2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
18 #include "ssltestlib.h"
21 #include "../ssl/ssl_locl.h"
23 static char *cert = NULL;
24 static char *privkey = NULL;
26 #define LOG_BUFFER_SIZE 1024
27 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
28 static size_t server_log_buffer_index = 0;
29 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
30 static size_t client_log_buffer_index = 0;
31 static int error_writing_log = 0;
33 #ifndef OPENSSL_NO_OCSP
34 static const unsigned char orespder[] = "Dummy OCSP Response";
35 static int ocsp_server_called = 0;
36 static int ocsp_client_called = 0;
38 static int cdummyarg = 1;
39 static X509 *ocspcert = NULL;
42 #define NUM_EXTRA_CERTS 40
45 * This structure is used to validate that the correct number of log messages
46 * of various types are emitted when emitting secret logs.
48 struct sslapitest_log_counts {
49 unsigned int rsa_key_exchange_count;
50 unsigned int master_secret_count;
51 unsigned int client_handshake_secret_count;
52 unsigned int server_handshake_secret_count;
53 unsigned int client_application_secret_count;
54 unsigned int server_application_secret_count;
58 static unsigned char serverinfov1[] = {
59 0xff, 0xff, /* Dummy extension type */
60 0x00, 0x01, /* Extension length is 1 byte */
61 0xff /* Dummy extension data */
64 static unsigned char serverinfov2[] = {
66 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
67 0xff, 0xff, /* Dummy extension type */
68 0x00, 0x01, /* Extension length is 1 byte */
69 0xff /* Dummy extension data */
72 static void client_keylog_callback(const SSL *ssl, const char *line)
74 int line_length = strlen(line);
76 /* If the log doesn't fit, error out. */
77 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
78 TEST_info("Client log too full");
79 error_writing_log = 1;
83 strcat(client_log_buffer, line);
84 client_log_buffer_index += line_length;
85 client_log_buffer[client_log_buffer_index++] = '\n';
88 static void server_keylog_callback(const SSL *ssl, const char *line)
90 int line_length = strlen(line);
92 /* If the log doesn't fit, error out. */
93 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
94 TEST_info("Server og too full");
95 error_writing_log = 1;
99 strcat(server_log_buffer, line);
100 server_log_buffer_index += line_length;
101 server_log_buffer[server_log_buffer_index++] = '\n';
104 static int compare_hex_encoded_buffer(const char *hex_encoded,
112 if (!TEST_size_t_eq(raw_length * 2, hex_length))
115 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
116 sprintf(hexed, "%02x", raw[i]);
117 if (!TEST_int_eq(hexed[0], hex_encoded[j])
118 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
125 static int test_keylog_output(char *buffer, const SSL *ssl,
126 const SSL_SESSION *session,
127 struct sslapitest_log_counts *expected)
130 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
131 size_t client_random_size = SSL3_RANDOM_SIZE;
132 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
133 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
134 unsigned int rsa_key_exchange_count = 0;
135 unsigned int master_secret_count = 0;
136 unsigned int client_handshake_secret_count = 0;
137 unsigned int server_handshake_secret_count = 0;
138 unsigned int client_application_secret_count = 0;
139 unsigned int server_application_secret_count = 0;
141 for (token = strtok(buffer, " \n"); token != NULL;
142 token = strtok(NULL, " \n")) {
143 if (strcmp(token, "RSA") == 0) {
145 * Premaster secret. Tokens should be: 16 ASCII bytes of
146 * hex-encoded encrypted secret, then the hex-encoded pre-master
149 if (!TEST_ptr(token = strtok(NULL, " \n")))
151 if (!TEST_size_t_eq(strlen(token), 16))
153 if (!TEST_ptr(token = strtok(NULL, " \n")))
156 * We can't sensibly check the log because the premaster secret is
157 * transient, and OpenSSL doesn't keep hold of it once the master
158 * secret is generated.
160 rsa_key_exchange_count++;
161 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
163 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
164 * client random, then the hex-encoded master secret.
166 client_random_size = SSL_get_client_random(ssl,
167 actual_client_random,
169 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
172 if (!TEST_ptr(token = strtok(NULL, " \n")))
174 if (!TEST_size_t_eq(strlen(token), 64))
176 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
177 actual_client_random,
178 client_random_size)))
181 if (!TEST_ptr(token = strtok(NULL, " \n")))
183 master_key_size = SSL_SESSION_get_master_key(session,
186 if (!TEST_size_t_ne(master_key_size, 0))
188 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
192 master_secret_count++;
193 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
194 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
196 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
198 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
199 * client random, and then the hex-encoded secret. In this case,
200 * we treat all of these secrets identically and then just
201 * distinguish between them when counting what we saw.
203 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
204 client_handshake_secret_count++;
205 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
206 server_handshake_secret_count++;
207 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
208 client_application_secret_count++;
209 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
210 server_application_secret_count++;
212 client_random_size = SSL_get_client_random(ssl,
213 actual_client_random,
215 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
220 if (!TEST_size_t_eq(strlen(token), 64))
222 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
223 actual_client_random,
224 client_random_size)))
227 if (!TEST_ptr(token = strtok(NULL, " \n")))
231 * TODO(TLS1.3): test that application traffic secrets are what
234 TEST_info("Unexpected token %s\n", token);
239 /* Got what we expected? */
240 if (!TEST_size_t_eq(rsa_key_exchange_count,
241 expected->rsa_key_exchange_count)
242 || !TEST_size_t_eq(master_secret_count,
243 expected->master_secret_count)
244 || !TEST_size_t_eq(client_handshake_secret_count,
245 expected->client_handshake_secret_count)
246 || !TEST_size_t_eq(server_handshake_secret_count,
247 expected->server_handshake_secret_count)
248 || !TEST_size_t_eq(client_application_secret_count,
249 expected->client_application_secret_count)
250 || !TEST_size_t_eq(server_application_secret_count,
251 expected->server_application_secret_count))
256 static int test_keylog(void)
258 SSL_CTX *cctx = NULL, *sctx = NULL;
259 SSL *clientssl = NULL, *serverssl = NULL;
261 struct sslapitest_log_counts expected = {0};
263 /* Clean up logging space */
264 memset(client_log_buffer, 0, sizeof(client_log_buffer));
265 memset(server_log_buffer, 0, sizeof(server_log_buffer));
266 client_log_buffer_index = 0;
267 server_log_buffer_index = 0;
268 error_writing_log = 0;
270 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
272 &sctx, &cctx, cert, privkey)))
275 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
276 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
277 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
279 /* We also want to ensure that we use RSA-based key exchange. */
280 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
283 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
284 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
286 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
287 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
288 == client_keylog_callback))
290 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
291 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
292 == server_keylog_callback))
295 /* Now do a handshake and check that the logs have been written to. */
296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
297 &clientssl, NULL, NULL))
298 || !TEST_true(create_ssl_connection(serverssl, clientssl,
300 || !TEST_false(error_writing_log)
301 || !TEST_int_gt(client_log_buffer_index, 0)
302 || !TEST_int_gt(server_log_buffer_index, 0))
306 * Now we want to test that our output data was vaguely sensible. We
307 * do that by using strtok and confirming that we have more or less the
308 * data we expect. For both client and server, we expect to see one master
309 * secret. The client should also see a RSA key exchange.
311 expected.rsa_key_exchange_count = 1;
312 expected.master_secret_count = 1;
313 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
314 SSL_get_session(clientssl), &expected)))
317 expected.rsa_key_exchange_count = 0;
318 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
319 SSL_get_session(serverssl), &expected)))
333 #ifndef OPENSSL_NO_TLS1_3
334 static int test_keylog_no_master_key(void)
336 SSL_CTX *cctx = NULL, *sctx = NULL;
337 SSL *clientssl = NULL, *serverssl = NULL;
339 struct sslapitest_log_counts expected = {0};
341 /* Clean up logging space */
342 memset(client_log_buffer, 0, sizeof(client_log_buffer));
343 memset(server_log_buffer, 0, sizeof(server_log_buffer));
344 client_log_buffer_index = 0;
345 server_log_buffer_index = 0;
346 error_writing_log = 0;
348 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
349 TLS_client_method(), &sctx,
350 &cctx, cert, privkey)))
353 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
354 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
357 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
358 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
359 == client_keylog_callback))
362 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
363 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
364 == server_keylog_callback))
367 /* Now do a handshake and check that the logs have been written to. */
368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
369 &clientssl, NULL, NULL))
370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
372 || !TEST_false(error_writing_log))
376 * Now we want to test that our output data was vaguely sensible. For this
377 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
378 * TLSv1.3, but we do expect both client and server to emit keys.
380 expected.client_handshake_secret_count = 1;
381 expected.server_handshake_secret_count = 1;
382 expected.client_application_secret_count = 1;
383 expected.server_application_secret_count = 1;
384 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
385 SSL_get_session(clientssl), &expected))
386 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
387 SSL_get_session(serverssl),
403 #ifndef OPENSSL_NO_TLS1_2
404 static int full_early_callback(SSL *s, int *al, void *arg)
407 const unsigned char *p;
409 /* We only configure two ciphers, but the SCSV is added automatically. */
411 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
413 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
416 const int expected_extensions[] = {
417 #ifndef OPENSSL_NO_EC
423 /* Make sure we can defer processing and get called back. */
427 len = SSL_early_get0_ciphers(s, &p);
428 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
429 || !TEST_size_t_eq(SSL_early_get0_compression_methods(s, &p), 1)
430 || !TEST_int_eq(*p, 0))
432 if (!SSL_early_get1_extensions_present(s, &exts, &len))
434 if (len != OSSL_NELEM(expected_extensions) ||
435 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
436 printf("Early callback expected ClientHello extensions mismatch\n");
444 static int test_early_cb(void)
446 SSL_CTX *cctx = NULL, *sctx = NULL;
447 SSL *clientssl = NULL, *serverssl = NULL;
448 int testctr = 0, testresult = 0;
450 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
451 TLS_client_method(), &sctx,
452 &cctx, cert, privkey)))
454 SSL_CTX_set_early_cb(sctx, full_early_callback, &testctr);
456 /* The gimpy cipher list we configure can't do TLS 1.3. */
457 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
459 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
460 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
461 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
462 &clientssl, NULL, NULL))
463 || !TEST_false(create_ssl_connection(serverssl, clientssl,
464 SSL_ERROR_WANT_EARLY))
466 * Passing a -1 literal is a hack since
467 * the real value was lost.
469 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_EARLY)
470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
486 static int execute_test_large_message(const SSL_METHOD *smeth,
487 const SSL_METHOD *cmeth, int read_ahead)
489 SSL_CTX *cctx = NULL, *sctx = NULL;
490 SSL *clientssl = NULL, *serverssl = NULL;
494 X509 *chaincert = NULL;
497 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
499 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
502 if (!TEST_ptr(chaincert))
505 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
506 &cctx, cert, privkey)))
511 * Test that read_ahead works correctly when dealing with large
514 SSL_CTX_set_read_ahead(cctx, 1);
518 * We assume the supplied certificate is big enough so that if we add
519 * NUM_EXTRA_CERTS it will make the overall message large enough. The
520 * default buffer size is requested to be 16k, but due to the way BUF_MEM
521 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
522 * test we need to have a message larger than that.
524 certlen = i2d_X509(chaincert, NULL);
525 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
526 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
527 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
528 if (!X509_up_ref(chaincert))
530 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
531 X509_free(chaincert);
536 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
543 * Calling SSL_clear() first is not required but this tests that SSL_clear()
544 * doesn't leak (when using enable-crypto-mdebug).
546 if (!TEST_true(SSL_clear(serverssl)))
551 X509_free(chaincert);
560 static int test_large_message_tls(void)
562 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
566 static int test_large_message_tls_read_ahead(void)
568 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
572 #ifndef OPENSSL_NO_DTLS
573 static int test_large_message_dtls(void)
576 * read_ahead is not relevant to DTLS because DTLS always acts as if
579 return execute_test_large_message(DTLS_server_method(),
580 DTLS_client_method(), 0);
584 #ifndef OPENSSL_NO_OCSP
585 static int ocsp_server_cb(SSL *s, void *arg)
587 int *argi = (int *)arg;
588 unsigned char *copy = NULL;
589 STACK_OF(OCSP_RESPID) *ids = NULL;
590 OCSP_RESPID *id = NULL;
593 /* In this test we are expecting exactly 1 OCSP_RESPID */
594 SSL_get_tlsext_status_ids(s, &ids);
595 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
596 return SSL_TLSEXT_ERR_ALERT_FATAL;
598 id = sk_OCSP_RESPID_value(ids, 0);
599 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
600 return SSL_TLSEXT_ERR_ALERT_FATAL;
601 } else if (*argi != 1) {
602 return SSL_TLSEXT_ERR_ALERT_FATAL;
605 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
606 return SSL_TLSEXT_ERR_ALERT_FATAL;
608 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
609 ocsp_server_called = 1;
610 return SSL_TLSEXT_ERR_OK;
613 static int ocsp_client_cb(SSL *s, void *arg)
615 int *argi = (int *)arg;
616 const unsigned char *respderin;
619 if (*argi != 1 && *argi != 2)
622 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
623 if (!TEST_mem_eq(orespder, len, respderin, len))
626 ocsp_client_called = 1;
630 static int test_tlsext_status_type(void)
632 SSL_CTX *cctx = NULL, *sctx = NULL;
633 SSL *clientssl = NULL, *serverssl = NULL;
635 STACK_OF(OCSP_RESPID) *ids = NULL;
636 OCSP_RESPID *id = NULL;
639 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
640 &cctx, cert, privkey))
643 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
646 /* First just do various checks getting and setting tlsext_status_type */
648 clientssl = SSL_new(cctx);
649 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
650 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
651 TLSEXT_STATUSTYPE_ocsp))
652 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
653 TLSEXT_STATUSTYPE_ocsp))
659 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
660 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
663 clientssl = SSL_new(cctx);
664 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
670 * Now actually do a handshake and check OCSP information is exchanged and
671 * the callbacks get called
673 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
674 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
675 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
676 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
678 &clientssl, NULL, NULL))
679 || !TEST_true(create_ssl_connection(serverssl, clientssl,
681 || !TEST_true(ocsp_client_called)
682 || !TEST_true(ocsp_server_called))
689 /* Try again but this time force the server side callback to fail */
690 ocsp_client_called = 0;
691 ocsp_server_called = 0;
693 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
694 &clientssl, NULL, NULL))
695 /* This should fail because the callback will fail */
696 || !TEST_false(create_ssl_connection(serverssl, clientssl,
698 || !TEST_false(ocsp_client_called)
699 || !TEST_false(ocsp_server_called))
707 * This time we'll get the client to send an OCSP_RESPID that it will
710 ocsp_client_called = 0;
711 ocsp_server_called = 0;
713 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
714 &clientssl, NULL, NULL)))
718 * We'll just use any old cert for this test - it doesn't have to be an OCSP
719 * specific one. We'll use the server cert.
721 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
722 || !TEST_ptr(id = OCSP_RESPID_new())
723 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
724 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
726 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
727 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
730 SSL_set_tlsext_status_ids(clientssl, ids);
731 /* Control has been transferred */
737 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
739 || !TEST_true(ocsp_client_called)
740 || !TEST_true(ocsp_server_called))
750 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
751 OCSP_RESPID_free(id);
760 typedef struct ssl_session_test_fixture {
761 const char *test_case_name;
764 } SSL_SESSION_TEST_FIXTURE;
766 static int new_called = 0, remove_called = 0;
768 static SSL_SESSION_TEST_FIXTURE
769 ssl_session_set_up(const char *const test_case_name)
771 SSL_SESSION_TEST_FIXTURE fixture;
773 fixture.test_case_name = test_case_name;
774 fixture.use_ext_cache = 1;
775 fixture.use_int_cache = 1;
777 new_called = remove_called = 0;
782 static void ssl_session_tear_down(SSL_SESSION_TEST_FIXTURE fixture)
786 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
792 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
797 static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
799 SSL_CTX *sctx = NULL, *cctx = NULL;
800 SSL *serverssl1 = NULL, *clientssl1 = NULL;
801 SSL *serverssl2 = NULL, *clientssl2 = NULL;
802 #ifndef OPENSSL_NO_TLS1_1
803 SSL *serverssl3 = NULL, *clientssl3 = NULL;
805 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
808 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
809 TLS_client_method(), &sctx,
810 &cctx, cert, privkey)))
813 #ifndef OPENSSL_NO_TLS1_2
814 /* Only allow TLS1.2 so we can force a connection failure later */
815 SSL_CTX_set_min_proto_version(cctx, TLS1_2_VERSION);
818 /* Set up session cache */
819 if (fix.use_ext_cache) {
820 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
821 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
823 if (fix.use_int_cache) {
824 /* Also covers instance where both are set */
825 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
827 SSL_CTX_set_session_cache_mode(cctx,
828 SSL_SESS_CACHE_CLIENT
829 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
832 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
834 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
836 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
839 /* Should fail because it should already be in the cache */
840 if (fix.use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
842 if (fix.use_ext_cache && (new_called != 1 || remove_called != 0))
845 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
846 &clientssl2, NULL, NULL))
847 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
851 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
854 if (fix.use_ext_cache && (new_called != 2 || remove_called != 0))
858 * This should clear sess2 from the cache because it is a "bad" session.
859 * See SSL_set_session() documentation.
861 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
863 if (fix.use_ext_cache && (new_called != 2 || remove_called != 1))
865 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
868 if (fix.use_int_cache) {
869 /* Should succeeded because it should not already be in the cache */
870 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
871 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
875 * This is for the purposes of internal cache testing...ignore the
876 * counter for external cache
878 if (fix.use_ext_cache)
882 /* This shouldn't be in the cache so should fail */
883 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
886 if (fix.use_ext_cache && (new_called != 2 || remove_called != 2))
889 #if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2)
890 /* Force a connection failure */
891 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
892 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
893 &clientssl3, NULL, NULL))
894 || !TEST_true(SSL_set_session(clientssl3, sess1))
895 /* This should fail because of the mismatched protocol versions */
896 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
900 /* We should have automatically removed the session from the cache */
901 if (fix.use_ext_cache && (new_called != 2 || remove_called != 3))
904 /* Should succeed because it should not already be in the cache */
905 if (fix.use_int_cache && !SSL_CTX_add_session(cctx, sess2))
912 SSL_free(serverssl1);
913 SSL_free(clientssl1);
914 SSL_free(serverssl2);
915 SSL_free(clientssl2);
916 #ifndef OPENSSL_NO_TLS1_1
917 SSL_free(serverssl3);
918 SSL_free(clientssl3);
920 SSL_SESSION_free(sess1);
921 SSL_SESSION_free(sess2);
924 * Check if we need to remove any sessions up-refed for the external cache
927 SSL_SESSION_free(sess1);
929 SSL_SESSION_free(sess2);
936 static int test_session_with_only_int_cache(void)
938 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up);
939 fixture.use_ext_cache = 0;
940 EXECUTE_TEST(execute_test_session, ssl_session_tear_down);
943 static int test_session_with_only_ext_cache(void)
945 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up);
946 fixture.use_int_cache = 0;
947 EXECUTE_TEST(execute_test_session, ssl_session_tear_down);
950 static int test_session_with_both_cache(void)
952 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up);
953 EXECUTE_TEST(execute_test_session, ssl_session_tear_down);
960 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
962 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
977 static int test_ssl_set_bio(int idx)
982 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
984 int initrbio, initwbio, newrbio, newwbio;
994 if (!TEST_int_le(newwbio, 2))
997 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
998 || !TEST_ptr(ssl = SSL_new(ctx)))
1001 if (initrbio == USE_BIO_1
1002 || initwbio == USE_BIO_1
1003 || newrbio == USE_BIO_1
1004 || newwbio == USE_BIO_1) {
1005 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1009 if (initrbio == USE_BIO_2
1010 || initwbio == USE_BIO_2
1011 || newrbio == USE_BIO_2
1012 || newwbio == USE_BIO_2) {
1013 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1017 setupbio(&irbio, bio1, bio2, initrbio);
1018 setupbio(&iwbio, bio1, bio2, initwbio);
1021 * We want to maintain our own refs to these BIO, so do an up ref for each
1022 * BIO that will have ownership transferred in the SSL_set_bio() call
1026 if (iwbio != NULL && iwbio != irbio)
1029 SSL_set_bio(ssl, irbio, iwbio);
1031 setupbio(&nrbio, bio1, bio2, newrbio);
1032 setupbio(&nwbio, bio1, bio2, newwbio);
1035 * We will (maybe) transfer ownership again so do more up refs.
1036 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1041 && (nwbio != iwbio || nrbio != nwbio))
1045 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1048 SSL_set_bio(ssl, nrbio, nwbio);
1058 * This test is checking that the ref counting for SSL_set_bio is correct.
1059 * If we get here and we did too many frees then we will fail in the above
1060 * functions. If we haven't done enough then this will only be detected in
1061 * a crypto-mdebug build
1067 typedef struct ssl_bio_test_fixture {
1068 const char *test_case_name;
1070 enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } change_bio;
1071 } SSL_BIO_TEST_FIXTURE;
1073 static SSL_BIO_TEST_FIXTURE ssl_bio_set_up(const char *const test_case_name)
1075 SSL_BIO_TEST_FIXTURE fixture;
1077 fixture.test_case_name = test_case_name;
1078 fixture.pop_ssl = 0;
1079 fixture.change_bio = NO_BIO_CHANGE;
1083 static void ssl_bio_tear_down(SSL_BIO_TEST_FIXTURE fixture)
1087 static int execute_test_ssl_bio(SSL_BIO_TEST_FIXTURE fix)
1089 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1094 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1095 || !TEST_ptr(ssl = SSL_new(ctx))
1096 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1097 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1100 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1103 * If anything goes wrong here then we could leak memory, so this will
1104 * be caught in a crypto-mdebug build
1106 BIO_push(sslbio, membio1);
1108 /* Verify changing the rbio/wbio directly does not cause leaks */
1109 if (fix.change_bio != NO_BIO_CHANGE) {
1110 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1112 if (fix.change_bio == CHANGE_RBIO)
1113 SSL_set0_rbio(ssl, membio2);
1115 SSL_set0_wbio(ssl, membio2);
1134 static int test_ssl_bio_pop_next_bio(void)
1136 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up);
1137 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down);
1140 static int test_ssl_bio_pop_ssl_bio(void)
1142 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up);
1143 fixture.pop_ssl = 1;
1144 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down);
1147 static int test_ssl_bio_change_rbio(void)
1149 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up);
1150 fixture.change_bio = CHANGE_RBIO;
1151 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down);
1154 static int test_ssl_bio_change_wbio(void)
1156 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up);
1157 fixture.change_bio = CHANGE_WBIO;
1158 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down);
1162 /* The list of sig algs */
1164 /* The length of the list */
1166 /* A sigalgs list in string format */
1167 const char *liststr;
1168 /* Whether setting the list should succeed */
1170 /* Whether creating a connection with the list should succeed */
1174 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1175 #ifndef OPENSSL_NO_EC
1176 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1177 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1179 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1180 static const int invalidlist2[] = {NID_sha256, NID_undef};
1181 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1182 static const int invalidlist4[] = {NID_sha256};
1183 static const sigalgs_list testsigalgs[] = {
1184 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1185 #ifndef OPENSSL_NO_EC
1186 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1187 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1189 {NULL, 0, "RSA+SHA256", 1, 1},
1190 #ifndef OPENSSL_NO_EC
1191 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1192 {NULL, 0, "ECDSA+SHA512", 1, 0},
1194 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1195 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1196 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1197 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1198 {NULL, 0, "RSA", 0, 0},
1199 {NULL, 0, "SHA256", 0, 0},
1200 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1201 {NULL, 0, "Invalid", 0, 0}
1204 static int test_set_sigalgs(int idx)
1206 SSL_CTX *cctx = NULL, *sctx = NULL;
1207 SSL *clientssl = NULL, *serverssl = NULL;
1209 const sigalgs_list *curr;
1212 /* Should never happen */
1213 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1216 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1217 curr = testctx ? &testsigalgs[idx]
1218 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1220 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1221 TLS_client_method(), &sctx,
1222 &cctx, cert, privkey)))
1226 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1227 * for TLSv1.2 for now until we add a new API.
1229 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1234 if (curr->list != NULL)
1235 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1237 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1241 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1247 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1252 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1253 &clientssl, NULL, NULL)))
1259 if (curr->list != NULL)
1260 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1262 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1265 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1274 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1282 SSL_free(serverssl);
1283 SSL_free(clientssl);
1290 #ifndef OPENSSL_NO_TLS1_3
1292 #define MSG1 "Hello"
1293 #define MSG2 "World."
1298 #define MSG7 "message."
1301 * Helper method to setup objects for early data test. Caller frees objects on
1304 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1305 SSL **serverssl, SSL_SESSION **sess, int idx)
1307 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1308 TLS_client_method(), sctx,
1309 cctx, cert, privkey)))
1312 /* When idx == 1 we repeat the tests with read_ahead set */
1314 SSL_CTX_set_read_ahead(*cctx, 1);
1315 SSL_CTX_set_read_ahead(*sctx, 1);
1318 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1320 || !TEST_true(create_ssl_connection(*serverssl, *clientssl,
1324 *sess = SSL_get1_session(*clientssl);
1325 SSL_shutdown(*clientssl);
1326 SSL_shutdown(*serverssl);
1327 SSL_free(*serverssl);
1328 SSL_free(*clientssl);
1329 *serverssl = *clientssl = NULL;
1331 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1332 clientssl, NULL, NULL))
1333 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1339 static int test_early_data_read_write(int idx)
1341 SSL_CTX *cctx = NULL, *sctx = NULL;
1342 SSL *clientssl = NULL, *serverssl = NULL;
1344 SSL_SESSION *sess = NULL;
1345 unsigned char buf[20], data[1024];
1346 size_t readbytes, written, eoedlen, rawread, rawwritten;
1349 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1350 &serverssl, &sess, idx)))
1353 /* Write and read some early data */
1354 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1356 || !TEST_size_t_eq(written, strlen(MSG1))
1357 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1358 sizeof(buf), &readbytes),
1359 SSL_READ_EARLY_DATA_SUCCESS)
1360 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1361 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1362 SSL_EARLY_DATA_ACCEPTED))
1366 * Server should be able to write data, and client should be able to
1369 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1371 || !TEST_size_t_eq(written, strlen(MSG2))
1372 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1373 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1376 /* Even after reading normal data, client should be able write early data */
1377 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1379 || !TEST_size_t_eq(written, strlen(MSG3)))
1382 /* Server should still be able read early data after writing data */
1383 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1385 SSL_READ_EARLY_DATA_SUCCESS)
1386 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1389 /* Write more data from server and read it from client */
1390 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1392 || !TEST_size_t_eq(written, strlen(MSG4))
1393 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1394 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1398 * If client writes normal data it should mean writing early data is no
1401 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1402 || !TEST_size_t_eq(written, strlen(MSG5))
1403 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1404 SSL_EARLY_DATA_ACCEPTED))
1408 * At this point the client has written EndOfEarlyData, ClientFinished and
1409 * normal (fully protected) data. We are going to cause a delay between the
1410 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1411 * in the read BIO, and then just put back the EndOfEarlyData message.
1413 rbio = SSL_get_rbio(serverssl);
1414 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1415 || !TEST_size_t_lt(rawread, sizeof(data))
1416 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1419 /* Record length is in the 4th and 5th bytes of the record header */
1420 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1421 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1422 || !TEST_size_t_eq(rawwritten, eoedlen))
1425 /* Server should be told that there is no more early data */
1426 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1428 SSL_READ_EARLY_DATA_FINISH)
1429 || !TEST_size_t_eq(readbytes, 0))
1433 * Server has not finished init yet, so should still be able to write early
1436 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1438 || !TEST_size_t_eq(written, strlen(MSG6)))
1441 /* Push the ClientFinished and the normal data back into the server rbio */
1442 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1444 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1447 /* Server should be able to read normal data */
1448 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1449 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1452 /* Client and server should not be able to write/read early data now */
1453 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1457 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1459 SSL_READ_EARLY_DATA_ERROR))
1463 /* Client should be able to read the data sent by the server */
1464 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1465 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1469 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1470 * We attempt a read which we do not expect to return any data.
1472 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1475 /* Server should be able to write normal data */
1476 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1477 || !TEST_size_t_eq(written, strlen(MSG7))
1478 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1479 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1482 SSL_SESSION_free(sess);
1483 sess = SSL_get1_session(clientssl);
1485 SSL_shutdown(clientssl);
1486 SSL_shutdown(serverssl);
1487 SSL_free(serverssl);
1488 SSL_free(clientssl);
1489 serverssl = clientssl = NULL;
1490 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1491 &clientssl, NULL, NULL))
1492 || !TEST_true(SSL_set_session(clientssl, sess)))
1495 /* Write and read some early data */
1496 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1498 || !TEST_size_t_eq(written, strlen(MSG1))
1499 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1501 SSL_READ_EARLY_DATA_SUCCESS)
1502 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1505 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1506 || !TEST_int_gt(SSL_accept(serverssl), 0))
1509 /* Client and server should not be able to write/read early data now */
1510 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1514 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1516 SSL_READ_EARLY_DATA_ERROR))
1520 /* Client and server should be able to write/read normal data */
1521 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1522 || !TEST_size_t_eq(written, strlen(MSG5))
1523 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1524 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1530 SSL_SESSION_free(sess);
1531 SSL_free(serverssl);
1532 SSL_free(clientssl);
1539 * Test that a server attempting to read early data can handle a connection
1540 * from a client where the early data is not acceptable.
1542 static int test_early_data_skip(int idx)
1544 SSL_CTX *cctx = NULL, *sctx = NULL;
1545 SSL *clientssl = NULL, *serverssl = NULL;
1547 SSL_SESSION *sess = NULL;
1548 unsigned char buf[20];
1549 size_t readbytes, written;
1551 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1552 &serverssl, &sess, idx)))
1556 * Deliberately corrupt the creation time. We take 20 seconds off the time.
1557 * It could be any value as long as it is not within tolerance. This should
1558 * mean the ticket is rejected.
1560 if (!TEST_true(SSL_SESSION_set_time(sess, time(NULL) - 20)))
1563 /* Write some early data */
1564 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1566 || !TEST_size_t_eq(written, strlen(MSG1)))
1569 /* Server should reject the early data and skip over it */
1570 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1572 SSL_READ_EARLY_DATA_FINISH)
1573 || !TEST_size_t_eq(readbytes, 0)
1574 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1575 SSL_EARLY_DATA_REJECTED))
1578 /* Should be able to send normal data despite rejection of early data */
1579 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1580 || !TEST_size_t_eq(written, strlen(MSG2))
1581 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1582 SSL_EARLY_DATA_REJECTED)
1583 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1584 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1590 SSL_SESSION_free(sess);
1591 SSL_free(serverssl);
1592 SSL_free(clientssl);
1599 * Test that a server attempting to read early data can handle a connection
1600 * from a client that doesn't send any.
1602 static int test_early_data_not_sent(int idx)
1604 SSL_CTX *cctx = NULL, *sctx = NULL;
1605 SSL *clientssl = NULL, *serverssl = NULL;
1607 SSL_SESSION *sess = NULL;
1608 unsigned char buf[20];
1609 size_t readbytes, written;
1611 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1612 &serverssl, &sess, idx)))
1615 /* Write some data - should block due to handshake with server */
1616 SSL_set_connect_state(clientssl);
1617 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1620 /* Server should detect that early data has not been sent */
1621 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1623 SSL_READ_EARLY_DATA_FINISH)
1624 || !TEST_size_t_eq(readbytes, 0)
1625 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1626 SSL_EARLY_DATA_NOT_SENT)
1627 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1628 SSL_EARLY_DATA_NOT_SENT))
1631 /* Continue writing the message we started earlier */
1632 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1633 || !TEST_size_t_eq(written, strlen(MSG1))
1634 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1635 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1636 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
1637 || !TEST_size_t_eq(written, strlen(MSG2)))
1641 * Should block due to the NewSessionTicket arrival unless we're using
1645 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1649 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1650 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1656 SSL_SESSION_free(sess);
1657 SSL_free(serverssl);
1658 SSL_free(clientssl);
1665 * Test that a server that doesn't try to read early data can handle a
1666 * client sending some.
1668 static int test_early_data_not_expected(int idx)
1670 SSL_CTX *cctx = NULL, *sctx = NULL;
1671 SSL *clientssl = NULL, *serverssl = NULL;
1673 SSL_SESSION *sess = NULL;
1674 unsigned char buf[20];
1675 size_t readbytes, written;
1678 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1679 &serverssl, &sess, idx)))
1682 /* Write some early data */
1683 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1688 * Server should skip over early data and then block waiting for client to
1689 * continue handshake
1691 if (!TEST_int_le(SSL_accept(serverssl), 0)
1692 || !TEST_int_gt(SSL_connect(clientssl), 0)
1693 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1694 SSL_EARLY_DATA_REJECTED)
1695 || !TEST_int_gt(SSL_accept(serverssl), 0)
1696 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1697 SSL_EARLY_DATA_REJECTED))
1700 /* Send some normal data from client to server */
1701 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1702 || !TEST_size_t_eq(written, strlen(MSG2)))
1705 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1706 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1712 SSL_SESSION_free(sess);
1713 SSL_free(serverssl);
1714 SSL_free(clientssl);
1721 # ifndef OPENSSL_NO_TLS1_2
1723 * Test that a server attempting to read early data can handle a connection
1724 * from a TLSv1.2 client.
1726 static int test_early_data_tls1_2(int idx)
1728 SSL_CTX *cctx = NULL, *sctx = NULL;
1729 SSL *clientssl = NULL, *serverssl = NULL;
1731 unsigned char buf[20];
1732 size_t readbytes, written;
1734 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1735 TLS_client_method(), &sctx,
1736 &cctx, cert, privkey)))
1739 /* When idx == 1 we repeat the tests with read_ahead set */
1741 SSL_CTX_set_read_ahead(cctx, 1);
1742 SSL_CTX_set_read_ahead(sctx, 1);
1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1746 &clientssl, NULL, NULL)))
1749 /* Write some data - should block due to handshake with server */
1750 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
1751 SSL_set_connect_state(clientssl);
1752 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1756 * Server should do TLSv1.2 handshake. First it will block waiting for more
1757 * messages from client after ServerDone. Then SSL_read_early_data should
1758 * finish and detect that early data has not been sent
1760 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1762 SSL_READ_EARLY_DATA_ERROR))
1766 * Continue writing the message we started earlier. Will still block waiting
1767 * for the CCS/Finished from server
1769 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1770 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1772 SSL_READ_EARLY_DATA_FINISH)
1773 || !TEST_size_t_eq(readbytes, 0)
1774 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1775 SSL_EARLY_DATA_NOT_SENT))
1778 /* Continue writing the message we started earlier */
1779 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1780 || !TEST_size_t_eq(written, strlen(MSG1))
1781 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1782 SSL_EARLY_DATA_NOT_SENT)
1783 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1784 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1785 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
1786 || !TEST_size_t_eq(written, strlen(MSG2))
1787 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
1788 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1794 SSL_free(serverssl);
1795 SSL_free(clientssl);
1801 # endif /* OPENSSL_NO_TLS1_2 */
1803 static int test_ciphersuite_change(void)
1805 SSL_CTX *cctx = NULL, *sctx = NULL;
1806 SSL *clientssl = NULL, *serverssl = NULL;
1807 SSL_SESSION *clntsess = NULL;
1809 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
1811 /* Create a session based on SHA-256 */
1812 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1813 TLS_client_method(), &sctx,
1814 &cctx, cert, privkey))
1815 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1816 "TLS13-AES-128-GCM-SHA256"))
1817 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1818 &clientssl, NULL, NULL))
1819 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1823 clntsess = SSL_get1_session(clientssl);
1824 /* Save for later */
1825 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
1826 SSL_shutdown(clientssl);
1827 SSL_shutdown(serverssl);
1828 SSL_free(serverssl);
1829 SSL_free(clientssl);
1830 serverssl = clientssl = NULL;
1832 /* Check we can resume a session with a different SHA-256 ciphersuite */
1833 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
1834 "TLS13-CHACHA20-POLY1305-SHA256"))
1835 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1837 || !TEST_true(SSL_set_session(clientssl, clntsess))
1838 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1840 || !TEST_true(SSL_session_reused(clientssl)))
1843 SSL_SESSION_free(clntsess);
1844 clntsess = SSL_get1_session(clientssl);
1845 SSL_shutdown(clientssl);
1846 SSL_shutdown(serverssl);
1847 SSL_free(serverssl);
1848 SSL_free(clientssl);
1849 serverssl = clientssl = NULL;
1852 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
1853 * succeeds but does not resume.
1855 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
1856 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1858 || !TEST_true(SSL_set_session(clientssl, clntsess))
1859 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1861 || !TEST_false(SSL_session_reused(clientssl)))
1864 SSL_SESSION_free(clntsess);
1866 SSL_shutdown(clientssl);
1867 SSL_shutdown(serverssl);
1868 SSL_free(serverssl);
1869 SSL_free(clientssl);
1870 serverssl = clientssl = NULL;
1872 /* Create a session based on SHA384 */
1873 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
1874 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1875 &clientssl, NULL, NULL))
1876 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1880 clntsess = SSL_get1_session(clientssl);
1881 SSL_shutdown(clientssl);
1882 SSL_shutdown(serverssl);
1883 SSL_free(serverssl);
1884 SSL_free(clientssl);
1885 serverssl = clientssl = NULL;
1887 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
1888 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
1889 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1890 "TLS13-AES-256-GCM-SHA384"))
1891 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1893 || !TEST_true(SSL_set_session(clientssl, clntsess))
1895 * We use SSL_ERROR_WANT_READ below so that we can pause the
1896 * connection after the initial ClientHello has been sent to
1897 * enable us to make some session changes.
1899 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1900 SSL_ERROR_WANT_READ)))
1903 /* Trick the client into thinking this session is for a different digest */
1904 clntsess->cipher = aes_128_gcm_sha256;
1905 clntsess->cipher_id = clntsess->cipher->id;
1908 * Continue the previously started connection. Server has selected a SHA-384
1909 * ciphersuite, but client thinks the session is for SHA-256, so it should
1912 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
1914 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
1915 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
1921 SSL_SESSION_free(clntsess);
1922 SSL_free(serverssl);
1923 SSL_free(clientssl);
1931 static SSL_SESSION *psk = NULL;
1932 static const char *pskid = "Identity";
1933 static const char *srvid;
1935 static int use_session_cb_cnt = 0;
1936 static int find_session_cb_cnt = 0;
1938 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1939 size_t *idlen, SSL_SESSION **sess)
1941 switch (++use_session_cb_cnt) {
1943 /* The first call should always have a NULL md */
1949 /* The second call should always have an md */
1955 /* We should only be called a maximum of twice */
1960 SSL_SESSION_up_ref(psk);
1963 *id = (const unsigned char *)pskid;
1964 *idlen = strlen(pskid);
1969 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1970 size_t identity_len, SSL_SESSION **sess)
1972 find_session_cb_cnt++;
1974 /* We should only ever be called a maximum of twice per connection */
1975 if (find_session_cb_cnt > 2)
1981 /* Identity should match that set by the client */
1982 if (strlen(srvid) != identity_len
1983 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1984 /* No PSK found, continue but without a PSK */
1989 SSL_SESSION_up_ref(psk);
1995 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1997 static int test_tls13_psk(void)
1999 SSL_CTX *sctx = NULL, *cctx = NULL;
2000 SSL *serverssl = NULL, *clientssl = NULL;
2001 const SSL_CIPHER *cipher = NULL;
2002 const unsigned char key[] = {
2003 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2004 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2005 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
2009 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2010 TLS_client_method(), &sctx,
2011 &cctx, cert, privkey)))
2014 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2015 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2018 /* Check we can create a connection if callback decides not to send a PSK */
2019 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2021 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2023 || !TEST_false(SSL_session_reused(clientssl))
2024 || !TEST_false(SSL_session_reused(serverssl))
2025 || !TEST_true(use_session_cb_cnt == 1)
2026 || !TEST_true(find_session_cb_cnt == 0))
2029 shutdown_ssl_connection(serverssl, clientssl);
2030 serverssl = clientssl = NULL;
2031 use_session_cb_cnt = 0;
2033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2037 /* Create the PSK */
2038 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
2039 psk = SSL_SESSION_new();
2041 || !TEST_ptr(cipher)
2042 || !TEST_true(SSL_SESSION_set1_master_key(psk, key, sizeof(key)))
2043 || !TEST_true(SSL_SESSION_set_cipher(psk, cipher))
2044 || !TEST_true(SSL_SESSION_set_protocol_version(psk,
2048 /* Check we can create a connection and the PSK is used */
2049 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2050 || !TEST_true(SSL_session_reused(clientssl))
2051 || !TEST_true(SSL_session_reused(serverssl))
2052 || !TEST_true(use_session_cb_cnt == 1)
2053 || !TEST_true(find_session_cb_cnt == 1))
2056 shutdown_ssl_connection(serverssl, clientssl);
2057 serverssl = clientssl = NULL;
2058 use_session_cb_cnt = find_session_cb_cnt = 0;
2060 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2065 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2069 * Check we can create a connection, the PSK is used and the callbacks are
2072 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2073 || !TEST_true(SSL_session_reused(clientssl))
2074 || !TEST_true(SSL_session_reused(serverssl))
2075 || !TEST_true(use_session_cb_cnt == 2)
2076 || !TEST_true(find_session_cb_cnt == 2))
2079 shutdown_ssl_connection(serverssl, clientssl);
2080 serverssl = clientssl = NULL;
2081 use_session_cb_cnt = find_session_cb_cnt = 0;
2084 * Check that if the server rejects the PSK we can still connect, but with
2087 srvid = "Dummy Identity";
2088 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2090 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2092 || !TEST_false(SSL_session_reused(clientssl))
2093 || !TEST_false(SSL_session_reused(serverssl))
2094 || !TEST_true(use_session_cb_cnt == 1)
2095 || !TEST_true(find_session_cb_cnt == 1))
2098 shutdown_ssl_connection(serverssl, clientssl);
2099 serverssl = clientssl = NULL;
2103 SSL_SESSION_free(psk);
2104 SSL_free(serverssl);
2105 SSL_free(clientssl);
2111 #endif /* OPENSSL_NO_TLS1_3 */
2113 static int clntaddoldcb = 0;
2114 static int clntparseoldcb = 0;
2115 static int srvaddoldcb = 0;
2116 static int srvparseoldcb = 0;
2117 static int clntaddnewcb = 0;
2118 static int clntparsenewcb = 0;
2119 static int srvaddnewcb = 0;
2120 static int srvparsenewcb = 0;
2121 static int snicb = 0;
2123 #define TEST_EXT_TYPE1 0xff00
2125 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2126 size_t *outlen, int *al, void *add_arg)
2128 int *server = (int *)add_arg;
2129 unsigned char *data;
2131 if (SSL_is_server(s))
2136 if (*server != SSL_is_server(s)
2137 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2142 *outlen = sizeof(char);
2146 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2149 OPENSSL_free((unsigned char *)out);
2152 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2153 size_t inlen, int *al, void *parse_arg)
2155 int *server = (int *)parse_arg;
2157 if (SSL_is_server(s))
2162 if (*server != SSL_is_server(s)
2163 || inlen != sizeof(char)
2170 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2171 const unsigned char **out, size_t *outlen, X509 *x,
2172 size_t chainidx, int *al, void *add_arg)
2174 int *server = (int *)add_arg;
2175 unsigned char *data;
2177 if (SSL_is_server(s))
2182 if (*server != SSL_is_server(s)
2183 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2188 *outlen = sizeof(*data);
2192 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2193 const unsigned char *out, void *add_arg)
2195 OPENSSL_free((unsigned char *)out);
2198 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2199 const unsigned char *in, size_t inlen, X509 *x,
2200 size_t chainidx, int *al, void *parse_arg)
2202 int *server = (int *)parse_arg;
2204 if (SSL_is_server(s))
2209 if (*server != SSL_is_server(s)
2210 || inlen != sizeof(char) || *in != 1)
2216 static int sni_cb(SSL *s, int *al, void *arg)
2218 SSL_CTX *ctx = (SSL_CTX *)arg;
2220 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2221 *al = SSL_AD_INTERNAL_ERROR;
2222 return SSL_TLSEXT_ERR_ALERT_FATAL;
2225 return SSL_TLSEXT_ERR_OK;
2229 * Custom call back tests.
2230 * Test 0: Old style callbacks in TLSv1.2
2231 * Test 1: New style callbacks in TLSv1.2
2232 * Test 2: New style callbacks in TLSv1.2 with SNI
2233 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2234 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2236 static int test_custom_exts(int tst)
2238 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2239 SSL *clientssl = NULL, *serverssl = NULL;
2241 static int server = 1;
2242 static int client = 0;
2243 SSL_SESSION *sess = NULL;
2244 unsigned int context;
2246 /* Reset callback counters */
2247 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2248 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2251 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2252 TLS_client_method(), &sctx,
2253 &cctx, cert, privkey)))
2257 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2258 NULL, cert, privkey)))
2263 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2264 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2266 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2270 context = SSL_EXT_CLIENT_HELLO
2271 | SSL_EXT_TLS1_2_SERVER_HELLO
2272 | SSL_EXT_TLS1_3_SERVER_HELLO
2273 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2274 | SSL_EXT_TLS1_3_CERTIFICATE
2275 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2277 context = SSL_EXT_CLIENT_HELLO
2278 | SSL_EXT_TLS1_2_SERVER_HELLO
2279 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2282 /* Create a client side custom extension */
2284 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2285 old_add_cb, old_free_cb,
2286 &client, old_parse_cb,
2290 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2291 new_add_cb, new_free_cb,
2292 &client, new_parse_cb, &client)))
2296 /* Should not be able to add duplicates */
2297 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2298 old_add_cb, old_free_cb,
2299 &client, old_parse_cb,
2301 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
2302 context, new_add_cb,
2303 new_free_cb, &client,
2304 new_parse_cb, &client)))
2307 /* Create a server side custom extension */
2309 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2310 old_add_cb, old_free_cb,
2311 &server, old_parse_cb,
2315 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
2316 new_add_cb, new_free_cb,
2317 &server, new_parse_cb, &server)))
2320 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
2321 context, new_add_cb,
2322 new_free_cb, &server,
2323 new_parse_cb, &server)))
2327 /* Should not be able to add duplicates */
2328 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2329 old_add_cb, old_free_cb,
2330 &server, old_parse_cb,
2332 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
2333 context, new_add_cb,
2334 new_free_cb, &server,
2335 new_parse_cb, &server)))
2340 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
2341 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
2345 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2346 &clientssl, NULL, NULL))
2347 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2352 if (clntaddoldcb != 1
2353 || clntparseoldcb != 1
2355 || srvparseoldcb != 1)
2357 } else if (tst == 1 || tst == 2 || tst == 3) {
2358 if (clntaddnewcb != 1
2359 || clntparsenewcb != 1
2361 || srvparsenewcb != 1
2362 || (tst != 2 && snicb != 0)
2363 || (tst == 2 && snicb != 1))
2366 if (clntaddnewcb != 1
2367 || clntparsenewcb != 4
2369 || srvparsenewcb != 1)
2373 sess = SSL_get1_session(clientssl);
2374 SSL_shutdown(clientssl);
2375 SSL_shutdown(serverssl);
2376 SSL_free(serverssl);
2377 SSL_free(clientssl);
2378 serverssl = clientssl = NULL;
2381 /* We don't bother with the resumption aspects for this test */
2386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2388 || !TEST_true(SSL_set_session(clientssl, sess))
2389 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2394 * For a resumed session we expect to add the ClientHello extension. For the
2395 * old style callbacks we ignore it on the server side because they set
2396 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
2400 if (clntaddoldcb != 2
2401 || clntparseoldcb != 1
2403 || srvparseoldcb != 1)
2405 } else if (tst == 1 || tst == 2 || tst == 3) {
2406 if (clntaddnewcb != 2
2407 || clntparsenewcb != 2
2409 || srvparsenewcb != 2)
2412 /* No Certificate message extensions in the resumption handshake */
2413 if (clntaddnewcb != 2
2414 || clntparsenewcb != 7
2416 || srvparsenewcb != 2)
2423 SSL_SESSION_free(sess);
2424 SSL_free(serverssl);
2425 SSL_free(clientssl);
2426 SSL_CTX_free(sctx2);
2433 * Test loading of serverinfo data in various formats. test_sslmessages actually
2434 * tests to make sure the extensions appear in the handshake
2436 static int test_serverinfo(int tst)
2438 unsigned int version;
2439 unsigned char *sibuf;
2441 int ret, expected, testresult = 0;
2444 ctx = SSL_CTX_new(TLS_method());
2448 if ((tst & 0x01) == 0x01)
2449 version = SSL_SERVERINFOV2;
2451 version = SSL_SERVERINFOV1;
2453 if ((tst & 0x02) == 0x02) {
2454 sibuf = serverinfov2;
2455 sibuflen = sizeof(serverinfov2);
2456 expected = (version == SSL_SERVERINFOV2);
2458 sibuf = serverinfov1;
2459 sibuflen = sizeof(serverinfov1);
2460 expected = (version == SSL_SERVERINFOV1);
2463 if ((tst & 0x04) == 0x04) {
2464 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
2466 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
2469 * The version variable is irrelevant in this case - it's what is in the
2470 * buffer that matters
2472 if ((tst & 0x02) == 0x02)
2478 if (!TEST_true(ret == expected))
2490 * Test that SSL_export_keying_material() produces expected results. There are
2491 * no test vectors so all we do is test that both sides of the communication
2492 * produce the same results for different protocol versions.
2494 static int test_export_key_mat(int tst)
2497 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2498 SSL *clientssl = NULL, *serverssl = NULL;
2499 const char label[] = "test label";
2500 const unsigned char context[] = "context";
2501 const unsigned char *emptycontext = NULL;
2502 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
2503 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
2504 const int protocols[] = {
2511 #ifdef OPENSSL_NO_TLS1
2515 #ifdef OPENSSL_NO_TLS1_1
2519 #ifdef OPENSSL_NO_TLS1_2
2523 #ifdef OPENSSL_NO_TLS1_3
2527 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2528 TLS_client_method(), &sctx,
2529 &cctx, cert, privkey)))
2532 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
2533 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
2534 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2536 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
2538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2542 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
2543 sizeof(ckeymat1), label,
2544 sizeof(label) - 1, context,
2545 sizeof(context) - 1, 1), 1)
2546 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
2547 sizeof(ckeymat2), label,
2551 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
2552 sizeof(ckeymat3), label,
2555 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
2556 sizeof(skeymat1), label,
2559 sizeof(context) -1, 1),
2561 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
2562 sizeof(skeymat2), label,
2566 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
2567 sizeof(skeymat3), label,
2571 * Check that both sides created the same key material with the
2574 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
2577 * Check that both sides created the same key material with an
2580 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
2583 * Check that both sides created the same key material without a
2586 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
2588 /* Different contexts should produce different results */
2589 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
2594 * Check that an empty context and no context produce different results in
2595 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
2597 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2599 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
2606 SSL_free(serverssl);
2607 SSL_free(clientssl);
2608 SSL_CTX_free(sctx2);
2615 int test_main(int argc, char *argv[])
2620 TEST_error("Wrong argument count");
2627 ADD_TEST(test_large_message_tls);
2628 ADD_TEST(test_large_message_tls_read_ahead);
2629 #ifndef OPENSSL_NO_DTLS
2630 ADD_TEST(test_large_message_dtls);
2632 #ifndef OPENSSL_NO_OCSP
2633 ADD_TEST(test_tlsext_status_type);
2635 ADD_TEST(test_session_with_only_int_cache);
2636 ADD_TEST(test_session_with_only_ext_cache);
2637 ADD_TEST(test_session_with_both_cache);
2638 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
2639 ADD_TEST(test_ssl_bio_pop_next_bio);
2640 ADD_TEST(test_ssl_bio_pop_ssl_bio);
2641 ADD_TEST(test_ssl_bio_change_rbio);
2642 ADD_TEST(test_ssl_bio_change_wbio);
2643 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
2644 ADD_TEST(test_keylog);
2645 #ifndef OPENSSL_NO_TLS1_3
2646 ADD_TEST(test_keylog_no_master_key);
2648 #ifndef OPENSSL_NO_TLS1_2
2649 ADD_TEST(test_early_cb);
2651 #ifndef OPENSSL_NO_TLS1_3
2652 ADD_ALL_TESTS(test_early_data_read_write, 2);
2653 ADD_ALL_TESTS(test_early_data_skip, 2);
2654 ADD_ALL_TESTS(test_early_data_not_sent, 2);
2655 ADD_ALL_TESTS(test_early_data_not_expected, 2);
2656 # ifndef OPENSSL_NO_TLS1_2
2657 ADD_ALL_TESTS(test_early_data_tls1_2, 2);
2660 #ifndef OPENSSL_NO_TLS1_3
2661 ADD_TEST(test_ciphersuite_change);
2662 ADD_TEST(test_tls13_psk);
2663 ADD_ALL_TESTS(test_custom_exts, 5);
2665 ADD_ALL_TESTS(test_custom_exts, 3);
2667 ADD_ALL_TESTS(test_serverinfo, 8);
2668 ADD_ALL_TESTS(test_export_key_mat, 4);
2670 testresult = run_tests(argv[0]);
2672 bio_s_mempacket_test_free();