2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
18 #include "ssltestlib.h"
20 #include "testutil/output.h"
21 #include "internal/nelem.h"
22 #include "../ssl/ssl_locl.h"
24 static char *cert = NULL;
25 static char *privkey = NULL;
27 #define LOG_BUFFER_SIZE 1024
28 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
29 static size_t server_log_buffer_index = 0;
30 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
31 static size_t client_log_buffer_index = 0;
32 static int error_writing_log = 0;
34 #ifndef OPENSSL_NO_OCSP
35 static const unsigned char orespder[] = "Dummy OCSP Response";
36 static int ocsp_server_called = 0;
37 static int ocsp_client_called = 0;
39 static int cdummyarg = 1;
40 static X509 *ocspcert = NULL;
43 #define NUM_EXTRA_CERTS 40
44 #define CLIENT_VERSION_LEN 2
47 * This structure is used to validate that the correct number of log messages
48 * of various types are emitted when emitting secret logs.
50 struct sslapitest_log_counts {
51 unsigned int rsa_key_exchange_count;
52 unsigned int master_secret_count;
53 unsigned int client_handshake_secret_count;
54 unsigned int server_handshake_secret_count;
55 unsigned int client_application_secret_count;
56 unsigned int server_application_secret_count;
60 static unsigned char serverinfov1[] = {
61 0xff, 0xff, /* Dummy extension type */
62 0x00, 0x01, /* Extension length is 1 byte */
63 0xff /* Dummy extension data */
66 static unsigned char serverinfov2[] = {
68 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
74 static void client_keylog_callback(const SSL *ssl, const char *line)
76 int line_length = strlen(line);
78 /* If the log doesn't fit, error out. */
79 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
80 TEST_info("Client log too full");
81 error_writing_log = 1;
85 strcat(client_log_buffer, line);
86 client_log_buffer_index += line_length;
87 client_log_buffer[client_log_buffer_index++] = '\n';
90 static void server_keylog_callback(const SSL *ssl, const char *line)
92 int line_length = strlen(line);
94 /* If the log doesn't fit, error out. */
95 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
96 TEST_info("Server log too full");
97 error_writing_log = 1;
101 strcat(server_log_buffer, line);
102 server_log_buffer_index += line_length;
103 server_log_buffer[server_log_buffer_index++] = '\n';
106 static int compare_hex_encoded_buffer(const char *hex_encoded,
114 if (!TEST_size_t_eq(raw_length * 2, hex_length))
117 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
118 sprintf(hexed, "%02x", raw[i]);
119 if (!TEST_int_eq(hexed[0], hex_encoded[j])
120 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
127 static int test_keylog_output(char *buffer, const SSL *ssl,
128 const SSL_SESSION *session,
129 struct sslapitest_log_counts *expected)
132 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
133 size_t client_random_size = SSL3_RANDOM_SIZE;
134 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
135 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
136 unsigned int rsa_key_exchange_count = 0;
137 unsigned int master_secret_count = 0;
138 unsigned int client_handshake_secret_count = 0;
139 unsigned int server_handshake_secret_count = 0;
140 unsigned int client_application_secret_count = 0;
141 unsigned int server_application_secret_count = 0;
143 for (token = strtok(buffer, " \n"); token != NULL;
144 token = strtok(NULL, " \n")) {
145 if (strcmp(token, "RSA") == 0) {
147 * Premaster secret. Tokens should be: 16 ASCII bytes of
148 * hex-encoded encrypted secret, then the hex-encoded pre-master
151 if (!TEST_ptr(token = strtok(NULL, " \n")))
153 if (!TEST_size_t_eq(strlen(token), 16))
155 if (!TEST_ptr(token = strtok(NULL, " \n")))
158 * We can't sensibly check the log because the premaster secret is
159 * transient, and OpenSSL doesn't keep hold of it once the master
160 * secret is generated.
162 rsa_key_exchange_count++;
163 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
165 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
166 * client random, then the hex-encoded master secret.
168 client_random_size = SSL_get_client_random(ssl,
169 actual_client_random,
171 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
174 if (!TEST_ptr(token = strtok(NULL, " \n")))
176 if (!TEST_size_t_eq(strlen(token), 64))
178 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
179 actual_client_random,
180 client_random_size)))
183 if (!TEST_ptr(token = strtok(NULL, " \n")))
185 master_key_size = SSL_SESSION_get_master_key(session,
188 if (!TEST_size_t_ne(master_key_size, 0))
190 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
194 master_secret_count++;
195 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
196 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
197 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
198 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
200 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
201 * client random, and then the hex-encoded secret. In this case,
202 * we treat all of these secrets identically and then just
203 * distinguish between them when counting what we saw.
205 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
206 client_handshake_secret_count++;
207 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
208 server_handshake_secret_count++;
209 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
210 client_application_secret_count++;
211 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
212 server_application_secret_count++;
214 client_random_size = SSL_get_client_random(ssl,
215 actual_client_random,
217 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
220 if (!TEST_ptr(token = strtok(NULL, " \n")))
222 if (!TEST_size_t_eq(strlen(token), 64))
224 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
225 actual_client_random,
226 client_random_size)))
229 if (!TEST_ptr(token = strtok(NULL, " \n")))
233 * TODO(TLS1.3): test that application traffic secrets are what
236 TEST_info("Unexpected token %s\n", token);
241 /* Got what we expected? */
242 if (!TEST_size_t_eq(rsa_key_exchange_count,
243 expected->rsa_key_exchange_count)
244 || !TEST_size_t_eq(master_secret_count,
245 expected->master_secret_count)
246 || !TEST_size_t_eq(client_handshake_secret_count,
247 expected->client_handshake_secret_count)
248 || !TEST_size_t_eq(server_handshake_secret_count,
249 expected->server_handshake_secret_count)
250 || !TEST_size_t_eq(client_application_secret_count,
251 expected->client_application_secret_count)
252 || !TEST_size_t_eq(server_application_secret_count,
253 expected->server_application_secret_count))
258 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
259 static int test_keylog(void)
261 SSL_CTX *cctx = NULL, *sctx = NULL;
262 SSL *clientssl = NULL, *serverssl = NULL;
264 struct sslapitest_log_counts expected = {0};
266 /* Clean up logging space */
267 memset(client_log_buffer, 0, sizeof(client_log_buffer));
268 memset(server_log_buffer, 0, sizeof(server_log_buffer));
269 client_log_buffer_index = 0;
270 server_log_buffer_index = 0;
271 error_writing_log = 0;
273 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
275 &sctx, &cctx, cert, privkey)))
278 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
279 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
280 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
282 /* We also want to ensure that we use RSA-based key exchange. */
283 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
286 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
287 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
289 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
290 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
291 == client_keylog_callback))
293 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
294 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
295 == server_keylog_callback))
298 /* Now do a handshake and check that the logs have been written to. */
299 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
300 &clientssl, NULL, NULL))
301 || !TEST_true(create_ssl_connection(serverssl, clientssl,
303 || !TEST_false(error_writing_log)
304 || !TEST_int_gt(client_log_buffer_index, 0)
305 || !TEST_int_gt(server_log_buffer_index, 0))
309 * Now we want to test that our output data was vaguely sensible. We
310 * do that by using strtok and confirming that we have more or less the
311 * data we expect. For both client and server, we expect to see one master
312 * secret. The client should also see a RSA key exchange.
314 expected.rsa_key_exchange_count = 1;
315 expected.master_secret_count = 1;
316 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
317 SSL_get_session(clientssl), &expected)))
320 expected.rsa_key_exchange_count = 0;
321 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
322 SSL_get_session(serverssl), &expected)))
337 #ifndef OPENSSL_NO_TLS1_3
338 static int test_keylog_no_master_key(void)
340 SSL_CTX *cctx = NULL, *sctx = NULL;
341 SSL *clientssl = NULL, *serverssl = NULL;
343 struct sslapitest_log_counts expected = {0};
345 /* Clean up logging space */
346 memset(client_log_buffer, 0, sizeof(client_log_buffer));
347 memset(server_log_buffer, 0, sizeof(server_log_buffer));
348 client_log_buffer_index = 0;
349 server_log_buffer_index = 0;
350 error_writing_log = 0;
352 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
353 TLS_client_method(), &sctx,
354 &cctx, cert, privkey)))
357 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
358 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
361 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
362 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
363 == client_keylog_callback))
366 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
367 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
368 == server_keylog_callback))
371 /* Now do a handshake and check that the logs have been written to. */
372 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
373 &clientssl, NULL, NULL))
374 || !TEST_true(create_ssl_connection(serverssl, clientssl,
376 || !TEST_false(error_writing_log))
380 * Now we want to test that our output data was vaguely sensible. For this
381 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
382 * TLSv1.3, but we do expect both client and server to emit keys.
384 expected.client_handshake_secret_count = 1;
385 expected.server_handshake_secret_count = 1;
386 expected.client_application_secret_count = 1;
387 expected.server_application_secret_count = 1;
388 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
389 SSL_get_session(clientssl), &expected))
390 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
391 SSL_get_session(serverssl),
407 #ifndef OPENSSL_NO_TLS1_2
408 static int full_client_hello_callback(SSL *s, int *al, void *arg)
411 const unsigned char *p;
413 /* We only configure two ciphers, but the SCSV is added automatically. */
415 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
417 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
420 const int expected_extensions[] = {
421 #ifndef OPENSSL_NO_EC
427 /* Make sure we can defer processing and get called back. */
429 return SSL_CLIENT_HELLO_RETRY;
431 len = SSL_client_hello_get0_ciphers(s, &p);
432 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
434 SSL_client_hello_get0_compression_methods(s, &p), 1)
435 || !TEST_int_eq(*p, 0))
436 return SSL_CLIENT_HELLO_ERROR;
437 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
438 return SSL_CLIENT_HELLO_ERROR;
439 if (len != OSSL_NELEM(expected_extensions) ||
440 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
441 printf("ClientHello callback expected extensions mismatch\n");
443 return SSL_CLIENT_HELLO_ERROR;
446 return SSL_CLIENT_HELLO_SUCCESS;
449 static int test_client_hello_cb(void)
451 SSL_CTX *cctx = NULL, *sctx = NULL;
452 SSL *clientssl = NULL, *serverssl = NULL;
453 int testctr = 0, testresult = 0;
455 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
456 TLS_client_method(), &sctx,
457 &cctx, cert, privkey)))
459 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
461 /* The gimpy cipher list we configure can't do TLS 1.3. */
462 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
464 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
465 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
466 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
467 &clientssl, NULL, NULL))
468 || !TEST_false(create_ssl_connection(serverssl, clientssl,
469 SSL_ERROR_WANT_CLIENT_HELLO_CB))
471 * Passing a -1 literal is a hack since
472 * the real value was lost.
474 || !TEST_int_eq(SSL_get_error(serverssl, -1),
475 SSL_ERROR_WANT_CLIENT_HELLO_CB)
476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
492 static int execute_test_large_message(const SSL_METHOD *smeth,
493 const SSL_METHOD *cmeth, int read_ahead)
495 SSL_CTX *cctx = NULL, *sctx = NULL;
496 SSL *clientssl = NULL, *serverssl = NULL;
500 X509 *chaincert = NULL;
503 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
505 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
508 if (!TEST_ptr(chaincert))
511 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
512 &cctx, cert, privkey)))
517 * Test that read_ahead works correctly when dealing with large
520 SSL_CTX_set_read_ahead(cctx, 1);
524 * We assume the supplied certificate is big enough so that if we add
525 * NUM_EXTRA_CERTS it will make the overall message large enough. The
526 * default buffer size is requested to be 16k, but due to the way BUF_MEM
527 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
528 * test we need to have a message larger than that.
530 certlen = i2d_X509(chaincert, NULL);
531 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
532 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
533 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
534 if (!X509_up_ref(chaincert))
536 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
537 X509_free(chaincert);
542 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
544 || !TEST_true(create_ssl_connection(serverssl, clientssl,
549 * Calling SSL_clear() first is not required but this tests that SSL_clear()
550 * doesn't leak (when using enable-crypto-mdebug).
552 if (!TEST_true(SSL_clear(serverssl)))
557 X509_free(chaincert);
566 static int test_large_message_tls(void)
568 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
572 static int test_large_message_tls_read_ahead(void)
574 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
578 #ifndef OPENSSL_NO_DTLS
579 static int test_large_message_dtls(void)
582 * read_ahead is not relevant to DTLS because DTLS always acts as if
585 return execute_test_large_message(DTLS_server_method(),
586 DTLS_client_method(), 0);
590 #ifndef OPENSSL_NO_OCSP
591 static int ocsp_server_cb(SSL *s, void *arg)
593 int *argi = (int *)arg;
594 unsigned char *copy = NULL;
595 STACK_OF(OCSP_RESPID) *ids = NULL;
596 OCSP_RESPID *id = NULL;
599 /* In this test we are expecting exactly 1 OCSP_RESPID */
600 SSL_get_tlsext_status_ids(s, &ids);
601 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
602 return SSL_TLSEXT_ERR_ALERT_FATAL;
604 id = sk_OCSP_RESPID_value(ids, 0);
605 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
606 return SSL_TLSEXT_ERR_ALERT_FATAL;
607 } else if (*argi != 1) {
608 return SSL_TLSEXT_ERR_ALERT_FATAL;
611 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
612 return SSL_TLSEXT_ERR_ALERT_FATAL;
614 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
615 ocsp_server_called = 1;
616 return SSL_TLSEXT_ERR_OK;
619 static int ocsp_client_cb(SSL *s, void *arg)
621 int *argi = (int *)arg;
622 const unsigned char *respderin;
625 if (*argi != 1 && *argi != 2)
628 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
629 if (!TEST_mem_eq(orespder, len, respderin, len))
632 ocsp_client_called = 1;
636 static int test_tlsext_status_type(void)
638 SSL_CTX *cctx = NULL, *sctx = NULL;
639 SSL *clientssl = NULL, *serverssl = NULL;
641 STACK_OF(OCSP_RESPID) *ids = NULL;
642 OCSP_RESPID *id = NULL;
645 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
646 &cctx, cert, privkey))
649 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
652 /* First just do various checks getting and setting tlsext_status_type */
654 clientssl = SSL_new(cctx);
655 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
656 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
657 TLSEXT_STATUSTYPE_ocsp))
658 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
659 TLSEXT_STATUSTYPE_ocsp))
665 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
666 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
669 clientssl = SSL_new(cctx);
670 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
676 * Now actually do a handshake and check OCSP information is exchanged and
677 * the callbacks get called
679 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
680 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
681 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
682 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
683 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
684 &clientssl, NULL, NULL))
685 || !TEST_true(create_ssl_connection(serverssl, clientssl,
687 || !TEST_true(ocsp_client_called)
688 || !TEST_true(ocsp_server_called))
695 /* Try again but this time force the server side callback to fail */
696 ocsp_client_called = 0;
697 ocsp_server_called = 0;
699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
700 &clientssl, NULL, NULL))
701 /* This should fail because the callback will fail */
702 || !TEST_false(create_ssl_connection(serverssl, clientssl,
704 || !TEST_false(ocsp_client_called)
705 || !TEST_false(ocsp_server_called))
713 * This time we'll get the client to send an OCSP_RESPID that it will
716 ocsp_client_called = 0;
717 ocsp_server_called = 0;
719 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
720 &clientssl, NULL, NULL)))
724 * We'll just use any old cert for this test - it doesn't have to be an OCSP
725 * specific one. We'll use the server cert.
727 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
728 || !TEST_ptr(id = OCSP_RESPID_new())
729 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
730 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
732 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
733 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
736 SSL_set_tlsext_status_ids(clientssl, ids);
737 /* Control has been transferred */
743 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
745 || !TEST_true(ocsp_client_called)
746 || !TEST_true(ocsp_server_called))
756 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
757 OCSP_RESPID_free(id);
766 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
767 static int new_called, remove_called, get_called;
769 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
773 * sess has been up-refed for us, but we don't actually need it so free it
776 SSL_SESSION_free(sess);
780 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
785 static SSL_SESSION *get_sess_val = NULL;
787 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
795 static int execute_test_session(int maxprot, int use_int_cache,
798 SSL_CTX *sctx = NULL, *cctx = NULL;
799 SSL *serverssl1 = NULL, *clientssl1 = NULL;
800 SSL *serverssl2 = NULL, *clientssl2 = NULL;
801 # ifndef OPENSSL_NO_TLS1_1
802 SSL *serverssl3 = NULL, *clientssl3 = NULL;
804 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
807 new_called = remove_called = 0;
809 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
810 TLS_client_method(), &sctx,
811 &cctx, cert, privkey)))
815 * Only allow the max protocol version so we can force a connection failure
818 SSL_CTX_set_min_proto_version(cctx, maxprot);
819 SSL_CTX_set_max_proto_version(cctx, maxprot);
821 /* Set up session cache */
823 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
824 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
827 /* Also covers instance where both are set */
828 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
830 SSL_CTX_set_session_cache_mode(cctx,
831 SSL_SESS_CACHE_CLIENT
832 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
837 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
839 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
842 /* Should fail because it should already be in the cache */
843 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
846 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
849 new_called = remove_called = 0;
850 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
851 &clientssl2, NULL, NULL))
852 || !TEST_true(SSL_set_session(clientssl2, sess1))
853 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
855 || !TEST_true(SSL_session_reused(clientssl2)))
858 if (maxprot == TLS1_3_VERSION) {
860 * In TLSv1.3 we should have created a new session even though we have
861 * resumed. The original session should also have been removed.
864 && (!TEST_int_eq(new_called, 1)
865 || !TEST_int_eq(remove_called, 1)))
869 * In TLSv1.2 we expect to have resumed so no sessions added or
873 && (!TEST_int_eq(new_called, 0)
874 || !TEST_int_eq(remove_called, 0)))
878 SSL_SESSION_free(sess1);
879 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
881 shutdown_ssl_connection(serverssl2, clientssl2);
882 serverssl2 = clientssl2 = NULL;
884 new_called = remove_called = 0;
885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
886 &clientssl2, NULL, NULL))
887 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
891 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
895 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
898 new_called = remove_called = 0;
900 * This should clear sess2 from the cache because it is a "bad" session.
901 * See SSL_set_session() documentation.
903 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
906 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
908 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
912 /* Should succeeded because it should not already be in the cache */
913 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
914 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
918 new_called = remove_called = 0;
919 /* This shouldn't be in the cache so should fail */
920 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
924 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
927 # if !defined(OPENSSL_NO_TLS1_1)
928 new_called = remove_called = 0;
929 /* Force a connection failure */
930 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
932 &clientssl3, NULL, NULL))
933 || !TEST_true(SSL_set_session(clientssl3, sess1))
934 /* This should fail because of the mismatched protocol versions */
935 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
939 /* We should have automatically removed the session from the cache */
941 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
944 /* Should succeed because it should not already be in the cache */
945 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
949 /* Now do some tests for server side caching */
951 SSL_CTX_sess_set_new_cb(cctx, NULL);
952 SSL_CTX_sess_set_remove_cb(cctx, NULL);
953 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
954 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
955 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
959 SSL_CTX_set_session_cache_mode(cctx, 0);
960 /* Internal caching is the default on the server side */
962 SSL_CTX_set_session_cache_mode(sctx,
963 SSL_SESS_CACHE_SERVER
964 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
966 SSL_free(serverssl1);
967 SSL_free(clientssl1);
968 serverssl1 = clientssl1 = NULL;
969 SSL_free(serverssl2);
970 SSL_free(clientssl2);
971 serverssl2 = clientssl2 = NULL;
972 SSL_SESSION_free(sess1);
974 SSL_SESSION_free(sess2);
977 SSL_CTX_set_max_proto_version(sctx, maxprot);
978 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
979 new_called = remove_called = get_called = 0;
980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
982 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
984 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
985 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
988 /* Should fail because it should already be in the cache */
989 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
993 SSL_SESSION *tmp = sess2;
995 if (!TEST_int_eq(new_called, 1)
996 || !TEST_int_eq(remove_called, 0)
997 || !TEST_int_eq(get_called, 0))
1000 * Delete the session from the internal cache to force a lookup from
1001 * the external cache. We take a copy first because
1002 * SSL_CTX_remove_session() also marks the session as non-resumable.
1004 if (use_int_cache) {
1005 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1006 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1008 SSL_SESSION_free(sess2);
1013 new_called = remove_called = get_called = 0;
1014 get_sess_val = sess2;
1015 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1016 &clientssl2, NULL, NULL))
1017 || !TEST_true(SSL_set_session(clientssl2, sess1))
1018 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1020 || !TEST_true(SSL_session_reused(clientssl2)))
1023 if (use_ext_cache) {
1024 if (!TEST_int_eq(remove_called, 0))
1027 if (maxprot == TLS1_3_VERSION) {
1029 * Every time we issue a NewSessionTicket we are creating a new
1030 * session for next time in TLSv1.3
1032 if (!TEST_int_eq(new_called, 1)
1033 || !TEST_int_eq(get_called, 0))
1036 if (!TEST_int_eq(new_called, 0)
1037 || !TEST_int_eq(get_called, 1))
1045 SSL_free(serverssl1);
1046 SSL_free(clientssl1);
1047 SSL_free(serverssl2);
1048 SSL_free(clientssl2);
1049 # ifndef OPENSSL_NO_TLS1_1
1050 SSL_free(serverssl3);
1051 SSL_free(clientssl3);
1053 SSL_SESSION_free(sess1);
1054 SSL_SESSION_free(sess2);
1060 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1062 static int test_session_with_only_int_cache(void)
1064 #ifndef OPENSSL_NO_TLS1_3
1065 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1069 #ifndef OPENSSL_NO_TLS1_2
1070 return execute_test_session(TLS1_2_VERSION, 1, 0);
1076 static int test_session_with_only_ext_cache(void)
1078 #ifndef OPENSSL_NO_TLS1_3
1079 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1083 #ifndef OPENSSL_NO_TLS1_2
1084 return execute_test_session(TLS1_2_VERSION, 0, 1);
1090 static int test_session_with_both_cache(void)
1092 #ifndef OPENSSL_NO_TLS1_3
1093 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1097 #ifndef OPENSSL_NO_TLS1_2
1098 return execute_test_session(TLS1_2_VERSION, 1, 1);
1108 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1110 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1125 static int test_ssl_set_bio(int idx)
1130 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1132 int initrbio, initwbio, newrbio, newwbio;
1142 if (!TEST_int_le(newwbio, 2))
1145 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1146 || !TEST_ptr(ssl = SSL_new(ctx)))
1149 if (initrbio == USE_BIO_1
1150 || initwbio == USE_BIO_1
1151 || newrbio == USE_BIO_1
1152 || newwbio == USE_BIO_1) {
1153 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1157 if (initrbio == USE_BIO_2
1158 || initwbio == USE_BIO_2
1159 || newrbio == USE_BIO_2
1160 || newwbio == USE_BIO_2) {
1161 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1165 setupbio(&irbio, bio1, bio2, initrbio);
1166 setupbio(&iwbio, bio1, bio2, initwbio);
1169 * We want to maintain our own refs to these BIO, so do an up ref for each
1170 * BIO that will have ownership transferred in the SSL_set_bio() call
1174 if (iwbio != NULL && iwbio != irbio)
1177 SSL_set_bio(ssl, irbio, iwbio);
1179 setupbio(&nrbio, bio1, bio2, newrbio);
1180 setupbio(&nwbio, bio1, bio2, newwbio);
1183 * We will (maybe) transfer ownership again so do more up refs.
1184 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1189 && (nwbio != iwbio || nrbio != nwbio))
1193 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1196 SSL_set_bio(ssl, nrbio, nwbio);
1206 * This test is checking that the ref counting for SSL_set_bio is correct.
1207 * If we get here and we did too many frees then we will fail in the above
1208 * functions. If we haven't done enough then this will only be detected in
1209 * a crypto-mdebug build
1215 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1217 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1219 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1224 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1225 || !TEST_ptr(ssl = SSL_new(ctx))
1226 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1227 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1230 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1233 * If anything goes wrong here then we could leak memory, so this will
1234 * be caught in a crypto-mdebug build
1236 BIO_push(sslbio, membio1);
1238 /* Verify changing the rbio/wbio directly does not cause leaks */
1239 if (change_bio != NO_BIO_CHANGE) {
1240 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1242 if (change_bio == CHANGE_RBIO)
1243 SSL_set0_rbio(ssl, membio2);
1245 SSL_set0_wbio(ssl, membio2);
1264 static int test_ssl_bio_pop_next_bio(void)
1266 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1269 static int test_ssl_bio_pop_ssl_bio(void)
1271 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1274 static int test_ssl_bio_change_rbio(void)
1276 return execute_test_ssl_bio(0, CHANGE_RBIO);
1279 static int test_ssl_bio_change_wbio(void)
1281 return execute_test_ssl_bio(0, CHANGE_WBIO);
1284 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1286 /* The list of sig algs */
1288 /* The length of the list */
1290 /* A sigalgs list in string format */
1291 const char *liststr;
1292 /* Whether setting the list should succeed */
1294 /* Whether creating a connection with the list should succeed */
1298 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1299 # ifndef OPENSSL_NO_EC
1300 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1301 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1303 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1304 static const int invalidlist2[] = {NID_sha256, NID_undef};
1305 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1306 static const int invalidlist4[] = {NID_sha256};
1307 static const sigalgs_list testsigalgs[] = {
1308 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1309 # ifndef OPENSSL_NO_EC
1310 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1311 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1313 {NULL, 0, "RSA+SHA256", 1, 1},
1314 # ifndef OPENSSL_NO_EC
1315 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1316 {NULL, 0, "ECDSA+SHA512", 1, 0},
1318 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1319 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1320 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1321 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1322 {NULL, 0, "RSA", 0, 0},
1323 {NULL, 0, "SHA256", 0, 0},
1324 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1325 {NULL, 0, "Invalid", 0, 0}
1328 static int test_set_sigalgs(int idx)
1330 SSL_CTX *cctx = NULL, *sctx = NULL;
1331 SSL *clientssl = NULL, *serverssl = NULL;
1333 const sigalgs_list *curr;
1336 /* Should never happen */
1337 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1340 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1341 curr = testctx ? &testsigalgs[idx]
1342 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1344 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1345 TLS_client_method(), &sctx,
1346 &cctx, cert, privkey)))
1350 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1351 * for TLSv1.2 for now until we add a new API.
1353 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1358 if (curr->list != NULL)
1359 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1361 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1365 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1371 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1376 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1377 &clientssl, NULL, NULL)))
1383 if (curr->list != NULL)
1384 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1386 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1389 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1398 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1406 SSL_free(serverssl);
1407 SSL_free(clientssl);
1415 #ifndef OPENSSL_NO_TLS1_3
1417 static SSL_SESSION *clientpsk = NULL;
1418 static SSL_SESSION *serverpsk = NULL;
1419 static const char *pskid = "Identity";
1420 static const char *srvid;
1422 static int use_session_cb_cnt = 0;
1423 static int find_session_cb_cnt = 0;
1424 static int psk_client_cb_cnt = 0;
1425 static int psk_server_cb_cnt = 0;
1427 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1428 size_t *idlen, SSL_SESSION **sess)
1430 switch (++use_session_cb_cnt) {
1432 /* The first call should always have a NULL md */
1438 /* The second call should always have an md */
1444 /* We should only be called a maximum of twice */
1448 if (clientpsk != NULL)
1449 SSL_SESSION_up_ref(clientpsk);
1452 *id = (const unsigned char *)pskid;
1453 *idlen = strlen(pskid);
1458 #ifndef OPENSSL_NO_PSK
1459 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1460 unsigned int max_id_len,
1462 unsigned int max_psk_len)
1464 unsigned int psklen = 0;
1466 psk_client_cb_cnt++;
1468 if (strlen(pskid) + 1 > max_id_len)
1471 /* We should only ever be called a maximum of twice per connection */
1472 if (psk_client_cb_cnt > 2)
1475 if (clientpsk == NULL)
1478 /* We'll reuse the PSK we set up for TLSv1.3 */
1479 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1481 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1482 strncpy(id, pskid, max_id_len);
1486 #endif /* OPENSSL_NO_PSK */
1488 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1489 size_t identity_len, SSL_SESSION **sess)
1491 find_session_cb_cnt++;
1493 /* We should only ever be called a maximum of twice per connection */
1494 if (find_session_cb_cnt > 2)
1497 if (serverpsk == NULL)
1500 /* Identity should match that set by the client */
1501 if (strlen(srvid) != identity_len
1502 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1503 /* No PSK found, continue but without a PSK */
1508 SSL_SESSION_up_ref(serverpsk);
1514 #ifndef OPENSSL_NO_PSK
1515 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1516 unsigned char *psk, unsigned int max_psk_len)
1518 unsigned int psklen = 0;
1520 psk_server_cb_cnt++;
1522 /* We should only ever be called a maximum of twice per connection */
1523 if (find_session_cb_cnt > 2)
1526 if (serverpsk == NULL)
1529 /* Identity should match that set by the client */
1530 if (strcmp(srvid, identity) != 0) {
1534 /* We'll reuse the PSK we set up for TLSv1.3 */
1535 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1537 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1541 #endif /* OPENSSL_NO_PSK */
1543 #define MSG1 "Hello"
1544 #define MSG2 "World."
1549 #define MSG7 "message."
1551 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1552 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1555 * Helper method to setup objects for early data test. Caller frees objects on
1558 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1559 SSL **serverssl, SSL_SESSION **sess, int idx)
1561 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1562 TLS_client_method(), sctx,
1563 cctx, cert, privkey))
1564 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1565 SSL3_RT_MAX_PLAIN_LENGTH))
1566 || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
1567 SSL3_RT_MAX_PLAIN_LENGTH)))
1571 /* When idx == 1 we repeat the tests with read_ahead set */
1572 SSL_CTX_set_read_ahead(*cctx, 1);
1573 SSL_CTX_set_read_ahead(*sctx, 1);
1574 } else if (idx == 2) {
1575 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1576 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1577 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1578 use_session_cb_cnt = 0;
1579 find_session_cb_cnt = 0;
1583 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1588 * For one of the run throughs (doesn't matter which one), we'll try sending
1589 * some SNI data in the initial ClientHello. This will be ignored (because
1590 * there is no SNI cb set up by the server), so it should not impact
1594 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1598 /* Create the PSK */
1599 const SSL_CIPHER *cipher = NULL;
1600 const unsigned char key[] = {
1601 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1602 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1603 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1604 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1605 0x2c, 0x2d, 0x2e, 0x2f
1608 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1609 clientpsk = SSL_SESSION_new();
1610 if (!TEST_ptr(clientpsk)
1611 || !TEST_ptr(cipher)
1612 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1614 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1616 SSL_SESSION_set_protocol_version(clientpsk,
1619 * We just choose an arbitrary value for max_early_data which
1620 * should be big enough for testing purposes.
1622 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1624 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1625 SSL_SESSION_free(clientpsk);
1629 serverpsk = clientpsk;
1639 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1643 *sess = SSL_get1_session(*clientssl);
1644 SSL_shutdown(*clientssl);
1645 SSL_shutdown(*serverssl);
1646 SSL_free(*serverssl);
1647 SSL_free(*clientssl);
1648 *serverssl = *clientssl = NULL;
1650 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1651 clientssl, NULL, NULL))
1652 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1658 static int test_early_data_read_write(int idx)
1660 SSL_CTX *cctx = NULL, *sctx = NULL;
1661 SSL *clientssl = NULL, *serverssl = NULL;
1663 SSL_SESSION *sess = NULL;
1664 unsigned char buf[20], data[1024];
1665 size_t readbytes, written, eoedlen, rawread, rawwritten;
1668 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1669 &serverssl, &sess, idx)))
1672 /* Write and read some early data */
1673 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1675 || !TEST_size_t_eq(written, strlen(MSG1))
1676 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1677 sizeof(buf), &readbytes),
1678 SSL_READ_EARLY_DATA_SUCCESS)
1679 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1680 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1681 SSL_EARLY_DATA_ACCEPTED))
1685 * Server should be able to write data, and client should be able to
1688 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1690 || !TEST_size_t_eq(written, strlen(MSG2))
1691 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1692 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1695 /* Even after reading normal data, client should be able write early data */
1696 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1698 || !TEST_size_t_eq(written, strlen(MSG3)))
1701 /* Server should still be able read early data after writing data */
1702 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1704 SSL_READ_EARLY_DATA_SUCCESS)
1705 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1708 /* Write more data from server and read it from client */
1709 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1711 || !TEST_size_t_eq(written, strlen(MSG4))
1712 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1713 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1717 * If client writes normal data it should mean writing early data is no
1720 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1721 || !TEST_size_t_eq(written, strlen(MSG5))
1722 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1723 SSL_EARLY_DATA_ACCEPTED))
1727 * At this point the client has written EndOfEarlyData, ClientFinished and
1728 * normal (fully protected) data. We are going to cause a delay between the
1729 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1730 * in the read BIO, and then just put back the EndOfEarlyData message.
1732 rbio = SSL_get_rbio(serverssl);
1733 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1734 || !TEST_size_t_lt(rawread, sizeof(data))
1735 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1738 /* Record length is in the 4th and 5th bytes of the record header */
1739 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1740 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1741 || !TEST_size_t_eq(rawwritten, eoedlen))
1744 /* Server should be told that there is no more early data */
1745 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1747 SSL_READ_EARLY_DATA_FINISH)
1748 || !TEST_size_t_eq(readbytes, 0))
1752 * Server has not finished init yet, so should still be able to write early
1755 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1757 || !TEST_size_t_eq(written, strlen(MSG6)))
1760 /* Push the ClientFinished and the normal data back into the server rbio */
1761 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1763 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1766 /* Server should be able to read normal data */
1767 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1768 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1771 /* Client and server should not be able to write/read early data now */
1772 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1776 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1778 SSL_READ_EARLY_DATA_ERROR))
1782 /* Client should be able to read the data sent by the server */
1783 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1784 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1788 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1789 * We attempt a read which we do not expect to return any data.
1791 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1794 /* Server should be able to write normal data */
1795 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1796 || !TEST_size_t_eq(written, strlen(MSG7))
1797 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1798 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1801 /* We keep the PSK session around if using PSK */
1803 SSL_SESSION_free(sess);
1804 sess = SSL_get1_session(clientssl);
1805 use_session_cb_cnt = 0;
1806 find_session_cb_cnt = 0;
1808 SSL_shutdown(clientssl);
1809 SSL_shutdown(serverssl);
1810 SSL_free(serverssl);
1811 SSL_free(clientssl);
1812 serverssl = clientssl = NULL;
1813 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1814 &clientssl, NULL, NULL))
1815 || !TEST_true(SSL_set_session(clientssl, sess)))
1818 /* Write and read some early data */
1819 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1821 || !TEST_size_t_eq(written, strlen(MSG1))
1822 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1824 SSL_READ_EARLY_DATA_SUCCESS)
1825 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1828 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1829 || !TEST_int_gt(SSL_accept(serverssl), 0))
1832 /* Client and server should not be able to write/read early data now */
1833 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1837 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1839 SSL_READ_EARLY_DATA_ERROR))
1843 /* Client and server should be able to write/read normal data */
1844 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1845 || !TEST_size_t_eq(written, strlen(MSG5))
1846 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1847 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1853 if (sess != clientpsk)
1854 SSL_SESSION_free(sess);
1855 SSL_SESSION_free(clientpsk);
1856 SSL_SESSION_free(serverpsk);
1857 clientpsk = serverpsk = NULL;
1858 SSL_free(serverssl);
1859 SSL_free(clientssl);
1865 static int test_early_data_replay(int idx)
1867 SSL_CTX *cctx = NULL, *sctx = NULL;
1868 SSL *clientssl = NULL, *serverssl = NULL;
1870 SSL_SESSION *sess = NULL;
1872 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1873 &serverssl, &sess, idx)))
1877 * The server is configured to accept early data. Create a connection to
1878 * "use up" the ticket
1880 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
1881 || !TEST_true(SSL_session_reused(clientssl)))
1884 SSL_shutdown(clientssl);
1885 SSL_shutdown(serverssl);
1886 SSL_free(serverssl);
1887 SSL_free(clientssl);
1888 serverssl = clientssl = NULL;
1890 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1891 &clientssl, NULL, NULL))
1892 || !TEST_true(SSL_set_session(clientssl, sess))
1893 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1896 * This time we should not have resumed the session because we
1897 * already used it once.
1899 || !TEST_false(SSL_session_reused(clientssl)))
1905 if (sess != clientpsk)
1906 SSL_SESSION_free(sess);
1907 SSL_SESSION_free(clientpsk);
1908 SSL_SESSION_free(serverpsk);
1909 clientpsk = serverpsk = NULL;
1910 SSL_free(serverssl);
1911 SSL_free(clientssl);
1918 * Helper function to test that a server attempting to read early data can
1919 * handle a connection from a client where the early data should be skipped.
1921 static int early_data_skip_helper(int hrr, int idx)
1923 SSL_CTX *cctx = NULL, *sctx = NULL;
1924 SSL *clientssl = NULL, *serverssl = NULL;
1926 SSL_SESSION *sess = NULL;
1927 unsigned char buf[20];
1928 size_t readbytes, written;
1930 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1931 &serverssl, &sess, idx)))
1935 /* Force an HRR to occur */
1936 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1938 } else if (idx == 2) {
1940 * We force early_data rejection by ensuring the PSK identity is
1943 srvid = "Dummy Identity";
1946 * Deliberately corrupt the creation time. We take 20 seconds off the
1947 * time. It could be any value as long as it is not within tolerance.
1948 * This should mean the ticket is rejected.
1950 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
1954 /* Write some early data */
1955 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1957 || !TEST_size_t_eq(written, strlen(MSG1)))
1960 /* Server should reject the early data and skip over it */
1961 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1963 SSL_READ_EARLY_DATA_FINISH)
1964 || !TEST_size_t_eq(readbytes, 0)
1965 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1966 SSL_EARLY_DATA_REJECTED))
1971 * Finish off the handshake. We perform the same writes and reads as
1972 * further down but we expect them to fail due to the incomplete
1975 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1976 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1981 /* Should be able to send normal data despite rejection of early data */
1982 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1983 || !TEST_size_t_eq(written, strlen(MSG2))
1984 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1985 SSL_EARLY_DATA_REJECTED)
1986 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1987 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1993 if (sess != clientpsk)
1994 SSL_SESSION_free(clientpsk);
1995 SSL_SESSION_free(serverpsk);
1996 clientpsk = serverpsk = NULL;
1997 SSL_SESSION_free(sess);
1998 SSL_free(serverssl);
1999 SSL_free(clientssl);
2006 * Test that a server attempting to read early data can handle a connection
2007 * from a client where the early data is not acceptable.
2009 static int test_early_data_skip(int idx)
2011 return early_data_skip_helper(0, idx);
2015 * Test that a server attempting to read early data can handle a connection
2016 * from a client where an HRR occurs.
2018 static int test_early_data_skip_hrr(int idx)
2020 return early_data_skip_helper(1, idx);
2024 * Test that a server attempting to read early data can handle a connection
2025 * from a client that doesn't send any.
2027 static int test_early_data_not_sent(int idx)
2029 SSL_CTX *cctx = NULL, *sctx = NULL;
2030 SSL *clientssl = NULL, *serverssl = NULL;
2032 SSL_SESSION *sess = NULL;
2033 unsigned char buf[20];
2034 size_t readbytes, written;
2036 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2037 &serverssl, &sess, idx)))
2040 /* Write some data - should block due to handshake with server */
2041 SSL_set_connect_state(clientssl);
2042 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2045 /* Server should detect that early data has not been sent */
2046 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2048 SSL_READ_EARLY_DATA_FINISH)
2049 || !TEST_size_t_eq(readbytes, 0)
2050 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2051 SSL_EARLY_DATA_NOT_SENT)
2052 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2053 SSL_EARLY_DATA_NOT_SENT))
2056 /* Continue writing the message we started earlier */
2057 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2058 || !TEST_size_t_eq(written, strlen(MSG1))
2059 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2060 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2061 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2062 || !TEST_size_t_eq(written, strlen(MSG2)))
2066 * Should block due to the NewSessionTicket arrival unless we're using
2070 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2074 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2075 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2081 /* If using PSK then clientpsk and sess are the same */
2082 SSL_SESSION_free(sess);
2083 SSL_SESSION_free(serverpsk);
2084 clientpsk = serverpsk = NULL;
2085 SSL_free(serverssl);
2086 SSL_free(clientssl);
2092 static int hostname_cb(SSL *s, int *al, void *arg)
2094 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2096 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2097 return SSL_TLSEXT_ERR_OK;
2099 return SSL_TLSEXT_ERR_NOACK;
2102 static const char *servalpn;
2104 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2105 unsigned char *outlen, const unsigned char *in,
2106 unsigned int inlen, void *arg)
2108 unsigned int protlen = 0;
2109 const unsigned char *prot;
2111 for (prot = in; prot < in + inlen; prot += protlen) {
2113 if (in + inlen < prot + protlen)
2114 return SSL_TLSEXT_ERR_NOACK;
2116 if (protlen == strlen(servalpn)
2117 && memcmp(prot, servalpn, protlen) == 0) {
2120 return SSL_TLSEXT_ERR_OK;
2124 return SSL_TLSEXT_ERR_NOACK;
2127 /* Test that a PSK can be used to send early_data */
2128 static int test_early_data_psk(int idx)
2130 SSL_CTX *cctx = NULL, *sctx = NULL;
2131 SSL *clientssl = NULL, *serverssl = NULL;
2133 SSL_SESSION *sess = NULL;
2134 unsigned char alpnlist[] = {
2135 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2138 #define GOODALPNLEN 9
2139 #define BADALPNLEN 8
2140 #define GOODALPN (alpnlist)
2141 #define BADALPN (alpnlist + GOODALPNLEN)
2143 unsigned char buf[20];
2144 size_t readbytes, written;
2145 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2146 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2148 /* We always set this up with a final parameter of "2" for PSK */
2149 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2150 &serverssl, &sess, 2)))
2153 servalpn = "goodalpn";
2156 * Note: There is no test for inconsistent SNI with late client detection.
2157 * This is because servers do not acknowledge SNI even if they are using
2158 * it in a resumption handshake - so it is not actually possible for a
2159 * client to detect a problem.
2163 /* Set inconsistent SNI (early client detection) */
2164 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2165 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2166 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2171 /* Set inconsistent ALPN (early client detection) */
2172 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2173 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2174 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2176 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2183 * Set invalid protocol version. Technically this affects PSKs without
2184 * early_data too, but we test it here because it is similar to the
2185 * SNI/ALPN consistency tests.
2187 err = SSL_R_BAD_PSK;
2188 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2194 * Set inconsistent SNI (server detected). In this case the connection
2195 * will succeed but reject early_data.
2197 SSL_SESSION_free(serverpsk);
2198 serverpsk = SSL_SESSION_dup(clientpsk);
2199 if (!TEST_ptr(serverpsk)
2200 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2202 edstatus = SSL_EARLY_DATA_REJECTED;
2203 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2206 /* Set consistent SNI */
2207 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2208 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2209 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2216 * Set inconsistent ALPN (server detected). In this case the connection
2217 * will succeed but reject early_data.
2219 servalpn = "badalpn";
2220 edstatus = SSL_EARLY_DATA_REJECTED;
2221 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2225 * Set consistent ALPN.
2226 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2227 * accepts a list of protos (each one length prefixed).
2228 * SSL_set1_alpn_selected accepts a single protocol (not length
2231 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2233 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2237 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2241 /* Set inconsistent ALPN (late client detection) */
2242 SSL_SESSION_free(serverpsk);
2243 serverpsk = SSL_SESSION_dup(clientpsk);
2244 if (!TEST_ptr(serverpsk)
2245 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2248 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2251 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2254 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2255 edstatus = SSL_EARLY_DATA_ACCEPTED;
2256 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2257 /* SSL_connect() call should fail */
2262 TEST_error("Bad test index");
2266 SSL_set_connect_state(clientssl);
2268 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2270 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2271 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2274 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2278 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2279 &readbytes), readearlyres)
2280 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2281 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2282 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2283 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2290 SSL_SESSION_free(clientpsk);
2291 SSL_SESSION_free(serverpsk);
2292 clientpsk = serverpsk = NULL;
2293 SSL_free(serverssl);
2294 SSL_free(clientssl);
2301 * Test that a server that doesn't try to read early data can handle a
2302 * client sending some.
2304 static int test_early_data_not_expected(int idx)
2306 SSL_CTX *cctx = NULL, *sctx = NULL;
2307 SSL *clientssl = NULL, *serverssl = NULL;
2309 SSL_SESSION *sess = NULL;
2310 unsigned char buf[20];
2311 size_t readbytes, written;
2313 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2314 &serverssl, &sess, idx)))
2317 /* Write some early data */
2318 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2323 * Server should skip over early data and then block waiting for client to
2324 * continue handshake
2326 if (!TEST_int_le(SSL_accept(serverssl), 0)
2327 || !TEST_int_gt(SSL_connect(clientssl), 0)
2328 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2329 SSL_EARLY_DATA_REJECTED)
2330 || !TEST_int_gt(SSL_accept(serverssl), 0)
2331 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2332 SSL_EARLY_DATA_REJECTED))
2335 /* Send some normal data from client to server */
2336 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2337 || !TEST_size_t_eq(written, strlen(MSG2)))
2340 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2341 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2347 /* If using PSK then clientpsk and sess are the same */
2348 SSL_SESSION_free(sess);
2349 SSL_SESSION_free(serverpsk);
2350 clientpsk = serverpsk = NULL;
2351 SSL_free(serverssl);
2352 SSL_free(clientssl);
2359 # ifndef OPENSSL_NO_TLS1_2
2361 * Test that a server attempting to read early data can handle a connection
2362 * from a TLSv1.2 client.
2364 static int test_early_data_tls1_2(int idx)
2366 SSL_CTX *cctx = NULL, *sctx = NULL;
2367 SSL *clientssl = NULL, *serverssl = NULL;
2369 unsigned char buf[20];
2370 size_t readbytes, written;
2372 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2373 &serverssl, NULL, idx)))
2376 /* Write some data - should block due to handshake with server */
2377 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2378 SSL_set_connect_state(clientssl);
2379 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2383 * Server should do TLSv1.2 handshake. First it will block waiting for more
2384 * messages from client after ServerDone. Then SSL_read_early_data should
2385 * finish and detect that early data has not been sent
2387 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2389 SSL_READ_EARLY_DATA_ERROR))
2393 * Continue writing the message we started earlier. Will still block waiting
2394 * for the CCS/Finished from server
2396 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2397 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2399 SSL_READ_EARLY_DATA_FINISH)
2400 || !TEST_size_t_eq(readbytes, 0)
2401 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2402 SSL_EARLY_DATA_NOT_SENT))
2405 /* Continue writing the message we started earlier */
2406 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2407 || !TEST_size_t_eq(written, strlen(MSG1))
2408 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2409 SSL_EARLY_DATA_NOT_SENT)
2410 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2411 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2412 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2413 || !TEST_size_t_eq(written, strlen(MSG2))
2414 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2415 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2421 /* If using PSK then clientpsk and sess are the same */
2422 SSL_SESSION_free(clientpsk);
2423 SSL_SESSION_free(serverpsk);
2424 clientpsk = serverpsk = NULL;
2425 SSL_free(serverssl);
2426 SSL_free(clientssl);
2432 # endif /* OPENSSL_NO_TLS1_2 */
2434 static int test_ciphersuite_change(void)
2436 SSL_CTX *cctx = NULL, *sctx = NULL;
2437 SSL *clientssl = NULL, *serverssl = NULL;
2438 SSL_SESSION *clntsess = NULL;
2440 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2442 /* Create a session based on SHA-256 */
2443 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2444 TLS_client_method(), &sctx,
2445 &cctx, cert, privkey))
2446 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2447 "TLS_AES_128_GCM_SHA256"))
2448 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2449 &clientssl, NULL, NULL))
2450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2454 clntsess = SSL_get1_session(clientssl);
2455 /* Save for later */
2456 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2457 SSL_shutdown(clientssl);
2458 SSL_shutdown(serverssl);
2459 SSL_free(serverssl);
2460 SSL_free(clientssl);
2461 serverssl = clientssl = NULL;
2463 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2464 /* Check we can resume a session with a different SHA-256 ciphersuite */
2465 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2466 "TLS_CHACHA20_POLY1305_SHA256"))
2467 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2469 || !TEST_true(SSL_set_session(clientssl, clntsess))
2470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2472 || !TEST_true(SSL_session_reused(clientssl)))
2475 SSL_SESSION_free(clntsess);
2476 clntsess = SSL_get1_session(clientssl);
2477 SSL_shutdown(clientssl);
2478 SSL_shutdown(serverssl);
2479 SSL_free(serverssl);
2480 SSL_free(clientssl);
2481 serverssl = clientssl = NULL;
2485 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2486 * succeeds but does not resume.
2488 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2489 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2491 || !TEST_true(SSL_set_session(clientssl, clntsess))
2492 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2494 || !TEST_false(SSL_session_reused(clientssl)))
2497 SSL_SESSION_free(clntsess);
2499 SSL_shutdown(clientssl);
2500 SSL_shutdown(serverssl);
2501 SSL_free(serverssl);
2502 SSL_free(clientssl);
2503 serverssl = clientssl = NULL;
2505 /* Create a session based on SHA384 */
2506 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2507 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2508 &clientssl, NULL, NULL))
2509 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2513 clntsess = SSL_get1_session(clientssl);
2514 SSL_shutdown(clientssl);
2515 SSL_shutdown(serverssl);
2516 SSL_free(serverssl);
2517 SSL_free(clientssl);
2518 serverssl = clientssl = NULL;
2520 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2521 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2522 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2523 "TLS_AES_256_GCM_SHA384"))
2524 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2526 || !TEST_true(SSL_set_session(clientssl, clntsess))
2528 * We use SSL_ERROR_WANT_READ below so that we can pause the
2529 * connection after the initial ClientHello has been sent to
2530 * enable us to make some session changes.
2532 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2533 SSL_ERROR_WANT_READ)))
2536 /* Trick the client into thinking this session is for a different digest */
2537 clntsess->cipher = aes_128_gcm_sha256;
2538 clntsess->cipher_id = clntsess->cipher->id;
2541 * Continue the previously started connection. Server has selected a SHA-384
2542 * ciphersuite, but client thinks the session is for SHA-256, so it should
2545 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2547 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2548 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2554 SSL_SESSION_free(clntsess);
2555 SSL_free(serverssl);
2556 SSL_free(clientssl);
2563 static int test_tls13_psk(int idx)
2565 SSL_CTX *sctx = NULL, *cctx = NULL;
2566 SSL *serverssl = NULL, *clientssl = NULL;
2567 const SSL_CIPHER *cipher = NULL;
2568 const unsigned char key[] = {
2569 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2570 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2571 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2572 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2576 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2577 TLS_client_method(), &sctx,
2578 &cctx, cert, privkey)))
2582 * We use a ciphersuite with SHA256 to ease testing old style PSK callbacks
2583 * which will always default to SHA256
2585 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")))
2589 * Test 0: New style callbacks only
2590 * Test 1: New and old style callbacks (only the new ones should be used)
2591 * Test 2: Old style callbacks only
2593 if (idx == 0 || idx == 1) {
2594 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2595 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2597 #ifndef OPENSSL_NO_PSK
2598 if (idx == 1 || idx == 2) {
2599 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2600 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2604 use_session_cb_cnt = 0;
2605 find_session_cb_cnt = 0;
2606 psk_client_cb_cnt = 0;
2607 psk_server_cb_cnt = 0;
2609 /* Check we can create a connection if callback decides not to send a PSK */
2610 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2612 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2614 || !TEST_false(SSL_session_reused(clientssl))
2615 || !TEST_false(SSL_session_reused(serverssl)))
2618 if (idx == 0 || idx == 1) {
2619 if (!TEST_true(use_session_cb_cnt == 1)
2620 || !TEST_true(find_session_cb_cnt == 0)
2622 * If no old style callback then below should be 0
2625 || !TEST_true(psk_client_cb_cnt == idx)
2626 || !TEST_true(psk_server_cb_cnt == 0))
2629 if (!TEST_true(use_session_cb_cnt == 0)
2630 || !TEST_true(find_session_cb_cnt == 0)
2631 || !TEST_true(psk_client_cb_cnt == 1)
2632 || !TEST_true(psk_server_cb_cnt == 0))
2636 shutdown_ssl_connection(serverssl, clientssl);
2637 serverssl = clientssl = NULL;
2638 use_session_cb_cnt = psk_client_cb_cnt = 0;
2640 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2644 /* Create the PSK */
2645 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
2646 clientpsk = SSL_SESSION_new();
2647 if (!TEST_ptr(clientpsk)
2648 || !TEST_ptr(cipher)
2649 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2651 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2652 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2654 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2656 serverpsk = clientpsk;
2658 /* Check we can create a connection and the PSK is used */
2659 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2660 || !TEST_true(SSL_session_reused(clientssl))
2661 || !TEST_true(SSL_session_reused(serverssl)))
2664 if (idx == 0 || idx == 1) {
2665 if (!TEST_true(use_session_cb_cnt == 1)
2666 || !TEST_true(find_session_cb_cnt == 1)
2667 || !TEST_true(psk_client_cb_cnt == 0)
2668 || !TEST_true(psk_server_cb_cnt == 0))
2671 if (!TEST_true(use_session_cb_cnt == 0)
2672 || !TEST_true(find_session_cb_cnt == 0)
2673 || !TEST_true(psk_client_cb_cnt == 1)
2674 || !TEST_true(psk_server_cb_cnt == 1))
2678 shutdown_ssl_connection(serverssl, clientssl);
2679 serverssl = clientssl = NULL;
2680 use_session_cb_cnt = find_session_cb_cnt = 0;
2681 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2683 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2688 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2692 * Check we can create a connection, the PSK is used and the callbacks are
2695 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2696 || !TEST_true(SSL_session_reused(clientssl))
2697 || !TEST_true(SSL_session_reused(serverssl)))
2700 if (idx == 0 || idx == 1) {
2701 if (!TEST_true(use_session_cb_cnt == 2)
2702 || !TEST_true(find_session_cb_cnt == 2)
2703 || !TEST_true(psk_client_cb_cnt == 0)
2704 || !TEST_true(psk_server_cb_cnt == 0))
2707 if (!TEST_true(use_session_cb_cnt == 0)
2708 || !TEST_true(find_session_cb_cnt == 0)
2709 || !TEST_true(psk_client_cb_cnt == 2)
2710 || !TEST_true(psk_server_cb_cnt == 2))
2714 shutdown_ssl_connection(serverssl, clientssl);
2715 serverssl = clientssl = NULL;
2716 use_session_cb_cnt = find_session_cb_cnt = 0;
2717 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2720 * Check that if the server rejects the PSK we can still connect, but with
2723 srvid = "Dummy Identity";
2724 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2726 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2728 || !TEST_false(SSL_session_reused(clientssl))
2729 || !TEST_false(SSL_session_reused(serverssl)))
2732 if (idx == 0 || idx == 1) {
2733 if (!TEST_true(use_session_cb_cnt == 1)
2734 || !TEST_true(find_session_cb_cnt == 1)
2735 || !TEST_true(psk_client_cb_cnt == 0)
2737 * If no old style callback then below should be 0
2740 || !TEST_true(psk_server_cb_cnt == idx))
2743 if (!TEST_true(use_session_cb_cnt == 0)
2744 || !TEST_true(find_session_cb_cnt == 0)
2745 || !TEST_true(psk_client_cb_cnt == 1)
2746 || !TEST_true(psk_server_cb_cnt == 1))
2750 shutdown_ssl_connection(serverssl, clientssl);
2751 serverssl = clientssl = NULL;
2755 SSL_SESSION_free(clientpsk);
2756 SSL_SESSION_free(serverpsk);
2757 clientpsk = serverpsk = NULL;
2758 SSL_free(serverssl);
2759 SSL_free(clientssl);
2765 static unsigned char cookie_magic_value[] = "cookie magic";
2767 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2768 unsigned int *cookie_len)
2771 * Not suitable as a real cookie generation function but good enough for
2774 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
2775 *cookie_len = sizeof(cookie_magic_value) - 1;
2780 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
2781 unsigned int cookie_len)
2783 if (cookie_len == sizeof(cookie_magic_value) - 1
2784 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
2790 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
2794 int res = generate_cookie_callback(ssl, cookie, &temp);
2799 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
2802 return verify_cookie_callback(ssl, cookie, cookie_len);
2805 static int test_stateless(void)
2807 SSL_CTX *sctx = NULL, *cctx = NULL;
2808 SSL *serverssl = NULL, *clientssl = NULL;
2811 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2812 TLS_client_method(), &sctx,
2813 &cctx, cert, privkey)))
2816 /* The arrival of CCS messages can confuse the test */
2817 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
2819 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2821 /* Send the first ClientHello */
2822 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2823 SSL_ERROR_WANT_READ))
2825 * This should fail with a -1 return because we have no callbacks
2828 || !TEST_int_eq(SSL_stateless(serverssl), -1))
2831 /* Fatal error so abandon the connection from this client */
2832 SSL_free(clientssl);
2835 /* Set up the cookie generation and verification callbacks */
2836 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
2837 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
2840 * Create a new connection from the client (we can reuse the server SSL
2843 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2845 /* Send the first ClientHello */
2846 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2847 SSL_ERROR_WANT_READ))
2848 /* This should fail because there is no cookie */
2849 || !TEST_int_eq(SSL_stateless(serverssl), 0))
2852 /* Abandon the connection from this client */
2853 SSL_free(clientssl);
2857 * Now create a connection from a new client but with the same server SSL
2860 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2862 /* Send the first ClientHello */
2863 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2864 SSL_ERROR_WANT_READ))
2865 /* This should fail because there is no cookie */
2866 || !TEST_int_eq(SSL_stateless(serverssl), 0)
2867 /* Send the second ClientHello */
2868 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2869 SSL_ERROR_WANT_READ))
2870 /* This should succeed because a cookie is now present */
2871 || !TEST_int_eq(SSL_stateless(serverssl), 1)
2872 /* Complete the connection */
2873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2877 shutdown_ssl_connection(serverssl, clientssl);
2878 serverssl = clientssl = NULL;
2882 SSL_free(serverssl);
2883 SSL_free(clientssl);
2889 #endif /* OPENSSL_NO_TLS1_3 */
2891 static int clntaddoldcb = 0;
2892 static int clntparseoldcb = 0;
2893 static int srvaddoldcb = 0;
2894 static int srvparseoldcb = 0;
2895 static int clntaddnewcb = 0;
2896 static int clntparsenewcb = 0;
2897 static int srvaddnewcb = 0;
2898 static int srvparsenewcb = 0;
2899 static int snicb = 0;
2901 #define TEST_EXT_TYPE1 0xff00
2903 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2904 size_t *outlen, int *al, void *add_arg)
2906 int *server = (int *)add_arg;
2907 unsigned char *data;
2909 if (SSL_is_server(s))
2914 if (*server != SSL_is_server(s)
2915 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2920 *outlen = sizeof(char);
2924 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2927 OPENSSL_free((unsigned char *)out);
2930 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2931 size_t inlen, int *al, void *parse_arg)
2933 int *server = (int *)parse_arg;
2935 if (SSL_is_server(s))
2940 if (*server != SSL_is_server(s)
2941 || inlen != sizeof(char)
2948 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2949 const unsigned char **out, size_t *outlen, X509 *x,
2950 size_t chainidx, int *al, void *add_arg)
2952 int *server = (int *)add_arg;
2953 unsigned char *data;
2955 if (SSL_is_server(s))
2960 if (*server != SSL_is_server(s)
2961 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2966 *outlen = sizeof(*data);
2970 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2971 const unsigned char *out, void *add_arg)
2973 OPENSSL_free((unsigned char *)out);
2976 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2977 const unsigned char *in, size_t inlen, X509 *x,
2978 size_t chainidx, int *al, void *parse_arg)
2980 int *server = (int *)parse_arg;
2982 if (SSL_is_server(s))
2987 if (*server != SSL_is_server(s)
2988 || inlen != sizeof(char) || *in != 1)
2994 static int sni_cb(SSL *s, int *al, void *arg)
2996 SSL_CTX *ctx = (SSL_CTX *)arg;
2998 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2999 *al = SSL_AD_INTERNAL_ERROR;
3000 return SSL_TLSEXT_ERR_ALERT_FATAL;
3003 return SSL_TLSEXT_ERR_OK;
3007 * Custom call back tests.
3008 * Test 0: Old style callbacks in TLSv1.2
3009 * Test 1: New style callbacks in TLSv1.2
3010 * Test 2: New style callbacks in TLSv1.2 with SNI
3011 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3012 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3014 static int test_custom_exts(int tst)
3016 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3017 SSL *clientssl = NULL, *serverssl = NULL;
3019 static int server = 1;
3020 static int client = 0;
3021 SSL_SESSION *sess = NULL;
3022 unsigned int context;
3024 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3025 /* Skip tests for TLSv1.2 and below in this case */
3030 /* Reset callback counters */
3031 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3032 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3035 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3036 TLS_client_method(), &sctx,
3037 &cctx, cert, privkey)))
3041 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
3042 NULL, cert, privkey)))
3047 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3048 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3050 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3054 context = SSL_EXT_CLIENT_HELLO
3055 | SSL_EXT_TLS1_2_SERVER_HELLO
3056 | SSL_EXT_TLS1_3_SERVER_HELLO
3057 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3058 | SSL_EXT_TLS1_3_CERTIFICATE
3059 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3061 context = SSL_EXT_CLIENT_HELLO
3062 | SSL_EXT_TLS1_2_SERVER_HELLO
3063 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3066 /* Create a client side custom extension */
3068 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3069 old_add_cb, old_free_cb,
3070 &client, old_parse_cb,
3074 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3075 new_add_cb, new_free_cb,
3076 &client, new_parse_cb, &client)))
3080 /* Should not be able to add duplicates */
3081 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3082 old_add_cb, old_free_cb,
3083 &client, old_parse_cb,
3085 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3086 context, new_add_cb,
3087 new_free_cb, &client,
3088 new_parse_cb, &client)))
3091 /* Create a server side custom extension */
3093 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3094 old_add_cb, old_free_cb,
3095 &server, old_parse_cb,
3099 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3100 new_add_cb, new_free_cb,
3101 &server, new_parse_cb, &server)))
3104 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3105 context, new_add_cb,
3106 new_free_cb, &server,
3107 new_parse_cb, &server)))
3111 /* Should not be able to add duplicates */
3112 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3113 old_add_cb, old_free_cb,
3114 &server, old_parse_cb,
3116 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3117 context, new_add_cb,
3118 new_free_cb, &server,
3119 new_parse_cb, &server)))
3124 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3125 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3129 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3130 &clientssl, NULL, NULL))
3131 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3136 if (clntaddoldcb != 1
3137 || clntparseoldcb != 1
3139 || srvparseoldcb != 1)
3141 } else if (tst == 1 || tst == 2 || tst == 3) {
3142 if (clntaddnewcb != 1
3143 || clntparsenewcb != 1
3145 || srvparsenewcb != 1
3146 || (tst != 2 && snicb != 0)
3147 || (tst == 2 && snicb != 1))
3150 if (clntaddnewcb != 1
3151 || clntparsenewcb != 4
3153 || srvparsenewcb != 1)
3157 sess = SSL_get1_session(clientssl);
3158 SSL_shutdown(clientssl);
3159 SSL_shutdown(serverssl);
3160 SSL_free(serverssl);
3161 SSL_free(clientssl);
3162 serverssl = clientssl = NULL;
3165 /* We don't bother with the resumption aspects for this test */
3170 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3172 || !TEST_true(SSL_set_session(clientssl, sess))
3173 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3178 * For a resumed session we expect to add the ClientHello extension. For the
3179 * old style callbacks we ignore it on the server side because they set
3180 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3184 if (clntaddoldcb != 2
3185 || clntparseoldcb != 1
3187 || srvparseoldcb != 1)
3189 } else if (tst == 1 || tst == 2 || tst == 3) {
3190 if (clntaddnewcb != 2
3191 || clntparsenewcb != 2
3193 || srvparsenewcb != 2)
3196 /* No Certificate message extensions in the resumption handshake */
3197 if (clntaddnewcb != 2
3198 || clntparsenewcb != 7
3200 || srvparsenewcb != 2)
3207 SSL_SESSION_free(sess);
3208 SSL_free(serverssl);
3209 SSL_free(clientssl);
3210 SSL_CTX_free(sctx2);
3217 * Test loading of serverinfo data in various formats. test_sslmessages actually
3218 * tests to make sure the extensions appear in the handshake
3220 static int test_serverinfo(int tst)
3222 unsigned int version;
3223 unsigned char *sibuf;
3225 int ret, expected, testresult = 0;
3228 ctx = SSL_CTX_new(TLS_method());
3232 if ((tst & 0x01) == 0x01)
3233 version = SSL_SERVERINFOV2;
3235 version = SSL_SERVERINFOV1;
3237 if ((tst & 0x02) == 0x02) {
3238 sibuf = serverinfov2;
3239 sibuflen = sizeof(serverinfov2);
3240 expected = (version == SSL_SERVERINFOV2);
3242 sibuf = serverinfov1;
3243 sibuflen = sizeof(serverinfov1);
3244 expected = (version == SSL_SERVERINFOV1);
3247 if ((tst & 0x04) == 0x04) {
3248 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3250 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3253 * The version variable is irrelevant in this case - it's what is in the
3254 * buffer that matters
3256 if ((tst & 0x02) == 0x02)
3262 if (!TEST_true(ret == expected))
3274 * Test that SSL_export_keying_material() produces expected results. There are
3275 * no test vectors so all we do is test that both sides of the communication
3276 * produce the same results for different protocol versions.
3278 static int test_export_key_mat(int tst)
3281 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3282 SSL *clientssl = NULL, *serverssl = NULL;
3283 const char label[] = "test label";
3284 const unsigned char context[] = "context";
3285 const unsigned char *emptycontext = NULL;
3286 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3287 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3288 const int protocols[] = {
3295 #ifdef OPENSSL_NO_TLS1
3299 #ifdef OPENSSL_NO_TLS1_1
3303 #ifdef OPENSSL_NO_TLS1_2
3307 #ifdef OPENSSL_NO_TLS1_3
3311 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3312 TLS_client_method(), &sctx,
3313 &cctx, cert, privkey)))
3316 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3317 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3318 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3320 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3322 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3326 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3327 sizeof(ckeymat1), label,
3328 sizeof(label) - 1, context,
3329 sizeof(context) - 1, 1), 1)
3330 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3331 sizeof(ckeymat2), label,
3335 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3336 sizeof(ckeymat3), label,
3339 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3340 sizeof(skeymat1), label,
3343 sizeof(context) -1, 1),
3345 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3346 sizeof(skeymat2), label,
3350 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3351 sizeof(skeymat3), label,
3355 * Check that both sides created the same key material with the
3358 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3361 * Check that both sides created the same key material with an
3364 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3367 * Check that both sides created the same key material without a
3370 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3372 /* Different contexts should produce different results */
3373 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3378 * Check that an empty context and no context produce different results in
3379 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3381 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3383 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3390 SSL_free(serverssl);
3391 SSL_free(clientssl);
3392 SSL_CTX_free(sctx2);
3399 #ifndef OPENSSL_NO_TLS1_3
3401 * Test that SSL_export_keying_material_early() produces expected
3402 * results. There are no test vectors so all we do is test that both
3403 * sides of the communication produce the same results for different
3404 * protocol versions.
3406 static int test_export_key_mat_early(int idx)
3408 static const char label[] = "test label";
3409 static const unsigned char context[] = "context";
3411 SSL_CTX *cctx = NULL, *sctx = NULL;
3412 SSL *clientssl = NULL, *serverssl = NULL;
3413 SSL_SESSION *sess = NULL;
3414 const unsigned char *emptycontext = NULL;
3415 unsigned char ckeymat1[80], ckeymat2[80];
3416 unsigned char skeymat1[80], skeymat2[80];
3417 unsigned char buf[1];
3418 size_t readbytes, written;
3420 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3424 /* Here writing 0 length early data is enough. */
3425 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3426 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3428 SSL_READ_EARLY_DATA_ERROR)
3429 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3430 SSL_EARLY_DATA_ACCEPTED))
3433 if (!TEST_int_eq(SSL_export_keying_material_early(
3434 clientssl, ckeymat1, sizeof(ckeymat1), label,
3435 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3436 || !TEST_int_eq(SSL_export_keying_material_early(
3437 clientssl, ckeymat2, sizeof(ckeymat2), label,
3438 sizeof(label) - 1, emptycontext, 0), 1)
3439 || !TEST_int_eq(SSL_export_keying_material_early(
3440 serverssl, skeymat1, sizeof(skeymat1), label,
3441 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3442 || !TEST_int_eq(SSL_export_keying_material_early(
3443 serverssl, skeymat2, sizeof(skeymat2), label,
3444 sizeof(label) - 1, emptycontext, 0), 1)
3446 * Check that both sides created the same key material with the
3449 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3452 * Check that both sides created the same key material with an
3455 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3457 /* Different contexts should produce different results */
3458 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3465 if (sess != clientpsk)
3466 SSL_SESSION_free(sess);
3467 SSL_SESSION_free(clientpsk);
3468 SSL_SESSION_free(serverpsk);
3469 clientpsk = serverpsk = NULL;
3470 SSL_free(serverssl);
3471 SSL_free(clientssl);
3477 #endif /* OPENSSL_NO_TLS1_3 */
3479 static int test_ssl_clear(int idx)
3481 SSL_CTX *cctx = NULL, *sctx = NULL;
3482 SSL *clientssl = NULL, *serverssl = NULL;
3485 #ifdef OPENSSL_NO_TLS1_2
3490 /* Create an initial connection */
3491 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3492 TLS_client_method(), &sctx,
3493 &cctx, cert, privkey))
3495 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3497 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3498 &clientssl, NULL, NULL))
3499 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3503 SSL_shutdown(clientssl);
3504 SSL_shutdown(serverssl);
3505 SSL_free(serverssl);
3508 /* Clear clientssl - we're going to reuse the object */
3509 if (!TEST_true(SSL_clear(clientssl)))
3512 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3514 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3516 || !TEST_true(SSL_session_reused(clientssl)))
3519 SSL_shutdown(clientssl);
3520 SSL_shutdown(serverssl);
3525 SSL_free(serverssl);
3526 SSL_free(clientssl);
3533 /* Parse CH and retrieve any MFL extension value if present */
3534 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3537 unsigned char *data;
3538 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3539 unsigned int MFL_code = 0, type = 0;
3541 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3544 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3545 /* Skip the record header */
3546 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3547 /* Skip the handshake message header */
3548 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3549 /* Skip client version and random */
3550 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3551 + SSL3_RANDOM_SIZE))
3552 /* Skip session id */
3553 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3555 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3556 /* Skip compression */
3557 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3558 /* Extensions len */
3559 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3562 /* Loop through all extensions */
3563 while (PACKET_remaining(&pkt2)) {
3564 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3565 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3568 if (type == TLSEXT_TYPE_max_fragment_length) {
3569 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3570 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3573 *mfl_codemfl_code = MFL_code;
3582 /* Maximum-Fragment-Length TLS extension mode to test */
3583 static const unsigned char max_fragment_len_test[] = {
3584 TLSEXT_max_fragment_length_512,
3585 TLSEXT_max_fragment_length_1024,
3586 TLSEXT_max_fragment_length_2048,
3587 TLSEXT_max_fragment_length_4096
3590 static int test_max_fragment_len_ext(int idx_tst)
3594 int testresult = 0, MFL_mode = 0;
3597 ctx = SSL_CTX_new(TLS_method());
3601 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3602 ctx, max_fragment_len_test[idx_tst])))
3609 rbio = BIO_new(BIO_s_mem());
3610 wbio = BIO_new(BIO_s_mem());
3611 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3617 SSL_set_bio(con, rbio, wbio);
3618 SSL_set_connect_state(con);
3620 if (!TEST_int_le(SSL_connect(con), 0)) {
3621 /* This shouldn't succeed because we don't have a server! */
3625 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3626 /* no MFL in client hello */
3628 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3640 #ifndef OPENSSL_NO_TLS1_3
3641 static int test_pha_key_update(void)
3643 SSL_CTX *cctx = NULL, *sctx = NULL;
3644 SSL *clientssl = NULL, *serverssl = NULL;
3647 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3648 TLS_client_method(),
3649 &sctx, &cctx, cert, privkey)))
3652 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3653 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3654 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3655 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3659 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3663 SSL_force_post_handshake_auth(clientssl);
3665 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3669 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3670 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3673 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3676 /* Start handshake on the server */
3677 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3680 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3681 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3685 SSL_shutdown(clientssl);
3686 SSL_shutdown(serverssl);
3691 SSL_free(serverssl);
3692 SSL_free(clientssl);
3699 int setup_tests(void)
3701 if (!TEST_ptr(cert = test_get_argument(0))
3702 || !TEST_ptr(privkey = test_get_argument(1)))
3705 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
3706 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
3707 TEST_error("not supported in this build");
3710 int i, mcount, rcount, fcount;
3712 for (i = 0; i < 4; i++)
3713 test_export_key_mat(i);
3714 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
3715 test_printf_stdout("malloc %d realloc %d free %d\n",
3716 mcount, rcount, fcount);
3721 ADD_TEST(test_large_message_tls);
3722 ADD_TEST(test_large_message_tls_read_ahead);
3723 #ifndef OPENSSL_NO_DTLS
3724 ADD_TEST(test_large_message_dtls);
3726 #ifndef OPENSSL_NO_OCSP
3727 ADD_TEST(test_tlsext_status_type);
3729 ADD_TEST(test_session_with_only_int_cache);
3730 ADD_TEST(test_session_with_only_ext_cache);
3731 ADD_TEST(test_session_with_both_cache);
3732 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
3733 ADD_TEST(test_ssl_bio_pop_next_bio);
3734 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3735 ADD_TEST(test_ssl_bio_change_rbio);
3736 ADD_TEST(test_ssl_bio_change_wbio);
3737 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
3738 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
3739 ADD_TEST(test_keylog);
3741 #ifndef OPENSSL_NO_TLS1_3
3742 ADD_TEST(test_keylog_no_master_key);
3744 #ifndef OPENSSL_NO_TLS1_2
3745 ADD_TEST(test_client_hello_cb);
3747 #ifndef OPENSSL_NO_TLS1_3
3748 ADD_ALL_TESTS(test_early_data_read_write, 3);
3750 * We don't do replay tests for external PSK. Replay protection isn't used
3753 ADD_ALL_TESTS(test_early_data_replay, 2);
3754 ADD_ALL_TESTS(test_early_data_skip, 3);
3755 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3756 ADD_ALL_TESTS(test_early_data_not_sent, 3);
3757 ADD_ALL_TESTS(test_early_data_psk, 8);
3758 ADD_ALL_TESTS(test_early_data_not_expected, 3);
3759 # ifndef OPENSSL_NO_TLS1_2
3760 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
3763 #ifndef OPENSSL_NO_TLS1_3
3764 ADD_TEST(test_ciphersuite_change);
3765 #ifdef OPENSSL_NO_PSK
3766 ADD_ALL_TESTS(test_tls13_psk, 1);
3768 ADD_ALL_TESTS(test_tls13_psk, 3);
3769 #endif /* OPENSSL_NO_PSK */
3770 ADD_ALL_TESTS(test_custom_exts, 5);
3771 ADD_TEST(test_stateless);
3772 ADD_TEST(test_pha_key_update);
3774 ADD_ALL_TESTS(test_custom_exts, 3);
3776 ADD_ALL_TESTS(test_serverinfo, 8);
3777 ADD_ALL_TESTS(test_export_key_mat, 4);
3778 #ifndef OPENSSL_NO_TLS1_3
3779 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3781 ADD_ALL_TESTS(test_ssl_clear, 2);
3782 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
3786 void cleanup_tests(void)
3788 bio_s_mempacket_test_free();