2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
32 #include "ssltestlib.h"
34 #include "testutil/output.h"
35 #include "internal/nelem.h"
36 #include "internal/ktls.h"
37 #include "../ssl/ssl_local.h"
39 #ifndef OPENSSL_NO_TLS1_3
41 static SSL_SESSION *clientpsk = NULL;
42 static SSL_SESSION *serverpsk = NULL;
43 static const char *pskid = "Identity";
44 static const char *srvid;
46 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
47 size_t *idlen, SSL_SESSION **sess);
48 static int find_session_cb(SSL *ssl, const unsigned char *identity,
49 size_t identity_len, SSL_SESSION **sess);
51 static int use_session_cb_cnt = 0;
52 static int find_session_cb_cnt = 0;
54 static SSL_SESSION *create_a_psk(SSL *ssl);
57 static char *certsdir = NULL;
58 static char *cert = NULL;
59 static char *privkey = NULL;
60 static char *srpvfile = NULL;
61 static char *tmpfilename = NULL;
63 #define LOG_BUFFER_SIZE 2048
64 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
65 static size_t server_log_buffer_index = 0;
66 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
67 static size_t client_log_buffer_index = 0;
68 static int error_writing_log = 0;
70 #ifndef OPENSSL_NO_OCSP
71 static const unsigned char orespder[] = "Dummy OCSP Response";
72 static int ocsp_server_called = 0;
73 static int ocsp_client_called = 0;
75 static int cdummyarg = 1;
76 static X509 *ocspcert = NULL;
79 #define NUM_EXTRA_CERTS 40
80 #define CLIENT_VERSION_LEN 2
83 * This structure is used to validate that the correct number of log messages
84 * of various types are emitted when emitting secret logs.
86 struct sslapitest_log_counts {
87 unsigned int rsa_key_exchange_count;
88 unsigned int master_secret_count;
89 unsigned int client_early_secret_count;
90 unsigned int client_handshake_secret_count;
91 unsigned int server_handshake_secret_count;
92 unsigned int client_application_secret_count;
93 unsigned int server_application_secret_count;
94 unsigned int early_exporter_secret_count;
95 unsigned int exporter_secret_count;
99 static unsigned char serverinfov1[] = {
100 0xff, 0xff, /* Dummy extension type */
101 0x00, 0x01, /* Extension length is 1 byte */
102 0xff /* Dummy extension data */
105 static unsigned char serverinfov2[] = {
107 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
108 0xff, 0xff, /* Dummy extension type */
109 0x00, 0x01, /* Extension length is 1 byte */
110 0xff /* Dummy extension data */
113 static int hostname_cb(SSL *s, int *al, void *arg)
115 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
117 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
118 || strcmp(hostname, "altgoodhost") == 0))
119 return SSL_TLSEXT_ERR_OK;
121 return SSL_TLSEXT_ERR_NOACK;
124 static void client_keylog_callback(const SSL *ssl, const char *line)
126 int line_length = strlen(line);
128 /* If the log doesn't fit, error out. */
129 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
130 TEST_info("Client log too full");
131 error_writing_log = 1;
135 strcat(client_log_buffer, line);
136 client_log_buffer_index += line_length;
137 client_log_buffer[client_log_buffer_index++] = '\n';
140 static void server_keylog_callback(const SSL *ssl, const char *line)
142 int line_length = strlen(line);
144 /* If the log doesn't fit, error out. */
145 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
146 TEST_info("Server log too full");
147 error_writing_log = 1;
151 strcat(server_log_buffer, line);
152 server_log_buffer_index += line_length;
153 server_log_buffer[server_log_buffer_index++] = '\n';
156 static int compare_hex_encoded_buffer(const char *hex_encoded,
164 if (!TEST_size_t_eq(raw_length * 2, hex_length))
167 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
168 sprintf(hexed, "%02x", raw[i]);
169 if (!TEST_int_eq(hexed[0], hex_encoded[j])
170 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
177 static int test_keylog_output(char *buffer, const SSL *ssl,
178 const SSL_SESSION *session,
179 struct sslapitest_log_counts *expected)
182 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
183 size_t client_random_size = SSL3_RANDOM_SIZE;
184 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
185 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
186 unsigned int rsa_key_exchange_count = 0;
187 unsigned int master_secret_count = 0;
188 unsigned int client_early_secret_count = 0;
189 unsigned int client_handshake_secret_count = 0;
190 unsigned int server_handshake_secret_count = 0;
191 unsigned int client_application_secret_count = 0;
192 unsigned int server_application_secret_count = 0;
193 unsigned int early_exporter_secret_count = 0;
194 unsigned int exporter_secret_count = 0;
196 for (token = strtok(buffer, " \n"); token != NULL;
197 token = strtok(NULL, " \n")) {
198 if (strcmp(token, "RSA") == 0) {
200 * Premaster secret. Tokens should be: 16 ASCII bytes of
201 * hex-encoded encrypted secret, then the hex-encoded pre-master
204 if (!TEST_ptr(token = strtok(NULL, " \n")))
206 if (!TEST_size_t_eq(strlen(token), 16))
208 if (!TEST_ptr(token = strtok(NULL, " \n")))
211 * We can't sensibly check the log because the premaster secret is
212 * transient, and OpenSSL doesn't keep hold of it once the master
213 * secret is generated.
215 rsa_key_exchange_count++;
216 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
218 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
219 * client random, then the hex-encoded master secret.
221 client_random_size = SSL_get_client_random(ssl,
222 actual_client_random,
224 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
227 if (!TEST_ptr(token = strtok(NULL, " \n")))
229 if (!TEST_size_t_eq(strlen(token), 64))
231 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
232 actual_client_random,
233 client_random_size)))
236 if (!TEST_ptr(token = strtok(NULL, " \n")))
238 master_key_size = SSL_SESSION_get_master_key(session,
241 if (!TEST_size_t_ne(master_key_size, 0))
243 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
247 master_secret_count++;
248 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
249 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
250 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
251 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
252 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
253 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
254 || strcmp(token, "EXPORTER_SECRET") == 0) {
256 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
257 * client random, and then the hex-encoded secret. In this case,
258 * we treat all of these secrets identically and then just
259 * distinguish between them when counting what we saw.
261 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
262 client_early_secret_count++;
263 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
264 client_handshake_secret_count++;
265 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
266 server_handshake_secret_count++;
267 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
268 client_application_secret_count++;
269 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
270 server_application_secret_count++;
271 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
272 early_exporter_secret_count++;
273 else if (strcmp(token, "EXPORTER_SECRET") == 0)
274 exporter_secret_count++;
276 client_random_size = SSL_get_client_random(ssl,
277 actual_client_random,
279 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
282 if (!TEST_ptr(token = strtok(NULL, " \n")))
284 if (!TEST_size_t_eq(strlen(token), 64))
286 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
287 actual_client_random,
288 client_random_size)))
291 if (!TEST_ptr(token = strtok(NULL, " \n")))
295 * TODO(TLS1.3): test that application traffic secrets are what
298 TEST_info("Unexpected token %s\n", token);
303 /* Got what we expected? */
304 if (!TEST_size_t_eq(rsa_key_exchange_count,
305 expected->rsa_key_exchange_count)
306 || !TEST_size_t_eq(master_secret_count,
307 expected->master_secret_count)
308 || !TEST_size_t_eq(client_early_secret_count,
309 expected->client_early_secret_count)
310 || !TEST_size_t_eq(client_handshake_secret_count,
311 expected->client_handshake_secret_count)
312 || !TEST_size_t_eq(server_handshake_secret_count,
313 expected->server_handshake_secret_count)
314 || !TEST_size_t_eq(client_application_secret_count,
315 expected->client_application_secret_count)
316 || !TEST_size_t_eq(server_application_secret_count,
317 expected->server_application_secret_count)
318 || !TEST_size_t_eq(early_exporter_secret_count,
319 expected->early_exporter_secret_count)
320 || !TEST_size_t_eq(exporter_secret_count,
321 expected->exporter_secret_count))
326 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
327 static int test_keylog(void)
329 SSL_CTX *cctx = NULL, *sctx = NULL;
330 SSL *clientssl = NULL, *serverssl = NULL;
332 struct sslapitest_log_counts expected;
334 /* Clean up logging space */
335 memset(&expected, 0, sizeof(expected));
336 memset(client_log_buffer, 0, sizeof(client_log_buffer));
337 memset(server_log_buffer, 0, sizeof(server_log_buffer));
338 client_log_buffer_index = 0;
339 server_log_buffer_index = 0;
340 error_writing_log = 0;
342 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
345 &sctx, &cctx, cert, privkey)))
348 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
349 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
350 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
352 /* We also want to ensure that we use RSA-based key exchange. */
353 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
356 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
357 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
359 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
360 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
361 == client_keylog_callback))
363 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
364 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
365 == server_keylog_callback))
368 /* Now do a handshake and check that the logs have been written to. */
369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
370 &clientssl, NULL, NULL))
371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
373 || !TEST_false(error_writing_log)
374 || !TEST_int_gt(client_log_buffer_index, 0)
375 || !TEST_int_gt(server_log_buffer_index, 0))
379 * Now we want to test that our output data was vaguely sensible. We
380 * do that by using strtok and confirming that we have more or less the
381 * data we expect. For both client and server, we expect to see one master
382 * secret. The client should also see a RSA key exchange.
384 expected.rsa_key_exchange_count = 1;
385 expected.master_secret_count = 1;
386 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
387 SSL_get_session(clientssl), &expected)))
390 expected.rsa_key_exchange_count = 0;
391 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
392 SSL_get_session(serverssl), &expected)))
407 #ifndef OPENSSL_NO_TLS1_3
408 static int test_keylog_no_master_key(void)
410 SSL_CTX *cctx = NULL, *sctx = NULL;
411 SSL *clientssl = NULL, *serverssl = NULL;
412 SSL_SESSION *sess = NULL;
414 struct sslapitest_log_counts expected;
415 unsigned char buf[1];
416 size_t readbytes, written;
418 /* Clean up logging space */
419 memset(&expected, 0, sizeof(expected));
420 memset(client_log_buffer, 0, sizeof(client_log_buffer));
421 memset(server_log_buffer, 0, sizeof(server_log_buffer));
422 client_log_buffer_index = 0;
423 server_log_buffer_index = 0;
424 error_writing_log = 0;
426 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
428 &sctx, &cctx, cert, privkey))
429 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
430 SSL3_RT_MAX_PLAIN_LENGTH)))
433 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
434 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
437 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
438 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
439 == client_keylog_callback))
442 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
443 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
444 == server_keylog_callback))
447 /* Now do a handshake and check that the logs have been written to. */
448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
449 &clientssl, NULL, NULL))
450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
452 || !TEST_false(error_writing_log))
456 * Now we want to test that our output data was vaguely sensible. For this
457 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
458 * TLSv1.3, but we do expect both client and server to emit keys.
460 expected.client_handshake_secret_count = 1;
461 expected.server_handshake_secret_count = 1;
462 expected.client_application_secret_count = 1;
463 expected.server_application_secret_count = 1;
464 expected.exporter_secret_count = 1;
465 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
466 SSL_get_session(clientssl), &expected))
467 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
468 SSL_get_session(serverssl),
472 /* Terminate old session and resume with early data. */
473 sess = SSL_get1_session(clientssl);
474 SSL_shutdown(clientssl);
475 SSL_shutdown(serverssl);
478 serverssl = clientssl = NULL;
481 memset(client_log_buffer, 0, sizeof(client_log_buffer));
482 memset(server_log_buffer, 0, sizeof(server_log_buffer));
483 client_log_buffer_index = 0;
484 server_log_buffer_index = 0;
486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
487 &clientssl, NULL, NULL))
488 || !TEST_true(SSL_set_session(clientssl, sess))
489 /* Here writing 0 length early data is enough. */
490 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
491 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
493 SSL_READ_EARLY_DATA_ERROR)
494 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
495 SSL_EARLY_DATA_ACCEPTED)
496 || !TEST_true(create_ssl_connection(serverssl, clientssl,
498 || !TEST_true(SSL_session_reused(clientssl)))
501 /* In addition to the previous entries, expect early secrets. */
502 expected.client_early_secret_count = 1;
503 expected.early_exporter_secret_count = 1;
504 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
505 SSL_get_session(clientssl), &expected))
506 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
507 SSL_get_session(serverssl),
514 SSL_SESSION_free(sess);
524 #ifndef OPENSSL_NO_TLS1_2
525 static int full_client_hello_callback(SSL *s, int *al, void *arg)
528 const unsigned char *p;
530 /* We only configure two ciphers, but the SCSV is added automatically. */
532 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
534 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
537 const int expected_extensions[] = {
538 #ifndef OPENSSL_NO_EC
544 /* Make sure we can defer processing and get called back. */
546 return SSL_CLIENT_HELLO_RETRY;
548 len = SSL_client_hello_get0_ciphers(s, &p);
549 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
551 SSL_client_hello_get0_compression_methods(s, &p), 1)
552 || !TEST_int_eq(*p, 0))
553 return SSL_CLIENT_HELLO_ERROR;
554 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
555 return SSL_CLIENT_HELLO_ERROR;
556 if (len != OSSL_NELEM(expected_extensions) ||
557 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
558 printf("ClientHello callback expected extensions mismatch\n");
560 return SSL_CLIENT_HELLO_ERROR;
563 return SSL_CLIENT_HELLO_SUCCESS;
566 static int test_client_hello_cb(void)
568 SSL_CTX *cctx = NULL, *sctx = NULL;
569 SSL *clientssl = NULL, *serverssl = NULL;
570 int testctr = 0, testresult = 0;
572 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
574 &sctx, &cctx, cert, privkey)))
576 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
578 /* The gimpy cipher list we configure can't do TLS 1.3. */
579 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
581 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
582 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
583 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
584 &clientssl, NULL, NULL))
585 || !TEST_false(create_ssl_connection(serverssl, clientssl,
586 SSL_ERROR_WANT_CLIENT_HELLO_CB))
588 * Passing a -1 literal is a hack since
589 * the real value was lost.
591 || !TEST_int_eq(SSL_get_error(serverssl, -1),
592 SSL_ERROR_WANT_CLIENT_HELLO_CB)
593 || !TEST_true(create_ssl_connection(serverssl, clientssl,
608 static int test_no_ems(void)
610 SSL_CTX *cctx = NULL, *sctx = NULL;
611 SSL *clientssl = NULL, *serverssl = NULL;
614 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
615 TLS1_VERSION, TLS1_2_VERSION,
616 &sctx, &cctx, cert, privkey)) {
617 printf("Unable to create SSL_CTX pair\n");
621 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
623 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
624 printf("Unable to create SSL objects\n");
628 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
629 printf("Creating SSL connection failed\n");
633 if (SSL_get_extms_support(serverssl)) {
634 printf("Server reports Extended Master Secret support\n");
638 if (SSL_get_extms_support(clientssl)) {
639 printf("Client reports Extended Master Secret support\n");
655 * Very focused test to exercise a single case in the server-side state
656 * machine, when the ChangeCipherState message needs to actually change
657 * from one cipher to a different cipher (i.e., not changing from null
658 * encryption to real encryption).
660 static int test_ccs_change_cipher(void)
662 SSL_CTX *cctx = NULL, *sctx = NULL;
663 SSL *clientssl = NULL, *serverssl = NULL;
664 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
671 * Create a conection so we can resume and potentially (but not) use
672 * a different cipher in the second connection.
674 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
676 TLS1_VERSION, TLS1_2_VERSION,
677 &sctx, &cctx, cert, privkey))
678 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
679 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
681 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
682 || !TEST_true(create_ssl_connection(serverssl, clientssl,
684 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
685 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
688 shutdown_ssl_connection(serverssl, clientssl);
689 serverssl = clientssl = NULL;
691 /* Resume, preferring a different cipher. Our server will force the
692 * same cipher to be used as the initial handshake. */
693 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
695 || !TEST_true(SSL_set_session(clientssl, sess))
696 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
697 || !TEST_true(create_ssl_connection(serverssl, clientssl,
699 || !TEST_true(SSL_session_reused(clientssl))
700 || !TEST_true(SSL_session_reused(serverssl))
701 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
702 || !TEST_ptr_eq(sesspre, sesspost)
703 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
704 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
706 shutdown_ssl_connection(serverssl, clientssl);
707 serverssl = clientssl = NULL;
710 * Now create a fresh connection and try to renegotiate a different
713 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
715 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
716 || !TEST_true(create_ssl_connection(serverssl, clientssl,
718 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
719 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
720 || !TEST_true(SSL_renegotiate(clientssl))
721 || !TEST_true(SSL_renegotiate_pending(clientssl)))
723 /* Actually drive the renegotiation. */
724 for (i = 0; i < 3; i++) {
725 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
726 if (!TEST_ulong_eq(readbytes, 0))
728 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
729 SSL_ERROR_WANT_READ)) {
732 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
733 if (!TEST_ulong_eq(readbytes, 0))
735 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
736 SSL_ERROR_WANT_READ)) {
740 /* sesspre and sesspost should be different since the cipher changed. */
741 if (!TEST_false(SSL_renegotiate_pending(clientssl))
742 || !TEST_false(SSL_session_reused(clientssl))
743 || !TEST_false(SSL_session_reused(serverssl))
744 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
745 || !TEST_ptr_ne(sesspre, sesspost)
746 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
747 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
750 shutdown_ssl_connection(serverssl, clientssl);
751 serverssl = clientssl = NULL;
760 SSL_SESSION_free(sess);
765 static int execute_test_large_message(const SSL_METHOD *smeth,
766 const SSL_METHOD *cmeth,
767 int min_version, int max_version,
770 SSL_CTX *cctx = NULL, *sctx = NULL;
771 SSL *clientssl = NULL, *serverssl = NULL;
775 X509 *chaincert = NULL;
778 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
780 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
783 if (!TEST_ptr(chaincert))
786 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
787 &sctx, &cctx, cert, privkey)))
792 * Test that read_ahead works correctly when dealing with large
795 SSL_CTX_set_read_ahead(cctx, 1);
799 * We assume the supplied certificate is big enough so that if we add
800 * NUM_EXTRA_CERTS it will make the overall message large enough. The
801 * default buffer size is requested to be 16k, but due to the way BUF_MEM
802 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
803 * test we need to have a message larger than that.
805 certlen = i2d_X509(chaincert, NULL);
806 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
807 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
808 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
809 if (!X509_up_ref(chaincert))
811 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
812 X509_free(chaincert);
817 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
819 || !TEST_true(create_ssl_connection(serverssl, clientssl,
824 * Calling SSL_clear() first is not required but this tests that SSL_clear()
827 if (!TEST_true(SSL_clear(serverssl)))
832 X509_free(chaincert);
841 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
842 && !defined(OPENSSL_NO_SOCK)
844 /* sock must be connected */
845 static int ktls_chk_platform(int sock)
847 if (!ktls_enable(sock))
852 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
854 static char count = 1;
855 unsigned char cbuf[16000] = {0};
856 unsigned char sbuf[16000];
858 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
859 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
860 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
861 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
862 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
863 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
864 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
865 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
868 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
869 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
870 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
871 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
872 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
873 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
874 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
875 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
877 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
880 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
881 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
886 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
889 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
890 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
895 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
896 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
897 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
898 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
899 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
900 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
901 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
902 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
904 /* verify the payload */
905 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
908 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
909 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
910 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
911 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
914 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
915 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
919 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
920 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
921 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
924 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
925 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
929 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
930 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
931 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
934 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
935 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
939 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
940 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
941 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
944 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
945 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
954 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
955 int sis_ktls_tx, int sis_ktls_rx)
957 SSL_CTX *cctx = NULL, *sctx = NULL;
958 SSL *clientssl = NULL, *serverssl = NULL;
962 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
965 /* Skip this test if the platform does not support ktls */
966 if (!ktls_chk_platform(cfd))
969 /* Create a session based on SHA-256 */
970 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
972 TLS1_2_VERSION, TLS1_2_VERSION,
973 &sctx, &cctx, cert, privkey))
974 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
975 "AES128-GCM-SHA256"))
976 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
977 &clientssl, sfd, cfd)))
981 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
986 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
991 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
996 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1000 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1005 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1008 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1013 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1016 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1021 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1024 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1029 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1032 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1036 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1042 SSL_shutdown(clientssl);
1043 SSL_free(clientssl);
1046 SSL_shutdown(serverssl);
1047 SSL_free(serverssl);
1051 serverssl = clientssl = NULL;
1055 #define SENDFILE_SZ (16 * 4096)
1056 #define SENDFILE_CHUNK (4 * 4096)
1057 #define min(a,b) ((a) > (b) ? (b) : (a))
1059 static int test_ktls_sendfile(void)
1061 SSL_CTX *cctx = NULL, *sctx = NULL;
1062 SSL *clientssl = NULL, *serverssl = NULL;
1063 unsigned char *buf, *buf_dst;
1064 BIO *out = NULL, *in = NULL;
1065 int cfd, sfd, ffd, err;
1066 ssize_t chunk_size = 0;
1067 off_t chunk_off = 0;
1071 buf = OPENSSL_zalloc(SENDFILE_SZ);
1072 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1073 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1074 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1077 /* Skip this test if the platform does not support ktls */
1078 if (!ktls_chk_platform(sfd)) {
1083 /* Create a session based on SHA-256 */
1084 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1085 TLS_client_method(),
1086 TLS1_2_VERSION, TLS1_2_VERSION,
1087 &sctx, &cctx, cert, privkey))
1088 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1089 "AES128-GCM-SHA256"))
1090 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1091 &clientssl, sfd, cfd)))
1094 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1096 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1099 RAND_bytes(buf, SENDFILE_SZ);
1100 out = BIO_new_file(tmpfilename, "wb");
1104 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1109 in = BIO_new_file(tmpfilename, "rb");
1110 BIO_get_fp(in, &ffdp);
1113 while (chunk_off < SENDFILE_SZ) {
1114 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1115 while ((err = SSL_sendfile(serverssl,
1119 0)) != chunk_size) {
1120 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1123 while ((err = SSL_read(clientssl,
1124 buf_dst + chunk_off,
1125 chunk_size)) != chunk_size) {
1126 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1130 /* verify the payload */
1131 if (!TEST_mem_eq(buf_dst + chunk_off,
1137 chunk_off += chunk_size;
1143 SSL_shutdown(clientssl);
1144 SSL_free(clientssl);
1147 SSL_shutdown(serverssl);
1148 SSL_free(serverssl);
1152 serverssl = clientssl = NULL;
1156 OPENSSL_free(buf_dst);
1160 static int test_ktls_no_txrx_client_no_txrx_server(void)
1162 return execute_test_ktls(0, 0, 0, 0);
1165 static int test_ktls_no_rx_client_no_txrx_server(void)
1167 return execute_test_ktls(1, 0, 0, 0);
1170 static int test_ktls_no_tx_client_no_txrx_server(void)
1172 return execute_test_ktls(0, 1, 0, 0);
1175 static int test_ktls_client_no_txrx_server(void)
1177 return execute_test_ktls(1, 1, 0, 0);
1180 static int test_ktls_no_txrx_client_no_rx_server(void)
1182 return execute_test_ktls(0, 0, 1, 0);
1185 static int test_ktls_no_rx_client_no_rx_server(void)
1187 return execute_test_ktls(1, 0, 1, 0);
1190 static int test_ktls_no_tx_client_no_rx_server(void)
1192 return execute_test_ktls(0, 1, 1, 0);
1195 static int test_ktls_client_no_rx_server(void)
1197 return execute_test_ktls(1, 1, 1, 0);
1200 static int test_ktls_no_txrx_client_no_tx_server(void)
1202 return execute_test_ktls(0, 0, 0, 1);
1205 static int test_ktls_no_rx_client_no_tx_server(void)
1207 return execute_test_ktls(1, 0, 0, 1);
1210 static int test_ktls_no_tx_client_no_tx_server(void)
1212 return execute_test_ktls(0, 1, 0, 1);
1215 static int test_ktls_client_no_tx_server(void)
1217 return execute_test_ktls(1, 1, 0, 1);
1220 static int test_ktls_no_txrx_client_server(void)
1222 return execute_test_ktls(0, 0, 1, 1);
1225 static int test_ktls_no_rx_client_server(void)
1227 return execute_test_ktls(1, 0, 1, 1);
1230 static int test_ktls_no_tx_client_server(void)
1232 return execute_test_ktls(0, 1, 1, 1);
1235 static int test_ktls_client_server(void)
1237 return execute_test_ktls(1, 1, 1, 1);
1241 static int test_large_message_tls(void)
1243 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1244 TLS1_VERSION, 0, 0);
1247 static int test_large_message_tls_read_ahead(void)
1249 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1250 TLS1_VERSION, 0, 1);
1253 #ifndef OPENSSL_NO_DTLS
1254 static int test_large_message_dtls(void)
1257 * read_ahead is not relevant to DTLS because DTLS always acts as if
1258 * read_ahead is set.
1260 return execute_test_large_message(DTLS_server_method(),
1261 DTLS_client_method(),
1262 DTLS1_VERSION, 0, 0);
1266 #ifndef OPENSSL_NO_OCSP
1267 static int ocsp_server_cb(SSL *s, void *arg)
1269 int *argi = (int *)arg;
1270 unsigned char *copy = NULL;
1271 STACK_OF(OCSP_RESPID) *ids = NULL;
1272 OCSP_RESPID *id = NULL;
1275 /* In this test we are expecting exactly 1 OCSP_RESPID */
1276 SSL_get_tlsext_status_ids(s, &ids);
1277 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1278 return SSL_TLSEXT_ERR_ALERT_FATAL;
1280 id = sk_OCSP_RESPID_value(ids, 0);
1281 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1282 return SSL_TLSEXT_ERR_ALERT_FATAL;
1283 } else if (*argi != 1) {
1284 return SSL_TLSEXT_ERR_ALERT_FATAL;
1287 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1288 return SSL_TLSEXT_ERR_ALERT_FATAL;
1290 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1291 ocsp_server_called = 1;
1292 return SSL_TLSEXT_ERR_OK;
1295 static int ocsp_client_cb(SSL *s, void *arg)
1297 int *argi = (int *)arg;
1298 const unsigned char *respderin;
1301 if (*argi != 1 && *argi != 2)
1304 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1305 if (!TEST_mem_eq(orespder, len, respderin, len))
1308 ocsp_client_called = 1;
1312 static int test_tlsext_status_type(void)
1314 SSL_CTX *cctx = NULL, *sctx = NULL;
1315 SSL *clientssl = NULL, *serverssl = NULL;
1317 STACK_OF(OCSP_RESPID) *ids = NULL;
1318 OCSP_RESPID *id = NULL;
1319 BIO *certbio = NULL;
1321 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1323 &sctx, &cctx, cert, privkey))
1326 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1329 /* First just do various checks getting and setting tlsext_status_type */
1331 clientssl = SSL_new(cctx);
1332 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1333 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1334 TLSEXT_STATUSTYPE_ocsp))
1335 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1336 TLSEXT_STATUSTYPE_ocsp))
1339 SSL_free(clientssl);
1342 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1343 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1346 clientssl = SSL_new(cctx);
1347 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1349 SSL_free(clientssl);
1353 * Now actually do a handshake and check OCSP information is exchanged and
1354 * the callbacks get called
1356 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1357 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1358 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1359 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1360 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1361 &clientssl, NULL, NULL))
1362 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1364 || !TEST_true(ocsp_client_called)
1365 || !TEST_true(ocsp_server_called))
1367 SSL_free(serverssl);
1368 SSL_free(clientssl);
1372 /* Try again but this time force the server side callback to fail */
1373 ocsp_client_called = 0;
1374 ocsp_server_called = 0;
1376 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1377 &clientssl, NULL, NULL))
1378 /* This should fail because the callback will fail */
1379 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1381 || !TEST_false(ocsp_client_called)
1382 || !TEST_false(ocsp_server_called))
1384 SSL_free(serverssl);
1385 SSL_free(clientssl);
1390 * This time we'll get the client to send an OCSP_RESPID that it will
1393 ocsp_client_called = 0;
1394 ocsp_server_called = 0;
1396 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1397 &clientssl, NULL, NULL)))
1401 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1402 * specific one. We'll use the server cert.
1404 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1405 || !TEST_ptr(id = OCSP_RESPID_new())
1406 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1407 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1409 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1410 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1413 SSL_set_tlsext_status_ids(clientssl, ids);
1414 /* Control has been transferred */
1420 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1422 || !TEST_true(ocsp_client_called)
1423 || !TEST_true(ocsp_server_called))
1429 SSL_free(serverssl);
1430 SSL_free(clientssl);
1433 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1434 OCSP_RESPID_free(id);
1436 X509_free(ocspcert);
1443 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1444 static int new_called, remove_called, get_called;
1446 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1450 * sess has been up-refed for us, but we don't actually need it so free it
1453 SSL_SESSION_free(sess);
1457 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1462 static SSL_SESSION *get_sess_val = NULL;
1464 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1469 return get_sess_val;
1472 static int execute_test_session(int maxprot, int use_int_cache,
1475 SSL_CTX *sctx = NULL, *cctx = NULL;
1476 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1477 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1478 # ifndef OPENSSL_NO_TLS1_1
1479 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1481 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1482 int testresult = 0, numnewsesstick = 1;
1484 new_called = remove_called = 0;
1486 /* TLSv1.3 sends 2 NewSessionTickets */
1487 if (maxprot == TLS1_3_VERSION)
1490 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1492 &sctx, &cctx, cert, privkey)))
1496 * Only allow the max protocol version so we can force a connection failure
1499 SSL_CTX_set_min_proto_version(cctx, maxprot);
1500 SSL_CTX_set_max_proto_version(cctx, maxprot);
1502 /* Set up session cache */
1503 if (use_ext_cache) {
1504 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1505 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1507 if (use_int_cache) {
1508 /* Also covers instance where both are set */
1509 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1511 SSL_CTX_set_session_cache_mode(cctx,
1512 SSL_SESS_CACHE_CLIENT
1513 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1516 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1518 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1520 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1523 /* Should fail because it should already be in the cache */
1524 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1527 && (!TEST_int_eq(new_called, numnewsesstick)
1529 || !TEST_int_eq(remove_called, 0)))
1532 new_called = remove_called = 0;
1533 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1534 &clientssl2, NULL, NULL))
1535 || !TEST_true(SSL_set_session(clientssl2, sess1))
1536 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1538 || !TEST_true(SSL_session_reused(clientssl2)))
1541 if (maxprot == TLS1_3_VERSION) {
1543 * In TLSv1.3 we should have created a new session even though we have
1544 * resumed. Since we attempted a resume we should also have removed the
1545 * old ticket from the cache so that we try to only use tickets once.
1548 && (!TEST_int_eq(new_called, 1)
1549 || !TEST_int_eq(remove_called, 1)))
1553 * In TLSv1.2 we expect to have resumed so no sessions added or
1557 && (!TEST_int_eq(new_called, 0)
1558 || !TEST_int_eq(remove_called, 0)))
1562 SSL_SESSION_free(sess1);
1563 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1565 shutdown_ssl_connection(serverssl2, clientssl2);
1566 serverssl2 = clientssl2 = NULL;
1568 new_called = remove_called = 0;
1569 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1570 &clientssl2, NULL, NULL))
1571 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1575 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1579 && (!TEST_int_eq(new_called, numnewsesstick)
1580 || !TEST_int_eq(remove_called, 0)))
1583 new_called = remove_called = 0;
1585 * This should clear sess2 from the cache because it is a "bad" session.
1586 * See SSL_set_session() documentation.
1588 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1591 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1593 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1596 if (use_int_cache) {
1597 /* Should succeeded because it should not already be in the cache */
1598 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1599 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1603 new_called = remove_called = 0;
1604 /* This shouldn't be in the cache so should fail */
1605 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1609 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1612 # if !defined(OPENSSL_NO_TLS1_1)
1613 new_called = remove_called = 0;
1614 /* Force a connection failure */
1615 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1617 &clientssl3, NULL, NULL))
1618 || !TEST_true(SSL_set_session(clientssl3, sess1))
1619 /* This should fail because of the mismatched protocol versions */
1620 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1624 /* We should have automatically removed the session from the cache */
1626 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1629 /* Should succeed because it should not already be in the cache */
1630 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1634 /* Now do some tests for server side caching */
1635 if (use_ext_cache) {
1636 SSL_CTX_sess_set_new_cb(cctx, NULL);
1637 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1638 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1639 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1640 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1641 get_sess_val = NULL;
1644 SSL_CTX_set_session_cache_mode(cctx, 0);
1645 /* Internal caching is the default on the server side */
1647 SSL_CTX_set_session_cache_mode(sctx,
1648 SSL_SESS_CACHE_SERVER
1649 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1651 SSL_free(serverssl1);
1652 SSL_free(clientssl1);
1653 serverssl1 = clientssl1 = NULL;
1654 SSL_free(serverssl2);
1655 SSL_free(clientssl2);
1656 serverssl2 = clientssl2 = NULL;
1657 SSL_SESSION_free(sess1);
1659 SSL_SESSION_free(sess2);
1662 SSL_CTX_set_max_proto_version(sctx, maxprot);
1663 if (maxprot == TLS1_2_VERSION)
1664 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1665 new_called = remove_called = get_called = 0;
1666 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1668 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1670 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1671 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1674 if (use_int_cache) {
1675 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1677 * In TLSv1.3 it should not have been added to the internal cache,
1678 * except in the case where we also have an external cache (in that
1679 * case it gets added to the cache in order to generate remove
1680 * events after timeout).
1682 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1685 /* Should fail because it should already be in the cache */
1686 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1691 if (use_ext_cache) {
1692 SSL_SESSION *tmp = sess2;
1694 if (!TEST_int_eq(new_called, numnewsesstick)
1695 || !TEST_int_eq(remove_called, 0)
1696 || !TEST_int_eq(get_called, 0))
1699 * Delete the session from the internal cache to force a lookup from
1700 * the external cache. We take a copy first because
1701 * SSL_CTX_remove_session() also marks the session as non-resumable.
1703 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1704 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1705 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1707 SSL_SESSION_free(sess2);
1712 new_called = remove_called = get_called = 0;
1713 get_sess_val = sess2;
1714 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1715 &clientssl2, NULL, NULL))
1716 || !TEST_true(SSL_set_session(clientssl2, sess1))
1717 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1719 || !TEST_true(SSL_session_reused(clientssl2)))
1722 if (use_ext_cache) {
1723 if (!TEST_int_eq(remove_called, 0))
1726 if (maxprot == TLS1_3_VERSION) {
1727 if (!TEST_int_eq(new_called, 1)
1728 || !TEST_int_eq(get_called, 0))
1731 if (!TEST_int_eq(new_called, 0)
1732 || !TEST_int_eq(get_called, 1))
1740 SSL_free(serverssl1);
1741 SSL_free(clientssl1);
1742 SSL_free(serverssl2);
1743 SSL_free(clientssl2);
1744 # ifndef OPENSSL_NO_TLS1_1
1745 SSL_free(serverssl3);
1746 SSL_free(clientssl3);
1748 SSL_SESSION_free(sess1);
1749 SSL_SESSION_free(sess2);
1755 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1757 static int test_session_with_only_int_cache(void)
1759 #ifndef OPENSSL_NO_TLS1_3
1760 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1764 #ifndef OPENSSL_NO_TLS1_2
1765 return execute_test_session(TLS1_2_VERSION, 1, 0);
1771 static int test_session_with_only_ext_cache(void)
1773 #ifndef OPENSSL_NO_TLS1_3
1774 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1778 #ifndef OPENSSL_NO_TLS1_2
1779 return execute_test_session(TLS1_2_VERSION, 0, 1);
1785 static int test_session_with_both_cache(void)
1787 #ifndef OPENSSL_NO_TLS1_3
1788 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1792 #ifndef OPENSSL_NO_TLS1_2
1793 return execute_test_session(TLS1_2_VERSION, 1, 1);
1799 #ifndef OPENSSL_NO_TLS1_3
1800 static SSL_SESSION *sesscache[6];
1801 static int do_cache;
1803 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1806 sesscache[new_called] = sess;
1808 /* We don't need the reference to the session, so free it */
1809 SSL_SESSION_free(sess);
1816 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1818 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1819 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1822 /* Start handshake on the server and client */
1823 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1824 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1825 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1826 || !TEST_true(create_ssl_connection(sssl, cssl,
1833 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1836 int sess_id_ctx = 1;
1838 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1839 TLS1_VERSION, 0, sctx,
1840 cctx, cert, privkey))
1841 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1842 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1843 (void *)&sess_id_ctx,
1844 sizeof(sess_id_ctx))))
1848 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1850 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1851 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1852 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1857 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1859 SSL *serverssl = NULL, *clientssl = NULL;
1862 /* Test that we can resume with all the tickets we got given */
1863 for (i = 0; i < idx * 2; i++) {
1865 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1866 &clientssl, NULL, NULL))
1867 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1870 SSL_set_post_handshake_auth(clientssl, 1);
1872 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1877 * Following a successful resumption we only get 1 ticket. After a
1878 * failed one we should get idx tickets.
1881 if (!TEST_true(SSL_session_reused(clientssl))
1882 || !TEST_int_eq(new_called, 1))
1885 if (!TEST_false(SSL_session_reused(clientssl))
1886 || !TEST_int_eq(new_called, idx))
1891 /* After a post-handshake authentication we should get 1 new ticket */
1893 && (!post_handshake_verify(serverssl, clientssl)
1894 || !TEST_int_eq(new_called, 1)))
1897 SSL_shutdown(clientssl);
1898 SSL_shutdown(serverssl);
1899 SSL_free(serverssl);
1900 SSL_free(clientssl);
1901 serverssl = clientssl = NULL;
1902 SSL_SESSION_free(sesscache[i]);
1903 sesscache[i] = NULL;
1909 SSL_free(clientssl);
1910 SSL_free(serverssl);
1914 static int test_tickets(int stateful, int idx)
1916 SSL_CTX *sctx = NULL, *cctx = NULL;
1917 SSL *serverssl = NULL, *clientssl = NULL;
1921 /* idx is the test number, but also the number of tickets we want */
1926 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1929 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1930 &clientssl, NULL, NULL)))
1933 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1935 /* Check we got the number of tickets we were expecting */
1936 || !TEST_int_eq(idx, new_called))
1939 SSL_shutdown(clientssl);
1940 SSL_shutdown(serverssl);
1941 SSL_free(serverssl);
1942 SSL_free(clientssl);
1945 clientssl = serverssl = NULL;
1949 * Now we try to resume with the tickets we previously created. The
1950 * resumption attempt is expected to fail (because we're now using a new
1951 * SSL_CTX). We should see idx number of tickets issued again.
1954 /* Stop caching sessions - just count them */
1957 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1960 if (!check_resumption(idx, sctx, cctx, 0))
1963 /* Start again with caching sessions */
1970 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1974 &clientssl, NULL, NULL)))
1977 SSL_set_post_handshake_auth(clientssl, 1);
1979 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1981 /* Check we got the number of tickets we were expecting */
1982 || !TEST_int_eq(idx, new_called))
1985 /* After a post-handshake authentication we should get new tickets issued */
1986 if (!post_handshake_verify(serverssl, clientssl)
1987 || !TEST_int_eq(idx * 2, new_called))
1990 SSL_shutdown(clientssl);
1991 SSL_shutdown(serverssl);
1992 SSL_free(serverssl);
1993 SSL_free(clientssl);
1994 serverssl = clientssl = NULL;
1996 /* Stop caching sessions - just count them */
2000 * Check we can resume with all the tickets we created. This time around the
2001 * resumptions should all be successful.
2003 if (!check_resumption(idx, sctx, cctx, 1))
2009 SSL_free(serverssl);
2010 SSL_free(clientssl);
2011 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2012 SSL_SESSION_free(sesscache[j]);
2013 sesscache[j] = NULL;
2021 static int test_stateless_tickets(int idx)
2023 return test_tickets(0, idx);
2026 static int test_stateful_tickets(int idx)
2028 return test_tickets(1, idx);
2031 static int test_psk_tickets(void)
2033 SSL_CTX *sctx = NULL, *cctx = NULL;
2034 SSL *serverssl = NULL, *clientssl = NULL;
2036 int sess_id_ctx = 1;
2038 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2039 TLS1_VERSION, 0, &sctx,
2041 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2042 (void *)&sess_id_ctx,
2043 sizeof(sess_id_ctx))))
2046 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2047 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2048 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2049 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2050 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2051 use_session_cb_cnt = 0;
2052 find_session_cb_cnt = 0;
2056 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2059 clientpsk = serverpsk = create_a_psk(clientssl);
2060 if (!TEST_ptr(clientpsk))
2062 SSL_SESSION_up_ref(clientpsk);
2064 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2066 || !TEST_int_eq(1, find_session_cb_cnt)
2067 || !TEST_int_eq(1, use_session_cb_cnt)
2068 /* We should always get 1 ticket when using external PSK */
2069 || !TEST_int_eq(1, new_called))
2075 SSL_free(serverssl);
2076 SSL_free(clientssl);
2079 SSL_SESSION_free(clientpsk);
2080 SSL_SESSION_free(serverpsk);
2081 clientpsk = serverpsk = NULL;
2090 #define USE_DEFAULT 3
2092 #define CONNTYPE_CONNECTION_SUCCESS 0
2093 #define CONNTYPE_CONNECTION_FAIL 1
2094 #define CONNTYPE_NO_CONNECTION 2
2096 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2097 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2098 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2099 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2101 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2104 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2105 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2106 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2108 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2125 * Tests calls to SSL_set_bio() under various conditions.
2127 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2128 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2129 * then do more tests where we create a successful connection first using our
2130 * standard connection setup functions, and then call SSL_set_bio() with
2131 * various combinations of valid BIOs or NULL. We then repeat these tests
2132 * following a failed connection. In this last case we are looking to check that
2133 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2135 static int test_ssl_set_bio(int idx)
2137 SSL_CTX *sctx = NULL, *cctx = NULL;
2140 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2141 SSL *serverssl = NULL, *clientssl = NULL;
2142 int initrbio, initwbio, newrbio, newwbio, conntype;
2145 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2153 conntype = CONNTYPE_NO_CONNECTION;
2155 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2156 initrbio = initwbio = USE_DEFAULT;
2164 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2166 &sctx, &cctx, cert, privkey)))
2169 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2171 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2172 * because we reduced the number of tests in the definition of
2173 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2174 * mismatched protocol versions we will force a connection failure.
2176 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2177 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2180 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2184 if (initrbio == USE_BIO_1
2185 || initwbio == USE_BIO_1
2186 || newrbio == USE_BIO_1
2187 || newwbio == USE_BIO_1) {
2188 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2192 if (initrbio == USE_BIO_2
2193 || initwbio == USE_BIO_2
2194 || newrbio == USE_BIO_2
2195 || newwbio == USE_BIO_2) {
2196 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2200 if (initrbio != USE_DEFAULT) {
2201 setupbio(&irbio, bio1, bio2, initrbio);
2202 setupbio(&iwbio, bio1, bio2, initwbio);
2203 SSL_set_bio(clientssl, irbio, iwbio);
2206 * We want to maintain our own refs to these BIO, so do an up ref for
2207 * each BIO that will have ownership transferred in the SSL_set_bio()
2212 if (iwbio != NULL && iwbio != irbio)
2216 if (conntype != CONNTYPE_NO_CONNECTION
2217 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2219 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2222 setupbio(&nrbio, bio1, bio2, newrbio);
2223 setupbio(&nwbio, bio1, bio2, newwbio);
2226 * We will (maybe) transfer ownership again so do more up refs.
2227 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2232 && (nwbio != iwbio || nrbio != nwbio))
2236 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2239 SSL_set_bio(clientssl, nrbio, nwbio);
2248 * This test is checking that the ref counting for SSL_set_bio is correct.
2249 * If we get here and we did too many frees then we will fail in the above
2252 SSL_free(serverssl);
2253 SSL_free(clientssl);
2259 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2261 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2263 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2268 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2269 || !TEST_ptr(ssl = SSL_new(ctx))
2270 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2271 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2274 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2277 * If anything goes wrong here then we could leak memory.
2279 BIO_push(sslbio, membio1);
2281 /* Verify changing the rbio/wbio directly does not cause leaks */
2282 if (change_bio != NO_BIO_CHANGE) {
2283 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2285 if (change_bio == CHANGE_RBIO)
2286 SSL_set0_rbio(ssl, membio2);
2288 SSL_set0_wbio(ssl, membio2);
2307 static int test_ssl_bio_pop_next_bio(void)
2309 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2312 static int test_ssl_bio_pop_ssl_bio(void)
2314 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2317 static int test_ssl_bio_change_rbio(void)
2319 return execute_test_ssl_bio(0, CHANGE_RBIO);
2322 static int test_ssl_bio_change_wbio(void)
2324 return execute_test_ssl_bio(0, CHANGE_WBIO);
2327 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2329 /* The list of sig algs */
2331 /* The length of the list */
2333 /* A sigalgs list in string format */
2334 const char *liststr;
2335 /* Whether setting the list should succeed */
2337 /* Whether creating a connection with the list should succeed */
2341 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2342 # ifndef OPENSSL_NO_EC
2343 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2344 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2346 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2347 static const int invalidlist2[] = {NID_sha256, NID_undef};
2348 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2349 static const int invalidlist4[] = {NID_sha256};
2350 static const sigalgs_list testsigalgs[] = {
2351 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2352 # ifndef OPENSSL_NO_EC
2353 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2354 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2356 {NULL, 0, "RSA+SHA256", 1, 1},
2357 # ifndef OPENSSL_NO_EC
2358 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2359 {NULL, 0, "ECDSA+SHA512", 1, 0},
2361 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2362 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2363 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2364 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2365 {NULL, 0, "RSA", 0, 0},
2366 {NULL, 0, "SHA256", 0, 0},
2367 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2368 {NULL, 0, "Invalid", 0, 0}
2371 static int test_set_sigalgs(int idx)
2373 SSL_CTX *cctx = NULL, *sctx = NULL;
2374 SSL *clientssl = NULL, *serverssl = NULL;
2376 const sigalgs_list *curr;
2379 /* Should never happen */
2380 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2383 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2384 curr = testctx ? &testsigalgs[idx]
2385 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2387 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2389 &sctx, &cctx, cert, privkey)))
2393 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2394 * for TLSv1.2 for now until we add a new API.
2396 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2401 if (curr->list != NULL)
2402 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2404 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2408 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2414 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2419 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2420 &clientssl, NULL, NULL)))
2426 if (curr->list != NULL)
2427 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2429 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2432 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2441 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2449 SSL_free(serverssl);
2450 SSL_free(clientssl);
2458 #ifndef OPENSSL_NO_TLS1_3
2459 static int psk_client_cb_cnt = 0;
2460 static int psk_server_cb_cnt = 0;
2462 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2463 size_t *idlen, SSL_SESSION **sess)
2465 switch (++use_session_cb_cnt) {
2467 /* The first call should always have a NULL md */
2473 /* The second call should always have an md */
2479 /* We should only be called a maximum of twice */
2483 if (clientpsk != NULL)
2484 SSL_SESSION_up_ref(clientpsk);
2487 *id = (const unsigned char *)pskid;
2488 *idlen = strlen(pskid);
2493 #ifndef OPENSSL_NO_PSK
2494 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2495 unsigned int max_id_len,
2497 unsigned int max_psk_len)
2499 unsigned int psklen = 0;
2501 psk_client_cb_cnt++;
2503 if (strlen(pskid) + 1 > max_id_len)
2506 /* We should only ever be called a maximum of twice per connection */
2507 if (psk_client_cb_cnt > 2)
2510 if (clientpsk == NULL)
2513 /* We'll reuse the PSK we set up for TLSv1.3 */
2514 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2516 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2517 strncpy(id, pskid, max_id_len);
2521 #endif /* OPENSSL_NO_PSK */
2523 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2524 size_t identity_len, SSL_SESSION **sess)
2526 find_session_cb_cnt++;
2528 /* We should only ever be called a maximum of twice per connection */
2529 if (find_session_cb_cnt > 2)
2532 if (serverpsk == NULL)
2535 /* Identity should match that set by the client */
2536 if (strlen(srvid) != identity_len
2537 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2538 /* No PSK found, continue but without a PSK */
2543 SSL_SESSION_up_ref(serverpsk);
2549 #ifndef OPENSSL_NO_PSK
2550 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2551 unsigned char *psk, unsigned int max_psk_len)
2553 unsigned int psklen = 0;
2555 psk_server_cb_cnt++;
2557 /* We should only ever be called a maximum of twice per connection */
2558 if (find_session_cb_cnt > 2)
2561 if (serverpsk == NULL)
2564 /* Identity should match that set by the client */
2565 if (strcmp(srvid, identity) != 0) {
2569 /* We'll reuse the PSK we set up for TLSv1.3 */
2570 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2572 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2576 #endif /* OPENSSL_NO_PSK */
2578 #define MSG1 "Hello"
2579 #define MSG2 "World."
2584 #define MSG7 "message."
2586 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2587 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2590 static SSL_SESSION *create_a_psk(SSL *ssl)
2592 const SSL_CIPHER *cipher = NULL;
2593 const unsigned char key[] = {
2594 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2595 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2596 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2597 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2598 0x2c, 0x2d, 0x2e, 0x2f
2600 SSL_SESSION *sess = NULL;
2602 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2603 sess = SSL_SESSION_new();
2605 || !TEST_ptr(cipher)
2606 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2608 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2610 SSL_SESSION_set_protocol_version(sess,
2612 SSL_SESSION_free(sess);
2619 * Helper method to setup objects for early data test. Caller frees objects on
2622 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2623 SSL **serverssl, SSL_SESSION **sess, int idx)
2626 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2627 TLS_client_method(),
2629 sctx, cctx, cert, privkey)))
2632 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2636 /* When idx == 1 we repeat the tests with read_ahead set */
2637 SSL_CTX_set_read_ahead(*cctx, 1);
2638 SSL_CTX_set_read_ahead(*sctx, 1);
2639 } else if (idx == 2) {
2640 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2641 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2642 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2643 use_session_cb_cnt = 0;
2644 find_session_cb_cnt = 0;
2648 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2653 * For one of the run throughs (doesn't matter which one), we'll try sending
2654 * some SNI data in the initial ClientHello. This will be ignored (because
2655 * there is no SNI cb set up by the server), so it should not impact
2659 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2663 clientpsk = create_a_psk(*clientssl);
2664 if (!TEST_ptr(clientpsk)
2666 * We just choose an arbitrary value for max_early_data which
2667 * should be big enough for testing purposes.
2669 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2671 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2672 SSL_SESSION_free(clientpsk);
2676 serverpsk = clientpsk;
2679 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2680 SSL_SESSION_free(clientpsk);
2681 SSL_SESSION_free(serverpsk);
2682 clientpsk = serverpsk = NULL;
2693 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2697 *sess = SSL_get1_session(*clientssl);
2698 SSL_shutdown(*clientssl);
2699 SSL_shutdown(*serverssl);
2700 SSL_free(*serverssl);
2701 SSL_free(*clientssl);
2702 *serverssl = *clientssl = NULL;
2704 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2705 clientssl, NULL, NULL))
2706 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2712 static int test_early_data_read_write(int idx)
2714 SSL_CTX *cctx = NULL, *sctx = NULL;
2715 SSL *clientssl = NULL, *serverssl = NULL;
2717 SSL_SESSION *sess = NULL;
2718 unsigned char buf[20], data[1024];
2719 size_t readbytes, written, eoedlen, rawread, rawwritten;
2722 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2723 &serverssl, &sess, idx)))
2726 /* Write and read some early data */
2727 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2729 || !TEST_size_t_eq(written, strlen(MSG1))
2730 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2731 sizeof(buf), &readbytes),
2732 SSL_READ_EARLY_DATA_SUCCESS)
2733 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2734 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2735 SSL_EARLY_DATA_ACCEPTED))
2739 * Server should be able to write data, and client should be able to
2742 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2744 || !TEST_size_t_eq(written, strlen(MSG2))
2745 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2746 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2749 /* Even after reading normal data, client should be able write early data */
2750 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2752 || !TEST_size_t_eq(written, strlen(MSG3)))
2755 /* Server should still be able read early data after writing data */
2756 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2758 SSL_READ_EARLY_DATA_SUCCESS)
2759 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2762 /* Write more data from server and read it from client */
2763 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2765 || !TEST_size_t_eq(written, strlen(MSG4))
2766 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2767 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2771 * If client writes normal data it should mean writing early data is no
2774 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2775 || !TEST_size_t_eq(written, strlen(MSG5))
2776 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2777 SSL_EARLY_DATA_ACCEPTED))
2781 * At this point the client has written EndOfEarlyData, ClientFinished and
2782 * normal (fully protected) data. We are going to cause a delay between the
2783 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2784 * in the read BIO, and then just put back the EndOfEarlyData message.
2786 rbio = SSL_get_rbio(serverssl);
2787 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2788 || !TEST_size_t_lt(rawread, sizeof(data))
2789 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2792 /* Record length is in the 4th and 5th bytes of the record header */
2793 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2794 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2795 || !TEST_size_t_eq(rawwritten, eoedlen))
2798 /* Server should be told that there is no more early data */
2799 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2801 SSL_READ_EARLY_DATA_FINISH)
2802 || !TEST_size_t_eq(readbytes, 0))
2806 * Server has not finished init yet, so should still be able to write early
2809 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2811 || !TEST_size_t_eq(written, strlen(MSG6)))
2814 /* Push the ClientFinished and the normal data back into the server rbio */
2815 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2817 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2820 /* Server should be able to read normal data */
2821 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2822 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2825 /* Client and server should not be able to write/read early data now */
2826 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2830 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2832 SSL_READ_EARLY_DATA_ERROR))
2836 /* Client should be able to read the data sent by the server */
2837 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2838 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2842 * Make sure we process the two NewSessionTickets. These arrive
2843 * post-handshake. We attempt reads which we do not expect to return any
2846 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2847 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2851 /* Server should be able to write normal data */
2852 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2853 || !TEST_size_t_eq(written, strlen(MSG7))
2854 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2855 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2858 SSL_SESSION_free(sess);
2859 sess = SSL_get1_session(clientssl);
2860 use_session_cb_cnt = 0;
2861 find_session_cb_cnt = 0;
2863 SSL_shutdown(clientssl);
2864 SSL_shutdown(serverssl);
2865 SSL_free(serverssl);
2866 SSL_free(clientssl);
2867 serverssl = clientssl = NULL;
2868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2869 &clientssl, NULL, NULL))
2870 || !TEST_true(SSL_set_session(clientssl, sess)))
2873 /* Write and read some early data */
2874 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2876 || !TEST_size_t_eq(written, strlen(MSG1))
2877 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2879 SSL_READ_EARLY_DATA_SUCCESS)
2880 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2883 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2884 || !TEST_int_gt(SSL_accept(serverssl), 0))
2887 /* Client and server should not be able to write/read early data now */
2888 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2892 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2894 SSL_READ_EARLY_DATA_ERROR))
2898 /* Client and server should be able to write/read normal data */
2899 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2900 || !TEST_size_t_eq(written, strlen(MSG5))
2901 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2902 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2908 SSL_SESSION_free(sess);
2909 SSL_SESSION_free(clientpsk);
2910 SSL_SESSION_free(serverpsk);
2911 clientpsk = serverpsk = NULL;
2912 SSL_free(serverssl);
2913 SSL_free(clientssl);
2919 static int allow_ed_cb_called = 0;
2921 static int allow_early_data_cb(SSL *s, void *arg)
2923 int *usecb = (int *)arg;
2925 allow_ed_cb_called++;
2934 * idx == 0: Standard early_data setup
2935 * idx == 1: early_data setup using read_ahead
2936 * usecb == 0: Don't use a custom early data callback
2937 * usecb == 1: Use a custom early data callback and reject the early data
2938 * usecb == 2: Use a custom early data callback and accept the early data
2939 * confopt == 0: Configure anti-replay directly
2940 * confopt == 1: Configure anti-replay using SSL_CONF
2942 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2944 SSL_CTX *cctx = NULL, *sctx = NULL;
2945 SSL *clientssl = NULL, *serverssl = NULL;
2947 SSL_SESSION *sess = NULL;
2948 size_t readbytes, written;
2949 unsigned char buf[20];
2951 allow_ed_cb_called = 0;
2953 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2954 TLS1_VERSION, 0, &sctx,
2955 &cctx, cert, privkey)))
2960 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2962 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2964 if (!TEST_ptr(confctx))
2966 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2967 | SSL_CONF_FLAG_SERVER);
2968 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2969 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2971 SSL_CONF_CTX_free(confctx);
2974 SSL_CONF_CTX_free(confctx);
2976 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2979 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2980 &serverssl, &sess, idx)))
2984 * The server is configured to accept early data. Create a connection to
2985 * "use up" the ticket
2987 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2988 || !TEST_true(SSL_session_reused(clientssl)))
2991 SSL_shutdown(clientssl);
2992 SSL_shutdown(serverssl);
2993 SSL_free(serverssl);
2994 SSL_free(clientssl);
2995 serverssl = clientssl = NULL;
2997 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2998 &clientssl, NULL, NULL))
2999 || !TEST_true(SSL_set_session(clientssl, sess)))
3002 /* Write and read some early data */
3003 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3005 || !TEST_size_t_eq(written, strlen(MSG1)))
3009 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3011 SSL_READ_EARLY_DATA_FINISH)
3013 * The ticket was reused, so the we should have rejected the
3016 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3017 SSL_EARLY_DATA_REJECTED))
3020 /* In this case the callback decides to accept the early data */
3021 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3023 SSL_READ_EARLY_DATA_SUCCESS)
3024 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3026 * Server will have sent its flight so client can now send
3027 * end of early data and complete its half of the handshake
3029 || !TEST_int_gt(SSL_connect(clientssl), 0)
3030 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3032 SSL_READ_EARLY_DATA_FINISH)
3033 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3034 SSL_EARLY_DATA_ACCEPTED))
3038 /* Complete the connection */
3039 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3040 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3041 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3047 SSL_SESSION_free(sess);
3048 SSL_SESSION_free(clientpsk);
3049 SSL_SESSION_free(serverpsk);
3050 clientpsk = serverpsk = NULL;
3051 SSL_free(serverssl);
3052 SSL_free(clientssl);
3058 static int test_early_data_replay(int idx)
3060 int ret = 1, usecb, confopt;
3062 for (usecb = 0; usecb < 3; usecb++) {
3063 for (confopt = 0; confopt < 2; confopt++)
3064 ret &= test_early_data_replay_int(idx, usecb, confopt);
3071 * Helper function to test that a server attempting to read early data can
3072 * handle a connection from a client where the early data should be skipped.
3073 * testtype: 0 == No HRR
3074 * testtype: 1 == HRR
3075 * testtype: 2 == HRR, invalid early_data sent after HRR
3076 * testtype: 3 == recv_max_early_data set to 0
3078 static int early_data_skip_helper(int testtype, int idx)
3080 SSL_CTX *cctx = NULL, *sctx = NULL;
3081 SSL *clientssl = NULL, *serverssl = NULL;
3083 SSL_SESSION *sess = NULL;
3084 unsigned char buf[20];
3085 size_t readbytes, written;
3087 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3088 &serverssl, &sess, idx)))
3091 if (testtype == 1 || testtype == 2) {
3092 /* Force an HRR to occur */
3093 #if defined(OPENSSL_NO_EC)
3094 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3097 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3100 } else if (idx == 2) {
3102 * We force early_data rejection by ensuring the PSK identity is
3105 srvid = "Dummy Identity";
3108 * Deliberately corrupt the creation time. We take 20 seconds off the
3109 * time. It could be any value as long as it is not within tolerance.
3110 * This should mean the ticket is rejected.
3112 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3117 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3120 /* Write some early data */
3121 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3123 || !TEST_size_t_eq(written, strlen(MSG1)))
3126 /* Server should reject the early data */
3127 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3129 SSL_READ_EARLY_DATA_FINISH)
3130 || !TEST_size_t_eq(readbytes, 0)
3131 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3132 SSL_EARLY_DATA_REJECTED))
3142 * Finish off the handshake. We perform the same writes and reads as
3143 * further down but we expect them to fail due to the incomplete
3146 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3147 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3154 BIO *wbio = SSL_get_wbio(clientssl);
3155 /* A record that will appear as bad early_data */
3156 const unsigned char bad_early_data[] = {
3157 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3161 * We force the client to attempt a write. This will fail because
3162 * we're still in the handshake. It will cause the second
3163 * ClientHello to be sent.
3165 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3170 * Inject some early_data after the second ClientHello. This should
3171 * cause the server to fail
3173 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3174 sizeof(bad_early_data), &written)))
3181 * This client has sent more early_data than we are willing to skip
3182 * (case 3) or sent invalid early_data (case 2) so the connection should
3185 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3186 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3189 /* Connection has failed - nothing more to do */
3194 TEST_error("Invalid test type");
3199 * Should be able to send normal data despite rejection of early data. The
3200 * early_data should be skipped.
3202 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3203 || !TEST_size_t_eq(written, strlen(MSG2))
3204 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3205 SSL_EARLY_DATA_REJECTED)
3206 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3207 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3213 SSL_SESSION_free(clientpsk);
3214 SSL_SESSION_free(serverpsk);
3215 clientpsk = serverpsk = NULL;
3216 SSL_SESSION_free(sess);
3217 SSL_free(serverssl);
3218 SSL_free(clientssl);
3225 * Test that a server attempting to read early data can handle a connection
3226 * from a client where the early data is not acceptable.
3228 static int test_early_data_skip(int idx)
3230 return early_data_skip_helper(0, idx);
3234 * Test that a server attempting to read early data can handle a connection
3235 * from a client where an HRR occurs.
3237 static int test_early_data_skip_hrr(int idx)
3239 return early_data_skip_helper(1, idx);
3243 * Test that a server attempting to read early data can handle a connection
3244 * from a client where an HRR occurs and correctly fails if early_data is sent
3247 static int test_early_data_skip_hrr_fail(int idx)
3249 return early_data_skip_helper(2, idx);
3253 * Test that a server attempting to read early data will abort if it tries to
3254 * skip over too much.
3256 static int test_early_data_skip_abort(int idx)
3258 return early_data_skip_helper(3, idx);
3262 * Test that a server attempting to read early data can handle a connection
3263 * from a client that doesn't send any.
3265 static int test_early_data_not_sent(int idx)
3267 SSL_CTX *cctx = NULL, *sctx = NULL;
3268 SSL *clientssl = NULL, *serverssl = NULL;
3270 SSL_SESSION *sess = NULL;
3271 unsigned char buf[20];
3272 size_t readbytes, written;
3274 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3275 &serverssl, &sess, idx)))
3278 /* Write some data - should block due to handshake with server */
3279 SSL_set_connect_state(clientssl);
3280 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3283 /* Server should detect that early data has not been sent */
3284 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3286 SSL_READ_EARLY_DATA_FINISH)
3287 || !TEST_size_t_eq(readbytes, 0)
3288 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3289 SSL_EARLY_DATA_NOT_SENT)
3290 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3291 SSL_EARLY_DATA_NOT_SENT))
3294 /* Continue writing the message we started earlier */
3295 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3296 || !TEST_size_t_eq(written, strlen(MSG1))
3297 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3298 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3299 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3300 || !TEST_size_t_eq(written, strlen(MSG2)))
3303 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3304 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3310 SSL_SESSION_free(sess);
3311 SSL_SESSION_free(clientpsk);
3312 SSL_SESSION_free(serverpsk);
3313 clientpsk = serverpsk = NULL;
3314 SSL_free(serverssl);
3315 SSL_free(clientssl);
3321 static const char *servalpn;
3323 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3324 unsigned char *outlen, const unsigned char *in,
3325 unsigned int inlen, void *arg)
3327 unsigned int protlen = 0;
3328 const unsigned char *prot;
3330 for (prot = in; prot < in + inlen; prot += protlen) {
3332 if (in + inlen < prot + protlen)
3333 return SSL_TLSEXT_ERR_NOACK;
3335 if (protlen == strlen(servalpn)
3336 && memcmp(prot, servalpn, protlen) == 0) {
3339 return SSL_TLSEXT_ERR_OK;
3343 return SSL_TLSEXT_ERR_NOACK;
3346 /* Test that a PSK can be used to send early_data */
3347 static int test_early_data_psk(int idx)
3349 SSL_CTX *cctx = NULL, *sctx = NULL;
3350 SSL *clientssl = NULL, *serverssl = NULL;
3352 SSL_SESSION *sess = NULL;
3353 unsigned char alpnlist[] = {
3354 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3357 #define GOODALPNLEN 9
3358 #define BADALPNLEN 8
3359 #define GOODALPN (alpnlist)
3360 #define BADALPN (alpnlist + GOODALPNLEN)
3362 unsigned char buf[20];
3363 size_t readbytes, written;
3364 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3365 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3367 /* We always set this up with a final parameter of "2" for PSK */
3368 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3369 &serverssl, &sess, 2)))
3372 servalpn = "goodalpn";
3375 * Note: There is no test for inconsistent SNI with late client detection.
3376 * This is because servers do not acknowledge SNI even if they are using
3377 * it in a resumption handshake - so it is not actually possible for a
3378 * client to detect a problem.
3382 /* Set inconsistent SNI (early client detection) */
3383 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3384 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3385 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3390 /* Set inconsistent ALPN (early client detection) */
3391 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3392 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3393 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3395 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3402 * Set invalid protocol version. Technically this affects PSKs without
3403 * early_data too, but we test it here because it is similar to the
3404 * SNI/ALPN consistency tests.
3406 err = SSL_R_BAD_PSK;
3407 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3413 * Set inconsistent SNI (server side). In this case the connection
3414 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3415 * is associated with each handshake - not the session. Therefore it
3416 * should not matter that we used a different server name last time.
3418 SSL_SESSION_free(serverpsk);
3419 serverpsk = SSL_SESSION_dup(clientpsk);
3420 if (!TEST_ptr(serverpsk)
3421 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3425 /* Set consistent SNI */
3426 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3427 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3428 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3435 * Set inconsistent ALPN (server detected). In this case the connection
3436 * will succeed but reject early_data.
3438 servalpn = "badalpn";
3439 edstatus = SSL_EARLY_DATA_REJECTED;
3440 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3444 * Set consistent ALPN.
3445 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3446 * accepts a list of protos (each one length prefixed).
3447 * SSL_set1_alpn_selected accepts a single protocol (not length
3450 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3452 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3456 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3460 /* Set inconsistent ALPN (late client detection) */
3461 SSL_SESSION_free(serverpsk);
3462 serverpsk = SSL_SESSION_dup(clientpsk);
3463 if (!TEST_ptr(serverpsk)
3464 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3467 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3470 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3473 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3474 edstatus = SSL_EARLY_DATA_ACCEPTED;
3475 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3476 /* SSL_connect() call should fail */
3481 TEST_error("Bad test index");
3485 SSL_set_connect_state(clientssl);
3487 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3489 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3490 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3493 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3497 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3498 &readbytes), readearlyres)
3499 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3500 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3501 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3502 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3509 SSL_SESSION_free(sess);
3510 SSL_SESSION_free(clientpsk);
3511 SSL_SESSION_free(serverpsk);
3512 clientpsk = serverpsk = NULL;
3513 SSL_free(serverssl);
3514 SSL_free(clientssl);
3521 * Test that a server that doesn't try to read early data can handle a
3522 * client sending some.
3524 static int test_early_data_not_expected(int idx)
3526 SSL_CTX *cctx = NULL, *sctx = NULL;
3527 SSL *clientssl = NULL, *serverssl = NULL;
3529 SSL_SESSION *sess = NULL;
3530 unsigned char buf[20];
3531 size_t readbytes, written;
3533 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3534 &serverssl, &sess, idx)))
3537 /* Write some early data */
3538 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3543 * Server should skip over early data and then block waiting for client to
3544 * continue handshake
3546 if (!TEST_int_le(SSL_accept(serverssl), 0)
3547 || !TEST_int_gt(SSL_connect(clientssl), 0)
3548 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3549 SSL_EARLY_DATA_REJECTED)
3550 || !TEST_int_gt(SSL_accept(serverssl), 0)
3551 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3552 SSL_EARLY_DATA_REJECTED))
3555 /* Send some normal data from client to server */
3556 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3557 || !TEST_size_t_eq(written, strlen(MSG2)))
3560 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3561 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3567 SSL_SESSION_free(sess);
3568 SSL_SESSION_free(clientpsk);
3569 SSL_SESSION_free(serverpsk);
3570 clientpsk = serverpsk = NULL;
3571 SSL_free(serverssl);
3572 SSL_free(clientssl);
3579 # ifndef OPENSSL_NO_TLS1_2
3581 * Test that a server attempting to read early data can handle a connection
3582 * from a TLSv1.2 client.
3584 static int test_early_data_tls1_2(int idx)
3586 SSL_CTX *cctx = NULL, *sctx = NULL;
3587 SSL *clientssl = NULL, *serverssl = NULL;
3589 unsigned char buf[20];
3590 size_t readbytes, written;
3592 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3593 &serverssl, NULL, idx)))
3596 /* Write some data - should block due to handshake with server */
3597 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3598 SSL_set_connect_state(clientssl);
3599 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3603 * Server should do TLSv1.2 handshake. First it will block waiting for more
3604 * messages from client after ServerDone. Then SSL_read_early_data should
3605 * finish and detect that early data has not been sent
3607 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3609 SSL_READ_EARLY_DATA_ERROR))
3613 * Continue writing the message we started earlier. Will still block waiting
3614 * for the CCS/Finished from server
3616 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3617 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3619 SSL_READ_EARLY_DATA_FINISH)
3620 || !TEST_size_t_eq(readbytes, 0)
3621 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3622 SSL_EARLY_DATA_NOT_SENT))
3625 /* Continue writing the message we started earlier */
3626 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3627 || !TEST_size_t_eq(written, strlen(MSG1))
3628 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3629 SSL_EARLY_DATA_NOT_SENT)
3630 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3631 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3632 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3633 || !TEST_size_t_eq(written, strlen(MSG2))
3634 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3635 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3641 SSL_SESSION_free(clientpsk);
3642 SSL_SESSION_free(serverpsk);
3643 clientpsk = serverpsk = NULL;
3644 SSL_free(serverssl);
3645 SSL_free(clientssl);
3651 # endif /* OPENSSL_NO_TLS1_2 */
3654 * Test configuring the TLSv1.3 ciphersuites
3656 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3657 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3658 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3659 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3660 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3661 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3662 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3663 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3664 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3665 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3667 static int test_set_ciphersuite(int idx)
3669 SSL_CTX *cctx = NULL, *sctx = NULL;
3670 SSL *clientssl = NULL, *serverssl = NULL;
3673 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3675 &sctx, &cctx, cert, privkey))
3676 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3677 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3680 if (idx >=4 && idx <= 7) {
3681 /* SSL_CTX explicit cipher list */
3682 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3686 if (idx == 0 || idx == 4) {
3687 /* Default ciphersuite */
3688 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3689 "TLS_AES_128_GCM_SHA256")))
3691 } else if (idx == 1 || idx == 5) {
3692 /* Non default ciphersuite */
3693 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3694 "TLS_AES_128_CCM_SHA256")))
3698 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3699 &clientssl, NULL, NULL)))
3702 if (idx == 8 || idx == 9) {
3703 /* SSL explicit cipher list */
3704 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3708 if (idx == 2 || idx == 6 || idx == 8) {
3709 /* Default ciphersuite */
3710 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3711 "TLS_AES_128_GCM_SHA256")))
3713 } else if (idx == 3 || idx == 7 || idx == 9) {
3714 /* Non default ciphersuite */
3715 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3716 "TLS_AES_128_CCM_SHA256")))
3720 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3726 SSL_free(serverssl);
3727 SSL_free(clientssl);
3734 static int test_ciphersuite_change(void)
3736 SSL_CTX *cctx = NULL, *sctx = NULL;
3737 SSL *clientssl = NULL, *serverssl = NULL;
3738 SSL_SESSION *clntsess = NULL;
3740 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3742 /* Create a session based on SHA-256 */
3743 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3745 &sctx, &cctx, cert, privkey))
3746 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3747 "TLS_AES_128_GCM_SHA256"))
3748 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3749 &clientssl, NULL, NULL))
3750 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3754 clntsess = SSL_get1_session(clientssl);
3755 /* Save for later */
3756 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3757 SSL_shutdown(clientssl);
3758 SSL_shutdown(serverssl);
3759 SSL_free(serverssl);
3760 SSL_free(clientssl);
3761 serverssl = clientssl = NULL;
3763 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3764 /* Check we can resume a session with a different SHA-256 ciphersuite */
3765 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3766 "TLS_CHACHA20_POLY1305_SHA256"))
3767 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3769 || !TEST_true(SSL_set_session(clientssl, clntsess))
3770 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3772 || !TEST_true(SSL_session_reused(clientssl)))
3775 SSL_SESSION_free(clntsess);
3776 clntsess = SSL_get1_session(clientssl);
3777 SSL_shutdown(clientssl);
3778 SSL_shutdown(serverssl);
3779 SSL_free(serverssl);
3780 SSL_free(clientssl);
3781 serverssl = clientssl = NULL;
3785 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3786 * succeeds but does not resume.
3788 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3789 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3791 || !TEST_true(SSL_set_session(clientssl, clntsess))
3792 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3794 || !TEST_false(SSL_session_reused(clientssl)))
3797 SSL_SESSION_free(clntsess);
3799 SSL_shutdown(clientssl);
3800 SSL_shutdown(serverssl);
3801 SSL_free(serverssl);
3802 SSL_free(clientssl);
3803 serverssl = clientssl = NULL;
3805 /* Create a session based on SHA384 */
3806 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3807 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3808 &clientssl, NULL, NULL))
3809 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3813 clntsess = SSL_get1_session(clientssl);
3814 SSL_shutdown(clientssl);
3815 SSL_shutdown(serverssl);
3816 SSL_free(serverssl);
3817 SSL_free(clientssl);
3818 serverssl = clientssl = NULL;
3820 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3821 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3822 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3823 "TLS_AES_256_GCM_SHA384"))
3824 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3826 || !TEST_true(SSL_set_session(clientssl, clntsess))
3828 * We use SSL_ERROR_WANT_READ below so that we can pause the
3829 * connection after the initial ClientHello has been sent to
3830 * enable us to make some session changes.
3832 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3833 SSL_ERROR_WANT_READ)))
3836 /* Trick the client into thinking this session is for a different digest */
3837 clntsess->cipher = aes_128_gcm_sha256;
3838 clntsess->cipher_id = clntsess->cipher->id;
3841 * Continue the previously started connection. Server has selected a SHA-384
3842 * ciphersuite, but client thinks the session is for SHA-256, so it should
3845 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3847 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3848 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3854 SSL_SESSION_free(clntsess);
3855 SSL_free(serverssl);
3856 SSL_free(clientssl);
3864 * Test TLSv1.3 Key exchange
3865 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3866 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3867 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3868 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3869 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3870 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3871 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3872 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3873 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3874 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3875 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3876 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3877 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3878 * Test 13 = Test all FFDHE with TLSv1.2 client and server
3880 static int test_key_exchange(int idx)
3882 SSL_CTX *sctx = NULL, *cctx = NULL;
3883 SSL *serverssl = NULL, *clientssl = NULL;
3885 # ifndef OPENSSL_NO_EC
3886 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3887 NID_secp521r1, NID_X25519, NID_X448};
3889 # ifndef OPENSSL_NO_DH
3890 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3891 NID_ffdhe6144, NID_ffdhe8192};
3894 int *kexch_groups = &kexch_alg;
3895 int kexch_groups_size = 1;
3896 int max_version = TLS1_3_VERSION;
3899 # ifndef OPENSSL_NO_EC
3900 # ifndef OPENSSL_NO_TLS1_2
3902 max_version = TLS1_2_VERSION;
3906 kexch_groups = ecdhe_kexch_groups;
3907 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3910 kexch_alg = NID_X9_62_prime256v1;
3913 kexch_alg = NID_secp384r1;
3916 kexch_alg = NID_secp521r1;
3919 kexch_alg = NID_X25519;
3922 kexch_alg = NID_X448;
3925 # ifndef OPENSSL_NO_DH
3926 # ifndef OPENSSL_NO_TLS1_2
3928 max_version = TLS1_2_VERSION;
3932 kexch_groups = ffdhe_kexch_groups;
3933 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3936 kexch_alg = NID_ffdhe2048;
3939 kexch_alg = NID_ffdhe3072;
3942 kexch_alg = NID_ffdhe4096;
3945 kexch_alg = NID_ffdhe6144;
3948 kexch_alg = NID_ffdhe8192;
3952 /* We're skipping this test */
3956 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3957 TLS1_VERSION, max_version,
3958 &sctx, &cctx, cert, privkey)))
3961 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3962 TLS1_3_RFC_AES_128_GCM_SHA256)))
3965 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3966 TLS1_3_RFC_AES_128_GCM_SHA256)))
3969 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3970 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3974 * Must include an EC ciphersuite so that we send supported groups in
3977 # ifndef OPENSSL_NO_TLS1_2
3978 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3979 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3980 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3988 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3989 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3992 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3996 * If Handshake succeeds the negotiated kexch alg should be the first one in
3997 * configured, except in the case of FFDHE groups (idx 13), which are
3998 * TLSv1.3 only so we expect no shared group to exist.
4000 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4001 idx == 13 ? 0 : kexch_groups[0]))
4003 if (max_version == TLS1_3_VERSION) {
4004 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4006 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4012 SSL_free(serverssl);
4013 SSL_free(clientssl);
4020 * Test TLSv1.3 Cipher Suite
4021 * Test 0 = Set TLS1.3 cipher on context
4022 * Test 1 = Set TLS1.3 cipher on SSL
4023 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4024 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4026 static int test_tls13_ciphersuite(int idx)
4028 SSL_CTX *sctx = NULL, *cctx = NULL;
4029 SSL *serverssl = NULL, *clientssl = NULL;
4030 static const char *t13_ciphers[] = {
4031 TLS1_3_RFC_AES_128_GCM_SHA256,
4032 TLS1_3_RFC_AES_256_GCM_SHA384,
4033 TLS1_3_RFC_AES_128_CCM_SHA256,
4034 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4035 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4036 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4038 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
4040 const char *t13_cipher = NULL;
4041 const char *t12_cipher = NULL;
4042 const char *negotiated_scipher;
4043 const char *negotiated_ccipher;
4059 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4063 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4067 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4068 # ifdef OPENSSL_NO_TLS1_2
4069 if (max_ver == TLS1_2_VERSION)
4072 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4073 t13_cipher = t13_ciphers[i];
4074 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4075 TLS_client_method(),
4076 TLS1_VERSION, max_ver,
4077 &sctx, &cctx, cert, privkey)))
4081 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4082 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4084 if (t12_cipher != NULL) {
4085 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4086 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4092 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4093 &clientssl, NULL, NULL)))
4097 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4098 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4100 if (t12_cipher != NULL) {
4101 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4102 || !TEST_true(SSL_set_cipher_list(clientssl,
4108 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4112 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4114 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4116 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4120 * TEST_strn_eq is used below because t13_cipher can contain
4121 * multiple ciphersuites
4123 if (max_ver == TLS1_3_VERSION
4124 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4125 strlen(negotiated_scipher)))
4128 # ifndef OPENSSL_NO_TLS1_2
4129 /* Below validation is not done when t12_cipher is NULL */
4130 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4131 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4135 SSL_free(serverssl);
4137 SSL_free(clientssl);
4148 SSL_free(serverssl);
4149 SSL_free(clientssl);
4157 * Test 0 = Test new style callbacks
4158 * Test 1 = Test both new and old style callbacks
4159 * Test 2 = Test old style callbacks
4160 * Test 3 = Test old style callbacks with no certificate
4162 static int test_tls13_psk(int idx)
4164 SSL_CTX *sctx = NULL, *cctx = NULL;
4165 SSL *serverssl = NULL, *clientssl = NULL;
4166 const SSL_CIPHER *cipher = NULL;
4167 const unsigned char key[] = {
4168 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4169 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4170 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4171 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4175 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4177 &sctx, &cctx, idx == 3 ? NULL : cert,
4178 idx == 3 ? NULL : privkey)))
4183 * We use a ciphersuite with SHA256 to ease testing old style PSK
4184 * callbacks which will always default to SHA256. This should not be
4185 * necessary if we have no cert/priv key. In that case the server should
4186 * prefer SHA256 automatically.
4188 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4189 "TLS_AES_128_GCM_SHA256")))
4194 * Test 0: New style callbacks only
4195 * Test 1: New and old style callbacks (only the new ones should be used)
4196 * Test 2: Old style callbacks only
4198 if (idx == 0 || idx == 1) {
4199 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4200 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4202 #ifndef OPENSSL_NO_PSK
4204 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4205 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4209 use_session_cb_cnt = 0;
4210 find_session_cb_cnt = 0;
4211 psk_client_cb_cnt = 0;
4212 psk_server_cb_cnt = 0;
4216 * Check we can create a connection if callback decides not to send a
4219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4221 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4223 || !TEST_false(SSL_session_reused(clientssl))
4224 || !TEST_false(SSL_session_reused(serverssl)))
4227 if (idx == 0 || idx == 1) {
4228 if (!TEST_true(use_session_cb_cnt == 1)
4229 || !TEST_true(find_session_cb_cnt == 0)
4231 * If no old style callback then below should be 0
4234 || !TEST_true(psk_client_cb_cnt == idx)
4235 || !TEST_true(psk_server_cb_cnt == 0))
4238 if (!TEST_true(use_session_cb_cnt == 0)
4239 || !TEST_true(find_session_cb_cnt == 0)
4240 || !TEST_true(psk_client_cb_cnt == 1)
4241 || !TEST_true(psk_server_cb_cnt == 0))
4245 shutdown_ssl_connection(serverssl, clientssl);
4246 serverssl = clientssl = NULL;
4247 use_session_cb_cnt = psk_client_cb_cnt = 0;
4250 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4254 /* Create the PSK */
4255 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4256 clientpsk = SSL_SESSION_new();
4257 if (!TEST_ptr(clientpsk)
4258 || !TEST_ptr(cipher)
4259 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4261 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4262 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4264 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4266 serverpsk = clientpsk;
4268 /* Check we can create a connection and the PSK is used */
4269 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4270 || !TEST_true(SSL_session_reused(clientssl))
4271 || !TEST_true(SSL_session_reused(serverssl)))
4274 if (idx == 0 || idx == 1) {
4275 if (!TEST_true(use_session_cb_cnt == 1)
4276 || !TEST_true(find_session_cb_cnt == 1)
4277 || !TEST_true(psk_client_cb_cnt == 0)
4278 || !TEST_true(psk_server_cb_cnt == 0))
4281 if (!TEST_true(use_session_cb_cnt == 0)
4282 || !TEST_true(find_session_cb_cnt == 0)
4283 || !TEST_true(psk_client_cb_cnt == 1)
4284 || !TEST_true(psk_server_cb_cnt == 1))
4288 shutdown_ssl_connection(serverssl, clientssl);
4289 serverssl = clientssl = NULL;
4290 use_session_cb_cnt = find_session_cb_cnt = 0;
4291 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4293 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4298 #if defined(OPENSSL_NO_EC)
4299 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4302 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4307 * Check we can create a connection, the PSK is used and the callbacks are
4310 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4311 || !TEST_true(SSL_session_reused(clientssl))
4312 || !TEST_true(SSL_session_reused(serverssl)))
4315 if (idx == 0 || idx == 1) {
4316 if (!TEST_true(use_session_cb_cnt == 2)
4317 || !TEST_true(find_session_cb_cnt == 2)
4318 || !TEST_true(psk_client_cb_cnt == 0)
4319 || !TEST_true(psk_server_cb_cnt == 0))
4322 if (!TEST_true(use_session_cb_cnt == 0)
4323 || !TEST_true(find_session_cb_cnt == 0)
4324 || !TEST_true(psk_client_cb_cnt == 2)
4325 || !TEST_true(psk_server_cb_cnt == 2))
4329 shutdown_ssl_connection(serverssl, clientssl);
4330 serverssl = clientssl = NULL;
4331 use_session_cb_cnt = find_session_cb_cnt = 0;
4332 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4336 * Check that if the server rejects the PSK we can still connect, but with
4339 srvid = "Dummy Identity";
4340 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4342 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4344 || !TEST_false(SSL_session_reused(clientssl))
4345 || !TEST_false(SSL_session_reused(serverssl)))
4348 if (idx == 0 || idx == 1) {
4349 if (!TEST_true(use_session_cb_cnt == 1)
4350 || !TEST_true(find_session_cb_cnt == 1)
4351 || !TEST_true(psk_client_cb_cnt == 0)
4353 * If no old style callback then below should be 0
4356 || !TEST_true(psk_server_cb_cnt == idx))
4359 if (!TEST_true(use_session_cb_cnt == 0)
4360 || !TEST_true(find_session_cb_cnt == 0)
4361 || !TEST_true(psk_client_cb_cnt == 1)
4362 || !TEST_true(psk_server_cb_cnt == 1))
4366 shutdown_ssl_connection(serverssl, clientssl);
4367 serverssl = clientssl = NULL;
4372 SSL_SESSION_free(clientpsk);
4373 SSL_SESSION_free(serverpsk);
4374 clientpsk = serverpsk = NULL;
4375 SSL_free(serverssl);
4376 SSL_free(clientssl);
4382 static unsigned char cookie_magic_value[] = "cookie magic";
4384 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4385 unsigned int *cookie_len)
4388 * Not suitable as a real cookie generation function but good enough for
4391 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4392 *cookie_len = sizeof(cookie_magic_value) - 1;
4397 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4398 unsigned int cookie_len)
4400 if (cookie_len == sizeof(cookie_magic_value) - 1
4401 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4407 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4411 int res = generate_cookie_callback(ssl, cookie, &temp);
4416 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4419 return verify_cookie_callback(ssl, cookie, cookie_len);
4422 static int test_stateless(void)
4424 SSL_CTX *sctx = NULL, *cctx = NULL;
4425 SSL *serverssl = NULL, *clientssl = NULL;
4428 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4430 &sctx, &cctx, cert, privkey)))
4433 /* The arrival of CCS messages can confuse the test */
4434 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4436 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4438 /* Send the first ClientHello */
4439 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4440 SSL_ERROR_WANT_READ))
4442 * This should fail with a -1 return because we have no callbacks
4445 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4448 /* Fatal error so abandon the connection from this client */
4449 SSL_free(clientssl);
4452 /* Set up the cookie generation and verification callbacks */
4453 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4454 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4457 * Create a new connection from the client (we can reuse the server SSL
4460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4462 /* Send the first ClientHello */
4463 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4464 SSL_ERROR_WANT_READ))
4465 /* This should fail because there is no cookie */
4466 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4469 /* Abandon the connection from this client */
4470 SSL_free(clientssl);
4474 * Now create a connection from a new client but with the same server SSL
4477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4479 /* Send the first ClientHello */
4480 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4481 SSL_ERROR_WANT_READ))
4482 /* This should fail because there is no cookie */
4483 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4484 /* Send the second ClientHello */
4485 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4486 SSL_ERROR_WANT_READ))
4487 /* This should succeed because a cookie is now present */
4488 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4489 /* Complete the connection */
4490 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4494 shutdown_ssl_connection(serverssl, clientssl);
4495 serverssl = clientssl = NULL;
4499 SSL_free(serverssl);
4500 SSL_free(clientssl);
4506 #endif /* OPENSSL_NO_TLS1_3 */
4508 static int clntaddoldcb = 0;
4509 static int clntparseoldcb = 0;
4510 static int srvaddoldcb = 0;
4511 static int srvparseoldcb = 0;
4512 static int clntaddnewcb = 0;
4513 static int clntparsenewcb = 0;
4514 static int srvaddnewcb = 0;
4515 static int srvparsenewcb = 0;
4516 static int snicb = 0;
4518 #define TEST_EXT_TYPE1 0xff00
4520 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4521 size_t *outlen, int *al, void *add_arg)
4523 int *server = (int *)add_arg;
4524 unsigned char *data;
4526 if (SSL_is_server(s))
4531 if (*server != SSL_is_server(s)
4532 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4537 *outlen = sizeof(char);
4541 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4544 OPENSSL_free((unsigned char *)out);
4547 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4548 size_t inlen, int *al, void *parse_arg)
4550 int *server = (int *)parse_arg;
4552 if (SSL_is_server(s))
4557 if (*server != SSL_is_server(s)
4558 || inlen != sizeof(char)
4565 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4566 const unsigned char **out, size_t *outlen, X509 *x,
4567 size_t chainidx, int *al, void *add_arg)
4569 int *server = (int *)add_arg;
4570 unsigned char *data;
4572 if (SSL_is_server(s))
4577 if (*server != SSL_is_server(s)
4578 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4583 *outlen = sizeof(*data);
4587 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4588 const unsigned char *out, void *add_arg)
4590 OPENSSL_free((unsigned char *)out);
4593 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4594 const unsigned char *in, size_t inlen, X509 *x,
4595 size_t chainidx, int *al, void *parse_arg)
4597 int *server = (int *)parse_arg;
4599 if (SSL_is_server(s))
4604 if (*server != SSL_is_server(s)
4605 || inlen != sizeof(char) || *in != 1)
4611 static int sni_cb(SSL *s, int *al, void *arg)
4613 SSL_CTX *ctx = (SSL_CTX *)arg;
4615 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4616 *al = SSL_AD_INTERNAL_ERROR;
4617 return SSL_TLSEXT_ERR_ALERT_FATAL;
4620 return SSL_TLSEXT_ERR_OK;
4624 * Custom call back tests.
4625 * Test 0: Old style callbacks in TLSv1.2
4626 * Test 1: New style callbacks in TLSv1.2
4627 * Test 2: New style callbacks in TLSv1.2 with SNI
4628 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4629 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4631 static int test_custom_exts(int tst)
4633 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4634 SSL *clientssl = NULL, *serverssl = NULL;
4636 static int server = 1;
4637 static int client = 0;
4638 SSL_SESSION *sess = NULL;
4639 unsigned int context;
4641 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4642 /* Skip tests for TLSv1.2 and below in this case */
4647 /* Reset callback counters */
4648 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4649 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4652 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4654 &sctx, &cctx, cert, privkey)))
4658 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4660 &sctx2, NULL, cert, privkey)))
4665 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4666 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4668 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4672 context = SSL_EXT_CLIENT_HELLO
4673 | SSL_EXT_TLS1_2_SERVER_HELLO
4674 | SSL_EXT_TLS1_3_SERVER_HELLO
4675 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4676 | SSL_EXT_TLS1_3_CERTIFICATE
4677 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4679 context = SSL_EXT_CLIENT_HELLO
4680 | SSL_EXT_TLS1_2_SERVER_HELLO
4681 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4684 /* Create a client side custom extension */
4686 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4687 old_add_cb, old_free_cb,
4688 &client, old_parse_cb,
4692 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4693 new_add_cb, new_free_cb,
4694 &client, new_parse_cb, &client)))
4698 /* Should not be able to add duplicates */
4699 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4700 old_add_cb, old_free_cb,
4701 &client, old_parse_cb,
4703 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4704 context, new_add_cb,
4705 new_free_cb, &client,
4706 new_parse_cb, &client)))
4709 /* Create a server side custom extension */
4711 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4712 old_add_cb, old_free_cb,
4713 &server, old_parse_cb,
4717 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4718 new_add_cb, new_free_cb,
4719 &server, new_parse_cb, &server)))
4722 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4723 context, new_add_cb,
4724 new_free_cb, &server,
4725 new_parse_cb, &server)))
4729 /* Should not be able to add duplicates */
4730 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4731 old_add_cb, old_free_cb,
4732 &server, old_parse_cb,
4734 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4735 context, new_add_cb,
4736 new_free_cb, &server,
4737 new_parse_cb, &server)))
4742 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4743 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4747 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4748 &clientssl, NULL, NULL))
4749 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4754 if (clntaddoldcb != 1
4755 || clntparseoldcb != 1
4757 || srvparseoldcb != 1)
4759 } else if (tst == 1 || tst == 2 || tst == 3) {
4760 if (clntaddnewcb != 1
4761 || clntparsenewcb != 1
4763 || srvparsenewcb != 1
4764 || (tst != 2 && snicb != 0)
4765 || (tst == 2 && snicb != 1))
4768 /* In this case there 2 NewSessionTicket messages created */
4769 if (clntaddnewcb != 1
4770 || clntparsenewcb != 5
4772 || srvparsenewcb != 1)
4776 sess = SSL_get1_session(clientssl);
4777 SSL_shutdown(clientssl);
4778 SSL_shutdown(serverssl);
4779 SSL_free(serverssl);
4780 SSL_free(clientssl);
4781 serverssl = clientssl = NULL;
4784 /* We don't bother with the resumption aspects for this test */
4789 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4791 || !TEST_true(SSL_set_session(clientssl, sess))
4792 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4797 * For a resumed session we expect to add the ClientHello extension. For the
4798 * old style callbacks we ignore it on the server side because they set
4799 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4803 if (clntaddoldcb != 2
4804 || clntparseoldcb != 1
4806 || srvparseoldcb != 1)
4808 } else if (tst == 1 || tst == 2 || tst == 3) {
4809 if (clntaddnewcb != 2
4810 || clntparsenewcb != 2
4812 || srvparsenewcb != 2)
4816 * No Certificate message extensions in the resumption handshake,
4817 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4819 if (clntaddnewcb != 2
4820 || clntparsenewcb != 8
4822 || srvparsenewcb != 2)
4829 SSL_SESSION_free(sess);
4830 SSL_free(serverssl);
4831 SSL_free(clientssl);
4832 SSL_CTX_free(sctx2);
4839 * Test loading of serverinfo data in various formats. test_sslmessages actually
4840 * tests to make sure the extensions appear in the handshake
4842 static int test_serverinfo(int tst)
4844 unsigned int version;
4845 unsigned char *sibuf;
4847 int ret, expected, testresult = 0;
4850 ctx = SSL_CTX_new(TLS_method());
4854 if ((tst & 0x01) == 0x01)
4855 version = SSL_SERVERINFOV2;
4857 version = SSL_SERVERINFOV1;
4859 if ((tst & 0x02) == 0x02) {
4860 sibuf = serverinfov2;
4861 sibuflen = sizeof(serverinfov2);
4862 expected = (version == SSL_SERVERINFOV2);
4864 sibuf = serverinfov1;
4865 sibuflen = sizeof(serverinfov1);
4866 expected = (version == SSL_SERVERINFOV1);
4869 if ((tst & 0x04) == 0x04) {
4870 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4872 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4875 * The version variable is irrelevant in this case - it's what is in the
4876 * buffer that matters
4878 if ((tst & 0x02) == 0x02)
4884 if (!TEST_true(ret == expected))
4896 * Test that SSL_export_keying_material() produces expected results. There are
4897 * no test vectors so all we do is test that both sides of the communication
4898 * produce the same results for different protocol versions.
4900 #define SMALL_LABEL_LEN 10
4901 #define LONG_LABEL_LEN 249
4902 static int test_export_key_mat(int tst)
4905 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4906 SSL *clientssl = NULL, *serverssl = NULL;
4907 const char label[LONG_LABEL_LEN + 1] = "test label";
4908 const unsigned char context[] = "context";
4909 const unsigned char *emptycontext = NULL;
4910 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4911 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4913 const int protocols[] = {
4922 #ifdef OPENSSL_NO_TLS1
4926 #ifdef OPENSSL_NO_TLS1_1
4930 #ifdef OPENSSL_NO_TLS1_2
4934 #ifdef OPENSSL_NO_TLS1_3
4938 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4940 &sctx, &cctx, cert, privkey)))
4943 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4944 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4945 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4947 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4949 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4955 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4958 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4959 sizeof(ckeymat1), label,
4960 LONG_LABEL_LEN + 1, context,
4961 sizeof(context) - 1, 1), 0))
4966 } else if (tst == 4) {
4967 labellen = LONG_LABEL_LEN;
4969 labellen = SMALL_LABEL_LEN;
4972 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4973 sizeof(ckeymat1), label,
4975 sizeof(context) - 1, 1), 1)
4976 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4977 sizeof(ckeymat2), label,
4981 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4982 sizeof(ckeymat3), label,
4985 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4986 sizeof(skeymat1), label,
4989 sizeof(context) -1, 1),
4991 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4992 sizeof(skeymat2), label,
4996 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4997 sizeof(skeymat3), label,
5001 * Check that both sides created the same key material with the
5004 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5007 * Check that both sides created the same key material with an
5010 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5013 * Check that both sides created the same key material without a
5016 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5018 /* Different contexts should produce different results */
5019 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5024 * Check that an empty context and no context produce different results in
5025 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5027 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5029 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5036 SSL_free(serverssl);
5037 SSL_free(clientssl);
5038 SSL_CTX_free(sctx2);
5045 #ifndef OPENSSL_NO_TLS1_3
5047 * Test that SSL_export_keying_material_early() produces expected
5048 * results. There are no test vectors so all we do is test that both
5049 * sides of the communication produce the same results for different
5050 * protocol versions.
5052 static int test_export_key_mat_early(int idx)
5054 static const char label[] = "test label";
5055 static const unsigned char context[] = "context";
5057 SSL_CTX *cctx = NULL, *sctx = NULL;
5058 SSL *clientssl = NULL, *serverssl = NULL;
5059 SSL_SESSION *sess = NULL;
5060 const unsigned char *emptycontext = NULL;
5061 unsigned char ckeymat1[80], ckeymat2[80];
5062 unsigned char skeymat1[80], skeymat2[80];
5063 unsigned char buf[1];
5064 size_t readbytes, written;
5066 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5070 /* Here writing 0 length early data is enough. */
5071 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5072 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5074 SSL_READ_EARLY_DATA_ERROR)
5075 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5076 SSL_EARLY_DATA_ACCEPTED))
5079 if (!TEST_int_eq(SSL_export_keying_material_early(
5080 clientssl, ckeymat1, sizeof(ckeymat1), label,
5081 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5082 || !TEST_int_eq(SSL_export_keying_material_early(
5083 clientssl, ckeymat2, sizeof(ckeymat2), label,
5084 sizeof(label) - 1, emptycontext, 0), 1)
5085 || !TEST_int_eq(SSL_export_keying_material_early(
5086 serverssl, skeymat1, sizeof(skeymat1), label,
5087 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5088 || !TEST_int_eq(SSL_export_keying_material_early(
5089 serverssl, skeymat2, sizeof(skeymat2), label,
5090 sizeof(label) - 1, emptycontext, 0), 1)
5092 * Check that both sides created the same key material with the
5095 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5098 * Check that both sides created the same key material with an
5101 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5103 /* Different contexts should produce different results */
5104 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5111 SSL_SESSION_free(sess);
5112 SSL_SESSION_free(clientpsk);
5113 SSL_SESSION_free(serverpsk);
5114 clientpsk = serverpsk = NULL;
5115 SSL_free(serverssl);
5116 SSL_free(clientssl);
5123 #define NUM_KEY_UPDATE_MESSAGES 40
5127 static int test_key_update(void)
5129 SSL_CTX *cctx = NULL, *sctx = NULL;
5130 SSL *clientssl = NULL, *serverssl = NULL;
5131 int testresult = 0, i, j;
5133 static char *mess = "A test message";
5135 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5136 TLS_client_method(),
5139 &sctx, &cctx, cert, privkey))
5140 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5142 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5146 for (j = 0; j < 2; j++) {
5147 /* Send lots of KeyUpdate messages */
5148 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5149 if (!TEST_true(SSL_key_update(clientssl,
5151 ? SSL_KEY_UPDATE_NOT_REQUESTED
5152 : SSL_KEY_UPDATE_REQUESTED))
5153 || !TEST_true(SSL_do_handshake(clientssl)))
5157 /* Check that sending and receiving app data is ok */
5158 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5159 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5163 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5164 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5172 SSL_free(serverssl);
5173 SSL_free(clientssl);
5181 * Test we can handle a KeyUpdate (update requested) message while write data
5183 * Test 0: Client sends KeyUpdate while Server is writing
5184 * Test 1: Server sends KeyUpdate while Client is writing
5186 static int test_key_update_in_write(int tst)
5188 SSL_CTX *cctx = NULL, *sctx = NULL;
5189 SSL *clientssl = NULL, *serverssl = NULL;
5192 static char *mess = "A test message";
5193 BIO *bretry = BIO_new(bio_s_always_retry());
5195 SSL *peerupdate = NULL, *peerwrite = NULL;
5197 if (!TEST_ptr(bretry)
5198 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5199 TLS_client_method(),
5202 &sctx, &cctx, cert, privkey))
5203 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5205 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5209 peerupdate = tst == 0 ? clientssl : serverssl;
5210 peerwrite = tst == 0 ? serverssl : clientssl;
5212 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5213 || !TEST_true(SSL_do_handshake(peerupdate)))
5216 /* Swap the writing endpoint's write BIO to force a retry */
5217 tmp = SSL_get_wbio(peerwrite);
5218 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5222 SSL_set0_wbio(peerwrite, bretry);
5225 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5226 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5227 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5230 /* Reinstate the original writing endpoint's write BIO */
5231 SSL_set0_wbio(peerwrite, tmp);
5234 /* Now read some data - we will read the key update */
5235 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5236 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5240 * Complete the write we started previously and read it from the other
5243 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5244 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5247 /* Write more data to ensure we send the KeyUpdate message back */
5248 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5249 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5255 SSL_free(serverssl);
5256 SSL_free(clientssl);
5264 #endif /* OPENSSL_NO_TLS1_3 */
5266 static int test_ssl_clear(int idx)
5268 SSL_CTX *cctx = NULL, *sctx = NULL;
5269 SSL *clientssl = NULL, *serverssl = NULL;
5272 #ifdef OPENSSL_NO_TLS1_2
5277 /* Create an initial connection */
5278 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5280 &sctx, &cctx, cert, privkey))
5282 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5284 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5285 &clientssl, NULL, NULL))
5286 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5290 SSL_shutdown(clientssl);
5291 SSL_shutdown(serverssl);
5292 SSL_free(serverssl);
5295 /* Clear clientssl - we're going to reuse the object */
5296 if (!TEST_true(SSL_clear(clientssl)))
5299 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5301 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5303 || !TEST_true(SSL_session_reused(clientssl)))
5306 SSL_shutdown(clientssl);
5307 SSL_shutdown(serverssl);
5312 SSL_free(serverssl);
5313 SSL_free(clientssl);
5320 /* Parse CH and retrieve any MFL extension value if present */
5321 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5324 unsigned char *data;
5325 PACKET pkt, pkt2, pkt3;
5326 unsigned int MFL_code = 0, type = 0;
5328 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5331 memset(&pkt, 0, sizeof(pkt));
5332 memset(&pkt2, 0, sizeof(pkt2));
5333 memset(&pkt3, 0, sizeof(pkt3));
5335 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5336 /* Skip the record header */
5337 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5338 /* Skip the handshake message header */
5339 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5340 /* Skip client version and random */
5341 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5342 + SSL3_RANDOM_SIZE))
5343 /* Skip session id */
5344 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5346 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5347 /* Skip compression */
5348 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5349 /* Extensions len */
5350 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5353 /* Loop through all extensions */
5354 while (PACKET_remaining(&pkt2)) {
5355 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5356 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5359 if (type == TLSEXT_TYPE_max_fragment_length) {
5360 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5361 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5364 *mfl_codemfl_code = MFL_code;
5373 /* Maximum-Fragment-Length TLS extension mode to test */
5374 static const unsigned char max_fragment_len_test[] = {
5375 TLSEXT_max_fragment_length_512,
5376 TLSEXT_max_fragment_length_1024,
5377 TLSEXT_max_fragment_length_2048,
5378 TLSEXT_max_fragment_length_4096
5381 static int test_max_fragment_len_ext(int idx_tst)
5385 int testresult = 0, MFL_mode = 0;
5388 ctx = SSL_CTX_new(TLS_method());
5392 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5393 ctx, max_fragment_len_test[idx_tst])))
5400 rbio = BIO_new(BIO_s_mem());
5401 wbio = BIO_new(BIO_s_mem());
5402 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5408 SSL_set_bio(con, rbio, wbio);
5409 SSL_set_connect_state(con);
5411 if (!TEST_int_le(SSL_connect(con), 0)) {
5412 /* This shouldn't succeed because we don't have a server! */
5416 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5417 /* no MFL in client hello */
5419 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5431 #ifndef OPENSSL_NO_TLS1_3
5432 static int test_pha_key_update(void)
5434 SSL_CTX *cctx = NULL, *sctx = NULL;
5435 SSL *clientssl = NULL, *serverssl = NULL;
5438 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5440 &sctx, &cctx, cert, privkey)))
5443 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5444 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5445 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5446 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5449 SSL_CTX_set_post_handshake_auth(cctx, 1);
5451 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5455 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5459 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5460 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5463 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5466 /* Start handshake on the server */
5467 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5470 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5471 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5475 SSL_shutdown(clientssl);
5476 SSL_shutdown(serverssl);
5481 SSL_free(serverssl);
5482 SSL_free(clientssl);
5489 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5491 static SRP_VBASE *vbase = NULL;
5493 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5495 int ret = SSL3_AL_FATAL;
5497 SRP_user_pwd *user = NULL;
5499 username = SSL_get_srp_username(s);
5500 if (username == NULL) {
5501 *ad = SSL_AD_INTERNAL_ERROR;
5505 user = SRP_VBASE_get1_by_user(vbase, username);
5507 *ad = SSL_AD_INTERNAL_ERROR;
5511 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5513 *ad = SSL_AD_INTERNAL_ERROR;
5520 SRP_user_pwd_free(user);
5524 static int create_new_vfile(char *userid, char *password, const char *filename)
5527 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5530 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5533 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5536 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5537 &row[DB_srpverifier], NULL, NULL);
5538 if (!TEST_ptr(gNid))
5542 * The only way to create an empty TXT_DB is to provide a BIO with no data
5545 db = TXT_DB_read(dummy, DB_NUMBER);
5549 out = BIO_new_file(filename, "w");
5553 row[DB_srpid] = OPENSSL_strdup(userid);
5554 row[DB_srptype] = OPENSSL_strdup("V");
5555 row[DB_srpgN] = OPENSSL_strdup(gNid);
5557 if (!TEST_ptr(row[DB_srpid])
5558 || !TEST_ptr(row[DB_srptype])
5559 || !TEST_ptr(row[DB_srpgN])
5560 || !TEST_true(TXT_DB_insert(db, row)))
5565 if (!TXT_DB_write(out, db))
5571 for (i = 0; i < DB_NUMBER; i++)
5572 OPENSSL_free(row[i]);
5582 static int create_new_vbase(char *userid, char *password)
5584 BIGNUM *verifier = NULL, *salt = NULL;
5585 const SRP_gN *lgN = NULL;
5586 SRP_user_pwd *user_pwd = NULL;
5589 lgN = SRP_get_default_gN(NULL);
5593 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5597 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5598 if (!TEST_ptr(user_pwd))
5601 user_pwd->N = lgN->N;
5602 user_pwd->g = lgN->g;
5603 user_pwd->id = OPENSSL_strdup(userid);
5604 if (!TEST_ptr(user_pwd->id))
5607 user_pwd->v = verifier;
5609 verifier = salt = NULL;
5611 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5617 SRP_user_pwd_free(user_pwd);
5627 * Test 0: Simple successful SRP connection, new vbase
5628 * Test 1: Connection failure due to bad password, new vbase
5629 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5630 * Test 3: Connection failure due to bad password, vbase loaded from existing
5632 * Test 4: Simple successful SRP connection, vbase loaded from new file
5633 * Test 5: Connection failure due to bad password, vbase loaded from new file
5635 static int test_srp(int tst)
5637 char *userid = "test", *password = "password", *tstsrpfile;
5638 SSL_CTX *cctx = NULL, *sctx = NULL;
5639 SSL *clientssl = NULL, *serverssl = NULL;
5640 int ret, testresult = 0;
5642 vbase = SRP_VBASE_new(NULL);
5643 if (!TEST_ptr(vbase))
5646 if (tst == 0 || tst == 1) {
5647 if (!TEST_true(create_new_vbase(userid, password)))
5650 if (tst == 4 || tst == 5) {
5651 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5653 tstsrpfile = tmpfilename;
5655 tstsrpfile = srpvfile;
5657 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5661 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5663 &sctx, &cctx, cert, privkey)))
5666 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5667 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5668 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5669 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5670 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5674 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5677 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5681 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5685 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5687 if (!TEST_true(tst % 2 == 0))
5690 if (!TEST_true(tst % 2 == 1))
5697 SRP_VBASE_free(vbase);
5699 SSL_free(serverssl);
5700 SSL_free(clientssl);
5708 static int info_cb_failed = 0;
5709 static int info_cb_offset = 0;
5710 static int info_cb_this_state = -1;
5712 static struct info_cb_states_st {
5714 const char *statestr;
5715 } info_cb_states[][60] = {
5717 /* TLSv1.2 server followed by resumption */
5718 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5719 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5720 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5721 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5722 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5723 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5724 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5725 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5726 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5727 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5728 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5729 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5730 {SSL_CB_EXIT, NULL}, {0, NULL},
5732 /* TLSv1.2 client followed by resumption */
5733 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5734 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5735 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5736 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5737 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5738 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5739 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5740 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5741 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5742 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5743 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5744 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5746 /* TLSv1.3 server followed by resumption */
5747 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5748 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5749 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5750 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5751 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5752 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5753 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5754 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5755 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5756 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5757 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5758 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5759 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5761 /* TLSv1.3 client followed by resumption */
5762 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5763 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5764 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5765 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5766 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5767 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5768 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5769 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5770 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5771 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5772 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5773 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5774 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5775 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5776 {SSL_CB_EXIT, NULL}, {0, NULL},
5778 /* TLSv1.3 server, early_data */
5779 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5780 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5781 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5782 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5783 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5784 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5785 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5786 {SSL_CB_EXIT, NULL}, {0, NULL},
5788 /* TLSv1.3 client, early_data */
5789 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5790 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5791 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5792 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5793 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5794 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5795 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5796 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5797 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5803 static void sslapi_info_callback(const SSL *s, int where, int ret)
5805 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5807 /* We do not ever expect a connection to fail in this test */
5808 if (!TEST_false(ret == 0)) {
5814 * Do some sanity checks. We never expect these things to happen in this
5817 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5818 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5819 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5824 /* Now check we're in the right state */
5825 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5829 if ((where & SSL_CB_LOOP) != 0
5830 && !TEST_int_eq(strcmp(SSL_state_string(s),
5831 state[info_cb_this_state].statestr), 0)) {
5837 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5839 if ((where & SSL_CB_HANDSHAKE_DONE)
5840 && SSL_in_init((SSL *)s) != 0) {
5847 * Test the info callback gets called when we expect it to.
5849 * Test 0: TLSv1.2, server
5850 * Test 1: TLSv1.2, client
5851 * Test 2: TLSv1.3, server
5852 * Test 3: TLSv1.3, client
5853 * Test 4: TLSv1.3, server, early_data
5854 * Test 5: TLSv1.3, client, early_data
5856 static int test_info_callback(int tst)
5858 SSL_CTX *cctx = NULL, *sctx = NULL;
5859 SSL *clientssl = NULL, *serverssl = NULL;
5860 SSL_SESSION *clntsess = NULL;
5865 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5866 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5867 || !defined(OPENSSL_NO_DH))
5868 tlsvers = TLS1_2_VERSION;
5873 #ifndef OPENSSL_NO_TLS1_3
5874 tlsvers = TLS1_3_VERSION;
5882 info_cb_this_state = -1;
5883 info_cb_offset = tst;
5885 #ifndef OPENSSL_NO_TLS1_3
5887 SSL_SESSION *sess = NULL;
5888 size_t written, readbytes;
5889 unsigned char buf[80];
5891 /* early_data tests */
5892 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5893 &serverssl, &sess, 0)))
5896 /* We don't actually need this reference */
5897 SSL_SESSION_free(sess);
5899 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5900 sslapi_info_callback);
5902 /* Write and read some early data and then complete the connection */
5903 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5905 || !TEST_size_t_eq(written, strlen(MSG1))
5906 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5907 sizeof(buf), &readbytes),
5908 SSL_READ_EARLY_DATA_SUCCESS)
5909 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5910 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5911 SSL_EARLY_DATA_ACCEPTED)
5912 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5914 || !TEST_false(info_cb_failed))
5922 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5923 TLS_client_method(),
5924 tlsvers, tlsvers, &sctx, &cctx, cert,
5929 * For even numbered tests we check the server callbacks. For odd numbers we
5932 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5933 sslapi_info_callback);
5935 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5936 &clientssl, NULL, NULL))
5937 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5939 || !TEST_false(info_cb_failed))
5944 clntsess = SSL_get1_session(clientssl);
5945 SSL_shutdown(clientssl);
5946 SSL_shutdown(serverssl);
5947 SSL_free(serverssl);
5948 SSL_free(clientssl);
5949 serverssl = clientssl = NULL;
5951 /* Now do a resumption */
5952 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5954 || !TEST_true(SSL_set_session(clientssl, clntsess))
5955 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5957 || !TEST_true(SSL_session_reused(clientssl))
5958 || !TEST_false(info_cb_failed))
5964 SSL_free(serverssl);
5965 SSL_free(clientssl);
5966 SSL_SESSION_free(clntsess);
5972 static int test_ssl_pending(int tst)
5974 SSL_CTX *cctx = NULL, *sctx = NULL;
5975 SSL *clientssl = NULL, *serverssl = NULL;
5977 char msg[] = "A test message";
5979 size_t written, readbytes;
5982 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5983 TLS_client_method(),
5985 &sctx, &cctx, cert, privkey)))
5988 #ifndef OPENSSL_NO_DTLS
5989 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5990 DTLS_client_method(),
5992 &sctx, &cctx, cert, privkey)))
5999 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6001 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6005 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6006 || !TEST_false(SSL_has_pending(clientssl))
6007 || !TEST_int_eq(SSL_pending(serverssl), 0)
6008 || !TEST_false(SSL_has_pending(serverssl))
6009 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6010 || !TEST_size_t_eq(written, sizeof(msg))
6011 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6012 || !TEST_size_t_eq(readbytes, sizeof(buf))
6013 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6014 || !TEST_true(SSL_has_pending(clientssl)))
6020 SSL_free(serverssl);
6021 SSL_free(clientssl);
6029 unsigned int maxprot;
6030 const char *clntciphers;
6031 const char *clnttls13ciphers;
6032 const char *srvrciphers;
6033 const char *srvrtls13ciphers;
6035 } shared_ciphers_data[] = {
6037 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6038 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6040 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6043 "AES128-SHA:AES256-SHA",
6045 "AES256-SHA:DHE-RSA-AES128-SHA",
6051 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6053 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6055 "AES128-SHA:AES256-SHA"
6059 "AES128-SHA:AES256-SHA",
6061 "AES128-SHA:DHE-RSA-AES128-SHA",
6067 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6070 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6071 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6074 "AES128-SHA:AES256-SHA",
6076 "AES256-SHA:AES128-SHA256",
6078 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6079 "TLS_AES_128_GCM_SHA256:AES256-SHA"
6082 #ifndef OPENSSL_NO_TLS1_3
6086 "TLS_AES_256_GCM_SHA384",
6088 "TLS_AES_256_GCM_SHA384",
6089 "TLS_AES_256_GCM_SHA384"
6094 static int test_ssl_get_shared_ciphers(int tst)
6096 SSL_CTX *cctx = NULL, *sctx = NULL;
6097 SSL *clientssl = NULL, *serverssl = NULL;
6101 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6102 TLS_client_method(),
6104 shared_ciphers_data[tst].maxprot,
6105 &sctx, &cctx, cert, privkey)))
6108 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6109 shared_ciphers_data[tst].clntciphers))
6110 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6111 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6112 shared_ciphers_data[tst].clnttls13ciphers)))
6113 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6114 shared_ciphers_data[tst].srvrciphers))
6115 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6116 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6117 shared_ciphers_data[tst].srvrtls13ciphers))))
6121 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6123 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6127 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6128 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6129 TEST_info("Shared ciphers are: %s\n", buf);
6136 SSL_free(serverssl);
6137 SSL_free(clientssl);
6144 static const char *appdata = "Hello World";
6145 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6146 static int tick_key_renew = 0;
6147 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6149 static int gen_tick_cb(SSL *s, void *arg)
6151 gen_tick_called = 1;
6153 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6157 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6158 const unsigned char *keyname,
6159 size_t keyname_length,
6160 SSL_TICKET_STATUS status,
6166 dec_tick_called = 1;
6168 if (status == SSL_TICKET_EMPTY)
6169 return SSL_TICKET_RETURN_IGNORE_RENEW;
6171 if (!TEST_true(status == SSL_TICKET_SUCCESS
6172 || status == SSL_TICKET_SUCCESS_RENEW))
6173 return SSL_TICKET_RETURN_ABORT;
6175 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6177 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6178 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6179 return SSL_TICKET_RETURN_ABORT;
6181 if (tick_key_cb_called) {
6182 /* Don't change what the ticket key callback wanted to do */
6184 case SSL_TICKET_NO_DECRYPT:
6185 return SSL_TICKET_RETURN_IGNORE_RENEW;
6187 case SSL_TICKET_SUCCESS:
6188 return SSL_TICKET_RETURN_USE;
6190 case SSL_TICKET_SUCCESS_RENEW:
6191 return SSL_TICKET_RETURN_USE_RENEW;
6194 return SSL_TICKET_RETURN_ABORT;
6197 return tick_dec_ret;
6201 #ifndef OPENSSL_NO_DEPRECATED_3_0
6202 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6203 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6204 HMAC_CTX *hctx, int enc)
6206 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6207 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6209 tick_key_cb_called = 1;
6210 memset(iv, 0, AES_BLOCK_SIZE);
6211 memset(key_name, 0, 16);
6212 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6213 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
6214 EVP_sha256(), NULL))
6217 return tick_key_renew ? 2 : 1;
6221 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6222 unsigned char iv[EVP_MAX_IV_LENGTH],
6223 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6225 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6226 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6227 OSSL_PARAM params[3];
6229 tick_key_cb_called = 1;
6230 memset(iv, 0, AES_BLOCK_SIZE);
6231 memset(key_name, 0, 16);
6232 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6234 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6236 sizeof(tick_hmac_key));
6237 params[2] = OSSL_PARAM_construct_end();
6238 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6239 || !EVP_MAC_CTX_set_params(hctx, params)
6240 || !EVP_MAC_init(hctx))
6243 return tick_key_renew ? 2 : 1;
6247 * Test the various ticket callbacks
6248 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6249 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6250 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6251 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6252 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6253 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6254 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6255 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6256 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6257 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6258 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6259 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6260 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6261 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6262 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6263 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6265 static int test_ticket_callbacks(int tst)
6267 SSL_CTX *cctx = NULL, *sctx = NULL;
6268 SSL *clientssl = NULL, *serverssl = NULL;
6269 SSL_SESSION *clntsess = NULL;
6272 #ifdef OPENSSL_NO_TLS1_2
6276 #ifdef OPENSSL_NO_TLS1_3
6280 #ifdef OPENSSL_NO_DEPRECATED_3_0
6281 if (tst >= 8 && tst <= 11)
6285 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6287 /* Which tests the ticket key callback should request renewal for */
6288 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6293 /* Which tests the decrypt ticket callback should request renewal for */
6297 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6302 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6307 tick_dec_ret = SSL_TICKET_RETURN_USE;
6312 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6316 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6319 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6320 TLS_client_method(),
6322 ((tst % 2) == 0) ? TLS1_2_VERSION
6324 &sctx, &cctx, cert, privkey)))
6328 * We only want sessions to resume from tickets - not the session cache. So
6329 * switch the cache off.
6331 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6334 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6339 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6341 #ifndef OPENSSL_NO_DEPRECATED_3_0
6342 } else if (tst >= 8) {
6343 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6348 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6350 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6355 * The decrypt ticket key callback in TLSv1.2 should be called even though
6356 * we have no ticket yet, because it gets called with a status of
6357 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6358 * actually send any ticket data). This does not happen in TLSv1.3 because
6359 * it is not valid to send empty ticket data in TLSv1.3.
6361 if (!TEST_int_eq(gen_tick_called, 1)
6362 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6365 gen_tick_called = dec_tick_called = 0;
6367 clntsess = SSL_get1_session(clientssl);
6368 SSL_shutdown(clientssl);
6369 SSL_shutdown(serverssl);
6370 SSL_free(serverssl);
6371 SSL_free(clientssl);
6372 serverssl = clientssl = NULL;
6374 /* Now do a resumption */
6375 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6377 || !TEST_true(SSL_set_session(clientssl, clntsess))
6378 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6382 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6383 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6384 if (!TEST_false(SSL_session_reused(clientssl)))
6387 if (!TEST_true(SSL_session_reused(clientssl)))
6391 if (!TEST_int_eq(gen_tick_called,
6393 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6394 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6396 || !TEST_int_eq(dec_tick_called, 1))
6402 SSL_SESSION_free(clntsess);
6403 SSL_free(serverssl);
6404 SSL_free(clientssl);
6412 * Test bi-directional shutdown.
6414 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6415 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6416 * Test 3: TLSv1.3, pending NewSessionTicket messages
6417 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6418 * sends key update, client reads it
6419 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6420 * sends CertificateRequest, client reads and ignores it
6421 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6424 static int test_shutdown(int tst)
6426 SSL_CTX *cctx = NULL, *sctx = NULL;
6427 SSL *clientssl = NULL, *serverssl = NULL;
6429 char msg[] = "A test message";
6431 size_t written, readbytes;
6434 #ifdef OPENSSL_NO_TLS1_2
6438 #ifdef OPENSSL_NO_TLS1_3
6443 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6444 TLS_client_method(),
6446 (tst <= 1) ? TLS1_2_VERSION
6448 &sctx, &cctx, cert, privkey)))
6452 SSL_CTX_set_post_handshake_auth(cctx, 1);
6454 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6459 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6461 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6462 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6464 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6466 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6467 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6471 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6476 * Reading on the server after the client has sent close_notify should
6477 * fail and provide SSL_ERROR_ZERO_RETURN
6479 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6480 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6481 SSL_ERROR_ZERO_RETURN)
6482 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6483 SSL_RECEIVED_SHUTDOWN)
6485 * Even though we're shutdown on receive we should still be
6488 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6491 && !TEST_true(SSL_key_update(serverssl,
6492 SSL_KEY_UPDATE_REQUESTED)))
6495 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6496 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6499 if ((tst == 4 || tst == 5)
6500 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6502 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6504 if (tst == 4 || tst == 5) {
6505 /* Should still be able to read data from server */
6506 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6508 || !TEST_size_t_eq(readbytes, sizeof(msg))
6509 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6510 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6512 || !TEST_size_t_eq(readbytes, sizeof(msg))
6513 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6518 /* Writing on the client after sending close_notify shouldn't be possible */
6519 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6524 * For these tests the client has sent close_notify but it has not yet
6525 * been received by the server. The server has not sent close_notify
6528 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6530 * Writing on the server after sending close_notify shouldn't
6533 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6534 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6535 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6536 || !TEST_true(SSL_SESSION_is_resumable(sess))
6537 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6539 } else if (tst == 4 || tst == 5) {
6541 * In this test the client has sent close_notify and it has been
6542 * received by the server which has responded with a close_notify. The
6543 * client needs to read the close_notify sent by the server.
6545 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6546 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6547 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6553 * The client has sent close_notify and is expecting a close_notify
6554 * back, but instead there is application data first. The shutdown
6555 * should fail with a fatal error.
6557 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6558 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6565 SSL_free(serverssl);
6566 SSL_free(clientssl);
6573 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6574 static int cert_cb_cnt;
6576 static int cert_cb(SSL *s, void *arg)
6578 SSL_CTX *ctx = (SSL_CTX *)arg;
6580 EVP_PKEY *pkey = NULL;
6581 X509 *x509 = NULL, *rootx = NULL;
6582 STACK_OF(X509) *chain = NULL;
6583 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6586 if (cert_cb_cnt == 0) {
6587 /* Suspend the handshake */
6590 } else if (cert_cb_cnt == 1) {
6592 * Update the SSL_CTX, set the certificate and private key and then
6593 * continue the handshake normally.
6595 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6598 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6599 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6601 || !TEST_true(SSL_check_private_key(s)))
6605 } else if (cert_cb_cnt == 3) {
6608 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6609 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6610 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6611 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6613 chain = sk_X509_new_null();
6614 if (!TEST_ptr(chain))
6616 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6617 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6618 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6619 || !TEST_true(sk_X509_push(chain, rootx)))
6623 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6624 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6625 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6628 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6629 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6630 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6632 rv = SSL_check_chain(s, x509, pkey, chain);
6634 * If the cert doesn't show as valid here (e.g., because we don't
6635 * have any shared sigalgs), then we will not set it, and there will
6636 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6637 * will cause tls_choose_sigalgs() to fail the connection.
6639 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6640 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6641 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6648 /* Abort the handshake */
6650 OPENSSL_free(ecdsacert);
6651 OPENSSL_free(ecdsakey);
6652 OPENSSL_free(rootfile);
6654 EVP_PKEY_free(pkey);
6657 sk_X509_pop_free(chain, X509_free);
6662 * Test the certificate callback.
6663 * Test 0: Callback fails
6664 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6665 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6666 * Test 3: Success - Call SSL_check_chain from the callback
6667 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6669 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6671 static int test_cert_cb_int(int prot, int tst)
6673 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6674 SSL *clientssl = NULL, *serverssl = NULL;
6675 int testresult = 0, ret;
6677 #ifdef OPENSSL_NO_EC
6678 /* We use an EC cert in these tests, so we skip in a no-ec build */
6683 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6684 TLS_client_method(),
6687 &sctx, &cctx, NULL, NULL)))
6698 snictx = SSL_CTX_new(TLS_server_method());
6699 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6701 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6707 * We cause SSL_check_chain() to fail by specifying sig_algs that
6708 * the chain doesn't meet (the root uses an RSA cert)
6710 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6711 "ecdsa_secp256r1_sha256")))
6713 } else if (tst == 5) {
6715 * We cause SSL_check_chain() to fail by specifying sig_algs that
6716 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6718 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6719 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6723 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6724 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6726 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6733 SSL_free(serverssl);
6734 SSL_free(clientssl);
6737 SSL_CTX_free(snictx);
6743 static int test_cert_cb(int tst)
6747 #ifndef OPENSSL_NO_TLS1_2
6748 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6750 #ifndef OPENSSL_NO_TLS1_3
6751 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6757 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6763 /* Check that SSL_get_peer_certificate() returns something sensible */
6764 peer = SSL_get_peer_certificate(ssl);
6765 if (!TEST_ptr(peer))
6769 in = BIO_new_file(cert, "r");
6773 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6775 if (!TEST_ptr(xcert))
6778 in = BIO_new_file(privkey, "r");
6779 if (!TEST_ptr(in)) {
6784 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6786 if (!TEST_ptr(privpkey)) {
6797 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6802 static int test_client_cert_cb(int tst)
6804 SSL_CTX *cctx = NULL, *sctx = NULL;
6805 SSL *clientssl = NULL, *serverssl = NULL;
6808 #ifdef OPENSSL_NO_TLS1_2
6812 #ifdef OPENSSL_NO_TLS1_3
6817 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6818 TLS_client_method(),
6820 tst == 0 ? TLS1_2_VERSION
6822 &sctx, &cctx, cert, privkey)))
6826 * Test that setting a client_cert_cb results in a client certificate being
6829 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6830 SSL_CTX_set_verify(sctx,
6831 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6834 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6836 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6843 SSL_free(serverssl);
6844 SSL_free(clientssl);
6851 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6853 * Test setting certificate authorities on both client and server.
6855 * Test 0: SSL_CTX_set0_CA_list() only
6856 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6857 * Test 2: Only SSL_CTX_set_client_CA_list()
6859 static int test_ca_names_int(int prot, int tst)
6861 SSL_CTX *cctx = NULL, *sctx = NULL;
6862 SSL *clientssl = NULL, *serverssl = NULL;
6865 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6866 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6867 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6868 const STACK_OF(X509_NAME) *sktmp = NULL;
6870 for (i = 0; i < OSSL_NELEM(name); i++) {
6871 name[i] = X509_NAME_new();
6872 if (!TEST_ptr(name[i])
6873 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6881 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6882 TLS_client_method(),
6885 &sctx, &cctx, cert, privkey)))
6888 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6890 if (tst == 0 || tst == 1) {
6891 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6892 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6893 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6894 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6895 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6896 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6899 SSL_CTX_set0_CA_list(sctx, sk1);
6900 SSL_CTX_set0_CA_list(cctx, sk2);
6903 if (tst == 1 || tst == 2) {
6904 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6905 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6906 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6907 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6908 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6909 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6912 SSL_CTX_set_client_CA_list(sctx, sk1);
6913 SSL_CTX_set_client_CA_list(cctx, sk2);
6917 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6919 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6924 * We only expect certificate authorities to have been sent to the server
6925 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6927 sktmp = SSL_get0_peer_CA_list(serverssl);
6928 if (prot == TLS1_3_VERSION
6929 && (tst == 0 || tst == 1)) {
6930 if (!TEST_ptr(sktmp)
6931 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6932 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6934 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6937 } else if (!TEST_ptr_null(sktmp)) {
6942 * In all tests we expect certificate authorities to have been sent to the
6943 * client. However, SSL_set_client_CA_list() should override
6944 * SSL_set0_CA_list()
6946 sktmp = SSL_get0_peer_CA_list(clientssl);
6947 if (!TEST_ptr(sktmp)
6948 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6949 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6950 name[tst == 0 ? 0 : 2]), 0)
6951 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6952 name[tst == 0 ? 1 : 3]), 0))
6958 SSL_free(serverssl);
6959 SSL_free(clientssl);
6962 for (i = 0; i < OSSL_NELEM(name); i++)
6963 X509_NAME_free(name[i]);
6964 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6965 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6971 static int test_ca_names(int tst)
6975 #ifndef OPENSSL_NO_TLS1_2
6976 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6978 #ifndef OPENSSL_NO_TLS1_3
6979 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6985 #ifndef OPENSSL_NO_TLS1_2
6986 static const char *multiblock_cipherlist_data[]=
6994 /* Reduce the fragment size - so the multiblock test buffer can be small */
6995 # define MULTIBLOCK_FRAGSIZE 512
6997 static int test_multiblock_write(int test_index)
6999 static const char *fetchable_ciphers[]=
7001 "AES-128-CBC-HMAC-SHA1",
7002 "AES-128-CBC-HMAC-SHA256",
7003 "AES-256-CBC-HMAC-SHA1",
7004 "AES-256-CBC-HMAC-SHA256"
7006 const char *cipherlist = multiblock_cipherlist_data[test_index];
7007 const SSL_METHOD *smeth = TLS_server_method();
7008 const SSL_METHOD *cmeth = TLS_client_method();
7009 int min_version = TLS1_VERSION;
7010 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7011 SSL_CTX *cctx = NULL, *sctx = NULL;
7012 SSL *clientssl = NULL, *serverssl = NULL;
7016 * Choose a buffer large enough to perform a multi-block operation
7017 * i.e: write_len >= 4 * frag_size
7018 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7020 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7021 unsigned char buf[sizeof(msg)], *p = buf;
7022 size_t readbytes, written, len;
7023 EVP_CIPHER *ciph = NULL;
7026 * Check if the cipher exists before attempting to use it since it only has
7027 * a hardware specific implementation.
7029 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7031 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7034 EVP_CIPHER_free(ciph);
7036 /* Set up a buffer with some data that will be sent to the client */
7037 RAND_bytes(msg, sizeof(msg));
7039 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
7040 &sctx, &cctx, cert, privkey)))
7043 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7046 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7050 /* settings to force it to use AES-CBC-HMAC_SHA */
7051 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7052 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7055 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7058 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7059 || !TEST_size_t_eq(written, sizeof(msg)))
7064 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7069 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7074 SSL_free(serverssl);
7075 SSL_free(clientssl);
7081 #endif /* OPENSSL_NO_TLS1_2 */
7084 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7085 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7086 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7087 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7088 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7089 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7090 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7091 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7092 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7093 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7095 static int test_servername(int tst)
7097 SSL_CTX *cctx = NULL, *sctx = NULL;
7098 SSL *clientssl = NULL, *serverssl = NULL;
7100 SSL_SESSION *sess = NULL;
7101 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7103 #ifdef OPENSSL_NO_TLS1_2
7107 #ifdef OPENSSL_NO_TLS1_3
7112 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
7113 TLS_client_method(),
7115 (tst <= 4) ? TLS1_2_VERSION
7117 &sctx, &cctx, cert, privkey))
7118 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7122 if (tst != 1 && tst != 6) {
7123 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7128 if (tst != 3 && tst != 8) {
7129 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7131 sexpectedhost = cexpectedhost = "goodhost";
7134 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7137 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7139 || !TEST_str_eq(SSL_get_servername(serverssl,
7140 TLSEXT_NAMETYPE_host_name),
7144 /* Now repeat with a resumption handshake */
7146 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7147 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7148 || !TEST_true(SSL_SESSION_is_resumable(sess))
7149 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7152 SSL_free(clientssl);
7153 SSL_free(serverssl);
7154 clientssl = serverssl = NULL;
7156 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7160 if (!TEST_true(SSL_set_session(clientssl, sess)))
7163 sexpectedhost = cexpectedhost = "goodhost";
7164 if (tst == 2 || tst == 7) {
7165 /* Set an inconsistent hostname */
7166 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7169 * In TLSv1.2 we expect the hostname from the original handshake, in
7170 * TLSv1.3 we expect the hostname from this handshake
7173 sexpectedhost = cexpectedhost = "altgoodhost";
7175 if (!TEST_str_eq(SSL_get_servername(clientssl,
7176 TLSEXT_NAMETYPE_host_name),
7179 } else if (tst == 4 || tst == 9) {
7181 * A TLSv1.3 session does not associate a session with a servername,
7182 * but a TLSv1.2 session does.
7185 sexpectedhost = cexpectedhost = NULL;
7187 if (!TEST_str_eq(SSL_get_servername(clientssl,
7188 TLSEXT_NAMETYPE_host_name),
7192 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7195 * In a TLSv1.2 resumption where the hostname was not acknowledged
7196 * we expect the hostname on the server to be empty. On the client we
7197 * return what was requested in this case.
7199 * Similarly if the client didn't set a hostname on an original TLSv1.2
7200 * session but is now, the server hostname will be empty, but the client
7203 if (tst == 1 || tst == 3)
7204 sexpectedhost = NULL;
7206 if (!TEST_str_eq(SSL_get_servername(clientssl,
7207 TLSEXT_NAMETYPE_host_name),
7212 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7215 if (!TEST_true(SSL_session_reused(clientssl))
7216 || !TEST_true(SSL_session_reused(serverssl))
7217 || !TEST_str_eq(SSL_get_servername(clientssl,
7218 TLSEXT_NAMETYPE_host_name),
7220 || !TEST_str_eq(SSL_get_servername(serverssl,
7221 TLSEXT_NAMETYPE_host_name),
7228 SSL_SESSION_free(sess);
7229 SSL_free(serverssl);
7230 SSL_free(clientssl);
7237 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
7239 int setup_tests(void)
7241 if (!test_skip_common_options()) {
7242 TEST_error("Error parsing test options\n");
7246 if (!TEST_ptr(certsdir = test_get_argument(0))
7247 || !TEST_ptr(srpvfile = test_get_argument(1))
7248 || !TEST_ptr(tmpfilename = test_get_argument(2)))
7251 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7252 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7253 TEST_error("not supported in this build");
7256 int i, mcount, rcount, fcount;
7258 for (i = 0; i < 4; i++)
7259 test_export_key_mat(i);
7260 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7261 test_printf_stdout("malloc %d realloc %d free %d\n",
7262 mcount, rcount, fcount);
7267 cert = test_mk_file_path(certsdir, "servercert.pem");
7271 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7272 if (privkey == NULL) {
7277 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7278 && !defined(OPENSSL_NO_SOCK)
7279 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7280 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7281 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7282 ADD_TEST(test_ktls_client_no_txrx_server);
7283 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7284 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7285 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7286 ADD_TEST(test_ktls_client_no_rx_server);
7287 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7288 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7289 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7290 ADD_TEST(test_ktls_client_no_tx_server);
7291 ADD_TEST(test_ktls_no_txrx_client_server);
7292 ADD_TEST(test_ktls_no_rx_client_server);
7293 ADD_TEST(test_ktls_no_tx_client_server);
7294 ADD_TEST(test_ktls_client_server);
7295 ADD_TEST(test_ktls_sendfile);
7297 ADD_TEST(test_large_message_tls);
7298 ADD_TEST(test_large_message_tls_read_ahead);
7299 #ifndef OPENSSL_NO_DTLS
7300 ADD_TEST(test_large_message_dtls);
7302 #ifndef OPENSSL_NO_OCSP
7303 ADD_TEST(test_tlsext_status_type);
7305 ADD_TEST(test_session_with_only_int_cache);
7306 ADD_TEST(test_session_with_only_ext_cache);
7307 ADD_TEST(test_session_with_both_cache);
7308 #ifndef OPENSSL_NO_TLS1_3
7309 ADD_ALL_TESTS(test_stateful_tickets, 3);
7310 ADD_ALL_TESTS(test_stateless_tickets, 3);
7311 ADD_TEST(test_psk_tickets);
7313 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7314 ADD_TEST(test_ssl_bio_pop_next_bio);
7315 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7316 ADD_TEST(test_ssl_bio_change_rbio);
7317 ADD_TEST(test_ssl_bio_change_wbio);
7318 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7319 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7320 ADD_TEST(test_keylog);
7322 #ifndef OPENSSL_NO_TLS1_3
7323 ADD_TEST(test_keylog_no_master_key);
7325 #ifndef OPENSSL_NO_TLS1_2
7326 ADD_TEST(test_client_hello_cb);
7327 ADD_TEST(test_no_ems);
7328 ADD_TEST(test_ccs_change_cipher);
7330 #ifndef OPENSSL_NO_TLS1_3
7331 ADD_ALL_TESTS(test_early_data_read_write, 3);
7333 * We don't do replay tests for external PSK. Replay protection isn't used
7336 ADD_ALL_TESTS(test_early_data_replay, 2);
7337 ADD_ALL_TESTS(test_early_data_skip, 3);
7338 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7339 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7340 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7341 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7342 ADD_ALL_TESTS(test_early_data_psk, 8);
7343 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7344 # ifndef OPENSSL_NO_TLS1_2
7345 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7348 #ifndef OPENSSL_NO_TLS1_3
7349 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7350 ADD_TEST(test_ciphersuite_change);
7351 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7352 # ifdef OPENSSL_NO_PSK
7353 ADD_ALL_TESTS(test_tls13_psk, 1);
7355 ADD_ALL_TESTS(test_tls13_psk, 4);
7356 # endif /* OPENSSL_NO_PSK */
7357 # ifndef OPENSSL_NO_TLS1_2
7358 /* Test with both TLSv1.3 and 1.2 versions */
7359 ADD_ALL_TESTS(test_key_exchange, 14);
7361 /* Test with only TLSv1.3 versions */
7362 ADD_ALL_TESTS(test_key_exchange, 12);
7364 ADD_ALL_TESTS(test_custom_exts, 5);
7365 ADD_TEST(test_stateless);
7366 ADD_TEST(test_pha_key_update);
7368 ADD_ALL_TESTS(test_custom_exts, 3);
7370 ADD_ALL_TESTS(test_serverinfo, 8);
7371 ADD_ALL_TESTS(test_export_key_mat, 6);
7372 #ifndef OPENSSL_NO_TLS1_3
7373 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7374 ADD_TEST(test_key_update);
7375 ADD_ALL_TESTS(test_key_update_in_write, 2);
7377 ADD_ALL_TESTS(test_ssl_clear, 2);
7378 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7379 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7380 ADD_ALL_TESTS(test_srp, 6);
7382 ADD_ALL_TESTS(test_info_callback, 6);
7383 ADD_ALL_TESTS(test_ssl_pending, 2);
7384 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7385 ADD_ALL_TESTS(test_ticket_callbacks, 16);
7386 ADD_ALL_TESTS(test_shutdown, 7);
7387 ADD_ALL_TESTS(test_cert_cb, 6);
7388 ADD_ALL_TESTS(test_client_cert_cb, 2);
7389 ADD_ALL_TESTS(test_ca_names, 3);
7390 #ifndef OPENSSL_NO_TLS1_2
7391 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7393 ADD_ALL_TESTS(test_servername, 10);
7397 void cleanup_tests(void)
7400 OPENSSL_free(privkey);
7401 bio_s_mempacket_test_free();
7402 bio_s_always_retry_free();