2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "internal/ktls.h"
26 #include "../ssl/ssl_locl.h"
28 #ifndef OPENSSL_NO_TLS1_3
30 static SSL_SESSION *clientpsk = NULL;
31 static SSL_SESSION *serverpsk = NULL;
32 static const char *pskid = "Identity";
33 static const char *srvid;
35 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
36 size_t *idlen, SSL_SESSION **sess);
37 static int find_session_cb(SSL *ssl, const unsigned char *identity,
38 size_t identity_len, SSL_SESSION **sess);
40 static int use_session_cb_cnt = 0;
41 static int find_session_cb_cnt = 0;
43 static SSL_SESSION *create_a_psk(SSL *ssl);
46 static char *cert = NULL;
47 static char *privkey = NULL;
48 static char *srpvfile = NULL;
49 static char *tmpfilename = NULL;
51 #define LOG_BUFFER_SIZE 2048
52 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
53 static size_t server_log_buffer_index = 0;
54 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
55 static size_t client_log_buffer_index = 0;
56 static int error_writing_log = 0;
58 #ifndef OPENSSL_NO_OCSP
59 static const unsigned char orespder[] = "Dummy OCSP Response";
60 static int ocsp_server_called = 0;
61 static int ocsp_client_called = 0;
63 static int cdummyarg = 1;
64 static X509 *ocspcert = NULL;
67 #define NUM_EXTRA_CERTS 40
68 #define CLIENT_VERSION_LEN 2
71 * This structure is used to validate that the correct number of log messages
72 * of various types are emitted when emitting secret logs.
74 struct sslapitest_log_counts {
75 unsigned int rsa_key_exchange_count;
76 unsigned int master_secret_count;
77 unsigned int client_early_secret_count;
78 unsigned int client_handshake_secret_count;
79 unsigned int server_handshake_secret_count;
80 unsigned int client_application_secret_count;
81 unsigned int server_application_secret_count;
82 unsigned int early_exporter_secret_count;
83 unsigned int exporter_secret_count;
87 static unsigned char serverinfov1[] = {
88 0xff, 0xff, /* Dummy extension type */
89 0x00, 0x01, /* Extension length is 1 byte */
90 0xff /* Dummy extension data */
93 static unsigned char serverinfov2[] = {
95 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
96 0xff, 0xff, /* Dummy extension type */
97 0x00, 0x01, /* Extension length is 1 byte */
98 0xff /* Dummy extension data */
101 static void client_keylog_callback(const SSL *ssl, const char *line)
103 int line_length = strlen(line);
105 /* If the log doesn't fit, error out. */
106 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
107 TEST_info("Client log too full");
108 error_writing_log = 1;
112 strcat(client_log_buffer, line);
113 client_log_buffer_index += line_length;
114 client_log_buffer[client_log_buffer_index++] = '\n';
117 static void server_keylog_callback(const SSL *ssl, const char *line)
119 int line_length = strlen(line);
121 /* If the log doesn't fit, error out. */
122 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
123 TEST_info("Server log too full");
124 error_writing_log = 1;
128 strcat(server_log_buffer, line);
129 server_log_buffer_index += line_length;
130 server_log_buffer[server_log_buffer_index++] = '\n';
133 static int compare_hex_encoded_buffer(const char *hex_encoded,
141 if (!TEST_size_t_eq(raw_length * 2, hex_length))
144 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
145 sprintf(hexed, "%02x", raw[i]);
146 if (!TEST_int_eq(hexed[0], hex_encoded[j])
147 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
154 static int test_keylog_output(char *buffer, const SSL *ssl,
155 const SSL_SESSION *session,
156 struct sslapitest_log_counts *expected)
159 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
160 size_t client_random_size = SSL3_RANDOM_SIZE;
161 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
162 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
163 unsigned int rsa_key_exchange_count = 0;
164 unsigned int master_secret_count = 0;
165 unsigned int client_early_secret_count = 0;
166 unsigned int client_handshake_secret_count = 0;
167 unsigned int server_handshake_secret_count = 0;
168 unsigned int client_application_secret_count = 0;
169 unsigned int server_application_secret_count = 0;
170 unsigned int early_exporter_secret_count = 0;
171 unsigned int exporter_secret_count = 0;
173 for (token = strtok(buffer, " \n"); token != NULL;
174 token = strtok(NULL, " \n")) {
175 if (strcmp(token, "RSA") == 0) {
177 * Premaster secret. Tokens should be: 16 ASCII bytes of
178 * hex-encoded encrypted secret, then the hex-encoded pre-master
181 if (!TEST_ptr(token = strtok(NULL, " \n")))
183 if (!TEST_size_t_eq(strlen(token), 16))
185 if (!TEST_ptr(token = strtok(NULL, " \n")))
188 * We can't sensibly check the log because the premaster secret is
189 * transient, and OpenSSL doesn't keep hold of it once the master
190 * secret is generated.
192 rsa_key_exchange_count++;
193 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
195 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
196 * client random, then the hex-encoded master secret.
198 client_random_size = SSL_get_client_random(ssl,
199 actual_client_random,
201 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
204 if (!TEST_ptr(token = strtok(NULL, " \n")))
206 if (!TEST_size_t_eq(strlen(token), 64))
208 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
209 actual_client_random,
210 client_random_size)))
213 if (!TEST_ptr(token = strtok(NULL, " \n")))
215 master_key_size = SSL_SESSION_get_master_key(session,
218 if (!TEST_size_t_ne(master_key_size, 0))
220 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
224 master_secret_count++;
225 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
226 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
227 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
228 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
229 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
230 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
231 || strcmp(token, "EXPORTER_SECRET") == 0) {
233 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
234 * client random, and then the hex-encoded secret. In this case,
235 * we treat all of these secrets identically and then just
236 * distinguish between them when counting what we saw.
238 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
239 client_early_secret_count++;
240 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
241 client_handshake_secret_count++;
242 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
243 server_handshake_secret_count++;
244 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
245 client_application_secret_count++;
246 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
247 server_application_secret_count++;
248 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
249 early_exporter_secret_count++;
250 else if (strcmp(token, "EXPORTER_SECRET") == 0)
251 exporter_secret_count++;
253 client_random_size = SSL_get_client_random(ssl,
254 actual_client_random,
256 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
259 if (!TEST_ptr(token = strtok(NULL, " \n")))
261 if (!TEST_size_t_eq(strlen(token), 64))
263 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
264 actual_client_random,
265 client_random_size)))
268 if (!TEST_ptr(token = strtok(NULL, " \n")))
272 * TODO(TLS1.3): test that application traffic secrets are what
275 TEST_info("Unexpected token %s\n", token);
280 /* Got what we expected? */
281 if (!TEST_size_t_eq(rsa_key_exchange_count,
282 expected->rsa_key_exchange_count)
283 || !TEST_size_t_eq(master_secret_count,
284 expected->master_secret_count)
285 || !TEST_size_t_eq(client_early_secret_count,
286 expected->client_early_secret_count)
287 || !TEST_size_t_eq(client_handshake_secret_count,
288 expected->client_handshake_secret_count)
289 || !TEST_size_t_eq(server_handshake_secret_count,
290 expected->server_handshake_secret_count)
291 || !TEST_size_t_eq(client_application_secret_count,
292 expected->client_application_secret_count)
293 || !TEST_size_t_eq(server_application_secret_count,
294 expected->server_application_secret_count)
295 || !TEST_size_t_eq(early_exporter_secret_count,
296 expected->early_exporter_secret_count)
297 || !TEST_size_t_eq(exporter_secret_count,
298 expected->exporter_secret_count))
303 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
304 static int test_keylog(void)
306 SSL_CTX *cctx = NULL, *sctx = NULL;
307 SSL *clientssl = NULL, *serverssl = NULL;
309 struct sslapitest_log_counts expected = {0};
311 /* Clean up logging space */
312 memset(client_log_buffer, 0, sizeof(client_log_buffer));
313 memset(server_log_buffer, 0, sizeof(server_log_buffer));
314 client_log_buffer_index = 0;
315 server_log_buffer_index = 0;
316 error_writing_log = 0;
318 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
321 &sctx, &cctx, cert, privkey)))
324 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
325 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
326 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
328 /* We also want to ensure that we use RSA-based key exchange. */
329 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
332 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
333 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
335 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
336 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
337 == client_keylog_callback))
339 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
340 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
341 == server_keylog_callback))
344 /* Now do a handshake and check that the logs have been written to. */
345 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
346 &clientssl, NULL, NULL))
347 || !TEST_true(create_ssl_connection(serverssl, clientssl,
349 || !TEST_false(error_writing_log)
350 || !TEST_int_gt(client_log_buffer_index, 0)
351 || !TEST_int_gt(server_log_buffer_index, 0))
355 * Now we want to test that our output data was vaguely sensible. We
356 * do that by using strtok and confirming that we have more or less the
357 * data we expect. For both client and server, we expect to see one master
358 * secret. The client should also see a RSA key exchange.
360 expected.rsa_key_exchange_count = 1;
361 expected.master_secret_count = 1;
362 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
363 SSL_get_session(clientssl), &expected)))
366 expected.rsa_key_exchange_count = 0;
367 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
368 SSL_get_session(serverssl), &expected)))
383 #ifndef OPENSSL_NO_TLS1_3
384 static int test_keylog_no_master_key(void)
386 SSL_CTX *cctx = NULL, *sctx = NULL;
387 SSL *clientssl = NULL, *serverssl = NULL;
388 SSL_SESSION *sess = NULL;
390 struct sslapitest_log_counts expected = {0};
391 unsigned char buf[1];
392 size_t readbytes, written;
394 /* Clean up logging space */
395 memset(client_log_buffer, 0, sizeof(client_log_buffer));
396 memset(server_log_buffer, 0, sizeof(server_log_buffer));
397 client_log_buffer_index = 0;
398 server_log_buffer_index = 0;
399 error_writing_log = 0;
401 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
403 &sctx, &cctx, cert, privkey))
404 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
405 SSL3_RT_MAX_PLAIN_LENGTH)))
408 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
409 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
412 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
413 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
414 == client_keylog_callback))
417 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
418 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
419 == server_keylog_callback))
422 /* Now do a handshake and check that the logs have been written to. */
423 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
424 &clientssl, NULL, NULL))
425 || !TEST_true(create_ssl_connection(serverssl, clientssl,
427 || !TEST_false(error_writing_log))
431 * Now we want to test that our output data was vaguely sensible. For this
432 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
433 * TLSv1.3, but we do expect both client and server to emit keys.
435 expected.client_handshake_secret_count = 1;
436 expected.server_handshake_secret_count = 1;
437 expected.client_application_secret_count = 1;
438 expected.server_application_secret_count = 1;
439 expected.exporter_secret_count = 1;
440 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
441 SSL_get_session(clientssl), &expected))
442 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
443 SSL_get_session(serverssl),
447 /* Terminate old session and resume with early data. */
448 sess = SSL_get1_session(clientssl);
449 SSL_shutdown(clientssl);
450 SSL_shutdown(serverssl);
453 serverssl = clientssl = NULL;
456 memset(client_log_buffer, 0, sizeof(client_log_buffer));
457 memset(server_log_buffer, 0, sizeof(server_log_buffer));
458 client_log_buffer_index = 0;
459 server_log_buffer_index = 0;
461 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
462 &clientssl, NULL, NULL))
463 || !TEST_true(SSL_set_session(clientssl, sess))
464 /* Here writing 0 length early data is enough. */
465 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
466 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
468 SSL_READ_EARLY_DATA_ERROR)
469 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
470 SSL_EARLY_DATA_ACCEPTED)
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 || !TEST_true(SSL_session_reused(clientssl)))
476 /* In addition to the previous entries, expect early secrets. */
477 expected.client_early_secret_count = 1;
478 expected.early_exporter_secret_count = 1;
479 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
480 SSL_get_session(clientssl), &expected))
481 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
482 SSL_get_session(serverssl),
489 SSL_SESSION_free(sess);
499 #ifndef OPENSSL_NO_TLS1_2
500 static int full_client_hello_callback(SSL *s, int *al, void *arg)
503 const unsigned char *p;
505 /* We only configure two ciphers, but the SCSV is added automatically. */
507 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
509 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
512 const int expected_extensions[] = {
513 #ifndef OPENSSL_NO_EC
519 /* Make sure we can defer processing and get called back. */
521 return SSL_CLIENT_HELLO_RETRY;
523 len = SSL_client_hello_get0_ciphers(s, &p);
524 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
526 SSL_client_hello_get0_compression_methods(s, &p), 1)
527 || !TEST_int_eq(*p, 0))
528 return SSL_CLIENT_HELLO_ERROR;
529 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
530 return SSL_CLIENT_HELLO_ERROR;
531 if (len != OSSL_NELEM(expected_extensions) ||
532 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
533 printf("ClientHello callback expected extensions mismatch\n");
535 return SSL_CLIENT_HELLO_ERROR;
538 return SSL_CLIENT_HELLO_SUCCESS;
541 static int test_client_hello_cb(void)
543 SSL_CTX *cctx = NULL, *sctx = NULL;
544 SSL *clientssl = NULL, *serverssl = NULL;
545 int testctr = 0, testresult = 0;
547 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
549 &sctx, &cctx, cert, privkey)))
551 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
553 /* The gimpy cipher list we configure can't do TLS 1.3. */
554 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
556 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
557 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
558 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
559 &clientssl, NULL, NULL))
560 || !TEST_false(create_ssl_connection(serverssl, clientssl,
561 SSL_ERROR_WANT_CLIENT_HELLO_CB))
563 * Passing a -1 literal is a hack since
564 * the real value was lost.
566 || !TEST_int_eq(SSL_get_error(serverssl, -1),
567 SSL_ERROR_WANT_CLIENT_HELLO_CB)
568 || !TEST_true(create_ssl_connection(serverssl, clientssl,
583 static int test_no_ems(void)
585 SSL_CTX *cctx = NULL, *sctx = NULL;
586 SSL *clientssl = NULL, *serverssl = NULL;
589 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
590 TLS1_VERSION, TLS1_2_VERSION,
591 &sctx, &cctx, cert, privkey)) {
592 printf("Unable to create SSL_CTX pair\n");
596 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
598 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
599 printf("Unable to create SSL objects\n");
603 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
604 printf("Creating SSL connection failed\n");
608 if (SSL_get_extms_support(serverssl)) {
609 printf("Server reports Extended Master Secret support\n");
613 if (SSL_get_extms_support(clientssl)) {
614 printf("Client reports Extended Master Secret support\n");
629 static int execute_test_large_message(const SSL_METHOD *smeth,
630 const SSL_METHOD *cmeth,
631 int min_version, int max_version,
634 SSL_CTX *cctx = NULL, *sctx = NULL;
635 SSL *clientssl = NULL, *serverssl = NULL;
639 X509 *chaincert = NULL;
642 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
644 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
647 if (!TEST_ptr(chaincert))
650 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
651 &sctx, &cctx, cert, privkey)))
656 * Test that read_ahead works correctly when dealing with large
659 SSL_CTX_set_read_ahead(cctx, 1);
663 * We assume the supplied certificate is big enough so that if we add
664 * NUM_EXTRA_CERTS it will make the overall message large enough. The
665 * default buffer size is requested to be 16k, but due to the way BUF_MEM
666 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
667 * test we need to have a message larger than that.
669 certlen = i2d_X509(chaincert, NULL);
670 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
671 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
672 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
673 if (!X509_up_ref(chaincert))
675 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
676 X509_free(chaincert);
681 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
683 || !TEST_true(create_ssl_connection(serverssl, clientssl,
688 * Calling SSL_clear() first is not required but this tests that SSL_clear()
689 * doesn't leak (when using enable-crypto-mdebug).
691 if (!TEST_true(SSL_clear(serverssl)))
696 X509_free(chaincert);
705 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
706 && !defined(OPENSSL_NO_SOCK)
708 /* sock must be connected */
709 static int ktls_chk_platform(int sock)
711 if (!ktls_enable(sock))
716 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
718 static char count = 1;
719 unsigned char cbuf[16000] = {0};
720 unsigned char sbuf[16000];
722 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
723 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
724 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
725 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
726 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
727 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
730 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
731 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
732 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
733 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
734 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
735 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
737 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
740 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
741 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
746 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
749 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
750 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
755 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
756 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
757 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
758 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
759 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
760 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
762 /* verify the payload */
763 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
766 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
767 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
768 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
769 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
772 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
773 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
777 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
778 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
779 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
782 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
783 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
787 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
788 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
796 static int execute_test_ktls(int cis_ktls_tx, int sis_ktls_tx)
798 SSL_CTX *cctx = NULL, *sctx = NULL;
799 SSL *clientssl = NULL, *serverssl = NULL;
803 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
806 /* Skip this test if the platform does not support ktls */
807 if (!ktls_chk_platform(cfd))
810 /* Create a session based on SHA-256 */
811 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
813 TLS1_2_VERSION, TLS1_2_VERSION,
814 &sctx, &cctx, cert, privkey))
815 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
816 "AES128-GCM-SHA256"))
817 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
818 &clientssl, sfd, cfd)))
822 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
827 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
831 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
836 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
839 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
844 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
847 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
851 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
857 SSL_shutdown(clientssl);
861 SSL_shutdown(serverssl);
866 serverssl = clientssl = NULL;
870 static int test_ktls_client_server(void)
872 return execute_test_ktls(1, 1);
875 static int test_ktls_no_client_server(void)
877 return execute_test_ktls(0, 1);
880 static int test_ktls_client_no_server(void)
882 return execute_test_ktls(1, 0);
885 static int test_ktls_no_client_no_server(void)
887 return execute_test_ktls(0, 0);
892 static int test_large_message_tls(void)
894 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
898 static int test_large_message_tls_read_ahead(void)
900 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
904 #ifndef OPENSSL_NO_DTLS
905 static int test_large_message_dtls(void)
908 * read_ahead is not relevant to DTLS because DTLS always acts as if
911 return execute_test_large_message(DTLS_server_method(),
912 DTLS_client_method(),
913 DTLS1_VERSION, 0, 0);
917 #ifndef OPENSSL_NO_OCSP
918 static int ocsp_server_cb(SSL *s, void *arg)
920 int *argi = (int *)arg;
921 unsigned char *copy = NULL;
922 STACK_OF(OCSP_RESPID) *ids = NULL;
923 OCSP_RESPID *id = NULL;
926 /* In this test we are expecting exactly 1 OCSP_RESPID */
927 SSL_get_tlsext_status_ids(s, &ids);
928 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
929 return SSL_TLSEXT_ERR_ALERT_FATAL;
931 id = sk_OCSP_RESPID_value(ids, 0);
932 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
933 return SSL_TLSEXT_ERR_ALERT_FATAL;
934 } else if (*argi != 1) {
935 return SSL_TLSEXT_ERR_ALERT_FATAL;
938 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
939 return SSL_TLSEXT_ERR_ALERT_FATAL;
941 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
942 ocsp_server_called = 1;
943 return SSL_TLSEXT_ERR_OK;
946 static int ocsp_client_cb(SSL *s, void *arg)
948 int *argi = (int *)arg;
949 const unsigned char *respderin;
952 if (*argi != 1 && *argi != 2)
955 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
956 if (!TEST_mem_eq(orespder, len, respderin, len))
959 ocsp_client_called = 1;
963 static int test_tlsext_status_type(void)
965 SSL_CTX *cctx = NULL, *sctx = NULL;
966 SSL *clientssl = NULL, *serverssl = NULL;
968 STACK_OF(OCSP_RESPID) *ids = NULL;
969 OCSP_RESPID *id = NULL;
972 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
974 &sctx, &cctx, cert, privkey))
977 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
980 /* First just do various checks getting and setting tlsext_status_type */
982 clientssl = SSL_new(cctx);
983 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
984 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
985 TLSEXT_STATUSTYPE_ocsp))
986 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
987 TLSEXT_STATUSTYPE_ocsp))
993 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
994 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
997 clientssl = SSL_new(cctx);
998 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1000 SSL_free(clientssl);
1004 * Now actually do a handshake and check OCSP information is exchanged and
1005 * the callbacks get called
1007 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1008 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1009 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1010 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1011 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1012 &clientssl, NULL, NULL))
1013 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1015 || !TEST_true(ocsp_client_called)
1016 || !TEST_true(ocsp_server_called))
1018 SSL_free(serverssl);
1019 SSL_free(clientssl);
1023 /* Try again but this time force the server side callback to fail */
1024 ocsp_client_called = 0;
1025 ocsp_server_called = 0;
1027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1028 &clientssl, NULL, NULL))
1029 /* This should fail because the callback will fail */
1030 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1032 || !TEST_false(ocsp_client_called)
1033 || !TEST_false(ocsp_server_called))
1035 SSL_free(serverssl);
1036 SSL_free(clientssl);
1041 * This time we'll get the client to send an OCSP_RESPID that it will
1044 ocsp_client_called = 0;
1045 ocsp_server_called = 0;
1047 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1048 &clientssl, NULL, NULL)))
1052 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1053 * specific one. We'll use the server cert.
1055 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1056 || !TEST_ptr(id = OCSP_RESPID_new())
1057 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1058 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1060 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1061 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1064 SSL_set_tlsext_status_ids(clientssl, ids);
1065 /* Control has been transferred */
1071 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1073 || !TEST_true(ocsp_client_called)
1074 || !TEST_true(ocsp_server_called))
1080 SSL_free(serverssl);
1081 SSL_free(clientssl);
1084 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1085 OCSP_RESPID_free(id);
1087 X509_free(ocspcert);
1094 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1095 static int new_called, remove_called, get_called;
1097 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1101 * sess has been up-refed for us, but we don't actually need it so free it
1104 SSL_SESSION_free(sess);
1108 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1113 static SSL_SESSION *get_sess_val = NULL;
1115 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1120 return get_sess_val;
1123 static int execute_test_session(int maxprot, int use_int_cache,
1126 SSL_CTX *sctx = NULL, *cctx = NULL;
1127 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1128 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1129 # ifndef OPENSSL_NO_TLS1_1
1130 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1132 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1133 int testresult = 0, numnewsesstick = 1;
1135 new_called = remove_called = 0;
1137 /* TLSv1.3 sends 2 NewSessionTickets */
1138 if (maxprot == TLS1_3_VERSION)
1141 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1143 &sctx, &cctx, cert, privkey)))
1147 * Only allow the max protocol version so we can force a connection failure
1150 SSL_CTX_set_min_proto_version(cctx, maxprot);
1151 SSL_CTX_set_max_proto_version(cctx, maxprot);
1153 /* Set up session cache */
1154 if (use_ext_cache) {
1155 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1156 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1158 if (use_int_cache) {
1159 /* Also covers instance where both are set */
1160 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1162 SSL_CTX_set_session_cache_mode(cctx,
1163 SSL_SESS_CACHE_CLIENT
1164 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1167 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1169 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1171 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1174 /* Should fail because it should already be in the cache */
1175 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1178 && (!TEST_int_eq(new_called, numnewsesstick)
1180 || !TEST_int_eq(remove_called, 0)))
1183 new_called = remove_called = 0;
1184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1185 &clientssl2, NULL, NULL))
1186 || !TEST_true(SSL_set_session(clientssl2, sess1))
1187 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1189 || !TEST_true(SSL_session_reused(clientssl2)))
1192 if (maxprot == TLS1_3_VERSION) {
1194 * In TLSv1.3 we should have created a new session even though we have
1195 * resumed. Since we attempted a resume we should also have removed the
1196 * old ticket from the cache so that we try to only use tickets once.
1199 && (!TEST_int_eq(new_called, 1)
1200 || !TEST_int_eq(remove_called, 1)))
1204 * In TLSv1.2 we expect to have resumed so no sessions added or
1208 && (!TEST_int_eq(new_called, 0)
1209 || !TEST_int_eq(remove_called, 0)))
1213 SSL_SESSION_free(sess1);
1214 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1216 shutdown_ssl_connection(serverssl2, clientssl2);
1217 serverssl2 = clientssl2 = NULL;
1219 new_called = remove_called = 0;
1220 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1221 &clientssl2, NULL, NULL))
1222 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1226 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1230 && (!TEST_int_eq(new_called, numnewsesstick)
1231 || !TEST_int_eq(remove_called, 0)))
1234 new_called = remove_called = 0;
1236 * This should clear sess2 from the cache because it is a "bad" session.
1237 * See SSL_set_session() documentation.
1239 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1242 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1244 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1247 if (use_int_cache) {
1248 /* Should succeeded because it should not already be in the cache */
1249 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1250 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1254 new_called = remove_called = 0;
1255 /* This shouldn't be in the cache so should fail */
1256 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1260 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1263 # if !defined(OPENSSL_NO_TLS1_1)
1264 new_called = remove_called = 0;
1265 /* Force a connection failure */
1266 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1267 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1268 &clientssl3, NULL, NULL))
1269 || !TEST_true(SSL_set_session(clientssl3, sess1))
1270 /* This should fail because of the mismatched protocol versions */
1271 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1275 /* We should have automatically removed the session from the cache */
1277 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1280 /* Should succeed because it should not already be in the cache */
1281 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1285 /* Now do some tests for server side caching */
1286 if (use_ext_cache) {
1287 SSL_CTX_sess_set_new_cb(cctx, NULL);
1288 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1289 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1290 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1291 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1292 get_sess_val = NULL;
1295 SSL_CTX_set_session_cache_mode(cctx, 0);
1296 /* Internal caching is the default on the server side */
1298 SSL_CTX_set_session_cache_mode(sctx,
1299 SSL_SESS_CACHE_SERVER
1300 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1302 SSL_free(serverssl1);
1303 SSL_free(clientssl1);
1304 serverssl1 = clientssl1 = NULL;
1305 SSL_free(serverssl2);
1306 SSL_free(clientssl2);
1307 serverssl2 = clientssl2 = NULL;
1308 SSL_SESSION_free(sess1);
1310 SSL_SESSION_free(sess2);
1313 SSL_CTX_set_max_proto_version(sctx, maxprot);
1314 if (maxprot == TLS1_2_VERSION)
1315 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1316 new_called = remove_called = get_called = 0;
1317 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1319 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1321 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1322 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1325 if (use_int_cache) {
1326 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1328 * In TLSv1.3 it should not have been added to the internal cache,
1329 * except in the case where we also have an external cache (in that
1330 * case it gets added to the cache in order to generate remove
1331 * events after timeout).
1333 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1336 /* Should fail because it should already be in the cache */
1337 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1342 if (use_ext_cache) {
1343 SSL_SESSION *tmp = sess2;
1345 if (!TEST_int_eq(new_called, numnewsesstick)
1346 || !TEST_int_eq(remove_called, 0)
1347 || !TEST_int_eq(get_called, 0))
1350 * Delete the session from the internal cache to force a lookup from
1351 * the external cache. We take a copy first because
1352 * SSL_CTX_remove_session() also marks the session as non-resumable.
1354 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1355 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1356 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1358 SSL_SESSION_free(sess2);
1363 new_called = remove_called = get_called = 0;
1364 get_sess_val = sess2;
1365 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1366 &clientssl2, NULL, NULL))
1367 || !TEST_true(SSL_set_session(clientssl2, sess1))
1368 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1370 || !TEST_true(SSL_session_reused(clientssl2)))
1373 if (use_ext_cache) {
1374 if (!TEST_int_eq(remove_called, 0))
1377 if (maxprot == TLS1_3_VERSION) {
1378 if (!TEST_int_eq(new_called, 1)
1379 || !TEST_int_eq(get_called, 0))
1382 if (!TEST_int_eq(new_called, 0)
1383 || !TEST_int_eq(get_called, 1))
1391 SSL_free(serverssl1);
1392 SSL_free(clientssl1);
1393 SSL_free(serverssl2);
1394 SSL_free(clientssl2);
1395 # ifndef OPENSSL_NO_TLS1_1
1396 SSL_free(serverssl3);
1397 SSL_free(clientssl3);
1399 SSL_SESSION_free(sess1);
1400 SSL_SESSION_free(sess2);
1406 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1408 static int test_session_with_only_int_cache(void)
1410 #ifndef OPENSSL_NO_TLS1_3
1411 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1415 #ifndef OPENSSL_NO_TLS1_2
1416 return execute_test_session(TLS1_2_VERSION, 1, 0);
1422 static int test_session_with_only_ext_cache(void)
1424 #ifndef OPENSSL_NO_TLS1_3
1425 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1429 #ifndef OPENSSL_NO_TLS1_2
1430 return execute_test_session(TLS1_2_VERSION, 0, 1);
1436 static int test_session_with_both_cache(void)
1438 #ifndef OPENSSL_NO_TLS1_3
1439 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1443 #ifndef OPENSSL_NO_TLS1_2
1444 return execute_test_session(TLS1_2_VERSION, 1, 1);
1450 #ifndef OPENSSL_NO_TLS1_3
1451 static SSL_SESSION *sesscache[6];
1452 static int do_cache;
1454 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1457 sesscache[new_called] = sess;
1459 /* We don't need the reference to the session, so free it */
1460 SSL_SESSION_free(sess);
1467 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1469 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1470 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1473 /* Start handshake on the server and client */
1474 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1475 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1476 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1477 || !TEST_true(create_ssl_connection(sssl, cssl,
1484 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1487 int sess_id_ctx = 1;
1489 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1490 TLS1_VERSION, 0, sctx,
1491 cctx, cert, privkey))
1492 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1493 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1494 (void *)&sess_id_ctx,
1495 sizeof(sess_id_ctx))))
1499 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1501 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1502 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1503 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1508 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1510 SSL *serverssl = NULL, *clientssl = NULL;
1513 /* Test that we can resume with all the tickets we got given */
1514 for (i = 0; i < idx * 2; i++) {
1516 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1517 &clientssl, NULL, NULL))
1518 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1521 SSL_set_post_handshake_auth(clientssl, 1);
1523 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1528 * Following a successful resumption we only get 1 ticket. After a
1529 * failed one we should get idx tickets.
1532 if (!TEST_true(SSL_session_reused(clientssl))
1533 || !TEST_int_eq(new_called, 1))
1536 if (!TEST_false(SSL_session_reused(clientssl))
1537 || !TEST_int_eq(new_called, idx))
1542 /* After a post-handshake authentication we should get 1 new ticket */
1544 && (!post_handshake_verify(serverssl, clientssl)
1545 || !TEST_int_eq(new_called, 1)))
1548 SSL_shutdown(clientssl);
1549 SSL_shutdown(serverssl);
1550 SSL_free(serverssl);
1551 SSL_free(clientssl);
1552 serverssl = clientssl = NULL;
1553 SSL_SESSION_free(sesscache[i]);
1554 sesscache[i] = NULL;
1560 SSL_free(clientssl);
1561 SSL_free(serverssl);
1565 static int test_tickets(int stateful, int idx)
1567 SSL_CTX *sctx = NULL, *cctx = NULL;
1568 SSL *serverssl = NULL, *clientssl = NULL;
1572 /* idx is the test number, but also the number of tickets we want */
1577 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1580 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1581 &clientssl, NULL, NULL)))
1584 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1586 /* Check we got the number of tickets we were expecting */
1587 || !TEST_int_eq(idx, new_called))
1590 SSL_shutdown(clientssl);
1591 SSL_shutdown(serverssl);
1592 SSL_free(serverssl);
1593 SSL_free(clientssl);
1596 clientssl = serverssl = NULL;
1600 * Now we try to resume with the tickets we previously created. The
1601 * resumption attempt is expected to fail (because we're now using a new
1602 * SSL_CTX). We should see idx number of tickets issued again.
1605 /* Stop caching sessions - just count them */
1608 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1611 if (!check_resumption(idx, sctx, cctx, 0))
1614 /* Start again with caching sessions */
1621 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1624 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1625 &clientssl, NULL, NULL)))
1628 SSL_set_post_handshake_auth(clientssl, 1);
1630 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1632 /* Check we got the number of tickets we were expecting */
1633 || !TEST_int_eq(idx, new_called))
1636 /* After a post-handshake authentication we should get new tickets issued */
1637 if (!post_handshake_verify(serverssl, clientssl)
1638 || !TEST_int_eq(idx * 2, new_called))
1641 SSL_shutdown(clientssl);
1642 SSL_shutdown(serverssl);
1643 SSL_free(serverssl);
1644 SSL_free(clientssl);
1645 serverssl = clientssl = NULL;
1647 /* Stop caching sessions - just count them */
1651 * Check we can resume with all the tickets we created. This time around the
1652 * resumptions should all be successful.
1654 if (!check_resumption(idx, sctx, cctx, 1))
1660 SSL_free(serverssl);
1661 SSL_free(clientssl);
1662 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1663 SSL_SESSION_free(sesscache[j]);
1664 sesscache[j] = NULL;
1672 static int test_stateless_tickets(int idx)
1674 return test_tickets(0, idx);
1677 static int test_stateful_tickets(int idx)
1679 return test_tickets(1, idx);
1682 static int test_psk_tickets(void)
1684 SSL_CTX *sctx = NULL, *cctx = NULL;
1685 SSL *serverssl = NULL, *clientssl = NULL;
1687 int sess_id_ctx = 1;
1689 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1690 TLS1_VERSION, 0, &sctx,
1692 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1693 (void *)&sess_id_ctx,
1694 sizeof(sess_id_ctx))))
1697 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1698 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1699 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1700 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1701 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1702 use_session_cb_cnt = 0;
1703 find_session_cb_cnt = 0;
1707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1710 clientpsk = serverpsk = create_a_psk(clientssl);
1711 if (!TEST_ptr(clientpsk))
1713 SSL_SESSION_up_ref(clientpsk);
1715 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1717 || !TEST_int_eq(1, find_session_cb_cnt)
1718 || !TEST_int_eq(1, use_session_cb_cnt)
1719 /* We should always get 1 ticket when using external PSK */
1720 || !TEST_int_eq(1, new_called))
1726 SSL_free(serverssl);
1727 SSL_free(clientssl);
1730 SSL_SESSION_free(clientpsk);
1731 SSL_SESSION_free(serverpsk);
1732 clientpsk = serverpsk = NULL;
1741 #define USE_DEFAULT 3
1743 #define CONNTYPE_CONNECTION_SUCCESS 0
1744 #define CONNTYPE_CONNECTION_FAIL 1
1745 #define CONNTYPE_NO_CONNECTION 2
1747 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1748 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1749 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1750 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1752 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1755 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1756 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1757 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1759 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1776 * Tests calls to SSL_set_bio() under various conditions.
1778 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1779 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1780 * then do more tests where we create a successful connection first using our
1781 * standard connection setup functions, and then call SSL_set_bio() with
1782 * various combinations of valid BIOs or NULL. We then repeat these tests
1783 * following a failed connection. In this last case we are looking to check that
1784 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1786 static int test_ssl_set_bio(int idx)
1788 SSL_CTX *sctx = NULL, *cctx = NULL;
1791 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1792 SSL *serverssl = NULL, *clientssl = NULL;
1793 int initrbio, initwbio, newrbio, newwbio, conntype;
1796 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1804 conntype = CONNTYPE_NO_CONNECTION;
1806 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1807 initrbio = initwbio = USE_DEFAULT;
1815 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1817 &sctx, &cctx, cert, privkey)))
1820 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1822 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1823 * because we reduced the number of tests in the definition of
1824 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1825 * mismatched protocol versions we will force a connection failure.
1827 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1828 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1831 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1835 if (initrbio == USE_BIO_1
1836 || initwbio == USE_BIO_1
1837 || newrbio == USE_BIO_1
1838 || newwbio == USE_BIO_1) {
1839 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1843 if (initrbio == USE_BIO_2
1844 || initwbio == USE_BIO_2
1845 || newrbio == USE_BIO_2
1846 || newwbio == USE_BIO_2) {
1847 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1851 if (initrbio != USE_DEFAULT) {
1852 setupbio(&irbio, bio1, bio2, initrbio);
1853 setupbio(&iwbio, bio1, bio2, initwbio);
1854 SSL_set_bio(clientssl, irbio, iwbio);
1857 * We want to maintain our own refs to these BIO, so do an up ref for
1858 * each BIO that will have ownership transferred in the SSL_set_bio()
1863 if (iwbio != NULL && iwbio != irbio)
1867 if (conntype != CONNTYPE_NO_CONNECTION
1868 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1870 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1873 setupbio(&nrbio, bio1, bio2, newrbio);
1874 setupbio(&nwbio, bio1, bio2, newwbio);
1877 * We will (maybe) transfer ownership again so do more up refs.
1878 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1883 && (nwbio != iwbio || nrbio != nwbio))
1887 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1890 SSL_set_bio(clientssl, nrbio, nwbio);
1899 * This test is checking that the ref counting for SSL_set_bio is correct.
1900 * If we get here and we did too many frees then we will fail in the above
1901 * functions. If we haven't done enough then this will only be detected in
1902 * a crypto-mdebug build
1904 SSL_free(serverssl);
1905 SSL_free(clientssl);
1911 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1913 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1915 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1920 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1921 || !TEST_ptr(ssl = SSL_new(ctx))
1922 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1923 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1926 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1929 * If anything goes wrong here then we could leak memory, so this will
1930 * be caught in a crypto-mdebug build
1932 BIO_push(sslbio, membio1);
1934 /* Verify changing the rbio/wbio directly does not cause leaks */
1935 if (change_bio != NO_BIO_CHANGE) {
1936 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1938 if (change_bio == CHANGE_RBIO)
1939 SSL_set0_rbio(ssl, membio2);
1941 SSL_set0_wbio(ssl, membio2);
1960 static int test_ssl_bio_pop_next_bio(void)
1962 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1965 static int test_ssl_bio_pop_ssl_bio(void)
1967 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1970 static int test_ssl_bio_change_rbio(void)
1972 return execute_test_ssl_bio(0, CHANGE_RBIO);
1975 static int test_ssl_bio_change_wbio(void)
1977 return execute_test_ssl_bio(0, CHANGE_WBIO);
1980 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1982 /* The list of sig algs */
1984 /* The length of the list */
1986 /* A sigalgs list in string format */
1987 const char *liststr;
1988 /* Whether setting the list should succeed */
1990 /* Whether creating a connection with the list should succeed */
1994 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1995 # ifndef OPENSSL_NO_EC
1996 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1997 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1999 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2000 static const int invalidlist2[] = {NID_sha256, NID_undef};
2001 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2002 static const int invalidlist4[] = {NID_sha256};
2003 static const sigalgs_list testsigalgs[] = {
2004 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2005 # ifndef OPENSSL_NO_EC
2006 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2007 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2009 {NULL, 0, "RSA+SHA256", 1, 1},
2010 # ifndef OPENSSL_NO_EC
2011 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2012 {NULL, 0, "ECDSA+SHA512", 1, 0},
2014 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2015 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2016 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2017 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2018 {NULL, 0, "RSA", 0, 0},
2019 {NULL, 0, "SHA256", 0, 0},
2020 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2021 {NULL, 0, "Invalid", 0, 0}
2024 static int test_set_sigalgs(int idx)
2026 SSL_CTX *cctx = NULL, *sctx = NULL;
2027 SSL *clientssl = NULL, *serverssl = NULL;
2029 const sigalgs_list *curr;
2032 /* Should never happen */
2033 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2036 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2037 curr = testctx ? &testsigalgs[idx]
2038 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2040 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2042 &sctx, &cctx, cert, privkey)))
2046 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2047 * for TLSv1.2 for now until we add a new API.
2049 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2054 if (curr->list != NULL)
2055 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2057 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2061 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2067 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2072 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2073 &clientssl, NULL, NULL)))
2079 if (curr->list != NULL)
2080 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2082 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2085 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2094 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2102 SSL_free(serverssl);
2103 SSL_free(clientssl);
2111 #ifndef OPENSSL_NO_TLS1_3
2112 static int psk_client_cb_cnt = 0;
2113 static int psk_server_cb_cnt = 0;
2115 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2116 size_t *idlen, SSL_SESSION **sess)
2118 switch (++use_session_cb_cnt) {
2120 /* The first call should always have a NULL md */
2126 /* The second call should always have an md */
2132 /* We should only be called a maximum of twice */
2136 if (clientpsk != NULL)
2137 SSL_SESSION_up_ref(clientpsk);
2140 *id = (const unsigned char *)pskid;
2141 *idlen = strlen(pskid);
2146 #ifndef OPENSSL_NO_PSK
2147 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2148 unsigned int max_id_len,
2150 unsigned int max_psk_len)
2152 unsigned int psklen = 0;
2154 psk_client_cb_cnt++;
2156 if (strlen(pskid) + 1 > max_id_len)
2159 /* We should only ever be called a maximum of twice per connection */
2160 if (psk_client_cb_cnt > 2)
2163 if (clientpsk == NULL)
2166 /* We'll reuse the PSK we set up for TLSv1.3 */
2167 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2169 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2170 strncpy(id, pskid, max_id_len);
2174 #endif /* OPENSSL_NO_PSK */
2176 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2177 size_t identity_len, SSL_SESSION **sess)
2179 find_session_cb_cnt++;
2181 /* We should only ever be called a maximum of twice per connection */
2182 if (find_session_cb_cnt > 2)
2185 if (serverpsk == NULL)
2188 /* Identity should match that set by the client */
2189 if (strlen(srvid) != identity_len
2190 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2191 /* No PSK found, continue but without a PSK */
2196 SSL_SESSION_up_ref(serverpsk);
2202 #ifndef OPENSSL_NO_PSK
2203 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2204 unsigned char *psk, unsigned int max_psk_len)
2206 unsigned int psklen = 0;
2208 psk_server_cb_cnt++;
2210 /* We should only ever be called a maximum of twice per connection */
2211 if (find_session_cb_cnt > 2)
2214 if (serverpsk == NULL)
2217 /* Identity should match that set by the client */
2218 if (strcmp(srvid, identity) != 0) {
2222 /* We'll reuse the PSK we set up for TLSv1.3 */
2223 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2225 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2229 #endif /* OPENSSL_NO_PSK */
2231 #define MSG1 "Hello"
2232 #define MSG2 "World."
2237 #define MSG7 "message."
2239 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2240 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2243 static SSL_SESSION *create_a_psk(SSL *ssl)
2245 const SSL_CIPHER *cipher = NULL;
2246 const unsigned char key[] = {
2247 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2248 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2249 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2250 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2251 0x2c, 0x2d, 0x2e, 0x2f
2253 SSL_SESSION *sess = NULL;
2255 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2256 sess = SSL_SESSION_new();
2258 || !TEST_ptr(cipher)
2259 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2261 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2263 SSL_SESSION_set_protocol_version(sess,
2265 SSL_SESSION_free(sess);
2272 * Helper method to setup objects for early data test. Caller frees objects on
2275 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2276 SSL **serverssl, SSL_SESSION **sess, int idx)
2279 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2280 TLS_client_method(),
2282 sctx, cctx, cert, privkey)))
2285 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2289 /* When idx == 1 we repeat the tests with read_ahead set */
2290 SSL_CTX_set_read_ahead(*cctx, 1);
2291 SSL_CTX_set_read_ahead(*sctx, 1);
2292 } else if (idx == 2) {
2293 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2294 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2295 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2296 use_session_cb_cnt = 0;
2297 find_session_cb_cnt = 0;
2301 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2306 * For one of the run throughs (doesn't matter which one), we'll try sending
2307 * some SNI data in the initial ClientHello. This will be ignored (because
2308 * there is no SNI cb set up by the server), so it should not impact
2312 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2316 clientpsk = create_a_psk(*clientssl);
2317 if (!TEST_ptr(clientpsk)
2319 * We just choose an arbitrary value for max_early_data which
2320 * should be big enough for testing purposes.
2322 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2324 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2325 SSL_SESSION_free(clientpsk);
2329 serverpsk = clientpsk;
2332 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2333 SSL_SESSION_free(clientpsk);
2334 SSL_SESSION_free(serverpsk);
2335 clientpsk = serverpsk = NULL;
2346 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2350 *sess = SSL_get1_session(*clientssl);
2351 SSL_shutdown(*clientssl);
2352 SSL_shutdown(*serverssl);
2353 SSL_free(*serverssl);
2354 SSL_free(*clientssl);
2355 *serverssl = *clientssl = NULL;
2357 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2358 clientssl, NULL, NULL))
2359 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2365 static int test_early_data_read_write(int idx)
2367 SSL_CTX *cctx = NULL, *sctx = NULL;
2368 SSL *clientssl = NULL, *serverssl = NULL;
2370 SSL_SESSION *sess = NULL;
2371 unsigned char buf[20], data[1024];
2372 size_t readbytes, written, eoedlen, rawread, rawwritten;
2375 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2376 &serverssl, &sess, idx)))
2379 /* Write and read some early data */
2380 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2382 || !TEST_size_t_eq(written, strlen(MSG1))
2383 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2384 sizeof(buf), &readbytes),
2385 SSL_READ_EARLY_DATA_SUCCESS)
2386 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2387 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2388 SSL_EARLY_DATA_ACCEPTED))
2392 * Server should be able to write data, and client should be able to
2395 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2397 || !TEST_size_t_eq(written, strlen(MSG2))
2398 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2399 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2402 /* Even after reading normal data, client should be able write early data */
2403 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2405 || !TEST_size_t_eq(written, strlen(MSG3)))
2408 /* Server should still be able read early data after writing data */
2409 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2411 SSL_READ_EARLY_DATA_SUCCESS)
2412 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2415 /* Write more data from server and read it from client */
2416 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2418 || !TEST_size_t_eq(written, strlen(MSG4))
2419 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2420 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2424 * If client writes normal data it should mean writing early data is no
2427 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2428 || !TEST_size_t_eq(written, strlen(MSG5))
2429 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2430 SSL_EARLY_DATA_ACCEPTED))
2434 * At this point the client has written EndOfEarlyData, ClientFinished and
2435 * normal (fully protected) data. We are going to cause a delay between the
2436 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2437 * in the read BIO, and then just put back the EndOfEarlyData message.
2439 rbio = SSL_get_rbio(serverssl);
2440 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2441 || !TEST_size_t_lt(rawread, sizeof(data))
2442 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2445 /* Record length is in the 4th and 5th bytes of the record header */
2446 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2447 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2448 || !TEST_size_t_eq(rawwritten, eoedlen))
2451 /* Server should be told that there is no more early data */
2452 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2454 SSL_READ_EARLY_DATA_FINISH)
2455 || !TEST_size_t_eq(readbytes, 0))
2459 * Server has not finished init yet, so should still be able to write early
2462 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2464 || !TEST_size_t_eq(written, strlen(MSG6)))
2467 /* Push the ClientFinished and the normal data back into the server rbio */
2468 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2470 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2473 /* Server should be able to read normal data */
2474 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2475 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2478 /* Client and server should not be able to write/read early data now */
2479 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2483 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2485 SSL_READ_EARLY_DATA_ERROR))
2489 /* Client should be able to read the data sent by the server */
2490 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2491 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2495 * Make sure we process the two NewSessionTickets. These arrive
2496 * post-handshake. We attempt reads which we do not expect to return any
2499 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2500 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2504 /* Server should be able to write normal data */
2505 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2506 || !TEST_size_t_eq(written, strlen(MSG7))
2507 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2508 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2511 SSL_SESSION_free(sess);
2512 sess = SSL_get1_session(clientssl);
2513 use_session_cb_cnt = 0;
2514 find_session_cb_cnt = 0;
2516 SSL_shutdown(clientssl);
2517 SSL_shutdown(serverssl);
2518 SSL_free(serverssl);
2519 SSL_free(clientssl);
2520 serverssl = clientssl = NULL;
2521 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2522 &clientssl, NULL, NULL))
2523 || !TEST_true(SSL_set_session(clientssl, sess)))
2526 /* Write and read some early data */
2527 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2529 || !TEST_size_t_eq(written, strlen(MSG1))
2530 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2532 SSL_READ_EARLY_DATA_SUCCESS)
2533 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2536 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2537 || !TEST_int_gt(SSL_accept(serverssl), 0))
2540 /* Client and server should not be able to write/read early data now */
2541 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2545 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2547 SSL_READ_EARLY_DATA_ERROR))
2551 /* Client and server should be able to write/read normal data */
2552 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2553 || !TEST_size_t_eq(written, strlen(MSG5))
2554 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2555 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2561 SSL_SESSION_free(sess);
2562 SSL_SESSION_free(clientpsk);
2563 SSL_SESSION_free(serverpsk);
2564 clientpsk = serverpsk = NULL;
2565 SSL_free(serverssl);
2566 SSL_free(clientssl);
2572 static int allow_ed_cb_called = 0;
2574 static int allow_early_data_cb(SSL *s, void *arg)
2576 int *usecb = (int *)arg;
2578 allow_ed_cb_called++;
2587 * idx == 0: Standard early_data setup
2588 * idx == 1: early_data setup using read_ahead
2589 * usecb == 0: Don't use a custom early data callback
2590 * usecb == 1: Use a custom early data callback and reject the early data
2591 * usecb == 2: Use a custom early data callback and accept the early data
2592 * confopt == 0: Configure anti-replay directly
2593 * confopt == 1: Configure anti-replay using SSL_CONF
2595 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2597 SSL_CTX *cctx = NULL, *sctx = NULL;
2598 SSL *clientssl = NULL, *serverssl = NULL;
2600 SSL_SESSION *sess = NULL;
2601 size_t readbytes, written;
2602 unsigned char buf[20];
2604 allow_ed_cb_called = 0;
2606 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2607 TLS1_VERSION, 0, &sctx,
2608 &cctx, cert, privkey)))
2613 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2615 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2617 if (!TEST_ptr(confctx))
2619 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2620 | SSL_CONF_FLAG_SERVER);
2621 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2622 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2624 SSL_CONF_CTX_free(confctx);
2627 SSL_CONF_CTX_free(confctx);
2629 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2632 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2633 &serverssl, &sess, idx)))
2637 * The server is configured to accept early data. Create a connection to
2638 * "use up" the ticket
2640 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2641 || !TEST_true(SSL_session_reused(clientssl)))
2644 SSL_shutdown(clientssl);
2645 SSL_shutdown(serverssl);
2646 SSL_free(serverssl);
2647 SSL_free(clientssl);
2648 serverssl = clientssl = NULL;
2650 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2651 &clientssl, NULL, NULL))
2652 || !TEST_true(SSL_set_session(clientssl, sess)))
2655 /* Write and read some early data */
2656 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2658 || !TEST_size_t_eq(written, strlen(MSG1)))
2662 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2664 SSL_READ_EARLY_DATA_FINISH)
2666 * The ticket was reused, so the we should have rejected the
2669 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2670 SSL_EARLY_DATA_REJECTED))
2673 /* In this case the callback decides to accept the early data */
2674 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2676 SSL_READ_EARLY_DATA_SUCCESS)
2677 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2679 * Server will have sent its flight so client can now send
2680 * end of early data and complete its half of the handshake
2682 || !TEST_int_gt(SSL_connect(clientssl), 0)
2683 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2685 SSL_READ_EARLY_DATA_FINISH)
2686 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2687 SSL_EARLY_DATA_ACCEPTED))
2691 /* Complete the connection */
2692 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2693 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2694 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2700 SSL_SESSION_free(sess);
2701 SSL_SESSION_free(clientpsk);
2702 SSL_SESSION_free(serverpsk);
2703 clientpsk = serverpsk = NULL;
2704 SSL_free(serverssl);
2705 SSL_free(clientssl);
2711 static int test_early_data_replay(int idx)
2713 int ret = 1, usecb, confopt;
2715 for (usecb = 0; usecb < 3; usecb++) {
2716 for (confopt = 0; confopt < 2; confopt++)
2717 ret &= test_early_data_replay_int(idx, usecb, confopt);
2724 * Helper function to test that a server attempting to read early data can
2725 * handle a connection from a client where the early data should be skipped.
2726 * testtype: 0 == No HRR
2727 * testtype: 1 == HRR
2728 * testtype: 2 == HRR, invalid early_data sent after HRR
2729 * testtype: 3 == recv_max_early_data set to 0
2731 static int early_data_skip_helper(int testtype, int idx)
2733 SSL_CTX *cctx = NULL, *sctx = NULL;
2734 SSL *clientssl = NULL, *serverssl = NULL;
2736 SSL_SESSION *sess = NULL;
2737 unsigned char buf[20];
2738 size_t readbytes, written;
2740 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2741 &serverssl, &sess, idx)))
2744 if (testtype == 1 || testtype == 2) {
2745 /* Force an HRR to occur */
2746 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2748 } else if (idx == 2) {
2750 * We force early_data rejection by ensuring the PSK identity is
2753 srvid = "Dummy Identity";
2756 * Deliberately corrupt the creation time. We take 20 seconds off the
2757 * time. It could be any value as long as it is not within tolerance.
2758 * This should mean the ticket is rejected.
2760 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2765 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2768 /* Write some early data */
2769 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2771 || !TEST_size_t_eq(written, strlen(MSG1)))
2774 /* Server should reject the early data */
2775 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2777 SSL_READ_EARLY_DATA_FINISH)
2778 || !TEST_size_t_eq(readbytes, 0)
2779 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2780 SSL_EARLY_DATA_REJECTED))
2790 * Finish off the handshake. We perform the same writes and reads as
2791 * further down but we expect them to fail due to the incomplete
2794 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2795 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2802 BIO *wbio = SSL_get_wbio(clientssl);
2803 /* A record that will appear as bad early_data */
2804 const unsigned char bad_early_data[] = {
2805 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2809 * We force the client to attempt a write. This will fail because
2810 * we're still in the handshake. It will cause the second
2811 * ClientHello to be sent.
2813 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2818 * Inject some early_data after the second ClientHello. This should
2819 * cause the server to fail
2821 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2822 sizeof(bad_early_data), &written)))
2829 * This client has sent more early_data than we are willing to skip
2830 * (case 3) or sent invalid early_data (case 2) so the connection should
2833 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2834 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2837 /* Connection has failed - nothing more to do */
2842 TEST_error("Invalid test type");
2847 * Should be able to send normal data despite rejection of early data. The
2848 * early_data should be skipped.
2850 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2851 || !TEST_size_t_eq(written, strlen(MSG2))
2852 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2853 SSL_EARLY_DATA_REJECTED)
2854 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2855 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2861 SSL_SESSION_free(clientpsk);
2862 SSL_SESSION_free(serverpsk);
2863 clientpsk = serverpsk = NULL;
2864 SSL_SESSION_free(sess);
2865 SSL_free(serverssl);
2866 SSL_free(clientssl);
2873 * Test that a server attempting to read early data can handle a connection
2874 * from a client where the early data is not acceptable.
2876 static int test_early_data_skip(int idx)
2878 return early_data_skip_helper(0, idx);
2882 * Test that a server attempting to read early data can handle a connection
2883 * from a client where an HRR occurs.
2885 static int test_early_data_skip_hrr(int idx)
2887 return early_data_skip_helper(1, idx);
2891 * Test that a server attempting to read early data can handle a connection
2892 * from a client where an HRR occurs and correctly fails if early_data is sent
2895 static int test_early_data_skip_hrr_fail(int idx)
2897 return early_data_skip_helper(2, idx);
2901 * Test that a server attempting to read early data will abort if it tries to
2902 * skip over too much.
2904 static int test_early_data_skip_abort(int idx)
2906 return early_data_skip_helper(3, idx);
2910 * Test that a server attempting to read early data can handle a connection
2911 * from a client that doesn't send any.
2913 static int test_early_data_not_sent(int idx)
2915 SSL_CTX *cctx = NULL, *sctx = NULL;
2916 SSL *clientssl = NULL, *serverssl = NULL;
2918 SSL_SESSION *sess = NULL;
2919 unsigned char buf[20];
2920 size_t readbytes, written;
2922 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2923 &serverssl, &sess, idx)))
2926 /* Write some data - should block due to handshake with server */
2927 SSL_set_connect_state(clientssl);
2928 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2931 /* Server should detect that early data has not been sent */
2932 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2934 SSL_READ_EARLY_DATA_FINISH)
2935 || !TEST_size_t_eq(readbytes, 0)
2936 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2937 SSL_EARLY_DATA_NOT_SENT)
2938 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2939 SSL_EARLY_DATA_NOT_SENT))
2942 /* Continue writing the message we started earlier */
2943 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2944 || !TEST_size_t_eq(written, strlen(MSG1))
2945 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2946 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2947 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2948 || !TEST_size_t_eq(written, strlen(MSG2)))
2951 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2952 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2958 SSL_SESSION_free(sess);
2959 SSL_SESSION_free(clientpsk);
2960 SSL_SESSION_free(serverpsk);
2961 clientpsk = serverpsk = NULL;
2962 SSL_free(serverssl);
2963 SSL_free(clientssl);
2969 static int hostname_cb(SSL *s, int *al, void *arg)
2971 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2973 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2974 return SSL_TLSEXT_ERR_OK;
2976 return SSL_TLSEXT_ERR_NOACK;
2979 static const char *servalpn;
2981 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2982 unsigned char *outlen, const unsigned char *in,
2983 unsigned int inlen, void *arg)
2985 unsigned int protlen = 0;
2986 const unsigned char *prot;
2988 for (prot = in; prot < in + inlen; prot += protlen) {
2990 if (in + inlen < prot + protlen)
2991 return SSL_TLSEXT_ERR_NOACK;
2993 if (protlen == strlen(servalpn)
2994 && memcmp(prot, servalpn, protlen) == 0) {
2997 return SSL_TLSEXT_ERR_OK;
3001 return SSL_TLSEXT_ERR_NOACK;
3004 /* Test that a PSK can be used to send early_data */
3005 static int test_early_data_psk(int idx)
3007 SSL_CTX *cctx = NULL, *sctx = NULL;
3008 SSL *clientssl = NULL, *serverssl = NULL;
3010 SSL_SESSION *sess = NULL;
3011 unsigned char alpnlist[] = {
3012 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3015 #define GOODALPNLEN 9
3016 #define BADALPNLEN 8
3017 #define GOODALPN (alpnlist)
3018 #define BADALPN (alpnlist + GOODALPNLEN)
3020 unsigned char buf[20];
3021 size_t readbytes, written;
3022 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3023 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3025 /* We always set this up with a final parameter of "2" for PSK */
3026 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3027 &serverssl, &sess, 2)))
3030 servalpn = "goodalpn";
3033 * Note: There is no test for inconsistent SNI with late client detection.
3034 * This is because servers do not acknowledge SNI even if they are using
3035 * it in a resumption handshake - so it is not actually possible for a
3036 * client to detect a problem.
3040 /* Set inconsistent SNI (early client detection) */
3041 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3042 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3043 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3048 /* Set inconsistent ALPN (early client detection) */
3049 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3050 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3051 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3053 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3060 * Set invalid protocol version. Technically this affects PSKs without
3061 * early_data too, but we test it here because it is similar to the
3062 * SNI/ALPN consistency tests.
3064 err = SSL_R_BAD_PSK;
3065 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3071 * Set inconsistent SNI (server detected). In this case the connection
3072 * will succeed but reject early_data.
3074 SSL_SESSION_free(serverpsk);
3075 serverpsk = SSL_SESSION_dup(clientpsk);
3076 if (!TEST_ptr(serverpsk)
3077 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3079 edstatus = SSL_EARLY_DATA_REJECTED;
3080 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3083 /* Set consistent SNI */
3084 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3085 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3086 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3093 * Set inconsistent ALPN (server detected). In this case the connection
3094 * will succeed but reject early_data.
3096 servalpn = "badalpn";
3097 edstatus = SSL_EARLY_DATA_REJECTED;
3098 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3102 * Set consistent ALPN.
3103 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3104 * accepts a list of protos (each one length prefixed).
3105 * SSL_set1_alpn_selected accepts a single protocol (not length
3108 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3110 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3114 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3118 /* Set inconsistent ALPN (late client detection) */
3119 SSL_SESSION_free(serverpsk);
3120 serverpsk = SSL_SESSION_dup(clientpsk);
3121 if (!TEST_ptr(serverpsk)
3122 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3125 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3128 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3131 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3132 edstatus = SSL_EARLY_DATA_ACCEPTED;
3133 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3134 /* SSL_connect() call should fail */
3139 TEST_error("Bad test index");
3143 SSL_set_connect_state(clientssl);
3145 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3147 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3148 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3151 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3155 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3156 &readbytes), readearlyres)
3157 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3158 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3159 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3160 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3167 SSL_SESSION_free(sess);
3168 SSL_SESSION_free(clientpsk);
3169 SSL_SESSION_free(serverpsk);
3170 clientpsk = serverpsk = NULL;
3171 SSL_free(serverssl);
3172 SSL_free(clientssl);
3179 * Test that a server that doesn't try to read early data can handle a
3180 * client sending some.
3182 static int test_early_data_not_expected(int idx)
3184 SSL_CTX *cctx = NULL, *sctx = NULL;
3185 SSL *clientssl = NULL, *serverssl = NULL;
3187 SSL_SESSION *sess = NULL;
3188 unsigned char buf[20];
3189 size_t readbytes, written;
3191 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3192 &serverssl, &sess, idx)))
3195 /* Write some early data */
3196 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3201 * Server should skip over early data and then block waiting for client to
3202 * continue handshake
3204 if (!TEST_int_le(SSL_accept(serverssl), 0)
3205 || !TEST_int_gt(SSL_connect(clientssl), 0)
3206 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3207 SSL_EARLY_DATA_REJECTED)
3208 || !TEST_int_gt(SSL_accept(serverssl), 0)
3209 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3210 SSL_EARLY_DATA_REJECTED))
3213 /* Send some normal data from client to server */
3214 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3215 || !TEST_size_t_eq(written, strlen(MSG2)))
3218 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3219 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3225 SSL_SESSION_free(sess);
3226 SSL_SESSION_free(clientpsk);
3227 SSL_SESSION_free(serverpsk);
3228 clientpsk = serverpsk = NULL;
3229 SSL_free(serverssl);
3230 SSL_free(clientssl);
3237 # ifndef OPENSSL_NO_TLS1_2
3239 * Test that a server attempting to read early data can handle a connection
3240 * from a TLSv1.2 client.
3242 static int test_early_data_tls1_2(int idx)
3244 SSL_CTX *cctx = NULL, *sctx = NULL;
3245 SSL *clientssl = NULL, *serverssl = NULL;
3247 unsigned char buf[20];
3248 size_t readbytes, written;
3250 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3251 &serverssl, NULL, idx)))
3254 /* Write some data - should block due to handshake with server */
3255 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3256 SSL_set_connect_state(clientssl);
3257 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3261 * Server should do TLSv1.2 handshake. First it will block waiting for more
3262 * messages from client after ServerDone. Then SSL_read_early_data should
3263 * finish and detect that early data has not been sent
3265 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3267 SSL_READ_EARLY_DATA_ERROR))
3271 * Continue writing the message we started earlier. Will still block waiting
3272 * for the CCS/Finished from server
3274 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3275 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3277 SSL_READ_EARLY_DATA_FINISH)
3278 || !TEST_size_t_eq(readbytes, 0)
3279 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3280 SSL_EARLY_DATA_NOT_SENT))
3283 /* Continue writing the message we started earlier */
3284 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3285 || !TEST_size_t_eq(written, strlen(MSG1))
3286 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3287 SSL_EARLY_DATA_NOT_SENT)
3288 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3289 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3290 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3291 || !TEST_size_t_eq(written, strlen(MSG2))
3292 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3293 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3299 SSL_SESSION_free(clientpsk);
3300 SSL_SESSION_free(serverpsk);
3301 clientpsk = serverpsk = NULL;
3302 SSL_free(serverssl);
3303 SSL_free(clientssl);
3309 # endif /* OPENSSL_NO_TLS1_2 */
3312 * Test configuring the TLSv1.3 ciphersuites
3314 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3315 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3316 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3317 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3318 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3319 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3320 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3321 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3322 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3323 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3325 static int test_set_ciphersuite(int idx)
3327 SSL_CTX *cctx = NULL, *sctx = NULL;
3328 SSL *clientssl = NULL, *serverssl = NULL;
3331 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3333 &sctx, &cctx, cert, privkey))
3334 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3335 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3338 if (idx >=4 && idx <= 7) {
3339 /* SSL_CTX explicit cipher list */
3340 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3344 if (idx == 0 || idx == 4) {
3345 /* Default ciphersuite */
3346 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3347 "TLS_AES_128_GCM_SHA256")))
3349 } else if (idx == 1 || idx == 5) {
3350 /* Non default ciphersuite */
3351 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3352 "TLS_AES_128_CCM_SHA256")))
3356 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3357 &clientssl, NULL, NULL)))
3360 if (idx == 8 || idx == 9) {
3361 /* SSL explicit cipher list */
3362 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3366 if (idx == 2 || idx == 6 || idx == 8) {
3367 /* Default ciphersuite */
3368 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3369 "TLS_AES_128_GCM_SHA256")))
3371 } else if (idx == 3 || idx == 7 || idx == 9) {
3372 /* Non default ciphersuite */
3373 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3374 "TLS_AES_128_CCM_SHA256")))
3378 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3384 SSL_free(serverssl);
3385 SSL_free(clientssl);
3392 static int test_ciphersuite_change(void)
3394 SSL_CTX *cctx = NULL, *sctx = NULL;
3395 SSL *clientssl = NULL, *serverssl = NULL;
3396 SSL_SESSION *clntsess = NULL;
3398 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3400 /* Create a session based on SHA-256 */
3401 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3403 &sctx, &cctx, cert, privkey))
3404 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3405 "TLS_AES_128_GCM_SHA256"))
3406 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3407 &clientssl, NULL, NULL))
3408 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3412 clntsess = SSL_get1_session(clientssl);
3413 /* Save for later */
3414 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3415 SSL_shutdown(clientssl);
3416 SSL_shutdown(serverssl);
3417 SSL_free(serverssl);
3418 SSL_free(clientssl);
3419 serverssl = clientssl = NULL;
3421 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3422 /* Check we can resume a session with a different SHA-256 ciphersuite */
3423 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3424 "TLS_CHACHA20_POLY1305_SHA256"))
3425 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3427 || !TEST_true(SSL_set_session(clientssl, clntsess))
3428 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3430 || !TEST_true(SSL_session_reused(clientssl)))
3433 SSL_SESSION_free(clntsess);
3434 clntsess = SSL_get1_session(clientssl);
3435 SSL_shutdown(clientssl);
3436 SSL_shutdown(serverssl);
3437 SSL_free(serverssl);
3438 SSL_free(clientssl);
3439 serverssl = clientssl = NULL;
3443 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3444 * succeeds but does not resume.
3446 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3447 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3449 || !TEST_true(SSL_set_session(clientssl, clntsess))
3450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3452 || !TEST_false(SSL_session_reused(clientssl)))
3455 SSL_SESSION_free(clntsess);
3457 SSL_shutdown(clientssl);
3458 SSL_shutdown(serverssl);
3459 SSL_free(serverssl);
3460 SSL_free(clientssl);
3461 serverssl = clientssl = NULL;
3463 /* Create a session based on SHA384 */
3464 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3465 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3466 &clientssl, NULL, NULL))
3467 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3471 clntsess = SSL_get1_session(clientssl);
3472 SSL_shutdown(clientssl);
3473 SSL_shutdown(serverssl);
3474 SSL_free(serverssl);
3475 SSL_free(clientssl);
3476 serverssl = clientssl = NULL;
3478 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3479 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3480 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3481 "TLS_AES_256_GCM_SHA384"))
3482 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3484 || !TEST_true(SSL_set_session(clientssl, clntsess))
3486 * We use SSL_ERROR_WANT_READ below so that we can pause the
3487 * connection after the initial ClientHello has been sent to
3488 * enable us to make some session changes.
3490 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3491 SSL_ERROR_WANT_READ)))
3494 /* Trick the client into thinking this session is for a different digest */
3495 clntsess->cipher = aes_128_gcm_sha256;
3496 clntsess->cipher_id = clntsess->cipher->id;
3499 * Continue the previously started connection. Server has selected a SHA-384
3500 * ciphersuite, but client thinks the session is for SHA-256, so it should
3503 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3505 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3506 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3512 SSL_SESSION_free(clntsess);
3513 SSL_free(serverssl);
3514 SSL_free(clientssl);
3523 * Test 0 = Test new style callbacks
3524 * Test 1 = Test both new and old style callbacks
3525 * Test 2 = Test old style callbacks
3526 * Test 3 = Test old style callbacks with no certificate
3528 static int test_tls13_psk(int idx)
3530 SSL_CTX *sctx = NULL, *cctx = NULL;
3531 SSL *serverssl = NULL, *clientssl = NULL;
3532 const SSL_CIPHER *cipher = NULL;
3533 const unsigned char key[] = {
3534 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3535 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3536 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3537 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3541 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3543 &sctx, &cctx, idx == 3 ? NULL : cert,
3544 idx == 3 ? NULL : privkey)))
3549 * We use a ciphersuite with SHA256 to ease testing old style PSK
3550 * callbacks which will always default to SHA256. This should not be
3551 * necessary if we have no cert/priv key. In that case the server should
3552 * prefer SHA256 automatically.
3554 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3555 "TLS_AES_128_GCM_SHA256")))
3560 * Test 0: New style callbacks only
3561 * Test 1: New and old style callbacks (only the new ones should be used)
3562 * Test 2: Old style callbacks only
3564 if (idx == 0 || idx == 1) {
3565 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3566 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3568 #ifndef OPENSSL_NO_PSK
3570 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3571 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3575 use_session_cb_cnt = 0;
3576 find_session_cb_cnt = 0;
3577 psk_client_cb_cnt = 0;
3578 psk_server_cb_cnt = 0;
3582 * Check we can create a connection if callback decides not to send a
3585 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3587 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3589 || !TEST_false(SSL_session_reused(clientssl))
3590 || !TEST_false(SSL_session_reused(serverssl)))
3593 if (idx == 0 || idx == 1) {
3594 if (!TEST_true(use_session_cb_cnt == 1)
3595 || !TEST_true(find_session_cb_cnt == 0)
3597 * If no old style callback then below should be 0
3600 || !TEST_true(psk_client_cb_cnt == idx)
3601 || !TEST_true(psk_server_cb_cnt == 0))
3604 if (!TEST_true(use_session_cb_cnt == 0)
3605 || !TEST_true(find_session_cb_cnt == 0)
3606 || !TEST_true(psk_client_cb_cnt == 1)
3607 || !TEST_true(psk_server_cb_cnt == 0))
3611 shutdown_ssl_connection(serverssl, clientssl);
3612 serverssl = clientssl = NULL;
3613 use_session_cb_cnt = psk_client_cb_cnt = 0;
3616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3620 /* Create the PSK */
3621 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3622 clientpsk = SSL_SESSION_new();
3623 if (!TEST_ptr(clientpsk)
3624 || !TEST_ptr(cipher)
3625 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3627 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3628 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3630 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3632 serverpsk = clientpsk;
3634 /* Check we can create a connection and the PSK is used */
3635 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3636 || !TEST_true(SSL_session_reused(clientssl))
3637 || !TEST_true(SSL_session_reused(serverssl)))
3640 if (idx == 0 || idx == 1) {
3641 if (!TEST_true(use_session_cb_cnt == 1)
3642 || !TEST_true(find_session_cb_cnt == 1)
3643 || !TEST_true(psk_client_cb_cnt == 0)
3644 || !TEST_true(psk_server_cb_cnt == 0))
3647 if (!TEST_true(use_session_cb_cnt == 0)
3648 || !TEST_true(find_session_cb_cnt == 0)
3649 || !TEST_true(psk_client_cb_cnt == 1)
3650 || !TEST_true(psk_server_cb_cnt == 1))
3654 shutdown_ssl_connection(serverssl, clientssl);
3655 serverssl = clientssl = NULL;
3656 use_session_cb_cnt = find_session_cb_cnt = 0;
3657 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3659 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3664 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3668 * Check we can create a connection, the PSK is used and the callbacks are
3671 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3672 || !TEST_true(SSL_session_reused(clientssl))
3673 || !TEST_true(SSL_session_reused(serverssl)))
3676 if (idx == 0 || idx == 1) {
3677 if (!TEST_true(use_session_cb_cnt == 2)
3678 || !TEST_true(find_session_cb_cnt == 2)
3679 || !TEST_true(psk_client_cb_cnt == 0)
3680 || !TEST_true(psk_server_cb_cnt == 0))
3683 if (!TEST_true(use_session_cb_cnt == 0)
3684 || !TEST_true(find_session_cb_cnt == 0)
3685 || !TEST_true(psk_client_cb_cnt == 2)
3686 || !TEST_true(psk_server_cb_cnt == 2))
3690 shutdown_ssl_connection(serverssl, clientssl);
3691 serverssl = clientssl = NULL;
3692 use_session_cb_cnt = find_session_cb_cnt = 0;
3693 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3697 * Check that if the server rejects the PSK we can still connect, but with
3700 srvid = "Dummy Identity";
3701 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3703 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3705 || !TEST_false(SSL_session_reused(clientssl))
3706 || !TEST_false(SSL_session_reused(serverssl)))
3709 if (idx == 0 || idx == 1) {
3710 if (!TEST_true(use_session_cb_cnt == 1)
3711 || !TEST_true(find_session_cb_cnt == 1)
3712 || !TEST_true(psk_client_cb_cnt == 0)
3714 * If no old style callback then below should be 0
3717 || !TEST_true(psk_server_cb_cnt == idx))
3720 if (!TEST_true(use_session_cb_cnt == 0)
3721 || !TEST_true(find_session_cb_cnt == 0)
3722 || !TEST_true(psk_client_cb_cnt == 1)
3723 || !TEST_true(psk_server_cb_cnt == 1))
3727 shutdown_ssl_connection(serverssl, clientssl);
3728 serverssl = clientssl = NULL;
3733 SSL_SESSION_free(clientpsk);
3734 SSL_SESSION_free(serverpsk);
3735 clientpsk = serverpsk = NULL;
3736 SSL_free(serverssl);
3737 SSL_free(clientssl);
3743 static unsigned char cookie_magic_value[] = "cookie magic";
3745 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3746 unsigned int *cookie_len)
3749 * Not suitable as a real cookie generation function but good enough for
3752 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3753 *cookie_len = sizeof(cookie_magic_value) - 1;
3758 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3759 unsigned int cookie_len)
3761 if (cookie_len == sizeof(cookie_magic_value) - 1
3762 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3768 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3772 int res = generate_cookie_callback(ssl, cookie, &temp);
3777 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3780 return verify_cookie_callback(ssl, cookie, cookie_len);
3783 static int test_stateless(void)
3785 SSL_CTX *sctx = NULL, *cctx = NULL;
3786 SSL *serverssl = NULL, *clientssl = NULL;
3789 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3791 &sctx, &cctx, cert, privkey)))
3794 /* The arrival of CCS messages can confuse the test */
3795 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3799 /* Send the first ClientHello */
3800 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3801 SSL_ERROR_WANT_READ))
3803 * This should fail with a -1 return because we have no callbacks
3806 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3809 /* Fatal error so abandon the connection from this client */
3810 SSL_free(clientssl);
3813 /* Set up the cookie generation and verification callbacks */
3814 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3815 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3818 * Create a new connection from the client (we can reuse the server SSL
3821 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3823 /* Send the first ClientHello */
3824 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3825 SSL_ERROR_WANT_READ))
3826 /* This should fail because there is no cookie */
3827 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3830 /* Abandon the connection from this client */
3831 SSL_free(clientssl);
3835 * Now create a connection from a new client but with the same server SSL
3838 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3840 /* Send the first ClientHello */
3841 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3842 SSL_ERROR_WANT_READ))
3843 /* This should fail because there is no cookie */
3844 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3845 /* Send the second ClientHello */
3846 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3847 SSL_ERROR_WANT_READ))
3848 /* This should succeed because a cookie is now present */
3849 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3850 /* Complete the connection */
3851 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3855 shutdown_ssl_connection(serverssl, clientssl);
3856 serverssl = clientssl = NULL;
3860 SSL_free(serverssl);
3861 SSL_free(clientssl);
3867 #endif /* OPENSSL_NO_TLS1_3 */
3869 static int clntaddoldcb = 0;
3870 static int clntparseoldcb = 0;
3871 static int srvaddoldcb = 0;
3872 static int srvparseoldcb = 0;
3873 static int clntaddnewcb = 0;
3874 static int clntparsenewcb = 0;
3875 static int srvaddnewcb = 0;
3876 static int srvparsenewcb = 0;
3877 static int snicb = 0;
3879 #define TEST_EXT_TYPE1 0xff00
3881 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3882 size_t *outlen, int *al, void *add_arg)
3884 int *server = (int *)add_arg;
3885 unsigned char *data;
3887 if (SSL_is_server(s))
3892 if (*server != SSL_is_server(s)
3893 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3898 *outlen = sizeof(char);
3902 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3905 OPENSSL_free((unsigned char *)out);
3908 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3909 size_t inlen, int *al, void *parse_arg)
3911 int *server = (int *)parse_arg;
3913 if (SSL_is_server(s))
3918 if (*server != SSL_is_server(s)
3919 || inlen != sizeof(char)
3926 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3927 const unsigned char **out, size_t *outlen, X509 *x,
3928 size_t chainidx, int *al, void *add_arg)
3930 int *server = (int *)add_arg;
3931 unsigned char *data;
3933 if (SSL_is_server(s))
3938 if (*server != SSL_is_server(s)
3939 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3944 *outlen = sizeof(*data);
3948 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3949 const unsigned char *out, void *add_arg)
3951 OPENSSL_free((unsigned char *)out);
3954 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3955 const unsigned char *in, size_t inlen, X509 *x,
3956 size_t chainidx, int *al, void *parse_arg)
3958 int *server = (int *)parse_arg;
3960 if (SSL_is_server(s))
3965 if (*server != SSL_is_server(s)
3966 || inlen != sizeof(char) || *in != 1)
3972 static int sni_cb(SSL *s, int *al, void *arg)
3974 SSL_CTX *ctx = (SSL_CTX *)arg;
3976 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3977 *al = SSL_AD_INTERNAL_ERROR;
3978 return SSL_TLSEXT_ERR_ALERT_FATAL;
3981 return SSL_TLSEXT_ERR_OK;
3985 * Custom call back tests.
3986 * Test 0: Old style callbacks in TLSv1.2
3987 * Test 1: New style callbacks in TLSv1.2
3988 * Test 2: New style callbacks in TLSv1.2 with SNI
3989 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3990 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3992 static int test_custom_exts(int tst)
3994 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3995 SSL *clientssl = NULL, *serverssl = NULL;
3997 static int server = 1;
3998 static int client = 0;
3999 SSL_SESSION *sess = NULL;
4000 unsigned int context;
4002 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4003 /* Skip tests for TLSv1.2 and below in this case */
4008 /* Reset callback counters */
4009 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4010 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4013 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4015 &sctx, &cctx, cert, privkey)))
4019 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4021 &sctx2, NULL, cert, privkey)))
4026 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4027 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4029 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4033 context = SSL_EXT_CLIENT_HELLO
4034 | SSL_EXT_TLS1_2_SERVER_HELLO
4035 | SSL_EXT_TLS1_3_SERVER_HELLO
4036 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4037 | SSL_EXT_TLS1_3_CERTIFICATE
4038 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4040 context = SSL_EXT_CLIENT_HELLO
4041 | SSL_EXT_TLS1_2_SERVER_HELLO
4042 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4045 /* Create a client side custom extension */
4047 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4048 old_add_cb, old_free_cb,
4049 &client, old_parse_cb,
4053 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4054 new_add_cb, new_free_cb,
4055 &client, new_parse_cb, &client)))
4059 /* Should not be able to add duplicates */
4060 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4061 old_add_cb, old_free_cb,
4062 &client, old_parse_cb,
4064 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4065 context, new_add_cb,
4066 new_free_cb, &client,
4067 new_parse_cb, &client)))
4070 /* Create a server side custom extension */
4072 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4073 old_add_cb, old_free_cb,
4074 &server, old_parse_cb,
4078 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4079 new_add_cb, new_free_cb,
4080 &server, new_parse_cb, &server)))
4083 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4084 context, new_add_cb,
4085 new_free_cb, &server,
4086 new_parse_cb, &server)))
4090 /* Should not be able to add duplicates */
4091 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4092 old_add_cb, old_free_cb,
4093 &server, old_parse_cb,
4095 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4096 context, new_add_cb,
4097 new_free_cb, &server,
4098 new_parse_cb, &server)))
4103 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4104 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4108 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4109 &clientssl, NULL, NULL))
4110 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4115 if (clntaddoldcb != 1
4116 || clntparseoldcb != 1
4118 || srvparseoldcb != 1)
4120 } else if (tst == 1 || tst == 2 || tst == 3) {
4121 if (clntaddnewcb != 1
4122 || clntparsenewcb != 1
4124 || srvparsenewcb != 1
4125 || (tst != 2 && snicb != 0)
4126 || (tst == 2 && snicb != 1))
4129 /* In this case there 2 NewSessionTicket messages created */
4130 if (clntaddnewcb != 1
4131 || clntparsenewcb != 5
4133 || srvparsenewcb != 1)
4137 sess = SSL_get1_session(clientssl);
4138 SSL_shutdown(clientssl);
4139 SSL_shutdown(serverssl);
4140 SSL_free(serverssl);
4141 SSL_free(clientssl);
4142 serverssl = clientssl = NULL;
4145 /* We don't bother with the resumption aspects for this test */
4150 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4152 || !TEST_true(SSL_set_session(clientssl, sess))
4153 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4158 * For a resumed session we expect to add the ClientHello extension. For the
4159 * old style callbacks we ignore it on the server side because they set
4160 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4164 if (clntaddoldcb != 2
4165 || clntparseoldcb != 1
4167 || srvparseoldcb != 1)
4169 } else if (tst == 1 || tst == 2 || tst == 3) {
4170 if (clntaddnewcb != 2
4171 || clntparsenewcb != 2
4173 || srvparsenewcb != 2)
4177 * No Certificate message extensions in the resumption handshake,
4178 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4180 if (clntaddnewcb != 2
4181 || clntparsenewcb != 8
4183 || srvparsenewcb != 2)
4190 SSL_SESSION_free(sess);
4191 SSL_free(serverssl);
4192 SSL_free(clientssl);
4193 SSL_CTX_free(sctx2);
4200 * Test loading of serverinfo data in various formats. test_sslmessages actually
4201 * tests to make sure the extensions appear in the handshake
4203 static int test_serverinfo(int tst)
4205 unsigned int version;
4206 unsigned char *sibuf;
4208 int ret, expected, testresult = 0;
4211 ctx = SSL_CTX_new(TLS_method());
4215 if ((tst & 0x01) == 0x01)
4216 version = SSL_SERVERINFOV2;
4218 version = SSL_SERVERINFOV1;
4220 if ((tst & 0x02) == 0x02) {
4221 sibuf = serverinfov2;
4222 sibuflen = sizeof(serverinfov2);
4223 expected = (version == SSL_SERVERINFOV2);
4225 sibuf = serverinfov1;
4226 sibuflen = sizeof(serverinfov1);
4227 expected = (version == SSL_SERVERINFOV1);
4230 if ((tst & 0x04) == 0x04) {
4231 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4233 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4236 * The version variable is irrelevant in this case - it's what is in the
4237 * buffer that matters
4239 if ((tst & 0x02) == 0x02)
4245 if (!TEST_true(ret == expected))
4257 * Test that SSL_export_keying_material() produces expected results. There are
4258 * no test vectors so all we do is test that both sides of the communication
4259 * produce the same results for different protocol versions.
4261 #define SMALL_LABEL_LEN 10
4262 #define LONG_LABEL_LEN 249
4263 static int test_export_key_mat(int tst)
4266 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4267 SSL *clientssl = NULL, *serverssl = NULL;
4268 const char label[LONG_LABEL_LEN + 1] = "test label";
4269 const unsigned char context[] = "context";
4270 const unsigned char *emptycontext = NULL;
4271 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4272 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4274 const int protocols[] = {
4283 #ifdef OPENSSL_NO_TLS1
4287 #ifdef OPENSSL_NO_TLS1_1
4291 #ifdef OPENSSL_NO_TLS1_2
4295 #ifdef OPENSSL_NO_TLS1_3
4299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4301 &sctx, &cctx, cert, privkey)))
4304 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4305 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4306 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4308 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4310 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4316 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4319 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4320 sizeof(ckeymat1), label,
4321 LONG_LABEL_LEN + 1, context,
4322 sizeof(context) - 1, 1), 0))
4327 } else if (tst == 4) {
4328 labellen = LONG_LABEL_LEN;
4330 labellen = SMALL_LABEL_LEN;
4333 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4334 sizeof(ckeymat1), label,
4336 sizeof(context) - 1, 1), 1)
4337 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4338 sizeof(ckeymat2), label,
4342 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4343 sizeof(ckeymat3), label,
4346 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4347 sizeof(skeymat1), label,
4350 sizeof(context) -1, 1),
4352 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4353 sizeof(skeymat2), label,
4357 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4358 sizeof(skeymat3), label,
4362 * Check that both sides created the same key material with the
4365 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4368 * Check that both sides created the same key material with an
4371 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4374 * Check that both sides created the same key material without a
4377 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4379 /* Different contexts should produce different results */
4380 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4385 * Check that an empty context and no context produce different results in
4386 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4388 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4390 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4397 SSL_free(serverssl);
4398 SSL_free(clientssl);
4399 SSL_CTX_free(sctx2);
4406 #ifndef OPENSSL_NO_TLS1_3
4408 * Test that SSL_export_keying_material_early() produces expected
4409 * results. There are no test vectors so all we do is test that both
4410 * sides of the communication produce the same results for different
4411 * protocol versions.
4413 static int test_export_key_mat_early(int idx)
4415 static const char label[] = "test label";
4416 static const unsigned char context[] = "context";
4418 SSL_CTX *cctx = NULL, *sctx = NULL;
4419 SSL *clientssl = NULL, *serverssl = NULL;
4420 SSL_SESSION *sess = NULL;
4421 const unsigned char *emptycontext = NULL;
4422 unsigned char ckeymat1[80], ckeymat2[80];
4423 unsigned char skeymat1[80], skeymat2[80];
4424 unsigned char buf[1];
4425 size_t readbytes, written;
4427 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4431 /* Here writing 0 length early data is enough. */
4432 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4433 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4435 SSL_READ_EARLY_DATA_ERROR)
4436 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4437 SSL_EARLY_DATA_ACCEPTED))
4440 if (!TEST_int_eq(SSL_export_keying_material_early(
4441 clientssl, ckeymat1, sizeof(ckeymat1), label,
4442 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4443 || !TEST_int_eq(SSL_export_keying_material_early(
4444 clientssl, ckeymat2, sizeof(ckeymat2), label,
4445 sizeof(label) - 1, emptycontext, 0), 1)
4446 || !TEST_int_eq(SSL_export_keying_material_early(
4447 serverssl, skeymat1, sizeof(skeymat1), label,
4448 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4449 || !TEST_int_eq(SSL_export_keying_material_early(
4450 serverssl, skeymat2, sizeof(skeymat2), label,
4451 sizeof(label) - 1, emptycontext, 0), 1)
4453 * Check that both sides created the same key material with the
4456 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4459 * Check that both sides created the same key material with an
4462 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4464 /* Different contexts should produce different results */
4465 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4472 SSL_SESSION_free(sess);
4473 SSL_SESSION_free(clientpsk);
4474 SSL_SESSION_free(serverpsk);
4475 clientpsk = serverpsk = NULL;
4476 SSL_free(serverssl);
4477 SSL_free(clientssl);
4483 #endif /* OPENSSL_NO_TLS1_3 */
4485 static int test_ssl_clear(int idx)
4487 SSL_CTX *cctx = NULL, *sctx = NULL;
4488 SSL *clientssl = NULL, *serverssl = NULL;
4491 #ifdef OPENSSL_NO_TLS1_2
4496 /* Create an initial connection */
4497 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4499 &sctx, &cctx, cert, privkey))
4501 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4503 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4504 &clientssl, NULL, NULL))
4505 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4509 SSL_shutdown(clientssl);
4510 SSL_shutdown(serverssl);
4511 SSL_free(serverssl);
4514 /* Clear clientssl - we're going to reuse the object */
4515 if (!TEST_true(SSL_clear(clientssl)))
4518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4520 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4522 || !TEST_true(SSL_session_reused(clientssl)))
4525 SSL_shutdown(clientssl);
4526 SSL_shutdown(serverssl);
4531 SSL_free(serverssl);
4532 SSL_free(clientssl);
4539 /* Parse CH and retrieve any MFL extension value if present */
4540 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4543 unsigned char *data;
4544 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4545 unsigned int MFL_code = 0, type = 0;
4547 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4550 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4551 /* Skip the record header */
4552 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4553 /* Skip the handshake message header */
4554 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4555 /* Skip client version and random */
4556 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4557 + SSL3_RANDOM_SIZE))
4558 /* Skip session id */
4559 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4561 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4562 /* Skip compression */
4563 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4564 /* Extensions len */
4565 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4568 /* Loop through all extensions */
4569 while (PACKET_remaining(&pkt2)) {
4570 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4571 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4574 if (type == TLSEXT_TYPE_max_fragment_length) {
4575 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4576 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4579 *mfl_codemfl_code = MFL_code;
4588 /* Maximum-Fragment-Length TLS extension mode to test */
4589 static const unsigned char max_fragment_len_test[] = {
4590 TLSEXT_max_fragment_length_512,
4591 TLSEXT_max_fragment_length_1024,
4592 TLSEXT_max_fragment_length_2048,
4593 TLSEXT_max_fragment_length_4096
4596 static int test_max_fragment_len_ext(int idx_tst)
4600 int testresult = 0, MFL_mode = 0;
4603 ctx = SSL_CTX_new(TLS_method());
4607 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4608 ctx, max_fragment_len_test[idx_tst])))
4615 rbio = BIO_new(BIO_s_mem());
4616 wbio = BIO_new(BIO_s_mem());
4617 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4623 SSL_set_bio(con, rbio, wbio);
4624 SSL_set_connect_state(con);
4626 if (!TEST_int_le(SSL_connect(con), 0)) {
4627 /* This shouldn't succeed because we don't have a server! */
4631 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4632 /* no MFL in client hello */
4634 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4646 #ifndef OPENSSL_NO_TLS1_3
4647 static int test_pha_key_update(void)
4649 SSL_CTX *cctx = NULL, *sctx = NULL;
4650 SSL *clientssl = NULL, *serverssl = NULL;
4653 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4655 &sctx, &cctx, cert, privkey)))
4658 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4659 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4660 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4661 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4664 SSL_CTX_set_post_handshake_auth(cctx, 1);
4666 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4670 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4674 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4675 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4678 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4681 /* Start handshake on the server */
4682 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4685 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4686 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4690 SSL_shutdown(clientssl);
4691 SSL_shutdown(serverssl);
4696 SSL_free(serverssl);
4697 SSL_free(clientssl);
4704 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4706 static SRP_VBASE *vbase = NULL;
4708 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4710 int ret = SSL3_AL_FATAL;
4712 SRP_user_pwd *user = NULL;
4714 username = SSL_get_srp_username(s);
4715 if (username == NULL) {
4716 *ad = SSL_AD_INTERNAL_ERROR;
4720 user = SRP_VBASE_get1_by_user(vbase, username);
4722 *ad = SSL_AD_INTERNAL_ERROR;
4726 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4728 *ad = SSL_AD_INTERNAL_ERROR;
4735 SRP_user_pwd_free(user);
4739 static int create_new_vfile(char *userid, char *password, const char *filename)
4742 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4745 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4748 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4751 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4752 &row[DB_srpverifier], NULL, NULL);
4753 if (!TEST_ptr(gNid))
4757 * The only way to create an empty TXT_DB is to provide a BIO with no data
4760 db = TXT_DB_read(dummy, DB_NUMBER);
4764 out = BIO_new_file(filename, "w");
4768 row[DB_srpid] = OPENSSL_strdup(userid);
4769 row[DB_srptype] = OPENSSL_strdup("V");
4770 row[DB_srpgN] = OPENSSL_strdup(gNid);
4772 if (!TEST_ptr(row[DB_srpid])
4773 || !TEST_ptr(row[DB_srptype])
4774 || !TEST_ptr(row[DB_srpgN])
4775 || !TEST_true(TXT_DB_insert(db, row)))
4780 if (!TXT_DB_write(out, db))
4786 for (i = 0; i < DB_NUMBER; i++)
4787 OPENSSL_free(row[i]);
4797 static int create_new_vbase(char *userid, char *password)
4799 BIGNUM *verifier = NULL, *salt = NULL;
4800 const SRP_gN *lgN = NULL;
4801 SRP_user_pwd *user_pwd = NULL;
4804 lgN = SRP_get_default_gN(NULL);
4808 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4812 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4813 if (!TEST_ptr(user_pwd))
4816 user_pwd->N = lgN->N;
4817 user_pwd->g = lgN->g;
4818 user_pwd->id = OPENSSL_strdup(userid);
4819 if (!TEST_ptr(user_pwd->id))
4822 user_pwd->v = verifier;
4824 verifier = salt = NULL;
4826 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4832 SRP_user_pwd_free(user_pwd);
4842 * Test 0: Simple successful SRP connection, new vbase
4843 * Test 1: Connection failure due to bad password, new vbase
4844 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4845 * Test 3: Connection failure due to bad password, vbase loaded from existing
4847 * Test 4: Simple successful SRP connection, vbase loaded from new file
4848 * Test 5: Connection failure due to bad password, vbase loaded from new file
4850 static int test_srp(int tst)
4852 char *userid = "test", *password = "password", *tstsrpfile;
4853 SSL_CTX *cctx = NULL, *sctx = NULL;
4854 SSL *clientssl = NULL, *serverssl = NULL;
4855 int ret, testresult = 0;
4857 vbase = SRP_VBASE_new(NULL);
4858 if (!TEST_ptr(vbase))
4861 if (tst == 0 || tst == 1) {
4862 if (!TEST_true(create_new_vbase(userid, password)))
4865 if (tst == 4 || tst == 5) {
4866 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4868 tstsrpfile = tmpfilename;
4870 tstsrpfile = srpvfile;
4872 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4876 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4878 &sctx, &cctx, cert, privkey)))
4881 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4882 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4883 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4884 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4885 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4889 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4892 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4896 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4900 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4902 if (!TEST_true(tst % 2 == 0))
4905 if (!TEST_true(tst % 2 == 1))
4912 SRP_VBASE_free(vbase);
4914 SSL_free(serverssl);
4915 SSL_free(clientssl);
4923 static int info_cb_failed = 0;
4924 static int info_cb_offset = 0;
4925 static int info_cb_this_state = -1;
4927 static struct info_cb_states_st {
4929 const char *statestr;
4930 } info_cb_states[][60] = {
4932 /* TLSv1.2 server followed by resumption */
4933 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4934 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4935 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4936 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4937 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4938 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4939 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4940 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4941 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4942 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4943 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4944 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4945 {SSL_CB_EXIT, NULL}, {0, NULL},
4947 /* TLSv1.2 client followed by resumption */
4948 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4949 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4950 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4951 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4952 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4953 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4954 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4955 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4956 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4957 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4958 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4959 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4961 /* TLSv1.3 server followed by resumption */
4962 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4963 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4964 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4965 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4966 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4967 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
4968 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4969 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4970 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4971 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4972 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
4973 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4974 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
4976 /* TLSv1.3 client followed by resumption */
4977 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4978 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4979 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4980 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4981 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4982 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
4983 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
4984 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
4985 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4986 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4987 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4988 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4989 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4990 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4991 {SSL_CB_EXIT, NULL}, {0, NULL},
4993 /* TLSv1.3 server, early_data */
4994 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4995 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4996 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4997 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4998 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4999 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5000 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5001 {SSL_CB_EXIT, NULL}, {0, NULL},
5003 /* TLSv1.3 client, early_data */
5004 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5005 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5006 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5007 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5008 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5009 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5010 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5011 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5012 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5018 static void sslapi_info_callback(const SSL *s, int where, int ret)
5020 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5022 /* We do not ever expect a connection to fail in this test */
5023 if (!TEST_false(ret == 0)) {
5029 * Do some sanity checks. We never expect these things to happen in this
5032 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5033 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5034 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5039 /* Now check we're in the right state */
5040 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5044 if ((where & SSL_CB_LOOP) != 0
5045 && !TEST_int_eq(strcmp(SSL_state_string(s),
5046 state[info_cb_this_state].statestr), 0)) {
5052 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5054 if ((where & SSL_CB_HANDSHAKE_DONE)
5055 && SSL_in_init((SSL *)s) != 0) {
5062 * Test the info callback gets called when we expect it to.
5064 * Test 0: TLSv1.2, server
5065 * Test 1: TLSv1.2, client
5066 * Test 2: TLSv1.3, server
5067 * Test 3: TLSv1.3, client
5068 * Test 4: TLSv1.3, server, early_data
5069 * Test 5: TLSv1.3, client, early_data
5071 static int test_info_callback(int tst)
5073 SSL_CTX *cctx = NULL, *sctx = NULL;
5074 SSL *clientssl = NULL, *serverssl = NULL;
5075 SSL_SESSION *clntsess = NULL;
5080 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5081 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5082 || !defined(OPENSSL_NO_DH))
5083 tlsvers = TLS1_2_VERSION;
5088 #ifndef OPENSSL_NO_TLS1_3
5089 tlsvers = TLS1_3_VERSION;
5097 info_cb_this_state = -1;
5098 info_cb_offset = tst;
5100 #ifndef OPENSSL_NO_TLS1_3
5102 SSL_SESSION *sess = NULL;
5103 size_t written, readbytes;
5104 unsigned char buf[80];
5106 /* early_data tests */
5107 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5108 &serverssl, &sess, 0)))
5111 /* We don't actually need this reference */
5112 SSL_SESSION_free(sess);
5114 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5115 sslapi_info_callback);
5117 /* Write and read some early data and then complete the connection */
5118 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5120 || !TEST_size_t_eq(written, strlen(MSG1))
5121 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5122 sizeof(buf), &readbytes),
5123 SSL_READ_EARLY_DATA_SUCCESS)
5124 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5125 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5126 SSL_EARLY_DATA_ACCEPTED)
5127 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5129 || !TEST_false(info_cb_failed))
5137 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5138 TLS_client_method(),
5139 tlsvers, tlsvers, &sctx, &cctx, cert,
5144 * For even numbered tests we check the server callbacks. For odd numbers we
5147 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5148 sslapi_info_callback);
5150 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5151 &clientssl, NULL, NULL))
5152 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5154 || !TEST_false(info_cb_failed))
5159 clntsess = SSL_get1_session(clientssl);
5160 SSL_shutdown(clientssl);
5161 SSL_shutdown(serverssl);
5162 SSL_free(serverssl);
5163 SSL_free(clientssl);
5164 serverssl = clientssl = NULL;
5166 /* Now do a resumption */
5167 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5169 || !TEST_true(SSL_set_session(clientssl, clntsess))
5170 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5172 || !TEST_true(SSL_session_reused(clientssl))
5173 || !TEST_false(info_cb_failed))
5179 SSL_free(serverssl);
5180 SSL_free(clientssl);
5181 SSL_SESSION_free(clntsess);
5187 static int test_ssl_pending(int tst)
5189 SSL_CTX *cctx = NULL, *sctx = NULL;
5190 SSL *clientssl = NULL, *serverssl = NULL;
5192 char msg[] = "A test message";
5194 size_t written, readbytes;
5197 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5198 TLS_client_method(),
5200 &sctx, &cctx, cert, privkey)))
5203 #ifndef OPENSSL_NO_DTLS
5204 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5205 DTLS_client_method(),
5207 &sctx, &cctx, cert, privkey)))
5214 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5216 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5220 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5221 || !TEST_false(SSL_has_pending(clientssl))
5222 || !TEST_int_eq(SSL_pending(serverssl), 0)
5223 || !TEST_false(SSL_has_pending(serverssl))
5224 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5225 || !TEST_size_t_eq(written, sizeof(msg))
5226 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5227 || !TEST_size_t_eq(readbytes, sizeof(buf))
5228 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5229 || !TEST_true(SSL_has_pending(clientssl)))
5235 SSL_free(serverssl);
5236 SSL_free(clientssl);
5244 unsigned int maxprot;
5245 const char *clntciphers;
5246 const char *clnttls13ciphers;
5247 const char *srvrciphers;
5248 const char *srvrtls13ciphers;
5250 } shared_ciphers_data[] = {
5252 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5253 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5255 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5258 "AES128-SHA:AES256-SHA",
5260 "AES256-SHA:DHE-RSA-AES128-SHA",
5266 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5268 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5270 "AES128-SHA:AES256-SHA"
5274 "AES128-SHA:AES256-SHA",
5276 "AES128-SHA:DHE-RSA-AES128-SHA",
5282 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5285 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5286 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5289 "AES128-SHA:AES256-SHA",
5291 "AES256-SHA:AES128-SHA256",
5293 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5294 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5297 #ifndef OPENSSL_NO_TLS1_3
5301 "TLS_AES_256_GCM_SHA384",
5303 "TLS_AES_256_GCM_SHA384",
5304 "TLS_AES_256_GCM_SHA384"
5309 static int test_ssl_get_shared_ciphers(int tst)
5311 SSL_CTX *cctx = NULL, *sctx = NULL;
5312 SSL *clientssl = NULL, *serverssl = NULL;
5316 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5317 TLS_client_method(),
5319 shared_ciphers_data[tst].maxprot,
5320 &sctx, &cctx, cert, privkey)))
5323 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5324 shared_ciphers_data[tst].clntciphers))
5325 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5326 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5327 shared_ciphers_data[tst].clnttls13ciphers)))
5328 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5329 shared_ciphers_data[tst].srvrciphers))
5330 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5331 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5332 shared_ciphers_data[tst].srvrtls13ciphers))))
5336 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5338 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5342 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5343 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5344 TEST_info("Shared ciphers are: %s\n", buf);
5351 SSL_free(serverssl);
5352 SSL_free(clientssl);
5359 static const char *appdata = "Hello World";
5360 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5361 static int tick_key_renew = 0;
5362 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5364 static int gen_tick_cb(SSL *s, void *arg)
5366 gen_tick_called = 1;
5368 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5372 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5373 const unsigned char *keyname,
5374 size_t keyname_length,
5375 SSL_TICKET_STATUS status,
5381 dec_tick_called = 1;
5383 if (status == SSL_TICKET_EMPTY)
5384 return SSL_TICKET_RETURN_IGNORE_RENEW;
5386 if (!TEST_true(status == SSL_TICKET_SUCCESS
5387 || status == SSL_TICKET_SUCCESS_RENEW))
5388 return SSL_TICKET_RETURN_ABORT;
5390 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5392 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5393 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5394 return SSL_TICKET_RETURN_ABORT;
5396 if (tick_key_cb_called) {
5397 /* Don't change what the ticket key callback wanted to do */
5399 case SSL_TICKET_NO_DECRYPT:
5400 return SSL_TICKET_RETURN_IGNORE_RENEW;
5402 case SSL_TICKET_SUCCESS:
5403 return SSL_TICKET_RETURN_USE;
5405 case SSL_TICKET_SUCCESS_RENEW:
5406 return SSL_TICKET_RETURN_USE_RENEW;
5409 return SSL_TICKET_RETURN_ABORT;
5412 return tick_dec_ret;
5416 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5417 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5418 HMAC_CTX *hctx, int enc)
5420 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5421 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5423 tick_key_cb_called = 1;
5424 memset(iv, 0, AES_BLOCK_SIZE);
5425 memset(key_name, 0, 16);
5426 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5427 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5428 EVP_sha256(), NULL))
5431 return tick_key_renew ? 2 : 1;
5435 * Test the various ticket callbacks
5436 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5437 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5438 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5439 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5440 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5441 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5442 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5443 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5444 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5445 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5446 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5447 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5449 static int test_ticket_callbacks(int tst)
5451 SSL_CTX *cctx = NULL, *sctx = NULL;
5452 SSL *clientssl = NULL, *serverssl = NULL;
5453 SSL_SESSION *clntsess = NULL;
5456 #ifdef OPENSSL_NO_TLS1_2
5460 #ifdef OPENSSL_NO_TLS1_3
5465 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5467 /* Which tests the ticket key callback should request renewal for */
5468 if (tst == 10 || tst == 11)
5473 /* Which tests the decrypt ticket callback should request renewal for */
5477 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5482 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5487 tick_dec_ret = SSL_TICKET_RETURN_USE;
5492 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5496 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5499 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5500 TLS_client_method(),
5502 ((tst % 2) == 0) ? TLS1_2_VERSION
5504 &sctx, &cctx, cert, privkey)))
5508 * We only want sessions to resume from tickets - not the session cache. So
5509 * switch the cache off.
5511 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5514 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5519 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5522 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5524 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5529 * The decrypt ticket key callback in TLSv1.2 should be called even though
5530 * we have no ticket yet, because it gets called with a status of
5531 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5532 * actually send any ticket data). This does not happen in TLSv1.3 because
5533 * it is not valid to send empty ticket data in TLSv1.3.
5535 if (!TEST_int_eq(gen_tick_called, 1)
5536 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5539 gen_tick_called = dec_tick_called = 0;
5541 clntsess = SSL_get1_session(clientssl);
5542 SSL_shutdown(clientssl);
5543 SSL_shutdown(serverssl);
5544 SSL_free(serverssl);
5545 SSL_free(clientssl);
5546 serverssl = clientssl = NULL;
5548 /* Now do a resumption */
5549 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5551 || !TEST_true(SSL_set_session(clientssl, clntsess))
5552 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5556 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5557 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5558 if (!TEST_false(SSL_session_reused(clientssl)))
5561 if (!TEST_true(SSL_session_reused(clientssl)))
5565 if (!TEST_int_eq(gen_tick_called,
5567 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5568 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5570 || !TEST_int_eq(dec_tick_called, 1))
5576 SSL_SESSION_free(clntsess);
5577 SSL_free(serverssl);
5578 SSL_free(clientssl);
5586 * Test bi-directional shutdown.
5588 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5589 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5590 * Test 3: TLSv1.3, pending NewSessionTicket messages
5591 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5592 * sends key update, client reads it
5593 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5594 * sends CertificateRequest, client reads and ignores it
5595 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
5598 static int test_shutdown(int tst)
5600 SSL_CTX *cctx = NULL, *sctx = NULL;
5601 SSL *clientssl = NULL, *serverssl = NULL;
5603 char msg[] = "A test message";
5605 size_t written, readbytes;
5608 #ifdef OPENSSL_NO_TLS1_2
5612 #ifdef OPENSSL_NO_TLS1_3
5617 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5618 TLS_client_method(),
5620 (tst <= 1) ? TLS1_2_VERSION
5622 &sctx, &cctx, cert, privkey)))
5626 SSL_CTX_set_post_handshake_auth(cctx, 1);
5628 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5633 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5635 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5636 || !TEST_false(SSL_SESSION_is_resumable(sess)))
5638 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5640 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5641 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
5645 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5650 * Reading on the server after the client has sent close_notify should
5651 * fail and provide SSL_ERROR_ZERO_RETURN
5653 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5654 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5655 SSL_ERROR_ZERO_RETURN)
5656 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5657 SSL_RECEIVED_SHUTDOWN)
5659 * Even though we're shutdown on receive we should still be
5662 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5665 && !TEST_true(SSL_key_update(serverssl,
5666 SSL_KEY_UPDATE_REQUESTED)))
5669 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5670 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5673 if ((tst == 4 || tst == 5)
5674 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5676 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
5678 if (tst == 4 || tst == 5) {
5679 /* Should still be able to read data from server */
5680 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5682 || !TEST_size_t_eq(readbytes, sizeof(msg))
5683 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5684 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5686 || !TEST_size_t_eq(readbytes, sizeof(msg))
5687 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5692 /* Writing on the client after sending close_notify shouldn't be possible */
5693 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5698 * For these tests the client has sent close_notify but it has not yet
5699 * been received by the server. The server has not sent close_notify
5702 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5704 * Writing on the server after sending close_notify shouldn't
5707 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5708 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5709 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5710 || !TEST_true(SSL_SESSION_is_resumable(sess))
5711 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5713 } else if (tst == 4 || tst == 5) {
5715 * In this test the client has sent close_notify and it has been
5716 * received by the server which has responded with a close_notify. The
5717 * client needs to read the close_notify sent by the server.
5719 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
5720 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5721 || !TEST_true(SSL_SESSION_is_resumable(sess)))
5727 * The client has sent close_notify and is expecting a close_notify
5728 * back, but instead there is application data first. The shutdown
5729 * should fail with a fatal error.
5731 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5732 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5739 SSL_free(serverssl);
5740 SSL_free(clientssl);
5747 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5748 static int cert_cb_cnt;
5750 static int cert_cb(SSL *s, void *arg)
5752 SSL_CTX *ctx = (SSL_CTX *)arg;
5754 if (cert_cb_cnt == 0) {
5755 /* Suspend the handshake */
5758 } else if (cert_cb_cnt == 1) {
5760 * Update the SSL_CTX, set the certificate and private key and then
5761 * continue the handshake normally.
5763 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
5766 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
5767 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
5769 || !TEST_true(SSL_check_private_key(s)))
5775 /* Abort the handshake */
5780 * Test the certificate callback.
5781 * Test 0: Callback fails
5782 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
5783 * Test 2: Success - SSL_set_SSL_CTX() in the callback
5785 static int test_cert_cb_int(int prot, int tst)
5787 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
5788 SSL *clientssl = NULL, *serverssl = NULL;
5789 int testresult = 0, ret;
5791 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5792 TLS_client_method(),
5795 &sctx, &cctx, NULL, NULL)))
5803 snictx = SSL_CTX_new(TLS_server_method());
5804 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
5806 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5810 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5811 if (!TEST_true(tst == 0 ? !ret : ret)
5812 || (tst > 0 && !TEST_int_eq(cert_cb_cnt, 2))) {
5819 SSL_free(serverssl);
5820 SSL_free(clientssl);
5823 SSL_CTX_free(snictx);
5829 static int test_cert_cb(int tst)
5833 #ifndef OPENSSL_NO_TLS1_2
5834 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
5836 #ifndef OPENSSL_NO_TLS1_3
5837 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
5843 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
5849 /* Check that SSL_get_peer_certificate() returns something sensible */
5850 peer = SSL_get_peer_certificate(ssl);
5851 if (!TEST_ptr(peer))
5855 in = BIO_new_file(cert, "r");
5859 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
5861 if (!TEST_ptr(xcert))
5864 in = BIO_new_file(privkey, "r");
5865 if (!TEST_ptr(in)) {
5870 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
5872 if (!TEST_ptr(privpkey)) {
5883 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5888 static int test_client_cert_cb(int tst)
5890 SSL_CTX *cctx = NULL, *sctx = NULL;
5891 SSL *clientssl = NULL, *serverssl = NULL;
5894 #ifdef OPENSSL_NO_TLS1_2
5898 #ifdef OPENSSL_NO_TLS1_3
5903 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5904 TLS_client_method(),
5906 tst == 0 ? TLS1_2_VERSION
5908 &sctx, &cctx, cert, privkey)))
5912 * Test that setting a client_cert_cb results in a client certificate being
5915 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
5916 SSL_CTX_set_verify(sctx,
5917 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5922 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5929 SSL_free(serverssl);
5930 SSL_free(clientssl);
5937 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5939 * Test setting certificate authorities on both client and server.
5941 * Test 0: SSL_CTX_set0_CA_list() only
5942 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
5943 * Test 2: Only SSL_CTX_set_client_CA_list()
5945 static int test_ca_names_int(int prot, int tst)
5947 SSL_CTX *cctx = NULL, *sctx = NULL;
5948 SSL *clientssl = NULL, *serverssl = NULL;
5951 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
5952 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
5953 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
5954 const STACK_OF(X509_NAME) *sktmp = NULL;
5956 for (i = 0; i < OSSL_NELEM(name); i++) {
5957 name[i] = X509_NAME_new();
5958 if (!TEST_ptr(name[i])
5959 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
5967 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5968 TLS_client_method(),
5971 &sctx, &cctx, cert, privkey)))
5974 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
5976 if (tst == 0 || tst == 1) {
5977 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5978 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
5979 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
5980 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5981 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
5982 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
5985 SSL_CTX_set0_CA_list(sctx, sk1);
5986 SSL_CTX_set0_CA_list(cctx, sk2);
5989 if (tst == 1 || tst == 2) {
5990 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5991 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
5992 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
5993 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5994 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
5995 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
5998 SSL_CTX_set_client_CA_list(sctx, sk1);
5999 SSL_CTX_set_client_CA_list(cctx, sk2);
6003 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6005 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6010 * We only expect certificate authorities to have been sent to the server
6011 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6013 sktmp = SSL_get0_peer_CA_list(serverssl);
6014 if (prot == TLS1_3_VERSION
6015 && (tst == 0 || tst == 1)) {
6016 if (!TEST_ptr(sktmp)
6017 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6018 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6020 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6023 } else if (!TEST_ptr_null(sktmp)) {
6028 * In all tests we expect certificate authorities to have been sent to the
6029 * client. However, SSL_set_client_CA_list() should override
6030 * SSL_set0_CA_list()
6032 sktmp = SSL_get0_peer_CA_list(clientssl);
6033 if (!TEST_ptr(sktmp)
6034 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6035 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6036 name[tst == 0 ? 0 : 2]), 0)
6037 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6038 name[tst == 0 ? 1 : 3]), 0))
6044 SSL_free(serverssl);
6045 SSL_free(clientssl);
6048 for (i = 0; i < OSSL_NELEM(name); i++)
6049 X509_NAME_free(name[i]);
6050 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6051 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6057 static int test_ca_names(int tst)
6061 #ifndef OPENSSL_NO_TLS1_2
6062 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6064 #ifndef OPENSSL_NO_TLS1_3
6065 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6072 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6074 int setup_tests(void)
6076 if (!TEST_ptr(cert = test_get_argument(0))
6077 || !TEST_ptr(privkey = test_get_argument(1))
6078 || !TEST_ptr(srpvfile = test_get_argument(2))
6079 || !TEST_ptr(tmpfilename = test_get_argument(3)))
6082 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6083 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6084 TEST_error("not supported in this build");
6087 int i, mcount, rcount, fcount;
6089 for (i = 0; i < 4; i++)
6090 test_export_key_mat(i);
6091 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6092 test_printf_stdout("malloc %d realloc %d free %d\n",
6093 mcount, rcount, fcount);
6098 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6099 && !defined(OPENSSL_NO_SOCK)
6100 ADD_TEST(test_ktls_client_server);
6101 ADD_TEST(test_ktls_no_client_server);
6102 ADD_TEST(test_ktls_client_no_server);
6103 ADD_TEST(test_ktls_no_client_no_server);
6105 ADD_TEST(test_large_message_tls);
6106 ADD_TEST(test_large_message_tls_read_ahead);
6107 #ifndef OPENSSL_NO_DTLS
6108 ADD_TEST(test_large_message_dtls);
6110 #ifndef OPENSSL_NO_OCSP
6111 ADD_TEST(test_tlsext_status_type);
6113 ADD_TEST(test_session_with_only_int_cache);
6114 ADD_TEST(test_session_with_only_ext_cache);
6115 ADD_TEST(test_session_with_both_cache);
6116 #ifndef OPENSSL_NO_TLS1_3
6117 ADD_ALL_TESTS(test_stateful_tickets, 3);
6118 ADD_ALL_TESTS(test_stateless_tickets, 3);
6119 ADD_TEST(test_psk_tickets);
6121 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6122 ADD_TEST(test_ssl_bio_pop_next_bio);
6123 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6124 ADD_TEST(test_ssl_bio_change_rbio);
6125 ADD_TEST(test_ssl_bio_change_wbio);
6126 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6127 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6128 ADD_TEST(test_keylog);
6130 #ifndef OPENSSL_NO_TLS1_3
6131 ADD_TEST(test_keylog_no_master_key);
6133 #ifndef OPENSSL_NO_TLS1_2
6134 ADD_TEST(test_client_hello_cb);
6135 ADD_TEST(test_no_ems);
6137 #ifndef OPENSSL_NO_TLS1_3
6138 ADD_ALL_TESTS(test_early_data_read_write, 3);
6140 * We don't do replay tests for external PSK. Replay protection isn't used
6143 ADD_ALL_TESTS(test_early_data_replay, 2);
6144 ADD_ALL_TESTS(test_early_data_skip, 3);
6145 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6146 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6147 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6148 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6149 ADD_ALL_TESTS(test_early_data_psk, 8);
6150 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6151 # ifndef OPENSSL_NO_TLS1_2
6152 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6155 #ifndef OPENSSL_NO_TLS1_3
6156 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6157 ADD_TEST(test_ciphersuite_change);
6158 #ifdef OPENSSL_NO_PSK
6159 ADD_ALL_TESTS(test_tls13_psk, 1);
6161 ADD_ALL_TESTS(test_tls13_psk, 4);
6162 #endif /* OPENSSL_NO_PSK */
6163 ADD_ALL_TESTS(test_custom_exts, 5);
6164 ADD_TEST(test_stateless);
6165 ADD_TEST(test_pha_key_update);
6167 ADD_ALL_TESTS(test_custom_exts, 3);
6169 ADD_ALL_TESTS(test_serverinfo, 8);
6170 ADD_ALL_TESTS(test_export_key_mat, 6);
6171 #ifndef OPENSSL_NO_TLS1_3
6172 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6174 ADD_ALL_TESTS(test_ssl_clear, 2);
6175 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6176 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6177 ADD_ALL_TESTS(test_srp, 6);
6179 ADD_ALL_TESTS(test_info_callback, 6);
6180 ADD_ALL_TESTS(test_ssl_pending, 2);
6181 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6182 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6183 ADD_ALL_TESTS(test_shutdown, 7);
6184 ADD_ALL_TESTS(test_cert_cb, 3);
6185 ADD_ALL_TESTS(test_client_cert_cb, 2);
6186 ADD_ALL_TESTS(test_ca_names, 3);
6190 void cleanup_tests(void)
6192 bio_s_mempacket_test_free();
projects / oweals / openssl.git / blob