2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include <openssl/opensslconf.h>
14 #include <openssl/bio.h>
15 #include <openssl/crypto.h>
16 #include <openssl/ssl.h>
17 #include <openssl/ocsp.h>
18 #include <openssl/srp.h>
19 #include <openssl/txt_db.h>
20 #include <openssl/aes.h>
21 #include <openssl/rand.h>
23 #include "ssltestlib.h"
25 #include "testutil/output.h"
26 #include "internal/nelem.h"
27 #include "internal/ktls.h"
28 #include "../ssl/ssl_locl.h"
30 #ifndef OPENSSL_NO_TLS1_3
32 static SSL_SESSION *clientpsk = NULL;
33 static SSL_SESSION *serverpsk = NULL;
34 static const char *pskid = "Identity";
35 static const char *srvid;
37 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
38 size_t *idlen, SSL_SESSION **sess);
39 static int find_session_cb(SSL *ssl, const unsigned char *identity,
40 size_t identity_len, SSL_SESSION **sess);
42 static int use_session_cb_cnt = 0;
43 static int find_session_cb_cnt = 0;
45 static SSL_SESSION *create_a_psk(SSL *ssl);
48 static char *certsdir = NULL;
49 static char *cert = NULL;
50 static char *privkey = NULL;
51 static char *srpvfile = NULL;
52 static char *tmpfilename = NULL;
54 #define LOG_BUFFER_SIZE 2048
55 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
56 static size_t server_log_buffer_index = 0;
57 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
58 static size_t client_log_buffer_index = 0;
59 static int error_writing_log = 0;
61 #ifndef OPENSSL_NO_OCSP
62 static const unsigned char orespder[] = "Dummy OCSP Response";
63 static int ocsp_server_called = 0;
64 static int ocsp_client_called = 0;
66 static int cdummyarg = 1;
67 static X509 *ocspcert = NULL;
70 #define NUM_EXTRA_CERTS 40
71 #define CLIENT_VERSION_LEN 2
74 * This structure is used to validate that the correct number of log messages
75 * of various types are emitted when emitting secret logs.
77 struct sslapitest_log_counts {
78 unsigned int rsa_key_exchange_count;
79 unsigned int master_secret_count;
80 unsigned int client_early_secret_count;
81 unsigned int client_handshake_secret_count;
82 unsigned int server_handshake_secret_count;
83 unsigned int client_application_secret_count;
84 unsigned int server_application_secret_count;
85 unsigned int early_exporter_secret_count;
86 unsigned int exporter_secret_count;
90 static unsigned char serverinfov1[] = {
91 0xff, 0xff, /* Dummy extension type */
92 0x00, 0x01, /* Extension length is 1 byte */
93 0xff /* Dummy extension data */
96 static unsigned char serverinfov2[] = {
98 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
99 0xff, 0xff, /* Dummy extension type */
100 0x00, 0x01, /* Extension length is 1 byte */
101 0xff /* Dummy extension data */
104 static void client_keylog_callback(const SSL *ssl, const char *line)
106 int line_length = strlen(line);
108 /* If the log doesn't fit, error out. */
109 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
110 TEST_info("Client log too full");
111 error_writing_log = 1;
115 strcat(client_log_buffer, line);
116 client_log_buffer_index += line_length;
117 client_log_buffer[client_log_buffer_index++] = '\n';
120 static void server_keylog_callback(const SSL *ssl, const char *line)
122 int line_length = strlen(line);
124 /* If the log doesn't fit, error out. */
125 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
126 TEST_info("Server log too full");
127 error_writing_log = 1;
131 strcat(server_log_buffer, line);
132 server_log_buffer_index += line_length;
133 server_log_buffer[server_log_buffer_index++] = '\n';
136 static int compare_hex_encoded_buffer(const char *hex_encoded,
144 if (!TEST_size_t_eq(raw_length * 2, hex_length))
147 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
148 sprintf(hexed, "%02x", raw[i]);
149 if (!TEST_int_eq(hexed[0], hex_encoded[j])
150 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
157 static int test_keylog_output(char *buffer, const SSL *ssl,
158 const SSL_SESSION *session,
159 struct sslapitest_log_counts *expected)
162 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
163 size_t client_random_size = SSL3_RANDOM_SIZE;
164 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
165 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
166 unsigned int rsa_key_exchange_count = 0;
167 unsigned int master_secret_count = 0;
168 unsigned int client_early_secret_count = 0;
169 unsigned int client_handshake_secret_count = 0;
170 unsigned int server_handshake_secret_count = 0;
171 unsigned int client_application_secret_count = 0;
172 unsigned int server_application_secret_count = 0;
173 unsigned int early_exporter_secret_count = 0;
174 unsigned int exporter_secret_count = 0;
176 for (token = strtok(buffer, " \n"); token != NULL;
177 token = strtok(NULL, " \n")) {
178 if (strcmp(token, "RSA") == 0) {
180 * Premaster secret. Tokens should be: 16 ASCII bytes of
181 * hex-encoded encrypted secret, then the hex-encoded pre-master
184 if (!TEST_ptr(token = strtok(NULL, " \n")))
186 if (!TEST_size_t_eq(strlen(token), 16))
188 if (!TEST_ptr(token = strtok(NULL, " \n")))
191 * We can't sensibly check the log because the premaster secret is
192 * transient, and OpenSSL doesn't keep hold of it once the master
193 * secret is generated.
195 rsa_key_exchange_count++;
196 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
198 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
199 * client random, then the hex-encoded master secret.
201 client_random_size = SSL_get_client_random(ssl,
202 actual_client_random,
204 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
207 if (!TEST_ptr(token = strtok(NULL, " \n")))
209 if (!TEST_size_t_eq(strlen(token), 64))
211 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
212 actual_client_random,
213 client_random_size)))
216 if (!TEST_ptr(token = strtok(NULL, " \n")))
218 master_key_size = SSL_SESSION_get_master_key(session,
221 if (!TEST_size_t_ne(master_key_size, 0))
223 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
227 master_secret_count++;
228 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
229 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
230 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
231 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
232 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
233 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
234 || strcmp(token, "EXPORTER_SECRET") == 0) {
236 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
237 * client random, and then the hex-encoded secret. In this case,
238 * we treat all of these secrets identically and then just
239 * distinguish between them when counting what we saw.
241 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
242 client_early_secret_count++;
243 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
244 client_handshake_secret_count++;
245 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
246 server_handshake_secret_count++;
247 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
248 client_application_secret_count++;
249 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
250 server_application_secret_count++;
251 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
252 early_exporter_secret_count++;
253 else if (strcmp(token, "EXPORTER_SECRET") == 0)
254 exporter_secret_count++;
256 client_random_size = SSL_get_client_random(ssl,
257 actual_client_random,
259 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
262 if (!TEST_ptr(token = strtok(NULL, " \n")))
264 if (!TEST_size_t_eq(strlen(token), 64))
266 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
267 actual_client_random,
268 client_random_size)))
271 if (!TEST_ptr(token = strtok(NULL, " \n")))
275 * TODO(TLS1.3): test that application traffic secrets are what
278 TEST_info("Unexpected token %s\n", token);
283 /* Got what we expected? */
284 if (!TEST_size_t_eq(rsa_key_exchange_count,
285 expected->rsa_key_exchange_count)
286 || !TEST_size_t_eq(master_secret_count,
287 expected->master_secret_count)
288 || !TEST_size_t_eq(client_early_secret_count,
289 expected->client_early_secret_count)
290 || !TEST_size_t_eq(client_handshake_secret_count,
291 expected->client_handshake_secret_count)
292 || !TEST_size_t_eq(server_handshake_secret_count,
293 expected->server_handshake_secret_count)
294 || !TEST_size_t_eq(client_application_secret_count,
295 expected->client_application_secret_count)
296 || !TEST_size_t_eq(server_application_secret_count,
297 expected->server_application_secret_count)
298 || !TEST_size_t_eq(early_exporter_secret_count,
299 expected->early_exporter_secret_count)
300 || !TEST_size_t_eq(exporter_secret_count,
301 expected->exporter_secret_count))
306 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
307 static int test_keylog(void)
309 SSL_CTX *cctx = NULL, *sctx = NULL;
310 SSL *clientssl = NULL, *serverssl = NULL;
312 struct sslapitest_log_counts expected;
314 /* Clean up logging space */
315 memset(&expected, 0, sizeof(expected));
316 memset(client_log_buffer, 0, sizeof(client_log_buffer));
317 memset(server_log_buffer, 0, sizeof(server_log_buffer));
318 client_log_buffer_index = 0;
319 server_log_buffer_index = 0;
320 error_writing_log = 0;
322 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
325 &sctx, &cctx, cert, privkey)))
328 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
329 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
330 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
332 /* We also want to ensure that we use RSA-based key exchange. */
333 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
336 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
337 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
339 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
340 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
341 == client_keylog_callback))
343 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
344 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
345 == server_keylog_callback))
348 /* Now do a handshake and check that the logs have been written to. */
349 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
350 &clientssl, NULL, NULL))
351 || !TEST_true(create_ssl_connection(serverssl, clientssl,
353 || !TEST_false(error_writing_log)
354 || !TEST_int_gt(client_log_buffer_index, 0)
355 || !TEST_int_gt(server_log_buffer_index, 0))
359 * Now we want to test that our output data was vaguely sensible. We
360 * do that by using strtok and confirming that we have more or less the
361 * data we expect. For both client and server, we expect to see one master
362 * secret. The client should also see a RSA key exchange.
364 expected.rsa_key_exchange_count = 1;
365 expected.master_secret_count = 1;
366 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
367 SSL_get_session(clientssl), &expected)))
370 expected.rsa_key_exchange_count = 0;
371 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
372 SSL_get_session(serverssl), &expected)))
387 #ifndef OPENSSL_NO_TLS1_3
388 static int test_keylog_no_master_key(void)
390 SSL_CTX *cctx = NULL, *sctx = NULL;
391 SSL *clientssl = NULL, *serverssl = NULL;
392 SSL_SESSION *sess = NULL;
394 struct sslapitest_log_counts expected;
395 unsigned char buf[1];
396 size_t readbytes, written;
398 /* Clean up logging space */
399 memset(&expected, 0, sizeof(expected));
400 memset(client_log_buffer, 0, sizeof(client_log_buffer));
401 memset(server_log_buffer, 0, sizeof(server_log_buffer));
402 client_log_buffer_index = 0;
403 server_log_buffer_index = 0;
404 error_writing_log = 0;
406 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
408 &sctx, &cctx, cert, privkey))
409 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
410 SSL3_RT_MAX_PLAIN_LENGTH)))
413 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
414 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
417 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
418 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
419 == client_keylog_callback))
422 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
423 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
424 == server_keylog_callback))
427 /* Now do a handshake and check that the logs have been written to. */
428 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
429 &clientssl, NULL, NULL))
430 || !TEST_true(create_ssl_connection(serverssl, clientssl,
432 || !TEST_false(error_writing_log))
436 * Now we want to test that our output data was vaguely sensible. For this
437 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
438 * TLSv1.3, but we do expect both client and server to emit keys.
440 expected.client_handshake_secret_count = 1;
441 expected.server_handshake_secret_count = 1;
442 expected.client_application_secret_count = 1;
443 expected.server_application_secret_count = 1;
444 expected.exporter_secret_count = 1;
445 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
446 SSL_get_session(clientssl), &expected))
447 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
448 SSL_get_session(serverssl),
452 /* Terminate old session and resume with early data. */
453 sess = SSL_get1_session(clientssl);
454 SSL_shutdown(clientssl);
455 SSL_shutdown(serverssl);
458 serverssl = clientssl = NULL;
461 memset(client_log_buffer, 0, sizeof(client_log_buffer));
462 memset(server_log_buffer, 0, sizeof(server_log_buffer));
463 client_log_buffer_index = 0;
464 server_log_buffer_index = 0;
466 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
467 &clientssl, NULL, NULL))
468 || !TEST_true(SSL_set_session(clientssl, sess))
469 /* Here writing 0 length early data is enough. */
470 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
471 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
473 SSL_READ_EARLY_DATA_ERROR)
474 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
475 SSL_EARLY_DATA_ACCEPTED)
476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
478 || !TEST_true(SSL_session_reused(clientssl)))
481 /* In addition to the previous entries, expect early secrets. */
482 expected.client_early_secret_count = 1;
483 expected.early_exporter_secret_count = 1;
484 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
485 SSL_get_session(clientssl), &expected))
486 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
487 SSL_get_session(serverssl),
494 SSL_SESSION_free(sess);
504 #ifndef OPENSSL_NO_TLS1_2
505 static int full_client_hello_callback(SSL *s, int *al, void *arg)
508 const unsigned char *p;
510 /* We only configure two ciphers, but the SCSV is added automatically. */
512 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
514 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
517 const int expected_extensions[] = {
518 #ifndef OPENSSL_NO_EC
524 /* Make sure we can defer processing and get called back. */
526 return SSL_CLIENT_HELLO_RETRY;
528 len = SSL_client_hello_get0_ciphers(s, &p);
529 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
531 SSL_client_hello_get0_compression_methods(s, &p), 1)
532 || !TEST_int_eq(*p, 0))
533 return SSL_CLIENT_HELLO_ERROR;
534 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
535 return SSL_CLIENT_HELLO_ERROR;
536 if (len != OSSL_NELEM(expected_extensions) ||
537 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
538 printf("ClientHello callback expected extensions mismatch\n");
540 return SSL_CLIENT_HELLO_ERROR;
543 return SSL_CLIENT_HELLO_SUCCESS;
546 static int test_client_hello_cb(void)
548 SSL_CTX *cctx = NULL, *sctx = NULL;
549 SSL *clientssl = NULL, *serverssl = NULL;
550 int testctr = 0, testresult = 0;
552 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
554 &sctx, &cctx, cert, privkey)))
556 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
558 /* The gimpy cipher list we configure can't do TLS 1.3. */
559 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
561 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
562 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
563 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
564 &clientssl, NULL, NULL))
565 || !TEST_false(create_ssl_connection(serverssl, clientssl,
566 SSL_ERROR_WANT_CLIENT_HELLO_CB))
568 * Passing a -1 literal is a hack since
569 * the real value was lost.
571 || !TEST_int_eq(SSL_get_error(serverssl, -1),
572 SSL_ERROR_WANT_CLIENT_HELLO_CB)
573 || !TEST_true(create_ssl_connection(serverssl, clientssl,
588 static int test_no_ems(void)
590 SSL_CTX *cctx = NULL, *sctx = NULL;
591 SSL *clientssl = NULL, *serverssl = NULL;
594 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
595 TLS1_VERSION, TLS1_2_VERSION,
596 &sctx, &cctx, cert, privkey)) {
597 printf("Unable to create SSL_CTX pair\n");
601 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
603 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
604 printf("Unable to create SSL objects\n");
608 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
609 printf("Creating SSL connection failed\n");
613 if (SSL_get_extms_support(serverssl)) {
614 printf("Server reports Extended Master Secret support\n");
618 if (SSL_get_extms_support(clientssl)) {
619 printf("Client reports Extended Master Secret support\n");
634 static int execute_test_large_message(const SSL_METHOD *smeth,
635 const SSL_METHOD *cmeth,
636 int min_version, int max_version,
639 SSL_CTX *cctx = NULL, *sctx = NULL;
640 SSL *clientssl = NULL, *serverssl = NULL;
644 X509 *chaincert = NULL;
647 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
649 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
652 if (!TEST_ptr(chaincert))
655 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
656 &sctx, &cctx, cert, privkey)))
661 * Test that read_ahead works correctly when dealing with large
664 SSL_CTX_set_read_ahead(cctx, 1);
668 * We assume the supplied certificate is big enough so that if we add
669 * NUM_EXTRA_CERTS it will make the overall message large enough. The
670 * default buffer size is requested to be 16k, but due to the way BUF_MEM
671 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
672 * test we need to have a message larger than that.
674 certlen = i2d_X509(chaincert, NULL);
675 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
676 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
677 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
678 if (!X509_up_ref(chaincert))
680 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
681 X509_free(chaincert);
686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
688 || !TEST_true(create_ssl_connection(serverssl, clientssl,
693 * Calling SSL_clear() first is not required but this tests that SSL_clear()
694 * doesn't leak (when using enable-crypto-mdebug).
696 if (!TEST_true(SSL_clear(serverssl)))
701 X509_free(chaincert);
710 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
711 && !defined(OPENSSL_NO_SOCK)
713 /* sock must be connected */
714 static int ktls_chk_platform(int sock)
716 if (!ktls_enable(sock))
721 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
723 static char count = 1;
724 unsigned char cbuf[16000] = {0};
725 unsigned char sbuf[16000];
727 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
728 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
729 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
730 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
731 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
732 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
733 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
734 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
737 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
738 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
739 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
740 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
741 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
742 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
743 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
744 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
746 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
749 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
750 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
755 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
758 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
759 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
764 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
765 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
766 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
767 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
768 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
769 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
770 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
771 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
773 /* verify the payload */
774 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
777 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
778 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
779 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
780 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
783 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
784 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
788 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
789 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
790 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
793 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
794 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
798 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
799 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
800 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
803 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
804 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
808 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
809 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
810 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
813 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
814 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
823 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
824 int sis_ktls_tx, int sis_ktls_rx)
826 SSL_CTX *cctx = NULL, *sctx = NULL;
827 SSL *clientssl = NULL, *serverssl = NULL;
831 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
834 /* Skip this test if the platform does not support ktls */
835 if (!ktls_chk_platform(cfd))
838 /* Create a session based on SHA-256 */
839 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
841 TLS1_2_VERSION, TLS1_2_VERSION,
842 &sctx, &cctx, cert, privkey))
843 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
844 "AES128-GCM-SHA256"))
845 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
846 &clientssl, sfd, cfd)))
850 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
855 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
860 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
865 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
869 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
874 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
877 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
882 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
885 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
890 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
893 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
898 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
901 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
905 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
911 SSL_shutdown(clientssl);
915 SSL_shutdown(serverssl);
920 serverssl = clientssl = NULL;
924 #define SENDFILE_SZ (16 * 4096)
925 #define SENDFILE_CHUNK (4 * 4096)
926 #define min(a,b) ((a) > (b) ? (b) : (a))
928 static int test_ktls_sendfile(void)
930 SSL_CTX *cctx = NULL, *sctx = NULL;
931 SSL *clientssl = NULL, *serverssl = NULL;
932 unsigned char *buf, *buf_dst;
933 BIO *out = NULL, *in = NULL;
934 int cfd, sfd, ffd, err;
935 ssize_t chunk_size = 0;
940 buf = OPENSSL_zalloc(SENDFILE_SZ);
941 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
942 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
943 || !TEST_true(create_test_sockets(&cfd, &sfd)))
946 /* Skip this test if the platform does not support ktls */
947 if (!ktls_chk_platform(sfd)) {
952 /* Create a session based on SHA-256 */
953 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
955 TLS1_2_VERSION, TLS1_2_VERSION,
956 &sctx, &cctx, cert, privkey))
957 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
958 "AES128-GCM-SHA256"))
959 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
960 &clientssl, sfd, cfd)))
963 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
965 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
968 RAND_bytes(buf, SENDFILE_SZ);
969 out = BIO_new_file(tmpfilename, "wb");
973 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
978 in = BIO_new_file(tmpfilename, "rb");
979 BIO_get_fp(in, &ffdp);
982 while (chunk_off < SENDFILE_SZ) {
983 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
984 while ((err = SSL_sendfile(serverssl,
989 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
992 while ((err = SSL_read(clientssl,
994 chunk_size)) != chunk_size) {
995 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
999 /* verify the payload */
1000 if (!TEST_mem_eq(buf_dst + chunk_off,
1006 chunk_off += chunk_size;
1012 SSL_shutdown(clientssl);
1013 SSL_free(clientssl);
1016 SSL_shutdown(serverssl);
1017 SSL_free(serverssl);
1021 serverssl = clientssl = NULL;
1025 OPENSSL_free(buf_dst);
1029 static int test_ktls_no_txrx_client_no_txrx_server(void)
1031 return execute_test_ktls(0, 0, 0, 0);
1034 static int test_ktls_no_rx_client_no_txrx_server(void)
1036 return execute_test_ktls(1, 0, 0, 0);
1039 static int test_ktls_no_tx_client_no_txrx_server(void)
1041 return execute_test_ktls(0, 1, 0, 0);
1044 static int test_ktls_client_no_txrx_server(void)
1046 return execute_test_ktls(1, 1, 0, 0);
1049 static int test_ktls_no_txrx_client_no_rx_server(void)
1051 return execute_test_ktls(0, 0, 1, 0);
1054 static int test_ktls_no_rx_client_no_rx_server(void)
1056 return execute_test_ktls(1, 0, 1, 0);
1059 static int test_ktls_no_tx_client_no_rx_server(void)
1061 return execute_test_ktls(0, 1, 1, 0);
1064 static int test_ktls_client_no_rx_server(void)
1066 return execute_test_ktls(1, 1, 1, 0);
1069 static int test_ktls_no_txrx_client_no_tx_server(void)
1071 return execute_test_ktls(0, 0, 0, 1);
1074 static int test_ktls_no_rx_client_no_tx_server(void)
1076 return execute_test_ktls(1, 0, 0, 1);
1079 static int test_ktls_no_tx_client_no_tx_server(void)
1081 return execute_test_ktls(0, 1, 0, 1);
1084 static int test_ktls_client_no_tx_server(void)
1086 return execute_test_ktls(1, 1, 0, 1);
1089 static int test_ktls_no_txrx_client_server(void)
1091 return execute_test_ktls(0, 0, 1, 1);
1094 static int test_ktls_no_rx_client_server(void)
1096 return execute_test_ktls(1, 0, 1, 1);
1099 static int test_ktls_no_tx_client_server(void)
1101 return execute_test_ktls(0, 1, 1, 1);
1104 static int test_ktls_client_server(void)
1106 return execute_test_ktls(1, 1, 1, 1);
1110 static int test_large_message_tls(void)
1112 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1113 TLS1_VERSION, 0, 0);
1116 static int test_large_message_tls_read_ahead(void)
1118 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1119 TLS1_VERSION, 0, 1);
1122 #ifndef OPENSSL_NO_DTLS
1123 static int test_large_message_dtls(void)
1126 * read_ahead is not relevant to DTLS because DTLS always acts as if
1127 * read_ahead is set.
1129 return execute_test_large_message(DTLS_server_method(),
1130 DTLS_client_method(),
1131 DTLS1_VERSION, 0, 0);
1135 #ifndef OPENSSL_NO_OCSP
1136 static int ocsp_server_cb(SSL *s, void *arg)
1138 int *argi = (int *)arg;
1139 unsigned char *copy = NULL;
1140 STACK_OF(OCSP_RESPID) *ids = NULL;
1141 OCSP_RESPID *id = NULL;
1144 /* In this test we are expecting exactly 1 OCSP_RESPID */
1145 SSL_get_tlsext_status_ids(s, &ids);
1146 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1147 return SSL_TLSEXT_ERR_ALERT_FATAL;
1149 id = sk_OCSP_RESPID_value(ids, 0);
1150 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1151 return SSL_TLSEXT_ERR_ALERT_FATAL;
1152 } else if (*argi != 1) {
1153 return SSL_TLSEXT_ERR_ALERT_FATAL;
1156 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1157 return SSL_TLSEXT_ERR_ALERT_FATAL;
1159 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1160 ocsp_server_called = 1;
1161 return SSL_TLSEXT_ERR_OK;
1164 static int ocsp_client_cb(SSL *s, void *arg)
1166 int *argi = (int *)arg;
1167 const unsigned char *respderin;
1170 if (*argi != 1 && *argi != 2)
1173 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1174 if (!TEST_mem_eq(orespder, len, respderin, len))
1177 ocsp_client_called = 1;
1181 static int test_tlsext_status_type(void)
1183 SSL_CTX *cctx = NULL, *sctx = NULL;
1184 SSL *clientssl = NULL, *serverssl = NULL;
1186 STACK_OF(OCSP_RESPID) *ids = NULL;
1187 OCSP_RESPID *id = NULL;
1188 BIO *certbio = NULL;
1190 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1192 &sctx, &cctx, cert, privkey))
1195 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1198 /* First just do various checks getting and setting tlsext_status_type */
1200 clientssl = SSL_new(cctx);
1201 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1202 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1203 TLSEXT_STATUSTYPE_ocsp))
1204 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1205 TLSEXT_STATUSTYPE_ocsp))
1208 SSL_free(clientssl);
1211 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1212 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1215 clientssl = SSL_new(cctx);
1216 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1218 SSL_free(clientssl);
1222 * Now actually do a handshake and check OCSP information is exchanged and
1223 * the callbacks get called
1225 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1226 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1227 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1228 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1229 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1230 &clientssl, NULL, NULL))
1231 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1233 || !TEST_true(ocsp_client_called)
1234 || !TEST_true(ocsp_server_called))
1236 SSL_free(serverssl);
1237 SSL_free(clientssl);
1241 /* Try again but this time force the server side callback to fail */
1242 ocsp_client_called = 0;
1243 ocsp_server_called = 0;
1245 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1246 &clientssl, NULL, NULL))
1247 /* This should fail because the callback will fail */
1248 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1250 || !TEST_false(ocsp_client_called)
1251 || !TEST_false(ocsp_server_called))
1253 SSL_free(serverssl);
1254 SSL_free(clientssl);
1259 * This time we'll get the client to send an OCSP_RESPID that it will
1262 ocsp_client_called = 0;
1263 ocsp_server_called = 0;
1265 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1266 &clientssl, NULL, NULL)))
1270 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1271 * specific one. We'll use the server cert.
1273 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1274 || !TEST_ptr(id = OCSP_RESPID_new())
1275 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1276 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1278 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1279 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1282 SSL_set_tlsext_status_ids(clientssl, ids);
1283 /* Control has been transferred */
1289 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1291 || !TEST_true(ocsp_client_called)
1292 || !TEST_true(ocsp_server_called))
1298 SSL_free(serverssl);
1299 SSL_free(clientssl);
1302 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1303 OCSP_RESPID_free(id);
1305 X509_free(ocspcert);
1312 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1313 static int new_called, remove_called, get_called;
1315 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1319 * sess has been up-refed for us, but we don't actually need it so free it
1322 SSL_SESSION_free(sess);
1326 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1331 static SSL_SESSION *get_sess_val = NULL;
1333 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1338 return get_sess_val;
1341 static int execute_test_session(int maxprot, int use_int_cache,
1344 SSL_CTX *sctx = NULL, *cctx = NULL;
1345 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1346 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1347 # ifndef OPENSSL_NO_TLS1_1
1348 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1350 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1351 int testresult = 0, numnewsesstick = 1;
1353 new_called = remove_called = 0;
1355 /* TLSv1.3 sends 2 NewSessionTickets */
1356 if (maxprot == TLS1_3_VERSION)
1359 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1361 &sctx, &cctx, cert, privkey)))
1365 * Only allow the max protocol version so we can force a connection failure
1368 SSL_CTX_set_min_proto_version(cctx, maxprot);
1369 SSL_CTX_set_max_proto_version(cctx, maxprot);
1371 /* Set up session cache */
1372 if (use_ext_cache) {
1373 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1374 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1376 if (use_int_cache) {
1377 /* Also covers instance where both are set */
1378 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1380 SSL_CTX_set_session_cache_mode(cctx,
1381 SSL_SESS_CACHE_CLIENT
1382 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1387 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1389 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1392 /* Should fail because it should already be in the cache */
1393 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1396 && (!TEST_int_eq(new_called, numnewsesstick)
1398 || !TEST_int_eq(remove_called, 0)))
1401 new_called = remove_called = 0;
1402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1403 &clientssl2, NULL, NULL))
1404 || !TEST_true(SSL_set_session(clientssl2, sess1))
1405 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1407 || !TEST_true(SSL_session_reused(clientssl2)))
1410 if (maxprot == TLS1_3_VERSION) {
1412 * In TLSv1.3 we should have created a new session even though we have
1413 * resumed. Since we attempted a resume we should also have removed the
1414 * old ticket from the cache so that we try to only use tickets once.
1417 && (!TEST_int_eq(new_called, 1)
1418 || !TEST_int_eq(remove_called, 1)))
1422 * In TLSv1.2 we expect to have resumed so no sessions added or
1426 && (!TEST_int_eq(new_called, 0)
1427 || !TEST_int_eq(remove_called, 0)))
1431 SSL_SESSION_free(sess1);
1432 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1434 shutdown_ssl_connection(serverssl2, clientssl2);
1435 serverssl2 = clientssl2 = NULL;
1437 new_called = remove_called = 0;
1438 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1439 &clientssl2, NULL, NULL))
1440 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1444 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1448 && (!TEST_int_eq(new_called, numnewsesstick)
1449 || !TEST_int_eq(remove_called, 0)))
1452 new_called = remove_called = 0;
1454 * This should clear sess2 from the cache because it is a "bad" session.
1455 * See SSL_set_session() documentation.
1457 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1460 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1462 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1465 if (use_int_cache) {
1466 /* Should succeeded because it should not already be in the cache */
1467 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1468 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1472 new_called = remove_called = 0;
1473 /* This shouldn't be in the cache so should fail */
1474 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1478 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1481 # if !defined(OPENSSL_NO_TLS1_1)
1482 new_called = remove_called = 0;
1483 /* Force a connection failure */
1484 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1485 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1486 &clientssl3, NULL, NULL))
1487 || !TEST_true(SSL_set_session(clientssl3, sess1))
1488 /* This should fail because of the mismatched protocol versions */
1489 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1493 /* We should have automatically removed the session from the cache */
1495 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1498 /* Should succeed because it should not already be in the cache */
1499 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1503 /* Now do some tests for server side caching */
1504 if (use_ext_cache) {
1505 SSL_CTX_sess_set_new_cb(cctx, NULL);
1506 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1507 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1508 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1509 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1510 get_sess_val = NULL;
1513 SSL_CTX_set_session_cache_mode(cctx, 0);
1514 /* Internal caching is the default on the server side */
1516 SSL_CTX_set_session_cache_mode(sctx,
1517 SSL_SESS_CACHE_SERVER
1518 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1520 SSL_free(serverssl1);
1521 SSL_free(clientssl1);
1522 serverssl1 = clientssl1 = NULL;
1523 SSL_free(serverssl2);
1524 SSL_free(clientssl2);
1525 serverssl2 = clientssl2 = NULL;
1526 SSL_SESSION_free(sess1);
1528 SSL_SESSION_free(sess2);
1531 SSL_CTX_set_max_proto_version(sctx, maxprot);
1532 if (maxprot == TLS1_2_VERSION)
1533 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1534 new_called = remove_called = get_called = 0;
1535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1537 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1539 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1540 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1543 if (use_int_cache) {
1544 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1546 * In TLSv1.3 it should not have been added to the internal cache,
1547 * except in the case where we also have an external cache (in that
1548 * case it gets added to the cache in order to generate remove
1549 * events after timeout).
1551 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1554 /* Should fail because it should already be in the cache */
1555 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1560 if (use_ext_cache) {
1561 SSL_SESSION *tmp = sess2;
1563 if (!TEST_int_eq(new_called, numnewsesstick)
1564 || !TEST_int_eq(remove_called, 0)
1565 || !TEST_int_eq(get_called, 0))
1568 * Delete the session from the internal cache to force a lookup from
1569 * the external cache. We take a copy first because
1570 * SSL_CTX_remove_session() also marks the session as non-resumable.
1572 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1573 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1574 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1576 SSL_SESSION_free(sess2);
1581 new_called = remove_called = get_called = 0;
1582 get_sess_val = sess2;
1583 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1584 &clientssl2, NULL, NULL))
1585 || !TEST_true(SSL_set_session(clientssl2, sess1))
1586 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1588 || !TEST_true(SSL_session_reused(clientssl2)))
1591 if (use_ext_cache) {
1592 if (!TEST_int_eq(remove_called, 0))
1595 if (maxprot == TLS1_3_VERSION) {
1596 if (!TEST_int_eq(new_called, 1)
1597 || !TEST_int_eq(get_called, 0))
1600 if (!TEST_int_eq(new_called, 0)
1601 || !TEST_int_eq(get_called, 1))
1609 SSL_free(serverssl1);
1610 SSL_free(clientssl1);
1611 SSL_free(serverssl2);
1612 SSL_free(clientssl2);
1613 # ifndef OPENSSL_NO_TLS1_1
1614 SSL_free(serverssl3);
1615 SSL_free(clientssl3);
1617 SSL_SESSION_free(sess1);
1618 SSL_SESSION_free(sess2);
1624 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1626 static int test_session_with_only_int_cache(void)
1628 #ifndef OPENSSL_NO_TLS1_3
1629 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1633 #ifndef OPENSSL_NO_TLS1_2
1634 return execute_test_session(TLS1_2_VERSION, 1, 0);
1640 static int test_session_with_only_ext_cache(void)
1642 #ifndef OPENSSL_NO_TLS1_3
1643 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1647 #ifndef OPENSSL_NO_TLS1_2
1648 return execute_test_session(TLS1_2_VERSION, 0, 1);
1654 static int test_session_with_both_cache(void)
1656 #ifndef OPENSSL_NO_TLS1_3
1657 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1661 #ifndef OPENSSL_NO_TLS1_2
1662 return execute_test_session(TLS1_2_VERSION, 1, 1);
1668 #ifndef OPENSSL_NO_TLS1_3
1669 static SSL_SESSION *sesscache[6];
1670 static int do_cache;
1672 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1675 sesscache[new_called] = sess;
1677 /* We don't need the reference to the session, so free it */
1678 SSL_SESSION_free(sess);
1685 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1687 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1688 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1691 /* Start handshake on the server and client */
1692 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1693 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1694 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1695 || !TEST_true(create_ssl_connection(sssl, cssl,
1702 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1705 int sess_id_ctx = 1;
1707 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1708 TLS1_VERSION, 0, sctx,
1709 cctx, cert, privkey))
1710 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1711 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1712 (void *)&sess_id_ctx,
1713 sizeof(sess_id_ctx))))
1717 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1719 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1720 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1721 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1726 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1728 SSL *serverssl = NULL, *clientssl = NULL;
1731 /* Test that we can resume with all the tickets we got given */
1732 for (i = 0; i < idx * 2; i++) {
1734 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1735 &clientssl, NULL, NULL))
1736 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1739 SSL_set_post_handshake_auth(clientssl, 1);
1741 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1746 * Following a successful resumption we only get 1 ticket. After a
1747 * failed one we should get idx tickets.
1750 if (!TEST_true(SSL_session_reused(clientssl))
1751 || !TEST_int_eq(new_called, 1))
1754 if (!TEST_false(SSL_session_reused(clientssl))
1755 || !TEST_int_eq(new_called, idx))
1760 /* After a post-handshake authentication we should get 1 new ticket */
1762 && (!post_handshake_verify(serverssl, clientssl)
1763 || !TEST_int_eq(new_called, 1)))
1766 SSL_shutdown(clientssl);
1767 SSL_shutdown(serverssl);
1768 SSL_free(serverssl);
1769 SSL_free(clientssl);
1770 serverssl = clientssl = NULL;
1771 SSL_SESSION_free(sesscache[i]);
1772 sesscache[i] = NULL;
1778 SSL_free(clientssl);
1779 SSL_free(serverssl);
1783 static int test_tickets(int stateful, int idx)
1785 SSL_CTX *sctx = NULL, *cctx = NULL;
1786 SSL *serverssl = NULL, *clientssl = NULL;
1790 /* idx is the test number, but also the number of tickets we want */
1795 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1798 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1799 &clientssl, NULL, NULL)))
1802 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1804 /* Check we got the number of tickets we were expecting */
1805 || !TEST_int_eq(idx, new_called))
1808 SSL_shutdown(clientssl);
1809 SSL_shutdown(serverssl);
1810 SSL_free(serverssl);
1811 SSL_free(clientssl);
1814 clientssl = serverssl = NULL;
1818 * Now we try to resume with the tickets we previously created. The
1819 * resumption attempt is expected to fail (because we're now using a new
1820 * SSL_CTX). We should see idx number of tickets issued again.
1823 /* Stop caching sessions - just count them */
1826 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1829 if (!check_resumption(idx, sctx, cctx, 0))
1832 /* Start again with caching sessions */
1839 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1843 &clientssl, NULL, NULL)))
1846 SSL_set_post_handshake_auth(clientssl, 1);
1848 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1850 /* Check we got the number of tickets we were expecting */
1851 || !TEST_int_eq(idx, new_called))
1854 /* After a post-handshake authentication we should get new tickets issued */
1855 if (!post_handshake_verify(serverssl, clientssl)
1856 || !TEST_int_eq(idx * 2, new_called))
1859 SSL_shutdown(clientssl);
1860 SSL_shutdown(serverssl);
1861 SSL_free(serverssl);
1862 SSL_free(clientssl);
1863 serverssl = clientssl = NULL;
1865 /* Stop caching sessions - just count them */
1869 * Check we can resume with all the tickets we created. This time around the
1870 * resumptions should all be successful.
1872 if (!check_resumption(idx, sctx, cctx, 1))
1878 SSL_free(serverssl);
1879 SSL_free(clientssl);
1880 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1881 SSL_SESSION_free(sesscache[j]);
1882 sesscache[j] = NULL;
1890 static int test_stateless_tickets(int idx)
1892 return test_tickets(0, idx);
1895 static int test_stateful_tickets(int idx)
1897 return test_tickets(1, idx);
1900 static int test_psk_tickets(void)
1902 SSL_CTX *sctx = NULL, *cctx = NULL;
1903 SSL *serverssl = NULL, *clientssl = NULL;
1905 int sess_id_ctx = 1;
1907 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1908 TLS1_VERSION, 0, &sctx,
1910 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1911 (void *)&sess_id_ctx,
1912 sizeof(sess_id_ctx))))
1915 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1917 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1918 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1919 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1920 use_session_cb_cnt = 0;
1921 find_session_cb_cnt = 0;
1925 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1928 clientpsk = serverpsk = create_a_psk(clientssl);
1929 if (!TEST_ptr(clientpsk))
1931 SSL_SESSION_up_ref(clientpsk);
1933 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1935 || !TEST_int_eq(1, find_session_cb_cnt)
1936 || !TEST_int_eq(1, use_session_cb_cnt)
1937 /* We should always get 1 ticket when using external PSK */
1938 || !TEST_int_eq(1, new_called))
1944 SSL_free(serverssl);
1945 SSL_free(clientssl);
1948 SSL_SESSION_free(clientpsk);
1949 SSL_SESSION_free(serverpsk);
1950 clientpsk = serverpsk = NULL;
1959 #define USE_DEFAULT 3
1961 #define CONNTYPE_CONNECTION_SUCCESS 0
1962 #define CONNTYPE_CONNECTION_FAIL 1
1963 #define CONNTYPE_NO_CONNECTION 2
1965 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1966 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1967 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1968 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1970 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1973 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1974 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1975 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1977 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1994 * Tests calls to SSL_set_bio() under various conditions.
1996 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1997 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1998 * then do more tests where we create a successful connection first using our
1999 * standard connection setup functions, and then call SSL_set_bio() with
2000 * various combinations of valid BIOs or NULL. We then repeat these tests
2001 * following a failed connection. In this last case we are looking to check that
2002 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2004 static int test_ssl_set_bio(int idx)
2006 SSL_CTX *sctx = NULL, *cctx = NULL;
2009 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2010 SSL *serverssl = NULL, *clientssl = NULL;
2011 int initrbio, initwbio, newrbio, newwbio, conntype;
2014 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2022 conntype = CONNTYPE_NO_CONNECTION;
2024 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2025 initrbio = initwbio = USE_DEFAULT;
2033 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2035 &sctx, &cctx, cert, privkey)))
2038 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2040 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2041 * because we reduced the number of tests in the definition of
2042 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2043 * mismatched protocol versions we will force a connection failure.
2045 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2046 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2049 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2053 if (initrbio == USE_BIO_1
2054 || initwbio == USE_BIO_1
2055 || newrbio == USE_BIO_1
2056 || newwbio == USE_BIO_1) {
2057 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2061 if (initrbio == USE_BIO_2
2062 || initwbio == USE_BIO_2
2063 || newrbio == USE_BIO_2
2064 || newwbio == USE_BIO_2) {
2065 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2069 if (initrbio != USE_DEFAULT) {
2070 setupbio(&irbio, bio1, bio2, initrbio);
2071 setupbio(&iwbio, bio1, bio2, initwbio);
2072 SSL_set_bio(clientssl, irbio, iwbio);
2075 * We want to maintain our own refs to these BIO, so do an up ref for
2076 * each BIO that will have ownership transferred in the SSL_set_bio()
2081 if (iwbio != NULL && iwbio != irbio)
2085 if (conntype != CONNTYPE_NO_CONNECTION
2086 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2088 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2091 setupbio(&nrbio, bio1, bio2, newrbio);
2092 setupbio(&nwbio, bio1, bio2, newwbio);
2095 * We will (maybe) transfer ownership again so do more up refs.
2096 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2101 && (nwbio != iwbio || nrbio != nwbio))
2105 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2108 SSL_set_bio(clientssl, nrbio, nwbio);
2117 * This test is checking that the ref counting for SSL_set_bio is correct.
2118 * If we get here and we did too many frees then we will fail in the above
2119 * functions. If we haven't done enough then this will only be detected in
2120 * a crypto-mdebug build
2122 SSL_free(serverssl);
2123 SSL_free(clientssl);
2129 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2131 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2133 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2138 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2139 || !TEST_ptr(ssl = SSL_new(ctx))
2140 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2141 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2144 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2147 * If anything goes wrong here then we could leak memory, so this will
2148 * be caught in a crypto-mdebug build
2150 BIO_push(sslbio, membio1);
2152 /* Verify changing the rbio/wbio directly does not cause leaks */
2153 if (change_bio != NO_BIO_CHANGE) {
2154 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2156 if (change_bio == CHANGE_RBIO)
2157 SSL_set0_rbio(ssl, membio2);
2159 SSL_set0_wbio(ssl, membio2);
2178 static int test_ssl_bio_pop_next_bio(void)
2180 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2183 static int test_ssl_bio_pop_ssl_bio(void)
2185 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2188 static int test_ssl_bio_change_rbio(void)
2190 return execute_test_ssl_bio(0, CHANGE_RBIO);
2193 static int test_ssl_bio_change_wbio(void)
2195 return execute_test_ssl_bio(0, CHANGE_WBIO);
2198 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2200 /* The list of sig algs */
2202 /* The length of the list */
2204 /* A sigalgs list in string format */
2205 const char *liststr;
2206 /* Whether setting the list should succeed */
2208 /* Whether creating a connection with the list should succeed */
2212 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2213 # ifndef OPENSSL_NO_EC
2214 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2215 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2217 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2218 static const int invalidlist2[] = {NID_sha256, NID_undef};
2219 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2220 static const int invalidlist4[] = {NID_sha256};
2221 static const sigalgs_list testsigalgs[] = {
2222 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2223 # ifndef OPENSSL_NO_EC
2224 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2225 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2227 {NULL, 0, "RSA+SHA256", 1, 1},
2228 # ifndef OPENSSL_NO_EC
2229 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2230 {NULL, 0, "ECDSA+SHA512", 1, 0},
2232 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2233 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2234 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2235 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2236 {NULL, 0, "RSA", 0, 0},
2237 {NULL, 0, "SHA256", 0, 0},
2238 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2239 {NULL, 0, "Invalid", 0, 0}
2242 static int test_set_sigalgs(int idx)
2244 SSL_CTX *cctx = NULL, *sctx = NULL;
2245 SSL *clientssl = NULL, *serverssl = NULL;
2247 const sigalgs_list *curr;
2250 /* Should never happen */
2251 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2254 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2255 curr = testctx ? &testsigalgs[idx]
2256 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2258 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2260 &sctx, &cctx, cert, privkey)))
2264 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2265 * for TLSv1.2 for now until we add a new API.
2267 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2272 if (curr->list != NULL)
2273 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2275 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2279 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2285 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2291 &clientssl, NULL, NULL)))
2297 if (curr->list != NULL)
2298 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2300 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2303 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2312 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2320 SSL_free(serverssl);
2321 SSL_free(clientssl);
2329 #ifndef OPENSSL_NO_TLS1_3
2330 static int psk_client_cb_cnt = 0;
2331 static int psk_server_cb_cnt = 0;
2333 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2334 size_t *idlen, SSL_SESSION **sess)
2336 switch (++use_session_cb_cnt) {
2338 /* The first call should always have a NULL md */
2344 /* The second call should always have an md */
2350 /* We should only be called a maximum of twice */
2354 if (clientpsk != NULL)
2355 SSL_SESSION_up_ref(clientpsk);
2358 *id = (const unsigned char *)pskid;
2359 *idlen = strlen(pskid);
2364 #ifndef OPENSSL_NO_PSK
2365 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2366 unsigned int max_id_len,
2368 unsigned int max_psk_len)
2370 unsigned int psklen = 0;
2372 psk_client_cb_cnt++;
2374 if (strlen(pskid) + 1 > max_id_len)
2377 /* We should only ever be called a maximum of twice per connection */
2378 if (psk_client_cb_cnt > 2)
2381 if (clientpsk == NULL)
2384 /* We'll reuse the PSK we set up for TLSv1.3 */
2385 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2387 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2388 strncpy(id, pskid, max_id_len);
2392 #endif /* OPENSSL_NO_PSK */
2394 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2395 size_t identity_len, SSL_SESSION **sess)
2397 find_session_cb_cnt++;
2399 /* We should only ever be called a maximum of twice per connection */
2400 if (find_session_cb_cnt > 2)
2403 if (serverpsk == NULL)
2406 /* Identity should match that set by the client */
2407 if (strlen(srvid) != identity_len
2408 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2409 /* No PSK found, continue but without a PSK */
2414 SSL_SESSION_up_ref(serverpsk);
2420 #ifndef OPENSSL_NO_PSK
2421 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2422 unsigned char *psk, unsigned int max_psk_len)
2424 unsigned int psklen = 0;
2426 psk_server_cb_cnt++;
2428 /* We should only ever be called a maximum of twice per connection */
2429 if (find_session_cb_cnt > 2)
2432 if (serverpsk == NULL)
2435 /* Identity should match that set by the client */
2436 if (strcmp(srvid, identity) != 0) {
2440 /* We'll reuse the PSK we set up for TLSv1.3 */
2441 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2443 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2447 #endif /* OPENSSL_NO_PSK */
2449 #define MSG1 "Hello"
2450 #define MSG2 "World."
2455 #define MSG7 "message."
2457 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2458 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2461 static SSL_SESSION *create_a_psk(SSL *ssl)
2463 const SSL_CIPHER *cipher = NULL;
2464 const unsigned char key[] = {
2465 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2466 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2467 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2468 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2469 0x2c, 0x2d, 0x2e, 0x2f
2471 SSL_SESSION *sess = NULL;
2473 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2474 sess = SSL_SESSION_new();
2476 || !TEST_ptr(cipher)
2477 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2479 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2481 SSL_SESSION_set_protocol_version(sess,
2483 SSL_SESSION_free(sess);
2490 * Helper method to setup objects for early data test. Caller frees objects on
2493 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2494 SSL **serverssl, SSL_SESSION **sess, int idx)
2497 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2498 TLS_client_method(),
2500 sctx, cctx, cert, privkey)))
2503 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2507 /* When idx == 1 we repeat the tests with read_ahead set */
2508 SSL_CTX_set_read_ahead(*cctx, 1);
2509 SSL_CTX_set_read_ahead(*sctx, 1);
2510 } else if (idx == 2) {
2511 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2512 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2513 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2514 use_session_cb_cnt = 0;
2515 find_session_cb_cnt = 0;
2519 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2524 * For one of the run throughs (doesn't matter which one), we'll try sending
2525 * some SNI data in the initial ClientHello. This will be ignored (because
2526 * there is no SNI cb set up by the server), so it should not impact
2530 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2534 clientpsk = create_a_psk(*clientssl);
2535 if (!TEST_ptr(clientpsk)
2537 * We just choose an arbitrary value for max_early_data which
2538 * should be big enough for testing purposes.
2540 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2542 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2543 SSL_SESSION_free(clientpsk);
2547 serverpsk = clientpsk;
2550 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2551 SSL_SESSION_free(clientpsk);
2552 SSL_SESSION_free(serverpsk);
2553 clientpsk = serverpsk = NULL;
2564 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2568 *sess = SSL_get1_session(*clientssl);
2569 SSL_shutdown(*clientssl);
2570 SSL_shutdown(*serverssl);
2571 SSL_free(*serverssl);
2572 SSL_free(*clientssl);
2573 *serverssl = *clientssl = NULL;
2575 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2576 clientssl, NULL, NULL))
2577 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2583 static int test_early_data_read_write(int idx)
2585 SSL_CTX *cctx = NULL, *sctx = NULL;
2586 SSL *clientssl = NULL, *serverssl = NULL;
2588 SSL_SESSION *sess = NULL;
2589 unsigned char buf[20], data[1024];
2590 size_t readbytes, written, eoedlen, rawread, rawwritten;
2593 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2594 &serverssl, &sess, idx)))
2597 /* Write and read some early data */
2598 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2600 || !TEST_size_t_eq(written, strlen(MSG1))
2601 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2602 sizeof(buf), &readbytes),
2603 SSL_READ_EARLY_DATA_SUCCESS)
2604 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2605 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2606 SSL_EARLY_DATA_ACCEPTED))
2610 * Server should be able to write data, and client should be able to
2613 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2615 || !TEST_size_t_eq(written, strlen(MSG2))
2616 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2617 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2620 /* Even after reading normal data, client should be able write early data */
2621 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2623 || !TEST_size_t_eq(written, strlen(MSG3)))
2626 /* Server should still be able read early data after writing data */
2627 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2629 SSL_READ_EARLY_DATA_SUCCESS)
2630 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2633 /* Write more data from server and read it from client */
2634 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2636 || !TEST_size_t_eq(written, strlen(MSG4))
2637 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2638 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2642 * If client writes normal data it should mean writing early data is no
2645 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2646 || !TEST_size_t_eq(written, strlen(MSG5))
2647 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2648 SSL_EARLY_DATA_ACCEPTED))
2652 * At this point the client has written EndOfEarlyData, ClientFinished and
2653 * normal (fully protected) data. We are going to cause a delay between the
2654 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2655 * in the read BIO, and then just put back the EndOfEarlyData message.
2657 rbio = SSL_get_rbio(serverssl);
2658 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2659 || !TEST_size_t_lt(rawread, sizeof(data))
2660 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2663 /* Record length is in the 4th and 5th bytes of the record header */
2664 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2665 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2666 || !TEST_size_t_eq(rawwritten, eoedlen))
2669 /* Server should be told that there is no more early data */
2670 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2672 SSL_READ_EARLY_DATA_FINISH)
2673 || !TEST_size_t_eq(readbytes, 0))
2677 * Server has not finished init yet, so should still be able to write early
2680 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2682 || !TEST_size_t_eq(written, strlen(MSG6)))
2685 /* Push the ClientFinished and the normal data back into the server rbio */
2686 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2688 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2691 /* Server should be able to read normal data */
2692 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2693 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2696 /* Client and server should not be able to write/read early data now */
2697 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2701 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2703 SSL_READ_EARLY_DATA_ERROR))
2707 /* Client should be able to read the data sent by the server */
2708 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2709 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2713 * Make sure we process the two NewSessionTickets. These arrive
2714 * post-handshake. We attempt reads which we do not expect to return any
2717 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2718 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2722 /* Server should be able to write normal data */
2723 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2724 || !TEST_size_t_eq(written, strlen(MSG7))
2725 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2726 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2729 SSL_SESSION_free(sess);
2730 sess = SSL_get1_session(clientssl);
2731 use_session_cb_cnt = 0;
2732 find_session_cb_cnt = 0;
2734 SSL_shutdown(clientssl);
2735 SSL_shutdown(serverssl);
2736 SSL_free(serverssl);
2737 SSL_free(clientssl);
2738 serverssl = clientssl = NULL;
2739 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2740 &clientssl, NULL, NULL))
2741 || !TEST_true(SSL_set_session(clientssl, sess)))
2744 /* Write and read some early data */
2745 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2747 || !TEST_size_t_eq(written, strlen(MSG1))
2748 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2750 SSL_READ_EARLY_DATA_SUCCESS)
2751 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2754 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2755 || !TEST_int_gt(SSL_accept(serverssl), 0))
2758 /* Client and server should not be able to write/read early data now */
2759 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2763 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2765 SSL_READ_EARLY_DATA_ERROR))
2769 /* Client and server should be able to write/read normal data */
2770 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2771 || !TEST_size_t_eq(written, strlen(MSG5))
2772 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2773 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2779 SSL_SESSION_free(sess);
2780 SSL_SESSION_free(clientpsk);
2781 SSL_SESSION_free(serverpsk);
2782 clientpsk = serverpsk = NULL;
2783 SSL_free(serverssl);
2784 SSL_free(clientssl);
2790 static int allow_ed_cb_called = 0;
2792 static int allow_early_data_cb(SSL *s, void *arg)
2794 int *usecb = (int *)arg;
2796 allow_ed_cb_called++;
2805 * idx == 0: Standard early_data setup
2806 * idx == 1: early_data setup using read_ahead
2807 * usecb == 0: Don't use a custom early data callback
2808 * usecb == 1: Use a custom early data callback and reject the early data
2809 * usecb == 2: Use a custom early data callback and accept the early data
2810 * confopt == 0: Configure anti-replay directly
2811 * confopt == 1: Configure anti-replay using SSL_CONF
2813 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2815 SSL_CTX *cctx = NULL, *sctx = NULL;
2816 SSL *clientssl = NULL, *serverssl = NULL;
2818 SSL_SESSION *sess = NULL;
2819 size_t readbytes, written;
2820 unsigned char buf[20];
2822 allow_ed_cb_called = 0;
2824 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2825 TLS1_VERSION, 0, &sctx,
2826 &cctx, cert, privkey)))
2831 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2833 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2835 if (!TEST_ptr(confctx))
2837 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2838 | SSL_CONF_FLAG_SERVER);
2839 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2840 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2842 SSL_CONF_CTX_free(confctx);
2845 SSL_CONF_CTX_free(confctx);
2847 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2850 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2851 &serverssl, &sess, idx)))
2855 * The server is configured to accept early data. Create a connection to
2856 * "use up" the ticket
2858 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2859 || !TEST_true(SSL_session_reused(clientssl)))
2862 SSL_shutdown(clientssl);
2863 SSL_shutdown(serverssl);
2864 SSL_free(serverssl);
2865 SSL_free(clientssl);
2866 serverssl = clientssl = NULL;
2868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2869 &clientssl, NULL, NULL))
2870 || !TEST_true(SSL_set_session(clientssl, sess)))
2873 /* Write and read some early data */
2874 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2876 || !TEST_size_t_eq(written, strlen(MSG1)))
2880 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2882 SSL_READ_EARLY_DATA_FINISH)
2884 * The ticket was reused, so the we should have rejected the
2887 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2888 SSL_EARLY_DATA_REJECTED))
2891 /* In this case the callback decides to accept the early data */
2892 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2894 SSL_READ_EARLY_DATA_SUCCESS)
2895 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2897 * Server will have sent its flight so client can now send
2898 * end of early data and complete its half of the handshake
2900 || !TEST_int_gt(SSL_connect(clientssl), 0)
2901 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2903 SSL_READ_EARLY_DATA_FINISH)
2904 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2905 SSL_EARLY_DATA_ACCEPTED))
2909 /* Complete the connection */
2910 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2911 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2912 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2918 SSL_SESSION_free(sess);
2919 SSL_SESSION_free(clientpsk);
2920 SSL_SESSION_free(serverpsk);
2921 clientpsk = serverpsk = NULL;
2922 SSL_free(serverssl);
2923 SSL_free(clientssl);
2929 static int test_early_data_replay(int idx)
2931 int ret = 1, usecb, confopt;
2933 for (usecb = 0; usecb < 3; usecb++) {
2934 for (confopt = 0; confopt < 2; confopt++)
2935 ret &= test_early_data_replay_int(idx, usecb, confopt);
2942 * Helper function to test that a server attempting to read early data can
2943 * handle a connection from a client where the early data should be skipped.
2944 * testtype: 0 == No HRR
2945 * testtype: 1 == HRR
2946 * testtype: 2 == HRR, invalid early_data sent after HRR
2947 * testtype: 3 == recv_max_early_data set to 0
2949 static int early_data_skip_helper(int testtype, int idx)
2951 SSL_CTX *cctx = NULL, *sctx = NULL;
2952 SSL *clientssl = NULL, *serverssl = NULL;
2954 SSL_SESSION *sess = NULL;
2955 unsigned char buf[20];
2956 size_t readbytes, written;
2958 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2959 &serverssl, &sess, idx)))
2962 if (testtype == 1 || testtype == 2) {
2963 /* Force an HRR to occur */
2964 #if defined(OPENSSL_NO_EC)
2965 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
2968 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2971 } else if (idx == 2) {
2973 * We force early_data rejection by ensuring the PSK identity is
2976 srvid = "Dummy Identity";
2979 * Deliberately corrupt the creation time. We take 20 seconds off the
2980 * time. It could be any value as long as it is not within tolerance.
2981 * This should mean the ticket is rejected.
2983 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2988 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2991 /* Write some early data */
2992 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2994 || !TEST_size_t_eq(written, strlen(MSG1)))
2997 /* Server should reject the early data */
2998 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3000 SSL_READ_EARLY_DATA_FINISH)
3001 || !TEST_size_t_eq(readbytes, 0)
3002 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3003 SSL_EARLY_DATA_REJECTED))
3013 * Finish off the handshake. We perform the same writes and reads as
3014 * further down but we expect them to fail due to the incomplete
3017 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3018 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3025 BIO *wbio = SSL_get_wbio(clientssl);
3026 /* A record that will appear as bad early_data */
3027 const unsigned char bad_early_data[] = {
3028 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3032 * We force the client to attempt a write. This will fail because
3033 * we're still in the handshake. It will cause the second
3034 * ClientHello to be sent.
3036 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3041 * Inject some early_data after the second ClientHello. This should
3042 * cause the server to fail
3044 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3045 sizeof(bad_early_data), &written)))
3052 * This client has sent more early_data than we are willing to skip
3053 * (case 3) or sent invalid early_data (case 2) so the connection should
3056 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3057 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3060 /* Connection has failed - nothing more to do */
3065 TEST_error("Invalid test type");
3070 * Should be able to send normal data despite rejection of early data. The
3071 * early_data should be skipped.
3073 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3074 || !TEST_size_t_eq(written, strlen(MSG2))
3075 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3076 SSL_EARLY_DATA_REJECTED)
3077 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3078 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3084 SSL_SESSION_free(clientpsk);
3085 SSL_SESSION_free(serverpsk);
3086 clientpsk = serverpsk = NULL;
3087 SSL_SESSION_free(sess);
3088 SSL_free(serverssl);
3089 SSL_free(clientssl);
3096 * Test that a server attempting to read early data can handle a connection
3097 * from a client where the early data is not acceptable.
3099 static int test_early_data_skip(int idx)
3101 return early_data_skip_helper(0, idx);
3105 * Test that a server attempting to read early data can handle a connection
3106 * from a client where an HRR occurs.
3108 static int test_early_data_skip_hrr(int idx)
3110 return early_data_skip_helper(1, idx);
3114 * Test that a server attempting to read early data can handle a connection
3115 * from a client where an HRR occurs and correctly fails if early_data is sent
3118 static int test_early_data_skip_hrr_fail(int idx)
3120 return early_data_skip_helper(2, idx);
3124 * Test that a server attempting to read early data will abort if it tries to
3125 * skip over too much.
3127 static int test_early_data_skip_abort(int idx)
3129 return early_data_skip_helper(3, idx);
3133 * Test that a server attempting to read early data can handle a connection
3134 * from a client that doesn't send any.
3136 static int test_early_data_not_sent(int idx)
3138 SSL_CTX *cctx = NULL, *sctx = NULL;
3139 SSL *clientssl = NULL, *serverssl = NULL;
3141 SSL_SESSION *sess = NULL;
3142 unsigned char buf[20];
3143 size_t readbytes, written;
3145 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3146 &serverssl, &sess, idx)))
3149 /* Write some data - should block due to handshake with server */
3150 SSL_set_connect_state(clientssl);
3151 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3154 /* Server should detect that early data has not been sent */
3155 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3157 SSL_READ_EARLY_DATA_FINISH)
3158 || !TEST_size_t_eq(readbytes, 0)
3159 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3160 SSL_EARLY_DATA_NOT_SENT)
3161 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3162 SSL_EARLY_DATA_NOT_SENT))
3165 /* Continue writing the message we started earlier */
3166 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3167 || !TEST_size_t_eq(written, strlen(MSG1))
3168 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3169 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3170 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3171 || !TEST_size_t_eq(written, strlen(MSG2)))
3174 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3175 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3181 SSL_SESSION_free(sess);
3182 SSL_SESSION_free(clientpsk);
3183 SSL_SESSION_free(serverpsk);
3184 clientpsk = serverpsk = NULL;
3185 SSL_free(serverssl);
3186 SSL_free(clientssl);
3192 static int hostname_cb(SSL *s, int *al, void *arg)
3194 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3196 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
3197 return SSL_TLSEXT_ERR_OK;
3199 return SSL_TLSEXT_ERR_NOACK;
3202 static const char *servalpn;
3204 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3205 unsigned char *outlen, const unsigned char *in,
3206 unsigned int inlen, void *arg)
3208 unsigned int protlen = 0;
3209 const unsigned char *prot;
3211 for (prot = in; prot < in + inlen; prot += protlen) {
3213 if (in + inlen < prot + protlen)
3214 return SSL_TLSEXT_ERR_NOACK;
3216 if (protlen == strlen(servalpn)
3217 && memcmp(prot, servalpn, protlen) == 0) {
3220 return SSL_TLSEXT_ERR_OK;
3224 return SSL_TLSEXT_ERR_NOACK;
3227 /* Test that a PSK can be used to send early_data */
3228 static int test_early_data_psk(int idx)
3230 SSL_CTX *cctx = NULL, *sctx = NULL;
3231 SSL *clientssl = NULL, *serverssl = NULL;
3233 SSL_SESSION *sess = NULL;
3234 unsigned char alpnlist[] = {
3235 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3238 #define GOODALPNLEN 9
3239 #define BADALPNLEN 8
3240 #define GOODALPN (alpnlist)
3241 #define BADALPN (alpnlist + GOODALPNLEN)
3243 unsigned char buf[20];
3244 size_t readbytes, written;
3245 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3246 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3248 /* We always set this up with a final parameter of "2" for PSK */
3249 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3250 &serverssl, &sess, 2)))
3253 servalpn = "goodalpn";
3256 * Note: There is no test for inconsistent SNI with late client detection.
3257 * This is because servers do not acknowledge SNI even if they are using
3258 * it in a resumption handshake - so it is not actually possible for a
3259 * client to detect a problem.
3263 /* Set inconsistent SNI (early client detection) */
3264 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3265 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3266 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3271 /* Set inconsistent ALPN (early client detection) */
3272 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3273 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3274 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3276 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3283 * Set invalid protocol version. Technically this affects PSKs without
3284 * early_data too, but we test it here because it is similar to the
3285 * SNI/ALPN consistency tests.
3287 err = SSL_R_BAD_PSK;
3288 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3294 * Set inconsistent SNI (server detected). In this case the connection
3295 * will succeed but reject early_data.
3297 SSL_SESSION_free(serverpsk);
3298 serverpsk = SSL_SESSION_dup(clientpsk);
3299 if (!TEST_ptr(serverpsk)
3300 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3302 edstatus = SSL_EARLY_DATA_REJECTED;
3303 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3306 /* Set consistent SNI */
3307 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3308 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3309 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3316 * Set inconsistent ALPN (server detected). In this case the connection
3317 * will succeed but reject early_data.
3319 servalpn = "badalpn";
3320 edstatus = SSL_EARLY_DATA_REJECTED;
3321 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3325 * Set consistent ALPN.
3326 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3327 * accepts a list of protos (each one length prefixed).
3328 * SSL_set1_alpn_selected accepts a single protocol (not length
3331 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3333 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3337 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3341 /* Set inconsistent ALPN (late client detection) */
3342 SSL_SESSION_free(serverpsk);
3343 serverpsk = SSL_SESSION_dup(clientpsk);
3344 if (!TEST_ptr(serverpsk)
3345 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3348 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3351 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3354 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3355 edstatus = SSL_EARLY_DATA_ACCEPTED;
3356 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3357 /* SSL_connect() call should fail */
3362 TEST_error("Bad test index");
3366 SSL_set_connect_state(clientssl);
3368 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3370 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3371 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3374 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3378 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3379 &readbytes), readearlyres)
3380 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3381 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3382 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3383 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3390 SSL_SESSION_free(sess);
3391 SSL_SESSION_free(clientpsk);
3392 SSL_SESSION_free(serverpsk);
3393 clientpsk = serverpsk = NULL;
3394 SSL_free(serverssl);
3395 SSL_free(clientssl);
3402 * Test that a server that doesn't try to read early data can handle a
3403 * client sending some.
3405 static int test_early_data_not_expected(int idx)
3407 SSL_CTX *cctx = NULL, *sctx = NULL;
3408 SSL *clientssl = NULL, *serverssl = NULL;
3410 SSL_SESSION *sess = NULL;
3411 unsigned char buf[20];
3412 size_t readbytes, written;
3414 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3415 &serverssl, &sess, idx)))
3418 /* Write some early data */
3419 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3424 * Server should skip over early data and then block waiting for client to
3425 * continue handshake
3427 if (!TEST_int_le(SSL_accept(serverssl), 0)
3428 || !TEST_int_gt(SSL_connect(clientssl), 0)
3429 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3430 SSL_EARLY_DATA_REJECTED)
3431 || !TEST_int_gt(SSL_accept(serverssl), 0)
3432 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3433 SSL_EARLY_DATA_REJECTED))
3436 /* Send some normal data from client to server */
3437 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3438 || !TEST_size_t_eq(written, strlen(MSG2)))
3441 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3442 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3448 SSL_SESSION_free(sess);
3449 SSL_SESSION_free(clientpsk);
3450 SSL_SESSION_free(serverpsk);
3451 clientpsk = serverpsk = NULL;
3452 SSL_free(serverssl);
3453 SSL_free(clientssl);
3460 # ifndef OPENSSL_NO_TLS1_2
3462 * Test that a server attempting to read early data can handle a connection
3463 * from a TLSv1.2 client.
3465 static int test_early_data_tls1_2(int idx)
3467 SSL_CTX *cctx = NULL, *sctx = NULL;
3468 SSL *clientssl = NULL, *serverssl = NULL;
3470 unsigned char buf[20];
3471 size_t readbytes, written;
3473 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3474 &serverssl, NULL, idx)))
3477 /* Write some data - should block due to handshake with server */
3478 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3479 SSL_set_connect_state(clientssl);
3480 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3484 * Server should do TLSv1.2 handshake. First it will block waiting for more
3485 * messages from client after ServerDone. Then SSL_read_early_data should
3486 * finish and detect that early data has not been sent
3488 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3490 SSL_READ_EARLY_DATA_ERROR))
3494 * Continue writing the message we started earlier. Will still block waiting
3495 * for the CCS/Finished from server
3497 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3498 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3500 SSL_READ_EARLY_DATA_FINISH)
3501 || !TEST_size_t_eq(readbytes, 0)
3502 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3503 SSL_EARLY_DATA_NOT_SENT))
3506 /* Continue writing the message we started earlier */
3507 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3508 || !TEST_size_t_eq(written, strlen(MSG1))
3509 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3510 SSL_EARLY_DATA_NOT_SENT)
3511 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3512 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3513 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3514 || !TEST_size_t_eq(written, strlen(MSG2))
3515 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3516 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3522 SSL_SESSION_free(clientpsk);
3523 SSL_SESSION_free(serverpsk);
3524 clientpsk = serverpsk = NULL;
3525 SSL_free(serverssl);
3526 SSL_free(clientssl);
3532 # endif /* OPENSSL_NO_TLS1_2 */
3535 * Test configuring the TLSv1.3 ciphersuites
3537 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3538 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3539 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3540 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3541 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3542 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3543 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3544 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3545 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3546 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3548 static int test_set_ciphersuite(int idx)
3550 SSL_CTX *cctx = NULL, *sctx = NULL;
3551 SSL *clientssl = NULL, *serverssl = NULL;
3554 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3556 &sctx, &cctx, cert, privkey))
3557 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3558 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3561 if (idx >=4 && idx <= 7) {
3562 /* SSL_CTX explicit cipher list */
3563 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3567 if (idx == 0 || idx == 4) {
3568 /* Default ciphersuite */
3569 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3570 "TLS_AES_128_GCM_SHA256")))
3572 } else if (idx == 1 || idx == 5) {
3573 /* Non default ciphersuite */
3574 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3575 "TLS_AES_128_CCM_SHA256")))
3579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3580 &clientssl, NULL, NULL)))
3583 if (idx == 8 || idx == 9) {
3584 /* SSL explicit cipher list */
3585 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3589 if (idx == 2 || idx == 6 || idx == 8) {
3590 /* Default ciphersuite */
3591 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3592 "TLS_AES_128_GCM_SHA256")))
3594 } else if (idx == 3 || idx == 7 || idx == 9) {
3595 /* Non default ciphersuite */
3596 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3597 "TLS_AES_128_CCM_SHA256")))
3601 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3607 SSL_free(serverssl);
3608 SSL_free(clientssl);
3615 static int test_ciphersuite_change(void)
3617 SSL_CTX *cctx = NULL, *sctx = NULL;
3618 SSL *clientssl = NULL, *serverssl = NULL;
3619 SSL_SESSION *clntsess = NULL;
3621 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3623 /* Create a session based on SHA-256 */
3624 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3626 &sctx, &cctx, cert, privkey))
3627 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3628 "TLS_AES_128_GCM_SHA256"))
3629 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3630 &clientssl, NULL, NULL))
3631 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3635 clntsess = SSL_get1_session(clientssl);
3636 /* Save for later */
3637 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3638 SSL_shutdown(clientssl);
3639 SSL_shutdown(serverssl);
3640 SSL_free(serverssl);
3641 SSL_free(clientssl);
3642 serverssl = clientssl = NULL;
3644 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3645 /* Check we can resume a session with a different SHA-256 ciphersuite */
3646 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3647 "TLS_CHACHA20_POLY1305_SHA256"))
3648 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3650 || !TEST_true(SSL_set_session(clientssl, clntsess))
3651 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3653 || !TEST_true(SSL_session_reused(clientssl)))
3656 SSL_SESSION_free(clntsess);
3657 clntsess = SSL_get1_session(clientssl);
3658 SSL_shutdown(clientssl);
3659 SSL_shutdown(serverssl);
3660 SSL_free(serverssl);
3661 SSL_free(clientssl);
3662 serverssl = clientssl = NULL;
3666 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3667 * succeeds but does not resume.
3669 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3670 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3672 || !TEST_true(SSL_set_session(clientssl, clntsess))
3673 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3675 || !TEST_false(SSL_session_reused(clientssl)))
3678 SSL_SESSION_free(clntsess);
3680 SSL_shutdown(clientssl);
3681 SSL_shutdown(serverssl);
3682 SSL_free(serverssl);
3683 SSL_free(clientssl);
3684 serverssl = clientssl = NULL;
3686 /* Create a session based on SHA384 */
3687 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3689 &clientssl, NULL, NULL))
3690 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3694 clntsess = SSL_get1_session(clientssl);
3695 SSL_shutdown(clientssl);
3696 SSL_shutdown(serverssl);
3697 SSL_free(serverssl);
3698 SSL_free(clientssl);
3699 serverssl = clientssl = NULL;
3701 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3702 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3703 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3704 "TLS_AES_256_GCM_SHA384"))
3705 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3707 || !TEST_true(SSL_set_session(clientssl, clntsess))
3709 * We use SSL_ERROR_WANT_READ below so that we can pause the
3710 * connection after the initial ClientHello has been sent to
3711 * enable us to make some session changes.
3713 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3714 SSL_ERROR_WANT_READ)))
3717 /* Trick the client into thinking this session is for a different digest */
3718 clntsess->cipher = aes_128_gcm_sha256;
3719 clntsess->cipher_id = clntsess->cipher->id;
3722 * Continue the previously started connection. Server has selected a SHA-384
3723 * ciphersuite, but client thinks the session is for SHA-256, so it should
3726 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3728 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3729 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3735 SSL_SESSION_free(clntsess);
3736 SSL_free(serverssl);
3737 SSL_free(clientssl);
3745 * Test TLSv1.3 Key exchange
3746 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3747 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3748 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3749 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3750 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3751 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3752 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3753 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3754 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3755 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3756 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3757 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3758 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3759 * Test 13 = Test all FFDHE with TLSv1.2 client and server
3761 static int test_key_exchange(int idx)
3763 SSL_CTX *sctx = NULL, *cctx = NULL;
3764 SSL *serverssl = NULL, *clientssl = NULL;
3766 # ifndef OPENSSL_NO_EC
3767 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3768 NID_secp521r1, NID_X25519, NID_X448};
3770 # ifndef OPENSSL_NO_DH
3771 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3772 NID_ffdhe6144, NID_ffdhe8192};
3775 int *kexch_groups = &kexch_alg;
3776 int kexch_groups_size = 1;
3777 int max_version = TLS1_3_VERSION;
3780 # ifndef OPENSSL_NO_EC
3781 # ifndef OPENSSL_NO_TLS1_2
3783 max_version = TLS1_2_VERSION;
3787 kexch_groups = ecdhe_kexch_groups;
3788 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3791 kexch_alg = NID_X9_62_prime256v1;
3794 kexch_alg = NID_secp384r1;
3797 kexch_alg = NID_secp521r1;
3800 kexch_alg = NID_X25519;
3803 kexch_alg = NID_X448;
3806 # ifndef OPENSSL_NO_DH
3807 # ifndef OPENSSL_NO_TLS1_2
3809 max_version = TLS1_2_VERSION;
3813 kexch_groups = ffdhe_kexch_groups;
3814 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3817 kexch_alg = NID_ffdhe2048;
3820 kexch_alg = NID_ffdhe3072;
3823 kexch_alg = NID_ffdhe4096;
3826 kexch_alg = NID_ffdhe6144;
3829 kexch_alg = NID_ffdhe8192;
3833 /* We're skipping this test */
3837 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3838 TLS1_VERSION, max_version,
3839 &sctx, &cctx, cert, privkey)))
3842 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3843 TLS1_3_RFC_AES_128_GCM_SHA256)))
3846 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3847 TLS1_3_RFC_AES_128_GCM_SHA256)))
3850 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3851 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3855 * Must include an EC ciphersuite so that we send supported groups in
3858 # ifndef OPENSSL_NO_TLS1_2
3859 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3860 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3861 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3865 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3869 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3870 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3873 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3877 * If Handshake succeeds the negotiated kexch alg should be the first one in
3878 * configured, except in the case of FFDHE groups (idx 13), which are
3879 * TLSv1.3 only so we expect no shared group to exist.
3881 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
3882 idx == 13 ? 0 : kexch_groups[0]))
3884 if (max_version == TLS1_3_VERSION) {
3885 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
3887 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
3893 SSL_free(serverssl);
3894 SSL_free(clientssl);
3901 * Test TLSv1.3 Cipher Suite
3902 * Test 0 = Set TLS1.3 cipher on context
3903 * Test 1 = Set TLS1.3 cipher on SSL
3904 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
3905 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
3907 static int test_tls13_ciphersuite(int idx)
3909 SSL_CTX *sctx = NULL, *cctx = NULL;
3910 SSL *serverssl = NULL, *clientssl = NULL;
3911 static const char *t13_ciphers[] = {
3912 TLS1_3_RFC_AES_128_GCM_SHA256,
3913 TLS1_3_RFC_AES_256_GCM_SHA384,
3914 TLS1_3_RFC_AES_128_CCM_SHA256,
3915 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3916 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3917 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3919 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
3921 const char *t13_cipher = NULL;
3922 const char *t12_cipher = NULL;
3923 const char *negotiated_scipher;
3924 const char *negotiated_ccipher;
3940 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
3944 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
3948 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
3949 # ifdef OPENSSL_NO_TLS1_2
3950 if (max_ver == TLS1_2_VERSION)
3953 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
3954 t13_cipher = t13_ciphers[i];
3955 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3956 TLS_client_method(),
3957 TLS1_VERSION, max_ver,
3958 &sctx, &cctx, cert, privkey)))
3962 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
3963 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
3965 if (t12_cipher != NULL) {
3966 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
3967 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
3973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3974 &clientssl, NULL, NULL)))
3978 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
3979 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
3981 if (t12_cipher != NULL) {
3982 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
3983 || !TEST_true(SSL_set_cipher_list(clientssl,
3989 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3993 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3995 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3997 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4001 * TEST_strn_eq is used below because t13_cipher can contain
4002 * multiple ciphersuites
4004 if (max_ver == TLS1_3_VERSION
4005 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4006 strlen(negotiated_scipher)))
4009 # ifndef OPENSSL_NO_TLS1_2
4010 /* Below validation is not done when t12_cipher is NULL */
4011 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4012 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4016 SSL_free(serverssl);
4018 SSL_free(clientssl);
4029 SSL_free(serverssl);
4030 SSL_free(clientssl);
4038 * Test 0 = Test new style callbacks
4039 * Test 1 = Test both new and old style callbacks
4040 * Test 2 = Test old style callbacks
4041 * Test 3 = Test old style callbacks with no certificate
4043 static int test_tls13_psk(int idx)
4045 SSL_CTX *sctx = NULL, *cctx = NULL;
4046 SSL *serverssl = NULL, *clientssl = NULL;
4047 const SSL_CIPHER *cipher = NULL;
4048 const unsigned char key[] = {
4049 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4050 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4051 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4052 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4056 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4058 &sctx, &cctx, idx == 3 ? NULL : cert,
4059 idx == 3 ? NULL : privkey)))
4064 * We use a ciphersuite with SHA256 to ease testing old style PSK
4065 * callbacks which will always default to SHA256. This should not be
4066 * necessary if we have no cert/priv key. In that case the server should
4067 * prefer SHA256 automatically.
4069 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4070 "TLS_AES_128_GCM_SHA256")))
4075 * Test 0: New style callbacks only
4076 * Test 1: New and old style callbacks (only the new ones should be used)
4077 * Test 2: Old style callbacks only
4079 if (idx == 0 || idx == 1) {
4080 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4081 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4083 #ifndef OPENSSL_NO_PSK
4085 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4086 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4090 use_session_cb_cnt = 0;
4091 find_session_cb_cnt = 0;
4092 psk_client_cb_cnt = 0;
4093 psk_server_cb_cnt = 0;
4097 * Check we can create a connection if callback decides not to send a
4100 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4102 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4104 || !TEST_false(SSL_session_reused(clientssl))
4105 || !TEST_false(SSL_session_reused(serverssl)))
4108 if (idx == 0 || idx == 1) {
4109 if (!TEST_true(use_session_cb_cnt == 1)
4110 || !TEST_true(find_session_cb_cnt == 0)
4112 * If no old style callback then below should be 0
4115 || !TEST_true(psk_client_cb_cnt == idx)
4116 || !TEST_true(psk_server_cb_cnt == 0))
4119 if (!TEST_true(use_session_cb_cnt == 0)
4120 || !TEST_true(find_session_cb_cnt == 0)
4121 || !TEST_true(psk_client_cb_cnt == 1)
4122 || !TEST_true(psk_server_cb_cnt == 0))
4126 shutdown_ssl_connection(serverssl, clientssl);
4127 serverssl = clientssl = NULL;
4128 use_session_cb_cnt = psk_client_cb_cnt = 0;
4131 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4135 /* Create the PSK */
4136 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4137 clientpsk = SSL_SESSION_new();
4138 if (!TEST_ptr(clientpsk)
4139 || !TEST_ptr(cipher)
4140 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4142 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4143 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4145 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4147 serverpsk = clientpsk;
4149 /* Check we can create a connection and the PSK is used */
4150 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4151 || !TEST_true(SSL_session_reused(clientssl))
4152 || !TEST_true(SSL_session_reused(serverssl)))
4155 if (idx == 0 || idx == 1) {
4156 if (!TEST_true(use_session_cb_cnt == 1)
4157 || !TEST_true(find_session_cb_cnt == 1)
4158 || !TEST_true(psk_client_cb_cnt == 0)
4159 || !TEST_true(psk_server_cb_cnt == 0))
4162 if (!TEST_true(use_session_cb_cnt == 0)
4163 || !TEST_true(find_session_cb_cnt == 0)
4164 || !TEST_true(psk_client_cb_cnt == 1)
4165 || !TEST_true(psk_server_cb_cnt == 1))
4169 shutdown_ssl_connection(serverssl, clientssl);
4170 serverssl = clientssl = NULL;
4171 use_session_cb_cnt = find_session_cb_cnt = 0;
4172 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4174 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4179 #if defined(OPENSSL_NO_EC)
4180 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4183 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4188 * Check we can create a connection, the PSK is used and the callbacks are
4191 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4192 || !TEST_true(SSL_session_reused(clientssl))
4193 || !TEST_true(SSL_session_reused(serverssl)))
4196 if (idx == 0 || idx == 1) {
4197 if (!TEST_true(use_session_cb_cnt == 2)
4198 || !TEST_true(find_session_cb_cnt == 2)
4199 || !TEST_true(psk_client_cb_cnt == 0)
4200 || !TEST_true(psk_server_cb_cnt == 0))
4203 if (!TEST_true(use_session_cb_cnt == 0)
4204 || !TEST_true(find_session_cb_cnt == 0)
4205 || !TEST_true(psk_client_cb_cnt == 2)
4206 || !TEST_true(psk_server_cb_cnt == 2))
4210 shutdown_ssl_connection(serverssl, clientssl);
4211 serverssl = clientssl = NULL;
4212 use_session_cb_cnt = find_session_cb_cnt = 0;
4213 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4217 * Check that if the server rejects the PSK we can still connect, but with
4220 srvid = "Dummy Identity";
4221 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4223 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4225 || !TEST_false(SSL_session_reused(clientssl))
4226 || !TEST_false(SSL_session_reused(serverssl)))
4229 if (idx == 0 || idx == 1) {
4230 if (!TEST_true(use_session_cb_cnt == 1)
4231 || !TEST_true(find_session_cb_cnt == 1)
4232 || !TEST_true(psk_client_cb_cnt == 0)
4234 * If no old style callback then below should be 0
4237 || !TEST_true(psk_server_cb_cnt == idx))
4240 if (!TEST_true(use_session_cb_cnt == 0)
4241 || !TEST_true(find_session_cb_cnt == 0)
4242 || !TEST_true(psk_client_cb_cnt == 1)
4243 || !TEST_true(psk_server_cb_cnt == 1))
4247 shutdown_ssl_connection(serverssl, clientssl);
4248 serverssl = clientssl = NULL;
4253 SSL_SESSION_free(clientpsk);
4254 SSL_SESSION_free(serverpsk);
4255 clientpsk = serverpsk = NULL;
4256 SSL_free(serverssl);
4257 SSL_free(clientssl);
4263 static unsigned char cookie_magic_value[] = "cookie magic";
4265 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4266 unsigned int *cookie_len)
4269 * Not suitable as a real cookie generation function but good enough for
4272 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4273 *cookie_len = sizeof(cookie_magic_value) - 1;
4278 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4279 unsigned int cookie_len)
4281 if (cookie_len == sizeof(cookie_magic_value) - 1
4282 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4288 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4292 int res = generate_cookie_callback(ssl, cookie, &temp);
4297 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4300 return verify_cookie_callback(ssl, cookie, cookie_len);
4303 static int test_stateless(void)
4305 SSL_CTX *sctx = NULL, *cctx = NULL;
4306 SSL *serverssl = NULL, *clientssl = NULL;
4309 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4311 &sctx, &cctx, cert, privkey)))
4314 /* The arrival of CCS messages can confuse the test */
4315 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4317 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4319 /* Send the first ClientHello */
4320 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4321 SSL_ERROR_WANT_READ))
4323 * This should fail with a -1 return because we have no callbacks
4326 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4329 /* Fatal error so abandon the connection from this client */
4330 SSL_free(clientssl);
4333 /* Set up the cookie generation and verification callbacks */
4334 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4335 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4338 * Create a new connection from the client (we can reuse the server SSL
4341 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4343 /* Send the first ClientHello */
4344 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4345 SSL_ERROR_WANT_READ))
4346 /* This should fail because there is no cookie */
4347 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4350 /* Abandon the connection from this client */
4351 SSL_free(clientssl);
4355 * Now create a connection from a new client but with the same server SSL
4358 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4360 /* Send the first ClientHello */
4361 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4362 SSL_ERROR_WANT_READ))
4363 /* This should fail because there is no cookie */
4364 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4365 /* Send the second ClientHello */
4366 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4367 SSL_ERROR_WANT_READ))
4368 /* This should succeed because a cookie is now present */
4369 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4370 /* Complete the connection */
4371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4375 shutdown_ssl_connection(serverssl, clientssl);
4376 serverssl = clientssl = NULL;
4380 SSL_free(serverssl);
4381 SSL_free(clientssl);
4387 #endif /* OPENSSL_NO_TLS1_3 */
4389 static int clntaddoldcb = 0;
4390 static int clntparseoldcb = 0;
4391 static int srvaddoldcb = 0;
4392 static int srvparseoldcb = 0;
4393 static int clntaddnewcb = 0;
4394 static int clntparsenewcb = 0;
4395 static int srvaddnewcb = 0;
4396 static int srvparsenewcb = 0;
4397 static int snicb = 0;
4399 #define TEST_EXT_TYPE1 0xff00
4401 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4402 size_t *outlen, int *al, void *add_arg)
4404 int *server = (int *)add_arg;
4405 unsigned char *data;
4407 if (SSL_is_server(s))
4412 if (*server != SSL_is_server(s)
4413 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4418 *outlen = sizeof(char);
4422 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4425 OPENSSL_free((unsigned char *)out);
4428 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4429 size_t inlen, int *al, void *parse_arg)
4431 int *server = (int *)parse_arg;
4433 if (SSL_is_server(s))
4438 if (*server != SSL_is_server(s)
4439 || inlen != sizeof(char)
4446 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4447 const unsigned char **out, size_t *outlen, X509 *x,
4448 size_t chainidx, int *al, void *add_arg)
4450 int *server = (int *)add_arg;
4451 unsigned char *data;
4453 if (SSL_is_server(s))
4458 if (*server != SSL_is_server(s)
4459 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4464 *outlen = sizeof(*data);
4468 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4469 const unsigned char *out, void *add_arg)
4471 OPENSSL_free((unsigned char *)out);
4474 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4475 const unsigned char *in, size_t inlen, X509 *x,
4476 size_t chainidx, int *al, void *parse_arg)
4478 int *server = (int *)parse_arg;
4480 if (SSL_is_server(s))
4485 if (*server != SSL_is_server(s)
4486 || inlen != sizeof(char) || *in != 1)
4492 static int sni_cb(SSL *s, int *al, void *arg)
4494 SSL_CTX *ctx = (SSL_CTX *)arg;
4496 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4497 *al = SSL_AD_INTERNAL_ERROR;
4498 return SSL_TLSEXT_ERR_ALERT_FATAL;
4501 return SSL_TLSEXT_ERR_OK;
4505 * Custom call back tests.
4506 * Test 0: Old style callbacks in TLSv1.2
4507 * Test 1: New style callbacks in TLSv1.2
4508 * Test 2: New style callbacks in TLSv1.2 with SNI
4509 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4510 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4512 static int test_custom_exts(int tst)
4514 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4515 SSL *clientssl = NULL, *serverssl = NULL;
4517 static int server = 1;
4518 static int client = 0;
4519 SSL_SESSION *sess = NULL;
4520 unsigned int context;
4522 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4523 /* Skip tests for TLSv1.2 and below in this case */
4528 /* Reset callback counters */
4529 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4530 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4533 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4535 &sctx, &cctx, cert, privkey)))
4539 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4541 &sctx2, NULL, cert, privkey)))
4546 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4547 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4549 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4553 context = SSL_EXT_CLIENT_HELLO
4554 | SSL_EXT_TLS1_2_SERVER_HELLO
4555 | SSL_EXT_TLS1_3_SERVER_HELLO
4556 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4557 | SSL_EXT_TLS1_3_CERTIFICATE
4558 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4560 context = SSL_EXT_CLIENT_HELLO
4561 | SSL_EXT_TLS1_2_SERVER_HELLO
4562 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4565 /* Create a client side custom extension */
4567 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4568 old_add_cb, old_free_cb,
4569 &client, old_parse_cb,
4573 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4574 new_add_cb, new_free_cb,
4575 &client, new_parse_cb, &client)))
4579 /* Should not be able to add duplicates */
4580 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4581 old_add_cb, old_free_cb,
4582 &client, old_parse_cb,
4584 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4585 context, new_add_cb,
4586 new_free_cb, &client,
4587 new_parse_cb, &client)))
4590 /* Create a server side custom extension */
4592 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4593 old_add_cb, old_free_cb,
4594 &server, old_parse_cb,
4598 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4599 new_add_cb, new_free_cb,
4600 &server, new_parse_cb, &server)))
4603 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4604 context, new_add_cb,
4605 new_free_cb, &server,
4606 new_parse_cb, &server)))
4610 /* Should not be able to add duplicates */
4611 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4612 old_add_cb, old_free_cb,
4613 &server, old_parse_cb,
4615 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4616 context, new_add_cb,
4617 new_free_cb, &server,
4618 new_parse_cb, &server)))
4623 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4624 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4628 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4629 &clientssl, NULL, NULL))
4630 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4635 if (clntaddoldcb != 1
4636 || clntparseoldcb != 1
4638 || srvparseoldcb != 1)
4640 } else if (tst == 1 || tst == 2 || tst == 3) {
4641 if (clntaddnewcb != 1
4642 || clntparsenewcb != 1
4644 || srvparsenewcb != 1
4645 || (tst != 2 && snicb != 0)
4646 || (tst == 2 && snicb != 1))
4649 /* In this case there 2 NewSessionTicket messages created */
4650 if (clntaddnewcb != 1
4651 || clntparsenewcb != 5
4653 || srvparsenewcb != 1)
4657 sess = SSL_get1_session(clientssl);
4658 SSL_shutdown(clientssl);
4659 SSL_shutdown(serverssl);
4660 SSL_free(serverssl);
4661 SSL_free(clientssl);
4662 serverssl = clientssl = NULL;
4665 /* We don't bother with the resumption aspects for this test */
4670 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4672 || !TEST_true(SSL_set_session(clientssl, sess))
4673 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4678 * For a resumed session we expect to add the ClientHello extension. For the
4679 * old style callbacks we ignore it on the server side because they set
4680 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4684 if (clntaddoldcb != 2
4685 || clntparseoldcb != 1
4687 || srvparseoldcb != 1)
4689 } else if (tst == 1 || tst == 2 || tst == 3) {
4690 if (clntaddnewcb != 2
4691 || clntparsenewcb != 2
4693 || srvparsenewcb != 2)
4697 * No Certificate message extensions in the resumption handshake,
4698 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4700 if (clntaddnewcb != 2
4701 || clntparsenewcb != 8
4703 || srvparsenewcb != 2)
4710 SSL_SESSION_free(sess);
4711 SSL_free(serverssl);
4712 SSL_free(clientssl);
4713 SSL_CTX_free(sctx2);
4720 * Test loading of serverinfo data in various formats. test_sslmessages actually
4721 * tests to make sure the extensions appear in the handshake
4723 static int test_serverinfo(int tst)
4725 unsigned int version;
4726 unsigned char *sibuf;
4728 int ret, expected, testresult = 0;
4731 ctx = SSL_CTX_new(TLS_method());
4735 if ((tst & 0x01) == 0x01)
4736 version = SSL_SERVERINFOV2;
4738 version = SSL_SERVERINFOV1;
4740 if ((tst & 0x02) == 0x02) {
4741 sibuf = serverinfov2;
4742 sibuflen = sizeof(serverinfov2);
4743 expected = (version == SSL_SERVERINFOV2);
4745 sibuf = serverinfov1;
4746 sibuflen = sizeof(serverinfov1);
4747 expected = (version == SSL_SERVERINFOV1);
4750 if ((tst & 0x04) == 0x04) {
4751 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4753 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4756 * The version variable is irrelevant in this case - it's what is in the
4757 * buffer that matters
4759 if ((tst & 0x02) == 0x02)
4765 if (!TEST_true(ret == expected))
4777 * Test that SSL_export_keying_material() produces expected results. There are
4778 * no test vectors so all we do is test that both sides of the communication
4779 * produce the same results for different protocol versions.
4781 #define SMALL_LABEL_LEN 10
4782 #define LONG_LABEL_LEN 249
4783 static int test_export_key_mat(int tst)
4786 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4787 SSL *clientssl = NULL, *serverssl = NULL;
4788 const char label[LONG_LABEL_LEN + 1] = "test label";
4789 const unsigned char context[] = "context";
4790 const unsigned char *emptycontext = NULL;
4791 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4792 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4794 const int protocols[] = {
4803 #ifdef OPENSSL_NO_TLS1
4807 #ifdef OPENSSL_NO_TLS1_1
4811 #ifdef OPENSSL_NO_TLS1_2
4815 #ifdef OPENSSL_NO_TLS1_3
4819 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4821 &sctx, &cctx, cert, privkey)))
4824 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4825 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4826 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4836 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4839 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4840 sizeof(ckeymat1), label,
4841 LONG_LABEL_LEN + 1, context,
4842 sizeof(context) - 1, 1), 0))
4847 } else if (tst == 4) {
4848 labellen = LONG_LABEL_LEN;
4850 labellen = SMALL_LABEL_LEN;
4853 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4854 sizeof(ckeymat1), label,
4856 sizeof(context) - 1, 1), 1)
4857 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4858 sizeof(ckeymat2), label,
4862 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4863 sizeof(ckeymat3), label,
4866 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4867 sizeof(skeymat1), label,
4870 sizeof(context) -1, 1),
4872 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4873 sizeof(skeymat2), label,
4877 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4878 sizeof(skeymat3), label,
4882 * Check that both sides created the same key material with the
4885 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4888 * Check that both sides created the same key material with an
4891 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4894 * Check that both sides created the same key material without a
4897 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4899 /* Different contexts should produce different results */
4900 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4905 * Check that an empty context and no context produce different results in
4906 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4908 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4910 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4917 SSL_free(serverssl);
4918 SSL_free(clientssl);
4919 SSL_CTX_free(sctx2);
4926 #ifndef OPENSSL_NO_TLS1_3
4928 * Test that SSL_export_keying_material_early() produces expected
4929 * results. There are no test vectors so all we do is test that both
4930 * sides of the communication produce the same results for different
4931 * protocol versions.
4933 static int test_export_key_mat_early(int idx)
4935 static const char label[] = "test label";
4936 static const unsigned char context[] = "context";
4938 SSL_CTX *cctx = NULL, *sctx = NULL;
4939 SSL *clientssl = NULL, *serverssl = NULL;
4940 SSL_SESSION *sess = NULL;
4941 const unsigned char *emptycontext = NULL;
4942 unsigned char ckeymat1[80], ckeymat2[80];
4943 unsigned char skeymat1[80], skeymat2[80];
4944 unsigned char buf[1];
4945 size_t readbytes, written;
4947 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4951 /* Here writing 0 length early data is enough. */
4952 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4953 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4955 SSL_READ_EARLY_DATA_ERROR)
4956 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4957 SSL_EARLY_DATA_ACCEPTED))
4960 if (!TEST_int_eq(SSL_export_keying_material_early(
4961 clientssl, ckeymat1, sizeof(ckeymat1), label,
4962 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4963 || !TEST_int_eq(SSL_export_keying_material_early(
4964 clientssl, ckeymat2, sizeof(ckeymat2), label,
4965 sizeof(label) - 1, emptycontext, 0), 1)
4966 || !TEST_int_eq(SSL_export_keying_material_early(
4967 serverssl, skeymat1, sizeof(skeymat1), label,
4968 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4969 || !TEST_int_eq(SSL_export_keying_material_early(
4970 serverssl, skeymat2, sizeof(skeymat2), label,
4971 sizeof(label) - 1, emptycontext, 0), 1)
4973 * Check that both sides created the same key material with the
4976 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4979 * Check that both sides created the same key material with an
4982 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4984 /* Different contexts should produce different results */
4985 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4992 SSL_SESSION_free(sess);
4993 SSL_SESSION_free(clientpsk);
4994 SSL_SESSION_free(serverpsk);
4995 clientpsk = serverpsk = NULL;
4996 SSL_free(serverssl);
4997 SSL_free(clientssl);
5004 #define NUM_KEY_UPDATE_MESSAGES 40
5008 static int test_key_update(void)
5010 SSL_CTX *cctx = NULL, *sctx = NULL;
5011 SSL *clientssl = NULL, *serverssl = NULL;
5012 int testresult = 0, i, j;
5014 static char *mess = "A test message";
5016 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5017 TLS_client_method(),
5020 &sctx, &cctx, cert, privkey))
5021 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5023 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5027 for (j = 0; j < 2; j++) {
5028 /* Send lots of KeyUpdate messages */
5029 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5030 if (!TEST_true(SSL_key_update(clientssl,
5032 ? SSL_KEY_UPDATE_NOT_REQUESTED
5033 : SSL_KEY_UPDATE_REQUESTED))
5034 || !TEST_true(SSL_do_handshake(clientssl)))
5038 /* Check that sending and receiving app data is ok */
5039 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5040 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5044 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5045 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5053 SSL_free(serverssl);
5054 SSL_free(clientssl);
5062 * Test we can handle a KeyUpdate (update requested) message while write data
5064 * Test 0: Client sends KeyUpdate while Server is writing
5065 * Test 1: Server sends KeyUpdate while Client is writing
5067 static int test_key_update_in_write(int tst)
5069 SSL_CTX *cctx = NULL, *sctx = NULL;
5070 SSL *clientssl = NULL, *serverssl = NULL;
5073 static char *mess = "A test message";
5074 BIO *bretry = BIO_new(bio_s_always_retry());
5076 SSL *peerupdate = NULL, *peerwrite = NULL;
5078 if (!TEST_ptr(bretry)
5079 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5080 TLS_client_method(),
5083 &sctx, &cctx, cert, privkey))
5084 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5086 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5090 peerupdate = tst == 0 ? clientssl : serverssl;
5091 peerwrite = tst == 0 ? serverssl : clientssl;
5093 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5094 || !TEST_true(SSL_do_handshake(peerupdate)))
5097 /* Swap the writing endpoint's write BIO to force a retry */
5098 tmp = SSL_get_wbio(peerwrite);
5099 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5103 SSL_set0_wbio(peerwrite, bretry);
5106 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5107 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5108 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5111 /* Reinstate the original writing endpoint's write BIO */
5112 SSL_set0_wbio(peerwrite, tmp);
5115 /* Now read some data - we will read the key update */
5116 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5117 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5121 * Complete the write we started previously and read it from the other
5124 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5125 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5128 /* Write more data to ensure we send the KeyUpdate message back */
5129 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5130 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5136 SSL_free(serverssl);
5137 SSL_free(clientssl);
5145 #endif /* OPENSSL_NO_TLS1_3 */
5147 static int test_ssl_clear(int idx)
5149 SSL_CTX *cctx = NULL, *sctx = NULL;
5150 SSL *clientssl = NULL, *serverssl = NULL;
5153 #ifdef OPENSSL_NO_TLS1_2
5158 /* Create an initial connection */
5159 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5161 &sctx, &cctx, cert, privkey))
5163 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5165 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5166 &clientssl, NULL, NULL))
5167 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5171 SSL_shutdown(clientssl);
5172 SSL_shutdown(serverssl);
5173 SSL_free(serverssl);
5176 /* Clear clientssl - we're going to reuse the object */
5177 if (!TEST_true(SSL_clear(clientssl)))
5180 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5182 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5184 || !TEST_true(SSL_session_reused(clientssl)))
5187 SSL_shutdown(clientssl);
5188 SSL_shutdown(serverssl);
5193 SSL_free(serverssl);
5194 SSL_free(clientssl);
5201 /* Parse CH and retrieve any MFL extension value if present */
5202 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5205 unsigned char *data;
5206 PACKET pkt, pkt2, pkt3;
5207 unsigned int MFL_code = 0, type = 0;
5209 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5212 memset(&pkt, 0, sizeof(pkt));
5213 memset(&pkt2, 0, sizeof(pkt2));
5214 memset(&pkt3, 0, sizeof(pkt3));
5216 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5217 /* Skip the record header */
5218 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5219 /* Skip the handshake message header */
5220 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5221 /* Skip client version and random */
5222 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5223 + SSL3_RANDOM_SIZE))
5224 /* Skip session id */
5225 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5227 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5228 /* Skip compression */
5229 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5230 /* Extensions len */
5231 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5234 /* Loop through all extensions */
5235 while (PACKET_remaining(&pkt2)) {
5236 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5237 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5240 if (type == TLSEXT_TYPE_max_fragment_length) {
5241 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5242 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5245 *mfl_codemfl_code = MFL_code;
5254 /* Maximum-Fragment-Length TLS extension mode to test */
5255 static const unsigned char max_fragment_len_test[] = {
5256 TLSEXT_max_fragment_length_512,
5257 TLSEXT_max_fragment_length_1024,
5258 TLSEXT_max_fragment_length_2048,
5259 TLSEXT_max_fragment_length_4096
5262 static int test_max_fragment_len_ext(int idx_tst)
5266 int testresult = 0, MFL_mode = 0;
5269 ctx = SSL_CTX_new(TLS_method());
5273 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5274 ctx, max_fragment_len_test[idx_tst])))
5281 rbio = BIO_new(BIO_s_mem());
5282 wbio = BIO_new(BIO_s_mem());
5283 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5289 SSL_set_bio(con, rbio, wbio);
5290 SSL_set_connect_state(con);
5292 if (!TEST_int_le(SSL_connect(con), 0)) {
5293 /* This shouldn't succeed because we don't have a server! */
5297 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5298 /* no MFL in client hello */
5300 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5312 #ifndef OPENSSL_NO_TLS1_3
5313 static int test_pha_key_update(void)
5315 SSL_CTX *cctx = NULL, *sctx = NULL;
5316 SSL *clientssl = NULL, *serverssl = NULL;
5319 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5321 &sctx, &cctx, cert, privkey)))
5324 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5325 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5326 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5327 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5330 SSL_CTX_set_post_handshake_auth(cctx, 1);
5332 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5336 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5340 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5341 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5344 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5347 /* Start handshake on the server */
5348 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5351 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5352 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5356 SSL_shutdown(clientssl);
5357 SSL_shutdown(serverssl);
5362 SSL_free(serverssl);
5363 SSL_free(clientssl);
5370 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5372 static SRP_VBASE *vbase = NULL;
5374 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5376 int ret = SSL3_AL_FATAL;
5378 SRP_user_pwd *user = NULL;
5380 username = SSL_get_srp_username(s);
5381 if (username == NULL) {
5382 *ad = SSL_AD_INTERNAL_ERROR;
5386 user = SRP_VBASE_get1_by_user(vbase, username);
5388 *ad = SSL_AD_INTERNAL_ERROR;
5392 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5394 *ad = SSL_AD_INTERNAL_ERROR;
5401 SRP_user_pwd_free(user);
5405 static int create_new_vfile(char *userid, char *password, const char *filename)
5408 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5411 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5414 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5417 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5418 &row[DB_srpverifier], NULL, NULL);
5419 if (!TEST_ptr(gNid))
5423 * The only way to create an empty TXT_DB is to provide a BIO with no data
5426 db = TXT_DB_read(dummy, DB_NUMBER);
5430 out = BIO_new_file(filename, "w");
5434 row[DB_srpid] = OPENSSL_strdup(userid);
5435 row[DB_srptype] = OPENSSL_strdup("V");
5436 row[DB_srpgN] = OPENSSL_strdup(gNid);
5438 if (!TEST_ptr(row[DB_srpid])
5439 || !TEST_ptr(row[DB_srptype])
5440 || !TEST_ptr(row[DB_srpgN])
5441 || !TEST_true(TXT_DB_insert(db, row)))
5446 if (!TXT_DB_write(out, db))
5452 for (i = 0; i < DB_NUMBER; i++)
5453 OPENSSL_free(row[i]);
5463 static int create_new_vbase(char *userid, char *password)
5465 BIGNUM *verifier = NULL, *salt = NULL;
5466 const SRP_gN *lgN = NULL;
5467 SRP_user_pwd *user_pwd = NULL;
5470 lgN = SRP_get_default_gN(NULL);
5474 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5478 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5479 if (!TEST_ptr(user_pwd))
5482 user_pwd->N = lgN->N;
5483 user_pwd->g = lgN->g;
5484 user_pwd->id = OPENSSL_strdup(userid);
5485 if (!TEST_ptr(user_pwd->id))
5488 user_pwd->v = verifier;
5490 verifier = salt = NULL;
5492 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5498 SRP_user_pwd_free(user_pwd);
5508 * Test 0: Simple successful SRP connection, new vbase
5509 * Test 1: Connection failure due to bad password, new vbase
5510 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5511 * Test 3: Connection failure due to bad password, vbase loaded from existing
5513 * Test 4: Simple successful SRP connection, vbase loaded from new file
5514 * Test 5: Connection failure due to bad password, vbase loaded from new file
5516 static int test_srp(int tst)
5518 char *userid = "test", *password = "password", *tstsrpfile;
5519 SSL_CTX *cctx = NULL, *sctx = NULL;
5520 SSL *clientssl = NULL, *serverssl = NULL;
5521 int ret, testresult = 0;
5523 vbase = SRP_VBASE_new(NULL);
5524 if (!TEST_ptr(vbase))
5527 if (tst == 0 || tst == 1) {
5528 if (!TEST_true(create_new_vbase(userid, password)))
5531 if (tst == 4 || tst == 5) {
5532 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5534 tstsrpfile = tmpfilename;
5536 tstsrpfile = srpvfile;
5538 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5542 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5544 &sctx, &cctx, cert, privkey)))
5547 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5548 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5549 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5550 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5551 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5555 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5558 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5562 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5566 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5568 if (!TEST_true(tst % 2 == 0))
5571 if (!TEST_true(tst % 2 == 1))
5578 SRP_VBASE_free(vbase);
5580 SSL_free(serverssl);
5581 SSL_free(clientssl);
5589 static int info_cb_failed = 0;
5590 static int info_cb_offset = 0;
5591 static int info_cb_this_state = -1;
5593 static struct info_cb_states_st {
5595 const char *statestr;
5596 } info_cb_states[][60] = {
5598 /* TLSv1.2 server followed by resumption */
5599 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5600 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5601 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5602 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5603 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5604 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5605 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5606 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5607 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5608 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5609 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5610 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5611 {SSL_CB_EXIT, NULL}, {0, NULL},
5613 /* TLSv1.2 client followed by resumption */
5614 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5615 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5616 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5617 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5618 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5619 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5620 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5621 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5622 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5623 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5624 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5625 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5627 /* TLSv1.3 server followed by resumption */
5628 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5629 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5630 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5631 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5632 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5633 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5634 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5635 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5636 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5637 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5638 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5639 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5640 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5642 /* TLSv1.3 client followed by resumption */
5643 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5644 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5645 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5646 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5647 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5648 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5649 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5650 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5651 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5652 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5653 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5654 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5655 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5656 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5657 {SSL_CB_EXIT, NULL}, {0, NULL},
5659 /* TLSv1.3 server, early_data */
5660 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5661 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5662 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5663 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5664 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5665 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5666 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5667 {SSL_CB_EXIT, NULL}, {0, NULL},
5669 /* TLSv1.3 client, early_data */
5670 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5671 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5672 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5673 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5674 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5675 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5676 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5677 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5678 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5684 static void sslapi_info_callback(const SSL *s, int where, int ret)
5686 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5688 /* We do not ever expect a connection to fail in this test */
5689 if (!TEST_false(ret == 0)) {
5695 * Do some sanity checks. We never expect these things to happen in this
5698 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5699 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5700 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5705 /* Now check we're in the right state */
5706 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5710 if ((where & SSL_CB_LOOP) != 0
5711 && !TEST_int_eq(strcmp(SSL_state_string(s),
5712 state[info_cb_this_state].statestr), 0)) {
5718 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5720 if ((where & SSL_CB_HANDSHAKE_DONE)
5721 && SSL_in_init((SSL *)s) != 0) {
5728 * Test the info callback gets called when we expect it to.
5730 * Test 0: TLSv1.2, server
5731 * Test 1: TLSv1.2, client
5732 * Test 2: TLSv1.3, server
5733 * Test 3: TLSv1.3, client
5734 * Test 4: TLSv1.3, server, early_data
5735 * Test 5: TLSv1.3, client, early_data
5737 static int test_info_callback(int tst)
5739 SSL_CTX *cctx = NULL, *sctx = NULL;
5740 SSL *clientssl = NULL, *serverssl = NULL;
5741 SSL_SESSION *clntsess = NULL;
5746 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5747 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5748 || !defined(OPENSSL_NO_DH))
5749 tlsvers = TLS1_2_VERSION;
5754 #ifndef OPENSSL_NO_TLS1_3
5755 tlsvers = TLS1_3_VERSION;
5763 info_cb_this_state = -1;
5764 info_cb_offset = tst;
5766 #ifndef OPENSSL_NO_TLS1_3
5768 SSL_SESSION *sess = NULL;
5769 size_t written, readbytes;
5770 unsigned char buf[80];
5772 /* early_data tests */
5773 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5774 &serverssl, &sess, 0)))
5777 /* We don't actually need this reference */
5778 SSL_SESSION_free(sess);
5780 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5781 sslapi_info_callback);
5783 /* Write and read some early data and then complete the connection */
5784 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5786 || !TEST_size_t_eq(written, strlen(MSG1))
5787 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5788 sizeof(buf), &readbytes),
5789 SSL_READ_EARLY_DATA_SUCCESS)
5790 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5791 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5792 SSL_EARLY_DATA_ACCEPTED)
5793 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5795 || !TEST_false(info_cb_failed))
5803 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5804 TLS_client_method(),
5805 tlsvers, tlsvers, &sctx, &cctx, cert,
5810 * For even numbered tests we check the server callbacks. For odd numbers we
5813 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5814 sslapi_info_callback);
5816 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5817 &clientssl, NULL, NULL))
5818 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5820 || !TEST_false(info_cb_failed))
5825 clntsess = SSL_get1_session(clientssl);
5826 SSL_shutdown(clientssl);
5827 SSL_shutdown(serverssl);
5828 SSL_free(serverssl);
5829 SSL_free(clientssl);
5830 serverssl = clientssl = NULL;
5832 /* Now do a resumption */
5833 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5835 || !TEST_true(SSL_set_session(clientssl, clntsess))
5836 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5838 || !TEST_true(SSL_session_reused(clientssl))
5839 || !TEST_false(info_cb_failed))
5845 SSL_free(serverssl);
5846 SSL_free(clientssl);
5847 SSL_SESSION_free(clntsess);
5853 static int test_ssl_pending(int tst)
5855 SSL_CTX *cctx = NULL, *sctx = NULL;
5856 SSL *clientssl = NULL, *serverssl = NULL;
5858 char msg[] = "A test message";
5860 size_t written, readbytes;
5863 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5864 TLS_client_method(),
5866 &sctx, &cctx, cert, privkey)))
5869 #ifndef OPENSSL_NO_DTLS
5870 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5871 DTLS_client_method(),
5873 &sctx, &cctx, cert, privkey)))
5880 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5882 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5886 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5887 || !TEST_false(SSL_has_pending(clientssl))
5888 || !TEST_int_eq(SSL_pending(serverssl), 0)
5889 || !TEST_false(SSL_has_pending(serverssl))
5890 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5891 || !TEST_size_t_eq(written, sizeof(msg))
5892 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5893 || !TEST_size_t_eq(readbytes, sizeof(buf))
5894 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5895 || !TEST_true(SSL_has_pending(clientssl)))
5901 SSL_free(serverssl);
5902 SSL_free(clientssl);
5910 unsigned int maxprot;
5911 const char *clntciphers;
5912 const char *clnttls13ciphers;
5913 const char *srvrciphers;
5914 const char *srvrtls13ciphers;
5916 } shared_ciphers_data[] = {
5918 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5919 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5921 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5924 "AES128-SHA:AES256-SHA",
5926 "AES256-SHA:DHE-RSA-AES128-SHA",
5932 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5934 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5936 "AES128-SHA:AES256-SHA"
5940 "AES128-SHA:AES256-SHA",
5942 "AES128-SHA:DHE-RSA-AES128-SHA",
5948 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5951 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5952 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5955 "AES128-SHA:AES256-SHA",
5957 "AES256-SHA:AES128-SHA256",
5959 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5960 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5963 #ifndef OPENSSL_NO_TLS1_3
5967 "TLS_AES_256_GCM_SHA384",
5969 "TLS_AES_256_GCM_SHA384",
5970 "TLS_AES_256_GCM_SHA384"
5975 static int test_ssl_get_shared_ciphers(int tst)
5977 SSL_CTX *cctx = NULL, *sctx = NULL;
5978 SSL *clientssl = NULL, *serverssl = NULL;
5982 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5983 TLS_client_method(),
5985 shared_ciphers_data[tst].maxprot,
5986 &sctx, &cctx, cert, privkey)))
5989 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5990 shared_ciphers_data[tst].clntciphers))
5991 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5992 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5993 shared_ciphers_data[tst].clnttls13ciphers)))
5994 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5995 shared_ciphers_data[tst].srvrciphers))
5996 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5997 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5998 shared_ciphers_data[tst].srvrtls13ciphers))))
6002 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6004 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6008 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6009 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6010 TEST_info("Shared ciphers are: %s\n", buf);
6017 SSL_free(serverssl);
6018 SSL_free(clientssl);
6025 static const char *appdata = "Hello World";
6026 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6027 static int tick_key_renew = 0;
6028 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6030 static int gen_tick_cb(SSL *s, void *arg)
6032 gen_tick_called = 1;
6034 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6038 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6039 const unsigned char *keyname,
6040 size_t keyname_length,
6041 SSL_TICKET_STATUS status,
6047 dec_tick_called = 1;
6049 if (status == SSL_TICKET_EMPTY)
6050 return SSL_TICKET_RETURN_IGNORE_RENEW;
6052 if (!TEST_true(status == SSL_TICKET_SUCCESS
6053 || status == SSL_TICKET_SUCCESS_RENEW))
6054 return SSL_TICKET_RETURN_ABORT;
6056 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6058 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6059 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6060 return SSL_TICKET_RETURN_ABORT;
6062 if (tick_key_cb_called) {
6063 /* Don't change what the ticket key callback wanted to do */
6065 case SSL_TICKET_NO_DECRYPT:
6066 return SSL_TICKET_RETURN_IGNORE_RENEW;
6068 case SSL_TICKET_SUCCESS:
6069 return SSL_TICKET_RETURN_USE;
6071 case SSL_TICKET_SUCCESS_RENEW:
6072 return SSL_TICKET_RETURN_USE_RENEW;
6075 return SSL_TICKET_RETURN_ABORT;
6078 return tick_dec_ret;
6082 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6083 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6084 HMAC_CTX *hctx, int enc)
6086 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6087 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6089 tick_key_cb_called = 1;
6090 memset(iv, 0, AES_BLOCK_SIZE);
6091 memset(key_name, 0, 16);
6092 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6093 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
6094 EVP_sha256(), NULL))
6097 return tick_key_renew ? 2 : 1;
6101 * Test the various ticket callbacks
6102 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6103 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6104 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6105 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6106 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6107 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6108 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6109 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6110 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
6111 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
6112 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
6113 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
6115 static int test_ticket_callbacks(int tst)
6117 SSL_CTX *cctx = NULL, *sctx = NULL;
6118 SSL *clientssl = NULL, *serverssl = NULL;
6119 SSL_SESSION *clntsess = NULL;
6122 #ifdef OPENSSL_NO_TLS1_2
6126 #ifdef OPENSSL_NO_TLS1_3
6131 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6133 /* Which tests the ticket key callback should request renewal for */
6134 if (tst == 10 || tst == 11)
6139 /* Which tests the decrypt ticket callback should request renewal for */
6143 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6148 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6153 tick_dec_ret = SSL_TICKET_RETURN_USE;
6158 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6162 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6165 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6166 TLS_client_method(),
6168 ((tst % 2) == 0) ? TLS1_2_VERSION
6170 &sctx, &cctx, cert, privkey)))
6174 * We only want sessions to resume from tickets - not the session cache. So
6175 * switch the cache off.
6177 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6180 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6185 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6188 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6190 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6195 * The decrypt ticket key callback in TLSv1.2 should be called even though
6196 * we have no ticket yet, because it gets called with a status of
6197 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6198 * actually send any ticket data). This does not happen in TLSv1.3 because
6199 * it is not valid to send empty ticket data in TLSv1.3.
6201 if (!TEST_int_eq(gen_tick_called, 1)
6202 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6205 gen_tick_called = dec_tick_called = 0;
6207 clntsess = SSL_get1_session(clientssl);
6208 SSL_shutdown(clientssl);
6209 SSL_shutdown(serverssl);
6210 SSL_free(serverssl);
6211 SSL_free(clientssl);
6212 serverssl = clientssl = NULL;
6214 /* Now do a resumption */
6215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6217 || !TEST_true(SSL_set_session(clientssl, clntsess))
6218 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6222 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6223 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6224 if (!TEST_false(SSL_session_reused(clientssl)))
6227 if (!TEST_true(SSL_session_reused(clientssl)))
6231 if (!TEST_int_eq(gen_tick_called,
6233 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6234 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6236 || !TEST_int_eq(dec_tick_called, 1))
6242 SSL_SESSION_free(clntsess);
6243 SSL_free(serverssl);
6244 SSL_free(clientssl);
6252 * Test bi-directional shutdown.
6254 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6255 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6256 * Test 3: TLSv1.3, pending NewSessionTicket messages
6257 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6258 * sends key update, client reads it
6259 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6260 * sends CertificateRequest, client reads and ignores it
6261 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6264 static int test_shutdown(int tst)
6266 SSL_CTX *cctx = NULL, *sctx = NULL;
6267 SSL *clientssl = NULL, *serverssl = NULL;
6269 char msg[] = "A test message";
6271 size_t written, readbytes;
6274 #ifdef OPENSSL_NO_TLS1_2
6278 #ifdef OPENSSL_NO_TLS1_3
6283 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6284 TLS_client_method(),
6286 (tst <= 1) ? TLS1_2_VERSION
6288 &sctx, &cctx, cert, privkey)))
6292 SSL_CTX_set_post_handshake_auth(cctx, 1);
6294 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6299 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6301 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6302 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6304 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6306 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6307 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6311 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6316 * Reading on the server after the client has sent close_notify should
6317 * fail and provide SSL_ERROR_ZERO_RETURN
6319 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6320 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6321 SSL_ERROR_ZERO_RETURN)
6322 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6323 SSL_RECEIVED_SHUTDOWN)
6325 * Even though we're shutdown on receive we should still be
6328 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6331 && !TEST_true(SSL_key_update(serverssl,
6332 SSL_KEY_UPDATE_REQUESTED)))
6335 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6336 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6339 if ((tst == 4 || tst == 5)
6340 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6342 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6344 if (tst == 4 || tst == 5) {
6345 /* Should still be able to read data from server */
6346 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6348 || !TEST_size_t_eq(readbytes, sizeof(msg))
6349 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6350 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6352 || !TEST_size_t_eq(readbytes, sizeof(msg))
6353 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6358 /* Writing on the client after sending close_notify shouldn't be possible */
6359 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6364 * For these tests the client has sent close_notify but it has not yet
6365 * been received by the server. The server has not sent close_notify
6368 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6370 * Writing on the server after sending close_notify shouldn't
6373 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6374 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6375 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6376 || !TEST_true(SSL_SESSION_is_resumable(sess))
6377 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6379 } else if (tst == 4 || tst == 5) {
6381 * In this test the client has sent close_notify and it has been
6382 * received by the server which has responded with a close_notify. The
6383 * client needs to read the close_notify sent by the server.
6385 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6386 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6387 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6393 * The client has sent close_notify and is expecting a close_notify
6394 * back, but instead there is application data first. The shutdown
6395 * should fail with a fatal error.
6397 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6398 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6405 SSL_free(serverssl);
6406 SSL_free(clientssl);
6413 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6414 static int cert_cb_cnt;
6416 static int cert_cb(SSL *s, void *arg)
6418 SSL_CTX *ctx = (SSL_CTX *)arg;
6420 EVP_PKEY *pkey = NULL;
6421 X509 *x509 = NULL, *rootx = NULL;
6422 STACK_OF(X509) *chain = NULL;
6423 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6426 if (cert_cb_cnt == 0) {
6427 /* Suspend the handshake */
6430 } else if (cert_cb_cnt == 1) {
6432 * Update the SSL_CTX, set the certificate and private key and then
6433 * continue the handshake normally.
6435 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6438 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6439 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6441 || !TEST_true(SSL_check_private_key(s)))
6445 } else if (cert_cb_cnt == 3) {
6448 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6449 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6450 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6451 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6453 chain = sk_X509_new_null();
6454 if (!TEST_ptr(chain))
6456 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6457 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6458 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6459 || !TEST_true(sk_X509_push(chain, rootx)))
6463 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6464 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6465 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6468 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6469 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6470 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6472 rv = SSL_check_chain(s, x509, pkey, chain);
6474 * If the cert doesn't show as valid here (e.g., because we don't
6475 * have any shared sigalgs), then we will not set it, and there will
6476 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6477 * will cause tls_choose_sigalgs() to fail the connection.
6479 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6480 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6481 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6488 /* Abort the handshake */
6490 OPENSSL_free(ecdsacert);
6491 OPENSSL_free(ecdsakey);
6492 OPENSSL_free(rootfile);
6494 EVP_PKEY_free(pkey);
6497 sk_X509_pop_free(chain, X509_free);
6502 * Test the certificate callback.
6503 * Test 0: Callback fails
6504 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6505 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6506 * Test 3: Success - Call SSL_check_chain from the callback
6507 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6509 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6511 static int test_cert_cb_int(int prot, int tst)
6513 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6514 SSL *clientssl = NULL, *serverssl = NULL;
6515 int testresult = 0, ret;
6517 #ifdef OPENSSL_NO_EC
6518 /* We use an EC cert in these tests, so we skip in a no-ec build */
6523 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6524 TLS_client_method(),
6527 &sctx, &cctx, NULL, NULL)))
6538 snictx = SSL_CTX_new(TLS_server_method());
6539 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6547 * We cause SSL_check_chain() to fail by specifying sig_algs that
6548 * the chain doesn't meet (the root uses an RSA cert)
6550 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6551 "ecdsa_secp256r1_sha256")))
6553 } else if (tst == 5) {
6555 * We cause SSL_check_chain() to fail by specifying sig_algs that
6556 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6558 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6559 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6563 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6564 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6566 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6573 SSL_free(serverssl);
6574 SSL_free(clientssl);
6577 SSL_CTX_free(snictx);
6583 static int test_cert_cb(int tst)
6587 #ifndef OPENSSL_NO_TLS1_2
6588 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6590 #ifndef OPENSSL_NO_TLS1_3
6591 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6597 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6603 /* Check that SSL_get_peer_certificate() returns something sensible */
6604 peer = SSL_get_peer_certificate(ssl);
6605 if (!TEST_ptr(peer))
6609 in = BIO_new_file(cert, "r");
6613 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6615 if (!TEST_ptr(xcert))
6618 in = BIO_new_file(privkey, "r");
6619 if (!TEST_ptr(in)) {
6624 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6626 if (!TEST_ptr(privpkey)) {
6637 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6642 static int test_client_cert_cb(int tst)
6644 SSL_CTX *cctx = NULL, *sctx = NULL;
6645 SSL *clientssl = NULL, *serverssl = NULL;
6648 #ifdef OPENSSL_NO_TLS1_2
6652 #ifdef OPENSSL_NO_TLS1_3
6657 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6658 TLS_client_method(),
6660 tst == 0 ? TLS1_2_VERSION
6662 &sctx, &cctx, cert, privkey)))
6666 * Test that setting a client_cert_cb results in a client certificate being
6669 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6670 SSL_CTX_set_verify(sctx,
6671 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6674 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6676 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6683 SSL_free(serverssl);
6684 SSL_free(clientssl);
6691 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6693 * Test setting certificate authorities on both client and server.
6695 * Test 0: SSL_CTX_set0_CA_list() only
6696 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6697 * Test 2: Only SSL_CTX_set_client_CA_list()
6699 static int test_ca_names_int(int prot, int tst)
6701 SSL_CTX *cctx = NULL, *sctx = NULL;
6702 SSL *clientssl = NULL, *serverssl = NULL;
6705 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6706 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6707 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6708 const STACK_OF(X509_NAME) *sktmp = NULL;
6710 for (i = 0; i < OSSL_NELEM(name); i++) {
6711 name[i] = X509_NAME_new();
6712 if (!TEST_ptr(name[i])
6713 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6721 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6722 TLS_client_method(),
6725 &sctx, &cctx, cert, privkey)))
6728 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6730 if (tst == 0 || tst == 1) {
6731 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6732 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6733 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6734 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6735 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6736 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6739 SSL_CTX_set0_CA_list(sctx, sk1);
6740 SSL_CTX_set0_CA_list(cctx, sk2);
6743 if (tst == 1 || tst == 2) {
6744 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6745 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6746 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6747 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6748 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6749 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6752 SSL_CTX_set_client_CA_list(sctx, sk1);
6753 SSL_CTX_set_client_CA_list(cctx, sk2);
6757 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6759 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6764 * We only expect certificate authorities to have been sent to the server
6765 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6767 sktmp = SSL_get0_peer_CA_list(serverssl);
6768 if (prot == TLS1_3_VERSION
6769 && (tst == 0 || tst == 1)) {
6770 if (!TEST_ptr(sktmp)
6771 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6772 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6774 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6777 } else if (!TEST_ptr_null(sktmp)) {
6782 * In all tests we expect certificate authorities to have been sent to the
6783 * client. However, SSL_set_client_CA_list() should override
6784 * SSL_set0_CA_list()
6786 sktmp = SSL_get0_peer_CA_list(clientssl);
6787 if (!TEST_ptr(sktmp)
6788 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6789 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6790 name[tst == 0 ? 0 : 2]), 0)
6791 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6792 name[tst == 0 ? 1 : 3]), 0))
6798 SSL_free(serverssl);
6799 SSL_free(clientssl);
6802 for (i = 0; i < OSSL_NELEM(name); i++)
6803 X509_NAME_free(name[i]);
6804 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6805 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6811 static int test_ca_names(int tst)
6815 #ifndef OPENSSL_NO_TLS1_2
6816 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6818 #ifndef OPENSSL_NO_TLS1_3
6819 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6826 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6828 int setup_tests(void)
6830 if (!TEST_ptr(certsdir = test_get_argument(0))
6831 || !TEST_ptr(srpvfile = test_get_argument(1))
6832 || !TEST_ptr(tmpfilename = test_get_argument(2)))
6835 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6836 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6837 TEST_error("not supported in this build");
6840 int i, mcount, rcount, fcount;
6842 for (i = 0; i < 4; i++)
6843 test_export_key_mat(i);
6844 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6845 test_printf_stdout("malloc %d realloc %d free %d\n",
6846 mcount, rcount, fcount);
6851 cert = test_mk_file_path(certsdir, "servercert.pem");
6855 privkey = test_mk_file_path(certsdir, "serverkey.pem");
6856 if (privkey == NULL) {
6861 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6862 && !defined(OPENSSL_NO_SOCK)
6863 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
6864 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
6865 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
6866 ADD_TEST(test_ktls_client_no_txrx_server);
6867 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
6868 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
6869 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
6870 ADD_TEST(test_ktls_client_no_rx_server);
6871 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
6872 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
6873 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
6874 ADD_TEST(test_ktls_client_no_tx_server);
6875 ADD_TEST(test_ktls_no_txrx_client_server);
6876 ADD_TEST(test_ktls_no_rx_client_server);
6877 ADD_TEST(test_ktls_no_tx_client_server);
6878 ADD_TEST(test_ktls_client_server);
6879 ADD_TEST(test_ktls_sendfile);
6881 ADD_TEST(test_large_message_tls);
6882 ADD_TEST(test_large_message_tls_read_ahead);
6883 #ifndef OPENSSL_NO_DTLS
6884 ADD_TEST(test_large_message_dtls);
6886 #ifndef OPENSSL_NO_OCSP
6887 ADD_TEST(test_tlsext_status_type);
6889 ADD_TEST(test_session_with_only_int_cache);
6890 ADD_TEST(test_session_with_only_ext_cache);
6891 ADD_TEST(test_session_with_both_cache);
6892 #ifndef OPENSSL_NO_TLS1_3
6893 ADD_ALL_TESTS(test_stateful_tickets, 3);
6894 ADD_ALL_TESTS(test_stateless_tickets, 3);
6895 ADD_TEST(test_psk_tickets);
6897 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6898 ADD_TEST(test_ssl_bio_pop_next_bio);
6899 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6900 ADD_TEST(test_ssl_bio_change_rbio);
6901 ADD_TEST(test_ssl_bio_change_wbio);
6902 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6903 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6904 ADD_TEST(test_keylog);
6906 #ifndef OPENSSL_NO_TLS1_3
6907 ADD_TEST(test_keylog_no_master_key);
6909 #ifndef OPENSSL_NO_TLS1_2
6910 ADD_TEST(test_client_hello_cb);
6911 ADD_TEST(test_no_ems);
6913 #ifndef OPENSSL_NO_TLS1_3
6914 ADD_ALL_TESTS(test_early_data_read_write, 3);
6916 * We don't do replay tests for external PSK. Replay protection isn't used
6919 ADD_ALL_TESTS(test_early_data_replay, 2);
6920 ADD_ALL_TESTS(test_early_data_skip, 3);
6921 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6922 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6923 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6924 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6925 ADD_ALL_TESTS(test_early_data_psk, 8);
6926 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6927 # ifndef OPENSSL_NO_TLS1_2
6928 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6931 #ifndef OPENSSL_NO_TLS1_3
6932 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6933 ADD_TEST(test_ciphersuite_change);
6934 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
6935 # ifdef OPENSSL_NO_PSK
6936 ADD_ALL_TESTS(test_tls13_psk, 1);
6938 ADD_ALL_TESTS(test_tls13_psk, 4);
6939 # endif /* OPENSSL_NO_PSK */
6940 # ifndef OPENSSL_NO_TLS1_2
6941 /* Test with both TLSv1.3 and 1.2 versions */
6942 ADD_ALL_TESTS(test_key_exchange, 14);
6944 /* Test with only TLSv1.3 versions */
6945 ADD_ALL_TESTS(test_key_exchange, 12);
6947 ADD_ALL_TESTS(test_custom_exts, 5);
6948 ADD_TEST(test_stateless);
6949 ADD_TEST(test_pha_key_update);
6951 ADD_ALL_TESTS(test_custom_exts, 3);
6953 ADD_ALL_TESTS(test_serverinfo, 8);
6954 ADD_ALL_TESTS(test_export_key_mat, 6);
6955 #ifndef OPENSSL_NO_TLS1_3
6956 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6957 ADD_TEST(test_key_update);
6958 ADD_ALL_TESTS(test_key_update_in_write, 2);
6960 ADD_ALL_TESTS(test_ssl_clear, 2);
6961 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6962 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6963 ADD_ALL_TESTS(test_srp, 6);
6965 ADD_ALL_TESTS(test_info_callback, 6);
6966 ADD_ALL_TESTS(test_ssl_pending, 2);
6967 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6968 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6969 ADD_ALL_TESTS(test_shutdown, 7);
6970 ADD_ALL_TESTS(test_cert_cb, 6);
6971 ADD_ALL_TESTS(test_client_cert_cb, 2);
6972 ADD_ALL_TESTS(test_ca_names, 3);
6976 void cleanup_tests(void)
6979 OPENSSL_free(privkey);
6980 bio_s_mempacket_test_free();
6981 bio_s_always_retry_free();