2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/provider.h>
33 #include "ssltestlib.h"
35 #include "testutil/output.h"
36 #include "internal/nelem.h"
37 #include "internal/ktls.h"
38 #include "../ssl/ssl_local.h"
40 DEFINE_STACK_OF(OCSP_RESPID)
42 DEFINE_STACK_OF(X509_NAME)
44 static OPENSSL_CTX *libctx = NULL;
45 static OSSL_PROVIDER *defctxnull = NULL;
47 #ifndef OPENSSL_NO_TLS1_3
49 static SSL_SESSION *clientpsk = NULL;
50 static SSL_SESSION *serverpsk = NULL;
51 static const char *pskid = "Identity";
52 static const char *srvid;
54 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
55 size_t *idlen, SSL_SESSION **sess);
56 static int find_session_cb(SSL *ssl, const unsigned char *identity,
57 size_t identity_len, SSL_SESSION **sess);
59 static int use_session_cb_cnt = 0;
60 static int find_session_cb_cnt = 0;
62 static SSL_SESSION *create_a_psk(SSL *ssl);
65 static char *certsdir = NULL;
66 static char *cert = NULL;
67 static char *privkey = NULL;
68 static char *srpvfile = NULL;
69 static char *tmpfilename = NULL;
71 static int is_fips = 0;
73 #define LOG_BUFFER_SIZE 2048
74 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
75 static size_t server_log_buffer_index = 0;
76 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
77 static size_t client_log_buffer_index = 0;
78 static int error_writing_log = 0;
80 #ifndef OPENSSL_NO_OCSP
81 static const unsigned char orespder[] = "Dummy OCSP Response";
82 static int ocsp_server_called = 0;
83 static int ocsp_client_called = 0;
85 static int cdummyarg = 1;
86 static X509 *ocspcert = NULL;
89 #define NUM_EXTRA_CERTS 40
90 #define CLIENT_VERSION_LEN 2
93 * This structure is used to validate that the correct number of log messages
94 * of various types are emitted when emitting secret logs.
96 struct sslapitest_log_counts {
97 unsigned int rsa_key_exchange_count;
98 unsigned int master_secret_count;
99 unsigned int client_early_secret_count;
100 unsigned int client_handshake_secret_count;
101 unsigned int server_handshake_secret_count;
102 unsigned int client_application_secret_count;
103 unsigned int server_application_secret_count;
104 unsigned int early_exporter_secret_count;
105 unsigned int exporter_secret_count;
109 static unsigned char serverinfov1[] = {
110 0xff, 0xff, /* Dummy extension type */
111 0x00, 0x01, /* Extension length is 1 byte */
112 0xff /* Dummy extension data */
115 static unsigned char serverinfov2[] = {
117 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
118 0xff, 0xff, /* Dummy extension type */
119 0x00, 0x01, /* Extension length is 1 byte */
120 0xff /* Dummy extension data */
123 static int hostname_cb(SSL *s, int *al, void *arg)
125 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
127 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
128 || strcmp(hostname, "altgoodhost") == 0))
129 return SSL_TLSEXT_ERR_OK;
131 return SSL_TLSEXT_ERR_NOACK;
134 static void client_keylog_callback(const SSL *ssl, const char *line)
136 int line_length = strlen(line);
138 /* If the log doesn't fit, error out. */
139 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
140 TEST_info("Client log too full");
141 error_writing_log = 1;
145 strcat(client_log_buffer, line);
146 client_log_buffer_index += line_length;
147 client_log_buffer[client_log_buffer_index++] = '\n';
150 static void server_keylog_callback(const SSL *ssl, const char *line)
152 int line_length = strlen(line);
154 /* If the log doesn't fit, error out. */
155 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
156 TEST_info("Server log too full");
157 error_writing_log = 1;
161 strcat(server_log_buffer, line);
162 server_log_buffer_index += line_length;
163 server_log_buffer[server_log_buffer_index++] = '\n';
166 static int compare_hex_encoded_buffer(const char *hex_encoded,
174 if (!TEST_size_t_eq(raw_length * 2, hex_length))
177 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
178 sprintf(hexed, "%02x", raw[i]);
179 if (!TEST_int_eq(hexed[0], hex_encoded[j])
180 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
187 static int test_keylog_output(char *buffer, const SSL *ssl,
188 const SSL_SESSION *session,
189 struct sslapitest_log_counts *expected)
192 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
193 size_t client_random_size = SSL3_RANDOM_SIZE;
194 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
195 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
196 unsigned int rsa_key_exchange_count = 0;
197 unsigned int master_secret_count = 0;
198 unsigned int client_early_secret_count = 0;
199 unsigned int client_handshake_secret_count = 0;
200 unsigned int server_handshake_secret_count = 0;
201 unsigned int client_application_secret_count = 0;
202 unsigned int server_application_secret_count = 0;
203 unsigned int early_exporter_secret_count = 0;
204 unsigned int exporter_secret_count = 0;
206 for (token = strtok(buffer, " \n"); token != NULL;
207 token = strtok(NULL, " \n")) {
208 if (strcmp(token, "RSA") == 0) {
210 * Premaster secret. Tokens should be: 16 ASCII bytes of
211 * hex-encoded encrypted secret, then the hex-encoded pre-master
214 if (!TEST_ptr(token = strtok(NULL, " \n")))
216 if (!TEST_size_t_eq(strlen(token), 16))
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
221 * We can't sensibly check the log because the premaster secret is
222 * transient, and OpenSSL doesn't keep hold of it once the master
223 * secret is generated.
225 rsa_key_exchange_count++;
226 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
228 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
229 * client random, then the hex-encoded master secret.
231 client_random_size = SSL_get_client_random(ssl,
232 actual_client_random,
234 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
237 if (!TEST_ptr(token = strtok(NULL, " \n")))
239 if (!TEST_size_t_eq(strlen(token), 64))
241 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
242 actual_client_random,
243 client_random_size)))
246 if (!TEST_ptr(token = strtok(NULL, " \n")))
248 master_key_size = SSL_SESSION_get_master_key(session,
251 if (!TEST_size_t_ne(master_key_size, 0))
253 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
257 master_secret_count++;
258 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
259 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
260 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
261 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
262 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
263 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
264 || strcmp(token, "EXPORTER_SECRET") == 0) {
266 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
267 * client random, and then the hex-encoded secret. In this case,
268 * we treat all of these secrets identically and then just
269 * distinguish between them when counting what we saw.
271 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
272 client_early_secret_count++;
273 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
274 client_handshake_secret_count++;
275 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
276 server_handshake_secret_count++;
277 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
278 client_application_secret_count++;
279 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
280 server_application_secret_count++;
281 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
282 early_exporter_secret_count++;
283 else if (strcmp(token, "EXPORTER_SECRET") == 0)
284 exporter_secret_count++;
286 client_random_size = SSL_get_client_random(ssl,
287 actual_client_random,
289 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
292 if (!TEST_ptr(token = strtok(NULL, " \n")))
294 if (!TEST_size_t_eq(strlen(token), 64))
296 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
297 actual_client_random,
298 client_random_size)))
301 if (!TEST_ptr(token = strtok(NULL, " \n")))
305 * TODO(TLS1.3): test that application traffic secrets are what
308 TEST_info("Unexpected token %s\n", token);
313 /* Got what we expected? */
314 if (!TEST_size_t_eq(rsa_key_exchange_count,
315 expected->rsa_key_exchange_count)
316 || !TEST_size_t_eq(master_secret_count,
317 expected->master_secret_count)
318 || !TEST_size_t_eq(client_early_secret_count,
319 expected->client_early_secret_count)
320 || !TEST_size_t_eq(client_handshake_secret_count,
321 expected->client_handshake_secret_count)
322 || !TEST_size_t_eq(server_handshake_secret_count,
323 expected->server_handshake_secret_count)
324 || !TEST_size_t_eq(client_application_secret_count,
325 expected->client_application_secret_count)
326 || !TEST_size_t_eq(server_application_secret_count,
327 expected->server_application_secret_count)
328 || !TEST_size_t_eq(early_exporter_secret_count,
329 expected->early_exporter_secret_count)
330 || !TEST_size_t_eq(exporter_secret_count,
331 expected->exporter_secret_count))
336 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
337 static int test_keylog(void)
339 SSL_CTX *cctx = NULL, *sctx = NULL;
340 SSL *clientssl = NULL, *serverssl = NULL;
342 struct sslapitest_log_counts expected;
344 /* Clean up logging space */
345 memset(&expected, 0, sizeof(expected));
346 memset(client_log_buffer, 0, sizeof(client_log_buffer));
347 memset(server_log_buffer, 0, sizeof(server_log_buffer));
348 client_log_buffer_index = 0;
349 server_log_buffer_index = 0;
350 error_writing_log = 0;
352 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
355 &sctx, &cctx, cert, privkey)))
358 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
359 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
360 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
362 /* We also want to ensure that we use RSA-based key exchange. */
363 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
366 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
367 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
369 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
370 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
371 == client_keylog_callback))
373 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
374 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
375 == server_keylog_callback))
378 /* Now do a handshake and check that the logs have been written to. */
379 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
380 &clientssl, NULL, NULL))
381 || !TEST_true(create_ssl_connection(serverssl, clientssl,
383 || !TEST_false(error_writing_log)
384 || !TEST_int_gt(client_log_buffer_index, 0)
385 || !TEST_int_gt(server_log_buffer_index, 0))
389 * Now we want to test that our output data was vaguely sensible. We
390 * do that by using strtok and confirming that we have more or less the
391 * data we expect. For both client and server, we expect to see one master
392 * secret. The client should also see a RSA key exchange.
394 expected.rsa_key_exchange_count = 1;
395 expected.master_secret_count = 1;
396 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
397 SSL_get_session(clientssl), &expected)))
400 expected.rsa_key_exchange_count = 0;
401 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
402 SSL_get_session(serverssl), &expected)))
417 #ifndef OPENSSL_NO_TLS1_3
418 static int test_keylog_no_master_key(void)
420 SSL_CTX *cctx = NULL, *sctx = NULL;
421 SSL *clientssl = NULL, *serverssl = NULL;
422 SSL_SESSION *sess = NULL;
424 struct sslapitest_log_counts expected;
425 unsigned char buf[1];
426 size_t readbytes, written;
428 /* Clean up logging space */
429 memset(&expected, 0, sizeof(expected));
430 memset(client_log_buffer, 0, sizeof(client_log_buffer));
431 memset(server_log_buffer, 0, sizeof(server_log_buffer));
432 client_log_buffer_index = 0;
433 server_log_buffer_index = 0;
434 error_writing_log = 0;
436 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
437 TLS_client_method(), TLS1_VERSION, 0,
438 &sctx, &cctx, cert, privkey))
439 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
440 SSL3_RT_MAX_PLAIN_LENGTH)))
443 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
444 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
447 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
448 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
449 == client_keylog_callback))
452 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
453 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
454 == server_keylog_callback))
457 /* Now do a handshake and check that the logs have been written to. */
458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
459 &clientssl, NULL, NULL))
460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
462 || !TEST_false(error_writing_log))
466 * Now we want to test that our output data was vaguely sensible. For this
467 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
468 * TLSv1.3, but we do expect both client and server to emit keys.
470 expected.client_handshake_secret_count = 1;
471 expected.server_handshake_secret_count = 1;
472 expected.client_application_secret_count = 1;
473 expected.server_application_secret_count = 1;
474 expected.exporter_secret_count = 1;
475 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
476 SSL_get_session(clientssl), &expected))
477 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
478 SSL_get_session(serverssl),
482 /* Terminate old session and resume with early data. */
483 sess = SSL_get1_session(clientssl);
484 SSL_shutdown(clientssl);
485 SSL_shutdown(serverssl);
488 serverssl = clientssl = NULL;
491 memset(client_log_buffer, 0, sizeof(client_log_buffer));
492 memset(server_log_buffer, 0, sizeof(server_log_buffer));
493 client_log_buffer_index = 0;
494 server_log_buffer_index = 0;
496 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
497 &clientssl, NULL, NULL))
498 || !TEST_true(SSL_set_session(clientssl, sess))
499 /* Here writing 0 length early data is enough. */
500 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
501 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
503 SSL_READ_EARLY_DATA_ERROR)
504 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
505 SSL_EARLY_DATA_ACCEPTED)
506 || !TEST_true(create_ssl_connection(serverssl, clientssl,
508 || !TEST_true(SSL_session_reused(clientssl)))
511 /* In addition to the previous entries, expect early secrets. */
512 expected.client_early_secret_count = 1;
513 expected.early_exporter_secret_count = 1;
514 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
515 SSL_get_session(clientssl), &expected))
516 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
517 SSL_get_session(serverssl),
524 SSL_SESSION_free(sess);
534 #ifndef OPENSSL_NO_TLS1_2
535 static int full_client_hello_callback(SSL *s, int *al, void *arg)
538 const unsigned char *p;
540 /* We only configure two ciphers, but the SCSV is added automatically. */
542 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
544 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
547 const int expected_extensions[] = {
548 #ifndef OPENSSL_NO_EC
554 /* Make sure we can defer processing and get called back. */
556 return SSL_CLIENT_HELLO_RETRY;
558 len = SSL_client_hello_get0_ciphers(s, &p);
559 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
561 SSL_client_hello_get0_compression_methods(s, &p), 1)
562 || !TEST_int_eq(*p, 0))
563 return SSL_CLIENT_HELLO_ERROR;
564 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
565 return SSL_CLIENT_HELLO_ERROR;
566 if (len != OSSL_NELEM(expected_extensions) ||
567 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
568 printf("ClientHello callback expected extensions mismatch\n");
570 return SSL_CLIENT_HELLO_ERROR;
573 return SSL_CLIENT_HELLO_SUCCESS;
576 static int test_client_hello_cb(void)
578 SSL_CTX *cctx = NULL, *sctx = NULL;
579 SSL *clientssl = NULL, *serverssl = NULL;
580 int testctr = 0, testresult = 0;
582 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
583 TLS_client_method(), TLS1_VERSION, 0,
584 &sctx, &cctx, cert, privkey)))
586 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
588 /* The gimpy cipher list we configure can't do TLS 1.3. */
589 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
591 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
592 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
593 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL))
595 || !TEST_false(create_ssl_connection(serverssl, clientssl,
596 SSL_ERROR_WANT_CLIENT_HELLO_CB))
598 * Passing a -1 literal is a hack since
599 * the real value was lost.
601 || !TEST_int_eq(SSL_get_error(serverssl, -1),
602 SSL_ERROR_WANT_CLIENT_HELLO_CB)
603 || !TEST_true(create_ssl_connection(serverssl, clientssl,
618 static int test_no_ems(void)
620 SSL_CTX *cctx = NULL, *sctx = NULL;
621 SSL *clientssl = NULL, *serverssl = NULL;
624 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
625 TLS1_VERSION, TLS1_2_VERSION,
626 &sctx, &cctx, cert, privkey)) {
627 printf("Unable to create SSL_CTX pair\n");
631 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
633 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
634 printf("Unable to create SSL objects\n");
638 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
639 printf("Creating SSL connection failed\n");
643 if (SSL_get_extms_support(serverssl)) {
644 printf("Server reports Extended Master Secret support\n");
648 if (SSL_get_extms_support(clientssl)) {
649 printf("Client reports Extended Master Secret support\n");
664 * Very focused test to exercise a single case in the server-side state
665 * machine, when the ChangeCipherState message needs to actually change
666 * from one cipher to a different cipher (i.e., not changing from null
667 * encryption to real encryption).
669 static int test_ccs_change_cipher(void)
671 SSL_CTX *cctx = NULL, *sctx = NULL;
672 SSL *clientssl = NULL, *serverssl = NULL;
673 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
680 * Create a conection so we can resume and potentially (but not) use
681 * a different cipher in the second connection.
683 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
685 TLS1_VERSION, TLS1_2_VERSION,
686 &sctx, &cctx, cert, privkey))
687 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
690 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
693 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
694 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
697 shutdown_ssl_connection(serverssl, clientssl);
698 serverssl = clientssl = NULL;
700 /* Resume, preferring a different cipher. Our server will force the
701 * same cipher to be used as the initial handshake. */
702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
704 || !TEST_true(SSL_set_session(clientssl, sess))
705 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
708 || !TEST_true(SSL_session_reused(clientssl))
709 || !TEST_true(SSL_session_reused(serverssl))
710 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
711 || !TEST_ptr_eq(sesspre, sesspost)
712 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
713 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
715 shutdown_ssl_connection(serverssl, clientssl);
716 serverssl = clientssl = NULL;
719 * Now create a fresh connection and try to renegotiate a different
722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
724 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
727 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
728 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
729 || !TEST_true(SSL_renegotiate(clientssl))
730 || !TEST_true(SSL_renegotiate_pending(clientssl)))
732 /* Actually drive the renegotiation. */
733 for (i = 0; i < 3; i++) {
734 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
735 if (!TEST_ulong_eq(readbytes, 0))
737 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
738 SSL_ERROR_WANT_READ)) {
741 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
742 if (!TEST_ulong_eq(readbytes, 0))
744 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
745 SSL_ERROR_WANT_READ)) {
749 /* sesspre and sesspost should be different since the cipher changed. */
750 if (!TEST_false(SSL_renegotiate_pending(clientssl))
751 || !TEST_false(SSL_session_reused(clientssl))
752 || !TEST_false(SSL_session_reused(serverssl))
753 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
754 || !TEST_ptr_ne(sesspre, sesspost)
755 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
756 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
759 shutdown_ssl_connection(serverssl, clientssl);
760 serverssl = clientssl = NULL;
769 SSL_SESSION_free(sess);
775 static int execute_test_large_message(const SSL_METHOD *smeth,
776 const SSL_METHOD *cmeth,
777 int min_version, int max_version,
780 SSL_CTX *cctx = NULL, *sctx = NULL;
781 SSL *clientssl = NULL, *serverssl = NULL;
785 X509 *chaincert = NULL;
788 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
790 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
793 if (!TEST_ptr(chaincert))
796 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
797 max_version, &sctx, &cctx, cert,
803 * Test that read_ahead works correctly when dealing with large
806 SSL_CTX_set_read_ahead(cctx, 1);
810 * We assume the supplied certificate is big enough so that if we add
811 * NUM_EXTRA_CERTS it will make the overall message large enough. The
812 * default buffer size is requested to be 16k, but due to the way BUF_MEM
813 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
814 * test we need to have a message larger than that.
816 certlen = i2d_X509(chaincert, NULL);
817 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
818 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
819 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
820 if (!X509_up_ref(chaincert))
822 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
823 X509_free(chaincert);
828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
835 * Calling SSL_clear() first is not required but this tests that SSL_clear()
838 if (!TEST_true(SSL_clear(serverssl)))
843 X509_free(chaincert);
852 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
853 && !defined(OPENSSL_NO_SOCK)
855 /* sock must be connected */
856 static int ktls_chk_platform(int sock)
858 if (!ktls_enable(sock))
863 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
865 static char count = 1;
866 unsigned char cbuf[16000] = {0};
867 unsigned char sbuf[16000];
869 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
870 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
871 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
872 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
873 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
874 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
875 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
876 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
879 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
880 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
881 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
882 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
883 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
884 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
885 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
886 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
888 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
891 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
892 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
897 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
900 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
901 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
906 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
907 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
908 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
909 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
910 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
911 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
912 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
913 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
915 /* verify the payload */
916 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
919 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
920 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
921 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
922 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
925 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
926 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
930 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
931 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
932 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
935 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
936 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
940 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
941 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
942 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
945 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
946 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
950 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
951 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
952 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
955 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
956 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
965 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
966 int sis_ktls_tx, int sis_ktls_rx)
968 SSL_CTX *cctx = NULL, *sctx = NULL;
969 SSL *clientssl = NULL, *serverssl = NULL;
973 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
976 /* Skip this test if the platform does not support ktls */
977 if (!ktls_chk_platform(cfd))
980 /* Create a session based on SHA-256 */
981 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
983 TLS1_2_VERSION, TLS1_2_VERSION,
984 &sctx, &cctx, cert, privkey))
985 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
986 "AES128-GCM-SHA256"))
987 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
988 &clientssl, sfd, cfd)))
992 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
997 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1002 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1007 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1016 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1019 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1024 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1027 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1032 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1035 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1040 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1043 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1047 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1053 SSL_shutdown(clientssl);
1054 SSL_free(clientssl);
1057 SSL_shutdown(serverssl);
1058 SSL_free(serverssl);
1062 serverssl = clientssl = NULL;
1066 #define SENDFILE_SZ (16 * 4096)
1067 #define SENDFILE_CHUNK (4 * 4096)
1068 #define min(a,b) ((a) > (b) ? (b) : (a))
1070 static int test_ktls_sendfile(void)
1072 SSL_CTX *cctx = NULL, *sctx = NULL;
1073 SSL *clientssl = NULL, *serverssl = NULL;
1074 unsigned char *buf, *buf_dst;
1075 BIO *out = NULL, *in = NULL;
1076 int cfd, sfd, ffd, err;
1077 ssize_t chunk_size = 0;
1078 off_t chunk_off = 0;
1082 buf = OPENSSL_zalloc(SENDFILE_SZ);
1083 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1084 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1085 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1088 /* Skip this test if the platform does not support ktls */
1089 if (!ktls_chk_platform(sfd)) {
1094 /* Create a session based on SHA-256 */
1095 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1096 TLS_client_method(),
1097 TLS1_2_VERSION, TLS1_2_VERSION,
1098 &sctx, &cctx, cert, privkey))
1099 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1100 "AES128-GCM-SHA256"))
1101 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1102 &clientssl, sfd, cfd)))
1105 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1107 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1110 RAND_bytes(buf, SENDFILE_SZ);
1111 out = BIO_new_file(tmpfilename, "wb");
1115 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1120 in = BIO_new_file(tmpfilename, "rb");
1121 BIO_get_fp(in, &ffdp);
1124 while (chunk_off < SENDFILE_SZ) {
1125 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1126 while ((err = SSL_sendfile(serverssl,
1130 0)) != chunk_size) {
1131 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1134 while ((err = SSL_read(clientssl,
1135 buf_dst + chunk_off,
1136 chunk_size)) != chunk_size) {
1137 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1141 /* verify the payload */
1142 if (!TEST_mem_eq(buf_dst + chunk_off,
1148 chunk_off += chunk_size;
1154 SSL_shutdown(clientssl);
1155 SSL_free(clientssl);
1158 SSL_shutdown(serverssl);
1159 SSL_free(serverssl);
1163 serverssl = clientssl = NULL;
1167 OPENSSL_free(buf_dst);
1171 static int test_ktls_no_txrx_client_no_txrx_server(void)
1173 return execute_test_ktls(0, 0, 0, 0);
1176 static int test_ktls_no_rx_client_no_txrx_server(void)
1178 return execute_test_ktls(1, 0, 0, 0);
1181 static int test_ktls_no_tx_client_no_txrx_server(void)
1183 return execute_test_ktls(0, 1, 0, 0);
1186 static int test_ktls_client_no_txrx_server(void)
1188 return execute_test_ktls(1, 1, 0, 0);
1191 static int test_ktls_no_txrx_client_no_rx_server(void)
1193 return execute_test_ktls(0, 0, 1, 0);
1196 static int test_ktls_no_rx_client_no_rx_server(void)
1198 return execute_test_ktls(1, 0, 1, 0);
1201 static int test_ktls_no_tx_client_no_rx_server(void)
1203 return execute_test_ktls(0, 1, 1, 0);
1206 static int test_ktls_client_no_rx_server(void)
1208 return execute_test_ktls(1, 1, 1, 0);
1211 static int test_ktls_no_txrx_client_no_tx_server(void)
1213 return execute_test_ktls(0, 0, 0, 1);
1216 static int test_ktls_no_rx_client_no_tx_server(void)
1218 return execute_test_ktls(1, 0, 0, 1);
1221 static int test_ktls_no_tx_client_no_tx_server(void)
1223 return execute_test_ktls(0, 1, 0, 1);
1226 static int test_ktls_client_no_tx_server(void)
1228 return execute_test_ktls(1, 1, 0, 1);
1231 static int test_ktls_no_txrx_client_server(void)
1233 return execute_test_ktls(0, 0, 1, 1);
1236 static int test_ktls_no_rx_client_server(void)
1238 return execute_test_ktls(1, 0, 1, 1);
1241 static int test_ktls_no_tx_client_server(void)
1243 return execute_test_ktls(0, 1, 1, 1);
1246 static int test_ktls_client_server(void)
1248 return execute_test_ktls(1, 1, 1, 1);
1252 static int test_large_message_tls(void)
1254 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1255 TLS1_VERSION, 0, 0);
1258 static int test_large_message_tls_read_ahead(void)
1260 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1261 TLS1_VERSION, 0, 1);
1264 #ifndef OPENSSL_NO_DTLS
1265 static int test_large_message_dtls(void)
1268 * read_ahead is not relevant to DTLS because DTLS always acts as if
1269 * read_ahead is set.
1271 return execute_test_large_message(DTLS_server_method(),
1272 DTLS_client_method(),
1273 DTLS1_VERSION, 0, 0);
1277 #ifndef OPENSSL_NO_OCSP
1278 static int ocsp_server_cb(SSL *s, void *arg)
1280 int *argi = (int *)arg;
1281 unsigned char *copy = NULL;
1282 STACK_OF(OCSP_RESPID) *ids = NULL;
1283 OCSP_RESPID *id = NULL;
1286 /* In this test we are expecting exactly 1 OCSP_RESPID */
1287 SSL_get_tlsext_status_ids(s, &ids);
1288 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1289 return SSL_TLSEXT_ERR_ALERT_FATAL;
1291 id = sk_OCSP_RESPID_value(ids, 0);
1292 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1293 return SSL_TLSEXT_ERR_ALERT_FATAL;
1294 } else if (*argi != 1) {
1295 return SSL_TLSEXT_ERR_ALERT_FATAL;
1298 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1299 return SSL_TLSEXT_ERR_ALERT_FATAL;
1301 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1302 ocsp_server_called = 1;
1303 return SSL_TLSEXT_ERR_OK;
1306 static int ocsp_client_cb(SSL *s, void *arg)
1308 int *argi = (int *)arg;
1309 const unsigned char *respderin;
1312 if (*argi != 1 && *argi != 2)
1315 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1316 if (!TEST_mem_eq(orespder, len, respderin, len))
1319 ocsp_client_called = 1;
1323 static int test_tlsext_status_type(void)
1325 SSL_CTX *cctx = NULL, *sctx = NULL;
1326 SSL *clientssl = NULL, *serverssl = NULL;
1328 STACK_OF(OCSP_RESPID) *ids = NULL;
1329 OCSP_RESPID *id = NULL;
1330 BIO *certbio = NULL;
1332 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1334 &sctx, &cctx, cert, privkey))
1337 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1340 /* First just do various checks getting and setting tlsext_status_type */
1342 clientssl = SSL_new(cctx);
1343 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1344 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1345 TLSEXT_STATUSTYPE_ocsp))
1346 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1347 TLSEXT_STATUSTYPE_ocsp))
1350 SSL_free(clientssl);
1353 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1354 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1357 clientssl = SSL_new(cctx);
1358 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1360 SSL_free(clientssl);
1364 * Now actually do a handshake and check OCSP information is exchanged and
1365 * the callbacks get called
1367 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1368 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1369 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1370 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1372 &clientssl, NULL, NULL))
1373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1375 || !TEST_true(ocsp_client_called)
1376 || !TEST_true(ocsp_server_called))
1378 SSL_free(serverssl);
1379 SSL_free(clientssl);
1383 /* Try again but this time force the server side callback to fail */
1384 ocsp_client_called = 0;
1385 ocsp_server_called = 0;
1387 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1388 &clientssl, NULL, NULL))
1389 /* This should fail because the callback will fail */
1390 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1392 || !TEST_false(ocsp_client_called)
1393 || !TEST_false(ocsp_server_called))
1395 SSL_free(serverssl);
1396 SSL_free(clientssl);
1401 * This time we'll get the client to send an OCSP_RESPID that it will
1404 ocsp_client_called = 0;
1405 ocsp_server_called = 0;
1407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1408 &clientssl, NULL, NULL)))
1412 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1413 * specific one. We'll use the server cert.
1415 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1416 || !TEST_ptr(id = OCSP_RESPID_new())
1417 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1418 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1420 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1421 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1424 SSL_set_tlsext_status_ids(clientssl, ids);
1425 /* Control has been transferred */
1431 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1433 || !TEST_true(ocsp_client_called)
1434 || !TEST_true(ocsp_server_called))
1440 SSL_free(serverssl);
1441 SSL_free(clientssl);
1444 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1445 OCSP_RESPID_free(id);
1447 X509_free(ocspcert);
1454 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1455 static int new_called, remove_called, get_called;
1457 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1461 * sess has been up-refed for us, but we don't actually need it so free it
1464 SSL_SESSION_free(sess);
1468 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1473 static SSL_SESSION *get_sess_val = NULL;
1475 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1480 return get_sess_val;
1483 static int execute_test_session(int maxprot, int use_int_cache,
1486 SSL_CTX *sctx = NULL, *cctx = NULL;
1487 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1488 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1489 # ifndef OPENSSL_NO_TLS1_1
1490 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1492 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1493 int testresult = 0, numnewsesstick = 1;
1495 new_called = remove_called = 0;
1497 /* TLSv1.3 sends 2 NewSessionTickets */
1498 if (maxprot == TLS1_3_VERSION)
1501 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1502 TLS_client_method(), TLS1_VERSION, 0,
1503 &sctx, &cctx, cert, privkey)))
1507 * Only allow the max protocol version so we can force a connection failure
1510 SSL_CTX_set_min_proto_version(cctx, maxprot);
1511 SSL_CTX_set_max_proto_version(cctx, maxprot);
1513 /* Set up session cache */
1514 if (use_ext_cache) {
1515 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1516 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1518 if (use_int_cache) {
1519 /* Also covers instance where both are set */
1520 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1522 SSL_CTX_set_session_cache_mode(cctx,
1523 SSL_SESS_CACHE_CLIENT
1524 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1529 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1531 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1534 /* Should fail because it should already be in the cache */
1535 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1538 && (!TEST_int_eq(new_called, numnewsesstick)
1540 || !TEST_int_eq(remove_called, 0)))
1543 new_called = remove_called = 0;
1544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1545 &clientssl2, NULL, NULL))
1546 || !TEST_true(SSL_set_session(clientssl2, sess1))
1547 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1549 || !TEST_true(SSL_session_reused(clientssl2)))
1552 if (maxprot == TLS1_3_VERSION) {
1554 * In TLSv1.3 we should have created a new session even though we have
1555 * resumed. Since we attempted a resume we should also have removed the
1556 * old ticket from the cache so that we try to only use tickets once.
1559 && (!TEST_int_eq(new_called, 1)
1560 || !TEST_int_eq(remove_called, 1)))
1564 * In TLSv1.2 we expect to have resumed so no sessions added or
1568 && (!TEST_int_eq(new_called, 0)
1569 || !TEST_int_eq(remove_called, 0)))
1573 SSL_SESSION_free(sess1);
1574 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1576 shutdown_ssl_connection(serverssl2, clientssl2);
1577 serverssl2 = clientssl2 = NULL;
1579 new_called = remove_called = 0;
1580 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1581 &clientssl2, NULL, NULL))
1582 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1586 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1590 && (!TEST_int_eq(new_called, numnewsesstick)
1591 || !TEST_int_eq(remove_called, 0)))
1594 new_called = remove_called = 0;
1596 * This should clear sess2 from the cache because it is a "bad" session.
1597 * See SSL_set_session() documentation.
1599 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1602 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1604 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1607 if (use_int_cache) {
1608 /* Should succeeded because it should not already be in the cache */
1609 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1610 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1614 new_called = remove_called = 0;
1615 /* This shouldn't be in the cache so should fail */
1616 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1620 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1623 # if !defined(OPENSSL_NO_TLS1_1)
1624 new_called = remove_called = 0;
1625 /* Force a connection failure */
1626 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1627 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1628 &clientssl3, NULL, NULL))
1629 || !TEST_true(SSL_set_session(clientssl3, sess1))
1630 /* This should fail because of the mismatched protocol versions */
1631 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1635 /* We should have automatically removed the session from the cache */
1637 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1640 /* Should succeed because it should not already be in the cache */
1641 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1645 /* Now do some tests for server side caching */
1646 if (use_ext_cache) {
1647 SSL_CTX_sess_set_new_cb(cctx, NULL);
1648 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1649 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1650 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1651 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1652 get_sess_val = NULL;
1655 SSL_CTX_set_session_cache_mode(cctx, 0);
1656 /* Internal caching is the default on the server side */
1658 SSL_CTX_set_session_cache_mode(sctx,
1659 SSL_SESS_CACHE_SERVER
1660 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1662 SSL_free(serverssl1);
1663 SSL_free(clientssl1);
1664 serverssl1 = clientssl1 = NULL;
1665 SSL_free(serverssl2);
1666 SSL_free(clientssl2);
1667 serverssl2 = clientssl2 = NULL;
1668 SSL_SESSION_free(sess1);
1670 SSL_SESSION_free(sess2);
1673 SSL_CTX_set_max_proto_version(sctx, maxprot);
1674 if (maxprot == TLS1_2_VERSION)
1675 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1676 new_called = remove_called = get_called = 0;
1677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1679 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1681 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1682 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1685 if (use_int_cache) {
1686 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1688 * In TLSv1.3 it should not have been added to the internal cache,
1689 * except in the case where we also have an external cache (in that
1690 * case it gets added to the cache in order to generate remove
1691 * events after timeout).
1693 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1696 /* Should fail because it should already be in the cache */
1697 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1702 if (use_ext_cache) {
1703 SSL_SESSION *tmp = sess2;
1705 if (!TEST_int_eq(new_called, numnewsesstick)
1706 || !TEST_int_eq(remove_called, 0)
1707 || !TEST_int_eq(get_called, 0))
1710 * Delete the session from the internal cache to force a lookup from
1711 * the external cache. We take a copy first because
1712 * SSL_CTX_remove_session() also marks the session as non-resumable.
1714 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1715 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1716 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1718 SSL_SESSION_free(sess2);
1723 new_called = remove_called = get_called = 0;
1724 get_sess_val = sess2;
1725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1726 &clientssl2, NULL, NULL))
1727 || !TEST_true(SSL_set_session(clientssl2, sess1))
1728 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1730 || !TEST_true(SSL_session_reused(clientssl2)))
1733 if (use_ext_cache) {
1734 if (!TEST_int_eq(remove_called, 0))
1737 if (maxprot == TLS1_3_VERSION) {
1738 if (!TEST_int_eq(new_called, 1)
1739 || !TEST_int_eq(get_called, 0))
1742 if (!TEST_int_eq(new_called, 0)
1743 || !TEST_int_eq(get_called, 1))
1751 SSL_free(serverssl1);
1752 SSL_free(clientssl1);
1753 SSL_free(serverssl2);
1754 SSL_free(clientssl2);
1755 # ifndef OPENSSL_NO_TLS1_1
1756 SSL_free(serverssl3);
1757 SSL_free(clientssl3);
1759 SSL_SESSION_free(sess1);
1760 SSL_SESSION_free(sess2);
1766 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1768 static int test_session_with_only_int_cache(void)
1770 #ifndef OPENSSL_NO_TLS1_3
1771 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1775 #ifndef OPENSSL_NO_TLS1_2
1776 return execute_test_session(TLS1_2_VERSION, 1, 0);
1782 static int test_session_with_only_ext_cache(void)
1784 #ifndef OPENSSL_NO_TLS1_3
1785 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1789 #ifndef OPENSSL_NO_TLS1_2
1790 return execute_test_session(TLS1_2_VERSION, 0, 1);
1796 static int test_session_with_both_cache(void)
1798 #ifndef OPENSSL_NO_TLS1_3
1799 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1803 #ifndef OPENSSL_NO_TLS1_2
1804 return execute_test_session(TLS1_2_VERSION, 1, 1);
1810 #ifndef OPENSSL_NO_TLS1_3
1811 static SSL_SESSION *sesscache[6];
1812 static int do_cache;
1814 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1817 sesscache[new_called] = sess;
1819 /* We don't need the reference to the session, so free it */
1820 SSL_SESSION_free(sess);
1827 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1829 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1830 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1833 /* Start handshake on the server and client */
1834 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1835 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1836 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1837 || !TEST_true(create_ssl_connection(sssl, cssl,
1844 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1847 int sess_id_ctx = 1;
1849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1850 TLS_client_method(), TLS1_VERSION, 0,
1851 sctx, cctx, cert, privkey))
1852 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1853 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1854 (void *)&sess_id_ctx,
1855 sizeof(sess_id_ctx))))
1859 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1861 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1862 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1863 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1868 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1870 SSL *serverssl = NULL, *clientssl = NULL;
1873 /* Test that we can resume with all the tickets we got given */
1874 for (i = 0; i < idx * 2; i++) {
1876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1877 &clientssl, NULL, NULL))
1878 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1881 SSL_set_post_handshake_auth(clientssl, 1);
1883 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1888 * Following a successful resumption we only get 1 ticket. After a
1889 * failed one we should get idx tickets.
1892 if (!TEST_true(SSL_session_reused(clientssl))
1893 || !TEST_int_eq(new_called, 1))
1896 if (!TEST_false(SSL_session_reused(clientssl))
1897 || !TEST_int_eq(new_called, idx))
1902 /* After a post-handshake authentication we should get 1 new ticket */
1904 && (!post_handshake_verify(serverssl, clientssl)
1905 || !TEST_int_eq(new_called, 1)))
1908 SSL_shutdown(clientssl);
1909 SSL_shutdown(serverssl);
1910 SSL_free(serverssl);
1911 SSL_free(clientssl);
1912 serverssl = clientssl = NULL;
1913 SSL_SESSION_free(sesscache[i]);
1914 sesscache[i] = NULL;
1920 SSL_free(clientssl);
1921 SSL_free(serverssl);
1925 static int test_tickets(int stateful, int idx)
1927 SSL_CTX *sctx = NULL, *cctx = NULL;
1928 SSL *serverssl = NULL, *clientssl = NULL;
1932 /* idx is the test number, but also the number of tickets we want */
1937 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1940 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1941 &clientssl, NULL, NULL)))
1944 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1946 /* Check we got the number of tickets we were expecting */
1947 || !TEST_int_eq(idx, new_called))
1950 SSL_shutdown(clientssl);
1951 SSL_shutdown(serverssl);
1952 SSL_free(serverssl);
1953 SSL_free(clientssl);
1956 clientssl = serverssl = NULL;
1960 * Now we try to resume with the tickets we previously created. The
1961 * resumption attempt is expected to fail (because we're now using a new
1962 * SSL_CTX). We should see idx number of tickets issued again.
1965 /* Stop caching sessions - just count them */
1968 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1971 if (!check_resumption(idx, sctx, cctx, 0))
1974 /* Start again with caching sessions */
1981 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1985 &clientssl, NULL, NULL)))
1988 SSL_set_post_handshake_auth(clientssl, 1);
1990 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1992 /* Check we got the number of tickets we were expecting */
1993 || !TEST_int_eq(idx, new_called))
1996 /* After a post-handshake authentication we should get new tickets issued */
1997 if (!post_handshake_verify(serverssl, clientssl)
1998 || !TEST_int_eq(idx * 2, new_called))
2001 SSL_shutdown(clientssl);
2002 SSL_shutdown(serverssl);
2003 SSL_free(serverssl);
2004 SSL_free(clientssl);
2005 serverssl = clientssl = NULL;
2007 /* Stop caching sessions - just count them */
2011 * Check we can resume with all the tickets we created. This time around the
2012 * resumptions should all be successful.
2014 if (!check_resumption(idx, sctx, cctx, 1))
2020 SSL_free(serverssl);
2021 SSL_free(clientssl);
2022 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2023 SSL_SESSION_free(sesscache[j]);
2024 sesscache[j] = NULL;
2032 static int test_stateless_tickets(int idx)
2034 return test_tickets(0, idx);
2037 static int test_stateful_tickets(int idx)
2039 return test_tickets(1, idx);
2042 static int test_psk_tickets(void)
2044 SSL_CTX *sctx = NULL, *cctx = NULL;
2045 SSL *serverssl = NULL, *clientssl = NULL;
2047 int sess_id_ctx = 1;
2049 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2050 TLS_client_method(), TLS1_VERSION, 0,
2051 &sctx, &cctx, NULL, NULL))
2052 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2053 (void *)&sess_id_ctx,
2054 sizeof(sess_id_ctx))))
2057 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2058 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2059 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2060 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2061 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2062 use_session_cb_cnt = 0;
2063 find_session_cb_cnt = 0;
2067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2070 clientpsk = serverpsk = create_a_psk(clientssl);
2071 if (!TEST_ptr(clientpsk))
2073 SSL_SESSION_up_ref(clientpsk);
2075 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2077 || !TEST_int_eq(1, find_session_cb_cnt)
2078 || !TEST_int_eq(1, use_session_cb_cnt)
2079 /* We should always get 1 ticket when using external PSK */
2080 || !TEST_int_eq(1, new_called))
2086 SSL_free(serverssl);
2087 SSL_free(clientssl);
2090 SSL_SESSION_free(clientpsk);
2091 SSL_SESSION_free(serverpsk);
2092 clientpsk = serverpsk = NULL;
2097 static int test_extra_tickets(int idx)
2099 SSL_CTX *sctx = NULL, *cctx = NULL;
2100 SSL *serverssl = NULL, *clientssl = NULL;
2101 BIO *bretry = BIO_new(bio_s_always_retry());
2106 unsigned char c, buf[1];
2116 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2118 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2119 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2120 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2122 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2123 &clientssl, NULL, NULL)))
2127 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2128 * incremented by both client and server.
2130 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2132 /* Check we got the number of tickets we were expecting */
2133 || !TEST_int_eq(idx * 2, new_called)
2134 || !TEST_true(SSL_new_session_ticket(serverssl))
2135 || !TEST_true(SSL_new_session_ticket(serverssl))
2136 || !TEST_int_eq(idx * 2, new_called))
2139 /* Now try a (real) write to actually send the tickets */
2141 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2142 || !TEST_size_t_eq(1, nbytes)
2143 || !TEST_int_eq(idx * 2 + 2, new_called)
2144 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2145 || !TEST_int_eq(idx * 2 + 4, new_called)
2146 || !TEST_int_eq(sizeof(buf), nbytes)
2147 || !TEST_int_eq(c, buf[0])
2148 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2151 /* Try with only requesting one new ticket, too */
2154 if (!TEST_true(SSL_new_session_ticket(serverssl))
2155 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2156 || !TEST_size_t_eq(sizeof(c), nbytes)
2157 || !TEST_int_eq(1, new_called)
2158 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2159 || !TEST_int_eq(2, new_called)
2160 || !TEST_size_t_eq(sizeof(buf), nbytes)
2161 || !TEST_int_eq(c, buf[0]))
2164 /* Do it again but use dummy writes to drive the ticket generation */
2167 if (!TEST_true(SSL_new_session_ticket(serverssl))
2168 || !TEST_true(SSL_new_session_ticket(serverssl))
2169 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2170 || !TEST_size_t_eq(0, nbytes)
2171 || !TEST_int_eq(2, new_called)
2172 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2173 || !TEST_int_eq(4, new_called))
2177 * Use the always-retry BIO to exercise the logic that forces ticket
2178 * generation to wait until a record boundary.
2182 tmp = SSL_get_wbio(serverssl);
2183 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2187 SSL_set0_wbio(serverssl, bretry);
2189 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2190 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2191 || !TEST_size_t_eq(nbytes, 0))
2193 /* Restore a BIO that will let the write succeed */
2194 SSL_set0_wbio(serverssl, tmp);
2196 /* These calls should just queue the request and not send anything. */
2197 if (!TEST_true(SSL_new_session_ticket(serverssl))
2198 || !TEST_true(SSL_new_session_ticket(serverssl))
2199 || !TEST_int_eq(0, new_called))
2201 /* Re-do the write; still no tickets sent */
2202 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2203 || !TEST_size_t_eq(1, nbytes)
2204 || !TEST_int_eq(0, new_called)
2205 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2206 || !TEST_int_eq(0, new_called)
2207 || !TEST_int_eq(sizeof(buf), nbytes)
2208 || !TEST_int_eq(c, buf[0])
2209 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2211 /* Now the *next* write should send the tickets */
2213 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2214 || !TEST_size_t_eq(1, nbytes)
2215 || !TEST_int_eq(2, new_called)
2216 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2217 || !TEST_int_eq(4, new_called)
2218 || !TEST_int_eq(sizeof(buf), nbytes)
2219 || !TEST_int_eq(c, buf[0])
2220 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2223 SSL_shutdown(clientssl);
2224 SSL_shutdown(serverssl);
2230 SSL_free(serverssl);
2231 SSL_free(clientssl);
2234 clientssl = serverssl = NULL;
2243 #define USE_DEFAULT 3
2245 #define CONNTYPE_CONNECTION_SUCCESS 0
2246 #define CONNTYPE_CONNECTION_FAIL 1
2247 #define CONNTYPE_NO_CONNECTION 2
2249 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2250 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2251 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2252 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2254 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2257 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2258 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2259 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2261 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2278 * Tests calls to SSL_set_bio() under various conditions.
2280 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2281 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2282 * then do more tests where we create a successful connection first using our
2283 * standard connection setup functions, and then call SSL_set_bio() with
2284 * various combinations of valid BIOs or NULL. We then repeat these tests
2285 * following a failed connection. In this last case we are looking to check that
2286 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2288 static int test_ssl_set_bio(int idx)
2290 SSL_CTX *sctx = NULL, *cctx = NULL;
2293 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2294 SSL *serverssl = NULL, *clientssl = NULL;
2295 int initrbio, initwbio, newrbio, newwbio, conntype;
2298 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2306 conntype = CONNTYPE_NO_CONNECTION;
2308 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2309 initrbio = initwbio = USE_DEFAULT;
2317 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2318 TLS_client_method(), TLS1_VERSION, 0,
2319 &sctx, &cctx, cert, privkey)))
2322 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2324 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2325 * because we reduced the number of tests in the definition of
2326 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2327 * mismatched protocol versions we will force a connection failure.
2329 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2330 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2333 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2337 if (initrbio == USE_BIO_1
2338 || initwbio == USE_BIO_1
2339 || newrbio == USE_BIO_1
2340 || newwbio == USE_BIO_1) {
2341 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2345 if (initrbio == USE_BIO_2
2346 || initwbio == USE_BIO_2
2347 || newrbio == USE_BIO_2
2348 || newwbio == USE_BIO_2) {
2349 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2353 if (initrbio != USE_DEFAULT) {
2354 setupbio(&irbio, bio1, bio2, initrbio);
2355 setupbio(&iwbio, bio1, bio2, initwbio);
2356 SSL_set_bio(clientssl, irbio, iwbio);
2359 * We want to maintain our own refs to these BIO, so do an up ref for
2360 * each BIO that will have ownership transferred in the SSL_set_bio()
2365 if (iwbio != NULL && iwbio != irbio)
2369 if (conntype != CONNTYPE_NO_CONNECTION
2370 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2372 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2375 setupbio(&nrbio, bio1, bio2, newrbio);
2376 setupbio(&nwbio, bio1, bio2, newwbio);
2379 * We will (maybe) transfer ownership again so do more up refs.
2380 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2385 && (nwbio != iwbio || nrbio != nwbio))
2389 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2392 SSL_set_bio(clientssl, nrbio, nwbio);
2401 * This test is checking that the ref counting for SSL_set_bio is correct.
2402 * If we get here and we did too many frees then we will fail in the above
2405 SSL_free(serverssl);
2406 SSL_free(clientssl);
2412 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2414 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2416 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2421 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2422 || !TEST_ptr(ssl = SSL_new(ctx))
2423 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2424 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2427 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2430 * If anything goes wrong here then we could leak memory.
2432 BIO_push(sslbio, membio1);
2434 /* Verify changing the rbio/wbio directly does not cause leaks */
2435 if (change_bio != NO_BIO_CHANGE) {
2436 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2438 if (change_bio == CHANGE_RBIO)
2439 SSL_set0_rbio(ssl, membio2);
2441 SSL_set0_wbio(ssl, membio2);
2460 static int test_ssl_bio_pop_next_bio(void)
2462 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2465 static int test_ssl_bio_pop_ssl_bio(void)
2467 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2470 static int test_ssl_bio_change_rbio(void)
2472 return execute_test_ssl_bio(0, CHANGE_RBIO);
2475 static int test_ssl_bio_change_wbio(void)
2477 return execute_test_ssl_bio(0, CHANGE_WBIO);
2480 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2482 /* The list of sig algs */
2484 /* The length of the list */
2486 /* A sigalgs list in string format */
2487 const char *liststr;
2488 /* Whether setting the list should succeed */
2490 /* Whether creating a connection with the list should succeed */
2494 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2495 # ifndef OPENSSL_NO_EC
2496 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2497 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2499 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2500 static const int invalidlist2[] = {NID_sha256, NID_undef};
2501 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2502 static const int invalidlist4[] = {NID_sha256};
2503 static const sigalgs_list testsigalgs[] = {
2504 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2505 # ifndef OPENSSL_NO_EC
2506 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2507 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2509 {NULL, 0, "RSA+SHA256", 1, 1},
2510 # ifndef OPENSSL_NO_EC
2511 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2512 {NULL, 0, "ECDSA+SHA512", 1, 0},
2514 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2515 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2516 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2517 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2518 {NULL, 0, "RSA", 0, 0},
2519 {NULL, 0, "SHA256", 0, 0},
2520 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2521 {NULL, 0, "Invalid", 0, 0}
2524 static int test_set_sigalgs(int idx)
2526 SSL_CTX *cctx = NULL, *sctx = NULL;
2527 SSL *clientssl = NULL, *serverssl = NULL;
2529 const sigalgs_list *curr;
2532 /* Should never happen */
2533 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2536 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2537 curr = testctx ? &testsigalgs[idx]
2538 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2540 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2541 TLS_client_method(), TLS1_VERSION, 0,
2542 &sctx, &cctx, cert, privkey)))
2546 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2547 * for TLSv1.2 for now until we add a new API.
2549 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2554 if (curr->list != NULL)
2555 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2557 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2561 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2567 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2572 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2573 &clientssl, NULL, NULL)))
2579 if (curr->list != NULL)
2580 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2582 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2585 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2594 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2602 SSL_free(serverssl);
2603 SSL_free(clientssl);
2611 #ifndef OPENSSL_NO_TLS1_3
2612 static int psk_client_cb_cnt = 0;
2613 static int psk_server_cb_cnt = 0;
2615 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2616 size_t *idlen, SSL_SESSION **sess)
2618 switch (++use_session_cb_cnt) {
2620 /* The first call should always have a NULL md */
2626 /* The second call should always have an md */
2632 /* We should only be called a maximum of twice */
2636 if (clientpsk != NULL)
2637 SSL_SESSION_up_ref(clientpsk);
2640 *id = (const unsigned char *)pskid;
2641 *idlen = strlen(pskid);
2646 #ifndef OPENSSL_NO_PSK
2647 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2648 unsigned int max_id_len,
2650 unsigned int max_psk_len)
2652 unsigned int psklen = 0;
2654 psk_client_cb_cnt++;
2656 if (strlen(pskid) + 1 > max_id_len)
2659 /* We should only ever be called a maximum of twice per connection */
2660 if (psk_client_cb_cnt > 2)
2663 if (clientpsk == NULL)
2666 /* We'll reuse the PSK we set up for TLSv1.3 */
2667 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2669 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2670 strncpy(id, pskid, max_id_len);
2674 #endif /* OPENSSL_NO_PSK */
2676 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2677 size_t identity_len, SSL_SESSION **sess)
2679 find_session_cb_cnt++;
2681 /* We should only ever be called a maximum of twice per connection */
2682 if (find_session_cb_cnt > 2)
2685 if (serverpsk == NULL)
2688 /* Identity should match that set by the client */
2689 if (strlen(srvid) != identity_len
2690 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2691 /* No PSK found, continue but without a PSK */
2696 SSL_SESSION_up_ref(serverpsk);
2702 #ifndef OPENSSL_NO_PSK
2703 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2704 unsigned char *psk, unsigned int max_psk_len)
2706 unsigned int psklen = 0;
2708 psk_server_cb_cnt++;
2710 /* We should only ever be called a maximum of twice per connection */
2711 if (find_session_cb_cnt > 2)
2714 if (serverpsk == NULL)
2717 /* Identity should match that set by the client */
2718 if (strcmp(srvid, identity) != 0) {
2722 /* We'll reuse the PSK we set up for TLSv1.3 */
2723 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2725 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2729 #endif /* OPENSSL_NO_PSK */
2731 #define MSG1 "Hello"
2732 #define MSG2 "World."
2737 #define MSG7 "message."
2739 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2740 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2743 static SSL_SESSION *create_a_psk(SSL *ssl)
2745 const SSL_CIPHER *cipher = NULL;
2746 const unsigned char key[] = {
2747 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2748 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2749 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2750 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2751 0x2c, 0x2d, 0x2e, 0x2f
2753 SSL_SESSION *sess = NULL;
2755 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2756 sess = SSL_SESSION_new();
2758 || !TEST_ptr(cipher)
2759 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2761 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2763 SSL_SESSION_set_protocol_version(sess,
2765 SSL_SESSION_free(sess);
2772 * Helper method to setup objects for early data test. Caller frees objects on
2775 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2776 SSL **serverssl, SSL_SESSION **sess, int idx)
2779 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2780 TLS_client_method(),
2782 sctx, cctx, cert, privkey)))
2785 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2789 /* When idx == 1 we repeat the tests with read_ahead set */
2790 SSL_CTX_set_read_ahead(*cctx, 1);
2791 SSL_CTX_set_read_ahead(*sctx, 1);
2792 } else if (idx == 2) {
2793 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2794 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2795 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2796 use_session_cb_cnt = 0;
2797 find_session_cb_cnt = 0;
2801 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2806 * For one of the run throughs (doesn't matter which one), we'll try sending
2807 * some SNI data in the initial ClientHello. This will be ignored (because
2808 * there is no SNI cb set up by the server), so it should not impact
2812 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2816 clientpsk = create_a_psk(*clientssl);
2817 if (!TEST_ptr(clientpsk)
2819 * We just choose an arbitrary value for max_early_data which
2820 * should be big enough for testing purposes.
2822 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2824 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2825 SSL_SESSION_free(clientpsk);
2829 serverpsk = clientpsk;
2832 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2833 SSL_SESSION_free(clientpsk);
2834 SSL_SESSION_free(serverpsk);
2835 clientpsk = serverpsk = NULL;
2846 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2850 *sess = SSL_get1_session(*clientssl);
2851 SSL_shutdown(*clientssl);
2852 SSL_shutdown(*serverssl);
2853 SSL_free(*serverssl);
2854 SSL_free(*clientssl);
2855 *serverssl = *clientssl = NULL;
2857 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2858 clientssl, NULL, NULL))
2859 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2865 static int test_early_data_read_write(int idx)
2867 SSL_CTX *cctx = NULL, *sctx = NULL;
2868 SSL *clientssl = NULL, *serverssl = NULL;
2870 SSL_SESSION *sess = NULL;
2871 unsigned char buf[20], data[1024];
2872 size_t readbytes, written, eoedlen, rawread, rawwritten;
2875 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2876 &serverssl, &sess, idx)))
2879 /* Write and read some early data */
2880 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2882 || !TEST_size_t_eq(written, strlen(MSG1))
2883 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2884 sizeof(buf), &readbytes),
2885 SSL_READ_EARLY_DATA_SUCCESS)
2886 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2887 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2888 SSL_EARLY_DATA_ACCEPTED))
2892 * Server should be able to write data, and client should be able to
2895 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2897 || !TEST_size_t_eq(written, strlen(MSG2))
2898 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2899 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2902 /* Even after reading normal data, client should be able write early data */
2903 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2905 || !TEST_size_t_eq(written, strlen(MSG3)))
2908 /* Server should still be able read early data after writing data */
2909 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2911 SSL_READ_EARLY_DATA_SUCCESS)
2912 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2915 /* Write more data from server and read it from client */
2916 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2918 || !TEST_size_t_eq(written, strlen(MSG4))
2919 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2920 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2924 * If client writes normal data it should mean writing early data is no
2927 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2928 || !TEST_size_t_eq(written, strlen(MSG5))
2929 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2930 SSL_EARLY_DATA_ACCEPTED))
2934 * At this point the client has written EndOfEarlyData, ClientFinished and
2935 * normal (fully protected) data. We are going to cause a delay between the
2936 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2937 * in the read BIO, and then just put back the EndOfEarlyData message.
2939 rbio = SSL_get_rbio(serverssl);
2940 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2941 || !TEST_size_t_lt(rawread, sizeof(data))
2942 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2945 /* Record length is in the 4th and 5th bytes of the record header */
2946 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2947 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2948 || !TEST_size_t_eq(rawwritten, eoedlen))
2951 /* Server should be told that there is no more early data */
2952 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2954 SSL_READ_EARLY_DATA_FINISH)
2955 || !TEST_size_t_eq(readbytes, 0))
2959 * Server has not finished init yet, so should still be able to write early
2962 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2964 || !TEST_size_t_eq(written, strlen(MSG6)))
2967 /* Push the ClientFinished and the normal data back into the server rbio */
2968 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2970 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2973 /* Server should be able to read normal data */
2974 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2975 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2978 /* Client and server should not be able to write/read early data now */
2979 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2983 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2985 SSL_READ_EARLY_DATA_ERROR))
2989 /* Client should be able to read the data sent by the server */
2990 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2991 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2995 * Make sure we process the two NewSessionTickets. These arrive
2996 * post-handshake. We attempt reads which we do not expect to return any
2999 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3000 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3004 /* Server should be able to write normal data */
3005 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3006 || !TEST_size_t_eq(written, strlen(MSG7))
3007 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3008 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3011 SSL_SESSION_free(sess);
3012 sess = SSL_get1_session(clientssl);
3013 use_session_cb_cnt = 0;
3014 find_session_cb_cnt = 0;
3016 SSL_shutdown(clientssl);
3017 SSL_shutdown(serverssl);
3018 SSL_free(serverssl);
3019 SSL_free(clientssl);
3020 serverssl = clientssl = NULL;
3021 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3022 &clientssl, NULL, NULL))
3023 || !TEST_true(SSL_set_session(clientssl, sess)))
3026 /* Write and read some early data */
3027 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3029 || !TEST_size_t_eq(written, strlen(MSG1))
3030 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3032 SSL_READ_EARLY_DATA_SUCCESS)
3033 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3036 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3037 || !TEST_int_gt(SSL_accept(serverssl), 0))
3040 /* Client and server should not be able to write/read early data now */
3041 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3045 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3047 SSL_READ_EARLY_DATA_ERROR))
3051 /* Client and server should be able to write/read normal data */
3052 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3053 || !TEST_size_t_eq(written, strlen(MSG5))
3054 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3055 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3061 SSL_SESSION_free(sess);
3062 SSL_SESSION_free(clientpsk);
3063 SSL_SESSION_free(serverpsk);
3064 clientpsk = serverpsk = NULL;
3065 SSL_free(serverssl);
3066 SSL_free(clientssl);
3072 static int allow_ed_cb_called = 0;
3074 static int allow_early_data_cb(SSL *s, void *arg)
3076 int *usecb = (int *)arg;
3078 allow_ed_cb_called++;
3087 * idx == 0: Standard early_data setup
3088 * idx == 1: early_data setup using read_ahead
3089 * usecb == 0: Don't use a custom early data callback
3090 * usecb == 1: Use a custom early data callback and reject the early data
3091 * usecb == 2: Use a custom early data callback and accept the early data
3092 * confopt == 0: Configure anti-replay directly
3093 * confopt == 1: Configure anti-replay using SSL_CONF
3095 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3097 SSL_CTX *cctx = NULL, *sctx = NULL;
3098 SSL *clientssl = NULL, *serverssl = NULL;
3100 SSL_SESSION *sess = NULL;
3101 size_t readbytes, written;
3102 unsigned char buf[20];
3104 allow_ed_cb_called = 0;
3106 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3107 TLS_client_method(), TLS1_VERSION, 0,
3108 &sctx, &cctx, cert, privkey)))
3113 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3115 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3117 if (!TEST_ptr(confctx))
3119 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3120 | SSL_CONF_FLAG_SERVER);
3121 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3122 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3124 SSL_CONF_CTX_free(confctx);
3127 SSL_CONF_CTX_free(confctx);
3129 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3132 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3133 &serverssl, &sess, idx)))
3137 * The server is configured to accept early data. Create a connection to
3138 * "use up" the ticket
3140 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3141 || !TEST_true(SSL_session_reused(clientssl)))
3144 SSL_shutdown(clientssl);
3145 SSL_shutdown(serverssl);
3146 SSL_free(serverssl);
3147 SSL_free(clientssl);
3148 serverssl = clientssl = NULL;
3150 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3151 &clientssl, NULL, NULL))
3152 || !TEST_true(SSL_set_session(clientssl, sess)))
3155 /* Write and read some early data */
3156 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3158 || !TEST_size_t_eq(written, strlen(MSG1)))
3162 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3164 SSL_READ_EARLY_DATA_FINISH)
3166 * The ticket was reused, so the we should have rejected the
3169 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3170 SSL_EARLY_DATA_REJECTED))
3173 /* In this case the callback decides to accept the early data */
3174 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3176 SSL_READ_EARLY_DATA_SUCCESS)
3177 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3179 * Server will have sent its flight so client can now send
3180 * end of early data and complete its half of the handshake
3182 || !TEST_int_gt(SSL_connect(clientssl), 0)
3183 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3185 SSL_READ_EARLY_DATA_FINISH)
3186 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3187 SSL_EARLY_DATA_ACCEPTED))
3191 /* Complete the connection */
3192 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3193 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3194 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3200 SSL_SESSION_free(sess);
3201 SSL_SESSION_free(clientpsk);
3202 SSL_SESSION_free(serverpsk);
3203 clientpsk = serverpsk = NULL;
3204 SSL_free(serverssl);
3205 SSL_free(clientssl);
3211 static int test_early_data_replay(int idx)
3213 int ret = 1, usecb, confopt;
3215 for (usecb = 0; usecb < 3; usecb++) {
3216 for (confopt = 0; confopt < 2; confopt++)
3217 ret &= test_early_data_replay_int(idx, usecb, confopt);
3224 * Helper function to test that a server attempting to read early data can
3225 * handle a connection from a client where the early data should be skipped.
3226 * testtype: 0 == No HRR
3227 * testtype: 1 == HRR
3228 * testtype: 2 == HRR, invalid early_data sent after HRR
3229 * testtype: 3 == recv_max_early_data set to 0
3231 static int early_data_skip_helper(int testtype, int idx)
3233 SSL_CTX *cctx = NULL, *sctx = NULL;
3234 SSL *clientssl = NULL, *serverssl = NULL;
3236 SSL_SESSION *sess = NULL;
3237 unsigned char buf[20];
3238 size_t readbytes, written;
3240 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3241 &serverssl, &sess, idx)))
3244 if (testtype == 1 || testtype == 2) {
3245 /* Force an HRR to occur */
3246 #if defined(OPENSSL_NO_EC)
3247 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3250 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3253 } else if (idx == 2) {
3255 * We force early_data rejection by ensuring the PSK identity is
3258 srvid = "Dummy Identity";
3261 * Deliberately corrupt the creation time. We take 20 seconds off the
3262 * time. It could be any value as long as it is not within tolerance.
3263 * This should mean the ticket is rejected.
3265 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3270 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3273 /* Write some early data */
3274 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3276 || !TEST_size_t_eq(written, strlen(MSG1)))
3279 /* Server should reject the early data */
3280 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3282 SSL_READ_EARLY_DATA_FINISH)
3283 || !TEST_size_t_eq(readbytes, 0)
3284 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3285 SSL_EARLY_DATA_REJECTED))
3295 * Finish off the handshake. We perform the same writes and reads as
3296 * further down but we expect them to fail due to the incomplete
3299 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3300 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3307 BIO *wbio = SSL_get_wbio(clientssl);
3308 /* A record that will appear as bad early_data */
3309 const unsigned char bad_early_data[] = {
3310 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3314 * We force the client to attempt a write. This will fail because
3315 * we're still in the handshake. It will cause the second
3316 * ClientHello to be sent.
3318 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3323 * Inject some early_data after the second ClientHello. This should
3324 * cause the server to fail
3326 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3327 sizeof(bad_early_data), &written)))
3334 * This client has sent more early_data than we are willing to skip
3335 * (case 3) or sent invalid early_data (case 2) so the connection should
3338 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3339 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3342 /* Connection has failed - nothing more to do */
3347 TEST_error("Invalid test type");
3352 * Should be able to send normal data despite rejection of early data. The
3353 * early_data should be skipped.
3355 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3356 || !TEST_size_t_eq(written, strlen(MSG2))
3357 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3358 SSL_EARLY_DATA_REJECTED)
3359 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3360 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3366 SSL_SESSION_free(clientpsk);
3367 SSL_SESSION_free(serverpsk);
3368 clientpsk = serverpsk = NULL;
3369 SSL_SESSION_free(sess);
3370 SSL_free(serverssl);
3371 SSL_free(clientssl);
3378 * Test that a server attempting to read early data can handle a connection
3379 * from a client where the early data is not acceptable.
3381 static int test_early_data_skip(int idx)
3383 return early_data_skip_helper(0, idx);
3387 * Test that a server attempting to read early data can handle a connection
3388 * from a client where an HRR occurs.
3390 static int test_early_data_skip_hrr(int idx)
3392 return early_data_skip_helper(1, idx);
3396 * Test that a server attempting to read early data can handle a connection
3397 * from a client where an HRR occurs and correctly fails if early_data is sent
3400 static int test_early_data_skip_hrr_fail(int idx)
3402 return early_data_skip_helper(2, idx);
3406 * Test that a server attempting to read early data will abort if it tries to
3407 * skip over too much.
3409 static int test_early_data_skip_abort(int idx)
3411 return early_data_skip_helper(3, idx);
3415 * Test that a server attempting to read early data can handle a connection
3416 * from a client that doesn't send any.
3418 static int test_early_data_not_sent(int idx)
3420 SSL_CTX *cctx = NULL, *sctx = NULL;
3421 SSL *clientssl = NULL, *serverssl = NULL;
3423 SSL_SESSION *sess = NULL;
3424 unsigned char buf[20];
3425 size_t readbytes, written;
3427 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3428 &serverssl, &sess, idx)))
3431 /* Write some data - should block due to handshake with server */
3432 SSL_set_connect_state(clientssl);
3433 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3436 /* Server should detect that early data has not been sent */
3437 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3439 SSL_READ_EARLY_DATA_FINISH)
3440 || !TEST_size_t_eq(readbytes, 0)
3441 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3442 SSL_EARLY_DATA_NOT_SENT)
3443 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3444 SSL_EARLY_DATA_NOT_SENT))
3447 /* Continue writing the message we started earlier */
3448 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3449 || !TEST_size_t_eq(written, strlen(MSG1))
3450 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3451 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3452 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3453 || !TEST_size_t_eq(written, strlen(MSG2)))
3456 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3457 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3463 SSL_SESSION_free(sess);
3464 SSL_SESSION_free(clientpsk);
3465 SSL_SESSION_free(serverpsk);
3466 clientpsk = serverpsk = NULL;
3467 SSL_free(serverssl);
3468 SSL_free(clientssl);
3474 static const char *servalpn;
3476 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3477 unsigned char *outlen, const unsigned char *in,
3478 unsigned int inlen, void *arg)
3480 unsigned int protlen = 0;
3481 const unsigned char *prot;
3483 for (prot = in; prot < in + inlen; prot += protlen) {
3485 if (in + inlen < prot + protlen)
3486 return SSL_TLSEXT_ERR_NOACK;
3488 if (protlen == strlen(servalpn)
3489 && memcmp(prot, servalpn, protlen) == 0) {
3492 return SSL_TLSEXT_ERR_OK;
3496 return SSL_TLSEXT_ERR_NOACK;
3499 /* Test that a PSK can be used to send early_data */
3500 static int test_early_data_psk(int idx)
3502 SSL_CTX *cctx = NULL, *sctx = NULL;
3503 SSL *clientssl = NULL, *serverssl = NULL;
3505 SSL_SESSION *sess = NULL;
3506 unsigned char alpnlist[] = {
3507 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3510 #define GOODALPNLEN 9
3511 #define BADALPNLEN 8
3512 #define GOODALPN (alpnlist)
3513 #define BADALPN (alpnlist + GOODALPNLEN)
3515 unsigned char buf[20];
3516 size_t readbytes, written;
3517 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3518 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3520 /* We always set this up with a final parameter of "2" for PSK */
3521 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3522 &serverssl, &sess, 2)))
3525 servalpn = "goodalpn";
3528 * Note: There is no test for inconsistent SNI with late client detection.
3529 * This is because servers do not acknowledge SNI even if they are using
3530 * it in a resumption handshake - so it is not actually possible for a
3531 * client to detect a problem.
3535 /* Set inconsistent SNI (early client detection) */
3536 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3537 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3538 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3543 /* Set inconsistent ALPN (early client detection) */
3544 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3545 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3546 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3548 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3555 * Set invalid protocol version. Technically this affects PSKs without
3556 * early_data too, but we test it here because it is similar to the
3557 * SNI/ALPN consistency tests.
3559 err = SSL_R_BAD_PSK;
3560 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3566 * Set inconsistent SNI (server side). In this case the connection
3567 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3568 * is associated with each handshake - not the session. Therefore it
3569 * should not matter that we used a different server name last time.
3571 SSL_SESSION_free(serverpsk);
3572 serverpsk = SSL_SESSION_dup(clientpsk);
3573 if (!TEST_ptr(serverpsk)
3574 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3578 /* Set consistent SNI */
3579 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3580 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3581 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3588 * Set inconsistent ALPN (server detected). In this case the connection
3589 * will succeed but reject early_data.
3591 servalpn = "badalpn";
3592 edstatus = SSL_EARLY_DATA_REJECTED;
3593 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3597 * Set consistent ALPN.
3598 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3599 * accepts a list of protos (each one length prefixed).
3600 * SSL_set1_alpn_selected accepts a single protocol (not length
3603 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3605 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3609 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3613 /* Set inconsistent ALPN (late client detection) */
3614 SSL_SESSION_free(serverpsk);
3615 serverpsk = SSL_SESSION_dup(clientpsk);
3616 if (!TEST_ptr(serverpsk)
3617 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3620 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3623 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3626 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3627 edstatus = SSL_EARLY_DATA_ACCEPTED;
3628 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3629 /* SSL_connect() call should fail */
3634 TEST_error("Bad test index");
3638 SSL_set_connect_state(clientssl);
3640 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3642 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3643 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3646 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3650 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3651 &readbytes), readearlyres)
3652 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3653 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3654 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3655 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3662 SSL_SESSION_free(sess);
3663 SSL_SESSION_free(clientpsk);
3664 SSL_SESSION_free(serverpsk);
3665 clientpsk = serverpsk = NULL;
3666 SSL_free(serverssl);
3667 SSL_free(clientssl);
3674 * Test that a server that doesn't try to read early data can handle a
3675 * client sending some.
3677 static int test_early_data_not_expected(int idx)
3679 SSL_CTX *cctx = NULL, *sctx = NULL;
3680 SSL *clientssl = NULL, *serverssl = NULL;
3682 SSL_SESSION *sess = NULL;
3683 unsigned char buf[20];
3684 size_t readbytes, written;
3686 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3687 &serverssl, &sess, idx)))
3690 /* Write some early data */
3691 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3696 * Server should skip over early data and then block waiting for client to
3697 * continue handshake
3699 if (!TEST_int_le(SSL_accept(serverssl), 0)
3700 || !TEST_int_gt(SSL_connect(clientssl), 0)
3701 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3702 SSL_EARLY_DATA_REJECTED)
3703 || !TEST_int_gt(SSL_accept(serverssl), 0)
3704 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3705 SSL_EARLY_DATA_REJECTED))
3708 /* Send some normal data from client to server */
3709 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3710 || !TEST_size_t_eq(written, strlen(MSG2)))
3713 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3714 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3720 SSL_SESSION_free(sess);
3721 SSL_SESSION_free(clientpsk);
3722 SSL_SESSION_free(serverpsk);
3723 clientpsk = serverpsk = NULL;
3724 SSL_free(serverssl);
3725 SSL_free(clientssl);
3732 # ifndef OPENSSL_NO_TLS1_2
3734 * Test that a server attempting to read early data can handle a connection
3735 * from a TLSv1.2 client.
3737 static int test_early_data_tls1_2(int idx)
3739 SSL_CTX *cctx = NULL, *sctx = NULL;
3740 SSL *clientssl = NULL, *serverssl = NULL;
3742 unsigned char buf[20];
3743 size_t readbytes, written;
3745 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3746 &serverssl, NULL, idx)))
3749 /* Write some data - should block due to handshake with server */
3750 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3751 SSL_set_connect_state(clientssl);
3752 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3756 * Server should do TLSv1.2 handshake. First it will block waiting for more
3757 * messages from client after ServerDone. Then SSL_read_early_data should
3758 * finish and detect that early data has not been sent
3760 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3762 SSL_READ_EARLY_DATA_ERROR))
3766 * Continue writing the message we started earlier. Will still block waiting
3767 * for the CCS/Finished from server
3769 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3770 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3772 SSL_READ_EARLY_DATA_FINISH)
3773 || !TEST_size_t_eq(readbytes, 0)
3774 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3775 SSL_EARLY_DATA_NOT_SENT))
3778 /* Continue writing the message we started earlier */
3779 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3780 || !TEST_size_t_eq(written, strlen(MSG1))
3781 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3782 SSL_EARLY_DATA_NOT_SENT)
3783 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3784 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3785 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3786 || !TEST_size_t_eq(written, strlen(MSG2))
3787 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3788 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3794 SSL_SESSION_free(clientpsk);
3795 SSL_SESSION_free(serverpsk);
3796 clientpsk = serverpsk = NULL;
3797 SSL_free(serverssl);
3798 SSL_free(clientssl);
3804 # endif /* OPENSSL_NO_TLS1_2 */
3807 * Test configuring the TLSv1.3 ciphersuites
3809 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3810 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3811 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3812 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3813 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3814 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3815 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3816 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3817 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3818 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3820 static int test_set_ciphersuite(int idx)
3822 SSL_CTX *cctx = NULL, *sctx = NULL;
3823 SSL *clientssl = NULL, *serverssl = NULL;
3826 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3827 TLS_client_method(), TLS1_VERSION, 0,
3828 &sctx, &cctx, cert, privkey))
3829 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3830 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3833 if (idx >=4 && idx <= 7) {
3834 /* SSL_CTX explicit cipher list */
3835 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3839 if (idx == 0 || idx == 4) {
3840 /* Default ciphersuite */
3841 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3842 "TLS_AES_128_GCM_SHA256")))
3844 } else if (idx == 1 || idx == 5) {
3845 /* Non default ciphersuite */
3846 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3847 "TLS_AES_128_CCM_SHA256")))
3851 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3852 &clientssl, NULL, NULL)))
3855 if (idx == 8 || idx == 9) {
3856 /* SSL explicit cipher list */
3857 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3861 if (idx == 2 || idx == 6 || idx == 8) {
3862 /* Default ciphersuite */
3863 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3864 "TLS_AES_128_GCM_SHA256")))
3866 } else if (idx == 3 || idx == 7 || idx == 9) {
3867 /* Non default ciphersuite */
3868 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3869 "TLS_AES_128_CCM_SHA256")))
3873 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3879 SSL_free(serverssl);
3880 SSL_free(clientssl);
3887 static int test_ciphersuite_change(void)
3889 SSL_CTX *cctx = NULL, *sctx = NULL;
3890 SSL *clientssl = NULL, *serverssl = NULL;
3891 SSL_SESSION *clntsess = NULL;
3893 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3895 /* Create a session based on SHA-256 */
3896 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3897 TLS_client_method(), TLS1_VERSION, 0,
3898 &sctx, &cctx, cert, privkey))
3899 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3900 "TLS_AES_128_GCM_SHA256:"
3901 "TLS_AES_256_GCM_SHA384:"
3902 "TLS_AES_128_CCM_SHA256"))
3903 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3904 "TLS_AES_128_GCM_SHA256"))
3905 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3906 &clientssl, NULL, NULL))
3907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3911 clntsess = SSL_get1_session(clientssl);
3912 /* Save for later */
3913 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3914 SSL_shutdown(clientssl);
3915 SSL_shutdown(serverssl);
3916 SSL_free(serverssl);
3917 SSL_free(clientssl);
3918 serverssl = clientssl = NULL;
3920 /* Check we can resume a session with a different SHA-256 ciphersuite */
3921 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3922 "TLS_AES_128_CCM_SHA256"))
3923 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3924 &clientssl, NULL, NULL))
3925 || !TEST_true(SSL_set_session(clientssl, clntsess))
3926 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3928 || !TEST_true(SSL_session_reused(clientssl)))
3931 SSL_SESSION_free(clntsess);
3932 clntsess = SSL_get1_session(clientssl);
3933 SSL_shutdown(clientssl);
3934 SSL_shutdown(serverssl);
3935 SSL_free(serverssl);
3936 SSL_free(clientssl);
3937 serverssl = clientssl = NULL;
3940 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3941 * succeeds but does not resume.
3943 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3944 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3946 || !TEST_true(SSL_set_session(clientssl, clntsess))
3947 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3949 || !TEST_false(SSL_session_reused(clientssl)))
3952 SSL_SESSION_free(clntsess);
3954 SSL_shutdown(clientssl);
3955 SSL_shutdown(serverssl);
3956 SSL_free(serverssl);
3957 SSL_free(clientssl);
3958 serverssl = clientssl = NULL;
3960 /* Create a session based on SHA384 */
3961 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3962 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3963 &clientssl, NULL, NULL))
3964 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3968 clntsess = SSL_get1_session(clientssl);
3969 SSL_shutdown(clientssl);
3970 SSL_shutdown(serverssl);
3971 SSL_free(serverssl);
3972 SSL_free(clientssl);
3973 serverssl = clientssl = NULL;
3975 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3976 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3977 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3978 "TLS_AES_256_GCM_SHA384"))
3979 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3981 || !TEST_true(SSL_set_session(clientssl, clntsess))
3983 * We use SSL_ERROR_WANT_READ below so that we can pause the
3984 * connection after the initial ClientHello has been sent to
3985 * enable us to make some session changes.
3987 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3988 SSL_ERROR_WANT_READ)))
3991 /* Trick the client into thinking this session is for a different digest */
3992 clntsess->cipher = aes_128_gcm_sha256;
3993 clntsess->cipher_id = clntsess->cipher->id;
3996 * Continue the previously started connection. Server has selected a SHA-384
3997 * ciphersuite, but client thinks the session is for SHA-256, so it should
4000 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4002 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4003 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4009 SSL_SESSION_free(clntsess);
4010 SSL_free(serverssl);
4011 SSL_free(clientssl);
4019 * Test TLSv1.3 Key exchange
4020 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4021 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4022 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4023 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4024 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4025 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4026 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4027 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4028 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4029 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4030 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4031 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4032 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4033 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4035 static int test_key_exchange(int idx)
4037 SSL_CTX *sctx = NULL, *cctx = NULL;
4038 SSL *serverssl = NULL, *clientssl = NULL;
4040 # ifndef OPENSSL_NO_EC
4041 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4042 NID_secp521r1, NID_X25519, NID_X448};
4044 # ifndef OPENSSL_NO_DH
4045 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4046 NID_ffdhe6144, NID_ffdhe8192};
4049 int *kexch_groups = &kexch_alg;
4050 int kexch_groups_size = 1;
4051 int max_version = TLS1_3_VERSION;
4054 # ifndef OPENSSL_NO_EC
4055 # ifndef OPENSSL_NO_TLS1_2
4057 max_version = TLS1_2_VERSION;
4061 kexch_groups = ecdhe_kexch_groups;
4062 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4065 kexch_alg = NID_X9_62_prime256v1;
4068 kexch_alg = NID_secp384r1;
4071 kexch_alg = NID_secp521r1;
4074 kexch_alg = NID_X25519;
4077 kexch_alg = NID_X448;
4080 # ifndef OPENSSL_NO_DH
4081 # ifndef OPENSSL_NO_TLS1_2
4083 max_version = TLS1_2_VERSION;
4087 kexch_groups = ffdhe_kexch_groups;
4088 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4091 kexch_alg = NID_ffdhe2048;
4094 kexch_alg = NID_ffdhe3072;
4097 kexch_alg = NID_ffdhe4096;
4100 kexch_alg = NID_ffdhe6144;
4103 kexch_alg = NID_ffdhe8192;
4107 /* We're skipping this test */
4111 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4112 TLS_client_method(), TLS1_VERSION,
4113 max_version, &sctx, &cctx, cert,
4117 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4118 TLS1_3_RFC_AES_128_GCM_SHA256)))
4121 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4122 TLS1_3_RFC_AES_128_GCM_SHA256)))
4125 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4126 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4130 * Must include an EC ciphersuite so that we send supported groups in
4133 # ifndef OPENSSL_NO_TLS1_2
4134 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4135 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4136 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4140 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4144 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4145 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4148 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4152 * If Handshake succeeds the negotiated kexch alg should be the first one in
4153 * configured, except in the case of FFDHE groups (idx 13), which are
4154 * TLSv1.3 only so we expect no shared group to exist.
4156 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4157 idx == 13 ? 0 : kexch_groups[0]))
4159 if (max_version == TLS1_3_VERSION) {
4160 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4162 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4168 SSL_free(serverssl);
4169 SSL_free(clientssl);
4176 * Test TLSv1.3 Cipher Suite
4177 * Test 0 = Set TLS1.3 cipher on context
4178 * Test 1 = Set TLS1.3 cipher on SSL
4179 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4180 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4182 static int test_tls13_ciphersuite(int idx)
4184 SSL_CTX *sctx = NULL, *cctx = NULL;
4185 SSL *serverssl = NULL, *clientssl = NULL;
4186 static const struct {
4187 const char *ciphername;
4190 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4191 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4192 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4193 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4194 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4195 { TLS1_3_RFC_AES_256_GCM_SHA384
4196 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4198 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4200 const char *t13_cipher = NULL;
4201 const char *t12_cipher = NULL;
4202 const char *negotiated_scipher;
4203 const char *negotiated_ccipher;
4219 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4223 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4227 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4228 # ifdef OPENSSL_NO_TLS1_2
4229 if (max_ver == TLS1_2_VERSION)
4232 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4233 if (is_fips && !t13_ciphers[i].fipscapable)
4235 t13_cipher = t13_ciphers[i].ciphername;
4236 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4237 TLS_client_method(),
4238 TLS1_VERSION, max_ver,
4239 &sctx, &cctx, cert, privkey)))
4243 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4244 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4246 if (t12_cipher != NULL) {
4247 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4248 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4254 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4255 &clientssl, NULL, NULL)))
4259 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4260 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4262 if (t12_cipher != NULL) {
4263 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4264 || !TEST_true(SSL_set_cipher_list(clientssl,
4270 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4274 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4276 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4278 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4282 * TEST_strn_eq is used below because t13_cipher can contain
4283 * multiple ciphersuites
4285 if (max_ver == TLS1_3_VERSION
4286 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4287 strlen(negotiated_scipher)))
4290 # ifndef OPENSSL_NO_TLS1_2
4291 /* Below validation is not done when t12_cipher is NULL */
4292 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4293 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4297 SSL_free(serverssl);
4299 SSL_free(clientssl);
4310 SSL_free(serverssl);
4311 SSL_free(clientssl);
4319 * Test 0 = Test new style callbacks
4320 * Test 1 = Test both new and old style callbacks
4321 * Test 2 = Test old style callbacks
4322 * Test 3 = Test old style callbacks with no certificate
4324 static int test_tls13_psk(int idx)
4326 SSL_CTX *sctx = NULL, *cctx = NULL;
4327 SSL *serverssl = NULL, *clientssl = NULL;
4328 const SSL_CIPHER *cipher = NULL;
4329 const unsigned char key[] = {
4330 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4331 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4332 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4333 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4337 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4338 TLS_client_method(), TLS1_VERSION, 0,
4339 &sctx, &cctx, idx == 3 ? NULL : cert,
4340 idx == 3 ? NULL : privkey)))
4345 * We use a ciphersuite with SHA256 to ease testing old style PSK
4346 * callbacks which will always default to SHA256. This should not be
4347 * necessary if we have no cert/priv key. In that case the server should
4348 * prefer SHA256 automatically.
4350 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4351 "TLS_AES_128_GCM_SHA256")))
4355 * As noted above the server should prefer SHA256 automatically. However
4356 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4357 * code works even if we are testing with only the FIPS provider loaded.
4359 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4360 "TLS_AES_256_GCM_SHA384:"
4361 "TLS_AES_128_GCM_SHA256")))
4366 * Test 0: New style callbacks only
4367 * Test 1: New and old style callbacks (only the new ones should be used)
4368 * Test 2: Old style callbacks only
4370 if (idx == 0 || idx == 1) {
4371 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4372 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4374 #ifndef OPENSSL_NO_PSK
4376 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4377 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4381 use_session_cb_cnt = 0;
4382 find_session_cb_cnt = 0;
4383 psk_client_cb_cnt = 0;
4384 psk_server_cb_cnt = 0;
4388 * Check we can create a connection if callback decides not to send a
4391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4395 || !TEST_false(SSL_session_reused(clientssl))
4396 || !TEST_false(SSL_session_reused(serverssl)))
4399 if (idx == 0 || idx == 1) {
4400 if (!TEST_true(use_session_cb_cnt == 1)
4401 || !TEST_true(find_session_cb_cnt == 0)
4403 * If no old style callback then below should be 0
4406 || !TEST_true(psk_client_cb_cnt == idx)
4407 || !TEST_true(psk_server_cb_cnt == 0))
4410 if (!TEST_true(use_session_cb_cnt == 0)
4411 || !TEST_true(find_session_cb_cnt == 0)
4412 || !TEST_true(psk_client_cb_cnt == 1)
4413 || !TEST_true(psk_server_cb_cnt == 0))
4417 shutdown_ssl_connection(serverssl, clientssl);
4418 serverssl = clientssl = NULL;
4419 use_session_cb_cnt = psk_client_cb_cnt = 0;
4422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4426 /* Create the PSK */
4427 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4428 clientpsk = SSL_SESSION_new();
4429 if (!TEST_ptr(clientpsk)
4430 || !TEST_ptr(cipher)
4431 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4433 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4434 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4436 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4438 serverpsk = clientpsk;
4440 /* Check we can create a connection and the PSK is used */
4441 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4442 || !TEST_true(SSL_session_reused(clientssl))
4443 || !TEST_true(SSL_session_reused(serverssl)))
4446 if (idx == 0 || idx == 1) {
4447 if (!TEST_true(use_session_cb_cnt == 1)
4448 || !TEST_true(find_session_cb_cnt == 1)
4449 || !TEST_true(psk_client_cb_cnt == 0)
4450 || !TEST_true(psk_server_cb_cnt == 0))
4453 if (!TEST_true(use_session_cb_cnt == 0)
4454 || !TEST_true(find_session_cb_cnt == 0)
4455 || !TEST_true(psk_client_cb_cnt == 1)
4456 || !TEST_true(psk_server_cb_cnt == 1))
4460 shutdown_ssl_connection(serverssl, clientssl);
4461 serverssl = clientssl = NULL;
4462 use_session_cb_cnt = find_session_cb_cnt = 0;
4463 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4465 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4470 #if defined(OPENSSL_NO_EC)
4471 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4474 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4479 * Check we can create a connection, the PSK is used and the callbacks are
4482 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4483 || !TEST_true(SSL_session_reused(clientssl))
4484 || !TEST_true(SSL_session_reused(serverssl)))
4487 if (idx == 0 || idx == 1) {
4488 if (!TEST_true(use_session_cb_cnt == 2)
4489 || !TEST_true(find_session_cb_cnt == 2)
4490 || !TEST_true(psk_client_cb_cnt == 0)
4491 || !TEST_true(psk_server_cb_cnt == 0))
4494 if (!TEST_true(use_session_cb_cnt == 0)
4495 || !TEST_true(find_session_cb_cnt == 0)
4496 || !TEST_true(psk_client_cb_cnt == 2)
4497 || !TEST_true(psk_server_cb_cnt == 2))
4501 shutdown_ssl_connection(serverssl, clientssl);
4502 serverssl = clientssl = NULL;
4503 use_session_cb_cnt = find_session_cb_cnt = 0;
4504 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4508 * Check that if the server rejects the PSK we can still connect, but with
4511 srvid = "Dummy Identity";
4512 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4514 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4516 || !TEST_false(SSL_session_reused(clientssl))
4517 || !TEST_false(SSL_session_reused(serverssl)))
4520 if (idx == 0 || idx == 1) {
4521 if (!TEST_true(use_session_cb_cnt == 1)
4522 || !TEST_true(find_session_cb_cnt == 1)
4523 || !TEST_true(psk_client_cb_cnt == 0)
4525 * If no old style callback then below should be 0
4528 || !TEST_true(psk_server_cb_cnt == idx))
4531 if (!TEST_true(use_session_cb_cnt == 0)
4532 || !TEST_true(find_session_cb_cnt == 0)
4533 || !TEST_true(psk_client_cb_cnt == 1)
4534 || !TEST_true(psk_server_cb_cnt == 1))
4538 shutdown_ssl_connection(serverssl, clientssl);
4539 serverssl = clientssl = NULL;
4544 SSL_SESSION_free(clientpsk);
4545 SSL_SESSION_free(serverpsk);
4546 clientpsk = serverpsk = NULL;
4547 SSL_free(serverssl);
4548 SSL_free(clientssl);
4554 static unsigned char cookie_magic_value[] = "cookie magic";
4556 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4557 unsigned int *cookie_len)
4560 * Not suitable as a real cookie generation function but good enough for
4563 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4564 *cookie_len = sizeof(cookie_magic_value) - 1;
4569 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4570 unsigned int cookie_len)
4572 if (cookie_len == sizeof(cookie_magic_value) - 1
4573 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4579 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4583 int res = generate_cookie_callback(ssl, cookie, &temp);
4588 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4591 return verify_cookie_callback(ssl, cookie, cookie_len);
4594 static int test_stateless(void)
4596 SSL_CTX *sctx = NULL, *cctx = NULL;
4597 SSL *serverssl = NULL, *clientssl = NULL;
4600 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4601 TLS_client_method(), TLS1_VERSION, 0,
4602 &sctx, &cctx, cert, privkey)))
4605 /* The arrival of CCS messages can confuse the test */
4606 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4608 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4610 /* Send the first ClientHello */
4611 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4612 SSL_ERROR_WANT_READ))
4614 * This should fail with a -1 return because we have no callbacks
4617 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4620 /* Fatal error so abandon the connection from this client */
4621 SSL_free(clientssl);
4624 /* Set up the cookie generation and verification callbacks */
4625 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4626 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4629 * Create a new connection from the client (we can reuse the server SSL
4632 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4634 /* Send the first ClientHello */
4635 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4636 SSL_ERROR_WANT_READ))
4637 /* This should fail because there is no cookie */
4638 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4641 /* Abandon the connection from this client */
4642 SSL_free(clientssl);
4646 * Now create a connection from a new client but with the same server SSL
4649 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4651 /* Send the first ClientHello */
4652 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4653 SSL_ERROR_WANT_READ))
4654 /* This should fail because there is no cookie */
4655 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4656 /* Send the second ClientHello */
4657 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4658 SSL_ERROR_WANT_READ))
4659 /* This should succeed because a cookie is now present */
4660 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4661 /* Complete the connection */
4662 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4666 shutdown_ssl_connection(serverssl, clientssl);
4667 serverssl = clientssl = NULL;
4671 SSL_free(serverssl);
4672 SSL_free(clientssl);
4678 #endif /* OPENSSL_NO_TLS1_3 */
4680 static int clntaddoldcb = 0;
4681 static int clntparseoldcb = 0;
4682 static int srvaddoldcb = 0;
4683 static int srvparseoldcb = 0;
4684 static int clntaddnewcb = 0;
4685 static int clntparsenewcb = 0;
4686 static int srvaddnewcb = 0;
4687 static int srvparsenewcb = 0;
4688 static int snicb = 0;
4690 #define TEST_EXT_TYPE1 0xff00
4692 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4693 size_t *outlen, int *al, void *add_arg)
4695 int *server = (int *)add_arg;
4696 unsigned char *data;
4698 if (SSL_is_server(s))
4703 if (*server != SSL_is_server(s)
4704 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4709 *outlen = sizeof(char);
4713 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4716 OPENSSL_free((unsigned char *)out);
4719 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4720 size_t inlen, int *al, void *parse_arg)
4722 int *server = (int *)parse_arg;
4724 if (SSL_is_server(s))
4729 if (*server != SSL_is_server(s)
4730 || inlen != sizeof(char)
4737 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4738 const unsigned char **out, size_t *outlen, X509 *x,
4739 size_t chainidx, int *al, void *add_arg)
4741 int *server = (int *)add_arg;
4742 unsigned char *data;
4744 if (SSL_is_server(s))
4749 if (*server != SSL_is_server(s)
4750 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4755 *outlen = sizeof(*data);
4759 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4760 const unsigned char *out, void *add_arg)
4762 OPENSSL_free((unsigned char *)out);
4765 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4766 const unsigned char *in, size_t inlen, X509 *x,
4767 size_t chainidx, int *al, void *parse_arg)
4769 int *server = (int *)parse_arg;
4771 if (SSL_is_server(s))
4776 if (*server != SSL_is_server(s)
4777 || inlen != sizeof(char) || *in != 1)
4783 static int sni_cb(SSL *s, int *al, void *arg)
4785 SSL_CTX *ctx = (SSL_CTX *)arg;
4787 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4788 *al = SSL_AD_INTERNAL_ERROR;
4789 return SSL_TLSEXT_ERR_ALERT_FATAL;
4792 return SSL_TLSEXT_ERR_OK;
4796 * Custom call back tests.
4797 * Test 0: Old style callbacks in TLSv1.2
4798 * Test 1: New style callbacks in TLSv1.2
4799 * Test 2: New style callbacks in TLSv1.2 with SNI
4800 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4801 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4803 static int test_custom_exts(int tst)
4805 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4806 SSL *clientssl = NULL, *serverssl = NULL;
4808 static int server = 1;
4809 static int client = 0;
4810 SSL_SESSION *sess = NULL;
4811 unsigned int context;
4813 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4814 /* Skip tests for TLSv1.2 and below in this case */
4819 /* Reset callback counters */
4820 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4821 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4824 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4825 TLS_client_method(), TLS1_VERSION, 0,
4826 &sctx, &cctx, cert, privkey)))
4830 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
4832 &sctx2, NULL, cert, privkey)))
4837 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4838 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4840 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4844 context = SSL_EXT_CLIENT_HELLO
4845 | SSL_EXT_TLS1_2_SERVER_HELLO
4846 | SSL_EXT_TLS1_3_SERVER_HELLO
4847 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4848 | SSL_EXT_TLS1_3_CERTIFICATE
4849 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4851 context = SSL_EXT_CLIENT_HELLO
4852 | SSL_EXT_TLS1_2_SERVER_HELLO
4853 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4856 /* Create a client side custom extension */
4858 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4859 old_add_cb, old_free_cb,
4860 &client, old_parse_cb,
4864 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4865 new_add_cb, new_free_cb,
4866 &client, new_parse_cb, &client)))
4870 /* Should not be able to add duplicates */
4871 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4872 old_add_cb, old_free_cb,
4873 &client, old_parse_cb,
4875 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4876 context, new_add_cb,
4877 new_free_cb, &client,
4878 new_parse_cb, &client)))
4881 /* Create a server side custom extension */
4883 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4884 old_add_cb, old_free_cb,
4885 &server, old_parse_cb,
4889 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4890 new_add_cb, new_free_cb,
4891 &server, new_parse_cb, &server)))
4894 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4895 context, new_add_cb,
4896 new_free_cb, &server,
4897 new_parse_cb, &server)))
4901 /* Should not be able to add duplicates */
4902 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4903 old_add_cb, old_free_cb,
4904 &server, old_parse_cb,
4906 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4907 context, new_add_cb,
4908 new_free_cb, &server,
4909 new_parse_cb, &server)))
4914 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4915 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4920 &clientssl, NULL, NULL))
4921 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4926 if (clntaddoldcb != 1
4927 || clntparseoldcb != 1
4929 || srvparseoldcb != 1)
4931 } else if (tst == 1 || tst == 2 || tst == 3) {
4932 if (clntaddnewcb != 1
4933 || clntparsenewcb != 1
4935 || srvparsenewcb != 1
4936 || (tst != 2 && snicb != 0)
4937 || (tst == 2 && snicb != 1))
4940 /* In this case there 2 NewSessionTicket messages created */
4941 if (clntaddnewcb != 1
4942 || clntparsenewcb != 5
4944 || srvparsenewcb != 1)
4948 sess = SSL_get1_session(clientssl);
4949 SSL_shutdown(clientssl);
4950 SSL_shutdown(serverssl);
4951 SSL_free(serverssl);
4952 SSL_free(clientssl);
4953 serverssl = clientssl = NULL;
4956 /* We don't bother with the resumption aspects for this test */
4961 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4963 || !TEST_true(SSL_set_session(clientssl, sess))
4964 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4969 * For a resumed session we expect to add the ClientHello extension. For the
4970 * old style callbacks we ignore it on the server side because they set
4971 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4975 if (clntaddoldcb != 2
4976 || clntparseoldcb != 1
4978 || srvparseoldcb != 1)
4980 } else if (tst == 1 || tst == 2 || tst == 3) {
4981 if (clntaddnewcb != 2
4982 || clntparsenewcb != 2
4984 || srvparsenewcb != 2)
4988 * No Certificate message extensions in the resumption handshake,
4989 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4991 if (clntaddnewcb != 2
4992 || clntparsenewcb != 8
4994 || srvparsenewcb != 2)
5001 SSL_SESSION_free(sess);
5002 SSL_free(serverssl);
5003 SSL_free(clientssl);
5004 SSL_CTX_free(sctx2);
5011 * Test loading of serverinfo data in various formats. test_sslmessages actually
5012 * tests to make sure the extensions appear in the handshake
5014 static int test_serverinfo(int tst)
5016 unsigned int version;
5017 unsigned char *sibuf;
5019 int ret, expected, testresult = 0;
5022 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5026 if ((tst & 0x01) == 0x01)
5027 version = SSL_SERVERINFOV2;
5029 version = SSL_SERVERINFOV1;
5031 if ((tst & 0x02) == 0x02) {
5032 sibuf = serverinfov2;
5033 sibuflen = sizeof(serverinfov2);
5034 expected = (version == SSL_SERVERINFOV2);
5036 sibuf = serverinfov1;
5037 sibuflen = sizeof(serverinfov1);
5038 expected = (version == SSL_SERVERINFOV1);
5041 if ((tst & 0x04) == 0x04) {
5042 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5044 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5047 * The version variable is irrelevant in this case - it's what is in the
5048 * buffer that matters
5050 if ((tst & 0x02) == 0x02)
5056 if (!TEST_true(ret == expected))
5068 * Test that SSL_export_keying_material() produces expected results. There are
5069 * no test vectors so all we do is test that both sides of the communication
5070 * produce the same results for different protocol versions.
5072 #define SMALL_LABEL_LEN 10
5073 #define LONG_LABEL_LEN 249
5074 static int test_export_key_mat(int tst)
5077 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5078 SSL *clientssl = NULL, *serverssl = NULL;
5079 const char label[LONG_LABEL_LEN + 1] = "test label";
5080 const unsigned char context[] = "context";
5081 const unsigned char *emptycontext = NULL;
5082 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5083 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5085 const int protocols[] = {
5094 #ifdef OPENSSL_NO_TLS1
5098 #ifdef OPENSSL_NO_TLS1_1
5102 if (is_fips && (tst == 0 || tst == 1))
5104 #ifdef OPENSSL_NO_TLS1_2
5108 #ifdef OPENSSL_NO_TLS1_3
5112 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5113 TLS_client_method(), TLS1_VERSION, 0,
5114 &sctx, &cctx, cert, privkey)))
5117 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5118 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5119 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5121 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5123 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5129 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5132 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5133 sizeof(ckeymat1), label,
5134 LONG_LABEL_LEN + 1, context,
5135 sizeof(context) - 1, 1), 0))
5140 } else if (tst == 4) {
5141 labellen = LONG_LABEL_LEN;
5143 labellen = SMALL_LABEL_LEN;
5146 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5147 sizeof(ckeymat1), label,
5149 sizeof(context) - 1, 1), 1)
5150 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5151 sizeof(ckeymat2), label,
5155 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5156 sizeof(ckeymat3), label,
5159 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5160 sizeof(skeymat1), label,
5163 sizeof(context) -1, 1),
5165 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5166 sizeof(skeymat2), label,
5170 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5171 sizeof(skeymat3), label,
5175 * Check that both sides created the same key material with the
5178 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5181 * Check that both sides created the same key material with an
5184 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5187 * Check that both sides created the same key material without a
5190 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5192 /* Different contexts should produce different results */
5193 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5198 * Check that an empty context and no context produce different results in
5199 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5201 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5203 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5210 SSL_free(serverssl);
5211 SSL_free(clientssl);
5212 SSL_CTX_free(sctx2);
5219 #ifndef OPENSSL_NO_TLS1_3
5221 * Test that SSL_export_keying_material_early() produces expected
5222 * results. There are no test vectors so all we do is test that both
5223 * sides of the communication produce the same results for different
5224 * protocol versions.
5226 static int test_export_key_mat_early(int idx)
5228 static const char label[] = "test label";
5229 static const unsigned char context[] = "context";
5231 SSL_CTX *cctx = NULL, *sctx = NULL;
5232 SSL *clientssl = NULL, *serverssl = NULL;
5233 SSL_SESSION *sess = NULL;
5234 const unsigned char *emptycontext = NULL;
5235 unsigned char ckeymat1[80], ckeymat2[80];
5236 unsigned char skeymat1[80], skeymat2[80];
5237 unsigned char buf[1];
5238 size_t readbytes, written;
5240 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5244 /* Here writing 0 length early data is enough. */
5245 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5246 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5248 SSL_READ_EARLY_DATA_ERROR)
5249 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5250 SSL_EARLY_DATA_ACCEPTED))
5253 if (!TEST_int_eq(SSL_export_keying_material_early(
5254 clientssl, ckeymat1, sizeof(ckeymat1), label,
5255 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5256 || !TEST_int_eq(SSL_export_keying_material_early(
5257 clientssl, ckeymat2, sizeof(ckeymat2), label,
5258 sizeof(label) - 1, emptycontext, 0), 1)
5259 || !TEST_int_eq(SSL_export_keying_material_early(
5260 serverssl, skeymat1, sizeof(skeymat1), label,
5261 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5262 || !TEST_int_eq(SSL_export_keying_material_early(
5263 serverssl, skeymat2, sizeof(skeymat2), label,
5264 sizeof(label) - 1, emptycontext, 0), 1)
5266 * Check that both sides created the same key material with the
5269 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5272 * Check that both sides created the same key material with an
5275 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5277 /* Different contexts should produce different results */
5278 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5285 SSL_SESSION_free(sess);
5286 SSL_SESSION_free(clientpsk);
5287 SSL_SESSION_free(serverpsk);
5288 clientpsk = serverpsk = NULL;
5289 SSL_free(serverssl);
5290 SSL_free(clientssl);
5297 #define NUM_KEY_UPDATE_MESSAGES 40
5301 static int test_key_update(void)
5303 SSL_CTX *cctx = NULL, *sctx = NULL;
5304 SSL *clientssl = NULL, *serverssl = NULL;
5305 int testresult = 0, i, j;
5307 static char *mess = "A test message";
5309 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5310 TLS_client_method(),
5313 &sctx, &cctx, cert, privkey))
5314 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5316 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5320 for (j = 0; j < 2; j++) {
5321 /* Send lots of KeyUpdate messages */
5322 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5323 if (!TEST_true(SSL_key_update(clientssl,
5325 ? SSL_KEY_UPDATE_NOT_REQUESTED
5326 : SSL_KEY_UPDATE_REQUESTED))
5327 || !TEST_true(SSL_do_handshake(clientssl)))
5331 /* Check that sending and receiving app data is ok */
5332 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5333 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5337 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5338 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5346 SSL_free(serverssl);
5347 SSL_free(clientssl);
5355 * Test we can handle a KeyUpdate (update requested) message while write data
5357 * Test 0: Client sends KeyUpdate while Server is writing
5358 * Test 1: Server sends KeyUpdate while Client is writing
5360 static int test_key_update_in_write(int tst)
5362 SSL_CTX *cctx = NULL, *sctx = NULL;
5363 SSL *clientssl = NULL, *serverssl = NULL;
5366 static char *mess = "A test message";
5367 BIO *bretry = BIO_new(bio_s_always_retry());
5369 SSL *peerupdate = NULL, *peerwrite = NULL;
5371 if (!TEST_ptr(bretry)
5372 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5373 TLS_client_method(),
5376 &sctx, &cctx, cert, privkey))
5377 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5379 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5383 peerupdate = tst == 0 ? clientssl : serverssl;
5384 peerwrite = tst == 0 ? serverssl : clientssl;
5386 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5387 || !TEST_true(SSL_do_handshake(peerupdate)))
5390 /* Swap the writing endpoint's write BIO to force a retry */
5391 tmp = SSL_get_wbio(peerwrite);
5392 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5396 SSL_set0_wbio(peerwrite, bretry);
5399 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5400 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5401 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5404 /* Reinstate the original writing endpoint's write BIO */
5405 SSL_set0_wbio(peerwrite, tmp);
5408 /* Now read some data - we will read the key update */
5409 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5410 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5414 * Complete the write we started previously and read it from the other
5417 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5418 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5421 /* Write more data to ensure we send the KeyUpdate message back */
5422 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5423 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5429 SSL_free(serverssl);
5430 SSL_free(clientssl);
5438 #endif /* OPENSSL_NO_TLS1_3 */
5440 static int test_ssl_clear(int idx)
5442 SSL_CTX *cctx = NULL, *sctx = NULL;
5443 SSL *clientssl = NULL, *serverssl = NULL;
5446 #ifdef OPENSSL_NO_TLS1_2
5451 /* Create an initial connection */
5452 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5453 TLS_client_method(), TLS1_VERSION, 0,
5454 &sctx, &cctx, cert, privkey))
5456 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5458 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5459 &clientssl, NULL, NULL))
5460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5464 SSL_shutdown(clientssl);
5465 SSL_shutdown(serverssl);
5466 SSL_free(serverssl);
5469 /* Clear clientssl - we're going to reuse the object */
5470 if (!TEST_true(SSL_clear(clientssl)))
5473 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5477 || !TEST_true(SSL_session_reused(clientssl)))
5480 SSL_shutdown(clientssl);
5481 SSL_shutdown(serverssl);
5486 SSL_free(serverssl);
5487 SSL_free(clientssl);
5494 /* Parse CH and retrieve any MFL extension value if present */
5495 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5498 unsigned char *data;
5499 PACKET pkt, pkt2, pkt3;
5500 unsigned int MFL_code = 0, type = 0;
5502 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5505 memset(&pkt, 0, sizeof(pkt));
5506 memset(&pkt2, 0, sizeof(pkt2));
5507 memset(&pkt3, 0, sizeof(pkt3));
5509 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5510 /* Skip the record header */
5511 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5512 /* Skip the handshake message header */
5513 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5514 /* Skip client version and random */
5515 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5516 + SSL3_RANDOM_SIZE))
5517 /* Skip session id */
5518 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5520 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5521 /* Skip compression */
5522 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5523 /* Extensions len */
5524 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5527 /* Loop through all extensions */
5528 while (PACKET_remaining(&pkt2)) {
5529 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5530 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5533 if (type == TLSEXT_TYPE_max_fragment_length) {
5534 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5535 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5538 *mfl_codemfl_code = MFL_code;
5547 /* Maximum-Fragment-Length TLS extension mode to test */
5548 static const unsigned char max_fragment_len_test[] = {
5549 TLSEXT_max_fragment_length_512,
5550 TLSEXT_max_fragment_length_1024,
5551 TLSEXT_max_fragment_length_2048,
5552 TLSEXT_max_fragment_length_4096
5555 static int test_max_fragment_len_ext(int idx_tst)
5559 int testresult = 0, MFL_mode = 0;
5562 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5566 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5567 ctx, max_fragment_len_test[idx_tst])))
5574 rbio = BIO_new(BIO_s_mem());
5575 wbio = BIO_new(BIO_s_mem());
5576 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5582 SSL_set_bio(con, rbio, wbio);
5583 SSL_set_connect_state(con);
5585 if (!TEST_int_le(SSL_connect(con), 0)) {
5586 /* This shouldn't succeed because we don't have a server! */
5590 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5591 /* no MFL in client hello */
5593 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5605 #ifndef OPENSSL_NO_TLS1_3
5606 static int test_pha_key_update(void)
5608 SSL_CTX *cctx = NULL, *sctx = NULL;
5609 SSL *clientssl = NULL, *serverssl = NULL;
5612 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5613 TLS_client_method(), TLS1_VERSION, 0,
5614 &sctx, &cctx, cert, privkey)))
5617 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5618 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5619 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5620 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5623 SSL_CTX_set_post_handshake_auth(cctx, 1);
5625 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5629 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5633 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5634 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5637 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5640 /* Start handshake on the server */
5641 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5644 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5645 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5649 SSL_shutdown(clientssl);
5650 SSL_shutdown(serverssl);
5655 SSL_free(serverssl);
5656 SSL_free(clientssl);
5663 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5665 static SRP_VBASE *vbase = NULL;
5667 DEFINE_STACK_OF(SRP_user_pwd)
5669 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5671 int ret = SSL3_AL_FATAL;
5673 SRP_user_pwd *user = NULL;
5675 username = SSL_get_srp_username(s);
5676 if (username == NULL) {
5677 *ad = SSL_AD_INTERNAL_ERROR;
5681 user = SRP_VBASE_get1_by_user(vbase, username);
5683 *ad = SSL_AD_INTERNAL_ERROR;
5687 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5689 *ad = SSL_AD_INTERNAL_ERROR;
5696 SRP_user_pwd_free(user);
5700 static int create_new_vfile(char *userid, char *password, const char *filename)
5703 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5706 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5709 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5712 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5713 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
5714 if (!TEST_ptr(gNid))
5718 * The only way to create an empty TXT_DB is to provide a BIO with no data
5721 db = TXT_DB_read(dummy, DB_NUMBER);
5725 out = BIO_new_file(filename, "w");
5729 row[DB_srpid] = OPENSSL_strdup(userid);
5730 row[DB_srptype] = OPENSSL_strdup("V");
5731 row[DB_srpgN] = OPENSSL_strdup(gNid);
5733 if (!TEST_ptr(row[DB_srpid])
5734 || !TEST_ptr(row[DB_srptype])
5735 || !TEST_ptr(row[DB_srpgN])
5736 || !TEST_true(TXT_DB_insert(db, row)))
5741 if (!TXT_DB_write(out, db))
5747 for (i = 0; i < DB_NUMBER; i++)
5748 OPENSSL_free(row[i]);
5758 static int create_new_vbase(char *userid, char *password)
5760 BIGNUM *verifier = NULL, *salt = NULL;
5761 const SRP_gN *lgN = NULL;
5762 SRP_user_pwd *user_pwd = NULL;
5765 lgN = SRP_get_default_gN(NULL);
5769 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5770 lgN->N, lgN->g, libctx, NULL)))
5773 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5774 if (!TEST_ptr(user_pwd))
5777 user_pwd->N = lgN->N;
5778 user_pwd->g = lgN->g;
5779 user_pwd->id = OPENSSL_strdup(userid);
5780 if (!TEST_ptr(user_pwd->id))
5783 user_pwd->v = verifier;
5785 verifier = salt = NULL;
5787 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5793 SRP_user_pwd_free(user_pwd);
5803 * Test 0: Simple successful SRP connection, new vbase
5804 * Test 1: Connection failure due to bad password, new vbase
5805 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5806 * Test 3: Connection failure due to bad password, vbase loaded from existing
5808 * Test 4: Simple successful SRP connection, vbase loaded from new file
5809 * Test 5: Connection failure due to bad password, vbase loaded from new file
5811 static int test_srp(int tst)
5813 char *userid = "test", *password = "password", *tstsrpfile;
5814 SSL_CTX *cctx = NULL, *sctx = NULL;
5815 SSL *clientssl = NULL, *serverssl = NULL;
5816 int ret, testresult = 0;
5818 vbase = SRP_VBASE_new(NULL);
5819 if (!TEST_ptr(vbase))
5822 if (tst == 0 || tst == 1) {
5823 if (!TEST_true(create_new_vbase(userid, password)))
5826 if (tst == 4 || tst == 5) {
5827 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5829 tstsrpfile = tmpfilename;
5831 tstsrpfile = srpvfile;
5833 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5837 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5838 TLS_client_method(), TLS1_VERSION, 0,
5839 &sctx, &cctx, cert, privkey)))
5842 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5843 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5844 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5845 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5846 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5850 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5853 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5857 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5861 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5863 if (!TEST_true(tst % 2 == 0))
5866 if (!TEST_true(tst % 2 == 1))
5873 SRP_VBASE_free(vbase);
5875 SSL_free(serverssl);
5876 SSL_free(clientssl);
5884 static int info_cb_failed = 0;
5885 static int info_cb_offset = 0;
5886 static int info_cb_this_state = -1;
5888 static struct info_cb_states_st {
5890 const char *statestr;
5891 } info_cb_states[][60] = {
5893 /* TLSv1.2 server followed by resumption */
5894 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5895 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5896 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5897 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5898 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5899 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5900 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5901 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5902 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5903 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5904 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5905 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5906 {SSL_CB_EXIT, NULL}, {0, NULL},
5908 /* TLSv1.2 client followed by resumption */
5909 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5910 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5911 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5912 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5913 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5914 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5915 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5916 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5917 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5918 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5919 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5920 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5922 /* TLSv1.3 server followed by resumption */
5923 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5924 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5925 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5926 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5927 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5928 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5929 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5930 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5931 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5932 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5933 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5934 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5935 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5937 /* TLSv1.3 client followed by resumption */
5938 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5939 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5940 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5941 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5942 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5943 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5944 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5945 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5946 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5947 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5948 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5949 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5950 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5951 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5952 {SSL_CB_EXIT, NULL}, {0, NULL},
5954 /* TLSv1.3 server, early_data */
5955 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5956 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5957 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5958 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5959 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5960 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5961 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5962 {SSL_CB_EXIT, NULL}, {0, NULL},
5964 /* TLSv1.3 client, early_data */
5965 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5966 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5967 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5968 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5969 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5970 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5971 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5972 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5973 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5979 static void sslapi_info_callback(const SSL *s, int where, int ret)
5981 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5983 /* We do not ever expect a connection to fail in this test */
5984 if (!TEST_false(ret == 0)) {
5990 * Do some sanity checks. We never expect these things to happen in this
5993 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5994 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5995 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6000 /* Now check we're in the right state */
6001 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6005 if ((where & SSL_CB_LOOP) != 0
6006 && !TEST_int_eq(strcmp(SSL_state_string(s),
6007 state[info_cb_this_state].statestr), 0)) {
6013 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6015 if ((where & SSL_CB_HANDSHAKE_DONE)
6016 && SSL_in_init((SSL *)s) != 0) {
6023 * Test the info callback gets called when we expect it to.
6025 * Test 0: TLSv1.2, server
6026 * Test 1: TLSv1.2, client
6027 * Test 2: TLSv1.3, server
6028 * Test 3: TLSv1.3, client
6029 * Test 4: TLSv1.3, server, early_data
6030 * Test 5: TLSv1.3, client, early_data
6032 static int test_info_callback(int tst)
6034 SSL_CTX *cctx = NULL, *sctx = NULL;
6035 SSL *clientssl = NULL, *serverssl = NULL;
6036 SSL_SESSION *clntsess = NULL;
6041 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6042 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6043 || !defined(OPENSSL_NO_DH))
6044 tlsvers = TLS1_2_VERSION;
6049 #ifndef OPENSSL_NO_TLS1_3
6050 tlsvers = TLS1_3_VERSION;
6058 info_cb_this_state = -1;
6059 info_cb_offset = tst;
6061 #ifndef OPENSSL_NO_TLS1_3
6063 SSL_SESSION *sess = NULL;
6064 size_t written, readbytes;
6065 unsigned char buf[80];
6067 /* early_data tests */
6068 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6069 &serverssl, &sess, 0)))
6072 /* We don't actually need this reference */
6073 SSL_SESSION_free(sess);
6075 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6076 sslapi_info_callback);
6078 /* Write and read some early data and then complete the connection */
6079 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6081 || !TEST_size_t_eq(written, strlen(MSG1))
6082 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6083 sizeof(buf), &readbytes),
6084 SSL_READ_EARLY_DATA_SUCCESS)
6085 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6086 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6087 SSL_EARLY_DATA_ACCEPTED)
6088 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6090 || !TEST_false(info_cb_failed))
6098 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6099 TLS_client_method(),
6100 tlsvers, tlsvers, &sctx, &cctx, cert,
6105 * For even numbered tests we check the server callbacks. For odd numbers we
6108 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6109 sslapi_info_callback);
6111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6112 &clientssl, NULL, NULL))
6113 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6115 || !TEST_false(info_cb_failed))
6120 clntsess = SSL_get1_session(clientssl);
6121 SSL_shutdown(clientssl);
6122 SSL_shutdown(serverssl);
6123 SSL_free(serverssl);
6124 SSL_free(clientssl);
6125 serverssl = clientssl = NULL;
6127 /* Now do a resumption */
6128 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6130 || !TEST_true(SSL_set_session(clientssl, clntsess))
6131 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6133 || !TEST_true(SSL_session_reused(clientssl))
6134 || !TEST_false(info_cb_failed))
6140 SSL_free(serverssl);
6141 SSL_free(clientssl);
6142 SSL_SESSION_free(clntsess);
6148 static int test_ssl_pending(int tst)
6150 SSL_CTX *cctx = NULL, *sctx = NULL;
6151 SSL *clientssl = NULL, *serverssl = NULL;
6153 char msg[] = "A test message";
6155 size_t written, readbytes;
6158 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6159 TLS_client_method(),
6161 &sctx, &cctx, cert, privkey)))
6164 #ifndef OPENSSL_NO_DTLS
6165 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6166 DTLS_client_method(),
6168 &sctx, &cctx, cert, privkey)))
6175 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6177 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6181 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6182 || !TEST_false(SSL_has_pending(clientssl))
6183 || !TEST_int_eq(SSL_pending(serverssl), 0)
6184 || !TEST_false(SSL_has_pending(serverssl))
6185 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6186 || !TEST_size_t_eq(written, sizeof(msg))
6187 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6188 || !TEST_size_t_eq(readbytes, sizeof(buf))
6189 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6190 || !TEST_true(SSL_has_pending(clientssl)))
6196 SSL_free(serverssl);
6197 SSL_free(clientssl);
6205 unsigned int maxprot;
6206 const char *clntciphers;
6207 const char *clnttls13ciphers;
6208 const char *srvrciphers;
6209 const char *srvrtls13ciphers;
6211 const char *fipsshared;
6212 } shared_ciphers_data[] = {
6214 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6215 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6217 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6220 "AES128-SHA:AES256-SHA",
6222 "AES256-SHA:DHE-RSA-AES128-SHA",
6227 # if !defined(OPENSSL_NO_CHACHA) \
6228 && !defined(OPENSSL_NO_POLY1305) \
6229 && !defined(OPENSSL_NO_EC)
6232 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6234 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6236 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6242 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6244 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6246 "AES128-SHA:AES256-SHA",
6247 "AES128-SHA:AES256-SHA"
6251 "AES128-SHA:AES256-SHA",
6253 "AES128-SHA:DHE-RSA-AES128-SHA",
6260 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6263 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6264 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6267 "AES128-SHA:AES256-SHA",
6269 "AES256-SHA:AES128-SHA256",
6271 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6272 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6273 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6276 #ifndef OPENSSL_NO_TLS1_3
6280 "TLS_AES_256_GCM_SHA384",
6282 "TLS_AES_256_GCM_SHA384",
6283 "TLS_AES_256_GCM_SHA384",
6284 "TLS_AES_256_GCM_SHA384"
6289 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6291 SSL_CTX *cctx = NULL, *sctx = NULL;
6292 SSL *clientssl = NULL, *serverssl = NULL;
6295 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6297 if (!TEST_ptr(tmplibctx))
6301 * Regardless of whether we're testing with the FIPS provider loaded into
6302 * libctx, we want one peer to always use the full set of ciphersuites
6303 * available. Therefore we use a separate libctx with the default provider
6304 * loaded into it. We run the same tests twice - once with the client side
6305 * having the full set of ciphersuites and once with the server side.
6308 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6309 if (!TEST_ptr(cctx))
6312 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6313 if (!TEST_ptr(sctx))
6317 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6318 TLS_client_method(),
6320 shared_ciphers_data[tst].maxprot,
6321 &sctx, &cctx, cert, privkey)))
6324 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6325 shared_ciphers_data[tst].clntciphers))
6326 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6327 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6328 shared_ciphers_data[tst].clnttls13ciphers)))
6329 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6330 shared_ciphers_data[tst].srvrciphers))
6331 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6332 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6333 shared_ciphers_data[tst].srvrtls13ciphers))))
6337 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6339 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6343 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6344 || !TEST_int_eq(strcmp(buf,
6346 ? shared_ciphers_data[tst].fipsshared
6347 : shared_ciphers_data[tst].shared),
6349 TEST_info("Shared ciphers are: %s\n", buf);
6356 SSL_free(serverssl);
6357 SSL_free(clientssl);
6360 OPENSSL_CTX_free(tmplibctx);
6365 static int test_ssl_get_shared_ciphers(int tst)
6367 return int_test_ssl_get_shared_ciphers(tst, 0)
6368 && int_test_ssl_get_shared_ciphers(tst, 1);
6372 static const char *appdata = "Hello World";
6373 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6374 static int tick_key_renew = 0;
6375 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6377 static int gen_tick_cb(SSL *s, void *arg)
6379 gen_tick_called = 1;
6381 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6385 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6386 const unsigned char *keyname,
6387 size_t keyname_length,
6388 SSL_TICKET_STATUS status,
6394 dec_tick_called = 1;
6396 if (status == SSL_TICKET_EMPTY)
6397 return SSL_TICKET_RETURN_IGNORE_RENEW;
6399 if (!TEST_true(status == SSL_TICKET_SUCCESS
6400 || status == SSL_TICKET_SUCCESS_RENEW))
6401 return SSL_TICKET_RETURN_ABORT;
6403 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6405 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6406 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6407 return SSL_TICKET_RETURN_ABORT;
6409 if (tick_key_cb_called) {
6410 /* Don't change what the ticket key callback wanted to do */
6412 case SSL_TICKET_NO_DECRYPT:
6413 return SSL_TICKET_RETURN_IGNORE_RENEW;
6415 case SSL_TICKET_SUCCESS:
6416 return SSL_TICKET_RETURN_USE;
6418 case SSL_TICKET_SUCCESS_RENEW:
6419 return SSL_TICKET_RETURN_USE_RENEW;
6422 return SSL_TICKET_RETURN_ABORT;
6425 return tick_dec_ret;
6429 #ifndef OPENSSL_NO_DEPRECATED_3_0
6430 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6431 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6432 HMAC_CTX *hctx, int enc)
6434 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6435 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6436 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6437 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6440 tick_key_cb_called = 1;
6441 memset(iv, 0, AES_BLOCK_SIZE);
6442 memset(key_name, 0, 16);
6443 if (aes128cbc == NULL
6445 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6446 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6450 ret = tick_key_renew ? 2 : 1;
6452 EVP_CIPHER_free(aes128cbc);
6453 EVP_MD_free(sha256);
6459 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6460 unsigned char iv[EVP_MAX_IV_LENGTH],
6461 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6463 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6464 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6465 OSSL_PARAM params[3];
6466 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6469 tick_key_cb_called = 1;
6470 memset(iv, 0, AES_BLOCK_SIZE);
6471 memset(key_name, 0, 16);
6472 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6474 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6476 sizeof(tick_hmac_key));
6477 params[2] = OSSL_PARAM_construct_end();
6478 if (aes128cbc == NULL
6479 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6480 || !EVP_MAC_CTX_set_params(hctx, params)
6481 || !EVP_MAC_init(hctx))
6484 ret = tick_key_renew ? 2 : 1;
6486 EVP_CIPHER_free(aes128cbc);
6492 * Test the various ticket callbacks
6493 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6494 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6495 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6496 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6497 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6498 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6499 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6500 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6501 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6502 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6503 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6504 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6505 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6506 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6507 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6508 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6510 static int test_ticket_callbacks(int tst)
6512 SSL_CTX *cctx = NULL, *sctx = NULL;
6513 SSL *clientssl = NULL, *serverssl = NULL;
6514 SSL_SESSION *clntsess = NULL;
6517 #ifdef OPENSSL_NO_TLS1_2
6521 #ifdef OPENSSL_NO_TLS1_3
6525 #ifdef OPENSSL_NO_DEPRECATED_3_0
6526 if (tst >= 8 && tst <= 11)
6530 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6532 /* Which tests the ticket key callback should request renewal for */
6533 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6538 /* Which tests the decrypt ticket callback should request renewal for */
6542 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6547 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6552 tick_dec_ret = SSL_TICKET_RETURN_USE;
6557 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6561 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6564 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6565 TLS_client_method(),
6567 ((tst % 2) == 0) ? TLS1_2_VERSION
6569 &sctx, &cctx, cert, privkey)))
6573 * We only want sessions to resume from tickets - not the session cache. So
6574 * switch the cache off.
6576 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6579 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6584 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6586 #ifndef OPENSSL_NO_DEPRECATED_3_0
6587 } else if (tst >= 8) {
6588 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6595 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6600 * The decrypt ticket key callback in TLSv1.2 should be called even though
6601 * we have no ticket yet, because it gets called with a status of
6602 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6603 * actually send any ticket data). This does not happen in TLSv1.3 because
6604 * it is not valid to send empty ticket data in TLSv1.3.
6606 if (!TEST_int_eq(gen_tick_called, 1)
6607 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6610 gen_tick_called = dec_tick_called = 0;
6612 clntsess = SSL_get1_session(clientssl);
6613 SSL_shutdown(clientssl);
6614 SSL_shutdown(serverssl);
6615 SSL_free(serverssl);
6616 SSL_free(clientssl);
6617 serverssl = clientssl = NULL;
6619 /* Now do a resumption */
6620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6622 || !TEST_true(SSL_set_session(clientssl, clntsess))
6623 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6627 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6628 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6629 if (!TEST_false(SSL_session_reused(clientssl)))
6632 if (!TEST_true(SSL_session_reused(clientssl)))
6636 if (!TEST_int_eq(gen_tick_called,
6638 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6639 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6641 || !TEST_int_eq(dec_tick_called, 1))
6647 SSL_SESSION_free(clntsess);
6648 SSL_free(serverssl);
6649 SSL_free(clientssl);
6657 * Test bi-directional shutdown.
6659 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6660 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6661 * Test 3: TLSv1.3, pending NewSessionTicket messages
6662 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6663 * sends key update, client reads it
6664 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6665 * sends CertificateRequest, client reads and ignores it
6666 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6669 static int test_shutdown(int tst)
6671 SSL_CTX *cctx = NULL, *sctx = NULL;
6672 SSL *clientssl = NULL, *serverssl = NULL;
6674 char msg[] = "A test message";
6676 size_t written, readbytes;
6679 #ifdef OPENSSL_NO_TLS1_2
6683 #ifdef OPENSSL_NO_TLS1_3
6688 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6689 TLS_client_method(),
6691 (tst <= 1) ? TLS1_2_VERSION
6693 &sctx, &cctx, cert, privkey)))
6697 SSL_CTX_set_post_handshake_auth(cctx, 1);
6699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6704 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6706 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6707 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6709 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6711 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6712 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6716 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6721 * Reading on the server after the client has sent close_notify should
6722 * fail and provide SSL_ERROR_ZERO_RETURN
6724 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6725 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6726 SSL_ERROR_ZERO_RETURN)
6727 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6728 SSL_RECEIVED_SHUTDOWN)
6730 * Even though we're shutdown on receive we should still be
6733 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6736 && !TEST_true(SSL_key_update(serverssl,
6737 SSL_KEY_UPDATE_REQUESTED)))
6740 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6741 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6744 if ((tst == 4 || tst == 5)
6745 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6747 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6749 if (tst == 4 || tst == 5) {
6750 /* Should still be able to read data from server */
6751 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6753 || !TEST_size_t_eq(readbytes, sizeof(msg))
6754 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6755 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6757 || !TEST_size_t_eq(readbytes, sizeof(msg))
6758 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6763 /* Writing on the client after sending close_notify shouldn't be possible */
6764 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6769 * For these tests the client has sent close_notify but it has not yet
6770 * been received by the server. The server has not sent close_notify
6773 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6775 * Writing on the server after sending close_notify shouldn't
6778 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6779 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6780 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6781 || !TEST_true(SSL_SESSION_is_resumable(sess))
6782 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6784 } else if (tst == 4 || tst == 5) {
6786 * In this test the client has sent close_notify and it has been
6787 * received by the server which has responded with a close_notify. The
6788 * client needs to read the close_notify sent by the server.
6790 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6791 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6792 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6798 * The client has sent close_notify and is expecting a close_notify
6799 * back, but instead there is application data first. The shutdown
6800 * should fail with a fatal error.
6802 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6803 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6810 SSL_free(serverssl);
6811 SSL_free(clientssl);
6818 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6819 static int cert_cb_cnt;
6821 static int cert_cb(SSL *s, void *arg)
6823 SSL_CTX *ctx = (SSL_CTX *)arg;
6825 EVP_PKEY *pkey = NULL;
6826 X509 *x509 = NULL, *rootx = NULL;
6827 STACK_OF(X509) *chain = NULL;
6828 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6831 if (cert_cb_cnt == 0) {
6832 /* Suspend the handshake */
6835 } else if (cert_cb_cnt == 1) {
6837 * Update the SSL_CTX, set the certificate and private key and then
6838 * continue the handshake normally.
6840 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6843 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6844 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6846 || !TEST_true(SSL_check_private_key(s)))
6850 } else if (cert_cb_cnt == 3) {
6853 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6854 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6855 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6856 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6858 chain = sk_X509_new_null();
6859 if (!TEST_ptr(chain))
6861 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6862 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6863 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6864 || !TEST_true(sk_X509_push(chain, rootx)))
6868 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6869 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6870 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6873 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6874 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6875 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6877 rv = SSL_check_chain(s, x509, pkey, chain);
6879 * If the cert doesn't show as valid here (e.g., because we don't
6880 * have any shared sigalgs), then we will not set it, and there will
6881 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6882 * will cause tls_choose_sigalgs() to fail the connection.
6884 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6885 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6886 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6893 /* Abort the handshake */
6895 OPENSSL_free(ecdsacert);
6896 OPENSSL_free(ecdsakey);
6897 OPENSSL_free(rootfile);
6899 EVP_PKEY_free(pkey);
6902 sk_X509_pop_free(chain, X509_free);
6907 * Test the certificate callback.
6908 * Test 0: Callback fails
6909 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6910 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6911 * Test 3: Success - Call SSL_check_chain from the callback
6912 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6914 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6916 static int test_cert_cb_int(int prot, int tst)
6918 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6919 SSL *clientssl = NULL, *serverssl = NULL;
6920 int testresult = 0, ret;
6922 #ifdef OPENSSL_NO_EC
6923 /* We use an EC cert in these tests, so we skip in a no-ec build */
6928 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6929 TLS_client_method(),
6932 &sctx, &cctx, NULL, NULL)))
6943 snictx = SSL_CTX_new(TLS_server_method());
6944 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6946 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6952 * We cause SSL_check_chain() to fail by specifying sig_algs that
6953 * the chain doesn't meet (the root uses an RSA cert)
6955 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6956 "ecdsa_secp256r1_sha256")))
6958 } else if (tst == 5) {
6960 * We cause SSL_check_chain() to fail by specifying sig_algs that
6961 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6963 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6964 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6968 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6969 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6971 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6978 SSL_free(serverssl);
6979 SSL_free(clientssl);
6982 SSL_CTX_free(snictx);
6988 static int test_cert_cb(int tst)
6992 #ifndef OPENSSL_NO_TLS1_2
6993 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6995 #ifndef OPENSSL_NO_TLS1_3
6996 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7002 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7008 /* Check that SSL_get_peer_certificate() returns something sensible */
7009 peer = SSL_get_peer_certificate(ssl);
7010 if (!TEST_ptr(peer))
7014 in = BIO_new_file(cert, "r");
7018 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
7020 if (!TEST_ptr(xcert))
7023 in = BIO_new_file(privkey, "r");
7024 if (!TEST_ptr(in)) {
7029 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
7031 if (!TEST_ptr(privpkey)) {
7042 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7047 static int test_client_cert_cb(int tst)
7049 SSL_CTX *cctx = NULL, *sctx = NULL;
7050 SSL *clientssl = NULL, *serverssl = NULL;
7053 #ifdef OPENSSL_NO_TLS1_2
7057 #ifdef OPENSSL_NO_TLS1_3
7062 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7063 TLS_client_method(),
7065 tst == 0 ? TLS1_2_VERSION
7067 &sctx, &cctx, cert, privkey)))
7071 * Test that setting a client_cert_cb results in a client certificate being
7074 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7075 SSL_CTX_set_verify(sctx,
7076 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7079 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7081 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7088 SSL_free(serverssl);
7089 SSL_free(clientssl);
7096 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7098 * Test setting certificate authorities on both client and server.
7100 * Test 0: SSL_CTX_set0_CA_list() only
7101 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7102 * Test 2: Only SSL_CTX_set_client_CA_list()
7104 static int test_ca_names_int(int prot, int tst)
7106 SSL_CTX *cctx = NULL, *sctx = NULL;
7107 SSL *clientssl = NULL, *serverssl = NULL;
7110 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7111 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7112 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7113 const STACK_OF(X509_NAME) *sktmp = NULL;
7115 for (i = 0; i < OSSL_NELEM(name); i++) {
7116 name[i] = X509_NAME_new();
7117 if (!TEST_ptr(name[i])
7118 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7126 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7127 TLS_client_method(),
7130 &sctx, &cctx, cert, privkey)))
7133 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7135 if (tst == 0 || tst == 1) {
7136 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7137 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7138 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7139 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7140 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7141 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7144 SSL_CTX_set0_CA_list(sctx, sk1);
7145 SSL_CTX_set0_CA_list(cctx, sk2);
7148 if (tst == 1 || tst == 2) {
7149 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7150 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7151 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7152 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7153 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7154 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7157 SSL_CTX_set_client_CA_list(sctx, sk1);
7158 SSL_CTX_set_client_CA_list(cctx, sk2);
7162 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7164 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7169 * We only expect certificate authorities to have been sent to the server
7170 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7172 sktmp = SSL_get0_peer_CA_list(serverssl);
7173 if (prot == TLS1_3_VERSION
7174 && (tst == 0 || tst == 1)) {
7175 if (!TEST_ptr(sktmp)
7176 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7177 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7179 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7182 } else if (!TEST_ptr_null(sktmp)) {
7187 * In all tests we expect certificate authorities to have been sent to the
7188 * client. However, SSL_set_client_CA_list() should override
7189 * SSL_set0_CA_list()
7191 sktmp = SSL_get0_peer_CA_list(clientssl);
7192 if (!TEST_ptr(sktmp)
7193 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7194 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7195 name[tst == 0 ? 0 : 2]), 0)
7196 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7197 name[tst == 0 ? 1 : 3]), 0))
7203 SSL_free(serverssl);
7204 SSL_free(clientssl);
7207 for (i = 0; i < OSSL_NELEM(name); i++)
7208 X509_NAME_free(name[i]);
7209 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7210 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7216 static int test_ca_names(int tst)
7220 #ifndef OPENSSL_NO_TLS1_2
7221 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7223 #ifndef OPENSSL_NO_TLS1_3
7224 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7230 #ifndef OPENSSL_NO_TLS1_2
7231 static const char *multiblock_cipherlist_data[]=
7239 /* Reduce the fragment size - so the multiblock test buffer can be small */
7240 # define MULTIBLOCK_FRAGSIZE 512
7242 static int test_multiblock_write(int test_index)
7244 static const char *fetchable_ciphers[]=
7246 "AES-128-CBC-HMAC-SHA1",
7247 "AES-128-CBC-HMAC-SHA256",
7248 "AES-256-CBC-HMAC-SHA1",
7249 "AES-256-CBC-HMAC-SHA256"
7251 const char *cipherlist = multiblock_cipherlist_data[test_index];
7252 const SSL_METHOD *smeth = TLS_server_method();
7253 const SSL_METHOD *cmeth = TLS_client_method();
7254 int min_version = TLS1_VERSION;
7255 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7256 SSL_CTX *cctx = NULL, *sctx = NULL;
7257 SSL *clientssl = NULL, *serverssl = NULL;
7261 * Choose a buffer large enough to perform a multi-block operation
7262 * i.e: write_len >= 4 * frag_size
7263 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7265 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7266 unsigned char buf[sizeof(msg)], *p = buf;
7267 size_t readbytes, written, len;
7268 EVP_CIPHER *ciph = NULL;
7271 * Check if the cipher exists before attempting to use it since it only has
7272 * a hardware specific implementation.
7274 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7276 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7279 EVP_CIPHER_free(ciph);
7281 /* Set up a buffer with some data that will be sent to the client */
7282 RAND_bytes(msg, sizeof(msg));
7284 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7285 max_version, &sctx, &cctx, cert,
7289 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7292 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7296 /* settings to force it to use AES-CBC-HMAC_SHA */
7297 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7298 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7301 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7304 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7305 || !TEST_size_t_eq(written, sizeof(msg)))
7310 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7315 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7320 SSL_free(serverssl);
7321 SSL_free(clientssl);
7327 #endif /* OPENSSL_NO_TLS1_2 */
7330 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7331 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7332 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7333 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7334 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7335 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7336 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7337 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7338 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7339 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7341 static int test_servername(int tst)
7343 SSL_CTX *cctx = NULL, *sctx = NULL;
7344 SSL *clientssl = NULL, *serverssl = NULL;
7346 SSL_SESSION *sess = NULL;
7347 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7349 #ifdef OPENSSL_NO_TLS1_2
7353 #ifdef OPENSSL_NO_TLS1_3
7358 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7359 TLS_client_method(),
7361 (tst <= 4) ? TLS1_2_VERSION
7363 &sctx, &cctx, cert, privkey))
7364 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7368 if (tst != 1 && tst != 6) {
7369 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7374 if (tst != 3 && tst != 8) {
7375 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7377 sexpectedhost = cexpectedhost = "goodhost";
7380 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7383 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7385 || !TEST_str_eq(SSL_get_servername(serverssl,
7386 TLSEXT_NAMETYPE_host_name),
7390 /* Now repeat with a resumption handshake */
7392 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7393 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7394 || !TEST_true(SSL_SESSION_is_resumable(sess))
7395 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7398 SSL_free(clientssl);
7399 SSL_free(serverssl);
7400 clientssl = serverssl = NULL;
7402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7406 if (!TEST_true(SSL_set_session(clientssl, sess)))
7409 sexpectedhost = cexpectedhost = "goodhost";
7410 if (tst == 2 || tst == 7) {
7411 /* Set an inconsistent hostname */
7412 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7415 * In TLSv1.2 we expect the hostname from the original handshake, in
7416 * TLSv1.3 we expect the hostname from this handshake
7419 sexpectedhost = cexpectedhost = "altgoodhost";
7421 if (!TEST_str_eq(SSL_get_servername(clientssl,
7422 TLSEXT_NAMETYPE_host_name),
7425 } else if (tst == 4 || tst == 9) {
7427 * A TLSv1.3 session does not associate a session with a servername,
7428 * but a TLSv1.2 session does.
7431 sexpectedhost = cexpectedhost = NULL;
7433 if (!TEST_str_eq(SSL_get_servername(clientssl,
7434 TLSEXT_NAMETYPE_host_name),
7438 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7441 * In a TLSv1.2 resumption where the hostname was not acknowledged
7442 * we expect the hostname on the server to be empty. On the client we
7443 * return what was requested in this case.
7445 * Similarly if the client didn't set a hostname on an original TLSv1.2
7446 * session but is now, the server hostname will be empty, but the client
7449 if (tst == 1 || tst == 3)
7450 sexpectedhost = NULL;
7452 if (!TEST_str_eq(SSL_get_servername(clientssl,
7453 TLSEXT_NAMETYPE_host_name),
7458 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7461 if (!TEST_true(SSL_session_reused(clientssl))
7462 || !TEST_true(SSL_session_reused(serverssl))
7463 || !TEST_str_eq(SSL_get_servername(clientssl,
7464 TLSEXT_NAMETYPE_host_name),
7466 || !TEST_str_eq(SSL_get_servername(serverssl,
7467 TLSEXT_NAMETYPE_host_name),
7474 SSL_SESSION_free(sess);
7475 SSL_free(serverssl);
7476 SSL_free(clientssl);
7483 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
7485 int setup_tests(void)
7490 libctx = OPENSSL_CTX_new();
7491 if (!TEST_ptr(libctx))
7494 defctxnull = OSSL_PROVIDER_load(NULL, "null");
7497 * Verify that the default and fips providers in the default libctx are not
7500 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
7501 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
7504 if (!test_skip_common_options()) {
7505 TEST_error("Error parsing test options\n");
7509 if (!TEST_ptr(certsdir = test_get_argument(0))
7510 || !TEST_ptr(srpvfile = test_get_argument(1))
7511 || !TEST_ptr(tmpfilename = test_get_argument(2))
7512 || !TEST_ptr(modulename = test_get_argument(3))
7513 || !TEST_ptr(configfile = test_get_argument(4)))
7516 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
7519 /* Check we have the expected provider available */
7520 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
7523 /* Check the default provider is not available */
7524 if (strcmp(modulename, "default") != 0
7525 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
7528 if (strcmp(modulename, "fips") == 0)
7531 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7532 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7533 TEST_error("not supported in this build");
7536 int i, mcount, rcount, fcount;
7538 for (i = 0; i < 4; i++)
7539 test_export_key_mat(i);
7540 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7541 test_printf_stdout("malloc %d realloc %d free %d\n",
7542 mcount, rcount, fcount);
7547 cert = test_mk_file_path(certsdir, "servercert.pem");
7551 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7552 if (privkey == NULL) {
7557 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7558 && !defined(OPENSSL_NO_SOCK)
7559 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7560 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7561 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7562 ADD_TEST(test_ktls_client_no_txrx_server);
7563 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7564 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7565 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7566 ADD_TEST(test_ktls_client_no_rx_server);
7567 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7568 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7569 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7570 ADD_TEST(test_ktls_client_no_tx_server);
7571 ADD_TEST(test_ktls_no_txrx_client_server);
7572 ADD_TEST(test_ktls_no_rx_client_server);
7573 ADD_TEST(test_ktls_no_tx_client_server);
7574 ADD_TEST(test_ktls_client_server);
7575 ADD_TEST(test_ktls_sendfile);
7577 ADD_TEST(test_large_message_tls);
7578 ADD_TEST(test_large_message_tls_read_ahead);
7579 #ifndef OPENSSL_NO_DTLS
7580 ADD_TEST(test_large_message_dtls);
7582 #ifndef OPENSSL_NO_OCSP
7583 ADD_TEST(test_tlsext_status_type);
7585 ADD_TEST(test_session_with_only_int_cache);
7586 ADD_TEST(test_session_with_only_ext_cache);
7587 ADD_TEST(test_session_with_both_cache);
7588 #ifndef OPENSSL_NO_TLS1_3
7589 ADD_ALL_TESTS(test_stateful_tickets, 3);
7590 ADD_ALL_TESTS(test_stateless_tickets, 3);
7591 ADD_TEST(test_psk_tickets);
7592 ADD_ALL_TESTS(test_extra_tickets, 6);
7594 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7595 ADD_TEST(test_ssl_bio_pop_next_bio);
7596 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7597 ADD_TEST(test_ssl_bio_change_rbio);
7598 ADD_TEST(test_ssl_bio_change_wbio);
7599 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7600 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7601 ADD_TEST(test_keylog);
7603 #ifndef OPENSSL_NO_TLS1_3
7604 ADD_TEST(test_keylog_no_master_key);
7606 #ifndef OPENSSL_NO_TLS1_2
7607 ADD_TEST(test_client_hello_cb);
7608 ADD_TEST(test_no_ems);
7609 ADD_TEST(test_ccs_change_cipher);
7611 #ifndef OPENSSL_NO_TLS1_3
7612 ADD_ALL_TESTS(test_early_data_read_write, 3);
7614 * We don't do replay tests for external PSK. Replay protection isn't used
7617 ADD_ALL_TESTS(test_early_data_replay, 2);
7618 ADD_ALL_TESTS(test_early_data_skip, 3);
7619 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7620 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7621 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7622 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7623 ADD_ALL_TESTS(test_early_data_psk, 8);
7624 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7625 # ifndef OPENSSL_NO_TLS1_2
7626 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7629 #ifndef OPENSSL_NO_TLS1_3
7630 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7631 ADD_TEST(test_ciphersuite_change);
7632 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7633 # ifdef OPENSSL_NO_PSK
7634 ADD_ALL_TESTS(test_tls13_psk, 1);
7636 ADD_ALL_TESTS(test_tls13_psk, 4);
7637 # endif /* OPENSSL_NO_PSK */
7638 # ifndef OPENSSL_NO_TLS1_2
7639 /* Test with both TLSv1.3 and 1.2 versions */
7640 ADD_ALL_TESTS(test_key_exchange, 14);
7642 /* Test with only TLSv1.3 versions */
7643 ADD_ALL_TESTS(test_key_exchange, 12);
7645 ADD_ALL_TESTS(test_custom_exts, 5);
7646 ADD_TEST(test_stateless);
7647 ADD_TEST(test_pha_key_update);
7649 ADD_ALL_TESTS(test_custom_exts, 3);
7651 ADD_ALL_TESTS(test_serverinfo, 8);
7652 ADD_ALL_TESTS(test_export_key_mat, 6);
7653 #ifndef OPENSSL_NO_TLS1_3
7654 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7655 ADD_TEST(test_key_update);
7656 ADD_ALL_TESTS(test_key_update_in_write, 2);
7658 ADD_ALL_TESTS(test_ssl_clear, 2);
7659 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7660 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7661 ADD_ALL_TESTS(test_srp, 6);
7663 ADD_ALL_TESTS(test_info_callback, 6);
7664 ADD_ALL_TESTS(test_ssl_pending, 2);
7665 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7666 ADD_ALL_TESTS(test_ticket_callbacks, 16);
7667 ADD_ALL_TESTS(test_shutdown, 7);
7668 ADD_ALL_TESTS(test_cert_cb, 6);
7669 ADD_ALL_TESTS(test_client_cert_cb, 2);
7670 ADD_ALL_TESTS(test_ca_names, 3);
7671 #ifndef OPENSSL_NO_TLS1_2
7672 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7674 ADD_ALL_TESTS(test_servername, 10);
7678 void cleanup_tests(void)
7681 OPENSSL_free(privkey);
7682 bio_s_mempacket_test_free();
7683 bio_s_always_retry_free();
7684 OSSL_PROVIDER_unload(defctxnull);
7685 OPENSSL_CTX_free(libctx);