2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "internal/ktls.h"
26 #include "../ssl/ssl_locl.h"
28 #ifndef OPENSSL_NO_TLS1_3
30 static SSL_SESSION *clientpsk = NULL;
31 static SSL_SESSION *serverpsk = NULL;
32 static const char *pskid = "Identity";
33 static const char *srvid;
35 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
36 size_t *idlen, SSL_SESSION **sess);
37 static int find_session_cb(SSL *ssl, const unsigned char *identity,
38 size_t identity_len, SSL_SESSION **sess);
40 static int use_session_cb_cnt = 0;
41 static int find_session_cb_cnt = 0;
43 static SSL_SESSION *create_a_psk(SSL *ssl);
46 static char *cert = NULL;
47 static char *privkey = NULL;
48 static char *srpvfile = NULL;
49 static char *tmpfilename = NULL;
51 #define LOG_BUFFER_SIZE 2048
52 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
53 static size_t server_log_buffer_index = 0;
54 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
55 static size_t client_log_buffer_index = 0;
56 static int error_writing_log = 0;
58 #ifndef OPENSSL_NO_OCSP
59 static const unsigned char orespder[] = "Dummy OCSP Response";
60 static int ocsp_server_called = 0;
61 static int ocsp_client_called = 0;
63 static int cdummyarg = 1;
64 static X509 *ocspcert = NULL;
67 #define NUM_EXTRA_CERTS 40
68 #define CLIENT_VERSION_LEN 2
71 * This structure is used to validate that the correct number of log messages
72 * of various types are emitted when emitting secret logs.
74 struct sslapitest_log_counts {
75 unsigned int rsa_key_exchange_count;
76 unsigned int master_secret_count;
77 unsigned int client_early_secret_count;
78 unsigned int client_handshake_secret_count;
79 unsigned int server_handshake_secret_count;
80 unsigned int client_application_secret_count;
81 unsigned int server_application_secret_count;
82 unsigned int early_exporter_secret_count;
83 unsigned int exporter_secret_count;
87 static unsigned char serverinfov1[] = {
88 0xff, 0xff, /* Dummy extension type */
89 0x00, 0x01, /* Extension length is 1 byte */
90 0xff /* Dummy extension data */
93 static unsigned char serverinfov2[] = {
95 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
96 0xff, 0xff, /* Dummy extension type */
97 0x00, 0x01, /* Extension length is 1 byte */
98 0xff /* Dummy extension data */
101 static void client_keylog_callback(const SSL *ssl, const char *line)
103 int line_length = strlen(line);
105 /* If the log doesn't fit, error out. */
106 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
107 TEST_info("Client log too full");
108 error_writing_log = 1;
112 strcat(client_log_buffer, line);
113 client_log_buffer_index += line_length;
114 client_log_buffer[client_log_buffer_index++] = '\n';
117 static void server_keylog_callback(const SSL *ssl, const char *line)
119 int line_length = strlen(line);
121 /* If the log doesn't fit, error out. */
122 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
123 TEST_info("Server log too full");
124 error_writing_log = 1;
128 strcat(server_log_buffer, line);
129 server_log_buffer_index += line_length;
130 server_log_buffer[server_log_buffer_index++] = '\n';
133 static int compare_hex_encoded_buffer(const char *hex_encoded,
141 if (!TEST_size_t_eq(raw_length * 2, hex_length))
144 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
145 sprintf(hexed, "%02x", raw[i]);
146 if (!TEST_int_eq(hexed[0], hex_encoded[j])
147 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
154 static int test_keylog_output(char *buffer, const SSL *ssl,
155 const SSL_SESSION *session,
156 struct sslapitest_log_counts *expected)
159 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
160 size_t client_random_size = SSL3_RANDOM_SIZE;
161 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
162 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
163 unsigned int rsa_key_exchange_count = 0;
164 unsigned int master_secret_count = 0;
165 unsigned int client_early_secret_count = 0;
166 unsigned int client_handshake_secret_count = 0;
167 unsigned int server_handshake_secret_count = 0;
168 unsigned int client_application_secret_count = 0;
169 unsigned int server_application_secret_count = 0;
170 unsigned int early_exporter_secret_count = 0;
171 unsigned int exporter_secret_count = 0;
173 for (token = strtok(buffer, " \n"); token != NULL;
174 token = strtok(NULL, " \n")) {
175 if (strcmp(token, "RSA") == 0) {
177 * Premaster secret. Tokens should be: 16 ASCII bytes of
178 * hex-encoded encrypted secret, then the hex-encoded pre-master
181 if (!TEST_ptr(token = strtok(NULL, " \n")))
183 if (!TEST_size_t_eq(strlen(token), 16))
185 if (!TEST_ptr(token = strtok(NULL, " \n")))
188 * We can't sensibly check the log because the premaster secret is
189 * transient, and OpenSSL doesn't keep hold of it once the master
190 * secret is generated.
192 rsa_key_exchange_count++;
193 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
195 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
196 * client random, then the hex-encoded master secret.
198 client_random_size = SSL_get_client_random(ssl,
199 actual_client_random,
201 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
204 if (!TEST_ptr(token = strtok(NULL, " \n")))
206 if (!TEST_size_t_eq(strlen(token), 64))
208 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
209 actual_client_random,
210 client_random_size)))
213 if (!TEST_ptr(token = strtok(NULL, " \n")))
215 master_key_size = SSL_SESSION_get_master_key(session,
218 if (!TEST_size_t_ne(master_key_size, 0))
220 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
224 master_secret_count++;
225 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
226 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
227 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
228 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
229 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
230 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
231 || strcmp(token, "EXPORTER_SECRET") == 0) {
233 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
234 * client random, and then the hex-encoded secret. In this case,
235 * we treat all of these secrets identically and then just
236 * distinguish between them when counting what we saw.
238 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
239 client_early_secret_count++;
240 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
241 client_handshake_secret_count++;
242 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
243 server_handshake_secret_count++;
244 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
245 client_application_secret_count++;
246 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
247 server_application_secret_count++;
248 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
249 early_exporter_secret_count++;
250 else if (strcmp(token, "EXPORTER_SECRET") == 0)
251 exporter_secret_count++;
253 client_random_size = SSL_get_client_random(ssl,
254 actual_client_random,
256 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
259 if (!TEST_ptr(token = strtok(NULL, " \n")))
261 if (!TEST_size_t_eq(strlen(token), 64))
263 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
264 actual_client_random,
265 client_random_size)))
268 if (!TEST_ptr(token = strtok(NULL, " \n")))
272 * TODO(TLS1.3): test that application traffic secrets are what
275 TEST_info("Unexpected token %s\n", token);
280 /* Got what we expected? */
281 if (!TEST_size_t_eq(rsa_key_exchange_count,
282 expected->rsa_key_exchange_count)
283 || !TEST_size_t_eq(master_secret_count,
284 expected->master_secret_count)
285 || !TEST_size_t_eq(client_early_secret_count,
286 expected->client_early_secret_count)
287 || !TEST_size_t_eq(client_handshake_secret_count,
288 expected->client_handshake_secret_count)
289 || !TEST_size_t_eq(server_handshake_secret_count,
290 expected->server_handshake_secret_count)
291 || !TEST_size_t_eq(client_application_secret_count,
292 expected->client_application_secret_count)
293 || !TEST_size_t_eq(server_application_secret_count,
294 expected->server_application_secret_count)
295 || !TEST_size_t_eq(early_exporter_secret_count,
296 expected->early_exporter_secret_count)
297 || !TEST_size_t_eq(exporter_secret_count,
298 expected->exporter_secret_count))
303 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
304 static int test_keylog(void)
306 SSL_CTX *cctx = NULL, *sctx = NULL;
307 SSL *clientssl = NULL, *serverssl = NULL;
309 struct sslapitest_log_counts expected;
311 /* Clean up logging space */
312 memset(&expected, 0, sizeof(expected));
313 memset(client_log_buffer, 0, sizeof(client_log_buffer));
314 memset(server_log_buffer, 0, sizeof(server_log_buffer));
315 client_log_buffer_index = 0;
316 server_log_buffer_index = 0;
317 error_writing_log = 0;
319 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
322 &sctx, &cctx, cert, privkey)))
325 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
326 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
327 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
329 /* We also want to ensure that we use RSA-based key exchange. */
330 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
333 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
334 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
336 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
337 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
338 == client_keylog_callback))
340 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
341 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
342 == server_keylog_callback))
345 /* Now do a handshake and check that the logs have been written to. */
346 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
347 &clientssl, NULL, NULL))
348 || !TEST_true(create_ssl_connection(serverssl, clientssl,
350 || !TEST_false(error_writing_log)
351 || !TEST_int_gt(client_log_buffer_index, 0)
352 || !TEST_int_gt(server_log_buffer_index, 0))
356 * Now we want to test that our output data was vaguely sensible. We
357 * do that by using strtok and confirming that we have more or less the
358 * data we expect. For both client and server, we expect to see one master
359 * secret. The client should also see a RSA key exchange.
361 expected.rsa_key_exchange_count = 1;
362 expected.master_secret_count = 1;
363 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
364 SSL_get_session(clientssl), &expected)))
367 expected.rsa_key_exchange_count = 0;
368 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
369 SSL_get_session(serverssl), &expected)))
384 #ifndef OPENSSL_NO_TLS1_3
385 static int test_keylog_no_master_key(void)
387 SSL_CTX *cctx = NULL, *sctx = NULL;
388 SSL *clientssl = NULL, *serverssl = NULL;
389 SSL_SESSION *sess = NULL;
391 struct sslapitest_log_counts expected;
392 unsigned char buf[1];
393 size_t readbytes, written;
395 /* Clean up logging space */
396 memset(&expected, 0, sizeof(expected));
397 memset(client_log_buffer, 0, sizeof(client_log_buffer));
398 memset(server_log_buffer, 0, sizeof(server_log_buffer));
399 client_log_buffer_index = 0;
400 server_log_buffer_index = 0;
401 error_writing_log = 0;
403 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
405 &sctx, &cctx, cert, privkey))
406 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
407 SSL3_RT_MAX_PLAIN_LENGTH)))
410 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
411 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
414 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
415 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
416 == client_keylog_callback))
419 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
420 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
421 == server_keylog_callback))
424 /* Now do a handshake and check that the logs have been written to. */
425 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
426 &clientssl, NULL, NULL))
427 || !TEST_true(create_ssl_connection(serverssl, clientssl,
429 || !TEST_false(error_writing_log))
433 * Now we want to test that our output data was vaguely sensible. For this
434 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
435 * TLSv1.3, but we do expect both client and server to emit keys.
437 expected.client_handshake_secret_count = 1;
438 expected.server_handshake_secret_count = 1;
439 expected.client_application_secret_count = 1;
440 expected.server_application_secret_count = 1;
441 expected.exporter_secret_count = 1;
442 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
443 SSL_get_session(clientssl), &expected))
444 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
445 SSL_get_session(serverssl),
449 /* Terminate old session and resume with early data. */
450 sess = SSL_get1_session(clientssl);
451 SSL_shutdown(clientssl);
452 SSL_shutdown(serverssl);
455 serverssl = clientssl = NULL;
458 memset(client_log_buffer, 0, sizeof(client_log_buffer));
459 memset(server_log_buffer, 0, sizeof(server_log_buffer));
460 client_log_buffer_index = 0;
461 server_log_buffer_index = 0;
463 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
464 &clientssl, NULL, NULL))
465 || !TEST_true(SSL_set_session(clientssl, sess))
466 /* Here writing 0 length early data is enough. */
467 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
468 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
470 SSL_READ_EARLY_DATA_ERROR)
471 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
472 SSL_EARLY_DATA_ACCEPTED)
473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
475 || !TEST_true(SSL_session_reused(clientssl)))
478 /* In addition to the previous entries, expect early secrets. */
479 expected.client_early_secret_count = 1;
480 expected.early_exporter_secret_count = 1;
481 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
482 SSL_get_session(clientssl), &expected))
483 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
484 SSL_get_session(serverssl),
491 SSL_SESSION_free(sess);
501 #ifndef OPENSSL_NO_TLS1_2
502 static int full_client_hello_callback(SSL *s, int *al, void *arg)
505 const unsigned char *p;
507 /* We only configure two ciphers, but the SCSV is added automatically. */
509 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
511 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
514 const int expected_extensions[] = {
515 #ifndef OPENSSL_NO_EC
521 /* Make sure we can defer processing and get called back. */
523 return SSL_CLIENT_HELLO_RETRY;
525 len = SSL_client_hello_get0_ciphers(s, &p);
526 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
528 SSL_client_hello_get0_compression_methods(s, &p), 1)
529 || !TEST_int_eq(*p, 0))
530 return SSL_CLIENT_HELLO_ERROR;
531 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
532 return SSL_CLIENT_HELLO_ERROR;
533 if (len != OSSL_NELEM(expected_extensions) ||
534 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
535 printf("ClientHello callback expected extensions mismatch\n");
537 return SSL_CLIENT_HELLO_ERROR;
540 return SSL_CLIENT_HELLO_SUCCESS;
543 static int test_client_hello_cb(void)
545 SSL_CTX *cctx = NULL, *sctx = NULL;
546 SSL *clientssl = NULL, *serverssl = NULL;
547 int testctr = 0, testresult = 0;
549 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
551 &sctx, &cctx, cert, privkey)))
553 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
555 /* The gimpy cipher list we configure can't do TLS 1.3. */
556 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
558 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
559 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
560 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
561 &clientssl, NULL, NULL))
562 || !TEST_false(create_ssl_connection(serverssl, clientssl,
563 SSL_ERROR_WANT_CLIENT_HELLO_CB))
565 * Passing a -1 literal is a hack since
566 * the real value was lost.
568 || !TEST_int_eq(SSL_get_error(serverssl, -1),
569 SSL_ERROR_WANT_CLIENT_HELLO_CB)
570 || !TEST_true(create_ssl_connection(serverssl, clientssl,
585 static int test_no_ems(void)
587 SSL_CTX *cctx = NULL, *sctx = NULL;
588 SSL *clientssl = NULL, *serverssl = NULL;
591 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
592 TLS1_VERSION, TLS1_2_VERSION,
593 &sctx, &cctx, cert, privkey)) {
594 printf("Unable to create SSL_CTX pair\n");
598 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
600 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
601 printf("Unable to create SSL objects\n");
605 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
606 printf("Creating SSL connection failed\n");
610 if (SSL_get_extms_support(serverssl)) {
611 printf("Server reports Extended Master Secret support\n");
615 if (SSL_get_extms_support(clientssl)) {
616 printf("Client reports Extended Master Secret support\n");
631 static int execute_test_large_message(const SSL_METHOD *smeth,
632 const SSL_METHOD *cmeth,
633 int min_version, int max_version,
636 SSL_CTX *cctx = NULL, *sctx = NULL;
637 SSL *clientssl = NULL, *serverssl = NULL;
641 X509 *chaincert = NULL;
644 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
646 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
649 if (!TEST_ptr(chaincert))
652 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
653 &sctx, &cctx, cert, privkey)))
658 * Test that read_ahead works correctly when dealing with large
661 SSL_CTX_set_read_ahead(cctx, 1);
665 * We assume the supplied certificate is big enough so that if we add
666 * NUM_EXTRA_CERTS it will make the overall message large enough. The
667 * default buffer size is requested to be 16k, but due to the way BUF_MEM
668 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
669 * test we need to have a message larger than that.
671 certlen = i2d_X509(chaincert, NULL);
672 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
673 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
674 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
675 if (!X509_up_ref(chaincert))
677 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
678 X509_free(chaincert);
683 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
685 || !TEST_true(create_ssl_connection(serverssl, clientssl,
690 * Calling SSL_clear() first is not required but this tests that SSL_clear()
691 * doesn't leak (when using enable-crypto-mdebug).
693 if (!TEST_true(SSL_clear(serverssl)))
698 X509_free(chaincert);
707 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
708 && !defined(OPENSSL_NO_SOCK)
710 /* sock must be connected */
711 static int ktls_chk_platform(int sock)
713 if (!ktls_enable(sock))
718 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
720 static char count = 1;
721 unsigned char cbuf[16000] = {0};
722 unsigned char sbuf[16000];
724 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
725 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
726 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
727 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
728 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
729 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
730 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
731 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
734 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
735 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
736 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
737 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
738 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
739 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
740 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
741 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
743 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
746 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
747 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
752 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
755 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
756 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
761 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
762 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
763 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
764 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
765 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
766 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
767 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
768 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
770 /* verify the payload */
771 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
774 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
775 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
776 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
777 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
780 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
781 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
785 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
786 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
787 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
790 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
791 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
795 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
796 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
797 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
800 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
801 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
805 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
806 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
807 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
810 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
811 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
820 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
821 int sis_ktls_tx, int sis_ktls_rx)
823 SSL_CTX *cctx = NULL, *sctx = NULL;
824 SSL *clientssl = NULL, *serverssl = NULL;
828 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
831 /* Skip this test if the platform does not support ktls */
832 if (!ktls_chk_platform(cfd))
835 /* Create a session based on SHA-256 */
836 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
838 TLS1_2_VERSION, TLS1_2_VERSION,
839 &sctx, &cctx, cert, privkey))
840 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
841 "AES128-GCM-SHA256"))
842 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
843 &clientssl, sfd, cfd)))
847 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
852 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
857 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
862 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
866 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
871 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
874 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
879 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
882 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
887 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
890 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
895 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
898 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
902 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
908 SSL_shutdown(clientssl);
912 SSL_shutdown(serverssl);
917 serverssl = clientssl = NULL;
921 static int test_ktls_no_txrx_client_no_txrx_server(void)
923 return execute_test_ktls(0, 0, 0, 0);
926 static int test_ktls_no_rx_client_no_txrx_server(void)
928 return execute_test_ktls(1, 0, 0, 0);
931 static int test_ktls_no_tx_client_no_txrx_server(void)
933 return execute_test_ktls(0, 1, 0, 0);
936 static int test_ktls_client_no_txrx_server(void)
938 return execute_test_ktls(1, 1, 0, 0);
941 static int test_ktls_no_txrx_client_no_rx_server(void)
943 return execute_test_ktls(0, 0, 1, 0);
946 static int test_ktls_no_rx_client_no_rx_server(void)
948 return execute_test_ktls(1, 0, 1, 0);
951 static int test_ktls_no_tx_client_no_rx_server(void)
953 return execute_test_ktls(0, 1, 1, 0);
956 static int test_ktls_client_no_rx_server(void)
958 return execute_test_ktls(1, 1, 1, 0);
961 static int test_ktls_no_txrx_client_no_tx_server(void)
963 return execute_test_ktls(0, 0, 0, 1);
966 static int test_ktls_no_rx_client_no_tx_server(void)
968 return execute_test_ktls(1, 0, 0, 1);
971 static int test_ktls_no_tx_client_no_tx_server(void)
973 return execute_test_ktls(0, 1, 0, 1);
976 static int test_ktls_client_no_tx_server(void)
978 return execute_test_ktls(1, 1, 0, 1);
981 static int test_ktls_no_txrx_client_server(void)
983 return execute_test_ktls(0, 0, 1, 1);
986 static int test_ktls_no_rx_client_server(void)
988 return execute_test_ktls(1, 0, 1, 1);
991 static int test_ktls_no_tx_client_server(void)
993 return execute_test_ktls(0, 1, 1, 1);
996 static int test_ktls_client_server(void)
998 return execute_test_ktls(1, 1, 1, 1);
1003 static int test_large_message_tls(void)
1005 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1006 TLS1_VERSION, 0, 0);
1009 static int test_large_message_tls_read_ahead(void)
1011 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1012 TLS1_VERSION, 0, 1);
1015 #ifndef OPENSSL_NO_DTLS
1016 static int test_large_message_dtls(void)
1019 * read_ahead is not relevant to DTLS because DTLS always acts as if
1020 * read_ahead is set.
1022 return execute_test_large_message(DTLS_server_method(),
1023 DTLS_client_method(),
1024 DTLS1_VERSION, 0, 0);
1028 #ifndef OPENSSL_NO_OCSP
1029 static int ocsp_server_cb(SSL *s, void *arg)
1031 int *argi = (int *)arg;
1032 unsigned char *copy = NULL;
1033 STACK_OF(OCSP_RESPID) *ids = NULL;
1034 OCSP_RESPID *id = NULL;
1037 /* In this test we are expecting exactly 1 OCSP_RESPID */
1038 SSL_get_tlsext_status_ids(s, &ids);
1039 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1040 return SSL_TLSEXT_ERR_ALERT_FATAL;
1042 id = sk_OCSP_RESPID_value(ids, 0);
1043 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1044 return SSL_TLSEXT_ERR_ALERT_FATAL;
1045 } else if (*argi != 1) {
1046 return SSL_TLSEXT_ERR_ALERT_FATAL;
1049 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1050 return SSL_TLSEXT_ERR_ALERT_FATAL;
1052 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1053 ocsp_server_called = 1;
1054 return SSL_TLSEXT_ERR_OK;
1057 static int ocsp_client_cb(SSL *s, void *arg)
1059 int *argi = (int *)arg;
1060 const unsigned char *respderin;
1063 if (*argi != 1 && *argi != 2)
1066 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1067 if (!TEST_mem_eq(orespder, len, respderin, len))
1070 ocsp_client_called = 1;
1074 static int test_tlsext_status_type(void)
1076 SSL_CTX *cctx = NULL, *sctx = NULL;
1077 SSL *clientssl = NULL, *serverssl = NULL;
1079 STACK_OF(OCSP_RESPID) *ids = NULL;
1080 OCSP_RESPID *id = NULL;
1081 BIO *certbio = NULL;
1083 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1085 &sctx, &cctx, cert, privkey))
1088 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1091 /* First just do various checks getting and setting tlsext_status_type */
1093 clientssl = SSL_new(cctx);
1094 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1095 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1096 TLSEXT_STATUSTYPE_ocsp))
1097 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1098 TLSEXT_STATUSTYPE_ocsp))
1101 SSL_free(clientssl);
1104 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1105 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1108 clientssl = SSL_new(cctx);
1109 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1111 SSL_free(clientssl);
1115 * Now actually do a handshake and check OCSP information is exchanged and
1116 * the callbacks get called
1118 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1119 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1120 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1121 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1122 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1123 &clientssl, NULL, NULL))
1124 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1126 || !TEST_true(ocsp_client_called)
1127 || !TEST_true(ocsp_server_called))
1129 SSL_free(serverssl);
1130 SSL_free(clientssl);
1134 /* Try again but this time force the server side callback to fail */
1135 ocsp_client_called = 0;
1136 ocsp_server_called = 0;
1138 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1139 &clientssl, NULL, NULL))
1140 /* This should fail because the callback will fail */
1141 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1143 || !TEST_false(ocsp_client_called)
1144 || !TEST_false(ocsp_server_called))
1146 SSL_free(serverssl);
1147 SSL_free(clientssl);
1152 * This time we'll get the client to send an OCSP_RESPID that it will
1155 ocsp_client_called = 0;
1156 ocsp_server_called = 0;
1158 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1159 &clientssl, NULL, NULL)))
1163 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1164 * specific one. We'll use the server cert.
1166 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1167 || !TEST_ptr(id = OCSP_RESPID_new())
1168 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1169 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1171 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1172 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1175 SSL_set_tlsext_status_ids(clientssl, ids);
1176 /* Control has been transferred */
1182 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1184 || !TEST_true(ocsp_client_called)
1185 || !TEST_true(ocsp_server_called))
1191 SSL_free(serverssl);
1192 SSL_free(clientssl);
1195 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1196 OCSP_RESPID_free(id);
1198 X509_free(ocspcert);
1205 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1206 static int new_called, remove_called, get_called;
1208 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1212 * sess has been up-refed for us, but we don't actually need it so free it
1215 SSL_SESSION_free(sess);
1219 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1224 static SSL_SESSION *get_sess_val = NULL;
1226 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1231 return get_sess_val;
1234 static int execute_test_session(int maxprot, int use_int_cache,
1237 SSL_CTX *sctx = NULL, *cctx = NULL;
1238 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1239 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1240 # ifndef OPENSSL_NO_TLS1_1
1241 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1243 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1244 int testresult = 0, numnewsesstick = 1;
1246 new_called = remove_called = 0;
1248 /* TLSv1.3 sends 2 NewSessionTickets */
1249 if (maxprot == TLS1_3_VERSION)
1252 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1254 &sctx, &cctx, cert, privkey)))
1258 * Only allow the max protocol version so we can force a connection failure
1261 SSL_CTX_set_min_proto_version(cctx, maxprot);
1262 SSL_CTX_set_max_proto_version(cctx, maxprot);
1264 /* Set up session cache */
1265 if (use_ext_cache) {
1266 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1267 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1269 if (use_int_cache) {
1270 /* Also covers instance where both are set */
1271 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1273 SSL_CTX_set_session_cache_mode(cctx,
1274 SSL_SESS_CACHE_CLIENT
1275 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1278 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1280 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1282 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1285 /* Should fail because it should already be in the cache */
1286 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1289 && (!TEST_int_eq(new_called, numnewsesstick)
1291 || !TEST_int_eq(remove_called, 0)))
1294 new_called = remove_called = 0;
1295 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1296 &clientssl2, NULL, NULL))
1297 || !TEST_true(SSL_set_session(clientssl2, sess1))
1298 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1300 || !TEST_true(SSL_session_reused(clientssl2)))
1303 if (maxprot == TLS1_3_VERSION) {
1305 * In TLSv1.3 we should have created a new session even though we have
1306 * resumed. Since we attempted a resume we should also have removed the
1307 * old ticket from the cache so that we try to only use tickets once.
1310 && (!TEST_int_eq(new_called, 1)
1311 || !TEST_int_eq(remove_called, 1)))
1315 * In TLSv1.2 we expect to have resumed so no sessions added or
1319 && (!TEST_int_eq(new_called, 0)
1320 || !TEST_int_eq(remove_called, 0)))
1324 SSL_SESSION_free(sess1);
1325 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1327 shutdown_ssl_connection(serverssl2, clientssl2);
1328 serverssl2 = clientssl2 = NULL;
1330 new_called = remove_called = 0;
1331 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1332 &clientssl2, NULL, NULL))
1333 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1337 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1341 && (!TEST_int_eq(new_called, numnewsesstick)
1342 || !TEST_int_eq(remove_called, 0)))
1345 new_called = remove_called = 0;
1347 * This should clear sess2 from the cache because it is a "bad" session.
1348 * See SSL_set_session() documentation.
1350 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1353 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1355 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1358 if (use_int_cache) {
1359 /* Should succeeded because it should not already be in the cache */
1360 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1361 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1365 new_called = remove_called = 0;
1366 /* This shouldn't be in the cache so should fail */
1367 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1371 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1374 # if !defined(OPENSSL_NO_TLS1_1)
1375 new_called = remove_called = 0;
1376 /* Force a connection failure */
1377 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1378 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1379 &clientssl3, NULL, NULL))
1380 || !TEST_true(SSL_set_session(clientssl3, sess1))
1381 /* This should fail because of the mismatched protocol versions */
1382 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1386 /* We should have automatically removed the session from the cache */
1388 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1391 /* Should succeed because it should not already be in the cache */
1392 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1396 /* Now do some tests for server side caching */
1397 if (use_ext_cache) {
1398 SSL_CTX_sess_set_new_cb(cctx, NULL);
1399 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1400 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1401 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1402 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1403 get_sess_val = NULL;
1406 SSL_CTX_set_session_cache_mode(cctx, 0);
1407 /* Internal caching is the default on the server side */
1409 SSL_CTX_set_session_cache_mode(sctx,
1410 SSL_SESS_CACHE_SERVER
1411 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1413 SSL_free(serverssl1);
1414 SSL_free(clientssl1);
1415 serverssl1 = clientssl1 = NULL;
1416 SSL_free(serverssl2);
1417 SSL_free(clientssl2);
1418 serverssl2 = clientssl2 = NULL;
1419 SSL_SESSION_free(sess1);
1421 SSL_SESSION_free(sess2);
1424 SSL_CTX_set_max_proto_version(sctx, maxprot);
1425 if (maxprot == TLS1_2_VERSION)
1426 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1427 new_called = remove_called = get_called = 0;
1428 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1430 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1432 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1433 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1436 if (use_int_cache) {
1437 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1439 * In TLSv1.3 it should not have been added to the internal cache,
1440 * except in the case where we also have an external cache (in that
1441 * case it gets added to the cache in order to generate remove
1442 * events after timeout).
1444 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1447 /* Should fail because it should already be in the cache */
1448 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1453 if (use_ext_cache) {
1454 SSL_SESSION *tmp = sess2;
1456 if (!TEST_int_eq(new_called, numnewsesstick)
1457 || !TEST_int_eq(remove_called, 0)
1458 || !TEST_int_eq(get_called, 0))
1461 * Delete the session from the internal cache to force a lookup from
1462 * the external cache. We take a copy first because
1463 * SSL_CTX_remove_session() also marks the session as non-resumable.
1465 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1466 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1467 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1469 SSL_SESSION_free(sess2);
1474 new_called = remove_called = get_called = 0;
1475 get_sess_val = sess2;
1476 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1477 &clientssl2, NULL, NULL))
1478 || !TEST_true(SSL_set_session(clientssl2, sess1))
1479 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1481 || !TEST_true(SSL_session_reused(clientssl2)))
1484 if (use_ext_cache) {
1485 if (!TEST_int_eq(remove_called, 0))
1488 if (maxprot == TLS1_3_VERSION) {
1489 if (!TEST_int_eq(new_called, 1)
1490 || !TEST_int_eq(get_called, 0))
1493 if (!TEST_int_eq(new_called, 0)
1494 || !TEST_int_eq(get_called, 1))
1502 SSL_free(serverssl1);
1503 SSL_free(clientssl1);
1504 SSL_free(serverssl2);
1505 SSL_free(clientssl2);
1506 # ifndef OPENSSL_NO_TLS1_1
1507 SSL_free(serverssl3);
1508 SSL_free(clientssl3);
1510 SSL_SESSION_free(sess1);
1511 SSL_SESSION_free(sess2);
1517 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1519 static int test_session_with_only_int_cache(void)
1521 #ifndef OPENSSL_NO_TLS1_3
1522 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1526 #ifndef OPENSSL_NO_TLS1_2
1527 return execute_test_session(TLS1_2_VERSION, 1, 0);
1533 static int test_session_with_only_ext_cache(void)
1535 #ifndef OPENSSL_NO_TLS1_3
1536 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1540 #ifndef OPENSSL_NO_TLS1_2
1541 return execute_test_session(TLS1_2_VERSION, 0, 1);
1547 static int test_session_with_both_cache(void)
1549 #ifndef OPENSSL_NO_TLS1_3
1550 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1554 #ifndef OPENSSL_NO_TLS1_2
1555 return execute_test_session(TLS1_2_VERSION, 1, 1);
1561 #ifndef OPENSSL_NO_TLS1_3
1562 static SSL_SESSION *sesscache[6];
1563 static int do_cache;
1565 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1568 sesscache[new_called] = sess;
1570 /* We don't need the reference to the session, so free it */
1571 SSL_SESSION_free(sess);
1578 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1580 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1581 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1584 /* Start handshake on the server and client */
1585 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1586 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1587 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1588 || !TEST_true(create_ssl_connection(sssl, cssl,
1595 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1598 int sess_id_ctx = 1;
1600 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1601 TLS1_VERSION, 0, sctx,
1602 cctx, cert, privkey))
1603 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1604 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1605 (void *)&sess_id_ctx,
1606 sizeof(sess_id_ctx))))
1610 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1612 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1613 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1614 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1619 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1621 SSL *serverssl = NULL, *clientssl = NULL;
1624 /* Test that we can resume with all the tickets we got given */
1625 for (i = 0; i < idx * 2; i++) {
1627 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1628 &clientssl, NULL, NULL))
1629 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1632 SSL_set_post_handshake_auth(clientssl, 1);
1634 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1639 * Following a successful resumption we only get 1 ticket. After a
1640 * failed one we should get idx tickets.
1643 if (!TEST_true(SSL_session_reused(clientssl))
1644 || !TEST_int_eq(new_called, 1))
1647 if (!TEST_false(SSL_session_reused(clientssl))
1648 || !TEST_int_eq(new_called, idx))
1653 /* After a post-handshake authentication we should get 1 new ticket */
1655 && (!post_handshake_verify(serverssl, clientssl)
1656 || !TEST_int_eq(new_called, 1)))
1659 SSL_shutdown(clientssl);
1660 SSL_shutdown(serverssl);
1661 SSL_free(serverssl);
1662 SSL_free(clientssl);
1663 serverssl = clientssl = NULL;
1664 SSL_SESSION_free(sesscache[i]);
1665 sesscache[i] = NULL;
1671 SSL_free(clientssl);
1672 SSL_free(serverssl);
1676 static int test_tickets(int stateful, int idx)
1678 SSL_CTX *sctx = NULL, *cctx = NULL;
1679 SSL *serverssl = NULL, *clientssl = NULL;
1683 /* idx is the test number, but also the number of tickets we want */
1688 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1691 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1692 &clientssl, NULL, NULL)))
1695 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1697 /* Check we got the number of tickets we were expecting */
1698 || !TEST_int_eq(idx, new_called))
1701 SSL_shutdown(clientssl);
1702 SSL_shutdown(serverssl);
1703 SSL_free(serverssl);
1704 SSL_free(clientssl);
1707 clientssl = serverssl = NULL;
1711 * Now we try to resume with the tickets we previously created. The
1712 * resumption attempt is expected to fail (because we're now using a new
1713 * SSL_CTX). We should see idx number of tickets issued again.
1716 /* Stop caching sessions - just count them */
1719 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1722 if (!check_resumption(idx, sctx, cctx, 0))
1725 /* Start again with caching sessions */
1732 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1735 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1736 &clientssl, NULL, NULL)))
1739 SSL_set_post_handshake_auth(clientssl, 1);
1741 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1743 /* Check we got the number of tickets we were expecting */
1744 || !TEST_int_eq(idx, new_called))
1747 /* After a post-handshake authentication we should get new tickets issued */
1748 if (!post_handshake_verify(serverssl, clientssl)
1749 || !TEST_int_eq(idx * 2, new_called))
1752 SSL_shutdown(clientssl);
1753 SSL_shutdown(serverssl);
1754 SSL_free(serverssl);
1755 SSL_free(clientssl);
1756 serverssl = clientssl = NULL;
1758 /* Stop caching sessions - just count them */
1762 * Check we can resume with all the tickets we created. This time around the
1763 * resumptions should all be successful.
1765 if (!check_resumption(idx, sctx, cctx, 1))
1771 SSL_free(serverssl);
1772 SSL_free(clientssl);
1773 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1774 SSL_SESSION_free(sesscache[j]);
1775 sesscache[j] = NULL;
1783 static int test_stateless_tickets(int idx)
1785 return test_tickets(0, idx);
1788 static int test_stateful_tickets(int idx)
1790 return test_tickets(1, idx);
1793 static int test_psk_tickets(void)
1795 SSL_CTX *sctx = NULL, *cctx = NULL;
1796 SSL *serverssl = NULL, *clientssl = NULL;
1798 int sess_id_ctx = 1;
1800 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1801 TLS1_VERSION, 0, &sctx,
1803 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1804 (void *)&sess_id_ctx,
1805 sizeof(sess_id_ctx))))
1808 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1809 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1810 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1811 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1812 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1813 use_session_cb_cnt = 0;
1814 find_session_cb_cnt = 0;
1818 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1821 clientpsk = serverpsk = create_a_psk(clientssl);
1822 if (!TEST_ptr(clientpsk))
1824 SSL_SESSION_up_ref(clientpsk);
1826 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1828 || !TEST_int_eq(1, find_session_cb_cnt)
1829 || !TEST_int_eq(1, use_session_cb_cnt)
1830 /* We should always get 1 ticket when using external PSK */
1831 || !TEST_int_eq(1, new_called))
1837 SSL_free(serverssl);
1838 SSL_free(clientssl);
1841 SSL_SESSION_free(clientpsk);
1842 SSL_SESSION_free(serverpsk);
1843 clientpsk = serverpsk = NULL;
1852 #define USE_DEFAULT 3
1854 #define CONNTYPE_CONNECTION_SUCCESS 0
1855 #define CONNTYPE_CONNECTION_FAIL 1
1856 #define CONNTYPE_NO_CONNECTION 2
1858 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1859 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1860 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1861 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1863 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1866 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1867 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1868 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1870 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1887 * Tests calls to SSL_set_bio() under various conditions.
1889 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1890 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1891 * then do more tests where we create a successful connection first using our
1892 * standard connection setup functions, and then call SSL_set_bio() with
1893 * various combinations of valid BIOs or NULL. We then repeat these tests
1894 * following a failed connection. In this last case we are looking to check that
1895 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1897 static int test_ssl_set_bio(int idx)
1899 SSL_CTX *sctx = NULL, *cctx = NULL;
1902 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1903 SSL *serverssl = NULL, *clientssl = NULL;
1904 int initrbio, initwbio, newrbio, newwbio, conntype;
1907 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1915 conntype = CONNTYPE_NO_CONNECTION;
1917 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1918 initrbio = initwbio = USE_DEFAULT;
1926 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1928 &sctx, &cctx, cert, privkey)))
1931 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1933 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1934 * because we reduced the number of tests in the definition of
1935 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1936 * mismatched protocol versions we will force a connection failure.
1938 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1939 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1942 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1946 if (initrbio == USE_BIO_1
1947 || initwbio == USE_BIO_1
1948 || newrbio == USE_BIO_1
1949 || newwbio == USE_BIO_1) {
1950 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1954 if (initrbio == USE_BIO_2
1955 || initwbio == USE_BIO_2
1956 || newrbio == USE_BIO_2
1957 || newwbio == USE_BIO_2) {
1958 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1962 if (initrbio != USE_DEFAULT) {
1963 setupbio(&irbio, bio1, bio2, initrbio);
1964 setupbio(&iwbio, bio1, bio2, initwbio);
1965 SSL_set_bio(clientssl, irbio, iwbio);
1968 * We want to maintain our own refs to these BIO, so do an up ref for
1969 * each BIO that will have ownership transferred in the SSL_set_bio()
1974 if (iwbio != NULL && iwbio != irbio)
1978 if (conntype != CONNTYPE_NO_CONNECTION
1979 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1981 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1984 setupbio(&nrbio, bio1, bio2, newrbio);
1985 setupbio(&nwbio, bio1, bio2, newwbio);
1988 * We will (maybe) transfer ownership again so do more up refs.
1989 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1994 && (nwbio != iwbio || nrbio != nwbio))
1998 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2001 SSL_set_bio(clientssl, nrbio, nwbio);
2010 * This test is checking that the ref counting for SSL_set_bio is correct.
2011 * If we get here and we did too many frees then we will fail in the above
2012 * functions. If we haven't done enough then this will only be detected in
2013 * a crypto-mdebug build
2015 SSL_free(serverssl);
2016 SSL_free(clientssl);
2022 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2024 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2026 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2031 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2032 || !TEST_ptr(ssl = SSL_new(ctx))
2033 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2034 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2037 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2040 * If anything goes wrong here then we could leak memory, so this will
2041 * be caught in a crypto-mdebug build
2043 BIO_push(sslbio, membio1);
2045 /* Verify changing the rbio/wbio directly does not cause leaks */
2046 if (change_bio != NO_BIO_CHANGE) {
2047 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2049 if (change_bio == CHANGE_RBIO)
2050 SSL_set0_rbio(ssl, membio2);
2052 SSL_set0_wbio(ssl, membio2);
2071 static int test_ssl_bio_pop_next_bio(void)
2073 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2076 static int test_ssl_bio_pop_ssl_bio(void)
2078 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2081 static int test_ssl_bio_change_rbio(void)
2083 return execute_test_ssl_bio(0, CHANGE_RBIO);
2086 static int test_ssl_bio_change_wbio(void)
2088 return execute_test_ssl_bio(0, CHANGE_WBIO);
2091 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2093 /* The list of sig algs */
2095 /* The length of the list */
2097 /* A sigalgs list in string format */
2098 const char *liststr;
2099 /* Whether setting the list should succeed */
2101 /* Whether creating a connection with the list should succeed */
2105 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2106 # ifndef OPENSSL_NO_EC
2107 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2108 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2110 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2111 static const int invalidlist2[] = {NID_sha256, NID_undef};
2112 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2113 static const int invalidlist4[] = {NID_sha256};
2114 static const sigalgs_list testsigalgs[] = {
2115 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2116 # ifndef OPENSSL_NO_EC
2117 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2118 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2120 {NULL, 0, "RSA+SHA256", 1, 1},
2121 # ifndef OPENSSL_NO_EC
2122 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2123 {NULL, 0, "ECDSA+SHA512", 1, 0},
2125 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2126 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2127 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2128 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2129 {NULL, 0, "RSA", 0, 0},
2130 {NULL, 0, "SHA256", 0, 0},
2131 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2132 {NULL, 0, "Invalid", 0, 0}
2135 static int test_set_sigalgs(int idx)
2137 SSL_CTX *cctx = NULL, *sctx = NULL;
2138 SSL *clientssl = NULL, *serverssl = NULL;
2140 const sigalgs_list *curr;
2143 /* Should never happen */
2144 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2147 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2148 curr = testctx ? &testsigalgs[idx]
2149 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2151 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2153 &sctx, &cctx, cert, privkey)))
2157 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2158 * for TLSv1.2 for now until we add a new API.
2160 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2165 if (curr->list != NULL)
2166 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2168 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2172 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2178 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2183 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2184 &clientssl, NULL, NULL)))
2190 if (curr->list != NULL)
2191 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2193 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2196 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2205 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2213 SSL_free(serverssl);
2214 SSL_free(clientssl);
2222 #ifndef OPENSSL_NO_TLS1_3
2223 static int psk_client_cb_cnt = 0;
2224 static int psk_server_cb_cnt = 0;
2226 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2227 size_t *idlen, SSL_SESSION **sess)
2229 switch (++use_session_cb_cnt) {
2231 /* The first call should always have a NULL md */
2237 /* The second call should always have an md */
2243 /* We should only be called a maximum of twice */
2247 if (clientpsk != NULL)
2248 SSL_SESSION_up_ref(clientpsk);
2251 *id = (const unsigned char *)pskid;
2252 *idlen = strlen(pskid);
2257 #ifndef OPENSSL_NO_PSK
2258 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2259 unsigned int max_id_len,
2261 unsigned int max_psk_len)
2263 unsigned int psklen = 0;
2265 psk_client_cb_cnt++;
2267 if (strlen(pskid) + 1 > max_id_len)
2270 /* We should only ever be called a maximum of twice per connection */
2271 if (psk_client_cb_cnt > 2)
2274 if (clientpsk == NULL)
2277 /* We'll reuse the PSK we set up for TLSv1.3 */
2278 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2280 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2281 strncpy(id, pskid, max_id_len);
2285 #endif /* OPENSSL_NO_PSK */
2287 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2288 size_t identity_len, SSL_SESSION **sess)
2290 find_session_cb_cnt++;
2292 /* We should only ever be called a maximum of twice per connection */
2293 if (find_session_cb_cnt > 2)
2296 if (serverpsk == NULL)
2299 /* Identity should match that set by the client */
2300 if (strlen(srvid) != identity_len
2301 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2302 /* No PSK found, continue but without a PSK */
2307 SSL_SESSION_up_ref(serverpsk);
2313 #ifndef OPENSSL_NO_PSK
2314 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2315 unsigned char *psk, unsigned int max_psk_len)
2317 unsigned int psklen = 0;
2319 psk_server_cb_cnt++;
2321 /* We should only ever be called a maximum of twice per connection */
2322 if (find_session_cb_cnt > 2)
2325 if (serverpsk == NULL)
2328 /* Identity should match that set by the client */
2329 if (strcmp(srvid, identity) != 0) {
2333 /* We'll reuse the PSK we set up for TLSv1.3 */
2334 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2336 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2340 #endif /* OPENSSL_NO_PSK */
2342 #define MSG1 "Hello"
2343 #define MSG2 "World."
2348 #define MSG7 "message."
2350 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2351 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2354 static SSL_SESSION *create_a_psk(SSL *ssl)
2356 const SSL_CIPHER *cipher = NULL;
2357 const unsigned char key[] = {
2358 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2359 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2360 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2361 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2362 0x2c, 0x2d, 0x2e, 0x2f
2364 SSL_SESSION *sess = NULL;
2366 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2367 sess = SSL_SESSION_new();
2369 || !TEST_ptr(cipher)
2370 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2372 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2374 SSL_SESSION_set_protocol_version(sess,
2376 SSL_SESSION_free(sess);
2383 * Helper method to setup objects for early data test. Caller frees objects on
2386 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2387 SSL **serverssl, SSL_SESSION **sess, int idx)
2390 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2391 TLS_client_method(),
2393 sctx, cctx, cert, privkey)))
2396 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2400 /* When idx == 1 we repeat the tests with read_ahead set */
2401 SSL_CTX_set_read_ahead(*cctx, 1);
2402 SSL_CTX_set_read_ahead(*sctx, 1);
2403 } else if (idx == 2) {
2404 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2405 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2406 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2407 use_session_cb_cnt = 0;
2408 find_session_cb_cnt = 0;
2412 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2417 * For one of the run throughs (doesn't matter which one), we'll try sending
2418 * some SNI data in the initial ClientHello. This will be ignored (because
2419 * there is no SNI cb set up by the server), so it should not impact
2423 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2427 clientpsk = create_a_psk(*clientssl);
2428 if (!TEST_ptr(clientpsk)
2430 * We just choose an arbitrary value for max_early_data which
2431 * should be big enough for testing purposes.
2433 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2435 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2436 SSL_SESSION_free(clientpsk);
2440 serverpsk = clientpsk;
2443 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2444 SSL_SESSION_free(clientpsk);
2445 SSL_SESSION_free(serverpsk);
2446 clientpsk = serverpsk = NULL;
2457 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2461 *sess = SSL_get1_session(*clientssl);
2462 SSL_shutdown(*clientssl);
2463 SSL_shutdown(*serverssl);
2464 SSL_free(*serverssl);
2465 SSL_free(*clientssl);
2466 *serverssl = *clientssl = NULL;
2468 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2469 clientssl, NULL, NULL))
2470 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2476 static int test_early_data_read_write(int idx)
2478 SSL_CTX *cctx = NULL, *sctx = NULL;
2479 SSL *clientssl = NULL, *serverssl = NULL;
2481 SSL_SESSION *sess = NULL;
2482 unsigned char buf[20], data[1024];
2483 size_t readbytes, written, eoedlen, rawread, rawwritten;
2486 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2487 &serverssl, &sess, idx)))
2490 /* Write and read some early data */
2491 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2493 || !TEST_size_t_eq(written, strlen(MSG1))
2494 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2495 sizeof(buf), &readbytes),
2496 SSL_READ_EARLY_DATA_SUCCESS)
2497 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2498 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2499 SSL_EARLY_DATA_ACCEPTED))
2503 * Server should be able to write data, and client should be able to
2506 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2508 || !TEST_size_t_eq(written, strlen(MSG2))
2509 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2510 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2513 /* Even after reading normal data, client should be able write early data */
2514 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2516 || !TEST_size_t_eq(written, strlen(MSG3)))
2519 /* Server should still be able read early data after writing data */
2520 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2522 SSL_READ_EARLY_DATA_SUCCESS)
2523 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2526 /* Write more data from server and read it from client */
2527 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2529 || !TEST_size_t_eq(written, strlen(MSG4))
2530 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2531 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2535 * If client writes normal data it should mean writing early data is no
2538 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2539 || !TEST_size_t_eq(written, strlen(MSG5))
2540 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2541 SSL_EARLY_DATA_ACCEPTED))
2545 * At this point the client has written EndOfEarlyData, ClientFinished and
2546 * normal (fully protected) data. We are going to cause a delay between the
2547 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2548 * in the read BIO, and then just put back the EndOfEarlyData message.
2550 rbio = SSL_get_rbio(serverssl);
2551 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2552 || !TEST_size_t_lt(rawread, sizeof(data))
2553 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2556 /* Record length is in the 4th and 5th bytes of the record header */
2557 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2558 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2559 || !TEST_size_t_eq(rawwritten, eoedlen))
2562 /* Server should be told that there is no more early data */
2563 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2565 SSL_READ_EARLY_DATA_FINISH)
2566 || !TEST_size_t_eq(readbytes, 0))
2570 * Server has not finished init yet, so should still be able to write early
2573 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2575 || !TEST_size_t_eq(written, strlen(MSG6)))
2578 /* Push the ClientFinished and the normal data back into the server rbio */
2579 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2581 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2584 /* Server should be able to read normal data */
2585 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2586 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2589 /* Client and server should not be able to write/read early data now */
2590 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2594 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2596 SSL_READ_EARLY_DATA_ERROR))
2600 /* Client should be able to read the data sent by the server */
2601 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2602 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2606 * Make sure we process the two NewSessionTickets. These arrive
2607 * post-handshake. We attempt reads which we do not expect to return any
2610 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2611 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2615 /* Server should be able to write normal data */
2616 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2617 || !TEST_size_t_eq(written, strlen(MSG7))
2618 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2619 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2622 SSL_SESSION_free(sess);
2623 sess = SSL_get1_session(clientssl);
2624 use_session_cb_cnt = 0;
2625 find_session_cb_cnt = 0;
2627 SSL_shutdown(clientssl);
2628 SSL_shutdown(serverssl);
2629 SSL_free(serverssl);
2630 SSL_free(clientssl);
2631 serverssl = clientssl = NULL;
2632 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2633 &clientssl, NULL, NULL))
2634 || !TEST_true(SSL_set_session(clientssl, sess)))
2637 /* Write and read some early data */
2638 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2640 || !TEST_size_t_eq(written, strlen(MSG1))
2641 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2643 SSL_READ_EARLY_DATA_SUCCESS)
2644 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2647 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2648 || !TEST_int_gt(SSL_accept(serverssl), 0))
2651 /* Client and server should not be able to write/read early data now */
2652 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2656 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2658 SSL_READ_EARLY_DATA_ERROR))
2662 /* Client and server should be able to write/read normal data */
2663 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2664 || !TEST_size_t_eq(written, strlen(MSG5))
2665 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2666 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2672 SSL_SESSION_free(sess);
2673 SSL_SESSION_free(clientpsk);
2674 SSL_SESSION_free(serverpsk);
2675 clientpsk = serverpsk = NULL;
2676 SSL_free(serverssl);
2677 SSL_free(clientssl);
2683 static int allow_ed_cb_called = 0;
2685 static int allow_early_data_cb(SSL *s, void *arg)
2687 int *usecb = (int *)arg;
2689 allow_ed_cb_called++;
2698 * idx == 0: Standard early_data setup
2699 * idx == 1: early_data setup using read_ahead
2700 * usecb == 0: Don't use a custom early data callback
2701 * usecb == 1: Use a custom early data callback and reject the early data
2702 * usecb == 2: Use a custom early data callback and accept the early data
2703 * confopt == 0: Configure anti-replay directly
2704 * confopt == 1: Configure anti-replay using SSL_CONF
2706 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2708 SSL_CTX *cctx = NULL, *sctx = NULL;
2709 SSL *clientssl = NULL, *serverssl = NULL;
2711 SSL_SESSION *sess = NULL;
2712 size_t readbytes, written;
2713 unsigned char buf[20];
2715 allow_ed_cb_called = 0;
2717 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2718 TLS1_VERSION, 0, &sctx,
2719 &cctx, cert, privkey)))
2724 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2726 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2728 if (!TEST_ptr(confctx))
2730 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2731 | SSL_CONF_FLAG_SERVER);
2732 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2733 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2735 SSL_CONF_CTX_free(confctx);
2738 SSL_CONF_CTX_free(confctx);
2740 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2743 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2744 &serverssl, &sess, idx)))
2748 * The server is configured to accept early data. Create a connection to
2749 * "use up" the ticket
2751 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2752 || !TEST_true(SSL_session_reused(clientssl)))
2755 SSL_shutdown(clientssl);
2756 SSL_shutdown(serverssl);
2757 SSL_free(serverssl);
2758 SSL_free(clientssl);
2759 serverssl = clientssl = NULL;
2761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2762 &clientssl, NULL, NULL))
2763 || !TEST_true(SSL_set_session(clientssl, sess)))
2766 /* Write and read some early data */
2767 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2769 || !TEST_size_t_eq(written, strlen(MSG1)))
2773 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2775 SSL_READ_EARLY_DATA_FINISH)
2777 * The ticket was reused, so the we should have rejected the
2780 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2781 SSL_EARLY_DATA_REJECTED))
2784 /* In this case the callback decides to accept the early data */
2785 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2787 SSL_READ_EARLY_DATA_SUCCESS)
2788 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2790 * Server will have sent its flight so client can now send
2791 * end of early data and complete its half of the handshake
2793 || !TEST_int_gt(SSL_connect(clientssl), 0)
2794 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2796 SSL_READ_EARLY_DATA_FINISH)
2797 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2798 SSL_EARLY_DATA_ACCEPTED))
2802 /* Complete the connection */
2803 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2804 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2805 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2811 SSL_SESSION_free(sess);
2812 SSL_SESSION_free(clientpsk);
2813 SSL_SESSION_free(serverpsk);
2814 clientpsk = serverpsk = NULL;
2815 SSL_free(serverssl);
2816 SSL_free(clientssl);
2822 static int test_early_data_replay(int idx)
2824 int ret = 1, usecb, confopt;
2826 for (usecb = 0; usecb < 3; usecb++) {
2827 for (confopt = 0; confopt < 2; confopt++)
2828 ret &= test_early_data_replay_int(idx, usecb, confopt);
2835 * Helper function to test that a server attempting to read early data can
2836 * handle a connection from a client where the early data should be skipped.
2837 * testtype: 0 == No HRR
2838 * testtype: 1 == HRR
2839 * testtype: 2 == HRR, invalid early_data sent after HRR
2840 * testtype: 3 == recv_max_early_data set to 0
2842 static int early_data_skip_helper(int testtype, int idx)
2844 SSL_CTX *cctx = NULL, *sctx = NULL;
2845 SSL *clientssl = NULL, *serverssl = NULL;
2847 SSL_SESSION *sess = NULL;
2848 unsigned char buf[20];
2849 size_t readbytes, written;
2851 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2852 &serverssl, &sess, idx)))
2855 if (testtype == 1 || testtype == 2) {
2856 /* Force an HRR to occur */
2857 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2859 } else if (idx == 2) {
2861 * We force early_data rejection by ensuring the PSK identity is
2864 srvid = "Dummy Identity";
2867 * Deliberately corrupt the creation time. We take 20 seconds off the
2868 * time. It could be any value as long as it is not within tolerance.
2869 * This should mean the ticket is rejected.
2871 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2876 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2879 /* Write some early data */
2880 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2882 || !TEST_size_t_eq(written, strlen(MSG1)))
2885 /* Server should reject the early data */
2886 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2888 SSL_READ_EARLY_DATA_FINISH)
2889 || !TEST_size_t_eq(readbytes, 0)
2890 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2891 SSL_EARLY_DATA_REJECTED))
2901 * Finish off the handshake. We perform the same writes and reads as
2902 * further down but we expect them to fail due to the incomplete
2905 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2906 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2913 BIO *wbio = SSL_get_wbio(clientssl);
2914 /* A record that will appear as bad early_data */
2915 const unsigned char bad_early_data[] = {
2916 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2920 * We force the client to attempt a write. This will fail because
2921 * we're still in the handshake. It will cause the second
2922 * ClientHello to be sent.
2924 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2929 * Inject some early_data after the second ClientHello. This should
2930 * cause the server to fail
2932 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2933 sizeof(bad_early_data), &written)))
2940 * This client has sent more early_data than we are willing to skip
2941 * (case 3) or sent invalid early_data (case 2) so the connection should
2944 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2945 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2948 /* Connection has failed - nothing more to do */
2953 TEST_error("Invalid test type");
2958 * Should be able to send normal data despite rejection of early data. The
2959 * early_data should be skipped.
2961 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2962 || !TEST_size_t_eq(written, strlen(MSG2))
2963 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2964 SSL_EARLY_DATA_REJECTED)
2965 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2966 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2972 SSL_SESSION_free(clientpsk);
2973 SSL_SESSION_free(serverpsk);
2974 clientpsk = serverpsk = NULL;
2975 SSL_SESSION_free(sess);
2976 SSL_free(serverssl);
2977 SSL_free(clientssl);
2984 * Test that a server attempting to read early data can handle a connection
2985 * from a client where the early data is not acceptable.
2987 static int test_early_data_skip(int idx)
2989 return early_data_skip_helper(0, idx);
2993 * Test that a server attempting to read early data can handle a connection
2994 * from a client where an HRR occurs.
2996 static int test_early_data_skip_hrr(int idx)
2998 return early_data_skip_helper(1, idx);
3002 * Test that a server attempting to read early data can handle a connection
3003 * from a client where an HRR occurs and correctly fails if early_data is sent
3006 static int test_early_data_skip_hrr_fail(int idx)
3008 return early_data_skip_helper(2, idx);
3012 * Test that a server attempting to read early data will abort if it tries to
3013 * skip over too much.
3015 static int test_early_data_skip_abort(int idx)
3017 return early_data_skip_helper(3, idx);
3021 * Test that a server attempting to read early data can handle a connection
3022 * from a client that doesn't send any.
3024 static int test_early_data_not_sent(int idx)
3026 SSL_CTX *cctx = NULL, *sctx = NULL;
3027 SSL *clientssl = NULL, *serverssl = NULL;
3029 SSL_SESSION *sess = NULL;
3030 unsigned char buf[20];
3031 size_t readbytes, written;
3033 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3034 &serverssl, &sess, idx)))
3037 /* Write some data - should block due to handshake with server */
3038 SSL_set_connect_state(clientssl);
3039 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3042 /* Server should detect that early data has not been sent */
3043 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3045 SSL_READ_EARLY_DATA_FINISH)
3046 || !TEST_size_t_eq(readbytes, 0)
3047 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3048 SSL_EARLY_DATA_NOT_SENT)
3049 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3050 SSL_EARLY_DATA_NOT_SENT))
3053 /* Continue writing the message we started earlier */
3054 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3055 || !TEST_size_t_eq(written, strlen(MSG1))
3056 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3057 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3058 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3059 || !TEST_size_t_eq(written, strlen(MSG2)))
3062 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3063 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3069 SSL_SESSION_free(sess);
3070 SSL_SESSION_free(clientpsk);
3071 SSL_SESSION_free(serverpsk);
3072 clientpsk = serverpsk = NULL;
3073 SSL_free(serverssl);
3074 SSL_free(clientssl);
3080 static int hostname_cb(SSL *s, int *al, void *arg)
3082 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3084 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
3085 return SSL_TLSEXT_ERR_OK;
3087 return SSL_TLSEXT_ERR_NOACK;
3090 static const char *servalpn;
3092 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3093 unsigned char *outlen, const unsigned char *in,
3094 unsigned int inlen, void *arg)
3096 unsigned int protlen = 0;
3097 const unsigned char *prot;
3099 for (prot = in; prot < in + inlen; prot += protlen) {
3101 if (in + inlen < prot + protlen)
3102 return SSL_TLSEXT_ERR_NOACK;
3104 if (protlen == strlen(servalpn)
3105 && memcmp(prot, servalpn, protlen) == 0) {
3108 return SSL_TLSEXT_ERR_OK;
3112 return SSL_TLSEXT_ERR_NOACK;
3115 /* Test that a PSK can be used to send early_data */
3116 static int test_early_data_psk(int idx)
3118 SSL_CTX *cctx = NULL, *sctx = NULL;
3119 SSL *clientssl = NULL, *serverssl = NULL;
3121 SSL_SESSION *sess = NULL;
3122 unsigned char alpnlist[] = {
3123 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3126 #define GOODALPNLEN 9
3127 #define BADALPNLEN 8
3128 #define GOODALPN (alpnlist)
3129 #define BADALPN (alpnlist + GOODALPNLEN)
3131 unsigned char buf[20];
3132 size_t readbytes, written;
3133 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3134 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3136 /* We always set this up with a final parameter of "2" for PSK */
3137 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3138 &serverssl, &sess, 2)))
3141 servalpn = "goodalpn";
3144 * Note: There is no test for inconsistent SNI with late client detection.
3145 * This is because servers do not acknowledge SNI even if they are using
3146 * it in a resumption handshake - so it is not actually possible for a
3147 * client to detect a problem.
3151 /* Set inconsistent SNI (early client detection) */
3152 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3153 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3154 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3159 /* Set inconsistent ALPN (early client detection) */
3160 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3161 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3162 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3164 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3171 * Set invalid protocol version. Technically this affects PSKs without
3172 * early_data too, but we test it here because it is similar to the
3173 * SNI/ALPN consistency tests.
3175 err = SSL_R_BAD_PSK;
3176 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3182 * Set inconsistent SNI (server detected). In this case the connection
3183 * will succeed but reject early_data.
3185 SSL_SESSION_free(serverpsk);
3186 serverpsk = SSL_SESSION_dup(clientpsk);
3187 if (!TEST_ptr(serverpsk)
3188 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3190 edstatus = SSL_EARLY_DATA_REJECTED;
3191 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3194 /* Set consistent SNI */
3195 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3196 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3197 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3204 * Set inconsistent ALPN (server detected). In this case the connection
3205 * will succeed but reject early_data.
3207 servalpn = "badalpn";
3208 edstatus = SSL_EARLY_DATA_REJECTED;
3209 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3213 * Set consistent ALPN.
3214 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3215 * accepts a list of protos (each one length prefixed).
3216 * SSL_set1_alpn_selected accepts a single protocol (not length
3219 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3221 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3225 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3229 /* Set inconsistent ALPN (late client detection) */
3230 SSL_SESSION_free(serverpsk);
3231 serverpsk = SSL_SESSION_dup(clientpsk);
3232 if (!TEST_ptr(serverpsk)
3233 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3236 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3239 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3242 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3243 edstatus = SSL_EARLY_DATA_ACCEPTED;
3244 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3245 /* SSL_connect() call should fail */
3250 TEST_error("Bad test index");
3254 SSL_set_connect_state(clientssl);
3256 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3258 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3259 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3262 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3266 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3267 &readbytes), readearlyres)
3268 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3269 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3270 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3271 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3278 SSL_SESSION_free(sess);
3279 SSL_SESSION_free(clientpsk);
3280 SSL_SESSION_free(serverpsk);
3281 clientpsk = serverpsk = NULL;
3282 SSL_free(serverssl);
3283 SSL_free(clientssl);
3290 * Test that a server that doesn't try to read early data can handle a
3291 * client sending some.
3293 static int test_early_data_not_expected(int idx)
3295 SSL_CTX *cctx = NULL, *sctx = NULL;
3296 SSL *clientssl = NULL, *serverssl = NULL;
3298 SSL_SESSION *sess = NULL;
3299 unsigned char buf[20];
3300 size_t readbytes, written;
3302 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3303 &serverssl, &sess, idx)))
3306 /* Write some early data */
3307 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3312 * Server should skip over early data and then block waiting for client to
3313 * continue handshake
3315 if (!TEST_int_le(SSL_accept(serverssl), 0)
3316 || !TEST_int_gt(SSL_connect(clientssl), 0)
3317 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3318 SSL_EARLY_DATA_REJECTED)
3319 || !TEST_int_gt(SSL_accept(serverssl), 0)
3320 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3321 SSL_EARLY_DATA_REJECTED))
3324 /* Send some normal data from client to server */
3325 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3326 || !TEST_size_t_eq(written, strlen(MSG2)))
3329 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3330 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3336 SSL_SESSION_free(sess);
3337 SSL_SESSION_free(clientpsk);
3338 SSL_SESSION_free(serverpsk);
3339 clientpsk = serverpsk = NULL;
3340 SSL_free(serverssl);
3341 SSL_free(clientssl);
3348 # ifndef OPENSSL_NO_TLS1_2
3350 * Test that a server attempting to read early data can handle a connection
3351 * from a TLSv1.2 client.
3353 static int test_early_data_tls1_2(int idx)
3355 SSL_CTX *cctx = NULL, *sctx = NULL;
3356 SSL *clientssl = NULL, *serverssl = NULL;
3358 unsigned char buf[20];
3359 size_t readbytes, written;
3361 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3362 &serverssl, NULL, idx)))
3365 /* Write some data - should block due to handshake with server */
3366 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3367 SSL_set_connect_state(clientssl);
3368 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3372 * Server should do TLSv1.2 handshake. First it will block waiting for more
3373 * messages from client after ServerDone. Then SSL_read_early_data should
3374 * finish and detect that early data has not been sent
3376 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3378 SSL_READ_EARLY_DATA_ERROR))
3382 * Continue writing the message we started earlier. Will still block waiting
3383 * for the CCS/Finished from server
3385 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3386 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3388 SSL_READ_EARLY_DATA_FINISH)
3389 || !TEST_size_t_eq(readbytes, 0)
3390 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3391 SSL_EARLY_DATA_NOT_SENT))
3394 /* Continue writing the message we started earlier */
3395 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3396 || !TEST_size_t_eq(written, strlen(MSG1))
3397 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3398 SSL_EARLY_DATA_NOT_SENT)
3399 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3400 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3401 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3402 || !TEST_size_t_eq(written, strlen(MSG2))
3403 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3404 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3410 SSL_SESSION_free(clientpsk);
3411 SSL_SESSION_free(serverpsk);
3412 clientpsk = serverpsk = NULL;
3413 SSL_free(serverssl);
3414 SSL_free(clientssl);
3420 # endif /* OPENSSL_NO_TLS1_2 */
3423 * Test configuring the TLSv1.3 ciphersuites
3425 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3426 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3427 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3428 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3429 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3430 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3431 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3432 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3433 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3434 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3436 static int test_set_ciphersuite(int idx)
3438 SSL_CTX *cctx = NULL, *sctx = NULL;
3439 SSL *clientssl = NULL, *serverssl = NULL;
3442 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3444 &sctx, &cctx, cert, privkey))
3445 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3446 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3449 if (idx >=4 && idx <= 7) {
3450 /* SSL_CTX explicit cipher list */
3451 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3455 if (idx == 0 || idx == 4) {
3456 /* Default ciphersuite */
3457 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3458 "TLS_AES_128_GCM_SHA256")))
3460 } else if (idx == 1 || idx == 5) {
3461 /* Non default ciphersuite */
3462 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3463 "TLS_AES_128_CCM_SHA256")))
3467 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3468 &clientssl, NULL, NULL)))
3471 if (idx == 8 || idx == 9) {
3472 /* SSL explicit cipher list */
3473 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3477 if (idx == 2 || idx == 6 || idx == 8) {
3478 /* Default ciphersuite */
3479 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3480 "TLS_AES_128_GCM_SHA256")))
3482 } else if (idx == 3 || idx == 7 || idx == 9) {
3483 /* Non default ciphersuite */
3484 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3485 "TLS_AES_128_CCM_SHA256")))
3489 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3495 SSL_free(serverssl);
3496 SSL_free(clientssl);
3503 static int test_ciphersuite_change(void)
3505 SSL_CTX *cctx = NULL, *sctx = NULL;
3506 SSL *clientssl = NULL, *serverssl = NULL;
3507 SSL_SESSION *clntsess = NULL;
3509 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3511 /* Create a session based on SHA-256 */
3512 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3514 &sctx, &cctx, cert, privkey))
3515 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3516 "TLS_AES_128_GCM_SHA256"))
3517 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3518 &clientssl, NULL, NULL))
3519 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3523 clntsess = SSL_get1_session(clientssl);
3524 /* Save for later */
3525 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3526 SSL_shutdown(clientssl);
3527 SSL_shutdown(serverssl);
3528 SSL_free(serverssl);
3529 SSL_free(clientssl);
3530 serverssl = clientssl = NULL;
3532 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3533 /* Check we can resume a session with a different SHA-256 ciphersuite */
3534 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3535 "TLS_CHACHA20_POLY1305_SHA256"))
3536 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3538 || !TEST_true(SSL_set_session(clientssl, clntsess))
3539 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3541 || !TEST_true(SSL_session_reused(clientssl)))
3544 SSL_SESSION_free(clntsess);
3545 clntsess = SSL_get1_session(clientssl);
3546 SSL_shutdown(clientssl);
3547 SSL_shutdown(serverssl);
3548 SSL_free(serverssl);
3549 SSL_free(clientssl);
3550 serverssl = clientssl = NULL;
3554 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3555 * succeeds but does not resume.
3557 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3558 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3560 || !TEST_true(SSL_set_session(clientssl, clntsess))
3561 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3563 || !TEST_false(SSL_session_reused(clientssl)))
3566 SSL_SESSION_free(clntsess);
3568 SSL_shutdown(clientssl);
3569 SSL_shutdown(serverssl);
3570 SSL_free(serverssl);
3571 SSL_free(clientssl);
3572 serverssl = clientssl = NULL;
3574 /* Create a session based on SHA384 */
3575 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3576 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3577 &clientssl, NULL, NULL))
3578 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3582 clntsess = SSL_get1_session(clientssl);
3583 SSL_shutdown(clientssl);
3584 SSL_shutdown(serverssl);
3585 SSL_free(serverssl);
3586 SSL_free(clientssl);
3587 serverssl = clientssl = NULL;
3589 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3590 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3591 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3592 "TLS_AES_256_GCM_SHA384"))
3593 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3595 || !TEST_true(SSL_set_session(clientssl, clntsess))
3597 * We use SSL_ERROR_WANT_READ below so that we can pause the
3598 * connection after the initial ClientHello has been sent to
3599 * enable us to make some session changes.
3601 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3602 SSL_ERROR_WANT_READ)))
3605 /* Trick the client into thinking this session is for a different digest */
3606 clntsess->cipher = aes_128_gcm_sha256;
3607 clntsess->cipher_id = clntsess->cipher->id;
3610 * Continue the previously started connection. Server has selected a SHA-384
3611 * ciphersuite, but client thinks the session is for SHA-256, so it should
3614 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3616 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3617 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3623 SSL_SESSION_free(clntsess);
3624 SSL_free(serverssl);
3625 SSL_free(clientssl);
3634 * Test 0 = Test new style callbacks
3635 * Test 1 = Test both new and old style callbacks
3636 * Test 2 = Test old style callbacks
3637 * Test 3 = Test old style callbacks with no certificate
3639 static int test_tls13_psk(int idx)
3641 SSL_CTX *sctx = NULL, *cctx = NULL;
3642 SSL *serverssl = NULL, *clientssl = NULL;
3643 const SSL_CIPHER *cipher = NULL;
3644 const unsigned char key[] = {
3645 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3646 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3647 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3648 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3652 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3654 &sctx, &cctx, idx == 3 ? NULL : cert,
3655 idx == 3 ? NULL : privkey)))
3660 * We use a ciphersuite with SHA256 to ease testing old style PSK
3661 * callbacks which will always default to SHA256. This should not be
3662 * necessary if we have no cert/priv key. In that case the server should
3663 * prefer SHA256 automatically.
3665 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3666 "TLS_AES_128_GCM_SHA256")))
3671 * Test 0: New style callbacks only
3672 * Test 1: New and old style callbacks (only the new ones should be used)
3673 * Test 2: Old style callbacks only
3675 if (idx == 0 || idx == 1) {
3676 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3677 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3679 #ifndef OPENSSL_NO_PSK
3681 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3682 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3686 use_session_cb_cnt = 0;
3687 find_session_cb_cnt = 0;
3688 psk_client_cb_cnt = 0;
3689 psk_server_cb_cnt = 0;
3693 * Check we can create a connection if callback decides not to send a
3696 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3698 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3700 || !TEST_false(SSL_session_reused(clientssl))
3701 || !TEST_false(SSL_session_reused(serverssl)))
3704 if (idx == 0 || idx == 1) {
3705 if (!TEST_true(use_session_cb_cnt == 1)
3706 || !TEST_true(find_session_cb_cnt == 0)
3708 * If no old style callback then below should be 0
3711 || !TEST_true(psk_client_cb_cnt == idx)
3712 || !TEST_true(psk_server_cb_cnt == 0))
3715 if (!TEST_true(use_session_cb_cnt == 0)
3716 || !TEST_true(find_session_cb_cnt == 0)
3717 || !TEST_true(psk_client_cb_cnt == 1)
3718 || !TEST_true(psk_server_cb_cnt == 0))
3722 shutdown_ssl_connection(serverssl, clientssl);
3723 serverssl = clientssl = NULL;
3724 use_session_cb_cnt = psk_client_cb_cnt = 0;
3727 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3731 /* Create the PSK */
3732 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3733 clientpsk = SSL_SESSION_new();
3734 if (!TEST_ptr(clientpsk)
3735 || !TEST_ptr(cipher)
3736 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3738 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3739 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3741 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3743 serverpsk = clientpsk;
3745 /* Check we can create a connection and the PSK is used */
3746 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3747 || !TEST_true(SSL_session_reused(clientssl))
3748 || !TEST_true(SSL_session_reused(serverssl)))
3751 if (idx == 0 || idx == 1) {
3752 if (!TEST_true(use_session_cb_cnt == 1)
3753 || !TEST_true(find_session_cb_cnt == 1)
3754 || !TEST_true(psk_client_cb_cnt == 0)
3755 || !TEST_true(psk_server_cb_cnt == 0))
3758 if (!TEST_true(use_session_cb_cnt == 0)
3759 || !TEST_true(find_session_cb_cnt == 0)
3760 || !TEST_true(psk_client_cb_cnt == 1)
3761 || !TEST_true(psk_server_cb_cnt == 1))
3765 shutdown_ssl_connection(serverssl, clientssl);
3766 serverssl = clientssl = NULL;
3767 use_session_cb_cnt = find_session_cb_cnt = 0;
3768 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3770 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3775 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3779 * Check we can create a connection, the PSK is used and the callbacks are
3782 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3783 || !TEST_true(SSL_session_reused(clientssl))
3784 || !TEST_true(SSL_session_reused(serverssl)))
3787 if (idx == 0 || idx == 1) {
3788 if (!TEST_true(use_session_cb_cnt == 2)
3789 || !TEST_true(find_session_cb_cnt == 2)
3790 || !TEST_true(psk_client_cb_cnt == 0)
3791 || !TEST_true(psk_server_cb_cnt == 0))
3794 if (!TEST_true(use_session_cb_cnt == 0)
3795 || !TEST_true(find_session_cb_cnt == 0)
3796 || !TEST_true(psk_client_cb_cnt == 2)
3797 || !TEST_true(psk_server_cb_cnt == 2))
3801 shutdown_ssl_connection(serverssl, clientssl);
3802 serverssl = clientssl = NULL;
3803 use_session_cb_cnt = find_session_cb_cnt = 0;
3804 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3808 * Check that if the server rejects the PSK we can still connect, but with
3811 srvid = "Dummy Identity";
3812 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3814 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3816 || !TEST_false(SSL_session_reused(clientssl))
3817 || !TEST_false(SSL_session_reused(serverssl)))
3820 if (idx == 0 || idx == 1) {
3821 if (!TEST_true(use_session_cb_cnt == 1)
3822 || !TEST_true(find_session_cb_cnt == 1)
3823 || !TEST_true(psk_client_cb_cnt == 0)
3825 * If no old style callback then below should be 0
3828 || !TEST_true(psk_server_cb_cnt == idx))
3831 if (!TEST_true(use_session_cb_cnt == 0)
3832 || !TEST_true(find_session_cb_cnt == 0)
3833 || !TEST_true(psk_client_cb_cnt == 1)
3834 || !TEST_true(psk_server_cb_cnt == 1))
3838 shutdown_ssl_connection(serverssl, clientssl);
3839 serverssl = clientssl = NULL;
3844 SSL_SESSION_free(clientpsk);
3845 SSL_SESSION_free(serverpsk);
3846 clientpsk = serverpsk = NULL;
3847 SSL_free(serverssl);
3848 SSL_free(clientssl);
3854 static unsigned char cookie_magic_value[] = "cookie magic";
3856 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3857 unsigned int *cookie_len)
3860 * Not suitable as a real cookie generation function but good enough for
3863 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3864 *cookie_len = sizeof(cookie_magic_value) - 1;
3869 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3870 unsigned int cookie_len)
3872 if (cookie_len == sizeof(cookie_magic_value) - 1
3873 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3879 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3883 int res = generate_cookie_callback(ssl, cookie, &temp);
3888 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3891 return verify_cookie_callback(ssl, cookie, cookie_len);
3894 static int test_stateless(void)
3896 SSL_CTX *sctx = NULL, *cctx = NULL;
3897 SSL *serverssl = NULL, *clientssl = NULL;
3900 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3902 &sctx, &cctx, cert, privkey)))
3905 /* The arrival of CCS messages can confuse the test */
3906 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3908 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3910 /* Send the first ClientHello */
3911 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3912 SSL_ERROR_WANT_READ))
3914 * This should fail with a -1 return because we have no callbacks
3917 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3920 /* Fatal error so abandon the connection from this client */
3921 SSL_free(clientssl);
3924 /* Set up the cookie generation and verification callbacks */
3925 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3926 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3929 * Create a new connection from the client (we can reuse the server SSL
3932 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3934 /* Send the first ClientHello */
3935 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3936 SSL_ERROR_WANT_READ))
3937 /* This should fail because there is no cookie */
3938 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3941 /* Abandon the connection from this client */
3942 SSL_free(clientssl);
3946 * Now create a connection from a new client but with the same server SSL
3949 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3951 /* Send the first ClientHello */
3952 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3953 SSL_ERROR_WANT_READ))
3954 /* This should fail because there is no cookie */
3955 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3956 /* Send the second ClientHello */
3957 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3958 SSL_ERROR_WANT_READ))
3959 /* This should succeed because a cookie is now present */
3960 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3961 /* Complete the connection */
3962 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3966 shutdown_ssl_connection(serverssl, clientssl);
3967 serverssl = clientssl = NULL;
3971 SSL_free(serverssl);
3972 SSL_free(clientssl);
3978 #endif /* OPENSSL_NO_TLS1_3 */
3980 static int clntaddoldcb = 0;
3981 static int clntparseoldcb = 0;
3982 static int srvaddoldcb = 0;
3983 static int srvparseoldcb = 0;
3984 static int clntaddnewcb = 0;
3985 static int clntparsenewcb = 0;
3986 static int srvaddnewcb = 0;
3987 static int srvparsenewcb = 0;
3988 static int snicb = 0;
3990 #define TEST_EXT_TYPE1 0xff00
3992 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3993 size_t *outlen, int *al, void *add_arg)
3995 int *server = (int *)add_arg;
3996 unsigned char *data;
3998 if (SSL_is_server(s))
4003 if (*server != SSL_is_server(s)
4004 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4009 *outlen = sizeof(char);
4013 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4016 OPENSSL_free((unsigned char *)out);
4019 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4020 size_t inlen, int *al, void *parse_arg)
4022 int *server = (int *)parse_arg;
4024 if (SSL_is_server(s))
4029 if (*server != SSL_is_server(s)
4030 || inlen != sizeof(char)
4037 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4038 const unsigned char **out, size_t *outlen, X509 *x,
4039 size_t chainidx, int *al, void *add_arg)
4041 int *server = (int *)add_arg;
4042 unsigned char *data;
4044 if (SSL_is_server(s))
4049 if (*server != SSL_is_server(s)
4050 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4055 *outlen = sizeof(*data);
4059 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4060 const unsigned char *out, void *add_arg)
4062 OPENSSL_free((unsigned char *)out);
4065 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4066 const unsigned char *in, size_t inlen, X509 *x,
4067 size_t chainidx, int *al, void *parse_arg)
4069 int *server = (int *)parse_arg;
4071 if (SSL_is_server(s))
4076 if (*server != SSL_is_server(s)
4077 || inlen != sizeof(char) || *in != 1)
4083 static int sni_cb(SSL *s, int *al, void *arg)
4085 SSL_CTX *ctx = (SSL_CTX *)arg;
4087 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4088 *al = SSL_AD_INTERNAL_ERROR;
4089 return SSL_TLSEXT_ERR_ALERT_FATAL;
4092 return SSL_TLSEXT_ERR_OK;
4096 * Custom call back tests.
4097 * Test 0: Old style callbacks in TLSv1.2
4098 * Test 1: New style callbacks in TLSv1.2
4099 * Test 2: New style callbacks in TLSv1.2 with SNI
4100 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4101 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4103 static int test_custom_exts(int tst)
4105 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4106 SSL *clientssl = NULL, *serverssl = NULL;
4108 static int server = 1;
4109 static int client = 0;
4110 SSL_SESSION *sess = NULL;
4111 unsigned int context;
4113 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4114 /* Skip tests for TLSv1.2 and below in this case */
4119 /* Reset callback counters */
4120 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4121 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4124 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4126 &sctx, &cctx, cert, privkey)))
4130 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4132 &sctx2, NULL, cert, privkey)))
4137 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4138 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4140 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4144 context = SSL_EXT_CLIENT_HELLO
4145 | SSL_EXT_TLS1_2_SERVER_HELLO
4146 | SSL_EXT_TLS1_3_SERVER_HELLO
4147 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4148 | SSL_EXT_TLS1_3_CERTIFICATE
4149 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4151 context = SSL_EXT_CLIENT_HELLO
4152 | SSL_EXT_TLS1_2_SERVER_HELLO
4153 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4156 /* Create a client side custom extension */
4158 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4159 old_add_cb, old_free_cb,
4160 &client, old_parse_cb,
4164 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4165 new_add_cb, new_free_cb,
4166 &client, new_parse_cb, &client)))
4170 /* Should not be able to add duplicates */
4171 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4172 old_add_cb, old_free_cb,
4173 &client, old_parse_cb,
4175 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4176 context, new_add_cb,
4177 new_free_cb, &client,
4178 new_parse_cb, &client)))
4181 /* Create a server side custom extension */
4183 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4184 old_add_cb, old_free_cb,
4185 &server, old_parse_cb,
4189 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4190 new_add_cb, new_free_cb,
4191 &server, new_parse_cb, &server)))
4194 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4195 context, new_add_cb,
4196 new_free_cb, &server,
4197 new_parse_cb, &server)))
4201 /* Should not be able to add duplicates */
4202 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4203 old_add_cb, old_free_cb,
4204 &server, old_parse_cb,
4206 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4207 context, new_add_cb,
4208 new_free_cb, &server,
4209 new_parse_cb, &server)))
4214 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4215 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4220 &clientssl, NULL, NULL))
4221 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4226 if (clntaddoldcb != 1
4227 || clntparseoldcb != 1
4229 || srvparseoldcb != 1)
4231 } else if (tst == 1 || tst == 2 || tst == 3) {
4232 if (clntaddnewcb != 1
4233 || clntparsenewcb != 1
4235 || srvparsenewcb != 1
4236 || (tst != 2 && snicb != 0)
4237 || (tst == 2 && snicb != 1))
4240 /* In this case there 2 NewSessionTicket messages created */
4241 if (clntaddnewcb != 1
4242 || clntparsenewcb != 5
4244 || srvparsenewcb != 1)
4248 sess = SSL_get1_session(clientssl);
4249 SSL_shutdown(clientssl);
4250 SSL_shutdown(serverssl);
4251 SSL_free(serverssl);
4252 SSL_free(clientssl);
4253 serverssl = clientssl = NULL;
4256 /* We don't bother with the resumption aspects for this test */
4261 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4263 || !TEST_true(SSL_set_session(clientssl, sess))
4264 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4269 * For a resumed session we expect to add the ClientHello extension. For the
4270 * old style callbacks we ignore it on the server side because they set
4271 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4275 if (clntaddoldcb != 2
4276 || clntparseoldcb != 1
4278 || srvparseoldcb != 1)
4280 } else if (tst == 1 || tst == 2 || tst == 3) {
4281 if (clntaddnewcb != 2
4282 || clntparsenewcb != 2
4284 || srvparsenewcb != 2)
4288 * No Certificate message extensions in the resumption handshake,
4289 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4291 if (clntaddnewcb != 2
4292 || clntparsenewcb != 8
4294 || srvparsenewcb != 2)
4301 SSL_SESSION_free(sess);
4302 SSL_free(serverssl);
4303 SSL_free(clientssl);
4304 SSL_CTX_free(sctx2);
4311 * Test loading of serverinfo data in various formats. test_sslmessages actually
4312 * tests to make sure the extensions appear in the handshake
4314 static int test_serverinfo(int tst)
4316 unsigned int version;
4317 unsigned char *sibuf;
4319 int ret, expected, testresult = 0;
4322 ctx = SSL_CTX_new(TLS_method());
4326 if ((tst & 0x01) == 0x01)
4327 version = SSL_SERVERINFOV2;
4329 version = SSL_SERVERINFOV1;
4331 if ((tst & 0x02) == 0x02) {
4332 sibuf = serverinfov2;
4333 sibuflen = sizeof(serverinfov2);
4334 expected = (version == SSL_SERVERINFOV2);
4336 sibuf = serverinfov1;
4337 sibuflen = sizeof(serverinfov1);
4338 expected = (version == SSL_SERVERINFOV1);
4341 if ((tst & 0x04) == 0x04) {
4342 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4344 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4347 * The version variable is irrelevant in this case - it's what is in the
4348 * buffer that matters
4350 if ((tst & 0x02) == 0x02)
4356 if (!TEST_true(ret == expected))
4368 * Test that SSL_export_keying_material() produces expected results. There are
4369 * no test vectors so all we do is test that both sides of the communication
4370 * produce the same results for different protocol versions.
4372 #define SMALL_LABEL_LEN 10
4373 #define LONG_LABEL_LEN 249
4374 static int test_export_key_mat(int tst)
4377 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4378 SSL *clientssl = NULL, *serverssl = NULL;
4379 const char label[LONG_LABEL_LEN + 1] = "test label";
4380 const unsigned char context[] = "context";
4381 const unsigned char *emptycontext = NULL;
4382 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4383 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4385 const int protocols[] = {
4394 #ifdef OPENSSL_NO_TLS1
4398 #ifdef OPENSSL_NO_TLS1_1
4402 #ifdef OPENSSL_NO_TLS1_2
4406 #ifdef OPENSSL_NO_TLS1_3
4410 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4412 &sctx, &cctx, cert, privkey)))
4415 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4416 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4417 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4419 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4421 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4427 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4430 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4431 sizeof(ckeymat1), label,
4432 LONG_LABEL_LEN + 1, context,
4433 sizeof(context) - 1, 1), 0))
4438 } else if (tst == 4) {
4439 labellen = LONG_LABEL_LEN;
4441 labellen = SMALL_LABEL_LEN;
4444 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4445 sizeof(ckeymat1), label,
4447 sizeof(context) - 1, 1), 1)
4448 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4449 sizeof(ckeymat2), label,
4453 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4454 sizeof(ckeymat3), label,
4457 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4458 sizeof(skeymat1), label,
4461 sizeof(context) -1, 1),
4463 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4464 sizeof(skeymat2), label,
4468 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4469 sizeof(skeymat3), label,
4473 * Check that both sides created the same key material with the
4476 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4479 * Check that both sides created the same key material with an
4482 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4485 * Check that both sides created the same key material without a
4488 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4490 /* Different contexts should produce different results */
4491 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4496 * Check that an empty context and no context produce different results in
4497 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4499 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4501 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4508 SSL_free(serverssl);
4509 SSL_free(clientssl);
4510 SSL_CTX_free(sctx2);
4517 #ifndef OPENSSL_NO_TLS1_3
4519 * Test that SSL_export_keying_material_early() produces expected
4520 * results. There are no test vectors so all we do is test that both
4521 * sides of the communication produce the same results for different
4522 * protocol versions.
4524 static int test_export_key_mat_early(int idx)
4526 static const char label[] = "test label";
4527 static const unsigned char context[] = "context";
4529 SSL_CTX *cctx = NULL, *sctx = NULL;
4530 SSL *clientssl = NULL, *serverssl = NULL;
4531 SSL_SESSION *sess = NULL;
4532 const unsigned char *emptycontext = NULL;
4533 unsigned char ckeymat1[80], ckeymat2[80];
4534 unsigned char skeymat1[80], skeymat2[80];
4535 unsigned char buf[1];
4536 size_t readbytes, written;
4538 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4542 /* Here writing 0 length early data is enough. */
4543 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4544 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4546 SSL_READ_EARLY_DATA_ERROR)
4547 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4548 SSL_EARLY_DATA_ACCEPTED))
4551 if (!TEST_int_eq(SSL_export_keying_material_early(
4552 clientssl, ckeymat1, sizeof(ckeymat1), label,
4553 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4554 || !TEST_int_eq(SSL_export_keying_material_early(
4555 clientssl, ckeymat2, sizeof(ckeymat2), label,
4556 sizeof(label) - 1, emptycontext, 0), 1)
4557 || !TEST_int_eq(SSL_export_keying_material_early(
4558 serverssl, skeymat1, sizeof(skeymat1), label,
4559 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4560 || !TEST_int_eq(SSL_export_keying_material_early(
4561 serverssl, skeymat2, sizeof(skeymat2), label,
4562 sizeof(label) - 1, emptycontext, 0), 1)
4564 * Check that both sides created the same key material with the
4567 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4570 * Check that both sides created the same key material with an
4573 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4575 /* Different contexts should produce different results */
4576 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4583 SSL_SESSION_free(sess);
4584 SSL_SESSION_free(clientpsk);
4585 SSL_SESSION_free(serverpsk);
4586 clientpsk = serverpsk = NULL;
4587 SSL_free(serverssl);
4588 SSL_free(clientssl);
4595 #define NUM_KEY_UPDATE_MESSAGES 40
4599 static int test_key_update(void)
4601 SSL_CTX *cctx = NULL, *sctx = NULL;
4602 SSL *clientssl = NULL, *serverssl = NULL;
4603 int testresult = 0, i, j;
4605 static char *mess = "A test message";
4607 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4608 TLS_client_method(),
4611 &sctx, &cctx, cert, privkey))
4612 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4614 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4618 for (j = 0; j < 2; j++) {
4619 /* Send lots of KeyUpdate messages */
4620 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
4621 if (!TEST_true(SSL_key_update(clientssl,
4623 ? SSL_KEY_UPDATE_NOT_REQUESTED
4624 : SSL_KEY_UPDATE_REQUESTED))
4625 || !TEST_true(SSL_do_handshake(clientssl)))
4629 /* Check that sending and receiving app data is ok */
4630 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
4631 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
4639 SSL_free(serverssl);
4640 SSL_free(clientssl);
4646 #endif /* OPENSSL_NO_TLS1_3 */
4648 static int test_ssl_clear(int idx)
4650 SSL_CTX *cctx = NULL, *sctx = NULL;
4651 SSL *clientssl = NULL, *serverssl = NULL;
4654 #ifdef OPENSSL_NO_TLS1_2
4659 /* Create an initial connection */
4660 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4662 &sctx, &cctx, cert, privkey))
4664 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4666 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4667 &clientssl, NULL, NULL))
4668 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4672 SSL_shutdown(clientssl);
4673 SSL_shutdown(serverssl);
4674 SSL_free(serverssl);
4677 /* Clear clientssl - we're going to reuse the object */
4678 if (!TEST_true(SSL_clear(clientssl)))
4681 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4683 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4685 || !TEST_true(SSL_session_reused(clientssl)))
4688 SSL_shutdown(clientssl);
4689 SSL_shutdown(serverssl);
4694 SSL_free(serverssl);
4695 SSL_free(clientssl);
4702 /* Parse CH and retrieve any MFL extension value if present */
4703 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4706 unsigned char *data;
4707 PACKET pkt, pkt2, pkt3;
4708 unsigned int MFL_code = 0, type = 0;
4710 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4713 memset(&pkt, 0, sizeof(pkt));
4714 memset(&pkt2, 0, sizeof(pkt2));
4715 memset(&pkt3, 0, sizeof(pkt3));
4717 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4718 /* Skip the record header */
4719 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4720 /* Skip the handshake message header */
4721 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4722 /* Skip client version and random */
4723 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4724 + SSL3_RANDOM_SIZE))
4725 /* Skip session id */
4726 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4728 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4729 /* Skip compression */
4730 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4731 /* Extensions len */
4732 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4735 /* Loop through all extensions */
4736 while (PACKET_remaining(&pkt2)) {
4737 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4738 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4741 if (type == TLSEXT_TYPE_max_fragment_length) {
4742 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4743 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4746 *mfl_codemfl_code = MFL_code;
4755 /* Maximum-Fragment-Length TLS extension mode to test */
4756 static const unsigned char max_fragment_len_test[] = {
4757 TLSEXT_max_fragment_length_512,
4758 TLSEXT_max_fragment_length_1024,
4759 TLSEXT_max_fragment_length_2048,
4760 TLSEXT_max_fragment_length_4096
4763 static int test_max_fragment_len_ext(int idx_tst)
4767 int testresult = 0, MFL_mode = 0;
4770 ctx = SSL_CTX_new(TLS_method());
4774 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4775 ctx, max_fragment_len_test[idx_tst])))
4782 rbio = BIO_new(BIO_s_mem());
4783 wbio = BIO_new(BIO_s_mem());
4784 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4790 SSL_set_bio(con, rbio, wbio);
4791 SSL_set_connect_state(con);
4793 if (!TEST_int_le(SSL_connect(con), 0)) {
4794 /* This shouldn't succeed because we don't have a server! */
4798 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4799 /* no MFL in client hello */
4801 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4813 #ifndef OPENSSL_NO_TLS1_3
4814 static int test_pha_key_update(void)
4816 SSL_CTX *cctx = NULL, *sctx = NULL;
4817 SSL *clientssl = NULL, *serverssl = NULL;
4820 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4822 &sctx, &cctx, cert, privkey)))
4825 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4826 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4827 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4828 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4831 SSL_CTX_set_post_handshake_auth(cctx, 1);
4833 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4837 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4841 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4842 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4845 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4848 /* Start handshake on the server */
4849 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4852 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4853 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4857 SSL_shutdown(clientssl);
4858 SSL_shutdown(serverssl);
4863 SSL_free(serverssl);
4864 SSL_free(clientssl);
4871 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4873 static SRP_VBASE *vbase = NULL;
4875 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4877 int ret = SSL3_AL_FATAL;
4879 SRP_user_pwd *user = NULL;
4881 username = SSL_get_srp_username(s);
4882 if (username == NULL) {
4883 *ad = SSL_AD_INTERNAL_ERROR;
4887 user = SRP_VBASE_get1_by_user(vbase, username);
4889 *ad = SSL_AD_INTERNAL_ERROR;
4893 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4895 *ad = SSL_AD_INTERNAL_ERROR;
4902 SRP_user_pwd_free(user);
4906 static int create_new_vfile(char *userid, char *password, const char *filename)
4909 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4912 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4915 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4918 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4919 &row[DB_srpverifier], NULL, NULL);
4920 if (!TEST_ptr(gNid))
4924 * The only way to create an empty TXT_DB is to provide a BIO with no data
4927 db = TXT_DB_read(dummy, DB_NUMBER);
4931 out = BIO_new_file(filename, "w");
4935 row[DB_srpid] = OPENSSL_strdup(userid);
4936 row[DB_srptype] = OPENSSL_strdup("V");
4937 row[DB_srpgN] = OPENSSL_strdup(gNid);
4939 if (!TEST_ptr(row[DB_srpid])
4940 || !TEST_ptr(row[DB_srptype])
4941 || !TEST_ptr(row[DB_srpgN])
4942 || !TEST_true(TXT_DB_insert(db, row)))
4947 if (!TXT_DB_write(out, db))
4953 for (i = 0; i < DB_NUMBER; i++)
4954 OPENSSL_free(row[i]);
4964 static int create_new_vbase(char *userid, char *password)
4966 BIGNUM *verifier = NULL, *salt = NULL;
4967 const SRP_gN *lgN = NULL;
4968 SRP_user_pwd *user_pwd = NULL;
4971 lgN = SRP_get_default_gN(NULL);
4975 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4979 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4980 if (!TEST_ptr(user_pwd))
4983 user_pwd->N = lgN->N;
4984 user_pwd->g = lgN->g;
4985 user_pwd->id = OPENSSL_strdup(userid);
4986 if (!TEST_ptr(user_pwd->id))
4989 user_pwd->v = verifier;
4991 verifier = salt = NULL;
4993 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4999 SRP_user_pwd_free(user_pwd);
5009 * Test 0: Simple successful SRP connection, new vbase
5010 * Test 1: Connection failure due to bad password, new vbase
5011 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5012 * Test 3: Connection failure due to bad password, vbase loaded from existing
5014 * Test 4: Simple successful SRP connection, vbase loaded from new file
5015 * Test 5: Connection failure due to bad password, vbase loaded from new file
5017 static int test_srp(int tst)
5019 char *userid = "test", *password = "password", *tstsrpfile;
5020 SSL_CTX *cctx = NULL, *sctx = NULL;
5021 SSL *clientssl = NULL, *serverssl = NULL;
5022 int ret, testresult = 0;
5024 vbase = SRP_VBASE_new(NULL);
5025 if (!TEST_ptr(vbase))
5028 if (tst == 0 || tst == 1) {
5029 if (!TEST_true(create_new_vbase(userid, password)))
5032 if (tst == 4 || tst == 5) {
5033 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5035 tstsrpfile = tmpfilename;
5037 tstsrpfile = srpvfile;
5039 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5043 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5045 &sctx, &cctx, cert, privkey)))
5048 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5049 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5050 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5051 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5052 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5056 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5059 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5067 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5069 if (!TEST_true(tst % 2 == 0))
5072 if (!TEST_true(tst % 2 == 1))
5079 SRP_VBASE_free(vbase);
5081 SSL_free(serverssl);
5082 SSL_free(clientssl);
5090 static int info_cb_failed = 0;
5091 static int info_cb_offset = 0;
5092 static int info_cb_this_state = -1;
5094 static struct info_cb_states_st {
5096 const char *statestr;
5097 } info_cb_states[][60] = {
5099 /* TLSv1.2 server followed by resumption */
5100 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5101 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5102 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5103 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5104 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5105 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5106 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5107 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5108 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5109 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5110 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5111 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5112 {SSL_CB_EXIT, NULL}, {0, NULL},
5114 /* TLSv1.2 client followed by resumption */
5115 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5116 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5117 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5118 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5119 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5120 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5121 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5122 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5123 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5124 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5125 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5126 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5128 /* TLSv1.3 server followed by resumption */
5129 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5130 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5131 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5132 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5133 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5134 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5135 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5136 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5137 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5138 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5139 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5140 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5141 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5143 /* TLSv1.3 client followed by resumption */
5144 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5145 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5146 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5147 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5148 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5149 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5150 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5151 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5152 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5153 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5154 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5155 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5156 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5157 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5158 {SSL_CB_EXIT, NULL}, {0, NULL},
5160 /* TLSv1.3 server, early_data */
5161 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5162 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5163 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5164 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5165 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5166 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5167 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5168 {SSL_CB_EXIT, NULL}, {0, NULL},
5170 /* TLSv1.3 client, early_data */
5171 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5172 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5173 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5174 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5175 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5176 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5177 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5178 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5179 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5185 static void sslapi_info_callback(const SSL *s, int where, int ret)
5187 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5189 /* We do not ever expect a connection to fail in this test */
5190 if (!TEST_false(ret == 0)) {
5196 * Do some sanity checks. We never expect these things to happen in this
5199 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5200 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5201 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5206 /* Now check we're in the right state */
5207 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5211 if ((where & SSL_CB_LOOP) != 0
5212 && !TEST_int_eq(strcmp(SSL_state_string(s),
5213 state[info_cb_this_state].statestr), 0)) {
5219 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5221 if ((where & SSL_CB_HANDSHAKE_DONE)
5222 && SSL_in_init((SSL *)s) != 0) {
5229 * Test the info callback gets called when we expect it to.
5231 * Test 0: TLSv1.2, server
5232 * Test 1: TLSv1.2, client
5233 * Test 2: TLSv1.3, server
5234 * Test 3: TLSv1.3, client
5235 * Test 4: TLSv1.3, server, early_data
5236 * Test 5: TLSv1.3, client, early_data
5238 static int test_info_callback(int tst)
5240 SSL_CTX *cctx = NULL, *sctx = NULL;
5241 SSL *clientssl = NULL, *serverssl = NULL;
5242 SSL_SESSION *clntsess = NULL;
5247 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5248 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5249 || !defined(OPENSSL_NO_DH))
5250 tlsvers = TLS1_2_VERSION;
5255 #ifndef OPENSSL_NO_TLS1_3
5256 tlsvers = TLS1_3_VERSION;
5264 info_cb_this_state = -1;
5265 info_cb_offset = tst;
5267 #ifndef OPENSSL_NO_TLS1_3
5269 SSL_SESSION *sess = NULL;
5270 size_t written, readbytes;
5271 unsigned char buf[80];
5273 /* early_data tests */
5274 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5275 &serverssl, &sess, 0)))
5278 /* We don't actually need this reference */
5279 SSL_SESSION_free(sess);
5281 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5282 sslapi_info_callback);
5284 /* Write and read some early data and then complete the connection */
5285 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5287 || !TEST_size_t_eq(written, strlen(MSG1))
5288 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5289 sizeof(buf), &readbytes),
5290 SSL_READ_EARLY_DATA_SUCCESS)
5291 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5292 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5293 SSL_EARLY_DATA_ACCEPTED)
5294 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5296 || !TEST_false(info_cb_failed))
5304 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5305 TLS_client_method(),
5306 tlsvers, tlsvers, &sctx, &cctx, cert,
5311 * For even numbered tests we check the server callbacks. For odd numbers we
5314 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5315 sslapi_info_callback);
5317 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5318 &clientssl, NULL, NULL))
5319 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5321 || !TEST_false(info_cb_failed))
5326 clntsess = SSL_get1_session(clientssl);
5327 SSL_shutdown(clientssl);
5328 SSL_shutdown(serverssl);
5329 SSL_free(serverssl);
5330 SSL_free(clientssl);
5331 serverssl = clientssl = NULL;
5333 /* Now do a resumption */
5334 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5336 || !TEST_true(SSL_set_session(clientssl, clntsess))
5337 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5339 || !TEST_true(SSL_session_reused(clientssl))
5340 || !TEST_false(info_cb_failed))
5346 SSL_free(serverssl);
5347 SSL_free(clientssl);
5348 SSL_SESSION_free(clntsess);
5354 static int test_ssl_pending(int tst)
5356 SSL_CTX *cctx = NULL, *sctx = NULL;
5357 SSL *clientssl = NULL, *serverssl = NULL;
5359 char msg[] = "A test message";
5361 size_t written, readbytes;
5364 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5365 TLS_client_method(),
5367 &sctx, &cctx, cert, privkey)))
5370 #ifndef OPENSSL_NO_DTLS
5371 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5372 DTLS_client_method(),
5374 &sctx, &cctx, cert, privkey)))
5381 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5383 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5387 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5388 || !TEST_false(SSL_has_pending(clientssl))
5389 || !TEST_int_eq(SSL_pending(serverssl), 0)
5390 || !TEST_false(SSL_has_pending(serverssl))
5391 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5392 || !TEST_size_t_eq(written, sizeof(msg))
5393 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5394 || !TEST_size_t_eq(readbytes, sizeof(buf))
5395 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5396 || !TEST_true(SSL_has_pending(clientssl)))
5402 SSL_free(serverssl);
5403 SSL_free(clientssl);
5411 unsigned int maxprot;
5412 const char *clntciphers;
5413 const char *clnttls13ciphers;
5414 const char *srvrciphers;
5415 const char *srvrtls13ciphers;
5417 } shared_ciphers_data[] = {
5419 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5420 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5422 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5425 "AES128-SHA:AES256-SHA",
5427 "AES256-SHA:DHE-RSA-AES128-SHA",
5433 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5435 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5437 "AES128-SHA:AES256-SHA"
5441 "AES128-SHA:AES256-SHA",
5443 "AES128-SHA:DHE-RSA-AES128-SHA",
5449 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5452 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5453 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5456 "AES128-SHA:AES256-SHA",
5458 "AES256-SHA:AES128-SHA256",
5460 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5461 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5464 #ifndef OPENSSL_NO_TLS1_3
5468 "TLS_AES_256_GCM_SHA384",
5470 "TLS_AES_256_GCM_SHA384",
5471 "TLS_AES_256_GCM_SHA384"
5476 static int test_ssl_get_shared_ciphers(int tst)
5478 SSL_CTX *cctx = NULL, *sctx = NULL;
5479 SSL *clientssl = NULL, *serverssl = NULL;
5483 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5484 TLS_client_method(),
5486 shared_ciphers_data[tst].maxprot,
5487 &sctx, &cctx, cert, privkey)))
5490 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5491 shared_ciphers_data[tst].clntciphers))
5492 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5493 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5494 shared_ciphers_data[tst].clnttls13ciphers)))
5495 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5496 shared_ciphers_data[tst].srvrciphers))
5497 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5498 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5499 shared_ciphers_data[tst].srvrtls13ciphers))))
5503 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5505 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5509 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5510 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5511 TEST_info("Shared ciphers are: %s\n", buf);
5518 SSL_free(serverssl);
5519 SSL_free(clientssl);
5526 static const char *appdata = "Hello World";
5527 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5528 static int tick_key_renew = 0;
5529 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5531 static int gen_tick_cb(SSL *s, void *arg)
5533 gen_tick_called = 1;
5535 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5539 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5540 const unsigned char *keyname,
5541 size_t keyname_length,
5542 SSL_TICKET_STATUS status,
5548 dec_tick_called = 1;
5550 if (status == SSL_TICKET_EMPTY)
5551 return SSL_TICKET_RETURN_IGNORE_RENEW;
5553 if (!TEST_true(status == SSL_TICKET_SUCCESS
5554 || status == SSL_TICKET_SUCCESS_RENEW))
5555 return SSL_TICKET_RETURN_ABORT;
5557 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5559 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5560 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5561 return SSL_TICKET_RETURN_ABORT;
5563 if (tick_key_cb_called) {
5564 /* Don't change what the ticket key callback wanted to do */
5566 case SSL_TICKET_NO_DECRYPT:
5567 return SSL_TICKET_RETURN_IGNORE_RENEW;
5569 case SSL_TICKET_SUCCESS:
5570 return SSL_TICKET_RETURN_USE;
5572 case SSL_TICKET_SUCCESS_RENEW:
5573 return SSL_TICKET_RETURN_USE_RENEW;
5576 return SSL_TICKET_RETURN_ABORT;
5579 return tick_dec_ret;
5583 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5584 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5585 HMAC_CTX *hctx, int enc)
5587 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5588 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5590 tick_key_cb_called = 1;
5591 memset(iv, 0, AES_BLOCK_SIZE);
5592 memset(key_name, 0, 16);
5593 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5594 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5595 EVP_sha256(), NULL))
5598 return tick_key_renew ? 2 : 1;
5602 * Test the various ticket callbacks
5603 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5604 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5605 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5606 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5607 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5608 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5609 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5610 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5611 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5612 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5613 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5614 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5616 static int test_ticket_callbacks(int tst)
5618 SSL_CTX *cctx = NULL, *sctx = NULL;
5619 SSL *clientssl = NULL, *serverssl = NULL;
5620 SSL_SESSION *clntsess = NULL;
5623 #ifdef OPENSSL_NO_TLS1_2
5627 #ifdef OPENSSL_NO_TLS1_3
5632 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5634 /* Which tests the ticket key callback should request renewal for */
5635 if (tst == 10 || tst == 11)
5640 /* Which tests the decrypt ticket callback should request renewal for */
5644 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5649 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5654 tick_dec_ret = SSL_TICKET_RETURN_USE;
5659 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5663 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5666 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5667 TLS_client_method(),
5669 ((tst % 2) == 0) ? TLS1_2_VERSION
5671 &sctx, &cctx, cert, privkey)))
5675 * We only want sessions to resume from tickets - not the session cache. So
5676 * switch the cache off.
5678 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5681 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5686 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5689 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5696 * The decrypt ticket key callback in TLSv1.2 should be called even though
5697 * we have no ticket yet, because it gets called with a status of
5698 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5699 * actually send any ticket data). This does not happen in TLSv1.3 because
5700 * it is not valid to send empty ticket data in TLSv1.3.
5702 if (!TEST_int_eq(gen_tick_called, 1)
5703 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5706 gen_tick_called = dec_tick_called = 0;
5708 clntsess = SSL_get1_session(clientssl);
5709 SSL_shutdown(clientssl);
5710 SSL_shutdown(serverssl);
5711 SSL_free(serverssl);
5712 SSL_free(clientssl);
5713 serverssl = clientssl = NULL;
5715 /* Now do a resumption */
5716 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5718 || !TEST_true(SSL_set_session(clientssl, clntsess))
5719 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5723 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5724 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5725 if (!TEST_false(SSL_session_reused(clientssl)))
5728 if (!TEST_true(SSL_session_reused(clientssl)))
5732 if (!TEST_int_eq(gen_tick_called,
5734 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5735 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5737 || !TEST_int_eq(dec_tick_called, 1))
5743 SSL_SESSION_free(clntsess);
5744 SSL_free(serverssl);
5745 SSL_free(clientssl);
5753 * Test bi-directional shutdown.
5755 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5756 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5757 * Test 3: TLSv1.3, pending NewSessionTicket messages
5758 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5759 * sends key update, client reads it
5760 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5761 * sends CertificateRequest, client reads and ignores it
5762 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
5765 static int test_shutdown(int tst)
5767 SSL_CTX *cctx = NULL, *sctx = NULL;
5768 SSL *clientssl = NULL, *serverssl = NULL;
5770 char msg[] = "A test message";
5772 size_t written, readbytes;
5775 #ifdef OPENSSL_NO_TLS1_2
5779 #ifdef OPENSSL_NO_TLS1_3
5784 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5785 TLS_client_method(),
5787 (tst <= 1) ? TLS1_2_VERSION
5789 &sctx, &cctx, cert, privkey)))
5793 SSL_CTX_set_post_handshake_auth(cctx, 1);
5795 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5800 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5802 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5803 || !TEST_false(SSL_SESSION_is_resumable(sess)))
5805 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5807 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5808 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
5812 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5817 * Reading on the server after the client has sent close_notify should
5818 * fail and provide SSL_ERROR_ZERO_RETURN
5820 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5821 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5822 SSL_ERROR_ZERO_RETURN)
5823 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5824 SSL_RECEIVED_SHUTDOWN)
5826 * Even though we're shutdown on receive we should still be
5829 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5832 && !TEST_true(SSL_key_update(serverssl,
5833 SSL_KEY_UPDATE_REQUESTED)))
5836 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5837 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5840 if ((tst == 4 || tst == 5)
5841 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5843 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
5845 if (tst == 4 || tst == 5) {
5846 /* Should still be able to read data from server */
5847 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5849 || !TEST_size_t_eq(readbytes, sizeof(msg))
5850 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5851 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5853 || !TEST_size_t_eq(readbytes, sizeof(msg))
5854 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5859 /* Writing on the client after sending close_notify shouldn't be possible */
5860 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5865 * For these tests the client has sent close_notify but it has not yet
5866 * been received by the server. The server has not sent close_notify
5869 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5871 * Writing on the server after sending close_notify shouldn't
5874 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5875 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5876 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5877 || !TEST_true(SSL_SESSION_is_resumable(sess))
5878 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5880 } else if (tst == 4 || tst == 5) {
5882 * In this test the client has sent close_notify and it has been
5883 * received by the server which has responded with a close_notify. The
5884 * client needs to read the close_notify sent by the server.
5886 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
5887 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5888 || !TEST_true(SSL_SESSION_is_resumable(sess)))
5894 * The client has sent close_notify and is expecting a close_notify
5895 * back, but instead there is application data first. The shutdown
5896 * should fail with a fatal error.
5898 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5899 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5906 SSL_free(serverssl);
5907 SSL_free(clientssl);
5914 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5915 static int cert_cb_cnt;
5917 static int cert_cb(SSL *s, void *arg)
5919 SSL_CTX *ctx = (SSL_CTX *)arg;
5921 if (cert_cb_cnt == 0) {
5922 /* Suspend the handshake */
5925 } else if (cert_cb_cnt == 1) {
5927 * Update the SSL_CTX, set the certificate and private key and then
5928 * continue the handshake normally.
5930 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
5933 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
5934 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
5936 || !TEST_true(SSL_check_private_key(s)))
5942 /* Abort the handshake */
5947 * Test the certificate callback.
5948 * Test 0: Callback fails
5949 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
5950 * Test 2: Success - SSL_set_SSL_CTX() in the callback
5952 static int test_cert_cb_int(int prot, int tst)
5954 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
5955 SSL *clientssl = NULL, *serverssl = NULL;
5956 int testresult = 0, ret;
5958 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5959 TLS_client_method(),
5962 &sctx, &cctx, NULL, NULL)))
5970 snictx = SSL_CTX_new(TLS_server_method());
5971 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
5973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5977 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5978 if (!TEST_true(tst == 0 ? !ret : ret)
5979 || (tst > 0 && !TEST_int_eq(cert_cb_cnt, 2))) {
5986 SSL_free(serverssl);
5987 SSL_free(clientssl);
5990 SSL_CTX_free(snictx);
5996 static int test_cert_cb(int tst)
6000 #ifndef OPENSSL_NO_TLS1_2
6001 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6003 #ifndef OPENSSL_NO_TLS1_3
6004 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6010 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6016 /* Check that SSL_get_peer_certificate() returns something sensible */
6017 peer = SSL_get_peer_certificate(ssl);
6018 if (!TEST_ptr(peer))
6022 in = BIO_new_file(cert, "r");
6026 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6028 if (!TEST_ptr(xcert))
6031 in = BIO_new_file(privkey, "r");
6032 if (!TEST_ptr(in)) {
6037 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6039 if (!TEST_ptr(privpkey)) {
6050 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6055 static int test_client_cert_cb(int tst)
6057 SSL_CTX *cctx = NULL, *sctx = NULL;
6058 SSL *clientssl = NULL, *serverssl = NULL;
6061 #ifdef OPENSSL_NO_TLS1_2
6065 #ifdef OPENSSL_NO_TLS1_3
6070 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6071 TLS_client_method(),
6073 tst == 0 ? TLS1_2_VERSION
6075 &sctx, &cctx, cert, privkey)))
6079 * Test that setting a client_cert_cb results in a client certificate being
6082 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6083 SSL_CTX_set_verify(sctx,
6084 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6089 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6096 SSL_free(serverssl);
6097 SSL_free(clientssl);
6104 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6106 * Test setting certificate authorities on both client and server.
6108 * Test 0: SSL_CTX_set0_CA_list() only
6109 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6110 * Test 2: Only SSL_CTX_set_client_CA_list()
6112 static int test_ca_names_int(int prot, int tst)
6114 SSL_CTX *cctx = NULL, *sctx = NULL;
6115 SSL *clientssl = NULL, *serverssl = NULL;
6118 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6119 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6120 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6121 const STACK_OF(X509_NAME) *sktmp = NULL;
6123 for (i = 0; i < OSSL_NELEM(name); i++) {
6124 name[i] = X509_NAME_new();
6125 if (!TEST_ptr(name[i])
6126 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6134 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6135 TLS_client_method(),
6138 &sctx, &cctx, cert, privkey)))
6141 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6143 if (tst == 0 || tst == 1) {
6144 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6145 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6146 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6147 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6148 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6149 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6152 SSL_CTX_set0_CA_list(sctx, sk1);
6153 SSL_CTX_set0_CA_list(cctx, sk2);
6156 if (tst == 1 || tst == 2) {
6157 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6158 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6159 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6160 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6161 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6162 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6165 SSL_CTX_set_client_CA_list(sctx, sk1);
6166 SSL_CTX_set_client_CA_list(cctx, sk2);
6170 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6172 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6177 * We only expect certificate authorities to have been sent to the server
6178 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6180 sktmp = SSL_get0_peer_CA_list(serverssl);
6181 if (prot == TLS1_3_VERSION
6182 && (tst == 0 || tst == 1)) {
6183 if (!TEST_ptr(sktmp)
6184 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6185 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6187 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6190 } else if (!TEST_ptr_null(sktmp)) {
6195 * In all tests we expect certificate authorities to have been sent to the
6196 * client. However, SSL_set_client_CA_list() should override
6197 * SSL_set0_CA_list()
6199 sktmp = SSL_get0_peer_CA_list(clientssl);
6200 if (!TEST_ptr(sktmp)
6201 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6202 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6203 name[tst == 0 ? 0 : 2]), 0)
6204 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6205 name[tst == 0 ? 1 : 3]), 0))
6211 SSL_free(serverssl);
6212 SSL_free(clientssl);
6215 for (i = 0; i < OSSL_NELEM(name); i++)
6216 X509_NAME_free(name[i]);
6217 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6218 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6224 static int test_ca_names(int tst)
6228 #ifndef OPENSSL_NO_TLS1_2
6229 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6231 #ifndef OPENSSL_NO_TLS1_3
6232 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6239 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6241 int setup_tests(void)
6243 if (!TEST_ptr(cert = test_get_argument(0))
6244 || !TEST_ptr(privkey = test_get_argument(1))
6245 || !TEST_ptr(srpvfile = test_get_argument(2))
6246 || !TEST_ptr(tmpfilename = test_get_argument(3)))
6249 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6250 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6251 TEST_error("not supported in this build");
6254 int i, mcount, rcount, fcount;
6256 for (i = 0; i < 4; i++)
6257 test_export_key_mat(i);
6258 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6259 test_printf_stdout("malloc %d realloc %d free %d\n",
6260 mcount, rcount, fcount);
6265 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6266 && !defined(OPENSSL_NO_SOCK)
6267 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
6268 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
6269 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
6270 ADD_TEST(test_ktls_client_no_txrx_server);
6271 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
6272 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
6273 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
6274 ADD_TEST(test_ktls_client_no_rx_server);
6275 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
6276 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
6277 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
6278 ADD_TEST(test_ktls_client_no_tx_server);
6279 ADD_TEST(test_ktls_no_txrx_client_server);
6280 ADD_TEST(test_ktls_no_rx_client_server);
6281 ADD_TEST(test_ktls_no_tx_client_server);
6282 ADD_TEST(test_ktls_client_server);
6284 ADD_TEST(test_large_message_tls);
6285 ADD_TEST(test_large_message_tls_read_ahead);
6286 #ifndef OPENSSL_NO_DTLS
6287 ADD_TEST(test_large_message_dtls);
6289 #ifndef OPENSSL_NO_OCSP
6290 ADD_TEST(test_tlsext_status_type);
6292 ADD_TEST(test_session_with_only_int_cache);
6293 ADD_TEST(test_session_with_only_ext_cache);
6294 ADD_TEST(test_session_with_both_cache);
6295 #ifndef OPENSSL_NO_TLS1_3
6296 ADD_ALL_TESTS(test_stateful_tickets, 3);
6297 ADD_ALL_TESTS(test_stateless_tickets, 3);
6298 ADD_TEST(test_psk_tickets);
6300 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6301 ADD_TEST(test_ssl_bio_pop_next_bio);
6302 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6303 ADD_TEST(test_ssl_bio_change_rbio);
6304 ADD_TEST(test_ssl_bio_change_wbio);
6305 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6306 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6307 ADD_TEST(test_keylog);
6309 #ifndef OPENSSL_NO_TLS1_3
6310 ADD_TEST(test_keylog_no_master_key);
6312 #ifndef OPENSSL_NO_TLS1_2
6313 ADD_TEST(test_client_hello_cb);
6314 ADD_TEST(test_no_ems);
6316 #ifndef OPENSSL_NO_TLS1_3
6317 ADD_ALL_TESTS(test_early_data_read_write, 3);
6319 * We don't do replay tests for external PSK. Replay protection isn't used
6322 ADD_ALL_TESTS(test_early_data_replay, 2);
6323 ADD_ALL_TESTS(test_early_data_skip, 3);
6324 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6325 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6326 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6327 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6328 ADD_ALL_TESTS(test_early_data_psk, 8);
6329 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6330 # ifndef OPENSSL_NO_TLS1_2
6331 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6334 #ifndef OPENSSL_NO_TLS1_3
6335 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6336 ADD_TEST(test_ciphersuite_change);
6337 #ifdef OPENSSL_NO_PSK
6338 ADD_ALL_TESTS(test_tls13_psk, 1);
6340 ADD_ALL_TESTS(test_tls13_psk, 4);
6341 #endif /* OPENSSL_NO_PSK */
6342 ADD_ALL_TESTS(test_custom_exts, 5);
6343 ADD_TEST(test_stateless);
6344 ADD_TEST(test_pha_key_update);
6346 ADD_ALL_TESTS(test_custom_exts, 3);
6348 ADD_ALL_TESTS(test_serverinfo, 8);
6349 ADD_ALL_TESTS(test_export_key_mat, 6);
6350 #ifndef OPENSSL_NO_TLS1_3
6351 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6352 ADD_TEST(test_key_update);
6354 ADD_ALL_TESTS(test_ssl_clear, 2);
6355 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6356 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6357 ADD_ALL_TESTS(test_srp, 6);
6359 ADD_ALL_TESTS(test_info_callback, 6);
6360 ADD_ALL_TESTS(test_ssl_pending, 2);
6361 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6362 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6363 ADD_ALL_TESTS(test_shutdown, 7);
6364 ADD_ALL_TESTS(test_cert_cb, 3);
6365 ADD_ALL_TESTS(test_client_cert_cb, 2);
6366 ADD_ALL_TESTS(test_ca_names, 3);
6370 void cleanup_tests(void)
6372 bio_s_mempacket_test_free();