2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/provider.h>
33 #include "ssltestlib.h"
35 #include "testutil/output.h"
36 #include "internal/nelem.h"
37 #include "internal/ktls.h"
38 #include "../ssl/ssl_local.h"
40 DEFINE_STACK_OF(OCSP_RESPID)
42 DEFINE_STACK_OF(X509_NAME)
44 static OPENSSL_CTX *libctx = NULL;
45 static OSSL_PROVIDER *defctxnull = NULL;
47 #ifndef OPENSSL_NO_TLS1_3
49 static SSL_SESSION *clientpsk = NULL;
50 static SSL_SESSION *serverpsk = NULL;
51 static const char *pskid = "Identity";
52 static const char *srvid;
54 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
55 size_t *idlen, SSL_SESSION **sess);
56 static int find_session_cb(SSL *ssl, const unsigned char *identity,
57 size_t identity_len, SSL_SESSION **sess);
59 static int use_session_cb_cnt = 0;
60 static int find_session_cb_cnt = 0;
62 static SSL_SESSION *create_a_psk(SSL *ssl);
65 static char *certsdir = NULL;
66 static char *cert = NULL;
67 static char *privkey = NULL;
68 static char *srpvfile = NULL;
69 static char *tmpfilename = NULL;
71 static int is_fips = 0;
73 #define LOG_BUFFER_SIZE 2048
74 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
75 static size_t server_log_buffer_index = 0;
76 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
77 static size_t client_log_buffer_index = 0;
78 static int error_writing_log = 0;
80 #ifndef OPENSSL_NO_OCSP
81 static const unsigned char orespder[] = "Dummy OCSP Response";
82 static int ocsp_server_called = 0;
83 static int ocsp_client_called = 0;
85 static int cdummyarg = 1;
86 static X509 *ocspcert = NULL;
89 #define NUM_EXTRA_CERTS 40
90 #define CLIENT_VERSION_LEN 2
93 * This structure is used to validate that the correct number of log messages
94 * of various types are emitted when emitting secret logs.
96 struct sslapitest_log_counts {
97 unsigned int rsa_key_exchange_count;
98 unsigned int master_secret_count;
99 unsigned int client_early_secret_count;
100 unsigned int client_handshake_secret_count;
101 unsigned int server_handshake_secret_count;
102 unsigned int client_application_secret_count;
103 unsigned int server_application_secret_count;
104 unsigned int early_exporter_secret_count;
105 unsigned int exporter_secret_count;
109 static unsigned char serverinfov1[] = {
110 0xff, 0xff, /* Dummy extension type */
111 0x00, 0x01, /* Extension length is 1 byte */
112 0xff /* Dummy extension data */
115 static unsigned char serverinfov2[] = {
117 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
118 0xff, 0xff, /* Dummy extension type */
119 0x00, 0x01, /* Extension length is 1 byte */
120 0xff /* Dummy extension data */
123 static int hostname_cb(SSL *s, int *al, void *arg)
125 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
127 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
128 || strcmp(hostname, "altgoodhost") == 0))
129 return SSL_TLSEXT_ERR_OK;
131 return SSL_TLSEXT_ERR_NOACK;
134 static void client_keylog_callback(const SSL *ssl, const char *line)
136 int line_length = strlen(line);
138 /* If the log doesn't fit, error out. */
139 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
140 TEST_info("Client log too full");
141 error_writing_log = 1;
145 strcat(client_log_buffer, line);
146 client_log_buffer_index += line_length;
147 client_log_buffer[client_log_buffer_index++] = '\n';
150 static void server_keylog_callback(const SSL *ssl, const char *line)
152 int line_length = strlen(line);
154 /* If the log doesn't fit, error out. */
155 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
156 TEST_info("Server log too full");
157 error_writing_log = 1;
161 strcat(server_log_buffer, line);
162 server_log_buffer_index += line_length;
163 server_log_buffer[server_log_buffer_index++] = '\n';
166 static int compare_hex_encoded_buffer(const char *hex_encoded,
174 if (!TEST_size_t_eq(raw_length * 2, hex_length))
177 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
178 sprintf(hexed, "%02x", raw[i]);
179 if (!TEST_int_eq(hexed[0], hex_encoded[j])
180 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
187 static int test_keylog_output(char *buffer, const SSL *ssl,
188 const SSL_SESSION *session,
189 struct sslapitest_log_counts *expected)
192 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
193 size_t client_random_size = SSL3_RANDOM_SIZE;
194 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
195 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
196 unsigned int rsa_key_exchange_count = 0;
197 unsigned int master_secret_count = 0;
198 unsigned int client_early_secret_count = 0;
199 unsigned int client_handshake_secret_count = 0;
200 unsigned int server_handshake_secret_count = 0;
201 unsigned int client_application_secret_count = 0;
202 unsigned int server_application_secret_count = 0;
203 unsigned int early_exporter_secret_count = 0;
204 unsigned int exporter_secret_count = 0;
206 for (token = strtok(buffer, " \n"); token != NULL;
207 token = strtok(NULL, " \n")) {
208 if (strcmp(token, "RSA") == 0) {
210 * Premaster secret. Tokens should be: 16 ASCII bytes of
211 * hex-encoded encrypted secret, then the hex-encoded pre-master
214 if (!TEST_ptr(token = strtok(NULL, " \n")))
216 if (!TEST_size_t_eq(strlen(token), 16))
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
221 * We can't sensibly check the log because the premaster secret is
222 * transient, and OpenSSL doesn't keep hold of it once the master
223 * secret is generated.
225 rsa_key_exchange_count++;
226 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
228 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
229 * client random, then the hex-encoded master secret.
231 client_random_size = SSL_get_client_random(ssl,
232 actual_client_random,
234 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
237 if (!TEST_ptr(token = strtok(NULL, " \n")))
239 if (!TEST_size_t_eq(strlen(token), 64))
241 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
242 actual_client_random,
243 client_random_size)))
246 if (!TEST_ptr(token = strtok(NULL, " \n")))
248 master_key_size = SSL_SESSION_get_master_key(session,
251 if (!TEST_size_t_ne(master_key_size, 0))
253 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
257 master_secret_count++;
258 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
259 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
260 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
261 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
262 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
263 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
264 || strcmp(token, "EXPORTER_SECRET") == 0) {
266 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
267 * client random, and then the hex-encoded secret. In this case,
268 * we treat all of these secrets identically and then just
269 * distinguish between them when counting what we saw.
271 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
272 client_early_secret_count++;
273 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
274 client_handshake_secret_count++;
275 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
276 server_handshake_secret_count++;
277 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
278 client_application_secret_count++;
279 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
280 server_application_secret_count++;
281 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
282 early_exporter_secret_count++;
283 else if (strcmp(token, "EXPORTER_SECRET") == 0)
284 exporter_secret_count++;
286 client_random_size = SSL_get_client_random(ssl,
287 actual_client_random,
289 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
292 if (!TEST_ptr(token = strtok(NULL, " \n")))
294 if (!TEST_size_t_eq(strlen(token), 64))
296 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
297 actual_client_random,
298 client_random_size)))
301 if (!TEST_ptr(token = strtok(NULL, " \n")))
305 * TODO(TLS1.3): test that application traffic secrets are what
308 TEST_info("Unexpected token %s\n", token);
313 /* Got what we expected? */
314 if (!TEST_size_t_eq(rsa_key_exchange_count,
315 expected->rsa_key_exchange_count)
316 || !TEST_size_t_eq(master_secret_count,
317 expected->master_secret_count)
318 || !TEST_size_t_eq(client_early_secret_count,
319 expected->client_early_secret_count)
320 || !TEST_size_t_eq(client_handshake_secret_count,
321 expected->client_handshake_secret_count)
322 || !TEST_size_t_eq(server_handshake_secret_count,
323 expected->server_handshake_secret_count)
324 || !TEST_size_t_eq(client_application_secret_count,
325 expected->client_application_secret_count)
326 || !TEST_size_t_eq(server_application_secret_count,
327 expected->server_application_secret_count)
328 || !TEST_size_t_eq(early_exporter_secret_count,
329 expected->early_exporter_secret_count)
330 || !TEST_size_t_eq(exporter_secret_count,
331 expected->exporter_secret_count))
336 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
337 static int test_keylog(void)
339 SSL_CTX *cctx = NULL, *sctx = NULL;
340 SSL *clientssl = NULL, *serverssl = NULL;
342 struct sslapitest_log_counts expected;
344 /* Clean up logging space */
345 memset(&expected, 0, sizeof(expected));
346 memset(client_log_buffer, 0, sizeof(client_log_buffer));
347 memset(server_log_buffer, 0, sizeof(server_log_buffer));
348 client_log_buffer_index = 0;
349 server_log_buffer_index = 0;
350 error_writing_log = 0;
352 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
355 &sctx, &cctx, cert, privkey)))
358 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
359 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
360 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
362 /* We also want to ensure that we use RSA-based key exchange. */
363 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
366 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
367 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
369 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
370 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
371 == client_keylog_callback))
373 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
374 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
375 == server_keylog_callback))
378 /* Now do a handshake and check that the logs have been written to. */
379 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
380 &clientssl, NULL, NULL))
381 || !TEST_true(create_ssl_connection(serverssl, clientssl,
383 || !TEST_false(error_writing_log)
384 || !TEST_int_gt(client_log_buffer_index, 0)
385 || !TEST_int_gt(server_log_buffer_index, 0))
389 * Now we want to test that our output data was vaguely sensible. We
390 * do that by using strtok and confirming that we have more or less the
391 * data we expect. For both client and server, we expect to see one master
392 * secret. The client should also see a RSA key exchange.
394 expected.rsa_key_exchange_count = 1;
395 expected.master_secret_count = 1;
396 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
397 SSL_get_session(clientssl), &expected)))
400 expected.rsa_key_exchange_count = 0;
401 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
402 SSL_get_session(serverssl), &expected)))
417 #ifndef OPENSSL_NO_TLS1_3
418 static int test_keylog_no_master_key(void)
420 SSL_CTX *cctx = NULL, *sctx = NULL;
421 SSL *clientssl = NULL, *serverssl = NULL;
422 SSL_SESSION *sess = NULL;
424 struct sslapitest_log_counts expected;
425 unsigned char buf[1];
426 size_t readbytes, written;
428 /* Clean up logging space */
429 memset(&expected, 0, sizeof(expected));
430 memset(client_log_buffer, 0, sizeof(client_log_buffer));
431 memset(server_log_buffer, 0, sizeof(server_log_buffer));
432 client_log_buffer_index = 0;
433 server_log_buffer_index = 0;
434 error_writing_log = 0;
436 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
437 TLS_client_method(), TLS1_VERSION, 0,
438 &sctx, &cctx, cert, privkey))
439 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
440 SSL3_RT_MAX_PLAIN_LENGTH)))
443 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
444 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
447 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
448 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
449 == client_keylog_callback))
452 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
453 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
454 == server_keylog_callback))
457 /* Now do a handshake and check that the logs have been written to. */
458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
459 &clientssl, NULL, NULL))
460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
462 || !TEST_false(error_writing_log))
466 * Now we want to test that our output data was vaguely sensible. For this
467 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
468 * TLSv1.3, but we do expect both client and server to emit keys.
470 expected.client_handshake_secret_count = 1;
471 expected.server_handshake_secret_count = 1;
472 expected.client_application_secret_count = 1;
473 expected.server_application_secret_count = 1;
474 expected.exporter_secret_count = 1;
475 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
476 SSL_get_session(clientssl), &expected))
477 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
478 SSL_get_session(serverssl),
482 /* Terminate old session and resume with early data. */
483 sess = SSL_get1_session(clientssl);
484 SSL_shutdown(clientssl);
485 SSL_shutdown(serverssl);
488 serverssl = clientssl = NULL;
491 memset(client_log_buffer, 0, sizeof(client_log_buffer));
492 memset(server_log_buffer, 0, sizeof(server_log_buffer));
493 client_log_buffer_index = 0;
494 server_log_buffer_index = 0;
496 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
497 &clientssl, NULL, NULL))
498 || !TEST_true(SSL_set_session(clientssl, sess))
499 /* Here writing 0 length early data is enough. */
500 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
501 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
503 SSL_READ_EARLY_DATA_ERROR)
504 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
505 SSL_EARLY_DATA_ACCEPTED)
506 || !TEST_true(create_ssl_connection(serverssl, clientssl,
508 || !TEST_true(SSL_session_reused(clientssl)))
511 /* In addition to the previous entries, expect early secrets. */
512 expected.client_early_secret_count = 1;
513 expected.early_exporter_secret_count = 1;
514 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
515 SSL_get_session(clientssl), &expected))
516 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
517 SSL_get_session(serverssl),
524 SSL_SESSION_free(sess);
534 #ifndef OPENSSL_NO_TLS1_2
535 static int full_client_hello_callback(SSL *s, int *al, void *arg)
538 const unsigned char *p;
540 /* We only configure two ciphers, but the SCSV is added automatically. */
542 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
544 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
547 const int expected_extensions[] = {
548 #ifndef OPENSSL_NO_EC
554 /* Make sure we can defer processing and get called back. */
556 return SSL_CLIENT_HELLO_RETRY;
558 len = SSL_client_hello_get0_ciphers(s, &p);
559 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
561 SSL_client_hello_get0_compression_methods(s, &p), 1)
562 || !TEST_int_eq(*p, 0))
563 return SSL_CLIENT_HELLO_ERROR;
564 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
565 return SSL_CLIENT_HELLO_ERROR;
566 if (len != OSSL_NELEM(expected_extensions) ||
567 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
568 printf("ClientHello callback expected extensions mismatch\n");
570 return SSL_CLIENT_HELLO_ERROR;
573 return SSL_CLIENT_HELLO_SUCCESS;
576 static int test_client_hello_cb(void)
578 SSL_CTX *cctx = NULL, *sctx = NULL;
579 SSL *clientssl = NULL, *serverssl = NULL;
580 int testctr = 0, testresult = 0;
582 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
583 TLS_client_method(), TLS1_VERSION, 0,
584 &sctx, &cctx, cert, privkey)))
586 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
588 /* The gimpy cipher list we configure can't do TLS 1.3. */
589 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
591 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
592 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
593 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL))
595 || !TEST_false(create_ssl_connection(serverssl, clientssl,
596 SSL_ERROR_WANT_CLIENT_HELLO_CB))
598 * Passing a -1 literal is a hack since
599 * the real value was lost.
601 || !TEST_int_eq(SSL_get_error(serverssl, -1),
602 SSL_ERROR_WANT_CLIENT_HELLO_CB)
603 || !TEST_true(create_ssl_connection(serverssl, clientssl,
618 static int test_no_ems(void)
620 SSL_CTX *cctx = NULL, *sctx = NULL;
621 SSL *clientssl = NULL, *serverssl = NULL;
624 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
625 TLS1_VERSION, TLS1_2_VERSION,
626 &sctx, &cctx, cert, privkey)) {
627 printf("Unable to create SSL_CTX pair\n");
631 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
633 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
634 printf("Unable to create SSL objects\n");
638 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
639 printf("Creating SSL connection failed\n");
643 if (SSL_get_extms_support(serverssl)) {
644 printf("Server reports Extended Master Secret support\n");
648 if (SSL_get_extms_support(clientssl)) {
649 printf("Client reports Extended Master Secret support\n");
664 * Very focused test to exercise a single case in the server-side state
665 * machine, when the ChangeCipherState message needs to actually change
666 * from one cipher to a different cipher (i.e., not changing from null
667 * encryption to real encryption).
669 static int test_ccs_change_cipher(void)
671 SSL_CTX *cctx = NULL, *sctx = NULL;
672 SSL *clientssl = NULL, *serverssl = NULL;
673 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
680 * Create a conection so we can resume and potentially (but not) use
681 * a different cipher in the second connection.
683 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
685 TLS1_VERSION, TLS1_2_VERSION,
686 &sctx, &cctx, cert, privkey))
687 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
690 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
693 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
694 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
697 shutdown_ssl_connection(serverssl, clientssl);
698 serverssl = clientssl = NULL;
700 /* Resume, preferring a different cipher. Our server will force the
701 * same cipher to be used as the initial handshake. */
702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
704 || !TEST_true(SSL_set_session(clientssl, sess))
705 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
708 || !TEST_true(SSL_session_reused(clientssl))
709 || !TEST_true(SSL_session_reused(serverssl))
710 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
711 || !TEST_ptr_eq(sesspre, sesspost)
712 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
713 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
715 shutdown_ssl_connection(serverssl, clientssl);
716 serverssl = clientssl = NULL;
719 * Now create a fresh connection and try to renegotiate a different
722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
724 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
727 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
728 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
729 || !TEST_true(SSL_renegotiate(clientssl))
730 || !TEST_true(SSL_renegotiate_pending(clientssl)))
732 /* Actually drive the renegotiation. */
733 for (i = 0; i < 3; i++) {
734 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
735 if (!TEST_ulong_eq(readbytes, 0))
737 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
738 SSL_ERROR_WANT_READ)) {
741 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
742 if (!TEST_ulong_eq(readbytes, 0))
744 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
745 SSL_ERROR_WANT_READ)) {
749 /* sesspre and sesspost should be different since the cipher changed. */
750 if (!TEST_false(SSL_renegotiate_pending(clientssl))
751 || !TEST_false(SSL_session_reused(clientssl))
752 || !TEST_false(SSL_session_reused(serverssl))
753 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
754 || !TEST_ptr_ne(sesspre, sesspost)
755 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
756 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
759 shutdown_ssl_connection(serverssl, clientssl);
760 serverssl = clientssl = NULL;
769 SSL_SESSION_free(sess);
775 static int execute_test_large_message(const SSL_METHOD *smeth,
776 const SSL_METHOD *cmeth,
777 int min_version, int max_version,
780 SSL_CTX *cctx = NULL, *sctx = NULL;
781 SSL *clientssl = NULL, *serverssl = NULL;
785 X509 *chaincert = NULL;
788 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
790 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
793 if (!TEST_ptr(chaincert))
796 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
797 max_version, &sctx, &cctx, cert,
803 * Test that read_ahead works correctly when dealing with large
806 SSL_CTX_set_read_ahead(cctx, 1);
810 * We assume the supplied certificate is big enough so that if we add
811 * NUM_EXTRA_CERTS it will make the overall message large enough. The
812 * default buffer size is requested to be 16k, but due to the way BUF_MEM
813 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
814 * test we need to have a message larger than that.
816 certlen = i2d_X509(chaincert, NULL);
817 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
818 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
819 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
820 if (!X509_up_ref(chaincert))
822 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
823 X509_free(chaincert);
828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
835 * Calling SSL_clear() first is not required but this tests that SSL_clear()
838 if (!TEST_true(SSL_clear(serverssl)))
843 X509_free(chaincert);
852 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
853 && !defined(OPENSSL_NO_SOCK)
855 /* sock must be connected */
856 static int ktls_chk_platform(int sock)
858 if (!ktls_enable(sock))
863 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
865 static char count = 1;
866 unsigned char cbuf[16000] = {0};
867 unsigned char sbuf[16000];
869 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
870 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
871 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
872 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
873 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
874 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
875 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
876 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
879 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
880 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
881 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
882 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
883 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
884 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
885 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
886 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
888 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
891 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
892 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
897 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
900 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
901 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
906 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
907 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
908 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
909 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
910 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
911 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
912 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
913 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
915 /* verify the payload */
916 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
919 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
920 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
921 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
922 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
925 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
926 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
930 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
931 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
932 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
935 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
936 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
940 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
941 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
942 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
945 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
946 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
950 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
951 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
952 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
955 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
956 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
965 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
966 int sis_ktls_tx, int sis_ktls_rx)
968 SSL_CTX *cctx = NULL, *sctx = NULL;
969 SSL *clientssl = NULL, *serverssl = NULL;
973 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
976 /* Skip this test if the platform does not support ktls */
977 if (!ktls_chk_platform(cfd))
980 /* Create a session based on SHA-256 */
981 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
983 TLS1_2_VERSION, TLS1_2_VERSION,
984 &sctx, &cctx, cert, privkey))
985 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
986 "AES128-GCM-SHA256"))
987 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
988 &clientssl, sfd, cfd)))
992 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
997 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1002 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1007 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1016 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1019 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1024 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1027 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1032 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1035 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1040 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1043 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1047 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1053 SSL_shutdown(clientssl);
1054 SSL_free(clientssl);
1057 SSL_shutdown(serverssl);
1058 SSL_free(serverssl);
1062 serverssl = clientssl = NULL;
1066 #define SENDFILE_SZ (16 * 4096)
1067 #define SENDFILE_CHUNK (4 * 4096)
1068 #define min(a,b) ((a) > (b) ? (b) : (a))
1070 static int test_ktls_sendfile(void)
1072 SSL_CTX *cctx = NULL, *sctx = NULL;
1073 SSL *clientssl = NULL, *serverssl = NULL;
1074 unsigned char *buf, *buf_dst;
1075 BIO *out = NULL, *in = NULL;
1076 int cfd, sfd, ffd, err;
1077 ssize_t chunk_size = 0;
1078 off_t chunk_off = 0;
1082 buf = OPENSSL_zalloc(SENDFILE_SZ);
1083 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1084 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1085 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1088 /* Skip this test if the platform does not support ktls */
1089 if (!ktls_chk_platform(sfd)) {
1094 /* Create a session based on SHA-256 */
1095 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1096 TLS_client_method(),
1097 TLS1_2_VERSION, TLS1_2_VERSION,
1098 &sctx, &cctx, cert, privkey))
1099 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1100 "AES128-GCM-SHA256"))
1101 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1102 &clientssl, sfd, cfd)))
1105 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1107 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1110 RAND_bytes(buf, SENDFILE_SZ);
1111 out = BIO_new_file(tmpfilename, "wb");
1115 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1120 in = BIO_new_file(tmpfilename, "rb");
1121 BIO_get_fp(in, &ffdp);
1124 while (chunk_off < SENDFILE_SZ) {
1125 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1126 while ((err = SSL_sendfile(serverssl,
1130 0)) != chunk_size) {
1131 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1134 while ((err = SSL_read(clientssl,
1135 buf_dst + chunk_off,
1136 chunk_size)) != chunk_size) {
1137 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1141 /* verify the payload */
1142 if (!TEST_mem_eq(buf_dst + chunk_off,
1148 chunk_off += chunk_size;
1154 SSL_shutdown(clientssl);
1155 SSL_free(clientssl);
1158 SSL_shutdown(serverssl);
1159 SSL_free(serverssl);
1163 serverssl = clientssl = NULL;
1167 OPENSSL_free(buf_dst);
1171 static int test_ktls_no_txrx_client_no_txrx_server(void)
1173 return execute_test_ktls(0, 0, 0, 0);
1176 static int test_ktls_no_rx_client_no_txrx_server(void)
1178 return execute_test_ktls(1, 0, 0, 0);
1181 static int test_ktls_no_tx_client_no_txrx_server(void)
1183 return execute_test_ktls(0, 1, 0, 0);
1186 static int test_ktls_client_no_txrx_server(void)
1188 return execute_test_ktls(1, 1, 0, 0);
1191 static int test_ktls_no_txrx_client_no_rx_server(void)
1193 return execute_test_ktls(0, 0, 1, 0);
1196 static int test_ktls_no_rx_client_no_rx_server(void)
1198 return execute_test_ktls(1, 0, 1, 0);
1201 static int test_ktls_no_tx_client_no_rx_server(void)
1203 return execute_test_ktls(0, 1, 1, 0);
1206 static int test_ktls_client_no_rx_server(void)
1208 return execute_test_ktls(1, 1, 1, 0);
1211 static int test_ktls_no_txrx_client_no_tx_server(void)
1213 return execute_test_ktls(0, 0, 0, 1);
1216 static int test_ktls_no_rx_client_no_tx_server(void)
1218 return execute_test_ktls(1, 0, 0, 1);
1221 static int test_ktls_no_tx_client_no_tx_server(void)
1223 return execute_test_ktls(0, 1, 0, 1);
1226 static int test_ktls_client_no_tx_server(void)
1228 return execute_test_ktls(1, 1, 0, 1);
1231 static int test_ktls_no_txrx_client_server(void)
1233 return execute_test_ktls(0, 0, 1, 1);
1236 static int test_ktls_no_rx_client_server(void)
1238 return execute_test_ktls(1, 0, 1, 1);
1241 static int test_ktls_no_tx_client_server(void)
1243 return execute_test_ktls(0, 1, 1, 1);
1246 static int test_ktls_client_server(void)
1248 return execute_test_ktls(1, 1, 1, 1);
1252 static int test_large_message_tls(void)
1254 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1255 TLS1_VERSION, 0, 0);
1258 static int test_large_message_tls_read_ahead(void)
1260 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1261 TLS1_VERSION, 0, 1);
1264 #ifndef OPENSSL_NO_DTLS
1265 static int test_large_message_dtls(void)
1268 * read_ahead is not relevant to DTLS because DTLS always acts as if
1269 * read_ahead is set.
1271 return execute_test_large_message(DTLS_server_method(),
1272 DTLS_client_method(),
1273 DTLS1_VERSION, 0, 0);
1277 #ifndef OPENSSL_NO_OCSP
1278 static int ocsp_server_cb(SSL *s, void *arg)
1280 int *argi = (int *)arg;
1281 unsigned char *copy = NULL;
1282 STACK_OF(OCSP_RESPID) *ids = NULL;
1283 OCSP_RESPID *id = NULL;
1286 /* In this test we are expecting exactly 1 OCSP_RESPID */
1287 SSL_get_tlsext_status_ids(s, &ids);
1288 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1289 return SSL_TLSEXT_ERR_ALERT_FATAL;
1291 id = sk_OCSP_RESPID_value(ids, 0);
1292 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1293 return SSL_TLSEXT_ERR_ALERT_FATAL;
1294 } else if (*argi != 1) {
1295 return SSL_TLSEXT_ERR_ALERT_FATAL;
1298 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1299 return SSL_TLSEXT_ERR_ALERT_FATAL;
1301 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1302 ocsp_server_called = 1;
1303 return SSL_TLSEXT_ERR_OK;
1306 static int ocsp_client_cb(SSL *s, void *arg)
1308 int *argi = (int *)arg;
1309 const unsigned char *respderin;
1312 if (*argi != 1 && *argi != 2)
1315 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1316 if (!TEST_mem_eq(orespder, len, respderin, len))
1319 ocsp_client_called = 1;
1323 static int test_tlsext_status_type(void)
1325 SSL_CTX *cctx = NULL, *sctx = NULL;
1326 SSL *clientssl = NULL, *serverssl = NULL;
1328 STACK_OF(OCSP_RESPID) *ids = NULL;
1329 OCSP_RESPID *id = NULL;
1330 BIO *certbio = NULL;
1332 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1334 &sctx, &cctx, cert, privkey))
1337 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1340 /* First just do various checks getting and setting tlsext_status_type */
1342 clientssl = SSL_new(cctx);
1343 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1344 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1345 TLSEXT_STATUSTYPE_ocsp))
1346 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1347 TLSEXT_STATUSTYPE_ocsp))
1350 SSL_free(clientssl);
1353 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1354 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1357 clientssl = SSL_new(cctx);
1358 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1360 SSL_free(clientssl);
1364 * Now actually do a handshake and check OCSP information is exchanged and
1365 * the callbacks get called
1367 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1368 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1369 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1370 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1372 &clientssl, NULL, NULL))
1373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1375 || !TEST_true(ocsp_client_called)
1376 || !TEST_true(ocsp_server_called))
1378 SSL_free(serverssl);
1379 SSL_free(clientssl);
1383 /* Try again but this time force the server side callback to fail */
1384 ocsp_client_called = 0;
1385 ocsp_server_called = 0;
1387 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1388 &clientssl, NULL, NULL))
1389 /* This should fail because the callback will fail */
1390 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1392 || !TEST_false(ocsp_client_called)
1393 || !TEST_false(ocsp_server_called))
1395 SSL_free(serverssl);
1396 SSL_free(clientssl);
1401 * This time we'll get the client to send an OCSP_RESPID that it will
1404 ocsp_client_called = 0;
1405 ocsp_server_called = 0;
1407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1408 &clientssl, NULL, NULL)))
1412 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1413 * specific one. We'll use the server cert.
1415 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1416 || !TEST_ptr(id = OCSP_RESPID_new())
1417 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1418 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1420 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1421 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1424 SSL_set_tlsext_status_ids(clientssl, ids);
1425 /* Control has been transferred */
1431 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1433 || !TEST_true(ocsp_client_called)
1434 || !TEST_true(ocsp_server_called))
1440 SSL_free(serverssl);
1441 SSL_free(clientssl);
1444 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1445 OCSP_RESPID_free(id);
1447 X509_free(ocspcert);
1454 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1455 static int new_called, remove_called, get_called;
1457 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1461 * sess has been up-refed for us, but we don't actually need it so free it
1464 SSL_SESSION_free(sess);
1468 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1473 static SSL_SESSION *get_sess_val = NULL;
1475 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1480 return get_sess_val;
1483 static int execute_test_session(int maxprot, int use_int_cache,
1486 SSL_CTX *sctx = NULL, *cctx = NULL;
1487 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1488 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1489 # ifndef OPENSSL_NO_TLS1_1
1490 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1492 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1493 int testresult = 0, numnewsesstick = 1;
1495 new_called = remove_called = 0;
1497 /* TLSv1.3 sends 2 NewSessionTickets */
1498 if (maxprot == TLS1_3_VERSION)
1501 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1502 TLS_client_method(), TLS1_VERSION, 0,
1503 &sctx, &cctx, cert, privkey)))
1507 * Only allow the max protocol version so we can force a connection failure
1510 SSL_CTX_set_min_proto_version(cctx, maxprot);
1511 SSL_CTX_set_max_proto_version(cctx, maxprot);
1513 /* Set up session cache */
1514 if (use_ext_cache) {
1515 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1516 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1518 if (use_int_cache) {
1519 /* Also covers instance where both are set */
1520 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1522 SSL_CTX_set_session_cache_mode(cctx,
1523 SSL_SESS_CACHE_CLIENT
1524 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1529 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1531 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1534 /* Should fail because it should already be in the cache */
1535 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1538 && (!TEST_int_eq(new_called, numnewsesstick)
1540 || !TEST_int_eq(remove_called, 0)))
1543 new_called = remove_called = 0;
1544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1545 &clientssl2, NULL, NULL))
1546 || !TEST_true(SSL_set_session(clientssl2, sess1))
1547 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1549 || !TEST_true(SSL_session_reused(clientssl2)))
1552 if (maxprot == TLS1_3_VERSION) {
1554 * In TLSv1.3 we should have created a new session even though we have
1555 * resumed. Since we attempted a resume we should also have removed the
1556 * old ticket from the cache so that we try to only use tickets once.
1559 && (!TEST_int_eq(new_called, 1)
1560 || !TEST_int_eq(remove_called, 1)))
1564 * In TLSv1.2 we expect to have resumed so no sessions added or
1568 && (!TEST_int_eq(new_called, 0)
1569 || !TEST_int_eq(remove_called, 0)))
1573 SSL_SESSION_free(sess1);
1574 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1576 shutdown_ssl_connection(serverssl2, clientssl2);
1577 serverssl2 = clientssl2 = NULL;
1579 new_called = remove_called = 0;
1580 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1581 &clientssl2, NULL, NULL))
1582 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1586 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1590 && (!TEST_int_eq(new_called, numnewsesstick)
1591 || !TEST_int_eq(remove_called, 0)))
1594 new_called = remove_called = 0;
1596 * This should clear sess2 from the cache because it is a "bad" session.
1597 * See SSL_set_session() documentation.
1599 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1602 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1604 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1607 if (use_int_cache) {
1608 /* Should succeeded because it should not already be in the cache */
1609 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1610 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1614 new_called = remove_called = 0;
1615 /* This shouldn't be in the cache so should fail */
1616 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1620 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1623 # if !defined(OPENSSL_NO_TLS1_1)
1624 new_called = remove_called = 0;
1625 /* Force a connection failure */
1626 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1627 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1628 &clientssl3, NULL, NULL))
1629 || !TEST_true(SSL_set_session(clientssl3, sess1))
1630 /* This should fail because of the mismatched protocol versions */
1631 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1635 /* We should have automatically removed the session from the cache */
1637 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1640 /* Should succeed because it should not already be in the cache */
1641 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1645 /* Now do some tests for server side caching */
1646 if (use_ext_cache) {
1647 SSL_CTX_sess_set_new_cb(cctx, NULL);
1648 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1649 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1650 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1651 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1652 get_sess_val = NULL;
1655 SSL_CTX_set_session_cache_mode(cctx, 0);
1656 /* Internal caching is the default on the server side */
1658 SSL_CTX_set_session_cache_mode(sctx,
1659 SSL_SESS_CACHE_SERVER
1660 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1662 SSL_free(serverssl1);
1663 SSL_free(clientssl1);
1664 serverssl1 = clientssl1 = NULL;
1665 SSL_free(serverssl2);
1666 SSL_free(clientssl2);
1667 serverssl2 = clientssl2 = NULL;
1668 SSL_SESSION_free(sess1);
1670 SSL_SESSION_free(sess2);
1673 SSL_CTX_set_max_proto_version(sctx, maxprot);
1674 if (maxprot == TLS1_2_VERSION)
1675 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1676 new_called = remove_called = get_called = 0;
1677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1679 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1681 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1682 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1685 if (use_int_cache) {
1686 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1688 * In TLSv1.3 it should not have been added to the internal cache,
1689 * except in the case where we also have an external cache (in that
1690 * case it gets added to the cache in order to generate remove
1691 * events after timeout).
1693 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1696 /* Should fail because it should already be in the cache */
1697 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1702 if (use_ext_cache) {
1703 SSL_SESSION *tmp = sess2;
1705 if (!TEST_int_eq(new_called, numnewsesstick)
1706 || !TEST_int_eq(remove_called, 0)
1707 || !TEST_int_eq(get_called, 0))
1710 * Delete the session from the internal cache to force a lookup from
1711 * the external cache. We take a copy first because
1712 * SSL_CTX_remove_session() also marks the session as non-resumable.
1714 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1715 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1716 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1718 SSL_SESSION_free(sess2);
1723 new_called = remove_called = get_called = 0;
1724 get_sess_val = sess2;
1725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1726 &clientssl2, NULL, NULL))
1727 || !TEST_true(SSL_set_session(clientssl2, sess1))
1728 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1730 || !TEST_true(SSL_session_reused(clientssl2)))
1733 if (use_ext_cache) {
1734 if (!TEST_int_eq(remove_called, 0))
1737 if (maxprot == TLS1_3_VERSION) {
1738 if (!TEST_int_eq(new_called, 1)
1739 || !TEST_int_eq(get_called, 0))
1742 if (!TEST_int_eq(new_called, 0)
1743 || !TEST_int_eq(get_called, 1))
1751 SSL_free(serverssl1);
1752 SSL_free(clientssl1);
1753 SSL_free(serverssl2);
1754 SSL_free(clientssl2);
1755 # ifndef OPENSSL_NO_TLS1_1
1756 SSL_free(serverssl3);
1757 SSL_free(clientssl3);
1759 SSL_SESSION_free(sess1);
1760 SSL_SESSION_free(sess2);
1766 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1768 static int test_session_with_only_int_cache(void)
1770 #ifndef OPENSSL_NO_TLS1_3
1771 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1775 #ifndef OPENSSL_NO_TLS1_2
1776 return execute_test_session(TLS1_2_VERSION, 1, 0);
1782 static int test_session_with_only_ext_cache(void)
1784 #ifndef OPENSSL_NO_TLS1_3
1785 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1789 #ifndef OPENSSL_NO_TLS1_2
1790 return execute_test_session(TLS1_2_VERSION, 0, 1);
1796 static int test_session_with_both_cache(void)
1798 #ifndef OPENSSL_NO_TLS1_3
1799 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1803 #ifndef OPENSSL_NO_TLS1_2
1804 return execute_test_session(TLS1_2_VERSION, 1, 1);
1810 #ifndef OPENSSL_NO_TLS1_3
1811 static SSL_SESSION *sesscache[6];
1812 static int do_cache;
1814 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1817 sesscache[new_called] = sess;
1819 /* We don't need the reference to the session, so free it */
1820 SSL_SESSION_free(sess);
1827 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1829 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1830 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1833 /* Start handshake on the server and client */
1834 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1835 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1836 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1837 || !TEST_true(create_ssl_connection(sssl, cssl,
1844 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1847 int sess_id_ctx = 1;
1849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1850 TLS_client_method(), TLS1_VERSION, 0,
1851 sctx, cctx, cert, privkey))
1852 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1853 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1854 (void *)&sess_id_ctx,
1855 sizeof(sess_id_ctx))))
1859 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1861 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1862 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1863 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1868 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1870 SSL *serverssl = NULL, *clientssl = NULL;
1873 /* Test that we can resume with all the tickets we got given */
1874 for (i = 0; i < idx * 2; i++) {
1876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1877 &clientssl, NULL, NULL))
1878 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1881 SSL_set_post_handshake_auth(clientssl, 1);
1883 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1888 * Following a successful resumption we only get 1 ticket. After a
1889 * failed one we should get idx tickets.
1892 if (!TEST_true(SSL_session_reused(clientssl))
1893 || !TEST_int_eq(new_called, 1))
1896 if (!TEST_false(SSL_session_reused(clientssl))
1897 || !TEST_int_eq(new_called, idx))
1902 /* After a post-handshake authentication we should get 1 new ticket */
1904 && (!post_handshake_verify(serverssl, clientssl)
1905 || !TEST_int_eq(new_called, 1)))
1908 SSL_shutdown(clientssl);
1909 SSL_shutdown(serverssl);
1910 SSL_free(serverssl);
1911 SSL_free(clientssl);
1912 serverssl = clientssl = NULL;
1913 SSL_SESSION_free(sesscache[i]);
1914 sesscache[i] = NULL;
1920 SSL_free(clientssl);
1921 SSL_free(serverssl);
1925 static int test_tickets(int stateful, int idx)
1927 SSL_CTX *sctx = NULL, *cctx = NULL;
1928 SSL *serverssl = NULL, *clientssl = NULL;
1932 /* idx is the test number, but also the number of tickets we want */
1937 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1940 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1941 &clientssl, NULL, NULL)))
1944 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1946 /* Check we got the number of tickets we were expecting */
1947 || !TEST_int_eq(idx, new_called))
1950 SSL_shutdown(clientssl);
1951 SSL_shutdown(serverssl);
1952 SSL_free(serverssl);
1953 SSL_free(clientssl);
1956 clientssl = serverssl = NULL;
1960 * Now we try to resume with the tickets we previously created. The
1961 * resumption attempt is expected to fail (because we're now using a new
1962 * SSL_CTX). We should see idx number of tickets issued again.
1965 /* Stop caching sessions - just count them */
1968 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1971 if (!check_resumption(idx, sctx, cctx, 0))
1974 /* Start again with caching sessions */
1981 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1985 &clientssl, NULL, NULL)))
1988 SSL_set_post_handshake_auth(clientssl, 1);
1990 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1992 /* Check we got the number of tickets we were expecting */
1993 || !TEST_int_eq(idx, new_called))
1996 /* After a post-handshake authentication we should get new tickets issued */
1997 if (!post_handshake_verify(serverssl, clientssl)
1998 || !TEST_int_eq(idx * 2, new_called))
2001 SSL_shutdown(clientssl);
2002 SSL_shutdown(serverssl);
2003 SSL_free(serverssl);
2004 SSL_free(clientssl);
2005 serverssl = clientssl = NULL;
2007 /* Stop caching sessions - just count them */
2011 * Check we can resume with all the tickets we created. This time around the
2012 * resumptions should all be successful.
2014 if (!check_resumption(idx, sctx, cctx, 1))
2020 SSL_free(serverssl);
2021 SSL_free(clientssl);
2022 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2023 SSL_SESSION_free(sesscache[j]);
2024 sesscache[j] = NULL;
2032 static int test_stateless_tickets(int idx)
2034 return test_tickets(0, idx);
2037 static int test_stateful_tickets(int idx)
2039 return test_tickets(1, idx);
2042 static int test_psk_tickets(void)
2044 SSL_CTX *sctx = NULL, *cctx = NULL;
2045 SSL *serverssl = NULL, *clientssl = NULL;
2047 int sess_id_ctx = 1;
2049 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2050 TLS_client_method(), TLS1_VERSION, 0,
2051 &sctx, &cctx, NULL, NULL))
2052 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2053 (void *)&sess_id_ctx,
2054 sizeof(sess_id_ctx))))
2057 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2058 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2059 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2060 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2061 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2062 use_session_cb_cnt = 0;
2063 find_session_cb_cnt = 0;
2067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2070 clientpsk = serverpsk = create_a_psk(clientssl);
2071 if (!TEST_ptr(clientpsk))
2073 SSL_SESSION_up_ref(clientpsk);
2075 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2077 || !TEST_int_eq(1, find_session_cb_cnt)
2078 || !TEST_int_eq(1, use_session_cb_cnt)
2079 /* We should always get 1 ticket when using external PSK */
2080 || !TEST_int_eq(1, new_called))
2086 SSL_free(serverssl);
2087 SSL_free(clientssl);
2090 SSL_SESSION_free(clientpsk);
2091 SSL_SESSION_free(serverpsk);
2092 clientpsk = serverpsk = NULL;
2101 #define USE_DEFAULT 3
2103 #define CONNTYPE_CONNECTION_SUCCESS 0
2104 #define CONNTYPE_CONNECTION_FAIL 1
2105 #define CONNTYPE_NO_CONNECTION 2
2107 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2108 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2109 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2110 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2112 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2115 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2116 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2117 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2119 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2136 * Tests calls to SSL_set_bio() under various conditions.
2138 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2139 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2140 * then do more tests where we create a successful connection first using our
2141 * standard connection setup functions, and then call SSL_set_bio() with
2142 * various combinations of valid BIOs or NULL. We then repeat these tests
2143 * following a failed connection. In this last case we are looking to check that
2144 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2146 static int test_ssl_set_bio(int idx)
2148 SSL_CTX *sctx = NULL, *cctx = NULL;
2151 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2152 SSL *serverssl = NULL, *clientssl = NULL;
2153 int initrbio, initwbio, newrbio, newwbio, conntype;
2156 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2164 conntype = CONNTYPE_NO_CONNECTION;
2166 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2167 initrbio = initwbio = USE_DEFAULT;
2175 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2176 TLS_client_method(), TLS1_VERSION, 0,
2177 &sctx, &cctx, cert, privkey)))
2180 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2182 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2183 * because we reduced the number of tests in the definition of
2184 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2185 * mismatched protocol versions we will force a connection failure.
2187 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2188 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2191 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2195 if (initrbio == USE_BIO_1
2196 || initwbio == USE_BIO_1
2197 || newrbio == USE_BIO_1
2198 || newwbio == USE_BIO_1) {
2199 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2203 if (initrbio == USE_BIO_2
2204 || initwbio == USE_BIO_2
2205 || newrbio == USE_BIO_2
2206 || newwbio == USE_BIO_2) {
2207 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2211 if (initrbio != USE_DEFAULT) {
2212 setupbio(&irbio, bio1, bio2, initrbio);
2213 setupbio(&iwbio, bio1, bio2, initwbio);
2214 SSL_set_bio(clientssl, irbio, iwbio);
2217 * We want to maintain our own refs to these BIO, so do an up ref for
2218 * each BIO that will have ownership transferred in the SSL_set_bio()
2223 if (iwbio != NULL && iwbio != irbio)
2227 if (conntype != CONNTYPE_NO_CONNECTION
2228 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2230 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2233 setupbio(&nrbio, bio1, bio2, newrbio);
2234 setupbio(&nwbio, bio1, bio2, newwbio);
2237 * We will (maybe) transfer ownership again so do more up refs.
2238 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2243 && (nwbio != iwbio || nrbio != nwbio))
2247 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2250 SSL_set_bio(clientssl, nrbio, nwbio);
2259 * This test is checking that the ref counting for SSL_set_bio is correct.
2260 * If we get here and we did too many frees then we will fail in the above
2263 SSL_free(serverssl);
2264 SSL_free(clientssl);
2270 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2272 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2274 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2279 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2280 || !TEST_ptr(ssl = SSL_new(ctx))
2281 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2282 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2285 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2288 * If anything goes wrong here then we could leak memory.
2290 BIO_push(sslbio, membio1);
2292 /* Verify changing the rbio/wbio directly does not cause leaks */
2293 if (change_bio != NO_BIO_CHANGE) {
2294 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2296 if (change_bio == CHANGE_RBIO)
2297 SSL_set0_rbio(ssl, membio2);
2299 SSL_set0_wbio(ssl, membio2);
2318 static int test_ssl_bio_pop_next_bio(void)
2320 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2323 static int test_ssl_bio_pop_ssl_bio(void)
2325 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2328 static int test_ssl_bio_change_rbio(void)
2330 return execute_test_ssl_bio(0, CHANGE_RBIO);
2333 static int test_ssl_bio_change_wbio(void)
2335 return execute_test_ssl_bio(0, CHANGE_WBIO);
2338 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2340 /* The list of sig algs */
2342 /* The length of the list */
2344 /* A sigalgs list in string format */
2345 const char *liststr;
2346 /* Whether setting the list should succeed */
2348 /* Whether creating a connection with the list should succeed */
2352 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2353 # ifndef OPENSSL_NO_EC
2354 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2355 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2357 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2358 static const int invalidlist2[] = {NID_sha256, NID_undef};
2359 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2360 static const int invalidlist4[] = {NID_sha256};
2361 static const sigalgs_list testsigalgs[] = {
2362 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2363 # ifndef OPENSSL_NO_EC
2364 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2365 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2367 {NULL, 0, "RSA+SHA256", 1, 1},
2368 # ifndef OPENSSL_NO_EC
2369 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2370 {NULL, 0, "ECDSA+SHA512", 1, 0},
2372 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2373 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2374 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2375 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2376 {NULL, 0, "RSA", 0, 0},
2377 {NULL, 0, "SHA256", 0, 0},
2378 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2379 {NULL, 0, "Invalid", 0, 0}
2382 static int test_set_sigalgs(int idx)
2384 SSL_CTX *cctx = NULL, *sctx = NULL;
2385 SSL *clientssl = NULL, *serverssl = NULL;
2387 const sigalgs_list *curr;
2390 /* Should never happen */
2391 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2394 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2395 curr = testctx ? &testsigalgs[idx]
2396 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2398 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2399 TLS_client_method(), TLS1_VERSION, 0,
2400 &sctx, &cctx, cert, privkey)))
2404 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2405 * for TLSv1.2 for now until we add a new API.
2407 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2412 if (curr->list != NULL)
2413 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2415 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2419 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2425 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2430 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2431 &clientssl, NULL, NULL)))
2437 if (curr->list != NULL)
2438 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2440 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2443 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2452 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2460 SSL_free(serverssl);
2461 SSL_free(clientssl);
2469 #ifndef OPENSSL_NO_TLS1_3
2470 static int psk_client_cb_cnt = 0;
2471 static int psk_server_cb_cnt = 0;
2473 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2474 size_t *idlen, SSL_SESSION **sess)
2476 switch (++use_session_cb_cnt) {
2478 /* The first call should always have a NULL md */
2484 /* The second call should always have an md */
2490 /* We should only be called a maximum of twice */
2494 if (clientpsk != NULL)
2495 SSL_SESSION_up_ref(clientpsk);
2498 *id = (const unsigned char *)pskid;
2499 *idlen = strlen(pskid);
2504 #ifndef OPENSSL_NO_PSK
2505 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2506 unsigned int max_id_len,
2508 unsigned int max_psk_len)
2510 unsigned int psklen = 0;
2512 psk_client_cb_cnt++;
2514 if (strlen(pskid) + 1 > max_id_len)
2517 /* We should only ever be called a maximum of twice per connection */
2518 if (psk_client_cb_cnt > 2)
2521 if (clientpsk == NULL)
2524 /* We'll reuse the PSK we set up for TLSv1.3 */
2525 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2527 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2528 strncpy(id, pskid, max_id_len);
2532 #endif /* OPENSSL_NO_PSK */
2534 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2535 size_t identity_len, SSL_SESSION **sess)
2537 find_session_cb_cnt++;
2539 /* We should only ever be called a maximum of twice per connection */
2540 if (find_session_cb_cnt > 2)
2543 if (serverpsk == NULL)
2546 /* Identity should match that set by the client */
2547 if (strlen(srvid) != identity_len
2548 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2549 /* No PSK found, continue but without a PSK */
2554 SSL_SESSION_up_ref(serverpsk);
2560 #ifndef OPENSSL_NO_PSK
2561 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2562 unsigned char *psk, unsigned int max_psk_len)
2564 unsigned int psklen = 0;
2566 psk_server_cb_cnt++;
2568 /* We should only ever be called a maximum of twice per connection */
2569 if (find_session_cb_cnt > 2)
2572 if (serverpsk == NULL)
2575 /* Identity should match that set by the client */
2576 if (strcmp(srvid, identity) != 0) {
2580 /* We'll reuse the PSK we set up for TLSv1.3 */
2581 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2583 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2587 #endif /* OPENSSL_NO_PSK */
2589 #define MSG1 "Hello"
2590 #define MSG2 "World."
2595 #define MSG7 "message."
2597 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2598 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2601 static SSL_SESSION *create_a_psk(SSL *ssl)
2603 const SSL_CIPHER *cipher = NULL;
2604 const unsigned char key[] = {
2605 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2606 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2607 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2608 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2609 0x2c, 0x2d, 0x2e, 0x2f
2611 SSL_SESSION *sess = NULL;
2613 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2614 sess = SSL_SESSION_new();
2616 || !TEST_ptr(cipher)
2617 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2619 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2621 SSL_SESSION_set_protocol_version(sess,
2623 SSL_SESSION_free(sess);
2630 * Helper method to setup objects for early data test. Caller frees objects on
2633 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2634 SSL **serverssl, SSL_SESSION **sess, int idx)
2637 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2638 TLS_client_method(),
2640 sctx, cctx, cert, privkey)))
2643 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2647 /* When idx == 1 we repeat the tests with read_ahead set */
2648 SSL_CTX_set_read_ahead(*cctx, 1);
2649 SSL_CTX_set_read_ahead(*sctx, 1);
2650 } else if (idx == 2) {
2651 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2652 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2653 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2654 use_session_cb_cnt = 0;
2655 find_session_cb_cnt = 0;
2659 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2664 * For one of the run throughs (doesn't matter which one), we'll try sending
2665 * some SNI data in the initial ClientHello. This will be ignored (because
2666 * there is no SNI cb set up by the server), so it should not impact
2670 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2674 clientpsk = create_a_psk(*clientssl);
2675 if (!TEST_ptr(clientpsk)
2677 * We just choose an arbitrary value for max_early_data which
2678 * should be big enough for testing purposes.
2680 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2682 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2683 SSL_SESSION_free(clientpsk);
2687 serverpsk = clientpsk;
2690 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2691 SSL_SESSION_free(clientpsk);
2692 SSL_SESSION_free(serverpsk);
2693 clientpsk = serverpsk = NULL;
2704 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2708 *sess = SSL_get1_session(*clientssl);
2709 SSL_shutdown(*clientssl);
2710 SSL_shutdown(*serverssl);
2711 SSL_free(*serverssl);
2712 SSL_free(*clientssl);
2713 *serverssl = *clientssl = NULL;
2715 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2716 clientssl, NULL, NULL))
2717 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2723 static int test_early_data_read_write(int idx)
2725 SSL_CTX *cctx = NULL, *sctx = NULL;
2726 SSL *clientssl = NULL, *serverssl = NULL;
2728 SSL_SESSION *sess = NULL;
2729 unsigned char buf[20], data[1024];
2730 size_t readbytes, written, eoedlen, rawread, rawwritten;
2733 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2734 &serverssl, &sess, idx)))
2737 /* Write and read some early data */
2738 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2740 || !TEST_size_t_eq(written, strlen(MSG1))
2741 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2742 sizeof(buf), &readbytes),
2743 SSL_READ_EARLY_DATA_SUCCESS)
2744 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2745 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2746 SSL_EARLY_DATA_ACCEPTED))
2750 * Server should be able to write data, and client should be able to
2753 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2755 || !TEST_size_t_eq(written, strlen(MSG2))
2756 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2757 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2760 /* Even after reading normal data, client should be able write early data */
2761 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2763 || !TEST_size_t_eq(written, strlen(MSG3)))
2766 /* Server should still be able read early data after writing data */
2767 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2769 SSL_READ_EARLY_DATA_SUCCESS)
2770 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2773 /* Write more data from server and read it from client */
2774 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2776 || !TEST_size_t_eq(written, strlen(MSG4))
2777 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2778 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2782 * If client writes normal data it should mean writing early data is no
2785 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2786 || !TEST_size_t_eq(written, strlen(MSG5))
2787 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2788 SSL_EARLY_DATA_ACCEPTED))
2792 * At this point the client has written EndOfEarlyData, ClientFinished and
2793 * normal (fully protected) data. We are going to cause a delay between the
2794 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2795 * in the read BIO, and then just put back the EndOfEarlyData message.
2797 rbio = SSL_get_rbio(serverssl);
2798 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2799 || !TEST_size_t_lt(rawread, sizeof(data))
2800 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2803 /* Record length is in the 4th and 5th bytes of the record header */
2804 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2805 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2806 || !TEST_size_t_eq(rawwritten, eoedlen))
2809 /* Server should be told that there is no more early data */
2810 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2812 SSL_READ_EARLY_DATA_FINISH)
2813 || !TEST_size_t_eq(readbytes, 0))
2817 * Server has not finished init yet, so should still be able to write early
2820 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2822 || !TEST_size_t_eq(written, strlen(MSG6)))
2825 /* Push the ClientFinished and the normal data back into the server rbio */
2826 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2828 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2831 /* Server should be able to read normal data */
2832 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2833 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2836 /* Client and server should not be able to write/read early data now */
2837 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2841 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2843 SSL_READ_EARLY_DATA_ERROR))
2847 /* Client should be able to read the data sent by the server */
2848 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2849 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2853 * Make sure we process the two NewSessionTickets. These arrive
2854 * post-handshake. We attempt reads which we do not expect to return any
2857 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2858 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2862 /* Server should be able to write normal data */
2863 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2864 || !TEST_size_t_eq(written, strlen(MSG7))
2865 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2866 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2869 SSL_SESSION_free(sess);
2870 sess = SSL_get1_session(clientssl);
2871 use_session_cb_cnt = 0;
2872 find_session_cb_cnt = 0;
2874 SSL_shutdown(clientssl);
2875 SSL_shutdown(serverssl);
2876 SSL_free(serverssl);
2877 SSL_free(clientssl);
2878 serverssl = clientssl = NULL;
2879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2880 &clientssl, NULL, NULL))
2881 || !TEST_true(SSL_set_session(clientssl, sess)))
2884 /* Write and read some early data */
2885 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2887 || !TEST_size_t_eq(written, strlen(MSG1))
2888 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2890 SSL_READ_EARLY_DATA_SUCCESS)
2891 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2894 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2895 || !TEST_int_gt(SSL_accept(serverssl), 0))
2898 /* Client and server should not be able to write/read early data now */
2899 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2903 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2905 SSL_READ_EARLY_DATA_ERROR))
2909 /* Client and server should be able to write/read normal data */
2910 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2911 || !TEST_size_t_eq(written, strlen(MSG5))
2912 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2913 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2919 SSL_SESSION_free(sess);
2920 SSL_SESSION_free(clientpsk);
2921 SSL_SESSION_free(serverpsk);
2922 clientpsk = serverpsk = NULL;
2923 SSL_free(serverssl);
2924 SSL_free(clientssl);
2930 static int allow_ed_cb_called = 0;
2932 static int allow_early_data_cb(SSL *s, void *arg)
2934 int *usecb = (int *)arg;
2936 allow_ed_cb_called++;
2945 * idx == 0: Standard early_data setup
2946 * idx == 1: early_data setup using read_ahead
2947 * usecb == 0: Don't use a custom early data callback
2948 * usecb == 1: Use a custom early data callback and reject the early data
2949 * usecb == 2: Use a custom early data callback and accept the early data
2950 * confopt == 0: Configure anti-replay directly
2951 * confopt == 1: Configure anti-replay using SSL_CONF
2953 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2955 SSL_CTX *cctx = NULL, *sctx = NULL;
2956 SSL *clientssl = NULL, *serverssl = NULL;
2958 SSL_SESSION *sess = NULL;
2959 size_t readbytes, written;
2960 unsigned char buf[20];
2962 allow_ed_cb_called = 0;
2964 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2965 TLS_client_method(), TLS1_VERSION, 0,
2966 &sctx, &cctx, cert, privkey)))
2971 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2973 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2975 if (!TEST_ptr(confctx))
2977 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2978 | SSL_CONF_FLAG_SERVER);
2979 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2980 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2982 SSL_CONF_CTX_free(confctx);
2985 SSL_CONF_CTX_free(confctx);
2987 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2990 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2991 &serverssl, &sess, idx)))
2995 * The server is configured to accept early data. Create a connection to
2996 * "use up" the ticket
2998 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2999 || !TEST_true(SSL_session_reused(clientssl)))
3002 SSL_shutdown(clientssl);
3003 SSL_shutdown(serverssl);
3004 SSL_free(serverssl);
3005 SSL_free(clientssl);
3006 serverssl = clientssl = NULL;
3008 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3009 &clientssl, NULL, NULL))
3010 || !TEST_true(SSL_set_session(clientssl, sess)))
3013 /* Write and read some early data */
3014 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3016 || !TEST_size_t_eq(written, strlen(MSG1)))
3020 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3022 SSL_READ_EARLY_DATA_FINISH)
3024 * The ticket was reused, so the we should have rejected the
3027 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3028 SSL_EARLY_DATA_REJECTED))
3031 /* In this case the callback decides to accept the early data */
3032 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3034 SSL_READ_EARLY_DATA_SUCCESS)
3035 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3037 * Server will have sent its flight so client can now send
3038 * end of early data and complete its half of the handshake
3040 || !TEST_int_gt(SSL_connect(clientssl), 0)
3041 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3043 SSL_READ_EARLY_DATA_FINISH)
3044 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3045 SSL_EARLY_DATA_ACCEPTED))
3049 /* Complete the connection */
3050 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3051 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3052 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3058 SSL_SESSION_free(sess);
3059 SSL_SESSION_free(clientpsk);
3060 SSL_SESSION_free(serverpsk);
3061 clientpsk = serverpsk = NULL;
3062 SSL_free(serverssl);
3063 SSL_free(clientssl);
3069 static int test_early_data_replay(int idx)
3071 int ret = 1, usecb, confopt;
3073 for (usecb = 0; usecb < 3; usecb++) {
3074 for (confopt = 0; confopt < 2; confopt++)
3075 ret &= test_early_data_replay_int(idx, usecb, confopt);
3082 * Helper function to test that a server attempting to read early data can
3083 * handle a connection from a client where the early data should be skipped.
3084 * testtype: 0 == No HRR
3085 * testtype: 1 == HRR
3086 * testtype: 2 == HRR, invalid early_data sent after HRR
3087 * testtype: 3 == recv_max_early_data set to 0
3089 static int early_data_skip_helper(int testtype, int idx)
3091 SSL_CTX *cctx = NULL, *sctx = NULL;
3092 SSL *clientssl = NULL, *serverssl = NULL;
3094 SSL_SESSION *sess = NULL;
3095 unsigned char buf[20];
3096 size_t readbytes, written;
3098 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3099 &serverssl, &sess, idx)))
3102 if (testtype == 1 || testtype == 2) {
3103 /* Force an HRR to occur */
3104 #if defined(OPENSSL_NO_EC)
3105 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3108 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3111 } else if (idx == 2) {
3113 * We force early_data rejection by ensuring the PSK identity is
3116 srvid = "Dummy Identity";
3119 * Deliberately corrupt the creation time. We take 20 seconds off the
3120 * time. It could be any value as long as it is not within tolerance.
3121 * This should mean the ticket is rejected.
3123 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3128 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3131 /* Write some early data */
3132 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3134 || !TEST_size_t_eq(written, strlen(MSG1)))
3137 /* Server should reject the early data */
3138 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3140 SSL_READ_EARLY_DATA_FINISH)
3141 || !TEST_size_t_eq(readbytes, 0)
3142 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3143 SSL_EARLY_DATA_REJECTED))
3153 * Finish off the handshake. We perform the same writes and reads as
3154 * further down but we expect them to fail due to the incomplete
3157 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3158 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3165 BIO *wbio = SSL_get_wbio(clientssl);
3166 /* A record that will appear as bad early_data */
3167 const unsigned char bad_early_data[] = {
3168 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3172 * We force the client to attempt a write. This will fail because
3173 * we're still in the handshake. It will cause the second
3174 * ClientHello to be sent.
3176 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3181 * Inject some early_data after the second ClientHello. This should
3182 * cause the server to fail
3184 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3185 sizeof(bad_early_data), &written)))
3192 * This client has sent more early_data than we are willing to skip
3193 * (case 3) or sent invalid early_data (case 2) so the connection should
3196 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3197 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3200 /* Connection has failed - nothing more to do */
3205 TEST_error("Invalid test type");
3210 * Should be able to send normal data despite rejection of early data. The
3211 * early_data should be skipped.
3213 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3214 || !TEST_size_t_eq(written, strlen(MSG2))
3215 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3216 SSL_EARLY_DATA_REJECTED)
3217 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3218 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3224 SSL_SESSION_free(clientpsk);
3225 SSL_SESSION_free(serverpsk);
3226 clientpsk = serverpsk = NULL;
3227 SSL_SESSION_free(sess);
3228 SSL_free(serverssl);
3229 SSL_free(clientssl);
3236 * Test that a server attempting to read early data can handle a connection
3237 * from a client where the early data is not acceptable.
3239 static int test_early_data_skip(int idx)
3241 return early_data_skip_helper(0, idx);
3245 * Test that a server attempting to read early data can handle a connection
3246 * from a client where an HRR occurs.
3248 static int test_early_data_skip_hrr(int idx)
3250 return early_data_skip_helper(1, idx);
3254 * Test that a server attempting to read early data can handle a connection
3255 * from a client where an HRR occurs and correctly fails if early_data is sent
3258 static int test_early_data_skip_hrr_fail(int idx)
3260 return early_data_skip_helper(2, idx);
3264 * Test that a server attempting to read early data will abort if it tries to
3265 * skip over too much.
3267 static int test_early_data_skip_abort(int idx)
3269 return early_data_skip_helper(3, idx);
3273 * Test that a server attempting to read early data can handle a connection
3274 * from a client that doesn't send any.
3276 static int test_early_data_not_sent(int idx)
3278 SSL_CTX *cctx = NULL, *sctx = NULL;
3279 SSL *clientssl = NULL, *serverssl = NULL;
3281 SSL_SESSION *sess = NULL;
3282 unsigned char buf[20];
3283 size_t readbytes, written;
3285 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3286 &serverssl, &sess, idx)))
3289 /* Write some data - should block due to handshake with server */
3290 SSL_set_connect_state(clientssl);
3291 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3294 /* Server should detect that early data has not been sent */
3295 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3297 SSL_READ_EARLY_DATA_FINISH)
3298 || !TEST_size_t_eq(readbytes, 0)
3299 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3300 SSL_EARLY_DATA_NOT_SENT)
3301 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3302 SSL_EARLY_DATA_NOT_SENT))
3305 /* Continue writing the message we started earlier */
3306 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3307 || !TEST_size_t_eq(written, strlen(MSG1))
3308 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3309 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3310 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3311 || !TEST_size_t_eq(written, strlen(MSG2)))
3314 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3315 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3321 SSL_SESSION_free(sess);
3322 SSL_SESSION_free(clientpsk);
3323 SSL_SESSION_free(serverpsk);
3324 clientpsk = serverpsk = NULL;
3325 SSL_free(serverssl);
3326 SSL_free(clientssl);
3332 static const char *servalpn;
3334 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3335 unsigned char *outlen, const unsigned char *in,
3336 unsigned int inlen, void *arg)
3338 unsigned int protlen = 0;
3339 const unsigned char *prot;
3341 for (prot = in; prot < in + inlen; prot += protlen) {
3343 if (in + inlen < prot + protlen)
3344 return SSL_TLSEXT_ERR_NOACK;
3346 if (protlen == strlen(servalpn)
3347 && memcmp(prot, servalpn, protlen) == 0) {
3350 return SSL_TLSEXT_ERR_OK;
3354 return SSL_TLSEXT_ERR_NOACK;
3357 /* Test that a PSK can be used to send early_data */
3358 static int test_early_data_psk(int idx)
3360 SSL_CTX *cctx = NULL, *sctx = NULL;
3361 SSL *clientssl = NULL, *serverssl = NULL;
3363 SSL_SESSION *sess = NULL;
3364 unsigned char alpnlist[] = {
3365 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3368 #define GOODALPNLEN 9
3369 #define BADALPNLEN 8
3370 #define GOODALPN (alpnlist)
3371 #define BADALPN (alpnlist + GOODALPNLEN)
3373 unsigned char buf[20];
3374 size_t readbytes, written;
3375 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3376 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3378 /* We always set this up with a final parameter of "2" for PSK */
3379 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3380 &serverssl, &sess, 2)))
3383 servalpn = "goodalpn";
3386 * Note: There is no test for inconsistent SNI with late client detection.
3387 * This is because servers do not acknowledge SNI even if they are using
3388 * it in a resumption handshake - so it is not actually possible for a
3389 * client to detect a problem.
3393 /* Set inconsistent SNI (early client detection) */
3394 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3395 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3396 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3401 /* Set inconsistent ALPN (early client detection) */
3402 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3403 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3404 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3406 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3413 * Set invalid protocol version. Technically this affects PSKs without
3414 * early_data too, but we test it here because it is similar to the
3415 * SNI/ALPN consistency tests.
3417 err = SSL_R_BAD_PSK;
3418 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3424 * Set inconsistent SNI (server side). In this case the connection
3425 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3426 * is associated with each handshake - not the session. Therefore it
3427 * should not matter that we used a different server name last time.
3429 SSL_SESSION_free(serverpsk);
3430 serverpsk = SSL_SESSION_dup(clientpsk);
3431 if (!TEST_ptr(serverpsk)
3432 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3436 /* Set consistent SNI */
3437 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3438 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3439 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3446 * Set inconsistent ALPN (server detected). In this case the connection
3447 * will succeed but reject early_data.
3449 servalpn = "badalpn";
3450 edstatus = SSL_EARLY_DATA_REJECTED;
3451 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3455 * Set consistent ALPN.
3456 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3457 * accepts a list of protos (each one length prefixed).
3458 * SSL_set1_alpn_selected accepts a single protocol (not length
3461 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3463 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3467 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3471 /* Set inconsistent ALPN (late client detection) */
3472 SSL_SESSION_free(serverpsk);
3473 serverpsk = SSL_SESSION_dup(clientpsk);
3474 if (!TEST_ptr(serverpsk)
3475 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3478 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3481 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3484 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3485 edstatus = SSL_EARLY_DATA_ACCEPTED;
3486 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3487 /* SSL_connect() call should fail */
3492 TEST_error("Bad test index");
3496 SSL_set_connect_state(clientssl);
3498 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3500 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3501 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3504 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3508 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3509 &readbytes), readearlyres)
3510 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3511 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3512 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3513 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3520 SSL_SESSION_free(sess);
3521 SSL_SESSION_free(clientpsk);
3522 SSL_SESSION_free(serverpsk);
3523 clientpsk = serverpsk = NULL;
3524 SSL_free(serverssl);
3525 SSL_free(clientssl);
3532 * Test that a server that doesn't try to read early data can handle a
3533 * client sending some.
3535 static int test_early_data_not_expected(int idx)
3537 SSL_CTX *cctx = NULL, *sctx = NULL;
3538 SSL *clientssl = NULL, *serverssl = NULL;
3540 SSL_SESSION *sess = NULL;
3541 unsigned char buf[20];
3542 size_t readbytes, written;
3544 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3545 &serverssl, &sess, idx)))
3548 /* Write some early data */
3549 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3554 * Server should skip over early data and then block waiting for client to
3555 * continue handshake
3557 if (!TEST_int_le(SSL_accept(serverssl), 0)
3558 || !TEST_int_gt(SSL_connect(clientssl), 0)
3559 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3560 SSL_EARLY_DATA_REJECTED)
3561 || !TEST_int_gt(SSL_accept(serverssl), 0)
3562 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3563 SSL_EARLY_DATA_REJECTED))
3566 /* Send some normal data from client to server */
3567 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3568 || !TEST_size_t_eq(written, strlen(MSG2)))
3571 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3572 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3578 SSL_SESSION_free(sess);
3579 SSL_SESSION_free(clientpsk);
3580 SSL_SESSION_free(serverpsk);
3581 clientpsk = serverpsk = NULL;
3582 SSL_free(serverssl);
3583 SSL_free(clientssl);
3590 # ifndef OPENSSL_NO_TLS1_2
3592 * Test that a server attempting to read early data can handle a connection
3593 * from a TLSv1.2 client.
3595 static int test_early_data_tls1_2(int idx)
3597 SSL_CTX *cctx = NULL, *sctx = NULL;
3598 SSL *clientssl = NULL, *serverssl = NULL;
3600 unsigned char buf[20];
3601 size_t readbytes, written;
3603 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3604 &serverssl, NULL, idx)))
3607 /* Write some data - should block due to handshake with server */
3608 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3609 SSL_set_connect_state(clientssl);
3610 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3614 * Server should do TLSv1.2 handshake. First it will block waiting for more
3615 * messages from client after ServerDone. Then SSL_read_early_data should
3616 * finish and detect that early data has not been sent
3618 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3620 SSL_READ_EARLY_DATA_ERROR))
3624 * Continue writing the message we started earlier. Will still block waiting
3625 * for the CCS/Finished from server
3627 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3628 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3630 SSL_READ_EARLY_DATA_FINISH)
3631 || !TEST_size_t_eq(readbytes, 0)
3632 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3633 SSL_EARLY_DATA_NOT_SENT))
3636 /* Continue writing the message we started earlier */
3637 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3638 || !TEST_size_t_eq(written, strlen(MSG1))
3639 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3640 SSL_EARLY_DATA_NOT_SENT)
3641 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3642 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3643 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3644 || !TEST_size_t_eq(written, strlen(MSG2))
3645 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3646 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3652 SSL_SESSION_free(clientpsk);
3653 SSL_SESSION_free(serverpsk);
3654 clientpsk = serverpsk = NULL;
3655 SSL_free(serverssl);
3656 SSL_free(clientssl);
3662 # endif /* OPENSSL_NO_TLS1_2 */
3665 * Test configuring the TLSv1.3 ciphersuites
3667 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3668 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3669 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3670 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3671 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3672 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3673 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3674 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3675 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3676 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3678 static int test_set_ciphersuite(int idx)
3680 SSL_CTX *cctx = NULL, *sctx = NULL;
3681 SSL *clientssl = NULL, *serverssl = NULL;
3684 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3685 TLS_client_method(), TLS1_VERSION, 0,
3686 &sctx, &cctx, cert, privkey))
3687 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3688 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3691 if (idx >=4 && idx <= 7) {
3692 /* SSL_CTX explicit cipher list */
3693 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3697 if (idx == 0 || idx == 4) {
3698 /* Default ciphersuite */
3699 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3700 "TLS_AES_128_GCM_SHA256")))
3702 } else if (idx == 1 || idx == 5) {
3703 /* Non default ciphersuite */
3704 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3705 "TLS_AES_128_CCM_SHA256")))
3709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3710 &clientssl, NULL, NULL)))
3713 if (idx == 8 || idx == 9) {
3714 /* SSL explicit cipher list */
3715 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3719 if (idx == 2 || idx == 6 || idx == 8) {
3720 /* Default ciphersuite */
3721 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3722 "TLS_AES_128_GCM_SHA256")))
3724 } else if (idx == 3 || idx == 7 || idx == 9) {
3725 /* Non default ciphersuite */
3726 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3727 "TLS_AES_128_CCM_SHA256")))
3731 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3737 SSL_free(serverssl);
3738 SSL_free(clientssl);
3745 static int test_ciphersuite_change(void)
3747 SSL_CTX *cctx = NULL, *sctx = NULL;
3748 SSL *clientssl = NULL, *serverssl = NULL;
3749 SSL_SESSION *clntsess = NULL;
3751 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3753 /* Create a session based on SHA-256 */
3754 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3755 TLS_client_method(), TLS1_VERSION, 0,
3756 &sctx, &cctx, cert, privkey))
3757 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3758 "TLS_AES_128_GCM_SHA256:"
3759 "TLS_AES_256_GCM_SHA384:"
3760 "TLS_AES_128_CCM_SHA256"))
3761 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3762 "TLS_AES_128_GCM_SHA256"))
3763 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3764 &clientssl, NULL, NULL))
3765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3769 clntsess = SSL_get1_session(clientssl);
3770 /* Save for later */
3771 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3772 SSL_shutdown(clientssl);
3773 SSL_shutdown(serverssl);
3774 SSL_free(serverssl);
3775 SSL_free(clientssl);
3776 serverssl = clientssl = NULL;
3778 /* Check we can resume a session with a different SHA-256 ciphersuite */
3779 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3780 "TLS_AES_128_CCM_SHA256"))
3781 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3782 &clientssl, NULL, NULL))
3783 || !TEST_true(SSL_set_session(clientssl, clntsess))
3784 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3786 || !TEST_true(SSL_session_reused(clientssl)))
3789 SSL_SESSION_free(clntsess);
3790 clntsess = SSL_get1_session(clientssl);
3791 SSL_shutdown(clientssl);
3792 SSL_shutdown(serverssl);
3793 SSL_free(serverssl);
3794 SSL_free(clientssl);
3795 serverssl = clientssl = NULL;
3798 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3799 * succeeds but does not resume.
3801 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3802 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3804 || !TEST_true(SSL_set_session(clientssl, clntsess))
3805 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3807 || !TEST_false(SSL_session_reused(clientssl)))
3810 SSL_SESSION_free(clntsess);
3812 SSL_shutdown(clientssl);
3813 SSL_shutdown(serverssl);
3814 SSL_free(serverssl);
3815 SSL_free(clientssl);
3816 serverssl = clientssl = NULL;
3818 /* Create a session based on SHA384 */
3819 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3820 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3821 &clientssl, NULL, NULL))
3822 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3826 clntsess = SSL_get1_session(clientssl);
3827 SSL_shutdown(clientssl);
3828 SSL_shutdown(serverssl);
3829 SSL_free(serverssl);
3830 SSL_free(clientssl);
3831 serverssl = clientssl = NULL;
3833 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3834 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3835 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3836 "TLS_AES_256_GCM_SHA384"))
3837 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3839 || !TEST_true(SSL_set_session(clientssl, clntsess))
3841 * We use SSL_ERROR_WANT_READ below so that we can pause the
3842 * connection after the initial ClientHello has been sent to
3843 * enable us to make some session changes.
3845 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3846 SSL_ERROR_WANT_READ)))
3849 /* Trick the client into thinking this session is for a different digest */
3850 clntsess->cipher = aes_128_gcm_sha256;
3851 clntsess->cipher_id = clntsess->cipher->id;
3854 * Continue the previously started connection. Server has selected a SHA-384
3855 * ciphersuite, but client thinks the session is for SHA-256, so it should
3858 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3860 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3861 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3867 SSL_SESSION_free(clntsess);
3868 SSL_free(serverssl);
3869 SSL_free(clientssl);
3877 * Test TLSv1.3 Key exchange
3878 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3879 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3880 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3881 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3882 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3883 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3884 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3885 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3886 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3887 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3888 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3889 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3890 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3891 * Test 13 = Test all FFDHE with TLSv1.2 client and server
3893 static int test_key_exchange(int idx)
3895 SSL_CTX *sctx = NULL, *cctx = NULL;
3896 SSL *serverssl = NULL, *clientssl = NULL;
3898 # ifndef OPENSSL_NO_EC
3899 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3900 NID_secp521r1, NID_X25519, NID_X448};
3902 # ifndef OPENSSL_NO_DH
3903 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3904 NID_ffdhe6144, NID_ffdhe8192};
3907 int *kexch_groups = &kexch_alg;
3908 int kexch_groups_size = 1;
3909 int max_version = TLS1_3_VERSION;
3912 # ifndef OPENSSL_NO_EC
3913 # ifndef OPENSSL_NO_TLS1_2
3915 max_version = TLS1_2_VERSION;
3919 kexch_groups = ecdhe_kexch_groups;
3920 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3923 kexch_alg = NID_X9_62_prime256v1;
3926 kexch_alg = NID_secp384r1;
3929 kexch_alg = NID_secp521r1;
3932 kexch_alg = NID_X25519;
3935 kexch_alg = NID_X448;
3938 # ifndef OPENSSL_NO_DH
3939 # ifndef OPENSSL_NO_TLS1_2
3941 max_version = TLS1_2_VERSION;
3945 kexch_groups = ffdhe_kexch_groups;
3946 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3949 kexch_alg = NID_ffdhe2048;
3952 kexch_alg = NID_ffdhe3072;
3955 kexch_alg = NID_ffdhe4096;
3958 kexch_alg = NID_ffdhe6144;
3961 kexch_alg = NID_ffdhe8192;
3965 /* We're skipping this test */
3969 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3970 TLS_client_method(), TLS1_VERSION,
3971 max_version, &sctx, &cctx, cert,
3975 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3976 TLS1_3_RFC_AES_128_GCM_SHA256)))
3979 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3980 TLS1_3_RFC_AES_128_GCM_SHA256)))
3983 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3984 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3988 * Must include an EC ciphersuite so that we send supported groups in
3991 # ifndef OPENSSL_NO_TLS1_2
3992 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3993 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3994 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3998 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4002 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4003 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4006 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4010 * If Handshake succeeds the negotiated kexch alg should be the first one in
4011 * configured, except in the case of FFDHE groups (idx 13), which are
4012 * TLSv1.3 only so we expect no shared group to exist.
4014 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4015 idx == 13 ? 0 : kexch_groups[0]))
4017 if (max_version == TLS1_3_VERSION) {
4018 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4020 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4026 SSL_free(serverssl);
4027 SSL_free(clientssl);
4034 * Test TLSv1.3 Cipher Suite
4035 * Test 0 = Set TLS1.3 cipher on context
4036 * Test 1 = Set TLS1.3 cipher on SSL
4037 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4038 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4040 static int test_tls13_ciphersuite(int idx)
4042 SSL_CTX *sctx = NULL, *cctx = NULL;
4043 SSL *serverssl = NULL, *clientssl = NULL;
4044 static const struct {
4045 const char *ciphername;
4048 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4049 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4050 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4051 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4052 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4053 { TLS1_3_RFC_AES_256_GCM_SHA384
4054 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4056 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4058 const char *t13_cipher = NULL;
4059 const char *t12_cipher = NULL;
4060 const char *negotiated_scipher;
4061 const char *negotiated_ccipher;
4077 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4081 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4085 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4086 # ifdef OPENSSL_NO_TLS1_2
4087 if (max_ver == TLS1_2_VERSION)
4090 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4091 if (is_fips && !t13_ciphers[i].fipscapable)
4093 t13_cipher = t13_ciphers[i].ciphername;
4094 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4095 TLS_client_method(),
4096 TLS1_VERSION, max_ver,
4097 &sctx, &cctx, cert, privkey)))
4101 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4102 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4104 if (t12_cipher != NULL) {
4105 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4106 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4113 &clientssl, NULL, NULL)))
4117 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4118 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4120 if (t12_cipher != NULL) {
4121 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4122 || !TEST_true(SSL_set_cipher_list(clientssl,
4128 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4132 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4134 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4136 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4140 * TEST_strn_eq is used below because t13_cipher can contain
4141 * multiple ciphersuites
4143 if (max_ver == TLS1_3_VERSION
4144 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4145 strlen(negotiated_scipher)))
4148 # ifndef OPENSSL_NO_TLS1_2
4149 /* Below validation is not done when t12_cipher is NULL */
4150 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4151 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4155 SSL_free(serverssl);
4157 SSL_free(clientssl);
4168 SSL_free(serverssl);
4169 SSL_free(clientssl);
4177 * Test 0 = Test new style callbacks
4178 * Test 1 = Test both new and old style callbacks
4179 * Test 2 = Test old style callbacks
4180 * Test 3 = Test old style callbacks with no certificate
4182 static int test_tls13_psk(int idx)
4184 SSL_CTX *sctx = NULL, *cctx = NULL;
4185 SSL *serverssl = NULL, *clientssl = NULL;
4186 const SSL_CIPHER *cipher = NULL;
4187 const unsigned char key[] = {
4188 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4189 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4190 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4191 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4195 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4196 TLS_client_method(), TLS1_VERSION, 0,
4197 &sctx, &cctx, idx == 3 ? NULL : cert,
4198 idx == 3 ? NULL : privkey)))
4203 * We use a ciphersuite with SHA256 to ease testing old style PSK
4204 * callbacks which will always default to SHA256. This should not be
4205 * necessary if we have no cert/priv key. In that case the server should
4206 * prefer SHA256 automatically.
4208 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4209 "TLS_AES_128_GCM_SHA256")))
4213 * As noted above the server should prefer SHA256 automatically. However
4214 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4215 * code works even if we are testing with only the FIPS provider loaded.
4217 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4218 "TLS_AES_256_GCM_SHA384:"
4219 "TLS_AES_128_GCM_SHA256")))
4224 * Test 0: New style callbacks only
4225 * Test 1: New and old style callbacks (only the new ones should be used)
4226 * Test 2: Old style callbacks only
4228 if (idx == 0 || idx == 1) {
4229 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4230 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4232 #ifndef OPENSSL_NO_PSK
4234 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4235 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4239 use_session_cb_cnt = 0;
4240 find_session_cb_cnt = 0;
4241 psk_client_cb_cnt = 0;
4242 psk_server_cb_cnt = 0;
4246 * Check we can create a connection if callback decides not to send a
4249 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4251 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4253 || !TEST_false(SSL_session_reused(clientssl))
4254 || !TEST_false(SSL_session_reused(serverssl)))
4257 if (idx == 0 || idx == 1) {
4258 if (!TEST_true(use_session_cb_cnt == 1)
4259 || !TEST_true(find_session_cb_cnt == 0)
4261 * If no old style callback then below should be 0
4264 || !TEST_true(psk_client_cb_cnt == idx)
4265 || !TEST_true(psk_server_cb_cnt == 0))
4268 if (!TEST_true(use_session_cb_cnt == 0)
4269 || !TEST_true(find_session_cb_cnt == 0)
4270 || !TEST_true(psk_client_cb_cnt == 1)
4271 || !TEST_true(psk_server_cb_cnt == 0))
4275 shutdown_ssl_connection(serverssl, clientssl);
4276 serverssl = clientssl = NULL;
4277 use_session_cb_cnt = psk_client_cb_cnt = 0;
4280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4284 /* Create the PSK */
4285 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4286 clientpsk = SSL_SESSION_new();
4287 if (!TEST_ptr(clientpsk)
4288 || !TEST_ptr(cipher)
4289 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4291 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4292 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4294 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4296 serverpsk = clientpsk;
4298 /* Check we can create a connection and the PSK is used */
4299 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4300 || !TEST_true(SSL_session_reused(clientssl))
4301 || !TEST_true(SSL_session_reused(serverssl)))
4304 if (idx == 0 || idx == 1) {
4305 if (!TEST_true(use_session_cb_cnt == 1)
4306 || !TEST_true(find_session_cb_cnt == 1)
4307 || !TEST_true(psk_client_cb_cnt == 0)
4308 || !TEST_true(psk_server_cb_cnt == 0))
4311 if (!TEST_true(use_session_cb_cnt == 0)
4312 || !TEST_true(find_session_cb_cnt == 0)
4313 || !TEST_true(psk_client_cb_cnt == 1)
4314 || !TEST_true(psk_server_cb_cnt == 1))
4318 shutdown_ssl_connection(serverssl, clientssl);
4319 serverssl = clientssl = NULL;
4320 use_session_cb_cnt = find_session_cb_cnt = 0;
4321 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4323 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4328 #if defined(OPENSSL_NO_EC)
4329 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4332 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4337 * Check we can create a connection, the PSK is used and the callbacks are
4340 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4341 || !TEST_true(SSL_session_reused(clientssl))
4342 || !TEST_true(SSL_session_reused(serverssl)))
4345 if (idx == 0 || idx == 1) {
4346 if (!TEST_true(use_session_cb_cnt == 2)
4347 || !TEST_true(find_session_cb_cnt == 2)
4348 || !TEST_true(psk_client_cb_cnt == 0)
4349 || !TEST_true(psk_server_cb_cnt == 0))
4352 if (!TEST_true(use_session_cb_cnt == 0)
4353 || !TEST_true(find_session_cb_cnt == 0)
4354 || !TEST_true(psk_client_cb_cnt == 2)
4355 || !TEST_true(psk_server_cb_cnt == 2))
4359 shutdown_ssl_connection(serverssl, clientssl);
4360 serverssl = clientssl = NULL;
4361 use_session_cb_cnt = find_session_cb_cnt = 0;
4362 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4366 * Check that if the server rejects the PSK we can still connect, but with
4369 srvid = "Dummy Identity";
4370 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4372 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4374 || !TEST_false(SSL_session_reused(clientssl))
4375 || !TEST_false(SSL_session_reused(serverssl)))
4378 if (idx == 0 || idx == 1) {
4379 if (!TEST_true(use_session_cb_cnt == 1)
4380 || !TEST_true(find_session_cb_cnt == 1)
4381 || !TEST_true(psk_client_cb_cnt == 0)
4383 * If no old style callback then below should be 0
4386 || !TEST_true(psk_server_cb_cnt == idx))
4389 if (!TEST_true(use_session_cb_cnt == 0)
4390 || !TEST_true(find_session_cb_cnt == 0)
4391 || !TEST_true(psk_client_cb_cnt == 1)
4392 || !TEST_true(psk_server_cb_cnt == 1))
4396 shutdown_ssl_connection(serverssl, clientssl);
4397 serverssl = clientssl = NULL;
4402 SSL_SESSION_free(clientpsk);
4403 SSL_SESSION_free(serverpsk);
4404 clientpsk = serverpsk = NULL;
4405 SSL_free(serverssl);
4406 SSL_free(clientssl);
4412 static unsigned char cookie_magic_value[] = "cookie magic";
4414 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4415 unsigned int *cookie_len)
4418 * Not suitable as a real cookie generation function but good enough for
4421 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4422 *cookie_len = sizeof(cookie_magic_value) - 1;
4427 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4428 unsigned int cookie_len)
4430 if (cookie_len == sizeof(cookie_magic_value) - 1
4431 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4437 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4441 int res = generate_cookie_callback(ssl, cookie, &temp);
4446 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4449 return verify_cookie_callback(ssl, cookie, cookie_len);
4452 static int test_stateless(void)
4454 SSL_CTX *sctx = NULL, *cctx = NULL;
4455 SSL *serverssl = NULL, *clientssl = NULL;
4458 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4459 TLS_client_method(), TLS1_VERSION, 0,
4460 &sctx, &cctx, cert, privkey)))
4463 /* The arrival of CCS messages can confuse the test */
4464 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4466 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4468 /* Send the first ClientHello */
4469 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4470 SSL_ERROR_WANT_READ))
4472 * This should fail with a -1 return because we have no callbacks
4475 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4478 /* Fatal error so abandon the connection from this client */
4479 SSL_free(clientssl);
4482 /* Set up the cookie generation and verification callbacks */
4483 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4484 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4487 * Create a new connection from the client (we can reuse the server SSL
4490 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4492 /* Send the first ClientHello */
4493 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4494 SSL_ERROR_WANT_READ))
4495 /* This should fail because there is no cookie */
4496 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4499 /* Abandon the connection from this client */
4500 SSL_free(clientssl);
4504 * Now create a connection from a new client but with the same server SSL
4507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4509 /* Send the first ClientHello */
4510 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4511 SSL_ERROR_WANT_READ))
4512 /* This should fail because there is no cookie */
4513 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4514 /* Send the second ClientHello */
4515 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4516 SSL_ERROR_WANT_READ))
4517 /* This should succeed because a cookie is now present */
4518 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4519 /* Complete the connection */
4520 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4524 shutdown_ssl_connection(serverssl, clientssl);
4525 serverssl = clientssl = NULL;
4529 SSL_free(serverssl);
4530 SSL_free(clientssl);
4536 #endif /* OPENSSL_NO_TLS1_3 */
4538 static int clntaddoldcb = 0;
4539 static int clntparseoldcb = 0;
4540 static int srvaddoldcb = 0;
4541 static int srvparseoldcb = 0;
4542 static int clntaddnewcb = 0;
4543 static int clntparsenewcb = 0;
4544 static int srvaddnewcb = 0;
4545 static int srvparsenewcb = 0;
4546 static int snicb = 0;
4548 #define TEST_EXT_TYPE1 0xff00
4550 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4551 size_t *outlen, int *al, void *add_arg)
4553 int *server = (int *)add_arg;
4554 unsigned char *data;
4556 if (SSL_is_server(s))
4561 if (*server != SSL_is_server(s)
4562 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4567 *outlen = sizeof(char);
4571 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4574 OPENSSL_free((unsigned char *)out);
4577 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4578 size_t inlen, int *al, void *parse_arg)
4580 int *server = (int *)parse_arg;
4582 if (SSL_is_server(s))
4587 if (*server != SSL_is_server(s)
4588 || inlen != sizeof(char)
4595 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4596 const unsigned char **out, size_t *outlen, X509 *x,
4597 size_t chainidx, int *al, void *add_arg)
4599 int *server = (int *)add_arg;
4600 unsigned char *data;
4602 if (SSL_is_server(s))
4607 if (*server != SSL_is_server(s)
4608 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4613 *outlen = sizeof(*data);
4617 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4618 const unsigned char *out, void *add_arg)
4620 OPENSSL_free((unsigned char *)out);
4623 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4624 const unsigned char *in, size_t inlen, X509 *x,
4625 size_t chainidx, int *al, void *parse_arg)
4627 int *server = (int *)parse_arg;
4629 if (SSL_is_server(s))
4634 if (*server != SSL_is_server(s)
4635 || inlen != sizeof(char) || *in != 1)
4641 static int sni_cb(SSL *s, int *al, void *arg)
4643 SSL_CTX *ctx = (SSL_CTX *)arg;
4645 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4646 *al = SSL_AD_INTERNAL_ERROR;
4647 return SSL_TLSEXT_ERR_ALERT_FATAL;
4650 return SSL_TLSEXT_ERR_OK;
4654 * Custom call back tests.
4655 * Test 0: Old style callbacks in TLSv1.2
4656 * Test 1: New style callbacks in TLSv1.2
4657 * Test 2: New style callbacks in TLSv1.2 with SNI
4658 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4659 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4661 static int test_custom_exts(int tst)
4663 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4664 SSL *clientssl = NULL, *serverssl = NULL;
4666 static int server = 1;
4667 static int client = 0;
4668 SSL_SESSION *sess = NULL;
4669 unsigned int context;
4671 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4672 /* Skip tests for TLSv1.2 and below in this case */
4677 /* Reset callback counters */
4678 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4679 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4682 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4683 TLS_client_method(), TLS1_VERSION, 0,
4684 &sctx, &cctx, cert, privkey)))
4688 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
4690 &sctx2, NULL, cert, privkey)))
4695 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4696 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4698 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4702 context = SSL_EXT_CLIENT_HELLO
4703 | SSL_EXT_TLS1_2_SERVER_HELLO
4704 | SSL_EXT_TLS1_3_SERVER_HELLO
4705 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4706 | SSL_EXT_TLS1_3_CERTIFICATE
4707 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4709 context = SSL_EXT_CLIENT_HELLO
4710 | SSL_EXT_TLS1_2_SERVER_HELLO
4711 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4714 /* Create a client side custom extension */
4716 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4717 old_add_cb, old_free_cb,
4718 &client, old_parse_cb,
4722 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4723 new_add_cb, new_free_cb,
4724 &client, new_parse_cb, &client)))
4728 /* Should not be able to add duplicates */
4729 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4730 old_add_cb, old_free_cb,
4731 &client, old_parse_cb,
4733 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4734 context, new_add_cb,
4735 new_free_cb, &client,
4736 new_parse_cb, &client)))
4739 /* Create a server side custom extension */
4741 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4742 old_add_cb, old_free_cb,
4743 &server, old_parse_cb,
4747 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4748 new_add_cb, new_free_cb,
4749 &server, new_parse_cb, &server)))
4752 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4753 context, new_add_cb,
4754 new_free_cb, &server,
4755 new_parse_cb, &server)))
4759 /* Should not be able to add duplicates */
4760 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4761 old_add_cb, old_free_cb,
4762 &server, old_parse_cb,
4764 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4765 context, new_add_cb,
4766 new_free_cb, &server,
4767 new_parse_cb, &server)))
4772 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4773 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4777 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4778 &clientssl, NULL, NULL))
4779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4784 if (clntaddoldcb != 1
4785 || clntparseoldcb != 1
4787 || srvparseoldcb != 1)
4789 } else if (tst == 1 || tst == 2 || tst == 3) {
4790 if (clntaddnewcb != 1
4791 || clntparsenewcb != 1
4793 || srvparsenewcb != 1
4794 || (tst != 2 && snicb != 0)
4795 || (tst == 2 && snicb != 1))
4798 /* In this case there 2 NewSessionTicket messages created */
4799 if (clntaddnewcb != 1
4800 || clntparsenewcb != 5
4802 || srvparsenewcb != 1)
4806 sess = SSL_get1_session(clientssl);
4807 SSL_shutdown(clientssl);
4808 SSL_shutdown(serverssl);
4809 SSL_free(serverssl);
4810 SSL_free(clientssl);
4811 serverssl = clientssl = NULL;
4814 /* We don't bother with the resumption aspects for this test */
4819 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4821 || !TEST_true(SSL_set_session(clientssl, sess))
4822 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4827 * For a resumed session we expect to add the ClientHello extension. For the
4828 * old style callbacks we ignore it on the server side because they set
4829 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4833 if (clntaddoldcb != 2
4834 || clntparseoldcb != 1
4836 || srvparseoldcb != 1)
4838 } else if (tst == 1 || tst == 2 || tst == 3) {
4839 if (clntaddnewcb != 2
4840 || clntparsenewcb != 2
4842 || srvparsenewcb != 2)
4846 * No Certificate message extensions in the resumption handshake,
4847 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4849 if (clntaddnewcb != 2
4850 || clntparsenewcb != 8
4852 || srvparsenewcb != 2)
4859 SSL_SESSION_free(sess);
4860 SSL_free(serverssl);
4861 SSL_free(clientssl);
4862 SSL_CTX_free(sctx2);
4869 * Test loading of serverinfo data in various formats. test_sslmessages actually
4870 * tests to make sure the extensions appear in the handshake
4872 static int test_serverinfo(int tst)
4874 unsigned int version;
4875 unsigned char *sibuf;
4877 int ret, expected, testresult = 0;
4880 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
4884 if ((tst & 0x01) == 0x01)
4885 version = SSL_SERVERINFOV2;
4887 version = SSL_SERVERINFOV1;
4889 if ((tst & 0x02) == 0x02) {
4890 sibuf = serverinfov2;
4891 sibuflen = sizeof(serverinfov2);
4892 expected = (version == SSL_SERVERINFOV2);
4894 sibuf = serverinfov1;
4895 sibuflen = sizeof(serverinfov1);
4896 expected = (version == SSL_SERVERINFOV1);
4899 if ((tst & 0x04) == 0x04) {
4900 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4902 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4905 * The version variable is irrelevant in this case - it's what is in the
4906 * buffer that matters
4908 if ((tst & 0x02) == 0x02)
4914 if (!TEST_true(ret == expected))
4926 * Test that SSL_export_keying_material() produces expected results. There are
4927 * no test vectors so all we do is test that both sides of the communication
4928 * produce the same results for different protocol versions.
4930 #define SMALL_LABEL_LEN 10
4931 #define LONG_LABEL_LEN 249
4932 static int test_export_key_mat(int tst)
4935 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4936 SSL *clientssl = NULL, *serverssl = NULL;
4937 const char label[LONG_LABEL_LEN + 1] = "test label";
4938 const unsigned char context[] = "context";
4939 const unsigned char *emptycontext = NULL;
4940 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4941 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4943 const int protocols[] = {
4952 #ifdef OPENSSL_NO_TLS1
4956 #ifdef OPENSSL_NO_TLS1_1
4960 if (is_fips && (tst == 0 || tst == 1))
4962 #ifdef OPENSSL_NO_TLS1_2
4966 #ifdef OPENSSL_NO_TLS1_3
4970 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4971 TLS_client_method(), TLS1_VERSION, 0,
4972 &sctx, &cctx, cert, privkey)))
4975 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4976 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4977 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4981 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4987 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4990 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4991 sizeof(ckeymat1), label,
4992 LONG_LABEL_LEN + 1, context,
4993 sizeof(context) - 1, 1), 0))
4998 } else if (tst == 4) {
4999 labellen = LONG_LABEL_LEN;
5001 labellen = SMALL_LABEL_LEN;
5004 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5005 sizeof(ckeymat1), label,
5007 sizeof(context) - 1, 1), 1)
5008 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5009 sizeof(ckeymat2), label,
5013 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5014 sizeof(ckeymat3), label,
5017 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5018 sizeof(skeymat1), label,
5021 sizeof(context) -1, 1),
5023 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5024 sizeof(skeymat2), label,
5028 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5029 sizeof(skeymat3), label,
5033 * Check that both sides created the same key material with the
5036 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5039 * Check that both sides created the same key material with an
5042 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5045 * Check that both sides created the same key material without a
5048 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5050 /* Different contexts should produce different results */
5051 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5056 * Check that an empty context and no context produce different results in
5057 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5059 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5061 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5068 SSL_free(serverssl);
5069 SSL_free(clientssl);
5070 SSL_CTX_free(sctx2);
5077 #ifndef OPENSSL_NO_TLS1_3
5079 * Test that SSL_export_keying_material_early() produces expected
5080 * results. There are no test vectors so all we do is test that both
5081 * sides of the communication produce the same results for different
5082 * protocol versions.
5084 static int test_export_key_mat_early(int idx)
5086 static const char label[] = "test label";
5087 static const unsigned char context[] = "context";
5089 SSL_CTX *cctx = NULL, *sctx = NULL;
5090 SSL *clientssl = NULL, *serverssl = NULL;
5091 SSL_SESSION *sess = NULL;
5092 const unsigned char *emptycontext = NULL;
5093 unsigned char ckeymat1[80], ckeymat2[80];
5094 unsigned char skeymat1[80], skeymat2[80];
5095 unsigned char buf[1];
5096 size_t readbytes, written;
5098 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5102 /* Here writing 0 length early data is enough. */
5103 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5104 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5106 SSL_READ_EARLY_DATA_ERROR)
5107 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5108 SSL_EARLY_DATA_ACCEPTED))
5111 if (!TEST_int_eq(SSL_export_keying_material_early(
5112 clientssl, ckeymat1, sizeof(ckeymat1), label,
5113 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5114 || !TEST_int_eq(SSL_export_keying_material_early(
5115 clientssl, ckeymat2, sizeof(ckeymat2), label,
5116 sizeof(label) - 1, emptycontext, 0), 1)
5117 || !TEST_int_eq(SSL_export_keying_material_early(
5118 serverssl, skeymat1, sizeof(skeymat1), label,
5119 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5120 || !TEST_int_eq(SSL_export_keying_material_early(
5121 serverssl, skeymat2, sizeof(skeymat2), label,
5122 sizeof(label) - 1, emptycontext, 0), 1)
5124 * Check that both sides created the same key material with the
5127 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5130 * Check that both sides created the same key material with an
5133 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5135 /* Different contexts should produce different results */
5136 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5143 SSL_SESSION_free(sess);
5144 SSL_SESSION_free(clientpsk);
5145 SSL_SESSION_free(serverpsk);
5146 clientpsk = serverpsk = NULL;
5147 SSL_free(serverssl);
5148 SSL_free(clientssl);
5155 #define NUM_KEY_UPDATE_MESSAGES 40
5159 static int test_key_update(void)
5161 SSL_CTX *cctx = NULL, *sctx = NULL;
5162 SSL *clientssl = NULL, *serverssl = NULL;
5163 int testresult = 0, i, j;
5165 static char *mess = "A test message";
5167 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5168 TLS_client_method(),
5171 &sctx, &cctx, cert, privkey))
5172 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5174 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5178 for (j = 0; j < 2; j++) {
5179 /* Send lots of KeyUpdate messages */
5180 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5181 if (!TEST_true(SSL_key_update(clientssl,
5183 ? SSL_KEY_UPDATE_NOT_REQUESTED
5184 : SSL_KEY_UPDATE_REQUESTED))
5185 || !TEST_true(SSL_do_handshake(clientssl)))
5189 /* Check that sending and receiving app data is ok */
5190 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5191 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5195 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5196 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5204 SSL_free(serverssl);
5205 SSL_free(clientssl);
5213 * Test we can handle a KeyUpdate (update requested) message while write data
5215 * Test 0: Client sends KeyUpdate while Server is writing
5216 * Test 1: Server sends KeyUpdate while Client is writing
5218 static int test_key_update_in_write(int tst)
5220 SSL_CTX *cctx = NULL, *sctx = NULL;
5221 SSL *clientssl = NULL, *serverssl = NULL;
5224 static char *mess = "A test message";
5225 BIO *bretry = BIO_new(bio_s_always_retry());
5227 SSL *peerupdate = NULL, *peerwrite = NULL;
5229 if (!TEST_ptr(bretry)
5230 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5231 TLS_client_method(),
5234 &sctx, &cctx, cert, privkey))
5235 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5237 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5241 peerupdate = tst == 0 ? clientssl : serverssl;
5242 peerwrite = tst == 0 ? serverssl : clientssl;
5244 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5245 || !TEST_true(SSL_do_handshake(peerupdate)))
5248 /* Swap the writing endpoint's write BIO to force a retry */
5249 tmp = SSL_get_wbio(peerwrite);
5250 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5254 SSL_set0_wbio(peerwrite, bretry);
5257 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5258 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5259 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5262 /* Reinstate the original writing endpoint's write BIO */
5263 SSL_set0_wbio(peerwrite, tmp);
5266 /* Now read some data - we will read the key update */
5267 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5268 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5272 * Complete the write we started previously and read it from the other
5275 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5276 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5279 /* Write more data to ensure we send the KeyUpdate message back */
5280 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5281 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5287 SSL_free(serverssl);
5288 SSL_free(clientssl);
5296 #endif /* OPENSSL_NO_TLS1_3 */
5298 static int test_ssl_clear(int idx)
5300 SSL_CTX *cctx = NULL, *sctx = NULL;
5301 SSL *clientssl = NULL, *serverssl = NULL;
5304 #ifdef OPENSSL_NO_TLS1_2
5309 /* Create an initial connection */
5310 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5311 TLS_client_method(), TLS1_VERSION, 0,
5312 &sctx, &cctx, cert, privkey))
5314 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5316 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5317 &clientssl, NULL, NULL))
5318 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5322 SSL_shutdown(clientssl);
5323 SSL_shutdown(serverssl);
5324 SSL_free(serverssl);
5327 /* Clear clientssl - we're going to reuse the object */
5328 if (!TEST_true(SSL_clear(clientssl)))
5331 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5333 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5335 || !TEST_true(SSL_session_reused(clientssl)))
5338 SSL_shutdown(clientssl);
5339 SSL_shutdown(serverssl);
5344 SSL_free(serverssl);
5345 SSL_free(clientssl);
5352 /* Parse CH and retrieve any MFL extension value if present */
5353 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5356 unsigned char *data;
5357 PACKET pkt, pkt2, pkt3;
5358 unsigned int MFL_code = 0, type = 0;
5360 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5363 memset(&pkt, 0, sizeof(pkt));
5364 memset(&pkt2, 0, sizeof(pkt2));
5365 memset(&pkt3, 0, sizeof(pkt3));
5367 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5368 /* Skip the record header */
5369 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5370 /* Skip the handshake message header */
5371 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5372 /* Skip client version and random */
5373 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5374 + SSL3_RANDOM_SIZE))
5375 /* Skip session id */
5376 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5378 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5379 /* Skip compression */
5380 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5381 /* Extensions len */
5382 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5385 /* Loop through all extensions */
5386 while (PACKET_remaining(&pkt2)) {
5387 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5388 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5391 if (type == TLSEXT_TYPE_max_fragment_length) {
5392 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5393 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5396 *mfl_codemfl_code = MFL_code;
5405 /* Maximum-Fragment-Length TLS extension mode to test */
5406 static const unsigned char max_fragment_len_test[] = {
5407 TLSEXT_max_fragment_length_512,
5408 TLSEXT_max_fragment_length_1024,
5409 TLSEXT_max_fragment_length_2048,
5410 TLSEXT_max_fragment_length_4096
5413 static int test_max_fragment_len_ext(int idx_tst)
5417 int testresult = 0, MFL_mode = 0;
5420 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5424 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5425 ctx, max_fragment_len_test[idx_tst])))
5432 rbio = BIO_new(BIO_s_mem());
5433 wbio = BIO_new(BIO_s_mem());
5434 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5440 SSL_set_bio(con, rbio, wbio);
5441 SSL_set_connect_state(con);
5443 if (!TEST_int_le(SSL_connect(con), 0)) {
5444 /* This shouldn't succeed because we don't have a server! */
5448 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5449 /* no MFL in client hello */
5451 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5463 #ifndef OPENSSL_NO_TLS1_3
5464 static int test_pha_key_update(void)
5466 SSL_CTX *cctx = NULL, *sctx = NULL;
5467 SSL *clientssl = NULL, *serverssl = NULL;
5470 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5471 TLS_client_method(), TLS1_VERSION, 0,
5472 &sctx, &cctx, cert, privkey)))
5475 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5476 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5477 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5478 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5481 SSL_CTX_set_post_handshake_auth(cctx, 1);
5483 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5487 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5491 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5492 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5495 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5498 /* Start handshake on the server */
5499 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5502 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5503 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5507 SSL_shutdown(clientssl);
5508 SSL_shutdown(serverssl);
5513 SSL_free(serverssl);
5514 SSL_free(clientssl);
5521 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5523 static SRP_VBASE *vbase = NULL;
5525 DEFINE_STACK_OF(SRP_user_pwd)
5527 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5529 int ret = SSL3_AL_FATAL;
5531 SRP_user_pwd *user = NULL;
5533 username = SSL_get_srp_username(s);
5534 if (username == NULL) {
5535 *ad = SSL_AD_INTERNAL_ERROR;
5539 user = SRP_VBASE_get1_by_user(vbase, username);
5541 *ad = SSL_AD_INTERNAL_ERROR;
5545 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5547 *ad = SSL_AD_INTERNAL_ERROR;
5554 SRP_user_pwd_free(user);
5558 static int create_new_vfile(char *userid, char *password, const char *filename)
5561 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5564 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5567 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5570 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5571 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
5572 if (!TEST_ptr(gNid))
5576 * The only way to create an empty TXT_DB is to provide a BIO with no data
5579 db = TXT_DB_read(dummy, DB_NUMBER);
5583 out = BIO_new_file(filename, "w");
5587 row[DB_srpid] = OPENSSL_strdup(userid);
5588 row[DB_srptype] = OPENSSL_strdup("V");
5589 row[DB_srpgN] = OPENSSL_strdup(gNid);
5591 if (!TEST_ptr(row[DB_srpid])
5592 || !TEST_ptr(row[DB_srptype])
5593 || !TEST_ptr(row[DB_srpgN])
5594 || !TEST_true(TXT_DB_insert(db, row)))
5599 if (!TXT_DB_write(out, db))
5605 for (i = 0; i < DB_NUMBER; i++)
5606 OPENSSL_free(row[i]);
5616 static int create_new_vbase(char *userid, char *password)
5618 BIGNUM *verifier = NULL, *salt = NULL;
5619 const SRP_gN *lgN = NULL;
5620 SRP_user_pwd *user_pwd = NULL;
5623 lgN = SRP_get_default_gN(NULL);
5627 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5628 lgN->N, lgN->g, libctx, NULL)))
5631 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5632 if (!TEST_ptr(user_pwd))
5635 user_pwd->N = lgN->N;
5636 user_pwd->g = lgN->g;
5637 user_pwd->id = OPENSSL_strdup(userid);
5638 if (!TEST_ptr(user_pwd->id))
5641 user_pwd->v = verifier;
5643 verifier = salt = NULL;
5645 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5651 SRP_user_pwd_free(user_pwd);
5661 * Test 0: Simple successful SRP connection, new vbase
5662 * Test 1: Connection failure due to bad password, new vbase
5663 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5664 * Test 3: Connection failure due to bad password, vbase loaded from existing
5666 * Test 4: Simple successful SRP connection, vbase loaded from new file
5667 * Test 5: Connection failure due to bad password, vbase loaded from new file
5669 static int test_srp(int tst)
5671 char *userid = "test", *password = "password", *tstsrpfile;
5672 SSL_CTX *cctx = NULL, *sctx = NULL;
5673 SSL *clientssl = NULL, *serverssl = NULL;
5674 int ret, testresult = 0;
5676 vbase = SRP_VBASE_new(NULL);
5677 if (!TEST_ptr(vbase))
5680 if (tst == 0 || tst == 1) {
5681 if (!TEST_true(create_new_vbase(userid, password)))
5684 if (tst == 4 || tst == 5) {
5685 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5687 tstsrpfile = tmpfilename;
5689 tstsrpfile = srpvfile;
5691 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5695 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5696 TLS_client_method(), TLS1_VERSION, 0,
5697 &sctx, &cctx, cert, privkey)))
5700 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5701 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5702 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5703 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5704 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5708 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5711 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5715 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5719 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5721 if (!TEST_true(tst % 2 == 0))
5724 if (!TEST_true(tst % 2 == 1))
5731 SRP_VBASE_free(vbase);
5733 SSL_free(serverssl);
5734 SSL_free(clientssl);
5742 static int info_cb_failed = 0;
5743 static int info_cb_offset = 0;
5744 static int info_cb_this_state = -1;
5746 static struct info_cb_states_st {
5748 const char *statestr;
5749 } info_cb_states[][60] = {
5751 /* TLSv1.2 server followed by resumption */
5752 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5753 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5754 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5755 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5756 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5757 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5758 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5759 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5760 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5761 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5762 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5763 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5764 {SSL_CB_EXIT, NULL}, {0, NULL},
5766 /* TLSv1.2 client followed by resumption */
5767 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5768 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5769 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5770 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5771 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5772 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5773 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5774 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5775 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5776 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5777 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5778 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5780 /* TLSv1.3 server followed by resumption */
5781 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5782 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5783 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5784 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5785 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5786 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5787 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5788 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5789 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5790 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5791 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5792 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5793 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5795 /* TLSv1.3 client followed by resumption */
5796 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5797 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5798 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5799 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5800 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5801 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5802 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5803 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5804 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5805 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5806 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5807 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5808 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5809 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5810 {SSL_CB_EXIT, NULL}, {0, NULL},
5812 /* TLSv1.3 server, early_data */
5813 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5814 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5815 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5816 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5817 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5818 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5819 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5820 {SSL_CB_EXIT, NULL}, {0, NULL},
5822 /* TLSv1.3 client, early_data */
5823 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5824 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5825 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5826 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5827 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5828 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5829 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5830 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5831 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5837 static void sslapi_info_callback(const SSL *s, int where, int ret)
5839 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5841 /* We do not ever expect a connection to fail in this test */
5842 if (!TEST_false(ret == 0)) {
5848 * Do some sanity checks. We never expect these things to happen in this
5851 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5852 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5853 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5858 /* Now check we're in the right state */
5859 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5863 if ((where & SSL_CB_LOOP) != 0
5864 && !TEST_int_eq(strcmp(SSL_state_string(s),
5865 state[info_cb_this_state].statestr), 0)) {
5871 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5873 if ((where & SSL_CB_HANDSHAKE_DONE)
5874 && SSL_in_init((SSL *)s) != 0) {
5881 * Test the info callback gets called when we expect it to.
5883 * Test 0: TLSv1.2, server
5884 * Test 1: TLSv1.2, client
5885 * Test 2: TLSv1.3, server
5886 * Test 3: TLSv1.3, client
5887 * Test 4: TLSv1.3, server, early_data
5888 * Test 5: TLSv1.3, client, early_data
5890 static int test_info_callback(int tst)
5892 SSL_CTX *cctx = NULL, *sctx = NULL;
5893 SSL *clientssl = NULL, *serverssl = NULL;
5894 SSL_SESSION *clntsess = NULL;
5899 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5900 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5901 || !defined(OPENSSL_NO_DH))
5902 tlsvers = TLS1_2_VERSION;
5907 #ifndef OPENSSL_NO_TLS1_3
5908 tlsvers = TLS1_3_VERSION;
5916 info_cb_this_state = -1;
5917 info_cb_offset = tst;
5919 #ifndef OPENSSL_NO_TLS1_3
5921 SSL_SESSION *sess = NULL;
5922 size_t written, readbytes;
5923 unsigned char buf[80];
5925 /* early_data tests */
5926 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5927 &serverssl, &sess, 0)))
5930 /* We don't actually need this reference */
5931 SSL_SESSION_free(sess);
5933 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5934 sslapi_info_callback);
5936 /* Write and read some early data and then complete the connection */
5937 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5939 || !TEST_size_t_eq(written, strlen(MSG1))
5940 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5941 sizeof(buf), &readbytes),
5942 SSL_READ_EARLY_DATA_SUCCESS)
5943 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5944 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5945 SSL_EARLY_DATA_ACCEPTED)
5946 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5948 || !TEST_false(info_cb_failed))
5956 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5957 TLS_client_method(),
5958 tlsvers, tlsvers, &sctx, &cctx, cert,
5963 * For even numbered tests we check the server callbacks. For odd numbers we
5966 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5967 sslapi_info_callback);
5969 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5970 &clientssl, NULL, NULL))
5971 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5973 || !TEST_false(info_cb_failed))
5978 clntsess = SSL_get1_session(clientssl);
5979 SSL_shutdown(clientssl);
5980 SSL_shutdown(serverssl);
5981 SSL_free(serverssl);
5982 SSL_free(clientssl);
5983 serverssl = clientssl = NULL;
5985 /* Now do a resumption */
5986 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5988 || !TEST_true(SSL_set_session(clientssl, clntsess))
5989 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5991 || !TEST_true(SSL_session_reused(clientssl))
5992 || !TEST_false(info_cb_failed))
5998 SSL_free(serverssl);
5999 SSL_free(clientssl);
6000 SSL_SESSION_free(clntsess);
6006 static int test_ssl_pending(int tst)
6008 SSL_CTX *cctx = NULL, *sctx = NULL;
6009 SSL *clientssl = NULL, *serverssl = NULL;
6011 char msg[] = "A test message";
6013 size_t written, readbytes;
6016 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6017 TLS_client_method(),
6019 &sctx, &cctx, cert, privkey)))
6022 #ifndef OPENSSL_NO_DTLS
6023 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6024 DTLS_client_method(),
6026 &sctx, &cctx, cert, privkey)))
6033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6035 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6039 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6040 || !TEST_false(SSL_has_pending(clientssl))
6041 || !TEST_int_eq(SSL_pending(serverssl), 0)
6042 || !TEST_false(SSL_has_pending(serverssl))
6043 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6044 || !TEST_size_t_eq(written, sizeof(msg))
6045 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6046 || !TEST_size_t_eq(readbytes, sizeof(buf))
6047 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6048 || !TEST_true(SSL_has_pending(clientssl)))
6054 SSL_free(serverssl);
6055 SSL_free(clientssl);
6063 unsigned int maxprot;
6064 const char *clntciphers;
6065 const char *clnttls13ciphers;
6066 const char *srvrciphers;
6067 const char *srvrtls13ciphers;
6069 } shared_ciphers_data[] = {
6071 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6072 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6074 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6077 "AES128-SHA:AES256-SHA",
6079 "AES256-SHA:DHE-RSA-AES128-SHA",
6085 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6087 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6089 "AES128-SHA:AES256-SHA"
6093 "AES128-SHA:AES256-SHA",
6095 "AES128-SHA:DHE-RSA-AES128-SHA",
6101 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6104 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6105 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6108 "AES128-SHA:AES256-SHA",
6110 "AES256-SHA:AES128-SHA256",
6112 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6113 "TLS_AES_128_GCM_SHA256:AES256-SHA"
6116 #ifndef OPENSSL_NO_TLS1_3
6120 "TLS_AES_256_GCM_SHA384",
6122 "TLS_AES_256_GCM_SHA384",
6123 "TLS_AES_256_GCM_SHA384"
6128 static int test_ssl_get_shared_ciphers(int tst)
6130 SSL_CTX *cctx = NULL, *sctx = NULL;
6131 SSL *clientssl = NULL, *serverssl = NULL;
6135 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6136 TLS_client_method(),
6138 shared_ciphers_data[tst].maxprot,
6139 &sctx, &cctx, cert, privkey)))
6142 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6143 shared_ciphers_data[tst].clntciphers))
6144 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6145 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6146 shared_ciphers_data[tst].clnttls13ciphers)))
6147 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6148 shared_ciphers_data[tst].srvrciphers))
6149 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6150 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6151 shared_ciphers_data[tst].srvrtls13ciphers))))
6155 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6157 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6161 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6162 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6163 TEST_info("Shared ciphers are: %s\n", buf);
6170 SSL_free(serverssl);
6171 SSL_free(clientssl);
6178 static const char *appdata = "Hello World";
6179 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6180 static int tick_key_renew = 0;
6181 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6183 static int gen_tick_cb(SSL *s, void *arg)
6185 gen_tick_called = 1;
6187 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6191 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6192 const unsigned char *keyname,
6193 size_t keyname_length,
6194 SSL_TICKET_STATUS status,
6200 dec_tick_called = 1;
6202 if (status == SSL_TICKET_EMPTY)
6203 return SSL_TICKET_RETURN_IGNORE_RENEW;
6205 if (!TEST_true(status == SSL_TICKET_SUCCESS
6206 || status == SSL_TICKET_SUCCESS_RENEW))
6207 return SSL_TICKET_RETURN_ABORT;
6209 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6211 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6212 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6213 return SSL_TICKET_RETURN_ABORT;
6215 if (tick_key_cb_called) {
6216 /* Don't change what the ticket key callback wanted to do */
6218 case SSL_TICKET_NO_DECRYPT:
6219 return SSL_TICKET_RETURN_IGNORE_RENEW;
6221 case SSL_TICKET_SUCCESS:
6222 return SSL_TICKET_RETURN_USE;
6224 case SSL_TICKET_SUCCESS_RENEW:
6225 return SSL_TICKET_RETURN_USE_RENEW;
6228 return SSL_TICKET_RETURN_ABORT;
6231 return tick_dec_ret;
6235 #ifndef OPENSSL_NO_DEPRECATED_3_0
6236 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6237 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6238 HMAC_CTX *hctx, int enc)
6240 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6241 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6242 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6243 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6246 tick_key_cb_called = 1;
6247 memset(iv, 0, AES_BLOCK_SIZE);
6248 memset(key_name, 0, 16);
6249 if (aes128cbc == NULL
6251 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6252 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6256 ret = tick_key_renew ? 2 : 1;
6258 EVP_CIPHER_free(aes128cbc);
6259 EVP_MD_free(sha256);
6265 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6266 unsigned char iv[EVP_MAX_IV_LENGTH],
6267 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6269 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6270 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6271 OSSL_PARAM params[3];
6272 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6275 tick_key_cb_called = 1;
6276 memset(iv, 0, AES_BLOCK_SIZE);
6277 memset(key_name, 0, 16);
6278 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6280 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6282 sizeof(tick_hmac_key));
6283 params[2] = OSSL_PARAM_construct_end();
6284 if (aes128cbc == NULL
6285 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6286 || !EVP_MAC_CTX_set_params(hctx, params)
6287 || !EVP_MAC_init(hctx))
6290 ret = tick_key_renew ? 2 : 1;
6292 EVP_CIPHER_free(aes128cbc);
6298 * Test the various ticket callbacks
6299 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6300 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6301 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6302 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6303 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6304 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6305 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6306 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6307 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6308 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6309 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6310 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6311 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6312 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6313 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6314 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6316 static int test_ticket_callbacks(int tst)
6318 SSL_CTX *cctx = NULL, *sctx = NULL;
6319 SSL *clientssl = NULL, *serverssl = NULL;
6320 SSL_SESSION *clntsess = NULL;
6323 #ifdef OPENSSL_NO_TLS1_2
6327 #ifdef OPENSSL_NO_TLS1_3
6331 #ifdef OPENSSL_NO_DEPRECATED_3_0
6332 if (tst >= 8 && tst <= 11)
6336 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6338 /* Which tests the ticket key callback should request renewal for */
6339 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6344 /* Which tests the decrypt ticket callback should request renewal for */
6348 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6353 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6358 tick_dec_ret = SSL_TICKET_RETURN_USE;
6363 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6367 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6370 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6371 TLS_client_method(),
6373 ((tst % 2) == 0) ? TLS1_2_VERSION
6375 &sctx, &cctx, cert, privkey)))
6379 * We only want sessions to resume from tickets - not the session cache. So
6380 * switch the cache off.
6382 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6385 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6390 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6392 #ifndef OPENSSL_NO_DEPRECATED_3_0
6393 } else if (tst >= 8) {
6394 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6399 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6401 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6406 * The decrypt ticket key callback in TLSv1.2 should be called even though
6407 * we have no ticket yet, because it gets called with a status of
6408 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6409 * actually send any ticket data). This does not happen in TLSv1.3 because
6410 * it is not valid to send empty ticket data in TLSv1.3.
6412 if (!TEST_int_eq(gen_tick_called, 1)
6413 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6416 gen_tick_called = dec_tick_called = 0;
6418 clntsess = SSL_get1_session(clientssl);
6419 SSL_shutdown(clientssl);
6420 SSL_shutdown(serverssl);
6421 SSL_free(serverssl);
6422 SSL_free(clientssl);
6423 serverssl = clientssl = NULL;
6425 /* Now do a resumption */
6426 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6428 || !TEST_true(SSL_set_session(clientssl, clntsess))
6429 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6433 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6434 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6435 if (!TEST_false(SSL_session_reused(clientssl)))
6438 if (!TEST_true(SSL_session_reused(clientssl)))
6442 if (!TEST_int_eq(gen_tick_called,
6444 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6445 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6447 || !TEST_int_eq(dec_tick_called, 1))
6453 SSL_SESSION_free(clntsess);
6454 SSL_free(serverssl);
6455 SSL_free(clientssl);
6463 * Test bi-directional shutdown.
6465 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6466 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6467 * Test 3: TLSv1.3, pending NewSessionTicket messages
6468 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6469 * sends key update, client reads it
6470 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6471 * sends CertificateRequest, client reads and ignores it
6472 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6475 static int test_shutdown(int tst)
6477 SSL_CTX *cctx = NULL, *sctx = NULL;
6478 SSL *clientssl = NULL, *serverssl = NULL;
6480 char msg[] = "A test message";
6482 size_t written, readbytes;
6485 #ifdef OPENSSL_NO_TLS1_2
6489 #ifdef OPENSSL_NO_TLS1_3
6494 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6495 TLS_client_method(),
6497 (tst <= 1) ? TLS1_2_VERSION
6499 &sctx, &cctx, cert, privkey)))
6503 SSL_CTX_set_post_handshake_auth(cctx, 1);
6505 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6510 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6512 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6513 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6515 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6517 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6518 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6522 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6527 * Reading on the server after the client has sent close_notify should
6528 * fail and provide SSL_ERROR_ZERO_RETURN
6530 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6531 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6532 SSL_ERROR_ZERO_RETURN)
6533 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6534 SSL_RECEIVED_SHUTDOWN)
6536 * Even though we're shutdown on receive we should still be
6539 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6542 && !TEST_true(SSL_key_update(serverssl,
6543 SSL_KEY_UPDATE_REQUESTED)))
6546 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6547 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6550 if ((tst == 4 || tst == 5)
6551 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6553 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6555 if (tst == 4 || tst == 5) {
6556 /* Should still be able to read data from server */
6557 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6559 || !TEST_size_t_eq(readbytes, sizeof(msg))
6560 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6561 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6563 || !TEST_size_t_eq(readbytes, sizeof(msg))
6564 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6569 /* Writing on the client after sending close_notify shouldn't be possible */
6570 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6575 * For these tests the client has sent close_notify but it has not yet
6576 * been received by the server. The server has not sent close_notify
6579 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6581 * Writing on the server after sending close_notify shouldn't
6584 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6585 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6586 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6587 || !TEST_true(SSL_SESSION_is_resumable(sess))
6588 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6590 } else if (tst == 4 || tst == 5) {
6592 * In this test the client has sent close_notify and it has been
6593 * received by the server which has responded with a close_notify. The
6594 * client needs to read the close_notify sent by the server.
6596 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6597 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6598 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6604 * The client has sent close_notify and is expecting a close_notify
6605 * back, but instead there is application data first. The shutdown
6606 * should fail with a fatal error.
6608 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6609 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6616 SSL_free(serverssl);
6617 SSL_free(clientssl);
6624 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6625 static int cert_cb_cnt;
6627 static int cert_cb(SSL *s, void *arg)
6629 SSL_CTX *ctx = (SSL_CTX *)arg;
6631 EVP_PKEY *pkey = NULL;
6632 X509 *x509 = NULL, *rootx = NULL;
6633 STACK_OF(X509) *chain = NULL;
6634 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6637 if (cert_cb_cnt == 0) {
6638 /* Suspend the handshake */
6641 } else if (cert_cb_cnt == 1) {
6643 * Update the SSL_CTX, set the certificate and private key and then
6644 * continue the handshake normally.
6646 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6649 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6650 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6652 || !TEST_true(SSL_check_private_key(s)))
6656 } else if (cert_cb_cnt == 3) {
6659 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6660 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6661 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6662 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6664 chain = sk_X509_new_null();
6665 if (!TEST_ptr(chain))
6667 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6668 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6669 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6670 || !TEST_true(sk_X509_push(chain, rootx)))
6674 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6675 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6676 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6679 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6680 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6681 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6683 rv = SSL_check_chain(s, x509, pkey, chain);
6685 * If the cert doesn't show as valid here (e.g., because we don't
6686 * have any shared sigalgs), then we will not set it, and there will
6687 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6688 * will cause tls_choose_sigalgs() to fail the connection.
6690 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6691 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6692 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6699 /* Abort the handshake */
6701 OPENSSL_free(ecdsacert);
6702 OPENSSL_free(ecdsakey);
6703 OPENSSL_free(rootfile);
6705 EVP_PKEY_free(pkey);
6708 sk_X509_pop_free(chain, X509_free);
6713 * Test the certificate callback.
6714 * Test 0: Callback fails
6715 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6716 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6717 * Test 3: Success - Call SSL_check_chain from the callback
6718 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6720 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6722 static int test_cert_cb_int(int prot, int tst)
6724 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6725 SSL *clientssl = NULL, *serverssl = NULL;
6726 int testresult = 0, ret;
6728 #ifdef OPENSSL_NO_EC
6729 /* We use an EC cert in these tests, so we skip in a no-ec build */
6734 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6735 TLS_client_method(),
6738 &sctx, &cctx, NULL, NULL)))
6749 snictx = SSL_CTX_new(TLS_server_method());
6750 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6752 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6758 * We cause SSL_check_chain() to fail by specifying sig_algs that
6759 * the chain doesn't meet (the root uses an RSA cert)
6761 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6762 "ecdsa_secp256r1_sha256")))
6764 } else if (tst == 5) {
6766 * We cause SSL_check_chain() to fail by specifying sig_algs that
6767 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6769 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6770 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6774 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6775 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6777 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6784 SSL_free(serverssl);
6785 SSL_free(clientssl);
6788 SSL_CTX_free(snictx);
6794 static int test_cert_cb(int tst)
6798 #ifndef OPENSSL_NO_TLS1_2
6799 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6801 #ifndef OPENSSL_NO_TLS1_3
6802 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6808 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6814 /* Check that SSL_get_peer_certificate() returns something sensible */
6815 peer = SSL_get_peer_certificate(ssl);
6816 if (!TEST_ptr(peer))
6820 in = BIO_new_file(cert, "r");
6824 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6826 if (!TEST_ptr(xcert))
6829 in = BIO_new_file(privkey, "r");
6830 if (!TEST_ptr(in)) {
6835 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6837 if (!TEST_ptr(privpkey)) {
6848 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6853 static int test_client_cert_cb(int tst)
6855 SSL_CTX *cctx = NULL, *sctx = NULL;
6856 SSL *clientssl = NULL, *serverssl = NULL;
6859 #ifdef OPENSSL_NO_TLS1_2
6863 #ifdef OPENSSL_NO_TLS1_3
6868 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6869 TLS_client_method(),
6871 tst == 0 ? TLS1_2_VERSION
6873 &sctx, &cctx, cert, privkey)))
6877 * Test that setting a client_cert_cb results in a client certificate being
6880 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6881 SSL_CTX_set_verify(sctx,
6882 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6887 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6894 SSL_free(serverssl);
6895 SSL_free(clientssl);
6902 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6904 * Test setting certificate authorities on both client and server.
6906 * Test 0: SSL_CTX_set0_CA_list() only
6907 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6908 * Test 2: Only SSL_CTX_set_client_CA_list()
6910 static int test_ca_names_int(int prot, int tst)
6912 SSL_CTX *cctx = NULL, *sctx = NULL;
6913 SSL *clientssl = NULL, *serverssl = NULL;
6916 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6917 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6918 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6919 const STACK_OF(X509_NAME) *sktmp = NULL;
6921 for (i = 0; i < OSSL_NELEM(name); i++) {
6922 name[i] = X509_NAME_new();
6923 if (!TEST_ptr(name[i])
6924 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6932 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6933 TLS_client_method(),
6936 &sctx, &cctx, cert, privkey)))
6939 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6941 if (tst == 0 || tst == 1) {
6942 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6943 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6944 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6945 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6946 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6947 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6950 SSL_CTX_set0_CA_list(sctx, sk1);
6951 SSL_CTX_set0_CA_list(cctx, sk2);
6954 if (tst == 1 || tst == 2) {
6955 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6956 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6957 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6958 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6959 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6960 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6963 SSL_CTX_set_client_CA_list(sctx, sk1);
6964 SSL_CTX_set_client_CA_list(cctx, sk2);
6968 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6970 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6975 * We only expect certificate authorities to have been sent to the server
6976 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6978 sktmp = SSL_get0_peer_CA_list(serverssl);
6979 if (prot == TLS1_3_VERSION
6980 && (tst == 0 || tst == 1)) {
6981 if (!TEST_ptr(sktmp)
6982 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6983 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6985 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6988 } else if (!TEST_ptr_null(sktmp)) {
6993 * In all tests we expect certificate authorities to have been sent to the
6994 * client. However, SSL_set_client_CA_list() should override
6995 * SSL_set0_CA_list()
6997 sktmp = SSL_get0_peer_CA_list(clientssl);
6998 if (!TEST_ptr(sktmp)
6999 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7000 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7001 name[tst == 0 ? 0 : 2]), 0)
7002 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7003 name[tst == 0 ? 1 : 3]), 0))
7009 SSL_free(serverssl);
7010 SSL_free(clientssl);
7013 for (i = 0; i < OSSL_NELEM(name); i++)
7014 X509_NAME_free(name[i]);
7015 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7016 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7022 static int test_ca_names(int tst)
7026 #ifndef OPENSSL_NO_TLS1_2
7027 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7029 #ifndef OPENSSL_NO_TLS1_3
7030 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7036 #ifndef OPENSSL_NO_TLS1_2
7037 static const char *multiblock_cipherlist_data[]=
7045 /* Reduce the fragment size - so the multiblock test buffer can be small */
7046 # define MULTIBLOCK_FRAGSIZE 512
7048 static int test_multiblock_write(int test_index)
7050 static const char *fetchable_ciphers[]=
7052 "AES-128-CBC-HMAC-SHA1",
7053 "AES-128-CBC-HMAC-SHA256",
7054 "AES-256-CBC-HMAC-SHA1",
7055 "AES-256-CBC-HMAC-SHA256"
7057 const char *cipherlist = multiblock_cipherlist_data[test_index];
7058 const SSL_METHOD *smeth = TLS_server_method();
7059 const SSL_METHOD *cmeth = TLS_client_method();
7060 int min_version = TLS1_VERSION;
7061 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7062 SSL_CTX *cctx = NULL, *sctx = NULL;
7063 SSL *clientssl = NULL, *serverssl = NULL;
7067 * Choose a buffer large enough to perform a multi-block operation
7068 * i.e: write_len >= 4 * frag_size
7069 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7071 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7072 unsigned char buf[sizeof(msg)], *p = buf;
7073 size_t readbytes, written, len;
7074 EVP_CIPHER *ciph = NULL;
7077 * Check if the cipher exists before attempting to use it since it only has
7078 * a hardware specific implementation.
7080 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7082 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7085 EVP_CIPHER_free(ciph);
7087 /* Set up a buffer with some data that will be sent to the client */
7088 RAND_bytes(msg, sizeof(msg));
7090 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7091 max_version, &sctx, &cctx, cert,
7095 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7098 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7102 /* settings to force it to use AES-CBC-HMAC_SHA */
7103 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7104 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7107 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7110 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7111 || !TEST_size_t_eq(written, sizeof(msg)))
7116 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7121 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7126 SSL_free(serverssl);
7127 SSL_free(clientssl);
7133 #endif /* OPENSSL_NO_TLS1_2 */
7136 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7137 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7138 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7139 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7140 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7141 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7142 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7143 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7144 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7145 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7147 static int test_servername(int tst)
7149 SSL_CTX *cctx = NULL, *sctx = NULL;
7150 SSL *clientssl = NULL, *serverssl = NULL;
7152 SSL_SESSION *sess = NULL;
7153 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7155 #ifdef OPENSSL_NO_TLS1_2
7159 #ifdef OPENSSL_NO_TLS1_3
7164 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7165 TLS_client_method(),
7167 (tst <= 4) ? TLS1_2_VERSION
7169 &sctx, &cctx, cert, privkey))
7170 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7174 if (tst != 1 && tst != 6) {
7175 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7180 if (tst != 3 && tst != 8) {
7181 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7183 sexpectedhost = cexpectedhost = "goodhost";
7186 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7189 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7191 || !TEST_str_eq(SSL_get_servername(serverssl,
7192 TLSEXT_NAMETYPE_host_name),
7196 /* Now repeat with a resumption handshake */
7198 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7199 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7200 || !TEST_true(SSL_SESSION_is_resumable(sess))
7201 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7204 SSL_free(clientssl);
7205 SSL_free(serverssl);
7206 clientssl = serverssl = NULL;
7208 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7212 if (!TEST_true(SSL_set_session(clientssl, sess)))
7215 sexpectedhost = cexpectedhost = "goodhost";
7216 if (tst == 2 || tst == 7) {
7217 /* Set an inconsistent hostname */
7218 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7221 * In TLSv1.2 we expect the hostname from the original handshake, in
7222 * TLSv1.3 we expect the hostname from this handshake
7225 sexpectedhost = cexpectedhost = "altgoodhost";
7227 if (!TEST_str_eq(SSL_get_servername(clientssl,
7228 TLSEXT_NAMETYPE_host_name),
7231 } else if (tst == 4 || tst == 9) {
7233 * A TLSv1.3 session does not associate a session with a servername,
7234 * but a TLSv1.2 session does.
7237 sexpectedhost = cexpectedhost = NULL;
7239 if (!TEST_str_eq(SSL_get_servername(clientssl,
7240 TLSEXT_NAMETYPE_host_name),
7244 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7247 * In a TLSv1.2 resumption where the hostname was not acknowledged
7248 * we expect the hostname on the server to be empty. On the client we
7249 * return what was requested in this case.
7251 * Similarly if the client didn't set a hostname on an original TLSv1.2
7252 * session but is now, the server hostname will be empty, but the client
7255 if (tst == 1 || tst == 3)
7256 sexpectedhost = NULL;
7258 if (!TEST_str_eq(SSL_get_servername(clientssl,
7259 TLSEXT_NAMETYPE_host_name),
7264 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7267 if (!TEST_true(SSL_session_reused(clientssl))
7268 || !TEST_true(SSL_session_reused(serverssl))
7269 || !TEST_str_eq(SSL_get_servername(clientssl,
7270 TLSEXT_NAMETYPE_host_name),
7272 || !TEST_str_eq(SSL_get_servername(serverssl,
7273 TLSEXT_NAMETYPE_host_name),
7280 SSL_SESSION_free(sess);
7281 SSL_free(serverssl);
7282 SSL_free(clientssl);
7289 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
7291 int setup_tests(void)
7296 libctx = OPENSSL_CTX_new();
7297 if (!TEST_ptr(libctx))
7300 defctxnull = OSSL_PROVIDER_load(NULL, "null");
7303 * Verify that the default and fips providers in the default libctx are not
7306 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
7307 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
7310 if (!test_skip_common_options()) {
7311 TEST_error("Error parsing test options\n");
7315 if (!TEST_ptr(certsdir = test_get_argument(0))
7316 || !TEST_ptr(srpvfile = test_get_argument(1))
7317 || !TEST_ptr(tmpfilename = test_get_argument(2))
7318 || !TEST_ptr(modulename = test_get_argument(3))
7319 || !TEST_ptr(configfile = test_get_argument(4)))
7322 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
7325 /* Check we have the expected provider available */
7326 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
7329 /* Check the default provider is not available */
7330 if (strcmp(modulename, "default") != 0
7331 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
7334 if (strcmp(modulename, "fips") == 0)
7337 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7338 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7339 TEST_error("not supported in this build");
7342 int i, mcount, rcount, fcount;
7344 for (i = 0; i < 4; i++)
7345 test_export_key_mat(i);
7346 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7347 test_printf_stdout("malloc %d realloc %d free %d\n",
7348 mcount, rcount, fcount);
7353 cert = test_mk_file_path(certsdir, "servercert.pem");
7357 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7358 if (privkey == NULL) {
7363 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7364 && !defined(OPENSSL_NO_SOCK)
7365 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7366 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7367 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7368 ADD_TEST(test_ktls_client_no_txrx_server);
7369 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7370 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7371 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7372 ADD_TEST(test_ktls_client_no_rx_server);
7373 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7374 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7375 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7376 ADD_TEST(test_ktls_client_no_tx_server);
7377 ADD_TEST(test_ktls_no_txrx_client_server);
7378 ADD_TEST(test_ktls_no_rx_client_server);
7379 ADD_TEST(test_ktls_no_tx_client_server);
7380 ADD_TEST(test_ktls_client_server);
7381 ADD_TEST(test_ktls_sendfile);
7383 ADD_TEST(test_large_message_tls);
7384 ADD_TEST(test_large_message_tls_read_ahead);
7385 #ifndef OPENSSL_NO_DTLS
7386 ADD_TEST(test_large_message_dtls);
7388 #ifndef OPENSSL_NO_OCSP
7389 ADD_TEST(test_tlsext_status_type);
7391 ADD_TEST(test_session_with_only_int_cache);
7392 ADD_TEST(test_session_with_only_ext_cache);
7393 ADD_TEST(test_session_with_both_cache);
7394 #ifndef OPENSSL_NO_TLS1_3
7395 ADD_ALL_TESTS(test_stateful_tickets, 3);
7396 ADD_ALL_TESTS(test_stateless_tickets, 3);
7397 ADD_TEST(test_psk_tickets);
7399 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7400 ADD_TEST(test_ssl_bio_pop_next_bio);
7401 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7402 ADD_TEST(test_ssl_bio_change_rbio);
7403 ADD_TEST(test_ssl_bio_change_wbio);
7404 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7405 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7406 ADD_TEST(test_keylog);
7408 #ifndef OPENSSL_NO_TLS1_3
7409 ADD_TEST(test_keylog_no_master_key);
7411 #ifndef OPENSSL_NO_TLS1_2
7412 ADD_TEST(test_client_hello_cb);
7413 ADD_TEST(test_no_ems);
7414 ADD_TEST(test_ccs_change_cipher);
7416 #ifndef OPENSSL_NO_TLS1_3
7417 ADD_ALL_TESTS(test_early_data_read_write, 3);
7419 * We don't do replay tests for external PSK. Replay protection isn't used
7422 ADD_ALL_TESTS(test_early_data_replay, 2);
7423 ADD_ALL_TESTS(test_early_data_skip, 3);
7424 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7425 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7426 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7427 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7428 ADD_ALL_TESTS(test_early_data_psk, 8);
7429 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7430 # ifndef OPENSSL_NO_TLS1_2
7431 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7434 #ifndef OPENSSL_NO_TLS1_3
7435 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7436 ADD_TEST(test_ciphersuite_change);
7437 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7438 # ifdef OPENSSL_NO_PSK
7439 ADD_ALL_TESTS(test_tls13_psk, 1);
7441 ADD_ALL_TESTS(test_tls13_psk, 4);
7442 # endif /* OPENSSL_NO_PSK */
7443 # ifndef OPENSSL_NO_TLS1_2
7444 /* Test with both TLSv1.3 and 1.2 versions */
7445 ADD_ALL_TESTS(test_key_exchange, 14);
7447 /* Test with only TLSv1.3 versions */
7448 ADD_ALL_TESTS(test_key_exchange, 12);
7450 ADD_ALL_TESTS(test_custom_exts, 5);
7451 ADD_TEST(test_stateless);
7452 ADD_TEST(test_pha_key_update);
7454 ADD_ALL_TESTS(test_custom_exts, 3);
7456 ADD_ALL_TESTS(test_serverinfo, 8);
7457 ADD_ALL_TESTS(test_export_key_mat, 6);
7458 #ifndef OPENSSL_NO_TLS1_3
7459 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7460 ADD_TEST(test_key_update);
7461 ADD_ALL_TESTS(test_key_update_in_write, 2);
7463 ADD_ALL_TESTS(test_ssl_clear, 2);
7464 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7465 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7466 ADD_ALL_TESTS(test_srp, 6);
7468 ADD_ALL_TESTS(test_info_callback, 6);
7469 ADD_ALL_TESTS(test_ssl_pending, 2);
7470 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7471 ADD_ALL_TESTS(test_ticket_callbacks, 16);
7472 ADD_ALL_TESTS(test_shutdown, 7);
7473 ADD_ALL_TESTS(test_cert_cb, 6);
7474 ADD_ALL_TESTS(test_client_cert_cb, 2);
7475 ADD_ALL_TESTS(test_ca_names, 3);
7476 #ifndef OPENSSL_NO_TLS1_2
7477 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7479 ADD_ALL_TESTS(test_servername, 10);
7483 void cleanup_tests(void)
7486 OPENSSL_free(privkey);
7487 bio_s_mempacket_test_free();
7488 bio_s_always_retry_free();
7489 OSSL_PROVIDER_unload(defctxnull);
7490 OPENSSL_CTX_free(libctx);