2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/provider.h>
33 #include "ssltestlib.h"
35 #include "testutil/output.h"
36 #include "internal/nelem.h"
37 #include "internal/ktls.h"
38 #include "../ssl/ssl_local.h"
40 static OPENSSL_CTX *libctx = NULL;
41 static OSSL_PROVIDER *defctxnull = NULL;
43 #ifndef OPENSSL_NO_TLS1_3
45 static SSL_SESSION *clientpsk = NULL;
46 static SSL_SESSION *serverpsk = NULL;
47 static const char *pskid = "Identity";
48 static const char *srvid;
50 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
51 size_t *idlen, SSL_SESSION **sess);
52 static int find_session_cb(SSL *ssl, const unsigned char *identity,
53 size_t identity_len, SSL_SESSION **sess);
55 static int use_session_cb_cnt = 0;
56 static int find_session_cb_cnt = 0;
58 static SSL_SESSION *create_a_psk(SSL *ssl);
61 static char *certsdir = NULL;
62 static char *cert = NULL;
63 static char *privkey = NULL;
64 static char *srpvfile = NULL;
65 static char *tmpfilename = NULL;
67 static int is_fips = 0;
69 #define LOG_BUFFER_SIZE 2048
70 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
71 static size_t server_log_buffer_index = 0;
72 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
73 static size_t client_log_buffer_index = 0;
74 static int error_writing_log = 0;
76 #ifndef OPENSSL_NO_OCSP
77 static const unsigned char orespder[] = "Dummy OCSP Response";
78 static int ocsp_server_called = 0;
79 static int ocsp_client_called = 0;
81 static int cdummyarg = 1;
82 static X509 *ocspcert = NULL;
85 #define NUM_EXTRA_CERTS 40
86 #define CLIENT_VERSION_LEN 2
89 * This structure is used to validate that the correct number of log messages
90 * of various types are emitted when emitting secret logs.
92 struct sslapitest_log_counts {
93 unsigned int rsa_key_exchange_count;
94 unsigned int master_secret_count;
95 unsigned int client_early_secret_count;
96 unsigned int client_handshake_secret_count;
97 unsigned int server_handshake_secret_count;
98 unsigned int client_application_secret_count;
99 unsigned int server_application_secret_count;
100 unsigned int early_exporter_secret_count;
101 unsigned int exporter_secret_count;
105 static unsigned char serverinfov1[] = {
106 0xff, 0xff, /* Dummy extension type */
107 0x00, 0x01, /* Extension length is 1 byte */
108 0xff /* Dummy extension data */
111 static unsigned char serverinfov2[] = {
113 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
114 0xff, 0xff, /* Dummy extension type */
115 0x00, 0x01, /* Extension length is 1 byte */
116 0xff /* Dummy extension data */
119 static int hostname_cb(SSL *s, int *al, void *arg)
121 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
123 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
124 || strcmp(hostname, "altgoodhost") == 0))
125 return SSL_TLSEXT_ERR_OK;
127 return SSL_TLSEXT_ERR_NOACK;
130 static void client_keylog_callback(const SSL *ssl, const char *line)
132 int line_length = strlen(line);
134 /* If the log doesn't fit, error out. */
135 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
136 TEST_info("Client log too full");
137 error_writing_log = 1;
141 strcat(client_log_buffer, line);
142 client_log_buffer_index += line_length;
143 client_log_buffer[client_log_buffer_index++] = '\n';
146 static void server_keylog_callback(const SSL *ssl, const char *line)
148 int line_length = strlen(line);
150 /* If the log doesn't fit, error out. */
151 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
152 TEST_info("Server log too full");
153 error_writing_log = 1;
157 strcat(server_log_buffer, line);
158 server_log_buffer_index += line_length;
159 server_log_buffer[server_log_buffer_index++] = '\n';
162 static int compare_hex_encoded_buffer(const char *hex_encoded,
170 if (!TEST_size_t_eq(raw_length * 2, hex_length))
173 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
174 sprintf(hexed, "%02x", raw[i]);
175 if (!TEST_int_eq(hexed[0], hex_encoded[j])
176 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
183 static int test_keylog_output(char *buffer, const SSL *ssl,
184 const SSL_SESSION *session,
185 struct sslapitest_log_counts *expected)
188 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
189 size_t client_random_size = SSL3_RANDOM_SIZE;
190 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
191 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
192 unsigned int rsa_key_exchange_count = 0;
193 unsigned int master_secret_count = 0;
194 unsigned int client_early_secret_count = 0;
195 unsigned int client_handshake_secret_count = 0;
196 unsigned int server_handshake_secret_count = 0;
197 unsigned int client_application_secret_count = 0;
198 unsigned int server_application_secret_count = 0;
199 unsigned int early_exporter_secret_count = 0;
200 unsigned int exporter_secret_count = 0;
202 for (token = strtok(buffer, " \n"); token != NULL;
203 token = strtok(NULL, " \n")) {
204 if (strcmp(token, "RSA") == 0) {
206 * Premaster secret. Tokens should be: 16 ASCII bytes of
207 * hex-encoded encrypted secret, then the hex-encoded pre-master
210 if (!TEST_ptr(token = strtok(NULL, " \n")))
212 if (!TEST_size_t_eq(strlen(token), 16))
214 if (!TEST_ptr(token = strtok(NULL, " \n")))
217 * We can't sensibly check the log because the premaster secret is
218 * transient, and OpenSSL doesn't keep hold of it once the master
219 * secret is generated.
221 rsa_key_exchange_count++;
222 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
224 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
225 * client random, then the hex-encoded master secret.
227 client_random_size = SSL_get_client_random(ssl,
228 actual_client_random,
230 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
233 if (!TEST_ptr(token = strtok(NULL, " \n")))
235 if (!TEST_size_t_eq(strlen(token), 64))
237 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
238 actual_client_random,
239 client_random_size)))
242 if (!TEST_ptr(token = strtok(NULL, " \n")))
244 master_key_size = SSL_SESSION_get_master_key(session,
247 if (!TEST_size_t_ne(master_key_size, 0))
249 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
253 master_secret_count++;
254 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
255 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
256 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
257 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
258 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
259 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
260 || strcmp(token, "EXPORTER_SECRET") == 0) {
262 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
263 * client random, and then the hex-encoded secret. In this case,
264 * we treat all of these secrets identically and then just
265 * distinguish between them when counting what we saw.
267 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
268 client_early_secret_count++;
269 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
270 client_handshake_secret_count++;
271 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
272 server_handshake_secret_count++;
273 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
274 client_application_secret_count++;
275 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
276 server_application_secret_count++;
277 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
278 early_exporter_secret_count++;
279 else if (strcmp(token, "EXPORTER_SECRET") == 0)
280 exporter_secret_count++;
282 client_random_size = SSL_get_client_random(ssl,
283 actual_client_random,
285 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
288 if (!TEST_ptr(token = strtok(NULL, " \n")))
290 if (!TEST_size_t_eq(strlen(token), 64))
292 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
293 actual_client_random,
294 client_random_size)))
297 if (!TEST_ptr(token = strtok(NULL, " \n")))
301 * TODO(TLS1.3): test that application traffic secrets are what
304 TEST_info("Unexpected token %s\n", token);
309 /* Got what we expected? */
310 if (!TEST_size_t_eq(rsa_key_exchange_count,
311 expected->rsa_key_exchange_count)
312 || !TEST_size_t_eq(master_secret_count,
313 expected->master_secret_count)
314 || !TEST_size_t_eq(client_early_secret_count,
315 expected->client_early_secret_count)
316 || !TEST_size_t_eq(client_handshake_secret_count,
317 expected->client_handshake_secret_count)
318 || !TEST_size_t_eq(server_handshake_secret_count,
319 expected->server_handshake_secret_count)
320 || !TEST_size_t_eq(client_application_secret_count,
321 expected->client_application_secret_count)
322 || !TEST_size_t_eq(server_application_secret_count,
323 expected->server_application_secret_count)
324 || !TEST_size_t_eq(early_exporter_secret_count,
325 expected->early_exporter_secret_count)
326 || !TEST_size_t_eq(exporter_secret_count,
327 expected->exporter_secret_count))
332 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
333 static int test_keylog(void)
335 SSL_CTX *cctx = NULL, *sctx = NULL;
336 SSL *clientssl = NULL, *serverssl = NULL;
338 struct sslapitest_log_counts expected;
340 /* Clean up logging space */
341 memset(&expected, 0, sizeof(expected));
342 memset(client_log_buffer, 0, sizeof(client_log_buffer));
343 memset(server_log_buffer, 0, sizeof(server_log_buffer));
344 client_log_buffer_index = 0;
345 server_log_buffer_index = 0;
346 error_writing_log = 0;
348 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
351 &sctx, &cctx, cert, privkey)))
354 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
355 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
356 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
358 /* We also want to ensure that we use RSA-based key exchange. */
359 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
362 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
363 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
365 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
366 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
367 == client_keylog_callback))
369 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
370 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
371 == server_keylog_callback))
374 /* Now do a handshake and check that the logs have been written to. */
375 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
376 &clientssl, NULL, NULL))
377 || !TEST_true(create_ssl_connection(serverssl, clientssl,
379 || !TEST_false(error_writing_log)
380 || !TEST_int_gt(client_log_buffer_index, 0)
381 || !TEST_int_gt(server_log_buffer_index, 0))
385 * Now we want to test that our output data was vaguely sensible. We
386 * do that by using strtok and confirming that we have more or less the
387 * data we expect. For both client and server, we expect to see one master
388 * secret. The client should also see a RSA key exchange.
390 expected.rsa_key_exchange_count = 1;
391 expected.master_secret_count = 1;
392 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
393 SSL_get_session(clientssl), &expected)))
396 expected.rsa_key_exchange_count = 0;
397 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
398 SSL_get_session(serverssl), &expected)))
413 #ifndef OPENSSL_NO_TLS1_3
414 static int test_keylog_no_master_key(void)
416 SSL_CTX *cctx = NULL, *sctx = NULL;
417 SSL *clientssl = NULL, *serverssl = NULL;
418 SSL_SESSION *sess = NULL;
420 struct sslapitest_log_counts expected;
421 unsigned char buf[1];
422 size_t readbytes, written;
424 /* Clean up logging space */
425 memset(&expected, 0, sizeof(expected));
426 memset(client_log_buffer, 0, sizeof(client_log_buffer));
427 memset(server_log_buffer, 0, sizeof(server_log_buffer));
428 client_log_buffer_index = 0;
429 server_log_buffer_index = 0;
430 error_writing_log = 0;
432 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
433 TLS_client_method(), TLS1_VERSION, 0,
434 &sctx, &cctx, cert, privkey))
435 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
436 SSL3_RT_MAX_PLAIN_LENGTH)))
439 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
440 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
443 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
444 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
445 == client_keylog_callback))
448 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
449 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
450 == server_keylog_callback))
453 /* Now do a handshake and check that the logs have been written to. */
454 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
455 &clientssl, NULL, NULL))
456 || !TEST_true(create_ssl_connection(serverssl, clientssl,
458 || !TEST_false(error_writing_log))
462 * Now we want to test that our output data was vaguely sensible. For this
463 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
464 * TLSv1.3, but we do expect both client and server to emit keys.
466 expected.client_handshake_secret_count = 1;
467 expected.server_handshake_secret_count = 1;
468 expected.client_application_secret_count = 1;
469 expected.server_application_secret_count = 1;
470 expected.exporter_secret_count = 1;
471 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
472 SSL_get_session(clientssl), &expected))
473 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
474 SSL_get_session(serverssl),
478 /* Terminate old session and resume with early data. */
479 sess = SSL_get1_session(clientssl);
480 SSL_shutdown(clientssl);
481 SSL_shutdown(serverssl);
484 serverssl = clientssl = NULL;
487 memset(client_log_buffer, 0, sizeof(client_log_buffer));
488 memset(server_log_buffer, 0, sizeof(server_log_buffer));
489 client_log_buffer_index = 0;
490 server_log_buffer_index = 0;
492 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
493 &clientssl, NULL, NULL))
494 || !TEST_true(SSL_set_session(clientssl, sess))
495 /* Here writing 0 length early data is enough. */
496 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
497 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
499 SSL_READ_EARLY_DATA_ERROR)
500 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
501 SSL_EARLY_DATA_ACCEPTED)
502 || !TEST_true(create_ssl_connection(serverssl, clientssl,
504 || !TEST_true(SSL_session_reused(clientssl)))
507 /* In addition to the previous entries, expect early secrets. */
508 expected.client_early_secret_count = 1;
509 expected.early_exporter_secret_count = 1;
510 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
511 SSL_get_session(clientssl), &expected))
512 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
513 SSL_get_session(serverssl),
520 SSL_SESSION_free(sess);
530 #ifndef OPENSSL_NO_TLS1_2
531 static int full_client_hello_callback(SSL *s, int *al, void *arg)
534 const unsigned char *p;
536 /* We only configure two ciphers, but the SCSV is added automatically. */
538 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
540 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
543 const int expected_extensions[] = {
544 #ifndef OPENSSL_NO_EC
550 /* Make sure we can defer processing and get called back. */
552 return SSL_CLIENT_HELLO_RETRY;
554 len = SSL_client_hello_get0_ciphers(s, &p);
555 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
557 SSL_client_hello_get0_compression_methods(s, &p), 1)
558 || !TEST_int_eq(*p, 0))
559 return SSL_CLIENT_HELLO_ERROR;
560 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
561 return SSL_CLIENT_HELLO_ERROR;
562 if (len != OSSL_NELEM(expected_extensions) ||
563 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
564 printf("ClientHello callback expected extensions mismatch\n");
566 return SSL_CLIENT_HELLO_ERROR;
569 return SSL_CLIENT_HELLO_SUCCESS;
572 static int test_client_hello_cb(void)
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
576 int testctr = 0, testresult = 0;
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, cert, privkey)))
582 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
584 /* The gimpy cipher list we configure can't do TLS 1.3. */
585 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
587 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
588 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
589 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
590 &clientssl, NULL, NULL))
591 || !TEST_false(create_ssl_connection(serverssl, clientssl,
592 SSL_ERROR_WANT_CLIENT_HELLO_CB))
594 * Passing a -1 literal is a hack since
595 * the real value was lost.
597 || !TEST_int_eq(SSL_get_error(serverssl, -1),
598 SSL_ERROR_WANT_CLIENT_HELLO_CB)
599 || !TEST_true(create_ssl_connection(serverssl, clientssl,
614 static int test_no_ems(void)
616 SSL_CTX *cctx = NULL, *sctx = NULL;
617 SSL *clientssl = NULL, *serverssl = NULL;
620 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
621 TLS1_VERSION, TLS1_2_VERSION,
622 &sctx, &cctx, cert, privkey)) {
623 printf("Unable to create SSL_CTX pair\n");
627 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
629 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
630 printf("Unable to create SSL objects\n");
634 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
635 printf("Creating SSL connection failed\n");
639 if (SSL_get_extms_support(serverssl)) {
640 printf("Server reports Extended Master Secret support\n");
644 if (SSL_get_extms_support(clientssl)) {
645 printf("Client reports Extended Master Secret support\n");
661 * Very focused test to exercise a single case in the server-side state
662 * machine, when the ChangeCipherState message needs to actually change
663 * from one cipher to a different cipher (i.e., not changing from null
664 * encryption to real encryption).
666 static int test_ccs_change_cipher(void)
668 SSL_CTX *cctx = NULL, *sctx = NULL;
669 SSL *clientssl = NULL, *serverssl = NULL;
670 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
677 * Create a conection so we can resume and potentially (but not) use
678 * a different cipher in the second connection.
680 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
682 TLS1_VERSION, TLS1_2_VERSION,
683 &sctx, &cctx, cert, privkey))
684 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
685 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
687 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
688 || !TEST_true(create_ssl_connection(serverssl, clientssl,
690 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
691 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
694 shutdown_ssl_connection(serverssl, clientssl);
695 serverssl = clientssl = NULL;
697 /* Resume, preferring a different cipher. Our server will force the
698 * same cipher to be used as the initial handshake. */
699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
701 || !TEST_true(SSL_set_session(clientssl, sess))
702 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
703 || !TEST_true(create_ssl_connection(serverssl, clientssl,
705 || !TEST_true(SSL_session_reused(clientssl))
706 || !TEST_true(SSL_session_reused(serverssl))
707 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
708 || !TEST_ptr_eq(sesspre, sesspost)
709 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
710 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
712 shutdown_ssl_connection(serverssl, clientssl);
713 serverssl = clientssl = NULL;
716 * Now create a fresh connection and try to renegotiate a different
719 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
721 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
722 || !TEST_true(create_ssl_connection(serverssl, clientssl,
724 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
725 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
726 || !TEST_true(SSL_renegotiate(clientssl))
727 || !TEST_true(SSL_renegotiate_pending(clientssl)))
729 /* Actually drive the renegotiation. */
730 for (i = 0; i < 3; i++) {
731 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
732 if (!TEST_ulong_eq(readbytes, 0))
734 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
735 SSL_ERROR_WANT_READ)) {
738 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
739 if (!TEST_ulong_eq(readbytes, 0))
741 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
742 SSL_ERROR_WANT_READ)) {
746 /* sesspre and sesspost should be different since the cipher changed. */
747 if (!TEST_false(SSL_renegotiate_pending(clientssl))
748 || !TEST_false(SSL_session_reused(clientssl))
749 || !TEST_false(SSL_session_reused(serverssl))
750 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
751 || !TEST_ptr_ne(sesspre, sesspost)
752 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
753 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
756 shutdown_ssl_connection(serverssl, clientssl);
757 serverssl = clientssl = NULL;
766 SSL_SESSION_free(sess);
771 static int execute_test_large_message(const SSL_METHOD *smeth,
772 const SSL_METHOD *cmeth,
773 int min_version, int max_version,
776 SSL_CTX *cctx = NULL, *sctx = NULL;
777 SSL *clientssl = NULL, *serverssl = NULL;
781 X509 *chaincert = NULL;
784 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
786 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
789 if (!TEST_ptr(chaincert))
792 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
793 max_version, &sctx, &cctx, cert,
799 * Test that read_ahead works correctly when dealing with large
802 SSL_CTX_set_read_ahead(cctx, 1);
806 * We assume the supplied certificate is big enough so that if we add
807 * NUM_EXTRA_CERTS it will make the overall message large enough. The
808 * default buffer size is requested to be 16k, but due to the way BUF_MEM
809 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
810 * test we need to have a message larger than that.
812 certlen = i2d_X509(chaincert, NULL);
813 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
814 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
815 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
816 if (!X509_up_ref(chaincert))
818 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
819 X509_free(chaincert);
824 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
826 || !TEST_true(create_ssl_connection(serverssl, clientssl,
831 * Calling SSL_clear() first is not required but this tests that SSL_clear()
834 if (!TEST_true(SSL_clear(serverssl)))
839 X509_free(chaincert);
848 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
849 && !defined(OPENSSL_NO_SOCK)
851 /* sock must be connected */
852 static int ktls_chk_platform(int sock)
854 if (!ktls_enable(sock))
859 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
861 static char count = 1;
862 unsigned char cbuf[16000] = {0};
863 unsigned char sbuf[16000];
865 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
866 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
867 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
868 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
869 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
870 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
871 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
872 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
875 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
876 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
877 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
878 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
879 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
880 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
881 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
882 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
884 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
887 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
888 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
893 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
896 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
897 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
902 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
903 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
904 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
905 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
906 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
907 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
908 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
909 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
911 /* verify the payload */
912 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
915 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
916 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
917 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
918 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
921 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
922 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
926 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
927 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
928 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
931 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
932 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
936 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
937 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
938 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
941 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
942 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
946 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
947 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
948 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
951 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
952 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
961 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
962 int sis_ktls_tx, int sis_ktls_rx)
964 SSL_CTX *cctx = NULL, *sctx = NULL;
965 SSL *clientssl = NULL, *serverssl = NULL;
969 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
972 /* Skip this test if the platform does not support ktls */
973 if (!ktls_chk_platform(cfd))
976 /* Create a session based on SHA-256 */
977 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
979 TLS1_2_VERSION, TLS1_2_VERSION,
980 &sctx, &cctx, cert, privkey))
981 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
982 "AES128-GCM-SHA256"))
983 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
984 &clientssl, sfd, cfd)))
988 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
993 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
998 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1003 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1007 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1012 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1015 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1020 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1023 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1028 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1031 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1036 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1039 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1043 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1049 SSL_shutdown(clientssl);
1050 SSL_free(clientssl);
1053 SSL_shutdown(serverssl);
1054 SSL_free(serverssl);
1058 serverssl = clientssl = NULL;
1062 #define SENDFILE_SZ (16 * 4096)
1063 #define SENDFILE_CHUNK (4 * 4096)
1064 #define min(a,b) ((a) > (b) ? (b) : (a))
1066 static int test_ktls_sendfile(void)
1068 SSL_CTX *cctx = NULL, *sctx = NULL;
1069 SSL *clientssl = NULL, *serverssl = NULL;
1070 unsigned char *buf, *buf_dst;
1071 BIO *out = NULL, *in = NULL;
1072 int cfd, sfd, ffd, err;
1073 ssize_t chunk_size = 0;
1074 off_t chunk_off = 0;
1078 buf = OPENSSL_zalloc(SENDFILE_SZ);
1079 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1080 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1081 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1084 /* Skip this test if the platform does not support ktls */
1085 if (!ktls_chk_platform(sfd)) {
1090 /* Create a session based on SHA-256 */
1091 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1092 TLS_client_method(),
1093 TLS1_2_VERSION, TLS1_2_VERSION,
1094 &sctx, &cctx, cert, privkey))
1095 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1096 "AES128-GCM-SHA256"))
1097 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1098 &clientssl, sfd, cfd)))
1101 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1103 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1106 RAND_bytes(buf, SENDFILE_SZ);
1107 out = BIO_new_file(tmpfilename, "wb");
1111 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1116 in = BIO_new_file(tmpfilename, "rb");
1117 BIO_get_fp(in, &ffdp);
1120 while (chunk_off < SENDFILE_SZ) {
1121 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1122 while ((err = SSL_sendfile(serverssl,
1126 0)) != chunk_size) {
1127 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1130 while ((err = SSL_read(clientssl,
1131 buf_dst + chunk_off,
1132 chunk_size)) != chunk_size) {
1133 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1137 /* verify the payload */
1138 if (!TEST_mem_eq(buf_dst + chunk_off,
1144 chunk_off += chunk_size;
1150 SSL_shutdown(clientssl);
1151 SSL_free(clientssl);
1154 SSL_shutdown(serverssl);
1155 SSL_free(serverssl);
1159 serverssl = clientssl = NULL;
1163 OPENSSL_free(buf_dst);
1167 static int test_ktls_no_txrx_client_no_txrx_server(void)
1169 return execute_test_ktls(0, 0, 0, 0);
1172 static int test_ktls_no_rx_client_no_txrx_server(void)
1174 return execute_test_ktls(1, 0, 0, 0);
1177 static int test_ktls_no_tx_client_no_txrx_server(void)
1179 return execute_test_ktls(0, 1, 0, 0);
1182 static int test_ktls_client_no_txrx_server(void)
1184 return execute_test_ktls(1, 1, 0, 0);
1187 static int test_ktls_no_txrx_client_no_rx_server(void)
1189 return execute_test_ktls(0, 0, 1, 0);
1192 static int test_ktls_no_rx_client_no_rx_server(void)
1194 return execute_test_ktls(1, 0, 1, 0);
1197 static int test_ktls_no_tx_client_no_rx_server(void)
1199 return execute_test_ktls(0, 1, 1, 0);
1202 static int test_ktls_client_no_rx_server(void)
1204 return execute_test_ktls(1, 1, 1, 0);
1207 static int test_ktls_no_txrx_client_no_tx_server(void)
1209 return execute_test_ktls(0, 0, 0, 1);
1212 static int test_ktls_no_rx_client_no_tx_server(void)
1214 return execute_test_ktls(1, 0, 0, 1);
1217 static int test_ktls_no_tx_client_no_tx_server(void)
1219 return execute_test_ktls(0, 1, 0, 1);
1222 static int test_ktls_client_no_tx_server(void)
1224 return execute_test_ktls(1, 1, 0, 1);
1227 static int test_ktls_no_txrx_client_server(void)
1229 return execute_test_ktls(0, 0, 1, 1);
1232 static int test_ktls_no_rx_client_server(void)
1234 return execute_test_ktls(1, 0, 1, 1);
1237 static int test_ktls_no_tx_client_server(void)
1239 return execute_test_ktls(0, 1, 1, 1);
1242 static int test_ktls_client_server(void)
1244 return execute_test_ktls(1, 1, 1, 1);
1248 static int test_large_message_tls(void)
1250 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1251 TLS1_VERSION, 0, 0);
1254 static int test_large_message_tls_read_ahead(void)
1256 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1257 TLS1_VERSION, 0, 1);
1260 #ifndef OPENSSL_NO_DTLS
1261 static int test_large_message_dtls(void)
1264 * read_ahead is not relevant to DTLS because DTLS always acts as if
1265 * read_ahead is set.
1267 return execute_test_large_message(DTLS_server_method(),
1268 DTLS_client_method(),
1269 DTLS1_VERSION, 0, 0);
1273 #ifndef OPENSSL_NO_OCSP
1274 static int ocsp_server_cb(SSL *s, void *arg)
1276 int *argi = (int *)arg;
1277 unsigned char *copy = NULL;
1278 STACK_OF(OCSP_RESPID) *ids = NULL;
1279 OCSP_RESPID *id = NULL;
1282 /* In this test we are expecting exactly 1 OCSP_RESPID */
1283 SSL_get_tlsext_status_ids(s, &ids);
1284 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1285 return SSL_TLSEXT_ERR_ALERT_FATAL;
1287 id = sk_OCSP_RESPID_value(ids, 0);
1288 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1289 return SSL_TLSEXT_ERR_ALERT_FATAL;
1290 } else if (*argi != 1) {
1291 return SSL_TLSEXT_ERR_ALERT_FATAL;
1294 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1295 return SSL_TLSEXT_ERR_ALERT_FATAL;
1297 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1298 ocsp_server_called = 1;
1299 return SSL_TLSEXT_ERR_OK;
1302 static int ocsp_client_cb(SSL *s, void *arg)
1304 int *argi = (int *)arg;
1305 const unsigned char *respderin;
1308 if (*argi != 1 && *argi != 2)
1311 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1312 if (!TEST_mem_eq(orespder, len, respderin, len))
1315 ocsp_client_called = 1;
1319 static int test_tlsext_status_type(void)
1321 SSL_CTX *cctx = NULL, *sctx = NULL;
1322 SSL *clientssl = NULL, *serverssl = NULL;
1324 STACK_OF(OCSP_RESPID) *ids = NULL;
1325 OCSP_RESPID *id = NULL;
1326 BIO *certbio = NULL;
1328 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1330 &sctx, &cctx, cert, privkey))
1333 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1336 /* First just do various checks getting and setting tlsext_status_type */
1338 clientssl = SSL_new(cctx);
1339 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1340 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1341 TLSEXT_STATUSTYPE_ocsp))
1342 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1343 TLSEXT_STATUSTYPE_ocsp))
1346 SSL_free(clientssl);
1349 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1350 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1353 clientssl = SSL_new(cctx);
1354 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1356 SSL_free(clientssl);
1360 * Now actually do a handshake and check OCSP information is exchanged and
1361 * the callbacks get called
1363 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1364 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1365 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1366 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1367 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1368 &clientssl, NULL, NULL))
1369 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1371 || !TEST_true(ocsp_client_called)
1372 || !TEST_true(ocsp_server_called))
1374 SSL_free(serverssl);
1375 SSL_free(clientssl);
1379 /* Try again but this time force the server side callback to fail */
1380 ocsp_client_called = 0;
1381 ocsp_server_called = 0;
1383 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1384 &clientssl, NULL, NULL))
1385 /* This should fail because the callback will fail */
1386 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1388 || !TEST_false(ocsp_client_called)
1389 || !TEST_false(ocsp_server_called))
1391 SSL_free(serverssl);
1392 SSL_free(clientssl);
1397 * This time we'll get the client to send an OCSP_RESPID that it will
1400 ocsp_client_called = 0;
1401 ocsp_server_called = 0;
1403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1404 &clientssl, NULL, NULL)))
1408 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1409 * specific one. We'll use the server cert.
1411 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1412 || !TEST_ptr(id = OCSP_RESPID_new())
1413 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1414 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1416 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1417 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1420 SSL_set_tlsext_status_ids(clientssl, ids);
1421 /* Control has been transferred */
1427 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1429 || !TEST_true(ocsp_client_called)
1430 || !TEST_true(ocsp_server_called))
1436 SSL_free(serverssl);
1437 SSL_free(clientssl);
1440 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1441 OCSP_RESPID_free(id);
1443 X509_free(ocspcert);
1450 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1451 static int new_called, remove_called, get_called;
1453 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1457 * sess has been up-refed for us, but we don't actually need it so free it
1460 SSL_SESSION_free(sess);
1464 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1469 static SSL_SESSION *get_sess_val = NULL;
1471 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1476 return get_sess_val;
1479 static int execute_test_session(int maxprot, int use_int_cache,
1482 SSL_CTX *sctx = NULL, *cctx = NULL;
1483 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1484 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1485 # ifndef OPENSSL_NO_TLS1_1
1486 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1488 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1489 int testresult = 0, numnewsesstick = 1;
1491 new_called = remove_called = 0;
1493 /* TLSv1.3 sends 2 NewSessionTickets */
1494 if (maxprot == TLS1_3_VERSION)
1497 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1498 TLS_client_method(), TLS1_VERSION, 0,
1499 &sctx, &cctx, cert, privkey)))
1503 * Only allow the max protocol version so we can force a connection failure
1506 SSL_CTX_set_min_proto_version(cctx, maxprot);
1507 SSL_CTX_set_max_proto_version(cctx, maxprot);
1509 /* Set up session cache */
1510 if (use_ext_cache) {
1511 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1512 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1514 if (use_int_cache) {
1515 /* Also covers instance where both are set */
1516 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1518 SSL_CTX_set_session_cache_mode(cctx,
1519 SSL_SESS_CACHE_CLIENT
1520 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1525 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1527 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1530 /* Should fail because it should already be in the cache */
1531 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1534 && (!TEST_int_eq(new_called, numnewsesstick)
1536 || !TEST_int_eq(remove_called, 0)))
1539 new_called = remove_called = 0;
1540 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1541 &clientssl2, NULL, NULL))
1542 || !TEST_true(SSL_set_session(clientssl2, sess1))
1543 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1545 || !TEST_true(SSL_session_reused(clientssl2)))
1548 if (maxprot == TLS1_3_VERSION) {
1550 * In TLSv1.3 we should have created a new session even though we have
1551 * resumed. Since we attempted a resume we should also have removed the
1552 * old ticket from the cache so that we try to only use tickets once.
1555 && (!TEST_int_eq(new_called, 1)
1556 || !TEST_int_eq(remove_called, 1)))
1560 * In TLSv1.2 we expect to have resumed so no sessions added or
1564 && (!TEST_int_eq(new_called, 0)
1565 || !TEST_int_eq(remove_called, 0)))
1569 SSL_SESSION_free(sess1);
1570 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1572 shutdown_ssl_connection(serverssl2, clientssl2);
1573 serverssl2 = clientssl2 = NULL;
1575 new_called = remove_called = 0;
1576 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1577 &clientssl2, NULL, NULL))
1578 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1582 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1586 && (!TEST_int_eq(new_called, numnewsesstick)
1587 || !TEST_int_eq(remove_called, 0)))
1590 new_called = remove_called = 0;
1592 * This should clear sess2 from the cache because it is a "bad" session.
1593 * See SSL_set_session() documentation.
1595 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1598 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1600 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1603 if (use_int_cache) {
1604 /* Should succeeded because it should not already be in the cache */
1605 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1606 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1610 new_called = remove_called = 0;
1611 /* This shouldn't be in the cache so should fail */
1612 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1616 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1619 # if !defined(OPENSSL_NO_TLS1_1)
1620 new_called = remove_called = 0;
1621 /* Force a connection failure */
1622 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1623 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1624 &clientssl3, NULL, NULL))
1625 || !TEST_true(SSL_set_session(clientssl3, sess1))
1626 /* This should fail because of the mismatched protocol versions */
1627 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1631 /* We should have automatically removed the session from the cache */
1633 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1636 /* Should succeed because it should not already be in the cache */
1637 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1641 /* Now do some tests for server side caching */
1642 if (use_ext_cache) {
1643 SSL_CTX_sess_set_new_cb(cctx, NULL);
1644 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1645 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1646 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1647 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1648 get_sess_val = NULL;
1651 SSL_CTX_set_session_cache_mode(cctx, 0);
1652 /* Internal caching is the default on the server side */
1654 SSL_CTX_set_session_cache_mode(sctx,
1655 SSL_SESS_CACHE_SERVER
1656 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1658 SSL_free(serverssl1);
1659 SSL_free(clientssl1);
1660 serverssl1 = clientssl1 = NULL;
1661 SSL_free(serverssl2);
1662 SSL_free(clientssl2);
1663 serverssl2 = clientssl2 = NULL;
1664 SSL_SESSION_free(sess1);
1666 SSL_SESSION_free(sess2);
1669 SSL_CTX_set_max_proto_version(sctx, maxprot);
1670 if (maxprot == TLS1_2_VERSION)
1671 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1672 new_called = remove_called = get_called = 0;
1673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1675 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1677 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1678 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1681 if (use_int_cache) {
1682 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1684 * In TLSv1.3 it should not have been added to the internal cache,
1685 * except in the case where we also have an external cache (in that
1686 * case it gets added to the cache in order to generate remove
1687 * events after timeout).
1689 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1692 /* Should fail because it should already be in the cache */
1693 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1698 if (use_ext_cache) {
1699 SSL_SESSION *tmp = sess2;
1701 if (!TEST_int_eq(new_called, numnewsesstick)
1702 || !TEST_int_eq(remove_called, 0)
1703 || !TEST_int_eq(get_called, 0))
1706 * Delete the session from the internal cache to force a lookup from
1707 * the external cache. We take a copy first because
1708 * SSL_CTX_remove_session() also marks the session as non-resumable.
1710 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1711 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1712 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1714 SSL_SESSION_free(sess2);
1719 new_called = remove_called = get_called = 0;
1720 get_sess_val = sess2;
1721 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1722 &clientssl2, NULL, NULL))
1723 || !TEST_true(SSL_set_session(clientssl2, sess1))
1724 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1726 || !TEST_true(SSL_session_reused(clientssl2)))
1729 if (use_ext_cache) {
1730 if (!TEST_int_eq(remove_called, 0))
1733 if (maxprot == TLS1_3_VERSION) {
1734 if (!TEST_int_eq(new_called, 1)
1735 || !TEST_int_eq(get_called, 0))
1738 if (!TEST_int_eq(new_called, 0)
1739 || !TEST_int_eq(get_called, 1))
1747 SSL_free(serverssl1);
1748 SSL_free(clientssl1);
1749 SSL_free(serverssl2);
1750 SSL_free(clientssl2);
1751 # ifndef OPENSSL_NO_TLS1_1
1752 SSL_free(serverssl3);
1753 SSL_free(clientssl3);
1755 SSL_SESSION_free(sess1);
1756 SSL_SESSION_free(sess2);
1762 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1764 static int test_session_with_only_int_cache(void)
1766 #ifndef OPENSSL_NO_TLS1_3
1767 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1771 #ifndef OPENSSL_NO_TLS1_2
1772 return execute_test_session(TLS1_2_VERSION, 1, 0);
1778 static int test_session_with_only_ext_cache(void)
1780 #ifndef OPENSSL_NO_TLS1_3
1781 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1785 #ifndef OPENSSL_NO_TLS1_2
1786 return execute_test_session(TLS1_2_VERSION, 0, 1);
1792 static int test_session_with_both_cache(void)
1794 #ifndef OPENSSL_NO_TLS1_3
1795 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1799 #ifndef OPENSSL_NO_TLS1_2
1800 return execute_test_session(TLS1_2_VERSION, 1, 1);
1806 #ifndef OPENSSL_NO_TLS1_3
1807 static SSL_SESSION *sesscache[6];
1808 static int do_cache;
1810 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1813 sesscache[new_called] = sess;
1815 /* We don't need the reference to the session, so free it */
1816 SSL_SESSION_free(sess);
1823 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1825 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1826 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1829 /* Start handshake on the server and client */
1830 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1831 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1832 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1833 || !TEST_true(create_ssl_connection(sssl, cssl,
1840 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1843 int sess_id_ctx = 1;
1845 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1846 TLS_client_method(), TLS1_VERSION, 0,
1847 sctx, cctx, cert, privkey))
1848 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1849 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1850 (void *)&sess_id_ctx,
1851 sizeof(sess_id_ctx))))
1855 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1857 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1858 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1859 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1864 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1866 SSL *serverssl = NULL, *clientssl = NULL;
1869 /* Test that we can resume with all the tickets we got given */
1870 for (i = 0; i < idx * 2; i++) {
1872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1873 &clientssl, NULL, NULL))
1874 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1877 SSL_set_post_handshake_auth(clientssl, 1);
1879 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1884 * Following a successful resumption we only get 1 ticket. After a
1885 * failed one we should get idx tickets.
1888 if (!TEST_true(SSL_session_reused(clientssl))
1889 || !TEST_int_eq(new_called, 1))
1892 if (!TEST_false(SSL_session_reused(clientssl))
1893 || !TEST_int_eq(new_called, idx))
1898 /* After a post-handshake authentication we should get 1 new ticket */
1900 && (!post_handshake_verify(serverssl, clientssl)
1901 || !TEST_int_eq(new_called, 1)))
1904 SSL_shutdown(clientssl);
1905 SSL_shutdown(serverssl);
1906 SSL_free(serverssl);
1907 SSL_free(clientssl);
1908 serverssl = clientssl = NULL;
1909 SSL_SESSION_free(sesscache[i]);
1910 sesscache[i] = NULL;
1916 SSL_free(clientssl);
1917 SSL_free(serverssl);
1921 static int test_tickets(int stateful, int idx)
1923 SSL_CTX *sctx = NULL, *cctx = NULL;
1924 SSL *serverssl = NULL, *clientssl = NULL;
1928 /* idx is the test number, but also the number of tickets we want */
1933 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1937 &clientssl, NULL, NULL)))
1940 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1942 /* Check we got the number of tickets we were expecting */
1943 || !TEST_int_eq(idx, new_called))
1946 SSL_shutdown(clientssl);
1947 SSL_shutdown(serverssl);
1948 SSL_free(serverssl);
1949 SSL_free(clientssl);
1952 clientssl = serverssl = NULL;
1956 * Now we try to resume with the tickets we previously created. The
1957 * resumption attempt is expected to fail (because we're now using a new
1958 * SSL_CTX). We should see idx number of tickets issued again.
1961 /* Stop caching sessions - just count them */
1964 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1967 if (!check_resumption(idx, sctx, cctx, 0))
1970 /* Start again with caching sessions */
1977 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1981 &clientssl, NULL, NULL)))
1984 SSL_set_post_handshake_auth(clientssl, 1);
1986 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1988 /* Check we got the number of tickets we were expecting */
1989 || !TEST_int_eq(idx, new_called))
1992 /* After a post-handshake authentication we should get new tickets issued */
1993 if (!post_handshake_verify(serverssl, clientssl)
1994 || !TEST_int_eq(idx * 2, new_called))
1997 SSL_shutdown(clientssl);
1998 SSL_shutdown(serverssl);
1999 SSL_free(serverssl);
2000 SSL_free(clientssl);
2001 serverssl = clientssl = NULL;
2003 /* Stop caching sessions - just count them */
2007 * Check we can resume with all the tickets we created. This time around the
2008 * resumptions should all be successful.
2010 if (!check_resumption(idx, sctx, cctx, 1))
2016 SSL_free(serverssl);
2017 SSL_free(clientssl);
2018 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2019 SSL_SESSION_free(sesscache[j]);
2020 sesscache[j] = NULL;
2028 static int test_stateless_tickets(int idx)
2030 return test_tickets(0, idx);
2033 static int test_stateful_tickets(int idx)
2035 return test_tickets(1, idx);
2038 static int test_psk_tickets(void)
2040 SSL_CTX *sctx = NULL, *cctx = NULL;
2041 SSL *serverssl = NULL, *clientssl = NULL;
2043 int sess_id_ctx = 1;
2045 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2046 TLS_client_method(), TLS1_VERSION, 0,
2047 &sctx, &cctx, NULL, NULL))
2048 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2049 (void *)&sess_id_ctx,
2050 sizeof(sess_id_ctx))))
2053 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2054 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2055 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2056 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2057 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2058 use_session_cb_cnt = 0;
2059 find_session_cb_cnt = 0;
2063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2066 clientpsk = serverpsk = create_a_psk(clientssl);
2067 if (!TEST_ptr(clientpsk))
2069 SSL_SESSION_up_ref(clientpsk);
2071 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2073 || !TEST_int_eq(1, find_session_cb_cnt)
2074 || !TEST_int_eq(1, use_session_cb_cnt)
2075 /* We should always get 1 ticket when using external PSK */
2076 || !TEST_int_eq(1, new_called))
2082 SSL_free(serverssl);
2083 SSL_free(clientssl);
2086 SSL_SESSION_free(clientpsk);
2087 SSL_SESSION_free(serverpsk);
2088 clientpsk = serverpsk = NULL;
2097 #define USE_DEFAULT 3
2099 #define CONNTYPE_CONNECTION_SUCCESS 0
2100 #define CONNTYPE_CONNECTION_FAIL 1
2101 #define CONNTYPE_NO_CONNECTION 2
2103 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2104 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2105 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2106 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2108 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2111 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2112 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2113 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2115 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2132 * Tests calls to SSL_set_bio() under various conditions.
2134 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2135 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2136 * then do more tests where we create a successful connection first using our
2137 * standard connection setup functions, and then call SSL_set_bio() with
2138 * various combinations of valid BIOs or NULL. We then repeat these tests
2139 * following a failed connection. In this last case we are looking to check that
2140 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2142 static int test_ssl_set_bio(int idx)
2144 SSL_CTX *sctx = NULL, *cctx = NULL;
2147 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2148 SSL *serverssl = NULL, *clientssl = NULL;
2149 int initrbio, initwbio, newrbio, newwbio, conntype;
2152 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2160 conntype = CONNTYPE_NO_CONNECTION;
2162 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2163 initrbio = initwbio = USE_DEFAULT;
2171 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2172 TLS_client_method(), TLS1_VERSION, 0,
2173 &sctx, &cctx, cert, privkey)))
2176 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2178 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2179 * because we reduced the number of tests in the definition of
2180 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2181 * mismatched protocol versions we will force a connection failure.
2183 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2184 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2187 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2191 if (initrbio == USE_BIO_1
2192 || initwbio == USE_BIO_1
2193 || newrbio == USE_BIO_1
2194 || newwbio == USE_BIO_1) {
2195 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2199 if (initrbio == USE_BIO_2
2200 || initwbio == USE_BIO_2
2201 || newrbio == USE_BIO_2
2202 || newwbio == USE_BIO_2) {
2203 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2207 if (initrbio != USE_DEFAULT) {
2208 setupbio(&irbio, bio1, bio2, initrbio);
2209 setupbio(&iwbio, bio1, bio2, initwbio);
2210 SSL_set_bio(clientssl, irbio, iwbio);
2213 * We want to maintain our own refs to these BIO, so do an up ref for
2214 * each BIO that will have ownership transferred in the SSL_set_bio()
2219 if (iwbio != NULL && iwbio != irbio)
2223 if (conntype != CONNTYPE_NO_CONNECTION
2224 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2226 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2229 setupbio(&nrbio, bio1, bio2, newrbio);
2230 setupbio(&nwbio, bio1, bio2, newwbio);
2233 * We will (maybe) transfer ownership again so do more up refs.
2234 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2239 && (nwbio != iwbio || nrbio != nwbio))
2243 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2246 SSL_set_bio(clientssl, nrbio, nwbio);
2255 * This test is checking that the ref counting for SSL_set_bio is correct.
2256 * If we get here and we did too many frees then we will fail in the above
2259 SSL_free(serverssl);
2260 SSL_free(clientssl);
2266 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2268 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2270 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2275 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2276 || !TEST_ptr(ssl = SSL_new(ctx))
2277 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2278 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2281 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2284 * If anything goes wrong here then we could leak memory.
2286 BIO_push(sslbio, membio1);
2288 /* Verify changing the rbio/wbio directly does not cause leaks */
2289 if (change_bio != NO_BIO_CHANGE) {
2290 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2292 if (change_bio == CHANGE_RBIO)
2293 SSL_set0_rbio(ssl, membio2);
2295 SSL_set0_wbio(ssl, membio2);
2314 static int test_ssl_bio_pop_next_bio(void)
2316 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2319 static int test_ssl_bio_pop_ssl_bio(void)
2321 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2324 static int test_ssl_bio_change_rbio(void)
2326 return execute_test_ssl_bio(0, CHANGE_RBIO);
2329 static int test_ssl_bio_change_wbio(void)
2331 return execute_test_ssl_bio(0, CHANGE_WBIO);
2334 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2336 /* The list of sig algs */
2338 /* The length of the list */
2340 /* A sigalgs list in string format */
2341 const char *liststr;
2342 /* Whether setting the list should succeed */
2344 /* Whether creating a connection with the list should succeed */
2348 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2349 # ifndef OPENSSL_NO_EC
2350 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2351 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2353 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2354 static const int invalidlist2[] = {NID_sha256, NID_undef};
2355 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2356 static const int invalidlist4[] = {NID_sha256};
2357 static const sigalgs_list testsigalgs[] = {
2358 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2359 # ifndef OPENSSL_NO_EC
2360 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2361 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2363 {NULL, 0, "RSA+SHA256", 1, 1},
2364 # ifndef OPENSSL_NO_EC
2365 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2366 {NULL, 0, "ECDSA+SHA512", 1, 0},
2368 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2369 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2370 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2371 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2372 {NULL, 0, "RSA", 0, 0},
2373 {NULL, 0, "SHA256", 0, 0},
2374 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2375 {NULL, 0, "Invalid", 0, 0}
2378 static int test_set_sigalgs(int idx)
2380 SSL_CTX *cctx = NULL, *sctx = NULL;
2381 SSL *clientssl = NULL, *serverssl = NULL;
2383 const sigalgs_list *curr;
2386 /* Should never happen */
2387 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2390 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2391 curr = testctx ? &testsigalgs[idx]
2392 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2394 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2395 TLS_client_method(), TLS1_VERSION, 0,
2396 &sctx, &cctx, cert, privkey)))
2400 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2401 * for TLSv1.2 for now until we add a new API.
2403 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2408 if (curr->list != NULL)
2409 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2411 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2415 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2421 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2426 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2427 &clientssl, NULL, NULL)))
2433 if (curr->list != NULL)
2434 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2436 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2439 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2448 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2456 SSL_free(serverssl);
2457 SSL_free(clientssl);
2465 #ifndef OPENSSL_NO_TLS1_3
2466 static int psk_client_cb_cnt = 0;
2467 static int psk_server_cb_cnt = 0;
2469 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2470 size_t *idlen, SSL_SESSION **sess)
2472 switch (++use_session_cb_cnt) {
2474 /* The first call should always have a NULL md */
2480 /* The second call should always have an md */
2486 /* We should only be called a maximum of twice */
2490 if (clientpsk != NULL)
2491 SSL_SESSION_up_ref(clientpsk);
2494 *id = (const unsigned char *)pskid;
2495 *idlen = strlen(pskid);
2500 #ifndef OPENSSL_NO_PSK
2501 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2502 unsigned int max_id_len,
2504 unsigned int max_psk_len)
2506 unsigned int psklen = 0;
2508 psk_client_cb_cnt++;
2510 if (strlen(pskid) + 1 > max_id_len)
2513 /* We should only ever be called a maximum of twice per connection */
2514 if (psk_client_cb_cnt > 2)
2517 if (clientpsk == NULL)
2520 /* We'll reuse the PSK we set up for TLSv1.3 */
2521 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2523 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2524 strncpy(id, pskid, max_id_len);
2528 #endif /* OPENSSL_NO_PSK */
2530 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2531 size_t identity_len, SSL_SESSION **sess)
2533 find_session_cb_cnt++;
2535 /* We should only ever be called a maximum of twice per connection */
2536 if (find_session_cb_cnt > 2)
2539 if (serverpsk == NULL)
2542 /* Identity should match that set by the client */
2543 if (strlen(srvid) != identity_len
2544 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2545 /* No PSK found, continue but without a PSK */
2550 SSL_SESSION_up_ref(serverpsk);
2556 #ifndef OPENSSL_NO_PSK
2557 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2558 unsigned char *psk, unsigned int max_psk_len)
2560 unsigned int psklen = 0;
2562 psk_server_cb_cnt++;
2564 /* We should only ever be called a maximum of twice per connection */
2565 if (find_session_cb_cnt > 2)
2568 if (serverpsk == NULL)
2571 /* Identity should match that set by the client */
2572 if (strcmp(srvid, identity) != 0) {
2576 /* We'll reuse the PSK we set up for TLSv1.3 */
2577 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2579 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2583 #endif /* OPENSSL_NO_PSK */
2585 #define MSG1 "Hello"
2586 #define MSG2 "World."
2591 #define MSG7 "message."
2593 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2594 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2597 static SSL_SESSION *create_a_psk(SSL *ssl)
2599 const SSL_CIPHER *cipher = NULL;
2600 const unsigned char key[] = {
2601 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2602 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2603 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2604 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2605 0x2c, 0x2d, 0x2e, 0x2f
2607 SSL_SESSION *sess = NULL;
2609 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2610 sess = SSL_SESSION_new();
2612 || !TEST_ptr(cipher)
2613 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2615 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2617 SSL_SESSION_set_protocol_version(sess,
2619 SSL_SESSION_free(sess);
2626 * Helper method to setup objects for early data test. Caller frees objects on
2629 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2630 SSL **serverssl, SSL_SESSION **sess, int idx)
2633 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2634 TLS_client_method(),
2636 sctx, cctx, cert, privkey)))
2639 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2643 /* When idx == 1 we repeat the tests with read_ahead set */
2644 SSL_CTX_set_read_ahead(*cctx, 1);
2645 SSL_CTX_set_read_ahead(*sctx, 1);
2646 } else if (idx == 2) {
2647 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2648 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2649 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2650 use_session_cb_cnt = 0;
2651 find_session_cb_cnt = 0;
2655 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2660 * For one of the run throughs (doesn't matter which one), we'll try sending
2661 * some SNI data in the initial ClientHello. This will be ignored (because
2662 * there is no SNI cb set up by the server), so it should not impact
2666 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2670 clientpsk = create_a_psk(*clientssl);
2671 if (!TEST_ptr(clientpsk)
2673 * We just choose an arbitrary value for max_early_data which
2674 * should be big enough for testing purposes.
2676 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2678 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2679 SSL_SESSION_free(clientpsk);
2683 serverpsk = clientpsk;
2686 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2687 SSL_SESSION_free(clientpsk);
2688 SSL_SESSION_free(serverpsk);
2689 clientpsk = serverpsk = NULL;
2700 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2704 *sess = SSL_get1_session(*clientssl);
2705 SSL_shutdown(*clientssl);
2706 SSL_shutdown(*serverssl);
2707 SSL_free(*serverssl);
2708 SSL_free(*clientssl);
2709 *serverssl = *clientssl = NULL;
2711 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2712 clientssl, NULL, NULL))
2713 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2719 static int test_early_data_read_write(int idx)
2721 SSL_CTX *cctx = NULL, *sctx = NULL;
2722 SSL *clientssl = NULL, *serverssl = NULL;
2724 SSL_SESSION *sess = NULL;
2725 unsigned char buf[20], data[1024];
2726 size_t readbytes, written, eoedlen, rawread, rawwritten;
2729 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2730 &serverssl, &sess, idx)))
2733 /* Write and read some early data */
2734 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2736 || !TEST_size_t_eq(written, strlen(MSG1))
2737 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2738 sizeof(buf), &readbytes),
2739 SSL_READ_EARLY_DATA_SUCCESS)
2740 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2741 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2742 SSL_EARLY_DATA_ACCEPTED))
2746 * Server should be able to write data, and client should be able to
2749 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2751 || !TEST_size_t_eq(written, strlen(MSG2))
2752 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2753 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2756 /* Even after reading normal data, client should be able write early data */
2757 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2759 || !TEST_size_t_eq(written, strlen(MSG3)))
2762 /* Server should still be able read early data after writing data */
2763 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2765 SSL_READ_EARLY_DATA_SUCCESS)
2766 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2769 /* Write more data from server and read it from client */
2770 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2772 || !TEST_size_t_eq(written, strlen(MSG4))
2773 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2774 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2778 * If client writes normal data it should mean writing early data is no
2781 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2782 || !TEST_size_t_eq(written, strlen(MSG5))
2783 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2784 SSL_EARLY_DATA_ACCEPTED))
2788 * At this point the client has written EndOfEarlyData, ClientFinished and
2789 * normal (fully protected) data. We are going to cause a delay between the
2790 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2791 * in the read BIO, and then just put back the EndOfEarlyData message.
2793 rbio = SSL_get_rbio(serverssl);
2794 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2795 || !TEST_size_t_lt(rawread, sizeof(data))
2796 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2799 /* Record length is in the 4th and 5th bytes of the record header */
2800 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2801 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2802 || !TEST_size_t_eq(rawwritten, eoedlen))
2805 /* Server should be told that there is no more early data */
2806 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2808 SSL_READ_EARLY_DATA_FINISH)
2809 || !TEST_size_t_eq(readbytes, 0))
2813 * Server has not finished init yet, so should still be able to write early
2816 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2818 || !TEST_size_t_eq(written, strlen(MSG6)))
2821 /* Push the ClientFinished and the normal data back into the server rbio */
2822 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2824 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2827 /* Server should be able to read normal data */
2828 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2829 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2832 /* Client and server should not be able to write/read early data now */
2833 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2837 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2839 SSL_READ_EARLY_DATA_ERROR))
2843 /* Client should be able to read the data sent by the server */
2844 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2845 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2849 * Make sure we process the two NewSessionTickets. These arrive
2850 * post-handshake. We attempt reads which we do not expect to return any
2853 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2854 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2858 /* Server should be able to write normal data */
2859 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2860 || !TEST_size_t_eq(written, strlen(MSG7))
2861 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2862 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2865 SSL_SESSION_free(sess);
2866 sess = SSL_get1_session(clientssl);
2867 use_session_cb_cnt = 0;
2868 find_session_cb_cnt = 0;
2870 SSL_shutdown(clientssl);
2871 SSL_shutdown(serverssl);
2872 SSL_free(serverssl);
2873 SSL_free(clientssl);
2874 serverssl = clientssl = NULL;
2875 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2876 &clientssl, NULL, NULL))
2877 || !TEST_true(SSL_set_session(clientssl, sess)))
2880 /* Write and read some early data */
2881 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2883 || !TEST_size_t_eq(written, strlen(MSG1))
2884 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2886 SSL_READ_EARLY_DATA_SUCCESS)
2887 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2890 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2891 || !TEST_int_gt(SSL_accept(serverssl), 0))
2894 /* Client and server should not be able to write/read early data now */
2895 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2899 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2901 SSL_READ_EARLY_DATA_ERROR))
2905 /* Client and server should be able to write/read normal data */
2906 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2907 || !TEST_size_t_eq(written, strlen(MSG5))
2908 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2909 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2915 SSL_SESSION_free(sess);
2916 SSL_SESSION_free(clientpsk);
2917 SSL_SESSION_free(serverpsk);
2918 clientpsk = serverpsk = NULL;
2919 SSL_free(serverssl);
2920 SSL_free(clientssl);
2926 static int allow_ed_cb_called = 0;
2928 static int allow_early_data_cb(SSL *s, void *arg)
2930 int *usecb = (int *)arg;
2932 allow_ed_cb_called++;
2941 * idx == 0: Standard early_data setup
2942 * idx == 1: early_data setup using read_ahead
2943 * usecb == 0: Don't use a custom early data callback
2944 * usecb == 1: Use a custom early data callback and reject the early data
2945 * usecb == 2: Use a custom early data callback and accept the early data
2946 * confopt == 0: Configure anti-replay directly
2947 * confopt == 1: Configure anti-replay using SSL_CONF
2949 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2951 SSL_CTX *cctx = NULL, *sctx = NULL;
2952 SSL *clientssl = NULL, *serverssl = NULL;
2954 SSL_SESSION *sess = NULL;
2955 size_t readbytes, written;
2956 unsigned char buf[20];
2958 allow_ed_cb_called = 0;
2960 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2961 TLS_client_method(), TLS1_VERSION, 0,
2962 &sctx, &cctx, cert, privkey)))
2967 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2969 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2971 if (!TEST_ptr(confctx))
2973 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2974 | SSL_CONF_FLAG_SERVER);
2975 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2976 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2978 SSL_CONF_CTX_free(confctx);
2981 SSL_CONF_CTX_free(confctx);
2983 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2986 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2987 &serverssl, &sess, idx)))
2991 * The server is configured to accept early data. Create a connection to
2992 * "use up" the ticket
2994 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2995 || !TEST_true(SSL_session_reused(clientssl)))
2998 SSL_shutdown(clientssl);
2999 SSL_shutdown(serverssl);
3000 SSL_free(serverssl);
3001 SSL_free(clientssl);
3002 serverssl = clientssl = NULL;
3004 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3005 &clientssl, NULL, NULL))
3006 || !TEST_true(SSL_set_session(clientssl, sess)))
3009 /* Write and read some early data */
3010 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3012 || !TEST_size_t_eq(written, strlen(MSG1)))
3016 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3018 SSL_READ_EARLY_DATA_FINISH)
3020 * The ticket was reused, so the we should have rejected the
3023 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3024 SSL_EARLY_DATA_REJECTED))
3027 /* In this case the callback decides to accept the early data */
3028 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3030 SSL_READ_EARLY_DATA_SUCCESS)
3031 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3033 * Server will have sent its flight so client can now send
3034 * end of early data and complete its half of the handshake
3036 || !TEST_int_gt(SSL_connect(clientssl), 0)
3037 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3039 SSL_READ_EARLY_DATA_FINISH)
3040 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3041 SSL_EARLY_DATA_ACCEPTED))
3045 /* Complete the connection */
3046 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3047 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3048 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3054 SSL_SESSION_free(sess);
3055 SSL_SESSION_free(clientpsk);
3056 SSL_SESSION_free(serverpsk);
3057 clientpsk = serverpsk = NULL;
3058 SSL_free(serverssl);
3059 SSL_free(clientssl);
3065 static int test_early_data_replay(int idx)
3067 int ret = 1, usecb, confopt;
3069 for (usecb = 0; usecb < 3; usecb++) {
3070 for (confopt = 0; confopt < 2; confopt++)
3071 ret &= test_early_data_replay_int(idx, usecb, confopt);
3078 * Helper function to test that a server attempting to read early data can
3079 * handle a connection from a client where the early data should be skipped.
3080 * testtype: 0 == No HRR
3081 * testtype: 1 == HRR
3082 * testtype: 2 == HRR, invalid early_data sent after HRR
3083 * testtype: 3 == recv_max_early_data set to 0
3085 static int early_data_skip_helper(int testtype, int idx)
3087 SSL_CTX *cctx = NULL, *sctx = NULL;
3088 SSL *clientssl = NULL, *serverssl = NULL;
3090 SSL_SESSION *sess = NULL;
3091 unsigned char buf[20];
3092 size_t readbytes, written;
3094 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3095 &serverssl, &sess, idx)))
3098 if (testtype == 1 || testtype == 2) {
3099 /* Force an HRR to occur */
3100 #if defined(OPENSSL_NO_EC)
3101 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3104 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3107 } else if (idx == 2) {
3109 * We force early_data rejection by ensuring the PSK identity is
3112 srvid = "Dummy Identity";
3115 * Deliberately corrupt the creation time. We take 20 seconds off the
3116 * time. It could be any value as long as it is not within tolerance.
3117 * This should mean the ticket is rejected.
3119 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3124 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3127 /* Write some early data */
3128 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3130 || !TEST_size_t_eq(written, strlen(MSG1)))
3133 /* Server should reject the early data */
3134 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3136 SSL_READ_EARLY_DATA_FINISH)
3137 || !TEST_size_t_eq(readbytes, 0)
3138 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3139 SSL_EARLY_DATA_REJECTED))
3149 * Finish off the handshake. We perform the same writes and reads as
3150 * further down but we expect them to fail due to the incomplete
3153 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3154 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3161 BIO *wbio = SSL_get_wbio(clientssl);
3162 /* A record that will appear as bad early_data */
3163 const unsigned char bad_early_data[] = {
3164 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3168 * We force the client to attempt a write. This will fail because
3169 * we're still in the handshake. It will cause the second
3170 * ClientHello to be sent.
3172 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3177 * Inject some early_data after the second ClientHello. This should
3178 * cause the server to fail
3180 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3181 sizeof(bad_early_data), &written)))
3188 * This client has sent more early_data than we are willing to skip
3189 * (case 3) or sent invalid early_data (case 2) so the connection should
3192 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3193 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3196 /* Connection has failed - nothing more to do */
3201 TEST_error("Invalid test type");
3206 * Should be able to send normal data despite rejection of early data. The
3207 * early_data should be skipped.
3209 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3210 || !TEST_size_t_eq(written, strlen(MSG2))
3211 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3212 SSL_EARLY_DATA_REJECTED)
3213 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3214 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3220 SSL_SESSION_free(clientpsk);
3221 SSL_SESSION_free(serverpsk);
3222 clientpsk = serverpsk = NULL;
3223 SSL_SESSION_free(sess);
3224 SSL_free(serverssl);
3225 SSL_free(clientssl);
3232 * Test that a server attempting to read early data can handle a connection
3233 * from a client where the early data is not acceptable.
3235 static int test_early_data_skip(int idx)
3237 return early_data_skip_helper(0, idx);
3241 * Test that a server attempting to read early data can handle a connection
3242 * from a client where an HRR occurs.
3244 static int test_early_data_skip_hrr(int idx)
3246 return early_data_skip_helper(1, idx);
3250 * Test that a server attempting to read early data can handle a connection
3251 * from a client where an HRR occurs and correctly fails if early_data is sent
3254 static int test_early_data_skip_hrr_fail(int idx)
3256 return early_data_skip_helper(2, idx);
3260 * Test that a server attempting to read early data will abort if it tries to
3261 * skip over too much.
3263 static int test_early_data_skip_abort(int idx)
3265 return early_data_skip_helper(3, idx);
3269 * Test that a server attempting to read early data can handle a connection
3270 * from a client that doesn't send any.
3272 static int test_early_data_not_sent(int idx)
3274 SSL_CTX *cctx = NULL, *sctx = NULL;
3275 SSL *clientssl = NULL, *serverssl = NULL;
3277 SSL_SESSION *sess = NULL;
3278 unsigned char buf[20];
3279 size_t readbytes, written;
3281 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3282 &serverssl, &sess, idx)))
3285 /* Write some data - should block due to handshake with server */
3286 SSL_set_connect_state(clientssl);
3287 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3290 /* Server should detect that early data has not been sent */
3291 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3293 SSL_READ_EARLY_DATA_FINISH)
3294 || !TEST_size_t_eq(readbytes, 0)
3295 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3296 SSL_EARLY_DATA_NOT_SENT)
3297 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3298 SSL_EARLY_DATA_NOT_SENT))
3301 /* Continue writing the message we started earlier */
3302 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3303 || !TEST_size_t_eq(written, strlen(MSG1))
3304 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3305 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3306 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3307 || !TEST_size_t_eq(written, strlen(MSG2)))
3310 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3311 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3317 SSL_SESSION_free(sess);
3318 SSL_SESSION_free(clientpsk);
3319 SSL_SESSION_free(serverpsk);
3320 clientpsk = serverpsk = NULL;
3321 SSL_free(serverssl);
3322 SSL_free(clientssl);
3328 static const char *servalpn;
3330 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3331 unsigned char *outlen, const unsigned char *in,
3332 unsigned int inlen, void *arg)
3334 unsigned int protlen = 0;
3335 const unsigned char *prot;
3337 for (prot = in; prot < in + inlen; prot += protlen) {
3339 if (in + inlen < prot + protlen)
3340 return SSL_TLSEXT_ERR_NOACK;
3342 if (protlen == strlen(servalpn)
3343 && memcmp(prot, servalpn, protlen) == 0) {
3346 return SSL_TLSEXT_ERR_OK;
3350 return SSL_TLSEXT_ERR_NOACK;
3353 /* Test that a PSK can be used to send early_data */
3354 static int test_early_data_psk(int idx)
3356 SSL_CTX *cctx = NULL, *sctx = NULL;
3357 SSL *clientssl = NULL, *serverssl = NULL;
3359 SSL_SESSION *sess = NULL;
3360 unsigned char alpnlist[] = {
3361 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3364 #define GOODALPNLEN 9
3365 #define BADALPNLEN 8
3366 #define GOODALPN (alpnlist)
3367 #define BADALPN (alpnlist + GOODALPNLEN)
3369 unsigned char buf[20];
3370 size_t readbytes, written;
3371 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3372 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3374 /* We always set this up with a final parameter of "2" for PSK */
3375 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3376 &serverssl, &sess, 2)))
3379 servalpn = "goodalpn";
3382 * Note: There is no test for inconsistent SNI with late client detection.
3383 * This is because servers do not acknowledge SNI even if they are using
3384 * it in a resumption handshake - so it is not actually possible for a
3385 * client to detect a problem.
3389 /* Set inconsistent SNI (early client detection) */
3390 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3391 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3392 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3397 /* Set inconsistent ALPN (early client detection) */
3398 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3399 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3400 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3402 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3409 * Set invalid protocol version. Technically this affects PSKs without
3410 * early_data too, but we test it here because it is similar to the
3411 * SNI/ALPN consistency tests.
3413 err = SSL_R_BAD_PSK;
3414 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3420 * Set inconsistent SNI (server side). In this case the connection
3421 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3422 * is associated with each handshake - not the session. Therefore it
3423 * should not matter that we used a different server name last time.
3425 SSL_SESSION_free(serverpsk);
3426 serverpsk = SSL_SESSION_dup(clientpsk);
3427 if (!TEST_ptr(serverpsk)
3428 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3432 /* Set consistent SNI */
3433 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3434 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3435 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3442 * Set inconsistent ALPN (server detected). In this case the connection
3443 * will succeed but reject early_data.
3445 servalpn = "badalpn";
3446 edstatus = SSL_EARLY_DATA_REJECTED;
3447 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3451 * Set consistent ALPN.
3452 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3453 * accepts a list of protos (each one length prefixed).
3454 * SSL_set1_alpn_selected accepts a single protocol (not length
3457 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3459 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3463 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3467 /* Set inconsistent ALPN (late client detection) */
3468 SSL_SESSION_free(serverpsk);
3469 serverpsk = SSL_SESSION_dup(clientpsk);
3470 if (!TEST_ptr(serverpsk)
3471 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3474 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3477 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3480 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3481 edstatus = SSL_EARLY_DATA_ACCEPTED;
3482 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3483 /* SSL_connect() call should fail */
3488 TEST_error("Bad test index");
3492 SSL_set_connect_state(clientssl);
3494 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3496 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3497 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3500 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3504 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3505 &readbytes), readearlyres)
3506 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3507 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3508 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3509 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3516 SSL_SESSION_free(sess);
3517 SSL_SESSION_free(clientpsk);
3518 SSL_SESSION_free(serverpsk);
3519 clientpsk = serverpsk = NULL;
3520 SSL_free(serverssl);
3521 SSL_free(clientssl);
3528 * Test that a server that doesn't try to read early data can handle a
3529 * client sending some.
3531 static int test_early_data_not_expected(int idx)
3533 SSL_CTX *cctx = NULL, *sctx = NULL;
3534 SSL *clientssl = NULL, *serverssl = NULL;
3536 SSL_SESSION *sess = NULL;
3537 unsigned char buf[20];
3538 size_t readbytes, written;
3540 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3541 &serverssl, &sess, idx)))
3544 /* Write some early data */
3545 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3550 * Server should skip over early data and then block waiting for client to
3551 * continue handshake
3553 if (!TEST_int_le(SSL_accept(serverssl), 0)
3554 || !TEST_int_gt(SSL_connect(clientssl), 0)
3555 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3556 SSL_EARLY_DATA_REJECTED)
3557 || !TEST_int_gt(SSL_accept(serverssl), 0)
3558 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3559 SSL_EARLY_DATA_REJECTED))
3562 /* Send some normal data from client to server */
3563 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3564 || !TEST_size_t_eq(written, strlen(MSG2)))
3567 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3568 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3574 SSL_SESSION_free(sess);
3575 SSL_SESSION_free(clientpsk);
3576 SSL_SESSION_free(serverpsk);
3577 clientpsk = serverpsk = NULL;
3578 SSL_free(serverssl);
3579 SSL_free(clientssl);
3586 # ifndef OPENSSL_NO_TLS1_2
3588 * Test that a server attempting to read early data can handle a connection
3589 * from a TLSv1.2 client.
3591 static int test_early_data_tls1_2(int idx)
3593 SSL_CTX *cctx = NULL, *sctx = NULL;
3594 SSL *clientssl = NULL, *serverssl = NULL;
3596 unsigned char buf[20];
3597 size_t readbytes, written;
3599 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3600 &serverssl, NULL, idx)))
3603 /* Write some data - should block due to handshake with server */
3604 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3605 SSL_set_connect_state(clientssl);
3606 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3610 * Server should do TLSv1.2 handshake. First it will block waiting for more
3611 * messages from client after ServerDone. Then SSL_read_early_data should
3612 * finish and detect that early data has not been sent
3614 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3616 SSL_READ_EARLY_DATA_ERROR))
3620 * Continue writing the message we started earlier. Will still block waiting
3621 * for the CCS/Finished from server
3623 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3624 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3626 SSL_READ_EARLY_DATA_FINISH)
3627 || !TEST_size_t_eq(readbytes, 0)
3628 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3629 SSL_EARLY_DATA_NOT_SENT))
3632 /* Continue writing the message we started earlier */
3633 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3634 || !TEST_size_t_eq(written, strlen(MSG1))
3635 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3636 SSL_EARLY_DATA_NOT_SENT)
3637 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3638 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3639 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3640 || !TEST_size_t_eq(written, strlen(MSG2))
3641 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3642 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3648 SSL_SESSION_free(clientpsk);
3649 SSL_SESSION_free(serverpsk);
3650 clientpsk = serverpsk = NULL;
3651 SSL_free(serverssl);
3652 SSL_free(clientssl);
3658 # endif /* OPENSSL_NO_TLS1_2 */
3661 * Test configuring the TLSv1.3 ciphersuites
3663 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3664 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3665 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3666 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3667 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3668 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3669 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3670 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3671 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3672 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3674 static int test_set_ciphersuite(int idx)
3676 SSL_CTX *cctx = NULL, *sctx = NULL;
3677 SSL *clientssl = NULL, *serverssl = NULL;
3680 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3681 TLS_client_method(), TLS1_VERSION, 0,
3682 &sctx, &cctx, cert, privkey))
3683 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3684 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3687 if (idx >=4 && idx <= 7) {
3688 /* SSL_CTX explicit cipher list */
3689 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3693 if (idx == 0 || idx == 4) {
3694 /* Default ciphersuite */
3695 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3696 "TLS_AES_128_GCM_SHA256")))
3698 } else if (idx == 1 || idx == 5) {
3699 /* Non default ciphersuite */
3700 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3701 "TLS_AES_128_CCM_SHA256")))
3705 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3706 &clientssl, NULL, NULL)))
3709 if (idx == 8 || idx == 9) {
3710 /* SSL explicit cipher list */
3711 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3715 if (idx == 2 || idx == 6 || idx == 8) {
3716 /* Default ciphersuite */
3717 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3718 "TLS_AES_128_GCM_SHA256")))
3720 } else if (idx == 3 || idx == 7 || idx == 9) {
3721 /* Non default ciphersuite */
3722 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3723 "TLS_AES_128_CCM_SHA256")))
3727 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3733 SSL_free(serverssl);
3734 SSL_free(clientssl);
3741 static int test_ciphersuite_change(void)
3743 SSL_CTX *cctx = NULL, *sctx = NULL;
3744 SSL *clientssl = NULL, *serverssl = NULL;
3745 SSL_SESSION *clntsess = NULL;
3747 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3749 /* Create a session based on SHA-256 */
3750 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3751 TLS_client_method(), TLS1_VERSION, 0,
3752 &sctx, &cctx, cert, privkey))
3753 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3754 "TLS_AES_128_GCM_SHA256:"
3755 "TLS_AES_256_GCM_SHA384:"
3756 "TLS_AES_128_CCM_SHA256"))
3757 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3758 "TLS_AES_128_GCM_SHA256"))
3759 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3760 &clientssl, NULL, NULL))
3761 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3765 clntsess = SSL_get1_session(clientssl);
3766 /* Save for later */
3767 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3768 SSL_shutdown(clientssl);
3769 SSL_shutdown(serverssl);
3770 SSL_free(serverssl);
3771 SSL_free(clientssl);
3772 serverssl = clientssl = NULL;
3774 /* Check we can resume a session with a different SHA-256 ciphersuite */
3775 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3776 "TLS_AES_128_CCM_SHA256"))
3777 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3778 &clientssl, NULL, NULL))
3779 || !TEST_true(SSL_set_session(clientssl, clntsess))
3780 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3782 || !TEST_true(SSL_session_reused(clientssl)))
3785 SSL_SESSION_free(clntsess);
3786 clntsess = SSL_get1_session(clientssl);
3787 SSL_shutdown(clientssl);
3788 SSL_shutdown(serverssl);
3789 SSL_free(serverssl);
3790 SSL_free(clientssl);
3791 serverssl = clientssl = NULL;
3794 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3795 * succeeds but does not resume.
3797 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3798 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3800 || !TEST_true(SSL_set_session(clientssl, clntsess))
3801 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3803 || !TEST_false(SSL_session_reused(clientssl)))
3806 SSL_SESSION_free(clntsess);
3808 SSL_shutdown(clientssl);
3809 SSL_shutdown(serverssl);
3810 SSL_free(serverssl);
3811 SSL_free(clientssl);
3812 serverssl = clientssl = NULL;
3814 /* Create a session based on SHA384 */
3815 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3816 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3817 &clientssl, NULL, NULL))
3818 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3822 clntsess = SSL_get1_session(clientssl);
3823 SSL_shutdown(clientssl);
3824 SSL_shutdown(serverssl);
3825 SSL_free(serverssl);
3826 SSL_free(clientssl);
3827 serverssl = clientssl = NULL;
3829 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3830 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3831 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3832 "TLS_AES_256_GCM_SHA384"))
3833 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3835 || !TEST_true(SSL_set_session(clientssl, clntsess))
3837 * We use SSL_ERROR_WANT_READ below so that we can pause the
3838 * connection after the initial ClientHello has been sent to
3839 * enable us to make some session changes.
3841 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3842 SSL_ERROR_WANT_READ)))
3845 /* Trick the client into thinking this session is for a different digest */
3846 clntsess->cipher = aes_128_gcm_sha256;
3847 clntsess->cipher_id = clntsess->cipher->id;
3850 * Continue the previously started connection. Server has selected a SHA-384
3851 * ciphersuite, but client thinks the session is for SHA-256, so it should
3854 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3856 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3857 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3863 SSL_SESSION_free(clntsess);
3864 SSL_free(serverssl);
3865 SSL_free(clientssl);
3873 * Test TLSv1.3 Key exchange
3874 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3875 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3876 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3877 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3878 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3879 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3880 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3881 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3882 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3883 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3884 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3885 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3886 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3887 * Test 13 = Test all FFDHE with TLSv1.2 client and server
3889 static int test_key_exchange(int idx)
3891 SSL_CTX *sctx = NULL, *cctx = NULL;
3892 SSL *serverssl = NULL, *clientssl = NULL;
3894 # ifndef OPENSSL_NO_EC
3895 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3896 NID_secp521r1, NID_X25519, NID_X448};
3898 # ifndef OPENSSL_NO_DH
3899 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3900 NID_ffdhe6144, NID_ffdhe8192};
3903 int *kexch_groups = &kexch_alg;
3904 int kexch_groups_size = 1;
3905 int max_version = TLS1_3_VERSION;
3908 # ifndef OPENSSL_NO_EC
3909 # ifndef OPENSSL_NO_TLS1_2
3911 max_version = TLS1_2_VERSION;
3915 kexch_groups = ecdhe_kexch_groups;
3916 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3919 kexch_alg = NID_X9_62_prime256v1;
3922 kexch_alg = NID_secp384r1;
3925 kexch_alg = NID_secp521r1;
3928 kexch_alg = NID_X25519;
3931 kexch_alg = NID_X448;
3934 # ifndef OPENSSL_NO_DH
3935 # ifndef OPENSSL_NO_TLS1_2
3937 max_version = TLS1_2_VERSION;
3941 kexch_groups = ffdhe_kexch_groups;
3942 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3945 kexch_alg = NID_ffdhe2048;
3948 kexch_alg = NID_ffdhe3072;
3951 kexch_alg = NID_ffdhe4096;
3954 kexch_alg = NID_ffdhe6144;
3957 kexch_alg = NID_ffdhe8192;
3961 /* We're skipping this test */
3965 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3966 TLS_client_method(), TLS1_VERSION,
3967 max_version, &sctx, &cctx, cert,
3971 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3972 TLS1_3_RFC_AES_128_GCM_SHA256)))
3975 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3976 TLS1_3_RFC_AES_128_GCM_SHA256)))
3979 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3980 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3984 * Must include an EC ciphersuite so that we send supported groups in
3987 # ifndef OPENSSL_NO_TLS1_2
3988 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3989 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3990 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3994 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3998 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3999 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4002 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4006 * If Handshake succeeds the negotiated kexch alg should be the first one in
4007 * configured, except in the case of FFDHE groups (idx 13), which are
4008 * TLSv1.3 only so we expect no shared group to exist.
4010 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4011 idx == 13 ? 0 : kexch_groups[0]))
4013 if (max_version == TLS1_3_VERSION) {
4014 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4016 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4022 SSL_free(serverssl);
4023 SSL_free(clientssl);
4030 * Test TLSv1.3 Cipher Suite
4031 * Test 0 = Set TLS1.3 cipher on context
4032 * Test 1 = Set TLS1.3 cipher on SSL
4033 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4034 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4036 static int test_tls13_ciphersuite(int idx)
4038 SSL_CTX *sctx = NULL, *cctx = NULL;
4039 SSL *serverssl = NULL, *clientssl = NULL;
4040 static const struct {
4041 const char *ciphername;
4044 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4045 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4046 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4047 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4048 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4049 { TLS1_3_RFC_AES_256_GCM_SHA384
4050 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4052 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4054 const char *t13_cipher = NULL;
4055 const char *t12_cipher = NULL;
4056 const char *negotiated_scipher;
4057 const char *negotiated_ccipher;
4073 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4077 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4081 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4082 # ifdef OPENSSL_NO_TLS1_2
4083 if (max_ver == TLS1_2_VERSION)
4086 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4087 if (is_fips && !t13_ciphers[i].fipscapable)
4089 t13_cipher = t13_ciphers[i].ciphername;
4090 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4091 TLS_client_method(),
4092 TLS1_VERSION, max_ver,
4093 &sctx, &cctx, cert, privkey)))
4097 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4098 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4100 if (t12_cipher != NULL) {
4101 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4102 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4108 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4109 &clientssl, NULL, NULL)))
4113 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4114 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4116 if (t12_cipher != NULL) {
4117 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4118 || !TEST_true(SSL_set_cipher_list(clientssl,
4124 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4128 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4130 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4132 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4136 * TEST_strn_eq is used below because t13_cipher can contain
4137 * multiple ciphersuites
4139 if (max_ver == TLS1_3_VERSION
4140 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4141 strlen(negotiated_scipher)))
4144 # ifndef OPENSSL_NO_TLS1_2
4145 /* Below validation is not done when t12_cipher is NULL */
4146 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4147 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4151 SSL_free(serverssl);
4153 SSL_free(clientssl);
4164 SSL_free(serverssl);
4165 SSL_free(clientssl);
4173 * Test 0 = Test new style callbacks
4174 * Test 1 = Test both new and old style callbacks
4175 * Test 2 = Test old style callbacks
4176 * Test 3 = Test old style callbacks with no certificate
4178 static int test_tls13_psk(int idx)
4180 SSL_CTX *sctx = NULL, *cctx = NULL;
4181 SSL *serverssl = NULL, *clientssl = NULL;
4182 const SSL_CIPHER *cipher = NULL;
4183 const unsigned char key[] = {
4184 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4185 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4186 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4187 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4191 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4192 TLS_client_method(), TLS1_VERSION, 0,
4193 &sctx, &cctx, idx == 3 ? NULL : cert,
4194 idx == 3 ? NULL : privkey)))
4199 * We use a ciphersuite with SHA256 to ease testing old style PSK
4200 * callbacks which will always default to SHA256. This should not be
4201 * necessary if we have no cert/priv key. In that case the server should
4202 * prefer SHA256 automatically.
4204 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4205 "TLS_AES_128_GCM_SHA256")))
4209 * As noted above the server should prefer SHA256 automatically. However
4210 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4211 * code works even if we are testing with only the FIPS provider loaded.
4213 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4214 "TLS_AES_256_GCM_SHA384:"
4215 "TLS_AES_128_GCM_SHA256")))
4220 * Test 0: New style callbacks only
4221 * Test 1: New and old style callbacks (only the new ones should be used)
4222 * Test 2: Old style callbacks only
4224 if (idx == 0 || idx == 1) {
4225 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4226 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4228 #ifndef OPENSSL_NO_PSK
4230 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4231 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4235 use_session_cb_cnt = 0;
4236 find_session_cb_cnt = 0;
4237 psk_client_cb_cnt = 0;
4238 psk_server_cb_cnt = 0;
4242 * Check we can create a connection if callback decides not to send a
4245 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4247 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4249 || !TEST_false(SSL_session_reused(clientssl))
4250 || !TEST_false(SSL_session_reused(serverssl)))
4253 if (idx == 0 || idx == 1) {
4254 if (!TEST_true(use_session_cb_cnt == 1)
4255 || !TEST_true(find_session_cb_cnt == 0)
4257 * If no old style callback then below should be 0
4260 || !TEST_true(psk_client_cb_cnt == idx)
4261 || !TEST_true(psk_server_cb_cnt == 0))
4264 if (!TEST_true(use_session_cb_cnt == 0)
4265 || !TEST_true(find_session_cb_cnt == 0)
4266 || !TEST_true(psk_client_cb_cnt == 1)
4267 || !TEST_true(psk_server_cb_cnt == 0))
4271 shutdown_ssl_connection(serverssl, clientssl);
4272 serverssl = clientssl = NULL;
4273 use_session_cb_cnt = psk_client_cb_cnt = 0;
4276 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4280 /* Create the PSK */
4281 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4282 clientpsk = SSL_SESSION_new();
4283 if (!TEST_ptr(clientpsk)
4284 || !TEST_ptr(cipher)
4285 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4287 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4288 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4290 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4292 serverpsk = clientpsk;
4294 /* Check we can create a connection and the PSK is used */
4295 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4296 || !TEST_true(SSL_session_reused(clientssl))
4297 || !TEST_true(SSL_session_reused(serverssl)))
4300 if (idx == 0 || idx == 1) {
4301 if (!TEST_true(use_session_cb_cnt == 1)
4302 || !TEST_true(find_session_cb_cnt == 1)
4303 || !TEST_true(psk_client_cb_cnt == 0)
4304 || !TEST_true(psk_server_cb_cnt == 0))
4307 if (!TEST_true(use_session_cb_cnt == 0)
4308 || !TEST_true(find_session_cb_cnt == 0)
4309 || !TEST_true(psk_client_cb_cnt == 1)
4310 || !TEST_true(psk_server_cb_cnt == 1))
4314 shutdown_ssl_connection(serverssl, clientssl);
4315 serverssl = clientssl = NULL;
4316 use_session_cb_cnt = find_session_cb_cnt = 0;
4317 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4319 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4324 #if defined(OPENSSL_NO_EC)
4325 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4328 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4333 * Check we can create a connection, the PSK is used and the callbacks are
4336 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4337 || !TEST_true(SSL_session_reused(clientssl))
4338 || !TEST_true(SSL_session_reused(serverssl)))
4341 if (idx == 0 || idx == 1) {
4342 if (!TEST_true(use_session_cb_cnt == 2)
4343 || !TEST_true(find_session_cb_cnt == 2)
4344 || !TEST_true(psk_client_cb_cnt == 0)
4345 || !TEST_true(psk_server_cb_cnt == 0))
4348 if (!TEST_true(use_session_cb_cnt == 0)
4349 || !TEST_true(find_session_cb_cnt == 0)
4350 || !TEST_true(psk_client_cb_cnt == 2)
4351 || !TEST_true(psk_server_cb_cnt == 2))
4355 shutdown_ssl_connection(serverssl, clientssl);
4356 serverssl = clientssl = NULL;
4357 use_session_cb_cnt = find_session_cb_cnt = 0;
4358 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4362 * Check that if the server rejects the PSK we can still connect, but with
4365 srvid = "Dummy Identity";
4366 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4368 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4370 || !TEST_false(SSL_session_reused(clientssl))
4371 || !TEST_false(SSL_session_reused(serverssl)))
4374 if (idx == 0 || idx == 1) {
4375 if (!TEST_true(use_session_cb_cnt == 1)
4376 || !TEST_true(find_session_cb_cnt == 1)
4377 || !TEST_true(psk_client_cb_cnt == 0)
4379 * If no old style callback then below should be 0
4382 || !TEST_true(psk_server_cb_cnt == idx))
4385 if (!TEST_true(use_session_cb_cnt == 0)
4386 || !TEST_true(find_session_cb_cnt == 0)
4387 || !TEST_true(psk_client_cb_cnt == 1)
4388 || !TEST_true(psk_server_cb_cnt == 1))
4392 shutdown_ssl_connection(serverssl, clientssl);
4393 serverssl = clientssl = NULL;
4398 SSL_SESSION_free(clientpsk);
4399 SSL_SESSION_free(serverpsk);
4400 clientpsk = serverpsk = NULL;
4401 SSL_free(serverssl);
4402 SSL_free(clientssl);
4408 static unsigned char cookie_magic_value[] = "cookie magic";
4410 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4411 unsigned int *cookie_len)
4414 * Not suitable as a real cookie generation function but good enough for
4417 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4418 *cookie_len = sizeof(cookie_magic_value) - 1;
4423 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4424 unsigned int cookie_len)
4426 if (cookie_len == sizeof(cookie_magic_value) - 1
4427 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4433 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4437 int res = generate_cookie_callback(ssl, cookie, &temp);
4442 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4445 return verify_cookie_callback(ssl, cookie, cookie_len);
4448 static int test_stateless(void)
4450 SSL_CTX *sctx = NULL, *cctx = NULL;
4451 SSL *serverssl = NULL, *clientssl = NULL;
4454 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4455 TLS_client_method(), TLS1_VERSION, 0,
4456 &sctx, &cctx, cert, privkey)))
4459 /* The arrival of CCS messages can confuse the test */
4460 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4462 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4464 /* Send the first ClientHello */
4465 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4466 SSL_ERROR_WANT_READ))
4468 * This should fail with a -1 return because we have no callbacks
4471 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4474 /* Fatal error so abandon the connection from this client */
4475 SSL_free(clientssl);
4478 /* Set up the cookie generation and verification callbacks */
4479 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4480 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4483 * Create a new connection from the client (we can reuse the server SSL
4486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4488 /* Send the first ClientHello */
4489 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4490 SSL_ERROR_WANT_READ))
4491 /* This should fail because there is no cookie */
4492 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4495 /* Abandon the connection from this client */
4496 SSL_free(clientssl);
4500 * Now create a connection from a new client but with the same server SSL
4503 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4505 /* Send the first ClientHello */
4506 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4507 SSL_ERROR_WANT_READ))
4508 /* This should fail because there is no cookie */
4509 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4510 /* Send the second ClientHello */
4511 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4512 SSL_ERROR_WANT_READ))
4513 /* This should succeed because a cookie is now present */
4514 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4515 /* Complete the connection */
4516 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4520 shutdown_ssl_connection(serverssl, clientssl);
4521 serverssl = clientssl = NULL;
4525 SSL_free(serverssl);
4526 SSL_free(clientssl);
4532 #endif /* OPENSSL_NO_TLS1_3 */
4534 static int clntaddoldcb = 0;
4535 static int clntparseoldcb = 0;
4536 static int srvaddoldcb = 0;
4537 static int srvparseoldcb = 0;
4538 static int clntaddnewcb = 0;
4539 static int clntparsenewcb = 0;
4540 static int srvaddnewcb = 0;
4541 static int srvparsenewcb = 0;
4542 static int snicb = 0;
4544 #define TEST_EXT_TYPE1 0xff00
4546 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4547 size_t *outlen, int *al, void *add_arg)
4549 int *server = (int *)add_arg;
4550 unsigned char *data;
4552 if (SSL_is_server(s))
4557 if (*server != SSL_is_server(s)
4558 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4563 *outlen = sizeof(char);
4567 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4570 OPENSSL_free((unsigned char *)out);
4573 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4574 size_t inlen, int *al, void *parse_arg)
4576 int *server = (int *)parse_arg;
4578 if (SSL_is_server(s))
4583 if (*server != SSL_is_server(s)
4584 || inlen != sizeof(char)
4591 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4592 const unsigned char **out, size_t *outlen, X509 *x,
4593 size_t chainidx, int *al, void *add_arg)
4595 int *server = (int *)add_arg;
4596 unsigned char *data;
4598 if (SSL_is_server(s))
4603 if (*server != SSL_is_server(s)
4604 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4609 *outlen = sizeof(*data);
4613 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4614 const unsigned char *out, void *add_arg)
4616 OPENSSL_free((unsigned char *)out);
4619 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4620 const unsigned char *in, size_t inlen, X509 *x,
4621 size_t chainidx, int *al, void *parse_arg)
4623 int *server = (int *)parse_arg;
4625 if (SSL_is_server(s))
4630 if (*server != SSL_is_server(s)
4631 || inlen != sizeof(char) || *in != 1)
4637 static int sni_cb(SSL *s, int *al, void *arg)
4639 SSL_CTX *ctx = (SSL_CTX *)arg;
4641 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4642 *al = SSL_AD_INTERNAL_ERROR;
4643 return SSL_TLSEXT_ERR_ALERT_FATAL;
4646 return SSL_TLSEXT_ERR_OK;
4650 * Custom call back tests.
4651 * Test 0: Old style callbacks in TLSv1.2
4652 * Test 1: New style callbacks in TLSv1.2
4653 * Test 2: New style callbacks in TLSv1.2 with SNI
4654 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4655 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4657 static int test_custom_exts(int tst)
4659 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4660 SSL *clientssl = NULL, *serverssl = NULL;
4662 static int server = 1;
4663 static int client = 0;
4664 SSL_SESSION *sess = NULL;
4665 unsigned int context;
4667 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4668 /* Skip tests for TLSv1.2 and below in this case */
4673 /* Reset callback counters */
4674 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4675 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4678 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4679 TLS_client_method(), TLS1_VERSION, 0,
4680 &sctx, &cctx, cert, privkey)))
4684 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
4686 &sctx2, NULL, cert, privkey)))
4691 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4692 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4694 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4698 context = SSL_EXT_CLIENT_HELLO
4699 | SSL_EXT_TLS1_2_SERVER_HELLO
4700 | SSL_EXT_TLS1_3_SERVER_HELLO
4701 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4702 | SSL_EXT_TLS1_3_CERTIFICATE
4703 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4705 context = SSL_EXT_CLIENT_HELLO
4706 | SSL_EXT_TLS1_2_SERVER_HELLO
4707 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4710 /* Create a client side custom extension */
4712 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4713 old_add_cb, old_free_cb,
4714 &client, old_parse_cb,
4718 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4719 new_add_cb, new_free_cb,
4720 &client, new_parse_cb, &client)))
4724 /* Should not be able to add duplicates */
4725 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4726 old_add_cb, old_free_cb,
4727 &client, old_parse_cb,
4729 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4730 context, new_add_cb,
4731 new_free_cb, &client,
4732 new_parse_cb, &client)))
4735 /* Create a server side custom extension */
4737 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4738 old_add_cb, old_free_cb,
4739 &server, old_parse_cb,
4743 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4744 new_add_cb, new_free_cb,
4745 &server, new_parse_cb, &server)))
4748 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4749 context, new_add_cb,
4750 new_free_cb, &server,
4751 new_parse_cb, &server)))
4755 /* Should not be able to add duplicates */
4756 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4757 old_add_cb, old_free_cb,
4758 &server, old_parse_cb,
4760 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4761 context, new_add_cb,
4762 new_free_cb, &server,
4763 new_parse_cb, &server)))
4768 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4769 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4773 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4774 &clientssl, NULL, NULL))
4775 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4780 if (clntaddoldcb != 1
4781 || clntparseoldcb != 1
4783 || srvparseoldcb != 1)
4785 } else if (tst == 1 || tst == 2 || tst == 3) {
4786 if (clntaddnewcb != 1
4787 || clntparsenewcb != 1
4789 || srvparsenewcb != 1
4790 || (tst != 2 && snicb != 0)
4791 || (tst == 2 && snicb != 1))
4794 /* In this case there 2 NewSessionTicket messages created */
4795 if (clntaddnewcb != 1
4796 || clntparsenewcb != 5
4798 || srvparsenewcb != 1)
4802 sess = SSL_get1_session(clientssl);
4803 SSL_shutdown(clientssl);
4804 SSL_shutdown(serverssl);
4805 SSL_free(serverssl);
4806 SSL_free(clientssl);
4807 serverssl = clientssl = NULL;
4810 /* We don't bother with the resumption aspects for this test */
4815 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4817 || !TEST_true(SSL_set_session(clientssl, sess))
4818 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4823 * For a resumed session we expect to add the ClientHello extension. For the
4824 * old style callbacks we ignore it on the server side because they set
4825 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4829 if (clntaddoldcb != 2
4830 || clntparseoldcb != 1
4832 || srvparseoldcb != 1)
4834 } else if (tst == 1 || tst == 2 || tst == 3) {
4835 if (clntaddnewcb != 2
4836 || clntparsenewcb != 2
4838 || srvparsenewcb != 2)
4842 * No Certificate message extensions in the resumption handshake,
4843 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4845 if (clntaddnewcb != 2
4846 || clntparsenewcb != 8
4848 || srvparsenewcb != 2)
4855 SSL_SESSION_free(sess);
4856 SSL_free(serverssl);
4857 SSL_free(clientssl);
4858 SSL_CTX_free(sctx2);
4865 * Test loading of serverinfo data in various formats. test_sslmessages actually
4866 * tests to make sure the extensions appear in the handshake
4868 static int test_serverinfo(int tst)
4870 unsigned int version;
4871 unsigned char *sibuf;
4873 int ret, expected, testresult = 0;
4876 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
4880 if ((tst & 0x01) == 0x01)
4881 version = SSL_SERVERINFOV2;
4883 version = SSL_SERVERINFOV1;
4885 if ((tst & 0x02) == 0x02) {
4886 sibuf = serverinfov2;
4887 sibuflen = sizeof(serverinfov2);
4888 expected = (version == SSL_SERVERINFOV2);
4890 sibuf = serverinfov1;
4891 sibuflen = sizeof(serverinfov1);
4892 expected = (version == SSL_SERVERINFOV1);
4895 if ((tst & 0x04) == 0x04) {
4896 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4898 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4901 * The version variable is irrelevant in this case - it's what is in the
4902 * buffer that matters
4904 if ((tst & 0x02) == 0x02)
4910 if (!TEST_true(ret == expected))
4922 * Test that SSL_export_keying_material() produces expected results. There are
4923 * no test vectors so all we do is test that both sides of the communication
4924 * produce the same results for different protocol versions.
4926 #define SMALL_LABEL_LEN 10
4927 #define LONG_LABEL_LEN 249
4928 static int test_export_key_mat(int tst)
4931 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4932 SSL *clientssl = NULL, *serverssl = NULL;
4933 const char label[LONG_LABEL_LEN + 1] = "test label";
4934 const unsigned char context[] = "context";
4935 const unsigned char *emptycontext = NULL;
4936 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4937 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4939 const int protocols[] = {
4948 #ifdef OPENSSL_NO_TLS1
4952 #ifdef OPENSSL_NO_TLS1_1
4956 if (is_fips && (tst == 0 || tst == 1))
4958 #ifdef OPENSSL_NO_TLS1_2
4962 #ifdef OPENSSL_NO_TLS1_3
4966 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4967 TLS_client_method(), TLS1_VERSION, 0,
4968 &sctx, &cctx, cert, privkey)))
4971 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4972 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4973 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4975 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4977 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4983 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4986 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4987 sizeof(ckeymat1), label,
4988 LONG_LABEL_LEN + 1, context,
4989 sizeof(context) - 1, 1), 0))
4994 } else if (tst == 4) {
4995 labellen = LONG_LABEL_LEN;
4997 labellen = SMALL_LABEL_LEN;
5000 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5001 sizeof(ckeymat1), label,
5003 sizeof(context) - 1, 1), 1)
5004 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5005 sizeof(ckeymat2), label,
5009 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5010 sizeof(ckeymat3), label,
5013 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5014 sizeof(skeymat1), label,
5017 sizeof(context) -1, 1),
5019 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5020 sizeof(skeymat2), label,
5024 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5025 sizeof(skeymat3), label,
5029 * Check that both sides created the same key material with the
5032 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5035 * Check that both sides created the same key material with an
5038 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5041 * Check that both sides created the same key material without a
5044 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5046 /* Different contexts should produce different results */
5047 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5052 * Check that an empty context and no context produce different results in
5053 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5055 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5057 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5064 SSL_free(serverssl);
5065 SSL_free(clientssl);
5066 SSL_CTX_free(sctx2);
5073 #ifndef OPENSSL_NO_TLS1_3
5075 * Test that SSL_export_keying_material_early() produces expected
5076 * results. There are no test vectors so all we do is test that both
5077 * sides of the communication produce the same results for different
5078 * protocol versions.
5080 static int test_export_key_mat_early(int idx)
5082 static const char label[] = "test label";
5083 static const unsigned char context[] = "context";
5085 SSL_CTX *cctx = NULL, *sctx = NULL;
5086 SSL *clientssl = NULL, *serverssl = NULL;
5087 SSL_SESSION *sess = NULL;
5088 const unsigned char *emptycontext = NULL;
5089 unsigned char ckeymat1[80], ckeymat2[80];
5090 unsigned char skeymat1[80], skeymat2[80];
5091 unsigned char buf[1];
5092 size_t readbytes, written;
5094 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5098 /* Here writing 0 length early data is enough. */
5099 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5100 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5102 SSL_READ_EARLY_DATA_ERROR)
5103 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5104 SSL_EARLY_DATA_ACCEPTED))
5107 if (!TEST_int_eq(SSL_export_keying_material_early(
5108 clientssl, ckeymat1, sizeof(ckeymat1), label,
5109 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5110 || !TEST_int_eq(SSL_export_keying_material_early(
5111 clientssl, ckeymat2, sizeof(ckeymat2), label,
5112 sizeof(label) - 1, emptycontext, 0), 1)
5113 || !TEST_int_eq(SSL_export_keying_material_early(
5114 serverssl, skeymat1, sizeof(skeymat1), label,
5115 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5116 || !TEST_int_eq(SSL_export_keying_material_early(
5117 serverssl, skeymat2, sizeof(skeymat2), label,
5118 sizeof(label) - 1, emptycontext, 0), 1)
5120 * Check that both sides created the same key material with the
5123 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5126 * Check that both sides created the same key material with an
5129 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5131 /* Different contexts should produce different results */
5132 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5139 SSL_SESSION_free(sess);
5140 SSL_SESSION_free(clientpsk);
5141 SSL_SESSION_free(serverpsk);
5142 clientpsk = serverpsk = NULL;
5143 SSL_free(serverssl);
5144 SSL_free(clientssl);
5151 #define NUM_KEY_UPDATE_MESSAGES 40
5155 static int test_key_update(void)
5157 SSL_CTX *cctx = NULL, *sctx = NULL;
5158 SSL *clientssl = NULL, *serverssl = NULL;
5159 int testresult = 0, i, j;
5161 static char *mess = "A test message";
5163 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5164 TLS_client_method(),
5167 &sctx, &cctx, cert, privkey))
5168 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5170 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5174 for (j = 0; j < 2; j++) {
5175 /* Send lots of KeyUpdate messages */
5176 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5177 if (!TEST_true(SSL_key_update(clientssl,
5179 ? SSL_KEY_UPDATE_NOT_REQUESTED
5180 : SSL_KEY_UPDATE_REQUESTED))
5181 || !TEST_true(SSL_do_handshake(clientssl)))
5185 /* Check that sending and receiving app data is ok */
5186 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5187 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5191 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5192 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5200 SSL_free(serverssl);
5201 SSL_free(clientssl);
5209 * Test we can handle a KeyUpdate (update requested) message while write data
5211 * Test 0: Client sends KeyUpdate while Server is writing
5212 * Test 1: Server sends KeyUpdate while Client is writing
5214 static int test_key_update_in_write(int tst)
5216 SSL_CTX *cctx = NULL, *sctx = NULL;
5217 SSL *clientssl = NULL, *serverssl = NULL;
5220 static char *mess = "A test message";
5221 BIO *bretry = BIO_new(bio_s_always_retry());
5223 SSL *peerupdate = NULL, *peerwrite = NULL;
5225 if (!TEST_ptr(bretry)
5226 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5227 TLS_client_method(),
5230 &sctx, &cctx, cert, privkey))
5231 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5233 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5237 peerupdate = tst == 0 ? clientssl : serverssl;
5238 peerwrite = tst == 0 ? serverssl : clientssl;
5240 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5241 || !TEST_true(SSL_do_handshake(peerupdate)))
5244 /* Swap the writing endpoint's write BIO to force a retry */
5245 tmp = SSL_get_wbio(peerwrite);
5246 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5250 SSL_set0_wbio(peerwrite, bretry);
5253 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5254 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5255 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5258 /* Reinstate the original writing endpoint's write BIO */
5259 SSL_set0_wbio(peerwrite, tmp);
5262 /* Now read some data - we will read the key update */
5263 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5264 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5268 * Complete the write we started previously and read it from the other
5271 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5272 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5275 /* Write more data to ensure we send the KeyUpdate message back */
5276 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5277 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5283 SSL_free(serverssl);
5284 SSL_free(clientssl);
5292 #endif /* OPENSSL_NO_TLS1_3 */
5294 static int test_ssl_clear(int idx)
5296 SSL_CTX *cctx = NULL, *sctx = NULL;
5297 SSL *clientssl = NULL, *serverssl = NULL;
5300 #ifdef OPENSSL_NO_TLS1_2
5305 /* Create an initial connection */
5306 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5307 TLS_client_method(), TLS1_VERSION, 0,
5308 &sctx, &cctx, cert, privkey))
5310 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5312 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5313 &clientssl, NULL, NULL))
5314 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5318 SSL_shutdown(clientssl);
5319 SSL_shutdown(serverssl);
5320 SSL_free(serverssl);
5323 /* Clear clientssl - we're going to reuse the object */
5324 if (!TEST_true(SSL_clear(clientssl)))
5327 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5329 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5331 || !TEST_true(SSL_session_reused(clientssl)))
5334 SSL_shutdown(clientssl);
5335 SSL_shutdown(serverssl);
5340 SSL_free(serverssl);
5341 SSL_free(clientssl);
5348 /* Parse CH and retrieve any MFL extension value if present */
5349 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5352 unsigned char *data;
5353 PACKET pkt, pkt2, pkt3;
5354 unsigned int MFL_code = 0, type = 0;
5356 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5359 memset(&pkt, 0, sizeof(pkt));
5360 memset(&pkt2, 0, sizeof(pkt2));
5361 memset(&pkt3, 0, sizeof(pkt3));
5363 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5364 /* Skip the record header */
5365 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5366 /* Skip the handshake message header */
5367 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5368 /* Skip client version and random */
5369 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5370 + SSL3_RANDOM_SIZE))
5371 /* Skip session id */
5372 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5374 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5375 /* Skip compression */
5376 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5377 /* Extensions len */
5378 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5381 /* Loop through all extensions */
5382 while (PACKET_remaining(&pkt2)) {
5383 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5384 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5387 if (type == TLSEXT_TYPE_max_fragment_length) {
5388 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5389 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5392 *mfl_codemfl_code = MFL_code;
5401 /* Maximum-Fragment-Length TLS extension mode to test */
5402 static const unsigned char max_fragment_len_test[] = {
5403 TLSEXT_max_fragment_length_512,
5404 TLSEXT_max_fragment_length_1024,
5405 TLSEXT_max_fragment_length_2048,
5406 TLSEXT_max_fragment_length_4096
5409 static int test_max_fragment_len_ext(int idx_tst)
5413 int testresult = 0, MFL_mode = 0;
5416 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5420 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5421 ctx, max_fragment_len_test[idx_tst])))
5428 rbio = BIO_new(BIO_s_mem());
5429 wbio = BIO_new(BIO_s_mem());
5430 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5436 SSL_set_bio(con, rbio, wbio);
5437 SSL_set_connect_state(con);
5439 if (!TEST_int_le(SSL_connect(con), 0)) {
5440 /* This shouldn't succeed because we don't have a server! */
5444 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5445 /* no MFL in client hello */
5447 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5459 #ifndef OPENSSL_NO_TLS1_3
5460 static int test_pha_key_update(void)
5462 SSL_CTX *cctx = NULL, *sctx = NULL;
5463 SSL *clientssl = NULL, *serverssl = NULL;
5466 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5467 TLS_client_method(), TLS1_VERSION, 0,
5468 &sctx, &cctx, cert, privkey)))
5471 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5472 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5473 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5474 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5477 SSL_CTX_set_post_handshake_auth(cctx, 1);
5479 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5483 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5487 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5488 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5491 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5494 /* Start handshake on the server */
5495 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5498 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5499 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5503 SSL_shutdown(clientssl);
5504 SSL_shutdown(serverssl);
5509 SSL_free(serverssl);
5510 SSL_free(clientssl);
5517 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5519 static SRP_VBASE *vbase = NULL;
5521 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5523 int ret = SSL3_AL_FATAL;
5525 SRP_user_pwd *user = NULL;
5527 username = SSL_get_srp_username(s);
5528 if (username == NULL) {
5529 *ad = SSL_AD_INTERNAL_ERROR;
5533 user = SRP_VBASE_get1_by_user(vbase, username);
5535 *ad = SSL_AD_INTERNAL_ERROR;
5539 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5541 *ad = SSL_AD_INTERNAL_ERROR;
5548 SRP_user_pwd_free(user);
5552 static int create_new_vfile(char *userid, char *password, const char *filename)
5555 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5558 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5561 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5564 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5565 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
5566 if (!TEST_ptr(gNid))
5570 * The only way to create an empty TXT_DB is to provide a BIO with no data
5573 db = TXT_DB_read(dummy, DB_NUMBER);
5577 out = BIO_new_file(filename, "w");
5581 row[DB_srpid] = OPENSSL_strdup(userid);
5582 row[DB_srptype] = OPENSSL_strdup("V");
5583 row[DB_srpgN] = OPENSSL_strdup(gNid);
5585 if (!TEST_ptr(row[DB_srpid])
5586 || !TEST_ptr(row[DB_srptype])
5587 || !TEST_ptr(row[DB_srpgN])
5588 || !TEST_true(TXT_DB_insert(db, row)))
5593 if (!TXT_DB_write(out, db))
5599 for (i = 0; i < DB_NUMBER; i++)
5600 OPENSSL_free(row[i]);
5610 static int create_new_vbase(char *userid, char *password)
5612 BIGNUM *verifier = NULL, *salt = NULL;
5613 const SRP_gN *lgN = NULL;
5614 SRP_user_pwd *user_pwd = NULL;
5617 lgN = SRP_get_default_gN(NULL);
5621 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5622 lgN->N, lgN->g, libctx, NULL)))
5625 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5626 if (!TEST_ptr(user_pwd))
5629 user_pwd->N = lgN->N;
5630 user_pwd->g = lgN->g;
5631 user_pwd->id = OPENSSL_strdup(userid);
5632 if (!TEST_ptr(user_pwd->id))
5635 user_pwd->v = verifier;
5637 verifier = salt = NULL;
5639 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5645 SRP_user_pwd_free(user_pwd);
5655 * Test 0: Simple successful SRP connection, new vbase
5656 * Test 1: Connection failure due to bad password, new vbase
5657 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5658 * Test 3: Connection failure due to bad password, vbase loaded from existing
5660 * Test 4: Simple successful SRP connection, vbase loaded from new file
5661 * Test 5: Connection failure due to bad password, vbase loaded from new file
5663 static int test_srp(int tst)
5665 char *userid = "test", *password = "password", *tstsrpfile;
5666 SSL_CTX *cctx = NULL, *sctx = NULL;
5667 SSL *clientssl = NULL, *serverssl = NULL;
5668 int ret, testresult = 0;
5670 vbase = SRP_VBASE_new(NULL);
5671 if (!TEST_ptr(vbase))
5674 if (tst == 0 || tst == 1) {
5675 if (!TEST_true(create_new_vbase(userid, password)))
5678 if (tst == 4 || tst == 5) {
5679 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5681 tstsrpfile = tmpfilename;
5683 tstsrpfile = srpvfile;
5685 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5689 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5690 TLS_client_method(), TLS1_VERSION, 0,
5691 &sctx, &cctx, cert, privkey)))
5694 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5695 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5696 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5697 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5698 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5702 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5705 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5713 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5715 if (!TEST_true(tst % 2 == 0))
5718 if (!TEST_true(tst % 2 == 1))
5725 SRP_VBASE_free(vbase);
5727 SSL_free(serverssl);
5728 SSL_free(clientssl);
5736 static int info_cb_failed = 0;
5737 static int info_cb_offset = 0;
5738 static int info_cb_this_state = -1;
5740 static struct info_cb_states_st {
5742 const char *statestr;
5743 } info_cb_states[][60] = {
5745 /* TLSv1.2 server followed by resumption */
5746 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5747 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5748 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5749 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5750 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5751 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5752 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5753 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5754 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5755 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5756 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5757 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5758 {SSL_CB_EXIT, NULL}, {0, NULL},
5760 /* TLSv1.2 client followed by resumption */
5761 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5762 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5763 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5764 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5765 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5766 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5767 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5768 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5769 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5770 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5771 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5772 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5774 /* TLSv1.3 server followed by resumption */
5775 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5776 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5777 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5778 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5779 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5780 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5781 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5782 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5783 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5784 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5785 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5786 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5787 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5789 /* TLSv1.3 client followed by resumption */
5790 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5791 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5792 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5793 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5794 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5795 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5796 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5797 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5798 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5799 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5800 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5801 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5802 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5803 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5804 {SSL_CB_EXIT, NULL}, {0, NULL},
5806 /* TLSv1.3 server, early_data */
5807 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5808 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5809 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5810 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5811 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5812 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5813 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5814 {SSL_CB_EXIT, NULL}, {0, NULL},
5816 /* TLSv1.3 client, early_data */
5817 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5818 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5819 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5820 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5821 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5822 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5823 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5824 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5825 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5831 static void sslapi_info_callback(const SSL *s, int where, int ret)
5833 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5835 /* We do not ever expect a connection to fail in this test */
5836 if (!TEST_false(ret == 0)) {
5842 * Do some sanity checks. We never expect these things to happen in this
5845 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5846 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5847 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5852 /* Now check we're in the right state */
5853 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5857 if ((where & SSL_CB_LOOP) != 0
5858 && !TEST_int_eq(strcmp(SSL_state_string(s),
5859 state[info_cb_this_state].statestr), 0)) {
5865 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5867 if ((where & SSL_CB_HANDSHAKE_DONE)
5868 && SSL_in_init((SSL *)s) != 0) {
5875 * Test the info callback gets called when we expect it to.
5877 * Test 0: TLSv1.2, server
5878 * Test 1: TLSv1.2, client
5879 * Test 2: TLSv1.3, server
5880 * Test 3: TLSv1.3, client
5881 * Test 4: TLSv1.3, server, early_data
5882 * Test 5: TLSv1.3, client, early_data
5884 static int test_info_callback(int tst)
5886 SSL_CTX *cctx = NULL, *sctx = NULL;
5887 SSL *clientssl = NULL, *serverssl = NULL;
5888 SSL_SESSION *clntsess = NULL;
5893 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5894 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5895 || !defined(OPENSSL_NO_DH))
5896 tlsvers = TLS1_2_VERSION;
5901 #ifndef OPENSSL_NO_TLS1_3
5902 tlsvers = TLS1_3_VERSION;
5910 info_cb_this_state = -1;
5911 info_cb_offset = tst;
5913 #ifndef OPENSSL_NO_TLS1_3
5915 SSL_SESSION *sess = NULL;
5916 size_t written, readbytes;
5917 unsigned char buf[80];
5919 /* early_data tests */
5920 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5921 &serverssl, &sess, 0)))
5924 /* We don't actually need this reference */
5925 SSL_SESSION_free(sess);
5927 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5928 sslapi_info_callback);
5930 /* Write and read some early data and then complete the connection */
5931 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5933 || !TEST_size_t_eq(written, strlen(MSG1))
5934 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5935 sizeof(buf), &readbytes),
5936 SSL_READ_EARLY_DATA_SUCCESS)
5937 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5938 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5939 SSL_EARLY_DATA_ACCEPTED)
5940 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5942 || !TEST_false(info_cb_failed))
5950 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5951 TLS_client_method(),
5952 tlsvers, tlsvers, &sctx, &cctx, cert,
5957 * For even numbered tests we check the server callbacks. For odd numbers we
5960 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5961 sslapi_info_callback);
5963 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5964 &clientssl, NULL, NULL))
5965 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5967 || !TEST_false(info_cb_failed))
5972 clntsess = SSL_get1_session(clientssl);
5973 SSL_shutdown(clientssl);
5974 SSL_shutdown(serverssl);
5975 SSL_free(serverssl);
5976 SSL_free(clientssl);
5977 serverssl = clientssl = NULL;
5979 /* Now do a resumption */
5980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5982 || !TEST_true(SSL_set_session(clientssl, clntsess))
5983 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5985 || !TEST_true(SSL_session_reused(clientssl))
5986 || !TEST_false(info_cb_failed))
5992 SSL_free(serverssl);
5993 SSL_free(clientssl);
5994 SSL_SESSION_free(clntsess);
6000 static int test_ssl_pending(int tst)
6002 SSL_CTX *cctx = NULL, *sctx = NULL;
6003 SSL *clientssl = NULL, *serverssl = NULL;
6005 char msg[] = "A test message";
6007 size_t written, readbytes;
6010 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6011 TLS_client_method(),
6013 &sctx, &cctx, cert, privkey)))
6016 #ifndef OPENSSL_NO_DTLS
6017 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6018 DTLS_client_method(),
6020 &sctx, &cctx, cert, privkey)))
6027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6029 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6033 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6034 || !TEST_false(SSL_has_pending(clientssl))
6035 || !TEST_int_eq(SSL_pending(serverssl), 0)
6036 || !TEST_false(SSL_has_pending(serverssl))
6037 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6038 || !TEST_size_t_eq(written, sizeof(msg))
6039 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6040 || !TEST_size_t_eq(readbytes, sizeof(buf))
6041 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6042 || !TEST_true(SSL_has_pending(clientssl)))
6048 SSL_free(serverssl);
6049 SSL_free(clientssl);
6057 unsigned int maxprot;
6058 const char *clntciphers;
6059 const char *clnttls13ciphers;
6060 const char *srvrciphers;
6061 const char *srvrtls13ciphers;
6063 } shared_ciphers_data[] = {
6065 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6066 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6068 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6071 "AES128-SHA:AES256-SHA",
6073 "AES256-SHA:DHE-RSA-AES128-SHA",
6079 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6081 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6083 "AES128-SHA:AES256-SHA"
6087 "AES128-SHA:AES256-SHA",
6089 "AES128-SHA:DHE-RSA-AES128-SHA",
6095 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6098 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6099 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6102 "AES128-SHA:AES256-SHA",
6104 "AES256-SHA:AES128-SHA256",
6106 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6107 "TLS_AES_128_GCM_SHA256:AES256-SHA"
6110 #ifndef OPENSSL_NO_TLS1_3
6114 "TLS_AES_256_GCM_SHA384",
6116 "TLS_AES_256_GCM_SHA384",
6117 "TLS_AES_256_GCM_SHA384"
6122 static int test_ssl_get_shared_ciphers(int tst)
6124 SSL_CTX *cctx = NULL, *sctx = NULL;
6125 SSL *clientssl = NULL, *serverssl = NULL;
6129 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6130 TLS_client_method(),
6132 shared_ciphers_data[tst].maxprot,
6133 &sctx, &cctx, cert, privkey)))
6136 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6137 shared_ciphers_data[tst].clntciphers))
6138 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6139 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6140 shared_ciphers_data[tst].clnttls13ciphers)))
6141 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6142 shared_ciphers_data[tst].srvrciphers))
6143 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6144 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6145 shared_ciphers_data[tst].srvrtls13ciphers))))
6149 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6151 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6155 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6156 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6157 TEST_info("Shared ciphers are: %s\n", buf);
6164 SSL_free(serverssl);
6165 SSL_free(clientssl);
6172 static const char *appdata = "Hello World";
6173 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6174 static int tick_key_renew = 0;
6175 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6177 static int gen_tick_cb(SSL *s, void *arg)
6179 gen_tick_called = 1;
6181 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6185 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6186 const unsigned char *keyname,
6187 size_t keyname_length,
6188 SSL_TICKET_STATUS status,
6194 dec_tick_called = 1;
6196 if (status == SSL_TICKET_EMPTY)
6197 return SSL_TICKET_RETURN_IGNORE_RENEW;
6199 if (!TEST_true(status == SSL_TICKET_SUCCESS
6200 || status == SSL_TICKET_SUCCESS_RENEW))
6201 return SSL_TICKET_RETURN_ABORT;
6203 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6205 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6206 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6207 return SSL_TICKET_RETURN_ABORT;
6209 if (tick_key_cb_called) {
6210 /* Don't change what the ticket key callback wanted to do */
6212 case SSL_TICKET_NO_DECRYPT:
6213 return SSL_TICKET_RETURN_IGNORE_RENEW;
6215 case SSL_TICKET_SUCCESS:
6216 return SSL_TICKET_RETURN_USE;
6218 case SSL_TICKET_SUCCESS_RENEW:
6219 return SSL_TICKET_RETURN_USE_RENEW;
6222 return SSL_TICKET_RETURN_ABORT;
6225 return tick_dec_ret;
6229 #ifndef OPENSSL_NO_DEPRECATED_3_0
6230 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6231 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6232 HMAC_CTX *hctx, int enc)
6234 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6235 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6236 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6237 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6240 tick_key_cb_called = 1;
6241 memset(iv, 0, AES_BLOCK_SIZE);
6242 memset(key_name, 0, 16);
6243 if (aes128cbc == NULL
6245 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6246 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6250 ret = tick_key_renew ? 2 : 1;
6252 EVP_CIPHER_free(aes128cbc);
6253 EVP_MD_free(sha256);
6259 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6260 unsigned char iv[EVP_MAX_IV_LENGTH],
6261 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6263 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6264 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6265 OSSL_PARAM params[3];
6266 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6269 tick_key_cb_called = 1;
6270 memset(iv, 0, AES_BLOCK_SIZE);
6271 memset(key_name, 0, 16);
6272 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6274 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6276 sizeof(tick_hmac_key));
6277 params[2] = OSSL_PARAM_construct_end();
6278 if (aes128cbc == NULL
6279 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6280 || !EVP_MAC_CTX_set_params(hctx, params)
6281 || !EVP_MAC_init(hctx))
6284 ret = tick_key_renew ? 2 : 1;
6286 EVP_CIPHER_free(aes128cbc);
6292 * Test the various ticket callbacks
6293 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6294 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6295 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6296 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6297 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6298 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6299 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6300 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6301 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6302 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6303 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6304 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6305 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6306 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6307 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6308 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6310 static int test_ticket_callbacks(int tst)
6312 SSL_CTX *cctx = NULL, *sctx = NULL;
6313 SSL *clientssl = NULL, *serverssl = NULL;
6314 SSL_SESSION *clntsess = NULL;
6317 #ifdef OPENSSL_NO_TLS1_2
6321 #ifdef OPENSSL_NO_TLS1_3
6325 #ifdef OPENSSL_NO_DEPRECATED_3_0
6326 if (tst >= 8 && tst <= 11)
6330 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6332 /* Which tests the ticket key callback should request renewal for */
6333 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6338 /* Which tests the decrypt ticket callback should request renewal for */
6342 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6347 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6352 tick_dec_ret = SSL_TICKET_RETURN_USE;
6357 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6361 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6365 TLS_client_method(),
6367 ((tst % 2) == 0) ? TLS1_2_VERSION
6369 &sctx, &cctx, cert, privkey)))
6373 * We only want sessions to resume from tickets - not the session cache. So
6374 * switch the cache off.
6376 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6379 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6384 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6386 #ifndef OPENSSL_NO_DEPRECATED_3_0
6387 } else if (tst >= 8) {
6388 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6393 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6395 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6400 * The decrypt ticket key callback in TLSv1.2 should be called even though
6401 * we have no ticket yet, because it gets called with a status of
6402 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6403 * actually send any ticket data). This does not happen in TLSv1.3 because
6404 * it is not valid to send empty ticket data in TLSv1.3.
6406 if (!TEST_int_eq(gen_tick_called, 1)
6407 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6410 gen_tick_called = dec_tick_called = 0;
6412 clntsess = SSL_get1_session(clientssl);
6413 SSL_shutdown(clientssl);
6414 SSL_shutdown(serverssl);
6415 SSL_free(serverssl);
6416 SSL_free(clientssl);
6417 serverssl = clientssl = NULL;
6419 /* Now do a resumption */
6420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6422 || !TEST_true(SSL_set_session(clientssl, clntsess))
6423 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6427 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6428 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6429 if (!TEST_false(SSL_session_reused(clientssl)))
6432 if (!TEST_true(SSL_session_reused(clientssl)))
6436 if (!TEST_int_eq(gen_tick_called,
6438 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6439 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6441 || !TEST_int_eq(dec_tick_called, 1))
6447 SSL_SESSION_free(clntsess);
6448 SSL_free(serverssl);
6449 SSL_free(clientssl);
6457 * Test bi-directional shutdown.
6459 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6460 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6461 * Test 3: TLSv1.3, pending NewSessionTicket messages
6462 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6463 * sends key update, client reads it
6464 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6465 * sends CertificateRequest, client reads and ignores it
6466 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6469 static int test_shutdown(int tst)
6471 SSL_CTX *cctx = NULL, *sctx = NULL;
6472 SSL *clientssl = NULL, *serverssl = NULL;
6474 char msg[] = "A test message";
6476 size_t written, readbytes;
6479 #ifdef OPENSSL_NO_TLS1_2
6483 #ifdef OPENSSL_NO_TLS1_3
6488 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6489 TLS_client_method(),
6491 (tst <= 1) ? TLS1_2_VERSION
6493 &sctx, &cctx, cert, privkey)))
6497 SSL_CTX_set_post_handshake_auth(cctx, 1);
6499 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6504 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6506 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6507 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6509 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6511 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6512 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6516 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6521 * Reading on the server after the client has sent close_notify should
6522 * fail and provide SSL_ERROR_ZERO_RETURN
6524 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6525 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6526 SSL_ERROR_ZERO_RETURN)
6527 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6528 SSL_RECEIVED_SHUTDOWN)
6530 * Even though we're shutdown on receive we should still be
6533 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6536 && !TEST_true(SSL_key_update(serverssl,
6537 SSL_KEY_UPDATE_REQUESTED)))
6540 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6541 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6544 if ((tst == 4 || tst == 5)
6545 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6547 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6549 if (tst == 4 || tst == 5) {
6550 /* Should still be able to read data from server */
6551 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6553 || !TEST_size_t_eq(readbytes, sizeof(msg))
6554 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6555 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6557 || !TEST_size_t_eq(readbytes, sizeof(msg))
6558 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6563 /* Writing on the client after sending close_notify shouldn't be possible */
6564 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6569 * For these tests the client has sent close_notify but it has not yet
6570 * been received by the server. The server has not sent close_notify
6573 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6575 * Writing on the server after sending close_notify shouldn't
6578 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6579 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6580 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6581 || !TEST_true(SSL_SESSION_is_resumable(sess))
6582 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6584 } else if (tst == 4 || tst == 5) {
6586 * In this test the client has sent close_notify and it has been
6587 * received by the server which has responded with a close_notify. The
6588 * client needs to read the close_notify sent by the server.
6590 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6591 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6592 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6598 * The client has sent close_notify and is expecting a close_notify
6599 * back, but instead there is application data first. The shutdown
6600 * should fail with a fatal error.
6602 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6603 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6610 SSL_free(serverssl);
6611 SSL_free(clientssl);
6618 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6619 static int cert_cb_cnt;
6621 static int cert_cb(SSL *s, void *arg)
6623 SSL_CTX *ctx = (SSL_CTX *)arg;
6625 EVP_PKEY *pkey = NULL;
6626 X509 *x509 = NULL, *rootx = NULL;
6627 STACK_OF(X509) *chain = NULL;
6628 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6631 if (cert_cb_cnt == 0) {
6632 /* Suspend the handshake */
6635 } else if (cert_cb_cnt == 1) {
6637 * Update the SSL_CTX, set the certificate and private key and then
6638 * continue the handshake normally.
6640 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6643 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6644 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6646 || !TEST_true(SSL_check_private_key(s)))
6650 } else if (cert_cb_cnt == 3) {
6653 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6654 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6655 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6656 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6658 chain = sk_X509_new_null();
6659 if (!TEST_ptr(chain))
6661 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6662 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6663 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6664 || !TEST_true(sk_X509_push(chain, rootx)))
6668 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6669 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6670 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6673 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6674 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6675 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6677 rv = SSL_check_chain(s, x509, pkey, chain);
6679 * If the cert doesn't show as valid here (e.g., because we don't
6680 * have any shared sigalgs), then we will not set it, and there will
6681 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6682 * will cause tls_choose_sigalgs() to fail the connection.
6684 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6685 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6686 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6693 /* Abort the handshake */
6695 OPENSSL_free(ecdsacert);
6696 OPENSSL_free(ecdsakey);
6697 OPENSSL_free(rootfile);
6699 EVP_PKEY_free(pkey);
6702 sk_X509_pop_free(chain, X509_free);
6707 * Test the certificate callback.
6708 * Test 0: Callback fails
6709 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6710 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6711 * Test 3: Success - Call SSL_check_chain from the callback
6712 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6714 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6716 static int test_cert_cb_int(int prot, int tst)
6718 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6719 SSL *clientssl = NULL, *serverssl = NULL;
6720 int testresult = 0, ret;
6722 #ifdef OPENSSL_NO_EC
6723 /* We use an EC cert in these tests, so we skip in a no-ec build */
6728 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6729 TLS_client_method(),
6732 &sctx, &cctx, NULL, NULL)))
6743 snictx = SSL_CTX_new(TLS_server_method());
6744 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6746 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6752 * We cause SSL_check_chain() to fail by specifying sig_algs that
6753 * the chain doesn't meet (the root uses an RSA cert)
6755 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6756 "ecdsa_secp256r1_sha256")))
6758 } else if (tst == 5) {
6760 * We cause SSL_check_chain() to fail by specifying sig_algs that
6761 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6763 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6764 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6768 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6769 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6771 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6778 SSL_free(serverssl);
6779 SSL_free(clientssl);
6782 SSL_CTX_free(snictx);
6788 static int test_cert_cb(int tst)
6792 #ifndef OPENSSL_NO_TLS1_2
6793 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6795 #ifndef OPENSSL_NO_TLS1_3
6796 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6802 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6808 /* Check that SSL_get_peer_certificate() returns something sensible */
6809 peer = SSL_get_peer_certificate(ssl);
6810 if (!TEST_ptr(peer))
6814 in = BIO_new_file(cert, "r");
6818 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6820 if (!TEST_ptr(xcert))
6823 in = BIO_new_file(privkey, "r");
6824 if (!TEST_ptr(in)) {
6829 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6831 if (!TEST_ptr(privpkey)) {
6842 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6847 static int test_client_cert_cb(int tst)
6849 SSL_CTX *cctx = NULL, *sctx = NULL;
6850 SSL *clientssl = NULL, *serverssl = NULL;
6853 #ifdef OPENSSL_NO_TLS1_2
6857 #ifdef OPENSSL_NO_TLS1_3
6862 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6863 TLS_client_method(),
6865 tst == 0 ? TLS1_2_VERSION
6867 &sctx, &cctx, cert, privkey)))
6871 * Test that setting a client_cert_cb results in a client certificate being
6874 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6875 SSL_CTX_set_verify(sctx,
6876 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6881 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6888 SSL_free(serverssl);
6889 SSL_free(clientssl);
6896 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6898 * Test setting certificate authorities on both client and server.
6900 * Test 0: SSL_CTX_set0_CA_list() only
6901 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6902 * Test 2: Only SSL_CTX_set_client_CA_list()
6904 static int test_ca_names_int(int prot, int tst)
6906 SSL_CTX *cctx = NULL, *sctx = NULL;
6907 SSL *clientssl = NULL, *serverssl = NULL;
6910 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6911 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6912 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6913 const STACK_OF(X509_NAME) *sktmp = NULL;
6915 for (i = 0; i < OSSL_NELEM(name); i++) {
6916 name[i] = X509_NAME_new();
6917 if (!TEST_ptr(name[i])
6918 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6926 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6927 TLS_client_method(),
6930 &sctx, &cctx, cert, privkey)))
6933 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6935 if (tst == 0 || tst == 1) {
6936 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6937 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6938 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6939 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6940 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6941 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6944 SSL_CTX_set0_CA_list(sctx, sk1);
6945 SSL_CTX_set0_CA_list(cctx, sk2);
6948 if (tst == 1 || tst == 2) {
6949 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6950 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6951 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6952 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6953 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6954 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6957 SSL_CTX_set_client_CA_list(sctx, sk1);
6958 SSL_CTX_set_client_CA_list(cctx, sk2);
6962 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6964 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6969 * We only expect certificate authorities to have been sent to the server
6970 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6972 sktmp = SSL_get0_peer_CA_list(serverssl);
6973 if (prot == TLS1_3_VERSION
6974 && (tst == 0 || tst == 1)) {
6975 if (!TEST_ptr(sktmp)
6976 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6977 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6979 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6982 } else if (!TEST_ptr_null(sktmp)) {
6987 * In all tests we expect certificate authorities to have been sent to the
6988 * client. However, SSL_set_client_CA_list() should override
6989 * SSL_set0_CA_list()
6991 sktmp = SSL_get0_peer_CA_list(clientssl);
6992 if (!TEST_ptr(sktmp)
6993 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6994 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6995 name[tst == 0 ? 0 : 2]), 0)
6996 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6997 name[tst == 0 ? 1 : 3]), 0))
7003 SSL_free(serverssl);
7004 SSL_free(clientssl);
7007 for (i = 0; i < OSSL_NELEM(name); i++)
7008 X509_NAME_free(name[i]);
7009 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7010 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7016 static int test_ca_names(int tst)
7020 #ifndef OPENSSL_NO_TLS1_2
7021 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7023 #ifndef OPENSSL_NO_TLS1_3
7024 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7030 #ifndef OPENSSL_NO_TLS1_2
7031 static const char *multiblock_cipherlist_data[]=
7039 /* Reduce the fragment size - so the multiblock test buffer can be small */
7040 # define MULTIBLOCK_FRAGSIZE 512
7042 static int test_multiblock_write(int test_index)
7044 static const char *fetchable_ciphers[]=
7046 "AES-128-CBC-HMAC-SHA1",
7047 "AES-128-CBC-HMAC-SHA256",
7048 "AES-256-CBC-HMAC-SHA1",
7049 "AES-256-CBC-HMAC-SHA256"
7051 const char *cipherlist = multiblock_cipherlist_data[test_index];
7052 const SSL_METHOD *smeth = TLS_server_method();
7053 const SSL_METHOD *cmeth = TLS_client_method();
7054 int min_version = TLS1_VERSION;
7055 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7056 SSL_CTX *cctx = NULL, *sctx = NULL;
7057 SSL *clientssl = NULL, *serverssl = NULL;
7061 * Choose a buffer large enough to perform a multi-block operation
7062 * i.e: write_len >= 4 * frag_size
7063 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7065 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7066 unsigned char buf[sizeof(msg)], *p = buf;
7067 size_t readbytes, written, len;
7068 EVP_CIPHER *ciph = NULL;
7071 * Check if the cipher exists before attempting to use it since it only has
7072 * a hardware specific implementation.
7074 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7076 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7079 EVP_CIPHER_free(ciph);
7081 /* Set up a buffer with some data that will be sent to the client */
7082 RAND_bytes(msg, sizeof(msg));
7084 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7085 max_version, &sctx, &cctx, cert,
7089 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7092 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7096 /* settings to force it to use AES-CBC-HMAC_SHA */
7097 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7098 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7101 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7104 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7105 || !TEST_size_t_eq(written, sizeof(msg)))
7110 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7115 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7120 SSL_free(serverssl);
7121 SSL_free(clientssl);
7127 #endif /* OPENSSL_NO_TLS1_2 */
7130 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7131 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7132 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7133 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7134 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7135 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7136 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7137 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7138 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7139 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7141 static int test_servername(int tst)
7143 SSL_CTX *cctx = NULL, *sctx = NULL;
7144 SSL *clientssl = NULL, *serverssl = NULL;
7146 SSL_SESSION *sess = NULL;
7147 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7149 #ifdef OPENSSL_NO_TLS1_2
7153 #ifdef OPENSSL_NO_TLS1_3
7158 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7159 TLS_client_method(),
7161 (tst <= 4) ? TLS1_2_VERSION
7163 &sctx, &cctx, cert, privkey))
7164 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7168 if (tst != 1 && tst != 6) {
7169 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7174 if (tst != 3 && tst != 8) {
7175 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7177 sexpectedhost = cexpectedhost = "goodhost";
7180 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7183 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7185 || !TEST_str_eq(SSL_get_servername(serverssl,
7186 TLSEXT_NAMETYPE_host_name),
7190 /* Now repeat with a resumption handshake */
7192 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7193 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7194 || !TEST_true(SSL_SESSION_is_resumable(sess))
7195 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7198 SSL_free(clientssl);
7199 SSL_free(serverssl);
7200 clientssl = serverssl = NULL;
7202 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7206 if (!TEST_true(SSL_set_session(clientssl, sess)))
7209 sexpectedhost = cexpectedhost = "goodhost";
7210 if (tst == 2 || tst == 7) {
7211 /* Set an inconsistent hostname */
7212 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7215 * In TLSv1.2 we expect the hostname from the original handshake, in
7216 * TLSv1.3 we expect the hostname from this handshake
7219 sexpectedhost = cexpectedhost = "altgoodhost";
7221 if (!TEST_str_eq(SSL_get_servername(clientssl,
7222 TLSEXT_NAMETYPE_host_name),
7225 } else if (tst == 4 || tst == 9) {
7227 * A TLSv1.3 session does not associate a session with a servername,
7228 * but a TLSv1.2 session does.
7231 sexpectedhost = cexpectedhost = NULL;
7233 if (!TEST_str_eq(SSL_get_servername(clientssl,
7234 TLSEXT_NAMETYPE_host_name),
7238 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7241 * In a TLSv1.2 resumption where the hostname was not acknowledged
7242 * we expect the hostname on the server to be empty. On the client we
7243 * return what was requested in this case.
7245 * Similarly if the client didn't set a hostname on an original TLSv1.2
7246 * session but is now, the server hostname will be empty, but the client
7249 if (tst == 1 || tst == 3)
7250 sexpectedhost = NULL;
7252 if (!TEST_str_eq(SSL_get_servername(clientssl,
7253 TLSEXT_NAMETYPE_host_name),
7258 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7261 if (!TEST_true(SSL_session_reused(clientssl))
7262 || !TEST_true(SSL_session_reused(serverssl))
7263 || !TEST_str_eq(SSL_get_servername(clientssl,
7264 TLSEXT_NAMETYPE_host_name),
7266 || !TEST_str_eq(SSL_get_servername(serverssl,
7267 TLSEXT_NAMETYPE_host_name),
7274 SSL_SESSION_free(sess);
7275 SSL_free(serverssl);
7276 SSL_free(clientssl);
7283 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
7285 int setup_tests(void)
7290 libctx = OPENSSL_CTX_new();
7291 if (!TEST_ptr(libctx))
7294 defctxnull = OSSL_PROVIDER_load(NULL, "null");
7297 * Verify that the default and fips providers in the default libctx are not
7300 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
7301 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
7304 if (!test_skip_common_options()) {
7305 TEST_error("Error parsing test options\n");
7309 if (!TEST_ptr(certsdir = test_get_argument(0))
7310 || !TEST_ptr(srpvfile = test_get_argument(1))
7311 || !TEST_ptr(tmpfilename = test_get_argument(2))
7312 || !TEST_ptr(modulename = test_get_argument(3))
7313 || !TEST_ptr(configfile = test_get_argument(4)))
7316 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
7319 /* Check we have the expected provider available */
7320 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
7323 /* Check the default provider is not available */
7324 if (strcmp(modulename, "default") != 0
7325 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
7328 if (strcmp(modulename, "fips") == 0)
7331 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7332 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7333 TEST_error("not supported in this build");
7336 int i, mcount, rcount, fcount;
7338 for (i = 0; i < 4; i++)
7339 test_export_key_mat(i);
7340 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7341 test_printf_stdout("malloc %d realloc %d free %d\n",
7342 mcount, rcount, fcount);
7347 cert = test_mk_file_path(certsdir, "servercert.pem");
7351 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7352 if (privkey == NULL) {
7357 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7358 && !defined(OPENSSL_NO_SOCK)
7359 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7360 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7361 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7362 ADD_TEST(test_ktls_client_no_txrx_server);
7363 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7364 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7365 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7366 ADD_TEST(test_ktls_client_no_rx_server);
7367 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7368 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7369 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7370 ADD_TEST(test_ktls_client_no_tx_server);
7371 ADD_TEST(test_ktls_no_txrx_client_server);
7372 ADD_TEST(test_ktls_no_rx_client_server);
7373 ADD_TEST(test_ktls_no_tx_client_server);
7374 ADD_TEST(test_ktls_client_server);
7375 ADD_TEST(test_ktls_sendfile);
7377 ADD_TEST(test_large_message_tls);
7378 ADD_TEST(test_large_message_tls_read_ahead);
7379 #ifndef OPENSSL_NO_DTLS
7380 ADD_TEST(test_large_message_dtls);
7382 #ifndef OPENSSL_NO_OCSP
7383 ADD_TEST(test_tlsext_status_type);
7385 ADD_TEST(test_session_with_only_int_cache);
7386 ADD_TEST(test_session_with_only_ext_cache);
7387 ADD_TEST(test_session_with_both_cache);
7388 #ifndef OPENSSL_NO_TLS1_3
7389 ADD_ALL_TESTS(test_stateful_tickets, 3);
7390 ADD_ALL_TESTS(test_stateless_tickets, 3);
7391 ADD_TEST(test_psk_tickets);
7393 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7394 ADD_TEST(test_ssl_bio_pop_next_bio);
7395 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7396 ADD_TEST(test_ssl_bio_change_rbio);
7397 ADD_TEST(test_ssl_bio_change_wbio);
7398 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7399 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7400 ADD_TEST(test_keylog);
7402 #ifndef OPENSSL_NO_TLS1_3
7403 ADD_TEST(test_keylog_no_master_key);
7405 #ifndef OPENSSL_NO_TLS1_2
7406 ADD_TEST(test_client_hello_cb);
7407 ADD_TEST(test_no_ems);
7408 ADD_TEST(test_ccs_change_cipher);
7410 #ifndef OPENSSL_NO_TLS1_3
7411 ADD_ALL_TESTS(test_early_data_read_write, 3);
7413 * We don't do replay tests for external PSK. Replay protection isn't used
7416 ADD_ALL_TESTS(test_early_data_replay, 2);
7417 ADD_ALL_TESTS(test_early_data_skip, 3);
7418 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7419 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7420 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7421 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7422 ADD_ALL_TESTS(test_early_data_psk, 8);
7423 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7424 # ifndef OPENSSL_NO_TLS1_2
7425 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7428 #ifndef OPENSSL_NO_TLS1_3
7429 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7430 ADD_TEST(test_ciphersuite_change);
7431 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7432 # ifdef OPENSSL_NO_PSK
7433 ADD_ALL_TESTS(test_tls13_psk, 1);
7435 ADD_ALL_TESTS(test_tls13_psk, 4);
7436 # endif /* OPENSSL_NO_PSK */
7437 # ifndef OPENSSL_NO_TLS1_2
7438 /* Test with both TLSv1.3 and 1.2 versions */
7439 ADD_ALL_TESTS(test_key_exchange, 14);
7441 /* Test with only TLSv1.3 versions */
7442 ADD_ALL_TESTS(test_key_exchange, 12);
7444 ADD_ALL_TESTS(test_custom_exts, 5);
7445 ADD_TEST(test_stateless);
7446 ADD_TEST(test_pha_key_update);
7448 ADD_ALL_TESTS(test_custom_exts, 3);
7450 ADD_ALL_TESTS(test_serverinfo, 8);
7451 ADD_ALL_TESTS(test_export_key_mat, 6);
7452 #ifndef OPENSSL_NO_TLS1_3
7453 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7454 ADD_TEST(test_key_update);
7455 ADD_ALL_TESTS(test_key_update_in_write, 2);
7457 ADD_ALL_TESTS(test_ssl_clear, 2);
7458 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7459 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7460 ADD_ALL_TESTS(test_srp, 6);
7462 ADD_ALL_TESTS(test_info_callback, 6);
7463 ADD_ALL_TESTS(test_ssl_pending, 2);
7464 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7465 ADD_ALL_TESTS(test_ticket_callbacks, 16);
7466 ADD_ALL_TESTS(test_shutdown, 7);
7467 ADD_ALL_TESTS(test_cert_cb, 6);
7468 ADD_ALL_TESTS(test_client_cert_cb, 2);
7469 ADD_ALL_TESTS(test_ca_names, 3);
7470 #ifndef OPENSSL_NO_TLS1_2
7471 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7473 ADD_ALL_TESTS(test_servername, 10);
7477 void cleanup_tests(void)
7480 OPENSSL_free(privkey);
7481 bio_s_mempacket_test_free();
7482 bio_s_always_retry_free();
7483 OSSL_PROVIDER_unload(defctxnull);
7484 OPENSSL_CTX_free(libctx);