2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "../ssl/ssl_local.h"
27 #ifndef OPENSSL_NO_TLS1_3
29 static SSL_SESSION *clientpsk = NULL;
30 static SSL_SESSION *serverpsk = NULL;
31 static const char *pskid = "Identity";
32 static const char *srvid;
34 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
35 size_t *idlen, SSL_SESSION **sess);
36 static int find_session_cb(SSL *ssl, const unsigned char *identity,
37 size_t identity_len, SSL_SESSION **sess);
39 static int use_session_cb_cnt = 0;
40 static int find_session_cb_cnt = 0;
42 static SSL_SESSION *create_a_psk(SSL *ssl);
45 static char *certsdir = NULL;
46 static char *cert = NULL;
47 static char *privkey = NULL;
48 static char *srpvfile = NULL;
49 static char *tmpfilename = NULL;
51 #define LOG_BUFFER_SIZE 2048
52 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
53 static size_t server_log_buffer_index = 0;
54 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
55 static size_t client_log_buffer_index = 0;
56 static int error_writing_log = 0;
58 #ifndef OPENSSL_NO_OCSP
59 static const unsigned char orespder[] = "Dummy OCSP Response";
60 static int ocsp_server_called = 0;
61 static int ocsp_client_called = 0;
63 static int cdummyarg = 1;
64 static X509 *ocspcert = NULL;
67 #define NUM_EXTRA_CERTS 40
68 #define CLIENT_VERSION_LEN 2
71 * This structure is used to validate that the correct number of log messages
72 * of various types are emitted when emitting secret logs.
74 struct sslapitest_log_counts {
75 unsigned int rsa_key_exchange_count;
76 unsigned int master_secret_count;
77 unsigned int client_early_secret_count;
78 unsigned int client_handshake_secret_count;
79 unsigned int server_handshake_secret_count;
80 unsigned int client_application_secret_count;
81 unsigned int server_application_secret_count;
82 unsigned int early_exporter_secret_count;
83 unsigned int exporter_secret_count;
87 static unsigned char serverinfov1[] = {
88 0xff, 0xff, /* Dummy extension type */
89 0x00, 0x01, /* Extension length is 1 byte */
90 0xff /* Dummy extension data */
93 static unsigned char serverinfov2[] = {
95 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
96 0xff, 0xff, /* Dummy extension type */
97 0x00, 0x01, /* Extension length is 1 byte */
98 0xff /* Dummy extension data */
101 static int hostname_cb(SSL *s, int *al, void *arg)
103 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
105 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
106 || strcmp(hostname, "altgoodhost") == 0))
107 return SSL_TLSEXT_ERR_OK;
109 return SSL_TLSEXT_ERR_NOACK;
112 static void client_keylog_callback(const SSL *ssl, const char *line)
114 int line_length = strlen(line);
116 /* If the log doesn't fit, error out. */
117 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
118 TEST_info("Client log too full");
119 error_writing_log = 1;
123 strcat(client_log_buffer, line);
124 client_log_buffer_index += line_length;
125 client_log_buffer[client_log_buffer_index++] = '\n';
128 static void server_keylog_callback(const SSL *ssl, const char *line)
130 int line_length = strlen(line);
132 /* If the log doesn't fit, error out. */
133 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
134 TEST_info("Server log too full");
135 error_writing_log = 1;
139 strcat(server_log_buffer, line);
140 server_log_buffer_index += line_length;
141 server_log_buffer[server_log_buffer_index++] = '\n';
144 static int compare_hex_encoded_buffer(const char *hex_encoded,
152 if (!TEST_size_t_eq(raw_length * 2, hex_length))
155 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
156 sprintf(hexed, "%02x", raw[i]);
157 if (!TEST_int_eq(hexed[0], hex_encoded[j])
158 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
165 static int test_keylog_output(char *buffer, const SSL *ssl,
166 const SSL_SESSION *session,
167 struct sslapitest_log_counts *expected)
170 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
171 size_t client_random_size = SSL3_RANDOM_SIZE;
172 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
173 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
174 unsigned int rsa_key_exchange_count = 0;
175 unsigned int master_secret_count = 0;
176 unsigned int client_early_secret_count = 0;
177 unsigned int client_handshake_secret_count = 0;
178 unsigned int server_handshake_secret_count = 0;
179 unsigned int client_application_secret_count = 0;
180 unsigned int server_application_secret_count = 0;
181 unsigned int early_exporter_secret_count = 0;
182 unsigned int exporter_secret_count = 0;
184 for (token = strtok(buffer, " \n"); token != NULL;
185 token = strtok(NULL, " \n")) {
186 if (strcmp(token, "RSA") == 0) {
188 * Premaster secret. Tokens should be: 16 ASCII bytes of
189 * hex-encoded encrypted secret, then the hex-encoded pre-master
192 if (!TEST_ptr(token = strtok(NULL, " \n")))
194 if (!TEST_size_t_eq(strlen(token), 16))
196 if (!TEST_ptr(token = strtok(NULL, " \n")))
199 * We can't sensibly check the log because the premaster secret is
200 * transient, and OpenSSL doesn't keep hold of it once the master
201 * secret is generated.
203 rsa_key_exchange_count++;
204 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
206 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
207 * client random, then the hex-encoded master secret.
209 client_random_size = SSL_get_client_random(ssl,
210 actual_client_random,
212 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
215 if (!TEST_ptr(token = strtok(NULL, " \n")))
217 if (!TEST_size_t_eq(strlen(token), 64))
219 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
220 actual_client_random,
221 client_random_size)))
224 if (!TEST_ptr(token = strtok(NULL, " \n")))
226 master_key_size = SSL_SESSION_get_master_key(session,
229 if (!TEST_size_t_ne(master_key_size, 0))
231 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
235 master_secret_count++;
236 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
237 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
238 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
239 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
240 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
241 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
242 || strcmp(token, "EXPORTER_SECRET") == 0) {
244 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
245 * client random, and then the hex-encoded secret. In this case,
246 * we treat all of these secrets identically and then just
247 * distinguish between them when counting what we saw.
249 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
250 client_early_secret_count++;
251 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
252 client_handshake_secret_count++;
253 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
254 server_handshake_secret_count++;
255 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
256 client_application_secret_count++;
257 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
258 server_application_secret_count++;
259 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
260 early_exporter_secret_count++;
261 else if (strcmp(token, "EXPORTER_SECRET") == 0)
262 exporter_secret_count++;
264 client_random_size = SSL_get_client_random(ssl,
265 actual_client_random,
267 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
270 if (!TEST_ptr(token = strtok(NULL, " \n")))
272 if (!TEST_size_t_eq(strlen(token), 64))
274 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
275 actual_client_random,
276 client_random_size)))
279 if (!TEST_ptr(token = strtok(NULL, " \n")))
283 * TODO(TLS1.3): test that application traffic secrets are what
286 TEST_info("Unexpected token %s\n", token);
291 /* Got what we expected? */
292 if (!TEST_size_t_eq(rsa_key_exchange_count,
293 expected->rsa_key_exchange_count)
294 || !TEST_size_t_eq(master_secret_count,
295 expected->master_secret_count)
296 || !TEST_size_t_eq(client_early_secret_count,
297 expected->client_early_secret_count)
298 || !TEST_size_t_eq(client_handshake_secret_count,
299 expected->client_handshake_secret_count)
300 || !TEST_size_t_eq(server_handshake_secret_count,
301 expected->server_handshake_secret_count)
302 || !TEST_size_t_eq(client_application_secret_count,
303 expected->client_application_secret_count)
304 || !TEST_size_t_eq(server_application_secret_count,
305 expected->server_application_secret_count)
306 || !TEST_size_t_eq(early_exporter_secret_count,
307 expected->early_exporter_secret_count)
308 || !TEST_size_t_eq(exporter_secret_count,
309 expected->exporter_secret_count))
314 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
315 static int test_keylog(void)
317 SSL_CTX *cctx = NULL, *sctx = NULL;
318 SSL *clientssl = NULL, *serverssl = NULL;
320 struct sslapitest_log_counts expected = {0};
322 /* Clean up logging space */
323 memset(client_log_buffer, 0, sizeof(client_log_buffer));
324 memset(server_log_buffer, 0, sizeof(server_log_buffer));
325 client_log_buffer_index = 0;
326 server_log_buffer_index = 0;
327 error_writing_log = 0;
329 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
331 TLS1_VERSION, TLS_MAX_VERSION,
332 &sctx, &cctx, cert, privkey)))
335 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
336 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
337 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
339 /* We also want to ensure that we use RSA-based key exchange. */
340 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
343 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
344 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
346 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
347 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
348 == client_keylog_callback))
350 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
351 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
352 == server_keylog_callback))
355 /* Now do a handshake and check that the logs have been written to. */
356 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
357 &clientssl, NULL, NULL))
358 || !TEST_true(create_ssl_connection(serverssl, clientssl,
360 || !TEST_false(error_writing_log)
361 || !TEST_int_gt(client_log_buffer_index, 0)
362 || !TEST_int_gt(server_log_buffer_index, 0))
366 * Now we want to test that our output data was vaguely sensible. We
367 * do that by using strtok and confirming that we have more or less the
368 * data we expect. For both client and server, we expect to see one master
369 * secret. The client should also see a RSA key exchange.
371 expected.rsa_key_exchange_count = 1;
372 expected.master_secret_count = 1;
373 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
374 SSL_get_session(clientssl), &expected)))
377 expected.rsa_key_exchange_count = 0;
378 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
379 SSL_get_session(serverssl), &expected)))
394 #ifndef OPENSSL_NO_TLS1_3
395 static int test_keylog_no_master_key(void)
397 SSL_CTX *cctx = NULL, *sctx = NULL;
398 SSL *clientssl = NULL, *serverssl = NULL;
399 SSL_SESSION *sess = NULL;
401 struct sslapitest_log_counts expected = {0};
402 unsigned char buf[1];
403 size_t readbytes, written;
405 /* Clean up logging space */
406 memset(client_log_buffer, 0, sizeof(client_log_buffer));
407 memset(server_log_buffer, 0, sizeof(server_log_buffer));
408 client_log_buffer_index = 0;
409 server_log_buffer_index = 0;
410 error_writing_log = 0;
412 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
413 TLS1_VERSION, TLS_MAX_VERSION,
414 &sctx, &cctx, cert, privkey))
415 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
416 SSL3_RT_MAX_PLAIN_LENGTH)))
419 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
420 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
423 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
424 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
425 == client_keylog_callback))
428 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
429 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
430 == server_keylog_callback))
433 /* Now do a handshake and check that the logs have been written to. */
434 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
435 &clientssl, NULL, NULL))
436 || !TEST_true(create_ssl_connection(serverssl, clientssl,
438 || !TEST_false(error_writing_log))
442 * Now we want to test that our output data was vaguely sensible. For this
443 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
444 * TLSv1.3, but we do expect both client and server to emit keys.
446 expected.client_handshake_secret_count = 1;
447 expected.server_handshake_secret_count = 1;
448 expected.client_application_secret_count = 1;
449 expected.server_application_secret_count = 1;
450 expected.exporter_secret_count = 1;
451 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
452 SSL_get_session(clientssl), &expected))
453 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
454 SSL_get_session(serverssl),
458 /* Terminate old session and resume with early data. */
459 sess = SSL_get1_session(clientssl);
460 SSL_shutdown(clientssl);
461 SSL_shutdown(serverssl);
464 serverssl = clientssl = NULL;
467 memset(client_log_buffer, 0, sizeof(client_log_buffer));
468 memset(server_log_buffer, 0, sizeof(server_log_buffer));
469 client_log_buffer_index = 0;
470 server_log_buffer_index = 0;
472 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
473 &clientssl, NULL, NULL))
474 || !TEST_true(SSL_set_session(clientssl, sess))
475 /* Here writing 0 length early data is enough. */
476 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
477 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
479 SSL_READ_EARLY_DATA_ERROR)
480 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
481 SSL_EARLY_DATA_ACCEPTED)
482 || !TEST_true(create_ssl_connection(serverssl, clientssl,
484 || !TEST_true(SSL_session_reused(clientssl)))
487 /* In addition to the previous entries, expect early secrets. */
488 expected.client_early_secret_count = 1;
489 expected.early_exporter_secret_count = 1;
490 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
491 SSL_get_session(clientssl), &expected))
492 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
493 SSL_get_session(serverssl),
500 SSL_SESSION_free(sess);
510 #ifndef OPENSSL_NO_TLS1_2
511 static int full_client_hello_callback(SSL *s, int *al, void *arg)
514 const unsigned char *p;
516 /* We only configure two ciphers, but the SCSV is added automatically. */
518 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
520 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
523 const int expected_extensions[] = {
524 #ifndef OPENSSL_NO_EC
530 /* Make sure we can defer processing and get called back. */
532 return SSL_CLIENT_HELLO_RETRY;
534 len = SSL_client_hello_get0_ciphers(s, &p);
535 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
537 SSL_client_hello_get0_compression_methods(s, &p), 1)
538 || !TEST_int_eq(*p, 0))
539 return SSL_CLIENT_HELLO_ERROR;
540 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
541 return SSL_CLIENT_HELLO_ERROR;
542 if (len != OSSL_NELEM(expected_extensions) ||
543 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
544 printf("ClientHello callback expected extensions mismatch\n");
546 return SSL_CLIENT_HELLO_ERROR;
549 return SSL_CLIENT_HELLO_SUCCESS;
552 static int test_client_hello_cb(void)
554 SSL_CTX *cctx = NULL, *sctx = NULL;
555 SSL *clientssl = NULL, *serverssl = NULL;
556 int testctr = 0, testresult = 0;
558 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
559 TLS1_VERSION, TLS_MAX_VERSION,
560 &sctx, &cctx, cert, privkey)))
562 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
564 /* The gimpy cipher list we configure can't do TLS 1.3. */
565 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
567 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
568 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
569 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
570 &clientssl, NULL, NULL))
571 || !TEST_false(create_ssl_connection(serverssl, clientssl,
572 SSL_ERROR_WANT_CLIENT_HELLO_CB))
574 * Passing a -1 literal is a hack since
575 * the real value was lost.
577 || !TEST_int_eq(SSL_get_error(serverssl, -1),
578 SSL_ERROR_WANT_CLIENT_HELLO_CB)
579 || !TEST_true(create_ssl_connection(serverssl, clientssl,
595 * Very focused test to exercise a single case in the server-side state
596 * machine, when the ChangeCipherState message needs to actually change
597 * from one cipher to a different cipher (i.e., not changing from null
598 * encryption to real encryption).
600 static int test_ccs_change_cipher(void)
602 SSL_CTX *cctx = NULL, *sctx = NULL;
603 SSL *clientssl = NULL, *serverssl = NULL;
604 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
611 * Create a conection so we can resume and potentially (but not) use
612 * a different cipher in the second connection.
614 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
616 TLS1_VERSION, TLS1_2_VERSION,
617 &sctx, &cctx, cert, privkey))
618 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
619 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
621 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
622 || !TEST_true(create_ssl_connection(serverssl, clientssl,
624 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
625 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
628 shutdown_ssl_connection(serverssl, clientssl);
629 serverssl = clientssl = NULL;
631 /* Resume, preferring a different cipher. Our server will force the
632 * same cipher to be used as the initial handshake. */
633 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
635 || !TEST_true(SSL_set_session(clientssl, sess))
636 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
637 || !TEST_true(create_ssl_connection(serverssl, clientssl,
639 || !TEST_true(SSL_session_reused(clientssl))
640 || !TEST_true(SSL_session_reused(serverssl))
641 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
642 || !TEST_ptr_eq(sesspre, sesspost)
643 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
644 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
646 shutdown_ssl_connection(serverssl, clientssl);
647 serverssl = clientssl = NULL;
650 * Now create a fresh connection and try to renegotiate a different
653 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
655 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
656 || !TEST_true(create_ssl_connection(serverssl, clientssl,
658 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
659 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
660 || !TEST_true(SSL_renegotiate(clientssl))
661 || !TEST_true(SSL_renegotiate_pending(clientssl)))
663 /* Actually drive the renegotiation. */
664 for (i = 0; i < 3; i++) {
665 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
666 if (!TEST_ulong_eq(readbytes, 0))
668 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
669 SSL_ERROR_WANT_READ)) {
672 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
673 if (!TEST_ulong_eq(readbytes, 0))
675 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
676 SSL_ERROR_WANT_READ)) {
680 /* sesspre and sesspost should be different since the cipher changed. */
681 if (!TEST_false(SSL_renegotiate_pending(clientssl))
682 || !TEST_false(SSL_session_reused(clientssl))
683 || !TEST_false(SSL_session_reused(serverssl))
684 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
685 || !TEST_ptr_ne(sesspre, sesspost)
686 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
687 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
690 shutdown_ssl_connection(serverssl, clientssl);
691 serverssl = clientssl = NULL;
700 SSL_SESSION_free(sess);
706 static int execute_test_large_message(const SSL_METHOD *smeth,
707 const SSL_METHOD *cmeth,
708 int min_version, int max_version,
711 SSL_CTX *cctx = NULL, *sctx = NULL;
712 SSL *clientssl = NULL, *serverssl = NULL;
716 X509 *chaincert = NULL;
719 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
721 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
724 if (!TEST_ptr(chaincert))
727 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
728 &sctx, &cctx, cert, privkey)))
733 * Test that read_ahead works correctly when dealing with large
736 SSL_CTX_set_read_ahead(cctx, 1);
740 * We assume the supplied certificate is big enough so that if we add
741 * NUM_EXTRA_CERTS it will make the overall message large enough. The
742 * default buffer size is requested to be 16k, but due to the way BUF_MEM
743 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
744 * test we need to have a message larger than that.
746 certlen = i2d_X509(chaincert, NULL);
747 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
748 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
749 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
750 if (!X509_up_ref(chaincert))
752 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
753 X509_free(chaincert);
758 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
760 || !TEST_true(create_ssl_connection(serverssl, clientssl,
765 * Calling SSL_clear() first is not required but this tests that SSL_clear()
766 * doesn't leak (when using enable-crypto-mdebug).
768 if (!TEST_true(SSL_clear(serverssl)))
773 X509_free(chaincert);
782 static int test_large_message_tls(void)
784 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
785 TLS1_VERSION, TLS_MAX_VERSION,
789 static int test_large_message_tls_read_ahead(void)
791 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
792 TLS1_VERSION, TLS_MAX_VERSION,
796 #ifndef OPENSSL_NO_DTLS
797 static int test_large_message_dtls(void)
800 * read_ahead is not relevant to DTLS because DTLS always acts as if
803 return execute_test_large_message(DTLS_server_method(),
804 DTLS_client_method(),
805 DTLS1_VERSION, DTLS_MAX_VERSION,
810 #ifndef OPENSSL_NO_OCSP
811 static int ocsp_server_cb(SSL *s, void *arg)
813 int *argi = (int *)arg;
814 unsigned char *copy = NULL;
815 STACK_OF(OCSP_RESPID) *ids = NULL;
816 OCSP_RESPID *id = NULL;
819 /* In this test we are expecting exactly 1 OCSP_RESPID */
820 SSL_get_tlsext_status_ids(s, &ids);
821 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
822 return SSL_TLSEXT_ERR_ALERT_FATAL;
824 id = sk_OCSP_RESPID_value(ids, 0);
825 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
826 return SSL_TLSEXT_ERR_ALERT_FATAL;
827 } else if (*argi != 1) {
828 return SSL_TLSEXT_ERR_ALERT_FATAL;
831 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
832 return SSL_TLSEXT_ERR_ALERT_FATAL;
834 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
835 ocsp_server_called = 1;
836 return SSL_TLSEXT_ERR_OK;
839 static int ocsp_client_cb(SSL *s, void *arg)
841 int *argi = (int *)arg;
842 const unsigned char *respderin;
845 if (*argi != 1 && *argi != 2)
848 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
849 if (!TEST_mem_eq(orespder, len, respderin, len))
852 ocsp_client_called = 1;
856 static int test_tlsext_status_type(void)
858 SSL_CTX *cctx = NULL, *sctx = NULL;
859 SSL *clientssl = NULL, *serverssl = NULL;
861 STACK_OF(OCSP_RESPID) *ids = NULL;
862 OCSP_RESPID *id = NULL;
865 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
866 TLS1_VERSION, TLS_MAX_VERSION,
867 &sctx, &cctx, cert, privkey))
870 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
873 /* First just do various checks getting and setting tlsext_status_type */
875 clientssl = SSL_new(cctx);
876 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
877 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
878 TLSEXT_STATUSTYPE_ocsp))
879 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
880 TLSEXT_STATUSTYPE_ocsp))
886 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
887 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
890 clientssl = SSL_new(cctx);
891 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
897 * Now actually do a handshake and check OCSP information is exchanged and
898 * the callbacks get called
900 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
901 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
902 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
903 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
905 &clientssl, NULL, NULL))
906 || !TEST_true(create_ssl_connection(serverssl, clientssl,
908 || !TEST_true(ocsp_client_called)
909 || !TEST_true(ocsp_server_called))
916 /* Try again but this time force the server side callback to fail */
917 ocsp_client_called = 0;
918 ocsp_server_called = 0;
920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
921 &clientssl, NULL, NULL))
922 /* This should fail because the callback will fail */
923 || !TEST_false(create_ssl_connection(serverssl, clientssl,
925 || !TEST_false(ocsp_client_called)
926 || !TEST_false(ocsp_server_called))
934 * This time we'll get the client to send an OCSP_RESPID that it will
937 ocsp_client_called = 0;
938 ocsp_server_called = 0;
940 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
941 &clientssl, NULL, NULL)))
945 * We'll just use any old cert for this test - it doesn't have to be an OCSP
946 * specific one. We'll use the server cert.
948 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
949 || !TEST_ptr(id = OCSP_RESPID_new())
950 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
951 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
953 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
954 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
957 SSL_set_tlsext_status_ids(clientssl, ids);
958 /* Control has been transferred */
964 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
966 || !TEST_true(ocsp_client_called)
967 || !TEST_true(ocsp_server_called))
977 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
978 OCSP_RESPID_free(id);
987 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
988 static int new_called, remove_called, get_called;
990 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
994 * sess has been up-refed for us, but we don't actually need it so free it
997 SSL_SESSION_free(sess);
1001 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1006 static SSL_SESSION *get_sess_val = NULL;
1008 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1013 return get_sess_val;
1016 static int execute_test_session(int maxprot, int use_int_cache,
1019 SSL_CTX *sctx = NULL, *cctx = NULL;
1020 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1021 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1022 # ifndef OPENSSL_NO_TLS1_1
1023 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1025 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1026 int testresult = 0, numnewsesstick = 1;
1028 new_called = remove_called = 0;
1030 /* TLSv1.3 sends 2 NewSessionTickets */
1031 if (maxprot == TLS1_3_VERSION)
1034 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1035 TLS1_VERSION, TLS_MAX_VERSION,
1036 &sctx, &cctx, cert, privkey)))
1040 * Only allow the max protocol version so we can force a connection failure
1043 SSL_CTX_set_min_proto_version(cctx, maxprot);
1044 SSL_CTX_set_max_proto_version(cctx, maxprot);
1046 /* Set up session cache */
1047 if (use_ext_cache) {
1048 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1049 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1051 if (use_int_cache) {
1052 /* Also covers instance where both are set */
1053 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1055 SSL_CTX_set_session_cache_mode(cctx,
1056 SSL_SESS_CACHE_CLIENT
1057 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1060 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1062 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1064 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1067 /* Should fail because it should already be in the cache */
1068 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1071 && (!TEST_int_eq(new_called, numnewsesstick)
1073 || !TEST_int_eq(remove_called, 0)))
1076 new_called = remove_called = 0;
1077 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1078 &clientssl2, NULL, NULL))
1079 || !TEST_true(SSL_set_session(clientssl2, sess1))
1080 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1082 || !TEST_true(SSL_session_reused(clientssl2)))
1085 if (maxprot == TLS1_3_VERSION) {
1087 * In TLSv1.3 we should have created a new session even though we have
1088 * resumed. Since we attempted a resume we should also have removed the
1089 * old ticket from the cache so that we try to only use tickets once.
1092 && (!TEST_int_eq(new_called, 1)
1093 || !TEST_int_eq(remove_called, 1)))
1097 * In TLSv1.2 we expect to have resumed so no sessions added or
1101 && (!TEST_int_eq(new_called, 0)
1102 || !TEST_int_eq(remove_called, 0)))
1106 SSL_SESSION_free(sess1);
1107 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1109 shutdown_ssl_connection(serverssl2, clientssl2);
1110 serverssl2 = clientssl2 = NULL;
1112 new_called = remove_called = 0;
1113 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1114 &clientssl2, NULL, NULL))
1115 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1119 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1123 && (!TEST_int_eq(new_called, numnewsesstick)
1124 || !TEST_int_eq(remove_called, 0)))
1127 new_called = remove_called = 0;
1129 * This should clear sess2 from the cache because it is a "bad" session.
1130 * See SSL_set_session() documentation.
1132 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1135 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1137 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1140 if (use_int_cache) {
1141 /* Should succeeded because it should not already be in the cache */
1142 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1143 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1147 new_called = remove_called = 0;
1148 /* This shouldn't be in the cache so should fail */
1149 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1153 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1156 # if !defined(OPENSSL_NO_TLS1_1)
1157 new_called = remove_called = 0;
1158 /* Force a connection failure */
1159 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1160 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1161 &clientssl3, NULL, NULL))
1162 || !TEST_true(SSL_set_session(clientssl3, sess1))
1163 /* This should fail because of the mismatched protocol versions */
1164 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1168 /* We should have automatically removed the session from the cache */
1170 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1173 /* Should succeed because it should not already be in the cache */
1174 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1178 /* Now do some tests for server side caching */
1179 if (use_ext_cache) {
1180 SSL_CTX_sess_set_new_cb(cctx, NULL);
1181 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1182 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1183 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1184 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1185 get_sess_val = NULL;
1188 SSL_CTX_set_session_cache_mode(cctx, 0);
1189 /* Internal caching is the default on the server side */
1191 SSL_CTX_set_session_cache_mode(sctx,
1192 SSL_SESS_CACHE_SERVER
1193 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1195 SSL_free(serverssl1);
1196 SSL_free(clientssl1);
1197 serverssl1 = clientssl1 = NULL;
1198 SSL_free(serverssl2);
1199 SSL_free(clientssl2);
1200 serverssl2 = clientssl2 = NULL;
1201 SSL_SESSION_free(sess1);
1203 SSL_SESSION_free(sess2);
1206 SSL_CTX_set_max_proto_version(sctx, maxprot);
1207 if (maxprot == TLS1_2_VERSION)
1208 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1209 new_called = remove_called = get_called = 0;
1210 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1212 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1214 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1215 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1218 if (use_int_cache) {
1219 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1221 * In TLSv1.3 it should not have been added to the internal cache,
1222 * except in the case where we also have an external cache (in that
1223 * case it gets added to the cache in order to generate remove
1224 * events after timeout).
1226 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1229 /* Should fail because it should already be in the cache */
1230 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1235 if (use_ext_cache) {
1236 SSL_SESSION *tmp = sess2;
1238 if (!TEST_int_eq(new_called, numnewsesstick)
1239 || !TEST_int_eq(remove_called, 0)
1240 || !TEST_int_eq(get_called, 0))
1243 * Delete the session from the internal cache to force a lookup from
1244 * the external cache. We take a copy first because
1245 * SSL_CTX_remove_session() also marks the session as non-resumable.
1247 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1248 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1249 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1251 SSL_SESSION_free(sess2);
1256 new_called = remove_called = get_called = 0;
1257 get_sess_val = sess2;
1258 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1259 &clientssl2, NULL, NULL))
1260 || !TEST_true(SSL_set_session(clientssl2, sess1))
1261 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1263 || !TEST_true(SSL_session_reused(clientssl2)))
1266 if (use_ext_cache) {
1267 if (!TEST_int_eq(remove_called, 0))
1270 if (maxprot == TLS1_3_VERSION) {
1271 if (!TEST_int_eq(new_called, 1)
1272 || !TEST_int_eq(get_called, 0))
1275 if (!TEST_int_eq(new_called, 0)
1276 || !TEST_int_eq(get_called, 1))
1284 SSL_free(serverssl1);
1285 SSL_free(clientssl1);
1286 SSL_free(serverssl2);
1287 SSL_free(clientssl2);
1288 # ifndef OPENSSL_NO_TLS1_1
1289 SSL_free(serverssl3);
1290 SSL_free(clientssl3);
1292 SSL_SESSION_free(sess1);
1293 SSL_SESSION_free(sess2);
1299 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1301 static int test_session_with_only_int_cache(void)
1303 #ifndef OPENSSL_NO_TLS1_3
1304 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1308 #ifndef OPENSSL_NO_TLS1_2
1309 return execute_test_session(TLS1_2_VERSION, 1, 0);
1315 static int test_session_with_only_ext_cache(void)
1317 #ifndef OPENSSL_NO_TLS1_3
1318 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1322 #ifndef OPENSSL_NO_TLS1_2
1323 return execute_test_session(TLS1_2_VERSION, 0, 1);
1329 static int test_session_with_both_cache(void)
1331 #ifndef OPENSSL_NO_TLS1_3
1332 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1336 #ifndef OPENSSL_NO_TLS1_2
1337 return execute_test_session(TLS1_2_VERSION, 1, 1);
1343 #ifndef OPENSSL_NO_TLS1_3
1344 static SSL_SESSION *sesscache[6];
1345 static int do_cache;
1347 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1350 sesscache[new_called] = sess;
1352 /* We don't need the reference to the session, so free it */
1353 SSL_SESSION_free(sess);
1360 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1362 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1363 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1366 /* Start handshake on the server and client */
1367 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1368 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1369 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1370 || !TEST_true(create_ssl_connection(sssl, cssl,
1377 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1380 int sess_id_ctx = 1;
1382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1383 TLS1_VERSION, TLS_MAX_VERSION, sctx,
1384 cctx, cert, privkey))
1385 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1386 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1387 (void *)&sess_id_ctx,
1388 sizeof(sess_id_ctx))))
1392 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1394 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1395 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1396 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1401 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1403 SSL *serverssl = NULL, *clientssl = NULL;
1406 /* Test that we can resume with all the tickets we got given */
1407 for (i = 0; i < idx * 2; i++) {
1409 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1410 &clientssl, NULL, NULL))
1411 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1414 SSL_set_post_handshake_auth(clientssl, 1);
1416 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1421 * Following a successful resumption we only get 1 ticket. After a
1422 * failed one we should get idx tickets.
1425 if (!TEST_true(SSL_session_reused(clientssl))
1426 || !TEST_int_eq(new_called, 1))
1429 if (!TEST_false(SSL_session_reused(clientssl))
1430 || !TEST_int_eq(new_called, idx))
1435 /* After a post-handshake authentication we should get 1 new ticket */
1437 && (!post_handshake_verify(serverssl, clientssl)
1438 || !TEST_int_eq(new_called, 1)))
1441 SSL_shutdown(clientssl);
1442 SSL_shutdown(serverssl);
1443 SSL_free(serverssl);
1444 SSL_free(clientssl);
1445 serverssl = clientssl = NULL;
1446 SSL_SESSION_free(sesscache[i]);
1447 sesscache[i] = NULL;
1453 SSL_free(clientssl);
1454 SSL_free(serverssl);
1458 static int test_tickets(int stateful, int idx)
1460 SSL_CTX *sctx = NULL, *cctx = NULL;
1461 SSL *serverssl = NULL, *clientssl = NULL;
1465 /* idx is the test number, but also the number of tickets we want */
1470 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1473 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1474 &clientssl, NULL, NULL)))
1477 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1479 /* Check we got the number of tickets we were expecting */
1480 || !TEST_int_eq(idx, new_called))
1483 SSL_shutdown(clientssl);
1484 SSL_shutdown(serverssl);
1485 SSL_free(serverssl);
1486 SSL_free(clientssl);
1489 clientssl = serverssl = NULL;
1493 * Now we try to resume with the tickets we previously created. The
1494 * resumption attempt is expected to fail (because we're now using a new
1495 * SSL_CTX). We should see idx number of tickets issued again.
1498 /* Stop caching sessions - just count them */
1501 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1504 if (!check_resumption(idx, sctx, cctx, 0))
1507 /* Start again with caching sessions */
1514 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1517 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1518 &clientssl, NULL, NULL)))
1521 SSL_set_post_handshake_auth(clientssl, 1);
1523 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1525 /* Check we got the number of tickets we were expecting */
1526 || !TEST_int_eq(idx, new_called))
1529 /* After a post-handshake authentication we should get new tickets issued */
1530 if (!post_handshake_verify(serverssl, clientssl)
1531 || !TEST_int_eq(idx * 2, new_called))
1534 SSL_shutdown(clientssl);
1535 SSL_shutdown(serverssl);
1536 SSL_free(serverssl);
1537 SSL_free(clientssl);
1538 serverssl = clientssl = NULL;
1540 /* Stop caching sessions - just count them */
1544 * Check we can resume with all the tickets we created. This time around the
1545 * resumptions should all be successful.
1547 if (!check_resumption(idx, sctx, cctx, 1))
1553 SSL_free(serverssl);
1554 SSL_free(clientssl);
1555 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1556 SSL_SESSION_free(sesscache[j]);
1557 sesscache[j] = NULL;
1565 static int test_stateless_tickets(int idx)
1567 return test_tickets(0, idx);
1570 static int test_stateful_tickets(int idx)
1572 return test_tickets(1, idx);
1575 static int test_psk_tickets(void)
1577 SSL_CTX *sctx = NULL, *cctx = NULL;
1578 SSL *serverssl = NULL, *clientssl = NULL;
1580 int sess_id_ctx = 1;
1582 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1583 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1585 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1586 (void *)&sess_id_ctx,
1587 sizeof(sess_id_ctx))))
1590 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1591 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1592 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1593 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1594 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1595 use_session_cb_cnt = 0;
1596 find_session_cb_cnt = 0;
1600 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1603 clientpsk = serverpsk = create_a_psk(clientssl);
1604 if (!TEST_ptr(clientpsk))
1606 SSL_SESSION_up_ref(clientpsk);
1608 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1610 || !TEST_int_eq(1, find_session_cb_cnt)
1611 || !TEST_int_eq(1, use_session_cb_cnt)
1612 /* We should always get 1 ticket when using external PSK */
1613 || !TEST_int_eq(1, new_called))
1619 SSL_free(serverssl);
1620 SSL_free(clientssl);
1623 SSL_SESSION_free(clientpsk);
1624 SSL_SESSION_free(serverpsk);
1625 clientpsk = serverpsk = NULL;
1634 #define USE_DEFAULT 3
1636 #define CONNTYPE_CONNECTION_SUCCESS 0
1637 #define CONNTYPE_CONNECTION_FAIL 1
1638 #define CONNTYPE_NO_CONNECTION 2
1640 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1641 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1642 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1643 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1645 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1648 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1649 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1650 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1652 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1669 * Tests calls to SSL_set_bio() under various conditions.
1671 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1672 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1673 * then do more tests where we create a successful connection first using our
1674 * standard connection setup functions, and then call SSL_set_bio() with
1675 * various combinations of valid BIOs or NULL. We then repeat these tests
1676 * following a failed connection. In this last case we are looking to check that
1677 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1679 static int test_ssl_set_bio(int idx)
1681 SSL_CTX *sctx = NULL, *cctx = NULL;
1684 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1685 SSL *serverssl = NULL, *clientssl = NULL;
1686 int initrbio, initwbio, newrbio, newwbio, conntype;
1689 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1697 conntype = CONNTYPE_NO_CONNECTION;
1699 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1700 initrbio = initwbio = USE_DEFAULT;
1708 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1709 TLS1_VERSION, TLS_MAX_VERSION,
1710 &sctx, &cctx, cert, privkey)))
1713 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1715 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1716 * because we reduced the number of tests in the definition of
1717 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1718 * mismatched protocol versions we will force a connection failure.
1720 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1721 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1724 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1728 if (initrbio == USE_BIO_1
1729 || initwbio == USE_BIO_1
1730 || newrbio == USE_BIO_1
1731 || newwbio == USE_BIO_1) {
1732 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1736 if (initrbio == USE_BIO_2
1737 || initwbio == USE_BIO_2
1738 || newrbio == USE_BIO_2
1739 || newwbio == USE_BIO_2) {
1740 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1744 if (initrbio != USE_DEFAULT) {
1745 setupbio(&irbio, bio1, bio2, initrbio);
1746 setupbio(&iwbio, bio1, bio2, initwbio);
1747 SSL_set_bio(clientssl, irbio, iwbio);
1750 * We want to maintain our own refs to these BIO, so do an up ref for
1751 * each BIO that will have ownership transferred in the SSL_set_bio()
1756 if (iwbio != NULL && iwbio != irbio)
1760 if (conntype != CONNTYPE_NO_CONNECTION
1761 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1763 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1766 setupbio(&nrbio, bio1, bio2, newrbio);
1767 setupbio(&nwbio, bio1, bio2, newwbio);
1770 * We will (maybe) transfer ownership again so do more up refs.
1771 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1776 && (nwbio != iwbio || nrbio != nwbio))
1780 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1783 SSL_set_bio(clientssl, nrbio, nwbio);
1792 * This test is checking that the ref counting for SSL_set_bio is correct.
1793 * If we get here and we did too many frees then we will fail in the above
1794 * functions. If we haven't done enough then this will only be detected in
1795 * a crypto-mdebug build
1797 SSL_free(serverssl);
1798 SSL_free(clientssl);
1804 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1806 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1808 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1813 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1814 || !TEST_ptr(ssl = SSL_new(ctx))
1815 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1816 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1819 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1822 * If anything goes wrong here then we could leak memory, so this will
1823 * be caught in a crypto-mdebug build
1825 BIO_push(sslbio, membio1);
1827 /* Verify changing the rbio/wbio directly does not cause leaks */
1828 if (change_bio != NO_BIO_CHANGE) {
1829 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1831 if (change_bio == CHANGE_RBIO)
1832 SSL_set0_rbio(ssl, membio2);
1834 SSL_set0_wbio(ssl, membio2);
1853 static int test_ssl_bio_pop_next_bio(void)
1855 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1858 static int test_ssl_bio_pop_ssl_bio(void)
1860 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1863 static int test_ssl_bio_change_rbio(void)
1865 return execute_test_ssl_bio(0, CHANGE_RBIO);
1868 static int test_ssl_bio_change_wbio(void)
1870 return execute_test_ssl_bio(0, CHANGE_WBIO);
1873 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1875 /* The list of sig algs */
1877 /* The length of the list */
1879 /* A sigalgs list in string format */
1880 const char *liststr;
1881 /* Whether setting the list should succeed */
1883 /* Whether creating a connection with the list should succeed */
1887 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1888 # ifndef OPENSSL_NO_EC
1889 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1890 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1892 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1893 static const int invalidlist2[] = {NID_sha256, NID_undef};
1894 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1895 static const int invalidlist4[] = {NID_sha256};
1896 static const sigalgs_list testsigalgs[] = {
1897 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1898 # ifndef OPENSSL_NO_EC
1899 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1900 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1902 {NULL, 0, "RSA+SHA256", 1, 1},
1903 # ifndef OPENSSL_NO_EC
1904 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1905 {NULL, 0, "ECDSA+SHA512", 1, 0},
1907 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1908 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1909 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1910 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1911 {NULL, 0, "RSA", 0, 0},
1912 {NULL, 0, "SHA256", 0, 0},
1913 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1914 {NULL, 0, "Invalid", 0, 0}
1917 static int test_set_sigalgs(int idx)
1919 SSL_CTX *cctx = NULL, *sctx = NULL;
1920 SSL *clientssl = NULL, *serverssl = NULL;
1922 const sigalgs_list *curr;
1925 /* Should never happen */
1926 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1929 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1930 curr = testctx ? &testsigalgs[idx]
1931 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1933 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1934 TLS1_VERSION, TLS_MAX_VERSION,
1935 &sctx, &cctx, cert, privkey)))
1939 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1940 * for TLSv1.2 for now until we add a new API.
1942 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1947 if (curr->list != NULL)
1948 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1950 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1954 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1960 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1966 &clientssl, NULL, NULL)))
1972 if (curr->list != NULL)
1973 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1975 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1978 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1987 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1995 SSL_free(serverssl);
1996 SSL_free(clientssl);
2004 #ifndef OPENSSL_NO_TLS1_3
2005 static int psk_client_cb_cnt = 0;
2006 static int psk_server_cb_cnt = 0;
2008 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2009 size_t *idlen, SSL_SESSION **sess)
2011 switch (++use_session_cb_cnt) {
2013 /* The first call should always have a NULL md */
2019 /* The second call should always have an md */
2025 /* We should only be called a maximum of twice */
2029 if (clientpsk != NULL)
2030 SSL_SESSION_up_ref(clientpsk);
2033 *id = (const unsigned char *)pskid;
2034 *idlen = strlen(pskid);
2039 #ifndef OPENSSL_NO_PSK
2040 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2041 unsigned int max_id_len,
2043 unsigned int max_psk_len)
2045 unsigned int psklen = 0;
2047 psk_client_cb_cnt++;
2049 if (strlen(pskid) + 1 > max_id_len)
2052 /* We should only ever be called a maximum of twice per connection */
2053 if (psk_client_cb_cnt > 2)
2056 if (clientpsk == NULL)
2059 /* We'll reuse the PSK we set up for TLSv1.3 */
2060 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2062 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2063 strncpy(id, pskid, max_id_len);
2067 #endif /* OPENSSL_NO_PSK */
2069 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2070 size_t identity_len, SSL_SESSION **sess)
2072 find_session_cb_cnt++;
2074 /* We should only ever be called a maximum of twice per connection */
2075 if (find_session_cb_cnt > 2)
2078 if (serverpsk == NULL)
2081 /* Identity should match that set by the client */
2082 if (strlen(srvid) != identity_len
2083 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2084 /* No PSK found, continue but without a PSK */
2089 SSL_SESSION_up_ref(serverpsk);
2095 #ifndef OPENSSL_NO_PSK
2096 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2097 unsigned char *psk, unsigned int max_psk_len)
2099 unsigned int psklen = 0;
2101 psk_server_cb_cnt++;
2103 /* We should only ever be called a maximum of twice per connection */
2104 if (find_session_cb_cnt > 2)
2107 if (serverpsk == NULL)
2110 /* Identity should match that set by the client */
2111 if (strcmp(srvid, identity) != 0) {
2115 /* We'll reuse the PSK we set up for TLSv1.3 */
2116 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2118 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2122 #endif /* OPENSSL_NO_PSK */
2124 #define MSG1 "Hello"
2125 #define MSG2 "World."
2130 #define MSG7 "message."
2132 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2133 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2136 static SSL_SESSION *create_a_psk(SSL *ssl)
2138 const SSL_CIPHER *cipher = NULL;
2139 const unsigned char key[] = {
2140 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2141 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2142 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2143 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2144 0x2c, 0x2d, 0x2e, 0x2f
2146 SSL_SESSION *sess = NULL;
2148 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2149 sess = SSL_SESSION_new();
2151 || !TEST_ptr(cipher)
2152 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2154 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2156 SSL_SESSION_set_protocol_version(sess,
2158 SSL_SESSION_free(sess);
2165 * Helper method to setup objects for early data test. Caller frees objects on
2168 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2169 SSL **serverssl, SSL_SESSION **sess, int idx)
2172 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2173 TLS_client_method(),
2174 TLS1_VERSION, TLS_MAX_VERSION,
2175 sctx, cctx, cert, privkey)))
2178 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2182 /* When idx == 1 we repeat the tests with read_ahead set */
2183 SSL_CTX_set_read_ahead(*cctx, 1);
2184 SSL_CTX_set_read_ahead(*sctx, 1);
2185 } else if (idx == 2) {
2186 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2187 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2188 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2189 use_session_cb_cnt = 0;
2190 find_session_cb_cnt = 0;
2194 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2199 * For one of the run throughs (doesn't matter which one), we'll try sending
2200 * some SNI data in the initial ClientHello. This will be ignored (because
2201 * there is no SNI cb set up by the server), so it should not impact
2205 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2209 clientpsk = create_a_psk(*clientssl);
2210 if (!TEST_ptr(clientpsk)
2212 * We just choose an arbitrary value for max_early_data which
2213 * should be big enough for testing purposes.
2215 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2217 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2218 SSL_SESSION_free(clientpsk);
2222 serverpsk = clientpsk;
2225 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2226 SSL_SESSION_free(clientpsk);
2227 SSL_SESSION_free(serverpsk);
2228 clientpsk = serverpsk = NULL;
2239 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2243 *sess = SSL_get1_session(*clientssl);
2244 SSL_shutdown(*clientssl);
2245 SSL_shutdown(*serverssl);
2246 SSL_free(*serverssl);
2247 SSL_free(*clientssl);
2248 *serverssl = *clientssl = NULL;
2250 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2251 clientssl, NULL, NULL))
2252 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2258 static int test_early_data_read_write(int idx)
2260 SSL_CTX *cctx = NULL, *sctx = NULL;
2261 SSL *clientssl = NULL, *serverssl = NULL;
2263 SSL_SESSION *sess = NULL;
2264 unsigned char buf[20], data[1024];
2265 size_t readbytes, written, eoedlen, rawread, rawwritten;
2268 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2269 &serverssl, &sess, idx)))
2272 /* Write and read some early data */
2273 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2275 || !TEST_size_t_eq(written, strlen(MSG1))
2276 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2277 sizeof(buf), &readbytes),
2278 SSL_READ_EARLY_DATA_SUCCESS)
2279 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2280 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2281 SSL_EARLY_DATA_ACCEPTED))
2285 * Server should be able to write data, and client should be able to
2288 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2290 || !TEST_size_t_eq(written, strlen(MSG2))
2291 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2292 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2295 /* Even after reading normal data, client should be able write early data */
2296 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2298 || !TEST_size_t_eq(written, strlen(MSG3)))
2301 /* Server should still be able read early data after writing data */
2302 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2304 SSL_READ_EARLY_DATA_SUCCESS)
2305 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2308 /* Write more data from server and read it from client */
2309 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2311 || !TEST_size_t_eq(written, strlen(MSG4))
2312 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2313 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2317 * If client writes normal data it should mean writing early data is no
2320 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2321 || !TEST_size_t_eq(written, strlen(MSG5))
2322 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2323 SSL_EARLY_DATA_ACCEPTED))
2327 * At this point the client has written EndOfEarlyData, ClientFinished and
2328 * normal (fully protected) data. We are going to cause a delay between the
2329 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2330 * in the read BIO, and then just put back the EndOfEarlyData message.
2332 rbio = SSL_get_rbio(serverssl);
2333 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2334 || !TEST_size_t_lt(rawread, sizeof(data))
2335 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2338 /* Record length is in the 4th and 5th bytes of the record header */
2339 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2340 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2341 || !TEST_size_t_eq(rawwritten, eoedlen))
2344 /* Server should be told that there is no more early data */
2345 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2347 SSL_READ_EARLY_DATA_FINISH)
2348 || !TEST_size_t_eq(readbytes, 0))
2352 * Server has not finished init yet, so should still be able to write early
2355 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2357 || !TEST_size_t_eq(written, strlen(MSG6)))
2360 /* Push the ClientFinished and the normal data back into the server rbio */
2361 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2363 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2366 /* Server should be able to read normal data */
2367 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2368 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2371 /* Client and server should not be able to write/read early data now */
2372 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2376 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2378 SSL_READ_EARLY_DATA_ERROR))
2382 /* Client should be able to read the data sent by the server */
2383 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2384 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2388 * Make sure we process the two NewSessionTickets. These arrive
2389 * post-handshake. We attempt reads which we do not expect to return any
2392 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2393 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2397 /* Server should be able to write normal data */
2398 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2399 || !TEST_size_t_eq(written, strlen(MSG7))
2400 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2401 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2404 SSL_SESSION_free(sess);
2405 sess = SSL_get1_session(clientssl);
2406 use_session_cb_cnt = 0;
2407 find_session_cb_cnt = 0;
2409 SSL_shutdown(clientssl);
2410 SSL_shutdown(serverssl);
2411 SSL_free(serverssl);
2412 SSL_free(clientssl);
2413 serverssl = clientssl = NULL;
2414 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2415 &clientssl, NULL, NULL))
2416 || !TEST_true(SSL_set_session(clientssl, sess)))
2419 /* Write and read some early data */
2420 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2422 || !TEST_size_t_eq(written, strlen(MSG1))
2423 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2425 SSL_READ_EARLY_DATA_SUCCESS)
2426 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2429 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2430 || !TEST_int_gt(SSL_accept(serverssl), 0))
2433 /* Client and server should not be able to write/read early data now */
2434 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2438 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2440 SSL_READ_EARLY_DATA_ERROR))
2444 /* Client and server should be able to write/read normal data */
2445 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2446 || !TEST_size_t_eq(written, strlen(MSG5))
2447 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2448 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2454 SSL_SESSION_free(sess);
2455 SSL_SESSION_free(clientpsk);
2456 SSL_SESSION_free(serverpsk);
2457 clientpsk = serverpsk = NULL;
2458 SSL_free(serverssl);
2459 SSL_free(clientssl);
2465 static int allow_ed_cb_called = 0;
2467 static int allow_early_data_cb(SSL *s, void *arg)
2469 int *usecb = (int *)arg;
2471 allow_ed_cb_called++;
2480 * idx == 0: Standard early_data setup
2481 * idx == 1: early_data setup using read_ahead
2482 * usecb == 0: Don't use a custom early data callback
2483 * usecb == 1: Use a custom early data callback and reject the early data
2484 * usecb == 2: Use a custom early data callback and accept the early data
2485 * confopt == 0: Configure anti-replay directly
2486 * confopt == 1: Configure anti-replay using SSL_CONF
2488 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2490 SSL_CTX *cctx = NULL, *sctx = NULL;
2491 SSL *clientssl = NULL, *serverssl = NULL;
2493 SSL_SESSION *sess = NULL;
2494 size_t readbytes, written;
2495 unsigned char buf[20];
2497 allow_ed_cb_called = 0;
2499 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2500 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2501 &cctx, cert, privkey)))
2506 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2508 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2510 if (!TEST_ptr(confctx))
2512 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2513 | SSL_CONF_FLAG_SERVER);
2514 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2515 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2517 SSL_CONF_CTX_free(confctx);
2520 SSL_CONF_CTX_free(confctx);
2522 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2525 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2526 &serverssl, &sess, idx)))
2530 * The server is configured to accept early data. Create a connection to
2531 * "use up" the ticket
2533 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2534 || !TEST_true(SSL_session_reused(clientssl)))
2537 SSL_shutdown(clientssl);
2538 SSL_shutdown(serverssl);
2539 SSL_free(serverssl);
2540 SSL_free(clientssl);
2541 serverssl = clientssl = NULL;
2543 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2544 &clientssl, NULL, NULL))
2545 || !TEST_true(SSL_set_session(clientssl, sess)))
2548 /* Write and read some early data */
2549 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2551 || !TEST_size_t_eq(written, strlen(MSG1)))
2555 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2557 SSL_READ_EARLY_DATA_FINISH)
2559 * The ticket was reused, so the we should have rejected the
2562 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2563 SSL_EARLY_DATA_REJECTED))
2566 /* In this case the callback decides to accept the early data */
2567 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2569 SSL_READ_EARLY_DATA_SUCCESS)
2570 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2572 * Server will have sent its flight so client can now send
2573 * end of early data and complete its half of the handshake
2575 || !TEST_int_gt(SSL_connect(clientssl), 0)
2576 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2578 SSL_READ_EARLY_DATA_FINISH)
2579 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2580 SSL_EARLY_DATA_ACCEPTED))
2584 /* Complete the connection */
2585 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2586 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2587 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2593 SSL_SESSION_free(sess);
2594 SSL_SESSION_free(clientpsk);
2595 SSL_SESSION_free(serverpsk);
2596 clientpsk = serverpsk = NULL;
2597 SSL_free(serverssl);
2598 SSL_free(clientssl);
2604 static int test_early_data_replay(int idx)
2606 int ret = 1, usecb, confopt;
2608 for (usecb = 0; usecb < 3; usecb++) {
2609 for (confopt = 0; confopt < 2; confopt++)
2610 ret &= test_early_data_replay_int(idx, usecb, confopt);
2617 * Helper function to test that a server attempting to read early data can
2618 * handle a connection from a client where the early data should be skipped.
2619 * testtype: 0 == No HRR
2620 * testtype: 1 == HRR
2621 * testtype: 2 == HRR, invalid early_data sent after HRR
2622 * testtype: 3 == recv_max_early_data set to 0
2624 static int early_data_skip_helper(int testtype, int idx)
2626 SSL_CTX *cctx = NULL, *sctx = NULL;
2627 SSL *clientssl = NULL, *serverssl = NULL;
2629 SSL_SESSION *sess = NULL;
2630 unsigned char buf[20];
2631 size_t readbytes, written;
2633 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2634 &serverssl, &sess, idx)))
2637 if (testtype == 1 || testtype == 2) {
2638 /* Force an HRR to occur */
2639 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2641 } else if (idx == 2) {
2643 * We force early_data rejection by ensuring the PSK identity is
2646 srvid = "Dummy Identity";
2649 * Deliberately corrupt the creation time. We take 20 seconds off the
2650 * time. It could be any value as long as it is not within tolerance.
2651 * This should mean the ticket is rejected.
2653 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2658 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2661 /* Write some early data */
2662 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2664 || !TEST_size_t_eq(written, strlen(MSG1)))
2667 /* Server should reject the early data */
2668 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2670 SSL_READ_EARLY_DATA_FINISH)
2671 || !TEST_size_t_eq(readbytes, 0)
2672 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2673 SSL_EARLY_DATA_REJECTED))
2683 * Finish off the handshake. We perform the same writes and reads as
2684 * further down but we expect them to fail due to the incomplete
2687 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2688 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2695 BIO *wbio = SSL_get_wbio(clientssl);
2696 /* A record that will appear as bad early_data */
2697 const unsigned char bad_early_data[] = {
2698 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2702 * We force the client to attempt a write. This will fail because
2703 * we're still in the handshake. It will cause the second
2704 * ClientHello to be sent.
2706 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2711 * Inject some early_data after the second ClientHello. This should
2712 * cause the server to fail
2714 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2715 sizeof(bad_early_data), &written)))
2722 * This client has sent more early_data than we are willing to skip
2723 * (case 3) or sent invalid early_data (case 2) so the connection should
2726 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2727 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2730 /* Connection has failed - nothing more to do */
2735 TEST_error("Invalid test type");
2740 * Should be able to send normal data despite rejection of early data. The
2741 * early_data should be skipped.
2743 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2744 || !TEST_size_t_eq(written, strlen(MSG2))
2745 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2746 SSL_EARLY_DATA_REJECTED)
2747 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2748 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2754 SSL_SESSION_free(clientpsk);
2755 SSL_SESSION_free(serverpsk);
2756 clientpsk = serverpsk = NULL;
2757 SSL_SESSION_free(sess);
2758 SSL_free(serverssl);
2759 SSL_free(clientssl);
2766 * Test that a server attempting to read early data can handle a connection
2767 * from a client where the early data is not acceptable.
2769 static int test_early_data_skip(int idx)
2771 return early_data_skip_helper(0, idx);
2775 * Test that a server attempting to read early data can handle a connection
2776 * from a client where an HRR occurs.
2778 static int test_early_data_skip_hrr(int idx)
2780 return early_data_skip_helper(1, idx);
2784 * Test that a server attempting to read early data can handle a connection
2785 * from a client where an HRR occurs and correctly fails if early_data is sent
2788 static int test_early_data_skip_hrr_fail(int idx)
2790 return early_data_skip_helper(2, idx);
2794 * Test that a server attempting to read early data will abort if it tries to
2795 * skip over too much.
2797 static int test_early_data_skip_abort(int idx)
2799 return early_data_skip_helper(3, idx);
2803 * Test that a server attempting to read early data can handle a connection
2804 * from a client that doesn't send any.
2806 static int test_early_data_not_sent(int idx)
2808 SSL_CTX *cctx = NULL, *sctx = NULL;
2809 SSL *clientssl = NULL, *serverssl = NULL;
2811 SSL_SESSION *sess = NULL;
2812 unsigned char buf[20];
2813 size_t readbytes, written;
2815 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2816 &serverssl, &sess, idx)))
2819 /* Write some data - should block due to handshake with server */
2820 SSL_set_connect_state(clientssl);
2821 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2824 /* Server should detect that early data has not been sent */
2825 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2827 SSL_READ_EARLY_DATA_FINISH)
2828 || !TEST_size_t_eq(readbytes, 0)
2829 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2830 SSL_EARLY_DATA_NOT_SENT)
2831 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2832 SSL_EARLY_DATA_NOT_SENT))
2835 /* Continue writing the message we started earlier */
2836 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2837 || !TEST_size_t_eq(written, strlen(MSG1))
2838 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2839 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2840 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2841 || !TEST_size_t_eq(written, strlen(MSG2)))
2844 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2845 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2851 SSL_SESSION_free(sess);
2852 SSL_SESSION_free(clientpsk);
2853 SSL_SESSION_free(serverpsk);
2854 clientpsk = serverpsk = NULL;
2855 SSL_free(serverssl);
2856 SSL_free(clientssl);
2862 static const char *servalpn;
2864 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2865 unsigned char *outlen, const unsigned char *in,
2866 unsigned int inlen, void *arg)
2868 unsigned int protlen = 0;
2869 const unsigned char *prot;
2871 for (prot = in; prot < in + inlen; prot += protlen) {
2873 if (in + inlen < prot + protlen)
2874 return SSL_TLSEXT_ERR_NOACK;
2876 if (protlen == strlen(servalpn)
2877 && memcmp(prot, servalpn, protlen) == 0) {
2880 return SSL_TLSEXT_ERR_OK;
2884 return SSL_TLSEXT_ERR_NOACK;
2887 /* Test that a PSK can be used to send early_data */
2888 static int test_early_data_psk(int idx)
2890 SSL_CTX *cctx = NULL, *sctx = NULL;
2891 SSL *clientssl = NULL, *serverssl = NULL;
2893 SSL_SESSION *sess = NULL;
2894 unsigned char alpnlist[] = {
2895 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2898 #define GOODALPNLEN 9
2899 #define BADALPNLEN 8
2900 #define GOODALPN (alpnlist)
2901 #define BADALPN (alpnlist + GOODALPNLEN)
2903 unsigned char buf[20];
2904 size_t readbytes, written;
2905 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2906 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2908 /* We always set this up with a final parameter of "2" for PSK */
2909 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2910 &serverssl, &sess, 2)))
2913 servalpn = "goodalpn";
2916 * Note: There is no test for inconsistent SNI with late client detection.
2917 * This is because servers do not acknowledge SNI even if they are using
2918 * it in a resumption handshake - so it is not actually possible for a
2919 * client to detect a problem.
2923 /* Set inconsistent SNI (early client detection) */
2924 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2925 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2926 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2931 /* Set inconsistent ALPN (early client detection) */
2932 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2933 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2934 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2936 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2943 * Set invalid protocol version. Technically this affects PSKs without
2944 * early_data too, but we test it here because it is similar to the
2945 * SNI/ALPN consistency tests.
2947 err = SSL_R_BAD_PSK;
2948 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2954 * Set inconsistent SNI (server side). In this case the connection
2955 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
2956 * is associated with each handshake - not the session. Therefore it
2957 * should not matter that we used a different server name last time.
2959 SSL_SESSION_free(serverpsk);
2960 serverpsk = SSL_SESSION_dup(clientpsk);
2961 if (!TEST_ptr(serverpsk)
2962 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2966 /* Set consistent SNI */
2967 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2968 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2969 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2976 * Set inconsistent ALPN (server detected). In this case the connection
2977 * will succeed but reject early_data.
2979 servalpn = "badalpn";
2980 edstatus = SSL_EARLY_DATA_REJECTED;
2981 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2985 * Set consistent ALPN.
2986 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2987 * accepts a list of protos (each one length prefixed).
2988 * SSL_set1_alpn_selected accepts a single protocol (not length
2991 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2993 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2997 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3001 /* Set inconsistent ALPN (late client detection) */
3002 SSL_SESSION_free(serverpsk);
3003 serverpsk = SSL_SESSION_dup(clientpsk);
3004 if (!TEST_ptr(serverpsk)
3005 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3008 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3011 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3014 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3015 edstatus = SSL_EARLY_DATA_ACCEPTED;
3016 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3017 /* SSL_connect() call should fail */
3022 TEST_error("Bad test index");
3026 SSL_set_connect_state(clientssl);
3028 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3030 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3031 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3034 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3038 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3039 &readbytes), readearlyres)
3040 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3041 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3042 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3043 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3050 SSL_SESSION_free(sess);
3051 SSL_SESSION_free(clientpsk);
3052 SSL_SESSION_free(serverpsk);
3053 clientpsk = serverpsk = NULL;
3054 SSL_free(serverssl);
3055 SSL_free(clientssl);
3062 * Test that a server that doesn't try to read early data can handle a
3063 * client sending some.
3065 static int test_early_data_not_expected(int idx)
3067 SSL_CTX *cctx = NULL, *sctx = NULL;
3068 SSL *clientssl = NULL, *serverssl = NULL;
3070 SSL_SESSION *sess = NULL;
3071 unsigned char buf[20];
3072 size_t readbytes, written;
3074 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3075 &serverssl, &sess, idx)))
3078 /* Write some early data */
3079 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3084 * Server should skip over early data and then block waiting for client to
3085 * continue handshake
3087 if (!TEST_int_le(SSL_accept(serverssl), 0)
3088 || !TEST_int_gt(SSL_connect(clientssl), 0)
3089 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3090 SSL_EARLY_DATA_REJECTED)
3091 || !TEST_int_gt(SSL_accept(serverssl), 0)
3092 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3093 SSL_EARLY_DATA_REJECTED))
3096 /* Send some normal data from client to server */
3097 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3098 || !TEST_size_t_eq(written, strlen(MSG2)))
3101 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3102 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3108 SSL_SESSION_free(sess);
3109 SSL_SESSION_free(clientpsk);
3110 SSL_SESSION_free(serverpsk);
3111 clientpsk = serverpsk = NULL;
3112 SSL_free(serverssl);
3113 SSL_free(clientssl);
3120 # ifndef OPENSSL_NO_TLS1_2
3122 * Test that a server attempting to read early data can handle a connection
3123 * from a TLSv1.2 client.
3125 static int test_early_data_tls1_2(int idx)
3127 SSL_CTX *cctx = NULL, *sctx = NULL;
3128 SSL *clientssl = NULL, *serverssl = NULL;
3130 unsigned char buf[20];
3131 size_t readbytes, written;
3133 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3134 &serverssl, NULL, idx)))
3137 /* Write some data - should block due to handshake with server */
3138 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3139 SSL_set_connect_state(clientssl);
3140 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3144 * Server should do TLSv1.2 handshake. First it will block waiting for more
3145 * messages from client after ServerDone. Then SSL_read_early_data should
3146 * finish and detect that early data has not been sent
3148 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3150 SSL_READ_EARLY_DATA_ERROR))
3154 * Continue writing the message we started earlier. Will still block waiting
3155 * for the CCS/Finished from server
3157 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3158 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3160 SSL_READ_EARLY_DATA_FINISH)
3161 || !TEST_size_t_eq(readbytes, 0)
3162 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3163 SSL_EARLY_DATA_NOT_SENT))
3166 /* Continue writing the message we started earlier */
3167 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3168 || !TEST_size_t_eq(written, strlen(MSG1))
3169 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3170 SSL_EARLY_DATA_NOT_SENT)
3171 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3172 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3173 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3174 || !TEST_size_t_eq(written, strlen(MSG2))
3175 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3176 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3182 SSL_SESSION_free(clientpsk);
3183 SSL_SESSION_free(serverpsk);
3184 clientpsk = serverpsk = NULL;
3185 SSL_free(serverssl);
3186 SSL_free(clientssl);
3192 # endif /* OPENSSL_NO_TLS1_2 */
3195 * Test configuring the TLSv1.3 ciphersuites
3197 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3198 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3199 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3200 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3201 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3202 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3203 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3204 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3205 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3206 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3208 static int test_set_ciphersuite(int idx)
3210 SSL_CTX *cctx = NULL, *sctx = NULL;
3211 SSL *clientssl = NULL, *serverssl = NULL;
3214 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3215 TLS1_VERSION, TLS_MAX_VERSION,
3216 &sctx, &cctx, cert, privkey))
3217 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3218 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3221 if (idx >=4 && idx <= 7) {
3222 /* SSL_CTX explicit cipher list */
3223 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3227 if (idx == 0 || idx == 4) {
3228 /* Default ciphersuite */
3229 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3230 "TLS_AES_128_GCM_SHA256")))
3232 } else if (idx == 1 || idx == 5) {
3233 /* Non default ciphersuite */
3234 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3235 "TLS_AES_128_CCM_SHA256")))
3239 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3240 &clientssl, NULL, NULL)))
3243 if (idx == 8 || idx == 9) {
3244 /* SSL explicit cipher list */
3245 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3249 if (idx == 2 || idx == 6 || idx == 8) {
3250 /* Default ciphersuite */
3251 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3252 "TLS_AES_128_GCM_SHA256")))
3254 } else if (idx == 3 || idx == 7 || idx == 9) {
3255 /* Non default ciphersuite */
3256 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3257 "TLS_AES_128_CCM_SHA256")))
3261 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3267 SSL_free(serverssl);
3268 SSL_free(clientssl);
3275 static int test_ciphersuite_change(void)
3277 SSL_CTX *cctx = NULL, *sctx = NULL;
3278 SSL *clientssl = NULL, *serverssl = NULL;
3279 SSL_SESSION *clntsess = NULL;
3281 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3283 /* Create a session based on SHA-256 */
3284 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3285 TLS1_VERSION, TLS_MAX_VERSION,
3286 &sctx, &cctx, cert, privkey))
3287 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3288 "TLS_AES_128_GCM_SHA256"))
3289 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3290 &clientssl, NULL, NULL))
3291 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3295 clntsess = SSL_get1_session(clientssl);
3296 /* Save for later */
3297 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3298 SSL_shutdown(clientssl);
3299 SSL_shutdown(serverssl);
3300 SSL_free(serverssl);
3301 SSL_free(clientssl);
3302 serverssl = clientssl = NULL;
3304 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3305 /* Check we can resume a session with a different SHA-256 ciphersuite */
3306 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3307 "TLS_CHACHA20_POLY1305_SHA256"))
3308 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3310 || !TEST_true(SSL_set_session(clientssl, clntsess))
3311 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3313 || !TEST_true(SSL_session_reused(clientssl)))
3316 SSL_SESSION_free(clntsess);
3317 clntsess = SSL_get1_session(clientssl);
3318 SSL_shutdown(clientssl);
3319 SSL_shutdown(serverssl);
3320 SSL_free(serverssl);
3321 SSL_free(clientssl);
3322 serverssl = clientssl = NULL;
3326 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3327 * succeeds but does not resume.
3329 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3330 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3332 || !TEST_true(SSL_set_session(clientssl, clntsess))
3333 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3335 || !TEST_false(SSL_session_reused(clientssl)))
3338 SSL_SESSION_free(clntsess);
3340 SSL_shutdown(clientssl);
3341 SSL_shutdown(serverssl);
3342 SSL_free(serverssl);
3343 SSL_free(clientssl);
3344 serverssl = clientssl = NULL;
3346 /* Create a session based on SHA384 */
3347 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3348 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3349 &clientssl, NULL, NULL))
3350 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3354 clntsess = SSL_get1_session(clientssl);
3355 SSL_shutdown(clientssl);
3356 SSL_shutdown(serverssl);
3357 SSL_free(serverssl);
3358 SSL_free(clientssl);
3359 serverssl = clientssl = NULL;
3361 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3362 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3363 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3364 "TLS_AES_256_GCM_SHA384"))
3365 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3367 || !TEST_true(SSL_set_session(clientssl, clntsess))
3369 * We use SSL_ERROR_WANT_READ below so that we can pause the
3370 * connection after the initial ClientHello has been sent to
3371 * enable us to make some session changes.
3373 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3374 SSL_ERROR_WANT_READ)))
3377 /* Trick the client into thinking this session is for a different digest */
3378 clntsess->cipher = aes_128_gcm_sha256;
3379 clntsess->cipher_id = clntsess->cipher->id;
3382 * Continue the previously started connection. Server has selected a SHA-384
3383 * ciphersuite, but client thinks the session is for SHA-256, so it should
3386 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3388 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3389 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3395 SSL_SESSION_free(clntsess);
3396 SSL_free(serverssl);
3397 SSL_free(clientssl);
3405 * Test TLSv1.3 Cipher Suite
3406 * Test 0 = Set TLS1.3 cipher on context
3407 * Test 1 = Set TLS1.3 cipher on SSL
3408 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
3409 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
3411 static int test_tls13_ciphersuite(int idx)
3413 SSL_CTX *sctx = NULL, *cctx = NULL;
3414 SSL *serverssl = NULL, *clientssl = NULL;
3415 static const char *t13_ciphers[] = {
3416 TLS1_3_RFC_AES_128_GCM_SHA256,
3417 TLS1_3_RFC_AES_256_GCM_SHA384,
3418 TLS1_3_RFC_AES_128_CCM_SHA256,
3419 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3420 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3421 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3423 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
3425 const char *t13_cipher = NULL;
3426 const char *t12_cipher = NULL;
3427 const char *negotiated_scipher;
3428 const char *negotiated_ccipher;
3444 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3448 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3452 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
3453 # ifdef OPENSSL_NO_TLS1_2
3454 if (max_ver == TLS1_2_VERSION)
3457 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
3458 t13_cipher = t13_ciphers[i];
3459 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3460 TLS_client_method(),
3461 TLS1_VERSION, max_ver,
3462 &sctx, &cctx, cert, privkey)))
3466 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
3467 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
3469 if (t12_cipher != NULL) {
3470 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
3471 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
3477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3478 &clientssl, NULL, NULL)))
3482 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
3483 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
3485 if (t12_cipher != NULL) {
3486 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
3487 || !TEST_true(SSL_set_cipher_list(clientssl,
3493 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3497 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3499 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3501 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
3505 * TEST_strn_eq is used below because t13_cipher can contain
3506 * multiple ciphersuites
3508 if (max_ver == TLS1_3_VERSION
3509 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
3510 strlen(negotiated_scipher)))
3513 # ifndef OPENSSL_NO_TLS1_2
3514 /* Below validation is not done when t12_cipher is NULL */
3515 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
3516 && !TEST_str_eq(t12_cipher, negotiated_scipher))
3520 SSL_free(serverssl);
3522 SSL_free(clientssl);
3533 SSL_free(serverssl);
3534 SSL_free(clientssl);
3542 * Test 0 = Test new style callbacks
3543 * Test 1 = Test both new and old style callbacks
3544 * Test 2 = Test old style callbacks
3545 * Test 3 = Test old style callbacks with no certificate
3547 static int test_tls13_psk(int idx)
3549 SSL_CTX *sctx = NULL, *cctx = NULL;
3550 SSL *serverssl = NULL, *clientssl = NULL;
3551 const SSL_CIPHER *cipher = NULL;
3552 const unsigned char key[] = {
3553 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3554 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3555 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3556 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3560 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3561 TLS1_VERSION, TLS_MAX_VERSION,
3562 &sctx, &cctx, idx == 3 ? NULL : cert,
3563 idx == 3 ? NULL : privkey)))
3568 * We use a ciphersuite with SHA256 to ease testing old style PSK
3569 * callbacks which will always default to SHA256. This should not be
3570 * necessary if we have no cert/priv key. In that case the server should
3571 * prefer SHA256 automatically.
3573 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3574 "TLS_AES_128_GCM_SHA256")))
3579 * Test 0: New style callbacks only
3580 * Test 1: New and old style callbacks (only the new ones should be used)
3581 * Test 2: Old style callbacks only
3583 if (idx == 0 || idx == 1) {
3584 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3585 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3587 #ifndef OPENSSL_NO_PSK
3589 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3590 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3594 use_session_cb_cnt = 0;
3595 find_session_cb_cnt = 0;
3596 psk_client_cb_cnt = 0;
3597 psk_server_cb_cnt = 0;
3601 * Check we can create a connection if callback decides not to send a
3604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3606 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3608 || !TEST_false(SSL_session_reused(clientssl))
3609 || !TEST_false(SSL_session_reused(serverssl)))
3612 if (idx == 0 || idx == 1) {
3613 if (!TEST_true(use_session_cb_cnt == 1)
3614 || !TEST_true(find_session_cb_cnt == 0)
3616 * If no old style callback then below should be 0
3619 || !TEST_true(psk_client_cb_cnt == idx)
3620 || !TEST_true(psk_server_cb_cnt == 0))
3623 if (!TEST_true(use_session_cb_cnt == 0)
3624 || !TEST_true(find_session_cb_cnt == 0)
3625 || !TEST_true(psk_client_cb_cnt == 1)
3626 || !TEST_true(psk_server_cb_cnt == 0))
3630 shutdown_ssl_connection(serverssl, clientssl);
3631 serverssl = clientssl = NULL;
3632 use_session_cb_cnt = psk_client_cb_cnt = 0;
3635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3639 /* Create the PSK */
3640 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3641 clientpsk = SSL_SESSION_new();
3642 if (!TEST_ptr(clientpsk)
3643 || !TEST_ptr(cipher)
3644 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3646 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3647 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3649 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3651 serverpsk = clientpsk;
3653 /* Check we can create a connection and the PSK is used */
3654 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3655 || !TEST_true(SSL_session_reused(clientssl))
3656 || !TEST_true(SSL_session_reused(serverssl)))
3659 if (idx == 0 || idx == 1) {
3660 if (!TEST_true(use_session_cb_cnt == 1)
3661 || !TEST_true(find_session_cb_cnt == 1)
3662 || !TEST_true(psk_client_cb_cnt == 0)
3663 || !TEST_true(psk_server_cb_cnt == 0))
3666 if (!TEST_true(use_session_cb_cnt == 0)
3667 || !TEST_true(find_session_cb_cnt == 0)
3668 || !TEST_true(psk_client_cb_cnt == 1)
3669 || !TEST_true(psk_server_cb_cnt == 1))
3673 shutdown_ssl_connection(serverssl, clientssl);
3674 serverssl = clientssl = NULL;
3675 use_session_cb_cnt = find_session_cb_cnt = 0;
3676 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3678 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3683 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3687 * Check we can create a connection, the PSK is used and the callbacks are
3690 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3691 || !TEST_true(SSL_session_reused(clientssl))
3692 || !TEST_true(SSL_session_reused(serverssl)))
3695 if (idx == 0 || idx == 1) {
3696 if (!TEST_true(use_session_cb_cnt == 2)
3697 || !TEST_true(find_session_cb_cnt == 2)
3698 || !TEST_true(psk_client_cb_cnt == 0)
3699 || !TEST_true(psk_server_cb_cnt == 0))
3702 if (!TEST_true(use_session_cb_cnt == 0)
3703 || !TEST_true(find_session_cb_cnt == 0)
3704 || !TEST_true(psk_client_cb_cnt == 2)
3705 || !TEST_true(psk_server_cb_cnt == 2))
3709 shutdown_ssl_connection(serverssl, clientssl);
3710 serverssl = clientssl = NULL;
3711 use_session_cb_cnt = find_session_cb_cnt = 0;
3712 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3716 * Check that if the server rejects the PSK we can still connect, but with
3719 srvid = "Dummy Identity";
3720 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3722 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3724 || !TEST_false(SSL_session_reused(clientssl))
3725 || !TEST_false(SSL_session_reused(serverssl)))
3728 if (idx == 0 || idx == 1) {
3729 if (!TEST_true(use_session_cb_cnt == 1)
3730 || !TEST_true(find_session_cb_cnt == 1)
3731 || !TEST_true(psk_client_cb_cnt == 0)
3733 * If no old style callback then below should be 0
3736 || !TEST_true(psk_server_cb_cnt == idx))
3739 if (!TEST_true(use_session_cb_cnt == 0)
3740 || !TEST_true(find_session_cb_cnt == 0)
3741 || !TEST_true(psk_client_cb_cnt == 1)
3742 || !TEST_true(psk_server_cb_cnt == 1))
3746 shutdown_ssl_connection(serverssl, clientssl);
3747 serverssl = clientssl = NULL;
3752 SSL_SESSION_free(clientpsk);
3753 SSL_SESSION_free(serverpsk);
3754 clientpsk = serverpsk = NULL;
3755 SSL_free(serverssl);
3756 SSL_free(clientssl);
3762 static unsigned char cookie_magic_value[] = "cookie magic";
3764 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3765 unsigned int *cookie_len)
3768 * Not suitable as a real cookie generation function but good enough for
3771 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3772 *cookie_len = sizeof(cookie_magic_value) - 1;
3777 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3778 unsigned int cookie_len)
3780 if (cookie_len == sizeof(cookie_magic_value) - 1
3781 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3787 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3791 int res = generate_cookie_callback(ssl, cookie, &temp);
3796 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3799 return verify_cookie_callback(ssl, cookie, cookie_len);
3802 static int test_stateless(void)
3804 SSL_CTX *sctx = NULL, *cctx = NULL;
3805 SSL *serverssl = NULL, *clientssl = NULL;
3808 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3809 TLS1_VERSION, TLS_MAX_VERSION,
3810 &sctx, &cctx, cert, privkey)))
3813 /* The arrival of CCS messages can confuse the test */
3814 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3816 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3818 /* Send the first ClientHello */
3819 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3820 SSL_ERROR_WANT_READ))
3822 * This should fail with a -1 return because we have no callbacks
3825 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3828 /* Fatal error so abandon the connection from this client */
3829 SSL_free(clientssl);
3832 /* Set up the cookie generation and verification callbacks */
3833 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3834 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3837 * Create a new connection from the client (we can reuse the server SSL
3840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3842 /* Send the first ClientHello */
3843 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3844 SSL_ERROR_WANT_READ))
3845 /* This should fail because there is no cookie */
3846 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3849 /* Abandon the connection from this client */
3850 SSL_free(clientssl);
3854 * Now create a connection from a new client but with the same server SSL
3857 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3859 /* Send the first ClientHello */
3860 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3861 SSL_ERROR_WANT_READ))
3862 /* This should fail because there is no cookie */
3863 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3864 /* Send the second ClientHello */
3865 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3866 SSL_ERROR_WANT_READ))
3867 /* This should succeed because a cookie is now present */
3868 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3869 /* Complete the connection */
3870 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3874 shutdown_ssl_connection(serverssl, clientssl);
3875 serverssl = clientssl = NULL;
3879 SSL_free(serverssl);
3880 SSL_free(clientssl);
3886 #endif /* OPENSSL_NO_TLS1_3 */
3888 static int clntaddoldcb = 0;
3889 static int clntparseoldcb = 0;
3890 static int srvaddoldcb = 0;
3891 static int srvparseoldcb = 0;
3892 static int clntaddnewcb = 0;
3893 static int clntparsenewcb = 0;
3894 static int srvaddnewcb = 0;
3895 static int srvparsenewcb = 0;
3896 static int snicb = 0;
3898 #define TEST_EXT_TYPE1 0xff00
3900 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3901 size_t *outlen, int *al, void *add_arg)
3903 int *server = (int *)add_arg;
3904 unsigned char *data;
3906 if (SSL_is_server(s))
3911 if (*server != SSL_is_server(s)
3912 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3917 *outlen = sizeof(char);
3921 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3924 OPENSSL_free((unsigned char *)out);
3927 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3928 size_t inlen, int *al, void *parse_arg)
3930 int *server = (int *)parse_arg;
3932 if (SSL_is_server(s))
3937 if (*server != SSL_is_server(s)
3938 || inlen != sizeof(char)
3945 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3946 const unsigned char **out, size_t *outlen, X509 *x,
3947 size_t chainidx, int *al, void *add_arg)
3949 int *server = (int *)add_arg;
3950 unsigned char *data;
3952 if (SSL_is_server(s))
3957 if (*server != SSL_is_server(s)
3958 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3963 *outlen = sizeof(*data);
3967 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3968 const unsigned char *out, void *add_arg)
3970 OPENSSL_free((unsigned char *)out);
3973 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3974 const unsigned char *in, size_t inlen, X509 *x,
3975 size_t chainidx, int *al, void *parse_arg)
3977 int *server = (int *)parse_arg;
3979 if (SSL_is_server(s))
3984 if (*server != SSL_is_server(s)
3985 || inlen != sizeof(char) || *in != 1)
3991 static int sni_cb(SSL *s, int *al, void *arg)
3993 SSL_CTX *ctx = (SSL_CTX *)arg;
3995 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3996 *al = SSL_AD_INTERNAL_ERROR;
3997 return SSL_TLSEXT_ERR_ALERT_FATAL;
4000 return SSL_TLSEXT_ERR_OK;
4004 * Custom call back tests.
4005 * Test 0: Old style callbacks in TLSv1.2
4006 * Test 1: New style callbacks in TLSv1.2
4007 * Test 2: New style callbacks in TLSv1.2 with SNI
4008 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4009 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4011 static int test_custom_exts(int tst)
4013 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4014 SSL *clientssl = NULL, *serverssl = NULL;
4016 static int server = 1;
4017 static int client = 0;
4018 SSL_SESSION *sess = NULL;
4019 unsigned int context;
4021 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4022 /* Skip tests for TLSv1.2 and below in this case */
4027 /* Reset callback counters */
4028 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4029 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4032 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4033 TLS1_VERSION, TLS_MAX_VERSION,
4034 &sctx, &cctx, cert, privkey)))
4038 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4039 TLS1_VERSION, TLS_MAX_VERSION,
4040 &sctx2, NULL, cert, privkey)))
4045 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4046 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4048 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4052 context = SSL_EXT_CLIENT_HELLO
4053 | SSL_EXT_TLS1_2_SERVER_HELLO
4054 | SSL_EXT_TLS1_3_SERVER_HELLO
4055 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4056 | SSL_EXT_TLS1_3_CERTIFICATE
4057 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4059 context = SSL_EXT_CLIENT_HELLO
4060 | SSL_EXT_TLS1_2_SERVER_HELLO
4061 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4064 /* Create a client side custom extension */
4066 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4067 old_add_cb, old_free_cb,
4068 &client, old_parse_cb,
4072 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4073 new_add_cb, new_free_cb,
4074 &client, new_parse_cb, &client)))
4078 /* Should not be able to add duplicates */
4079 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4080 old_add_cb, old_free_cb,
4081 &client, old_parse_cb,
4083 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4084 context, new_add_cb,
4085 new_free_cb, &client,
4086 new_parse_cb, &client)))
4089 /* Create a server side custom extension */
4091 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4092 old_add_cb, old_free_cb,
4093 &server, old_parse_cb,
4097 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4098 new_add_cb, new_free_cb,
4099 &server, new_parse_cb, &server)))
4102 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4103 context, new_add_cb,
4104 new_free_cb, &server,
4105 new_parse_cb, &server)))
4109 /* Should not be able to add duplicates */
4110 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4111 old_add_cb, old_free_cb,
4112 &server, old_parse_cb,
4114 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4115 context, new_add_cb,
4116 new_free_cb, &server,
4117 new_parse_cb, &server)))
4122 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4123 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4127 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4128 &clientssl, NULL, NULL))
4129 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4134 if (clntaddoldcb != 1
4135 || clntparseoldcb != 1
4137 || srvparseoldcb != 1)
4139 } else if (tst == 1 || tst == 2 || tst == 3) {
4140 if (clntaddnewcb != 1
4141 || clntparsenewcb != 1
4143 || srvparsenewcb != 1
4144 || (tst != 2 && snicb != 0)
4145 || (tst == 2 && snicb != 1))
4148 /* In this case there 2 NewSessionTicket messages created */
4149 if (clntaddnewcb != 1
4150 || clntparsenewcb != 5
4152 || srvparsenewcb != 1)
4156 sess = SSL_get1_session(clientssl);
4157 SSL_shutdown(clientssl);
4158 SSL_shutdown(serverssl);
4159 SSL_free(serverssl);
4160 SSL_free(clientssl);
4161 serverssl = clientssl = NULL;
4164 /* We don't bother with the resumption aspects for this test */
4169 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4171 || !TEST_true(SSL_set_session(clientssl, sess))
4172 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4177 * For a resumed session we expect to add the ClientHello extension. For the
4178 * old style callbacks we ignore it on the server side because they set
4179 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4183 if (clntaddoldcb != 2
4184 || clntparseoldcb != 1
4186 || srvparseoldcb != 1)
4188 } else if (tst == 1 || tst == 2 || tst == 3) {
4189 if (clntaddnewcb != 2
4190 || clntparsenewcb != 2
4192 || srvparsenewcb != 2)
4196 * No Certificate message extensions in the resumption handshake,
4197 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4199 if (clntaddnewcb != 2
4200 || clntparsenewcb != 8
4202 || srvparsenewcb != 2)
4209 SSL_SESSION_free(sess);
4210 SSL_free(serverssl);
4211 SSL_free(clientssl);
4212 SSL_CTX_free(sctx2);
4219 * Test loading of serverinfo data in various formats. test_sslmessages actually
4220 * tests to make sure the extensions appear in the handshake
4222 static int test_serverinfo(int tst)
4224 unsigned int version;
4225 unsigned char *sibuf;
4227 int ret, expected, testresult = 0;
4230 ctx = SSL_CTX_new(TLS_method());
4234 if ((tst & 0x01) == 0x01)
4235 version = SSL_SERVERINFOV2;
4237 version = SSL_SERVERINFOV1;
4239 if ((tst & 0x02) == 0x02) {
4240 sibuf = serverinfov2;
4241 sibuflen = sizeof(serverinfov2);
4242 expected = (version == SSL_SERVERINFOV2);
4244 sibuf = serverinfov1;
4245 sibuflen = sizeof(serverinfov1);
4246 expected = (version == SSL_SERVERINFOV1);
4249 if ((tst & 0x04) == 0x04) {
4250 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4252 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4255 * The version variable is irrelevant in this case - it's what is in the
4256 * buffer that matters
4258 if ((tst & 0x02) == 0x02)
4264 if (!TEST_true(ret == expected))
4276 * Test that SSL_export_keying_material() produces expected results. There are
4277 * no test vectors so all we do is test that both sides of the communication
4278 * produce the same results for different protocol versions.
4280 #define SMALL_LABEL_LEN 10
4281 #define LONG_LABEL_LEN 249
4282 static int test_export_key_mat(int tst)
4285 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4286 SSL *clientssl = NULL, *serverssl = NULL;
4287 const char label[LONG_LABEL_LEN + 1] = "test label";
4288 const unsigned char context[] = "context";
4289 const unsigned char *emptycontext = NULL;
4290 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4291 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4293 const int protocols[] = {
4302 #ifdef OPENSSL_NO_TLS1
4306 #ifdef OPENSSL_NO_TLS1_1
4310 #ifdef OPENSSL_NO_TLS1_2
4314 #ifdef OPENSSL_NO_TLS1_3
4318 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4319 TLS1_VERSION, TLS_MAX_VERSION,
4320 &sctx, &cctx, cert, privkey)))
4323 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4324 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4325 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4327 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4329 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4335 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4338 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4339 sizeof(ckeymat1), label,
4340 LONG_LABEL_LEN + 1, context,
4341 sizeof(context) - 1, 1), 0))
4346 } else if (tst == 4) {
4347 labellen = LONG_LABEL_LEN;
4349 labellen = SMALL_LABEL_LEN;
4352 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4353 sizeof(ckeymat1), label,
4355 sizeof(context) - 1, 1), 1)
4356 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4357 sizeof(ckeymat2), label,
4361 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4362 sizeof(ckeymat3), label,
4365 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4366 sizeof(skeymat1), label,
4369 sizeof(context) -1, 1),
4371 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4372 sizeof(skeymat2), label,
4376 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4377 sizeof(skeymat3), label,
4381 * Check that both sides created the same key material with the
4384 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4387 * Check that both sides created the same key material with an
4390 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4393 * Check that both sides created the same key material without a
4396 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4398 /* Different contexts should produce different results */
4399 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4404 * Check that an empty context and no context produce different results in
4405 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4407 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4409 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4416 SSL_free(serverssl);
4417 SSL_free(clientssl);
4418 SSL_CTX_free(sctx2);
4425 #ifndef OPENSSL_NO_TLS1_3
4427 * Test that SSL_export_keying_material_early() produces expected
4428 * results. There are no test vectors so all we do is test that both
4429 * sides of the communication produce the same results for different
4430 * protocol versions.
4432 static int test_export_key_mat_early(int idx)
4434 static const char label[] = "test label";
4435 static const unsigned char context[] = "context";
4437 SSL_CTX *cctx = NULL, *sctx = NULL;
4438 SSL *clientssl = NULL, *serverssl = NULL;
4439 SSL_SESSION *sess = NULL;
4440 const unsigned char *emptycontext = NULL;
4441 unsigned char ckeymat1[80], ckeymat2[80];
4442 unsigned char skeymat1[80], skeymat2[80];
4443 unsigned char buf[1];
4444 size_t readbytes, written;
4446 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4450 /* Here writing 0 length early data is enough. */
4451 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4452 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4454 SSL_READ_EARLY_DATA_ERROR)
4455 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4456 SSL_EARLY_DATA_ACCEPTED))
4459 if (!TEST_int_eq(SSL_export_keying_material_early(
4460 clientssl, ckeymat1, sizeof(ckeymat1), label,
4461 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4462 || !TEST_int_eq(SSL_export_keying_material_early(
4463 clientssl, ckeymat2, sizeof(ckeymat2), label,
4464 sizeof(label) - 1, emptycontext, 0), 1)
4465 || !TEST_int_eq(SSL_export_keying_material_early(
4466 serverssl, skeymat1, sizeof(skeymat1), label,
4467 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4468 || !TEST_int_eq(SSL_export_keying_material_early(
4469 serverssl, skeymat2, sizeof(skeymat2), label,
4470 sizeof(label) - 1, emptycontext, 0), 1)
4472 * Check that both sides created the same key material with the
4475 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4478 * Check that both sides created the same key material with an
4481 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4483 /* Different contexts should produce different results */
4484 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4491 SSL_SESSION_free(sess);
4492 SSL_SESSION_free(clientpsk);
4493 SSL_SESSION_free(serverpsk);
4494 clientpsk = serverpsk = NULL;
4495 SSL_free(serverssl);
4496 SSL_free(clientssl);
4503 #define NUM_KEY_UPDATE_MESSAGES 40
4507 static int test_key_update(void)
4509 SSL_CTX *cctx = NULL, *sctx = NULL;
4510 SSL *clientssl = NULL, *serverssl = NULL;
4511 int testresult = 0, i, j;
4513 static char *mess = "A test message";
4515 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4516 TLS_client_method(),
4519 &sctx, &cctx, cert, privkey))
4520 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4522 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4526 for (j = 0; j < 2; j++) {
4527 /* Send lots of KeyUpdate messages */
4528 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
4529 if (!TEST_true(SSL_key_update(clientssl,
4531 ? SSL_KEY_UPDATE_NOT_REQUESTED
4532 : SSL_KEY_UPDATE_REQUESTED))
4533 || !TEST_true(SSL_do_handshake(clientssl)))
4537 /* Check that sending and receiving app data is ok */
4538 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
4539 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
4543 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
4544 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
4552 SSL_free(serverssl);
4553 SSL_free(clientssl);
4561 * Test we can handle a KeyUpdate (update requested) message while write data
4563 * Test 0: Client sends KeyUpdate while Server is writing
4564 * Test 1: Server sends KeyUpdate while Client is writing
4566 static int test_key_update_in_write(int tst)
4568 SSL_CTX *cctx = NULL, *sctx = NULL;
4569 SSL *clientssl = NULL, *serverssl = NULL;
4572 static char *mess = "A test message";
4573 BIO *bretry = BIO_new(bio_s_always_retry());
4575 SSL *peerupdate = NULL, *peerwrite = NULL;
4577 if (!TEST_ptr(bretry)
4578 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4579 TLS_client_method(),
4582 &sctx, &cctx, cert, privkey))
4583 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4585 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4589 peerupdate = tst == 0 ? clientssl : serverssl;
4590 peerwrite = tst == 0 ? serverssl : clientssl;
4592 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
4593 || !TEST_true(SSL_do_handshake(peerupdate)))
4596 /* Swap the writing endpoint's write BIO to force a retry */
4597 tmp = SSL_get_wbio(peerwrite);
4598 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
4602 SSL_set0_wbio(peerwrite, bretry);
4605 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
4606 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
4607 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
4610 /* Reinstate the original writing endpoint's write BIO */
4611 SSL_set0_wbio(peerwrite, tmp);
4614 /* Now read some data - we will read the key update */
4615 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
4616 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
4620 * Complete the write we started previously and read it from the other
4623 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4624 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
4627 /* Write more data to ensure we send the KeyUpdate message back */
4628 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4629 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
4635 SSL_free(serverssl);
4636 SSL_free(clientssl);
4644 #endif /* OPENSSL_NO_TLS1_3 */
4646 static int test_ssl_clear(int idx)
4648 SSL_CTX *cctx = NULL, *sctx = NULL;
4649 SSL *clientssl = NULL, *serverssl = NULL;
4652 #ifdef OPENSSL_NO_TLS1_2
4657 /* Create an initial connection */
4658 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4659 TLS1_VERSION, TLS_MAX_VERSION,
4660 &sctx, &cctx, cert, privkey))
4662 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4664 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4665 &clientssl, NULL, NULL))
4666 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4670 SSL_shutdown(clientssl);
4671 SSL_shutdown(serverssl);
4672 SSL_free(serverssl);
4675 /* Clear clientssl - we're going to reuse the object */
4676 if (!TEST_true(SSL_clear(clientssl)))
4679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4683 || !TEST_true(SSL_session_reused(clientssl)))
4686 SSL_shutdown(clientssl);
4687 SSL_shutdown(serverssl);
4692 SSL_free(serverssl);
4693 SSL_free(clientssl);
4700 /* Parse CH and retrieve any MFL extension value if present */
4701 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4704 unsigned char *data;
4705 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4706 unsigned int MFL_code = 0, type = 0;
4708 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4711 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4712 /* Skip the record header */
4713 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4714 /* Skip the handshake message header */
4715 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4716 /* Skip client version and random */
4717 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4718 + SSL3_RANDOM_SIZE))
4719 /* Skip session id */
4720 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4722 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4723 /* Skip compression */
4724 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4725 /* Extensions len */
4726 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4729 /* Loop through all extensions */
4730 while (PACKET_remaining(&pkt2)) {
4731 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4732 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4735 if (type == TLSEXT_TYPE_max_fragment_length) {
4736 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4737 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4740 *mfl_codemfl_code = MFL_code;
4749 /* Maximum-Fragment-Length TLS extension mode to test */
4750 static const unsigned char max_fragment_len_test[] = {
4751 TLSEXT_max_fragment_length_512,
4752 TLSEXT_max_fragment_length_1024,
4753 TLSEXT_max_fragment_length_2048,
4754 TLSEXT_max_fragment_length_4096
4757 static int test_max_fragment_len_ext(int idx_tst)
4761 int testresult = 0, MFL_mode = 0;
4764 ctx = SSL_CTX_new(TLS_method());
4768 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4769 ctx, max_fragment_len_test[idx_tst])))
4776 rbio = BIO_new(BIO_s_mem());
4777 wbio = BIO_new(BIO_s_mem());
4778 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4784 SSL_set_bio(con, rbio, wbio);
4785 SSL_set_connect_state(con);
4787 if (!TEST_int_le(SSL_connect(con), 0)) {
4788 /* This shouldn't succeed because we don't have a server! */
4792 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4793 /* no MFL in client hello */
4795 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4807 #ifndef OPENSSL_NO_TLS1_3
4808 static int test_pha_key_update(void)
4810 SSL_CTX *cctx = NULL, *sctx = NULL;
4811 SSL *clientssl = NULL, *serverssl = NULL;
4814 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4815 TLS1_VERSION, TLS_MAX_VERSION,
4816 &sctx, &cctx, cert, privkey)))
4819 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4820 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4821 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4822 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4825 SSL_CTX_set_post_handshake_auth(cctx, 1);
4827 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4831 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4835 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4836 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4839 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4842 /* Start handshake on the server */
4843 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4846 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4847 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4851 SSL_shutdown(clientssl);
4852 SSL_shutdown(serverssl);
4857 SSL_free(serverssl);
4858 SSL_free(clientssl);
4865 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4867 static SRP_VBASE *vbase = NULL;
4869 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4871 int ret = SSL3_AL_FATAL;
4873 SRP_user_pwd *user = NULL;
4875 username = SSL_get_srp_username(s);
4876 if (username == NULL) {
4877 *ad = SSL_AD_INTERNAL_ERROR;
4881 user = SRP_VBASE_get1_by_user(vbase, username);
4883 *ad = SSL_AD_INTERNAL_ERROR;
4887 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4889 *ad = SSL_AD_INTERNAL_ERROR;
4896 SRP_user_pwd_free(user);
4900 static int create_new_vfile(char *userid, char *password, const char *filename)
4903 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4906 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4909 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4912 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4913 &row[DB_srpverifier], NULL, NULL);
4914 if (!TEST_ptr(gNid))
4918 * The only way to create an empty TXT_DB is to provide a BIO with no data
4921 db = TXT_DB_read(dummy, DB_NUMBER);
4925 out = BIO_new_file(filename, "w");
4929 row[DB_srpid] = OPENSSL_strdup(userid);
4930 row[DB_srptype] = OPENSSL_strdup("V");
4931 row[DB_srpgN] = OPENSSL_strdup(gNid);
4933 if (!TEST_ptr(row[DB_srpid])
4934 || !TEST_ptr(row[DB_srptype])
4935 || !TEST_ptr(row[DB_srpgN])
4936 || !TEST_true(TXT_DB_insert(db, row)))
4941 if (!TXT_DB_write(out, db))
4947 for (i = 0; i < DB_NUMBER; i++)
4948 OPENSSL_free(row[i]);
4958 static int create_new_vbase(char *userid, char *password)
4960 BIGNUM *verifier = NULL, *salt = NULL;
4961 const SRP_gN *lgN = NULL;
4962 SRP_user_pwd *user_pwd = NULL;
4965 lgN = SRP_get_default_gN(NULL);
4969 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4973 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4974 if (!TEST_ptr(user_pwd))
4977 user_pwd->N = lgN->N;
4978 user_pwd->g = lgN->g;
4979 user_pwd->id = OPENSSL_strdup(userid);
4980 if (!TEST_ptr(user_pwd->id))
4983 user_pwd->v = verifier;
4985 verifier = salt = NULL;
4987 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4993 SRP_user_pwd_free(user_pwd);
5003 * Test 0: Simple successful SRP connection, new vbase
5004 * Test 1: Connection failure due to bad password, new vbase
5005 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5006 * Test 3: Connection failure due to bad password, vbase loaded from existing
5008 * Test 4: Simple successful SRP connection, vbase loaded from new file
5009 * Test 5: Connection failure due to bad password, vbase loaded from new file
5011 static int test_srp(int tst)
5013 char *userid = "test", *password = "password", *tstsrpfile;
5014 SSL_CTX *cctx = NULL, *sctx = NULL;
5015 SSL *clientssl = NULL, *serverssl = NULL;
5016 int ret, testresult = 0;
5018 vbase = SRP_VBASE_new(NULL);
5019 if (!TEST_ptr(vbase))
5022 if (tst == 0 || tst == 1) {
5023 if (!TEST_true(create_new_vbase(userid, password)))
5026 if (tst == 4 || tst == 5) {
5027 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5029 tstsrpfile = tmpfilename;
5031 tstsrpfile = srpvfile;
5033 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5037 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5038 TLS1_VERSION, TLS_MAX_VERSION,
5039 &sctx, &cctx, cert, privkey)))
5042 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5043 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5044 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5045 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5046 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5050 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5053 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5057 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5061 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5063 if (!TEST_true(tst % 2 == 0))
5066 if (!TEST_true(tst % 2 == 1))
5073 SRP_VBASE_free(vbase);
5075 SSL_free(serverssl);
5076 SSL_free(clientssl);
5084 static int info_cb_failed = 0;
5085 static int info_cb_offset = 0;
5086 static int info_cb_this_state = -1;
5088 static struct info_cb_states_st {
5090 const char *statestr;
5091 } info_cb_states[][60] = {
5093 /* TLSv1.2 server followed by resumption */
5094 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5095 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5096 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5097 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5098 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5099 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5100 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5101 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5102 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5103 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5104 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5105 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5106 {SSL_CB_EXIT, NULL}, {0, NULL},
5108 /* TLSv1.2 client followed by resumption */
5109 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5110 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5111 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5112 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5113 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5114 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5115 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5116 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5117 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5118 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5119 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5120 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5122 /* TLSv1.3 server followed by resumption */
5123 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5124 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5125 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5126 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5127 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5128 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5129 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5130 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5131 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5132 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5133 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5134 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5135 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5137 /* TLSv1.3 client followed by resumption */
5138 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5139 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5140 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5141 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5142 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5143 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5144 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5145 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5146 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5147 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5148 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5149 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5150 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5151 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5152 {SSL_CB_EXIT, NULL}, {0, NULL},
5154 /* TLSv1.3 server, early_data */
5155 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5156 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5157 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5158 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5159 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5160 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5161 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5162 {SSL_CB_EXIT, NULL}, {0, NULL},
5164 /* TLSv1.3 client, early_data */
5165 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5166 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5167 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5168 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5169 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5170 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5171 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5172 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5173 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5179 static void sslapi_info_callback(const SSL *s, int where, int ret)
5181 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5183 /* We do not ever expect a connection to fail in this test */
5184 if (!TEST_false(ret == 0)) {
5190 * Do some sanity checks. We never expect these things to happen in this
5193 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5194 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5195 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5200 /* Now check we're in the right state */
5201 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5205 if ((where & SSL_CB_LOOP) != 0
5206 && !TEST_int_eq(strcmp(SSL_state_string(s),
5207 state[info_cb_this_state].statestr), 0)) {
5213 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5215 if ((where & SSL_CB_HANDSHAKE_DONE)
5216 && SSL_in_init((SSL *)s) != 0) {
5223 * Test the info callback gets called when we expect it to.
5225 * Test 0: TLSv1.2, server
5226 * Test 1: TLSv1.2, client
5227 * Test 2: TLSv1.3, server
5228 * Test 3: TLSv1.3, client
5229 * Test 4: TLSv1.3, server, early_data
5230 * Test 5: TLSv1.3, client, early_data
5232 static int test_info_callback(int tst)
5234 SSL_CTX *cctx = NULL, *sctx = NULL;
5235 SSL *clientssl = NULL, *serverssl = NULL;
5236 SSL_SESSION *clntsess = NULL;
5241 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5242 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5243 || !defined(OPENSSL_NO_DH))
5244 tlsvers = TLS1_2_VERSION;
5249 #ifndef OPENSSL_NO_TLS1_3
5250 tlsvers = TLS1_3_VERSION;
5258 info_cb_this_state = -1;
5259 info_cb_offset = tst;
5261 #ifndef OPENSSL_NO_TLS1_3
5263 SSL_SESSION *sess = NULL;
5264 size_t written, readbytes;
5265 unsigned char buf[80];
5267 /* early_data tests */
5268 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5269 &serverssl, &sess, 0)))
5272 /* We don't actually need this reference */
5273 SSL_SESSION_free(sess);
5275 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5276 sslapi_info_callback);
5278 /* Write and read some early data and then complete the connection */
5279 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5281 || !TEST_size_t_eq(written, strlen(MSG1))
5282 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5283 sizeof(buf), &readbytes),
5284 SSL_READ_EARLY_DATA_SUCCESS)
5285 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5286 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5287 SSL_EARLY_DATA_ACCEPTED)
5288 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5290 || !TEST_false(info_cb_failed))
5298 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5299 TLS_client_method(),
5300 tlsvers, tlsvers, &sctx, &cctx, cert,
5305 * For even numbered tests we check the server callbacks. For odd numbers we
5308 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5309 sslapi_info_callback);
5311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5312 &clientssl, NULL, NULL))
5313 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5315 || !TEST_false(info_cb_failed))
5320 clntsess = SSL_get1_session(clientssl);
5321 SSL_shutdown(clientssl);
5322 SSL_shutdown(serverssl);
5323 SSL_free(serverssl);
5324 SSL_free(clientssl);
5325 serverssl = clientssl = NULL;
5327 /* Now do a resumption */
5328 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5330 || !TEST_true(SSL_set_session(clientssl, clntsess))
5331 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5333 || !TEST_true(SSL_session_reused(clientssl))
5334 || !TEST_false(info_cb_failed))
5340 SSL_free(serverssl);
5341 SSL_free(clientssl);
5342 SSL_SESSION_free(clntsess);
5348 static int test_ssl_pending(int tst)
5350 SSL_CTX *cctx = NULL, *sctx = NULL;
5351 SSL *clientssl = NULL, *serverssl = NULL;
5353 char msg[] = "A test message";
5355 size_t written, readbytes;
5358 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5359 TLS_client_method(),
5360 TLS1_VERSION, TLS_MAX_VERSION,
5361 &sctx, &cctx, cert, privkey)))
5364 #ifndef OPENSSL_NO_DTLS
5365 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5366 DTLS_client_method(),
5367 DTLS1_VERSION, DTLS_MAX_VERSION,
5368 &sctx, &cctx, cert, privkey)))
5375 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5377 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5381 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5382 || !TEST_false(SSL_has_pending(clientssl))
5383 || !TEST_int_eq(SSL_pending(serverssl), 0)
5384 || !TEST_false(SSL_has_pending(serverssl))
5385 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5386 || !TEST_size_t_eq(written, sizeof(msg))
5387 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5388 || !TEST_size_t_eq(readbytes, sizeof(buf))
5389 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5390 || !TEST_true(SSL_has_pending(clientssl)))
5396 SSL_free(serverssl);
5397 SSL_free(clientssl);
5405 unsigned int maxprot;
5406 const char *clntciphers;
5407 const char *clnttls13ciphers;
5408 const char *srvrciphers;
5409 const char *srvrtls13ciphers;
5411 } shared_ciphers_data[] = {
5413 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5414 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5416 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5419 "AES128-SHA:AES256-SHA",
5421 "AES256-SHA:DHE-RSA-AES128-SHA",
5427 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5429 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5431 "AES128-SHA:AES256-SHA"
5435 "AES128-SHA:AES256-SHA",
5437 "AES128-SHA:DHE-RSA-AES128-SHA",
5443 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5446 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5447 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5450 "AES128-SHA:AES256-SHA",
5452 "AES256-SHA:AES128-SHA256",
5454 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5455 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5458 #ifndef OPENSSL_NO_TLS1_3
5462 "TLS_AES_256_GCM_SHA384",
5464 "TLS_AES_256_GCM_SHA384",
5465 "TLS_AES_256_GCM_SHA384"
5470 static int test_ssl_get_shared_ciphers(int tst)
5472 SSL_CTX *cctx = NULL, *sctx = NULL;
5473 SSL *clientssl = NULL, *serverssl = NULL;
5477 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5478 TLS_client_method(),
5480 shared_ciphers_data[tst].maxprot,
5481 &sctx, &cctx, cert, privkey)))
5484 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5485 shared_ciphers_data[tst].clntciphers))
5486 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5487 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5488 shared_ciphers_data[tst].clnttls13ciphers)))
5489 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5490 shared_ciphers_data[tst].srvrciphers))
5491 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5492 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5493 shared_ciphers_data[tst].srvrtls13ciphers))))
5497 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5499 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5503 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5504 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5505 TEST_info("Shared ciphers are: %s\n", buf);
5512 SSL_free(serverssl);
5513 SSL_free(clientssl);
5520 static const char *appdata = "Hello World";
5521 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5522 static int tick_key_renew = 0;
5523 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5525 static int gen_tick_cb(SSL *s, void *arg)
5527 gen_tick_called = 1;
5529 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5533 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5534 const unsigned char *keyname,
5535 size_t keyname_length,
5536 SSL_TICKET_STATUS status,
5542 dec_tick_called = 1;
5544 if (status == SSL_TICKET_EMPTY)
5545 return SSL_TICKET_RETURN_IGNORE_RENEW;
5547 if (!TEST_true(status == SSL_TICKET_SUCCESS
5548 || status == SSL_TICKET_SUCCESS_RENEW))
5549 return SSL_TICKET_RETURN_ABORT;
5551 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5553 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5554 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5555 return SSL_TICKET_RETURN_ABORT;
5557 if (tick_key_cb_called) {
5558 /* Don't change what the ticket key callback wanted to do */
5560 case SSL_TICKET_NO_DECRYPT:
5561 return SSL_TICKET_RETURN_IGNORE_RENEW;
5563 case SSL_TICKET_SUCCESS:
5564 return SSL_TICKET_RETURN_USE;
5566 case SSL_TICKET_SUCCESS_RENEW:
5567 return SSL_TICKET_RETURN_USE_RENEW;
5570 return SSL_TICKET_RETURN_ABORT;
5573 return tick_dec_ret;
5577 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5578 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5579 HMAC_CTX *hctx, int enc)
5581 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5582 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5584 tick_key_cb_called = 1;
5585 memset(iv, 0, AES_BLOCK_SIZE);
5586 memset(key_name, 0, 16);
5587 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5588 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5589 EVP_sha256(), NULL))
5592 return tick_key_renew ? 2 : 1;
5596 * Test the various ticket callbacks
5597 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5598 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5599 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5600 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5601 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5602 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5603 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5604 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5605 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5606 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5607 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5608 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5610 static int test_ticket_callbacks(int tst)
5612 SSL_CTX *cctx = NULL, *sctx = NULL;
5613 SSL *clientssl = NULL, *serverssl = NULL;
5614 SSL_SESSION *clntsess = NULL;
5617 #ifdef OPENSSL_NO_TLS1_2
5621 #ifdef OPENSSL_NO_TLS1_3
5626 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5628 /* Which tests the ticket key callback should request renewal for */
5629 if (tst == 10 || tst == 11)
5634 /* Which tests the decrypt ticket callback should request renewal for */
5638 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5643 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5648 tick_dec_ret = SSL_TICKET_RETURN_USE;
5653 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5657 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5660 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5661 TLS_client_method(),
5663 ((tst % 2) == 0) ? TLS1_2_VERSION
5665 &sctx, &cctx, cert, privkey)))
5669 * We only want sessions to resume from tickets - not the session cache. So
5670 * switch the cache off.
5672 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5675 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5680 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5683 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5685 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5690 * The decrypt ticket key callback in TLSv1.2 should be called even though
5691 * we have no ticket yet, because it gets called with a status of
5692 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5693 * actually send any ticket data). This does not happen in TLSv1.3 because
5694 * it is not valid to send empty ticket data in TLSv1.3.
5696 if (!TEST_int_eq(gen_tick_called, 1)
5697 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5700 gen_tick_called = dec_tick_called = 0;
5702 clntsess = SSL_get1_session(clientssl);
5703 SSL_shutdown(clientssl);
5704 SSL_shutdown(serverssl);
5705 SSL_free(serverssl);
5706 SSL_free(clientssl);
5707 serverssl = clientssl = NULL;
5709 /* Now do a resumption */
5710 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5712 || !TEST_true(SSL_set_session(clientssl, clntsess))
5713 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5717 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5718 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5719 if (!TEST_false(SSL_session_reused(clientssl)))
5722 if (!TEST_true(SSL_session_reused(clientssl)))
5726 if (!TEST_int_eq(gen_tick_called,
5728 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5729 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5731 || !TEST_int_eq(dec_tick_called, 1))
5737 SSL_SESSION_free(clntsess);
5738 SSL_free(serverssl);
5739 SSL_free(clientssl);
5747 * Test bi-directional shutdown.
5749 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5750 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5751 * Test 3: TLSv1.3, pending NewSessionTicket messages
5752 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5753 * sends key update, client reads it
5754 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5755 * sends CertificateRequest, client reads and ignores it
5756 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
5759 static int test_shutdown(int tst)
5761 SSL_CTX *cctx = NULL, *sctx = NULL;
5762 SSL *clientssl = NULL, *serverssl = NULL;
5764 char msg[] = "A test message";
5766 size_t written, readbytes;
5769 #ifdef OPENSSL_NO_TLS1_2
5773 #ifdef OPENSSL_NO_TLS1_3
5778 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5779 TLS_client_method(),
5781 (tst <= 1) ? TLS1_2_VERSION
5783 &sctx, &cctx, cert, privkey)))
5787 SSL_CTX_set_post_handshake_auth(cctx, 1);
5789 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5794 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5796 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5797 || !TEST_false(SSL_SESSION_is_resumable(sess)))
5799 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5801 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5802 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
5806 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5811 * Reading on the server after the client has sent close_notify should
5812 * fail and provide SSL_ERROR_ZERO_RETURN
5814 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5815 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5816 SSL_ERROR_ZERO_RETURN)
5817 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5818 SSL_RECEIVED_SHUTDOWN)
5820 * Even though we're shutdown on receive we should still be
5823 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5826 && !TEST_true(SSL_key_update(serverssl,
5827 SSL_KEY_UPDATE_REQUESTED)))
5830 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5831 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5834 if ((tst == 4 || tst == 5)
5835 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5837 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
5839 if (tst == 4 || tst == 5) {
5840 /* Should still be able to read data from server */
5841 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5843 || !TEST_size_t_eq(readbytes, sizeof(msg))
5844 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5845 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5847 || !TEST_size_t_eq(readbytes, sizeof(msg))
5848 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5853 /* Writing on the client after sending close_notify shouldn't be possible */
5854 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5859 * For these tests the client has sent close_notify but it has not yet
5860 * been received by the server. The server has not sent close_notify
5863 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5865 * Writing on the server after sending close_notify shouldn't
5868 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5869 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5870 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5871 || !TEST_true(SSL_SESSION_is_resumable(sess))
5872 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5874 } else if (tst == 4 || tst == 5) {
5876 * In this test the client has sent close_notify and it has been
5877 * received by the server which has responded with a close_notify. The
5878 * client needs to read the close_notify sent by the server.
5880 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
5881 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5882 || !TEST_true(SSL_SESSION_is_resumable(sess)))
5888 * The client has sent close_notify and is expecting a close_notify
5889 * back, but instead there is application data first. The shutdown
5890 * should fail with a fatal error.
5892 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5893 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5900 SSL_free(serverssl);
5901 SSL_free(clientssl);
5908 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5909 static int cert_cb_cnt;
5911 static int cert_cb(SSL *s, void *arg)
5913 SSL_CTX *ctx = (SSL_CTX *)arg;
5915 EVP_PKEY *pkey = NULL;
5916 X509 *x509 = NULL, *rootx = NULL;
5917 STACK_OF(X509) *chain = NULL;
5918 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
5921 if (cert_cb_cnt == 0) {
5922 /* Suspend the handshake */
5925 } else if (cert_cb_cnt == 1) {
5927 * Update the SSL_CTX, set the certificate and private key and then
5928 * continue the handshake normally.
5930 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
5933 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
5934 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
5936 || !TEST_true(SSL_check_private_key(s)))
5940 } else if (cert_cb_cnt == 3) {
5943 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
5944 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
5945 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
5946 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
5948 chain = sk_X509_new_null();
5949 if (!TEST_ptr(chain))
5951 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
5952 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
5953 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
5954 || !TEST_true(sk_X509_push(chain, rootx)))
5958 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
5959 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
5960 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
5963 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
5964 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
5965 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
5967 rv = SSL_check_chain(s, x509, pkey, chain);
5969 * If the cert doesn't show as valid here (e.g., because we don't
5970 * have any shared sigalgs), then we will not set it, and there will
5971 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
5972 * will cause tls_choose_sigalgs() to fail the connection.
5974 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
5975 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
5976 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
5983 /* Abort the handshake */
5985 OPENSSL_free(ecdsacert);
5986 OPENSSL_free(ecdsakey);
5987 OPENSSL_free(rootfile);
5989 EVP_PKEY_free(pkey);
5992 sk_X509_pop_free(chain, X509_free);
5997 * Test the certificate callback.
5998 * Test 0: Callback fails
5999 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6000 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6001 * Test 3: Success - Call SSL_check_chain from the callback
6002 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6004 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6006 static int test_cert_cb_int(int prot, int tst)
6008 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6009 SSL *clientssl = NULL, *serverssl = NULL;
6010 int testresult = 0, ret;
6012 #ifdef OPENSSL_NO_EC
6013 /* We use an EC cert in these tests, so we skip in a no-ec build */
6018 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6019 TLS_client_method(),
6022 &sctx, &cctx, NULL, NULL)))
6033 snictx = SSL_CTX_new(TLS_server_method());
6034 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6036 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6042 * We cause SSL_check_chain() to fail by specifying sig_algs that
6043 * the chain doesn't meet (the root uses an RSA cert)
6045 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6046 "ecdsa_secp256r1_sha256")))
6048 } else if (tst == 5) {
6050 * We cause SSL_check_chain() to fail by specifying sig_algs that
6051 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6053 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6054 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6058 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6059 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6061 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6068 SSL_free(serverssl);
6069 SSL_free(clientssl);
6072 SSL_CTX_free(snictx);
6078 static int test_cert_cb(int tst)
6082 #ifndef OPENSSL_NO_TLS1_2
6083 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6085 #ifndef OPENSSL_NO_TLS1_3
6086 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6092 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6098 /* Check that SSL_get_peer_certificate() returns something sensible */
6099 peer = SSL_get_peer_certificate(ssl);
6100 if (!TEST_ptr(peer))
6104 in = BIO_new_file(cert, "r");
6108 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6110 if (!TEST_ptr(xcert))
6113 in = BIO_new_file(privkey, "r");
6114 if (!TEST_ptr(in)) {
6119 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6121 if (!TEST_ptr(privpkey)) {
6132 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6137 static int test_client_cert_cb(int tst)
6139 SSL_CTX *cctx = NULL, *sctx = NULL;
6140 SSL *clientssl = NULL, *serverssl = NULL;
6143 #ifdef OPENSSL_NO_TLS1_2
6147 #ifdef OPENSSL_NO_TLS1_3
6152 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6153 TLS_client_method(),
6155 tst == 0 ? TLS1_2_VERSION
6157 &sctx, &cctx, cert, privkey)))
6161 * Test that setting a client_cert_cb results in a client certificate being
6164 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6165 SSL_CTX_set_verify(sctx,
6166 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6169 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6171 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6178 SSL_free(serverssl);
6179 SSL_free(clientssl);
6186 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6188 * Test setting certificate authorities on both client and server.
6190 * Test 0: SSL_CTX_set0_CA_list() only
6191 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6192 * Test 2: Only SSL_CTX_set_client_CA_list()
6194 static int test_ca_names_int(int prot, int tst)
6196 SSL_CTX *cctx = NULL, *sctx = NULL;
6197 SSL *clientssl = NULL, *serverssl = NULL;
6200 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6201 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6202 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6203 const STACK_OF(X509_NAME) *sktmp = NULL;
6205 for (i = 0; i < OSSL_NELEM(name); i++) {
6206 name[i] = X509_NAME_new();
6207 if (!TEST_ptr(name[i])
6208 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6216 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6217 TLS_client_method(),
6220 &sctx, &cctx, cert, privkey)))
6223 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6225 if (tst == 0 || tst == 1) {
6226 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6227 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6228 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6229 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6230 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6231 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6234 SSL_CTX_set0_CA_list(sctx, sk1);
6235 SSL_CTX_set0_CA_list(cctx, sk2);
6238 if (tst == 1 || tst == 2) {
6239 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6240 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6241 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6242 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6243 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6244 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6247 SSL_CTX_set_client_CA_list(sctx, sk1);
6248 SSL_CTX_set_client_CA_list(cctx, sk2);
6252 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6254 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6259 * We only expect certificate authorities to have been sent to the server
6260 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6262 sktmp = SSL_get0_peer_CA_list(serverssl);
6263 if (prot == TLS1_3_VERSION
6264 && (tst == 0 || tst == 1)) {
6265 if (!TEST_ptr(sktmp)
6266 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6267 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6269 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6272 } else if (!TEST_ptr_null(sktmp)) {
6277 * In all tests we expect certificate authorities to have been sent to the
6278 * client. However, SSL_set_client_CA_list() should override
6279 * SSL_set0_CA_list()
6281 sktmp = SSL_get0_peer_CA_list(clientssl);
6282 if (!TEST_ptr(sktmp)
6283 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6284 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6285 name[tst == 0 ? 0 : 2]), 0)
6286 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6287 name[tst == 0 ? 1 : 3]), 0))
6293 SSL_free(serverssl);
6294 SSL_free(clientssl);
6297 for (i = 0; i < OSSL_NELEM(name); i++)
6298 X509_NAME_free(name[i]);
6299 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6300 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6306 static int test_ca_names(int tst)
6310 #ifndef OPENSSL_NO_TLS1_2
6311 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6313 #ifndef OPENSSL_NO_TLS1_3
6314 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6321 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
6322 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
6323 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
6324 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
6325 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
6326 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
6327 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
6328 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
6329 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
6330 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
6332 static int test_servername(int tst)
6334 SSL_CTX *cctx = NULL, *sctx = NULL;
6335 SSL *clientssl = NULL, *serverssl = NULL;
6337 SSL_SESSION *sess = NULL;
6338 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
6340 #ifdef OPENSSL_NO_TLS1_2
6344 #ifdef OPENSSL_NO_TLS1_3
6349 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6350 TLS_client_method(),
6352 (tst <= 4) ? TLS1_2_VERSION
6354 &sctx, &cctx, cert, privkey))
6355 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6359 if (tst != 1 && tst != 6) {
6360 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
6365 if (tst != 3 && tst != 8) {
6366 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
6368 sexpectedhost = cexpectedhost = "goodhost";
6371 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
6374 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
6376 || !TEST_str_eq(SSL_get_servername(serverssl,
6377 TLSEXT_NAMETYPE_host_name),
6381 /* Now repeat with a resumption handshake */
6383 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
6384 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
6385 || !TEST_true(SSL_SESSION_is_resumable(sess))
6386 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
6389 SSL_free(clientssl);
6390 SSL_free(serverssl);
6391 clientssl = serverssl = NULL;
6393 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6397 if (!TEST_true(SSL_set_session(clientssl, sess)))
6400 sexpectedhost = cexpectedhost = "goodhost";
6401 if (tst == 2 || tst == 7) {
6402 /* Set an inconsistent hostname */
6403 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
6406 * In TLSv1.2 we expect the hostname from the original handshake, in
6407 * TLSv1.3 we expect the hostname from this handshake
6410 sexpectedhost = cexpectedhost = "altgoodhost";
6412 if (!TEST_str_eq(SSL_get_servername(clientssl,
6413 TLSEXT_NAMETYPE_host_name),
6416 } else if (tst == 4 || tst == 9) {
6418 * A TLSv1.3 session does not associate a session with a servername,
6419 * but a TLSv1.2 session does.
6422 sexpectedhost = cexpectedhost = NULL;
6424 if (!TEST_str_eq(SSL_get_servername(clientssl,
6425 TLSEXT_NAMETYPE_host_name),
6429 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
6432 * In a TLSv1.2 resumption where the hostname was not acknowledged
6433 * we expect the hostname on the server to be empty. On the client we
6434 * return what was requested in this case.
6436 * Similarly if the client didn't set a hostname on an original TLSv1.2
6437 * session but is now, the server hostname will be empty, but the client
6440 if (tst == 1 || tst == 3)
6441 sexpectedhost = NULL;
6443 if (!TEST_str_eq(SSL_get_servername(clientssl,
6444 TLSEXT_NAMETYPE_host_name),
6449 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
6452 if (!TEST_true(SSL_session_reused(clientssl))
6453 || !TEST_true(SSL_session_reused(serverssl))
6454 || !TEST_str_eq(SSL_get_servername(clientssl,
6455 TLSEXT_NAMETYPE_host_name),
6457 || !TEST_str_eq(SSL_get_servername(serverssl,
6458 TLSEXT_NAMETYPE_host_name),
6465 SSL_SESSION_free(sess);
6466 SSL_free(serverssl);
6467 SSL_free(clientssl);
6474 int setup_tests(void)
6476 if (!TEST_ptr(certsdir = test_get_argument(0))
6477 || !TEST_ptr(srpvfile = test_get_argument(1))
6478 || !TEST_ptr(tmpfilename = test_get_argument(2)))
6481 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6482 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6483 TEST_error("not supported in this build");
6486 int i, mcount, rcount, fcount;
6488 for (i = 0; i < 4; i++)
6489 test_export_key_mat(i);
6490 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6491 test_printf_stdout("malloc %d realloc %d free %d\n",
6492 mcount, rcount, fcount);
6497 cert = test_mk_file_path(certsdir, "servercert.pem");
6501 privkey = test_mk_file_path(certsdir, "serverkey.pem");
6502 if (privkey == NULL) {
6507 ADD_TEST(test_large_message_tls);
6508 ADD_TEST(test_large_message_tls_read_ahead);
6509 #ifndef OPENSSL_NO_DTLS
6510 ADD_TEST(test_large_message_dtls);
6512 #ifndef OPENSSL_NO_OCSP
6513 ADD_TEST(test_tlsext_status_type);
6515 ADD_TEST(test_session_with_only_int_cache);
6516 ADD_TEST(test_session_with_only_ext_cache);
6517 ADD_TEST(test_session_with_both_cache);
6518 #ifndef OPENSSL_NO_TLS1_3
6519 ADD_ALL_TESTS(test_stateful_tickets, 3);
6520 ADD_ALL_TESTS(test_stateless_tickets, 3);
6521 ADD_TEST(test_psk_tickets);
6523 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6524 ADD_TEST(test_ssl_bio_pop_next_bio);
6525 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6526 ADD_TEST(test_ssl_bio_change_rbio);
6527 ADD_TEST(test_ssl_bio_change_wbio);
6528 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6529 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6530 ADD_TEST(test_keylog);
6532 #ifndef OPENSSL_NO_TLS1_3
6533 ADD_TEST(test_keylog_no_master_key);
6535 #ifndef OPENSSL_NO_TLS1_2
6536 ADD_TEST(test_client_hello_cb);
6537 ADD_TEST(test_ccs_change_cipher);
6539 #ifndef OPENSSL_NO_TLS1_3
6540 ADD_ALL_TESTS(test_early_data_read_write, 3);
6542 * We don't do replay tests for external PSK. Replay protection isn't used
6545 ADD_ALL_TESTS(test_early_data_replay, 2);
6546 ADD_ALL_TESTS(test_early_data_skip, 3);
6547 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6548 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6549 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6550 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6551 ADD_ALL_TESTS(test_early_data_psk, 8);
6552 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6553 # ifndef OPENSSL_NO_TLS1_2
6554 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6557 #ifndef OPENSSL_NO_TLS1_3
6558 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6559 ADD_TEST(test_ciphersuite_change);
6560 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
6561 #ifdef OPENSSL_NO_PSK
6562 ADD_ALL_TESTS(test_tls13_psk, 1);
6564 ADD_ALL_TESTS(test_tls13_psk, 4);
6565 #endif /* OPENSSL_NO_PSK */
6566 ADD_ALL_TESTS(test_custom_exts, 5);
6567 ADD_TEST(test_stateless);
6568 ADD_TEST(test_pha_key_update);
6570 ADD_ALL_TESTS(test_custom_exts, 3);
6572 ADD_ALL_TESTS(test_serverinfo, 8);
6573 ADD_ALL_TESTS(test_export_key_mat, 6);
6574 #ifndef OPENSSL_NO_TLS1_3
6575 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6576 ADD_TEST(test_key_update);
6577 ADD_ALL_TESTS(test_key_update_in_write, 2);
6579 ADD_ALL_TESTS(test_ssl_clear, 2);
6580 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6581 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6582 ADD_ALL_TESTS(test_srp, 6);
6584 ADD_ALL_TESTS(test_info_callback, 6);
6585 ADD_ALL_TESTS(test_ssl_pending, 2);
6586 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6587 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6588 ADD_ALL_TESTS(test_shutdown, 7);
6589 ADD_ALL_TESTS(test_cert_cb, 6);
6590 ADD_ALL_TESTS(test_client_cert_cb, 2);
6591 ADD_ALL_TESTS(test_ca_names, 3);
6592 ADD_ALL_TESTS(test_servername, 10);
6596 void cleanup_tests(void)
6599 OPENSSL_free(privkey);
6600 bio_s_mempacket_test_free();
6601 bio_s_always_retry_free();