2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "../ssl/ssl_locl.h"
27 #ifndef OPENSSL_NO_TLS1_3
29 static SSL_SESSION *clientpsk = NULL;
30 static SSL_SESSION *serverpsk = NULL;
31 static const char *pskid = "Identity";
32 static const char *srvid;
34 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
35 size_t *idlen, SSL_SESSION **sess);
36 static int find_session_cb(SSL *ssl, const unsigned char *identity,
37 size_t identity_len, SSL_SESSION **sess);
39 static int use_session_cb_cnt = 0;
40 static int find_session_cb_cnt = 0;
42 static SSL_SESSION *create_a_psk(SSL *ssl);
45 static char *cert = NULL;
46 static char *privkey = NULL;
47 static char *srpvfile = NULL;
48 static char *tmpfilename = NULL;
50 #define LOG_BUFFER_SIZE 2048
51 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
52 static size_t server_log_buffer_index = 0;
53 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
54 static size_t client_log_buffer_index = 0;
55 static int error_writing_log = 0;
57 #ifndef OPENSSL_NO_OCSP
58 static const unsigned char orespder[] = "Dummy OCSP Response";
59 static int ocsp_server_called = 0;
60 static int ocsp_client_called = 0;
62 static int cdummyarg = 1;
63 static X509 *ocspcert = NULL;
66 #define NUM_EXTRA_CERTS 40
67 #define CLIENT_VERSION_LEN 2
70 * This structure is used to validate that the correct number of log messages
71 * of various types are emitted when emitting secret logs.
73 struct sslapitest_log_counts {
74 unsigned int rsa_key_exchange_count;
75 unsigned int master_secret_count;
76 unsigned int client_early_secret_count;
77 unsigned int client_handshake_secret_count;
78 unsigned int server_handshake_secret_count;
79 unsigned int client_application_secret_count;
80 unsigned int server_application_secret_count;
81 unsigned int early_exporter_secret_count;
82 unsigned int exporter_secret_count;
86 static unsigned char serverinfov1[] = {
87 0xff, 0xff, /* Dummy extension type */
88 0x00, 0x01, /* Extension length is 1 byte */
89 0xff /* Dummy extension data */
92 static unsigned char serverinfov2[] = {
94 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
95 0xff, 0xff, /* Dummy extension type */
96 0x00, 0x01, /* Extension length is 1 byte */
97 0xff /* Dummy extension data */
100 static void client_keylog_callback(const SSL *ssl, const char *line)
102 int line_length = strlen(line);
104 /* If the log doesn't fit, error out. */
105 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
106 TEST_info("Client log too full");
107 error_writing_log = 1;
111 strcat(client_log_buffer, line);
112 client_log_buffer_index += line_length;
113 client_log_buffer[client_log_buffer_index++] = '\n';
116 static void server_keylog_callback(const SSL *ssl, const char *line)
118 int line_length = strlen(line);
120 /* If the log doesn't fit, error out. */
121 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
122 TEST_info("Server log too full");
123 error_writing_log = 1;
127 strcat(server_log_buffer, line);
128 server_log_buffer_index += line_length;
129 server_log_buffer[server_log_buffer_index++] = '\n';
132 static int compare_hex_encoded_buffer(const char *hex_encoded,
140 if (!TEST_size_t_eq(raw_length * 2, hex_length))
143 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
144 sprintf(hexed, "%02x", raw[i]);
145 if (!TEST_int_eq(hexed[0], hex_encoded[j])
146 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
153 static int test_keylog_output(char *buffer, const SSL *ssl,
154 const SSL_SESSION *session,
155 struct sslapitest_log_counts *expected)
158 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
159 size_t client_random_size = SSL3_RANDOM_SIZE;
160 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
161 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
162 unsigned int rsa_key_exchange_count = 0;
163 unsigned int master_secret_count = 0;
164 unsigned int client_early_secret_count = 0;
165 unsigned int client_handshake_secret_count = 0;
166 unsigned int server_handshake_secret_count = 0;
167 unsigned int client_application_secret_count = 0;
168 unsigned int server_application_secret_count = 0;
169 unsigned int early_exporter_secret_count = 0;
170 unsigned int exporter_secret_count = 0;
172 for (token = strtok(buffer, " \n"); token != NULL;
173 token = strtok(NULL, " \n")) {
174 if (strcmp(token, "RSA") == 0) {
176 * Premaster secret. Tokens should be: 16 ASCII bytes of
177 * hex-encoded encrypted secret, then the hex-encoded pre-master
180 if (!TEST_ptr(token = strtok(NULL, " \n")))
182 if (!TEST_size_t_eq(strlen(token), 16))
184 if (!TEST_ptr(token = strtok(NULL, " \n")))
187 * We can't sensibly check the log because the premaster secret is
188 * transient, and OpenSSL doesn't keep hold of it once the master
189 * secret is generated.
191 rsa_key_exchange_count++;
192 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
194 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
195 * client random, then the hex-encoded master secret.
197 client_random_size = SSL_get_client_random(ssl,
198 actual_client_random,
200 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
203 if (!TEST_ptr(token = strtok(NULL, " \n")))
205 if (!TEST_size_t_eq(strlen(token), 64))
207 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
208 actual_client_random,
209 client_random_size)))
212 if (!TEST_ptr(token = strtok(NULL, " \n")))
214 master_key_size = SSL_SESSION_get_master_key(session,
217 if (!TEST_size_t_ne(master_key_size, 0))
219 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
223 master_secret_count++;
224 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
225 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
226 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
227 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
228 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
229 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
230 || strcmp(token, "EXPORTER_SECRET") == 0) {
232 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
233 * client random, and then the hex-encoded secret. In this case,
234 * we treat all of these secrets identically and then just
235 * distinguish between them when counting what we saw.
237 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
238 client_early_secret_count++;
239 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
240 client_handshake_secret_count++;
241 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
242 server_handshake_secret_count++;
243 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
244 client_application_secret_count++;
245 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
246 server_application_secret_count++;
247 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
248 early_exporter_secret_count++;
249 else if (strcmp(token, "EXPORTER_SECRET") == 0)
250 exporter_secret_count++;
252 client_random_size = SSL_get_client_random(ssl,
253 actual_client_random,
255 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
258 if (!TEST_ptr(token = strtok(NULL, " \n")))
260 if (!TEST_size_t_eq(strlen(token), 64))
262 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
263 actual_client_random,
264 client_random_size)))
267 if (!TEST_ptr(token = strtok(NULL, " \n")))
271 * TODO(TLS1.3): test that application traffic secrets are what
274 TEST_info("Unexpected token %s\n", token);
279 /* Got what we expected? */
280 if (!TEST_size_t_eq(rsa_key_exchange_count,
281 expected->rsa_key_exchange_count)
282 || !TEST_size_t_eq(master_secret_count,
283 expected->master_secret_count)
284 || !TEST_size_t_eq(client_early_secret_count,
285 expected->client_early_secret_count)
286 || !TEST_size_t_eq(client_handshake_secret_count,
287 expected->client_handshake_secret_count)
288 || !TEST_size_t_eq(server_handshake_secret_count,
289 expected->server_handshake_secret_count)
290 || !TEST_size_t_eq(client_application_secret_count,
291 expected->client_application_secret_count)
292 || !TEST_size_t_eq(server_application_secret_count,
293 expected->server_application_secret_count)
294 || !TEST_size_t_eq(early_exporter_secret_count,
295 expected->early_exporter_secret_count)
296 || !TEST_size_t_eq(exporter_secret_count,
297 expected->exporter_secret_count))
302 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
303 static int test_keylog(void)
305 SSL_CTX *cctx = NULL, *sctx = NULL;
306 SSL *clientssl = NULL, *serverssl = NULL;
308 struct sslapitest_log_counts expected = {0};
310 /* Clean up logging space */
311 memset(client_log_buffer, 0, sizeof(client_log_buffer));
312 memset(server_log_buffer, 0, sizeof(server_log_buffer));
313 client_log_buffer_index = 0;
314 server_log_buffer_index = 0;
315 error_writing_log = 0;
317 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
319 TLS1_VERSION, TLS_MAX_VERSION,
320 &sctx, &cctx, cert, privkey)))
323 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
324 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
325 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
327 /* We also want to ensure that we use RSA-based key exchange. */
328 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
331 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
332 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
334 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
335 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
336 == client_keylog_callback))
338 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
339 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
340 == server_keylog_callback))
343 /* Now do a handshake and check that the logs have been written to. */
344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
345 &clientssl, NULL, NULL))
346 || !TEST_true(create_ssl_connection(serverssl, clientssl,
348 || !TEST_false(error_writing_log)
349 || !TEST_int_gt(client_log_buffer_index, 0)
350 || !TEST_int_gt(server_log_buffer_index, 0))
354 * Now we want to test that our output data was vaguely sensible. We
355 * do that by using strtok and confirming that we have more or less the
356 * data we expect. For both client and server, we expect to see one master
357 * secret. The client should also see a RSA key exchange.
359 expected.rsa_key_exchange_count = 1;
360 expected.master_secret_count = 1;
361 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
362 SSL_get_session(clientssl), &expected)))
365 expected.rsa_key_exchange_count = 0;
366 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
367 SSL_get_session(serverssl), &expected)))
382 #ifndef OPENSSL_NO_TLS1_3
383 static int test_keylog_no_master_key(void)
385 SSL_CTX *cctx = NULL, *sctx = NULL;
386 SSL *clientssl = NULL, *serverssl = NULL;
387 SSL_SESSION *sess = NULL;
389 struct sslapitest_log_counts expected = {0};
390 unsigned char buf[1];
391 size_t readbytes, written;
393 /* Clean up logging space */
394 memset(client_log_buffer, 0, sizeof(client_log_buffer));
395 memset(server_log_buffer, 0, sizeof(server_log_buffer));
396 client_log_buffer_index = 0;
397 server_log_buffer_index = 0;
398 error_writing_log = 0;
400 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
401 TLS1_VERSION, TLS_MAX_VERSION,
402 &sctx, &cctx, cert, privkey))
403 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
404 SSL3_RT_MAX_PLAIN_LENGTH)))
407 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
408 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
411 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
412 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
413 == client_keylog_callback))
416 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
417 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
418 == server_keylog_callback))
421 /* Now do a handshake and check that the logs have been written to. */
422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
423 &clientssl, NULL, NULL))
424 || !TEST_true(create_ssl_connection(serverssl, clientssl,
426 || !TEST_false(error_writing_log))
430 * Now we want to test that our output data was vaguely sensible. For this
431 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
432 * TLSv1.3, but we do expect both client and server to emit keys.
434 expected.client_handshake_secret_count = 1;
435 expected.server_handshake_secret_count = 1;
436 expected.client_application_secret_count = 1;
437 expected.server_application_secret_count = 1;
438 expected.exporter_secret_count = 1;
439 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
440 SSL_get_session(clientssl), &expected))
441 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
442 SSL_get_session(serverssl),
446 /* Terminate old session and resume with early data. */
447 sess = SSL_get1_session(clientssl);
448 SSL_shutdown(clientssl);
449 SSL_shutdown(serverssl);
452 serverssl = clientssl = NULL;
455 memset(client_log_buffer, 0, sizeof(client_log_buffer));
456 memset(server_log_buffer, 0, sizeof(server_log_buffer));
457 client_log_buffer_index = 0;
458 server_log_buffer_index = 0;
460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
461 &clientssl, NULL, NULL))
462 || !TEST_true(SSL_set_session(clientssl, sess))
463 /* Here writing 0 length early data is enough. */
464 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
465 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
467 SSL_READ_EARLY_DATA_ERROR)
468 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
469 SSL_EARLY_DATA_ACCEPTED)
470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 || !TEST_true(SSL_session_reused(clientssl)))
475 /* In addition to the previous entries, expect early secrets. */
476 expected.client_early_secret_count = 1;
477 expected.early_exporter_secret_count = 1;
478 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
479 SSL_get_session(clientssl), &expected))
480 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
481 SSL_get_session(serverssl),
488 SSL_SESSION_free(sess);
498 #ifndef OPENSSL_NO_TLS1_2
499 static int full_client_hello_callback(SSL *s, int *al, void *arg)
502 const unsigned char *p;
504 /* We only configure two ciphers, but the SCSV is added automatically. */
506 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
508 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
511 const int expected_extensions[] = {
512 #ifndef OPENSSL_NO_EC
518 /* Make sure we can defer processing and get called back. */
520 return SSL_CLIENT_HELLO_RETRY;
522 len = SSL_client_hello_get0_ciphers(s, &p);
523 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
525 SSL_client_hello_get0_compression_methods(s, &p), 1)
526 || !TEST_int_eq(*p, 0))
527 return SSL_CLIENT_HELLO_ERROR;
528 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
529 return SSL_CLIENT_HELLO_ERROR;
530 if (len != OSSL_NELEM(expected_extensions) ||
531 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
532 printf("ClientHello callback expected extensions mismatch\n");
534 return SSL_CLIENT_HELLO_ERROR;
537 return SSL_CLIENT_HELLO_SUCCESS;
540 static int test_client_hello_cb(void)
542 SSL_CTX *cctx = NULL, *sctx = NULL;
543 SSL *clientssl = NULL, *serverssl = NULL;
544 int testctr = 0, testresult = 0;
546 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
547 TLS1_VERSION, TLS_MAX_VERSION,
548 &sctx, &cctx, cert, privkey)))
550 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
552 /* The gimpy cipher list we configure can't do TLS 1.3. */
553 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
555 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
556 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
557 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
558 &clientssl, NULL, NULL))
559 || !TEST_false(create_ssl_connection(serverssl, clientssl,
560 SSL_ERROR_WANT_CLIENT_HELLO_CB))
562 * Passing a -1 literal is a hack since
563 * the real value was lost.
565 || !TEST_int_eq(SSL_get_error(serverssl, -1),
566 SSL_ERROR_WANT_CLIENT_HELLO_CB)
567 || !TEST_true(create_ssl_connection(serverssl, clientssl,
583 static int execute_test_large_message(const SSL_METHOD *smeth,
584 const SSL_METHOD *cmeth,
585 int min_version, int max_version,
588 SSL_CTX *cctx = NULL, *sctx = NULL;
589 SSL *clientssl = NULL, *serverssl = NULL;
593 X509 *chaincert = NULL;
596 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
598 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
601 if (!TEST_ptr(chaincert))
604 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
605 &sctx, &cctx, cert, privkey)))
610 * Test that read_ahead works correctly when dealing with large
613 SSL_CTX_set_read_ahead(cctx, 1);
617 * We assume the supplied certificate is big enough so that if we add
618 * NUM_EXTRA_CERTS it will make the overall message large enough. The
619 * default buffer size is requested to be 16k, but due to the way BUF_MEM
620 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
621 * test we need to have a message larger than that.
623 certlen = i2d_X509(chaincert, NULL);
624 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
625 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
626 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
627 if (!X509_up_ref(chaincert))
629 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
630 X509_free(chaincert);
635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
637 || !TEST_true(create_ssl_connection(serverssl, clientssl,
642 * Calling SSL_clear() first is not required but this tests that SSL_clear()
643 * doesn't leak (when using enable-crypto-mdebug).
645 if (!TEST_true(SSL_clear(serverssl)))
650 X509_free(chaincert);
659 static int test_large_message_tls(void)
661 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
662 TLS1_VERSION, TLS_MAX_VERSION,
666 static int test_large_message_tls_read_ahead(void)
668 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
669 TLS1_VERSION, TLS_MAX_VERSION,
673 #ifndef OPENSSL_NO_DTLS
674 static int test_large_message_dtls(void)
677 * read_ahead is not relevant to DTLS because DTLS always acts as if
680 return execute_test_large_message(DTLS_server_method(),
681 DTLS_client_method(),
682 DTLS1_VERSION, DTLS_MAX_VERSION,
687 #ifndef OPENSSL_NO_OCSP
688 static int ocsp_server_cb(SSL *s, void *arg)
690 int *argi = (int *)arg;
691 unsigned char *copy = NULL;
692 STACK_OF(OCSP_RESPID) *ids = NULL;
693 OCSP_RESPID *id = NULL;
696 /* In this test we are expecting exactly 1 OCSP_RESPID */
697 SSL_get_tlsext_status_ids(s, &ids);
698 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
699 return SSL_TLSEXT_ERR_ALERT_FATAL;
701 id = sk_OCSP_RESPID_value(ids, 0);
702 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
703 return SSL_TLSEXT_ERR_ALERT_FATAL;
704 } else if (*argi != 1) {
705 return SSL_TLSEXT_ERR_ALERT_FATAL;
708 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
709 return SSL_TLSEXT_ERR_ALERT_FATAL;
711 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
712 ocsp_server_called = 1;
713 return SSL_TLSEXT_ERR_OK;
716 static int ocsp_client_cb(SSL *s, void *arg)
718 int *argi = (int *)arg;
719 const unsigned char *respderin;
722 if (*argi != 1 && *argi != 2)
725 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
726 if (!TEST_mem_eq(orespder, len, respderin, len))
729 ocsp_client_called = 1;
733 static int test_tlsext_status_type(void)
735 SSL_CTX *cctx = NULL, *sctx = NULL;
736 SSL *clientssl = NULL, *serverssl = NULL;
738 STACK_OF(OCSP_RESPID) *ids = NULL;
739 OCSP_RESPID *id = NULL;
742 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
743 TLS1_VERSION, TLS_MAX_VERSION,
744 &sctx, &cctx, cert, privkey))
747 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
750 /* First just do various checks getting and setting tlsext_status_type */
752 clientssl = SSL_new(cctx);
753 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
754 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
755 TLSEXT_STATUSTYPE_ocsp))
756 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
757 TLSEXT_STATUSTYPE_ocsp))
763 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
764 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
767 clientssl = SSL_new(cctx);
768 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
774 * Now actually do a handshake and check OCSP information is exchanged and
775 * the callbacks get called
777 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
778 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
779 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
780 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
781 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
782 &clientssl, NULL, NULL))
783 || !TEST_true(create_ssl_connection(serverssl, clientssl,
785 || !TEST_true(ocsp_client_called)
786 || !TEST_true(ocsp_server_called))
793 /* Try again but this time force the server side callback to fail */
794 ocsp_client_called = 0;
795 ocsp_server_called = 0;
797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
798 &clientssl, NULL, NULL))
799 /* This should fail because the callback will fail */
800 || !TEST_false(create_ssl_connection(serverssl, clientssl,
802 || !TEST_false(ocsp_client_called)
803 || !TEST_false(ocsp_server_called))
811 * This time we'll get the client to send an OCSP_RESPID that it will
814 ocsp_client_called = 0;
815 ocsp_server_called = 0;
817 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
818 &clientssl, NULL, NULL)))
822 * We'll just use any old cert for this test - it doesn't have to be an OCSP
823 * specific one. We'll use the server cert.
825 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
826 || !TEST_ptr(id = OCSP_RESPID_new())
827 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
828 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
830 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
831 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
834 SSL_set_tlsext_status_ids(clientssl, ids);
835 /* Control has been transferred */
841 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
843 || !TEST_true(ocsp_client_called)
844 || !TEST_true(ocsp_server_called))
854 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
855 OCSP_RESPID_free(id);
864 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
865 static int new_called, remove_called, get_called;
867 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
871 * sess has been up-refed for us, but we don't actually need it so free it
874 SSL_SESSION_free(sess);
878 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
883 static SSL_SESSION *get_sess_val = NULL;
885 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
893 static int execute_test_session(int maxprot, int use_int_cache,
896 SSL_CTX *sctx = NULL, *cctx = NULL;
897 SSL *serverssl1 = NULL, *clientssl1 = NULL;
898 SSL *serverssl2 = NULL, *clientssl2 = NULL;
899 # ifndef OPENSSL_NO_TLS1_1
900 SSL *serverssl3 = NULL, *clientssl3 = NULL;
902 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
903 int testresult = 0, numnewsesstick = 1;
905 new_called = remove_called = 0;
907 /* TLSv1.3 sends 2 NewSessionTickets */
908 if (maxprot == TLS1_3_VERSION)
911 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
912 TLS1_VERSION, TLS_MAX_VERSION,
913 &sctx, &cctx, cert, privkey)))
917 * Only allow the max protocol version so we can force a connection failure
920 SSL_CTX_set_min_proto_version(cctx, maxprot);
921 SSL_CTX_set_max_proto_version(cctx, maxprot);
923 /* Set up session cache */
925 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
926 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
929 /* Also covers instance where both are set */
930 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
932 SSL_CTX_set_session_cache_mode(cctx,
933 SSL_SESS_CACHE_CLIENT
934 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
937 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
939 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
941 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
944 /* Should fail because it should already be in the cache */
945 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
948 && (!TEST_int_eq(new_called, numnewsesstick)
950 || !TEST_int_eq(remove_called, 0)))
953 new_called = remove_called = 0;
954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
955 &clientssl2, NULL, NULL))
956 || !TEST_true(SSL_set_session(clientssl2, sess1))
957 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
959 || !TEST_true(SSL_session_reused(clientssl2)))
962 if (maxprot == TLS1_3_VERSION) {
964 * In TLSv1.3 we should have created a new session even though we have
965 * resumed. Since we attempted a resume we should also have removed the
966 * old ticket from the cache so that we try to only use tickets once.
969 && (!TEST_int_eq(new_called, 1)
970 || !TEST_int_eq(remove_called, 1)))
974 * In TLSv1.2 we expect to have resumed so no sessions added or
978 && (!TEST_int_eq(new_called, 0)
979 || !TEST_int_eq(remove_called, 0)))
983 SSL_SESSION_free(sess1);
984 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
986 shutdown_ssl_connection(serverssl2, clientssl2);
987 serverssl2 = clientssl2 = NULL;
989 new_called = remove_called = 0;
990 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
991 &clientssl2, NULL, NULL))
992 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
996 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1000 && (!TEST_int_eq(new_called, numnewsesstick)
1001 || !TEST_int_eq(remove_called, 0)))
1004 new_called = remove_called = 0;
1006 * This should clear sess2 from the cache because it is a "bad" session.
1007 * See SSL_set_session() documentation.
1009 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1012 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1014 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1017 if (use_int_cache) {
1018 /* Should succeeded because it should not already be in the cache */
1019 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1020 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1024 new_called = remove_called = 0;
1025 /* This shouldn't be in the cache so should fail */
1026 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1030 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1033 # if !defined(OPENSSL_NO_TLS1_1)
1034 new_called = remove_called = 0;
1035 /* Force a connection failure */
1036 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1037 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1038 &clientssl3, NULL, NULL))
1039 || !TEST_true(SSL_set_session(clientssl3, sess1))
1040 /* This should fail because of the mismatched protocol versions */
1041 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1045 /* We should have automatically removed the session from the cache */
1047 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1050 /* Should succeed because it should not already be in the cache */
1051 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1055 /* Now do some tests for server side caching */
1056 if (use_ext_cache) {
1057 SSL_CTX_sess_set_new_cb(cctx, NULL);
1058 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1059 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1060 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1061 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1062 get_sess_val = NULL;
1065 SSL_CTX_set_session_cache_mode(cctx, 0);
1066 /* Internal caching is the default on the server side */
1068 SSL_CTX_set_session_cache_mode(sctx,
1069 SSL_SESS_CACHE_SERVER
1070 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1072 SSL_free(serverssl1);
1073 SSL_free(clientssl1);
1074 serverssl1 = clientssl1 = NULL;
1075 SSL_free(serverssl2);
1076 SSL_free(clientssl2);
1077 serverssl2 = clientssl2 = NULL;
1078 SSL_SESSION_free(sess1);
1080 SSL_SESSION_free(sess2);
1083 SSL_CTX_set_max_proto_version(sctx, maxprot);
1084 if (maxprot == TLS1_2_VERSION)
1085 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1086 new_called = remove_called = get_called = 0;
1087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1089 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1091 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1092 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1095 if (use_int_cache) {
1096 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1098 * In TLSv1.3 it should not have been added to the internal cache,
1099 * except in the case where we also have an external cache (in that
1100 * case it gets added to the cache in order to generate remove
1101 * events after timeout).
1103 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1106 /* Should fail because it should already be in the cache */
1107 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1112 if (use_ext_cache) {
1113 SSL_SESSION *tmp = sess2;
1115 if (!TEST_int_eq(new_called, numnewsesstick)
1116 || !TEST_int_eq(remove_called, 0)
1117 || !TEST_int_eq(get_called, 0))
1120 * Delete the session from the internal cache to force a lookup from
1121 * the external cache. We take a copy first because
1122 * SSL_CTX_remove_session() also marks the session as non-resumable.
1124 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1125 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1126 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1128 SSL_SESSION_free(sess2);
1133 new_called = remove_called = get_called = 0;
1134 get_sess_val = sess2;
1135 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1136 &clientssl2, NULL, NULL))
1137 || !TEST_true(SSL_set_session(clientssl2, sess1))
1138 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1140 || !TEST_true(SSL_session_reused(clientssl2)))
1143 if (use_ext_cache) {
1144 if (!TEST_int_eq(remove_called, 0))
1147 if (maxprot == TLS1_3_VERSION) {
1148 if (!TEST_int_eq(new_called, 1)
1149 || !TEST_int_eq(get_called, 0))
1152 if (!TEST_int_eq(new_called, 0)
1153 || !TEST_int_eq(get_called, 1))
1161 SSL_free(serverssl1);
1162 SSL_free(clientssl1);
1163 SSL_free(serverssl2);
1164 SSL_free(clientssl2);
1165 # ifndef OPENSSL_NO_TLS1_1
1166 SSL_free(serverssl3);
1167 SSL_free(clientssl3);
1169 SSL_SESSION_free(sess1);
1170 SSL_SESSION_free(sess2);
1176 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1178 static int test_session_with_only_int_cache(void)
1180 #ifndef OPENSSL_NO_TLS1_3
1181 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1185 #ifndef OPENSSL_NO_TLS1_2
1186 return execute_test_session(TLS1_2_VERSION, 1, 0);
1192 static int test_session_with_only_ext_cache(void)
1194 #ifndef OPENSSL_NO_TLS1_3
1195 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1199 #ifndef OPENSSL_NO_TLS1_2
1200 return execute_test_session(TLS1_2_VERSION, 0, 1);
1206 static int test_session_with_both_cache(void)
1208 #ifndef OPENSSL_NO_TLS1_3
1209 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1213 #ifndef OPENSSL_NO_TLS1_2
1214 return execute_test_session(TLS1_2_VERSION, 1, 1);
1220 #ifndef OPENSSL_NO_TLS1_3
1221 static SSL_SESSION *sesscache[6];
1222 static int do_cache;
1224 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1227 sesscache[new_called] = sess;
1229 /* We don't need the reference to the session, so free it */
1230 SSL_SESSION_free(sess);
1237 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1239 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1240 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1243 /* Start handshake on the server and client */
1244 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1245 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1246 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1247 || !TEST_true(create_ssl_connection(sssl, cssl,
1254 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1257 int sess_id_ctx = 1;
1259 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1260 TLS1_VERSION, TLS_MAX_VERSION, sctx,
1261 cctx, cert, privkey))
1262 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1263 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1264 (void *)&sess_id_ctx,
1265 sizeof(sess_id_ctx))))
1269 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1271 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1272 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1273 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1278 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1280 SSL *serverssl = NULL, *clientssl = NULL;
1283 /* Test that we can resume with all the tickets we got given */
1284 for (i = 0; i < idx * 2; i++) {
1286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1287 &clientssl, NULL, NULL))
1288 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1291 SSL_set_post_handshake_auth(clientssl, 1);
1293 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1298 * Following a successful resumption we only get 1 ticket. After a
1299 * failed one we should get idx tickets.
1302 if (!TEST_true(SSL_session_reused(clientssl))
1303 || !TEST_int_eq(new_called, 1))
1306 if (!TEST_false(SSL_session_reused(clientssl))
1307 || !TEST_int_eq(new_called, idx))
1312 /* After a post-handshake authentication we should get 1 new ticket */
1314 && (!post_handshake_verify(serverssl, clientssl)
1315 || !TEST_int_eq(new_called, 1)))
1318 SSL_shutdown(clientssl);
1319 SSL_shutdown(serverssl);
1320 SSL_free(serverssl);
1321 SSL_free(clientssl);
1322 serverssl = clientssl = NULL;
1323 SSL_SESSION_free(sesscache[i]);
1324 sesscache[i] = NULL;
1330 SSL_free(clientssl);
1331 SSL_free(serverssl);
1335 static int test_tickets(int stateful, int idx)
1337 SSL_CTX *sctx = NULL, *cctx = NULL;
1338 SSL *serverssl = NULL, *clientssl = NULL;
1342 /* idx is the test number, but also the number of tickets we want */
1347 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1350 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1351 &clientssl, NULL, NULL)))
1354 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1356 /* Check we got the number of tickets we were expecting */
1357 || !TEST_int_eq(idx, new_called))
1360 SSL_shutdown(clientssl);
1361 SSL_shutdown(serverssl);
1362 SSL_free(serverssl);
1363 SSL_free(clientssl);
1366 clientssl = serverssl = NULL;
1370 * Now we try to resume with the tickets we previously created. The
1371 * resumption attempt is expected to fail (because we're now using a new
1372 * SSL_CTX). We should see idx number of tickets issued again.
1375 /* Stop caching sessions - just count them */
1378 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1381 if (!check_resumption(idx, sctx, cctx, 0))
1384 /* Start again with caching sessions */
1391 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1394 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1395 &clientssl, NULL, NULL)))
1398 SSL_set_post_handshake_auth(clientssl, 1);
1400 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1402 /* Check we got the number of tickets we were expecting */
1403 || !TEST_int_eq(idx, new_called))
1406 /* After a post-handshake authentication we should get new tickets issued */
1407 if (!post_handshake_verify(serverssl, clientssl)
1408 || !TEST_int_eq(idx * 2, new_called))
1411 SSL_shutdown(clientssl);
1412 SSL_shutdown(serverssl);
1413 SSL_free(serverssl);
1414 SSL_free(clientssl);
1415 serverssl = clientssl = NULL;
1417 /* Stop caching sessions - just count them */
1421 * Check we can resume with all the tickets we created. This time around the
1422 * resumptions should all be successful.
1424 if (!check_resumption(idx, sctx, cctx, 1))
1430 SSL_free(serverssl);
1431 SSL_free(clientssl);
1432 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1433 SSL_SESSION_free(sesscache[j]);
1434 sesscache[j] = NULL;
1442 static int test_stateless_tickets(int idx)
1444 return test_tickets(0, idx);
1447 static int test_stateful_tickets(int idx)
1449 return test_tickets(1, idx);
1452 static int test_psk_tickets(void)
1454 SSL_CTX *sctx = NULL, *cctx = NULL;
1455 SSL *serverssl = NULL, *clientssl = NULL;
1457 int sess_id_ctx = 1;
1459 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1460 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1462 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1463 (void *)&sess_id_ctx,
1464 sizeof(sess_id_ctx))))
1467 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1468 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1469 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1470 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1471 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1472 use_session_cb_cnt = 0;
1473 find_session_cb_cnt = 0;
1477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1480 clientpsk = serverpsk = create_a_psk(clientssl);
1481 if (!TEST_ptr(clientpsk))
1483 SSL_SESSION_up_ref(clientpsk);
1485 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1487 || !TEST_int_eq(1, find_session_cb_cnt)
1488 || !TEST_int_eq(1, use_session_cb_cnt)
1489 /* We should always get 1 ticket when using external PSK */
1490 || !TEST_int_eq(1, new_called))
1496 SSL_free(serverssl);
1497 SSL_free(clientssl);
1500 SSL_SESSION_free(clientpsk);
1501 SSL_SESSION_free(serverpsk);
1502 clientpsk = serverpsk = NULL;
1511 #define USE_DEFAULT 3
1513 #define CONNTYPE_CONNECTION_SUCCESS 0
1514 #define CONNTYPE_CONNECTION_FAIL 1
1515 #define CONNTYPE_NO_CONNECTION 2
1517 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1518 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1519 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1520 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1522 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1525 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1526 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1527 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1529 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1546 * Tests calls to SSL_set_bio() under various conditions.
1548 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1549 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1550 * then do more tests where we create a successful connection first using our
1551 * standard connection setup functions, and then call SSL_set_bio() with
1552 * various combinations of valid BIOs or NULL. We then repeat these tests
1553 * following a failed connection. In this last case we are looking to check that
1554 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1556 static int test_ssl_set_bio(int idx)
1558 SSL_CTX *sctx = NULL, *cctx = NULL;
1561 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1562 SSL *serverssl = NULL, *clientssl = NULL;
1563 int initrbio, initwbio, newrbio, newwbio, conntype;
1566 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1574 conntype = CONNTYPE_NO_CONNECTION;
1576 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1577 initrbio = initwbio = USE_DEFAULT;
1585 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1586 TLS1_VERSION, TLS_MAX_VERSION,
1587 &sctx, &cctx, cert, privkey)))
1590 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1592 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1593 * because we reduced the number of tests in the definition of
1594 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1595 * mismatched protocol versions we will force a connection failure.
1597 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1598 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1601 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1605 if (initrbio == USE_BIO_1
1606 || initwbio == USE_BIO_1
1607 || newrbio == USE_BIO_1
1608 || newwbio == USE_BIO_1) {
1609 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1613 if (initrbio == USE_BIO_2
1614 || initwbio == USE_BIO_2
1615 || newrbio == USE_BIO_2
1616 || newwbio == USE_BIO_2) {
1617 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1621 if (initrbio != USE_DEFAULT) {
1622 setupbio(&irbio, bio1, bio2, initrbio);
1623 setupbio(&iwbio, bio1, bio2, initwbio);
1624 SSL_set_bio(clientssl, irbio, iwbio);
1627 * We want to maintain our own refs to these BIO, so do an up ref for
1628 * each BIO that will have ownership transferred in the SSL_set_bio()
1633 if (iwbio != NULL && iwbio != irbio)
1637 if (conntype != CONNTYPE_NO_CONNECTION
1638 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1640 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1643 setupbio(&nrbio, bio1, bio2, newrbio);
1644 setupbio(&nwbio, bio1, bio2, newwbio);
1647 * We will (maybe) transfer ownership again so do more up refs.
1648 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1653 && (nwbio != iwbio || nrbio != nwbio))
1657 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1660 SSL_set_bio(clientssl, nrbio, nwbio);
1669 * This test is checking that the ref counting for SSL_set_bio is correct.
1670 * If we get here and we did too many frees then we will fail in the above
1671 * functions. If we haven't done enough then this will only be detected in
1672 * a crypto-mdebug build
1674 SSL_free(serverssl);
1675 SSL_free(clientssl);
1681 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1683 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1685 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1690 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1691 || !TEST_ptr(ssl = SSL_new(ctx))
1692 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1693 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1696 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1699 * If anything goes wrong here then we could leak memory, so this will
1700 * be caught in a crypto-mdebug build
1702 BIO_push(sslbio, membio1);
1704 /* Verify changing the rbio/wbio directly does not cause leaks */
1705 if (change_bio != NO_BIO_CHANGE) {
1706 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1708 if (change_bio == CHANGE_RBIO)
1709 SSL_set0_rbio(ssl, membio2);
1711 SSL_set0_wbio(ssl, membio2);
1730 static int test_ssl_bio_pop_next_bio(void)
1732 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1735 static int test_ssl_bio_pop_ssl_bio(void)
1737 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1740 static int test_ssl_bio_change_rbio(void)
1742 return execute_test_ssl_bio(0, CHANGE_RBIO);
1745 static int test_ssl_bio_change_wbio(void)
1747 return execute_test_ssl_bio(0, CHANGE_WBIO);
1750 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1752 /* The list of sig algs */
1754 /* The length of the list */
1756 /* A sigalgs list in string format */
1757 const char *liststr;
1758 /* Whether setting the list should succeed */
1760 /* Whether creating a connection with the list should succeed */
1764 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1765 # ifndef OPENSSL_NO_EC
1766 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1767 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1769 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1770 static const int invalidlist2[] = {NID_sha256, NID_undef};
1771 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1772 static const int invalidlist4[] = {NID_sha256};
1773 static const sigalgs_list testsigalgs[] = {
1774 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1775 # ifndef OPENSSL_NO_EC
1776 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1777 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1779 {NULL, 0, "RSA+SHA256", 1, 1},
1780 # ifndef OPENSSL_NO_EC
1781 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1782 {NULL, 0, "ECDSA+SHA512", 1, 0},
1784 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1785 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1786 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1787 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1788 {NULL, 0, "RSA", 0, 0},
1789 {NULL, 0, "SHA256", 0, 0},
1790 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1791 {NULL, 0, "Invalid", 0, 0}
1794 static int test_set_sigalgs(int idx)
1796 SSL_CTX *cctx = NULL, *sctx = NULL;
1797 SSL *clientssl = NULL, *serverssl = NULL;
1799 const sigalgs_list *curr;
1802 /* Should never happen */
1803 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1806 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1807 curr = testctx ? &testsigalgs[idx]
1808 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1810 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1811 TLS1_VERSION, TLS_MAX_VERSION,
1812 &sctx, &cctx, cert, privkey)))
1816 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1817 * for TLSv1.2 for now until we add a new API.
1819 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1824 if (curr->list != NULL)
1825 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1827 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1831 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1837 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1843 &clientssl, NULL, NULL)))
1849 if (curr->list != NULL)
1850 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1852 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1855 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1864 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1872 SSL_free(serverssl);
1873 SSL_free(clientssl);
1881 #ifndef OPENSSL_NO_TLS1_3
1882 static int psk_client_cb_cnt = 0;
1883 static int psk_server_cb_cnt = 0;
1885 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1886 size_t *idlen, SSL_SESSION **sess)
1888 switch (++use_session_cb_cnt) {
1890 /* The first call should always have a NULL md */
1896 /* The second call should always have an md */
1902 /* We should only be called a maximum of twice */
1906 if (clientpsk != NULL)
1907 SSL_SESSION_up_ref(clientpsk);
1910 *id = (const unsigned char *)pskid;
1911 *idlen = strlen(pskid);
1916 #ifndef OPENSSL_NO_PSK
1917 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1918 unsigned int max_id_len,
1920 unsigned int max_psk_len)
1922 unsigned int psklen = 0;
1924 psk_client_cb_cnt++;
1926 if (strlen(pskid) + 1 > max_id_len)
1929 /* We should only ever be called a maximum of twice per connection */
1930 if (psk_client_cb_cnt > 2)
1933 if (clientpsk == NULL)
1936 /* We'll reuse the PSK we set up for TLSv1.3 */
1937 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1939 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1940 strncpy(id, pskid, max_id_len);
1944 #endif /* OPENSSL_NO_PSK */
1946 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1947 size_t identity_len, SSL_SESSION **sess)
1949 find_session_cb_cnt++;
1951 /* We should only ever be called a maximum of twice per connection */
1952 if (find_session_cb_cnt > 2)
1955 if (serverpsk == NULL)
1958 /* Identity should match that set by the client */
1959 if (strlen(srvid) != identity_len
1960 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1961 /* No PSK found, continue but without a PSK */
1966 SSL_SESSION_up_ref(serverpsk);
1972 #ifndef OPENSSL_NO_PSK
1973 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1974 unsigned char *psk, unsigned int max_psk_len)
1976 unsigned int psklen = 0;
1978 psk_server_cb_cnt++;
1980 /* We should only ever be called a maximum of twice per connection */
1981 if (find_session_cb_cnt > 2)
1984 if (serverpsk == NULL)
1987 /* Identity should match that set by the client */
1988 if (strcmp(srvid, identity) != 0) {
1992 /* We'll reuse the PSK we set up for TLSv1.3 */
1993 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1995 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1999 #endif /* OPENSSL_NO_PSK */
2001 #define MSG1 "Hello"
2002 #define MSG2 "World."
2007 #define MSG7 "message."
2009 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2010 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2013 static SSL_SESSION *create_a_psk(SSL *ssl)
2015 const SSL_CIPHER *cipher = NULL;
2016 const unsigned char key[] = {
2017 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2018 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2019 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2020 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2021 0x2c, 0x2d, 0x2e, 0x2f
2023 SSL_SESSION *sess = NULL;
2025 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2026 sess = SSL_SESSION_new();
2028 || !TEST_ptr(cipher)
2029 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2031 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2033 SSL_SESSION_set_protocol_version(sess,
2035 SSL_SESSION_free(sess);
2042 * Helper method to setup objects for early data test. Caller frees objects on
2045 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2046 SSL **serverssl, SSL_SESSION **sess, int idx)
2049 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2050 TLS_client_method(),
2051 TLS1_VERSION, TLS_MAX_VERSION,
2052 sctx, cctx, cert, privkey)))
2055 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2059 /* When idx == 1 we repeat the tests with read_ahead set */
2060 SSL_CTX_set_read_ahead(*cctx, 1);
2061 SSL_CTX_set_read_ahead(*sctx, 1);
2062 } else if (idx == 2) {
2063 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2064 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2065 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2066 use_session_cb_cnt = 0;
2067 find_session_cb_cnt = 0;
2071 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2076 * For one of the run throughs (doesn't matter which one), we'll try sending
2077 * some SNI data in the initial ClientHello. This will be ignored (because
2078 * there is no SNI cb set up by the server), so it should not impact
2082 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2086 clientpsk = create_a_psk(*clientssl);
2087 if (!TEST_ptr(clientpsk)
2089 * We just choose an arbitrary value for max_early_data which
2090 * should be big enough for testing purposes.
2092 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2094 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2095 SSL_SESSION_free(clientpsk);
2099 serverpsk = clientpsk;
2102 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2103 SSL_SESSION_free(clientpsk);
2104 SSL_SESSION_free(serverpsk);
2105 clientpsk = serverpsk = NULL;
2116 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2120 *sess = SSL_get1_session(*clientssl);
2121 SSL_shutdown(*clientssl);
2122 SSL_shutdown(*serverssl);
2123 SSL_free(*serverssl);
2124 SSL_free(*clientssl);
2125 *serverssl = *clientssl = NULL;
2127 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2128 clientssl, NULL, NULL))
2129 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2135 static int test_early_data_read_write(int idx)
2137 SSL_CTX *cctx = NULL, *sctx = NULL;
2138 SSL *clientssl = NULL, *serverssl = NULL;
2140 SSL_SESSION *sess = NULL;
2141 unsigned char buf[20], data[1024];
2142 size_t readbytes, written, eoedlen, rawread, rawwritten;
2145 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2146 &serverssl, &sess, idx)))
2149 /* Write and read some early data */
2150 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2152 || !TEST_size_t_eq(written, strlen(MSG1))
2153 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2154 sizeof(buf), &readbytes),
2155 SSL_READ_EARLY_DATA_SUCCESS)
2156 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2157 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2158 SSL_EARLY_DATA_ACCEPTED))
2162 * Server should be able to write data, and client should be able to
2165 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2167 || !TEST_size_t_eq(written, strlen(MSG2))
2168 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2169 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2172 /* Even after reading normal data, client should be able write early data */
2173 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2175 || !TEST_size_t_eq(written, strlen(MSG3)))
2178 /* Server should still be able read early data after writing data */
2179 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2181 SSL_READ_EARLY_DATA_SUCCESS)
2182 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2185 /* Write more data from server and read it from client */
2186 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2188 || !TEST_size_t_eq(written, strlen(MSG4))
2189 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2190 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2194 * If client writes normal data it should mean writing early data is no
2197 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2198 || !TEST_size_t_eq(written, strlen(MSG5))
2199 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2200 SSL_EARLY_DATA_ACCEPTED))
2204 * At this point the client has written EndOfEarlyData, ClientFinished and
2205 * normal (fully protected) data. We are going to cause a delay between the
2206 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2207 * in the read BIO, and then just put back the EndOfEarlyData message.
2209 rbio = SSL_get_rbio(serverssl);
2210 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2211 || !TEST_size_t_lt(rawread, sizeof(data))
2212 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2215 /* Record length is in the 4th and 5th bytes of the record header */
2216 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2217 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2218 || !TEST_size_t_eq(rawwritten, eoedlen))
2221 /* Server should be told that there is no more early data */
2222 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2224 SSL_READ_EARLY_DATA_FINISH)
2225 || !TEST_size_t_eq(readbytes, 0))
2229 * Server has not finished init yet, so should still be able to write early
2232 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2234 || !TEST_size_t_eq(written, strlen(MSG6)))
2237 /* Push the ClientFinished and the normal data back into the server rbio */
2238 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2240 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2243 /* Server should be able to read normal data */
2244 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2245 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2248 /* Client and server should not be able to write/read early data now */
2249 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2253 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2255 SSL_READ_EARLY_DATA_ERROR))
2259 /* Client should be able to read the data sent by the server */
2260 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2261 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2265 * Make sure we process the two NewSessionTickets. These arrive
2266 * post-handshake. We attempt reads which we do not expect to return any
2269 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2270 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2274 /* Server should be able to write normal data */
2275 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2276 || !TEST_size_t_eq(written, strlen(MSG7))
2277 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2278 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2281 SSL_SESSION_free(sess);
2282 sess = SSL_get1_session(clientssl);
2283 use_session_cb_cnt = 0;
2284 find_session_cb_cnt = 0;
2286 SSL_shutdown(clientssl);
2287 SSL_shutdown(serverssl);
2288 SSL_free(serverssl);
2289 SSL_free(clientssl);
2290 serverssl = clientssl = NULL;
2291 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2292 &clientssl, NULL, NULL))
2293 || !TEST_true(SSL_set_session(clientssl, sess)))
2296 /* Write and read some early data */
2297 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2299 || !TEST_size_t_eq(written, strlen(MSG1))
2300 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2302 SSL_READ_EARLY_DATA_SUCCESS)
2303 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2306 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2307 || !TEST_int_gt(SSL_accept(serverssl), 0))
2310 /* Client and server should not be able to write/read early data now */
2311 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2315 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2317 SSL_READ_EARLY_DATA_ERROR))
2321 /* Client and server should be able to write/read normal data */
2322 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2323 || !TEST_size_t_eq(written, strlen(MSG5))
2324 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2325 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2331 SSL_SESSION_free(sess);
2332 SSL_SESSION_free(clientpsk);
2333 SSL_SESSION_free(serverpsk);
2334 clientpsk = serverpsk = NULL;
2335 SSL_free(serverssl);
2336 SSL_free(clientssl);
2342 static int allow_ed_cb_called = 0;
2344 static int allow_early_data_cb(SSL *s, void *arg)
2346 int *usecb = (int *)arg;
2348 allow_ed_cb_called++;
2357 * idx == 0: Standard early_data setup
2358 * idx == 1: early_data setup using read_ahead
2359 * usecb == 0: Don't use a custom early data callback
2360 * usecb == 1: Use a custom early data callback and reject the early data
2361 * usecb == 2: Use a custom early data callback and accept the early data
2362 * confopt == 0: Configure anti-replay directly
2363 * confopt == 1: Configure anti-replay using SSL_CONF
2365 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2367 SSL_CTX *cctx = NULL, *sctx = NULL;
2368 SSL *clientssl = NULL, *serverssl = NULL;
2370 SSL_SESSION *sess = NULL;
2371 size_t readbytes, written;
2372 unsigned char buf[20];
2374 allow_ed_cb_called = 0;
2376 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2377 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2378 &cctx, cert, privkey)))
2383 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2385 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2387 if (!TEST_ptr(confctx))
2389 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2390 | SSL_CONF_FLAG_SERVER);
2391 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2392 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2394 SSL_CONF_CTX_free(confctx);
2397 SSL_CONF_CTX_free(confctx);
2399 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2402 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2403 &serverssl, &sess, idx)))
2407 * The server is configured to accept early data. Create a connection to
2408 * "use up" the ticket
2410 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2411 || !TEST_true(SSL_session_reused(clientssl)))
2414 SSL_shutdown(clientssl);
2415 SSL_shutdown(serverssl);
2416 SSL_free(serverssl);
2417 SSL_free(clientssl);
2418 serverssl = clientssl = NULL;
2420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2421 &clientssl, NULL, NULL))
2422 || !TEST_true(SSL_set_session(clientssl, sess)))
2425 /* Write and read some early data */
2426 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2428 || !TEST_size_t_eq(written, strlen(MSG1)))
2432 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2434 SSL_READ_EARLY_DATA_FINISH)
2436 * The ticket was reused, so the we should have rejected the
2439 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2440 SSL_EARLY_DATA_REJECTED))
2443 /* In this case the callback decides to accept the early data */
2444 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2446 SSL_READ_EARLY_DATA_SUCCESS)
2447 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2449 * Server will have sent its flight so client can now send
2450 * end of early data and complete its half of the handshake
2452 || !TEST_int_gt(SSL_connect(clientssl), 0)
2453 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2455 SSL_READ_EARLY_DATA_FINISH)
2456 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2457 SSL_EARLY_DATA_ACCEPTED))
2461 /* Complete the connection */
2462 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2463 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2464 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2470 SSL_SESSION_free(sess);
2471 SSL_SESSION_free(clientpsk);
2472 SSL_SESSION_free(serverpsk);
2473 clientpsk = serverpsk = NULL;
2474 SSL_free(serverssl);
2475 SSL_free(clientssl);
2481 static int test_early_data_replay(int idx)
2483 int ret = 1, usecb, confopt;
2485 for (usecb = 0; usecb < 3; usecb++) {
2486 for (confopt = 0; confopt < 2; confopt++)
2487 ret &= test_early_data_replay_int(idx, usecb, confopt);
2494 * Helper function to test that a server attempting to read early data can
2495 * handle a connection from a client where the early data should be skipped.
2496 * testtype: 0 == No HRR
2497 * testtype: 1 == HRR
2498 * testtype: 2 == HRR, invalid early_data sent after HRR
2499 * testtype: 3 == recv_max_early_data set to 0
2501 static int early_data_skip_helper(int testtype, int idx)
2503 SSL_CTX *cctx = NULL, *sctx = NULL;
2504 SSL *clientssl = NULL, *serverssl = NULL;
2506 SSL_SESSION *sess = NULL;
2507 unsigned char buf[20];
2508 size_t readbytes, written;
2510 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2511 &serverssl, &sess, idx)))
2514 if (testtype == 1 || testtype == 2) {
2515 /* Force an HRR to occur */
2516 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2518 } else if (idx == 2) {
2520 * We force early_data rejection by ensuring the PSK identity is
2523 srvid = "Dummy Identity";
2526 * Deliberately corrupt the creation time. We take 20 seconds off the
2527 * time. It could be any value as long as it is not within tolerance.
2528 * This should mean the ticket is rejected.
2530 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2535 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2538 /* Write some early data */
2539 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2541 || !TEST_size_t_eq(written, strlen(MSG1)))
2544 /* Server should reject the early data */
2545 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2547 SSL_READ_EARLY_DATA_FINISH)
2548 || !TEST_size_t_eq(readbytes, 0)
2549 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2550 SSL_EARLY_DATA_REJECTED))
2560 * Finish off the handshake. We perform the same writes and reads as
2561 * further down but we expect them to fail due to the incomplete
2564 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2565 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2572 BIO *wbio = SSL_get_wbio(clientssl);
2573 /* A record that will appear as bad early_data */
2574 const unsigned char bad_early_data[] = {
2575 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2579 * We force the client to attempt a write. This will fail because
2580 * we're still in the handshake. It will cause the second
2581 * ClientHello to be sent.
2583 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2588 * Inject some early_data after the second ClientHello. This should
2589 * cause the server to fail
2591 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2592 sizeof(bad_early_data), &written)))
2599 * This client has sent more early_data than we are willing to skip
2600 * (case 3) or sent invalid early_data (case 2) so the connection should
2603 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2604 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2607 /* Connection has failed - nothing more to do */
2612 TEST_error("Invalid test type");
2617 * Should be able to send normal data despite rejection of early data. The
2618 * early_data should be skipped.
2620 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2621 || !TEST_size_t_eq(written, strlen(MSG2))
2622 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2623 SSL_EARLY_DATA_REJECTED)
2624 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2625 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2631 SSL_SESSION_free(clientpsk);
2632 SSL_SESSION_free(serverpsk);
2633 clientpsk = serverpsk = NULL;
2634 SSL_SESSION_free(sess);
2635 SSL_free(serverssl);
2636 SSL_free(clientssl);
2643 * Test that a server attempting to read early data can handle a connection
2644 * from a client where the early data is not acceptable.
2646 static int test_early_data_skip(int idx)
2648 return early_data_skip_helper(0, idx);
2652 * Test that a server attempting to read early data can handle a connection
2653 * from a client where an HRR occurs.
2655 static int test_early_data_skip_hrr(int idx)
2657 return early_data_skip_helper(1, idx);
2661 * Test that a server attempting to read early data can handle a connection
2662 * from a client where an HRR occurs and correctly fails if early_data is sent
2665 static int test_early_data_skip_hrr_fail(int idx)
2667 return early_data_skip_helper(2, idx);
2671 * Test that a server attempting to read early data will abort if it tries to
2672 * skip over too much.
2674 static int test_early_data_skip_abort(int idx)
2676 return early_data_skip_helper(3, idx);
2680 * Test that a server attempting to read early data can handle a connection
2681 * from a client that doesn't send any.
2683 static int test_early_data_not_sent(int idx)
2685 SSL_CTX *cctx = NULL, *sctx = NULL;
2686 SSL *clientssl = NULL, *serverssl = NULL;
2688 SSL_SESSION *sess = NULL;
2689 unsigned char buf[20];
2690 size_t readbytes, written;
2692 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2693 &serverssl, &sess, idx)))
2696 /* Write some data - should block due to handshake with server */
2697 SSL_set_connect_state(clientssl);
2698 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2701 /* Server should detect that early data has not been sent */
2702 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2704 SSL_READ_EARLY_DATA_FINISH)
2705 || !TEST_size_t_eq(readbytes, 0)
2706 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2707 SSL_EARLY_DATA_NOT_SENT)
2708 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2709 SSL_EARLY_DATA_NOT_SENT))
2712 /* Continue writing the message we started earlier */
2713 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2714 || !TEST_size_t_eq(written, strlen(MSG1))
2715 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2716 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2717 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2718 || !TEST_size_t_eq(written, strlen(MSG2)))
2721 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2722 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2728 SSL_SESSION_free(sess);
2729 SSL_SESSION_free(clientpsk);
2730 SSL_SESSION_free(serverpsk);
2731 clientpsk = serverpsk = NULL;
2732 SSL_free(serverssl);
2733 SSL_free(clientssl);
2739 static int hostname_cb(SSL *s, int *al, void *arg)
2741 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2743 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2744 return SSL_TLSEXT_ERR_OK;
2746 return SSL_TLSEXT_ERR_NOACK;
2749 static const char *servalpn;
2751 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2752 unsigned char *outlen, const unsigned char *in,
2753 unsigned int inlen, void *arg)
2755 unsigned int protlen = 0;
2756 const unsigned char *prot;
2758 for (prot = in; prot < in + inlen; prot += protlen) {
2760 if (in + inlen < prot + protlen)
2761 return SSL_TLSEXT_ERR_NOACK;
2763 if (protlen == strlen(servalpn)
2764 && memcmp(prot, servalpn, protlen) == 0) {
2767 return SSL_TLSEXT_ERR_OK;
2771 return SSL_TLSEXT_ERR_NOACK;
2774 /* Test that a PSK can be used to send early_data */
2775 static int test_early_data_psk(int idx)
2777 SSL_CTX *cctx = NULL, *sctx = NULL;
2778 SSL *clientssl = NULL, *serverssl = NULL;
2780 SSL_SESSION *sess = NULL;
2781 unsigned char alpnlist[] = {
2782 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2785 #define GOODALPNLEN 9
2786 #define BADALPNLEN 8
2787 #define GOODALPN (alpnlist)
2788 #define BADALPN (alpnlist + GOODALPNLEN)
2790 unsigned char buf[20];
2791 size_t readbytes, written;
2792 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2793 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2795 /* We always set this up with a final parameter of "2" for PSK */
2796 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2797 &serverssl, &sess, 2)))
2800 servalpn = "goodalpn";
2803 * Note: There is no test for inconsistent SNI with late client detection.
2804 * This is because servers do not acknowledge SNI even if they are using
2805 * it in a resumption handshake - so it is not actually possible for a
2806 * client to detect a problem.
2810 /* Set inconsistent SNI (early client detection) */
2811 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2812 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2813 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2818 /* Set inconsistent ALPN (early client detection) */
2819 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2820 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2821 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2823 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2830 * Set invalid protocol version. Technically this affects PSKs without
2831 * early_data too, but we test it here because it is similar to the
2832 * SNI/ALPN consistency tests.
2834 err = SSL_R_BAD_PSK;
2835 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2841 * Set inconsistent SNI (server detected). In this case the connection
2842 * will succeed but reject early_data.
2844 SSL_SESSION_free(serverpsk);
2845 serverpsk = SSL_SESSION_dup(clientpsk);
2846 if (!TEST_ptr(serverpsk)
2847 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2849 edstatus = SSL_EARLY_DATA_REJECTED;
2850 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2853 /* Set consistent SNI */
2854 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2855 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2856 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2863 * Set inconsistent ALPN (server detected). In this case the connection
2864 * will succeed but reject early_data.
2866 servalpn = "badalpn";
2867 edstatus = SSL_EARLY_DATA_REJECTED;
2868 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2872 * Set consistent ALPN.
2873 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2874 * accepts a list of protos (each one length prefixed).
2875 * SSL_set1_alpn_selected accepts a single protocol (not length
2878 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2880 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2884 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2888 /* Set inconsistent ALPN (late client detection) */
2889 SSL_SESSION_free(serverpsk);
2890 serverpsk = SSL_SESSION_dup(clientpsk);
2891 if (!TEST_ptr(serverpsk)
2892 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2895 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2898 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2901 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2902 edstatus = SSL_EARLY_DATA_ACCEPTED;
2903 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2904 /* SSL_connect() call should fail */
2909 TEST_error("Bad test index");
2913 SSL_set_connect_state(clientssl);
2915 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2917 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2918 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2921 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2925 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2926 &readbytes), readearlyres)
2927 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2928 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2929 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2930 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2937 SSL_SESSION_free(sess);
2938 SSL_SESSION_free(clientpsk);
2939 SSL_SESSION_free(serverpsk);
2940 clientpsk = serverpsk = NULL;
2941 SSL_free(serverssl);
2942 SSL_free(clientssl);
2949 * Test that a server that doesn't try to read early data can handle a
2950 * client sending some.
2952 static int test_early_data_not_expected(int idx)
2954 SSL_CTX *cctx = NULL, *sctx = NULL;
2955 SSL *clientssl = NULL, *serverssl = NULL;
2957 SSL_SESSION *sess = NULL;
2958 unsigned char buf[20];
2959 size_t readbytes, written;
2961 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2962 &serverssl, &sess, idx)))
2965 /* Write some early data */
2966 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2971 * Server should skip over early data and then block waiting for client to
2972 * continue handshake
2974 if (!TEST_int_le(SSL_accept(serverssl), 0)
2975 || !TEST_int_gt(SSL_connect(clientssl), 0)
2976 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2977 SSL_EARLY_DATA_REJECTED)
2978 || !TEST_int_gt(SSL_accept(serverssl), 0)
2979 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2980 SSL_EARLY_DATA_REJECTED))
2983 /* Send some normal data from client to server */
2984 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2985 || !TEST_size_t_eq(written, strlen(MSG2)))
2988 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2989 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2995 SSL_SESSION_free(sess);
2996 SSL_SESSION_free(clientpsk);
2997 SSL_SESSION_free(serverpsk);
2998 clientpsk = serverpsk = NULL;
2999 SSL_free(serverssl);
3000 SSL_free(clientssl);
3007 # ifndef OPENSSL_NO_TLS1_2
3009 * Test that a server attempting to read early data can handle a connection
3010 * from a TLSv1.2 client.
3012 static int test_early_data_tls1_2(int idx)
3014 SSL_CTX *cctx = NULL, *sctx = NULL;
3015 SSL *clientssl = NULL, *serverssl = NULL;
3017 unsigned char buf[20];
3018 size_t readbytes, written;
3020 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3021 &serverssl, NULL, idx)))
3024 /* Write some data - should block due to handshake with server */
3025 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3026 SSL_set_connect_state(clientssl);
3027 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3031 * Server should do TLSv1.2 handshake. First it will block waiting for more
3032 * messages from client after ServerDone. Then SSL_read_early_data should
3033 * finish and detect that early data has not been sent
3035 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3037 SSL_READ_EARLY_DATA_ERROR))
3041 * Continue writing the message we started earlier. Will still block waiting
3042 * for the CCS/Finished from server
3044 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3045 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3047 SSL_READ_EARLY_DATA_FINISH)
3048 || !TEST_size_t_eq(readbytes, 0)
3049 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3050 SSL_EARLY_DATA_NOT_SENT))
3053 /* Continue writing the message we started earlier */
3054 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3055 || !TEST_size_t_eq(written, strlen(MSG1))
3056 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3057 SSL_EARLY_DATA_NOT_SENT)
3058 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3059 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3060 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3061 || !TEST_size_t_eq(written, strlen(MSG2))
3062 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3063 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3069 SSL_SESSION_free(clientpsk);
3070 SSL_SESSION_free(serverpsk);
3071 clientpsk = serverpsk = NULL;
3072 SSL_free(serverssl);
3073 SSL_free(clientssl);
3079 # endif /* OPENSSL_NO_TLS1_2 */
3082 * Test configuring the TLSv1.3 ciphersuites
3084 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3085 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3086 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3087 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3088 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3089 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3090 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3091 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3092 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3093 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3095 static int test_set_ciphersuite(int idx)
3097 SSL_CTX *cctx = NULL, *sctx = NULL;
3098 SSL *clientssl = NULL, *serverssl = NULL;
3101 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3102 TLS1_VERSION, TLS_MAX_VERSION,
3103 &sctx, &cctx, cert, privkey))
3104 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3105 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3108 if (idx >=4 && idx <= 7) {
3109 /* SSL_CTX explicit cipher list */
3110 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3114 if (idx == 0 || idx == 4) {
3115 /* Default ciphersuite */
3116 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3117 "TLS_AES_128_GCM_SHA256")))
3119 } else if (idx == 1 || idx == 5) {
3120 /* Non default ciphersuite */
3121 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3122 "TLS_AES_128_CCM_SHA256")))
3126 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3127 &clientssl, NULL, NULL)))
3130 if (idx == 8 || idx == 9) {
3131 /* SSL explicit cipher list */
3132 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3136 if (idx == 2 || idx == 6 || idx == 8) {
3137 /* Default ciphersuite */
3138 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3139 "TLS_AES_128_GCM_SHA256")))
3141 } else if (idx == 3 || idx == 7 || idx == 9) {
3142 /* Non default ciphersuite */
3143 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3144 "TLS_AES_128_CCM_SHA256")))
3148 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3154 SSL_free(serverssl);
3155 SSL_free(clientssl);
3162 static int test_ciphersuite_change(void)
3164 SSL_CTX *cctx = NULL, *sctx = NULL;
3165 SSL *clientssl = NULL, *serverssl = NULL;
3166 SSL_SESSION *clntsess = NULL;
3168 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3170 /* Create a session based on SHA-256 */
3171 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3172 TLS1_VERSION, TLS_MAX_VERSION,
3173 &sctx, &cctx, cert, privkey))
3174 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3175 "TLS_AES_128_GCM_SHA256"))
3176 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3177 &clientssl, NULL, NULL))
3178 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3182 clntsess = SSL_get1_session(clientssl);
3183 /* Save for later */
3184 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3185 SSL_shutdown(clientssl);
3186 SSL_shutdown(serverssl);
3187 SSL_free(serverssl);
3188 SSL_free(clientssl);
3189 serverssl = clientssl = NULL;
3191 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3192 /* Check we can resume a session with a different SHA-256 ciphersuite */
3193 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3194 "TLS_CHACHA20_POLY1305_SHA256"))
3195 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3197 || !TEST_true(SSL_set_session(clientssl, clntsess))
3198 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3200 || !TEST_true(SSL_session_reused(clientssl)))
3203 SSL_SESSION_free(clntsess);
3204 clntsess = SSL_get1_session(clientssl);
3205 SSL_shutdown(clientssl);
3206 SSL_shutdown(serverssl);
3207 SSL_free(serverssl);
3208 SSL_free(clientssl);
3209 serverssl = clientssl = NULL;
3213 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3214 * succeeds but does not resume.
3216 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3217 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3219 || !TEST_true(SSL_set_session(clientssl, clntsess))
3220 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3222 || !TEST_false(SSL_session_reused(clientssl)))
3225 SSL_SESSION_free(clntsess);
3227 SSL_shutdown(clientssl);
3228 SSL_shutdown(serverssl);
3229 SSL_free(serverssl);
3230 SSL_free(clientssl);
3231 serverssl = clientssl = NULL;
3233 /* Create a session based on SHA384 */
3234 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3235 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3236 &clientssl, NULL, NULL))
3237 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3241 clntsess = SSL_get1_session(clientssl);
3242 SSL_shutdown(clientssl);
3243 SSL_shutdown(serverssl);
3244 SSL_free(serverssl);
3245 SSL_free(clientssl);
3246 serverssl = clientssl = NULL;
3248 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3249 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3250 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3251 "TLS_AES_256_GCM_SHA384"))
3252 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3254 || !TEST_true(SSL_set_session(clientssl, clntsess))
3256 * We use SSL_ERROR_WANT_READ below so that we can pause the
3257 * connection after the initial ClientHello has been sent to
3258 * enable us to make some session changes.
3260 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3261 SSL_ERROR_WANT_READ)))
3264 /* Trick the client into thinking this session is for a different digest */
3265 clntsess->cipher = aes_128_gcm_sha256;
3266 clntsess->cipher_id = clntsess->cipher->id;
3269 * Continue the previously started connection. Server has selected a SHA-384
3270 * ciphersuite, but client thinks the session is for SHA-256, so it should
3273 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3275 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3276 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3282 SSL_SESSION_free(clntsess);
3283 SSL_free(serverssl);
3284 SSL_free(clientssl);
3293 * Test 0 = Test new style callbacks
3294 * Test 1 = Test both new and old style callbacks
3295 * Test 2 = Test old style callbacks
3296 * Test 3 = Test old style callbacks with no certificate
3298 static int test_tls13_psk(int idx)
3300 SSL_CTX *sctx = NULL, *cctx = NULL;
3301 SSL *serverssl = NULL, *clientssl = NULL;
3302 const SSL_CIPHER *cipher = NULL;
3303 const unsigned char key[] = {
3304 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3305 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3306 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3307 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3311 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3312 TLS1_VERSION, TLS_MAX_VERSION,
3313 &sctx, &cctx, idx == 3 ? NULL : cert,
3314 idx == 3 ? NULL : privkey)))
3319 * We use a ciphersuite with SHA256 to ease testing old style PSK
3320 * callbacks which will always default to SHA256. This should not be
3321 * necessary if we have no cert/priv key. In that case the server should
3322 * prefer SHA256 automatically.
3324 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3325 "TLS_AES_128_GCM_SHA256")))
3330 * Test 0: New style callbacks only
3331 * Test 1: New and old style callbacks (only the new ones should be used)
3332 * Test 2: Old style callbacks only
3334 if (idx == 0 || idx == 1) {
3335 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3336 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3338 #ifndef OPENSSL_NO_PSK
3340 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3341 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3345 use_session_cb_cnt = 0;
3346 find_session_cb_cnt = 0;
3347 psk_client_cb_cnt = 0;
3348 psk_server_cb_cnt = 0;
3352 * Check we can create a connection if callback decides not to send a
3355 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3357 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3359 || !TEST_false(SSL_session_reused(clientssl))
3360 || !TEST_false(SSL_session_reused(serverssl)))
3363 if (idx == 0 || idx == 1) {
3364 if (!TEST_true(use_session_cb_cnt == 1)
3365 || !TEST_true(find_session_cb_cnt == 0)
3367 * If no old style callback then below should be 0
3370 || !TEST_true(psk_client_cb_cnt == idx)
3371 || !TEST_true(psk_server_cb_cnt == 0))
3374 if (!TEST_true(use_session_cb_cnt == 0)
3375 || !TEST_true(find_session_cb_cnt == 0)
3376 || !TEST_true(psk_client_cb_cnt == 1)
3377 || !TEST_true(psk_server_cb_cnt == 0))
3381 shutdown_ssl_connection(serverssl, clientssl);
3382 serverssl = clientssl = NULL;
3383 use_session_cb_cnt = psk_client_cb_cnt = 0;
3386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3390 /* Create the PSK */
3391 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3392 clientpsk = SSL_SESSION_new();
3393 if (!TEST_ptr(clientpsk)
3394 || !TEST_ptr(cipher)
3395 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3397 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3398 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3400 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3402 serverpsk = clientpsk;
3404 /* Check we can create a connection and the PSK is used */
3405 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3406 || !TEST_true(SSL_session_reused(clientssl))
3407 || !TEST_true(SSL_session_reused(serverssl)))
3410 if (idx == 0 || idx == 1) {
3411 if (!TEST_true(use_session_cb_cnt == 1)
3412 || !TEST_true(find_session_cb_cnt == 1)
3413 || !TEST_true(psk_client_cb_cnt == 0)
3414 || !TEST_true(psk_server_cb_cnt == 0))
3417 if (!TEST_true(use_session_cb_cnt == 0)
3418 || !TEST_true(find_session_cb_cnt == 0)
3419 || !TEST_true(psk_client_cb_cnt == 1)
3420 || !TEST_true(psk_server_cb_cnt == 1))
3424 shutdown_ssl_connection(serverssl, clientssl);
3425 serverssl = clientssl = NULL;
3426 use_session_cb_cnt = find_session_cb_cnt = 0;
3427 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3429 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3434 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3438 * Check we can create a connection, the PSK is used and the callbacks are
3441 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3442 || !TEST_true(SSL_session_reused(clientssl))
3443 || !TEST_true(SSL_session_reused(serverssl)))
3446 if (idx == 0 || idx == 1) {
3447 if (!TEST_true(use_session_cb_cnt == 2)
3448 || !TEST_true(find_session_cb_cnt == 2)
3449 || !TEST_true(psk_client_cb_cnt == 0)
3450 || !TEST_true(psk_server_cb_cnt == 0))
3453 if (!TEST_true(use_session_cb_cnt == 0)
3454 || !TEST_true(find_session_cb_cnt == 0)
3455 || !TEST_true(psk_client_cb_cnt == 2)
3456 || !TEST_true(psk_server_cb_cnt == 2))
3460 shutdown_ssl_connection(serverssl, clientssl);
3461 serverssl = clientssl = NULL;
3462 use_session_cb_cnt = find_session_cb_cnt = 0;
3463 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3467 * Check that if the server rejects the PSK we can still connect, but with
3470 srvid = "Dummy Identity";
3471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3475 || !TEST_false(SSL_session_reused(clientssl))
3476 || !TEST_false(SSL_session_reused(serverssl)))
3479 if (idx == 0 || idx == 1) {
3480 if (!TEST_true(use_session_cb_cnt == 1)
3481 || !TEST_true(find_session_cb_cnt == 1)
3482 || !TEST_true(psk_client_cb_cnt == 0)
3484 * If no old style callback then below should be 0
3487 || !TEST_true(psk_server_cb_cnt == idx))
3490 if (!TEST_true(use_session_cb_cnt == 0)
3491 || !TEST_true(find_session_cb_cnt == 0)
3492 || !TEST_true(psk_client_cb_cnt == 1)
3493 || !TEST_true(psk_server_cb_cnt == 1))
3497 shutdown_ssl_connection(serverssl, clientssl);
3498 serverssl = clientssl = NULL;
3503 SSL_SESSION_free(clientpsk);
3504 SSL_SESSION_free(serverpsk);
3505 clientpsk = serverpsk = NULL;
3506 SSL_free(serverssl);
3507 SSL_free(clientssl);
3513 static unsigned char cookie_magic_value[] = "cookie magic";
3515 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3516 unsigned int *cookie_len)
3519 * Not suitable as a real cookie generation function but good enough for
3522 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3523 *cookie_len = sizeof(cookie_magic_value) - 1;
3528 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3529 unsigned int cookie_len)
3531 if (cookie_len == sizeof(cookie_magic_value) - 1
3532 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3538 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3542 int res = generate_cookie_callback(ssl, cookie, &temp);
3547 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3550 return verify_cookie_callback(ssl, cookie, cookie_len);
3553 static int test_stateless(void)
3555 SSL_CTX *sctx = NULL, *cctx = NULL;
3556 SSL *serverssl = NULL, *clientssl = NULL;
3559 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3560 TLS1_VERSION, TLS_MAX_VERSION,
3561 &sctx, &cctx, cert, privkey)))
3564 /* The arrival of CCS messages can confuse the test */
3565 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3567 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3569 /* Send the first ClientHello */
3570 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3571 SSL_ERROR_WANT_READ))
3573 * This should fail with a -1 return because we have no callbacks
3576 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3579 /* Fatal error so abandon the connection from this client */
3580 SSL_free(clientssl);
3583 /* Set up the cookie generation and verification callbacks */
3584 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3585 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3588 * Create a new connection from the client (we can reuse the server SSL
3591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3593 /* Send the first ClientHello */
3594 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3595 SSL_ERROR_WANT_READ))
3596 /* This should fail because there is no cookie */
3597 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3600 /* Abandon the connection from this client */
3601 SSL_free(clientssl);
3605 * Now create a connection from a new client but with the same server SSL
3608 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3610 /* Send the first ClientHello */
3611 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3612 SSL_ERROR_WANT_READ))
3613 /* This should fail because there is no cookie */
3614 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3615 /* Send the second ClientHello */
3616 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3617 SSL_ERROR_WANT_READ))
3618 /* This should succeed because a cookie is now present */
3619 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3620 /* Complete the connection */
3621 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3625 shutdown_ssl_connection(serverssl, clientssl);
3626 serverssl = clientssl = NULL;
3630 SSL_free(serverssl);
3631 SSL_free(clientssl);
3637 #endif /* OPENSSL_NO_TLS1_3 */
3639 static int clntaddoldcb = 0;
3640 static int clntparseoldcb = 0;
3641 static int srvaddoldcb = 0;
3642 static int srvparseoldcb = 0;
3643 static int clntaddnewcb = 0;
3644 static int clntparsenewcb = 0;
3645 static int srvaddnewcb = 0;
3646 static int srvparsenewcb = 0;
3647 static int snicb = 0;
3649 #define TEST_EXT_TYPE1 0xff00
3651 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3652 size_t *outlen, int *al, void *add_arg)
3654 int *server = (int *)add_arg;
3655 unsigned char *data;
3657 if (SSL_is_server(s))
3662 if (*server != SSL_is_server(s)
3663 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3668 *outlen = sizeof(char);
3672 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3675 OPENSSL_free((unsigned char *)out);
3678 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3679 size_t inlen, int *al, void *parse_arg)
3681 int *server = (int *)parse_arg;
3683 if (SSL_is_server(s))
3688 if (*server != SSL_is_server(s)
3689 || inlen != sizeof(char)
3696 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3697 const unsigned char **out, size_t *outlen, X509 *x,
3698 size_t chainidx, int *al, void *add_arg)
3700 int *server = (int *)add_arg;
3701 unsigned char *data;
3703 if (SSL_is_server(s))
3708 if (*server != SSL_is_server(s)
3709 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3714 *outlen = sizeof(*data);
3718 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3719 const unsigned char *out, void *add_arg)
3721 OPENSSL_free((unsigned char *)out);
3724 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3725 const unsigned char *in, size_t inlen, X509 *x,
3726 size_t chainidx, int *al, void *parse_arg)
3728 int *server = (int *)parse_arg;
3730 if (SSL_is_server(s))
3735 if (*server != SSL_is_server(s)
3736 || inlen != sizeof(char) || *in != 1)
3742 static int sni_cb(SSL *s, int *al, void *arg)
3744 SSL_CTX *ctx = (SSL_CTX *)arg;
3746 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3747 *al = SSL_AD_INTERNAL_ERROR;
3748 return SSL_TLSEXT_ERR_ALERT_FATAL;
3751 return SSL_TLSEXT_ERR_OK;
3755 * Custom call back tests.
3756 * Test 0: Old style callbacks in TLSv1.2
3757 * Test 1: New style callbacks in TLSv1.2
3758 * Test 2: New style callbacks in TLSv1.2 with SNI
3759 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3760 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3762 static int test_custom_exts(int tst)
3764 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3765 SSL *clientssl = NULL, *serverssl = NULL;
3767 static int server = 1;
3768 static int client = 0;
3769 SSL_SESSION *sess = NULL;
3770 unsigned int context;
3772 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3773 /* Skip tests for TLSv1.2 and below in this case */
3778 /* Reset callback counters */
3779 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3780 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3783 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3784 TLS1_VERSION, TLS_MAX_VERSION,
3785 &sctx, &cctx, cert, privkey)))
3789 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3790 TLS1_VERSION, TLS_MAX_VERSION,
3791 &sctx2, NULL, cert, privkey)))
3796 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3797 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3799 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3803 context = SSL_EXT_CLIENT_HELLO
3804 | SSL_EXT_TLS1_2_SERVER_HELLO
3805 | SSL_EXT_TLS1_3_SERVER_HELLO
3806 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3807 | SSL_EXT_TLS1_3_CERTIFICATE
3808 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3810 context = SSL_EXT_CLIENT_HELLO
3811 | SSL_EXT_TLS1_2_SERVER_HELLO
3812 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3815 /* Create a client side custom extension */
3817 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3818 old_add_cb, old_free_cb,
3819 &client, old_parse_cb,
3823 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3824 new_add_cb, new_free_cb,
3825 &client, new_parse_cb, &client)))
3829 /* Should not be able to add duplicates */
3830 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3831 old_add_cb, old_free_cb,
3832 &client, old_parse_cb,
3834 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3835 context, new_add_cb,
3836 new_free_cb, &client,
3837 new_parse_cb, &client)))
3840 /* Create a server side custom extension */
3842 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3843 old_add_cb, old_free_cb,
3844 &server, old_parse_cb,
3848 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3849 new_add_cb, new_free_cb,
3850 &server, new_parse_cb, &server)))
3853 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3854 context, new_add_cb,
3855 new_free_cb, &server,
3856 new_parse_cb, &server)))
3860 /* Should not be able to add duplicates */
3861 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3862 old_add_cb, old_free_cb,
3863 &server, old_parse_cb,
3865 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3866 context, new_add_cb,
3867 new_free_cb, &server,
3868 new_parse_cb, &server)))
3873 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3874 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3879 &clientssl, NULL, NULL))
3880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3885 if (clntaddoldcb != 1
3886 || clntparseoldcb != 1
3888 || srvparseoldcb != 1)
3890 } else if (tst == 1 || tst == 2 || tst == 3) {
3891 if (clntaddnewcb != 1
3892 || clntparsenewcb != 1
3894 || srvparsenewcb != 1
3895 || (tst != 2 && snicb != 0)
3896 || (tst == 2 && snicb != 1))
3899 /* In this case there 2 NewSessionTicket messages created */
3900 if (clntaddnewcb != 1
3901 || clntparsenewcb != 5
3903 || srvparsenewcb != 1)
3907 sess = SSL_get1_session(clientssl);
3908 SSL_shutdown(clientssl);
3909 SSL_shutdown(serverssl);
3910 SSL_free(serverssl);
3911 SSL_free(clientssl);
3912 serverssl = clientssl = NULL;
3915 /* We don't bother with the resumption aspects for this test */
3920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3922 || !TEST_true(SSL_set_session(clientssl, sess))
3923 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3928 * For a resumed session we expect to add the ClientHello extension. For the
3929 * old style callbacks we ignore it on the server side because they set
3930 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3934 if (clntaddoldcb != 2
3935 || clntparseoldcb != 1
3937 || srvparseoldcb != 1)
3939 } else if (tst == 1 || tst == 2 || tst == 3) {
3940 if (clntaddnewcb != 2
3941 || clntparsenewcb != 2
3943 || srvparsenewcb != 2)
3947 * No Certificate message extensions in the resumption handshake,
3948 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3950 if (clntaddnewcb != 2
3951 || clntparsenewcb != 8
3953 || srvparsenewcb != 2)
3960 SSL_SESSION_free(sess);
3961 SSL_free(serverssl);
3962 SSL_free(clientssl);
3963 SSL_CTX_free(sctx2);
3970 * Test loading of serverinfo data in various formats. test_sslmessages actually
3971 * tests to make sure the extensions appear in the handshake
3973 static int test_serverinfo(int tst)
3975 unsigned int version;
3976 unsigned char *sibuf;
3978 int ret, expected, testresult = 0;
3981 ctx = SSL_CTX_new(TLS_method());
3985 if ((tst & 0x01) == 0x01)
3986 version = SSL_SERVERINFOV2;
3988 version = SSL_SERVERINFOV1;
3990 if ((tst & 0x02) == 0x02) {
3991 sibuf = serverinfov2;
3992 sibuflen = sizeof(serverinfov2);
3993 expected = (version == SSL_SERVERINFOV2);
3995 sibuf = serverinfov1;
3996 sibuflen = sizeof(serverinfov1);
3997 expected = (version == SSL_SERVERINFOV1);
4000 if ((tst & 0x04) == 0x04) {
4001 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4003 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4006 * The version variable is irrelevant in this case - it's what is in the
4007 * buffer that matters
4009 if ((tst & 0x02) == 0x02)
4015 if (!TEST_true(ret == expected))
4027 * Test that SSL_export_keying_material() produces expected results. There are
4028 * no test vectors so all we do is test that both sides of the communication
4029 * produce the same results for different protocol versions.
4031 #define SMALL_LABEL_LEN 10
4032 #define LONG_LABEL_LEN 249
4033 static int test_export_key_mat(int tst)
4036 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4037 SSL *clientssl = NULL, *serverssl = NULL;
4038 const char label[LONG_LABEL_LEN + 1] = "test label";
4039 const unsigned char context[] = "context";
4040 const unsigned char *emptycontext = NULL;
4041 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4042 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4044 const int protocols[] = {
4053 #ifdef OPENSSL_NO_TLS1
4057 #ifdef OPENSSL_NO_TLS1_1
4061 #ifdef OPENSSL_NO_TLS1_2
4065 #ifdef OPENSSL_NO_TLS1_3
4069 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4070 TLS1_VERSION, TLS_MAX_VERSION,
4071 &sctx, &cctx, cert, privkey)))
4074 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4075 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4076 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4078 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4080 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4086 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4089 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4090 sizeof(ckeymat1), label,
4091 LONG_LABEL_LEN + 1, context,
4092 sizeof(context) - 1, 1), 0))
4097 } else if (tst == 4) {
4098 labellen = LONG_LABEL_LEN;
4100 labellen = SMALL_LABEL_LEN;
4103 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4104 sizeof(ckeymat1), label,
4106 sizeof(context) - 1, 1), 1)
4107 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4108 sizeof(ckeymat2), label,
4112 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4113 sizeof(ckeymat3), label,
4116 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4117 sizeof(skeymat1), label,
4120 sizeof(context) -1, 1),
4122 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4123 sizeof(skeymat2), label,
4127 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4128 sizeof(skeymat3), label,
4132 * Check that both sides created the same key material with the
4135 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4138 * Check that both sides created the same key material with an
4141 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4144 * Check that both sides created the same key material without a
4147 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4149 /* Different contexts should produce different results */
4150 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4155 * Check that an empty context and no context produce different results in
4156 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4158 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4160 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4167 SSL_free(serverssl);
4168 SSL_free(clientssl);
4169 SSL_CTX_free(sctx2);
4176 #ifndef OPENSSL_NO_TLS1_3
4178 * Test that SSL_export_keying_material_early() produces expected
4179 * results. There are no test vectors so all we do is test that both
4180 * sides of the communication produce the same results for different
4181 * protocol versions.
4183 static int test_export_key_mat_early(int idx)
4185 static const char label[] = "test label";
4186 static const unsigned char context[] = "context";
4188 SSL_CTX *cctx = NULL, *sctx = NULL;
4189 SSL *clientssl = NULL, *serverssl = NULL;
4190 SSL_SESSION *sess = NULL;
4191 const unsigned char *emptycontext = NULL;
4192 unsigned char ckeymat1[80], ckeymat2[80];
4193 unsigned char skeymat1[80], skeymat2[80];
4194 unsigned char buf[1];
4195 size_t readbytes, written;
4197 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4201 /* Here writing 0 length early data is enough. */
4202 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4203 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4205 SSL_READ_EARLY_DATA_ERROR)
4206 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4207 SSL_EARLY_DATA_ACCEPTED))
4210 if (!TEST_int_eq(SSL_export_keying_material_early(
4211 clientssl, ckeymat1, sizeof(ckeymat1), label,
4212 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4213 || !TEST_int_eq(SSL_export_keying_material_early(
4214 clientssl, ckeymat2, sizeof(ckeymat2), label,
4215 sizeof(label) - 1, emptycontext, 0), 1)
4216 || !TEST_int_eq(SSL_export_keying_material_early(
4217 serverssl, skeymat1, sizeof(skeymat1), label,
4218 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4219 || !TEST_int_eq(SSL_export_keying_material_early(
4220 serverssl, skeymat2, sizeof(skeymat2), label,
4221 sizeof(label) - 1, emptycontext, 0), 1)
4223 * Check that both sides created the same key material with the
4226 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4229 * Check that both sides created the same key material with an
4232 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4234 /* Different contexts should produce different results */
4235 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4242 SSL_SESSION_free(sess);
4243 SSL_SESSION_free(clientpsk);
4244 SSL_SESSION_free(serverpsk);
4245 clientpsk = serverpsk = NULL;
4246 SSL_free(serverssl);
4247 SSL_free(clientssl);
4253 #endif /* OPENSSL_NO_TLS1_3 */
4255 static int test_ssl_clear(int idx)
4257 SSL_CTX *cctx = NULL, *sctx = NULL;
4258 SSL *clientssl = NULL, *serverssl = NULL;
4261 #ifdef OPENSSL_NO_TLS1_2
4266 /* Create an initial connection */
4267 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4268 TLS1_VERSION, TLS_MAX_VERSION,
4269 &sctx, &cctx, cert, privkey))
4271 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4273 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4274 &clientssl, NULL, NULL))
4275 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4279 SSL_shutdown(clientssl);
4280 SSL_shutdown(serverssl);
4281 SSL_free(serverssl);
4284 /* Clear clientssl - we're going to reuse the object */
4285 if (!TEST_true(SSL_clear(clientssl)))
4288 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4290 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4292 || !TEST_true(SSL_session_reused(clientssl)))
4295 SSL_shutdown(clientssl);
4296 SSL_shutdown(serverssl);
4301 SSL_free(serverssl);
4302 SSL_free(clientssl);
4309 /* Parse CH and retrieve any MFL extension value if present */
4310 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4313 unsigned char *data;
4314 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4315 unsigned int MFL_code = 0, type = 0;
4317 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4320 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4321 /* Skip the record header */
4322 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4323 /* Skip the handshake message header */
4324 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4325 /* Skip client version and random */
4326 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4327 + SSL3_RANDOM_SIZE))
4328 /* Skip session id */
4329 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4331 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4332 /* Skip compression */
4333 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4334 /* Extensions len */
4335 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4338 /* Loop through all extensions */
4339 while (PACKET_remaining(&pkt2)) {
4340 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4341 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4344 if (type == TLSEXT_TYPE_max_fragment_length) {
4345 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4346 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4349 *mfl_codemfl_code = MFL_code;
4358 /* Maximum-Fragment-Length TLS extension mode to test */
4359 static const unsigned char max_fragment_len_test[] = {
4360 TLSEXT_max_fragment_length_512,
4361 TLSEXT_max_fragment_length_1024,
4362 TLSEXT_max_fragment_length_2048,
4363 TLSEXT_max_fragment_length_4096
4366 static int test_max_fragment_len_ext(int idx_tst)
4370 int testresult = 0, MFL_mode = 0;
4373 ctx = SSL_CTX_new(TLS_method());
4377 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4378 ctx, max_fragment_len_test[idx_tst])))
4385 rbio = BIO_new(BIO_s_mem());
4386 wbio = BIO_new(BIO_s_mem());
4387 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4393 SSL_set_bio(con, rbio, wbio);
4394 SSL_set_connect_state(con);
4396 if (!TEST_int_le(SSL_connect(con), 0)) {
4397 /* This shouldn't succeed because we don't have a server! */
4401 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4402 /* no MFL in client hello */
4404 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4416 #ifndef OPENSSL_NO_TLS1_3
4417 static int test_pha_key_update(void)
4419 SSL_CTX *cctx = NULL, *sctx = NULL;
4420 SSL *clientssl = NULL, *serverssl = NULL;
4423 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4424 TLS1_VERSION, TLS_MAX_VERSION,
4425 &sctx, &cctx, cert, privkey)))
4428 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4429 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4430 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4431 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4434 SSL_CTX_set_post_handshake_auth(cctx, 1);
4436 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4440 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4444 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4445 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4448 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4451 /* Start handshake on the server */
4452 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4455 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4456 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4460 SSL_shutdown(clientssl);
4461 SSL_shutdown(serverssl);
4466 SSL_free(serverssl);
4467 SSL_free(clientssl);
4474 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4476 static SRP_VBASE *vbase = NULL;
4478 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4480 int ret = SSL3_AL_FATAL;
4482 SRP_user_pwd *user = NULL;
4484 username = SSL_get_srp_username(s);
4485 if (username == NULL) {
4486 *ad = SSL_AD_INTERNAL_ERROR;
4490 user = SRP_VBASE_get1_by_user(vbase, username);
4492 *ad = SSL_AD_INTERNAL_ERROR;
4496 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4498 *ad = SSL_AD_INTERNAL_ERROR;
4505 SRP_user_pwd_free(user);
4509 static int create_new_vfile(char *userid, char *password, const char *filename)
4512 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4515 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4518 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4521 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4522 &row[DB_srpverifier], NULL, NULL);
4523 if (!TEST_ptr(gNid))
4527 * The only way to create an empty TXT_DB is to provide a BIO with no data
4530 db = TXT_DB_read(dummy, DB_NUMBER);
4534 out = BIO_new_file(filename, "w");
4538 row[DB_srpid] = OPENSSL_strdup(userid);
4539 row[DB_srptype] = OPENSSL_strdup("V");
4540 row[DB_srpgN] = OPENSSL_strdup(gNid);
4542 if (!TEST_ptr(row[DB_srpid])
4543 || !TEST_ptr(row[DB_srptype])
4544 || !TEST_ptr(row[DB_srpgN])
4545 || !TEST_true(TXT_DB_insert(db, row)))
4550 if (!TXT_DB_write(out, db))
4556 for (i = 0; i < DB_NUMBER; i++)
4557 OPENSSL_free(row[i]);
4567 static int create_new_vbase(char *userid, char *password)
4569 BIGNUM *verifier = NULL, *salt = NULL;
4570 const SRP_gN *lgN = NULL;
4571 SRP_user_pwd *user_pwd = NULL;
4574 lgN = SRP_get_default_gN(NULL);
4578 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4582 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4583 if (!TEST_ptr(user_pwd))
4586 user_pwd->N = lgN->N;
4587 user_pwd->g = lgN->g;
4588 user_pwd->id = OPENSSL_strdup(userid);
4589 if (!TEST_ptr(user_pwd->id))
4592 user_pwd->v = verifier;
4594 verifier = salt = NULL;
4596 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4602 SRP_user_pwd_free(user_pwd);
4612 * Test 0: Simple successful SRP connection, new vbase
4613 * Test 1: Connection failure due to bad password, new vbase
4614 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4615 * Test 3: Connection failure due to bad password, vbase loaded from existing
4617 * Test 4: Simple successful SRP connection, vbase loaded from new file
4618 * Test 5: Connection failure due to bad password, vbase loaded from new file
4620 static int test_srp(int tst)
4622 char *userid = "test", *password = "password", *tstsrpfile;
4623 SSL_CTX *cctx = NULL, *sctx = NULL;
4624 SSL *clientssl = NULL, *serverssl = NULL;
4625 int ret, testresult = 0;
4627 vbase = SRP_VBASE_new(NULL);
4628 if (!TEST_ptr(vbase))
4631 if (tst == 0 || tst == 1) {
4632 if (!TEST_true(create_new_vbase(userid, password)))
4635 if (tst == 4 || tst == 5) {
4636 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4638 tstsrpfile = tmpfilename;
4640 tstsrpfile = srpvfile;
4642 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4646 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4647 TLS1_VERSION, TLS_MAX_VERSION,
4648 &sctx, &cctx, cert, privkey)))
4651 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4652 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4653 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4654 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4655 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4659 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4662 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4666 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4670 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4672 if (!TEST_true(tst % 2 == 0))
4675 if (!TEST_true(tst % 2 == 1))
4682 SRP_VBASE_free(vbase);
4684 SSL_free(serverssl);
4685 SSL_free(clientssl);
4693 static int info_cb_failed = 0;
4694 static int info_cb_offset = 0;
4695 static int info_cb_this_state = -1;
4697 static struct info_cb_states_st {
4699 const char *statestr;
4700 } info_cb_states[][60] = {
4702 /* TLSv1.2 server followed by resumption */
4703 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4704 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4705 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4706 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4707 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4708 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4709 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4710 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4711 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4712 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4713 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4714 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4715 {SSL_CB_EXIT, NULL}, {0, NULL},
4717 /* TLSv1.2 client followed by resumption */
4718 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4719 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4720 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4721 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4722 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4723 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4724 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4725 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4726 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4727 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4728 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4729 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4731 /* TLSv1.3 server followed by resumption */
4732 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4733 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4734 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4735 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4736 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4737 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4738 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4739 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4740 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4741 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4742 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4743 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4744 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4745 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4746 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4747 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4748 {SSL_CB_EXIT, NULL}, {0, NULL},
4750 /* TLSv1.3 client followed by resumption */
4751 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4752 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4753 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4754 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4755 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4756 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4757 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4758 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4759 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4760 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4761 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4762 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4763 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4764 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4765 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4766 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4767 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4768 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4769 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4771 /* TLSv1.3 server, early_data */
4772 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4773 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4774 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4775 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4776 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4777 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4778 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4779 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4780 {SSL_CB_EXIT, NULL}, {0, NULL},
4782 /* TLSv1.3 client, early_data */
4783 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4784 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4785 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4786 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4787 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4788 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4789 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4790 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4791 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4792 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4798 static void sslapi_info_callback(const SSL *s, int where, int ret)
4800 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4802 /* We do not ever expect a connection to fail in this test */
4803 if (!TEST_false(ret == 0)) {
4809 * Do some sanity checks. We never expect these things to happen in this
4812 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4813 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4814 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4819 /* Now check we're in the right state */
4820 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4824 if ((where & SSL_CB_LOOP) != 0
4825 && !TEST_int_eq(strcmp(SSL_state_string(s),
4826 state[info_cb_this_state].statestr), 0)) {
4831 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4832 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4839 * Test the info callback gets called when we expect it to.
4841 * Test 0: TLSv1.2, server
4842 * Test 1: TLSv1.2, client
4843 * Test 2: TLSv1.3, server
4844 * Test 3: TLSv1.3, client
4845 * Test 4: TLSv1.3, server, early_data
4846 * Test 5: TLSv1.3, client, early_data
4848 static int test_info_callback(int tst)
4850 SSL_CTX *cctx = NULL, *sctx = NULL;
4851 SSL *clientssl = NULL, *serverssl = NULL;
4852 SSL_SESSION *clntsess = NULL;
4857 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
4858 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
4859 || !defined(OPENSSL_NO_DH))
4860 tlsvers = TLS1_2_VERSION;
4865 #ifndef OPENSSL_NO_TLS1_3
4866 tlsvers = TLS1_3_VERSION;
4874 info_cb_this_state = -1;
4875 info_cb_offset = tst;
4877 #ifndef OPENSSL_NO_TLS1_3
4879 SSL_SESSION *sess = NULL;
4880 size_t written, readbytes;
4881 unsigned char buf[80];
4883 /* early_data tests */
4884 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4885 &serverssl, &sess, 0)))
4888 /* We don't actually need this reference */
4889 SSL_SESSION_free(sess);
4891 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4892 sslapi_info_callback);
4894 /* Write and read some early data and then complete the connection */
4895 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4897 || !TEST_size_t_eq(written, strlen(MSG1))
4898 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4899 sizeof(buf), &readbytes),
4900 SSL_READ_EARLY_DATA_SUCCESS)
4901 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4902 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4903 SSL_EARLY_DATA_ACCEPTED)
4904 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4906 || !TEST_false(info_cb_failed))
4914 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4915 TLS_client_method(),
4916 tlsvers, tlsvers, &sctx, &cctx, cert,
4921 * For even numbered tests we check the server callbacks. For odd numbers we
4924 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4925 sslapi_info_callback);
4927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4928 &clientssl, NULL, NULL))
4929 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4931 || !TEST_false(info_cb_failed))
4936 clntsess = SSL_get1_session(clientssl);
4937 SSL_shutdown(clientssl);
4938 SSL_shutdown(serverssl);
4939 SSL_free(serverssl);
4940 SSL_free(clientssl);
4941 serverssl = clientssl = NULL;
4943 /* Now do a resumption */
4944 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4946 || !TEST_true(SSL_set_session(clientssl, clntsess))
4947 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4949 || !TEST_true(SSL_session_reused(clientssl))
4950 || !TEST_false(info_cb_failed))
4956 SSL_free(serverssl);
4957 SSL_free(clientssl);
4958 SSL_SESSION_free(clntsess);
4964 static int test_ssl_pending(int tst)
4966 SSL_CTX *cctx = NULL, *sctx = NULL;
4967 SSL *clientssl = NULL, *serverssl = NULL;
4969 char msg[] = "A test message";
4971 size_t written, readbytes;
4974 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4975 TLS_client_method(),
4976 TLS1_VERSION, TLS_MAX_VERSION,
4977 &sctx, &cctx, cert, privkey)))
4980 #ifndef OPENSSL_NO_DTLS
4981 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4982 DTLS_client_method(),
4983 DTLS1_VERSION, DTLS_MAX_VERSION,
4984 &sctx, &cctx, cert, privkey)))
4991 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4993 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4997 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4998 || !TEST_false(SSL_has_pending(clientssl))
4999 || !TEST_int_eq(SSL_pending(serverssl), 0)
5000 || !TEST_false(SSL_has_pending(serverssl))
5001 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5002 || !TEST_size_t_eq(written, sizeof(msg))
5003 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5004 || !TEST_size_t_eq(readbytes, sizeof(buf))
5005 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5006 || !TEST_true(SSL_has_pending(clientssl)))
5012 SSL_free(serverssl);
5013 SSL_free(clientssl);
5021 unsigned int maxprot;
5022 const char *clntciphers;
5023 const char *clnttls13ciphers;
5024 const char *srvrciphers;
5025 const char *srvrtls13ciphers;
5027 } shared_ciphers_data[] = {
5029 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5030 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5032 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5035 "AES128-SHA:AES256-SHA",
5037 "AES256-SHA:DHE-RSA-AES128-SHA",
5043 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5045 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5047 "AES128-SHA:AES256-SHA"
5051 "AES128-SHA:AES256-SHA",
5053 "AES128-SHA:DHE-RSA-AES128-SHA",
5059 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5062 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5063 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5066 "AES128-SHA:AES256-SHA",
5068 "AES256-SHA:AES128-SHA256",
5070 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5071 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5074 #ifndef OPENSSL_NO_TLS1_3
5078 "TLS_AES_256_GCM_SHA384",
5080 "TLS_AES_256_GCM_SHA384",
5081 "TLS_AES_256_GCM_SHA384"
5086 static int test_ssl_get_shared_ciphers(int tst)
5088 SSL_CTX *cctx = NULL, *sctx = NULL;
5089 SSL *clientssl = NULL, *serverssl = NULL;
5093 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5094 TLS_client_method(),
5096 shared_ciphers_data[tst].maxprot,
5097 &sctx, &cctx, cert, privkey)))
5100 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5101 shared_ciphers_data[tst].clntciphers))
5102 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5103 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5104 shared_ciphers_data[tst].clnttls13ciphers)))
5105 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5106 shared_ciphers_data[tst].srvrciphers))
5107 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5108 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5109 shared_ciphers_data[tst].srvrtls13ciphers))))
5113 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5115 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5119 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5120 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5121 TEST_info("Shared ciphers are: %s\n", buf);
5128 SSL_free(serverssl);
5129 SSL_free(clientssl);
5136 static const char *appdata = "Hello World";
5137 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5138 static int tick_key_renew = 0;
5139 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5141 static int gen_tick_cb(SSL *s, void *arg)
5143 gen_tick_called = 1;
5145 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5149 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5150 const unsigned char *keyname,
5151 size_t keyname_length,
5152 SSL_TICKET_STATUS status,
5158 dec_tick_called = 1;
5160 if (status == SSL_TICKET_EMPTY)
5161 return SSL_TICKET_RETURN_IGNORE_RENEW;
5163 if (!TEST_true(status == SSL_TICKET_SUCCESS
5164 || status == SSL_TICKET_SUCCESS_RENEW))
5165 return SSL_TICKET_RETURN_ABORT;
5167 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5169 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5170 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5171 return SSL_TICKET_RETURN_ABORT;
5173 if (tick_key_cb_called) {
5174 /* Don't change what the ticket key callback wanted to do */
5176 case SSL_TICKET_NO_DECRYPT:
5177 return SSL_TICKET_RETURN_IGNORE_RENEW;
5179 case SSL_TICKET_SUCCESS:
5180 return SSL_TICKET_RETURN_USE;
5182 case SSL_TICKET_SUCCESS_RENEW:
5183 return SSL_TICKET_RETURN_USE_RENEW;
5186 return SSL_TICKET_RETURN_ABORT;
5189 return tick_dec_ret;
5193 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5194 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5195 HMAC_CTX *hctx, int enc)
5197 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5198 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5200 tick_key_cb_called = 1;
5201 memset(iv, 0, AES_BLOCK_SIZE);
5202 memset(key_name, 0, 16);
5203 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5204 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5205 EVP_sha256(), NULL))
5208 return tick_key_renew ? 2 : 1;
5212 * Test the various ticket callbacks
5213 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5214 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5215 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5216 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5217 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5218 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5219 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5220 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5221 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5222 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5223 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5224 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5226 static int test_ticket_callbacks(int tst)
5228 SSL_CTX *cctx = NULL, *sctx = NULL;
5229 SSL *clientssl = NULL, *serverssl = NULL;
5230 SSL_SESSION *clntsess = NULL;
5233 #ifdef OPENSSL_NO_TLS1_2
5237 #ifdef OPENSSL_NO_TLS1_3
5242 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5244 /* Which tests the ticket key callback should request renewal for */
5245 if (tst == 10 || tst == 11)
5250 /* Which tests the decrypt ticket callback should request renewal for */
5254 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5259 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5264 tick_dec_ret = SSL_TICKET_RETURN_USE;
5269 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5273 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5276 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5277 TLS_client_method(),
5279 ((tst % 2) == 0) ? TLS1_2_VERSION
5281 &sctx, &cctx, cert, privkey)))
5285 * We only want sessions to resume from tickets - not the session cache. So
5286 * switch the cache off.
5288 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5291 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5296 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5299 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5301 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5306 * The decrypt ticket key callback in TLSv1.2 should be called even though
5307 * we have no ticket yet, because it gets called with a status of
5308 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5309 * actually send any ticket data). This does not happen in TLSv1.3 because
5310 * it is not valid to send empty ticket data in TLSv1.3.
5312 if (!TEST_int_eq(gen_tick_called, 1)
5313 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5316 gen_tick_called = dec_tick_called = 0;
5318 clntsess = SSL_get1_session(clientssl);
5319 SSL_shutdown(clientssl);
5320 SSL_shutdown(serverssl);
5321 SSL_free(serverssl);
5322 SSL_free(clientssl);
5323 serverssl = clientssl = NULL;
5325 /* Now do a resumption */
5326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5328 || !TEST_true(SSL_set_session(clientssl, clntsess))
5329 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5333 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5334 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5335 if (!TEST_false(SSL_session_reused(clientssl)))
5338 if (!TEST_true(SSL_session_reused(clientssl)))
5342 if (!TEST_int_eq(gen_tick_called,
5344 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5345 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5347 || !TEST_int_eq(dec_tick_called, 1))
5353 SSL_SESSION_free(clntsess);
5354 SSL_free(serverssl);
5355 SSL_free(clientssl);
5363 * Test bi-directional shutdown.
5365 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5366 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5367 * Test 3: TLSv1.3, pending NewSessionTicket messages
5368 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5369 * sends key update, client reads it
5370 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5371 * sends CertificateRequest, client reads and ignores it
5372 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
5375 static int test_shutdown(int tst)
5377 SSL_CTX *cctx = NULL, *sctx = NULL;
5378 SSL *clientssl = NULL, *serverssl = NULL;
5380 char msg[] = "A test message";
5382 size_t written, readbytes;
5385 #ifdef OPENSSL_NO_TLS1_2
5389 #ifdef OPENSSL_NO_TLS1_3
5394 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5395 TLS_client_method(),
5397 (tst <= 1) ? TLS1_2_VERSION
5399 &sctx, &cctx, cert, privkey)))
5403 SSL_CTX_set_post_handshake_auth(cctx, 1);
5405 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5410 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5412 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5413 || !TEST_false(SSL_SESSION_is_resumable(sess)))
5415 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5417 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5418 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
5422 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5427 * Reading on the server after the client has sent close_notify should
5428 * fail and provide SSL_ERROR_ZERO_RETURN
5430 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5431 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5432 SSL_ERROR_ZERO_RETURN)
5433 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5434 SSL_RECEIVED_SHUTDOWN)
5436 * Even though we're shutdown on receive we should still be
5439 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5442 && !TEST_true(SSL_key_update(serverssl,
5443 SSL_KEY_UPDATE_REQUESTED)))
5446 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5447 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5450 if ((tst == 4 || tst == 5)
5451 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5453 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
5455 if (tst == 4 || tst == 5) {
5456 /* Should still be able to read data from server */
5457 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5459 || !TEST_size_t_eq(readbytes, sizeof(msg))
5460 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5461 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5463 || !TEST_size_t_eq(readbytes, sizeof(msg))
5464 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5469 /* Writing on the client after sending close_notify shouldn't be possible */
5470 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5475 * For these tests the client has sent close_notify but it has not yet
5476 * been received by the server. The server has not sent close_notify
5479 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5481 * Writing on the server after sending close_notify shouldn't
5484 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5485 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5486 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5487 || !TEST_true(SSL_SESSION_is_resumable(sess))
5488 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5490 } else if (tst == 4 || tst == 5) {
5492 * In this test the client has sent close_notify and it has been
5493 * received by the server which has responded with a close_notify. The
5494 * client needs to read the close_notify sent by the server.
5496 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
5497 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5498 || !TEST_true(SSL_SESSION_is_resumable(sess)))
5504 * The client has sent close_notify and is expecting a close_notify
5505 * back, but instead there is application data first. The shutdown
5506 * should fail with a fatal error.
5508 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5509 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5516 SSL_free(serverssl);
5517 SSL_free(clientssl);
5524 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5525 static int cert_cb_cnt;
5527 static int cert_cb(SSL *s, void *arg)
5529 SSL_CTX *ctx = (SSL_CTX *)arg;
5531 if (cert_cb_cnt == 0) {
5532 /* Suspend the handshake */
5535 } else if (cert_cb_cnt == 1) {
5537 * Update the SSL_CTX, set the certificate and private key and then
5538 * continue the handshake normally.
5540 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
5543 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
5544 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
5546 || !TEST_true(SSL_check_private_key(s)))
5552 /* Abort the handshake */
5557 * Test the certificate callback.
5558 * Test 0: Callback fails
5559 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
5560 * Test 2: Success - SSL_set_SSL_CTX() in the callback
5562 static int test_cert_cb_int(int prot, int tst)
5564 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
5565 SSL *clientssl = NULL, *serverssl = NULL;
5566 int testresult = 0, ret;
5568 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5569 TLS_client_method(),
5572 &sctx, &cctx, NULL, NULL)))
5580 snictx = SSL_CTX_new(TLS_server_method());
5581 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
5583 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5587 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5588 if (!TEST_true(tst == 0 ? !ret : ret)
5589 || (tst > 0 && !TEST_int_eq(cert_cb_cnt, 2))) {
5596 SSL_free(serverssl);
5597 SSL_free(clientssl);
5600 SSL_CTX_free(snictx);
5606 static int test_cert_cb(int tst)
5610 #ifndef OPENSSL_NO_TLS1_2
5611 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
5613 #ifndef OPENSSL_NO_TLS1_3
5614 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
5620 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
5626 /* Check that SSL_get_peer_certificate() returns something sensible */
5627 peer = SSL_get_peer_certificate(ssl);
5628 if (!TEST_ptr(peer))
5632 in = BIO_new_file(cert, "r");
5636 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
5638 if (!TEST_ptr(xcert))
5641 in = BIO_new_file(privkey, "r");
5642 if (!TEST_ptr(in)) {
5647 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
5649 if (!TEST_ptr(privpkey)) {
5660 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5665 static int test_client_cert_cb(int tst)
5667 SSL_CTX *cctx = NULL, *sctx = NULL;
5668 SSL *clientssl = NULL, *serverssl = NULL;
5671 #ifdef OPENSSL_NO_TLS1_2
5675 #ifdef OPENSSL_NO_TLS1_3
5680 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5681 TLS_client_method(),
5683 tst == 0 ? TLS1_2_VERSION
5685 &sctx, &cctx, cert, privkey)))
5689 * Test that setting a client_cert_cb results in a client certificate being
5692 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
5693 SSL_CTX_set_verify(sctx,
5694 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5697 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5699 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5706 SSL_free(serverssl);
5707 SSL_free(clientssl);
5714 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5716 * Test setting certificate authorities on both client and server.
5718 * Test 0: SSL_CTX_set0_CA_list() only
5719 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
5720 * Test 2: Only SSL_CTX_set_client_CA_list()
5722 static int test_ca_names_int(int prot, int tst)
5724 SSL_CTX *cctx = NULL, *sctx = NULL;
5725 SSL *clientssl = NULL, *serverssl = NULL;
5728 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
5729 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
5730 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
5731 const STACK_OF(X509_NAME) *sktmp = NULL;
5733 for (i = 0; i < OSSL_NELEM(name); i++) {
5734 name[i] = X509_NAME_new();
5735 if (!TEST_ptr(name[i])
5736 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
5744 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5745 TLS_client_method(),
5748 &sctx, &cctx, cert, privkey)))
5751 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
5753 if (tst == 0 || tst == 1) {
5754 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5755 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
5756 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
5757 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5758 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
5759 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
5762 SSL_CTX_set0_CA_list(sctx, sk1);
5763 SSL_CTX_set0_CA_list(cctx, sk2);
5766 if (tst == 1 || tst == 2) {
5767 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5768 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
5769 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
5770 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5771 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
5772 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
5775 SSL_CTX_set_client_CA_list(sctx, sk1);
5776 SSL_CTX_set_client_CA_list(cctx, sk2);
5780 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5782 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5787 * We only expect certificate authorities to have been sent to the server
5788 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
5790 sktmp = SSL_get0_peer_CA_list(serverssl);
5791 if (prot == TLS1_3_VERSION
5792 && (tst == 0 || tst == 1)) {
5793 if (!TEST_ptr(sktmp)
5794 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
5795 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
5797 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
5800 } else if (!TEST_ptr_null(sktmp)) {
5805 * In all tests we expect certificate authorities to have been sent to the
5806 * client. However, SSL_set_client_CA_list() should override
5807 * SSL_set0_CA_list()
5809 sktmp = SSL_get0_peer_CA_list(clientssl);
5810 if (!TEST_ptr(sktmp)
5811 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
5812 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
5813 name[tst == 0 ? 0 : 2]), 0)
5814 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
5815 name[tst == 0 ? 1 : 3]), 0))
5821 SSL_free(serverssl);
5822 SSL_free(clientssl);
5825 for (i = 0; i < OSSL_NELEM(name); i++)
5826 X509_NAME_free(name[i]);
5827 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
5828 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
5834 static int test_ca_names(int tst)
5838 #ifndef OPENSSL_NO_TLS1_2
5839 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
5841 #ifndef OPENSSL_NO_TLS1_3
5842 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
5848 int setup_tests(void)
5850 if (!TEST_ptr(cert = test_get_argument(0))
5851 || !TEST_ptr(privkey = test_get_argument(1))
5852 || !TEST_ptr(srpvfile = test_get_argument(2))
5853 || !TEST_ptr(tmpfilename = test_get_argument(3)))
5856 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
5857 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
5858 TEST_error("not supported in this build");
5861 int i, mcount, rcount, fcount;
5863 for (i = 0; i < 4; i++)
5864 test_export_key_mat(i);
5865 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
5866 test_printf_stdout("malloc %d realloc %d free %d\n",
5867 mcount, rcount, fcount);
5872 ADD_TEST(test_large_message_tls);
5873 ADD_TEST(test_large_message_tls_read_ahead);
5874 #ifndef OPENSSL_NO_DTLS
5875 ADD_TEST(test_large_message_dtls);
5877 #ifndef OPENSSL_NO_OCSP
5878 ADD_TEST(test_tlsext_status_type);
5880 ADD_TEST(test_session_with_only_int_cache);
5881 ADD_TEST(test_session_with_only_ext_cache);
5882 ADD_TEST(test_session_with_both_cache);
5883 #ifndef OPENSSL_NO_TLS1_3
5884 ADD_ALL_TESTS(test_stateful_tickets, 3);
5885 ADD_ALL_TESTS(test_stateless_tickets, 3);
5886 ADD_TEST(test_psk_tickets);
5888 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
5889 ADD_TEST(test_ssl_bio_pop_next_bio);
5890 ADD_TEST(test_ssl_bio_pop_ssl_bio);
5891 ADD_TEST(test_ssl_bio_change_rbio);
5892 ADD_TEST(test_ssl_bio_change_wbio);
5893 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
5894 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
5895 ADD_TEST(test_keylog);
5897 #ifndef OPENSSL_NO_TLS1_3
5898 ADD_TEST(test_keylog_no_master_key);
5900 #ifndef OPENSSL_NO_TLS1_2
5901 ADD_TEST(test_client_hello_cb);
5903 #ifndef OPENSSL_NO_TLS1_3
5904 ADD_ALL_TESTS(test_early_data_read_write, 3);
5906 * We don't do replay tests for external PSK. Replay protection isn't used
5909 ADD_ALL_TESTS(test_early_data_replay, 2);
5910 ADD_ALL_TESTS(test_early_data_skip, 3);
5911 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
5912 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
5913 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
5914 ADD_ALL_TESTS(test_early_data_not_sent, 3);
5915 ADD_ALL_TESTS(test_early_data_psk, 8);
5916 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5917 # ifndef OPENSSL_NO_TLS1_2
5918 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5921 #ifndef OPENSSL_NO_TLS1_3
5922 ADD_ALL_TESTS(test_set_ciphersuite, 10);
5923 ADD_TEST(test_ciphersuite_change);
5924 #ifdef OPENSSL_NO_PSK
5925 ADD_ALL_TESTS(test_tls13_psk, 1);
5927 ADD_ALL_TESTS(test_tls13_psk, 4);
5928 #endif /* OPENSSL_NO_PSK */
5929 ADD_ALL_TESTS(test_custom_exts, 5);
5930 ADD_TEST(test_stateless);
5931 ADD_TEST(test_pha_key_update);
5933 ADD_ALL_TESTS(test_custom_exts, 3);
5935 ADD_ALL_TESTS(test_serverinfo, 8);
5936 ADD_ALL_TESTS(test_export_key_mat, 6);
5937 #ifndef OPENSSL_NO_TLS1_3
5938 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5940 ADD_ALL_TESTS(test_ssl_clear, 2);
5941 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
5942 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5943 ADD_ALL_TESTS(test_srp, 6);
5945 ADD_ALL_TESTS(test_info_callback, 6);
5946 ADD_ALL_TESTS(test_ssl_pending, 2);
5947 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
5948 ADD_ALL_TESTS(test_ticket_callbacks, 12);
5949 ADD_ALL_TESTS(test_shutdown, 7);
5950 ADD_ALL_TESTS(test_cert_cb, 3);
5951 ADD_ALL_TESTS(test_client_cert_cb, 2);
5952 ADD_ALL_TESTS(test_ca_names, 3);
5956 void cleanup_tests(void)
5958 bio_s_mempacket_test_free();
projects / openssl.git / blob