2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/provider.h>
33 #include "ssltestlib.h"
35 #include "testutil/output.h"
36 #include "internal/nelem.h"
37 #include "internal/ktls.h"
38 #include "../ssl/ssl_local.h"
40 DEFINE_STACK_OF(OCSP_RESPID)
42 DEFINE_STACK_OF(X509_NAME)
44 static OPENSSL_CTX *libctx = NULL;
45 static OSSL_PROVIDER *defctxnull = NULL;
47 #ifndef OPENSSL_NO_TLS1_3
49 static SSL_SESSION *clientpsk = NULL;
50 static SSL_SESSION *serverpsk = NULL;
51 static const char *pskid = "Identity";
52 static const char *srvid;
54 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
55 size_t *idlen, SSL_SESSION **sess);
56 static int find_session_cb(SSL *ssl, const unsigned char *identity,
57 size_t identity_len, SSL_SESSION **sess);
59 static int use_session_cb_cnt = 0;
60 static int find_session_cb_cnt = 0;
62 static SSL_SESSION *create_a_psk(SSL *ssl);
65 static char *certsdir = NULL;
66 static char *cert = NULL;
67 static char *privkey = NULL;
68 static char *srpvfile = NULL;
69 static char *tmpfilename = NULL;
71 static int is_fips = 0;
73 #define LOG_BUFFER_SIZE 2048
74 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
75 static size_t server_log_buffer_index = 0;
76 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
77 static size_t client_log_buffer_index = 0;
78 static int error_writing_log = 0;
80 #ifndef OPENSSL_NO_OCSP
81 static const unsigned char orespder[] = "Dummy OCSP Response";
82 static int ocsp_server_called = 0;
83 static int ocsp_client_called = 0;
85 static int cdummyarg = 1;
86 static X509 *ocspcert = NULL;
89 #define NUM_EXTRA_CERTS 40
90 #define CLIENT_VERSION_LEN 2
93 * This structure is used to validate that the correct number of log messages
94 * of various types are emitted when emitting secret logs.
96 struct sslapitest_log_counts {
97 unsigned int rsa_key_exchange_count;
98 unsigned int master_secret_count;
99 unsigned int client_early_secret_count;
100 unsigned int client_handshake_secret_count;
101 unsigned int server_handshake_secret_count;
102 unsigned int client_application_secret_count;
103 unsigned int server_application_secret_count;
104 unsigned int early_exporter_secret_count;
105 unsigned int exporter_secret_count;
109 static unsigned char serverinfov1[] = {
110 0xff, 0xff, /* Dummy extension type */
111 0x00, 0x01, /* Extension length is 1 byte */
112 0xff /* Dummy extension data */
115 static unsigned char serverinfov2[] = {
117 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
118 0xff, 0xff, /* Dummy extension type */
119 0x00, 0x01, /* Extension length is 1 byte */
120 0xff /* Dummy extension data */
123 static int hostname_cb(SSL *s, int *al, void *arg)
125 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
127 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
128 || strcmp(hostname, "altgoodhost") == 0))
129 return SSL_TLSEXT_ERR_OK;
131 return SSL_TLSEXT_ERR_NOACK;
134 static void client_keylog_callback(const SSL *ssl, const char *line)
136 int line_length = strlen(line);
138 /* If the log doesn't fit, error out. */
139 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
140 TEST_info("Client log too full");
141 error_writing_log = 1;
145 strcat(client_log_buffer, line);
146 client_log_buffer_index += line_length;
147 client_log_buffer[client_log_buffer_index++] = '\n';
150 static void server_keylog_callback(const SSL *ssl, const char *line)
152 int line_length = strlen(line);
154 /* If the log doesn't fit, error out. */
155 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
156 TEST_info("Server log too full");
157 error_writing_log = 1;
161 strcat(server_log_buffer, line);
162 server_log_buffer_index += line_length;
163 server_log_buffer[server_log_buffer_index++] = '\n';
166 static int compare_hex_encoded_buffer(const char *hex_encoded,
174 if (!TEST_size_t_eq(raw_length * 2, hex_length))
177 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
178 sprintf(hexed, "%02x", raw[i]);
179 if (!TEST_int_eq(hexed[0], hex_encoded[j])
180 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
187 static int test_keylog_output(char *buffer, const SSL *ssl,
188 const SSL_SESSION *session,
189 struct sslapitest_log_counts *expected)
192 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
193 size_t client_random_size = SSL3_RANDOM_SIZE;
194 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
195 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
196 unsigned int rsa_key_exchange_count = 0;
197 unsigned int master_secret_count = 0;
198 unsigned int client_early_secret_count = 0;
199 unsigned int client_handshake_secret_count = 0;
200 unsigned int server_handshake_secret_count = 0;
201 unsigned int client_application_secret_count = 0;
202 unsigned int server_application_secret_count = 0;
203 unsigned int early_exporter_secret_count = 0;
204 unsigned int exporter_secret_count = 0;
206 for (token = strtok(buffer, " \n"); token != NULL;
207 token = strtok(NULL, " \n")) {
208 if (strcmp(token, "RSA") == 0) {
210 * Premaster secret. Tokens should be: 16 ASCII bytes of
211 * hex-encoded encrypted secret, then the hex-encoded pre-master
214 if (!TEST_ptr(token = strtok(NULL, " \n")))
216 if (!TEST_size_t_eq(strlen(token), 16))
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
221 * We can't sensibly check the log because the premaster secret is
222 * transient, and OpenSSL doesn't keep hold of it once the master
223 * secret is generated.
225 rsa_key_exchange_count++;
226 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
228 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
229 * client random, then the hex-encoded master secret.
231 client_random_size = SSL_get_client_random(ssl,
232 actual_client_random,
234 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
237 if (!TEST_ptr(token = strtok(NULL, " \n")))
239 if (!TEST_size_t_eq(strlen(token), 64))
241 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
242 actual_client_random,
243 client_random_size)))
246 if (!TEST_ptr(token = strtok(NULL, " \n")))
248 master_key_size = SSL_SESSION_get_master_key(session,
251 if (!TEST_size_t_ne(master_key_size, 0))
253 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
257 master_secret_count++;
258 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
259 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
260 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
261 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
262 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
263 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
264 || strcmp(token, "EXPORTER_SECRET") == 0) {
266 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
267 * client random, and then the hex-encoded secret. In this case,
268 * we treat all of these secrets identically and then just
269 * distinguish between them when counting what we saw.
271 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
272 client_early_secret_count++;
273 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
274 client_handshake_secret_count++;
275 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
276 server_handshake_secret_count++;
277 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
278 client_application_secret_count++;
279 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
280 server_application_secret_count++;
281 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
282 early_exporter_secret_count++;
283 else if (strcmp(token, "EXPORTER_SECRET") == 0)
284 exporter_secret_count++;
286 client_random_size = SSL_get_client_random(ssl,
287 actual_client_random,
289 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
292 if (!TEST_ptr(token = strtok(NULL, " \n")))
294 if (!TEST_size_t_eq(strlen(token), 64))
296 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
297 actual_client_random,
298 client_random_size)))
301 if (!TEST_ptr(token = strtok(NULL, " \n")))
305 * TODO(TLS1.3): test that application traffic secrets are what
308 TEST_info("Unexpected token %s\n", token);
313 /* Got what we expected? */
314 if (!TEST_size_t_eq(rsa_key_exchange_count,
315 expected->rsa_key_exchange_count)
316 || !TEST_size_t_eq(master_secret_count,
317 expected->master_secret_count)
318 || !TEST_size_t_eq(client_early_secret_count,
319 expected->client_early_secret_count)
320 || !TEST_size_t_eq(client_handshake_secret_count,
321 expected->client_handshake_secret_count)
322 || !TEST_size_t_eq(server_handshake_secret_count,
323 expected->server_handshake_secret_count)
324 || !TEST_size_t_eq(client_application_secret_count,
325 expected->client_application_secret_count)
326 || !TEST_size_t_eq(server_application_secret_count,
327 expected->server_application_secret_count)
328 || !TEST_size_t_eq(early_exporter_secret_count,
329 expected->early_exporter_secret_count)
330 || !TEST_size_t_eq(exporter_secret_count,
331 expected->exporter_secret_count))
336 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
337 static int test_keylog(void)
339 SSL_CTX *cctx = NULL, *sctx = NULL;
340 SSL *clientssl = NULL, *serverssl = NULL;
342 struct sslapitest_log_counts expected;
344 /* Clean up logging space */
345 memset(&expected, 0, sizeof(expected));
346 memset(client_log_buffer, 0, sizeof(client_log_buffer));
347 memset(server_log_buffer, 0, sizeof(server_log_buffer));
348 client_log_buffer_index = 0;
349 server_log_buffer_index = 0;
350 error_writing_log = 0;
352 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
355 &sctx, &cctx, cert, privkey)))
358 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
359 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
360 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
362 /* We also want to ensure that we use RSA-based key exchange. */
363 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
366 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
367 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
369 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
370 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
371 == client_keylog_callback))
373 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
374 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
375 == server_keylog_callback))
378 /* Now do a handshake and check that the logs have been written to. */
379 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
380 &clientssl, NULL, NULL))
381 || !TEST_true(create_ssl_connection(serverssl, clientssl,
383 || !TEST_false(error_writing_log)
384 || !TEST_int_gt(client_log_buffer_index, 0)
385 || !TEST_int_gt(server_log_buffer_index, 0))
389 * Now we want to test that our output data was vaguely sensible. We
390 * do that by using strtok and confirming that we have more or less the
391 * data we expect. For both client and server, we expect to see one master
392 * secret. The client should also see a RSA key exchange.
394 expected.rsa_key_exchange_count = 1;
395 expected.master_secret_count = 1;
396 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
397 SSL_get_session(clientssl), &expected)))
400 expected.rsa_key_exchange_count = 0;
401 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
402 SSL_get_session(serverssl), &expected)))
417 #ifndef OPENSSL_NO_TLS1_3
418 static int test_keylog_no_master_key(void)
420 SSL_CTX *cctx = NULL, *sctx = NULL;
421 SSL *clientssl = NULL, *serverssl = NULL;
422 SSL_SESSION *sess = NULL;
424 struct sslapitest_log_counts expected;
425 unsigned char buf[1];
426 size_t readbytes, written;
428 /* Clean up logging space */
429 memset(&expected, 0, sizeof(expected));
430 memset(client_log_buffer, 0, sizeof(client_log_buffer));
431 memset(server_log_buffer, 0, sizeof(server_log_buffer));
432 client_log_buffer_index = 0;
433 server_log_buffer_index = 0;
434 error_writing_log = 0;
436 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
437 TLS_client_method(), TLS1_VERSION, 0,
438 &sctx, &cctx, cert, privkey))
439 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
440 SSL3_RT_MAX_PLAIN_LENGTH)))
443 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
444 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
447 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
448 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
449 == client_keylog_callback))
452 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
453 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
454 == server_keylog_callback))
457 /* Now do a handshake and check that the logs have been written to. */
458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
459 &clientssl, NULL, NULL))
460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
462 || !TEST_false(error_writing_log))
466 * Now we want to test that our output data was vaguely sensible. For this
467 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
468 * TLSv1.3, but we do expect both client and server to emit keys.
470 expected.client_handshake_secret_count = 1;
471 expected.server_handshake_secret_count = 1;
472 expected.client_application_secret_count = 1;
473 expected.server_application_secret_count = 1;
474 expected.exporter_secret_count = 1;
475 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
476 SSL_get_session(clientssl), &expected))
477 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
478 SSL_get_session(serverssl),
482 /* Terminate old session and resume with early data. */
483 sess = SSL_get1_session(clientssl);
484 SSL_shutdown(clientssl);
485 SSL_shutdown(serverssl);
488 serverssl = clientssl = NULL;
491 memset(client_log_buffer, 0, sizeof(client_log_buffer));
492 memset(server_log_buffer, 0, sizeof(server_log_buffer));
493 client_log_buffer_index = 0;
494 server_log_buffer_index = 0;
496 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
497 &clientssl, NULL, NULL))
498 || !TEST_true(SSL_set_session(clientssl, sess))
499 /* Here writing 0 length early data is enough. */
500 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
501 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
503 SSL_READ_EARLY_DATA_ERROR)
504 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
505 SSL_EARLY_DATA_ACCEPTED)
506 || !TEST_true(create_ssl_connection(serverssl, clientssl,
508 || !TEST_true(SSL_session_reused(clientssl)))
511 /* In addition to the previous entries, expect early secrets. */
512 expected.client_early_secret_count = 1;
513 expected.early_exporter_secret_count = 1;
514 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
515 SSL_get_session(clientssl), &expected))
516 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
517 SSL_get_session(serverssl),
524 SSL_SESSION_free(sess);
534 #ifndef OPENSSL_NO_TLS1_2
535 static int full_client_hello_callback(SSL *s, int *al, void *arg)
538 const unsigned char *p;
540 /* We only configure two ciphers, but the SCSV is added automatically. */
542 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
544 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
547 const int expected_extensions[] = {
548 #ifndef OPENSSL_NO_EC
554 /* Make sure we can defer processing and get called back. */
556 return SSL_CLIENT_HELLO_RETRY;
558 len = SSL_client_hello_get0_ciphers(s, &p);
559 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
561 SSL_client_hello_get0_compression_methods(s, &p), 1)
562 || !TEST_int_eq(*p, 0))
563 return SSL_CLIENT_HELLO_ERROR;
564 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
565 return SSL_CLIENT_HELLO_ERROR;
566 if (len != OSSL_NELEM(expected_extensions) ||
567 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
568 printf("ClientHello callback expected extensions mismatch\n");
570 return SSL_CLIENT_HELLO_ERROR;
573 return SSL_CLIENT_HELLO_SUCCESS;
576 static int test_client_hello_cb(void)
578 SSL_CTX *cctx = NULL, *sctx = NULL;
579 SSL *clientssl = NULL, *serverssl = NULL;
580 int testctr = 0, testresult = 0;
582 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
583 TLS_client_method(), TLS1_VERSION, 0,
584 &sctx, &cctx, cert, privkey)))
586 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
588 /* The gimpy cipher list we configure can't do TLS 1.3. */
589 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
591 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
592 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
593 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL))
595 || !TEST_false(create_ssl_connection(serverssl, clientssl,
596 SSL_ERROR_WANT_CLIENT_HELLO_CB))
598 * Passing a -1 literal is a hack since
599 * the real value was lost.
601 || !TEST_int_eq(SSL_get_error(serverssl, -1),
602 SSL_ERROR_WANT_CLIENT_HELLO_CB)
603 || !TEST_true(create_ssl_connection(serverssl, clientssl,
618 static int test_no_ems(void)
620 SSL_CTX *cctx = NULL, *sctx = NULL;
621 SSL *clientssl = NULL, *serverssl = NULL;
624 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
625 TLS1_VERSION, TLS1_2_VERSION,
626 &sctx, &cctx, cert, privkey)) {
627 printf("Unable to create SSL_CTX pair\n");
631 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
633 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
634 printf("Unable to create SSL objects\n");
638 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
639 printf("Creating SSL connection failed\n");
643 if (SSL_get_extms_support(serverssl)) {
644 printf("Server reports Extended Master Secret support\n");
648 if (SSL_get_extms_support(clientssl)) {
649 printf("Client reports Extended Master Secret support\n");
664 * Very focused test to exercise a single case in the server-side state
665 * machine, when the ChangeCipherState message needs to actually change
666 * from one cipher to a different cipher (i.e., not changing from null
667 * encryption to real encryption).
669 static int test_ccs_change_cipher(void)
671 SSL_CTX *cctx = NULL, *sctx = NULL;
672 SSL *clientssl = NULL, *serverssl = NULL;
673 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
680 * Create a conection so we can resume and potentially (but not) use
681 * a different cipher in the second connection.
683 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
685 TLS1_VERSION, TLS1_2_VERSION,
686 &sctx, &cctx, cert, privkey))
687 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
690 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
693 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
694 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
697 shutdown_ssl_connection(serverssl, clientssl);
698 serverssl = clientssl = NULL;
700 /* Resume, preferring a different cipher. Our server will force the
701 * same cipher to be used as the initial handshake. */
702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
704 || !TEST_true(SSL_set_session(clientssl, sess))
705 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
708 || !TEST_true(SSL_session_reused(clientssl))
709 || !TEST_true(SSL_session_reused(serverssl))
710 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
711 || !TEST_ptr_eq(sesspre, sesspost)
712 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
713 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
715 shutdown_ssl_connection(serverssl, clientssl);
716 serverssl = clientssl = NULL;
719 * Now create a fresh connection and try to renegotiate a different
722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
724 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
727 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
728 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
729 || !TEST_true(SSL_renegotiate(clientssl))
730 || !TEST_true(SSL_renegotiate_pending(clientssl)))
732 /* Actually drive the renegotiation. */
733 for (i = 0; i < 3; i++) {
734 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
735 if (!TEST_ulong_eq(readbytes, 0))
737 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
738 SSL_ERROR_WANT_READ)) {
741 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
742 if (!TEST_ulong_eq(readbytes, 0))
744 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
745 SSL_ERROR_WANT_READ)) {
749 /* sesspre and sesspost should be different since the cipher changed. */
750 if (!TEST_false(SSL_renegotiate_pending(clientssl))
751 || !TEST_false(SSL_session_reused(clientssl))
752 || !TEST_false(SSL_session_reused(serverssl))
753 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
754 || !TEST_ptr_ne(sesspre, sesspost)
755 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
756 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
759 shutdown_ssl_connection(serverssl, clientssl);
760 serverssl = clientssl = NULL;
769 SSL_SESSION_free(sess);
775 static int execute_test_large_message(const SSL_METHOD *smeth,
776 const SSL_METHOD *cmeth,
777 int min_version, int max_version,
780 SSL_CTX *cctx = NULL, *sctx = NULL;
781 SSL *clientssl = NULL, *serverssl = NULL;
785 X509 *chaincert = NULL;
788 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
790 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
793 if (!TEST_ptr(chaincert))
796 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
797 max_version, &sctx, &cctx, cert,
803 * Test that read_ahead works correctly when dealing with large
806 SSL_CTX_set_read_ahead(cctx, 1);
810 * We assume the supplied certificate is big enough so that if we add
811 * NUM_EXTRA_CERTS it will make the overall message large enough. The
812 * default buffer size is requested to be 16k, but due to the way BUF_MEM
813 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
814 * test we need to have a message larger than that.
816 certlen = i2d_X509(chaincert, NULL);
817 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
818 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
819 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
820 if (!X509_up_ref(chaincert))
822 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
823 X509_free(chaincert);
828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
835 * Calling SSL_clear() first is not required but this tests that SSL_clear()
838 if (!TEST_true(SSL_clear(serverssl)))
843 X509_free(chaincert);
852 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
853 && !defined(OPENSSL_NO_SOCK)
855 /* sock must be connected */
856 static int ktls_chk_platform(int sock)
858 if (!ktls_enable(sock))
863 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
865 static char count = 1;
866 unsigned char cbuf[16000] = {0};
867 unsigned char sbuf[16000];
869 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
870 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
871 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
872 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
873 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
874 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
875 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
876 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
879 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
880 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
881 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
882 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
883 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
884 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
885 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
886 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
888 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
891 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
892 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
897 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
900 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
901 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
906 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
907 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
908 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
909 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
910 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
911 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
912 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
913 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
915 /* verify the payload */
916 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
919 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
920 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
921 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
922 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
925 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
926 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
930 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
931 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
932 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
935 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
936 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
940 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
941 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
942 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
945 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
946 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
950 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
951 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
952 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
955 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
956 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
965 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
966 int sis_ktls_tx, int sis_ktls_rx)
968 SSL_CTX *cctx = NULL, *sctx = NULL;
969 SSL *clientssl = NULL, *serverssl = NULL;
973 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
976 /* Skip this test if the platform does not support ktls */
977 if (!ktls_chk_platform(cfd))
980 /* Create a session based on SHA-256 */
981 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
983 TLS1_2_VERSION, TLS1_2_VERSION,
984 &sctx, &cctx, cert, privkey))
985 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
986 "AES128-GCM-SHA256"))
987 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
988 &clientssl, sfd, cfd)))
992 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
997 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1002 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1007 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1016 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1019 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1024 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1027 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1032 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1035 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1040 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1043 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1047 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1053 SSL_shutdown(clientssl);
1054 SSL_free(clientssl);
1057 SSL_shutdown(serverssl);
1058 SSL_free(serverssl);
1062 serverssl = clientssl = NULL;
1066 #define SENDFILE_SZ (16 * 4096)
1067 #define SENDFILE_CHUNK (4 * 4096)
1068 #define min(a,b) ((a) > (b) ? (b) : (a))
1070 static int test_ktls_sendfile(void)
1072 SSL_CTX *cctx = NULL, *sctx = NULL;
1073 SSL *clientssl = NULL, *serverssl = NULL;
1074 unsigned char *buf, *buf_dst;
1075 BIO *out = NULL, *in = NULL;
1076 int cfd, sfd, ffd, err;
1077 ssize_t chunk_size = 0;
1078 off_t chunk_off = 0;
1082 buf = OPENSSL_zalloc(SENDFILE_SZ);
1083 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1084 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1085 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1088 /* Skip this test if the platform does not support ktls */
1089 if (!ktls_chk_platform(sfd)) {
1094 /* Create a session based on SHA-256 */
1095 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1096 TLS_client_method(),
1097 TLS1_2_VERSION, TLS1_2_VERSION,
1098 &sctx, &cctx, cert, privkey))
1099 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1100 "AES128-GCM-SHA256"))
1101 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1102 &clientssl, sfd, cfd)))
1105 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1107 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1110 RAND_bytes(buf, SENDFILE_SZ);
1111 out = BIO_new_file(tmpfilename, "wb");
1115 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1120 in = BIO_new_file(tmpfilename, "rb");
1121 BIO_get_fp(in, &ffdp);
1124 while (chunk_off < SENDFILE_SZ) {
1125 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1126 while ((err = SSL_sendfile(serverssl,
1130 0)) != chunk_size) {
1131 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1134 while ((err = SSL_read(clientssl,
1135 buf_dst + chunk_off,
1136 chunk_size)) != chunk_size) {
1137 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1141 /* verify the payload */
1142 if (!TEST_mem_eq(buf_dst + chunk_off,
1148 chunk_off += chunk_size;
1154 SSL_shutdown(clientssl);
1155 SSL_free(clientssl);
1158 SSL_shutdown(serverssl);
1159 SSL_free(serverssl);
1163 serverssl = clientssl = NULL;
1167 OPENSSL_free(buf_dst);
1171 static int test_ktls_no_txrx_client_no_txrx_server(void)
1173 return execute_test_ktls(0, 0, 0, 0);
1176 static int test_ktls_no_rx_client_no_txrx_server(void)
1178 return execute_test_ktls(1, 0, 0, 0);
1181 static int test_ktls_no_tx_client_no_txrx_server(void)
1183 return execute_test_ktls(0, 1, 0, 0);
1186 static int test_ktls_client_no_txrx_server(void)
1188 return execute_test_ktls(1, 1, 0, 0);
1191 static int test_ktls_no_txrx_client_no_rx_server(void)
1193 return execute_test_ktls(0, 0, 1, 0);
1196 static int test_ktls_no_rx_client_no_rx_server(void)
1198 return execute_test_ktls(1, 0, 1, 0);
1201 static int test_ktls_no_tx_client_no_rx_server(void)
1203 return execute_test_ktls(0, 1, 1, 0);
1206 static int test_ktls_client_no_rx_server(void)
1208 return execute_test_ktls(1, 1, 1, 0);
1211 static int test_ktls_no_txrx_client_no_tx_server(void)
1213 return execute_test_ktls(0, 0, 0, 1);
1216 static int test_ktls_no_rx_client_no_tx_server(void)
1218 return execute_test_ktls(1, 0, 0, 1);
1221 static int test_ktls_no_tx_client_no_tx_server(void)
1223 return execute_test_ktls(0, 1, 0, 1);
1226 static int test_ktls_client_no_tx_server(void)
1228 return execute_test_ktls(1, 1, 0, 1);
1231 static int test_ktls_no_txrx_client_server(void)
1233 return execute_test_ktls(0, 0, 1, 1);
1236 static int test_ktls_no_rx_client_server(void)
1238 return execute_test_ktls(1, 0, 1, 1);
1241 static int test_ktls_no_tx_client_server(void)
1243 return execute_test_ktls(0, 1, 1, 1);
1246 static int test_ktls_client_server(void)
1248 return execute_test_ktls(1, 1, 1, 1);
1252 static int test_large_message_tls(void)
1254 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1255 TLS1_VERSION, 0, 0);
1258 static int test_large_message_tls_read_ahead(void)
1260 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1261 TLS1_VERSION, 0, 1);
1264 #ifndef OPENSSL_NO_DTLS
1265 static int test_large_message_dtls(void)
1268 * read_ahead is not relevant to DTLS because DTLS always acts as if
1269 * read_ahead is set.
1271 return execute_test_large_message(DTLS_server_method(),
1272 DTLS_client_method(),
1273 DTLS1_VERSION, 0, 0);
1277 #ifndef OPENSSL_NO_OCSP
1278 static int ocsp_server_cb(SSL *s, void *arg)
1280 int *argi = (int *)arg;
1281 unsigned char *copy = NULL;
1282 STACK_OF(OCSP_RESPID) *ids = NULL;
1283 OCSP_RESPID *id = NULL;
1286 /* In this test we are expecting exactly 1 OCSP_RESPID */
1287 SSL_get_tlsext_status_ids(s, &ids);
1288 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1289 return SSL_TLSEXT_ERR_ALERT_FATAL;
1291 id = sk_OCSP_RESPID_value(ids, 0);
1292 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1293 return SSL_TLSEXT_ERR_ALERT_FATAL;
1294 } else if (*argi != 1) {
1295 return SSL_TLSEXT_ERR_ALERT_FATAL;
1298 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1299 return SSL_TLSEXT_ERR_ALERT_FATAL;
1301 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1302 ocsp_server_called = 1;
1303 return SSL_TLSEXT_ERR_OK;
1306 static int ocsp_client_cb(SSL *s, void *arg)
1308 int *argi = (int *)arg;
1309 const unsigned char *respderin;
1312 if (*argi != 1 && *argi != 2)
1315 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1316 if (!TEST_mem_eq(orespder, len, respderin, len))
1319 ocsp_client_called = 1;
1323 static int test_tlsext_status_type(void)
1325 SSL_CTX *cctx = NULL, *sctx = NULL;
1326 SSL *clientssl = NULL, *serverssl = NULL;
1328 STACK_OF(OCSP_RESPID) *ids = NULL;
1329 OCSP_RESPID *id = NULL;
1330 BIO *certbio = NULL;
1332 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1334 &sctx, &cctx, cert, privkey))
1337 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1340 /* First just do various checks getting and setting tlsext_status_type */
1342 clientssl = SSL_new(cctx);
1343 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1344 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1345 TLSEXT_STATUSTYPE_ocsp))
1346 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1347 TLSEXT_STATUSTYPE_ocsp))
1350 SSL_free(clientssl);
1353 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1354 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1357 clientssl = SSL_new(cctx);
1358 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1360 SSL_free(clientssl);
1364 * Now actually do a handshake and check OCSP information is exchanged and
1365 * the callbacks get called
1367 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1368 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1369 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1370 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1372 &clientssl, NULL, NULL))
1373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1375 || !TEST_true(ocsp_client_called)
1376 || !TEST_true(ocsp_server_called))
1378 SSL_free(serverssl);
1379 SSL_free(clientssl);
1383 /* Try again but this time force the server side callback to fail */
1384 ocsp_client_called = 0;
1385 ocsp_server_called = 0;
1387 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1388 &clientssl, NULL, NULL))
1389 /* This should fail because the callback will fail */
1390 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1392 || !TEST_false(ocsp_client_called)
1393 || !TEST_false(ocsp_server_called))
1395 SSL_free(serverssl);
1396 SSL_free(clientssl);
1401 * This time we'll get the client to send an OCSP_RESPID that it will
1404 ocsp_client_called = 0;
1405 ocsp_server_called = 0;
1407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1408 &clientssl, NULL, NULL)))
1412 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1413 * specific one. We'll use the server cert.
1415 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1416 || !TEST_ptr(id = OCSP_RESPID_new())
1417 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1418 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1420 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1421 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1424 SSL_set_tlsext_status_ids(clientssl, ids);
1425 /* Control has been transferred */
1431 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1433 || !TEST_true(ocsp_client_called)
1434 || !TEST_true(ocsp_server_called))
1440 SSL_free(serverssl);
1441 SSL_free(clientssl);
1444 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1445 OCSP_RESPID_free(id);
1447 X509_free(ocspcert);
1454 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1455 static int new_called, remove_called, get_called;
1457 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1461 * sess has been up-refed for us, but we don't actually need it so free it
1464 SSL_SESSION_free(sess);
1468 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1473 static SSL_SESSION *get_sess_val = NULL;
1475 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1480 return get_sess_val;
1483 static int execute_test_session(int maxprot, int use_int_cache,
1484 int use_ext_cache, long s_options)
1486 SSL_CTX *sctx = NULL, *cctx = NULL;
1487 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1488 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1489 # ifndef OPENSSL_NO_TLS1_1
1490 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1492 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1493 int testresult = 0, numnewsesstick = 1;
1495 new_called = remove_called = 0;
1497 /* TLSv1.3 sends 2 NewSessionTickets */
1498 if (maxprot == TLS1_3_VERSION)
1501 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1502 TLS_client_method(), TLS1_VERSION, 0,
1503 &sctx, &cctx, cert, privkey)))
1507 * Only allow the max protocol version so we can force a connection failure
1510 SSL_CTX_set_min_proto_version(cctx, maxprot);
1511 SSL_CTX_set_max_proto_version(cctx, maxprot);
1513 /* Set up session cache */
1514 if (use_ext_cache) {
1515 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1516 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1518 if (use_int_cache) {
1519 /* Also covers instance where both are set */
1520 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1522 SSL_CTX_set_session_cache_mode(cctx,
1523 SSL_SESS_CACHE_CLIENT
1524 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1528 SSL_CTX_set_options(sctx, s_options);
1531 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1533 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1535 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1538 /* Should fail because it should already be in the cache */
1539 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1542 && (!TEST_int_eq(new_called, numnewsesstick)
1544 || !TEST_int_eq(remove_called, 0)))
1547 new_called = remove_called = 0;
1548 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1549 &clientssl2, NULL, NULL))
1550 || !TEST_true(SSL_set_session(clientssl2, sess1))
1551 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1553 || !TEST_true(SSL_session_reused(clientssl2)))
1556 if (maxprot == TLS1_3_VERSION) {
1558 * In TLSv1.3 we should have created a new session even though we have
1559 * resumed. Since we attempted a resume we should also have removed the
1560 * old ticket from the cache so that we try to only use tickets once.
1563 && (!TEST_int_eq(new_called, 1)
1564 || !TEST_int_eq(remove_called, 1)))
1568 * In TLSv1.2 we expect to have resumed so no sessions added or
1572 && (!TEST_int_eq(new_called, 0)
1573 || !TEST_int_eq(remove_called, 0)))
1577 SSL_SESSION_free(sess1);
1578 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1580 shutdown_ssl_connection(serverssl2, clientssl2);
1581 serverssl2 = clientssl2 = NULL;
1583 new_called = remove_called = 0;
1584 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1585 &clientssl2, NULL, NULL))
1586 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1590 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1594 && (!TEST_int_eq(new_called, numnewsesstick)
1595 || !TEST_int_eq(remove_called, 0)))
1598 new_called = remove_called = 0;
1600 * This should clear sess2 from the cache because it is a "bad" session.
1601 * See SSL_set_session() documentation.
1603 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1606 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1608 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1611 if (use_int_cache) {
1612 /* Should succeeded because it should not already be in the cache */
1613 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1614 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1618 new_called = remove_called = 0;
1619 /* This shouldn't be in the cache so should fail */
1620 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1624 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1627 # if !defined(OPENSSL_NO_TLS1_1)
1628 new_called = remove_called = 0;
1629 /* Force a connection failure */
1630 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1631 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1632 &clientssl3, NULL, NULL))
1633 || !TEST_true(SSL_set_session(clientssl3, sess1))
1634 /* This should fail because of the mismatched protocol versions */
1635 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1639 /* We should have automatically removed the session from the cache */
1641 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1644 /* Should succeed because it should not already be in the cache */
1645 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1649 /* Now do some tests for server side caching */
1650 if (use_ext_cache) {
1651 SSL_CTX_sess_set_new_cb(cctx, NULL);
1652 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1653 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1654 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1655 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1656 get_sess_val = NULL;
1659 SSL_CTX_set_session_cache_mode(cctx, 0);
1660 /* Internal caching is the default on the server side */
1662 SSL_CTX_set_session_cache_mode(sctx,
1663 SSL_SESS_CACHE_SERVER
1664 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1666 SSL_free(serverssl1);
1667 SSL_free(clientssl1);
1668 serverssl1 = clientssl1 = NULL;
1669 SSL_free(serverssl2);
1670 SSL_free(clientssl2);
1671 serverssl2 = clientssl2 = NULL;
1672 SSL_SESSION_free(sess1);
1674 SSL_SESSION_free(sess2);
1677 SSL_CTX_set_max_proto_version(sctx, maxprot);
1678 if (maxprot == TLS1_2_VERSION)
1679 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1680 new_called = remove_called = get_called = 0;
1681 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1683 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1685 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1686 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1689 if (use_int_cache) {
1690 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1692 * In TLSv1.3 it should not have been added to the internal cache,
1693 * except in the case where we also have an external cache (in that
1694 * case it gets added to the cache in order to generate remove
1695 * events after timeout).
1697 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1700 /* Should fail because it should already be in the cache */
1701 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1706 if (use_ext_cache) {
1707 SSL_SESSION *tmp = sess2;
1709 if (!TEST_int_eq(new_called, numnewsesstick)
1710 || !TEST_int_eq(remove_called, 0)
1711 || !TEST_int_eq(get_called, 0))
1714 * Delete the session from the internal cache to force a lookup from
1715 * the external cache. We take a copy first because
1716 * SSL_CTX_remove_session() also marks the session as non-resumable.
1718 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1719 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1720 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1722 SSL_SESSION_free(sess2);
1727 new_called = remove_called = get_called = 0;
1728 get_sess_val = sess2;
1729 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1730 &clientssl2, NULL, NULL))
1731 || !TEST_true(SSL_set_session(clientssl2, sess1))
1732 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1734 || !TEST_true(SSL_session_reused(clientssl2)))
1737 if (use_ext_cache) {
1738 if (!TEST_int_eq(remove_called, 0))
1741 if (maxprot == TLS1_3_VERSION) {
1742 if (!TEST_int_eq(new_called, 1)
1743 || !TEST_int_eq(get_called, 0))
1746 if (!TEST_int_eq(new_called, 0)
1747 || !TEST_int_eq(get_called, 1))
1755 SSL_free(serverssl1);
1756 SSL_free(clientssl1);
1757 SSL_free(serverssl2);
1758 SSL_free(clientssl2);
1759 # ifndef OPENSSL_NO_TLS1_1
1760 SSL_free(serverssl3);
1761 SSL_free(clientssl3);
1763 SSL_SESSION_free(sess1);
1764 SSL_SESSION_free(sess2);
1770 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1772 static int test_session_with_only_int_cache(void)
1774 #ifndef OPENSSL_NO_TLS1_3
1775 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
1779 #ifndef OPENSSL_NO_TLS1_2
1780 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
1786 static int test_session_with_only_ext_cache(void)
1788 #ifndef OPENSSL_NO_TLS1_3
1789 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
1793 #ifndef OPENSSL_NO_TLS1_2
1794 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
1800 static int test_session_with_both_cache(void)
1802 #ifndef OPENSSL_NO_TLS1_3
1803 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
1807 #ifndef OPENSSL_NO_TLS1_2
1808 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
1814 static int test_session_wo_ca_names(void)
1816 #ifndef OPENSSL_NO_TLS1_3
1817 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
1821 #ifndef OPENSSL_NO_TLS1_2
1822 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
1829 #ifndef OPENSSL_NO_TLS1_3
1830 static SSL_SESSION *sesscache[6];
1831 static int do_cache;
1833 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1836 sesscache[new_called] = sess;
1838 /* We don't need the reference to the session, so free it */
1839 SSL_SESSION_free(sess);
1846 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1848 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1849 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1852 /* Start handshake on the server and client */
1853 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1854 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1855 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1856 || !TEST_true(create_ssl_connection(sssl, cssl,
1863 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1866 int sess_id_ctx = 1;
1868 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1869 TLS_client_method(), TLS1_VERSION, 0,
1870 sctx, cctx, cert, privkey))
1871 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1872 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1873 (void *)&sess_id_ctx,
1874 sizeof(sess_id_ctx))))
1878 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1880 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1881 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1882 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1887 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1889 SSL *serverssl = NULL, *clientssl = NULL;
1892 /* Test that we can resume with all the tickets we got given */
1893 for (i = 0; i < idx * 2; i++) {
1895 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1896 &clientssl, NULL, NULL))
1897 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1900 SSL_set_post_handshake_auth(clientssl, 1);
1902 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1907 * Following a successful resumption we only get 1 ticket. After a
1908 * failed one we should get idx tickets.
1911 if (!TEST_true(SSL_session_reused(clientssl))
1912 || !TEST_int_eq(new_called, 1))
1915 if (!TEST_false(SSL_session_reused(clientssl))
1916 || !TEST_int_eq(new_called, idx))
1921 /* After a post-handshake authentication we should get 1 new ticket */
1923 && (!post_handshake_verify(serverssl, clientssl)
1924 || !TEST_int_eq(new_called, 1)))
1927 SSL_shutdown(clientssl);
1928 SSL_shutdown(serverssl);
1929 SSL_free(serverssl);
1930 SSL_free(clientssl);
1931 serverssl = clientssl = NULL;
1932 SSL_SESSION_free(sesscache[i]);
1933 sesscache[i] = NULL;
1939 SSL_free(clientssl);
1940 SSL_free(serverssl);
1944 static int test_tickets(int stateful, int idx)
1946 SSL_CTX *sctx = NULL, *cctx = NULL;
1947 SSL *serverssl = NULL, *clientssl = NULL;
1951 /* idx is the test number, but also the number of tickets we want */
1956 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL)))
1963 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1965 /* Check we got the number of tickets we were expecting */
1966 || !TEST_int_eq(idx, new_called))
1969 SSL_shutdown(clientssl);
1970 SSL_shutdown(serverssl);
1971 SSL_free(serverssl);
1972 SSL_free(clientssl);
1975 clientssl = serverssl = NULL;
1979 * Now we try to resume with the tickets we previously created. The
1980 * resumption attempt is expected to fail (because we're now using a new
1981 * SSL_CTX). We should see idx number of tickets issued again.
1984 /* Stop caching sessions - just count them */
1987 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1990 if (!check_resumption(idx, sctx, cctx, 0))
1993 /* Start again with caching sessions */
2000 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2003 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2004 &clientssl, NULL, NULL)))
2007 SSL_set_post_handshake_auth(clientssl, 1);
2009 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2011 /* Check we got the number of tickets we were expecting */
2012 || !TEST_int_eq(idx, new_called))
2015 /* After a post-handshake authentication we should get new tickets issued */
2016 if (!post_handshake_verify(serverssl, clientssl)
2017 || !TEST_int_eq(idx * 2, new_called))
2020 SSL_shutdown(clientssl);
2021 SSL_shutdown(serverssl);
2022 SSL_free(serverssl);
2023 SSL_free(clientssl);
2024 serverssl = clientssl = NULL;
2026 /* Stop caching sessions - just count them */
2030 * Check we can resume with all the tickets we created. This time around the
2031 * resumptions should all be successful.
2033 if (!check_resumption(idx, sctx, cctx, 1))
2039 SSL_free(serverssl);
2040 SSL_free(clientssl);
2041 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2042 SSL_SESSION_free(sesscache[j]);
2043 sesscache[j] = NULL;
2051 static int test_stateless_tickets(int idx)
2053 return test_tickets(0, idx);
2056 static int test_stateful_tickets(int idx)
2058 return test_tickets(1, idx);
2061 static int test_psk_tickets(void)
2063 SSL_CTX *sctx = NULL, *cctx = NULL;
2064 SSL *serverssl = NULL, *clientssl = NULL;
2066 int sess_id_ctx = 1;
2068 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2069 TLS_client_method(), TLS1_VERSION, 0,
2070 &sctx, &cctx, NULL, NULL))
2071 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2072 (void *)&sess_id_ctx,
2073 sizeof(sess_id_ctx))))
2076 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2077 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2078 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2079 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2080 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2081 use_session_cb_cnt = 0;
2082 find_session_cb_cnt = 0;
2086 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2089 clientpsk = serverpsk = create_a_psk(clientssl);
2090 if (!TEST_ptr(clientpsk))
2092 SSL_SESSION_up_ref(clientpsk);
2094 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2096 || !TEST_int_eq(1, find_session_cb_cnt)
2097 || !TEST_int_eq(1, use_session_cb_cnt)
2098 /* We should always get 1 ticket when using external PSK */
2099 || !TEST_int_eq(1, new_called))
2105 SSL_free(serverssl);
2106 SSL_free(clientssl);
2109 SSL_SESSION_free(clientpsk);
2110 SSL_SESSION_free(serverpsk);
2111 clientpsk = serverpsk = NULL;
2116 static int test_extra_tickets(int idx)
2118 SSL_CTX *sctx = NULL, *cctx = NULL;
2119 SSL *serverssl = NULL, *clientssl = NULL;
2120 BIO *bretry = BIO_new(bio_s_always_retry());
2125 unsigned char c, buf[1];
2135 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2137 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2138 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2139 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2141 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2142 &clientssl, NULL, NULL)))
2146 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2147 * incremented by both client and server.
2149 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2151 /* Check we got the number of tickets we were expecting */
2152 || !TEST_int_eq(idx * 2, new_called)
2153 || !TEST_true(SSL_new_session_ticket(serverssl))
2154 || !TEST_true(SSL_new_session_ticket(serverssl))
2155 || !TEST_int_eq(idx * 2, new_called))
2158 /* Now try a (real) write to actually send the tickets */
2160 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2161 || !TEST_size_t_eq(1, nbytes)
2162 || !TEST_int_eq(idx * 2 + 2, new_called)
2163 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2164 || !TEST_int_eq(idx * 2 + 4, new_called)
2165 || !TEST_int_eq(sizeof(buf), nbytes)
2166 || !TEST_int_eq(c, buf[0])
2167 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2170 /* Try with only requesting one new ticket, too */
2173 if (!TEST_true(SSL_new_session_ticket(serverssl))
2174 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2175 || !TEST_size_t_eq(sizeof(c), nbytes)
2176 || !TEST_int_eq(1, new_called)
2177 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2178 || !TEST_int_eq(2, new_called)
2179 || !TEST_size_t_eq(sizeof(buf), nbytes)
2180 || !TEST_int_eq(c, buf[0]))
2183 /* Do it again but use dummy writes to drive the ticket generation */
2186 if (!TEST_true(SSL_new_session_ticket(serverssl))
2187 || !TEST_true(SSL_new_session_ticket(serverssl))
2188 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2189 || !TEST_size_t_eq(0, nbytes)
2190 || !TEST_int_eq(2, new_called)
2191 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2192 || !TEST_int_eq(4, new_called))
2196 * Use the always-retry BIO to exercise the logic that forces ticket
2197 * generation to wait until a record boundary.
2201 tmp = SSL_get_wbio(serverssl);
2202 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2206 SSL_set0_wbio(serverssl, bretry);
2208 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2209 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2210 || !TEST_size_t_eq(nbytes, 0))
2212 /* Restore a BIO that will let the write succeed */
2213 SSL_set0_wbio(serverssl, tmp);
2215 /* These calls should just queue the request and not send anything. */
2216 if (!TEST_true(SSL_new_session_ticket(serverssl))
2217 || !TEST_true(SSL_new_session_ticket(serverssl))
2218 || !TEST_int_eq(0, new_called))
2220 /* Re-do the write; still no tickets sent */
2221 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2222 || !TEST_size_t_eq(1, nbytes)
2223 || !TEST_int_eq(0, new_called)
2224 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2225 || !TEST_int_eq(0, new_called)
2226 || !TEST_int_eq(sizeof(buf), nbytes)
2227 || !TEST_int_eq(c, buf[0])
2228 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2230 /* Now the *next* write should send the tickets */
2232 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2233 || !TEST_size_t_eq(1, nbytes)
2234 || !TEST_int_eq(2, new_called)
2235 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2236 || !TEST_int_eq(4, new_called)
2237 || !TEST_int_eq(sizeof(buf), nbytes)
2238 || !TEST_int_eq(c, buf[0])
2239 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2242 SSL_shutdown(clientssl);
2243 SSL_shutdown(serverssl);
2249 SSL_free(serverssl);
2250 SSL_free(clientssl);
2253 clientssl = serverssl = NULL;
2262 #define USE_DEFAULT 3
2264 #define CONNTYPE_CONNECTION_SUCCESS 0
2265 #define CONNTYPE_CONNECTION_FAIL 1
2266 #define CONNTYPE_NO_CONNECTION 2
2268 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2269 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2270 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2271 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2273 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2276 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2277 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2278 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2280 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2297 * Tests calls to SSL_set_bio() under various conditions.
2299 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2300 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2301 * then do more tests where we create a successful connection first using our
2302 * standard connection setup functions, and then call SSL_set_bio() with
2303 * various combinations of valid BIOs or NULL. We then repeat these tests
2304 * following a failed connection. In this last case we are looking to check that
2305 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2307 static int test_ssl_set_bio(int idx)
2309 SSL_CTX *sctx = NULL, *cctx = NULL;
2312 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2313 SSL *serverssl = NULL, *clientssl = NULL;
2314 int initrbio, initwbio, newrbio, newwbio, conntype;
2317 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2325 conntype = CONNTYPE_NO_CONNECTION;
2327 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2328 initrbio = initwbio = USE_DEFAULT;
2336 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2337 TLS_client_method(), TLS1_VERSION, 0,
2338 &sctx, &cctx, cert, privkey)))
2341 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2343 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2344 * because we reduced the number of tests in the definition of
2345 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2346 * mismatched protocol versions we will force a connection failure.
2348 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2349 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2352 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2356 if (initrbio == USE_BIO_1
2357 || initwbio == USE_BIO_1
2358 || newrbio == USE_BIO_1
2359 || newwbio == USE_BIO_1) {
2360 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2364 if (initrbio == USE_BIO_2
2365 || initwbio == USE_BIO_2
2366 || newrbio == USE_BIO_2
2367 || newwbio == USE_BIO_2) {
2368 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2372 if (initrbio != USE_DEFAULT) {
2373 setupbio(&irbio, bio1, bio2, initrbio);
2374 setupbio(&iwbio, bio1, bio2, initwbio);
2375 SSL_set_bio(clientssl, irbio, iwbio);
2378 * We want to maintain our own refs to these BIO, so do an up ref for
2379 * each BIO that will have ownership transferred in the SSL_set_bio()
2384 if (iwbio != NULL && iwbio != irbio)
2388 if (conntype != CONNTYPE_NO_CONNECTION
2389 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2391 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2394 setupbio(&nrbio, bio1, bio2, newrbio);
2395 setupbio(&nwbio, bio1, bio2, newwbio);
2398 * We will (maybe) transfer ownership again so do more up refs.
2399 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2404 && (nwbio != iwbio || nrbio != nwbio))
2408 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2411 SSL_set_bio(clientssl, nrbio, nwbio);
2420 * This test is checking that the ref counting for SSL_set_bio is correct.
2421 * If we get here and we did too many frees then we will fail in the above
2424 SSL_free(serverssl);
2425 SSL_free(clientssl);
2431 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2433 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2435 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2440 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2441 || !TEST_ptr(ssl = SSL_new(ctx))
2442 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2443 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2446 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2449 * If anything goes wrong here then we could leak memory.
2451 BIO_push(sslbio, membio1);
2453 /* Verify changing the rbio/wbio directly does not cause leaks */
2454 if (change_bio != NO_BIO_CHANGE) {
2455 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2457 if (change_bio == CHANGE_RBIO)
2458 SSL_set0_rbio(ssl, membio2);
2460 SSL_set0_wbio(ssl, membio2);
2479 static int test_ssl_bio_pop_next_bio(void)
2481 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2484 static int test_ssl_bio_pop_ssl_bio(void)
2486 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2489 static int test_ssl_bio_change_rbio(void)
2491 return execute_test_ssl_bio(0, CHANGE_RBIO);
2494 static int test_ssl_bio_change_wbio(void)
2496 return execute_test_ssl_bio(0, CHANGE_WBIO);
2499 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2501 /* The list of sig algs */
2503 /* The length of the list */
2505 /* A sigalgs list in string format */
2506 const char *liststr;
2507 /* Whether setting the list should succeed */
2509 /* Whether creating a connection with the list should succeed */
2513 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2514 # ifndef OPENSSL_NO_EC
2515 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2516 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2518 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2519 static const int invalidlist2[] = {NID_sha256, NID_undef};
2520 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2521 static const int invalidlist4[] = {NID_sha256};
2522 static const sigalgs_list testsigalgs[] = {
2523 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2524 # ifndef OPENSSL_NO_EC
2525 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2526 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2528 {NULL, 0, "RSA+SHA256", 1, 1},
2529 # ifndef OPENSSL_NO_EC
2530 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2531 {NULL, 0, "ECDSA+SHA512", 1, 0},
2533 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2534 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2535 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2536 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2537 {NULL, 0, "RSA", 0, 0},
2538 {NULL, 0, "SHA256", 0, 0},
2539 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2540 {NULL, 0, "Invalid", 0, 0}
2543 static int test_set_sigalgs(int idx)
2545 SSL_CTX *cctx = NULL, *sctx = NULL;
2546 SSL *clientssl = NULL, *serverssl = NULL;
2548 const sigalgs_list *curr;
2551 /* Should never happen */
2552 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2555 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2556 curr = testctx ? &testsigalgs[idx]
2557 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2559 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2560 TLS_client_method(), TLS1_VERSION, 0,
2561 &sctx, &cctx, cert, privkey)))
2565 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2566 * for TLSv1.2 for now until we add a new API.
2568 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2573 if (curr->list != NULL)
2574 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2576 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2580 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2586 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2592 &clientssl, NULL, NULL)))
2598 if (curr->list != NULL)
2599 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2601 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2604 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2613 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2621 SSL_free(serverssl);
2622 SSL_free(clientssl);
2630 #ifndef OPENSSL_NO_TLS1_3
2631 static int psk_client_cb_cnt = 0;
2632 static int psk_server_cb_cnt = 0;
2634 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2635 size_t *idlen, SSL_SESSION **sess)
2637 switch (++use_session_cb_cnt) {
2639 /* The first call should always have a NULL md */
2645 /* The second call should always have an md */
2651 /* We should only be called a maximum of twice */
2655 if (clientpsk != NULL)
2656 SSL_SESSION_up_ref(clientpsk);
2659 *id = (const unsigned char *)pskid;
2660 *idlen = strlen(pskid);
2665 #ifndef OPENSSL_NO_PSK
2666 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2667 unsigned int max_id_len,
2669 unsigned int max_psk_len)
2671 unsigned int psklen = 0;
2673 psk_client_cb_cnt++;
2675 if (strlen(pskid) + 1 > max_id_len)
2678 /* We should only ever be called a maximum of twice per connection */
2679 if (psk_client_cb_cnt > 2)
2682 if (clientpsk == NULL)
2685 /* We'll reuse the PSK we set up for TLSv1.3 */
2686 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2688 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2689 strncpy(id, pskid, max_id_len);
2693 #endif /* OPENSSL_NO_PSK */
2695 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2696 size_t identity_len, SSL_SESSION **sess)
2698 find_session_cb_cnt++;
2700 /* We should only ever be called a maximum of twice per connection */
2701 if (find_session_cb_cnt > 2)
2704 if (serverpsk == NULL)
2707 /* Identity should match that set by the client */
2708 if (strlen(srvid) != identity_len
2709 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2710 /* No PSK found, continue but without a PSK */
2715 SSL_SESSION_up_ref(serverpsk);
2721 #ifndef OPENSSL_NO_PSK
2722 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2723 unsigned char *psk, unsigned int max_psk_len)
2725 unsigned int psklen = 0;
2727 psk_server_cb_cnt++;
2729 /* We should only ever be called a maximum of twice per connection */
2730 if (find_session_cb_cnt > 2)
2733 if (serverpsk == NULL)
2736 /* Identity should match that set by the client */
2737 if (strcmp(srvid, identity) != 0) {
2741 /* We'll reuse the PSK we set up for TLSv1.3 */
2742 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2744 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2748 #endif /* OPENSSL_NO_PSK */
2750 #define MSG1 "Hello"
2751 #define MSG2 "World."
2756 #define MSG7 "message."
2758 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2759 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2762 static SSL_SESSION *create_a_psk(SSL *ssl)
2764 const SSL_CIPHER *cipher = NULL;
2765 const unsigned char key[] = {
2766 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2767 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2768 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2769 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2770 0x2c, 0x2d, 0x2e, 0x2f
2772 SSL_SESSION *sess = NULL;
2774 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2775 sess = SSL_SESSION_new();
2777 || !TEST_ptr(cipher)
2778 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2780 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2782 SSL_SESSION_set_protocol_version(sess,
2784 SSL_SESSION_free(sess);
2791 * Helper method to setup objects for early data test. Caller frees objects on
2794 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2795 SSL **serverssl, SSL_SESSION **sess, int idx)
2798 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2799 TLS_client_method(),
2801 sctx, cctx, cert, privkey)))
2804 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2808 /* When idx == 1 we repeat the tests with read_ahead set */
2809 SSL_CTX_set_read_ahead(*cctx, 1);
2810 SSL_CTX_set_read_ahead(*sctx, 1);
2811 } else if (idx == 2) {
2812 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2813 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2814 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2815 use_session_cb_cnt = 0;
2816 find_session_cb_cnt = 0;
2820 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2825 * For one of the run throughs (doesn't matter which one), we'll try sending
2826 * some SNI data in the initial ClientHello. This will be ignored (because
2827 * there is no SNI cb set up by the server), so it should not impact
2831 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2835 clientpsk = create_a_psk(*clientssl);
2836 if (!TEST_ptr(clientpsk)
2838 * We just choose an arbitrary value for max_early_data which
2839 * should be big enough for testing purposes.
2841 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2843 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2844 SSL_SESSION_free(clientpsk);
2848 serverpsk = clientpsk;
2851 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2852 SSL_SESSION_free(clientpsk);
2853 SSL_SESSION_free(serverpsk);
2854 clientpsk = serverpsk = NULL;
2865 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2869 *sess = SSL_get1_session(*clientssl);
2870 SSL_shutdown(*clientssl);
2871 SSL_shutdown(*serverssl);
2872 SSL_free(*serverssl);
2873 SSL_free(*clientssl);
2874 *serverssl = *clientssl = NULL;
2876 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2877 clientssl, NULL, NULL))
2878 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2884 static int test_early_data_read_write(int idx)
2886 SSL_CTX *cctx = NULL, *sctx = NULL;
2887 SSL *clientssl = NULL, *serverssl = NULL;
2889 SSL_SESSION *sess = NULL;
2890 unsigned char buf[20], data[1024];
2891 size_t readbytes, written, eoedlen, rawread, rawwritten;
2894 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2895 &serverssl, &sess, idx)))
2898 /* Write and read some early data */
2899 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2901 || !TEST_size_t_eq(written, strlen(MSG1))
2902 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2903 sizeof(buf), &readbytes),
2904 SSL_READ_EARLY_DATA_SUCCESS)
2905 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2906 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2907 SSL_EARLY_DATA_ACCEPTED))
2911 * Server should be able to write data, and client should be able to
2914 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2916 || !TEST_size_t_eq(written, strlen(MSG2))
2917 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2918 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2921 /* Even after reading normal data, client should be able write early data */
2922 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2924 || !TEST_size_t_eq(written, strlen(MSG3)))
2927 /* Server should still be able read early data after writing data */
2928 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2930 SSL_READ_EARLY_DATA_SUCCESS)
2931 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2934 /* Write more data from server and read it from client */
2935 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2937 || !TEST_size_t_eq(written, strlen(MSG4))
2938 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2939 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2943 * If client writes normal data it should mean writing early data is no
2946 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2947 || !TEST_size_t_eq(written, strlen(MSG5))
2948 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2949 SSL_EARLY_DATA_ACCEPTED))
2953 * At this point the client has written EndOfEarlyData, ClientFinished and
2954 * normal (fully protected) data. We are going to cause a delay between the
2955 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2956 * in the read BIO, and then just put back the EndOfEarlyData message.
2958 rbio = SSL_get_rbio(serverssl);
2959 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2960 || !TEST_size_t_lt(rawread, sizeof(data))
2961 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2964 /* Record length is in the 4th and 5th bytes of the record header */
2965 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2966 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2967 || !TEST_size_t_eq(rawwritten, eoedlen))
2970 /* Server should be told that there is no more early data */
2971 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2973 SSL_READ_EARLY_DATA_FINISH)
2974 || !TEST_size_t_eq(readbytes, 0))
2978 * Server has not finished init yet, so should still be able to write early
2981 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2983 || !TEST_size_t_eq(written, strlen(MSG6)))
2986 /* Push the ClientFinished and the normal data back into the server rbio */
2987 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2989 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2992 /* Server should be able to read normal data */
2993 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2994 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2997 /* Client and server should not be able to write/read early data now */
2998 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3002 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3004 SSL_READ_EARLY_DATA_ERROR))
3008 /* Client should be able to read the data sent by the server */
3009 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3010 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3014 * Make sure we process the two NewSessionTickets. These arrive
3015 * post-handshake. We attempt reads which we do not expect to return any
3018 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3019 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3023 /* Server should be able to write normal data */
3024 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3025 || !TEST_size_t_eq(written, strlen(MSG7))
3026 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3027 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3030 SSL_SESSION_free(sess);
3031 sess = SSL_get1_session(clientssl);
3032 use_session_cb_cnt = 0;
3033 find_session_cb_cnt = 0;
3035 SSL_shutdown(clientssl);
3036 SSL_shutdown(serverssl);
3037 SSL_free(serverssl);
3038 SSL_free(clientssl);
3039 serverssl = clientssl = NULL;
3040 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3041 &clientssl, NULL, NULL))
3042 || !TEST_true(SSL_set_session(clientssl, sess)))
3045 /* Write and read some early data */
3046 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3048 || !TEST_size_t_eq(written, strlen(MSG1))
3049 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3051 SSL_READ_EARLY_DATA_SUCCESS)
3052 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3055 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3056 || !TEST_int_gt(SSL_accept(serverssl), 0))
3059 /* Client and server should not be able to write/read early data now */
3060 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3064 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3066 SSL_READ_EARLY_DATA_ERROR))
3070 /* Client and server should be able to write/read normal data */
3071 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3072 || !TEST_size_t_eq(written, strlen(MSG5))
3073 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3074 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3080 SSL_SESSION_free(sess);
3081 SSL_SESSION_free(clientpsk);
3082 SSL_SESSION_free(serverpsk);
3083 clientpsk = serverpsk = NULL;
3084 SSL_free(serverssl);
3085 SSL_free(clientssl);
3091 static int allow_ed_cb_called = 0;
3093 static int allow_early_data_cb(SSL *s, void *arg)
3095 int *usecb = (int *)arg;
3097 allow_ed_cb_called++;
3106 * idx == 0: Standard early_data setup
3107 * idx == 1: early_data setup using read_ahead
3108 * usecb == 0: Don't use a custom early data callback
3109 * usecb == 1: Use a custom early data callback and reject the early data
3110 * usecb == 2: Use a custom early data callback and accept the early data
3111 * confopt == 0: Configure anti-replay directly
3112 * confopt == 1: Configure anti-replay using SSL_CONF
3114 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3116 SSL_CTX *cctx = NULL, *sctx = NULL;
3117 SSL *clientssl = NULL, *serverssl = NULL;
3119 SSL_SESSION *sess = NULL;
3120 size_t readbytes, written;
3121 unsigned char buf[20];
3123 allow_ed_cb_called = 0;
3125 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3126 TLS_client_method(), TLS1_VERSION, 0,
3127 &sctx, &cctx, cert, privkey)))
3132 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3134 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3136 if (!TEST_ptr(confctx))
3138 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3139 | SSL_CONF_FLAG_SERVER);
3140 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3141 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3143 SSL_CONF_CTX_free(confctx);
3146 SSL_CONF_CTX_free(confctx);
3148 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3151 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3152 &serverssl, &sess, idx)))
3156 * The server is configured to accept early data. Create a connection to
3157 * "use up" the ticket
3159 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3160 || !TEST_true(SSL_session_reused(clientssl)))
3163 SSL_shutdown(clientssl);
3164 SSL_shutdown(serverssl);
3165 SSL_free(serverssl);
3166 SSL_free(clientssl);
3167 serverssl = clientssl = NULL;
3169 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3170 &clientssl, NULL, NULL))
3171 || !TEST_true(SSL_set_session(clientssl, sess)))
3174 /* Write and read some early data */
3175 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3177 || !TEST_size_t_eq(written, strlen(MSG1)))
3181 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3183 SSL_READ_EARLY_DATA_FINISH)
3185 * The ticket was reused, so the we should have rejected the
3188 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3189 SSL_EARLY_DATA_REJECTED))
3192 /* In this case the callback decides to accept the early data */
3193 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3195 SSL_READ_EARLY_DATA_SUCCESS)
3196 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3198 * Server will have sent its flight so client can now send
3199 * end of early data and complete its half of the handshake
3201 || !TEST_int_gt(SSL_connect(clientssl), 0)
3202 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3204 SSL_READ_EARLY_DATA_FINISH)
3205 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3206 SSL_EARLY_DATA_ACCEPTED))
3210 /* Complete the connection */
3211 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3212 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3213 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3219 SSL_SESSION_free(sess);
3220 SSL_SESSION_free(clientpsk);
3221 SSL_SESSION_free(serverpsk);
3222 clientpsk = serverpsk = NULL;
3223 SSL_free(serverssl);
3224 SSL_free(clientssl);
3230 static int test_early_data_replay(int idx)
3232 int ret = 1, usecb, confopt;
3234 for (usecb = 0; usecb < 3; usecb++) {
3235 for (confopt = 0; confopt < 2; confopt++)
3236 ret &= test_early_data_replay_int(idx, usecb, confopt);
3243 * Helper function to test that a server attempting to read early data can
3244 * handle a connection from a client where the early data should be skipped.
3245 * testtype: 0 == No HRR
3246 * testtype: 1 == HRR
3247 * testtype: 2 == HRR, invalid early_data sent after HRR
3248 * testtype: 3 == recv_max_early_data set to 0
3250 static int early_data_skip_helper(int testtype, int idx)
3252 SSL_CTX *cctx = NULL, *sctx = NULL;
3253 SSL *clientssl = NULL, *serverssl = NULL;
3255 SSL_SESSION *sess = NULL;
3256 unsigned char buf[20];
3257 size_t readbytes, written;
3259 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3260 &serverssl, &sess, idx)))
3263 if (testtype == 1 || testtype == 2) {
3264 /* Force an HRR to occur */
3265 #if defined(OPENSSL_NO_EC)
3266 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3269 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3272 } else if (idx == 2) {
3274 * We force early_data rejection by ensuring the PSK identity is
3277 srvid = "Dummy Identity";
3280 * Deliberately corrupt the creation time. We take 20 seconds off the
3281 * time. It could be any value as long as it is not within tolerance.
3282 * This should mean the ticket is rejected.
3284 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3289 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3292 /* Write some early data */
3293 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3295 || !TEST_size_t_eq(written, strlen(MSG1)))
3298 /* Server should reject the early data */
3299 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3301 SSL_READ_EARLY_DATA_FINISH)
3302 || !TEST_size_t_eq(readbytes, 0)
3303 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3304 SSL_EARLY_DATA_REJECTED))
3314 * Finish off the handshake. We perform the same writes and reads as
3315 * further down but we expect them to fail due to the incomplete
3318 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3319 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3326 BIO *wbio = SSL_get_wbio(clientssl);
3327 /* A record that will appear as bad early_data */
3328 const unsigned char bad_early_data[] = {
3329 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3333 * We force the client to attempt a write. This will fail because
3334 * we're still in the handshake. It will cause the second
3335 * ClientHello to be sent.
3337 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3342 * Inject some early_data after the second ClientHello. This should
3343 * cause the server to fail
3345 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3346 sizeof(bad_early_data), &written)))
3353 * This client has sent more early_data than we are willing to skip
3354 * (case 3) or sent invalid early_data (case 2) so the connection should
3357 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3358 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3361 /* Connection has failed - nothing more to do */
3366 TEST_error("Invalid test type");
3371 * Should be able to send normal data despite rejection of early data. The
3372 * early_data should be skipped.
3374 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3375 || !TEST_size_t_eq(written, strlen(MSG2))
3376 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3377 SSL_EARLY_DATA_REJECTED)
3378 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3379 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3385 SSL_SESSION_free(clientpsk);
3386 SSL_SESSION_free(serverpsk);
3387 clientpsk = serverpsk = NULL;
3388 SSL_SESSION_free(sess);
3389 SSL_free(serverssl);
3390 SSL_free(clientssl);
3397 * Test that a server attempting to read early data can handle a connection
3398 * from a client where the early data is not acceptable.
3400 static int test_early_data_skip(int idx)
3402 return early_data_skip_helper(0, idx);
3406 * Test that a server attempting to read early data can handle a connection
3407 * from a client where an HRR occurs.
3409 static int test_early_data_skip_hrr(int idx)
3411 return early_data_skip_helper(1, idx);
3415 * Test that a server attempting to read early data can handle a connection
3416 * from a client where an HRR occurs and correctly fails if early_data is sent
3419 static int test_early_data_skip_hrr_fail(int idx)
3421 return early_data_skip_helper(2, idx);
3425 * Test that a server attempting to read early data will abort if it tries to
3426 * skip over too much.
3428 static int test_early_data_skip_abort(int idx)
3430 return early_data_skip_helper(3, idx);
3434 * Test that a server attempting to read early data can handle a connection
3435 * from a client that doesn't send any.
3437 static int test_early_data_not_sent(int idx)
3439 SSL_CTX *cctx = NULL, *sctx = NULL;
3440 SSL *clientssl = NULL, *serverssl = NULL;
3442 SSL_SESSION *sess = NULL;
3443 unsigned char buf[20];
3444 size_t readbytes, written;
3446 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3447 &serverssl, &sess, idx)))
3450 /* Write some data - should block due to handshake with server */
3451 SSL_set_connect_state(clientssl);
3452 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3455 /* Server should detect that early data has not been sent */
3456 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3458 SSL_READ_EARLY_DATA_FINISH)
3459 || !TEST_size_t_eq(readbytes, 0)
3460 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3461 SSL_EARLY_DATA_NOT_SENT)
3462 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3463 SSL_EARLY_DATA_NOT_SENT))
3466 /* Continue writing the message we started earlier */
3467 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3468 || !TEST_size_t_eq(written, strlen(MSG1))
3469 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3470 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3471 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3472 || !TEST_size_t_eq(written, strlen(MSG2)))
3475 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3476 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3482 SSL_SESSION_free(sess);
3483 SSL_SESSION_free(clientpsk);
3484 SSL_SESSION_free(serverpsk);
3485 clientpsk = serverpsk = NULL;
3486 SSL_free(serverssl);
3487 SSL_free(clientssl);
3493 static const char *servalpn;
3495 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3496 unsigned char *outlen, const unsigned char *in,
3497 unsigned int inlen, void *arg)
3499 unsigned int protlen = 0;
3500 const unsigned char *prot;
3502 for (prot = in; prot < in + inlen; prot += protlen) {
3504 if (in + inlen < prot + protlen)
3505 return SSL_TLSEXT_ERR_NOACK;
3507 if (protlen == strlen(servalpn)
3508 && memcmp(prot, servalpn, protlen) == 0) {
3511 return SSL_TLSEXT_ERR_OK;
3515 return SSL_TLSEXT_ERR_NOACK;
3518 /* Test that a PSK can be used to send early_data */
3519 static int test_early_data_psk(int idx)
3521 SSL_CTX *cctx = NULL, *sctx = NULL;
3522 SSL *clientssl = NULL, *serverssl = NULL;
3524 SSL_SESSION *sess = NULL;
3525 unsigned char alpnlist[] = {
3526 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3529 #define GOODALPNLEN 9
3530 #define BADALPNLEN 8
3531 #define GOODALPN (alpnlist)
3532 #define BADALPN (alpnlist + GOODALPNLEN)
3534 unsigned char buf[20];
3535 size_t readbytes, written;
3536 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3537 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3539 /* We always set this up with a final parameter of "2" for PSK */
3540 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3541 &serverssl, &sess, 2)))
3544 servalpn = "goodalpn";
3547 * Note: There is no test for inconsistent SNI with late client detection.
3548 * This is because servers do not acknowledge SNI even if they are using
3549 * it in a resumption handshake - so it is not actually possible for a
3550 * client to detect a problem.
3554 /* Set inconsistent SNI (early client detection) */
3555 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3556 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3557 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3562 /* Set inconsistent ALPN (early client detection) */
3563 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3564 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3565 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3567 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3574 * Set invalid protocol version. Technically this affects PSKs without
3575 * early_data too, but we test it here because it is similar to the
3576 * SNI/ALPN consistency tests.
3578 err = SSL_R_BAD_PSK;
3579 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3585 * Set inconsistent SNI (server side). In this case the connection
3586 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3587 * is associated with each handshake - not the session. Therefore it
3588 * should not matter that we used a different server name last time.
3590 SSL_SESSION_free(serverpsk);
3591 serverpsk = SSL_SESSION_dup(clientpsk);
3592 if (!TEST_ptr(serverpsk)
3593 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3597 /* Set consistent SNI */
3598 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3599 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3600 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3607 * Set inconsistent ALPN (server detected). In this case the connection
3608 * will succeed but reject early_data.
3610 servalpn = "badalpn";
3611 edstatus = SSL_EARLY_DATA_REJECTED;
3612 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3616 * Set consistent ALPN.
3617 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3618 * accepts a list of protos (each one length prefixed).
3619 * SSL_set1_alpn_selected accepts a single protocol (not length
3622 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3624 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3628 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3632 /* Set inconsistent ALPN (late client detection) */
3633 SSL_SESSION_free(serverpsk);
3634 serverpsk = SSL_SESSION_dup(clientpsk);
3635 if (!TEST_ptr(serverpsk)
3636 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3639 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3642 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3645 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3646 edstatus = SSL_EARLY_DATA_ACCEPTED;
3647 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3648 /* SSL_connect() call should fail */
3653 TEST_error("Bad test index");
3657 SSL_set_connect_state(clientssl);
3659 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3661 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3662 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3665 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3669 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3670 &readbytes), readearlyres)
3671 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3672 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3673 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3674 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3681 SSL_SESSION_free(sess);
3682 SSL_SESSION_free(clientpsk);
3683 SSL_SESSION_free(serverpsk);
3684 clientpsk = serverpsk = NULL;
3685 SSL_free(serverssl);
3686 SSL_free(clientssl);
3693 * Test that a server that doesn't try to read early data can handle a
3694 * client sending some.
3696 static int test_early_data_not_expected(int idx)
3698 SSL_CTX *cctx = NULL, *sctx = NULL;
3699 SSL *clientssl = NULL, *serverssl = NULL;
3701 SSL_SESSION *sess = NULL;
3702 unsigned char buf[20];
3703 size_t readbytes, written;
3705 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3706 &serverssl, &sess, idx)))
3709 /* Write some early data */
3710 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3715 * Server should skip over early data and then block waiting for client to
3716 * continue handshake
3718 if (!TEST_int_le(SSL_accept(serverssl), 0)
3719 || !TEST_int_gt(SSL_connect(clientssl), 0)
3720 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3721 SSL_EARLY_DATA_REJECTED)
3722 || !TEST_int_gt(SSL_accept(serverssl), 0)
3723 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3724 SSL_EARLY_DATA_REJECTED))
3727 /* Send some normal data from client to server */
3728 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3729 || !TEST_size_t_eq(written, strlen(MSG2)))
3732 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3733 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3739 SSL_SESSION_free(sess);
3740 SSL_SESSION_free(clientpsk);
3741 SSL_SESSION_free(serverpsk);
3742 clientpsk = serverpsk = NULL;
3743 SSL_free(serverssl);
3744 SSL_free(clientssl);
3751 # ifndef OPENSSL_NO_TLS1_2
3753 * Test that a server attempting to read early data can handle a connection
3754 * from a TLSv1.2 client.
3756 static int test_early_data_tls1_2(int idx)
3758 SSL_CTX *cctx = NULL, *sctx = NULL;
3759 SSL *clientssl = NULL, *serverssl = NULL;
3761 unsigned char buf[20];
3762 size_t readbytes, written;
3764 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3765 &serverssl, NULL, idx)))
3768 /* Write some data - should block due to handshake with server */
3769 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3770 SSL_set_connect_state(clientssl);
3771 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3775 * Server should do TLSv1.2 handshake. First it will block waiting for more
3776 * messages from client after ServerDone. Then SSL_read_early_data should
3777 * finish and detect that early data has not been sent
3779 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3781 SSL_READ_EARLY_DATA_ERROR))
3785 * Continue writing the message we started earlier. Will still block waiting
3786 * for the CCS/Finished from server
3788 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3789 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3791 SSL_READ_EARLY_DATA_FINISH)
3792 || !TEST_size_t_eq(readbytes, 0)
3793 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3794 SSL_EARLY_DATA_NOT_SENT))
3797 /* Continue writing the message we started earlier */
3798 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3799 || !TEST_size_t_eq(written, strlen(MSG1))
3800 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3801 SSL_EARLY_DATA_NOT_SENT)
3802 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3803 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3804 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3805 || !TEST_size_t_eq(written, strlen(MSG2))
3806 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3807 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3813 SSL_SESSION_free(clientpsk);
3814 SSL_SESSION_free(serverpsk);
3815 clientpsk = serverpsk = NULL;
3816 SSL_free(serverssl);
3817 SSL_free(clientssl);
3823 # endif /* OPENSSL_NO_TLS1_2 */
3826 * Test configuring the TLSv1.3 ciphersuites
3828 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3829 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3830 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3831 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3832 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3833 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3834 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3835 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3836 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3837 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3839 static int test_set_ciphersuite(int idx)
3841 SSL_CTX *cctx = NULL, *sctx = NULL;
3842 SSL *clientssl = NULL, *serverssl = NULL;
3845 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3846 TLS_client_method(), TLS1_VERSION, 0,
3847 &sctx, &cctx, cert, privkey))
3848 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3849 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3852 if (idx >=4 && idx <= 7) {
3853 /* SSL_CTX explicit cipher list */
3854 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3858 if (idx == 0 || idx == 4) {
3859 /* Default ciphersuite */
3860 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3861 "TLS_AES_128_GCM_SHA256")))
3863 } else if (idx == 1 || idx == 5) {
3864 /* Non default ciphersuite */
3865 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3866 "TLS_AES_128_CCM_SHA256")))
3870 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3871 &clientssl, NULL, NULL)))
3874 if (idx == 8 || idx == 9) {
3875 /* SSL explicit cipher list */
3876 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3880 if (idx == 2 || idx == 6 || idx == 8) {
3881 /* Default ciphersuite */
3882 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3883 "TLS_AES_128_GCM_SHA256")))
3885 } else if (idx == 3 || idx == 7 || idx == 9) {
3886 /* Non default ciphersuite */
3887 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3888 "TLS_AES_128_CCM_SHA256")))
3892 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3898 SSL_free(serverssl);
3899 SSL_free(clientssl);
3906 static int test_ciphersuite_change(void)
3908 SSL_CTX *cctx = NULL, *sctx = NULL;
3909 SSL *clientssl = NULL, *serverssl = NULL;
3910 SSL_SESSION *clntsess = NULL;
3912 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3914 /* Create a session based on SHA-256 */
3915 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3916 TLS_client_method(), TLS1_VERSION, 0,
3917 &sctx, &cctx, cert, privkey))
3918 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3919 "TLS_AES_128_GCM_SHA256:"
3920 "TLS_AES_256_GCM_SHA384:"
3921 "TLS_AES_128_CCM_SHA256"))
3922 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3923 "TLS_AES_128_GCM_SHA256"))
3924 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3925 &clientssl, NULL, NULL))
3926 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3930 clntsess = SSL_get1_session(clientssl);
3931 /* Save for later */
3932 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3933 SSL_shutdown(clientssl);
3934 SSL_shutdown(serverssl);
3935 SSL_free(serverssl);
3936 SSL_free(clientssl);
3937 serverssl = clientssl = NULL;
3939 /* Check we can resume a session with a different SHA-256 ciphersuite */
3940 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3941 "TLS_AES_128_CCM_SHA256"))
3942 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3943 &clientssl, NULL, NULL))
3944 || !TEST_true(SSL_set_session(clientssl, clntsess))
3945 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3947 || !TEST_true(SSL_session_reused(clientssl)))
3950 SSL_SESSION_free(clntsess);
3951 clntsess = SSL_get1_session(clientssl);
3952 SSL_shutdown(clientssl);
3953 SSL_shutdown(serverssl);
3954 SSL_free(serverssl);
3955 SSL_free(clientssl);
3956 serverssl = clientssl = NULL;
3959 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3960 * succeeds but does not resume.
3962 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3963 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3965 || !TEST_true(SSL_set_session(clientssl, clntsess))
3966 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3968 || !TEST_false(SSL_session_reused(clientssl)))
3971 SSL_SESSION_free(clntsess);
3973 SSL_shutdown(clientssl);
3974 SSL_shutdown(serverssl);
3975 SSL_free(serverssl);
3976 SSL_free(clientssl);
3977 serverssl = clientssl = NULL;
3979 /* Create a session based on SHA384 */
3980 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3981 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3982 &clientssl, NULL, NULL))
3983 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3987 clntsess = SSL_get1_session(clientssl);
3988 SSL_shutdown(clientssl);
3989 SSL_shutdown(serverssl);
3990 SSL_free(serverssl);
3991 SSL_free(clientssl);
3992 serverssl = clientssl = NULL;
3994 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3995 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3996 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3997 "TLS_AES_256_GCM_SHA384"))
3998 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4000 || !TEST_true(SSL_set_session(clientssl, clntsess))
4002 * We use SSL_ERROR_WANT_READ below so that we can pause the
4003 * connection after the initial ClientHello has been sent to
4004 * enable us to make some session changes.
4006 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4007 SSL_ERROR_WANT_READ)))
4010 /* Trick the client into thinking this session is for a different digest */
4011 clntsess->cipher = aes_128_gcm_sha256;
4012 clntsess->cipher_id = clntsess->cipher->id;
4015 * Continue the previously started connection. Server has selected a SHA-384
4016 * ciphersuite, but client thinks the session is for SHA-256, so it should
4019 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4021 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4022 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4028 SSL_SESSION_free(clntsess);
4029 SSL_free(serverssl);
4030 SSL_free(clientssl);
4038 * Test TLSv1.3 Key exchange
4039 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4040 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4041 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4042 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4043 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4044 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4045 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4046 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4047 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4048 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4049 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4050 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4051 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4052 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4054 static int test_key_exchange(int idx)
4056 SSL_CTX *sctx = NULL, *cctx = NULL;
4057 SSL *serverssl = NULL, *clientssl = NULL;
4059 # ifndef OPENSSL_NO_EC
4060 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4061 NID_secp521r1, NID_X25519, NID_X448};
4063 # ifndef OPENSSL_NO_DH
4064 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4065 NID_ffdhe6144, NID_ffdhe8192};
4068 int *kexch_groups = &kexch_alg;
4069 int kexch_groups_size = 1;
4070 int max_version = TLS1_3_VERSION;
4073 # ifndef OPENSSL_NO_EC
4074 # ifndef OPENSSL_NO_TLS1_2
4076 max_version = TLS1_2_VERSION;
4080 kexch_groups = ecdhe_kexch_groups;
4081 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4084 kexch_alg = NID_X9_62_prime256v1;
4087 kexch_alg = NID_secp384r1;
4090 kexch_alg = NID_secp521r1;
4093 kexch_alg = NID_X25519;
4096 kexch_alg = NID_X448;
4099 # ifndef OPENSSL_NO_DH
4100 # ifndef OPENSSL_NO_TLS1_2
4102 max_version = TLS1_2_VERSION;
4106 kexch_groups = ffdhe_kexch_groups;
4107 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4110 kexch_alg = NID_ffdhe2048;
4113 kexch_alg = NID_ffdhe3072;
4116 kexch_alg = NID_ffdhe4096;
4119 kexch_alg = NID_ffdhe6144;
4122 kexch_alg = NID_ffdhe8192;
4126 /* We're skipping this test */
4130 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4131 TLS_client_method(), TLS1_VERSION,
4132 max_version, &sctx, &cctx, cert,
4136 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4137 TLS1_3_RFC_AES_128_GCM_SHA256)))
4140 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4141 TLS1_3_RFC_AES_128_GCM_SHA256)))
4144 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4145 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4149 * Must include an EC ciphersuite so that we send supported groups in
4152 # ifndef OPENSSL_NO_TLS1_2
4153 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4154 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4155 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4159 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4163 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4164 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4167 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4171 * If Handshake succeeds the negotiated kexch alg should be the first one in
4172 * configured, except in the case of FFDHE groups (idx 13), which are
4173 * TLSv1.3 only so we expect no shared group to exist.
4175 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4176 idx == 13 ? 0 : kexch_groups[0]))
4178 if (max_version == TLS1_3_VERSION) {
4179 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4181 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4187 SSL_free(serverssl);
4188 SSL_free(clientssl);
4195 * Test TLSv1.3 Cipher Suite
4196 * Test 0 = Set TLS1.3 cipher on context
4197 * Test 1 = Set TLS1.3 cipher on SSL
4198 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4199 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4201 static int test_tls13_ciphersuite(int idx)
4203 SSL_CTX *sctx = NULL, *cctx = NULL;
4204 SSL *serverssl = NULL, *clientssl = NULL;
4205 static const struct {
4206 const char *ciphername;
4209 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4210 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4211 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4212 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4213 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4214 { TLS1_3_RFC_AES_256_GCM_SHA384
4215 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4217 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4219 const char *t13_cipher = NULL;
4220 const char *t12_cipher = NULL;
4221 const char *negotiated_scipher;
4222 const char *negotiated_ccipher;
4238 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4242 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4246 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4247 # ifdef OPENSSL_NO_TLS1_2
4248 if (max_ver == TLS1_2_VERSION)
4251 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4252 if (is_fips && !t13_ciphers[i].fipscapable)
4254 t13_cipher = t13_ciphers[i].ciphername;
4255 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4256 TLS_client_method(),
4257 TLS1_VERSION, max_ver,
4258 &sctx, &cctx, cert, privkey)))
4262 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4263 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4265 if (t12_cipher != NULL) {
4266 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4267 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4273 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4274 &clientssl, NULL, NULL)))
4278 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4279 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4281 if (t12_cipher != NULL) {
4282 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4283 || !TEST_true(SSL_set_cipher_list(clientssl,
4289 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4293 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4295 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4297 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4301 * TEST_strn_eq is used below because t13_cipher can contain
4302 * multiple ciphersuites
4304 if (max_ver == TLS1_3_VERSION
4305 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4306 strlen(negotiated_scipher)))
4309 # ifndef OPENSSL_NO_TLS1_2
4310 /* Below validation is not done when t12_cipher is NULL */
4311 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4312 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4316 SSL_free(serverssl);
4318 SSL_free(clientssl);
4329 SSL_free(serverssl);
4330 SSL_free(clientssl);
4338 * Test 0 = Test new style callbacks
4339 * Test 1 = Test both new and old style callbacks
4340 * Test 2 = Test old style callbacks
4341 * Test 3 = Test old style callbacks with no certificate
4343 static int test_tls13_psk(int idx)
4345 SSL_CTX *sctx = NULL, *cctx = NULL;
4346 SSL *serverssl = NULL, *clientssl = NULL;
4347 const SSL_CIPHER *cipher = NULL;
4348 const unsigned char key[] = {
4349 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4350 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4351 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4352 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4356 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4357 TLS_client_method(), TLS1_VERSION, 0,
4358 &sctx, &cctx, idx == 3 ? NULL : cert,
4359 idx == 3 ? NULL : privkey)))
4364 * We use a ciphersuite with SHA256 to ease testing old style PSK
4365 * callbacks which will always default to SHA256. This should not be
4366 * necessary if we have no cert/priv key. In that case the server should
4367 * prefer SHA256 automatically.
4369 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4370 "TLS_AES_128_GCM_SHA256")))
4374 * As noted above the server should prefer SHA256 automatically. However
4375 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4376 * code works even if we are testing with only the FIPS provider loaded.
4378 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4379 "TLS_AES_256_GCM_SHA384:"
4380 "TLS_AES_128_GCM_SHA256")))
4385 * Test 0: New style callbacks only
4386 * Test 1: New and old style callbacks (only the new ones should be used)
4387 * Test 2: Old style callbacks only
4389 if (idx == 0 || idx == 1) {
4390 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4391 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4393 #ifndef OPENSSL_NO_PSK
4395 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4396 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4400 use_session_cb_cnt = 0;
4401 find_session_cb_cnt = 0;
4402 psk_client_cb_cnt = 0;
4403 psk_server_cb_cnt = 0;
4407 * Check we can create a connection if callback decides not to send a
4410 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4412 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4414 || !TEST_false(SSL_session_reused(clientssl))
4415 || !TEST_false(SSL_session_reused(serverssl)))
4418 if (idx == 0 || idx == 1) {
4419 if (!TEST_true(use_session_cb_cnt == 1)
4420 || !TEST_true(find_session_cb_cnt == 0)
4422 * If no old style callback then below should be 0
4425 || !TEST_true(psk_client_cb_cnt == idx)
4426 || !TEST_true(psk_server_cb_cnt == 0))
4429 if (!TEST_true(use_session_cb_cnt == 0)
4430 || !TEST_true(find_session_cb_cnt == 0)
4431 || !TEST_true(psk_client_cb_cnt == 1)
4432 || !TEST_true(psk_server_cb_cnt == 0))
4436 shutdown_ssl_connection(serverssl, clientssl);
4437 serverssl = clientssl = NULL;
4438 use_session_cb_cnt = psk_client_cb_cnt = 0;
4441 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4445 /* Create the PSK */
4446 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4447 clientpsk = SSL_SESSION_new();
4448 if (!TEST_ptr(clientpsk)
4449 || !TEST_ptr(cipher)
4450 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4452 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4453 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4455 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4457 serverpsk = clientpsk;
4459 /* Check we can create a connection and the PSK is used */
4460 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4461 || !TEST_true(SSL_session_reused(clientssl))
4462 || !TEST_true(SSL_session_reused(serverssl)))
4465 if (idx == 0 || idx == 1) {
4466 if (!TEST_true(use_session_cb_cnt == 1)
4467 || !TEST_true(find_session_cb_cnt == 1)
4468 || !TEST_true(psk_client_cb_cnt == 0)
4469 || !TEST_true(psk_server_cb_cnt == 0))
4472 if (!TEST_true(use_session_cb_cnt == 0)
4473 || !TEST_true(find_session_cb_cnt == 0)
4474 || !TEST_true(psk_client_cb_cnt == 1)
4475 || !TEST_true(psk_server_cb_cnt == 1))
4479 shutdown_ssl_connection(serverssl, clientssl);
4480 serverssl = clientssl = NULL;
4481 use_session_cb_cnt = find_session_cb_cnt = 0;
4482 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4484 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4489 #if defined(OPENSSL_NO_EC)
4490 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4493 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4498 * Check we can create a connection, the PSK is used and the callbacks are
4501 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4502 || !TEST_true(SSL_session_reused(clientssl))
4503 || !TEST_true(SSL_session_reused(serverssl)))
4506 if (idx == 0 || idx == 1) {
4507 if (!TEST_true(use_session_cb_cnt == 2)
4508 || !TEST_true(find_session_cb_cnt == 2)
4509 || !TEST_true(psk_client_cb_cnt == 0)
4510 || !TEST_true(psk_server_cb_cnt == 0))
4513 if (!TEST_true(use_session_cb_cnt == 0)
4514 || !TEST_true(find_session_cb_cnt == 0)
4515 || !TEST_true(psk_client_cb_cnt == 2)
4516 || !TEST_true(psk_server_cb_cnt == 2))
4520 shutdown_ssl_connection(serverssl, clientssl);
4521 serverssl = clientssl = NULL;
4522 use_session_cb_cnt = find_session_cb_cnt = 0;
4523 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4527 * Check that if the server rejects the PSK we can still connect, but with
4530 srvid = "Dummy Identity";
4531 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4533 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4535 || !TEST_false(SSL_session_reused(clientssl))
4536 || !TEST_false(SSL_session_reused(serverssl)))
4539 if (idx == 0 || idx == 1) {
4540 if (!TEST_true(use_session_cb_cnt == 1)
4541 || !TEST_true(find_session_cb_cnt == 1)
4542 || !TEST_true(psk_client_cb_cnt == 0)
4544 * If no old style callback then below should be 0
4547 || !TEST_true(psk_server_cb_cnt == idx))
4550 if (!TEST_true(use_session_cb_cnt == 0)
4551 || !TEST_true(find_session_cb_cnt == 0)
4552 || !TEST_true(psk_client_cb_cnt == 1)
4553 || !TEST_true(psk_server_cb_cnt == 1))
4557 shutdown_ssl_connection(serverssl, clientssl);
4558 serverssl = clientssl = NULL;
4563 SSL_SESSION_free(clientpsk);
4564 SSL_SESSION_free(serverpsk);
4565 clientpsk = serverpsk = NULL;
4566 SSL_free(serverssl);
4567 SSL_free(clientssl);
4573 static unsigned char cookie_magic_value[] = "cookie magic";
4575 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4576 unsigned int *cookie_len)
4579 * Not suitable as a real cookie generation function but good enough for
4582 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4583 *cookie_len = sizeof(cookie_magic_value) - 1;
4588 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4589 unsigned int cookie_len)
4591 if (cookie_len == sizeof(cookie_magic_value) - 1
4592 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4598 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4602 int res = generate_cookie_callback(ssl, cookie, &temp);
4607 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4610 return verify_cookie_callback(ssl, cookie, cookie_len);
4613 static int test_stateless(void)
4615 SSL_CTX *sctx = NULL, *cctx = NULL;
4616 SSL *serverssl = NULL, *clientssl = NULL;
4619 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4620 TLS_client_method(), TLS1_VERSION, 0,
4621 &sctx, &cctx, cert, privkey)))
4624 /* The arrival of CCS messages can confuse the test */
4625 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4627 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4629 /* Send the first ClientHello */
4630 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4631 SSL_ERROR_WANT_READ))
4633 * This should fail with a -1 return because we have no callbacks
4636 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4639 /* Fatal error so abandon the connection from this client */
4640 SSL_free(clientssl);
4643 /* Set up the cookie generation and verification callbacks */
4644 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4645 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4648 * Create a new connection from the client (we can reuse the server SSL
4651 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4653 /* Send the first ClientHello */
4654 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4655 SSL_ERROR_WANT_READ))
4656 /* This should fail because there is no cookie */
4657 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4660 /* Abandon the connection from this client */
4661 SSL_free(clientssl);
4665 * Now create a connection from a new client but with the same server SSL
4668 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4670 /* Send the first ClientHello */
4671 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4672 SSL_ERROR_WANT_READ))
4673 /* This should fail because there is no cookie */
4674 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4675 /* Send the second ClientHello */
4676 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4677 SSL_ERROR_WANT_READ))
4678 /* This should succeed because a cookie is now present */
4679 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4680 /* Complete the connection */
4681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4685 shutdown_ssl_connection(serverssl, clientssl);
4686 serverssl = clientssl = NULL;
4690 SSL_free(serverssl);
4691 SSL_free(clientssl);
4697 #endif /* OPENSSL_NO_TLS1_3 */
4699 static int clntaddoldcb = 0;
4700 static int clntparseoldcb = 0;
4701 static int srvaddoldcb = 0;
4702 static int srvparseoldcb = 0;
4703 static int clntaddnewcb = 0;
4704 static int clntparsenewcb = 0;
4705 static int srvaddnewcb = 0;
4706 static int srvparsenewcb = 0;
4707 static int snicb = 0;
4709 #define TEST_EXT_TYPE1 0xff00
4711 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4712 size_t *outlen, int *al, void *add_arg)
4714 int *server = (int *)add_arg;
4715 unsigned char *data;
4717 if (SSL_is_server(s))
4722 if (*server != SSL_is_server(s)
4723 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4728 *outlen = sizeof(char);
4732 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4735 OPENSSL_free((unsigned char *)out);
4738 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4739 size_t inlen, int *al, void *parse_arg)
4741 int *server = (int *)parse_arg;
4743 if (SSL_is_server(s))
4748 if (*server != SSL_is_server(s)
4749 || inlen != sizeof(char)
4756 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4757 const unsigned char **out, size_t *outlen, X509 *x,
4758 size_t chainidx, int *al, void *add_arg)
4760 int *server = (int *)add_arg;
4761 unsigned char *data;
4763 if (SSL_is_server(s))
4768 if (*server != SSL_is_server(s)
4769 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4774 *outlen = sizeof(*data);
4778 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4779 const unsigned char *out, void *add_arg)
4781 OPENSSL_free((unsigned char *)out);
4784 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4785 const unsigned char *in, size_t inlen, X509 *x,
4786 size_t chainidx, int *al, void *parse_arg)
4788 int *server = (int *)parse_arg;
4790 if (SSL_is_server(s))
4795 if (*server != SSL_is_server(s)
4796 || inlen != sizeof(char) || *in != 1)
4802 static int sni_cb(SSL *s, int *al, void *arg)
4804 SSL_CTX *ctx = (SSL_CTX *)arg;
4806 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4807 *al = SSL_AD_INTERNAL_ERROR;
4808 return SSL_TLSEXT_ERR_ALERT_FATAL;
4811 return SSL_TLSEXT_ERR_OK;
4815 * Custom call back tests.
4816 * Test 0: Old style callbacks in TLSv1.2
4817 * Test 1: New style callbacks in TLSv1.2
4818 * Test 2: New style callbacks in TLSv1.2 with SNI
4819 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4820 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4822 static int test_custom_exts(int tst)
4824 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4825 SSL *clientssl = NULL, *serverssl = NULL;
4827 static int server = 1;
4828 static int client = 0;
4829 SSL_SESSION *sess = NULL;
4830 unsigned int context;
4832 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4833 /* Skip tests for TLSv1.2 and below in this case */
4838 /* Reset callback counters */
4839 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4840 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4843 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4844 TLS_client_method(), TLS1_VERSION, 0,
4845 &sctx, &cctx, cert, privkey)))
4849 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
4851 &sctx2, NULL, cert, privkey)))
4856 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4857 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4859 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4863 context = SSL_EXT_CLIENT_HELLO
4864 | SSL_EXT_TLS1_2_SERVER_HELLO
4865 | SSL_EXT_TLS1_3_SERVER_HELLO
4866 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4867 | SSL_EXT_TLS1_3_CERTIFICATE
4868 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4870 context = SSL_EXT_CLIENT_HELLO
4871 | SSL_EXT_TLS1_2_SERVER_HELLO
4872 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4875 /* Create a client side custom extension */
4877 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4878 old_add_cb, old_free_cb,
4879 &client, old_parse_cb,
4883 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4884 new_add_cb, new_free_cb,
4885 &client, new_parse_cb, &client)))
4889 /* Should not be able to add duplicates */
4890 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4891 old_add_cb, old_free_cb,
4892 &client, old_parse_cb,
4894 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4895 context, new_add_cb,
4896 new_free_cb, &client,
4897 new_parse_cb, &client)))
4900 /* Create a server side custom extension */
4902 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4903 old_add_cb, old_free_cb,
4904 &server, old_parse_cb,
4908 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4909 new_add_cb, new_free_cb,
4910 &server, new_parse_cb, &server)))
4913 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4914 context, new_add_cb,
4915 new_free_cb, &server,
4916 new_parse_cb, &server)))
4920 /* Should not be able to add duplicates */
4921 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4922 old_add_cb, old_free_cb,
4923 &server, old_parse_cb,
4925 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4926 context, new_add_cb,
4927 new_free_cb, &server,
4928 new_parse_cb, &server)))
4933 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4934 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4938 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4939 &clientssl, NULL, NULL))
4940 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4945 if (clntaddoldcb != 1
4946 || clntparseoldcb != 1
4948 || srvparseoldcb != 1)
4950 } else if (tst == 1 || tst == 2 || tst == 3) {
4951 if (clntaddnewcb != 1
4952 || clntparsenewcb != 1
4954 || srvparsenewcb != 1
4955 || (tst != 2 && snicb != 0)
4956 || (tst == 2 && snicb != 1))
4959 /* In this case there 2 NewSessionTicket messages created */
4960 if (clntaddnewcb != 1
4961 || clntparsenewcb != 5
4963 || srvparsenewcb != 1)
4967 sess = SSL_get1_session(clientssl);
4968 SSL_shutdown(clientssl);
4969 SSL_shutdown(serverssl);
4970 SSL_free(serverssl);
4971 SSL_free(clientssl);
4972 serverssl = clientssl = NULL;
4975 /* We don't bother with the resumption aspects for this test */
4980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4982 || !TEST_true(SSL_set_session(clientssl, sess))
4983 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4988 * For a resumed session we expect to add the ClientHello extension. For the
4989 * old style callbacks we ignore it on the server side because they set
4990 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4994 if (clntaddoldcb != 2
4995 || clntparseoldcb != 1
4997 || srvparseoldcb != 1)
4999 } else if (tst == 1 || tst == 2 || tst == 3) {
5000 if (clntaddnewcb != 2
5001 || clntparsenewcb != 2
5003 || srvparsenewcb != 2)
5007 * No Certificate message extensions in the resumption handshake,
5008 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5010 if (clntaddnewcb != 2
5011 || clntparsenewcb != 8
5013 || srvparsenewcb != 2)
5020 SSL_SESSION_free(sess);
5021 SSL_free(serverssl);
5022 SSL_free(clientssl);
5023 SSL_CTX_free(sctx2);
5030 * Test loading of serverinfo data in various formats. test_sslmessages actually
5031 * tests to make sure the extensions appear in the handshake
5033 static int test_serverinfo(int tst)
5035 unsigned int version;
5036 unsigned char *sibuf;
5038 int ret, expected, testresult = 0;
5041 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5045 if ((tst & 0x01) == 0x01)
5046 version = SSL_SERVERINFOV2;
5048 version = SSL_SERVERINFOV1;
5050 if ((tst & 0x02) == 0x02) {
5051 sibuf = serverinfov2;
5052 sibuflen = sizeof(serverinfov2);
5053 expected = (version == SSL_SERVERINFOV2);
5055 sibuf = serverinfov1;
5056 sibuflen = sizeof(serverinfov1);
5057 expected = (version == SSL_SERVERINFOV1);
5060 if ((tst & 0x04) == 0x04) {
5061 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5063 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5066 * The version variable is irrelevant in this case - it's what is in the
5067 * buffer that matters
5069 if ((tst & 0x02) == 0x02)
5075 if (!TEST_true(ret == expected))
5087 * Test that SSL_export_keying_material() produces expected results. There are
5088 * no test vectors so all we do is test that both sides of the communication
5089 * produce the same results for different protocol versions.
5091 #define SMALL_LABEL_LEN 10
5092 #define LONG_LABEL_LEN 249
5093 static int test_export_key_mat(int tst)
5096 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5097 SSL *clientssl = NULL, *serverssl = NULL;
5098 const char label[LONG_LABEL_LEN + 1] = "test label";
5099 const unsigned char context[] = "context";
5100 const unsigned char *emptycontext = NULL;
5101 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5102 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5104 const int protocols[] = {
5113 #ifdef OPENSSL_NO_TLS1
5117 #ifdef OPENSSL_NO_TLS1_1
5121 if (is_fips && (tst == 0 || tst == 1))
5123 #ifdef OPENSSL_NO_TLS1_2
5127 #ifdef OPENSSL_NO_TLS1_3
5131 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5132 TLS_client_method(), TLS1_VERSION, 0,
5133 &sctx, &cctx, cert, privkey)))
5136 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5137 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5138 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5140 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5142 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5148 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5151 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5152 sizeof(ckeymat1), label,
5153 LONG_LABEL_LEN + 1, context,
5154 sizeof(context) - 1, 1), 0))
5159 } else if (tst == 4) {
5160 labellen = LONG_LABEL_LEN;
5162 labellen = SMALL_LABEL_LEN;
5165 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5166 sizeof(ckeymat1), label,
5168 sizeof(context) - 1, 1), 1)
5169 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5170 sizeof(ckeymat2), label,
5174 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5175 sizeof(ckeymat3), label,
5178 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5179 sizeof(skeymat1), label,
5182 sizeof(context) -1, 1),
5184 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5185 sizeof(skeymat2), label,
5189 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5190 sizeof(skeymat3), label,
5194 * Check that both sides created the same key material with the
5197 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5200 * Check that both sides created the same key material with an
5203 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5206 * Check that both sides created the same key material without a
5209 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5211 /* Different contexts should produce different results */
5212 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5217 * Check that an empty context and no context produce different results in
5218 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5220 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5222 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5229 SSL_free(serverssl);
5230 SSL_free(clientssl);
5231 SSL_CTX_free(sctx2);
5238 #ifndef OPENSSL_NO_TLS1_3
5240 * Test that SSL_export_keying_material_early() produces expected
5241 * results. There are no test vectors so all we do is test that both
5242 * sides of the communication produce the same results for different
5243 * protocol versions.
5245 static int test_export_key_mat_early(int idx)
5247 static const char label[] = "test label";
5248 static const unsigned char context[] = "context";
5250 SSL_CTX *cctx = NULL, *sctx = NULL;
5251 SSL *clientssl = NULL, *serverssl = NULL;
5252 SSL_SESSION *sess = NULL;
5253 const unsigned char *emptycontext = NULL;
5254 unsigned char ckeymat1[80], ckeymat2[80];
5255 unsigned char skeymat1[80], skeymat2[80];
5256 unsigned char buf[1];
5257 size_t readbytes, written;
5259 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5263 /* Here writing 0 length early data is enough. */
5264 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5265 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5267 SSL_READ_EARLY_DATA_ERROR)
5268 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5269 SSL_EARLY_DATA_ACCEPTED))
5272 if (!TEST_int_eq(SSL_export_keying_material_early(
5273 clientssl, ckeymat1, sizeof(ckeymat1), label,
5274 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5275 || !TEST_int_eq(SSL_export_keying_material_early(
5276 clientssl, ckeymat2, sizeof(ckeymat2), label,
5277 sizeof(label) - 1, emptycontext, 0), 1)
5278 || !TEST_int_eq(SSL_export_keying_material_early(
5279 serverssl, skeymat1, sizeof(skeymat1), label,
5280 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5281 || !TEST_int_eq(SSL_export_keying_material_early(
5282 serverssl, skeymat2, sizeof(skeymat2), label,
5283 sizeof(label) - 1, emptycontext, 0), 1)
5285 * Check that both sides created the same key material with the
5288 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5291 * Check that both sides created the same key material with an
5294 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5296 /* Different contexts should produce different results */
5297 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5304 SSL_SESSION_free(sess);
5305 SSL_SESSION_free(clientpsk);
5306 SSL_SESSION_free(serverpsk);
5307 clientpsk = serverpsk = NULL;
5308 SSL_free(serverssl);
5309 SSL_free(clientssl);
5316 #define NUM_KEY_UPDATE_MESSAGES 40
5320 static int test_key_update(void)
5322 SSL_CTX *cctx = NULL, *sctx = NULL;
5323 SSL *clientssl = NULL, *serverssl = NULL;
5324 int testresult = 0, i, j;
5326 static char *mess = "A test message";
5328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5329 TLS_client_method(),
5332 &sctx, &cctx, cert, privkey))
5333 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5335 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5339 for (j = 0; j < 2; j++) {
5340 /* Send lots of KeyUpdate messages */
5341 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5342 if (!TEST_true(SSL_key_update(clientssl,
5344 ? SSL_KEY_UPDATE_NOT_REQUESTED
5345 : SSL_KEY_UPDATE_REQUESTED))
5346 || !TEST_true(SSL_do_handshake(clientssl)))
5350 /* Check that sending and receiving app data is ok */
5351 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5352 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5356 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5357 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5365 SSL_free(serverssl);
5366 SSL_free(clientssl);
5374 * Test we can handle a KeyUpdate (update requested) message while write data
5376 * Test 0: Client sends KeyUpdate while Server is writing
5377 * Test 1: Server sends KeyUpdate while Client is writing
5379 static int test_key_update_in_write(int tst)
5381 SSL_CTX *cctx = NULL, *sctx = NULL;
5382 SSL *clientssl = NULL, *serverssl = NULL;
5385 static char *mess = "A test message";
5386 BIO *bretry = BIO_new(bio_s_always_retry());
5388 SSL *peerupdate = NULL, *peerwrite = NULL;
5390 if (!TEST_ptr(bretry)
5391 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5392 TLS_client_method(),
5395 &sctx, &cctx, cert, privkey))
5396 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5398 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5402 peerupdate = tst == 0 ? clientssl : serverssl;
5403 peerwrite = tst == 0 ? serverssl : clientssl;
5405 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5406 || !TEST_true(SSL_do_handshake(peerupdate)))
5409 /* Swap the writing endpoint's write BIO to force a retry */
5410 tmp = SSL_get_wbio(peerwrite);
5411 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5415 SSL_set0_wbio(peerwrite, bretry);
5418 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5419 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5420 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5423 /* Reinstate the original writing endpoint's write BIO */
5424 SSL_set0_wbio(peerwrite, tmp);
5427 /* Now read some data - we will read the key update */
5428 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5429 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5433 * Complete the write we started previously and read it from the other
5436 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5437 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5440 /* Write more data to ensure we send the KeyUpdate message back */
5441 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5442 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5448 SSL_free(serverssl);
5449 SSL_free(clientssl);
5457 #endif /* OPENSSL_NO_TLS1_3 */
5459 static int test_ssl_clear(int idx)
5461 SSL_CTX *cctx = NULL, *sctx = NULL;
5462 SSL *clientssl = NULL, *serverssl = NULL;
5465 #ifdef OPENSSL_NO_TLS1_2
5470 /* Create an initial connection */
5471 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5472 TLS_client_method(), TLS1_VERSION, 0,
5473 &sctx, &cctx, cert, privkey))
5475 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5477 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5478 &clientssl, NULL, NULL))
5479 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5483 SSL_shutdown(clientssl);
5484 SSL_shutdown(serverssl);
5485 SSL_free(serverssl);
5488 /* Clear clientssl - we're going to reuse the object */
5489 if (!TEST_true(SSL_clear(clientssl)))
5492 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5494 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5496 || !TEST_true(SSL_session_reused(clientssl)))
5499 SSL_shutdown(clientssl);
5500 SSL_shutdown(serverssl);
5505 SSL_free(serverssl);
5506 SSL_free(clientssl);
5513 /* Parse CH and retrieve any MFL extension value if present */
5514 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5517 unsigned char *data;
5518 PACKET pkt, pkt2, pkt3;
5519 unsigned int MFL_code = 0, type = 0;
5521 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5524 memset(&pkt, 0, sizeof(pkt));
5525 memset(&pkt2, 0, sizeof(pkt2));
5526 memset(&pkt3, 0, sizeof(pkt3));
5528 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5529 /* Skip the record header */
5530 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5531 /* Skip the handshake message header */
5532 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5533 /* Skip client version and random */
5534 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5535 + SSL3_RANDOM_SIZE))
5536 /* Skip session id */
5537 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5539 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5540 /* Skip compression */
5541 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5542 /* Extensions len */
5543 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5546 /* Loop through all extensions */
5547 while (PACKET_remaining(&pkt2)) {
5548 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5549 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5552 if (type == TLSEXT_TYPE_max_fragment_length) {
5553 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5554 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5557 *mfl_codemfl_code = MFL_code;
5566 /* Maximum-Fragment-Length TLS extension mode to test */
5567 static const unsigned char max_fragment_len_test[] = {
5568 TLSEXT_max_fragment_length_512,
5569 TLSEXT_max_fragment_length_1024,
5570 TLSEXT_max_fragment_length_2048,
5571 TLSEXT_max_fragment_length_4096
5574 static int test_max_fragment_len_ext(int idx_tst)
5578 int testresult = 0, MFL_mode = 0;
5581 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5585 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5586 ctx, max_fragment_len_test[idx_tst])))
5593 rbio = BIO_new(BIO_s_mem());
5594 wbio = BIO_new(BIO_s_mem());
5595 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5601 SSL_set_bio(con, rbio, wbio);
5602 SSL_set_connect_state(con);
5604 if (!TEST_int_le(SSL_connect(con), 0)) {
5605 /* This shouldn't succeed because we don't have a server! */
5609 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5610 /* no MFL in client hello */
5612 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5624 #ifndef OPENSSL_NO_TLS1_3
5625 static int test_pha_key_update(void)
5627 SSL_CTX *cctx = NULL, *sctx = NULL;
5628 SSL *clientssl = NULL, *serverssl = NULL;
5631 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5632 TLS_client_method(), TLS1_VERSION, 0,
5633 &sctx, &cctx, cert, privkey)))
5636 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5637 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5638 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5639 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5642 SSL_CTX_set_post_handshake_auth(cctx, 1);
5644 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5648 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5652 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5653 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5656 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5659 /* Start handshake on the server */
5660 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5663 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5664 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5668 SSL_shutdown(clientssl);
5669 SSL_shutdown(serverssl);
5674 SSL_free(serverssl);
5675 SSL_free(clientssl);
5682 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5684 static SRP_VBASE *vbase = NULL;
5686 DEFINE_STACK_OF(SRP_user_pwd)
5688 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5690 int ret = SSL3_AL_FATAL;
5692 SRP_user_pwd *user = NULL;
5694 username = SSL_get_srp_username(s);
5695 if (username == NULL) {
5696 *ad = SSL_AD_INTERNAL_ERROR;
5700 user = SRP_VBASE_get1_by_user(vbase, username);
5702 *ad = SSL_AD_INTERNAL_ERROR;
5706 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5708 *ad = SSL_AD_INTERNAL_ERROR;
5715 SRP_user_pwd_free(user);
5719 static int create_new_vfile(char *userid, char *password, const char *filename)
5722 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5725 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5728 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5731 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5732 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
5733 if (!TEST_ptr(gNid))
5737 * The only way to create an empty TXT_DB is to provide a BIO with no data
5740 db = TXT_DB_read(dummy, DB_NUMBER);
5744 out = BIO_new_file(filename, "w");
5748 row[DB_srpid] = OPENSSL_strdup(userid);
5749 row[DB_srptype] = OPENSSL_strdup("V");
5750 row[DB_srpgN] = OPENSSL_strdup(gNid);
5752 if (!TEST_ptr(row[DB_srpid])
5753 || !TEST_ptr(row[DB_srptype])
5754 || !TEST_ptr(row[DB_srpgN])
5755 || !TEST_true(TXT_DB_insert(db, row)))
5760 if (!TXT_DB_write(out, db))
5766 for (i = 0; i < DB_NUMBER; i++)
5767 OPENSSL_free(row[i]);
5777 static int create_new_vbase(char *userid, char *password)
5779 BIGNUM *verifier = NULL, *salt = NULL;
5780 const SRP_gN *lgN = NULL;
5781 SRP_user_pwd *user_pwd = NULL;
5784 lgN = SRP_get_default_gN(NULL);
5788 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5789 lgN->N, lgN->g, libctx, NULL)))
5792 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5793 if (!TEST_ptr(user_pwd))
5796 user_pwd->N = lgN->N;
5797 user_pwd->g = lgN->g;
5798 user_pwd->id = OPENSSL_strdup(userid);
5799 if (!TEST_ptr(user_pwd->id))
5802 user_pwd->v = verifier;
5804 verifier = salt = NULL;
5806 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5812 SRP_user_pwd_free(user_pwd);
5822 * Test 0: Simple successful SRP connection, new vbase
5823 * Test 1: Connection failure due to bad password, new vbase
5824 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5825 * Test 3: Connection failure due to bad password, vbase loaded from existing
5827 * Test 4: Simple successful SRP connection, vbase loaded from new file
5828 * Test 5: Connection failure due to bad password, vbase loaded from new file
5830 static int test_srp(int tst)
5832 char *userid = "test", *password = "password", *tstsrpfile;
5833 SSL_CTX *cctx = NULL, *sctx = NULL;
5834 SSL *clientssl = NULL, *serverssl = NULL;
5835 int ret, testresult = 0;
5837 vbase = SRP_VBASE_new(NULL);
5838 if (!TEST_ptr(vbase))
5841 if (tst == 0 || tst == 1) {
5842 if (!TEST_true(create_new_vbase(userid, password)))
5845 if (tst == 4 || tst == 5) {
5846 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5848 tstsrpfile = tmpfilename;
5850 tstsrpfile = srpvfile;
5852 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5856 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5857 TLS_client_method(), TLS1_VERSION, 0,
5858 &sctx, &cctx, cert, privkey)))
5861 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5862 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5863 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5864 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5865 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5869 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5872 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5880 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5882 if (!TEST_true(tst % 2 == 0))
5885 if (!TEST_true(tst % 2 == 1))
5892 SRP_VBASE_free(vbase);
5894 SSL_free(serverssl);
5895 SSL_free(clientssl);
5903 static int info_cb_failed = 0;
5904 static int info_cb_offset = 0;
5905 static int info_cb_this_state = -1;
5907 static struct info_cb_states_st {
5909 const char *statestr;
5910 } info_cb_states[][60] = {
5912 /* TLSv1.2 server followed by resumption */
5913 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5914 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5915 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5916 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5917 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5918 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5919 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5920 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5921 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5922 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5923 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5924 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5925 {SSL_CB_EXIT, NULL}, {0, NULL},
5927 /* TLSv1.2 client followed by resumption */
5928 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5929 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5930 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5931 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5932 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5933 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5934 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5935 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5936 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5937 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5938 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5939 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5941 /* TLSv1.3 server followed by resumption */
5942 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5943 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5944 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5945 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5946 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5947 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5948 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5949 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5950 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5951 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5952 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5953 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5954 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5956 /* TLSv1.3 client followed by resumption */
5957 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5958 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5959 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5960 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5961 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5962 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5963 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5964 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5965 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5966 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5967 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5968 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5969 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5970 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5971 {SSL_CB_EXIT, NULL}, {0, NULL},
5973 /* TLSv1.3 server, early_data */
5974 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5975 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5976 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5977 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5978 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5979 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5980 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5981 {SSL_CB_EXIT, NULL}, {0, NULL},
5983 /* TLSv1.3 client, early_data */
5984 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5985 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5986 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5987 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5988 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5989 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5990 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5991 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5992 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5998 static void sslapi_info_callback(const SSL *s, int where, int ret)
6000 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6002 /* We do not ever expect a connection to fail in this test */
6003 if (!TEST_false(ret == 0)) {
6009 * Do some sanity checks. We never expect these things to happen in this
6012 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6013 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6014 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6019 /* Now check we're in the right state */
6020 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6024 if ((where & SSL_CB_LOOP) != 0
6025 && !TEST_int_eq(strcmp(SSL_state_string(s),
6026 state[info_cb_this_state].statestr), 0)) {
6032 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6034 if ((where & SSL_CB_HANDSHAKE_DONE)
6035 && SSL_in_init((SSL *)s) != 0) {
6042 * Test the info callback gets called when we expect it to.
6044 * Test 0: TLSv1.2, server
6045 * Test 1: TLSv1.2, client
6046 * Test 2: TLSv1.3, server
6047 * Test 3: TLSv1.3, client
6048 * Test 4: TLSv1.3, server, early_data
6049 * Test 5: TLSv1.3, client, early_data
6051 static int test_info_callback(int tst)
6053 SSL_CTX *cctx = NULL, *sctx = NULL;
6054 SSL *clientssl = NULL, *serverssl = NULL;
6055 SSL_SESSION *clntsess = NULL;
6060 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6061 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6062 || !defined(OPENSSL_NO_DH))
6063 tlsvers = TLS1_2_VERSION;
6068 #ifndef OPENSSL_NO_TLS1_3
6069 tlsvers = TLS1_3_VERSION;
6077 info_cb_this_state = -1;
6078 info_cb_offset = tst;
6080 #ifndef OPENSSL_NO_TLS1_3
6082 SSL_SESSION *sess = NULL;
6083 size_t written, readbytes;
6084 unsigned char buf[80];
6086 /* early_data tests */
6087 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6088 &serverssl, &sess, 0)))
6091 /* We don't actually need this reference */
6092 SSL_SESSION_free(sess);
6094 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6095 sslapi_info_callback);
6097 /* Write and read some early data and then complete the connection */
6098 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6100 || !TEST_size_t_eq(written, strlen(MSG1))
6101 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6102 sizeof(buf), &readbytes),
6103 SSL_READ_EARLY_DATA_SUCCESS)
6104 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6105 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6106 SSL_EARLY_DATA_ACCEPTED)
6107 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6109 || !TEST_false(info_cb_failed))
6117 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6118 TLS_client_method(),
6119 tlsvers, tlsvers, &sctx, &cctx, cert,
6124 * For even numbered tests we check the server callbacks. For odd numbers we
6127 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6128 sslapi_info_callback);
6130 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6131 &clientssl, NULL, NULL))
6132 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6134 || !TEST_false(info_cb_failed))
6139 clntsess = SSL_get1_session(clientssl);
6140 SSL_shutdown(clientssl);
6141 SSL_shutdown(serverssl);
6142 SSL_free(serverssl);
6143 SSL_free(clientssl);
6144 serverssl = clientssl = NULL;
6146 /* Now do a resumption */
6147 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6149 || !TEST_true(SSL_set_session(clientssl, clntsess))
6150 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6152 || !TEST_true(SSL_session_reused(clientssl))
6153 || !TEST_false(info_cb_failed))
6159 SSL_free(serverssl);
6160 SSL_free(clientssl);
6161 SSL_SESSION_free(clntsess);
6167 static int test_ssl_pending(int tst)
6169 SSL_CTX *cctx = NULL, *sctx = NULL;
6170 SSL *clientssl = NULL, *serverssl = NULL;
6172 char msg[] = "A test message";
6174 size_t written, readbytes;
6177 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6178 TLS_client_method(),
6180 &sctx, &cctx, cert, privkey)))
6183 #ifndef OPENSSL_NO_DTLS
6184 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6185 DTLS_client_method(),
6187 &sctx, &cctx, cert, privkey)))
6194 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6196 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6200 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6201 || !TEST_false(SSL_has_pending(clientssl))
6202 || !TEST_int_eq(SSL_pending(serverssl), 0)
6203 || !TEST_false(SSL_has_pending(serverssl))
6204 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6205 || !TEST_size_t_eq(written, sizeof(msg))
6206 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6207 || !TEST_size_t_eq(readbytes, sizeof(buf))
6208 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6209 || !TEST_true(SSL_has_pending(clientssl)))
6215 SSL_free(serverssl);
6216 SSL_free(clientssl);
6224 unsigned int maxprot;
6225 const char *clntciphers;
6226 const char *clnttls13ciphers;
6227 const char *srvrciphers;
6228 const char *srvrtls13ciphers;
6230 const char *fipsshared;
6231 } shared_ciphers_data[] = {
6233 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6234 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6236 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6239 "AES128-SHA:AES256-SHA",
6241 "AES256-SHA:DHE-RSA-AES128-SHA",
6246 # if !defined(OPENSSL_NO_CHACHA) \
6247 && !defined(OPENSSL_NO_POLY1305) \
6248 && !defined(OPENSSL_NO_EC)
6251 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6253 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6255 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6261 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6263 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6265 "AES128-SHA:AES256-SHA",
6266 "AES128-SHA:AES256-SHA"
6270 "AES128-SHA:AES256-SHA",
6272 "AES128-SHA:DHE-RSA-AES128-SHA",
6279 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6282 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6283 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6286 "AES128-SHA:AES256-SHA",
6288 "AES256-SHA:AES128-SHA256",
6290 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6291 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6292 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6295 #ifndef OPENSSL_NO_TLS1_3
6299 "TLS_AES_256_GCM_SHA384",
6301 "TLS_AES_256_GCM_SHA384",
6302 "TLS_AES_256_GCM_SHA384",
6303 "TLS_AES_256_GCM_SHA384"
6308 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6310 SSL_CTX *cctx = NULL, *sctx = NULL;
6311 SSL *clientssl = NULL, *serverssl = NULL;
6314 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6316 if (!TEST_ptr(tmplibctx))
6320 * Regardless of whether we're testing with the FIPS provider loaded into
6321 * libctx, we want one peer to always use the full set of ciphersuites
6322 * available. Therefore we use a separate libctx with the default provider
6323 * loaded into it. We run the same tests twice - once with the client side
6324 * having the full set of ciphersuites and once with the server side.
6327 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6328 if (!TEST_ptr(cctx))
6331 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6332 if (!TEST_ptr(sctx))
6336 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6337 TLS_client_method(),
6339 shared_ciphers_data[tst].maxprot,
6340 &sctx, &cctx, cert, privkey)))
6343 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6344 shared_ciphers_data[tst].clntciphers))
6345 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6346 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6347 shared_ciphers_data[tst].clnttls13ciphers)))
6348 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6349 shared_ciphers_data[tst].srvrciphers))
6350 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6351 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6352 shared_ciphers_data[tst].srvrtls13ciphers))))
6356 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6358 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6362 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6363 || !TEST_int_eq(strcmp(buf,
6365 ? shared_ciphers_data[tst].fipsshared
6366 : shared_ciphers_data[tst].shared),
6368 TEST_info("Shared ciphers are: %s\n", buf);
6375 SSL_free(serverssl);
6376 SSL_free(clientssl);
6379 OPENSSL_CTX_free(tmplibctx);
6384 static int test_ssl_get_shared_ciphers(int tst)
6386 return int_test_ssl_get_shared_ciphers(tst, 0)
6387 && int_test_ssl_get_shared_ciphers(tst, 1);
6391 static const char *appdata = "Hello World";
6392 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6393 static int tick_key_renew = 0;
6394 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6396 static int gen_tick_cb(SSL *s, void *arg)
6398 gen_tick_called = 1;
6400 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6404 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6405 const unsigned char *keyname,
6406 size_t keyname_length,
6407 SSL_TICKET_STATUS status,
6413 dec_tick_called = 1;
6415 if (status == SSL_TICKET_EMPTY)
6416 return SSL_TICKET_RETURN_IGNORE_RENEW;
6418 if (!TEST_true(status == SSL_TICKET_SUCCESS
6419 || status == SSL_TICKET_SUCCESS_RENEW))
6420 return SSL_TICKET_RETURN_ABORT;
6422 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6424 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6425 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6426 return SSL_TICKET_RETURN_ABORT;
6428 if (tick_key_cb_called) {
6429 /* Don't change what the ticket key callback wanted to do */
6431 case SSL_TICKET_NO_DECRYPT:
6432 return SSL_TICKET_RETURN_IGNORE_RENEW;
6434 case SSL_TICKET_SUCCESS:
6435 return SSL_TICKET_RETURN_USE;
6437 case SSL_TICKET_SUCCESS_RENEW:
6438 return SSL_TICKET_RETURN_USE_RENEW;
6441 return SSL_TICKET_RETURN_ABORT;
6444 return tick_dec_ret;
6448 #ifndef OPENSSL_NO_DEPRECATED_3_0
6449 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6450 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6451 HMAC_CTX *hctx, int enc)
6453 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6454 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6455 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6456 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6459 tick_key_cb_called = 1;
6460 memset(iv, 0, AES_BLOCK_SIZE);
6461 memset(key_name, 0, 16);
6462 if (aes128cbc == NULL
6464 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6465 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6469 ret = tick_key_renew ? 2 : 1;
6471 EVP_CIPHER_free(aes128cbc);
6472 EVP_MD_free(sha256);
6478 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6479 unsigned char iv[EVP_MAX_IV_LENGTH],
6480 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6482 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6483 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6484 OSSL_PARAM params[3];
6485 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6488 tick_key_cb_called = 1;
6489 memset(iv, 0, AES_BLOCK_SIZE);
6490 memset(key_name, 0, 16);
6491 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6493 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6495 sizeof(tick_hmac_key));
6496 params[2] = OSSL_PARAM_construct_end();
6497 if (aes128cbc == NULL
6498 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6499 || !EVP_MAC_CTX_set_params(hctx, params)
6500 || !EVP_MAC_init(hctx))
6503 ret = tick_key_renew ? 2 : 1;
6505 EVP_CIPHER_free(aes128cbc);
6511 * Test the various ticket callbacks
6512 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6513 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6514 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6515 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6516 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6517 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6518 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6519 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6520 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6521 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6522 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6523 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6524 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6525 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6526 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6527 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6529 static int test_ticket_callbacks(int tst)
6531 SSL_CTX *cctx = NULL, *sctx = NULL;
6532 SSL *clientssl = NULL, *serverssl = NULL;
6533 SSL_SESSION *clntsess = NULL;
6536 #ifdef OPENSSL_NO_TLS1_2
6540 #ifdef OPENSSL_NO_TLS1_3
6544 #ifdef OPENSSL_NO_DEPRECATED_3_0
6545 if (tst >= 8 && tst <= 11)
6549 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6551 /* Which tests the ticket key callback should request renewal for */
6552 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6557 /* Which tests the decrypt ticket callback should request renewal for */
6561 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6566 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6571 tick_dec_ret = SSL_TICKET_RETURN_USE;
6576 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6580 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6583 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6584 TLS_client_method(),
6586 ((tst % 2) == 0) ? TLS1_2_VERSION
6588 &sctx, &cctx, cert, privkey)))
6592 * We only want sessions to resume from tickets - not the session cache. So
6593 * switch the cache off.
6595 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6598 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6603 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6605 #ifndef OPENSSL_NO_DEPRECATED_3_0
6606 } else if (tst >= 8) {
6607 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6612 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6614 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6619 * The decrypt ticket key callback in TLSv1.2 should be called even though
6620 * we have no ticket yet, because it gets called with a status of
6621 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6622 * actually send any ticket data). This does not happen in TLSv1.3 because
6623 * it is not valid to send empty ticket data in TLSv1.3.
6625 if (!TEST_int_eq(gen_tick_called, 1)
6626 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6629 gen_tick_called = dec_tick_called = 0;
6631 clntsess = SSL_get1_session(clientssl);
6632 SSL_shutdown(clientssl);
6633 SSL_shutdown(serverssl);
6634 SSL_free(serverssl);
6635 SSL_free(clientssl);
6636 serverssl = clientssl = NULL;
6638 /* Now do a resumption */
6639 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6641 || !TEST_true(SSL_set_session(clientssl, clntsess))
6642 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6646 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6647 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6648 if (!TEST_false(SSL_session_reused(clientssl)))
6651 if (!TEST_true(SSL_session_reused(clientssl)))
6655 if (!TEST_int_eq(gen_tick_called,
6657 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6658 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6660 || !TEST_int_eq(dec_tick_called, 1))
6666 SSL_SESSION_free(clntsess);
6667 SSL_free(serverssl);
6668 SSL_free(clientssl);
6676 * Test bi-directional shutdown.
6678 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6679 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6680 * Test 3: TLSv1.3, pending NewSessionTicket messages
6681 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6682 * sends key update, client reads it
6683 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6684 * sends CertificateRequest, client reads and ignores it
6685 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6688 static int test_shutdown(int tst)
6690 SSL_CTX *cctx = NULL, *sctx = NULL;
6691 SSL *clientssl = NULL, *serverssl = NULL;
6693 char msg[] = "A test message";
6695 size_t written, readbytes;
6698 #ifdef OPENSSL_NO_TLS1_2
6702 #ifdef OPENSSL_NO_TLS1_3
6707 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6708 TLS_client_method(),
6710 (tst <= 1) ? TLS1_2_VERSION
6712 &sctx, &cctx, cert, privkey)))
6716 SSL_CTX_set_post_handshake_auth(cctx, 1);
6718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6723 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6725 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6726 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6728 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6730 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6731 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6735 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6740 * Reading on the server after the client has sent close_notify should
6741 * fail and provide SSL_ERROR_ZERO_RETURN
6743 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6744 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6745 SSL_ERROR_ZERO_RETURN)
6746 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6747 SSL_RECEIVED_SHUTDOWN)
6749 * Even though we're shutdown on receive we should still be
6752 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6755 && !TEST_true(SSL_key_update(serverssl,
6756 SSL_KEY_UPDATE_REQUESTED)))
6759 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6760 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6763 if ((tst == 4 || tst == 5)
6764 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6766 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6768 if (tst == 4 || tst == 5) {
6769 /* Should still be able to read data from server */
6770 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6772 || !TEST_size_t_eq(readbytes, sizeof(msg))
6773 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6774 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6776 || !TEST_size_t_eq(readbytes, sizeof(msg))
6777 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6782 /* Writing on the client after sending close_notify shouldn't be possible */
6783 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6788 * For these tests the client has sent close_notify but it has not yet
6789 * been received by the server. The server has not sent close_notify
6792 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6794 * Writing on the server after sending close_notify shouldn't
6797 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6798 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6799 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6800 || !TEST_true(SSL_SESSION_is_resumable(sess))
6801 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6803 } else if (tst == 4 || tst == 5) {
6805 * In this test the client has sent close_notify and it has been
6806 * received by the server which has responded with a close_notify. The
6807 * client needs to read the close_notify sent by the server.
6809 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6810 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6811 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6817 * The client has sent close_notify and is expecting a close_notify
6818 * back, but instead there is application data first. The shutdown
6819 * should fail with a fatal error.
6821 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6822 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6829 SSL_free(serverssl);
6830 SSL_free(clientssl);
6837 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6838 static int cert_cb_cnt;
6840 static int cert_cb(SSL *s, void *arg)
6842 SSL_CTX *ctx = (SSL_CTX *)arg;
6844 EVP_PKEY *pkey = NULL;
6845 X509 *x509 = NULL, *rootx = NULL;
6846 STACK_OF(X509) *chain = NULL;
6847 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6850 if (cert_cb_cnt == 0) {
6851 /* Suspend the handshake */
6854 } else if (cert_cb_cnt == 1) {
6856 * Update the SSL_CTX, set the certificate and private key and then
6857 * continue the handshake normally.
6859 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6862 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6863 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6865 || !TEST_true(SSL_check_private_key(s)))
6869 } else if (cert_cb_cnt == 3) {
6872 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6873 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6874 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6875 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6877 chain = sk_X509_new_null();
6878 if (!TEST_ptr(chain))
6880 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6881 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6882 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6883 || !TEST_true(sk_X509_push(chain, rootx)))
6887 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6888 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6889 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6892 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6893 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6894 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6896 rv = SSL_check_chain(s, x509, pkey, chain);
6898 * If the cert doesn't show as valid here (e.g., because we don't
6899 * have any shared sigalgs), then we will not set it, and there will
6900 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6901 * will cause tls_choose_sigalgs() to fail the connection.
6903 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6904 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6905 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6912 /* Abort the handshake */
6914 OPENSSL_free(ecdsacert);
6915 OPENSSL_free(ecdsakey);
6916 OPENSSL_free(rootfile);
6918 EVP_PKEY_free(pkey);
6921 sk_X509_pop_free(chain, X509_free);
6926 * Test the certificate callback.
6927 * Test 0: Callback fails
6928 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6929 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6930 * Test 3: Success - Call SSL_check_chain from the callback
6931 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6933 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6935 static int test_cert_cb_int(int prot, int tst)
6937 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6938 SSL *clientssl = NULL, *serverssl = NULL;
6939 int testresult = 0, ret;
6941 #ifdef OPENSSL_NO_EC
6942 /* We use an EC cert in these tests, so we skip in a no-ec build */
6947 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6948 TLS_client_method(),
6951 &sctx, &cctx, NULL, NULL)))
6962 snictx = SSL_CTX_new(TLS_server_method());
6963 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6971 * We cause SSL_check_chain() to fail by specifying sig_algs that
6972 * the chain doesn't meet (the root uses an RSA cert)
6974 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6975 "ecdsa_secp256r1_sha256")))
6977 } else if (tst == 5) {
6979 * We cause SSL_check_chain() to fail by specifying sig_algs that
6980 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6982 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6983 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6987 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6988 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6990 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6997 SSL_free(serverssl);
6998 SSL_free(clientssl);
7001 SSL_CTX_free(snictx);
7007 static int test_cert_cb(int tst)
7011 #ifndef OPENSSL_NO_TLS1_2
7012 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7014 #ifndef OPENSSL_NO_TLS1_3
7015 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7021 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7027 /* Check that SSL_get_peer_certificate() returns something sensible */
7028 peer = SSL_get_peer_certificate(ssl);
7029 if (!TEST_ptr(peer))
7033 in = BIO_new_file(cert, "r");
7037 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
7039 if (!TEST_ptr(xcert))
7042 in = BIO_new_file(privkey, "r");
7043 if (!TEST_ptr(in)) {
7048 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
7050 if (!TEST_ptr(privpkey)) {
7061 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7066 static int test_client_cert_cb(int tst)
7068 SSL_CTX *cctx = NULL, *sctx = NULL;
7069 SSL *clientssl = NULL, *serverssl = NULL;
7072 #ifdef OPENSSL_NO_TLS1_2
7076 #ifdef OPENSSL_NO_TLS1_3
7081 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7082 TLS_client_method(),
7084 tst == 0 ? TLS1_2_VERSION
7086 &sctx, &cctx, cert, privkey)))
7090 * Test that setting a client_cert_cb results in a client certificate being
7093 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7094 SSL_CTX_set_verify(sctx,
7095 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7098 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7100 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7107 SSL_free(serverssl);
7108 SSL_free(clientssl);
7115 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7117 * Test setting certificate authorities on both client and server.
7119 * Test 0: SSL_CTX_set0_CA_list() only
7120 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7121 * Test 2: Only SSL_CTX_set_client_CA_list()
7123 static int test_ca_names_int(int prot, int tst)
7125 SSL_CTX *cctx = NULL, *sctx = NULL;
7126 SSL *clientssl = NULL, *serverssl = NULL;
7129 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7130 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7131 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7132 const STACK_OF(X509_NAME) *sktmp = NULL;
7134 for (i = 0; i < OSSL_NELEM(name); i++) {
7135 name[i] = X509_NAME_new();
7136 if (!TEST_ptr(name[i])
7137 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7145 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7146 TLS_client_method(),
7149 &sctx, &cctx, cert, privkey)))
7152 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7154 if (tst == 0 || tst == 1) {
7155 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7156 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7157 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7158 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7159 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7160 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7163 SSL_CTX_set0_CA_list(sctx, sk1);
7164 SSL_CTX_set0_CA_list(cctx, sk2);
7167 if (tst == 1 || tst == 2) {
7168 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7169 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7170 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7171 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7172 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7173 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7176 SSL_CTX_set_client_CA_list(sctx, sk1);
7177 SSL_CTX_set_client_CA_list(cctx, sk2);
7181 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7183 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7188 * We only expect certificate authorities to have been sent to the server
7189 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7191 sktmp = SSL_get0_peer_CA_list(serverssl);
7192 if (prot == TLS1_3_VERSION
7193 && (tst == 0 || tst == 1)) {
7194 if (!TEST_ptr(sktmp)
7195 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7196 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7198 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7201 } else if (!TEST_ptr_null(sktmp)) {
7206 * In all tests we expect certificate authorities to have been sent to the
7207 * client. However, SSL_set_client_CA_list() should override
7208 * SSL_set0_CA_list()
7210 sktmp = SSL_get0_peer_CA_list(clientssl);
7211 if (!TEST_ptr(sktmp)
7212 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7213 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7214 name[tst == 0 ? 0 : 2]), 0)
7215 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7216 name[tst == 0 ? 1 : 3]), 0))
7222 SSL_free(serverssl);
7223 SSL_free(clientssl);
7226 for (i = 0; i < OSSL_NELEM(name); i++)
7227 X509_NAME_free(name[i]);
7228 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7229 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7235 static int test_ca_names(int tst)
7239 #ifndef OPENSSL_NO_TLS1_2
7240 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7242 #ifndef OPENSSL_NO_TLS1_3
7243 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7249 #ifndef OPENSSL_NO_TLS1_2
7250 static const char *multiblock_cipherlist_data[]=
7258 /* Reduce the fragment size - so the multiblock test buffer can be small */
7259 # define MULTIBLOCK_FRAGSIZE 512
7261 static int test_multiblock_write(int test_index)
7263 static const char *fetchable_ciphers[]=
7265 "AES-128-CBC-HMAC-SHA1",
7266 "AES-128-CBC-HMAC-SHA256",
7267 "AES-256-CBC-HMAC-SHA1",
7268 "AES-256-CBC-HMAC-SHA256"
7270 const char *cipherlist = multiblock_cipherlist_data[test_index];
7271 const SSL_METHOD *smeth = TLS_server_method();
7272 const SSL_METHOD *cmeth = TLS_client_method();
7273 int min_version = TLS1_VERSION;
7274 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7275 SSL_CTX *cctx = NULL, *sctx = NULL;
7276 SSL *clientssl = NULL, *serverssl = NULL;
7280 * Choose a buffer large enough to perform a multi-block operation
7281 * i.e: write_len >= 4 * frag_size
7282 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7284 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7285 unsigned char buf[sizeof(msg)], *p = buf;
7286 size_t readbytes, written, len;
7287 EVP_CIPHER *ciph = NULL;
7290 * Check if the cipher exists before attempting to use it since it only has
7291 * a hardware specific implementation.
7293 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7295 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7298 EVP_CIPHER_free(ciph);
7300 /* Set up a buffer with some data that will be sent to the client */
7301 RAND_bytes(msg, sizeof(msg));
7303 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7304 max_version, &sctx, &cctx, cert,
7308 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7315 /* settings to force it to use AES-CBC-HMAC_SHA */
7316 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7317 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7320 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7323 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7324 || !TEST_size_t_eq(written, sizeof(msg)))
7329 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7334 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7339 SSL_free(serverssl);
7340 SSL_free(clientssl);
7346 #endif /* OPENSSL_NO_TLS1_2 */
7349 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7350 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7351 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7352 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7353 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7354 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7355 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7356 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7357 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7358 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7360 static int test_servername(int tst)
7362 SSL_CTX *cctx = NULL, *sctx = NULL;
7363 SSL *clientssl = NULL, *serverssl = NULL;
7365 SSL_SESSION *sess = NULL;
7366 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7368 #ifdef OPENSSL_NO_TLS1_2
7372 #ifdef OPENSSL_NO_TLS1_3
7377 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7378 TLS_client_method(),
7380 (tst <= 4) ? TLS1_2_VERSION
7382 &sctx, &cctx, cert, privkey))
7383 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7387 if (tst != 1 && tst != 6) {
7388 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7393 if (tst != 3 && tst != 8) {
7394 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7396 sexpectedhost = cexpectedhost = "goodhost";
7399 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7402 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7404 || !TEST_str_eq(SSL_get_servername(serverssl,
7405 TLSEXT_NAMETYPE_host_name),
7409 /* Now repeat with a resumption handshake */
7411 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7412 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7413 || !TEST_true(SSL_SESSION_is_resumable(sess))
7414 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7417 SSL_free(clientssl);
7418 SSL_free(serverssl);
7419 clientssl = serverssl = NULL;
7421 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7425 if (!TEST_true(SSL_set_session(clientssl, sess)))
7428 sexpectedhost = cexpectedhost = "goodhost";
7429 if (tst == 2 || tst == 7) {
7430 /* Set an inconsistent hostname */
7431 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7434 * In TLSv1.2 we expect the hostname from the original handshake, in
7435 * TLSv1.3 we expect the hostname from this handshake
7438 sexpectedhost = cexpectedhost = "altgoodhost";
7440 if (!TEST_str_eq(SSL_get_servername(clientssl,
7441 TLSEXT_NAMETYPE_host_name),
7444 } else if (tst == 4 || tst == 9) {
7446 * A TLSv1.3 session does not associate a session with a servername,
7447 * but a TLSv1.2 session does.
7450 sexpectedhost = cexpectedhost = NULL;
7452 if (!TEST_str_eq(SSL_get_servername(clientssl,
7453 TLSEXT_NAMETYPE_host_name),
7457 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7460 * In a TLSv1.2 resumption where the hostname was not acknowledged
7461 * we expect the hostname on the server to be empty. On the client we
7462 * return what was requested in this case.
7464 * Similarly if the client didn't set a hostname on an original TLSv1.2
7465 * session but is now, the server hostname will be empty, but the client
7468 if (tst == 1 || tst == 3)
7469 sexpectedhost = NULL;
7471 if (!TEST_str_eq(SSL_get_servername(clientssl,
7472 TLSEXT_NAMETYPE_host_name),
7477 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7480 if (!TEST_true(SSL_session_reused(clientssl))
7481 || !TEST_true(SSL_session_reused(serverssl))
7482 || !TEST_str_eq(SSL_get_servername(clientssl,
7483 TLSEXT_NAMETYPE_host_name),
7485 || !TEST_str_eq(SSL_get_servername(serverssl,
7486 TLSEXT_NAMETYPE_host_name),
7493 SSL_SESSION_free(sess);
7494 SSL_free(serverssl);
7495 SSL_free(clientssl);
7502 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
7504 int setup_tests(void)
7509 libctx = OPENSSL_CTX_new();
7510 if (!TEST_ptr(libctx))
7513 defctxnull = OSSL_PROVIDER_load(NULL, "null");
7516 * Verify that the default and fips providers in the default libctx are not
7519 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
7520 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
7523 if (!test_skip_common_options()) {
7524 TEST_error("Error parsing test options\n");
7528 if (!TEST_ptr(certsdir = test_get_argument(0))
7529 || !TEST_ptr(srpvfile = test_get_argument(1))
7530 || !TEST_ptr(tmpfilename = test_get_argument(2))
7531 || !TEST_ptr(modulename = test_get_argument(3))
7532 || !TEST_ptr(configfile = test_get_argument(4)))
7535 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
7538 /* Check we have the expected provider available */
7539 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
7542 /* Check the default provider is not available */
7543 if (strcmp(modulename, "default") != 0
7544 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
7547 if (strcmp(modulename, "fips") == 0)
7550 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7551 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7552 TEST_error("not supported in this build");
7555 int i, mcount, rcount, fcount;
7557 for (i = 0; i < 4; i++)
7558 test_export_key_mat(i);
7559 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7560 test_printf_stdout("malloc %d realloc %d free %d\n",
7561 mcount, rcount, fcount);
7566 cert = test_mk_file_path(certsdir, "servercert.pem");
7570 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7571 if (privkey == NULL) {
7576 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7577 && !defined(OPENSSL_NO_SOCK)
7578 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7579 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7580 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7581 ADD_TEST(test_ktls_client_no_txrx_server);
7582 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7583 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7584 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7585 ADD_TEST(test_ktls_client_no_rx_server);
7586 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7587 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7588 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7589 ADD_TEST(test_ktls_client_no_tx_server);
7590 ADD_TEST(test_ktls_no_txrx_client_server);
7591 ADD_TEST(test_ktls_no_rx_client_server);
7592 ADD_TEST(test_ktls_no_tx_client_server);
7593 ADD_TEST(test_ktls_client_server);
7594 ADD_TEST(test_ktls_sendfile);
7596 ADD_TEST(test_large_message_tls);
7597 ADD_TEST(test_large_message_tls_read_ahead);
7598 #ifndef OPENSSL_NO_DTLS
7599 ADD_TEST(test_large_message_dtls);
7601 #ifndef OPENSSL_NO_OCSP
7602 ADD_TEST(test_tlsext_status_type);
7604 ADD_TEST(test_session_with_only_int_cache);
7605 ADD_TEST(test_session_with_only_ext_cache);
7606 ADD_TEST(test_session_with_both_cache);
7607 ADD_TEST(test_session_wo_ca_names);
7608 #ifndef OPENSSL_NO_TLS1_3
7609 ADD_ALL_TESTS(test_stateful_tickets, 3);
7610 ADD_ALL_TESTS(test_stateless_tickets, 3);
7611 ADD_TEST(test_psk_tickets);
7612 ADD_ALL_TESTS(test_extra_tickets, 6);
7614 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7615 ADD_TEST(test_ssl_bio_pop_next_bio);
7616 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7617 ADD_TEST(test_ssl_bio_change_rbio);
7618 ADD_TEST(test_ssl_bio_change_wbio);
7619 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7620 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7621 ADD_TEST(test_keylog);
7623 #ifndef OPENSSL_NO_TLS1_3
7624 ADD_TEST(test_keylog_no_master_key);
7626 #ifndef OPENSSL_NO_TLS1_2
7627 ADD_TEST(test_client_hello_cb);
7628 ADD_TEST(test_no_ems);
7629 ADD_TEST(test_ccs_change_cipher);
7631 #ifndef OPENSSL_NO_TLS1_3
7632 ADD_ALL_TESTS(test_early_data_read_write, 3);
7634 * We don't do replay tests for external PSK. Replay protection isn't used
7637 ADD_ALL_TESTS(test_early_data_replay, 2);
7638 ADD_ALL_TESTS(test_early_data_skip, 3);
7639 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7640 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7641 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7642 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7643 ADD_ALL_TESTS(test_early_data_psk, 8);
7644 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7645 # ifndef OPENSSL_NO_TLS1_2
7646 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7649 #ifndef OPENSSL_NO_TLS1_3
7650 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7651 ADD_TEST(test_ciphersuite_change);
7652 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7653 # ifdef OPENSSL_NO_PSK
7654 ADD_ALL_TESTS(test_tls13_psk, 1);
7656 ADD_ALL_TESTS(test_tls13_psk, 4);
7657 # endif /* OPENSSL_NO_PSK */
7658 # ifndef OPENSSL_NO_TLS1_2
7659 /* Test with both TLSv1.3 and 1.2 versions */
7660 ADD_ALL_TESTS(test_key_exchange, 14);
7662 /* Test with only TLSv1.3 versions */
7663 ADD_ALL_TESTS(test_key_exchange, 12);
7665 ADD_ALL_TESTS(test_custom_exts, 5);
7666 ADD_TEST(test_stateless);
7667 ADD_TEST(test_pha_key_update);
7669 ADD_ALL_TESTS(test_custom_exts, 3);
7671 ADD_ALL_TESTS(test_serverinfo, 8);
7672 ADD_ALL_TESTS(test_export_key_mat, 6);
7673 #ifndef OPENSSL_NO_TLS1_3
7674 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7675 ADD_TEST(test_key_update);
7676 ADD_ALL_TESTS(test_key_update_in_write, 2);
7678 ADD_ALL_TESTS(test_ssl_clear, 2);
7679 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7680 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7681 ADD_ALL_TESTS(test_srp, 6);
7683 ADD_ALL_TESTS(test_info_callback, 6);
7684 ADD_ALL_TESTS(test_ssl_pending, 2);
7685 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7686 ADD_ALL_TESTS(test_ticket_callbacks, 16);
7687 ADD_ALL_TESTS(test_shutdown, 7);
7688 ADD_ALL_TESTS(test_cert_cb, 6);
7689 ADD_ALL_TESTS(test_client_cert_cb, 2);
7690 ADD_ALL_TESTS(test_ca_names, 3);
7691 #ifndef OPENSSL_NO_TLS1_2
7692 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7694 ADD_ALL_TESTS(test_servername, 10);
7698 void cleanup_tests(void)
7701 OPENSSL_free(privkey);
7702 bio_s_mempacket_test_free();
7703 bio_s_always_retry_free();
7704 OSSL_PROVIDER_unload(defctxnull);
7705 OPENSSL_CTX_free(libctx);