2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "../ssl/ssl_locl.h"
27 static char *cert = NULL;
28 static char *privkey = NULL;
29 static char *srpvfile = NULL;
30 static char *tmpfilename = NULL;
32 #define LOG_BUFFER_SIZE 2048
33 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
34 static size_t server_log_buffer_index = 0;
35 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
36 static size_t client_log_buffer_index = 0;
37 static int error_writing_log = 0;
39 #ifndef OPENSSL_NO_OCSP
40 static const unsigned char orespder[] = "Dummy OCSP Response";
41 static int ocsp_server_called = 0;
42 static int ocsp_client_called = 0;
44 static int cdummyarg = 1;
45 static X509 *ocspcert = NULL;
48 #define NUM_EXTRA_CERTS 40
49 #define CLIENT_VERSION_LEN 2
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
55 struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
58 unsigned int client_early_secret_count;
59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
63 unsigned int early_exporter_secret_count;
64 unsigned int exporter_secret_count;
68 static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
74 static unsigned char serverinfov2[] = {
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
82 static void client_keylog_callback(const SSL *ssl, const char *line)
84 int line_length = strlen(line);
86 /* If the log doesn't fit, error out. */
87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
89 error_writing_log = 1;
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
95 client_log_buffer[client_log_buffer_index++] = '\n';
98 static void server_keylog_callback(const SSL *ssl, const char *line)
100 int line_length = strlen(line);
102 /* If the log doesn't fit, error out. */
103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
104 TEST_info("Server log too full");
105 error_writing_log = 1;
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
111 server_log_buffer[server_log_buffer_index++] = '\n';
114 static int compare_hex_encoded_buffer(const char *hex_encoded,
122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
126 sprintf(hexed, "%02x", raw[i]);
127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
135 static int test_keylog_output(char *buffer, const SSL *ssl,
136 const SSL_SESSION *session,
137 struct sslapitest_log_counts *expected)
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
146 unsigned int client_early_secret_count = 0;
147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
151 unsigned int early_exporter_secret_count = 0;
152 unsigned int exporter_secret_count = 0;
154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
156 if (strcmp(token, "RSA") == 0) {
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
159 * hex-encoded encrypted secret, then the hex-encoded pre-master
162 if (!TEST_ptr(token = strtok(NULL, " \n")))
164 if (!TEST_size_t_eq(strlen(token), 16))
166 if (!TEST_ptr(token = strtok(NULL, " \n")))
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
173 rsa_key_exchange_count++;
174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
177 * client random, then the hex-encoded master secret.
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
185 if (!TEST_ptr(token = strtok(NULL, " \n")))
187 if (!TEST_size_t_eq(strlen(token), 64))
189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
194 if (!TEST_ptr(token = strtok(NULL, " \n")))
196 master_key_size = SSL_SESSION_get_master_key(session,
199 if (!TEST_size_t_ne(master_key_size, 0))
201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
205 master_secret_count++;
206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
212 || strcmp(token, "EXPORTER_SECRET") == 0) {
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
240 if (!TEST_ptr(token = strtok(NULL, " \n")))
242 if (!TEST_size_t_eq(strlen(token), 64))
244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
249 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 * TODO(TLS1.3): test that application traffic secrets are what
256 TEST_info("Unexpected token %s\n", token);
261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
275 expected->server_application_secret_count)
276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
284 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
285 static int test_keylog(void)
287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
290 struct sslapitest_log_counts expected = {0};
292 /* Clean up logging space */
293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
301 TLS1_VERSION, TLS_MAX_VERSION,
302 &sctx, &cctx, cert, privkey)))
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
309 /* We also want to ensure that we use RSA-based key exchange. */
310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
336 * Now we want to test that our output data was vaguely sensible. We
337 * do that by using strtok and confirming that we have more or less the
338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
347 expected.rsa_key_exchange_count = 0;
348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
364 #ifndef OPENSSL_NO_TLS1_3
365 static int test_keylog_no_master_key(void)
367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
369 SSL_SESSION *sess = NULL;
371 struct sslapitest_log_counts expected = {0};
372 unsigned char buf[1];
373 size_t readbytes, written;
375 /* Clean up logging space */
376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
386 SSL3_RT_MAX_PLAIN_LENGTH)))
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
408 || !TEST_false(error_writing_log))
412 * Now we want to test that our output data was vaguely sensible. For this
413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
414 * TLSv1.3, but we do expect both client and server to emit keys.
416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
420 expected.exporter_secret_count = 1;
421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
434 serverssl = clientssl = NULL;
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
454 || !TEST_true(SSL_session_reused(clientssl)))
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
459 expected.early_exporter_secret_count = 1;
460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
470 SSL_SESSION_free(sess);
480 #ifndef OPENSSL_NO_TLS1_2
481 static int full_client_hello_callback(SSL *s, int *al, void *arg)
484 const unsigned char *p;
486 /* We only configure two ciphers, but the SCSV is added automatically. */
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
493 const int expected_extensions[] = {
494 #ifndef OPENSSL_NO_EC
500 /* Make sure we can defer processing and get called back. */
502 return SSL_CLIENT_HELLO_RETRY;
504 len = SSL_client_hello_get0_ciphers(s, &p);
505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
508 || !TEST_int_eq(*p, 0))
509 return SSL_CLIENT_HELLO_ERROR;
510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
511 return SSL_CLIENT_HELLO_ERROR;
512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
514 printf("ClientHello callback expected extensions mismatch\n");
516 return SSL_CLIENT_HELLO_ERROR;
519 return SSL_CLIENT_HELLO_SUCCESS;
522 static int test_client_hello_cb(void)
524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
565 static int execute_test_large_message(const SSL_METHOD *smeth,
566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
575 X509 *chaincert = NULL;
578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
583 if (!TEST_ptr(chaincert))
586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
592 * Test that read_ahead works correctly when dealing with large
595 SSL_CTX_set_read_ahead(cctx, 1);
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
605 certlen = i2d_X509(chaincert, NULL);
606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
609 if (!X509_up_ref(chaincert))
611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
612 X509_free(chaincert);
617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
627 if (!TEST_true(SSL_clear(serverssl)))
632 X509_free(chaincert);
641 static int test_large_message_tls(void)
643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
644 TLS1_VERSION, TLS_MAX_VERSION,
648 static int test_large_message_tls_read_ahead(void)
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
651 TLS1_VERSION, TLS_MAX_VERSION,
655 #ifndef OPENSSL_NO_DTLS
656 static int test_large_message_dtls(void)
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
662 return execute_test_large_message(DTLS_server_method(),
663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
669 #ifndef OPENSSL_NO_OCSP
670 static int ocsp_server_cb(SSL *s, void *arg)
672 int *argi = (int *)arg;
673 unsigned char *copy = NULL;
674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
691 return SSL_TLSEXT_ERR_ALERT_FATAL;
693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
694 ocsp_server_called = 1;
695 return SSL_TLSEXT_ERR_OK;
698 static int ocsp_client_cb(SSL *s, void *arg)
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
704 if (*argi != 1 && *argi != 2)
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
708 if (!TEST_mem_eq(orespder, len, respderin, len))
711 ocsp_client_called = 1;
715 static int test_tlsext_status_type(void)
717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
732 /* First just do various checks getting and setting tlsext_status_type */
734 clientssl = SSL_new(cctx);
735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
749 clientssl = SSL_new(cctx);
750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
793 * This time we'll get the client to send an OCSP_RESPID that it will
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
805 * specific one. We'll use the server cert.
807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
846 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
847 static int new_called, remove_called, get_called;
849 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
853 * sess has been up-refed for us, but we don't actually need it so free it
856 SSL_SESSION_free(sess);
860 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
865 static SSL_SESSION *get_sess_val = NULL;
867 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
875 static int execute_test_session(int maxprot, int use_int_cache,
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
881 # ifndef OPENSSL_NO_TLS1_1
882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
885 int testresult = 0, numnewsesstick = 1;
887 new_called = remove_called = 0;
889 /* TLSv1.3 sends 2 NewSessionTickets */
890 if (maxprot == TLS1_3_VERSION)
893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
894 TLS1_VERSION, TLS_MAX_VERSION,
895 &sctx, &cctx, cert, privkey)))
899 * Only allow the max protocol version so we can force a connection failure
902 SSL_CTX_set_min_proto_version(cctx, maxprot);
903 SSL_CTX_set_max_proto_version(cctx, maxprot);
905 /* Set up session cache */
907 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
908 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
911 /* Also covers instance where both are set */
912 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
914 SSL_CTX_set_session_cache_mode(cctx,
915 SSL_SESS_CACHE_CLIENT
916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
921 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
923 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
926 /* Should fail because it should already be in the cache */
927 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
930 && (!TEST_int_eq(new_called, numnewsesstick)
932 || !TEST_int_eq(remove_called, 0)))
935 new_called = remove_called = 0;
936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
937 &clientssl2, NULL, NULL))
938 || !TEST_true(SSL_set_session(clientssl2, sess1))
939 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
941 || !TEST_true(SSL_session_reused(clientssl2)))
944 if (maxprot == TLS1_3_VERSION) {
946 * In TLSv1.3 we should have created a new session even though we have
947 * resumed. Since we attempted a resume we should also have removed the
948 * old ticket from the cache so that we try to only use tickets once.
951 && (!TEST_int_eq(new_called, 1)
952 || !TEST_int_eq(remove_called, 1)))
956 * In TLSv1.2 we expect to have resumed so no sessions added or
960 && (!TEST_int_eq(new_called, 0)
961 || !TEST_int_eq(remove_called, 0)))
965 SSL_SESSION_free(sess1);
966 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
968 shutdown_ssl_connection(serverssl2, clientssl2);
969 serverssl2 = clientssl2 = NULL;
971 new_called = remove_called = 0;
972 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
973 &clientssl2, NULL, NULL))
974 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
978 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
982 && (!TEST_int_eq(new_called, numnewsesstick)
983 || !TEST_int_eq(remove_called, 0)))
986 new_called = remove_called = 0;
988 * This should clear sess2 from the cache because it is a "bad" session.
989 * See SSL_set_session() documentation.
991 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
994 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
996 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1000 /* Should succeeded because it should not already be in the cache */
1001 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1002 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1006 new_called = remove_called = 0;
1007 /* This shouldn't be in the cache so should fail */
1008 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1012 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1015 # if !defined(OPENSSL_NO_TLS1_1)
1016 new_called = remove_called = 0;
1017 /* Force a connection failure */
1018 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1019 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1020 &clientssl3, NULL, NULL))
1021 || !TEST_true(SSL_set_session(clientssl3, sess1))
1022 /* This should fail because of the mismatched protocol versions */
1023 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1027 /* We should have automatically removed the session from the cache */
1029 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1032 /* Should succeed because it should not already be in the cache */
1033 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1037 /* Now do some tests for server side caching */
1038 if (use_ext_cache) {
1039 SSL_CTX_sess_set_new_cb(cctx, NULL);
1040 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1041 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1042 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1043 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1044 get_sess_val = NULL;
1047 SSL_CTX_set_session_cache_mode(cctx, 0);
1048 /* Internal caching is the default on the server side */
1050 SSL_CTX_set_session_cache_mode(sctx,
1051 SSL_SESS_CACHE_SERVER
1052 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1054 SSL_free(serverssl1);
1055 SSL_free(clientssl1);
1056 serverssl1 = clientssl1 = NULL;
1057 SSL_free(serverssl2);
1058 SSL_free(clientssl2);
1059 serverssl2 = clientssl2 = NULL;
1060 SSL_SESSION_free(sess1);
1062 SSL_SESSION_free(sess2);
1065 SSL_CTX_set_max_proto_version(sctx, maxprot);
1066 if (maxprot == TLS1_2_VERSION)
1067 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1068 new_called = remove_called = get_called = 0;
1069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1071 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1073 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1074 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1077 if (use_int_cache) {
1078 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1080 * In TLSv1.3 it should not have been added to the internal cache,
1081 * except in the case where we also have an external cache (in that
1082 * case it gets added to the cache in order to generate remove
1083 * events after timeout).
1085 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1088 /* Should fail because it should already be in the cache */
1089 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1094 if (use_ext_cache) {
1095 SSL_SESSION *tmp = sess2;
1097 if (!TEST_int_eq(new_called, numnewsesstick)
1098 || !TEST_int_eq(remove_called, 0)
1099 || !TEST_int_eq(get_called, 0))
1102 * Delete the session from the internal cache to force a lookup from
1103 * the external cache. We take a copy first because
1104 * SSL_CTX_remove_session() also marks the session as non-resumable.
1106 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1107 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1108 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1110 SSL_SESSION_free(sess2);
1115 new_called = remove_called = get_called = 0;
1116 get_sess_val = sess2;
1117 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1118 &clientssl2, NULL, NULL))
1119 || !TEST_true(SSL_set_session(clientssl2, sess1))
1120 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1122 || !TEST_true(SSL_session_reused(clientssl2)))
1125 if (use_ext_cache) {
1126 if (!TEST_int_eq(remove_called, 0))
1129 if (maxprot == TLS1_3_VERSION) {
1130 if (!TEST_int_eq(new_called, 1)
1131 || !TEST_int_eq(get_called, 0))
1134 if (!TEST_int_eq(new_called, 0)
1135 || !TEST_int_eq(get_called, 1))
1143 SSL_free(serverssl1);
1144 SSL_free(clientssl1);
1145 SSL_free(serverssl2);
1146 SSL_free(clientssl2);
1147 # ifndef OPENSSL_NO_TLS1_1
1148 SSL_free(serverssl3);
1149 SSL_free(clientssl3);
1151 SSL_SESSION_free(sess1);
1152 SSL_SESSION_free(sess2);
1158 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1160 static int test_session_with_only_int_cache(void)
1162 #ifndef OPENSSL_NO_TLS1_3
1163 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1167 #ifndef OPENSSL_NO_TLS1_2
1168 return execute_test_session(TLS1_2_VERSION, 1, 0);
1174 static int test_session_with_only_ext_cache(void)
1176 #ifndef OPENSSL_NO_TLS1_3
1177 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1181 #ifndef OPENSSL_NO_TLS1_2
1182 return execute_test_session(TLS1_2_VERSION, 0, 1);
1188 static int test_session_with_both_cache(void)
1190 #ifndef OPENSSL_NO_TLS1_3
1191 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1195 #ifndef OPENSSL_NO_TLS1_2
1196 return execute_test_session(TLS1_2_VERSION, 1, 1);
1202 #ifndef OPENSSL_NO_TLS1_3
1203 static SSL_SESSION *sesscache[6];
1204 static int do_cache;
1206 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1209 sesscache[new_called] = sess;
1211 /* We don't need the reference to the session, so free it */
1212 SSL_SESSION_free(sess);
1219 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1221 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1222 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1225 /* Start handshake on the server and client */
1226 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1227 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1228 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1229 || !TEST_true(create_ssl_connection(sssl, cssl,
1236 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1239 int sess_id_ctx = 1;
1241 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1242 TLS1_VERSION, TLS_MAX_VERSION, sctx,
1243 cctx, cert, privkey))
1244 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1245 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1246 (void *)&sess_id_ctx,
1247 sizeof(sess_id_ctx))))
1251 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1253 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1254 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1255 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1260 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1262 SSL *serverssl = NULL, *clientssl = NULL;
1265 /* Test that we can resume with all the tickets we got given */
1266 for (i = 0; i < idx * 2; i++) {
1268 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1269 &clientssl, NULL, NULL))
1270 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1273 SSL_set_post_handshake_auth(clientssl, 1);
1275 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1280 * Following a successful resumption we only get 1 ticket. After a
1281 * failed one we should get idx tickets.
1284 if (!TEST_true(SSL_session_reused(clientssl))
1285 || !TEST_int_eq(new_called, 1))
1288 if (!TEST_false(SSL_session_reused(clientssl))
1289 || !TEST_int_eq(new_called, idx))
1294 /* After a post-handshake authentication we should get 1 new ticket */
1296 && (!post_handshake_verify(serverssl, clientssl)
1297 || !TEST_int_eq(new_called, 1)))
1300 SSL_shutdown(clientssl);
1301 SSL_shutdown(serverssl);
1302 SSL_free(serverssl);
1303 SSL_free(clientssl);
1304 serverssl = clientssl = NULL;
1305 SSL_SESSION_free(sesscache[i]);
1306 sesscache[i] = NULL;
1312 SSL_free(clientssl);
1313 SSL_free(serverssl);
1317 static int test_tickets(int stateful, int idx)
1319 SSL_CTX *sctx = NULL, *cctx = NULL;
1320 SSL *serverssl = NULL, *clientssl = NULL;
1324 /* idx is the test number, but also the number of tickets we want */
1329 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1332 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1333 &clientssl, NULL, NULL)))
1336 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1338 /* Check we got the number of tickets we were expecting */
1339 || !TEST_int_eq(idx, new_called))
1342 SSL_shutdown(clientssl);
1343 SSL_shutdown(serverssl);
1344 SSL_free(serverssl);
1345 SSL_free(clientssl);
1348 clientssl = serverssl = NULL;
1352 * Now we try to resume with the tickets we previously created. The
1353 * resumption attempt is expected to fail (because we're now using a new
1354 * SSL_CTX). We should see idx number of tickets issued again.
1357 /* Stop caching sessions - just count them */
1360 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1363 if (!check_resumption(idx, sctx, cctx, 0))
1366 /* Start again with caching sessions */
1373 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1376 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1377 &clientssl, NULL, NULL)))
1380 SSL_set_post_handshake_auth(clientssl, 1);
1382 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1384 /* Check we got the number of tickets we were expecting */
1385 || !TEST_int_eq(idx, new_called))
1388 /* After a post-handshake authentication we should get new tickets issued */
1389 if (!post_handshake_verify(serverssl, clientssl)
1390 || !TEST_int_eq(idx * 2, new_called))
1393 SSL_shutdown(clientssl);
1394 SSL_shutdown(serverssl);
1395 SSL_free(serverssl);
1396 SSL_free(clientssl);
1397 serverssl = clientssl = NULL;
1399 /* Stop caching sessions - just count them */
1403 * Check we can resume with all the tickets we created. This time around the
1404 * resumptions should all be successful.
1406 if (!check_resumption(idx, sctx, cctx, 1))
1412 SSL_free(serverssl);
1413 SSL_free(clientssl);
1414 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1415 SSL_SESSION_free(sesscache[j]);
1416 sesscache[j] = NULL;
1424 static int test_stateless_tickets(int idx)
1426 return test_tickets(0, idx);
1429 static int test_stateful_tickets(int idx)
1431 return test_tickets(1, idx);
1438 #define USE_DEFAULT 3
1440 #define CONNTYPE_CONNECTION_SUCCESS 0
1441 #define CONNTYPE_CONNECTION_FAIL 1
1442 #define CONNTYPE_NO_CONNECTION 2
1444 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1445 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1446 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1447 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1449 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1452 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1453 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1454 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1456 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1473 * Tests calls to SSL_set_bio() under various conditions.
1475 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1476 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1477 * then do more tests where we create a successful connection first using our
1478 * standard connection setup functions, and then call SSL_set_bio() with
1479 * various combinations of valid BIOs or NULL. We then repeat these tests
1480 * following a failed connection. In this last case we are looking to check that
1481 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1483 static int test_ssl_set_bio(int idx)
1485 SSL_CTX *sctx = NULL, *cctx = NULL;
1488 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1489 SSL *serverssl = NULL, *clientssl = NULL;
1490 int initrbio, initwbio, newrbio, newwbio, conntype;
1493 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1501 conntype = CONNTYPE_NO_CONNECTION;
1503 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1504 initrbio = initwbio = USE_DEFAULT;
1512 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1513 TLS1_VERSION, TLS_MAX_VERSION,
1514 &sctx, &cctx, cert, privkey)))
1517 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1519 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1520 * because we reduced the number of tests in the definition of
1521 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1522 * mismatched protocol versions we will force a connection failure.
1524 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1525 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1528 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1532 if (initrbio == USE_BIO_1
1533 || initwbio == USE_BIO_1
1534 || newrbio == USE_BIO_1
1535 || newwbio == USE_BIO_1) {
1536 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1540 if (initrbio == USE_BIO_2
1541 || initwbio == USE_BIO_2
1542 || newrbio == USE_BIO_2
1543 || newwbio == USE_BIO_2) {
1544 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1548 if (initrbio != USE_DEFAULT) {
1549 setupbio(&irbio, bio1, bio2, initrbio);
1550 setupbio(&iwbio, bio1, bio2, initwbio);
1551 SSL_set_bio(clientssl, irbio, iwbio);
1554 * We want to maintain our own refs to these BIO, so do an up ref for
1555 * each BIO that will have ownership transferred in the SSL_set_bio()
1560 if (iwbio != NULL && iwbio != irbio)
1564 if (conntype != CONNTYPE_NO_CONNECTION
1565 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1567 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1570 setupbio(&nrbio, bio1, bio2, newrbio);
1571 setupbio(&nwbio, bio1, bio2, newwbio);
1574 * We will (maybe) transfer ownership again so do more up refs.
1575 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1580 && (nwbio != iwbio || nrbio != nwbio))
1584 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1587 SSL_set_bio(clientssl, nrbio, nwbio);
1596 * This test is checking that the ref counting for SSL_set_bio is correct.
1597 * If we get here and we did too many frees then we will fail in the above
1598 * functions. If we haven't done enough then this will only be detected in
1599 * a crypto-mdebug build
1601 SSL_free(serverssl);
1602 SSL_free(clientssl);
1608 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1610 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1612 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1617 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1618 || !TEST_ptr(ssl = SSL_new(ctx))
1619 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1620 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1623 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1626 * If anything goes wrong here then we could leak memory, so this will
1627 * be caught in a crypto-mdebug build
1629 BIO_push(sslbio, membio1);
1631 /* Verify changing the rbio/wbio directly does not cause leaks */
1632 if (change_bio != NO_BIO_CHANGE) {
1633 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1635 if (change_bio == CHANGE_RBIO)
1636 SSL_set0_rbio(ssl, membio2);
1638 SSL_set0_wbio(ssl, membio2);
1657 static int test_ssl_bio_pop_next_bio(void)
1659 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1662 static int test_ssl_bio_pop_ssl_bio(void)
1664 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1667 static int test_ssl_bio_change_rbio(void)
1669 return execute_test_ssl_bio(0, CHANGE_RBIO);
1672 static int test_ssl_bio_change_wbio(void)
1674 return execute_test_ssl_bio(0, CHANGE_WBIO);
1677 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1679 /* The list of sig algs */
1681 /* The length of the list */
1683 /* A sigalgs list in string format */
1684 const char *liststr;
1685 /* Whether setting the list should succeed */
1687 /* Whether creating a connection with the list should succeed */
1691 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1692 # ifndef OPENSSL_NO_EC
1693 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1694 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1696 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1697 static const int invalidlist2[] = {NID_sha256, NID_undef};
1698 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1699 static const int invalidlist4[] = {NID_sha256};
1700 static const sigalgs_list testsigalgs[] = {
1701 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1702 # ifndef OPENSSL_NO_EC
1703 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1704 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1706 {NULL, 0, "RSA+SHA256", 1, 1},
1707 # ifndef OPENSSL_NO_EC
1708 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1709 {NULL, 0, "ECDSA+SHA512", 1, 0},
1711 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1712 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1713 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1714 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1715 {NULL, 0, "RSA", 0, 0},
1716 {NULL, 0, "SHA256", 0, 0},
1717 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1718 {NULL, 0, "Invalid", 0, 0}
1721 static int test_set_sigalgs(int idx)
1723 SSL_CTX *cctx = NULL, *sctx = NULL;
1724 SSL *clientssl = NULL, *serverssl = NULL;
1726 const sigalgs_list *curr;
1729 /* Should never happen */
1730 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1733 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1734 curr = testctx ? &testsigalgs[idx]
1735 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1737 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1738 TLS1_VERSION, TLS_MAX_VERSION,
1739 &sctx, &cctx, cert, privkey)))
1743 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1744 * for TLSv1.2 for now until we add a new API.
1746 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1751 if (curr->list != NULL)
1752 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1754 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1758 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1764 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1769 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1770 &clientssl, NULL, NULL)))
1776 if (curr->list != NULL)
1777 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1779 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1782 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1791 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1799 SSL_free(serverssl);
1800 SSL_free(clientssl);
1808 #ifndef OPENSSL_NO_TLS1_3
1810 static SSL_SESSION *clientpsk = NULL;
1811 static SSL_SESSION *serverpsk = NULL;
1812 static const char *pskid = "Identity";
1813 static const char *srvid;
1815 static int use_session_cb_cnt = 0;
1816 static int find_session_cb_cnt = 0;
1817 static int psk_client_cb_cnt = 0;
1818 static int psk_server_cb_cnt = 0;
1820 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1821 size_t *idlen, SSL_SESSION **sess)
1823 switch (++use_session_cb_cnt) {
1825 /* The first call should always have a NULL md */
1831 /* The second call should always have an md */
1837 /* We should only be called a maximum of twice */
1841 if (clientpsk != NULL)
1842 SSL_SESSION_up_ref(clientpsk);
1845 *id = (const unsigned char *)pskid;
1846 *idlen = strlen(pskid);
1851 #ifndef OPENSSL_NO_PSK
1852 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1853 unsigned int max_id_len,
1855 unsigned int max_psk_len)
1857 unsigned int psklen = 0;
1859 psk_client_cb_cnt++;
1861 if (strlen(pskid) + 1 > max_id_len)
1864 /* We should only ever be called a maximum of twice per connection */
1865 if (psk_client_cb_cnt > 2)
1868 if (clientpsk == NULL)
1871 /* We'll reuse the PSK we set up for TLSv1.3 */
1872 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1874 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1875 strncpy(id, pskid, max_id_len);
1879 #endif /* OPENSSL_NO_PSK */
1881 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1882 size_t identity_len, SSL_SESSION **sess)
1884 find_session_cb_cnt++;
1886 /* We should only ever be called a maximum of twice per connection */
1887 if (find_session_cb_cnt > 2)
1890 if (serverpsk == NULL)
1893 /* Identity should match that set by the client */
1894 if (strlen(srvid) != identity_len
1895 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1896 /* No PSK found, continue but without a PSK */
1901 SSL_SESSION_up_ref(serverpsk);
1907 #ifndef OPENSSL_NO_PSK
1908 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1909 unsigned char *psk, unsigned int max_psk_len)
1911 unsigned int psklen = 0;
1913 psk_server_cb_cnt++;
1915 /* We should only ever be called a maximum of twice per connection */
1916 if (find_session_cb_cnt > 2)
1919 if (serverpsk == NULL)
1922 /* Identity should match that set by the client */
1923 if (strcmp(srvid, identity) != 0) {
1927 /* We'll reuse the PSK we set up for TLSv1.3 */
1928 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1930 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1934 #endif /* OPENSSL_NO_PSK */
1936 #define MSG1 "Hello"
1937 #define MSG2 "World."
1942 #define MSG7 "message."
1944 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1945 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1948 * Helper method to setup objects for early data test. Caller frees objects on
1951 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1952 SSL **serverssl, SSL_SESSION **sess, int idx)
1955 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1956 TLS_client_method(),
1957 TLS1_VERSION, TLS_MAX_VERSION,
1958 sctx, cctx, cert, privkey)))
1961 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
1965 /* When idx == 1 we repeat the tests with read_ahead set */
1966 SSL_CTX_set_read_ahead(*cctx, 1);
1967 SSL_CTX_set_read_ahead(*sctx, 1);
1968 } else if (idx == 2) {
1969 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1970 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1971 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1972 use_session_cb_cnt = 0;
1973 find_session_cb_cnt = 0;
1977 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1982 * For one of the run throughs (doesn't matter which one), we'll try sending
1983 * some SNI data in the initial ClientHello. This will be ignored (because
1984 * there is no SNI cb set up by the server), so it should not impact
1988 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1992 /* Create the PSK */
1993 const SSL_CIPHER *cipher = NULL;
1994 const unsigned char key[] = {
1995 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1996 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1997 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1998 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1999 0x2c, 0x2d, 0x2e, 0x2f
2002 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
2003 clientpsk = SSL_SESSION_new();
2004 if (!TEST_ptr(clientpsk)
2005 || !TEST_ptr(cipher)
2006 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2008 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2010 SSL_SESSION_set_protocol_version(clientpsk,
2013 * We just choose an arbitrary value for max_early_data which
2014 * should be big enough for testing purposes.
2016 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2018 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2019 SSL_SESSION_free(clientpsk);
2023 serverpsk = clientpsk;
2026 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2027 SSL_SESSION_free(clientpsk);
2028 SSL_SESSION_free(serverpsk);
2029 clientpsk = serverpsk = NULL;
2040 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2044 *sess = SSL_get1_session(*clientssl);
2045 SSL_shutdown(*clientssl);
2046 SSL_shutdown(*serverssl);
2047 SSL_free(*serverssl);
2048 SSL_free(*clientssl);
2049 *serverssl = *clientssl = NULL;
2051 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2052 clientssl, NULL, NULL))
2053 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2059 static int test_early_data_read_write(int idx)
2061 SSL_CTX *cctx = NULL, *sctx = NULL;
2062 SSL *clientssl = NULL, *serverssl = NULL;
2064 SSL_SESSION *sess = NULL;
2065 unsigned char buf[20], data[1024];
2066 size_t readbytes, written, eoedlen, rawread, rawwritten;
2069 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2070 &serverssl, &sess, idx)))
2073 /* Write and read some early data */
2074 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2076 || !TEST_size_t_eq(written, strlen(MSG1))
2077 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2078 sizeof(buf), &readbytes),
2079 SSL_READ_EARLY_DATA_SUCCESS)
2080 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2081 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2082 SSL_EARLY_DATA_ACCEPTED))
2086 * Server should be able to write data, and client should be able to
2089 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2091 || !TEST_size_t_eq(written, strlen(MSG2))
2092 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2093 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2096 /* Even after reading normal data, client should be able write early data */
2097 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2099 || !TEST_size_t_eq(written, strlen(MSG3)))
2102 /* Server should still be able read early data after writing data */
2103 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2105 SSL_READ_EARLY_DATA_SUCCESS)
2106 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2109 /* Write more data from server and read it from client */
2110 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2112 || !TEST_size_t_eq(written, strlen(MSG4))
2113 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2114 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2118 * If client writes normal data it should mean writing early data is no
2121 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2122 || !TEST_size_t_eq(written, strlen(MSG5))
2123 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2124 SSL_EARLY_DATA_ACCEPTED))
2128 * At this point the client has written EndOfEarlyData, ClientFinished and
2129 * normal (fully protected) data. We are going to cause a delay between the
2130 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2131 * in the read BIO, and then just put back the EndOfEarlyData message.
2133 rbio = SSL_get_rbio(serverssl);
2134 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2135 || !TEST_size_t_lt(rawread, sizeof(data))
2136 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2139 /* Record length is in the 4th and 5th bytes of the record header */
2140 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2141 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2142 || !TEST_size_t_eq(rawwritten, eoedlen))
2145 /* Server should be told that there is no more early data */
2146 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2148 SSL_READ_EARLY_DATA_FINISH)
2149 || !TEST_size_t_eq(readbytes, 0))
2153 * Server has not finished init yet, so should still be able to write early
2156 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2158 || !TEST_size_t_eq(written, strlen(MSG6)))
2161 /* Push the ClientFinished and the normal data back into the server rbio */
2162 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2164 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2167 /* Server should be able to read normal data */
2168 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2169 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2172 /* Client and server should not be able to write/read early data now */
2173 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2177 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2179 SSL_READ_EARLY_DATA_ERROR))
2183 /* Client should be able to read the data sent by the server */
2184 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2185 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2189 * Make sure we process the two NewSessionTickets. These arrive
2190 * post-handshake. We attempt reads which we do not expect to return any
2193 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2194 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2198 /* Server should be able to write normal data */
2199 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2200 || !TEST_size_t_eq(written, strlen(MSG7))
2201 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2202 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2205 SSL_SESSION_free(sess);
2206 sess = SSL_get1_session(clientssl);
2207 use_session_cb_cnt = 0;
2208 find_session_cb_cnt = 0;
2210 SSL_shutdown(clientssl);
2211 SSL_shutdown(serverssl);
2212 SSL_free(serverssl);
2213 SSL_free(clientssl);
2214 serverssl = clientssl = NULL;
2215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2216 &clientssl, NULL, NULL))
2217 || !TEST_true(SSL_set_session(clientssl, sess)))
2220 /* Write and read some early data */
2221 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2223 || !TEST_size_t_eq(written, strlen(MSG1))
2224 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2226 SSL_READ_EARLY_DATA_SUCCESS)
2227 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2230 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2231 || !TEST_int_gt(SSL_accept(serverssl), 0))
2234 /* Client and server should not be able to write/read early data now */
2235 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2239 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2241 SSL_READ_EARLY_DATA_ERROR))
2245 /* Client and server should be able to write/read normal data */
2246 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2247 || !TEST_size_t_eq(written, strlen(MSG5))
2248 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2249 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2255 SSL_SESSION_free(sess);
2256 SSL_SESSION_free(clientpsk);
2257 SSL_SESSION_free(serverpsk);
2258 clientpsk = serverpsk = NULL;
2259 SSL_free(serverssl);
2260 SSL_free(clientssl);
2266 static int allow_ed_cb_called = 0;
2268 static int allow_early_data_cb(SSL *s, void *arg)
2270 int *usecb = (int *)arg;
2272 allow_ed_cb_called++;
2281 * idx == 0: Standard early_data setup
2282 * idx == 1: early_data setup using read_ahead
2283 * usecb == 0: Don't use a custom early data callback
2284 * usecb == 1: Use a custom early data callback and reject the early data
2285 * usecb == 2: Use a custom early data callback and accept the early data
2286 * confopt == 0: Configure anti-replay directly
2287 * confopt == 1: Configure anti-replay using SSL_CONF
2289 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2291 SSL_CTX *cctx = NULL, *sctx = NULL;
2292 SSL *clientssl = NULL, *serverssl = NULL;
2294 SSL_SESSION *sess = NULL;
2295 size_t readbytes, written;
2296 unsigned char buf[20];
2298 allow_ed_cb_called = 0;
2300 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2301 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2302 &cctx, cert, privkey)))
2307 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2309 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2311 if (!TEST_ptr(confctx))
2313 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2314 | SSL_CONF_FLAG_SERVER);
2315 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2316 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2318 SSL_CONF_CTX_free(confctx);
2321 SSL_CONF_CTX_free(confctx);
2323 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2326 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2327 &serverssl, &sess, idx)))
2331 * The server is configured to accept early data. Create a connection to
2332 * "use up" the ticket
2334 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2335 || !TEST_true(SSL_session_reused(clientssl)))
2338 SSL_shutdown(clientssl);
2339 SSL_shutdown(serverssl);
2340 SSL_free(serverssl);
2341 SSL_free(clientssl);
2342 serverssl = clientssl = NULL;
2344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2345 &clientssl, NULL, NULL))
2346 || !TEST_true(SSL_set_session(clientssl, sess)))
2349 /* Write and read some early data */
2350 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2352 || !TEST_size_t_eq(written, strlen(MSG1)))
2356 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2358 SSL_READ_EARLY_DATA_FINISH)
2360 * The ticket was reused, so the we should have rejected the
2363 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2364 SSL_EARLY_DATA_REJECTED))
2367 /* In this case the callback decides to accept the early data */
2368 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2370 SSL_READ_EARLY_DATA_SUCCESS)
2371 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2373 * Server will have sent its flight so client can now send
2374 * end of early data and complete its half of the handshake
2376 || !TEST_int_gt(SSL_connect(clientssl), 0)
2377 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2379 SSL_READ_EARLY_DATA_FINISH)
2380 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2381 SSL_EARLY_DATA_ACCEPTED))
2385 /* Complete the connection */
2386 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2387 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2388 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2394 SSL_SESSION_free(sess);
2395 SSL_SESSION_free(clientpsk);
2396 SSL_SESSION_free(serverpsk);
2397 clientpsk = serverpsk = NULL;
2398 SSL_free(serverssl);
2399 SSL_free(clientssl);
2405 static int test_early_data_replay(int idx)
2407 int ret = 1, usecb, confopt;
2409 for (usecb = 0; usecb < 3; usecb++) {
2410 for (confopt = 0; confopt < 2; confopt++)
2411 ret &= test_early_data_replay_int(idx, usecb, confopt);
2418 * Helper function to test that a server attempting to read early data can
2419 * handle a connection from a client where the early data should be skipped.
2420 * testtype: 0 == No HRR
2421 * testtype: 1 == HRR
2422 * testtype: 2 == HRR, invalid early_data sent after HRR
2423 * testtype: 3 == recv_max_early_data set to 0
2425 static int early_data_skip_helper(int testtype, int idx)
2427 SSL_CTX *cctx = NULL, *sctx = NULL;
2428 SSL *clientssl = NULL, *serverssl = NULL;
2430 SSL_SESSION *sess = NULL;
2431 unsigned char buf[20];
2432 size_t readbytes, written;
2434 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2435 &serverssl, &sess, idx)))
2438 if (testtype == 1 || testtype == 2) {
2439 /* Force an HRR to occur */
2440 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2442 } else if (idx == 2) {
2444 * We force early_data rejection by ensuring the PSK identity is
2447 srvid = "Dummy Identity";
2450 * Deliberately corrupt the creation time. We take 20 seconds off the
2451 * time. It could be any value as long as it is not within tolerance.
2452 * This should mean the ticket is rejected.
2454 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2459 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2462 /* Write some early data */
2463 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2465 || !TEST_size_t_eq(written, strlen(MSG1)))
2468 /* Server should reject the early data */
2469 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2471 SSL_READ_EARLY_DATA_FINISH)
2472 || !TEST_size_t_eq(readbytes, 0)
2473 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2474 SSL_EARLY_DATA_REJECTED))
2484 * Finish off the handshake. We perform the same writes and reads as
2485 * further down but we expect them to fail due to the incomplete
2488 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2489 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2496 BIO *wbio = SSL_get_wbio(clientssl);
2497 /* A record that will appear as bad early_data */
2498 const unsigned char bad_early_data[] = {
2499 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2503 * We force the client to attempt a write. This will fail because
2504 * we're still in the handshake. It will cause the second
2505 * ClientHello to be sent.
2507 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2512 * Inject some early_data after the second ClientHello. This should
2513 * cause the server to fail
2515 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2516 sizeof(bad_early_data), &written)))
2523 * This client has sent more early_data than we are willing to skip
2524 * (case 3) or sent invalid early_data (case 2) so the connection should
2527 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2528 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2531 /* Connection has failed - nothing more to do */
2536 TEST_error("Invalid test type");
2541 * Should be able to send normal data despite rejection of early data. The
2542 * early_data should be skipped.
2544 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2545 || !TEST_size_t_eq(written, strlen(MSG2))
2546 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2547 SSL_EARLY_DATA_REJECTED)
2548 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2549 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2555 SSL_SESSION_free(clientpsk);
2556 SSL_SESSION_free(serverpsk);
2557 clientpsk = serverpsk = NULL;
2558 SSL_SESSION_free(sess);
2559 SSL_free(serverssl);
2560 SSL_free(clientssl);
2567 * Test that a server attempting to read early data can handle a connection
2568 * from a client where the early data is not acceptable.
2570 static int test_early_data_skip(int idx)
2572 return early_data_skip_helper(0, idx);
2576 * Test that a server attempting to read early data can handle a connection
2577 * from a client where an HRR occurs.
2579 static int test_early_data_skip_hrr(int idx)
2581 return early_data_skip_helper(1, idx);
2585 * Test that a server attempting to read early data can handle a connection
2586 * from a client where an HRR occurs and correctly fails if early_data is sent
2589 static int test_early_data_skip_hrr_fail(int idx)
2591 return early_data_skip_helper(2, idx);
2595 * Test that a server attempting to read early data will abort if it tries to
2596 * skip over too much.
2598 static int test_early_data_skip_abort(int idx)
2600 return early_data_skip_helper(3, idx);
2604 * Test that a server attempting to read early data can handle a connection
2605 * from a client that doesn't send any.
2607 static int test_early_data_not_sent(int idx)
2609 SSL_CTX *cctx = NULL, *sctx = NULL;
2610 SSL *clientssl = NULL, *serverssl = NULL;
2612 SSL_SESSION *sess = NULL;
2613 unsigned char buf[20];
2614 size_t readbytes, written;
2616 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2617 &serverssl, &sess, idx)))
2620 /* Write some data - should block due to handshake with server */
2621 SSL_set_connect_state(clientssl);
2622 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2625 /* Server should detect that early data has not been sent */
2626 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2628 SSL_READ_EARLY_DATA_FINISH)
2629 || !TEST_size_t_eq(readbytes, 0)
2630 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2631 SSL_EARLY_DATA_NOT_SENT)
2632 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2633 SSL_EARLY_DATA_NOT_SENT))
2636 /* Continue writing the message we started earlier */
2637 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2638 || !TEST_size_t_eq(written, strlen(MSG1))
2639 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2640 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2641 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2642 || !TEST_size_t_eq(written, strlen(MSG2)))
2645 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2646 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2652 SSL_SESSION_free(sess);
2653 SSL_SESSION_free(clientpsk);
2654 SSL_SESSION_free(serverpsk);
2655 clientpsk = serverpsk = NULL;
2656 SSL_free(serverssl);
2657 SSL_free(clientssl);
2663 static int hostname_cb(SSL *s, int *al, void *arg)
2665 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2667 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2668 return SSL_TLSEXT_ERR_OK;
2670 return SSL_TLSEXT_ERR_NOACK;
2673 static const char *servalpn;
2675 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2676 unsigned char *outlen, const unsigned char *in,
2677 unsigned int inlen, void *arg)
2679 unsigned int protlen = 0;
2680 const unsigned char *prot;
2682 for (prot = in; prot < in + inlen; prot += protlen) {
2684 if (in + inlen < prot + protlen)
2685 return SSL_TLSEXT_ERR_NOACK;
2687 if (protlen == strlen(servalpn)
2688 && memcmp(prot, servalpn, protlen) == 0) {
2691 return SSL_TLSEXT_ERR_OK;
2695 return SSL_TLSEXT_ERR_NOACK;
2698 /* Test that a PSK can be used to send early_data */
2699 static int test_early_data_psk(int idx)
2701 SSL_CTX *cctx = NULL, *sctx = NULL;
2702 SSL *clientssl = NULL, *serverssl = NULL;
2704 SSL_SESSION *sess = NULL;
2705 unsigned char alpnlist[] = {
2706 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2709 #define GOODALPNLEN 9
2710 #define BADALPNLEN 8
2711 #define GOODALPN (alpnlist)
2712 #define BADALPN (alpnlist + GOODALPNLEN)
2714 unsigned char buf[20];
2715 size_t readbytes, written;
2716 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2717 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2719 /* We always set this up with a final parameter of "2" for PSK */
2720 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2721 &serverssl, &sess, 2)))
2724 servalpn = "goodalpn";
2727 * Note: There is no test for inconsistent SNI with late client detection.
2728 * This is because servers do not acknowledge SNI even if they are using
2729 * it in a resumption handshake - so it is not actually possible for a
2730 * client to detect a problem.
2734 /* Set inconsistent SNI (early client detection) */
2735 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2736 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2737 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2742 /* Set inconsistent ALPN (early client detection) */
2743 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2744 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2745 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2747 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2754 * Set invalid protocol version. Technically this affects PSKs without
2755 * early_data too, but we test it here because it is similar to the
2756 * SNI/ALPN consistency tests.
2758 err = SSL_R_BAD_PSK;
2759 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2765 * Set inconsistent SNI (server detected). In this case the connection
2766 * will succeed but reject early_data.
2768 SSL_SESSION_free(serverpsk);
2769 serverpsk = SSL_SESSION_dup(clientpsk);
2770 if (!TEST_ptr(serverpsk)
2771 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2773 edstatus = SSL_EARLY_DATA_REJECTED;
2774 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2777 /* Set consistent SNI */
2778 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2779 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2780 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2787 * Set inconsistent ALPN (server detected). In this case the connection
2788 * will succeed but reject early_data.
2790 servalpn = "badalpn";
2791 edstatus = SSL_EARLY_DATA_REJECTED;
2792 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2796 * Set consistent ALPN.
2797 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2798 * accepts a list of protos (each one length prefixed).
2799 * SSL_set1_alpn_selected accepts a single protocol (not length
2802 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2804 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2808 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2812 /* Set inconsistent ALPN (late client detection) */
2813 SSL_SESSION_free(serverpsk);
2814 serverpsk = SSL_SESSION_dup(clientpsk);
2815 if (!TEST_ptr(serverpsk)
2816 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2819 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2822 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2825 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2826 edstatus = SSL_EARLY_DATA_ACCEPTED;
2827 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2828 /* SSL_connect() call should fail */
2833 TEST_error("Bad test index");
2837 SSL_set_connect_state(clientssl);
2839 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2841 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2842 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2845 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2849 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2850 &readbytes), readearlyres)
2851 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2852 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2853 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2854 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2861 SSL_SESSION_free(sess);
2862 SSL_SESSION_free(clientpsk);
2863 SSL_SESSION_free(serverpsk);
2864 clientpsk = serverpsk = NULL;
2865 SSL_free(serverssl);
2866 SSL_free(clientssl);
2873 * Test that a server that doesn't try to read early data can handle a
2874 * client sending some.
2876 static int test_early_data_not_expected(int idx)
2878 SSL_CTX *cctx = NULL, *sctx = NULL;
2879 SSL *clientssl = NULL, *serverssl = NULL;
2881 SSL_SESSION *sess = NULL;
2882 unsigned char buf[20];
2883 size_t readbytes, written;
2885 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2886 &serverssl, &sess, idx)))
2889 /* Write some early data */
2890 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2895 * Server should skip over early data and then block waiting for client to
2896 * continue handshake
2898 if (!TEST_int_le(SSL_accept(serverssl), 0)
2899 || !TEST_int_gt(SSL_connect(clientssl), 0)
2900 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2901 SSL_EARLY_DATA_REJECTED)
2902 || !TEST_int_gt(SSL_accept(serverssl), 0)
2903 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2904 SSL_EARLY_DATA_REJECTED))
2907 /* Send some normal data from client to server */
2908 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2909 || !TEST_size_t_eq(written, strlen(MSG2)))
2912 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2913 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2919 SSL_SESSION_free(sess);
2920 SSL_SESSION_free(clientpsk);
2921 SSL_SESSION_free(serverpsk);
2922 clientpsk = serverpsk = NULL;
2923 SSL_free(serverssl);
2924 SSL_free(clientssl);
2931 # ifndef OPENSSL_NO_TLS1_2
2933 * Test that a server attempting to read early data can handle a connection
2934 * from a TLSv1.2 client.
2936 static int test_early_data_tls1_2(int idx)
2938 SSL_CTX *cctx = NULL, *sctx = NULL;
2939 SSL *clientssl = NULL, *serverssl = NULL;
2941 unsigned char buf[20];
2942 size_t readbytes, written;
2944 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2945 &serverssl, NULL, idx)))
2948 /* Write some data - should block due to handshake with server */
2949 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2950 SSL_set_connect_state(clientssl);
2951 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2955 * Server should do TLSv1.2 handshake. First it will block waiting for more
2956 * messages from client after ServerDone. Then SSL_read_early_data should
2957 * finish and detect that early data has not been sent
2959 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2961 SSL_READ_EARLY_DATA_ERROR))
2965 * Continue writing the message we started earlier. Will still block waiting
2966 * for the CCS/Finished from server
2968 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2969 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2971 SSL_READ_EARLY_DATA_FINISH)
2972 || !TEST_size_t_eq(readbytes, 0)
2973 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2974 SSL_EARLY_DATA_NOT_SENT))
2977 /* Continue writing the message we started earlier */
2978 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2979 || !TEST_size_t_eq(written, strlen(MSG1))
2980 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2981 SSL_EARLY_DATA_NOT_SENT)
2982 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2983 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2984 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2985 || !TEST_size_t_eq(written, strlen(MSG2))
2986 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2987 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2993 SSL_SESSION_free(clientpsk);
2994 SSL_SESSION_free(serverpsk);
2995 clientpsk = serverpsk = NULL;
2996 SSL_free(serverssl);
2997 SSL_free(clientssl);
3003 # endif /* OPENSSL_NO_TLS1_2 */
3006 * Test configuring the TLSv1.3 ciphersuites
3008 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3009 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3010 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3011 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3012 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3013 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3014 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3015 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3016 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3017 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3019 static int test_set_ciphersuite(int idx)
3021 SSL_CTX *cctx = NULL, *sctx = NULL;
3022 SSL *clientssl = NULL, *serverssl = NULL;
3025 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3026 TLS1_VERSION, TLS_MAX_VERSION,
3027 &sctx, &cctx, cert, privkey))
3028 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3029 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3032 if (idx >=4 && idx <= 7) {
3033 /* SSL_CTX explicit cipher list */
3034 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3038 if (idx == 0 || idx == 4) {
3039 /* Default ciphersuite */
3040 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3041 "TLS_AES_128_GCM_SHA256")))
3043 } else if (idx == 1 || idx == 5) {
3044 /* Non default ciphersuite */
3045 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3046 "TLS_AES_128_CCM_SHA256")))
3050 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3051 &clientssl, NULL, NULL)))
3054 if (idx == 8 || idx == 9) {
3055 /* SSL explicit cipher list */
3056 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3060 if (idx == 2 || idx == 6 || idx == 8) {
3061 /* Default ciphersuite */
3062 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3063 "TLS_AES_128_GCM_SHA256")))
3065 } else if (idx == 3 || idx == 7 || idx == 9) {
3066 /* Non default ciphersuite */
3067 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3068 "TLS_AES_128_CCM_SHA256")))
3072 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3078 SSL_free(serverssl);
3079 SSL_free(clientssl);
3086 static int test_ciphersuite_change(void)
3088 SSL_CTX *cctx = NULL, *sctx = NULL;
3089 SSL *clientssl = NULL, *serverssl = NULL;
3090 SSL_SESSION *clntsess = NULL;
3092 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3094 /* Create a session based on SHA-256 */
3095 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3096 TLS1_VERSION, TLS_MAX_VERSION,
3097 &sctx, &cctx, cert, privkey))
3098 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3099 "TLS_AES_128_GCM_SHA256"))
3100 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3101 &clientssl, NULL, NULL))
3102 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3106 clntsess = SSL_get1_session(clientssl);
3107 /* Save for later */
3108 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3109 SSL_shutdown(clientssl);
3110 SSL_shutdown(serverssl);
3111 SSL_free(serverssl);
3112 SSL_free(clientssl);
3113 serverssl = clientssl = NULL;
3115 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3116 /* Check we can resume a session with a different SHA-256 ciphersuite */
3117 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3118 "TLS_CHACHA20_POLY1305_SHA256"))
3119 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3121 || !TEST_true(SSL_set_session(clientssl, clntsess))
3122 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3124 || !TEST_true(SSL_session_reused(clientssl)))
3127 SSL_SESSION_free(clntsess);
3128 clntsess = SSL_get1_session(clientssl);
3129 SSL_shutdown(clientssl);
3130 SSL_shutdown(serverssl);
3131 SSL_free(serverssl);
3132 SSL_free(clientssl);
3133 serverssl = clientssl = NULL;
3137 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3138 * succeeds but does not resume.
3140 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3141 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3143 || !TEST_true(SSL_set_session(clientssl, clntsess))
3144 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3146 || !TEST_false(SSL_session_reused(clientssl)))
3149 SSL_SESSION_free(clntsess);
3151 SSL_shutdown(clientssl);
3152 SSL_shutdown(serverssl);
3153 SSL_free(serverssl);
3154 SSL_free(clientssl);
3155 serverssl = clientssl = NULL;
3157 /* Create a session based on SHA384 */
3158 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3159 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3160 &clientssl, NULL, NULL))
3161 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3165 clntsess = SSL_get1_session(clientssl);
3166 SSL_shutdown(clientssl);
3167 SSL_shutdown(serverssl);
3168 SSL_free(serverssl);
3169 SSL_free(clientssl);
3170 serverssl = clientssl = NULL;
3172 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3173 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3174 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3175 "TLS_AES_256_GCM_SHA384"))
3176 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3178 || !TEST_true(SSL_set_session(clientssl, clntsess))
3180 * We use SSL_ERROR_WANT_READ below so that we can pause the
3181 * connection after the initial ClientHello has been sent to
3182 * enable us to make some session changes.
3184 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3185 SSL_ERROR_WANT_READ)))
3188 /* Trick the client into thinking this session is for a different digest */
3189 clntsess->cipher = aes_128_gcm_sha256;
3190 clntsess->cipher_id = clntsess->cipher->id;
3193 * Continue the previously started connection. Server has selected a SHA-384
3194 * ciphersuite, but client thinks the session is for SHA-256, so it should
3197 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3199 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3200 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3206 SSL_SESSION_free(clntsess);
3207 SSL_free(serverssl);
3208 SSL_free(clientssl);
3217 * Test 0 = Test new style callbacks
3218 * Test 1 = Test both new and old style callbacks
3219 * Test 2 = Test old style callbacks
3220 * Test 3 = Test old style callbacks with no certificate
3222 static int test_tls13_psk(int idx)
3224 SSL_CTX *sctx = NULL, *cctx = NULL;
3225 SSL *serverssl = NULL, *clientssl = NULL;
3226 const SSL_CIPHER *cipher = NULL;
3227 const unsigned char key[] = {
3228 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3229 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3230 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3231 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3235 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3236 TLS1_VERSION, TLS_MAX_VERSION,
3237 &sctx, &cctx, idx == 3 ? NULL : cert,
3238 idx == 3 ? NULL : privkey)))
3243 * We use a ciphersuite with SHA256 to ease testing old style PSK
3244 * callbacks which will always default to SHA256. This should not be
3245 * necessary if we have no cert/priv key. In that case the server should
3246 * prefer SHA256 automatically.
3248 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3249 "TLS_AES_128_GCM_SHA256")))
3254 * Test 0: New style callbacks only
3255 * Test 1: New and old style callbacks (only the new ones should be used)
3256 * Test 2: Old style callbacks only
3258 if (idx == 0 || idx == 1) {
3259 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3260 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3262 #ifndef OPENSSL_NO_PSK
3264 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3265 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3269 use_session_cb_cnt = 0;
3270 find_session_cb_cnt = 0;
3271 psk_client_cb_cnt = 0;
3272 psk_server_cb_cnt = 0;
3276 * Check we can create a connection if callback decides not to send a
3279 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3281 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3283 || !TEST_false(SSL_session_reused(clientssl))
3284 || !TEST_false(SSL_session_reused(serverssl)))
3287 if (idx == 0 || idx == 1) {
3288 if (!TEST_true(use_session_cb_cnt == 1)
3289 || !TEST_true(find_session_cb_cnt == 0)
3291 * If no old style callback then below should be 0
3294 || !TEST_true(psk_client_cb_cnt == idx)
3295 || !TEST_true(psk_server_cb_cnt == 0))
3298 if (!TEST_true(use_session_cb_cnt == 0)
3299 || !TEST_true(find_session_cb_cnt == 0)
3300 || !TEST_true(psk_client_cb_cnt == 1)
3301 || !TEST_true(psk_server_cb_cnt == 0))
3305 shutdown_ssl_connection(serverssl, clientssl);
3306 serverssl = clientssl = NULL;
3307 use_session_cb_cnt = psk_client_cb_cnt = 0;
3310 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3314 /* Create the PSK */
3315 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3316 clientpsk = SSL_SESSION_new();
3317 if (!TEST_ptr(clientpsk)
3318 || !TEST_ptr(cipher)
3319 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3321 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3322 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3324 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3326 serverpsk = clientpsk;
3328 /* Check we can create a connection and the PSK is used */
3329 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3330 || !TEST_true(SSL_session_reused(clientssl))
3331 || !TEST_true(SSL_session_reused(serverssl)))
3334 if (idx == 0 || idx == 1) {
3335 if (!TEST_true(use_session_cb_cnt == 1)
3336 || !TEST_true(find_session_cb_cnt == 1)
3337 || !TEST_true(psk_client_cb_cnt == 0)
3338 || !TEST_true(psk_server_cb_cnt == 0))
3341 if (!TEST_true(use_session_cb_cnt == 0)
3342 || !TEST_true(find_session_cb_cnt == 0)
3343 || !TEST_true(psk_client_cb_cnt == 1)
3344 || !TEST_true(psk_server_cb_cnt == 1))
3348 shutdown_ssl_connection(serverssl, clientssl);
3349 serverssl = clientssl = NULL;
3350 use_session_cb_cnt = find_session_cb_cnt = 0;
3351 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3353 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3358 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3362 * Check we can create a connection, the PSK is used and the callbacks are
3365 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3366 || !TEST_true(SSL_session_reused(clientssl))
3367 || !TEST_true(SSL_session_reused(serverssl)))
3370 if (idx == 0 || idx == 1) {
3371 if (!TEST_true(use_session_cb_cnt == 2)
3372 || !TEST_true(find_session_cb_cnt == 2)
3373 || !TEST_true(psk_client_cb_cnt == 0)
3374 || !TEST_true(psk_server_cb_cnt == 0))
3377 if (!TEST_true(use_session_cb_cnt == 0)
3378 || !TEST_true(find_session_cb_cnt == 0)
3379 || !TEST_true(psk_client_cb_cnt == 2)
3380 || !TEST_true(psk_server_cb_cnt == 2))
3384 shutdown_ssl_connection(serverssl, clientssl);
3385 serverssl = clientssl = NULL;
3386 use_session_cb_cnt = find_session_cb_cnt = 0;
3387 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3391 * Check that if the server rejects the PSK we can still connect, but with
3394 srvid = "Dummy Identity";
3395 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3397 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3399 || !TEST_false(SSL_session_reused(clientssl))
3400 || !TEST_false(SSL_session_reused(serverssl)))
3403 if (idx == 0 || idx == 1) {
3404 if (!TEST_true(use_session_cb_cnt == 1)
3405 || !TEST_true(find_session_cb_cnt == 1)
3406 || !TEST_true(psk_client_cb_cnt == 0)
3408 * If no old style callback then below should be 0
3411 || !TEST_true(psk_server_cb_cnt == idx))
3414 if (!TEST_true(use_session_cb_cnt == 0)
3415 || !TEST_true(find_session_cb_cnt == 0)
3416 || !TEST_true(psk_client_cb_cnt == 1)
3417 || !TEST_true(psk_server_cb_cnt == 1))
3421 shutdown_ssl_connection(serverssl, clientssl);
3422 serverssl = clientssl = NULL;
3427 SSL_SESSION_free(clientpsk);
3428 SSL_SESSION_free(serverpsk);
3429 clientpsk = serverpsk = NULL;
3430 SSL_free(serverssl);
3431 SSL_free(clientssl);
3437 static unsigned char cookie_magic_value[] = "cookie magic";
3439 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3440 unsigned int *cookie_len)
3443 * Not suitable as a real cookie generation function but good enough for
3446 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3447 *cookie_len = sizeof(cookie_magic_value) - 1;
3452 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3453 unsigned int cookie_len)
3455 if (cookie_len == sizeof(cookie_magic_value) - 1
3456 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3462 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3466 int res = generate_cookie_callback(ssl, cookie, &temp);
3471 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3474 return verify_cookie_callback(ssl, cookie, cookie_len);
3477 static int test_stateless(void)
3479 SSL_CTX *sctx = NULL, *cctx = NULL;
3480 SSL *serverssl = NULL, *clientssl = NULL;
3483 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3484 TLS1_VERSION, TLS_MAX_VERSION,
3485 &sctx, &cctx, cert, privkey)))
3488 /* The arrival of CCS messages can confuse the test */
3489 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3493 /* Send the first ClientHello */
3494 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3495 SSL_ERROR_WANT_READ))
3497 * This should fail with a -1 return because we have no callbacks
3500 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3503 /* Fatal error so abandon the connection from this client */
3504 SSL_free(clientssl);
3507 /* Set up the cookie generation and verification callbacks */
3508 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3509 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3512 * Create a new connection from the client (we can reuse the server SSL
3515 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3517 /* Send the first ClientHello */
3518 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3519 SSL_ERROR_WANT_READ))
3520 /* This should fail because there is no cookie */
3521 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3524 /* Abandon the connection from this client */
3525 SSL_free(clientssl);
3529 * Now create a connection from a new client but with the same server SSL
3532 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3534 /* Send the first ClientHello */
3535 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3536 SSL_ERROR_WANT_READ))
3537 /* This should fail because there is no cookie */
3538 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3539 /* Send the second ClientHello */
3540 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3541 SSL_ERROR_WANT_READ))
3542 /* This should succeed because a cookie is now present */
3543 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3544 /* Complete the connection */
3545 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3549 shutdown_ssl_connection(serverssl, clientssl);
3550 serverssl = clientssl = NULL;
3554 SSL_free(serverssl);
3555 SSL_free(clientssl);
3561 #endif /* OPENSSL_NO_TLS1_3 */
3563 static int clntaddoldcb = 0;
3564 static int clntparseoldcb = 0;
3565 static int srvaddoldcb = 0;
3566 static int srvparseoldcb = 0;
3567 static int clntaddnewcb = 0;
3568 static int clntparsenewcb = 0;
3569 static int srvaddnewcb = 0;
3570 static int srvparsenewcb = 0;
3571 static int snicb = 0;
3573 #define TEST_EXT_TYPE1 0xff00
3575 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3576 size_t *outlen, int *al, void *add_arg)
3578 int *server = (int *)add_arg;
3579 unsigned char *data;
3581 if (SSL_is_server(s))
3586 if (*server != SSL_is_server(s)
3587 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3592 *outlen = sizeof(char);
3596 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3599 OPENSSL_free((unsigned char *)out);
3602 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3603 size_t inlen, int *al, void *parse_arg)
3605 int *server = (int *)parse_arg;
3607 if (SSL_is_server(s))
3612 if (*server != SSL_is_server(s)
3613 || inlen != sizeof(char)
3620 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3621 const unsigned char **out, size_t *outlen, X509 *x,
3622 size_t chainidx, int *al, void *add_arg)
3624 int *server = (int *)add_arg;
3625 unsigned char *data;
3627 if (SSL_is_server(s))
3632 if (*server != SSL_is_server(s)
3633 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3638 *outlen = sizeof(*data);
3642 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3643 const unsigned char *out, void *add_arg)
3645 OPENSSL_free((unsigned char *)out);
3648 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3649 const unsigned char *in, size_t inlen, X509 *x,
3650 size_t chainidx, int *al, void *parse_arg)
3652 int *server = (int *)parse_arg;
3654 if (SSL_is_server(s))
3659 if (*server != SSL_is_server(s)
3660 || inlen != sizeof(char) || *in != 1)
3666 static int sni_cb(SSL *s, int *al, void *arg)
3668 SSL_CTX *ctx = (SSL_CTX *)arg;
3670 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3671 *al = SSL_AD_INTERNAL_ERROR;
3672 return SSL_TLSEXT_ERR_ALERT_FATAL;
3675 return SSL_TLSEXT_ERR_OK;
3679 * Custom call back tests.
3680 * Test 0: Old style callbacks in TLSv1.2
3681 * Test 1: New style callbacks in TLSv1.2
3682 * Test 2: New style callbacks in TLSv1.2 with SNI
3683 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3684 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3686 static int test_custom_exts(int tst)
3688 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3689 SSL *clientssl = NULL, *serverssl = NULL;
3691 static int server = 1;
3692 static int client = 0;
3693 SSL_SESSION *sess = NULL;
3694 unsigned int context;
3696 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3697 /* Skip tests for TLSv1.2 and below in this case */
3702 /* Reset callback counters */
3703 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3704 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3707 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3708 TLS1_VERSION, TLS_MAX_VERSION,
3709 &sctx, &cctx, cert, privkey)))
3713 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3714 TLS1_VERSION, TLS_MAX_VERSION,
3715 &sctx2, NULL, cert, privkey)))
3720 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3721 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3723 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3727 context = SSL_EXT_CLIENT_HELLO
3728 | SSL_EXT_TLS1_2_SERVER_HELLO
3729 | SSL_EXT_TLS1_3_SERVER_HELLO
3730 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3731 | SSL_EXT_TLS1_3_CERTIFICATE
3732 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3734 context = SSL_EXT_CLIENT_HELLO
3735 | SSL_EXT_TLS1_2_SERVER_HELLO
3736 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3739 /* Create a client side custom extension */
3741 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3742 old_add_cb, old_free_cb,
3743 &client, old_parse_cb,
3747 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3748 new_add_cb, new_free_cb,
3749 &client, new_parse_cb, &client)))
3753 /* Should not be able to add duplicates */
3754 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3755 old_add_cb, old_free_cb,
3756 &client, old_parse_cb,
3758 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3759 context, new_add_cb,
3760 new_free_cb, &client,
3761 new_parse_cb, &client)))
3764 /* Create a server side custom extension */
3766 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3767 old_add_cb, old_free_cb,
3768 &server, old_parse_cb,
3772 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3773 new_add_cb, new_free_cb,
3774 &server, new_parse_cb, &server)))
3777 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3778 context, new_add_cb,
3779 new_free_cb, &server,
3780 new_parse_cb, &server)))
3784 /* Should not be able to add duplicates */
3785 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3786 old_add_cb, old_free_cb,
3787 &server, old_parse_cb,
3789 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3790 context, new_add_cb,
3791 new_free_cb, &server,
3792 new_parse_cb, &server)))
3797 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3798 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3802 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3803 &clientssl, NULL, NULL))
3804 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3809 if (clntaddoldcb != 1
3810 || clntparseoldcb != 1
3812 || srvparseoldcb != 1)
3814 } else if (tst == 1 || tst == 2 || tst == 3) {
3815 if (clntaddnewcb != 1
3816 || clntparsenewcb != 1
3818 || srvparsenewcb != 1
3819 || (tst != 2 && snicb != 0)
3820 || (tst == 2 && snicb != 1))
3823 /* In this case there 2 NewSessionTicket messages created */
3824 if (clntaddnewcb != 1
3825 || clntparsenewcb != 5
3827 || srvparsenewcb != 1)
3831 sess = SSL_get1_session(clientssl);
3832 SSL_shutdown(clientssl);
3833 SSL_shutdown(serverssl);
3834 SSL_free(serverssl);
3835 SSL_free(clientssl);
3836 serverssl = clientssl = NULL;
3839 /* We don't bother with the resumption aspects for this test */
3844 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3846 || !TEST_true(SSL_set_session(clientssl, sess))
3847 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3852 * For a resumed session we expect to add the ClientHello extension. For the
3853 * old style callbacks we ignore it on the server side because they set
3854 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3858 if (clntaddoldcb != 2
3859 || clntparseoldcb != 1
3861 || srvparseoldcb != 1)
3863 } else if (tst == 1 || tst == 2 || tst == 3) {
3864 if (clntaddnewcb != 2
3865 || clntparsenewcb != 2
3867 || srvparsenewcb != 2)
3871 * No Certificate message extensions in the resumption handshake,
3872 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3874 if (clntaddnewcb != 2
3875 || clntparsenewcb != 8
3877 || srvparsenewcb != 2)
3884 SSL_SESSION_free(sess);
3885 SSL_free(serverssl);
3886 SSL_free(clientssl);
3887 SSL_CTX_free(sctx2);
3894 * Test loading of serverinfo data in various formats. test_sslmessages actually
3895 * tests to make sure the extensions appear in the handshake
3897 static int test_serverinfo(int tst)
3899 unsigned int version;
3900 unsigned char *sibuf;
3902 int ret, expected, testresult = 0;
3905 ctx = SSL_CTX_new(TLS_method());
3909 if ((tst & 0x01) == 0x01)
3910 version = SSL_SERVERINFOV2;
3912 version = SSL_SERVERINFOV1;
3914 if ((tst & 0x02) == 0x02) {
3915 sibuf = serverinfov2;
3916 sibuflen = sizeof(serverinfov2);
3917 expected = (version == SSL_SERVERINFOV2);
3919 sibuf = serverinfov1;
3920 sibuflen = sizeof(serverinfov1);
3921 expected = (version == SSL_SERVERINFOV1);
3924 if ((tst & 0x04) == 0x04) {
3925 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3927 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3930 * The version variable is irrelevant in this case - it's what is in the
3931 * buffer that matters
3933 if ((tst & 0x02) == 0x02)
3939 if (!TEST_true(ret == expected))
3951 * Test that SSL_export_keying_material() produces expected results. There are
3952 * no test vectors so all we do is test that both sides of the communication
3953 * produce the same results for different protocol versions.
3955 static int test_export_key_mat(int tst)
3958 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3959 SSL *clientssl = NULL, *serverssl = NULL;
3960 const char label[] = "test label";
3961 const unsigned char context[] = "context";
3962 const unsigned char *emptycontext = NULL;
3963 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3964 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3965 const int protocols[] = {
3972 #ifdef OPENSSL_NO_TLS1
3976 #ifdef OPENSSL_NO_TLS1_1
3980 #ifdef OPENSSL_NO_TLS1_2
3984 #ifdef OPENSSL_NO_TLS1_3
3988 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3989 TLS1_VERSION, TLS_MAX_VERSION,
3990 &sctx, &cctx, cert, privkey)))
3993 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3994 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3995 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3997 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3999 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4003 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4004 sizeof(ckeymat1), label,
4005 sizeof(label) - 1, context,
4006 sizeof(context) - 1, 1), 1)
4007 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4008 sizeof(ckeymat2), label,
4012 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4013 sizeof(ckeymat3), label,
4016 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4017 sizeof(skeymat1), label,
4020 sizeof(context) -1, 1),
4022 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4023 sizeof(skeymat2), label,
4027 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4028 sizeof(skeymat3), label,
4032 * Check that both sides created the same key material with the
4035 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4038 * Check that both sides created the same key material with an
4041 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4044 * Check that both sides created the same key material without a
4047 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4049 /* Different contexts should produce different results */
4050 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4055 * Check that an empty context and no context produce different results in
4056 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4058 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4060 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4067 SSL_free(serverssl);
4068 SSL_free(clientssl);
4069 SSL_CTX_free(sctx2);
4076 #ifndef OPENSSL_NO_TLS1_3
4078 * Test that SSL_export_keying_material_early() produces expected
4079 * results. There are no test vectors so all we do is test that both
4080 * sides of the communication produce the same results for different
4081 * protocol versions.
4083 static int test_export_key_mat_early(int idx)
4085 static const char label[] = "test label";
4086 static const unsigned char context[] = "context";
4088 SSL_CTX *cctx = NULL, *sctx = NULL;
4089 SSL *clientssl = NULL, *serverssl = NULL;
4090 SSL_SESSION *sess = NULL;
4091 const unsigned char *emptycontext = NULL;
4092 unsigned char ckeymat1[80], ckeymat2[80];
4093 unsigned char skeymat1[80], skeymat2[80];
4094 unsigned char buf[1];
4095 size_t readbytes, written;
4097 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4101 /* Here writing 0 length early data is enough. */
4102 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4103 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4105 SSL_READ_EARLY_DATA_ERROR)
4106 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4107 SSL_EARLY_DATA_ACCEPTED))
4110 if (!TEST_int_eq(SSL_export_keying_material_early(
4111 clientssl, ckeymat1, sizeof(ckeymat1), label,
4112 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4113 || !TEST_int_eq(SSL_export_keying_material_early(
4114 clientssl, ckeymat2, sizeof(ckeymat2), label,
4115 sizeof(label) - 1, emptycontext, 0), 1)
4116 || !TEST_int_eq(SSL_export_keying_material_early(
4117 serverssl, skeymat1, sizeof(skeymat1), label,
4118 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4119 || !TEST_int_eq(SSL_export_keying_material_early(
4120 serverssl, skeymat2, sizeof(skeymat2), label,
4121 sizeof(label) - 1, emptycontext, 0), 1)
4123 * Check that both sides created the same key material with the
4126 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4129 * Check that both sides created the same key material with an
4132 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4134 /* Different contexts should produce different results */
4135 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4142 SSL_SESSION_free(sess);
4143 SSL_SESSION_free(clientpsk);
4144 SSL_SESSION_free(serverpsk);
4145 clientpsk = serverpsk = NULL;
4146 SSL_free(serverssl);
4147 SSL_free(clientssl);
4153 #endif /* OPENSSL_NO_TLS1_3 */
4155 static int test_ssl_clear(int idx)
4157 SSL_CTX *cctx = NULL, *sctx = NULL;
4158 SSL *clientssl = NULL, *serverssl = NULL;
4161 #ifdef OPENSSL_NO_TLS1_2
4166 /* Create an initial connection */
4167 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4168 TLS1_VERSION, TLS_MAX_VERSION,
4169 &sctx, &cctx, cert, privkey))
4171 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4173 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4174 &clientssl, NULL, NULL))
4175 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4179 SSL_shutdown(clientssl);
4180 SSL_shutdown(serverssl);
4181 SSL_free(serverssl);
4184 /* Clear clientssl - we're going to reuse the object */
4185 if (!TEST_true(SSL_clear(clientssl)))
4188 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4190 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4192 || !TEST_true(SSL_session_reused(clientssl)))
4195 SSL_shutdown(clientssl);
4196 SSL_shutdown(serverssl);
4201 SSL_free(serverssl);
4202 SSL_free(clientssl);
4209 /* Parse CH and retrieve any MFL extension value if present */
4210 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4213 unsigned char *data;
4214 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4215 unsigned int MFL_code = 0, type = 0;
4217 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4220 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4221 /* Skip the record header */
4222 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4223 /* Skip the handshake message header */
4224 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4225 /* Skip client version and random */
4226 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4227 + SSL3_RANDOM_SIZE))
4228 /* Skip session id */
4229 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4231 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4232 /* Skip compression */
4233 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4234 /* Extensions len */
4235 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4238 /* Loop through all extensions */
4239 while (PACKET_remaining(&pkt2)) {
4240 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4241 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4244 if (type == TLSEXT_TYPE_max_fragment_length) {
4245 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4246 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4249 *mfl_codemfl_code = MFL_code;
4258 /* Maximum-Fragment-Length TLS extension mode to test */
4259 static const unsigned char max_fragment_len_test[] = {
4260 TLSEXT_max_fragment_length_512,
4261 TLSEXT_max_fragment_length_1024,
4262 TLSEXT_max_fragment_length_2048,
4263 TLSEXT_max_fragment_length_4096
4266 static int test_max_fragment_len_ext(int idx_tst)
4270 int testresult = 0, MFL_mode = 0;
4273 ctx = SSL_CTX_new(TLS_method());
4277 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4278 ctx, max_fragment_len_test[idx_tst])))
4285 rbio = BIO_new(BIO_s_mem());
4286 wbio = BIO_new(BIO_s_mem());
4287 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4293 SSL_set_bio(con, rbio, wbio);
4294 SSL_set_connect_state(con);
4296 if (!TEST_int_le(SSL_connect(con), 0)) {
4297 /* This shouldn't succeed because we don't have a server! */
4301 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4302 /* no MFL in client hello */
4304 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4316 #ifndef OPENSSL_NO_TLS1_3
4317 static int test_pha_key_update(void)
4319 SSL_CTX *cctx = NULL, *sctx = NULL;
4320 SSL *clientssl = NULL, *serverssl = NULL;
4323 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4324 TLS1_VERSION, TLS_MAX_VERSION,
4325 &sctx, &cctx, cert, privkey)))
4328 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4329 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4330 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4331 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4334 SSL_CTX_set_post_handshake_auth(cctx, 1);
4336 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4340 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4344 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4345 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4348 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4351 /* Start handshake on the server */
4352 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4355 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4356 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4360 SSL_shutdown(clientssl);
4361 SSL_shutdown(serverssl);
4366 SSL_free(serverssl);
4367 SSL_free(clientssl);
4374 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4376 static SRP_VBASE *vbase = NULL;
4378 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4380 int ret = SSL3_AL_FATAL;
4382 SRP_user_pwd *user = NULL;
4384 username = SSL_get_srp_username(s);
4385 if (username == NULL) {
4386 *ad = SSL_AD_INTERNAL_ERROR;
4390 user = SRP_VBASE_get1_by_user(vbase, username);
4392 *ad = SSL_AD_INTERNAL_ERROR;
4396 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4398 *ad = SSL_AD_INTERNAL_ERROR;
4405 SRP_user_pwd_free(user);
4409 static int create_new_vfile(char *userid, char *password, const char *filename)
4412 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4415 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4418 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4421 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4422 &row[DB_srpverifier], NULL, NULL);
4423 if (!TEST_ptr(gNid))
4427 * The only way to create an empty TXT_DB is to provide a BIO with no data
4430 db = TXT_DB_read(dummy, DB_NUMBER);
4434 out = BIO_new_file(filename, "w");
4438 row[DB_srpid] = OPENSSL_strdup(userid);
4439 row[DB_srptype] = OPENSSL_strdup("V");
4440 row[DB_srpgN] = OPENSSL_strdup(gNid);
4442 if (!TEST_ptr(row[DB_srpid])
4443 || !TEST_ptr(row[DB_srptype])
4444 || !TEST_ptr(row[DB_srpgN])
4445 || !TEST_true(TXT_DB_insert(db, row)))
4450 if (!TXT_DB_write(out, db))
4456 for (i = 0; i < DB_NUMBER; i++)
4457 OPENSSL_free(row[i]);
4467 static int create_new_vbase(char *userid, char *password)
4469 BIGNUM *verifier = NULL, *salt = NULL;
4470 const SRP_gN *lgN = NULL;
4471 SRP_user_pwd *user_pwd = NULL;
4474 lgN = SRP_get_default_gN(NULL);
4478 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4482 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4483 if (!TEST_ptr(user_pwd))
4486 user_pwd->N = lgN->N;
4487 user_pwd->g = lgN->g;
4488 user_pwd->id = OPENSSL_strdup(userid);
4489 if (!TEST_ptr(user_pwd->id))
4492 user_pwd->v = verifier;
4494 verifier = salt = NULL;
4496 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4502 SRP_user_pwd_free(user_pwd);
4512 * Test 0: Simple successful SRP connection, new vbase
4513 * Test 1: Connection failure due to bad password, new vbase
4514 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4515 * Test 3: Connection failure due to bad password, vbase loaded from existing
4517 * Test 4: Simple successful SRP connection, vbase loaded from new file
4518 * Test 5: Connection failure due to bad password, vbase loaded from new file
4520 static int test_srp(int tst)
4522 char *userid = "test", *password = "password", *tstsrpfile;
4523 SSL_CTX *cctx = NULL, *sctx = NULL;
4524 SSL *clientssl = NULL, *serverssl = NULL;
4525 int ret, testresult = 0;
4527 vbase = SRP_VBASE_new(NULL);
4528 if (!TEST_ptr(vbase))
4531 if (tst == 0 || tst == 1) {
4532 if (!TEST_true(create_new_vbase(userid, password)))
4535 if (tst == 4 || tst == 5) {
4536 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4538 tstsrpfile = tmpfilename;
4540 tstsrpfile = srpvfile;
4542 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4546 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4547 TLS1_VERSION, TLS_MAX_VERSION,
4548 &sctx, &cctx, cert, privkey)))
4551 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4552 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4553 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4554 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4555 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4559 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4562 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4566 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4570 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4572 if (!TEST_true(tst % 2 == 0))
4575 if (!TEST_true(tst % 2 == 1))
4582 SRP_VBASE_free(vbase);
4584 SSL_free(serverssl);
4585 SSL_free(clientssl);
4593 static int info_cb_failed = 0;
4594 static int info_cb_offset = 0;
4595 static int info_cb_this_state = -1;
4597 static struct info_cb_states_st {
4599 const char *statestr;
4600 } info_cb_states[][60] = {
4602 /* TLSv1.2 server followed by resumption */
4603 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4604 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4605 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4606 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4607 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4608 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4609 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4610 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4611 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4612 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4613 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4614 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4615 {SSL_CB_EXIT, NULL}, {0, NULL},
4617 /* TLSv1.2 client followed by resumption */
4618 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4619 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4620 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4621 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4622 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4623 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4624 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4625 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4626 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4627 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4628 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4629 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4631 /* TLSv1.3 server followed by resumption */
4632 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4633 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4634 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4635 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4636 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4637 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4638 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4639 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4640 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4641 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4642 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4643 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4644 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4645 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4646 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4647 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4648 {SSL_CB_EXIT, NULL}, {0, NULL},
4650 /* TLSv1.3 client followed by resumption */
4651 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4652 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4653 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4654 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4655 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4656 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4657 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4658 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4659 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4660 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4661 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4662 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4663 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4664 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4665 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4666 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4667 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4668 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4669 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4671 /* TLSv1.3 server, early_data */
4672 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4673 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4674 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4675 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4676 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4677 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4678 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4679 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4680 {SSL_CB_EXIT, NULL}, {0, NULL},
4682 /* TLSv1.3 client, early_data */
4683 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4684 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4685 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4686 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4687 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4688 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4689 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4690 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4691 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4692 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4698 static void sslapi_info_callback(const SSL *s, int where, int ret)
4700 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4702 /* We do not ever expect a connection to fail in this test */
4703 if (!TEST_false(ret == 0)) {
4709 * Do some sanity checks. We never expect these things to happen in this
4712 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4713 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4714 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4719 /* Now check we're in the right state */
4720 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4724 if ((where & SSL_CB_LOOP) != 0
4725 && !TEST_int_eq(strcmp(SSL_state_string(s),
4726 state[info_cb_this_state].statestr), 0)) {
4731 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4732 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4739 * Test the info callback gets called when we expect it to.
4741 * Test 0: TLSv1.2, server
4742 * Test 1: TLSv1.2, client
4743 * Test 2: TLSv1.3, server
4744 * Test 3: TLSv1.3, client
4745 * Test 4: TLSv1.3, server, early_data
4746 * Test 5: TLSv1.3, client, early_data
4748 static int test_info_callback(int tst)
4750 SSL_CTX *cctx = NULL, *sctx = NULL;
4751 SSL *clientssl = NULL, *serverssl = NULL;
4752 SSL_SESSION *clntsess = NULL;
4757 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
4758 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
4759 || !defined(OPENSSL_NO_DH))
4760 tlsvers = TLS1_2_VERSION;
4765 #ifndef OPENSSL_NO_TLS1_3
4766 tlsvers = TLS1_3_VERSION;
4774 info_cb_this_state = -1;
4775 info_cb_offset = tst;
4777 #ifndef OPENSSL_NO_TLS1_3
4779 SSL_SESSION *sess = NULL;
4780 size_t written, readbytes;
4781 unsigned char buf[80];
4783 /* early_data tests */
4784 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4785 &serverssl, &sess, 0)))
4788 /* We don't actually need this reference */
4789 SSL_SESSION_free(sess);
4791 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4792 sslapi_info_callback);
4794 /* Write and read some early data and then complete the connection */
4795 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4797 || !TEST_size_t_eq(written, strlen(MSG1))
4798 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4799 sizeof(buf), &readbytes),
4800 SSL_READ_EARLY_DATA_SUCCESS)
4801 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4802 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4803 SSL_EARLY_DATA_ACCEPTED)
4804 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4806 || !TEST_false(info_cb_failed))
4814 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4815 TLS_client_method(),
4816 tlsvers, tlsvers, &sctx, &cctx, cert,
4821 * For even numbered tests we check the server callbacks. For odd numbers we
4824 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4825 sslapi_info_callback);
4827 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4828 &clientssl, NULL, NULL))
4829 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4831 || !TEST_false(info_cb_failed))
4836 clntsess = SSL_get1_session(clientssl);
4837 SSL_shutdown(clientssl);
4838 SSL_shutdown(serverssl);
4839 SSL_free(serverssl);
4840 SSL_free(clientssl);
4841 serverssl = clientssl = NULL;
4843 /* Now do a resumption */
4844 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4846 || !TEST_true(SSL_set_session(clientssl, clntsess))
4847 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4849 || !TEST_true(SSL_session_reused(clientssl))
4850 || !TEST_false(info_cb_failed))
4856 SSL_free(serverssl);
4857 SSL_free(clientssl);
4858 SSL_SESSION_free(clntsess);
4864 static int test_ssl_pending(int tst)
4866 SSL_CTX *cctx = NULL, *sctx = NULL;
4867 SSL *clientssl = NULL, *serverssl = NULL;
4869 char msg[] = "A test message";
4871 size_t written, readbytes;
4874 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4875 TLS_client_method(),
4876 TLS1_VERSION, TLS_MAX_VERSION,
4877 &sctx, &cctx, cert, privkey)))
4880 #ifndef OPENSSL_NO_DTLS
4881 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4882 DTLS_client_method(),
4883 DTLS1_VERSION, DTLS_MAX_VERSION,
4884 &sctx, &cctx, cert, privkey)))
4891 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4893 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4897 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4898 || !TEST_false(SSL_has_pending(clientssl))
4899 || !TEST_int_eq(SSL_pending(serverssl), 0)
4900 || !TEST_false(SSL_has_pending(serverssl))
4901 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4902 || !TEST_size_t_eq(written, sizeof(msg))
4903 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4904 || !TEST_size_t_eq(readbytes, sizeof(buf))
4905 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4906 || !TEST_true(SSL_has_pending(clientssl)))
4912 SSL_free(serverssl);
4913 SSL_free(clientssl);
4921 unsigned int maxprot;
4922 const char *clntciphers;
4923 const char *clnttls13ciphers;
4924 const char *srvrciphers;
4925 const char *srvrtls13ciphers;
4927 } shared_ciphers_data[] = {
4929 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4930 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4932 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
4935 "AES128-SHA:AES256-SHA",
4937 "AES256-SHA:DHE-RSA-AES128-SHA",
4943 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4945 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4947 "AES128-SHA:AES256-SHA"
4951 "AES128-SHA:AES256-SHA",
4953 "AES128-SHA:DHE-RSA-AES128-SHA",
4959 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4962 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4963 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4966 "AES128-SHA:AES256-SHA",
4968 "AES256-SHA:AES128-SHA256",
4970 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4971 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4974 #ifndef OPENSSL_NO_TLS1_3
4978 "TLS_AES_256_GCM_SHA384",
4980 "TLS_AES_256_GCM_SHA384",
4981 "TLS_AES_256_GCM_SHA384"
4986 static int test_ssl_get_shared_ciphers(int tst)
4988 SSL_CTX *cctx = NULL, *sctx = NULL;
4989 SSL *clientssl = NULL, *serverssl = NULL;
4993 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4994 TLS_client_method(),
4996 shared_ciphers_data[tst].maxprot,
4997 &sctx, &cctx, cert, privkey)))
5000 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5001 shared_ciphers_data[tst].clntciphers))
5002 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5003 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5004 shared_ciphers_data[tst].clnttls13ciphers)))
5005 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5006 shared_ciphers_data[tst].srvrciphers))
5007 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5008 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5009 shared_ciphers_data[tst].srvrtls13ciphers))))
5013 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5015 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5019 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5020 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5021 TEST_info("Shared ciphers are: %s\n", buf);
5028 SSL_free(serverssl);
5029 SSL_free(clientssl);
5036 static const char *appdata = "Hello World";
5037 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5038 static int tick_key_renew = 0;
5039 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5041 static int gen_tick_cb(SSL *s, void *arg)
5043 gen_tick_called = 1;
5045 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5049 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5050 const unsigned char *keyname,
5051 size_t keyname_length,
5052 SSL_TICKET_STATUS status,
5058 dec_tick_called = 1;
5060 if (status == SSL_TICKET_EMPTY)
5061 return SSL_TICKET_RETURN_IGNORE_RENEW;
5063 if (!TEST_true(status == SSL_TICKET_SUCCESS
5064 || status == SSL_TICKET_SUCCESS_RENEW))
5065 return SSL_TICKET_RETURN_ABORT;
5067 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5069 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5070 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5071 return SSL_TICKET_RETURN_ABORT;
5073 if (tick_key_cb_called) {
5074 /* Don't change what the ticket key callback wanted to do */
5076 case SSL_TICKET_NO_DECRYPT:
5077 return SSL_TICKET_RETURN_IGNORE_RENEW;
5079 case SSL_TICKET_SUCCESS:
5080 return SSL_TICKET_RETURN_USE;
5082 case SSL_TICKET_SUCCESS_RENEW:
5083 return SSL_TICKET_RETURN_USE_RENEW;
5086 return SSL_TICKET_RETURN_ABORT;
5089 return tick_dec_ret;
5093 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5094 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5095 HMAC_CTX *hctx, int enc)
5097 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5098 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5100 tick_key_cb_called = 1;
5101 memset(iv, 0, AES_BLOCK_SIZE);
5102 memset(key_name, 0, 16);
5103 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5104 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5105 EVP_sha256(), NULL))
5108 return tick_key_renew ? 2 : 1;
5112 * Test the various ticket callbacks
5113 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5114 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5115 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5116 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5117 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5118 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5119 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5120 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5121 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5122 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5123 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5124 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5126 static int test_ticket_callbacks(int tst)
5128 SSL_CTX *cctx = NULL, *sctx = NULL;
5129 SSL *clientssl = NULL, *serverssl = NULL;
5130 SSL_SESSION *clntsess = NULL;
5133 #ifdef OPENSSL_NO_TLS1_2
5137 #ifdef OPENSSL_NO_TLS1_3
5142 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5144 /* Which tests the ticket key callback should request renewal for */
5145 if (tst == 10 || tst == 11)
5150 /* Which tests the decrypt ticket callback should request renewal for */
5154 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5159 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5164 tick_dec_ret = SSL_TICKET_RETURN_USE;
5169 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5173 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5176 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5177 TLS_client_method(),
5179 ((tst % 2) == 0) ? TLS1_2_VERSION
5181 &sctx, &cctx, cert, privkey)))
5185 * We only want sessions to resume from tickets - not the session cache. So
5186 * switch the cache off.
5188 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5191 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5196 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5199 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5201 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5206 * The decrypt ticket key callback in TLSv1.2 should be called even though
5207 * we have no ticket yet, because it gets called with a status of
5208 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5209 * actually send any ticket data). This does not happen in TLSv1.3 because
5210 * it is not valid to send empty ticket data in TLSv1.3.
5212 if (!TEST_int_eq(gen_tick_called, 1)
5213 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5216 gen_tick_called = dec_tick_called = 0;
5218 clntsess = SSL_get1_session(clientssl);
5219 SSL_shutdown(clientssl);
5220 SSL_shutdown(serverssl);
5221 SSL_free(serverssl);
5222 SSL_free(clientssl);
5223 serverssl = clientssl = NULL;
5225 /* Now do a resumption */
5226 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5228 || !TEST_true(SSL_set_session(clientssl, clntsess))
5229 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5233 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5234 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5235 if (!TEST_false(SSL_session_reused(clientssl)))
5238 if (!TEST_true(SSL_session_reused(clientssl)))
5242 if (!TEST_int_eq(gen_tick_called,
5244 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5245 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5247 || !TEST_int_eq(dec_tick_called, 1))
5253 SSL_SESSION_free(clntsess);
5254 SSL_free(serverssl);
5255 SSL_free(clientssl);
5263 * Test bi-directional shutdown.
5265 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5266 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5267 * Test 3: TLSv1.3, pending NewSessionTicket messages
5268 * Test 4: TLSv1.3, server continues to read/write after client shutdown, client
5270 * Test 5: TLSv1.3, server continues to read/write after client shutdown, client
5273 static int test_shutdown(int tst)
5275 SSL_CTX *cctx = NULL, *sctx = NULL;
5276 SSL *clientssl = NULL, *serverssl = NULL;
5278 char msg[] = "A test message";
5280 size_t written, readbytes;
5282 #ifdef OPENSSL_NO_TLS1_2
5286 #ifdef OPENSSL_NO_TLS1_3
5291 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5292 TLS_client_method(),
5294 (tst <= 1) ? TLS1_2_VERSION
5296 &sctx, &cctx, cert, privkey))
5297 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5302 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5305 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5310 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5315 * Reading on the server after the client has sent close_notify should
5316 * fail and provide SSL_ERROR_ZERO_RETURN
5318 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5319 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5320 SSL_ERROR_ZERO_RETURN)
5321 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5322 SSL_RECEIVED_SHUTDOWN)
5324 * Even though we're shutdown on receive we should still be
5327 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))
5328 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5331 /* Should still be able to read data from server */
5332 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5334 || !TEST_size_t_eq(readbytes, sizeof(msg))
5335 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5340 /* Writing on the client after sending close_notify shouldn't be possible */
5341 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5346 * For these tests the client has sent close_notify but it has not yet
5347 * been received by the server. The server has not sent close_notify
5350 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5352 * Writing on the server after sending close_notify shouldn't
5355 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5356 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5357 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5359 } else if (tst == 4) {
5361 * In this test the client has sent close_notify and it has been
5362 * received by the server which has responded with a close_notify. The
5363 * client needs to read the close_notify sent by the server.
5365 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
5371 * The client has sent close_notify and is expecting a close_notify
5372 * back, but instead there is application data first. The shutdown
5373 * should fail with a fatal error.
5375 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5376 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5383 SSL_free(serverssl);
5384 SSL_free(clientssl);
5391 int setup_tests(void)
5393 if (!TEST_ptr(cert = test_get_argument(0))
5394 || !TEST_ptr(privkey = test_get_argument(1))
5395 || !TEST_ptr(srpvfile = test_get_argument(2))
5396 || !TEST_ptr(tmpfilename = test_get_argument(3)))
5399 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
5400 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
5401 TEST_error("not supported in this build");
5404 int i, mcount, rcount, fcount;
5406 for (i = 0; i < 4; i++)
5407 test_export_key_mat(i);
5408 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
5409 test_printf_stdout("malloc %d realloc %d free %d\n",
5410 mcount, rcount, fcount);
5415 ADD_TEST(test_large_message_tls);
5416 ADD_TEST(test_large_message_tls_read_ahead);
5417 #ifndef OPENSSL_NO_DTLS
5418 ADD_TEST(test_large_message_dtls);
5420 #ifndef OPENSSL_NO_OCSP
5421 ADD_TEST(test_tlsext_status_type);
5423 ADD_TEST(test_session_with_only_int_cache);
5424 ADD_TEST(test_session_with_only_ext_cache);
5425 ADD_TEST(test_session_with_both_cache);
5426 #ifndef OPENSSL_NO_TLS1_3
5427 ADD_ALL_TESTS(test_stateful_tickets, 3);
5428 ADD_ALL_TESTS(test_stateless_tickets, 3);
5430 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
5431 ADD_TEST(test_ssl_bio_pop_next_bio);
5432 ADD_TEST(test_ssl_bio_pop_ssl_bio);
5433 ADD_TEST(test_ssl_bio_change_rbio);
5434 ADD_TEST(test_ssl_bio_change_wbio);
5435 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
5436 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
5437 ADD_TEST(test_keylog);
5439 #ifndef OPENSSL_NO_TLS1_3
5440 ADD_TEST(test_keylog_no_master_key);
5442 #ifndef OPENSSL_NO_TLS1_2
5443 ADD_TEST(test_client_hello_cb);
5445 #ifndef OPENSSL_NO_TLS1_3
5446 ADD_ALL_TESTS(test_early_data_read_write, 3);
5448 * We don't do replay tests for external PSK. Replay protection isn't used
5451 ADD_ALL_TESTS(test_early_data_replay, 2);
5452 ADD_ALL_TESTS(test_early_data_skip, 3);
5453 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
5454 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
5455 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
5456 ADD_ALL_TESTS(test_early_data_not_sent, 3);
5457 ADD_ALL_TESTS(test_early_data_psk, 8);
5458 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5459 # ifndef OPENSSL_NO_TLS1_2
5460 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5463 #ifndef OPENSSL_NO_TLS1_3
5464 ADD_ALL_TESTS(test_set_ciphersuite, 10);
5465 ADD_TEST(test_ciphersuite_change);
5466 #ifdef OPENSSL_NO_PSK
5467 ADD_ALL_TESTS(test_tls13_psk, 1);
5469 ADD_ALL_TESTS(test_tls13_psk, 4);
5470 #endif /* OPENSSL_NO_PSK */
5471 ADD_ALL_TESTS(test_custom_exts, 5);
5472 ADD_TEST(test_stateless);
5473 ADD_TEST(test_pha_key_update);
5475 ADD_ALL_TESTS(test_custom_exts, 3);
5477 ADD_ALL_TESTS(test_serverinfo, 8);
5478 ADD_ALL_TESTS(test_export_key_mat, 4);
5479 #ifndef OPENSSL_NO_TLS1_3
5480 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5482 ADD_ALL_TESTS(test_ssl_clear, 2);
5483 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
5484 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5485 ADD_ALL_TESTS(test_srp, 6);
5487 ADD_ALL_TESTS(test_info_callback, 6);
5488 ADD_ALL_TESTS(test_ssl_pending, 2);
5489 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
5490 ADD_ALL_TESTS(test_ticket_callbacks, 12);
5491 ADD_ALL_TESTS(test_shutdown, 6);
5495 void cleanup_tests(void)
5497 bio_s_mempacket_test_free();