2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "../ssl/ssl_locl.h"
27 #ifndef OPENSSL_NO_TLS1_3
29 static SSL_SESSION *clientpsk = NULL;
30 static SSL_SESSION *serverpsk = NULL;
31 static const char *pskid = "Identity";
32 static const char *srvid;
34 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
35 size_t *idlen, SSL_SESSION **sess);
36 static int find_session_cb(SSL *ssl, const unsigned char *identity,
37 size_t identity_len, SSL_SESSION **sess);
39 static int use_session_cb_cnt = 0;
40 static int find_session_cb_cnt = 0;
42 static SSL_SESSION *create_a_psk(SSL *ssl);
45 static char *cert = NULL;
46 static char *privkey = NULL;
47 static char *srpvfile = NULL;
48 static char *tmpfilename = NULL;
50 #define LOG_BUFFER_SIZE 2048
51 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
52 static size_t server_log_buffer_index = 0;
53 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
54 static size_t client_log_buffer_index = 0;
55 static int error_writing_log = 0;
57 #ifndef OPENSSL_NO_OCSP
58 static const unsigned char orespder[] = "Dummy OCSP Response";
59 static int ocsp_server_called = 0;
60 static int ocsp_client_called = 0;
62 static int cdummyarg = 1;
63 static X509 *ocspcert = NULL;
66 #define NUM_EXTRA_CERTS 40
67 #define CLIENT_VERSION_LEN 2
70 * This structure is used to validate that the correct number of log messages
71 * of various types are emitted when emitting secret logs.
73 struct sslapitest_log_counts {
74 unsigned int rsa_key_exchange_count;
75 unsigned int master_secret_count;
76 unsigned int client_early_secret_count;
77 unsigned int client_handshake_secret_count;
78 unsigned int server_handshake_secret_count;
79 unsigned int client_application_secret_count;
80 unsigned int server_application_secret_count;
81 unsigned int early_exporter_secret_count;
82 unsigned int exporter_secret_count;
86 static unsigned char serverinfov1[] = {
87 0xff, 0xff, /* Dummy extension type */
88 0x00, 0x01, /* Extension length is 1 byte */
89 0xff /* Dummy extension data */
92 static unsigned char serverinfov2[] = {
94 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
95 0xff, 0xff, /* Dummy extension type */
96 0x00, 0x01, /* Extension length is 1 byte */
97 0xff /* Dummy extension data */
100 static void client_keylog_callback(const SSL *ssl, const char *line)
102 int line_length = strlen(line);
104 /* If the log doesn't fit, error out. */
105 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
106 TEST_info("Client log too full");
107 error_writing_log = 1;
111 strcat(client_log_buffer, line);
112 client_log_buffer_index += line_length;
113 client_log_buffer[client_log_buffer_index++] = '\n';
116 static void server_keylog_callback(const SSL *ssl, const char *line)
118 int line_length = strlen(line);
120 /* If the log doesn't fit, error out. */
121 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
122 TEST_info("Server log too full");
123 error_writing_log = 1;
127 strcat(server_log_buffer, line);
128 server_log_buffer_index += line_length;
129 server_log_buffer[server_log_buffer_index++] = '\n';
132 static int compare_hex_encoded_buffer(const char *hex_encoded,
140 if (!TEST_size_t_eq(raw_length * 2, hex_length))
143 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
144 sprintf(hexed, "%02x", raw[i]);
145 if (!TEST_int_eq(hexed[0], hex_encoded[j])
146 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
153 static int test_keylog_output(char *buffer, const SSL *ssl,
154 const SSL_SESSION *session,
155 struct sslapitest_log_counts *expected)
158 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
159 size_t client_random_size = SSL3_RANDOM_SIZE;
160 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
161 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
162 unsigned int rsa_key_exchange_count = 0;
163 unsigned int master_secret_count = 0;
164 unsigned int client_early_secret_count = 0;
165 unsigned int client_handshake_secret_count = 0;
166 unsigned int server_handshake_secret_count = 0;
167 unsigned int client_application_secret_count = 0;
168 unsigned int server_application_secret_count = 0;
169 unsigned int early_exporter_secret_count = 0;
170 unsigned int exporter_secret_count = 0;
172 for (token = strtok(buffer, " \n"); token != NULL;
173 token = strtok(NULL, " \n")) {
174 if (strcmp(token, "RSA") == 0) {
176 * Premaster secret. Tokens should be: 16 ASCII bytes of
177 * hex-encoded encrypted secret, then the hex-encoded pre-master
180 if (!TEST_ptr(token = strtok(NULL, " \n")))
182 if (!TEST_size_t_eq(strlen(token), 16))
184 if (!TEST_ptr(token = strtok(NULL, " \n")))
187 * We can't sensibly check the log because the premaster secret is
188 * transient, and OpenSSL doesn't keep hold of it once the master
189 * secret is generated.
191 rsa_key_exchange_count++;
192 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
194 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
195 * client random, then the hex-encoded master secret.
197 client_random_size = SSL_get_client_random(ssl,
198 actual_client_random,
200 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
203 if (!TEST_ptr(token = strtok(NULL, " \n")))
205 if (!TEST_size_t_eq(strlen(token), 64))
207 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
208 actual_client_random,
209 client_random_size)))
212 if (!TEST_ptr(token = strtok(NULL, " \n")))
214 master_key_size = SSL_SESSION_get_master_key(session,
217 if (!TEST_size_t_ne(master_key_size, 0))
219 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
223 master_secret_count++;
224 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
225 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
226 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
227 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
228 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
229 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
230 || strcmp(token, "EXPORTER_SECRET") == 0) {
232 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
233 * client random, and then the hex-encoded secret. In this case,
234 * we treat all of these secrets identically and then just
235 * distinguish between them when counting what we saw.
237 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
238 client_early_secret_count++;
239 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
240 client_handshake_secret_count++;
241 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
242 server_handshake_secret_count++;
243 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
244 client_application_secret_count++;
245 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
246 server_application_secret_count++;
247 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
248 early_exporter_secret_count++;
249 else if (strcmp(token, "EXPORTER_SECRET") == 0)
250 exporter_secret_count++;
252 client_random_size = SSL_get_client_random(ssl,
253 actual_client_random,
255 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
258 if (!TEST_ptr(token = strtok(NULL, " \n")))
260 if (!TEST_size_t_eq(strlen(token), 64))
262 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
263 actual_client_random,
264 client_random_size)))
267 if (!TEST_ptr(token = strtok(NULL, " \n")))
271 * TODO(TLS1.3): test that application traffic secrets are what
274 TEST_info("Unexpected token %s\n", token);
279 /* Got what we expected? */
280 if (!TEST_size_t_eq(rsa_key_exchange_count,
281 expected->rsa_key_exchange_count)
282 || !TEST_size_t_eq(master_secret_count,
283 expected->master_secret_count)
284 || !TEST_size_t_eq(client_early_secret_count,
285 expected->client_early_secret_count)
286 || !TEST_size_t_eq(client_handshake_secret_count,
287 expected->client_handshake_secret_count)
288 || !TEST_size_t_eq(server_handshake_secret_count,
289 expected->server_handshake_secret_count)
290 || !TEST_size_t_eq(client_application_secret_count,
291 expected->client_application_secret_count)
292 || !TEST_size_t_eq(server_application_secret_count,
293 expected->server_application_secret_count)
294 || !TEST_size_t_eq(early_exporter_secret_count,
295 expected->early_exporter_secret_count)
296 || !TEST_size_t_eq(exporter_secret_count,
297 expected->exporter_secret_count))
302 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
303 static int test_keylog(void)
305 SSL_CTX *cctx = NULL, *sctx = NULL;
306 SSL *clientssl = NULL, *serverssl = NULL;
308 struct sslapitest_log_counts expected = {0};
310 /* Clean up logging space */
311 memset(client_log_buffer, 0, sizeof(client_log_buffer));
312 memset(server_log_buffer, 0, sizeof(server_log_buffer));
313 client_log_buffer_index = 0;
314 server_log_buffer_index = 0;
315 error_writing_log = 0;
317 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
319 TLS1_VERSION, TLS_MAX_VERSION,
320 &sctx, &cctx, cert, privkey)))
323 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
324 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
325 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
327 /* We also want to ensure that we use RSA-based key exchange. */
328 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
331 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
332 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
334 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
335 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
336 == client_keylog_callback))
338 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
339 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
340 == server_keylog_callback))
343 /* Now do a handshake and check that the logs have been written to. */
344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
345 &clientssl, NULL, NULL))
346 || !TEST_true(create_ssl_connection(serverssl, clientssl,
348 || !TEST_false(error_writing_log)
349 || !TEST_int_gt(client_log_buffer_index, 0)
350 || !TEST_int_gt(server_log_buffer_index, 0))
354 * Now we want to test that our output data was vaguely sensible. We
355 * do that by using strtok and confirming that we have more or less the
356 * data we expect. For both client and server, we expect to see one master
357 * secret. The client should also see a RSA key exchange.
359 expected.rsa_key_exchange_count = 1;
360 expected.master_secret_count = 1;
361 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
362 SSL_get_session(clientssl), &expected)))
365 expected.rsa_key_exchange_count = 0;
366 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
367 SSL_get_session(serverssl), &expected)))
382 #ifndef OPENSSL_NO_TLS1_3
383 static int test_keylog_no_master_key(void)
385 SSL_CTX *cctx = NULL, *sctx = NULL;
386 SSL *clientssl = NULL, *serverssl = NULL;
387 SSL_SESSION *sess = NULL;
389 struct sslapitest_log_counts expected = {0};
390 unsigned char buf[1];
391 size_t readbytes, written;
393 /* Clean up logging space */
394 memset(client_log_buffer, 0, sizeof(client_log_buffer));
395 memset(server_log_buffer, 0, sizeof(server_log_buffer));
396 client_log_buffer_index = 0;
397 server_log_buffer_index = 0;
398 error_writing_log = 0;
400 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
401 TLS1_VERSION, TLS_MAX_VERSION,
402 &sctx, &cctx, cert, privkey))
403 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
404 SSL3_RT_MAX_PLAIN_LENGTH)))
407 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
408 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
411 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
412 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
413 == client_keylog_callback))
416 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
417 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
418 == server_keylog_callback))
421 /* Now do a handshake and check that the logs have been written to. */
422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
423 &clientssl, NULL, NULL))
424 || !TEST_true(create_ssl_connection(serverssl, clientssl,
426 || !TEST_false(error_writing_log))
430 * Now we want to test that our output data was vaguely sensible. For this
431 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
432 * TLSv1.3, but we do expect both client and server to emit keys.
434 expected.client_handshake_secret_count = 1;
435 expected.server_handshake_secret_count = 1;
436 expected.client_application_secret_count = 1;
437 expected.server_application_secret_count = 1;
438 expected.exporter_secret_count = 1;
439 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
440 SSL_get_session(clientssl), &expected))
441 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
442 SSL_get_session(serverssl),
446 /* Terminate old session and resume with early data. */
447 sess = SSL_get1_session(clientssl);
448 SSL_shutdown(clientssl);
449 SSL_shutdown(serverssl);
452 serverssl = clientssl = NULL;
455 memset(client_log_buffer, 0, sizeof(client_log_buffer));
456 memset(server_log_buffer, 0, sizeof(server_log_buffer));
457 client_log_buffer_index = 0;
458 server_log_buffer_index = 0;
460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
461 &clientssl, NULL, NULL))
462 || !TEST_true(SSL_set_session(clientssl, sess))
463 /* Here writing 0 length early data is enough. */
464 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
465 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
467 SSL_READ_EARLY_DATA_ERROR)
468 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
469 SSL_EARLY_DATA_ACCEPTED)
470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 || !TEST_true(SSL_session_reused(clientssl)))
475 /* In addition to the previous entries, expect early secrets. */
476 expected.client_early_secret_count = 1;
477 expected.early_exporter_secret_count = 1;
478 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
479 SSL_get_session(clientssl), &expected))
480 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
481 SSL_get_session(serverssl),
488 SSL_SESSION_free(sess);
498 #ifndef OPENSSL_NO_TLS1_2
499 static int full_client_hello_callback(SSL *s, int *al, void *arg)
502 const unsigned char *p;
504 /* We only configure two ciphers, but the SCSV is added automatically. */
506 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
508 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
511 const int expected_extensions[] = {
512 #ifndef OPENSSL_NO_EC
518 /* Make sure we can defer processing and get called back. */
520 return SSL_CLIENT_HELLO_RETRY;
522 len = SSL_client_hello_get0_ciphers(s, &p);
523 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
525 SSL_client_hello_get0_compression_methods(s, &p), 1)
526 || !TEST_int_eq(*p, 0))
527 return SSL_CLIENT_HELLO_ERROR;
528 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
529 return SSL_CLIENT_HELLO_ERROR;
530 if (len != OSSL_NELEM(expected_extensions) ||
531 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
532 printf("ClientHello callback expected extensions mismatch\n");
534 return SSL_CLIENT_HELLO_ERROR;
537 return SSL_CLIENT_HELLO_SUCCESS;
540 static int test_client_hello_cb(void)
542 SSL_CTX *cctx = NULL, *sctx = NULL;
543 SSL *clientssl = NULL, *serverssl = NULL;
544 int testctr = 0, testresult = 0;
546 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
547 TLS1_VERSION, TLS_MAX_VERSION,
548 &sctx, &cctx, cert, privkey)))
550 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
552 /* The gimpy cipher list we configure can't do TLS 1.3. */
553 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
555 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
556 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
557 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
558 &clientssl, NULL, NULL))
559 || !TEST_false(create_ssl_connection(serverssl, clientssl,
560 SSL_ERROR_WANT_CLIENT_HELLO_CB))
562 * Passing a -1 literal is a hack since
563 * the real value was lost.
565 || !TEST_int_eq(SSL_get_error(serverssl, -1),
566 SSL_ERROR_WANT_CLIENT_HELLO_CB)
567 || !TEST_true(create_ssl_connection(serverssl, clientssl,
583 static int execute_test_large_message(const SSL_METHOD *smeth,
584 const SSL_METHOD *cmeth,
585 int min_version, int max_version,
588 SSL_CTX *cctx = NULL, *sctx = NULL;
589 SSL *clientssl = NULL, *serverssl = NULL;
593 X509 *chaincert = NULL;
596 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
598 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
601 if (!TEST_ptr(chaincert))
604 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
605 &sctx, &cctx, cert, privkey)))
610 * Test that read_ahead works correctly when dealing with large
613 SSL_CTX_set_read_ahead(cctx, 1);
617 * We assume the supplied certificate is big enough so that if we add
618 * NUM_EXTRA_CERTS it will make the overall message large enough. The
619 * default buffer size is requested to be 16k, but due to the way BUF_MEM
620 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
621 * test we need to have a message larger than that.
623 certlen = i2d_X509(chaincert, NULL);
624 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
625 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
626 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
627 if (!X509_up_ref(chaincert))
629 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
630 X509_free(chaincert);
635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
637 || !TEST_true(create_ssl_connection(serverssl, clientssl,
642 * Calling SSL_clear() first is not required but this tests that SSL_clear()
643 * doesn't leak (when using enable-crypto-mdebug).
645 if (!TEST_true(SSL_clear(serverssl)))
650 X509_free(chaincert);
659 static int test_large_message_tls(void)
661 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
662 TLS1_VERSION, TLS_MAX_VERSION,
666 static int test_large_message_tls_read_ahead(void)
668 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
669 TLS1_VERSION, TLS_MAX_VERSION,
673 #ifndef OPENSSL_NO_DTLS
674 static int test_large_message_dtls(void)
677 * read_ahead is not relevant to DTLS because DTLS always acts as if
680 return execute_test_large_message(DTLS_server_method(),
681 DTLS_client_method(),
682 DTLS1_VERSION, DTLS_MAX_VERSION,
687 #ifndef OPENSSL_NO_OCSP
688 static int ocsp_server_cb(SSL *s, void *arg)
690 int *argi = (int *)arg;
691 unsigned char *copy = NULL;
692 STACK_OF(OCSP_RESPID) *ids = NULL;
693 OCSP_RESPID *id = NULL;
696 /* In this test we are expecting exactly 1 OCSP_RESPID */
697 SSL_get_tlsext_status_ids(s, &ids);
698 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
699 return SSL_TLSEXT_ERR_ALERT_FATAL;
701 id = sk_OCSP_RESPID_value(ids, 0);
702 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
703 return SSL_TLSEXT_ERR_ALERT_FATAL;
704 } else if (*argi != 1) {
705 return SSL_TLSEXT_ERR_ALERT_FATAL;
708 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
709 return SSL_TLSEXT_ERR_ALERT_FATAL;
711 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
712 ocsp_server_called = 1;
713 return SSL_TLSEXT_ERR_OK;
716 static int ocsp_client_cb(SSL *s, void *arg)
718 int *argi = (int *)arg;
719 const unsigned char *respderin;
722 if (*argi != 1 && *argi != 2)
725 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
726 if (!TEST_mem_eq(orespder, len, respderin, len))
729 ocsp_client_called = 1;
733 static int test_tlsext_status_type(void)
735 SSL_CTX *cctx = NULL, *sctx = NULL;
736 SSL *clientssl = NULL, *serverssl = NULL;
738 STACK_OF(OCSP_RESPID) *ids = NULL;
739 OCSP_RESPID *id = NULL;
742 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
743 TLS1_VERSION, TLS_MAX_VERSION,
744 &sctx, &cctx, cert, privkey))
747 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
750 /* First just do various checks getting and setting tlsext_status_type */
752 clientssl = SSL_new(cctx);
753 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
754 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
755 TLSEXT_STATUSTYPE_ocsp))
756 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
757 TLSEXT_STATUSTYPE_ocsp))
763 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
764 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
767 clientssl = SSL_new(cctx);
768 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
774 * Now actually do a handshake and check OCSP information is exchanged and
775 * the callbacks get called
777 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
778 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
779 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
780 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
781 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
782 &clientssl, NULL, NULL))
783 || !TEST_true(create_ssl_connection(serverssl, clientssl,
785 || !TEST_true(ocsp_client_called)
786 || !TEST_true(ocsp_server_called))
793 /* Try again but this time force the server side callback to fail */
794 ocsp_client_called = 0;
795 ocsp_server_called = 0;
797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
798 &clientssl, NULL, NULL))
799 /* This should fail because the callback will fail */
800 || !TEST_false(create_ssl_connection(serverssl, clientssl,
802 || !TEST_false(ocsp_client_called)
803 || !TEST_false(ocsp_server_called))
811 * This time we'll get the client to send an OCSP_RESPID that it will
814 ocsp_client_called = 0;
815 ocsp_server_called = 0;
817 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
818 &clientssl, NULL, NULL)))
822 * We'll just use any old cert for this test - it doesn't have to be an OCSP
823 * specific one. We'll use the server cert.
825 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
826 || !TEST_ptr(id = OCSP_RESPID_new())
827 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
828 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
830 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
831 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
834 SSL_set_tlsext_status_ids(clientssl, ids);
835 /* Control has been transferred */
841 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
843 || !TEST_true(ocsp_client_called)
844 || !TEST_true(ocsp_server_called))
854 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
855 OCSP_RESPID_free(id);
864 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
865 static int new_called, remove_called, get_called;
867 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
871 * sess has been up-refed for us, but we don't actually need it so free it
874 SSL_SESSION_free(sess);
878 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
883 static SSL_SESSION *get_sess_val = NULL;
885 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
893 static int execute_test_session(int maxprot, int use_int_cache,
896 SSL_CTX *sctx = NULL, *cctx = NULL;
897 SSL *serverssl1 = NULL, *clientssl1 = NULL;
898 SSL *serverssl2 = NULL, *clientssl2 = NULL;
899 # ifndef OPENSSL_NO_TLS1_1
900 SSL *serverssl3 = NULL, *clientssl3 = NULL;
902 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
903 int testresult = 0, numnewsesstick = 1;
905 new_called = remove_called = 0;
907 /* TLSv1.3 sends 2 NewSessionTickets */
908 if (maxprot == TLS1_3_VERSION)
911 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
912 TLS1_VERSION, TLS_MAX_VERSION,
913 &sctx, &cctx, cert, privkey)))
917 * Only allow the max protocol version so we can force a connection failure
920 SSL_CTX_set_min_proto_version(cctx, maxprot);
921 SSL_CTX_set_max_proto_version(cctx, maxprot);
923 /* Set up session cache */
925 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
926 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
929 /* Also covers instance where both are set */
930 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
932 SSL_CTX_set_session_cache_mode(cctx,
933 SSL_SESS_CACHE_CLIENT
934 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
937 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
939 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
941 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
944 /* Should fail because it should already be in the cache */
945 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
948 && (!TEST_int_eq(new_called, numnewsesstick)
950 || !TEST_int_eq(remove_called, 0)))
953 new_called = remove_called = 0;
954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
955 &clientssl2, NULL, NULL))
956 || !TEST_true(SSL_set_session(clientssl2, sess1))
957 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
959 || !TEST_true(SSL_session_reused(clientssl2)))
962 if (maxprot == TLS1_3_VERSION) {
964 * In TLSv1.3 we should have created a new session even though we have
965 * resumed. Since we attempted a resume we should also have removed the
966 * old ticket from the cache so that we try to only use tickets once.
969 && (!TEST_int_eq(new_called, 1)
970 || !TEST_int_eq(remove_called, 1)))
974 * In TLSv1.2 we expect to have resumed so no sessions added or
978 && (!TEST_int_eq(new_called, 0)
979 || !TEST_int_eq(remove_called, 0)))
983 SSL_SESSION_free(sess1);
984 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
986 shutdown_ssl_connection(serverssl2, clientssl2);
987 serverssl2 = clientssl2 = NULL;
989 new_called = remove_called = 0;
990 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
991 &clientssl2, NULL, NULL))
992 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
996 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1000 && (!TEST_int_eq(new_called, numnewsesstick)
1001 || !TEST_int_eq(remove_called, 0)))
1004 new_called = remove_called = 0;
1006 * This should clear sess2 from the cache because it is a "bad" session.
1007 * See SSL_set_session() documentation.
1009 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1012 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1014 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1017 if (use_int_cache) {
1018 /* Should succeeded because it should not already be in the cache */
1019 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1020 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1024 new_called = remove_called = 0;
1025 /* This shouldn't be in the cache so should fail */
1026 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1030 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1033 # if !defined(OPENSSL_NO_TLS1_1)
1034 new_called = remove_called = 0;
1035 /* Force a connection failure */
1036 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1037 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1038 &clientssl3, NULL, NULL))
1039 || !TEST_true(SSL_set_session(clientssl3, sess1))
1040 /* This should fail because of the mismatched protocol versions */
1041 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1045 /* We should have automatically removed the session from the cache */
1047 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1050 /* Should succeed because it should not already be in the cache */
1051 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1055 /* Now do some tests for server side caching */
1056 if (use_ext_cache) {
1057 SSL_CTX_sess_set_new_cb(cctx, NULL);
1058 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1059 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1060 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1061 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1062 get_sess_val = NULL;
1065 SSL_CTX_set_session_cache_mode(cctx, 0);
1066 /* Internal caching is the default on the server side */
1068 SSL_CTX_set_session_cache_mode(sctx,
1069 SSL_SESS_CACHE_SERVER
1070 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1072 SSL_free(serverssl1);
1073 SSL_free(clientssl1);
1074 serverssl1 = clientssl1 = NULL;
1075 SSL_free(serverssl2);
1076 SSL_free(clientssl2);
1077 serverssl2 = clientssl2 = NULL;
1078 SSL_SESSION_free(sess1);
1080 SSL_SESSION_free(sess2);
1083 SSL_CTX_set_max_proto_version(sctx, maxprot);
1084 if (maxprot == TLS1_2_VERSION)
1085 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1086 new_called = remove_called = get_called = 0;
1087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1089 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1091 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1092 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1095 if (use_int_cache) {
1096 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1098 * In TLSv1.3 it should not have been added to the internal cache,
1099 * except in the case where we also have an external cache (in that
1100 * case it gets added to the cache in order to generate remove
1101 * events after timeout).
1103 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1106 /* Should fail because it should already be in the cache */
1107 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1112 if (use_ext_cache) {
1113 SSL_SESSION *tmp = sess2;
1115 if (!TEST_int_eq(new_called, numnewsesstick)
1116 || !TEST_int_eq(remove_called, 0)
1117 || !TEST_int_eq(get_called, 0))
1120 * Delete the session from the internal cache to force a lookup from
1121 * the external cache. We take a copy first because
1122 * SSL_CTX_remove_session() also marks the session as non-resumable.
1124 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1125 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1126 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1128 SSL_SESSION_free(sess2);
1133 new_called = remove_called = get_called = 0;
1134 get_sess_val = sess2;
1135 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1136 &clientssl2, NULL, NULL))
1137 || !TEST_true(SSL_set_session(clientssl2, sess1))
1138 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1140 || !TEST_true(SSL_session_reused(clientssl2)))
1143 if (use_ext_cache) {
1144 if (!TEST_int_eq(remove_called, 0))
1147 if (maxprot == TLS1_3_VERSION) {
1148 if (!TEST_int_eq(new_called, 1)
1149 || !TEST_int_eq(get_called, 0))
1152 if (!TEST_int_eq(new_called, 0)
1153 || !TEST_int_eq(get_called, 1))
1161 SSL_free(serverssl1);
1162 SSL_free(clientssl1);
1163 SSL_free(serverssl2);
1164 SSL_free(clientssl2);
1165 # ifndef OPENSSL_NO_TLS1_1
1166 SSL_free(serverssl3);
1167 SSL_free(clientssl3);
1169 SSL_SESSION_free(sess1);
1170 SSL_SESSION_free(sess2);
1176 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1178 static int test_session_with_only_int_cache(void)
1180 #ifndef OPENSSL_NO_TLS1_3
1181 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1185 #ifndef OPENSSL_NO_TLS1_2
1186 return execute_test_session(TLS1_2_VERSION, 1, 0);
1192 static int test_session_with_only_ext_cache(void)
1194 #ifndef OPENSSL_NO_TLS1_3
1195 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1199 #ifndef OPENSSL_NO_TLS1_2
1200 return execute_test_session(TLS1_2_VERSION, 0, 1);
1206 static int test_session_with_both_cache(void)
1208 #ifndef OPENSSL_NO_TLS1_3
1209 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1213 #ifndef OPENSSL_NO_TLS1_2
1214 return execute_test_session(TLS1_2_VERSION, 1, 1);
1220 #ifndef OPENSSL_NO_TLS1_3
1221 static SSL_SESSION *sesscache[6];
1222 static int do_cache;
1224 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1227 sesscache[new_called] = sess;
1229 /* We don't need the reference to the session, so free it */
1230 SSL_SESSION_free(sess);
1237 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1239 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1240 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1243 /* Start handshake on the server and client */
1244 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1245 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1246 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1247 || !TEST_true(create_ssl_connection(sssl, cssl,
1254 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1257 int sess_id_ctx = 1;
1259 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1260 TLS1_VERSION, TLS_MAX_VERSION, sctx,
1261 cctx, cert, privkey))
1262 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1263 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1264 (void *)&sess_id_ctx,
1265 sizeof(sess_id_ctx))))
1269 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1271 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1272 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1273 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1278 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1280 SSL *serverssl = NULL, *clientssl = NULL;
1283 /* Test that we can resume with all the tickets we got given */
1284 for (i = 0; i < idx * 2; i++) {
1286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1287 &clientssl, NULL, NULL))
1288 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1291 SSL_set_post_handshake_auth(clientssl, 1);
1293 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1298 * Following a successful resumption we only get 1 ticket. After a
1299 * failed one we should get idx tickets.
1302 if (!TEST_true(SSL_session_reused(clientssl))
1303 || !TEST_int_eq(new_called, 1))
1306 if (!TEST_false(SSL_session_reused(clientssl))
1307 || !TEST_int_eq(new_called, idx))
1312 /* After a post-handshake authentication we should get 1 new ticket */
1314 && (!post_handshake_verify(serverssl, clientssl)
1315 || !TEST_int_eq(new_called, 1)))
1318 SSL_shutdown(clientssl);
1319 SSL_shutdown(serverssl);
1320 SSL_free(serverssl);
1321 SSL_free(clientssl);
1322 serverssl = clientssl = NULL;
1323 SSL_SESSION_free(sesscache[i]);
1324 sesscache[i] = NULL;
1330 SSL_free(clientssl);
1331 SSL_free(serverssl);
1335 static int test_tickets(int stateful, int idx)
1337 SSL_CTX *sctx = NULL, *cctx = NULL;
1338 SSL *serverssl = NULL, *clientssl = NULL;
1342 /* idx is the test number, but also the number of tickets we want */
1347 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1350 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1351 &clientssl, NULL, NULL)))
1354 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1356 /* Check we got the number of tickets we were expecting */
1357 || !TEST_int_eq(idx, new_called))
1360 SSL_shutdown(clientssl);
1361 SSL_shutdown(serverssl);
1362 SSL_free(serverssl);
1363 SSL_free(clientssl);
1366 clientssl = serverssl = NULL;
1370 * Now we try to resume with the tickets we previously created. The
1371 * resumption attempt is expected to fail (because we're now using a new
1372 * SSL_CTX). We should see idx number of tickets issued again.
1375 /* Stop caching sessions - just count them */
1378 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1381 if (!check_resumption(idx, sctx, cctx, 0))
1384 /* Start again with caching sessions */
1391 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1394 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1395 &clientssl, NULL, NULL)))
1398 SSL_set_post_handshake_auth(clientssl, 1);
1400 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1402 /* Check we got the number of tickets we were expecting */
1403 || !TEST_int_eq(idx, new_called))
1406 /* After a post-handshake authentication we should get new tickets issued */
1407 if (!post_handshake_verify(serverssl, clientssl)
1408 || !TEST_int_eq(idx * 2, new_called))
1411 SSL_shutdown(clientssl);
1412 SSL_shutdown(serverssl);
1413 SSL_free(serverssl);
1414 SSL_free(clientssl);
1415 serverssl = clientssl = NULL;
1417 /* Stop caching sessions - just count them */
1421 * Check we can resume with all the tickets we created. This time around the
1422 * resumptions should all be successful.
1424 if (!check_resumption(idx, sctx, cctx, 1))
1430 SSL_free(serverssl);
1431 SSL_free(clientssl);
1432 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1433 SSL_SESSION_free(sesscache[j]);
1434 sesscache[j] = NULL;
1442 static int test_stateless_tickets(int idx)
1444 return test_tickets(0, idx);
1447 static int test_stateful_tickets(int idx)
1449 return test_tickets(1, idx);
1452 static int test_psk_tickets(void)
1454 SSL_CTX *sctx = NULL, *cctx = NULL;
1455 SSL *serverssl = NULL, *clientssl = NULL;
1457 int sess_id_ctx = 1;
1459 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1460 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1462 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1463 (void *)&sess_id_ctx,
1464 sizeof(sess_id_ctx))))
1467 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1468 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1469 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1470 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1471 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1472 use_session_cb_cnt = 0;
1473 find_session_cb_cnt = 0;
1477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1480 clientpsk = serverpsk = create_a_psk(clientssl);
1481 if (!TEST_ptr(clientpsk))
1483 SSL_SESSION_up_ref(clientpsk);
1485 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1487 || !TEST_int_eq(1, find_session_cb_cnt)
1488 || !TEST_int_eq(1, use_session_cb_cnt)
1489 /* We should always get 1 ticket when using external PSK */
1490 || !TEST_int_eq(1, new_called))
1496 SSL_free(serverssl);
1497 SSL_free(clientssl);
1500 SSL_SESSION_free(clientpsk);
1501 SSL_SESSION_free(serverpsk);
1502 clientpsk = serverpsk = NULL;
1511 #define USE_DEFAULT 3
1513 #define CONNTYPE_CONNECTION_SUCCESS 0
1514 #define CONNTYPE_CONNECTION_FAIL 1
1515 #define CONNTYPE_NO_CONNECTION 2
1517 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1518 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1519 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1520 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1522 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1525 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1526 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1527 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1529 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1546 * Tests calls to SSL_set_bio() under various conditions.
1548 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1549 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1550 * then do more tests where we create a successful connection first using our
1551 * standard connection setup functions, and then call SSL_set_bio() with
1552 * various combinations of valid BIOs or NULL. We then repeat these tests
1553 * following a failed connection. In this last case we are looking to check that
1554 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1556 static int test_ssl_set_bio(int idx)
1558 SSL_CTX *sctx = NULL, *cctx = NULL;
1561 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1562 SSL *serverssl = NULL, *clientssl = NULL;
1563 int initrbio, initwbio, newrbio, newwbio, conntype;
1566 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1574 conntype = CONNTYPE_NO_CONNECTION;
1576 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1577 initrbio = initwbio = USE_DEFAULT;
1585 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1586 TLS1_VERSION, TLS_MAX_VERSION,
1587 &sctx, &cctx, cert, privkey)))
1590 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1592 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1593 * because we reduced the number of tests in the definition of
1594 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1595 * mismatched protocol versions we will force a connection failure.
1597 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1598 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1601 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1605 if (initrbio == USE_BIO_1
1606 || initwbio == USE_BIO_1
1607 || newrbio == USE_BIO_1
1608 || newwbio == USE_BIO_1) {
1609 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1613 if (initrbio == USE_BIO_2
1614 || initwbio == USE_BIO_2
1615 || newrbio == USE_BIO_2
1616 || newwbio == USE_BIO_2) {
1617 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1621 if (initrbio != USE_DEFAULT) {
1622 setupbio(&irbio, bio1, bio2, initrbio);
1623 setupbio(&iwbio, bio1, bio2, initwbio);
1624 SSL_set_bio(clientssl, irbio, iwbio);
1627 * We want to maintain our own refs to these BIO, so do an up ref for
1628 * each BIO that will have ownership transferred in the SSL_set_bio()
1633 if (iwbio != NULL && iwbio != irbio)
1637 if (conntype != CONNTYPE_NO_CONNECTION
1638 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1640 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1643 setupbio(&nrbio, bio1, bio2, newrbio);
1644 setupbio(&nwbio, bio1, bio2, newwbio);
1647 * We will (maybe) transfer ownership again so do more up refs.
1648 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1653 && (nwbio != iwbio || nrbio != nwbio))
1657 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1660 SSL_set_bio(clientssl, nrbio, nwbio);
1669 * This test is checking that the ref counting for SSL_set_bio is correct.
1670 * If we get here and we did too many frees then we will fail in the above
1671 * functions. If we haven't done enough then this will only be detected in
1672 * a crypto-mdebug build
1674 SSL_free(serverssl);
1675 SSL_free(clientssl);
1681 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1683 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1685 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1690 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1691 || !TEST_ptr(ssl = SSL_new(ctx))
1692 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1693 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1696 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1699 * If anything goes wrong here then we could leak memory, so this will
1700 * be caught in a crypto-mdebug build
1702 BIO_push(sslbio, membio1);
1704 /* Verify changing the rbio/wbio directly does not cause leaks */
1705 if (change_bio != NO_BIO_CHANGE) {
1706 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1708 if (change_bio == CHANGE_RBIO)
1709 SSL_set0_rbio(ssl, membio2);
1711 SSL_set0_wbio(ssl, membio2);
1730 static int test_ssl_bio_pop_next_bio(void)
1732 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1735 static int test_ssl_bio_pop_ssl_bio(void)
1737 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1740 static int test_ssl_bio_change_rbio(void)
1742 return execute_test_ssl_bio(0, CHANGE_RBIO);
1745 static int test_ssl_bio_change_wbio(void)
1747 return execute_test_ssl_bio(0, CHANGE_WBIO);
1750 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1752 /* The list of sig algs */
1754 /* The length of the list */
1756 /* A sigalgs list in string format */
1757 const char *liststr;
1758 /* Whether setting the list should succeed */
1760 /* Whether creating a connection with the list should succeed */
1764 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1765 # ifndef OPENSSL_NO_EC
1766 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1767 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1769 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1770 static const int invalidlist2[] = {NID_sha256, NID_undef};
1771 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1772 static const int invalidlist4[] = {NID_sha256};
1773 static const sigalgs_list testsigalgs[] = {
1774 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1775 # ifndef OPENSSL_NO_EC
1776 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1777 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1779 {NULL, 0, "RSA+SHA256", 1, 1},
1780 # ifndef OPENSSL_NO_EC
1781 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1782 {NULL, 0, "ECDSA+SHA512", 1, 0},
1784 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1785 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1786 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1787 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1788 {NULL, 0, "RSA", 0, 0},
1789 {NULL, 0, "SHA256", 0, 0},
1790 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1791 {NULL, 0, "Invalid", 0, 0}
1794 static int test_set_sigalgs(int idx)
1796 SSL_CTX *cctx = NULL, *sctx = NULL;
1797 SSL *clientssl = NULL, *serverssl = NULL;
1799 const sigalgs_list *curr;
1802 /* Should never happen */
1803 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1806 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1807 curr = testctx ? &testsigalgs[idx]
1808 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1810 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1811 TLS1_VERSION, TLS_MAX_VERSION,
1812 &sctx, &cctx, cert, privkey)))
1816 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1817 * for TLSv1.2 for now until we add a new API.
1819 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1824 if (curr->list != NULL)
1825 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1827 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1831 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1837 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1843 &clientssl, NULL, NULL)))
1849 if (curr->list != NULL)
1850 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1852 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1855 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1864 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1872 SSL_free(serverssl);
1873 SSL_free(clientssl);
1881 #ifndef OPENSSL_NO_TLS1_3
1882 static int psk_client_cb_cnt = 0;
1883 static int psk_server_cb_cnt = 0;
1885 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1886 size_t *idlen, SSL_SESSION **sess)
1888 switch (++use_session_cb_cnt) {
1890 /* The first call should always have a NULL md */
1896 /* The second call should always have an md */
1902 /* We should only be called a maximum of twice */
1906 if (clientpsk != NULL)
1907 SSL_SESSION_up_ref(clientpsk);
1910 *id = (const unsigned char *)pskid;
1911 *idlen = strlen(pskid);
1916 #ifndef OPENSSL_NO_PSK
1917 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1918 unsigned int max_id_len,
1920 unsigned int max_psk_len)
1922 unsigned int psklen = 0;
1924 psk_client_cb_cnt++;
1926 if (strlen(pskid) + 1 > max_id_len)
1929 /* We should only ever be called a maximum of twice per connection */
1930 if (psk_client_cb_cnt > 2)
1933 if (clientpsk == NULL)
1936 /* We'll reuse the PSK we set up for TLSv1.3 */
1937 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1939 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1940 strncpy(id, pskid, max_id_len);
1944 #endif /* OPENSSL_NO_PSK */
1946 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1947 size_t identity_len, SSL_SESSION **sess)
1949 find_session_cb_cnt++;
1951 /* We should only ever be called a maximum of twice per connection */
1952 if (find_session_cb_cnt > 2)
1955 if (serverpsk == NULL)
1958 /* Identity should match that set by the client */
1959 if (strlen(srvid) != identity_len
1960 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1961 /* No PSK found, continue but without a PSK */
1966 SSL_SESSION_up_ref(serverpsk);
1972 #ifndef OPENSSL_NO_PSK
1973 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1974 unsigned char *psk, unsigned int max_psk_len)
1976 unsigned int psklen = 0;
1978 psk_server_cb_cnt++;
1980 /* We should only ever be called a maximum of twice per connection */
1981 if (find_session_cb_cnt > 2)
1984 if (serverpsk == NULL)
1987 /* Identity should match that set by the client */
1988 if (strcmp(srvid, identity) != 0) {
1992 /* We'll reuse the PSK we set up for TLSv1.3 */
1993 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1995 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1999 #endif /* OPENSSL_NO_PSK */
2001 #define MSG1 "Hello"
2002 #define MSG2 "World."
2007 #define MSG7 "message."
2009 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2010 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2013 static SSL_SESSION *create_a_psk(SSL *ssl)
2015 const SSL_CIPHER *cipher = NULL;
2016 const unsigned char key[] = {
2017 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2018 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2019 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2020 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2021 0x2c, 0x2d, 0x2e, 0x2f
2023 SSL_SESSION *sess = NULL;
2025 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2026 sess = SSL_SESSION_new();
2028 || !TEST_ptr(cipher)
2029 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2031 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2033 SSL_SESSION_set_protocol_version(sess,
2035 SSL_SESSION_free(sess);
2042 * Helper method to setup objects for early data test. Caller frees objects on
2045 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2046 SSL **serverssl, SSL_SESSION **sess, int idx)
2049 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2050 TLS_client_method(),
2051 TLS1_VERSION, TLS_MAX_VERSION,
2052 sctx, cctx, cert, privkey)))
2055 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2059 /* When idx == 1 we repeat the tests with read_ahead set */
2060 SSL_CTX_set_read_ahead(*cctx, 1);
2061 SSL_CTX_set_read_ahead(*sctx, 1);
2062 } else if (idx == 2) {
2063 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2064 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2065 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2066 use_session_cb_cnt = 0;
2067 find_session_cb_cnt = 0;
2071 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2076 * For one of the run throughs (doesn't matter which one), we'll try sending
2077 * some SNI data in the initial ClientHello. This will be ignored (because
2078 * there is no SNI cb set up by the server), so it should not impact
2082 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2086 clientpsk = create_a_psk(*clientssl);
2087 if (!TEST_ptr(clientpsk)
2089 * We just choose an arbitrary value for max_early_data which
2090 * should be big enough for testing purposes.
2092 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2094 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2095 SSL_SESSION_free(clientpsk);
2099 serverpsk = clientpsk;
2102 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2103 SSL_SESSION_free(clientpsk);
2104 SSL_SESSION_free(serverpsk);
2105 clientpsk = serverpsk = NULL;
2116 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2120 *sess = SSL_get1_session(*clientssl);
2121 SSL_shutdown(*clientssl);
2122 SSL_shutdown(*serverssl);
2123 SSL_free(*serverssl);
2124 SSL_free(*clientssl);
2125 *serverssl = *clientssl = NULL;
2127 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2128 clientssl, NULL, NULL))
2129 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2135 static int test_early_data_read_write(int idx)
2137 SSL_CTX *cctx = NULL, *sctx = NULL;
2138 SSL *clientssl = NULL, *serverssl = NULL;
2140 SSL_SESSION *sess = NULL;
2141 unsigned char buf[20], data[1024];
2142 size_t readbytes, written, eoedlen, rawread, rawwritten;
2145 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2146 &serverssl, &sess, idx)))
2149 /* Write and read some early data */
2150 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2152 || !TEST_size_t_eq(written, strlen(MSG1))
2153 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2154 sizeof(buf), &readbytes),
2155 SSL_READ_EARLY_DATA_SUCCESS)
2156 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2157 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2158 SSL_EARLY_DATA_ACCEPTED))
2162 * Server should be able to write data, and client should be able to
2165 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2167 || !TEST_size_t_eq(written, strlen(MSG2))
2168 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2169 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2172 /* Even after reading normal data, client should be able write early data */
2173 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2175 || !TEST_size_t_eq(written, strlen(MSG3)))
2178 /* Server should still be able read early data after writing data */
2179 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2181 SSL_READ_EARLY_DATA_SUCCESS)
2182 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2185 /* Write more data from server and read it from client */
2186 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2188 || !TEST_size_t_eq(written, strlen(MSG4))
2189 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2190 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2194 * If client writes normal data it should mean writing early data is no
2197 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2198 || !TEST_size_t_eq(written, strlen(MSG5))
2199 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2200 SSL_EARLY_DATA_ACCEPTED))
2204 * At this point the client has written EndOfEarlyData, ClientFinished and
2205 * normal (fully protected) data. We are going to cause a delay between the
2206 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2207 * in the read BIO, and then just put back the EndOfEarlyData message.
2209 rbio = SSL_get_rbio(serverssl);
2210 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2211 || !TEST_size_t_lt(rawread, sizeof(data))
2212 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2215 /* Record length is in the 4th and 5th bytes of the record header */
2216 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2217 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2218 || !TEST_size_t_eq(rawwritten, eoedlen))
2221 /* Server should be told that there is no more early data */
2222 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2224 SSL_READ_EARLY_DATA_FINISH)
2225 || !TEST_size_t_eq(readbytes, 0))
2229 * Server has not finished init yet, so should still be able to write early
2232 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2234 || !TEST_size_t_eq(written, strlen(MSG6)))
2237 /* Push the ClientFinished and the normal data back into the server rbio */
2238 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2240 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2243 /* Server should be able to read normal data */
2244 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2245 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2248 /* Client and server should not be able to write/read early data now */
2249 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2253 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2255 SSL_READ_EARLY_DATA_ERROR))
2259 /* Client should be able to read the data sent by the server */
2260 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2261 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2265 * Make sure we process the two NewSessionTickets. These arrive
2266 * post-handshake. We attempt reads which we do not expect to return any
2269 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2270 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2274 /* Server should be able to write normal data */
2275 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2276 || !TEST_size_t_eq(written, strlen(MSG7))
2277 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2278 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2281 SSL_SESSION_free(sess);
2282 sess = SSL_get1_session(clientssl);
2283 use_session_cb_cnt = 0;
2284 find_session_cb_cnt = 0;
2286 SSL_shutdown(clientssl);
2287 SSL_shutdown(serverssl);
2288 SSL_free(serverssl);
2289 SSL_free(clientssl);
2290 serverssl = clientssl = NULL;
2291 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2292 &clientssl, NULL, NULL))
2293 || !TEST_true(SSL_set_session(clientssl, sess)))
2296 /* Write and read some early data */
2297 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2299 || !TEST_size_t_eq(written, strlen(MSG1))
2300 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2302 SSL_READ_EARLY_DATA_SUCCESS)
2303 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2306 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2307 || !TEST_int_gt(SSL_accept(serverssl), 0))
2310 /* Client and server should not be able to write/read early data now */
2311 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2315 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2317 SSL_READ_EARLY_DATA_ERROR))
2321 /* Client and server should be able to write/read normal data */
2322 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2323 || !TEST_size_t_eq(written, strlen(MSG5))
2324 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2325 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2331 SSL_SESSION_free(sess);
2332 SSL_SESSION_free(clientpsk);
2333 SSL_SESSION_free(serverpsk);
2334 clientpsk = serverpsk = NULL;
2335 SSL_free(serverssl);
2336 SSL_free(clientssl);
2342 static int allow_ed_cb_called = 0;
2344 static int allow_early_data_cb(SSL *s, void *arg)
2346 int *usecb = (int *)arg;
2348 allow_ed_cb_called++;
2357 * idx == 0: Standard early_data setup
2358 * idx == 1: early_data setup using read_ahead
2359 * usecb == 0: Don't use a custom early data callback
2360 * usecb == 1: Use a custom early data callback and reject the early data
2361 * usecb == 2: Use a custom early data callback and accept the early data
2362 * confopt == 0: Configure anti-replay directly
2363 * confopt == 1: Configure anti-replay using SSL_CONF
2365 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2367 SSL_CTX *cctx = NULL, *sctx = NULL;
2368 SSL *clientssl = NULL, *serverssl = NULL;
2370 SSL_SESSION *sess = NULL;
2371 size_t readbytes, written;
2372 unsigned char buf[20];
2374 allow_ed_cb_called = 0;
2376 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2377 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2378 &cctx, cert, privkey)))
2383 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2385 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2387 if (!TEST_ptr(confctx))
2389 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2390 | SSL_CONF_FLAG_SERVER);
2391 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2392 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2394 SSL_CONF_CTX_free(confctx);
2397 SSL_CONF_CTX_free(confctx);
2399 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2402 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2403 &serverssl, &sess, idx)))
2407 * The server is configured to accept early data. Create a connection to
2408 * "use up" the ticket
2410 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2411 || !TEST_true(SSL_session_reused(clientssl)))
2414 SSL_shutdown(clientssl);
2415 SSL_shutdown(serverssl);
2416 SSL_free(serverssl);
2417 SSL_free(clientssl);
2418 serverssl = clientssl = NULL;
2420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2421 &clientssl, NULL, NULL))
2422 || !TEST_true(SSL_set_session(clientssl, sess)))
2425 /* Write and read some early data */
2426 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2428 || !TEST_size_t_eq(written, strlen(MSG1)))
2432 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2434 SSL_READ_EARLY_DATA_FINISH)
2436 * The ticket was reused, so the we should have rejected the
2439 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2440 SSL_EARLY_DATA_REJECTED))
2443 /* In this case the callback decides to accept the early data */
2444 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2446 SSL_READ_EARLY_DATA_SUCCESS)
2447 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2449 * Server will have sent its flight so client can now send
2450 * end of early data and complete its half of the handshake
2452 || !TEST_int_gt(SSL_connect(clientssl), 0)
2453 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2455 SSL_READ_EARLY_DATA_FINISH)
2456 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2457 SSL_EARLY_DATA_ACCEPTED))
2461 /* Complete the connection */
2462 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2463 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2464 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2470 SSL_SESSION_free(sess);
2471 SSL_SESSION_free(clientpsk);
2472 SSL_SESSION_free(serverpsk);
2473 clientpsk = serverpsk = NULL;
2474 SSL_free(serverssl);
2475 SSL_free(clientssl);
2481 static int test_early_data_replay(int idx)
2483 int ret = 1, usecb, confopt;
2485 for (usecb = 0; usecb < 3; usecb++) {
2486 for (confopt = 0; confopt < 2; confopt++)
2487 ret &= test_early_data_replay_int(idx, usecb, confopt);
2494 * Helper function to test that a server attempting to read early data can
2495 * handle a connection from a client where the early data should be skipped.
2496 * testtype: 0 == No HRR
2497 * testtype: 1 == HRR
2498 * testtype: 2 == HRR, invalid early_data sent after HRR
2499 * testtype: 3 == recv_max_early_data set to 0
2501 static int early_data_skip_helper(int testtype, int idx)
2503 SSL_CTX *cctx = NULL, *sctx = NULL;
2504 SSL *clientssl = NULL, *serverssl = NULL;
2506 SSL_SESSION *sess = NULL;
2507 unsigned char buf[20];
2508 size_t readbytes, written;
2510 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2511 &serverssl, &sess, idx)))
2514 if (testtype == 1 || testtype == 2) {
2515 /* Force an HRR to occur */
2516 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2518 } else if (idx == 2) {
2520 * We force early_data rejection by ensuring the PSK identity is
2523 srvid = "Dummy Identity";
2526 * Deliberately corrupt the creation time. We take 20 seconds off the
2527 * time. It could be any value as long as it is not within tolerance.
2528 * This should mean the ticket is rejected.
2530 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2535 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2538 /* Write some early data */
2539 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2541 || !TEST_size_t_eq(written, strlen(MSG1)))
2544 /* Server should reject the early data */
2545 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2547 SSL_READ_EARLY_DATA_FINISH)
2548 || !TEST_size_t_eq(readbytes, 0)
2549 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2550 SSL_EARLY_DATA_REJECTED))
2560 * Finish off the handshake. We perform the same writes and reads as
2561 * further down but we expect them to fail due to the incomplete
2564 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2565 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2572 BIO *wbio = SSL_get_wbio(clientssl);
2573 /* A record that will appear as bad early_data */
2574 const unsigned char bad_early_data[] = {
2575 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2579 * We force the client to attempt a write. This will fail because
2580 * we're still in the handshake. It will cause the second
2581 * ClientHello to be sent.
2583 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2588 * Inject some early_data after the second ClientHello. This should
2589 * cause the server to fail
2591 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2592 sizeof(bad_early_data), &written)))
2599 * This client has sent more early_data than we are willing to skip
2600 * (case 3) or sent invalid early_data (case 2) so the connection should
2603 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2604 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2607 /* Connection has failed - nothing more to do */
2612 TEST_error("Invalid test type");
2617 * Should be able to send normal data despite rejection of early data. The
2618 * early_data should be skipped.
2620 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2621 || !TEST_size_t_eq(written, strlen(MSG2))
2622 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2623 SSL_EARLY_DATA_REJECTED)
2624 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2625 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2631 SSL_SESSION_free(clientpsk);
2632 SSL_SESSION_free(serverpsk);
2633 clientpsk = serverpsk = NULL;
2634 SSL_SESSION_free(sess);
2635 SSL_free(serverssl);
2636 SSL_free(clientssl);
2643 * Test that a server attempting to read early data can handle a connection
2644 * from a client where the early data is not acceptable.
2646 static int test_early_data_skip(int idx)
2648 return early_data_skip_helper(0, idx);
2652 * Test that a server attempting to read early data can handle a connection
2653 * from a client where an HRR occurs.
2655 static int test_early_data_skip_hrr(int idx)
2657 return early_data_skip_helper(1, idx);
2661 * Test that a server attempting to read early data can handle a connection
2662 * from a client where an HRR occurs and correctly fails if early_data is sent
2665 static int test_early_data_skip_hrr_fail(int idx)
2667 return early_data_skip_helper(2, idx);
2671 * Test that a server attempting to read early data will abort if it tries to
2672 * skip over too much.
2674 static int test_early_data_skip_abort(int idx)
2676 return early_data_skip_helper(3, idx);
2680 * Test that a server attempting to read early data can handle a connection
2681 * from a client that doesn't send any.
2683 static int test_early_data_not_sent(int idx)
2685 SSL_CTX *cctx = NULL, *sctx = NULL;
2686 SSL *clientssl = NULL, *serverssl = NULL;
2688 SSL_SESSION *sess = NULL;
2689 unsigned char buf[20];
2690 size_t readbytes, written;
2692 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2693 &serverssl, &sess, idx)))
2696 /* Write some data - should block due to handshake with server */
2697 SSL_set_connect_state(clientssl);
2698 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2701 /* Server should detect that early data has not been sent */
2702 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2704 SSL_READ_EARLY_DATA_FINISH)
2705 || !TEST_size_t_eq(readbytes, 0)
2706 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2707 SSL_EARLY_DATA_NOT_SENT)
2708 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2709 SSL_EARLY_DATA_NOT_SENT))
2712 /* Continue writing the message we started earlier */
2713 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2714 || !TEST_size_t_eq(written, strlen(MSG1))
2715 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2716 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2717 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2718 || !TEST_size_t_eq(written, strlen(MSG2)))
2721 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2722 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2728 SSL_SESSION_free(sess);
2729 SSL_SESSION_free(clientpsk);
2730 SSL_SESSION_free(serverpsk);
2731 clientpsk = serverpsk = NULL;
2732 SSL_free(serverssl);
2733 SSL_free(clientssl);
2739 static int hostname_cb(SSL *s, int *al, void *arg)
2741 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2743 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2744 return SSL_TLSEXT_ERR_OK;
2746 return SSL_TLSEXT_ERR_NOACK;
2749 static const char *servalpn;
2751 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2752 unsigned char *outlen, const unsigned char *in,
2753 unsigned int inlen, void *arg)
2755 unsigned int protlen = 0;
2756 const unsigned char *prot;
2758 for (prot = in; prot < in + inlen; prot += protlen) {
2760 if (in + inlen < prot + protlen)
2761 return SSL_TLSEXT_ERR_NOACK;
2763 if (protlen == strlen(servalpn)
2764 && memcmp(prot, servalpn, protlen) == 0) {
2767 return SSL_TLSEXT_ERR_OK;
2771 return SSL_TLSEXT_ERR_NOACK;
2774 /* Test that a PSK can be used to send early_data */
2775 static int test_early_data_psk(int idx)
2777 SSL_CTX *cctx = NULL, *sctx = NULL;
2778 SSL *clientssl = NULL, *serverssl = NULL;
2780 SSL_SESSION *sess = NULL;
2781 unsigned char alpnlist[] = {
2782 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2785 #define GOODALPNLEN 9
2786 #define BADALPNLEN 8
2787 #define GOODALPN (alpnlist)
2788 #define BADALPN (alpnlist + GOODALPNLEN)
2790 unsigned char buf[20];
2791 size_t readbytes, written;
2792 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2793 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2795 /* We always set this up with a final parameter of "2" for PSK */
2796 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2797 &serverssl, &sess, 2)))
2800 servalpn = "goodalpn";
2803 * Note: There is no test for inconsistent SNI with late client detection.
2804 * This is because servers do not acknowledge SNI even if they are using
2805 * it in a resumption handshake - so it is not actually possible for a
2806 * client to detect a problem.
2810 /* Set inconsistent SNI (early client detection) */
2811 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2812 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2813 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2818 /* Set inconsistent ALPN (early client detection) */
2819 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2820 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2821 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2823 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2830 * Set invalid protocol version. Technically this affects PSKs without
2831 * early_data too, but we test it here because it is similar to the
2832 * SNI/ALPN consistency tests.
2834 err = SSL_R_BAD_PSK;
2835 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2841 * Set inconsistent SNI (server detected). In this case the connection
2842 * will succeed but reject early_data.
2844 SSL_SESSION_free(serverpsk);
2845 serverpsk = SSL_SESSION_dup(clientpsk);
2846 if (!TEST_ptr(serverpsk)
2847 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2849 edstatus = SSL_EARLY_DATA_REJECTED;
2850 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2853 /* Set consistent SNI */
2854 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2855 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2856 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2863 * Set inconsistent ALPN (server detected). In this case the connection
2864 * will succeed but reject early_data.
2866 servalpn = "badalpn";
2867 edstatus = SSL_EARLY_DATA_REJECTED;
2868 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2872 * Set consistent ALPN.
2873 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2874 * accepts a list of protos (each one length prefixed).
2875 * SSL_set1_alpn_selected accepts a single protocol (not length
2878 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2880 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2884 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2888 /* Set inconsistent ALPN (late client detection) */
2889 SSL_SESSION_free(serverpsk);
2890 serverpsk = SSL_SESSION_dup(clientpsk);
2891 if (!TEST_ptr(serverpsk)
2892 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2895 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2898 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2901 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2902 edstatus = SSL_EARLY_DATA_ACCEPTED;
2903 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2904 /* SSL_connect() call should fail */
2909 TEST_error("Bad test index");
2913 SSL_set_connect_state(clientssl);
2915 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2917 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2918 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2921 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2925 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2926 &readbytes), readearlyres)
2927 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2928 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2929 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2930 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2937 SSL_SESSION_free(sess);
2938 SSL_SESSION_free(clientpsk);
2939 SSL_SESSION_free(serverpsk);
2940 clientpsk = serverpsk = NULL;
2941 SSL_free(serverssl);
2942 SSL_free(clientssl);
2949 * Test that a server that doesn't try to read early data can handle a
2950 * client sending some.
2952 static int test_early_data_not_expected(int idx)
2954 SSL_CTX *cctx = NULL, *sctx = NULL;
2955 SSL *clientssl = NULL, *serverssl = NULL;
2957 SSL_SESSION *sess = NULL;
2958 unsigned char buf[20];
2959 size_t readbytes, written;
2961 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2962 &serverssl, &sess, idx)))
2965 /* Write some early data */
2966 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2971 * Server should skip over early data and then block waiting for client to
2972 * continue handshake
2974 if (!TEST_int_le(SSL_accept(serverssl), 0)
2975 || !TEST_int_gt(SSL_connect(clientssl), 0)
2976 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2977 SSL_EARLY_DATA_REJECTED)
2978 || !TEST_int_gt(SSL_accept(serverssl), 0)
2979 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2980 SSL_EARLY_DATA_REJECTED))
2983 /* Send some normal data from client to server */
2984 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2985 || !TEST_size_t_eq(written, strlen(MSG2)))
2988 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2989 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2995 SSL_SESSION_free(sess);
2996 SSL_SESSION_free(clientpsk);
2997 SSL_SESSION_free(serverpsk);
2998 clientpsk = serverpsk = NULL;
2999 SSL_free(serverssl);
3000 SSL_free(clientssl);
3007 # ifndef OPENSSL_NO_TLS1_2
3009 * Test that a server attempting to read early data can handle a connection
3010 * from a TLSv1.2 client.
3012 static int test_early_data_tls1_2(int idx)
3014 SSL_CTX *cctx = NULL, *sctx = NULL;
3015 SSL *clientssl = NULL, *serverssl = NULL;
3017 unsigned char buf[20];
3018 size_t readbytes, written;
3020 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3021 &serverssl, NULL, idx)))
3024 /* Write some data - should block due to handshake with server */
3025 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3026 SSL_set_connect_state(clientssl);
3027 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3031 * Server should do TLSv1.2 handshake. First it will block waiting for more
3032 * messages from client after ServerDone. Then SSL_read_early_data should
3033 * finish and detect that early data has not been sent
3035 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3037 SSL_READ_EARLY_DATA_ERROR))
3041 * Continue writing the message we started earlier. Will still block waiting
3042 * for the CCS/Finished from server
3044 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3045 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3047 SSL_READ_EARLY_DATA_FINISH)
3048 || !TEST_size_t_eq(readbytes, 0)
3049 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3050 SSL_EARLY_DATA_NOT_SENT))
3053 /* Continue writing the message we started earlier */
3054 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3055 || !TEST_size_t_eq(written, strlen(MSG1))
3056 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3057 SSL_EARLY_DATA_NOT_SENT)
3058 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3059 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3060 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3061 || !TEST_size_t_eq(written, strlen(MSG2))
3062 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3063 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3069 SSL_SESSION_free(clientpsk);
3070 SSL_SESSION_free(serverpsk);
3071 clientpsk = serverpsk = NULL;
3072 SSL_free(serverssl);
3073 SSL_free(clientssl);
3079 # endif /* OPENSSL_NO_TLS1_2 */
3082 * Test configuring the TLSv1.3 ciphersuites
3084 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3085 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3086 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3087 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3088 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3089 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3090 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3091 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3092 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3093 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3095 static int test_set_ciphersuite(int idx)
3097 SSL_CTX *cctx = NULL, *sctx = NULL;
3098 SSL *clientssl = NULL, *serverssl = NULL;
3101 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3102 TLS1_VERSION, TLS_MAX_VERSION,
3103 &sctx, &cctx, cert, privkey))
3104 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3105 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3108 if (idx >=4 && idx <= 7) {
3109 /* SSL_CTX explicit cipher list */
3110 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3114 if (idx == 0 || idx == 4) {
3115 /* Default ciphersuite */
3116 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3117 "TLS_AES_128_GCM_SHA256")))
3119 } else if (idx == 1 || idx == 5) {
3120 /* Non default ciphersuite */
3121 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3122 "TLS_AES_128_CCM_SHA256")))
3126 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3127 &clientssl, NULL, NULL)))
3130 if (idx == 8 || idx == 9) {
3131 /* SSL explicit cipher list */
3132 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3136 if (idx == 2 || idx == 6 || idx == 8) {
3137 /* Default ciphersuite */
3138 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3139 "TLS_AES_128_GCM_SHA256")))
3141 } else if (idx == 3 || idx == 7 || idx == 9) {
3142 /* Non default ciphersuite */
3143 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3144 "TLS_AES_128_CCM_SHA256")))
3148 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3154 SSL_free(serverssl);
3155 SSL_free(clientssl);
3162 static int test_ciphersuite_change(void)
3164 SSL_CTX *cctx = NULL, *sctx = NULL;
3165 SSL *clientssl = NULL, *serverssl = NULL;
3166 SSL_SESSION *clntsess = NULL;
3168 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3170 /* Create a session based on SHA-256 */
3171 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3172 TLS1_VERSION, TLS_MAX_VERSION,
3173 &sctx, &cctx, cert, privkey))
3174 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3175 "TLS_AES_128_GCM_SHA256"))
3176 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3177 &clientssl, NULL, NULL))
3178 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3182 clntsess = SSL_get1_session(clientssl);
3183 /* Save for later */
3184 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3185 SSL_shutdown(clientssl);
3186 SSL_shutdown(serverssl);
3187 SSL_free(serverssl);
3188 SSL_free(clientssl);
3189 serverssl = clientssl = NULL;
3191 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3192 /* Check we can resume a session with a different SHA-256 ciphersuite */
3193 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3194 "TLS_CHACHA20_POLY1305_SHA256"))
3195 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3197 || !TEST_true(SSL_set_session(clientssl, clntsess))
3198 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3200 || !TEST_true(SSL_session_reused(clientssl)))
3203 SSL_SESSION_free(clntsess);
3204 clntsess = SSL_get1_session(clientssl);
3205 SSL_shutdown(clientssl);
3206 SSL_shutdown(serverssl);
3207 SSL_free(serverssl);
3208 SSL_free(clientssl);
3209 serverssl = clientssl = NULL;
3213 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3214 * succeeds but does not resume.
3216 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3217 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3219 || !TEST_true(SSL_set_session(clientssl, clntsess))
3220 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3222 || !TEST_false(SSL_session_reused(clientssl)))
3225 SSL_SESSION_free(clntsess);
3227 SSL_shutdown(clientssl);
3228 SSL_shutdown(serverssl);
3229 SSL_free(serverssl);
3230 SSL_free(clientssl);
3231 serverssl = clientssl = NULL;
3233 /* Create a session based on SHA384 */
3234 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3235 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3236 &clientssl, NULL, NULL))
3237 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3241 clntsess = SSL_get1_session(clientssl);
3242 SSL_shutdown(clientssl);
3243 SSL_shutdown(serverssl);
3244 SSL_free(serverssl);
3245 SSL_free(clientssl);
3246 serverssl = clientssl = NULL;
3248 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3249 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3250 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3251 "TLS_AES_256_GCM_SHA384"))
3252 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3254 || !TEST_true(SSL_set_session(clientssl, clntsess))
3256 * We use SSL_ERROR_WANT_READ below so that we can pause the
3257 * connection after the initial ClientHello has been sent to
3258 * enable us to make some session changes.
3260 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3261 SSL_ERROR_WANT_READ)))
3264 /* Trick the client into thinking this session is for a different digest */
3265 clntsess->cipher = aes_128_gcm_sha256;
3266 clntsess->cipher_id = clntsess->cipher->id;
3269 * Continue the previously started connection. Server has selected a SHA-384
3270 * ciphersuite, but client thinks the session is for SHA-256, so it should
3273 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3275 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3276 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3282 SSL_SESSION_free(clntsess);
3283 SSL_free(serverssl);
3284 SSL_free(clientssl);
3293 * Test 0 = Test new style callbacks
3294 * Test 1 = Test both new and old style callbacks
3295 * Test 2 = Test old style callbacks
3296 * Test 3 = Test old style callbacks with no certificate
3298 static int test_tls13_psk(int idx)
3300 SSL_CTX *sctx = NULL, *cctx = NULL;
3301 SSL *serverssl = NULL, *clientssl = NULL;
3302 const SSL_CIPHER *cipher = NULL;
3303 const unsigned char key[] = {
3304 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3305 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3306 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3307 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3311 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3312 TLS1_VERSION, TLS_MAX_VERSION,
3313 &sctx, &cctx, idx == 3 ? NULL : cert,
3314 idx == 3 ? NULL : privkey)))
3319 * We use a ciphersuite with SHA256 to ease testing old style PSK
3320 * callbacks which will always default to SHA256. This should not be
3321 * necessary if we have no cert/priv key. In that case the server should
3322 * prefer SHA256 automatically.
3324 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3325 "TLS_AES_128_GCM_SHA256")))
3330 * Test 0: New style callbacks only
3331 * Test 1: New and old style callbacks (only the new ones should be used)
3332 * Test 2: Old style callbacks only
3334 if (idx == 0 || idx == 1) {
3335 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3336 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3338 #ifndef OPENSSL_NO_PSK
3340 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3341 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3345 use_session_cb_cnt = 0;
3346 find_session_cb_cnt = 0;
3347 psk_client_cb_cnt = 0;
3348 psk_server_cb_cnt = 0;
3352 * Check we can create a connection if callback decides not to send a
3355 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3357 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3359 || !TEST_false(SSL_session_reused(clientssl))
3360 || !TEST_false(SSL_session_reused(serverssl)))
3363 if (idx == 0 || idx == 1) {
3364 if (!TEST_true(use_session_cb_cnt == 1)
3365 || !TEST_true(find_session_cb_cnt == 0)
3367 * If no old style callback then below should be 0
3370 || !TEST_true(psk_client_cb_cnt == idx)
3371 || !TEST_true(psk_server_cb_cnt == 0))
3374 if (!TEST_true(use_session_cb_cnt == 0)
3375 || !TEST_true(find_session_cb_cnt == 0)
3376 || !TEST_true(psk_client_cb_cnt == 1)
3377 || !TEST_true(psk_server_cb_cnt == 0))
3381 shutdown_ssl_connection(serverssl, clientssl);
3382 serverssl = clientssl = NULL;
3383 use_session_cb_cnt = psk_client_cb_cnt = 0;
3386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3390 /* Create the PSK */
3391 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3392 clientpsk = SSL_SESSION_new();
3393 if (!TEST_ptr(clientpsk)
3394 || !TEST_ptr(cipher)
3395 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3397 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3398 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3400 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3402 serverpsk = clientpsk;
3404 /* Check we can create a connection and the PSK is used */
3405 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3406 || !TEST_true(SSL_session_reused(clientssl))
3407 || !TEST_true(SSL_session_reused(serverssl)))
3410 if (idx == 0 || idx == 1) {
3411 if (!TEST_true(use_session_cb_cnt == 1)
3412 || !TEST_true(find_session_cb_cnt == 1)
3413 || !TEST_true(psk_client_cb_cnt == 0)
3414 || !TEST_true(psk_server_cb_cnt == 0))
3417 if (!TEST_true(use_session_cb_cnt == 0)
3418 || !TEST_true(find_session_cb_cnt == 0)
3419 || !TEST_true(psk_client_cb_cnt == 1)
3420 || !TEST_true(psk_server_cb_cnt == 1))
3424 shutdown_ssl_connection(serverssl, clientssl);
3425 serverssl = clientssl = NULL;
3426 use_session_cb_cnt = find_session_cb_cnt = 0;
3427 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3429 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3434 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3438 * Check we can create a connection, the PSK is used and the callbacks are
3441 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3442 || !TEST_true(SSL_session_reused(clientssl))
3443 || !TEST_true(SSL_session_reused(serverssl)))
3446 if (idx == 0 || idx == 1) {
3447 if (!TEST_true(use_session_cb_cnt == 2)
3448 || !TEST_true(find_session_cb_cnt == 2)
3449 || !TEST_true(psk_client_cb_cnt == 0)
3450 || !TEST_true(psk_server_cb_cnt == 0))
3453 if (!TEST_true(use_session_cb_cnt == 0)
3454 || !TEST_true(find_session_cb_cnt == 0)
3455 || !TEST_true(psk_client_cb_cnt == 2)
3456 || !TEST_true(psk_server_cb_cnt == 2))
3460 shutdown_ssl_connection(serverssl, clientssl);
3461 serverssl = clientssl = NULL;
3462 use_session_cb_cnt = find_session_cb_cnt = 0;
3463 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3467 * Check that if the server rejects the PSK we can still connect, but with
3470 srvid = "Dummy Identity";
3471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3475 || !TEST_false(SSL_session_reused(clientssl))
3476 || !TEST_false(SSL_session_reused(serverssl)))
3479 if (idx == 0 || idx == 1) {
3480 if (!TEST_true(use_session_cb_cnt == 1)
3481 || !TEST_true(find_session_cb_cnt == 1)
3482 || !TEST_true(psk_client_cb_cnt == 0)
3484 * If no old style callback then below should be 0
3487 || !TEST_true(psk_server_cb_cnt == idx))
3490 if (!TEST_true(use_session_cb_cnt == 0)
3491 || !TEST_true(find_session_cb_cnt == 0)
3492 || !TEST_true(psk_client_cb_cnt == 1)
3493 || !TEST_true(psk_server_cb_cnt == 1))
3497 shutdown_ssl_connection(serverssl, clientssl);
3498 serverssl = clientssl = NULL;
3503 SSL_SESSION_free(clientpsk);
3504 SSL_SESSION_free(serverpsk);
3505 clientpsk = serverpsk = NULL;
3506 SSL_free(serverssl);
3507 SSL_free(clientssl);
3513 static unsigned char cookie_magic_value[] = "cookie magic";
3515 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3516 unsigned int *cookie_len)
3519 * Not suitable as a real cookie generation function but good enough for
3522 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3523 *cookie_len = sizeof(cookie_magic_value) - 1;
3528 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3529 unsigned int cookie_len)
3531 if (cookie_len == sizeof(cookie_magic_value) - 1
3532 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3538 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3542 int res = generate_cookie_callback(ssl, cookie, &temp);
3547 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3550 return verify_cookie_callback(ssl, cookie, cookie_len);
3553 static int test_stateless(void)
3555 SSL_CTX *sctx = NULL, *cctx = NULL;
3556 SSL *serverssl = NULL, *clientssl = NULL;
3559 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3560 TLS1_VERSION, TLS_MAX_VERSION,
3561 &sctx, &cctx, cert, privkey)))
3564 /* The arrival of CCS messages can confuse the test */
3565 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3567 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3569 /* Send the first ClientHello */
3570 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3571 SSL_ERROR_WANT_READ))
3573 * This should fail with a -1 return because we have no callbacks
3576 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3579 /* Fatal error so abandon the connection from this client */
3580 SSL_free(clientssl);
3583 /* Set up the cookie generation and verification callbacks */
3584 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3585 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3588 * Create a new connection from the client (we can reuse the server SSL
3591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3593 /* Send the first ClientHello */
3594 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3595 SSL_ERROR_WANT_READ))
3596 /* This should fail because there is no cookie */
3597 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3600 /* Abandon the connection from this client */
3601 SSL_free(clientssl);
3605 * Now create a connection from a new client but with the same server SSL
3608 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3610 /* Send the first ClientHello */
3611 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3612 SSL_ERROR_WANT_READ))
3613 /* This should fail because there is no cookie */
3614 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3615 /* Send the second ClientHello */
3616 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3617 SSL_ERROR_WANT_READ))
3618 /* This should succeed because a cookie is now present */
3619 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3620 /* Complete the connection */
3621 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3625 shutdown_ssl_connection(serverssl, clientssl);
3626 serverssl = clientssl = NULL;
3630 SSL_free(serverssl);
3631 SSL_free(clientssl);
3637 #endif /* OPENSSL_NO_TLS1_3 */
3639 static int clntaddoldcb = 0;
3640 static int clntparseoldcb = 0;
3641 static int srvaddoldcb = 0;
3642 static int srvparseoldcb = 0;
3643 static int clntaddnewcb = 0;
3644 static int clntparsenewcb = 0;
3645 static int srvaddnewcb = 0;
3646 static int srvparsenewcb = 0;
3647 static int snicb = 0;
3649 #define TEST_EXT_TYPE1 0xff00
3651 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3652 size_t *outlen, int *al, void *add_arg)
3654 int *server = (int *)add_arg;
3655 unsigned char *data;
3657 if (SSL_is_server(s))
3662 if (*server != SSL_is_server(s)
3663 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3668 *outlen = sizeof(char);
3672 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3675 OPENSSL_free((unsigned char *)out);
3678 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3679 size_t inlen, int *al, void *parse_arg)
3681 int *server = (int *)parse_arg;
3683 if (SSL_is_server(s))
3688 if (*server != SSL_is_server(s)
3689 || inlen != sizeof(char)
3696 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3697 const unsigned char **out, size_t *outlen, X509 *x,
3698 size_t chainidx, int *al, void *add_arg)
3700 int *server = (int *)add_arg;
3701 unsigned char *data;
3703 if (SSL_is_server(s))
3708 if (*server != SSL_is_server(s)
3709 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3714 *outlen = sizeof(*data);
3718 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3719 const unsigned char *out, void *add_arg)
3721 OPENSSL_free((unsigned char *)out);
3724 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3725 const unsigned char *in, size_t inlen, X509 *x,
3726 size_t chainidx, int *al, void *parse_arg)
3728 int *server = (int *)parse_arg;
3730 if (SSL_is_server(s))
3735 if (*server != SSL_is_server(s)
3736 || inlen != sizeof(char) || *in != 1)
3742 static int sni_cb(SSL *s, int *al, void *arg)
3744 SSL_CTX *ctx = (SSL_CTX *)arg;
3746 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3747 *al = SSL_AD_INTERNAL_ERROR;
3748 return SSL_TLSEXT_ERR_ALERT_FATAL;
3751 return SSL_TLSEXT_ERR_OK;
3755 * Custom call back tests.
3756 * Test 0: Old style callbacks in TLSv1.2
3757 * Test 1: New style callbacks in TLSv1.2
3758 * Test 2: New style callbacks in TLSv1.2 with SNI
3759 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3760 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3762 static int test_custom_exts(int tst)
3764 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3765 SSL *clientssl = NULL, *serverssl = NULL;
3767 static int server = 1;
3768 static int client = 0;
3769 SSL_SESSION *sess = NULL;
3770 unsigned int context;
3772 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3773 /* Skip tests for TLSv1.2 and below in this case */
3778 /* Reset callback counters */
3779 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3780 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3783 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3784 TLS1_VERSION, TLS_MAX_VERSION,
3785 &sctx, &cctx, cert, privkey)))
3789 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3790 TLS1_VERSION, TLS_MAX_VERSION,
3791 &sctx2, NULL, cert, privkey)))
3796 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3797 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3799 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3803 context = SSL_EXT_CLIENT_HELLO
3804 | SSL_EXT_TLS1_2_SERVER_HELLO
3805 | SSL_EXT_TLS1_3_SERVER_HELLO
3806 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3807 | SSL_EXT_TLS1_3_CERTIFICATE
3808 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3810 context = SSL_EXT_CLIENT_HELLO
3811 | SSL_EXT_TLS1_2_SERVER_HELLO
3812 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3815 /* Create a client side custom extension */
3817 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3818 old_add_cb, old_free_cb,
3819 &client, old_parse_cb,
3823 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3824 new_add_cb, new_free_cb,
3825 &client, new_parse_cb, &client)))
3829 /* Should not be able to add duplicates */
3830 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3831 old_add_cb, old_free_cb,
3832 &client, old_parse_cb,
3834 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3835 context, new_add_cb,
3836 new_free_cb, &client,
3837 new_parse_cb, &client)))
3840 /* Create a server side custom extension */
3842 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3843 old_add_cb, old_free_cb,
3844 &server, old_parse_cb,
3848 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3849 new_add_cb, new_free_cb,
3850 &server, new_parse_cb, &server)))
3853 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3854 context, new_add_cb,
3855 new_free_cb, &server,
3856 new_parse_cb, &server)))
3860 /* Should not be able to add duplicates */
3861 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3862 old_add_cb, old_free_cb,
3863 &server, old_parse_cb,
3865 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3866 context, new_add_cb,
3867 new_free_cb, &server,
3868 new_parse_cb, &server)))
3873 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3874 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3879 &clientssl, NULL, NULL))
3880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3885 if (clntaddoldcb != 1
3886 || clntparseoldcb != 1
3888 || srvparseoldcb != 1)
3890 } else if (tst == 1 || tst == 2 || tst == 3) {
3891 if (clntaddnewcb != 1
3892 || clntparsenewcb != 1
3894 || srvparsenewcb != 1
3895 || (tst != 2 && snicb != 0)
3896 || (tst == 2 && snicb != 1))
3899 /* In this case there 2 NewSessionTicket messages created */
3900 if (clntaddnewcb != 1
3901 || clntparsenewcb != 5
3903 || srvparsenewcb != 1)
3907 sess = SSL_get1_session(clientssl);
3908 SSL_shutdown(clientssl);
3909 SSL_shutdown(serverssl);
3910 SSL_free(serverssl);
3911 SSL_free(clientssl);
3912 serverssl = clientssl = NULL;
3915 /* We don't bother with the resumption aspects for this test */
3920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3922 || !TEST_true(SSL_set_session(clientssl, sess))
3923 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3928 * For a resumed session we expect to add the ClientHello extension. For the
3929 * old style callbacks we ignore it on the server side because they set
3930 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3934 if (clntaddoldcb != 2
3935 || clntparseoldcb != 1
3937 || srvparseoldcb != 1)
3939 } else if (tst == 1 || tst == 2 || tst == 3) {
3940 if (clntaddnewcb != 2
3941 || clntparsenewcb != 2
3943 || srvparsenewcb != 2)
3947 * No Certificate message extensions in the resumption handshake,
3948 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3950 if (clntaddnewcb != 2
3951 || clntparsenewcb != 8
3953 || srvparsenewcb != 2)
3960 SSL_SESSION_free(sess);
3961 SSL_free(serverssl);
3962 SSL_free(clientssl);
3963 SSL_CTX_free(sctx2);
3970 * Test loading of serverinfo data in various formats. test_sslmessages actually
3971 * tests to make sure the extensions appear in the handshake
3973 static int test_serverinfo(int tst)
3975 unsigned int version;
3976 unsigned char *sibuf;
3978 int ret, expected, testresult = 0;
3981 ctx = SSL_CTX_new(TLS_method());
3985 if ((tst & 0x01) == 0x01)
3986 version = SSL_SERVERINFOV2;
3988 version = SSL_SERVERINFOV1;
3990 if ((tst & 0x02) == 0x02) {
3991 sibuf = serverinfov2;
3992 sibuflen = sizeof(serverinfov2);
3993 expected = (version == SSL_SERVERINFOV2);
3995 sibuf = serverinfov1;
3996 sibuflen = sizeof(serverinfov1);
3997 expected = (version == SSL_SERVERINFOV1);
4000 if ((tst & 0x04) == 0x04) {
4001 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4003 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4006 * The version variable is irrelevant in this case - it's what is in the
4007 * buffer that matters
4009 if ((tst & 0x02) == 0x02)
4015 if (!TEST_true(ret == expected))
4027 * Test that SSL_export_keying_material() produces expected results. There are
4028 * no test vectors so all we do is test that both sides of the communication
4029 * produce the same results for different protocol versions.
4031 static int test_export_key_mat(int tst)
4034 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4035 SSL *clientssl = NULL, *serverssl = NULL;
4036 const char label[] = "test label";
4037 const unsigned char context[] = "context";
4038 const unsigned char *emptycontext = NULL;
4039 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4040 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4041 const int protocols[] = {
4048 #ifdef OPENSSL_NO_TLS1
4052 #ifdef OPENSSL_NO_TLS1_1
4056 #ifdef OPENSSL_NO_TLS1_2
4060 #ifdef OPENSSL_NO_TLS1_3
4064 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4065 TLS1_VERSION, TLS_MAX_VERSION,
4066 &sctx, &cctx, cert, privkey)))
4069 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4070 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4071 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4073 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4075 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4079 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4080 sizeof(ckeymat1), label,
4081 sizeof(label) - 1, context,
4082 sizeof(context) - 1, 1), 1)
4083 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4084 sizeof(ckeymat2), label,
4088 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4089 sizeof(ckeymat3), label,
4092 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4093 sizeof(skeymat1), label,
4096 sizeof(context) -1, 1),
4098 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4099 sizeof(skeymat2), label,
4103 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4104 sizeof(skeymat3), label,
4108 * Check that both sides created the same key material with the
4111 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4114 * Check that both sides created the same key material with an
4117 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4120 * Check that both sides created the same key material without a
4123 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4125 /* Different contexts should produce different results */
4126 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4131 * Check that an empty context and no context produce different results in
4132 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4134 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4136 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4143 SSL_free(serverssl);
4144 SSL_free(clientssl);
4145 SSL_CTX_free(sctx2);
4152 #ifndef OPENSSL_NO_TLS1_3
4154 * Test that SSL_export_keying_material_early() produces expected
4155 * results. There are no test vectors so all we do is test that both
4156 * sides of the communication produce the same results for different
4157 * protocol versions.
4159 static int test_export_key_mat_early(int idx)
4161 static const char label[] = "test label";
4162 static const unsigned char context[] = "context";
4164 SSL_CTX *cctx = NULL, *sctx = NULL;
4165 SSL *clientssl = NULL, *serverssl = NULL;
4166 SSL_SESSION *sess = NULL;
4167 const unsigned char *emptycontext = NULL;
4168 unsigned char ckeymat1[80], ckeymat2[80];
4169 unsigned char skeymat1[80], skeymat2[80];
4170 unsigned char buf[1];
4171 size_t readbytes, written;
4173 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4177 /* Here writing 0 length early data is enough. */
4178 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4179 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4181 SSL_READ_EARLY_DATA_ERROR)
4182 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4183 SSL_EARLY_DATA_ACCEPTED))
4186 if (!TEST_int_eq(SSL_export_keying_material_early(
4187 clientssl, ckeymat1, sizeof(ckeymat1), label,
4188 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4189 || !TEST_int_eq(SSL_export_keying_material_early(
4190 clientssl, ckeymat2, sizeof(ckeymat2), label,
4191 sizeof(label) - 1, emptycontext, 0), 1)
4192 || !TEST_int_eq(SSL_export_keying_material_early(
4193 serverssl, skeymat1, sizeof(skeymat1), label,
4194 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4195 || !TEST_int_eq(SSL_export_keying_material_early(
4196 serverssl, skeymat2, sizeof(skeymat2), label,
4197 sizeof(label) - 1, emptycontext, 0), 1)
4199 * Check that both sides created the same key material with the
4202 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4205 * Check that both sides created the same key material with an
4208 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4210 /* Different contexts should produce different results */
4211 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4218 SSL_SESSION_free(sess);
4219 SSL_SESSION_free(clientpsk);
4220 SSL_SESSION_free(serverpsk);
4221 clientpsk = serverpsk = NULL;
4222 SSL_free(serverssl);
4223 SSL_free(clientssl);
4229 #endif /* OPENSSL_NO_TLS1_3 */
4231 static int test_ssl_clear(int idx)
4233 SSL_CTX *cctx = NULL, *sctx = NULL;
4234 SSL *clientssl = NULL, *serverssl = NULL;
4237 #ifdef OPENSSL_NO_TLS1_2
4242 /* Create an initial connection */
4243 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4244 TLS1_VERSION, TLS_MAX_VERSION,
4245 &sctx, &cctx, cert, privkey))
4247 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4249 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4250 &clientssl, NULL, NULL))
4251 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4255 SSL_shutdown(clientssl);
4256 SSL_shutdown(serverssl);
4257 SSL_free(serverssl);
4260 /* Clear clientssl - we're going to reuse the object */
4261 if (!TEST_true(SSL_clear(clientssl)))
4264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4266 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4268 || !TEST_true(SSL_session_reused(clientssl)))
4271 SSL_shutdown(clientssl);
4272 SSL_shutdown(serverssl);
4277 SSL_free(serverssl);
4278 SSL_free(clientssl);
4285 /* Parse CH and retrieve any MFL extension value if present */
4286 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4289 unsigned char *data;
4290 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4291 unsigned int MFL_code = 0, type = 0;
4293 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4296 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4297 /* Skip the record header */
4298 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4299 /* Skip the handshake message header */
4300 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4301 /* Skip client version and random */
4302 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4303 + SSL3_RANDOM_SIZE))
4304 /* Skip session id */
4305 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4307 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4308 /* Skip compression */
4309 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4310 /* Extensions len */
4311 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4314 /* Loop through all extensions */
4315 while (PACKET_remaining(&pkt2)) {
4316 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4317 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4320 if (type == TLSEXT_TYPE_max_fragment_length) {
4321 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4322 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4325 *mfl_codemfl_code = MFL_code;
4334 /* Maximum-Fragment-Length TLS extension mode to test */
4335 static const unsigned char max_fragment_len_test[] = {
4336 TLSEXT_max_fragment_length_512,
4337 TLSEXT_max_fragment_length_1024,
4338 TLSEXT_max_fragment_length_2048,
4339 TLSEXT_max_fragment_length_4096
4342 static int test_max_fragment_len_ext(int idx_tst)
4346 int testresult = 0, MFL_mode = 0;
4349 ctx = SSL_CTX_new(TLS_method());
4353 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4354 ctx, max_fragment_len_test[idx_tst])))
4361 rbio = BIO_new(BIO_s_mem());
4362 wbio = BIO_new(BIO_s_mem());
4363 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4369 SSL_set_bio(con, rbio, wbio);
4370 SSL_set_connect_state(con);
4372 if (!TEST_int_le(SSL_connect(con), 0)) {
4373 /* This shouldn't succeed because we don't have a server! */
4377 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4378 /* no MFL in client hello */
4380 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4392 #ifndef OPENSSL_NO_TLS1_3
4393 static int test_pha_key_update(void)
4395 SSL_CTX *cctx = NULL, *sctx = NULL;
4396 SSL *clientssl = NULL, *serverssl = NULL;
4399 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4400 TLS1_VERSION, TLS_MAX_VERSION,
4401 &sctx, &cctx, cert, privkey)))
4404 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4405 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4406 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4407 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4410 SSL_CTX_set_post_handshake_auth(cctx, 1);
4412 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4416 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4420 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4421 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4424 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4427 /* Start handshake on the server */
4428 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4431 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4432 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4436 SSL_shutdown(clientssl);
4437 SSL_shutdown(serverssl);
4442 SSL_free(serverssl);
4443 SSL_free(clientssl);
4450 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4452 static SRP_VBASE *vbase = NULL;
4454 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4456 int ret = SSL3_AL_FATAL;
4458 SRP_user_pwd *user = NULL;
4460 username = SSL_get_srp_username(s);
4461 if (username == NULL) {
4462 *ad = SSL_AD_INTERNAL_ERROR;
4466 user = SRP_VBASE_get1_by_user(vbase, username);
4468 *ad = SSL_AD_INTERNAL_ERROR;
4472 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4474 *ad = SSL_AD_INTERNAL_ERROR;
4481 SRP_user_pwd_free(user);
4485 static int create_new_vfile(char *userid, char *password, const char *filename)
4488 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4491 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4494 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4497 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4498 &row[DB_srpverifier], NULL, NULL);
4499 if (!TEST_ptr(gNid))
4503 * The only way to create an empty TXT_DB is to provide a BIO with no data
4506 db = TXT_DB_read(dummy, DB_NUMBER);
4510 out = BIO_new_file(filename, "w");
4514 row[DB_srpid] = OPENSSL_strdup(userid);
4515 row[DB_srptype] = OPENSSL_strdup("V");
4516 row[DB_srpgN] = OPENSSL_strdup(gNid);
4518 if (!TEST_ptr(row[DB_srpid])
4519 || !TEST_ptr(row[DB_srptype])
4520 || !TEST_ptr(row[DB_srpgN])
4521 || !TEST_true(TXT_DB_insert(db, row)))
4526 if (!TXT_DB_write(out, db))
4532 for (i = 0; i < DB_NUMBER; i++)
4533 OPENSSL_free(row[i]);
4543 static int create_new_vbase(char *userid, char *password)
4545 BIGNUM *verifier = NULL, *salt = NULL;
4546 const SRP_gN *lgN = NULL;
4547 SRP_user_pwd *user_pwd = NULL;
4550 lgN = SRP_get_default_gN(NULL);
4554 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4558 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4559 if (!TEST_ptr(user_pwd))
4562 user_pwd->N = lgN->N;
4563 user_pwd->g = lgN->g;
4564 user_pwd->id = OPENSSL_strdup(userid);
4565 if (!TEST_ptr(user_pwd->id))
4568 user_pwd->v = verifier;
4570 verifier = salt = NULL;
4572 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4578 SRP_user_pwd_free(user_pwd);
4588 * Test 0: Simple successful SRP connection, new vbase
4589 * Test 1: Connection failure due to bad password, new vbase
4590 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4591 * Test 3: Connection failure due to bad password, vbase loaded from existing
4593 * Test 4: Simple successful SRP connection, vbase loaded from new file
4594 * Test 5: Connection failure due to bad password, vbase loaded from new file
4596 static int test_srp(int tst)
4598 char *userid = "test", *password = "password", *tstsrpfile;
4599 SSL_CTX *cctx = NULL, *sctx = NULL;
4600 SSL *clientssl = NULL, *serverssl = NULL;
4601 int ret, testresult = 0;
4603 vbase = SRP_VBASE_new(NULL);
4604 if (!TEST_ptr(vbase))
4607 if (tst == 0 || tst == 1) {
4608 if (!TEST_true(create_new_vbase(userid, password)))
4611 if (tst == 4 || tst == 5) {
4612 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4614 tstsrpfile = tmpfilename;
4616 tstsrpfile = srpvfile;
4618 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4622 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4623 TLS1_VERSION, TLS_MAX_VERSION,
4624 &sctx, &cctx, cert, privkey)))
4627 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4628 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4629 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4630 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4631 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4635 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4638 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4642 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4646 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4648 if (!TEST_true(tst % 2 == 0))
4651 if (!TEST_true(tst % 2 == 1))
4658 SRP_VBASE_free(vbase);
4660 SSL_free(serverssl);
4661 SSL_free(clientssl);
4669 static int info_cb_failed = 0;
4670 static int info_cb_offset = 0;
4671 static int info_cb_this_state = -1;
4673 static struct info_cb_states_st {
4675 const char *statestr;
4676 } info_cb_states[][60] = {
4678 /* TLSv1.2 server followed by resumption */
4679 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4680 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4681 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4682 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4683 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4684 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4685 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4686 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4687 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4688 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4689 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4690 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4691 {SSL_CB_EXIT, NULL}, {0, NULL},
4693 /* TLSv1.2 client followed by resumption */
4694 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4695 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4696 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4697 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4698 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4699 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4700 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4701 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4702 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4703 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4704 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4705 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4707 /* TLSv1.3 server followed by resumption */
4708 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4709 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4710 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4711 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4712 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4713 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4714 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4715 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4716 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4717 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4718 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4719 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4720 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4721 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4722 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4723 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4724 {SSL_CB_EXIT, NULL}, {0, NULL},
4726 /* TLSv1.3 client followed by resumption */
4727 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4728 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4729 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4730 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4731 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4732 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4733 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4734 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4735 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4736 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4737 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4738 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4739 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4740 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4741 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4742 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4743 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4744 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4745 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4747 /* TLSv1.3 server, early_data */
4748 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4749 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4750 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4751 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4752 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4753 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4754 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4755 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4756 {SSL_CB_EXIT, NULL}, {0, NULL},
4758 /* TLSv1.3 client, early_data */
4759 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4760 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4761 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4762 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4763 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4764 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4765 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4766 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4767 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4768 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4774 static void sslapi_info_callback(const SSL *s, int where, int ret)
4776 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4778 /* We do not ever expect a connection to fail in this test */
4779 if (!TEST_false(ret == 0)) {
4785 * Do some sanity checks. We never expect these things to happen in this
4788 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4789 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4790 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4795 /* Now check we're in the right state */
4796 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4800 if ((where & SSL_CB_LOOP) != 0
4801 && !TEST_int_eq(strcmp(SSL_state_string(s),
4802 state[info_cb_this_state].statestr), 0)) {
4807 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4808 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4815 * Test the info callback gets called when we expect it to.
4817 * Test 0: TLSv1.2, server
4818 * Test 1: TLSv1.2, client
4819 * Test 2: TLSv1.3, server
4820 * Test 3: TLSv1.3, client
4821 * Test 4: TLSv1.3, server, early_data
4822 * Test 5: TLSv1.3, client, early_data
4824 static int test_info_callback(int tst)
4826 SSL_CTX *cctx = NULL, *sctx = NULL;
4827 SSL *clientssl = NULL, *serverssl = NULL;
4828 SSL_SESSION *clntsess = NULL;
4833 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
4834 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
4835 || !defined(OPENSSL_NO_DH))
4836 tlsvers = TLS1_2_VERSION;
4841 #ifndef OPENSSL_NO_TLS1_3
4842 tlsvers = TLS1_3_VERSION;
4850 info_cb_this_state = -1;
4851 info_cb_offset = tst;
4853 #ifndef OPENSSL_NO_TLS1_3
4855 SSL_SESSION *sess = NULL;
4856 size_t written, readbytes;
4857 unsigned char buf[80];
4859 /* early_data tests */
4860 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4861 &serverssl, &sess, 0)))
4864 /* We don't actually need this reference */
4865 SSL_SESSION_free(sess);
4867 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4868 sslapi_info_callback);
4870 /* Write and read some early data and then complete the connection */
4871 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4873 || !TEST_size_t_eq(written, strlen(MSG1))
4874 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4875 sizeof(buf), &readbytes),
4876 SSL_READ_EARLY_DATA_SUCCESS)
4877 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4878 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4879 SSL_EARLY_DATA_ACCEPTED)
4880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4882 || !TEST_false(info_cb_failed))
4890 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4891 TLS_client_method(),
4892 tlsvers, tlsvers, &sctx, &cctx, cert,
4897 * For even numbered tests we check the server callbacks. For odd numbers we
4900 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4901 sslapi_info_callback);
4903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4904 &clientssl, NULL, NULL))
4905 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4907 || !TEST_false(info_cb_failed))
4912 clntsess = SSL_get1_session(clientssl);
4913 SSL_shutdown(clientssl);
4914 SSL_shutdown(serverssl);
4915 SSL_free(serverssl);
4916 SSL_free(clientssl);
4917 serverssl = clientssl = NULL;
4919 /* Now do a resumption */
4920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4922 || !TEST_true(SSL_set_session(clientssl, clntsess))
4923 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4925 || !TEST_true(SSL_session_reused(clientssl))
4926 || !TEST_false(info_cb_failed))
4932 SSL_free(serverssl);
4933 SSL_free(clientssl);
4934 SSL_SESSION_free(clntsess);
4940 static int test_ssl_pending(int tst)
4942 SSL_CTX *cctx = NULL, *sctx = NULL;
4943 SSL *clientssl = NULL, *serverssl = NULL;
4945 char msg[] = "A test message";
4947 size_t written, readbytes;
4950 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4951 TLS_client_method(),
4952 TLS1_VERSION, TLS_MAX_VERSION,
4953 &sctx, &cctx, cert, privkey)))
4956 #ifndef OPENSSL_NO_DTLS
4957 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4958 DTLS_client_method(),
4959 DTLS1_VERSION, DTLS_MAX_VERSION,
4960 &sctx, &cctx, cert, privkey)))
4967 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4969 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4973 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4974 || !TEST_false(SSL_has_pending(clientssl))
4975 || !TEST_int_eq(SSL_pending(serverssl), 0)
4976 || !TEST_false(SSL_has_pending(serverssl))
4977 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4978 || !TEST_size_t_eq(written, sizeof(msg))
4979 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4980 || !TEST_size_t_eq(readbytes, sizeof(buf))
4981 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4982 || !TEST_true(SSL_has_pending(clientssl)))
4988 SSL_free(serverssl);
4989 SSL_free(clientssl);
4997 unsigned int maxprot;
4998 const char *clntciphers;
4999 const char *clnttls13ciphers;
5000 const char *srvrciphers;
5001 const char *srvrtls13ciphers;
5003 } shared_ciphers_data[] = {
5005 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5006 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5008 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5011 "AES128-SHA:AES256-SHA",
5013 "AES256-SHA:DHE-RSA-AES128-SHA",
5019 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5021 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5023 "AES128-SHA:AES256-SHA"
5027 "AES128-SHA:AES256-SHA",
5029 "AES128-SHA:DHE-RSA-AES128-SHA",
5035 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5038 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5039 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5042 "AES128-SHA:AES256-SHA",
5044 "AES256-SHA:AES128-SHA256",
5046 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5047 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5050 #ifndef OPENSSL_NO_TLS1_3
5054 "TLS_AES_256_GCM_SHA384",
5056 "TLS_AES_256_GCM_SHA384",
5057 "TLS_AES_256_GCM_SHA384"
5062 static int test_ssl_get_shared_ciphers(int tst)
5064 SSL_CTX *cctx = NULL, *sctx = NULL;
5065 SSL *clientssl = NULL, *serverssl = NULL;
5069 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5070 TLS_client_method(),
5072 shared_ciphers_data[tst].maxprot,
5073 &sctx, &cctx, cert, privkey)))
5076 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5077 shared_ciphers_data[tst].clntciphers))
5078 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5079 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5080 shared_ciphers_data[tst].clnttls13ciphers)))
5081 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5082 shared_ciphers_data[tst].srvrciphers))
5083 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5084 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5085 shared_ciphers_data[tst].srvrtls13ciphers))))
5089 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5091 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5095 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5096 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5097 TEST_info("Shared ciphers are: %s\n", buf);
5104 SSL_free(serverssl);
5105 SSL_free(clientssl);
5112 static const char *appdata = "Hello World";
5113 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5114 static int tick_key_renew = 0;
5115 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5117 static int gen_tick_cb(SSL *s, void *arg)
5119 gen_tick_called = 1;
5121 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5125 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5126 const unsigned char *keyname,
5127 size_t keyname_length,
5128 SSL_TICKET_STATUS status,
5134 dec_tick_called = 1;
5136 if (status == SSL_TICKET_EMPTY)
5137 return SSL_TICKET_RETURN_IGNORE_RENEW;
5139 if (!TEST_true(status == SSL_TICKET_SUCCESS
5140 || status == SSL_TICKET_SUCCESS_RENEW))
5141 return SSL_TICKET_RETURN_ABORT;
5143 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5145 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5146 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5147 return SSL_TICKET_RETURN_ABORT;
5149 if (tick_key_cb_called) {
5150 /* Don't change what the ticket key callback wanted to do */
5152 case SSL_TICKET_NO_DECRYPT:
5153 return SSL_TICKET_RETURN_IGNORE_RENEW;
5155 case SSL_TICKET_SUCCESS:
5156 return SSL_TICKET_RETURN_USE;
5158 case SSL_TICKET_SUCCESS_RENEW:
5159 return SSL_TICKET_RETURN_USE_RENEW;
5162 return SSL_TICKET_RETURN_ABORT;
5165 return tick_dec_ret;
5169 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5170 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5171 HMAC_CTX *hctx, int enc)
5173 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5174 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5176 tick_key_cb_called = 1;
5177 memset(iv, 0, AES_BLOCK_SIZE);
5178 memset(key_name, 0, 16);
5179 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5180 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5181 EVP_sha256(), NULL))
5184 return tick_key_renew ? 2 : 1;
5188 * Test the various ticket callbacks
5189 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5190 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5191 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5192 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5193 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5194 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5195 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5196 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5197 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5198 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5199 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5200 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5202 static int test_ticket_callbacks(int tst)
5204 SSL_CTX *cctx = NULL, *sctx = NULL;
5205 SSL *clientssl = NULL, *serverssl = NULL;
5206 SSL_SESSION *clntsess = NULL;
5209 #ifdef OPENSSL_NO_TLS1_2
5213 #ifdef OPENSSL_NO_TLS1_3
5218 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5220 /* Which tests the ticket key callback should request renewal for */
5221 if (tst == 10 || tst == 11)
5226 /* Which tests the decrypt ticket callback should request renewal for */
5230 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5235 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5240 tick_dec_ret = SSL_TICKET_RETURN_USE;
5245 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5249 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5252 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5253 TLS_client_method(),
5255 ((tst % 2) == 0) ? TLS1_2_VERSION
5257 &sctx, &cctx, cert, privkey)))
5261 * We only want sessions to resume from tickets - not the session cache. So
5262 * switch the cache off.
5264 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5267 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5272 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5275 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5277 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5282 * The decrypt ticket key callback in TLSv1.2 should be called even though
5283 * we have no ticket yet, because it gets called with a status of
5284 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5285 * actually send any ticket data). This does not happen in TLSv1.3 because
5286 * it is not valid to send empty ticket data in TLSv1.3.
5288 if (!TEST_int_eq(gen_tick_called, 1)
5289 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5292 gen_tick_called = dec_tick_called = 0;
5294 clntsess = SSL_get1_session(clientssl);
5295 SSL_shutdown(clientssl);
5296 SSL_shutdown(serverssl);
5297 SSL_free(serverssl);
5298 SSL_free(clientssl);
5299 serverssl = clientssl = NULL;
5301 /* Now do a resumption */
5302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5304 || !TEST_true(SSL_set_session(clientssl, clntsess))
5305 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5309 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5310 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5311 if (!TEST_false(SSL_session_reused(clientssl)))
5314 if (!TEST_true(SSL_session_reused(clientssl)))
5318 if (!TEST_int_eq(gen_tick_called,
5320 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5321 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5323 || !TEST_int_eq(dec_tick_called, 1))
5329 SSL_SESSION_free(clntsess);
5330 SSL_free(serverssl);
5331 SSL_free(clientssl);
5339 * Test bi-directional shutdown.
5341 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5342 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5343 * Test 3: TLSv1.3, pending NewSessionTicket messages
5344 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5345 * sends key update, client reads it
5346 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5347 * sends CertificateRequest, client reads and ignores it
5348 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
5351 static int test_shutdown(int tst)
5353 SSL_CTX *cctx = NULL, *sctx = NULL;
5354 SSL *clientssl = NULL, *serverssl = NULL;
5356 char msg[] = "A test message";
5358 size_t written, readbytes;
5361 #ifdef OPENSSL_NO_TLS1_2
5365 #ifdef OPENSSL_NO_TLS1_3
5370 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5371 TLS_client_method(),
5373 (tst <= 1) ? TLS1_2_VERSION
5375 &sctx, &cctx, cert, privkey)))
5379 SSL_CTX_set_post_handshake_auth(cctx, 1);
5381 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5386 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5388 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5389 || !TEST_false(SSL_SESSION_is_resumable(sess)))
5391 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5393 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5394 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
5398 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5403 * Reading on the server after the client has sent close_notify should
5404 * fail and provide SSL_ERROR_ZERO_RETURN
5406 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5407 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5408 SSL_ERROR_ZERO_RETURN)
5409 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5410 SSL_RECEIVED_SHUTDOWN)
5412 * Even though we're shutdown on receive we should still be
5415 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5418 && !TEST_true(SSL_key_update(serverssl,
5419 SSL_KEY_UPDATE_REQUESTED)))
5422 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5423 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5426 if ((tst == 4 || tst == 5)
5427 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5429 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
5431 if (tst == 4 || tst == 5) {
5432 /* Should still be able to read data from server */
5433 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5435 || !TEST_size_t_eq(readbytes, sizeof(msg))
5436 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5437 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5439 || !TEST_size_t_eq(readbytes, sizeof(msg))
5440 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5445 /* Writing on the client after sending close_notify shouldn't be possible */
5446 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5451 * For these tests the client has sent close_notify but it has not yet
5452 * been received by the server. The server has not sent close_notify
5455 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5457 * Writing on the server after sending close_notify shouldn't
5460 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5461 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5462 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5463 || !TEST_true(SSL_SESSION_is_resumable(sess))
5464 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5466 } else if (tst == 4 || tst == 5) {
5468 * In this test the client has sent close_notify and it has been
5469 * received by the server which has responded with a close_notify. The
5470 * client needs to read the close_notify sent by the server.
5472 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
5473 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5474 || !TEST_true(SSL_SESSION_is_resumable(sess)))
5480 * The client has sent close_notify and is expecting a close_notify
5481 * back, but instead there is application data first. The shutdown
5482 * should fail with a fatal error.
5484 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5485 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5492 SSL_free(serverssl);
5493 SSL_free(clientssl);
5500 static int cert_cb_cnt;
5502 static int cert_cb(SSL *s, void *arg)
5504 SSL_CTX *ctx = (SSL_CTX *)arg;
5506 if (cert_cb_cnt == 0) {
5507 /* Suspend the handshake */
5510 } else if (cert_cb_cnt == 1) {
5512 * Update the SSL_CTX, set the certificate and private key and then
5513 * continue the handshake normally.
5515 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
5518 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
5519 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
5521 || !TEST_true(SSL_check_private_key(s)))
5527 /* Abort the handshake */
5532 * Test the certificate callback.
5533 * Test 0: Callback fails
5534 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
5535 * Test 2: Success - SSL_set_SSL_CTX() in the callback
5537 static int test_cert_cb_int(int prot, int tst)
5539 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
5540 SSL *clientssl = NULL, *serverssl = NULL;
5541 int testresult = 0, ret;
5543 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5544 TLS_client_method(),
5547 &sctx, &cctx, NULL, NULL)))
5555 snictx = SSL_CTX_new(TLS_server_method());
5556 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
5558 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5562 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5563 if (!TEST_true(tst == 0 ? !ret : ret)
5564 || (tst > 0 && !TEST_int_eq(cert_cb_cnt, 2))) {
5571 SSL_free(serverssl);
5572 SSL_free(clientssl);
5575 SSL_CTX_free(snictx);
5580 static int test_cert_cb(int tst)
5584 #ifndef OPENSSL_NO_TLS1_2
5585 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
5587 #ifdef OPENSSL_NO_TLS1_3
5588 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
5594 int setup_tests(void)
5596 if (!TEST_ptr(cert = test_get_argument(0))
5597 || !TEST_ptr(privkey = test_get_argument(1))
5598 || !TEST_ptr(srpvfile = test_get_argument(2))
5599 || !TEST_ptr(tmpfilename = test_get_argument(3)))
5602 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
5603 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
5604 TEST_error("not supported in this build");
5607 int i, mcount, rcount, fcount;
5609 for (i = 0; i < 4; i++)
5610 test_export_key_mat(i);
5611 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
5612 test_printf_stdout("malloc %d realloc %d free %d\n",
5613 mcount, rcount, fcount);
5618 ADD_TEST(test_large_message_tls);
5619 ADD_TEST(test_large_message_tls_read_ahead);
5620 #ifndef OPENSSL_NO_DTLS
5621 ADD_TEST(test_large_message_dtls);
5623 #ifndef OPENSSL_NO_OCSP
5624 ADD_TEST(test_tlsext_status_type);
5626 ADD_TEST(test_session_with_only_int_cache);
5627 ADD_TEST(test_session_with_only_ext_cache);
5628 ADD_TEST(test_session_with_both_cache);
5629 #ifndef OPENSSL_NO_TLS1_3
5630 ADD_ALL_TESTS(test_stateful_tickets, 3);
5631 ADD_ALL_TESTS(test_stateless_tickets, 3);
5632 ADD_TEST(test_psk_tickets);
5634 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
5635 ADD_TEST(test_ssl_bio_pop_next_bio);
5636 ADD_TEST(test_ssl_bio_pop_ssl_bio);
5637 ADD_TEST(test_ssl_bio_change_rbio);
5638 ADD_TEST(test_ssl_bio_change_wbio);
5639 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
5640 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
5641 ADD_TEST(test_keylog);
5643 #ifndef OPENSSL_NO_TLS1_3
5644 ADD_TEST(test_keylog_no_master_key);
5646 #ifndef OPENSSL_NO_TLS1_2
5647 ADD_TEST(test_client_hello_cb);
5649 #ifndef OPENSSL_NO_TLS1_3
5650 ADD_ALL_TESTS(test_early_data_read_write, 3);
5652 * We don't do replay tests for external PSK. Replay protection isn't used
5655 ADD_ALL_TESTS(test_early_data_replay, 2);
5656 ADD_ALL_TESTS(test_early_data_skip, 3);
5657 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
5658 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
5659 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
5660 ADD_ALL_TESTS(test_early_data_not_sent, 3);
5661 ADD_ALL_TESTS(test_early_data_psk, 8);
5662 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5663 # ifndef OPENSSL_NO_TLS1_2
5664 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5667 #ifndef OPENSSL_NO_TLS1_3
5668 ADD_ALL_TESTS(test_set_ciphersuite, 10);
5669 ADD_TEST(test_ciphersuite_change);
5670 #ifdef OPENSSL_NO_PSK
5671 ADD_ALL_TESTS(test_tls13_psk, 1);
5673 ADD_ALL_TESTS(test_tls13_psk, 4);
5674 #endif /* OPENSSL_NO_PSK */
5675 ADD_ALL_TESTS(test_custom_exts, 5);
5676 ADD_TEST(test_stateless);
5677 ADD_TEST(test_pha_key_update);
5679 ADD_ALL_TESTS(test_custom_exts, 3);
5681 ADD_ALL_TESTS(test_serverinfo, 8);
5682 ADD_ALL_TESTS(test_export_key_mat, 4);
5683 #ifndef OPENSSL_NO_TLS1_3
5684 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5686 ADD_ALL_TESTS(test_ssl_clear, 2);
5687 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
5688 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5689 ADD_ALL_TESTS(test_srp, 6);
5691 ADD_ALL_TESTS(test_info_callback, 6);
5692 ADD_ALL_TESTS(test_ssl_pending, 2);
5693 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
5694 ADD_ALL_TESTS(test_ticket_callbacks, 12);
5695 ADD_ALL_TESTS(test_shutdown, 7);
5696 ADD_ALL_TESTS(test_cert_cb, 3);
5700 void cleanup_tests(void)
5702 bio_s_mempacket_test_free();