2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
18 #include "ssltestlib.h"
20 #include "internal/nelem.h"
21 #include "../ssl/ssl_locl.h"
23 static char *cert = NULL;
24 static char *privkey = NULL;
26 #define LOG_BUFFER_SIZE 1024
27 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
28 static size_t server_log_buffer_index = 0;
29 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
30 static size_t client_log_buffer_index = 0;
31 static int error_writing_log = 0;
33 #ifndef OPENSSL_NO_OCSP
34 static const unsigned char orespder[] = "Dummy OCSP Response";
35 static int ocsp_server_called = 0;
36 static int ocsp_client_called = 0;
38 static int cdummyarg = 1;
39 static X509 *ocspcert = NULL;
42 #define NUM_EXTRA_CERTS 40
45 * This structure is used to validate that the correct number of log messages
46 * of various types are emitted when emitting secret logs.
48 struct sslapitest_log_counts {
49 unsigned int rsa_key_exchange_count;
50 unsigned int master_secret_count;
51 unsigned int client_handshake_secret_count;
52 unsigned int server_handshake_secret_count;
53 unsigned int client_application_secret_count;
54 unsigned int server_application_secret_count;
58 static unsigned char serverinfov1[] = {
59 0xff, 0xff, /* Dummy extension type */
60 0x00, 0x01, /* Extension length is 1 byte */
61 0xff /* Dummy extension data */
64 static unsigned char serverinfov2[] = {
66 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
67 0xff, 0xff, /* Dummy extension type */
68 0x00, 0x01, /* Extension length is 1 byte */
69 0xff /* Dummy extension data */
72 static void client_keylog_callback(const SSL *ssl, const char *line)
74 int line_length = strlen(line);
76 /* If the log doesn't fit, error out. */
77 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
78 TEST_info("Client log too full");
79 error_writing_log = 1;
83 strcat(client_log_buffer, line);
84 client_log_buffer_index += line_length;
85 client_log_buffer[client_log_buffer_index++] = '\n';
88 static void server_keylog_callback(const SSL *ssl, const char *line)
90 int line_length = strlen(line);
92 /* If the log doesn't fit, error out. */
93 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
94 TEST_info("Server log too full");
95 error_writing_log = 1;
99 strcat(server_log_buffer, line);
100 server_log_buffer_index += line_length;
101 server_log_buffer[server_log_buffer_index++] = '\n';
104 static int compare_hex_encoded_buffer(const char *hex_encoded,
112 if (!TEST_size_t_eq(raw_length * 2, hex_length))
115 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
116 sprintf(hexed, "%02x", raw[i]);
117 if (!TEST_int_eq(hexed[0], hex_encoded[j])
118 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
125 static int test_keylog_output(char *buffer, const SSL *ssl,
126 const SSL_SESSION *session,
127 struct sslapitest_log_counts *expected)
130 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
131 size_t client_random_size = SSL3_RANDOM_SIZE;
132 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
133 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
134 unsigned int rsa_key_exchange_count = 0;
135 unsigned int master_secret_count = 0;
136 unsigned int client_handshake_secret_count = 0;
137 unsigned int server_handshake_secret_count = 0;
138 unsigned int client_application_secret_count = 0;
139 unsigned int server_application_secret_count = 0;
141 for (token = strtok(buffer, " \n"); token != NULL;
142 token = strtok(NULL, " \n")) {
143 if (strcmp(token, "RSA") == 0) {
145 * Premaster secret. Tokens should be: 16 ASCII bytes of
146 * hex-encoded encrypted secret, then the hex-encoded pre-master
149 if (!TEST_ptr(token = strtok(NULL, " \n")))
151 if (!TEST_size_t_eq(strlen(token), 16))
153 if (!TEST_ptr(token = strtok(NULL, " \n")))
156 * We can't sensibly check the log because the premaster secret is
157 * transient, and OpenSSL doesn't keep hold of it once the master
158 * secret is generated.
160 rsa_key_exchange_count++;
161 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
163 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
164 * client random, then the hex-encoded master secret.
166 client_random_size = SSL_get_client_random(ssl,
167 actual_client_random,
169 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
172 if (!TEST_ptr(token = strtok(NULL, " \n")))
174 if (!TEST_size_t_eq(strlen(token), 64))
176 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
177 actual_client_random,
178 client_random_size)))
181 if (!TEST_ptr(token = strtok(NULL, " \n")))
183 master_key_size = SSL_SESSION_get_master_key(session,
186 if (!TEST_size_t_ne(master_key_size, 0))
188 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
192 master_secret_count++;
193 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
194 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
196 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
198 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
199 * client random, and then the hex-encoded secret. In this case,
200 * we treat all of these secrets identically and then just
201 * distinguish between them when counting what we saw.
203 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
204 client_handshake_secret_count++;
205 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
206 server_handshake_secret_count++;
207 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
208 client_application_secret_count++;
209 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
210 server_application_secret_count++;
212 client_random_size = SSL_get_client_random(ssl,
213 actual_client_random,
215 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
220 if (!TEST_size_t_eq(strlen(token), 64))
222 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
223 actual_client_random,
224 client_random_size)))
227 if (!TEST_ptr(token = strtok(NULL, " \n")))
231 * TODO(TLS1.3): test that application traffic secrets are what
234 TEST_info("Unexpected token %s\n", token);
239 /* Got what we expected? */
240 if (!TEST_size_t_eq(rsa_key_exchange_count,
241 expected->rsa_key_exchange_count)
242 || !TEST_size_t_eq(master_secret_count,
243 expected->master_secret_count)
244 || !TEST_size_t_eq(client_handshake_secret_count,
245 expected->client_handshake_secret_count)
246 || !TEST_size_t_eq(server_handshake_secret_count,
247 expected->server_handshake_secret_count)
248 || !TEST_size_t_eq(client_application_secret_count,
249 expected->client_application_secret_count)
250 || !TEST_size_t_eq(server_application_secret_count,
251 expected->server_application_secret_count))
256 static int test_keylog(void)
258 SSL_CTX *cctx = NULL, *sctx = NULL;
259 SSL *clientssl = NULL, *serverssl = NULL;
261 struct sslapitest_log_counts expected = {0};
263 /* Clean up logging space */
264 memset(client_log_buffer, 0, sizeof(client_log_buffer));
265 memset(server_log_buffer, 0, sizeof(server_log_buffer));
266 client_log_buffer_index = 0;
267 server_log_buffer_index = 0;
268 error_writing_log = 0;
270 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
272 &sctx, &cctx, cert, privkey)))
275 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
276 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
277 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
279 /* We also want to ensure that we use RSA-based key exchange. */
280 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
283 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
284 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
286 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
287 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
288 == client_keylog_callback))
290 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
291 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
292 == server_keylog_callback))
295 /* Now do a handshake and check that the logs have been written to. */
296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
297 &clientssl, NULL, NULL))
298 || !TEST_true(create_ssl_connection(serverssl, clientssl,
300 || !TEST_false(error_writing_log)
301 || !TEST_int_gt(client_log_buffer_index, 0)
302 || !TEST_int_gt(server_log_buffer_index, 0))
306 * Now we want to test that our output data was vaguely sensible. We
307 * do that by using strtok and confirming that we have more or less the
308 * data we expect. For both client and server, we expect to see one master
309 * secret. The client should also see a RSA key exchange.
311 expected.rsa_key_exchange_count = 1;
312 expected.master_secret_count = 1;
313 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
314 SSL_get_session(clientssl), &expected)))
317 expected.rsa_key_exchange_count = 0;
318 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
319 SSL_get_session(serverssl), &expected)))
333 #ifndef OPENSSL_NO_TLS1_3
334 static int test_keylog_no_master_key(void)
336 SSL_CTX *cctx = NULL, *sctx = NULL;
337 SSL *clientssl = NULL, *serverssl = NULL;
339 struct sslapitest_log_counts expected = {0};
341 /* Clean up logging space */
342 memset(client_log_buffer, 0, sizeof(client_log_buffer));
343 memset(server_log_buffer, 0, sizeof(server_log_buffer));
344 client_log_buffer_index = 0;
345 server_log_buffer_index = 0;
346 error_writing_log = 0;
348 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
349 TLS_client_method(), &sctx,
350 &cctx, cert, privkey)))
353 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
354 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
357 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
358 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
359 == client_keylog_callback))
362 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
363 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
364 == server_keylog_callback))
367 /* Now do a handshake and check that the logs have been written to. */
368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
369 &clientssl, NULL, NULL))
370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
372 || !TEST_false(error_writing_log))
376 * Now we want to test that our output data was vaguely sensible. For this
377 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
378 * TLSv1.3, but we do expect both client and server to emit keys.
380 expected.client_handshake_secret_count = 1;
381 expected.server_handshake_secret_count = 1;
382 expected.client_application_secret_count = 1;
383 expected.server_application_secret_count = 1;
384 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
385 SSL_get_session(clientssl), &expected))
386 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
387 SSL_get_session(serverssl),
403 #ifndef OPENSSL_NO_TLS1_2
404 static int full_early_callback(SSL *s, int *al, void *arg)
407 const unsigned char *p;
409 /* We only configure two ciphers, but the SCSV is added automatically. */
411 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
413 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
416 const int expected_extensions[] = {
417 #ifndef OPENSSL_NO_EC
423 /* Make sure we can defer processing and get called back. */
427 len = SSL_early_get0_ciphers(s, &p);
428 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
429 || !TEST_size_t_eq(SSL_early_get0_compression_methods(s, &p), 1)
430 || !TEST_int_eq(*p, 0))
432 if (!SSL_early_get1_extensions_present(s, &exts, &len))
434 if (len != OSSL_NELEM(expected_extensions) ||
435 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
436 printf("Early callback expected ClientHello extensions mismatch\n");
444 static int test_early_cb(void)
446 SSL_CTX *cctx = NULL, *sctx = NULL;
447 SSL *clientssl = NULL, *serverssl = NULL;
448 int testctr = 0, testresult = 0;
450 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
451 TLS_client_method(), &sctx,
452 &cctx, cert, privkey)))
454 SSL_CTX_set_early_cb(sctx, full_early_callback, &testctr);
456 /* The gimpy cipher list we configure can't do TLS 1.3. */
457 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
459 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
460 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
461 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
462 &clientssl, NULL, NULL))
463 || !TEST_false(create_ssl_connection(serverssl, clientssl,
464 SSL_ERROR_WANT_EARLY))
466 * Passing a -1 literal is a hack since
467 * the real value was lost.
469 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_EARLY)
470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
486 static int execute_test_large_message(const SSL_METHOD *smeth,
487 const SSL_METHOD *cmeth, int read_ahead)
489 SSL_CTX *cctx = NULL, *sctx = NULL;
490 SSL *clientssl = NULL, *serverssl = NULL;
494 X509 *chaincert = NULL;
497 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
499 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
502 if (!TEST_ptr(chaincert))
505 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
506 &cctx, cert, privkey)))
511 * Test that read_ahead works correctly when dealing with large
514 SSL_CTX_set_read_ahead(cctx, 1);
518 * We assume the supplied certificate is big enough so that if we add
519 * NUM_EXTRA_CERTS it will make the overall message large enough. The
520 * default buffer size is requested to be 16k, but due to the way BUF_MEM
521 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
522 * test we need to have a message larger than that.
524 certlen = i2d_X509(chaincert, NULL);
525 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
526 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
527 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
528 if (!X509_up_ref(chaincert))
530 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
531 X509_free(chaincert);
536 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
543 * Calling SSL_clear() first is not required but this tests that SSL_clear()
544 * doesn't leak (when using enable-crypto-mdebug).
546 if (!TEST_true(SSL_clear(serverssl)))
551 X509_free(chaincert);
560 static int test_large_message_tls(void)
562 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
566 static int test_large_message_tls_read_ahead(void)
568 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
572 #ifndef OPENSSL_NO_DTLS
573 static int test_large_message_dtls(void)
576 * read_ahead is not relevant to DTLS because DTLS always acts as if
579 return execute_test_large_message(DTLS_server_method(),
580 DTLS_client_method(), 0);
584 #ifndef OPENSSL_NO_OCSP
585 static int ocsp_server_cb(SSL *s, void *arg)
587 int *argi = (int *)arg;
588 unsigned char *copy = NULL;
589 STACK_OF(OCSP_RESPID) *ids = NULL;
590 OCSP_RESPID *id = NULL;
593 /* In this test we are expecting exactly 1 OCSP_RESPID */
594 SSL_get_tlsext_status_ids(s, &ids);
595 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
596 return SSL_TLSEXT_ERR_ALERT_FATAL;
598 id = sk_OCSP_RESPID_value(ids, 0);
599 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
600 return SSL_TLSEXT_ERR_ALERT_FATAL;
601 } else if (*argi != 1) {
602 return SSL_TLSEXT_ERR_ALERT_FATAL;
605 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
606 return SSL_TLSEXT_ERR_ALERT_FATAL;
608 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
609 ocsp_server_called = 1;
610 return SSL_TLSEXT_ERR_OK;
613 static int ocsp_client_cb(SSL *s, void *arg)
615 int *argi = (int *)arg;
616 const unsigned char *respderin;
619 if (*argi != 1 && *argi != 2)
622 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
623 if (!TEST_mem_eq(orespder, len, respderin, len))
626 ocsp_client_called = 1;
630 static int test_tlsext_status_type(void)
632 SSL_CTX *cctx = NULL, *sctx = NULL;
633 SSL *clientssl = NULL, *serverssl = NULL;
635 STACK_OF(OCSP_RESPID) *ids = NULL;
636 OCSP_RESPID *id = NULL;
639 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
640 &cctx, cert, privkey))
643 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
646 /* First just do various checks getting and setting tlsext_status_type */
648 clientssl = SSL_new(cctx);
649 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
650 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
651 TLSEXT_STATUSTYPE_ocsp))
652 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
653 TLSEXT_STATUSTYPE_ocsp))
659 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
660 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
663 clientssl = SSL_new(cctx);
664 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
670 * Now actually do a handshake and check OCSP information is exchanged and
671 * the callbacks get called
673 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
674 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
675 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
676 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
678 &clientssl, NULL, NULL))
679 || !TEST_true(create_ssl_connection(serverssl, clientssl,
681 || !TEST_true(ocsp_client_called)
682 || !TEST_true(ocsp_server_called))
689 /* Try again but this time force the server side callback to fail */
690 ocsp_client_called = 0;
691 ocsp_server_called = 0;
693 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
694 &clientssl, NULL, NULL))
695 /* This should fail because the callback will fail */
696 || !TEST_false(create_ssl_connection(serverssl, clientssl,
698 || !TEST_false(ocsp_client_called)
699 || !TEST_false(ocsp_server_called))
707 * This time we'll get the client to send an OCSP_RESPID that it will
710 ocsp_client_called = 0;
711 ocsp_server_called = 0;
713 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
714 &clientssl, NULL, NULL)))
718 * We'll just use any old cert for this test - it doesn't have to be an OCSP
719 * specific one. We'll use the server cert.
721 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
722 || !TEST_ptr(id = OCSP_RESPID_new())
723 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
724 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
726 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
727 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
730 SSL_set_tlsext_status_ids(clientssl, ids);
731 /* Control has been transferred */
737 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
739 || !TEST_true(ocsp_client_called)
740 || !TEST_true(ocsp_server_called))
750 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
751 OCSP_RESPID_free(id);
760 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
761 static int new_called, remove_called, get_called;
763 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
767 * sess has been up-refed for us, but we don't actually need it so free it
770 SSL_SESSION_free(sess);
774 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
779 static SSL_SESSION *get_sess_val = NULL;
781 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
789 static int execute_test_session(int maxprot, int use_int_cache,
792 SSL_CTX *sctx = NULL, *cctx = NULL;
793 SSL *serverssl1 = NULL, *clientssl1 = NULL;
794 SSL *serverssl2 = NULL, *clientssl2 = NULL;
795 # ifndef OPENSSL_NO_TLS1_1
796 SSL *serverssl3 = NULL, *clientssl3 = NULL;
798 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
801 new_called = remove_called = 0;
803 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
804 TLS_client_method(), &sctx,
805 &cctx, cert, privkey)))
809 * Only allow the max protocol version so we can force a connection failure
812 SSL_CTX_set_min_proto_version(cctx, maxprot);
813 SSL_CTX_set_max_proto_version(cctx, maxprot);
815 /* Set up session cache */
817 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
818 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
821 /* Also covers instance where both are set */
822 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
824 SSL_CTX_set_session_cache_mode(cctx,
825 SSL_SESS_CACHE_CLIENT
826 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
829 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
831 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
833 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
836 /* Should fail because it should already be in the cache */
837 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
840 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
843 new_called = remove_called = 0;
844 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
845 &clientssl2, NULL, NULL))
846 || !TEST_true(SSL_set_session(clientssl2, sess1))
847 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
849 || !TEST_true(SSL_session_reused(clientssl2)))
852 if (maxprot == TLS1_3_VERSION) {
854 * In TLSv1.3 we should have created a new session even though we have
855 * resumed. The original session should also have been removed.
858 && (!TEST_int_eq(new_called, 1)
859 || !TEST_int_eq(remove_called, 1)))
863 * In TLSv1.2 we expect to have resumed so no sessions added or
867 && (!TEST_int_eq(new_called, 0)
868 || !TEST_int_eq(remove_called, 0)))
872 SSL_SESSION_free(sess1);
873 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
875 shutdown_ssl_connection(serverssl2, clientssl2);
876 serverssl2 = clientssl2 = NULL;
878 new_called = remove_called = 0;
879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
880 &clientssl2, NULL, NULL))
881 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
885 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
889 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
892 new_called = remove_called = 0;
894 * This should clear sess2 from the cache because it is a "bad" session.
895 * See SSL_set_session() documentation.
897 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
900 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
902 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
906 /* Should succeeded because it should not already be in the cache */
907 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
908 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
912 new_called = remove_called = 0;
913 /* This shouldn't be in the cache so should fail */
914 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
918 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
921 # if !defined(OPENSSL_NO_TLS1_1)
922 new_called = remove_called = 0;
923 /* Force a connection failure */
924 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
925 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
926 &clientssl3, NULL, NULL))
927 || !TEST_true(SSL_set_session(clientssl3, sess1))
928 /* This should fail because of the mismatched protocol versions */
929 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
933 /* We should have automatically removed the session from the cache */
935 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
938 /* Should succeed because it should not already be in the cache */
939 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
943 /* Now do some tests for server side caching */
945 SSL_CTX_sess_set_new_cb(cctx, NULL);
946 SSL_CTX_sess_set_remove_cb(cctx, NULL);
947 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
948 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
949 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
953 SSL_CTX_set_session_cache_mode(cctx, 0);
954 /* Internal caching is the default on the server side */
956 SSL_CTX_set_session_cache_mode(sctx,
957 SSL_SESS_CACHE_SERVER
958 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
960 SSL_free(serverssl1);
961 SSL_free(clientssl1);
962 serverssl1 = clientssl1 = NULL;
963 SSL_free(serverssl2);
964 SSL_free(clientssl2);
965 serverssl2 = clientssl2 = NULL;
966 SSL_SESSION_free(sess1);
968 SSL_SESSION_free(sess2);
971 SSL_CTX_set_max_proto_version(sctx, maxprot);
972 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
973 new_called = remove_called = get_called = 0;
974 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
976 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
978 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
979 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
982 /* Should fail because it should already be in the cache */
983 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
987 SSL_SESSION *tmp = sess2;
989 if (!TEST_int_eq(new_called, 1)
990 || !TEST_int_eq(remove_called, 0)
991 || !TEST_int_eq(get_called, 0))
994 * Delete the session from the internal cache to force a lookup from
995 * the external cache. We take a copy first because
996 * SSL_CTX_remove_session() also marks the session as non-resumable.
999 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1000 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1002 SSL_SESSION_free(sess2);
1007 new_called = remove_called = get_called = 0;
1008 get_sess_val = sess2;
1009 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1010 &clientssl2, NULL, NULL))
1011 || !TEST_true(SSL_set_session(clientssl2, sess1))
1012 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1014 || !TEST_true(SSL_session_reused(clientssl2)))
1017 if (use_ext_cache) {
1018 if (!TEST_int_eq(new_called, 0)
1019 || !TEST_int_eq(remove_called, 0))
1022 if (maxprot == TLS1_3_VERSION) {
1023 if (!TEST_int_eq(get_called, 0))
1026 if (!TEST_int_eq(get_called, 1))
1034 SSL_free(serverssl1);
1035 SSL_free(clientssl1);
1036 SSL_free(serverssl2);
1037 SSL_free(clientssl2);
1038 # ifndef OPENSSL_NO_TLS1_1
1039 SSL_free(serverssl3);
1040 SSL_free(clientssl3);
1042 SSL_SESSION_free(sess1);
1043 SSL_SESSION_free(sess2);
1049 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1051 static int test_session_with_only_int_cache(void)
1053 #ifndef OPENSSL_NO_TLS1_3
1054 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1058 #ifndef OPENSSL_NO_TLS1_2
1059 return execute_test_session(TLS1_2_VERSION, 1, 0);
1065 static int test_session_with_only_ext_cache(void)
1067 #ifndef OPENSSL_NO_TLS1_3
1068 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1072 #ifndef OPENSSL_NO_TLS1_2
1073 return execute_test_session(TLS1_2_VERSION, 0, 1);
1079 static int test_session_with_both_cache(void)
1081 #ifndef OPENSSL_NO_TLS1_3
1082 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1086 #ifndef OPENSSL_NO_TLS1_2
1087 return execute_test_session(TLS1_2_VERSION, 1, 1);
1097 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1099 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1114 static int test_ssl_set_bio(int idx)
1119 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1121 int initrbio, initwbio, newrbio, newwbio;
1131 if (!TEST_int_le(newwbio, 2))
1134 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1135 || !TEST_ptr(ssl = SSL_new(ctx)))
1138 if (initrbio == USE_BIO_1
1139 || initwbio == USE_BIO_1
1140 || newrbio == USE_BIO_1
1141 || newwbio == USE_BIO_1) {
1142 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1146 if (initrbio == USE_BIO_2
1147 || initwbio == USE_BIO_2
1148 || newrbio == USE_BIO_2
1149 || newwbio == USE_BIO_2) {
1150 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1154 setupbio(&irbio, bio1, bio2, initrbio);
1155 setupbio(&iwbio, bio1, bio2, initwbio);
1158 * We want to maintain our own refs to these BIO, so do an up ref for each
1159 * BIO that will have ownership transferred in the SSL_set_bio() call
1163 if (iwbio != NULL && iwbio != irbio)
1166 SSL_set_bio(ssl, irbio, iwbio);
1168 setupbio(&nrbio, bio1, bio2, newrbio);
1169 setupbio(&nwbio, bio1, bio2, newwbio);
1172 * We will (maybe) transfer ownership again so do more up refs.
1173 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1178 && (nwbio != iwbio || nrbio != nwbio))
1182 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1185 SSL_set_bio(ssl, nrbio, nwbio);
1195 * This test is checking that the ref counting for SSL_set_bio is correct.
1196 * If we get here and we did too many frees then we will fail in the above
1197 * functions. If we haven't done enough then this will only be detected in
1198 * a crypto-mdebug build
1204 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1206 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1208 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1213 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1214 || !TEST_ptr(ssl = SSL_new(ctx))
1215 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1216 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1219 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1222 * If anything goes wrong here then we could leak memory, so this will
1223 * be caught in a crypto-mdebug build
1225 BIO_push(sslbio, membio1);
1227 /* Verify changing the rbio/wbio directly does not cause leaks */
1228 if (change_bio != NO_BIO_CHANGE) {
1229 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1231 if (change_bio == CHANGE_RBIO)
1232 SSL_set0_rbio(ssl, membio2);
1234 SSL_set0_wbio(ssl, membio2);
1253 static int test_ssl_bio_pop_next_bio(void)
1255 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1258 static int test_ssl_bio_pop_ssl_bio(void)
1260 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1263 static int test_ssl_bio_change_rbio(void)
1265 return execute_test_ssl_bio(0, CHANGE_RBIO);
1268 static int test_ssl_bio_change_wbio(void)
1270 return execute_test_ssl_bio(0, CHANGE_WBIO);
1274 /* The list of sig algs */
1276 /* The length of the list */
1278 /* A sigalgs list in string format */
1279 const char *liststr;
1280 /* Whether setting the list should succeed */
1282 /* Whether creating a connection with the list should succeed */
1286 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1287 #ifndef OPENSSL_NO_EC
1288 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1289 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1291 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1292 static const int invalidlist2[] = {NID_sha256, NID_undef};
1293 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1294 static const int invalidlist4[] = {NID_sha256};
1295 static const sigalgs_list testsigalgs[] = {
1296 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1297 #ifndef OPENSSL_NO_EC
1298 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1299 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1301 {NULL, 0, "RSA+SHA256", 1, 1},
1302 #ifndef OPENSSL_NO_EC
1303 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1304 {NULL, 0, "ECDSA+SHA512", 1, 0},
1306 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1307 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1308 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1309 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1310 {NULL, 0, "RSA", 0, 0},
1311 {NULL, 0, "SHA256", 0, 0},
1312 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1313 {NULL, 0, "Invalid", 0, 0}
1316 static int test_set_sigalgs(int idx)
1318 SSL_CTX *cctx = NULL, *sctx = NULL;
1319 SSL *clientssl = NULL, *serverssl = NULL;
1321 const sigalgs_list *curr;
1324 /* Should never happen */
1325 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1328 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1329 curr = testctx ? &testsigalgs[idx]
1330 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1332 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1333 TLS_client_method(), &sctx,
1334 &cctx, cert, privkey)))
1338 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1339 * for TLSv1.2 for now until we add a new API.
1341 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1346 if (curr->list != NULL)
1347 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1349 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1353 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1359 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1365 &clientssl, NULL, NULL)))
1371 if (curr->list != NULL)
1372 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1374 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1377 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1386 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1394 SSL_free(serverssl);
1395 SSL_free(clientssl);
1402 #ifndef OPENSSL_NO_TLS1_3
1404 static SSL_SESSION *clientpsk = NULL;
1405 static SSL_SESSION *serverpsk = NULL;
1406 static const char *pskid = "Identity";
1407 static const char *srvid;
1409 static int use_session_cb_cnt = 0;
1410 static int find_session_cb_cnt = 0;
1412 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1413 size_t *idlen, SSL_SESSION **sess)
1415 switch (++use_session_cb_cnt) {
1417 /* The first call should always have a NULL md */
1423 /* The second call should always have an md */
1429 /* We should only be called a maximum of twice */
1433 if (clientpsk != NULL)
1434 SSL_SESSION_up_ref(clientpsk);
1437 *id = (const unsigned char *)pskid;
1438 *idlen = strlen(pskid);
1443 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1444 size_t identity_len, SSL_SESSION **sess)
1446 find_session_cb_cnt++;
1448 /* We should only ever be called a maximum of twice per connection */
1449 if (find_session_cb_cnt > 2)
1452 if (serverpsk == NULL)
1455 /* Identity should match that set by the client */
1456 if (strlen(srvid) != identity_len
1457 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1458 /* No PSK found, continue but without a PSK */
1463 SSL_SESSION_up_ref(serverpsk);
1469 #define MSG1 "Hello"
1470 #define MSG2 "World."
1475 #define MSG7 "message."
1477 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1480 * Helper method to setup objects for early data test. Caller frees objects on
1483 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1484 SSL **serverssl, SSL_SESSION **sess, int idx)
1486 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1487 TLS_client_method(), sctx,
1488 cctx, cert, privkey)))
1492 /* When idx == 1 we repeat the tests with read_ahead set */
1493 SSL_CTX_set_read_ahead(*cctx, 1);
1494 SSL_CTX_set_read_ahead(*sctx, 1);
1495 } else if (idx == 2) {
1496 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1497 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1498 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1499 use_session_cb_cnt = 0;
1500 find_session_cb_cnt = 0;
1504 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1509 /* Create the PSK */
1510 const SSL_CIPHER *cipher = NULL;
1511 const unsigned char key[] = {
1512 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1513 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1514 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1515 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1516 0x2c, 0x2d, 0x2e, 0x2f
1519 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1520 clientpsk = SSL_SESSION_new();
1521 if (!TEST_ptr(clientpsk)
1522 || !TEST_ptr(cipher)
1523 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1525 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1527 SSL_SESSION_set_protocol_version(clientpsk,
1530 * We just choose an arbitrary value for max_early_data which
1531 * should be big enough for testing purposes.
1533 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1535 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1536 SSL_SESSION_free(clientpsk);
1540 serverpsk = clientpsk;
1550 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1554 *sess = SSL_get1_session(*clientssl);
1555 SSL_shutdown(*clientssl);
1556 SSL_shutdown(*serverssl);
1557 SSL_free(*serverssl);
1558 SSL_free(*clientssl);
1559 *serverssl = *clientssl = NULL;
1561 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1562 clientssl, NULL, NULL))
1563 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1569 static int test_early_data_read_write(int idx)
1571 SSL_CTX *cctx = NULL, *sctx = NULL;
1572 SSL *clientssl = NULL, *serverssl = NULL;
1574 SSL_SESSION *sess = NULL;
1575 unsigned char buf[20], data[1024];
1576 size_t readbytes, written, eoedlen, rawread, rawwritten;
1579 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1580 &serverssl, &sess, idx)))
1583 /* Write and read some early data */
1584 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1586 || !TEST_size_t_eq(written, strlen(MSG1))
1587 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1588 sizeof(buf), &readbytes),
1589 SSL_READ_EARLY_DATA_SUCCESS)
1590 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1591 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1592 SSL_EARLY_DATA_ACCEPTED))
1596 * Server should be able to write data, and client should be able to
1599 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1601 || !TEST_size_t_eq(written, strlen(MSG2))
1602 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1603 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1606 /* Even after reading normal data, client should be able write early data */
1607 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1609 || !TEST_size_t_eq(written, strlen(MSG3)))
1612 /* Server should still be able read early data after writing data */
1613 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1615 SSL_READ_EARLY_DATA_SUCCESS)
1616 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1619 /* Write more data from server and read it from client */
1620 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1622 || !TEST_size_t_eq(written, strlen(MSG4))
1623 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1624 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1628 * If client writes normal data it should mean writing early data is no
1631 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1632 || !TEST_size_t_eq(written, strlen(MSG5))
1633 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1634 SSL_EARLY_DATA_ACCEPTED))
1638 * At this point the client has written EndOfEarlyData, ClientFinished and
1639 * normal (fully protected) data. We are going to cause a delay between the
1640 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1641 * in the read BIO, and then just put back the EndOfEarlyData message.
1643 rbio = SSL_get_rbio(serverssl);
1644 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1645 || !TEST_size_t_lt(rawread, sizeof(data))
1646 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1649 /* Record length is in the 4th and 5th bytes of the record header */
1650 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1651 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1652 || !TEST_size_t_eq(rawwritten, eoedlen))
1655 /* Server should be told that there is no more early data */
1656 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1658 SSL_READ_EARLY_DATA_FINISH)
1659 || !TEST_size_t_eq(readbytes, 0))
1663 * Server has not finished init yet, so should still be able to write early
1666 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1668 || !TEST_size_t_eq(written, strlen(MSG6)))
1671 /* Push the ClientFinished and the normal data back into the server rbio */
1672 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1674 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1677 /* Server should be able to read normal data */
1678 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1679 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1682 /* Client and server should not be able to write/read early data now */
1683 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1687 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1689 SSL_READ_EARLY_DATA_ERROR))
1693 /* Client should be able to read the data sent by the server */
1694 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1695 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1699 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1700 * We attempt a read which we do not expect to return any data.
1702 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1705 /* Server should be able to write normal data */
1706 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1707 || !TEST_size_t_eq(written, strlen(MSG7))
1708 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1709 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1712 /* We keep the PSK session around if using PSK */
1714 SSL_SESSION_free(sess);
1715 sess = SSL_get1_session(clientssl);
1716 use_session_cb_cnt = 0;
1717 find_session_cb_cnt = 0;
1719 SSL_shutdown(clientssl);
1720 SSL_shutdown(serverssl);
1721 SSL_free(serverssl);
1722 SSL_free(clientssl);
1723 serverssl = clientssl = NULL;
1724 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1725 &clientssl, NULL, NULL))
1726 || !TEST_true(SSL_set_session(clientssl, sess)))
1729 /* Write and read some early data */
1730 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1732 || !TEST_size_t_eq(written, strlen(MSG1))
1733 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1735 SSL_READ_EARLY_DATA_SUCCESS)
1736 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1739 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1740 || !TEST_int_gt(SSL_accept(serverssl), 0))
1743 /* Client and server should not be able to write/read early data now */
1744 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1748 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1750 SSL_READ_EARLY_DATA_ERROR))
1754 /* Client and server should be able to write/read normal data */
1755 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1756 || !TEST_size_t_eq(written, strlen(MSG5))
1757 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1758 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1764 if (sess != clientpsk)
1765 SSL_SESSION_free(sess);
1766 SSL_SESSION_free(clientpsk);
1767 SSL_SESSION_free(serverpsk);
1768 clientpsk = serverpsk = NULL;
1769 SSL_free(serverssl);
1770 SSL_free(clientssl);
1777 * Helper function to test that a server attempting to read early data can
1778 * handle a connection from a client where the early data should be skipped.
1780 static int early_data_skip_helper(int hrr, int idx)
1782 SSL_CTX *cctx = NULL, *sctx = NULL;
1783 SSL *clientssl = NULL, *serverssl = NULL;
1785 SSL_SESSION *sess = NULL;
1786 unsigned char buf[20];
1787 size_t readbytes, written;
1789 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1790 &serverssl, &sess, idx)))
1794 /* Force an HRR to occur */
1795 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1797 } else if (idx == 2) {
1799 * We force early_data rejection by ensuring the PSK identity is
1802 srvid = "Dummy Identity";
1805 * Deliberately corrupt the creation time. We take 20 seconds off the
1806 * time. It could be any value as long as it is not within tolerance.
1807 * This should mean the ticket is rejected.
1809 if (!TEST_true(SSL_SESSION_set_time(sess, time(NULL) - 20)))
1813 /* Write some early data */
1814 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1816 || !TEST_size_t_eq(written, strlen(MSG1)))
1819 /* Server should reject the early data and skip over it */
1820 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1822 SSL_READ_EARLY_DATA_FINISH)
1823 || !TEST_size_t_eq(readbytes, 0)
1824 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1825 SSL_EARLY_DATA_REJECTED))
1830 * Finish off the handshake. We perform the same writes and reads as
1831 * further down but we expect them to fail due to the incomplete
1834 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1835 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1840 /* Should be able to send normal data despite rejection of early data */
1841 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1842 || !TEST_size_t_eq(written, strlen(MSG2))
1843 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1844 SSL_EARLY_DATA_REJECTED)
1845 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1846 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1852 if (sess != clientpsk)
1853 SSL_SESSION_free(clientpsk);
1854 SSL_SESSION_free(serverpsk);
1855 clientpsk = serverpsk = NULL;
1856 SSL_SESSION_free(sess);
1857 SSL_free(serverssl);
1858 SSL_free(clientssl);
1865 * Test that a server attempting to read early data can handle a connection
1866 * from a client where the early data is not acceptable.
1868 static int test_early_data_skip(int idx)
1870 return early_data_skip_helper(0, idx);
1874 * Test that a server attempting to read early data can handle a connection
1875 * from a client where an HRR occurs.
1877 static int test_early_data_skip_hrr(int idx)
1879 return early_data_skip_helper(1, idx);
1883 * Test that a server attempting to read early data can handle a connection
1884 * from a client that doesn't send any.
1886 static int test_early_data_not_sent(int idx)
1888 SSL_CTX *cctx = NULL, *sctx = NULL;
1889 SSL *clientssl = NULL, *serverssl = NULL;
1891 SSL_SESSION *sess = NULL;
1892 unsigned char buf[20];
1893 size_t readbytes, written;
1895 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1896 &serverssl, &sess, idx)))
1899 /* Write some data - should block due to handshake with server */
1900 SSL_set_connect_state(clientssl);
1901 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1904 /* Server should detect that early data has not been sent */
1905 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1907 SSL_READ_EARLY_DATA_FINISH)
1908 || !TEST_size_t_eq(readbytes, 0)
1909 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1910 SSL_EARLY_DATA_NOT_SENT)
1911 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1912 SSL_EARLY_DATA_NOT_SENT))
1915 /* Continue writing the message we started earlier */
1916 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1917 || !TEST_size_t_eq(written, strlen(MSG1))
1918 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1919 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1920 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
1921 || !TEST_size_t_eq(written, strlen(MSG2)))
1925 * Should block due to the NewSessionTicket arrival unless we're using
1929 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1933 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1934 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1940 /* If using PSK then clientpsk and sess are the same */
1941 SSL_SESSION_free(sess);
1942 SSL_SESSION_free(serverpsk);
1943 clientpsk = serverpsk = NULL;
1944 SSL_free(serverssl);
1945 SSL_free(clientssl);
1951 static const char *servhostname;
1953 static int hostname_cb(SSL *s, int *al, void *arg)
1955 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1957 if (hostname != NULL && strcmp(hostname, servhostname) == 0)
1958 return SSL_TLSEXT_ERR_OK;
1960 return SSL_TLSEXT_ERR_NOACK;
1963 static const char *servalpn;
1965 static int alpn_select_cb (SSL *ssl, const unsigned char **out, unsigned char *outlen,
1966 const unsigned char *in, unsigned int inlen, void *arg)
1968 unsigned int i, protlen = 0;
1969 const unsigned char *prot;
1971 for (i = 0, prot = in; i < inlen; i += protlen, prot += protlen) {
1972 protlen = *(prot++);
1973 if (inlen - i < protlen)
1974 return SSL_TLSEXT_ERR_NOACK;
1976 if (protlen == strlen(servalpn)
1977 && memcmp(prot, "goodalpn", protlen) == 0) {
1980 return SSL_TLSEXT_ERR_OK;
1984 return SSL_TLSEXT_ERR_NOACK;
1987 /* Test that a PSK can be used to send early_data */
1988 static int test_early_data_psk(int idx)
1990 SSL_CTX *cctx = NULL, *sctx = NULL;
1991 SSL *clientssl = NULL, *serverssl = NULL;
1993 SSL_SESSION *sess = NULL;
1994 unsigned char alpnlist[] = {
1995 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
1998 #define GOODALPNLEN 9
1999 #define BADALPNLEN 8
2000 #define GOODALPN (alpnlist)
2001 #define BADALPN (alpnlist + GOODALPNLEN)
2003 unsigned char buf[20];
2004 size_t readbytes, written;
2005 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2006 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2008 /* We always set this up with a final parameter of "2" for PSK */
2009 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2010 &serverssl, &sess, 2)))
2013 servhostname = "goodhost";
2014 servalpn = "goodalpn";
2017 * Note: There is no test for inconsistent SNI with late client detection.
2018 * This is because servers do not acknowledge SNI even if they are using
2019 * it in a resumption handshake - so it is not actually possible for a
2020 * client to detect a problem.
2024 /* Set inconsistent SNI (early client detection) */
2025 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2026 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2027 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2032 /* Set inconsistent ALPN (early client detection) */
2033 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2034 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2035 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2037 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2044 * Set invalid protocol version. Technically this affects PSKs without
2045 * early_data too, but we test it here because it is similar to the
2046 * SNI/ALPN consistency tests.
2048 err = SSL_R_BAD_PSK;
2049 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2055 * Set inconsistent SNI (server detected). In this case the connection
2056 * will succeed but reject early_data.
2058 servhostname = "badhost";
2059 edstatus = SSL_EARLY_DATA_REJECTED;
2060 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2063 /* Set consistent SNI */
2064 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2065 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2066 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2073 * Set inconsistent ALPN (server detected). In this case the connection
2074 * will succeed but reject early_data.
2076 servalpn = "badalpn";
2077 edstatus = SSL_EARLY_DATA_REJECTED;
2078 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2082 * Set consistent ALPN.
2083 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2084 * accepts a list of protos (each one length prefixed).
2085 * SSL_set1_alpn_selected accepts a single protocol (not length
2088 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2090 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2094 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2098 /* Set inconsistent ALPN (late client detection) */
2099 SSL_SESSION_free(serverpsk);
2100 serverpsk = SSL_SESSION_dup(clientpsk);
2101 if (!TEST_ptr(serverpsk)
2102 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2105 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2108 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2111 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2112 edstatus = SSL_EARLY_DATA_ACCEPTED;
2113 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2114 /* SSL_connect() call should fail */
2119 TEST_error("Bad test index");
2123 SSL_set_connect_state(clientssl);
2125 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2127 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2128 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2131 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2135 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2136 &readbytes), readearlyres)
2137 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2138 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2139 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2140 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2147 SSL_SESSION_free(clientpsk);
2148 SSL_SESSION_free(serverpsk);
2149 clientpsk = serverpsk = NULL;
2150 SSL_free(serverssl);
2151 SSL_free(clientssl);
2158 * Test that a server that doesn't try to read early data can handle a
2159 * client sending some.
2161 static int test_early_data_not_expected(int idx)
2163 SSL_CTX *cctx = NULL, *sctx = NULL;
2164 SSL *clientssl = NULL, *serverssl = NULL;
2166 SSL_SESSION *sess = NULL;
2167 unsigned char buf[20];
2168 size_t readbytes, written;
2170 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2171 &serverssl, &sess, idx)))
2174 /* Write some early data */
2175 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2180 * Server should skip over early data and then block waiting for client to
2181 * continue handshake
2183 if (!TEST_int_le(SSL_accept(serverssl), 0)
2184 || !TEST_int_gt(SSL_connect(clientssl), 0)
2185 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2186 SSL_EARLY_DATA_REJECTED)
2187 || !TEST_int_gt(SSL_accept(serverssl), 0)
2188 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2189 SSL_EARLY_DATA_REJECTED))
2192 /* Send some normal data from client to server */
2193 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2194 || !TEST_size_t_eq(written, strlen(MSG2)))
2197 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2198 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2204 /* If using PSK then clientpsk and sess are the same */
2205 SSL_SESSION_free(sess);
2206 SSL_SESSION_free(serverpsk);
2207 clientpsk = serverpsk = NULL;
2208 SSL_free(serverssl);
2209 SSL_free(clientssl);
2216 # ifndef OPENSSL_NO_TLS1_2
2218 * Test that a server attempting to read early data can handle a connection
2219 * from a TLSv1.2 client.
2221 static int test_early_data_tls1_2(int idx)
2223 SSL_CTX *cctx = NULL, *sctx = NULL;
2224 SSL *clientssl = NULL, *serverssl = NULL;
2226 unsigned char buf[20];
2227 size_t readbytes, written;
2229 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2230 &serverssl, NULL, idx)))
2233 /* Write some data - should block due to handshake with server */
2234 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2235 SSL_set_connect_state(clientssl);
2236 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2240 * Server should do TLSv1.2 handshake. First it will block waiting for more
2241 * messages from client after ServerDone. Then SSL_read_early_data should
2242 * finish and detect that early data has not been sent
2244 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2246 SSL_READ_EARLY_DATA_ERROR))
2250 * Continue writing the message we started earlier. Will still block waiting
2251 * for the CCS/Finished from server
2253 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2254 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2256 SSL_READ_EARLY_DATA_FINISH)
2257 || !TEST_size_t_eq(readbytes, 0)
2258 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2259 SSL_EARLY_DATA_NOT_SENT))
2262 /* Continue writing the message we started earlier */
2263 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2264 || !TEST_size_t_eq(written, strlen(MSG1))
2265 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2266 SSL_EARLY_DATA_NOT_SENT)
2267 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2268 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2269 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2270 || !TEST_size_t_eq(written, strlen(MSG2))
2271 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2272 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2278 /* If using PSK then clientpsk and sess are the same */
2279 SSL_SESSION_free(clientpsk);
2280 SSL_SESSION_free(serverpsk);
2281 clientpsk = serverpsk = NULL;
2282 SSL_free(serverssl);
2283 SSL_free(clientssl);
2289 # endif /* OPENSSL_NO_TLS1_2 */
2291 static int test_ciphersuite_change(void)
2293 SSL_CTX *cctx = NULL, *sctx = NULL;
2294 SSL *clientssl = NULL, *serverssl = NULL;
2295 SSL_SESSION *clntsess = NULL;
2297 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2299 /* Create a session based on SHA-256 */
2300 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2301 TLS_client_method(), &sctx,
2302 &cctx, cert, privkey))
2303 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
2304 "TLS13-AES-128-GCM-SHA256"))
2305 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2306 &clientssl, NULL, NULL))
2307 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2311 clntsess = SSL_get1_session(clientssl);
2312 /* Save for later */
2313 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2314 SSL_shutdown(clientssl);
2315 SSL_shutdown(serverssl);
2316 SSL_free(serverssl);
2317 SSL_free(clientssl);
2318 serverssl = clientssl = NULL;
2320 /* Check we can resume a session with a different SHA-256 ciphersuite */
2321 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2322 "TLS13-CHACHA20-POLY1305-SHA256"))
2323 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2325 || !TEST_true(SSL_set_session(clientssl, clntsess))
2326 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2328 || !TEST_true(SSL_session_reused(clientssl)))
2331 SSL_SESSION_free(clntsess);
2332 clntsess = SSL_get1_session(clientssl);
2333 SSL_shutdown(clientssl);
2334 SSL_shutdown(serverssl);
2335 SSL_free(serverssl);
2336 SSL_free(clientssl);
2337 serverssl = clientssl = NULL;
2340 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2341 * succeeds but does not resume.
2343 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2344 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2346 || !TEST_true(SSL_set_session(clientssl, clntsess))
2347 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2349 || !TEST_false(SSL_session_reused(clientssl)))
2352 SSL_SESSION_free(clntsess);
2354 SSL_shutdown(clientssl);
2355 SSL_shutdown(serverssl);
2356 SSL_free(serverssl);
2357 SSL_free(clientssl);
2358 serverssl = clientssl = NULL;
2360 /* Create a session based on SHA384 */
2361 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2362 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2363 &clientssl, NULL, NULL))
2364 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2368 clntsess = SSL_get1_session(clientssl);
2369 SSL_shutdown(clientssl);
2370 SSL_shutdown(serverssl);
2371 SSL_free(serverssl);
2372 SSL_free(clientssl);
2373 serverssl = clientssl = NULL;
2375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2376 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
2377 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
2378 "TLS13-AES-256-GCM-SHA384"))
2379 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2381 || !TEST_true(SSL_set_session(clientssl, clntsess))
2383 * We use SSL_ERROR_WANT_READ below so that we can pause the
2384 * connection after the initial ClientHello has been sent to
2385 * enable us to make some session changes.
2387 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2388 SSL_ERROR_WANT_READ)))
2391 /* Trick the client into thinking this session is for a different digest */
2392 clntsess->cipher = aes_128_gcm_sha256;
2393 clntsess->cipher_id = clntsess->cipher->id;
2396 * Continue the previously started connection. Server has selected a SHA-384
2397 * ciphersuite, but client thinks the session is for SHA-256, so it should
2400 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2402 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2403 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2409 SSL_SESSION_free(clntsess);
2410 SSL_free(serverssl);
2411 SSL_free(clientssl);
2418 static int test_tls13_psk(void)
2420 SSL_CTX *sctx = NULL, *cctx = NULL;
2421 SSL *serverssl = NULL, *clientssl = NULL;
2422 const SSL_CIPHER *cipher = NULL;
2423 const unsigned char key[] = {
2424 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2425 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2426 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2427 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2431 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2432 TLS_client_method(), &sctx,
2433 &cctx, cert, privkey)))
2436 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2437 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2439 use_session_cb_cnt = 0;
2440 find_session_cb_cnt = 0;
2442 /* Check we can create a connection if callback decides not to send a PSK */
2443 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2445 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2447 || !TEST_false(SSL_session_reused(clientssl))
2448 || !TEST_false(SSL_session_reused(serverssl))
2449 || !TEST_true(use_session_cb_cnt == 1)
2450 || !TEST_true(find_session_cb_cnt == 0))
2453 shutdown_ssl_connection(serverssl, clientssl);
2454 serverssl = clientssl = NULL;
2455 use_session_cb_cnt = 0;
2457 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2461 /* Create the PSK */
2462 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
2463 clientpsk = SSL_SESSION_new();
2464 if (!TEST_ptr(clientpsk)
2465 || !TEST_ptr(cipher)
2466 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2468 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2469 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2471 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2473 serverpsk = clientpsk;
2475 /* Check we can create a connection and the PSK is used */
2476 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2477 || !TEST_true(SSL_session_reused(clientssl))
2478 || !TEST_true(SSL_session_reused(serverssl))
2479 || !TEST_true(use_session_cb_cnt == 1)
2480 || !TEST_true(find_session_cb_cnt == 1))
2483 shutdown_ssl_connection(serverssl, clientssl);
2484 serverssl = clientssl = NULL;
2485 use_session_cb_cnt = find_session_cb_cnt = 0;
2487 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2492 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2496 * Check we can create a connection, the PSK is used and the callbacks are
2499 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2500 || !TEST_true(SSL_session_reused(clientssl))
2501 || !TEST_true(SSL_session_reused(serverssl))
2502 || !TEST_true(use_session_cb_cnt == 2)
2503 || !TEST_true(find_session_cb_cnt == 2))
2506 shutdown_ssl_connection(serverssl, clientssl);
2507 serverssl = clientssl = NULL;
2508 use_session_cb_cnt = find_session_cb_cnt = 0;
2511 * Check that if the server rejects the PSK we can still connect, but with
2514 srvid = "Dummy Identity";
2515 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2519 || !TEST_false(SSL_session_reused(clientssl))
2520 || !TEST_false(SSL_session_reused(serverssl))
2521 || !TEST_true(use_session_cb_cnt == 1)
2522 || !TEST_true(find_session_cb_cnt == 1))
2525 shutdown_ssl_connection(serverssl, clientssl);
2526 serverssl = clientssl = NULL;
2530 SSL_SESSION_free(clientpsk);
2531 SSL_SESSION_free(serverpsk);
2532 clientpsk = serverpsk = NULL;
2533 SSL_free(serverssl);
2534 SSL_free(clientssl);
2540 #endif /* OPENSSL_NO_TLS1_3 */
2542 static int clntaddoldcb = 0;
2543 static int clntparseoldcb = 0;
2544 static int srvaddoldcb = 0;
2545 static int srvparseoldcb = 0;
2546 static int clntaddnewcb = 0;
2547 static int clntparsenewcb = 0;
2548 static int srvaddnewcb = 0;
2549 static int srvparsenewcb = 0;
2550 static int snicb = 0;
2552 #define TEST_EXT_TYPE1 0xff00
2554 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2555 size_t *outlen, int *al, void *add_arg)
2557 int *server = (int *)add_arg;
2558 unsigned char *data;
2560 if (SSL_is_server(s))
2565 if (*server != SSL_is_server(s)
2566 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2571 *outlen = sizeof(char);
2575 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2578 OPENSSL_free((unsigned char *)out);
2581 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2582 size_t inlen, int *al, void *parse_arg)
2584 int *server = (int *)parse_arg;
2586 if (SSL_is_server(s))
2591 if (*server != SSL_is_server(s)
2592 || inlen != sizeof(char)
2599 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2600 const unsigned char **out, size_t *outlen, X509 *x,
2601 size_t chainidx, int *al, void *add_arg)
2603 int *server = (int *)add_arg;
2604 unsigned char *data;
2606 if (SSL_is_server(s))
2611 if (*server != SSL_is_server(s)
2612 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2617 *outlen = sizeof(*data);
2621 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2622 const unsigned char *out, void *add_arg)
2624 OPENSSL_free((unsigned char *)out);
2627 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2628 const unsigned char *in, size_t inlen, X509 *x,
2629 size_t chainidx, int *al, void *parse_arg)
2631 int *server = (int *)parse_arg;
2633 if (SSL_is_server(s))
2638 if (*server != SSL_is_server(s)
2639 || inlen != sizeof(char) || *in != 1)
2645 static int sni_cb(SSL *s, int *al, void *arg)
2647 SSL_CTX *ctx = (SSL_CTX *)arg;
2649 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2650 *al = SSL_AD_INTERNAL_ERROR;
2651 return SSL_TLSEXT_ERR_ALERT_FATAL;
2654 return SSL_TLSEXT_ERR_OK;
2658 * Custom call back tests.
2659 * Test 0: Old style callbacks in TLSv1.2
2660 * Test 1: New style callbacks in TLSv1.2
2661 * Test 2: New style callbacks in TLSv1.2 with SNI
2662 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2663 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2665 static int test_custom_exts(int tst)
2667 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2668 SSL *clientssl = NULL, *serverssl = NULL;
2670 static int server = 1;
2671 static int client = 0;
2672 SSL_SESSION *sess = NULL;
2673 unsigned int context;
2675 /* Reset callback counters */
2676 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2677 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2680 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2681 TLS_client_method(), &sctx,
2682 &cctx, cert, privkey)))
2686 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2687 NULL, cert, privkey)))
2692 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2693 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2695 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2699 context = SSL_EXT_CLIENT_HELLO
2700 | SSL_EXT_TLS1_2_SERVER_HELLO
2701 | SSL_EXT_TLS1_3_SERVER_HELLO
2702 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2703 | SSL_EXT_TLS1_3_CERTIFICATE
2704 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2706 context = SSL_EXT_CLIENT_HELLO
2707 | SSL_EXT_TLS1_2_SERVER_HELLO
2708 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2711 /* Create a client side custom extension */
2713 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2714 old_add_cb, old_free_cb,
2715 &client, old_parse_cb,
2719 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2720 new_add_cb, new_free_cb,
2721 &client, new_parse_cb, &client)))
2725 /* Should not be able to add duplicates */
2726 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2727 old_add_cb, old_free_cb,
2728 &client, old_parse_cb,
2730 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
2731 context, new_add_cb,
2732 new_free_cb, &client,
2733 new_parse_cb, &client)))
2736 /* Create a server side custom extension */
2738 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2739 old_add_cb, old_free_cb,
2740 &server, old_parse_cb,
2744 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
2745 new_add_cb, new_free_cb,
2746 &server, new_parse_cb, &server)))
2749 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
2750 context, new_add_cb,
2751 new_free_cb, &server,
2752 new_parse_cb, &server)))
2756 /* Should not be able to add duplicates */
2757 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2758 old_add_cb, old_free_cb,
2759 &server, old_parse_cb,
2761 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
2762 context, new_add_cb,
2763 new_free_cb, &server,
2764 new_parse_cb, &server)))
2769 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
2770 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
2774 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2775 &clientssl, NULL, NULL))
2776 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2781 if (clntaddoldcb != 1
2782 || clntparseoldcb != 1
2784 || srvparseoldcb != 1)
2786 } else if (tst == 1 || tst == 2 || tst == 3) {
2787 if (clntaddnewcb != 1
2788 || clntparsenewcb != 1
2790 || srvparsenewcb != 1
2791 || (tst != 2 && snicb != 0)
2792 || (tst == 2 && snicb != 1))
2795 if (clntaddnewcb != 1
2796 || clntparsenewcb != 4
2798 || srvparsenewcb != 1)
2802 sess = SSL_get1_session(clientssl);
2803 SSL_shutdown(clientssl);
2804 SSL_shutdown(serverssl);
2805 SSL_free(serverssl);
2806 SSL_free(clientssl);
2807 serverssl = clientssl = NULL;
2810 /* We don't bother with the resumption aspects for this test */
2815 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2817 || !TEST_true(SSL_set_session(clientssl, sess))
2818 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2823 * For a resumed session we expect to add the ClientHello extension. For the
2824 * old style callbacks we ignore it on the server side because they set
2825 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
2829 if (clntaddoldcb != 2
2830 || clntparseoldcb != 1
2832 || srvparseoldcb != 1)
2834 } else if (tst == 1 || tst == 2 || tst == 3) {
2835 if (clntaddnewcb != 2
2836 || clntparsenewcb != 2
2838 || srvparsenewcb != 2)
2841 /* No Certificate message extensions in the resumption handshake */
2842 if (clntaddnewcb != 2
2843 || clntparsenewcb != 7
2845 || srvparsenewcb != 2)
2852 SSL_SESSION_free(sess);
2853 SSL_free(serverssl);
2854 SSL_free(clientssl);
2855 SSL_CTX_free(sctx2);
2862 * Test loading of serverinfo data in various formats. test_sslmessages actually
2863 * tests to make sure the extensions appear in the handshake
2865 static int test_serverinfo(int tst)
2867 unsigned int version;
2868 unsigned char *sibuf;
2870 int ret, expected, testresult = 0;
2873 ctx = SSL_CTX_new(TLS_method());
2877 if ((tst & 0x01) == 0x01)
2878 version = SSL_SERVERINFOV2;
2880 version = SSL_SERVERINFOV1;
2882 if ((tst & 0x02) == 0x02) {
2883 sibuf = serverinfov2;
2884 sibuflen = sizeof(serverinfov2);
2885 expected = (version == SSL_SERVERINFOV2);
2887 sibuf = serverinfov1;
2888 sibuflen = sizeof(serverinfov1);
2889 expected = (version == SSL_SERVERINFOV1);
2892 if ((tst & 0x04) == 0x04) {
2893 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
2895 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
2898 * The version variable is irrelevant in this case - it's what is in the
2899 * buffer that matters
2901 if ((tst & 0x02) == 0x02)
2907 if (!TEST_true(ret == expected))
2919 * Test that SSL_export_keying_material() produces expected results. There are
2920 * no test vectors so all we do is test that both sides of the communication
2921 * produce the same results for different protocol versions.
2923 static int test_export_key_mat(int tst)
2926 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2927 SSL *clientssl = NULL, *serverssl = NULL;
2928 const char label[] = "test label";
2929 const unsigned char context[] = "context";
2930 const unsigned char *emptycontext = NULL;
2931 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
2932 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
2933 const int protocols[] = {
2940 #ifdef OPENSSL_NO_TLS1
2944 #ifdef OPENSSL_NO_TLS1_1
2948 #ifdef OPENSSL_NO_TLS1_2
2952 #ifdef OPENSSL_NO_TLS1_3
2956 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2957 TLS_client_method(), &sctx,
2958 &cctx, cert, privkey)))
2961 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
2962 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
2963 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
2967 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2971 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
2972 sizeof(ckeymat1), label,
2973 sizeof(label) - 1, context,
2974 sizeof(context) - 1, 1), 1)
2975 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
2976 sizeof(ckeymat2), label,
2980 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
2981 sizeof(ckeymat3), label,
2984 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
2985 sizeof(skeymat1), label,
2988 sizeof(context) -1, 1),
2990 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
2991 sizeof(skeymat2), label,
2995 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
2996 sizeof(skeymat3), label,
3000 * Check that both sides created the same key material with the
3003 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3006 * Check that both sides created the same key material with an
3009 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3012 * Check that both sides created the same key material without a
3015 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3017 /* Different contexts should produce different results */
3018 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3023 * Check that an empty context and no context produce different results in
3024 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3026 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3028 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3035 SSL_free(serverssl);
3036 SSL_free(clientssl);
3037 SSL_CTX_free(sctx2);
3044 static int test_ssl_clear(int idx)
3046 SSL_CTX *cctx = NULL, *sctx = NULL;
3047 SSL *clientssl = NULL, *serverssl = NULL;
3050 #ifdef OPENSSL_NO_TLS1_2
3055 /* Create an initial connection */
3056 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3057 TLS_client_method(), &sctx,
3058 &cctx, cert, privkey))
3060 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3062 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3063 &clientssl, NULL, NULL))
3064 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3068 SSL_shutdown(clientssl);
3069 SSL_shutdown(serverssl);
3070 SSL_free(serverssl);
3073 /* Clear clientssl - we're going to reuse the object */
3074 if (!TEST_true(SSL_clear(clientssl)))
3077 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3079 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3081 || !TEST_true(SSL_session_reused(clientssl)))
3084 SSL_shutdown(clientssl);
3085 SSL_shutdown(serverssl);
3090 SSL_free(serverssl);
3091 SSL_free(clientssl);
3098 int setup_tests(void)
3100 if (!TEST_ptr(cert = test_get_argument(0))
3101 || !TEST_ptr(privkey = test_get_argument(1)))
3104 ADD_TEST(test_large_message_tls);
3105 ADD_TEST(test_large_message_tls_read_ahead);
3106 #ifndef OPENSSL_NO_DTLS
3107 ADD_TEST(test_large_message_dtls);
3109 #ifndef OPENSSL_NO_OCSP
3110 ADD_TEST(test_tlsext_status_type);
3112 ADD_TEST(test_session_with_only_int_cache);
3113 ADD_TEST(test_session_with_only_ext_cache);
3114 ADD_TEST(test_session_with_both_cache);
3115 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
3116 ADD_TEST(test_ssl_bio_pop_next_bio);
3117 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3118 ADD_TEST(test_ssl_bio_change_rbio);
3119 ADD_TEST(test_ssl_bio_change_wbio);
3120 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
3121 ADD_TEST(test_keylog);
3122 #ifndef OPENSSL_NO_TLS1_3
3123 ADD_TEST(test_keylog_no_master_key);
3125 #ifndef OPENSSL_NO_TLS1_2
3126 ADD_TEST(test_early_cb);
3128 #ifndef OPENSSL_NO_TLS1_3
3129 ADD_ALL_TESTS(test_early_data_read_write, 3);
3130 ADD_ALL_TESTS(test_early_data_skip, 3);
3131 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3132 ADD_ALL_TESTS(test_early_data_not_sent, 3);
3133 ADD_ALL_TESTS(test_early_data_psk, 8);
3134 ADD_ALL_TESTS(test_early_data_not_expected, 3);
3135 # ifndef OPENSSL_NO_TLS1_2
3136 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
3139 #ifndef OPENSSL_NO_TLS1_3
3140 ADD_TEST(test_ciphersuite_change);
3141 ADD_TEST(test_tls13_psk);
3142 ADD_ALL_TESTS(test_custom_exts, 5);
3144 ADD_ALL_TESTS(test_custom_exts, 3);
3146 ADD_ALL_TESTS(test_serverinfo, 8);
3147 ADD_ALL_TESTS(test_export_key_mat, 4);
3148 ADD_ALL_TESTS(test_ssl_clear, 2);
3152 void cleanup_tests(void)
3154 bio_s_mempacket_test_free();