2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
20 #include "ssltestlib.h"
22 #include "testutil/output.h"
23 #include "internal/nelem.h"
24 #include "../ssl/ssl_locl.h"
26 static char *cert = NULL;
27 static char *privkey = NULL;
28 static char *srpvfile = NULL;
29 static char *tmpfilename = NULL;
31 #define LOG_BUFFER_SIZE 1024
32 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
33 static size_t server_log_buffer_index = 0;
34 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
35 static size_t client_log_buffer_index = 0;
36 static int error_writing_log = 0;
38 #ifndef OPENSSL_NO_OCSP
39 static const unsigned char orespder[] = "Dummy OCSP Response";
40 static int ocsp_server_called = 0;
41 static int ocsp_client_called = 0;
43 static int cdummyarg = 1;
44 static X509 *ocspcert = NULL;
47 #define NUM_EXTRA_CERTS 40
48 #define CLIENT_VERSION_LEN 2
51 * This structure is used to validate that the correct number of log messages
52 * of various types are emitted when emitting secret logs.
54 struct sslapitest_log_counts {
55 unsigned int rsa_key_exchange_count;
56 unsigned int master_secret_count;
57 unsigned int client_handshake_secret_count;
58 unsigned int server_handshake_secret_count;
59 unsigned int client_application_secret_count;
60 unsigned int server_application_secret_count;
64 static unsigned char serverinfov1[] = {
65 0xff, 0xff, /* Dummy extension type */
66 0x00, 0x01, /* Extension length is 1 byte */
67 0xff /* Dummy extension data */
70 static unsigned char serverinfov2[] = {
72 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
73 0xff, 0xff, /* Dummy extension type */
74 0x00, 0x01, /* Extension length is 1 byte */
75 0xff /* Dummy extension data */
78 static void client_keylog_callback(const SSL *ssl, const char *line)
80 int line_length = strlen(line);
82 /* If the log doesn't fit, error out. */
83 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
84 TEST_info("Client log too full");
85 error_writing_log = 1;
89 strcat(client_log_buffer, line);
90 client_log_buffer_index += line_length;
91 client_log_buffer[client_log_buffer_index++] = '\n';
94 static void server_keylog_callback(const SSL *ssl, const char *line)
96 int line_length = strlen(line);
98 /* If the log doesn't fit, error out. */
99 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
100 TEST_info("Server log too full");
101 error_writing_log = 1;
105 strcat(server_log_buffer, line);
106 server_log_buffer_index += line_length;
107 server_log_buffer[server_log_buffer_index++] = '\n';
110 static int compare_hex_encoded_buffer(const char *hex_encoded,
118 if (!TEST_size_t_eq(raw_length * 2, hex_length))
121 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
122 sprintf(hexed, "%02x", raw[i]);
123 if (!TEST_int_eq(hexed[0], hex_encoded[j])
124 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
131 static int test_keylog_output(char *buffer, const SSL *ssl,
132 const SSL_SESSION *session,
133 struct sslapitest_log_counts *expected)
136 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
137 size_t client_random_size = SSL3_RANDOM_SIZE;
138 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
139 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
140 unsigned int rsa_key_exchange_count = 0;
141 unsigned int master_secret_count = 0;
142 unsigned int client_handshake_secret_count = 0;
143 unsigned int server_handshake_secret_count = 0;
144 unsigned int client_application_secret_count = 0;
145 unsigned int server_application_secret_count = 0;
147 for (token = strtok(buffer, " \n"); token != NULL;
148 token = strtok(NULL, " \n")) {
149 if (strcmp(token, "RSA") == 0) {
151 * Premaster secret. Tokens should be: 16 ASCII bytes of
152 * hex-encoded encrypted secret, then the hex-encoded pre-master
155 if (!TEST_ptr(token = strtok(NULL, " \n")))
157 if (!TEST_size_t_eq(strlen(token), 16))
159 if (!TEST_ptr(token = strtok(NULL, " \n")))
162 * We can't sensibly check the log because the premaster secret is
163 * transient, and OpenSSL doesn't keep hold of it once the master
164 * secret is generated.
166 rsa_key_exchange_count++;
167 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
169 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
170 * client random, then the hex-encoded master secret.
172 client_random_size = SSL_get_client_random(ssl,
173 actual_client_random,
175 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
178 if (!TEST_ptr(token = strtok(NULL, " \n")))
180 if (!TEST_size_t_eq(strlen(token), 64))
182 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
183 actual_client_random,
184 client_random_size)))
187 if (!TEST_ptr(token = strtok(NULL, " \n")))
189 master_key_size = SSL_SESSION_get_master_key(session,
192 if (!TEST_size_t_ne(master_key_size, 0))
194 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
198 master_secret_count++;
199 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
200 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
201 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
202 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
204 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
205 * client random, and then the hex-encoded secret. In this case,
206 * we treat all of these secrets identically and then just
207 * distinguish between them when counting what we saw.
209 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
210 client_handshake_secret_count++;
211 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
212 server_handshake_secret_count++;
213 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
214 client_application_secret_count++;
215 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
216 server_application_secret_count++;
218 client_random_size = SSL_get_client_random(ssl,
219 actual_client_random,
221 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
224 if (!TEST_ptr(token = strtok(NULL, " \n")))
226 if (!TEST_size_t_eq(strlen(token), 64))
228 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
229 actual_client_random,
230 client_random_size)))
233 if (!TEST_ptr(token = strtok(NULL, " \n")))
237 * TODO(TLS1.3): test that application traffic secrets are what
240 TEST_info("Unexpected token %s\n", token);
245 /* Got what we expected? */
246 if (!TEST_size_t_eq(rsa_key_exchange_count,
247 expected->rsa_key_exchange_count)
248 || !TEST_size_t_eq(master_secret_count,
249 expected->master_secret_count)
250 || !TEST_size_t_eq(client_handshake_secret_count,
251 expected->client_handshake_secret_count)
252 || !TEST_size_t_eq(server_handshake_secret_count,
253 expected->server_handshake_secret_count)
254 || !TEST_size_t_eq(client_application_secret_count,
255 expected->client_application_secret_count)
256 || !TEST_size_t_eq(server_application_secret_count,
257 expected->server_application_secret_count))
262 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
263 static int test_keylog(void)
265 SSL_CTX *cctx = NULL, *sctx = NULL;
266 SSL *clientssl = NULL, *serverssl = NULL;
268 struct sslapitest_log_counts expected = {0};
270 /* Clean up logging space */
271 memset(client_log_buffer, 0, sizeof(client_log_buffer));
272 memset(server_log_buffer, 0, sizeof(server_log_buffer));
273 client_log_buffer_index = 0;
274 server_log_buffer_index = 0;
275 error_writing_log = 0;
277 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
279 TLS1_VERSION, TLS_MAX_VERSION,
280 &sctx, &cctx, cert, privkey)))
283 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
284 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
285 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
287 /* We also want to ensure that we use RSA-based key exchange. */
288 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
291 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
292 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
294 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
295 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
296 == client_keylog_callback))
298 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
299 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
300 == server_keylog_callback))
303 /* Now do a handshake and check that the logs have been written to. */
304 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
305 &clientssl, NULL, NULL))
306 || !TEST_true(create_ssl_connection(serverssl, clientssl,
308 || !TEST_false(error_writing_log)
309 || !TEST_int_gt(client_log_buffer_index, 0)
310 || !TEST_int_gt(server_log_buffer_index, 0))
314 * Now we want to test that our output data was vaguely sensible. We
315 * do that by using strtok and confirming that we have more or less the
316 * data we expect. For both client and server, we expect to see one master
317 * secret. The client should also see a RSA key exchange.
319 expected.rsa_key_exchange_count = 1;
320 expected.master_secret_count = 1;
321 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
322 SSL_get_session(clientssl), &expected)))
325 expected.rsa_key_exchange_count = 0;
326 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
327 SSL_get_session(serverssl), &expected)))
342 #ifndef OPENSSL_NO_TLS1_3
343 static int test_keylog_no_master_key(void)
345 SSL_CTX *cctx = NULL, *sctx = NULL;
346 SSL *clientssl = NULL, *serverssl = NULL;
348 struct sslapitest_log_counts expected = {0};
350 /* Clean up logging space */
351 memset(client_log_buffer, 0, sizeof(client_log_buffer));
352 memset(server_log_buffer, 0, sizeof(server_log_buffer));
353 client_log_buffer_index = 0;
354 server_log_buffer_index = 0;
355 error_writing_log = 0;
357 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
358 TLS1_VERSION, TLS_MAX_VERSION,
359 &sctx, &cctx, cert, privkey)))
362 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
363 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
366 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
367 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
368 == client_keylog_callback))
371 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
372 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
373 == server_keylog_callback))
376 /* Now do a handshake and check that the logs have been written to. */
377 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
378 &clientssl, NULL, NULL))
379 || !TEST_true(create_ssl_connection(serverssl, clientssl,
381 || !TEST_false(error_writing_log))
385 * Now we want to test that our output data was vaguely sensible. For this
386 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
387 * TLSv1.3, but we do expect both client and server to emit keys.
389 expected.client_handshake_secret_count = 1;
390 expected.server_handshake_secret_count = 1;
391 expected.client_application_secret_count = 1;
392 expected.server_application_secret_count = 1;
393 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
394 SSL_get_session(clientssl), &expected))
395 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
396 SSL_get_session(serverssl),
412 #ifndef OPENSSL_NO_TLS1_2
413 static int full_client_hello_callback(SSL *s, int *al, void *arg)
416 const unsigned char *p;
418 /* We only configure two ciphers, but the SCSV is added automatically. */
420 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
422 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
425 const int expected_extensions[] = {
426 #ifndef OPENSSL_NO_EC
432 /* Make sure we can defer processing and get called back. */
434 return SSL_CLIENT_HELLO_RETRY;
436 len = SSL_client_hello_get0_ciphers(s, &p);
437 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
439 SSL_client_hello_get0_compression_methods(s, &p), 1)
440 || !TEST_int_eq(*p, 0))
441 return SSL_CLIENT_HELLO_ERROR;
442 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
443 return SSL_CLIENT_HELLO_ERROR;
444 if (len != OSSL_NELEM(expected_extensions) ||
445 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
446 printf("ClientHello callback expected extensions mismatch\n");
448 return SSL_CLIENT_HELLO_ERROR;
451 return SSL_CLIENT_HELLO_SUCCESS;
454 static int test_client_hello_cb(void)
456 SSL_CTX *cctx = NULL, *sctx = NULL;
457 SSL *clientssl = NULL, *serverssl = NULL;
458 int testctr = 0, testresult = 0;
460 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
461 TLS1_VERSION, TLS_MAX_VERSION,
462 &sctx, &cctx, cert, privkey)))
464 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
466 /* The gimpy cipher list we configure can't do TLS 1.3. */
467 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
469 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
470 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
471 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
472 &clientssl, NULL, NULL))
473 || !TEST_false(create_ssl_connection(serverssl, clientssl,
474 SSL_ERROR_WANT_CLIENT_HELLO_CB))
476 * Passing a -1 literal is a hack since
477 * the real value was lost.
479 || !TEST_int_eq(SSL_get_error(serverssl, -1),
480 SSL_ERROR_WANT_CLIENT_HELLO_CB)
481 || !TEST_true(create_ssl_connection(serverssl, clientssl,
497 static int execute_test_large_message(const SSL_METHOD *smeth,
498 const SSL_METHOD *cmeth,
499 int min_version, int max_version,
502 SSL_CTX *cctx = NULL, *sctx = NULL;
503 SSL *clientssl = NULL, *serverssl = NULL;
507 X509 *chaincert = NULL;
510 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
512 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
515 if (!TEST_ptr(chaincert))
518 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
519 &sctx, &cctx, cert, privkey)))
524 * Test that read_ahead works correctly when dealing with large
527 SSL_CTX_set_read_ahead(cctx, 1);
531 * We assume the supplied certificate is big enough so that if we add
532 * NUM_EXTRA_CERTS it will make the overall message large enough. The
533 * default buffer size is requested to be 16k, but due to the way BUF_MEM
534 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
535 * test we need to have a message larger than that.
537 certlen = i2d_X509(chaincert, NULL);
538 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
539 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
540 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
541 if (!X509_up_ref(chaincert))
543 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
544 X509_free(chaincert);
549 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
551 || !TEST_true(create_ssl_connection(serverssl, clientssl,
556 * Calling SSL_clear() first is not required but this tests that SSL_clear()
557 * doesn't leak (when using enable-crypto-mdebug).
559 if (!TEST_true(SSL_clear(serverssl)))
564 X509_free(chaincert);
573 static int test_large_message_tls(void)
575 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
576 TLS1_VERSION, TLS_MAX_VERSION,
580 static int test_large_message_tls_read_ahead(void)
582 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
583 TLS1_VERSION, TLS_MAX_VERSION,
587 #ifndef OPENSSL_NO_DTLS
588 static int test_large_message_dtls(void)
591 * read_ahead is not relevant to DTLS because DTLS always acts as if
594 return execute_test_large_message(DTLS_server_method(),
595 DTLS_client_method(),
596 DTLS1_VERSION, DTLS_MAX_VERSION,
601 #ifndef OPENSSL_NO_OCSP
602 static int ocsp_server_cb(SSL *s, void *arg)
604 int *argi = (int *)arg;
605 unsigned char *copy = NULL;
606 STACK_OF(OCSP_RESPID) *ids = NULL;
607 OCSP_RESPID *id = NULL;
610 /* In this test we are expecting exactly 1 OCSP_RESPID */
611 SSL_get_tlsext_status_ids(s, &ids);
612 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
613 return SSL_TLSEXT_ERR_ALERT_FATAL;
615 id = sk_OCSP_RESPID_value(ids, 0);
616 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
617 return SSL_TLSEXT_ERR_ALERT_FATAL;
618 } else if (*argi != 1) {
619 return SSL_TLSEXT_ERR_ALERT_FATAL;
622 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
623 return SSL_TLSEXT_ERR_ALERT_FATAL;
625 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
626 ocsp_server_called = 1;
627 return SSL_TLSEXT_ERR_OK;
630 static int ocsp_client_cb(SSL *s, void *arg)
632 int *argi = (int *)arg;
633 const unsigned char *respderin;
636 if (*argi != 1 && *argi != 2)
639 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
640 if (!TEST_mem_eq(orespder, len, respderin, len))
643 ocsp_client_called = 1;
647 static int test_tlsext_status_type(void)
649 SSL_CTX *cctx = NULL, *sctx = NULL;
650 SSL *clientssl = NULL, *serverssl = NULL;
652 STACK_OF(OCSP_RESPID) *ids = NULL;
653 OCSP_RESPID *id = NULL;
656 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
657 TLS1_VERSION, TLS_MAX_VERSION,
658 &sctx, &cctx, cert, privkey))
661 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
664 /* First just do various checks getting and setting tlsext_status_type */
666 clientssl = SSL_new(cctx);
667 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
668 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
669 TLSEXT_STATUSTYPE_ocsp))
670 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
671 TLSEXT_STATUSTYPE_ocsp))
677 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
678 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
681 clientssl = SSL_new(cctx);
682 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
688 * Now actually do a handshake and check OCSP information is exchanged and
689 * the callbacks get called
691 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
692 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
693 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
694 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
695 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
696 &clientssl, NULL, NULL))
697 || !TEST_true(create_ssl_connection(serverssl, clientssl,
699 || !TEST_true(ocsp_client_called)
700 || !TEST_true(ocsp_server_called))
707 /* Try again but this time force the server side callback to fail */
708 ocsp_client_called = 0;
709 ocsp_server_called = 0;
711 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
712 &clientssl, NULL, NULL))
713 /* This should fail because the callback will fail */
714 || !TEST_false(create_ssl_connection(serverssl, clientssl,
716 || !TEST_false(ocsp_client_called)
717 || !TEST_false(ocsp_server_called))
725 * This time we'll get the client to send an OCSP_RESPID that it will
728 ocsp_client_called = 0;
729 ocsp_server_called = 0;
731 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
732 &clientssl, NULL, NULL)))
736 * We'll just use any old cert for this test - it doesn't have to be an OCSP
737 * specific one. We'll use the server cert.
739 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
740 || !TEST_ptr(id = OCSP_RESPID_new())
741 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
742 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
744 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
745 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
748 SSL_set_tlsext_status_ids(clientssl, ids);
749 /* Control has been transferred */
755 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
757 || !TEST_true(ocsp_client_called)
758 || !TEST_true(ocsp_server_called))
768 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
769 OCSP_RESPID_free(id);
778 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
779 static int new_called, remove_called, get_called;
781 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
785 * sess has been up-refed for us, but we don't actually need it so free it
788 SSL_SESSION_free(sess);
792 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
797 static SSL_SESSION *get_sess_val = NULL;
799 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
807 static int execute_test_session(int maxprot, int use_int_cache,
810 SSL_CTX *sctx = NULL, *cctx = NULL;
811 SSL *serverssl1 = NULL, *clientssl1 = NULL;
812 SSL *serverssl2 = NULL, *clientssl2 = NULL;
813 # ifndef OPENSSL_NO_TLS1_1
814 SSL *serverssl3 = NULL, *clientssl3 = NULL;
816 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
819 new_called = remove_called = 0;
821 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
822 TLS1_VERSION, TLS_MAX_VERSION,
823 &sctx, &cctx, cert, privkey)))
827 * Only allow the max protocol version so we can force a connection failure
830 SSL_CTX_set_min_proto_version(cctx, maxprot);
831 SSL_CTX_set_max_proto_version(cctx, maxprot);
833 /* Set up session cache */
835 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
836 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
839 /* Also covers instance where both are set */
840 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
842 SSL_CTX_set_session_cache_mode(cctx,
843 SSL_SESS_CACHE_CLIENT
844 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
847 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
849 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
851 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
854 /* Should fail because it should already be in the cache */
855 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
858 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
861 new_called = remove_called = 0;
862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
863 &clientssl2, NULL, NULL))
864 || !TEST_true(SSL_set_session(clientssl2, sess1))
865 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
867 || !TEST_true(SSL_session_reused(clientssl2)))
870 if (maxprot == TLS1_3_VERSION) {
872 * In TLSv1.3 we should have created a new session even though we have
873 * resumed. The original session should also have been removed.
876 && (!TEST_int_eq(new_called, 1)
877 || !TEST_int_eq(remove_called, 1)))
881 * In TLSv1.2 we expect to have resumed so no sessions added or
885 && (!TEST_int_eq(new_called, 0)
886 || !TEST_int_eq(remove_called, 0)))
890 SSL_SESSION_free(sess1);
891 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
893 shutdown_ssl_connection(serverssl2, clientssl2);
894 serverssl2 = clientssl2 = NULL;
896 new_called = remove_called = 0;
897 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
898 &clientssl2, NULL, NULL))
899 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
903 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
907 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
910 new_called = remove_called = 0;
912 * This should clear sess2 from the cache because it is a "bad" session.
913 * See SSL_set_session() documentation.
915 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
918 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
920 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
924 /* Should succeeded because it should not already be in the cache */
925 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
926 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
930 new_called = remove_called = 0;
931 /* This shouldn't be in the cache so should fail */
932 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
936 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
939 # if !defined(OPENSSL_NO_TLS1_1)
940 new_called = remove_called = 0;
941 /* Force a connection failure */
942 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
944 &clientssl3, NULL, NULL))
945 || !TEST_true(SSL_set_session(clientssl3, sess1))
946 /* This should fail because of the mismatched protocol versions */
947 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
951 /* We should have automatically removed the session from the cache */
953 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
956 /* Should succeed because it should not already be in the cache */
957 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
961 /* Now do some tests for server side caching */
963 SSL_CTX_sess_set_new_cb(cctx, NULL);
964 SSL_CTX_sess_set_remove_cb(cctx, NULL);
965 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
966 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
967 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
971 SSL_CTX_set_session_cache_mode(cctx, 0);
972 /* Internal caching is the default on the server side */
974 SSL_CTX_set_session_cache_mode(sctx,
975 SSL_SESS_CACHE_SERVER
976 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
978 SSL_free(serverssl1);
979 SSL_free(clientssl1);
980 serverssl1 = clientssl1 = NULL;
981 SSL_free(serverssl2);
982 SSL_free(clientssl2);
983 serverssl2 = clientssl2 = NULL;
984 SSL_SESSION_free(sess1);
986 SSL_SESSION_free(sess2);
989 SSL_CTX_set_max_proto_version(sctx, maxprot);
990 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
991 new_called = remove_called = get_called = 0;
992 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
994 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
996 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
997 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1000 /* Should fail because it should already be in the cache */
1001 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
1004 if (use_ext_cache) {
1005 SSL_SESSION *tmp = sess2;
1007 if (!TEST_int_eq(new_called, 1)
1008 || !TEST_int_eq(remove_called, 0)
1009 || !TEST_int_eq(get_called, 0))
1012 * Delete the session from the internal cache to force a lookup from
1013 * the external cache. We take a copy first because
1014 * SSL_CTX_remove_session() also marks the session as non-resumable.
1016 if (use_int_cache) {
1017 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1018 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1020 SSL_SESSION_free(sess2);
1025 new_called = remove_called = get_called = 0;
1026 get_sess_val = sess2;
1027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1028 &clientssl2, NULL, NULL))
1029 || !TEST_true(SSL_set_session(clientssl2, sess1))
1030 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1032 || !TEST_true(SSL_session_reused(clientssl2)))
1035 if (use_ext_cache) {
1036 if (!TEST_int_eq(remove_called, 0))
1039 if (maxprot == TLS1_3_VERSION) {
1041 * Every time we issue a NewSessionTicket we are creating a new
1042 * session for next time in TLSv1.3
1044 if (!TEST_int_eq(new_called, 1)
1045 || !TEST_int_eq(get_called, 0))
1048 if (!TEST_int_eq(new_called, 0)
1049 || !TEST_int_eq(get_called, 1))
1057 SSL_free(serverssl1);
1058 SSL_free(clientssl1);
1059 SSL_free(serverssl2);
1060 SSL_free(clientssl2);
1061 # ifndef OPENSSL_NO_TLS1_1
1062 SSL_free(serverssl3);
1063 SSL_free(clientssl3);
1065 SSL_SESSION_free(sess1);
1066 SSL_SESSION_free(sess2);
1072 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1074 static int test_session_with_only_int_cache(void)
1076 #ifndef OPENSSL_NO_TLS1_3
1077 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1081 #ifndef OPENSSL_NO_TLS1_2
1082 return execute_test_session(TLS1_2_VERSION, 1, 0);
1088 static int test_session_with_only_ext_cache(void)
1090 #ifndef OPENSSL_NO_TLS1_3
1091 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1095 #ifndef OPENSSL_NO_TLS1_2
1096 return execute_test_session(TLS1_2_VERSION, 0, 1);
1102 static int test_session_with_both_cache(void)
1104 #ifndef OPENSSL_NO_TLS1_3
1105 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1109 #ifndef OPENSSL_NO_TLS1_2
1110 return execute_test_session(TLS1_2_VERSION, 1, 1);
1119 #define USE_DEFAULT 3
1121 #define CONNTYPE_CONNECTION_SUCCESS 0
1122 #define CONNTYPE_CONNECTION_FAIL 1
1123 #define CONNTYPE_NO_CONNECTION 2
1125 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1126 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1127 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1128 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1130 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1134 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1135 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1136 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1138 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1155 * Tests calls to SSL_set_bio() under various conditions.
1157 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1158 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1159 * then do more tests where we create a successful connection first using our
1160 * standard connection setup functions, and then call SSL_set_bio() with
1161 * various combinations of valid BIOs or NULL. We then repeat these tests
1162 * following a failed connection. In this last case we are looking to check that
1163 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1165 static int test_ssl_set_bio(int idx)
1167 SSL_CTX *sctx = NULL, *cctx = NULL;
1170 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1171 SSL *serverssl = NULL, *clientssl = NULL;
1172 int initrbio, initwbio, newrbio, newwbio, conntype;
1175 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1183 conntype = CONNTYPE_NO_CONNECTION;
1185 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1186 initrbio = initwbio = USE_DEFAULT;
1194 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1195 TLS1_VERSION, TLS_MAX_VERSION,
1196 &sctx, &cctx, cert, privkey)))
1199 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1201 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1202 * because we reduced the number of tests in the definition of
1203 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1204 * mismatched protocol versions we will force a connection failure.
1206 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1207 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1210 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1214 if (initrbio == USE_BIO_1
1215 || initwbio == USE_BIO_1
1216 || newrbio == USE_BIO_1
1217 || newwbio == USE_BIO_1) {
1218 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1222 if (initrbio == USE_BIO_2
1223 || initwbio == USE_BIO_2
1224 || newrbio == USE_BIO_2
1225 || newwbio == USE_BIO_2) {
1226 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1230 if (initrbio != USE_DEFAULT) {
1231 setupbio(&irbio, bio1, bio2, initrbio);
1232 setupbio(&iwbio, bio1, bio2, initwbio);
1233 SSL_set_bio(clientssl, irbio, iwbio);
1236 * We want to maintain our own refs to these BIO, so do an up ref for
1237 * each BIO that will have ownership transferred in the SSL_set_bio()
1242 if (iwbio != NULL && iwbio != irbio)
1246 if (conntype != CONNTYPE_NO_CONNECTION
1247 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1249 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1252 setupbio(&nrbio, bio1, bio2, newrbio);
1253 setupbio(&nwbio, bio1, bio2, newwbio);
1256 * We will (maybe) transfer ownership again so do more up refs.
1257 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1262 && (nwbio != iwbio || nrbio != nwbio))
1266 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1269 SSL_set_bio(clientssl, nrbio, nwbio);
1278 * This test is checking that the ref counting for SSL_set_bio is correct.
1279 * If we get here and we did too many frees then we will fail in the above
1280 * functions. If we haven't done enough then this will only be detected in
1281 * a crypto-mdebug build
1283 SSL_free(serverssl);
1284 SSL_free(clientssl);
1290 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1292 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1294 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1299 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1300 || !TEST_ptr(ssl = SSL_new(ctx))
1301 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1302 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1305 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1308 * If anything goes wrong here then we could leak memory, so this will
1309 * be caught in a crypto-mdebug build
1311 BIO_push(sslbio, membio1);
1313 /* Verify changing the rbio/wbio directly does not cause leaks */
1314 if (change_bio != NO_BIO_CHANGE) {
1315 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1317 if (change_bio == CHANGE_RBIO)
1318 SSL_set0_rbio(ssl, membio2);
1320 SSL_set0_wbio(ssl, membio2);
1339 static int test_ssl_bio_pop_next_bio(void)
1341 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1344 static int test_ssl_bio_pop_ssl_bio(void)
1346 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1349 static int test_ssl_bio_change_rbio(void)
1351 return execute_test_ssl_bio(0, CHANGE_RBIO);
1354 static int test_ssl_bio_change_wbio(void)
1356 return execute_test_ssl_bio(0, CHANGE_WBIO);
1359 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1361 /* The list of sig algs */
1363 /* The length of the list */
1365 /* A sigalgs list in string format */
1366 const char *liststr;
1367 /* Whether setting the list should succeed */
1369 /* Whether creating a connection with the list should succeed */
1373 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1374 # ifndef OPENSSL_NO_EC
1375 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1376 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1378 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1379 static const int invalidlist2[] = {NID_sha256, NID_undef};
1380 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1381 static const int invalidlist4[] = {NID_sha256};
1382 static const sigalgs_list testsigalgs[] = {
1383 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1384 # ifndef OPENSSL_NO_EC
1385 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1386 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1388 {NULL, 0, "RSA+SHA256", 1, 1},
1389 # ifndef OPENSSL_NO_EC
1390 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1391 {NULL, 0, "ECDSA+SHA512", 1, 0},
1393 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1394 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1395 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1396 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1397 {NULL, 0, "RSA", 0, 0},
1398 {NULL, 0, "SHA256", 0, 0},
1399 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1400 {NULL, 0, "Invalid", 0, 0}
1403 static int test_set_sigalgs(int idx)
1405 SSL_CTX *cctx = NULL, *sctx = NULL;
1406 SSL *clientssl = NULL, *serverssl = NULL;
1408 const sigalgs_list *curr;
1411 /* Should never happen */
1412 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1415 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1416 curr = testctx ? &testsigalgs[idx]
1417 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1419 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1420 TLS1_VERSION, TLS_MAX_VERSION,
1421 &sctx, &cctx, cert, privkey)))
1425 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1426 * for TLSv1.2 for now until we add a new API.
1428 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1433 if (curr->list != NULL)
1434 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1436 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1440 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1446 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1451 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1452 &clientssl, NULL, NULL)))
1458 if (curr->list != NULL)
1459 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1461 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1464 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1473 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1481 SSL_free(serverssl);
1482 SSL_free(clientssl);
1490 #ifndef OPENSSL_NO_TLS1_3
1492 static SSL_SESSION *clientpsk = NULL;
1493 static SSL_SESSION *serverpsk = NULL;
1494 static const char *pskid = "Identity";
1495 static const char *srvid;
1497 static int use_session_cb_cnt = 0;
1498 static int find_session_cb_cnt = 0;
1499 static int psk_client_cb_cnt = 0;
1500 static int psk_server_cb_cnt = 0;
1502 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1503 size_t *idlen, SSL_SESSION **sess)
1505 switch (++use_session_cb_cnt) {
1507 /* The first call should always have a NULL md */
1513 /* The second call should always have an md */
1519 /* We should only be called a maximum of twice */
1523 if (clientpsk != NULL)
1524 SSL_SESSION_up_ref(clientpsk);
1527 *id = (const unsigned char *)pskid;
1528 *idlen = strlen(pskid);
1533 #ifndef OPENSSL_NO_PSK
1534 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1535 unsigned int max_id_len,
1537 unsigned int max_psk_len)
1539 unsigned int psklen = 0;
1541 psk_client_cb_cnt++;
1543 if (strlen(pskid) + 1 > max_id_len)
1546 /* We should only ever be called a maximum of twice per connection */
1547 if (psk_client_cb_cnt > 2)
1550 if (clientpsk == NULL)
1553 /* We'll reuse the PSK we set up for TLSv1.3 */
1554 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1556 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1557 strncpy(id, pskid, max_id_len);
1561 #endif /* OPENSSL_NO_PSK */
1563 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1564 size_t identity_len, SSL_SESSION **sess)
1566 find_session_cb_cnt++;
1568 /* We should only ever be called a maximum of twice per connection */
1569 if (find_session_cb_cnt > 2)
1572 if (serverpsk == NULL)
1575 /* Identity should match that set by the client */
1576 if (strlen(srvid) != identity_len
1577 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1578 /* No PSK found, continue but without a PSK */
1583 SSL_SESSION_up_ref(serverpsk);
1589 #ifndef OPENSSL_NO_PSK
1590 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1591 unsigned char *psk, unsigned int max_psk_len)
1593 unsigned int psklen = 0;
1595 psk_server_cb_cnt++;
1597 /* We should only ever be called a maximum of twice per connection */
1598 if (find_session_cb_cnt > 2)
1601 if (serverpsk == NULL)
1604 /* Identity should match that set by the client */
1605 if (strcmp(srvid, identity) != 0) {
1609 /* We'll reuse the PSK we set up for TLSv1.3 */
1610 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1612 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1616 #endif /* OPENSSL_NO_PSK */
1618 #define MSG1 "Hello"
1619 #define MSG2 "World."
1624 #define MSG7 "message."
1626 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1627 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1630 * Helper method to setup objects for early data test. Caller frees objects on
1633 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1634 SSL **serverssl, SSL_SESSION **sess, int idx)
1636 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1637 TLS1_VERSION, TLS_MAX_VERSION,
1638 sctx, cctx, cert, privkey))
1639 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1640 SSL3_RT_MAX_PLAIN_LENGTH))
1641 || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
1642 SSL3_RT_MAX_PLAIN_LENGTH)))
1646 /* When idx == 1 we repeat the tests with read_ahead set */
1647 SSL_CTX_set_read_ahead(*cctx, 1);
1648 SSL_CTX_set_read_ahead(*sctx, 1);
1649 } else if (idx == 2) {
1650 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1651 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1652 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1653 use_session_cb_cnt = 0;
1654 find_session_cb_cnt = 0;
1658 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1663 * For one of the run throughs (doesn't matter which one), we'll try sending
1664 * some SNI data in the initial ClientHello. This will be ignored (because
1665 * there is no SNI cb set up by the server), so it should not impact
1669 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1673 /* Create the PSK */
1674 const SSL_CIPHER *cipher = NULL;
1675 const unsigned char key[] = {
1676 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1677 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1678 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1679 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1680 0x2c, 0x2d, 0x2e, 0x2f
1683 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1684 clientpsk = SSL_SESSION_new();
1685 if (!TEST_ptr(clientpsk)
1686 || !TEST_ptr(cipher)
1687 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1689 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1691 SSL_SESSION_set_protocol_version(clientpsk,
1694 * We just choose an arbitrary value for max_early_data which
1695 * should be big enough for testing purposes.
1697 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1699 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1700 SSL_SESSION_free(clientpsk);
1704 serverpsk = clientpsk;
1714 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1718 *sess = SSL_get1_session(*clientssl);
1719 SSL_shutdown(*clientssl);
1720 SSL_shutdown(*serverssl);
1721 SSL_free(*serverssl);
1722 SSL_free(*clientssl);
1723 *serverssl = *clientssl = NULL;
1725 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1726 clientssl, NULL, NULL))
1727 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1733 static int test_early_data_read_write(int idx)
1735 SSL_CTX *cctx = NULL, *sctx = NULL;
1736 SSL *clientssl = NULL, *serverssl = NULL;
1738 SSL_SESSION *sess = NULL;
1739 unsigned char buf[20], data[1024];
1740 size_t readbytes, written, eoedlen, rawread, rawwritten;
1743 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1744 &serverssl, &sess, idx)))
1747 /* Write and read some early data */
1748 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1750 || !TEST_size_t_eq(written, strlen(MSG1))
1751 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1752 sizeof(buf), &readbytes),
1753 SSL_READ_EARLY_DATA_SUCCESS)
1754 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1755 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1756 SSL_EARLY_DATA_ACCEPTED))
1760 * Server should be able to write data, and client should be able to
1763 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1765 || !TEST_size_t_eq(written, strlen(MSG2))
1766 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1767 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1770 /* Even after reading normal data, client should be able write early data */
1771 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1773 || !TEST_size_t_eq(written, strlen(MSG3)))
1776 /* Server should still be able read early data after writing data */
1777 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1779 SSL_READ_EARLY_DATA_SUCCESS)
1780 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1783 /* Write more data from server and read it from client */
1784 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1786 || !TEST_size_t_eq(written, strlen(MSG4))
1787 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1788 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1792 * If client writes normal data it should mean writing early data is no
1795 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1796 || !TEST_size_t_eq(written, strlen(MSG5))
1797 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1798 SSL_EARLY_DATA_ACCEPTED))
1802 * At this point the client has written EndOfEarlyData, ClientFinished and
1803 * normal (fully protected) data. We are going to cause a delay between the
1804 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1805 * in the read BIO, and then just put back the EndOfEarlyData message.
1807 rbio = SSL_get_rbio(serverssl);
1808 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1809 || !TEST_size_t_lt(rawread, sizeof(data))
1810 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1813 /* Record length is in the 4th and 5th bytes of the record header */
1814 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1815 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1816 || !TEST_size_t_eq(rawwritten, eoedlen))
1819 /* Server should be told that there is no more early data */
1820 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1822 SSL_READ_EARLY_DATA_FINISH)
1823 || !TEST_size_t_eq(readbytes, 0))
1827 * Server has not finished init yet, so should still be able to write early
1830 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1832 || !TEST_size_t_eq(written, strlen(MSG6)))
1835 /* Push the ClientFinished and the normal data back into the server rbio */
1836 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1838 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1841 /* Server should be able to read normal data */
1842 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1843 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1846 /* Client and server should not be able to write/read early data now */
1847 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1851 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1853 SSL_READ_EARLY_DATA_ERROR))
1857 /* Client should be able to read the data sent by the server */
1858 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1859 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1863 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1864 * We attempt a read which we do not expect to return any data.
1866 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1869 /* Server should be able to write normal data */
1870 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1871 || !TEST_size_t_eq(written, strlen(MSG7))
1872 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1873 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1876 /* We keep the PSK session around if using PSK */
1878 SSL_SESSION_free(sess);
1879 sess = SSL_get1_session(clientssl);
1880 use_session_cb_cnt = 0;
1881 find_session_cb_cnt = 0;
1883 SSL_shutdown(clientssl);
1884 SSL_shutdown(serverssl);
1885 SSL_free(serverssl);
1886 SSL_free(clientssl);
1887 serverssl = clientssl = NULL;
1888 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1889 &clientssl, NULL, NULL))
1890 || !TEST_true(SSL_set_session(clientssl, sess)))
1893 /* Write and read some early data */
1894 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1896 || !TEST_size_t_eq(written, strlen(MSG1))
1897 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1899 SSL_READ_EARLY_DATA_SUCCESS)
1900 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1903 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1904 || !TEST_int_gt(SSL_accept(serverssl), 0))
1907 /* Client and server should not be able to write/read early data now */
1908 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1912 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1914 SSL_READ_EARLY_DATA_ERROR))
1918 /* Client and server should be able to write/read normal data */
1919 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1920 || !TEST_size_t_eq(written, strlen(MSG5))
1921 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1922 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1928 if (sess != clientpsk)
1929 SSL_SESSION_free(sess);
1930 SSL_SESSION_free(clientpsk);
1931 SSL_SESSION_free(serverpsk);
1932 clientpsk = serverpsk = NULL;
1933 SSL_free(serverssl);
1934 SSL_free(clientssl);
1940 static int test_early_data_replay(int idx)
1942 SSL_CTX *cctx = NULL, *sctx = NULL;
1943 SSL *clientssl = NULL, *serverssl = NULL;
1945 SSL_SESSION *sess = NULL;
1947 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1948 &serverssl, &sess, idx)))
1952 * The server is configured to accept early data. Create a connection to
1953 * "use up" the ticket
1955 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
1956 || !TEST_true(SSL_session_reused(clientssl)))
1959 SSL_shutdown(clientssl);
1960 SSL_shutdown(serverssl);
1961 SSL_free(serverssl);
1962 SSL_free(clientssl);
1963 serverssl = clientssl = NULL;
1965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1966 &clientssl, NULL, NULL))
1967 || !TEST_true(SSL_set_session(clientssl, sess))
1968 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1971 * This time we should not have resumed the session because we
1972 * already used it once.
1974 || !TEST_false(SSL_session_reused(clientssl)))
1980 if (sess != clientpsk)
1981 SSL_SESSION_free(sess);
1982 SSL_SESSION_free(clientpsk);
1983 SSL_SESSION_free(serverpsk);
1984 clientpsk = serverpsk = NULL;
1985 SSL_free(serverssl);
1986 SSL_free(clientssl);
1993 * Helper function to test that a server attempting to read early data can
1994 * handle a connection from a client where the early data should be skipped.
1996 static int early_data_skip_helper(int hrr, int idx)
1998 SSL_CTX *cctx = NULL, *sctx = NULL;
1999 SSL *clientssl = NULL, *serverssl = NULL;
2001 SSL_SESSION *sess = NULL;
2002 unsigned char buf[20];
2003 size_t readbytes, written;
2005 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2006 &serverssl, &sess, idx)))
2010 /* Force an HRR to occur */
2011 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2013 } else if (idx == 2) {
2015 * We force early_data rejection by ensuring the PSK identity is
2018 srvid = "Dummy Identity";
2021 * Deliberately corrupt the creation time. We take 20 seconds off the
2022 * time. It could be any value as long as it is not within tolerance.
2023 * This should mean the ticket is rejected.
2025 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2029 /* Write some early data */
2030 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2032 || !TEST_size_t_eq(written, strlen(MSG1)))
2035 /* Server should reject the early data and skip over it */
2036 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2038 SSL_READ_EARLY_DATA_FINISH)
2039 || !TEST_size_t_eq(readbytes, 0)
2040 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2041 SSL_EARLY_DATA_REJECTED))
2046 * Finish off the handshake. We perform the same writes and reads as
2047 * further down but we expect them to fail due to the incomplete
2050 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2051 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2056 /* Should be able to send normal data despite rejection of early data */
2057 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2058 || !TEST_size_t_eq(written, strlen(MSG2))
2059 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2060 SSL_EARLY_DATA_REJECTED)
2061 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2062 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2068 if (sess != clientpsk)
2069 SSL_SESSION_free(clientpsk);
2070 SSL_SESSION_free(serverpsk);
2071 clientpsk = serverpsk = NULL;
2072 SSL_SESSION_free(sess);
2073 SSL_free(serverssl);
2074 SSL_free(clientssl);
2081 * Test that a server attempting to read early data can handle a connection
2082 * from a client where the early data is not acceptable.
2084 static int test_early_data_skip(int idx)
2086 return early_data_skip_helper(0, idx);
2090 * Test that a server attempting to read early data can handle a connection
2091 * from a client where an HRR occurs.
2093 static int test_early_data_skip_hrr(int idx)
2095 return early_data_skip_helper(1, idx);
2099 * Test that a server attempting to read early data can handle a connection
2100 * from a client that doesn't send any.
2102 static int test_early_data_not_sent(int idx)
2104 SSL_CTX *cctx = NULL, *sctx = NULL;
2105 SSL *clientssl = NULL, *serverssl = NULL;
2107 SSL_SESSION *sess = NULL;
2108 unsigned char buf[20];
2109 size_t readbytes, written;
2111 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2112 &serverssl, &sess, idx)))
2115 /* Write some data - should block due to handshake with server */
2116 SSL_set_connect_state(clientssl);
2117 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2120 /* Server should detect that early data has not been sent */
2121 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2123 SSL_READ_EARLY_DATA_FINISH)
2124 || !TEST_size_t_eq(readbytes, 0)
2125 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2126 SSL_EARLY_DATA_NOT_SENT)
2127 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2128 SSL_EARLY_DATA_NOT_SENT))
2131 /* Continue writing the message we started earlier */
2132 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2133 || !TEST_size_t_eq(written, strlen(MSG1))
2134 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2135 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2136 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2137 || !TEST_size_t_eq(written, strlen(MSG2)))
2141 * Should block due to the NewSessionTicket arrival unless we're using
2145 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2149 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2150 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2156 /* If using PSK then clientpsk and sess are the same */
2157 SSL_SESSION_free(sess);
2158 SSL_SESSION_free(serverpsk);
2159 clientpsk = serverpsk = NULL;
2160 SSL_free(serverssl);
2161 SSL_free(clientssl);
2167 static int hostname_cb(SSL *s, int *al, void *arg)
2169 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2171 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2172 return SSL_TLSEXT_ERR_OK;
2174 return SSL_TLSEXT_ERR_NOACK;
2177 static const char *servalpn;
2179 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2180 unsigned char *outlen, const unsigned char *in,
2181 unsigned int inlen, void *arg)
2183 unsigned int protlen = 0;
2184 const unsigned char *prot;
2186 for (prot = in; prot < in + inlen; prot += protlen) {
2188 if (in + inlen < prot + protlen)
2189 return SSL_TLSEXT_ERR_NOACK;
2191 if (protlen == strlen(servalpn)
2192 && memcmp(prot, servalpn, protlen) == 0) {
2195 return SSL_TLSEXT_ERR_OK;
2199 return SSL_TLSEXT_ERR_NOACK;
2202 /* Test that a PSK can be used to send early_data */
2203 static int test_early_data_psk(int idx)
2205 SSL_CTX *cctx = NULL, *sctx = NULL;
2206 SSL *clientssl = NULL, *serverssl = NULL;
2208 SSL_SESSION *sess = NULL;
2209 unsigned char alpnlist[] = {
2210 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2213 #define GOODALPNLEN 9
2214 #define BADALPNLEN 8
2215 #define GOODALPN (alpnlist)
2216 #define BADALPN (alpnlist + GOODALPNLEN)
2218 unsigned char buf[20];
2219 size_t readbytes, written;
2220 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2221 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2223 /* We always set this up with a final parameter of "2" for PSK */
2224 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2225 &serverssl, &sess, 2)))
2228 servalpn = "goodalpn";
2231 * Note: There is no test for inconsistent SNI with late client detection.
2232 * This is because servers do not acknowledge SNI even if they are using
2233 * it in a resumption handshake - so it is not actually possible for a
2234 * client to detect a problem.
2238 /* Set inconsistent SNI (early client detection) */
2239 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2240 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2241 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2246 /* Set inconsistent ALPN (early client detection) */
2247 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2248 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2249 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2251 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2258 * Set invalid protocol version. Technically this affects PSKs without
2259 * early_data too, but we test it here because it is similar to the
2260 * SNI/ALPN consistency tests.
2262 err = SSL_R_BAD_PSK;
2263 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2269 * Set inconsistent SNI (server detected). In this case the connection
2270 * will succeed but reject early_data.
2272 SSL_SESSION_free(serverpsk);
2273 serverpsk = SSL_SESSION_dup(clientpsk);
2274 if (!TEST_ptr(serverpsk)
2275 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2277 edstatus = SSL_EARLY_DATA_REJECTED;
2278 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2281 /* Set consistent SNI */
2282 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2283 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2284 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2291 * Set inconsistent ALPN (server detected). In this case the connection
2292 * will succeed but reject early_data.
2294 servalpn = "badalpn";
2295 edstatus = SSL_EARLY_DATA_REJECTED;
2296 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2300 * Set consistent ALPN.
2301 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2302 * accepts a list of protos (each one length prefixed).
2303 * SSL_set1_alpn_selected accepts a single protocol (not length
2306 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2308 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2312 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2316 /* Set inconsistent ALPN (late client detection) */
2317 SSL_SESSION_free(serverpsk);
2318 serverpsk = SSL_SESSION_dup(clientpsk);
2319 if (!TEST_ptr(serverpsk)
2320 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2323 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2326 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2329 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2330 edstatus = SSL_EARLY_DATA_ACCEPTED;
2331 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2332 /* SSL_connect() call should fail */
2337 TEST_error("Bad test index");
2341 SSL_set_connect_state(clientssl);
2343 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2345 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2346 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2349 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2353 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2354 &readbytes), readearlyres)
2355 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2356 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2357 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2358 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2365 SSL_SESSION_free(clientpsk);
2366 SSL_SESSION_free(serverpsk);
2367 clientpsk = serverpsk = NULL;
2368 SSL_free(serverssl);
2369 SSL_free(clientssl);
2376 * Test that a server that doesn't try to read early data can handle a
2377 * client sending some.
2379 static int test_early_data_not_expected(int idx)
2381 SSL_CTX *cctx = NULL, *sctx = NULL;
2382 SSL *clientssl = NULL, *serverssl = NULL;
2384 SSL_SESSION *sess = NULL;
2385 unsigned char buf[20];
2386 size_t readbytes, written;
2388 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2389 &serverssl, &sess, idx)))
2392 /* Write some early data */
2393 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2398 * Server should skip over early data and then block waiting for client to
2399 * continue handshake
2401 if (!TEST_int_le(SSL_accept(serverssl), 0)
2402 || !TEST_int_gt(SSL_connect(clientssl), 0)
2403 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2404 SSL_EARLY_DATA_REJECTED)
2405 || !TEST_int_gt(SSL_accept(serverssl), 0)
2406 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2407 SSL_EARLY_DATA_REJECTED))
2410 /* Send some normal data from client to server */
2411 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2412 || !TEST_size_t_eq(written, strlen(MSG2)))
2415 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2416 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2422 /* If using PSK then clientpsk and sess are the same */
2423 SSL_SESSION_free(sess);
2424 SSL_SESSION_free(serverpsk);
2425 clientpsk = serverpsk = NULL;
2426 SSL_free(serverssl);
2427 SSL_free(clientssl);
2434 # ifndef OPENSSL_NO_TLS1_2
2436 * Test that a server attempting to read early data can handle a connection
2437 * from a TLSv1.2 client.
2439 static int test_early_data_tls1_2(int idx)
2441 SSL_CTX *cctx = NULL, *sctx = NULL;
2442 SSL *clientssl = NULL, *serverssl = NULL;
2444 unsigned char buf[20];
2445 size_t readbytes, written;
2447 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2448 &serverssl, NULL, idx)))
2451 /* Write some data - should block due to handshake with server */
2452 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2453 SSL_set_connect_state(clientssl);
2454 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2458 * Server should do TLSv1.2 handshake. First it will block waiting for more
2459 * messages from client after ServerDone. Then SSL_read_early_data should
2460 * finish and detect that early data has not been sent
2462 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2464 SSL_READ_EARLY_DATA_ERROR))
2468 * Continue writing the message we started earlier. Will still block waiting
2469 * for the CCS/Finished from server
2471 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2472 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2474 SSL_READ_EARLY_DATA_FINISH)
2475 || !TEST_size_t_eq(readbytes, 0)
2476 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2477 SSL_EARLY_DATA_NOT_SENT))
2480 /* Continue writing the message we started earlier */
2481 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2482 || !TEST_size_t_eq(written, strlen(MSG1))
2483 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2484 SSL_EARLY_DATA_NOT_SENT)
2485 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2486 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2487 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2488 || !TEST_size_t_eq(written, strlen(MSG2))
2489 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2490 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2496 /* If using PSK then clientpsk and sess are the same */
2497 SSL_SESSION_free(clientpsk);
2498 SSL_SESSION_free(serverpsk);
2499 clientpsk = serverpsk = NULL;
2500 SSL_free(serverssl);
2501 SSL_free(clientssl);
2507 # endif /* OPENSSL_NO_TLS1_2 */
2510 * Test configuring the TLSv1.3 ciphersuites
2512 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2513 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2514 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2515 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2516 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2517 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2518 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2519 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2520 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2521 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2523 static int test_set_ciphersuite(int idx)
2525 SSL_CTX *cctx = NULL, *sctx = NULL;
2526 SSL *clientssl = NULL, *serverssl = NULL;
2529 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2530 TLS1_VERSION, TLS_MAX_VERSION,
2531 &sctx, &cctx, cert, privkey))
2532 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2533 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2536 if (idx >=4 && idx <= 7) {
2537 /* SSL_CTX explicit cipher list */
2538 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2542 if (idx == 0 || idx == 4) {
2543 /* Default ciphersuite */
2544 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2545 "TLS_AES_128_GCM_SHA256")))
2547 } else if (idx == 1 || idx == 5) {
2548 /* Non default ciphersuite */
2549 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2550 "TLS_AES_128_CCM_SHA256")))
2554 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2555 &clientssl, NULL, NULL)))
2558 if (idx == 8 || idx == 9) {
2559 /* SSL explicit cipher list */
2560 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2564 if (idx == 2 || idx == 6 || idx == 8) {
2565 /* Default ciphersuite */
2566 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2567 "TLS_AES_128_GCM_SHA256")))
2569 } else if (idx == 3 || idx == 7 || idx == 9) {
2570 /* Non default ciphersuite */
2571 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2572 "TLS_AES_128_CCM_SHA256")))
2576 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2582 SSL_free(serverssl);
2583 SSL_free(clientssl);
2590 static int test_ciphersuite_change(void)
2592 SSL_CTX *cctx = NULL, *sctx = NULL;
2593 SSL *clientssl = NULL, *serverssl = NULL;
2594 SSL_SESSION *clntsess = NULL;
2596 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2598 /* Create a session based on SHA-256 */
2599 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2600 TLS1_VERSION, TLS_MAX_VERSION,
2601 &sctx, &cctx, cert, privkey))
2602 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2603 "TLS_AES_128_GCM_SHA256"))
2604 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2605 &clientssl, NULL, NULL))
2606 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2610 clntsess = SSL_get1_session(clientssl);
2611 /* Save for later */
2612 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2613 SSL_shutdown(clientssl);
2614 SSL_shutdown(serverssl);
2615 SSL_free(serverssl);
2616 SSL_free(clientssl);
2617 serverssl = clientssl = NULL;
2619 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2620 /* Check we can resume a session with a different SHA-256 ciphersuite */
2621 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2622 "TLS_CHACHA20_POLY1305_SHA256"))
2623 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2625 || !TEST_true(SSL_set_session(clientssl, clntsess))
2626 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2628 || !TEST_true(SSL_session_reused(clientssl)))
2631 SSL_SESSION_free(clntsess);
2632 clntsess = SSL_get1_session(clientssl);
2633 SSL_shutdown(clientssl);
2634 SSL_shutdown(serverssl);
2635 SSL_free(serverssl);
2636 SSL_free(clientssl);
2637 serverssl = clientssl = NULL;
2641 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2642 * succeeds but does not resume.
2644 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2645 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2647 || !TEST_true(SSL_set_session(clientssl, clntsess))
2648 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2650 || !TEST_false(SSL_session_reused(clientssl)))
2653 SSL_SESSION_free(clntsess);
2655 SSL_shutdown(clientssl);
2656 SSL_shutdown(serverssl);
2657 SSL_free(serverssl);
2658 SSL_free(clientssl);
2659 serverssl = clientssl = NULL;
2661 /* Create a session based on SHA384 */
2662 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2663 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2664 &clientssl, NULL, NULL))
2665 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2669 clntsess = SSL_get1_session(clientssl);
2670 SSL_shutdown(clientssl);
2671 SSL_shutdown(serverssl);
2672 SSL_free(serverssl);
2673 SSL_free(clientssl);
2674 serverssl = clientssl = NULL;
2676 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2677 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2678 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2679 "TLS_AES_256_GCM_SHA384"))
2680 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2682 || !TEST_true(SSL_set_session(clientssl, clntsess))
2684 * We use SSL_ERROR_WANT_READ below so that we can pause the
2685 * connection after the initial ClientHello has been sent to
2686 * enable us to make some session changes.
2688 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2689 SSL_ERROR_WANT_READ)))
2692 /* Trick the client into thinking this session is for a different digest */
2693 clntsess->cipher = aes_128_gcm_sha256;
2694 clntsess->cipher_id = clntsess->cipher->id;
2697 * Continue the previously started connection. Server has selected a SHA-384
2698 * ciphersuite, but client thinks the session is for SHA-256, so it should
2701 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2703 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2704 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2710 SSL_SESSION_free(clntsess);
2711 SSL_free(serverssl);
2712 SSL_free(clientssl);
2719 static int test_tls13_psk(int idx)
2721 SSL_CTX *sctx = NULL, *cctx = NULL;
2722 SSL *serverssl = NULL, *clientssl = NULL;
2723 const SSL_CIPHER *cipher = NULL;
2724 const unsigned char key[] = {
2725 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2726 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2727 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2728 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2732 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2733 TLS1_VERSION, TLS_MAX_VERSION,
2734 &sctx, &cctx, cert, privkey)))
2738 * We use a ciphersuite with SHA256 to ease testing old style PSK callbacks
2739 * which will always default to SHA256
2741 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")))
2745 * Test 0: New style callbacks only
2746 * Test 1: New and old style callbacks (only the new ones should be used)
2747 * Test 2: Old style callbacks only
2749 if (idx == 0 || idx == 1) {
2750 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2751 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2753 #ifndef OPENSSL_NO_PSK
2754 if (idx == 1 || idx == 2) {
2755 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2756 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2760 use_session_cb_cnt = 0;
2761 find_session_cb_cnt = 0;
2762 psk_client_cb_cnt = 0;
2763 psk_server_cb_cnt = 0;
2765 /* Check we can create a connection if callback decides not to send a PSK */
2766 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2768 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2770 || !TEST_false(SSL_session_reused(clientssl))
2771 || !TEST_false(SSL_session_reused(serverssl)))
2774 if (idx == 0 || idx == 1) {
2775 if (!TEST_true(use_session_cb_cnt == 1)
2776 || !TEST_true(find_session_cb_cnt == 0)
2778 * If no old style callback then below should be 0
2781 || !TEST_true(psk_client_cb_cnt == idx)
2782 || !TEST_true(psk_server_cb_cnt == 0))
2785 if (!TEST_true(use_session_cb_cnt == 0)
2786 || !TEST_true(find_session_cb_cnt == 0)
2787 || !TEST_true(psk_client_cb_cnt == 1)
2788 || !TEST_true(psk_server_cb_cnt == 0))
2792 shutdown_ssl_connection(serverssl, clientssl);
2793 serverssl = clientssl = NULL;
2794 use_session_cb_cnt = psk_client_cb_cnt = 0;
2796 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2800 /* Create the PSK */
2801 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
2802 clientpsk = SSL_SESSION_new();
2803 if (!TEST_ptr(clientpsk)
2804 || !TEST_ptr(cipher)
2805 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2807 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2808 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2810 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2812 serverpsk = clientpsk;
2814 /* Check we can create a connection and the PSK is used */
2815 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2816 || !TEST_true(SSL_session_reused(clientssl))
2817 || !TEST_true(SSL_session_reused(serverssl)))
2820 if (idx == 0 || idx == 1) {
2821 if (!TEST_true(use_session_cb_cnt == 1)
2822 || !TEST_true(find_session_cb_cnt == 1)
2823 || !TEST_true(psk_client_cb_cnt == 0)
2824 || !TEST_true(psk_server_cb_cnt == 0))
2827 if (!TEST_true(use_session_cb_cnt == 0)
2828 || !TEST_true(find_session_cb_cnt == 0)
2829 || !TEST_true(psk_client_cb_cnt == 1)
2830 || !TEST_true(psk_server_cb_cnt == 1))
2834 shutdown_ssl_connection(serverssl, clientssl);
2835 serverssl = clientssl = NULL;
2836 use_session_cb_cnt = find_session_cb_cnt = 0;
2837 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2839 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2844 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2848 * Check we can create a connection, the PSK is used and the callbacks are
2851 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2852 || !TEST_true(SSL_session_reused(clientssl))
2853 || !TEST_true(SSL_session_reused(serverssl)))
2856 if (idx == 0 || idx == 1) {
2857 if (!TEST_true(use_session_cb_cnt == 2)
2858 || !TEST_true(find_session_cb_cnt == 2)
2859 || !TEST_true(psk_client_cb_cnt == 0)
2860 || !TEST_true(psk_server_cb_cnt == 0))
2863 if (!TEST_true(use_session_cb_cnt == 0)
2864 || !TEST_true(find_session_cb_cnt == 0)
2865 || !TEST_true(psk_client_cb_cnt == 2)
2866 || !TEST_true(psk_server_cb_cnt == 2))
2870 shutdown_ssl_connection(serverssl, clientssl);
2871 serverssl = clientssl = NULL;
2872 use_session_cb_cnt = find_session_cb_cnt = 0;
2873 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2876 * Check that if the server rejects the PSK we can still connect, but with
2879 srvid = "Dummy Identity";
2880 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2882 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2884 || !TEST_false(SSL_session_reused(clientssl))
2885 || !TEST_false(SSL_session_reused(serverssl)))
2888 if (idx == 0 || idx == 1) {
2889 if (!TEST_true(use_session_cb_cnt == 1)
2890 || !TEST_true(find_session_cb_cnt == 1)
2891 || !TEST_true(psk_client_cb_cnt == 0)
2893 * If no old style callback then below should be 0
2896 || !TEST_true(psk_server_cb_cnt == idx))
2899 if (!TEST_true(use_session_cb_cnt == 0)
2900 || !TEST_true(find_session_cb_cnt == 0)
2901 || !TEST_true(psk_client_cb_cnt == 1)
2902 || !TEST_true(psk_server_cb_cnt == 1))
2906 shutdown_ssl_connection(serverssl, clientssl);
2907 serverssl = clientssl = NULL;
2911 SSL_SESSION_free(clientpsk);
2912 SSL_SESSION_free(serverpsk);
2913 clientpsk = serverpsk = NULL;
2914 SSL_free(serverssl);
2915 SSL_free(clientssl);
2921 static unsigned char cookie_magic_value[] = "cookie magic";
2923 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2924 unsigned int *cookie_len)
2927 * Not suitable as a real cookie generation function but good enough for
2930 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
2931 *cookie_len = sizeof(cookie_magic_value) - 1;
2936 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
2937 unsigned int cookie_len)
2939 if (cookie_len == sizeof(cookie_magic_value) - 1
2940 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
2946 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
2950 int res = generate_cookie_callback(ssl, cookie, &temp);
2955 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
2958 return verify_cookie_callback(ssl, cookie, cookie_len);
2961 static int test_stateless(void)
2963 SSL_CTX *sctx = NULL, *cctx = NULL;
2964 SSL *serverssl = NULL, *clientssl = NULL;
2967 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2968 TLS1_VERSION, TLS_MAX_VERSION,
2969 &sctx, &cctx, cert, privkey)))
2972 /* The arrival of CCS messages can confuse the test */
2973 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
2975 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2977 /* Send the first ClientHello */
2978 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2979 SSL_ERROR_WANT_READ))
2981 * This should fail with a -1 return because we have no callbacks
2984 || !TEST_int_eq(SSL_stateless(serverssl), -1))
2987 /* Fatal error so abandon the connection from this client */
2988 SSL_free(clientssl);
2991 /* Set up the cookie generation and verification callbacks */
2992 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
2993 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
2996 * Create a new connection from the client (we can reuse the server SSL
2999 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3001 /* Send the first ClientHello */
3002 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3003 SSL_ERROR_WANT_READ))
3004 /* This should fail because there is no cookie */
3005 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3008 /* Abandon the connection from this client */
3009 SSL_free(clientssl);
3013 * Now create a connection from a new client but with the same server SSL
3016 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3018 /* Send the first ClientHello */
3019 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3020 SSL_ERROR_WANT_READ))
3021 /* This should fail because there is no cookie */
3022 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3023 /* Send the second ClientHello */
3024 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3025 SSL_ERROR_WANT_READ))
3026 /* This should succeed because a cookie is now present */
3027 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3028 /* Complete the connection */
3029 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3033 shutdown_ssl_connection(serverssl, clientssl);
3034 serverssl = clientssl = NULL;
3038 SSL_free(serverssl);
3039 SSL_free(clientssl);
3045 #endif /* OPENSSL_NO_TLS1_3 */
3047 static int clntaddoldcb = 0;
3048 static int clntparseoldcb = 0;
3049 static int srvaddoldcb = 0;
3050 static int srvparseoldcb = 0;
3051 static int clntaddnewcb = 0;
3052 static int clntparsenewcb = 0;
3053 static int srvaddnewcb = 0;
3054 static int srvparsenewcb = 0;
3055 static int snicb = 0;
3057 #define TEST_EXT_TYPE1 0xff00
3059 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3060 size_t *outlen, int *al, void *add_arg)
3062 int *server = (int *)add_arg;
3063 unsigned char *data;
3065 if (SSL_is_server(s))
3070 if (*server != SSL_is_server(s)
3071 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3076 *outlen = sizeof(char);
3080 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3083 OPENSSL_free((unsigned char *)out);
3086 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3087 size_t inlen, int *al, void *parse_arg)
3089 int *server = (int *)parse_arg;
3091 if (SSL_is_server(s))
3096 if (*server != SSL_is_server(s)
3097 || inlen != sizeof(char)
3104 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3105 const unsigned char **out, size_t *outlen, X509 *x,
3106 size_t chainidx, int *al, void *add_arg)
3108 int *server = (int *)add_arg;
3109 unsigned char *data;
3111 if (SSL_is_server(s))
3116 if (*server != SSL_is_server(s)
3117 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3122 *outlen = sizeof(*data);
3126 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3127 const unsigned char *out, void *add_arg)
3129 OPENSSL_free((unsigned char *)out);
3132 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3133 const unsigned char *in, size_t inlen, X509 *x,
3134 size_t chainidx, int *al, void *parse_arg)
3136 int *server = (int *)parse_arg;
3138 if (SSL_is_server(s))
3143 if (*server != SSL_is_server(s)
3144 || inlen != sizeof(char) || *in != 1)
3150 static int sni_cb(SSL *s, int *al, void *arg)
3152 SSL_CTX *ctx = (SSL_CTX *)arg;
3154 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3155 *al = SSL_AD_INTERNAL_ERROR;
3156 return SSL_TLSEXT_ERR_ALERT_FATAL;
3159 return SSL_TLSEXT_ERR_OK;
3163 * Custom call back tests.
3164 * Test 0: Old style callbacks in TLSv1.2
3165 * Test 1: New style callbacks in TLSv1.2
3166 * Test 2: New style callbacks in TLSv1.2 with SNI
3167 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3168 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3170 static int test_custom_exts(int tst)
3172 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3173 SSL *clientssl = NULL, *serverssl = NULL;
3175 static int server = 1;
3176 static int client = 0;
3177 SSL_SESSION *sess = NULL;
3178 unsigned int context;
3180 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3181 /* Skip tests for TLSv1.2 and below in this case */
3186 /* Reset callback counters */
3187 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3188 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3191 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3192 TLS1_VERSION, TLS_MAX_VERSION,
3193 &sctx, &cctx, cert, privkey)))
3197 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3198 TLS1_VERSION, TLS_MAX_VERSION,
3199 &sctx2, NULL, cert, privkey)))
3204 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3205 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3207 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3211 context = SSL_EXT_CLIENT_HELLO
3212 | SSL_EXT_TLS1_2_SERVER_HELLO
3213 | SSL_EXT_TLS1_3_SERVER_HELLO
3214 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3215 | SSL_EXT_TLS1_3_CERTIFICATE
3216 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3218 context = SSL_EXT_CLIENT_HELLO
3219 | SSL_EXT_TLS1_2_SERVER_HELLO
3220 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3223 /* Create a client side custom extension */
3225 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3226 old_add_cb, old_free_cb,
3227 &client, old_parse_cb,
3231 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3232 new_add_cb, new_free_cb,
3233 &client, new_parse_cb, &client)))
3237 /* Should not be able to add duplicates */
3238 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3239 old_add_cb, old_free_cb,
3240 &client, old_parse_cb,
3242 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3243 context, new_add_cb,
3244 new_free_cb, &client,
3245 new_parse_cb, &client)))
3248 /* Create a server side custom extension */
3250 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3251 old_add_cb, old_free_cb,
3252 &server, old_parse_cb,
3256 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3257 new_add_cb, new_free_cb,
3258 &server, new_parse_cb, &server)))
3261 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3262 context, new_add_cb,
3263 new_free_cb, &server,
3264 new_parse_cb, &server)))
3268 /* Should not be able to add duplicates */
3269 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3270 old_add_cb, old_free_cb,
3271 &server, old_parse_cb,
3273 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3274 context, new_add_cb,
3275 new_free_cb, &server,
3276 new_parse_cb, &server)))
3281 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3282 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3287 &clientssl, NULL, NULL))
3288 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3293 if (clntaddoldcb != 1
3294 || clntparseoldcb != 1
3296 || srvparseoldcb != 1)
3298 } else if (tst == 1 || tst == 2 || tst == 3) {
3299 if (clntaddnewcb != 1
3300 || clntparsenewcb != 1
3302 || srvparsenewcb != 1
3303 || (tst != 2 && snicb != 0)
3304 || (tst == 2 && snicb != 1))
3307 if (clntaddnewcb != 1
3308 || clntparsenewcb != 4
3310 || srvparsenewcb != 1)
3314 sess = SSL_get1_session(clientssl);
3315 SSL_shutdown(clientssl);
3316 SSL_shutdown(serverssl);
3317 SSL_free(serverssl);
3318 SSL_free(clientssl);
3319 serverssl = clientssl = NULL;
3322 /* We don't bother with the resumption aspects for this test */
3327 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3329 || !TEST_true(SSL_set_session(clientssl, sess))
3330 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3335 * For a resumed session we expect to add the ClientHello extension. For the
3336 * old style callbacks we ignore it on the server side because they set
3337 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3341 if (clntaddoldcb != 2
3342 || clntparseoldcb != 1
3344 || srvparseoldcb != 1)
3346 } else if (tst == 1 || tst == 2 || tst == 3) {
3347 if (clntaddnewcb != 2
3348 || clntparsenewcb != 2
3350 || srvparsenewcb != 2)
3353 /* No Certificate message extensions in the resumption handshake */
3354 if (clntaddnewcb != 2
3355 || clntparsenewcb != 7
3357 || srvparsenewcb != 2)
3364 SSL_SESSION_free(sess);
3365 SSL_free(serverssl);
3366 SSL_free(clientssl);
3367 SSL_CTX_free(sctx2);
3374 * Test loading of serverinfo data in various formats. test_sslmessages actually
3375 * tests to make sure the extensions appear in the handshake
3377 static int test_serverinfo(int tst)
3379 unsigned int version;
3380 unsigned char *sibuf;
3382 int ret, expected, testresult = 0;
3385 ctx = SSL_CTX_new(TLS_method());
3389 if ((tst & 0x01) == 0x01)
3390 version = SSL_SERVERINFOV2;
3392 version = SSL_SERVERINFOV1;
3394 if ((tst & 0x02) == 0x02) {
3395 sibuf = serverinfov2;
3396 sibuflen = sizeof(serverinfov2);
3397 expected = (version == SSL_SERVERINFOV2);
3399 sibuf = serverinfov1;
3400 sibuflen = sizeof(serverinfov1);
3401 expected = (version == SSL_SERVERINFOV1);
3404 if ((tst & 0x04) == 0x04) {
3405 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3407 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3410 * The version variable is irrelevant in this case - it's what is in the
3411 * buffer that matters
3413 if ((tst & 0x02) == 0x02)
3419 if (!TEST_true(ret == expected))
3431 * Test that SSL_export_keying_material() produces expected results. There are
3432 * no test vectors so all we do is test that both sides of the communication
3433 * produce the same results for different protocol versions.
3435 static int test_export_key_mat(int tst)
3438 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3439 SSL *clientssl = NULL, *serverssl = NULL;
3440 const char label[] = "test label";
3441 const unsigned char context[] = "context";
3442 const unsigned char *emptycontext = NULL;
3443 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3444 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3445 const int protocols[] = {
3452 #ifdef OPENSSL_NO_TLS1
3456 #ifdef OPENSSL_NO_TLS1_1
3460 #ifdef OPENSSL_NO_TLS1_2
3464 #ifdef OPENSSL_NO_TLS1_3
3468 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3469 TLS1_VERSION, TLS_MAX_VERSION,
3470 &sctx, &cctx, cert, privkey)))
3473 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3474 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3475 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3479 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3483 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3484 sizeof(ckeymat1), label,
3485 sizeof(label) - 1, context,
3486 sizeof(context) - 1, 1), 1)
3487 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3488 sizeof(ckeymat2), label,
3492 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3493 sizeof(ckeymat3), label,
3496 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3497 sizeof(skeymat1), label,
3500 sizeof(context) -1, 1),
3502 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3503 sizeof(skeymat2), label,
3507 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3508 sizeof(skeymat3), label,
3512 * Check that both sides created the same key material with the
3515 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3518 * Check that both sides created the same key material with an
3521 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3524 * Check that both sides created the same key material without a
3527 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3529 /* Different contexts should produce different results */
3530 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3535 * Check that an empty context and no context produce different results in
3536 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3538 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3540 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3547 SSL_free(serverssl);
3548 SSL_free(clientssl);
3549 SSL_CTX_free(sctx2);
3556 #ifndef OPENSSL_NO_TLS1_3
3558 * Test that SSL_export_keying_material_early() produces expected
3559 * results. There are no test vectors so all we do is test that both
3560 * sides of the communication produce the same results for different
3561 * protocol versions.
3563 static int test_export_key_mat_early(int idx)
3565 static const char label[] = "test label";
3566 static const unsigned char context[] = "context";
3568 SSL_CTX *cctx = NULL, *sctx = NULL;
3569 SSL *clientssl = NULL, *serverssl = NULL;
3570 SSL_SESSION *sess = NULL;
3571 const unsigned char *emptycontext = NULL;
3572 unsigned char ckeymat1[80], ckeymat2[80];
3573 unsigned char skeymat1[80], skeymat2[80];
3574 unsigned char buf[1];
3575 size_t readbytes, written;
3577 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3581 /* Here writing 0 length early data is enough. */
3582 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3583 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3585 SSL_READ_EARLY_DATA_ERROR)
3586 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3587 SSL_EARLY_DATA_ACCEPTED))
3590 if (!TEST_int_eq(SSL_export_keying_material_early(
3591 clientssl, ckeymat1, sizeof(ckeymat1), label,
3592 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3593 || !TEST_int_eq(SSL_export_keying_material_early(
3594 clientssl, ckeymat2, sizeof(ckeymat2), label,
3595 sizeof(label) - 1, emptycontext, 0), 1)
3596 || !TEST_int_eq(SSL_export_keying_material_early(
3597 serverssl, skeymat1, sizeof(skeymat1), label,
3598 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3599 || !TEST_int_eq(SSL_export_keying_material_early(
3600 serverssl, skeymat2, sizeof(skeymat2), label,
3601 sizeof(label) - 1, emptycontext, 0), 1)
3603 * Check that both sides created the same key material with the
3606 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3609 * Check that both sides created the same key material with an
3612 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3614 /* Different contexts should produce different results */
3615 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3622 if (sess != clientpsk)
3623 SSL_SESSION_free(sess);
3624 SSL_SESSION_free(clientpsk);
3625 SSL_SESSION_free(serverpsk);
3626 clientpsk = serverpsk = NULL;
3627 SSL_free(serverssl);
3628 SSL_free(clientssl);
3634 #endif /* OPENSSL_NO_TLS1_3 */
3636 static int test_ssl_clear(int idx)
3638 SSL_CTX *cctx = NULL, *sctx = NULL;
3639 SSL *clientssl = NULL, *serverssl = NULL;
3642 #ifdef OPENSSL_NO_TLS1_2
3647 /* Create an initial connection */
3648 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3649 TLS1_VERSION, TLS_MAX_VERSION,
3650 &sctx, &cctx, cert, privkey))
3652 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3654 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3655 &clientssl, NULL, NULL))
3656 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3660 SSL_shutdown(clientssl);
3661 SSL_shutdown(serverssl);
3662 SSL_free(serverssl);
3665 /* Clear clientssl - we're going to reuse the object */
3666 if (!TEST_true(SSL_clear(clientssl)))
3669 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3671 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3673 || !TEST_true(SSL_session_reused(clientssl)))
3676 SSL_shutdown(clientssl);
3677 SSL_shutdown(serverssl);
3682 SSL_free(serverssl);
3683 SSL_free(clientssl);
3690 /* Parse CH and retrieve any MFL extension value if present */
3691 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3694 unsigned char *data;
3695 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3696 unsigned int MFL_code = 0, type = 0;
3698 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3701 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3702 /* Skip the record header */
3703 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3704 /* Skip the handshake message header */
3705 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3706 /* Skip client version and random */
3707 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3708 + SSL3_RANDOM_SIZE))
3709 /* Skip session id */
3710 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3712 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3713 /* Skip compression */
3714 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3715 /* Extensions len */
3716 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3719 /* Loop through all extensions */
3720 while (PACKET_remaining(&pkt2)) {
3721 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3722 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3725 if (type == TLSEXT_TYPE_max_fragment_length) {
3726 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3727 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3730 *mfl_codemfl_code = MFL_code;
3739 /* Maximum-Fragment-Length TLS extension mode to test */
3740 static const unsigned char max_fragment_len_test[] = {
3741 TLSEXT_max_fragment_length_512,
3742 TLSEXT_max_fragment_length_1024,
3743 TLSEXT_max_fragment_length_2048,
3744 TLSEXT_max_fragment_length_4096
3747 static int test_max_fragment_len_ext(int idx_tst)
3751 int testresult = 0, MFL_mode = 0;
3754 ctx = SSL_CTX_new(TLS_method());
3758 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3759 ctx, max_fragment_len_test[idx_tst])))
3766 rbio = BIO_new(BIO_s_mem());
3767 wbio = BIO_new(BIO_s_mem());
3768 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3774 SSL_set_bio(con, rbio, wbio);
3775 SSL_set_connect_state(con);
3777 if (!TEST_int_le(SSL_connect(con), 0)) {
3778 /* This shouldn't succeed because we don't have a server! */
3782 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3783 /* no MFL in client hello */
3785 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3797 #ifndef OPENSSL_NO_TLS1_3
3798 static int test_pha_key_update(void)
3800 SSL_CTX *cctx = NULL, *sctx = NULL;
3801 SSL *clientssl = NULL, *serverssl = NULL;
3804 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3805 TLS1_VERSION, TLS_MAX_VERSION,
3806 &sctx, &cctx, cert, privkey)))
3809 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3810 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3811 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3812 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3816 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3820 SSL_force_post_handshake_auth(clientssl);
3822 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3826 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3827 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3830 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3833 /* Start handshake on the server */
3834 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3837 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3838 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3842 SSL_shutdown(clientssl);
3843 SSL_shutdown(serverssl);
3848 SSL_free(serverssl);
3849 SSL_free(clientssl);
3856 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
3858 static SRP_VBASE *vbase = NULL;
3860 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
3862 int ret = SSL3_AL_FATAL;
3864 SRP_user_pwd *user = NULL;
3866 username = SSL_get_srp_username(s);
3867 if (username == NULL) {
3868 *ad = SSL_AD_INTERNAL_ERROR;
3872 user = SRP_VBASE_get1_by_user(vbase, username);
3874 *ad = SSL_AD_INTERNAL_ERROR;
3878 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
3880 *ad = SSL_AD_INTERNAL_ERROR;
3887 SRP_user_pwd_free(user);
3891 static int create_new_vfile(char *userid, char *password, const char *filename)
3894 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
3897 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
3900 if (!TEST_ptr(dummy) || !TEST_ptr(row))
3903 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
3904 &row[DB_srpverifier], NULL, NULL);
3905 if (!TEST_ptr(gNid))
3909 * The only way to create an empty TXT_DB is to provide a BIO with no data
3912 db = TXT_DB_read(dummy, DB_NUMBER);
3916 out = BIO_new_file(filename, "w");
3920 row[DB_srpid] = OPENSSL_strdup(userid);
3921 row[DB_srptype] = OPENSSL_strdup("V");
3922 row[DB_srpgN] = OPENSSL_strdup(gNid);
3924 if (!TEST_ptr(row[DB_srpid])
3925 || !TEST_ptr(row[DB_srptype])
3926 || !TEST_ptr(row[DB_srpgN])
3927 || !TEST_true(TXT_DB_insert(db, row)))
3932 if (!TXT_DB_write(out, db))
3938 for (i = 0; i < DB_NUMBER; i++)
3939 OPENSSL_free(row[i]);
3949 static int create_new_vbase(char *userid, char *password)
3951 BIGNUM *verifier = NULL, *salt = NULL;
3952 const SRP_gN *lgN = NULL;
3953 SRP_user_pwd *user_pwd = NULL;
3956 lgN = SRP_get_default_gN(NULL);
3960 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
3964 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
3965 if (!TEST_ptr(user_pwd))
3968 user_pwd->N = lgN->N;
3969 user_pwd->g = lgN->g;
3970 user_pwd->id = OPENSSL_strdup(userid);
3971 if (!TEST_ptr(user_pwd->id))
3974 user_pwd->v = verifier;
3976 verifier = salt = NULL;
3978 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
3984 SRP_user_pwd_free(user_pwd);
3994 * Test 0: Simple successful SRP connection, new vbase
3995 * Test 1: Connection failure due to bad password, new vbase
3996 * Test 2: Simple successful SRP connection, vbase loaded from existing file
3997 * Test 3: Connection failure due to bad password, vbase loaded from existing
3999 * Test 4: Simple successful SRP connection, vbase loaded from new file
4000 * Test 5: Connection failure due to bad password, vbase loaded from new file
4002 static int test_srp(int tst)
4004 char *userid = "test", *password = "password", *tstsrpfile;
4005 SSL_CTX *cctx = NULL, *sctx = NULL;
4006 SSL *clientssl = NULL, *serverssl = NULL;
4007 int ret, testresult = 0;
4009 vbase = SRP_VBASE_new(NULL);
4010 if (!TEST_ptr(vbase))
4013 if (tst == 0 || tst == 1) {
4014 if (!TEST_true(create_new_vbase(userid, password)))
4017 if (tst == 4 || tst == 5) {
4018 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4020 tstsrpfile = tmpfilename;
4022 tstsrpfile = srpvfile;
4024 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4028 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4029 TLS1_VERSION, TLS_MAX_VERSION,
4030 &sctx, &cctx, cert, privkey)))
4033 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4034 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4035 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4036 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4037 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4041 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4044 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4048 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4052 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4054 if (!TEST_true(tst % 2 == 0))
4057 if (!TEST_true(tst % 2 == 1))
4064 SRP_VBASE_free(vbase);
4066 SSL_free(serverssl);
4067 SSL_free(clientssl);
4075 static int info_cb_failed = 0;
4076 static int info_cb_offset = 0;
4077 static int info_cb_this_state = -1;
4079 static struct info_cb_states_st {
4081 const char *statestr;
4082 } info_cb_states[][60] = {
4084 /* TLSv1.2 server followed by resumption */
4085 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4086 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4087 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4088 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4089 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4090 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4091 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4092 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4093 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4094 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4095 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4096 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4097 {SSL_CB_EXIT, NULL}, {0, NULL},
4099 /* TLSv1.2 client followed by resumption */
4100 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4101 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4102 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4103 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4104 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4105 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4106 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4107 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4108 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4109 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4110 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4111 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4113 /* TLSv1.3 server followed by resumption */
4114 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4115 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4116 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4117 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4118 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4119 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4120 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4121 {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4122 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4123 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4124 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4125 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
4126 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4127 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4128 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4130 /* TLSv1.3 client followed by resumption */
4131 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4132 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4133 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4134 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4135 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4136 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4137 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4138 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4139 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4140 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4141 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4142 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4143 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4144 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4145 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4146 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4148 /* TLSv1.3 server, early_data */
4149 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4150 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4151 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4152 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4153 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4154 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4155 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4156 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4157 {SSL_CB_EXIT, NULL}, {0, NULL},
4159 /* TLSv1.3 client, early_data */
4160 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4161 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4162 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4163 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4164 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4165 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4166 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4167 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4168 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4169 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4175 static void sslapi_info_callback(const SSL *s, int where, int ret)
4177 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4179 /* We do not ever expect a connection to fail in this test */
4180 if (!TEST_false(ret == 0)) {
4186 * Do some sanity checks. We never expect these things to happen in this
4189 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4190 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4191 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4196 /* Now check we're in the right state */
4197 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4201 if ((where & SSL_CB_LOOP) != 0
4202 && !TEST_int_eq(strcmp(SSL_state_string(s),
4203 state[info_cb_this_state].statestr), 0)) {
4210 * Test the info callback gets called when we expect it to.
4212 * Test 0: TLSv1.2, server
4213 * Test 1: TLSv1.2, client
4214 * Test 2: TLSv1.3, server
4215 * Test 3: TLSv1.3, client
4216 * Test 4: TLSv1.3, server, early_data
4217 * Test 5: TLSv1.3, client, early_data
4219 static int test_info_callback(int tst)
4221 SSL_CTX *cctx = NULL, *sctx = NULL;
4222 SSL *clientssl = NULL, *serverssl = NULL;
4223 SSL_SESSION *clntsess = NULL;
4228 #ifndef OPENSSL_NO_TLS1_2
4229 tlsvers = TLS1_2_VERSION;
4234 #ifndef OPENSSL_NO_TLS1_3
4235 tlsvers = TLS1_3_VERSION;
4243 info_cb_this_state = -1;
4244 info_cb_offset = tst;
4247 SSL_SESSION *sess = NULL;
4248 size_t written, readbytes;
4249 unsigned char buf[80];
4251 /* early_data tests */
4252 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4253 &serverssl, &sess, 0)))
4256 /* We don't actually need this reference */
4257 SSL_SESSION_free(sess);
4259 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4260 sslapi_info_callback);
4262 /* Write and read some early data and then complete the connection */
4263 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4265 || !TEST_size_t_eq(written, strlen(MSG1))
4266 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4267 sizeof(buf), &readbytes),
4268 SSL_READ_EARLY_DATA_SUCCESS)
4269 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4270 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4271 SSL_EARLY_DATA_ACCEPTED)
4272 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4274 || !TEST_false(info_cb_failed))
4281 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4282 TLS_client_method(),
4283 tlsvers, tlsvers, &sctx, &cctx, cert,
4288 * For even numbered tests we check the server callbacks. For odd numbers we
4291 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4292 sslapi_info_callback);
4294 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4295 &clientssl, NULL, NULL))
4296 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4298 || !TEST_false(info_cb_failed))
4303 clntsess = SSL_get1_session(clientssl);
4304 SSL_shutdown(clientssl);
4305 SSL_shutdown(serverssl);
4306 SSL_free(serverssl);
4307 SSL_free(clientssl);
4308 serverssl = clientssl = NULL;
4310 /* Now do a resumption */
4311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4313 || !TEST_true(SSL_set_session(clientssl, clntsess))
4314 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4316 || !TEST_true(SSL_session_reused(clientssl))
4317 || !TEST_false(info_cb_failed))
4323 SSL_free(serverssl);
4324 SSL_free(clientssl);
4325 SSL_SESSION_free(clntsess);
4331 int setup_tests(void)
4333 if (!TEST_ptr(cert = test_get_argument(0))
4334 || !TEST_ptr(privkey = test_get_argument(1))
4335 || !TEST_ptr(srpvfile = test_get_argument(2))
4336 || !TEST_ptr(tmpfilename = test_get_argument(3)))
4339 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
4340 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
4341 TEST_error("not supported in this build");
4344 int i, mcount, rcount, fcount;
4346 for (i = 0; i < 4; i++)
4347 test_export_key_mat(i);
4348 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
4349 test_printf_stdout("malloc %d realloc %d free %d\n",
4350 mcount, rcount, fcount);
4355 ADD_TEST(test_large_message_tls);
4356 ADD_TEST(test_large_message_tls_read_ahead);
4357 #ifndef OPENSSL_NO_DTLS
4358 ADD_TEST(test_large_message_dtls);
4360 #ifndef OPENSSL_NO_OCSP
4361 ADD_TEST(test_tlsext_status_type);
4363 ADD_TEST(test_session_with_only_int_cache);
4364 ADD_TEST(test_session_with_only_ext_cache);
4365 ADD_TEST(test_session_with_both_cache);
4366 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
4367 ADD_TEST(test_ssl_bio_pop_next_bio);
4368 ADD_TEST(test_ssl_bio_pop_ssl_bio);
4369 ADD_TEST(test_ssl_bio_change_rbio);
4370 ADD_TEST(test_ssl_bio_change_wbio);
4371 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
4372 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
4373 ADD_TEST(test_keylog);
4375 #ifndef OPENSSL_NO_TLS1_3
4376 ADD_TEST(test_keylog_no_master_key);
4378 #ifndef OPENSSL_NO_TLS1_2
4379 ADD_TEST(test_client_hello_cb);
4381 #ifndef OPENSSL_NO_TLS1_3
4382 ADD_ALL_TESTS(test_early_data_read_write, 3);
4384 * We don't do replay tests for external PSK. Replay protection isn't used
4387 ADD_ALL_TESTS(test_early_data_replay, 2);
4388 ADD_ALL_TESTS(test_early_data_skip, 3);
4389 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
4390 ADD_ALL_TESTS(test_early_data_not_sent, 3);
4391 ADD_ALL_TESTS(test_early_data_psk, 8);
4392 ADD_ALL_TESTS(test_early_data_not_expected, 3);
4393 # ifndef OPENSSL_NO_TLS1_2
4394 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
4397 #ifndef OPENSSL_NO_TLS1_3
4398 ADD_ALL_TESTS(test_set_ciphersuite, 10);
4399 ADD_TEST(test_ciphersuite_change);
4400 #ifdef OPENSSL_NO_PSK
4401 ADD_ALL_TESTS(test_tls13_psk, 1);
4403 ADD_ALL_TESTS(test_tls13_psk, 3);
4404 #endif /* OPENSSL_NO_PSK */
4405 ADD_ALL_TESTS(test_custom_exts, 5);
4406 ADD_TEST(test_stateless);
4407 ADD_TEST(test_pha_key_update);
4409 ADD_ALL_TESTS(test_custom_exts, 3);
4411 ADD_ALL_TESTS(test_serverinfo, 8);
4412 ADD_ALL_TESTS(test_export_key_mat, 4);
4413 #ifndef OPENSSL_NO_TLS1_3
4414 ADD_ALL_TESTS(test_export_key_mat_early, 3);
4416 ADD_ALL_TESTS(test_ssl_clear, 2);
4417 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
4418 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4419 ADD_ALL_TESTS(test_srp, 6);
4421 ADD_ALL_TESTS(test_info_callback, 6);
4425 void cleanup_tests(void)
4427 bio_s_mempacket_test_free();