887 info_cb_offset = tst;
5889 #ifndef OPENSSL_NO_TLS1_3
5891 SSL_SESSION *sess = NULL;
5892 size_t written, readbytes;
5893 unsigned char buf[80];
5895 /* early_data tests */
5896 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5897 &serverssl, &sess, 0)))
5900 /* We don't actually need this reference */
5901 SSL_SESSION_free(sess);
5903 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5904 sslapi_info_callback);
5906 /* Write and read some early data and then complete the connection */
5907 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5909 || !TEST_size_t_eq(written, strlen(MSG1))
5910 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5911 sizeof(buf), &readbytes),
5912 SSL_READ_EARLY_DATA_SUCCESS)
5913 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5914 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5915 SSL_EARLY_DATA_ACCEPTED)
5916 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5918 || !TEST_false(info_cb_failed))
5926 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5927 TLS_client_method(),
5928 tlsvers, tlsvers, &sctx, &cctx, cert,
5933 * For even numbered tests we check the server callbacks. For odd numbers we
5936 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5937 sslapi_info_callback);
5939 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5940 &clientssl, NULL, NULL))
5941 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5943 || !TEST_false(info_cb_failed))
5948 clntsess = SSL_get1_session(clientssl);
5949 SSL_shutdown(clientssl);
5950 SSL_shutdown(serverssl);
5951 SSL_free(serverssl);
5952 SSL_free(clientssl);
5953 serverssl = clientssl = NULL;
5955 /* Now do a resumption */
5956 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5958 || !TEST_true(SSL_set_session(clientssl, clntsess))
5959 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5961 || !TEST_true(SSL_session_reused(clientssl))
5962 || !TEST_false(info_cb_failed))
5968 SSL_free(serverssl);
5969 SSL_free(clientssl);
5970 SSL_SESSION_free(clntsess);
5976 static int test_ssl_pending(int tst)
5978 SSL_CTX *cctx = NULL, *sctx = NULL;
5979 SSL *clientssl = NULL, *serverssl = NULL;
5981 char msg[] = "A test message";
5983 size_t written, readbytes;
5986 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5987 TLS_client_method(),
5989 &sctx, &cctx, cert, privkey)))
5992 #ifndef OPENSSL_NO_DTLS
5993 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5994 DTLS_client_method(),
5996 &sctx, &cctx, cert, privkey)))
6003 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6005 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6009 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6010 || !TEST_false(SSL_has_pending(clientssl))
6011 || !TEST_int_eq(SSL_pending(serverssl), 0)
6012 || !TEST_false(SSL_has_pending(serverssl))
6013 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6014 || !TEST_size_t_eq(written, sizeof(msg))
6015 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6016 || !TEST_size_t_eq(readbytes, sizeof(buf))
6017 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6018 || !TEST_true(SSL_has_pending(clientssl)))
6024 SSL_free(serverssl);
6025 SSL_free(clientssl);
6033 unsigned int maxprot;
6034 const char *clntciphers;
6035 const char *clnttls13ciphers;
6036 const char *srvrciphers;
6037 const char *srvrtls13ciphers;
6039 } shared_ciphers_data[] = {
6041 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6042 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6044 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6047 "AES128-SHA:AES256-SHA",
6049 "AES256-SHA:DHE-RSA-AES128-SHA",
6055 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6057 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6059 "AES128-SHA:AES256-SHA"
6063 "AES128-SHA:AES256-SHA",
6065 "AES128-SHA:DHE-RSA-AES128-SHA",
6071 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6074 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6075 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6078 "AES128-SHA:AES256-SHA",
6080 "AES256-SHA:AES128-SHA256",
6082 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6083 "TLS_AES_128_GCM_SHA256:AES256-SHA"
6086 #ifndef OPENSSL_NO_TLS1_3
6090 "TLS_AES_256_GCM_SHA384",
6092 "TLS_AES_256_GCM_SHA384",
6093 "TLS_AES_256_GCM_SHA384"
6098 static int test_ssl_get_shared_ciphers(int tst)
6100 SSL_CTX *cctx = NULL, *sctx = NULL;
6101 SSL *clientssl = NULL, *serverssl = NULL;
6105 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6106 TLS_client_method(),
6108 shared_ciphers_data[tst].maxprot,
6109 &sctx, &cctx, cert, privkey)))
6112 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6113 shared_ciphers_data[tst].clntciphers))
6114 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6115 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6116 shared_ciphers_data[tst].clnttls13ciphers)))
6117 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6118 shared_ciphers_data[tst].srvrciphers))
6119 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6120 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6121 shared_ciphers_data[tst].srvrtls13ciphers))))
6125 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6127 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6131 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6132 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6133 TEST_info("Shared ciphers are: %s\n", buf);
6140 SSL_free(serverssl);
6141 SSL_free(clientssl);
6148 static const char *appdata = "Hello World";
6149 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6150 static int tick_key_renew = 0;
6151 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6153 static int gen_tick_cb(SSL *s, void *arg)
6155 gen_tick_called = 1;
6157 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6161 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6162 const unsigned char *keyname,
6163 size_t keyname_length,
6164 SSL_TICKET_STATUS status,
6170 dec_tick_called = 1;
6172 if (status == SSL_TICKET_EMPTY)
6173 return SSL_TICKET_RETURN_IGNORE_RENEW;
6175 if (!TEST_true(status == SSL_TICKET_SUCCESS
6176 || status == SSL_TICKET_SUCCESS_RENEW))
6177 return SSL_TICKET_RETURN_ABORT;
6179 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6181 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6182 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6183 return SSL_TICKET_RETURN_ABORT;
6185 if (tick_key_cb_called) {
6186 /* Don't change what the ticket key callback wanted to do */
6188 case SSL_TICKET_NO_DECRYPT:
6189 return SSL_TICKET_RETURN_IGNORE_RENEW;
6191 case SSL_TICKET_SUCCESS:
6192 return SSL_TICKET_RETURN_USE;
6194 case SSL_TICKET_SUCCESS_RENEW:
6195 return SSL_TICKET_RETURN_USE_RENEW;
6198 return SSL_TICKET_RETURN_ABORT;
6201 return tick_dec_ret;
6205 #ifndef OPENSSL_NO_DEPRECATED_3_0
6206 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6207 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6208 HMAC_CTX *hctx, int enc)
6210 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6211 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6213 tick_key_cb_called = 1;
6214 memset(iv, 0, AES_BLOCK_SIZE);
6215 memset(key_name, 0, 16);
6216 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6217 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
6218 EVP_sha256(), NULL))
6221 return tick_key_renew ? 2 : 1;
6225 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6226 unsigned char iv[EVP_MAX_IV_LENGTH],
6227 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6229 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6230 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6231 OSSL_PARAM params[3];
6233 tick_key_cb_called = 1;
6234 memset(iv, 0, AES_BLOCK_SIZE);
6235 memset(key_name, 0, 16);
6236 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6238 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6240 sizeof(tick_hmac_key));
6241 params[2] = OSSL_PARAM_construct_end();
6242 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6243 || !EVP_MAC_CTX_set_params(hctx, params)
6244 || !EVP_MAC_init(hctx))
6247 return tick_key_renew ? 2 : 1;
6251 * Test the various ticket callbacks
6252 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6253 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6254 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6255 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6256 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6257 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6258 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6259 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6260 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6261 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6262 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6263 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6264 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6265 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6266 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6267 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6269 static int test_ticket_callbacks(int tst)
6271 SSL_CTX *cctx = NULL, *sctx = NULL;
6272 SSL *clientssl = NULL, *serverssl = NULL;
6273 SSL_SESSION *clntsess = NULL;
6276 #ifdef OPENSSL_NO_TLS1_2
6280 #ifdef OPENSSL_NO_TLS1_3
6284 #ifdef OPENSSL_NO_DEPRECATED_3_0
6285 if (tst >= 8 && tst <= 11)
6289 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6291 /* Which tests the ticket key callback should request renewal for */
6292 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6297 /* Which tests the decrypt ticket callback should request renewal for */
6301 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6306 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6311 tick_dec_ret = SSL_TICKET_RETURN_USE;
6316 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6320 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6323 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6324 TLS_client_method(),
6326 ((tst % 2) == 0) ? TLS1_2_VERSION
6328 &sctx, &cctx, cert, privkey)))
6332 * We only want sessions to resume from tickets - not the session cache. So
6333 * switch the cache off.
6335 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6338 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6343 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6345 #ifndef OPENSSL_NO_DEPRECATED_3_0
6346 } else if (tst >= 8) {
6347 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6352 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6354 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6359 * The decrypt ticket key callback in TLSv1.2 should be called even though
6360 * we have no ticket yet, because it gets called with a status of
6361 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6362 * actually send any ticket data). This does not happen in TLSv1.3 because
6363 * it is not valid to send empty ticket data in TLSv1.3.
6365 if (!TEST_int_eq(gen_tick_called, 1)
6366 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6369 gen_tick_called = dec_tick_called = 0;
6371 clntsess = SSL_get1_session(clientssl);
6372 SSL_shutdown(clientssl);
6373 SSL_shutdown(serverssl);
6374 SSL_free(serverssl);
6375 SSL_free(clientssl);
6376 serverssl = clientssl = NULL;
6378 /* Now do a resumption */
6379 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6381 || !TEST_true(SSL_set_session(clientssl, clntsess))
6382 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6386 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6387 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6388 if (!TEST_false(SSL_session_reused(clientssl)))
6391 if (!TEST_true(SSL_session_reused(clientssl)))
6395 if (!TEST_int_eq(gen_tick_called,
6397 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6398 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6400 || !TEST_int_eq(dec_tick_called, 1))
6406 SSL_SESSION_free(clntsess);
6407 SSL_free(serverssl);
6408 SSL_free(clientssl);
6416 * Test bi-directional shutdown.
6418 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6419 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6420 * Test 3: TLSv1.3, pending NewSessionTicket messages
6421 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6422 * sends key update, client reads it
6423 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6424 * sends CertificateRequest, client reads and ignores it
6425 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6428 static int test_shutdown(int tst)
6430 SSL_CTX *cctx = NULL, *sctx = NULL;
6431 SSL *clientssl = NULL, *serverssl = NULL;
6433 char msg[] = "A test message";
6435 size_t written, readbytes;
6438 #ifdef OPENSSL_NO_TLS1_2
6442 #ifdef OPENSSL_NO_TLS1_3
6447 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6448 TLS_client_method(),
6450 (tst <= 1) ? TLS1_2_VERSION
6452 &sctx, &cctx, cert, privkey)))
6456 SSL_CTX_set_post_handshake_auth(cctx, 1);
6458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6463 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6465 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6466 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6468 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6470 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6471 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6475 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6480 * Reading on the server after the client has sent close_notify should
6481 * fail and provide SSL_ERROR_ZERO_RETURN
6483 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6484 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6485 SSL_ERROR_ZERO_RETURN)
6486 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6487 SSL_RECEIVED_SHUTDOWN)
6489 * Even though we're shutdown on receive we should still be
6492 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6495 && !TEST_true(SSL_key_update(serverssl,
6496 SSL_KEY_UPDATE_REQUESTED)))
6499 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6500 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6503 if ((tst == 4 || tst == 5)
6504 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6506 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6508 if (tst == 4 || tst == 5) {
6509 /* Should still be able to read data from server */
6510 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6512 || !TEST_size_t_eq(readbytes, sizeof(msg))
6513 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6514 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6516 || !TEST_size_t_eq(readbytes, sizeof(msg))
6517 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6522 /* Writing on the client after sending close_notify shouldn't be possible */
6523 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6528 * For these tests the client has sent close_notify but it has not yet
6529 * been received by the server. The server has not sent close_notify
6532 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6534 * Writing on the server after sending close_notify shouldn't
6537 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6538 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6539 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6540 || !TEST_true(SSL_SESSION_is_resumable(sess))
6541 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6543 } else if (tst == 4 || tst == 5) {
6545 * In this test the client has sent close_notify and it has been
6546 * received by the server which has responded with a close_notify. The
6547 * client needs to read the close_notify sent by the server.
6549 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6550 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6551 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6557 * The client has sent close_notify and is expecting a close_notify
6558 * back, but instead there is application data first. The shutdown
6559 * should fail with a fatal error.
6561 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6562 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6569 SSL_free(serverssl);
6570 SSL_free(clientssl);
6577 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6578 static int cert_cb_cnt;
6580 static int cert_cb(SSL *s, void *arg)
6582 SSL_CTX *ctx = (SSL_CTX *)arg;
6584 EVP_PKEY *pkey = NULL;
6585 X509 *x509 = NULL, *rootx = NULL;
6586 STACK_OF(X509) *chain = NULL;
6587 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6590 if (cert_cb_cnt == 0) {
6591 /* Suspend the handshake */
6594 } else if (cert_cb_cnt == 1) {
6596 * Update the SSL_CTX, set the certificate and private key and then
6597 * continue the handshake normally.
6599 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6602 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6603 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6605 || !TEST_true(SSL_check_private_key(s)))
6609 } else if (cert_cb_cnt == 3) {
6612 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6613 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6614 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6615 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6617 chain = sk_X509_new_null();
6618 if (!TEST_ptr(chain))
6620 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6621 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6622 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6623 || !TEST_true(sk_X509_push(chain, rootx)))
6627 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6628 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6629 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6632 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6633 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6634 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6636 rv = SSL_check_chain(s, x509, pkey, chain);
6638 * If the cert doesn't show as valid here (e.g., because we don't
6639 * have any shared sigalgs), then we will not set it, and there will
6640 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6641 * will cause tls_choose_sigalgs() to fail the connection.
6643 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6644 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6645 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6652 /* Abort the handshake */
6654 OPENSSL_free(ecdsacert);
6655 OPENSSL_free(ecdsakey);
6656 OPENSSL_free(rootfile);
6658 EVP_PKEY_free(pkey);
6661 sk_X509_pop_free(chain, X509_free);
6666 * Test the certificate callback.
6667 * Test 0: Callback fails
6668 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6669 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6670 * Test 3: Success - Call SSL_check_chain from the callback
6671 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6673 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6675 static int test_cert_cb_int(int prot, int tst)
6677 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6678 SSL *clientssl = NULL, *serverssl = NULL;
6679 int testresult = 0, ret;
6681 #ifdef OPENSSL_NO_EC
6682 /* We use an EC cert in these tests, so we skip in a no-ec build */
6687 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6688 TLS_client_method(),
6691 &sctx, &cctx, NULL, NULL)))
6702 snictx = SSL_CTX_new(TLS_server_method());
6703 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6705 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6711 * We cause SSL_check_chain() to fail by specifying sig_algs that
6712 * the chain doesn't meet (the root uses an RSA cert)
6714 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6715 "ecdsa_secp256r1_sha256")))
6717 } else if (tst == 5) {
6719 * We cause SSL_check_chain() to fail by specifying sig_algs that
6720 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6722 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6723 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6727 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6728 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6730 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6737 SSL_free(serverssl);
6738 SSL_free(clientssl);
6741 SSL_CTX_free(snictx);
6747 static int test_cert_cb(int tst)
6751 #ifndef OPENSSL_NO_TLS1_2
6752 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6754 #ifndef OPENSSL_NO_TLS1_3
6755 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6761 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6767 /* Check that SSL_get_peer_certificate() returns something sensible */
6768 peer = SSL_get_peer_certificate(ssl);
6769 if (!TEST_ptr(peer))
6773 in = BIO_new_file(cert, "r");
6777 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6779 if (!TEST_ptr(xcert))
6782 in = BIO_new_file(privkey, "r");
6783 if (!TEST_ptr(in)) {
6788 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6790 if (!TEST_ptr(privpkey)) {
6801 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6806 static int test_client_cert_cb(int tst)
6808 SSL_CTX *cctx = NULL, *sctx = NULL;
6809 SSL *clientssl = NULL, *serverssl = NULL;
6812 #ifdef OPENSSL_NO_TLS1_2
6816 #ifdef OPENSSL_NO_TLS1_3
6821 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6822 TLS_client_method(),
6824 tst == 0 ? TLS1_2_VERSION
6826 &sctx, &cctx, cert, privkey)))
6830 * Test that setting a client_cert_cb results in a client certificate being
6833 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6834 SSL_CTX_set_verify(sctx,
6835 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6838 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6840 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6847 SSL_free(serverssl);
6848 SSL_free(clientssl);
6855 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6857 * Test setting certificate authorities on both client and server.
6859 * Test 0: SSL_CTX_set0_CA_list() only
6860 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6861 * Test 2: Only SSL_CTX_set_client_CA_list()
6863 static int test_ca_names_int(int prot, int tst)
6865 SSL_CTX *cctx = NULL, *sctx = NULL;
6866 SSL *clientssl = NULL, *serverssl = NULL;
6869 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6870 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6871 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6872 const STACK_OF(X509_NAME) *sktmp = NULL;
6874 for (i = 0; i < OSSL_NELEM(name); i++) {
6875 name[i] = X509_NAME_new();
6876 if (!TEST_ptr(name[i])
6877 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6885 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6886 TLS_client_method(),
6889 &sctx, &cctx, cert, privkey)))
6892 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6894 if (tst == 0 || tst == 1) {
6895 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6896 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6897 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6898 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6899 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6900 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6903 SSL_CTX_set0_CA_list(sctx, sk1);
6904 SSL_CTX_set0_CA_list(cctx, sk2);
6907 if (tst == 1 || tst == 2) {
6908 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6909 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6910 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6911 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6912 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6913 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6916 SSL_CTX_set_client_CA_list(sctx, sk1);
6917 SSL_CTX_set_client_CA_list(cctx, sk2);
6921 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6923 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6928 * We only expect certificate authorities to have been sent to the server
6929 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6931 sktmp = SSL_get0_peer_CA_list(serverssl);
6932 if (prot == TLS1_3_VERSION
6933 && (tst == 0 || tst == 1)) {
6934 if (!TEST_ptr(sktmp)
6935 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6936 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6938 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6941 } else if (!TEST_ptr_null(sktmp)) {
6946 * In all tests we expect certificate authorities to have been sent to the
6947 * client. However, SSL_set_client_CA_list() should override
6948 * SSL_set0_CA_list()
6950 sktmp = SSL_get0_peer_CA_list(clientssl);
6951 if (!TEST_ptr(sktmp)
6952 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6953 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6954 name[tst == 0 ? 0 : 2]), 0)
6955 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6956 name[tst == 0 ? 1 : 3]), 0))
6962 SSL_free(serverssl);
6963 SSL_free(clientssl);
6966 for (i = 0; i < OSSL_NELEM(name); i++)
6967 X509_NAME_free(name[i]);
6968 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6969 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6975 static int test_ca_names(int tst)
6979 #ifndef OPENSSL_NO_TLS1_2
6980 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6982 #ifndef OPENSSL_NO_TLS1_3
6983 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6989 #ifndef OPENSSL_NO_TLS1_2
6990 static const char *multiblock_cipherlist_data[]=
6998 /* Reduce the fragment size - so the multiblock test buffer can be small */
6999 # define MULTIBLOCK_FRAGSIZE 512
7001 static int test_multiblock_write(int test_index)
7003 static const char *fetchable_ciphers[]=
7005 "AES-128-CBC-HMAC-SHA1",
7006 "AES-128-CBC-HMAC-SHA256",
7007 "AES-256-CBC-HMAC-SHA1",
7008 "AES-256-CBC-HMAC-SHA256"
7010 const char *cipherlist = multiblock_cipherlist_data[test_index];
7011 const SSL_METHOD *smeth = TLS_server_method();
7012 const SSL_METHOD *cmeth = TLS_client_method();
7013 int min_version = TLS1_VERSION;
7014 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7015 SSL_CTX *cctx = NULL, *sctx = NULL;
7016 SSL *clientssl = NULL, *serverssl = NULL;
7020 * Choose a buffer large enough to perform a multi-block operation
7021 * i.e: write_len >= 4 * frag_size
7022 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7024 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7025 unsigned char buf[sizeof(msg)], *p = buf;
7026 size_t readbytes, written, len;
7027 EVP_CIPHER *ciph = NULL;
7030 * Check if the cipher exists before attempting to use it since it only has
7031 * a hardware specific implementation.
7033 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7035 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7038 EVP_CIPHER_free(ciph);
7040 /* Set up a buffer with some data that will be sent to the client */
7041 RAND_bytes(msg, sizeof(msg));
7043 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
7044 &sctx, &cctx, cert, privkey)))
7047 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7050 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7054 /* settings to force it to use AES-CBC-HMAC_SHA */
7055 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7056 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7059 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7062 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7063 || !TEST_size_t_eq(written, sizeof(msg)))
7068 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7073 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7078 SSL_free(serverssl);
7079 SSL_free(clientssl);
7085 #endif /* OPENSSL_NO_TLS1_2 */
7088 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7089 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7090 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7091 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7092 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7093 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7094 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7095 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7096 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7097 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7099 static int test_servername(int tst)
7101 SSL_CTX *cctx = NULL, *sctx = NULL;
7102 SSL *clientssl = NULL, *serverssl = NULL;
7104 SSL_SESSION *sess = NULL;
7105 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7107 #ifdef OPENSSL_NO_TLS1_2
7111 #ifdef OPENSSL_NO_TLS1_3
7116 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
7117 TLS_client_method(),
7119 (tst <= 4) ? TLS1_2_VERSION
7121 &sctx, &cctx, cert, privkey))
7122 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7126 if (tst != 1 && tst != 6) {
7127 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7132 if (tst != 3 && tst != 8) {
7133 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7135 sexpectedhost = cexpectedhost = "goodhost";
7138 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7141 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7143 || !TEST_str_eq(SSL_get_servername(serverssl,
7144 TLSEXT_NAMETYPE_host_name),
7148 /* Now repeat with a resumption handshake */
7150 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7151 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7152 || !TEST_true(SSL_SESSION_is_resumable(sess))
7153 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7156 SSL_free(clientssl);
7157 SSL_free(serverssl);
7158 clientssl = serverssl = NULL;
7160 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7164 if (!TEST_true(SSL_set_session(clientssl, sess)))
7167 sexpectedhost = cexpectedhost = "goodhost";
7168 if (tst == 2 || tst == 7) {
7169 /* Set an inconsistent hostname */
7170 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7173 * In TLSv1.2 we expect the hostname from the original handshake, in
7174 * TLSv1.3 we expect the hostname from this handshake
7177 sexpectedhost = cexpectedhost = "altgoodhost";
7179 if (!TEST_str_eq(SSL_get_servername(clientssl,
7180 TLSEXT_NAMETYPE_host_name),
7183 } else if (tst == 4 || tst == 9) {
7185 * A TLSv1.3 session does not associate a session with a servername,
7186 * but a TLSv1.2 session does.
7189 sexpectedhost = cexpectedhost = NULL;
7191 if (!TEST_str_eq(SSL_get_servername(clientssl,
7192 TLSEXT_NAMETYPE_host_name),
7196 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7199 * In a TLSv1.2 resumption where the hostname was not acknowledged
7200 * we expect the hostname on the server to be empty. On the client we
7201 * return what was requested in this case.
7203 * Similarly if the client didn't set a hostname on an original TLSv1.2
7204 * session but is now, the server hostname will be empty, but the client
7207 if (tst == 1 || tst == 3)
7208 sexpectedhost = NULL;
7210 if (!TEST_str_eq(SSL_get_servername(clientssl,
7211 TLSEXT_NAMETYPE_host_name),
7216 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7219 if (!TEST_true(SSL_session_reused(clientssl))
7220 || !TEST_true(SSL_session_reused(serverssl))
7221 || !TEST_str_eq(SSL_get_servername(clientssl,
7222 TLSEXT_NAMETYPE_host_name),
7224 || !TEST_str_eq(SSL_get_servername(serverssl,
7225 TLSEXT_NAMETYPE_host_name),
7232 SSL_SESSION_free(sess);
7233 SSL_free(serverssl);
7234 SSL_free(clientssl);
7241 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
7243 int setup_tests(void)
7245 if (!test_skip_common_options()) {
7246 TEST_error("Error parsing test options\n");
7250 if (!TEST_ptr(certsdir = test_get_argument(0))
7251 || !TEST_ptr(srpvfile = test_get_argument(1))
7252 || !TEST_ptr(tmpfilename = test_get_argument(2)))
7255 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7256 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7257 TEST_error("not supported in this build");
7260 int i, mcount, rcount, fcount;
7262 for (i = 0; i < 4; i++)
7263 test_export_key_mat(i);
7264 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7265 test_printf_stdout("malloc %d realloc %d free %d\n",
7266 mcount, rcount, fcount);
7271 cert = test_mk_file_path(certsdir, "servercert.pem");
7275 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7276 if (privkey == NULL) {
7281 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7282 && !defined(OPENSSL_NO_SOCK)
7283 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7284 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7285 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7286 ADD_TEST(test_ktls_client_no_txrx_server);
7287 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7288 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7289 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7290 ADD_TEST(test_ktls_client_no_rx_server);
7291 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7292 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7293 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7294 ADD_TEST(test_ktls_client_no_tx_server);
7295 ADD_TEST(test_ktls_no_txrx_client_server);
7296 ADD_TEST(test_ktls_no_rx_client_server);
7297 ADD_TEST(test_ktls_no_tx_client_server);
7298 ADD_TEST(test_ktls_client_server);
7299 ADD_TEST(test_ktls_sendfile);
7301 ADD_TEST(test_large_message_tls);
7302 ADD_TEST(test_large_message_tls_read_ahead);
7303 #ifndef OPENSSL_NO_DTLS
7304 ADD_TEST(test_large_message_dtls);
7306 #ifndef OPENSSL_NO_OCSP
7307 ADD_TEST(test_tlsext_status_type);
7309 ADD_TEST(test_session_with_only_int_cache);
7310 ADD_TEST(test_session_with_only_ext_cache);
7311 ADD_TEST(test_session_with_both_cache);
7312 #ifndef OPENSSL_NO_TLS1_3
7313 ADD_ALL_TESTS(test_stateful_tickets, 3);
7314 ADD_ALL_TESTS(test_stateless_tickets, 3);
7315 ADD_TEST(test_psk_tickets);
7317 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7318 ADD_TEST(test_ssl_bio_pop_next_bio);
7319 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7320 ADD_TEST(test_ssl_bio_change_rbio);
7321 ADD_TEST(test_ssl_bio_change_wbio);
7322 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7323 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7324 ADD_TEST(test_keylog);
7326 #ifndef OPENSSL_NO_TLS1_3
7327 ADD_TEST(test_keylog_no_master_key);
7329 #ifndef OPENSSL_NO_TLS1_2
7330 ADD_TEST(test_client_hello_cb);
7331 ADD_TEST(test_no_ems);
7332 ADD_TEST(test_ccs_change_cipher);
7334 #ifndef OPENSSL_NO_TLS1_3
7335 ADD_ALL_TESTS(test_early_data_read_write, 3);
7337 * We don't do replay tests for external PSK. Replay protection isn't used
7340 ADD_ALL_TESTS(test_early_data_replay, 2);
7341 ADD_ALL_TESTS(test_early_data_skip, 3);
7342 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7343 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7344 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7345 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7346 ADD_ALL_TESTS(test_early_data_psk, 8);
7347 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7348 # ifndef OPENSSL_NO_TLS1_2
7349 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7352 #ifndef OPENSSL_NO_TLS1_3
7353 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7354 ADD_TEST(test_ciphersuite_change);
7355 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7356 # ifdef OPENSSL_NO_PSK
7357 ADD_ALL_TESTS(test_tls13_psk, 1);
7359 ADD_ALL_TESTS(test_tls13_psk, 4);
7360 # endif /* OPENSSL_NO_PSK */
7361 # ifndef OPENSSL_NO_TLS1_2
7362 /* Test with both TLSv1.3 and 1.2 versions */
7363 ADD_ALL_TESTS(test_key_exchange, 14);
7365 /* Test with only TLSv1.3 versions */
7366 ADD_ALL_TESTS(test_key_exchange, 12);
7368 ADD_ALL_TESTS(test_custom_exts, 5);
7369 ADD_TEST(test_stateless);
7370 ADD_TEST(test_pha_key_update);
7372 ADD_ALL_TESTS(test_custom_exts, 3);
7374 ADD_ALL_TESTS(test_serverinfo, 8);
7375 ADD_ALL_TESTS(test_export_key_mat, 6);
7376 #ifndef OPENSSL_NO_TLS1_3
7377 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7378 ADD_TEST(test_key_update);
7379 ADD_ALL_TESTS(test_key_update_in_write, 2);
7381 ADD_ALL_TESTS(test_ssl_clear, 2);
7382 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7383 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7384 ADD_ALL_TESTS(test_srp, 6);
7386 ADD_ALL_TESTS(test_info_callback, 6);
7387 ADD_ALL_TESTS(test_ssl_pending, 2);
7388 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7389 ADD_ALL_TESTS(test_ticket_callbacks, 16);
7390 ADD_ALL_TESTS(test_shutdown, 7);
7391 ADD_ALL_TESTS(test_cert_cb, 6);
7392 ADD_ALL_TESTS(test_client_cert_cb, 2);
7393 ADD_ALL_TESTS(test_ca_names, 3);
7394 #ifndef OPENSSL_NO_TLS1_2
7395 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7397 ADD_ALL_TESTS(test_servername, 10);
7401 void cleanup_tests(void)
7404 OPENSSL_free(privkey);
7405 bio_s_mempacket_test_free();
7406 bio_s_always_retry_free();