2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
18 #include "ssltestlib.h"
20 #include "internal/nelem.h"
21 #include "../ssl/ssl_locl.h"
23 static char *cert = NULL;
24 static char *privkey = NULL;
26 #define LOG_BUFFER_SIZE 1024
27 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
28 static size_t server_log_buffer_index = 0;
29 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
30 static size_t client_log_buffer_index = 0;
31 static int error_writing_log = 0;
33 #ifndef OPENSSL_NO_OCSP
34 static const unsigned char orespder[] = "Dummy OCSP Response";
35 static int ocsp_server_called = 0;
36 static int ocsp_client_called = 0;
38 static int cdummyarg = 1;
39 static X509 *ocspcert = NULL;
42 #define NUM_EXTRA_CERTS 40
43 #define CLIENT_VERSION_LEN 2
46 * This structure is used to validate that the correct number of log messages
47 * of various types are emitted when emitting secret logs.
49 struct sslapitest_log_counts {
50 unsigned int rsa_key_exchange_count;
51 unsigned int master_secret_count;
52 unsigned int client_handshake_secret_count;
53 unsigned int server_handshake_secret_count;
54 unsigned int client_application_secret_count;
55 unsigned int server_application_secret_count;
59 static unsigned char serverinfov1[] = {
60 0xff, 0xff, /* Dummy extension type */
61 0x00, 0x01, /* Extension length is 1 byte */
62 0xff /* Dummy extension data */
65 static unsigned char serverinfov2[] = {
67 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
68 0xff, 0xff, /* Dummy extension type */
69 0x00, 0x01, /* Extension length is 1 byte */
70 0xff /* Dummy extension data */
73 static void client_keylog_callback(const SSL *ssl, const char *line)
75 int line_length = strlen(line);
77 /* If the log doesn't fit, error out. */
78 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
79 TEST_info("Client log too full");
80 error_writing_log = 1;
84 strcat(client_log_buffer, line);
85 client_log_buffer_index += line_length;
86 client_log_buffer[client_log_buffer_index++] = '\n';
89 static void server_keylog_callback(const SSL *ssl, const char *line)
91 int line_length = strlen(line);
93 /* If the log doesn't fit, error out. */
94 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
95 TEST_info("Server log too full");
96 error_writing_log = 1;
100 strcat(server_log_buffer, line);
101 server_log_buffer_index += line_length;
102 server_log_buffer[server_log_buffer_index++] = '\n';
105 static int compare_hex_encoded_buffer(const char *hex_encoded,
113 if (!TEST_size_t_eq(raw_length * 2, hex_length))
116 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
117 sprintf(hexed, "%02x", raw[i]);
118 if (!TEST_int_eq(hexed[0], hex_encoded[j])
119 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
126 static int test_keylog_output(char *buffer, const SSL *ssl,
127 const SSL_SESSION *session,
128 struct sslapitest_log_counts *expected)
131 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
132 size_t client_random_size = SSL3_RANDOM_SIZE;
133 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
134 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
135 unsigned int rsa_key_exchange_count = 0;
136 unsigned int master_secret_count = 0;
137 unsigned int client_handshake_secret_count = 0;
138 unsigned int server_handshake_secret_count = 0;
139 unsigned int client_application_secret_count = 0;
140 unsigned int server_application_secret_count = 0;
142 for (token = strtok(buffer, " \n"); token != NULL;
143 token = strtok(NULL, " \n")) {
144 if (strcmp(token, "RSA") == 0) {
146 * Premaster secret. Tokens should be: 16 ASCII bytes of
147 * hex-encoded encrypted secret, then the hex-encoded pre-master
150 if (!TEST_ptr(token = strtok(NULL, " \n")))
152 if (!TEST_size_t_eq(strlen(token), 16))
154 if (!TEST_ptr(token = strtok(NULL, " \n")))
157 * We can't sensibly check the log because the premaster secret is
158 * transient, and OpenSSL doesn't keep hold of it once the master
159 * secret is generated.
161 rsa_key_exchange_count++;
162 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
164 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
165 * client random, then the hex-encoded master secret.
167 client_random_size = SSL_get_client_random(ssl,
168 actual_client_random,
170 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
173 if (!TEST_ptr(token = strtok(NULL, " \n")))
175 if (!TEST_size_t_eq(strlen(token), 64))
177 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
178 actual_client_random,
179 client_random_size)))
182 if (!TEST_ptr(token = strtok(NULL, " \n")))
184 master_key_size = SSL_SESSION_get_master_key(session,
187 if (!TEST_size_t_ne(master_key_size, 0))
189 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
193 master_secret_count++;
194 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
196 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
197 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
199 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
200 * client random, and then the hex-encoded secret. In this case,
201 * we treat all of these secrets identically and then just
202 * distinguish between them when counting what we saw.
204 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
205 client_handshake_secret_count++;
206 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
207 server_handshake_secret_count++;
208 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
209 client_application_secret_count++;
210 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
211 server_application_secret_count++;
213 client_random_size = SSL_get_client_random(ssl,
214 actual_client_random,
216 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
219 if (!TEST_ptr(token = strtok(NULL, " \n")))
221 if (!TEST_size_t_eq(strlen(token), 64))
223 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
224 actual_client_random,
225 client_random_size)))
228 if (!TEST_ptr(token = strtok(NULL, " \n")))
232 * TODO(TLS1.3): test that application traffic secrets are what
235 TEST_info("Unexpected token %s\n", token);
240 /* Got what we expected? */
241 if (!TEST_size_t_eq(rsa_key_exchange_count,
242 expected->rsa_key_exchange_count)
243 || !TEST_size_t_eq(master_secret_count,
244 expected->master_secret_count)
245 || !TEST_size_t_eq(client_handshake_secret_count,
246 expected->client_handshake_secret_count)
247 || !TEST_size_t_eq(server_handshake_secret_count,
248 expected->server_handshake_secret_count)
249 || !TEST_size_t_eq(client_application_secret_count,
250 expected->client_application_secret_count)
251 || !TEST_size_t_eq(server_application_secret_count,
252 expected->server_application_secret_count))
257 static int test_keylog(void)
259 SSL_CTX *cctx = NULL, *sctx = NULL;
260 SSL *clientssl = NULL, *serverssl = NULL;
262 struct sslapitest_log_counts expected = {0};
264 /* Clean up logging space */
265 memset(client_log_buffer, 0, sizeof(client_log_buffer));
266 memset(server_log_buffer, 0, sizeof(server_log_buffer));
267 client_log_buffer_index = 0;
268 server_log_buffer_index = 0;
269 error_writing_log = 0;
271 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
273 &sctx, &cctx, cert, privkey)))
276 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
277 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
278 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
280 /* We also want to ensure that we use RSA-based key exchange. */
281 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
284 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
285 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
287 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
288 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
289 == client_keylog_callback))
291 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
292 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
293 == server_keylog_callback))
296 /* Now do a handshake and check that the logs have been written to. */
297 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
298 &clientssl, NULL, NULL))
299 || !TEST_true(create_ssl_connection(serverssl, clientssl,
301 || !TEST_false(error_writing_log)
302 || !TEST_int_gt(client_log_buffer_index, 0)
303 || !TEST_int_gt(server_log_buffer_index, 0))
307 * Now we want to test that our output data was vaguely sensible. We
308 * do that by using strtok and confirming that we have more or less the
309 * data we expect. For both client and server, we expect to see one master
310 * secret. The client should also see a RSA key exchange.
312 expected.rsa_key_exchange_count = 1;
313 expected.master_secret_count = 1;
314 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
315 SSL_get_session(clientssl), &expected)))
318 expected.rsa_key_exchange_count = 0;
319 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
320 SSL_get_session(serverssl), &expected)))
334 #ifndef OPENSSL_NO_TLS1_3
335 static int test_keylog_no_master_key(void)
337 SSL_CTX *cctx = NULL, *sctx = NULL;
338 SSL *clientssl = NULL, *serverssl = NULL;
340 struct sslapitest_log_counts expected = {0};
342 /* Clean up logging space */
343 memset(client_log_buffer, 0, sizeof(client_log_buffer));
344 memset(server_log_buffer, 0, sizeof(server_log_buffer));
345 client_log_buffer_index = 0;
346 server_log_buffer_index = 0;
347 error_writing_log = 0;
349 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
350 TLS_client_method(), &sctx,
351 &cctx, cert, privkey)))
354 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
355 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
358 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
359 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
360 == client_keylog_callback))
363 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
364 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
365 == server_keylog_callback))
368 /* Now do a handshake and check that the logs have been written to. */
369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
370 &clientssl, NULL, NULL))
371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
373 || !TEST_false(error_writing_log))
377 * Now we want to test that our output data was vaguely sensible. For this
378 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
379 * TLSv1.3, but we do expect both client and server to emit keys.
381 expected.client_handshake_secret_count = 1;
382 expected.server_handshake_secret_count = 1;
383 expected.client_application_secret_count = 1;
384 expected.server_application_secret_count = 1;
385 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
386 SSL_get_session(clientssl), &expected))
387 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
388 SSL_get_session(serverssl),
404 #ifndef OPENSSL_NO_TLS1_2
405 static int full_client_hello_callback(SSL *s, int *al, void *arg)
408 const unsigned char *p;
410 /* We only configure two ciphers, but the SCSV is added automatically. */
412 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
414 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
417 const int expected_extensions[] = {
418 #ifndef OPENSSL_NO_EC
424 /* Make sure we can defer processing and get called back. */
426 return SSL_CLIENT_HELLO_RETRY;
428 len = SSL_client_hello_get0_ciphers(s, &p);
429 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
431 SSL_client_hello_get0_compression_methods(s, &p), 1)
432 || !TEST_int_eq(*p, 0))
433 return SSL_CLIENT_HELLO_ERROR;
434 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
435 return SSL_CLIENT_HELLO_ERROR;
436 if (len != OSSL_NELEM(expected_extensions) ||
437 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
438 printf("ClientHello callback expected extensions mismatch\n");
440 return SSL_CLIENT_HELLO_ERROR;
443 return SSL_CLIENT_HELLO_SUCCESS;
446 static int test_client_hello_cb(void)
448 SSL_CTX *cctx = NULL, *sctx = NULL;
449 SSL *clientssl = NULL, *serverssl = NULL;
450 int testctr = 0, testresult = 0;
452 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
453 TLS_client_method(), &sctx,
454 &cctx, cert, privkey)))
456 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
458 /* The gimpy cipher list we configure can't do TLS 1.3. */
459 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
461 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
462 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
463 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
464 &clientssl, NULL, NULL))
465 || !TEST_false(create_ssl_connection(serverssl, clientssl,
466 SSL_ERROR_WANT_CLIENT_HELLO_CB))
468 * Passing a -1 literal is a hack since
469 * the real value was lost.
471 || !TEST_int_eq(SSL_get_error(serverssl, -1),
472 SSL_ERROR_WANT_CLIENT_HELLO_CB)
473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
489 static int execute_test_large_message(const SSL_METHOD *smeth,
490 const SSL_METHOD *cmeth, int read_ahead)
492 SSL_CTX *cctx = NULL, *sctx = NULL;
493 SSL *clientssl = NULL, *serverssl = NULL;
497 X509 *chaincert = NULL;
500 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
502 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
505 if (!TEST_ptr(chaincert))
508 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
509 &cctx, cert, privkey)))
514 * Test that read_ahead works correctly when dealing with large
517 SSL_CTX_set_read_ahead(cctx, 1);
521 * We assume the supplied certificate is big enough so that if we add
522 * NUM_EXTRA_CERTS it will make the overall message large enough. The
523 * default buffer size is requested to be 16k, but due to the way BUF_MEM
524 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
525 * test we need to have a message larger than that.
527 certlen = i2d_X509(chaincert, NULL);
528 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
529 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
530 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
531 if (!X509_up_ref(chaincert))
533 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
534 X509_free(chaincert);
539 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
541 || !TEST_true(create_ssl_connection(serverssl, clientssl,
546 * Calling SSL_clear() first is not required but this tests that SSL_clear()
547 * doesn't leak (when using enable-crypto-mdebug).
549 if (!TEST_true(SSL_clear(serverssl)))
554 X509_free(chaincert);
563 static int test_large_message_tls(void)
565 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
569 static int test_large_message_tls_read_ahead(void)
571 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
575 #ifndef OPENSSL_NO_DTLS
576 static int test_large_message_dtls(void)
579 * read_ahead is not relevant to DTLS because DTLS always acts as if
582 return execute_test_large_message(DTLS_server_method(),
583 DTLS_client_method(), 0);
587 #ifndef OPENSSL_NO_OCSP
588 static int ocsp_server_cb(SSL *s, void *arg)
590 int *argi = (int *)arg;
591 unsigned char *copy = NULL;
592 STACK_OF(OCSP_RESPID) *ids = NULL;
593 OCSP_RESPID *id = NULL;
596 /* In this test we are expecting exactly 1 OCSP_RESPID */
597 SSL_get_tlsext_status_ids(s, &ids);
598 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
599 return SSL_TLSEXT_ERR_ALERT_FATAL;
601 id = sk_OCSP_RESPID_value(ids, 0);
602 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
603 return SSL_TLSEXT_ERR_ALERT_FATAL;
604 } else if (*argi != 1) {
605 return SSL_TLSEXT_ERR_ALERT_FATAL;
608 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
609 return SSL_TLSEXT_ERR_ALERT_FATAL;
611 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
612 ocsp_server_called = 1;
613 return SSL_TLSEXT_ERR_OK;
616 static int ocsp_client_cb(SSL *s, void *arg)
618 int *argi = (int *)arg;
619 const unsigned char *respderin;
622 if (*argi != 1 && *argi != 2)
625 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
626 if (!TEST_mem_eq(orespder, len, respderin, len))
629 ocsp_client_called = 1;
633 static int test_tlsext_status_type(void)
635 SSL_CTX *cctx = NULL, *sctx = NULL;
636 SSL *clientssl = NULL, *serverssl = NULL;
638 STACK_OF(OCSP_RESPID) *ids = NULL;
639 OCSP_RESPID *id = NULL;
642 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
643 &cctx, cert, privkey))
646 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
649 /* First just do various checks getting and setting tlsext_status_type */
651 clientssl = SSL_new(cctx);
652 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
653 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
654 TLSEXT_STATUSTYPE_ocsp))
655 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
656 TLSEXT_STATUSTYPE_ocsp))
662 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
663 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
666 clientssl = SSL_new(cctx);
667 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
673 * Now actually do a handshake and check OCSP information is exchanged and
674 * the callbacks get called
676 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
677 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
678 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
679 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
680 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
681 &clientssl, NULL, NULL))
682 || !TEST_true(create_ssl_connection(serverssl, clientssl,
684 || !TEST_true(ocsp_client_called)
685 || !TEST_true(ocsp_server_called))
692 /* Try again but this time force the server side callback to fail */
693 ocsp_client_called = 0;
694 ocsp_server_called = 0;
696 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
697 &clientssl, NULL, NULL))
698 /* This should fail because the callback will fail */
699 || !TEST_false(create_ssl_connection(serverssl, clientssl,
701 || !TEST_false(ocsp_client_called)
702 || !TEST_false(ocsp_server_called))
710 * This time we'll get the client to send an OCSP_RESPID that it will
713 ocsp_client_called = 0;
714 ocsp_server_called = 0;
716 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
717 &clientssl, NULL, NULL)))
721 * We'll just use any old cert for this test - it doesn't have to be an OCSP
722 * specific one. We'll use the server cert.
724 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
725 || !TEST_ptr(id = OCSP_RESPID_new())
726 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
727 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
729 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
730 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
733 SSL_set_tlsext_status_ids(clientssl, ids);
734 /* Control has been transferred */
740 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
742 || !TEST_true(ocsp_client_called)
743 || !TEST_true(ocsp_server_called))
753 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
754 OCSP_RESPID_free(id);
763 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
764 static int new_called, remove_called, get_called;
766 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
770 * sess has been up-refed for us, but we don't actually need it so free it
773 SSL_SESSION_free(sess);
777 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
782 static SSL_SESSION *get_sess_val = NULL;
784 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
792 static int execute_test_session(int maxprot, int use_int_cache,
795 SSL_CTX *sctx = NULL, *cctx = NULL;
796 SSL *serverssl1 = NULL, *clientssl1 = NULL;
797 SSL *serverssl2 = NULL, *clientssl2 = NULL;
798 # ifndef OPENSSL_NO_TLS1_1
799 SSL *serverssl3 = NULL, *clientssl3 = NULL;
801 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
804 new_called = remove_called = 0;
806 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
807 TLS_client_method(), &sctx,
808 &cctx, cert, privkey)))
812 * Only allow the max protocol version so we can force a connection failure
815 SSL_CTX_set_min_proto_version(cctx, maxprot);
816 SSL_CTX_set_max_proto_version(cctx, maxprot);
818 /* Set up session cache */
820 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
821 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
824 /* Also covers instance where both are set */
825 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
827 SSL_CTX_set_session_cache_mode(cctx,
828 SSL_SESS_CACHE_CLIENT
829 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
832 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
834 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
836 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
839 /* Should fail because it should already be in the cache */
840 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
843 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
846 new_called = remove_called = 0;
847 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
848 &clientssl2, NULL, NULL))
849 || !TEST_true(SSL_set_session(clientssl2, sess1))
850 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
852 || !TEST_true(SSL_session_reused(clientssl2)))
855 if (maxprot == TLS1_3_VERSION) {
857 * In TLSv1.3 we should have created a new session even though we have
858 * resumed. The original session should also have been removed.
861 && (!TEST_int_eq(new_called, 1)
862 || !TEST_int_eq(remove_called, 1)))
866 * In TLSv1.2 we expect to have resumed so no sessions added or
870 && (!TEST_int_eq(new_called, 0)
871 || !TEST_int_eq(remove_called, 0)))
875 SSL_SESSION_free(sess1);
876 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
878 shutdown_ssl_connection(serverssl2, clientssl2);
879 serverssl2 = clientssl2 = NULL;
881 new_called = remove_called = 0;
882 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
883 &clientssl2, NULL, NULL))
884 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
888 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
892 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
895 new_called = remove_called = 0;
897 * This should clear sess2 from the cache because it is a "bad" session.
898 * See SSL_set_session() documentation.
900 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
903 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
905 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
909 /* Should succeeded because it should not already be in the cache */
910 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
911 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
915 new_called = remove_called = 0;
916 /* This shouldn't be in the cache so should fail */
917 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
921 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
924 # if !defined(OPENSSL_NO_TLS1_1)
925 new_called = remove_called = 0;
926 /* Force a connection failure */
927 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
928 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
929 &clientssl3, NULL, NULL))
930 || !TEST_true(SSL_set_session(clientssl3, sess1))
931 /* This should fail because of the mismatched protocol versions */
932 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
936 /* We should have automatically removed the session from the cache */
938 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
941 /* Should succeed because it should not already be in the cache */
942 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
946 /* Now do some tests for server side caching */
948 SSL_CTX_sess_set_new_cb(cctx, NULL);
949 SSL_CTX_sess_set_remove_cb(cctx, NULL);
950 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
951 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
952 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
956 SSL_CTX_set_session_cache_mode(cctx, 0);
957 /* Internal caching is the default on the server side */
959 SSL_CTX_set_session_cache_mode(sctx,
960 SSL_SESS_CACHE_SERVER
961 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
963 SSL_free(serverssl1);
964 SSL_free(clientssl1);
965 serverssl1 = clientssl1 = NULL;
966 SSL_free(serverssl2);
967 SSL_free(clientssl2);
968 serverssl2 = clientssl2 = NULL;
969 SSL_SESSION_free(sess1);
971 SSL_SESSION_free(sess2);
974 SSL_CTX_set_max_proto_version(sctx, maxprot);
975 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
976 new_called = remove_called = get_called = 0;
977 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
979 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
981 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
982 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
985 /* Should fail because it should already be in the cache */
986 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
990 SSL_SESSION *tmp = sess2;
992 if (!TEST_int_eq(new_called, 1)
993 || !TEST_int_eq(remove_called, 0)
994 || !TEST_int_eq(get_called, 0))
997 * Delete the session from the internal cache to force a lookup from
998 * the external cache. We take a copy first because
999 * SSL_CTX_remove_session() also marks the session as non-resumable.
1001 if (use_int_cache) {
1002 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1003 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1005 SSL_SESSION_free(sess2);
1010 new_called = remove_called = get_called = 0;
1011 get_sess_val = sess2;
1012 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1013 &clientssl2, NULL, NULL))
1014 || !TEST_true(SSL_set_session(clientssl2, sess1))
1015 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1017 || !TEST_true(SSL_session_reused(clientssl2)))
1020 if (use_ext_cache) {
1021 if (!TEST_int_eq(new_called, 0)
1022 || !TEST_int_eq(remove_called, 0))
1025 if (maxprot == TLS1_3_VERSION) {
1026 if (!TEST_int_eq(get_called, 0))
1029 if (!TEST_int_eq(get_called, 1))
1037 SSL_free(serverssl1);
1038 SSL_free(clientssl1);
1039 SSL_free(serverssl2);
1040 SSL_free(clientssl2);
1041 # ifndef OPENSSL_NO_TLS1_1
1042 SSL_free(serverssl3);
1043 SSL_free(clientssl3);
1045 SSL_SESSION_free(sess1);
1046 SSL_SESSION_free(sess2);
1052 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1054 static int test_session_with_only_int_cache(void)
1056 #ifndef OPENSSL_NO_TLS1_3
1057 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1061 #ifndef OPENSSL_NO_TLS1_2
1062 return execute_test_session(TLS1_2_VERSION, 1, 0);
1068 static int test_session_with_only_ext_cache(void)
1070 #ifndef OPENSSL_NO_TLS1_3
1071 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1075 #ifndef OPENSSL_NO_TLS1_2
1076 return execute_test_session(TLS1_2_VERSION, 0, 1);
1082 static int test_session_with_both_cache(void)
1084 #ifndef OPENSSL_NO_TLS1_3
1085 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1089 #ifndef OPENSSL_NO_TLS1_2
1090 return execute_test_session(TLS1_2_VERSION, 1, 1);
1100 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1102 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1117 static int test_ssl_set_bio(int idx)
1122 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1124 int initrbio, initwbio, newrbio, newwbio;
1134 if (!TEST_int_le(newwbio, 2))
1137 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1138 || !TEST_ptr(ssl = SSL_new(ctx)))
1141 if (initrbio == USE_BIO_1
1142 || initwbio == USE_BIO_1
1143 || newrbio == USE_BIO_1
1144 || newwbio == USE_BIO_1) {
1145 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1149 if (initrbio == USE_BIO_2
1150 || initwbio == USE_BIO_2
1151 || newrbio == USE_BIO_2
1152 || newwbio == USE_BIO_2) {
1153 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1157 setupbio(&irbio, bio1, bio2, initrbio);
1158 setupbio(&iwbio, bio1, bio2, initwbio);
1161 * We want to maintain our own refs to these BIO, so do an up ref for each
1162 * BIO that will have ownership transferred in the SSL_set_bio() call
1166 if (iwbio != NULL && iwbio != irbio)
1169 SSL_set_bio(ssl, irbio, iwbio);
1171 setupbio(&nrbio, bio1, bio2, newrbio);
1172 setupbio(&nwbio, bio1, bio2, newwbio);
1175 * We will (maybe) transfer ownership again so do more up refs.
1176 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1181 && (nwbio != iwbio || nrbio != nwbio))
1185 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1188 SSL_set_bio(ssl, nrbio, nwbio);
1198 * This test is checking that the ref counting for SSL_set_bio is correct.
1199 * If we get here and we did too many frees then we will fail in the above
1200 * functions. If we haven't done enough then this will only be detected in
1201 * a crypto-mdebug build
1207 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1209 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1211 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1216 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1217 || !TEST_ptr(ssl = SSL_new(ctx))
1218 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1219 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1222 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1225 * If anything goes wrong here then we could leak memory, so this will
1226 * be caught in a crypto-mdebug build
1228 BIO_push(sslbio, membio1);
1230 /* Verify changing the rbio/wbio directly does not cause leaks */
1231 if (change_bio != NO_BIO_CHANGE) {
1232 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1234 if (change_bio == CHANGE_RBIO)
1235 SSL_set0_rbio(ssl, membio2);
1237 SSL_set0_wbio(ssl, membio2);
1256 static int test_ssl_bio_pop_next_bio(void)
1258 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1261 static int test_ssl_bio_pop_ssl_bio(void)
1263 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1266 static int test_ssl_bio_change_rbio(void)
1268 return execute_test_ssl_bio(0, CHANGE_RBIO);
1271 static int test_ssl_bio_change_wbio(void)
1273 return execute_test_ssl_bio(0, CHANGE_WBIO);
1277 /* The list of sig algs */
1279 /* The length of the list */
1281 /* A sigalgs list in string format */
1282 const char *liststr;
1283 /* Whether setting the list should succeed */
1285 /* Whether creating a connection with the list should succeed */
1289 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1290 #ifndef OPENSSL_NO_EC
1291 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1292 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1294 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1295 static const int invalidlist2[] = {NID_sha256, NID_undef};
1296 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1297 static const int invalidlist4[] = {NID_sha256};
1298 static const sigalgs_list testsigalgs[] = {
1299 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1300 #ifndef OPENSSL_NO_EC
1301 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1302 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1304 {NULL, 0, "RSA+SHA256", 1, 1},
1305 #ifndef OPENSSL_NO_EC
1306 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1307 {NULL, 0, "ECDSA+SHA512", 1, 0},
1309 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1310 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1311 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1312 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1313 {NULL, 0, "RSA", 0, 0},
1314 {NULL, 0, "SHA256", 0, 0},
1315 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1316 {NULL, 0, "Invalid", 0, 0}
1319 static int test_set_sigalgs(int idx)
1321 SSL_CTX *cctx = NULL, *sctx = NULL;
1322 SSL *clientssl = NULL, *serverssl = NULL;
1324 const sigalgs_list *curr;
1327 /* Should never happen */
1328 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1331 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1332 curr = testctx ? &testsigalgs[idx]
1333 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1335 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1336 TLS_client_method(), &sctx,
1337 &cctx, cert, privkey)))
1341 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1342 * for TLSv1.2 for now until we add a new API.
1344 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1349 if (curr->list != NULL)
1350 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1352 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1356 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1362 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1367 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1368 &clientssl, NULL, NULL)))
1374 if (curr->list != NULL)
1375 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1377 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1380 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1389 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1397 SSL_free(serverssl);
1398 SSL_free(clientssl);
1405 #ifndef OPENSSL_NO_TLS1_3
1407 static SSL_SESSION *clientpsk = NULL;
1408 static SSL_SESSION *serverpsk = NULL;
1409 static const char *pskid = "Identity";
1410 static const char *srvid;
1412 static int use_session_cb_cnt = 0;
1413 static int find_session_cb_cnt = 0;
1415 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1416 size_t *idlen, SSL_SESSION **sess)
1418 switch (++use_session_cb_cnt) {
1420 /* The first call should always have a NULL md */
1426 /* The second call should always have an md */
1432 /* We should only be called a maximum of twice */
1436 if (clientpsk != NULL)
1437 SSL_SESSION_up_ref(clientpsk);
1440 *id = (const unsigned char *)pskid;
1441 *idlen = strlen(pskid);
1446 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1447 size_t identity_len, SSL_SESSION **sess)
1449 find_session_cb_cnt++;
1451 /* We should only ever be called a maximum of twice per connection */
1452 if (find_session_cb_cnt > 2)
1455 if (serverpsk == NULL)
1458 /* Identity should match that set by the client */
1459 if (strlen(srvid) != identity_len
1460 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1461 /* No PSK found, continue but without a PSK */
1466 SSL_SESSION_up_ref(serverpsk);
1472 #define MSG1 "Hello"
1473 #define MSG2 "World."
1478 #define MSG7 "message."
1480 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1483 * Helper method to setup objects for early data test. Caller frees objects on
1486 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1487 SSL **serverssl, SSL_SESSION **sess, int idx)
1489 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1490 TLS_client_method(), sctx,
1491 cctx, cert, privkey)))
1495 /* When idx == 1 we repeat the tests with read_ahead set */
1496 SSL_CTX_set_read_ahead(*cctx, 1);
1497 SSL_CTX_set_read_ahead(*sctx, 1);
1498 } else if (idx == 2) {
1499 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1500 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1501 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1502 use_session_cb_cnt = 0;
1503 find_session_cb_cnt = 0;
1507 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1512 * For one of the run throughs (doesn't matter which one), we'll try sending
1513 * some SNI data in the initial ClientHello. This will be ignored (because
1514 * there is no SNI cb set up by the server), so it should not impact
1518 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1522 /* Create the PSK */
1523 const SSL_CIPHER *cipher = NULL;
1524 const unsigned char key[] = {
1525 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1526 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1527 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1528 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1529 0x2c, 0x2d, 0x2e, 0x2f
1532 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1533 clientpsk = SSL_SESSION_new();
1534 if (!TEST_ptr(clientpsk)
1535 || !TEST_ptr(cipher)
1536 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1538 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1540 SSL_SESSION_set_protocol_version(clientpsk,
1543 * We just choose an arbitrary value for max_early_data which
1544 * should be big enough for testing purposes.
1546 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1548 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1549 SSL_SESSION_free(clientpsk);
1553 serverpsk = clientpsk;
1563 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1567 *sess = SSL_get1_session(*clientssl);
1568 SSL_shutdown(*clientssl);
1569 SSL_shutdown(*serverssl);
1570 SSL_free(*serverssl);
1571 SSL_free(*clientssl);
1572 *serverssl = *clientssl = NULL;
1574 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1575 clientssl, NULL, NULL))
1576 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1582 static int test_early_data_read_write(int idx)
1584 SSL_CTX *cctx = NULL, *sctx = NULL;
1585 SSL *clientssl = NULL, *serverssl = NULL;
1587 SSL_SESSION *sess = NULL;
1588 unsigned char buf[20], data[1024];
1589 size_t readbytes, written, eoedlen, rawread, rawwritten;
1592 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1593 &serverssl, &sess, idx)))
1596 /* Write and read some early data */
1597 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1599 || !TEST_size_t_eq(written, strlen(MSG1))
1600 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1601 sizeof(buf), &readbytes),
1602 SSL_READ_EARLY_DATA_SUCCESS)
1603 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1604 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1605 SSL_EARLY_DATA_ACCEPTED))
1609 * Server should be able to write data, and client should be able to
1612 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1614 || !TEST_size_t_eq(written, strlen(MSG2))
1615 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1616 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1619 /* Even after reading normal data, client should be able write early data */
1620 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1622 || !TEST_size_t_eq(written, strlen(MSG3)))
1625 /* Server should still be able read early data after writing data */
1626 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1628 SSL_READ_EARLY_DATA_SUCCESS)
1629 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1632 /* Write more data from server and read it from client */
1633 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1635 || !TEST_size_t_eq(written, strlen(MSG4))
1636 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1637 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1641 * If client writes normal data it should mean writing early data is no
1644 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1645 || !TEST_size_t_eq(written, strlen(MSG5))
1646 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1647 SSL_EARLY_DATA_ACCEPTED))
1651 * At this point the client has written EndOfEarlyData, ClientFinished and
1652 * normal (fully protected) data. We are going to cause a delay between the
1653 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1654 * in the read BIO, and then just put back the EndOfEarlyData message.
1656 rbio = SSL_get_rbio(serverssl);
1657 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1658 || !TEST_size_t_lt(rawread, sizeof(data))
1659 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1662 /* Record length is in the 4th and 5th bytes of the record header */
1663 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1664 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1665 || !TEST_size_t_eq(rawwritten, eoedlen))
1668 /* Server should be told that there is no more early data */
1669 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1671 SSL_READ_EARLY_DATA_FINISH)
1672 || !TEST_size_t_eq(readbytes, 0))
1676 * Server has not finished init yet, so should still be able to write early
1679 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1681 || !TEST_size_t_eq(written, strlen(MSG6)))
1684 /* Push the ClientFinished and the normal data back into the server rbio */
1685 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1687 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1690 /* Server should be able to read normal data */
1691 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1692 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1695 /* Client and server should not be able to write/read early data now */
1696 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1700 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1702 SSL_READ_EARLY_DATA_ERROR))
1706 /* Client should be able to read the data sent by the server */
1707 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1708 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1712 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1713 * We attempt a read which we do not expect to return any data.
1715 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1718 /* Server should be able to write normal data */
1719 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1720 || !TEST_size_t_eq(written, strlen(MSG7))
1721 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1722 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1725 /* We keep the PSK session around if using PSK */
1727 SSL_SESSION_free(sess);
1728 sess = SSL_get1_session(clientssl);
1729 use_session_cb_cnt = 0;
1730 find_session_cb_cnt = 0;
1732 SSL_shutdown(clientssl);
1733 SSL_shutdown(serverssl);
1734 SSL_free(serverssl);
1735 SSL_free(clientssl);
1736 serverssl = clientssl = NULL;
1737 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1738 &clientssl, NULL, NULL))
1739 || !TEST_true(SSL_set_session(clientssl, sess)))
1742 /* Write and read some early data */
1743 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1745 || !TEST_size_t_eq(written, strlen(MSG1))
1746 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1748 SSL_READ_EARLY_DATA_SUCCESS)
1749 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1752 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1753 || !TEST_int_gt(SSL_accept(serverssl), 0))
1756 /* Client and server should not be able to write/read early data now */
1757 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1761 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1763 SSL_READ_EARLY_DATA_ERROR))
1767 /* Client and server should be able to write/read normal data */
1768 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1769 || !TEST_size_t_eq(written, strlen(MSG5))
1770 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1771 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1777 if (sess != clientpsk)
1778 SSL_SESSION_free(sess);
1779 SSL_SESSION_free(clientpsk);
1780 SSL_SESSION_free(serverpsk);
1781 clientpsk = serverpsk = NULL;
1782 SSL_free(serverssl);
1783 SSL_free(clientssl);
1790 * Helper function to test that a server attempting to read early data can
1791 * handle a connection from a client where the early data should be skipped.
1793 static int early_data_skip_helper(int hrr, int idx)
1795 SSL_CTX *cctx = NULL, *sctx = NULL;
1796 SSL *clientssl = NULL, *serverssl = NULL;
1798 SSL_SESSION *sess = NULL;
1799 unsigned char buf[20];
1800 size_t readbytes, written;
1802 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1803 &serverssl, &sess, idx)))
1807 /* Force an HRR to occur */
1808 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1810 } else if (idx == 2) {
1812 * We force early_data rejection by ensuring the PSK identity is
1815 srvid = "Dummy Identity";
1818 * Deliberately corrupt the creation time. We take 20 seconds off the
1819 * time. It could be any value as long as it is not within tolerance.
1820 * This should mean the ticket is rejected.
1822 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
1826 /* Write some early data */
1827 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1829 || !TEST_size_t_eq(written, strlen(MSG1)))
1832 /* Server should reject the early data and skip over it */
1833 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1835 SSL_READ_EARLY_DATA_FINISH)
1836 || !TEST_size_t_eq(readbytes, 0)
1837 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1838 SSL_EARLY_DATA_REJECTED))
1843 * Finish off the handshake. We perform the same writes and reads as
1844 * further down but we expect them to fail due to the incomplete
1847 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1848 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1853 /* Should be able to send normal data despite rejection of early data */
1854 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1855 || !TEST_size_t_eq(written, strlen(MSG2))
1856 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1857 SSL_EARLY_DATA_REJECTED)
1858 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1859 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1865 if (sess != clientpsk)
1866 SSL_SESSION_free(clientpsk);
1867 SSL_SESSION_free(serverpsk);
1868 clientpsk = serverpsk = NULL;
1869 SSL_SESSION_free(sess);
1870 SSL_free(serverssl);
1871 SSL_free(clientssl);
1878 * Test that a server attempting to read early data can handle a connection
1879 * from a client where the early data is not acceptable.
1881 static int test_early_data_skip(int idx)
1883 return early_data_skip_helper(0, idx);
1887 * Test that a server attempting to read early data can handle a connection
1888 * from a client where an HRR occurs.
1890 static int test_early_data_skip_hrr(int idx)
1892 return early_data_skip_helper(1, idx);
1896 * Test that a server attempting to read early data can handle a connection
1897 * from a client that doesn't send any.
1899 static int test_early_data_not_sent(int idx)
1901 SSL_CTX *cctx = NULL, *sctx = NULL;
1902 SSL *clientssl = NULL, *serverssl = NULL;
1904 SSL_SESSION *sess = NULL;
1905 unsigned char buf[20];
1906 size_t readbytes, written;
1908 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1909 &serverssl, &sess, idx)))
1912 /* Write some data - should block due to handshake with server */
1913 SSL_set_connect_state(clientssl);
1914 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1917 /* Server should detect that early data has not been sent */
1918 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1920 SSL_READ_EARLY_DATA_FINISH)
1921 || !TEST_size_t_eq(readbytes, 0)
1922 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1923 SSL_EARLY_DATA_NOT_SENT)
1924 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1925 SSL_EARLY_DATA_NOT_SENT))
1928 /* Continue writing the message we started earlier */
1929 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1930 || !TEST_size_t_eq(written, strlen(MSG1))
1931 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1932 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1933 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
1934 || !TEST_size_t_eq(written, strlen(MSG2)))
1938 * Should block due to the NewSessionTicket arrival unless we're using
1942 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1946 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1947 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1953 /* If using PSK then clientpsk and sess are the same */
1954 SSL_SESSION_free(sess);
1955 SSL_SESSION_free(serverpsk);
1956 clientpsk = serverpsk = NULL;
1957 SSL_free(serverssl);
1958 SSL_free(clientssl);
1964 static int hostname_cb(SSL *s, int *al, void *arg)
1966 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1968 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
1969 return SSL_TLSEXT_ERR_OK;
1971 return SSL_TLSEXT_ERR_NOACK;
1974 static const char *servalpn;
1976 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
1977 unsigned char *outlen, const unsigned char *in,
1978 unsigned int inlen, void *arg)
1980 unsigned int protlen = 0;
1981 const unsigned char *prot;
1983 for (prot = in; prot < in + inlen; prot += protlen) {
1985 if (in + inlen < prot + protlen)
1986 return SSL_TLSEXT_ERR_NOACK;
1988 if (protlen == strlen(servalpn)
1989 && memcmp(prot, servalpn, protlen) == 0) {
1992 return SSL_TLSEXT_ERR_OK;
1996 return SSL_TLSEXT_ERR_NOACK;
1999 /* Test that a PSK can be used to send early_data */
2000 static int test_early_data_psk(int idx)
2002 SSL_CTX *cctx = NULL, *sctx = NULL;
2003 SSL *clientssl = NULL, *serverssl = NULL;
2005 SSL_SESSION *sess = NULL;
2006 unsigned char alpnlist[] = {
2007 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2010 #define GOODALPNLEN 9
2011 #define BADALPNLEN 8
2012 #define GOODALPN (alpnlist)
2013 #define BADALPN (alpnlist + GOODALPNLEN)
2015 unsigned char buf[20];
2016 size_t readbytes, written;
2017 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2018 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2020 /* We always set this up with a final parameter of "2" for PSK */
2021 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2022 &serverssl, &sess, 2)))
2025 servalpn = "goodalpn";
2028 * Note: There is no test for inconsistent SNI with late client detection.
2029 * This is because servers do not acknowledge SNI even if they are using
2030 * it in a resumption handshake - so it is not actually possible for a
2031 * client to detect a problem.
2035 /* Set inconsistent SNI (early client detection) */
2036 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2037 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2038 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2043 /* Set inconsistent ALPN (early client detection) */
2044 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2045 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2046 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2048 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2055 * Set invalid protocol version. Technically this affects PSKs without
2056 * early_data too, but we test it here because it is similar to the
2057 * SNI/ALPN consistency tests.
2059 err = SSL_R_BAD_PSK;
2060 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2066 * Set inconsistent SNI (server detected). In this case the connection
2067 * will succeed but reject early_data.
2069 SSL_SESSION_free(serverpsk);
2070 serverpsk = SSL_SESSION_dup(clientpsk);
2071 if (!TEST_ptr(serverpsk)
2072 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2074 edstatus = SSL_EARLY_DATA_REJECTED;
2075 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2078 /* Set consistent SNI */
2079 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2080 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2081 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2088 * Set inconsistent ALPN (server detected). In this case the connection
2089 * will succeed but reject early_data.
2091 servalpn = "badalpn";
2092 edstatus = SSL_EARLY_DATA_REJECTED;
2093 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2097 * Set consistent ALPN.
2098 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2099 * accepts a list of protos (each one length prefixed).
2100 * SSL_set1_alpn_selected accepts a single protocol (not length
2103 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2105 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2109 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2113 /* Set inconsistent ALPN (late client detection) */
2114 SSL_SESSION_free(serverpsk);
2115 serverpsk = SSL_SESSION_dup(clientpsk);
2116 if (!TEST_ptr(serverpsk)
2117 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2120 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2123 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2126 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2127 edstatus = SSL_EARLY_DATA_ACCEPTED;
2128 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2129 /* SSL_connect() call should fail */
2134 TEST_error("Bad test index");
2138 SSL_set_connect_state(clientssl);
2140 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2142 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2143 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2146 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2150 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2151 &readbytes), readearlyres)
2152 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2153 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2154 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2155 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2162 SSL_SESSION_free(clientpsk);
2163 SSL_SESSION_free(serverpsk);
2164 clientpsk = serverpsk = NULL;
2165 SSL_free(serverssl);
2166 SSL_free(clientssl);
2173 * Test that a server that doesn't try to read early data can handle a
2174 * client sending some.
2176 static int test_early_data_not_expected(int idx)
2178 SSL_CTX *cctx = NULL, *sctx = NULL;
2179 SSL *clientssl = NULL, *serverssl = NULL;
2181 SSL_SESSION *sess = NULL;
2182 unsigned char buf[20];
2183 size_t readbytes, written;
2185 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2186 &serverssl, &sess, idx)))
2189 /* Write some early data */
2190 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2195 * Server should skip over early data and then block waiting for client to
2196 * continue handshake
2198 if (!TEST_int_le(SSL_accept(serverssl), 0)
2199 || !TEST_int_gt(SSL_connect(clientssl), 0)
2200 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2201 SSL_EARLY_DATA_REJECTED)
2202 || !TEST_int_gt(SSL_accept(serverssl), 0)
2203 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2204 SSL_EARLY_DATA_REJECTED))
2207 /* Send some normal data from client to server */
2208 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2209 || !TEST_size_t_eq(written, strlen(MSG2)))
2212 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2213 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2219 /* If using PSK then clientpsk and sess are the same */
2220 SSL_SESSION_free(sess);
2221 SSL_SESSION_free(serverpsk);
2222 clientpsk = serverpsk = NULL;
2223 SSL_free(serverssl);
2224 SSL_free(clientssl);
2231 # ifndef OPENSSL_NO_TLS1_2
2233 * Test that a server attempting to read early data can handle a connection
2234 * from a TLSv1.2 client.
2236 static int test_early_data_tls1_2(int idx)
2238 SSL_CTX *cctx = NULL, *sctx = NULL;
2239 SSL *clientssl = NULL, *serverssl = NULL;
2241 unsigned char buf[20];
2242 size_t readbytes, written;
2244 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2245 &serverssl, NULL, idx)))
2248 /* Write some data - should block due to handshake with server */
2249 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2250 SSL_set_connect_state(clientssl);
2251 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2255 * Server should do TLSv1.2 handshake. First it will block waiting for more
2256 * messages from client after ServerDone. Then SSL_read_early_data should
2257 * finish and detect that early data has not been sent
2259 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2261 SSL_READ_EARLY_DATA_ERROR))
2265 * Continue writing the message we started earlier. Will still block waiting
2266 * for the CCS/Finished from server
2268 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2269 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2271 SSL_READ_EARLY_DATA_FINISH)
2272 || !TEST_size_t_eq(readbytes, 0)
2273 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2274 SSL_EARLY_DATA_NOT_SENT))
2277 /* Continue writing the message we started earlier */
2278 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2279 || !TEST_size_t_eq(written, strlen(MSG1))
2280 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2281 SSL_EARLY_DATA_NOT_SENT)
2282 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2283 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2284 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2285 || !TEST_size_t_eq(written, strlen(MSG2))
2286 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2287 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2293 /* If using PSK then clientpsk and sess are the same */
2294 SSL_SESSION_free(clientpsk);
2295 SSL_SESSION_free(serverpsk);
2296 clientpsk = serverpsk = NULL;
2297 SSL_free(serverssl);
2298 SSL_free(clientssl);
2304 # endif /* OPENSSL_NO_TLS1_2 */
2306 static int test_ciphersuite_change(void)
2308 SSL_CTX *cctx = NULL, *sctx = NULL;
2309 SSL *clientssl = NULL, *serverssl = NULL;
2310 SSL_SESSION *clntsess = NULL;
2312 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2314 /* Create a session based on SHA-256 */
2315 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2316 TLS_client_method(), &sctx,
2317 &cctx, cert, privkey))
2318 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
2319 "TLS13-AES-128-GCM-SHA256"))
2320 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2321 &clientssl, NULL, NULL))
2322 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2326 clntsess = SSL_get1_session(clientssl);
2327 /* Save for later */
2328 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2329 SSL_shutdown(clientssl);
2330 SSL_shutdown(serverssl);
2331 SSL_free(serverssl);
2332 SSL_free(clientssl);
2333 serverssl = clientssl = NULL;
2335 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2336 /* Check we can resume a session with a different SHA-256 ciphersuite */
2337 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2338 "TLS13-CHACHA20-POLY1305-SHA256"))
2339 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2341 || !TEST_true(SSL_set_session(clientssl, clntsess))
2342 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2344 || !TEST_true(SSL_session_reused(clientssl)))
2347 SSL_SESSION_free(clntsess);
2348 clntsess = SSL_get1_session(clientssl);
2349 SSL_shutdown(clientssl);
2350 SSL_shutdown(serverssl);
2351 SSL_free(serverssl);
2352 SSL_free(clientssl);
2353 serverssl = clientssl = NULL;
2357 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2358 * succeeds but does not resume.
2360 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2361 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2363 || !TEST_true(SSL_set_session(clientssl, clntsess))
2364 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2366 || !TEST_false(SSL_session_reused(clientssl)))
2369 SSL_SESSION_free(clntsess);
2371 SSL_shutdown(clientssl);
2372 SSL_shutdown(serverssl);
2373 SSL_free(serverssl);
2374 SSL_free(clientssl);
2375 serverssl = clientssl = NULL;
2377 /* Create a session based on SHA384 */
2378 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2379 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2380 &clientssl, NULL, NULL))
2381 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2385 clntsess = SSL_get1_session(clientssl);
2386 SSL_shutdown(clientssl);
2387 SSL_shutdown(serverssl);
2388 SSL_free(serverssl);
2389 SSL_free(clientssl);
2390 serverssl = clientssl = NULL;
2392 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2393 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
2394 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
2395 "TLS13-AES-256-GCM-SHA384"))
2396 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2398 || !TEST_true(SSL_set_session(clientssl, clntsess))
2400 * We use SSL_ERROR_WANT_READ below so that we can pause the
2401 * connection after the initial ClientHello has been sent to
2402 * enable us to make some session changes.
2404 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2405 SSL_ERROR_WANT_READ)))
2408 /* Trick the client into thinking this session is for a different digest */
2409 clntsess->cipher = aes_128_gcm_sha256;
2410 clntsess->cipher_id = clntsess->cipher->id;
2413 * Continue the previously started connection. Server has selected a SHA-384
2414 * ciphersuite, but client thinks the session is for SHA-256, so it should
2417 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2419 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2420 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2426 SSL_SESSION_free(clntsess);
2427 SSL_free(serverssl);
2428 SSL_free(clientssl);
2435 static int test_tls13_psk(void)
2437 SSL_CTX *sctx = NULL, *cctx = NULL;
2438 SSL *serverssl = NULL, *clientssl = NULL;
2439 const SSL_CIPHER *cipher = NULL;
2440 const unsigned char key[] = {
2441 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2442 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2443 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2444 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2448 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2449 TLS_client_method(), &sctx,
2450 &cctx, cert, privkey)))
2453 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2454 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2456 use_session_cb_cnt = 0;
2457 find_session_cb_cnt = 0;
2459 /* Check we can create a connection if callback decides not to send a PSK */
2460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2462 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2464 || !TEST_false(SSL_session_reused(clientssl))
2465 || !TEST_false(SSL_session_reused(serverssl))
2466 || !TEST_true(use_session_cb_cnt == 1)
2467 || !TEST_true(find_session_cb_cnt == 0))
2470 shutdown_ssl_connection(serverssl, clientssl);
2471 serverssl = clientssl = NULL;
2472 use_session_cb_cnt = 0;
2474 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2478 /* Create the PSK */
2479 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
2480 clientpsk = SSL_SESSION_new();
2481 if (!TEST_ptr(clientpsk)
2482 || !TEST_ptr(cipher)
2483 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2485 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2486 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2488 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2490 serverpsk = clientpsk;
2492 /* Check we can create a connection and the PSK is used */
2493 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2494 || !TEST_true(SSL_session_reused(clientssl))
2495 || !TEST_true(SSL_session_reused(serverssl))
2496 || !TEST_true(use_session_cb_cnt == 1)
2497 || !TEST_true(find_session_cb_cnt == 1))
2500 shutdown_ssl_connection(serverssl, clientssl);
2501 serverssl = clientssl = NULL;
2502 use_session_cb_cnt = find_session_cb_cnt = 0;
2504 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2509 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2513 * Check we can create a connection, the PSK is used and the callbacks are
2516 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2517 || !TEST_true(SSL_session_reused(clientssl))
2518 || !TEST_true(SSL_session_reused(serverssl))
2519 || !TEST_true(use_session_cb_cnt == 2)
2520 || !TEST_true(find_session_cb_cnt == 2))
2523 shutdown_ssl_connection(serverssl, clientssl);
2524 serverssl = clientssl = NULL;
2525 use_session_cb_cnt = find_session_cb_cnt = 0;
2528 * Check that if the server rejects the PSK we can still connect, but with
2531 srvid = "Dummy Identity";
2532 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2534 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2536 || !TEST_false(SSL_session_reused(clientssl))
2537 || !TEST_false(SSL_session_reused(serverssl))
2538 || !TEST_true(use_session_cb_cnt == 1)
2539 || !TEST_true(find_session_cb_cnt == 1))
2542 shutdown_ssl_connection(serverssl, clientssl);
2543 serverssl = clientssl = NULL;
2547 SSL_SESSION_free(clientpsk);
2548 SSL_SESSION_free(serverpsk);
2549 clientpsk = serverpsk = NULL;
2550 SSL_free(serverssl);
2551 SSL_free(clientssl);
2557 static unsigned char cookie_magic_value[] = "cookie magic";
2559 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2560 unsigned int *cookie_len)
2563 * Not suitable as a real cookie generation function but good enough for
2566 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
2567 *cookie_len = sizeof(cookie_magic_value) - 1;
2572 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
2573 unsigned int cookie_len)
2575 if (cookie_len == sizeof(cookie_magic_value) - 1
2576 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
2582 static int test_stateless(void)
2584 SSL_CTX *sctx = NULL, *cctx = NULL;
2585 SSL *serverssl = NULL, *clientssl = NULL;
2588 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2589 TLS_client_method(), &sctx,
2590 &cctx, cert, privkey)))
2593 /* Set up the cookie generation and verification callbacks */
2594 SSL_CTX_set_cookie_generate_cb(sctx, generate_cookie_callback);
2595 SSL_CTX_set_cookie_verify_cb(sctx, verify_cookie_callback);
2597 /* The arrival of CCS messages can confuse the test */
2598 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
2600 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2602 /* Send the first ClientHello */
2603 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2604 SSL_ERROR_WANT_READ))
2605 /* This should fail because there is no cookie */
2606 || !TEST_false(SSL_stateless(serverssl)))
2609 /* Abandon the connection from this client */
2610 SSL_free(clientssl);
2614 * Now create a connection from a new client but with the same server SSL
2617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2619 /* Send the first ClientHello */
2620 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2621 SSL_ERROR_WANT_READ))
2622 /* This should fail because there is no cookie */
2623 || !TEST_false(SSL_stateless(serverssl))
2624 /* Send the second ClientHello */
2625 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2626 SSL_ERROR_WANT_READ))
2627 /* This should succeed because a cookie is now present */
2628 || !TEST_true(SSL_stateless(serverssl))
2629 /* Complete the connection */
2630 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2634 shutdown_ssl_connection(serverssl, clientssl);
2635 serverssl = clientssl = NULL;
2639 SSL_free(serverssl);
2640 SSL_free(clientssl);
2646 #endif /* OPENSSL_NO_TLS1_3 */
2648 static int clntaddoldcb = 0;
2649 static int clntparseoldcb = 0;
2650 static int srvaddoldcb = 0;
2651 static int srvparseoldcb = 0;
2652 static int clntaddnewcb = 0;
2653 static int clntparsenewcb = 0;
2654 static int srvaddnewcb = 0;
2655 static int srvparsenewcb = 0;
2656 static int snicb = 0;
2658 #define TEST_EXT_TYPE1 0xff00
2660 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2661 size_t *outlen, int *al, void *add_arg)
2663 int *server = (int *)add_arg;
2664 unsigned char *data;
2666 if (SSL_is_server(s))
2671 if (*server != SSL_is_server(s)
2672 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2677 *outlen = sizeof(char);
2681 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2684 OPENSSL_free((unsigned char *)out);
2687 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2688 size_t inlen, int *al, void *parse_arg)
2690 int *server = (int *)parse_arg;
2692 if (SSL_is_server(s))
2697 if (*server != SSL_is_server(s)
2698 || inlen != sizeof(char)
2705 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2706 const unsigned char **out, size_t *outlen, X509 *x,
2707 size_t chainidx, int *al, void *add_arg)
2709 int *server = (int *)add_arg;
2710 unsigned char *data;
2712 if (SSL_is_server(s))
2717 if (*server != SSL_is_server(s)
2718 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2723 *outlen = sizeof(*data);
2727 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2728 const unsigned char *out, void *add_arg)
2730 OPENSSL_free((unsigned char *)out);
2733 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2734 const unsigned char *in, size_t inlen, X509 *x,
2735 size_t chainidx, int *al, void *parse_arg)
2737 int *server = (int *)parse_arg;
2739 if (SSL_is_server(s))
2744 if (*server != SSL_is_server(s)
2745 || inlen != sizeof(char) || *in != 1)
2751 static int sni_cb(SSL *s, int *al, void *arg)
2753 SSL_CTX *ctx = (SSL_CTX *)arg;
2755 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2756 *al = SSL_AD_INTERNAL_ERROR;
2757 return SSL_TLSEXT_ERR_ALERT_FATAL;
2760 return SSL_TLSEXT_ERR_OK;
2764 * Custom call back tests.
2765 * Test 0: Old style callbacks in TLSv1.2
2766 * Test 1: New style callbacks in TLSv1.2
2767 * Test 2: New style callbacks in TLSv1.2 with SNI
2768 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2769 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2771 static int test_custom_exts(int tst)
2773 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2774 SSL *clientssl = NULL, *serverssl = NULL;
2776 static int server = 1;
2777 static int client = 0;
2778 SSL_SESSION *sess = NULL;
2779 unsigned int context;
2781 /* Reset callback counters */
2782 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2783 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2786 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2787 TLS_client_method(), &sctx,
2788 &cctx, cert, privkey)))
2792 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2793 NULL, cert, privkey)))
2798 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2799 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2801 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2805 context = SSL_EXT_CLIENT_HELLO
2806 | SSL_EXT_TLS1_2_SERVER_HELLO
2807 | SSL_EXT_TLS1_3_SERVER_HELLO
2808 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2809 | SSL_EXT_TLS1_3_CERTIFICATE
2810 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2812 context = SSL_EXT_CLIENT_HELLO
2813 | SSL_EXT_TLS1_2_SERVER_HELLO
2814 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2817 /* Create a client side custom extension */
2819 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2820 old_add_cb, old_free_cb,
2821 &client, old_parse_cb,
2825 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2826 new_add_cb, new_free_cb,
2827 &client, new_parse_cb, &client)))
2831 /* Should not be able to add duplicates */
2832 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2833 old_add_cb, old_free_cb,
2834 &client, old_parse_cb,
2836 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
2837 context, new_add_cb,
2838 new_free_cb, &client,
2839 new_parse_cb, &client)))
2842 /* Create a server side custom extension */
2844 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2845 old_add_cb, old_free_cb,
2846 &server, old_parse_cb,
2850 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
2851 new_add_cb, new_free_cb,
2852 &server, new_parse_cb, &server)))
2855 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
2856 context, new_add_cb,
2857 new_free_cb, &server,
2858 new_parse_cb, &server)))
2862 /* Should not be able to add duplicates */
2863 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2864 old_add_cb, old_free_cb,
2865 &server, old_parse_cb,
2867 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
2868 context, new_add_cb,
2869 new_free_cb, &server,
2870 new_parse_cb, &server)))
2875 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
2876 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
2880 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2881 &clientssl, NULL, NULL))
2882 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2887 if (clntaddoldcb != 1
2888 || clntparseoldcb != 1
2890 || srvparseoldcb != 1)
2892 } else if (tst == 1 || tst == 2 || tst == 3) {
2893 if (clntaddnewcb != 1
2894 || clntparsenewcb != 1
2896 || srvparsenewcb != 1
2897 || (tst != 2 && snicb != 0)
2898 || (tst == 2 && snicb != 1))
2901 if (clntaddnewcb != 1
2902 || clntparsenewcb != 4
2904 || srvparsenewcb != 1)
2908 sess = SSL_get1_session(clientssl);
2909 SSL_shutdown(clientssl);
2910 SSL_shutdown(serverssl);
2911 SSL_free(serverssl);
2912 SSL_free(clientssl);
2913 serverssl = clientssl = NULL;
2916 /* We don't bother with the resumption aspects for this test */
2921 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2923 || !TEST_true(SSL_set_session(clientssl, sess))
2924 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2929 * For a resumed session we expect to add the ClientHello extension. For the
2930 * old style callbacks we ignore it on the server side because they set
2931 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
2935 if (clntaddoldcb != 2
2936 || clntparseoldcb != 1
2938 || srvparseoldcb != 1)
2940 } else if (tst == 1 || tst == 2 || tst == 3) {
2941 if (clntaddnewcb != 2
2942 || clntparsenewcb != 2
2944 || srvparsenewcb != 2)
2947 /* No Certificate message extensions in the resumption handshake */
2948 if (clntaddnewcb != 2
2949 || clntparsenewcb != 7
2951 || srvparsenewcb != 2)
2958 SSL_SESSION_free(sess);
2959 SSL_free(serverssl);
2960 SSL_free(clientssl);
2961 SSL_CTX_free(sctx2);
2968 * Test loading of serverinfo data in various formats. test_sslmessages actually
2969 * tests to make sure the extensions appear in the handshake
2971 static int test_serverinfo(int tst)
2973 unsigned int version;
2974 unsigned char *sibuf;
2976 int ret, expected, testresult = 0;
2979 ctx = SSL_CTX_new(TLS_method());
2983 if ((tst & 0x01) == 0x01)
2984 version = SSL_SERVERINFOV2;
2986 version = SSL_SERVERINFOV1;
2988 if ((tst & 0x02) == 0x02) {
2989 sibuf = serverinfov2;
2990 sibuflen = sizeof(serverinfov2);
2991 expected = (version == SSL_SERVERINFOV2);
2993 sibuf = serverinfov1;
2994 sibuflen = sizeof(serverinfov1);
2995 expected = (version == SSL_SERVERINFOV1);
2998 if ((tst & 0x04) == 0x04) {
2999 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3001 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3004 * The version variable is irrelevant in this case - it's what is in the
3005 * buffer that matters
3007 if ((tst & 0x02) == 0x02)
3013 if (!TEST_true(ret == expected))
3025 * Test that SSL_export_keying_material() produces expected results. There are
3026 * no test vectors so all we do is test that both sides of the communication
3027 * produce the same results for different protocol versions.
3029 static int test_export_key_mat(int tst)
3032 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3033 SSL *clientssl = NULL, *serverssl = NULL;
3034 const char label[] = "test label";
3035 const unsigned char context[] = "context";
3036 const unsigned char *emptycontext = NULL;
3037 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3038 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3039 const int protocols[] = {
3046 #ifdef OPENSSL_NO_TLS1
3050 #ifdef OPENSSL_NO_TLS1_1
3054 #ifdef OPENSSL_NO_TLS1_2
3058 #ifdef OPENSSL_NO_TLS1_3
3062 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3063 TLS_client_method(), &sctx,
3064 &cctx, cert, privkey)))
3067 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3068 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3069 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3071 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3073 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3077 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3078 sizeof(ckeymat1), label,
3079 sizeof(label) - 1, context,
3080 sizeof(context) - 1, 1), 1)
3081 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3082 sizeof(ckeymat2), label,
3086 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3087 sizeof(ckeymat3), label,
3090 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3091 sizeof(skeymat1), label,
3094 sizeof(context) -1, 1),
3096 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3097 sizeof(skeymat2), label,
3101 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3102 sizeof(skeymat3), label,
3106 * Check that both sides created the same key material with the
3109 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3112 * Check that both sides created the same key material with an
3115 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3118 * Check that both sides created the same key material without a
3121 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3123 /* Different contexts should produce different results */
3124 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3129 * Check that an empty context and no context produce different results in
3130 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3132 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3134 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3141 SSL_free(serverssl);
3142 SSL_free(clientssl);
3143 SSL_CTX_free(sctx2);
3150 static int test_ssl_clear(int idx)
3152 SSL_CTX *cctx = NULL, *sctx = NULL;
3153 SSL *clientssl = NULL, *serverssl = NULL;
3156 #ifdef OPENSSL_NO_TLS1_2
3161 /* Create an initial connection */
3162 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3163 TLS_client_method(), &sctx,
3164 &cctx, cert, privkey))
3166 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3168 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3169 &clientssl, NULL, NULL))
3170 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3174 SSL_shutdown(clientssl);
3175 SSL_shutdown(serverssl);
3176 SSL_free(serverssl);
3179 /* Clear clientssl - we're going to reuse the object */
3180 if (!TEST_true(SSL_clear(clientssl)))
3183 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3185 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3187 || !TEST_true(SSL_session_reused(clientssl)))
3190 SSL_shutdown(clientssl);
3191 SSL_shutdown(serverssl);
3196 SSL_free(serverssl);
3197 SSL_free(clientssl);
3204 /* Parse CH and retrieve any MFL extension value if present */
3205 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3208 unsigned char *data;
3209 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3210 unsigned int MFL_code = 0, type = 0;
3212 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3215 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3216 /* Skip the record header */
3217 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3218 /* Skip the handshake message header */
3219 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3220 /* Skip client version and random */
3221 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3222 + SSL3_RANDOM_SIZE))
3223 /* Skip session id */
3224 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3226 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3227 /* Skip compression */
3228 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3229 /* Extensions len */
3230 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3233 /* Loop through all extensions */
3234 while (PACKET_remaining(&pkt2)) {
3235 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3236 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3239 if (type == TLSEXT_TYPE_max_fragment_length) {
3240 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3241 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3244 *mfl_codemfl_code = MFL_code;
3253 /* Maximum-Fragment-Length TLS extension mode to test */
3254 static const unsigned char max_fragment_len_test[] = {
3255 TLSEXT_max_fragment_length_512,
3256 TLSEXT_max_fragment_length_1024,
3257 TLSEXT_max_fragment_length_2048,
3258 TLSEXT_max_fragment_length_4096
3261 static int test_max_fragment_len_ext(int idx_tst)
3265 int testresult = 0, MFL_mode = 0;
3268 ctx = SSL_CTX_new(TLS_method());
3272 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3273 ctx, max_fragment_len_test[idx_tst])))
3280 rbio = BIO_new(BIO_s_mem());
3281 wbio = BIO_new(BIO_s_mem());
3282 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3288 SSL_set_bio(con, rbio, wbio);
3289 SSL_set_connect_state(con);
3291 if (!TEST_int_le(SSL_connect(con), 0)) {
3292 /* This shouldn't succeed because we don't have a server! */
3296 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3297 /* no MFL in client hello */
3299 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3311 #ifndef OPENSSL_NO_TLS1_3
3312 static int test_pha_key_update(void)
3314 SSL_CTX *cctx = NULL, *sctx = NULL;
3315 SSL *clientssl = NULL, *serverssl = NULL;
3318 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3319 TLS_client_method(),
3320 &sctx, &cctx, cert, privkey)))
3323 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3324 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3325 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3326 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3330 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3334 SSL_force_post_handshake_auth(clientssl);
3336 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3340 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3341 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3344 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3347 /* Start handshake on the server */
3348 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3351 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3352 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3356 SSL_shutdown(clientssl);
3357 SSL_shutdown(serverssl);
3362 SSL_free(serverssl);
3363 SSL_free(clientssl);
3370 int setup_tests(void)
3372 if (!TEST_ptr(cert = test_get_argument(0))
3373 || !TEST_ptr(privkey = test_get_argument(1)))
3376 ADD_TEST(test_large_message_tls);
3377 ADD_TEST(test_large_message_tls_read_ahead);
3378 #ifndef OPENSSL_NO_DTLS
3379 ADD_TEST(test_large_message_dtls);
3381 #ifndef OPENSSL_NO_OCSP
3382 ADD_TEST(test_tlsext_status_type);
3384 ADD_TEST(test_session_with_only_int_cache);
3385 ADD_TEST(test_session_with_only_ext_cache);
3386 ADD_TEST(test_session_with_both_cache);
3387 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
3388 ADD_TEST(test_ssl_bio_pop_next_bio);
3389 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3390 ADD_TEST(test_ssl_bio_change_rbio);
3391 ADD_TEST(test_ssl_bio_change_wbio);
3392 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
3393 ADD_TEST(test_keylog);
3394 #ifndef OPENSSL_NO_TLS1_3
3395 ADD_TEST(test_keylog_no_master_key);
3397 #ifndef OPENSSL_NO_TLS1_2
3398 ADD_TEST(test_client_hello_cb);
3400 #ifndef OPENSSL_NO_TLS1_3
3401 ADD_ALL_TESTS(test_early_data_read_write, 3);
3402 ADD_ALL_TESTS(test_early_data_skip, 3);
3403 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3404 ADD_ALL_TESTS(test_early_data_not_sent, 3);
3405 ADD_ALL_TESTS(test_early_data_psk, 8);
3406 ADD_ALL_TESTS(test_early_data_not_expected, 3);
3407 # ifndef OPENSSL_NO_TLS1_2
3408 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
3411 #ifndef OPENSSL_NO_TLS1_3
3412 ADD_TEST(test_ciphersuite_change);
3413 ADD_TEST(test_tls13_psk);
3414 ADD_ALL_TESTS(test_custom_exts, 5);
3415 ADD_TEST(test_stateless);
3416 ADD_TEST(test_pha_key_update);
3418 ADD_ALL_TESTS(test_custom_exts, 3);
3420 ADD_ALL_TESTS(test_serverinfo, 8);
3421 ADD_ALL_TESTS(test_export_key_mat, 4);
3422 ADD_ALL_TESTS(test_ssl_clear, 2);
3423 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
3427 void cleanup_tests(void)
3429 bio_s_mempacket_test_free();