2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
18 #include "ssltestlib.h"
20 #include "testutil/output.h"
21 #include "internal/nelem.h"
22 #include "../ssl/ssl_locl.h"
24 static char *cert = NULL;
25 static char *privkey = NULL;
27 #define LOG_BUFFER_SIZE 1024
28 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
29 static size_t server_log_buffer_index = 0;
30 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
31 static size_t client_log_buffer_index = 0;
32 static int error_writing_log = 0;
34 #ifndef OPENSSL_NO_OCSP
35 static const unsigned char orespder[] = "Dummy OCSP Response";
36 static int ocsp_server_called = 0;
37 static int ocsp_client_called = 0;
39 static int cdummyarg = 1;
40 static X509 *ocspcert = NULL;
43 #define NUM_EXTRA_CERTS 40
44 #define CLIENT_VERSION_LEN 2
47 * This structure is used to validate that the correct number of log messages
48 * of various types are emitted when emitting secret logs.
50 struct sslapitest_log_counts {
51 unsigned int rsa_key_exchange_count;
52 unsigned int master_secret_count;
53 unsigned int client_handshake_secret_count;
54 unsigned int server_handshake_secret_count;
55 unsigned int client_application_secret_count;
56 unsigned int server_application_secret_count;
60 static unsigned char serverinfov1[] = {
61 0xff, 0xff, /* Dummy extension type */
62 0x00, 0x01, /* Extension length is 1 byte */
63 0xff /* Dummy extension data */
66 static unsigned char serverinfov2[] = {
68 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
74 static void client_keylog_callback(const SSL *ssl, const char *line)
76 int line_length = strlen(line);
78 /* If the log doesn't fit, error out. */
79 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
80 TEST_info("Client log too full");
81 error_writing_log = 1;
85 strcat(client_log_buffer, line);
86 client_log_buffer_index += line_length;
87 client_log_buffer[client_log_buffer_index++] = '\n';
90 static void server_keylog_callback(const SSL *ssl, const char *line)
92 int line_length = strlen(line);
94 /* If the log doesn't fit, error out. */
95 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
96 TEST_info("Server log too full");
97 error_writing_log = 1;
101 strcat(server_log_buffer, line);
102 server_log_buffer_index += line_length;
103 server_log_buffer[server_log_buffer_index++] = '\n';
106 static int compare_hex_encoded_buffer(const char *hex_encoded,
114 if (!TEST_size_t_eq(raw_length * 2, hex_length))
117 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
118 sprintf(hexed, "%02x", raw[i]);
119 if (!TEST_int_eq(hexed[0], hex_encoded[j])
120 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
127 static int test_keylog_output(char *buffer, const SSL *ssl,
128 const SSL_SESSION *session,
129 struct sslapitest_log_counts *expected)
132 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
133 size_t client_random_size = SSL3_RANDOM_SIZE;
134 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
135 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
136 unsigned int rsa_key_exchange_count = 0;
137 unsigned int master_secret_count = 0;
138 unsigned int client_handshake_secret_count = 0;
139 unsigned int server_handshake_secret_count = 0;
140 unsigned int client_application_secret_count = 0;
141 unsigned int server_application_secret_count = 0;
143 for (token = strtok(buffer, " \n"); token != NULL;
144 token = strtok(NULL, " \n")) {
145 if (strcmp(token, "RSA") == 0) {
147 * Premaster secret. Tokens should be: 16 ASCII bytes of
148 * hex-encoded encrypted secret, then the hex-encoded pre-master
151 if (!TEST_ptr(token = strtok(NULL, " \n")))
153 if (!TEST_size_t_eq(strlen(token), 16))
155 if (!TEST_ptr(token = strtok(NULL, " \n")))
158 * We can't sensibly check the log because the premaster secret is
159 * transient, and OpenSSL doesn't keep hold of it once the master
160 * secret is generated.
162 rsa_key_exchange_count++;
163 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
165 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
166 * client random, then the hex-encoded master secret.
168 client_random_size = SSL_get_client_random(ssl,
169 actual_client_random,
171 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
174 if (!TEST_ptr(token = strtok(NULL, " \n")))
176 if (!TEST_size_t_eq(strlen(token), 64))
178 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
179 actual_client_random,
180 client_random_size)))
183 if (!TEST_ptr(token = strtok(NULL, " \n")))
185 master_key_size = SSL_SESSION_get_master_key(session,
188 if (!TEST_size_t_ne(master_key_size, 0))
190 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
194 master_secret_count++;
195 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
196 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
197 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
198 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
200 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
201 * client random, and then the hex-encoded secret. In this case,
202 * we treat all of these secrets identically and then just
203 * distinguish between them when counting what we saw.
205 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
206 client_handshake_secret_count++;
207 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
208 server_handshake_secret_count++;
209 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
210 client_application_secret_count++;
211 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
212 server_application_secret_count++;
214 client_random_size = SSL_get_client_random(ssl,
215 actual_client_random,
217 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
220 if (!TEST_ptr(token = strtok(NULL, " \n")))
222 if (!TEST_size_t_eq(strlen(token), 64))
224 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
225 actual_client_random,
226 client_random_size)))
229 if (!TEST_ptr(token = strtok(NULL, " \n")))
233 * TODO(TLS1.3): test that application traffic secrets are what
236 TEST_info("Unexpected token %s\n", token);
241 /* Got what we expected? */
242 if (!TEST_size_t_eq(rsa_key_exchange_count,
243 expected->rsa_key_exchange_count)
244 || !TEST_size_t_eq(master_secret_count,
245 expected->master_secret_count)
246 || !TEST_size_t_eq(client_handshake_secret_count,
247 expected->client_handshake_secret_count)
248 || !TEST_size_t_eq(server_handshake_secret_count,
249 expected->server_handshake_secret_count)
250 || !TEST_size_t_eq(client_application_secret_count,
251 expected->client_application_secret_count)
252 || !TEST_size_t_eq(server_application_secret_count,
253 expected->server_application_secret_count))
258 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
259 static int test_keylog(void)
261 SSL_CTX *cctx = NULL, *sctx = NULL;
262 SSL *clientssl = NULL, *serverssl = NULL;
264 struct sslapitest_log_counts expected = {0};
266 /* Clean up logging space */
267 memset(client_log_buffer, 0, sizeof(client_log_buffer));
268 memset(server_log_buffer, 0, sizeof(server_log_buffer));
269 client_log_buffer_index = 0;
270 server_log_buffer_index = 0;
271 error_writing_log = 0;
273 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
275 &sctx, &cctx, cert, privkey)))
278 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
279 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
280 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
282 /* We also want to ensure that we use RSA-based key exchange. */
283 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
286 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
287 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
289 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
290 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
291 == client_keylog_callback))
293 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
294 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
295 == server_keylog_callback))
298 /* Now do a handshake and check that the logs have been written to. */
299 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
300 &clientssl, NULL, NULL))
301 || !TEST_true(create_ssl_connection(serverssl, clientssl,
303 || !TEST_false(error_writing_log)
304 || !TEST_int_gt(client_log_buffer_index, 0)
305 || !TEST_int_gt(server_log_buffer_index, 0))
309 * Now we want to test that our output data was vaguely sensible. We
310 * do that by using strtok and confirming that we have more or less the
311 * data we expect. For both client and server, we expect to see one master
312 * secret. The client should also see a RSA key exchange.
314 expected.rsa_key_exchange_count = 1;
315 expected.master_secret_count = 1;
316 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
317 SSL_get_session(clientssl), &expected)))
320 expected.rsa_key_exchange_count = 0;
321 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
322 SSL_get_session(serverssl), &expected)))
337 #ifndef OPENSSL_NO_TLS1_3
338 static int test_keylog_no_master_key(void)
340 SSL_CTX *cctx = NULL, *sctx = NULL;
341 SSL *clientssl = NULL, *serverssl = NULL;
343 struct sslapitest_log_counts expected = {0};
345 /* Clean up logging space */
346 memset(client_log_buffer, 0, sizeof(client_log_buffer));
347 memset(server_log_buffer, 0, sizeof(server_log_buffer));
348 client_log_buffer_index = 0;
349 server_log_buffer_index = 0;
350 error_writing_log = 0;
352 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
353 TLS_client_method(), &sctx,
354 &cctx, cert, privkey)))
357 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
358 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
361 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
362 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
363 == client_keylog_callback))
366 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
367 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
368 == server_keylog_callback))
371 /* Now do a handshake and check that the logs have been written to. */
372 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
373 &clientssl, NULL, NULL))
374 || !TEST_true(create_ssl_connection(serverssl, clientssl,
376 || !TEST_false(error_writing_log))
380 * Now we want to test that our output data was vaguely sensible. For this
381 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
382 * TLSv1.3, but we do expect both client and server to emit keys.
384 expected.client_handshake_secret_count = 1;
385 expected.server_handshake_secret_count = 1;
386 expected.client_application_secret_count = 1;
387 expected.server_application_secret_count = 1;
388 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
389 SSL_get_session(clientssl), &expected))
390 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
391 SSL_get_session(serverssl),
407 #ifndef OPENSSL_NO_TLS1_2
408 static int full_client_hello_callback(SSL *s, int *al, void *arg)
411 const unsigned char *p;
413 /* We only configure two ciphers, but the SCSV is added automatically. */
415 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
417 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
420 const int expected_extensions[] = {
421 #ifndef OPENSSL_NO_EC
427 /* Make sure we can defer processing and get called back. */
429 return SSL_CLIENT_HELLO_RETRY;
431 len = SSL_client_hello_get0_ciphers(s, &p);
432 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
434 SSL_client_hello_get0_compression_methods(s, &p), 1)
435 || !TEST_int_eq(*p, 0))
436 return SSL_CLIENT_HELLO_ERROR;
437 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
438 return SSL_CLIENT_HELLO_ERROR;
439 if (len != OSSL_NELEM(expected_extensions) ||
440 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
441 printf("ClientHello callback expected extensions mismatch\n");
443 return SSL_CLIENT_HELLO_ERROR;
446 return SSL_CLIENT_HELLO_SUCCESS;
449 static int test_client_hello_cb(void)
451 SSL_CTX *cctx = NULL, *sctx = NULL;
452 SSL *clientssl = NULL, *serverssl = NULL;
453 int testctr = 0, testresult = 0;
455 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
456 TLS_client_method(), &sctx,
457 &cctx, cert, privkey)))
459 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
461 /* The gimpy cipher list we configure can't do TLS 1.3. */
462 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
464 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
465 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
466 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
467 &clientssl, NULL, NULL))
468 || !TEST_false(create_ssl_connection(serverssl, clientssl,
469 SSL_ERROR_WANT_CLIENT_HELLO_CB))
471 * Passing a -1 literal is a hack since
472 * the real value was lost.
474 || !TEST_int_eq(SSL_get_error(serverssl, -1),
475 SSL_ERROR_WANT_CLIENT_HELLO_CB)
476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
492 static int execute_test_large_message(const SSL_METHOD *smeth,
493 const SSL_METHOD *cmeth, int read_ahead)
495 SSL_CTX *cctx = NULL, *sctx = NULL;
496 SSL *clientssl = NULL, *serverssl = NULL;
500 X509 *chaincert = NULL;
503 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
505 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
508 if (!TEST_ptr(chaincert))
511 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
512 &cctx, cert, privkey)))
517 * Test that read_ahead works correctly when dealing with large
520 SSL_CTX_set_read_ahead(cctx, 1);
524 * We assume the supplied certificate is big enough so that if we add
525 * NUM_EXTRA_CERTS it will make the overall message large enough. The
526 * default buffer size is requested to be 16k, but due to the way BUF_MEM
527 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
528 * test we need to have a message larger than that.
530 certlen = i2d_X509(chaincert, NULL);
531 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
532 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
533 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
534 if (!X509_up_ref(chaincert))
536 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
537 X509_free(chaincert);
542 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
544 || !TEST_true(create_ssl_connection(serverssl, clientssl,
549 * Calling SSL_clear() first is not required but this tests that SSL_clear()
550 * doesn't leak (when using enable-crypto-mdebug).
552 if (!TEST_true(SSL_clear(serverssl)))
557 X509_free(chaincert);
566 static int test_large_message_tls(void)
568 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
572 static int test_large_message_tls_read_ahead(void)
574 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
578 #ifndef OPENSSL_NO_DTLS
579 static int test_large_message_dtls(void)
582 * read_ahead is not relevant to DTLS because DTLS always acts as if
585 return execute_test_large_message(DTLS_server_method(),
586 DTLS_client_method(), 0);
590 #ifndef OPENSSL_NO_OCSP
591 static int ocsp_server_cb(SSL *s, void *arg)
593 int *argi = (int *)arg;
594 unsigned char *copy = NULL;
595 STACK_OF(OCSP_RESPID) *ids = NULL;
596 OCSP_RESPID *id = NULL;
599 /* In this test we are expecting exactly 1 OCSP_RESPID */
600 SSL_get_tlsext_status_ids(s, &ids);
601 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
602 return SSL_TLSEXT_ERR_ALERT_FATAL;
604 id = sk_OCSP_RESPID_value(ids, 0);
605 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
606 return SSL_TLSEXT_ERR_ALERT_FATAL;
607 } else if (*argi != 1) {
608 return SSL_TLSEXT_ERR_ALERT_FATAL;
611 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
612 return SSL_TLSEXT_ERR_ALERT_FATAL;
614 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
615 ocsp_server_called = 1;
616 return SSL_TLSEXT_ERR_OK;
619 static int ocsp_client_cb(SSL *s, void *arg)
621 int *argi = (int *)arg;
622 const unsigned char *respderin;
625 if (*argi != 1 && *argi != 2)
628 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
629 if (!TEST_mem_eq(orespder, len, respderin, len))
632 ocsp_client_called = 1;
636 static int test_tlsext_status_type(void)
638 SSL_CTX *cctx = NULL, *sctx = NULL;
639 SSL *clientssl = NULL, *serverssl = NULL;
641 STACK_OF(OCSP_RESPID) *ids = NULL;
642 OCSP_RESPID *id = NULL;
645 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
646 &cctx, cert, privkey))
649 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
652 /* First just do various checks getting and setting tlsext_status_type */
654 clientssl = SSL_new(cctx);
655 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
656 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
657 TLSEXT_STATUSTYPE_ocsp))
658 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
659 TLSEXT_STATUSTYPE_ocsp))
665 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
666 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
669 clientssl = SSL_new(cctx);
670 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
676 * Now actually do a handshake and check OCSP information is exchanged and
677 * the callbacks get called
679 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
680 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
681 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
682 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
683 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
684 &clientssl, NULL, NULL))
685 || !TEST_true(create_ssl_connection(serverssl, clientssl,
687 || !TEST_true(ocsp_client_called)
688 || !TEST_true(ocsp_server_called))
695 /* Try again but this time force the server side callback to fail */
696 ocsp_client_called = 0;
697 ocsp_server_called = 0;
699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
700 &clientssl, NULL, NULL))
701 /* This should fail because the callback will fail */
702 || !TEST_false(create_ssl_connection(serverssl, clientssl,
704 || !TEST_false(ocsp_client_called)
705 || !TEST_false(ocsp_server_called))
713 * This time we'll get the client to send an OCSP_RESPID that it will
716 ocsp_client_called = 0;
717 ocsp_server_called = 0;
719 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
720 &clientssl, NULL, NULL)))
724 * We'll just use any old cert for this test - it doesn't have to be an OCSP
725 * specific one. We'll use the server cert.
727 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
728 || !TEST_ptr(id = OCSP_RESPID_new())
729 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
730 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
732 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
733 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
736 SSL_set_tlsext_status_ids(clientssl, ids);
737 /* Control has been transferred */
743 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
745 || !TEST_true(ocsp_client_called)
746 || !TEST_true(ocsp_server_called))
756 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
757 OCSP_RESPID_free(id);
766 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
767 static int new_called, remove_called, get_called;
769 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
773 * sess has been up-refed for us, but we don't actually need it so free it
776 SSL_SESSION_free(sess);
780 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
785 static SSL_SESSION *get_sess_val = NULL;
787 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
795 static int execute_test_session(int maxprot, int use_int_cache,
798 SSL_CTX *sctx = NULL, *cctx = NULL;
799 SSL *serverssl1 = NULL, *clientssl1 = NULL;
800 SSL *serverssl2 = NULL, *clientssl2 = NULL;
801 # ifndef OPENSSL_NO_TLS1_1
802 SSL *serverssl3 = NULL, *clientssl3 = NULL;
804 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
807 new_called = remove_called = 0;
809 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
810 TLS_client_method(), &sctx,
811 &cctx, cert, privkey)))
815 * Only allow the max protocol version so we can force a connection failure
818 SSL_CTX_set_min_proto_version(cctx, maxprot);
819 SSL_CTX_set_max_proto_version(cctx, maxprot);
821 /* Set up session cache */
823 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
824 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
827 /* Also covers instance where both are set */
828 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
830 SSL_CTX_set_session_cache_mode(cctx,
831 SSL_SESS_CACHE_CLIENT
832 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
837 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
839 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
842 /* Should fail because it should already be in the cache */
843 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
846 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
849 new_called = remove_called = 0;
850 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
851 &clientssl2, NULL, NULL))
852 || !TEST_true(SSL_set_session(clientssl2, sess1))
853 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
855 || !TEST_true(SSL_session_reused(clientssl2)))
858 if (maxprot == TLS1_3_VERSION) {
860 * In TLSv1.3 we should have created a new session even though we have
861 * resumed. The original session should also have been removed.
864 && (!TEST_int_eq(new_called, 1)
865 || !TEST_int_eq(remove_called, 1)))
869 * In TLSv1.2 we expect to have resumed so no sessions added or
873 && (!TEST_int_eq(new_called, 0)
874 || !TEST_int_eq(remove_called, 0)))
878 SSL_SESSION_free(sess1);
879 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
881 shutdown_ssl_connection(serverssl2, clientssl2);
882 serverssl2 = clientssl2 = NULL;
884 new_called = remove_called = 0;
885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
886 &clientssl2, NULL, NULL))
887 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
891 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
895 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
898 new_called = remove_called = 0;
900 * This should clear sess2 from the cache because it is a "bad" session.
901 * See SSL_set_session() documentation.
903 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
906 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
908 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
912 /* Should succeeded because it should not already be in the cache */
913 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
914 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
918 new_called = remove_called = 0;
919 /* This shouldn't be in the cache so should fail */
920 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
924 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
927 # if !defined(OPENSSL_NO_TLS1_1)
928 new_called = remove_called = 0;
929 /* Force a connection failure */
930 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
932 &clientssl3, NULL, NULL))
933 || !TEST_true(SSL_set_session(clientssl3, sess1))
934 /* This should fail because of the mismatched protocol versions */
935 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
939 /* We should have automatically removed the session from the cache */
941 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
944 /* Should succeed because it should not already be in the cache */
945 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
949 /* Now do some tests for server side caching */
951 SSL_CTX_sess_set_new_cb(cctx, NULL);
952 SSL_CTX_sess_set_remove_cb(cctx, NULL);
953 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
954 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
955 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
959 SSL_CTX_set_session_cache_mode(cctx, 0);
960 /* Internal caching is the default on the server side */
962 SSL_CTX_set_session_cache_mode(sctx,
963 SSL_SESS_CACHE_SERVER
964 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
966 SSL_free(serverssl1);
967 SSL_free(clientssl1);
968 serverssl1 = clientssl1 = NULL;
969 SSL_free(serverssl2);
970 SSL_free(clientssl2);
971 serverssl2 = clientssl2 = NULL;
972 SSL_SESSION_free(sess1);
974 SSL_SESSION_free(sess2);
977 SSL_CTX_set_max_proto_version(sctx, maxprot);
978 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
979 new_called = remove_called = get_called = 0;
980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
982 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
984 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
985 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
988 /* Should fail because it should already be in the cache */
989 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
993 SSL_SESSION *tmp = sess2;
995 if (!TEST_int_eq(new_called, 1)
996 || !TEST_int_eq(remove_called, 0)
997 || !TEST_int_eq(get_called, 0))
1000 * Delete the session from the internal cache to force a lookup from
1001 * the external cache. We take a copy first because
1002 * SSL_CTX_remove_session() also marks the session as non-resumable.
1004 if (use_int_cache) {
1005 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1006 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1008 SSL_SESSION_free(sess2);
1013 new_called = remove_called = get_called = 0;
1014 get_sess_val = sess2;
1015 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1016 &clientssl2, NULL, NULL))
1017 || !TEST_true(SSL_set_session(clientssl2, sess1))
1018 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1020 || !TEST_true(SSL_session_reused(clientssl2)))
1023 if (use_ext_cache) {
1024 if (!TEST_int_eq(new_called, 0)
1025 || !TEST_int_eq(remove_called, 0))
1028 if (maxprot == TLS1_3_VERSION) {
1029 if (!TEST_int_eq(get_called, 0))
1032 if (!TEST_int_eq(get_called, 1))
1040 SSL_free(serverssl1);
1041 SSL_free(clientssl1);
1042 SSL_free(serverssl2);
1043 SSL_free(clientssl2);
1044 # ifndef OPENSSL_NO_TLS1_1
1045 SSL_free(serverssl3);
1046 SSL_free(clientssl3);
1048 SSL_SESSION_free(sess1);
1049 SSL_SESSION_free(sess2);
1055 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1057 static int test_session_with_only_int_cache(void)
1059 #ifndef OPENSSL_NO_TLS1_3
1060 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1064 #ifndef OPENSSL_NO_TLS1_2
1065 return execute_test_session(TLS1_2_VERSION, 1, 0);
1071 static int test_session_with_only_ext_cache(void)
1073 #ifndef OPENSSL_NO_TLS1_3
1074 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1078 #ifndef OPENSSL_NO_TLS1_2
1079 return execute_test_session(TLS1_2_VERSION, 0, 1);
1085 static int test_session_with_both_cache(void)
1087 #ifndef OPENSSL_NO_TLS1_3
1088 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1092 #ifndef OPENSSL_NO_TLS1_2
1093 return execute_test_session(TLS1_2_VERSION, 1, 1);
1103 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1105 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1120 static int test_ssl_set_bio(int idx)
1125 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1127 int initrbio, initwbio, newrbio, newwbio;
1137 if (!TEST_int_le(newwbio, 2))
1140 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1141 || !TEST_ptr(ssl = SSL_new(ctx)))
1144 if (initrbio == USE_BIO_1
1145 || initwbio == USE_BIO_1
1146 || newrbio == USE_BIO_1
1147 || newwbio == USE_BIO_1) {
1148 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1152 if (initrbio == USE_BIO_2
1153 || initwbio == USE_BIO_2
1154 || newrbio == USE_BIO_2
1155 || newwbio == USE_BIO_2) {
1156 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1160 setupbio(&irbio, bio1, bio2, initrbio);
1161 setupbio(&iwbio, bio1, bio2, initwbio);
1164 * We want to maintain our own refs to these BIO, so do an up ref for each
1165 * BIO that will have ownership transferred in the SSL_set_bio() call
1169 if (iwbio != NULL && iwbio != irbio)
1172 SSL_set_bio(ssl, irbio, iwbio);
1174 setupbio(&nrbio, bio1, bio2, newrbio);
1175 setupbio(&nwbio, bio1, bio2, newwbio);
1178 * We will (maybe) transfer ownership again so do more up refs.
1179 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1184 && (nwbio != iwbio || nrbio != nwbio))
1188 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1191 SSL_set_bio(ssl, nrbio, nwbio);
1201 * This test is checking that the ref counting for SSL_set_bio is correct.
1202 * If we get here and we did too many frees then we will fail in the above
1203 * functions. If we haven't done enough then this will only be detected in
1204 * a crypto-mdebug build
1210 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1212 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1214 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1219 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1220 || !TEST_ptr(ssl = SSL_new(ctx))
1221 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1222 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1225 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1228 * If anything goes wrong here then we could leak memory, so this will
1229 * be caught in a crypto-mdebug build
1231 BIO_push(sslbio, membio1);
1233 /* Verify changing the rbio/wbio directly does not cause leaks */
1234 if (change_bio != NO_BIO_CHANGE) {
1235 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1237 if (change_bio == CHANGE_RBIO)
1238 SSL_set0_rbio(ssl, membio2);
1240 SSL_set0_wbio(ssl, membio2);
1259 static int test_ssl_bio_pop_next_bio(void)
1261 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1264 static int test_ssl_bio_pop_ssl_bio(void)
1266 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1269 static int test_ssl_bio_change_rbio(void)
1271 return execute_test_ssl_bio(0, CHANGE_RBIO);
1274 static int test_ssl_bio_change_wbio(void)
1276 return execute_test_ssl_bio(0, CHANGE_WBIO);
1279 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1281 /* The list of sig algs */
1283 /* The length of the list */
1285 /* A sigalgs list in string format */
1286 const char *liststr;
1287 /* Whether setting the list should succeed */
1289 /* Whether creating a connection with the list should succeed */
1293 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1294 # ifndef OPENSSL_NO_EC
1295 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1296 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1298 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1299 static const int invalidlist2[] = {NID_sha256, NID_undef};
1300 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1301 static const int invalidlist4[] = {NID_sha256};
1302 static const sigalgs_list testsigalgs[] = {
1303 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1304 # ifndef OPENSSL_NO_EC
1305 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1306 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1308 {NULL, 0, "RSA+SHA256", 1, 1},
1309 # ifndef OPENSSL_NO_EC
1310 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1311 {NULL, 0, "ECDSA+SHA512", 1, 0},
1313 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1314 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1315 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1316 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1317 {NULL, 0, "RSA", 0, 0},
1318 {NULL, 0, "SHA256", 0, 0},
1319 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1320 {NULL, 0, "Invalid", 0, 0}
1323 static int test_set_sigalgs(int idx)
1325 SSL_CTX *cctx = NULL, *sctx = NULL;
1326 SSL *clientssl = NULL, *serverssl = NULL;
1328 const sigalgs_list *curr;
1331 /* Should never happen */
1332 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1335 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1336 curr = testctx ? &testsigalgs[idx]
1337 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1339 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1340 TLS_client_method(), &sctx,
1341 &cctx, cert, privkey)))
1345 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1346 * for TLSv1.2 for now until we add a new API.
1348 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1353 if (curr->list != NULL)
1354 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1356 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1360 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1366 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1372 &clientssl, NULL, NULL)))
1378 if (curr->list != NULL)
1379 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1381 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1384 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1393 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1401 SSL_free(serverssl);
1402 SSL_free(clientssl);
1410 #ifndef OPENSSL_NO_TLS1_3
1412 static SSL_SESSION *clientpsk = NULL;
1413 static SSL_SESSION *serverpsk = NULL;
1414 static const char *pskid = "Identity";
1415 static const char *srvid;
1417 static int use_session_cb_cnt = 0;
1418 static int find_session_cb_cnt = 0;
1419 static int psk_client_cb_cnt = 0;
1420 static int psk_server_cb_cnt = 0;
1422 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1423 size_t *idlen, SSL_SESSION **sess)
1425 switch (++use_session_cb_cnt) {
1427 /* The first call should always have a NULL md */
1433 /* The second call should always have an md */
1439 /* We should only be called a maximum of twice */
1443 if (clientpsk != NULL)
1444 SSL_SESSION_up_ref(clientpsk);
1447 *id = (const unsigned char *)pskid;
1448 *idlen = strlen(pskid);
1453 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1454 unsigned int max_id_len,
1456 unsigned int max_psk_len)
1458 unsigned int psklen = 0;
1460 psk_client_cb_cnt++;
1462 if (strlen(pskid) + 1 > max_id_len)
1465 /* We should only ever be called a maximum of twice per connection */
1466 if (psk_client_cb_cnt > 2)
1469 if (clientpsk == NULL)
1472 /* We'll reuse the PSK we set up for TLSv1.3 */
1473 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1475 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1476 strncpy(id, pskid, max_id_len);
1481 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1482 size_t identity_len, SSL_SESSION **sess)
1484 find_session_cb_cnt++;
1486 /* We should only ever be called a maximum of twice per connection */
1487 if (find_session_cb_cnt > 2)
1490 if (serverpsk == NULL)
1493 /* Identity should match that set by the client */
1494 if (strlen(srvid) != identity_len
1495 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1496 /* No PSK found, continue but without a PSK */
1501 SSL_SESSION_up_ref(serverpsk);
1507 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1508 unsigned char *psk, unsigned int max_psk_len)
1510 unsigned int psklen = 0;
1512 psk_server_cb_cnt++;
1514 /* We should only ever be called a maximum of twice per connection */
1515 if (find_session_cb_cnt > 2)
1518 if (serverpsk == NULL)
1521 /* Identity should match that set by the client */
1522 if (strcmp(srvid, identity) != 0) {
1526 /* We'll reuse the PSK we set up for TLSv1.3 */
1527 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1529 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1534 #define MSG1 "Hello"
1535 #define MSG2 "World."
1540 #define MSG7 "message."
1542 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1543 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1546 * Helper method to setup objects for early data test. Caller frees objects on
1549 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1550 SSL **serverssl, SSL_SESSION **sess, int idx)
1552 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1553 TLS_client_method(), sctx,
1554 cctx, cert, privkey))
1555 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1556 SSL3_RT_MAX_PLAIN_LENGTH))
1557 || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
1558 SSL3_RT_MAX_PLAIN_LENGTH)))
1562 /* When idx == 1 we repeat the tests with read_ahead set */
1563 SSL_CTX_set_read_ahead(*cctx, 1);
1564 SSL_CTX_set_read_ahead(*sctx, 1);
1565 } else if (idx == 2) {
1566 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1567 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1568 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1569 use_session_cb_cnt = 0;
1570 find_session_cb_cnt = 0;
1574 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1579 * For one of the run throughs (doesn't matter which one), we'll try sending
1580 * some SNI data in the initial ClientHello. This will be ignored (because
1581 * there is no SNI cb set up by the server), so it should not impact
1585 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1589 /* Create the PSK */
1590 const SSL_CIPHER *cipher = NULL;
1591 const unsigned char key[] = {
1592 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1593 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1594 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1595 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1596 0x2c, 0x2d, 0x2e, 0x2f
1599 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1600 clientpsk = SSL_SESSION_new();
1601 if (!TEST_ptr(clientpsk)
1602 || !TEST_ptr(cipher)
1603 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1605 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1607 SSL_SESSION_set_protocol_version(clientpsk,
1610 * We just choose an arbitrary value for max_early_data which
1611 * should be big enough for testing purposes.
1613 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1615 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1616 SSL_SESSION_free(clientpsk);
1620 serverpsk = clientpsk;
1630 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1634 *sess = SSL_get1_session(*clientssl);
1635 SSL_shutdown(*clientssl);
1636 SSL_shutdown(*serverssl);
1637 SSL_free(*serverssl);
1638 SSL_free(*clientssl);
1639 *serverssl = *clientssl = NULL;
1641 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1642 clientssl, NULL, NULL))
1643 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1649 static int test_early_data_read_write(int idx)
1651 SSL_CTX *cctx = NULL, *sctx = NULL;
1652 SSL *clientssl = NULL, *serverssl = NULL;
1654 SSL_SESSION *sess = NULL;
1655 unsigned char buf[20], data[1024];
1656 size_t readbytes, written, eoedlen, rawread, rawwritten;
1659 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1660 &serverssl, &sess, idx)))
1663 /* Write and read some early data */
1664 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1666 || !TEST_size_t_eq(written, strlen(MSG1))
1667 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1668 sizeof(buf), &readbytes),
1669 SSL_READ_EARLY_DATA_SUCCESS)
1670 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1671 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1672 SSL_EARLY_DATA_ACCEPTED))
1676 * Server should be able to write data, and client should be able to
1679 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1681 || !TEST_size_t_eq(written, strlen(MSG2))
1682 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1683 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1686 /* Even after reading normal data, client should be able write early data */
1687 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1689 || !TEST_size_t_eq(written, strlen(MSG3)))
1692 /* Server should still be able read early data after writing data */
1693 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1695 SSL_READ_EARLY_DATA_SUCCESS)
1696 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1699 /* Write more data from server and read it from client */
1700 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1702 || !TEST_size_t_eq(written, strlen(MSG4))
1703 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1704 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1708 * If client writes normal data it should mean writing early data is no
1711 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1712 || !TEST_size_t_eq(written, strlen(MSG5))
1713 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1714 SSL_EARLY_DATA_ACCEPTED))
1718 * At this point the client has written EndOfEarlyData, ClientFinished and
1719 * normal (fully protected) data. We are going to cause a delay between the
1720 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1721 * in the read BIO, and then just put back the EndOfEarlyData message.
1723 rbio = SSL_get_rbio(serverssl);
1724 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1725 || !TEST_size_t_lt(rawread, sizeof(data))
1726 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1729 /* Record length is in the 4th and 5th bytes of the record header */
1730 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1731 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1732 || !TEST_size_t_eq(rawwritten, eoedlen))
1735 /* Server should be told that there is no more early data */
1736 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1738 SSL_READ_EARLY_DATA_FINISH)
1739 || !TEST_size_t_eq(readbytes, 0))
1743 * Server has not finished init yet, so should still be able to write early
1746 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1748 || !TEST_size_t_eq(written, strlen(MSG6)))
1751 /* Push the ClientFinished and the normal data back into the server rbio */
1752 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1754 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1757 /* Server should be able to read normal data */
1758 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1759 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1762 /* Client and server should not be able to write/read early data now */
1763 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1767 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1769 SSL_READ_EARLY_DATA_ERROR))
1773 /* Client should be able to read the data sent by the server */
1774 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1775 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1779 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1780 * We attempt a read which we do not expect to return any data.
1782 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1785 /* Server should be able to write normal data */
1786 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1787 || !TEST_size_t_eq(written, strlen(MSG7))
1788 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1789 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1792 /* We keep the PSK session around if using PSK */
1794 SSL_SESSION_free(sess);
1795 sess = SSL_get1_session(clientssl);
1796 use_session_cb_cnt = 0;
1797 find_session_cb_cnt = 0;
1799 SSL_shutdown(clientssl);
1800 SSL_shutdown(serverssl);
1801 SSL_free(serverssl);
1802 SSL_free(clientssl);
1803 serverssl = clientssl = NULL;
1804 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1805 &clientssl, NULL, NULL))
1806 || !TEST_true(SSL_set_session(clientssl, sess)))
1809 /* Write and read some early data */
1810 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1812 || !TEST_size_t_eq(written, strlen(MSG1))
1813 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1815 SSL_READ_EARLY_DATA_SUCCESS)
1816 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1819 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1820 || !TEST_int_gt(SSL_accept(serverssl), 0))
1823 /* Client and server should not be able to write/read early data now */
1824 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1828 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1830 SSL_READ_EARLY_DATA_ERROR))
1834 /* Client and server should be able to write/read normal data */
1835 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1836 || !TEST_size_t_eq(written, strlen(MSG5))
1837 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1838 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1844 if (sess != clientpsk)
1845 SSL_SESSION_free(sess);
1846 SSL_SESSION_free(clientpsk);
1847 SSL_SESSION_free(serverpsk);
1848 clientpsk = serverpsk = NULL;
1849 SSL_free(serverssl);
1850 SSL_free(clientssl);
1857 * Helper function to test that a server attempting to read early data can
1858 * handle a connection from a client where the early data should be skipped.
1860 static int early_data_skip_helper(int hrr, int idx)
1862 SSL_CTX *cctx = NULL, *sctx = NULL;
1863 SSL *clientssl = NULL, *serverssl = NULL;
1865 SSL_SESSION *sess = NULL;
1866 unsigned char buf[20];
1867 size_t readbytes, written;
1869 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1870 &serverssl, &sess, idx)))
1874 /* Force an HRR to occur */
1875 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1877 } else if (idx == 2) {
1879 * We force early_data rejection by ensuring the PSK identity is
1882 srvid = "Dummy Identity";
1885 * Deliberately corrupt the creation time. We take 20 seconds off the
1886 * time. It could be any value as long as it is not within tolerance.
1887 * This should mean the ticket is rejected.
1889 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
1893 /* Write some early data */
1894 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1896 || !TEST_size_t_eq(written, strlen(MSG1)))
1899 /* Server should reject the early data and skip over it */
1900 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1902 SSL_READ_EARLY_DATA_FINISH)
1903 || !TEST_size_t_eq(readbytes, 0)
1904 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1905 SSL_EARLY_DATA_REJECTED))
1910 * Finish off the handshake. We perform the same writes and reads as
1911 * further down but we expect them to fail due to the incomplete
1914 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1915 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1920 /* Should be able to send normal data despite rejection of early data */
1921 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1922 || !TEST_size_t_eq(written, strlen(MSG2))
1923 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1924 SSL_EARLY_DATA_REJECTED)
1925 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1926 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1932 if (sess != clientpsk)
1933 SSL_SESSION_free(clientpsk);
1934 SSL_SESSION_free(serverpsk);
1935 clientpsk = serverpsk = NULL;
1936 SSL_SESSION_free(sess);
1937 SSL_free(serverssl);
1938 SSL_free(clientssl);
1945 * Test that a server attempting to read early data can handle a connection
1946 * from a client where the early data is not acceptable.
1948 static int test_early_data_skip(int idx)
1950 return early_data_skip_helper(0, idx);
1954 * Test that a server attempting to read early data can handle a connection
1955 * from a client where an HRR occurs.
1957 static int test_early_data_skip_hrr(int idx)
1959 return early_data_skip_helper(1, idx);
1963 * Test that a server attempting to read early data can handle a connection
1964 * from a client that doesn't send any.
1966 static int test_early_data_not_sent(int idx)
1968 SSL_CTX *cctx = NULL, *sctx = NULL;
1969 SSL *clientssl = NULL, *serverssl = NULL;
1971 SSL_SESSION *sess = NULL;
1972 unsigned char buf[20];
1973 size_t readbytes, written;
1975 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1976 &serverssl, &sess, idx)))
1979 /* Write some data - should block due to handshake with server */
1980 SSL_set_connect_state(clientssl);
1981 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1984 /* Server should detect that early data has not been sent */
1985 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1987 SSL_READ_EARLY_DATA_FINISH)
1988 || !TEST_size_t_eq(readbytes, 0)
1989 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1990 SSL_EARLY_DATA_NOT_SENT)
1991 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1992 SSL_EARLY_DATA_NOT_SENT))
1995 /* Continue writing the message we started earlier */
1996 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1997 || !TEST_size_t_eq(written, strlen(MSG1))
1998 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1999 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2000 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2001 || !TEST_size_t_eq(written, strlen(MSG2)))
2005 * Should block due to the NewSessionTicket arrival unless we're using
2009 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2013 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2014 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2020 /* If using PSK then clientpsk and sess are the same */
2021 SSL_SESSION_free(sess);
2022 SSL_SESSION_free(serverpsk);
2023 clientpsk = serverpsk = NULL;
2024 SSL_free(serverssl);
2025 SSL_free(clientssl);
2031 static int hostname_cb(SSL *s, int *al, void *arg)
2033 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2035 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2036 return SSL_TLSEXT_ERR_OK;
2038 return SSL_TLSEXT_ERR_NOACK;
2041 static const char *servalpn;
2043 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2044 unsigned char *outlen, const unsigned char *in,
2045 unsigned int inlen, void *arg)
2047 unsigned int protlen = 0;
2048 const unsigned char *prot;
2050 for (prot = in; prot < in + inlen; prot += protlen) {
2052 if (in + inlen < prot + protlen)
2053 return SSL_TLSEXT_ERR_NOACK;
2055 if (protlen == strlen(servalpn)
2056 && memcmp(prot, servalpn, protlen) == 0) {
2059 return SSL_TLSEXT_ERR_OK;
2063 return SSL_TLSEXT_ERR_NOACK;
2066 /* Test that a PSK can be used to send early_data */
2067 static int test_early_data_psk(int idx)
2069 SSL_CTX *cctx = NULL, *sctx = NULL;
2070 SSL *clientssl = NULL, *serverssl = NULL;
2072 SSL_SESSION *sess = NULL;
2073 unsigned char alpnlist[] = {
2074 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2077 #define GOODALPNLEN 9
2078 #define BADALPNLEN 8
2079 #define GOODALPN (alpnlist)
2080 #define BADALPN (alpnlist + GOODALPNLEN)
2082 unsigned char buf[20];
2083 size_t readbytes, written;
2084 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2085 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2087 /* We always set this up with a final parameter of "2" for PSK */
2088 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2089 &serverssl, &sess, 2)))
2092 servalpn = "goodalpn";
2095 * Note: There is no test for inconsistent SNI with late client detection.
2096 * This is because servers do not acknowledge SNI even if they are using
2097 * it in a resumption handshake - so it is not actually possible for a
2098 * client to detect a problem.
2102 /* Set inconsistent SNI (early client detection) */
2103 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2104 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2105 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2110 /* Set inconsistent ALPN (early client detection) */
2111 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2112 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2113 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2115 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2122 * Set invalid protocol version. Technically this affects PSKs without
2123 * early_data too, but we test it here because it is similar to the
2124 * SNI/ALPN consistency tests.
2126 err = SSL_R_BAD_PSK;
2127 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2133 * Set inconsistent SNI (server detected). In this case the connection
2134 * will succeed but reject early_data.
2136 SSL_SESSION_free(serverpsk);
2137 serverpsk = SSL_SESSION_dup(clientpsk);
2138 if (!TEST_ptr(serverpsk)
2139 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2141 edstatus = SSL_EARLY_DATA_REJECTED;
2142 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2145 /* Set consistent SNI */
2146 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2147 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2148 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2155 * Set inconsistent ALPN (server detected). In this case the connection
2156 * will succeed but reject early_data.
2158 servalpn = "badalpn";
2159 edstatus = SSL_EARLY_DATA_REJECTED;
2160 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2164 * Set consistent ALPN.
2165 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2166 * accepts a list of protos (each one length prefixed).
2167 * SSL_set1_alpn_selected accepts a single protocol (not length
2170 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2172 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2176 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2180 /* Set inconsistent ALPN (late client detection) */
2181 SSL_SESSION_free(serverpsk);
2182 serverpsk = SSL_SESSION_dup(clientpsk);
2183 if (!TEST_ptr(serverpsk)
2184 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2187 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2190 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2193 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2194 edstatus = SSL_EARLY_DATA_ACCEPTED;
2195 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2196 /* SSL_connect() call should fail */
2201 TEST_error("Bad test index");
2205 SSL_set_connect_state(clientssl);
2207 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2209 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2210 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2213 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2217 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2218 &readbytes), readearlyres)
2219 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2220 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2221 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2222 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2229 SSL_SESSION_free(clientpsk);
2230 SSL_SESSION_free(serverpsk);
2231 clientpsk = serverpsk = NULL;
2232 SSL_free(serverssl);
2233 SSL_free(clientssl);
2240 * Test that a server that doesn't try to read early data can handle a
2241 * client sending some.
2243 static int test_early_data_not_expected(int idx)
2245 SSL_CTX *cctx = NULL, *sctx = NULL;
2246 SSL *clientssl = NULL, *serverssl = NULL;
2248 SSL_SESSION *sess = NULL;
2249 unsigned char buf[20];
2250 size_t readbytes, written;
2252 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2253 &serverssl, &sess, idx)))
2256 /* Write some early data */
2257 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2262 * Server should skip over early data and then block waiting for client to
2263 * continue handshake
2265 if (!TEST_int_le(SSL_accept(serverssl), 0)
2266 || !TEST_int_gt(SSL_connect(clientssl), 0)
2267 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2268 SSL_EARLY_DATA_REJECTED)
2269 || !TEST_int_gt(SSL_accept(serverssl), 0)
2270 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2271 SSL_EARLY_DATA_REJECTED))
2274 /* Send some normal data from client to server */
2275 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2276 || !TEST_size_t_eq(written, strlen(MSG2)))
2279 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2280 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2286 /* If using PSK then clientpsk and sess are the same */
2287 SSL_SESSION_free(sess);
2288 SSL_SESSION_free(serverpsk);
2289 clientpsk = serverpsk = NULL;
2290 SSL_free(serverssl);
2291 SSL_free(clientssl);
2298 # ifndef OPENSSL_NO_TLS1_2
2300 * Test that a server attempting to read early data can handle a connection
2301 * from a TLSv1.2 client.
2303 static int test_early_data_tls1_2(int idx)
2305 SSL_CTX *cctx = NULL, *sctx = NULL;
2306 SSL *clientssl = NULL, *serverssl = NULL;
2308 unsigned char buf[20];
2309 size_t readbytes, written;
2311 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2312 &serverssl, NULL, idx)))
2315 /* Write some data - should block due to handshake with server */
2316 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2317 SSL_set_connect_state(clientssl);
2318 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2322 * Server should do TLSv1.2 handshake. First it will block waiting for more
2323 * messages from client after ServerDone. Then SSL_read_early_data should
2324 * finish and detect that early data has not been sent
2326 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2328 SSL_READ_EARLY_DATA_ERROR))
2332 * Continue writing the message we started earlier. Will still block waiting
2333 * for the CCS/Finished from server
2335 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2336 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2338 SSL_READ_EARLY_DATA_FINISH)
2339 || !TEST_size_t_eq(readbytes, 0)
2340 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2341 SSL_EARLY_DATA_NOT_SENT))
2344 /* Continue writing the message we started earlier */
2345 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2346 || !TEST_size_t_eq(written, strlen(MSG1))
2347 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2348 SSL_EARLY_DATA_NOT_SENT)
2349 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2350 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2351 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2352 || !TEST_size_t_eq(written, strlen(MSG2))
2353 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2354 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2360 /* If using PSK then clientpsk and sess are the same */
2361 SSL_SESSION_free(clientpsk);
2362 SSL_SESSION_free(serverpsk);
2363 clientpsk = serverpsk = NULL;
2364 SSL_free(serverssl);
2365 SSL_free(clientssl);
2371 # endif /* OPENSSL_NO_TLS1_2 */
2373 static int test_ciphersuite_change(void)
2375 SSL_CTX *cctx = NULL, *sctx = NULL;
2376 SSL *clientssl = NULL, *serverssl = NULL;
2377 SSL_SESSION *clntsess = NULL;
2379 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2381 /* Create a session based on SHA-256 */
2382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2383 TLS_client_method(), &sctx,
2384 &cctx, cert, privkey))
2385 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2386 "TLS_AES_128_GCM_SHA256"))
2387 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2388 &clientssl, NULL, NULL))
2389 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2393 clntsess = SSL_get1_session(clientssl);
2394 /* Save for later */
2395 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2396 SSL_shutdown(clientssl);
2397 SSL_shutdown(serverssl);
2398 SSL_free(serverssl);
2399 SSL_free(clientssl);
2400 serverssl = clientssl = NULL;
2402 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2403 /* Check we can resume a session with a different SHA-256 ciphersuite */
2404 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2405 "TLS_CHACHA20_POLY1305_SHA256"))
2406 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2408 || !TEST_true(SSL_set_session(clientssl, clntsess))
2409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2411 || !TEST_true(SSL_session_reused(clientssl)))
2414 SSL_SESSION_free(clntsess);
2415 clntsess = SSL_get1_session(clientssl);
2416 SSL_shutdown(clientssl);
2417 SSL_shutdown(serverssl);
2418 SSL_free(serverssl);
2419 SSL_free(clientssl);
2420 serverssl = clientssl = NULL;
2424 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2425 * succeeds but does not resume.
2427 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2428 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2430 || !TEST_true(SSL_set_session(clientssl, clntsess))
2431 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2433 || !TEST_false(SSL_session_reused(clientssl)))
2436 SSL_SESSION_free(clntsess);
2438 SSL_shutdown(clientssl);
2439 SSL_shutdown(serverssl);
2440 SSL_free(serverssl);
2441 SSL_free(clientssl);
2442 serverssl = clientssl = NULL;
2444 /* Create a session based on SHA384 */
2445 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2446 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2447 &clientssl, NULL, NULL))
2448 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2452 clntsess = SSL_get1_session(clientssl);
2453 SSL_shutdown(clientssl);
2454 SSL_shutdown(serverssl);
2455 SSL_free(serverssl);
2456 SSL_free(clientssl);
2457 serverssl = clientssl = NULL;
2459 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2460 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2461 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2462 "TLS_AES_256_GCM_SHA384"))
2463 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2465 || !TEST_true(SSL_set_session(clientssl, clntsess))
2467 * We use SSL_ERROR_WANT_READ below so that we can pause the
2468 * connection after the initial ClientHello has been sent to
2469 * enable us to make some session changes.
2471 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2472 SSL_ERROR_WANT_READ)))
2475 /* Trick the client into thinking this session is for a different digest */
2476 clntsess->cipher = aes_128_gcm_sha256;
2477 clntsess->cipher_id = clntsess->cipher->id;
2480 * Continue the previously started connection. Server has selected a SHA-384
2481 * ciphersuite, but client thinks the session is for SHA-256, so it should
2484 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2486 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2487 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2493 SSL_SESSION_free(clntsess);
2494 SSL_free(serverssl);
2495 SSL_free(clientssl);
2502 static int test_tls13_psk(int idx)
2504 SSL_CTX *sctx = NULL, *cctx = NULL;
2505 SSL *serverssl = NULL, *clientssl = NULL;
2506 const SSL_CIPHER *cipher = NULL;
2507 const unsigned char key[] = {
2508 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2509 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2510 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2511 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2515 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2516 TLS_client_method(), &sctx,
2517 &cctx, cert, privkey)))
2521 * We use a ciphersuite with SHA256 to ease testing old style PSK callbacks
2522 * which will always default to SHA256
2524 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")))
2528 * Test 0: New style callbacks only
2529 * Test 1: New and old style callbacks (only the new ones should be used)
2530 * Test 2: Old style callbacks only
2532 if (idx == 0 || idx == 1) {
2533 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2534 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2536 if (idx == 1 || idx == 2) {
2537 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2538 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2541 use_session_cb_cnt = 0;
2542 find_session_cb_cnt = 0;
2543 psk_client_cb_cnt = 0;
2544 psk_server_cb_cnt = 0;
2546 /* Check we can create a connection if callback decides not to send a PSK */
2547 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2551 || !TEST_false(SSL_session_reused(clientssl))
2552 || !TEST_false(SSL_session_reused(serverssl)))
2555 if (idx == 0 || idx == 1) {
2556 if (!TEST_true(use_session_cb_cnt == 1)
2557 || !TEST_true(find_session_cb_cnt == 0)
2559 * If no old style callback then below should be 0
2562 || !TEST_true(psk_client_cb_cnt == idx)
2563 || !TEST_true(psk_server_cb_cnt == 0))
2566 if (!TEST_true(use_session_cb_cnt == 0)
2567 || !TEST_true(find_session_cb_cnt == 0)
2568 || !TEST_true(psk_client_cb_cnt == 1)
2569 || !TEST_true(psk_server_cb_cnt == 0))
2573 shutdown_ssl_connection(serverssl, clientssl);
2574 serverssl = clientssl = NULL;
2575 use_session_cb_cnt = psk_client_cb_cnt = 0;
2577 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2581 /* Create the PSK */
2582 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
2583 clientpsk = SSL_SESSION_new();
2584 if (!TEST_ptr(clientpsk)
2585 || !TEST_ptr(cipher)
2586 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2588 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2589 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2591 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2593 serverpsk = clientpsk;
2595 /* Check we can create a connection and the PSK is used */
2596 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2597 || !TEST_true(SSL_session_reused(clientssl))
2598 || !TEST_true(SSL_session_reused(serverssl)))
2601 if (idx == 0 || idx == 1) {
2602 if (!TEST_true(use_session_cb_cnt == 1)
2603 || !TEST_true(find_session_cb_cnt == 1)
2604 || !TEST_true(psk_client_cb_cnt == 0)
2605 || !TEST_true(psk_server_cb_cnt == 0))
2608 if (!TEST_true(use_session_cb_cnt == 0)
2609 || !TEST_true(find_session_cb_cnt == 0)
2610 || !TEST_true(psk_client_cb_cnt == 1)
2611 || !TEST_true(psk_server_cb_cnt == 1))
2615 shutdown_ssl_connection(serverssl, clientssl);
2616 serverssl = clientssl = NULL;
2617 use_session_cb_cnt = find_session_cb_cnt = 0;
2618 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2625 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2629 * Check we can create a connection, the PSK is used and the callbacks are
2632 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2633 || !TEST_true(SSL_session_reused(clientssl))
2634 || !TEST_true(SSL_session_reused(serverssl)))
2637 if (idx == 0 || idx == 1) {
2638 if (!TEST_true(use_session_cb_cnt == 2)
2639 || !TEST_true(find_session_cb_cnt == 2)
2640 || !TEST_true(psk_client_cb_cnt == 0)
2641 || !TEST_true(psk_server_cb_cnt == 0))
2644 if (!TEST_true(use_session_cb_cnt == 0)
2645 || !TEST_true(find_session_cb_cnt == 0)
2646 || !TEST_true(psk_client_cb_cnt == 2)
2647 || !TEST_true(psk_server_cb_cnt == 2))
2651 shutdown_ssl_connection(serverssl, clientssl);
2652 serverssl = clientssl = NULL;
2653 use_session_cb_cnt = find_session_cb_cnt = 0;
2654 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2657 * Check that if the server rejects the PSK we can still connect, but with
2660 srvid = "Dummy Identity";
2661 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2663 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2665 || !TEST_false(SSL_session_reused(clientssl))
2666 || !TEST_false(SSL_session_reused(serverssl)))
2669 if (idx == 0 || idx == 1) {
2670 if (!TEST_true(use_session_cb_cnt == 1)
2671 || !TEST_true(find_session_cb_cnt == 1)
2672 || !TEST_true(psk_client_cb_cnt == 0)
2674 * If no old style callback then below should be 0
2677 || !TEST_true(psk_server_cb_cnt == idx))
2680 if (!TEST_true(use_session_cb_cnt == 0)
2681 || !TEST_true(find_session_cb_cnt == 0)
2682 || !TEST_true(psk_client_cb_cnt == 1)
2683 || !TEST_true(psk_server_cb_cnt == 1))
2687 shutdown_ssl_connection(serverssl, clientssl);
2688 serverssl = clientssl = NULL;
2692 SSL_SESSION_free(clientpsk);
2693 SSL_SESSION_free(serverpsk);
2694 clientpsk = serverpsk = NULL;
2695 SSL_free(serverssl);
2696 SSL_free(clientssl);
2702 static unsigned char cookie_magic_value[] = "cookie magic";
2704 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2705 unsigned int *cookie_len)
2708 * Not suitable as a real cookie generation function but good enough for
2711 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
2712 *cookie_len = sizeof(cookie_magic_value) - 1;
2717 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
2718 unsigned int cookie_len)
2720 if (cookie_len == sizeof(cookie_magic_value) - 1
2721 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
2727 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
2731 int res = generate_cookie_callback(ssl, cookie, &temp);
2736 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
2739 return verify_cookie_callback(ssl, cookie, cookie_len);
2742 static int test_stateless(void)
2744 SSL_CTX *sctx = NULL, *cctx = NULL;
2745 SSL *serverssl = NULL, *clientssl = NULL;
2748 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2749 TLS_client_method(), &sctx,
2750 &cctx, cert, privkey)))
2753 /* The arrival of CCS messages can confuse the test */
2754 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
2756 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2758 /* Send the first ClientHello */
2759 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2760 SSL_ERROR_WANT_READ))
2762 * This should fail with a -1 return because we have no callbacks
2765 || !TEST_int_eq(SSL_stateless(serverssl), -1))
2768 /* Fatal error so abandon the connection from this client */
2769 SSL_free(clientssl);
2772 /* Set up the cookie generation and verification callbacks */
2773 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
2774 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
2777 * Create a new connection from the client (we can reuse the server SSL
2780 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2782 /* Send the first ClientHello */
2783 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2784 SSL_ERROR_WANT_READ))
2785 /* This should fail because there is no cookie */
2786 || !TEST_int_eq(SSL_stateless(serverssl), 0))
2789 /* Abandon the connection from this client */
2790 SSL_free(clientssl);
2794 * Now create a connection from a new client but with the same server SSL
2797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2799 /* Send the first ClientHello */
2800 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2801 SSL_ERROR_WANT_READ))
2802 /* This should fail because there is no cookie */
2803 || !TEST_int_eq(SSL_stateless(serverssl), 0)
2804 /* Send the second ClientHello */
2805 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2806 SSL_ERROR_WANT_READ))
2807 /* This should succeed because a cookie is now present */
2808 || !TEST_int_eq(SSL_stateless(serverssl), 1)
2809 /* Complete the connection */
2810 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2814 shutdown_ssl_connection(serverssl, clientssl);
2815 serverssl = clientssl = NULL;
2819 SSL_free(serverssl);
2820 SSL_free(clientssl);
2826 #endif /* OPENSSL_NO_TLS1_3 */
2828 static int clntaddoldcb = 0;
2829 static int clntparseoldcb = 0;
2830 static int srvaddoldcb = 0;
2831 static int srvparseoldcb = 0;
2832 static int clntaddnewcb = 0;
2833 static int clntparsenewcb = 0;
2834 static int srvaddnewcb = 0;
2835 static int srvparsenewcb = 0;
2836 static int snicb = 0;
2838 #define TEST_EXT_TYPE1 0xff00
2840 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2841 size_t *outlen, int *al, void *add_arg)
2843 int *server = (int *)add_arg;
2844 unsigned char *data;
2846 if (SSL_is_server(s))
2851 if (*server != SSL_is_server(s)
2852 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2857 *outlen = sizeof(char);
2861 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2864 OPENSSL_free((unsigned char *)out);
2867 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2868 size_t inlen, int *al, void *parse_arg)
2870 int *server = (int *)parse_arg;
2872 if (SSL_is_server(s))
2877 if (*server != SSL_is_server(s)
2878 || inlen != sizeof(char)
2885 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2886 const unsigned char **out, size_t *outlen, X509 *x,
2887 size_t chainidx, int *al, void *add_arg)
2889 int *server = (int *)add_arg;
2890 unsigned char *data;
2892 if (SSL_is_server(s))
2897 if (*server != SSL_is_server(s)
2898 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2903 *outlen = sizeof(*data);
2907 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2908 const unsigned char *out, void *add_arg)
2910 OPENSSL_free((unsigned char *)out);
2913 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2914 const unsigned char *in, size_t inlen, X509 *x,
2915 size_t chainidx, int *al, void *parse_arg)
2917 int *server = (int *)parse_arg;
2919 if (SSL_is_server(s))
2924 if (*server != SSL_is_server(s)
2925 || inlen != sizeof(char) || *in != 1)
2931 static int sni_cb(SSL *s, int *al, void *arg)
2933 SSL_CTX *ctx = (SSL_CTX *)arg;
2935 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2936 *al = SSL_AD_INTERNAL_ERROR;
2937 return SSL_TLSEXT_ERR_ALERT_FATAL;
2940 return SSL_TLSEXT_ERR_OK;
2944 * Custom call back tests.
2945 * Test 0: Old style callbacks in TLSv1.2
2946 * Test 1: New style callbacks in TLSv1.2
2947 * Test 2: New style callbacks in TLSv1.2 with SNI
2948 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2949 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2951 static int test_custom_exts(int tst)
2953 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2954 SSL *clientssl = NULL, *serverssl = NULL;
2956 static int server = 1;
2957 static int client = 0;
2958 SSL_SESSION *sess = NULL;
2959 unsigned int context;
2961 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
2962 /* Skip tests for TLSv1.2 and below in this case */
2967 /* Reset callback counters */
2968 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2969 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2972 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2973 TLS_client_method(), &sctx,
2974 &cctx, cert, privkey)))
2978 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2979 NULL, cert, privkey)))
2984 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2985 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2987 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2991 context = SSL_EXT_CLIENT_HELLO
2992 | SSL_EXT_TLS1_2_SERVER_HELLO
2993 | SSL_EXT_TLS1_3_SERVER_HELLO
2994 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2995 | SSL_EXT_TLS1_3_CERTIFICATE
2996 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2998 context = SSL_EXT_CLIENT_HELLO
2999 | SSL_EXT_TLS1_2_SERVER_HELLO
3000 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3003 /* Create a client side custom extension */
3005 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3006 old_add_cb, old_free_cb,
3007 &client, old_parse_cb,
3011 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3012 new_add_cb, new_free_cb,
3013 &client, new_parse_cb, &client)))
3017 /* Should not be able to add duplicates */
3018 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3019 old_add_cb, old_free_cb,
3020 &client, old_parse_cb,
3022 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3023 context, new_add_cb,
3024 new_free_cb, &client,
3025 new_parse_cb, &client)))
3028 /* Create a server side custom extension */
3030 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3031 old_add_cb, old_free_cb,
3032 &server, old_parse_cb,
3036 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3037 new_add_cb, new_free_cb,
3038 &server, new_parse_cb, &server)))
3041 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3042 context, new_add_cb,
3043 new_free_cb, &server,
3044 new_parse_cb, &server)))
3048 /* Should not be able to add duplicates */
3049 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3050 old_add_cb, old_free_cb,
3051 &server, old_parse_cb,
3053 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3054 context, new_add_cb,
3055 new_free_cb, &server,
3056 new_parse_cb, &server)))
3061 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3062 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3066 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3067 &clientssl, NULL, NULL))
3068 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3073 if (clntaddoldcb != 1
3074 || clntparseoldcb != 1
3076 || srvparseoldcb != 1)
3078 } else if (tst == 1 || tst == 2 || tst == 3) {
3079 if (clntaddnewcb != 1
3080 || clntparsenewcb != 1
3082 || srvparsenewcb != 1
3083 || (tst != 2 && snicb != 0)
3084 || (tst == 2 && snicb != 1))
3087 if (clntaddnewcb != 1
3088 || clntparsenewcb != 4
3090 || srvparsenewcb != 1)
3094 sess = SSL_get1_session(clientssl);
3095 SSL_shutdown(clientssl);
3096 SSL_shutdown(serverssl);
3097 SSL_free(serverssl);
3098 SSL_free(clientssl);
3099 serverssl = clientssl = NULL;
3102 /* We don't bother with the resumption aspects for this test */
3107 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3109 || !TEST_true(SSL_set_session(clientssl, sess))
3110 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3115 * For a resumed session we expect to add the ClientHello extension. For the
3116 * old style callbacks we ignore it on the server side because they set
3117 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3121 if (clntaddoldcb != 2
3122 || clntparseoldcb != 1
3124 || srvparseoldcb != 1)
3126 } else if (tst == 1 || tst == 2 || tst == 3) {
3127 if (clntaddnewcb != 2
3128 || clntparsenewcb != 2
3130 || srvparsenewcb != 2)
3133 /* No Certificate message extensions in the resumption handshake */
3134 if (clntaddnewcb != 2
3135 || clntparsenewcb != 7
3137 || srvparsenewcb != 2)
3144 SSL_SESSION_free(sess);
3145 SSL_free(serverssl);
3146 SSL_free(clientssl);
3147 SSL_CTX_free(sctx2);
3154 * Test loading of serverinfo data in various formats. test_sslmessages actually
3155 * tests to make sure the extensions appear in the handshake
3157 static int test_serverinfo(int tst)
3159 unsigned int version;
3160 unsigned char *sibuf;
3162 int ret, expected, testresult = 0;
3165 ctx = SSL_CTX_new(TLS_method());
3169 if ((tst & 0x01) == 0x01)
3170 version = SSL_SERVERINFOV2;
3172 version = SSL_SERVERINFOV1;
3174 if ((tst & 0x02) == 0x02) {
3175 sibuf = serverinfov2;
3176 sibuflen = sizeof(serverinfov2);
3177 expected = (version == SSL_SERVERINFOV2);
3179 sibuf = serverinfov1;
3180 sibuflen = sizeof(serverinfov1);
3181 expected = (version == SSL_SERVERINFOV1);
3184 if ((tst & 0x04) == 0x04) {
3185 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3187 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3190 * The version variable is irrelevant in this case - it's what is in the
3191 * buffer that matters
3193 if ((tst & 0x02) == 0x02)
3199 if (!TEST_true(ret == expected))
3211 * Test that SSL_export_keying_material() produces expected results. There are
3212 * no test vectors so all we do is test that both sides of the communication
3213 * produce the same results for different protocol versions.
3215 static int test_export_key_mat(int tst)
3218 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3219 SSL *clientssl = NULL, *serverssl = NULL;
3220 const char label[] = "test label";
3221 const unsigned char context[] = "context";
3222 const unsigned char *emptycontext = NULL;
3223 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3224 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3225 const int protocols[] = {
3232 #ifdef OPENSSL_NO_TLS1
3236 #ifdef OPENSSL_NO_TLS1_1
3240 #ifdef OPENSSL_NO_TLS1_2
3244 #ifdef OPENSSL_NO_TLS1_3
3248 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3249 TLS_client_method(), &sctx,
3250 &cctx, cert, privkey)))
3253 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3254 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3255 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3257 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3259 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3263 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3264 sizeof(ckeymat1), label,
3265 sizeof(label) - 1, context,
3266 sizeof(context) - 1, 1), 1)
3267 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3268 sizeof(ckeymat2), label,
3272 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3273 sizeof(ckeymat3), label,
3276 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3277 sizeof(skeymat1), label,
3280 sizeof(context) -1, 1),
3282 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3283 sizeof(skeymat2), label,
3287 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3288 sizeof(skeymat3), label,
3292 * Check that both sides created the same key material with the
3295 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3298 * Check that both sides created the same key material with an
3301 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3304 * Check that both sides created the same key material without a
3307 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3309 /* Different contexts should produce different results */
3310 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3315 * Check that an empty context and no context produce different results in
3316 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3318 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3320 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3327 SSL_free(serverssl);
3328 SSL_free(clientssl);
3329 SSL_CTX_free(sctx2);
3336 #ifndef OPENSSL_NO_TLS1_3
3338 * Test that SSL_export_keying_material_early() produces expected
3339 * results. There are no test vectors so all we do is test that both
3340 * sides of the communication produce the same results for different
3341 * protocol versions.
3343 static int test_export_key_mat_early(int idx)
3345 static const char label[] = "test label";
3346 static const unsigned char context[] = "context";
3348 SSL_CTX *cctx = NULL, *sctx = NULL;
3349 SSL *clientssl = NULL, *serverssl = NULL;
3350 SSL_SESSION *sess = NULL;
3351 const unsigned char *emptycontext = NULL;
3352 unsigned char ckeymat1[80], ckeymat2[80];
3353 unsigned char skeymat1[80], skeymat2[80];
3354 unsigned char buf[1];
3355 size_t readbytes, written;
3357 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3361 /* Here writing 0 length early data is enough. */
3362 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3363 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3365 SSL_READ_EARLY_DATA_ERROR)
3366 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3367 SSL_EARLY_DATA_ACCEPTED))
3370 if (!TEST_int_eq(SSL_export_keying_material_early(
3371 clientssl, ckeymat1, sizeof(ckeymat1), label,
3372 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3373 || !TEST_int_eq(SSL_export_keying_material_early(
3374 clientssl, ckeymat2, sizeof(ckeymat2), label,
3375 sizeof(label) - 1, emptycontext, 0), 1)
3376 || !TEST_int_eq(SSL_export_keying_material_early(
3377 serverssl, skeymat1, sizeof(skeymat1), label,
3378 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3379 || !TEST_int_eq(SSL_export_keying_material_early(
3380 serverssl, skeymat2, sizeof(skeymat2), label,
3381 sizeof(label) - 1, emptycontext, 0), 1)
3383 * Check that both sides created the same key material with the
3386 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3389 * Check that both sides created the same key material with an
3392 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3394 /* Different contexts should produce different results */
3395 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3402 if (sess != clientpsk)
3403 SSL_SESSION_free(sess);
3404 SSL_SESSION_free(clientpsk);
3405 SSL_SESSION_free(serverpsk);
3406 clientpsk = serverpsk = NULL;
3407 SSL_free(serverssl);
3408 SSL_free(clientssl);
3414 #endif /* OPENSSL_NO_TLS1_3 */
3416 static int test_ssl_clear(int idx)
3418 SSL_CTX *cctx = NULL, *sctx = NULL;
3419 SSL *clientssl = NULL, *serverssl = NULL;
3422 #ifdef OPENSSL_NO_TLS1_2
3427 /* Create an initial connection */
3428 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3429 TLS_client_method(), &sctx,
3430 &cctx, cert, privkey))
3432 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3434 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3435 &clientssl, NULL, NULL))
3436 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3440 SSL_shutdown(clientssl);
3441 SSL_shutdown(serverssl);
3442 SSL_free(serverssl);
3445 /* Clear clientssl - we're going to reuse the object */
3446 if (!TEST_true(SSL_clear(clientssl)))
3449 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3451 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3453 || !TEST_true(SSL_session_reused(clientssl)))
3456 SSL_shutdown(clientssl);
3457 SSL_shutdown(serverssl);
3462 SSL_free(serverssl);
3463 SSL_free(clientssl);
3470 /* Parse CH and retrieve any MFL extension value if present */
3471 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3474 unsigned char *data;
3475 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3476 unsigned int MFL_code = 0, type = 0;
3478 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3481 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3482 /* Skip the record header */
3483 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3484 /* Skip the handshake message header */
3485 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3486 /* Skip client version and random */
3487 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3488 + SSL3_RANDOM_SIZE))
3489 /* Skip session id */
3490 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3492 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3493 /* Skip compression */
3494 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3495 /* Extensions len */
3496 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3499 /* Loop through all extensions */
3500 while (PACKET_remaining(&pkt2)) {
3501 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3502 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3505 if (type == TLSEXT_TYPE_max_fragment_length) {
3506 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3507 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3510 *mfl_codemfl_code = MFL_code;
3519 /* Maximum-Fragment-Length TLS extension mode to test */
3520 static const unsigned char max_fragment_len_test[] = {
3521 TLSEXT_max_fragment_length_512,
3522 TLSEXT_max_fragment_length_1024,
3523 TLSEXT_max_fragment_length_2048,
3524 TLSEXT_max_fragment_length_4096
3527 static int test_max_fragment_len_ext(int idx_tst)
3531 int testresult = 0, MFL_mode = 0;
3534 ctx = SSL_CTX_new(TLS_method());
3538 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3539 ctx, max_fragment_len_test[idx_tst])))
3546 rbio = BIO_new(BIO_s_mem());
3547 wbio = BIO_new(BIO_s_mem());
3548 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3554 SSL_set_bio(con, rbio, wbio);
3555 SSL_set_connect_state(con);
3557 if (!TEST_int_le(SSL_connect(con), 0)) {
3558 /* This shouldn't succeed because we don't have a server! */
3562 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3563 /* no MFL in client hello */
3565 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3577 #ifndef OPENSSL_NO_TLS1_3
3578 static int test_pha_key_update(void)
3580 SSL_CTX *cctx = NULL, *sctx = NULL;
3581 SSL *clientssl = NULL, *serverssl = NULL;
3584 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3585 TLS_client_method(),
3586 &sctx, &cctx, cert, privkey)))
3589 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3590 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3591 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3592 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3596 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3600 SSL_force_post_handshake_auth(clientssl);
3602 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3606 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3607 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3610 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3613 /* Start handshake on the server */
3614 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3617 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3618 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3622 SSL_shutdown(clientssl);
3623 SSL_shutdown(serverssl);
3628 SSL_free(serverssl);
3629 SSL_free(clientssl);
3636 int setup_tests(void)
3638 if (!TEST_ptr(cert = test_get_argument(0))
3639 || !TEST_ptr(privkey = test_get_argument(1)))
3642 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
3643 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
3644 TEST_error("not supported in this build");
3647 int i, mcount, rcount, fcount;
3649 for (i = 0; i < 4; i++)
3650 test_export_key_mat(i);
3651 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
3652 test_printf_stdout("malloc %d realloc %d free %d\n",
3653 mcount, rcount, fcount);
3658 ADD_TEST(test_large_message_tls);
3659 ADD_TEST(test_large_message_tls_read_ahead);
3660 #ifndef OPENSSL_NO_DTLS
3661 ADD_TEST(test_large_message_dtls);
3663 #ifndef OPENSSL_NO_OCSP
3664 ADD_TEST(test_tlsext_status_type);
3666 ADD_TEST(test_session_with_only_int_cache);
3667 ADD_TEST(test_session_with_only_ext_cache);
3668 ADD_TEST(test_session_with_both_cache);
3669 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
3670 ADD_TEST(test_ssl_bio_pop_next_bio);
3671 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3672 ADD_TEST(test_ssl_bio_change_rbio);
3673 ADD_TEST(test_ssl_bio_change_wbio);
3674 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
3675 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
3676 ADD_TEST(test_keylog);
3678 #ifndef OPENSSL_NO_TLS1_3
3679 ADD_TEST(test_keylog_no_master_key);
3681 #ifndef OPENSSL_NO_TLS1_2
3682 ADD_TEST(test_client_hello_cb);
3684 #ifndef OPENSSL_NO_TLS1_3
3685 ADD_ALL_TESTS(test_early_data_read_write, 3);
3686 ADD_ALL_TESTS(test_early_data_skip, 3);
3687 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3688 ADD_ALL_TESTS(test_early_data_not_sent, 3);
3689 ADD_ALL_TESTS(test_early_data_psk, 8);
3690 ADD_ALL_TESTS(test_early_data_not_expected, 3);
3691 # ifndef OPENSSL_NO_TLS1_2
3692 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
3695 #ifndef OPENSSL_NO_TLS1_3
3696 ADD_TEST(test_ciphersuite_change);
3697 ADD_ALL_TESTS(test_tls13_psk, 3);
3698 ADD_ALL_TESTS(test_custom_exts, 5);
3699 ADD_TEST(test_stateless);
3700 ADD_TEST(test_pha_key_update);
3702 ADD_ALL_TESTS(test_custom_exts, 3);
3704 ADD_ALL_TESTS(test_serverinfo, 8);
3705 ADD_ALL_TESTS(test_export_key_mat, 4);
3706 #ifndef OPENSSL_NO_TLS1_3
3707 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3709 ADD_ALL_TESTS(test_ssl_clear, 2);
3710 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
3714 void cleanup_tests(void)
3716 bio_s_mempacket_test_free();