2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "../ssl/ssl_locl.h"
27 static char *cert = NULL;
28 static char *privkey = NULL;
29 static char *srpvfile = NULL;
30 static char *tmpfilename = NULL;
32 #define LOG_BUFFER_SIZE 2048
33 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
34 static size_t server_log_buffer_index = 0;
35 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
36 static size_t client_log_buffer_index = 0;
37 static int error_writing_log = 0;
39 #ifndef OPENSSL_NO_OCSP
40 static const unsigned char orespder[] = "Dummy OCSP Response";
41 static int ocsp_server_called = 0;
42 static int ocsp_client_called = 0;
44 static int cdummyarg = 1;
45 static X509 *ocspcert = NULL;
48 #define NUM_EXTRA_CERTS 40
49 #define CLIENT_VERSION_LEN 2
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
55 struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
58 unsigned int client_early_secret_count;
59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
63 unsigned int early_exporter_secret_count;
64 unsigned int exporter_secret_count;
68 static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
74 static unsigned char serverinfov2[] = {
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
82 static void client_keylog_callback(const SSL *ssl, const char *line)
84 int line_length = strlen(line);
86 /* If the log doesn't fit, error out. */
87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
89 error_writing_log = 1;
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
95 client_log_buffer[client_log_buffer_index++] = '\n';
98 static void server_keylog_callback(const SSL *ssl, const char *line)
100 int line_length = strlen(line);
102 /* If the log doesn't fit, error out. */
103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
104 TEST_info("Server log too full");
105 error_writing_log = 1;
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
111 server_log_buffer[server_log_buffer_index++] = '\n';
114 static int compare_hex_encoded_buffer(const char *hex_encoded,
122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
126 sprintf(hexed, "%02x", raw[i]);
127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
135 static int test_keylog_output(char *buffer, const SSL *ssl,
136 const SSL_SESSION *session,
137 struct sslapitest_log_counts *expected)
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
146 unsigned int client_early_secret_count = 0;
147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
151 unsigned int early_exporter_secret_count = 0;
152 unsigned int exporter_secret_count = 0;
154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
156 if (strcmp(token, "RSA") == 0) {
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
159 * hex-encoded encrypted secret, then the hex-encoded pre-master
162 if (!TEST_ptr(token = strtok(NULL, " \n")))
164 if (!TEST_size_t_eq(strlen(token), 16))
166 if (!TEST_ptr(token = strtok(NULL, " \n")))
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
173 rsa_key_exchange_count++;
174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
177 * client random, then the hex-encoded master secret.
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
185 if (!TEST_ptr(token = strtok(NULL, " \n")))
187 if (!TEST_size_t_eq(strlen(token), 64))
189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
194 if (!TEST_ptr(token = strtok(NULL, " \n")))
196 master_key_size = SSL_SESSION_get_master_key(session,
199 if (!TEST_size_t_ne(master_key_size, 0))
201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
205 master_secret_count++;
206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
212 || strcmp(token, "EXPORTER_SECRET") == 0) {
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
240 if (!TEST_ptr(token = strtok(NULL, " \n")))
242 if (!TEST_size_t_eq(strlen(token), 64))
244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
249 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 * TODO(TLS1.3): test that application traffic secrets are what
256 TEST_info("Unexpected token %s\n", token);
261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
275 expected->server_application_secret_count)
276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
284 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
285 static int test_keylog(void)
287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
290 struct sslapitest_log_counts expected = {0};
292 /* Clean up logging space */
293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
301 TLS1_VERSION, TLS_MAX_VERSION,
302 &sctx, &cctx, cert, privkey)))
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
309 /* We also want to ensure that we use RSA-based key exchange. */
310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
336 * Now we want to test that our output data was vaguely sensible. We
337 * do that by using strtok and confirming that we have more or less the
338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
347 expected.rsa_key_exchange_count = 0;
348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
364 #ifndef OPENSSL_NO_TLS1_3
365 static int test_keylog_no_master_key(void)
367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
369 SSL_SESSION *sess = NULL;
371 struct sslapitest_log_counts expected = {0};
372 unsigned char buf[1];
373 size_t readbytes, written;
375 /* Clean up logging space */
376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
386 SSL3_RT_MAX_PLAIN_LENGTH)))
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
408 || !TEST_false(error_writing_log))
412 * Now we want to test that our output data was vaguely sensible. For this
413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
414 * TLSv1.3, but we do expect both client and server to emit keys.
416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
420 expected.exporter_secret_count = 1;
421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
434 serverssl = clientssl = NULL;
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
454 || !TEST_true(SSL_session_reused(clientssl)))
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
459 expected.early_exporter_secret_count = 1;
460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
470 SSL_SESSION_free(sess);
480 #ifndef OPENSSL_NO_TLS1_2
481 static int full_client_hello_callback(SSL *s, int *al, void *arg)
484 const unsigned char *p;
486 /* We only configure two ciphers, but the SCSV is added automatically. */
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
493 const int expected_extensions[] = {
494 #ifndef OPENSSL_NO_EC
500 /* Make sure we can defer processing and get called back. */
502 return SSL_CLIENT_HELLO_RETRY;
504 len = SSL_client_hello_get0_ciphers(s, &p);
505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
508 || !TEST_int_eq(*p, 0))
509 return SSL_CLIENT_HELLO_ERROR;
510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
511 return SSL_CLIENT_HELLO_ERROR;
512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
514 printf("ClientHello callback expected extensions mismatch\n");
516 return SSL_CLIENT_HELLO_ERROR;
519 return SSL_CLIENT_HELLO_SUCCESS;
522 static int test_client_hello_cb(void)
524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
565 static int execute_test_large_message(const SSL_METHOD *smeth,
566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
575 X509 *chaincert = NULL;
578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
583 if (!TEST_ptr(chaincert))
586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
592 * Test that read_ahead works correctly when dealing with large
595 SSL_CTX_set_read_ahead(cctx, 1);
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
605 certlen = i2d_X509(chaincert, NULL);
606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
609 if (!X509_up_ref(chaincert))
611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
612 X509_free(chaincert);
617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
627 if (!TEST_true(SSL_clear(serverssl)))
632 X509_free(chaincert);
641 static int test_large_message_tls(void)
643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
644 TLS1_VERSION, TLS_MAX_VERSION,
648 static int test_large_message_tls_read_ahead(void)
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
651 TLS1_VERSION, TLS_MAX_VERSION,
655 #ifndef OPENSSL_NO_DTLS
656 static int test_large_message_dtls(void)
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
662 return execute_test_large_message(DTLS_server_method(),
663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
669 #ifndef OPENSSL_NO_OCSP
670 static int ocsp_server_cb(SSL *s, void *arg)
672 int *argi = (int *)arg;
673 unsigned char *copy = NULL;
674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
691 return SSL_TLSEXT_ERR_ALERT_FATAL;
693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
694 ocsp_server_called = 1;
695 return SSL_TLSEXT_ERR_OK;
698 static int ocsp_client_cb(SSL *s, void *arg)
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
704 if (*argi != 1 && *argi != 2)
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
708 if (!TEST_mem_eq(orespder, len, respderin, len))
711 ocsp_client_called = 1;
715 static int test_tlsext_status_type(void)
717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
732 /* First just do various checks getting and setting tlsext_status_type */
734 clientssl = SSL_new(cctx);
735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
749 clientssl = SSL_new(cctx);
750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
793 * This time we'll get the client to send an OCSP_RESPID that it will
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
805 * specific one. We'll use the server cert.
807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
846 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
847 static int new_called, remove_called, get_called;
849 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
853 * sess has been up-refed for us, but we don't actually need it so free it
856 SSL_SESSION_free(sess);
860 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
865 static SSL_SESSION *get_sess_val = NULL;
867 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
875 static int execute_test_session(int maxprot, int use_int_cache,
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
881 # ifndef OPENSSL_NO_TLS1_1
882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
887 new_called = remove_called = 0;
889 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
890 TLS1_VERSION, TLS_MAX_VERSION,
891 &sctx, &cctx, cert, privkey)))
895 * Only allow the max protocol version so we can force a connection failure
898 SSL_CTX_set_min_proto_version(cctx, maxprot);
899 SSL_CTX_set_max_proto_version(cctx, maxprot);
901 /* Set up session cache */
903 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
904 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
907 /* Also covers instance where both are set */
908 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
910 SSL_CTX_set_session_cache_mode(cctx,
911 SSL_SESS_CACHE_CLIENT
912 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
915 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
917 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
919 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
922 /* Should fail because it should already be in the cache */
923 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
926 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
929 new_called = remove_called = 0;
930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
931 &clientssl2, NULL, NULL))
932 || !TEST_true(SSL_set_session(clientssl2, sess1))
933 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
935 || !TEST_true(SSL_session_reused(clientssl2)))
938 if (maxprot == TLS1_3_VERSION) {
940 * In TLSv1.3 we should have created a new session even though we have
941 * resumed. The original session should also have been removed.
944 && (!TEST_int_eq(new_called, 1)
945 || !TEST_int_eq(remove_called, 1)))
949 * In TLSv1.2 we expect to have resumed so no sessions added or
953 && (!TEST_int_eq(new_called, 0)
954 || !TEST_int_eq(remove_called, 0)))
958 SSL_SESSION_free(sess1);
959 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
961 shutdown_ssl_connection(serverssl2, clientssl2);
962 serverssl2 = clientssl2 = NULL;
964 new_called = remove_called = 0;
965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
966 &clientssl2, NULL, NULL))
967 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
971 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
975 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
978 new_called = remove_called = 0;
980 * This should clear sess2 from the cache because it is a "bad" session.
981 * See SSL_set_session() documentation.
983 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
986 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
988 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
992 /* Should succeeded because it should not already be in the cache */
993 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
994 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
998 new_called = remove_called = 0;
999 /* This shouldn't be in the cache so should fail */
1000 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1004 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1007 # if !defined(OPENSSL_NO_TLS1_1)
1008 new_called = remove_called = 0;
1009 /* Force a connection failure */
1010 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1011 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1012 &clientssl3, NULL, NULL))
1013 || !TEST_true(SSL_set_session(clientssl3, sess1))
1014 /* This should fail because of the mismatched protocol versions */
1015 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1019 /* We should have automatically removed the session from the cache */
1021 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1024 /* Should succeed because it should not already be in the cache */
1025 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1029 /* Now do some tests for server side caching */
1030 if (use_ext_cache) {
1031 SSL_CTX_sess_set_new_cb(cctx, NULL);
1032 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1033 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1034 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1035 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1036 get_sess_val = NULL;
1039 SSL_CTX_set_session_cache_mode(cctx, 0);
1040 /* Internal caching is the default on the server side */
1042 SSL_CTX_set_session_cache_mode(sctx,
1043 SSL_SESS_CACHE_SERVER
1044 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1046 SSL_free(serverssl1);
1047 SSL_free(clientssl1);
1048 serverssl1 = clientssl1 = NULL;
1049 SSL_free(serverssl2);
1050 SSL_free(clientssl2);
1051 serverssl2 = clientssl2 = NULL;
1052 SSL_SESSION_free(sess1);
1054 SSL_SESSION_free(sess2);
1057 SSL_CTX_set_max_proto_version(sctx, maxprot);
1058 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1059 new_called = remove_called = get_called = 0;
1060 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1062 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1064 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1065 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1068 /* Should fail because it should already be in the cache */
1069 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
1072 if (use_ext_cache) {
1073 SSL_SESSION *tmp = sess2;
1075 if (!TEST_int_eq(new_called, 1)
1076 || !TEST_int_eq(remove_called, 0)
1077 || !TEST_int_eq(get_called, 0))
1080 * Delete the session from the internal cache to force a lookup from
1081 * the external cache. We take a copy first because
1082 * SSL_CTX_remove_session() also marks the session as non-resumable.
1084 if (use_int_cache) {
1085 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1086 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1088 SSL_SESSION_free(sess2);
1093 new_called = remove_called = get_called = 0;
1094 get_sess_val = sess2;
1095 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1096 &clientssl2, NULL, NULL))
1097 || !TEST_true(SSL_set_session(clientssl2, sess1))
1098 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1100 || !TEST_true(SSL_session_reused(clientssl2)))
1103 if (use_ext_cache) {
1104 if (!TEST_int_eq(remove_called, 0))
1107 if (maxprot == TLS1_3_VERSION) {
1109 * Every time we issue a NewSessionTicket we are creating a new
1110 * session for next time in TLSv1.3
1112 if (!TEST_int_eq(new_called, 1)
1113 || !TEST_int_eq(get_called, 0))
1116 if (!TEST_int_eq(new_called, 0)
1117 || !TEST_int_eq(get_called, 1))
1125 SSL_free(serverssl1);
1126 SSL_free(clientssl1);
1127 SSL_free(serverssl2);
1128 SSL_free(clientssl2);
1129 # ifndef OPENSSL_NO_TLS1_1
1130 SSL_free(serverssl3);
1131 SSL_free(clientssl3);
1133 SSL_SESSION_free(sess1);
1134 SSL_SESSION_free(sess2);
1140 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1142 static int test_session_with_only_int_cache(void)
1144 #ifndef OPENSSL_NO_TLS1_3
1145 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1149 #ifndef OPENSSL_NO_TLS1_2
1150 return execute_test_session(TLS1_2_VERSION, 1, 0);
1156 static int test_session_with_only_ext_cache(void)
1158 #ifndef OPENSSL_NO_TLS1_3
1159 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1163 #ifndef OPENSSL_NO_TLS1_2
1164 return execute_test_session(TLS1_2_VERSION, 0, 1);
1170 static int test_session_with_both_cache(void)
1172 #ifndef OPENSSL_NO_TLS1_3
1173 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1177 #ifndef OPENSSL_NO_TLS1_2
1178 return execute_test_session(TLS1_2_VERSION, 1, 1);
1187 #define USE_DEFAULT 3
1189 #define CONNTYPE_CONNECTION_SUCCESS 0
1190 #define CONNTYPE_CONNECTION_FAIL 1
1191 #define CONNTYPE_NO_CONNECTION 2
1193 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1194 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1195 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1196 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1198 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1202 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1203 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1204 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1206 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1223 * Tests calls to SSL_set_bio() under various conditions.
1225 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1226 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1227 * then do more tests where we create a successful connection first using our
1228 * standard connection setup functions, and then call SSL_set_bio() with
1229 * various combinations of valid BIOs or NULL. We then repeat these tests
1230 * following a failed connection. In this last case we are looking to check that
1231 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1233 static int test_ssl_set_bio(int idx)
1235 SSL_CTX *sctx = NULL, *cctx = NULL;
1238 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1239 SSL *serverssl = NULL, *clientssl = NULL;
1240 int initrbio, initwbio, newrbio, newwbio, conntype;
1243 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1251 conntype = CONNTYPE_NO_CONNECTION;
1253 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1254 initrbio = initwbio = USE_DEFAULT;
1262 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1263 TLS1_VERSION, TLS_MAX_VERSION,
1264 &sctx, &cctx, cert, privkey)))
1267 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1269 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1270 * because we reduced the number of tests in the definition of
1271 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1272 * mismatched protocol versions we will force a connection failure.
1274 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1275 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1278 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1282 if (initrbio == USE_BIO_1
1283 || initwbio == USE_BIO_1
1284 || newrbio == USE_BIO_1
1285 || newwbio == USE_BIO_1) {
1286 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1290 if (initrbio == USE_BIO_2
1291 || initwbio == USE_BIO_2
1292 || newrbio == USE_BIO_2
1293 || newwbio == USE_BIO_2) {
1294 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1298 if (initrbio != USE_DEFAULT) {
1299 setupbio(&irbio, bio1, bio2, initrbio);
1300 setupbio(&iwbio, bio1, bio2, initwbio);
1301 SSL_set_bio(clientssl, irbio, iwbio);
1304 * We want to maintain our own refs to these BIO, so do an up ref for
1305 * each BIO that will have ownership transferred in the SSL_set_bio()
1310 if (iwbio != NULL && iwbio != irbio)
1314 if (conntype != CONNTYPE_NO_CONNECTION
1315 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1317 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1320 setupbio(&nrbio, bio1, bio2, newrbio);
1321 setupbio(&nwbio, bio1, bio2, newwbio);
1324 * We will (maybe) transfer ownership again so do more up refs.
1325 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1330 && (nwbio != iwbio || nrbio != nwbio))
1334 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1337 SSL_set_bio(clientssl, nrbio, nwbio);
1346 * This test is checking that the ref counting for SSL_set_bio is correct.
1347 * If we get here and we did too many frees then we will fail in the above
1348 * functions. If we haven't done enough then this will only be detected in
1349 * a crypto-mdebug build
1351 SSL_free(serverssl);
1352 SSL_free(clientssl);
1358 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1360 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1362 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1367 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1368 || !TEST_ptr(ssl = SSL_new(ctx))
1369 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1370 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1373 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1376 * If anything goes wrong here then we could leak memory, so this will
1377 * be caught in a crypto-mdebug build
1379 BIO_push(sslbio, membio1);
1381 /* Verify changing the rbio/wbio directly does not cause leaks */
1382 if (change_bio != NO_BIO_CHANGE) {
1383 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1385 if (change_bio == CHANGE_RBIO)
1386 SSL_set0_rbio(ssl, membio2);
1388 SSL_set0_wbio(ssl, membio2);
1407 static int test_ssl_bio_pop_next_bio(void)
1409 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1412 static int test_ssl_bio_pop_ssl_bio(void)
1414 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1417 static int test_ssl_bio_change_rbio(void)
1419 return execute_test_ssl_bio(0, CHANGE_RBIO);
1422 static int test_ssl_bio_change_wbio(void)
1424 return execute_test_ssl_bio(0, CHANGE_WBIO);
1427 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1429 /* The list of sig algs */
1431 /* The length of the list */
1433 /* A sigalgs list in string format */
1434 const char *liststr;
1435 /* Whether setting the list should succeed */
1437 /* Whether creating a connection with the list should succeed */
1441 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1442 # ifndef OPENSSL_NO_EC
1443 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1444 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1446 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1447 static const int invalidlist2[] = {NID_sha256, NID_undef};
1448 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1449 static const int invalidlist4[] = {NID_sha256};
1450 static const sigalgs_list testsigalgs[] = {
1451 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1452 # ifndef OPENSSL_NO_EC
1453 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1454 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1456 {NULL, 0, "RSA+SHA256", 1, 1},
1457 # ifndef OPENSSL_NO_EC
1458 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1459 {NULL, 0, "ECDSA+SHA512", 1, 0},
1461 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1462 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1463 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1464 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1465 {NULL, 0, "RSA", 0, 0},
1466 {NULL, 0, "SHA256", 0, 0},
1467 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1468 {NULL, 0, "Invalid", 0, 0}
1471 static int test_set_sigalgs(int idx)
1473 SSL_CTX *cctx = NULL, *sctx = NULL;
1474 SSL *clientssl = NULL, *serverssl = NULL;
1476 const sigalgs_list *curr;
1479 /* Should never happen */
1480 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1483 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1484 curr = testctx ? &testsigalgs[idx]
1485 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1487 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1488 TLS1_VERSION, TLS_MAX_VERSION,
1489 &sctx, &cctx, cert, privkey)))
1493 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1494 * for TLSv1.2 for now until we add a new API.
1496 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1501 if (curr->list != NULL)
1502 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1504 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1508 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1514 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1520 &clientssl, NULL, NULL)))
1526 if (curr->list != NULL)
1527 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1529 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1532 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1541 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1549 SSL_free(serverssl);
1550 SSL_free(clientssl);
1558 #ifndef OPENSSL_NO_TLS1_3
1560 static SSL_SESSION *clientpsk = NULL;
1561 static SSL_SESSION *serverpsk = NULL;
1562 static const char *pskid = "Identity";
1563 static const char *srvid;
1565 static int use_session_cb_cnt = 0;
1566 static int find_session_cb_cnt = 0;
1567 static int psk_client_cb_cnt = 0;
1568 static int psk_server_cb_cnt = 0;
1570 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1571 size_t *idlen, SSL_SESSION **sess)
1573 switch (++use_session_cb_cnt) {
1575 /* The first call should always have a NULL md */
1581 /* The second call should always have an md */
1587 /* We should only be called a maximum of twice */
1591 if (clientpsk != NULL)
1592 SSL_SESSION_up_ref(clientpsk);
1595 *id = (const unsigned char *)pskid;
1596 *idlen = strlen(pskid);
1601 #ifndef OPENSSL_NO_PSK
1602 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1603 unsigned int max_id_len,
1605 unsigned int max_psk_len)
1607 unsigned int psklen = 0;
1609 psk_client_cb_cnt++;
1611 if (strlen(pskid) + 1 > max_id_len)
1614 /* We should only ever be called a maximum of twice per connection */
1615 if (psk_client_cb_cnt > 2)
1618 if (clientpsk == NULL)
1621 /* We'll reuse the PSK we set up for TLSv1.3 */
1622 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1624 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1625 strncpy(id, pskid, max_id_len);
1629 #endif /* OPENSSL_NO_PSK */
1631 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1632 size_t identity_len, SSL_SESSION **sess)
1634 find_session_cb_cnt++;
1636 /* We should only ever be called a maximum of twice per connection */
1637 if (find_session_cb_cnt > 2)
1640 if (serverpsk == NULL)
1643 /* Identity should match that set by the client */
1644 if (strlen(srvid) != identity_len
1645 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1646 /* No PSK found, continue but without a PSK */
1651 SSL_SESSION_up_ref(serverpsk);
1657 #ifndef OPENSSL_NO_PSK
1658 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1659 unsigned char *psk, unsigned int max_psk_len)
1661 unsigned int psklen = 0;
1663 psk_server_cb_cnt++;
1665 /* We should only ever be called a maximum of twice per connection */
1666 if (find_session_cb_cnt > 2)
1669 if (serverpsk == NULL)
1672 /* Identity should match that set by the client */
1673 if (strcmp(srvid, identity) != 0) {
1677 /* We'll reuse the PSK we set up for TLSv1.3 */
1678 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1680 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1684 #endif /* OPENSSL_NO_PSK */
1686 #define MSG1 "Hello"
1687 #define MSG2 "World."
1692 #define MSG7 "message."
1694 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1695 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1698 * Helper method to setup objects for early data test. Caller frees objects on
1701 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1702 SSL **serverssl, SSL_SESSION **sess, int idx)
1704 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1705 TLS1_VERSION, TLS_MAX_VERSION,
1706 sctx, cctx, cert, privkey))
1707 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1708 SSL3_RT_MAX_PLAIN_LENGTH)))
1712 /* When idx == 1 we repeat the tests with read_ahead set */
1713 SSL_CTX_set_read_ahead(*cctx, 1);
1714 SSL_CTX_set_read_ahead(*sctx, 1);
1715 } else if (idx == 2) {
1716 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1717 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1718 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1719 use_session_cb_cnt = 0;
1720 find_session_cb_cnt = 0;
1724 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1729 * For one of the run throughs (doesn't matter which one), we'll try sending
1730 * some SNI data in the initial ClientHello. This will be ignored (because
1731 * there is no SNI cb set up by the server), so it should not impact
1735 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1739 /* Create the PSK */
1740 const SSL_CIPHER *cipher = NULL;
1741 const unsigned char key[] = {
1742 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1743 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1744 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1745 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1746 0x2c, 0x2d, 0x2e, 0x2f
1749 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1750 clientpsk = SSL_SESSION_new();
1751 if (!TEST_ptr(clientpsk)
1752 || !TEST_ptr(cipher)
1753 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1755 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1757 SSL_SESSION_set_protocol_version(clientpsk,
1760 * We just choose an arbitrary value for max_early_data which
1761 * should be big enough for testing purposes.
1763 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1765 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1766 SSL_SESSION_free(clientpsk);
1770 serverpsk = clientpsk;
1773 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1774 SSL_SESSION_free(clientpsk);
1775 SSL_SESSION_free(serverpsk);
1776 clientpsk = serverpsk = NULL;
1787 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1791 *sess = SSL_get1_session(*clientssl);
1792 SSL_shutdown(*clientssl);
1793 SSL_shutdown(*serverssl);
1794 SSL_free(*serverssl);
1795 SSL_free(*clientssl);
1796 *serverssl = *clientssl = NULL;
1798 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1799 clientssl, NULL, NULL))
1800 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1806 static int test_early_data_read_write(int idx)
1808 SSL_CTX *cctx = NULL, *sctx = NULL;
1809 SSL *clientssl = NULL, *serverssl = NULL;
1811 SSL_SESSION *sess = NULL;
1812 unsigned char buf[20], data[1024];
1813 size_t readbytes, written, eoedlen, rawread, rawwritten;
1816 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1817 &serverssl, &sess, idx)))
1820 /* Write and read some early data */
1821 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1823 || !TEST_size_t_eq(written, strlen(MSG1))
1824 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1825 sizeof(buf), &readbytes),
1826 SSL_READ_EARLY_DATA_SUCCESS)
1827 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1828 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1829 SSL_EARLY_DATA_ACCEPTED))
1833 * Server should be able to write data, and client should be able to
1836 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1838 || !TEST_size_t_eq(written, strlen(MSG2))
1839 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1840 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1843 /* Even after reading normal data, client should be able write early data */
1844 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1846 || !TEST_size_t_eq(written, strlen(MSG3)))
1849 /* Server should still be able read early data after writing data */
1850 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1852 SSL_READ_EARLY_DATA_SUCCESS)
1853 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1856 /* Write more data from server and read it from client */
1857 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1859 || !TEST_size_t_eq(written, strlen(MSG4))
1860 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1861 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1865 * If client writes normal data it should mean writing early data is no
1868 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1869 || !TEST_size_t_eq(written, strlen(MSG5))
1870 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1871 SSL_EARLY_DATA_ACCEPTED))
1875 * At this point the client has written EndOfEarlyData, ClientFinished and
1876 * normal (fully protected) data. We are going to cause a delay between the
1877 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1878 * in the read BIO, and then just put back the EndOfEarlyData message.
1880 rbio = SSL_get_rbio(serverssl);
1881 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1882 || !TEST_size_t_lt(rawread, sizeof(data))
1883 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1886 /* Record length is in the 4th and 5th bytes of the record header */
1887 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1888 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1889 || !TEST_size_t_eq(rawwritten, eoedlen))
1892 /* Server should be told that there is no more early data */
1893 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1895 SSL_READ_EARLY_DATA_FINISH)
1896 || !TEST_size_t_eq(readbytes, 0))
1900 * Server has not finished init yet, so should still be able to write early
1903 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1905 || !TEST_size_t_eq(written, strlen(MSG6)))
1908 /* Push the ClientFinished and the normal data back into the server rbio */
1909 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1911 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1914 /* Server should be able to read normal data */
1915 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1916 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1919 /* Client and server should not be able to write/read early data now */
1920 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1924 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1926 SSL_READ_EARLY_DATA_ERROR))
1930 /* Client should be able to read the data sent by the server */
1931 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1932 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1936 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1937 * We attempt a read which we do not expect to return any data.
1939 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1942 /* Server should be able to write normal data */
1943 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1944 || !TEST_size_t_eq(written, strlen(MSG7))
1945 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1946 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1949 SSL_SESSION_free(sess);
1950 sess = SSL_get1_session(clientssl);
1951 use_session_cb_cnt = 0;
1952 find_session_cb_cnt = 0;
1954 SSL_shutdown(clientssl);
1955 SSL_shutdown(serverssl);
1956 SSL_free(serverssl);
1957 SSL_free(clientssl);
1958 serverssl = clientssl = NULL;
1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL))
1961 || !TEST_true(SSL_set_session(clientssl, sess)))
1964 /* Write and read some early data */
1965 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1967 || !TEST_size_t_eq(written, strlen(MSG1))
1968 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1970 SSL_READ_EARLY_DATA_SUCCESS)
1971 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1974 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1975 || !TEST_int_gt(SSL_accept(serverssl), 0))
1978 /* Client and server should not be able to write/read early data now */
1979 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1983 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1985 SSL_READ_EARLY_DATA_ERROR))
1989 /* Client and server should be able to write/read normal data */
1990 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1991 || !TEST_size_t_eq(written, strlen(MSG5))
1992 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1993 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1999 SSL_SESSION_free(sess);
2000 SSL_SESSION_free(clientpsk);
2001 SSL_SESSION_free(serverpsk);
2002 clientpsk = serverpsk = NULL;
2003 SSL_free(serverssl);
2004 SSL_free(clientssl);
2010 static int test_early_data_replay(int idx)
2012 SSL_CTX *cctx = NULL, *sctx = NULL;
2013 SSL *clientssl = NULL, *serverssl = NULL;
2015 SSL_SESSION *sess = NULL;
2017 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2018 &serverssl, &sess, idx)))
2022 * The server is configured to accept early data. Create a connection to
2023 * "use up" the ticket
2025 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2026 || !TEST_true(SSL_session_reused(clientssl)))
2029 SSL_shutdown(clientssl);
2030 SSL_shutdown(serverssl);
2031 SSL_free(serverssl);
2032 SSL_free(clientssl);
2033 serverssl = clientssl = NULL;
2035 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2036 &clientssl, NULL, NULL))
2037 || !TEST_true(SSL_set_session(clientssl, sess))
2038 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2041 * This time we should not have resumed the session because we
2042 * already used it once.
2044 || !TEST_false(SSL_session_reused(clientssl)))
2050 SSL_SESSION_free(sess);
2051 SSL_SESSION_free(clientpsk);
2052 SSL_SESSION_free(serverpsk);
2053 clientpsk = serverpsk = NULL;
2054 SSL_free(serverssl);
2055 SSL_free(clientssl);
2062 * Helper function to test that a server attempting to read early data can
2063 * handle a connection from a client where the early data should be skipped.
2065 static int early_data_skip_helper(int hrr, int idx)
2067 SSL_CTX *cctx = NULL, *sctx = NULL;
2068 SSL *clientssl = NULL, *serverssl = NULL;
2070 SSL_SESSION *sess = NULL;
2071 unsigned char buf[20];
2072 size_t readbytes, written;
2074 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2075 &serverssl, &sess, idx)))
2079 /* Force an HRR to occur */
2080 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2082 } else if (idx == 2) {
2084 * We force early_data rejection by ensuring the PSK identity is
2087 srvid = "Dummy Identity";
2090 * Deliberately corrupt the creation time. We take 20 seconds off the
2091 * time. It could be any value as long as it is not within tolerance.
2092 * This should mean the ticket is rejected.
2094 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2098 /* Write some early data */
2099 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2101 || !TEST_size_t_eq(written, strlen(MSG1)))
2104 /* Server should reject the early data and skip over it */
2105 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2107 SSL_READ_EARLY_DATA_FINISH)
2108 || !TEST_size_t_eq(readbytes, 0)
2109 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2110 SSL_EARLY_DATA_REJECTED))
2115 * Finish off the handshake. We perform the same writes and reads as
2116 * further down but we expect them to fail due to the incomplete
2119 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2120 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2125 /* Should be able to send normal data despite rejection of early data */
2126 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2127 || !TEST_size_t_eq(written, strlen(MSG2))
2128 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2129 SSL_EARLY_DATA_REJECTED)
2130 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2131 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2137 SSL_SESSION_free(clientpsk);
2138 SSL_SESSION_free(serverpsk);
2139 clientpsk = serverpsk = NULL;
2140 SSL_SESSION_free(sess);
2141 SSL_free(serverssl);
2142 SSL_free(clientssl);
2149 * Test that a server attempting to read early data can handle a connection
2150 * from a client where the early data is not acceptable.
2152 static int test_early_data_skip(int idx)
2154 return early_data_skip_helper(0, idx);
2158 * Test that a server attempting to read early data can handle a connection
2159 * from a client where an HRR occurs.
2161 static int test_early_data_skip_hrr(int idx)
2163 return early_data_skip_helper(1, idx);
2167 * Test that a server attempting to read early data can handle a connection
2168 * from a client that doesn't send any.
2170 static int test_early_data_not_sent(int idx)
2172 SSL_CTX *cctx = NULL, *sctx = NULL;
2173 SSL *clientssl = NULL, *serverssl = NULL;
2175 SSL_SESSION *sess = NULL;
2176 unsigned char buf[20];
2177 size_t readbytes, written;
2179 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2180 &serverssl, &sess, idx)))
2183 /* Write some data - should block due to handshake with server */
2184 SSL_set_connect_state(clientssl);
2185 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2188 /* Server should detect that early data has not been sent */
2189 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2191 SSL_READ_EARLY_DATA_FINISH)
2192 || !TEST_size_t_eq(readbytes, 0)
2193 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2194 SSL_EARLY_DATA_NOT_SENT)
2195 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2196 SSL_EARLY_DATA_NOT_SENT))
2199 /* Continue writing the message we started earlier */
2200 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2201 || !TEST_size_t_eq(written, strlen(MSG1))
2202 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2203 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2204 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2205 || !TEST_size_t_eq(written, strlen(MSG2)))
2209 * Should block due to the NewSessionTicket arrival unless we're using
2210 * read_ahead, or PSKs
2212 if (idx != 1 && idx != 2) {
2213 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2217 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2218 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2224 SSL_SESSION_free(sess);
2225 SSL_SESSION_free(clientpsk);
2226 SSL_SESSION_free(serverpsk);
2227 clientpsk = serverpsk = NULL;
2228 SSL_free(serverssl);
2229 SSL_free(clientssl);
2235 static int hostname_cb(SSL *s, int *al, void *arg)
2237 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2239 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2240 return SSL_TLSEXT_ERR_OK;
2242 return SSL_TLSEXT_ERR_NOACK;
2245 static const char *servalpn;
2247 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2248 unsigned char *outlen, const unsigned char *in,
2249 unsigned int inlen, void *arg)
2251 unsigned int protlen = 0;
2252 const unsigned char *prot;
2254 for (prot = in; prot < in + inlen; prot += protlen) {
2256 if (in + inlen < prot + protlen)
2257 return SSL_TLSEXT_ERR_NOACK;
2259 if (protlen == strlen(servalpn)
2260 && memcmp(prot, servalpn, protlen) == 0) {
2263 return SSL_TLSEXT_ERR_OK;
2267 return SSL_TLSEXT_ERR_NOACK;
2270 /* Test that a PSK can be used to send early_data */
2271 static int test_early_data_psk(int idx)
2273 SSL_CTX *cctx = NULL, *sctx = NULL;
2274 SSL *clientssl = NULL, *serverssl = NULL;
2276 SSL_SESSION *sess = NULL;
2277 unsigned char alpnlist[] = {
2278 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2281 #define GOODALPNLEN 9
2282 #define BADALPNLEN 8
2283 #define GOODALPN (alpnlist)
2284 #define BADALPN (alpnlist + GOODALPNLEN)
2286 unsigned char buf[20];
2287 size_t readbytes, written;
2288 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2289 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2291 /* We always set this up with a final parameter of "2" for PSK */
2292 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2293 &serverssl, &sess, 2)))
2296 servalpn = "goodalpn";
2299 * Note: There is no test for inconsistent SNI with late client detection.
2300 * This is because servers do not acknowledge SNI even if they are using
2301 * it in a resumption handshake - so it is not actually possible for a
2302 * client to detect a problem.
2306 /* Set inconsistent SNI (early client detection) */
2307 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2308 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2309 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2314 /* Set inconsistent ALPN (early client detection) */
2315 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2316 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2317 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2319 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2326 * Set invalid protocol version. Technically this affects PSKs without
2327 * early_data too, but we test it here because it is similar to the
2328 * SNI/ALPN consistency tests.
2330 err = SSL_R_BAD_PSK;
2331 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2337 * Set inconsistent SNI (server detected). In this case the connection
2338 * will succeed but reject early_data.
2340 SSL_SESSION_free(serverpsk);
2341 serverpsk = SSL_SESSION_dup(clientpsk);
2342 if (!TEST_ptr(serverpsk)
2343 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2345 edstatus = SSL_EARLY_DATA_REJECTED;
2346 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2349 /* Set consistent SNI */
2350 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2351 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2352 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2359 * Set inconsistent ALPN (server detected). In this case the connection
2360 * will succeed but reject early_data.
2362 servalpn = "badalpn";
2363 edstatus = SSL_EARLY_DATA_REJECTED;
2364 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2368 * Set consistent ALPN.
2369 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2370 * accepts a list of protos (each one length prefixed).
2371 * SSL_set1_alpn_selected accepts a single protocol (not length
2374 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2376 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2380 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2384 /* Set inconsistent ALPN (late client detection) */
2385 SSL_SESSION_free(serverpsk);
2386 serverpsk = SSL_SESSION_dup(clientpsk);
2387 if (!TEST_ptr(serverpsk)
2388 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2391 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2394 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2397 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2398 edstatus = SSL_EARLY_DATA_ACCEPTED;
2399 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2400 /* SSL_connect() call should fail */
2405 TEST_error("Bad test index");
2409 SSL_set_connect_state(clientssl);
2411 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2413 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2414 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2417 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2421 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2422 &readbytes), readearlyres)
2423 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2424 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2425 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2426 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2433 SSL_SESSION_free(sess);
2434 SSL_SESSION_free(clientpsk);
2435 SSL_SESSION_free(serverpsk);
2436 clientpsk = serverpsk = NULL;
2437 SSL_free(serverssl);
2438 SSL_free(clientssl);
2445 * Test that a server that doesn't try to read early data can handle a
2446 * client sending some.
2448 static int test_early_data_not_expected(int idx)
2450 SSL_CTX *cctx = NULL, *sctx = NULL;
2451 SSL *clientssl = NULL, *serverssl = NULL;
2453 SSL_SESSION *sess = NULL;
2454 unsigned char buf[20];
2455 size_t readbytes, written;
2457 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2458 &serverssl, &sess, idx)))
2461 /* Write some early data */
2462 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2467 * Server should skip over early data and then block waiting for client to
2468 * continue handshake
2470 if (!TEST_int_le(SSL_accept(serverssl), 0)
2471 || !TEST_int_gt(SSL_connect(clientssl), 0)
2472 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2473 SSL_EARLY_DATA_REJECTED)
2474 || !TEST_int_gt(SSL_accept(serverssl), 0)
2475 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2476 SSL_EARLY_DATA_REJECTED))
2479 /* Send some normal data from client to server */
2480 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2481 || !TEST_size_t_eq(written, strlen(MSG2)))
2484 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2485 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2491 SSL_SESSION_free(sess);
2492 SSL_SESSION_free(clientpsk);
2493 SSL_SESSION_free(serverpsk);
2494 clientpsk = serverpsk = NULL;
2495 SSL_free(serverssl);
2496 SSL_free(clientssl);
2503 # ifndef OPENSSL_NO_TLS1_2
2505 * Test that a server attempting to read early data can handle a connection
2506 * from a TLSv1.2 client.
2508 static int test_early_data_tls1_2(int idx)
2510 SSL_CTX *cctx = NULL, *sctx = NULL;
2511 SSL *clientssl = NULL, *serverssl = NULL;
2513 unsigned char buf[20];
2514 size_t readbytes, written;
2516 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2517 &serverssl, NULL, idx)))
2520 /* Write some data - should block due to handshake with server */
2521 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2522 SSL_set_connect_state(clientssl);
2523 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2527 * Server should do TLSv1.2 handshake. First it will block waiting for more
2528 * messages from client after ServerDone. Then SSL_read_early_data should
2529 * finish and detect that early data has not been sent
2531 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2533 SSL_READ_EARLY_DATA_ERROR))
2537 * Continue writing the message we started earlier. Will still block waiting
2538 * for the CCS/Finished from server
2540 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2541 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2543 SSL_READ_EARLY_DATA_FINISH)
2544 || !TEST_size_t_eq(readbytes, 0)
2545 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2546 SSL_EARLY_DATA_NOT_SENT))
2549 /* Continue writing the message we started earlier */
2550 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2551 || !TEST_size_t_eq(written, strlen(MSG1))
2552 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2553 SSL_EARLY_DATA_NOT_SENT)
2554 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2555 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2556 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2557 || !TEST_size_t_eq(written, strlen(MSG2))
2558 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2559 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2565 SSL_SESSION_free(clientpsk);
2566 SSL_SESSION_free(serverpsk);
2567 clientpsk = serverpsk = NULL;
2568 SSL_free(serverssl);
2569 SSL_free(clientssl);
2575 # endif /* OPENSSL_NO_TLS1_2 */
2578 * Test configuring the TLSv1.3 ciphersuites
2580 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2581 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2582 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2583 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2584 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2585 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2586 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2587 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2588 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2589 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2591 static int test_set_ciphersuite(int idx)
2593 SSL_CTX *cctx = NULL, *sctx = NULL;
2594 SSL *clientssl = NULL, *serverssl = NULL;
2597 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2598 TLS1_VERSION, TLS_MAX_VERSION,
2599 &sctx, &cctx, cert, privkey))
2600 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2601 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2604 if (idx >=4 && idx <= 7) {
2605 /* SSL_CTX explicit cipher list */
2606 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2610 if (idx == 0 || idx == 4) {
2611 /* Default ciphersuite */
2612 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2613 "TLS_AES_128_GCM_SHA256")))
2615 } else if (idx == 1 || idx == 5) {
2616 /* Non default ciphersuite */
2617 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2618 "TLS_AES_128_CCM_SHA256")))
2622 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2623 &clientssl, NULL, NULL)))
2626 if (idx == 8 || idx == 9) {
2627 /* SSL explicit cipher list */
2628 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2632 if (idx == 2 || idx == 6 || idx == 8) {
2633 /* Default ciphersuite */
2634 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2635 "TLS_AES_128_GCM_SHA256")))
2637 } else if (idx == 3 || idx == 7 || idx == 9) {
2638 /* Non default ciphersuite */
2639 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2640 "TLS_AES_128_CCM_SHA256")))
2644 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2650 SSL_free(serverssl);
2651 SSL_free(clientssl);
2658 static int test_ciphersuite_change(void)
2660 SSL_CTX *cctx = NULL, *sctx = NULL;
2661 SSL *clientssl = NULL, *serverssl = NULL;
2662 SSL_SESSION *clntsess = NULL;
2664 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2666 /* Create a session based on SHA-256 */
2667 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2668 TLS1_VERSION, TLS_MAX_VERSION,
2669 &sctx, &cctx, cert, privkey))
2670 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2671 "TLS_AES_128_GCM_SHA256"))
2672 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2673 &clientssl, NULL, NULL))
2674 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2678 clntsess = SSL_get1_session(clientssl);
2679 /* Save for later */
2680 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2681 SSL_shutdown(clientssl);
2682 SSL_shutdown(serverssl);
2683 SSL_free(serverssl);
2684 SSL_free(clientssl);
2685 serverssl = clientssl = NULL;
2687 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2688 /* Check we can resume a session with a different SHA-256 ciphersuite */
2689 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2690 "TLS_CHACHA20_POLY1305_SHA256"))
2691 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2693 || !TEST_true(SSL_set_session(clientssl, clntsess))
2694 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2696 || !TEST_true(SSL_session_reused(clientssl)))
2699 SSL_SESSION_free(clntsess);
2700 clntsess = SSL_get1_session(clientssl);
2701 SSL_shutdown(clientssl);
2702 SSL_shutdown(serverssl);
2703 SSL_free(serverssl);
2704 SSL_free(clientssl);
2705 serverssl = clientssl = NULL;
2709 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2710 * succeeds but does not resume.
2712 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2713 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2715 || !TEST_true(SSL_set_session(clientssl, clntsess))
2716 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2718 || !TEST_false(SSL_session_reused(clientssl)))
2721 SSL_SESSION_free(clntsess);
2723 SSL_shutdown(clientssl);
2724 SSL_shutdown(serverssl);
2725 SSL_free(serverssl);
2726 SSL_free(clientssl);
2727 serverssl = clientssl = NULL;
2729 /* Create a session based on SHA384 */
2730 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2731 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2732 &clientssl, NULL, NULL))
2733 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2737 clntsess = SSL_get1_session(clientssl);
2738 SSL_shutdown(clientssl);
2739 SSL_shutdown(serverssl);
2740 SSL_free(serverssl);
2741 SSL_free(clientssl);
2742 serverssl = clientssl = NULL;
2744 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2745 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2746 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2747 "TLS_AES_256_GCM_SHA384"))
2748 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2750 || !TEST_true(SSL_set_session(clientssl, clntsess))
2752 * We use SSL_ERROR_WANT_READ below so that we can pause the
2753 * connection after the initial ClientHello has been sent to
2754 * enable us to make some session changes.
2756 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2757 SSL_ERROR_WANT_READ)))
2760 /* Trick the client into thinking this session is for a different digest */
2761 clntsess->cipher = aes_128_gcm_sha256;
2762 clntsess->cipher_id = clntsess->cipher->id;
2765 * Continue the previously started connection. Server has selected a SHA-384
2766 * ciphersuite, but client thinks the session is for SHA-256, so it should
2769 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2771 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2772 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2778 SSL_SESSION_free(clntsess);
2779 SSL_free(serverssl);
2780 SSL_free(clientssl);
2789 * Test 0 = Test new style callbacks
2790 * Test 1 = Test both new and old style callbacks
2791 * Test 2 = Test old style callbacks
2792 * Test 3 = Test old style callbacks with no certificate
2794 static int test_tls13_psk(int idx)
2796 SSL_CTX *sctx = NULL, *cctx = NULL;
2797 SSL *serverssl = NULL, *clientssl = NULL;
2798 const SSL_CIPHER *cipher = NULL;
2799 const unsigned char key[] = {
2800 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2801 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2802 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2803 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2807 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2808 TLS1_VERSION, TLS_MAX_VERSION,
2809 &sctx, &cctx, idx == 3 ? NULL : cert,
2810 idx == 3 ? NULL : privkey)))
2815 * We use a ciphersuite with SHA256 to ease testing old style PSK
2816 * callbacks which will always default to SHA256. This should not be
2817 * necessary if we have no cert/priv key. In that case the server should
2818 * prefer SHA256 automatically.
2820 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2821 "TLS_AES_128_GCM_SHA256")))
2826 * Test 0: New style callbacks only
2827 * Test 1: New and old style callbacks (only the new ones should be used)
2828 * Test 2: Old style callbacks only
2830 if (idx == 0 || idx == 1) {
2831 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2832 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2834 #ifndef OPENSSL_NO_PSK
2836 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2837 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2841 use_session_cb_cnt = 0;
2842 find_session_cb_cnt = 0;
2843 psk_client_cb_cnt = 0;
2844 psk_server_cb_cnt = 0;
2848 * Check we can create a connection if callback decides not to send a
2851 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2853 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2855 || !TEST_false(SSL_session_reused(clientssl))
2856 || !TEST_false(SSL_session_reused(serverssl)))
2859 if (idx == 0 || idx == 1) {
2860 if (!TEST_true(use_session_cb_cnt == 1)
2861 || !TEST_true(find_session_cb_cnt == 0)
2863 * If no old style callback then below should be 0
2866 || !TEST_true(psk_client_cb_cnt == idx)
2867 || !TEST_true(psk_server_cb_cnt == 0))
2870 if (!TEST_true(use_session_cb_cnt == 0)
2871 || !TEST_true(find_session_cb_cnt == 0)
2872 || !TEST_true(psk_client_cb_cnt == 1)
2873 || !TEST_true(psk_server_cb_cnt == 0))
2877 shutdown_ssl_connection(serverssl, clientssl);
2878 serverssl = clientssl = NULL;
2879 use_session_cb_cnt = psk_client_cb_cnt = 0;
2882 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2886 /* Create the PSK */
2887 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
2888 clientpsk = SSL_SESSION_new();
2889 if (!TEST_ptr(clientpsk)
2890 || !TEST_ptr(cipher)
2891 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2893 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2894 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2896 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2898 serverpsk = clientpsk;
2900 /* Check we can create a connection and the PSK is used */
2901 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2902 || !TEST_true(SSL_session_reused(clientssl))
2903 || !TEST_true(SSL_session_reused(serverssl)))
2906 if (idx == 0 || idx == 1) {
2907 if (!TEST_true(use_session_cb_cnt == 1)
2908 || !TEST_true(find_session_cb_cnt == 1)
2909 || !TEST_true(psk_client_cb_cnt == 0)
2910 || !TEST_true(psk_server_cb_cnt == 0))
2913 if (!TEST_true(use_session_cb_cnt == 0)
2914 || !TEST_true(find_session_cb_cnt == 0)
2915 || !TEST_true(psk_client_cb_cnt == 1)
2916 || !TEST_true(psk_server_cb_cnt == 1))
2920 shutdown_ssl_connection(serverssl, clientssl);
2921 serverssl = clientssl = NULL;
2922 use_session_cb_cnt = find_session_cb_cnt = 0;
2923 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2925 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2930 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2934 * Check we can create a connection, the PSK is used and the callbacks are
2937 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2938 || !TEST_true(SSL_session_reused(clientssl))
2939 || !TEST_true(SSL_session_reused(serverssl)))
2942 if (idx == 0 || idx == 1) {
2943 if (!TEST_true(use_session_cb_cnt == 2)
2944 || !TEST_true(find_session_cb_cnt == 2)
2945 || !TEST_true(psk_client_cb_cnt == 0)
2946 || !TEST_true(psk_server_cb_cnt == 0))
2949 if (!TEST_true(use_session_cb_cnt == 0)
2950 || !TEST_true(find_session_cb_cnt == 0)
2951 || !TEST_true(psk_client_cb_cnt == 2)
2952 || !TEST_true(psk_server_cb_cnt == 2))
2956 shutdown_ssl_connection(serverssl, clientssl);
2957 serverssl = clientssl = NULL;
2958 use_session_cb_cnt = find_session_cb_cnt = 0;
2959 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2963 * Check that if the server rejects the PSK we can still connect, but with
2966 srvid = "Dummy Identity";
2967 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2969 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2971 || !TEST_false(SSL_session_reused(clientssl))
2972 || !TEST_false(SSL_session_reused(serverssl)))
2975 if (idx == 0 || idx == 1) {
2976 if (!TEST_true(use_session_cb_cnt == 1)
2977 || !TEST_true(find_session_cb_cnt == 1)
2978 || !TEST_true(psk_client_cb_cnt == 0)
2980 * If no old style callback then below should be 0
2983 || !TEST_true(psk_server_cb_cnt == idx))
2986 if (!TEST_true(use_session_cb_cnt == 0)
2987 || !TEST_true(find_session_cb_cnt == 0)
2988 || !TEST_true(psk_client_cb_cnt == 1)
2989 || !TEST_true(psk_server_cb_cnt == 1))
2993 shutdown_ssl_connection(serverssl, clientssl);
2994 serverssl = clientssl = NULL;
2999 SSL_SESSION_free(clientpsk);
3000 SSL_SESSION_free(serverpsk);
3001 clientpsk = serverpsk = NULL;
3002 SSL_free(serverssl);
3003 SSL_free(clientssl);
3009 static unsigned char cookie_magic_value[] = "cookie magic";
3011 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3012 unsigned int *cookie_len)
3015 * Not suitable as a real cookie generation function but good enough for
3018 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3019 *cookie_len = sizeof(cookie_magic_value) - 1;
3024 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3025 unsigned int cookie_len)
3027 if (cookie_len == sizeof(cookie_magic_value) - 1
3028 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3034 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3038 int res = generate_cookie_callback(ssl, cookie, &temp);
3043 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3046 return verify_cookie_callback(ssl, cookie, cookie_len);
3049 static int test_stateless(void)
3051 SSL_CTX *sctx = NULL, *cctx = NULL;
3052 SSL *serverssl = NULL, *clientssl = NULL;
3055 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3056 TLS1_VERSION, TLS_MAX_VERSION,
3057 &sctx, &cctx, cert, privkey)))
3060 /* The arrival of CCS messages can confuse the test */
3061 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3065 /* Send the first ClientHello */
3066 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3067 SSL_ERROR_WANT_READ))
3069 * This should fail with a -1 return because we have no callbacks
3072 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3075 /* Fatal error so abandon the connection from this client */
3076 SSL_free(clientssl);
3079 /* Set up the cookie generation and verification callbacks */
3080 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3081 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3084 * Create a new connection from the client (we can reuse the server SSL
3087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3089 /* Send the first ClientHello */
3090 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3091 SSL_ERROR_WANT_READ))
3092 /* This should fail because there is no cookie */
3093 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3096 /* Abandon the connection from this client */
3097 SSL_free(clientssl);
3101 * Now create a connection from a new client but with the same server SSL
3104 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3106 /* Send the first ClientHello */
3107 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3108 SSL_ERROR_WANT_READ))
3109 /* This should fail because there is no cookie */
3110 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3111 /* Send the second ClientHello */
3112 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3113 SSL_ERROR_WANT_READ))
3114 /* This should succeed because a cookie is now present */
3115 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3116 /* Complete the connection */
3117 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3121 shutdown_ssl_connection(serverssl, clientssl);
3122 serverssl = clientssl = NULL;
3126 SSL_free(serverssl);
3127 SSL_free(clientssl);
3133 #endif /* OPENSSL_NO_TLS1_3 */
3135 static int clntaddoldcb = 0;
3136 static int clntparseoldcb = 0;
3137 static int srvaddoldcb = 0;
3138 static int srvparseoldcb = 0;
3139 static int clntaddnewcb = 0;
3140 static int clntparsenewcb = 0;
3141 static int srvaddnewcb = 0;
3142 static int srvparsenewcb = 0;
3143 static int snicb = 0;
3145 #define TEST_EXT_TYPE1 0xff00
3147 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3148 size_t *outlen, int *al, void *add_arg)
3150 int *server = (int *)add_arg;
3151 unsigned char *data;
3153 if (SSL_is_server(s))
3158 if (*server != SSL_is_server(s)
3159 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3164 *outlen = sizeof(char);
3168 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3171 OPENSSL_free((unsigned char *)out);
3174 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3175 size_t inlen, int *al, void *parse_arg)
3177 int *server = (int *)parse_arg;
3179 if (SSL_is_server(s))
3184 if (*server != SSL_is_server(s)
3185 || inlen != sizeof(char)
3192 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3193 const unsigned char **out, size_t *outlen, X509 *x,
3194 size_t chainidx, int *al, void *add_arg)
3196 int *server = (int *)add_arg;
3197 unsigned char *data;
3199 if (SSL_is_server(s))
3204 if (*server != SSL_is_server(s)
3205 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3210 *outlen = sizeof(*data);
3214 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3215 const unsigned char *out, void *add_arg)
3217 OPENSSL_free((unsigned char *)out);
3220 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3221 const unsigned char *in, size_t inlen, X509 *x,
3222 size_t chainidx, int *al, void *parse_arg)
3224 int *server = (int *)parse_arg;
3226 if (SSL_is_server(s))
3231 if (*server != SSL_is_server(s)
3232 || inlen != sizeof(char) || *in != 1)
3238 static int sni_cb(SSL *s, int *al, void *arg)
3240 SSL_CTX *ctx = (SSL_CTX *)arg;
3242 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3243 *al = SSL_AD_INTERNAL_ERROR;
3244 return SSL_TLSEXT_ERR_ALERT_FATAL;
3247 return SSL_TLSEXT_ERR_OK;
3251 * Custom call back tests.
3252 * Test 0: Old style callbacks in TLSv1.2
3253 * Test 1: New style callbacks in TLSv1.2
3254 * Test 2: New style callbacks in TLSv1.2 with SNI
3255 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3256 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3258 static int test_custom_exts(int tst)
3260 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3261 SSL *clientssl = NULL, *serverssl = NULL;
3263 static int server = 1;
3264 static int client = 0;
3265 SSL_SESSION *sess = NULL;
3266 unsigned int context;
3268 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3269 /* Skip tests for TLSv1.2 and below in this case */
3274 /* Reset callback counters */
3275 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3276 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3279 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3280 TLS1_VERSION, TLS_MAX_VERSION,
3281 &sctx, &cctx, cert, privkey)))
3285 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3286 TLS1_VERSION, TLS_MAX_VERSION,
3287 &sctx2, NULL, cert, privkey)))
3292 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3293 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3295 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3299 context = SSL_EXT_CLIENT_HELLO
3300 | SSL_EXT_TLS1_2_SERVER_HELLO
3301 | SSL_EXT_TLS1_3_SERVER_HELLO
3302 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3303 | SSL_EXT_TLS1_3_CERTIFICATE
3304 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3306 context = SSL_EXT_CLIENT_HELLO
3307 | SSL_EXT_TLS1_2_SERVER_HELLO
3308 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3311 /* Create a client side custom extension */
3313 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3314 old_add_cb, old_free_cb,
3315 &client, old_parse_cb,
3319 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3320 new_add_cb, new_free_cb,
3321 &client, new_parse_cb, &client)))
3325 /* Should not be able to add duplicates */
3326 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3327 old_add_cb, old_free_cb,
3328 &client, old_parse_cb,
3330 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3331 context, new_add_cb,
3332 new_free_cb, &client,
3333 new_parse_cb, &client)))
3336 /* Create a server side custom extension */
3338 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3339 old_add_cb, old_free_cb,
3340 &server, old_parse_cb,
3344 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3345 new_add_cb, new_free_cb,
3346 &server, new_parse_cb, &server)))
3349 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3350 context, new_add_cb,
3351 new_free_cb, &server,
3352 new_parse_cb, &server)))
3356 /* Should not be able to add duplicates */
3357 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3358 old_add_cb, old_free_cb,
3359 &server, old_parse_cb,
3361 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3362 context, new_add_cb,
3363 new_free_cb, &server,
3364 new_parse_cb, &server)))
3369 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3370 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3374 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3375 &clientssl, NULL, NULL))
3376 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3381 if (clntaddoldcb != 1
3382 || clntparseoldcb != 1
3384 || srvparseoldcb != 1)
3386 } else if (tst == 1 || tst == 2 || tst == 3) {
3387 if (clntaddnewcb != 1
3388 || clntparsenewcb != 1
3390 || srvparsenewcb != 1
3391 || (tst != 2 && snicb != 0)
3392 || (tst == 2 && snicb != 1))
3395 if (clntaddnewcb != 1
3396 || clntparsenewcb != 4
3398 || srvparsenewcb != 1)
3402 sess = SSL_get1_session(clientssl);
3403 SSL_shutdown(clientssl);
3404 SSL_shutdown(serverssl);
3405 SSL_free(serverssl);
3406 SSL_free(clientssl);
3407 serverssl = clientssl = NULL;
3410 /* We don't bother with the resumption aspects for this test */
3415 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3417 || !TEST_true(SSL_set_session(clientssl, sess))
3418 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3423 * For a resumed session we expect to add the ClientHello extension. For the
3424 * old style callbacks we ignore it on the server side because they set
3425 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3429 if (clntaddoldcb != 2
3430 || clntparseoldcb != 1
3432 || srvparseoldcb != 1)
3434 } else if (tst == 1 || tst == 2 || tst == 3) {
3435 if (clntaddnewcb != 2
3436 || clntparsenewcb != 2
3438 || srvparsenewcb != 2)
3441 /* No Certificate message extensions in the resumption handshake */
3442 if (clntaddnewcb != 2
3443 || clntparsenewcb != 7
3445 || srvparsenewcb != 2)
3452 SSL_SESSION_free(sess);
3453 SSL_free(serverssl);
3454 SSL_free(clientssl);
3455 SSL_CTX_free(sctx2);
3462 * Test loading of serverinfo data in various formats. test_sslmessages actually
3463 * tests to make sure the extensions appear in the handshake
3465 static int test_serverinfo(int tst)
3467 unsigned int version;
3468 unsigned char *sibuf;
3470 int ret, expected, testresult = 0;
3473 ctx = SSL_CTX_new(TLS_method());
3477 if ((tst & 0x01) == 0x01)
3478 version = SSL_SERVERINFOV2;
3480 version = SSL_SERVERINFOV1;
3482 if ((tst & 0x02) == 0x02) {
3483 sibuf = serverinfov2;
3484 sibuflen = sizeof(serverinfov2);
3485 expected = (version == SSL_SERVERINFOV2);
3487 sibuf = serverinfov1;
3488 sibuflen = sizeof(serverinfov1);
3489 expected = (version == SSL_SERVERINFOV1);
3492 if ((tst & 0x04) == 0x04) {
3493 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3495 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3498 * The version variable is irrelevant in this case - it's what is in the
3499 * buffer that matters
3501 if ((tst & 0x02) == 0x02)
3507 if (!TEST_true(ret == expected))
3519 * Test that SSL_export_keying_material() produces expected results. There are
3520 * no test vectors so all we do is test that both sides of the communication
3521 * produce the same results for different protocol versions.
3523 static int test_export_key_mat(int tst)
3526 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3527 SSL *clientssl = NULL, *serverssl = NULL;
3528 const char label[] = "test label";
3529 const unsigned char context[] = "context";
3530 const unsigned char *emptycontext = NULL;
3531 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3532 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3533 const int protocols[] = {
3540 #ifdef OPENSSL_NO_TLS1
3544 #ifdef OPENSSL_NO_TLS1_1
3548 #ifdef OPENSSL_NO_TLS1_2
3552 #ifdef OPENSSL_NO_TLS1_3
3556 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3557 TLS1_VERSION, TLS_MAX_VERSION,
3558 &sctx, &cctx, cert, privkey)))
3561 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3562 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3563 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3565 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3567 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3571 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3572 sizeof(ckeymat1), label,
3573 sizeof(label) - 1, context,
3574 sizeof(context) - 1, 1), 1)
3575 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3576 sizeof(ckeymat2), label,
3580 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3581 sizeof(ckeymat3), label,
3584 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3585 sizeof(skeymat1), label,
3588 sizeof(context) -1, 1),
3590 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3591 sizeof(skeymat2), label,
3595 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3596 sizeof(skeymat3), label,
3600 * Check that both sides created the same key material with the
3603 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3606 * Check that both sides created the same key material with an
3609 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3612 * Check that both sides created the same key material without a
3615 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3617 /* Different contexts should produce different results */
3618 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3623 * Check that an empty context and no context produce different results in
3624 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3626 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3628 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3635 SSL_free(serverssl);
3636 SSL_free(clientssl);
3637 SSL_CTX_free(sctx2);
3644 #ifndef OPENSSL_NO_TLS1_3
3646 * Test that SSL_export_keying_material_early() produces expected
3647 * results. There are no test vectors so all we do is test that both
3648 * sides of the communication produce the same results for different
3649 * protocol versions.
3651 static int test_export_key_mat_early(int idx)
3653 static const char label[] = "test label";
3654 static const unsigned char context[] = "context";
3656 SSL_CTX *cctx = NULL, *sctx = NULL;
3657 SSL *clientssl = NULL, *serverssl = NULL;
3658 SSL_SESSION *sess = NULL;
3659 const unsigned char *emptycontext = NULL;
3660 unsigned char ckeymat1[80], ckeymat2[80];
3661 unsigned char skeymat1[80], skeymat2[80];
3662 unsigned char buf[1];
3663 size_t readbytes, written;
3665 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3669 /* Here writing 0 length early data is enough. */
3670 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3671 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3673 SSL_READ_EARLY_DATA_ERROR)
3674 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3675 SSL_EARLY_DATA_ACCEPTED))
3678 if (!TEST_int_eq(SSL_export_keying_material_early(
3679 clientssl, ckeymat1, sizeof(ckeymat1), label,
3680 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3681 || !TEST_int_eq(SSL_export_keying_material_early(
3682 clientssl, ckeymat2, sizeof(ckeymat2), label,
3683 sizeof(label) - 1, emptycontext, 0), 1)
3684 || !TEST_int_eq(SSL_export_keying_material_early(
3685 serverssl, skeymat1, sizeof(skeymat1), label,
3686 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3687 || !TEST_int_eq(SSL_export_keying_material_early(
3688 serverssl, skeymat2, sizeof(skeymat2), label,
3689 sizeof(label) - 1, emptycontext, 0), 1)
3691 * Check that both sides created the same key material with the
3694 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3697 * Check that both sides created the same key material with an
3700 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3702 /* Different contexts should produce different results */
3703 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3710 SSL_SESSION_free(sess);
3711 SSL_SESSION_free(clientpsk);
3712 SSL_SESSION_free(serverpsk);
3713 clientpsk = serverpsk = NULL;
3714 SSL_free(serverssl);
3715 SSL_free(clientssl);
3721 #endif /* OPENSSL_NO_TLS1_3 */
3723 static int test_ssl_clear(int idx)
3725 SSL_CTX *cctx = NULL, *sctx = NULL;
3726 SSL *clientssl = NULL, *serverssl = NULL;
3729 #ifdef OPENSSL_NO_TLS1_2
3734 /* Create an initial connection */
3735 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3736 TLS1_VERSION, TLS_MAX_VERSION,
3737 &sctx, &cctx, cert, privkey))
3739 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3741 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3742 &clientssl, NULL, NULL))
3743 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3747 SSL_shutdown(clientssl);
3748 SSL_shutdown(serverssl);
3749 SSL_free(serverssl);
3752 /* Clear clientssl - we're going to reuse the object */
3753 if (!TEST_true(SSL_clear(clientssl)))
3756 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3758 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3760 || !TEST_true(SSL_session_reused(clientssl)))
3763 SSL_shutdown(clientssl);
3764 SSL_shutdown(serverssl);
3769 SSL_free(serverssl);
3770 SSL_free(clientssl);
3777 /* Parse CH and retrieve any MFL extension value if present */
3778 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3781 unsigned char *data;
3782 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3783 unsigned int MFL_code = 0, type = 0;
3785 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3788 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3789 /* Skip the record header */
3790 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3791 /* Skip the handshake message header */
3792 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3793 /* Skip client version and random */
3794 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3795 + SSL3_RANDOM_SIZE))
3796 /* Skip session id */
3797 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3799 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3800 /* Skip compression */
3801 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3802 /* Extensions len */
3803 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3806 /* Loop through all extensions */
3807 while (PACKET_remaining(&pkt2)) {
3808 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3809 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3812 if (type == TLSEXT_TYPE_max_fragment_length) {
3813 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3814 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3817 *mfl_codemfl_code = MFL_code;
3826 /* Maximum-Fragment-Length TLS extension mode to test */
3827 static const unsigned char max_fragment_len_test[] = {
3828 TLSEXT_max_fragment_length_512,
3829 TLSEXT_max_fragment_length_1024,
3830 TLSEXT_max_fragment_length_2048,
3831 TLSEXT_max_fragment_length_4096
3834 static int test_max_fragment_len_ext(int idx_tst)
3838 int testresult = 0, MFL_mode = 0;
3841 ctx = SSL_CTX_new(TLS_method());
3845 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3846 ctx, max_fragment_len_test[idx_tst])))
3853 rbio = BIO_new(BIO_s_mem());
3854 wbio = BIO_new(BIO_s_mem());
3855 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3861 SSL_set_bio(con, rbio, wbio);
3862 SSL_set_connect_state(con);
3864 if (!TEST_int_le(SSL_connect(con), 0)) {
3865 /* This shouldn't succeed because we don't have a server! */
3869 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3870 /* no MFL in client hello */
3872 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3884 #ifndef OPENSSL_NO_TLS1_3
3885 static int test_pha_key_update(void)
3887 SSL_CTX *cctx = NULL, *sctx = NULL;
3888 SSL *clientssl = NULL, *serverssl = NULL;
3891 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3892 TLS1_VERSION, TLS_MAX_VERSION,
3893 &sctx, &cctx, cert, privkey)))
3896 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3897 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3898 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3899 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3907 SSL_force_post_handshake_auth(clientssl);
3909 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3913 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3914 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3917 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3920 /* Start handshake on the server */
3921 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3924 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3925 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3929 SSL_shutdown(clientssl);
3930 SSL_shutdown(serverssl);
3935 SSL_free(serverssl);
3936 SSL_free(clientssl);
3943 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
3945 static SRP_VBASE *vbase = NULL;
3947 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
3949 int ret = SSL3_AL_FATAL;
3951 SRP_user_pwd *user = NULL;
3953 username = SSL_get_srp_username(s);
3954 if (username == NULL) {
3955 *ad = SSL_AD_INTERNAL_ERROR;
3959 user = SRP_VBASE_get1_by_user(vbase, username);
3961 *ad = SSL_AD_INTERNAL_ERROR;
3965 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
3967 *ad = SSL_AD_INTERNAL_ERROR;
3974 SRP_user_pwd_free(user);
3978 static int create_new_vfile(char *userid, char *password, const char *filename)
3981 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
3984 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
3987 if (!TEST_ptr(dummy) || !TEST_ptr(row))
3990 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
3991 &row[DB_srpverifier], NULL, NULL);
3992 if (!TEST_ptr(gNid))
3996 * The only way to create an empty TXT_DB is to provide a BIO with no data
3999 db = TXT_DB_read(dummy, DB_NUMBER);
4003 out = BIO_new_file(filename, "w");
4007 row[DB_srpid] = OPENSSL_strdup(userid);
4008 row[DB_srptype] = OPENSSL_strdup("V");
4009 row[DB_srpgN] = OPENSSL_strdup(gNid);
4011 if (!TEST_ptr(row[DB_srpid])
4012 || !TEST_ptr(row[DB_srptype])
4013 || !TEST_ptr(row[DB_srpgN])
4014 || !TEST_true(TXT_DB_insert(db, row)))
4019 if (!TXT_DB_write(out, db))
4025 for (i = 0; i < DB_NUMBER; i++)
4026 OPENSSL_free(row[i]);
4036 static int create_new_vbase(char *userid, char *password)
4038 BIGNUM *verifier = NULL, *salt = NULL;
4039 const SRP_gN *lgN = NULL;
4040 SRP_user_pwd *user_pwd = NULL;
4043 lgN = SRP_get_default_gN(NULL);
4047 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4051 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4052 if (!TEST_ptr(user_pwd))
4055 user_pwd->N = lgN->N;
4056 user_pwd->g = lgN->g;
4057 user_pwd->id = OPENSSL_strdup(userid);
4058 if (!TEST_ptr(user_pwd->id))
4061 user_pwd->v = verifier;
4063 verifier = salt = NULL;
4065 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4071 SRP_user_pwd_free(user_pwd);
4081 * Test 0: Simple successful SRP connection, new vbase
4082 * Test 1: Connection failure due to bad password, new vbase
4083 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4084 * Test 3: Connection failure due to bad password, vbase loaded from existing
4086 * Test 4: Simple successful SRP connection, vbase loaded from new file
4087 * Test 5: Connection failure due to bad password, vbase loaded from new file
4089 static int test_srp(int tst)
4091 char *userid = "test", *password = "password", *tstsrpfile;
4092 SSL_CTX *cctx = NULL, *sctx = NULL;
4093 SSL *clientssl = NULL, *serverssl = NULL;
4094 int ret, testresult = 0;
4096 vbase = SRP_VBASE_new(NULL);
4097 if (!TEST_ptr(vbase))
4100 if (tst == 0 || tst == 1) {
4101 if (!TEST_true(create_new_vbase(userid, password)))
4104 if (tst == 4 || tst == 5) {
4105 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4107 tstsrpfile = tmpfilename;
4109 tstsrpfile = srpvfile;
4111 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4115 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4116 TLS1_VERSION, TLS_MAX_VERSION,
4117 &sctx, &cctx, cert, privkey)))
4120 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4121 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4122 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4123 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4124 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4128 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4131 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4135 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4139 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4141 if (!TEST_true(tst % 2 == 0))
4144 if (!TEST_true(tst % 2 == 1))
4151 SRP_VBASE_free(vbase);
4153 SSL_free(serverssl);
4154 SSL_free(clientssl);
4162 static int info_cb_failed = 0;
4163 static int info_cb_offset = 0;
4164 static int info_cb_this_state = -1;
4166 static struct info_cb_states_st {
4168 const char *statestr;
4169 } info_cb_states[][60] = {
4171 /* TLSv1.2 server followed by resumption */
4172 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4173 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4174 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4175 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4176 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4177 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4178 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4179 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4180 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4181 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4182 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4183 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4184 {SSL_CB_EXIT, NULL}, {0, NULL},
4186 /* TLSv1.2 client followed by resumption */
4187 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4188 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4189 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4190 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4191 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4192 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4193 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4194 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4195 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4196 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4197 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4198 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4200 /* TLSv1.3 server followed by resumption */
4201 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4202 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4203 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4204 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4205 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4206 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4207 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4208 {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4209 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4210 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4211 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4212 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
4213 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4214 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4215 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4217 /* TLSv1.3 client followed by resumption */
4218 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4219 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4220 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4221 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4222 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4223 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4224 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4225 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4226 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4227 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4228 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4229 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4230 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4231 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4232 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4233 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4235 /* TLSv1.3 server, early_data */
4236 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4237 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4238 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4239 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4240 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4241 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4242 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4243 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4244 {SSL_CB_EXIT, NULL}, {0, NULL},
4246 /* TLSv1.3 client, early_data */
4247 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4248 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4249 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4250 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4251 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4252 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4253 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4254 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4255 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4256 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4262 static void sslapi_info_callback(const SSL *s, int where, int ret)
4264 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4266 /* We do not ever expect a connection to fail in this test */
4267 if (!TEST_false(ret == 0)) {
4273 * Do some sanity checks. We never expect these things to happen in this
4276 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4277 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4278 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4283 /* Now check we're in the right state */
4284 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4288 if ((where & SSL_CB_LOOP) != 0
4289 && !TEST_int_eq(strcmp(SSL_state_string(s),
4290 state[info_cb_this_state].statestr), 0)) {
4295 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4296 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4303 * Test the info callback gets called when we expect it to.
4305 * Test 0: TLSv1.2, server
4306 * Test 1: TLSv1.2, client
4307 * Test 2: TLSv1.3, server
4308 * Test 3: TLSv1.3, client
4309 * Test 4: TLSv1.3, server, early_data
4310 * Test 5: TLSv1.3, client, early_data
4312 static int test_info_callback(int tst)
4314 SSL_CTX *cctx = NULL, *sctx = NULL;
4315 SSL *clientssl = NULL, *serverssl = NULL;
4316 SSL_SESSION *clntsess = NULL;
4321 #ifndef OPENSSL_NO_TLS1_2
4322 tlsvers = TLS1_2_VERSION;
4327 #ifndef OPENSSL_NO_TLS1_3
4328 tlsvers = TLS1_3_VERSION;
4336 info_cb_this_state = -1;
4337 info_cb_offset = tst;
4339 #ifndef OPENSSL_NO_TLS1_3
4341 SSL_SESSION *sess = NULL;
4342 size_t written, readbytes;
4343 unsigned char buf[80];
4345 /* early_data tests */
4346 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4347 &serverssl, &sess, 0)))
4350 /* We don't actually need this reference */
4351 SSL_SESSION_free(sess);
4353 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4354 sslapi_info_callback);
4356 /* Write and read some early data and then complete the connection */
4357 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4359 || !TEST_size_t_eq(written, strlen(MSG1))
4360 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4361 sizeof(buf), &readbytes),
4362 SSL_READ_EARLY_DATA_SUCCESS)
4363 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4364 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4365 SSL_EARLY_DATA_ACCEPTED)
4366 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4368 || !TEST_false(info_cb_failed))
4376 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4377 TLS_client_method(),
4378 tlsvers, tlsvers, &sctx, &cctx, cert,
4383 * For even numbered tests we check the server callbacks. For odd numbers we
4386 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4387 sslapi_info_callback);
4389 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4390 &clientssl, NULL, NULL))
4391 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4393 || !TEST_false(info_cb_failed))
4398 clntsess = SSL_get1_session(clientssl);
4399 SSL_shutdown(clientssl);
4400 SSL_shutdown(serverssl);
4401 SSL_free(serverssl);
4402 SSL_free(clientssl);
4403 serverssl = clientssl = NULL;
4405 /* Now do a resumption */
4406 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4408 || !TEST_true(SSL_set_session(clientssl, clntsess))
4409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4411 || !TEST_true(SSL_session_reused(clientssl))
4412 || !TEST_false(info_cb_failed))
4418 SSL_free(serverssl);
4419 SSL_free(clientssl);
4420 SSL_SESSION_free(clntsess);
4426 static int test_ssl_pending(int tst)
4428 SSL_CTX *cctx = NULL, *sctx = NULL;
4429 SSL *clientssl = NULL, *serverssl = NULL;
4431 char msg[] = "A test message";
4433 size_t written, readbytes;
4436 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4437 TLS_client_method(),
4438 TLS1_VERSION, TLS_MAX_VERSION,
4439 &sctx, &cctx, cert, privkey)))
4442 #ifndef OPENSSL_NO_DTLS
4443 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4444 DTLS_client_method(),
4445 DTLS1_VERSION, DTLS_MAX_VERSION,
4446 &sctx, &cctx, cert, privkey)))
4453 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4455 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4459 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4460 || !TEST_false(SSL_has_pending(clientssl))
4461 || !TEST_int_eq(SSL_pending(serverssl), 0)
4462 || !TEST_false(SSL_has_pending(serverssl))
4463 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4464 || !TEST_size_t_eq(written, sizeof(msg))
4465 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4466 || !TEST_size_t_eq(readbytes, sizeof(buf))
4467 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4468 || !TEST_true(SSL_has_pending(clientssl)))
4474 SSL_free(serverssl);
4475 SSL_free(clientssl);
4483 unsigned int maxprot;
4484 const char *clntciphers;
4485 const char *clnttls13ciphers;
4486 const char *srvrciphers;
4487 const char *srvrtls13ciphers;
4489 } shared_ciphers_data[] = {
4491 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4492 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4494 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
4497 "AES128-SHA:AES256-SHA",
4499 "AES256-SHA:DHE-RSA-AES128-SHA",
4505 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4507 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4509 "AES128-SHA:AES256-SHA"
4513 "AES128-SHA:AES256-SHA",
4515 "AES128-SHA:DHE-RSA-AES128-SHA",
4521 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4524 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4525 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4528 "AES128-SHA:AES256-SHA",
4530 "AES256-SHA:AES128-SHA256",
4532 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4533 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4536 #ifndef OPENSSL_NO_TLS1_3
4540 "TLS_AES_256_GCM_SHA384",
4542 "TLS_AES_256_GCM_SHA384",
4543 "TLS_AES_256_GCM_SHA384"
4548 static int test_ssl_get_shared_ciphers(int tst)
4550 SSL_CTX *cctx = NULL, *sctx = NULL;
4551 SSL *clientssl = NULL, *serverssl = NULL;
4555 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4556 TLS_client_method(),
4558 shared_ciphers_data[tst].maxprot,
4559 &sctx, &cctx, cert, privkey)))
4562 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4563 shared_ciphers_data[tst].clntciphers))
4564 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
4565 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4566 shared_ciphers_data[tst].clnttls13ciphers)))
4567 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
4568 shared_ciphers_data[tst].srvrciphers))
4569 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
4570 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4571 shared_ciphers_data[tst].srvrtls13ciphers))))
4575 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4577 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4581 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
4582 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
4583 TEST_info("Shared ciphers are: %s\n", buf);
4590 SSL_free(serverssl);
4591 SSL_free(clientssl);
4598 static const char *appdata = "Hello World";
4599 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
4600 static int tick_key_renew = 0;
4601 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4603 static int gen_tick_cb(SSL *s, void *arg)
4605 gen_tick_called = 1;
4607 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
4611 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
4612 const unsigned char *keyname,
4613 size_t keyname_length,
4614 SSL_TICKET_STATUS status,
4620 dec_tick_called = 1;
4622 if (status == SSL_TICKET_EMPTY)
4623 return SSL_TICKET_RETURN_IGNORE_RENEW;
4625 if (!TEST_true(status == SSL_TICKET_SUCCESS
4626 || status == SSL_TICKET_SUCCESS_RENEW))
4627 return SSL_TICKET_RETURN_ABORT;
4629 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
4631 || !TEST_size_t_eq(tickdlen, strlen(appdata))
4632 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
4633 return SSL_TICKET_RETURN_ABORT;
4635 if (tick_key_cb_called) {
4636 /* Don't change what the ticket key callback wanted to do */
4638 case SSL_TICKET_NO_DECRYPT:
4639 return SSL_TICKET_RETURN_IGNORE_RENEW;
4641 case SSL_TICKET_SUCCESS:
4642 return SSL_TICKET_RETURN_USE;
4644 case SSL_TICKET_SUCCESS_RENEW:
4645 return SSL_TICKET_RETURN_USE_RENEW;
4648 return SSL_TICKET_RETURN_ABORT;
4651 return tick_dec_ret;
4655 static int tick_key_cb(SSL *s, unsigned char key_name[16],
4656 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
4657 HMAC_CTX *hctx, int enc)
4659 const unsigned char tick_aes_key[16] = "0123456789abcdef";
4660 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
4662 tick_key_cb_called = 1;
4663 memset(iv, 0, AES_BLOCK_SIZE);
4664 memset(key_name, 0, 16);
4665 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
4666 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
4667 EVP_sha256(), NULL))
4670 return tick_key_renew ? 2 : 1;
4674 * Test the various ticket callbacks
4675 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
4676 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
4677 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
4678 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
4679 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
4680 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
4681 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
4682 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
4683 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
4684 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
4685 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
4686 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
4688 static int test_ticket_callbacks(int tst)
4690 SSL_CTX *cctx = NULL, *sctx = NULL;
4691 SSL *clientssl = NULL, *serverssl = NULL;
4692 SSL_SESSION *clntsess = NULL;
4695 #ifdef OPENSSL_NO_TLS1_2
4699 #ifdef OPENSSL_NO_TLS1_3
4704 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
4706 /* Which tests the ticket key callback should request renewal for */
4707 if (tst == 10 || tst == 11)
4712 /* Which tests the decrypt ticket callback should request renewal for */
4716 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
4721 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
4726 tick_dec_ret = SSL_TICKET_RETURN_USE;
4731 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
4735 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4738 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4739 TLS_client_method(),
4741 ((tst % 2) == 0) ? TLS1_2_VERSION
4743 &sctx, &cctx, cert, privkey)))
4747 * We only want sessions to resume from tickets - not the session cache. So
4748 * switch the cache off.
4750 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
4753 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
4758 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
4761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4763 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4768 * The decrypt ticket key callback in TLSv1.2 should be called even though
4769 * we have no ticket yet, because it gets called with a status of
4770 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
4771 * actually send any ticket data). This does not happen in TLSv1.3 because
4772 * it is not valid to send empty ticket data in TLSv1.3.
4774 if (!TEST_int_eq(gen_tick_called, 1)
4775 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
4778 gen_tick_called = dec_tick_called = 0;
4780 clntsess = SSL_get1_session(clientssl);
4781 SSL_shutdown(clientssl);
4782 SSL_shutdown(serverssl);
4783 SSL_free(serverssl);
4784 SSL_free(clientssl);
4785 serverssl = clientssl = NULL;
4787 /* Now do a resumption */
4788 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4790 || !TEST_true(SSL_set_session(clientssl, clntsess))
4791 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4795 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
4796 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
4797 if (!TEST_false(SSL_session_reused(clientssl)))
4800 if (!TEST_true(SSL_session_reused(clientssl)))
4804 if (!TEST_int_eq(gen_tick_called,
4806 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
4807 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
4809 || !TEST_int_eq(dec_tick_called, 1))
4815 SSL_SESSION_free(clntsess);
4816 SSL_free(serverssl);
4817 SSL_free(clientssl);
4824 int setup_tests(void)
4826 if (!TEST_ptr(cert = test_get_argument(0))
4827 || !TEST_ptr(privkey = test_get_argument(1))
4828 || !TEST_ptr(srpvfile = test_get_argument(2))
4829 || !TEST_ptr(tmpfilename = test_get_argument(3)))
4832 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
4833 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
4834 TEST_error("not supported in this build");
4837 int i, mcount, rcount, fcount;
4839 for (i = 0; i < 4; i++)
4840 test_export_key_mat(i);
4841 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
4842 test_printf_stdout("malloc %d realloc %d free %d\n",
4843 mcount, rcount, fcount);
4848 ADD_TEST(test_large_message_tls);
4849 ADD_TEST(test_large_message_tls_read_ahead);
4850 #ifndef OPENSSL_NO_DTLS
4851 ADD_TEST(test_large_message_dtls);
4853 #ifndef OPENSSL_NO_OCSP
4854 ADD_TEST(test_tlsext_status_type);
4856 ADD_TEST(test_session_with_only_int_cache);
4857 ADD_TEST(test_session_with_only_ext_cache);
4858 ADD_TEST(test_session_with_both_cache);
4859 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
4860 ADD_TEST(test_ssl_bio_pop_next_bio);
4861 ADD_TEST(test_ssl_bio_pop_ssl_bio);
4862 ADD_TEST(test_ssl_bio_change_rbio);
4863 ADD_TEST(test_ssl_bio_change_wbio);
4864 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
4865 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
4866 ADD_TEST(test_keylog);
4868 #ifndef OPENSSL_NO_TLS1_3
4869 ADD_TEST(test_keylog_no_master_key);
4871 #ifndef OPENSSL_NO_TLS1_2
4872 ADD_TEST(test_client_hello_cb);
4874 #ifndef OPENSSL_NO_TLS1_3
4875 ADD_ALL_TESTS(test_early_data_read_write, 3);
4877 * We don't do replay tests for external PSK. Replay protection isn't used
4880 ADD_ALL_TESTS(test_early_data_replay, 2);
4881 ADD_ALL_TESTS(test_early_data_skip, 3);
4882 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
4883 ADD_ALL_TESTS(test_early_data_not_sent, 3);
4884 ADD_ALL_TESTS(test_early_data_psk, 8);
4885 ADD_ALL_TESTS(test_early_data_not_expected, 3);
4886 # ifndef OPENSSL_NO_TLS1_2
4887 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
4890 #ifndef OPENSSL_NO_TLS1_3
4891 ADD_ALL_TESTS(test_set_ciphersuite, 10);
4892 ADD_TEST(test_ciphersuite_change);
4893 #ifdef OPENSSL_NO_PSK
4894 ADD_ALL_TESTS(test_tls13_psk, 1);
4896 ADD_ALL_TESTS(test_tls13_psk, 4);
4897 #endif /* OPENSSL_NO_PSK */
4898 ADD_ALL_TESTS(test_custom_exts, 5);
4899 ADD_TEST(test_stateless);
4900 ADD_TEST(test_pha_key_update);
4902 ADD_ALL_TESTS(test_custom_exts, 3);
4904 ADD_ALL_TESTS(test_serverinfo, 8);
4905 ADD_ALL_TESTS(test_export_key_mat, 4);
4906 #ifndef OPENSSL_NO_TLS1_3
4907 ADD_ALL_TESTS(test_export_key_mat_early, 3);
4909 ADD_ALL_TESTS(test_ssl_clear, 2);
4910 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
4911 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4912 ADD_ALL_TESTS(test_srp, 6);
4914 ADD_ALL_TESTS(test_info_callback, 6);
4915 ADD_ALL_TESTS(test_ssl_pending, 2);
4916 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
4917 ADD_ALL_TESTS(test_ticket_callbacks, 12);
4921 void cleanup_tests(void)
4923 bio_s_mempacket_test_free();