2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
20 #include "ssltestlib.h"
22 #include "testutil/output.h"
23 #include "internal/nelem.h"
24 #include "../ssl/ssl_locl.h"
26 static char *cert = NULL;
27 static char *privkey = NULL;
28 static char *srpvfile = NULL;
29 static char *tmpfilename = NULL;
31 #define LOG_BUFFER_SIZE 2048
32 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
33 static size_t server_log_buffer_index = 0;
34 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
35 static size_t client_log_buffer_index = 0;
36 static int error_writing_log = 0;
38 #ifndef OPENSSL_NO_OCSP
39 static const unsigned char orespder[] = "Dummy OCSP Response";
40 static int ocsp_server_called = 0;
41 static int ocsp_client_called = 0;
43 static int cdummyarg = 1;
44 static X509 *ocspcert = NULL;
47 #define NUM_EXTRA_CERTS 40
48 #define CLIENT_VERSION_LEN 2
51 * This structure is used to validate that the correct number of log messages
52 * of various types are emitted when emitting secret logs.
54 struct sslapitest_log_counts {
55 unsigned int rsa_key_exchange_count;
56 unsigned int master_secret_count;
57 unsigned int client_early_secret_count;
58 unsigned int client_handshake_secret_count;
59 unsigned int server_handshake_secret_count;
60 unsigned int client_application_secret_count;
61 unsigned int server_application_secret_count;
62 unsigned int early_exporter_secret_count;
63 unsigned int exporter_secret_count;
67 static unsigned char serverinfov1[] = {
68 0xff, 0xff, /* Dummy extension type */
69 0x00, 0x01, /* Extension length is 1 byte */
70 0xff /* Dummy extension data */
73 static unsigned char serverinfov2[] = {
75 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
76 0xff, 0xff, /* Dummy extension type */
77 0x00, 0x01, /* Extension length is 1 byte */
78 0xff /* Dummy extension data */
81 static void client_keylog_callback(const SSL *ssl, const char *line)
83 int line_length = strlen(line);
85 /* If the log doesn't fit, error out. */
86 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
87 TEST_info("Client log too full");
88 error_writing_log = 1;
92 strcat(client_log_buffer, line);
93 client_log_buffer_index += line_length;
94 client_log_buffer[client_log_buffer_index++] = '\n';
97 static void server_keylog_callback(const SSL *ssl, const char *line)
99 int line_length = strlen(line);
101 /* If the log doesn't fit, error out. */
102 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
103 TEST_info("Server log too full");
104 error_writing_log = 1;
108 strcat(server_log_buffer, line);
109 server_log_buffer_index += line_length;
110 server_log_buffer[server_log_buffer_index++] = '\n';
113 static int compare_hex_encoded_buffer(const char *hex_encoded,
121 if (!TEST_size_t_eq(raw_length * 2, hex_length))
124 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
125 sprintf(hexed, "%02x", raw[i]);
126 if (!TEST_int_eq(hexed[0], hex_encoded[j])
127 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
134 static int test_keylog_output(char *buffer, const SSL *ssl,
135 const SSL_SESSION *session,
136 struct sslapitest_log_counts *expected)
139 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
140 size_t client_random_size = SSL3_RANDOM_SIZE;
141 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
142 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
143 unsigned int rsa_key_exchange_count = 0;
144 unsigned int master_secret_count = 0;
145 unsigned int client_early_secret_count = 0;
146 unsigned int client_handshake_secret_count = 0;
147 unsigned int server_handshake_secret_count = 0;
148 unsigned int client_application_secret_count = 0;
149 unsigned int server_application_secret_count = 0;
150 unsigned int early_exporter_secret_count = 0;
151 unsigned int exporter_secret_count = 0;
153 for (token = strtok(buffer, " \n"); token != NULL;
154 token = strtok(NULL, " \n")) {
155 if (strcmp(token, "RSA") == 0) {
157 * Premaster secret. Tokens should be: 16 ASCII bytes of
158 * hex-encoded encrypted secret, then the hex-encoded pre-master
161 if (!TEST_ptr(token = strtok(NULL, " \n")))
163 if (!TEST_size_t_eq(strlen(token), 16))
165 if (!TEST_ptr(token = strtok(NULL, " \n")))
168 * We can't sensibly check the log because the premaster secret is
169 * transient, and OpenSSL doesn't keep hold of it once the master
170 * secret is generated.
172 rsa_key_exchange_count++;
173 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
175 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
176 * client random, then the hex-encoded master secret.
178 client_random_size = SSL_get_client_random(ssl,
179 actual_client_random,
181 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
184 if (!TEST_ptr(token = strtok(NULL, " \n")))
186 if (!TEST_size_t_eq(strlen(token), 64))
188 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
189 actual_client_random,
190 client_random_size)))
193 if (!TEST_ptr(token = strtok(NULL, " \n")))
195 master_key_size = SSL_SESSION_get_master_key(session,
198 if (!TEST_size_t_ne(master_key_size, 0))
200 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
204 master_secret_count++;
205 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
206 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
207 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
208 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
209 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
210 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
211 || strcmp(token, "EXPORTER_SECRET") == 0) {
213 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
214 * client random, and then the hex-encoded secret. In this case,
215 * we treat all of these secrets identically and then just
216 * distinguish between them when counting what we saw.
218 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
219 client_early_secret_count++;
220 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
221 client_handshake_secret_count++;
222 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
223 server_handshake_secret_count++;
224 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
225 client_application_secret_count++;
226 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
227 server_application_secret_count++;
228 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
229 early_exporter_secret_count++;
230 else if (strcmp(token, "EXPORTER_SECRET") == 0)
231 exporter_secret_count++;
233 client_random_size = SSL_get_client_random(ssl,
234 actual_client_random,
236 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
239 if (!TEST_ptr(token = strtok(NULL, " \n")))
241 if (!TEST_size_t_eq(strlen(token), 64))
243 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
244 actual_client_random,
245 client_random_size)))
248 if (!TEST_ptr(token = strtok(NULL, " \n")))
252 * TODO(TLS1.3): test that application traffic secrets are what
255 TEST_info("Unexpected token %s\n", token);
260 /* Got what we expected? */
261 if (!TEST_size_t_eq(rsa_key_exchange_count,
262 expected->rsa_key_exchange_count)
263 || !TEST_size_t_eq(master_secret_count,
264 expected->master_secret_count)
265 || !TEST_size_t_eq(client_early_secret_count,
266 expected->client_early_secret_count)
267 || !TEST_size_t_eq(client_handshake_secret_count,
268 expected->client_handshake_secret_count)
269 || !TEST_size_t_eq(server_handshake_secret_count,
270 expected->server_handshake_secret_count)
271 || !TEST_size_t_eq(client_application_secret_count,
272 expected->client_application_secret_count)
273 || !TEST_size_t_eq(server_application_secret_count,
274 expected->server_application_secret_count)
275 || !TEST_size_t_eq(early_exporter_secret_count,
276 expected->early_exporter_secret_count)
277 || !TEST_size_t_eq(exporter_secret_count,
278 expected->exporter_secret_count))
283 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
284 static int test_keylog(void)
286 SSL_CTX *cctx = NULL, *sctx = NULL;
287 SSL *clientssl = NULL, *serverssl = NULL;
289 struct sslapitest_log_counts expected = {0};
291 /* Clean up logging space */
292 memset(client_log_buffer, 0, sizeof(client_log_buffer));
293 memset(server_log_buffer, 0, sizeof(server_log_buffer));
294 client_log_buffer_index = 0;
295 server_log_buffer_index = 0;
296 error_writing_log = 0;
298 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
300 TLS1_VERSION, TLS_MAX_VERSION,
301 &sctx, &cctx, cert, privkey)))
304 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
305 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
306 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
308 /* We also want to ensure that we use RSA-based key exchange. */
309 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
312 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
313 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
315 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
316 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
317 == client_keylog_callback))
319 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
320 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
321 == server_keylog_callback))
324 /* Now do a handshake and check that the logs have been written to. */
325 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
326 &clientssl, NULL, NULL))
327 || !TEST_true(create_ssl_connection(serverssl, clientssl,
329 || !TEST_false(error_writing_log)
330 || !TEST_int_gt(client_log_buffer_index, 0)
331 || !TEST_int_gt(server_log_buffer_index, 0))
335 * Now we want to test that our output data was vaguely sensible. We
336 * do that by using strtok and confirming that we have more or less the
337 * data we expect. For both client and server, we expect to see one master
338 * secret. The client should also see a RSA key exchange.
340 expected.rsa_key_exchange_count = 1;
341 expected.master_secret_count = 1;
342 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
343 SSL_get_session(clientssl), &expected)))
346 expected.rsa_key_exchange_count = 0;
347 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
348 SSL_get_session(serverssl), &expected)))
363 #ifndef OPENSSL_NO_TLS1_3
364 static int test_keylog_no_master_key(void)
366 SSL_CTX *cctx = NULL, *sctx = NULL;
367 SSL *clientssl = NULL, *serverssl = NULL;
368 SSL_SESSION *sess = NULL;
370 struct sslapitest_log_counts expected = {0};
371 unsigned char buf[1];
372 size_t readbytes, written;
374 /* Clean up logging space */
375 memset(client_log_buffer, 0, sizeof(client_log_buffer));
376 memset(server_log_buffer, 0, sizeof(server_log_buffer));
377 client_log_buffer_index = 0;
378 server_log_buffer_index = 0;
379 error_writing_log = 0;
381 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
382 TLS1_VERSION, TLS_MAX_VERSION,
383 &sctx, &cctx, cert, privkey))
384 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
385 SSL3_RT_MAX_PLAIN_LENGTH)))
388 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
389 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
392 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
393 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
394 == client_keylog_callback))
397 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
398 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
399 == server_keylog_callback))
402 /* Now do a handshake and check that the logs have been written to. */
403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
404 &clientssl, NULL, NULL))
405 || !TEST_true(create_ssl_connection(serverssl, clientssl,
407 || !TEST_false(error_writing_log))
411 * Now we want to test that our output data was vaguely sensible. For this
412 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
413 * TLSv1.3, but we do expect both client and server to emit keys.
415 expected.client_handshake_secret_count = 1;
416 expected.server_handshake_secret_count = 1;
417 expected.client_application_secret_count = 1;
418 expected.server_application_secret_count = 1;
419 expected.exporter_secret_count = 1;
420 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
421 SSL_get_session(clientssl), &expected))
422 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
423 SSL_get_session(serverssl),
427 /* Terminate old session and resume with early data. */
428 sess = SSL_get1_session(clientssl);
429 SSL_shutdown(clientssl);
430 SSL_shutdown(serverssl);
433 serverssl = clientssl = NULL;
436 memset(client_log_buffer, 0, sizeof(client_log_buffer));
437 memset(server_log_buffer, 0, sizeof(server_log_buffer));
438 client_log_buffer_index = 0;
439 server_log_buffer_index = 0;
441 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
442 &clientssl, NULL, NULL))
443 || !TEST_true(SSL_set_session(clientssl, sess))
444 /* Here writing 0 length early data is enough. */
445 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
446 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
448 SSL_READ_EARLY_DATA_ERROR)
449 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
450 SSL_EARLY_DATA_ACCEPTED)
451 || !TEST_true(create_ssl_connection(serverssl, clientssl,
453 || !TEST_true(SSL_session_reused(clientssl)))
456 /* In addition to the previous entries, expect early secrets. */
457 expected.client_early_secret_count = 1;
458 expected.early_exporter_secret_count = 1;
459 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
460 SSL_get_session(clientssl), &expected))
461 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
462 SSL_get_session(serverssl),
469 SSL_SESSION_free(sess);
479 #ifndef OPENSSL_NO_TLS1_2
480 static int full_client_hello_callback(SSL *s, int *al, void *arg)
483 const unsigned char *p;
485 /* We only configure two ciphers, but the SCSV is added automatically. */
487 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
489 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
492 const int expected_extensions[] = {
493 #ifndef OPENSSL_NO_EC
499 /* Make sure we can defer processing and get called back. */
501 return SSL_CLIENT_HELLO_RETRY;
503 len = SSL_client_hello_get0_ciphers(s, &p);
504 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
506 SSL_client_hello_get0_compression_methods(s, &p), 1)
507 || !TEST_int_eq(*p, 0))
508 return SSL_CLIENT_HELLO_ERROR;
509 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
510 return SSL_CLIENT_HELLO_ERROR;
511 if (len != OSSL_NELEM(expected_extensions) ||
512 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
513 printf("ClientHello callback expected extensions mismatch\n");
515 return SSL_CLIENT_HELLO_ERROR;
518 return SSL_CLIENT_HELLO_SUCCESS;
521 static int test_client_hello_cb(void)
523 SSL_CTX *cctx = NULL, *sctx = NULL;
524 SSL *clientssl = NULL, *serverssl = NULL;
525 int testctr = 0, testresult = 0;
527 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
528 TLS1_VERSION, TLS_MAX_VERSION,
529 &sctx, &cctx, cert, privkey)))
531 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
533 /* The gimpy cipher list we configure can't do TLS 1.3. */
534 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
536 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
537 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
538 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
539 &clientssl, NULL, NULL))
540 || !TEST_false(create_ssl_connection(serverssl, clientssl,
541 SSL_ERROR_WANT_CLIENT_HELLO_CB))
543 * Passing a -1 literal is a hack since
544 * the real value was lost.
546 || !TEST_int_eq(SSL_get_error(serverssl, -1),
547 SSL_ERROR_WANT_CLIENT_HELLO_CB)
548 || !TEST_true(create_ssl_connection(serverssl, clientssl,
564 static int execute_test_large_message(const SSL_METHOD *smeth,
565 const SSL_METHOD *cmeth,
566 int min_version, int max_version,
569 SSL_CTX *cctx = NULL, *sctx = NULL;
570 SSL *clientssl = NULL, *serverssl = NULL;
574 X509 *chaincert = NULL;
577 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
579 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
582 if (!TEST_ptr(chaincert))
585 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
586 &sctx, &cctx, cert, privkey)))
591 * Test that read_ahead works correctly when dealing with large
594 SSL_CTX_set_read_ahead(cctx, 1);
598 * We assume the supplied certificate is big enough so that if we add
599 * NUM_EXTRA_CERTS it will make the overall message large enough. The
600 * default buffer size is requested to be 16k, but due to the way BUF_MEM
601 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
602 * test we need to have a message larger than that.
604 certlen = i2d_X509(chaincert, NULL);
605 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
606 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
607 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
608 if (!X509_up_ref(chaincert))
610 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
611 X509_free(chaincert);
616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
618 || !TEST_true(create_ssl_connection(serverssl, clientssl,
623 * Calling SSL_clear() first is not required but this tests that SSL_clear()
624 * doesn't leak (when using enable-crypto-mdebug).
626 if (!TEST_true(SSL_clear(serverssl)))
631 X509_free(chaincert);
640 static int test_large_message_tls(void)
642 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
643 TLS1_VERSION, TLS_MAX_VERSION,
647 static int test_large_message_tls_read_ahead(void)
649 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
650 TLS1_VERSION, TLS_MAX_VERSION,
654 #ifndef OPENSSL_NO_DTLS
655 static int test_large_message_dtls(void)
658 * read_ahead is not relevant to DTLS because DTLS always acts as if
661 return execute_test_large_message(DTLS_server_method(),
662 DTLS_client_method(),
663 DTLS1_VERSION, DTLS_MAX_VERSION,
668 #ifndef OPENSSL_NO_OCSP
669 static int ocsp_server_cb(SSL *s, void *arg)
671 int *argi = (int *)arg;
672 unsigned char *copy = NULL;
673 STACK_OF(OCSP_RESPID) *ids = NULL;
674 OCSP_RESPID *id = NULL;
677 /* In this test we are expecting exactly 1 OCSP_RESPID */
678 SSL_get_tlsext_status_ids(s, &ids);
679 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
680 return SSL_TLSEXT_ERR_ALERT_FATAL;
682 id = sk_OCSP_RESPID_value(ids, 0);
683 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
684 return SSL_TLSEXT_ERR_ALERT_FATAL;
685 } else if (*argi != 1) {
686 return SSL_TLSEXT_ERR_ALERT_FATAL;
689 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
690 return SSL_TLSEXT_ERR_ALERT_FATAL;
692 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
693 ocsp_server_called = 1;
694 return SSL_TLSEXT_ERR_OK;
697 static int ocsp_client_cb(SSL *s, void *arg)
699 int *argi = (int *)arg;
700 const unsigned char *respderin;
703 if (*argi != 1 && *argi != 2)
706 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
707 if (!TEST_mem_eq(orespder, len, respderin, len))
710 ocsp_client_called = 1;
714 static int test_tlsext_status_type(void)
716 SSL_CTX *cctx = NULL, *sctx = NULL;
717 SSL *clientssl = NULL, *serverssl = NULL;
719 STACK_OF(OCSP_RESPID) *ids = NULL;
720 OCSP_RESPID *id = NULL;
723 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
724 TLS1_VERSION, TLS_MAX_VERSION,
725 &sctx, &cctx, cert, privkey))
728 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
731 /* First just do various checks getting and setting tlsext_status_type */
733 clientssl = SSL_new(cctx);
734 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
735 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
736 TLSEXT_STATUSTYPE_ocsp))
737 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
738 TLSEXT_STATUSTYPE_ocsp))
744 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
745 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
748 clientssl = SSL_new(cctx);
749 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
755 * Now actually do a handshake and check OCSP information is exchanged and
756 * the callbacks get called
758 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
759 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
760 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
761 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
762 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
763 &clientssl, NULL, NULL))
764 || !TEST_true(create_ssl_connection(serverssl, clientssl,
766 || !TEST_true(ocsp_client_called)
767 || !TEST_true(ocsp_server_called))
774 /* Try again but this time force the server side callback to fail */
775 ocsp_client_called = 0;
776 ocsp_server_called = 0;
778 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
779 &clientssl, NULL, NULL))
780 /* This should fail because the callback will fail */
781 || !TEST_false(create_ssl_connection(serverssl, clientssl,
783 || !TEST_false(ocsp_client_called)
784 || !TEST_false(ocsp_server_called))
792 * This time we'll get the client to send an OCSP_RESPID that it will
795 ocsp_client_called = 0;
796 ocsp_server_called = 0;
798 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
799 &clientssl, NULL, NULL)))
803 * We'll just use any old cert for this test - it doesn't have to be an OCSP
804 * specific one. We'll use the server cert.
806 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
807 || !TEST_ptr(id = OCSP_RESPID_new())
808 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
809 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
811 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
812 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
815 SSL_set_tlsext_status_ids(clientssl, ids);
816 /* Control has been transferred */
822 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
824 || !TEST_true(ocsp_client_called)
825 || !TEST_true(ocsp_server_called))
835 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
836 OCSP_RESPID_free(id);
845 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
846 static int new_called, remove_called, get_called;
848 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
852 * sess has been up-refed for us, but we don't actually need it so free it
855 SSL_SESSION_free(sess);
859 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
864 static SSL_SESSION *get_sess_val = NULL;
866 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
874 static int execute_test_session(int maxprot, int use_int_cache,
877 SSL_CTX *sctx = NULL, *cctx = NULL;
878 SSL *serverssl1 = NULL, *clientssl1 = NULL;
879 SSL *serverssl2 = NULL, *clientssl2 = NULL;
880 # ifndef OPENSSL_NO_TLS1_1
881 SSL *serverssl3 = NULL, *clientssl3 = NULL;
883 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
886 new_called = remove_called = 0;
888 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
889 TLS1_VERSION, TLS_MAX_VERSION,
890 &sctx, &cctx, cert, privkey)))
894 * Only allow the max protocol version so we can force a connection failure
897 SSL_CTX_set_min_proto_version(cctx, maxprot);
898 SSL_CTX_set_max_proto_version(cctx, maxprot);
900 /* Set up session cache */
902 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
903 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
906 /* Also covers instance where both are set */
907 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
909 SSL_CTX_set_session_cache_mode(cctx,
910 SSL_SESS_CACHE_CLIENT
911 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
914 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
916 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
918 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
921 /* Should fail because it should already be in the cache */
922 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
925 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
928 new_called = remove_called = 0;
929 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
930 &clientssl2, NULL, NULL))
931 || !TEST_true(SSL_set_session(clientssl2, sess1))
932 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
934 || !TEST_true(SSL_session_reused(clientssl2)))
937 if (maxprot == TLS1_3_VERSION) {
939 * In TLSv1.3 we should have created a new session even though we have
940 * resumed. The original session should also have been removed.
943 && (!TEST_int_eq(new_called, 1)
944 || !TEST_int_eq(remove_called, 1)))
948 * In TLSv1.2 we expect to have resumed so no sessions added or
952 && (!TEST_int_eq(new_called, 0)
953 || !TEST_int_eq(remove_called, 0)))
957 SSL_SESSION_free(sess1);
958 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
960 shutdown_ssl_connection(serverssl2, clientssl2);
961 serverssl2 = clientssl2 = NULL;
963 new_called = remove_called = 0;
964 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
965 &clientssl2, NULL, NULL))
966 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
970 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
974 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
977 new_called = remove_called = 0;
979 * This should clear sess2 from the cache because it is a "bad" session.
980 * See SSL_set_session() documentation.
982 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
985 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
987 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
991 /* Should succeeded because it should not already be in the cache */
992 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
993 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
997 new_called = remove_called = 0;
998 /* This shouldn't be in the cache so should fail */
999 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1003 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1006 # if !defined(OPENSSL_NO_TLS1_1)
1007 new_called = remove_called = 0;
1008 /* Force a connection failure */
1009 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1010 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1011 &clientssl3, NULL, NULL))
1012 || !TEST_true(SSL_set_session(clientssl3, sess1))
1013 /* This should fail because of the mismatched protocol versions */
1014 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1018 /* We should have automatically removed the session from the cache */
1020 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1023 /* Should succeed because it should not already be in the cache */
1024 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1028 /* Now do some tests for server side caching */
1029 if (use_ext_cache) {
1030 SSL_CTX_sess_set_new_cb(cctx, NULL);
1031 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1032 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1033 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1034 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1035 get_sess_val = NULL;
1038 SSL_CTX_set_session_cache_mode(cctx, 0);
1039 /* Internal caching is the default on the server side */
1041 SSL_CTX_set_session_cache_mode(sctx,
1042 SSL_SESS_CACHE_SERVER
1043 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1045 SSL_free(serverssl1);
1046 SSL_free(clientssl1);
1047 serverssl1 = clientssl1 = NULL;
1048 SSL_free(serverssl2);
1049 SSL_free(clientssl2);
1050 serverssl2 = clientssl2 = NULL;
1051 SSL_SESSION_free(sess1);
1053 SSL_SESSION_free(sess2);
1056 SSL_CTX_set_max_proto_version(sctx, maxprot);
1057 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1058 new_called = remove_called = get_called = 0;
1059 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1061 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1063 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1064 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1067 /* Should fail because it should already be in the cache */
1068 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
1071 if (use_ext_cache) {
1072 SSL_SESSION *tmp = sess2;
1074 if (!TEST_int_eq(new_called, 1)
1075 || !TEST_int_eq(remove_called, 0)
1076 || !TEST_int_eq(get_called, 0))
1079 * Delete the session from the internal cache to force a lookup from
1080 * the external cache. We take a copy first because
1081 * SSL_CTX_remove_session() also marks the session as non-resumable.
1083 if (use_int_cache) {
1084 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1085 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1087 SSL_SESSION_free(sess2);
1092 new_called = remove_called = get_called = 0;
1093 get_sess_val = sess2;
1094 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1095 &clientssl2, NULL, NULL))
1096 || !TEST_true(SSL_set_session(clientssl2, sess1))
1097 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1099 || !TEST_true(SSL_session_reused(clientssl2)))
1102 if (use_ext_cache) {
1103 if (!TEST_int_eq(remove_called, 0))
1106 if (maxprot == TLS1_3_VERSION) {
1108 * Every time we issue a NewSessionTicket we are creating a new
1109 * session for next time in TLSv1.3
1111 if (!TEST_int_eq(new_called, 1)
1112 || !TEST_int_eq(get_called, 0))
1115 if (!TEST_int_eq(new_called, 0)
1116 || !TEST_int_eq(get_called, 1))
1124 SSL_free(serverssl1);
1125 SSL_free(clientssl1);
1126 SSL_free(serverssl2);
1127 SSL_free(clientssl2);
1128 # ifndef OPENSSL_NO_TLS1_1
1129 SSL_free(serverssl3);
1130 SSL_free(clientssl3);
1132 SSL_SESSION_free(sess1);
1133 SSL_SESSION_free(sess2);
1139 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1141 static int test_session_with_only_int_cache(void)
1143 #ifndef OPENSSL_NO_TLS1_3
1144 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1148 #ifndef OPENSSL_NO_TLS1_2
1149 return execute_test_session(TLS1_2_VERSION, 1, 0);
1155 static int test_session_with_only_ext_cache(void)
1157 #ifndef OPENSSL_NO_TLS1_3
1158 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1162 #ifndef OPENSSL_NO_TLS1_2
1163 return execute_test_session(TLS1_2_VERSION, 0, 1);
1169 static int test_session_with_both_cache(void)
1171 #ifndef OPENSSL_NO_TLS1_3
1172 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1176 #ifndef OPENSSL_NO_TLS1_2
1177 return execute_test_session(TLS1_2_VERSION, 1, 1);
1186 #define USE_DEFAULT 3
1188 #define CONNTYPE_CONNECTION_SUCCESS 0
1189 #define CONNTYPE_CONNECTION_FAIL 1
1190 #define CONNTYPE_NO_CONNECTION 2
1192 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1193 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1194 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1195 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1197 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1201 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1202 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1203 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1205 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1222 * Tests calls to SSL_set_bio() under various conditions.
1224 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1225 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1226 * then do more tests where we create a successful connection first using our
1227 * standard connection setup functions, and then call SSL_set_bio() with
1228 * various combinations of valid BIOs or NULL. We then repeat these tests
1229 * following a failed connection. In this last case we are looking to check that
1230 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1232 static int test_ssl_set_bio(int idx)
1234 SSL_CTX *sctx = NULL, *cctx = NULL;
1237 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1238 SSL *serverssl = NULL, *clientssl = NULL;
1239 int initrbio, initwbio, newrbio, newwbio, conntype;
1242 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1250 conntype = CONNTYPE_NO_CONNECTION;
1252 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1253 initrbio = initwbio = USE_DEFAULT;
1261 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1262 TLS1_VERSION, TLS_MAX_VERSION,
1263 &sctx, &cctx, cert, privkey)))
1266 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1268 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1269 * because we reduced the number of tests in the definition of
1270 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1271 * mismatched protocol versions we will force a connection failure.
1273 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1274 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1277 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1281 if (initrbio == USE_BIO_1
1282 || initwbio == USE_BIO_1
1283 || newrbio == USE_BIO_1
1284 || newwbio == USE_BIO_1) {
1285 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1289 if (initrbio == USE_BIO_2
1290 || initwbio == USE_BIO_2
1291 || newrbio == USE_BIO_2
1292 || newwbio == USE_BIO_2) {
1293 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1297 if (initrbio != USE_DEFAULT) {
1298 setupbio(&irbio, bio1, bio2, initrbio);
1299 setupbio(&iwbio, bio1, bio2, initwbio);
1300 SSL_set_bio(clientssl, irbio, iwbio);
1303 * We want to maintain our own refs to these BIO, so do an up ref for
1304 * each BIO that will have ownership transferred in the SSL_set_bio()
1309 if (iwbio != NULL && iwbio != irbio)
1313 if (conntype != CONNTYPE_NO_CONNECTION
1314 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1316 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1319 setupbio(&nrbio, bio1, bio2, newrbio);
1320 setupbio(&nwbio, bio1, bio2, newwbio);
1323 * We will (maybe) transfer ownership again so do more up refs.
1324 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1329 && (nwbio != iwbio || nrbio != nwbio))
1333 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1336 SSL_set_bio(clientssl, nrbio, nwbio);
1345 * This test is checking that the ref counting for SSL_set_bio is correct.
1346 * If we get here and we did too many frees then we will fail in the above
1347 * functions. If we haven't done enough then this will only be detected in
1348 * a crypto-mdebug build
1350 SSL_free(serverssl);
1351 SSL_free(clientssl);
1357 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1359 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1361 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1366 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1367 || !TEST_ptr(ssl = SSL_new(ctx))
1368 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1369 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1372 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1375 * If anything goes wrong here then we could leak memory, so this will
1376 * be caught in a crypto-mdebug build
1378 BIO_push(sslbio, membio1);
1380 /* Verify changing the rbio/wbio directly does not cause leaks */
1381 if (change_bio != NO_BIO_CHANGE) {
1382 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1384 if (change_bio == CHANGE_RBIO)
1385 SSL_set0_rbio(ssl, membio2);
1387 SSL_set0_wbio(ssl, membio2);
1406 static int test_ssl_bio_pop_next_bio(void)
1408 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1411 static int test_ssl_bio_pop_ssl_bio(void)
1413 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1416 static int test_ssl_bio_change_rbio(void)
1418 return execute_test_ssl_bio(0, CHANGE_RBIO);
1421 static int test_ssl_bio_change_wbio(void)
1423 return execute_test_ssl_bio(0, CHANGE_WBIO);
1426 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1428 /* The list of sig algs */
1430 /* The length of the list */
1432 /* A sigalgs list in string format */
1433 const char *liststr;
1434 /* Whether setting the list should succeed */
1436 /* Whether creating a connection with the list should succeed */
1440 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1441 # ifndef OPENSSL_NO_EC
1442 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1443 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1445 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1446 static const int invalidlist2[] = {NID_sha256, NID_undef};
1447 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1448 static const int invalidlist4[] = {NID_sha256};
1449 static const sigalgs_list testsigalgs[] = {
1450 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1451 # ifndef OPENSSL_NO_EC
1452 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1453 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1455 {NULL, 0, "RSA+SHA256", 1, 1},
1456 # ifndef OPENSSL_NO_EC
1457 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1458 {NULL, 0, "ECDSA+SHA512", 1, 0},
1460 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1461 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1462 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1463 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1464 {NULL, 0, "RSA", 0, 0},
1465 {NULL, 0, "SHA256", 0, 0},
1466 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1467 {NULL, 0, "Invalid", 0, 0}
1470 static int test_set_sigalgs(int idx)
1472 SSL_CTX *cctx = NULL, *sctx = NULL;
1473 SSL *clientssl = NULL, *serverssl = NULL;
1475 const sigalgs_list *curr;
1478 /* Should never happen */
1479 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1482 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1483 curr = testctx ? &testsigalgs[idx]
1484 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1486 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1487 TLS1_VERSION, TLS_MAX_VERSION,
1488 &sctx, &cctx, cert, privkey)))
1492 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1493 * for TLSv1.2 for now until we add a new API.
1495 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1500 if (curr->list != NULL)
1501 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1503 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1507 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1513 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1519 &clientssl, NULL, NULL)))
1525 if (curr->list != NULL)
1526 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1528 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1531 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1540 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1548 SSL_free(serverssl);
1549 SSL_free(clientssl);
1557 #ifndef OPENSSL_NO_TLS1_3
1559 static SSL_SESSION *clientpsk = NULL;
1560 static SSL_SESSION *serverpsk = NULL;
1561 static const char *pskid = "Identity";
1562 static const char *srvid;
1564 static int use_session_cb_cnt = 0;
1565 static int find_session_cb_cnt = 0;
1566 static int psk_client_cb_cnt = 0;
1567 static int psk_server_cb_cnt = 0;
1569 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1570 size_t *idlen, SSL_SESSION **sess)
1572 switch (++use_session_cb_cnt) {
1574 /* The first call should always have a NULL md */
1580 /* The second call should always have an md */
1586 /* We should only be called a maximum of twice */
1590 if (clientpsk != NULL)
1591 SSL_SESSION_up_ref(clientpsk);
1594 *id = (const unsigned char *)pskid;
1595 *idlen = strlen(pskid);
1600 #ifndef OPENSSL_NO_PSK
1601 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1602 unsigned int max_id_len,
1604 unsigned int max_psk_len)
1606 unsigned int psklen = 0;
1608 psk_client_cb_cnt++;
1610 if (strlen(pskid) + 1 > max_id_len)
1613 /* We should only ever be called a maximum of twice per connection */
1614 if (psk_client_cb_cnt > 2)
1617 if (clientpsk == NULL)
1620 /* We'll reuse the PSK we set up for TLSv1.3 */
1621 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1623 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1624 strncpy(id, pskid, max_id_len);
1628 #endif /* OPENSSL_NO_PSK */
1630 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1631 size_t identity_len, SSL_SESSION **sess)
1633 find_session_cb_cnt++;
1635 /* We should only ever be called a maximum of twice per connection */
1636 if (find_session_cb_cnt > 2)
1639 if (serverpsk == NULL)
1642 /* Identity should match that set by the client */
1643 if (strlen(srvid) != identity_len
1644 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1645 /* No PSK found, continue but without a PSK */
1650 SSL_SESSION_up_ref(serverpsk);
1656 #ifndef OPENSSL_NO_PSK
1657 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1658 unsigned char *psk, unsigned int max_psk_len)
1660 unsigned int psklen = 0;
1662 psk_server_cb_cnt++;
1664 /* We should only ever be called a maximum of twice per connection */
1665 if (find_session_cb_cnt > 2)
1668 if (serverpsk == NULL)
1671 /* Identity should match that set by the client */
1672 if (strcmp(srvid, identity) != 0) {
1676 /* We'll reuse the PSK we set up for TLSv1.3 */
1677 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1679 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1683 #endif /* OPENSSL_NO_PSK */
1685 #define MSG1 "Hello"
1686 #define MSG2 "World."
1691 #define MSG7 "message."
1693 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1694 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1697 * Helper method to setup objects for early data test. Caller frees objects on
1700 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1701 SSL **serverssl, SSL_SESSION **sess, int idx)
1703 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1704 TLS1_VERSION, TLS_MAX_VERSION,
1705 sctx, cctx, cert, privkey))
1706 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1707 SSL3_RT_MAX_PLAIN_LENGTH)))
1711 /* When idx == 1 we repeat the tests with read_ahead set */
1712 SSL_CTX_set_read_ahead(*cctx, 1);
1713 SSL_CTX_set_read_ahead(*sctx, 1);
1714 } else if (idx == 2) {
1715 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1716 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1717 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1718 use_session_cb_cnt = 0;
1719 find_session_cb_cnt = 0;
1723 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1728 * For one of the run throughs (doesn't matter which one), we'll try sending
1729 * some SNI data in the initial ClientHello. This will be ignored (because
1730 * there is no SNI cb set up by the server), so it should not impact
1734 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1738 /* Create the PSK */
1739 const SSL_CIPHER *cipher = NULL;
1740 const unsigned char key[] = {
1741 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1742 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1743 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1744 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1745 0x2c, 0x2d, 0x2e, 0x2f
1748 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1749 clientpsk = SSL_SESSION_new();
1750 if (!TEST_ptr(clientpsk)
1751 || !TEST_ptr(cipher)
1752 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1754 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1756 SSL_SESSION_set_protocol_version(clientpsk,
1759 * We just choose an arbitrary value for max_early_data which
1760 * should be big enough for testing purposes.
1762 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1764 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1765 SSL_SESSION_free(clientpsk);
1769 serverpsk = clientpsk;
1779 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1783 *sess = SSL_get1_session(*clientssl);
1784 SSL_shutdown(*clientssl);
1785 SSL_shutdown(*serverssl);
1786 SSL_free(*serverssl);
1787 SSL_free(*clientssl);
1788 *serverssl = *clientssl = NULL;
1790 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1791 clientssl, NULL, NULL))
1792 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1798 static int test_early_data_read_write(int idx)
1800 SSL_CTX *cctx = NULL, *sctx = NULL;
1801 SSL *clientssl = NULL, *serverssl = NULL;
1803 SSL_SESSION *sess = NULL;
1804 unsigned char buf[20], data[1024];
1805 size_t readbytes, written, eoedlen, rawread, rawwritten;
1808 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1809 &serverssl, &sess, idx)))
1812 /* Write and read some early data */
1813 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1815 || !TEST_size_t_eq(written, strlen(MSG1))
1816 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1817 sizeof(buf), &readbytes),
1818 SSL_READ_EARLY_DATA_SUCCESS)
1819 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1820 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1821 SSL_EARLY_DATA_ACCEPTED))
1825 * Server should be able to write data, and client should be able to
1828 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1830 || !TEST_size_t_eq(written, strlen(MSG2))
1831 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1832 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1835 /* Even after reading normal data, client should be able write early data */
1836 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1838 || !TEST_size_t_eq(written, strlen(MSG3)))
1841 /* Server should still be able read early data after writing data */
1842 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1844 SSL_READ_EARLY_DATA_SUCCESS)
1845 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1848 /* Write more data from server and read it from client */
1849 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1851 || !TEST_size_t_eq(written, strlen(MSG4))
1852 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1853 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1857 * If client writes normal data it should mean writing early data is no
1860 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1861 || !TEST_size_t_eq(written, strlen(MSG5))
1862 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1863 SSL_EARLY_DATA_ACCEPTED))
1867 * At this point the client has written EndOfEarlyData, ClientFinished and
1868 * normal (fully protected) data. We are going to cause a delay between the
1869 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1870 * in the read BIO, and then just put back the EndOfEarlyData message.
1872 rbio = SSL_get_rbio(serverssl);
1873 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1874 || !TEST_size_t_lt(rawread, sizeof(data))
1875 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1878 /* Record length is in the 4th and 5th bytes of the record header */
1879 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1880 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1881 || !TEST_size_t_eq(rawwritten, eoedlen))
1884 /* Server should be told that there is no more early data */
1885 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1887 SSL_READ_EARLY_DATA_FINISH)
1888 || !TEST_size_t_eq(readbytes, 0))
1892 * Server has not finished init yet, so should still be able to write early
1895 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1897 || !TEST_size_t_eq(written, strlen(MSG6)))
1900 /* Push the ClientFinished and the normal data back into the server rbio */
1901 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1903 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1906 /* Server should be able to read normal data */
1907 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1908 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1911 /* Client and server should not be able to write/read early data now */
1912 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1916 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1918 SSL_READ_EARLY_DATA_ERROR))
1922 /* Client should be able to read the data sent by the server */
1923 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1924 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1928 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1929 * We attempt a read which we do not expect to return any data.
1931 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1934 /* Server should be able to write normal data */
1935 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1936 || !TEST_size_t_eq(written, strlen(MSG7))
1937 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1938 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1941 /* We keep the PSK session around if using PSK */
1943 SSL_SESSION_free(sess);
1944 sess = SSL_get1_session(clientssl);
1945 use_session_cb_cnt = 0;
1946 find_session_cb_cnt = 0;
1948 SSL_shutdown(clientssl);
1949 SSL_shutdown(serverssl);
1950 SSL_free(serverssl);
1951 SSL_free(clientssl);
1952 serverssl = clientssl = NULL;
1953 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1954 &clientssl, NULL, NULL))
1955 || !TEST_true(SSL_set_session(clientssl, sess)))
1958 /* Write and read some early data */
1959 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1961 || !TEST_size_t_eq(written, strlen(MSG1))
1962 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1964 SSL_READ_EARLY_DATA_SUCCESS)
1965 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1968 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1969 || !TEST_int_gt(SSL_accept(serverssl), 0))
1972 /* Client and server should not be able to write/read early data now */
1973 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1977 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1979 SSL_READ_EARLY_DATA_ERROR))
1983 /* Client and server should be able to write/read normal data */
1984 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1985 || !TEST_size_t_eq(written, strlen(MSG5))
1986 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1987 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1993 if (sess != clientpsk)
1994 SSL_SESSION_free(sess);
1995 SSL_SESSION_free(clientpsk);
1996 SSL_SESSION_free(serverpsk);
1997 clientpsk = serverpsk = NULL;
1998 SSL_free(serverssl);
1999 SSL_free(clientssl);
2005 static int test_early_data_replay(int idx)
2007 SSL_CTX *cctx = NULL, *sctx = NULL;
2008 SSL *clientssl = NULL, *serverssl = NULL;
2010 SSL_SESSION *sess = NULL;
2012 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2013 &serverssl, &sess, idx)))
2017 * The server is configured to accept early data. Create a connection to
2018 * "use up" the ticket
2020 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2021 || !TEST_true(SSL_session_reused(clientssl)))
2024 SSL_shutdown(clientssl);
2025 SSL_shutdown(serverssl);
2026 SSL_free(serverssl);
2027 SSL_free(clientssl);
2028 serverssl = clientssl = NULL;
2030 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2031 &clientssl, NULL, NULL))
2032 || !TEST_true(SSL_set_session(clientssl, sess))
2033 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2036 * This time we should not have resumed the session because we
2037 * already used it once.
2039 || !TEST_false(SSL_session_reused(clientssl)))
2045 if (sess != clientpsk)
2046 SSL_SESSION_free(sess);
2047 SSL_SESSION_free(clientpsk);
2048 SSL_SESSION_free(serverpsk);
2049 clientpsk = serverpsk = NULL;
2050 SSL_free(serverssl);
2051 SSL_free(clientssl);
2058 * Helper function to test that a server attempting to read early data can
2059 * handle a connection from a client where the early data should be skipped.
2061 static int early_data_skip_helper(int hrr, int idx)
2063 SSL_CTX *cctx = NULL, *sctx = NULL;
2064 SSL *clientssl = NULL, *serverssl = NULL;
2066 SSL_SESSION *sess = NULL;
2067 unsigned char buf[20];
2068 size_t readbytes, written;
2070 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2071 &serverssl, &sess, idx)))
2075 /* Force an HRR to occur */
2076 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2078 } else if (idx == 2) {
2080 * We force early_data rejection by ensuring the PSK identity is
2083 srvid = "Dummy Identity";
2086 * Deliberately corrupt the creation time. We take 20 seconds off the
2087 * time. It could be any value as long as it is not within tolerance.
2088 * This should mean the ticket is rejected.
2090 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2094 /* Write some early data */
2095 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2097 || !TEST_size_t_eq(written, strlen(MSG1)))
2100 /* Server should reject the early data and skip over it */
2101 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2103 SSL_READ_EARLY_DATA_FINISH)
2104 || !TEST_size_t_eq(readbytes, 0)
2105 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2106 SSL_EARLY_DATA_REJECTED))
2111 * Finish off the handshake. We perform the same writes and reads as
2112 * further down but we expect them to fail due to the incomplete
2115 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2116 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2121 /* Should be able to send normal data despite rejection of early data */
2122 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2123 || !TEST_size_t_eq(written, strlen(MSG2))
2124 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2125 SSL_EARLY_DATA_REJECTED)
2126 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2127 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2133 if (sess != clientpsk)
2134 SSL_SESSION_free(clientpsk);
2135 SSL_SESSION_free(serverpsk);
2136 clientpsk = serverpsk = NULL;
2137 SSL_SESSION_free(sess);
2138 SSL_free(serverssl);
2139 SSL_free(clientssl);
2146 * Test that a server attempting to read early data can handle a connection
2147 * from a client where the early data is not acceptable.
2149 static int test_early_data_skip(int idx)
2151 return early_data_skip_helper(0, idx);
2155 * Test that a server attempting to read early data can handle a connection
2156 * from a client where an HRR occurs.
2158 static int test_early_data_skip_hrr(int idx)
2160 return early_data_skip_helper(1, idx);
2164 * Test that a server attempting to read early data can handle a connection
2165 * from a client that doesn't send any.
2167 static int test_early_data_not_sent(int idx)
2169 SSL_CTX *cctx = NULL, *sctx = NULL;
2170 SSL *clientssl = NULL, *serverssl = NULL;
2172 SSL_SESSION *sess = NULL;
2173 unsigned char buf[20];
2174 size_t readbytes, written;
2176 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2177 &serverssl, &sess, idx)))
2180 /* Write some data - should block due to handshake with server */
2181 SSL_set_connect_state(clientssl);
2182 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2185 /* Server should detect that early data has not been sent */
2186 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2188 SSL_READ_EARLY_DATA_FINISH)
2189 || !TEST_size_t_eq(readbytes, 0)
2190 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2191 SSL_EARLY_DATA_NOT_SENT)
2192 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2193 SSL_EARLY_DATA_NOT_SENT))
2196 /* Continue writing the message we started earlier */
2197 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2198 || !TEST_size_t_eq(written, strlen(MSG1))
2199 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2200 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2201 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2202 || !TEST_size_t_eq(written, strlen(MSG2)))
2206 * Should block due to the NewSessionTicket arrival unless we're using
2210 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2214 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2215 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2221 /* If using PSK then clientpsk and sess are the same */
2222 SSL_SESSION_free(sess);
2223 SSL_SESSION_free(serverpsk);
2224 clientpsk = serverpsk = NULL;
2225 SSL_free(serverssl);
2226 SSL_free(clientssl);
2232 static int hostname_cb(SSL *s, int *al, void *arg)
2234 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2236 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2237 return SSL_TLSEXT_ERR_OK;
2239 return SSL_TLSEXT_ERR_NOACK;
2242 static const char *servalpn;
2244 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2245 unsigned char *outlen, const unsigned char *in,
2246 unsigned int inlen, void *arg)
2248 unsigned int protlen = 0;
2249 const unsigned char *prot;
2251 for (prot = in; prot < in + inlen; prot += protlen) {
2253 if (in + inlen < prot + protlen)
2254 return SSL_TLSEXT_ERR_NOACK;
2256 if (protlen == strlen(servalpn)
2257 && memcmp(prot, servalpn, protlen) == 0) {
2260 return SSL_TLSEXT_ERR_OK;
2264 return SSL_TLSEXT_ERR_NOACK;
2267 /* Test that a PSK can be used to send early_data */
2268 static int test_early_data_psk(int idx)
2270 SSL_CTX *cctx = NULL, *sctx = NULL;
2271 SSL *clientssl = NULL, *serverssl = NULL;
2273 SSL_SESSION *sess = NULL;
2274 unsigned char alpnlist[] = {
2275 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2278 #define GOODALPNLEN 9
2279 #define BADALPNLEN 8
2280 #define GOODALPN (alpnlist)
2281 #define BADALPN (alpnlist + GOODALPNLEN)
2283 unsigned char buf[20];
2284 size_t readbytes, written;
2285 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2286 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2288 /* We always set this up with a final parameter of "2" for PSK */
2289 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2290 &serverssl, &sess, 2)))
2293 servalpn = "goodalpn";
2296 * Note: There is no test for inconsistent SNI with late client detection.
2297 * This is because servers do not acknowledge SNI even if they are using
2298 * it in a resumption handshake - so it is not actually possible for a
2299 * client to detect a problem.
2303 /* Set inconsistent SNI (early client detection) */
2304 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2305 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2306 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2311 /* Set inconsistent ALPN (early client detection) */
2312 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2313 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2314 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2316 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2323 * Set invalid protocol version. Technically this affects PSKs without
2324 * early_data too, but we test it here because it is similar to the
2325 * SNI/ALPN consistency tests.
2327 err = SSL_R_BAD_PSK;
2328 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2334 * Set inconsistent SNI (server detected). In this case the connection
2335 * will succeed but reject early_data.
2337 SSL_SESSION_free(serverpsk);
2338 serverpsk = SSL_SESSION_dup(clientpsk);
2339 if (!TEST_ptr(serverpsk)
2340 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2342 edstatus = SSL_EARLY_DATA_REJECTED;
2343 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2346 /* Set consistent SNI */
2347 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2348 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2349 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2356 * Set inconsistent ALPN (server detected). In this case the connection
2357 * will succeed but reject early_data.
2359 servalpn = "badalpn";
2360 edstatus = SSL_EARLY_DATA_REJECTED;
2361 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2365 * Set consistent ALPN.
2366 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2367 * accepts a list of protos (each one length prefixed).
2368 * SSL_set1_alpn_selected accepts a single protocol (not length
2371 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2373 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2377 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2381 /* Set inconsistent ALPN (late client detection) */
2382 SSL_SESSION_free(serverpsk);
2383 serverpsk = SSL_SESSION_dup(clientpsk);
2384 if (!TEST_ptr(serverpsk)
2385 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2388 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2391 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2394 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2395 edstatus = SSL_EARLY_DATA_ACCEPTED;
2396 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2397 /* SSL_connect() call should fail */
2402 TEST_error("Bad test index");
2406 SSL_set_connect_state(clientssl);
2408 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2410 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2411 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2414 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2418 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2419 &readbytes), readearlyres)
2420 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2421 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2422 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2423 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2430 SSL_SESSION_free(clientpsk);
2431 SSL_SESSION_free(serverpsk);
2432 clientpsk = serverpsk = NULL;
2433 SSL_free(serverssl);
2434 SSL_free(clientssl);
2441 * Test that a server that doesn't try to read early data can handle a
2442 * client sending some.
2444 static int test_early_data_not_expected(int idx)
2446 SSL_CTX *cctx = NULL, *sctx = NULL;
2447 SSL *clientssl = NULL, *serverssl = NULL;
2449 SSL_SESSION *sess = NULL;
2450 unsigned char buf[20];
2451 size_t readbytes, written;
2453 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2454 &serverssl, &sess, idx)))
2457 /* Write some early data */
2458 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2463 * Server should skip over early data and then block waiting for client to
2464 * continue handshake
2466 if (!TEST_int_le(SSL_accept(serverssl), 0)
2467 || !TEST_int_gt(SSL_connect(clientssl), 0)
2468 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2469 SSL_EARLY_DATA_REJECTED)
2470 || !TEST_int_gt(SSL_accept(serverssl), 0)
2471 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2472 SSL_EARLY_DATA_REJECTED))
2475 /* Send some normal data from client to server */
2476 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2477 || !TEST_size_t_eq(written, strlen(MSG2)))
2480 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2481 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2487 /* If using PSK then clientpsk and sess are the same */
2488 SSL_SESSION_free(sess);
2489 SSL_SESSION_free(serverpsk);
2490 clientpsk = serverpsk = NULL;
2491 SSL_free(serverssl);
2492 SSL_free(clientssl);
2499 # ifndef OPENSSL_NO_TLS1_2
2501 * Test that a server attempting to read early data can handle a connection
2502 * from a TLSv1.2 client.
2504 static int test_early_data_tls1_2(int idx)
2506 SSL_CTX *cctx = NULL, *sctx = NULL;
2507 SSL *clientssl = NULL, *serverssl = NULL;
2509 unsigned char buf[20];
2510 size_t readbytes, written;
2512 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2513 &serverssl, NULL, idx)))
2516 /* Write some data - should block due to handshake with server */
2517 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2518 SSL_set_connect_state(clientssl);
2519 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2523 * Server should do TLSv1.2 handshake. First it will block waiting for more
2524 * messages from client after ServerDone. Then SSL_read_early_data should
2525 * finish and detect that early data has not been sent
2527 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2529 SSL_READ_EARLY_DATA_ERROR))
2533 * Continue writing the message we started earlier. Will still block waiting
2534 * for the CCS/Finished from server
2536 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2537 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2539 SSL_READ_EARLY_DATA_FINISH)
2540 || !TEST_size_t_eq(readbytes, 0)
2541 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2542 SSL_EARLY_DATA_NOT_SENT))
2545 /* Continue writing the message we started earlier */
2546 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2547 || !TEST_size_t_eq(written, strlen(MSG1))
2548 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2549 SSL_EARLY_DATA_NOT_SENT)
2550 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2551 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2552 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2553 || !TEST_size_t_eq(written, strlen(MSG2))
2554 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2555 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2561 /* If using PSK then clientpsk and sess are the same */
2562 SSL_SESSION_free(clientpsk);
2563 SSL_SESSION_free(serverpsk);
2564 clientpsk = serverpsk = NULL;
2565 SSL_free(serverssl);
2566 SSL_free(clientssl);
2572 # endif /* OPENSSL_NO_TLS1_2 */
2575 * Test configuring the TLSv1.3 ciphersuites
2577 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2578 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2579 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2580 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2581 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2582 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2583 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2584 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2585 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2586 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2588 static int test_set_ciphersuite(int idx)
2590 SSL_CTX *cctx = NULL, *sctx = NULL;
2591 SSL *clientssl = NULL, *serverssl = NULL;
2594 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2595 TLS1_VERSION, TLS_MAX_VERSION,
2596 &sctx, &cctx, cert, privkey))
2597 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2598 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2601 if (idx >=4 && idx <= 7) {
2602 /* SSL_CTX explicit cipher list */
2603 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2607 if (idx == 0 || idx == 4) {
2608 /* Default ciphersuite */
2609 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2610 "TLS_AES_128_GCM_SHA256")))
2612 } else if (idx == 1 || idx == 5) {
2613 /* Non default ciphersuite */
2614 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2615 "TLS_AES_128_CCM_SHA256")))
2619 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2620 &clientssl, NULL, NULL)))
2623 if (idx == 8 || idx == 9) {
2624 /* SSL explicit cipher list */
2625 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2629 if (idx == 2 || idx == 6 || idx == 8) {
2630 /* Default ciphersuite */
2631 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2632 "TLS_AES_128_GCM_SHA256")))
2634 } else if (idx == 3 || idx == 7 || idx == 9) {
2635 /* Non default ciphersuite */
2636 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2637 "TLS_AES_128_CCM_SHA256")))
2641 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2647 SSL_free(serverssl);
2648 SSL_free(clientssl);
2655 static int test_ciphersuite_change(void)
2657 SSL_CTX *cctx = NULL, *sctx = NULL;
2658 SSL *clientssl = NULL, *serverssl = NULL;
2659 SSL_SESSION *clntsess = NULL;
2661 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2663 /* Create a session based on SHA-256 */
2664 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2665 TLS1_VERSION, TLS_MAX_VERSION,
2666 &sctx, &cctx, cert, privkey))
2667 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2668 "TLS_AES_128_GCM_SHA256"))
2669 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2670 &clientssl, NULL, NULL))
2671 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2675 clntsess = SSL_get1_session(clientssl);
2676 /* Save for later */
2677 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2678 SSL_shutdown(clientssl);
2679 SSL_shutdown(serverssl);
2680 SSL_free(serverssl);
2681 SSL_free(clientssl);
2682 serverssl = clientssl = NULL;
2684 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2685 /* Check we can resume a session with a different SHA-256 ciphersuite */
2686 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2687 "TLS_CHACHA20_POLY1305_SHA256"))
2688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2690 || !TEST_true(SSL_set_session(clientssl, clntsess))
2691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2693 || !TEST_true(SSL_session_reused(clientssl)))
2696 SSL_SESSION_free(clntsess);
2697 clntsess = SSL_get1_session(clientssl);
2698 SSL_shutdown(clientssl);
2699 SSL_shutdown(serverssl);
2700 SSL_free(serverssl);
2701 SSL_free(clientssl);
2702 serverssl = clientssl = NULL;
2706 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2707 * succeeds but does not resume.
2709 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2710 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2712 || !TEST_true(SSL_set_session(clientssl, clntsess))
2713 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2715 || !TEST_false(SSL_session_reused(clientssl)))
2718 SSL_SESSION_free(clntsess);
2720 SSL_shutdown(clientssl);
2721 SSL_shutdown(serverssl);
2722 SSL_free(serverssl);
2723 SSL_free(clientssl);
2724 serverssl = clientssl = NULL;
2726 /* Create a session based on SHA384 */
2727 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2728 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2729 &clientssl, NULL, NULL))
2730 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2734 clntsess = SSL_get1_session(clientssl);
2735 SSL_shutdown(clientssl);
2736 SSL_shutdown(serverssl);
2737 SSL_free(serverssl);
2738 SSL_free(clientssl);
2739 serverssl = clientssl = NULL;
2741 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2742 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2743 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2744 "TLS_AES_256_GCM_SHA384"))
2745 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2747 || !TEST_true(SSL_set_session(clientssl, clntsess))
2749 * We use SSL_ERROR_WANT_READ below so that we can pause the
2750 * connection after the initial ClientHello has been sent to
2751 * enable us to make some session changes.
2753 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2754 SSL_ERROR_WANT_READ)))
2757 /* Trick the client into thinking this session is for a different digest */
2758 clntsess->cipher = aes_128_gcm_sha256;
2759 clntsess->cipher_id = clntsess->cipher->id;
2762 * Continue the previously started connection. Server has selected a SHA-384
2763 * ciphersuite, but client thinks the session is for SHA-256, so it should
2766 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2768 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2769 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2775 SSL_SESSION_free(clntsess);
2776 SSL_free(serverssl);
2777 SSL_free(clientssl);
2786 * Test 0 = Test new style callbacks
2787 * Test 1 = Test both new and old style callbacks
2788 * Test 2 = Test old style callbacks
2789 * Test 3 = Test old style callbacks with no certificate
2791 static int test_tls13_psk(int idx)
2793 SSL_CTX *sctx = NULL, *cctx = NULL;
2794 SSL *serverssl = NULL, *clientssl = NULL;
2795 const SSL_CIPHER *cipher = NULL;
2796 const unsigned char key[] = {
2797 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2798 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2799 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2800 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2804 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2805 TLS1_VERSION, TLS_MAX_VERSION,
2806 &sctx, &cctx, idx == 3 ? NULL : cert,
2807 idx == 3 ? NULL : privkey)))
2812 * We use a ciphersuite with SHA256 to ease testing old style PSK
2813 * callbacks which will always default to SHA256. This should not be
2814 * necessary if we have no cert/priv key. In that case the server should
2815 * prefer SHA256 automatically.
2817 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2818 "TLS_AES_128_GCM_SHA256")))
2823 * Test 0: New style callbacks only
2824 * Test 1: New and old style callbacks (only the new ones should be used)
2825 * Test 2: Old style callbacks only
2827 if (idx == 0 || idx == 1) {
2828 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2829 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2831 #ifndef OPENSSL_NO_PSK
2833 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2834 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2838 use_session_cb_cnt = 0;
2839 find_session_cb_cnt = 0;
2840 psk_client_cb_cnt = 0;
2841 psk_server_cb_cnt = 0;
2845 * Check we can create a connection if callback decides not to send a
2848 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2850 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2852 || !TEST_false(SSL_session_reused(clientssl))
2853 || !TEST_false(SSL_session_reused(serverssl)))
2856 if (idx == 0 || idx == 1) {
2857 if (!TEST_true(use_session_cb_cnt == 1)
2858 || !TEST_true(find_session_cb_cnt == 0)
2860 * If no old style callback then below should be 0
2863 || !TEST_true(psk_client_cb_cnt == idx)
2864 || !TEST_true(psk_server_cb_cnt == 0))
2867 if (!TEST_true(use_session_cb_cnt == 0)
2868 || !TEST_true(find_session_cb_cnt == 0)
2869 || !TEST_true(psk_client_cb_cnt == 1)
2870 || !TEST_true(psk_server_cb_cnt == 0))
2874 shutdown_ssl_connection(serverssl, clientssl);
2875 serverssl = clientssl = NULL;
2876 use_session_cb_cnt = psk_client_cb_cnt = 0;
2879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2883 /* Create the PSK */
2884 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
2885 clientpsk = SSL_SESSION_new();
2886 if (!TEST_ptr(clientpsk)
2887 || !TEST_ptr(cipher)
2888 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2890 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2891 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2893 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2895 serverpsk = clientpsk;
2897 /* Check we can create a connection and the PSK is used */
2898 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2899 || !TEST_true(SSL_session_reused(clientssl))
2900 || !TEST_true(SSL_session_reused(serverssl)))
2903 if (idx == 0 || idx == 1) {
2904 if (!TEST_true(use_session_cb_cnt == 1)
2905 || !TEST_true(find_session_cb_cnt == 1)
2906 || !TEST_true(psk_client_cb_cnt == 0)
2907 || !TEST_true(psk_server_cb_cnt == 0))
2910 if (!TEST_true(use_session_cb_cnt == 0)
2911 || !TEST_true(find_session_cb_cnt == 0)
2912 || !TEST_true(psk_client_cb_cnt == 1)
2913 || !TEST_true(psk_server_cb_cnt == 1))
2917 shutdown_ssl_connection(serverssl, clientssl);
2918 serverssl = clientssl = NULL;
2919 use_session_cb_cnt = find_session_cb_cnt = 0;
2920 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2922 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2927 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2931 * Check we can create a connection, the PSK is used and the callbacks are
2934 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2935 || !TEST_true(SSL_session_reused(clientssl))
2936 || !TEST_true(SSL_session_reused(serverssl)))
2939 if (idx == 0 || idx == 1) {
2940 if (!TEST_true(use_session_cb_cnt == 2)
2941 || !TEST_true(find_session_cb_cnt == 2)
2942 || !TEST_true(psk_client_cb_cnt == 0)
2943 || !TEST_true(psk_server_cb_cnt == 0))
2946 if (!TEST_true(use_session_cb_cnt == 0)
2947 || !TEST_true(find_session_cb_cnt == 0)
2948 || !TEST_true(psk_client_cb_cnt == 2)
2949 || !TEST_true(psk_server_cb_cnt == 2))
2953 shutdown_ssl_connection(serverssl, clientssl);
2954 serverssl = clientssl = NULL;
2955 use_session_cb_cnt = find_session_cb_cnt = 0;
2956 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2960 * Check that if the server rejects the PSK we can still connect, but with
2963 srvid = "Dummy Identity";
2964 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2966 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2968 || !TEST_false(SSL_session_reused(clientssl))
2969 || !TEST_false(SSL_session_reused(serverssl)))
2972 if (idx == 0 || idx == 1) {
2973 if (!TEST_true(use_session_cb_cnt == 1)
2974 || !TEST_true(find_session_cb_cnt == 1)
2975 || !TEST_true(psk_client_cb_cnt == 0)
2977 * If no old style callback then below should be 0
2980 || !TEST_true(psk_server_cb_cnt == idx))
2983 if (!TEST_true(use_session_cb_cnt == 0)
2984 || !TEST_true(find_session_cb_cnt == 0)
2985 || !TEST_true(psk_client_cb_cnt == 1)
2986 || !TEST_true(psk_server_cb_cnt == 1))
2990 shutdown_ssl_connection(serverssl, clientssl);
2991 serverssl = clientssl = NULL;
2996 SSL_SESSION_free(clientpsk);
2997 SSL_SESSION_free(serverpsk);
2998 clientpsk = serverpsk = NULL;
2999 SSL_free(serverssl);
3000 SSL_free(clientssl);
3006 static unsigned char cookie_magic_value[] = "cookie magic";
3008 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3009 unsigned int *cookie_len)
3012 * Not suitable as a real cookie generation function but good enough for
3015 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3016 *cookie_len = sizeof(cookie_magic_value) - 1;
3021 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3022 unsigned int cookie_len)
3024 if (cookie_len == sizeof(cookie_magic_value) - 1
3025 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3031 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3035 int res = generate_cookie_callback(ssl, cookie, &temp);
3040 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3043 return verify_cookie_callback(ssl, cookie, cookie_len);
3046 static int test_stateless(void)
3048 SSL_CTX *sctx = NULL, *cctx = NULL;
3049 SSL *serverssl = NULL, *clientssl = NULL;
3052 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3053 TLS1_VERSION, TLS_MAX_VERSION,
3054 &sctx, &cctx, cert, privkey)))
3057 /* The arrival of CCS messages can confuse the test */
3058 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3060 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3062 /* Send the first ClientHello */
3063 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3064 SSL_ERROR_WANT_READ))
3066 * This should fail with a -1 return because we have no callbacks
3069 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3072 /* Fatal error so abandon the connection from this client */
3073 SSL_free(clientssl);
3076 /* Set up the cookie generation and verification callbacks */
3077 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3078 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3081 * Create a new connection from the client (we can reuse the server SSL
3084 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3086 /* Send the first ClientHello */
3087 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3088 SSL_ERROR_WANT_READ))
3089 /* This should fail because there is no cookie */
3090 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3093 /* Abandon the connection from this client */
3094 SSL_free(clientssl);
3098 * Now create a connection from a new client but with the same server SSL
3101 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3103 /* Send the first ClientHello */
3104 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3105 SSL_ERROR_WANT_READ))
3106 /* This should fail because there is no cookie */
3107 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3108 /* Send the second ClientHello */
3109 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3110 SSL_ERROR_WANT_READ))
3111 /* This should succeed because a cookie is now present */
3112 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3113 /* Complete the connection */
3114 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3118 shutdown_ssl_connection(serverssl, clientssl);
3119 serverssl = clientssl = NULL;
3123 SSL_free(serverssl);
3124 SSL_free(clientssl);
3130 #endif /* OPENSSL_NO_TLS1_3 */
3132 static int clntaddoldcb = 0;
3133 static int clntparseoldcb = 0;
3134 static int srvaddoldcb = 0;
3135 static int srvparseoldcb = 0;
3136 static int clntaddnewcb = 0;
3137 static int clntparsenewcb = 0;
3138 static int srvaddnewcb = 0;
3139 static int srvparsenewcb = 0;
3140 static int snicb = 0;
3142 #define TEST_EXT_TYPE1 0xff00
3144 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3145 size_t *outlen, int *al, void *add_arg)
3147 int *server = (int *)add_arg;
3148 unsigned char *data;
3150 if (SSL_is_server(s))
3155 if (*server != SSL_is_server(s)
3156 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3161 *outlen = sizeof(char);
3165 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3168 OPENSSL_free((unsigned char *)out);
3171 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3172 size_t inlen, int *al, void *parse_arg)
3174 int *server = (int *)parse_arg;
3176 if (SSL_is_server(s))
3181 if (*server != SSL_is_server(s)
3182 || inlen != sizeof(char)
3189 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3190 const unsigned char **out, size_t *outlen, X509 *x,
3191 size_t chainidx, int *al, void *add_arg)
3193 int *server = (int *)add_arg;
3194 unsigned char *data;
3196 if (SSL_is_server(s))
3201 if (*server != SSL_is_server(s)
3202 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3207 *outlen = sizeof(*data);
3211 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3212 const unsigned char *out, void *add_arg)
3214 OPENSSL_free((unsigned char *)out);
3217 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3218 const unsigned char *in, size_t inlen, X509 *x,
3219 size_t chainidx, int *al, void *parse_arg)
3221 int *server = (int *)parse_arg;
3223 if (SSL_is_server(s))
3228 if (*server != SSL_is_server(s)
3229 || inlen != sizeof(char) || *in != 1)
3235 static int sni_cb(SSL *s, int *al, void *arg)
3237 SSL_CTX *ctx = (SSL_CTX *)arg;
3239 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3240 *al = SSL_AD_INTERNAL_ERROR;
3241 return SSL_TLSEXT_ERR_ALERT_FATAL;
3244 return SSL_TLSEXT_ERR_OK;
3248 * Custom call back tests.
3249 * Test 0: Old style callbacks in TLSv1.2
3250 * Test 1: New style callbacks in TLSv1.2
3251 * Test 2: New style callbacks in TLSv1.2 with SNI
3252 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3253 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3255 static int test_custom_exts(int tst)
3257 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3258 SSL *clientssl = NULL, *serverssl = NULL;
3260 static int server = 1;
3261 static int client = 0;
3262 SSL_SESSION *sess = NULL;
3263 unsigned int context;
3265 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3266 /* Skip tests for TLSv1.2 and below in this case */
3271 /* Reset callback counters */
3272 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3273 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3276 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3277 TLS1_VERSION, TLS_MAX_VERSION,
3278 &sctx, &cctx, cert, privkey)))
3282 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3283 TLS1_VERSION, TLS_MAX_VERSION,
3284 &sctx2, NULL, cert, privkey)))
3289 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3290 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3292 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3296 context = SSL_EXT_CLIENT_HELLO
3297 | SSL_EXT_TLS1_2_SERVER_HELLO
3298 | SSL_EXT_TLS1_3_SERVER_HELLO
3299 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3300 | SSL_EXT_TLS1_3_CERTIFICATE
3301 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3303 context = SSL_EXT_CLIENT_HELLO
3304 | SSL_EXT_TLS1_2_SERVER_HELLO
3305 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3308 /* Create a client side custom extension */
3310 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3311 old_add_cb, old_free_cb,
3312 &client, old_parse_cb,
3316 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3317 new_add_cb, new_free_cb,
3318 &client, new_parse_cb, &client)))
3322 /* Should not be able to add duplicates */
3323 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3324 old_add_cb, old_free_cb,
3325 &client, old_parse_cb,
3327 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3328 context, new_add_cb,
3329 new_free_cb, &client,
3330 new_parse_cb, &client)))
3333 /* Create a server side custom extension */
3335 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3336 old_add_cb, old_free_cb,
3337 &server, old_parse_cb,
3341 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3342 new_add_cb, new_free_cb,
3343 &server, new_parse_cb, &server)))
3346 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3347 context, new_add_cb,
3348 new_free_cb, &server,
3349 new_parse_cb, &server)))
3353 /* Should not be able to add duplicates */
3354 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3355 old_add_cb, old_free_cb,
3356 &server, old_parse_cb,
3358 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3359 context, new_add_cb,
3360 new_free_cb, &server,
3361 new_parse_cb, &server)))
3366 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3367 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3372 &clientssl, NULL, NULL))
3373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3378 if (clntaddoldcb != 1
3379 || clntparseoldcb != 1
3381 || srvparseoldcb != 1)
3383 } else if (tst == 1 || tst == 2 || tst == 3) {
3384 if (clntaddnewcb != 1
3385 || clntparsenewcb != 1
3387 || srvparsenewcb != 1
3388 || (tst != 2 && snicb != 0)
3389 || (tst == 2 && snicb != 1))
3392 if (clntaddnewcb != 1
3393 || clntparsenewcb != 4
3395 || srvparsenewcb != 1)
3399 sess = SSL_get1_session(clientssl);
3400 SSL_shutdown(clientssl);
3401 SSL_shutdown(serverssl);
3402 SSL_free(serverssl);
3403 SSL_free(clientssl);
3404 serverssl = clientssl = NULL;
3407 /* We don't bother with the resumption aspects for this test */
3412 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3414 || !TEST_true(SSL_set_session(clientssl, sess))
3415 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3420 * For a resumed session we expect to add the ClientHello extension. For the
3421 * old style callbacks we ignore it on the server side because they set
3422 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3426 if (clntaddoldcb != 2
3427 || clntparseoldcb != 1
3429 || srvparseoldcb != 1)
3431 } else if (tst == 1 || tst == 2 || tst == 3) {
3432 if (clntaddnewcb != 2
3433 || clntparsenewcb != 2
3435 || srvparsenewcb != 2)
3438 /* No Certificate message extensions in the resumption handshake */
3439 if (clntaddnewcb != 2
3440 || clntparsenewcb != 7
3442 || srvparsenewcb != 2)
3449 SSL_SESSION_free(sess);
3450 SSL_free(serverssl);
3451 SSL_free(clientssl);
3452 SSL_CTX_free(sctx2);
3459 * Test loading of serverinfo data in various formats. test_sslmessages actually
3460 * tests to make sure the extensions appear in the handshake
3462 static int test_serverinfo(int tst)
3464 unsigned int version;
3465 unsigned char *sibuf;
3467 int ret, expected, testresult = 0;
3470 ctx = SSL_CTX_new(TLS_method());
3474 if ((tst & 0x01) == 0x01)
3475 version = SSL_SERVERINFOV2;
3477 version = SSL_SERVERINFOV1;
3479 if ((tst & 0x02) == 0x02) {
3480 sibuf = serverinfov2;
3481 sibuflen = sizeof(serverinfov2);
3482 expected = (version == SSL_SERVERINFOV2);
3484 sibuf = serverinfov1;
3485 sibuflen = sizeof(serverinfov1);
3486 expected = (version == SSL_SERVERINFOV1);
3489 if ((tst & 0x04) == 0x04) {
3490 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3492 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3495 * The version variable is irrelevant in this case - it's what is in the
projects / openssl.git / blob