2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
20 #include "ssltestlib.h"
22 #include "testutil/output.h"
23 #include "internal/nelem.h"
24 #include "../ssl/ssl_locl.h"
26 static char *cert = NULL;
27 static char *privkey = NULL;
28 static char *srpvfile = NULL;
29 static char *tmpfilename = NULL;
31 #define LOG_BUFFER_SIZE 1024
32 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
33 static size_t server_log_buffer_index = 0;
34 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
35 static size_t client_log_buffer_index = 0;
36 static int error_writing_log = 0;
38 #ifndef OPENSSL_NO_OCSP
39 static const unsigned char orespder[] = "Dummy OCSP Response";
40 static int ocsp_server_called = 0;
41 static int ocsp_client_called = 0;
43 static int cdummyarg = 1;
44 static X509 *ocspcert = NULL;
47 #define NUM_EXTRA_CERTS 40
48 #define CLIENT_VERSION_LEN 2
51 * This structure is used to validate that the correct number of log messages
52 * of various types are emitted when emitting secret logs.
54 struct sslapitest_log_counts {
55 unsigned int rsa_key_exchange_count;
56 unsigned int master_secret_count;
57 unsigned int client_handshake_secret_count;
58 unsigned int server_handshake_secret_count;
59 unsigned int client_application_secret_count;
60 unsigned int server_application_secret_count;
64 static unsigned char serverinfov1[] = {
65 0xff, 0xff, /* Dummy extension type */
66 0x00, 0x01, /* Extension length is 1 byte */
67 0xff /* Dummy extension data */
70 static unsigned char serverinfov2[] = {
72 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
73 0xff, 0xff, /* Dummy extension type */
74 0x00, 0x01, /* Extension length is 1 byte */
75 0xff /* Dummy extension data */
78 static void client_keylog_callback(const SSL *ssl, const char *line)
80 int line_length = strlen(line);
82 /* If the log doesn't fit, error out. */
83 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
84 TEST_info("Client log too full");
85 error_writing_log = 1;
89 strcat(client_log_buffer, line);
90 client_log_buffer_index += line_length;
91 client_log_buffer[client_log_buffer_index++] = '\n';
94 static void server_keylog_callback(const SSL *ssl, const char *line)
96 int line_length = strlen(line);
98 /* If the log doesn't fit, error out. */
99 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
100 TEST_info("Server log too full");
101 error_writing_log = 1;
105 strcat(server_log_buffer, line);
106 server_log_buffer_index += line_length;
107 server_log_buffer[server_log_buffer_index++] = '\n';
110 static int compare_hex_encoded_buffer(const char *hex_encoded,
118 if (!TEST_size_t_eq(raw_length * 2, hex_length))
121 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
122 sprintf(hexed, "%02x", raw[i]);
123 if (!TEST_int_eq(hexed[0], hex_encoded[j])
124 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
131 static int test_keylog_output(char *buffer, const SSL *ssl,
132 const SSL_SESSION *session,
133 struct sslapitest_log_counts *expected)
136 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
137 size_t client_random_size = SSL3_RANDOM_SIZE;
138 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
139 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
140 unsigned int rsa_key_exchange_count = 0;
141 unsigned int master_secret_count = 0;
142 unsigned int client_handshake_secret_count = 0;
143 unsigned int server_handshake_secret_count = 0;
144 unsigned int client_application_secret_count = 0;
145 unsigned int server_application_secret_count = 0;
147 for (token = strtok(buffer, " \n"); token != NULL;
148 token = strtok(NULL, " \n")) {
149 if (strcmp(token, "RSA") == 0) {
151 * Premaster secret. Tokens should be: 16 ASCII bytes of
152 * hex-encoded encrypted secret, then the hex-encoded pre-master
155 if (!TEST_ptr(token = strtok(NULL, " \n")))
157 if (!TEST_size_t_eq(strlen(token), 16))
159 if (!TEST_ptr(token = strtok(NULL, " \n")))
162 * We can't sensibly check the log because the premaster secret is
163 * transient, and OpenSSL doesn't keep hold of it once the master
164 * secret is generated.
166 rsa_key_exchange_count++;
167 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
169 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
170 * client random, then the hex-encoded master secret.
172 client_random_size = SSL_get_client_random(ssl,
173 actual_client_random,
175 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
178 if (!TEST_ptr(token = strtok(NULL, " \n")))
180 if (!TEST_size_t_eq(strlen(token), 64))
182 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
183 actual_client_random,
184 client_random_size)))
187 if (!TEST_ptr(token = strtok(NULL, " \n")))
189 master_key_size = SSL_SESSION_get_master_key(session,
192 if (!TEST_size_t_ne(master_key_size, 0))
194 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
198 master_secret_count++;
199 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
200 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
201 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
202 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
204 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
205 * client random, and then the hex-encoded secret. In this case,
206 * we treat all of these secrets identically and then just
207 * distinguish between them when counting what we saw.
209 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
210 client_handshake_secret_count++;
211 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
212 server_handshake_secret_count++;
213 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
214 client_application_secret_count++;
215 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
216 server_application_secret_count++;
218 client_random_size = SSL_get_client_random(ssl,
219 actual_client_random,
221 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
224 if (!TEST_ptr(token = strtok(NULL, " \n")))
226 if (!TEST_size_t_eq(strlen(token), 64))
228 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
229 actual_client_random,
230 client_random_size)))
233 if (!TEST_ptr(token = strtok(NULL, " \n")))
237 * TODO(TLS1.3): test that application traffic secrets are what
240 TEST_info("Unexpected token %s\n", token);
245 /* Got what we expected? */
246 if (!TEST_size_t_eq(rsa_key_exchange_count,
247 expected->rsa_key_exchange_count)
248 || !TEST_size_t_eq(master_secret_count,
249 expected->master_secret_count)
250 || !TEST_size_t_eq(client_handshake_secret_count,
251 expected->client_handshake_secret_count)
252 || !TEST_size_t_eq(server_handshake_secret_count,
253 expected->server_handshake_secret_count)
254 || !TEST_size_t_eq(client_application_secret_count,
255 expected->client_application_secret_count)
256 || !TEST_size_t_eq(server_application_secret_count,
257 expected->server_application_secret_count))
262 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
263 static int test_keylog(void)
265 SSL_CTX *cctx = NULL, *sctx = NULL;
266 SSL *clientssl = NULL, *serverssl = NULL;
268 struct sslapitest_log_counts expected = {0};
270 /* Clean up logging space */
271 memset(client_log_buffer, 0, sizeof(client_log_buffer));
272 memset(server_log_buffer, 0, sizeof(server_log_buffer));
273 client_log_buffer_index = 0;
274 server_log_buffer_index = 0;
275 error_writing_log = 0;
277 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
279 TLS1_VERSION, TLS_MAX_VERSION,
280 &sctx, &cctx, cert, privkey)))
283 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
284 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
285 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
287 /* We also want to ensure that we use RSA-based key exchange. */
288 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
291 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
292 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
294 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
295 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
296 == client_keylog_callback))
298 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
299 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
300 == server_keylog_callback))
303 /* Now do a handshake and check that the logs have been written to. */
304 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
305 &clientssl, NULL, NULL))
306 || !TEST_true(create_ssl_connection(serverssl, clientssl,
308 || !TEST_false(error_writing_log)
309 || !TEST_int_gt(client_log_buffer_index, 0)
310 || !TEST_int_gt(server_log_buffer_index, 0))
314 * Now we want to test that our output data was vaguely sensible. We
315 * do that by using strtok and confirming that we have more or less the
316 * data we expect. For both client and server, we expect to see one master
317 * secret. The client should also see a RSA key exchange.
319 expected.rsa_key_exchange_count = 1;
320 expected.master_secret_count = 1;
321 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
322 SSL_get_session(clientssl), &expected)))
325 expected.rsa_key_exchange_count = 0;
326 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
327 SSL_get_session(serverssl), &expected)))
342 #ifndef OPENSSL_NO_TLS1_3
343 static int test_keylog_no_master_key(void)
345 SSL_CTX *cctx = NULL, *sctx = NULL;
346 SSL *clientssl = NULL, *serverssl = NULL;
348 struct sslapitest_log_counts expected = {0};
350 /* Clean up logging space */
351 memset(client_log_buffer, 0, sizeof(client_log_buffer));
352 memset(server_log_buffer, 0, sizeof(server_log_buffer));
353 client_log_buffer_index = 0;
354 server_log_buffer_index = 0;
355 error_writing_log = 0;
357 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
358 TLS1_VERSION, TLS_MAX_VERSION,
359 &sctx, &cctx, cert, privkey)))
362 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
363 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
366 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
367 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
368 == client_keylog_callback))
371 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
372 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
373 == server_keylog_callback))
376 /* Now do a handshake and check that the logs have been written to. */
377 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
378 &clientssl, NULL, NULL))
379 || !TEST_true(create_ssl_connection(serverssl, clientssl,
381 || !TEST_false(error_writing_log))
385 * Now we want to test that our output data was vaguely sensible. For this
386 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
387 * TLSv1.3, but we do expect both client and server to emit keys.
389 expected.client_handshake_secret_count = 1;
390 expected.server_handshake_secret_count = 1;
391 expected.client_application_secret_count = 1;
392 expected.server_application_secret_count = 1;
393 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
394 SSL_get_session(clientssl), &expected))
395 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
396 SSL_get_session(serverssl),
412 #ifndef OPENSSL_NO_TLS1_2
413 static int full_client_hello_callback(SSL *s, int *al, void *arg)
416 const unsigned char *p;
418 /* We only configure two ciphers, but the SCSV is added automatically. */
420 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
422 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
425 const int expected_extensions[] = {
426 #ifndef OPENSSL_NO_EC
432 /* Make sure we can defer processing and get called back. */
434 return SSL_CLIENT_HELLO_RETRY;
436 len = SSL_client_hello_get0_ciphers(s, &p);
437 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
439 SSL_client_hello_get0_compression_methods(s, &p), 1)
440 || !TEST_int_eq(*p, 0))
441 return SSL_CLIENT_HELLO_ERROR;
442 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
443 return SSL_CLIENT_HELLO_ERROR;
444 if (len != OSSL_NELEM(expected_extensions) ||
445 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
446 printf("ClientHello callback expected extensions mismatch\n");
448 return SSL_CLIENT_HELLO_ERROR;
451 return SSL_CLIENT_HELLO_SUCCESS;
454 static int test_client_hello_cb(void)
456 SSL_CTX *cctx = NULL, *sctx = NULL;
457 SSL *clientssl = NULL, *serverssl = NULL;
458 int testctr = 0, testresult = 0;
460 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
461 TLS1_VERSION, TLS_MAX_VERSION,
462 &sctx, &cctx, cert, privkey)))
464 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
466 /* The gimpy cipher list we configure can't do TLS 1.3. */
467 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
469 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
470 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
471 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
472 &clientssl, NULL, NULL))
473 || !TEST_false(create_ssl_connection(serverssl, clientssl,
474 SSL_ERROR_WANT_CLIENT_HELLO_CB))
476 * Passing a -1 literal is a hack since
477 * the real value was lost.
479 || !TEST_int_eq(SSL_get_error(serverssl, -1),
480 SSL_ERROR_WANT_CLIENT_HELLO_CB)
481 || !TEST_true(create_ssl_connection(serverssl, clientssl,
497 static int execute_test_large_message(const SSL_METHOD *smeth,
498 const SSL_METHOD *cmeth,
499 int min_version, int max_version,
502 SSL_CTX *cctx = NULL, *sctx = NULL;
503 SSL *clientssl = NULL, *serverssl = NULL;
507 X509 *chaincert = NULL;
510 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
512 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
515 if (!TEST_ptr(chaincert))
518 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
519 &sctx, &cctx, cert, privkey)))
524 * Test that read_ahead works correctly when dealing with large
527 SSL_CTX_set_read_ahead(cctx, 1);
531 * We assume the supplied certificate is big enough so that if we add
532 * NUM_EXTRA_CERTS it will make the overall message large enough. The
533 * default buffer size is requested to be 16k, but due to the way BUF_MEM
534 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
535 * test we need to have a message larger than that.
537 certlen = i2d_X509(chaincert, NULL);
538 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
539 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
540 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
541 if (!X509_up_ref(chaincert))
543 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
544 X509_free(chaincert);
549 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
551 || !TEST_true(create_ssl_connection(serverssl, clientssl,
556 * Calling SSL_clear() first is not required but this tests that SSL_clear()
557 * doesn't leak (when using enable-crypto-mdebug).
559 if (!TEST_true(SSL_clear(serverssl)))
564 X509_free(chaincert);
573 static int test_large_message_tls(void)
575 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
576 TLS1_VERSION, TLS_MAX_VERSION,
580 static int test_large_message_tls_read_ahead(void)
582 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
583 TLS1_VERSION, TLS_MAX_VERSION,
587 #ifndef OPENSSL_NO_DTLS
588 static int test_large_message_dtls(void)
591 * read_ahead is not relevant to DTLS because DTLS always acts as if
594 return execute_test_large_message(DTLS_server_method(),
595 DTLS_client_method(),
596 DTLS1_VERSION, DTLS_MAX_VERSION,
601 #ifndef OPENSSL_NO_OCSP
602 static int ocsp_server_cb(SSL *s, void *arg)
604 int *argi = (int *)arg;
605 unsigned char *copy = NULL;
606 STACK_OF(OCSP_RESPID) *ids = NULL;
607 OCSP_RESPID *id = NULL;
610 /* In this test we are expecting exactly 1 OCSP_RESPID */
611 SSL_get_tlsext_status_ids(s, &ids);
612 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
613 return SSL_TLSEXT_ERR_ALERT_FATAL;
615 id = sk_OCSP_RESPID_value(ids, 0);
616 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
617 return SSL_TLSEXT_ERR_ALERT_FATAL;
618 } else if (*argi != 1) {
619 return SSL_TLSEXT_ERR_ALERT_FATAL;
622 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
623 return SSL_TLSEXT_ERR_ALERT_FATAL;
625 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
626 ocsp_server_called = 1;
627 return SSL_TLSEXT_ERR_OK;
630 static int ocsp_client_cb(SSL *s, void *arg)
632 int *argi = (int *)arg;
633 const unsigned char *respderin;
636 if (*argi != 1 && *argi != 2)
639 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
640 if (!TEST_mem_eq(orespder, len, respderin, len))
643 ocsp_client_called = 1;
647 static int test_tlsext_status_type(void)
649 SSL_CTX *cctx = NULL, *sctx = NULL;
650 SSL *clientssl = NULL, *serverssl = NULL;
652 STACK_OF(OCSP_RESPID) *ids = NULL;
653 OCSP_RESPID *id = NULL;
656 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
657 TLS1_VERSION, TLS_MAX_VERSION,
658 &sctx, &cctx, cert, privkey))
661 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
664 /* First just do various checks getting and setting tlsext_status_type */
666 clientssl = SSL_new(cctx);
667 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
668 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
669 TLSEXT_STATUSTYPE_ocsp))
670 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
671 TLSEXT_STATUSTYPE_ocsp))
677 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
678 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
681 clientssl = SSL_new(cctx);
682 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
688 * Now actually do a handshake and check OCSP information is exchanged and
689 * the callbacks get called
691 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
692 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
693 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
694 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
695 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
696 &clientssl, NULL, NULL))
697 || !TEST_true(create_ssl_connection(serverssl, clientssl,
699 || !TEST_true(ocsp_client_called)
700 || !TEST_true(ocsp_server_called))
707 /* Try again but this time force the server side callback to fail */
708 ocsp_client_called = 0;
709 ocsp_server_called = 0;
711 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
712 &clientssl, NULL, NULL))
713 /* This should fail because the callback will fail */
714 || !TEST_false(create_ssl_connection(serverssl, clientssl,
716 || !TEST_false(ocsp_client_called)
717 || !TEST_false(ocsp_server_called))
725 * This time we'll get the client to send an OCSP_RESPID that it will
728 ocsp_client_called = 0;
729 ocsp_server_called = 0;
731 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
732 &clientssl, NULL, NULL)))
736 * We'll just use any old cert for this test - it doesn't have to be an OCSP
737 * specific one. We'll use the server cert.
739 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
740 || !TEST_ptr(id = OCSP_RESPID_new())
741 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
742 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
744 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
745 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
748 SSL_set_tlsext_status_ids(clientssl, ids);
749 /* Control has been transferred */
755 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
757 || !TEST_true(ocsp_client_called)
758 || !TEST_true(ocsp_server_called))
768 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
769 OCSP_RESPID_free(id);
778 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
779 static int new_called, remove_called, get_called;
781 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
785 * sess has been up-refed for us, but we don't actually need it so free it
788 SSL_SESSION_free(sess);
792 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
797 static SSL_SESSION *get_sess_val = NULL;
799 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
807 static int execute_test_session(int maxprot, int use_int_cache,
810 SSL_CTX *sctx = NULL, *cctx = NULL;
811 SSL *serverssl1 = NULL, *clientssl1 = NULL;
812 SSL *serverssl2 = NULL, *clientssl2 = NULL;
813 # ifndef OPENSSL_NO_TLS1_1
814 SSL *serverssl3 = NULL, *clientssl3 = NULL;
816 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
819 new_called = remove_called = 0;
821 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
822 TLS1_VERSION, TLS_MAX_VERSION,
823 &sctx, &cctx, cert, privkey)))
827 * Only allow the max protocol version so we can force a connection failure
830 SSL_CTX_set_min_proto_version(cctx, maxprot);
831 SSL_CTX_set_max_proto_version(cctx, maxprot);
833 /* Set up session cache */
835 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
836 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
839 /* Also covers instance where both are set */
840 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
842 SSL_CTX_set_session_cache_mode(cctx,
843 SSL_SESS_CACHE_CLIENT
844 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
847 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
849 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
851 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
854 /* Should fail because it should already be in the cache */
855 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
858 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
861 new_called = remove_called = 0;
862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
863 &clientssl2, NULL, NULL))
864 || !TEST_true(SSL_set_session(clientssl2, sess1))
865 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
867 || !TEST_true(SSL_session_reused(clientssl2)))
870 if (maxprot == TLS1_3_VERSION) {
872 * In TLSv1.3 we should have created a new session even though we have
873 * resumed. The original session should also have been removed.
876 && (!TEST_int_eq(new_called, 1)
877 || !TEST_int_eq(remove_called, 1)))
881 * In TLSv1.2 we expect to have resumed so no sessions added or
885 && (!TEST_int_eq(new_called, 0)
886 || !TEST_int_eq(remove_called, 0)))
890 SSL_SESSION_free(sess1);
891 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
893 shutdown_ssl_connection(serverssl2, clientssl2);
894 serverssl2 = clientssl2 = NULL;
896 new_called = remove_called = 0;
897 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
898 &clientssl2, NULL, NULL))
899 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
903 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
907 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
910 new_called = remove_called = 0;
912 * This should clear sess2 from the cache because it is a "bad" session.
913 * See SSL_set_session() documentation.
915 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
918 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
920 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
924 /* Should succeeded because it should not already be in the cache */
925 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
926 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
930 new_called = remove_called = 0;
931 /* This shouldn't be in the cache so should fail */
932 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
936 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
939 # if !defined(OPENSSL_NO_TLS1_1)
940 new_called = remove_called = 0;
941 /* Force a connection failure */
942 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
944 &clientssl3, NULL, NULL))
945 || !TEST_true(SSL_set_session(clientssl3, sess1))
946 /* This should fail because of the mismatched protocol versions */
947 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
951 /* We should have automatically removed the session from the cache */
953 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
956 /* Should succeed because it should not already be in the cache */
957 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
961 /* Now do some tests for server side caching */
963 SSL_CTX_sess_set_new_cb(cctx, NULL);
964 SSL_CTX_sess_set_remove_cb(cctx, NULL);
965 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
966 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
967 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
971 SSL_CTX_set_session_cache_mode(cctx, 0);
972 /* Internal caching is the default on the server side */
974 SSL_CTX_set_session_cache_mode(sctx,
975 SSL_SESS_CACHE_SERVER
976 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
978 SSL_free(serverssl1);
979 SSL_free(clientssl1);
980 serverssl1 = clientssl1 = NULL;
981 SSL_free(serverssl2);
982 SSL_free(clientssl2);
983 serverssl2 = clientssl2 = NULL;
984 SSL_SESSION_free(sess1);
986 SSL_SESSION_free(sess2);
989 SSL_CTX_set_max_proto_version(sctx, maxprot);
990 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
991 new_called = remove_called = get_called = 0;
992 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
994 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
996 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
997 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1000 /* Should fail because it should already be in the cache */
1001 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
1004 if (use_ext_cache) {
1005 SSL_SESSION *tmp = sess2;
1007 if (!TEST_int_eq(new_called, 1)
1008 || !TEST_int_eq(remove_called, 0)
1009 || !TEST_int_eq(get_called, 0))
1012 * Delete the session from the internal cache to force a lookup from
1013 * the external cache. We take a copy first because
1014 * SSL_CTX_remove_session() also marks the session as non-resumable.
1016 if (use_int_cache) {
1017 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1018 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1020 SSL_SESSION_free(sess2);
1025 new_called = remove_called = get_called = 0;
1026 get_sess_val = sess2;
1027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1028 &clientssl2, NULL, NULL))
1029 || !TEST_true(SSL_set_session(clientssl2, sess1))
1030 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1032 || !TEST_true(SSL_session_reused(clientssl2)))
1035 if (use_ext_cache) {
1036 if (!TEST_int_eq(remove_called, 0))
1039 if (maxprot == TLS1_3_VERSION) {
1041 * Every time we issue a NewSessionTicket we are creating a new
1042 * session for next time in TLSv1.3
1044 if (!TEST_int_eq(new_called, 1)
1045 || !TEST_int_eq(get_called, 0))
1048 if (!TEST_int_eq(new_called, 0)
1049 || !TEST_int_eq(get_called, 1))
1057 SSL_free(serverssl1);
1058 SSL_free(clientssl1);
1059 SSL_free(serverssl2);
1060 SSL_free(clientssl2);
1061 # ifndef OPENSSL_NO_TLS1_1
1062 SSL_free(serverssl3);
1063 SSL_free(clientssl3);
1065 SSL_SESSION_free(sess1);
1066 SSL_SESSION_free(sess2);
1072 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1074 static int test_session_with_only_int_cache(void)
1076 #ifndef OPENSSL_NO_TLS1_3
1077 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1081 #ifndef OPENSSL_NO_TLS1_2
1082 return execute_test_session(TLS1_2_VERSION, 1, 0);
1088 static int test_session_with_only_ext_cache(void)
1090 #ifndef OPENSSL_NO_TLS1_3
1091 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1095 #ifndef OPENSSL_NO_TLS1_2
1096 return execute_test_session(TLS1_2_VERSION, 0, 1);
1102 static int test_session_with_both_cache(void)
1104 #ifndef OPENSSL_NO_TLS1_3
1105 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1109 #ifndef OPENSSL_NO_TLS1_2
1110 return execute_test_session(TLS1_2_VERSION, 1, 1);
1120 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1122 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1137 static int test_ssl_set_bio(int idx)
1142 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1144 int initrbio, initwbio, newrbio, newwbio;
1154 if (!TEST_int_le(newwbio, 2))
1157 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1158 || !TEST_ptr(ssl = SSL_new(ctx)))
1161 if (initrbio == USE_BIO_1
1162 || initwbio == USE_BIO_1
1163 || newrbio == USE_BIO_1
1164 || newwbio == USE_BIO_1) {
1165 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1169 if (initrbio == USE_BIO_2
1170 || initwbio == USE_BIO_2
1171 || newrbio == USE_BIO_2
1172 || newwbio == USE_BIO_2) {
1173 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1177 setupbio(&irbio, bio1, bio2, initrbio);
1178 setupbio(&iwbio, bio1, bio2, initwbio);
1181 * We want to maintain our own refs to these BIO, so do an up ref for each
1182 * BIO that will have ownership transferred in the SSL_set_bio() call
1186 if (iwbio != NULL && iwbio != irbio)
1189 SSL_set_bio(ssl, irbio, iwbio);
1191 setupbio(&nrbio, bio1, bio2, newrbio);
1192 setupbio(&nwbio, bio1, bio2, newwbio);
1195 * We will (maybe) transfer ownership again so do more up refs.
1196 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1201 && (nwbio != iwbio || nrbio != nwbio))
1205 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1208 SSL_set_bio(ssl, nrbio, nwbio);
1218 * This test is checking that the ref counting for SSL_set_bio is correct.
1219 * If we get here and we did too many frees then we will fail in the above
1220 * functions. If we haven't done enough then this will only be detected in
1221 * a crypto-mdebug build
1227 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1229 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1231 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1236 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1237 || !TEST_ptr(ssl = SSL_new(ctx))
1238 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1239 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1242 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1245 * If anything goes wrong here then we could leak memory, so this will
1246 * be caught in a crypto-mdebug build
1248 BIO_push(sslbio, membio1);
1250 /* Verify changing the rbio/wbio directly does not cause leaks */
1251 if (change_bio != NO_BIO_CHANGE) {
1252 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1254 if (change_bio == CHANGE_RBIO)
1255 SSL_set0_rbio(ssl, membio2);
1257 SSL_set0_wbio(ssl, membio2);
1276 static int test_ssl_bio_pop_next_bio(void)
1278 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1281 static int test_ssl_bio_pop_ssl_bio(void)
1283 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1286 static int test_ssl_bio_change_rbio(void)
1288 return execute_test_ssl_bio(0, CHANGE_RBIO);
1291 static int test_ssl_bio_change_wbio(void)
1293 return execute_test_ssl_bio(0, CHANGE_WBIO);
1296 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1298 /* The list of sig algs */
1300 /* The length of the list */
1302 /* A sigalgs list in string format */
1303 const char *liststr;
1304 /* Whether setting the list should succeed */
1306 /* Whether creating a connection with the list should succeed */
1310 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1311 # ifndef OPENSSL_NO_EC
1312 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1313 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1315 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1316 static const int invalidlist2[] = {NID_sha256, NID_undef};
1317 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1318 static const int invalidlist4[] = {NID_sha256};
1319 static const sigalgs_list testsigalgs[] = {
1320 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1321 # ifndef OPENSSL_NO_EC
1322 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1323 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1325 {NULL, 0, "RSA+SHA256", 1, 1},
1326 # ifndef OPENSSL_NO_EC
1327 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1328 {NULL, 0, "ECDSA+SHA512", 1, 0},
1330 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1331 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1332 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1333 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1334 {NULL, 0, "RSA", 0, 0},
1335 {NULL, 0, "SHA256", 0, 0},
1336 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1337 {NULL, 0, "Invalid", 0, 0}
1340 static int test_set_sigalgs(int idx)
1342 SSL_CTX *cctx = NULL, *sctx = NULL;
1343 SSL *clientssl = NULL, *serverssl = NULL;
1345 const sigalgs_list *curr;
1348 /* Should never happen */
1349 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1352 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1353 curr = testctx ? &testsigalgs[idx]
1354 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1356 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1357 TLS1_VERSION, TLS_MAX_VERSION,
1358 &sctx, &cctx, cert, privkey)))
1362 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1363 * for TLSv1.2 for now until we add a new API.
1365 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1370 if (curr->list != NULL)
1371 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1373 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1377 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1383 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1388 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1389 &clientssl, NULL, NULL)))
1395 if (curr->list != NULL)
1396 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1398 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1401 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1410 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1418 SSL_free(serverssl);
1419 SSL_free(clientssl);
1427 #ifndef OPENSSL_NO_TLS1_3
1429 static SSL_SESSION *clientpsk = NULL;
1430 static SSL_SESSION *serverpsk = NULL;
1431 static const char *pskid = "Identity";
1432 static const char *srvid;
1434 static int use_session_cb_cnt = 0;
1435 static int find_session_cb_cnt = 0;
1436 static int psk_client_cb_cnt = 0;
1437 static int psk_server_cb_cnt = 0;
1439 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1440 size_t *idlen, SSL_SESSION **sess)
1442 switch (++use_session_cb_cnt) {
1444 /* The first call should always have a NULL md */
1450 /* The second call should always have an md */
1456 /* We should only be called a maximum of twice */
1460 if (clientpsk != NULL)
1461 SSL_SESSION_up_ref(clientpsk);
1464 *id = (const unsigned char *)pskid;
1465 *idlen = strlen(pskid);
1470 #ifndef OPENSSL_NO_PSK
1471 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1472 unsigned int max_id_len,
1474 unsigned int max_psk_len)
1476 unsigned int psklen = 0;
1478 psk_client_cb_cnt++;
1480 if (strlen(pskid) + 1 > max_id_len)
1483 /* We should only ever be called a maximum of twice per connection */
1484 if (psk_client_cb_cnt > 2)
1487 if (clientpsk == NULL)
1490 /* We'll reuse the PSK we set up for TLSv1.3 */
1491 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1493 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1494 strncpy(id, pskid, max_id_len);
1498 #endif /* OPENSSL_NO_PSK */
1500 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1501 size_t identity_len, SSL_SESSION **sess)
1503 find_session_cb_cnt++;
1505 /* We should only ever be called a maximum of twice per connection */
1506 if (find_session_cb_cnt > 2)
1509 if (serverpsk == NULL)
1512 /* Identity should match that set by the client */
1513 if (strlen(srvid) != identity_len
1514 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1515 /* No PSK found, continue but without a PSK */
1520 SSL_SESSION_up_ref(serverpsk);
1526 #ifndef OPENSSL_NO_PSK
1527 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1528 unsigned char *psk, unsigned int max_psk_len)
1530 unsigned int psklen = 0;
1532 psk_server_cb_cnt++;
1534 /* We should only ever be called a maximum of twice per connection */
1535 if (find_session_cb_cnt > 2)
1538 if (serverpsk == NULL)
1541 /* Identity should match that set by the client */
1542 if (strcmp(srvid, identity) != 0) {
1546 /* We'll reuse the PSK we set up for TLSv1.3 */
1547 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1549 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1553 #endif /* OPENSSL_NO_PSK */
1555 #define MSG1 "Hello"
1556 #define MSG2 "World."
1561 #define MSG7 "message."
1563 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1564 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1567 * Helper method to setup objects for early data test. Caller frees objects on
1570 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1571 SSL **serverssl, SSL_SESSION **sess, int idx)
1573 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1574 TLS1_VERSION, TLS_MAX_VERSION,
1575 sctx, cctx, cert, privkey))
1576 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1577 SSL3_RT_MAX_PLAIN_LENGTH))
1578 || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
1579 SSL3_RT_MAX_PLAIN_LENGTH)))
1583 /* When idx == 1 we repeat the tests with read_ahead set */
1584 SSL_CTX_set_read_ahead(*cctx, 1);
1585 SSL_CTX_set_read_ahead(*sctx, 1);
1586 } else if (idx == 2) {
1587 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1588 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1589 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1590 use_session_cb_cnt = 0;
1591 find_session_cb_cnt = 0;
1595 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1600 * For one of the run throughs (doesn't matter which one), we'll try sending
1601 * some SNI data in the initial ClientHello. This will be ignored (because
1602 * there is no SNI cb set up by the server), so it should not impact
1606 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1610 /* Create the PSK */
1611 const SSL_CIPHER *cipher = NULL;
1612 const unsigned char key[] = {
1613 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1614 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1615 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1616 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1617 0x2c, 0x2d, 0x2e, 0x2f
1620 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1621 clientpsk = SSL_SESSION_new();
1622 if (!TEST_ptr(clientpsk)
1623 || !TEST_ptr(cipher)
1624 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1626 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1628 SSL_SESSION_set_protocol_version(clientpsk,
1631 * We just choose an arbitrary value for max_early_data which
1632 * should be big enough for testing purposes.
1634 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1636 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1637 SSL_SESSION_free(clientpsk);
1641 serverpsk = clientpsk;
1651 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1655 *sess = SSL_get1_session(*clientssl);
1656 SSL_shutdown(*clientssl);
1657 SSL_shutdown(*serverssl);
1658 SSL_free(*serverssl);
1659 SSL_free(*clientssl);
1660 *serverssl = *clientssl = NULL;
1662 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1663 clientssl, NULL, NULL))
1664 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1670 static int test_early_data_read_write(int idx)
1672 SSL_CTX *cctx = NULL, *sctx = NULL;
1673 SSL *clientssl = NULL, *serverssl = NULL;
1675 SSL_SESSION *sess = NULL;
1676 unsigned char buf[20], data[1024];
1677 size_t readbytes, written, eoedlen, rawread, rawwritten;
1680 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1681 &serverssl, &sess, idx)))
1684 /* Write and read some early data */
1685 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1687 || !TEST_size_t_eq(written, strlen(MSG1))
1688 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1689 sizeof(buf), &readbytes),
1690 SSL_READ_EARLY_DATA_SUCCESS)
1691 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1692 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1693 SSL_EARLY_DATA_ACCEPTED))
1697 * Server should be able to write data, and client should be able to
1700 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1702 || !TEST_size_t_eq(written, strlen(MSG2))
1703 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1704 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1707 /* Even after reading normal data, client should be able write early data */
1708 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1710 || !TEST_size_t_eq(written, strlen(MSG3)))
1713 /* Server should still be able read early data after writing data */
1714 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1716 SSL_READ_EARLY_DATA_SUCCESS)
1717 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1720 /* Write more data from server and read it from client */
1721 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1723 || !TEST_size_t_eq(written, strlen(MSG4))
1724 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1725 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1729 * If client writes normal data it should mean writing early data is no
1732 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1733 || !TEST_size_t_eq(written, strlen(MSG5))
1734 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1735 SSL_EARLY_DATA_ACCEPTED))
1739 * At this point the client has written EndOfEarlyData, ClientFinished and
1740 * normal (fully protected) data. We are going to cause a delay between the
1741 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1742 * in the read BIO, and then just put back the EndOfEarlyData message.
1744 rbio = SSL_get_rbio(serverssl);
1745 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1746 || !TEST_size_t_lt(rawread, sizeof(data))
1747 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1750 /* Record length is in the 4th and 5th bytes of the record header */
1751 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1752 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1753 || !TEST_size_t_eq(rawwritten, eoedlen))
1756 /* Server should be told that there is no more early data */
1757 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1759 SSL_READ_EARLY_DATA_FINISH)
1760 || !TEST_size_t_eq(readbytes, 0))
1764 * Server has not finished init yet, so should still be able to write early
1767 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1769 || !TEST_size_t_eq(written, strlen(MSG6)))
1772 /* Push the ClientFinished and the normal data back into the server rbio */
1773 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1775 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1778 /* Server should be able to read normal data */
1779 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1780 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1783 /* Client and server should not be able to write/read early data now */
1784 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1788 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1790 SSL_READ_EARLY_DATA_ERROR))
1794 /* Client should be able to read the data sent by the server */
1795 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1796 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1800 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1801 * We attempt a read which we do not expect to return any data.
1803 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1806 /* Server should be able to write normal data */
1807 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1808 || !TEST_size_t_eq(written, strlen(MSG7))
1809 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1810 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1813 /* We keep the PSK session around if using PSK */
1815 SSL_SESSION_free(sess);
1816 sess = SSL_get1_session(clientssl);
1817 use_session_cb_cnt = 0;
1818 find_session_cb_cnt = 0;
1820 SSL_shutdown(clientssl);
1821 SSL_shutdown(serverssl);
1822 SSL_free(serverssl);
1823 SSL_free(clientssl);
1824 serverssl = clientssl = NULL;
1825 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1826 &clientssl, NULL, NULL))
1827 || !TEST_true(SSL_set_session(clientssl, sess)))
1830 /* Write and read some early data */
1831 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1833 || !TEST_size_t_eq(written, strlen(MSG1))
1834 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1836 SSL_READ_EARLY_DATA_SUCCESS)
1837 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1840 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1841 || !TEST_int_gt(SSL_accept(serverssl), 0))
1844 /* Client and server should not be able to write/read early data now */
1845 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1849 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1851 SSL_READ_EARLY_DATA_ERROR))
1855 /* Client and server should be able to write/read normal data */
1856 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1857 || !TEST_size_t_eq(written, strlen(MSG5))
1858 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1859 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1865 if (sess != clientpsk)
1866 SSL_SESSION_free(sess);
1867 SSL_SESSION_free(clientpsk);
1868 SSL_SESSION_free(serverpsk);
1869 clientpsk = serverpsk = NULL;
1870 SSL_free(serverssl);
1871 SSL_free(clientssl);
1877 static int test_early_data_replay(int idx)
1879 SSL_CTX *cctx = NULL, *sctx = NULL;
1880 SSL *clientssl = NULL, *serverssl = NULL;
1882 SSL_SESSION *sess = NULL;
1884 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1885 &serverssl, &sess, idx)))
1889 * The server is configured to accept early data. Create a connection to
1890 * "use up" the ticket
1892 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
1893 || !TEST_true(SSL_session_reused(clientssl)))
1896 SSL_shutdown(clientssl);
1897 SSL_shutdown(serverssl);
1898 SSL_free(serverssl);
1899 SSL_free(clientssl);
1900 serverssl = clientssl = NULL;
1902 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1903 &clientssl, NULL, NULL))
1904 || !TEST_true(SSL_set_session(clientssl, sess))
1905 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1908 * This time we should not have resumed the session because we
1909 * already used it once.
1911 || !TEST_false(SSL_session_reused(clientssl)))
1917 if (sess != clientpsk)
1918 SSL_SESSION_free(sess);
1919 SSL_SESSION_free(clientpsk);
1920 SSL_SESSION_free(serverpsk);
1921 clientpsk = serverpsk = NULL;
1922 SSL_free(serverssl);
1923 SSL_free(clientssl);
1930 * Helper function to test that a server attempting to read early data can
1931 * handle a connection from a client where the early data should be skipped.
1933 static int early_data_skip_helper(int hrr, int idx)
1935 SSL_CTX *cctx = NULL, *sctx = NULL;
1936 SSL *clientssl = NULL, *serverssl = NULL;
1938 SSL_SESSION *sess = NULL;
1939 unsigned char buf[20];
1940 size_t readbytes, written;
1942 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1943 &serverssl, &sess, idx)))
1947 /* Force an HRR to occur */
1948 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1950 } else if (idx == 2) {
1952 * We force early_data rejection by ensuring the PSK identity is
1955 srvid = "Dummy Identity";
1958 * Deliberately corrupt the creation time. We take 20 seconds off the
1959 * time. It could be any value as long as it is not within tolerance.
1960 * This should mean the ticket is rejected.
1962 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
1966 /* Write some early data */
1967 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1969 || !TEST_size_t_eq(written, strlen(MSG1)))
1972 /* Server should reject the early data and skip over it */
1973 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1975 SSL_READ_EARLY_DATA_FINISH)
1976 || !TEST_size_t_eq(readbytes, 0)
1977 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1978 SSL_EARLY_DATA_REJECTED))
1983 * Finish off the handshake. We perform the same writes and reads as
1984 * further down but we expect them to fail due to the incomplete
1987 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1988 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1993 /* Should be able to send normal data despite rejection of early data */
1994 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1995 || !TEST_size_t_eq(written, strlen(MSG2))
1996 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1997 SSL_EARLY_DATA_REJECTED)
1998 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1999 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2005 if (sess != clientpsk)
2006 SSL_SESSION_free(clientpsk);
2007 SSL_SESSION_free(serverpsk);
2008 clientpsk = serverpsk = NULL;
2009 SSL_SESSION_free(sess);
2010 SSL_free(serverssl);
2011 SSL_free(clientssl);
2018 * Test that a server attempting to read early data can handle a connection
2019 * from a client where the early data is not acceptable.
2021 static int test_early_data_skip(int idx)
2023 return early_data_skip_helper(0, idx);
2027 * Test that a server attempting to read early data can handle a connection
2028 * from a client where an HRR occurs.
2030 static int test_early_data_skip_hrr(int idx)
2032 return early_data_skip_helper(1, idx);
2036 * Test that a server attempting to read early data can handle a connection
2037 * from a client that doesn't send any.
2039 static int test_early_data_not_sent(int idx)
2041 SSL_CTX *cctx = NULL, *sctx = NULL;
2042 SSL *clientssl = NULL, *serverssl = NULL;
2044 SSL_SESSION *sess = NULL;
2045 unsigned char buf[20];
2046 size_t readbytes, written;
2048 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2049 &serverssl, &sess, idx)))
2052 /* Write some data - should block due to handshake with server */
2053 SSL_set_connect_state(clientssl);
2054 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2057 /* Server should detect that early data has not been sent */
2058 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2060 SSL_READ_EARLY_DATA_FINISH)
2061 || !TEST_size_t_eq(readbytes, 0)
2062 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2063 SSL_EARLY_DATA_NOT_SENT)
2064 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2065 SSL_EARLY_DATA_NOT_SENT))
2068 /* Continue writing the message we started earlier */
2069 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2070 || !TEST_size_t_eq(written, strlen(MSG1))
2071 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2072 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2073 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2074 || !TEST_size_t_eq(written, strlen(MSG2)))
2078 * Should block due to the NewSessionTicket arrival unless we're using
2082 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2086 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2087 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2093 /* If using PSK then clientpsk and sess are the same */
2094 SSL_SESSION_free(sess);
2095 SSL_SESSION_free(serverpsk);
2096 clientpsk = serverpsk = NULL;
2097 SSL_free(serverssl);
2098 SSL_free(clientssl);
2104 static int hostname_cb(SSL *s, int *al, void *arg)
2106 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2108 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2109 return SSL_TLSEXT_ERR_OK;
2111 return SSL_TLSEXT_ERR_NOACK;
2114 static const char *servalpn;
2116 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2117 unsigned char *outlen, const unsigned char *in,
2118 unsigned int inlen, void *arg)
2120 unsigned int protlen = 0;
2121 const unsigned char *prot;
2123 for (prot = in; prot < in + inlen; prot += protlen) {
2125 if (in + inlen < prot + protlen)
2126 return SSL_TLSEXT_ERR_NOACK;
2128 if (protlen == strlen(servalpn)
2129 && memcmp(prot, servalpn, protlen) == 0) {
2132 return SSL_TLSEXT_ERR_OK;
2136 return SSL_TLSEXT_ERR_NOACK;
2139 /* Test that a PSK can be used to send early_data */
2140 static int test_early_data_psk(int idx)
2142 SSL_CTX *cctx = NULL, *sctx = NULL;
2143 SSL *clientssl = NULL, *serverssl = NULL;
2145 SSL_SESSION *sess = NULL;
2146 unsigned char alpnlist[] = {
2147 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2150 #define GOODALPNLEN 9
2151 #define BADALPNLEN 8
2152 #define GOODALPN (alpnlist)
2153 #define BADALPN (alpnlist + GOODALPNLEN)
2155 unsigned char buf[20];
2156 size_t readbytes, written;
2157 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2158 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2160 /* We always set this up with a final parameter of "2" for PSK */
2161 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2162 &serverssl, &sess, 2)))
2165 servalpn = "goodalpn";
2168 * Note: There is no test for inconsistent SNI with late client detection.
2169 * This is because servers do not acknowledge SNI even if they are using
2170 * it in a resumption handshake - so it is not actually possible for a
2171 * client to detect a problem.
2175 /* Set inconsistent SNI (early client detection) */
2176 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2177 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2178 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2183 /* Set inconsistent ALPN (early client detection) */
2184 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2185 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2186 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2188 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2195 * Set invalid protocol version. Technically this affects PSKs without
2196 * early_data too, but we test it here because it is similar to the
2197 * SNI/ALPN consistency tests.
2199 err = SSL_R_BAD_PSK;
2200 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2206 * Set inconsistent SNI (server detected). In this case the connection
2207 * will succeed but reject early_data.
2209 SSL_SESSION_free(serverpsk);
2210 serverpsk = SSL_SESSION_dup(clientpsk);
2211 if (!TEST_ptr(serverpsk)
2212 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2214 edstatus = SSL_EARLY_DATA_REJECTED;
2215 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2218 /* Set consistent SNI */
2219 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2220 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2221 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2228 * Set inconsistent ALPN (server detected). In this case the connection
2229 * will succeed but reject early_data.
2231 servalpn = "badalpn";
2232 edstatus = SSL_EARLY_DATA_REJECTED;
2233 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2237 * Set consistent ALPN.
2238 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2239 * accepts a list of protos (each one length prefixed).
2240 * SSL_set1_alpn_selected accepts a single protocol (not length
2243 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2245 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2249 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2253 /* Set inconsistent ALPN (late client detection) */
2254 SSL_SESSION_free(serverpsk);
2255 serverpsk = SSL_SESSION_dup(clientpsk);
2256 if (!TEST_ptr(serverpsk)
2257 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2260 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2263 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2266 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2267 edstatus = SSL_EARLY_DATA_ACCEPTED;
2268 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2269 /* SSL_connect() call should fail */
2274 TEST_error("Bad test index");
2278 SSL_set_connect_state(clientssl);
2280 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2282 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2283 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2286 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2290 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2291 &readbytes), readearlyres)
2292 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2293 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2294 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2295 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2302 SSL_SESSION_free(clientpsk);
2303 SSL_SESSION_free(serverpsk);
2304 clientpsk = serverpsk = NULL;
2305 SSL_free(serverssl);
2306 SSL_free(clientssl);
2313 * Test that a server that doesn't try to read early data can handle a
2314 * client sending some.
2316 static int test_early_data_not_expected(int idx)
2318 SSL_CTX *cctx = NULL, *sctx = NULL;
2319 SSL *clientssl = NULL, *serverssl = NULL;
2321 SSL_SESSION *sess = NULL;
2322 unsigned char buf[20];
2323 size_t readbytes, written;
2325 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2326 &serverssl, &sess, idx)))
2329 /* Write some early data */
2330 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2335 * Server should skip over early data and then block waiting for client to
2336 * continue handshake
2338 if (!TEST_int_le(SSL_accept(serverssl), 0)
2339 || !TEST_int_gt(SSL_connect(clientssl), 0)
2340 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2341 SSL_EARLY_DATA_REJECTED)
2342 || !TEST_int_gt(SSL_accept(serverssl), 0)
2343 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2344 SSL_EARLY_DATA_REJECTED))
2347 /* Send some normal data from client to server */
2348 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2349 || !TEST_size_t_eq(written, strlen(MSG2)))
2352 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2353 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2359 /* If using PSK then clientpsk and sess are the same */
2360 SSL_SESSION_free(sess);
2361 SSL_SESSION_free(serverpsk);
2362 clientpsk = serverpsk = NULL;
2363 SSL_free(serverssl);
2364 SSL_free(clientssl);
2371 # ifndef OPENSSL_NO_TLS1_2
2373 * Test that a server attempting to read early data can handle a connection
2374 * from a TLSv1.2 client.
2376 static int test_early_data_tls1_2(int idx)
2378 SSL_CTX *cctx = NULL, *sctx = NULL;
2379 SSL *clientssl = NULL, *serverssl = NULL;
2381 unsigned char buf[20];
2382 size_t readbytes, written;
2384 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2385 &serverssl, NULL, idx)))
2388 /* Write some data - should block due to handshake with server */
2389 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2390 SSL_set_connect_state(clientssl);
2391 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2395 * Server should do TLSv1.2 handshake. First it will block waiting for more
2396 * messages from client after ServerDone. Then SSL_read_early_data should
2397 * finish and detect that early data has not been sent
2399 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2401 SSL_READ_EARLY_DATA_ERROR))
2405 * Continue writing the message we started earlier. Will still block waiting
2406 * for the CCS/Finished from server
2408 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2409 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2411 SSL_READ_EARLY_DATA_FINISH)
2412 || !TEST_size_t_eq(readbytes, 0)
2413 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2414 SSL_EARLY_DATA_NOT_SENT))
2417 /* Continue writing the message we started earlier */
2418 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2419 || !TEST_size_t_eq(written, strlen(MSG1))
2420 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2421 SSL_EARLY_DATA_NOT_SENT)
2422 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2423 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2424 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2425 || !TEST_size_t_eq(written, strlen(MSG2))
2426 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2427 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2433 /* If using PSK then clientpsk and sess are the same */
2434 SSL_SESSION_free(clientpsk);
2435 SSL_SESSION_free(serverpsk);
2436 clientpsk = serverpsk = NULL;
2437 SSL_free(serverssl);
2438 SSL_free(clientssl);
2444 # endif /* OPENSSL_NO_TLS1_2 */
2447 * Test configuring the TLSv1.3 ciphersuites
2449 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2450 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2451 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2452 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2453 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2454 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2455 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2456 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2457 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2458 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2460 static int test_set_ciphersuite(int idx)
2462 SSL_CTX *cctx = NULL, *sctx = NULL;
2463 SSL *clientssl = NULL, *serverssl = NULL;
2466 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2467 TLS1_VERSION, TLS_MAX_VERSION,
2468 &sctx, &cctx, cert, privkey))
2469 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2470 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2473 if (idx >=4 && idx <= 7) {
2474 /* SSL_CTX explicit cipher list */
2475 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2479 if (idx == 0 || idx == 4) {
2480 /* Default ciphersuite */
2481 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2482 "TLS_AES_128_GCM_SHA256")))
2484 } else if (idx == 1 || idx == 5) {
2485 /* Non default ciphersuite */
2486 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2487 "TLS_AES_128_CCM_SHA256")))
2491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2492 &clientssl, NULL, NULL)))
2495 if (idx == 8 || idx == 9) {
2496 /* SSL explicit cipher list */
2497 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2501 if (idx == 2 || idx == 6 || idx == 8) {
2502 /* Default ciphersuite */
2503 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2504 "TLS_AES_128_GCM_SHA256")))
2506 } else if (idx == 3 || idx == 7 || idx == 9) {
2507 /* Non default ciphersuite */
2508 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2509 "TLS_AES_128_CCM_SHA256")))
2513 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2519 SSL_free(serverssl);
2520 SSL_free(clientssl);
2527 static int test_ciphersuite_change(void)
2529 SSL_CTX *cctx = NULL, *sctx = NULL;
2530 SSL *clientssl = NULL, *serverssl = NULL;
2531 SSL_SESSION *clntsess = NULL;
2533 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2535 /* Create a session based on SHA-256 */
2536 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2537 TLS1_VERSION, TLS_MAX_VERSION,
2538 &sctx, &cctx, cert, privkey))
2539 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2540 "TLS_AES_128_GCM_SHA256"))
2541 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2542 &clientssl, NULL, NULL))
2543 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2547 clntsess = SSL_get1_session(clientssl);
2548 /* Save for later */
2549 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2550 SSL_shutdown(clientssl);
2551 SSL_shutdown(serverssl);
2552 SSL_free(serverssl);
2553 SSL_free(clientssl);
2554 serverssl = clientssl = NULL;
2556 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2557 /* Check we can resume a session with a different SHA-256 ciphersuite */
2558 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2559 "TLS_CHACHA20_POLY1305_SHA256"))
2560 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2562 || !TEST_true(SSL_set_session(clientssl, clntsess))
2563 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2565 || !TEST_true(SSL_session_reused(clientssl)))
2568 SSL_SESSION_free(clntsess);
2569 clntsess = SSL_get1_session(clientssl);
2570 SSL_shutdown(clientssl);
2571 SSL_shutdown(serverssl);
2572 SSL_free(serverssl);
2573 SSL_free(clientssl);
2574 serverssl = clientssl = NULL;
2578 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2579 * succeeds but does not resume.
2581 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2582 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2584 || !TEST_true(SSL_set_session(clientssl, clntsess))
2585 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2587 || !TEST_false(SSL_session_reused(clientssl)))
2590 SSL_SESSION_free(clntsess);
2592 SSL_shutdown(clientssl);
2593 SSL_shutdown(serverssl);
2594 SSL_free(serverssl);
2595 SSL_free(clientssl);
2596 serverssl = clientssl = NULL;
2598 /* Create a session based on SHA384 */
2599 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2600 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2601 &clientssl, NULL, NULL))
2602 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2606 clntsess = SSL_get1_session(clientssl);
2607 SSL_shutdown(clientssl);
2608 SSL_shutdown(serverssl);
2609 SSL_free(serverssl);
2610 SSL_free(clientssl);
2611 serverssl = clientssl = NULL;
2613 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2614 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2615 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2616 "TLS_AES_256_GCM_SHA384"))
2617 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2619 || !TEST_true(SSL_set_session(clientssl, clntsess))
2621 * We use SSL_ERROR_WANT_READ below so that we can pause the
2622 * connection after the initial ClientHello has been sent to
2623 * enable us to make some session changes.
2625 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2626 SSL_ERROR_WANT_READ)))
2629 /* Trick the client into thinking this session is for a different digest */
2630 clntsess->cipher = aes_128_gcm_sha256;
2631 clntsess->cipher_id = clntsess->cipher->id;
2634 * Continue the previously started connection. Server has selected a SHA-384
2635 * ciphersuite, but client thinks the session is for SHA-256, so it should
2638 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2640 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2641 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2647 SSL_SESSION_free(clntsess);
2648 SSL_free(serverssl);
2649 SSL_free(clientssl);
2656 static int test_tls13_psk(int idx)
2658 SSL_CTX *sctx = NULL, *cctx = NULL;
2659 SSL *serverssl = NULL, *clientssl = NULL;
2660 const SSL_CIPHER *cipher = NULL;
2661 const unsigned char key[] = {
2662 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2663 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2664 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2665 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2669 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2670 TLS1_VERSION, TLS_MAX_VERSION,
2671 &sctx, &cctx, cert, privkey)))
2675 * We use a ciphersuite with SHA256 to ease testing old style PSK callbacks
2676 * which will always default to SHA256
2678 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")))
2682 * Test 0: New style callbacks only
2683 * Test 1: New and old style callbacks (only the new ones should be used)
2684 * Test 2: Old style callbacks only
2686 if (idx == 0 || idx == 1) {
2687 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2688 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2690 #ifndef OPENSSL_NO_PSK
2691 if (idx == 1 || idx == 2) {
2692 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2693 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2697 use_session_cb_cnt = 0;
2698 find_session_cb_cnt = 0;
2699 psk_client_cb_cnt = 0;
2700 psk_server_cb_cnt = 0;
2702 /* Check we can create a connection if callback decides not to send a PSK */
2703 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2705 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2707 || !TEST_false(SSL_session_reused(clientssl))
2708 || !TEST_false(SSL_session_reused(serverssl)))
2711 if (idx == 0 || idx == 1) {
2712 if (!TEST_true(use_session_cb_cnt == 1)
2713 || !TEST_true(find_session_cb_cnt == 0)
2715 * If no old style callback then below should be 0
2718 || !TEST_true(psk_client_cb_cnt == idx)
2719 || !TEST_true(psk_server_cb_cnt == 0))
2722 if (!TEST_true(use_session_cb_cnt == 0)
2723 || !TEST_true(find_session_cb_cnt == 0)
2724 || !TEST_true(psk_client_cb_cnt == 1)
2725 || !TEST_true(psk_server_cb_cnt == 0))
2729 shutdown_ssl_connection(serverssl, clientssl);
2730 serverssl = clientssl = NULL;
2731 use_session_cb_cnt = psk_client_cb_cnt = 0;
2733 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2737 /* Create the PSK */
2738 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
2739 clientpsk = SSL_SESSION_new();
2740 if (!TEST_ptr(clientpsk)
2741 || !TEST_ptr(cipher)
2742 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2744 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2745 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2747 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2749 serverpsk = clientpsk;
2751 /* Check we can create a connection and the PSK is used */
2752 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2753 || !TEST_true(SSL_session_reused(clientssl))
2754 || !TEST_true(SSL_session_reused(serverssl)))
2757 if (idx == 0 || idx == 1) {
2758 if (!TEST_true(use_session_cb_cnt == 1)
2759 || !TEST_true(find_session_cb_cnt == 1)
2760 || !TEST_true(psk_client_cb_cnt == 0)
2761 || !TEST_true(psk_server_cb_cnt == 0))
2764 if (!TEST_true(use_session_cb_cnt == 0)
2765 || !TEST_true(find_session_cb_cnt == 0)
2766 || !TEST_true(psk_client_cb_cnt == 1)
2767 || !TEST_true(psk_server_cb_cnt == 1))
2771 shutdown_ssl_connection(serverssl, clientssl);
2772 serverssl = clientssl = NULL;
2773 use_session_cb_cnt = find_session_cb_cnt = 0;
2774 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2776 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2781 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2785 * Check we can create a connection, the PSK is used and the callbacks are
2788 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2789 || !TEST_true(SSL_session_reused(clientssl))
2790 || !TEST_true(SSL_session_reused(serverssl)))
2793 if (idx == 0 || idx == 1) {
2794 if (!TEST_true(use_session_cb_cnt == 2)
2795 || !TEST_true(find_session_cb_cnt == 2)
2796 || !TEST_true(psk_client_cb_cnt == 0)
2797 || !TEST_true(psk_server_cb_cnt == 0))
2800 if (!TEST_true(use_session_cb_cnt == 0)
2801 || !TEST_true(find_session_cb_cnt == 0)
2802 || !TEST_true(psk_client_cb_cnt == 2)
2803 || !TEST_true(psk_server_cb_cnt == 2))
2807 shutdown_ssl_connection(serverssl, clientssl);
2808 serverssl = clientssl = NULL;
2809 use_session_cb_cnt = find_session_cb_cnt = 0;
2810 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2813 * Check that if the server rejects the PSK we can still connect, but with
2816 srvid = "Dummy Identity";
2817 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2819 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2821 || !TEST_false(SSL_session_reused(clientssl))
2822 || !TEST_false(SSL_session_reused(serverssl)))
2825 if (idx == 0 || idx == 1) {
2826 if (!TEST_true(use_session_cb_cnt == 1)
2827 || !TEST_true(find_session_cb_cnt == 1)
2828 || !TEST_true(psk_client_cb_cnt == 0)
2830 * If no old style callback then below should be 0
2833 || !TEST_true(psk_server_cb_cnt == idx))
2836 if (!TEST_true(use_session_cb_cnt == 0)
2837 || !TEST_true(find_session_cb_cnt == 0)
2838 || !TEST_true(psk_client_cb_cnt == 1)
2839 || !TEST_true(psk_server_cb_cnt == 1))
2843 shutdown_ssl_connection(serverssl, clientssl);
2844 serverssl = clientssl = NULL;
2848 SSL_SESSION_free(clientpsk);
2849 SSL_SESSION_free(serverpsk);
2850 clientpsk = serverpsk = NULL;
2851 SSL_free(serverssl);
2852 SSL_free(clientssl);
2858 static unsigned char cookie_magic_value[] = "cookie magic";
2860 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2861 unsigned int *cookie_len)
2864 * Not suitable as a real cookie generation function but good enough for
2867 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
2868 *cookie_len = sizeof(cookie_magic_value) - 1;
2873 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
2874 unsigned int cookie_len)
2876 if (cookie_len == sizeof(cookie_magic_value) - 1
2877 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
2883 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
2887 int res = generate_cookie_callback(ssl, cookie, &temp);
2892 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
2895 return verify_cookie_callback(ssl, cookie, cookie_len);
2898 static int test_stateless(void)
2900 SSL_CTX *sctx = NULL, *cctx = NULL;
2901 SSL *serverssl = NULL, *clientssl = NULL;
2904 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2905 TLS1_VERSION, TLS_MAX_VERSION,
2906 &sctx, &cctx, cert, privkey)))
2909 /* The arrival of CCS messages can confuse the test */
2910 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
2912 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2914 /* Send the first ClientHello */
2915 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2916 SSL_ERROR_WANT_READ))
2918 * This should fail with a -1 return because we have no callbacks
2921 || !TEST_int_eq(SSL_stateless(serverssl), -1))
2924 /* Fatal error so abandon the connection from this client */
2925 SSL_free(clientssl);
2928 /* Set up the cookie generation and verification callbacks */
2929 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
2930 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
2933 * Create a new connection from the client (we can reuse the server SSL
2936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2938 /* Send the first ClientHello */
2939 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2940 SSL_ERROR_WANT_READ))
2941 /* This should fail because there is no cookie */
2942 || !TEST_int_eq(SSL_stateless(serverssl), 0))
2945 /* Abandon the connection from this client */
2946 SSL_free(clientssl);
2950 * Now create a connection from a new client but with the same server SSL
2953 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2955 /* Send the first ClientHello */
2956 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2957 SSL_ERROR_WANT_READ))
2958 /* This should fail because there is no cookie */
2959 || !TEST_int_eq(SSL_stateless(serverssl), 0)
2960 /* Send the second ClientHello */
2961 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2962 SSL_ERROR_WANT_READ))
2963 /* This should succeed because a cookie is now present */
2964 || !TEST_int_eq(SSL_stateless(serverssl), 1)
2965 /* Complete the connection */
2966 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2970 shutdown_ssl_connection(serverssl, clientssl);
2971 serverssl = clientssl = NULL;
2975 SSL_free(serverssl);
2976 SSL_free(clientssl);
2982 #endif /* OPENSSL_NO_TLS1_3 */
2984 static int clntaddoldcb = 0;
2985 static int clntparseoldcb = 0;
2986 static int srvaddoldcb = 0;
2987 static int srvparseoldcb = 0;
2988 static int clntaddnewcb = 0;
2989 static int clntparsenewcb = 0;
2990 static int srvaddnewcb = 0;
2991 static int srvparsenewcb = 0;
2992 static int snicb = 0;
2994 #define TEST_EXT_TYPE1 0xff00
2996 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2997 size_t *outlen, int *al, void *add_arg)
2999 int *server = (int *)add_arg;
3000 unsigned char *data;
3002 if (SSL_is_server(s))
3007 if (*server != SSL_is_server(s)
3008 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3013 *outlen = sizeof(char);
3017 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3020 OPENSSL_free((unsigned char *)out);
3023 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3024 size_t inlen, int *al, void *parse_arg)
3026 int *server = (int *)parse_arg;
3028 if (SSL_is_server(s))
3033 if (*server != SSL_is_server(s)
3034 || inlen != sizeof(char)
3041 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3042 const unsigned char **out, size_t *outlen, X509 *x,
3043 size_t chainidx, int *al, void *add_arg)
3045 int *server = (int *)add_arg;
3046 unsigned char *data;
3048 if (SSL_is_server(s))
3053 if (*server != SSL_is_server(s)
3054 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3059 *outlen = sizeof(*data);
3063 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3064 const unsigned char *out, void *add_arg)
3066 OPENSSL_free((unsigned char *)out);
3069 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3070 const unsigned char *in, size_t inlen, X509 *x,
3071 size_t chainidx, int *al, void *parse_arg)
3073 int *server = (int *)parse_arg;
3075 if (SSL_is_server(s))
3080 if (*server != SSL_is_server(s)
3081 || inlen != sizeof(char) || *in != 1)
3087 static int sni_cb(SSL *s, int *al, void *arg)
3089 SSL_CTX *ctx = (SSL_CTX *)arg;
3091 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3092 *al = SSL_AD_INTERNAL_ERROR;
3093 return SSL_TLSEXT_ERR_ALERT_FATAL;
3096 return SSL_TLSEXT_ERR_OK;
3100 * Custom call back tests.
3101 * Test 0: Old style callbacks in TLSv1.2
3102 * Test 1: New style callbacks in TLSv1.2
3103 * Test 2: New style callbacks in TLSv1.2 with SNI
3104 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3105 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3107 static int test_custom_exts(int tst)
3109 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3110 SSL *clientssl = NULL, *serverssl = NULL;
3112 static int server = 1;
3113 static int client = 0;
3114 SSL_SESSION *sess = NULL;
3115 unsigned int context;
3117 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3118 /* Skip tests for TLSv1.2 and below in this case */
3123 /* Reset callback counters */
3124 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3125 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3128 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3129 TLS1_VERSION, TLS_MAX_VERSION,
3130 &sctx, &cctx, cert, privkey)))
3134 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3135 TLS1_VERSION, TLS_MAX_VERSION,
3136 &sctx2, NULL, cert, privkey)))
3141 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3142 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3144 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3148 context = SSL_EXT_CLIENT_HELLO
3149 | SSL_EXT_TLS1_2_SERVER_HELLO
3150 | SSL_EXT_TLS1_3_SERVER_HELLO
3151 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3152 | SSL_EXT_TLS1_3_CERTIFICATE
3153 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3155 context = SSL_EXT_CLIENT_HELLO
3156 | SSL_EXT_TLS1_2_SERVER_HELLO
3157 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3160 /* Create a client side custom extension */
3162 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3163 old_add_cb, old_free_cb,
3164 &client, old_parse_cb,
3168 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3169 new_add_cb, new_free_cb,
3170 &client, new_parse_cb, &client)))
3174 /* Should not be able to add duplicates */
3175 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3176 old_add_cb, old_free_cb,
3177 &client, old_parse_cb,
3179 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3180 context, new_add_cb,
3181 new_free_cb, &client,
3182 new_parse_cb, &client)))
3185 /* Create a server side custom extension */
3187 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3188 old_add_cb, old_free_cb,
3189 &server, old_parse_cb,
3193 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3194 new_add_cb, new_free_cb,
3195 &server, new_parse_cb, &server)))
3198 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3199 context, new_add_cb,
3200 new_free_cb, &server,
3201 new_parse_cb, &server)))
3205 /* Should not be able to add duplicates */
3206 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3207 old_add_cb, old_free_cb,
3208 &server, old_parse_cb,
3210 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3211 context, new_add_cb,
3212 new_free_cb, &server,
3213 new_parse_cb, &server)))
3218 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3219 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3223 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3224 &clientssl, NULL, NULL))
3225 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3230 if (clntaddoldcb != 1
3231 || clntparseoldcb != 1
3233 || srvparseoldcb != 1)
3235 } else if (tst == 1 || tst == 2 || tst == 3) {
3236 if (clntaddnewcb != 1
3237 || clntparsenewcb != 1
3239 || srvparsenewcb != 1
3240 || (tst != 2 && snicb != 0)
3241 || (tst == 2 && snicb != 1))
3244 if (clntaddnewcb != 1
3245 || clntparsenewcb != 4
3247 || srvparsenewcb != 1)
3251 sess = SSL_get1_session(clientssl);
3252 SSL_shutdown(clientssl);
3253 SSL_shutdown(serverssl);
3254 SSL_free(serverssl);
3255 SSL_free(clientssl);
3256 serverssl = clientssl = NULL;
3259 /* We don't bother with the resumption aspects for this test */
3264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3266 || !TEST_true(SSL_set_session(clientssl, sess))
3267 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3272 * For a resumed session we expect to add the ClientHello extension. For the
3273 * old style callbacks we ignore it on the server side because they set
3274 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3278 if (clntaddoldcb != 2
3279 || clntparseoldcb != 1
3281 || srvparseoldcb != 1)
3283 } else if (tst == 1 || tst == 2 || tst == 3) {
3284 if (clntaddnewcb != 2
3285 || clntparsenewcb != 2
3287 || srvparsenewcb != 2)
3290 /* No Certificate message extensions in the resumption handshake */
3291 if (clntaddnewcb != 2
3292 || clntparsenewcb != 7
3294 || srvparsenewcb != 2)
3301 SSL_SESSION_free(sess);
3302 SSL_free(serverssl);
3303 SSL_free(clientssl);
3304 SSL_CTX_free(sctx2);
3311 * Test loading of serverinfo data in various formats. test_sslmessages actually
3312 * tests to make sure the extensions appear in the handshake
3314 static int test_serverinfo(int tst)
3316 unsigned int version;
3317 unsigned char *sibuf;
3319 int ret, expected, testresult = 0;
3322 ctx = SSL_CTX_new(TLS_method());
3326 if ((tst & 0x01) == 0x01)
3327 version = SSL_SERVERINFOV2;
3329 version = SSL_SERVERINFOV1;
3331 if ((tst & 0x02) == 0x02) {
3332 sibuf = serverinfov2;
3333 sibuflen = sizeof(serverinfov2);
3334 expected = (version == SSL_SERVERINFOV2);
3336 sibuf = serverinfov1;
3337 sibuflen = sizeof(serverinfov1);
3338 expected = (version == SSL_SERVERINFOV1);
3341 if ((tst & 0x04) == 0x04) {
3342 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3344 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3347 * The version variable is irrelevant in this case - it's what is in the
3348 * buffer that matters
3350 if ((tst & 0x02) == 0x02)
3356 if (!TEST_true(ret == expected))
3368 * Test that SSL_export_keying_material() produces expected results. There are
3369 * no test vectors so all we do is test that both sides of the communication
3370 * produce the same results for different protocol versions.
3372 static int test_export_key_mat(int tst)
3375 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3376 SSL *clientssl = NULL, *serverssl = NULL;
3377 const char label[] = "test label";
3378 const unsigned char context[] = "context";
3379 const unsigned char *emptycontext = NULL;
3380 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3381 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3382 const int protocols[] = {
3389 #ifdef OPENSSL_NO_TLS1
3393 #ifdef OPENSSL_NO_TLS1_1
3397 #ifdef OPENSSL_NO_TLS1_2
3401 #ifdef OPENSSL_NO_TLS1_3
3405 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3406 TLS1_VERSION, TLS_MAX_VERSION,
3407 &sctx, &cctx, cert, privkey)))
3410 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3411 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3412 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3414 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3416 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3420 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3421 sizeof(ckeymat1), label,
3422 sizeof(label) - 1, context,
3423 sizeof(context) - 1, 1), 1)
3424 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3425 sizeof(ckeymat2), label,
3429 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3430 sizeof(ckeymat3), label,
3433 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3434 sizeof(skeymat1), label,
3437 sizeof(context) -1, 1),
3439 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3440 sizeof(skeymat2), label,
3444 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3445 sizeof(skeymat3), label,
3449 * Check that both sides created the same key material with the
3452 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3455 * Check that both sides created the same key material with an
3458 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3461 * Check that both sides created the same key material without a
3464 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3466 /* Different contexts should produce different results */
3467 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3472 * Check that an empty context and no context produce different results in
3473 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3475 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3477 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3484 SSL_free(serverssl);
3485 SSL_free(clientssl);
3486 SSL_CTX_free(sctx2);
3493 #ifndef OPENSSL_NO_TLS1_3
3495 * Test that SSL_export_keying_material_early() produces expected
3496 * results. There are no test vectors so all we do is test that both
3497 * sides of the communication produce the same results for different
3498 * protocol versions.
3500 static int test_export_key_mat_early(int idx)
3502 static const char label[] = "test label";
3503 static const unsigned char context[] = "context";
3505 SSL_CTX *cctx = NULL, *sctx = NULL;
3506 SSL *clientssl = NULL, *serverssl = NULL;
3507 SSL_SESSION *sess = NULL;
3508 const unsigned char *emptycontext = NULL;
3509 unsigned char ckeymat1[80], ckeymat2[80];
3510 unsigned char skeymat1[80], skeymat2[80];
3511 unsigned char buf[1];
3512 size_t readbytes, written;
3514 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3518 /* Here writing 0 length early data is enough. */
3519 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3520 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3522 SSL_READ_EARLY_DATA_ERROR)
3523 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3524 SSL_EARLY_DATA_ACCEPTED))
3527 if (!TEST_int_eq(SSL_export_keying_material_early(
3528 clientssl, ckeymat1, sizeof(ckeymat1), label,
3529 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3530 || !TEST_int_eq(SSL_export_keying_material_early(
3531 clientssl, ckeymat2, sizeof(ckeymat2), label,
3532 sizeof(label) - 1, emptycontext, 0), 1)
3533 || !TEST_int_eq(SSL_export_keying_material_early(
3534 serverssl, skeymat1, sizeof(skeymat1), label,
3535 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3536 || !TEST_int_eq(SSL_export_keying_material_early(
3537 serverssl, skeymat2, sizeof(skeymat2), label,
3538 sizeof(label) - 1, emptycontext, 0), 1)
3540 * Check that both sides created the same key material with the
3543 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3546 * Check that both sides created the same key material with an
3549 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3551 /* Different contexts should produce different results */
3552 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3559 if (sess != clientpsk)
3560 SSL_SESSION_free(sess);
3561 SSL_SESSION_free(clientpsk);
3562 SSL_SESSION_free(serverpsk);
3563 clientpsk = serverpsk = NULL;
3564 SSL_free(serverssl);
3565 SSL_free(clientssl);
3571 #endif /* OPENSSL_NO_TLS1_3 */
3573 static int test_ssl_clear(int idx)
3575 SSL_CTX *cctx = NULL, *sctx = NULL;
3576 SSL *clientssl = NULL, *serverssl = NULL;
3579 #ifdef OPENSSL_NO_TLS1_2
3584 /* Create an initial connection */
3585 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3586 TLS1_VERSION, TLS_MAX_VERSION,
3587 &sctx, &cctx, cert, privkey))
3589 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3591 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3592 &clientssl, NULL, NULL))
3593 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3597 SSL_shutdown(clientssl);
3598 SSL_shutdown(serverssl);
3599 SSL_free(serverssl);
3602 /* Clear clientssl - we're going to reuse the object */
3603 if (!TEST_true(SSL_clear(clientssl)))
3606 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3608 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3610 || !TEST_true(SSL_session_reused(clientssl)))
3613 SSL_shutdown(clientssl);
3614 SSL_shutdown(serverssl);
3619 SSL_free(serverssl);
3620 SSL_free(clientssl);
3627 /* Parse CH and retrieve any MFL extension value if present */
3628 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3631 unsigned char *data;
3632 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3633 unsigned int MFL_code = 0, type = 0;
3635 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3638 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3639 /* Skip the record header */
3640 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3641 /* Skip the handshake message header */
3642 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3643 /* Skip client version and random */
3644 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3645 + SSL3_RANDOM_SIZE))
3646 /* Skip session id */
3647 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3649 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3650 /* Skip compression */
3651 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3652 /* Extensions len */
3653 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3656 /* Loop through all extensions */
3657 while (PACKET_remaining(&pkt2)) {
3658 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3659 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3662 if (type == TLSEXT_TYPE_max_fragment_length) {
3663 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3664 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3667 *mfl_codemfl_code = MFL_code;
3676 /* Maximum-Fragment-Length TLS extension mode to test */
3677 static const unsigned char max_fragment_len_test[] = {
3678 TLSEXT_max_fragment_length_512,
3679 TLSEXT_max_fragment_length_1024,
3680 TLSEXT_max_fragment_length_2048,
3681 TLSEXT_max_fragment_length_4096
3684 static int test_max_fragment_len_ext(int idx_tst)
3688 int testresult = 0, MFL_mode = 0;
3691 ctx = SSL_CTX_new(TLS_method());
3695 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3696 ctx, max_fragment_len_test[idx_tst])))
3703 rbio = BIO_new(BIO_s_mem());
3704 wbio = BIO_new(BIO_s_mem());
3705 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3711 SSL_set_bio(con, rbio, wbio);
3712 SSL_set_connect_state(con);
3714 if (!TEST_int_le(SSL_connect(con), 0)) {
3715 /* This shouldn't succeed because we don't have a server! */
3719 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3720 /* no MFL in client hello */
3722 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3734 #ifndef OPENSSL_NO_TLS1_3
3735 static int test_pha_key_update(void)
3737 SSL_CTX *cctx = NULL, *sctx = NULL;
3738 SSL *clientssl = NULL, *serverssl = NULL;
3741 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3742 TLS1_VERSION, TLS_MAX_VERSION,
3743 &sctx, &cctx, cert, privkey)))
3746 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3747 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3748 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3749 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3753 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3757 SSL_force_post_handshake_auth(clientssl);
3759 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3763 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3764 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3767 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3770 /* Start handshake on the server */
3771 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3774 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3775 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3779 SSL_shutdown(clientssl);
3780 SSL_shutdown(serverssl);
3785 SSL_free(serverssl);
3786 SSL_free(clientssl);
3793 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
3795 static SRP_VBASE *vbase = NULL;
3797 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
3799 int ret = SSL3_AL_FATAL;
3801 SRP_user_pwd *user = NULL;
3803 username = SSL_get_srp_username(s);
3804 if (username == NULL) {
3805 *ad = SSL_AD_INTERNAL_ERROR;
3809 user = SRP_VBASE_get1_by_user(vbase, username);
3811 *ad = SSL_AD_INTERNAL_ERROR;
3815 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
3817 *ad = SSL_AD_INTERNAL_ERROR;
3824 SRP_user_pwd_free(user);
3828 static int create_new_vfile(char *userid, char *password, const char *filename)
3831 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
3834 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
3837 if (!TEST_ptr(dummy) || !TEST_ptr(row))
3840 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
3841 &row[DB_srpverifier], NULL, NULL);
3842 if (!TEST_ptr(gNid))
3846 * The only way to create an empty TXT_DB is to provide a BIO with no data
3849 db = TXT_DB_read(dummy, DB_NUMBER);
3853 out = BIO_new_file(filename, "w");
3857 row[DB_srpid] = OPENSSL_strdup(userid);
3858 row[DB_srptype] = OPENSSL_strdup("V");
3859 row[DB_srpgN] = OPENSSL_strdup(gNid);
3861 if (!TEST_ptr(row[DB_srpid])
3862 || !TEST_ptr(row[DB_srptype])
3863 || !TEST_ptr(row[DB_srpgN])
3864 || !TEST_true(TXT_DB_insert(db, row)))
3869 if (!TXT_DB_write(out, db))
3875 for (i = 0; i < DB_NUMBER; i++)
3876 OPENSSL_free(row[i]);
3886 static int create_new_vbase(char *userid, char *password)
3888 BIGNUM *verifier = NULL, *salt = NULL;
3889 const SRP_gN *lgN = NULL;
3890 SRP_user_pwd *user_pwd = NULL;
3893 lgN = SRP_get_default_gN(NULL);
3897 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
3901 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
3902 if (!TEST_ptr(user_pwd))
3905 user_pwd->N = lgN->N;
3906 user_pwd->g = lgN->g;
3907 user_pwd->id = OPENSSL_strdup(userid);
3908 if (!TEST_ptr(user_pwd->id))
3911 user_pwd->v = verifier;
3913 verifier = salt = NULL;
3915 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
3921 SRP_user_pwd_free(user_pwd);
3931 * Test 0: Simple successful SRP connection, new vbase
3932 * Test 1: Connection failure due to bad password, new vbase
3933 * Test 2: Simple successful SRP connection, vbase loaded from existing file
3934 * Test 3: Connection failure due to bad password, vbase loaded from existing
3936 * Test 4: Simple successful SRP connection, vbase loaded from new file
3937 * Test 5: Connection failure due to bad password, vbase loaded from new file
3939 static int test_srp(int tst)
3941 char *userid = "test", *password = "password", *tstsrpfile;
3942 SSL_CTX *cctx = NULL, *sctx = NULL;
3943 SSL *clientssl = NULL, *serverssl = NULL;
3944 int ret, testresult = 0;
3946 vbase = SRP_VBASE_new(NULL);
3947 if (!TEST_ptr(vbase))
3950 if (tst == 0 || tst == 1) {
3951 if (!TEST_true(create_new_vbase(userid, password)))
3954 if (tst == 4 || tst == 5) {
3955 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
3957 tstsrpfile = tmpfilename;
3959 tstsrpfile = srpvfile;
3961 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
3965 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3966 TLS1_VERSION, TLS_MAX_VERSION,
3967 &sctx, &cctx, cert, privkey)))
3970 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
3971 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
3972 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
3973 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
3974 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
3978 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
3981 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
3985 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3989 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
3991 if (!TEST_true(tst % 2 == 0))
3994 if (!TEST_true(tst % 2 == 1))
4001 SRP_VBASE_free(vbase);
4003 SSL_free(serverssl);
4004 SSL_free(clientssl);
4012 int setup_tests(void)
4014 if (!TEST_ptr(cert = test_get_argument(0))
4015 || !TEST_ptr(privkey = test_get_argument(1))
4016 || !TEST_ptr(srpvfile = test_get_argument(2))
4017 || !TEST_ptr(tmpfilename = test_get_argument(3)))
4020 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
4021 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
4022 TEST_error("not supported in this build");
4025 int i, mcount, rcount, fcount;
4027 for (i = 0; i < 4; i++)
4028 test_export_key_mat(i);
4029 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
4030 test_printf_stdout("malloc %d realloc %d free %d\n",
4031 mcount, rcount, fcount);
4036 ADD_TEST(test_large_message_tls);
4037 ADD_TEST(test_large_message_tls_read_ahead);
4038 #ifndef OPENSSL_NO_DTLS
4039 ADD_TEST(test_large_message_dtls);
4041 #ifndef OPENSSL_NO_OCSP
4042 ADD_TEST(test_tlsext_status_type);
4044 ADD_TEST(test_session_with_only_int_cache);
4045 ADD_TEST(test_session_with_only_ext_cache);
4046 ADD_TEST(test_session_with_both_cache);
4047 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
4048 ADD_TEST(test_ssl_bio_pop_next_bio);
4049 ADD_TEST(test_ssl_bio_pop_ssl_bio);
4050 ADD_TEST(test_ssl_bio_change_rbio);
4051 ADD_TEST(test_ssl_bio_change_wbio);
4052 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
4053 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
4054 ADD_TEST(test_keylog);
4056 #ifndef OPENSSL_NO_TLS1_3
4057 ADD_TEST(test_keylog_no_master_key);
4059 #ifndef OPENSSL_NO_TLS1_2
4060 ADD_TEST(test_client_hello_cb);
4062 #ifndef OPENSSL_NO_TLS1_3
4063 ADD_ALL_TESTS(test_early_data_read_write, 3);
4065 * We don't do replay tests for external PSK. Replay protection isn't used
4068 ADD_ALL_TESTS(test_early_data_replay, 2);
4069 ADD_ALL_TESTS(test_early_data_skip, 3);
4070 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
4071 ADD_ALL_TESTS(test_early_data_not_sent, 3);
4072 ADD_ALL_TESTS(test_early_data_psk, 8);
4073 ADD_ALL_TESTS(test_early_data_not_expected, 3);
4074 # ifndef OPENSSL_NO_TLS1_2
4075 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
4078 #ifndef OPENSSL_NO_TLS1_3
4079 ADD_ALL_TESTS(test_set_ciphersuite, 10);
4080 ADD_TEST(test_ciphersuite_change);
4081 #ifdef OPENSSL_NO_PSK
4082 ADD_ALL_TESTS(test_tls13_psk, 1);
4084 ADD_ALL_TESTS(test_tls13_psk, 3);
4085 #endif /* OPENSSL_NO_PSK */
4086 ADD_ALL_TESTS(test_custom_exts, 5);
4087 ADD_TEST(test_stateless);
4088 ADD_TEST(test_pha_key_update);
4090 ADD_ALL_TESTS(test_custom_exts, 3);
4092 ADD_ALL_TESTS(test_serverinfo, 8);
4093 ADD_ALL_TESTS(test_export_key_mat, 4);
4094 #ifndef OPENSSL_NO_TLS1_3
4095 ADD_ALL_TESTS(test_export_key_mat_early, 3);
4097 ADD_ALL_TESTS(test_ssl_clear, 2);
4098 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
4099 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4100 ADD_ALL_TESTS(test_srp, 6);
4105 void cleanup_tests(void)
4107 bio_s_mempacket_test_free();