2 * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "../ssl/ssl_locl.h"
27 #ifndef OPENSSL_NO_TLS1_3
29 static SSL_SESSION *clientpsk = NULL;
30 static SSL_SESSION *serverpsk = NULL;
31 static const char *pskid = "Identity";
32 static const char *srvid;
34 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
35 size_t *idlen, SSL_SESSION **sess);
36 static int find_session_cb(SSL *ssl, const unsigned char *identity,
37 size_t identity_len, SSL_SESSION **sess);
39 static int use_session_cb_cnt = 0;
40 static int find_session_cb_cnt = 0;
42 static SSL_SESSION *create_a_psk(SSL *ssl);
45 static char *cert = NULL;
46 static char *privkey = NULL;
47 static char *srpvfile = NULL;
48 static char *tmpfilename = NULL;
50 #define LOG_BUFFER_SIZE 2048
51 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
52 static size_t server_log_buffer_index = 0;
53 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
54 static size_t client_log_buffer_index = 0;
55 static int error_writing_log = 0;
57 #ifndef OPENSSL_NO_OCSP
58 static const unsigned char orespder[] = "Dummy OCSP Response";
59 static int ocsp_server_called = 0;
60 static int ocsp_client_called = 0;
62 static int cdummyarg = 1;
63 static X509 *ocspcert = NULL;
66 #define NUM_EXTRA_CERTS 40
67 #define CLIENT_VERSION_LEN 2
70 * This structure is used to validate that the correct number of log messages
71 * of various types are emitted when emitting secret logs.
73 struct sslapitest_log_counts {
74 unsigned int rsa_key_exchange_count;
75 unsigned int master_secret_count;
76 unsigned int client_early_secret_count;
77 unsigned int client_handshake_secret_count;
78 unsigned int server_handshake_secret_count;
79 unsigned int client_application_secret_count;
80 unsigned int server_application_secret_count;
81 unsigned int early_exporter_secret_count;
82 unsigned int exporter_secret_count;
86 static unsigned char serverinfov1[] = {
87 0xff, 0xff, /* Dummy extension type */
88 0x00, 0x01, /* Extension length is 1 byte */
89 0xff /* Dummy extension data */
92 static unsigned char serverinfov2[] = {
94 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
95 0xff, 0xff, /* Dummy extension type */
96 0x00, 0x01, /* Extension length is 1 byte */
97 0xff /* Dummy extension data */
100 static void client_keylog_callback(const SSL *ssl, const char *line)
102 int line_length = strlen(line);
104 /* If the log doesn't fit, error out. */
105 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
106 TEST_info("Client log too full");
107 error_writing_log = 1;
111 strcat(client_log_buffer, line);
112 client_log_buffer_index += line_length;
113 client_log_buffer[client_log_buffer_index++] = '\n';
116 static void server_keylog_callback(const SSL *ssl, const char *line)
118 int line_length = strlen(line);
120 /* If the log doesn't fit, error out. */
121 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
122 TEST_info("Server log too full");
123 error_writing_log = 1;
127 strcat(server_log_buffer, line);
128 server_log_buffer_index += line_length;
129 server_log_buffer[server_log_buffer_index++] = '\n';
132 static int compare_hex_encoded_buffer(const char *hex_encoded,
140 if (!TEST_size_t_eq(raw_length * 2, hex_length))
143 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
144 sprintf(hexed, "%02x", raw[i]);
145 if (!TEST_int_eq(hexed[0], hex_encoded[j])
146 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
153 static int test_keylog_output(char *buffer, const SSL *ssl,
154 const SSL_SESSION *session,
155 struct sslapitest_log_counts *expected)
158 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
159 size_t client_random_size = SSL3_RANDOM_SIZE;
160 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
161 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
162 unsigned int rsa_key_exchange_count = 0;
163 unsigned int master_secret_count = 0;
164 unsigned int client_early_secret_count = 0;
165 unsigned int client_handshake_secret_count = 0;
166 unsigned int server_handshake_secret_count = 0;
167 unsigned int client_application_secret_count = 0;
168 unsigned int server_application_secret_count = 0;
169 unsigned int early_exporter_secret_count = 0;
170 unsigned int exporter_secret_count = 0;
172 for (token = strtok(buffer, " \n"); token != NULL;
173 token = strtok(NULL, " \n")) {
174 if (strcmp(token, "RSA") == 0) {
176 * Premaster secret. Tokens should be: 16 ASCII bytes of
177 * hex-encoded encrypted secret, then the hex-encoded pre-master
180 if (!TEST_ptr(token = strtok(NULL, " \n")))
182 if (!TEST_size_t_eq(strlen(token), 16))
184 if (!TEST_ptr(token = strtok(NULL, " \n")))
187 * We can't sensibly check the log because the premaster secret is
188 * transient, and OpenSSL doesn't keep hold of it once the master
189 * secret is generated.
191 rsa_key_exchange_count++;
192 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
194 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
195 * client random, then the hex-encoded master secret.
197 client_random_size = SSL_get_client_random(ssl,
198 actual_client_random,
200 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
203 if (!TEST_ptr(token = strtok(NULL, " \n")))
205 if (!TEST_size_t_eq(strlen(token), 64))
207 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
208 actual_client_random,
209 client_random_size)))
212 if (!TEST_ptr(token = strtok(NULL, " \n")))
214 master_key_size = SSL_SESSION_get_master_key(session,
217 if (!TEST_size_t_ne(master_key_size, 0))
219 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
223 master_secret_count++;
224 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
225 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
226 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
227 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
228 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
229 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
230 || strcmp(token, "EXPORTER_SECRET") == 0) {
232 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
233 * client random, and then the hex-encoded secret. In this case,
234 * we treat all of these secrets identically and then just
235 * distinguish between them when counting what we saw.
237 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
238 client_early_secret_count++;
239 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
240 client_handshake_secret_count++;
241 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
242 server_handshake_secret_count++;
243 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
244 client_application_secret_count++;
245 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
246 server_application_secret_count++;
247 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
248 early_exporter_secret_count++;
249 else if (strcmp(token, "EXPORTER_SECRET") == 0)
250 exporter_secret_count++;
252 client_random_size = SSL_get_client_random(ssl,
253 actual_client_random,
255 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
258 if (!TEST_ptr(token = strtok(NULL, " \n")))
260 if (!TEST_size_t_eq(strlen(token), 64))
262 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
263 actual_client_random,
264 client_random_size)))
267 if (!TEST_ptr(token = strtok(NULL, " \n")))
271 * TODO(TLS1.3): test that application traffic secrets are what
274 TEST_info("Unexpected token %s\n", token);
279 /* Got what we expected? */
280 if (!TEST_size_t_eq(rsa_key_exchange_count,
281 expected->rsa_key_exchange_count)
282 || !TEST_size_t_eq(master_secret_count,
283 expected->master_secret_count)
284 || !TEST_size_t_eq(client_early_secret_count,
285 expected->client_early_secret_count)
286 || !TEST_size_t_eq(client_handshake_secret_count,
287 expected->client_handshake_secret_count)
288 || !TEST_size_t_eq(server_handshake_secret_count,
289 expected->server_handshake_secret_count)
290 || !TEST_size_t_eq(client_application_secret_count,
291 expected->client_application_secret_count)
292 || !TEST_size_t_eq(server_application_secret_count,
293 expected->server_application_secret_count)
294 || !TEST_size_t_eq(early_exporter_secret_count,
295 expected->early_exporter_secret_count)
296 || !TEST_size_t_eq(exporter_secret_count,
297 expected->exporter_secret_count))
302 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
303 static int test_keylog(void)
305 SSL_CTX *cctx = NULL, *sctx = NULL;
306 SSL *clientssl = NULL, *serverssl = NULL;
308 struct sslapitest_log_counts expected = {0};
310 /* Clean up logging space */
311 memset(client_log_buffer, 0, sizeof(client_log_buffer));
312 memset(server_log_buffer, 0, sizeof(server_log_buffer));
313 client_log_buffer_index = 0;
314 server_log_buffer_index = 0;
315 error_writing_log = 0;
317 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
319 TLS1_VERSION, TLS_MAX_VERSION,
320 &sctx, &cctx, cert, privkey)))
323 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
324 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
325 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
327 /* We also want to ensure that we use RSA-based key exchange. */
328 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
331 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
332 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
334 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
335 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
336 == client_keylog_callback))
338 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
339 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
340 == server_keylog_callback))
343 /* Now do a handshake and check that the logs have been written to. */
344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
345 &clientssl, NULL, NULL))
346 || !TEST_true(create_ssl_connection(serverssl, clientssl,
348 || !TEST_false(error_writing_log)
349 || !TEST_int_gt(client_log_buffer_index, 0)
350 || !TEST_int_gt(server_log_buffer_index, 0))
354 * Now we want to test that our output data was vaguely sensible. We
355 * do that by using strtok and confirming that we have more or less the
356 * data we expect. For both client and server, we expect to see one master
357 * secret. The client should also see a RSA key exchange.
359 expected.rsa_key_exchange_count = 1;
360 expected.master_secret_count = 1;
361 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
362 SSL_get_session(clientssl), &expected)))
365 expected.rsa_key_exchange_count = 0;
366 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
367 SSL_get_session(serverssl), &expected)))
382 #ifndef OPENSSL_NO_TLS1_3
383 static int test_keylog_no_master_key(void)
385 SSL_CTX *cctx = NULL, *sctx = NULL;
386 SSL *clientssl = NULL, *serverssl = NULL;
387 SSL_SESSION *sess = NULL;
389 struct sslapitest_log_counts expected = {0};
390 unsigned char buf[1];
391 size_t readbytes, written;
393 /* Clean up logging space */
394 memset(client_log_buffer, 0, sizeof(client_log_buffer));
395 memset(server_log_buffer, 0, sizeof(server_log_buffer));
396 client_log_buffer_index = 0;
397 server_log_buffer_index = 0;
398 error_writing_log = 0;
400 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
401 TLS1_VERSION, TLS_MAX_VERSION,
402 &sctx, &cctx, cert, privkey))
403 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
404 SSL3_RT_MAX_PLAIN_LENGTH)))
407 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
408 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
411 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
412 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
413 == client_keylog_callback))
416 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
417 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
418 == server_keylog_callback))
421 /* Now do a handshake and check that the logs have been written to. */
422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
423 &clientssl, NULL, NULL))
424 || !TEST_true(create_ssl_connection(serverssl, clientssl,
426 || !TEST_false(error_writing_log))
430 * Now we want to test that our output data was vaguely sensible. For this
431 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
432 * TLSv1.3, but we do expect both client and server to emit keys.
434 expected.client_handshake_secret_count = 1;
435 expected.server_handshake_secret_count = 1;
436 expected.client_application_secret_count = 1;
437 expected.server_application_secret_count = 1;
438 expected.exporter_secret_count = 1;
439 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
440 SSL_get_session(clientssl), &expected))
441 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
442 SSL_get_session(serverssl),
446 /* Terminate old session and resume with early data. */
447 sess = SSL_get1_session(clientssl);
448 SSL_shutdown(clientssl);
449 SSL_shutdown(serverssl);
452 serverssl = clientssl = NULL;
455 memset(client_log_buffer, 0, sizeof(client_log_buffer));
456 memset(server_log_buffer, 0, sizeof(server_log_buffer));
457 client_log_buffer_index = 0;
458 server_log_buffer_index = 0;
460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
461 &clientssl, NULL, NULL))
462 || !TEST_true(SSL_set_session(clientssl, sess))
463 /* Here writing 0 length early data is enough. */
464 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
465 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
467 SSL_READ_EARLY_DATA_ERROR)
468 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
469 SSL_EARLY_DATA_ACCEPTED)
470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 || !TEST_true(SSL_session_reused(clientssl)))
475 /* In addition to the previous entries, expect early secrets. */
476 expected.client_early_secret_count = 1;
477 expected.early_exporter_secret_count = 1;
478 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
479 SSL_get_session(clientssl), &expected))
480 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
481 SSL_get_session(serverssl),
488 SSL_SESSION_free(sess);
498 #ifndef OPENSSL_NO_TLS1_2
499 static int full_client_hello_callback(SSL *s, int *al, void *arg)
502 const unsigned char *p;
504 /* We only configure two ciphers, but the SCSV is added automatically. */
506 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
508 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
511 const int expected_extensions[] = {
512 #ifndef OPENSSL_NO_EC
518 /* Make sure we can defer processing and get called back. */
520 return SSL_CLIENT_HELLO_RETRY;
522 len = SSL_client_hello_get0_ciphers(s, &p);
523 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
525 SSL_client_hello_get0_compression_methods(s, &p), 1)
526 || !TEST_int_eq(*p, 0))
527 return SSL_CLIENT_HELLO_ERROR;
528 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
529 return SSL_CLIENT_HELLO_ERROR;
530 if (len != OSSL_NELEM(expected_extensions) ||
531 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
532 printf("ClientHello callback expected extensions mismatch\n");
534 return SSL_CLIENT_HELLO_ERROR;
537 return SSL_CLIENT_HELLO_SUCCESS;
540 static int test_client_hello_cb(void)
542 SSL_CTX *cctx = NULL, *sctx = NULL;
543 SSL *clientssl = NULL, *serverssl = NULL;
544 int testctr = 0, testresult = 0;
546 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
547 TLS1_VERSION, TLS_MAX_VERSION,
548 &sctx, &cctx, cert, privkey)))
550 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
552 /* The gimpy cipher list we configure can't do TLS 1.3. */
553 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
555 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
556 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
557 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
558 &clientssl, NULL, NULL))
559 || !TEST_false(create_ssl_connection(serverssl, clientssl,
560 SSL_ERROR_WANT_CLIENT_HELLO_CB))
562 * Passing a -1 literal is a hack since
563 * the real value was lost.
565 || !TEST_int_eq(SSL_get_error(serverssl, -1),
566 SSL_ERROR_WANT_CLIENT_HELLO_CB)
567 || !TEST_true(create_ssl_connection(serverssl, clientssl,
583 static int execute_test_large_message(const SSL_METHOD *smeth,
584 const SSL_METHOD *cmeth,
585 int min_version, int max_version,
588 SSL_CTX *cctx = NULL, *sctx = NULL;
589 SSL *clientssl = NULL, *serverssl = NULL;
593 X509 *chaincert = NULL;
596 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
598 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
601 if (!TEST_ptr(chaincert))
604 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
605 &sctx, &cctx, cert, privkey)))
610 * Test that read_ahead works correctly when dealing with large
613 SSL_CTX_set_read_ahead(cctx, 1);
617 * We assume the supplied certificate is big enough so that if we add
618 * NUM_EXTRA_CERTS it will make the overall message large enough. The
619 * default buffer size is requested to be 16k, but due to the way BUF_MEM
620 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
621 * test we need to have a message larger than that.
623 certlen = i2d_X509(chaincert, NULL);
624 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
625 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
626 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
627 if (!X509_up_ref(chaincert))
629 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
630 X509_free(chaincert);
635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
637 || !TEST_true(create_ssl_connection(serverssl, clientssl,
642 * Calling SSL_clear() first is not required but this tests that SSL_clear()
643 * doesn't leak (when using enable-crypto-mdebug).
645 if (!TEST_true(SSL_clear(serverssl)))
650 X509_free(chaincert);
659 static int test_large_message_tls(void)
661 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
662 TLS1_VERSION, TLS_MAX_VERSION,
666 static int test_large_message_tls_read_ahead(void)
668 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
669 TLS1_VERSION, TLS_MAX_VERSION,
673 #ifndef OPENSSL_NO_DTLS
674 static int test_large_message_dtls(void)
677 * read_ahead is not relevant to DTLS because DTLS always acts as if
680 return execute_test_large_message(DTLS_server_method(),
681 DTLS_client_method(),
682 DTLS1_VERSION, DTLS_MAX_VERSION,
687 #ifndef OPENSSL_NO_OCSP
688 static int ocsp_server_cb(SSL *s, void *arg)
690 int *argi = (int *)arg;
691 unsigned char *copy = NULL;
692 STACK_OF(OCSP_RESPID) *ids = NULL;
693 OCSP_RESPID *id = NULL;
696 /* In this test we are expecting exactly 1 OCSP_RESPID */
697 SSL_get_tlsext_status_ids(s, &ids);
698 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
699 return SSL_TLSEXT_ERR_ALERT_FATAL;
701 id = sk_OCSP_RESPID_value(ids, 0);
702 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
703 return SSL_TLSEXT_ERR_ALERT_FATAL;
704 } else if (*argi != 1) {
705 return SSL_TLSEXT_ERR_ALERT_FATAL;
708 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
709 return SSL_TLSEXT_ERR_ALERT_FATAL;
711 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
712 ocsp_server_called = 1;
713 return SSL_TLSEXT_ERR_OK;
716 static int ocsp_client_cb(SSL *s, void *arg)
718 int *argi = (int *)arg;
719 const unsigned char *respderin;
722 if (*argi != 1 && *argi != 2)
725 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
726 if (!TEST_mem_eq(orespder, len, respderin, len))
729 ocsp_client_called = 1;
733 static int test_tlsext_status_type(void)
735 SSL_CTX *cctx = NULL, *sctx = NULL;
736 SSL *clientssl = NULL, *serverssl = NULL;
738 STACK_OF(OCSP_RESPID) *ids = NULL;
739 OCSP_RESPID *id = NULL;
742 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
743 TLS1_VERSION, TLS_MAX_VERSION,
744 &sctx, &cctx, cert, privkey))
747 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
750 /* First just do various checks getting and setting tlsext_status_type */
752 clientssl = SSL_new(cctx);
753 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
754 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
755 TLSEXT_STATUSTYPE_ocsp))
756 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
757 TLSEXT_STATUSTYPE_ocsp))
763 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
764 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
767 clientssl = SSL_new(cctx);
768 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
774 * Now actually do a handshake and check OCSP information is exchanged and
775 * the callbacks get called
777 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
778 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
779 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
780 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
781 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
782 &clientssl, NULL, NULL))
783 || !TEST_true(create_ssl_connection(serverssl, clientssl,
785 || !TEST_true(ocsp_client_called)
786 || !TEST_true(ocsp_server_called))
793 /* Try again but this time force the server side callback to fail */
794 ocsp_client_called = 0;
795 ocsp_server_called = 0;
797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
798 &clientssl, NULL, NULL))
799 /* This should fail because the callback will fail */
800 || !TEST_false(create_ssl_connection(serverssl, clientssl,
802 || !TEST_false(ocsp_client_called)
803 || !TEST_false(ocsp_server_called))
811 * This time we'll get the client to send an OCSP_RESPID that it will
814 ocsp_client_called = 0;
815 ocsp_server_called = 0;
817 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
818 &clientssl, NULL, NULL)))
822 * We'll just use any old cert for this test - it doesn't have to be an OCSP
823 * specific one. We'll use the server cert.
825 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
826 || !TEST_ptr(id = OCSP_RESPID_new())
827 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
828 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
830 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
831 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
834 SSL_set_tlsext_status_ids(clientssl, ids);
835 /* Control has been transferred */
841 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
843 || !TEST_true(ocsp_client_called)
844 || !TEST_true(ocsp_server_called))
854 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
855 OCSP_RESPID_free(id);
864 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
865 static int new_called, remove_called, get_called;
867 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
871 * sess has been up-refed for us, but we don't actually need it so free it
874 SSL_SESSION_free(sess);
878 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
883 static SSL_SESSION *get_sess_val = NULL;
885 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
893 static int execute_test_session(int maxprot, int use_int_cache,
896 SSL_CTX *sctx = NULL, *cctx = NULL;
897 SSL *serverssl1 = NULL, *clientssl1 = NULL;
898 SSL *serverssl2 = NULL, *clientssl2 = NULL;
899 # ifndef OPENSSL_NO_TLS1_1
900 SSL *serverssl3 = NULL, *clientssl3 = NULL;
902 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
903 int testresult = 0, numnewsesstick = 1;
905 new_called = remove_called = 0;
907 /* TLSv1.3 sends 2 NewSessionTickets */
908 if (maxprot == TLS1_3_VERSION)
911 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
912 TLS1_VERSION, TLS_MAX_VERSION,
913 &sctx, &cctx, cert, privkey)))
917 * Only allow the max protocol version so we can force a connection failure
920 SSL_CTX_set_min_proto_version(cctx, maxprot);
921 SSL_CTX_set_max_proto_version(cctx, maxprot);
923 /* Set up session cache */
925 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
926 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
929 /* Also covers instance where both are set */
930 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
932 SSL_CTX_set_session_cache_mode(cctx,
933 SSL_SESS_CACHE_CLIENT
934 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
937 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
939 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
941 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
944 /* Should fail because it should already be in the cache */
945 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
948 && (!TEST_int_eq(new_called, numnewsesstick)
950 || !TEST_int_eq(remove_called, 0)))
953 new_called = remove_called = 0;
954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
955 &clientssl2, NULL, NULL))
956 || !TEST_true(SSL_set_session(clientssl2, sess1))
957 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
959 || !TEST_true(SSL_session_reused(clientssl2)))
962 if (maxprot == TLS1_3_VERSION) {
964 * In TLSv1.3 we should have created a new session even though we have
965 * resumed. Since we attempted a resume we should also have removed the
966 * old ticket from the cache so that we try to only use tickets once.
969 && (!TEST_int_eq(new_called, 1)
970 || !TEST_int_eq(remove_called, 1)))
974 * In TLSv1.2 we expect to have resumed so no sessions added or
978 && (!TEST_int_eq(new_called, 0)
979 || !TEST_int_eq(remove_called, 0)))
983 SSL_SESSION_free(sess1);
984 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
986 shutdown_ssl_connection(serverssl2, clientssl2);
987 serverssl2 = clientssl2 = NULL;
989 new_called = remove_called = 0;
990 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
991 &clientssl2, NULL, NULL))
992 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
996 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1000 && (!TEST_int_eq(new_called, numnewsesstick)
1001 || !TEST_int_eq(remove_called, 0)))
1004 new_called = remove_called = 0;
1006 * This should clear sess2 from the cache because it is a "bad" session.
1007 * See SSL_set_session() documentation.
1009 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1012 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1014 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1017 if (use_int_cache) {
1018 /* Should succeeded because it should not already be in the cache */
1019 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1020 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1024 new_called = remove_called = 0;
1025 /* This shouldn't be in the cache so should fail */
1026 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1030 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1033 # if !defined(OPENSSL_NO_TLS1_1)
1034 new_called = remove_called = 0;
1035 /* Force a connection failure */
1036 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1037 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1038 &clientssl3, NULL, NULL))
1039 || !TEST_true(SSL_set_session(clientssl3, sess1))
1040 /* This should fail because of the mismatched protocol versions */
1041 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1045 /* We should have automatically removed the session from the cache */
1047 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1050 /* Should succeed because it should not already be in the cache */
1051 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1055 /* Now do some tests for server side caching */
1056 if (use_ext_cache) {
1057 SSL_CTX_sess_set_new_cb(cctx, NULL);
1058 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1059 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1060 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1061 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1062 get_sess_val = NULL;
1065 SSL_CTX_set_session_cache_mode(cctx, 0);
1066 /* Internal caching is the default on the server side */
1068 SSL_CTX_set_session_cache_mode(sctx,
1069 SSL_SESS_CACHE_SERVER
1070 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1072 SSL_free(serverssl1);
1073 SSL_free(clientssl1);
1074 serverssl1 = clientssl1 = NULL;
1075 SSL_free(serverssl2);
1076 SSL_free(clientssl2);
1077 serverssl2 = clientssl2 = NULL;
1078 SSL_SESSION_free(sess1);
1080 SSL_SESSION_free(sess2);
1083 SSL_CTX_set_max_proto_version(sctx, maxprot);
1084 if (maxprot == TLS1_2_VERSION)
1085 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1086 new_called = remove_called = get_called = 0;
1087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1089 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1091 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1092 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1095 if (use_int_cache) {
1096 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1098 * In TLSv1.3 it should not have been added to the internal cache,
1099 * except in the case where we also have an external cache (in that
1100 * case it gets added to the cache in order to generate remove
1101 * events after timeout).
1103 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1106 /* Should fail because it should already be in the cache */
1107 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1112 if (use_ext_cache) {
1113 SSL_SESSION *tmp = sess2;
1115 if (!TEST_int_eq(new_called, numnewsesstick)
1116 || !TEST_int_eq(remove_called, 0)
1117 || !TEST_int_eq(get_called, 0))
1120 * Delete the session from the internal cache to force a lookup from
1121 * the external cache. We take a copy first because
1122 * SSL_CTX_remove_session() also marks the session as non-resumable.
1124 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1125 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1126 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1128 SSL_SESSION_free(sess2);
1133 new_called = remove_called = get_called = 0;
1134 get_sess_val = sess2;
1135 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1136 &clientssl2, NULL, NULL))
1137 || !TEST_true(SSL_set_session(clientssl2, sess1))
1138 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1140 || !TEST_true(SSL_session_reused(clientssl2)))
1143 if (use_ext_cache) {
1144 if (!TEST_int_eq(remove_called, 0))
1147 if (maxprot == TLS1_3_VERSION) {
1148 if (!TEST_int_eq(new_called, 1)
1149 || !TEST_int_eq(get_called, 0))
1152 if (!TEST_int_eq(new_called, 0)
1153 || !TEST_int_eq(get_called, 1))
1161 SSL_free(serverssl1);
1162 SSL_free(clientssl1);
1163 SSL_free(serverssl2);
1164 SSL_free(clientssl2);
1165 # ifndef OPENSSL_NO_TLS1_1
1166 SSL_free(serverssl3);
1167 SSL_free(clientssl3);
1169 SSL_SESSION_free(sess1);
1170 SSL_SESSION_free(sess2);
1176 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1178 static int test_session_with_only_int_cache(void)
1180 #ifndef OPENSSL_NO_TLS1_3
1181 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1185 #ifndef OPENSSL_NO_TLS1_2
1186 return execute_test_session(TLS1_2_VERSION, 1, 0);
1192 static int test_session_with_only_ext_cache(void)
1194 #ifndef OPENSSL_NO_TLS1_3
1195 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1199 #ifndef OPENSSL_NO_TLS1_2
1200 return execute_test_session(TLS1_2_VERSION, 0, 1);
1206 static int test_session_with_both_cache(void)
1208 #ifndef OPENSSL_NO_TLS1_3
1209 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1213 #ifndef OPENSSL_NO_TLS1_2
1214 return execute_test_session(TLS1_2_VERSION, 1, 1);
1220 #ifndef OPENSSL_NO_TLS1_3
1221 static SSL_SESSION *sesscache[6];
1222 static int do_cache;
1224 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1227 sesscache[new_called] = sess;
1229 /* We don't need the reference to the session, so free it */
1230 SSL_SESSION_free(sess);
1237 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1239 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1240 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1243 /* Start handshake on the server and client */
1244 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1245 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1246 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1247 || !TEST_true(create_ssl_connection(sssl, cssl,
1254 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1257 int sess_id_ctx = 1;
1259 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1260 TLS1_VERSION, TLS_MAX_VERSION, sctx,
1261 cctx, cert, privkey))
1262 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1263 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1264 (void *)&sess_id_ctx,
1265 sizeof(sess_id_ctx))))
1269 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1271 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1272 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1273 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1278 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1280 SSL *serverssl = NULL, *clientssl = NULL;
1283 /* Test that we can resume with all the tickets we got given */
1284 for (i = 0; i < idx * 2; i++) {
1286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1287 &clientssl, NULL, NULL))
1288 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1291 SSL_set_post_handshake_auth(clientssl, 1);
1293 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1298 * Following a successful resumption we only get 1 ticket. After a
1299 * failed one we should get idx tickets.
1302 if (!TEST_true(SSL_session_reused(clientssl))
1303 || !TEST_int_eq(new_called, 1))
1306 if (!TEST_false(SSL_session_reused(clientssl))
1307 || !TEST_int_eq(new_called, idx))
1312 /* After a post-handshake authentication we should get 1 new ticket */
1314 && (!post_handshake_verify(serverssl, clientssl)
1315 || !TEST_int_eq(new_called, 1)))
1318 SSL_shutdown(clientssl);
1319 SSL_shutdown(serverssl);
1320 SSL_free(serverssl);
1321 SSL_free(clientssl);
1322 serverssl = clientssl = NULL;
1323 SSL_SESSION_free(sesscache[i]);
1324 sesscache[i] = NULL;
1330 SSL_free(clientssl);
1331 SSL_free(serverssl);
1335 static int test_tickets(int stateful, int idx)
1337 SSL_CTX *sctx = NULL, *cctx = NULL;
1338 SSL *serverssl = NULL, *clientssl = NULL;
1342 /* idx is the test number, but also the number of tickets we want */
1347 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1350 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1351 &clientssl, NULL, NULL)))
1354 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1356 /* Check we got the number of tickets we were expecting */
1357 || !TEST_int_eq(idx, new_called))
1360 SSL_shutdown(clientssl);
1361 SSL_shutdown(serverssl);
1362 SSL_free(serverssl);
1363 SSL_free(clientssl);
1366 clientssl = serverssl = NULL;
1370 * Now we try to resume with the tickets we previously created. The
1371 * resumption attempt is expected to fail (because we're now using a new
1372 * SSL_CTX). We should see idx number of tickets issued again.
1375 /* Stop caching sessions - just count them */
1378 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1381 if (!check_resumption(idx, sctx, cctx, 0))
1384 /* Start again with caching sessions */
1391 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1394 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1395 &clientssl, NULL, NULL)))
1398 SSL_set_post_handshake_auth(clientssl, 1);
1400 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1402 /* Check we got the number of tickets we were expecting */
1403 || !TEST_int_eq(idx, new_called))
1406 /* After a post-handshake authentication we should get new tickets issued */
1407 if (!post_handshake_verify(serverssl, clientssl)
1408 || !TEST_int_eq(idx * 2, new_called))
1411 SSL_shutdown(clientssl);
1412 SSL_shutdown(serverssl);
1413 SSL_free(serverssl);
1414 SSL_free(clientssl);
1415 serverssl = clientssl = NULL;
1417 /* Stop caching sessions - just count them */
1421 * Check we can resume with all the tickets we created. This time around the
1422 * resumptions should all be successful.
1424 if (!check_resumption(idx, sctx, cctx, 1))
1430 SSL_free(serverssl);
1431 SSL_free(clientssl);
1432 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1433 SSL_SESSION_free(sesscache[j]);
1434 sesscache[j] = NULL;
1442 static int test_stateless_tickets(int idx)
1444 return test_tickets(0, idx);
1447 static int test_stateful_tickets(int idx)
1449 return test_tickets(1, idx);
1452 static int test_psk_tickets(void)
1454 SSL_CTX *sctx = NULL, *cctx = NULL;
1455 SSL *serverssl = NULL, *clientssl = NULL;
1457 int sess_id_ctx = 1;
1459 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1460 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1462 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1463 (void *)&sess_id_ctx,
1464 sizeof(sess_id_ctx))))
1467 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1468 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1469 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1470 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1471 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1472 use_session_cb_cnt = 0;
1473 find_session_cb_cnt = 0;
1477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1480 clientpsk = serverpsk = create_a_psk(clientssl);
1481 if (!TEST_ptr(clientpsk))
1483 SSL_SESSION_up_ref(clientpsk);
1485 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1487 || !TEST_int_eq(1, find_session_cb_cnt)
1488 || !TEST_int_eq(1, use_session_cb_cnt)
1489 /* We should always get 1 ticket when using external PSK */
1490 || !TEST_int_eq(1, new_called))
1496 SSL_free(serverssl);
1497 SSL_free(clientssl);
1500 SSL_SESSION_free(clientpsk);
1501 SSL_SESSION_free(serverpsk);
1502 clientpsk = serverpsk = NULL;
1511 #define USE_DEFAULT 3
1513 #define CONNTYPE_CONNECTION_SUCCESS 0
1514 #define CONNTYPE_CONNECTION_FAIL 1
1515 #define CONNTYPE_NO_CONNECTION 2
1517 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1518 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1519 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1520 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1522 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1525 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1526 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1527 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1529 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1546 * Tests calls to SSL_set_bio() under various conditions.
1548 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1549 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1550 * then do more tests where we create a successful connection first using our
1551 * standard connection setup functions, and then call SSL_set_bio() with
1552 * various combinations of valid BIOs or NULL. We then repeat these tests
1553 * following a failed connection. In this last case we are looking to check that
1554 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1556 static int test_ssl_set_bio(int idx)
1558 SSL_CTX *sctx = NULL, *cctx = NULL;
1561 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1562 SSL *serverssl = NULL, *clientssl = NULL;
1563 int initrbio, initwbio, newrbio, newwbio, conntype;
1566 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1574 conntype = CONNTYPE_NO_CONNECTION;
1576 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1577 initrbio = initwbio = USE_DEFAULT;
1585 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1586 TLS1_VERSION, TLS_MAX_VERSION,
1587 &sctx, &cctx, cert, privkey)))
1590 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1592 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1593 * because we reduced the number of tests in the definition of
1594 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1595 * mismatched protocol versions we will force a connection failure.
1597 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1598 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1601 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1605 if (initrbio == USE_BIO_1
1606 || initwbio == USE_BIO_1
1607 || newrbio == USE_BIO_1
1608 || newwbio == USE_BIO_1) {
1609 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1613 if (initrbio == USE_BIO_2
1614 || initwbio == USE_BIO_2
1615 || newrbio == USE_BIO_2
1616 || newwbio == USE_BIO_2) {
1617 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1621 if (initrbio != USE_DEFAULT) {
1622 setupbio(&irbio, bio1, bio2, initrbio);
1623 setupbio(&iwbio, bio1, bio2, initwbio);
1624 SSL_set_bio(clientssl, irbio, iwbio);
1627 * We want to maintain our own refs to these BIO, so do an up ref for
1628 * each BIO that will have ownership transferred in the SSL_set_bio()
1633 if (iwbio != NULL && iwbio != irbio)
1637 if (conntype != CONNTYPE_NO_CONNECTION
1638 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1640 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1643 setupbio(&nrbio, bio1, bio2, newrbio);
1644 setupbio(&nwbio, bio1, bio2, newwbio);
1647 * We will (maybe) transfer ownership again so do more up refs.
1648 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1653 && (nwbio != iwbio || nrbio != nwbio))
1657 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1660 SSL_set_bio(clientssl, nrbio, nwbio);
1669 * This test is checking that the ref counting for SSL_set_bio is correct.
1670 * If we get here and we did too many frees then we will fail in the above
1671 * functions. If we haven't done enough then this will only be detected in
1672 * a crypto-mdebug build
1674 SSL_free(serverssl);
1675 SSL_free(clientssl);
1681 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1683 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1685 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1690 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1691 || !TEST_ptr(ssl = SSL_new(ctx))
1692 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1693 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1696 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1699 * If anything goes wrong here then we could leak memory, so this will
1700 * be caught in a crypto-mdebug build
1702 BIO_push(sslbio, membio1);
1704 /* Verify changing the rbio/wbio directly does not cause leaks */
1705 if (change_bio != NO_BIO_CHANGE) {
1706 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1708 if (change_bio == CHANGE_RBIO)
1709 SSL_set0_rbio(ssl, membio2);
1711 SSL_set0_wbio(ssl, membio2);
1730 static int test_ssl_bio_pop_next_bio(void)
1732 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1735 static int test_ssl_bio_pop_ssl_bio(void)
1737 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1740 static int test_ssl_bio_change_rbio(void)
1742 return execute_test_ssl_bio(0, CHANGE_RBIO);
1745 static int test_ssl_bio_change_wbio(void)
1747 return execute_test_ssl_bio(0, CHANGE_WBIO);
1750 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1752 /* The list of sig algs */
1754 /* The length of the list */
1756 /* A sigalgs list in string format */
1757 const char *liststr;
1758 /* Whether setting the list should succeed */
1760 /* Whether creating a connection with the list should succeed */
1764 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1765 # ifndef OPENSSL_NO_EC
1766 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1767 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1769 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1770 static const int invalidlist2[] = {NID_sha256, NID_undef};
1771 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1772 static const int invalidlist4[] = {NID_sha256};
1773 static const sigalgs_list testsigalgs[] = {
1774 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1775 # ifndef OPENSSL_NO_EC
1776 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1777 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1779 {NULL, 0, "RSA+SHA256", 1, 1},
1780 # ifndef OPENSSL_NO_EC
1781 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1782 {NULL, 0, "ECDSA+SHA512", 1, 0},
1784 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1785 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1786 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1787 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1788 {NULL, 0, "RSA", 0, 0},
1789 {NULL, 0, "SHA256", 0, 0},
1790 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1791 {NULL, 0, "Invalid", 0, 0}
1794 static int test_set_sigalgs(int idx)
1796 SSL_CTX *cctx = NULL, *sctx = NULL;
1797 SSL *clientssl = NULL, *serverssl = NULL;
1799 const sigalgs_list *curr;
1802 /* Should never happen */
1803 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1806 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1807 curr = testctx ? &testsigalgs[idx]
1808 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1810 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1811 TLS1_VERSION, TLS_MAX_VERSION,
1812 &sctx, &cctx, cert, privkey)))
1816 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1817 * for TLSv1.2 for now until we add a new API.
1819 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1824 if (curr->list != NULL)
1825 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1827 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1831 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1837 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1843 &clientssl, NULL, NULL)))
1849 if (curr->list != NULL)
1850 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1852 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1855 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1864 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1872 SSL_free(serverssl);
1873 SSL_free(clientssl);
1881 #ifndef OPENSSL_NO_TLS1_3
1882 static int psk_client_cb_cnt = 0;
1883 static int psk_server_cb_cnt = 0;
1885 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1886 size_t *idlen, SSL_SESSION **sess)
1888 switch (++use_session_cb_cnt) {
1890 /* The first call should always have a NULL md */
1896 /* The second call should always have an md */
1902 /* We should only be called a maximum of twice */
1906 if (clientpsk != NULL)
1907 SSL_SESSION_up_ref(clientpsk);
1910 *id = (const unsigned char *)pskid;
1911 *idlen = strlen(pskid);
1916 #ifndef OPENSSL_NO_PSK
1917 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1918 unsigned int max_id_len,
1920 unsigned int max_psk_len)
1922 unsigned int psklen = 0;
1924 psk_client_cb_cnt++;
1926 if (strlen(pskid) + 1 > max_id_len)
1929 /* We should only ever be called a maximum of twice per connection */
1930 if (psk_client_cb_cnt > 2)
1933 if (clientpsk == NULL)
1936 /* We'll reuse the PSK we set up for TLSv1.3 */
1937 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1939 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1940 strncpy(id, pskid, max_id_len);
1944 #endif /* OPENSSL_NO_PSK */
1946 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1947 size_t identity_len, SSL_SESSION **sess)
1949 find_session_cb_cnt++;
1951 /* We should only ever be called a maximum of twice per connection */
1952 if (find_session_cb_cnt > 2)
1955 if (serverpsk == NULL)
1958 /* Identity should match that set by the client */
1959 if (strlen(srvid) != identity_len
1960 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1961 /* No PSK found, continue but without a PSK */
1966 SSL_SESSION_up_ref(serverpsk);
1972 #ifndef OPENSSL_NO_PSK
1973 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1974 unsigned char *psk, unsigned int max_psk_len)
1976 unsigned int psklen = 0;
1978 psk_server_cb_cnt++;
1980 /* We should only ever be called a maximum of twice per connection */
1981 if (find_session_cb_cnt > 2)
1984 if (serverpsk == NULL)
1987 /* Identity should match that set by the client */
1988 if (strcmp(srvid, identity) != 0) {
1992 /* We'll reuse the PSK we set up for TLSv1.3 */
1993 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1995 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1999 #endif /* OPENSSL_NO_PSK */
2001 #define MSG1 "Hello"
2002 #define MSG2 "World."
2007 #define MSG7 "message."
2009 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2010 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2013 static SSL_SESSION *create_a_psk(SSL *ssl)
2015 const SSL_CIPHER *cipher = NULL;
2016 const unsigned char key[] = {
2017 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2018 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2019 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2020 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2021 0x2c, 0x2d, 0x2e, 0x2f
2023 SSL_SESSION *sess = NULL;
2025 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2026 sess = SSL_SESSION_new();
2028 || !TEST_ptr(cipher)
2029 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2031 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2033 SSL_SESSION_set_protocol_version(sess,
2035 SSL_SESSION_free(sess);
2042 * Helper method to setup objects for early data test. Caller frees objects on
2045 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2046 SSL **serverssl, SSL_SESSION **sess, int idx)
2049 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2050 TLS_client_method(),
2051 TLS1_VERSION, TLS_MAX_VERSION,
2052 sctx, cctx, cert, privkey)))
2055 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2059 /* When idx == 1 we repeat the tests with read_ahead set */
2060 SSL_CTX_set_read_ahead(*cctx, 1);
2061 SSL_CTX_set_read_ahead(*sctx, 1);
2062 } else if (idx == 2) {
2063 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2064 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2065 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2066 use_session_cb_cnt = 0;
2067 find_session_cb_cnt = 0;
2071 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2076 * For one of the run throughs (doesn't matter which one), we'll try sending
2077 * some SNI data in the initial ClientHello. This will be ignored (because
2078 * there is no SNI cb set up by the server), so it should not impact
2082 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2086 clientpsk = create_a_psk(*clientssl);
2087 if (!TEST_ptr(clientpsk)
2089 * We just choose an arbitrary value for max_early_data which
2090 * should be big enough for testing purposes.
2092 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2094 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2095 SSL_SESSION_free(clientpsk);
2099 serverpsk = clientpsk;
2102 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2103 SSL_SESSION_free(clientpsk);
2104 SSL_SESSION_free(serverpsk);
2105 clientpsk = serverpsk = NULL;
2116 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2120 *sess = SSL_get1_session(*clientssl);
2121 SSL_shutdown(*clientssl);
2122 SSL_shutdown(*serverssl);
2123 SSL_free(*serverssl);
2124 SSL_free(*clientssl);
2125 *serverssl = *clientssl = NULL;
2127 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2128 clientssl, NULL, NULL))
2129 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2135 static int test_early_data_read_write(int idx)
2137 SSL_CTX *cctx = NULL, *sctx = NULL;
2138 SSL *clientssl = NULL, *serverssl = NULL;
2140 SSL_SESSION *sess = NULL;
2141 unsigned char buf[20], data[1024];
2142 size_t readbytes, written, eoedlen, rawread, rawwritten;
2145 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2146 &serverssl, &sess, idx)))
2149 /* Write and read some early data */
2150 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2152 || !TEST_size_t_eq(written, strlen(MSG1))
2153 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2154 sizeof(buf), &readbytes),
2155 SSL_READ_EARLY_DATA_SUCCESS)
2156 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2157 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2158 SSL_EARLY_DATA_ACCEPTED))
2162 * Server should be able to write data, and client should be able to
2165 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2167 || !TEST_size_t_eq(written, strlen(MSG2))
2168 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2169 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2172 /* Even after reading normal data, client should be able write early data */
2173 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2175 || !TEST_size_t_eq(written, strlen(MSG3)))
2178 /* Server should still be able read early data after writing data */
2179 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2181 SSL_READ_EARLY_DATA_SUCCESS)
2182 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2185 /* Write more data from server and read it from client */
2186 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2188 || !TEST_size_t_eq(written, strlen(MSG4))
2189 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2190 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2194 * If client writes normal data it should mean writing early data is no
2197 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2198 || !TEST_size_t_eq(written, strlen(MSG5))
2199 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2200 SSL_EARLY_DATA_ACCEPTED))
2204 * At this point the client has written EndOfEarlyData, ClientFinished and
2205 * normal (fully protected) data. We are going to cause a delay between the
2206 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2207 * in the read BIO, and then just put back the EndOfEarlyData message.
2209 rbio = SSL_get_rbio(serverssl);
2210 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2211 || !TEST_size_t_lt(rawread, sizeof(data))
2212 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2215 /* Record length is in the 4th and 5th bytes of the record header */
2216 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2217 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2218 || !TEST_size_t_eq(rawwritten, eoedlen))
2221 /* Server should be told that there is no more early data */
2222 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2224 SSL_READ_EARLY_DATA_FINISH)
2225 || !TEST_size_t_eq(readbytes, 0))
2229 * Server has not finished init yet, so should still be able to write early
2232 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2234 || !TEST_size_t_eq(written, strlen(MSG6)))
2237 /* Push the ClientFinished and the normal data back into the server rbio */
2238 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2240 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2243 /* Server should be able to read normal data */
2244 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2245 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2248 /* Client and server should not be able to write/read early data now */
2249 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2253 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2255 SSL_READ_EARLY_DATA_ERROR))
2259 /* Client should be able to read the data sent by the server */
2260 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2261 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2265 * Make sure we process the two NewSessionTickets. These arrive
2266 * post-handshake. We attempt reads which we do not expect to return any
2269 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2270 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2274 /* Server should be able to write normal data */
2275 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2276 || !TEST_size_t_eq(written, strlen(MSG7))
2277 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2278 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2281 SSL_SESSION_free(sess);
2282 sess = SSL_get1_session(clientssl);
2283 use_session_cb_cnt = 0;
2284 find_session_cb_cnt = 0;
2286 SSL_shutdown(clientssl);
2287 SSL_shutdown(serverssl);
2288 SSL_free(serverssl);
2289 SSL_free(clientssl);
2290 serverssl = clientssl = NULL;
2291 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2292 &clientssl, NULL, NULL))
2293 || !TEST_true(SSL_set_session(clientssl, sess)))
2296 /* Write and read some early data */
2297 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2299 || !TEST_size_t_eq(written, strlen(MSG1))
2300 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2302 SSL_READ_EARLY_DATA_SUCCESS)
2303 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2306 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2307 || !TEST_int_gt(SSL_accept(serverssl), 0))
2310 /* Client and server should not be able to write/read early data now */
2311 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2315 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2317 SSL_READ_EARLY_DATA_ERROR))
2321 /* Client and server should be able to write/read normal data */
2322 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2323 || !TEST_size_t_eq(written, strlen(MSG5))
2324 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2325 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2331 SSL_SESSION_free(sess);
2332 SSL_SESSION_free(clientpsk);
2333 SSL_SESSION_free(serverpsk);
2334 clientpsk = serverpsk = NULL;
2335 SSL_free(serverssl);
2336 SSL_free(clientssl);
2342 static int allow_ed_cb_called = 0;
2344 static int allow_early_data_cb(SSL *s, void *arg)
2346 int *usecb = (int *)arg;
2348 allow_ed_cb_called++;
2357 * idx == 0: Standard early_data setup
2358 * idx == 1: early_data setup using read_ahead
2359 * usecb == 0: Don't use a custom early data callback
2360 * usecb == 1: Use a custom early data callback and reject the early data
2361 * usecb == 2: Use a custom early data callback and accept the early data
2362 * confopt == 0: Configure anti-replay directly
2363 * confopt == 1: Configure anti-replay using SSL_CONF
2365 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2367 SSL_CTX *cctx = NULL, *sctx = NULL;
2368 SSL *clientssl = NULL, *serverssl = NULL;
2370 SSL_SESSION *sess = NULL;
2371 size_t readbytes, written;
2372 unsigned char buf[20];
2374 allow_ed_cb_called = 0;
2376 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2377 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2378 &cctx, cert, privkey)))
2383 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2385 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2387 if (!TEST_ptr(confctx))
2389 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2390 | SSL_CONF_FLAG_SERVER);
2391 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2392 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2394 SSL_CONF_CTX_free(confctx);
2397 SSL_CONF_CTX_free(confctx);
2399 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2402 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2403 &serverssl, &sess, idx)))
2407 * The server is configured to accept early data. Create a connection to
2408 * "use up" the ticket
2410 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2411 || !TEST_true(SSL_session_reused(clientssl)))
2414 SSL_shutdown(clientssl);
2415 SSL_shutdown(serverssl);
2416 SSL_free(serverssl);
2417 SSL_free(clientssl);
2418 serverssl = clientssl = NULL;
2420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2421 &clientssl, NULL, NULL))
2422 || !TEST_true(SSL_set_session(clientssl, sess)))
2425 /* Write and read some early data */
2426 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2428 || !TEST_size_t_eq(written, strlen(MSG1)))
2432 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2434 SSL_READ_EARLY_DATA_FINISH)
2436 * The ticket was reused, so the we should have rejected the
2439 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2440 SSL_EARLY_DATA_REJECTED))
2443 /* In this case the callback decides to accept the early data */
2444 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2446 SSL_READ_EARLY_DATA_SUCCESS)
2447 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2449 * Server will have sent its flight so client can now send
2450 * end of early data and complete its half of the handshake
2452 || !TEST_int_gt(SSL_connect(clientssl), 0)
2453 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2455 SSL_READ_EARLY_DATA_FINISH)
2456 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2457 SSL_EARLY_DATA_ACCEPTED))
2461 /* Complete the connection */
2462 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2463 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2464 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2470 SSL_SESSION_free(sess);
2471 SSL_SESSION_free(clientpsk);
2472 SSL_SESSION_free(serverpsk);
2473 clientpsk = serverpsk = NULL;
2474 SSL_free(serverssl);
2475 SSL_free(clientssl);
2481 static int test_early_data_replay(int idx)
2483 int ret = 1, usecb, confopt;
2485 for (usecb = 0; usecb < 3; usecb++) {
2486 for (confopt = 0; confopt < 2; confopt++)
2487 ret &= test_early_data_replay_int(idx, usecb, confopt);
2494 * Helper function to test that a server attempting to read early data can
2495 * handle a connection from a client where the early data should be skipped.
2496 * testtype: 0 == No HRR
2497 * testtype: 1 == HRR
2498 * testtype: 2 == HRR, invalid early_data sent after HRR
2499 * testtype: 3 == recv_max_early_data set to 0
2501 static int early_data_skip_helper(int testtype, int idx)
2503 SSL_CTX *cctx = NULL, *sctx = NULL;
2504 SSL *clientssl = NULL, *serverssl = NULL;
2506 SSL_SESSION *sess = NULL;
2507 unsigned char buf[20];
2508 size_t readbytes, written;
2510 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2511 &serverssl, &sess, idx)))
2514 if (testtype == 1 || testtype == 2) {
2515 /* Force an HRR to occur */
2516 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2518 } else if (idx == 2) {
2520 * We force early_data rejection by ensuring the PSK identity is
2523 srvid = "Dummy Identity";
2526 * Deliberately corrupt the creation time. We take 20 seconds off the
2527 * time. It could be any value as long as it is not within tolerance.
2528 * This should mean the ticket is rejected.
2530 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2535 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2538 /* Write some early data */
2539 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2541 || !TEST_size_t_eq(written, strlen(MSG1)))
2544 /* Server should reject the early data */
2545 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2547 SSL_READ_EARLY_DATA_FINISH)
2548 || !TEST_size_t_eq(readbytes, 0)
2549 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2550 SSL_EARLY_DATA_REJECTED))
2560 * Finish off the handshake. We perform the same writes and reads as
2561 * further down but we expect them to fail due to the incomplete
2564 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2565 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2572 BIO *wbio = SSL_get_wbio(clientssl);
2573 /* A record that will appear as bad early_data */
2574 const unsigned char bad_early_data[] = {
2575 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2579 * We force the client to attempt a write. This will fail because
2580 * we're still in the handshake. It will cause the second
2581 * ClientHello to be sent.
2583 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2588 * Inject some early_data after the second ClientHello. This should
2589 * cause the server to fail
2591 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2592 sizeof(bad_early_data), &written)))
2599 * This client has sent more early_data than we are willing to skip
2600 * (case 3) or sent invalid early_data (case 2) so the connection should
2603 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2604 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2607 /* Connection has failed - nothing more to do */
2612 TEST_error("Invalid test type");
2617 * Should be able to send normal data despite rejection of early data. The
2618 * early_data should be skipped.
2620 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2621 || !TEST_size_t_eq(written, strlen(MSG2))
2622 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2623 SSL_EARLY_DATA_REJECTED)
2624 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2625 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2631 SSL_SESSION_free(clientpsk);
2632 SSL_SESSION_free(serverpsk);
2633 clientpsk = serverpsk = NULL;
2634 SSL_SESSION_free(sess);
2635 SSL_free(serverssl);
2636 SSL_free(clientssl);
2643 * Test that a server attempting to read early data can handle a connection
2644 * from a client where the early data is not acceptable.
2646 static int test_early_data_skip(int idx)
2648 return early_data_skip_helper(0, idx);
2652 * Test that a server attempting to read early data can handle a connection
2653 * from a client where an HRR occurs.
2655 static int test_early_data_skip_hrr(int idx)
2657 return early_data_skip_helper(1, idx);
2661 * Test that a server attempting to read early data can handle a connection
2662 * from a client where an HRR occurs and correctly fails if early_data is sent
2665 static int test_early_data_skip_hrr_fail(int idx)
2667 return early_data_skip_helper(2, idx);
2671 * Test that a server attempting to read early data will abort if it tries to
2672 * skip over too much.
2674 static int test_early_data_skip_abort(int idx)
2676 return early_data_skip_helper(3, idx);
2680 * Test that a server attempting to read early data can handle a connection
2681 * from a client that doesn't send any.
2683 static int test_early_data_not_sent(int idx)
2685 SSL_CTX *cctx = NULL, *sctx = NULL;
2686 SSL *clientssl = NULL, *serverssl = NULL;
2688 SSL_SESSION *sess = NULL;
2689 unsigned char buf[20];
2690 size_t readbytes, written;
2692 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2693 &serverssl, &sess, idx)))
2696 /* Write some data - should block due to handshake with server */
2697 SSL_set_connect_state(clientssl);
2698 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2701 /* Server should detect that early data has not been sent */
2702 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2704 SSL_READ_EARLY_DATA_FINISH)
2705 || !TEST_size_t_eq(readbytes, 0)
2706 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2707 SSL_EARLY_DATA_NOT_SENT)
2708 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2709 SSL_EARLY_DATA_NOT_SENT))
2712 /* Continue writing the message we started earlier */
2713 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2714 || !TEST_size_t_eq(written, strlen(MSG1))
2715 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2716 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2717 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2718 || !TEST_size_t_eq(written, strlen(MSG2)))
2721 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2722 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2728 SSL_SESSION_free(sess);
2729 SSL_SESSION_free(clientpsk);
2730 SSL_SESSION_free(serverpsk);
2731 clientpsk = serverpsk = NULL;
2732 SSL_free(serverssl);
2733 SSL_free(clientssl);
2739 static int hostname_cb(SSL *s, int *al, void *arg)
2741 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2743 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2744 return SSL_TLSEXT_ERR_OK;
2746 return SSL_TLSEXT_ERR_NOACK;
2749 static const char *servalpn;
2751 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2752 unsigned char *outlen, const unsigned char *in,
2753 unsigned int inlen, void *arg)
2755 unsigned int protlen = 0;
2756 const unsigned char *prot;
2758 for (prot = in; prot < in + inlen; prot += protlen) {
2760 if (in + inlen < prot + protlen)
2761 return SSL_TLSEXT_ERR_NOACK;
2763 if (protlen == strlen(servalpn)
2764 && memcmp(prot, servalpn, protlen) == 0) {
2767 return SSL_TLSEXT_ERR_OK;
2771 return SSL_TLSEXT_ERR_NOACK;
2774 /* Test that a PSK can be used to send early_data */
2775 static int test_early_data_psk(int idx)
2777 SSL_CTX *cctx = NULL, *sctx = NULL;
2778 SSL *clientssl = NULL, *serverssl = NULL;
2780 SSL_SESSION *sess = NULL;
2781 unsigned char alpnlist[] = {
2782 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2785 #define GOODALPNLEN 9
2786 #define BADALPNLEN 8
2787 #define GOODALPN (alpnlist)
2788 #define BADALPN (alpnlist + GOODALPNLEN)
2790 unsigned char buf[20];
2791 size_t readbytes, written;
2792 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2793 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2795 /* We always set this up with a final parameter of "2" for PSK */
2796 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2797 &serverssl, &sess, 2)))
2800 servalpn = "goodalpn";
2803 * Note: There is no test for inconsistent SNI with late client detection.
2804 * This is because servers do not acknowledge SNI even if they are using
2805 * it in a resumption handshake - so it is not actually possible for a
2806 * client to detect a problem.
2810 /* Set inconsistent SNI (early client detection) */
2811 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2812 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2813 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2818 /* Set inconsistent ALPN (early client detection) */
2819 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2820 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2821 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2823 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2830 * Set invalid protocol version. Technically this affects PSKs without
2831 * early_data too, but we test it here because it is similar to the
2832 * SNI/ALPN consistency tests.
2834 err = SSL_R_BAD_PSK;
2835 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2841 * Set inconsistent SNI (server detected). In this case the connection
2842 * will succeed but reject early_data.
2844 SSL_SESSION_free(serverpsk);
2845 serverpsk = SSL_SESSION_dup(clientpsk);
2846 if (!TEST_ptr(serverpsk)
2847 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2849 edstatus = SSL_EARLY_DATA_REJECTED;
2850 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2853 /* Set consistent SNI */
2854 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2855 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2856 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2863 * Set inconsistent ALPN (server detected). In this case the connection
2864 * will succeed but reject early_data.
2866 servalpn = "badalpn";
2867 edstatus = SSL_EARLY_DATA_REJECTED;
2868 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2872 * Set consistent ALPN.
2873 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2874 * accepts a list of protos (each one length prefixed).
2875 * SSL_set1_alpn_selected accepts a single protocol (not length
2878 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2880 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2884 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2888 /* Set inconsistent ALPN (late client detection) */
2889 SSL_SESSION_free(serverpsk);
2890 serverpsk = SSL_SESSION_dup(clientpsk);
2891 if (!TEST_ptr(serverpsk)
2892 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2895 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2898 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2901 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2902 edstatus = SSL_EARLY_DATA_ACCEPTED;
2903 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2904 /* SSL_connect() call should fail */
2909 TEST_error("Bad test index");
2913 SSL_set_connect_state(clientssl);
2915 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2917 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2918 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2921 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2925 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2926 &readbytes), readearlyres)
2927 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2928 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2929 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2930 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2937 SSL_SESSION_free(sess);
2938 SSL_SESSION_free(clientpsk);
2939 SSL_SESSION_free(serverpsk);
2940 clientpsk = serverpsk = NULL;
2941 SSL_free(serverssl);
2942 SSL_free(clientssl);
2949 * Test that a server that doesn't try to read early data can handle a
2950 * client sending some.
2952 static int test_early_data_not_expected(int idx)
2954 SSL_CTX *cctx = NULL, *sctx = NULL;
2955 SSL *clientssl = NULL, *serverssl = NULL;
2957 SSL_SESSION *sess = NULL;
2958 unsigned char buf[20];
2959 size_t readbytes, written;
2961 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2962 &serverssl, &sess, idx)))
2965 /* Write some early data */
2966 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2971 * Server should skip over early data and then block waiting for client to
2972 * continue handshake
2974 if (!TEST_int_le(SSL_accept(serverssl), 0)
2975 || !TEST_int_gt(SSL_connect(clientssl), 0)
2976 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2977 SSL_EARLY_DATA_REJECTED)
2978 || !TEST_int_gt(SSL_accept(serverssl), 0)
2979 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2980 SSL_EARLY_DATA_REJECTED))
2983 /* Send some normal data from client to server */
2984 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2985 || !TEST_size_t_eq(written, strlen(MSG2)))
2988 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2989 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2995 SSL_SESSION_free(sess);
2996 SSL_SESSION_free(clientpsk);
2997 SSL_SESSION_free(serverpsk);
2998 clientpsk = serverpsk = NULL;
2999 SSL_free(serverssl);
3000 SSL_free(clientssl);
3007 # ifndef OPENSSL_NO_TLS1_2
3009 * Test that a server attempting to read early data can handle a connection
3010 * from a TLSv1.2 client.
3012 static int test_early_data_tls1_2(int idx)
3014 SSL_CTX *cctx = NULL, *sctx = NULL;
3015 SSL *clientssl = NULL, *serverssl = NULL;
3017 unsigned char buf[20];
3018 size_t readbytes, written;
3020 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3021 &serverssl, NULL, idx)))
3024 /* Write some data - should block due to handshake with server */
3025 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3026 SSL_set_connect_state(clientssl);
3027 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3031 * Server should do TLSv1.2 handshake. First it will block waiting for more
3032 * messages from client after ServerDone. Then SSL_read_early_data should
3033 * finish and detect that early data has not been sent
3035 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3037 SSL_READ_EARLY_DATA_ERROR))
3041 * Continue writing the message we started earlier. Will still block waiting
3042 * for the CCS/Finished from server
3044 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3045 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3047 SSL_READ_EARLY_DATA_FINISH)
3048 || !TEST_size_t_eq(readbytes, 0)
3049 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3050 SSL_EARLY_DATA_NOT_SENT))
3053 /* Continue writing the message we started earlier */
3054 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3055 || !TEST_size_t_eq(written, strlen(MSG1))
3056 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3057 SSL_EARLY_DATA_NOT_SENT)
3058 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3059 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3060 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3061 || !TEST_size_t_eq(written, strlen(MSG2))
3062 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3063 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3069 SSL_SESSION_free(clientpsk);
3070 SSL_SESSION_free(serverpsk);
3071 clientpsk = serverpsk = NULL;
3072 SSL_free(serverssl);
3073 SSL_free(clientssl);
3079 # endif /* OPENSSL_NO_TLS1_2 */
3082 * Test configuring the TLSv1.3 ciphersuites
3084 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3085 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3086 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3087 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3088 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3089 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3090 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3091 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3092 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3093 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3095 static int test_set_ciphersuite(int idx)
3097 SSL_CTX *cctx = NULL, *sctx = NULL;
3098 SSL *clientssl = NULL, *serverssl = NULL;
3101 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3102 TLS1_VERSION, TLS_MAX_VERSION,
3103 &sctx, &cctx, cert, privkey))
3104 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3105 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3108 if (idx >=4 && idx <= 7) {
3109 /* SSL_CTX explicit cipher list */
3110 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3114 if (idx == 0 || idx == 4) {
3115 /* Default ciphersuite */
3116 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3117 "TLS_AES_128_GCM_SHA256")))
3119 } else if (idx == 1 || idx == 5) {
3120 /* Non default ciphersuite */
3121 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3122 "TLS_AES_128_CCM_SHA256")))
3126 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3127 &clientssl, NULL, NULL)))
3130 if (idx == 8 || idx == 9) {
3131 /* SSL explicit cipher list */
3132 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3136 if (idx == 2 || idx == 6 || idx == 8) {
3137 /* Default ciphersuite */
3138 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3139 "TLS_AES_128_GCM_SHA256")))
3141 } else if (idx == 3 || idx == 7 || idx == 9) {
3142 /* Non default ciphersuite */
3143 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3144 "TLS_AES_128_CCM_SHA256")))
3148 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3154 SSL_free(serverssl);
3155 SSL_free(clientssl);
3162 static int test_ciphersuite_change(void)
3164 SSL_CTX *cctx = NULL, *sctx = NULL;
3165 SSL *clientssl = NULL, *serverssl = NULL;
3166 SSL_SESSION *clntsess = NULL;
3168 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3170 /* Create a session based on SHA-256 */
3171 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3172 TLS1_VERSION, TLS_MAX_VERSION,
3173 &sctx, &cctx, cert, privkey))
3174 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3175 "TLS_AES_128_GCM_SHA256"))
3176 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3177 &clientssl, NULL, NULL))
3178 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3182 clntsess = SSL_get1_session(clientssl);
3183 /* Save for later */
3184 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3185 SSL_shutdown(clientssl);
3186 SSL_shutdown(serverssl);
3187 SSL_free(serverssl);
3188 SSL_free(clientssl);
3189 serverssl = clientssl = NULL;
3191 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3192 /* Check we can resume a session with a different SHA-256 ciphersuite */
3193 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3194 "TLS_CHACHA20_POLY1305_SHA256"))
3195 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3197 || !TEST_true(SSL_set_session(clientssl, clntsess))
3198 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3200 || !TEST_true(SSL_session_reused(clientssl)))
3203 SSL_SESSION_free(clntsess);
3204 clntsess = SSL_get1_session(clientssl);
3205 SSL_shutdown(clientssl);
3206 SSL_shutdown(serverssl);
3207 SSL_free(serverssl);
3208 SSL_free(clientssl);
3209 serverssl = clientssl = NULL;
3213 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3214 * succeeds but does not resume.
3216 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3217 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3219 || !TEST_true(SSL_set_session(clientssl, clntsess))
3220 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3222 || !TEST_false(SSL_session_reused(clientssl)))
3225 SSL_SESSION_free(clntsess);
3227 SSL_shutdown(clientssl);
3228 SSL_shutdown(serverssl);
3229 SSL_free(serverssl);
3230 SSL_free(clientssl);
3231 serverssl = clientssl = NULL;
3233 /* Create a session based on SHA384 */
3234 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3235 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3236 &clientssl, NULL, NULL))
3237 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3241 clntsess = SSL_get1_session(clientssl);
3242 SSL_shutdown(clientssl);
3243 SSL_shutdown(serverssl);
3244 SSL_free(serverssl);
3245 SSL_free(clientssl);
3246 serverssl = clientssl = NULL;
3248 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3249 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3250 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3251 "TLS_AES_256_GCM_SHA384"))
3252 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3254 || !TEST_true(SSL_set_session(clientssl, clntsess))
3256 * We use SSL_ERROR_WANT_READ below so that we can pause the
3257 * connection after the initial ClientHello has been sent to
3258 * enable us to make some session changes.
3260 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3261 SSL_ERROR_WANT_READ)))
3264 /* Trick the client into thinking this session is for a different digest */
3265 clntsess->cipher = aes_128_gcm_sha256;
3266 clntsess->cipher_id = clntsess->cipher->id;
3269 * Continue the previously started connection. Server has selected a SHA-384
3270 * ciphersuite, but client thinks the session is for SHA-256, so it should
3273 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3275 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3276 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3282 SSL_SESSION_free(clntsess);
3283 SSL_free(serverssl);
3284 SSL_free(clientssl);
3293 * Test 0 = Test new style callbacks
3294 * Test 1 = Test both new and old style callbacks
3295 * Test 2 = Test old style callbacks
3296 * Test 3 = Test old style callbacks with no certificate
3298 static int test_tls13_psk(int idx)
3300 SSL_CTX *sctx = NULL, *cctx = NULL;
3301 SSL *serverssl = NULL, *clientssl = NULL;
3302 const SSL_CIPHER *cipher = NULL;
3303 const unsigned char key[] = {
3304 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3305 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3306 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3307 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3311 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3312 TLS1_VERSION, TLS_MAX_VERSION,
3313 &sctx, &cctx, idx == 3 ? NULL : cert,
3314 idx == 3 ? NULL : privkey)))
3319 * We use a ciphersuite with SHA256 to ease testing old style PSK
3320 * callbacks which will always default to SHA256. This should not be
3321 * necessary if we have no cert/priv key. In that case the server should
3322 * prefer SHA256 automatically.
3324 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3325 "TLS_AES_128_GCM_SHA256")))
3330 * Test 0: New style callbacks only
3331 * Test 1: New and old style callbacks (only the new ones should be used)
3332 * Test 2: Old style callbacks only
3334 if (idx == 0 || idx == 1) {
3335 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3336 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3338 #ifndef OPENSSL_NO_PSK
3340 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3341 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3345 use_session_cb_cnt = 0;
3346 find_session_cb_cnt = 0;
3347 psk_client_cb_cnt = 0;
3348 psk_server_cb_cnt = 0;
3352 * Check we can create a connection if callback decides not to send a
3355 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3357 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3359 || !TEST_false(SSL_session_reused(clientssl))
3360 || !TEST_false(SSL_session_reused(serverssl)))
3363 if (idx == 0 || idx == 1) {
3364 if (!TEST_true(use_session_cb_cnt == 1)
3365 || !TEST_true(find_session_cb_cnt == 0)
3367 * If no old style callback then below should be 0
3370 || !TEST_true(psk_client_cb_cnt == idx)
3371 || !TEST_true(psk_server_cb_cnt == 0))
3374 if (!TEST_true(use_session_cb_cnt == 0)
3375 || !TEST_true(find_session_cb_cnt == 0)
3376 || !TEST_true(psk_client_cb_cnt == 1)
3377 || !TEST_true(psk_server_cb_cnt == 0))
3381 shutdown_ssl_connection(serverssl, clientssl);
3382 serverssl = clientssl = NULL;
3383 use_session_cb_cnt = psk_client_cb_cnt = 0;
3386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3390 /* Create the PSK */
3391 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3392 clientpsk = SSL_SESSION_new();
3393 if (!TEST_ptr(clientpsk)
3394 || !TEST_ptr(cipher)
3395 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3397 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3398 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3400 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3402 serverpsk = clientpsk;
3404 /* Check we can create a connection and the PSK is used */
3405 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3406 || !TEST_true(SSL_session_reused(clientssl))
3407 || !TEST_true(SSL_session_reused(serverssl)))
3410 if (idx == 0 || idx == 1) {
3411 if (!TEST_true(use_session_cb_cnt == 1)
3412 || !TEST_true(find_session_cb_cnt == 1)
3413 || !TEST_true(psk_client_cb_cnt == 0)
3414 || !TEST_true(psk_server_cb_cnt == 0))
3417 if (!TEST_true(use_session_cb_cnt == 0)
3418 || !TEST_true(find_session_cb_cnt == 0)
3419 || !TEST_true(psk_client_cb_cnt == 1)
3420 || !TEST_true(psk_server_cb_cnt == 1))
3424 shutdown_ssl_connection(serverssl, clientssl);
3425 serverssl = clientssl = NULL;
3426 use_session_cb_cnt = find_session_cb_cnt = 0;
3427 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3429 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3434 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3438 * Check we can create a connection, the PSK is used and the callbacks are
3441 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3442 || !TEST_true(SSL_session_reused(clientssl))
3443 || !TEST_true(SSL_session_reused(serverssl)))
3446 if (idx == 0 || idx == 1) {
3447 if (!TEST_true(use_session_cb_cnt == 2)
3448 || !TEST_true(find_session_cb_cnt == 2)
3449 || !TEST_true(psk_client_cb_cnt == 0)
3450 || !TEST_true(psk_server_cb_cnt == 0))
3453 if (!TEST_true(use_session_cb_cnt == 0)
3454 || !TEST_true(find_session_cb_cnt == 0)
3455 || !TEST_true(psk_client_cb_cnt == 2)
3456 || !TEST_true(psk_server_cb_cnt == 2))
3460 shutdown_ssl_connection(serverssl, clientssl);
3461 serverssl = clientssl = NULL;
3462 use_session_cb_cnt = find_session_cb_cnt = 0;
3463 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3467 * Check that if the server rejects the PSK we can still connect, but with
3470 srvid = "Dummy Identity";
3471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3475 || !TEST_false(SSL_session_reused(clientssl))
3476 || !TEST_false(SSL_session_reused(serverssl)))
3479 if (idx == 0 || idx == 1) {
3480 if (!TEST_true(use_session_cb_cnt == 1)
3481 || !TEST_true(find_session_cb_cnt == 1)
3482 || !TEST_true(psk_client_cb_cnt == 0)
3484 * If no old style callback then below should be 0
3487 || !TEST_true(psk_server_cb_cnt == idx))
3490 if (!TEST_true(use_session_cb_cnt == 0)
3491 || !TEST_true(find_session_cb_cnt == 0)
3492 || !TEST_true(psk_client_cb_cnt == 1)
3493 || !TEST_true(psk_server_cb_cnt == 1))
3497 shutdown_ssl_connection(serverssl, clientssl);
3498 serverssl = clientssl = NULL;
3503 SSL_SESSION_free(clientpsk);
3504 SSL_SESSION_free(serverpsk);
3505 clientpsk = serverpsk = NULL;
3506 SSL_free(serverssl);
3507 SSL_free(clientssl);
3513 static unsigned char cookie_magic_value[] = "cookie magic";
3515 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3516 unsigned int *cookie_len)
3519 * Not suitable as a real cookie generation function but good enough for
3522 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3523 *cookie_len = sizeof(cookie_magic_value) - 1;
3528 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3529 unsigned int cookie_len)
3531 if (cookie_len == sizeof(cookie_magic_value) - 1
3532 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3538 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3542 int res = generate_cookie_callback(ssl, cookie, &temp);
3547 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3550 return verify_cookie_callback(ssl, cookie, cookie_len);
3553 static int test_stateless(void)
3555 SSL_CTX *sctx = NULL, *cctx = NULL;
3556 SSL *serverssl = NULL, *clientssl = NULL;
3559 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3560 TLS1_VERSION, TLS_MAX_VERSION,
3561 &sctx, &cctx, cert, privkey)))
3564 /* The arrival of CCS messages can confuse the test */
3565 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3567 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3569 /* Send the first ClientHello */
3570 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3571 SSL_ERROR_WANT_READ))
3573 * This should fail with a -1 return because we have no callbacks
3576 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3579 /* Fatal error so abandon the connection from this client */
3580 SSL_free(clientssl);
3583 /* Set up the cookie generation and verification callbacks */
3584 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3585 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3588 * Create a new connection from the client (we can reuse the server SSL
3591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3593 /* Send the first ClientHello */
3594 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3595 SSL_ERROR_WANT_READ))
3596 /* This should fail because there is no cookie */
3597 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3600 /* Abandon the connection from this client */
3601 SSL_free(clientssl);
3605 * Now create a connection from a new client but with the same server SSL
3608 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3610 /* Send the first ClientHello */
3611 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3612 SSL_ERROR_WANT_READ))
3613 /* This should fail because there is no cookie */
3614 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3615 /* Send the second ClientHello */
3616 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3617 SSL_ERROR_WANT_READ))
3618 /* This should succeed because a cookie is now present */
3619 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3620 /* Complete the connection */
3621 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3625 shutdown_ssl_connection(serverssl, clientssl);
3626 serverssl = clientssl = NULL;
3630 SSL_free(serverssl);
3631 SSL_free(clientssl);
3637 #endif /* OPENSSL_NO_TLS1_3 */
3639 static int clntaddoldcb = 0;
3640 static int clntparseoldcb = 0;
3641 static int srvaddoldcb = 0;
3642 static int srvparseoldcb = 0;
3643 static int clntaddnewcb = 0;
3644 static int clntparsenewcb = 0;
3645 static int srvaddnewcb = 0;
3646 static int srvparsenewcb = 0;
3647 static int snicb = 0;
3649 #define TEST_EXT_TYPE1 0xff00
3651 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3652 size_t *outlen, int *al, void *add_arg)
3654 int *server = (int *)add_arg;
3655 unsigned char *data;
3657 if (SSL_is_server(s))
3662 if (*server != SSL_is_server(s)
3663 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3668 *outlen = sizeof(char);
3672 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3675 OPENSSL_free((unsigned char *)out);
3678 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3679 size_t inlen, int *al, void *parse_arg)
3681 int *server = (int *)parse_arg;
3683 if (SSL_is_server(s))
3688 if (*server != SSL_is_server(s)
3689 || inlen != sizeof(char)
3696 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3697 const unsigned char **out, size_t *outlen, X509 *x,
3698 size_t chainidx, int *al, void *add_arg)
3700 int *server = (int *)add_arg;
3701 unsigned char *data;
3703 if (SSL_is_server(s))
3708 if (*server != SSL_is_server(s)
3709 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3714 *outlen = sizeof(*data);
3718 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3719 const unsigned char *out, void *add_arg)
3721 OPENSSL_free((unsigned char *)out);
3724 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3725 const unsigned char *in, size_t inlen, X509 *x,
3726 size_t chainidx, int *al, void *parse_arg)
3728 int *server = (int *)parse_arg;
3730 if (SSL_is_server(s))
3735 if (*server != SSL_is_server(s)
3736 || inlen != sizeof(char) || *in != 1)
3742 static int sni_cb(SSL *s, int *al, void *arg)
3744 SSL_CTX *ctx = (SSL_CTX *)arg;
3746 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3747 *al = SSL_AD_INTERNAL_ERROR;
3748 return SSL_TLSEXT_ERR_ALERT_FATAL;
3751 return SSL_TLSEXT_ERR_OK;
3755 * Custom call back tests.
3756 * Test 0: Old style callbacks in TLSv1.2
3757 * Test 1: New style callbacks in TLSv1.2
3758 * Test 2: New style callbacks in TLSv1.2 with SNI
3759 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3760 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3762 static int test_custom_exts(int tst)
3764 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3765 SSL *clientssl = NULL, *serverssl = NULL;
3767 static int server = 1;
3768 static int client = 0;
3769 SSL_SESSION *sess = NULL;
3770 unsigned int context;
3772 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3773 /* Skip tests for TLSv1.2 and below in this case */
3778 /* Reset callback counters */
3779 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3780 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3783 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3784 TLS1_VERSION, TLS_MAX_VERSION,
3785 &sctx, &cctx, cert, privkey)))
3789 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3790 TLS1_VERSION, TLS_MAX_VERSION,
3791 &sctx2, NULL, cert, privkey)))
3796 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3797 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3799 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3803 context = SSL_EXT_CLIENT_HELLO
3804 | SSL_EXT_TLS1_2_SERVER_HELLO
3805 | SSL_EXT_TLS1_3_SERVER_HELLO
3806 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3807 | SSL_EXT_TLS1_3_CERTIFICATE
3808 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3810 context = SSL_EXT_CLIENT_HELLO
3811 | SSL_EXT_TLS1_2_SERVER_HELLO
3812 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3815 /* Create a client side custom extension */
3817 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3818 old_add_cb, old_free_cb,
3819 &client, old_parse_cb,
3823 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3824 new_add_cb, new_free_cb,
3825 &client, new_parse_cb, &client)))
3829 /* Should not be able to add duplicates */
3830 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3831 old_add_cb, old_free_cb,
3832 &client, old_parse_cb,
3834 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3835 context, new_add_cb,
3836 new_free_cb, &client,
3837 new_parse_cb, &client)))
3840 /* Create a server side custom extension */
3842 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3843 old_add_cb, old_free_cb,
3844 &server, old_parse_cb,
3848 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3849 new_add_cb, new_free_cb,
3850 &server, new_parse_cb, &server)))
3853 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3854 context, new_add_cb,
3855 new_free_cb, &server,
3856 new_parse_cb, &server)))
3860 /* Should not be able to add duplicates */
3861 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3862 old_add_cb, old_free_cb,
3863 &server, old_parse_cb,
3865 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3866 context, new_add_cb,
3867 new_free_cb, &server,
3868 new_parse_cb, &server)))
3873 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3874 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3879 &clientssl, NULL, NULL))
3880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3885 if (clntaddoldcb != 1
3886 || clntparseoldcb != 1
3888 || srvparseoldcb != 1)
3890 } else if (tst == 1 || tst == 2 || tst == 3) {
3891 if (clntaddnewcb != 1
3892 || clntparsenewcb != 1
3894 || srvparsenewcb != 1
3895 || (tst != 2 && snicb != 0)
3896 || (tst == 2 && snicb != 1))
3899 /* In this case there 2 NewSessionTicket messages created */
3900 if (clntaddnewcb != 1
3901 || clntparsenewcb != 5
3903 || srvparsenewcb != 1)
3907 sess = SSL_get1_session(clientssl);
3908 SSL_shutdown(clientssl);
3909 SSL_shutdown(serverssl);
3910 SSL_free(serverssl);
3911 SSL_free(clientssl);
3912 serverssl = clientssl = NULL;
3915 /* We don't bother with the resumption aspects for this test */
3920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3922 || !TEST_true(SSL_set_session(clientssl, sess))
3923 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3928 * For a resumed session we expect to add the ClientHello extension. For the
3929 * old style callbacks we ignore it on the server side because they set
3930 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3934 if (clntaddoldcb != 2
3935 || clntparseoldcb != 1
3937 || srvparseoldcb != 1)
3939 } else if (tst == 1 || tst == 2 || tst == 3) {
3940 if (clntaddnewcb != 2
3941 || clntparsenewcb != 2
3943 || srvparsenewcb != 2)
3947 * No Certificate message extensions in the resumption handshake,
3948 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3950 if (clntaddnewcb != 2
3951 || clntparsenewcb != 8
3953 || srvparsenewcb != 2)
3960 SSL_SESSION_free(sess);
3961 SSL_free(serverssl);
3962 SSL_free(clientssl);
3963 SSL_CTX_free(sctx2);
3970 * Test loading of serverinfo data in various formats. test_sslmessages actually
3971 * tests to make sure the extensions appear in the handshake
3973 static int test_serverinfo(int tst)
3975 unsigned int version;
3976 unsigned char *sibuf;
3978 int ret, expected, testresult = 0;
3981 ctx = SSL_CTX_new(TLS_method());
3985 if ((tst & 0x01) == 0x01)
3986 version = SSL_SERVERINFOV2;
3988 version = SSL_SERVERINFOV1;
3990 if ((tst & 0x02) == 0x02) {
3991 sibuf = serverinfov2;
3992 sibuflen = sizeof(serverinfov2);
3993 expected = (version == SSL_SERVERINFOV2);
3995 sibuf = serverinfov1;
3996 sibuflen = sizeof(serverinfov1);
3997 expected = (version == SSL_SERVERINFOV1);
4000 if ((tst & 0x04) == 0x04) {
4001 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4003 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4006 * The version variable is irrelevant in this case - it's what is in the
4007 * buffer that matters
4009 if ((tst & 0x02) == 0x02)
4015 if (!TEST_true(ret == expected))
4027 * Test that SSL_export_keying_material() produces expected results. There are
4028 * no test vectors so all we do is test that both sides of the communication
4029 * produce the same results for different protocol versions.
4031 #define SMALL_LABEL_LEN 10
4032 #define LONG_LABEL_LEN 249
4033 static int test_export_key_mat(int tst)
4036 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4037 SSL *clientssl = NULL, *serverssl = NULL;
4038 const char label[LONG_LABEL_LEN + 1] = "test label";
4039 const unsigned char context[] = "context";
4040 const unsigned char *emptycontext = NULL;
4041 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4042 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4044 const int protocols[] = {
4053 #ifdef OPENSSL_NO_TLS1
4057 #ifdef OPENSSL_NO_TLS1_1
4061 #ifdef OPENSSL_NO_TLS1_2
4065 #ifdef OPENSSL_NO_TLS1_3
4069 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4070 TLS1_VERSION, TLS_MAX_VERSION,
4071 &sctx, &cctx, cert, privkey)))
4074 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4075 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4076 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4078 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4080 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4086 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4089 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4090 sizeof(ckeymat1), label,
4091 LONG_LABEL_LEN + 1, context,
4092 sizeof(context) - 1, 1), 0))
4097 } else if (tst == 4) {
4098 labellen = LONG_LABEL_LEN;
4100 labellen = SMALL_LABEL_LEN;
4103 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4104 sizeof(ckeymat1), label,
4106 sizeof(context) - 1, 1), 1)
4107 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4108 sizeof(ckeymat2), label,
4112 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4113 sizeof(ckeymat3), label,
4116 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4117 sizeof(skeymat1), label,
4120 sizeof(context) -1, 1),
4122 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4123 sizeof(skeymat2), label,
4127 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4128 sizeof(skeymat3), label,
4132 * Check that both sides created the same key material with the
4135 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4138 * Check that both sides created the same key material with an
4141 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4144 * Check that both sides created the same key material without a
4147 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4149 /* Different contexts should produce different results */
4150 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4155 * Check that an empty context and no context produce different results in
4156 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4158 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4160 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4167 SSL_free(serverssl);
4168 SSL_free(clientssl);
4169 SSL_CTX_free(sctx2);
4176 #ifndef OPENSSL_NO_TLS1_3
4178 * Test that SSL_export_keying_material_early() produces expected
4179 * results. There are no test vectors so all we do is test that both
4180 * sides of the communication produce the same results for different
4181 * protocol versions.
4183 static int test_export_key_mat_early(int idx)
4185 static const char label[] = "test label";
4186 static const unsigned char context[] = "context";
4188 SSL_CTX *cctx = NULL, *sctx = NULL;
4189 SSL *clientssl = NULL, *serverssl = NULL;
4190 SSL_SESSION *sess = NULL;
4191 const unsigned char *emptycontext = NULL;
4192 unsigned char ckeymat1[80], ckeymat2[80];
4193 unsigned char skeymat1[80], skeymat2[80];
4194 unsigned char buf[1];
4195 size_t readbytes, written;
4197 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4201 /* Here writing 0 length early data is enough. */
4202 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4203 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4205 SSL_READ_EARLY_DATA_ERROR)
4206 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4207 SSL_EARLY_DATA_ACCEPTED))
4210 if (!TEST_int_eq(SSL_export_keying_material_early(
4211 clientssl, ckeymat1, sizeof(ckeymat1), label,
4212 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4213 || !TEST_int_eq(SSL_export_keying_material_early(
4214 clientssl, ckeymat2, sizeof(ckeymat2), label,
4215 sizeof(label) - 1, emptycontext, 0), 1)
4216 || !TEST_int_eq(SSL_export_keying_material_early(
4217 serverssl, skeymat1, sizeof(skeymat1), label,
4218 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4219 || !TEST_int_eq(SSL_export_keying_material_early(
4220 serverssl, skeymat2, sizeof(skeymat2), label,
4221 sizeof(label) - 1, emptycontext, 0), 1)
4223 * Check that both sides created the same key material with the
4226 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4229 * Check that both sides created the same key material with an
4232 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4234 /* Different contexts should produce different results */
4235 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4242 SSL_SESSION_free(sess);
4243 SSL_SESSION_free(clientpsk);
4244 SSL_SESSION_free(serverpsk);
4245 clientpsk = serverpsk = NULL;
4246 SSL_free(serverssl);
4247 SSL_free(clientssl);
4254 #define NUM_KEY_UPDATE_MESSAGES 40
4258 static int test_key_update(void)
4260 SSL_CTX *cctx = NULL, *sctx = NULL;
4261 SSL *clientssl = NULL, *serverssl = NULL;
4262 int testresult = 0, i, j;
4264 static char *mess = "A test message";
4266 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4267 TLS_client_method(),
4270 &sctx, &cctx, cert, privkey))
4271 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4273 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4277 for (j = 0; j < 2; j++) {
4278 /* Send lots of KeyUpdate messages */
4279 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
4280 if (!TEST_true(SSL_key_update(clientssl,
4282 ? SSL_KEY_UPDATE_NOT_REQUESTED
4283 : SSL_KEY_UPDATE_REQUESTED))
4284 || !TEST_true(SSL_do_handshake(clientssl)))
4288 /* Check that sending and receiving app data is ok */
4289 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
4290 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
4294 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
4295 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
4303 SSL_free(serverssl);
4304 SSL_free(clientssl);
4312 * Test we can handle a KeyUpdate (update requested) message while write data
4314 * Test 0: Client sends KeyUpdate while Server is writing
4315 * Test 1: Server sends KeyUpdate while Client is writing
4317 static int test_key_update_in_write(int tst)
4319 SSL_CTX *cctx = NULL, *sctx = NULL;
4320 SSL *clientssl = NULL, *serverssl = NULL;
4323 static char *mess = "A test message";
4324 BIO *bretry = BIO_new(bio_s_always_retry());
4326 SSL *peerupdate = NULL, *peerwrite = NULL;
4328 if (!TEST_ptr(bretry)
4329 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4330 TLS_client_method(),
4333 &sctx, &cctx, cert, privkey))
4334 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4336 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4340 peerupdate = tst == 0 ? clientssl : serverssl;
4341 peerwrite = tst == 0 ? serverssl : clientssl;
4343 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
4344 || !TEST_true(SSL_do_handshake(peerupdate)))
4347 /* Swap the writing endpoint's write BIO to force a retry */
4348 tmp = SSL_get_wbio(peerwrite);
4349 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
4353 SSL_set0_wbio(peerwrite, bretry);
4356 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
4357 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
4358 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
4361 /* Reinstate the original writing endpoint's write BIO */
4362 SSL_set0_wbio(peerwrite, tmp);
4365 /* Now read some data - we will read the key update */
4366 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
4367 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
4371 * Complete the write we started previously and read it from the other
4374 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4375 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
4378 /* Write more data to ensure we send the KeyUpdate message back */
4379 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4380 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
4386 SSL_free(serverssl);
4387 SSL_free(clientssl);
4395 #endif /* OPENSSL_NO_TLS1_3 */
4397 static int test_ssl_clear(int idx)
4399 SSL_CTX *cctx = NULL, *sctx = NULL;
4400 SSL *clientssl = NULL, *serverssl = NULL;
4403 #ifdef OPENSSL_NO_TLS1_2
4408 /* Create an initial connection */
4409 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4410 TLS1_VERSION, TLS_MAX_VERSION,
4411 &sctx, &cctx, cert, privkey))
4413 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4415 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4416 &clientssl, NULL, NULL))
4417 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4421 SSL_shutdown(clientssl);
4422 SSL_shutdown(serverssl);
4423 SSL_free(serverssl);
4426 /* Clear clientssl - we're going to reuse the object */
4427 if (!TEST_true(SSL_clear(clientssl)))
4430 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4432 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4434 || !TEST_true(SSL_session_reused(clientssl)))
4437 SSL_shutdown(clientssl);
4438 SSL_shutdown(serverssl);
4443 SSL_free(serverssl);
4444 SSL_free(clientssl);
4451 /* Parse CH and retrieve any MFL extension value if present */
4452 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4455 unsigned char *data;
4456 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4457 unsigned int MFL_code = 0, type = 0;
4459 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4462 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4463 /* Skip the record header */
4464 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4465 /* Skip the handshake message header */
4466 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4467 /* Skip client version and random */
4468 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4469 + SSL3_RANDOM_SIZE))
4470 /* Skip session id */
4471 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4473 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4474 /* Skip compression */
4475 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4476 /* Extensions len */
4477 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4480 /* Loop through all extensions */
4481 while (PACKET_remaining(&pkt2)) {
4482 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4483 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4486 if (type == TLSEXT_TYPE_max_fragment_length) {
4487 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4488 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4491 *mfl_codemfl_code = MFL_code;
4500 /* Maximum-Fragment-Length TLS extension mode to test */
4501 static const unsigned char max_fragment_len_test[] = {
4502 TLSEXT_max_fragment_length_512,
4503 TLSEXT_max_fragment_length_1024,
4504 TLSEXT_max_fragment_length_2048,
4505 TLSEXT_max_fragment_length_4096
4508 static int test_max_fragment_len_ext(int idx_tst)
4512 int testresult = 0, MFL_mode = 0;
4515 ctx = SSL_CTX_new(TLS_method());
4519 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4520 ctx, max_fragment_len_test[idx_tst])))
4527 rbio = BIO_new(BIO_s_mem());
4528 wbio = BIO_new(BIO_s_mem());
4529 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4535 SSL_set_bio(con, rbio, wbio);
4536 SSL_set_connect_state(con);
4538 if (!TEST_int_le(SSL_connect(con), 0)) {
4539 /* This shouldn't succeed because we don't have a server! */
4543 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4544 /* no MFL in client hello */
4546 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4558 #ifndef OPENSSL_NO_TLS1_3
4559 static int test_pha_key_update(void)
4561 SSL_CTX *cctx = NULL, *sctx = NULL;
4562 SSL *clientssl = NULL, *serverssl = NULL;
4565 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4566 TLS1_VERSION, TLS_MAX_VERSION,
4567 &sctx, &cctx, cert, privkey)))
4570 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4571 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4572 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4573 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4576 SSL_CTX_set_post_handshake_auth(cctx, 1);
4578 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4582 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4586 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4587 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4590 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4593 /* Start handshake on the server */
4594 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4597 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4598 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4602 SSL_shutdown(clientssl);
4603 SSL_shutdown(serverssl);
4608 SSL_free(serverssl);
4609 SSL_free(clientssl);
4616 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4618 static SRP_VBASE *vbase = NULL;
4620 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4622 int ret = SSL3_AL_FATAL;
4624 SRP_user_pwd *user = NULL;
4626 username = SSL_get_srp_username(s);
4627 if (username == NULL) {
4628 *ad = SSL_AD_INTERNAL_ERROR;
4632 user = SRP_VBASE_get1_by_user(vbase, username);
4634 *ad = SSL_AD_INTERNAL_ERROR;
4638 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4640 *ad = SSL_AD_INTERNAL_ERROR;
4647 SRP_user_pwd_free(user);
4651 static int create_new_vfile(char *userid, char *password, const char *filename)
4654 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4657 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4660 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4663 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4664 &row[DB_srpverifier], NULL, NULL);
4665 if (!TEST_ptr(gNid))
4669 * The only way to create an empty TXT_DB is to provide a BIO with no data
4672 db = TXT_DB_read(dummy, DB_NUMBER);
4676 out = BIO_new_file(filename, "w");
4680 row[DB_srpid] = OPENSSL_strdup(userid);
4681 row[DB_srptype] = OPENSSL_strdup("V");
4682 row[DB_srpgN] = OPENSSL_strdup(gNid);
4684 if (!TEST_ptr(row[DB_srpid])
4685 || !TEST_ptr(row[DB_srptype])
4686 || !TEST_ptr(row[DB_srpgN])
4687 || !TEST_true(TXT_DB_insert(db, row)))
4692 if (!TXT_DB_write(out, db))
4698 for (i = 0; i < DB_NUMBER; i++)
4699 OPENSSL_free(row[i]);
4709 static int create_new_vbase(char *userid, char *password)
4711 BIGNUM *verifier = NULL, *salt = NULL;
4712 const SRP_gN *lgN = NULL;
4713 SRP_user_pwd *user_pwd = NULL;
4716 lgN = SRP_get_default_gN(NULL);
4720 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4724 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4725 if (!TEST_ptr(user_pwd))
4728 user_pwd->N = lgN->N;
4729 user_pwd->g = lgN->g;
4730 user_pwd->id = OPENSSL_strdup(userid);
4731 if (!TEST_ptr(user_pwd->id))
4734 user_pwd->v = verifier;
4736 verifier = salt = NULL;
4738 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4744 SRP_user_pwd_free(user_pwd);
4754 * Test 0: Simple successful SRP connection, new vbase
4755 * Test 1: Connection failure due to bad password, new vbase
4756 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4757 * Test 3: Connection failure due to bad password, vbase loaded from existing
4759 * Test 4: Simple successful SRP connection, vbase loaded from new file
4760 * Test 5: Connection failure due to bad password, vbase loaded from new file
4762 static int test_srp(int tst)
4764 char *userid = "test", *password = "password", *tstsrpfile;
4765 SSL_CTX *cctx = NULL, *sctx = NULL;
4766 SSL *clientssl = NULL, *serverssl = NULL;
4767 int ret, testresult = 0;
4769 vbase = SRP_VBASE_new(NULL);
4770 if (!TEST_ptr(vbase))
4773 if (tst == 0 || tst == 1) {
4774 if (!TEST_true(create_new_vbase(userid, password)))
4777 if (tst == 4 || tst == 5) {
4778 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4780 tstsrpfile = tmpfilename;
4782 tstsrpfile = srpvfile;
4784 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4788 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4789 TLS1_VERSION, TLS_MAX_VERSION,
4790 &sctx, &cctx, cert, privkey)))
4793 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4794 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4795 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4796 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4797 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4801 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4804 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4808 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4812 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4814 if (!TEST_true(tst % 2 == 0))
4817 if (!TEST_true(tst % 2 == 1))
4824 SRP_VBASE_free(vbase);
4826 SSL_free(serverssl);
4827 SSL_free(clientssl);
4835 static int info_cb_failed = 0;
4836 static int info_cb_offset = 0;
4837 static int info_cb_this_state = -1;
4839 static struct info_cb_states_st {
4841 const char *statestr;
4842 } info_cb_states[][60] = {
4844 /* TLSv1.2 server followed by resumption */
4845 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4846 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4847 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4848 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4849 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4850 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4851 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4852 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4853 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4854 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4855 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4856 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4857 {SSL_CB_EXIT, NULL}, {0, NULL},
4859 /* TLSv1.2 client followed by resumption */
4860 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4861 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4862 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4863 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4864 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4865 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4866 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4867 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4868 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4869 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4870 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4871 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4873 /* TLSv1.3 server followed by resumption */
4874 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4875 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4876 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4877 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4878 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4879 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
4880 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4881 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4882 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4883 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4884 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
4885 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4886 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
4888 /* TLSv1.3 client followed by resumption */
4889 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4890 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4891 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4892 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4893 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4894 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
4895 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
4896 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
4897 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4898 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4899 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4900 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4901 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4902 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4903 {SSL_CB_EXIT, NULL}, {0, NULL},
4905 /* TLSv1.3 server, early_data */
4906 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4907 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4908 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4909 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4910 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4911 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4912 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
4913 {SSL_CB_EXIT, NULL}, {0, NULL},
4915 /* TLSv1.3 client, early_data */
4916 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4917 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4918 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4919 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4920 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4921 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4922 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4923 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
4924 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
4930 static void sslapi_info_callback(const SSL *s, int where, int ret)
4932 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4934 /* We do not ever expect a connection to fail in this test */
4935 if (!TEST_false(ret == 0)) {
4941 * Do some sanity checks. We never expect these things to happen in this
4944 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4945 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4946 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4951 /* Now check we're in the right state */
4952 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4956 if ((where & SSL_CB_LOOP) != 0
4957 && !TEST_int_eq(strcmp(SSL_state_string(s),
4958 state[info_cb_this_state].statestr), 0)) {
4964 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
4966 if ((where & SSL_CB_HANDSHAKE_DONE)
4967 && SSL_in_init((SSL *)s) != 0) {
4974 * Test the info callback gets called when we expect it to.
4976 * Test 0: TLSv1.2, server
4977 * Test 1: TLSv1.2, client
4978 * Test 2: TLSv1.3, server
4979 * Test 3: TLSv1.3, client
4980 * Test 4: TLSv1.3, server, early_data
4981 * Test 5: TLSv1.3, client, early_data
4983 static int test_info_callback(int tst)
4985 SSL_CTX *cctx = NULL, *sctx = NULL;
4986 SSL *clientssl = NULL, *serverssl = NULL;
4987 SSL_SESSION *clntsess = NULL;
4992 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
4993 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
4994 || !defined(OPENSSL_NO_DH))
4995 tlsvers = TLS1_2_VERSION;
5000 #ifndef OPENSSL_NO_TLS1_3
5001 tlsvers = TLS1_3_VERSION;
5009 info_cb_this_state = -1;
5010 info_cb_offset = tst;
5012 #ifndef OPENSSL_NO_TLS1_3
5014 SSL_SESSION *sess = NULL;
5015 size_t written, readbytes;
5016 unsigned char buf[80];
5018 /* early_data tests */
5019 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5020 &serverssl, &sess, 0)))
5023 /* We don't actually need this reference */
5024 SSL_SESSION_free(sess);
5026 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5027 sslapi_info_callback);
5029 /* Write and read some early data and then complete the connection */
5030 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5032 || !TEST_size_t_eq(written, strlen(MSG1))
5033 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5034 sizeof(buf), &readbytes),
5035 SSL_READ_EARLY_DATA_SUCCESS)
5036 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5037 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5038 SSL_EARLY_DATA_ACCEPTED)
5039 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5041 || !TEST_false(info_cb_failed))
5049 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5050 TLS_client_method(),
5051 tlsvers, tlsvers, &sctx, &cctx, cert,
5056 * For even numbered tests we check the server callbacks. For odd numbers we
5059 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5060 sslapi_info_callback);
5062 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5063 &clientssl, NULL, NULL))
5064 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5066 || !TEST_false(info_cb_failed))
5071 clntsess = SSL_get1_session(clientssl);
5072 SSL_shutdown(clientssl);
5073 SSL_shutdown(serverssl);
5074 SSL_free(serverssl);
5075 SSL_free(clientssl);
5076 serverssl = clientssl = NULL;
5078 /* Now do a resumption */
5079 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5081 || !TEST_true(SSL_set_session(clientssl, clntsess))
5082 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5084 || !TEST_true(SSL_session_reused(clientssl))
5085 || !TEST_false(info_cb_failed))
5091 SSL_free(serverssl);
5092 SSL_free(clientssl);
5093 SSL_SESSION_free(clntsess);
5099 static int test_ssl_pending(int tst)
5101 SSL_CTX *cctx = NULL, *sctx = NULL;
5102 SSL *clientssl = NULL, *serverssl = NULL;
5104 char msg[] = "A test message";
5106 size_t written, readbytes;
5109 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5110 TLS_client_method(),
5111 TLS1_VERSION, TLS_MAX_VERSION,
5112 &sctx, &cctx, cert, privkey)))
5115 #ifndef OPENSSL_NO_DTLS
5116 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5117 DTLS_client_method(),
5118 DTLS1_VERSION, DTLS_MAX_VERSION,
5119 &sctx, &cctx, cert, privkey)))
5126 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5128 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5132 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5133 || !TEST_false(SSL_has_pending(clientssl))
5134 || !TEST_int_eq(SSL_pending(serverssl), 0)
5135 || !TEST_false(SSL_has_pending(serverssl))
5136 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5137 || !TEST_size_t_eq(written, sizeof(msg))
5138 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5139 || !TEST_size_t_eq(readbytes, sizeof(buf))
5140 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5141 || !TEST_true(SSL_has_pending(clientssl)))
5147 SSL_free(serverssl);
5148 SSL_free(clientssl);
5156 unsigned int maxprot;
5157 const char *clntciphers;
5158 const char *clnttls13ciphers;
5159 const char *srvrciphers;
5160 const char *srvrtls13ciphers;
5162 } shared_ciphers_data[] = {
5164 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5165 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5167 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5170 "AES128-SHA:AES256-SHA",
5172 "AES256-SHA:DHE-RSA-AES128-SHA",
5178 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5180 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5182 "AES128-SHA:AES256-SHA"
5186 "AES128-SHA:AES256-SHA",
5188 "AES128-SHA:DHE-RSA-AES128-SHA",
5194 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5197 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5198 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5201 "AES128-SHA:AES256-SHA",
5203 "AES256-SHA:AES128-SHA256",
5205 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5206 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5209 #ifndef OPENSSL_NO_TLS1_3
5213 "TLS_AES_256_GCM_SHA384",
5215 "TLS_AES_256_GCM_SHA384",
5216 "TLS_AES_256_GCM_SHA384"
5221 static int test_ssl_get_shared_ciphers(int tst)
5223 SSL_CTX *cctx = NULL, *sctx = NULL;
5224 SSL *clientssl = NULL, *serverssl = NULL;
5228 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5229 TLS_client_method(),
5231 shared_ciphers_data[tst].maxprot,
5232 &sctx, &cctx, cert, privkey)))
5235 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5236 shared_ciphers_data[tst].clntciphers))
5237 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5238 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5239 shared_ciphers_data[tst].clnttls13ciphers)))
5240 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5241 shared_ciphers_data[tst].srvrciphers))
5242 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5243 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5244 shared_ciphers_data[tst].srvrtls13ciphers))))
5248 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5250 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5254 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5255 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5256 TEST_info("Shared ciphers are: %s\n", buf);
5263 SSL_free(serverssl);
5264 SSL_free(clientssl);
5271 static const char *appdata = "Hello World";
5272 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5273 static int tick_key_renew = 0;
5274 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5276 static int gen_tick_cb(SSL *s, void *arg)
5278 gen_tick_called = 1;
5280 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5284 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5285 const unsigned char *keyname,
5286 size_t keyname_length,
5287 SSL_TICKET_STATUS status,
5293 dec_tick_called = 1;
5295 if (status == SSL_TICKET_EMPTY)
5296 return SSL_TICKET_RETURN_IGNORE_RENEW;
5298 if (!TEST_true(status == SSL_TICKET_SUCCESS
5299 || status == SSL_TICKET_SUCCESS_RENEW))
5300 return SSL_TICKET_RETURN_ABORT;
5302 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5304 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5305 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5306 return SSL_TICKET_RETURN_ABORT;
5308 if (tick_key_cb_called) {
5309 /* Don't change what the ticket key callback wanted to do */
5311 case SSL_TICKET_NO_DECRYPT:
5312 return SSL_TICKET_RETURN_IGNORE_RENEW;
5314 case SSL_TICKET_SUCCESS:
5315 return SSL_TICKET_RETURN_USE;
5317 case SSL_TICKET_SUCCESS_RENEW:
5318 return SSL_TICKET_RETURN_USE_RENEW;
5321 return SSL_TICKET_RETURN_ABORT;
5324 return tick_dec_ret;
5328 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5329 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5330 HMAC_CTX *hctx, int enc)
5332 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5333 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5335 tick_key_cb_called = 1;
5336 memset(iv, 0, AES_BLOCK_SIZE);
5337 memset(key_name, 0, 16);
5338 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5339 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5340 EVP_sha256(), NULL))
5343 return tick_key_renew ? 2 : 1;
5347 * Test the various ticket callbacks
5348 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5349 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5350 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5351 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5352 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5353 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5354 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5355 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5356 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5357 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5358 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5359 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5361 static int test_ticket_callbacks(int tst)
5363 SSL_CTX *cctx = NULL, *sctx = NULL;
5364 SSL *clientssl = NULL, *serverssl = NULL;
5365 SSL_SESSION *clntsess = NULL;
5368 #ifdef OPENSSL_NO_TLS1_2
5372 #ifdef OPENSSL_NO_TLS1_3
5377 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5379 /* Which tests the ticket key callback should request renewal for */
5380 if (tst == 10 || tst == 11)
5385 /* Which tests the decrypt ticket callback should request renewal for */
5389 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5394 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5399 tick_dec_ret = SSL_TICKET_RETURN_USE;
5404 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5408 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5411 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5412 TLS_client_method(),
5414 ((tst % 2) == 0) ? TLS1_2_VERSION
5416 &sctx, &cctx, cert, privkey)))
5420 * We only want sessions to resume from tickets - not the session cache. So
5421 * switch the cache off.
5423 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5426 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5431 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5434 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5436 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5441 * The decrypt ticket key callback in TLSv1.2 should be called even though
5442 * we have no ticket yet, because it gets called with a status of
5443 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5444 * actually send any ticket data). This does not happen in TLSv1.3 because
5445 * it is not valid to send empty ticket data in TLSv1.3.
5447 if (!TEST_int_eq(gen_tick_called, 1)
5448 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5451 gen_tick_called = dec_tick_called = 0;
5453 clntsess = SSL_get1_session(clientssl);
5454 SSL_shutdown(clientssl);
5455 SSL_shutdown(serverssl);
5456 SSL_free(serverssl);
5457 SSL_free(clientssl);
5458 serverssl = clientssl = NULL;
5460 /* Now do a resumption */
5461 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5463 || !TEST_true(SSL_set_session(clientssl, clntsess))
5464 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5468 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5469 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5470 if (!TEST_false(SSL_session_reused(clientssl)))
5473 if (!TEST_true(SSL_session_reused(clientssl)))
5477 if (!TEST_int_eq(gen_tick_called,
5479 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5480 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5482 || !TEST_int_eq(dec_tick_called, 1))
5488 SSL_SESSION_free(clntsess);
5489 SSL_free(serverssl);
5490 SSL_free(clientssl);
5498 * Test bi-directional shutdown.
5500 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5501 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5502 * Test 3: TLSv1.3, pending NewSessionTicket messages
5503 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5504 * sends key update, client reads it
5505 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5506 * sends CertificateRequest, client reads and ignores it
5507 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
5510 static int test_shutdown(int tst)
5512 SSL_CTX *cctx = NULL, *sctx = NULL;
5513 SSL *clientssl = NULL, *serverssl = NULL;
5515 char msg[] = "A test message";
5517 size_t written, readbytes;
5520 #ifdef OPENSSL_NO_TLS1_2
5524 #ifdef OPENSSL_NO_TLS1_3
5529 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5530 TLS_client_method(),
5532 (tst <= 1) ? TLS1_2_VERSION
5534 &sctx, &cctx, cert, privkey)))
5538 SSL_CTX_set_post_handshake_auth(cctx, 1);
5540 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5545 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5547 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5548 || !TEST_false(SSL_SESSION_is_resumable(sess)))
5550 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5552 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5553 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
5557 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5562 * Reading on the server after the client has sent close_notify should
5563 * fail and provide SSL_ERROR_ZERO_RETURN
5565 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5566 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5567 SSL_ERROR_ZERO_RETURN)
5568 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5569 SSL_RECEIVED_SHUTDOWN)
5571 * Even though we're shutdown on receive we should still be
5574 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5577 && !TEST_true(SSL_key_update(serverssl,
5578 SSL_KEY_UPDATE_REQUESTED)))
5581 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5582 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5585 if ((tst == 4 || tst == 5)
5586 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5588 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
5590 if (tst == 4 || tst == 5) {
5591 /* Should still be able to read data from server */
5592 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5594 || !TEST_size_t_eq(readbytes, sizeof(msg))
5595 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5596 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5598 || !TEST_size_t_eq(readbytes, sizeof(msg))
5599 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5604 /* Writing on the client after sending close_notify shouldn't be possible */
5605 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5610 * For these tests the client has sent close_notify but it has not yet
5611 * been received by the server. The server has not sent close_notify
5614 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5616 * Writing on the server after sending close_notify shouldn't
5619 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5620 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5621 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5622 || !TEST_true(SSL_SESSION_is_resumable(sess))
5623 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5625 } else if (tst == 4 || tst == 5) {
5627 * In this test the client has sent close_notify and it has been
5628 * received by the server which has responded with a close_notify. The
5629 * client needs to read the close_notify sent by the server.
5631 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
5632 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5633 || !TEST_true(SSL_SESSION_is_resumable(sess)))
5639 * The client has sent close_notify and is expecting a close_notify
5640 * back, but instead there is application data first. The shutdown
5641 * should fail with a fatal error.
5643 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5644 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5651 SSL_free(serverssl);
5652 SSL_free(clientssl);
5659 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5660 static int cert_cb_cnt;
5662 static int cert_cb(SSL *s, void *arg)
5664 SSL_CTX *ctx = (SSL_CTX *)arg;
5666 EVP_PKEY *pkey = NULL;
5669 if (cert_cb_cnt == 0) {
5670 /* Suspend the handshake */
5673 } else if (cert_cb_cnt == 1) {
5675 * Update the SSL_CTX, set the certificate and private key and then
5676 * continue the handshake normally.
5678 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
5681 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
5682 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
5684 || !TEST_true(SSL_check_private_key(s)))
5688 } else if (cert_cb_cnt == 3) {
5690 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
5691 || !TEST_int_ge(BIO_read_filename(in, cert), 0)
5692 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
5695 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
5696 || !TEST_int_ge(BIO_read_filename(in, privkey), 0)
5697 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
5699 rv = SSL_check_chain(s, x509, pkey, NULL);
5701 * If the cert doesn't show as valid here (e.g., because we don't
5702 * have any shared sigalgs), then we will not set it, and there will
5703 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
5704 * will cause tls_choose_sigalgs() to fail the connection.
5706 if ((rv & CERT_PKEY_VALID)) {
5707 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
5711 EVP_PKEY_free(pkey);
5716 /* Abort the handshake */
5719 EVP_PKEY_free(pkey);
5725 * Test the certificate callback.
5726 * Test 0: Callback fails
5727 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
5728 * Test 2: Success - SSL_set_SSL_CTX() in the callback
5730 static int test_cert_cb_int(int prot, int tst)
5732 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
5733 SSL *clientssl = NULL, *serverssl = NULL;
5734 int testresult = 0, ret;
5736 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5737 TLS_client_method(),
5740 &sctx, &cctx, NULL, NULL)))
5750 snictx = SSL_CTX_new(TLS_server_method());
5751 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
5753 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5757 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5758 if (!TEST_true(tst == 0 ? !ret : ret)
5760 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
5767 SSL_free(serverssl);
5768 SSL_free(clientssl);
5771 SSL_CTX_free(snictx);
5777 static int test_cert_cb(int tst)
5781 #ifndef OPENSSL_NO_TLS1_2
5782 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
5784 #ifndef OPENSSL_NO_TLS1_3
5785 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
5791 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
5797 /* Check that SSL_get_peer_certificate() returns something sensible */
5798 peer = SSL_get_peer_certificate(ssl);
5799 if (!TEST_ptr(peer))
5803 in = BIO_new_file(cert, "r");
5807 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
5809 if (!TEST_ptr(xcert))
5812 in = BIO_new_file(privkey, "r");
5813 if (!TEST_ptr(in)) {
5818 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
5820 if (!TEST_ptr(privpkey)) {
5831 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5836 static int test_client_cert_cb(int tst)
5838 SSL_CTX *cctx = NULL, *sctx = NULL;
5839 SSL *clientssl = NULL, *serverssl = NULL;
5842 #ifdef OPENSSL_NO_TLS1_2
5846 #ifdef OPENSSL_NO_TLS1_3
5851 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5852 TLS_client_method(),
5854 tst == 0 ? TLS1_2_VERSION
5856 &sctx, &cctx, cert, privkey)))
5860 * Test that setting a client_cert_cb results in a client certificate being
5863 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
5864 SSL_CTX_set_verify(sctx,
5865 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5870 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5877 SSL_free(serverssl);
5878 SSL_free(clientssl);
5885 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5887 * Test setting certificate authorities on both client and server.
5889 * Test 0: SSL_CTX_set0_CA_list() only
5890 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
5891 * Test 2: Only SSL_CTX_set_client_CA_list()
5893 static int test_ca_names_int(int prot, int tst)
5895 SSL_CTX *cctx = NULL, *sctx = NULL;
5896 SSL *clientssl = NULL, *serverssl = NULL;
5899 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
5900 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
5901 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
5902 const STACK_OF(X509_NAME) *sktmp = NULL;
5904 for (i = 0; i < OSSL_NELEM(name); i++) {
5905 name[i] = X509_NAME_new();
5906 if (!TEST_ptr(name[i])
5907 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
5915 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5916 TLS_client_method(),
5919 &sctx, &cctx, cert, privkey)))
5922 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
5924 if (tst == 0 || tst == 1) {
5925 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5926 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
5927 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
5928 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5929 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
5930 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
5933 SSL_CTX_set0_CA_list(sctx, sk1);
5934 SSL_CTX_set0_CA_list(cctx, sk2);
5937 if (tst == 1 || tst == 2) {
5938 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5939 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
5940 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
5941 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5942 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
5943 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
5946 SSL_CTX_set_client_CA_list(sctx, sk1);
5947 SSL_CTX_set_client_CA_list(cctx, sk2);
5951 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5953 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5958 * We only expect certificate authorities to have been sent to the server
5959 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
5961 sktmp = SSL_get0_peer_CA_list(serverssl);
5962 if (prot == TLS1_3_VERSION
5963 && (tst == 0 || tst == 1)) {
5964 if (!TEST_ptr(sktmp)
5965 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
5966 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
5968 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
5971 } else if (!TEST_ptr_null(sktmp)) {
5976 * In all tests we expect certificate authorities to have been sent to the
5977 * client. However, SSL_set_client_CA_list() should override
5978 * SSL_set0_CA_list()
5980 sktmp = SSL_get0_peer_CA_list(clientssl);
5981 if (!TEST_ptr(sktmp)
5982 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
5983 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
5984 name[tst == 0 ? 0 : 2]), 0)
5985 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
5986 name[tst == 0 ? 1 : 3]), 0))
5992 SSL_free(serverssl);
5993 SSL_free(clientssl);
5996 for (i = 0; i < OSSL_NELEM(name); i++)
5997 X509_NAME_free(name[i]);
5998 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
5999 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6005 static int test_ca_names(int tst)
6009 #ifndef OPENSSL_NO_TLS1_2
6010 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6012 #ifndef OPENSSL_NO_TLS1_3
6013 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6019 int setup_tests(void)
6021 if (!TEST_ptr(cert = test_get_argument(0))
6022 || !TEST_ptr(privkey = test_get_argument(1))
6023 || !TEST_ptr(srpvfile = test_get_argument(2))
6024 || !TEST_ptr(tmpfilename = test_get_argument(3)))
6027 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6028 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6029 TEST_error("not supported in this build");
6032 int i, mcount, rcount, fcount;
6034 for (i = 0; i < 4; i++)
6035 test_export_key_mat(i);
6036 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6037 test_printf_stdout("malloc %d realloc %d free %d\n",
6038 mcount, rcount, fcount);
6043 ADD_TEST(test_large_message_tls);
6044 ADD_TEST(test_large_message_tls_read_ahead);
6045 #ifndef OPENSSL_NO_DTLS
6046 ADD_TEST(test_large_message_dtls);
6048 #ifndef OPENSSL_NO_OCSP
6049 ADD_TEST(test_tlsext_status_type);
6051 ADD_TEST(test_session_with_only_int_cache);
6052 ADD_TEST(test_session_with_only_ext_cache);
6053 ADD_TEST(test_session_with_both_cache);
6054 #ifndef OPENSSL_NO_TLS1_3
6055 ADD_ALL_TESTS(test_stateful_tickets, 3);
6056 ADD_ALL_TESTS(test_stateless_tickets, 3);
6057 ADD_TEST(test_psk_tickets);
6059 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6060 ADD_TEST(test_ssl_bio_pop_next_bio);
6061 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6062 ADD_TEST(test_ssl_bio_change_rbio);
6063 ADD_TEST(test_ssl_bio_change_wbio);
6064 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6065 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6066 ADD_TEST(test_keylog);
6068 #ifndef OPENSSL_NO_TLS1_3
6069 ADD_TEST(test_keylog_no_master_key);
6071 #ifndef OPENSSL_NO_TLS1_2
6072 ADD_TEST(test_client_hello_cb);
6074 #ifndef OPENSSL_NO_TLS1_3
6075 ADD_ALL_TESTS(test_early_data_read_write, 3);
6077 * We don't do replay tests for external PSK. Replay protection isn't used
6080 ADD_ALL_TESTS(test_early_data_replay, 2);
6081 ADD_ALL_TESTS(test_early_data_skip, 3);
6082 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6083 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6084 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6085 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6086 ADD_ALL_TESTS(test_early_data_psk, 8);
6087 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6088 # ifndef OPENSSL_NO_TLS1_2
6089 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6092 #ifndef OPENSSL_NO_TLS1_3
6093 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6094 ADD_TEST(test_ciphersuite_change);
6095 #ifdef OPENSSL_NO_PSK
6096 ADD_ALL_TESTS(test_tls13_psk, 1);
6098 ADD_ALL_TESTS(test_tls13_psk, 4);
6099 #endif /* OPENSSL_NO_PSK */
6100 ADD_ALL_TESTS(test_custom_exts, 5);
6101 ADD_TEST(test_stateless);
6102 ADD_TEST(test_pha_key_update);
6104 ADD_ALL_TESTS(test_custom_exts, 3);
6106 ADD_ALL_TESTS(test_serverinfo, 8);
6107 ADD_ALL_TESTS(test_export_key_mat, 6);
6108 #ifndef OPENSSL_NO_TLS1_3
6109 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6110 ADD_TEST(test_key_update);
6111 ADD_ALL_TESTS(test_key_update_in_write, 2);
6113 ADD_ALL_TESTS(test_ssl_clear, 2);
6114 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6115 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6116 ADD_ALL_TESTS(test_srp, 6);
6118 ADD_ALL_TESTS(test_info_callback, 6);
6119 ADD_ALL_TESTS(test_ssl_pending, 2);
6120 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6121 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6122 ADD_ALL_TESTS(test_shutdown, 7);
6123 ADD_ALL_TESTS(test_cert_cb, 4);
6124 ADD_ALL_TESTS(test_client_cert_cb, 2);
6125 ADD_ALL_TESTS(test_ca_names, 3);
6129 void cleanup_tests(void)
6131 bio_s_mempacket_test_free();
6132 bio_s_always_retry_free();