2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "../ssl/ssl_locl.h"
27 static char *cert = NULL;
28 static char *privkey = NULL;
29 static char *srpvfile = NULL;
30 static char *tmpfilename = NULL;
32 #define LOG_BUFFER_SIZE 2048
33 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
34 static size_t server_log_buffer_index = 0;
35 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
36 static size_t client_log_buffer_index = 0;
37 static int error_writing_log = 0;
39 #ifndef OPENSSL_NO_OCSP
40 static const unsigned char orespder[] = "Dummy OCSP Response";
41 static int ocsp_server_called = 0;
42 static int ocsp_client_called = 0;
44 static int cdummyarg = 1;
45 static X509 *ocspcert = NULL;
48 #define NUM_EXTRA_CERTS 40
49 #define CLIENT_VERSION_LEN 2
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
55 struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
58 unsigned int client_early_secret_count;
59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
63 unsigned int early_exporter_secret_count;
64 unsigned int exporter_secret_count;
68 static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
74 static unsigned char serverinfov2[] = {
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
82 static void client_keylog_callback(const SSL *ssl, const char *line)
84 int line_length = strlen(line);
86 /* If the log doesn't fit, error out. */
87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
89 error_writing_log = 1;
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
95 client_log_buffer[client_log_buffer_index++] = '\n';
98 static void server_keylog_callback(const SSL *ssl, const char *line)
100 int line_length = strlen(line);
102 /* If the log doesn't fit, error out. */
103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
104 TEST_info("Server log too full");
105 error_writing_log = 1;
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
111 server_log_buffer[server_log_buffer_index++] = '\n';
114 static int compare_hex_encoded_buffer(const char *hex_encoded,
122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
126 sprintf(hexed, "%02x", raw[i]);
127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
135 static int test_keylog_output(char *buffer, const SSL *ssl,
136 const SSL_SESSION *session,
137 struct sslapitest_log_counts *expected)
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
146 unsigned int client_early_secret_count = 0;
147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
151 unsigned int early_exporter_secret_count = 0;
152 unsigned int exporter_secret_count = 0;
154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
156 if (strcmp(token, "RSA") == 0) {
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
159 * hex-encoded encrypted secret, then the hex-encoded pre-master
162 if (!TEST_ptr(token = strtok(NULL, " \n")))
164 if (!TEST_size_t_eq(strlen(token), 16))
166 if (!TEST_ptr(token = strtok(NULL, " \n")))
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
173 rsa_key_exchange_count++;
174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
177 * client random, then the hex-encoded master secret.
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
185 if (!TEST_ptr(token = strtok(NULL, " \n")))
187 if (!TEST_size_t_eq(strlen(token), 64))
189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
194 if (!TEST_ptr(token = strtok(NULL, " \n")))
196 master_key_size = SSL_SESSION_get_master_key(session,
199 if (!TEST_size_t_ne(master_key_size, 0))
201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
205 master_secret_count++;
206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
212 || strcmp(token, "EXPORTER_SECRET") == 0) {
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
240 if (!TEST_ptr(token = strtok(NULL, " \n")))
242 if (!TEST_size_t_eq(strlen(token), 64))
244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
249 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 * TODO(TLS1.3): test that application traffic secrets are what
256 TEST_info("Unexpected token %s\n", token);
261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
275 expected->server_application_secret_count)
276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
284 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
285 static int test_keylog(void)
287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
290 struct sslapitest_log_counts expected = {0};
292 /* Clean up logging space */
293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
301 TLS1_VERSION, TLS_MAX_VERSION,
302 &sctx, &cctx, cert, privkey)))
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
309 /* We also want to ensure that we use RSA-based key exchange. */
310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
336 * Now we want to test that our output data was vaguely sensible. We
337 * do that by using strtok and confirming that we have more or less the
338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
347 expected.rsa_key_exchange_count = 0;
348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
364 #ifndef OPENSSL_NO_TLS1_3
365 static int test_keylog_no_master_key(void)
367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
369 SSL_SESSION *sess = NULL;
371 struct sslapitest_log_counts expected = {0};
372 unsigned char buf[1];
373 size_t readbytes, written;
375 /* Clean up logging space */
376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
386 SSL3_RT_MAX_PLAIN_LENGTH)))
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
408 || !TEST_false(error_writing_log))
412 * Now we want to test that our output data was vaguely sensible. For this
413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
414 * TLSv1.3, but we do expect both client and server to emit keys.
416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
420 expected.exporter_secret_count = 1;
421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
434 serverssl = clientssl = NULL;
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
454 || !TEST_true(SSL_session_reused(clientssl)))
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
459 expected.early_exporter_secret_count = 1;
460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
470 SSL_SESSION_free(sess);
480 #ifndef OPENSSL_NO_TLS1_2
481 static int full_client_hello_callback(SSL *s, int *al, void *arg)
484 const unsigned char *p;
486 /* We only configure two ciphers, but the SCSV is added automatically. */
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
493 const int expected_extensions[] = {
494 #ifndef OPENSSL_NO_EC
500 /* Make sure we can defer processing and get called back. */
502 return SSL_CLIENT_HELLO_RETRY;
504 len = SSL_client_hello_get0_ciphers(s, &p);
505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
508 || !TEST_int_eq(*p, 0))
509 return SSL_CLIENT_HELLO_ERROR;
510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
511 return SSL_CLIENT_HELLO_ERROR;
512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
514 printf("ClientHello callback expected extensions mismatch\n");
516 return SSL_CLIENT_HELLO_ERROR;
519 return SSL_CLIENT_HELLO_SUCCESS;
522 static int test_client_hello_cb(void)
524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
565 static int execute_test_large_message(const SSL_METHOD *smeth,
566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
575 X509 *chaincert = NULL;
578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
583 if (!TEST_ptr(chaincert))
586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
592 * Test that read_ahead works correctly when dealing with large
595 SSL_CTX_set_read_ahead(cctx, 1);
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
605 certlen = i2d_X509(chaincert, NULL);
606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
609 if (!X509_up_ref(chaincert))
611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
612 X509_free(chaincert);
617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
627 if (!TEST_true(SSL_clear(serverssl)))
632 X509_free(chaincert);
641 static int test_large_message_tls(void)
643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
644 TLS1_VERSION, TLS_MAX_VERSION,
648 static int test_large_message_tls_read_ahead(void)
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
651 TLS1_VERSION, TLS_MAX_VERSION,
655 #ifndef OPENSSL_NO_DTLS
656 static int test_large_message_dtls(void)
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
662 return execute_test_large_message(DTLS_server_method(),
663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
669 #ifndef OPENSSL_NO_OCSP
670 static int ocsp_server_cb(SSL *s, void *arg)
672 int *argi = (int *)arg;
673 unsigned char *copy = NULL;
674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
691 return SSL_TLSEXT_ERR_ALERT_FATAL;
693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
694 ocsp_server_called = 1;
695 return SSL_TLSEXT_ERR_OK;
698 static int ocsp_client_cb(SSL *s, void *arg)
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
704 if (*argi != 1 && *argi != 2)
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
708 if (!TEST_mem_eq(orespder, len, respderin, len))
711 ocsp_client_called = 1;
715 static int test_tlsext_status_type(void)
717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
732 /* First just do various checks getting and setting tlsext_status_type */
734 clientssl = SSL_new(cctx);
735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
749 clientssl = SSL_new(cctx);
750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
793 * This time we'll get the client to send an OCSP_RESPID that it will
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
805 * specific one. We'll use the server cert.
807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
846 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
847 static int new_called, remove_called, get_called;
849 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
853 * sess has been up-refed for us, but we don't actually need it so free it
856 SSL_SESSION_free(sess);
860 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
865 static SSL_SESSION *get_sess_val = NULL;
867 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
875 static int execute_test_session(int maxprot, int use_int_cache,
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
881 # ifndef OPENSSL_NO_TLS1_1
882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
885 int testresult = 0, numnewsesstick = 1;
887 new_called = remove_called = 0;
889 /* TLSv1.3 sends 2 NewSessionTickets */
890 if (maxprot == TLS1_3_VERSION)
893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
894 TLS1_VERSION, TLS_MAX_VERSION,
895 &sctx, &cctx, cert, privkey)))
899 * Only allow the max protocol version so we can force a connection failure
902 SSL_CTX_set_min_proto_version(cctx, maxprot);
903 SSL_CTX_set_max_proto_version(cctx, maxprot);
905 /* Set up session cache */
907 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
908 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
911 /* Also covers instance where both are set */
912 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
914 SSL_CTX_set_session_cache_mode(cctx,
915 SSL_SESS_CACHE_CLIENT
916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
921 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
923 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
926 /* Should fail because it should already be in the cache */
927 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
930 && (!TEST_int_eq(new_called, numnewsesstick)
932 || !TEST_int_eq(remove_called, 0)))
935 new_called = remove_called = 0;
936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
937 &clientssl2, NULL, NULL))
938 || !TEST_true(SSL_set_session(clientssl2, sess1))
939 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
941 || !TEST_true(SSL_session_reused(clientssl2)))
944 if (maxprot == TLS1_3_VERSION) {
946 * In TLSv1.3 we should have created a new session even though we have
950 && (!TEST_int_eq(new_called, 1)
951 || !TEST_int_eq(remove_called, 0)))
955 * In TLSv1.2 we expect to have resumed so no sessions added or
959 && (!TEST_int_eq(new_called, 0)
960 || !TEST_int_eq(remove_called, 0)))
964 SSL_SESSION_free(sess1);
965 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
967 shutdown_ssl_connection(serverssl2, clientssl2);
968 serverssl2 = clientssl2 = NULL;
970 new_called = remove_called = 0;
971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
972 &clientssl2, NULL, NULL))
973 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
977 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
981 && (!TEST_int_eq(new_called, numnewsesstick)
982 || !TEST_int_eq(remove_called, 0)))
985 new_called = remove_called = 0;
987 * This should clear sess2 from the cache because it is a "bad" session.
988 * See SSL_set_session() documentation.
990 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
993 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
995 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
999 /* Should succeeded because it should not already be in the cache */
1000 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1001 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1005 new_called = remove_called = 0;
1006 /* This shouldn't be in the cache so should fail */
1007 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1011 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1014 # if !defined(OPENSSL_NO_TLS1_1)
1015 new_called = remove_called = 0;
1016 /* Force a connection failure */
1017 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1018 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1019 &clientssl3, NULL, NULL))
1020 || !TEST_true(SSL_set_session(clientssl3, sess1))
1021 /* This should fail because of the mismatched protocol versions */
1022 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1026 /* We should have automatically removed the session from the cache */
1028 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1031 /* Should succeed because it should not already be in the cache */
1032 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1036 /* Now do some tests for server side caching */
1037 if (use_ext_cache) {
1038 SSL_CTX_sess_set_new_cb(cctx, NULL);
1039 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1040 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1041 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1042 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1043 get_sess_val = NULL;
1046 SSL_CTX_set_session_cache_mode(cctx, 0);
1047 /* Internal caching is the default on the server side */
1049 SSL_CTX_set_session_cache_mode(sctx,
1050 SSL_SESS_CACHE_SERVER
1051 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1053 SSL_free(serverssl1);
1054 SSL_free(clientssl1);
1055 serverssl1 = clientssl1 = NULL;
1056 SSL_free(serverssl2);
1057 SSL_free(clientssl2);
1058 serverssl2 = clientssl2 = NULL;
1059 SSL_SESSION_free(sess1);
1061 SSL_SESSION_free(sess2);
1064 SSL_CTX_set_max_proto_version(sctx, maxprot);
1065 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1066 new_called = remove_called = get_called = 0;
1067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1069 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1071 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1072 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1075 /* Should fail because it should already be in the cache */
1076 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
1079 if (use_ext_cache) {
1080 SSL_SESSION *tmp = sess2;
1082 if (!TEST_int_eq(new_called, numnewsesstick)
1083 || !TEST_int_eq(remove_called, 0)
1084 || !TEST_int_eq(get_called, 0))
1087 * Delete the session from the internal cache to force a lookup from
1088 * the external cache. We take a copy first because
1089 * SSL_CTX_remove_session() also marks the session as non-resumable.
1091 if (use_int_cache) {
1092 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1093 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1095 SSL_SESSION_free(sess2);
1100 new_called = remove_called = get_called = 0;
1101 get_sess_val = sess2;
1102 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1103 &clientssl2, NULL, NULL))
1104 || !TEST_true(SSL_set_session(clientssl2, sess1))
1105 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1107 || !TEST_true(SSL_session_reused(clientssl2)))
1110 if (use_ext_cache) {
1111 if (!TEST_int_eq(remove_called, 0))
1114 if (maxprot == TLS1_3_VERSION) {
1115 if (!TEST_int_eq(new_called, 1)
1116 || !TEST_int_eq(get_called, 0))
1119 if (!TEST_int_eq(new_called, 0)
1120 || !TEST_int_eq(get_called, 1))
1128 SSL_free(serverssl1);
1129 SSL_free(clientssl1);
1130 SSL_free(serverssl2);
1131 SSL_free(clientssl2);
1132 # ifndef OPENSSL_NO_TLS1_1
1133 SSL_free(serverssl3);
1134 SSL_free(clientssl3);
1136 SSL_SESSION_free(sess1);
1137 SSL_SESSION_free(sess2);
1143 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1145 static int test_session_with_only_int_cache(void)
1147 #ifndef OPENSSL_NO_TLS1_3
1148 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1152 #ifndef OPENSSL_NO_TLS1_2
1153 return execute_test_session(TLS1_2_VERSION, 1, 0);
1159 static int test_session_with_only_ext_cache(void)
1161 #ifndef OPENSSL_NO_TLS1_3
1162 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1166 #ifndef OPENSSL_NO_TLS1_2
1167 return execute_test_session(TLS1_2_VERSION, 0, 1);
1173 static int test_session_with_both_cache(void)
1175 #ifndef OPENSSL_NO_TLS1_3
1176 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1180 #ifndef OPENSSL_NO_TLS1_2
1181 return execute_test_session(TLS1_2_VERSION, 1, 1);
1187 SSL_SESSION *sesscache[9];
1189 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1191 sesscache[new_called++] = sess;
1196 static int test_tickets(int idx)
1198 SSL_CTX *sctx = NULL, *cctx = NULL;
1199 SSL *serverssl = NULL, *clientssl = NULL;
1200 int testresult = 0, i;
1203 /* idx is the test number, but also the number of tickets we want */
1207 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1208 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1209 &cctx, cert, privkey))
1210 || !TEST_true(SSL_CTX_set_num_tickets(sctx, idx)))
1213 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1214 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1215 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
1217 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1218 &clientssl, NULL, NULL)))
1221 SSL_force_post_handshake_auth(clientssl);
1223 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1225 /* Check we got the number of tickets we were expecting */
1226 || !TEST_int_eq(idx, new_called))
1229 /* After a post-handshake authentication we should get new tickets issued */
1230 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
1231 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
1234 /* Start handshake on the server and client */
1235 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1)
1236 || !TEST_int_le(SSL_read(clientssl, NULL, 0), 0)
1237 || !TEST_int_le(SSL_read(serverssl, NULL, 0), 0)
1238 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1240 || !TEST_int_eq(idx * 2, new_called))
1243 SSL_CTX_sess_set_new_cb(cctx, NULL);
1244 SSL_shutdown(clientssl);
1245 SSL_shutdown(serverssl);
1246 SSL_free(serverssl);
1247 SSL_free(clientssl);
1248 serverssl = clientssl = NULL;
1250 /* Test that we can resume with all the tickets we got given */
1251 for (i = 0; i < new_called; i++) {
1252 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1253 &clientssl, NULL, NULL))
1254 || !TEST_true(SSL_set_session(clientssl, sesscache[i]))
1255 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1257 || !TEST_true(SSL_session_reused(clientssl)))
1260 SSL_shutdown(clientssl);
1261 SSL_shutdown(serverssl);
1262 SSL_free(serverssl);
1263 SSL_free(clientssl);
1264 serverssl = clientssl = NULL;
1265 SSL_SESSION_free(sesscache[i]);
1266 sesscache[i] = NULL;
1272 SSL_free(serverssl);
1273 SSL_free(clientssl);
1274 for (j = 0; j < OSSL_NELEM(sesscache); j++)
1275 SSL_SESSION_free(sesscache[j]);
1285 #define USE_DEFAULT 3
1287 #define CONNTYPE_CONNECTION_SUCCESS 0
1288 #define CONNTYPE_CONNECTION_FAIL 1
1289 #define CONNTYPE_NO_CONNECTION 2
1291 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1292 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1293 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1294 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1296 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1299 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1300 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1301 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1303 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1320 * Tests calls to SSL_set_bio() under various conditions.
1322 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1323 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1324 * then do more tests where we create a successful connection first using our
1325 * standard connection setup functions, and then call SSL_set_bio() with
1326 * various combinations of valid BIOs or NULL. We then repeat these tests
1327 * following a failed connection. In this last case we are looking to check that
1328 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1330 static int test_ssl_set_bio(int idx)
1332 SSL_CTX *sctx = NULL, *cctx = NULL;
1335 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1336 SSL *serverssl = NULL, *clientssl = NULL;
1337 int initrbio, initwbio, newrbio, newwbio, conntype;
1340 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1348 conntype = CONNTYPE_NO_CONNECTION;
1350 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1351 initrbio = initwbio = USE_DEFAULT;
1359 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1360 TLS1_VERSION, TLS_MAX_VERSION,
1361 &sctx, &cctx, cert, privkey)))
1364 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1366 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1367 * because we reduced the number of tests in the definition of
1368 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1369 * mismatched protocol versions we will force a connection failure.
1371 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1372 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1375 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1379 if (initrbio == USE_BIO_1
1380 || initwbio == USE_BIO_1
1381 || newrbio == USE_BIO_1
1382 || newwbio == USE_BIO_1) {
1383 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1387 if (initrbio == USE_BIO_2
1388 || initwbio == USE_BIO_2
1389 || newrbio == USE_BIO_2
1390 || newwbio == USE_BIO_2) {
1391 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1395 if (initrbio != USE_DEFAULT) {
1396 setupbio(&irbio, bio1, bio2, initrbio);
1397 setupbio(&iwbio, bio1, bio2, initwbio);
1398 SSL_set_bio(clientssl, irbio, iwbio);
1401 * We want to maintain our own refs to these BIO, so do an up ref for
1402 * each BIO that will have ownership transferred in the SSL_set_bio()
1407 if (iwbio != NULL && iwbio != irbio)
1411 if (conntype != CONNTYPE_NO_CONNECTION
1412 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1414 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1417 setupbio(&nrbio, bio1, bio2, newrbio);
1418 setupbio(&nwbio, bio1, bio2, newwbio);
1421 * We will (maybe) transfer ownership again so do more up refs.
1422 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1427 && (nwbio != iwbio || nrbio != nwbio))
1431 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1434 SSL_set_bio(clientssl, nrbio, nwbio);
1443 * This test is checking that the ref counting for SSL_set_bio is correct.
1444 * If we get here and we did too many frees then we will fail in the above
1445 * functions. If we haven't done enough then this will only be detected in
1446 * a crypto-mdebug build
1448 SSL_free(serverssl);
1449 SSL_free(clientssl);
1455 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1457 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1459 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1464 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1465 || !TEST_ptr(ssl = SSL_new(ctx))
1466 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1467 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1470 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1473 * If anything goes wrong here then we could leak memory, so this will
1474 * be caught in a crypto-mdebug build
1476 BIO_push(sslbio, membio1);
1478 /* Verify changing the rbio/wbio directly does not cause leaks */
1479 if (change_bio != NO_BIO_CHANGE) {
1480 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1482 if (change_bio == CHANGE_RBIO)
1483 SSL_set0_rbio(ssl, membio2);
1485 SSL_set0_wbio(ssl, membio2);
1504 static int test_ssl_bio_pop_next_bio(void)
1506 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1509 static int test_ssl_bio_pop_ssl_bio(void)
1511 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1514 static int test_ssl_bio_change_rbio(void)
1516 return execute_test_ssl_bio(0, CHANGE_RBIO);
1519 static int test_ssl_bio_change_wbio(void)
1521 return execute_test_ssl_bio(0, CHANGE_WBIO);
1524 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1526 /* The list of sig algs */
1528 /* The length of the list */
1530 /* A sigalgs list in string format */
1531 const char *liststr;
1532 /* Whether setting the list should succeed */
1534 /* Whether creating a connection with the list should succeed */
1538 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1539 # ifndef OPENSSL_NO_EC
1540 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1541 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1543 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1544 static const int invalidlist2[] = {NID_sha256, NID_undef};
1545 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1546 static const int invalidlist4[] = {NID_sha256};
1547 static const sigalgs_list testsigalgs[] = {
1548 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1549 # ifndef OPENSSL_NO_EC
1550 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1551 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1553 {NULL, 0, "RSA+SHA256", 1, 1},
1554 # ifndef OPENSSL_NO_EC
1555 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1556 {NULL, 0, "ECDSA+SHA512", 1, 0},
1558 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1559 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1560 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1561 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1562 {NULL, 0, "RSA", 0, 0},
1563 {NULL, 0, "SHA256", 0, 0},
1564 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1565 {NULL, 0, "Invalid", 0, 0}
1568 static int test_set_sigalgs(int idx)
1570 SSL_CTX *cctx = NULL, *sctx = NULL;
1571 SSL *clientssl = NULL, *serverssl = NULL;
1573 const sigalgs_list *curr;
1576 /* Should never happen */
1577 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1580 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1581 curr = testctx ? &testsigalgs[idx]
1582 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1584 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1585 TLS1_VERSION, TLS_MAX_VERSION,
1586 &sctx, &cctx, cert, privkey)))
1590 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1591 * for TLSv1.2 for now until we add a new API.
1593 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1598 if (curr->list != NULL)
1599 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1601 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1605 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1611 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1617 &clientssl, NULL, NULL)))
1623 if (curr->list != NULL)
1624 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1626 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1629 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1638 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1646 SSL_free(serverssl);
1647 SSL_free(clientssl);
1655 #ifndef OPENSSL_NO_TLS1_3
1657 static SSL_SESSION *clientpsk = NULL;
1658 static SSL_SESSION *serverpsk = NULL;
1659 static const char *pskid = "Identity";
1660 static const char *srvid;
1662 static int use_session_cb_cnt = 0;
1663 static int find_session_cb_cnt = 0;
1664 static int psk_client_cb_cnt = 0;
1665 static int psk_server_cb_cnt = 0;
1667 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1668 size_t *idlen, SSL_SESSION **sess)
1670 switch (++use_session_cb_cnt) {
1672 /* The first call should always have a NULL md */
1678 /* The second call should always have an md */
1684 /* We should only be called a maximum of twice */
1688 if (clientpsk != NULL)
1689 SSL_SESSION_up_ref(clientpsk);
1692 *id = (const unsigned char *)pskid;
1693 *idlen = strlen(pskid);
1698 #ifndef OPENSSL_NO_PSK
1699 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1700 unsigned int max_id_len,
1702 unsigned int max_psk_len)
1704 unsigned int psklen = 0;
1706 psk_client_cb_cnt++;
1708 if (strlen(pskid) + 1 > max_id_len)
1711 /* We should only ever be called a maximum of twice per connection */
1712 if (psk_client_cb_cnt > 2)
1715 if (clientpsk == NULL)
1718 /* We'll reuse the PSK we set up for TLSv1.3 */
1719 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1721 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1722 strncpy(id, pskid, max_id_len);
1726 #endif /* OPENSSL_NO_PSK */
1728 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1729 size_t identity_len, SSL_SESSION **sess)
1731 find_session_cb_cnt++;
1733 /* We should only ever be called a maximum of twice per connection */
1734 if (find_session_cb_cnt > 2)
1737 if (serverpsk == NULL)
1740 /* Identity should match that set by the client */
1741 if (strlen(srvid) != identity_len
1742 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1743 /* No PSK found, continue but without a PSK */
1748 SSL_SESSION_up_ref(serverpsk);
1754 #ifndef OPENSSL_NO_PSK
1755 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1756 unsigned char *psk, unsigned int max_psk_len)
1758 unsigned int psklen = 0;
1760 psk_server_cb_cnt++;
1762 /* We should only ever be called a maximum of twice per connection */
1763 if (find_session_cb_cnt > 2)
1766 if (serverpsk == NULL)
1769 /* Identity should match that set by the client */
1770 if (strcmp(srvid, identity) != 0) {
1774 /* We'll reuse the PSK we set up for TLSv1.3 */
1775 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1777 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1781 #endif /* OPENSSL_NO_PSK */
1783 #define MSG1 "Hello"
1784 #define MSG2 "World."
1789 #define MSG7 "message."
1791 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1792 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1795 * Helper method to setup objects for early data test. Caller frees objects on
1798 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1799 SSL **serverssl, SSL_SESSION **sess, int idx)
1801 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1802 TLS1_VERSION, TLS_MAX_VERSION,
1803 sctx, cctx, cert, privkey))
1804 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1805 SSL3_RT_MAX_PLAIN_LENGTH)))
1809 /* When idx == 1 we repeat the tests with read_ahead set */
1810 SSL_CTX_set_read_ahead(*cctx, 1);
1811 SSL_CTX_set_read_ahead(*sctx, 1);
1812 } else if (idx == 2) {
1813 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1814 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1815 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1816 use_session_cb_cnt = 0;
1817 find_session_cb_cnt = 0;
1821 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1826 * For one of the run throughs (doesn't matter which one), we'll try sending
1827 * some SNI data in the initial ClientHello. This will be ignored (because
1828 * there is no SNI cb set up by the server), so it should not impact
1832 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1836 /* Create the PSK */
1837 const SSL_CIPHER *cipher = NULL;
1838 const unsigned char key[] = {
1839 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1840 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1841 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1842 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1843 0x2c, 0x2d, 0x2e, 0x2f
1846 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1847 clientpsk = SSL_SESSION_new();
1848 if (!TEST_ptr(clientpsk)
1849 || !TEST_ptr(cipher)
1850 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1852 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1854 SSL_SESSION_set_protocol_version(clientpsk,
1857 * We just choose an arbitrary value for max_early_data which
1858 * should be big enough for testing purposes.
1860 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1862 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1863 SSL_SESSION_free(clientpsk);
1867 serverpsk = clientpsk;
1870 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1871 SSL_SESSION_free(clientpsk);
1872 SSL_SESSION_free(serverpsk);
1873 clientpsk = serverpsk = NULL;
1884 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1888 *sess = SSL_get1_session(*clientssl);
1889 SSL_shutdown(*clientssl);
1890 SSL_shutdown(*serverssl);
1891 SSL_free(*serverssl);
1892 SSL_free(*clientssl);
1893 *serverssl = *clientssl = NULL;
1895 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1896 clientssl, NULL, NULL))
1897 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1903 static int test_early_data_read_write(int idx)
1905 SSL_CTX *cctx = NULL, *sctx = NULL;
1906 SSL *clientssl = NULL, *serverssl = NULL;
1908 SSL_SESSION *sess = NULL;
1909 unsigned char buf[20], data[1024];
1910 size_t readbytes, written, eoedlen, rawread, rawwritten;
1913 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1914 &serverssl, &sess, idx)))
1917 /* Write and read some early data */
1918 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1920 || !TEST_size_t_eq(written, strlen(MSG1))
1921 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1922 sizeof(buf), &readbytes),
1923 SSL_READ_EARLY_DATA_SUCCESS)
1924 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1925 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1926 SSL_EARLY_DATA_ACCEPTED))
1930 * Server should be able to write data, and client should be able to
1933 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1935 || !TEST_size_t_eq(written, strlen(MSG2))
1936 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1937 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1940 /* Even after reading normal data, client should be able write early data */
1941 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1943 || !TEST_size_t_eq(written, strlen(MSG3)))
1946 /* Server should still be able read early data after writing data */
1947 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1949 SSL_READ_EARLY_DATA_SUCCESS)
1950 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1953 /* Write more data from server and read it from client */
1954 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1956 || !TEST_size_t_eq(written, strlen(MSG4))
1957 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1958 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1962 * If client writes normal data it should mean writing early data is no
1965 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1966 || !TEST_size_t_eq(written, strlen(MSG5))
1967 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1968 SSL_EARLY_DATA_ACCEPTED))
1972 * At this point the client has written EndOfEarlyData, ClientFinished and
1973 * normal (fully protected) data. We are going to cause a delay between the
1974 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1975 * in the read BIO, and then just put back the EndOfEarlyData message.
1977 rbio = SSL_get_rbio(serverssl);
1978 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1979 || !TEST_size_t_lt(rawread, sizeof(data))
1980 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1983 /* Record length is in the 4th and 5th bytes of the record header */
1984 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1985 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1986 || !TEST_size_t_eq(rawwritten, eoedlen))
1989 /* Server should be told that there is no more early data */
1990 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1992 SSL_READ_EARLY_DATA_FINISH)
1993 || !TEST_size_t_eq(readbytes, 0))
1997 * Server has not finished init yet, so should still be able to write early
2000 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2002 || !TEST_size_t_eq(written, strlen(MSG6)))
2005 /* Push the ClientFinished and the normal data back into the server rbio */
2006 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2008 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2011 /* Server should be able to read normal data */
2012 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2013 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2016 /* Client and server should not be able to write/read early data now */
2017 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2021 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2023 SSL_READ_EARLY_DATA_ERROR))
2027 /* Client should be able to read the data sent by the server */
2028 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2029 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2033 * Make sure we process the two NewSessionTickets. These arrive
2034 * post-handshake. We attempt reads which we do not expect to return any
2037 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2038 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2042 /* Server should be able to write normal data */
2043 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2044 || !TEST_size_t_eq(written, strlen(MSG7))
2045 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2046 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2049 SSL_SESSION_free(sess);
2050 sess = SSL_get1_session(clientssl);
2051 use_session_cb_cnt = 0;
2052 find_session_cb_cnt = 0;
2054 SSL_shutdown(clientssl);
2055 SSL_shutdown(serverssl);
2056 SSL_free(serverssl);
2057 SSL_free(clientssl);
2058 serverssl = clientssl = NULL;
2059 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2060 &clientssl, NULL, NULL))
2061 || !TEST_true(SSL_set_session(clientssl, sess)))
2064 /* Write and read some early data */
2065 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2067 || !TEST_size_t_eq(written, strlen(MSG1))
2068 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2070 SSL_READ_EARLY_DATA_SUCCESS)
2071 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2074 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2075 || !TEST_int_gt(SSL_accept(serverssl), 0))
2078 /* Client and server should not be able to write/read early data now */
2079 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2083 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2085 SSL_READ_EARLY_DATA_ERROR))
2089 /* Client and server should be able to write/read normal data */
2090 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2091 || !TEST_size_t_eq(written, strlen(MSG5))
2092 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2093 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2099 SSL_SESSION_free(sess);
2100 SSL_SESSION_free(clientpsk);
2101 SSL_SESSION_free(serverpsk);
2102 clientpsk = serverpsk = NULL;
2103 SSL_free(serverssl);
2104 SSL_free(clientssl);
2110 static int test_early_data_replay(int idx)
2112 SSL_CTX *cctx = NULL, *sctx = NULL;
2113 SSL *clientssl = NULL, *serverssl = NULL;
2115 SSL_SESSION *sess = NULL;
2117 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2118 &serverssl, &sess, idx)))
2122 * The server is configured to accept early data. Create a connection to
2123 * "use up" the ticket
2125 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2126 || !TEST_true(SSL_session_reused(clientssl)))
2129 SSL_shutdown(clientssl);
2130 SSL_shutdown(serverssl);
2131 SSL_free(serverssl);
2132 SSL_free(clientssl);
2133 serverssl = clientssl = NULL;
2135 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2136 &clientssl, NULL, NULL))
2137 || !TEST_true(SSL_set_session(clientssl, sess))
2138 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2141 * This time we should not have resumed the session because we
2142 * already used it once.
2144 || !TEST_false(SSL_session_reused(clientssl)))
2150 SSL_SESSION_free(sess);
2151 SSL_SESSION_free(clientpsk);
2152 SSL_SESSION_free(serverpsk);
2153 clientpsk = serverpsk = NULL;
2154 SSL_free(serverssl);
2155 SSL_free(clientssl);
2162 * Helper function to test that a server attempting to read early data can
2163 * handle a connection from a client where the early data should be skipped.
2165 static int early_data_skip_helper(int hrr, int idx)
2167 SSL_CTX *cctx = NULL, *sctx = NULL;
2168 SSL *clientssl = NULL, *serverssl = NULL;
2170 SSL_SESSION *sess = NULL;
2171 unsigned char buf[20];
2172 size_t readbytes, written;
2174 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2175 &serverssl, &sess, idx)))
2179 /* Force an HRR to occur */
2180 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2182 } else if (idx == 2) {
2184 * We force early_data rejection by ensuring the PSK identity is
2187 srvid = "Dummy Identity";
2190 * Deliberately corrupt the creation time. We take 20 seconds off the
2191 * time. It could be any value as long as it is not within tolerance.
2192 * This should mean the ticket is rejected.
2194 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2198 /* Write some early data */
2199 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2201 || !TEST_size_t_eq(written, strlen(MSG1)))
2204 /* Server should reject the early data and skip over it */
2205 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2207 SSL_READ_EARLY_DATA_FINISH)
2208 || !TEST_size_t_eq(readbytes, 0)
2209 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2210 SSL_EARLY_DATA_REJECTED))
2215 * Finish off the handshake. We perform the same writes and reads as
2216 * further down but we expect them to fail due to the incomplete
2219 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2220 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2225 /* Should be able to send normal data despite rejection of early data */
2226 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2227 || !TEST_size_t_eq(written, strlen(MSG2))
2228 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2229 SSL_EARLY_DATA_REJECTED)
2230 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2231 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2237 SSL_SESSION_free(clientpsk);
2238 SSL_SESSION_free(serverpsk);
2239 clientpsk = serverpsk = NULL;
2240 SSL_SESSION_free(sess);
2241 SSL_free(serverssl);
2242 SSL_free(clientssl);
2249 * Test that a server attempting to read early data can handle a connection
2250 * from a client where the early data is not acceptable.
2252 static int test_early_data_skip(int idx)
2254 return early_data_skip_helper(0, idx);
2258 * Test that a server attempting to read early data can handle a connection
2259 * from a client where an HRR occurs.
2261 static int test_early_data_skip_hrr(int idx)
2263 return early_data_skip_helper(1, idx);
2267 * Test that a server attempting to read early data can handle a connection
2268 * from a client that doesn't send any.
2270 static int test_early_data_not_sent(int idx)
2272 SSL_CTX *cctx = NULL, *sctx = NULL;
2273 SSL *clientssl = NULL, *serverssl = NULL;
2275 SSL_SESSION *sess = NULL;
2276 unsigned char buf[20];
2277 size_t readbytes, written;
2279 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2280 &serverssl, &sess, idx)))
2283 /* Write some data - should block due to handshake with server */
2284 SSL_set_connect_state(clientssl);
2285 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2288 /* Server should detect that early data has not been sent */
2289 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2291 SSL_READ_EARLY_DATA_FINISH)
2292 || !TEST_size_t_eq(readbytes, 0)
2293 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2294 SSL_EARLY_DATA_NOT_SENT)
2295 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2296 SSL_EARLY_DATA_NOT_SENT))
2299 /* Continue writing the message we started earlier */
2300 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2301 || !TEST_size_t_eq(written, strlen(MSG1))
2302 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2303 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2304 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2305 || !TEST_size_t_eq(written, strlen(MSG2)))
2309 * Should block due to the NewSessionTicket arrival unless we're using
2310 * read_ahead, or PSKs
2312 if (idx != 1 && idx != 2) {
2313 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2317 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2318 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2324 SSL_SESSION_free(sess);
2325 SSL_SESSION_free(clientpsk);
2326 SSL_SESSION_free(serverpsk);
2327 clientpsk = serverpsk = NULL;
2328 SSL_free(serverssl);
2329 SSL_free(clientssl);
2335 static int hostname_cb(SSL *s, int *al, void *arg)
2337 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2339 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2340 return SSL_TLSEXT_ERR_OK;
2342 return SSL_TLSEXT_ERR_NOACK;
2345 static const char *servalpn;
2347 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2348 unsigned char *outlen, const unsigned char *in,
2349 unsigned int inlen, void *arg)
2351 unsigned int protlen = 0;
2352 const unsigned char *prot;
2354 for (prot = in; prot < in + inlen; prot += protlen) {
2356 if (in + inlen < prot + protlen)
2357 return SSL_TLSEXT_ERR_NOACK;
2359 if (protlen == strlen(servalpn)
2360 && memcmp(prot, servalpn, protlen) == 0) {
2363 return SSL_TLSEXT_ERR_OK;
2367 return SSL_TLSEXT_ERR_NOACK;
2370 /* Test that a PSK can be used to send early_data */
2371 static int test_early_data_psk(int idx)
2373 SSL_CTX *cctx = NULL, *sctx = NULL;
2374 SSL *clientssl = NULL, *serverssl = NULL;
2376 SSL_SESSION *sess = NULL;
2377 unsigned char alpnlist[] = {
2378 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2381 #define GOODALPNLEN 9
2382 #define BADALPNLEN 8
2383 #define GOODALPN (alpnlist)
2384 #define BADALPN (alpnlist + GOODALPNLEN)
2386 unsigned char buf[20];
2387 size_t readbytes, written;
2388 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2389 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2391 /* We always set this up with a final parameter of "2" for PSK */
2392 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2393 &serverssl, &sess, 2)))
2396 servalpn = "goodalpn";
2399 * Note: There is no test for inconsistent SNI with late client detection.
2400 * This is because servers do not acknowledge SNI even if they are using
2401 * it in a resumption handshake - so it is not actually possible for a
2402 * client to detect a problem.
2406 /* Set inconsistent SNI (early client detection) */
2407 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2408 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2409 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2414 /* Set inconsistent ALPN (early client detection) */
2415 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2416 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2417 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2419 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2426 * Set invalid protocol version. Technically this affects PSKs without
2427 * early_data too, but we test it here because it is similar to the
2428 * SNI/ALPN consistency tests.
2430 err = SSL_R_BAD_PSK;
2431 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2437 * Set inconsistent SNI (server detected). In this case the connection
2438 * will succeed but reject early_data.
2440 SSL_SESSION_free(serverpsk);
2441 serverpsk = SSL_SESSION_dup(clientpsk);
2442 if (!TEST_ptr(serverpsk)
2443 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2445 edstatus = SSL_EARLY_DATA_REJECTED;
2446 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2449 /* Set consistent SNI */
2450 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2451 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2452 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2459 * Set inconsistent ALPN (server detected). In this case the connection
2460 * will succeed but reject early_data.
2462 servalpn = "badalpn";
2463 edstatus = SSL_EARLY_DATA_REJECTED;
2464 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2468 * Set consistent ALPN.
2469 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2470 * accepts a list of protos (each one length prefixed).
2471 * SSL_set1_alpn_selected accepts a single protocol (not length
2474 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2476 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2480 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2484 /* Set inconsistent ALPN (late client detection) */
2485 SSL_SESSION_free(serverpsk);
2486 serverpsk = SSL_SESSION_dup(clientpsk);
2487 if (!TEST_ptr(serverpsk)
2488 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2491 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2494 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2497 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2498 edstatus = SSL_EARLY_DATA_ACCEPTED;
2499 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2500 /* SSL_connect() call should fail */
2505 TEST_error("Bad test index");
2509 SSL_set_connect_state(clientssl);
2511 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2513 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2514 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2517 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2521 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2522 &readbytes), readearlyres)
2523 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2524 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2525 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2526 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2533 SSL_SESSION_free(sess);
2534 SSL_SESSION_free(clientpsk);
2535 SSL_SESSION_free(serverpsk);
2536 clientpsk = serverpsk = NULL;
2537 SSL_free(serverssl);
2538 SSL_free(clientssl);
2545 * Test that a server that doesn't try to read early data can handle a
2546 * client sending some.
2548 static int test_early_data_not_expected(int idx)
2550 SSL_CTX *cctx = NULL, *sctx = NULL;
2551 SSL *clientssl = NULL, *serverssl = NULL;
2553 SSL_SESSION *sess = NULL;
2554 unsigned char buf[20];
2555 size_t readbytes, written;
2557 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2558 &serverssl, &sess, idx)))
2561 /* Write some early data */
2562 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2567 * Server should skip over early data and then block waiting for client to
2568 * continue handshake
2570 if (!TEST_int_le(SSL_accept(serverssl), 0)
2571 || !TEST_int_gt(SSL_connect(clientssl), 0)
2572 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2573 SSL_EARLY_DATA_REJECTED)
2574 || !TEST_int_gt(SSL_accept(serverssl), 0)
2575 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2576 SSL_EARLY_DATA_REJECTED))
2579 /* Send some normal data from client to server */
2580 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2581 || !TEST_size_t_eq(written, strlen(MSG2)))
2584 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2585 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2591 SSL_SESSION_free(sess);
2592 SSL_SESSION_free(clientpsk);
2593 SSL_SESSION_free(serverpsk);
2594 clientpsk = serverpsk = NULL;
2595 SSL_free(serverssl);
2596 SSL_free(clientssl);
2603 # ifndef OPENSSL_NO_TLS1_2
2605 * Test that a server attempting to read early data can handle a connection
2606 * from a TLSv1.2 client.
2608 static int test_early_data_tls1_2(int idx)
2610 SSL_CTX *cctx = NULL, *sctx = NULL;
2611 SSL *clientssl = NULL, *serverssl = NULL;
2613 unsigned char buf[20];
2614 size_t readbytes, written;
2616 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2617 &serverssl, NULL, idx)))
2620 /* Write some data - should block due to handshake with server */
2621 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2622 SSL_set_connect_state(clientssl);
2623 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2627 * Server should do TLSv1.2 handshake. First it will block waiting for more
2628 * messages from client after ServerDone. Then SSL_read_early_data should
2629 * finish and detect that early data has not been sent
2631 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2633 SSL_READ_EARLY_DATA_ERROR))
2637 * Continue writing the message we started earlier. Will still block waiting
2638 * for the CCS/Finished from server
2640 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2641 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2643 SSL_READ_EARLY_DATA_FINISH)
2644 || !TEST_size_t_eq(readbytes, 0)
2645 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2646 SSL_EARLY_DATA_NOT_SENT))
2649 /* Continue writing the message we started earlier */
2650 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2651 || !TEST_size_t_eq(written, strlen(MSG1))
2652 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2653 SSL_EARLY_DATA_NOT_SENT)
2654 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2655 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2656 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2657 || !TEST_size_t_eq(written, strlen(MSG2))
2658 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2659 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2665 SSL_SESSION_free(clientpsk);
2666 SSL_SESSION_free(serverpsk);
2667 clientpsk = serverpsk = NULL;
2668 SSL_free(serverssl);
2669 SSL_free(clientssl);
2675 # endif /* OPENSSL_NO_TLS1_2 */
2678 * Test configuring the TLSv1.3 ciphersuites
2680 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2681 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2682 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2683 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2684 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2685 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2686 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2687 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2688 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2689 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2691 static int test_set_ciphersuite(int idx)
2693 SSL_CTX *cctx = NULL, *sctx = NULL;
2694 SSL *clientssl = NULL, *serverssl = NULL;
2697 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2698 TLS1_VERSION, TLS_MAX_VERSION,
2699 &sctx, &cctx, cert, privkey))
2700 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2701 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2704 if (idx >=4 && idx <= 7) {
2705 /* SSL_CTX explicit cipher list */
2706 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2710 if (idx == 0 || idx == 4) {
2711 /* Default ciphersuite */
2712 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2713 "TLS_AES_128_GCM_SHA256")))
2715 } else if (idx == 1 || idx == 5) {
2716 /* Non default ciphersuite */
2717 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2718 "TLS_AES_128_CCM_SHA256")))
2722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2723 &clientssl, NULL, NULL)))
2726 if (idx == 8 || idx == 9) {
2727 /* SSL explicit cipher list */
2728 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2732 if (idx == 2 || idx == 6 || idx == 8) {
2733 /* Default ciphersuite */
2734 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2735 "TLS_AES_128_GCM_SHA256")))
2737 } else if (idx == 3 || idx == 7 || idx == 9) {
2738 /* Non default ciphersuite */
2739 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2740 "TLS_AES_128_CCM_SHA256")))
2744 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2750 SSL_free(serverssl);
2751 SSL_free(clientssl);
2758 static int test_ciphersuite_change(void)
2760 SSL_CTX *cctx = NULL, *sctx = NULL;
2761 SSL *clientssl = NULL, *serverssl = NULL;
2762 SSL_SESSION *clntsess = NULL;
2764 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2766 /* Create a session based on SHA-256 */
2767 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2768 TLS1_VERSION, TLS_MAX_VERSION,
2769 &sctx, &cctx, cert, privkey))
2770 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2771 "TLS_AES_128_GCM_SHA256"))
2772 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2773 &clientssl, NULL, NULL))
2774 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2778 clntsess = SSL_get1_session(clientssl);
2779 /* Save for later */
2780 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2781 SSL_shutdown(clientssl);
2782 SSL_shutdown(serverssl);
2783 SSL_free(serverssl);
2784 SSL_free(clientssl);
2785 serverssl = clientssl = NULL;
2787 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2788 /* Check we can resume a session with a different SHA-256 ciphersuite */
2789 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2790 "TLS_CHACHA20_POLY1305_SHA256"))
2791 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2793 || !TEST_true(SSL_set_session(clientssl, clntsess))
2794 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2796 || !TEST_true(SSL_session_reused(clientssl)))
2799 SSL_SESSION_free(clntsess);
2800 clntsess = SSL_get1_session(clientssl);
2801 SSL_shutdown(clientssl);
2802 SSL_shutdown(serverssl);
2803 SSL_free(serverssl);
2804 SSL_free(clientssl);
2805 serverssl = clientssl = NULL;
2809 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2810 * succeeds but does not resume.
2812 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2813 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2815 || !TEST_true(SSL_set_session(clientssl, clntsess))
2816 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2818 || !TEST_false(SSL_session_reused(clientssl)))
2821 SSL_SESSION_free(clntsess);
2823 SSL_shutdown(clientssl);
2824 SSL_shutdown(serverssl);
2825 SSL_free(serverssl);
2826 SSL_free(clientssl);
2827 serverssl = clientssl = NULL;
2829 /* Create a session based on SHA384 */
2830 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2831 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2832 &clientssl, NULL, NULL))
2833 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2837 clntsess = SSL_get1_session(clientssl);
2838 SSL_shutdown(clientssl);
2839 SSL_shutdown(serverssl);
2840 SSL_free(serverssl);
2841 SSL_free(clientssl);
2842 serverssl = clientssl = NULL;
2844 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2845 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2846 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2847 "TLS_AES_256_GCM_SHA384"))
2848 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2850 || !TEST_true(SSL_set_session(clientssl, clntsess))
2852 * We use SSL_ERROR_WANT_READ below so that we can pause the
2853 * connection after the initial ClientHello has been sent to
2854 * enable us to make some session changes.
2856 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2857 SSL_ERROR_WANT_READ)))
2860 /* Trick the client into thinking this session is for a different digest */
2861 clntsess->cipher = aes_128_gcm_sha256;
2862 clntsess->cipher_id = clntsess->cipher->id;
2865 * Continue the previously started connection. Server has selected a SHA-384
2866 * ciphersuite, but client thinks the session is for SHA-256, so it should
2869 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2871 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2872 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2878 SSL_SESSION_free(clntsess);
2879 SSL_free(serverssl);
2880 SSL_free(clientssl);
2889 * Test 0 = Test new style callbacks
2890 * Test 1 = Test both new and old style callbacks
2891 * Test 2 = Test old style callbacks
2892 * Test 3 = Test old style callbacks with no certificate
2894 static int test_tls13_psk(int idx)
2896 SSL_CTX *sctx = NULL, *cctx = NULL;
2897 SSL *serverssl = NULL, *clientssl = NULL;
2898 const SSL_CIPHER *cipher = NULL;
2899 const unsigned char key[] = {
2900 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2901 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2902 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2903 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2907 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2908 TLS1_VERSION, TLS_MAX_VERSION,
2909 &sctx, &cctx, idx == 3 ? NULL : cert,
2910 idx == 3 ? NULL : privkey)))
2915 * We use a ciphersuite with SHA256 to ease testing old style PSK
2916 * callbacks which will always default to SHA256. This should not be
2917 * necessary if we have no cert/priv key. In that case the server should
2918 * prefer SHA256 automatically.
2920 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2921 "TLS_AES_128_GCM_SHA256")))
2926 * Test 0: New style callbacks only
2927 * Test 1: New and old style callbacks (only the new ones should be used)
2928 * Test 2: Old style callbacks only
2930 if (idx == 0 || idx == 1) {
2931 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2932 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2934 #ifndef OPENSSL_NO_PSK
2936 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2937 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2941 use_session_cb_cnt = 0;
2942 find_session_cb_cnt = 0;
2943 psk_client_cb_cnt = 0;
2944 psk_server_cb_cnt = 0;
2948 * Check we can create a connection if callback decides not to send a
2951 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2953 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2955 || !TEST_false(SSL_session_reused(clientssl))
2956 || !TEST_false(SSL_session_reused(serverssl)))
2959 if (idx == 0 || idx == 1) {
2960 if (!TEST_true(use_session_cb_cnt == 1)
2961 || !TEST_true(find_session_cb_cnt == 0)
2963 * If no old style callback then below should be 0
2966 || !TEST_true(psk_client_cb_cnt == idx)
2967 || !TEST_true(psk_server_cb_cnt == 0))
2970 if (!TEST_true(use_session_cb_cnt == 0)
2971 || !TEST_true(find_session_cb_cnt == 0)
2972 || !TEST_true(psk_client_cb_cnt == 1)
2973 || !TEST_true(psk_server_cb_cnt == 0))
2977 shutdown_ssl_connection(serverssl, clientssl);
2978 serverssl = clientssl = NULL;
2979 use_session_cb_cnt = psk_client_cb_cnt = 0;
2982 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2986 /* Create the PSK */
2987 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
2988 clientpsk = SSL_SESSION_new();
2989 if (!TEST_ptr(clientpsk)
2990 || !TEST_ptr(cipher)
2991 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2993 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2994 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2996 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2998 serverpsk = clientpsk;
3000 /* Check we can create a connection and the PSK is used */
3001 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3002 || !TEST_true(SSL_session_reused(clientssl))
3003 || !TEST_true(SSL_session_reused(serverssl)))
3006 if (idx == 0 || idx == 1) {
3007 if (!TEST_true(use_session_cb_cnt == 1)
3008 || !TEST_true(find_session_cb_cnt == 1)
3009 || !TEST_true(psk_client_cb_cnt == 0)
3010 || !TEST_true(psk_server_cb_cnt == 0))
3013 if (!TEST_true(use_session_cb_cnt == 0)
3014 || !TEST_true(find_session_cb_cnt == 0)
3015 || !TEST_true(psk_client_cb_cnt == 1)
3016 || !TEST_true(psk_server_cb_cnt == 1))
3020 shutdown_ssl_connection(serverssl, clientssl);
3021 serverssl = clientssl = NULL;
3022 use_session_cb_cnt = find_session_cb_cnt = 0;
3023 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3025 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3030 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3034 * Check we can create a connection, the PSK is used and the callbacks are
3037 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3038 || !TEST_true(SSL_session_reused(clientssl))
3039 || !TEST_true(SSL_session_reused(serverssl)))
3042 if (idx == 0 || idx == 1) {
3043 if (!TEST_true(use_session_cb_cnt == 2)
3044 || !TEST_true(find_session_cb_cnt == 2)
3045 || !TEST_true(psk_client_cb_cnt == 0)
3046 || !TEST_true(psk_server_cb_cnt == 0))
3049 if (!TEST_true(use_session_cb_cnt == 0)
3050 || !TEST_true(find_session_cb_cnt == 0)
3051 || !TEST_true(psk_client_cb_cnt == 2)
3052 || !TEST_true(psk_server_cb_cnt == 2))
3056 shutdown_ssl_connection(serverssl, clientssl);
3057 serverssl = clientssl = NULL;
3058 use_session_cb_cnt = find_session_cb_cnt = 0;
3059 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3063 * Check that if the server rejects the PSK we can still connect, but with
3066 srvid = "Dummy Identity";
3067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3069 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3071 || !TEST_false(SSL_session_reused(clientssl))
3072 || !TEST_false(SSL_session_reused(serverssl)))
3075 if (idx == 0 || idx == 1) {
3076 if (!TEST_true(use_session_cb_cnt == 1)
3077 || !TEST_true(find_session_cb_cnt == 1)
3078 || !TEST_true(psk_client_cb_cnt == 0)
3080 * If no old style callback then below should be 0
3083 || !TEST_true(psk_server_cb_cnt == idx))
3086 if (!TEST_true(use_session_cb_cnt == 0)
3087 || !TEST_true(find_session_cb_cnt == 0)
3088 || !TEST_true(psk_client_cb_cnt == 1)
3089 || !TEST_true(psk_server_cb_cnt == 1))
3093 shutdown_ssl_connection(serverssl, clientssl);
3094 serverssl = clientssl = NULL;
3099 SSL_SESSION_free(clientpsk);
3100 SSL_SESSION_free(serverpsk);
3101 clientpsk = serverpsk = NULL;
3102 SSL_free(serverssl);
3103 SSL_free(clientssl);
3109 static unsigned char cookie_magic_value[] = "cookie magic";
3111 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3112 unsigned int *cookie_len)
3115 * Not suitable as a real cookie generation function but good enough for
3118 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3119 *cookie_len = sizeof(cookie_magic_value) - 1;
3124 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3125 unsigned int cookie_len)
3127 if (cookie_len == sizeof(cookie_magic_value) - 1
3128 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3134 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3138 int res = generate_cookie_callback(ssl, cookie, &temp);
3143 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3146 return verify_cookie_callback(ssl, cookie, cookie_len);
3149 static int test_stateless(void)
3151 SSL_CTX *sctx = NULL, *cctx = NULL;
3152 SSL *serverssl = NULL, *clientssl = NULL;
3155 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3156 TLS1_VERSION, TLS_MAX_VERSION,
3157 &sctx, &cctx, cert, privkey)))
3160 /* The arrival of CCS messages can confuse the test */
3161 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3163 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3165 /* Send the first ClientHello */
3166 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3167 SSL_ERROR_WANT_READ))
3169 * This should fail with a -1 return because we have no callbacks
3172 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3175 /* Fatal error so abandon the connection from this client */
3176 SSL_free(clientssl);
3179 /* Set up the cookie generation and verification callbacks */
3180 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3181 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3184 * Create a new connection from the client (we can reuse the server SSL
3187 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3189 /* Send the first ClientHello */
3190 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3191 SSL_ERROR_WANT_READ))
3192 /* This should fail because there is no cookie */
3193 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3196 /* Abandon the connection from this client */
3197 SSL_free(clientssl);
3201 * Now create a connection from a new client but with the same server SSL
3204 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3206 /* Send the first ClientHello */
3207 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3208 SSL_ERROR_WANT_READ))
3209 /* This should fail because there is no cookie */
3210 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3211 /* Send the second ClientHello */
3212 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3213 SSL_ERROR_WANT_READ))
3214 /* This should succeed because a cookie is now present */
3215 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3216 /* Complete the connection */
3217 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3221 shutdown_ssl_connection(serverssl, clientssl);
3222 serverssl = clientssl = NULL;
3226 SSL_free(serverssl);
3227 SSL_free(clientssl);
3233 #endif /* OPENSSL_NO_TLS1_3 */
3235 static int clntaddoldcb = 0;
3236 static int clntparseoldcb = 0;
3237 static int srvaddoldcb = 0;
3238 static int srvparseoldcb = 0;
3239 static int clntaddnewcb = 0;
3240 static int clntparsenewcb = 0;
3241 static int srvaddnewcb = 0;
3242 static int srvparsenewcb = 0;
3243 static int snicb = 0;
3245 #define TEST_EXT_TYPE1 0xff00
3247 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3248 size_t *outlen, int *al, void *add_arg)
3250 int *server = (int *)add_arg;
3251 unsigned char *data;
3253 if (SSL_is_server(s))
3258 if (*server != SSL_is_server(s)
3259 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3264 *outlen = sizeof(char);
3268 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3271 OPENSSL_free((unsigned char *)out);
3274 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3275 size_t inlen, int *al, void *parse_arg)
3277 int *server = (int *)parse_arg;
3279 if (SSL_is_server(s))
3284 if (*server != SSL_is_server(s)
3285 || inlen != sizeof(char)
3292 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3293 const unsigned char **out, size_t *outlen, X509 *x,
3294 size_t chainidx, int *al, void *add_arg)
3296 int *server = (int *)add_arg;
3297 unsigned char *data;
3299 if (SSL_is_server(s))
3304 if (*server != SSL_is_server(s)
3305 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3310 *outlen = sizeof(*data);
3314 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3315 const unsigned char *out, void *add_arg)
3317 OPENSSL_free((unsigned char *)out);
3320 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3321 const unsigned char *in, size_t inlen, X509 *x,
3322 size_t chainidx, int *al, void *parse_arg)
3324 int *server = (int *)parse_arg;
3326 if (SSL_is_server(s))
3331 if (*server != SSL_is_server(s)
3332 || inlen != sizeof(char) || *in != 1)
3338 static int sni_cb(SSL *s, int *al, void *arg)
3340 SSL_CTX *ctx = (SSL_CTX *)arg;
3342 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3343 *al = SSL_AD_INTERNAL_ERROR;
3344 return SSL_TLSEXT_ERR_ALERT_FATAL;
3347 return SSL_TLSEXT_ERR_OK;
3351 * Custom call back tests.
3352 * Test 0: Old style callbacks in TLSv1.2
3353 * Test 1: New style callbacks in TLSv1.2
3354 * Test 2: New style callbacks in TLSv1.2 with SNI
3355 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3356 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3358 static int test_custom_exts(int tst)
3360 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3361 SSL *clientssl = NULL, *serverssl = NULL;
3363 static int server = 1;
3364 static int client = 0;
3365 SSL_SESSION *sess = NULL;
3366 unsigned int context;
3368 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3369 /* Skip tests for TLSv1.2 and below in this case */
3374 /* Reset callback counters */
3375 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3376 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3379 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3380 TLS1_VERSION, TLS_MAX_VERSION,
3381 &sctx, &cctx, cert, privkey)))
3385 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3386 TLS1_VERSION, TLS_MAX_VERSION,
3387 &sctx2, NULL, cert, privkey)))
3392 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3393 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3395 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3399 context = SSL_EXT_CLIENT_HELLO
3400 | SSL_EXT_TLS1_2_SERVER_HELLO
3401 | SSL_EXT_TLS1_3_SERVER_HELLO
3402 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3403 | SSL_EXT_TLS1_3_CERTIFICATE
3404 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3406 context = SSL_EXT_CLIENT_HELLO
3407 | SSL_EXT_TLS1_2_SERVER_HELLO
3408 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3411 /* Create a client side custom extension */
3413 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3414 old_add_cb, old_free_cb,
3415 &client, old_parse_cb,
3419 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3420 new_add_cb, new_free_cb,
3421 &client, new_parse_cb, &client)))
3425 /* Should not be able to add duplicates */
3426 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3427 old_add_cb, old_free_cb,
3428 &client, old_parse_cb,
3430 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3431 context, new_add_cb,
3432 new_free_cb, &client,
3433 new_parse_cb, &client)))
3436 /* Create a server side custom extension */
3438 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3439 old_add_cb, old_free_cb,
3440 &server, old_parse_cb,
3444 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3445 new_add_cb, new_free_cb,
3446 &server, new_parse_cb, &server)))
3449 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3450 context, new_add_cb,
3451 new_free_cb, &server,
3452 new_parse_cb, &server)))
3456 /* Should not be able to add duplicates */
3457 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3458 old_add_cb, old_free_cb,
3459 &server, old_parse_cb,
3461 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3462 context, new_add_cb,
3463 new_free_cb, &server,
3464 new_parse_cb, &server)))
3469 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3470 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3474 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3475 &clientssl, NULL, NULL))
3476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3481 if (clntaddoldcb != 1
3482 || clntparseoldcb != 1
3484 || srvparseoldcb != 1)
3486 } else if (tst == 1 || tst == 2 || tst == 3) {
3487 if (clntaddnewcb != 1
3488 || clntparsenewcb != 1
3490 || srvparsenewcb != 1
3491 || (tst != 2 && snicb != 0)
3492 || (tst == 2 && snicb != 1))
3495 /* In this case there 2 NewSessionTicket messages created */
3496 if (clntaddnewcb != 1
3497 || clntparsenewcb != 5
3499 || srvparsenewcb != 1)
3503 sess = SSL_get1_session(clientssl);
3504 SSL_shutdown(clientssl);
3505 SSL_shutdown(serverssl);
3506 SSL_free(serverssl);
3507 SSL_free(clientssl);
3508 serverssl = clientssl = NULL;
3511 /* We don't bother with the resumption aspects for this test */
3516 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3518 || !TEST_true(SSL_set_session(clientssl, sess))
3519 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3524 * For a resumed session we expect to add the ClientHello extension. For the
3525 * old style callbacks we ignore it on the server side because they set
3526 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3530 if (clntaddoldcb != 2
3531 || clntparseoldcb != 1
3533 || srvparseoldcb != 1)
3535 } else if (tst == 1 || tst == 2 || tst == 3) {
3536 if (clntaddnewcb != 2
3537 || clntparsenewcb != 2
3539 || srvparsenewcb != 2)
3543 * No Certificate message extensions in the resumption handshake,
3544 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3546 if (clntaddnewcb != 2
3547 || clntparsenewcb != 8
3549 || srvparsenewcb != 2)
3556 SSL_SESSION_free(sess);
3557 SSL_free(serverssl);
3558 SSL_free(clientssl);
3559 SSL_CTX_free(sctx2);
3566 * Test loading of serverinfo data in various formats. test_sslmessages actually
3567 * tests to make sure the extensions appear in the handshake
3569 static int test_serverinfo(int tst)
3571 unsigned int version;
3572 unsigned char *sibuf;
3574 int ret, expected, testresult = 0;
3577 ctx = SSL_CTX_new(TLS_method());
3581 if ((tst & 0x01) == 0x01)
3582 version = SSL_SERVERINFOV2;
3584 version = SSL_SERVERINFOV1;
3586 if ((tst & 0x02) == 0x02) {
3587 sibuf = serverinfov2;
3588 sibuflen = sizeof(serverinfov2);
3589 expected = (version == SSL_SERVERINFOV2);
3591 sibuf = serverinfov1;
3592 sibuflen = sizeof(serverinfov1);
3593 expected = (version == SSL_SERVERINFOV1);
3596 if ((tst & 0x04) == 0x04) {
3597 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3599 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3602 * The version variable is irrelevant in this case - it's what is in the
3603 * buffer that matters
3605 if ((tst & 0x02) == 0x02)
3611 if (!TEST_true(ret == expected))
3623 * Test that SSL_export_keying_material() produces expected results. There are
3624 * no test vectors so all we do is test that both sides of the communication
3625 * produce the same results for different protocol versions.
3627 static int test_export_key_mat(int tst)
3630 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3631 SSL *clientssl = NULL, *serverssl = NULL;
3632 const char label[] = "test label";
3633 const unsigned char context[] = "context";
3634 const unsigned char *emptycontext = NULL;
3635 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3636 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3637 const int protocols[] = {
3644 #ifdef OPENSSL_NO_TLS1
3648 #ifdef OPENSSL_NO_TLS1_1
3652 #ifdef OPENSSL_NO_TLS1_2
3656 #ifdef OPENSSL_NO_TLS1_3
3660 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3661 TLS1_VERSION, TLS_MAX_VERSION,
3662 &sctx, &cctx, cert, privkey)))
3665 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3666 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3667 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3669 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3671 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3675 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3676 sizeof(ckeymat1), label,
3677 sizeof(label) - 1, context,
3678 sizeof(context) - 1, 1), 1)
3679 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3680 sizeof(ckeymat2), label,
3684 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3685 sizeof(ckeymat3), label,
3688 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3689 sizeof(skeymat1), label,
3692 sizeof(context) -1, 1),
3694 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3695 sizeof(skeymat2), label,
3699 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3700 sizeof(skeymat3), label,
3704 * Check that both sides created the same key material with the
3707 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3710 * Check that both sides created the same key material with an
3713 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3716 * Check that both sides created the same key material without a
3719 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3721 /* Different contexts should produce different results */
3722 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3727 * Check that an empty context and no context produce different results in
3728 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3730 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3732 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3739 SSL_free(serverssl);
3740 SSL_free(clientssl);
3741 SSL_CTX_free(sctx2);
3748 #ifndef OPENSSL_NO_TLS1_3
3750 * Test that SSL_export_keying_material_early() produces expected
3751 * results. There are no test vectors so all we do is test that both
3752 * sides of the communication produce the same results for different
3753 * protocol versions.
3755 static int test_export_key_mat_early(int idx)
3757 static const char label[] = "test label";
3758 static const unsigned char context[] = "context";
3760 SSL_CTX *cctx = NULL, *sctx = NULL;
3761 SSL *clientssl = NULL, *serverssl = NULL;
3762 SSL_SESSION *sess = NULL;
3763 const unsigned char *emptycontext = NULL;
3764 unsigned char ckeymat1[80], ckeymat2[80];
3765 unsigned char skeymat1[80], skeymat2[80];
3766 unsigned char buf[1];
3767 size_t readbytes, written;
3769 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3773 /* Here writing 0 length early data is enough. */
3774 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3775 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3777 SSL_READ_EARLY_DATA_ERROR)
3778 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3779 SSL_EARLY_DATA_ACCEPTED))
3782 if (!TEST_int_eq(SSL_export_keying_material_early(
3783 clientssl, ckeymat1, sizeof(ckeymat1), label,
3784 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3785 || !TEST_int_eq(SSL_export_keying_material_early(
3786 clientssl, ckeymat2, sizeof(ckeymat2), label,
3787 sizeof(label) - 1, emptycontext, 0), 1)
3788 || !TEST_int_eq(SSL_export_keying_material_early(
3789 serverssl, skeymat1, sizeof(skeymat1), label,
3790 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3791 || !TEST_int_eq(SSL_export_keying_material_early(
3792 serverssl, skeymat2, sizeof(skeymat2), label,
3793 sizeof(label) - 1, emptycontext, 0), 1)
3795 * Check that both sides created the same key material with the
3798 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3801 * Check that both sides created the same key material with an
3804 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3806 /* Different contexts should produce different results */
3807 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3814 SSL_SESSION_free(sess);
3815 SSL_SESSION_free(clientpsk);
3816 SSL_SESSION_free(serverpsk);
3817 clientpsk = serverpsk = NULL;
3818 SSL_free(serverssl);
3819 SSL_free(clientssl);
3825 #endif /* OPENSSL_NO_TLS1_3 */
3827 static int test_ssl_clear(int idx)
3829 SSL_CTX *cctx = NULL, *sctx = NULL;
3830 SSL *clientssl = NULL, *serverssl = NULL;
3833 #ifdef OPENSSL_NO_TLS1_2
3838 /* Create an initial connection */
3839 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3840 TLS1_VERSION, TLS_MAX_VERSION,
3841 &sctx, &cctx, cert, privkey))
3843 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3845 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3846 &clientssl, NULL, NULL))
3847 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3851 SSL_shutdown(clientssl);
3852 SSL_shutdown(serverssl);
3853 SSL_free(serverssl);
3856 /* Clear clientssl - we're going to reuse the object */
3857 if (!TEST_true(SSL_clear(clientssl)))
3860 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3862 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3864 || !TEST_true(SSL_session_reused(clientssl)))
3867 SSL_shutdown(clientssl);
3868 SSL_shutdown(serverssl);
3873 SSL_free(serverssl);
3874 SSL_free(clientssl);
3881 /* Parse CH and retrieve any MFL extension value if present */
3882 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3885 unsigned char *data;
3886 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3887 unsigned int MFL_code = 0, type = 0;
3889 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3892 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3893 /* Skip the record header */
3894 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3895 /* Skip the handshake message header */
3896 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3897 /* Skip client version and random */
3898 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3899 + SSL3_RANDOM_SIZE))
3900 /* Skip session id */
3901 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3903 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3904 /* Skip compression */
3905 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3906 /* Extensions len */
3907 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3910 /* Loop through all extensions */
3911 while (PACKET_remaining(&pkt2)) {
3912 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3913 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3916 if (type == TLSEXT_TYPE_max_fragment_length) {
3917 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3918 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3921 *mfl_codemfl_code = MFL_code;
3930 /* Maximum-Fragment-Length TLS extension mode to test */
3931 static const unsigned char max_fragment_len_test[] = {
3932 TLSEXT_max_fragment_length_512,
3933 TLSEXT_max_fragment_length_1024,
3934 TLSEXT_max_fragment_length_2048,
3935 TLSEXT_max_fragment_length_4096
3938 static int test_max_fragment_len_ext(int idx_tst)
3942 int testresult = 0, MFL_mode = 0;
3945 ctx = SSL_CTX_new(TLS_method());
3949 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3950 ctx, max_fragment_len_test[idx_tst])))
3957 rbio = BIO_new(BIO_s_mem());
3958 wbio = BIO_new(BIO_s_mem());
3959 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3965 SSL_set_bio(con, rbio, wbio);
3966 SSL_set_connect_state(con);
3968 if (!TEST_int_le(SSL_connect(con), 0)) {
3969 /* This shouldn't succeed because we don't have a server! */
3973 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3974 /* no MFL in client hello */
3976 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3988 #ifndef OPENSSL_NO_TLS1_3
3989 static int test_pha_key_update(void)
3991 SSL_CTX *cctx = NULL, *sctx = NULL;
3992 SSL *clientssl = NULL, *serverssl = NULL;
3995 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3996 TLS1_VERSION, TLS_MAX_VERSION,
3997 &sctx, &cctx, cert, privkey)))
4000 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4001 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4002 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4003 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4007 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4011 SSL_force_post_handshake_auth(clientssl);
4013 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4017 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4018 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4021 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4024 /* Start handshake on the server */
4025 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4028 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4029 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4033 SSL_shutdown(clientssl);
4034 SSL_shutdown(serverssl);
4039 SSL_free(serverssl);
4040 SSL_free(clientssl);
4047 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4049 static SRP_VBASE *vbase = NULL;
4051 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4053 int ret = SSL3_AL_FATAL;
4055 SRP_user_pwd *user = NULL;
4057 username = SSL_get_srp_username(s);
4058 if (username == NULL) {
4059 *ad = SSL_AD_INTERNAL_ERROR;
4063 user = SRP_VBASE_get1_by_user(vbase, username);
4065 *ad = SSL_AD_INTERNAL_ERROR;
4069 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4071 *ad = SSL_AD_INTERNAL_ERROR;
4078 SRP_user_pwd_free(user);
4082 static int create_new_vfile(char *userid, char *password, const char *filename)
4085 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4088 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4091 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4094 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4095 &row[DB_srpverifier], NULL, NULL);
4096 if (!TEST_ptr(gNid))
4100 * The only way to create an empty TXT_DB is to provide a BIO with no data
4103 db = TXT_DB_read(dummy, DB_NUMBER);
4107 out = BIO_new_file(filename, "w");
4111 row[DB_srpid] = OPENSSL_strdup(userid);
4112 row[DB_srptype] = OPENSSL_strdup("V");
4113 row[DB_srpgN] = OPENSSL_strdup(gNid);
4115 if (!TEST_ptr(row[DB_srpid])
4116 || !TEST_ptr(row[DB_srptype])
4117 || !TEST_ptr(row[DB_srpgN])
4118 || !TEST_true(TXT_DB_insert(db, row)))
4123 if (!TXT_DB_write(out, db))
4129 for (i = 0; i < DB_NUMBER; i++)
4130 OPENSSL_free(row[i]);
4140 static int create_new_vbase(char *userid, char *password)
4142 BIGNUM *verifier = NULL, *salt = NULL;
4143 const SRP_gN *lgN = NULL;
4144 SRP_user_pwd *user_pwd = NULL;
4147 lgN = SRP_get_default_gN(NULL);
4151 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4155 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4156 if (!TEST_ptr(user_pwd))
4159 user_pwd->N = lgN->N;
4160 user_pwd->g = lgN->g;
4161 user_pwd->id = OPENSSL_strdup(userid);
4162 if (!TEST_ptr(user_pwd->id))
4165 user_pwd->v = verifier;
4167 verifier = salt = NULL;
4169 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4175 SRP_user_pwd_free(user_pwd);
4185 * Test 0: Simple successful SRP connection, new vbase
4186 * Test 1: Connection failure due to bad password, new vbase
4187 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4188 * Test 3: Connection failure due to bad password, vbase loaded from existing
4190 * Test 4: Simple successful SRP connection, vbase loaded from new file
4191 * Test 5: Connection failure due to bad password, vbase loaded from new file
4193 static int test_srp(int tst)
4195 char *userid = "test", *password = "password", *tstsrpfile;
4196 SSL_CTX *cctx = NULL, *sctx = NULL;
4197 SSL *clientssl = NULL, *serverssl = NULL;
4198 int ret, testresult = 0;
4200 vbase = SRP_VBASE_new(NULL);
4201 if (!TEST_ptr(vbase))
4204 if (tst == 0 || tst == 1) {
4205 if (!TEST_true(create_new_vbase(userid, password)))
4208 if (tst == 4 || tst == 5) {
4209 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4211 tstsrpfile = tmpfilename;
4213 tstsrpfile = srpvfile;
4215 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4219 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4220 TLS1_VERSION, TLS_MAX_VERSION,
4221 &sctx, &cctx, cert, privkey)))
4224 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4225 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4226 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4227 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4228 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4232 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4235 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4239 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4243 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4245 if (!TEST_true(tst % 2 == 0))
4248 if (!TEST_true(tst % 2 == 1))
4255 SRP_VBASE_free(vbase);
4257 SSL_free(serverssl);
4258 SSL_free(clientssl);
4266 static int info_cb_failed = 0;
4267 static int info_cb_offset = 0;
4268 static int info_cb_this_state = -1;
4270 static struct info_cb_states_st {
4272 const char *statestr;
4273 } info_cb_states[][60] = {
4275 /* TLSv1.2 server followed by resumption */
4276 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4277 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4278 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4279 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4280 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4281 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4282 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4283 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4284 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4285 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4286 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4287 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4288 {SSL_CB_EXIT, NULL}, {0, NULL},
4290 /* TLSv1.2 client followed by resumption */
4291 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4292 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4293 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4294 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4295 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4296 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4297 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4298 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4299 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4300 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4301 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4302 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4304 /* TLSv1.3 server followed by resumption */
4305 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4306 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4307 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4308 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4309 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4310 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4311 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4312 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4313 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4314 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4315 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4316 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4317 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4318 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4319 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4320 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4321 {SSL_CB_EXIT, NULL}, {0, NULL},
4323 /* TLSv1.3 client followed by resumption */
4324 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4325 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4326 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4327 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4328 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4329 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4330 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4331 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4332 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4333 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4334 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4335 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4336 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4337 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4338 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4339 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4340 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4341 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4342 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4344 /* TLSv1.3 server, early_data */
4345 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4346 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4347 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4348 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4349 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4350 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4351 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4352 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4353 {SSL_CB_EXIT, NULL}, {0, NULL},
4355 /* TLSv1.3 client, early_data */
4356 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4357 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4358 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4359 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4360 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4361 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4362 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4363 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4364 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4365 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4371 static void sslapi_info_callback(const SSL *s, int where, int ret)
4373 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4375 /* We do not ever expect a connection to fail in this test */
4376 if (!TEST_false(ret == 0)) {
4382 * Do some sanity checks. We never expect these things to happen in this
4385 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4386 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4387 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4392 /* Now check we're in the right state */
4393 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4397 if ((where & SSL_CB_LOOP) != 0
4398 && !TEST_int_eq(strcmp(SSL_state_string(s),
4399 state[info_cb_this_state].statestr), 0)) {
4404 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4405 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4412 * Test the info callback gets called when we expect it to.
4414 * Test 0: TLSv1.2, server
4415 * Test 1: TLSv1.2, client
4416 * Test 2: TLSv1.3, server
4417 * Test 3: TLSv1.3, client
4418 * Test 4: TLSv1.3, server, early_data
4419 * Test 5: TLSv1.3, client, early_data
4421 static int test_info_callback(int tst)
4423 SSL_CTX *cctx = NULL, *sctx = NULL;
4424 SSL *clientssl = NULL, *serverssl = NULL;
4425 SSL_SESSION *clntsess = NULL;
4430 #ifndef OPENSSL_NO_TLS1_2
4431 tlsvers = TLS1_2_VERSION;
4436 #ifndef OPENSSL_NO_TLS1_3
4437 tlsvers = TLS1_3_VERSION;
4445 info_cb_this_state = -1;
4446 info_cb_offset = tst;
4448 #ifndef OPENSSL_NO_TLS1_3
4450 SSL_SESSION *sess = NULL;
4451 size_t written, readbytes;
4452 unsigned char buf[80];
4454 /* early_data tests */
4455 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4456 &serverssl, &sess, 0)))
4459 /* We don't actually need this reference */
4460 SSL_SESSION_free(sess);
4462 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4463 sslapi_info_callback);
4465 /* Write and read some early data and then complete the connection */
4466 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4468 || !TEST_size_t_eq(written, strlen(MSG1))
4469 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4470 sizeof(buf), &readbytes),
4471 SSL_READ_EARLY_DATA_SUCCESS)
4472 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4473 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4474 SSL_EARLY_DATA_ACCEPTED)
4475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4477 || !TEST_false(info_cb_failed))
4485 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4486 TLS_client_method(),
4487 tlsvers, tlsvers, &sctx, &cctx, cert,
4492 * For even numbered tests we check the server callbacks. For odd numbers we
4495 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4496 sslapi_info_callback);
4498 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4499 &clientssl, NULL, NULL))
4500 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4502 || !TEST_false(info_cb_failed))
4507 clntsess = SSL_get1_session(clientssl);
4508 SSL_shutdown(clientssl);
4509 SSL_shutdown(serverssl);
4510 SSL_free(serverssl);
4511 SSL_free(clientssl);
4512 serverssl = clientssl = NULL;
4514 /* Now do a resumption */
4515 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4517 || !TEST_true(SSL_set_session(clientssl, clntsess))
4518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4520 || !TEST_true(SSL_session_reused(clientssl))
4521 || !TEST_false(info_cb_failed))
4527 SSL_free(serverssl);
4528 SSL_free(clientssl);
4529 SSL_SESSION_free(clntsess);
4535 static int test_ssl_pending(int tst)
4537 SSL_CTX *cctx = NULL, *sctx = NULL;
4538 SSL *clientssl = NULL, *serverssl = NULL;
4540 char msg[] = "A test message";
4542 size_t written, readbytes;
4545 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4546 TLS_client_method(),
4547 TLS1_VERSION, TLS_MAX_VERSION,
4548 &sctx, &cctx, cert, privkey)))
4551 #ifndef OPENSSL_NO_DTLS
4552 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4553 DTLS_client_method(),
4554 DTLS1_VERSION, DTLS_MAX_VERSION,
4555 &sctx, &cctx, cert, privkey)))
4562 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4564 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4568 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4569 || !TEST_false(SSL_has_pending(clientssl))
4570 || !TEST_int_eq(SSL_pending(serverssl), 0)
4571 || !TEST_false(SSL_has_pending(serverssl))
4572 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4573 || !TEST_size_t_eq(written, sizeof(msg))
4574 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4575 || !TEST_size_t_eq(readbytes, sizeof(buf))
4576 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4577 || !TEST_true(SSL_has_pending(clientssl)))
4583 SSL_free(serverssl);
4584 SSL_free(clientssl);
4592 unsigned int maxprot;
4593 const char *clntciphers;
4594 const char *clnttls13ciphers;
4595 const char *srvrciphers;
4596 const char *srvrtls13ciphers;
4598 } shared_ciphers_data[] = {
4600 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4601 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4603 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
4606 "AES128-SHA:AES256-SHA",
4608 "AES256-SHA:DHE-RSA-AES128-SHA",
4614 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4616 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4618 "AES128-SHA:AES256-SHA"
4622 "AES128-SHA:AES256-SHA",
4624 "AES128-SHA:DHE-RSA-AES128-SHA",
4630 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4633 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4634 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4637 "AES128-SHA:AES256-SHA",
4639 "AES256-SHA:AES128-SHA256",
4641 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4642 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4645 #ifndef OPENSSL_NO_TLS1_3
4649 "TLS_AES_256_GCM_SHA384",
4651 "TLS_AES_256_GCM_SHA384",
4652 "TLS_AES_256_GCM_SHA384"
4657 static int test_ssl_get_shared_ciphers(int tst)
4659 SSL_CTX *cctx = NULL, *sctx = NULL;
4660 SSL *clientssl = NULL, *serverssl = NULL;
4664 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4665 TLS_client_method(),
4667 shared_ciphers_data[tst].maxprot,
4668 &sctx, &cctx, cert, privkey)))
4671 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4672 shared_ciphers_data[tst].clntciphers))
4673 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
4674 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4675 shared_ciphers_data[tst].clnttls13ciphers)))
4676 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
4677 shared_ciphers_data[tst].srvrciphers))
4678 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
4679 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4680 shared_ciphers_data[tst].srvrtls13ciphers))))
4684 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4686 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4690 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
4691 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
4692 TEST_info("Shared ciphers are: %s\n", buf);
4699 SSL_free(serverssl);
4700 SSL_free(clientssl);
4707 static const char *appdata = "Hello World";
4708 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
4709 static int tick_key_renew = 0;
4710 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4712 static int gen_tick_cb(SSL *s, void *arg)
4714 gen_tick_called = 1;
4716 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
4720 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
4721 const unsigned char *keyname,
4722 size_t keyname_length,
4723 SSL_TICKET_STATUS status,
4729 dec_tick_called = 1;
4731 if (status == SSL_TICKET_EMPTY)
4732 return SSL_TICKET_RETURN_IGNORE_RENEW;
4734 if (!TEST_true(status == SSL_TICKET_SUCCESS
4735 || status == SSL_TICKET_SUCCESS_RENEW))
4736 return SSL_TICKET_RETURN_ABORT;
4738 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
4740 || !TEST_size_t_eq(tickdlen, strlen(appdata))
4741 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
4742 return SSL_TICKET_RETURN_ABORT;
4744 if (tick_key_cb_called) {
4745 /* Don't change what the ticket key callback wanted to do */
4747 case SSL_TICKET_NO_DECRYPT:
4748 return SSL_TICKET_RETURN_IGNORE_RENEW;
4750 case SSL_TICKET_SUCCESS:
4751 return SSL_TICKET_RETURN_USE;
4753 case SSL_TICKET_SUCCESS_RENEW:
4754 return SSL_TICKET_RETURN_USE_RENEW;
4757 return SSL_TICKET_RETURN_ABORT;
4760 return tick_dec_ret;
4764 static int tick_key_cb(SSL *s, unsigned char key_name[16],
4765 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
4766 HMAC_CTX *hctx, int enc)
4768 const unsigned char tick_aes_key[16] = "0123456789abcdef";
4769 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
4771 tick_key_cb_called = 1;
4772 memset(iv, 0, AES_BLOCK_SIZE);
4773 memset(key_name, 0, 16);
4774 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
4775 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
4776 EVP_sha256(), NULL))
4779 return tick_key_renew ? 2 : 1;
4783 * Test the various ticket callbacks
4784 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
4785 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
4786 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
4787 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
4788 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
4789 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
4790 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
4791 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
4792 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
4793 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
4794 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
4795 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
4797 static int test_ticket_callbacks(int tst)
4799 SSL_CTX *cctx = NULL, *sctx = NULL;
4800 SSL *clientssl = NULL, *serverssl = NULL;
4801 SSL_SESSION *clntsess = NULL;
4804 #ifdef OPENSSL_NO_TLS1_2
4808 #ifdef OPENSSL_NO_TLS1_3
4813 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
4815 /* Which tests the ticket key callback should request renewal for */
4816 if (tst == 10 || tst == 11)
4821 /* Which tests the decrypt ticket callback should request renewal for */
4825 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
4830 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
4835 tick_dec_ret = SSL_TICKET_RETURN_USE;
4840 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
4844 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4847 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4848 TLS_client_method(),
4850 ((tst % 2) == 0) ? TLS1_2_VERSION
4852 &sctx, &cctx, cert, privkey)))
4856 * We only want sessions to resume from tickets - not the session cache. So
4857 * switch the cache off.
4859 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
4862 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
4867 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
4870 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4872 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4877 * The decrypt ticket key callback in TLSv1.2 should be called even though
4878 * we have no ticket yet, because it gets called with a status of
4879 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
4880 * actually send any ticket data). This does not happen in TLSv1.3 because
4881 * it is not valid to send empty ticket data in TLSv1.3.
4883 if (!TEST_int_eq(gen_tick_called, 1)
4884 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
4887 gen_tick_called = dec_tick_called = 0;
4889 clntsess = SSL_get1_session(clientssl);
4890 SSL_shutdown(clientssl);
4891 SSL_shutdown(serverssl);
4892 SSL_free(serverssl);
4893 SSL_free(clientssl);
4894 serverssl = clientssl = NULL;
4896 /* Now do a resumption */
4897 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4899 || !TEST_true(SSL_set_session(clientssl, clntsess))
4900 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4904 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
4905 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
4906 if (!TEST_false(SSL_session_reused(clientssl)))
4909 if (!TEST_true(SSL_session_reused(clientssl)))
4913 if (!TEST_int_eq(gen_tick_called,
4915 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
4916 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
4918 || !TEST_int_eq(dec_tick_called, 1))
4924 SSL_SESSION_free(clntsess);
4925 SSL_free(serverssl);
4926 SSL_free(clientssl);
4933 int setup_tests(void)
4935 if (!TEST_ptr(cert = test_get_argument(0))
4936 || !TEST_ptr(privkey = test_get_argument(1))
4937 || !TEST_ptr(srpvfile = test_get_argument(2))
4938 || !TEST_ptr(tmpfilename = test_get_argument(3)))
4941 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
4942 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
4943 TEST_error("not supported in this build");
4946 int i, mcount, rcount, fcount;
4948 for (i = 0; i < 4; i++)
4949 test_export_key_mat(i);
4950 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
4951 test_printf_stdout("malloc %d realloc %d free %d\n",
4952 mcount, rcount, fcount);
4957 ADD_TEST(test_large_message_tls);
4958 ADD_TEST(test_large_message_tls_read_ahead);
4959 #ifndef OPENSSL_NO_DTLS
4960 ADD_TEST(test_large_message_dtls);
4962 #ifndef OPENSSL_NO_OCSP
4963 ADD_TEST(test_tlsext_status_type);
4965 ADD_TEST(test_session_with_only_int_cache);
4966 ADD_TEST(test_session_with_only_ext_cache);
4967 ADD_TEST(test_session_with_both_cache);
4968 #ifndef OPENSSL_NO_TLS1_3
4969 ADD_ALL_TESTS(test_tickets, 3);
4971 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
4972 ADD_TEST(test_ssl_bio_pop_next_bio);
4973 ADD_TEST(test_ssl_bio_pop_ssl_bio);
4974 ADD_TEST(test_ssl_bio_change_rbio);
4975 ADD_TEST(test_ssl_bio_change_wbio);
4976 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
4977 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
4978 ADD_TEST(test_keylog);
4980 #ifndef OPENSSL_NO_TLS1_3
4981 ADD_TEST(test_keylog_no_master_key);
4983 #ifndef OPENSSL_NO_TLS1_2
4984 ADD_TEST(test_client_hello_cb);
4986 #ifndef OPENSSL_NO_TLS1_3
4987 ADD_ALL_TESTS(test_early_data_read_write, 3);
4989 * We don't do replay tests for external PSK. Replay protection isn't used
4992 ADD_ALL_TESTS(test_early_data_replay, 2);
4993 ADD_ALL_TESTS(test_early_data_skip, 3);
4994 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
4995 ADD_ALL_TESTS(test_early_data_not_sent, 3);
4996 ADD_ALL_TESTS(test_early_data_psk, 8);
4997 ADD_ALL_TESTS(test_early_data_not_expected, 3);
4998 # ifndef OPENSSL_NO_TLS1_2
4999 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5002 #ifndef OPENSSL_NO_TLS1_3
5003 ADD_ALL_TESTS(test_set_ciphersuite, 10);
5004 ADD_TEST(test_ciphersuite_change);
5005 #ifdef OPENSSL_NO_PSK
5006 ADD_ALL_TESTS(test_tls13_psk, 1);
5008 ADD_ALL_TESTS(test_tls13_psk, 4);
5009 #endif /* OPENSSL_NO_PSK */
5010 ADD_ALL_TESTS(test_custom_exts, 5);
5011 ADD_TEST(test_stateless);
5012 ADD_TEST(test_pha_key_update);
5014 ADD_ALL_TESTS(test_custom_exts, 3);
5016 ADD_ALL_TESTS(test_serverinfo, 8);
5017 ADD_ALL_TESTS(test_export_key_mat, 4);
5018 #ifndef OPENSSL_NO_TLS1_3
5019 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5021 ADD_ALL_TESTS(test_ssl_clear, 2);
5022 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
5023 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5024 ADD_ALL_TESTS(test_srp, 6);
5026 ADD_ALL_TESTS(test_info_callback, 6);
5027 ADD_ALL_TESTS(test_ssl_pending, 2);
5028 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
5029 ADD_ALL_TESTS(test_ticket_callbacks, 12);
5033 void cleanup_tests(void)
5035 bio_s_mempacket_test_free();