2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "../ssl/ssl_locl.h"
27 static char *cert = NULL;
28 static char *privkey = NULL;
29 static char *srpvfile = NULL;
30 static char *tmpfilename = NULL;
32 #define LOG_BUFFER_SIZE 2048
33 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
34 static size_t server_log_buffer_index = 0;
35 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
36 static size_t client_log_buffer_index = 0;
37 static int error_writing_log = 0;
39 #ifndef OPENSSL_NO_OCSP
40 static const unsigned char orespder[] = "Dummy OCSP Response";
41 static int ocsp_server_called = 0;
42 static int ocsp_client_called = 0;
44 static int cdummyarg = 1;
45 static X509 *ocspcert = NULL;
48 #define NUM_EXTRA_CERTS 40
49 #define CLIENT_VERSION_LEN 2
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
55 struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
58 unsigned int client_early_secret_count;
59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
63 unsigned int early_exporter_secret_count;
64 unsigned int exporter_secret_count;
68 static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
74 static unsigned char serverinfov2[] = {
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
82 static void client_keylog_callback(const SSL *ssl, const char *line)
84 int line_length = strlen(line);
86 /* If the log doesn't fit, error out. */
87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
89 error_writing_log = 1;
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
95 client_log_buffer[client_log_buffer_index++] = '\n';
98 static void server_keylog_callback(const SSL *ssl, const char *line)
100 int line_length = strlen(line);
102 /* If the log doesn't fit, error out. */
103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
104 TEST_info("Server log too full");
105 error_writing_log = 1;
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
111 server_log_buffer[server_log_buffer_index++] = '\n';
114 static int compare_hex_encoded_buffer(const char *hex_encoded,
122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
126 sprintf(hexed, "%02x", raw[i]);
127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
135 static int test_keylog_output(char *buffer, const SSL *ssl,
136 const SSL_SESSION *session,
137 struct sslapitest_log_counts *expected)
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
146 unsigned int client_early_secret_count = 0;
147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
151 unsigned int early_exporter_secret_count = 0;
152 unsigned int exporter_secret_count = 0;
154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
156 if (strcmp(token, "RSA") == 0) {
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
159 * hex-encoded encrypted secret, then the hex-encoded pre-master
162 if (!TEST_ptr(token = strtok(NULL, " \n")))
164 if (!TEST_size_t_eq(strlen(token), 16))
166 if (!TEST_ptr(token = strtok(NULL, " \n")))
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
173 rsa_key_exchange_count++;
174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
177 * client random, then the hex-encoded master secret.
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
185 if (!TEST_ptr(token = strtok(NULL, " \n")))
187 if (!TEST_size_t_eq(strlen(token), 64))
189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
194 if (!TEST_ptr(token = strtok(NULL, " \n")))
196 master_key_size = SSL_SESSION_get_master_key(session,
199 if (!TEST_size_t_ne(master_key_size, 0))
201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
205 master_secret_count++;
206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
212 || strcmp(token, "EXPORTER_SECRET") == 0) {
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
240 if (!TEST_ptr(token = strtok(NULL, " \n")))
242 if (!TEST_size_t_eq(strlen(token), 64))
244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
249 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 * TODO(TLS1.3): test that application traffic secrets are what
256 TEST_info("Unexpected token %s\n", token);
261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
275 expected->server_application_secret_count)
276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
284 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
285 static int test_keylog(void)
287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
290 struct sslapitest_log_counts expected = {0};
292 /* Clean up logging space */
293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
301 TLS1_VERSION, TLS_MAX_VERSION,
302 &sctx, &cctx, cert, privkey)))
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
309 /* We also want to ensure that we use RSA-based key exchange. */
310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
336 * Now we want to test that our output data was vaguely sensible. We
337 * do that by using strtok and confirming that we have more or less the
338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
347 expected.rsa_key_exchange_count = 0;
348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
364 #ifndef OPENSSL_NO_TLS1_3
365 static int test_keylog_no_master_key(void)
367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
369 SSL_SESSION *sess = NULL;
371 struct sslapitest_log_counts expected = {0};
372 unsigned char buf[1];
373 size_t readbytes, written;
375 /* Clean up logging space */
376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
386 SSL3_RT_MAX_PLAIN_LENGTH)))
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
408 || !TEST_false(error_writing_log))
412 * Now we want to test that our output data was vaguely sensible. For this
413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
414 * TLSv1.3, but we do expect both client and server to emit keys.
416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
420 expected.exporter_secret_count = 1;
421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
434 serverssl = clientssl = NULL;
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
454 || !TEST_true(SSL_session_reused(clientssl)))
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
459 expected.early_exporter_secret_count = 1;
460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
470 SSL_SESSION_free(sess);
480 #ifndef OPENSSL_NO_TLS1_2
481 static int full_client_hello_callback(SSL *s, int *al, void *arg)
484 const unsigned char *p;
486 /* We only configure two ciphers, but the SCSV is added automatically. */
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
493 const int expected_extensions[] = {
494 #ifndef OPENSSL_NO_EC
500 /* Make sure we can defer processing and get called back. */
502 return SSL_CLIENT_HELLO_RETRY;
504 len = SSL_client_hello_get0_ciphers(s, &p);
505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
508 || !TEST_int_eq(*p, 0))
509 return SSL_CLIENT_HELLO_ERROR;
510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
511 return SSL_CLIENT_HELLO_ERROR;
512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
514 printf("ClientHello callback expected extensions mismatch\n");
516 return SSL_CLIENT_HELLO_ERROR;
519 return SSL_CLIENT_HELLO_SUCCESS;
522 static int test_client_hello_cb(void)
524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
565 static int execute_test_large_message(const SSL_METHOD *smeth,
566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
575 X509 *chaincert = NULL;
578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
583 if (!TEST_ptr(chaincert))
586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
592 * Test that read_ahead works correctly when dealing with large
595 SSL_CTX_set_read_ahead(cctx, 1);
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
605 certlen = i2d_X509(chaincert, NULL);
606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
609 if (!X509_up_ref(chaincert))
611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
612 X509_free(chaincert);
617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
627 if (!TEST_true(SSL_clear(serverssl)))
632 X509_free(chaincert);
641 static int test_large_message_tls(void)
643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
644 TLS1_VERSION, TLS_MAX_VERSION,
648 static int test_large_message_tls_read_ahead(void)
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
651 TLS1_VERSION, TLS_MAX_VERSION,
655 #ifndef OPENSSL_NO_DTLS
656 static int test_large_message_dtls(void)
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
662 return execute_test_large_message(DTLS_server_method(),
663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
669 #ifndef OPENSSL_NO_OCSP
670 static int ocsp_server_cb(SSL *s, void *arg)
672 int *argi = (int *)arg;
673 unsigned char *copy = NULL;
674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
691 return SSL_TLSEXT_ERR_ALERT_FATAL;
693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
694 ocsp_server_called = 1;
695 return SSL_TLSEXT_ERR_OK;
698 static int ocsp_client_cb(SSL *s, void *arg)
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
704 if (*argi != 1 && *argi != 2)
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
708 if (!TEST_mem_eq(orespder, len, respderin, len))
711 ocsp_client_called = 1;
715 static int test_tlsext_status_type(void)
717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
732 /* First just do various checks getting and setting tlsext_status_type */
734 clientssl = SSL_new(cctx);
735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
749 clientssl = SSL_new(cctx);
750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
793 * This time we'll get the client to send an OCSP_RESPID that it will
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
805 * specific one. We'll use the server cert.
807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
846 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
847 static int new_called, remove_called, get_called;
849 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
853 * sess has been up-refed for us, but we don't actually need it so free it
856 SSL_SESSION_free(sess);
860 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
865 static SSL_SESSION *get_sess_val = NULL;
867 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
875 static int execute_test_session(int maxprot, int use_int_cache,
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
881 # ifndef OPENSSL_NO_TLS1_1
882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
885 int testresult = 0, numnewsesstick = 1;
887 new_called = remove_called = 0;
889 /* TLSv1.3 sends 2 NewSessionTickets */
890 if (maxprot == TLS1_3_VERSION)
893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
894 TLS1_VERSION, TLS_MAX_VERSION,
895 &sctx, &cctx, cert, privkey)))
899 * Only allow the max protocol version so we can force a connection failure
902 SSL_CTX_set_min_proto_version(cctx, maxprot);
903 SSL_CTX_set_max_proto_version(cctx, maxprot);
905 /* Set up session cache */
907 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
908 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
911 /* Also covers instance where both are set */
912 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
914 SSL_CTX_set_session_cache_mode(cctx,
915 SSL_SESS_CACHE_CLIENT
916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
921 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
923 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
926 /* Should fail because it should already be in the cache */
927 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
930 && (!TEST_int_eq(new_called, numnewsesstick)
932 || !TEST_int_eq(remove_called, 0)))
935 new_called = remove_called = 0;
936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
937 &clientssl2, NULL, NULL))
938 || !TEST_true(SSL_set_session(clientssl2, sess1))
939 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
941 || !TEST_true(SSL_session_reused(clientssl2)))
944 if (maxprot == TLS1_3_VERSION) {
946 * In TLSv1.3 we should have created a new session even though we have
947 * resumed. Since we attempted a resume we should also have removed the
948 * old ticket from the cache so that we try to only use tickets once.
951 && (!TEST_int_eq(new_called, 1)
952 || !TEST_int_eq(remove_called, 1)))
956 * In TLSv1.2 we expect to have resumed so no sessions added or
960 && (!TEST_int_eq(new_called, 0)
961 || !TEST_int_eq(remove_called, 0)))
965 SSL_SESSION_free(sess1);
966 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
968 shutdown_ssl_connection(serverssl2, clientssl2);
969 serverssl2 = clientssl2 = NULL;
971 new_called = remove_called = 0;
972 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
973 &clientssl2, NULL, NULL))
974 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
978 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
982 && (!TEST_int_eq(new_called, numnewsesstick)
983 || !TEST_int_eq(remove_called, 0)))
986 new_called = remove_called = 0;
988 * This should clear sess2 from the cache because it is a "bad" session.
989 * See SSL_set_session() documentation.
991 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
994 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
996 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1000 /* Should succeeded because it should not already be in the cache */
1001 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1002 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1006 new_called = remove_called = 0;
1007 /* This shouldn't be in the cache so should fail */
1008 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1012 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1015 # if !defined(OPENSSL_NO_TLS1_1)
1016 new_called = remove_called = 0;
1017 /* Force a connection failure */
1018 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1019 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1020 &clientssl3, NULL, NULL))
1021 || !TEST_true(SSL_set_session(clientssl3, sess1))
1022 /* This should fail because of the mismatched protocol versions */
1023 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1027 /* We should have automatically removed the session from the cache */
1029 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1032 /* Should succeed because it should not already be in the cache */
1033 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1037 /* Now do some tests for server side caching */
1038 if (use_ext_cache) {
1039 SSL_CTX_sess_set_new_cb(cctx, NULL);
1040 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1041 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1042 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1043 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1044 get_sess_val = NULL;
1047 SSL_CTX_set_session_cache_mode(cctx, 0);
1048 /* Internal caching is the default on the server side */
1050 SSL_CTX_set_session_cache_mode(sctx,
1051 SSL_SESS_CACHE_SERVER
1052 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1054 SSL_free(serverssl1);
1055 SSL_free(clientssl1);
1056 serverssl1 = clientssl1 = NULL;
1057 SSL_free(serverssl2);
1058 SSL_free(clientssl2);
1059 serverssl2 = clientssl2 = NULL;
1060 SSL_SESSION_free(sess1);
1062 SSL_SESSION_free(sess2);
1065 SSL_CTX_set_max_proto_version(sctx, maxprot);
1066 if (maxprot == TLS1_2_VERSION)
1067 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1068 new_called = remove_called = get_called = 0;
1069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1071 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1073 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1074 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1077 if (use_int_cache) {
1078 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1080 * In TLSv1.3 it should not have been added to the internal cache,
1081 * except in the case where we also have an external cache (in that
1082 * case it gets added to the cache in order to generate remove
1083 * events after timeout).
1085 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1088 /* Should fail because it should already be in the cache */
1089 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1094 if (use_ext_cache) {
1095 SSL_SESSION *tmp = sess2;
1097 if (!TEST_int_eq(new_called, numnewsesstick)
1098 || !TEST_int_eq(remove_called, 0)
1099 || !TEST_int_eq(get_called, 0))
1102 * Delete the session from the internal cache to force a lookup from
1103 * the external cache. We take a copy first because
1104 * SSL_CTX_remove_session() also marks the session as non-resumable.
1106 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1107 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1108 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1110 SSL_SESSION_free(sess2);
1115 new_called = remove_called = get_called = 0;
1116 get_sess_val = sess2;
1117 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1118 &clientssl2, NULL, NULL))
1119 || !TEST_true(SSL_set_session(clientssl2, sess1))
1120 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1122 || !TEST_true(SSL_session_reused(clientssl2)))
1125 if (use_ext_cache) {
1126 if (!TEST_int_eq(remove_called, 0))
1129 if (maxprot == TLS1_3_VERSION) {
1130 if (!TEST_int_eq(new_called, 1)
1131 || !TEST_int_eq(get_called, 0))
1134 if (!TEST_int_eq(new_called, 0)
1135 || !TEST_int_eq(get_called, 1))
1143 SSL_free(serverssl1);
1144 SSL_free(clientssl1);
1145 SSL_free(serverssl2);
1146 SSL_free(clientssl2);
1147 # ifndef OPENSSL_NO_TLS1_1
1148 SSL_free(serverssl3);
1149 SSL_free(clientssl3);
1151 SSL_SESSION_free(sess1);
1152 SSL_SESSION_free(sess2);
1158 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1160 static int test_session_with_only_int_cache(void)
1162 #ifndef OPENSSL_NO_TLS1_3
1163 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1167 #ifndef OPENSSL_NO_TLS1_2
1168 return execute_test_session(TLS1_2_VERSION, 1, 0);
1174 static int test_session_with_only_ext_cache(void)
1176 #ifndef OPENSSL_NO_TLS1_3
1177 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1181 #ifndef OPENSSL_NO_TLS1_2
1182 return execute_test_session(TLS1_2_VERSION, 0, 1);
1188 static int test_session_with_both_cache(void)
1190 #ifndef OPENSSL_NO_TLS1_3
1191 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1195 #ifndef OPENSSL_NO_TLS1_2
1196 return execute_test_session(TLS1_2_VERSION, 1, 1);
1202 #ifndef OPENSSL_NO_TLS1_3
1203 static SSL_SESSION *sesscache[6];
1204 static int do_cache;
1206 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1209 sesscache[new_called] = sess;
1211 /* We don't need the reference to the session, so free it */
1212 SSL_SESSION_free(sess);
1219 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1221 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1222 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1225 /* Start handshake on the server and client */
1226 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1227 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1228 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1229 || !TEST_true(create_ssl_connection(sssl, cssl,
1236 static int test_tickets(int stateful, int idx)
1238 SSL_CTX *sctx = NULL, *cctx = NULL;
1239 SSL *serverssl = NULL, *clientssl = NULL;
1240 int testresult = 0, sess_id_ctx = 1, i;
1243 /* idx is the test number, but also the number of tickets we want */
1248 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1249 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1250 &cctx, cert, privkey))
1251 || !TEST_true(SSL_CTX_set_num_tickets(sctx, idx))
1252 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1253 (void *)&sess_id_ctx,
1254 sizeof(sess_id_ctx))))
1258 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1260 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1261 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1262 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
1264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1265 &clientssl, NULL, NULL)))
1268 SSL_force_post_handshake_auth(clientssl);
1270 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1272 /* Check we got the number of tickets we were expecting */
1273 || !TEST_int_eq(idx, new_called))
1276 /* After a post-handshake authentication we should get new tickets issued */
1277 if (!post_handshake_verify(serverssl, clientssl)
1278 || !TEST_int_eq(idx * 2, new_called))
1281 SSL_shutdown(clientssl);
1282 SSL_shutdown(serverssl);
1283 SSL_free(serverssl);
1284 SSL_free(clientssl);
1285 serverssl = clientssl = NULL;
1287 /* Stop caching sessions - just count them */
1290 /* Test that we can resume with all the tickets we got given */
1291 for (i = 0; i < idx * 2; i++) {
1293 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1294 &clientssl, NULL, NULL))
1295 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1298 SSL_force_post_handshake_auth(clientssl);
1300 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1302 || !TEST_true(SSL_session_reused(clientssl))
1303 /* Following a resumption we only get 1 ticket */
1304 || !TEST_int_eq(new_called, 1))
1308 /* After a post-handshake authentication we should get 1 new ticket */
1309 if (!post_handshake_verify(serverssl, clientssl)
1310 || !TEST_int_eq(new_called, 1))
1313 SSL_shutdown(clientssl);
1314 SSL_shutdown(serverssl);
1315 SSL_free(serverssl);
1316 SSL_free(clientssl);
1317 serverssl = clientssl = NULL;
1318 SSL_SESSION_free(sesscache[i]);
1319 sesscache[i] = NULL;
1325 SSL_free(serverssl);
1326 SSL_free(clientssl);
1327 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1328 SSL_SESSION_free(sesscache[j]);
1329 sesscache[j] = NULL;
1337 static int test_stateless_tickets(int idx)
1339 return test_tickets(0, idx);
1342 static int test_stateful_tickets(int idx)
1344 return test_tickets(1, idx);
1351 #define USE_DEFAULT 3
1353 #define CONNTYPE_CONNECTION_SUCCESS 0
1354 #define CONNTYPE_CONNECTION_FAIL 1
1355 #define CONNTYPE_NO_CONNECTION 2
1357 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1358 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1359 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1360 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1362 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1365 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1366 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1367 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1369 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1386 * Tests calls to SSL_set_bio() under various conditions.
1388 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1389 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1390 * then do more tests where we create a successful connection first using our
1391 * standard connection setup functions, and then call SSL_set_bio() with
1392 * various combinations of valid BIOs or NULL. We then repeat these tests
1393 * following a failed connection. In this last case we are looking to check that
1394 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1396 static int test_ssl_set_bio(int idx)
1398 SSL_CTX *sctx = NULL, *cctx = NULL;
1401 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1402 SSL *serverssl = NULL, *clientssl = NULL;
1403 int initrbio, initwbio, newrbio, newwbio, conntype;
1406 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1414 conntype = CONNTYPE_NO_CONNECTION;
1416 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1417 initrbio = initwbio = USE_DEFAULT;
1425 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1426 TLS1_VERSION, TLS_MAX_VERSION,
1427 &sctx, &cctx, cert, privkey)))
1430 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1432 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1433 * because we reduced the number of tests in the definition of
1434 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1435 * mismatched protocol versions we will force a connection failure.
1437 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1438 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1441 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1445 if (initrbio == USE_BIO_1
1446 || initwbio == USE_BIO_1
1447 || newrbio == USE_BIO_1
1448 || newwbio == USE_BIO_1) {
1449 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1453 if (initrbio == USE_BIO_2
1454 || initwbio == USE_BIO_2
1455 || newrbio == USE_BIO_2
1456 || newwbio == USE_BIO_2) {
1457 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1461 if (initrbio != USE_DEFAULT) {
1462 setupbio(&irbio, bio1, bio2, initrbio);
1463 setupbio(&iwbio, bio1, bio2, initwbio);
1464 SSL_set_bio(clientssl, irbio, iwbio);
1467 * We want to maintain our own refs to these BIO, so do an up ref for
1468 * each BIO that will have ownership transferred in the SSL_set_bio()
1473 if (iwbio != NULL && iwbio != irbio)
1477 if (conntype != CONNTYPE_NO_CONNECTION
1478 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1480 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1483 setupbio(&nrbio, bio1, bio2, newrbio);
1484 setupbio(&nwbio, bio1, bio2, newwbio);
1487 * We will (maybe) transfer ownership again so do more up refs.
1488 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1493 && (nwbio != iwbio || nrbio != nwbio))
1497 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1500 SSL_set_bio(clientssl, nrbio, nwbio);
1509 * This test is checking that the ref counting for SSL_set_bio is correct.
1510 * If we get here and we did too many frees then we will fail in the above
1511 * functions. If we haven't done enough then this will only be detected in
1512 * a crypto-mdebug build
1514 SSL_free(serverssl);
1515 SSL_free(clientssl);
1521 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1523 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1525 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1530 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1531 || !TEST_ptr(ssl = SSL_new(ctx))
1532 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1533 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1536 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1539 * If anything goes wrong here then we could leak memory, so this will
1540 * be caught in a crypto-mdebug build
1542 BIO_push(sslbio, membio1);
1544 /* Verify changing the rbio/wbio directly does not cause leaks */
1545 if (change_bio != NO_BIO_CHANGE) {
1546 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1548 if (change_bio == CHANGE_RBIO)
1549 SSL_set0_rbio(ssl, membio2);
1551 SSL_set0_wbio(ssl, membio2);
1570 static int test_ssl_bio_pop_next_bio(void)
1572 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1575 static int test_ssl_bio_pop_ssl_bio(void)
1577 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1580 static int test_ssl_bio_change_rbio(void)
1582 return execute_test_ssl_bio(0, CHANGE_RBIO);
1585 static int test_ssl_bio_change_wbio(void)
1587 return execute_test_ssl_bio(0, CHANGE_WBIO);
1590 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1592 /* The list of sig algs */
1594 /* The length of the list */
1596 /* A sigalgs list in string format */
1597 const char *liststr;
1598 /* Whether setting the list should succeed */
1600 /* Whether creating a connection with the list should succeed */
1604 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1605 # ifndef OPENSSL_NO_EC
1606 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1607 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1609 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1610 static const int invalidlist2[] = {NID_sha256, NID_undef};
1611 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1612 static const int invalidlist4[] = {NID_sha256};
1613 static const sigalgs_list testsigalgs[] = {
1614 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1615 # ifndef OPENSSL_NO_EC
1616 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1617 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1619 {NULL, 0, "RSA+SHA256", 1, 1},
1620 # ifndef OPENSSL_NO_EC
1621 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1622 {NULL, 0, "ECDSA+SHA512", 1, 0},
1624 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1625 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1626 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1627 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1628 {NULL, 0, "RSA", 0, 0},
1629 {NULL, 0, "SHA256", 0, 0},
1630 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1631 {NULL, 0, "Invalid", 0, 0}
1634 static int test_set_sigalgs(int idx)
1636 SSL_CTX *cctx = NULL, *sctx = NULL;
1637 SSL *clientssl = NULL, *serverssl = NULL;
1639 const sigalgs_list *curr;
1642 /* Should never happen */
1643 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1646 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1647 curr = testctx ? &testsigalgs[idx]
1648 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1650 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1651 TLS1_VERSION, TLS_MAX_VERSION,
1652 &sctx, &cctx, cert, privkey)))
1656 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1657 * for TLSv1.2 for now until we add a new API.
1659 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1664 if (curr->list != NULL)
1665 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1667 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1671 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1677 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1683 &clientssl, NULL, NULL)))
1689 if (curr->list != NULL)
1690 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1692 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1695 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1704 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1712 SSL_free(serverssl);
1713 SSL_free(clientssl);
1721 #ifndef OPENSSL_NO_TLS1_3
1723 static SSL_SESSION *clientpsk = NULL;
1724 static SSL_SESSION *serverpsk = NULL;
1725 static const char *pskid = "Identity";
1726 static const char *srvid;
1728 static int use_session_cb_cnt = 0;
1729 static int find_session_cb_cnt = 0;
1730 static int psk_client_cb_cnt = 0;
1731 static int psk_server_cb_cnt = 0;
1733 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1734 size_t *idlen, SSL_SESSION **sess)
1736 switch (++use_session_cb_cnt) {
1738 /* The first call should always have a NULL md */
1744 /* The second call should always have an md */
1750 /* We should only be called a maximum of twice */
1754 if (clientpsk != NULL)
1755 SSL_SESSION_up_ref(clientpsk);
1758 *id = (const unsigned char *)pskid;
1759 *idlen = strlen(pskid);
1764 #ifndef OPENSSL_NO_PSK
1765 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1766 unsigned int max_id_len,
1768 unsigned int max_psk_len)
1770 unsigned int psklen = 0;
1772 psk_client_cb_cnt++;
1774 if (strlen(pskid) + 1 > max_id_len)
1777 /* We should only ever be called a maximum of twice per connection */
1778 if (psk_client_cb_cnt > 2)
1781 if (clientpsk == NULL)
1784 /* We'll reuse the PSK we set up for TLSv1.3 */
1785 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1787 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1788 strncpy(id, pskid, max_id_len);
1792 #endif /* OPENSSL_NO_PSK */
1794 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1795 size_t identity_len, SSL_SESSION **sess)
1797 find_session_cb_cnt++;
1799 /* We should only ever be called a maximum of twice per connection */
1800 if (find_session_cb_cnt > 2)
1803 if (serverpsk == NULL)
1806 /* Identity should match that set by the client */
1807 if (strlen(srvid) != identity_len
1808 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1809 /* No PSK found, continue but without a PSK */
1814 SSL_SESSION_up_ref(serverpsk);
1820 #ifndef OPENSSL_NO_PSK
1821 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1822 unsigned char *psk, unsigned int max_psk_len)
1824 unsigned int psklen = 0;
1826 psk_server_cb_cnt++;
1828 /* We should only ever be called a maximum of twice per connection */
1829 if (find_session_cb_cnt > 2)
1832 if (serverpsk == NULL)
1835 /* Identity should match that set by the client */
1836 if (strcmp(srvid, identity) != 0) {
1840 /* We'll reuse the PSK we set up for TLSv1.3 */
1841 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1843 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1847 #endif /* OPENSSL_NO_PSK */
1849 #define MSG1 "Hello"
1850 #define MSG2 "World."
1855 #define MSG7 "message."
1857 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1858 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1861 * Helper method to setup objects for early data test. Caller frees objects on
1864 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1865 SSL **serverssl, SSL_SESSION **sess, int idx)
1868 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1869 TLS_client_method(),
1870 TLS1_VERSION, TLS_MAX_VERSION,
1871 sctx, cctx, cert, privkey)))
1874 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
1878 /* When idx == 1 we repeat the tests with read_ahead set */
1879 SSL_CTX_set_read_ahead(*cctx, 1);
1880 SSL_CTX_set_read_ahead(*sctx, 1);
1881 } else if (idx == 2) {
1882 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1883 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1884 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1885 use_session_cb_cnt = 0;
1886 find_session_cb_cnt = 0;
1890 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1895 * For one of the run throughs (doesn't matter which one), we'll try sending
1896 * some SNI data in the initial ClientHello. This will be ignored (because
1897 * there is no SNI cb set up by the server), so it should not impact
1901 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1905 /* Create the PSK */
1906 const SSL_CIPHER *cipher = NULL;
1907 const unsigned char key[] = {
1908 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1909 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1910 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1911 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1912 0x2c, 0x2d, 0x2e, 0x2f
1915 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1916 clientpsk = SSL_SESSION_new();
1917 if (!TEST_ptr(clientpsk)
1918 || !TEST_ptr(cipher)
1919 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1921 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1923 SSL_SESSION_set_protocol_version(clientpsk,
1926 * We just choose an arbitrary value for max_early_data which
1927 * should be big enough for testing purposes.
1929 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1931 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1932 SSL_SESSION_free(clientpsk);
1936 serverpsk = clientpsk;
1939 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1940 SSL_SESSION_free(clientpsk);
1941 SSL_SESSION_free(serverpsk);
1942 clientpsk = serverpsk = NULL;
1953 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1957 *sess = SSL_get1_session(*clientssl);
1958 SSL_shutdown(*clientssl);
1959 SSL_shutdown(*serverssl);
1960 SSL_free(*serverssl);
1961 SSL_free(*clientssl);
1962 *serverssl = *clientssl = NULL;
1964 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1965 clientssl, NULL, NULL))
1966 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1972 static int test_early_data_read_write(int idx)
1974 SSL_CTX *cctx = NULL, *sctx = NULL;
1975 SSL *clientssl = NULL, *serverssl = NULL;
1977 SSL_SESSION *sess = NULL;
1978 unsigned char buf[20], data[1024];
1979 size_t readbytes, written, eoedlen, rawread, rawwritten;
1982 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1983 &serverssl, &sess, idx)))
1986 /* Write and read some early data */
1987 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1989 || !TEST_size_t_eq(written, strlen(MSG1))
1990 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1991 sizeof(buf), &readbytes),
1992 SSL_READ_EARLY_DATA_SUCCESS)
1993 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1994 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1995 SSL_EARLY_DATA_ACCEPTED))
1999 * Server should be able to write data, and client should be able to
2002 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2004 || !TEST_size_t_eq(written, strlen(MSG2))
2005 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2006 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2009 /* Even after reading normal data, client should be able write early data */
2010 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2012 || !TEST_size_t_eq(written, strlen(MSG3)))
2015 /* Server should still be able read early data after writing data */
2016 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2018 SSL_READ_EARLY_DATA_SUCCESS)
2019 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2022 /* Write more data from server and read it from client */
2023 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2025 || !TEST_size_t_eq(written, strlen(MSG4))
2026 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2027 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2031 * If client writes normal data it should mean writing early data is no
2034 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2035 || !TEST_size_t_eq(written, strlen(MSG5))
2036 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2037 SSL_EARLY_DATA_ACCEPTED))
2041 * At this point the client has written EndOfEarlyData, ClientFinished and
2042 * normal (fully protected) data. We are going to cause a delay between the
2043 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2044 * in the read BIO, and then just put back the EndOfEarlyData message.
2046 rbio = SSL_get_rbio(serverssl);
2047 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2048 || !TEST_size_t_lt(rawread, sizeof(data))
2049 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2052 /* Record length is in the 4th and 5th bytes of the record header */
2053 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2054 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2055 || !TEST_size_t_eq(rawwritten, eoedlen))
2058 /* Server should be told that there is no more early data */
2059 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2061 SSL_READ_EARLY_DATA_FINISH)
2062 || !TEST_size_t_eq(readbytes, 0))
2066 * Server has not finished init yet, so should still be able to write early
2069 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2071 || !TEST_size_t_eq(written, strlen(MSG6)))
2074 /* Push the ClientFinished and the normal data back into the server rbio */
2075 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2077 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2080 /* Server should be able to read normal data */
2081 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2082 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2085 /* Client and server should not be able to write/read early data now */
2086 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2090 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2092 SSL_READ_EARLY_DATA_ERROR))
2096 /* Client should be able to read the data sent by the server */
2097 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2098 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2102 * Make sure we process the two NewSessionTickets. These arrive
2103 * post-handshake. We attempt reads which we do not expect to return any
2106 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2107 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2111 /* Server should be able to write normal data */
2112 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2113 || !TEST_size_t_eq(written, strlen(MSG7))
2114 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2115 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2118 SSL_SESSION_free(sess);
2119 sess = SSL_get1_session(clientssl);
2120 use_session_cb_cnt = 0;
2121 find_session_cb_cnt = 0;
2123 SSL_shutdown(clientssl);
2124 SSL_shutdown(serverssl);
2125 SSL_free(serverssl);
2126 SSL_free(clientssl);
2127 serverssl = clientssl = NULL;
2128 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2129 &clientssl, NULL, NULL))
2130 || !TEST_true(SSL_set_session(clientssl, sess)))
2133 /* Write and read some early data */
2134 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2136 || !TEST_size_t_eq(written, strlen(MSG1))
2137 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2139 SSL_READ_EARLY_DATA_SUCCESS)
2140 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2143 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2144 || !TEST_int_gt(SSL_accept(serverssl), 0))
2147 /* Client and server should not be able to write/read early data now */
2148 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2152 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2154 SSL_READ_EARLY_DATA_ERROR))
2158 /* Client and server should be able to write/read normal data */
2159 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2160 || !TEST_size_t_eq(written, strlen(MSG5))
2161 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2162 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2168 SSL_SESSION_free(sess);
2169 SSL_SESSION_free(clientpsk);
2170 SSL_SESSION_free(serverpsk);
2171 clientpsk = serverpsk = NULL;
2172 SSL_free(serverssl);
2173 SSL_free(clientssl);
2179 static int allow_ed_cb_called = 0;
2181 static int allow_early_data_cb(SSL *s, void *arg)
2183 int *usecb = (int *)arg;
2185 allow_ed_cb_called++;
2194 * idx == 0: Standard early_data setup
2195 * idx == 1: early_data setup using read_ahead
2196 * usecb == 0: Don't use a custom early data callback
2197 * usecb == 1: Use a custom early data callback and reject the early data
2198 * usecb == 2: Use a custom early data callback and accept the early data
2199 * confopt == 0: Configure anti-replay directly
2200 * confopt == 1: Configure anti-replay using SSL_CONF
2202 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2204 SSL_CTX *cctx = NULL, *sctx = NULL;
2205 SSL *clientssl = NULL, *serverssl = NULL;
2207 SSL_SESSION *sess = NULL;
2208 size_t readbytes, written;
2209 unsigned char buf[20];
2211 allow_ed_cb_called = 0;
2213 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2214 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2215 &cctx, cert, privkey)))
2220 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2222 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2224 if (!TEST_ptr(confctx))
2226 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2227 | SSL_CONF_FLAG_SERVER);
2228 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2229 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2231 SSL_CONF_CTX_free(confctx);
2234 SSL_CONF_CTX_free(confctx);
2236 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2239 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2240 &serverssl, &sess, idx)))
2244 * The server is configured to accept early data. Create a connection to
2245 * "use up" the ticket
2247 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2248 || !TEST_true(SSL_session_reused(clientssl)))
2251 SSL_shutdown(clientssl);
2252 SSL_shutdown(serverssl);
2253 SSL_free(serverssl);
2254 SSL_free(clientssl);
2255 serverssl = clientssl = NULL;
2257 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2258 &clientssl, NULL, NULL))
2259 || !TEST_true(SSL_set_session(clientssl, sess)))
2262 /* Write and read some early data */
2263 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2265 || !TEST_size_t_eq(written, strlen(MSG1)))
2269 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2271 SSL_READ_EARLY_DATA_FINISH)
2273 * The ticket was reused, so the we should have rejected the
2276 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2277 SSL_EARLY_DATA_REJECTED))
2280 /* In this case the callback decides to accept the early data */
2281 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2283 SSL_READ_EARLY_DATA_SUCCESS)
2284 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2286 * Server will have sent its flight so client can now send
2287 * end of early data and complete its half of the handshake
2289 || !TEST_int_gt(SSL_connect(clientssl), 0)
2290 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2292 SSL_READ_EARLY_DATA_FINISH)
2293 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2294 SSL_EARLY_DATA_ACCEPTED))
2298 /* Complete the connection */
2299 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2300 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2301 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2307 SSL_SESSION_free(sess);
2308 SSL_SESSION_free(clientpsk);
2309 SSL_SESSION_free(serverpsk);
2310 clientpsk = serverpsk = NULL;
2311 SSL_free(serverssl);
2312 SSL_free(clientssl);
2318 static int test_early_data_replay(int idx)
2320 int ret = 1, usecb, confopt;
2322 for (usecb = 0; usecb < 3; usecb++) {
2323 for (confopt = 0; confopt < 2; confopt++)
2324 ret &= test_early_data_replay_int(idx, usecb, confopt);
2331 * Helper function to test that a server attempting to read early data can
2332 * handle a connection from a client where the early data should be skipped.
2333 * testtype: 0 == No HRR
2334 * testtype: 1 == HRR
2335 * testtype: 2 == recv_max_early_data set to 0
2337 static int early_data_skip_helper(int testtype, int idx)
2339 SSL_CTX *cctx = NULL, *sctx = NULL;
2340 SSL *clientssl = NULL, *serverssl = NULL;
2342 SSL_SESSION *sess = NULL;
2343 unsigned char buf[20];
2344 size_t readbytes, written;
2346 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2347 &serverssl, &sess, idx)))
2350 if (testtype == 1) {
2351 /* Force an HRR to occur */
2352 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2354 } else if (idx == 2) {
2356 * We force early_data rejection by ensuring the PSK identity is
2359 srvid = "Dummy Identity";
2362 * Deliberately corrupt the creation time. We take 20 seconds off the
2363 * time. It could be any value as long as it is not within tolerance.
2364 * This should mean the ticket is rejected.
2366 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2371 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2374 /* Write some early data */
2375 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2377 || !TEST_size_t_eq(written, strlen(MSG1)))
2380 /* Server should reject the early data */
2381 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2383 SSL_READ_EARLY_DATA_FINISH)
2384 || !TEST_size_t_eq(readbytes, 0)
2385 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2386 SSL_EARLY_DATA_REJECTED))
2389 if (testtype == 1) {
2391 * Finish off the handshake. We perform the same writes and reads as
2392 * further down but we expect them to fail due to the incomplete
2395 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2396 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2399 } else if (testtype == 2) {
2401 * This client has sent more early_data than we are willing to skip so
2402 * the connection should abort.
2404 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2405 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2408 /* Connection has failed - nothing more to do */
2414 * Should be able to send normal data despite rejection of early data. The
2415 * early_data should be skipped.
2417 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2418 || !TEST_size_t_eq(written, strlen(MSG2))
2419 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2420 SSL_EARLY_DATA_REJECTED)
2421 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2422 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2428 SSL_SESSION_free(clientpsk);
2429 SSL_SESSION_free(serverpsk);
2430 clientpsk = serverpsk = NULL;
2431 SSL_SESSION_free(sess);
2432 SSL_free(serverssl);
2433 SSL_free(clientssl);
2440 * Test that a server attempting to read early data can handle a connection
2441 * from a client where the early data is not acceptable.
2443 static int test_early_data_skip(int idx)
2445 return early_data_skip_helper(0, idx);
2449 * Test that a server attempting to read early data can handle a connection
2450 * from a client where an HRR occurs.
2452 static int test_early_data_skip_hrr(int idx)
2454 return early_data_skip_helper(1, idx);
2458 * Test that a server attempting to read early data will abort if it tries to
2459 * skip over too much.
2461 static int test_early_data_skip_abort(int idx)
2463 return early_data_skip_helper(2, idx);
2467 * Test that a server attempting to read early data can handle a connection
2468 * from a client that doesn't send any.
2470 static int test_early_data_not_sent(int idx)
2472 SSL_CTX *cctx = NULL, *sctx = NULL;
2473 SSL *clientssl = NULL, *serverssl = NULL;
2475 SSL_SESSION *sess = NULL;
2476 unsigned char buf[20];
2477 size_t readbytes, written;
2479 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2480 &serverssl, &sess, idx)))
2483 /* Write some data - should block due to handshake with server */
2484 SSL_set_connect_state(clientssl);
2485 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2488 /* Server should detect that early data has not been sent */
2489 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2491 SSL_READ_EARLY_DATA_FINISH)
2492 || !TEST_size_t_eq(readbytes, 0)
2493 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2494 SSL_EARLY_DATA_NOT_SENT)
2495 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2496 SSL_EARLY_DATA_NOT_SENT))
2499 /* Continue writing the message we started earlier */
2500 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2501 || !TEST_size_t_eq(written, strlen(MSG1))
2502 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2503 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2504 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2505 || !TEST_size_t_eq(written, strlen(MSG2)))
2508 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2509 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2515 SSL_SESSION_free(sess);
2516 SSL_SESSION_free(clientpsk);
2517 SSL_SESSION_free(serverpsk);
2518 clientpsk = serverpsk = NULL;
2519 SSL_free(serverssl);
2520 SSL_free(clientssl);
2526 static int hostname_cb(SSL *s, int *al, void *arg)
2528 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2530 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2531 return SSL_TLSEXT_ERR_OK;
2533 return SSL_TLSEXT_ERR_NOACK;
2536 static const char *servalpn;
2538 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2539 unsigned char *outlen, const unsigned char *in,
2540 unsigned int inlen, void *arg)
2542 unsigned int protlen = 0;
2543 const unsigned char *prot;
2545 for (prot = in; prot < in + inlen; prot += protlen) {
2547 if (in + inlen < prot + protlen)
2548 return SSL_TLSEXT_ERR_NOACK;
2550 if (protlen == strlen(servalpn)
2551 && memcmp(prot, servalpn, protlen) == 0) {
2554 return SSL_TLSEXT_ERR_OK;
2558 return SSL_TLSEXT_ERR_NOACK;
2561 /* Test that a PSK can be used to send early_data */
2562 static int test_early_data_psk(int idx)
2564 SSL_CTX *cctx = NULL, *sctx = NULL;
2565 SSL *clientssl = NULL, *serverssl = NULL;
2567 SSL_SESSION *sess = NULL;
2568 unsigned char alpnlist[] = {
2569 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2572 #define GOODALPNLEN 9
2573 #define BADALPNLEN 8
2574 #define GOODALPN (alpnlist)
2575 #define BADALPN (alpnlist + GOODALPNLEN)
2577 unsigned char buf[20];
2578 size_t readbytes, written;
2579 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2580 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2582 /* We always set this up with a final parameter of "2" for PSK */
2583 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2584 &serverssl, &sess, 2)))
2587 servalpn = "goodalpn";
2590 * Note: There is no test for inconsistent SNI with late client detection.
2591 * This is because servers do not acknowledge SNI even if they are using
2592 * it in a resumption handshake - so it is not actually possible for a
2593 * client to detect a problem.
2597 /* Set inconsistent SNI (early client detection) */
2598 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2599 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2600 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2605 /* Set inconsistent ALPN (early client detection) */
2606 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2607 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2608 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2610 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2617 * Set invalid protocol version. Technically this affects PSKs without
2618 * early_data too, but we test it here because it is similar to the
2619 * SNI/ALPN consistency tests.
2621 err = SSL_R_BAD_PSK;
2622 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2628 * Set inconsistent SNI (server detected). In this case the connection
2629 * will succeed but reject early_data.
2631 SSL_SESSION_free(serverpsk);
2632 serverpsk = SSL_SESSION_dup(clientpsk);
2633 if (!TEST_ptr(serverpsk)
2634 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2636 edstatus = SSL_EARLY_DATA_REJECTED;
2637 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2640 /* Set consistent SNI */
2641 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2642 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2643 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2650 * Set inconsistent ALPN (server detected). In this case the connection
2651 * will succeed but reject early_data.
2653 servalpn = "badalpn";
2654 edstatus = SSL_EARLY_DATA_REJECTED;
2655 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2659 * Set consistent ALPN.
2660 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2661 * accepts a list of protos (each one length prefixed).
2662 * SSL_set1_alpn_selected accepts a single protocol (not length
2665 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2667 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2671 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2675 /* Set inconsistent ALPN (late client detection) */
2676 SSL_SESSION_free(serverpsk);
2677 serverpsk = SSL_SESSION_dup(clientpsk);
2678 if (!TEST_ptr(serverpsk)
2679 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2682 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2685 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2688 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2689 edstatus = SSL_EARLY_DATA_ACCEPTED;
2690 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2691 /* SSL_connect() call should fail */
2696 TEST_error("Bad test index");
2700 SSL_set_connect_state(clientssl);
2702 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2704 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2705 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2708 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2712 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2713 &readbytes), readearlyres)
2714 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2715 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2716 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2717 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2724 SSL_SESSION_free(sess);
2725 SSL_SESSION_free(clientpsk);
2726 SSL_SESSION_free(serverpsk);
2727 clientpsk = serverpsk = NULL;
2728 SSL_free(serverssl);
2729 SSL_free(clientssl);
2736 * Test that a server that doesn't try to read early data can handle a
2737 * client sending some.
2739 static int test_early_data_not_expected(int idx)
2741 SSL_CTX *cctx = NULL, *sctx = NULL;
2742 SSL *clientssl = NULL, *serverssl = NULL;
2744 SSL_SESSION *sess = NULL;
2745 unsigned char buf[20];
2746 size_t readbytes, written;
2748 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2749 &serverssl, &sess, idx)))
2752 /* Write some early data */
2753 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2758 * Server should skip over early data and then block waiting for client to
2759 * continue handshake
2761 if (!TEST_int_le(SSL_accept(serverssl), 0)
2762 || !TEST_int_gt(SSL_connect(clientssl), 0)
2763 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2764 SSL_EARLY_DATA_REJECTED)
2765 || !TEST_int_gt(SSL_accept(serverssl), 0)
2766 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2767 SSL_EARLY_DATA_REJECTED))
2770 /* Send some normal data from client to server */
2771 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2772 || !TEST_size_t_eq(written, strlen(MSG2)))
2775 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2776 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2782 SSL_SESSION_free(sess);
2783 SSL_SESSION_free(clientpsk);
2784 SSL_SESSION_free(serverpsk);
2785 clientpsk = serverpsk = NULL;
2786 SSL_free(serverssl);
2787 SSL_free(clientssl);
2794 # ifndef OPENSSL_NO_TLS1_2
2796 * Test that a server attempting to read early data can handle a connection
2797 * from a TLSv1.2 client.
2799 static int test_early_data_tls1_2(int idx)
2801 SSL_CTX *cctx = NULL, *sctx = NULL;
2802 SSL *clientssl = NULL, *serverssl = NULL;
2804 unsigned char buf[20];
2805 size_t readbytes, written;
2807 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2808 &serverssl, NULL, idx)))
2811 /* Write some data - should block due to handshake with server */
2812 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2813 SSL_set_connect_state(clientssl);
2814 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2818 * Server should do TLSv1.2 handshake. First it will block waiting for more
2819 * messages from client after ServerDone. Then SSL_read_early_data should
2820 * finish and detect that early data has not been sent
2822 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2824 SSL_READ_EARLY_DATA_ERROR))
2828 * Continue writing the message we started earlier. Will still block waiting
2829 * for the CCS/Finished from server
2831 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2832 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2834 SSL_READ_EARLY_DATA_FINISH)
2835 || !TEST_size_t_eq(readbytes, 0)
2836 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2837 SSL_EARLY_DATA_NOT_SENT))
2840 /* Continue writing the message we started earlier */
2841 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2842 || !TEST_size_t_eq(written, strlen(MSG1))
2843 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2844 SSL_EARLY_DATA_NOT_SENT)
2845 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2846 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2847 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2848 || !TEST_size_t_eq(written, strlen(MSG2))
2849 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2850 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2856 SSL_SESSION_free(clientpsk);
2857 SSL_SESSION_free(serverpsk);
2858 clientpsk = serverpsk = NULL;
2859 SSL_free(serverssl);
2860 SSL_free(clientssl);
2866 # endif /* OPENSSL_NO_TLS1_2 */
2869 * Test configuring the TLSv1.3 ciphersuites
2871 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2872 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2873 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2874 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2875 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2876 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2877 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2878 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2879 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2880 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2882 static int test_set_ciphersuite(int idx)
2884 SSL_CTX *cctx = NULL, *sctx = NULL;
2885 SSL *clientssl = NULL, *serverssl = NULL;
2888 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2889 TLS1_VERSION, TLS_MAX_VERSION,
2890 &sctx, &cctx, cert, privkey))
2891 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2892 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2895 if (idx >=4 && idx <= 7) {
2896 /* SSL_CTX explicit cipher list */
2897 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2901 if (idx == 0 || idx == 4) {
2902 /* Default ciphersuite */
2903 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2904 "TLS_AES_128_GCM_SHA256")))
2906 } else if (idx == 1 || idx == 5) {
2907 /* Non default ciphersuite */
2908 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2909 "TLS_AES_128_CCM_SHA256")))
2913 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2914 &clientssl, NULL, NULL)))
2917 if (idx == 8 || idx == 9) {
2918 /* SSL explicit cipher list */
2919 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2923 if (idx == 2 || idx == 6 || idx == 8) {
2924 /* Default ciphersuite */
2925 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2926 "TLS_AES_128_GCM_SHA256")))
2928 } else if (idx == 3 || idx == 7 || idx == 9) {
2929 /* Non default ciphersuite */
2930 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2931 "TLS_AES_128_CCM_SHA256")))
2935 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2941 SSL_free(serverssl);
2942 SSL_free(clientssl);
2949 static int test_ciphersuite_change(void)
2951 SSL_CTX *cctx = NULL, *sctx = NULL;
2952 SSL *clientssl = NULL, *serverssl = NULL;
2953 SSL_SESSION *clntsess = NULL;
2955 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2957 /* Create a session based on SHA-256 */
2958 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2959 TLS1_VERSION, TLS_MAX_VERSION,
2960 &sctx, &cctx, cert, privkey))
2961 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2962 "TLS_AES_128_GCM_SHA256"))
2963 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2964 &clientssl, NULL, NULL))
2965 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2969 clntsess = SSL_get1_session(clientssl);
2970 /* Save for later */
2971 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2972 SSL_shutdown(clientssl);
2973 SSL_shutdown(serverssl);
2974 SSL_free(serverssl);
2975 SSL_free(clientssl);
2976 serverssl = clientssl = NULL;
2978 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2979 /* Check we can resume a session with a different SHA-256 ciphersuite */
2980 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2981 "TLS_CHACHA20_POLY1305_SHA256"))
2982 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2984 || !TEST_true(SSL_set_session(clientssl, clntsess))
2985 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2987 || !TEST_true(SSL_session_reused(clientssl)))
2990 SSL_SESSION_free(clntsess);
2991 clntsess = SSL_get1_session(clientssl);
2992 SSL_shutdown(clientssl);
2993 SSL_shutdown(serverssl);
2994 SSL_free(serverssl);
2995 SSL_free(clientssl);
2996 serverssl = clientssl = NULL;
3000 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3001 * succeeds but does not resume.
3003 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3004 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3006 || !TEST_true(SSL_set_session(clientssl, clntsess))
3007 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3009 || !TEST_false(SSL_session_reused(clientssl)))
3012 SSL_SESSION_free(clntsess);
3014 SSL_shutdown(clientssl);
3015 SSL_shutdown(serverssl);
3016 SSL_free(serverssl);
3017 SSL_free(clientssl);
3018 serverssl = clientssl = NULL;
3020 /* Create a session based on SHA384 */
3021 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3022 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3023 &clientssl, NULL, NULL))
3024 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3028 clntsess = SSL_get1_session(clientssl);
3029 SSL_shutdown(clientssl);
3030 SSL_shutdown(serverssl);
3031 SSL_free(serverssl);
3032 SSL_free(clientssl);
3033 serverssl = clientssl = NULL;
3035 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3036 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3037 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3038 "TLS_AES_256_GCM_SHA384"))
3039 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3041 || !TEST_true(SSL_set_session(clientssl, clntsess))
3043 * We use SSL_ERROR_WANT_READ below so that we can pause the
3044 * connection after the initial ClientHello has been sent to
3045 * enable us to make some session changes.
3047 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3048 SSL_ERROR_WANT_READ)))
3051 /* Trick the client into thinking this session is for a different digest */
3052 clntsess->cipher = aes_128_gcm_sha256;
3053 clntsess->cipher_id = clntsess->cipher->id;
3056 * Continue the previously started connection. Server has selected a SHA-384
3057 * ciphersuite, but client thinks the session is for SHA-256, so it should
3060 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3062 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3063 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3069 SSL_SESSION_free(clntsess);
3070 SSL_free(serverssl);
3071 SSL_free(clientssl);
3080 * Test 0 = Test new style callbacks
3081 * Test 1 = Test both new and old style callbacks
3082 * Test 2 = Test old style callbacks
3083 * Test 3 = Test old style callbacks with no certificate
3085 static int test_tls13_psk(int idx)
3087 SSL_CTX *sctx = NULL, *cctx = NULL;
3088 SSL *serverssl = NULL, *clientssl = NULL;
3089 const SSL_CIPHER *cipher = NULL;
3090 const unsigned char key[] = {
3091 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3092 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3093 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3094 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3098 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3099 TLS1_VERSION, TLS_MAX_VERSION,
3100 &sctx, &cctx, idx == 3 ? NULL : cert,
3101 idx == 3 ? NULL : privkey)))
3106 * We use a ciphersuite with SHA256 to ease testing old style PSK
3107 * callbacks which will always default to SHA256. This should not be
3108 * necessary if we have no cert/priv key. In that case the server should
3109 * prefer SHA256 automatically.
3111 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3112 "TLS_AES_128_GCM_SHA256")))
3117 * Test 0: New style callbacks only
3118 * Test 1: New and old style callbacks (only the new ones should be used)
3119 * Test 2: Old style callbacks only
3121 if (idx == 0 || idx == 1) {
3122 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3123 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3125 #ifndef OPENSSL_NO_PSK
3127 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3128 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3132 use_session_cb_cnt = 0;
3133 find_session_cb_cnt = 0;
3134 psk_client_cb_cnt = 0;
3135 psk_server_cb_cnt = 0;
3139 * Check we can create a connection if callback decides not to send a
3142 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3144 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3146 || !TEST_false(SSL_session_reused(clientssl))
3147 || !TEST_false(SSL_session_reused(serverssl)))
3150 if (idx == 0 || idx == 1) {
3151 if (!TEST_true(use_session_cb_cnt == 1)
3152 || !TEST_true(find_session_cb_cnt == 0)
3154 * If no old style callback then below should be 0
3157 || !TEST_true(psk_client_cb_cnt == idx)
3158 || !TEST_true(psk_server_cb_cnt == 0))
3161 if (!TEST_true(use_session_cb_cnt == 0)
3162 || !TEST_true(find_session_cb_cnt == 0)
3163 || !TEST_true(psk_client_cb_cnt == 1)
3164 || !TEST_true(psk_server_cb_cnt == 0))
3168 shutdown_ssl_connection(serverssl, clientssl);
3169 serverssl = clientssl = NULL;
3170 use_session_cb_cnt = psk_client_cb_cnt = 0;
3173 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3177 /* Create the PSK */
3178 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3179 clientpsk = SSL_SESSION_new();
3180 if (!TEST_ptr(clientpsk)
3181 || !TEST_ptr(cipher)
3182 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3184 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3185 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3187 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3189 serverpsk = clientpsk;
3191 /* Check we can create a connection and the PSK is used */
3192 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3193 || !TEST_true(SSL_session_reused(clientssl))
3194 || !TEST_true(SSL_session_reused(serverssl)))
3197 if (idx == 0 || idx == 1) {
3198 if (!TEST_true(use_session_cb_cnt == 1)
3199 || !TEST_true(find_session_cb_cnt == 1)
3200 || !TEST_true(psk_client_cb_cnt == 0)
3201 || !TEST_true(psk_server_cb_cnt == 0))
3204 if (!TEST_true(use_session_cb_cnt == 0)
3205 || !TEST_true(find_session_cb_cnt == 0)
3206 || !TEST_true(psk_client_cb_cnt == 1)
3207 || !TEST_true(psk_server_cb_cnt == 1))
3211 shutdown_ssl_connection(serverssl, clientssl);
3212 serverssl = clientssl = NULL;
3213 use_session_cb_cnt = find_session_cb_cnt = 0;
3214 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3216 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3221 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3225 * Check we can create a connection, the PSK is used and the callbacks are
3228 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3229 || !TEST_true(SSL_session_reused(clientssl))
3230 || !TEST_true(SSL_session_reused(serverssl)))
3233 if (idx == 0 || idx == 1) {
3234 if (!TEST_true(use_session_cb_cnt == 2)
3235 || !TEST_true(find_session_cb_cnt == 2)
3236 || !TEST_true(psk_client_cb_cnt == 0)
3237 || !TEST_true(psk_server_cb_cnt == 0))
3240 if (!TEST_true(use_session_cb_cnt == 0)
3241 || !TEST_true(find_session_cb_cnt == 0)
3242 || !TEST_true(psk_client_cb_cnt == 2)
3243 || !TEST_true(psk_server_cb_cnt == 2))
3247 shutdown_ssl_connection(serverssl, clientssl);
3248 serverssl = clientssl = NULL;
3249 use_session_cb_cnt = find_session_cb_cnt = 0;
3250 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3254 * Check that if the server rejects the PSK we can still connect, but with
3257 srvid = "Dummy Identity";
3258 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3260 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3262 || !TEST_false(SSL_session_reused(clientssl))
3263 || !TEST_false(SSL_session_reused(serverssl)))
3266 if (idx == 0 || idx == 1) {
3267 if (!TEST_true(use_session_cb_cnt == 1)
3268 || !TEST_true(find_session_cb_cnt == 1)
3269 || !TEST_true(psk_client_cb_cnt == 0)
3271 * If no old style callback then below should be 0
3274 || !TEST_true(psk_server_cb_cnt == idx))
3277 if (!TEST_true(use_session_cb_cnt == 0)
3278 || !TEST_true(find_session_cb_cnt == 0)
3279 || !TEST_true(psk_client_cb_cnt == 1)
3280 || !TEST_true(psk_server_cb_cnt == 1))
3284 shutdown_ssl_connection(serverssl, clientssl);
3285 serverssl = clientssl = NULL;
3290 SSL_SESSION_free(clientpsk);
3291 SSL_SESSION_free(serverpsk);
3292 clientpsk = serverpsk = NULL;
3293 SSL_free(serverssl);
3294 SSL_free(clientssl);
3300 static unsigned char cookie_magic_value[] = "cookie magic";
3302 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3303 unsigned int *cookie_len)
3306 * Not suitable as a real cookie generation function but good enough for
3309 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3310 *cookie_len = sizeof(cookie_magic_value) - 1;
3315 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3316 unsigned int cookie_len)
3318 if (cookie_len == sizeof(cookie_magic_value) - 1
3319 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3325 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3329 int res = generate_cookie_callback(ssl, cookie, &temp);
3334 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3337 return verify_cookie_callback(ssl, cookie, cookie_len);
3340 static int test_stateless(void)
3342 SSL_CTX *sctx = NULL, *cctx = NULL;
3343 SSL *serverssl = NULL, *clientssl = NULL;
3346 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3347 TLS1_VERSION, TLS_MAX_VERSION,
3348 &sctx, &cctx, cert, privkey)))
3351 /* The arrival of CCS messages can confuse the test */
3352 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3354 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3356 /* Send the first ClientHello */
3357 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3358 SSL_ERROR_WANT_READ))
3360 * This should fail with a -1 return because we have no callbacks
3363 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3366 /* Fatal error so abandon the connection from this client */
3367 SSL_free(clientssl);
3370 /* Set up the cookie generation and verification callbacks */
3371 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3372 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3375 * Create a new connection from the client (we can reuse the server SSL
3378 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3380 /* Send the first ClientHello */
3381 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3382 SSL_ERROR_WANT_READ))
3383 /* This should fail because there is no cookie */
3384 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3387 /* Abandon the connection from this client */
3388 SSL_free(clientssl);
3392 * Now create a connection from a new client but with the same server SSL
3395 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3397 /* Send the first ClientHello */
3398 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3399 SSL_ERROR_WANT_READ))
3400 /* This should fail because there is no cookie */
3401 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3402 /* Send the second ClientHello */
3403 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3404 SSL_ERROR_WANT_READ))
3405 /* This should succeed because a cookie is now present */
3406 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3407 /* Complete the connection */
3408 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3412 shutdown_ssl_connection(serverssl, clientssl);
3413 serverssl = clientssl = NULL;
3417 SSL_free(serverssl);
3418 SSL_free(clientssl);
3424 #endif /* OPENSSL_NO_TLS1_3 */
3426 static int clntaddoldcb = 0;
3427 static int clntparseoldcb = 0;
3428 static int srvaddoldcb = 0;
3429 static int srvparseoldcb = 0;
3430 static int clntaddnewcb = 0;
3431 static int clntparsenewcb = 0;
3432 static int srvaddnewcb = 0;
3433 static int srvparsenewcb = 0;
3434 static int snicb = 0;
3436 #define TEST_EXT_TYPE1 0xff00
3438 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3439 size_t *outlen, int *al, void *add_arg)
3441 int *server = (int *)add_arg;
3442 unsigned char *data;
3444 if (SSL_is_server(s))
3449 if (*server != SSL_is_server(s)
3450 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3455 *outlen = sizeof(char);
3459 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3462 OPENSSL_free((unsigned char *)out);
3465 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3466 size_t inlen, int *al, void *parse_arg)
3468 int *server = (int *)parse_arg;
3470 if (SSL_is_server(s))
3475 if (*server != SSL_is_server(s)
3476 || inlen != sizeof(char)
3483 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3484 const unsigned char **out, size_t *outlen, X509 *x,
3485 size_t chainidx, int *al, void *add_arg)
3487 int *server = (int *)add_arg;
3488 unsigned char *data;
3490 if (SSL_is_server(s))
3495 if (*server != SSL_is_server(s)
3496 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3501 *outlen = sizeof(*data);
3505 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3506 const unsigned char *out, void *add_arg)
3508 OPENSSL_free((unsigned char *)out);
3511 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3512 const unsigned char *in, size_t inlen, X509 *x,
3513 size_t chainidx, int *al, void *parse_arg)
3515 int *server = (int *)parse_arg;
3517 if (SSL_is_server(s))
3522 if (*server != SSL_is_server(s)
3523 || inlen != sizeof(char) || *in != 1)
3529 static int sni_cb(SSL *s, int *al, void *arg)
3531 SSL_CTX *ctx = (SSL_CTX *)arg;
3533 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3534 *al = SSL_AD_INTERNAL_ERROR;
3535 return SSL_TLSEXT_ERR_ALERT_FATAL;
3538 return SSL_TLSEXT_ERR_OK;
3542 * Custom call back tests.
3543 * Test 0: Old style callbacks in TLSv1.2
3544 * Test 1: New style callbacks in TLSv1.2
3545 * Test 2: New style callbacks in TLSv1.2 with SNI
3546 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3547 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3549 static int test_custom_exts(int tst)
3551 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3552 SSL *clientssl = NULL, *serverssl = NULL;
3554 static int server = 1;
3555 static int client = 0;
3556 SSL_SESSION *sess = NULL;
3557 unsigned int context;
3559 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3560 /* Skip tests for TLSv1.2 and below in this case */
3565 /* Reset callback counters */
3566 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3567 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3570 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3571 TLS1_VERSION, TLS_MAX_VERSION,
3572 &sctx, &cctx, cert, privkey)))
3576 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3577 TLS1_VERSION, TLS_MAX_VERSION,
3578 &sctx2, NULL, cert, privkey)))
3583 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3584 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3586 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3590 context = SSL_EXT_CLIENT_HELLO
3591 | SSL_EXT_TLS1_2_SERVER_HELLO
3592 | SSL_EXT_TLS1_3_SERVER_HELLO
3593 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3594 | SSL_EXT_TLS1_3_CERTIFICATE
3595 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3597 context = SSL_EXT_CLIENT_HELLO
3598 | SSL_EXT_TLS1_2_SERVER_HELLO
3599 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3602 /* Create a client side custom extension */
3604 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3605 old_add_cb, old_free_cb,
3606 &client, old_parse_cb,
3610 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3611 new_add_cb, new_free_cb,
3612 &client, new_parse_cb, &client)))
3616 /* Should not be able to add duplicates */
3617 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3618 old_add_cb, old_free_cb,
3619 &client, old_parse_cb,
3621 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3622 context, new_add_cb,
3623 new_free_cb, &client,
3624 new_parse_cb, &client)))
3627 /* Create a server side custom extension */
3629 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3630 old_add_cb, old_free_cb,
3631 &server, old_parse_cb,
3635 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3636 new_add_cb, new_free_cb,
3637 &server, new_parse_cb, &server)))
3640 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3641 context, new_add_cb,
3642 new_free_cb, &server,
3643 new_parse_cb, &server)))
3647 /* Should not be able to add duplicates */
3648 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3649 old_add_cb, old_free_cb,
3650 &server, old_parse_cb,
3652 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3653 context, new_add_cb,
3654 new_free_cb, &server,
3655 new_parse_cb, &server)))
3660 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3661 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3665 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3666 &clientssl, NULL, NULL))
3667 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3672 if (clntaddoldcb != 1
3673 || clntparseoldcb != 1
3675 || srvparseoldcb != 1)
3677 } else if (tst == 1 || tst == 2 || tst == 3) {
3678 if (clntaddnewcb != 1
3679 || clntparsenewcb != 1
3681 || srvparsenewcb != 1
3682 || (tst != 2 && snicb != 0)
3683 || (tst == 2 && snicb != 1))
3686 /* In this case there 2 NewSessionTicket messages created */
3687 if (clntaddnewcb != 1
3688 || clntparsenewcb != 5
3690 || srvparsenewcb != 1)
3694 sess = SSL_get1_session(clientssl);
3695 SSL_shutdown(clientssl);
3696 SSL_shutdown(serverssl);
3697 SSL_free(serverssl);
3698 SSL_free(clientssl);
3699 serverssl = clientssl = NULL;
3702 /* We don't bother with the resumption aspects for this test */
3707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3709 || !TEST_true(SSL_set_session(clientssl, sess))
3710 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3715 * For a resumed session we expect to add the ClientHello extension. For the
3716 * old style callbacks we ignore it on the server side because they set
3717 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3721 if (clntaddoldcb != 2
3722 || clntparseoldcb != 1
3724 || srvparseoldcb != 1)
3726 } else if (tst == 1 || tst == 2 || tst == 3) {
3727 if (clntaddnewcb != 2
3728 || clntparsenewcb != 2
3730 || srvparsenewcb != 2)
3734 * No Certificate message extensions in the resumption handshake,
3735 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3737 if (clntaddnewcb != 2
3738 || clntparsenewcb != 8
3740 || srvparsenewcb != 2)
3747 SSL_SESSION_free(sess);
3748 SSL_free(serverssl);
3749 SSL_free(clientssl);
3750 SSL_CTX_free(sctx2);
3757 * Test loading of serverinfo data in various formats. test_sslmessages actually
3758 * tests to make sure the extensions appear in the handshake
3760 static int test_serverinfo(int tst)
3762 unsigned int version;
3763 unsigned char *sibuf;
3765 int ret, expected, testresult = 0;
3768 ctx = SSL_CTX_new(TLS_method());
3772 if ((tst & 0x01) == 0x01)
3773 version = SSL_SERVERINFOV2;
3775 version = SSL_SERVERINFOV1;
3777 if ((tst & 0x02) == 0x02) {
3778 sibuf = serverinfov2;
3779 sibuflen = sizeof(serverinfov2);
3780 expected = (version == SSL_SERVERINFOV2);
3782 sibuf = serverinfov1;
3783 sibuflen = sizeof(serverinfov1);
3784 expected = (version == SSL_SERVERINFOV1);
3787 if ((tst & 0x04) == 0x04) {
3788 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3790 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3793 * The version variable is irrelevant in this case - it's what is in the
3794 * buffer that matters
3796 if ((tst & 0x02) == 0x02)
3802 if (!TEST_true(ret == expected))
3814 * Test that SSL_export_keying_material() produces expected results. There are
3815 * no test vectors so all we do is test that both sides of the communication
3816 * produce the same results for different protocol versions.
3818 static int test_export_key_mat(int tst)
3821 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3822 SSL *clientssl = NULL, *serverssl = NULL;
3823 const char label[] = "test label";
3824 const unsigned char context[] = "context";
3825 const unsigned char *emptycontext = NULL;
3826 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3827 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3828 const int protocols[] = {
3835 #ifdef OPENSSL_NO_TLS1
3839 #ifdef OPENSSL_NO_TLS1_1
3843 #ifdef OPENSSL_NO_TLS1_2
3847 #ifdef OPENSSL_NO_TLS1_3
3851 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3852 TLS1_VERSION, TLS_MAX_VERSION,
3853 &sctx, &cctx, cert, privkey)))
3856 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3857 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3858 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3860 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3862 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3866 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3867 sizeof(ckeymat1), label,
3868 sizeof(label) - 1, context,
3869 sizeof(context) - 1, 1), 1)
3870 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3871 sizeof(ckeymat2), label,
3875 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3876 sizeof(ckeymat3), label,
3879 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3880 sizeof(skeymat1), label,
3883 sizeof(context) -1, 1),
3885 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3886 sizeof(skeymat2), label,
3890 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3891 sizeof(skeymat3), label,
3895 * Check that both sides created the same key material with the
3898 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3901 * Check that both sides created the same key material with an
3904 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3907 * Check that both sides created the same key material without a
3910 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3912 /* Different contexts should produce different results */
3913 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3918 * Check that an empty context and no context produce different results in
3919 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3921 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3923 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3930 SSL_free(serverssl);
3931 SSL_free(clientssl);
3932 SSL_CTX_free(sctx2);
3939 #ifndef OPENSSL_NO_TLS1_3
3941 * Test that SSL_export_keying_material_early() produces expected
3942 * results. There are no test vectors so all we do is test that both
3943 * sides of the communication produce the same results for different
3944 * protocol versions.
3946 static int test_export_key_mat_early(int idx)
3948 static const char label[] = "test label";
3949 static const unsigned char context[] = "context";
3951 SSL_CTX *cctx = NULL, *sctx = NULL;
3952 SSL *clientssl = NULL, *serverssl = NULL;
3953 SSL_SESSION *sess = NULL;
3954 const unsigned char *emptycontext = NULL;
3955 unsigned char ckeymat1[80], ckeymat2[80];
3956 unsigned char skeymat1[80], skeymat2[80];
3957 unsigned char buf[1];
3958 size_t readbytes, written;
3960 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3964 /* Here writing 0 length early data is enough. */
3965 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3966 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3968 SSL_READ_EARLY_DATA_ERROR)
3969 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3970 SSL_EARLY_DATA_ACCEPTED))
3973 if (!TEST_int_eq(SSL_export_keying_material_early(
3974 clientssl, ckeymat1, sizeof(ckeymat1), label,
3975 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3976 || !TEST_int_eq(SSL_export_keying_material_early(
3977 clientssl, ckeymat2, sizeof(ckeymat2), label,
3978 sizeof(label) - 1, emptycontext, 0), 1)
3979 || !TEST_int_eq(SSL_export_keying_material_early(
3980 serverssl, skeymat1, sizeof(skeymat1), label,
3981 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3982 || !TEST_int_eq(SSL_export_keying_material_early(
3983 serverssl, skeymat2, sizeof(skeymat2), label,
3984 sizeof(label) - 1, emptycontext, 0), 1)
3986 * Check that both sides created the same key material with the
3989 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3992 * Check that both sides created the same key material with an
3995 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3997 /* Different contexts should produce different results */
3998 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4005 SSL_SESSION_free(sess);
4006 SSL_SESSION_free(clientpsk);
4007 SSL_SESSION_free(serverpsk);
4008 clientpsk = serverpsk = NULL;
4009 SSL_free(serverssl);
4010 SSL_free(clientssl);
4016 #endif /* OPENSSL_NO_TLS1_3 */
4018 static int test_ssl_clear(int idx)
4020 SSL_CTX *cctx = NULL, *sctx = NULL;
4021 SSL *clientssl = NULL, *serverssl = NULL;
4024 #ifdef OPENSSL_NO_TLS1_2
4029 /* Create an initial connection */
4030 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4031 TLS1_VERSION, TLS_MAX_VERSION,
4032 &sctx, &cctx, cert, privkey))
4034 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4036 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4037 &clientssl, NULL, NULL))
4038 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4042 SSL_shutdown(clientssl);
4043 SSL_shutdown(serverssl);
4044 SSL_free(serverssl);
4047 /* Clear clientssl - we're going to reuse the object */
4048 if (!TEST_true(SSL_clear(clientssl)))
4051 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4053 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4055 || !TEST_true(SSL_session_reused(clientssl)))
4058 SSL_shutdown(clientssl);
4059 SSL_shutdown(serverssl);
4064 SSL_free(serverssl);
4065 SSL_free(clientssl);
4072 /* Parse CH and retrieve any MFL extension value if present */
4073 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4076 unsigned char *data;
4077 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4078 unsigned int MFL_code = 0, type = 0;
4080 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4083 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4084 /* Skip the record header */
4085 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4086 /* Skip the handshake message header */
4087 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4088 /* Skip client version and random */
4089 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4090 + SSL3_RANDOM_SIZE))
4091 /* Skip session id */
4092 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4094 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4095 /* Skip compression */
4096 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4097 /* Extensions len */
4098 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4101 /* Loop through all extensions */
4102 while (PACKET_remaining(&pkt2)) {
4103 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4104 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4107 if (type == TLSEXT_TYPE_max_fragment_length) {
4108 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4109 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4112 *mfl_codemfl_code = MFL_code;
4121 /* Maximum-Fragment-Length TLS extension mode to test */
4122 static const unsigned char max_fragment_len_test[] = {
4123 TLSEXT_max_fragment_length_512,
4124 TLSEXT_max_fragment_length_1024,
4125 TLSEXT_max_fragment_length_2048,
4126 TLSEXT_max_fragment_length_4096
4129 static int test_max_fragment_len_ext(int idx_tst)
4133 int testresult = 0, MFL_mode = 0;
4136 ctx = SSL_CTX_new(TLS_method());
4140 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4141 ctx, max_fragment_len_test[idx_tst])))
4148 rbio = BIO_new(BIO_s_mem());
4149 wbio = BIO_new(BIO_s_mem());
4150 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4156 SSL_set_bio(con, rbio, wbio);
4157 SSL_set_connect_state(con);
4159 if (!TEST_int_le(SSL_connect(con), 0)) {
4160 /* This shouldn't succeed because we don't have a server! */
4164 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4165 /* no MFL in client hello */
4167 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4179 #ifndef OPENSSL_NO_TLS1_3
4180 static int test_pha_key_update(void)
4182 SSL_CTX *cctx = NULL, *sctx = NULL;
4183 SSL *clientssl = NULL, *serverssl = NULL;
4186 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4187 TLS1_VERSION, TLS_MAX_VERSION,
4188 &sctx, &cctx, cert, privkey)))
4191 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4192 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4193 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4194 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4198 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4202 SSL_force_post_handshake_auth(clientssl);
4204 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4208 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4209 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4212 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4215 /* Start handshake on the server */
4216 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4219 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4220 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4224 SSL_shutdown(clientssl);
4225 SSL_shutdown(serverssl);
4230 SSL_free(serverssl);
4231 SSL_free(clientssl);
4238 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4240 static SRP_VBASE *vbase = NULL;
4242 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4244 int ret = SSL3_AL_FATAL;
4246 SRP_user_pwd *user = NULL;
4248 username = SSL_get_srp_username(s);
4249 if (username == NULL) {
4250 *ad = SSL_AD_INTERNAL_ERROR;
4254 user = SRP_VBASE_get1_by_user(vbase, username);
4256 *ad = SSL_AD_INTERNAL_ERROR;
4260 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4262 *ad = SSL_AD_INTERNAL_ERROR;
4269 SRP_user_pwd_free(user);
4273 static int create_new_vfile(char *userid, char *password, const char *filename)
4276 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4279 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4282 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4285 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4286 &row[DB_srpverifier], NULL, NULL);
4287 if (!TEST_ptr(gNid))
4291 * The only way to create an empty TXT_DB is to provide a BIO with no data
4294 db = TXT_DB_read(dummy, DB_NUMBER);
4298 out = BIO_new_file(filename, "w");
4302 row[DB_srpid] = OPENSSL_strdup(userid);
4303 row[DB_srptype] = OPENSSL_strdup("V");
4304 row[DB_srpgN] = OPENSSL_strdup(gNid);
4306 if (!TEST_ptr(row[DB_srpid])
4307 || !TEST_ptr(row[DB_srptype])
4308 || !TEST_ptr(row[DB_srpgN])
4309 || !TEST_true(TXT_DB_insert(db, row)))
4314 if (!TXT_DB_write(out, db))
4320 for (i = 0; i < DB_NUMBER; i++)
4321 OPENSSL_free(row[i]);
4331 static int create_new_vbase(char *userid, char *password)
4333 BIGNUM *verifier = NULL, *salt = NULL;
4334 const SRP_gN *lgN = NULL;
4335 SRP_user_pwd *user_pwd = NULL;
4338 lgN = SRP_get_default_gN(NULL);
4342 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4346 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4347 if (!TEST_ptr(user_pwd))
4350 user_pwd->N = lgN->N;
4351 user_pwd->g = lgN->g;
4352 user_pwd->id = OPENSSL_strdup(userid);
4353 if (!TEST_ptr(user_pwd->id))
4356 user_pwd->v = verifier;
4358 verifier = salt = NULL;
4360 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4366 SRP_user_pwd_free(user_pwd);
4376 * Test 0: Simple successful SRP connection, new vbase
4377 * Test 1: Connection failure due to bad password, new vbase
4378 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4379 * Test 3: Connection failure due to bad password, vbase loaded from existing
4381 * Test 4: Simple successful SRP connection, vbase loaded from new file
4382 * Test 5: Connection failure due to bad password, vbase loaded from new file
4384 static int test_srp(int tst)
4386 char *userid = "test", *password = "password", *tstsrpfile;
4387 SSL_CTX *cctx = NULL, *sctx = NULL;
4388 SSL *clientssl = NULL, *serverssl = NULL;
4389 int ret, testresult = 0;
4391 vbase = SRP_VBASE_new(NULL);
4392 if (!TEST_ptr(vbase))
4395 if (tst == 0 || tst == 1) {
4396 if (!TEST_true(create_new_vbase(userid, password)))
4399 if (tst == 4 || tst == 5) {
4400 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4402 tstsrpfile = tmpfilename;
4404 tstsrpfile = srpvfile;
4406 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4410 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4411 TLS1_VERSION, TLS_MAX_VERSION,
4412 &sctx, &cctx, cert, privkey)))
4415 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4416 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4417 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4418 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4419 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4423 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4426 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4430 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4434 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4436 if (!TEST_true(tst % 2 == 0))
4439 if (!TEST_true(tst % 2 == 1))
4446 SRP_VBASE_free(vbase);
4448 SSL_free(serverssl);
4449 SSL_free(clientssl);
4457 static int info_cb_failed = 0;
4458 static int info_cb_offset = 0;
4459 static int info_cb_this_state = -1;
4461 static struct info_cb_states_st {
4463 const char *statestr;
4464 } info_cb_states[][60] = {
4466 /* TLSv1.2 server followed by resumption */
4467 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4468 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4469 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4470 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4471 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4472 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4473 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4474 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4475 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4476 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4477 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4478 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4479 {SSL_CB_EXIT, NULL}, {0, NULL},
4481 /* TLSv1.2 client followed by resumption */
4482 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4483 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4484 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4485 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4486 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4487 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4488 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4489 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4490 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4491 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4492 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4493 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4495 /* TLSv1.3 server followed by resumption */
4496 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4497 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4498 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4499 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4500 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4501 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4502 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4503 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4504 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4505 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4506 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4507 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4508 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4509 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4510 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4511 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4512 {SSL_CB_EXIT, NULL}, {0, NULL},
4514 /* TLSv1.3 client followed by resumption */
4515 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4516 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4517 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4518 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4519 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4520 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4521 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4522 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4523 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4524 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4525 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4526 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4527 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4528 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4529 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4530 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4531 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4532 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4533 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4535 /* TLSv1.3 server, early_data */
4536 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4537 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4538 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4539 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4540 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4541 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4542 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4543 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4544 {SSL_CB_EXIT, NULL}, {0, NULL},
4546 /* TLSv1.3 client, early_data */
4547 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4548 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4549 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4550 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4551 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4552 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4553 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4554 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4555 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4556 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4562 static void sslapi_info_callback(const SSL *s, int where, int ret)
4564 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4566 /* We do not ever expect a connection to fail in this test */
4567 if (!TEST_false(ret == 0)) {
4573 * Do some sanity checks. We never expect these things to happen in this
4576 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4577 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4578 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4583 /* Now check we're in the right state */
4584 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4588 if ((where & SSL_CB_LOOP) != 0
4589 && !TEST_int_eq(strcmp(SSL_state_string(s),
4590 state[info_cb_this_state].statestr), 0)) {
4595 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4596 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4603 * Test the info callback gets called when we expect it to.
4605 * Test 0: TLSv1.2, server
4606 * Test 1: TLSv1.2, client
4607 * Test 2: TLSv1.3, server
4608 * Test 3: TLSv1.3, client
4609 * Test 4: TLSv1.3, server, early_data
4610 * Test 5: TLSv1.3, client, early_data
4612 static int test_info_callback(int tst)
4614 SSL_CTX *cctx = NULL, *sctx = NULL;
4615 SSL *clientssl = NULL, *serverssl = NULL;
4616 SSL_SESSION *clntsess = NULL;
4621 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
4622 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
4623 || !defined(OPENSSL_NO_DH))
4624 tlsvers = TLS1_2_VERSION;
4629 #ifndef OPENSSL_NO_TLS1_3
4630 tlsvers = TLS1_3_VERSION;
4638 info_cb_this_state = -1;
4639 info_cb_offset = tst;
4641 #ifndef OPENSSL_NO_TLS1_3
4643 SSL_SESSION *sess = NULL;
4644 size_t written, readbytes;
4645 unsigned char buf[80];
4647 /* early_data tests */
4648 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4649 &serverssl, &sess, 0)))
4652 /* We don't actually need this reference */
4653 SSL_SESSION_free(sess);
4655 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4656 sslapi_info_callback);
4658 /* Write and read some early data and then complete the connection */
4659 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4661 || !TEST_size_t_eq(written, strlen(MSG1))
4662 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4663 sizeof(buf), &readbytes),
4664 SSL_READ_EARLY_DATA_SUCCESS)
4665 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4666 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4667 SSL_EARLY_DATA_ACCEPTED)
4668 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4670 || !TEST_false(info_cb_failed))
4678 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4679 TLS_client_method(),
4680 tlsvers, tlsvers, &sctx, &cctx, cert,
4685 * For even numbered tests we check the server callbacks. For odd numbers we
4688 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4689 sslapi_info_callback);
4691 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4692 &clientssl, NULL, NULL))
4693 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4695 || !TEST_false(info_cb_failed))
4700 clntsess = SSL_get1_session(clientssl);
4701 SSL_shutdown(clientssl);
4702 SSL_shutdown(serverssl);
4703 SSL_free(serverssl);
4704 SSL_free(clientssl);
4705 serverssl = clientssl = NULL;
4707 /* Now do a resumption */
4708 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4710 || !TEST_true(SSL_set_session(clientssl, clntsess))
4711 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4713 || !TEST_true(SSL_session_reused(clientssl))
4714 || !TEST_false(info_cb_failed))
4720 SSL_free(serverssl);
4721 SSL_free(clientssl);
4722 SSL_SESSION_free(clntsess);
4728 static int test_ssl_pending(int tst)
4730 SSL_CTX *cctx = NULL, *sctx = NULL;
4731 SSL *clientssl = NULL, *serverssl = NULL;
4733 char msg[] = "A test message";
4735 size_t written, readbytes;
4738 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4739 TLS_client_method(),
4740 TLS1_VERSION, TLS_MAX_VERSION,
4741 &sctx, &cctx, cert, privkey)))
4744 #ifndef OPENSSL_NO_DTLS
4745 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4746 DTLS_client_method(),
4747 DTLS1_VERSION, DTLS_MAX_VERSION,
4748 &sctx, &cctx, cert, privkey)))
4755 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4757 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4761 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4762 || !TEST_false(SSL_has_pending(clientssl))
4763 || !TEST_int_eq(SSL_pending(serverssl), 0)
4764 || !TEST_false(SSL_has_pending(serverssl))
4765 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4766 || !TEST_size_t_eq(written, sizeof(msg))
4767 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4768 || !TEST_size_t_eq(readbytes, sizeof(buf))
4769 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4770 || !TEST_true(SSL_has_pending(clientssl)))
4776 SSL_free(serverssl);
4777 SSL_free(clientssl);
4785 unsigned int maxprot;
4786 const char *clntciphers;
4787 const char *clnttls13ciphers;
4788 const char *srvrciphers;
4789 const char *srvrtls13ciphers;
4791 } shared_ciphers_data[] = {
4793 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4794 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4796 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
4799 "AES128-SHA:AES256-SHA",
4801 "AES256-SHA:DHE-RSA-AES128-SHA",
4807 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4809 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4811 "AES128-SHA:AES256-SHA"
4815 "AES128-SHA:AES256-SHA",
4817 "AES128-SHA:DHE-RSA-AES128-SHA",
4823 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4826 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4827 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4830 "AES128-SHA:AES256-SHA",
4832 "AES256-SHA:AES128-SHA256",
4834 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4835 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4838 #ifndef OPENSSL_NO_TLS1_3
4842 "TLS_AES_256_GCM_SHA384",
4844 "TLS_AES_256_GCM_SHA384",
4845 "TLS_AES_256_GCM_SHA384"
4850 static int test_ssl_get_shared_ciphers(int tst)
4852 SSL_CTX *cctx = NULL, *sctx = NULL;
4853 SSL *clientssl = NULL, *serverssl = NULL;
4857 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4858 TLS_client_method(),
4860 shared_ciphers_data[tst].maxprot,
4861 &sctx, &cctx, cert, privkey)))
4864 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4865 shared_ciphers_data[tst].clntciphers))
4866 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
4867 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4868 shared_ciphers_data[tst].clnttls13ciphers)))
4869 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
4870 shared_ciphers_data[tst].srvrciphers))
4871 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
4872 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4873 shared_ciphers_data[tst].srvrtls13ciphers))))
4877 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4879 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4883 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
4884 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
4885 TEST_info("Shared ciphers are: %s\n", buf);
4892 SSL_free(serverssl);
4893 SSL_free(clientssl);
4900 static const char *appdata = "Hello World";
4901 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
4902 static int tick_key_renew = 0;
4903 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4905 static int gen_tick_cb(SSL *s, void *arg)
4907 gen_tick_called = 1;
4909 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
4913 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
4914 const unsigned char *keyname,
4915 size_t keyname_length,
4916 SSL_TICKET_STATUS status,
4922 dec_tick_called = 1;
4924 if (status == SSL_TICKET_EMPTY)
4925 return SSL_TICKET_RETURN_IGNORE_RENEW;
4927 if (!TEST_true(status == SSL_TICKET_SUCCESS
4928 || status == SSL_TICKET_SUCCESS_RENEW))
4929 return SSL_TICKET_RETURN_ABORT;
4931 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
4933 || !TEST_size_t_eq(tickdlen, strlen(appdata))
4934 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
4935 return SSL_TICKET_RETURN_ABORT;
4937 if (tick_key_cb_called) {
4938 /* Don't change what the ticket key callback wanted to do */
4940 case SSL_TICKET_NO_DECRYPT:
4941 return SSL_TICKET_RETURN_IGNORE_RENEW;
4943 case SSL_TICKET_SUCCESS:
4944 return SSL_TICKET_RETURN_USE;
4946 case SSL_TICKET_SUCCESS_RENEW:
4947 return SSL_TICKET_RETURN_USE_RENEW;
4950 return SSL_TICKET_RETURN_ABORT;
4953 return tick_dec_ret;
4957 static int tick_key_cb(SSL *s, unsigned char key_name[16],
4958 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
4959 HMAC_CTX *hctx, int enc)
4961 const unsigned char tick_aes_key[16] = "0123456789abcdef";
4962 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
4964 tick_key_cb_called = 1;
4965 memset(iv, 0, AES_BLOCK_SIZE);
4966 memset(key_name, 0, 16);
4967 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
4968 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
4969 EVP_sha256(), NULL))
4972 return tick_key_renew ? 2 : 1;
4976 * Test the various ticket callbacks
4977 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
4978 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
4979 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
4980 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
4981 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
4982 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
4983 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
4984 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
4985 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
4986 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
4987 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
4988 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
4990 static int test_ticket_callbacks(int tst)
4992 SSL_CTX *cctx = NULL, *sctx = NULL;
4993 SSL *clientssl = NULL, *serverssl = NULL;
4994 SSL_SESSION *clntsess = NULL;
4997 #ifdef OPENSSL_NO_TLS1_2
5001 #ifdef OPENSSL_NO_TLS1_3
5006 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5008 /* Which tests the ticket key callback should request renewal for */
5009 if (tst == 10 || tst == 11)
5014 /* Which tests the decrypt ticket callback should request renewal for */
5018 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5023 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5028 tick_dec_ret = SSL_TICKET_RETURN_USE;
5033 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5037 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5040 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5041 TLS_client_method(),
5043 ((tst % 2) == 0) ? TLS1_2_VERSION
5045 &sctx, &cctx, cert, privkey)))
5049 * We only want sessions to resume from tickets - not the session cache. So
5050 * switch the cache off.
5052 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5055 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5060 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5065 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5070 * The decrypt ticket key callback in TLSv1.2 should be called even though
5071 * we have no ticket yet, because it gets called with a status of
5072 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5073 * actually send any ticket data). This does not happen in TLSv1.3 because
5074 * it is not valid to send empty ticket data in TLSv1.3.
5076 if (!TEST_int_eq(gen_tick_called, 1)
5077 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5080 gen_tick_called = dec_tick_called = 0;
5082 clntsess = SSL_get1_session(clientssl);
5083 SSL_shutdown(clientssl);
5084 SSL_shutdown(serverssl);
5085 SSL_free(serverssl);
5086 SSL_free(clientssl);
5087 serverssl = clientssl = NULL;
5089 /* Now do a resumption */
5090 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5092 || !TEST_true(SSL_set_session(clientssl, clntsess))
5093 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5097 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5098 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5099 if (!TEST_false(SSL_session_reused(clientssl)))
5102 if (!TEST_true(SSL_session_reused(clientssl)))
5106 if (!TEST_int_eq(gen_tick_called,
5108 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5109 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5111 || !TEST_int_eq(dec_tick_called, 1))
5117 SSL_SESSION_free(clntsess);
5118 SSL_free(serverssl);
5119 SSL_free(clientssl);
5127 * Test bi-directional shutdown.
5129 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5130 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5131 * Test 3: TLSv1.3, pending NewSessionTicket messages
5132 * Test 4: TLSv1.3, server continues to read/write after client shutdown, client
5134 * Test 5: TLSv1.3, server continues to read/write after client shutdown, client
5137 static int test_shutdown(int tst)
5139 SSL_CTX *cctx = NULL, *sctx = NULL;
5140 SSL *clientssl = NULL, *serverssl = NULL;
5142 char msg[] = "A test message";
5144 size_t written, readbytes;
5146 #ifdef OPENSSL_NO_TLS1_2
5150 #ifdef OPENSSL_NO_TLS1_3
5155 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5156 TLS_client_method(),
5158 (tst <= 1) ? TLS1_2_VERSION
5160 &sctx, &cctx, cert, privkey))
5161 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5166 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5169 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5174 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5179 * Reading on the server after the client has sent close_notify should
5180 * fail and provide SSL_ERROR_ZERO_RETURN
5182 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5183 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5184 SSL_ERROR_ZERO_RETURN)
5185 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5186 SSL_RECEIVED_SHUTDOWN)
5188 * Even though we're shutdown on receive we should still be
5191 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))
5192 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5195 /* Should still be able to read data from server */
5196 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5198 || !TEST_size_t_eq(readbytes, sizeof(msg))
5199 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5204 /* Writing on the client after sending close_notify shouldn't be possible */
5205 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5210 * For these tests the client has sent close_notify but it has not yet
5211 * been received by the server. The server has not sent close_notify
5214 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5216 * Writing on the server after sending close_notify shouldn't
5219 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5220 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5221 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5223 } else if (tst == 4) {
5225 * In this test the client has sent close_notify and it has been
5226 * received by the server which has responded with a close_notify. The
5227 * client needs to read the close_notify sent by the server.
5229 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
5235 * The client has sent close_notify and is expecting a close_notify
5236 * back, but instead there is application data first. The shutdown
5237 * should fail with a fatal error.
5239 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5240 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5247 SSL_free(serverssl);
5248 SSL_free(clientssl);
5255 int setup_tests(void)
5257 if (!TEST_ptr(cert = test_get_argument(0))
5258 || !TEST_ptr(privkey = test_get_argument(1))
5259 || !TEST_ptr(srpvfile = test_get_argument(2))
5260 || !TEST_ptr(tmpfilename = test_get_argument(3)))
5263 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
5264 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
5265 TEST_error("not supported in this build");
5268 int i, mcount, rcount, fcount;
5270 for (i = 0; i < 4; i++)
5271 test_export_key_mat(i);
5272 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
5273 test_printf_stdout("malloc %d realloc %d free %d\n",
5274 mcount, rcount, fcount);
5279 ADD_TEST(test_large_message_tls);
5280 ADD_TEST(test_large_message_tls_read_ahead);
5281 #ifndef OPENSSL_NO_DTLS
5282 ADD_TEST(test_large_message_dtls);
5284 #ifndef OPENSSL_NO_OCSP
5285 ADD_TEST(test_tlsext_status_type);
5287 ADD_TEST(test_session_with_only_int_cache);
5288 ADD_TEST(test_session_with_only_ext_cache);
5289 ADD_TEST(test_session_with_both_cache);
5290 #ifndef OPENSSL_NO_TLS1_3
5291 ADD_ALL_TESTS(test_stateful_tickets, 3);
5292 ADD_ALL_TESTS(test_stateless_tickets, 3);
5294 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
5295 ADD_TEST(test_ssl_bio_pop_next_bio);
5296 ADD_TEST(test_ssl_bio_pop_ssl_bio);
5297 ADD_TEST(test_ssl_bio_change_rbio);
5298 ADD_TEST(test_ssl_bio_change_wbio);
5299 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
5300 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
5301 ADD_TEST(test_keylog);
5303 #ifndef OPENSSL_NO_TLS1_3
5304 ADD_TEST(test_keylog_no_master_key);
5306 #ifndef OPENSSL_NO_TLS1_2
5307 ADD_TEST(test_client_hello_cb);
5309 #ifndef OPENSSL_NO_TLS1_3
5310 ADD_ALL_TESTS(test_early_data_read_write, 3);
5312 * We don't do replay tests for external PSK. Replay protection isn't used
5315 ADD_ALL_TESTS(test_early_data_replay, 2);
5316 ADD_ALL_TESTS(test_early_data_skip, 3);
5317 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
5318 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
5319 ADD_ALL_TESTS(test_early_data_not_sent, 3);
5320 ADD_ALL_TESTS(test_early_data_psk, 8);
5321 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5322 # ifndef OPENSSL_NO_TLS1_2
5323 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5326 #ifndef OPENSSL_NO_TLS1_3
5327 ADD_ALL_TESTS(test_set_ciphersuite, 10);
5328 ADD_TEST(test_ciphersuite_change);
5329 #ifdef OPENSSL_NO_PSK
5330 ADD_ALL_TESTS(test_tls13_psk, 1);
5332 ADD_ALL_TESTS(test_tls13_psk, 4);
5333 #endif /* OPENSSL_NO_PSK */
5334 ADD_ALL_TESTS(test_custom_exts, 5);
5335 ADD_TEST(test_stateless);
5336 ADD_TEST(test_pha_key_update);
5338 ADD_ALL_TESTS(test_custom_exts, 3);
5340 ADD_ALL_TESTS(test_serverinfo, 8);
5341 ADD_ALL_TESTS(test_export_key_mat, 4);
5342 #ifndef OPENSSL_NO_TLS1_3
5343 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5345 ADD_ALL_TESTS(test_ssl_clear, 2);
5346 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
5347 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5348 ADD_ALL_TESTS(test_srp, 6);
5350 ADD_ALL_TESTS(test_info_callback, 6);
5351 ADD_ALL_TESTS(test_ssl_pending, 2);
5352 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
5353 ADD_ALL_TESTS(test_ticket_callbacks, 12);
5354 ADD_ALL_TESTS(test_shutdown, 6);
5358 void cleanup_tests(void)
5360 bio_s_mempacket_test_free();