2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/provider.h>
33 #include "ssltestlib.h"
35 #include "testutil/output.h"
36 #include "internal/nelem.h"
37 #include "internal/ktls.h"
38 #include "../ssl/ssl_local.h"
40 DEFINE_STACK_OF(OCSP_RESPID)
42 DEFINE_STACK_OF(X509_NAME)
44 static OPENSSL_CTX *libctx = NULL;
45 static OSSL_PROVIDER *defctxnull = NULL;
47 #ifndef OPENSSL_NO_TLS1_3
49 static SSL_SESSION *clientpsk = NULL;
50 static SSL_SESSION *serverpsk = NULL;
51 static const char *pskid = "Identity";
52 static const char *srvid;
54 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
55 size_t *idlen, SSL_SESSION **sess);
56 static int find_session_cb(SSL *ssl, const unsigned char *identity,
57 size_t identity_len, SSL_SESSION **sess);
59 static int use_session_cb_cnt = 0;
60 static int find_session_cb_cnt = 0;
62 static SSL_SESSION *create_a_psk(SSL *ssl);
65 static char *certsdir = NULL;
66 static char *cert = NULL;
67 static char *privkey = NULL;
68 static char *srpvfile = NULL;
69 static char *tmpfilename = NULL;
71 static int is_fips = 0;
73 #define LOG_BUFFER_SIZE 2048
74 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
75 static size_t server_log_buffer_index = 0;
76 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
77 static size_t client_log_buffer_index = 0;
78 static int error_writing_log = 0;
80 #ifndef OPENSSL_NO_OCSP
81 static const unsigned char orespder[] = "Dummy OCSP Response";
82 static int ocsp_server_called = 0;
83 static int ocsp_client_called = 0;
85 static int cdummyarg = 1;
86 static X509 *ocspcert = NULL;
89 #define NUM_EXTRA_CERTS 40
90 #define CLIENT_VERSION_LEN 2
93 * This structure is used to validate that the correct number of log messages
94 * of various types are emitted when emitting secret logs.
96 struct sslapitest_log_counts {
97 unsigned int rsa_key_exchange_count;
98 unsigned int master_secret_count;
99 unsigned int client_early_secret_count;
100 unsigned int client_handshake_secret_count;
101 unsigned int server_handshake_secret_count;
102 unsigned int client_application_secret_count;
103 unsigned int server_application_secret_count;
104 unsigned int early_exporter_secret_count;
105 unsigned int exporter_secret_count;
109 static unsigned char serverinfov1[] = {
110 0xff, 0xff, /* Dummy extension type */
111 0x00, 0x01, /* Extension length is 1 byte */
112 0xff /* Dummy extension data */
115 static unsigned char serverinfov2[] = {
117 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
118 0xff, 0xff, /* Dummy extension type */
119 0x00, 0x01, /* Extension length is 1 byte */
120 0xff /* Dummy extension data */
123 static int hostname_cb(SSL *s, int *al, void *arg)
125 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
127 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
128 || strcmp(hostname, "altgoodhost") == 0))
129 return SSL_TLSEXT_ERR_OK;
131 return SSL_TLSEXT_ERR_NOACK;
134 static void client_keylog_callback(const SSL *ssl, const char *line)
136 int line_length = strlen(line);
138 /* If the log doesn't fit, error out. */
139 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
140 TEST_info("Client log too full");
141 error_writing_log = 1;
145 strcat(client_log_buffer, line);
146 client_log_buffer_index += line_length;
147 client_log_buffer[client_log_buffer_index++] = '\n';
150 static void server_keylog_callback(const SSL *ssl, const char *line)
152 int line_length = strlen(line);
154 /* If the log doesn't fit, error out. */
155 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
156 TEST_info("Server log too full");
157 error_writing_log = 1;
161 strcat(server_log_buffer, line);
162 server_log_buffer_index += line_length;
163 server_log_buffer[server_log_buffer_index++] = '\n';
166 static int compare_hex_encoded_buffer(const char *hex_encoded,
174 if (!TEST_size_t_eq(raw_length * 2, hex_length))
177 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
178 sprintf(hexed, "%02x", raw[i]);
179 if (!TEST_int_eq(hexed[0], hex_encoded[j])
180 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
187 static int test_keylog_output(char *buffer, const SSL *ssl,
188 const SSL_SESSION *session,
189 struct sslapitest_log_counts *expected)
192 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
193 size_t client_random_size = SSL3_RANDOM_SIZE;
194 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
195 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
196 unsigned int rsa_key_exchange_count = 0;
197 unsigned int master_secret_count = 0;
198 unsigned int client_early_secret_count = 0;
199 unsigned int client_handshake_secret_count = 0;
200 unsigned int server_handshake_secret_count = 0;
201 unsigned int client_application_secret_count = 0;
202 unsigned int server_application_secret_count = 0;
203 unsigned int early_exporter_secret_count = 0;
204 unsigned int exporter_secret_count = 0;
206 for (token = strtok(buffer, " \n"); token != NULL;
207 token = strtok(NULL, " \n")) {
208 if (strcmp(token, "RSA") == 0) {
210 * Premaster secret. Tokens should be: 16 ASCII bytes of
211 * hex-encoded encrypted secret, then the hex-encoded pre-master
214 if (!TEST_ptr(token = strtok(NULL, " \n")))
216 if (!TEST_size_t_eq(strlen(token), 16))
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
221 * We can't sensibly check the log because the premaster secret is
222 * transient, and OpenSSL doesn't keep hold of it once the master
223 * secret is generated.
225 rsa_key_exchange_count++;
226 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
228 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
229 * client random, then the hex-encoded master secret.
231 client_random_size = SSL_get_client_random(ssl,
232 actual_client_random,
234 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
237 if (!TEST_ptr(token = strtok(NULL, " \n")))
239 if (!TEST_size_t_eq(strlen(token), 64))
241 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
242 actual_client_random,
243 client_random_size)))
246 if (!TEST_ptr(token = strtok(NULL, " \n")))
248 master_key_size = SSL_SESSION_get_master_key(session,
251 if (!TEST_size_t_ne(master_key_size, 0))
253 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
257 master_secret_count++;
258 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
259 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
260 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
261 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
262 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
263 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
264 || strcmp(token, "EXPORTER_SECRET") == 0) {
266 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
267 * client random, and then the hex-encoded secret. In this case,
268 * we treat all of these secrets identically and then just
269 * distinguish between them when counting what we saw.
271 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
272 client_early_secret_count++;
273 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
274 client_handshake_secret_count++;
275 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
276 server_handshake_secret_count++;
277 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
278 client_application_secret_count++;
279 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
280 server_application_secret_count++;
281 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
282 early_exporter_secret_count++;
283 else if (strcmp(token, "EXPORTER_SECRET") == 0)
284 exporter_secret_count++;
286 client_random_size = SSL_get_client_random(ssl,
287 actual_client_random,
289 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
292 if (!TEST_ptr(token = strtok(NULL, " \n")))
294 if (!TEST_size_t_eq(strlen(token), 64))
296 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
297 actual_client_random,
298 client_random_size)))
301 if (!TEST_ptr(token = strtok(NULL, " \n")))
305 * TODO(TLS1.3): test that application traffic secrets are what
308 TEST_info("Unexpected token %s\n", token);
313 /* Got what we expected? */
314 if (!TEST_size_t_eq(rsa_key_exchange_count,
315 expected->rsa_key_exchange_count)
316 || !TEST_size_t_eq(master_secret_count,
317 expected->master_secret_count)
318 || !TEST_size_t_eq(client_early_secret_count,
319 expected->client_early_secret_count)
320 || !TEST_size_t_eq(client_handshake_secret_count,
321 expected->client_handshake_secret_count)
322 || !TEST_size_t_eq(server_handshake_secret_count,
323 expected->server_handshake_secret_count)
324 || !TEST_size_t_eq(client_application_secret_count,
325 expected->client_application_secret_count)
326 || !TEST_size_t_eq(server_application_secret_count,
327 expected->server_application_secret_count)
328 || !TEST_size_t_eq(early_exporter_secret_count,
329 expected->early_exporter_secret_count)
330 || !TEST_size_t_eq(exporter_secret_count,
331 expected->exporter_secret_count))
336 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
337 static int test_keylog(void)
339 SSL_CTX *cctx = NULL, *sctx = NULL;
340 SSL *clientssl = NULL, *serverssl = NULL;
342 struct sslapitest_log_counts expected;
344 /* Clean up logging space */
345 memset(&expected, 0, sizeof(expected));
346 memset(client_log_buffer, 0, sizeof(client_log_buffer));
347 memset(server_log_buffer, 0, sizeof(server_log_buffer));
348 client_log_buffer_index = 0;
349 server_log_buffer_index = 0;
350 error_writing_log = 0;
352 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
355 &sctx, &cctx, cert, privkey)))
358 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
359 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
360 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
362 /* We also want to ensure that we use RSA-based key exchange. */
363 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
366 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
367 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
369 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
370 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
371 == client_keylog_callback))
373 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
374 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
375 == server_keylog_callback))
378 /* Now do a handshake and check that the logs have been written to. */
379 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
380 &clientssl, NULL, NULL))
381 || !TEST_true(create_ssl_connection(serverssl, clientssl,
383 || !TEST_false(error_writing_log)
384 || !TEST_int_gt(client_log_buffer_index, 0)
385 || !TEST_int_gt(server_log_buffer_index, 0))
389 * Now we want to test that our output data was vaguely sensible. We
390 * do that by using strtok and confirming that we have more or less the
391 * data we expect. For both client and server, we expect to see one master
392 * secret. The client should also see a RSA key exchange.
394 expected.rsa_key_exchange_count = 1;
395 expected.master_secret_count = 1;
396 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
397 SSL_get_session(clientssl), &expected)))
400 expected.rsa_key_exchange_count = 0;
401 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
402 SSL_get_session(serverssl), &expected)))
417 #ifndef OPENSSL_NO_TLS1_3
418 static int test_keylog_no_master_key(void)
420 SSL_CTX *cctx = NULL, *sctx = NULL;
421 SSL *clientssl = NULL, *serverssl = NULL;
422 SSL_SESSION *sess = NULL;
424 struct sslapitest_log_counts expected;
425 unsigned char buf[1];
426 size_t readbytes, written;
428 /* Clean up logging space */
429 memset(&expected, 0, sizeof(expected));
430 memset(client_log_buffer, 0, sizeof(client_log_buffer));
431 memset(server_log_buffer, 0, sizeof(server_log_buffer));
432 client_log_buffer_index = 0;
433 server_log_buffer_index = 0;
434 error_writing_log = 0;
436 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
437 TLS_client_method(), TLS1_VERSION, 0,
438 &sctx, &cctx, cert, privkey))
439 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
440 SSL3_RT_MAX_PLAIN_LENGTH)))
443 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
444 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
447 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
448 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
449 == client_keylog_callback))
452 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
453 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
454 == server_keylog_callback))
457 /* Now do a handshake and check that the logs have been written to. */
458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
459 &clientssl, NULL, NULL))
460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
462 || !TEST_false(error_writing_log))
466 * Now we want to test that our output data was vaguely sensible. For this
467 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
468 * TLSv1.3, but we do expect both client and server to emit keys.
470 expected.client_handshake_secret_count = 1;
471 expected.server_handshake_secret_count = 1;
472 expected.client_application_secret_count = 1;
473 expected.server_application_secret_count = 1;
474 expected.exporter_secret_count = 1;
475 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
476 SSL_get_session(clientssl), &expected))
477 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
478 SSL_get_session(serverssl),
482 /* Terminate old session and resume with early data. */
483 sess = SSL_get1_session(clientssl);
484 SSL_shutdown(clientssl);
485 SSL_shutdown(serverssl);
488 serverssl = clientssl = NULL;
491 memset(client_log_buffer, 0, sizeof(client_log_buffer));
492 memset(server_log_buffer, 0, sizeof(server_log_buffer));
493 client_log_buffer_index = 0;
494 server_log_buffer_index = 0;
496 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
497 &clientssl, NULL, NULL))
498 || !TEST_true(SSL_set_session(clientssl, sess))
499 /* Here writing 0 length early data is enough. */
500 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
501 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
503 SSL_READ_EARLY_DATA_ERROR)
504 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
505 SSL_EARLY_DATA_ACCEPTED)
506 || !TEST_true(create_ssl_connection(serverssl, clientssl,
508 || !TEST_true(SSL_session_reused(clientssl)))
511 /* In addition to the previous entries, expect early secrets. */
512 expected.client_early_secret_count = 1;
513 expected.early_exporter_secret_count = 1;
514 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
515 SSL_get_session(clientssl), &expected))
516 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
517 SSL_get_session(serverssl),
524 SSL_SESSION_free(sess);
534 #ifndef OPENSSL_NO_TLS1_2
535 static int full_client_hello_callback(SSL *s, int *al, void *arg)
538 const unsigned char *p;
540 /* We only configure two ciphers, but the SCSV is added automatically. */
542 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
544 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
547 const int expected_extensions[] = {
548 #ifndef OPENSSL_NO_EC
554 /* Make sure we can defer processing and get called back. */
556 return SSL_CLIENT_HELLO_RETRY;
558 len = SSL_client_hello_get0_ciphers(s, &p);
559 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
561 SSL_client_hello_get0_compression_methods(s, &p), 1)
562 || !TEST_int_eq(*p, 0))
563 return SSL_CLIENT_HELLO_ERROR;
564 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
565 return SSL_CLIENT_HELLO_ERROR;
566 if (len != OSSL_NELEM(expected_extensions) ||
567 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
568 printf("ClientHello callback expected extensions mismatch\n");
570 return SSL_CLIENT_HELLO_ERROR;
573 return SSL_CLIENT_HELLO_SUCCESS;
576 static int test_client_hello_cb(void)
578 SSL_CTX *cctx = NULL, *sctx = NULL;
579 SSL *clientssl = NULL, *serverssl = NULL;
580 int testctr = 0, testresult = 0;
582 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
583 TLS_client_method(), TLS1_VERSION, 0,
584 &sctx, &cctx, cert, privkey)))
586 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
588 /* The gimpy cipher list we configure can't do TLS 1.3. */
589 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
591 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
592 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
593 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL))
595 || !TEST_false(create_ssl_connection(serverssl, clientssl,
596 SSL_ERROR_WANT_CLIENT_HELLO_CB))
598 * Passing a -1 literal is a hack since
599 * the real value was lost.
601 || !TEST_int_eq(SSL_get_error(serverssl, -1),
602 SSL_ERROR_WANT_CLIENT_HELLO_CB)
603 || !TEST_true(create_ssl_connection(serverssl, clientssl,
618 static int test_no_ems(void)
620 SSL_CTX *cctx = NULL, *sctx = NULL;
621 SSL *clientssl = NULL, *serverssl = NULL;
624 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
625 TLS1_VERSION, TLS1_2_VERSION,
626 &sctx, &cctx, cert, privkey)) {
627 printf("Unable to create SSL_CTX pair\n");
631 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
633 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
634 printf("Unable to create SSL objects\n");
638 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
639 printf("Creating SSL connection failed\n");
643 if (SSL_get_extms_support(serverssl)) {
644 printf("Server reports Extended Master Secret support\n");
648 if (SSL_get_extms_support(clientssl)) {
649 printf("Client reports Extended Master Secret support\n");
664 * Very focused test to exercise a single case in the server-side state
665 * machine, when the ChangeCipherState message needs to actually change
666 * from one cipher to a different cipher (i.e., not changing from null
667 * encryption to real encryption).
669 static int test_ccs_change_cipher(void)
671 SSL_CTX *cctx = NULL, *sctx = NULL;
672 SSL *clientssl = NULL, *serverssl = NULL;
673 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
680 * Create a conection so we can resume and potentially (but not) use
681 * a different cipher in the second connection.
683 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
685 TLS1_VERSION, TLS1_2_VERSION,
686 &sctx, &cctx, cert, privkey))
687 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
690 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
693 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
694 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
697 shutdown_ssl_connection(serverssl, clientssl);
698 serverssl = clientssl = NULL;
700 /* Resume, preferring a different cipher. Our server will force the
701 * same cipher to be used as the initial handshake. */
702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
704 || !TEST_true(SSL_set_session(clientssl, sess))
705 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
708 || !TEST_true(SSL_session_reused(clientssl))
709 || !TEST_true(SSL_session_reused(serverssl))
710 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
711 || !TEST_ptr_eq(sesspre, sesspost)
712 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
713 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
715 shutdown_ssl_connection(serverssl, clientssl);
716 serverssl = clientssl = NULL;
719 * Now create a fresh connection and try to renegotiate a different
722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
724 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
727 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
728 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
729 || !TEST_true(SSL_renegotiate(clientssl))
730 || !TEST_true(SSL_renegotiate_pending(clientssl)))
732 /* Actually drive the renegotiation. */
733 for (i = 0; i < 3; i++) {
734 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
735 if (!TEST_ulong_eq(readbytes, 0))
737 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
738 SSL_ERROR_WANT_READ)) {
741 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
742 if (!TEST_ulong_eq(readbytes, 0))
744 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
745 SSL_ERROR_WANT_READ)) {
749 /* sesspre and sesspost should be different since the cipher changed. */
750 if (!TEST_false(SSL_renegotiate_pending(clientssl))
751 || !TEST_false(SSL_session_reused(clientssl))
752 || !TEST_false(SSL_session_reused(serverssl))
753 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
754 || !TEST_ptr_ne(sesspre, sesspost)
755 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
756 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
759 shutdown_ssl_connection(serverssl, clientssl);
760 serverssl = clientssl = NULL;
769 SSL_SESSION_free(sess);
775 static int execute_test_large_message(const SSL_METHOD *smeth,
776 const SSL_METHOD *cmeth,
777 int min_version, int max_version,
780 SSL_CTX *cctx = NULL, *sctx = NULL;
781 SSL *clientssl = NULL, *serverssl = NULL;
785 X509 *chaincert = NULL;
788 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
790 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
793 if (!TEST_ptr(chaincert))
796 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
797 max_version, &sctx, &cctx, cert,
803 * Test that read_ahead works correctly when dealing with large
806 SSL_CTX_set_read_ahead(cctx, 1);
810 * We assume the supplied certificate is big enough so that if we add
811 * NUM_EXTRA_CERTS it will make the overall message large enough. The
812 * default buffer size is requested to be 16k, but due to the way BUF_MEM
813 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
814 * test we need to have a message larger than that.
816 certlen = i2d_X509(chaincert, NULL);
817 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
818 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
819 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
820 if (!X509_up_ref(chaincert))
822 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
823 X509_free(chaincert);
828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
835 * Calling SSL_clear() first is not required but this tests that SSL_clear()
838 if (!TEST_true(SSL_clear(serverssl)))
843 X509_free(chaincert);
852 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
853 && !defined(OPENSSL_NO_SOCK)
855 /* sock must be connected */
856 static int ktls_chk_platform(int sock)
858 if (!ktls_enable(sock))
863 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
865 static char count = 1;
866 unsigned char cbuf[16000] = {0};
867 unsigned char sbuf[16000];
869 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
870 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
871 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
872 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
873 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
874 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
875 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
876 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
879 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
880 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
881 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
882 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
883 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
884 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
885 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
886 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
888 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
891 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
892 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
897 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
900 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
901 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
906 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
907 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
908 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
909 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
910 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
911 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
912 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
913 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
915 /* verify the payload */
916 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
919 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
920 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
921 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
922 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
925 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
926 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
930 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
931 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
932 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
935 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
936 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
940 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
941 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
942 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
945 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
946 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
950 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
951 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
952 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
955 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
956 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
965 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
966 int sis_ktls_tx, int sis_ktls_rx)
968 SSL_CTX *cctx = NULL, *sctx = NULL;
969 SSL *clientssl = NULL, *serverssl = NULL;
973 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
976 /* Skip this test if the platform does not support ktls */
977 if (!ktls_chk_platform(cfd))
980 /* Create a session based on SHA-256 */
981 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
983 TLS1_2_VERSION, TLS1_2_VERSION,
984 &sctx, &cctx, cert, privkey))
985 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
986 "AES128-GCM-SHA256"))
987 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
988 &clientssl, sfd, cfd)))
992 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
997 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1002 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1007 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1016 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1019 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1024 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1027 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1032 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1035 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1040 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1043 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1047 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1053 SSL_shutdown(clientssl);
1054 SSL_free(clientssl);
1057 SSL_shutdown(serverssl);
1058 SSL_free(serverssl);
1062 serverssl = clientssl = NULL;
1066 #define SENDFILE_SZ (16 * 4096)
1067 #define SENDFILE_CHUNK (4 * 4096)
1068 #define min(a,b) ((a) > (b) ? (b) : (a))
1070 static int test_ktls_sendfile(void)
1072 SSL_CTX *cctx = NULL, *sctx = NULL;
1073 SSL *clientssl = NULL, *serverssl = NULL;
1074 unsigned char *buf, *buf_dst;
1075 BIO *out = NULL, *in = NULL;
1076 int cfd, sfd, ffd, err;
1077 ssize_t chunk_size = 0;
1078 off_t chunk_off = 0;
1082 buf = OPENSSL_zalloc(SENDFILE_SZ);
1083 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1084 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1085 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1088 /* Skip this test if the platform does not support ktls */
1089 if (!ktls_chk_platform(sfd)) {
1094 /* Create a session based on SHA-256 */
1095 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1096 TLS_client_method(),
1097 TLS1_2_VERSION, TLS1_2_VERSION,
1098 &sctx, &cctx, cert, privkey))
1099 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1100 "AES128-GCM-SHA256"))
1101 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1102 &clientssl, sfd, cfd)))
1105 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1107 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1110 RAND_bytes(buf, SENDFILE_SZ);
1111 out = BIO_new_file(tmpfilename, "wb");
1115 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1120 in = BIO_new_file(tmpfilename, "rb");
1121 BIO_get_fp(in, &ffdp);
1124 while (chunk_off < SENDFILE_SZ) {
1125 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1126 while ((err = SSL_sendfile(serverssl,
1130 0)) != chunk_size) {
1131 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1134 while ((err = SSL_read(clientssl,
1135 buf_dst + chunk_off,
1136 chunk_size)) != chunk_size) {
1137 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1141 /* verify the payload */
1142 if (!TEST_mem_eq(buf_dst + chunk_off,
1148 chunk_off += chunk_size;
1154 SSL_shutdown(clientssl);
1155 SSL_free(clientssl);
1158 SSL_shutdown(serverssl);
1159 SSL_free(serverssl);
1163 serverssl = clientssl = NULL;
1167 OPENSSL_free(buf_dst);
1171 static int test_ktls_no_txrx_client_no_txrx_server(void)
1173 return execute_test_ktls(0, 0, 0, 0);
1176 static int test_ktls_no_rx_client_no_txrx_server(void)
1178 return execute_test_ktls(1, 0, 0, 0);
1181 static int test_ktls_no_tx_client_no_txrx_server(void)
1183 return execute_test_ktls(0, 1, 0, 0);
1186 static int test_ktls_client_no_txrx_server(void)
1188 return execute_test_ktls(1, 1, 0, 0);
1191 static int test_ktls_no_txrx_client_no_rx_server(void)
1193 return execute_test_ktls(0, 0, 1, 0);
1196 static int test_ktls_no_rx_client_no_rx_server(void)
1198 return execute_test_ktls(1, 0, 1, 0);
1201 static int test_ktls_no_tx_client_no_rx_server(void)
1203 return execute_test_ktls(0, 1, 1, 0);
1206 static int test_ktls_client_no_rx_server(void)
1208 return execute_test_ktls(1, 1, 1, 0);
1211 static int test_ktls_no_txrx_client_no_tx_server(void)
1213 return execute_test_ktls(0, 0, 0, 1);
1216 static int test_ktls_no_rx_client_no_tx_server(void)
1218 return execute_test_ktls(1, 0, 0, 1);
1221 static int test_ktls_no_tx_client_no_tx_server(void)
1223 return execute_test_ktls(0, 1, 0, 1);
1226 static int test_ktls_client_no_tx_server(void)
1228 return execute_test_ktls(1, 1, 0, 1);
1231 static int test_ktls_no_txrx_client_server(void)
1233 return execute_test_ktls(0, 0, 1, 1);
1236 static int test_ktls_no_rx_client_server(void)
1238 return execute_test_ktls(1, 0, 1, 1);
1241 static int test_ktls_no_tx_client_server(void)
1243 return execute_test_ktls(0, 1, 1, 1);
1246 static int test_ktls_client_server(void)
1248 return execute_test_ktls(1, 1, 1, 1);
1252 static int test_large_message_tls(void)
1254 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1255 TLS1_VERSION, 0, 0);
1258 static int test_large_message_tls_read_ahead(void)
1260 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1261 TLS1_VERSION, 0, 1);
1264 #ifndef OPENSSL_NO_DTLS
1265 static int test_large_message_dtls(void)
1268 * read_ahead is not relevant to DTLS because DTLS always acts as if
1269 * read_ahead is set.
1271 return execute_test_large_message(DTLS_server_method(),
1272 DTLS_client_method(),
1273 DTLS1_VERSION, 0, 0);
1277 #ifndef OPENSSL_NO_OCSP
1278 static int ocsp_server_cb(SSL *s, void *arg)
1280 int *argi = (int *)arg;
1281 unsigned char *copy = NULL;
1282 STACK_OF(OCSP_RESPID) *ids = NULL;
1283 OCSP_RESPID *id = NULL;
1286 /* In this test we are expecting exactly 1 OCSP_RESPID */
1287 SSL_get_tlsext_status_ids(s, &ids);
1288 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1289 return SSL_TLSEXT_ERR_ALERT_FATAL;
1291 id = sk_OCSP_RESPID_value(ids, 0);
1292 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1293 return SSL_TLSEXT_ERR_ALERT_FATAL;
1294 } else if (*argi != 1) {
1295 return SSL_TLSEXT_ERR_ALERT_FATAL;
1298 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1299 return SSL_TLSEXT_ERR_ALERT_FATAL;
1301 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1302 ocsp_server_called = 1;
1303 return SSL_TLSEXT_ERR_OK;
1306 static int ocsp_client_cb(SSL *s, void *arg)
1308 int *argi = (int *)arg;
1309 const unsigned char *respderin;
1312 if (*argi != 1 && *argi != 2)
1315 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1316 if (!TEST_mem_eq(orespder, len, respderin, len))
1319 ocsp_client_called = 1;
1323 static int test_tlsext_status_type(void)
1325 SSL_CTX *cctx = NULL, *sctx = NULL;
1326 SSL *clientssl = NULL, *serverssl = NULL;
1328 STACK_OF(OCSP_RESPID) *ids = NULL;
1329 OCSP_RESPID *id = NULL;
1330 BIO *certbio = NULL;
1332 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1334 &sctx, &cctx, cert, privkey))
1337 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1340 /* First just do various checks getting and setting tlsext_status_type */
1342 clientssl = SSL_new(cctx);
1343 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1344 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1345 TLSEXT_STATUSTYPE_ocsp))
1346 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1347 TLSEXT_STATUSTYPE_ocsp))
1350 SSL_free(clientssl);
1353 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1354 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1357 clientssl = SSL_new(cctx);
1358 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1360 SSL_free(clientssl);
1364 * Now actually do a handshake and check OCSP information is exchanged and
1365 * the callbacks get called
1367 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1368 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1369 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1370 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1372 &clientssl, NULL, NULL))
1373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1375 || !TEST_true(ocsp_client_called)
1376 || !TEST_true(ocsp_server_called))
1378 SSL_free(serverssl);
1379 SSL_free(clientssl);
1383 /* Try again but this time force the server side callback to fail */
1384 ocsp_client_called = 0;
1385 ocsp_server_called = 0;
1387 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1388 &clientssl, NULL, NULL))
1389 /* This should fail because the callback will fail */
1390 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1392 || !TEST_false(ocsp_client_called)
1393 || !TEST_false(ocsp_server_called))
1395 SSL_free(serverssl);
1396 SSL_free(clientssl);
1401 * This time we'll get the client to send an OCSP_RESPID that it will
1404 ocsp_client_called = 0;
1405 ocsp_server_called = 0;
1407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1408 &clientssl, NULL, NULL)))
1412 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1413 * specific one. We'll use the server cert.
1415 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1416 || !TEST_ptr(id = OCSP_RESPID_new())
1417 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1418 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1420 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1421 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1424 SSL_set_tlsext_status_ids(clientssl, ids);
1425 /* Control has been transferred */
1431 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1433 || !TEST_true(ocsp_client_called)
1434 || !TEST_true(ocsp_server_called))
1440 SSL_free(serverssl);
1441 SSL_free(clientssl);
1444 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1445 OCSP_RESPID_free(id);
1447 X509_free(ocspcert);
1454 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1455 static int new_called, remove_called, get_called;
1457 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1461 * sess has been up-refed for us, but we don't actually need it so free it
1464 SSL_SESSION_free(sess);
1468 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1473 static SSL_SESSION *get_sess_val = NULL;
1475 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1480 return get_sess_val;
1483 static int execute_test_session(int maxprot, int use_int_cache,
1486 SSL_CTX *sctx = NULL, *cctx = NULL;
1487 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1488 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1489 # ifndef OPENSSL_NO_TLS1_1
1490 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1492 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1493 int testresult = 0, numnewsesstick = 1;
1495 new_called = remove_called = 0;
1497 /* TLSv1.3 sends 2 NewSessionTickets */
1498 if (maxprot == TLS1_3_VERSION)
1501 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1502 TLS_client_method(), TLS1_VERSION, 0,
1503 &sctx, &cctx, cert, privkey)))
1507 * Only allow the max protocol version so we can force a connection failure
1510 SSL_CTX_set_min_proto_version(cctx, maxprot);
1511 SSL_CTX_set_max_proto_version(cctx, maxprot);
1513 /* Set up session cache */
1514 if (use_ext_cache) {
1515 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1516 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1518 if (use_int_cache) {
1519 /* Also covers instance where both are set */
1520 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1522 SSL_CTX_set_session_cache_mode(cctx,
1523 SSL_SESS_CACHE_CLIENT
1524 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1529 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1531 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1534 /* Should fail because it should already be in the cache */
1535 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1538 && (!TEST_int_eq(new_called, numnewsesstick)
1540 || !TEST_int_eq(remove_called, 0)))
1543 new_called = remove_called = 0;
1544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1545 &clientssl2, NULL, NULL))
1546 || !TEST_true(SSL_set_session(clientssl2, sess1))
1547 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1549 || !TEST_true(SSL_session_reused(clientssl2)))
1552 if (maxprot == TLS1_3_VERSION) {
1554 * In TLSv1.3 we should have created a new session even though we have
1555 * resumed. Since we attempted a resume we should also have removed the
1556 * old ticket from the cache so that we try to only use tickets once.
1559 && (!TEST_int_eq(new_called, 1)
1560 || !TEST_int_eq(remove_called, 1)))
1564 * In TLSv1.2 we expect to have resumed so no sessions added or
1568 && (!TEST_int_eq(new_called, 0)
1569 || !TEST_int_eq(remove_called, 0)))
1573 SSL_SESSION_free(sess1);
1574 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1576 shutdown_ssl_connection(serverssl2, clientssl2);
1577 serverssl2 = clientssl2 = NULL;
1579 new_called = remove_called = 0;
1580 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1581 &clientssl2, NULL, NULL))
1582 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1586 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1590 && (!TEST_int_eq(new_called, numnewsesstick)
1591 || !TEST_int_eq(remove_called, 0)))
1594 new_called = remove_called = 0;
1596 * This should clear sess2 from the cache because it is a "bad" session.
1597 * See SSL_set_session() documentation.
1599 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1602 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1604 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1607 if (use_int_cache) {
1608 /* Should succeeded because it should not already be in the cache */
1609 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1610 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1614 new_called = remove_called = 0;
1615 /* This shouldn't be in the cache so should fail */
1616 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1620 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1623 # if !defined(OPENSSL_NO_TLS1_1)
1624 new_called = remove_called = 0;
1625 /* Force a connection failure */
1626 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1627 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1628 &clientssl3, NULL, NULL))
1629 || !TEST_true(SSL_set_session(clientssl3, sess1))
1630 /* This should fail because of the mismatched protocol versions */
1631 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1635 /* We should have automatically removed the session from the cache */
1637 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1640 /* Should succeed because it should not already be in the cache */
1641 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1645 /* Now do some tests for server side caching */
1646 if (use_ext_cache) {
1647 SSL_CTX_sess_set_new_cb(cctx, NULL);
1648 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1649 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1650 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1651 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1652 get_sess_val = NULL;
1655 SSL_CTX_set_session_cache_mode(cctx, 0);
1656 /* Internal caching is the default on the server side */
1658 SSL_CTX_set_session_cache_mode(sctx,
1659 SSL_SESS_CACHE_SERVER
1660 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1662 SSL_free(serverssl1);
1663 SSL_free(clientssl1);
1664 serverssl1 = clientssl1 = NULL;
1665 SSL_free(serverssl2);
1666 SSL_free(clientssl2);
1667 serverssl2 = clientssl2 = NULL;
1668 SSL_SESSION_free(sess1);
1670 SSL_SESSION_free(sess2);
1673 SSL_CTX_set_max_proto_version(sctx, maxprot);
1674 if (maxprot == TLS1_2_VERSION)
1675 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1676 new_called = remove_called = get_called = 0;
1677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1679 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1681 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1682 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1685 if (use_int_cache) {
1686 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1688 * In TLSv1.3 it should not have been added to the internal cache,
1689 * except in the case where we also have an external cache (in that
1690 * case it gets added to the cache in order to generate remove
1691 * events after timeout).
1693 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1696 /* Should fail because it should already be in the cache */
1697 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1702 if (use_ext_cache) {
1703 SSL_SESSION *tmp = sess2;
1705 if (!TEST_int_eq(new_called, numnewsesstick)
1706 || !TEST_int_eq(remove_called, 0)
1707 || !TEST_int_eq(get_called, 0))
1710 * Delete the session from the internal cache to force a lookup from
1711 * the external cache. We take a copy first because
1712 * SSL_CTX_remove_session() also marks the session as non-resumable.
1714 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1715 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1716 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1718 SSL_SESSION_free(sess2);
1723 new_called = remove_called = get_called = 0;
1724 get_sess_val = sess2;
1725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1726 &clientssl2, NULL, NULL))
1727 || !TEST_true(SSL_set_session(clientssl2, sess1))
1728 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1730 || !TEST_true(SSL_session_reused(clientssl2)))
1733 if (use_ext_cache) {
1734 if (!TEST_int_eq(remove_called, 0))
1737 if (maxprot == TLS1_3_VERSION) {
1738 if (!TEST_int_eq(new_called, 1)
1739 || !TEST_int_eq(get_called, 0))
1742 if (!TEST_int_eq(new_called, 0)
1743 || !TEST_int_eq(get_called, 1))
1751 SSL_free(serverssl1);
1752 SSL_free(clientssl1);
1753 SSL_free(serverssl2);
1754 SSL_free(clientssl2);
1755 # ifndef OPENSSL_NO_TLS1_1
1756 SSL_free(serverssl3);
1757 SSL_free(clientssl3);
1759 SSL_SESSION_free(sess1);
1760 SSL_SESSION_free(sess2);
1766 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1768 static int test_session_with_only_int_cache(void)
1770 #ifndef OPENSSL_NO_TLS1_3
1771 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1775 #ifndef OPENSSL_NO_TLS1_2
1776 return execute_test_session(TLS1_2_VERSION, 1, 0);
1782 static int test_session_with_only_ext_cache(void)
1784 #ifndef OPENSSL_NO_TLS1_3
1785 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1789 #ifndef OPENSSL_NO_TLS1_2
1790 return execute_test_session(TLS1_2_VERSION, 0, 1);
1796 static int test_session_with_both_cache(void)
1798 #ifndef OPENSSL_NO_TLS1_3
1799 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1803 #ifndef OPENSSL_NO_TLS1_2
1804 return execute_test_session(TLS1_2_VERSION, 1, 1);
1810 #ifndef OPENSSL_NO_TLS1_3
1811 static SSL_SESSION *sesscache[6];
1812 static int do_cache;
1814 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1817 sesscache[new_called] = sess;
1819 /* We don't need the reference to the session, so free it */
1820 SSL_SESSION_free(sess);
1827 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1829 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1830 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1833 /* Start handshake on the server and client */
1834 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1835 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1836 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1837 || !TEST_true(create_ssl_connection(sssl, cssl,
1844 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1847 int sess_id_ctx = 1;
1849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1850 TLS_client_method(), TLS1_VERSION, 0,
1851 sctx, cctx, cert, privkey))
1852 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1853 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1854 (void *)&sess_id_ctx,
1855 sizeof(sess_id_ctx))))
1859 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1861 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1862 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1863 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1868 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1870 SSL *serverssl = NULL, *clientssl = NULL;
1873 /* Test that we can resume with all the tickets we got given */
1874 for (i = 0; i < idx * 2; i++) {
1876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1877 &clientssl, NULL, NULL))
1878 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1881 SSL_set_post_handshake_auth(clientssl, 1);
1883 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1888 * Following a successful resumption we only get 1 ticket. After a
1889 * failed one we should get idx tickets.
1892 if (!TEST_true(SSL_session_reused(clientssl))
1893 || !TEST_int_eq(new_called, 1))
1896 if (!TEST_false(SSL_session_reused(clientssl))
1897 || !TEST_int_eq(new_called, idx))
1902 /* After a post-handshake authentication we should get 1 new ticket */
1904 && (!post_handshake_verify(serverssl, clientssl)
1905 || !TEST_int_eq(new_called, 1)))
1908 SSL_shutdown(clientssl);
1909 SSL_shutdown(serverssl);
1910 SSL_free(serverssl);
1911 SSL_free(clientssl);
1912 serverssl = clientssl = NULL;
1913 SSL_SESSION_free(sesscache[i]);
1914 sesscache[i] = NULL;
1920 SSL_free(clientssl);
1921 SSL_free(serverssl);
1925 static int test_tickets(int stateful, int idx)
1927 SSL_CTX *sctx = NULL, *cctx = NULL;
1928 SSL *serverssl = NULL, *clientssl = NULL;
1932 /* idx is the test number, but also the number of tickets we want */
1937 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1940 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1941 &clientssl, NULL, NULL)))
1944 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1946 /* Check we got the number of tickets we were expecting */
1947 || !TEST_int_eq(idx, new_called))
1950 SSL_shutdown(clientssl);
1951 SSL_shutdown(serverssl);
1952 SSL_free(serverssl);
1953 SSL_free(clientssl);
1956 clientssl = serverssl = NULL;
1960 * Now we try to resume with the tickets we previously created. The
1961 * resumption attempt is expected to fail (because we're now using a new
1962 * SSL_CTX). We should see idx number of tickets issued again.
1965 /* Stop caching sessions - just count them */
1968 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1971 if (!check_resumption(idx, sctx, cctx, 0))
1974 /* Start again with caching sessions */
1981 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1985 &clientssl, NULL, NULL)))
1988 SSL_set_post_handshake_auth(clientssl, 1);
1990 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1992 /* Check we got the number of tickets we were expecting */
1993 || !TEST_int_eq(idx, new_called))
1996 /* After a post-handshake authentication we should get new tickets issued */
1997 if (!post_handshake_verify(serverssl, clientssl)
1998 || !TEST_int_eq(idx * 2, new_called))
2001 SSL_shutdown(clientssl);
2002 SSL_shutdown(serverssl);
2003 SSL_free(serverssl);
2004 SSL_free(clientssl);
2005 serverssl = clientssl = NULL;
2007 /* Stop caching sessions - just count them */
2011 * Check we can resume with all the tickets we created. This time around the
2012 * resumptions should all be successful.
2014 if (!check_resumption(idx, sctx, cctx, 1))
2020 SSL_free(serverssl);
2021 SSL_free(clientssl);
2022 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2023 SSL_SESSION_free(sesscache[j]);
2024 sesscache[j] = NULL;
2032 static int test_stateless_tickets(int idx)
2034 return test_tickets(0, idx);
2037 static int test_stateful_tickets(int idx)
2039 return test_tickets(1, idx);
2042 static int test_psk_tickets(void)
2044 SSL_CTX *sctx = NULL, *cctx = NULL;
2045 SSL *serverssl = NULL, *clientssl = NULL;
2047 int sess_id_ctx = 1;
2049 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2050 TLS_client_method(), TLS1_VERSION, 0,
2051 &sctx, &cctx, NULL, NULL))
2052 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2053 (void *)&sess_id_ctx,
2054 sizeof(sess_id_ctx))))
2057 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2058 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2059 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2060 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2061 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2062 use_session_cb_cnt = 0;
2063 find_session_cb_cnt = 0;
2067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2070 clientpsk = serverpsk = create_a_psk(clientssl);
2071 if (!TEST_ptr(clientpsk))
2073 SSL_SESSION_up_ref(clientpsk);
2075 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2077 || !TEST_int_eq(1, find_session_cb_cnt)
2078 || !TEST_int_eq(1, use_session_cb_cnt)
2079 /* We should always get 1 ticket when using external PSK */
2080 || !TEST_int_eq(1, new_called))
2086 SSL_free(serverssl);
2087 SSL_free(clientssl);
2090 SSL_SESSION_free(clientpsk);
2091 SSL_SESSION_free(serverpsk);
2092 clientpsk = serverpsk = NULL;
2097 static int test_extra_tickets(int idx)
2099 SSL_CTX *sctx = NULL, *cctx = NULL;
2100 SSL *serverssl = NULL, *clientssl = NULL;
2101 BIO *bretry = BIO_new(bio_s_always_retry());
2106 unsigned char c, buf[1];
2116 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2118 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2119 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2120 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2122 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2123 &clientssl, NULL, NULL)))
2127 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2128 * incremented by both client and server.
2130 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2132 /* Check we got the number of tickets we were expecting */
2133 || !TEST_int_eq(idx * 2, new_called)
2134 || !TEST_true(SSL_new_session_ticket(serverssl))
2135 || !TEST_true(SSL_new_session_ticket(serverssl))
2136 || !TEST_int_eq(idx * 2, new_called))
2139 /* Now try a (real) write to actually send the tickets */
2141 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2142 || !TEST_size_t_eq(1, nbytes)
2143 || !TEST_int_eq(idx * 2 + 2, new_called)
2144 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2145 || !TEST_int_eq(idx * 2 + 4, new_called)
2146 || !TEST_int_eq(sizeof(buf), nbytes)
2147 || !TEST_int_eq(c, buf[0])
2148 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2151 /* Try with only requesting one new ticket, too */
2154 if (!TEST_true(SSL_new_session_ticket(serverssl))
2155 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2156 || !TEST_size_t_eq(sizeof(c), nbytes)
2157 || !TEST_int_eq(1, new_called)
2158 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2159 || !TEST_int_eq(2, new_called)
2160 || !TEST_size_t_eq(sizeof(buf), nbytes)
2161 || !TEST_int_eq(c, buf[0]))
2164 /* Do it again but use dummy writes to drive the ticket generation */
2167 if (!TEST_true(SSL_new_session_ticket(serverssl))
2168 || !TEST_true(SSL_new_session_ticket(serverssl))
2169 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2170 || !TEST_size_t_eq(0, nbytes)
2171 || !TEST_int_eq(2, new_called)
2172 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2173 || !TEST_int_eq(4, new_called))
2177 * Use the always-retry BIO to exercise the logic that forces ticket
2178 * generation to wait until a record boundary.
2182 tmp = SSL_get_wbio(serverssl);
2183 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2187 SSL_set0_wbio(serverssl, bretry);
2189 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2190 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2191 || !TEST_size_t_eq(nbytes, 0))
2193 /* Restore a BIO that will let the write succeed */
2194 SSL_set0_wbio(serverssl, tmp);
2196 /* These calls should just queue the request and not send anything. */
2197 if (!TEST_true(SSL_new_session_ticket(serverssl))
2198 || !TEST_true(SSL_new_session_ticket(serverssl))
2199 || !TEST_int_eq(0, new_called))
2201 /* Re-do the write; still no tickets sent */
2202 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2203 || !TEST_size_t_eq(1, nbytes)
2204 || !TEST_int_eq(0, new_called)
2205 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2206 || !TEST_int_eq(0, new_called)
2207 || !TEST_int_eq(sizeof(buf), nbytes)
2208 || !TEST_int_eq(c, buf[0])
2209 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2211 /* Now the *next* write should send the tickets */
2213 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2214 || !TEST_size_t_eq(1, nbytes)
2215 || !TEST_int_eq(2, new_called)
2216 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2217 || !TEST_int_eq(4, new_called)
2218 || !TEST_int_eq(sizeof(buf), nbytes)
2219 || !TEST_int_eq(c, buf[0])
2220 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2223 SSL_shutdown(clientssl);
2224 SSL_shutdown(serverssl);
2230 SSL_free(serverssl);
2231 SSL_free(clientssl);
2234 clientssl = serverssl = NULL;
2243 #define USE_DEFAULT 3
2245 #define CONNTYPE_CONNECTION_SUCCESS 0
2246 #define CONNTYPE_CONNECTION_FAIL 1
2247 #define CONNTYPE_NO_CONNECTION 2
2249 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2250 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2251 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2252 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2254 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2257 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2258 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2259 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2261 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2278 * Tests calls to SSL_set_bio() under various conditions.
2280 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2281 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2282 * then do more tests where we create a successful connection first using our
2283 * standard connection setup functions, and then call SSL_set_bio() with
2284 * various combinations of valid BIOs or NULL. We then repeat these tests
2285 * following a failed connection. In this last case we are looking to check that
2286 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2288 static int test_ssl_set_bio(int idx)
2290 SSL_CTX *sctx = NULL, *cctx = NULL;
2293 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2294 SSL *serverssl = NULL, *clientssl = NULL;
2295 int initrbio, initwbio, newrbio, newwbio, conntype;
2298 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2306 conntype = CONNTYPE_NO_CONNECTION;
2308 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2309 initrbio = initwbio = USE_DEFAULT;
2317 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2318 TLS_client_method(), TLS1_VERSION, 0,
2319 &sctx, &cctx, cert, privkey)))
2322 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2324 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2325 * because we reduced the number of tests in the definition of
2326 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2327 * mismatched protocol versions we will force a connection failure.
2329 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2330 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2333 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2337 if (initrbio == USE_BIO_1
2338 || initwbio == USE_BIO_1
2339 || newrbio == USE_BIO_1
2340 || newwbio == USE_BIO_1) {
2341 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2345 if (initrbio == USE_BIO_2
2346 || initwbio == USE_BIO_2
2347 || newrbio == USE_BIO_2
2348 || newwbio == USE_BIO_2) {
2349 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2353 if (initrbio != USE_DEFAULT) {
2354 setupbio(&irbio, bio1, bio2, initrbio);
2355 setupbio(&iwbio, bio1, bio2, initwbio);
2356 SSL_set_bio(clientssl, irbio, iwbio);
2359 * We want to maintain our own refs to these BIO, so do an up ref for
2360 * each BIO that will have ownership transferred in the SSL_set_bio()
2365 if (iwbio != NULL && iwbio != irbio)
2369 if (conntype != CONNTYPE_NO_CONNECTION
2370 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2372 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2375 setupbio(&nrbio, bio1, bio2, newrbio);
2376 setupbio(&nwbio, bio1, bio2, newwbio);
2379 * We will (maybe) transfer ownership again so do more up refs.
2380 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2385 && (nwbio != iwbio || nrbio != nwbio))
2389 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2392 SSL_set_bio(clientssl, nrbio, nwbio);
2401 * This test is checking that the ref counting for SSL_set_bio is correct.
2402 * If we get here and we did too many frees then we will fail in the above
2405 SSL_free(serverssl);
2406 SSL_free(clientssl);
2412 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2414 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2416 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2421 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2422 || !TEST_ptr(ssl = SSL_new(ctx))
2423 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2424 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2427 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2430 * If anything goes wrong here then we could leak memory.
2432 BIO_push(sslbio, membio1);
2434 /* Verify changing the rbio/wbio directly does not cause leaks */
2435 if (change_bio != NO_BIO_CHANGE) {
2436 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2438 if (change_bio == CHANGE_RBIO)
2439 SSL_set0_rbio(ssl, membio2);
2441 SSL_set0_wbio(ssl, membio2);
2460 static int test_ssl_bio_pop_next_bio(void)
2462 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2465 static int test_ssl_bio_pop_ssl_bio(void)
2467 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2470 static int test_ssl_bio_change_rbio(void)
2472 return execute_test_ssl_bio(0, CHANGE_RBIO);
2475 static int test_ssl_bio_change_wbio(void)
2477 return execute_test_ssl_bio(0, CHANGE_WBIO);
2480 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2482 /* The list of sig algs */
2484 /* The length of the list */
2486 /* A sigalgs list in string format */
2487 const char *liststr;
2488 /* Whether setting the list should succeed */
2490 /* Whether creating a connection with the list should succeed */
2494 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2495 # ifndef OPENSSL_NO_EC
2496 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2497 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2499 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2500 static const int invalidlist2[] = {NID_sha256, NID_undef};
2501 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2502 static const int invalidlist4[] = {NID_sha256};
2503 static const sigalgs_list testsigalgs[] = {
2504 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2505 # ifndef OPENSSL_NO_EC
2506 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2507 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2509 {NULL, 0, "RSA+SHA256", 1, 1},
2510 # ifndef OPENSSL_NO_EC
2511 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2512 {NULL, 0, "ECDSA+SHA512", 1, 0},
2514 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2515 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2516 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2517 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2518 {NULL, 0, "RSA", 0, 0},
2519 {NULL, 0, "SHA256", 0, 0},
2520 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2521 {NULL, 0, "Invalid", 0, 0}
2524 static int test_set_sigalgs(int idx)
2526 SSL_CTX *cctx = NULL, *sctx = NULL;
2527 SSL *clientssl = NULL, *serverssl = NULL;
2529 const sigalgs_list *curr;
2532 /* Should never happen */
2533 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2536 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2537 curr = testctx ? &testsigalgs[idx]
2538 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2540 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2541 TLS_client_method(), TLS1_VERSION, 0,
2542 &sctx, &cctx, cert, privkey)))
2546 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2547 * for TLSv1.2 for now until we add a new API.
2549 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2554 if (curr->list != NULL)
2555 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2557 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2561 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2567 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2572 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2573 &clientssl, NULL, NULL)))
2579 if (curr->list != NULL)
2580 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2582 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2585 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2594 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2602 SSL_free(serverssl);
2603 SSL_free(clientssl);
2611 #ifndef OPENSSL_NO_TLS1_3
2612 static int psk_client_cb_cnt = 0;
2613 static int psk_server_cb_cnt = 0;
2615 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2616 size_t *idlen, SSL_SESSION **sess)
2618 switch (++use_session_cb_cnt) {
2620 /* The first call should always have a NULL md */
2626 /* The second call should always have an md */
2632 /* We should only be called a maximum of twice */
2636 if (clientpsk != NULL)
2637 SSL_SESSION_up_ref(clientpsk);
2640 *id = (const unsigned char *)pskid;
2641 *idlen = strlen(pskid);
2646 #ifndef OPENSSL_NO_PSK
2647 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2648 unsigned int max_id_len,
2650 unsigned int max_psk_len)
2652 unsigned int psklen = 0;
2654 psk_client_cb_cnt++;
2656 if (strlen(pskid) + 1 > max_id_len)
2659 /* We should only ever be called a maximum of twice per connection */
2660 if (psk_client_cb_cnt > 2)
2663 if (clientpsk == NULL)
2666 /* We'll reuse the PSK we set up for TLSv1.3 */
2667 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2669 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2670 strncpy(id, pskid, max_id_len);
2674 #endif /* OPENSSL_NO_PSK */
2676 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2677 size_t identity_len, SSL_SESSION **sess)
2679 find_session_cb_cnt++;
2681 /* We should only ever be called a maximum of twice per connection */
2682 if (find_session_cb_cnt > 2)
2685 if (serverpsk == NULL)
2688 /* Identity should match that set by the client */
2689 if (strlen(srvid) != identity_len
2690 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2691 /* No PSK found, continue but without a PSK */
2696 SSL_SESSION_up_ref(serverpsk);
2702 #ifndef OPENSSL_NO_PSK
2703 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2704 unsigned char *psk, unsigned int max_psk_len)
2706 unsigned int psklen = 0;
2708 psk_server_cb_cnt++;
2710 /* We should only ever be called a maximum of twice per connection */
2711 if (find_session_cb_cnt > 2)
2714 if (serverpsk == NULL)
2717 /* Identity should match that set by the client */
2718 if (strcmp(srvid, identity) != 0) {
2722 /* We'll reuse the PSK we set up for TLSv1.3 */
2723 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2725 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2729 #endif /* OPENSSL_NO_PSK */
2731 #define MSG1 "Hello"
2732 #define MSG2 "World."
2737 #define MSG7 "message."
2739 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2740 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2743 static SSL_SESSION *create_a_psk(SSL *ssl)
2745 const SSL_CIPHER *cipher = NULL;
2746 const unsigned char key[] = {
2747 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2748 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2749 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2750 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2751 0x2c, 0x2d, 0x2e, 0x2f
2753 SSL_SESSION *sess = NULL;
2755 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2756 sess = SSL_SESSION_new();
2758 || !TEST_ptr(cipher)
2759 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2761 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2763 SSL_SESSION_set_protocol_version(sess,
2765 SSL_SESSION_free(sess);
2772 * Helper method to setup objects for early data test. Caller frees objects on
2775 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2776 SSL **serverssl, SSL_SESSION **sess, int idx)
2779 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2780 TLS_client_method(),
2782 sctx, cctx, cert, privkey)))
2785 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2789 /* When idx == 1 we repeat the tests with read_ahead set */
2790 SSL_CTX_set_read_ahead(*cctx, 1);
2791 SSL_CTX_set_read_ahead(*sctx, 1);
2792 } else if (idx == 2) {
2793 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2794 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2795 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2796 use_session_cb_cnt = 0;
2797 find_session_cb_cnt = 0;
2801 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2806 * For one of the run throughs (doesn't matter which one), we'll try sending
2807 * some SNI data in the initial ClientHello. This will be ignored (because
2808 * there is no SNI cb set up by the server), so it should not impact
2812 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2816 clientpsk = create_a_psk(*clientssl);
2817 if (!TEST_ptr(clientpsk)
2819 * We just choose an arbitrary value for max_early_data which
2820 * should be big enough for testing purposes.
2822 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2824 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2825 SSL_SESSION_free(clientpsk);
2829 serverpsk = clientpsk;
2832 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2833 SSL_SESSION_free(clientpsk);
2834 SSL_SESSION_free(serverpsk);
2835 clientpsk = serverpsk = NULL;
2846 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2850 *sess = SSL_get1_session(*clientssl);
2851 SSL_shutdown(*clientssl);
2852 SSL_shutdown(*serverssl);
2853 SSL_free(*serverssl);
2854 SSL_free(*clientssl);
2855 *serverssl = *clientssl = NULL;
2857 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2858 clientssl, NULL, NULL))
2859 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2865 static int test_early_data_read_write(int idx)
2867 SSL_CTX *cctx = NULL, *sctx = NULL;
2868 SSL *clientssl = NULL, *serverssl = NULL;
2870 SSL_SESSION *sess = NULL;
2871 unsigned char buf[20], data[1024];
2872 size_t readbytes, written, eoedlen, rawread, rawwritten;
2875 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2876 &serverssl, &sess, idx)))
2879 /* Write and read some early data */
2880 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2882 || !TEST_size_t_eq(written, strlen(MSG1))
2883 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2884 sizeof(buf), &readbytes),
2885 SSL_READ_EARLY_DATA_SUCCESS)
2886 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2887 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2888 SSL_EARLY_DATA_ACCEPTED))
2892 * Server should be able to write data, and client should be able to
2895 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2897 || !TEST_size_t_eq(written, strlen(MSG2))
2898 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2899 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2902 /* Even after reading normal data, client should be able write early data */
2903 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2905 || !TEST_size_t_eq(written, strlen(MSG3)))
2908 /* Server should still be able read early data after writing data */
2909 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2911 SSL_READ_EARLY_DATA_SUCCESS)
2912 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2915 /* Write more data from server and read it from client */
2916 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2918 || !TEST_size_t_eq(written, strlen(MSG4))
2919 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2920 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2924 * If client writes normal data it should mean writing early data is no
2927 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2928 || !TEST_size_t_eq(written, strlen(MSG5))
2929 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2930 SSL_EARLY_DATA_ACCEPTED))
2934 * At this point the client has written EndOfEarlyData, ClientFinished and
2935 * normal (fully protected) data. We are going to cause a delay between the
2936 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2937 * in the read BIO, and then just put back the EndOfEarlyData message.
2939 rbio = SSL_get_rbio(serverssl);
2940 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2941 || !TEST_size_t_lt(rawread, sizeof(data))
2942 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2945 /* Record length is in the 4th and 5th bytes of the record header */
2946 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2947 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2948 || !TEST_size_t_eq(rawwritten, eoedlen))
2951 /* Server should be told that there is no more early data */
2952 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2954 SSL_READ_EARLY_DATA_FINISH)
2955 || !TEST_size_t_eq(readbytes, 0))
2959 * Server has not finished init yet, so should still be able to write early
2962 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2964 || !TEST_size_t_eq(written, strlen(MSG6)))
2967 /* Push the ClientFinished and the normal data back into the server rbio */
2968 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2970 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2973 /* Server should be able to read normal data */
2974 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2975 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2978 /* Client and server should not be able to write/read early data now */
2979 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2983 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2985 SSL_READ_EARLY_DATA_ERROR))
2989 /* Client should be able to read the data sent by the server */
2990 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2991 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2995 * Make sure we process the two NewSessionTickets. These arrive
2996 * post-handshake. We attempt reads which we do not expect to return any
2999 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3000 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3004 /* Server should be able to write normal data */
3005 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3006 || !TEST_size_t_eq(written, strlen(MSG7))
3007 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3008 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3011 SSL_SESSION_free(sess);
3012 sess = SSL_get1_session(clientssl);
3013 use_session_cb_cnt = 0;
3014 find_session_cb_cnt = 0;
3016 SSL_shutdown(clientssl);
3017 SSL_shutdown(serverssl);
3018 SSL_free(serverssl);
3019 SSL_free(clientssl);
3020 serverssl = clientssl = NULL;
3021 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3022 &clientssl, NULL, NULL))
3023 || !TEST_true(SSL_set_session(clientssl, sess)))
3026 /* Write and read some early data */
3027 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3029 || !TEST_size_t_eq(written, strlen(MSG1))
3030 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3032 SSL_READ_EARLY_DATA_SUCCESS)
3033 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3036 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3037 || !TEST_int_gt(SSL_accept(serverssl), 0))
3040 /* Client and server should not be able to write/read early data now */
3041 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3045 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3047 SSL_READ_EARLY_DATA_ERROR))
3051 /* Client and server should be able to write/read normal data */
3052 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3053 || !TEST_size_t_eq(written, strlen(MSG5))
3054 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3055 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3061 SSL_SESSION_free(sess);
3062 SSL_SESSION_free(clientpsk);
3063 SSL_SESSION_free(serverpsk);
3064 clientpsk = serverpsk = NULL;
3065 SSL_free(serverssl);
3066 SSL_free(clientssl);
3072 static int allow_ed_cb_called = 0;
3074 static int allow_early_data_cb(SSL *s, void *arg)
3076 int *usecb = (int *)arg;
3078 allow_ed_cb_called++;
3087 * idx == 0: Standard early_data setup
3088 * idx == 1: early_data setup using read_ahead
3089 * usecb == 0: Don't use a custom early data callback
3090 * usecb == 1: Use a custom early data callback and reject the early data
3091 * usecb == 2: Use a custom early data callback and accept the early data
3092 * confopt == 0: Configure anti-replay directly
3093 * confopt == 1: Configure anti-replay using SSL_CONF
3095 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3097 SSL_CTX *cctx = NULL, *sctx = NULL;
3098 SSL *clientssl = NULL, *serverssl = NULL;
3100 SSL_SESSION *sess = NULL;
3101 size_t readbytes, written;
3102 unsigned char buf[20];
3104 allow_ed_cb_called = 0;
3106 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3107 TLS_client_method(), TLS1_VERSION, 0,
3108 &sctx, &cctx, cert, privkey)))
3113 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3115 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3117 if (!TEST_ptr(confctx))
3119 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3120 | SSL_CONF_FLAG_SERVER);
3121 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3122 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3124 SSL_CONF_CTX_free(confctx);
3127 SSL_CONF_CTX_free(confctx);
3129 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3132 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3133 &serverssl, &sess, idx)))
3137 * The server is configured to accept early data. Create a connection to
3138 * "use up" the ticket
3140 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3141 || !TEST_true(SSL_session_reused(clientssl)))
3144 SSL_shutdown(clientssl);
3145 SSL_shutdown(serverssl);
3146 SSL_free(serverssl);
3147 SSL_free(clientssl);
3148 serverssl = clientssl = NULL;
3150 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3151 &clientssl, NULL, NULL))
3152 || !TEST_true(SSL_set_session(clientssl, sess)))
3155 /* Write and read some early data */
3156 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3158 || !TEST_size_t_eq(written, strlen(MSG1)))
3162 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3164 SSL_READ_EARLY_DATA_FINISH)
3166 * The ticket was reused, so the we should have rejected the
3169 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3170 SSL_EARLY_DATA_REJECTED))
3173 /* In this case the callback decides to accept the early data */
3174 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3176 SSL_READ_EARLY_DATA_SUCCESS)
3177 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3179 * Server will have sent its flight so client can now send
3180 * end of early data and complete its half of the handshake
3182 || !TEST_int_gt(SSL_connect(clientssl), 0)
3183 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3185 SSL_READ_EARLY_DATA_FINISH)
3186 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3187 SSL_EARLY_DATA_ACCEPTED))
3191 /* Complete the connection */
3192 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3193 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3194 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3200 SSL_SESSION_free(sess);
3201 SSL_SESSION_free(clientpsk);
3202 SSL_SESSION_free(serverpsk);
3203 clientpsk = serverpsk = NULL;
3204 SSL_free(serverssl);
3205 SSL_free(clientssl);
3211 static int test_early_data_replay(int idx)
3213 int ret = 1, usecb, confopt;
3215 for (usecb = 0; usecb < 3; usecb++) {
3216 for (confopt = 0; confopt < 2; confopt++)
3217 ret &= test_early_data_replay_int(idx, usecb, confopt);
3224 * Helper function to test that a server attempting to read early data can
3225 * handle a connection from a client where the early data should be skipped.
3226 * testtype: 0 == No HRR
3227 * testtype: 1 == HRR
3228 * testtype: 2 == HRR, invalid early_data sent after HRR
3229 * testtype: 3 == recv_max_early_data set to 0
3231 static int early_data_skip_helper(int testtype, int idx)
3233 SSL_CTX *cctx = NULL, *sctx = NULL;
3234 SSL *clientssl = NULL, *serverssl = NULL;
3236 SSL_SESSION *sess = NULL;
3237 unsigned char buf[20];
3238 size_t readbytes, written;
3240 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3241 &serverssl, &sess, idx)))
3244 if (testtype == 1 || testtype == 2) {
3245 /* Force an HRR to occur */
3246 #if defined(OPENSSL_NO_EC)
3247 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3250 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3253 } else if (idx == 2) {
3255 * We force early_data rejection by ensuring the PSK identity is
3258 srvid = "Dummy Identity";
3261 * Deliberately corrupt the creation time. We take 20 seconds off the
3262 * time. It could be any value as long as it is not within tolerance.
3263 * This should mean the ticket is rejected.
3265 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3270 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3273 /* Write some early data */
3274 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3276 || !TEST_size_t_eq(written, strlen(MSG1)))
3279 /* Server should reject the early data */
3280 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3282 SSL_READ_EARLY_DATA_FINISH)
3283 || !TEST_size_t_eq(readbytes, 0)
3284 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3285 SSL_EARLY_DATA_REJECTED))
3295 * Finish off the handshake. We perform the same writes and reads as
3296 * further down but we expect them to fail due to the incomplete
3299 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3300 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3307 BIO *wbio = SSL_get_wbio(clientssl);
3308 /* A record that will appear as bad early_data */
3309 const unsigned char bad_early_data[] = {
3310 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3314 * We force the client to attempt a write. This will fail because
3315 * we're still in the handshake. It will cause the second
3316 * ClientHello to be sent.
3318 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3323 * Inject some early_data after the second ClientHello. This should
3324 * cause the server to fail
3326 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3327 sizeof(bad_early_data), &written)))
3334 * This client has sent more early_data than we are willing to skip
3335 * (case 3) or sent invalid early_data (case 2) so the connection should
3338 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3339 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3342 /* Connection has failed - nothing more to do */
3347 TEST_error("Invalid test type");
3352 * Should be able to send normal data despite rejection of early data. The
3353 * early_data should be skipped.
3355 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3356 || !TEST_size_t_eq(written, strlen(MSG2))
3357 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3358 SSL_EARLY_DATA_REJECTED)
3359 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3360 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3366 SSL_SESSION_free(clientpsk);
3367 SSL_SESSION_free(serverpsk);
3368 clientpsk = serverpsk = NULL;
3369 SSL_SESSION_free(sess);
3370 SSL_free(serverssl);
3371 SSL_free(clientssl);
3378 * Test that a server attempting to read early data can handle a connection
3379 * from a client where the early data is not acceptable.
3381 static int test_early_data_skip(int idx)
3383 return early_data_skip_helper(0, idx);
3387 * Test that a server attempting to read early data can handle a connection
3388 * from a client where an HRR occurs.
3390 static int test_early_data_skip_hrr(int idx)
3392 return early_data_skip_helper(1, idx);
3396 * Test that a server attempting to read early data can handle a connection
3397 * from a client where an HRR occurs and correctly fails if early_data is sent
3400 static int test_early_data_skip_hrr_fail(int idx)
3402 return early_data_skip_helper(2, idx);
3406 * Test that a server attempting to read early data will abort if it tries to
3407 * skip over too much.
3409 static int test_early_data_skip_abort(int idx)
3411 return early_data_skip_helper(3, idx);
3415 * Test that a server attempting to read early data can handle a connection
3416 * from a client that doesn't send any.
3418 static int test_early_data_not_sent(int idx)
3420 SSL_CTX *cctx = NULL, *sctx = NULL;
3421 SSL *clientssl = NULL, *serverssl = NULL;
3423 SSL_SESSION *sess = NULL;
3424 unsigned char buf[20];
3425 size_t readbytes, written;
3427 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3428 &serverssl, &sess, idx)))
3431 /* Write some data - should block due to handshake with server */
3432 SSL_set_connect_state(clientssl);
3433 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3436 /* Server should detect that early data has not been sent */
3437 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3439 SSL_READ_EARLY_DATA_FINISH)
3440 || !TEST_size_t_eq(readbytes, 0)
3441 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3442 SSL_EARLY_DATA_NOT_SENT)
3443 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3444 SSL_EARLY_DATA_NOT_SENT))
3447 /* Continue writing the message we started earlier */
3448 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3449 || !TEST_size_t_eq(written, strlen(MSG1))
3450 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3451 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3452 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3453 || !TEST_size_t_eq(written, strlen(MSG2)))
3456 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3457 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3463 SSL_SESSION_free(sess);
3464 SSL_SESSION_free(clientpsk);
3465 SSL_SESSION_free(serverpsk);
3466 clientpsk = serverpsk = NULL;
3467 SSL_free(serverssl);
3468 SSL_free(clientssl);
3474 static const char *servalpn;
3476 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3477 unsigned char *outlen, const unsigned char *in,
3478 unsigned int inlen, void *arg)
3480 unsigned int protlen = 0;
3481 const unsigned char *prot;
3483 for (prot = in; prot < in + inlen; prot += protlen) {
3485 if (in + inlen < prot + protlen)
3486 return SSL_TLSEXT_ERR_NOACK;
3488 if (protlen == strlen(servalpn)
3489 && memcmp(prot, servalpn, protlen) == 0) {
3492 return SSL_TLSEXT_ERR_OK;
3496 return SSL_TLSEXT_ERR_NOACK;
3499 /* Test that a PSK can be used to send early_data */
3500 static int test_early_data_psk(int idx)
3502 SSL_CTX *cctx = NULL, *sctx = NULL;
3503 SSL *clientssl = NULL, *serverssl = NULL;
3505 SSL_SESSION *sess = NULL;
3506 unsigned char alpnlist[] = {
3507 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3510 #define GOODALPNLEN 9
3511 #define BADALPNLEN 8
3512 #define GOODALPN (alpnlist)
3513 #define BADALPN (alpnlist + GOODALPNLEN)
3515 unsigned char buf[20];
3516 size_t readbytes, written;
3517 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3518 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3520 /* We always set this up with a final parameter of "2" for PSK */
3521 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3522 &serverssl, &sess, 2)))
3525 servalpn = "goodalpn";
3528 * Note: There is no test for inconsistent SNI with late client detection.
3529 * This is because servers do not acknowledge SNI even if they are using
3530 * it in a resumption handshake - so it is not actually possible for a
3531 * client to detect a problem.
3535 /* Set inconsistent SNI (early client detection) */
3536 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3537 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3538 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3543 /* Set inconsistent ALPN (early client detection) */
3544 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3545 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3546 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3548 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3555 * Set invalid protocol version. Technically this affects PSKs without
3556 * early_data too, but we test it here because it is similar to the
3557 * SNI/ALPN consistency tests.
3559 err = SSL_R_BAD_PSK;
3560 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3566 * Set inconsistent SNI (server side). In this case the connection
3567 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3568 * is associated with each handshake - not the session. Therefore it
3569 * should not matter that we used a different server name last time.
3571 SSL_SESSION_free(serverpsk);
3572 serverpsk = SSL_SESSION_dup(clientpsk);
3573 if (!TEST_ptr(serverpsk)
3574 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3578 /* Set consistent SNI */
3579 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3580 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3581 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3588 * Set inconsistent ALPN (server detected). In this case the connection
3589 * will succeed but reject early_data.
3591 servalpn = "badalpn";
3592 edstatus = SSL_EARLY_DATA_REJECTED;
3593 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3597 * Set consistent ALPN.
3598 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3599 * accepts a list of protos (each one length prefixed).
3600 * SSL_set1_alpn_selected accepts a single protocol (not length
3603 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3605 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3609 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3613 /* Set inconsistent ALPN (late client detection) */
3614 SSL_SESSION_free(serverpsk);
3615 serverpsk = SSL_SESSION_dup(clientpsk);
3616 if (!TEST_ptr(serverpsk)
3617 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3620 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3623 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3626 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3627 edstatus = SSL_EARLY_DATA_ACCEPTED;
3628 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3629 /* SSL_connect() call should fail */
3634 TEST_error("Bad test index");
3638 SSL_set_connect_state(clientssl);
3640 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3642 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3643 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3646 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3650 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3651 &readbytes), readearlyres)
3652 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3653 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3654 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3655 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3662 SSL_SESSION_free(sess);
3663 SSL_SESSION_free(clientpsk);
3664 SSL_SESSION_free(serverpsk);
3665 clientpsk = serverpsk = NULL;
3666 SSL_free(serverssl);
3667 SSL_free(clientssl);
3674 * Test that a server that doesn't try to read early data can handle a
3675 * client sending some.
3677 static int test_early_data_not_expected(int idx)
3679 SSL_CTX *cctx = NULL, *sctx = NULL;
3680 SSL *clientssl = NULL, *serverssl = NULL;
3682 SSL_SESSION *sess = NULL;
3683 unsigned char buf[20];
3684 size_t readbytes, written;
3686 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3687 &serverssl, &sess, idx)))
3690 /* Write some early data */
3691 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3696 * Server should skip over early data and then block waiting for client to
3697 * continue handshake
3699 if (!TEST_int_le(SSL_accept(serverssl), 0)
3700 || !TEST_int_gt(SSL_connect(clientssl), 0)
3701 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3702 SSL_EARLY_DATA_REJECTED)
3703 || !TEST_int_gt(SSL_accept(serverssl), 0)
3704 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3705 SSL_EARLY_DATA_REJECTED))
3708 /* Send some normal data from client to server */
3709 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3710 || !TEST_size_t_eq(written, strlen(MSG2)))
3713 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3714 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3720 SSL_SESSION_free(sess);
3721 SSL_SESSION_free(clientpsk);
3722 SSL_SESSION_free(serverpsk);
3723 clientpsk = serverpsk = NULL;
3724 SSL_free(serverssl);
3725 SSL_free(clientssl);
3732 # ifndef OPENSSL_NO_TLS1_2
3734 * Test that a server attempting to read early data can handle a connection
3735 * from a TLSv1.2 client.
3737 static int test_early_data_tls1_2(int idx)
3739 SSL_CTX *cctx = NULL, *sctx = NULL;
3740 SSL *clientssl = NULL, *serverssl = NULL;
3742 unsigned char buf[20];
3743 size_t readbytes, written;
3745 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3746 &serverssl, NULL, idx)))
3749 /* Write some data - should block due to handshake with server */
3750 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3751 SSL_set_connect_state(clientssl);
3752 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3756 * Server should do TLSv1.2 handshake. First it will block waiting for more
3757 * messages from client after ServerDone. Then SSL_read_early_data should
3758 * finish and detect that early data has not been sent
3760 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3762 SSL_READ_EARLY_DATA_ERROR))
3766 * Continue writing the message we started earlier. Will still block waiting
3767 * for the CCS/Finished from server
3769 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3770 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3772 SSL_READ_EARLY_DATA_FINISH)
3773 || !TEST_size_t_eq(readbytes, 0)
3774 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3775 SSL_EARLY_DATA_NOT_SENT))
3778 /* Continue writing the message we started earlier */
3779 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3780 || !TEST_size_t_eq(written, strlen(MSG1))
3781 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3782 SSL_EARLY_DATA_NOT_SENT)
3783 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3784 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3785 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3786 || !TEST_size_t_eq(written, strlen(MSG2))
3787 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3788 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3794 SSL_SESSION_free(clientpsk);
3795 SSL_SESSION_free(serverpsk);
3796 clientpsk = serverpsk = NULL;
3797 SSL_free(serverssl);
3798 SSL_free(clientssl);
3804 # endif /* OPENSSL_NO_TLS1_2 */
3807 * Test configuring the TLSv1.3 ciphersuites
3809 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3810 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3811 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3812 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3813 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3814 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3815 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3816 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3817 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3818 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3820 static int test_set_ciphersuite(int idx)
3822 SSL_CTX *cctx = NULL, *sctx = NULL;
3823 SSL *clientssl = NULL, *serverssl = NULL;
3826 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3827 TLS_client_method(), TLS1_VERSION, 0,
3828 &sctx, &cctx, cert, privkey))
3829 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3830 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3833 if (idx >=4 && idx <= 7) {
3834 /* SSL_CTX explicit cipher list */
3835 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3839 if (idx == 0 || idx == 4) {
3840 /* Default ciphersuite */
3841 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3842 "TLS_AES_128_GCM_SHA256")))
3844 } else if (idx == 1 || idx == 5) {
3845 /* Non default ciphersuite */
3846 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3847 "TLS_AES_128_CCM_SHA256")))
3851 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3852 &clientssl, NULL, NULL)))
3855 if (idx == 8 || idx == 9) {
3856 /* SSL explicit cipher list */
3857 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3861 if (idx == 2 || idx == 6 || idx == 8) {
3862 /* Default ciphersuite */
3863 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3864 "TLS_AES_128_GCM_SHA256")))
3866 } else if (idx == 3 || idx == 7 || idx == 9) {
3867 /* Non default ciphersuite */
3868 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3869 "TLS_AES_128_CCM_SHA256")))
3873 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3879 SSL_free(serverssl);
3880 SSL_free(clientssl);
3887 static int test_ciphersuite_change(void)
3889 SSL_CTX *cctx = NULL, *sctx = NULL;
3890 SSL *clientssl = NULL, *serverssl = NULL;
3891 SSL_SESSION *clntsess = NULL;
3893 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3895 /* Create a session based on SHA-256 */
3896 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3897 TLS_client_method(), TLS1_VERSION, 0,
3898 &sctx, &cctx, cert, privkey))
3899 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3900 "TLS_AES_128_GCM_SHA256:"
3901 "TLS_AES_256_GCM_SHA384:"
3902 "TLS_AES_128_CCM_SHA256"))
3903 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3904 "TLS_AES_128_GCM_SHA256"))
3905 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3906 &clientssl, NULL, NULL))
3907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3911 clntsess = SSL_get1_session(clientssl);
3912 /* Save for later */
3913 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3914 SSL_shutdown(clientssl);
3915 SSL_shutdown(serverssl);
3916 SSL_free(serverssl);
3917 SSL_free(clientssl);
3918 serverssl = clientssl = NULL;
3920 /* Check we can resume a session with a different SHA-256 ciphersuite */
3921 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3922 "TLS_AES_128_CCM_SHA256"))
3923 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3924 &clientssl, NULL, NULL))
3925 || !TEST_true(SSL_set_session(clientssl, clntsess))
3926 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3928 || !TEST_true(SSL_session_reused(clientssl)))
3931 SSL_SESSION_free(clntsess);
3932 clntsess = SSL_get1_session(clientssl);
3933 SSL_shutdown(clientssl);
3934 SSL_shutdown(serverssl);
3935 SSL_free(serverssl);
3936 SSL_free(clientssl);
3937 serverssl = clientssl = NULL;
3940 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3941 * succeeds but does not resume.
3943 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3944 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3946 || !TEST_true(SSL_set_session(clientssl, clntsess))
3947 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3949 || !TEST_false(SSL_session_reused(clientssl)))
3952 SSL_SESSION_free(clntsess);
3954 SSL_shutdown(clientssl);
3955 SSL_shutdown(serverssl);
3956 SSL_free(serverssl);
3957 SSL_free(clientssl);
3958 serverssl = clientssl = NULL;
3960 /* Create a session based on SHA384 */
3961 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3962 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3963 &clientssl, NULL, NULL))
3964 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3968 clntsess = SSL_get1_session(clientssl);
3969 SSL_shutdown(clientssl);
3970 SSL_shutdown(serverssl);
3971 SSL_free(serverssl);
3972 SSL_free(clientssl);
3973 serverssl = clientssl = NULL;
3975 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3976 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3977 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3978 "TLS_AES_256_GCM_SHA384"))
3979 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3981 || !TEST_true(SSL_set_session(clientssl, clntsess))
3983 * We use SSL_ERROR_WANT_READ below so that we can pause the
3984 * connection after the initial ClientHello has been sent to
3985 * enable us to make some session changes.
3987 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3988 SSL_ERROR_WANT_READ)))
3991 /* Trick the client into thinking this session is for a different digest */
3992 clntsess->cipher = aes_128_gcm_sha256;
3993 clntsess->cipher_id = clntsess->cipher->id;
3996 * Continue the previously started connection. Server has selected a SHA-384
3997 * ciphersuite, but client thinks the session is for SHA-256, so it should
4000 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4002 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4003 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4009 SSL_SESSION_free(clntsess);
4010 SSL_free(serverssl);
4011 SSL_free(clientssl);
4019 * Test TLSv1.3 Key exchange
4020 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4021 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4022 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4023 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4024 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4025 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4026 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4027 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4028 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4029 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4030 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4031 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4032 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4033 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4035 static int test_key_exchange(int idx)
4037 SSL_CTX *sctx = NULL, *cctx = NULL;
4038 SSL *serverssl = NULL, *clientssl = NULL;
4040 # ifndef OPENSSL_NO_EC
4041 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4042 NID_secp521r1, NID_X25519, NID_X448};
4044 # ifndef OPENSSL_NO_DH
4045 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4046 NID_ffdhe6144, NID_ffdhe8192};
4049 int *kexch_groups = &kexch_alg;
4050 int kexch_groups_size = 1;
4051 int max_version = TLS1_3_VERSION;
4054 # ifndef OPENSSL_NO_EC
4055 # ifndef OPENSSL_NO_TLS1_2
4057 max_version = TLS1_2_VERSION;
4061 kexch_groups = ecdhe_kexch_groups;
4062 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4065 kexch_alg = NID_X9_62_prime256v1;
4068 kexch_alg = NID_secp384r1;
4071 kexch_alg = NID_secp521r1;
4074 kexch_alg = NID_X25519;
4077 kexch_alg = NID_X448;
4080 # ifndef OPENSSL_NO_DH
4081 # ifndef OPENSSL_NO_TLS1_2
4083 max_version = TLS1_2_VERSION;
4087 kexch_groups = ffdhe_kexch_groups;
4088 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4091 kexch_alg = NID_ffdhe2048;
4094 kexch_alg = NID_ffdhe3072;
4097 kexch_alg = NID_ffdhe4096;
4100 kexch_alg = NID_ffdhe6144;
4103 kexch_alg = NID_ffdhe8192;
4107 /* We're skipping this test */
4111 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4112 TLS_client_method(), TLS1_VERSION,
4113 max_version, &sctx, &cctx, cert,
4117 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4118 TLS1_3_RFC_AES_128_GCM_SHA256)))
4121 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4122 TLS1_3_RFC_AES_128_GCM_SHA256)))
4125 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4126 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4130 * Must include an EC ciphersuite so that we send supported groups in
4133 # ifndef OPENSSL_NO_TLS1_2
4134 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4135 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4136 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4140 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4144 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4145 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4148 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4152 * If Handshake succeeds the negotiated kexch alg should be the first one in
4153 * configured, except in the case of FFDHE groups (idx 13), which are
4154 * TLSv1.3 only so we expect no shared group to exist.
4156 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4157 idx == 13 ? 0 : kexch_groups[0]))
4159 if (max_version == TLS1_3_VERSION) {
4160 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4162 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4168 SSL_free(serverssl);
4169 SSL_free(clientssl);
4176 * Test TLSv1.3 Cipher Suite
4177 * Test 0 = Set TLS1.3 cipher on context
4178 * Test 1 = Set TLS1.3 cipher on SSL
4179 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4180 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4182 static int test_tls13_ciphersuite(int idx)
4184 SSL_CTX *sctx = NULL, *cctx = NULL;
4185 SSL *serverssl = NULL, *clientssl = NULL;
4186 static const struct {
4187 const char *ciphername;
4190 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4191 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4192 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4193 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4194 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4195 { TLS1_3_RFC_AES_256_GCM_SHA384
4196 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4198 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4200 const char *t13_cipher = NULL;
4201 const char *t12_cipher = NULL;
4202 const char *negotiated_scipher;
4203 const char *negotiated_ccipher;
4219 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4223 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4227 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4228 # ifdef OPENSSL_NO_TLS1_2
4229 if (max_ver == TLS1_2_VERSION)
4232 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4233 if (is_fips && !t13_ciphers[i].fipscapable)
4235 t13_cipher = t13_ciphers[i].ciphername;
4236 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4237 TLS_client_method(),
4238 TLS1_VERSION, max_ver,
4239 &sctx, &cctx, cert, privkey)))
4243 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4244 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4246 if (t12_cipher != NULL) {
4247 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4248 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4254 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4255 &clientssl, NULL, NULL)))
4259 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4260 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4262 if (t12_cipher != NULL) {
4263 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4264 || !TEST_true(SSL_set_cipher_list(clientssl,
4270 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4274 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4276 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4278 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4282 * TEST_strn_eq is used below because t13_cipher can contain
4283 * multiple ciphersuites
4285 if (max_ver == TLS1_3_VERSION
4286 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4287 strlen(negotiated_scipher)))
4290 # ifndef OPENSSL_NO_TLS1_2
4291 /* Below validation is not done when t12_cipher is NULL */
4292 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4293 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4297 SSL_free(serverssl);
4299 SSL_free(clientssl);
4310 SSL_free(serverssl);
4311 SSL_free(clientssl);
4319 * Test 0 = Test new style callbacks
4320 * Test 1 = Test both new and old style callbacks
4321 * Test 2 = Test old style callbacks
4322 * Test 3 = Test old style callbacks with no certificate
4324 static int test_tls13_psk(int idx)
4326 SSL_CTX *sctx = NULL, *cctx = NULL;
4327 SSL *serverssl = NULL, *clientssl = NULL;
4328 const SSL_CIPHER *cipher = NULL;
4329 const unsigned char key[] = {
4330 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4331 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4332 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4333 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4337 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4338 TLS_client_method(), TLS1_VERSION, 0,
4339 &sctx, &cctx, idx == 3 ? NULL : cert,
4340 idx == 3 ? NULL : privkey)))
4345 * We use a ciphersuite with SHA256 to ease testing old style PSK
4346 * callbacks which will always default to SHA256. This should not be
4347 * necessary if we have no cert/priv key. In that case the server should
4348 * prefer SHA256 automatically.
4350 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4351 "TLS_AES_128_GCM_SHA256")))
4355 * As noted above the server should prefer SHA256 automatically. However
4356 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4357 * code works even if we are testing with only the FIPS provider loaded.
4359 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4360 "TLS_AES_256_GCM_SHA384:"
4361 "TLS_AES_128_GCM_SHA256")))
4366 * Test 0: New style callbacks only
4367 * Test 1: New and old style callbacks (only the new ones should be used)
4368 * Test 2: Old style callbacks only
4370 if (idx == 0 || idx == 1) {
4371 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4372 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4374 #ifndef OPENSSL_NO_PSK
4376 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4377 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4381 use_session_cb_cnt = 0;
4382 find_session_cb_cnt = 0;
4383 psk_client_cb_cnt = 0;
4384 psk_server_cb_cnt = 0;
4388 * Check we can create a connection if callback decides not to send a
4391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4395 || !TEST_false(SSL_session_reused(clientssl))
4396 || !TEST_false(SSL_session_reused(serverssl)))
4399 if (idx == 0 || idx == 1) {
4400 if (!TEST_true(use_session_cb_cnt == 1)
4401 || !TEST_true(find_session_cb_cnt == 0)
4403 * If no old style callback then below should be 0
4406 || !TEST_true(psk_client_cb_cnt == idx)
4407 || !TEST_true(psk_server_cb_cnt == 0))
4410 if (!TEST_true(use_session_cb_cnt == 0)
4411 || !TEST_true(find_session_cb_cnt == 0)
4412 || !TEST_true(psk_client_cb_cnt == 1)
4413 || !TEST_true(psk_server_cb_cnt == 0))
4417 shutdown_ssl_connection(serverssl, clientssl);
4418 serverssl = clientssl = NULL;
4419 use_session_cb_cnt = psk_client_cb_cnt = 0;
4422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4426 /* Create the PSK */
4427 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4428 clientpsk = SSL_SESSION_new();
4429 if (!TEST_ptr(clientpsk)
4430 || !TEST_ptr(cipher)
4431 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4433 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4434 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4436 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4438 serverpsk = clientpsk;
4440 /* Check we can create a connection and the PSK is used */
4441 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4442 || !TEST_true(SSL_session_reused(clientssl))
4443 || !TEST_true(SSL_session_reused(serverssl)))
4446 if (idx == 0 || idx == 1) {
4447 if (!TEST_true(use_session_cb_cnt == 1)
4448 || !TEST_true(find_session_cb_cnt == 1)
4449 || !TEST_true(psk_client_cb_cnt == 0)
4450 || !TEST_true(psk_server_cb_cnt == 0))
4453 if (!TEST_true(use_session_cb_cnt == 0)
4454 || !TEST_true(find_session_cb_cnt == 0)
4455 || !TEST_true(psk_client_cb_cnt == 1)
4456 || !TEST_true(psk_server_cb_cnt == 1))
4460 shutdown_ssl_connection(serverssl, clientssl);
4461 serverssl = clientssl = NULL;
4462 use_session_cb_cnt = find_session_cb_cnt = 0;
4463 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4465 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4470 #if defined(OPENSSL_NO_EC)
4471 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4474 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4479 * Check we can create a connection, the PSK is used and the callbacks are
4482 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4483 || !TEST_true(SSL_session_reused(clientssl))
4484 || !TEST_true(SSL_session_reused(serverssl)))
4487 if (idx == 0 || idx == 1) {
4488 if (!TEST_true(use_session_cb_cnt == 2)
4489 || !TEST_true(find_session_cb_cnt == 2)
4490 || !TEST_true(psk_client_cb_cnt == 0)
4491 || !TEST_true(psk_server_cb_cnt == 0))
4494 if (!TEST_true(use_session_cb_cnt == 0)
4495 || !TEST_true(find_session_cb_cnt == 0)
4496 || !TEST_true(psk_client_cb_cnt == 2)
4497 || !TEST_true(psk_server_cb_cnt == 2))
4501 shutdown_ssl_connection(serverssl, clientssl);
4502 serverssl = clientssl = NULL;
4503 use_session_cb_cnt = find_session_cb_cnt = 0;
4504 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4508 * Check that if the server rejects the PSK we can still connect, but with
4511 srvid = "Dummy Identity";
4512 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4514 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4516 || !TEST_false(SSL_session_reused(clientssl))
4517 || !TEST_false(SSL_session_reused(serverssl)))
4520 if (idx == 0 || idx == 1) {
4521 if (!TEST_true(use_session_cb_cnt == 1)
4522 || !TEST_true(find_session_cb_cnt == 1)
4523 || !TEST_true(psk_client_cb_cnt == 0)
4525 * If no old style callback then below should be 0
4528 || !TEST_true(psk_server_cb_cnt == idx))
4531 if (!TEST_true(use_session_cb_cnt == 0)
4532 || !TEST_true(find_session_cb_cnt == 0)
4533 || !TEST_true(psk_client_cb_cnt == 1)
4534 || !TEST_true(psk_server_cb_cnt == 1))
4538 shutdown_ssl_connection(serverssl, clientssl);
4539 serverssl = clientssl = NULL;
4544 SSL_SESSION_free(clientpsk);
4545 SSL_SESSION_free(serverpsk);
4546 clientpsk = serverpsk = NULL;
4547 SSL_free(serverssl);
4548 SSL_free(clientssl);
4554 static unsigned char cookie_magic_value[] = "cookie magic";
4556 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4557 unsigned int *cookie_len)
4560 * Not suitable as a real cookie generation function but good enough for
4563 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4564 *cookie_len = sizeof(cookie_magic_value) - 1;
4569 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4570 unsigned int cookie_len)
4572 if (cookie_len == sizeof(cookie_magic_value) - 1
4573 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4579 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4583 int res = generate_cookie_callback(ssl, cookie, &temp);
4588 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4591 return verify_cookie_callback(ssl, cookie, cookie_len);
4594 static int test_stateless(void)
4596 SSL_CTX *sctx = NULL, *cctx = NULL;
4597 SSL *serverssl = NULL, *clientssl = NULL;
4600 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4601 TLS_client_method(), TLS1_VERSION, 0,
4602 &sctx, &cctx, cert, privkey)))
4605 /* The arrival of CCS messages can confuse the test */
4606 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4608 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4610 /* Send the first ClientHello */
4611 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4612 SSL_ERROR_WANT_READ))
4614 * This should fail with a -1 return because we have no callbacks
4617 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4620 /* Fatal error so abandon the connection from this client */
4621 SSL_free(clientssl);
4624 /* Set up the cookie generation and verification callbacks */
4625 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4626 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4629 * Create a new connection from the client (we can reuse the server SSL
4632 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4634 /* Send the first ClientHello */
4635 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4636 SSL_ERROR_WANT_READ))
4637 /* This should fail because there is no cookie */
4638 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4641 /* Abandon the connection from this client */
4642 SSL_free(clientssl);
4646 * Now create a connection from a new client but with the same server SSL
4649 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4651 /* Send the first ClientHello */
4652 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4653 SSL_ERROR_WANT_READ))
4654 /* This should fail because there is no cookie */
4655 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4656 /* Send the second ClientHello */
4657 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4658 SSL_ERROR_WANT_READ))
4659 /* This should succeed because a cookie is now present */
4660 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4661 /* Complete the connection */
4662 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4666 shutdown_ssl_connection(serverssl, clientssl);
4667 serverssl = clientssl = NULL;
4671 SSL_free(serverssl);
4672 SSL_free(clientssl);
4678 #endif /* OPENSSL_NO_TLS1_3 */
4680 static int clntaddoldcb = 0;
4681 static int clntparseoldcb = 0;
4682 static int srvaddoldcb = 0;
4683 static int srvparseoldcb = 0;
4684 static int clntaddnewcb = 0;
4685 static int clntparsenewcb = 0;
4686 static int srvaddnewcb = 0;
4687 static int srvparsenewcb = 0;
4688 static int snicb = 0;
4690 #define TEST_EXT_TYPE1 0xff00
4692 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4693 size_t *outlen, int *al, void *add_arg)
4695 int *server = (int *)add_arg;
4696 unsigned char *data;
4698 if (SSL_is_server(s))
4703 if (*server != SSL_is_server(s)
4704 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4709 *outlen = sizeof(char);
4713 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4716 OPENSSL_free((unsigned char *)out);
4719 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4720 size_t inlen, int *al, void *parse_arg)
4722 int *server = (int *)parse_arg;
4724 if (SSL_is_server(s))
4729 if (*server != SSL_is_server(s)
4730 || inlen != sizeof(char)
4737 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4738 const unsigned char **out, size_t *outlen, X509 *x,
4739 size_t chainidx, int *al, void *add_arg)
4741 int *server = (int *)add_arg;
4742 unsigned char *data;
4744 if (SSL_is_server(s))
4749 if (*server != SSL_is_server(s)
4750 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4755 *outlen = sizeof(*data);
4759 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4760 const unsigned char *out, void *add_arg)
4762 OPENSSL_free((unsigned char *)out);
4765 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4766 const unsigned char *in, size_t inlen, X509 *x,
4767 size_t chainidx, int *al, void *parse_arg)
4769 int *server = (int *)parse_arg;
4771 if (SSL_is_server(s))
4776 if (*server != SSL_is_server(s)
4777 || inlen != sizeof(char) || *in != 1)
4783 static int sni_cb(SSL *s, int *al, void *arg)
4785 SSL_CTX *ctx = (SSL_CTX *)arg;
4787 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4788 *al = SSL_AD_INTERNAL_ERROR;
4789 return SSL_TLSEXT_ERR_ALERT_FATAL;
4792 return SSL_TLSEXT_ERR_OK;
4796 * Custom call back tests.
4797 * Test 0: Old style callbacks in TLSv1.2
4798 * Test 1: New style callbacks in TLSv1.2
4799 * Test 2: New style callbacks in TLSv1.2 with SNI
4800 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4801 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4803 static int test_custom_exts(int tst)
4805 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4806 SSL *clientssl = NULL, *serverssl = NULL;
4808 static int server = 1;
4809 static int client = 0;
4810 SSL_SESSION *sess = NULL;
4811 unsigned int context;
4813 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4814 /* Skip tests for TLSv1.2 and below in this case */
4819 /* Reset callback counters */
4820 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4821 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4824 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4825 TLS_client_method(), TLS1_VERSION, 0,
4826 &sctx, &cctx, cert, privkey)))
4830 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
4832 &sctx2, NULL, cert, privkey)))
4837 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4838 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4840 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4844 context = SSL_EXT_CLIENT_HELLO
4845 | SSL_EXT_TLS1_2_SERVER_HELLO
4846 | SSL_EXT_TLS1_3_SERVER_HELLO
4847 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4848 | SSL_EXT_TLS1_3_CERTIFICATE
4849 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4851 context = SSL_EXT_CLIENT_HELLO
4852 | SSL_EXT_TLS1_2_SERVER_HELLO
4853 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4856 /* Create a client side custom extension */
4858 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4859 old_add_cb, old_free_cb,
4860 &client, old_parse_cb,
4864 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4865 new_add_cb, new_free_cb,
4866 &client, new_parse_cb, &client)))
4870 /* Should not be able to add duplicates */
4871 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4872 old_add_cb, old_free_cb,
4873 &client, old_parse_cb,
4875 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4876 context, new_add_cb,
4877 new_free_cb, &client,
4878 new_parse_cb, &client)))
4881 /* Create a server side custom extension */
4883 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4884 old_add_cb, old_free_cb,
4885 &server, old_parse_cb,
4889 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4890 new_add_cb, new_free_cb,
4891 &server, new_parse_cb, &server)))
4894 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4895 context, new_add_cb,
4896 new_free_cb, &server,
4897 new_parse_cb, &server)))
4901 /* Should not be able to add duplicates */
4902 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4903 old_add_cb, old_free_cb,
4904 &server, old_parse_cb,
4906 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4907 context, new_add_cb,
4908 new_free_cb, &server,
4909 new_parse_cb, &server)))
4914 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4915 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4920 &clientssl, NULL, NULL))
4921 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4926 if (clntaddoldcb != 1
4927 || clntparseoldcb != 1
4929 || srvparseoldcb != 1)
4931 } else if (tst == 1 || tst == 2 || tst == 3) {
4932 if (clntaddnewcb != 1
4933 || clntparsenewcb != 1
4935 || srvparsenewcb != 1
4936 || (tst != 2 && snicb != 0)
4937 || (tst == 2 && snicb != 1))
4940 /* In this case there 2 NewSessionTicket messages created */
4941 if (clntaddnewcb != 1
4942 || clntparsenewcb != 5
4944 || srvparsenewcb != 1)
4948 sess = SSL_get1_session(clientssl);
4949 SSL_shutdown(clientssl);
4950 SSL_shutdown(serverssl);
4951 SSL_free(serverssl);
4952 SSL_free(clientssl);
4953 serverssl = clientssl = NULL;
4956 /* We don't bother with the resumption aspects for this test */
4961 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4963 || !TEST_true(SSL_set_session(clientssl, sess))
4964 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4969 * For a resumed session we expect to add the ClientHello extension. For the
4970 * old style callbacks we ignore it on the server side because they set
4971 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4975 if (clntaddoldcb != 2
4976 || clntparseoldcb != 1
4978 || srvparseoldcb != 1)
4980 } else if (tst == 1 || tst == 2 || tst == 3) {
4981 if (clntaddnewcb != 2
4982 || clntparsenewcb != 2
4984 || srvparsenewcb != 2)
4988 * No Certificate message extensions in the resumption handshake,
4989 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4991 if (clntaddnewcb != 2
4992 || clntparsenewcb != 8
4994 || srvparsenewcb != 2)
5001 SSL_SESSION_free(sess);
5002 SSL_free(serverssl);
5003 SSL_free(clientssl);
5004 SSL_CTX_free(sctx2);
5011 * Test loading of serverinfo data in various formats. test_sslmessages actually
5012 * tests to make sure the extensions appear in the handshake
5014 static int test_serverinfo(int tst)
5016 unsigned int version;
5017 unsigned char *sibuf;
5019 int ret, expected, testresult = 0;
5022 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5026 if ((tst & 0x01) == 0x01)
5027 version = SSL_SERVERINFOV2;
5029 version = SSL_SERVERINFOV1;
5031 if ((tst & 0x02) == 0x02) {
5032 sibuf = serverinfov2;
5033 sibuflen = sizeof(serverinfov2);
5034 expected = (version == SSL_SERVERINFOV2);
5036 sibuf = serverinfov1;
5037 sibuflen = sizeof(serverinfov1);
5038 expected = (version == SSL_SERVERINFOV1);
5041 if ((tst & 0x04) == 0x04) {
5042 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5044 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5047 * The version variable is irrelevant in this case - it's what is in the
5048 * buffer that matters
5050 if ((tst & 0x02) == 0x02)
5056 if (!TEST_true(ret == expected))
5068 * Test that SSL_export_keying_material() produces expected results. There are
5069 * no test vectors so all we do is test that both sides of the communication
5070 * produce the same results for different protocol versions.
5072 #define SMALL_LABEL_LEN 10
5073 #define LONG_LABEL_LEN 249
5074 static int test_export_key_mat(int tst)
5077 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5078 SSL *clientssl = NULL, *serverssl = NULL;
5079 const char label[LONG_LABEL_LEN + 1] = "test label";
5080 const unsigned char context[] = "context";
5081 const unsigned char *emptycontext = NULL;
5082 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5083 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5085 const int protocols[] = {
5094 #ifdef OPENSSL_NO_TLS1
5098 #ifdef OPENSSL_NO_TLS1_1
5102 if (is_fips && (tst == 0 || tst == 1))
5104 #ifdef OPENSSL_NO_TLS1_2
5108 #ifdef OPENSSL_NO_TLS1_3
5112 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5113 TLS_client_method(), TLS1_VERSION, 0,
5114 &sctx, &cctx, cert, privkey)))
5117 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5118 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5119 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5121 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5123 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5129 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5132 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5133 sizeof(ckeymat1), label,
5134 LONG_LABEL_LEN + 1, context,
5135 sizeof(context) - 1, 1), 0))
5140 } else if (tst == 4) {
5141 labellen = LONG_LABEL_LEN;
5143 labellen = SMALL_LABEL_LEN;
5146 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5147 sizeof(ckeymat1), label,
5149 sizeof(context) - 1, 1), 1)
5150 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5151 sizeof(ckeymat2), label,
5155 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5156 sizeof(ckeymat3), label,
5159 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5160 sizeof(skeymat1), label,
5163 sizeof(context) -1, 1),
5165 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5166 sizeof(skeymat2), label,
5170 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5171 sizeof(skeymat3), label,
5175 * Check that both sides created the same key material with the
5178 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5181 * Check that both sides created the same key material with an
5184 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5187 * Check that both sides created the same key material without a
5190 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5192 /* Different contexts should produce different results */
5193 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5198 * Check that an empty context and no context produce different results in
5199 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5201 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5203 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5210 SSL_free(serverssl);
5211 SSL_free(clientssl);
5212 SSL_CTX_free(sctx2);
5219 #ifndef OPENSSL_NO_TLS1_3
5221 * Test that SSL_export_keying_material_early() produces expected
5222 * results. There are no test vectors so all we do is test that both
5223 * sides of the communication produce the same results for different
5224 * protocol versions.
5226 static int test_export_key_mat_early(int idx)
5228 static const char label[] = "test label";
5229 static const unsigned char context[] = "context";
5231 SSL_CTX *cctx = NULL, *sctx = NULL;
5232 SSL *clientssl = NULL, *serverssl = NULL;
5233 SSL_SESSION *sess = NULL;
5234 const unsigned char *emptycontext = NULL;
5235 unsigned char ckeymat1[80], ckeymat2[80];
5236 unsigned char skeymat1[80], skeymat2[80];
5237 unsigned char buf[1];
5238 size_t readbytes, written;
5240 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5244 /* Here writing 0 length early data is enough. */
5245 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5246 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5248 SSL_READ_EARLY_DATA_ERROR)
5249 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5250 SSL_EARLY_DATA_ACCEPTED))
5253 if (!TEST_int_eq(SSL_export_keying_material_early(
5254 clientssl, ckeymat1, sizeof(ckeymat1), label,
5255 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5256 || !TEST_int_eq(SSL_export_keying_material_early(
5257 clientssl, ckeymat2, sizeof(ckeymat2), label,
5258 sizeof(label) - 1, emptycontext, 0), 1)
5259 || !TEST_int_eq(SSL_export_keying_material_early(
5260 serverssl, skeymat1, sizeof(skeymat1), label,
5261 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5262 || !TEST_int_eq(SSL_export_keying_material_early(
5263 serverssl, skeymat2, sizeof(skeymat2), label,
5264 sizeof(label) - 1, emptycontext, 0), 1)
5266 * Check that both sides created the same key material with the
5269 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5272 * Check that both sides created the same key material with an
5275 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5277 /* Different contexts should produce different results */
5278 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5285 SSL_SESSION_free(sess);
5286 SSL_SESSION_free(clientpsk);
5287 SSL_SESSION_free(serverpsk);
5288 clientpsk = serverpsk = NULL;
5289 SSL_free(serverssl);
5290 SSL_free(clientssl);
5297 #define NUM_KEY_UPDATE_MESSAGES 40
5301 static int test_key_update(void)
5303 SSL_CTX *cctx = NULL, *sctx = NULL;
5304 SSL *clientssl = NULL, *serverssl = NULL;
5305 int testresult = 0, i, j;
5307 static char *mess = "A test message";
5309 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5310 TLS_client_method(),
5313 &sctx, &cctx, cert, privkey))
5314 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5316 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5320 for (j = 0; j < 2; j++) {
5321 /* Send lots of KeyUpdate messages */
5322 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5323 if (!TEST_true(SSL_key_update(clientssl,
5325 ? SSL_KEY_UPDATE_NOT_REQUESTED
5326 : SSL_KEY_UPDATE_REQUESTED))
5327 || !TEST_true(SSL_do_handshake(clientssl)))
5331 /* Check that sending and receiving app data is ok */
5332 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5333 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5337 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5338 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5346 SSL_free(serverssl);
5347 SSL_free(clientssl);
5355 * Test we can handle a KeyUpdate (update requested) message while write data
5357 * Test 0: Client sends KeyUpdate while Server is writing
5358 * Test 1: Server sends KeyUpdate while Client is writing
5360 static int test_key_update_in_write(int tst)
5362 SSL_CTX *cctx = NULL, *sctx = NULL;
5363 SSL *clientssl = NULL, *serverssl = NULL;
5366 static char *mess = "A test message";
5367 BIO *bretry = BIO_new(bio_s_always_retry());
5369 SSL *peerupdate = NULL, *peerwrite = NULL;
5371 if (!TEST_ptr(bretry)
5372 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5373 TLS_client_method(),
5376 &sctx, &cctx, cert, privkey))
5377 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5379 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5383 peerupdate = tst == 0 ? clientssl : serverssl;
5384 peerwrite = tst == 0 ? serverssl : clientssl;
5386 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5387 || !TEST_true(SSL_do_handshake(peerupdate)))
5390 /* Swap the writing endpoint's write BIO to force a retry */
5391 tmp = SSL_get_wbio(peerwrite);
5392 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5396 SSL_set0_wbio(peerwrite, bretry);
5399 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5400 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5401 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5404 /* Reinstate the original writing endpoint's write BIO */
5405 SSL_set0_wbio(peerwrite, tmp);
5408 /* Now read some data - we will read the key update */
5409 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5410 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5414 * Complete the write we started previously and read it from the other
5417 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5418 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5421 /* Write more data to ensure we send the KeyUpdate message back */
5422 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5423 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5429 SSL_free(serverssl);
5430 SSL_free(clientssl);
5438 #endif /* OPENSSL_NO_TLS1_3 */
5440 static int test_ssl_clear(int idx)
5442 SSL_CTX *cctx = NULL, *sctx = NULL;
5443 SSL *clientssl = NULL, *serverssl = NULL;
5446 #ifdef OPENSSL_NO_TLS1_2
5451 /* Create an initial connection */
5452 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5453 TLS_client_method(), TLS1_VERSION, 0,
5454 &sctx, &cctx, cert, privkey))
5456 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5458 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5459 &clientssl, NULL, NULL))
5460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5464 SSL_shutdown(clientssl);
5465 SSL_shutdown(serverssl);
5466 SSL_free(serverssl);
5469 /* Clear clientssl - we're going to reuse the object */
5470 if (!TEST_true(SSL_clear(clientssl)))
5473 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5477 || !TEST_true(SSL_session_reused(clientssl)))
5480 SSL_shutdown(clientssl);
5481 SSL_shutdown(serverssl);
5486 SSL_free(serverssl);
5487 SSL_free(clientssl);
5494 /* Parse CH and retrieve any MFL extension value if present */
5495 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5498 unsigned char *data;
5499 PACKET pkt, pkt2, pkt3;
5500 unsigned int MFL_code = 0, type = 0;
5502 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5505 memset(&pkt, 0, sizeof(pkt));
5506 memset(&pkt2, 0, sizeof(pkt2));
5507 memset(&pkt3, 0, sizeof(pkt3));
5509 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5510 /* Skip the record header */
5511 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5512 /* Skip the handshake message header */
5513 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5514 /* Skip client version and random */
5515 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5516 + SSL3_RANDOM_SIZE))
5517 /* Skip session id */
5518 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5520 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5521 /* Skip compression */
5522 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5523 /* Extensions len */
5524 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5527 /* Loop through all extensions */
5528 while (PACKET_remaining(&pkt2)) {
5529 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5530 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5533 if (type == TLSEXT_TYPE_max_fragment_length) {
5534 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5535 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5538 *mfl_codemfl_code = MFL_code;
5547 /* Maximum-Fragment-Length TLS extension mode to test */
5548 static const unsigned char max_fragment_len_test[] = {
5549 TLSEXT_max_fragment_length_512,
5550 TLSEXT_max_fragment_length_1024,
5551 TLSEXT_max_fragment_length_2048,
5552 TLSEXT_max_fragment_length_4096
5555 static int test_max_fragment_len_ext(int idx_tst)
5559 int testresult = 0, MFL_mode = 0;
5562 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5566 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5567 ctx, max_fragment_len_test[idx_tst])))
5574 rbio = BIO_new(BIO_s_mem());
5575 wbio = BIO_new(BIO_s_mem());
5576 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5582 SSL_set_bio(con, rbio, wbio);
5583 SSL_set_connect_state(con);
5585 if (!TEST_int_le(SSL_connect(con), 0)) {
5586 /* This shouldn't succeed because we don't have a server! */
5590 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5591 /* no MFL in client hello */
5593 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5605 #ifndef OPENSSL_NO_TLS1_3
5606 static int test_pha_key_update(void)
5608 SSL_CTX *cctx = NULL, *sctx = NULL;
5609 SSL *clientssl = NULL, *serverssl = NULL;
5612 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5613 TLS_client_method(), TLS1_VERSION, 0,
5614 &sctx, &cctx, cert, privkey)))
5617 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5618 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5619 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5620 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5623 SSL_CTX_set_post_handshake_auth(cctx, 1);
5625 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5629 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5633 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5634 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5637 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5640 /* Start handshake on the server */
5641 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5644 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5645 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5649 SSL_shutdown(clientssl);
5650 SSL_shutdown(serverssl);
5655 SSL_free(serverssl);
5656 SSL_free(clientssl);
5663 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5665 static SRP_VBASE *vbase = NULL;
5667 DEFINE_STACK_OF(SRP_user_pwd)
5669 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5671 int ret = SSL3_AL_FATAL;
5673 SRP_user_pwd *user = NULL;
5675 username = SSL_get_srp_username(s);
5676 if (username == NULL) {
5677 *ad = SSL_AD_INTERNAL_ERROR;
5681 user = SRP_VBASE_get1_by_user(vbase, username);
5683 *ad = SSL_AD_INTERNAL_ERROR;
5687 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5689 *ad = SSL_AD_INTERNAL_ERROR;
5696 SRP_user_pwd_free(user);
5700 static int create_new_vfile(char *userid, char *password, const char *filename)
5703 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5706 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5709 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5712 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5713 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
5714 if (!TEST_ptr(gNid))
5718 * The only way to create an empty TXT_DB is to provide a BIO with no data
5721 db = TXT_DB_read(dummy, DB_NUMBER);
5725 out = BIO_new_file(filename, "w");
5729 row[DB_srpid] = OPENSSL_strdup(userid);
5730 row[DB_srptype] = OPENSSL_strdup("V");
5731 row[DB_srpgN] = OPENSSL_strdup(gNid);
5733 if (!TEST_ptr(row[DB_srpid])
5734 || !TEST_ptr(row[DB_srptype])
5735 || !TEST_ptr(row[DB_srpgN])
5736 || !TEST_true(TXT_DB_insert(db, row)))
5741 if (!TXT_DB_write(out, db))
5747 for (i = 0; i < DB_NUMBER; i++)
5748 OPENSSL_free(row[i]);
5758 static int create_new_vbase(char *userid, char *password)
5760 BIGNUM *verifier = NULL, *salt = NULL;
5761 const SRP_gN *lgN = NULL;
5762 SRP_user_pwd *user_pwd = NULL;
5765 lgN = SRP_get_default_gN(NULL);
5769 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5770 lgN->N, lgN->g, libctx, NULL)))
5773 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5774 if (!TEST_ptr(user_pwd))
5777 user_pwd->N = lgN->N;
5778 user_pwd->g = lgN->g;
5779 user_pwd->id = OPENSSL_strdup(userid);
5780 if (!TEST_ptr(user_pwd->id))
5783 user_pwd->v = verifier;
5785 verifier = salt = NULL;
5787 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5793 SRP_user_pwd_free(user_pwd);
5803 * Test 0: Simple successful SRP connection, new vbase
5804 * Test 1: Connection failure due to bad password, new vbase
5805 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5806 * Test 3: Connection failure due to bad password, vbase loaded from existing
5808 * Test 4: Simple successful SRP connection, vbase loaded from new file
5809 * Test 5: Connection failure due to bad password, vbase loaded from new file
5811 static int test_srp(int tst)
5813 char *userid = "test", *password = "password", *tstsrpfile;
5814 SSL_CTX *cctx = NULL, *sctx = NULL;
5815 SSL *clientssl = NULL, *serverssl = NULL;
5816 int ret, testresult = 0;
5818 vbase = SRP_VBASE_new(NULL);
5819 if (!TEST_ptr(vbase))
5822 if (tst == 0 || tst == 1) {
5823 if (!TEST_true(create_new_vbase(userid, password)))
5826 if (tst == 4 || tst == 5) {
5827 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5829 tstsrpfile = tmpfilename;
5831 tstsrpfile = srpvfile;
5833 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5837 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5838 TLS_client_method(), TLS1_VERSION, 0,
5839 &sctx, &cctx, cert, privkey)))
5842 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5843 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5844 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5845 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5846 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5850 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5853 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5857 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5861 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5863 if (!TEST_true(tst % 2 == 0))
5866 if (!TEST_true(tst % 2 == 1))
5873 SRP_VBASE_free(vbase);
5875 SSL_free(serverssl);
5876 SSL_free(clientssl);
5884 static int info_cb_failed = 0;
5885 static int info_cb_offset = 0;
5886 static int info_cb_this_state = -1;
5888 static struct info_cb_states_st {
5890 const char *statestr;
5891 } info_cb_states[][60] = {
5893 /* TLSv1.2 server followed by resumption */
5894 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5895 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5896 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5897 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5898 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5899 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5900 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5901 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5902 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5903 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5904 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5905 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5906 {SSL_CB_EXIT, NULL}, {0, NULL},
5908 /* TLSv1.2 client followed by resumption */
5909 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5910 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5911 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5912 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5913 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5914 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5915 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5916 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5917 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5918 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5919 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5920 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5922 /* TLSv1.3 server followed by resumption */
5923 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5924 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5925 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5926 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5927 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5928 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5929 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5930 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5931 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5932 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5933 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5934 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5935 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5937 /* TLSv1.3 client followed by resumption */
5938 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5939 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5940 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5941 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5942 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5943 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5944 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5945 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5946 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5947 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5948 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5949 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5950 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5951 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5952 {SSL_CB_EXIT, NULL}, {0, NULL},
5954 /* TLSv1.3 server, early_data */
5955 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5956 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5957 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5958 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5959 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5960 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5961 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5962 {SSL_CB_EXIT, NULL}, {0, NULL},
5964 /* TLSv1.3 client, early_data */
5965 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5966 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5967 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5968 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5969 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5970 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5971 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5972 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5973 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5979 static void sslapi_info_callback(const SSL *s, int where, int ret)
5981 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5983 /* We do not ever expect a connection to fail in this test */
5984 if (!TEST_false(ret == 0)) {
5990 * Do some sanity checks. We never expect these things to happen in this
5993 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5994 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5995 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6000 /* Now check we're in the right state */
6001 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6005 if ((where & SSL_CB_LOOP) != 0
6006 && !TEST_int_eq(strcmp(SSL_state_string(s),
6007 state[info_cb_this_state].statestr), 0)) {
6013 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6015 if ((where & SSL_CB_HANDSHAKE_DONE)
6016 && SSL_in_init((SSL *)s) != 0) {
6023 * Test the info callback gets called when we expect it to.
6025 * Test 0: TLSv1.2, server
6026 * Test 1: TLSv1.2, client
6027 * Test 2: TLSv1.3, server
6028 * Test 3: TLSv1.3, client
6029 * Test 4: TLSv1.3, server, early_data
6030 * Test 5: TLSv1.3, client, early_data
6032 static int test_info_callback(int tst)
6034 SSL_CTX *cctx = NULL, *sctx = NULL;
6035 SSL *clientssl = NULL, *serverssl = NULL;
6036 SSL_SESSION *clntsess = NULL;
6041 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6042 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6043 || !defined(OPENSSL_NO_DH))
6044 tlsvers = TLS1_2_VERSION;
6049 #ifndef OPENSSL_NO_TLS1_3
6050 tlsvers = TLS1_3_VERSION;
6058 info_cb_this_state = -1;
6059 info_cb_offset = tst;
6061 #ifndef OPENSSL_NO_TLS1_3
6063 SSL_SESSION *sess = NULL;
6064 size_t written, readbytes;
6065 unsigned char buf[80];
6067 /* early_data tests */
6068 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6069 &serverssl, &sess, 0)))
6072 /* We don't actually need this reference */
6073 SSL_SESSION_free(sess);
6075 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6076 sslapi_info_callback);
6078 /* Write and read some early data and then complete the connection */
6079 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6081 || !TEST_size_t_eq(written, strlen(MSG1))
6082 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6083 sizeof(buf), &readbytes),
6084 SSL_READ_EARLY_DATA_SUCCESS)
6085 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6086 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6087 SSL_EARLY_DATA_ACCEPTED)
6088 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6090 || !TEST_false(info_cb_failed))
6098 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6099 TLS_client_method(),
6100 tlsvers, tlsvers, &sctx, &cctx, cert,
6105 * For even numbered tests we check the server callbacks. For odd numbers we
6108 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6109 sslapi_info_callback);
6111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6112 &clientssl, NULL, NULL))
6113 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6115 || !TEST_false(info_cb_failed))
6120 clntsess = SSL_get1_session(clientssl);
6121 SSL_shutdown(clientssl);
6122 SSL_shutdown(serverssl);
6123 SSL_free(serverssl);
6124 SSL_free(clientssl);
6125 serverssl = clientssl = NULL;
6127 /* Now do a resumption */
6128 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6130 || !TEST_true(SSL_set_session(clientssl, clntsess))
6131 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6133 || !TEST_true(SSL_session_reused(clientssl))
6134 || !TEST_false(info_cb_failed))
6140 SSL_free(serverssl);
6141 SSL_free(clientssl);
6142 SSL_SESSION_free(clntsess);
6148 static int test_ssl_pending(int tst)
6150 SSL_CTX *cctx = NULL, *sctx = NULL;
6151 SSL *clientssl = NULL, *serverssl = NULL;
6153 char msg[] = "A test message";
6155 size_t written, readbytes;
6158 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6159 TLS_client_method(),
6161 &sctx, &cctx, cert, privkey)))
6164 #ifndef OPENSSL_NO_DTLS
6165 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6166 DTLS_client_method(),
6168 &sctx, &cctx, cert, privkey)))
6175 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6177 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6181 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6182 || !TEST_false(SSL_has_pending(clientssl))
6183 || !TEST_int_eq(SSL_pending(serverssl), 0)
6184 || !TEST_false(SSL_has_pending(serverssl))
6185 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6186 || !TEST_size_t_eq(written, sizeof(msg))
6187 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6188 || !TEST_size_t_eq(readbytes, sizeof(buf))
6189 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6190 || !TEST_true(SSL_has_pending(clientssl)))
6196 SSL_free(serverssl);
6197 SSL_free(clientssl);
6205 unsigned int maxprot;
6206 const char *clntciphers;
6207 const char *clnttls13ciphers;
6208 const char *srvrciphers;
6209 const char *srvrtls13ciphers;
6211 } shared_ciphers_data[] = {
6213 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6214 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6216 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6219 "AES128-SHA:AES256-SHA",
6221 "AES256-SHA:DHE-RSA-AES128-SHA",
6227 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6229 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6231 "AES128-SHA:AES256-SHA"
6235 "AES128-SHA:AES256-SHA",
6237 "AES128-SHA:DHE-RSA-AES128-SHA",
6243 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6246 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6247 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6250 "AES128-SHA:AES256-SHA",
6252 "AES256-SHA:AES128-SHA256",
6254 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6255 "TLS_AES_128_GCM_SHA256:AES256-SHA"
6258 #ifndef OPENSSL_NO_TLS1_3
6262 "TLS_AES_256_GCM_SHA384",
6264 "TLS_AES_256_GCM_SHA384",
6265 "TLS_AES_256_GCM_SHA384"
6270 static int test_ssl_get_shared_ciphers(int tst)
6272 SSL_CTX *cctx = NULL, *sctx = NULL;
6273 SSL *clientssl = NULL, *serverssl = NULL;
6277 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6278 TLS_client_method(),
6280 shared_ciphers_data[tst].maxprot,
6281 &sctx, &cctx, cert, privkey)))
6284 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6285 shared_ciphers_data[tst].clntciphers))
6286 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6287 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6288 shared_ciphers_data[tst].clnttls13ciphers)))
6289 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6290 shared_ciphers_data[tst].srvrciphers))
6291 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6292 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6293 shared_ciphers_data[tst].srvrtls13ciphers))))
6297 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6299 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6303 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6304 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6305 TEST_info("Shared ciphers are: %s\n", buf);
6312 SSL_free(serverssl);
6313 SSL_free(clientssl);
6320 static const char *appdata = "Hello World";
6321 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6322 static int tick_key_renew = 0;
6323 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6325 static int gen_tick_cb(SSL *s, void *arg)
6327 gen_tick_called = 1;
6329 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6333 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6334 const unsigned char *keyname,
6335 size_t keyname_length,
6336 SSL_TICKET_STATUS status,
6342 dec_tick_called = 1;
6344 if (status == SSL_TICKET_EMPTY)
6345 return SSL_TICKET_RETURN_IGNORE_RENEW;
6347 if (!TEST_true(status == SSL_TICKET_SUCCESS
6348 || status == SSL_TICKET_SUCCESS_RENEW))
6349 return SSL_TICKET_RETURN_ABORT;
6351 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6353 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6354 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6355 return SSL_TICKET_RETURN_ABORT;
6357 if (tick_key_cb_called) {
6358 /* Don't change what the ticket key callback wanted to do */
6360 case SSL_TICKET_NO_DECRYPT:
6361 return SSL_TICKET_RETURN_IGNORE_RENEW;
6363 case SSL_TICKET_SUCCESS:
6364 return SSL_TICKET_RETURN_USE;
6366 case SSL_TICKET_SUCCESS_RENEW:
6367 return SSL_TICKET_RETURN_USE_RENEW;
6370 return SSL_TICKET_RETURN_ABORT;
6373 return tick_dec_ret;
6377 #ifndef OPENSSL_NO_DEPRECATED_3_0
6378 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6379 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6380 HMAC_CTX *hctx, int enc)
6382 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6383 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6384 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6385 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6388 tick_key_cb_called = 1;
6389 memset(iv, 0, AES_BLOCK_SIZE);
6390 memset(key_name, 0, 16);
6391 if (aes128cbc == NULL
6393 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6394 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6398 ret = tick_key_renew ? 2 : 1;
6400 EVP_CIPHER_free(aes128cbc);
6401 EVP_MD_free(sha256);
6407 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6408 unsigned char iv[EVP_MAX_IV_LENGTH],
6409 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6411 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6412 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6413 OSSL_PARAM params[3];
6414 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6417 tick_key_cb_called = 1;
6418 memset(iv, 0, AES_BLOCK_SIZE);
6419 memset(key_name, 0, 16);
6420 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6422 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6424 sizeof(tick_hmac_key));
6425 params[2] = OSSL_PARAM_construct_end();
6426 if (aes128cbc == NULL
6427 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6428 || !EVP_MAC_CTX_set_params(hctx, params)
6429 || !EVP_MAC_init(hctx))
6432 ret = tick_key_renew ? 2 : 1;
6434 EVP_CIPHER_free(aes128cbc);
6440 * Test the various ticket callbacks
6441 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6442 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6443 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6444 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6445 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6446 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6447 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6448 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6449 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6450 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6451 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6452 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6453 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6454 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6455 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6456 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6458 static int test_ticket_callbacks(int tst)
6460 SSL_CTX *cctx = NULL, *sctx = NULL;
6461 SSL *clientssl = NULL, *serverssl = NULL;
6462 SSL_SESSION *clntsess = NULL;
6465 #ifdef OPENSSL_NO_TLS1_2
6469 #ifdef OPENSSL_NO_TLS1_3
6473 #ifdef OPENSSL_NO_DEPRECATED_3_0
6474 if (tst >= 8 && tst <= 11)
6478 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6480 /* Which tests the ticket key callback should request renewal for */
6481 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6486 /* Which tests the decrypt ticket callback should request renewal for */
6490 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6495 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6500 tick_dec_ret = SSL_TICKET_RETURN_USE;
6505 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6509 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6512 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6513 TLS_client_method(),
6515 ((tst % 2) == 0) ? TLS1_2_VERSION
6517 &sctx, &cctx, cert, privkey)))
6521 * We only want sessions to resume from tickets - not the session cache. So
6522 * switch the cache off.
6524 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6527 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6532 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6534 #ifndef OPENSSL_NO_DEPRECATED_3_0
6535 } else if (tst >= 8) {
6536 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6543 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6548 * The decrypt ticket key callback in TLSv1.2 should be called even though
6549 * we have no ticket yet, because it gets called with a status of
6550 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6551 * actually send any ticket data). This does not happen in TLSv1.3 because
6552 * it is not valid to send empty ticket data in TLSv1.3.
6554 if (!TEST_int_eq(gen_tick_called, 1)
6555 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6558 gen_tick_called = dec_tick_called = 0;
6560 clntsess = SSL_get1_session(clientssl);
6561 SSL_shutdown(clientssl);
6562 SSL_shutdown(serverssl);
6563 SSL_free(serverssl);
6564 SSL_free(clientssl);
6565 serverssl = clientssl = NULL;
6567 /* Now do a resumption */
6568 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6570 || !TEST_true(SSL_set_session(clientssl, clntsess))
6571 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6575 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6576 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6577 if (!TEST_false(SSL_session_reused(clientssl)))
6580 if (!TEST_true(SSL_session_reused(clientssl)))
6584 if (!TEST_int_eq(gen_tick_called,
6586 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6587 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6589 || !TEST_int_eq(dec_tick_called, 1))
6595 SSL_SESSION_free(clntsess);
6596 SSL_free(serverssl);
6597 SSL_free(clientssl);
6605 * Test bi-directional shutdown.
6607 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6608 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6609 * Test 3: TLSv1.3, pending NewSessionTicket messages
6610 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6611 * sends key update, client reads it
6612 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6613 * sends CertificateRequest, client reads and ignores it
6614 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6617 static int test_shutdown(int tst)
6619 SSL_CTX *cctx = NULL, *sctx = NULL;
6620 SSL *clientssl = NULL, *serverssl = NULL;
6622 char msg[] = "A test message";
6624 size_t written, readbytes;
6627 #ifdef OPENSSL_NO_TLS1_2
6631 #ifdef OPENSSL_NO_TLS1_3
6636 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6637 TLS_client_method(),
6639 (tst <= 1) ? TLS1_2_VERSION
6641 &sctx, &cctx, cert, privkey)))
6645 SSL_CTX_set_post_handshake_auth(cctx, 1);
6647 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6652 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6654 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6655 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6657 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6659 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6660 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6664 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6669 * Reading on the server after the client has sent close_notify should
6670 * fail and provide SSL_ERROR_ZERO_RETURN
6672 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6673 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6674 SSL_ERROR_ZERO_RETURN)
6675 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6676 SSL_RECEIVED_SHUTDOWN)
6678 * Even though we're shutdown on receive we should still be
6681 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6684 && !TEST_true(SSL_key_update(serverssl,
6685 SSL_KEY_UPDATE_REQUESTED)))
6688 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6689 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6692 if ((tst == 4 || tst == 5)
6693 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6695 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6697 if (tst == 4 || tst == 5) {
6698 /* Should still be able to read data from server */
6699 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6701 || !TEST_size_t_eq(readbytes, sizeof(msg))
6702 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6703 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6705 || !TEST_size_t_eq(readbytes, sizeof(msg))
6706 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6711 /* Writing on the client after sending close_notify shouldn't be possible */
6712 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6717 * For these tests the client has sent close_notify but it has not yet
6718 * been received by the server. The server has not sent close_notify
6721 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6723 * Writing on the server after sending close_notify shouldn't
6726 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6727 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6728 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6729 || !TEST_true(SSL_SESSION_is_resumable(sess))
6730 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6732 } else if (tst == 4 || tst == 5) {
6734 * In this test the client has sent close_notify and it has been
6735 * received by the server which has responded with a close_notify. The
6736 * client needs to read the close_notify sent by the server.
6738 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6739 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6740 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6746 * The client has sent close_notify and is expecting a close_notify
6747 * back, but instead there is application data first. The shutdown
6748 * should fail with a fatal error.
6750 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6751 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6758 SSL_free(serverssl);
6759 SSL_free(clientssl);
6766 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6767 static int cert_cb_cnt;
6769 static int cert_cb(SSL *s, void *arg)
6771 SSL_CTX *ctx = (SSL_CTX *)arg;
6773 EVP_PKEY *pkey = NULL;
6774 X509 *x509 = NULL, *rootx = NULL;
6775 STACK_OF(X509) *chain = NULL;
6776 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6779 if (cert_cb_cnt == 0) {
6780 /* Suspend the handshake */
6783 } else if (cert_cb_cnt == 1) {
6785 * Update the SSL_CTX, set the certificate and private key and then
6786 * continue the handshake normally.
6788 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6791 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6792 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6794 || !TEST_true(SSL_check_private_key(s)))
6798 } else if (cert_cb_cnt == 3) {
6801 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6802 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6803 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6804 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6806 chain = sk_X509_new_null();
6807 if (!TEST_ptr(chain))
6809 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6810 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6811 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6812 || !TEST_true(sk_X509_push(chain, rootx)))
6816 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6817 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6818 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6821 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6822 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6823 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6825 rv = SSL_check_chain(s, x509, pkey, chain);
6827 * If the cert doesn't show as valid here (e.g., because we don't
6828 * have any shared sigalgs), then we will not set it, and there will
6829 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6830 * will cause tls_choose_sigalgs() to fail the connection.
6832 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6833 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6834 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6841 /* Abort the handshake */
6843 OPENSSL_free(ecdsacert);
6844 OPENSSL_free(ecdsakey);
6845 OPENSSL_free(rootfile);
6847 EVP_PKEY_free(pkey);
6850 sk_X509_pop_free(chain, X509_free);
6855 * Test the certificate callback.
6856 * Test 0: Callback fails
6857 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6858 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6859 * Test 3: Success - Call SSL_check_chain from the callback
6860 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6862 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6864 static int test_cert_cb_int(int prot, int tst)
6866 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6867 SSL *clientssl = NULL, *serverssl = NULL;
6868 int testresult = 0, ret;
6870 #ifdef OPENSSL_NO_EC
6871 /* We use an EC cert in these tests, so we skip in a no-ec build */
6876 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6877 TLS_client_method(),
6880 &sctx, &cctx, NULL, NULL)))
6891 snictx = SSL_CTX_new(TLS_server_method());
6892 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6894 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6900 * We cause SSL_check_chain() to fail by specifying sig_algs that
6901 * the chain doesn't meet (the root uses an RSA cert)
6903 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6904 "ecdsa_secp256r1_sha256")))
6906 } else if (tst == 5) {
6908 * We cause SSL_check_chain() to fail by specifying sig_algs that
6909 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6911 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6912 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6916 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6917 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6919 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6926 SSL_free(serverssl);
6927 SSL_free(clientssl);
6930 SSL_CTX_free(snictx);
6936 static int test_cert_cb(int tst)
6940 #ifndef OPENSSL_NO_TLS1_2
6941 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6943 #ifndef OPENSSL_NO_TLS1_3
6944 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6950 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6956 /* Check that SSL_get_peer_certificate() returns something sensible */
6957 peer = SSL_get_peer_certificate(ssl);
6958 if (!TEST_ptr(peer))
6962 in = BIO_new_file(cert, "r");
6966 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6968 if (!TEST_ptr(xcert))
6971 in = BIO_new_file(privkey, "r");
6972 if (!TEST_ptr(in)) {
6977 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6979 if (!TEST_ptr(privpkey)) {
6990 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6995 static int test_client_cert_cb(int tst)
6997 SSL_CTX *cctx = NULL, *sctx = NULL;
6998 SSL *clientssl = NULL, *serverssl = NULL;
7001 #ifdef OPENSSL_NO_TLS1_2
7005 #ifdef OPENSSL_NO_TLS1_3
7010 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7011 TLS_client_method(),
7013 tst == 0 ? TLS1_2_VERSION
7015 &sctx, &cctx, cert, privkey)))
7019 * Test that setting a client_cert_cb results in a client certificate being
7022 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7023 SSL_CTX_set_verify(sctx,
7024 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7029 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7036 SSL_free(serverssl);
7037 SSL_free(clientssl);
7044 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7046 * Test setting certificate authorities on both client and server.
7048 * Test 0: SSL_CTX_set0_CA_list() only
7049 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7050 * Test 2: Only SSL_CTX_set_client_CA_list()
7052 static int test_ca_names_int(int prot, int tst)
7054 SSL_CTX *cctx = NULL, *sctx = NULL;
7055 SSL *clientssl = NULL, *serverssl = NULL;
7058 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7059 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7060 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7061 const STACK_OF(X509_NAME) *sktmp = NULL;
7063 for (i = 0; i < OSSL_NELEM(name); i++) {
7064 name[i] = X509_NAME_new();
7065 if (!TEST_ptr(name[i])
7066 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7074 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7075 TLS_client_method(),
7078 &sctx, &cctx, cert, privkey)))
7081 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7083 if (tst == 0 || tst == 1) {
7084 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7085 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7086 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7087 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7088 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7089 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7092 SSL_CTX_set0_CA_list(sctx, sk1);
7093 SSL_CTX_set0_CA_list(cctx, sk2);
7096 if (tst == 1 || tst == 2) {
7097 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7098 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7099 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7100 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7101 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7102 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7105 SSL_CTX_set_client_CA_list(sctx, sk1);
7106 SSL_CTX_set_client_CA_list(cctx, sk2);
7110 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7112 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7117 * We only expect certificate authorities to have been sent to the server
7118 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7120 sktmp = SSL_get0_peer_CA_list(serverssl);
7121 if (prot == TLS1_3_VERSION
7122 && (tst == 0 || tst == 1)) {
7123 if (!TEST_ptr(sktmp)
7124 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7125 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7127 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7130 } else if (!TEST_ptr_null(sktmp)) {
7135 * In all tests we expect certificate authorities to have been sent to the
7136 * client. However, SSL_set_client_CA_list() should override
7137 * SSL_set0_CA_list()
7139 sktmp = SSL_get0_peer_CA_list(clientssl);
7140 if (!TEST_ptr(sktmp)
7141 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7142 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7143 name[tst == 0 ? 0 : 2]), 0)
7144 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7145 name[tst == 0 ? 1 : 3]), 0))
7151 SSL_free(serverssl);
7152 SSL_free(clientssl);
7155 for (i = 0; i < OSSL_NELEM(name); i++)
7156 X509_NAME_free(name[i]);
7157 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7158 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7164 static int test_ca_names(int tst)
7168 #ifndef OPENSSL_NO_TLS1_2
7169 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7171 #ifndef OPENSSL_NO_TLS1_3
7172 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7178 #ifndef OPENSSL_NO_TLS1_2
7179 static const char *multiblock_cipherlist_data[]=
7187 /* Reduce the fragment size - so the multiblock test buffer can be small */
7188 # define MULTIBLOCK_FRAGSIZE 512
7190 static int test_multiblock_write(int test_index)
7192 static const char *fetchable_ciphers[]=
7194 "AES-128-CBC-HMAC-SHA1",
7195 "AES-128-CBC-HMAC-SHA256",
7196 "AES-256-CBC-HMAC-SHA1",
7197 "AES-256-CBC-HMAC-SHA256"
7199 const char *cipherlist = multiblock_cipherlist_data[test_index];
7200 const SSL_METHOD *smeth = TLS_server_method();
7201 const SSL_METHOD *cmeth = TLS_client_method();
7202 int min_version = TLS1_VERSION;
7203 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7204 SSL_CTX *cctx = NULL, *sctx = NULL;
7205 SSL *clientssl = NULL, *serverssl = NULL;
7209 * Choose a buffer large enough to perform a multi-block operation
7210 * i.e: write_len >= 4 * frag_size
7211 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7213 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7214 unsigned char buf[sizeof(msg)], *p = buf;
7215 size_t readbytes, written, len;
7216 EVP_CIPHER *ciph = NULL;
7219 * Check if the cipher exists before attempting to use it since it only has
7220 * a hardware specific implementation.
7222 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7224 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7227 EVP_CIPHER_free(ciph);
7229 /* Set up a buffer with some data that will be sent to the client */
7230 RAND_bytes(msg, sizeof(msg));
7232 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7233 max_version, &sctx, &cctx, cert,
7237 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7240 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7244 /* settings to force it to use AES-CBC-HMAC_SHA */
7245 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7246 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7249 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7252 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7253 || !TEST_size_t_eq(written, sizeof(msg)))
7258 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7263 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7268 SSL_free(serverssl);
7269 SSL_free(clientssl);
7275 #endif /* OPENSSL_NO_TLS1_2 */
7278 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7279 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7280 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7281 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7282 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7283 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7284 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7285 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7286 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7287 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7289 static int test_servername(int tst)
7291 SSL_CTX *cctx = NULL, *sctx = NULL;
7292 SSL *clientssl = NULL, *serverssl = NULL;
7294 SSL_SESSION *sess = NULL;
7295 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7297 #ifdef OPENSSL_NO_TLS1_2
7301 #ifdef OPENSSL_NO_TLS1_3
7306 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7307 TLS_client_method(),
7309 (tst <= 4) ? TLS1_2_VERSION
7311 &sctx, &cctx, cert, privkey))
7312 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7316 if (tst != 1 && tst != 6) {
7317 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7322 if (tst != 3 && tst != 8) {
7323 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7325 sexpectedhost = cexpectedhost = "goodhost";
7328 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7331 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7333 || !TEST_str_eq(SSL_get_servername(serverssl,
7334 TLSEXT_NAMETYPE_host_name),
7338 /* Now repeat with a resumption handshake */
7340 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7341 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7342 || !TEST_true(SSL_SESSION_is_resumable(sess))
7343 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7346 SSL_free(clientssl);
7347 SSL_free(serverssl);
7348 clientssl = serverssl = NULL;
7350 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7354 if (!TEST_true(SSL_set_session(clientssl, sess)))
7357 sexpectedhost = cexpectedhost = "goodhost";
7358 if (tst == 2 || tst == 7) {
7359 /* Set an inconsistent hostname */
7360 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7363 * In TLSv1.2 we expect the hostname from the original handshake, in
7364 * TLSv1.3 we expect the hostname from this handshake
7367 sexpectedhost = cexpectedhost = "altgoodhost";
7369 if (!TEST_str_eq(SSL_get_servername(clientssl,
7370 TLSEXT_NAMETYPE_host_name),
7373 } else if (tst == 4 || tst == 9) {
7375 * A TLSv1.3 session does not associate a session with a servername,
7376 * but a TLSv1.2 session does.
7379 sexpectedhost = cexpectedhost = NULL;
7381 if (!TEST_str_eq(SSL_get_servername(clientssl,
7382 TLSEXT_NAMETYPE_host_name),
7386 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7389 * In a TLSv1.2 resumption where the hostname was not acknowledged
7390 * we expect the hostname on the server to be empty. On the client we
7391 * return what was requested in this case.
7393 * Similarly if the client didn't set a hostname on an original TLSv1.2
7394 * session but is now, the server hostname will be empty, but the client
7397 if (tst == 1 || tst == 3)
7398 sexpectedhost = NULL;
7400 if (!TEST_str_eq(SSL_get_servername(clientssl,
7401 TLSEXT_NAMETYPE_host_name),
7406 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7409 if (!TEST_true(SSL_session_reused(clientssl))
7410 || !TEST_true(SSL_session_reused(serverssl))
7411 || !TEST_str_eq(SSL_get_servername(clientssl,
7412 TLSEXT_NAMETYPE_host_name),
7414 || !TEST_str_eq(SSL_get_servername(serverssl,
7415 TLSEXT_NAMETYPE_host_name),
7422 SSL_SESSION_free(sess);
7423 SSL_free(serverssl);
7424 SSL_free(clientssl);
7431 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
7433 int setup_tests(void)
7438 libctx = OPENSSL_CTX_new();
7439 if (!TEST_ptr(libctx))
7442 defctxnull = OSSL_PROVIDER_load(NULL, "null");
7445 * Verify that the default and fips providers in the default libctx are not
7448 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
7449 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
7452 if (!test_skip_common_options()) {
7453 TEST_error("Error parsing test options\n");
7457 if (!TEST_ptr(certsdir = test_get_argument(0))
7458 || !TEST_ptr(srpvfile = test_get_argument(1))
7459 || !TEST_ptr(tmpfilename = test_get_argument(2))
7460 || !TEST_ptr(modulename = test_get_argument(3))
7461 || !TEST_ptr(configfile = test_get_argument(4)))
7464 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
7467 /* Check we have the expected provider available */
7468 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
7471 /* Check the default provider is not available */
7472 if (strcmp(modulename, "default") != 0
7473 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
7476 if (strcmp(modulename, "fips") == 0)
7479 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7480 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7481 TEST_error("not supported in this build");
7484 int i, mcount, rcount, fcount;
7486 for (i = 0; i < 4; i++)
7487 test_export_key_mat(i);
7488 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7489 test_printf_stdout("malloc %d realloc %d free %d\n",
7490 mcount, rcount, fcount);
7495 cert = test_mk_file_path(certsdir, "servercert.pem");
7499 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7500 if (privkey == NULL) {
7505 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7506 && !defined(OPENSSL_NO_SOCK)
7507 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7508 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7509 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7510 ADD_TEST(test_ktls_client_no_txrx_server);
7511 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7512 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7513 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7514 ADD_TEST(test_ktls_client_no_rx_server);
7515 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7516 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7517 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7518 ADD_TEST(test_ktls_client_no_tx_server);
7519 ADD_TEST(test_ktls_no_txrx_client_server);
7520 ADD_TEST(test_ktls_no_rx_client_server);
7521 ADD_TEST(test_ktls_no_tx_client_server);
7522 ADD_TEST(test_ktls_client_server);
7523 ADD_TEST(test_ktls_sendfile);
7525 ADD_TEST(test_large_message_tls);
7526 ADD_TEST(test_large_message_tls_read_ahead);
7527 #ifndef OPENSSL_NO_DTLS
7528 ADD_TEST(test_large_message_dtls);
7530 #ifndef OPENSSL_NO_OCSP
7531 ADD_TEST(test_tlsext_status_type);
7533 ADD_TEST(test_session_with_only_int_cache);
7534 ADD_TEST(test_session_with_only_ext_cache);
7535 ADD_TEST(test_session_with_both_cache);
7536 #ifndef OPENSSL_NO_TLS1_3
7537 ADD_ALL_TESTS(test_stateful_tickets, 3);
7538 ADD_ALL_TESTS(test_stateless_tickets, 3);
7539 ADD_TEST(test_psk_tickets);
7540 ADD_ALL_TESTS(test_extra_tickets, 6);
7542 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7543 ADD_TEST(test_ssl_bio_pop_next_bio);
7544 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7545 ADD_TEST(test_ssl_bio_change_rbio);
7546 ADD_TEST(test_ssl_bio_change_wbio);
7547 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7548 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7549 ADD_TEST(test_keylog);
7551 #ifndef OPENSSL_NO_TLS1_3
7552 ADD_TEST(test_keylog_no_master_key);
7554 #ifndef OPENSSL_NO_TLS1_2
7555 ADD_TEST(test_client_hello_cb);
7556 ADD_TEST(test_no_ems);
7557 ADD_TEST(test_ccs_change_cipher);
7559 #ifndef OPENSSL_NO_TLS1_3
7560 ADD_ALL_TESTS(test_early_data_read_write, 3);
7562 * We don't do replay tests for external PSK. Replay protection isn't used
7565 ADD_ALL_TESTS(test_early_data_replay, 2);
7566 ADD_ALL_TESTS(test_early_data_skip, 3);
7567 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7568 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7569 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7570 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7571 ADD_ALL_TESTS(test_early_data_psk, 8);
7572 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7573 # ifndef OPENSSL_NO_TLS1_2
7574 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7577 #ifndef OPENSSL_NO_TLS1_3
7578 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7579 ADD_TEST(test_ciphersuite_change);
7580 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7581 # ifdef OPENSSL_NO_PSK
7582 ADD_ALL_TESTS(test_tls13_psk, 1);
7584 ADD_ALL_TESTS(test_tls13_psk, 4);
7585 # endif /* OPENSSL_NO_PSK */
7586 # ifndef OPENSSL_NO_TLS1_2
7587 /* Test with both TLSv1.3 and 1.2 versions */
7588 ADD_ALL_TESTS(test_key_exchange, 14);
7590 /* Test with only TLSv1.3 versions */
7591 ADD_ALL_TESTS(test_key_exchange, 12);
7593 ADD_ALL_TESTS(test_custom_exts, 5);
7594 ADD_TEST(test_stateless);
7595 ADD_TEST(test_pha_key_update);
7597 ADD_ALL_TESTS(test_custom_exts, 3);
7599 ADD_ALL_TESTS(test_serverinfo, 8);
7600 ADD_ALL_TESTS(test_export_key_mat, 6);
7601 #ifndef OPENSSL_NO_TLS1_3
7602 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7603 ADD_TEST(test_key_update);
7604 ADD_ALL_TESTS(test_key_update_in_write, 2);
7606 ADD_ALL_TESTS(test_ssl_clear, 2);
7607 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7608 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7609 ADD_ALL_TESTS(test_srp, 6);
7611 ADD_ALL_TESTS(test_info_callback, 6);
7612 ADD_ALL_TESTS(test_ssl_pending, 2);
7613 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7614 ADD_ALL_TESTS(test_ticket_callbacks, 16);
7615 ADD_ALL_TESTS(test_shutdown, 7);
7616 ADD_ALL_TESTS(test_cert_cb, 6);
7617 ADD_ALL_TESTS(test_client_cert_cb, 2);
7618 ADD_ALL_TESTS(test_ca_names, 3);
7619 #ifndef OPENSSL_NO_TLS1_2
7620 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7622 ADD_ALL_TESTS(test_servername, 10);
7626 void cleanup_tests(void)
7629 OPENSSL_free(privkey);
7630 bio_s_mempacket_test_free();
7631 bio_s_always_retry_free();
7632 OSSL_PROVIDER_unload(defctxnull);
7633 OPENSSL_CTX_free(libctx);