2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "internal/ktls.h"
26 #include "../ssl/ssl_locl.h"
28 #ifndef OPENSSL_NO_TLS1_3
30 static SSL_SESSION *clientpsk = NULL;
31 static SSL_SESSION *serverpsk = NULL;
32 static const char *pskid = "Identity";
33 static const char *srvid;
35 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
36 size_t *idlen, SSL_SESSION **sess);
37 static int find_session_cb(SSL *ssl, const unsigned char *identity,
38 size_t identity_len, SSL_SESSION **sess);
40 static int use_session_cb_cnt = 0;
41 static int find_session_cb_cnt = 0;
43 static SSL_SESSION *create_a_psk(SSL *ssl);
46 static char *cert = NULL;
47 static char *privkey = NULL;
48 static char *srpvfile = NULL;
49 static char *tmpfilename = NULL;
51 #define LOG_BUFFER_SIZE 2048
52 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
53 static size_t server_log_buffer_index = 0;
54 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
55 static size_t client_log_buffer_index = 0;
56 static int error_writing_log = 0;
58 #ifndef OPENSSL_NO_OCSP
59 static const unsigned char orespder[] = "Dummy OCSP Response";
60 static int ocsp_server_called = 0;
61 static int ocsp_client_called = 0;
63 static int cdummyarg = 1;
64 static X509 *ocspcert = NULL;
67 #define NUM_EXTRA_CERTS 40
68 #define CLIENT_VERSION_LEN 2
71 * This structure is used to validate that the correct number of log messages
72 * of various types are emitted when emitting secret logs.
74 struct sslapitest_log_counts {
75 unsigned int rsa_key_exchange_count;
76 unsigned int master_secret_count;
77 unsigned int client_early_secret_count;
78 unsigned int client_handshake_secret_count;
79 unsigned int server_handshake_secret_count;
80 unsigned int client_application_secret_count;
81 unsigned int server_application_secret_count;
82 unsigned int early_exporter_secret_count;
83 unsigned int exporter_secret_count;
87 static unsigned char serverinfov1[] = {
88 0xff, 0xff, /* Dummy extension type */
89 0x00, 0x01, /* Extension length is 1 byte */
90 0xff /* Dummy extension data */
93 static unsigned char serverinfov2[] = {
95 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
96 0xff, 0xff, /* Dummy extension type */
97 0x00, 0x01, /* Extension length is 1 byte */
98 0xff /* Dummy extension data */
101 static void client_keylog_callback(const SSL *ssl, const char *line)
103 int line_length = strlen(line);
105 /* If the log doesn't fit, error out. */
106 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
107 TEST_info("Client log too full");
108 error_writing_log = 1;
112 strcat(client_log_buffer, line);
113 client_log_buffer_index += line_length;
114 client_log_buffer[client_log_buffer_index++] = '\n';
117 static void server_keylog_callback(const SSL *ssl, const char *line)
119 int line_length = strlen(line);
121 /* If the log doesn't fit, error out. */
122 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
123 TEST_info("Server log too full");
124 error_writing_log = 1;
128 strcat(server_log_buffer, line);
129 server_log_buffer_index += line_length;
130 server_log_buffer[server_log_buffer_index++] = '\n';
133 static int compare_hex_encoded_buffer(const char *hex_encoded,
141 if (!TEST_size_t_eq(raw_length * 2, hex_length))
144 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
145 sprintf(hexed, "%02x", raw[i]);
146 if (!TEST_int_eq(hexed[0], hex_encoded[j])
147 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
154 static int test_keylog_output(char *buffer, const SSL *ssl,
155 const SSL_SESSION *session,
156 struct sslapitest_log_counts *expected)
159 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
160 size_t client_random_size = SSL3_RANDOM_SIZE;
161 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
162 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
163 unsigned int rsa_key_exchange_count = 0;
164 unsigned int master_secret_count = 0;
165 unsigned int client_early_secret_count = 0;
166 unsigned int client_handshake_secret_count = 0;
167 unsigned int server_handshake_secret_count = 0;
168 unsigned int client_application_secret_count = 0;
169 unsigned int server_application_secret_count = 0;
170 unsigned int early_exporter_secret_count = 0;
171 unsigned int exporter_secret_count = 0;
173 for (token = strtok(buffer, " \n"); token != NULL;
174 token = strtok(NULL, " \n")) {
175 if (strcmp(token, "RSA") == 0) {
177 * Premaster secret. Tokens should be: 16 ASCII bytes of
178 * hex-encoded encrypted secret, then the hex-encoded pre-master
181 if (!TEST_ptr(token = strtok(NULL, " \n")))
183 if (!TEST_size_t_eq(strlen(token), 16))
185 if (!TEST_ptr(token = strtok(NULL, " \n")))
188 * We can't sensibly check the log because the premaster secret is
189 * transient, and OpenSSL doesn't keep hold of it once the master
190 * secret is generated.
192 rsa_key_exchange_count++;
193 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
195 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
196 * client random, then the hex-encoded master secret.
198 client_random_size = SSL_get_client_random(ssl,
199 actual_client_random,
201 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
204 if (!TEST_ptr(token = strtok(NULL, " \n")))
206 if (!TEST_size_t_eq(strlen(token), 64))
208 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
209 actual_client_random,
210 client_random_size)))
213 if (!TEST_ptr(token = strtok(NULL, " \n")))
215 master_key_size = SSL_SESSION_get_master_key(session,
218 if (!TEST_size_t_ne(master_key_size, 0))
220 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
224 master_secret_count++;
225 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
226 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
227 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
228 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
229 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
230 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
231 || strcmp(token, "EXPORTER_SECRET") == 0) {
233 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
234 * client random, and then the hex-encoded secret. In this case,
235 * we treat all of these secrets identically and then just
236 * distinguish between them when counting what we saw.
238 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
239 client_early_secret_count++;
240 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
241 client_handshake_secret_count++;
242 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
243 server_handshake_secret_count++;
244 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
245 client_application_secret_count++;
246 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
247 server_application_secret_count++;
248 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
249 early_exporter_secret_count++;
250 else if (strcmp(token, "EXPORTER_SECRET") == 0)
251 exporter_secret_count++;
253 client_random_size = SSL_get_client_random(ssl,
254 actual_client_random,
256 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
259 if (!TEST_ptr(token = strtok(NULL, " \n")))
261 if (!TEST_size_t_eq(strlen(token), 64))
263 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
264 actual_client_random,
265 client_random_size)))
268 if (!TEST_ptr(token = strtok(NULL, " \n")))
272 * TODO(TLS1.3): test that application traffic secrets are what
275 TEST_info("Unexpected token %s\n", token);
280 /* Got what we expected? */
281 if (!TEST_size_t_eq(rsa_key_exchange_count,
282 expected->rsa_key_exchange_count)
283 || !TEST_size_t_eq(master_secret_count,
284 expected->master_secret_count)
285 || !TEST_size_t_eq(client_early_secret_count,
286 expected->client_early_secret_count)
287 || !TEST_size_t_eq(client_handshake_secret_count,
288 expected->client_handshake_secret_count)
289 || !TEST_size_t_eq(server_handshake_secret_count,
290 expected->server_handshake_secret_count)
291 || !TEST_size_t_eq(client_application_secret_count,
292 expected->client_application_secret_count)
293 || !TEST_size_t_eq(server_application_secret_count,
294 expected->server_application_secret_count)
295 || !TEST_size_t_eq(early_exporter_secret_count,
296 expected->early_exporter_secret_count)
297 || !TEST_size_t_eq(exporter_secret_count,
298 expected->exporter_secret_count))
303 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
304 static int test_keylog(void)
306 SSL_CTX *cctx = NULL, *sctx = NULL;
307 SSL *clientssl = NULL, *serverssl = NULL;
309 struct sslapitest_log_counts expected = {0};
311 /* Clean up logging space */
312 memset(client_log_buffer, 0, sizeof(client_log_buffer));
313 memset(server_log_buffer, 0, sizeof(server_log_buffer));
314 client_log_buffer_index = 0;
315 server_log_buffer_index = 0;
316 error_writing_log = 0;
318 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
321 &sctx, &cctx, cert, privkey)))
324 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
325 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
326 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
328 /* We also want to ensure that we use RSA-based key exchange. */
329 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
332 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
333 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
335 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
336 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
337 == client_keylog_callback))
339 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
340 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
341 == server_keylog_callback))
344 /* Now do a handshake and check that the logs have been written to. */
345 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
346 &clientssl, NULL, NULL))
347 || !TEST_true(create_ssl_connection(serverssl, clientssl,
349 || !TEST_false(error_writing_log)
350 || !TEST_int_gt(client_log_buffer_index, 0)
351 || !TEST_int_gt(server_log_buffer_index, 0))
355 * Now we want to test that our output data was vaguely sensible. We
356 * do that by using strtok and confirming that we have more or less the
357 * data we expect. For both client and server, we expect to see one master
358 * secret. The client should also see a RSA key exchange.
360 expected.rsa_key_exchange_count = 1;
361 expected.master_secret_count = 1;
362 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
363 SSL_get_session(clientssl), &expected)))
366 expected.rsa_key_exchange_count = 0;
367 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
368 SSL_get_session(serverssl), &expected)))
383 #ifndef OPENSSL_NO_TLS1_3
384 static int test_keylog_no_master_key(void)
386 SSL_CTX *cctx = NULL, *sctx = NULL;
387 SSL *clientssl = NULL, *serverssl = NULL;
388 SSL_SESSION *sess = NULL;
390 struct sslapitest_log_counts expected = {0};
391 unsigned char buf[1];
392 size_t readbytes, written;
394 /* Clean up logging space */
395 memset(client_log_buffer, 0, sizeof(client_log_buffer));
396 memset(server_log_buffer, 0, sizeof(server_log_buffer));
397 client_log_buffer_index = 0;
398 server_log_buffer_index = 0;
399 error_writing_log = 0;
401 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
403 &sctx, &cctx, cert, privkey))
404 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
405 SSL3_RT_MAX_PLAIN_LENGTH)))
408 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
409 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
412 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
413 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
414 == client_keylog_callback))
417 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
418 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
419 == server_keylog_callback))
422 /* Now do a handshake and check that the logs have been written to. */
423 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
424 &clientssl, NULL, NULL))
425 || !TEST_true(create_ssl_connection(serverssl, clientssl,
427 || !TEST_false(error_writing_log))
431 * Now we want to test that our output data was vaguely sensible. For this
432 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
433 * TLSv1.3, but we do expect both client and server to emit keys.
435 expected.client_handshake_secret_count = 1;
436 expected.server_handshake_secret_count = 1;
437 expected.client_application_secret_count = 1;
438 expected.server_application_secret_count = 1;
439 expected.exporter_secret_count = 1;
440 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
441 SSL_get_session(clientssl), &expected))
442 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
443 SSL_get_session(serverssl),
447 /* Terminate old session and resume with early data. */
448 sess = SSL_get1_session(clientssl);
449 SSL_shutdown(clientssl);
450 SSL_shutdown(serverssl);
453 serverssl = clientssl = NULL;
456 memset(client_log_buffer, 0, sizeof(client_log_buffer));
457 memset(server_log_buffer, 0, sizeof(server_log_buffer));
458 client_log_buffer_index = 0;
459 server_log_buffer_index = 0;
461 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
462 &clientssl, NULL, NULL))
463 || !TEST_true(SSL_set_session(clientssl, sess))
464 /* Here writing 0 length early data is enough. */
465 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
466 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
468 SSL_READ_EARLY_DATA_ERROR)
469 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
470 SSL_EARLY_DATA_ACCEPTED)
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 || !TEST_true(SSL_session_reused(clientssl)))
476 /* In addition to the previous entries, expect early secrets. */
477 expected.client_early_secret_count = 1;
478 expected.early_exporter_secret_count = 1;
479 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
480 SSL_get_session(clientssl), &expected))
481 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
482 SSL_get_session(serverssl),
489 SSL_SESSION_free(sess);
499 #ifndef OPENSSL_NO_TLS1_2
500 static int full_client_hello_callback(SSL *s, int *al, void *arg)
503 const unsigned char *p;
505 /* We only configure two ciphers, but the SCSV is added automatically. */
507 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
509 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
512 const int expected_extensions[] = {
513 #ifndef OPENSSL_NO_EC
519 /* Make sure we can defer processing and get called back. */
521 return SSL_CLIENT_HELLO_RETRY;
523 len = SSL_client_hello_get0_ciphers(s, &p);
524 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
526 SSL_client_hello_get0_compression_methods(s, &p), 1)
527 || !TEST_int_eq(*p, 0))
528 return SSL_CLIENT_HELLO_ERROR;
529 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
530 return SSL_CLIENT_HELLO_ERROR;
531 if (len != OSSL_NELEM(expected_extensions) ||
532 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
533 printf("ClientHello callback expected extensions mismatch\n");
535 return SSL_CLIENT_HELLO_ERROR;
538 return SSL_CLIENT_HELLO_SUCCESS;
541 static int test_client_hello_cb(void)
543 SSL_CTX *cctx = NULL, *sctx = NULL;
544 SSL *clientssl = NULL, *serverssl = NULL;
545 int testctr = 0, testresult = 0;
547 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
549 &sctx, &cctx, cert, privkey)))
551 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
553 /* The gimpy cipher list we configure can't do TLS 1.3. */
554 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
556 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
557 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
558 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
559 &clientssl, NULL, NULL))
560 || !TEST_false(create_ssl_connection(serverssl, clientssl,
561 SSL_ERROR_WANT_CLIENT_HELLO_CB))
563 * Passing a -1 literal is a hack since
564 * the real value was lost.
566 || !TEST_int_eq(SSL_get_error(serverssl, -1),
567 SSL_ERROR_WANT_CLIENT_HELLO_CB)
568 || !TEST_true(create_ssl_connection(serverssl, clientssl,
584 static int execute_test_large_message(const SSL_METHOD *smeth,
585 const SSL_METHOD *cmeth,
586 int min_version, int max_version,
589 SSL_CTX *cctx = NULL, *sctx = NULL;
590 SSL *clientssl = NULL, *serverssl = NULL;
594 X509 *chaincert = NULL;
597 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
599 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
602 if (!TEST_ptr(chaincert))
605 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
606 &sctx, &cctx, cert, privkey)))
611 * Test that read_ahead works correctly when dealing with large
614 SSL_CTX_set_read_ahead(cctx, 1);
618 * We assume the supplied certificate is big enough so that if we add
619 * NUM_EXTRA_CERTS it will make the overall message large enough. The
620 * default buffer size is requested to be 16k, but due to the way BUF_MEM
621 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
622 * test we need to have a message larger than that.
624 certlen = i2d_X509(chaincert, NULL);
625 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
626 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
627 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
628 if (!X509_up_ref(chaincert))
630 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
631 X509_free(chaincert);
636 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
638 || !TEST_true(create_ssl_connection(serverssl, clientssl,
643 * Calling SSL_clear() first is not required but this tests that SSL_clear()
644 * doesn't leak (when using enable-crypto-mdebug).
646 if (!TEST_true(SSL_clear(serverssl)))
651 X509_free(chaincert);
660 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
661 && !defined(OPENSSL_NO_SOCK)
663 /* sock must be connected */
664 static int ktls_chk_platform(int sock)
666 if (!ktls_enable(sock))
671 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
673 static char count = 1;
674 unsigned char cbuf[16000] = {0};
675 unsigned char sbuf[16000];
677 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
678 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
679 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
680 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
681 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
682 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
685 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
686 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
687 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
688 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
689 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
690 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
692 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
695 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
696 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
701 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
704 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
705 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
710 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
711 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
712 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
713 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
714 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
715 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
717 /* verify the payload */
718 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
721 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
722 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
723 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
724 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
727 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
728 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
732 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
733 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
734 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
737 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
738 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
742 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
743 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
751 static int execute_test_ktls(int cis_ktls_tx, int sis_ktls_tx)
753 SSL_CTX *cctx = NULL, *sctx = NULL;
754 SSL *clientssl = NULL, *serverssl = NULL;
758 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
761 /* Skip this test if the platform does not support ktls */
762 if (!ktls_chk_platform(cfd))
765 /* Create a session based on SHA-256 */
766 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
768 TLS1_2_VERSION, TLS1_2_VERSION,
769 &sctx, &cctx, cert, privkey))
770 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
771 "AES128-GCM-SHA256"))
772 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
773 &clientssl, sfd, cfd)))
777 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
782 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
786 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
791 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
794 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
799 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
802 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
806 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
812 SSL_shutdown(clientssl);
816 SSL_shutdown(serverssl);
821 serverssl = clientssl = NULL;
825 static int test_ktls_client_server(void)
827 return execute_test_ktls(1, 1);
830 static int test_ktls_no_client_server(void)
832 return execute_test_ktls(0, 1);
835 static int test_ktls_client_no_server(void)
837 return execute_test_ktls(1, 0);
840 static int test_ktls_no_client_no_server(void)
842 return execute_test_ktls(0, 0);
847 static int test_large_message_tls(void)
849 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
853 static int test_large_message_tls_read_ahead(void)
855 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
859 #ifndef OPENSSL_NO_DTLS
860 static int test_large_message_dtls(void)
863 * read_ahead is not relevant to DTLS because DTLS always acts as if
866 return execute_test_large_message(DTLS_server_method(),
867 DTLS_client_method(),
868 DTLS1_VERSION, 0, 0);
872 #ifndef OPENSSL_NO_OCSP
873 static int ocsp_server_cb(SSL *s, void *arg)
875 int *argi = (int *)arg;
876 unsigned char *copy = NULL;
877 STACK_OF(OCSP_RESPID) *ids = NULL;
878 OCSP_RESPID *id = NULL;
881 /* In this test we are expecting exactly 1 OCSP_RESPID */
882 SSL_get_tlsext_status_ids(s, &ids);
883 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
884 return SSL_TLSEXT_ERR_ALERT_FATAL;
886 id = sk_OCSP_RESPID_value(ids, 0);
887 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
888 return SSL_TLSEXT_ERR_ALERT_FATAL;
889 } else if (*argi != 1) {
890 return SSL_TLSEXT_ERR_ALERT_FATAL;
893 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
894 return SSL_TLSEXT_ERR_ALERT_FATAL;
896 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
897 ocsp_server_called = 1;
898 return SSL_TLSEXT_ERR_OK;
901 static int ocsp_client_cb(SSL *s, void *arg)
903 int *argi = (int *)arg;
904 const unsigned char *respderin;
907 if (*argi != 1 && *argi != 2)
910 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
911 if (!TEST_mem_eq(orespder, len, respderin, len))
914 ocsp_client_called = 1;
918 static int test_tlsext_status_type(void)
920 SSL_CTX *cctx = NULL, *sctx = NULL;
921 SSL *clientssl = NULL, *serverssl = NULL;
923 STACK_OF(OCSP_RESPID) *ids = NULL;
924 OCSP_RESPID *id = NULL;
927 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
929 &sctx, &cctx, cert, privkey))
932 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
935 /* First just do various checks getting and setting tlsext_status_type */
937 clientssl = SSL_new(cctx);
938 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
939 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
940 TLSEXT_STATUSTYPE_ocsp))
941 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
942 TLSEXT_STATUSTYPE_ocsp))
948 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
949 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
952 clientssl = SSL_new(cctx);
953 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
959 * Now actually do a handshake and check OCSP information is exchanged and
960 * the callbacks get called
962 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
963 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
964 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
965 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
967 &clientssl, NULL, NULL))
968 || !TEST_true(create_ssl_connection(serverssl, clientssl,
970 || !TEST_true(ocsp_client_called)
971 || !TEST_true(ocsp_server_called))
978 /* Try again but this time force the server side callback to fail */
979 ocsp_client_called = 0;
980 ocsp_server_called = 0;
982 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
983 &clientssl, NULL, NULL))
984 /* This should fail because the callback will fail */
985 || !TEST_false(create_ssl_connection(serverssl, clientssl,
987 || !TEST_false(ocsp_client_called)
988 || !TEST_false(ocsp_server_called))
996 * This time we'll get the client to send an OCSP_RESPID that it will
999 ocsp_client_called = 0;
1000 ocsp_server_called = 0;
1002 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1003 &clientssl, NULL, NULL)))
1007 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1008 * specific one. We'll use the server cert.
1010 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1011 || !TEST_ptr(id = OCSP_RESPID_new())
1012 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1013 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1015 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1016 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1019 SSL_set_tlsext_status_ids(clientssl, ids);
1020 /* Control has been transferred */
1026 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1028 || !TEST_true(ocsp_client_called)
1029 || !TEST_true(ocsp_server_called))
1035 SSL_free(serverssl);
1036 SSL_free(clientssl);
1039 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1040 OCSP_RESPID_free(id);
1042 X509_free(ocspcert);
1049 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1050 static int new_called, remove_called, get_called;
1052 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1056 * sess has been up-refed for us, but we don't actually need it so free it
1059 SSL_SESSION_free(sess);
1063 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1068 static SSL_SESSION *get_sess_val = NULL;
1070 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1075 return get_sess_val;
1078 static int execute_test_session(int maxprot, int use_int_cache,
1081 SSL_CTX *sctx = NULL, *cctx = NULL;
1082 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1083 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1084 # ifndef OPENSSL_NO_TLS1_1
1085 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1087 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1088 int testresult = 0, numnewsesstick = 1;
1090 new_called = remove_called = 0;
1092 /* TLSv1.3 sends 2 NewSessionTickets */
1093 if (maxprot == TLS1_3_VERSION)
1096 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1098 &sctx, &cctx, cert, privkey)))
1102 * Only allow the max protocol version so we can force a connection failure
1105 SSL_CTX_set_min_proto_version(cctx, maxprot);
1106 SSL_CTX_set_max_proto_version(cctx, maxprot);
1108 /* Set up session cache */
1109 if (use_ext_cache) {
1110 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1111 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1113 if (use_int_cache) {
1114 /* Also covers instance where both are set */
1115 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1117 SSL_CTX_set_session_cache_mode(cctx,
1118 SSL_SESS_CACHE_CLIENT
1119 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1122 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1124 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1126 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1129 /* Should fail because it should already be in the cache */
1130 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1133 && (!TEST_int_eq(new_called, numnewsesstick)
1135 || !TEST_int_eq(remove_called, 0)))
1138 new_called = remove_called = 0;
1139 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1140 &clientssl2, NULL, NULL))
1141 || !TEST_true(SSL_set_session(clientssl2, sess1))
1142 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1144 || !TEST_true(SSL_session_reused(clientssl2)))
1147 if (maxprot == TLS1_3_VERSION) {
1149 * In TLSv1.3 we should have created a new session even though we have
1150 * resumed. Since we attempted a resume we should also have removed the
1151 * old ticket from the cache so that we try to only use tickets once.
1154 && (!TEST_int_eq(new_called, 1)
1155 || !TEST_int_eq(remove_called, 1)))
1159 * In TLSv1.2 we expect to have resumed so no sessions added or
1163 && (!TEST_int_eq(new_called, 0)
1164 || !TEST_int_eq(remove_called, 0)))
1168 SSL_SESSION_free(sess1);
1169 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1171 shutdown_ssl_connection(serverssl2, clientssl2);
1172 serverssl2 = clientssl2 = NULL;
1174 new_called = remove_called = 0;
1175 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1176 &clientssl2, NULL, NULL))
1177 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1181 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1185 && (!TEST_int_eq(new_called, numnewsesstick)
1186 || !TEST_int_eq(remove_called, 0)))
1189 new_called = remove_called = 0;
1191 * This should clear sess2 from the cache because it is a "bad" session.
1192 * See SSL_set_session() documentation.
1194 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1197 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1199 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1202 if (use_int_cache) {
1203 /* Should succeeded because it should not already be in the cache */
1204 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1205 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1209 new_called = remove_called = 0;
1210 /* This shouldn't be in the cache so should fail */
1211 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1215 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1218 # if !defined(OPENSSL_NO_TLS1_1)
1219 new_called = remove_called = 0;
1220 /* Force a connection failure */
1221 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1222 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1223 &clientssl3, NULL, NULL))
1224 || !TEST_true(SSL_set_session(clientssl3, sess1))
1225 /* This should fail because of the mismatched protocol versions */
1226 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1230 /* We should have automatically removed the session from the cache */
1232 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1235 /* Should succeed because it should not already be in the cache */
1236 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1240 /* Now do some tests for server side caching */
1241 if (use_ext_cache) {
1242 SSL_CTX_sess_set_new_cb(cctx, NULL);
1243 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1244 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1245 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1246 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1247 get_sess_val = NULL;
1250 SSL_CTX_set_session_cache_mode(cctx, 0);
1251 /* Internal caching is the default on the server side */
1253 SSL_CTX_set_session_cache_mode(sctx,
1254 SSL_SESS_CACHE_SERVER
1255 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1257 SSL_free(serverssl1);
1258 SSL_free(clientssl1);
1259 serverssl1 = clientssl1 = NULL;
1260 SSL_free(serverssl2);
1261 SSL_free(clientssl2);
1262 serverssl2 = clientssl2 = NULL;
1263 SSL_SESSION_free(sess1);
1265 SSL_SESSION_free(sess2);
1268 SSL_CTX_set_max_proto_version(sctx, maxprot);
1269 if (maxprot == TLS1_2_VERSION)
1270 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1271 new_called = remove_called = get_called = 0;
1272 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1274 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1276 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1277 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1280 if (use_int_cache) {
1281 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1283 * In TLSv1.3 it should not have been added to the internal cache,
1284 * except in the case where we also have an external cache (in that
1285 * case it gets added to the cache in order to generate remove
1286 * events after timeout).
1288 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1291 /* Should fail because it should already be in the cache */
1292 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1297 if (use_ext_cache) {
1298 SSL_SESSION *tmp = sess2;
1300 if (!TEST_int_eq(new_called, numnewsesstick)
1301 || !TEST_int_eq(remove_called, 0)
1302 || !TEST_int_eq(get_called, 0))
1305 * Delete the session from the internal cache to force a lookup from
1306 * the external cache. We take a copy first because
1307 * SSL_CTX_remove_session() also marks the session as non-resumable.
1309 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1310 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1311 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1313 SSL_SESSION_free(sess2);
1318 new_called = remove_called = get_called = 0;
1319 get_sess_val = sess2;
1320 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1321 &clientssl2, NULL, NULL))
1322 || !TEST_true(SSL_set_session(clientssl2, sess1))
1323 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1325 || !TEST_true(SSL_session_reused(clientssl2)))
1328 if (use_ext_cache) {
1329 if (!TEST_int_eq(remove_called, 0))
1332 if (maxprot == TLS1_3_VERSION) {
1333 if (!TEST_int_eq(new_called, 1)
1334 || !TEST_int_eq(get_called, 0))
1337 if (!TEST_int_eq(new_called, 0)
1338 || !TEST_int_eq(get_called, 1))
1346 SSL_free(serverssl1);
1347 SSL_free(clientssl1);
1348 SSL_free(serverssl2);
1349 SSL_free(clientssl2);
1350 # ifndef OPENSSL_NO_TLS1_1
1351 SSL_free(serverssl3);
1352 SSL_free(clientssl3);
1354 SSL_SESSION_free(sess1);
1355 SSL_SESSION_free(sess2);
1361 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1363 static int test_session_with_only_int_cache(void)
1365 #ifndef OPENSSL_NO_TLS1_3
1366 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1370 #ifndef OPENSSL_NO_TLS1_2
1371 return execute_test_session(TLS1_2_VERSION, 1, 0);
1377 static int test_session_with_only_ext_cache(void)
1379 #ifndef OPENSSL_NO_TLS1_3
1380 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1384 #ifndef OPENSSL_NO_TLS1_2
1385 return execute_test_session(TLS1_2_VERSION, 0, 1);
1391 static int test_session_with_both_cache(void)
1393 #ifndef OPENSSL_NO_TLS1_3
1394 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1398 #ifndef OPENSSL_NO_TLS1_2
1399 return execute_test_session(TLS1_2_VERSION, 1, 1);
1405 #ifndef OPENSSL_NO_TLS1_3
1406 static SSL_SESSION *sesscache[6];
1407 static int do_cache;
1409 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1412 sesscache[new_called] = sess;
1414 /* We don't need the reference to the session, so free it */
1415 SSL_SESSION_free(sess);
1422 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1424 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1425 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1428 /* Start handshake on the server and client */
1429 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1430 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1431 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1432 || !TEST_true(create_ssl_connection(sssl, cssl,
1439 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1442 int sess_id_ctx = 1;
1444 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1445 TLS1_VERSION, 0, sctx,
1446 cctx, cert, privkey))
1447 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1448 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1449 (void *)&sess_id_ctx,
1450 sizeof(sess_id_ctx))))
1454 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1456 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1457 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1458 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1463 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1465 SSL *serverssl = NULL, *clientssl = NULL;
1468 /* Test that we can resume with all the tickets we got given */
1469 for (i = 0; i < idx * 2; i++) {
1471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1472 &clientssl, NULL, NULL))
1473 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1476 SSL_set_post_handshake_auth(clientssl, 1);
1478 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1483 * Following a successful resumption we only get 1 ticket. After a
1484 * failed one we should get idx tickets.
1487 if (!TEST_true(SSL_session_reused(clientssl))
1488 || !TEST_int_eq(new_called, 1))
1491 if (!TEST_false(SSL_session_reused(clientssl))
1492 || !TEST_int_eq(new_called, idx))
1497 /* After a post-handshake authentication we should get 1 new ticket */
1499 && (!post_handshake_verify(serverssl, clientssl)
1500 || !TEST_int_eq(new_called, 1)))
1503 SSL_shutdown(clientssl);
1504 SSL_shutdown(serverssl);
1505 SSL_free(serverssl);
1506 SSL_free(clientssl);
1507 serverssl = clientssl = NULL;
1508 SSL_SESSION_free(sesscache[i]);
1509 sesscache[i] = NULL;
1515 SSL_free(clientssl);
1516 SSL_free(serverssl);
1520 static int test_tickets(int stateful, int idx)
1522 SSL_CTX *sctx = NULL, *cctx = NULL;
1523 SSL *serverssl = NULL, *clientssl = NULL;
1527 /* idx is the test number, but also the number of tickets we want */
1532 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1536 &clientssl, NULL, NULL)))
1539 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1541 /* Check we got the number of tickets we were expecting */
1542 || !TEST_int_eq(idx, new_called))
1545 SSL_shutdown(clientssl);
1546 SSL_shutdown(serverssl);
1547 SSL_free(serverssl);
1548 SSL_free(clientssl);
1551 clientssl = serverssl = NULL;
1555 * Now we try to resume with the tickets we previously created. The
1556 * resumption attempt is expected to fail (because we're now using a new
1557 * SSL_CTX). We should see idx number of tickets issued again.
1560 /* Stop caching sessions - just count them */
1563 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1566 if (!check_resumption(idx, sctx, cctx, 0))
1569 /* Start again with caching sessions */
1576 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1580 &clientssl, NULL, NULL)))
1583 SSL_set_post_handshake_auth(clientssl, 1);
1585 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1587 /* Check we got the number of tickets we were expecting */
1588 || !TEST_int_eq(idx, new_called))
1591 /* After a post-handshake authentication we should get new tickets issued */
1592 if (!post_handshake_verify(serverssl, clientssl)
1593 || !TEST_int_eq(idx * 2, new_called))
1596 SSL_shutdown(clientssl);
1597 SSL_shutdown(serverssl);
1598 SSL_free(serverssl);
1599 SSL_free(clientssl);
1600 serverssl = clientssl = NULL;
1602 /* Stop caching sessions - just count them */
1606 * Check we can resume with all the tickets we created. This time around the
1607 * resumptions should all be successful.
1609 if (!check_resumption(idx, sctx, cctx, 1))
1615 SSL_free(serverssl);
1616 SSL_free(clientssl);
1617 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1618 SSL_SESSION_free(sesscache[j]);
1619 sesscache[j] = NULL;
1627 static int test_stateless_tickets(int idx)
1629 return test_tickets(0, idx);
1632 static int test_stateful_tickets(int idx)
1634 return test_tickets(1, idx);
1637 static int test_psk_tickets(void)
1639 SSL_CTX *sctx = NULL, *cctx = NULL;
1640 SSL *serverssl = NULL, *clientssl = NULL;
1642 int sess_id_ctx = 1;
1644 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1645 TLS1_VERSION, 0, &sctx,
1647 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1648 (void *)&sess_id_ctx,
1649 sizeof(sess_id_ctx))))
1652 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1653 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1654 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1655 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1656 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1657 use_session_cb_cnt = 0;
1658 find_session_cb_cnt = 0;
1662 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1665 clientpsk = serverpsk = create_a_psk(clientssl);
1666 if (!TEST_ptr(clientpsk))
1668 SSL_SESSION_up_ref(clientpsk);
1670 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1672 || !TEST_int_eq(1, find_session_cb_cnt)
1673 || !TEST_int_eq(1, use_session_cb_cnt)
1674 /* We should always get 1 ticket when using external PSK */
1675 || !TEST_int_eq(1, new_called))
1681 SSL_free(serverssl);
1682 SSL_free(clientssl);
1685 SSL_SESSION_free(clientpsk);
1686 SSL_SESSION_free(serverpsk);
1687 clientpsk = serverpsk = NULL;
1696 #define USE_DEFAULT 3
1698 #define CONNTYPE_CONNECTION_SUCCESS 0
1699 #define CONNTYPE_CONNECTION_FAIL 1
1700 #define CONNTYPE_NO_CONNECTION 2
1702 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1703 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1704 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1705 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1707 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1710 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1711 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1712 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1714 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1731 * Tests calls to SSL_set_bio() under various conditions.
1733 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1734 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1735 * then do more tests where we create a successful connection first using our
1736 * standard connection setup functions, and then call SSL_set_bio() with
1737 * various combinations of valid BIOs or NULL. We then repeat these tests
1738 * following a failed connection. In this last case we are looking to check that
1739 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1741 static int test_ssl_set_bio(int idx)
1743 SSL_CTX *sctx = NULL, *cctx = NULL;
1746 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1747 SSL *serverssl = NULL, *clientssl = NULL;
1748 int initrbio, initwbio, newrbio, newwbio, conntype;
1751 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1759 conntype = CONNTYPE_NO_CONNECTION;
1761 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1762 initrbio = initwbio = USE_DEFAULT;
1770 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1772 &sctx, &cctx, cert, privkey)))
1775 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1777 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1778 * because we reduced the number of tests in the definition of
1779 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1780 * mismatched protocol versions we will force a connection failure.
1782 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1783 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1786 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1790 if (initrbio == USE_BIO_1
1791 || initwbio == USE_BIO_1
1792 || newrbio == USE_BIO_1
1793 || newwbio == USE_BIO_1) {
1794 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1798 if (initrbio == USE_BIO_2
1799 || initwbio == USE_BIO_2
1800 || newrbio == USE_BIO_2
1801 || newwbio == USE_BIO_2) {
1802 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1806 if (initrbio != USE_DEFAULT) {
1807 setupbio(&irbio, bio1, bio2, initrbio);
1808 setupbio(&iwbio, bio1, bio2, initwbio);
1809 SSL_set_bio(clientssl, irbio, iwbio);
1812 * We want to maintain our own refs to these BIO, so do an up ref for
1813 * each BIO that will have ownership transferred in the SSL_set_bio()
1818 if (iwbio != NULL && iwbio != irbio)
1822 if (conntype != CONNTYPE_NO_CONNECTION
1823 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1825 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1828 setupbio(&nrbio, bio1, bio2, newrbio);
1829 setupbio(&nwbio, bio1, bio2, newwbio);
1832 * We will (maybe) transfer ownership again so do more up refs.
1833 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1838 && (nwbio != iwbio || nrbio != nwbio))
1842 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1845 SSL_set_bio(clientssl, nrbio, nwbio);
1854 * This test is checking that the ref counting for SSL_set_bio is correct.
1855 * If we get here and we did too many frees then we will fail in the above
1856 * functions. If we haven't done enough then this will only be detected in
1857 * a crypto-mdebug build
1859 SSL_free(serverssl);
1860 SSL_free(clientssl);
1866 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1868 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1870 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1875 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1876 || !TEST_ptr(ssl = SSL_new(ctx))
1877 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1878 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1881 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1884 * If anything goes wrong here then we could leak memory, so this will
1885 * be caught in a crypto-mdebug build
1887 BIO_push(sslbio, membio1);
1889 /* Verify changing the rbio/wbio directly does not cause leaks */
1890 if (change_bio != NO_BIO_CHANGE) {
1891 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1893 if (change_bio == CHANGE_RBIO)
1894 SSL_set0_rbio(ssl, membio2);
1896 SSL_set0_wbio(ssl, membio2);
1915 static int test_ssl_bio_pop_next_bio(void)
1917 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1920 static int test_ssl_bio_pop_ssl_bio(void)
1922 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1925 static int test_ssl_bio_change_rbio(void)
1927 return execute_test_ssl_bio(0, CHANGE_RBIO);
1930 static int test_ssl_bio_change_wbio(void)
1932 return execute_test_ssl_bio(0, CHANGE_WBIO);
1935 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1937 /* The list of sig algs */
1939 /* The length of the list */
1941 /* A sigalgs list in string format */
1942 const char *liststr;
1943 /* Whether setting the list should succeed */
1945 /* Whether creating a connection with the list should succeed */
1949 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1950 # ifndef OPENSSL_NO_EC
1951 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1952 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1954 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1955 static const int invalidlist2[] = {NID_sha256, NID_undef};
1956 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1957 static const int invalidlist4[] = {NID_sha256};
1958 static const sigalgs_list testsigalgs[] = {
1959 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1960 # ifndef OPENSSL_NO_EC
1961 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1962 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1964 {NULL, 0, "RSA+SHA256", 1, 1},
1965 # ifndef OPENSSL_NO_EC
1966 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1967 {NULL, 0, "ECDSA+SHA512", 1, 0},
1969 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1970 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1971 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1972 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1973 {NULL, 0, "RSA", 0, 0},
1974 {NULL, 0, "SHA256", 0, 0},
1975 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1976 {NULL, 0, "Invalid", 0, 0}
1979 static int test_set_sigalgs(int idx)
1981 SSL_CTX *cctx = NULL, *sctx = NULL;
1982 SSL *clientssl = NULL, *serverssl = NULL;
1984 const sigalgs_list *curr;
1987 /* Should never happen */
1988 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1991 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1992 curr = testctx ? &testsigalgs[idx]
1993 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1995 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1997 &sctx, &cctx, cert, privkey)))
2001 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2002 * for TLSv1.2 for now until we add a new API.
2004 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2009 if (curr->list != NULL)
2010 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2012 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2016 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2022 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2028 &clientssl, NULL, NULL)))
2034 if (curr->list != NULL)
2035 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2037 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2040 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2049 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2057 SSL_free(serverssl);
2058 SSL_free(clientssl);
2066 #ifndef OPENSSL_NO_TLS1_3
2067 static int psk_client_cb_cnt = 0;
2068 static int psk_server_cb_cnt = 0;
2070 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2071 size_t *idlen, SSL_SESSION **sess)
2073 switch (++use_session_cb_cnt) {
2075 /* The first call should always have a NULL md */
2081 /* The second call should always have an md */
2087 /* We should only be called a maximum of twice */
2091 if (clientpsk != NULL)
2092 SSL_SESSION_up_ref(clientpsk);
2095 *id = (const unsigned char *)pskid;
2096 *idlen = strlen(pskid);
2101 #ifndef OPENSSL_NO_PSK
2102 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2103 unsigned int max_id_len,
2105 unsigned int max_psk_len)
2107 unsigned int psklen = 0;
2109 psk_client_cb_cnt++;
2111 if (strlen(pskid) + 1 > max_id_len)
2114 /* We should only ever be called a maximum of twice per connection */
2115 if (psk_client_cb_cnt > 2)
2118 if (clientpsk == NULL)
2121 /* We'll reuse the PSK we set up for TLSv1.3 */
2122 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2124 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2125 strncpy(id, pskid, max_id_len);
2129 #endif /* OPENSSL_NO_PSK */
2131 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2132 size_t identity_len, SSL_SESSION **sess)
2134 find_session_cb_cnt++;
2136 /* We should only ever be called a maximum of twice per connection */
2137 if (find_session_cb_cnt > 2)
2140 if (serverpsk == NULL)
2143 /* Identity should match that set by the client */
2144 if (strlen(srvid) != identity_len
2145 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2146 /* No PSK found, continue but without a PSK */
2151 SSL_SESSION_up_ref(serverpsk);
2157 #ifndef OPENSSL_NO_PSK
2158 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2159 unsigned char *psk, unsigned int max_psk_len)
2161 unsigned int psklen = 0;
2163 psk_server_cb_cnt++;
2165 /* We should only ever be called a maximum of twice per connection */
2166 if (find_session_cb_cnt > 2)
2169 if (serverpsk == NULL)
2172 /* Identity should match that set by the client */
2173 if (strcmp(srvid, identity) != 0) {
2177 /* We'll reuse the PSK we set up for TLSv1.3 */
2178 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2180 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2184 #endif /* OPENSSL_NO_PSK */
2186 #define MSG1 "Hello"
2187 #define MSG2 "World."
2192 #define MSG7 "message."
2194 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2195 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2198 static SSL_SESSION *create_a_psk(SSL *ssl)
2200 const SSL_CIPHER *cipher = NULL;
2201 const unsigned char key[] = {
2202 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2203 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2204 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2205 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2206 0x2c, 0x2d, 0x2e, 0x2f
2208 SSL_SESSION *sess = NULL;
2210 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2211 sess = SSL_SESSION_new();
2213 || !TEST_ptr(cipher)
2214 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2216 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2218 SSL_SESSION_set_protocol_version(sess,
2220 SSL_SESSION_free(sess);
2227 * Helper method to setup objects for early data test. Caller frees objects on
2230 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2231 SSL **serverssl, SSL_SESSION **sess, int idx)
2234 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2235 TLS_client_method(),
2237 sctx, cctx, cert, privkey)))
2240 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2244 /* When idx == 1 we repeat the tests with read_ahead set */
2245 SSL_CTX_set_read_ahead(*cctx, 1);
2246 SSL_CTX_set_read_ahead(*sctx, 1);
2247 } else if (idx == 2) {
2248 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2249 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2250 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2251 use_session_cb_cnt = 0;
2252 find_session_cb_cnt = 0;
2256 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2261 * For one of the run throughs (doesn't matter which one), we'll try sending
2262 * some SNI data in the initial ClientHello. This will be ignored (because
2263 * there is no SNI cb set up by the server), so it should not impact
2267 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2271 clientpsk = create_a_psk(*clientssl);
2272 if (!TEST_ptr(clientpsk)
2274 * We just choose an arbitrary value for max_early_data which
2275 * should be big enough for testing purposes.
2277 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2279 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2280 SSL_SESSION_free(clientpsk);
2284 serverpsk = clientpsk;
2287 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2288 SSL_SESSION_free(clientpsk);
2289 SSL_SESSION_free(serverpsk);
2290 clientpsk = serverpsk = NULL;
2301 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2305 *sess = SSL_get1_session(*clientssl);
2306 SSL_shutdown(*clientssl);
2307 SSL_shutdown(*serverssl);
2308 SSL_free(*serverssl);
2309 SSL_free(*clientssl);
2310 *serverssl = *clientssl = NULL;
2312 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2313 clientssl, NULL, NULL))
2314 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2320 static int test_early_data_read_write(int idx)
2322 SSL_CTX *cctx = NULL, *sctx = NULL;
2323 SSL *clientssl = NULL, *serverssl = NULL;
2325 SSL_SESSION *sess = NULL;
2326 unsigned char buf[20], data[1024];
2327 size_t readbytes, written, eoedlen, rawread, rawwritten;
2330 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2331 &serverssl, &sess, idx)))
2334 /* Write and read some early data */
2335 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2337 || !TEST_size_t_eq(written, strlen(MSG1))
2338 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2339 sizeof(buf), &readbytes),
2340 SSL_READ_EARLY_DATA_SUCCESS)
2341 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2342 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2343 SSL_EARLY_DATA_ACCEPTED))
2347 * Server should be able to write data, and client should be able to
2350 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2352 || !TEST_size_t_eq(written, strlen(MSG2))
2353 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2354 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2357 /* Even after reading normal data, client should be able write early data */
2358 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2360 || !TEST_size_t_eq(written, strlen(MSG3)))
2363 /* Server should still be able read early data after writing data */
2364 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2366 SSL_READ_EARLY_DATA_SUCCESS)
2367 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2370 /* Write more data from server and read it from client */
2371 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2373 || !TEST_size_t_eq(written, strlen(MSG4))
2374 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2375 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2379 * If client writes normal data it should mean writing early data is no
2382 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2383 || !TEST_size_t_eq(written, strlen(MSG5))
2384 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2385 SSL_EARLY_DATA_ACCEPTED))
2389 * At this point the client has written EndOfEarlyData, ClientFinished and
2390 * normal (fully protected) data. We are going to cause a delay between the
2391 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2392 * in the read BIO, and then just put back the EndOfEarlyData message.
2394 rbio = SSL_get_rbio(serverssl);
2395 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2396 || !TEST_size_t_lt(rawread, sizeof(data))
2397 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2400 /* Record length is in the 4th and 5th bytes of the record header */
2401 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2402 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2403 || !TEST_size_t_eq(rawwritten, eoedlen))
2406 /* Server should be told that there is no more early data */
2407 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2409 SSL_READ_EARLY_DATA_FINISH)
2410 || !TEST_size_t_eq(readbytes, 0))
2414 * Server has not finished init yet, so should still be able to write early
2417 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2419 || !TEST_size_t_eq(written, strlen(MSG6)))
2422 /* Push the ClientFinished and the normal data back into the server rbio */
2423 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2425 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2428 /* Server should be able to read normal data */
2429 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2430 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2433 /* Client and server should not be able to write/read early data now */
2434 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2438 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2440 SSL_READ_EARLY_DATA_ERROR))
2444 /* Client should be able to read the data sent by the server */
2445 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2446 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2450 * Make sure we process the two NewSessionTickets. These arrive
2451 * post-handshake. We attempt reads which we do not expect to return any
2454 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2455 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2459 /* Server should be able to write normal data */
2460 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2461 || !TEST_size_t_eq(written, strlen(MSG7))
2462 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2463 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2466 SSL_SESSION_free(sess);
2467 sess = SSL_get1_session(clientssl);
2468 use_session_cb_cnt = 0;
2469 find_session_cb_cnt = 0;
2471 SSL_shutdown(clientssl);
2472 SSL_shutdown(serverssl);
2473 SSL_free(serverssl);
2474 SSL_free(clientssl);
2475 serverssl = clientssl = NULL;
2476 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2477 &clientssl, NULL, NULL))
2478 || !TEST_true(SSL_set_session(clientssl, sess)))
2481 /* Write and read some early data */
2482 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2484 || !TEST_size_t_eq(written, strlen(MSG1))
2485 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2487 SSL_READ_EARLY_DATA_SUCCESS)
2488 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2491 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2492 || !TEST_int_gt(SSL_accept(serverssl), 0))
2495 /* Client and server should not be able to write/read early data now */
2496 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2500 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2502 SSL_READ_EARLY_DATA_ERROR))
2506 /* Client and server should be able to write/read normal data */
2507 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2508 || !TEST_size_t_eq(written, strlen(MSG5))
2509 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2510 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2516 SSL_SESSION_free(sess);
2517 SSL_SESSION_free(clientpsk);
2518 SSL_SESSION_free(serverpsk);
2519 clientpsk = serverpsk = NULL;
2520 SSL_free(serverssl);
2521 SSL_free(clientssl);
2527 static int allow_ed_cb_called = 0;
2529 static int allow_early_data_cb(SSL *s, void *arg)
2531 int *usecb = (int *)arg;
2533 allow_ed_cb_called++;
2542 * idx == 0: Standard early_data setup
2543 * idx == 1: early_data setup using read_ahead
2544 * usecb == 0: Don't use a custom early data callback
2545 * usecb == 1: Use a custom early data callback and reject the early data
2546 * usecb == 2: Use a custom early data callback and accept the early data
2547 * confopt == 0: Configure anti-replay directly
2548 * confopt == 1: Configure anti-replay using SSL_CONF
2550 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2552 SSL_CTX *cctx = NULL, *sctx = NULL;
2553 SSL *clientssl = NULL, *serverssl = NULL;
2555 SSL_SESSION *sess = NULL;
2556 size_t readbytes, written;
2557 unsigned char buf[20];
2559 allow_ed_cb_called = 0;
2561 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2562 TLS1_VERSION, 0, &sctx,
2563 &cctx, cert, privkey)))
2568 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2570 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2572 if (!TEST_ptr(confctx))
2574 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2575 | SSL_CONF_FLAG_SERVER);
2576 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2577 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2579 SSL_CONF_CTX_free(confctx);
2582 SSL_CONF_CTX_free(confctx);
2584 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2587 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2588 &serverssl, &sess, idx)))
2592 * The server is configured to accept early data. Create a connection to
2593 * "use up" the ticket
2595 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2596 || !TEST_true(SSL_session_reused(clientssl)))
2599 SSL_shutdown(clientssl);
2600 SSL_shutdown(serverssl);
2601 SSL_free(serverssl);
2602 SSL_free(clientssl);
2603 serverssl = clientssl = NULL;
2605 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2606 &clientssl, NULL, NULL))
2607 || !TEST_true(SSL_set_session(clientssl, sess)))
2610 /* Write and read some early data */
2611 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2613 || !TEST_size_t_eq(written, strlen(MSG1)))
2617 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2619 SSL_READ_EARLY_DATA_FINISH)
2621 * The ticket was reused, so the we should have rejected the
2624 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2625 SSL_EARLY_DATA_REJECTED))
2628 /* In this case the callback decides to accept the early data */
2629 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2631 SSL_READ_EARLY_DATA_SUCCESS)
2632 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2634 * Server will have sent its flight so client can now send
2635 * end of early data and complete its half of the handshake
2637 || !TEST_int_gt(SSL_connect(clientssl), 0)
2638 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2640 SSL_READ_EARLY_DATA_FINISH)
2641 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2642 SSL_EARLY_DATA_ACCEPTED))
2646 /* Complete the connection */
2647 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2648 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2649 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2655 SSL_SESSION_free(sess);
2656 SSL_SESSION_free(clientpsk);
2657 SSL_SESSION_free(serverpsk);
2658 clientpsk = serverpsk = NULL;
2659 SSL_free(serverssl);
2660 SSL_free(clientssl);
2666 static int test_early_data_replay(int idx)
2668 int ret = 1, usecb, confopt;
2670 for (usecb = 0; usecb < 3; usecb++) {
2671 for (confopt = 0; confopt < 2; confopt++)
2672 ret &= test_early_data_replay_int(idx, usecb, confopt);
2679 * Helper function to test that a server attempting to read early data can
2680 * handle a connection from a client where the early data should be skipped.
2681 * testtype: 0 == No HRR
2682 * testtype: 1 == HRR
2683 * testtype: 2 == HRR, invalid early_data sent after HRR
2684 * testtype: 3 == recv_max_early_data set to 0
2686 static int early_data_skip_helper(int testtype, int idx)
2688 SSL_CTX *cctx = NULL, *sctx = NULL;
2689 SSL *clientssl = NULL, *serverssl = NULL;
2691 SSL_SESSION *sess = NULL;
2692 unsigned char buf[20];
2693 size_t readbytes, written;
2695 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2696 &serverssl, &sess, idx)))
2699 if (testtype == 1 || testtype == 2) {
2700 /* Force an HRR to occur */
2701 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2703 } else if (idx == 2) {
2705 * We force early_data rejection by ensuring the PSK identity is
2708 srvid = "Dummy Identity";
2711 * Deliberately corrupt the creation time. We take 20 seconds off the
2712 * time. It could be any value as long as it is not within tolerance.
2713 * This should mean the ticket is rejected.
2715 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2720 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2723 /* Write some early data */
2724 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2726 || !TEST_size_t_eq(written, strlen(MSG1)))
2729 /* Server should reject the early data */
2730 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2732 SSL_READ_EARLY_DATA_FINISH)
2733 || !TEST_size_t_eq(readbytes, 0)
2734 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2735 SSL_EARLY_DATA_REJECTED))
2745 * Finish off the handshake. We perform the same writes and reads as
2746 * further down but we expect them to fail due to the incomplete
2749 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2750 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2757 BIO *wbio = SSL_get_wbio(clientssl);
2758 /* A record that will appear as bad early_data */
2759 const unsigned char bad_early_data[] = {
2760 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2764 * We force the client to attempt a write. This will fail because
2765 * we're still in the handshake. It will cause the second
2766 * ClientHello to be sent.
2768 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2773 * Inject some early_data after the second ClientHello. This should
2774 * cause the server to fail
2776 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2777 sizeof(bad_early_data), &written)))
2784 * This client has sent more early_data than we are willing to skip
2785 * (case 3) or sent invalid early_data (case 2) so the connection should
2788 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2789 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2792 /* Connection has failed - nothing more to do */
2797 TEST_error("Invalid test type");
2802 * Should be able to send normal data despite rejection of early data. The
2803 * early_data should be skipped.
2805 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2806 || !TEST_size_t_eq(written, strlen(MSG2))
2807 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2808 SSL_EARLY_DATA_REJECTED)
2809 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2810 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2816 SSL_SESSION_free(clientpsk);
2817 SSL_SESSION_free(serverpsk);
2818 clientpsk = serverpsk = NULL;
2819 SSL_SESSION_free(sess);
2820 SSL_free(serverssl);
2821 SSL_free(clientssl);
2828 * Test that a server attempting to read early data can handle a connection
2829 * from a client where the early data is not acceptable.
2831 static int test_early_data_skip(int idx)
2833 return early_data_skip_helper(0, idx);
2837 * Test that a server attempting to read early data can handle a connection
2838 * from a client where an HRR occurs.
2840 static int test_early_data_skip_hrr(int idx)
2842 return early_data_skip_helper(1, idx);
2846 * Test that a server attempting to read early data can handle a connection
2847 * from a client where an HRR occurs and correctly fails if early_data is sent
2850 static int test_early_data_skip_hrr_fail(int idx)
2852 return early_data_skip_helper(2, idx);
2856 * Test that a server attempting to read early data will abort if it tries to
2857 * skip over too much.
2859 static int test_early_data_skip_abort(int idx)
2861 return early_data_skip_helper(3, idx);
2865 * Test that a server attempting to read early data can handle a connection
2866 * from a client that doesn't send any.
2868 static int test_early_data_not_sent(int idx)
2870 SSL_CTX *cctx = NULL, *sctx = NULL;
2871 SSL *clientssl = NULL, *serverssl = NULL;
2873 SSL_SESSION *sess = NULL;
2874 unsigned char buf[20];
2875 size_t readbytes, written;
2877 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2878 &serverssl, &sess, idx)))
2881 /* Write some data - should block due to handshake with server */
2882 SSL_set_connect_state(clientssl);
2883 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2886 /* Server should detect that early data has not been sent */
2887 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2889 SSL_READ_EARLY_DATA_FINISH)
2890 || !TEST_size_t_eq(readbytes, 0)
2891 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2892 SSL_EARLY_DATA_NOT_SENT)
2893 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2894 SSL_EARLY_DATA_NOT_SENT))
2897 /* Continue writing the message we started earlier */
2898 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2899 || !TEST_size_t_eq(written, strlen(MSG1))
2900 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2901 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2902 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2903 || !TEST_size_t_eq(written, strlen(MSG2)))
2906 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2907 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2913 SSL_SESSION_free(sess);
2914 SSL_SESSION_free(clientpsk);
2915 SSL_SESSION_free(serverpsk);
2916 clientpsk = serverpsk = NULL;
2917 SSL_free(serverssl);
2918 SSL_free(clientssl);
2924 static int hostname_cb(SSL *s, int *al, void *arg)
2926 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2928 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2929 return SSL_TLSEXT_ERR_OK;
2931 return SSL_TLSEXT_ERR_NOACK;
2934 static const char *servalpn;
2936 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2937 unsigned char *outlen, const unsigned char *in,
2938 unsigned int inlen, void *arg)
2940 unsigned int protlen = 0;
2941 const unsigned char *prot;
2943 for (prot = in; prot < in + inlen; prot += protlen) {
2945 if (in + inlen < prot + protlen)
2946 return SSL_TLSEXT_ERR_NOACK;
2948 if (protlen == strlen(servalpn)
2949 && memcmp(prot, servalpn, protlen) == 0) {
2952 return SSL_TLSEXT_ERR_OK;
2956 return SSL_TLSEXT_ERR_NOACK;
2959 /* Test that a PSK can be used to send early_data */
2960 static int test_early_data_psk(int idx)
2962 SSL_CTX *cctx = NULL, *sctx = NULL;
2963 SSL *clientssl = NULL, *serverssl = NULL;
2965 SSL_SESSION *sess = NULL;
2966 unsigned char alpnlist[] = {
2967 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2970 #define GOODALPNLEN 9
2971 #define BADALPNLEN 8
2972 #define GOODALPN (alpnlist)
2973 #define BADALPN (alpnlist + GOODALPNLEN)
2975 unsigned char buf[20];
2976 size_t readbytes, written;
2977 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2978 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2980 /* We always set this up with a final parameter of "2" for PSK */
2981 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2982 &serverssl, &sess, 2)))
2985 servalpn = "goodalpn";
2988 * Note: There is no test for inconsistent SNI with late client detection.
2989 * This is because servers do not acknowledge SNI even if they are using
2990 * it in a resumption handshake - so it is not actually possible for a
2991 * client to detect a problem.
2995 /* Set inconsistent SNI (early client detection) */
2996 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2997 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2998 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3003 /* Set inconsistent ALPN (early client detection) */
3004 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3005 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3006 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3008 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3015 * Set invalid protocol version. Technically this affects PSKs without
3016 * early_data too, but we test it here because it is similar to the
3017 * SNI/ALPN consistency tests.
3019 err = SSL_R_BAD_PSK;
3020 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3026 * Set inconsistent SNI (server detected). In this case the connection
3027 * will succeed but reject early_data.
3029 SSL_SESSION_free(serverpsk);
3030 serverpsk = SSL_SESSION_dup(clientpsk);
3031 if (!TEST_ptr(serverpsk)
3032 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3034 edstatus = SSL_EARLY_DATA_REJECTED;
3035 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3038 /* Set consistent SNI */
3039 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3040 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3041 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3048 * Set inconsistent ALPN (server detected). In this case the connection
3049 * will succeed but reject early_data.
3051 servalpn = "badalpn";
3052 edstatus = SSL_EARLY_DATA_REJECTED;
3053 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3057 * Set consistent ALPN.
3058 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3059 * accepts a list of protos (each one length prefixed).
3060 * SSL_set1_alpn_selected accepts a single protocol (not length
3063 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3065 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3069 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3073 /* Set inconsistent ALPN (late client detection) */
3074 SSL_SESSION_free(serverpsk);
3075 serverpsk = SSL_SESSION_dup(clientpsk);
3076 if (!TEST_ptr(serverpsk)
3077 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3080 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3083 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3086 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3087 edstatus = SSL_EARLY_DATA_ACCEPTED;
3088 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3089 /* SSL_connect() call should fail */
3094 TEST_error("Bad test index");
3098 SSL_set_connect_state(clientssl);
3100 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3102 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3103 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3106 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3110 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3111 &readbytes), readearlyres)
3112 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3113 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3114 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3115 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3122 SSL_SESSION_free(sess);
3123 SSL_SESSION_free(clientpsk);
3124 SSL_SESSION_free(serverpsk);
3125 clientpsk = serverpsk = NULL;
3126 SSL_free(serverssl);
3127 SSL_free(clientssl);
3134 * Test that a server that doesn't try to read early data can handle a
3135 * client sending some.
3137 static int test_early_data_not_expected(int idx)
3139 SSL_CTX *cctx = NULL, *sctx = NULL;
3140 SSL *clientssl = NULL, *serverssl = NULL;
3142 SSL_SESSION *sess = NULL;
3143 unsigned char buf[20];
3144 size_t readbytes, written;
3146 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3147 &serverssl, &sess, idx)))
3150 /* Write some early data */
3151 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3156 * Server should skip over early data and then block waiting for client to
3157 * continue handshake
3159 if (!TEST_int_le(SSL_accept(serverssl), 0)
3160 || !TEST_int_gt(SSL_connect(clientssl), 0)
3161 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3162 SSL_EARLY_DATA_REJECTED)
3163 || !TEST_int_gt(SSL_accept(serverssl), 0)
3164 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3165 SSL_EARLY_DATA_REJECTED))
3168 /* Send some normal data from client to server */
3169 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3170 || !TEST_size_t_eq(written, strlen(MSG2)))
3173 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3174 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3180 SSL_SESSION_free(sess);
3181 SSL_SESSION_free(clientpsk);
3182 SSL_SESSION_free(serverpsk);
3183 clientpsk = serverpsk = NULL;
3184 SSL_free(serverssl);
3185 SSL_free(clientssl);
3192 # ifndef OPENSSL_NO_TLS1_2
3194 * Test that a server attempting to read early data can handle a connection
3195 * from a TLSv1.2 client.
3197 static int test_early_data_tls1_2(int idx)
3199 SSL_CTX *cctx = NULL, *sctx = NULL;
3200 SSL *clientssl = NULL, *serverssl = NULL;
3202 unsigned char buf[20];
3203 size_t readbytes, written;
3205 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3206 &serverssl, NULL, idx)))
3209 /* Write some data - should block due to handshake with server */
3210 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3211 SSL_set_connect_state(clientssl);
3212 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3216 * Server should do TLSv1.2 handshake. First it will block waiting for more
3217 * messages from client after ServerDone. Then SSL_read_early_data should
3218 * finish and detect that early data has not been sent
3220 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3222 SSL_READ_EARLY_DATA_ERROR))
3226 * Continue writing the message we started earlier. Will still block waiting
3227 * for the CCS/Finished from server
3229 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3230 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3232 SSL_READ_EARLY_DATA_FINISH)
3233 || !TEST_size_t_eq(readbytes, 0)
3234 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3235 SSL_EARLY_DATA_NOT_SENT))
3238 /* Continue writing the message we started earlier */
3239 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3240 || !TEST_size_t_eq(written, strlen(MSG1))
3241 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3242 SSL_EARLY_DATA_NOT_SENT)
3243 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3244 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3245 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3246 || !TEST_size_t_eq(written, strlen(MSG2))
3247 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3248 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3254 SSL_SESSION_free(clientpsk);
3255 SSL_SESSION_free(serverpsk);
3256 clientpsk = serverpsk = NULL;
3257 SSL_free(serverssl);
3258 SSL_free(clientssl);
3264 # endif /* OPENSSL_NO_TLS1_2 */
3267 * Test configuring the TLSv1.3 ciphersuites
3269 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3270 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3271 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3272 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3273 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3274 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3275 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3276 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3277 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3278 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3280 static int test_set_ciphersuite(int idx)
3282 SSL_CTX *cctx = NULL, *sctx = NULL;
3283 SSL *clientssl = NULL, *serverssl = NULL;
3286 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3288 &sctx, &cctx, cert, privkey))
3289 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3290 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3293 if (idx >=4 && idx <= 7) {
3294 /* SSL_CTX explicit cipher list */
3295 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3299 if (idx == 0 || idx == 4) {
3300 /* Default ciphersuite */
3301 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3302 "TLS_AES_128_GCM_SHA256")))
3304 } else if (idx == 1 || idx == 5) {
3305 /* Non default ciphersuite */
3306 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3307 "TLS_AES_128_CCM_SHA256")))
3311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3312 &clientssl, NULL, NULL)))
3315 if (idx == 8 || idx == 9) {
3316 /* SSL explicit cipher list */
3317 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3321 if (idx == 2 || idx == 6 || idx == 8) {
3322 /* Default ciphersuite */
3323 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3324 "TLS_AES_128_GCM_SHA256")))
3326 } else if (idx == 3 || idx == 7 || idx == 9) {
3327 /* Non default ciphersuite */
3328 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3329 "TLS_AES_128_CCM_SHA256")))
3333 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3339 SSL_free(serverssl);
3340 SSL_free(clientssl);
3347 static int test_ciphersuite_change(void)
3349 SSL_CTX *cctx = NULL, *sctx = NULL;
3350 SSL *clientssl = NULL, *serverssl = NULL;
3351 SSL_SESSION *clntsess = NULL;
3353 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3355 /* Create a session based on SHA-256 */
3356 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3358 &sctx, &cctx, cert, privkey))
3359 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3360 "TLS_AES_128_GCM_SHA256"))
3361 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3362 &clientssl, NULL, NULL))
3363 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3367 clntsess = SSL_get1_session(clientssl);
3368 /* Save for later */
3369 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3370 SSL_shutdown(clientssl);
3371 SSL_shutdown(serverssl);
3372 SSL_free(serverssl);
3373 SSL_free(clientssl);
3374 serverssl = clientssl = NULL;
3376 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3377 /* Check we can resume a session with a different SHA-256 ciphersuite */
3378 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3379 "TLS_CHACHA20_POLY1305_SHA256"))
3380 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3382 || !TEST_true(SSL_set_session(clientssl, clntsess))
3383 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3385 || !TEST_true(SSL_session_reused(clientssl)))
3388 SSL_SESSION_free(clntsess);
3389 clntsess = SSL_get1_session(clientssl);
3390 SSL_shutdown(clientssl);
3391 SSL_shutdown(serverssl);
3392 SSL_free(serverssl);
3393 SSL_free(clientssl);
3394 serverssl = clientssl = NULL;
3398 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3399 * succeeds but does not resume.
3401 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3402 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3404 || !TEST_true(SSL_set_session(clientssl, clntsess))
3405 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3407 || !TEST_false(SSL_session_reused(clientssl)))
3410 SSL_SESSION_free(clntsess);
3412 SSL_shutdown(clientssl);
3413 SSL_shutdown(serverssl);
3414 SSL_free(serverssl);
3415 SSL_free(clientssl);
3416 serverssl = clientssl = NULL;
3418 /* Create a session based on SHA384 */
3419 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3420 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3421 &clientssl, NULL, NULL))
3422 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3426 clntsess = SSL_get1_session(clientssl);
3427 SSL_shutdown(clientssl);
3428 SSL_shutdown(serverssl);
3429 SSL_free(serverssl);
3430 SSL_free(clientssl);
3431 serverssl = clientssl = NULL;
3433 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3434 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3435 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3436 "TLS_AES_256_GCM_SHA384"))
3437 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3439 || !TEST_true(SSL_set_session(clientssl, clntsess))
3441 * We use SSL_ERROR_WANT_READ below so that we can pause the
3442 * connection after the initial ClientHello has been sent to
3443 * enable us to make some session changes.
3445 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3446 SSL_ERROR_WANT_READ)))
3449 /* Trick the client into thinking this session is for a different digest */
3450 clntsess->cipher = aes_128_gcm_sha256;
3451 clntsess->cipher_id = clntsess->cipher->id;
3454 * Continue the previously started connection. Server has selected a SHA-384
3455 * ciphersuite, but client thinks the session is for SHA-256, so it should
3458 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3460 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3461 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3467 SSL_SESSION_free(clntsess);
3468 SSL_free(serverssl);
3469 SSL_free(clientssl);
3478 * Test 0 = Test new style callbacks
3479 * Test 1 = Test both new and old style callbacks
3480 * Test 2 = Test old style callbacks
3481 * Test 3 = Test old style callbacks with no certificate
3483 static int test_tls13_psk(int idx)
3485 SSL_CTX *sctx = NULL, *cctx = NULL;
3486 SSL *serverssl = NULL, *clientssl = NULL;
3487 const SSL_CIPHER *cipher = NULL;
3488 const unsigned char key[] = {
3489 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3490 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3491 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3492 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3496 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3498 &sctx, &cctx, idx == 3 ? NULL : cert,
3499 idx == 3 ? NULL : privkey)))
3504 * We use a ciphersuite with SHA256 to ease testing old style PSK
3505 * callbacks which will always default to SHA256. This should not be
3506 * necessary if we have no cert/priv key. In that case the server should
3507 * prefer SHA256 automatically.
3509 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3510 "TLS_AES_128_GCM_SHA256")))
3515 * Test 0: New style callbacks only
3516 * Test 1: New and old style callbacks (only the new ones should be used)
3517 * Test 2: Old style callbacks only
3519 if (idx == 0 || idx == 1) {
3520 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3521 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3523 #ifndef OPENSSL_NO_PSK
3525 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3526 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3530 use_session_cb_cnt = 0;
3531 find_session_cb_cnt = 0;
3532 psk_client_cb_cnt = 0;
3533 psk_server_cb_cnt = 0;
3537 * Check we can create a connection if callback decides not to send a
3540 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3542 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3544 || !TEST_false(SSL_session_reused(clientssl))
3545 || !TEST_false(SSL_session_reused(serverssl)))
3548 if (idx == 0 || idx == 1) {
3549 if (!TEST_true(use_session_cb_cnt == 1)
3550 || !TEST_true(find_session_cb_cnt == 0)
3552 * If no old style callback then below should be 0
3555 || !TEST_true(psk_client_cb_cnt == idx)
3556 || !TEST_true(psk_server_cb_cnt == 0))
3559 if (!TEST_true(use_session_cb_cnt == 0)
3560 || !TEST_true(find_session_cb_cnt == 0)
3561 || !TEST_true(psk_client_cb_cnt == 1)
3562 || !TEST_true(psk_server_cb_cnt == 0))
3566 shutdown_ssl_connection(serverssl, clientssl);
3567 serverssl = clientssl = NULL;
3568 use_session_cb_cnt = psk_client_cb_cnt = 0;
3571 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3575 /* Create the PSK */
3576 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3577 clientpsk = SSL_SESSION_new();
3578 if (!TEST_ptr(clientpsk)
3579 || !TEST_ptr(cipher)
3580 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3582 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3583 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3585 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3587 serverpsk = clientpsk;
3589 /* Check we can create a connection and the PSK is used */
3590 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3591 || !TEST_true(SSL_session_reused(clientssl))
3592 || !TEST_true(SSL_session_reused(serverssl)))
3595 if (idx == 0 || idx == 1) {
3596 if (!TEST_true(use_session_cb_cnt == 1)
3597 || !TEST_true(find_session_cb_cnt == 1)
3598 || !TEST_true(psk_client_cb_cnt == 0)
3599 || !TEST_true(psk_server_cb_cnt == 0))
3602 if (!TEST_true(use_session_cb_cnt == 0)
3603 || !TEST_true(find_session_cb_cnt == 0)
3604 || !TEST_true(psk_client_cb_cnt == 1)
3605 || !TEST_true(psk_server_cb_cnt == 1))
3609 shutdown_ssl_connection(serverssl, clientssl);
3610 serverssl = clientssl = NULL;
3611 use_session_cb_cnt = find_session_cb_cnt = 0;
3612 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3614 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3619 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3623 * Check we can create a connection, the PSK is used and the callbacks are
3626 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3627 || !TEST_true(SSL_session_reused(clientssl))
3628 || !TEST_true(SSL_session_reused(serverssl)))
3631 if (idx == 0 || idx == 1) {
3632 if (!TEST_true(use_session_cb_cnt == 2)
3633 || !TEST_true(find_session_cb_cnt == 2)
3634 || !TEST_true(psk_client_cb_cnt == 0)
3635 || !TEST_true(psk_server_cb_cnt == 0))
3638 if (!TEST_true(use_session_cb_cnt == 0)
3639 || !TEST_true(find_session_cb_cnt == 0)
3640 || !TEST_true(psk_client_cb_cnt == 2)
3641 || !TEST_true(psk_server_cb_cnt == 2))
3645 shutdown_ssl_connection(serverssl, clientssl);
3646 serverssl = clientssl = NULL;
3647 use_session_cb_cnt = find_session_cb_cnt = 0;
3648 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3652 * Check that if the server rejects the PSK we can still connect, but with
3655 srvid = "Dummy Identity";
3656 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3658 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3660 || !TEST_false(SSL_session_reused(clientssl))
3661 || !TEST_false(SSL_session_reused(serverssl)))
3664 if (idx == 0 || idx == 1) {
3665 if (!TEST_true(use_session_cb_cnt == 1)
3666 || !TEST_true(find_session_cb_cnt == 1)
3667 || !TEST_true(psk_client_cb_cnt == 0)
3669 * If no old style callback then below should be 0
3672 || !TEST_true(psk_server_cb_cnt == idx))
3675 if (!TEST_true(use_session_cb_cnt == 0)
3676 || !TEST_true(find_session_cb_cnt == 0)
3677 || !TEST_true(psk_client_cb_cnt == 1)
3678 || !TEST_true(psk_server_cb_cnt == 1))
3682 shutdown_ssl_connection(serverssl, clientssl);
3683 serverssl = clientssl = NULL;
3688 SSL_SESSION_free(clientpsk);
3689 SSL_SESSION_free(serverpsk);
3690 clientpsk = serverpsk = NULL;
3691 SSL_free(serverssl);
3692 SSL_free(clientssl);
3698 static unsigned char cookie_magic_value[] = "cookie magic";
3700 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3701 unsigned int *cookie_len)
3704 * Not suitable as a real cookie generation function but good enough for
3707 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3708 *cookie_len = sizeof(cookie_magic_value) - 1;
3713 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3714 unsigned int cookie_len)
3716 if (cookie_len == sizeof(cookie_magic_value) - 1
3717 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3723 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3727 int res = generate_cookie_callback(ssl, cookie, &temp);
3732 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3735 return verify_cookie_callback(ssl, cookie, cookie_len);
3738 static int test_stateless(void)
3740 SSL_CTX *sctx = NULL, *cctx = NULL;
3741 SSL *serverssl = NULL, *clientssl = NULL;
3744 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3746 &sctx, &cctx, cert, privkey)))
3749 /* The arrival of CCS messages can confuse the test */
3750 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3752 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3754 /* Send the first ClientHello */
3755 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3756 SSL_ERROR_WANT_READ))
3758 * This should fail with a -1 return because we have no callbacks
3761 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3764 /* Fatal error so abandon the connection from this client */
3765 SSL_free(clientssl);
3768 /* Set up the cookie generation and verification callbacks */
3769 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3770 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3773 * Create a new connection from the client (we can reuse the server SSL
3776 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3778 /* Send the first ClientHello */
3779 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3780 SSL_ERROR_WANT_READ))
3781 /* This should fail because there is no cookie */
3782 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3785 /* Abandon the connection from this client */
3786 SSL_free(clientssl);
3790 * Now create a connection from a new client but with the same server SSL
3793 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3795 /* Send the first ClientHello */
3796 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3797 SSL_ERROR_WANT_READ))
3798 /* This should fail because there is no cookie */
3799 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3800 /* Send the second ClientHello */
3801 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3802 SSL_ERROR_WANT_READ))
3803 /* This should succeed because a cookie is now present */
3804 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3805 /* Complete the connection */
3806 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3810 shutdown_ssl_connection(serverssl, clientssl);
3811 serverssl = clientssl = NULL;
3815 SSL_free(serverssl);
3816 SSL_free(clientssl);
3822 #endif /* OPENSSL_NO_TLS1_3 */
3824 static int clntaddoldcb = 0;
3825 static int clntparseoldcb = 0;
3826 static int srvaddoldcb = 0;
3827 static int srvparseoldcb = 0;
3828 static int clntaddnewcb = 0;
3829 static int clntparsenewcb = 0;
3830 static int srvaddnewcb = 0;
3831 static int srvparsenewcb = 0;
3832 static int snicb = 0;
3834 #define TEST_EXT_TYPE1 0xff00
3836 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3837 size_t *outlen, int *al, void *add_arg)
3839 int *server = (int *)add_arg;
3840 unsigned char *data;
3842 if (SSL_is_server(s))
3847 if (*server != SSL_is_server(s)
3848 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3853 *outlen = sizeof(char);
3857 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3860 OPENSSL_free((unsigned char *)out);
3863 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3864 size_t inlen, int *al, void *parse_arg)
3866 int *server = (int *)parse_arg;
3868 if (SSL_is_server(s))
3873 if (*server != SSL_is_server(s)
3874 || inlen != sizeof(char)
3881 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3882 const unsigned char **out, size_t *outlen, X509 *x,
3883 size_t chainidx, int *al, void *add_arg)
3885 int *server = (int *)add_arg;
3886 unsigned char *data;
3888 if (SSL_is_server(s))
3893 if (*server != SSL_is_server(s)
3894 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3899 *outlen = sizeof(*data);
3903 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3904 const unsigned char *out, void *add_arg)
3906 OPENSSL_free((unsigned char *)out);
3909 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3910 const unsigned char *in, size_t inlen, X509 *x,
3911 size_t chainidx, int *al, void *parse_arg)
3913 int *server = (int *)parse_arg;
3915 if (SSL_is_server(s))
3920 if (*server != SSL_is_server(s)
3921 || inlen != sizeof(char) || *in != 1)
3927 static int sni_cb(SSL *s, int *al, void *arg)
3929 SSL_CTX *ctx = (SSL_CTX *)arg;
3931 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3932 *al = SSL_AD_INTERNAL_ERROR;
3933 return SSL_TLSEXT_ERR_ALERT_FATAL;
3936 return SSL_TLSEXT_ERR_OK;
3940 * Custom call back tests.
3941 * Test 0: Old style callbacks in TLSv1.2
3942 * Test 1: New style callbacks in TLSv1.2
3943 * Test 2: New style callbacks in TLSv1.2 with SNI
3944 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3945 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3947 static int test_custom_exts(int tst)
3949 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3950 SSL *clientssl = NULL, *serverssl = NULL;
3952 static int server = 1;
3953 static int client = 0;
3954 SSL_SESSION *sess = NULL;
3955 unsigned int context;
3957 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3958 /* Skip tests for TLSv1.2 and below in this case */
3963 /* Reset callback counters */
3964 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3965 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3968 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3970 &sctx, &cctx, cert, privkey)))
3974 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3976 &sctx2, NULL, cert, privkey)))
3981 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3982 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3984 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3988 context = SSL_EXT_CLIENT_HELLO
3989 | SSL_EXT_TLS1_2_SERVER_HELLO
3990 | SSL_EXT_TLS1_3_SERVER_HELLO
3991 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3992 | SSL_EXT_TLS1_3_CERTIFICATE
3993 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3995 context = SSL_EXT_CLIENT_HELLO
3996 | SSL_EXT_TLS1_2_SERVER_HELLO
3997 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4000 /* Create a client side custom extension */
4002 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4003 old_add_cb, old_free_cb,
4004 &client, old_parse_cb,
4008 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4009 new_add_cb, new_free_cb,
4010 &client, new_parse_cb, &client)))
4014 /* Should not be able to add duplicates */
4015 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4016 old_add_cb, old_free_cb,
4017 &client, old_parse_cb,
4019 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4020 context, new_add_cb,
4021 new_free_cb, &client,
4022 new_parse_cb, &client)))
4025 /* Create a server side custom extension */
4027 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4028 old_add_cb, old_free_cb,
4029 &server, old_parse_cb,
4033 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4034 new_add_cb, new_free_cb,
4035 &server, new_parse_cb, &server)))
4038 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4039 context, new_add_cb,
4040 new_free_cb, &server,
4041 new_parse_cb, &server)))
4045 /* Should not be able to add duplicates */
4046 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4047 old_add_cb, old_free_cb,
4048 &server, old_parse_cb,
4050 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4051 context, new_add_cb,
4052 new_free_cb, &server,
4053 new_parse_cb, &server)))
4058 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4059 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4064 &clientssl, NULL, NULL))
4065 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4070 if (clntaddoldcb != 1
4071 || clntparseoldcb != 1
4073 || srvparseoldcb != 1)
4075 } else if (tst == 1 || tst == 2 || tst == 3) {
4076 if (clntaddnewcb != 1
4077 || clntparsenewcb != 1
4079 || srvparsenewcb != 1
4080 || (tst != 2 && snicb != 0)
4081 || (tst == 2 && snicb != 1))
4084 /* In this case there 2 NewSessionTicket messages created */
4085 if (clntaddnewcb != 1
4086 || clntparsenewcb != 5
4088 || srvparsenewcb != 1)
4092 sess = SSL_get1_session(clientssl);
4093 SSL_shutdown(clientssl);
4094 SSL_shutdown(serverssl);
4095 SSL_free(serverssl);
4096 SSL_free(clientssl);
4097 serverssl = clientssl = NULL;
4100 /* We don't bother with the resumption aspects for this test */
4105 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4107 || !TEST_true(SSL_set_session(clientssl, sess))
4108 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4113 * For a resumed session we expect to add the ClientHello extension. For the
4114 * old style callbacks we ignore it on the server side because they set
4115 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4119 if (clntaddoldcb != 2
4120 || clntparseoldcb != 1
4122 || srvparseoldcb != 1)
4124 } else if (tst == 1 || tst == 2 || tst == 3) {
4125 if (clntaddnewcb != 2
4126 || clntparsenewcb != 2
4128 || srvparsenewcb != 2)
4132 * No Certificate message extensions in the resumption handshake,
4133 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4135 if (clntaddnewcb != 2
4136 || clntparsenewcb != 8
4138 || srvparsenewcb != 2)
4145 SSL_SESSION_free(sess);
4146 SSL_free(serverssl);
4147 SSL_free(clientssl);
4148 SSL_CTX_free(sctx2);
4155 * Test loading of serverinfo data in various formats. test_sslmessages actually
4156 * tests to make sure the extensions appear in the handshake
4158 static int test_serverinfo(int tst)
4160 unsigned int version;
4161 unsigned char *sibuf;
4163 int ret, expected, testresult = 0;
4166 ctx = SSL_CTX_new(TLS_method());
4170 if ((tst & 0x01) == 0x01)
4171 version = SSL_SERVERINFOV2;
4173 version = SSL_SERVERINFOV1;
4175 if ((tst & 0x02) == 0x02) {
4176 sibuf = serverinfov2;
4177 sibuflen = sizeof(serverinfov2);
4178 expected = (version == SSL_SERVERINFOV2);
4180 sibuf = serverinfov1;
4181 sibuflen = sizeof(serverinfov1);
4182 expected = (version == SSL_SERVERINFOV1);
4185 if ((tst & 0x04) == 0x04) {
4186 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4188 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4191 * The version variable is irrelevant in this case - it's what is in the
4192 * buffer that matters
4194 if ((tst & 0x02) == 0x02)
4200 if (!TEST_true(ret == expected))
4212 * Test that SSL_export_keying_material() produces expected results. There are
4213 * no test vectors so all we do is test that both sides of the communication
4214 * produce the same results for different protocol versions.
4216 #define SMALL_LABEL_LEN 10
4217 #define LONG_LABEL_LEN 249
4218 static int test_export_key_mat(int tst)
4221 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4222 SSL *clientssl = NULL, *serverssl = NULL;
4223 const char label[LONG_LABEL_LEN + 1] = "test label";
4224 const unsigned char context[] = "context";
4225 const unsigned char *emptycontext = NULL;
4226 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4227 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4229 const int protocols[] = {
4238 #ifdef OPENSSL_NO_TLS1
4242 #ifdef OPENSSL_NO_TLS1_1
4246 #ifdef OPENSSL_NO_TLS1_2
4250 #ifdef OPENSSL_NO_TLS1_3
4254 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4256 &sctx, &cctx, cert, privkey)))
4259 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4260 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4261 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4263 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4265 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4271 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4274 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4275 sizeof(ckeymat1), label,
4276 LONG_LABEL_LEN + 1, context,
4277 sizeof(context) - 1, 1), 0))
4282 } else if (tst == 4) {
4283 labellen = LONG_LABEL_LEN;
4285 labellen = SMALL_LABEL_LEN;
4288 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4289 sizeof(ckeymat1), label,
4291 sizeof(context) - 1, 1), 1)
4292 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4293 sizeof(ckeymat2), label,
4297 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4298 sizeof(ckeymat3), label,
4301 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4302 sizeof(skeymat1), label,
4305 sizeof(context) -1, 1),
4307 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4308 sizeof(skeymat2), label,
4312 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4313 sizeof(skeymat3), label,
4317 * Check that both sides created the same key material with the
4320 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4323 * Check that both sides created the same key material with an
4326 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4329 * Check that both sides created the same key material without a
4332 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4334 /* Different contexts should produce different results */
4335 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4340 * Check that an empty context and no context produce different results in
4341 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4343 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4345 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4352 SSL_free(serverssl);
4353 SSL_free(clientssl);
4354 SSL_CTX_free(sctx2);
4361 #ifndef OPENSSL_NO_TLS1_3
4363 * Test that SSL_export_keying_material_early() produces expected
4364 * results. There are no test vectors so all we do is test that both
4365 * sides of the communication produce the same results for different
4366 * protocol versions.
4368 static int test_export_key_mat_early(int idx)
4370 static const char label[] = "test label";
4371 static const unsigned char context[] = "context";
4373 SSL_CTX *cctx = NULL, *sctx = NULL;
4374 SSL *clientssl = NULL, *serverssl = NULL;
4375 SSL_SESSION *sess = NULL;
4376 const unsigned char *emptycontext = NULL;
4377 unsigned char ckeymat1[80], ckeymat2[80];
4378 unsigned char skeymat1[80], skeymat2[80];
4379 unsigned char buf[1];
4380 size_t readbytes, written;
4382 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4386 /* Here writing 0 length early data is enough. */
4387 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4388 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4390 SSL_READ_EARLY_DATA_ERROR)
4391 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4392 SSL_EARLY_DATA_ACCEPTED))
4395 if (!TEST_int_eq(SSL_export_keying_material_early(
4396 clientssl, ckeymat1, sizeof(ckeymat1), label,
4397 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4398 || !TEST_int_eq(SSL_export_keying_material_early(
4399 clientssl, ckeymat2, sizeof(ckeymat2), label,
4400 sizeof(label) - 1, emptycontext, 0), 1)
4401 || !TEST_int_eq(SSL_export_keying_material_early(
4402 serverssl, skeymat1, sizeof(skeymat1), label,
4403 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4404 || !TEST_int_eq(SSL_export_keying_material_early(
4405 serverssl, skeymat2, sizeof(skeymat2), label,
4406 sizeof(label) - 1, emptycontext, 0), 1)
4408 * Check that both sides created the same key material with the
4411 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4414 * Check that both sides created the same key material with an
4417 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4419 /* Different contexts should produce different results */
4420 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4427 SSL_SESSION_free(sess);
4428 SSL_SESSION_free(clientpsk);
4429 SSL_SESSION_free(serverpsk);
4430 clientpsk = serverpsk = NULL;
4431 SSL_free(serverssl);
4432 SSL_free(clientssl);
4438 #endif /* OPENSSL_NO_TLS1_3 */
4440 static int test_ssl_clear(int idx)
4442 SSL_CTX *cctx = NULL, *sctx = NULL;
4443 SSL *clientssl = NULL, *serverssl = NULL;
4446 #ifdef OPENSSL_NO_TLS1_2
4451 /* Create an initial connection */
4452 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4454 &sctx, &cctx, cert, privkey))
4456 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4458 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4459 &clientssl, NULL, NULL))
4460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4464 SSL_shutdown(clientssl);
4465 SSL_shutdown(serverssl);
4466 SSL_free(serverssl);
4469 /* Clear clientssl - we're going to reuse the object */
4470 if (!TEST_true(SSL_clear(clientssl)))
4473 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4477 || !TEST_true(SSL_session_reused(clientssl)))
4480 SSL_shutdown(clientssl);
4481 SSL_shutdown(serverssl);
4486 SSL_free(serverssl);
4487 SSL_free(clientssl);
4494 /* Parse CH and retrieve any MFL extension value if present */
4495 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4498 unsigned char *data;
4499 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4500 unsigned int MFL_code = 0, type = 0;
4502 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4505 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4506 /* Skip the record header */
4507 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4508 /* Skip the handshake message header */
4509 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4510 /* Skip client version and random */
4511 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4512 + SSL3_RANDOM_SIZE))
4513 /* Skip session id */
4514 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4516 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4517 /* Skip compression */
4518 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4519 /* Extensions len */
4520 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4523 /* Loop through all extensions */
4524 while (PACKET_remaining(&pkt2)) {
4525 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4526 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4529 if (type == TLSEXT_TYPE_max_fragment_length) {
4530 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4531 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4534 *mfl_codemfl_code = MFL_code;
4543 /* Maximum-Fragment-Length TLS extension mode to test */
4544 static const unsigned char max_fragment_len_test[] = {
4545 TLSEXT_max_fragment_length_512,
4546 TLSEXT_max_fragment_length_1024,
4547 TLSEXT_max_fragment_length_2048,
4548 TLSEXT_max_fragment_length_4096
4551 static int test_max_fragment_len_ext(int idx_tst)
4555 int testresult = 0, MFL_mode = 0;
4558 ctx = SSL_CTX_new(TLS_method());
4562 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4563 ctx, max_fragment_len_test[idx_tst])))
4570 rbio = BIO_new(BIO_s_mem());
4571 wbio = BIO_new(BIO_s_mem());
4572 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4578 SSL_set_bio(con, rbio, wbio);
4579 SSL_set_connect_state(con);
4581 if (!TEST_int_le(SSL_connect(con), 0)) {
4582 /* This shouldn't succeed because we don't have a server! */
4586 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4587 /* no MFL in client hello */
4589 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4601 #ifndef OPENSSL_NO_TLS1_3
4602 static int test_pha_key_update(void)
4604 SSL_CTX *cctx = NULL, *sctx = NULL;
4605 SSL *clientssl = NULL, *serverssl = NULL;
4608 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4610 &sctx, &cctx, cert, privkey)))
4613 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4614 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4615 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4616 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4619 SSL_CTX_set_post_handshake_auth(cctx, 1);
4621 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4625 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4629 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4630 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4633 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4636 /* Start handshake on the server */
4637 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4640 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4641 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4645 SSL_shutdown(clientssl);
4646 SSL_shutdown(serverssl);
4651 SSL_free(serverssl);
4652 SSL_free(clientssl);
4659 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4661 static SRP_VBASE *vbase = NULL;
4663 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4665 int ret = SSL3_AL_FATAL;
4667 SRP_user_pwd *user = NULL;
4669 username = SSL_get_srp_username(s);
4670 if (username == NULL) {
4671 *ad = SSL_AD_INTERNAL_ERROR;
4675 user = SRP_VBASE_get1_by_user(vbase, username);
4677 *ad = SSL_AD_INTERNAL_ERROR;
4681 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4683 *ad = SSL_AD_INTERNAL_ERROR;
4690 SRP_user_pwd_free(user);
4694 static int create_new_vfile(char *userid, char *password, const char *filename)
4697 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4700 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4703 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4706 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4707 &row[DB_srpverifier], NULL, NULL);
4708 if (!TEST_ptr(gNid))
4712 * The only way to create an empty TXT_DB is to provide a BIO with no data
4715 db = TXT_DB_read(dummy, DB_NUMBER);
4719 out = BIO_new_file(filename, "w");
4723 row[DB_srpid] = OPENSSL_strdup(userid);
4724 row[DB_srptype] = OPENSSL_strdup("V");
4725 row[DB_srpgN] = OPENSSL_strdup(gNid);
4727 if (!TEST_ptr(row[DB_srpid])
4728 || !TEST_ptr(row[DB_srptype])
4729 || !TEST_ptr(row[DB_srpgN])
4730 || !TEST_true(TXT_DB_insert(db, row)))
4735 if (!TXT_DB_write(out, db))
4741 for (i = 0; i < DB_NUMBER; i++)
4742 OPENSSL_free(row[i]);
4752 static int create_new_vbase(char *userid, char *password)
4754 BIGNUM *verifier = NULL, *salt = NULL;
4755 const SRP_gN *lgN = NULL;
4756 SRP_user_pwd *user_pwd = NULL;
4759 lgN = SRP_get_default_gN(NULL);
4763 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4767 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4768 if (!TEST_ptr(user_pwd))
4771 user_pwd->N = lgN->N;
4772 user_pwd->g = lgN->g;
4773 user_pwd->id = OPENSSL_strdup(userid);
4774 if (!TEST_ptr(user_pwd->id))
4777 user_pwd->v = verifier;
4779 verifier = salt = NULL;
4781 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4787 SRP_user_pwd_free(user_pwd);
4797 * Test 0: Simple successful SRP connection, new vbase
4798 * Test 1: Connection failure due to bad password, new vbase
4799 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4800 * Test 3: Connection failure due to bad password, vbase loaded from existing
4802 * Test 4: Simple successful SRP connection, vbase loaded from new file
4803 * Test 5: Connection failure due to bad password, vbase loaded from new file
4805 static int test_srp(int tst)
4807 char *userid = "test", *password = "password", *tstsrpfile;
4808 SSL_CTX *cctx = NULL, *sctx = NULL;
4809 SSL *clientssl = NULL, *serverssl = NULL;
4810 int ret, testresult = 0;
4812 vbase = SRP_VBASE_new(NULL);
4813 if (!TEST_ptr(vbase))
4816 if (tst == 0 || tst == 1) {
4817 if (!TEST_true(create_new_vbase(userid, password)))
4820 if (tst == 4 || tst == 5) {
4821 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4823 tstsrpfile = tmpfilename;
4825 tstsrpfile = srpvfile;
4827 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4831 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4833 &sctx, &cctx, cert, privkey)))
4836 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4837 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4838 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4839 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4840 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4844 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4847 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4851 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4855 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4857 if (!TEST_true(tst % 2 == 0))
4860 if (!TEST_true(tst % 2 == 1))
4867 SRP_VBASE_free(vbase);
4869 SSL_free(serverssl);
4870 SSL_free(clientssl);
4878 static int info_cb_failed = 0;
4879 static int info_cb_offset = 0;
4880 static int info_cb_this_state = -1;
4882 static struct info_cb_states_st {
4884 const char *statestr;
4885 } info_cb_states[][60] = {
4887 /* TLSv1.2 server followed by resumption */
4888 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4889 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4890 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4891 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4892 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4893 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4894 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4895 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4896 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4897 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4898 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4899 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4900 {SSL_CB_EXIT, NULL}, {0, NULL},
4902 /* TLSv1.2 client followed by resumption */
4903 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4904 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4905 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4906 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4907 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4908 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4909 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4910 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4911 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4912 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4913 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4914 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4916 /* TLSv1.3 server followed by resumption */
4917 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4918 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4919 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4920 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4921 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4922 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4923 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4924 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4925 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4926 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4927 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4928 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4929 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4930 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4931 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4932 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4933 {SSL_CB_EXIT, NULL}, {0, NULL},
4935 /* TLSv1.3 client followed by resumption */
4936 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4937 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4938 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4939 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4940 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4941 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4942 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4943 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4944 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4945 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4946 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4947 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4948 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4949 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4950 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4951 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4952 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4953 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4954 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4956 /* TLSv1.3 server, early_data */
4957 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4958 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4959 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4960 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4961 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4962 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4963 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4964 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4965 {SSL_CB_EXIT, NULL}, {0, NULL},
4967 /* TLSv1.3 client, early_data */
4968 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4969 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4970 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4971 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4972 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4973 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4974 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4975 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4976 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4977 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4983 static void sslapi_info_callback(const SSL *s, int where, int ret)
4985 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4987 /* We do not ever expect a connection to fail in this test */
4988 if (!TEST_false(ret == 0)) {
4994 * Do some sanity checks. We never expect these things to happen in this
4997 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4998 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4999 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5004 /* Now check we're in the right state */
5005 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5009 if ((where & SSL_CB_LOOP) != 0
5010 && !TEST_int_eq(strcmp(SSL_state_string(s),
5011 state[info_cb_this_state].statestr), 0)) {
5016 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
5017 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
5024 * Test the info callback gets called when we expect it to.
5026 * Test 0: TLSv1.2, server
5027 * Test 1: TLSv1.2, client
5028 * Test 2: TLSv1.3, server
5029 * Test 3: TLSv1.3, client
5030 * Test 4: TLSv1.3, server, early_data
5031 * Test 5: TLSv1.3, client, early_data
5033 static int test_info_callback(int tst)
5035 SSL_CTX *cctx = NULL, *sctx = NULL;
5036 SSL *clientssl = NULL, *serverssl = NULL;
5037 SSL_SESSION *clntsess = NULL;
5042 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5043 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5044 || !defined(OPENSSL_NO_DH))
5045 tlsvers = TLS1_2_VERSION;
5050 #ifndef OPENSSL_NO_TLS1_3
5051 tlsvers = TLS1_3_VERSION;
5059 info_cb_this_state = -1;
5060 info_cb_offset = tst;
5062 #ifndef OPENSSL_NO_TLS1_3
5064 SSL_SESSION *sess = NULL;
5065 size_t written, readbytes;
5066 unsigned char buf[80];
5068 /* early_data tests */
5069 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5070 &serverssl, &sess, 0)))
5073 /* We don't actually need this reference */
5074 SSL_SESSION_free(sess);
5076 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5077 sslapi_info_callback);
5079 /* Write and read some early data and then complete the connection */
5080 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5082 || !TEST_size_t_eq(written, strlen(MSG1))
5083 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5084 sizeof(buf), &readbytes),
5085 SSL_READ_EARLY_DATA_SUCCESS)
5086 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5087 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5088 SSL_EARLY_DATA_ACCEPTED)
5089 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5091 || !TEST_false(info_cb_failed))
5099 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5100 TLS_client_method(),
5101 tlsvers, tlsvers, &sctx, &cctx, cert,
5106 * For even numbered tests we check the server callbacks. For odd numbers we
5109 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5110 sslapi_info_callback);
5112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5113 &clientssl, NULL, NULL))
5114 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5116 || !TEST_false(info_cb_failed))
5121 clntsess = SSL_get1_session(clientssl);
5122 SSL_shutdown(clientssl);
5123 SSL_shutdown(serverssl);
5124 SSL_free(serverssl);
5125 SSL_free(clientssl);
5126 serverssl = clientssl = NULL;
5128 /* Now do a resumption */
5129 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5131 || !TEST_true(SSL_set_session(clientssl, clntsess))
5132 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5134 || !TEST_true(SSL_session_reused(clientssl))
5135 || !TEST_false(info_cb_failed))
5141 SSL_free(serverssl);
5142 SSL_free(clientssl);
5143 SSL_SESSION_free(clntsess);
5149 static int test_ssl_pending(int tst)
5151 SSL_CTX *cctx = NULL, *sctx = NULL;
5152 SSL *clientssl = NULL, *serverssl = NULL;
5154 char msg[] = "A test message";
5156 size_t written, readbytes;
5159 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5160 TLS_client_method(),
5162 &sctx, &cctx, cert, privkey)))
5165 #ifndef OPENSSL_NO_DTLS
5166 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5167 DTLS_client_method(),
5169 &sctx, &cctx, cert, privkey)))
5176 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5178 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5182 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5183 || !TEST_false(SSL_has_pending(clientssl))
5184 || !TEST_int_eq(SSL_pending(serverssl), 0)
5185 || !TEST_false(SSL_has_pending(serverssl))
5186 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5187 || !TEST_size_t_eq(written, sizeof(msg))
5188 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5189 || !TEST_size_t_eq(readbytes, sizeof(buf))
5190 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5191 || !TEST_true(SSL_has_pending(clientssl)))
5197 SSL_free(serverssl);
5198 SSL_free(clientssl);
5206 unsigned int maxprot;
5207 const char *clntciphers;
5208 const char *clnttls13ciphers;
5209 const char *srvrciphers;
5210 const char *srvrtls13ciphers;
5212 } shared_ciphers_data[] = {
5214 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5215 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5217 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5220 "AES128-SHA:AES256-SHA",
5222 "AES256-SHA:DHE-RSA-AES128-SHA",
5228 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5230 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5232 "AES128-SHA:AES256-SHA"
5236 "AES128-SHA:AES256-SHA",
5238 "AES128-SHA:DHE-RSA-AES128-SHA",
5244 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5247 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5248 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5251 "AES128-SHA:AES256-SHA",
5253 "AES256-SHA:AES128-SHA256",
5255 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5256 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5259 #ifndef OPENSSL_NO_TLS1_3
5263 "TLS_AES_256_GCM_SHA384",
5265 "TLS_AES_256_GCM_SHA384",
5266 "TLS_AES_256_GCM_SHA384"
5271 static int test_ssl_get_shared_ciphers(int tst)
5273 SSL_CTX *cctx = NULL, *sctx = NULL;
5274 SSL *clientssl = NULL, *serverssl = NULL;
5278 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5279 TLS_client_method(),
5281 shared_ciphers_data[tst].maxprot,
5282 &sctx, &cctx, cert, privkey)))
5285 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5286 shared_ciphers_data[tst].clntciphers))
5287 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5288 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5289 shared_ciphers_data[tst].clnttls13ciphers)))
5290 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5291 shared_ciphers_data[tst].srvrciphers))
5292 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5293 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5294 shared_ciphers_data[tst].srvrtls13ciphers))))
5298 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5300 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5304 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5305 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5306 TEST_info("Shared ciphers are: %s\n", buf);
5313 SSL_free(serverssl);
5314 SSL_free(clientssl);
5321 static const char *appdata = "Hello World";
5322 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5323 static int tick_key_renew = 0;
5324 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5326 static int gen_tick_cb(SSL *s, void *arg)
5328 gen_tick_called = 1;
5330 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5334 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5335 const unsigned char *keyname,
5336 size_t keyname_length,
5337 SSL_TICKET_STATUS status,
5343 dec_tick_called = 1;
5345 if (status == SSL_TICKET_EMPTY)
5346 return SSL_TICKET_RETURN_IGNORE_RENEW;
5348 if (!TEST_true(status == SSL_TICKET_SUCCESS
5349 || status == SSL_TICKET_SUCCESS_RENEW))
5350 return SSL_TICKET_RETURN_ABORT;
5352 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5354 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5355 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5356 return SSL_TICKET_RETURN_ABORT;
5358 if (tick_key_cb_called) {
5359 /* Don't change what the ticket key callback wanted to do */
5361 case SSL_TICKET_NO_DECRYPT:
5362 return SSL_TICKET_RETURN_IGNORE_RENEW;
5364 case SSL_TICKET_SUCCESS:
5365 return SSL_TICKET_RETURN_USE;
5367 case SSL_TICKET_SUCCESS_RENEW:
5368 return SSL_TICKET_RETURN_USE_RENEW;
5371 return SSL_TICKET_RETURN_ABORT;
5374 return tick_dec_ret;
5378 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5379 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5380 HMAC_CTX *hctx, int enc)
5382 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5383 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5385 tick_key_cb_called = 1;
5386 memset(iv, 0, AES_BLOCK_SIZE);
5387 memset(key_name, 0, 16);
5388 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5389 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5390 EVP_sha256(), NULL))
5393 return tick_key_renew ? 2 : 1;
5397 * Test the various ticket callbacks
5398 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5399 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5400 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5401 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5402 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5403 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5404 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5405 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5406 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5407 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5408 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5409 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5411 static int test_ticket_callbacks(int tst)
5413 SSL_CTX *cctx = NULL, *sctx = NULL;
5414 SSL *clientssl = NULL, *serverssl = NULL;
5415 SSL_SESSION *clntsess = NULL;
5418 #ifdef OPENSSL_NO_TLS1_2
5422 #ifdef OPENSSL_NO_TLS1_3
5427 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5429 /* Which tests the ticket key callback should request renewal for */
5430 if (tst == 10 || tst == 11)
5435 /* Which tests the decrypt ticket callback should request renewal for */
5439 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5444 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5449 tick_dec_ret = SSL_TICKET_RETURN_USE;
5454 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5458 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5461 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5462 TLS_client_method(),
5464 ((tst % 2) == 0) ? TLS1_2_VERSION
5466 &sctx, &cctx, cert, privkey)))
5470 * We only want sessions to resume from tickets - not the session cache. So
5471 * switch the cache off.
5473 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5476 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5481 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5484 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5486 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5491 * The decrypt ticket key callback in TLSv1.2 should be called even though
5492 * we have no ticket yet, because it gets called with a status of
5493 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5494 * actually send any ticket data). This does not happen in TLSv1.3 because
5495 * it is not valid to send empty ticket data in TLSv1.3.
5497 if (!TEST_int_eq(gen_tick_called, 1)
5498 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5501 gen_tick_called = dec_tick_called = 0;
5503 clntsess = SSL_get1_session(clientssl);
5504 SSL_shutdown(clientssl);
5505 SSL_shutdown(serverssl);
5506 SSL_free(serverssl);
5507 SSL_free(clientssl);
5508 serverssl = clientssl = NULL;
5510 /* Now do a resumption */
5511 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5513 || !TEST_true(SSL_set_session(clientssl, clntsess))
5514 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5518 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5519 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5520 if (!TEST_false(SSL_session_reused(clientssl)))
5523 if (!TEST_true(SSL_session_reused(clientssl)))
5527 if (!TEST_int_eq(gen_tick_called,
5529 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5530 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5532 || !TEST_int_eq(dec_tick_called, 1))
5538 SSL_SESSION_free(clntsess);
5539 SSL_free(serverssl);
5540 SSL_free(clientssl);
5548 * Test bi-directional shutdown.
5550 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5551 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5552 * Test 3: TLSv1.3, pending NewSessionTicket messages
5553 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5554 * sends key update, client reads it
5555 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5556 * sends CertificateRequest, client reads and ignores it
5557 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
5560 static int test_shutdown(int tst)
5562 SSL_CTX *cctx = NULL, *sctx = NULL;
5563 SSL *clientssl = NULL, *serverssl = NULL;
5565 char msg[] = "A test message";
5567 size_t written, readbytes;
5570 #ifdef OPENSSL_NO_TLS1_2
5574 #ifdef OPENSSL_NO_TLS1_3
5579 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5580 TLS_client_method(),
5582 (tst <= 1) ? TLS1_2_VERSION
5584 &sctx, &cctx, cert, privkey)))
5588 SSL_CTX_set_post_handshake_auth(cctx, 1);
5590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5595 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5597 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5598 || !TEST_false(SSL_SESSION_is_resumable(sess)))
5600 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5602 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5603 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
5607 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5612 * Reading on the server after the client has sent close_notify should
5613 * fail and provide SSL_ERROR_ZERO_RETURN
5615 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5616 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5617 SSL_ERROR_ZERO_RETURN)
5618 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5619 SSL_RECEIVED_SHUTDOWN)
5621 * Even though we're shutdown on receive we should still be
5624 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5627 && !TEST_true(SSL_key_update(serverssl,
5628 SSL_KEY_UPDATE_REQUESTED)))
5631 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5632 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5635 if ((tst == 4 || tst == 5)
5636 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5638 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
5640 if (tst == 4 || tst == 5) {
5641 /* Should still be able to read data from server */
5642 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5644 || !TEST_size_t_eq(readbytes, sizeof(msg))
5645 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5646 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5648 || !TEST_size_t_eq(readbytes, sizeof(msg))
5649 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5654 /* Writing on the client after sending close_notify shouldn't be possible */
5655 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5660 * For these tests the client has sent close_notify but it has not yet
5661 * been received by the server. The server has not sent close_notify
5664 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5666 * Writing on the server after sending close_notify shouldn't
5669 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5670 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5671 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5672 || !TEST_true(SSL_SESSION_is_resumable(sess))
5673 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5675 } else if (tst == 4 || tst == 5) {
5677 * In this test the client has sent close_notify and it has been
5678 * received by the server which has responded with a close_notify. The
5679 * client needs to read the close_notify sent by the server.
5681 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
5682 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5683 || !TEST_true(SSL_SESSION_is_resumable(sess)))
5689 * The client has sent close_notify and is expecting a close_notify
5690 * back, but instead there is application data first. The shutdown
5691 * should fail with a fatal error.
5693 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5694 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5701 SSL_free(serverssl);
5702 SSL_free(clientssl);
5709 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5710 static int cert_cb_cnt;
5712 static int cert_cb(SSL *s, void *arg)
5714 SSL_CTX *ctx = (SSL_CTX *)arg;
5716 if (cert_cb_cnt == 0) {
5717 /* Suspend the handshake */
5720 } else if (cert_cb_cnt == 1) {
5722 * Update the SSL_CTX, set the certificate and private key and then
5723 * continue the handshake normally.
5725 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
5728 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
5729 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
5731 || !TEST_true(SSL_check_private_key(s)))
5737 /* Abort the handshake */
5742 * Test the certificate callback.
5743 * Test 0: Callback fails
5744 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
5745 * Test 2: Success - SSL_set_SSL_CTX() in the callback
5747 static int test_cert_cb_int(int prot, int tst)
5749 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
5750 SSL *clientssl = NULL, *serverssl = NULL;
5751 int testresult = 0, ret;
5753 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5754 TLS_client_method(),
5757 &sctx, &cctx, NULL, NULL)))
5765 snictx = SSL_CTX_new(TLS_server_method());
5766 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
5768 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5772 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5773 if (!TEST_true(tst == 0 ? !ret : ret)
5774 || (tst > 0 && !TEST_int_eq(cert_cb_cnt, 2))) {
5781 SSL_free(serverssl);
5782 SSL_free(clientssl);
5785 SSL_CTX_free(snictx);
5791 static int test_cert_cb(int tst)
5795 #ifndef OPENSSL_NO_TLS1_2
5796 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
5798 #ifndef OPENSSL_NO_TLS1_3
5799 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
5805 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
5811 /* Check that SSL_get_peer_certificate() returns something sensible */
5812 peer = SSL_get_peer_certificate(ssl);
5813 if (!TEST_ptr(peer))
5817 in = BIO_new_file(cert, "r");
5821 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
5823 if (!TEST_ptr(xcert))
5826 in = BIO_new_file(privkey, "r");
5827 if (!TEST_ptr(in)) {
5832 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
5834 if (!TEST_ptr(privpkey)) {
5845 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5850 static int test_client_cert_cb(int tst)
5852 SSL_CTX *cctx = NULL, *sctx = NULL;
5853 SSL *clientssl = NULL, *serverssl = NULL;
5856 #ifdef OPENSSL_NO_TLS1_2
5860 #ifdef OPENSSL_NO_TLS1_3
5865 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5866 TLS_client_method(),
5868 tst == 0 ? TLS1_2_VERSION
5870 &sctx, &cctx, cert, privkey)))
5874 * Test that setting a client_cert_cb results in a client certificate being
5877 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
5878 SSL_CTX_set_verify(sctx,
5879 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5882 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5884 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5891 SSL_free(serverssl);
5892 SSL_free(clientssl);
5899 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5901 * Test setting certificate authorities on both client and server.
5903 * Test 0: SSL_CTX_set0_CA_list() only
5904 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
5905 * Test 2: Only SSL_CTX_set_client_CA_list()
5907 static int test_ca_names_int(int prot, int tst)
5909 SSL_CTX *cctx = NULL, *sctx = NULL;
5910 SSL *clientssl = NULL, *serverssl = NULL;
5913 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
5914 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
5915 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
5916 const STACK_OF(X509_NAME) *sktmp = NULL;
5918 for (i = 0; i < OSSL_NELEM(name); i++) {
5919 name[i] = X509_NAME_new();
5920 if (!TEST_ptr(name[i])
5921 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
5929 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5930 TLS_client_method(),
5933 &sctx, &cctx, cert, privkey)))
5936 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
5938 if (tst == 0 || tst == 1) {
5939 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5940 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
5941 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
5942 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5943 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
5944 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
5947 SSL_CTX_set0_CA_list(sctx, sk1);
5948 SSL_CTX_set0_CA_list(cctx, sk2);
5951 if (tst == 1 || tst == 2) {
5952 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5953 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
5954 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
5955 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5956 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
5957 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
5960 SSL_CTX_set_client_CA_list(sctx, sk1);
5961 SSL_CTX_set_client_CA_list(cctx, sk2);
5965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5967 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5972 * We only expect certificate authorities to have been sent to the server
5973 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
5975 sktmp = SSL_get0_peer_CA_list(serverssl);
5976 if (prot == TLS1_3_VERSION
5977 && (tst == 0 || tst == 1)) {
5978 if (!TEST_ptr(sktmp)
5979 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
5980 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
5982 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
5985 } else if (!TEST_ptr_null(sktmp)) {
5990 * In all tests we expect certificate authorities to have been sent to the
5991 * client. However, SSL_set_client_CA_list() should override
5992 * SSL_set0_CA_list()
5994 sktmp = SSL_get0_peer_CA_list(clientssl);
5995 if (!TEST_ptr(sktmp)
5996 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
5997 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
5998 name[tst == 0 ? 0 : 2]), 0)
5999 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6000 name[tst == 0 ? 1 : 3]), 0))
6006 SSL_free(serverssl);
6007 SSL_free(clientssl);
6010 for (i = 0; i < OSSL_NELEM(name); i++)
6011 X509_NAME_free(name[i]);
6012 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6013 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6019 static int test_ca_names(int tst)
6023 #ifndef OPENSSL_NO_TLS1_2
6024 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6026 #ifndef OPENSSL_NO_TLS1_3
6027 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6033 int setup_tests(void)
6035 if (!TEST_ptr(cert = test_get_argument(0))
6036 || !TEST_ptr(privkey = test_get_argument(1))
6037 || !TEST_ptr(srpvfile = test_get_argument(2))
6038 || !TEST_ptr(tmpfilename = test_get_argument(3)))
6041 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6042 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6043 TEST_error("not supported in this build");
6046 int i, mcount, rcount, fcount;
6048 for (i = 0; i < 4; i++)
6049 test_export_key_mat(i);
6050 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6051 test_printf_stdout("malloc %d realloc %d free %d\n",
6052 mcount, rcount, fcount);
6057 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6058 && !defined(OPENSSL_NO_SOCK)
6059 ADD_TEST(test_ktls_client_server);
6060 ADD_TEST(test_ktls_no_client_server);
6061 ADD_TEST(test_ktls_client_no_server);
6062 ADD_TEST(test_ktls_no_client_no_server);
6064 ADD_TEST(test_large_message_tls);
6065 ADD_TEST(test_large_message_tls_read_ahead);
6066 #ifndef OPENSSL_NO_DTLS
6067 ADD_TEST(test_large_message_dtls);
6069 #ifndef OPENSSL_NO_OCSP
6070 ADD_TEST(test_tlsext_status_type);
6072 ADD_TEST(test_session_with_only_int_cache);
6073 ADD_TEST(test_session_with_only_ext_cache);
6074 ADD_TEST(test_session_with_both_cache);
6075 #ifndef OPENSSL_NO_TLS1_3
6076 ADD_ALL_TESTS(test_stateful_tickets, 3);
6077 ADD_ALL_TESTS(test_stateless_tickets, 3);
6078 ADD_TEST(test_psk_tickets);
6080 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6081 ADD_TEST(test_ssl_bio_pop_next_bio);
6082 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6083 ADD_TEST(test_ssl_bio_change_rbio);
6084 ADD_TEST(test_ssl_bio_change_wbio);
6085 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6086 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6087 ADD_TEST(test_keylog);
6089 #ifndef OPENSSL_NO_TLS1_3
6090 ADD_TEST(test_keylog_no_master_key);
6092 #ifndef OPENSSL_NO_TLS1_2
6093 ADD_TEST(test_client_hello_cb);
6095 #ifndef OPENSSL_NO_TLS1_3
6096 ADD_ALL_TESTS(test_early_data_read_write, 3);
6098 * We don't do replay tests for external PSK. Replay protection isn't used
6101 ADD_ALL_TESTS(test_early_data_replay, 2);
6102 ADD_ALL_TESTS(test_early_data_skip, 3);
6103 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6104 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6105 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6106 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6107 ADD_ALL_TESTS(test_early_data_psk, 8);
6108 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6109 # ifndef OPENSSL_NO_TLS1_2
6110 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6113 #ifndef OPENSSL_NO_TLS1_3
6114 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6115 ADD_TEST(test_ciphersuite_change);
6116 #ifdef OPENSSL_NO_PSK
6117 ADD_ALL_TESTS(test_tls13_psk, 1);
6119 ADD_ALL_TESTS(test_tls13_psk, 4);
6120 #endif /* OPENSSL_NO_PSK */
6121 ADD_ALL_TESTS(test_custom_exts, 5);
6122 ADD_TEST(test_stateless);
6123 ADD_TEST(test_pha_key_update);
6125 ADD_ALL_TESTS(test_custom_exts, 3);
6127 ADD_ALL_TESTS(test_serverinfo, 8);
6128 ADD_ALL_TESTS(test_export_key_mat, 6);
6129 #ifndef OPENSSL_NO_TLS1_3
6130 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6132 ADD_ALL_TESTS(test_ssl_clear, 2);
6133 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6134 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6135 ADD_ALL_TESTS(test_srp, 6);
6137 ADD_ALL_TESTS(test_info_callback, 6);
6138 ADD_ALL_TESTS(test_ssl_pending, 2);
6139 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6140 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6141 ADD_ALL_TESTS(test_shutdown, 7);
6142 ADD_ALL_TESTS(test_cert_cb, 3);
6143 ADD_ALL_TESTS(test_client_cert_cb, 2);
6144 ADD_ALL_TESTS(test_ca_names, 3);
6148 void cleanup_tests(void)
6150 bio_s_mempacket_test_free();