2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include <openssl/opensslconf.h>
14 #include <openssl/bio.h>
15 #include <openssl/crypto.h>
16 #include <openssl/ssl.h>
17 #include <openssl/ocsp.h>
18 #include <openssl/srp.h>
19 #include <openssl/txt_db.h>
20 #include <openssl/aes.h>
21 #include <openssl/rand.h>
23 #include "ssltestlib.h"
25 #include "testutil/output.h"
26 #include "internal/nelem.h"
27 #include "internal/ktls.h"
28 #include "../ssl/ssl_locl.h"
30 #ifndef OPENSSL_NO_TLS1_3
32 static SSL_SESSION *clientpsk = NULL;
33 static SSL_SESSION *serverpsk = NULL;
34 static const char *pskid = "Identity";
35 static const char *srvid;
37 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
38 size_t *idlen, SSL_SESSION **sess);
39 static int find_session_cb(SSL *ssl, const unsigned char *identity,
40 size_t identity_len, SSL_SESSION **sess);
42 static int use_session_cb_cnt = 0;
43 static int find_session_cb_cnt = 0;
45 static SSL_SESSION *create_a_psk(SSL *ssl);
48 static char *certsdir = NULL;
49 static char *cert = NULL;
50 static char *privkey = NULL;
51 static char *srpvfile = NULL;
52 static char *tmpfilename = NULL;
54 #define LOG_BUFFER_SIZE 2048
55 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
56 static size_t server_log_buffer_index = 0;
57 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
58 static size_t client_log_buffer_index = 0;
59 static int error_writing_log = 0;
61 #ifndef OPENSSL_NO_OCSP
62 static const unsigned char orespder[] = "Dummy OCSP Response";
63 static int ocsp_server_called = 0;
64 static int ocsp_client_called = 0;
66 static int cdummyarg = 1;
67 static X509 *ocspcert = NULL;
70 #define NUM_EXTRA_CERTS 40
71 #define CLIENT_VERSION_LEN 2
74 * This structure is used to validate that the correct number of log messages
75 * of various types are emitted when emitting secret logs.
77 struct sslapitest_log_counts {
78 unsigned int rsa_key_exchange_count;
79 unsigned int master_secret_count;
80 unsigned int client_early_secret_count;
81 unsigned int client_handshake_secret_count;
82 unsigned int server_handshake_secret_count;
83 unsigned int client_application_secret_count;
84 unsigned int server_application_secret_count;
85 unsigned int early_exporter_secret_count;
86 unsigned int exporter_secret_count;
90 static unsigned char serverinfov1[] = {
91 0xff, 0xff, /* Dummy extension type */
92 0x00, 0x01, /* Extension length is 1 byte */
93 0xff /* Dummy extension data */
96 static unsigned char serverinfov2[] = {
98 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
99 0xff, 0xff, /* Dummy extension type */
100 0x00, 0x01, /* Extension length is 1 byte */
101 0xff /* Dummy extension data */
104 static void client_keylog_callback(const SSL *ssl, const char *line)
106 int line_length = strlen(line);
108 /* If the log doesn't fit, error out. */
109 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
110 TEST_info("Client log too full");
111 error_writing_log = 1;
115 strcat(client_log_buffer, line);
116 client_log_buffer_index += line_length;
117 client_log_buffer[client_log_buffer_index++] = '\n';
120 static void server_keylog_callback(const SSL *ssl, const char *line)
122 int line_length = strlen(line);
124 /* If the log doesn't fit, error out. */
125 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
126 TEST_info("Server log too full");
127 error_writing_log = 1;
131 strcat(server_log_buffer, line);
132 server_log_buffer_index += line_length;
133 server_log_buffer[server_log_buffer_index++] = '\n';
136 static int compare_hex_encoded_buffer(const char *hex_encoded,
144 if (!TEST_size_t_eq(raw_length * 2, hex_length))
147 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
148 sprintf(hexed, "%02x", raw[i]);
149 if (!TEST_int_eq(hexed[0], hex_encoded[j])
150 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
157 static int test_keylog_output(char *buffer, const SSL *ssl,
158 const SSL_SESSION *session,
159 struct sslapitest_log_counts *expected)
162 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
163 size_t client_random_size = SSL3_RANDOM_SIZE;
164 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
165 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
166 unsigned int rsa_key_exchange_count = 0;
167 unsigned int master_secret_count = 0;
168 unsigned int client_early_secret_count = 0;
169 unsigned int client_handshake_secret_count = 0;
170 unsigned int server_handshake_secret_count = 0;
171 unsigned int client_application_secret_count = 0;
172 unsigned int server_application_secret_count = 0;
173 unsigned int early_exporter_secret_count = 0;
174 unsigned int exporter_secret_count = 0;
176 for (token = strtok(buffer, " \n"); token != NULL;
177 token = strtok(NULL, " \n")) {
178 if (strcmp(token, "RSA") == 0) {
180 * Premaster secret. Tokens should be: 16 ASCII bytes of
181 * hex-encoded encrypted secret, then the hex-encoded pre-master
184 if (!TEST_ptr(token = strtok(NULL, " \n")))
186 if (!TEST_size_t_eq(strlen(token), 16))
188 if (!TEST_ptr(token = strtok(NULL, " \n")))
191 * We can't sensibly check the log because the premaster secret is
192 * transient, and OpenSSL doesn't keep hold of it once the master
193 * secret is generated.
195 rsa_key_exchange_count++;
196 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
198 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
199 * client random, then the hex-encoded master secret.
201 client_random_size = SSL_get_client_random(ssl,
202 actual_client_random,
204 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
207 if (!TEST_ptr(token = strtok(NULL, " \n")))
209 if (!TEST_size_t_eq(strlen(token), 64))
211 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
212 actual_client_random,
213 client_random_size)))
216 if (!TEST_ptr(token = strtok(NULL, " \n")))
218 master_key_size = SSL_SESSION_get_master_key(session,
221 if (!TEST_size_t_ne(master_key_size, 0))
223 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
227 master_secret_count++;
228 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
229 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
230 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
231 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
232 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
233 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
234 || strcmp(token, "EXPORTER_SECRET") == 0) {
236 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
237 * client random, and then the hex-encoded secret. In this case,
238 * we treat all of these secrets identically and then just
239 * distinguish between them when counting what we saw.
241 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
242 client_early_secret_count++;
243 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
244 client_handshake_secret_count++;
245 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
246 server_handshake_secret_count++;
247 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
248 client_application_secret_count++;
249 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
250 server_application_secret_count++;
251 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
252 early_exporter_secret_count++;
253 else if (strcmp(token, "EXPORTER_SECRET") == 0)
254 exporter_secret_count++;
256 client_random_size = SSL_get_client_random(ssl,
257 actual_client_random,
259 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
262 if (!TEST_ptr(token = strtok(NULL, " \n")))
264 if (!TEST_size_t_eq(strlen(token), 64))
266 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
267 actual_client_random,
268 client_random_size)))
271 if (!TEST_ptr(token = strtok(NULL, " \n")))
275 * TODO(TLS1.3): test that application traffic secrets are what
278 TEST_info("Unexpected token %s\n", token);
283 /* Got what we expected? */
284 if (!TEST_size_t_eq(rsa_key_exchange_count,
285 expected->rsa_key_exchange_count)
286 || !TEST_size_t_eq(master_secret_count,
287 expected->master_secret_count)
288 || !TEST_size_t_eq(client_early_secret_count,
289 expected->client_early_secret_count)
290 || !TEST_size_t_eq(client_handshake_secret_count,
291 expected->client_handshake_secret_count)
292 || !TEST_size_t_eq(server_handshake_secret_count,
293 expected->server_handshake_secret_count)
294 || !TEST_size_t_eq(client_application_secret_count,
295 expected->client_application_secret_count)
296 || !TEST_size_t_eq(server_application_secret_count,
297 expected->server_application_secret_count)
298 || !TEST_size_t_eq(early_exporter_secret_count,
299 expected->early_exporter_secret_count)
300 || !TEST_size_t_eq(exporter_secret_count,
301 expected->exporter_secret_count))
306 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
307 static int test_keylog(void)
309 SSL_CTX *cctx = NULL, *sctx = NULL;
310 SSL *clientssl = NULL, *serverssl = NULL;
312 struct sslapitest_log_counts expected;
314 /* Clean up logging space */
315 memset(&expected, 0, sizeof(expected));
316 memset(client_log_buffer, 0, sizeof(client_log_buffer));
317 memset(server_log_buffer, 0, sizeof(server_log_buffer));
318 client_log_buffer_index = 0;
319 server_log_buffer_index = 0;
320 error_writing_log = 0;
322 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
325 &sctx, &cctx, cert, privkey)))
328 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
329 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
330 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
332 /* We also want to ensure that we use RSA-based key exchange. */
333 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
336 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
337 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
339 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
340 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
341 == client_keylog_callback))
343 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
344 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
345 == server_keylog_callback))
348 /* Now do a handshake and check that the logs have been written to. */
349 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
350 &clientssl, NULL, NULL))
351 || !TEST_true(create_ssl_connection(serverssl, clientssl,
353 || !TEST_false(error_writing_log)
354 || !TEST_int_gt(client_log_buffer_index, 0)
355 || !TEST_int_gt(server_log_buffer_index, 0))
359 * Now we want to test that our output data was vaguely sensible. We
360 * do that by using strtok and confirming that we have more or less the
361 * data we expect. For both client and server, we expect to see one master
362 * secret. The client should also see a RSA key exchange.
364 expected.rsa_key_exchange_count = 1;
365 expected.master_secret_count = 1;
366 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
367 SSL_get_session(clientssl), &expected)))
370 expected.rsa_key_exchange_count = 0;
371 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
372 SSL_get_session(serverssl), &expected)))
387 #ifndef OPENSSL_NO_TLS1_3
388 static int test_keylog_no_master_key(void)
390 SSL_CTX *cctx = NULL, *sctx = NULL;
391 SSL *clientssl = NULL, *serverssl = NULL;
392 SSL_SESSION *sess = NULL;
394 struct sslapitest_log_counts expected;
395 unsigned char buf[1];
396 size_t readbytes, written;
398 /* Clean up logging space */
399 memset(&expected, 0, sizeof(expected));
400 memset(client_log_buffer, 0, sizeof(client_log_buffer));
401 memset(server_log_buffer, 0, sizeof(server_log_buffer));
402 client_log_buffer_index = 0;
403 server_log_buffer_index = 0;
404 error_writing_log = 0;
406 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
408 &sctx, &cctx, cert, privkey))
409 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
410 SSL3_RT_MAX_PLAIN_LENGTH)))
413 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
414 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
417 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
418 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
419 == client_keylog_callback))
422 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
423 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
424 == server_keylog_callback))
427 /* Now do a handshake and check that the logs have been written to. */
428 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
429 &clientssl, NULL, NULL))
430 || !TEST_true(create_ssl_connection(serverssl, clientssl,
432 || !TEST_false(error_writing_log))
436 * Now we want to test that our output data was vaguely sensible. For this
437 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
438 * TLSv1.3, but we do expect both client and server to emit keys.
440 expected.client_handshake_secret_count = 1;
441 expected.server_handshake_secret_count = 1;
442 expected.client_application_secret_count = 1;
443 expected.server_application_secret_count = 1;
444 expected.exporter_secret_count = 1;
445 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
446 SSL_get_session(clientssl), &expected))
447 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
448 SSL_get_session(serverssl),
452 /* Terminate old session and resume with early data. */
453 sess = SSL_get1_session(clientssl);
454 SSL_shutdown(clientssl);
455 SSL_shutdown(serverssl);
458 serverssl = clientssl = NULL;
461 memset(client_log_buffer, 0, sizeof(client_log_buffer));
462 memset(server_log_buffer, 0, sizeof(server_log_buffer));
463 client_log_buffer_index = 0;
464 server_log_buffer_index = 0;
466 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
467 &clientssl, NULL, NULL))
468 || !TEST_true(SSL_set_session(clientssl, sess))
469 /* Here writing 0 length early data is enough. */
470 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
471 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
473 SSL_READ_EARLY_DATA_ERROR)
474 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
475 SSL_EARLY_DATA_ACCEPTED)
476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
478 || !TEST_true(SSL_session_reused(clientssl)))
481 /* In addition to the previous entries, expect early secrets. */
482 expected.client_early_secret_count = 1;
483 expected.early_exporter_secret_count = 1;
484 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
485 SSL_get_session(clientssl), &expected))
486 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
487 SSL_get_session(serverssl),
494 SSL_SESSION_free(sess);
504 #ifndef OPENSSL_NO_TLS1_2
505 static int full_client_hello_callback(SSL *s, int *al, void *arg)
508 const unsigned char *p;
510 /* We only configure two ciphers, but the SCSV is added automatically. */
512 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
514 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
517 const int expected_extensions[] = {
518 #ifndef OPENSSL_NO_EC
524 /* Make sure we can defer processing and get called back. */
526 return SSL_CLIENT_HELLO_RETRY;
528 len = SSL_client_hello_get0_ciphers(s, &p);
529 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
531 SSL_client_hello_get0_compression_methods(s, &p), 1)
532 || !TEST_int_eq(*p, 0))
533 return SSL_CLIENT_HELLO_ERROR;
534 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
535 return SSL_CLIENT_HELLO_ERROR;
536 if (len != OSSL_NELEM(expected_extensions) ||
537 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
538 printf("ClientHello callback expected extensions mismatch\n");
540 return SSL_CLIENT_HELLO_ERROR;
543 return SSL_CLIENT_HELLO_SUCCESS;
546 static int test_client_hello_cb(void)
548 SSL_CTX *cctx = NULL, *sctx = NULL;
549 SSL *clientssl = NULL, *serverssl = NULL;
550 int testctr = 0, testresult = 0;
552 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
554 &sctx, &cctx, cert, privkey)))
556 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
558 /* The gimpy cipher list we configure can't do TLS 1.3. */
559 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
561 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
562 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
563 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
564 &clientssl, NULL, NULL))
565 || !TEST_false(create_ssl_connection(serverssl, clientssl,
566 SSL_ERROR_WANT_CLIENT_HELLO_CB))
568 * Passing a -1 literal is a hack since
569 * the real value was lost.
571 || !TEST_int_eq(SSL_get_error(serverssl, -1),
572 SSL_ERROR_WANT_CLIENT_HELLO_CB)
573 || !TEST_true(create_ssl_connection(serverssl, clientssl,
588 static int test_no_ems(void)
590 SSL_CTX *cctx = NULL, *sctx = NULL;
591 SSL *clientssl = NULL, *serverssl = NULL;
594 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
595 TLS1_VERSION, TLS1_2_VERSION,
596 &sctx, &cctx, cert, privkey)) {
597 printf("Unable to create SSL_CTX pair\n");
601 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
603 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
604 printf("Unable to create SSL objects\n");
608 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
609 printf("Creating SSL connection failed\n");
613 if (SSL_get_extms_support(serverssl)) {
614 printf("Server reports Extended Master Secret support\n");
618 if (SSL_get_extms_support(clientssl)) {
619 printf("Client reports Extended Master Secret support\n");
634 static int execute_test_large_message(const SSL_METHOD *smeth,
635 const SSL_METHOD *cmeth,
636 int min_version, int max_version,
639 SSL_CTX *cctx = NULL, *sctx = NULL;
640 SSL *clientssl = NULL, *serverssl = NULL;
644 X509 *chaincert = NULL;
647 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
649 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
652 if (!TEST_ptr(chaincert))
655 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
656 &sctx, &cctx, cert, privkey)))
661 * Test that read_ahead works correctly when dealing with large
664 SSL_CTX_set_read_ahead(cctx, 1);
668 * We assume the supplied certificate is big enough so that if we add
669 * NUM_EXTRA_CERTS it will make the overall message large enough. The
670 * default buffer size is requested to be 16k, but due to the way BUF_MEM
671 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
672 * test we need to have a message larger than that.
674 certlen = i2d_X509(chaincert, NULL);
675 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
676 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
677 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
678 if (!X509_up_ref(chaincert))
680 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
681 X509_free(chaincert);
686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
688 || !TEST_true(create_ssl_connection(serverssl, clientssl,
693 * Calling SSL_clear() first is not required but this tests that SSL_clear()
694 * doesn't leak (when using enable-crypto-mdebug).
696 if (!TEST_true(SSL_clear(serverssl)))
701 X509_free(chaincert);
710 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
711 && !defined(OPENSSL_NO_SOCK)
713 /* sock must be connected */
714 static int ktls_chk_platform(int sock)
716 if (!ktls_enable(sock))
721 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
723 static char count = 1;
724 unsigned char cbuf[16000] = {0};
725 unsigned char sbuf[16000];
727 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
728 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
729 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
730 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
731 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
732 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
733 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
734 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
737 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
738 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
739 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
740 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
741 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
742 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
743 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
744 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
746 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
749 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
750 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
755 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
758 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
759 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
764 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
765 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
766 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
767 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
768 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
769 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
770 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
771 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
773 /* verify the payload */
774 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
777 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
778 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
779 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
780 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
783 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
784 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
788 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
789 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
790 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
793 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
794 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
798 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
799 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
800 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
803 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
804 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
808 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
809 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
810 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
813 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
814 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
823 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
824 int sis_ktls_tx, int sis_ktls_rx)
826 SSL_CTX *cctx = NULL, *sctx = NULL;
827 SSL *clientssl = NULL, *serverssl = NULL;
831 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
834 /* Skip this test if the platform does not support ktls */
835 if (!ktls_chk_platform(cfd))
838 /* Create a session based on SHA-256 */
839 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
841 TLS1_2_VERSION, TLS1_2_VERSION,
842 &sctx, &cctx, cert, privkey))
843 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
844 "AES128-GCM-SHA256"))
845 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
846 &clientssl, sfd, cfd)))
850 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
855 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
860 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
865 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
869 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
874 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
877 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
882 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
885 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
890 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
893 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
898 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
901 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
905 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
911 SSL_shutdown(clientssl);
915 SSL_shutdown(serverssl);
920 serverssl = clientssl = NULL;
924 #define SENDFILE_SZ (16 * 4096)
925 #define SENDFILE_CHUNK (4 * 4096)
926 #define min(a,b) ((a) > (b) ? (b) : (a))
928 static int test_ktls_sendfile(void)
930 SSL_CTX *cctx = NULL, *sctx = NULL;
931 SSL *clientssl = NULL, *serverssl = NULL;
932 unsigned char *buf, *buf_dst;
933 BIO *out = NULL, *in = NULL;
934 int cfd, sfd, ffd, err;
935 ssize_t chunk_size = 0;
940 buf = OPENSSL_zalloc(SENDFILE_SZ);
941 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
942 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
943 || !TEST_true(create_test_sockets(&cfd, &sfd)))
946 /* Skip this test if the platform does not support ktls */
947 if (!ktls_chk_platform(sfd)) {
952 /* Create a session based on SHA-256 */
953 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
955 TLS1_2_VERSION, TLS1_2_VERSION,
956 &sctx, &cctx, cert, privkey))
957 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
958 "AES128-GCM-SHA256"))
959 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
960 &clientssl, sfd, cfd)))
963 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
965 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
968 RAND_bytes(buf, SENDFILE_SZ);
969 out = BIO_new_file(tmpfilename, "wb");
973 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
978 in = BIO_new_file(tmpfilename, "rb");
979 BIO_get_fp(in, &ffdp);
982 while (chunk_off < SENDFILE_SZ) {
983 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
984 while ((err = SSL_sendfile(serverssl,
989 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
992 while ((err = SSL_read(clientssl,
994 chunk_size)) != chunk_size) {
995 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
999 /* verify the payload */
1000 if (!TEST_mem_eq(buf_dst + chunk_off,
1006 chunk_off += chunk_size;
1012 SSL_shutdown(clientssl);
1013 SSL_free(clientssl);
1016 SSL_shutdown(serverssl);
1017 SSL_free(serverssl);
1021 serverssl = clientssl = NULL;
1025 OPENSSL_free(buf_dst);
1029 static int test_ktls_no_txrx_client_no_txrx_server(void)
1031 return execute_test_ktls(0, 0, 0, 0);
1034 static int test_ktls_no_rx_client_no_txrx_server(void)
1036 return execute_test_ktls(1, 0, 0, 0);
1039 static int test_ktls_no_tx_client_no_txrx_server(void)
1041 return execute_test_ktls(0, 1, 0, 0);
1044 static int test_ktls_client_no_txrx_server(void)
1046 return execute_test_ktls(1, 1, 0, 0);
1049 static int test_ktls_no_txrx_client_no_rx_server(void)
1051 return execute_test_ktls(0, 0, 1, 0);
1054 static int test_ktls_no_rx_client_no_rx_server(void)
1056 return execute_test_ktls(1, 0, 1, 0);
1059 static int test_ktls_no_tx_client_no_rx_server(void)
1061 return execute_test_ktls(0, 1, 1, 0);
1064 static int test_ktls_client_no_rx_server(void)
1066 return execute_test_ktls(1, 1, 1, 0);
1069 static int test_ktls_no_txrx_client_no_tx_server(void)
1071 return execute_test_ktls(0, 0, 0, 1);
1074 static int test_ktls_no_rx_client_no_tx_server(void)
1076 return execute_test_ktls(1, 0, 0, 1);
1079 static int test_ktls_no_tx_client_no_tx_server(void)
1081 return execute_test_ktls(0, 1, 0, 1);
1084 static int test_ktls_client_no_tx_server(void)
1086 return execute_test_ktls(1, 1, 0, 1);
1089 static int test_ktls_no_txrx_client_server(void)
1091 return execute_test_ktls(0, 0, 1, 1);
1094 static int test_ktls_no_rx_client_server(void)
1096 return execute_test_ktls(1, 0, 1, 1);
1099 static int test_ktls_no_tx_client_server(void)
1101 return execute_test_ktls(0, 1, 1, 1);
1104 static int test_ktls_client_server(void)
1106 return execute_test_ktls(1, 1, 1, 1);
1110 static int test_large_message_tls(void)
1112 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1113 TLS1_VERSION, 0, 0);
1116 static int test_large_message_tls_read_ahead(void)
1118 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1119 TLS1_VERSION, 0, 1);
1122 #ifndef OPENSSL_NO_DTLS
1123 static int test_large_message_dtls(void)
1126 * read_ahead is not relevant to DTLS because DTLS always acts as if
1127 * read_ahead is set.
1129 return execute_test_large_message(DTLS_server_method(),
1130 DTLS_client_method(),
1131 DTLS1_VERSION, 0, 0);
1135 #ifndef OPENSSL_NO_OCSP
1136 static int ocsp_server_cb(SSL *s, void *arg)
1138 int *argi = (int *)arg;
1139 unsigned char *copy = NULL;
1140 STACK_OF(OCSP_RESPID) *ids = NULL;
1141 OCSP_RESPID *id = NULL;
1144 /* In this test we are expecting exactly 1 OCSP_RESPID */
1145 SSL_get_tlsext_status_ids(s, &ids);
1146 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1147 return SSL_TLSEXT_ERR_ALERT_FATAL;
1149 id = sk_OCSP_RESPID_value(ids, 0);
1150 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1151 return SSL_TLSEXT_ERR_ALERT_FATAL;
1152 } else if (*argi != 1) {
1153 return SSL_TLSEXT_ERR_ALERT_FATAL;
1156 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1157 return SSL_TLSEXT_ERR_ALERT_FATAL;
1159 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1160 ocsp_server_called = 1;
1161 return SSL_TLSEXT_ERR_OK;
1164 static int ocsp_client_cb(SSL *s, void *arg)
1166 int *argi = (int *)arg;
1167 const unsigned char *respderin;
1170 if (*argi != 1 && *argi != 2)
1173 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1174 if (!TEST_mem_eq(orespder, len, respderin, len))
1177 ocsp_client_called = 1;
1181 static int test_tlsext_status_type(void)
1183 SSL_CTX *cctx = NULL, *sctx = NULL;
1184 SSL *clientssl = NULL, *serverssl = NULL;
1186 STACK_OF(OCSP_RESPID) *ids = NULL;
1187 OCSP_RESPID *id = NULL;
1188 BIO *certbio = NULL;
1190 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1192 &sctx, &cctx, cert, privkey))
1195 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1198 /* First just do various checks getting and setting tlsext_status_type */
1200 clientssl = SSL_new(cctx);
1201 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1202 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1203 TLSEXT_STATUSTYPE_ocsp))
1204 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1205 TLSEXT_STATUSTYPE_ocsp))
1208 SSL_free(clientssl);
1211 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1212 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1215 clientssl = SSL_new(cctx);
1216 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1218 SSL_free(clientssl);
1222 * Now actually do a handshake and check OCSP information is exchanged and
1223 * the callbacks get called
1225 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1226 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1227 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1228 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1229 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1230 &clientssl, NULL, NULL))
1231 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1233 || !TEST_true(ocsp_client_called)
1234 || !TEST_true(ocsp_server_called))
1236 SSL_free(serverssl);
1237 SSL_free(clientssl);
1241 /* Try again but this time force the server side callback to fail */
1242 ocsp_client_called = 0;
1243 ocsp_server_called = 0;
1245 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1246 &clientssl, NULL, NULL))
1247 /* This should fail because the callback will fail */
1248 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1250 || !TEST_false(ocsp_client_called)
1251 || !TEST_false(ocsp_server_called))
1253 SSL_free(serverssl);
1254 SSL_free(clientssl);
1259 * This time we'll get the client to send an OCSP_RESPID that it will
1262 ocsp_client_called = 0;
1263 ocsp_server_called = 0;
1265 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1266 &clientssl, NULL, NULL)))
1270 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1271 * specific one. We'll use the server cert.
1273 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1274 || !TEST_ptr(id = OCSP_RESPID_new())
1275 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1276 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1278 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1279 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1282 SSL_set_tlsext_status_ids(clientssl, ids);
1283 /* Control has been transferred */
1289 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1291 || !TEST_true(ocsp_client_called)
1292 || !TEST_true(ocsp_server_called))
1298 SSL_free(serverssl);
1299 SSL_free(clientssl);
1302 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1303 OCSP_RESPID_free(id);
1305 X509_free(ocspcert);
1312 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1313 static int new_called, remove_called, get_called;
1315 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1319 * sess has been up-refed for us, but we don't actually need it so free it
1322 SSL_SESSION_free(sess);
1326 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1331 static SSL_SESSION *get_sess_val = NULL;
1333 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1338 return get_sess_val;
1341 static int execute_test_session(int maxprot, int use_int_cache,
1344 SSL_CTX *sctx = NULL, *cctx = NULL;
1345 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1346 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1347 # ifndef OPENSSL_NO_TLS1_1
1348 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1350 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1351 int testresult = 0, numnewsesstick = 1;
1353 new_called = remove_called = 0;
1355 /* TLSv1.3 sends 2 NewSessionTickets */
1356 if (maxprot == TLS1_3_VERSION)
1359 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1361 &sctx, &cctx, cert, privkey)))
1365 * Only allow the max protocol version so we can force a connection failure
1368 SSL_CTX_set_min_proto_version(cctx, maxprot);
1369 SSL_CTX_set_max_proto_version(cctx, maxprot);
1371 /* Set up session cache */
1372 if (use_ext_cache) {
1373 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1374 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1376 if (use_int_cache) {
1377 /* Also covers instance where both are set */
1378 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1380 SSL_CTX_set_session_cache_mode(cctx,
1381 SSL_SESS_CACHE_CLIENT
1382 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1387 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1389 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1392 /* Should fail because it should already be in the cache */
1393 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1396 && (!TEST_int_eq(new_called, numnewsesstick)
1398 || !TEST_int_eq(remove_called, 0)))
1401 new_called = remove_called = 0;
1402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1403 &clientssl2, NULL, NULL))
1404 || !TEST_true(SSL_set_session(clientssl2, sess1))
1405 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1407 || !TEST_true(SSL_session_reused(clientssl2)))
1410 if (maxprot == TLS1_3_VERSION) {
1412 * In TLSv1.3 we should have created a new session even though we have
1413 * resumed. Since we attempted a resume we should also have removed the
1414 * old ticket from the cache so that we try to only use tickets once.
1417 && (!TEST_int_eq(new_called, 1)
1418 || !TEST_int_eq(remove_called, 1)))
1422 * In TLSv1.2 we expect to have resumed so no sessions added or
1426 && (!TEST_int_eq(new_called, 0)
1427 || !TEST_int_eq(remove_called, 0)))
1431 SSL_SESSION_free(sess1);
1432 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1434 shutdown_ssl_connection(serverssl2, clientssl2);
1435 serverssl2 = clientssl2 = NULL;
1437 new_called = remove_called = 0;
1438 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1439 &clientssl2, NULL, NULL))
1440 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1444 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1448 && (!TEST_int_eq(new_called, numnewsesstick)
1449 || !TEST_int_eq(remove_called, 0)))
1452 new_called = remove_called = 0;
1454 * This should clear sess2 from the cache because it is a "bad" session.
1455 * See SSL_set_session() documentation.
1457 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1460 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1462 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1465 if (use_int_cache) {
1466 /* Should succeeded because it should not already be in the cache */
1467 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1468 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1472 new_called = remove_called = 0;
1473 /* This shouldn't be in the cache so should fail */
1474 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1478 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1481 # if !defined(OPENSSL_NO_TLS1_1)
1482 new_called = remove_called = 0;
1483 /* Force a connection failure */
1484 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1485 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1486 &clientssl3, NULL, NULL))
1487 || !TEST_true(SSL_set_session(clientssl3, sess1))
1488 /* This should fail because of the mismatched protocol versions */
1489 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1493 /* We should have automatically removed the session from the cache */
1495 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1498 /* Should succeed because it should not already be in the cache */
1499 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1503 /* Now do some tests for server side caching */
1504 if (use_ext_cache) {
1505 SSL_CTX_sess_set_new_cb(cctx, NULL);
1506 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1507 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1508 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1509 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1510 get_sess_val = NULL;
1513 SSL_CTX_set_session_cache_mode(cctx, 0);
1514 /* Internal caching is the default on the server side */
1516 SSL_CTX_set_session_cache_mode(sctx,
1517 SSL_SESS_CACHE_SERVER
1518 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1520 SSL_free(serverssl1);
1521 SSL_free(clientssl1);
1522 serverssl1 = clientssl1 = NULL;
1523 SSL_free(serverssl2);
1524 SSL_free(clientssl2);
1525 serverssl2 = clientssl2 = NULL;
1526 SSL_SESSION_free(sess1);
1528 SSL_SESSION_free(sess2);
1531 SSL_CTX_set_max_proto_version(sctx, maxprot);
1532 if (maxprot == TLS1_2_VERSION)
1533 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1534 new_called = remove_called = get_called = 0;
1535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1537 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1539 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1540 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1543 if (use_int_cache) {
1544 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1546 * In TLSv1.3 it should not have been added to the internal cache,
1547 * except in the case where we also have an external cache (in that
1548 * case it gets added to the cache in order to generate remove
1549 * events after timeout).
1551 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1554 /* Should fail because it should already be in the cache */
1555 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1560 if (use_ext_cache) {
1561 SSL_SESSION *tmp = sess2;
1563 if (!TEST_int_eq(new_called, numnewsesstick)
1564 || !TEST_int_eq(remove_called, 0)
1565 || !TEST_int_eq(get_called, 0))
1568 * Delete the session from the internal cache to force a lookup from
1569 * the external cache. We take a copy first because
1570 * SSL_CTX_remove_session() also marks the session as non-resumable.
1572 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1573 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1574 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1576 SSL_SESSION_free(sess2);
1581 new_called = remove_called = get_called = 0;
1582 get_sess_val = sess2;
1583 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1584 &clientssl2, NULL, NULL))
1585 || !TEST_true(SSL_set_session(clientssl2, sess1))
1586 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1588 || !TEST_true(SSL_session_reused(clientssl2)))
1591 if (use_ext_cache) {
1592 if (!TEST_int_eq(remove_called, 0))
1595 if (maxprot == TLS1_3_VERSION) {
1596 if (!TEST_int_eq(new_called, 1)
1597 || !TEST_int_eq(get_called, 0))
1600 if (!TEST_int_eq(new_called, 0)
1601 || !TEST_int_eq(get_called, 1))
1609 SSL_free(serverssl1);
1610 SSL_free(clientssl1);
1611 SSL_free(serverssl2);
1612 SSL_free(clientssl2);
1613 # ifndef OPENSSL_NO_TLS1_1
1614 SSL_free(serverssl3);
1615 SSL_free(clientssl3);
1617 SSL_SESSION_free(sess1);
1618 SSL_SESSION_free(sess2);
1624 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1626 static int test_session_with_only_int_cache(void)
1628 #ifndef OPENSSL_NO_TLS1_3
1629 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1633 #ifndef OPENSSL_NO_TLS1_2
1634 return execute_test_session(TLS1_2_VERSION, 1, 0);
1640 static int test_session_with_only_ext_cache(void)
1642 #ifndef OPENSSL_NO_TLS1_3
1643 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1647 #ifndef OPENSSL_NO_TLS1_2
1648 return execute_test_session(TLS1_2_VERSION, 0, 1);
1654 static int test_session_with_both_cache(void)
1656 #ifndef OPENSSL_NO_TLS1_3
1657 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1661 #ifndef OPENSSL_NO_TLS1_2
1662 return execute_test_session(TLS1_2_VERSION, 1, 1);
1668 #ifndef OPENSSL_NO_TLS1_3
1669 static SSL_SESSION *sesscache[6];
1670 static int do_cache;
1672 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1675 sesscache[new_called] = sess;
1677 /* We don't need the reference to the session, so free it */
1678 SSL_SESSION_free(sess);
1685 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1687 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1688 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1691 /* Start handshake on the server and client */
1692 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1693 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1694 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1695 || !TEST_true(create_ssl_connection(sssl, cssl,
1702 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1705 int sess_id_ctx = 1;
1707 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1708 TLS1_VERSION, 0, sctx,
1709 cctx, cert, privkey))
1710 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1711 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1712 (void *)&sess_id_ctx,
1713 sizeof(sess_id_ctx))))
1717 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1719 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1720 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1721 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1726 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1728 SSL *serverssl = NULL, *clientssl = NULL;
1731 /* Test that we can resume with all the tickets we got given */
1732 for (i = 0; i < idx * 2; i++) {
1734 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1735 &clientssl, NULL, NULL))
1736 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1739 SSL_set_post_handshake_auth(clientssl, 1);
1741 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1746 * Following a successful resumption we only get 1 ticket. After a
1747 * failed one we should get idx tickets.
1750 if (!TEST_true(SSL_session_reused(clientssl))
1751 || !TEST_int_eq(new_called, 1))
1754 if (!TEST_false(SSL_session_reused(clientssl))
1755 || !TEST_int_eq(new_called, idx))
1760 /* After a post-handshake authentication we should get 1 new ticket */
1762 && (!post_handshake_verify(serverssl, clientssl)
1763 || !TEST_int_eq(new_called, 1)))
1766 SSL_shutdown(clientssl);
1767 SSL_shutdown(serverssl);
1768 SSL_free(serverssl);
1769 SSL_free(clientssl);
1770 serverssl = clientssl = NULL;
1771 SSL_SESSION_free(sesscache[i]);
1772 sesscache[i] = NULL;
1778 SSL_free(clientssl);
1779 SSL_free(serverssl);
1783 static int test_tickets(int stateful, int idx)
1785 SSL_CTX *sctx = NULL, *cctx = NULL;
1786 SSL *serverssl = NULL, *clientssl = NULL;
1790 /* idx is the test number, but also the number of tickets we want */
1795 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1798 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1799 &clientssl, NULL, NULL)))
1802 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1804 /* Check we got the number of tickets we were expecting */
1805 || !TEST_int_eq(idx, new_called))
1808 SSL_shutdown(clientssl);
1809 SSL_shutdown(serverssl);
1810 SSL_free(serverssl);
1811 SSL_free(clientssl);
1814 clientssl = serverssl = NULL;
1818 * Now we try to resume with the tickets we previously created. The
1819 * resumption attempt is expected to fail (because we're now using a new
1820 * SSL_CTX). We should see idx number of tickets issued again.
1823 /* Stop caching sessions - just count them */
1826 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1829 if (!check_resumption(idx, sctx, cctx, 0))
1832 /* Start again with caching sessions */
1839 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1843 &clientssl, NULL, NULL)))
1846 SSL_set_post_handshake_auth(clientssl, 1);
1848 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1850 /* Check we got the number of tickets we were expecting */
1851 || !TEST_int_eq(idx, new_called))
1854 /* After a post-handshake authentication we should get new tickets issued */
1855 if (!post_handshake_verify(serverssl, clientssl)
1856 || !TEST_int_eq(idx * 2, new_called))
1859 SSL_shutdown(clientssl);
1860 SSL_shutdown(serverssl);
1861 SSL_free(serverssl);
1862 SSL_free(clientssl);
1863 serverssl = clientssl = NULL;
1865 /* Stop caching sessions - just count them */
1869 * Check we can resume with all the tickets we created. This time around the
1870 * resumptions should all be successful.
1872 if (!check_resumption(idx, sctx, cctx, 1))
1878 SSL_free(serverssl);
1879 SSL_free(clientssl);
1880 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1881 SSL_SESSION_free(sesscache[j]);
1882 sesscache[j] = NULL;
1890 static int test_stateless_tickets(int idx)
1892 return test_tickets(0, idx);
1895 static int test_stateful_tickets(int idx)
1897 return test_tickets(1, idx);
1900 static int test_psk_tickets(void)
1902 SSL_CTX *sctx = NULL, *cctx = NULL;
1903 SSL *serverssl = NULL, *clientssl = NULL;
1905 int sess_id_ctx = 1;
1907 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1908 TLS1_VERSION, 0, &sctx,
1910 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1911 (void *)&sess_id_ctx,
1912 sizeof(sess_id_ctx))))
1915 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1917 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1918 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1919 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1920 use_session_cb_cnt = 0;
1921 find_session_cb_cnt = 0;
1925 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1928 clientpsk = serverpsk = create_a_psk(clientssl);
1929 if (!TEST_ptr(clientpsk))
1931 SSL_SESSION_up_ref(clientpsk);
1933 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1935 || !TEST_int_eq(1, find_session_cb_cnt)
1936 || !TEST_int_eq(1, use_session_cb_cnt)
1937 /* We should always get 1 ticket when using external PSK */
1938 || !TEST_int_eq(1, new_called))
1944 SSL_free(serverssl);
1945 SSL_free(clientssl);
1948 SSL_SESSION_free(clientpsk);
1949 SSL_SESSION_free(serverpsk);
1950 clientpsk = serverpsk = NULL;
1959 #define USE_DEFAULT 3
1961 #define CONNTYPE_CONNECTION_SUCCESS 0
1962 #define CONNTYPE_CONNECTION_FAIL 1
1963 #define CONNTYPE_NO_CONNECTION 2
1965 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1966 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1967 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1968 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1970 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1973 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1974 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1975 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1977 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1994 * Tests calls to SSL_set_bio() under various conditions.
1996 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1997 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1998 * then do more tests where we create a successful connection first using our
1999 * standard connection setup functions, and then call SSL_set_bio() with
2000 * various combinations of valid BIOs or NULL. We then repeat these tests
2001 * following a failed connection. In this last case we are looking to check that
2002 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2004 static int test_ssl_set_bio(int idx)
2006 SSL_CTX *sctx = NULL, *cctx = NULL;
2009 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2010 SSL *serverssl = NULL, *clientssl = NULL;
2011 int initrbio, initwbio, newrbio, newwbio, conntype;
2014 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2022 conntype = CONNTYPE_NO_CONNECTION;
2024 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2025 initrbio = initwbio = USE_DEFAULT;
2033 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2035 &sctx, &cctx, cert, privkey)))
2038 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2040 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2041 * because we reduced the number of tests in the definition of
2042 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2043 * mismatched protocol versions we will force a connection failure.
2045 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2046 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2049 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2053 if (initrbio == USE_BIO_1
2054 || initwbio == USE_BIO_1
2055 || newrbio == USE_BIO_1
2056 || newwbio == USE_BIO_1) {
2057 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2061 if (initrbio == USE_BIO_2
2062 || initwbio == USE_BIO_2
2063 || newrbio == USE_BIO_2
2064 || newwbio == USE_BIO_2) {
2065 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2069 if (initrbio != USE_DEFAULT) {
2070 setupbio(&irbio, bio1, bio2, initrbio);
2071 setupbio(&iwbio, bio1, bio2, initwbio);
2072 SSL_set_bio(clientssl, irbio, iwbio);
2075 * We want to maintain our own refs to these BIO, so do an up ref for
2076 * each BIO that will have ownership transferred in the SSL_set_bio()
2081 if (iwbio != NULL && iwbio != irbio)
2085 if (conntype != CONNTYPE_NO_CONNECTION
2086 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2088 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2091 setupbio(&nrbio, bio1, bio2, newrbio);
2092 setupbio(&nwbio, bio1, bio2, newwbio);
2095 * We will (maybe) transfer ownership again so do more up refs.
2096 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2101 && (nwbio != iwbio || nrbio != nwbio))
2105 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2108 SSL_set_bio(clientssl, nrbio, nwbio);
2117 * This test is checking that the ref counting for SSL_set_bio is correct.
2118 * If we get here and we did too many frees then we will fail in the above
2119 * functions. If we haven't done enough then this will only be detected in
2120 * a crypto-mdebug build
2122 SSL_free(serverssl);
2123 SSL_free(clientssl);
2129 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2131 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2133 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2138 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2139 || !TEST_ptr(ssl = SSL_new(ctx))
2140 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2141 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2144 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2147 * If anything goes wrong here then we could leak memory, so this will
2148 * be caught in a crypto-mdebug build
2150 BIO_push(sslbio, membio1);
2152 /* Verify changing the rbio/wbio directly does not cause leaks */
2153 if (change_bio != NO_BIO_CHANGE) {
2154 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2156 if (change_bio == CHANGE_RBIO)
2157 SSL_set0_rbio(ssl, membio2);
2159 SSL_set0_wbio(ssl, membio2);
2178 static int test_ssl_bio_pop_next_bio(void)
2180 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2183 static int test_ssl_bio_pop_ssl_bio(void)
2185 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2188 static int test_ssl_bio_change_rbio(void)
2190 return execute_test_ssl_bio(0, CHANGE_RBIO);
2193 static int test_ssl_bio_change_wbio(void)
2195 return execute_test_ssl_bio(0, CHANGE_WBIO);
2198 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2200 /* The list of sig algs */
2202 /* The length of the list */
2204 /* A sigalgs list in string format */
2205 const char *liststr;
2206 /* Whether setting the list should succeed */
2208 /* Whether creating a connection with the list should succeed */
2212 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2213 # ifndef OPENSSL_NO_EC
2214 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2215 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2217 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2218 static const int invalidlist2[] = {NID_sha256, NID_undef};
2219 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2220 static const int invalidlist4[] = {NID_sha256};
2221 static const sigalgs_list testsigalgs[] = {
2222 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2223 # ifndef OPENSSL_NO_EC
2224 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2225 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2227 {NULL, 0, "RSA+SHA256", 1, 1},
2228 # ifndef OPENSSL_NO_EC
2229 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2230 {NULL, 0, "ECDSA+SHA512", 1, 0},
2232 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2233 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2234 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2235 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2236 {NULL, 0, "RSA", 0, 0},
2237 {NULL, 0, "SHA256", 0, 0},
2238 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2239 {NULL, 0, "Invalid", 0, 0}
2242 static int test_set_sigalgs(int idx)
2244 SSL_CTX *cctx = NULL, *sctx = NULL;
2245 SSL *clientssl = NULL, *serverssl = NULL;
2247 const sigalgs_list *curr;
2250 /* Should never happen */
2251 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2254 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2255 curr = testctx ? &testsigalgs[idx]
2256 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2258 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2260 &sctx, &cctx, cert, privkey)))
2264 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2265 * for TLSv1.2 for now until we add a new API.
2267 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2272 if (curr->list != NULL)
2273 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2275 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2279 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2285 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2291 &clientssl, NULL, NULL)))
2297 if (curr->list != NULL)
2298 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2300 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2303 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2312 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2320 SSL_free(serverssl);
2321 SSL_free(clientssl);
2329 #ifndef OPENSSL_NO_TLS1_3
2330 static int psk_client_cb_cnt = 0;
2331 static int psk_server_cb_cnt = 0;
2333 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2334 size_t *idlen, SSL_SESSION **sess)
2336 switch (++use_session_cb_cnt) {
2338 /* The first call should always have a NULL md */
2344 /* The second call should always have an md */
2350 /* We should only be called a maximum of twice */
2354 if (clientpsk != NULL)
2355 SSL_SESSION_up_ref(clientpsk);
2358 *id = (const unsigned char *)pskid;
2359 *idlen = strlen(pskid);
2364 #ifndef OPENSSL_NO_PSK
2365 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2366 unsigned int max_id_len,
2368 unsigned int max_psk_len)
2370 unsigned int psklen = 0;
2372 psk_client_cb_cnt++;
2374 if (strlen(pskid) + 1 > max_id_len)
2377 /* We should only ever be called a maximum of twice per connection */
2378 if (psk_client_cb_cnt > 2)
2381 if (clientpsk == NULL)
2384 /* We'll reuse the PSK we set up for TLSv1.3 */
2385 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2387 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2388 strncpy(id, pskid, max_id_len);
2392 #endif /* OPENSSL_NO_PSK */
2394 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2395 size_t identity_len, SSL_SESSION **sess)
2397 find_session_cb_cnt++;
2399 /* We should only ever be called a maximum of twice per connection */
2400 if (find_session_cb_cnt > 2)
2403 if (serverpsk == NULL)
2406 /* Identity should match that set by the client */
2407 if (strlen(srvid) != identity_len
2408 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2409 /* No PSK found, continue but without a PSK */
2414 SSL_SESSION_up_ref(serverpsk);
2420 #ifndef OPENSSL_NO_PSK
2421 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2422 unsigned char *psk, unsigned int max_psk_len)
2424 unsigned int psklen = 0;
2426 psk_server_cb_cnt++;
2428 /* We should only ever be called a maximum of twice per connection */
2429 if (find_session_cb_cnt > 2)
2432 if (serverpsk == NULL)
2435 /* Identity should match that set by the client */
2436 if (strcmp(srvid, identity) != 0) {
2440 /* We'll reuse the PSK we set up for TLSv1.3 */
2441 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2443 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2447 #endif /* OPENSSL_NO_PSK */
2449 #define MSG1 "Hello"
2450 #define MSG2 "World."
2455 #define MSG7 "message."
2457 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2458 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2461 static SSL_SESSION *create_a_psk(SSL *ssl)
2463 const SSL_CIPHER *cipher = NULL;
2464 const unsigned char key[] = {
2465 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2466 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2467 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2468 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2469 0x2c, 0x2d, 0x2e, 0x2f
2471 SSL_SESSION *sess = NULL;
2473 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2474 sess = SSL_SESSION_new();
2476 || !TEST_ptr(cipher)
2477 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2479 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2481 SSL_SESSION_set_protocol_version(sess,
2483 SSL_SESSION_free(sess);
2490 * Helper method to setup objects for early data test. Caller frees objects on
2493 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2494 SSL **serverssl, SSL_SESSION **sess, int idx)
2497 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2498 TLS_client_method(),
2500 sctx, cctx, cert, privkey)))
2503 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2507 /* When idx == 1 we repeat the tests with read_ahead set */
2508 SSL_CTX_set_read_ahead(*cctx, 1);
2509 SSL_CTX_set_read_ahead(*sctx, 1);
2510 } else if (idx == 2) {
2511 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2512 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2513 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2514 use_session_cb_cnt = 0;
2515 find_session_cb_cnt = 0;
2519 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2524 * For one of the run throughs (doesn't matter which one), we'll try sending
2525 * some SNI data in the initial ClientHello. This will be ignored (because
2526 * there is no SNI cb set up by the server), so it should not impact
2530 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2534 clientpsk = create_a_psk(*clientssl);
2535 if (!TEST_ptr(clientpsk)
2537 * We just choose an arbitrary value for max_early_data which
2538 * should be big enough for testing purposes.
2540 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2542 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2543 SSL_SESSION_free(clientpsk);
2547 serverpsk = clientpsk;
2550 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2551 SSL_SESSION_free(clientpsk);
2552 SSL_SESSION_free(serverpsk);
2553 clientpsk = serverpsk = NULL;
2564 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2568 *sess = SSL_get1_session(*clientssl);
2569 SSL_shutdown(*clientssl);
2570 SSL_shutdown(*serverssl);
2571 SSL_free(*serverssl);
2572 SSL_free(*clientssl);
2573 *serverssl = *clientssl = NULL;
2575 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2576 clientssl, NULL, NULL))
2577 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2583 static int test_early_data_read_write(int idx)
2585 SSL_CTX *cctx = NULL, *sctx = NULL;
2586 SSL *clientssl = NULL, *serverssl = NULL;
2588 SSL_SESSION *sess = NULL;
2589 unsigned char buf[20], data[1024];
2590 size_t readbytes, written, eoedlen, rawread, rawwritten;
2593 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2594 &serverssl, &sess, idx)))
2597 /* Write and read some early data */
2598 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2600 || !TEST_size_t_eq(written, strlen(MSG1))
2601 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2602 sizeof(buf), &readbytes),
2603 SSL_READ_EARLY_DATA_SUCCESS)
2604 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2605 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2606 SSL_EARLY_DATA_ACCEPTED))
2610 * Server should be able to write data, and client should be able to
2613 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2615 || !TEST_size_t_eq(written, strlen(MSG2))
2616 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2617 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2620 /* Even after reading normal data, client should be able write early data */
2621 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2623 || !TEST_size_t_eq(written, strlen(MSG3)))
2626 /* Server should still be able read early data after writing data */
2627 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2629 SSL_READ_EARLY_DATA_SUCCESS)
2630 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2633 /* Write more data from server and read it from client */
2634 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2636 || !TEST_size_t_eq(written, strlen(MSG4))
2637 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2638 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2642 * If client writes normal data it should mean writing early data is no
2645 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2646 || !TEST_size_t_eq(written, strlen(MSG5))
2647 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2648 SSL_EARLY_DATA_ACCEPTED))
2652 * At this point the client has written EndOfEarlyData, ClientFinished and
2653 * normal (fully protected) data. We are going to cause a delay between the
2654 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2655 * in the read BIO, and then just put back the EndOfEarlyData message.
2657 rbio = SSL_get_rbio(serverssl);
2658 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2659 || !TEST_size_t_lt(rawread, sizeof(data))
2660 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2663 /* Record length is in the 4th and 5th bytes of the record header */
2664 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2665 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2666 || !TEST_size_t_eq(rawwritten, eoedlen))
2669 /* Server should be told that there is no more early data */
2670 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2672 SSL_READ_EARLY_DATA_FINISH)
2673 || !TEST_size_t_eq(readbytes, 0))
2677 * Server has not finished init yet, so should still be able to write early
2680 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2682 || !TEST_size_t_eq(written, strlen(MSG6)))
2685 /* Push the ClientFinished and the normal data back into the server rbio */
2686 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2688 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2691 /* Server should be able to read normal data */
2692 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2693 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2696 /* Client and server should not be able to write/read early data now */
2697 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2701 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2703 SSL_READ_EARLY_DATA_ERROR))
2707 /* Client should be able to read the data sent by the server */
2708 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2709 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2713 * Make sure we process the two NewSessionTickets. These arrive
2714 * post-handshake. We attempt reads which we do not expect to return any
2717 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2718 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2722 /* Server should be able to write normal data */
2723 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2724 || !TEST_size_t_eq(written, strlen(MSG7))
2725 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2726 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2729 SSL_SESSION_free(sess);
2730 sess = SSL_get1_session(clientssl);
2731 use_session_cb_cnt = 0;
2732 find_session_cb_cnt = 0;
2734 SSL_shutdown(clientssl);
2735 SSL_shutdown(serverssl);
2736 SSL_free(serverssl);
2737 SSL_free(clientssl);
2738 serverssl = clientssl = NULL;
2739 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2740 &clientssl, NULL, NULL))
2741 || !TEST_true(SSL_set_session(clientssl, sess)))
2744 /* Write and read some early data */
2745 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2747 || !TEST_size_t_eq(written, strlen(MSG1))
2748 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2750 SSL_READ_EARLY_DATA_SUCCESS)
2751 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2754 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2755 || !TEST_int_gt(SSL_accept(serverssl), 0))
2758 /* Client and server should not be able to write/read early data now */
2759 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2763 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2765 SSL_READ_EARLY_DATA_ERROR))
2769 /* Client and server should be able to write/read normal data */
2770 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2771 || !TEST_size_t_eq(written, strlen(MSG5))
2772 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2773 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2779 SSL_SESSION_free(sess);
2780 SSL_SESSION_free(clientpsk);
2781 SSL_SESSION_free(serverpsk);
2782 clientpsk = serverpsk = NULL;
2783 SSL_free(serverssl);
2784 SSL_free(clientssl);
2790 static int allow_ed_cb_called = 0;
2792 static int allow_early_data_cb(SSL *s, void *arg)
2794 int *usecb = (int *)arg;
2796 allow_ed_cb_called++;
2805 * idx == 0: Standard early_data setup
2806 * idx == 1: early_data setup using read_ahead
2807 * usecb == 0: Don't use a custom early data callback
2808 * usecb == 1: Use a custom early data callback and reject the early data
2809 * usecb == 2: Use a custom early data callback and accept the early data
2810 * confopt == 0: Configure anti-replay directly
2811 * confopt == 1: Configure anti-replay using SSL_CONF
2813 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2815 SSL_CTX *cctx = NULL, *sctx = NULL;
2816 SSL *clientssl = NULL, *serverssl = NULL;
2818 SSL_SESSION *sess = NULL;
2819 size_t readbytes, written;
2820 unsigned char buf[20];
2822 allow_ed_cb_called = 0;
2824 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2825 TLS1_VERSION, 0, &sctx,
2826 &cctx, cert, privkey)))
2831 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2833 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2835 if (!TEST_ptr(confctx))
2837 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2838 | SSL_CONF_FLAG_SERVER);
2839 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2840 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2842 SSL_CONF_CTX_free(confctx);
2845 SSL_CONF_CTX_free(confctx);
2847 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2850 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2851 &serverssl, &sess, idx)))
2855 * The server is configured to accept early data. Create a connection to
2856 * "use up" the ticket
2858 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2859 || !TEST_true(SSL_session_reused(clientssl)))
2862 SSL_shutdown(clientssl);
2863 SSL_shutdown(serverssl);
2864 SSL_free(serverssl);
2865 SSL_free(clientssl);
2866 serverssl = clientssl = NULL;
2868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2869 &clientssl, NULL, NULL))
2870 || !TEST_true(SSL_set_session(clientssl, sess)))
2873 /* Write and read some early data */
2874 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2876 || !TEST_size_t_eq(written, strlen(MSG1)))
2880 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2882 SSL_READ_EARLY_DATA_FINISH)
2884 * The ticket was reused, so the we should have rejected the
2887 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2888 SSL_EARLY_DATA_REJECTED))
2891 /* In this case the callback decides to accept the early data */
2892 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2894 SSL_READ_EARLY_DATA_SUCCESS)
2895 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2897 * Server will have sent its flight so client can now send
2898 * end of early data and complete its half of the handshake
2900 || !TEST_int_gt(SSL_connect(clientssl), 0)
2901 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2903 SSL_READ_EARLY_DATA_FINISH)
2904 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2905 SSL_EARLY_DATA_ACCEPTED))
2909 /* Complete the connection */
2910 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2911 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2912 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2918 SSL_SESSION_free(sess);
2919 SSL_SESSION_free(clientpsk);
2920 SSL_SESSION_free(serverpsk);
2921 clientpsk = serverpsk = NULL;
2922 SSL_free(serverssl);
2923 SSL_free(clientssl);
2929 static int test_early_data_replay(int idx)
2931 int ret = 1, usecb, confopt;
2933 for (usecb = 0; usecb < 3; usecb++) {
2934 for (confopt = 0; confopt < 2; confopt++)
2935 ret &= test_early_data_replay_int(idx, usecb, confopt);
2942 * Helper function to test that a server attempting to read early data can
2943 * handle a connection from a client where the early data should be skipped.
2944 * testtype: 0 == No HRR
2945 * testtype: 1 == HRR
2946 * testtype: 2 == HRR, invalid early_data sent after HRR
2947 * testtype: 3 == recv_max_early_data set to 0
2949 static int early_data_skip_helper(int testtype, int idx)
2951 SSL_CTX *cctx = NULL, *sctx = NULL;
2952 SSL *clientssl = NULL, *serverssl = NULL;
2954 SSL_SESSION *sess = NULL;
2955 unsigned char buf[20];
2956 size_t readbytes, written;
2958 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2959 &serverssl, &sess, idx)))
2962 if (testtype == 1 || testtype == 2) {
2963 /* Force an HRR to occur */
2964 #if defined(OPENSSL_NO_EC)
2965 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
2968 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2971 } else if (idx == 2) {
2973 * We force early_data rejection by ensuring the PSK identity is
2976 srvid = "Dummy Identity";
2979 * Deliberately corrupt the creation time. We take 20 seconds off the
2980 * time. It could be any value as long as it is not within tolerance.
2981 * This should mean the ticket is rejected.
2983 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2988 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2991 /* Write some early data */
2992 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2994 || !TEST_size_t_eq(written, strlen(MSG1)))
2997 /* Server should reject the early data */
2998 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3000 SSL_READ_EARLY_DATA_FINISH)
3001 || !TEST_size_t_eq(readbytes, 0)
3002 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3003 SSL_EARLY_DATA_REJECTED))
3013 * Finish off the handshake. We perform the same writes and reads as
3014 * further down but we expect them to fail due to the incomplete
3017 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3018 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3025 BIO *wbio = SSL_get_wbio(clientssl);
3026 /* A record that will appear as bad early_data */
3027 const unsigned char bad_early_data[] = {
3028 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3032 * We force the client to attempt a write. This will fail because
3033 * we're still in the handshake. It will cause the second
3034 * ClientHello to be sent.
3036 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3041 * Inject some early_data after the second ClientHello. This should
3042 * cause the server to fail
3044 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3045 sizeof(bad_early_data), &written)))
3052 * This client has sent more early_data than we are willing to skip
3053 * (case 3) or sent invalid early_data (case 2) so the connection should
3056 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3057 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3060 /* Connection has failed - nothing more to do */
3065 TEST_error("Invalid test type");
3070 * Should be able to send normal data despite rejection of early data. The
3071 * early_data should be skipped.
3073 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3074 || !TEST_size_t_eq(written, strlen(MSG2))
3075 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3076 SSL_EARLY_DATA_REJECTED)
3077 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3078 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3084 SSL_SESSION_free(clientpsk);
3085 SSL_SESSION_free(serverpsk);
3086 clientpsk = serverpsk = NULL;
3087 SSL_SESSION_free(sess);
3088 SSL_free(serverssl);
3089 SSL_free(clientssl);
3096 * Test that a server attempting to read early data can handle a connection
3097 * from a client where the early data is not acceptable.
3099 static int test_early_data_skip(int idx)
3101 return early_data_skip_helper(0, idx);
3105 * Test that a server attempting to read early data can handle a connection
3106 * from a client where an HRR occurs.
3108 static int test_early_data_skip_hrr(int idx)
3110 return early_data_skip_helper(1, idx);
3114 * Test that a server attempting to read early data can handle a connection
3115 * from a client where an HRR occurs and correctly fails if early_data is sent
3118 static int test_early_data_skip_hrr_fail(int idx)
3120 return early_data_skip_helper(2, idx);
3124 * Test that a server attempting to read early data will abort if it tries to
3125 * skip over too much.
3127 static int test_early_data_skip_abort(int idx)
3129 return early_data_skip_helper(3, idx);
3133 * Test that a server attempting to read early data can handle a connection
3134 * from a client that doesn't send any.
3136 static int test_early_data_not_sent(int idx)
3138 SSL_CTX *cctx = NULL, *sctx = NULL;
3139 SSL *clientssl = NULL, *serverssl = NULL;
3141 SSL_SESSION *sess = NULL;
3142 unsigned char buf[20];
3143 size_t readbytes, written;
3145 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3146 &serverssl, &sess, idx)))
3149 /* Write some data - should block due to handshake with server */
3150 SSL_set_connect_state(clientssl);
3151 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3154 /* Server should detect that early data has not been sent */
3155 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3157 SSL_READ_EARLY_DATA_FINISH)
3158 || !TEST_size_t_eq(readbytes, 0)
3159 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3160 SSL_EARLY_DATA_NOT_SENT)
3161 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3162 SSL_EARLY_DATA_NOT_SENT))
3165 /* Continue writing the message we started earlier */
3166 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3167 || !TEST_size_t_eq(written, strlen(MSG1))
3168 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3169 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3170 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3171 || !TEST_size_t_eq(written, strlen(MSG2)))
3174 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3175 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3181 SSL_SESSION_free(sess);
3182 SSL_SESSION_free(clientpsk);
3183 SSL_SESSION_free(serverpsk);
3184 clientpsk = serverpsk = NULL;
3185 SSL_free(serverssl);
3186 SSL_free(clientssl);
3192 static int hostname_cb(SSL *s, int *al, void *arg)
3194 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3196 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
3197 return SSL_TLSEXT_ERR_OK;
3199 return SSL_TLSEXT_ERR_NOACK;
3202 static const char *servalpn;
3204 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3205 unsigned char *outlen, const unsigned char *in,
3206 unsigned int inlen, void *arg)
3208 unsigned int protlen = 0;
3209 const unsigned char *prot;
3211 for (prot = in; prot < in + inlen; prot += protlen) {
3213 if (in + inlen < prot + protlen)
3214 return SSL_TLSEXT_ERR_NOACK;
3216 if (protlen == strlen(servalpn)
3217 && memcmp(prot, servalpn, protlen) == 0) {
3220 return SSL_TLSEXT_ERR_OK;
3224 return SSL_TLSEXT_ERR_NOACK;
3227 /* Test that a PSK can be used to send early_data */
3228 static int test_early_data_psk(int idx)
3230 SSL_CTX *cctx = NULL, *sctx = NULL;
3231 SSL *clientssl = NULL, *serverssl = NULL;
3233 SSL_SESSION *sess = NULL;
3234 unsigned char alpnlist[] = {
3235 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3238 #define GOODALPNLEN 9
3239 #define BADALPNLEN 8
3240 #define GOODALPN (alpnlist)
3241 #define BADALPN (alpnlist + GOODALPNLEN)
3243 unsigned char buf[20];
3244 size_t readbytes, written;
3245 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3246 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3248 /* We always set this up with a final parameter of "2" for PSK */
3249 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3250 &serverssl, &sess, 2)))
3253 servalpn = "goodalpn";
3256 * Note: There is no test for inconsistent SNI with late client detection.
3257 * This is because servers do not acknowledge SNI even if they are using
3258 * it in a resumption handshake - so it is not actually possible for a
3259 * client to detect a problem.
3263 /* Set inconsistent SNI (early client detection) */
3264 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3265 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3266 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3271 /* Set inconsistent ALPN (early client detection) */
3272 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3273 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3274 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3276 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3283 * Set invalid protocol version. Technically this affects PSKs without
3284 * early_data too, but we test it here because it is similar to the
3285 * SNI/ALPN consistency tests.
3287 err = SSL_R_BAD_PSK;
3288 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3294 * Set inconsistent SNI (server detected). In this case the connection
3295 * will succeed but reject early_data.
3297 SSL_SESSION_free(serverpsk);
3298 serverpsk = SSL_SESSION_dup(clientpsk);
3299 if (!TEST_ptr(serverpsk)
3300 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3302 edstatus = SSL_EARLY_DATA_REJECTED;
3303 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3306 /* Set consistent SNI */
3307 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3308 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3309 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3316 * Set inconsistent ALPN (server detected). In this case the connection
3317 * will succeed but reject early_data.
3319 servalpn = "badalpn";
3320 edstatus = SSL_EARLY_DATA_REJECTED;
3321 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3325 * Set consistent ALPN.
3326 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3327 * accepts a list of protos (each one length prefixed).
3328 * SSL_set1_alpn_selected accepts a single protocol (not length
3331 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3333 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3337 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3341 /* Set inconsistent ALPN (late client detection) */
3342 SSL_SESSION_free(serverpsk);
3343 serverpsk = SSL_SESSION_dup(clientpsk);
3344 if (!TEST_ptr(serverpsk)
3345 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3348 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3351 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3354 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3355 edstatus = SSL_EARLY_DATA_ACCEPTED;
3356 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3357 /* SSL_connect() call should fail */
3362 TEST_error("Bad test index");
3366 SSL_set_connect_state(clientssl);
3368 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3370 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3371 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3374 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3378 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3379 &readbytes), readearlyres)
3380 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3381 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3382 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3383 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3390 SSL_SESSION_free(sess);
3391 SSL_SESSION_free(clientpsk);
3392 SSL_SESSION_free(serverpsk);
3393 clientpsk = serverpsk = NULL;
3394 SSL_free(serverssl);
3395 SSL_free(clientssl);
3402 * Test that a server that doesn't try to read early data can handle a
3403 * client sending some.
3405 static int test_early_data_not_expected(int idx)
3407 SSL_CTX *cctx = NULL, *sctx = NULL;
3408 SSL *clientssl = NULL, *serverssl = NULL;
3410 SSL_SESSION *sess = NULL;
3411 unsigned char buf[20];
3412 size_t readbytes, written;
3414 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3415 &serverssl, &sess, idx)))
3418 /* Write some early data */
3419 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3424 * Server should skip over early data and then block waiting for client to
3425 * continue handshake
3427 if (!TEST_int_le(SSL_accept(serverssl), 0)
3428 || !TEST_int_gt(SSL_connect(clientssl), 0)
3429 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3430 SSL_EARLY_DATA_REJECTED)
3431 || !TEST_int_gt(SSL_accept(serverssl), 0)
3432 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3433 SSL_EARLY_DATA_REJECTED))
3436 /* Send some normal data from client to server */
3437 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3438 || !TEST_size_t_eq(written, strlen(MSG2)))
3441 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3442 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3448 SSL_SESSION_free(sess);
3449 SSL_SESSION_free(clientpsk);
3450 SSL_SESSION_free(serverpsk);
3451 clientpsk = serverpsk = NULL;
3452 SSL_free(serverssl);
3453 SSL_free(clientssl);
3460 # ifndef OPENSSL_NO_TLS1_2
3462 * Test that a server attempting to read early data can handle a connection
3463 * from a TLSv1.2 client.
3465 static int test_early_data_tls1_2(int idx)
3467 SSL_CTX *cctx = NULL, *sctx = NULL;
3468 SSL *clientssl = NULL, *serverssl = NULL;
3470 unsigned char buf[20];
3471 size_t readbytes, written;
3473 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3474 &serverssl, NULL, idx)))
3477 /* Write some data - should block due to handshake with server */
3478 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3479 SSL_set_connect_state(clientssl);
3480 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3484 * Server should do TLSv1.2 handshake. First it will block waiting for more
3485 * messages from client after ServerDone. Then SSL_read_early_data should
3486 * finish and detect that early data has not been sent
3488 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3490 SSL_READ_EARLY_DATA_ERROR))
3494 * Continue writing the message we started earlier. Will still block waiting
3495 * for the CCS/Finished from server
3497 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3498 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3500 SSL_READ_EARLY_DATA_FINISH)
3501 || !TEST_size_t_eq(readbytes, 0)
3502 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3503 SSL_EARLY_DATA_NOT_SENT))
3506 /* Continue writing the message we started earlier */
3507 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3508 || !TEST_size_t_eq(written, strlen(MSG1))
3509 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3510 SSL_EARLY_DATA_NOT_SENT)
3511 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3512 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3513 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3514 || !TEST_size_t_eq(written, strlen(MSG2))
3515 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3516 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3522 SSL_SESSION_free(clientpsk);
3523 SSL_SESSION_free(serverpsk);
3524 clientpsk = serverpsk = NULL;
3525 SSL_free(serverssl);
3526 SSL_free(clientssl);
3532 # endif /* OPENSSL_NO_TLS1_2 */
3535 * Test configuring the TLSv1.3 ciphersuites
3537 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3538 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3539 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3540 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3541 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3542 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3543 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3544 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3545 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3546 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3548 static int test_set_ciphersuite(int idx)
3550 SSL_CTX *cctx = NULL, *sctx = NULL;
3551 SSL *clientssl = NULL, *serverssl = NULL;
3554 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3556 &sctx, &cctx, cert, privkey))
3557 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3558 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3561 if (idx >=4 && idx <= 7) {
3562 /* SSL_CTX explicit cipher list */
3563 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3567 if (idx == 0 || idx == 4) {
3568 /* Default ciphersuite */
3569 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3570 "TLS_AES_128_GCM_SHA256")))
3572 } else if (idx == 1 || idx == 5) {
3573 /* Non default ciphersuite */
3574 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3575 "TLS_AES_128_CCM_SHA256")))
3579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3580 &clientssl, NULL, NULL)))
3583 if (idx == 8 || idx == 9) {
3584 /* SSL explicit cipher list */
3585 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3589 if (idx == 2 || idx == 6 || idx == 8) {
3590 /* Default ciphersuite */
3591 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3592 "TLS_AES_128_GCM_SHA256")))
3594 } else if (idx == 3 || idx == 7 || idx == 9) {
3595 /* Non default ciphersuite */
3596 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3597 "TLS_AES_128_CCM_SHA256")))
3601 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3607 SSL_free(serverssl);
3608 SSL_free(clientssl);
3615 static int test_ciphersuite_change(void)
3617 SSL_CTX *cctx = NULL, *sctx = NULL;
3618 SSL *clientssl = NULL, *serverssl = NULL;
3619 SSL_SESSION *clntsess = NULL;
3621 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3623 /* Create a session based on SHA-256 */
3624 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3626 &sctx, &cctx, cert, privkey))
3627 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3628 "TLS_AES_128_GCM_SHA256"))
3629 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3630 &clientssl, NULL, NULL))
3631 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3635 clntsess = SSL_get1_session(clientssl);
3636 /* Save for later */
3637 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3638 SSL_shutdown(clientssl);
3639 SSL_shutdown(serverssl);
3640 SSL_free(serverssl);
3641 SSL_free(clientssl);
3642 serverssl = clientssl = NULL;
3644 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3645 /* Check we can resume a session with a different SHA-256 ciphersuite */
3646 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3647 "TLS_CHACHA20_POLY1305_SHA256"))
3648 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3650 || !TEST_true(SSL_set_session(clientssl, clntsess))
3651 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3653 || !TEST_true(SSL_session_reused(clientssl)))
3656 SSL_SESSION_free(clntsess);
3657 clntsess = SSL_get1_session(clientssl);
3658 SSL_shutdown(clientssl);
3659 SSL_shutdown(serverssl);
3660 SSL_free(serverssl);
3661 SSL_free(clientssl);
3662 serverssl = clientssl = NULL;
3666 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3667 * succeeds but does not resume.
3669 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3670 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3672 || !TEST_true(SSL_set_session(clientssl, clntsess))
3673 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3675 || !TEST_false(SSL_session_reused(clientssl)))
3678 SSL_SESSION_free(clntsess);
3680 SSL_shutdown(clientssl);
3681 SSL_shutdown(serverssl);
3682 SSL_free(serverssl);
3683 SSL_free(clientssl);
3684 serverssl = clientssl = NULL;
3686 /* Create a session based on SHA384 */
3687 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3689 &clientssl, NULL, NULL))
3690 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3694 clntsess = SSL_get1_session(clientssl);
3695 SSL_shutdown(clientssl);
3696 SSL_shutdown(serverssl);
3697 SSL_free(serverssl);
3698 SSL_free(clientssl);
3699 serverssl = clientssl = NULL;
3701 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3702 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3703 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3704 "TLS_AES_256_GCM_SHA384"))
3705 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3707 || !TEST_true(SSL_set_session(clientssl, clntsess))
3709 * We use SSL_ERROR_WANT_READ below so that we can pause the
3710 * connection after the initial ClientHello has been sent to
3711 * enable us to make some session changes.
3713 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3714 SSL_ERROR_WANT_READ)))
3717 /* Trick the client into thinking this session is for a different digest */
3718 clntsess->cipher = aes_128_gcm_sha256;
3719 clntsess->cipher_id = clntsess->cipher->id;
3722 * Continue the previously started connection. Server has selected a SHA-384
3723 * ciphersuite, but client thinks the session is for SHA-256, so it should
3726 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3728 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3729 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3735 SSL_SESSION_free(clntsess);
3736 SSL_free(serverssl);
3737 SSL_free(clientssl);
3746 * Test 0 = Test ECDHE Key exchange with TLSv1.3 client and server
3747 * Test 1 = Test ECDHE with TLSv1.2 client and server
3748 * Test 2 = Test FFDHE Key exchange with TLSv1.3 client and server
3749 * Test 3 = Test FFDHE with TLSv1.2 client and server
3750 * Test 4 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3751 * Test 5 = Test NID_secp384r1 with TLSv1.3 client and server
3752 * Test 6 = Test NID_secp521r1 with TLSv1.3 client and server
3753 * Test 7 = Test NID_X25519 with TLSv1.3 client and server
3754 * Test 8 = Test NID_X448 with TLSv1.3 client and server
3755 * Test 9 = Test NID_ffdhe2048 with TLSv1.3 client and server
3756 * Test 10 = Test NID_ffdhe3072 with TLSv1.3 client and server
3757 * Test 11 = Test NID_ffdhe4096 with TLSv1.3 client and server
3758 * Test 12 = Test NID_ffdhe6144 with TLSv1.3 client and server
3759 * Test 13 = Test NID_ffdhe8192 with TLSv1.3 client and server
3761 static int test_key_exchange(int idx)
3763 SSL_CTX *sctx = NULL, *cctx = NULL;
3764 SSL *serverssl = NULL, *clientssl = NULL;
3766 #if !defined(OPENSSL_NO_EC)
3767 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1,
3768 NID_X25519, NID_X448};
3770 #ifndef OPENSSL_NO_DH
3771 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3772 NID_ffdhe6144, NID_ffdhe8192};
3775 int *kexch_groups = &kexch_alg;
3776 int kexch_groups_size = 1;
3777 int max_version = TLS1_3_VERSION;
3778 int want_err = SSL_ERROR_NONE;
3779 int expected_err_reason = 0;
3782 #ifndef OPENSSL_NO_EC
3783 # ifndef OPENSSL_NO_TLS1_2
3785 max_version = TLS1_2_VERSION;
3789 kexch_groups = ecdhe_kexch_groups;
3790 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3793 kexch_alg = NID_X9_62_prime256v1;
3796 kexch_alg = NID_secp384r1;
3799 kexch_alg = NID_secp521r1;
3802 kexch_alg = NID_X25519;
3805 kexch_alg = NID_X448;
3808 #ifndef OPENSSL_NO_DH
3809 # ifndef OPENSSL_NO_TLS1_2
3811 max_version = TLS1_2_VERSION;
3815 kexch_groups = ffdhe_kexch_groups;
3816 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3819 kexch_alg = NID_ffdhe2048;
3822 kexch_alg = NID_ffdhe3072;
3825 kexch_alg = NID_ffdhe4096;
3828 kexch_alg = NID_ffdhe6144;
3831 kexch_alg = NID_ffdhe8192;
3835 /* We're skipping this test */
3839 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3840 TLS1_VERSION, max_version,
3841 &sctx, &cctx, cert, privkey)))
3844 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, TLS1_3_RFC_AES_128_GCM_SHA256)))
3847 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, TLS1_3_RFC_AES_128_GCM_SHA256)))
3850 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, TLS1_TXT_RSA_WITH_AES_128_SHA)))
3854 * Must include an EC ciphersuite so that we send supported groups in
3857 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3858 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3859 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3866 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3867 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3870 if (!TEST_true(create_ssl_connection(serverssl, clientssl, want_err))) {
3871 /* Fail only if no error is expected in handshake */
3872 if (expected_err_reason == 0)
3876 /* Fail if expected error is not happening for failure testcases */
3877 if (expected_err_reason != 0) {
3878 unsigned long err_code = ERR_get_error();
3880 ERR_print_errors_fp(stdout);
3881 if (TEST_int_eq(ERR_GET_REASON(err_code), expected_err_reason))
3887 * If Handshake succeeds the negotiated kexch alg should the first one in
3888 * configured, except in the case of FFDHE groups which are TLSv1.3 only
3889 * so we expect no shared group to exist.
3891 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
3892 idx == 3 ? 0 : kexch_groups[0]))
3894 if (max_version == TLS1_3_VERSION) {
3895 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
3897 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
3903 SSL_free(serverssl);
3904 SSL_free(clientssl);
3912 * Test 0 = Test new style callbacks
3913 * Test 1 = Test both new and old style callbacks
3914 * Test 2 = Test old style callbacks
3915 * Test 3 = Test old style callbacks with no certificate
3917 static int test_tls13_psk(int idx)
3919 SSL_CTX *sctx = NULL, *cctx = NULL;
3920 SSL *serverssl = NULL, *clientssl = NULL;
3921 const SSL_CIPHER *cipher = NULL;
3922 const unsigned char key[] = {
3923 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3924 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3925 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3926 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3930 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3932 &sctx, &cctx, idx == 3 ? NULL : cert,
3933 idx == 3 ? NULL : privkey)))
3938 * We use a ciphersuite with SHA256 to ease testing old style PSK
3939 * callbacks which will always default to SHA256. This should not be
3940 * necessary if we have no cert/priv key. In that case the server should
3941 * prefer SHA256 automatically.
3943 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3944 "TLS_AES_128_GCM_SHA256")))
3949 * Test 0: New style callbacks only
3950 * Test 1: New and old style callbacks (only the new ones should be used)
3951 * Test 2: Old style callbacks only
3953 if (idx == 0 || idx == 1) {
3954 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3955 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3957 #ifndef OPENSSL_NO_PSK
3959 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3960 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3964 use_session_cb_cnt = 0;
3965 find_session_cb_cnt = 0;
3966 psk_client_cb_cnt = 0;
3967 psk_server_cb_cnt = 0;
3971 * Check we can create a connection if callback decides not to send a
3974 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3976 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3978 || !TEST_false(SSL_session_reused(clientssl))
3979 || !TEST_false(SSL_session_reused(serverssl)))
3982 if (idx == 0 || idx == 1) {
3983 if (!TEST_true(use_session_cb_cnt == 1)
3984 || !TEST_true(find_session_cb_cnt == 0)
3986 * If no old style callback then below should be 0
3989 || !TEST_true(psk_client_cb_cnt == idx)
3990 || !TEST_true(psk_server_cb_cnt == 0))
3993 if (!TEST_true(use_session_cb_cnt == 0)
3994 || !TEST_true(find_session_cb_cnt == 0)
3995 || !TEST_true(psk_client_cb_cnt == 1)
3996 || !TEST_true(psk_server_cb_cnt == 0))
4000 shutdown_ssl_connection(serverssl, clientssl);
4001 serverssl = clientssl = NULL;
4002 use_session_cb_cnt = psk_client_cb_cnt = 0;
4005 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4009 /* Create the PSK */
4010 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4011 clientpsk = SSL_SESSION_new();
4012 if (!TEST_ptr(clientpsk)
4013 || !TEST_ptr(cipher)
4014 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4016 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4017 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4019 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4021 serverpsk = clientpsk;
4023 /* Check we can create a connection and the PSK is used */
4024 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4025 || !TEST_true(SSL_session_reused(clientssl))
4026 || !TEST_true(SSL_session_reused(serverssl)))
4029 if (idx == 0 || idx == 1) {
4030 if (!TEST_true(use_session_cb_cnt == 1)
4031 || !TEST_true(find_session_cb_cnt == 1)
4032 || !TEST_true(psk_client_cb_cnt == 0)
4033 || !TEST_true(psk_server_cb_cnt == 0))
4036 if (!TEST_true(use_session_cb_cnt == 0)
4037 || !TEST_true(find_session_cb_cnt == 0)
4038 || !TEST_true(psk_client_cb_cnt == 1)
4039 || !TEST_true(psk_server_cb_cnt == 1))
4043 shutdown_ssl_connection(serverssl, clientssl);
4044 serverssl = clientssl = NULL;
4045 use_session_cb_cnt = find_session_cb_cnt = 0;
4046 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4048 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4053 #if defined(OPENSSL_NO_EC)
4054 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4057 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4062 * Check we can create a connection, the PSK is used and the callbacks are
4065 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4066 || !TEST_true(SSL_session_reused(clientssl))
4067 || !TEST_true(SSL_session_reused(serverssl)))
4070 if (idx == 0 || idx == 1) {
4071 if (!TEST_true(use_session_cb_cnt == 2)
4072 || !TEST_true(find_session_cb_cnt == 2)
4073 || !TEST_true(psk_client_cb_cnt == 0)
4074 || !TEST_true(psk_server_cb_cnt == 0))
4077 if (!TEST_true(use_session_cb_cnt == 0)
4078 || !TEST_true(find_session_cb_cnt == 0)
4079 || !TEST_true(psk_client_cb_cnt == 2)
4080 || !TEST_true(psk_server_cb_cnt == 2))
4084 shutdown_ssl_connection(serverssl, clientssl);
4085 serverssl = clientssl = NULL;
4086 use_session_cb_cnt = find_session_cb_cnt = 0;
4087 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4091 * Check that if the server rejects the PSK we can still connect, but with
4094 srvid = "Dummy Identity";
4095 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4097 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4099 || !TEST_false(SSL_session_reused(clientssl))
4100 || !TEST_false(SSL_session_reused(serverssl)))
4103 if (idx == 0 || idx == 1) {
4104 if (!TEST_true(use_session_cb_cnt == 1)
4105 || !TEST_true(find_session_cb_cnt == 1)
4106 || !TEST_true(psk_client_cb_cnt == 0)
4108 * If no old style callback then below should be 0
4111 || !TEST_true(psk_server_cb_cnt == idx))
4114 if (!TEST_true(use_session_cb_cnt == 0)
4115 || !TEST_true(find_session_cb_cnt == 0)
4116 || !TEST_true(psk_client_cb_cnt == 1)
4117 || !TEST_true(psk_server_cb_cnt == 1))
4121 shutdown_ssl_connection(serverssl, clientssl);
4122 serverssl = clientssl = NULL;
4127 SSL_SESSION_free(clientpsk);
4128 SSL_SESSION_free(serverpsk);
4129 clientpsk = serverpsk = NULL;
4130 SSL_free(serverssl);
4131 SSL_free(clientssl);
4137 static unsigned char cookie_magic_value[] = "cookie magic";
4139 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4140 unsigned int *cookie_len)
4143 * Not suitable as a real cookie generation function but good enough for
4146 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4147 *cookie_len = sizeof(cookie_magic_value) - 1;
4152 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4153 unsigned int cookie_len)
4155 if (cookie_len == sizeof(cookie_magic_value) - 1
4156 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4162 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4166 int res = generate_cookie_callback(ssl, cookie, &temp);
4171 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4174 return verify_cookie_callback(ssl, cookie, cookie_len);
4177 static int test_stateless(void)
4179 SSL_CTX *sctx = NULL, *cctx = NULL;
4180 SSL *serverssl = NULL, *clientssl = NULL;
4183 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4185 &sctx, &cctx, cert, privkey)))
4188 /* The arrival of CCS messages can confuse the test */
4189 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4191 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4193 /* Send the first ClientHello */
4194 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4195 SSL_ERROR_WANT_READ))
4197 * This should fail with a -1 return because we have no callbacks
4200 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4203 /* Fatal error so abandon the connection from this client */
4204 SSL_free(clientssl);
4207 /* Set up the cookie generation and verification callbacks */
4208 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4209 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4212 * Create a new connection from the client (we can reuse the server SSL
4215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4217 /* Send the first ClientHello */
4218 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4219 SSL_ERROR_WANT_READ))
4220 /* This should fail because there is no cookie */
4221 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4224 /* Abandon the connection from this client */
4225 SSL_free(clientssl);
4229 * Now create a connection from a new client but with the same server SSL
4232 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4234 /* Send the first ClientHello */
4235 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4236 SSL_ERROR_WANT_READ))
4237 /* This should fail because there is no cookie */
4238 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4239 /* Send the second ClientHello */
4240 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4241 SSL_ERROR_WANT_READ))
4242 /* This should succeed because a cookie is now present */
4243 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4244 /* Complete the connection */
4245 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4249 shutdown_ssl_connection(serverssl, clientssl);
4250 serverssl = clientssl = NULL;
4254 SSL_free(serverssl);
4255 SSL_free(clientssl);
4261 #endif /* OPENSSL_NO_TLS1_3 */
4263 static int clntaddoldcb = 0;
4264 static int clntparseoldcb = 0;
4265 static int srvaddoldcb = 0;
4266 static int srvparseoldcb = 0;
4267 static int clntaddnewcb = 0;
4268 static int clntparsenewcb = 0;
4269 static int srvaddnewcb = 0;
4270 static int srvparsenewcb = 0;
4271 static int snicb = 0;
4273 #define TEST_EXT_TYPE1 0xff00
4275 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4276 size_t *outlen, int *al, void *add_arg)
4278 int *server = (int *)add_arg;
4279 unsigned char *data;
4281 if (SSL_is_server(s))
4286 if (*server != SSL_is_server(s)
4287 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4292 *outlen = sizeof(char);
4296 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4299 OPENSSL_free((unsigned char *)out);
4302 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4303 size_t inlen, int *al, void *parse_arg)
4305 int *server = (int *)parse_arg;
4307 if (SSL_is_server(s))
4312 if (*server != SSL_is_server(s)
4313 || inlen != sizeof(char)
4320 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4321 const unsigned char **out, size_t *outlen, X509 *x,
4322 size_t chainidx, int *al, void *add_arg)
4324 int *server = (int *)add_arg;
4325 unsigned char *data;
4327 if (SSL_is_server(s))
4332 if (*server != SSL_is_server(s)
4333 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4338 *outlen = sizeof(*data);
4342 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4343 const unsigned char *out, void *add_arg)
4345 OPENSSL_free((unsigned char *)out);
4348 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4349 const unsigned char *in, size_t inlen, X509 *x,
4350 size_t chainidx, int *al, void *parse_arg)
4352 int *server = (int *)parse_arg;
4354 if (SSL_is_server(s))
4359 if (*server != SSL_is_server(s)
4360 || inlen != sizeof(char) || *in != 1)
4366 static int sni_cb(SSL *s, int *al, void *arg)
4368 SSL_CTX *ctx = (SSL_CTX *)arg;
4370 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4371 *al = SSL_AD_INTERNAL_ERROR;
4372 return SSL_TLSEXT_ERR_ALERT_FATAL;
4375 return SSL_TLSEXT_ERR_OK;
4379 * Custom call back tests.
4380 * Test 0: Old style callbacks in TLSv1.2
4381 * Test 1: New style callbacks in TLSv1.2
4382 * Test 2: New style callbacks in TLSv1.2 with SNI
4383 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4384 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4386 static int test_custom_exts(int tst)
4388 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4389 SSL *clientssl = NULL, *serverssl = NULL;
4391 static int server = 1;
4392 static int client = 0;
4393 SSL_SESSION *sess = NULL;
4394 unsigned int context;
4396 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4397 /* Skip tests for TLSv1.2 and below in this case */
4402 /* Reset callback counters */
4403 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4404 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4407 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4409 &sctx, &cctx, cert, privkey)))
4413 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4415 &sctx2, NULL, cert, privkey)))
4420 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4421 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4423 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4427 context = SSL_EXT_CLIENT_HELLO
4428 | SSL_EXT_TLS1_2_SERVER_HELLO
4429 | SSL_EXT_TLS1_3_SERVER_HELLO
4430 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4431 | SSL_EXT_TLS1_3_CERTIFICATE
4432 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4434 context = SSL_EXT_CLIENT_HELLO
4435 | SSL_EXT_TLS1_2_SERVER_HELLO
4436 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4439 /* Create a client side custom extension */
4441 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4442 old_add_cb, old_free_cb,
4443 &client, old_parse_cb,
4447 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4448 new_add_cb, new_free_cb,
4449 &client, new_parse_cb, &client)))
4453 /* Should not be able to add duplicates */
4454 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4455 old_add_cb, old_free_cb,
4456 &client, old_parse_cb,
4458 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4459 context, new_add_cb,
4460 new_free_cb, &client,
4461 new_parse_cb, &client)))
4464 /* Create a server side custom extension */
4466 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4467 old_add_cb, old_free_cb,
4468 &server, old_parse_cb,
4472 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4473 new_add_cb, new_free_cb,
4474 &server, new_parse_cb, &server)))
4477 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4478 context, new_add_cb,
4479 new_free_cb, &server,
4480 new_parse_cb, &server)))
4484 /* Should not be able to add duplicates */
4485 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4486 old_add_cb, old_free_cb,
4487 &server, old_parse_cb,
4489 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4490 context, new_add_cb,
4491 new_free_cb, &server,
4492 new_parse_cb, &server)))
4497 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4498 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4503 &clientssl, NULL, NULL))
4504 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4509 if (clntaddoldcb != 1
4510 || clntparseoldcb != 1
4512 || srvparseoldcb != 1)
4514 } else if (tst == 1 || tst == 2 || tst == 3) {
4515 if (clntaddnewcb != 1
4516 || clntparsenewcb != 1
4518 || srvparsenewcb != 1
4519 || (tst != 2 && snicb != 0)
4520 || (tst == 2 && snicb != 1))
4523 /* In this case there 2 NewSessionTicket messages created */
4524 if (clntaddnewcb != 1
4525 || clntparsenewcb != 5
4527 || srvparsenewcb != 1)
4531 sess = SSL_get1_session(clientssl);
4532 SSL_shutdown(clientssl);
4533 SSL_shutdown(serverssl);
4534 SSL_free(serverssl);
4535 SSL_free(clientssl);
4536 serverssl = clientssl = NULL;
4539 /* We don't bother with the resumption aspects for this test */
4544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4546 || !TEST_true(SSL_set_session(clientssl, sess))
4547 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4552 * For a resumed session we expect to add the ClientHello extension. For the
4553 * old style callbacks we ignore it on the server side because they set
4554 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4558 if (clntaddoldcb != 2
4559 || clntparseoldcb != 1
4561 || srvparseoldcb != 1)
4563 } else if (tst == 1 || tst == 2 || tst == 3) {
4564 if (clntaddnewcb != 2
4565 || clntparsenewcb != 2
4567 || srvparsenewcb != 2)
4571 * No Certificate message extensions in the resumption handshake,
4572 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4574 if (clntaddnewcb != 2
4575 || clntparsenewcb != 8
4577 || srvparsenewcb != 2)
4584 SSL_SESSION_free(sess);
4585 SSL_free(serverssl);
4586 SSL_free(clientssl);
4587 SSL_CTX_free(sctx2);
4594 * Test loading of serverinfo data in various formats. test_sslmessages actually
4595 * tests to make sure the extensions appear in the handshake
4597 static int test_serverinfo(int tst)
4599 unsigned int version;
4600 unsigned char *sibuf;
4602 int ret, expected, testresult = 0;
4605 ctx = SSL_CTX_new(TLS_method());
4609 if ((tst & 0x01) == 0x01)
4610 version = SSL_SERVERINFOV2;
4612 version = SSL_SERVERINFOV1;
4614 if ((tst & 0x02) == 0x02) {
4615 sibuf = serverinfov2;
4616 sibuflen = sizeof(serverinfov2);
4617 expected = (version == SSL_SERVERINFOV2);
4619 sibuf = serverinfov1;
4620 sibuflen = sizeof(serverinfov1);
4621 expected = (version == SSL_SERVERINFOV1);
4624 if ((tst & 0x04) == 0x04) {
4625 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4627 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4630 * The version variable is irrelevant in this case - it's what is in the
4631 * buffer that matters
4633 if ((tst & 0x02) == 0x02)
4639 if (!TEST_true(ret == expected))
4651 * Test that SSL_export_keying_material() produces expected results. There are
4652 * no test vectors so all we do is test that both sides of the communication
4653 * produce the same results for different protocol versions.
4655 #define SMALL_LABEL_LEN 10
4656 #define LONG_LABEL_LEN 249
4657 static int test_export_key_mat(int tst)
4660 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4661 SSL *clientssl = NULL, *serverssl = NULL;
4662 const char label[LONG_LABEL_LEN + 1] = "test label";
4663 const unsigned char context[] = "context";
4664 const unsigned char *emptycontext = NULL;
4665 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4666 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4668 const int protocols[] = {
4677 #ifdef OPENSSL_NO_TLS1
4681 #ifdef OPENSSL_NO_TLS1_1
4685 #ifdef OPENSSL_NO_TLS1_2
4689 #ifdef OPENSSL_NO_TLS1_3
4693 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4695 &sctx, &cctx, cert, privkey)))
4698 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4699 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4700 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4704 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4710 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4713 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4714 sizeof(ckeymat1), label,
4715 LONG_LABEL_LEN + 1, context,
4716 sizeof(context) - 1, 1), 0))
4721 } else if (tst == 4) {
4722 labellen = LONG_LABEL_LEN;
4724 labellen = SMALL_LABEL_LEN;
4727 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4728 sizeof(ckeymat1), label,
4730 sizeof(context) - 1, 1), 1)
4731 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4732 sizeof(ckeymat2), label,
4736 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4737 sizeof(ckeymat3), label,
4740 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4741 sizeof(skeymat1), label,
4744 sizeof(context) -1, 1),
4746 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4747 sizeof(skeymat2), label,
4751 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4752 sizeof(skeymat3), label,
4756 * Check that both sides created the same key material with the
4759 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4762 * Check that both sides created the same key material with an
4765 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4768 * Check that both sides created the same key material without a
4771 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4773 /* Different contexts should produce different results */
4774 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4779 * Check that an empty context and no context produce different results in
4780 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4782 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4784 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4791 SSL_free(serverssl);
4792 SSL_free(clientssl);
4793 SSL_CTX_free(sctx2);
4800 #ifndef OPENSSL_NO_TLS1_3
4802 * Test that SSL_export_keying_material_early() produces expected
4803 * results. There are no test vectors so all we do is test that both
4804 * sides of the communication produce the same results for different
4805 * protocol versions.
4807 static int test_export_key_mat_early(int idx)
4809 static const char label[] = "test label";
4810 static const unsigned char context[] = "context";
4812 SSL_CTX *cctx = NULL, *sctx = NULL;
4813 SSL *clientssl = NULL, *serverssl = NULL;
4814 SSL_SESSION *sess = NULL;
4815 const unsigned char *emptycontext = NULL;
4816 unsigned char ckeymat1[80], ckeymat2[80];
4817 unsigned char skeymat1[80], skeymat2[80];
4818 unsigned char buf[1];
4819 size_t readbytes, written;
4821 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4825 /* Here writing 0 length early data is enough. */
4826 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4827 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4829 SSL_READ_EARLY_DATA_ERROR)
4830 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4831 SSL_EARLY_DATA_ACCEPTED))
4834 if (!TEST_int_eq(SSL_export_keying_material_early(
4835 clientssl, ckeymat1, sizeof(ckeymat1), label,
4836 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4837 || !TEST_int_eq(SSL_export_keying_material_early(
4838 clientssl, ckeymat2, sizeof(ckeymat2), label,
4839 sizeof(label) - 1, emptycontext, 0), 1)
4840 || !TEST_int_eq(SSL_export_keying_material_early(
4841 serverssl, skeymat1, sizeof(skeymat1), label,
4842 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4843 || !TEST_int_eq(SSL_export_keying_material_early(
4844 serverssl, skeymat2, sizeof(skeymat2), label,
4845 sizeof(label) - 1, emptycontext, 0), 1)
4847 * Check that both sides created the same key material with the
4850 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4853 * Check that both sides created the same key material with an
4856 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4858 /* Different contexts should produce different results */
4859 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4866 SSL_SESSION_free(sess);
4867 SSL_SESSION_free(clientpsk);
4868 SSL_SESSION_free(serverpsk);
4869 clientpsk = serverpsk = NULL;
4870 SSL_free(serverssl);
4871 SSL_free(clientssl);
4878 #define NUM_KEY_UPDATE_MESSAGES 40
4882 static int test_key_update(void)
4884 SSL_CTX *cctx = NULL, *sctx = NULL;
4885 SSL *clientssl = NULL, *serverssl = NULL;
4886 int testresult = 0, i, j;
4888 static char *mess = "A test message";
4890 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4891 TLS_client_method(),
4894 &sctx, &cctx, cert, privkey))
4895 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4897 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4901 for (j = 0; j < 2; j++) {
4902 /* Send lots of KeyUpdate messages */
4903 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
4904 if (!TEST_true(SSL_key_update(clientssl,
4906 ? SSL_KEY_UPDATE_NOT_REQUESTED
4907 : SSL_KEY_UPDATE_REQUESTED))
4908 || !TEST_true(SSL_do_handshake(clientssl)))
4912 /* Check that sending and receiving app data is ok */
4913 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
4914 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
4918 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
4919 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
4927 SSL_free(serverssl);
4928 SSL_free(clientssl);
4936 * Test we can handle a KeyUpdate (update requested) message while write data
4938 * Test 0: Client sends KeyUpdate while Server is writing
4939 * Test 1: Server sends KeyUpdate while Client is writing
4941 static int test_key_update_in_write(int tst)
4943 SSL_CTX *cctx = NULL, *sctx = NULL;
4944 SSL *clientssl = NULL, *serverssl = NULL;
4947 static char *mess = "A test message";
4948 BIO *bretry = BIO_new(bio_s_always_retry());
4950 SSL *peerupdate = NULL, *peerwrite = NULL;
4952 if (!TEST_ptr(bretry)
4953 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4954 TLS_client_method(),
4957 &sctx, &cctx, cert, privkey))
4958 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4960 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4964 peerupdate = tst == 0 ? clientssl : serverssl;
4965 peerwrite = tst == 0 ? serverssl : clientssl;
4967 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
4968 || !TEST_true(SSL_do_handshake(peerupdate)))
4971 /* Swap the writing endpoint's write BIO to force a retry */
4972 tmp = SSL_get_wbio(peerwrite);
4973 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
4977 SSL_set0_wbio(peerwrite, bretry);
4980 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
4981 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
4982 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
4985 /* Reinstate the original writing endpoint's write BIO */
4986 SSL_set0_wbio(peerwrite, tmp);
4989 /* Now read some data - we will read the key update */
4990 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
4991 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
4995 * Complete the write we started previously and read it from the other
4998 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4999 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5002 /* Write more data to ensure we send the KeyUpdate message back */
5003 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5004 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5010 SSL_free(serverssl);
5011 SSL_free(clientssl);
5019 #endif /* OPENSSL_NO_TLS1_3 */
5021 static int test_ssl_clear(int idx)
5023 SSL_CTX *cctx = NULL, *sctx = NULL;
5024 SSL *clientssl = NULL, *serverssl = NULL;
5027 #ifdef OPENSSL_NO_TLS1_2
5032 /* Create an initial connection */
5033 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5035 &sctx, &cctx, cert, privkey))
5037 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5039 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5040 &clientssl, NULL, NULL))
5041 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5045 SSL_shutdown(clientssl);
5046 SSL_shutdown(serverssl);
5047 SSL_free(serverssl);
5050 /* Clear clientssl - we're going to reuse the object */
5051 if (!TEST_true(SSL_clear(clientssl)))
5054 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5056 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5058 || !TEST_true(SSL_session_reused(clientssl)))
5061 SSL_shutdown(clientssl);
5062 SSL_shutdown(serverssl);
5067 SSL_free(serverssl);
5068 SSL_free(clientssl);
5075 /* Parse CH and retrieve any MFL extension value if present */
5076 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5079 unsigned char *data;
5080 PACKET pkt, pkt2, pkt3;
5081 unsigned int MFL_code = 0, type = 0;
5083 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5086 memset(&pkt, 0, sizeof(pkt));
5087 memset(&pkt2, 0, sizeof(pkt2));
5088 memset(&pkt3, 0, sizeof(pkt3));
5090 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5091 /* Skip the record header */
5092 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5093 /* Skip the handshake message header */
5094 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5095 /* Skip client version and random */
5096 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5097 + SSL3_RANDOM_SIZE))
5098 /* Skip session id */
5099 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5101 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5102 /* Skip compression */
5103 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5104 /* Extensions len */
5105 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5108 /* Loop through all extensions */
5109 while (PACKET_remaining(&pkt2)) {
5110 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5111 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5114 if (type == TLSEXT_TYPE_max_fragment_length) {
5115 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5116 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5119 *mfl_codemfl_code = MFL_code;
5128 /* Maximum-Fragment-Length TLS extension mode to test */
5129 static const unsigned char max_fragment_len_test[] = {
5130 TLSEXT_max_fragment_length_512,
5131 TLSEXT_max_fragment_length_1024,
5132 TLSEXT_max_fragment_length_2048,
5133 TLSEXT_max_fragment_length_4096
5136 static int test_max_fragment_len_ext(int idx_tst)
5140 int testresult = 0, MFL_mode = 0;
5143 ctx = SSL_CTX_new(TLS_method());
5147 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5148 ctx, max_fragment_len_test[idx_tst])))
5155 rbio = BIO_new(BIO_s_mem());
5156 wbio = BIO_new(BIO_s_mem());
5157 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5163 SSL_set_bio(con, rbio, wbio);
5164 SSL_set_connect_state(con);
5166 if (!TEST_int_le(SSL_connect(con), 0)) {
5167 /* This shouldn't succeed because we don't have a server! */
5171 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5172 /* no MFL in client hello */
5174 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5186 #ifndef OPENSSL_NO_TLS1_3
5187 static int test_pha_key_update(void)
5189 SSL_CTX *cctx = NULL, *sctx = NULL;
5190 SSL *clientssl = NULL, *serverssl = NULL;
5193 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5195 &sctx, &cctx, cert, privkey)))
5198 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5199 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5200 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5201 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5204 SSL_CTX_set_post_handshake_auth(cctx, 1);
5206 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5210 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5214 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5215 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5218 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5221 /* Start handshake on the server */
5222 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5225 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5226 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5230 SSL_shutdown(clientssl);
5231 SSL_shutdown(serverssl);
5236 SSL_free(serverssl);
5237 SSL_free(clientssl);
5244 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5246 static SRP_VBASE *vbase = NULL;
5248 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5250 int ret = SSL3_AL_FATAL;
5252 SRP_user_pwd *user = NULL;
5254 username = SSL_get_srp_username(s);
5255 if (username == NULL) {
5256 *ad = SSL_AD_INTERNAL_ERROR;
5260 user = SRP_VBASE_get1_by_user(vbase, username);
5262 *ad = SSL_AD_INTERNAL_ERROR;
5266 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5268 *ad = SSL_AD_INTERNAL_ERROR;
5275 SRP_user_pwd_free(user);
5279 static int create_new_vfile(char *userid, char *password, const char *filename)
5282 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5285 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5288 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5291 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5292 &row[DB_srpverifier], NULL, NULL);
5293 if (!TEST_ptr(gNid))
5297 * The only way to create an empty TXT_DB is to provide a BIO with no data
5300 db = TXT_DB_read(dummy, DB_NUMBER);
5304 out = BIO_new_file(filename, "w");
5308 row[DB_srpid] = OPENSSL_strdup(userid);
5309 row[DB_srptype] = OPENSSL_strdup("V");
5310 row[DB_srpgN] = OPENSSL_strdup(gNid);
5312 if (!TEST_ptr(row[DB_srpid])
5313 || !TEST_ptr(row[DB_srptype])
5314 || !TEST_ptr(row[DB_srpgN])
5315 || !TEST_true(TXT_DB_insert(db, row)))
5320 if (!TXT_DB_write(out, db))
5326 for (i = 0; i < DB_NUMBER; i++)
5327 OPENSSL_free(row[i]);
5337 static int create_new_vbase(char *userid, char *password)
5339 BIGNUM *verifier = NULL, *salt = NULL;
5340 const SRP_gN *lgN = NULL;
5341 SRP_user_pwd *user_pwd = NULL;
5344 lgN = SRP_get_default_gN(NULL);
5348 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5352 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5353 if (!TEST_ptr(user_pwd))
5356 user_pwd->N = lgN->N;
5357 user_pwd->g = lgN->g;
5358 user_pwd->id = OPENSSL_strdup(userid);
5359 if (!TEST_ptr(user_pwd->id))
5362 user_pwd->v = verifier;
5364 verifier = salt = NULL;
5366 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5372 SRP_user_pwd_free(user_pwd);
5382 * Test 0: Simple successful SRP connection, new vbase
5383 * Test 1: Connection failure due to bad password, new vbase
5384 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5385 * Test 3: Connection failure due to bad password, vbase loaded from existing
5387 * Test 4: Simple successful SRP connection, vbase loaded from new file
5388 * Test 5: Connection failure due to bad password, vbase loaded from new file
5390 static int test_srp(int tst)
5392 char *userid = "test", *password = "password", *tstsrpfile;
5393 SSL_CTX *cctx = NULL, *sctx = NULL;
5394 SSL *clientssl = NULL, *serverssl = NULL;
5395 int ret, testresult = 0;
5397 vbase = SRP_VBASE_new(NULL);
5398 if (!TEST_ptr(vbase))
5401 if (tst == 0 || tst == 1) {
5402 if (!TEST_true(create_new_vbase(userid, password)))
5405 if (tst == 4 || tst == 5) {
5406 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5408 tstsrpfile = tmpfilename;
5410 tstsrpfile = srpvfile;
5412 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5416 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5418 &sctx, &cctx, cert, privkey)))
5421 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5422 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5423 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5424 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5425 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5429 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5432 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5436 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5440 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5442 if (!TEST_true(tst % 2 == 0))
5445 if (!TEST_true(tst % 2 == 1))
5452 SRP_VBASE_free(vbase);
5454 SSL_free(serverssl);
5455 SSL_free(clientssl);
5463 static int info_cb_failed = 0;
5464 static int info_cb_offset = 0;
5465 static int info_cb_this_state = -1;
5467 static struct info_cb_states_st {
5469 const char *statestr;
5470 } info_cb_states[][60] = {
5472 /* TLSv1.2 server followed by resumption */
5473 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5474 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5475 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5476 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5477 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5478 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5479 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5480 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5481 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5482 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5483 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5484 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5485 {SSL_CB_EXIT, NULL}, {0, NULL},
5487 /* TLSv1.2 client followed by resumption */
5488 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5489 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5490 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5491 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5492 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5493 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5494 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5495 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5496 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5497 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5498 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5499 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5501 /* TLSv1.3 server followed by resumption */
5502 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5503 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5504 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5505 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5506 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5507 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5508 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5509 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5510 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5511 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5512 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5513 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5514 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5516 /* TLSv1.3 client followed by resumption */
5517 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5518 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5519 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5520 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5521 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5522 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5523 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5524 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5525 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5526 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5527 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5528 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5529 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5530 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5531 {SSL_CB_EXIT, NULL}, {0, NULL},
5533 /* TLSv1.3 server, early_data */
5534 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5535 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5536 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5537 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5538 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5539 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5540 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5541 {SSL_CB_EXIT, NULL}, {0, NULL},
5543 /* TLSv1.3 client, early_data */
5544 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5545 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5546 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5547 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5548 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5549 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5550 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5551 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5552 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5558 static void sslapi_info_callback(const SSL *s, int where, int ret)
5560 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5562 /* We do not ever expect a connection to fail in this test */
5563 if (!TEST_false(ret == 0)) {
5569 * Do some sanity checks. We never expect these things to happen in this
5572 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5573 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5574 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5579 /* Now check we're in the right state */
5580 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5584 if ((where & SSL_CB_LOOP) != 0
5585 && !TEST_int_eq(strcmp(SSL_state_string(s),
5586 state[info_cb_this_state].statestr), 0)) {
5592 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5594 if ((where & SSL_CB_HANDSHAKE_DONE)
5595 && SSL_in_init((SSL *)s) != 0) {
5602 * Test the info callback gets called when we expect it to.
5604 * Test 0: TLSv1.2, server
5605 * Test 1: TLSv1.2, client
5606 * Test 2: TLSv1.3, server
5607 * Test 3: TLSv1.3, client
5608 * Test 4: TLSv1.3, server, early_data
5609 * Test 5: TLSv1.3, client, early_data
5611 static int test_info_callback(int tst)
5613 SSL_CTX *cctx = NULL, *sctx = NULL;
5614 SSL *clientssl = NULL, *serverssl = NULL;
5615 SSL_SESSION *clntsess = NULL;
5620 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5621 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5622 || !defined(OPENSSL_NO_DH))
5623 tlsvers = TLS1_2_VERSION;
5628 #ifndef OPENSSL_NO_TLS1_3
5629 tlsvers = TLS1_3_VERSION;
5637 info_cb_this_state = -1;
5638 info_cb_offset = tst;
5640 #ifndef OPENSSL_NO_TLS1_3
5642 SSL_SESSION *sess = NULL;
5643 size_t written, readbytes;
5644 unsigned char buf[80];
5646 /* early_data tests */
5647 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5648 &serverssl, &sess, 0)))
5651 /* We don't actually need this reference */
5652 SSL_SESSION_free(sess);
5654 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5655 sslapi_info_callback);
5657 /* Write and read some early data and then complete the connection */
5658 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5660 || !TEST_size_t_eq(written, strlen(MSG1))
5661 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5662 sizeof(buf), &readbytes),
5663 SSL_READ_EARLY_DATA_SUCCESS)
5664 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5665 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5666 SSL_EARLY_DATA_ACCEPTED)
5667 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5669 || !TEST_false(info_cb_failed))
5677 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5678 TLS_client_method(),
5679 tlsvers, tlsvers, &sctx, &cctx, cert,
5684 * For even numbered tests we check the server callbacks. For odd numbers we
5687 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5688 sslapi_info_callback);
5690 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5691 &clientssl, NULL, NULL))
5692 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5694 || !TEST_false(info_cb_failed))
5699 clntsess = SSL_get1_session(clientssl);
5700 SSL_shutdown(clientssl);
5701 SSL_shutdown(serverssl);
5702 SSL_free(serverssl);
5703 SSL_free(clientssl);
5704 serverssl = clientssl = NULL;
5706 /* Now do a resumption */
5707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5709 || !TEST_true(SSL_set_session(clientssl, clntsess))
5710 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5712 || !TEST_true(SSL_session_reused(clientssl))
5713 || !TEST_false(info_cb_failed))
5719 SSL_free(serverssl);
5720 SSL_free(clientssl);
5721 SSL_SESSION_free(clntsess);
5727 static int test_ssl_pending(int tst)
5729 SSL_CTX *cctx = NULL, *sctx = NULL;
5730 SSL *clientssl = NULL, *serverssl = NULL;
5732 char msg[] = "A test message";
5734 size_t written, readbytes;
5737 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5738 TLS_client_method(),
5740 &sctx, &cctx, cert, privkey)))
5743 #ifndef OPENSSL_NO_DTLS
5744 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5745 DTLS_client_method(),
5747 &sctx, &cctx, cert, privkey)))
5754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5756 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5760 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5761 || !TEST_false(SSL_has_pending(clientssl))
5762 || !TEST_int_eq(SSL_pending(serverssl), 0)
5763 || !TEST_false(SSL_has_pending(serverssl))
5764 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5765 || !TEST_size_t_eq(written, sizeof(msg))
5766 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5767 || !TEST_size_t_eq(readbytes, sizeof(buf))
5768 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5769 || !TEST_true(SSL_has_pending(clientssl)))
5775 SSL_free(serverssl);
5776 SSL_free(clientssl);
5784 unsigned int maxprot;
5785 const char *clntciphers;
5786 const char *clnttls13ciphers;
5787 const char *srvrciphers;
5788 const char *srvrtls13ciphers;
5790 } shared_ciphers_data[] = {
5792 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5793 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5795 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5798 "AES128-SHA:AES256-SHA",
5800 "AES256-SHA:DHE-RSA-AES128-SHA",
5806 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5808 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5810 "AES128-SHA:AES256-SHA"
5814 "AES128-SHA:AES256-SHA",
5816 "AES128-SHA:DHE-RSA-AES128-SHA",
5822 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5825 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5826 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5829 "AES128-SHA:AES256-SHA",
5831 "AES256-SHA:AES128-SHA256",
5833 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5834 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5837 #ifndef OPENSSL_NO_TLS1_3
5841 "TLS_AES_256_GCM_SHA384",
5843 "TLS_AES_256_GCM_SHA384",
5844 "TLS_AES_256_GCM_SHA384"
5849 static int test_ssl_get_shared_ciphers(int tst)
5851 SSL_CTX *cctx = NULL, *sctx = NULL;
5852 SSL *clientssl = NULL, *serverssl = NULL;
5856 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5857 TLS_client_method(),
5859 shared_ciphers_data[tst].maxprot,
5860 &sctx, &cctx, cert, privkey)))
5863 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5864 shared_ciphers_data[tst].clntciphers))
5865 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5866 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5867 shared_ciphers_data[tst].clnttls13ciphers)))
5868 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5869 shared_ciphers_data[tst].srvrciphers))
5870 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5871 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5872 shared_ciphers_data[tst].srvrtls13ciphers))))
5876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5878 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5882 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5883 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5884 TEST_info("Shared ciphers are: %s\n", buf);
5891 SSL_free(serverssl);
5892 SSL_free(clientssl);
5899 static const char *appdata = "Hello World";
5900 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5901 static int tick_key_renew = 0;
5902 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5904 static int gen_tick_cb(SSL *s, void *arg)
5906 gen_tick_called = 1;
5908 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5912 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5913 const unsigned char *keyname,
5914 size_t keyname_length,
5915 SSL_TICKET_STATUS status,
5921 dec_tick_called = 1;
5923 if (status == SSL_TICKET_EMPTY)
5924 return SSL_TICKET_RETURN_IGNORE_RENEW;
5926 if (!TEST_true(status == SSL_TICKET_SUCCESS
5927 || status == SSL_TICKET_SUCCESS_RENEW))
5928 return SSL_TICKET_RETURN_ABORT;
5930 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5932 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5933 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5934 return SSL_TICKET_RETURN_ABORT;
5936 if (tick_key_cb_called) {
5937 /* Don't change what the ticket key callback wanted to do */
5939 case SSL_TICKET_NO_DECRYPT:
5940 return SSL_TICKET_RETURN_IGNORE_RENEW;
5942 case SSL_TICKET_SUCCESS:
5943 return SSL_TICKET_RETURN_USE;
5945 case SSL_TICKET_SUCCESS_RENEW:
5946 return SSL_TICKET_RETURN_USE_RENEW;
5949 return SSL_TICKET_RETURN_ABORT;
5952 return tick_dec_ret;
5956 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5957 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5958 HMAC_CTX *hctx, int enc)
5960 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5961 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5963 tick_key_cb_called = 1;
5964 memset(iv, 0, AES_BLOCK_SIZE);
5965 memset(key_name, 0, 16);
5966 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5967 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5968 EVP_sha256(), NULL))
5971 return tick_key_renew ? 2 : 1;
5975 * Test the various ticket callbacks
5976 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5977 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5978 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5979 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5980 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5981 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5982 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5983 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5984 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5985 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5986 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5987 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5989 static int test_ticket_callbacks(int tst)
5991 SSL_CTX *cctx = NULL, *sctx = NULL;
5992 SSL *clientssl = NULL, *serverssl = NULL;
5993 SSL_SESSION *clntsess = NULL;
5996 #ifdef OPENSSL_NO_TLS1_2
6000 #ifdef OPENSSL_NO_TLS1_3
6005 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6007 /* Which tests the ticket key callback should request renewal for */
6008 if (tst == 10 || tst == 11)
6013 /* Which tests the decrypt ticket callback should request renewal for */
6017 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6022 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6027 tick_dec_ret = SSL_TICKET_RETURN_USE;
6032 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6036 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6039 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6040 TLS_client_method(),
6042 ((tst % 2) == 0) ? TLS1_2_VERSION
6044 &sctx, &cctx, cert, privkey)))
6048 * We only want sessions to resume from tickets - not the session cache. So
6049 * switch the cache off.
6051 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6054 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6059 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6062 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6064 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6069 * The decrypt ticket key callback in TLSv1.2 should be called even though
6070 * we have no ticket yet, because it gets called with a status of
6071 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6072 * actually send any ticket data). This does not happen in TLSv1.3 because
6073 * it is not valid to send empty ticket data in TLSv1.3.
6075 if (!TEST_int_eq(gen_tick_called, 1)
6076 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6079 gen_tick_called = dec_tick_called = 0;
6081 clntsess = SSL_get1_session(clientssl);
6082 SSL_shutdown(clientssl);
6083 SSL_shutdown(serverssl);
6084 SSL_free(serverssl);
6085 SSL_free(clientssl);
6086 serverssl = clientssl = NULL;
6088 /* Now do a resumption */
6089 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6091 || !TEST_true(SSL_set_session(clientssl, clntsess))
6092 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6096 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6097 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6098 if (!TEST_false(SSL_session_reused(clientssl)))
6101 if (!TEST_true(SSL_session_reused(clientssl)))
6105 if (!TEST_int_eq(gen_tick_called,
6107 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6108 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6110 || !TEST_int_eq(dec_tick_called, 1))
6116 SSL_SESSION_free(clntsess);
6117 SSL_free(serverssl);
6118 SSL_free(clientssl);
6126 * Test bi-directional shutdown.
6128 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6129 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6130 * Test 3: TLSv1.3, pending NewSessionTicket messages
6131 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6132 * sends key update, client reads it
6133 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6134 * sends CertificateRequest, client reads and ignores it
6135 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6138 static int test_shutdown(int tst)
6140 SSL_CTX *cctx = NULL, *sctx = NULL;
6141 SSL *clientssl = NULL, *serverssl = NULL;
6143 char msg[] = "A test message";
6145 size_t written, readbytes;
6148 #ifdef OPENSSL_NO_TLS1_2
6152 #ifdef OPENSSL_NO_TLS1_3
6157 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6158 TLS_client_method(),
6160 (tst <= 1) ? TLS1_2_VERSION
6162 &sctx, &cctx, cert, privkey)))
6166 SSL_CTX_set_post_handshake_auth(cctx, 1);
6168 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6173 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6175 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6176 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6178 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6180 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6181 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6185 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6190 * Reading on the server after the client has sent close_notify should
6191 * fail and provide SSL_ERROR_ZERO_RETURN
6193 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6194 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6195 SSL_ERROR_ZERO_RETURN)
6196 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6197 SSL_RECEIVED_SHUTDOWN)
6199 * Even though we're shutdown on receive we should still be
6202 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6205 && !TEST_true(SSL_key_update(serverssl,
6206 SSL_KEY_UPDATE_REQUESTED)))
6209 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6210 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6213 if ((tst == 4 || tst == 5)
6214 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6216 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6218 if (tst == 4 || tst == 5) {
6219 /* Should still be able to read data from server */
6220 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6222 || !TEST_size_t_eq(readbytes, sizeof(msg))
6223 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6224 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6226 || !TEST_size_t_eq(readbytes, sizeof(msg))
6227 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6232 /* Writing on the client after sending close_notify shouldn't be possible */
6233 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6238 * For these tests the client has sent close_notify but it has not yet
6239 * been received by the server. The server has not sent close_notify
6242 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6244 * Writing on the server after sending close_notify shouldn't
6247 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6248 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6249 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6250 || !TEST_true(SSL_SESSION_is_resumable(sess))
6251 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6253 } else if (tst == 4 || tst == 5) {
6255 * In this test the client has sent close_notify and it has been
6256 * received by the server which has responded with a close_notify. The
6257 * client needs to read the close_notify sent by the server.
6259 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6260 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6261 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6267 * The client has sent close_notify and is expecting a close_notify
6268 * back, but instead there is application data first. The shutdown
6269 * should fail with a fatal error.
6271 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6272 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6279 SSL_free(serverssl);
6280 SSL_free(clientssl);
6287 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6288 static int cert_cb_cnt;
6290 static int cert_cb(SSL *s, void *arg)
6292 SSL_CTX *ctx = (SSL_CTX *)arg;
6294 EVP_PKEY *pkey = NULL;
6295 X509 *x509 = NULL, *rootx = NULL;
6296 STACK_OF(X509) *chain = NULL;
6297 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6300 if (cert_cb_cnt == 0) {
6301 /* Suspend the handshake */
6304 } else if (cert_cb_cnt == 1) {
6306 * Update the SSL_CTX, set the certificate and private key and then
6307 * continue the handshake normally.
6309 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6312 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6313 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6315 || !TEST_true(SSL_check_private_key(s)))
6319 } else if (cert_cb_cnt == 3) {
6322 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6323 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6324 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6325 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6327 chain = sk_X509_new_null();
6328 if (!TEST_ptr(chain))
6330 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6331 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6332 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6333 || !TEST_true(sk_X509_push(chain, rootx)))
6337 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6338 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6339 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6342 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6343 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6344 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6346 rv = SSL_check_chain(s, x509, pkey, chain);
6348 * If the cert doesn't show as valid here (e.g., because we don't
6349 * have any shared sigalgs), then we will not set it, and there will
6350 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6351 * will cause tls_choose_sigalgs() to fail the connection.
6353 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6354 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6355 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6362 /* Abort the handshake */
6364 OPENSSL_free(ecdsacert);
6365 OPENSSL_free(ecdsakey);
6366 OPENSSL_free(rootfile);
6368 EVP_PKEY_free(pkey);
6371 sk_X509_pop_free(chain, X509_free);
6376 * Test the certificate callback.
6377 * Test 0: Callback fails
6378 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6379 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6380 * Test 3: Success - Call SSL_check_chain from the callback
6381 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6383 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6385 static int test_cert_cb_int(int prot, int tst)
6387 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6388 SSL *clientssl = NULL, *serverssl = NULL;
6389 int testresult = 0, ret;
6391 #ifdef OPENSSL_NO_EC
6392 /* We use an EC cert in these tests, so we skip in a no-ec build */
6397 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6398 TLS_client_method(),
6401 &sctx, &cctx, NULL, NULL)))
6412 snictx = SSL_CTX_new(TLS_server_method());
6413 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6415 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6421 * We cause SSL_check_chain() to fail by specifying sig_algs that
6422 * the chain doesn't meet (the root uses an RSA cert)
6424 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6425 "ecdsa_secp256r1_sha256")))
6427 } else if (tst == 5) {
6429 * We cause SSL_check_chain() to fail by specifying sig_algs that
6430 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6432 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6433 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6437 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6438 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6440 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6447 SSL_free(serverssl);
6448 SSL_free(clientssl);
6451 SSL_CTX_free(snictx);
6457 static int test_cert_cb(int tst)
6461 #ifndef OPENSSL_NO_TLS1_2
6462 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6464 #ifndef OPENSSL_NO_TLS1_3
6465 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6471 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6477 /* Check that SSL_get_peer_certificate() returns something sensible */
6478 peer = SSL_get_peer_certificate(ssl);
6479 if (!TEST_ptr(peer))
6483 in = BIO_new_file(cert, "r");
6487 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6489 if (!TEST_ptr(xcert))
6492 in = BIO_new_file(privkey, "r");
6493 if (!TEST_ptr(in)) {
6498 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6500 if (!TEST_ptr(privpkey)) {
6511 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6516 static int test_client_cert_cb(int tst)
6518 SSL_CTX *cctx = NULL, *sctx = NULL;
6519 SSL *clientssl = NULL, *serverssl = NULL;
6522 #ifdef OPENSSL_NO_TLS1_2
6526 #ifdef OPENSSL_NO_TLS1_3
6531 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6532 TLS_client_method(),
6534 tst == 0 ? TLS1_2_VERSION
6536 &sctx, &cctx, cert, privkey)))
6540 * Test that setting a client_cert_cb results in a client certificate being
6543 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6544 SSL_CTX_set_verify(sctx,
6545 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6548 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6550 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6557 SSL_free(serverssl);
6558 SSL_free(clientssl);
6565 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6567 * Test setting certificate authorities on both client and server.
6569 * Test 0: SSL_CTX_set0_CA_list() only
6570 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6571 * Test 2: Only SSL_CTX_set_client_CA_list()
6573 static int test_ca_names_int(int prot, int tst)
6575 SSL_CTX *cctx = NULL, *sctx = NULL;
6576 SSL *clientssl = NULL, *serverssl = NULL;
6579 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6580 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6581 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6582 const STACK_OF(X509_NAME) *sktmp = NULL;
6584 for (i = 0; i < OSSL_NELEM(name); i++) {
6585 name[i] = X509_NAME_new();
6586 if (!TEST_ptr(name[i])
6587 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6595 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6596 TLS_client_method(),
6599 &sctx, &cctx, cert, privkey)))
6602 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6604 if (tst == 0 || tst == 1) {
6605 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6606 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6607 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6608 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6609 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6610 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6613 SSL_CTX_set0_CA_list(sctx, sk1);
6614 SSL_CTX_set0_CA_list(cctx, sk2);
6617 if (tst == 1 || tst == 2) {
6618 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6619 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6620 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6621 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6622 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6623 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6626 SSL_CTX_set_client_CA_list(sctx, sk1);
6627 SSL_CTX_set_client_CA_list(cctx, sk2);
6631 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6633 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6638 * We only expect certificate authorities to have been sent to the server
6639 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6641 sktmp = SSL_get0_peer_CA_list(serverssl);
6642 if (prot == TLS1_3_VERSION
6643 && (tst == 0 || tst == 1)) {
6644 if (!TEST_ptr(sktmp)
6645 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6646 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6648 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6651 } else if (!TEST_ptr_null(sktmp)) {
6656 * In all tests we expect certificate authorities to have been sent to the
6657 * client. However, SSL_set_client_CA_list() should override
6658 * SSL_set0_CA_list()
6660 sktmp = SSL_get0_peer_CA_list(clientssl);
6661 if (!TEST_ptr(sktmp)
6662 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6663 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6664 name[tst == 0 ? 0 : 2]), 0)
6665 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6666 name[tst == 0 ? 1 : 3]), 0))
6672 SSL_free(serverssl);
6673 SSL_free(clientssl);
6676 for (i = 0; i < OSSL_NELEM(name); i++)
6677 X509_NAME_free(name[i]);
6678 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6679 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6685 static int test_ca_names(int tst)
6689 #ifndef OPENSSL_NO_TLS1_2
6690 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6692 #ifndef OPENSSL_NO_TLS1_3
6693 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6700 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6702 int setup_tests(void)
6704 if (!TEST_ptr(certsdir = test_get_argument(0))
6705 || !TEST_ptr(srpvfile = test_get_argument(1))
6706 || !TEST_ptr(tmpfilename = test_get_argument(2)))
6709 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6710 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6711 TEST_error("not supported in this build");
6714 int i, mcount, rcount, fcount;
6716 for (i = 0; i < 4; i++)
6717 test_export_key_mat(i);
6718 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6719 test_printf_stdout("malloc %d realloc %d free %d\n",
6720 mcount, rcount, fcount);
6725 cert = test_mk_file_path(certsdir, "servercert.pem");
6729 privkey = test_mk_file_path(certsdir, "serverkey.pem");
6730 if (privkey == NULL) {
6735 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6736 && !defined(OPENSSL_NO_SOCK)
6737 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
6738 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
6739 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
6740 ADD_TEST(test_ktls_client_no_txrx_server);
6741 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
6742 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
6743 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
6744 ADD_TEST(test_ktls_client_no_rx_server);
6745 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
6746 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
6747 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
6748 ADD_TEST(test_ktls_client_no_tx_server);
6749 ADD_TEST(test_ktls_no_txrx_client_server);
6750 ADD_TEST(test_ktls_no_rx_client_server);
6751 ADD_TEST(test_ktls_no_tx_client_server);
6752 ADD_TEST(test_ktls_client_server);
6753 ADD_TEST(test_ktls_sendfile);
6755 ADD_TEST(test_large_message_tls);
6756 ADD_TEST(test_large_message_tls_read_ahead);
6757 #ifndef OPENSSL_NO_DTLS
6758 ADD_TEST(test_large_message_dtls);
6760 #ifndef OPENSSL_NO_OCSP
6761 ADD_TEST(test_tlsext_status_type);
6763 ADD_TEST(test_session_with_only_int_cache);
6764 ADD_TEST(test_session_with_only_ext_cache);
6765 ADD_TEST(test_session_with_both_cache);
6766 #ifndef OPENSSL_NO_TLS1_3
6767 ADD_ALL_TESTS(test_stateful_tickets, 3);
6768 ADD_ALL_TESTS(test_stateless_tickets, 3);
6769 ADD_TEST(test_psk_tickets);
6771 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6772 ADD_TEST(test_ssl_bio_pop_next_bio);
6773 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6774 ADD_TEST(test_ssl_bio_change_rbio);
6775 ADD_TEST(test_ssl_bio_change_wbio);
6776 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6777 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6778 ADD_TEST(test_keylog);
6780 #ifndef OPENSSL_NO_TLS1_3
6781 ADD_TEST(test_keylog_no_master_key);
6783 #ifndef OPENSSL_NO_TLS1_2
6784 ADD_TEST(test_client_hello_cb);
6785 ADD_TEST(test_no_ems);
6787 #ifndef OPENSSL_NO_TLS1_3
6788 ADD_ALL_TESTS(test_early_data_read_write, 3);
6790 * We don't do replay tests for external PSK. Replay protection isn't used
6793 ADD_ALL_TESTS(test_early_data_replay, 2);
6794 ADD_ALL_TESTS(test_early_data_skip, 3);
6795 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6796 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6797 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6798 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6799 ADD_ALL_TESTS(test_early_data_psk, 8);
6800 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6801 # ifndef OPENSSL_NO_TLS1_2
6802 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6805 #ifndef OPENSSL_NO_TLS1_3
6806 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6807 ADD_TEST(test_ciphersuite_change);
6808 #ifdef OPENSSL_NO_PSK
6809 ADD_ALL_TESTS(test_tls13_psk, 1);
6811 ADD_ALL_TESTS(test_tls13_psk, 4);
6812 #endif /* OPENSSL_NO_PSK */
6813 ADD_ALL_TESTS(test_key_exchange, 14);
6814 ADD_ALL_TESTS(test_custom_exts, 5);
6815 ADD_TEST(test_stateless);
6816 ADD_TEST(test_pha_key_update);
6818 ADD_ALL_TESTS(test_custom_exts, 3);
6820 ADD_ALL_TESTS(test_serverinfo, 8);
6821 ADD_ALL_TESTS(test_export_key_mat, 6);
6822 #ifndef OPENSSL_NO_TLS1_3
6823 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6824 ADD_TEST(test_key_update);
6825 ADD_ALL_TESTS(test_key_update_in_write, 2);
6827 ADD_ALL_TESTS(test_ssl_clear, 2);
6828 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6829 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6830 ADD_ALL_TESTS(test_srp, 6);
6832 ADD_ALL_TESTS(test_info_callback, 6);
6833 ADD_ALL_TESTS(test_ssl_pending, 2);
6834 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6835 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6836 ADD_ALL_TESTS(test_shutdown, 7);
6837 ADD_ALL_TESTS(test_cert_cb, 6);
6838 ADD_ALL_TESTS(test_client_cert_cb, 2);
6839 ADD_ALL_TESTS(test_ca_names, 3);
6843 void cleanup_tests(void)
6846 OPENSSL_free(privkey);
6847 bio_s_mempacket_test_free();
6848 bio_s_always_retry_free();