2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "../ssl/ssl_locl.h"
27 static char *cert = NULL;
28 static char *privkey = NULL;
29 static char *srpvfile = NULL;
30 static char *tmpfilename = NULL;
32 #define LOG_BUFFER_SIZE 2048
33 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
34 static size_t server_log_buffer_index = 0;
35 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
36 static size_t client_log_buffer_index = 0;
37 static int error_writing_log = 0;
39 #ifndef OPENSSL_NO_OCSP
40 static const unsigned char orespder[] = "Dummy OCSP Response";
41 static int ocsp_server_called = 0;
42 static int ocsp_client_called = 0;
44 static int cdummyarg = 1;
45 static X509 *ocspcert = NULL;
48 #define NUM_EXTRA_CERTS 40
49 #define CLIENT_VERSION_LEN 2
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
55 struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
58 unsigned int client_early_secret_count;
59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
63 unsigned int early_exporter_secret_count;
64 unsigned int exporter_secret_count;
68 static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
74 static unsigned char serverinfov2[] = {
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
82 static void client_keylog_callback(const SSL *ssl, const char *line)
84 int line_length = strlen(line);
86 /* If the log doesn't fit, error out. */
87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
89 error_writing_log = 1;
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
95 client_log_buffer[client_log_buffer_index++] = '\n';
98 static void server_keylog_callback(const SSL *ssl, const char *line)
100 int line_length = strlen(line);
102 /* If the log doesn't fit, error out. */
103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
104 TEST_info("Server log too full");
105 error_writing_log = 1;
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
111 server_log_buffer[server_log_buffer_index++] = '\n';
114 static int compare_hex_encoded_buffer(const char *hex_encoded,
122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
126 sprintf(hexed, "%02x", raw[i]);
127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
135 static int test_keylog_output(char *buffer, const SSL *ssl,
136 const SSL_SESSION *session,
137 struct sslapitest_log_counts *expected)
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
146 unsigned int client_early_secret_count = 0;
147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
151 unsigned int early_exporter_secret_count = 0;
152 unsigned int exporter_secret_count = 0;
154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
156 if (strcmp(token, "RSA") == 0) {
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
159 * hex-encoded encrypted secret, then the hex-encoded pre-master
162 if (!TEST_ptr(token = strtok(NULL, " \n")))
164 if (!TEST_size_t_eq(strlen(token), 16))
166 if (!TEST_ptr(token = strtok(NULL, " \n")))
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
173 rsa_key_exchange_count++;
174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
177 * client random, then the hex-encoded master secret.
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
185 if (!TEST_ptr(token = strtok(NULL, " \n")))
187 if (!TEST_size_t_eq(strlen(token), 64))
189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
194 if (!TEST_ptr(token = strtok(NULL, " \n")))
196 master_key_size = SSL_SESSION_get_master_key(session,
199 if (!TEST_size_t_ne(master_key_size, 0))
201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
205 master_secret_count++;
206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
212 || strcmp(token, "EXPORTER_SECRET") == 0) {
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
240 if (!TEST_ptr(token = strtok(NULL, " \n")))
242 if (!TEST_size_t_eq(strlen(token), 64))
244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
249 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 * TODO(TLS1.3): test that application traffic secrets are what
256 TEST_info("Unexpected token %s\n", token);
261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
275 expected->server_application_secret_count)
276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
284 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
285 static int test_keylog(void)
287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
290 struct sslapitest_log_counts expected = {0};
292 /* Clean up logging space */
293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
301 TLS1_VERSION, TLS_MAX_VERSION,
302 &sctx, &cctx, cert, privkey)))
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
309 /* We also want to ensure that we use RSA-based key exchange. */
310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
336 * Now we want to test that our output data was vaguely sensible. We
337 * do that by using strtok and confirming that we have more or less the
338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
347 expected.rsa_key_exchange_count = 0;
348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
364 #ifndef OPENSSL_NO_TLS1_3
365 static int test_keylog_no_master_key(void)
367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
369 SSL_SESSION *sess = NULL;
371 struct sslapitest_log_counts expected = {0};
372 unsigned char buf[1];
373 size_t readbytes, written;
375 /* Clean up logging space */
376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
386 SSL3_RT_MAX_PLAIN_LENGTH)))
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
408 || !TEST_false(error_writing_log))
412 * Now we want to test that our output data was vaguely sensible. For this
413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
414 * TLSv1.3, but we do expect both client and server to emit keys.
416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
420 expected.exporter_secret_count = 1;
421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
434 serverssl = clientssl = NULL;
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
454 || !TEST_true(SSL_session_reused(clientssl)))
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
459 expected.early_exporter_secret_count = 1;
460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
470 SSL_SESSION_free(sess);
480 #ifndef OPENSSL_NO_TLS1_2
481 static int full_client_hello_callback(SSL *s, int *al, void *arg)
484 const unsigned char *p;
486 /* We only configure two ciphers, but the SCSV is added automatically. */
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
493 const int expected_extensions[] = {
494 #ifndef OPENSSL_NO_EC
500 /* Make sure we can defer processing and get called back. */
502 return SSL_CLIENT_HELLO_RETRY;
504 len = SSL_client_hello_get0_ciphers(s, &p);
505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
508 || !TEST_int_eq(*p, 0))
509 return SSL_CLIENT_HELLO_ERROR;
510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
511 return SSL_CLIENT_HELLO_ERROR;
512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
514 printf("ClientHello callback expected extensions mismatch\n");
516 return SSL_CLIENT_HELLO_ERROR;
519 return SSL_CLIENT_HELLO_SUCCESS;
522 static int test_client_hello_cb(void)
524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
565 static int execute_test_large_message(const SSL_METHOD *smeth,
566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
575 X509 *chaincert = NULL;
578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
583 if (!TEST_ptr(chaincert))
586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
592 * Test that read_ahead works correctly when dealing with large
595 SSL_CTX_set_read_ahead(cctx, 1);
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
605 certlen = i2d_X509(chaincert, NULL);
606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
609 if (!X509_up_ref(chaincert))
611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
612 X509_free(chaincert);
617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
627 if (!TEST_true(SSL_clear(serverssl)))
632 X509_free(chaincert);
641 static int test_large_message_tls(void)
643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
644 TLS1_VERSION, TLS_MAX_VERSION,
648 static int test_large_message_tls_read_ahead(void)
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
651 TLS1_VERSION, TLS_MAX_VERSION,
655 #ifndef OPENSSL_NO_DTLS
656 static int test_large_message_dtls(void)
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
662 return execute_test_large_message(DTLS_server_method(),
663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
669 #ifndef OPENSSL_NO_OCSP
670 static int ocsp_server_cb(SSL *s, void *arg)
672 int *argi = (int *)arg;
673 unsigned char *copy = NULL;
674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
691 return SSL_TLSEXT_ERR_ALERT_FATAL;
693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
694 ocsp_server_called = 1;
695 return SSL_TLSEXT_ERR_OK;
698 static int ocsp_client_cb(SSL *s, void *arg)
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
704 if (*argi != 1 && *argi != 2)
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
708 if (!TEST_mem_eq(orespder, len, respderin, len))
711 ocsp_client_called = 1;
715 static int test_tlsext_status_type(void)
717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
732 /* First just do various checks getting and setting tlsext_status_type */
734 clientssl = SSL_new(cctx);
735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
749 clientssl = SSL_new(cctx);
750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
793 * This time we'll get the client to send an OCSP_RESPID that it will
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
805 * specific one. We'll use the server cert.
807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
846 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
847 static int new_called, remove_called, get_called;
849 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
853 * sess has been up-refed for us, but we don't actually need it so free it
856 SSL_SESSION_free(sess);
860 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
865 static SSL_SESSION *get_sess_val = NULL;
867 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
875 static int execute_test_session(int maxprot, int use_int_cache,
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
881 # ifndef OPENSSL_NO_TLS1_1
882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
885 int testresult = 0, numnewsesstick = 1;
887 new_called = remove_called = 0;
889 /* TLSv1.3 sends 2 NewSessionTickets */
890 if (maxprot == TLS1_3_VERSION)
893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
894 TLS1_VERSION, TLS_MAX_VERSION,
895 &sctx, &cctx, cert, privkey)))
899 * Only allow the max protocol version so we can force a connection failure
902 SSL_CTX_set_min_proto_version(cctx, maxprot);
903 SSL_CTX_set_max_proto_version(cctx, maxprot);
905 /* Set up session cache */
907 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
908 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
911 /* Also covers instance where both are set */
912 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
914 SSL_CTX_set_session_cache_mode(cctx,
915 SSL_SESS_CACHE_CLIENT
916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
921 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
923 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
926 /* Should fail because it should already be in the cache */
927 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
930 && (!TEST_int_eq(new_called, numnewsesstick)
932 || !TEST_int_eq(remove_called, 0)))
935 new_called = remove_called = 0;
936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
937 &clientssl2, NULL, NULL))
938 || !TEST_true(SSL_set_session(clientssl2, sess1))
939 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
941 || !TEST_true(SSL_session_reused(clientssl2)))
944 if (maxprot == TLS1_3_VERSION) {
946 * In TLSv1.3 we should have created a new session even though we have
950 && (!TEST_int_eq(new_called, 1)
951 || !TEST_int_eq(remove_called, 0)))
955 * In TLSv1.2 we expect to have resumed so no sessions added or
959 && (!TEST_int_eq(new_called, 0)
960 || !TEST_int_eq(remove_called, 0)))
964 SSL_SESSION_free(sess1);
965 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
967 shutdown_ssl_connection(serverssl2, clientssl2);
968 serverssl2 = clientssl2 = NULL;
970 new_called = remove_called = 0;
971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
972 &clientssl2, NULL, NULL))
973 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
977 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
981 && (!TEST_int_eq(new_called, numnewsesstick)
982 || !TEST_int_eq(remove_called, 0)))
985 new_called = remove_called = 0;
987 * This should clear sess2 from the cache because it is a "bad" session.
988 * See SSL_set_session() documentation.
990 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
993 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
995 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
999 /* Should succeeded because it should not already be in the cache */
1000 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1001 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1005 new_called = remove_called = 0;
1006 /* This shouldn't be in the cache so should fail */
1007 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1011 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1014 # if !defined(OPENSSL_NO_TLS1_1)
1015 new_called = remove_called = 0;
1016 /* Force a connection failure */
1017 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1018 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1019 &clientssl3, NULL, NULL))
1020 || !TEST_true(SSL_set_session(clientssl3, sess1))
1021 /* This should fail because of the mismatched protocol versions */
1022 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1026 /* We should have automatically removed the session from the cache */
1028 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1031 /* Should succeed because it should not already be in the cache */
1032 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1036 /* Now do some tests for server side caching */
1037 if (use_ext_cache) {
1038 SSL_CTX_sess_set_new_cb(cctx, NULL);
1039 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1040 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1041 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1042 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1043 get_sess_val = NULL;
1046 SSL_CTX_set_session_cache_mode(cctx, 0);
1047 /* Internal caching is the default on the server side */
1049 SSL_CTX_set_session_cache_mode(sctx,
1050 SSL_SESS_CACHE_SERVER
1051 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1053 SSL_free(serverssl1);
1054 SSL_free(clientssl1);
1055 serverssl1 = clientssl1 = NULL;
1056 SSL_free(serverssl2);
1057 SSL_free(clientssl2);
1058 serverssl2 = clientssl2 = NULL;
1059 SSL_SESSION_free(sess1);
1061 SSL_SESSION_free(sess2);
1064 SSL_CTX_set_max_proto_version(sctx, maxprot);
1065 if (maxprot == TLS1_2_VERSION)
1066 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1067 new_called = remove_called = get_called = 0;
1068 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1070 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1072 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1073 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1076 if (use_int_cache) {
1077 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1079 * In TLSv1.3 it should not have been added to the internal cache,
1080 * except in the case where we also have an external cache (in that
1081 * case it gets added to the cache in order to generate remove
1082 * events after timeout).
1084 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1087 /* Should fail because it should already be in the cache */
1088 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1093 if (use_ext_cache) {
1094 SSL_SESSION *tmp = sess2;
1096 if (!TEST_int_eq(new_called, numnewsesstick)
1097 || !TEST_int_eq(remove_called, 0)
1098 || !TEST_int_eq(get_called, 0))
1101 * Delete the session from the internal cache to force a lookup from
1102 * the external cache. We take a copy first because
1103 * SSL_CTX_remove_session() also marks the session as non-resumable.
1105 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1106 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1107 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1109 SSL_SESSION_free(sess2);
1114 new_called = remove_called = get_called = 0;
1115 get_sess_val = sess2;
1116 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1117 &clientssl2, NULL, NULL))
1118 || !TEST_true(SSL_set_session(clientssl2, sess1))
1119 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1121 || !TEST_true(SSL_session_reused(clientssl2)))
1124 if (use_ext_cache) {
1125 if (!TEST_int_eq(remove_called, 0))
1128 if (maxprot == TLS1_3_VERSION) {
1129 if (!TEST_int_eq(new_called, 1)
1130 || !TEST_int_eq(get_called, 0))
1133 if (!TEST_int_eq(new_called, 0)
1134 || !TEST_int_eq(get_called, 1))
1142 SSL_free(serverssl1);
1143 SSL_free(clientssl1);
1144 SSL_free(serverssl2);
1145 SSL_free(clientssl2);
1146 # ifndef OPENSSL_NO_TLS1_1
1147 SSL_free(serverssl3);
1148 SSL_free(clientssl3);
1150 SSL_SESSION_free(sess1);
1151 SSL_SESSION_free(sess2);
1157 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1159 static int test_session_with_only_int_cache(void)
1161 #ifndef OPENSSL_NO_TLS1_3
1162 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1166 #ifndef OPENSSL_NO_TLS1_2
1167 return execute_test_session(TLS1_2_VERSION, 1, 0);
1173 static int test_session_with_only_ext_cache(void)
1175 #ifndef OPENSSL_NO_TLS1_3
1176 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1180 #ifndef OPENSSL_NO_TLS1_2
1181 return execute_test_session(TLS1_2_VERSION, 0, 1);
1187 static int test_session_with_both_cache(void)
1189 #ifndef OPENSSL_NO_TLS1_3
1190 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1194 #ifndef OPENSSL_NO_TLS1_2
1195 return execute_test_session(TLS1_2_VERSION, 1, 1);
1201 #ifndef OPENSSL_NO_TLS1_3
1202 static SSL_SESSION *sesscache[6];
1203 static int do_cache;
1205 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1208 sesscache[new_called] = sess;
1210 /* We don't need the reference to the session, so free it */
1211 SSL_SESSION_free(sess);
1218 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1220 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1221 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1224 /* Start handshake on the server and client */
1225 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1226 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1227 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1228 || !TEST_true(create_ssl_connection(sssl, cssl,
1235 static int test_tickets(int idx)
1237 SSL_CTX *sctx = NULL, *cctx = NULL;
1238 SSL *serverssl = NULL, *clientssl = NULL;
1239 int testresult = 0, i;
1242 /* idx is the test number, but also the number of tickets we want */
1247 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1248 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1249 &cctx, cert, privkey))
1250 || !TEST_true(SSL_CTX_set_num_tickets(sctx, idx)))
1253 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1254 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1255 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
1257 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1258 &clientssl, NULL, NULL)))
1261 SSL_force_post_handshake_auth(clientssl);
1263 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1265 /* Check we got the number of tickets we were expecting */
1266 || !TEST_int_eq(idx, new_called))
1269 /* After a post-handshake authentication we should get new tickets issued */
1270 if (!post_handshake_verify(serverssl, clientssl)
1271 || !TEST_int_eq(idx * 2, new_called))
1274 SSL_shutdown(clientssl);
1275 SSL_shutdown(serverssl);
1276 SSL_free(serverssl);
1277 SSL_free(clientssl);
1278 serverssl = clientssl = NULL;
1280 /* Stop caching sessions - just count them */
1283 /* Test that we can resume with all the tickets we got given */
1284 for (i = 0; i < idx * 2; i++) {
1286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1287 &clientssl, NULL, NULL))
1288 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1291 SSL_force_post_handshake_auth(clientssl);
1293 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1295 || !TEST_true(SSL_session_reused(clientssl))
1296 /* Following a resumption we only get 1 ticket */
1297 || !TEST_int_eq(new_called, 1))
1301 /* After a post-handshake authentication we should get 1 new ticket */
1302 if (!post_handshake_verify(serverssl, clientssl)
1303 || !TEST_int_eq(new_called, 1))
1306 SSL_shutdown(clientssl);
1307 SSL_shutdown(serverssl);
1308 SSL_free(serverssl);
1309 SSL_free(clientssl);
1310 serverssl = clientssl = NULL;
1311 SSL_SESSION_free(sesscache[i]);
1312 sesscache[i] = NULL;
1318 SSL_free(serverssl);
1319 SSL_free(clientssl);
1320 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1321 SSL_SESSION_free(sesscache[j]);
1322 sesscache[j] = NULL;
1334 #define USE_DEFAULT 3
1336 #define CONNTYPE_CONNECTION_SUCCESS 0
1337 #define CONNTYPE_CONNECTION_FAIL 1
1338 #define CONNTYPE_NO_CONNECTION 2
1340 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1341 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1342 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1343 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1345 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1348 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1349 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1350 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1352 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1369 * Tests calls to SSL_set_bio() under various conditions.
1371 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1372 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1373 * then do more tests where we create a successful connection first using our
1374 * standard connection setup functions, and then call SSL_set_bio() with
1375 * various combinations of valid BIOs or NULL. We then repeat these tests
1376 * following a failed connection. In this last case we are looking to check that
1377 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1379 static int test_ssl_set_bio(int idx)
1381 SSL_CTX *sctx = NULL, *cctx = NULL;
1384 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1385 SSL *serverssl = NULL, *clientssl = NULL;
1386 int initrbio, initwbio, newrbio, newwbio, conntype;
1389 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1397 conntype = CONNTYPE_NO_CONNECTION;
1399 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1400 initrbio = initwbio = USE_DEFAULT;
1408 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1409 TLS1_VERSION, TLS_MAX_VERSION,
1410 &sctx, &cctx, cert, privkey)))
1413 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1415 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1416 * because we reduced the number of tests in the definition of
1417 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1418 * mismatched protocol versions we will force a connection failure.
1420 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1421 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1424 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1428 if (initrbio == USE_BIO_1
1429 || initwbio == USE_BIO_1
1430 || newrbio == USE_BIO_1
1431 || newwbio == USE_BIO_1) {
1432 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1436 if (initrbio == USE_BIO_2
1437 || initwbio == USE_BIO_2
1438 || newrbio == USE_BIO_2
1439 || newwbio == USE_BIO_2) {
1440 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1444 if (initrbio != USE_DEFAULT) {
1445 setupbio(&irbio, bio1, bio2, initrbio);
1446 setupbio(&iwbio, bio1, bio2, initwbio);
1447 SSL_set_bio(clientssl, irbio, iwbio);
1450 * We want to maintain our own refs to these BIO, so do an up ref for
1451 * each BIO that will have ownership transferred in the SSL_set_bio()
1456 if (iwbio != NULL && iwbio != irbio)
1460 if (conntype != CONNTYPE_NO_CONNECTION
1461 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1463 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1466 setupbio(&nrbio, bio1, bio2, newrbio);
1467 setupbio(&nwbio, bio1, bio2, newwbio);
1470 * We will (maybe) transfer ownership again so do more up refs.
1471 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1476 && (nwbio != iwbio || nrbio != nwbio))
1480 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1483 SSL_set_bio(clientssl, nrbio, nwbio);
1492 * This test is checking that the ref counting for SSL_set_bio is correct.
1493 * If we get here and we did too many frees then we will fail in the above
1494 * functions. If we haven't done enough then this will only be detected in
1495 * a crypto-mdebug build
1497 SSL_free(serverssl);
1498 SSL_free(clientssl);
1504 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1506 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1508 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1513 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1514 || !TEST_ptr(ssl = SSL_new(ctx))
1515 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1516 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1519 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1522 * If anything goes wrong here then we could leak memory, so this will
1523 * be caught in a crypto-mdebug build
1525 BIO_push(sslbio, membio1);
1527 /* Verify changing the rbio/wbio directly does not cause leaks */
1528 if (change_bio != NO_BIO_CHANGE) {
1529 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1531 if (change_bio == CHANGE_RBIO)
1532 SSL_set0_rbio(ssl, membio2);
1534 SSL_set0_wbio(ssl, membio2);
1553 static int test_ssl_bio_pop_next_bio(void)
1555 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1558 static int test_ssl_bio_pop_ssl_bio(void)
1560 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1563 static int test_ssl_bio_change_rbio(void)
1565 return execute_test_ssl_bio(0, CHANGE_RBIO);
1568 static int test_ssl_bio_change_wbio(void)
1570 return execute_test_ssl_bio(0, CHANGE_WBIO);
1573 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1575 /* The list of sig algs */
1577 /* The length of the list */
1579 /* A sigalgs list in string format */
1580 const char *liststr;
1581 /* Whether setting the list should succeed */
1583 /* Whether creating a connection with the list should succeed */
1587 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1588 # ifndef OPENSSL_NO_EC
1589 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1590 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1592 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1593 static const int invalidlist2[] = {NID_sha256, NID_undef};
1594 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1595 static const int invalidlist4[] = {NID_sha256};
1596 static const sigalgs_list testsigalgs[] = {
1597 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1598 # ifndef OPENSSL_NO_EC
1599 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1600 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1602 {NULL, 0, "RSA+SHA256", 1, 1},
1603 # ifndef OPENSSL_NO_EC
1604 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1605 {NULL, 0, "ECDSA+SHA512", 1, 0},
1607 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1608 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1609 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1610 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1611 {NULL, 0, "RSA", 0, 0},
1612 {NULL, 0, "SHA256", 0, 0},
1613 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1614 {NULL, 0, "Invalid", 0, 0}
1617 static int test_set_sigalgs(int idx)
1619 SSL_CTX *cctx = NULL, *sctx = NULL;
1620 SSL *clientssl = NULL, *serverssl = NULL;
1622 const sigalgs_list *curr;
1625 /* Should never happen */
1626 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1629 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1630 curr = testctx ? &testsigalgs[idx]
1631 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1633 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1634 TLS1_VERSION, TLS_MAX_VERSION,
1635 &sctx, &cctx, cert, privkey)))
1639 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1640 * for TLSv1.2 for now until we add a new API.
1642 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1647 if (curr->list != NULL)
1648 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1650 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1654 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1660 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1665 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1666 &clientssl, NULL, NULL)))
1672 if (curr->list != NULL)
1673 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1675 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1678 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1687 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1695 SSL_free(serverssl);
1696 SSL_free(clientssl);
1704 #ifndef OPENSSL_NO_TLS1_3
1706 static SSL_SESSION *clientpsk = NULL;
1707 static SSL_SESSION *serverpsk = NULL;
1708 static const char *pskid = "Identity";
1709 static const char *srvid;
1711 static int use_session_cb_cnt = 0;
1712 static int find_session_cb_cnt = 0;
1713 static int psk_client_cb_cnt = 0;
1714 static int psk_server_cb_cnt = 0;
1716 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1717 size_t *idlen, SSL_SESSION **sess)
1719 switch (++use_session_cb_cnt) {
1721 /* The first call should always have a NULL md */
1727 /* The second call should always have an md */
1733 /* We should only be called a maximum of twice */
1737 if (clientpsk != NULL)
1738 SSL_SESSION_up_ref(clientpsk);
1741 *id = (const unsigned char *)pskid;
1742 *idlen = strlen(pskid);
1747 #ifndef OPENSSL_NO_PSK
1748 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1749 unsigned int max_id_len,
1751 unsigned int max_psk_len)
1753 unsigned int psklen = 0;
1755 psk_client_cb_cnt++;
1757 if (strlen(pskid) + 1 > max_id_len)
1760 /* We should only ever be called a maximum of twice per connection */
1761 if (psk_client_cb_cnt > 2)
1764 if (clientpsk == NULL)
1767 /* We'll reuse the PSK we set up for TLSv1.3 */
1768 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1770 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1771 strncpy(id, pskid, max_id_len);
1775 #endif /* OPENSSL_NO_PSK */
1777 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1778 size_t identity_len, SSL_SESSION **sess)
1780 find_session_cb_cnt++;
1782 /* We should only ever be called a maximum of twice per connection */
1783 if (find_session_cb_cnt > 2)
1786 if (serverpsk == NULL)
1789 /* Identity should match that set by the client */
1790 if (strlen(srvid) != identity_len
1791 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1792 /* No PSK found, continue but without a PSK */
1797 SSL_SESSION_up_ref(serverpsk);
1803 #ifndef OPENSSL_NO_PSK
1804 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1805 unsigned char *psk, unsigned int max_psk_len)
1807 unsigned int psklen = 0;
1809 psk_server_cb_cnt++;
1811 /* We should only ever be called a maximum of twice per connection */
1812 if (find_session_cb_cnt > 2)
1815 if (serverpsk == NULL)
1818 /* Identity should match that set by the client */
1819 if (strcmp(srvid, identity) != 0) {
1823 /* We'll reuse the PSK we set up for TLSv1.3 */
1824 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1826 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1830 #endif /* OPENSSL_NO_PSK */
1832 #define MSG1 "Hello"
1833 #define MSG2 "World."
1838 #define MSG7 "message."
1840 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1841 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1844 * Helper method to setup objects for early data test. Caller frees objects on
1847 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1848 SSL **serverssl, SSL_SESSION **sess, int idx)
1851 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1852 TLS_client_method(),
1853 TLS1_VERSION, TLS_MAX_VERSION,
1854 sctx, cctx, cert, privkey)))
1857 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
1861 /* When idx == 1 we repeat the tests with read_ahead set */
1862 SSL_CTX_set_read_ahead(*cctx, 1);
1863 SSL_CTX_set_read_ahead(*sctx, 1);
1864 } else if (idx == 2) {
1865 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1866 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1867 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1868 use_session_cb_cnt = 0;
1869 find_session_cb_cnt = 0;
1873 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1878 * For one of the run throughs (doesn't matter which one), we'll try sending
1879 * some SNI data in the initial ClientHello. This will be ignored (because
1880 * there is no SNI cb set up by the server), so it should not impact
1884 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1888 /* Create the PSK */
1889 const SSL_CIPHER *cipher = NULL;
1890 const unsigned char key[] = {
1891 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1892 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1893 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1894 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1895 0x2c, 0x2d, 0x2e, 0x2f
1898 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1899 clientpsk = SSL_SESSION_new();
1900 if (!TEST_ptr(clientpsk)
1901 || !TEST_ptr(cipher)
1902 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1904 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1906 SSL_SESSION_set_protocol_version(clientpsk,
1909 * We just choose an arbitrary value for max_early_data which
1910 * should be big enough for testing purposes.
1912 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1914 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1915 SSL_SESSION_free(clientpsk);
1919 serverpsk = clientpsk;
1922 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1923 SSL_SESSION_free(clientpsk);
1924 SSL_SESSION_free(serverpsk);
1925 clientpsk = serverpsk = NULL;
1936 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1940 *sess = SSL_get1_session(*clientssl);
1941 SSL_shutdown(*clientssl);
1942 SSL_shutdown(*serverssl);
1943 SSL_free(*serverssl);
1944 SSL_free(*clientssl);
1945 *serverssl = *clientssl = NULL;
1947 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1948 clientssl, NULL, NULL))
1949 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1955 static int test_early_data_read_write(int idx)
1957 SSL_CTX *cctx = NULL, *sctx = NULL;
1958 SSL *clientssl = NULL, *serverssl = NULL;
1960 SSL_SESSION *sess = NULL;
1961 unsigned char buf[20], data[1024];
1962 size_t readbytes, written, eoedlen, rawread, rawwritten;
1965 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1966 &serverssl, &sess, idx)))
1969 /* Write and read some early data */
1970 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1972 || !TEST_size_t_eq(written, strlen(MSG1))
1973 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1974 sizeof(buf), &readbytes),
1975 SSL_READ_EARLY_DATA_SUCCESS)
1976 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1977 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1978 SSL_EARLY_DATA_ACCEPTED))
1982 * Server should be able to write data, and client should be able to
1985 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1987 || !TEST_size_t_eq(written, strlen(MSG2))
1988 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1989 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1992 /* Even after reading normal data, client should be able write early data */
1993 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1995 || !TEST_size_t_eq(written, strlen(MSG3)))
1998 /* Server should still be able read early data after writing data */
1999 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2001 SSL_READ_EARLY_DATA_SUCCESS)
2002 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2005 /* Write more data from server and read it from client */
2006 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2008 || !TEST_size_t_eq(written, strlen(MSG4))
2009 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2010 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2014 * If client writes normal data it should mean writing early data is no
2017 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2018 || !TEST_size_t_eq(written, strlen(MSG5))
2019 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2020 SSL_EARLY_DATA_ACCEPTED))
2024 * At this point the client has written EndOfEarlyData, ClientFinished and
2025 * normal (fully protected) data. We are going to cause a delay between the
2026 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2027 * in the read BIO, and then just put back the EndOfEarlyData message.
2029 rbio = SSL_get_rbio(serverssl);
2030 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2031 || !TEST_size_t_lt(rawread, sizeof(data))
2032 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2035 /* Record length is in the 4th and 5th bytes of the record header */
2036 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2037 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2038 || !TEST_size_t_eq(rawwritten, eoedlen))
2041 /* Server should be told that there is no more early data */
2042 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2044 SSL_READ_EARLY_DATA_FINISH)
2045 || !TEST_size_t_eq(readbytes, 0))
2049 * Server has not finished init yet, so should still be able to write early
2052 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2054 || !TEST_size_t_eq(written, strlen(MSG6)))
2057 /* Push the ClientFinished and the normal data back into the server rbio */
2058 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2060 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2063 /* Server should be able to read normal data */
2064 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2065 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2068 /* Client and server should not be able to write/read early data now */
2069 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2073 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2075 SSL_READ_EARLY_DATA_ERROR))
2079 /* Client should be able to read the data sent by the server */
2080 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2081 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2085 * Make sure we process the two NewSessionTickets. These arrive
2086 * post-handshake. We attempt reads which we do not expect to return any
2089 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2090 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2094 /* Server should be able to write normal data */
2095 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2096 || !TEST_size_t_eq(written, strlen(MSG7))
2097 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2098 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2101 SSL_SESSION_free(sess);
2102 sess = SSL_get1_session(clientssl);
2103 use_session_cb_cnt = 0;
2104 find_session_cb_cnt = 0;
2106 SSL_shutdown(clientssl);
2107 SSL_shutdown(serverssl);
2108 SSL_free(serverssl);
2109 SSL_free(clientssl);
2110 serverssl = clientssl = NULL;
2111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2112 &clientssl, NULL, NULL))
2113 || !TEST_true(SSL_set_session(clientssl, sess)))
2116 /* Write and read some early data */
2117 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2119 || !TEST_size_t_eq(written, strlen(MSG1))
2120 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2122 SSL_READ_EARLY_DATA_SUCCESS)
2123 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2126 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2127 || !TEST_int_gt(SSL_accept(serverssl), 0))
2130 /* Client and server should not be able to write/read early data now */
2131 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2135 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2137 SSL_READ_EARLY_DATA_ERROR))
2141 /* Client and server should be able to write/read normal data */
2142 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2143 || !TEST_size_t_eq(written, strlen(MSG5))
2144 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2145 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2151 SSL_SESSION_free(sess);
2152 SSL_SESSION_free(clientpsk);
2153 SSL_SESSION_free(serverpsk);
2154 clientpsk = serverpsk = NULL;
2155 SSL_free(serverssl);
2156 SSL_free(clientssl);
2162 static int allow_ed_cb_called = 0;
2164 static int allow_early_data_cb(SSL *s, void *arg)
2166 int *usecb = (int *)arg;
2168 allow_ed_cb_called++;
2177 * idx == 0: Standard early_data setup
2178 * idx == 1: early_data setup using read_ahead
2179 * usecb == 0: Don't use a custom early data callback
2180 * usecb == 1: Use a custom early data callback and reject the early data
2181 * usecb == 2: Use a custom early data callback and accept the early data
2182 * confopt == 0: Configure anti-replay directly
2183 * confopt == 1: Configure anti-replay using SSL_CONF
2185 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2187 SSL_CTX *cctx = NULL, *sctx = NULL;
2188 SSL *clientssl = NULL, *serverssl = NULL;
2190 SSL_SESSION *sess = NULL;
2191 size_t readbytes, written;
2192 unsigned char buf[20];
2194 allow_ed_cb_called = 0;
2196 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2197 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2198 &cctx, cert, privkey)))
2203 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2205 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2207 if (!TEST_ptr(confctx))
2209 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2210 | SSL_CONF_FLAG_SERVER);
2211 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2212 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2214 SSL_CONF_CTX_free(confctx);
2217 SSL_CONF_CTX_free(confctx);
2219 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2222 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2223 &serverssl, &sess, idx)))
2227 * The server is configured to accept early data. Create a connection to
2228 * "use up" the ticket
2230 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2231 || !TEST_true(SSL_session_reused(clientssl)))
2234 SSL_shutdown(clientssl);
2235 SSL_shutdown(serverssl);
2236 SSL_free(serverssl);
2237 SSL_free(clientssl);
2238 serverssl = clientssl = NULL;
2240 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2241 &clientssl, NULL, NULL))
2242 || !TEST_true(SSL_set_session(clientssl, sess)))
2245 /* Write and read some early data */
2246 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2248 || !TEST_size_t_eq(written, strlen(MSG1)))
2252 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2254 SSL_READ_EARLY_DATA_FINISH)
2256 * The ticket was reused, so the we should have rejected the
2259 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2260 SSL_EARLY_DATA_REJECTED))
2263 /* In this case the callback decides to accept the early data */
2264 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2266 SSL_READ_EARLY_DATA_SUCCESS)
2267 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2269 * Server will have sent its flight so client can now send
2270 * end of early data and complete its half of the handshake
2272 || !TEST_int_gt(SSL_connect(clientssl), 0)
2273 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2275 SSL_READ_EARLY_DATA_FINISH)
2276 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2277 SSL_EARLY_DATA_ACCEPTED))
2281 /* Complete the connection */
2282 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2283 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2284 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2290 SSL_SESSION_free(sess);
2291 SSL_SESSION_free(clientpsk);
2292 SSL_SESSION_free(serverpsk);
2293 clientpsk = serverpsk = NULL;
2294 SSL_free(serverssl);
2295 SSL_free(clientssl);
2301 static int test_early_data_replay(int idx)
2303 int ret = 1, usecb, confopt;
2305 for (usecb = 0; usecb < 3; usecb++) {
2306 for (confopt = 0; confopt < 2; confopt++)
2307 ret &= test_early_data_replay_int(idx, usecb, confopt);
2314 * Helper function to test that a server attempting to read early data can
2315 * handle a connection from a client where the early data should be skipped.
2317 static int early_data_skip_helper(int hrr, int idx)
2319 SSL_CTX *cctx = NULL, *sctx = NULL;
2320 SSL *clientssl = NULL, *serverssl = NULL;
2322 SSL_SESSION *sess = NULL;
2323 unsigned char buf[20];
2324 size_t readbytes, written;
2326 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2327 &serverssl, &sess, idx)))
2331 /* Force an HRR to occur */
2332 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2334 } else if (idx == 2) {
2336 * We force early_data rejection by ensuring the PSK identity is
2339 srvid = "Dummy Identity";
2342 * Deliberately corrupt the creation time. We take 20 seconds off the
2343 * time. It could be any value as long as it is not within tolerance.
2344 * This should mean the ticket is rejected.
2346 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2350 /* Write some early data */
2351 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2353 || !TEST_size_t_eq(written, strlen(MSG1)))
2356 /* Server should reject the early data and skip over it */
2357 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2359 SSL_READ_EARLY_DATA_FINISH)
2360 || !TEST_size_t_eq(readbytes, 0)
2361 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2362 SSL_EARLY_DATA_REJECTED))
2367 * Finish off the handshake. We perform the same writes and reads as
2368 * further down but we expect them to fail due to the incomplete
2371 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2372 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2377 /* Should be able to send normal data despite rejection of early data */
2378 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2379 || !TEST_size_t_eq(written, strlen(MSG2))
2380 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2381 SSL_EARLY_DATA_REJECTED)
2382 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2383 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2389 SSL_SESSION_free(clientpsk);
2390 SSL_SESSION_free(serverpsk);
2391 clientpsk = serverpsk = NULL;
2392 SSL_SESSION_free(sess);
2393 SSL_free(serverssl);
2394 SSL_free(clientssl);
2401 * Test that a server attempting to read early data can handle a connection
2402 * from a client where the early data is not acceptable.
2404 static int test_early_data_skip(int idx)
2406 return early_data_skip_helper(0, idx);
2410 * Test that a server attempting to read early data can handle a connection
2411 * from a client where an HRR occurs.
2413 static int test_early_data_skip_hrr(int idx)
2415 return early_data_skip_helper(1, idx);
2419 * Test that a server attempting to read early data can handle a connection
2420 * from a client that doesn't send any.
2422 static int test_early_data_not_sent(int idx)
2424 SSL_CTX *cctx = NULL, *sctx = NULL;
2425 SSL *clientssl = NULL, *serverssl = NULL;
2427 SSL_SESSION *sess = NULL;
2428 unsigned char buf[20];
2429 size_t readbytes, written;
2431 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2432 &serverssl, &sess, idx)))
2435 /* Write some data - should block due to handshake with server */
2436 SSL_set_connect_state(clientssl);
2437 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2440 /* Server should detect that early data has not been sent */
2441 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2443 SSL_READ_EARLY_DATA_FINISH)
2444 || !TEST_size_t_eq(readbytes, 0)
2445 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2446 SSL_EARLY_DATA_NOT_SENT)
2447 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2448 SSL_EARLY_DATA_NOT_SENT))
2451 /* Continue writing the message we started earlier */
2452 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2453 || !TEST_size_t_eq(written, strlen(MSG1))
2454 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2455 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2456 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2457 || !TEST_size_t_eq(written, strlen(MSG2)))
2460 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2461 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2467 SSL_SESSION_free(sess);
2468 SSL_SESSION_free(clientpsk);
2469 SSL_SESSION_free(serverpsk);
2470 clientpsk = serverpsk = NULL;
2471 SSL_free(serverssl);
2472 SSL_free(clientssl);
2478 static int hostname_cb(SSL *s, int *al, void *arg)
2480 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2482 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2483 return SSL_TLSEXT_ERR_OK;
2485 return SSL_TLSEXT_ERR_NOACK;
2488 static const char *servalpn;
2490 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2491 unsigned char *outlen, const unsigned char *in,
2492 unsigned int inlen, void *arg)
2494 unsigned int protlen = 0;
2495 const unsigned char *prot;
2497 for (prot = in; prot < in + inlen; prot += protlen) {
2499 if (in + inlen < prot + protlen)
2500 return SSL_TLSEXT_ERR_NOACK;
2502 if (protlen == strlen(servalpn)
2503 && memcmp(prot, servalpn, protlen) == 0) {
2506 return SSL_TLSEXT_ERR_OK;
2510 return SSL_TLSEXT_ERR_NOACK;
2513 /* Test that a PSK can be used to send early_data */
2514 static int test_early_data_psk(int idx)
2516 SSL_CTX *cctx = NULL, *sctx = NULL;
2517 SSL *clientssl = NULL, *serverssl = NULL;
2519 SSL_SESSION *sess = NULL;
2520 unsigned char alpnlist[] = {
2521 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2524 #define GOODALPNLEN 9
2525 #define BADALPNLEN 8
2526 #define GOODALPN (alpnlist)
2527 #define BADALPN (alpnlist + GOODALPNLEN)
2529 unsigned char buf[20];
2530 size_t readbytes, written;
2531 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2532 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2534 /* We always set this up with a final parameter of "2" for PSK */
2535 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2536 &serverssl, &sess, 2)))
2539 servalpn = "goodalpn";
2542 * Note: There is no test for inconsistent SNI with late client detection.
2543 * This is because servers do not acknowledge SNI even if they are using
2544 * it in a resumption handshake - so it is not actually possible for a
2545 * client to detect a problem.
2549 /* Set inconsistent SNI (early client detection) */
2550 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2551 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2552 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2557 /* Set inconsistent ALPN (early client detection) */
2558 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2559 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2560 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2562 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2569 * Set invalid protocol version. Technically this affects PSKs without
2570 * early_data too, but we test it here because it is similar to the
2571 * SNI/ALPN consistency tests.
2573 err = SSL_R_BAD_PSK;
2574 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2580 * Set inconsistent SNI (server detected). In this case the connection
2581 * will succeed but reject early_data.
2583 SSL_SESSION_free(serverpsk);
2584 serverpsk = SSL_SESSION_dup(clientpsk);
2585 if (!TEST_ptr(serverpsk)
2586 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2588 edstatus = SSL_EARLY_DATA_REJECTED;
2589 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2592 /* Set consistent SNI */
2593 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2594 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2595 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2602 * Set inconsistent ALPN (server detected). In this case the connection
2603 * will succeed but reject early_data.
2605 servalpn = "badalpn";
2606 edstatus = SSL_EARLY_DATA_REJECTED;
2607 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2611 * Set consistent ALPN.
2612 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2613 * accepts a list of protos (each one length prefixed).
2614 * SSL_set1_alpn_selected accepts a single protocol (not length
2617 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2619 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2623 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2627 /* Set inconsistent ALPN (late client detection) */
2628 SSL_SESSION_free(serverpsk);
2629 serverpsk = SSL_SESSION_dup(clientpsk);
2630 if (!TEST_ptr(serverpsk)
2631 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2634 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2637 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2640 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2641 edstatus = SSL_EARLY_DATA_ACCEPTED;
2642 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2643 /* SSL_connect() call should fail */
2648 TEST_error("Bad test index");
2652 SSL_set_connect_state(clientssl);
2654 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2656 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2657 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2660 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2664 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2665 &readbytes), readearlyres)
2666 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2667 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2668 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2669 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2676 SSL_SESSION_free(sess);
2677 SSL_SESSION_free(clientpsk);
2678 SSL_SESSION_free(serverpsk);
2679 clientpsk = serverpsk = NULL;
2680 SSL_free(serverssl);
2681 SSL_free(clientssl);
2688 * Test that a server that doesn't try to read early data can handle a
2689 * client sending some.
2691 static int test_early_data_not_expected(int idx)
2693 SSL_CTX *cctx = NULL, *sctx = NULL;
2694 SSL *clientssl = NULL, *serverssl = NULL;
2696 SSL_SESSION *sess = NULL;
2697 unsigned char buf[20];
2698 size_t readbytes, written;
2700 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2701 &serverssl, &sess, idx)))
2704 /* Write some early data */
2705 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2710 * Server should skip over early data and then block waiting for client to
2711 * continue handshake
2713 if (!TEST_int_le(SSL_accept(serverssl), 0)
2714 || !TEST_int_gt(SSL_connect(clientssl), 0)
2715 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2716 SSL_EARLY_DATA_REJECTED)
2717 || !TEST_int_gt(SSL_accept(serverssl), 0)
2718 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2719 SSL_EARLY_DATA_REJECTED))
2722 /* Send some normal data from client to server */
2723 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2724 || !TEST_size_t_eq(written, strlen(MSG2)))
2727 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2728 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2734 SSL_SESSION_free(sess);
2735 SSL_SESSION_free(clientpsk);
2736 SSL_SESSION_free(serverpsk);
2737 clientpsk = serverpsk = NULL;
2738 SSL_free(serverssl);
2739 SSL_free(clientssl);
2746 # ifndef OPENSSL_NO_TLS1_2
2748 * Test that a server attempting to read early data can handle a connection
2749 * from a TLSv1.2 client.
2751 static int test_early_data_tls1_2(int idx)
2753 SSL_CTX *cctx = NULL, *sctx = NULL;
2754 SSL *clientssl = NULL, *serverssl = NULL;
2756 unsigned char buf[20];
2757 size_t readbytes, written;
2759 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2760 &serverssl, NULL, idx)))
2763 /* Write some data - should block due to handshake with server */
2764 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2765 SSL_set_connect_state(clientssl);
2766 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2770 * Server should do TLSv1.2 handshake. First it will block waiting for more
2771 * messages from client after ServerDone. Then SSL_read_early_data should
2772 * finish and detect that early data has not been sent
2774 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2776 SSL_READ_EARLY_DATA_ERROR))
2780 * Continue writing the message we started earlier. Will still block waiting
2781 * for the CCS/Finished from server
2783 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2784 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2786 SSL_READ_EARLY_DATA_FINISH)
2787 || !TEST_size_t_eq(readbytes, 0)
2788 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2789 SSL_EARLY_DATA_NOT_SENT))
2792 /* Continue writing the message we started earlier */
2793 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2794 || !TEST_size_t_eq(written, strlen(MSG1))
2795 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2796 SSL_EARLY_DATA_NOT_SENT)
2797 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2798 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2799 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2800 || !TEST_size_t_eq(written, strlen(MSG2))
2801 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2802 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2808 SSL_SESSION_free(clientpsk);
2809 SSL_SESSION_free(serverpsk);
2810 clientpsk = serverpsk = NULL;
2811 SSL_free(serverssl);
2812 SSL_free(clientssl);
2818 # endif /* OPENSSL_NO_TLS1_2 */
2821 * Test configuring the TLSv1.3 ciphersuites
2823 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2824 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2825 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2826 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2827 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2828 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2829 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2830 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2831 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2832 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2834 static int test_set_ciphersuite(int idx)
2836 SSL_CTX *cctx = NULL, *sctx = NULL;
2837 SSL *clientssl = NULL, *serverssl = NULL;
2840 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2841 TLS1_VERSION, TLS_MAX_VERSION,
2842 &sctx, &cctx, cert, privkey))
2843 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2844 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2847 if (idx >=4 && idx <= 7) {
2848 /* SSL_CTX explicit cipher list */
2849 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2853 if (idx == 0 || idx == 4) {
2854 /* Default ciphersuite */
2855 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2856 "TLS_AES_128_GCM_SHA256")))
2858 } else if (idx == 1 || idx == 5) {
2859 /* Non default ciphersuite */
2860 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2861 "TLS_AES_128_CCM_SHA256")))
2865 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2866 &clientssl, NULL, NULL)))
2869 if (idx == 8 || idx == 9) {
2870 /* SSL explicit cipher list */
2871 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2875 if (idx == 2 || idx == 6 || idx == 8) {
2876 /* Default ciphersuite */
2877 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2878 "TLS_AES_128_GCM_SHA256")))
2880 } else if (idx == 3 || idx == 7 || idx == 9) {
2881 /* Non default ciphersuite */
2882 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2883 "TLS_AES_128_CCM_SHA256")))
2887 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2893 SSL_free(serverssl);
2894 SSL_free(clientssl);
2901 static int test_ciphersuite_change(void)
2903 SSL_CTX *cctx = NULL, *sctx = NULL;
2904 SSL *clientssl = NULL, *serverssl = NULL;
2905 SSL_SESSION *clntsess = NULL;
2907 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2909 /* Create a session based on SHA-256 */
2910 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2911 TLS1_VERSION, TLS_MAX_VERSION,
2912 &sctx, &cctx, cert, privkey))
2913 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2914 "TLS_AES_128_GCM_SHA256"))
2915 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2916 &clientssl, NULL, NULL))
2917 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2921 clntsess = SSL_get1_session(clientssl);
2922 /* Save for later */
2923 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2924 SSL_shutdown(clientssl);
2925 SSL_shutdown(serverssl);
2926 SSL_free(serverssl);
2927 SSL_free(clientssl);
2928 serverssl = clientssl = NULL;
2930 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2931 /* Check we can resume a session with a different SHA-256 ciphersuite */
2932 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2933 "TLS_CHACHA20_POLY1305_SHA256"))
2934 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2936 || !TEST_true(SSL_set_session(clientssl, clntsess))
2937 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2939 || !TEST_true(SSL_session_reused(clientssl)))
2942 SSL_SESSION_free(clntsess);
2943 clntsess = SSL_get1_session(clientssl);
2944 SSL_shutdown(clientssl);
2945 SSL_shutdown(serverssl);
2946 SSL_free(serverssl);
2947 SSL_free(clientssl);
2948 serverssl = clientssl = NULL;
2952 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2953 * succeeds but does not resume.
2955 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2956 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2958 || !TEST_true(SSL_set_session(clientssl, clntsess))
2959 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2961 || !TEST_false(SSL_session_reused(clientssl)))
2964 SSL_SESSION_free(clntsess);
2966 SSL_shutdown(clientssl);
2967 SSL_shutdown(serverssl);
2968 SSL_free(serverssl);
2969 SSL_free(clientssl);
2970 serverssl = clientssl = NULL;
2972 /* Create a session based on SHA384 */
2973 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2974 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2975 &clientssl, NULL, NULL))
2976 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2980 clntsess = SSL_get1_session(clientssl);
2981 SSL_shutdown(clientssl);
2982 SSL_shutdown(serverssl);
2983 SSL_free(serverssl);
2984 SSL_free(clientssl);
2985 serverssl = clientssl = NULL;
2987 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2988 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2989 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2990 "TLS_AES_256_GCM_SHA384"))
2991 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2993 || !TEST_true(SSL_set_session(clientssl, clntsess))
2995 * We use SSL_ERROR_WANT_READ below so that we can pause the
2996 * connection after the initial ClientHello has been sent to
2997 * enable us to make some session changes.
2999 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3000 SSL_ERROR_WANT_READ)))
3003 /* Trick the client into thinking this session is for a different digest */
3004 clntsess->cipher = aes_128_gcm_sha256;
3005 clntsess->cipher_id = clntsess->cipher->id;
3008 * Continue the previously started connection. Server has selected a SHA-384
3009 * ciphersuite, but client thinks the session is for SHA-256, so it should
3012 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3014 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3015 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3021 SSL_SESSION_free(clntsess);
3022 SSL_free(serverssl);
3023 SSL_free(clientssl);
3032 * Test 0 = Test new style callbacks
3033 * Test 1 = Test both new and old style callbacks
3034 * Test 2 = Test old style callbacks
3035 * Test 3 = Test old style callbacks with no certificate
3037 static int test_tls13_psk(int idx)
3039 SSL_CTX *sctx = NULL, *cctx = NULL;
3040 SSL *serverssl = NULL, *clientssl = NULL;
3041 const SSL_CIPHER *cipher = NULL;
3042 const unsigned char key[] = {
3043 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3044 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3045 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3046 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3050 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3051 TLS1_VERSION, TLS_MAX_VERSION,
3052 &sctx, &cctx, idx == 3 ? NULL : cert,
3053 idx == 3 ? NULL : privkey)))
3058 * We use a ciphersuite with SHA256 to ease testing old style PSK
3059 * callbacks which will always default to SHA256. This should not be
3060 * necessary if we have no cert/priv key. In that case the server should
3061 * prefer SHA256 automatically.
3063 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3064 "TLS_AES_128_GCM_SHA256")))
3069 * Test 0: New style callbacks only
3070 * Test 1: New and old style callbacks (only the new ones should be used)
3071 * Test 2: Old style callbacks only
3073 if (idx == 0 || idx == 1) {
3074 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3075 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3077 #ifndef OPENSSL_NO_PSK
3079 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3080 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3084 use_session_cb_cnt = 0;
3085 find_session_cb_cnt = 0;
3086 psk_client_cb_cnt = 0;
3087 psk_server_cb_cnt = 0;
3091 * Check we can create a connection if callback decides not to send a
3094 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3096 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3098 || !TEST_false(SSL_session_reused(clientssl))
3099 || !TEST_false(SSL_session_reused(serverssl)))
3102 if (idx == 0 || idx == 1) {
3103 if (!TEST_true(use_session_cb_cnt == 1)
3104 || !TEST_true(find_session_cb_cnt == 0)
3106 * If no old style callback then below should be 0
3109 || !TEST_true(psk_client_cb_cnt == idx)
3110 || !TEST_true(psk_server_cb_cnt == 0))
3113 if (!TEST_true(use_session_cb_cnt == 0)
3114 || !TEST_true(find_session_cb_cnt == 0)
3115 || !TEST_true(psk_client_cb_cnt == 1)
3116 || !TEST_true(psk_server_cb_cnt == 0))
3120 shutdown_ssl_connection(serverssl, clientssl);
3121 serverssl = clientssl = NULL;
3122 use_session_cb_cnt = psk_client_cb_cnt = 0;
3125 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3129 /* Create the PSK */
3130 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3131 clientpsk = SSL_SESSION_new();
3132 if (!TEST_ptr(clientpsk)
3133 || !TEST_ptr(cipher)
3134 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3136 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3137 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3139 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3141 serverpsk = clientpsk;
3143 /* Check we can create a connection and the PSK is used */
3144 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3145 || !TEST_true(SSL_session_reused(clientssl))
3146 || !TEST_true(SSL_session_reused(serverssl)))
3149 if (idx == 0 || idx == 1) {
3150 if (!TEST_true(use_session_cb_cnt == 1)
3151 || !TEST_true(find_session_cb_cnt == 1)
3152 || !TEST_true(psk_client_cb_cnt == 0)
3153 || !TEST_true(psk_server_cb_cnt == 0))
3156 if (!TEST_true(use_session_cb_cnt == 0)
3157 || !TEST_true(find_session_cb_cnt == 0)
3158 || !TEST_true(psk_client_cb_cnt == 1)
3159 || !TEST_true(psk_server_cb_cnt == 1))
3163 shutdown_ssl_connection(serverssl, clientssl);
3164 serverssl = clientssl = NULL;
3165 use_session_cb_cnt = find_session_cb_cnt = 0;
3166 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3168 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3173 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3177 * Check we can create a connection, the PSK is used and the callbacks are
3180 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3181 || !TEST_true(SSL_session_reused(clientssl))
3182 || !TEST_true(SSL_session_reused(serverssl)))
3185 if (idx == 0 || idx == 1) {
3186 if (!TEST_true(use_session_cb_cnt == 2)
3187 || !TEST_true(find_session_cb_cnt == 2)
3188 || !TEST_true(psk_client_cb_cnt == 0)
3189 || !TEST_true(psk_server_cb_cnt == 0))
3192 if (!TEST_true(use_session_cb_cnt == 0)
3193 || !TEST_true(find_session_cb_cnt == 0)
3194 || !TEST_true(psk_client_cb_cnt == 2)
3195 || !TEST_true(psk_server_cb_cnt == 2))
3199 shutdown_ssl_connection(serverssl, clientssl);
3200 serverssl = clientssl = NULL;
3201 use_session_cb_cnt = find_session_cb_cnt = 0;
3202 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3206 * Check that if the server rejects the PSK we can still connect, but with
3209 srvid = "Dummy Identity";
3210 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3212 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3214 || !TEST_false(SSL_session_reused(clientssl))
3215 || !TEST_false(SSL_session_reused(serverssl)))
3218 if (idx == 0 || idx == 1) {
3219 if (!TEST_true(use_session_cb_cnt == 1)
3220 || !TEST_true(find_session_cb_cnt == 1)
3221 || !TEST_true(psk_client_cb_cnt == 0)
3223 * If no old style callback then below should be 0
3226 || !TEST_true(psk_server_cb_cnt == idx))
3229 if (!TEST_true(use_session_cb_cnt == 0)
3230 || !TEST_true(find_session_cb_cnt == 0)
3231 || !TEST_true(psk_client_cb_cnt == 1)
3232 || !TEST_true(psk_server_cb_cnt == 1))
3236 shutdown_ssl_connection(serverssl, clientssl);
3237 serverssl = clientssl = NULL;
3242 SSL_SESSION_free(clientpsk);
3243 SSL_SESSION_free(serverpsk);
3244 clientpsk = serverpsk = NULL;
3245 SSL_free(serverssl);
3246 SSL_free(clientssl);
3252 static unsigned char cookie_magic_value[] = "cookie magic";
3254 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3255 unsigned int *cookie_len)
3258 * Not suitable as a real cookie generation function but good enough for
3261 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3262 *cookie_len = sizeof(cookie_magic_value) - 1;
3267 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3268 unsigned int cookie_len)
3270 if (cookie_len == sizeof(cookie_magic_value) - 1
3271 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3277 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3281 int res = generate_cookie_callback(ssl, cookie, &temp);
3286 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3289 return verify_cookie_callback(ssl, cookie, cookie_len);
3292 static int test_stateless(void)
3294 SSL_CTX *sctx = NULL, *cctx = NULL;
3295 SSL *serverssl = NULL, *clientssl = NULL;
3298 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3299 TLS1_VERSION, TLS_MAX_VERSION,
3300 &sctx, &cctx, cert, privkey)))
3303 /* The arrival of CCS messages can confuse the test */
3304 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3306 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3308 /* Send the first ClientHello */
3309 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3310 SSL_ERROR_WANT_READ))
3312 * This should fail with a -1 return because we have no callbacks
3315 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3318 /* Fatal error so abandon the connection from this client */
3319 SSL_free(clientssl);
3322 /* Set up the cookie generation and verification callbacks */
3323 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3324 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3327 * Create a new connection from the client (we can reuse the server SSL
3330 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3332 /* Send the first ClientHello */
3333 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3334 SSL_ERROR_WANT_READ))
3335 /* This should fail because there is no cookie */
3336 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3339 /* Abandon the connection from this client */
3340 SSL_free(clientssl);
3344 * Now create a connection from a new client but with the same server SSL
3347 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3349 /* Send the first ClientHello */
3350 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3351 SSL_ERROR_WANT_READ))
3352 /* This should fail because there is no cookie */
3353 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3354 /* Send the second ClientHello */
3355 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3356 SSL_ERROR_WANT_READ))
3357 /* This should succeed because a cookie is now present */
3358 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3359 /* Complete the connection */
3360 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3364 shutdown_ssl_connection(serverssl, clientssl);
3365 serverssl = clientssl = NULL;
3369 SSL_free(serverssl);
3370 SSL_free(clientssl);
3376 #endif /* OPENSSL_NO_TLS1_3 */
3378 static int clntaddoldcb = 0;
3379 static int clntparseoldcb = 0;
3380 static int srvaddoldcb = 0;
3381 static int srvparseoldcb = 0;
3382 static int clntaddnewcb = 0;
3383 static int clntparsenewcb = 0;
3384 static int srvaddnewcb = 0;
3385 static int srvparsenewcb = 0;
3386 static int snicb = 0;
3388 #define TEST_EXT_TYPE1 0xff00
3390 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3391 size_t *outlen, int *al, void *add_arg)
3393 int *server = (int *)add_arg;
3394 unsigned char *data;
3396 if (SSL_is_server(s))
3401 if (*server != SSL_is_server(s)
3402 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3407 *outlen = sizeof(char);
3411 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3414 OPENSSL_free((unsigned char *)out);
3417 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3418 size_t inlen, int *al, void *parse_arg)
3420 int *server = (int *)parse_arg;
3422 if (SSL_is_server(s))
3427 if (*server != SSL_is_server(s)
3428 || inlen != sizeof(char)
3435 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3436 const unsigned char **out, size_t *outlen, X509 *x,
3437 size_t chainidx, int *al, void *add_arg)
3439 int *server = (int *)add_arg;
3440 unsigned char *data;
3442 if (SSL_is_server(s))
3447 if (*server != SSL_is_server(s)
3448 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3453 *outlen = sizeof(*data);
3457 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3458 const unsigned char *out, void *add_arg)
3460 OPENSSL_free((unsigned char *)out);
3463 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3464 const unsigned char *in, size_t inlen, X509 *x,
3465 size_t chainidx, int *al, void *parse_arg)
3467 int *server = (int *)parse_arg;
3469 if (SSL_is_server(s))
3474 if (*server != SSL_is_server(s)
3475 || inlen != sizeof(char) || *in != 1)
3481 static int sni_cb(SSL *s, int *al, void *arg)
3483 SSL_CTX *ctx = (SSL_CTX *)arg;
3485 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3486 *al = SSL_AD_INTERNAL_ERROR;
3487 return SSL_TLSEXT_ERR_ALERT_FATAL;
3490 return SSL_TLSEXT_ERR_OK;
3494 * Custom call back tests.
3495 * Test 0: Old style callbacks in TLSv1.2
3496 * Test 1: New style callbacks in TLSv1.2
3497 * Test 2: New style callbacks in TLSv1.2 with SNI
3498 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3499 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3501 static int test_custom_exts(int tst)
3503 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3504 SSL *clientssl = NULL, *serverssl = NULL;
3506 static int server = 1;
3507 static int client = 0;
3508 SSL_SESSION *sess = NULL;
3509 unsigned int context;
3511 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3512 /* Skip tests for TLSv1.2 and below in this case */
3517 /* Reset callback counters */
3518 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3519 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3522 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3523 TLS1_VERSION, TLS_MAX_VERSION,
3524 &sctx, &cctx, cert, privkey)))
3528 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3529 TLS1_VERSION, TLS_MAX_VERSION,
3530 &sctx2, NULL, cert, privkey)))
3535 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3536 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3538 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3542 context = SSL_EXT_CLIENT_HELLO
3543 | SSL_EXT_TLS1_2_SERVER_HELLO
3544 | SSL_EXT_TLS1_3_SERVER_HELLO
3545 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3546 | SSL_EXT_TLS1_3_CERTIFICATE
3547 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3549 context = SSL_EXT_CLIENT_HELLO
3550 | SSL_EXT_TLS1_2_SERVER_HELLO
3551 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3554 /* Create a client side custom extension */
3556 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3557 old_add_cb, old_free_cb,
3558 &client, old_parse_cb,
3562 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3563 new_add_cb, new_free_cb,
3564 &client, new_parse_cb, &client)))
3568 /* Should not be able to add duplicates */
3569 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3570 old_add_cb, old_free_cb,
3571 &client, old_parse_cb,
3573 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3574 context, new_add_cb,
3575 new_free_cb, &client,
3576 new_parse_cb, &client)))
3579 /* Create a server side custom extension */
3581 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3582 old_add_cb, old_free_cb,
3583 &server, old_parse_cb,
3587 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3588 new_add_cb, new_free_cb,
3589 &server, new_parse_cb, &server)))
3592 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3593 context, new_add_cb,
3594 new_free_cb, &server,
3595 new_parse_cb, &server)))
3599 /* Should not be able to add duplicates */
3600 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3601 old_add_cb, old_free_cb,
3602 &server, old_parse_cb,
3604 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3605 context, new_add_cb,
3606 new_free_cb, &server,
3607 new_parse_cb, &server)))
3612 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3613 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3618 &clientssl, NULL, NULL))
3619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3624 if (clntaddoldcb != 1
3625 || clntparseoldcb != 1
3627 || srvparseoldcb != 1)
3629 } else if (tst == 1 || tst == 2 || tst == 3) {
3630 if (clntaddnewcb != 1
3631 || clntparsenewcb != 1
3633 || srvparsenewcb != 1
3634 || (tst != 2 && snicb != 0)
3635 || (tst == 2 && snicb != 1))
3638 /* In this case there 2 NewSessionTicket messages created */
3639 if (clntaddnewcb != 1
3640 || clntparsenewcb != 5
3642 || srvparsenewcb != 1)
3646 sess = SSL_get1_session(clientssl);
3647 SSL_shutdown(clientssl);
3648 SSL_shutdown(serverssl);
3649 SSL_free(serverssl);
3650 SSL_free(clientssl);
3651 serverssl = clientssl = NULL;
3654 /* We don't bother with the resumption aspects for this test */
3659 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3661 || !TEST_true(SSL_set_session(clientssl, sess))
3662 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3667 * For a resumed session we expect to add the ClientHello extension. For the
3668 * old style callbacks we ignore it on the server side because they set
3669 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3673 if (clntaddoldcb != 2
3674 || clntparseoldcb != 1
3676 || srvparseoldcb != 1)
3678 } else if (tst == 1 || tst == 2 || tst == 3) {
3679 if (clntaddnewcb != 2
3680 || clntparsenewcb != 2
3682 || srvparsenewcb != 2)
3686 * No Certificate message extensions in the resumption handshake,
3687 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3689 if (clntaddnewcb != 2
3690 || clntparsenewcb != 8
3692 || srvparsenewcb != 2)
3699 SSL_SESSION_free(sess);
3700 SSL_free(serverssl);
3701 SSL_free(clientssl);
3702 SSL_CTX_free(sctx2);
3709 * Test loading of serverinfo data in various formats. test_sslmessages actually
3710 * tests to make sure the extensions appear in the handshake
3712 static int test_serverinfo(int tst)
3714 unsigned int version;
3715 unsigned char *sibuf;
3717 int ret, expected, testresult = 0;
3720 ctx = SSL_CTX_new(TLS_method());
3724 if ((tst & 0x01) == 0x01)
3725 version = SSL_SERVERINFOV2;
3727 version = SSL_SERVERINFOV1;
3729 if ((tst & 0x02) == 0x02) {
3730 sibuf = serverinfov2;
3731 sibuflen = sizeof(serverinfov2);
3732 expected = (version == SSL_SERVERINFOV2);
3734 sibuf = serverinfov1;
3735 sibuflen = sizeof(serverinfov1);
3736 expected = (version == SSL_SERVERINFOV1);
3739 if ((tst & 0x04) == 0x04) {
3740 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3742 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3745 * The version variable is irrelevant in this case - it's what is in the
3746 * buffer that matters
3748 if ((tst & 0x02) == 0x02)
3754 if (!TEST_true(ret == expected))
3766 * Test that SSL_export_keying_material() produces expected results. There are
3767 * no test vectors so all we do is test that both sides of the communication
3768 * produce the same results for different protocol versions.
3770 static int test_export_key_mat(int tst)
3773 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3774 SSL *clientssl = NULL, *serverssl = NULL;
3775 const char label[] = "test label";
3776 const unsigned char context[] = "context";
3777 const unsigned char *emptycontext = NULL;
3778 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3779 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3780 const int protocols[] = {
3787 #ifdef OPENSSL_NO_TLS1
3791 #ifdef OPENSSL_NO_TLS1_1
3795 #ifdef OPENSSL_NO_TLS1_2
3799 #ifdef OPENSSL_NO_TLS1_3
3803 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3804 TLS1_VERSION, TLS_MAX_VERSION,
3805 &sctx, &cctx, cert, privkey)))
3808 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3809 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3810 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3812 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3814 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3818 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3819 sizeof(ckeymat1), label,
3820 sizeof(label) - 1, context,
3821 sizeof(context) - 1, 1), 1)
3822 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3823 sizeof(ckeymat2), label,
3827 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3828 sizeof(ckeymat3), label,
3831 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3832 sizeof(skeymat1), label,
3835 sizeof(context) -1, 1),
3837 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3838 sizeof(skeymat2), label,
3842 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3843 sizeof(skeymat3), label,
3847 * Check that both sides created the same key material with the
3850 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3853 * Check that both sides created the same key material with an
3856 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3859 * Check that both sides created the same key material without a
3862 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3864 /* Different contexts should produce different results */
3865 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3870 * Check that an empty context and no context produce different results in
3871 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3873 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3875 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3882 SSL_free(serverssl);
3883 SSL_free(clientssl);
3884 SSL_CTX_free(sctx2);
3891 #ifndef OPENSSL_NO_TLS1_3
3893 * Test that SSL_export_keying_material_early() produces expected
3894 * results. There are no test vectors so all we do is test that both
3895 * sides of the communication produce the same results for different
3896 * protocol versions.
3898 static int test_export_key_mat_early(int idx)
3900 static const char label[] = "test label";
3901 static const unsigned char context[] = "context";
3903 SSL_CTX *cctx = NULL, *sctx = NULL;
3904 SSL *clientssl = NULL, *serverssl = NULL;
3905 SSL_SESSION *sess = NULL;
3906 const unsigned char *emptycontext = NULL;
3907 unsigned char ckeymat1[80], ckeymat2[80];
3908 unsigned char skeymat1[80], skeymat2[80];
3909 unsigned char buf[1];
3910 size_t readbytes, written;
3912 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3916 /* Here writing 0 length early data is enough. */
3917 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3918 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3920 SSL_READ_EARLY_DATA_ERROR)
3921 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3922 SSL_EARLY_DATA_ACCEPTED))
3925 if (!TEST_int_eq(SSL_export_keying_material_early(
3926 clientssl, ckeymat1, sizeof(ckeymat1), label,
3927 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3928 || !TEST_int_eq(SSL_export_keying_material_early(
3929 clientssl, ckeymat2, sizeof(ckeymat2), label,
3930 sizeof(label) - 1, emptycontext, 0), 1)
3931 || !TEST_int_eq(SSL_export_keying_material_early(
3932 serverssl, skeymat1, sizeof(skeymat1), label,
3933 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3934 || !TEST_int_eq(SSL_export_keying_material_early(
3935 serverssl, skeymat2, sizeof(skeymat2), label,
3936 sizeof(label) - 1, emptycontext, 0), 1)
3938 * Check that both sides created the same key material with the
3941 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3944 * Check that both sides created the same key material with an
3947 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3949 /* Different contexts should produce different results */
3950 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3957 SSL_SESSION_free(sess);
3958 SSL_SESSION_free(clientpsk);
3959 SSL_SESSION_free(serverpsk);
3960 clientpsk = serverpsk = NULL;
3961 SSL_free(serverssl);
3962 SSL_free(clientssl);
3968 #endif /* OPENSSL_NO_TLS1_3 */
3970 static int test_ssl_clear(int idx)
3972 SSL_CTX *cctx = NULL, *sctx = NULL;
3973 SSL *clientssl = NULL, *serverssl = NULL;
3976 #ifdef OPENSSL_NO_TLS1_2
3981 /* Create an initial connection */
3982 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3983 TLS1_VERSION, TLS_MAX_VERSION,
3984 &sctx, &cctx, cert, privkey))
3986 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3988 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3989 &clientssl, NULL, NULL))
3990 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3994 SSL_shutdown(clientssl);
3995 SSL_shutdown(serverssl);
3996 SSL_free(serverssl);
3999 /* Clear clientssl - we're going to reuse the object */
4000 if (!TEST_true(SSL_clear(clientssl)))
4003 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4005 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4007 || !TEST_true(SSL_session_reused(clientssl)))
4010 SSL_shutdown(clientssl);
4011 SSL_shutdown(serverssl);
4016 SSL_free(serverssl);
4017 SSL_free(clientssl);
4024 /* Parse CH and retrieve any MFL extension value if present */
4025 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4028 unsigned char *data;
4029 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4030 unsigned int MFL_code = 0, type = 0;
4032 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4035 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4036 /* Skip the record header */
4037 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4038 /* Skip the handshake message header */
4039 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4040 /* Skip client version and random */
4041 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4042 + SSL3_RANDOM_SIZE))
4043 /* Skip session id */
4044 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4046 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4047 /* Skip compression */
4048 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4049 /* Extensions len */
4050 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4053 /* Loop through all extensions */
4054 while (PACKET_remaining(&pkt2)) {
4055 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4056 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4059 if (type == TLSEXT_TYPE_max_fragment_length) {
4060 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4061 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4064 *mfl_codemfl_code = MFL_code;
4073 /* Maximum-Fragment-Length TLS extension mode to test */
4074 static const unsigned char max_fragment_len_test[] = {
4075 TLSEXT_max_fragment_length_512,
4076 TLSEXT_max_fragment_length_1024,
4077 TLSEXT_max_fragment_length_2048,
4078 TLSEXT_max_fragment_length_4096
4081 static int test_max_fragment_len_ext(int idx_tst)
4085 int testresult = 0, MFL_mode = 0;
4088 ctx = SSL_CTX_new(TLS_method());
4092 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4093 ctx, max_fragment_len_test[idx_tst])))
4100 rbio = BIO_new(BIO_s_mem());
4101 wbio = BIO_new(BIO_s_mem());
4102 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4108 SSL_set_bio(con, rbio, wbio);
4109 SSL_set_connect_state(con);
4111 if (!TEST_int_le(SSL_connect(con), 0)) {
4112 /* This shouldn't succeed because we don't have a server! */
4116 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4117 /* no MFL in client hello */
4119 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4131 #ifndef OPENSSL_NO_TLS1_3
4132 static int test_pha_key_update(void)
4134 SSL_CTX *cctx = NULL, *sctx = NULL;
4135 SSL *clientssl = NULL, *serverssl = NULL;
4138 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4139 TLS1_VERSION, TLS_MAX_VERSION,
4140 &sctx, &cctx, cert, privkey)))
4143 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4144 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4145 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4146 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4150 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4154 SSL_force_post_handshake_auth(clientssl);
4156 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4160 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4161 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4164 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4167 /* Start handshake on the server */
4168 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4171 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4172 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4176 SSL_shutdown(clientssl);
4177 SSL_shutdown(serverssl);
4182 SSL_free(serverssl);
4183 SSL_free(clientssl);
4190 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4192 static SRP_VBASE *vbase = NULL;
4194 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4196 int ret = SSL3_AL_FATAL;
4198 SRP_user_pwd *user = NULL;
4200 username = SSL_get_srp_username(s);
4201 if (username == NULL) {
4202 *ad = SSL_AD_INTERNAL_ERROR;
4206 user = SRP_VBASE_get1_by_user(vbase, username);
4208 *ad = SSL_AD_INTERNAL_ERROR;
4212 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4214 *ad = SSL_AD_INTERNAL_ERROR;
4221 SRP_user_pwd_free(user);
4225 static int create_new_vfile(char *userid, char *password, const char *filename)
4228 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4231 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4234 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4237 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4238 &row[DB_srpverifier], NULL, NULL);
4239 if (!TEST_ptr(gNid))
4243 * The only way to create an empty TXT_DB is to provide a BIO with no data
4246 db = TXT_DB_read(dummy, DB_NUMBER);
4250 out = BIO_new_file(filename, "w");
4254 row[DB_srpid] = OPENSSL_strdup(userid);
4255 row[DB_srptype] = OPENSSL_strdup("V");
4256 row[DB_srpgN] = OPENSSL_strdup(gNid);
4258 if (!TEST_ptr(row[DB_srpid])
4259 || !TEST_ptr(row[DB_srptype])
4260 || !TEST_ptr(row[DB_srpgN])
4261 || !TEST_true(TXT_DB_insert(db, row)))
4266 if (!TXT_DB_write(out, db))
4272 for (i = 0; i < DB_NUMBER; i++)
4273 OPENSSL_free(row[i]);
4283 static int create_new_vbase(char *userid, char *password)
4285 BIGNUM *verifier = NULL, *salt = NULL;
4286 const SRP_gN *lgN = NULL;
4287 SRP_user_pwd *user_pwd = NULL;
4290 lgN = SRP_get_default_gN(NULL);
4294 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4298 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4299 if (!TEST_ptr(user_pwd))
4302 user_pwd->N = lgN->N;
4303 user_pwd->g = lgN->g;
4304 user_pwd->id = OPENSSL_strdup(userid);
4305 if (!TEST_ptr(user_pwd->id))
4308 user_pwd->v = verifier;
4310 verifier = salt = NULL;
4312 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4318 SRP_user_pwd_free(user_pwd);
4328 * Test 0: Simple successful SRP connection, new vbase
4329 * Test 1: Connection failure due to bad password, new vbase
4330 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4331 * Test 3: Connection failure due to bad password, vbase loaded from existing
4333 * Test 4: Simple successful SRP connection, vbase loaded from new file
4334 * Test 5: Connection failure due to bad password, vbase loaded from new file
4336 static int test_srp(int tst)
4338 char *userid = "test", *password = "password", *tstsrpfile;
4339 SSL_CTX *cctx = NULL, *sctx = NULL;
4340 SSL *clientssl = NULL, *serverssl = NULL;
4341 int ret, testresult = 0;
4343 vbase = SRP_VBASE_new(NULL);
4344 if (!TEST_ptr(vbase))
4347 if (tst == 0 || tst == 1) {
4348 if (!TEST_true(create_new_vbase(userid, password)))
4351 if (tst == 4 || tst == 5) {
4352 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4354 tstsrpfile = tmpfilename;
4356 tstsrpfile = srpvfile;
4358 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4362 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4363 TLS1_VERSION, TLS_MAX_VERSION,
4364 &sctx, &cctx, cert, privkey)))
4367 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4368 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4369 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4370 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4371 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4375 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4378 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4382 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4386 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4388 if (!TEST_true(tst % 2 == 0))
4391 if (!TEST_true(tst % 2 == 1))
4398 SRP_VBASE_free(vbase);
4400 SSL_free(serverssl);
4401 SSL_free(clientssl);
4409 static int info_cb_failed = 0;
4410 static int info_cb_offset = 0;
4411 static int info_cb_this_state = -1;
4413 static struct info_cb_states_st {
4415 const char *statestr;
4416 } info_cb_states[][60] = {
4418 /* TLSv1.2 server followed by resumption */
4419 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4420 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4421 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4422 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4423 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4424 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4425 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4426 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4427 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4428 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4429 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4430 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4431 {SSL_CB_EXIT, NULL}, {0, NULL},
4433 /* TLSv1.2 client followed by resumption */
4434 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4435 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4436 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4437 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4438 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4439 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4440 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4441 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4442 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4443 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4444 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4445 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4447 /* TLSv1.3 server followed by resumption */
4448 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4449 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4450 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4451 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4452 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4453 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4454 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4455 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4456 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4457 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4458 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4459 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4460 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4461 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4462 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4463 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4464 {SSL_CB_EXIT, NULL}, {0, NULL},
4466 /* TLSv1.3 client followed by resumption */
4467 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4468 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4469 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4470 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4471 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4472 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4473 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4474 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4475 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4476 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4477 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4478 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4479 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4480 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4481 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4482 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4483 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4484 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4485 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4487 /* TLSv1.3 server, early_data */
4488 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4489 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4490 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4491 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4492 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4493 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4494 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4495 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4496 {SSL_CB_EXIT, NULL}, {0, NULL},
4498 /* TLSv1.3 client, early_data */
4499 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4500 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4501 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4502 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4503 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4504 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4505 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4506 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4507 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4508 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4514 static void sslapi_info_callback(const SSL *s, int where, int ret)
4516 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4518 /* We do not ever expect a connection to fail in this test */
4519 if (!TEST_false(ret == 0)) {
4525 * Do some sanity checks. We never expect these things to happen in this
4528 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4529 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4530 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4535 /* Now check we're in the right state */
4536 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4540 if ((where & SSL_CB_LOOP) != 0
4541 && !TEST_int_eq(strcmp(SSL_state_string(s),
4542 state[info_cb_this_state].statestr), 0)) {
4547 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4548 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4555 * Test the info callback gets called when we expect it to.
4557 * Test 0: TLSv1.2, server
4558 * Test 1: TLSv1.2, client
4559 * Test 2: TLSv1.3, server
4560 * Test 3: TLSv1.3, client
4561 * Test 4: TLSv1.3, server, early_data
4562 * Test 5: TLSv1.3, client, early_data
4564 static int test_info_callback(int tst)
4566 SSL_CTX *cctx = NULL, *sctx = NULL;
4567 SSL *clientssl = NULL, *serverssl = NULL;
4568 SSL_SESSION *clntsess = NULL;
4573 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
4574 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
4575 || !defined(OPENSSL_NO_DH))
4576 tlsvers = TLS1_2_VERSION;
4581 #ifndef OPENSSL_NO_TLS1_3
4582 tlsvers = TLS1_3_VERSION;
4590 info_cb_this_state = -1;
4591 info_cb_offset = tst;
4593 #ifndef OPENSSL_NO_TLS1_3
4595 SSL_SESSION *sess = NULL;
4596 size_t written, readbytes;
4597 unsigned char buf[80];
4599 /* early_data tests */
4600 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4601 &serverssl, &sess, 0)))
4604 /* We don't actually need this reference */
4605 SSL_SESSION_free(sess);
4607 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4608 sslapi_info_callback);
4610 /* Write and read some early data and then complete the connection */
4611 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4613 || !TEST_size_t_eq(written, strlen(MSG1))
4614 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4615 sizeof(buf), &readbytes),
4616 SSL_READ_EARLY_DATA_SUCCESS)
4617 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4618 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4619 SSL_EARLY_DATA_ACCEPTED)
4620 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4622 || !TEST_false(info_cb_failed))
4630 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4631 TLS_client_method(),
4632 tlsvers, tlsvers, &sctx, &cctx, cert,
4637 * For even numbered tests we check the server callbacks. For odd numbers we
4640 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4641 sslapi_info_callback);
4643 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4644 &clientssl, NULL, NULL))
4645 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4647 || !TEST_false(info_cb_failed))
4652 clntsess = SSL_get1_session(clientssl);
4653 SSL_shutdown(clientssl);
4654 SSL_shutdown(serverssl);
4655 SSL_free(serverssl);
4656 SSL_free(clientssl);
4657 serverssl = clientssl = NULL;
4659 /* Now do a resumption */
4660 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4662 || !TEST_true(SSL_set_session(clientssl, clntsess))
4663 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4665 || !TEST_true(SSL_session_reused(clientssl))
4666 || !TEST_false(info_cb_failed))
4672 SSL_free(serverssl);
4673 SSL_free(clientssl);
4674 SSL_SESSION_free(clntsess);
4680 static int test_ssl_pending(int tst)
4682 SSL_CTX *cctx = NULL, *sctx = NULL;
4683 SSL *clientssl = NULL, *serverssl = NULL;
4685 char msg[] = "A test message";
4687 size_t written, readbytes;
4690 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4691 TLS_client_method(),
4692 TLS1_VERSION, TLS_MAX_VERSION,
4693 &sctx, &cctx, cert, privkey)))
4696 #ifndef OPENSSL_NO_DTLS
4697 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4698 DTLS_client_method(),
4699 DTLS1_VERSION, DTLS_MAX_VERSION,
4700 &sctx, &cctx, cert, privkey)))
4707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4709 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4713 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4714 || !TEST_false(SSL_has_pending(clientssl))
4715 || !TEST_int_eq(SSL_pending(serverssl), 0)
4716 || !TEST_false(SSL_has_pending(serverssl))
4717 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4718 || !TEST_size_t_eq(written, sizeof(msg))
4719 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4720 || !TEST_size_t_eq(readbytes, sizeof(buf))
4721 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4722 || !TEST_true(SSL_has_pending(clientssl)))
4728 SSL_free(serverssl);
4729 SSL_free(clientssl);
4737 unsigned int maxprot;
4738 const char *clntciphers;
4739 const char *clnttls13ciphers;
4740 const char *srvrciphers;
4741 const char *srvrtls13ciphers;
4743 } shared_ciphers_data[] = {
4745 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4746 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4748 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
4751 "AES128-SHA:AES256-SHA",
4753 "AES256-SHA:DHE-RSA-AES128-SHA",
4759 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4761 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4763 "AES128-SHA:AES256-SHA"
4767 "AES128-SHA:AES256-SHA",
4769 "AES128-SHA:DHE-RSA-AES128-SHA",
4775 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4778 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4779 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4782 "AES128-SHA:AES256-SHA",
4784 "AES256-SHA:AES128-SHA256",
4786 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4787 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4790 #ifndef OPENSSL_NO_TLS1_3
4794 "TLS_AES_256_GCM_SHA384",
4796 "TLS_AES_256_GCM_SHA384",
4797 "TLS_AES_256_GCM_SHA384"
4802 static int test_ssl_get_shared_ciphers(int tst)
4804 SSL_CTX *cctx = NULL, *sctx = NULL;
4805 SSL *clientssl = NULL, *serverssl = NULL;
4809 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4810 TLS_client_method(),
4812 shared_ciphers_data[tst].maxprot,
4813 &sctx, &cctx, cert, privkey)))
4816 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4817 shared_ciphers_data[tst].clntciphers))
4818 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
4819 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4820 shared_ciphers_data[tst].clnttls13ciphers)))
4821 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
4822 shared_ciphers_data[tst].srvrciphers))
4823 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
4824 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4825 shared_ciphers_data[tst].srvrtls13ciphers))))
4829 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4831 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4835 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
4836 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
4837 TEST_info("Shared ciphers are: %s\n", buf);
4844 SSL_free(serverssl);
4845 SSL_free(clientssl);
4852 static const char *appdata = "Hello World";
4853 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
4854 static int tick_key_renew = 0;
4855 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4857 static int gen_tick_cb(SSL *s, void *arg)
4859 gen_tick_called = 1;
4861 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
4865 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
4866 const unsigned char *keyname,
4867 size_t keyname_length,
4868 SSL_TICKET_STATUS status,
4874 dec_tick_called = 1;
4876 if (status == SSL_TICKET_EMPTY)
4877 return SSL_TICKET_RETURN_IGNORE_RENEW;
4879 if (!TEST_true(status == SSL_TICKET_SUCCESS
4880 || status == SSL_TICKET_SUCCESS_RENEW))
4881 return SSL_TICKET_RETURN_ABORT;
4883 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
4885 || !TEST_size_t_eq(tickdlen, strlen(appdata))
4886 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
4887 return SSL_TICKET_RETURN_ABORT;
4889 if (tick_key_cb_called) {
4890 /* Don't change what the ticket key callback wanted to do */
4892 case SSL_TICKET_NO_DECRYPT:
4893 return SSL_TICKET_RETURN_IGNORE_RENEW;
4895 case SSL_TICKET_SUCCESS:
4896 return SSL_TICKET_RETURN_USE;
4898 case SSL_TICKET_SUCCESS_RENEW:
4899 return SSL_TICKET_RETURN_USE_RENEW;
4902 return SSL_TICKET_RETURN_ABORT;
4905 return tick_dec_ret;
4909 static int tick_key_cb(SSL *s, unsigned char key_name[16],
4910 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
4911 HMAC_CTX *hctx, int enc)
4913 const unsigned char tick_aes_key[16] = "0123456789abcdef";
4914 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
4916 tick_key_cb_called = 1;
4917 memset(iv, 0, AES_BLOCK_SIZE);
4918 memset(key_name, 0, 16);
4919 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
4920 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
4921 EVP_sha256(), NULL))
4924 return tick_key_renew ? 2 : 1;
4928 * Test the various ticket callbacks
4929 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
4930 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
4931 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
4932 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
4933 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
4934 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
4935 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
4936 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
4937 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
4938 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
4939 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
4940 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
4942 static int test_ticket_callbacks(int tst)
4944 SSL_CTX *cctx = NULL, *sctx = NULL;
4945 SSL *clientssl = NULL, *serverssl = NULL;
4946 SSL_SESSION *clntsess = NULL;
4949 #ifdef OPENSSL_NO_TLS1_2
4953 #ifdef OPENSSL_NO_TLS1_3
4958 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
4960 /* Which tests the ticket key callback should request renewal for */
4961 if (tst == 10 || tst == 11)
4966 /* Which tests the decrypt ticket callback should request renewal for */
4970 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
4975 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
4980 tick_dec_ret = SSL_TICKET_RETURN_USE;
4985 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
4989 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4992 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4993 TLS_client_method(),
4995 ((tst % 2) == 0) ? TLS1_2_VERSION
4997 &sctx, &cctx, cert, privkey)))
5001 * We only want sessions to resume from tickets - not the session cache. So
5002 * switch the cache off.
5004 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5007 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5012 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5015 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5017 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5022 * The decrypt ticket key callback in TLSv1.2 should be called even though
5023 * we have no ticket yet, because it gets called with a status of
5024 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5025 * actually send any ticket data). This does not happen in TLSv1.3 because
5026 * it is not valid to send empty ticket data in TLSv1.3.
5028 if (!TEST_int_eq(gen_tick_called, 1)
5029 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5032 gen_tick_called = dec_tick_called = 0;
5034 clntsess = SSL_get1_session(clientssl);
5035 SSL_shutdown(clientssl);
5036 SSL_shutdown(serverssl);
5037 SSL_free(serverssl);
5038 SSL_free(clientssl);
5039 serverssl = clientssl = NULL;
5041 /* Now do a resumption */
5042 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5044 || !TEST_true(SSL_set_session(clientssl, clntsess))
5045 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5049 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5050 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5051 if (!TEST_false(SSL_session_reused(clientssl)))
5054 if (!TEST_true(SSL_session_reused(clientssl)))
5058 if (!TEST_int_eq(gen_tick_called,
5060 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5061 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5063 || !TEST_int_eq(dec_tick_called, 1))
5069 SSL_SESSION_free(clntsess);
5070 SSL_free(serverssl);
5071 SSL_free(clientssl);
5079 * Test bi-directional shutdown.
5081 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5082 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5083 * Test 3: TLSv1.3, pending NewSessionTicket messages
5084 * Test 4: TLSv1.3, server continues to read/write after client shutdown, client
5086 * Test 5: TLSv1.3, server continues to read/write after client shutdown, client
5089 static int test_shutdown(int tst)
5091 SSL_CTX *cctx = NULL, *sctx = NULL;
5092 SSL *clientssl = NULL, *serverssl = NULL;
5094 char msg[] = "A test message";
5096 size_t written, readbytes;
5098 #ifdef OPENSSL_NO_TLS1_2
5102 #ifdef OPENSSL_NO_TLS1_3
5107 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5108 TLS_client_method(),
5110 (tst <= 1) ? TLS1_2_VERSION
5112 &sctx, &cctx, cert, privkey))
5113 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5118 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5121 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5126 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5131 * Reading on the server after the client has sent close_notify should
5132 * fail and provide SSL_ERROR_ZERO_RETURN
5134 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5135 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5136 SSL_ERROR_ZERO_RETURN)
5137 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5138 SSL_RECEIVED_SHUTDOWN)
5140 * Even though we're shutdown on receive we should still be
5143 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))
5144 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5147 /* Should still be able to read data from server */
5148 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5150 || !TEST_size_t_eq(readbytes, sizeof(msg))
5151 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5156 /* Writing on the client after sending close_notify shouldn't be possible */
5157 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5162 * For these tests the client has sent close_notify but it has not yet
5163 * been received by the server. The server has not sent close_notify
5166 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5168 * Writing on the server after sending close_notify shouldn't
5171 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5172 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5173 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5175 } else if (tst == 4) {
5177 * In this test the client has sent close_notify and it has been
5178 * received by the server which has responded with a close_notify. The
5179 * client needs to read the close_notify sent by the server.
5181 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
5187 * The client has sent close_notify and is expecting a close_notify
5188 * back, but instead there is application data first. The shutdown
5189 * should fail with a fatal error.
5191 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5192 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5199 SSL_free(serverssl);
5200 SSL_free(clientssl);
5207 int setup_tests(void)
5209 if (!TEST_ptr(cert = test_get_argument(0))
5210 || !TEST_ptr(privkey = test_get_argument(1))
5211 || !TEST_ptr(srpvfile = test_get_argument(2))
5212 || !TEST_ptr(tmpfilename = test_get_argument(3)))
5215 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
5216 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
5217 TEST_error("not supported in this build");
5220 int i, mcount, rcount, fcount;
5222 for (i = 0; i < 4; i++)
5223 test_export_key_mat(i);
5224 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
5225 test_printf_stdout("malloc %d realloc %d free %d\n",
5226 mcount, rcount, fcount);
5231 ADD_TEST(test_large_message_tls);
5232 ADD_TEST(test_large_message_tls_read_ahead);
5233 #ifndef OPENSSL_NO_DTLS
5234 ADD_TEST(test_large_message_dtls);
5236 #ifndef OPENSSL_NO_OCSP
5237 ADD_TEST(test_tlsext_status_type);
5239 ADD_TEST(test_session_with_only_int_cache);
5240 ADD_TEST(test_session_with_only_ext_cache);
5241 ADD_TEST(test_session_with_both_cache);
5242 #ifndef OPENSSL_NO_TLS1_3
5243 ADD_ALL_TESTS(test_tickets, 3);
5245 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
5246 ADD_TEST(test_ssl_bio_pop_next_bio);
5247 ADD_TEST(test_ssl_bio_pop_ssl_bio);
5248 ADD_TEST(test_ssl_bio_change_rbio);
5249 ADD_TEST(test_ssl_bio_change_wbio);
5250 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
5251 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
5252 ADD_TEST(test_keylog);
5254 #ifndef OPENSSL_NO_TLS1_3
5255 ADD_TEST(test_keylog_no_master_key);
5257 #ifndef OPENSSL_NO_TLS1_2
5258 ADD_TEST(test_client_hello_cb);
5260 #ifndef OPENSSL_NO_TLS1_3
5261 ADD_ALL_TESTS(test_early_data_read_write, 3);
5263 * We don't do replay tests for external PSK. Replay protection isn't used
5266 ADD_ALL_TESTS(test_early_data_replay, 2);
5267 ADD_ALL_TESTS(test_early_data_skip, 3);
5268 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
5269 ADD_ALL_TESTS(test_early_data_not_sent, 3);
5270 ADD_ALL_TESTS(test_early_data_psk, 8);
5271 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5272 # ifndef OPENSSL_NO_TLS1_2
5273 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5276 #ifndef OPENSSL_NO_TLS1_3
5277 ADD_ALL_TESTS(test_set_ciphersuite, 10);
5278 ADD_TEST(test_ciphersuite_change);
5279 #ifdef OPENSSL_NO_PSK
5280 ADD_ALL_TESTS(test_tls13_psk, 1);
5282 ADD_ALL_TESTS(test_tls13_psk, 4);
5283 #endif /* OPENSSL_NO_PSK */
5284 ADD_ALL_TESTS(test_custom_exts, 5);
5285 ADD_TEST(test_stateless);
5286 ADD_TEST(test_pha_key_update);
5288 ADD_ALL_TESTS(test_custom_exts, 3);
5290 ADD_ALL_TESTS(test_serverinfo, 8);
5291 ADD_ALL_TESTS(test_export_key_mat, 4);
5292 #ifndef OPENSSL_NO_TLS1_3
5293 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5295 ADD_ALL_TESTS(test_ssl_clear, 2);
5296 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
5297 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5298 ADD_ALL_TESTS(test_srp, 6);
5300 ADD_ALL_TESTS(test_info_callback, 6);
5301 ADD_ALL_TESTS(test_ssl_pending, 2);
5302 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
5303 ADD_ALL_TESTS(test_ticket_callbacks, 12);
5304 ADD_ALL_TESTS(test_shutdown, 6);
5308 void cleanup_tests(void)
5310 bio_s_mempacket_test_free();