2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include <openssl/opensslconf.h>
14 #include <openssl/bio.h>
15 #include <openssl/crypto.h>
16 #include <openssl/ssl.h>
17 #include <openssl/ocsp.h>
18 #include <openssl/srp.h>
19 #include <openssl/txt_db.h>
20 #include <openssl/aes.h>
21 #include <openssl/rand.h>
23 #include "ssltestlib.h"
25 #include "testutil/output.h"
26 #include "internal/nelem.h"
27 #include "internal/ktls.h"
28 #include "../ssl/ssl_locl.h"
30 #ifndef OPENSSL_NO_TLS1_3
32 static SSL_SESSION *clientpsk = NULL;
33 static SSL_SESSION *serverpsk = NULL;
34 static const char *pskid = "Identity";
35 static const char *srvid;
37 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
38 size_t *idlen, SSL_SESSION **sess);
39 static int find_session_cb(SSL *ssl, const unsigned char *identity,
40 size_t identity_len, SSL_SESSION **sess);
42 static int use_session_cb_cnt = 0;
43 static int find_session_cb_cnt = 0;
45 static SSL_SESSION *create_a_psk(SSL *ssl);
48 static char *cert = NULL;
49 static char *privkey = NULL;
50 static char *srpvfile = NULL;
51 static char *tmpfilename = NULL;
53 #define LOG_BUFFER_SIZE 2048
54 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
55 static size_t server_log_buffer_index = 0;
56 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
57 static size_t client_log_buffer_index = 0;
58 static int error_writing_log = 0;
60 #ifndef OPENSSL_NO_OCSP
61 static const unsigned char orespder[] = "Dummy OCSP Response";
62 static int ocsp_server_called = 0;
63 static int ocsp_client_called = 0;
65 static int cdummyarg = 1;
66 static X509 *ocspcert = NULL;
69 #define NUM_EXTRA_CERTS 40
70 #define CLIENT_VERSION_LEN 2
73 * This structure is used to validate that the correct number of log messages
74 * of various types are emitted when emitting secret logs.
76 struct sslapitest_log_counts {
77 unsigned int rsa_key_exchange_count;
78 unsigned int master_secret_count;
79 unsigned int client_early_secret_count;
80 unsigned int client_handshake_secret_count;
81 unsigned int server_handshake_secret_count;
82 unsigned int client_application_secret_count;
83 unsigned int server_application_secret_count;
84 unsigned int early_exporter_secret_count;
85 unsigned int exporter_secret_count;
89 static unsigned char serverinfov1[] = {
90 0xff, 0xff, /* Dummy extension type */
91 0x00, 0x01, /* Extension length is 1 byte */
92 0xff /* Dummy extension data */
95 static unsigned char serverinfov2[] = {
97 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
98 0xff, 0xff, /* Dummy extension type */
99 0x00, 0x01, /* Extension length is 1 byte */
100 0xff /* Dummy extension data */
103 static void client_keylog_callback(const SSL *ssl, const char *line)
105 int line_length = strlen(line);
107 /* If the log doesn't fit, error out. */
108 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
109 TEST_info("Client log too full");
110 error_writing_log = 1;
114 strcat(client_log_buffer, line);
115 client_log_buffer_index += line_length;
116 client_log_buffer[client_log_buffer_index++] = '\n';
119 static void server_keylog_callback(const SSL *ssl, const char *line)
121 int line_length = strlen(line);
123 /* If the log doesn't fit, error out. */
124 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
125 TEST_info("Server log too full");
126 error_writing_log = 1;
130 strcat(server_log_buffer, line);
131 server_log_buffer_index += line_length;
132 server_log_buffer[server_log_buffer_index++] = '\n';
135 static int compare_hex_encoded_buffer(const char *hex_encoded,
143 if (!TEST_size_t_eq(raw_length * 2, hex_length))
146 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
147 sprintf(hexed, "%02x", raw[i]);
148 if (!TEST_int_eq(hexed[0], hex_encoded[j])
149 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
156 static int test_keylog_output(char *buffer, const SSL *ssl,
157 const SSL_SESSION *session,
158 struct sslapitest_log_counts *expected)
161 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
162 size_t client_random_size = SSL3_RANDOM_SIZE;
163 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
164 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
165 unsigned int rsa_key_exchange_count = 0;
166 unsigned int master_secret_count = 0;
167 unsigned int client_early_secret_count = 0;
168 unsigned int client_handshake_secret_count = 0;
169 unsigned int server_handshake_secret_count = 0;
170 unsigned int client_application_secret_count = 0;
171 unsigned int server_application_secret_count = 0;
172 unsigned int early_exporter_secret_count = 0;
173 unsigned int exporter_secret_count = 0;
175 for (token = strtok(buffer, " \n"); token != NULL;
176 token = strtok(NULL, " \n")) {
177 if (strcmp(token, "RSA") == 0) {
179 * Premaster secret. Tokens should be: 16 ASCII bytes of
180 * hex-encoded encrypted secret, then the hex-encoded pre-master
183 if (!TEST_ptr(token = strtok(NULL, " \n")))
185 if (!TEST_size_t_eq(strlen(token), 16))
187 if (!TEST_ptr(token = strtok(NULL, " \n")))
190 * We can't sensibly check the log because the premaster secret is
191 * transient, and OpenSSL doesn't keep hold of it once the master
192 * secret is generated.
194 rsa_key_exchange_count++;
195 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
197 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
198 * client random, then the hex-encoded master secret.
200 client_random_size = SSL_get_client_random(ssl,
201 actual_client_random,
203 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
206 if (!TEST_ptr(token = strtok(NULL, " \n")))
208 if (!TEST_size_t_eq(strlen(token), 64))
210 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
211 actual_client_random,
212 client_random_size)))
215 if (!TEST_ptr(token = strtok(NULL, " \n")))
217 master_key_size = SSL_SESSION_get_master_key(session,
220 if (!TEST_size_t_ne(master_key_size, 0))
222 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
226 master_secret_count++;
227 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
228 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
229 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
230 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
231 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
232 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
233 || strcmp(token, "EXPORTER_SECRET") == 0) {
235 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
236 * client random, and then the hex-encoded secret. In this case,
237 * we treat all of these secrets identically and then just
238 * distinguish between them when counting what we saw.
240 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
241 client_early_secret_count++;
242 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
243 client_handshake_secret_count++;
244 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
245 server_handshake_secret_count++;
246 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
247 client_application_secret_count++;
248 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
249 server_application_secret_count++;
250 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
251 early_exporter_secret_count++;
252 else if (strcmp(token, "EXPORTER_SECRET") == 0)
253 exporter_secret_count++;
255 client_random_size = SSL_get_client_random(ssl,
256 actual_client_random,
258 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
261 if (!TEST_ptr(token = strtok(NULL, " \n")))
263 if (!TEST_size_t_eq(strlen(token), 64))
265 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
266 actual_client_random,
267 client_random_size)))
270 if (!TEST_ptr(token = strtok(NULL, " \n")))
274 * TODO(TLS1.3): test that application traffic secrets are what
277 TEST_info("Unexpected token %s\n", token);
282 /* Got what we expected? */
283 if (!TEST_size_t_eq(rsa_key_exchange_count,
284 expected->rsa_key_exchange_count)
285 || !TEST_size_t_eq(master_secret_count,
286 expected->master_secret_count)
287 || !TEST_size_t_eq(client_early_secret_count,
288 expected->client_early_secret_count)
289 || !TEST_size_t_eq(client_handshake_secret_count,
290 expected->client_handshake_secret_count)
291 || !TEST_size_t_eq(server_handshake_secret_count,
292 expected->server_handshake_secret_count)
293 || !TEST_size_t_eq(client_application_secret_count,
294 expected->client_application_secret_count)
295 || !TEST_size_t_eq(server_application_secret_count,
296 expected->server_application_secret_count)
297 || !TEST_size_t_eq(early_exporter_secret_count,
298 expected->early_exporter_secret_count)
299 || !TEST_size_t_eq(exporter_secret_count,
300 expected->exporter_secret_count))
305 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
306 static int test_keylog(void)
308 SSL_CTX *cctx = NULL, *sctx = NULL;
309 SSL *clientssl = NULL, *serverssl = NULL;
311 struct sslapitest_log_counts expected;
313 /* Clean up logging space */
314 memset(&expected, 0, sizeof(expected));
315 memset(client_log_buffer, 0, sizeof(client_log_buffer));
316 memset(server_log_buffer, 0, sizeof(server_log_buffer));
317 client_log_buffer_index = 0;
318 server_log_buffer_index = 0;
319 error_writing_log = 0;
321 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
324 &sctx, &cctx, cert, privkey)))
327 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
328 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
329 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
331 /* We also want to ensure that we use RSA-based key exchange. */
332 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
335 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
336 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
338 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
339 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
340 == client_keylog_callback))
342 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
343 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
344 == server_keylog_callback))
347 /* Now do a handshake and check that the logs have been written to. */
348 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
349 &clientssl, NULL, NULL))
350 || !TEST_true(create_ssl_connection(serverssl, clientssl,
352 || !TEST_false(error_writing_log)
353 || !TEST_int_gt(client_log_buffer_index, 0)
354 || !TEST_int_gt(server_log_buffer_index, 0))
358 * Now we want to test that our output data was vaguely sensible. We
359 * do that by using strtok and confirming that we have more or less the
360 * data we expect. For both client and server, we expect to see one master
361 * secret. The client should also see a RSA key exchange.
363 expected.rsa_key_exchange_count = 1;
364 expected.master_secret_count = 1;
365 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
366 SSL_get_session(clientssl), &expected)))
369 expected.rsa_key_exchange_count = 0;
370 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
371 SSL_get_session(serverssl), &expected)))
386 #ifndef OPENSSL_NO_TLS1_3
387 static int test_keylog_no_master_key(void)
389 SSL_CTX *cctx = NULL, *sctx = NULL;
390 SSL *clientssl = NULL, *serverssl = NULL;
391 SSL_SESSION *sess = NULL;
393 struct sslapitest_log_counts expected;
394 unsigned char buf[1];
395 size_t readbytes, written;
397 /* Clean up logging space */
398 memset(&expected, 0, sizeof(expected));
399 memset(client_log_buffer, 0, sizeof(client_log_buffer));
400 memset(server_log_buffer, 0, sizeof(server_log_buffer));
401 client_log_buffer_index = 0;
402 server_log_buffer_index = 0;
403 error_writing_log = 0;
405 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
407 &sctx, &cctx, cert, privkey))
408 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
409 SSL3_RT_MAX_PLAIN_LENGTH)))
412 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
413 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
416 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
417 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
418 == client_keylog_callback))
421 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
422 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
423 == server_keylog_callback))
426 /* Now do a handshake and check that the logs have been written to. */
427 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
428 &clientssl, NULL, NULL))
429 || !TEST_true(create_ssl_connection(serverssl, clientssl,
431 || !TEST_false(error_writing_log))
435 * Now we want to test that our output data was vaguely sensible. For this
436 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
437 * TLSv1.3, but we do expect both client and server to emit keys.
439 expected.client_handshake_secret_count = 1;
440 expected.server_handshake_secret_count = 1;
441 expected.client_application_secret_count = 1;
442 expected.server_application_secret_count = 1;
443 expected.exporter_secret_count = 1;
444 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
445 SSL_get_session(clientssl), &expected))
446 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
447 SSL_get_session(serverssl),
451 /* Terminate old session and resume with early data. */
452 sess = SSL_get1_session(clientssl);
453 SSL_shutdown(clientssl);
454 SSL_shutdown(serverssl);
457 serverssl = clientssl = NULL;
460 memset(client_log_buffer, 0, sizeof(client_log_buffer));
461 memset(server_log_buffer, 0, sizeof(server_log_buffer));
462 client_log_buffer_index = 0;
463 server_log_buffer_index = 0;
465 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
466 &clientssl, NULL, NULL))
467 || !TEST_true(SSL_set_session(clientssl, sess))
468 /* Here writing 0 length early data is enough. */
469 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
470 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
472 SSL_READ_EARLY_DATA_ERROR)
473 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
474 SSL_EARLY_DATA_ACCEPTED)
475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
477 || !TEST_true(SSL_session_reused(clientssl)))
480 /* In addition to the previous entries, expect early secrets. */
481 expected.client_early_secret_count = 1;
482 expected.early_exporter_secret_count = 1;
483 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
484 SSL_get_session(clientssl), &expected))
485 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
486 SSL_get_session(serverssl),
493 SSL_SESSION_free(sess);
503 #ifndef OPENSSL_NO_TLS1_2
504 static int full_client_hello_callback(SSL *s, int *al, void *arg)
507 const unsigned char *p;
509 /* We only configure two ciphers, but the SCSV is added automatically. */
511 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
513 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
516 const int expected_extensions[] = {
517 #ifndef OPENSSL_NO_EC
523 /* Make sure we can defer processing and get called back. */
525 return SSL_CLIENT_HELLO_RETRY;
527 len = SSL_client_hello_get0_ciphers(s, &p);
528 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
530 SSL_client_hello_get0_compression_methods(s, &p), 1)
531 || !TEST_int_eq(*p, 0))
532 return SSL_CLIENT_HELLO_ERROR;
533 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
534 return SSL_CLIENT_HELLO_ERROR;
535 if (len != OSSL_NELEM(expected_extensions) ||
536 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
537 printf("ClientHello callback expected extensions mismatch\n");
539 return SSL_CLIENT_HELLO_ERROR;
542 return SSL_CLIENT_HELLO_SUCCESS;
545 static int test_client_hello_cb(void)
547 SSL_CTX *cctx = NULL, *sctx = NULL;
548 SSL *clientssl = NULL, *serverssl = NULL;
549 int testctr = 0, testresult = 0;
551 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
553 &sctx, &cctx, cert, privkey)))
555 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
557 /* The gimpy cipher list we configure can't do TLS 1.3. */
558 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
560 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
561 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
562 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
563 &clientssl, NULL, NULL))
564 || !TEST_false(create_ssl_connection(serverssl, clientssl,
565 SSL_ERROR_WANT_CLIENT_HELLO_CB))
567 * Passing a -1 literal is a hack since
568 * the real value was lost.
570 || !TEST_int_eq(SSL_get_error(serverssl, -1),
571 SSL_ERROR_WANT_CLIENT_HELLO_CB)
572 || !TEST_true(create_ssl_connection(serverssl, clientssl,
587 static int test_no_ems(void)
589 SSL_CTX *cctx = NULL, *sctx = NULL;
590 SSL *clientssl = NULL, *serverssl = NULL;
593 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
594 TLS1_VERSION, TLS1_2_VERSION,
595 &sctx, &cctx, cert, privkey)) {
596 printf("Unable to create SSL_CTX pair\n");
600 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
602 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
603 printf("Unable to create SSL objects\n");
607 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
608 printf("Creating SSL connection failed\n");
612 if (SSL_get_extms_support(serverssl)) {
613 printf("Server reports Extended Master Secret support\n");
617 if (SSL_get_extms_support(clientssl)) {
618 printf("Client reports Extended Master Secret support\n");
633 static int execute_test_large_message(const SSL_METHOD *smeth,
634 const SSL_METHOD *cmeth,
635 int min_version, int max_version,
638 SSL_CTX *cctx = NULL, *sctx = NULL;
639 SSL *clientssl = NULL, *serverssl = NULL;
643 X509 *chaincert = NULL;
646 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
648 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
651 if (!TEST_ptr(chaincert))
654 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
655 &sctx, &cctx, cert, privkey)))
660 * Test that read_ahead works correctly when dealing with large
663 SSL_CTX_set_read_ahead(cctx, 1);
667 * We assume the supplied certificate is big enough so that if we add
668 * NUM_EXTRA_CERTS it will make the overall message large enough. The
669 * default buffer size is requested to be 16k, but due to the way BUF_MEM
670 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
671 * test we need to have a message larger than that.
673 certlen = i2d_X509(chaincert, NULL);
674 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
675 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
676 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
677 if (!X509_up_ref(chaincert))
679 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
680 X509_free(chaincert);
685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
687 || !TEST_true(create_ssl_connection(serverssl, clientssl,
692 * Calling SSL_clear() first is not required but this tests that SSL_clear()
693 * doesn't leak (when using enable-crypto-mdebug).
695 if (!TEST_true(SSL_clear(serverssl)))
700 X509_free(chaincert);
709 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
710 && !defined(OPENSSL_NO_SOCK)
712 /* sock must be connected */
713 static int ktls_chk_platform(int sock)
715 if (!ktls_enable(sock))
720 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
722 static char count = 1;
723 unsigned char cbuf[16000] = {0};
724 unsigned char sbuf[16000];
726 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
727 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
728 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
729 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
730 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
731 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
732 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
733 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
736 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
737 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
738 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
739 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
740 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
741 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
742 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
743 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
745 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
748 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
749 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
754 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
757 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
758 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
763 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
764 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
765 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
766 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
767 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
768 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
769 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
770 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
772 /* verify the payload */
773 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
776 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
777 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
778 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
779 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
782 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
783 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
787 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
788 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
789 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
792 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
793 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
797 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
798 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
799 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
802 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
803 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
807 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
808 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
809 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
812 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
813 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
822 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
823 int sis_ktls_tx, int sis_ktls_rx)
825 SSL_CTX *cctx = NULL, *sctx = NULL;
826 SSL *clientssl = NULL, *serverssl = NULL;
830 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
833 /* Skip this test if the platform does not support ktls */
834 if (!ktls_chk_platform(cfd))
837 /* Create a session based on SHA-256 */
838 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
840 TLS1_2_VERSION, TLS1_2_VERSION,
841 &sctx, &cctx, cert, privkey))
842 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
843 "AES128-GCM-SHA256"))
844 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
845 &clientssl, sfd, cfd)))
849 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
854 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
859 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
864 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
868 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
873 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
876 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
881 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
884 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
889 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
892 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
897 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
900 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
904 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
910 SSL_shutdown(clientssl);
914 SSL_shutdown(serverssl);
919 serverssl = clientssl = NULL;
923 #define SENDFILE_SZ (16 * 4096)
924 #define SENDFILE_CHUNK (4 * 4096)
925 #define min(a,b) ((a) > (b) ? (b) : (a))
927 static int test_ktls_sendfile(void)
929 SSL_CTX *cctx = NULL, *sctx = NULL;
930 SSL *clientssl = NULL, *serverssl = NULL;
931 unsigned char *buf, *buf_dst;
932 BIO *out = NULL, *in = NULL;
933 int cfd, sfd, ffd, err;
934 ssize_t chunk_size = 0;
939 buf = OPENSSL_zalloc(SENDFILE_SZ);
940 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
941 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
942 || !TEST_true(create_test_sockets(&cfd, &sfd)))
945 /* Skip this test if the platform does not support ktls */
946 if (!ktls_chk_platform(sfd)) {
951 /* Create a session based on SHA-256 */
952 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
954 TLS1_2_VERSION, TLS1_2_VERSION,
955 &sctx, &cctx, cert, privkey))
956 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
957 "AES128-GCM-SHA256"))
958 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
959 &clientssl, sfd, cfd)))
962 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
964 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
967 RAND_bytes(buf, SENDFILE_SZ);
968 out = BIO_new_file(tmpfilename, "wb");
972 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
977 in = BIO_new_file(tmpfilename, "rb");
978 BIO_get_fp(in, &ffdp);
981 while (chunk_off < SENDFILE_SZ) {
982 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
983 while ((err = SSL_sendfile(serverssl,
988 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
991 while ((err = SSL_read(clientssl,
993 chunk_size)) != chunk_size) {
994 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
998 /* verify the payload */
999 if (!TEST_mem_eq(buf_dst + chunk_off,
1005 chunk_off += chunk_size;
1011 SSL_shutdown(clientssl);
1012 SSL_free(clientssl);
1015 SSL_shutdown(serverssl);
1016 SSL_free(serverssl);
1020 serverssl = clientssl = NULL;
1024 OPENSSL_free(buf_dst);
1028 static int test_ktls_no_txrx_client_no_txrx_server(void)
1030 return execute_test_ktls(0, 0, 0, 0);
1033 static int test_ktls_no_rx_client_no_txrx_server(void)
1035 return execute_test_ktls(1, 0, 0, 0);
1038 static int test_ktls_no_tx_client_no_txrx_server(void)
1040 return execute_test_ktls(0, 1, 0, 0);
1043 static int test_ktls_client_no_txrx_server(void)
1045 return execute_test_ktls(1, 1, 0, 0);
1048 static int test_ktls_no_txrx_client_no_rx_server(void)
1050 return execute_test_ktls(0, 0, 1, 0);
1053 static int test_ktls_no_rx_client_no_rx_server(void)
1055 return execute_test_ktls(1, 0, 1, 0);
1058 static int test_ktls_no_tx_client_no_rx_server(void)
1060 return execute_test_ktls(0, 1, 1, 0);
1063 static int test_ktls_client_no_rx_server(void)
1065 return execute_test_ktls(1, 1, 1, 0);
1068 static int test_ktls_no_txrx_client_no_tx_server(void)
1070 return execute_test_ktls(0, 0, 0, 1);
1073 static int test_ktls_no_rx_client_no_tx_server(void)
1075 return execute_test_ktls(1, 0, 0, 1);
1078 static int test_ktls_no_tx_client_no_tx_server(void)
1080 return execute_test_ktls(0, 1, 0, 1);
1083 static int test_ktls_client_no_tx_server(void)
1085 return execute_test_ktls(1, 1, 0, 1);
1088 static int test_ktls_no_txrx_client_server(void)
1090 return execute_test_ktls(0, 0, 1, 1);
1093 static int test_ktls_no_rx_client_server(void)
1095 return execute_test_ktls(1, 0, 1, 1);
1098 static int test_ktls_no_tx_client_server(void)
1100 return execute_test_ktls(0, 1, 1, 1);
1103 static int test_ktls_client_server(void)
1105 return execute_test_ktls(1, 1, 1, 1);
1109 static int test_large_message_tls(void)
1111 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1112 TLS1_VERSION, 0, 0);
1115 static int test_large_message_tls_read_ahead(void)
1117 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1118 TLS1_VERSION, 0, 1);
1121 #ifndef OPENSSL_NO_DTLS
1122 static int test_large_message_dtls(void)
1125 * read_ahead is not relevant to DTLS because DTLS always acts as if
1126 * read_ahead is set.
1128 return execute_test_large_message(DTLS_server_method(),
1129 DTLS_client_method(),
1130 DTLS1_VERSION, 0, 0);
1134 #ifndef OPENSSL_NO_OCSP
1135 static int ocsp_server_cb(SSL *s, void *arg)
1137 int *argi = (int *)arg;
1138 unsigned char *copy = NULL;
1139 STACK_OF(OCSP_RESPID) *ids = NULL;
1140 OCSP_RESPID *id = NULL;
1143 /* In this test we are expecting exactly 1 OCSP_RESPID */
1144 SSL_get_tlsext_status_ids(s, &ids);
1145 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1146 return SSL_TLSEXT_ERR_ALERT_FATAL;
1148 id = sk_OCSP_RESPID_value(ids, 0);
1149 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1150 return SSL_TLSEXT_ERR_ALERT_FATAL;
1151 } else if (*argi != 1) {
1152 return SSL_TLSEXT_ERR_ALERT_FATAL;
1155 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1156 return SSL_TLSEXT_ERR_ALERT_FATAL;
1158 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1159 ocsp_server_called = 1;
1160 return SSL_TLSEXT_ERR_OK;
1163 static int ocsp_client_cb(SSL *s, void *arg)
1165 int *argi = (int *)arg;
1166 const unsigned char *respderin;
1169 if (*argi != 1 && *argi != 2)
1172 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1173 if (!TEST_mem_eq(orespder, len, respderin, len))
1176 ocsp_client_called = 1;
1180 static int test_tlsext_status_type(void)
1182 SSL_CTX *cctx = NULL, *sctx = NULL;
1183 SSL *clientssl = NULL, *serverssl = NULL;
1185 STACK_OF(OCSP_RESPID) *ids = NULL;
1186 OCSP_RESPID *id = NULL;
1187 BIO *certbio = NULL;
1189 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1191 &sctx, &cctx, cert, privkey))
1194 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1197 /* First just do various checks getting and setting tlsext_status_type */
1199 clientssl = SSL_new(cctx);
1200 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1201 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1202 TLSEXT_STATUSTYPE_ocsp))
1203 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1204 TLSEXT_STATUSTYPE_ocsp))
1207 SSL_free(clientssl);
1210 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1211 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1214 clientssl = SSL_new(cctx);
1215 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1217 SSL_free(clientssl);
1221 * Now actually do a handshake and check OCSP information is exchanged and
1222 * the callbacks get called
1224 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1225 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1226 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1227 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1228 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1229 &clientssl, NULL, NULL))
1230 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1232 || !TEST_true(ocsp_client_called)
1233 || !TEST_true(ocsp_server_called))
1235 SSL_free(serverssl);
1236 SSL_free(clientssl);
1240 /* Try again but this time force the server side callback to fail */
1241 ocsp_client_called = 0;
1242 ocsp_server_called = 0;
1244 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1245 &clientssl, NULL, NULL))
1246 /* This should fail because the callback will fail */
1247 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1249 || !TEST_false(ocsp_client_called)
1250 || !TEST_false(ocsp_server_called))
1252 SSL_free(serverssl);
1253 SSL_free(clientssl);
1258 * This time we'll get the client to send an OCSP_RESPID that it will
1261 ocsp_client_called = 0;
1262 ocsp_server_called = 0;
1264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1265 &clientssl, NULL, NULL)))
1269 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1270 * specific one. We'll use the server cert.
1272 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1273 || !TEST_ptr(id = OCSP_RESPID_new())
1274 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1275 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1277 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1278 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1281 SSL_set_tlsext_status_ids(clientssl, ids);
1282 /* Control has been transferred */
1288 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1290 || !TEST_true(ocsp_client_called)
1291 || !TEST_true(ocsp_server_called))
1297 SSL_free(serverssl);
1298 SSL_free(clientssl);
1301 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1302 OCSP_RESPID_free(id);
1304 X509_free(ocspcert);
1311 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1312 static int new_called, remove_called, get_called;
1314 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1318 * sess has been up-refed for us, but we don't actually need it so free it
1321 SSL_SESSION_free(sess);
1325 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1330 static SSL_SESSION *get_sess_val = NULL;
1332 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1337 return get_sess_val;
1340 static int execute_test_session(int maxprot, int use_int_cache,
1343 SSL_CTX *sctx = NULL, *cctx = NULL;
1344 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1345 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1346 # ifndef OPENSSL_NO_TLS1_1
1347 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1349 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1350 int testresult = 0, numnewsesstick = 1;
1352 new_called = remove_called = 0;
1354 /* TLSv1.3 sends 2 NewSessionTickets */
1355 if (maxprot == TLS1_3_VERSION)
1358 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1360 &sctx, &cctx, cert, privkey)))
1364 * Only allow the max protocol version so we can force a connection failure
1367 SSL_CTX_set_min_proto_version(cctx, maxprot);
1368 SSL_CTX_set_max_proto_version(cctx, maxprot);
1370 /* Set up session cache */
1371 if (use_ext_cache) {
1372 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1373 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1375 if (use_int_cache) {
1376 /* Also covers instance where both are set */
1377 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1379 SSL_CTX_set_session_cache_mode(cctx,
1380 SSL_SESS_CACHE_CLIENT
1381 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1384 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1386 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1388 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1391 /* Should fail because it should already be in the cache */
1392 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1395 && (!TEST_int_eq(new_called, numnewsesstick)
1397 || !TEST_int_eq(remove_called, 0)))
1400 new_called = remove_called = 0;
1401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1402 &clientssl2, NULL, NULL))
1403 || !TEST_true(SSL_set_session(clientssl2, sess1))
1404 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1406 || !TEST_true(SSL_session_reused(clientssl2)))
1409 if (maxprot == TLS1_3_VERSION) {
1411 * In TLSv1.3 we should have created a new session even though we have
1412 * resumed. Since we attempted a resume we should also have removed the
1413 * old ticket from the cache so that we try to only use tickets once.
1416 && (!TEST_int_eq(new_called, 1)
1417 || !TEST_int_eq(remove_called, 1)))
1421 * In TLSv1.2 we expect to have resumed so no sessions added or
1425 && (!TEST_int_eq(new_called, 0)
1426 || !TEST_int_eq(remove_called, 0)))
1430 SSL_SESSION_free(sess1);
1431 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1433 shutdown_ssl_connection(serverssl2, clientssl2);
1434 serverssl2 = clientssl2 = NULL;
1436 new_called = remove_called = 0;
1437 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1438 &clientssl2, NULL, NULL))
1439 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1443 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1447 && (!TEST_int_eq(new_called, numnewsesstick)
1448 || !TEST_int_eq(remove_called, 0)))
1451 new_called = remove_called = 0;
1453 * This should clear sess2 from the cache because it is a "bad" session.
1454 * See SSL_set_session() documentation.
1456 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1459 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1461 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1464 if (use_int_cache) {
1465 /* Should succeeded because it should not already be in the cache */
1466 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1467 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1471 new_called = remove_called = 0;
1472 /* This shouldn't be in the cache so should fail */
1473 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1477 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1480 # if !defined(OPENSSL_NO_TLS1_1)
1481 new_called = remove_called = 0;
1482 /* Force a connection failure */
1483 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1484 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1485 &clientssl3, NULL, NULL))
1486 || !TEST_true(SSL_set_session(clientssl3, sess1))
1487 /* This should fail because of the mismatched protocol versions */
1488 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1492 /* We should have automatically removed the session from the cache */
1494 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1497 /* Should succeed because it should not already be in the cache */
1498 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1502 /* Now do some tests for server side caching */
1503 if (use_ext_cache) {
1504 SSL_CTX_sess_set_new_cb(cctx, NULL);
1505 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1506 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1507 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1508 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1509 get_sess_val = NULL;
1512 SSL_CTX_set_session_cache_mode(cctx, 0);
1513 /* Internal caching is the default on the server side */
1515 SSL_CTX_set_session_cache_mode(sctx,
1516 SSL_SESS_CACHE_SERVER
1517 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1519 SSL_free(serverssl1);
1520 SSL_free(clientssl1);
1521 serverssl1 = clientssl1 = NULL;
1522 SSL_free(serverssl2);
1523 SSL_free(clientssl2);
1524 serverssl2 = clientssl2 = NULL;
1525 SSL_SESSION_free(sess1);
1527 SSL_SESSION_free(sess2);
1530 SSL_CTX_set_max_proto_version(sctx, maxprot);
1531 if (maxprot == TLS1_2_VERSION)
1532 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1533 new_called = remove_called = get_called = 0;
1534 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1536 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1538 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1539 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1542 if (use_int_cache) {
1543 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1545 * In TLSv1.3 it should not have been added to the internal cache,
1546 * except in the case where we also have an external cache (in that
1547 * case it gets added to the cache in order to generate remove
1548 * events after timeout).
1550 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1553 /* Should fail because it should already be in the cache */
1554 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1559 if (use_ext_cache) {
1560 SSL_SESSION *tmp = sess2;
1562 if (!TEST_int_eq(new_called, numnewsesstick)
1563 || !TEST_int_eq(remove_called, 0)
1564 || !TEST_int_eq(get_called, 0))
1567 * Delete the session from the internal cache to force a lookup from
1568 * the external cache. We take a copy first because
1569 * SSL_CTX_remove_session() also marks the session as non-resumable.
1571 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1572 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1573 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1575 SSL_SESSION_free(sess2);
1580 new_called = remove_called = get_called = 0;
1581 get_sess_val = sess2;
1582 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1583 &clientssl2, NULL, NULL))
1584 || !TEST_true(SSL_set_session(clientssl2, sess1))
1585 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1587 || !TEST_true(SSL_session_reused(clientssl2)))
1590 if (use_ext_cache) {
1591 if (!TEST_int_eq(remove_called, 0))
1594 if (maxprot == TLS1_3_VERSION) {
1595 if (!TEST_int_eq(new_called, 1)
1596 || !TEST_int_eq(get_called, 0))
1599 if (!TEST_int_eq(new_called, 0)
1600 || !TEST_int_eq(get_called, 1))
1608 SSL_free(serverssl1);
1609 SSL_free(clientssl1);
1610 SSL_free(serverssl2);
1611 SSL_free(clientssl2);
1612 # ifndef OPENSSL_NO_TLS1_1
1613 SSL_free(serverssl3);
1614 SSL_free(clientssl3);
1616 SSL_SESSION_free(sess1);
1617 SSL_SESSION_free(sess2);
1623 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1625 static int test_session_with_only_int_cache(void)
1627 #ifndef OPENSSL_NO_TLS1_3
1628 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1632 #ifndef OPENSSL_NO_TLS1_2
1633 return execute_test_session(TLS1_2_VERSION, 1, 0);
1639 static int test_session_with_only_ext_cache(void)
1641 #ifndef OPENSSL_NO_TLS1_3
1642 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1646 #ifndef OPENSSL_NO_TLS1_2
1647 return execute_test_session(TLS1_2_VERSION, 0, 1);
1653 static int test_session_with_both_cache(void)
1655 #ifndef OPENSSL_NO_TLS1_3
1656 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1660 #ifndef OPENSSL_NO_TLS1_2
1661 return execute_test_session(TLS1_2_VERSION, 1, 1);
1667 #ifndef OPENSSL_NO_TLS1_3
1668 static SSL_SESSION *sesscache[6];
1669 static int do_cache;
1671 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1674 sesscache[new_called] = sess;
1676 /* We don't need the reference to the session, so free it */
1677 SSL_SESSION_free(sess);
1684 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1686 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1687 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1690 /* Start handshake on the server and client */
1691 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1692 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1693 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1694 || !TEST_true(create_ssl_connection(sssl, cssl,
1701 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1704 int sess_id_ctx = 1;
1706 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1707 TLS1_VERSION, 0, sctx,
1708 cctx, cert, privkey))
1709 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1710 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1711 (void *)&sess_id_ctx,
1712 sizeof(sess_id_ctx))))
1716 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1718 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1719 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1720 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1725 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1727 SSL *serverssl = NULL, *clientssl = NULL;
1730 /* Test that we can resume with all the tickets we got given */
1731 for (i = 0; i < idx * 2; i++) {
1733 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1734 &clientssl, NULL, NULL))
1735 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1738 SSL_set_post_handshake_auth(clientssl, 1);
1740 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1745 * Following a successful resumption we only get 1 ticket. After a
1746 * failed one we should get idx tickets.
1749 if (!TEST_true(SSL_session_reused(clientssl))
1750 || !TEST_int_eq(new_called, 1))
1753 if (!TEST_false(SSL_session_reused(clientssl))
1754 || !TEST_int_eq(new_called, idx))
1759 /* After a post-handshake authentication we should get 1 new ticket */
1761 && (!post_handshake_verify(serverssl, clientssl)
1762 || !TEST_int_eq(new_called, 1)))
1765 SSL_shutdown(clientssl);
1766 SSL_shutdown(serverssl);
1767 SSL_free(serverssl);
1768 SSL_free(clientssl);
1769 serverssl = clientssl = NULL;
1770 SSL_SESSION_free(sesscache[i]);
1771 sesscache[i] = NULL;
1777 SSL_free(clientssl);
1778 SSL_free(serverssl);
1782 static int test_tickets(int stateful, int idx)
1784 SSL_CTX *sctx = NULL, *cctx = NULL;
1785 SSL *serverssl = NULL, *clientssl = NULL;
1789 /* idx is the test number, but also the number of tickets we want */
1794 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1798 &clientssl, NULL, NULL)))
1801 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1803 /* Check we got the number of tickets we were expecting */
1804 || !TEST_int_eq(idx, new_called))
1807 SSL_shutdown(clientssl);
1808 SSL_shutdown(serverssl);
1809 SSL_free(serverssl);
1810 SSL_free(clientssl);
1813 clientssl = serverssl = NULL;
1817 * Now we try to resume with the tickets we previously created. The
1818 * resumption attempt is expected to fail (because we're now using a new
1819 * SSL_CTX). We should see idx number of tickets issued again.
1822 /* Stop caching sessions - just count them */
1825 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1828 if (!check_resumption(idx, sctx, cctx, 0))
1831 /* Start again with caching sessions */
1838 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1841 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1842 &clientssl, NULL, NULL)))
1845 SSL_set_post_handshake_auth(clientssl, 1);
1847 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1849 /* Check we got the number of tickets we were expecting */
1850 || !TEST_int_eq(idx, new_called))
1853 /* After a post-handshake authentication we should get new tickets issued */
1854 if (!post_handshake_verify(serverssl, clientssl)
1855 || !TEST_int_eq(idx * 2, new_called))
1858 SSL_shutdown(clientssl);
1859 SSL_shutdown(serverssl);
1860 SSL_free(serverssl);
1861 SSL_free(clientssl);
1862 serverssl = clientssl = NULL;
1864 /* Stop caching sessions - just count them */
1868 * Check we can resume with all the tickets we created. This time around the
1869 * resumptions should all be successful.
1871 if (!check_resumption(idx, sctx, cctx, 1))
1877 SSL_free(serverssl);
1878 SSL_free(clientssl);
1879 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1880 SSL_SESSION_free(sesscache[j]);
1881 sesscache[j] = NULL;
1889 static int test_stateless_tickets(int idx)
1891 return test_tickets(0, idx);
1894 static int test_stateful_tickets(int idx)
1896 return test_tickets(1, idx);
1899 static int test_psk_tickets(void)
1901 SSL_CTX *sctx = NULL, *cctx = NULL;
1902 SSL *serverssl = NULL, *clientssl = NULL;
1904 int sess_id_ctx = 1;
1906 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1907 TLS1_VERSION, 0, &sctx,
1909 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1910 (void *)&sess_id_ctx,
1911 sizeof(sess_id_ctx))))
1914 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1915 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1916 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1917 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1918 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1919 use_session_cb_cnt = 0;
1920 find_session_cb_cnt = 0;
1924 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1927 clientpsk = serverpsk = create_a_psk(clientssl);
1928 if (!TEST_ptr(clientpsk))
1930 SSL_SESSION_up_ref(clientpsk);
1932 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1934 || !TEST_int_eq(1, find_session_cb_cnt)
1935 || !TEST_int_eq(1, use_session_cb_cnt)
1936 /* We should always get 1 ticket when using external PSK */
1937 || !TEST_int_eq(1, new_called))
1943 SSL_free(serverssl);
1944 SSL_free(clientssl);
1947 SSL_SESSION_free(clientpsk);
1948 SSL_SESSION_free(serverpsk);
1949 clientpsk = serverpsk = NULL;
1958 #define USE_DEFAULT 3
1960 #define CONNTYPE_CONNECTION_SUCCESS 0
1961 #define CONNTYPE_CONNECTION_FAIL 1
1962 #define CONNTYPE_NO_CONNECTION 2
1964 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1965 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1966 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1967 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1969 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1972 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1973 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1974 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1976 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1993 * Tests calls to SSL_set_bio() under various conditions.
1995 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1996 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1997 * then do more tests where we create a successful connection first using our
1998 * standard connection setup functions, and then call SSL_set_bio() with
1999 * various combinations of valid BIOs or NULL. We then repeat these tests
2000 * following a failed connection. In this last case we are looking to check that
2001 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2003 static int test_ssl_set_bio(int idx)
2005 SSL_CTX *sctx = NULL, *cctx = NULL;
2008 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2009 SSL *serverssl = NULL, *clientssl = NULL;
2010 int initrbio, initwbio, newrbio, newwbio, conntype;
2013 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2021 conntype = CONNTYPE_NO_CONNECTION;
2023 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2024 initrbio = initwbio = USE_DEFAULT;
2032 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2034 &sctx, &cctx, cert, privkey)))
2037 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2039 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2040 * because we reduced the number of tests in the definition of
2041 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2042 * mismatched protocol versions we will force a connection failure.
2044 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2045 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2048 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2052 if (initrbio == USE_BIO_1
2053 || initwbio == USE_BIO_1
2054 || newrbio == USE_BIO_1
2055 || newwbio == USE_BIO_1) {
2056 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2060 if (initrbio == USE_BIO_2
2061 || initwbio == USE_BIO_2
2062 || newrbio == USE_BIO_2
2063 || newwbio == USE_BIO_2) {
2064 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2068 if (initrbio != USE_DEFAULT) {
2069 setupbio(&irbio, bio1, bio2, initrbio);
2070 setupbio(&iwbio, bio1, bio2, initwbio);
2071 SSL_set_bio(clientssl, irbio, iwbio);
2074 * We want to maintain our own refs to these BIO, so do an up ref for
2075 * each BIO that will have ownership transferred in the SSL_set_bio()
2080 if (iwbio != NULL && iwbio != irbio)
2084 if (conntype != CONNTYPE_NO_CONNECTION
2085 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2087 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2090 setupbio(&nrbio, bio1, bio2, newrbio);
2091 setupbio(&nwbio, bio1, bio2, newwbio);
2094 * We will (maybe) transfer ownership again so do more up refs.
2095 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2100 && (nwbio != iwbio || nrbio != nwbio))
2104 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2107 SSL_set_bio(clientssl, nrbio, nwbio);
2116 * This test is checking that the ref counting for SSL_set_bio is correct.
2117 * If we get here and we did too many frees then we will fail in the above
2118 * functions. If we haven't done enough then this will only be detected in
2119 * a crypto-mdebug build
2121 SSL_free(serverssl);
2122 SSL_free(clientssl);
2128 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2130 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2132 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2137 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2138 || !TEST_ptr(ssl = SSL_new(ctx))
2139 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2140 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2143 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2146 * If anything goes wrong here then we could leak memory, so this will
2147 * be caught in a crypto-mdebug build
2149 BIO_push(sslbio, membio1);
2151 /* Verify changing the rbio/wbio directly does not cause leaks */
2152 if (change_bio != NO_BIO_CHANGE) {
2153 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2155 if (change_bio == CHANGE_RBIO)
2156 SSL_set0_rbio(ssl, membio2);
2158 SSL_set0_wbio(ssl, membio2);
2177 static int test_ssl_bio_pop_next_bio(void)
2179 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2182 static int test_ssl_bio_pop_ssl_bio(void)
2184 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2187 static int test_ssl_bio_change_rbio(void)
2189 return execute_test_ssl_bio(0, CHANGE_RBIO);
2192 static int test_ssl_bio_change_wbio(void)
2194 return execute_test_ssl_bio(0, CHANGE_WBIO);
2197 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2199 /* The list of sig algs */
2201 /* The length of the list */
2203 /* A sigalgs list in string format */
2204 const char *liststr;
2205 /* Whether setting the list should succeed */
2207 /* Whether creating a connection with the list should succeed */
2211 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2212 # ifndef OPENSSL_NO_EC
2213 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2214 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2216 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2217 static const int invalidlist2[] = {NID_sha256, NID_undef};
2218 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2219 static const int invalidlist4[] = {NID_sha256};
2220 static const sigalgs_list testsigalgs[] = {
2221 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2222 # ifndef OPENSSL_NO_EC
2223 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2224 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2226 {NULL, 0, "RSA+SHA256", 1, 1},
2227 # ifndef OPENSSL_NO_EC
2228 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2229 {NULL, 0, "ECDSA+SHA512", 1, 0},
2231 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2232 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2233 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2234 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2235 {NULL, 0, "RSA", 0, 0},
2236 {NULL, 0, "SHA256", 0, 0},
2237 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2238 {NULL, 0, "Invalid", 0, 0}
2241 static int test_set_sigalgs(int idx)
2243 SSL_CTX *cctx = NULL, *sctx = NULL;
2244 SSL *clientssl = NULL, *serverssl = NULL;
2246 const sigalgs_list *curr;
2249 /* Should never happen */
2250 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2253 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2254 curr = testctx ? &testsigalgs[idx]
2255 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2257 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2259 &sctx, &cctx, cert, privkey)))
2263 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2264 * for TLSv1.2 for now until we add a new API.
2266 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2271 if (curr->list != NULL)
2272 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2274 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2278 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2284 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2289 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2290 &clientssl, NULL, NULL)))
2296 if (curr->list != NULL)
2297 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2299 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2302 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2311 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2319 SSL_free(serverssl);
2320 SSL_free(clientssl);
2328 #ifndef OPENSSL_NO_TLS1_3
2329 static int psk_client_cb_cnt = 0;
2330 static int psk_server_cb_cnt = 0;
2332 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2333 size_t *idlen, SSL_SESSION **sess)
2335 switch (++use_session_cb_cnt) {
2337 /* The first call should always have a NULL md */
2343 /* The second call should always have an md */
2349 /* We should only be called a maximum of twice */
2353 if (clientpsk != NULL)
2354 SSL_SESSION_up_ref(clientpsk);
2357 *id = (const unsigned char *)pskid;
2358 *idlen = strlen(pskid);
2363 #ifndef OPENSSL_NO_PSK
2364 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2365 unsigned int max_id_len,
2367 unsigned int max_psk_len)
2369 unsigned int psklen = 0;
2371 psk_client_cb_cnt++;
2373 if (strlen(pskid) + 1 > max_id_len)
2376 /* We should only ever be called a maximum of twice per connection */
2377 if (psk_client_cb_cnt > 2)
2380 if (clientpsk == NULL)
2383 /* We'll reuse the PSK we set up for TLSv1.3 */
2384 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2386 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2387 strncpy(id, pskid, max_id_len);
2391 #endif /* OPENSSL_NO_PSK */
2393 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2394 size_t identity_len, SSL_SESSION **sess)
2396 find_session_cb_cnt++;
2398 /* We should only ever be called a maximum of twice per connection */
2399 if (find_session_cb_cnt > 2)
2402 if (serverpsk == NULL)
2405 /* Identity should match that set by the client */
2406 if (strlen(srvid) != identity_len
2407 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2408 /* No PSK found, continue but without a PSK */
2413 SSL_SESSION_up_ref(serverpsk);
2419 #ifndef OPENSSL_NO_PSK
2420 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2421 unsigned char *psk, unsigned int max_psk_len)
2423 unsigned int psklen = 0;
2425 psk_server_cb_cnt++;
2427 /* We should only ever be called a maximum of twice per connection */
2428 if (find_session_cb_cnt > 2)
2431 if (serverpsk == NULL)
2434 /* Identity should match that set by the client */
2435 if (strcmp(srvid, identity) != 0) {
2439 /* We'll reuse the PSK we set up for TLSv1.3 */
2440 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2442 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2446 #endif /* OPENSSL_NO_PSK */
2448 #define MSG1 "Hello"
2449 #define MSG2 "World."
2454 #define MSG7 "message."
2456 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2457 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2460 static SSL_SESSION *create_a_psk(SSL *ssl)
2462 const SSL_CIPHER *cipher = NULL;
2463 const unsigned char key[] = {
2464 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2465 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2466 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2467 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2468 0x2c, 0x2d, 0x2e, 0x2f
2470 SSL_SESSION *sess = NULL;
2472 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2473 sess = SSL_SESSION_new();
2475 || !TEST_ptr(cipher)
2476 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2478 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2480 SSL_SESSION_set_protocol_version(sess,
2482 SSL_SESSION_free(sess);
2489 * Helper method to setup objects for early data test. Caller frees objects on
2492 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2493 SSL **serverssl, SSL_SESSION **sess, int idx)
2496 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2497 TLS_client_method(),
2499 sctx, cctx, cert, privkey)))
2502 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2506 /* When idx == 1 we repeat the tests with read_ahead set */
2507 SSL_CTX_set_read_ahead(*cctx, 1);
2508 SSL_CTX_set_read_ahead(*sctx, 1);
2509 } else if (idx == 2) {
2510 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2511 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2512 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2513 use_session_cb_cnt = 0;
2514 find_session_cb_cnt = 0;
2518 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2523 * For one of the run throughs (doesn't matter which one), we'll try sending
2524 * some SNI data in the initial ClientHello. This will be ignored (because
2525 * there is no SNI cb set up by the server), so it should not impact
2529 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2533 clientpsk = create_a_psk(*clientssl);
2534 if (!TEST_ptr(clientpsk)
2536 * We just choose an arbitrary value for max_early_data which
2537 * should be big enough for testing purposes.
2539 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2541 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2542 SSL_SESSION_free(clientpsk);
2546 serverpsk = clientpsk;
2549 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2550 SSL_SESSION_free(clientpsk);
2551 SSL_SESSION_free(serverpsk);
2552 clientpsk = serverpsk = NULL;
2563 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2567 *sess = SSL_get1_session(*clientssl);
2568 SSL_shutdown(*clientssl);
2569 SSL_shutdown(*serverssl);
2570 SSL_free(*serverssl);
2571 SSL_free(*clientssl);
2572 *serverssl = *clientssl = NULL;
2574 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2575 clientssl, NULL, NULL))
2576 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2582 static int test_early_data_read_write(int idx)
2584 SSL_CTX *cctx = NULL, *sctx = NULL;
2585 SSL *clientssl = NULL, *serverssl = NULL;
2587 SSL_SESSION *sess = NULL;
2588 unsigned char buf[20], data[1024];
2589 size_t readbytes, written, eoedlen, rawread, rawwritten;
2592 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2593 &serverssl, &sess, idx)))
2596 /* Write and read some early data */
2597 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2599 || !TEST_size_t_eq(written, strlen(MSG1))
2600 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2601 sizeof(buf), &readbytes),
2602 SSL_READ_EARLY_DATA_SUCCESS)
2603 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2604 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2605 SSL_EARLY_DATA_ACCEPTED))
2609 * Server should be able to write data, and client should be able to
2612 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2614 || !TEST_size_t_eq(written, strlen(MSG2))
2615 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2616 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2619 /* Even after reading normal data, client should be able write early data */
2620 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2622 || !TEST_size_t_eq(written, strlen(MSG3)))
2625 /* Server should still be able read early data after writing data */
2626 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2628 SSL_READ_EARLY_DATA_SUCCESS)
2629 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2632 /* Write more data from server and read it from client */
2633 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2635 || !TEST_size_t_eq(written, strlen(MSG4))
2636 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2637 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2641 * If client writes normal data it should mean writing early data is no
2644 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2645 || !TEST_size_t_eq(written, strlen(MSG5))
2646 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2647 SSL_EARLY_DATA_ACCEPTED))
2651 * At this point the client has written EndOfEarlyData, ClientFinished and
2652 * normal (fully protected) data. We are going to cause a delay between the
2653 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2654 * in the read BIO, and then just put back the EndOfEarlyData message.
2656 rbio = SSL_get_rbio(serverssl);
2657 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2658 || !TEST_size_t_lt(rawread, sizeof(data))
2659 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2662 /* Record length is in the 4th and 5th bytes of the record header */
2663 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2664 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2665 || !TEST_size_t_eq(rawwritten, eoedlen))
2668 /* Server should be told that there is no more early data */
2669 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2671 SSL_READ_EARLY_DATA_FINISH)
2672 || !TEST_size_t_eq(readbytes, 0))
2676 * Server has not finished init yet, so should still be able to write early
2679 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2681 || !TEST_size_t_eq(written, strlen(MSG6)))
2684 /* Push the ClientFinished and the normal data back into the server rbio */
2685 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2687 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2690 /* Server should be able to read normal data */
2691 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2692 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2695 /* Client and server should not be able to write/read early data now */
2696 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2700 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2702 SSL_READ_EARLY_DATA_ERROR))
2706 /* Client should be able to read the data sent by the server */
2707 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2708 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2712 * Make sure we process the two NewSessionTickets. These arrive
2713 * post-handshake. We attempt reads which we do not expect to return any
2716 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2717 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2721 /* Server should be able to write normal data */
2722 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2723 || !TEST_size_t_eq(written, strlen(MSG7))
2724 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2725 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2728 SSL_SESSION_free(sess);
2729 sess = SSL_get1_session(clientssl);
2730 use_session_cb_cnt = 0;
2731 find_session_cb_cnt = 0;
2733 SSL_shutdown(clientssl);
2734 SSL_shutdown(serverssl);
2735 SSL_free(serverssl);
2736 SSL_free(clientssl);
2737 serverssl = clientssl = NULL;
2738 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2739 &clientssl, NULL, NULL))
2740 || !TEST_true(SSL_set_session(clientssl, sess)))
2743 /* Write and read some early data */
2744 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2746 || !TEST_size_t_eq(written, strlen(MSG1))
2747 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2749 SSL_READ_EARLY_DATA_SUCCESS)
2750 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2753 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2754 || !TEST_int_gt(SSL_accept(serverssl), 0))
2757 /* Client and server should not be able to write/read early data now */
2758 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2762 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2764 SSL_READ_EARLY_DATA_ERROR))
2768 /* Client and server should be able to write/read normal data */
2769 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2770 || !TEST_size_t_eq(written, strlen(MSG5))
2771 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2772 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2778 SSL_SESSION_free(sess);
2779 SSL_SESSION_free(clientpsk);
2780 SSL_SESSION_free(serverpsk);
2781 clientpsk = serverpsk = NULL;
2782 SSL_free(serverssl);
2783 SSL_free(clientssl);
2789 static int allow_ed_cb_called = 0;
2791 static int allow_early_data_cb(SSL *s, void *arg)
2793 int *usecb = (int *)arg;
2795 allow_ed_cb_called++;
2804 * idx == 0: Standard early_data setup
2805 * idx == 1: early_data setup using read_ahead
2806 * usecb == 0: Don't use a custom early data callback
2807 * usecb == 1: Use a custom early data callback and reject the early data
2808 * usecb == 2: Use a custom early data callback and accept the early data
2809 * confopt == 0: Configure anti-replay directly
2810 * confopt == 1: Configure anti-replay using SSL_CONF
2812 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2814 SSL_CTX *cctx = NULL, *sctx = NULL;
2815 SSL *clientssl = NULL, *serverssl = NULL;
2817 SSL_SESSION *sess = NULL;
2818 size_t readbytes, written;
2819 unsigned char buf[20];
2821 allow_ed_cb_called = 0;
2823 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2824 TLS1_VERSION, 0, &sctx,
2825 &cctx, cert, privkey)))
2830 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2832 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2834 if (!TEST_ptr(confctx))
2836 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2837 | SSL_CONF_FLAG_SERVER);
2838 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2839 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2841 SSL_CONF_CTX_free(confctx);
2844 SSL_CONF_CTX_free(confctx);
2846 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2849 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2850 &serverssl, &sess, idx)))
2854 * The server is configured to accept early data. Create a connection to
2855 * "use up" the ticket
2857 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2858 || !TEST_true(SSL_session_reused(clientssl)))
2861 SSL_shutdown(clientssl);
2862 SSL_shutdown(serverssl);
2863 SSL_free(serverssl);
2864 SSL_free(clientssl);
2865 serverssl = clientssl = NULL;
2867 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2868 &clientssl, NULL, NULL))
2869 || !TEST_true(SSL_set_session(clientssl, sess)))
2872 /* Write and read some early data */
2873 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2875 || !TEST_size_t_eq(written, strlen(MSG1)))
2879 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2881 SSL_READ_EARLY_DATA_FINISH)
2883 * The ticket was reused, so the we should have rejected the
2886 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2887 SSL_EARLY_DATA_REJECTED))
2890 /* In this case the callback decides to accept the early data */
2891 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2893 SSL_READ_EARLY_DATA_SUCCESS)
2894 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2896 * Server will have sent its flight so client can now send
2897 * end of early data and complete its half of the handshake
2899 || !TEST_int_gt(SSL_connect(clientssl), 0)
2900 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2902 SSL_READ_EARLY_DATA_FINISH)
2903 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2904 SSL_EARLY_DATA_ACCEPTED))
2908 /* Complete the connection */
2909 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2910 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2911 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2917 SSL_SESSION_free(sess);
2918 SSL_SESSION_free(clientpsk);
2919 SSL_SESSION_free(serverpsk);
2920 clientpsk = serverpsk = NULL;
2921 SSL_free(serverssl);
2922 SSL_free(clientssl);
2928 static int test_early_data_replay(int idx)
2930 int ret = 1, usecb, confopt;
2932 for (usecb = 0; usecb < 3; usecb++) {
2933 for (confopt = 0; confopt < 2; confopt++)
2934 ret &= test_early_data_replay_int(idx, usecb, confopt);
2941 * Helper function to test that a server attempting to read early data can
2942 * handle a connection from a client where the early data should be skipped.
2943 * testtype: 0 == No HRR
2944 * testtype: 1 == HRR
2945 * testtype: 2 == HRR, invalid early_data sent after HRR
2946 * testtype: 3 == recv_max_early_data set to 0
2948 static int early_data_skip_helper(int testtype, int idx)
2950 SSL_CTX *cctx = NULL, *sctx = NULL;
2951 SSL *clientssl = NULL, *serverssl = NULL;
2953 SSL_SESSION *sess = NULL;
2954 unsigned char buf[20];
2955 size_t readbytes, written;
2957 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2958 &serverssl, &sess, idx)))
2961 if (testtype == 1 || testtype == 2) {
2962 /* Force an HRR to occur */
2963 #if defined(OPENSSL_NO_EC)
2964 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
2967 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2970 } else if (idx == 2) {
2972 * We force early_data rejection by ensuring the PSK identity is
2975 srvid = "Dummy Identity";
2978 * Deliberately corrupt the creation time. We take 20 seconds off the
2979 * time. It could be any value as long as it is not within tolerance.
2980 * This should mean the ticket is rejected.
2982 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2987 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2990 /* Write some early data */
2991 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2993 || !TEST_size_t_eq(written, strlen(MSG1)))
2996 /* Server should reject the early data */
2997 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2999 SSL_READ_EARLY_DATA_FINISH)
3000 || !TEST_size_t_eq(readbytes, 0)
3001 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3002 SSL_EARLY_DATA_REJECTED))
3012 * Finish off the handshake. We perform the same writes and reads as
3013 * further down but we expect them to fail due to the incomplete
3016 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3017 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3024 BIO *wbio = SSL_get_wbio(clientssl);
3025 /* A record that will appear as bad early_data */
3026 const unsigned char bad_early_data[] = {
3027 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3031 * We force the client to attempt a write. This will fail because
3032 * we're still in the handshake. It will cause the second
3033 * ClientHello to be sent.
3035 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3040 * Inject some early_data after the second ClientHello. This should
3041 * cause the server to fail
3043 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3044 sizeof(bad_early_data), &written)))
3051 * This client has sent more early_data than we are willing to skip
3052 * (case 3) or sent invalid early_data (case 2) so the connection should
3055 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3056 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3059 /* Connection has failed - nothing more to do */
3064 TEST_error("Invalid test type");
3069 * Should be able to send normal data despite rejection of early data. The
3070 * early_data should be skipped.
3072 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3073 || !TEST_size_t_eq(written, strlen(MSG2))
3074 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3075 SSL_EARLY_DATA_REJECTED)
3076 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3077 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3083 SSL_SESSION_free(clientpsk);
3084 SSL_SESSION_free(serverpsk);
3085 clientpsk = serverpsk = NULL;
3086 SSL_SESSION_free(sess);
3087 SSL_free(serverssl);
3088 SSL_free(clientssl);
3095 * Test that a server attempting to read early data can handle a connection
3096 * from a client where the early data is not acceptable.
3098 static int test_early_data_skip(int idx)
3100 return early_data_skip_helper(0, idx);
3104 * Test that a server attempting to read early data can handle a connection
3105 * from a client where an HRR occurs.
3107 static int test_early_data_skip_hrr(int idx)
3109 return early_data_skip_helper(1, idx);
3113 * Test that a server attempting to read early data can handle a connection
3114 * from a client where an HRR occurs and correctly fails if early_data is sent
3117 static int test_early_data_skip_hrr_fail(int idx)
3119 return early_data_skip_helper(2, idx);
3123 * Test that a server attempting to read early data will abort if it tries to
3124 * skip over too much.
3126 static int test_early_data_skip_abort(int idx)
3128 return early_data_skip_helper(3, idx);
3132 * Test that a server attempting to read early data can handle a connection
3133 * from a client that doesn't send any.
3135 static int test_early_data_not_sent(int idx)
3137 SSL_CTX *cctx = NULL, *sctx = NULL;
3138 SSL *clientssl = NULL, *serverssl = NULL;
3140 SSL_SESSION *sess = NULL;
3141 unsigned char buf[20];
3142 size_t readbytes, written;
3144 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3145 &serverssl, &sess, idx)))
3148 /* Write some data - should block due to handshake with server */
3149 SSL_set_connect_state(clientssl);
3150 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3153 /* Server should detect that early data has not been sent */
3154 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3156 SSL_READ_EARLY_DATA_FINISH)
3157 || !TEST_size_t_eq(readbytes, 0)
3158 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3159 SSL_EARLY_DATA_NOT_SENT)
3160 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3161 SSL_EARLY_DATA_NOT_SENT))
3164 /* Continue writing the message we started earlier */
3165 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3166 || !TEST_size_t_eq(written, strlen(MSG1))
3167 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3168 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3169 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3170 || !TEST_size_t_eq(written, strlen(MSG2)))
3173 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3174 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3180 SSL_SESSION_free(sess);
3181 SSL_SESSION_free(clientpsk);
3182 SSL_SESSION_free(serverpsk);
3183 clientpsk = serverpsk = NULL;
3184 SSL_free(serverssl);
3185 SSL_free(clientssl);
3191 static int hostname_cb(SSL *s, int *al, void *arg)
3193 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3195 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
3196 return SSL_TLSEXT_ERR_OK;
3198 return SSL_TLSEXT_ERR_NOACK;
3201 static const char *servalpn;
3203 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3204 unsigned char *outlen, const unsigned char *in,
3205 unsigned int inlen, void *arg)
3207 unsigned int protlen = 0;
3208 const unsigned char *prot;
3210 for (prot = in; prot < in + inlen; prot += protlen) {
3212 if (in + inlen < prot + protlen)
3213 return SSL_TLSEXT_ERR_NOACK;
3215 if (protlen == strlen(servalpn)
3216 && memcmp(prot, servalpn, protlen) == 0) {
3219 return SSL_TLSEXT_ERR_OK;
3223 return SSL_TLSEXT_ERR_NOACK;
3226 /* Test that a PSK can be used to send early_data */
3227 static int test_early_data_psk(int idx)
3229 SSL_CTX *cctx = NULL, *sctx = NULL;
3230 SSL *clientssl = NULL, *serverssl = NULL;
3232 SSL_SESSION *sess = NULL;
3233 unsigned char alpnlist[] = {
3234 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3237 #define GOODALPNLEN 9
3238 #define BADALPNLEN 8
3239 #define GOODALPN (alpnlist)
3240 #define BADALPN (alpnlist + GOODALPNLEN)
3242 unsigned char buf[20];
3243 size_t readbytes, written;
3244 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3245 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3247 /* We always set this up with a final parameter of "2" for PSK */
3248 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3249 &serverssl, &sess, 2)))
3252 servalpn = "goodalpn";
3255 * Note: There is no test for inconsistent SNI with late client detection.
3256 * This is because servers do not acknowledge SNI even if they are using
3257 * it in a resumption handshake - so it is not actually possible for a
3258 * client to detect a problem.
3262 /* Set inconsistent SNI (early client detection) */
3263 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3264 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3265 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3270 /* Set inconsistent ALPN (early client detection) */
3271 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3272 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3273 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3275 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3282 * Set invalid protocol version. Technically this affects PSKs without
3283 * early_data too, but we test it here because it is similar to the
3284 * SNI/ALPN consistency tests.
3286 err = SSL_R_BAD_PSK;
3287 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3293 * Set inconsistent SNI (server detected). In this case the connection
3294 * will succeed but reject early_data.
3296 SSL_SESSION_free(serverpsk);
3297 serverpsk = SSL_SESSION_dup(clientpsk);
3298 if (!TEST_ptr(serverpsk)
3299 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3301 edstatus = SSL_EARLY_DATA_REJECTED;
3302 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3305 /* Set consistent SNI */
3306 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3307 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3308 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3315 * Set inconsistent ALPN (server detected). In this case the connection
3316 * will succeed but reject early_data.
3318 servalpn = "badalpn";
3319 edstatus = SSL_EARLY_DATA_REJECTED;
3320 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3324 * Set consistent ALPN.
3325 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3326 * accepts a list of protos (each one length prefixed).
3327 * SSL_set1_alpn_selected accepts a single protocol (not length
3330 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3332 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3336 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3340 /* Set inconsistent ALPN (late client detection) */
3341 SSL_SESSION_free(serverpsk);
3342 serverpsk = SSL_SESSION_dup(clientpsk);
3343 if (!TEST_ptr(serverpsk)
3344 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3347 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3350 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3353 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3354 edstatus = SSL_EARLY_DATA_ACCEPTED;
3355 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3356 /* SSL_connect() call should fail */
3361 TEST_error("Bad test index");
3365 SSL_set_connect_state(clientssl);
3367 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3369 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3370 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3373 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3377 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3378 &readbytes), readearlyres)
3379 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3380 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3381 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3382 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3389 SSL_SESSION_free(sess);
3390 SSL_SESSION_free(clientpsk);
3391 SSL_SESSION_free(serverpsk);
3392 clientpsk = serverpsk = NULL;
3393 SSL_free(serverssl);
3394 SSL_free(clientssl);
3401 * Test that a server that doesn't try to read early data can handle a
3402 * client sending some.
3404 static int test_early_data_not_expected(int idx)
3406 SSL_CTX *cctx = NULL, *sctx = NULL;
3407 SSL *clientssl = NULL, *serverssl = NULL;
3409 SSL_SESSION *sess = NULL;
3410 unsigned char buf[20];
3411 size_t readbytes, written;
3413 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3414 &serverssl, &sess, idx)))
3417 /* Write some early data */
3418 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3423 * Server should skip over early data and then block waiting for client to
3424 * continue handshake
3426 if (!TEST_int_le(SSL_accept(serverssl), 0)
3427 || !TEST_int_gt(SSL_connect(clientssl), 0)
3428 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3429 SSL_EARLY_DATA_REJECTED)
3430 || !TEST_int_gt(SSL_accept(serverssl), 0)
3431 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3432 SSL_EARLY_DATA_REJECTED))
3435 /* Send some normal data from client to server */
3436 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3437 || !TEST_size_t_eq(written, strlen(MSG2)))
3440 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3441 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3447 SSL_SESSION_free(sess);
3448 SSL_SESSION_free(clientpsk);
3449 SSL_SESSION_free(serverpsk);
3450 clientpsk = serverpsk = NULL;
3451 SSL_free(serverssl);
3452 SSL_free(clientssl);
3459 # ifndef OPENSSL_NO_TLS1_2
3461 * Test that a server attempting to read early data can handle a connection
3462 * from a TLSv1.2 client.
3464 static int test_early_data_tls1_2(int idx)
3466 SSL_CTX *cctx = NULL, *sctx = NULL;
3467 SSL *clientssl = NULL, *serverssl = NULL;
3469 unsigned char buf[20];
3470 size_t readbytes, written;
3472 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3473 &serverssl, NULL, idx)))
3476 /* Write some data - should block due to handshake with server */
3477 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3478 SSL_set_connect_state(clientssl);
3479 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3483 * Server should do TLSv1.2 handshake. First it will block waiting for more
3484 * messages from client after ServerDone. Then SSL_read_early_data should
3485 * finish and detect that early data has not been sent
3487 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3489 SSL_READ_EARLY_DATA_ERROR))
3493 * Continue writing the message we started earlier. Will still block waiting
3494 * for the CCS/Finished from server
3496 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3497 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3499 SSL_READ_EARLY_DATA_FINISH)
3500 || !TEST_size_t_eq(readbytes, 0)
3501 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3502 SSL_EARLY_DATA_NOT_SENT))
3505 /* Continue writing the message we started earlier */
3506 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3507 || !TEST_size_t_eq(written, strlen(MSG1))
3508 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3509 SSL_EARLY_DATA_NOT_SENT)
3510 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3511 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3512 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3513 || !TEST_size_t_eq(written, strlen(MSG2))
3514 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3515 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3521 SSL_SESSION_free(clientpsk);
3522 SSL_SESSION_free(serverpsk);
3523 clientpsk = serverpsk = NULL;
3524 SSL_free(serverssl);
3525 SSL_free(clientssl);
3531 # endif /* OPENSSL_NO_TLS1_2 */
3534 * Test configuring the TLSv1.3 ciphersuites
3536 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3537 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3538 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3539 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3540 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3541 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3542 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3543 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3544 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3545 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3547 static int test_set_ciphersuite(int idx)
3549 SSL_CTX *cctx = NULL, *sctx = NULL;
3550 SSL *clientssl = NULL, *serverssl = NULL;
3553 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3555 &sctx, &cctx, cert, privkey))
3556 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3557 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3560 if (idx >=4 && idx <= 7) {
3561 /* SSL_CTX explicit cipher list */
3562 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3566 if (idx == 0 || idx == 4) {
3567 /* Default ciphersuite */
3568 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3569 "TLS_AES_128_GCM_SHA256")))
3571 } else if (idx == 1 || idx == 5) {
3572 /* Non default ciphersuite */
3573 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3574 "TLS_AES_128_CCM_SHA256")))
3578 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3579 &clientssl, NULL, NULL)))
3582 if (idx == 8 || idx == 9) {
3583 /* SSL explicit cipher list */
3584 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3588 if (idx == 2 || idx == 6 || idx == 8) {
3589 /* Default ciphersuite */
3590 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3591 "TLS_AES_128_GCM_SHA256")))
3593 } else if (idx == 3 || idx == 7 || idx == 9) {
3594 /* Non default ciphersuite */
3595 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3596 "TLS_AES_128_CCM_SHA256")))
3600 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3606 SSL_free(serverssl);
3607 SSL_free(clientssl);
3614 static int test_ciphersuite_change(void)
3616 SSL_CTX *cctx = NULL, *sctx = NULL;
3617 SSL *clientssl = NULL, *serverssl = NULL;
3618 SSL_SESSION *clntsess = NULL;
3620 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3622 /* Create a session based on SHA-256 */
3623 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3625 &sctx, &cctx, cert, privkey))
3626 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3627 "TLS_AES_128_GCM_SHA256"))
3628 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3629 &clientssl, NULL, NULL))
3630 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3634 clntsess = SSL_get1_session(clientssl);
3635 /* Save for later */
3636 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3637 SSL_shutdown(clientssl);
3638 SSL_shutdown(serverssl);
3639 SSL_free(serverssl);
3640 SSL_free(clientssl);
3641 serverssl = clientssl = NULL;
3643 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3644 /* Check we can resume a session with a different SHA-256 ciphersuite */
3645 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3646 "TLS_CHACHA20_POLY1305_SHA256"))
3647 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3649 || !TEST_true(SSL_set_session(clientssl, clntsess))
3650 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3652 || !TEST_true(SSL_session_reused(clientssl)))
3655 SSL_SESSION_free(clntsess);
3656 clntsess = SSL_get1_session(clientssl);
3657 SSL_shutdown(clientssl);
3658 SSL_shutdown(serverssl);
3659 SSL_free(serverssl);
3660 SSL_free(clientssl);
3661 serverssl = clientssl = NULL;
3665 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3666 * succeeds but does not resume.
3668 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3669 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3671 || !TEST_true(SSL_set_session(clientssl, clntsess))
3672 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3674 || !TEST_false(SSL_session_reused(clientssl)))
3677 SSL_SESSION_free(clntsess);
3679 SSL_shutdown(clientssl);
3680 SSL_shutdown(serverssl);
3681 SSL_free(serverssl);
3682 SSL_free(clientssl);
3683 serverssl = clientssl = NULL;
3685 /* Create a session based on SHA384 */
3686 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3687 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3688 &clientssl, NULL, NULL))
3689 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3693 clntsess = SSL_get1_session(clientssl);
3694 SSL_shutdown(clientssl);
3695 SSL_shutdown(serverssl);
3696 SSL_free(serverssl);
3697 SSL_free(clientssl);
3698 serverssl = clientssl = NULL;
3700 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3701 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3702 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3703 "TLS_AES_256_GCM_SHA384"))
3704 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3706 || !TEST_true(SSL_set_session(clientssl, clntsess))
3708 * We use SSL_ERROR_WANT_READ below so that we can pause the
3709 * connection after the initial ClientHello has been sent to
3710 * enable us to make some session changes.
3712 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3713 SSL_ERROR_WANT_READ)))
3716 /* Trick the client into thinking this session is for a different digest */
3717 clntsess->cipher = aes_128_gcm_sha256;
3718 clntsess->cipher_id = clntsess->cipher->id;
3721 * Continue the previously started connection. Server has selected a SHA-384
3722 * ciphersuite, but client thinks the session is for SHA-256, so it should
3725 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3727 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3728 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3734 SSL_SESSION_free(clntsess);
3735 SSL_free(serverssl);
3736 SSL_free(clientssl);
3744 * Test TLSv1.3 Key exchange
3745 * Test 0 = Test ECDHE Key exchange with TLSv1.3 client and server
3746 * Test 1 = Test ECDHE with TLSv1.2 client and server
3747 * Test 2 = Test FFDHE Key exchange with TLSv1.3 client and server
3748 * Test 3 = Test FFDHE with TLSv1.2 client and server
3749 * Test 4 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3750 * Test 5 = Test NID_secp384r1 with TLSv1.3 client and server
3751 * Test 6 = Test NID_secp521r1 with TLSv1.3 client and server
3752 * Test 7 = Test NID_X25519 with TLSv1.3 client and server
3753 * Test 8 = Test NID_X448 with TLSv1.3 client and server
3754 * Test 9 = Test NID_ffdhe2048 with TLSv1.3 client and server
3755 * Test 10 = Test NID_ffdhe3072 with TLSv1.3 client and server
3756 * Test 11 = Test NID_ffdhe4096 with TLSv1.3 client and server
3757 * Test 12 = Test NID_ffdhe6144 with TLSv1.3 client and server
3758 * Test 13 = Test NID_ffdhe8192 with TLSv1.3 client and server
3760 static int test_tls13_key_exchange(int idx)
3762 SSL_CTX *sctx = NULL, *cctx = NULL;
3763 SSL *serverssl = NULL, *clientssl = NULL;
3765 #ifndef OPENSSL_NO_EC
3766 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1,
3767 NID_X25519, NID_X448};
3769 #ifndef OPENSSL_NO_DH
3770 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3771 NID_ffdhe6144, NID_ffdhe8192};
3774 int *kexch_groups = &kexch_alg;
3775 int kexch_groups_size = 1;
3776 int max_version = TLS1_3_VERSION;
3777 int want_err = SSL_ERROR_NONE;
3778 int expected_err_reason = 0;
3781 #ifndef OPENSSL_NO_EC
3783 max_version = TLS1_2_VERSION;
3786 kexch_groups = ecdhe_kexch_groups;
3787 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3790 kexch_alg = NID_X9_62_prime256v1;
3793 kexch_alg = NID_secp384r1;
3796 kexch_alg = NID_secp521r1;
3799 kexch_alg = NID_X25519;
3802 kexch_alg = NID_X448;
3805 #ifndef OPENSSL_NO_DH
3807 max_version = TLS1_2_VERSION;
3810 kexch_groups = ffdhe_kexch_groups;
3811 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3814 kexch_alg = NID_ffdhe2048;
3817 kexch_alg = NID_ffdhe3072;
3820 kexch_alg = NID_ffdhe4096;
3823 kexch_alg = NID_ffdhe6144;
3826 kexch_alg = NID_ffdhe8192;
3830 /* We're skipping this test */
3834 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3835 TLS1_VERSION, max_version,
3836 &sctx, &cctx, cert, privkey)))
3839 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, TLS1_3_RFC_AES_128_GCM_SHA256)))
3842 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, TLS1_3_RFC_AES_128_GCM_SHA256)))
3845 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, TLS1_TXT_RSA_WITH_AES_128_SHA)))
3849 * Must include an EC ciphersuite so that we send supported groups in
3852 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3853 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3854 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3857 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3861 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3862 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3865 if (!TEST_true(create_ssl_connection(serverssl, clientssl, want_err))) {
3866 /* Fail only if no error is expected in handshake */
3867 if (expected_err_reason == 0)
3871 /* Fail if expected error is not happening for failure testcases */
3872 if (expected_err_reason != 0) {
3873 unsigned long err_code = ERR_get_error();
3875 ERR_print_errors_fp(stdout);
3876 if (TEST_int_eq(ERR_GET_REASON(err_code), expected_err_reason))
3882 * If Handshake succeeds the negotiated kexch alg should the first one in
3883 * configured, except in the case of FFDHE groups which are TLSv1.3 only
3884 * so we expect no shared group to exist.
3886 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
3887 idx == 3 ? 0 : kexch_groups[0]))
3889 if (max_version == TLS1_3_VERSION) {
3890 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
3892 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
3898 SSL_free(serverssl);
3899 SSL_free(clientssl);
3907 * Test 0 = Test new style callbacks
3908 * Test 1 = Test both new and old style callbacks
3909 * Test 2 = Test old style callbacks
3910 * Test 3 = Test old style callbacks with no certificate
3912 static int test_tls13_psk(int idx)
3914 SSL_CTX *sctx = NULL, *cctx = NULL;
3915 SSL *serverssl = NULL, *clientssl = NULL;
3916 const SSL_CIPHER *cipher = NULL;
3917 const unsigned char key[] = {
3918 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3919 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3920 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3921 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3925 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3927 &sctx, &cctx, idx == 3 ? NULL : cert,
3928 idx == 3 ? NULL : privkey)))
3933 * We use a ciphersuite with SHA256 to ease testing old style PSK
3934 * callbacks which will always default to SHA256. This should not be
3935 * necessary if we have no cert/priv key. In that case the server should
3936 * prefer SHA256 automatically.
3938 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3939 "TLS_AES_128_GCM_SHA256")))
3944 * Test 0: New style callbacks only
3945 * Test 1: New and old style callbacks (only the new ones should be used)
3946 * Test 2: Old style callbacks only
3948 if (idx == 0 || idx == 1) {
3949 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3950 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3952 #ifndef OPENSSL_NO_PSK
3954 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3955 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3959 use_session_cb_cnt = 0;
3960 find_session_cb_cnt = 0;
3961 psk_client_cb_cnt = 0;
3962 psk_server_cb_cnt = 0;
3966 * Check we can create a connection if callback decides not to send a
3969 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3971 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3973 || !TEST_false(SSL_session_reused(clientssl))
3974 || !TEST_false(SSL_session_reused(serverssl)))
3977 if (idx == 0 || idx == 1) {
3978 if (!TEST_true(use_session_cb_cnt == 1)
3979 || !TEST_true(find_session_cb_cnt == 0)
3981 * If no old style callback then below should be 0
3984 || !TEST_true(psk_client_cb_cnt == idx)
3985 || !TEST_true(psk_server_cb_cnt == 0))
3988 if (!TEST_true(use_session_cb_cnt == 0)
3989 || !TEST_true(find_session_cb_cnt == 0)
3990 || !TEST_true(psk_client_cb_cnt == 1)
3991 || !TEST_true(psk_server_cb_cnt == 0))
3995 shutdown_ssl_connection(serverssl, clientssl);
3996 serverssl = clientssl = NULL;
3997 use_session_cb_cnt = psk_client_cb_cnt = 0;
4000 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4004 /* Create the PSK */
4005 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4006 clientpsk = SSL_SESSION_new();
4007 if (!TEST_ptr(clientpsk)
4008 || !TEST_ptr(cipher)
4009 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4011 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4012 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4014 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4016 serverpsk = clientpsk;
4018 /* Check we can create a connection and the PSK is used */
4019 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4020 || !TEST_true(SSL_session_reused(clientssl))
4021 || !TEST_true(SSL_session_reused(serverssl)))
4024 if (idx == 0 || idx == 1) {
4025 if (!TEST_true(use_session_cb_cnt == 1)
4026 || !TEST_true(find_session_cb_cnt == 1)
4027 || !TEST_true(psk_client_cb_cnt == 0)
4028 || !TEST_true(psk_server_cb_cnt == 0))
4031 if (!TEST_true(use_session_cb_cnt == 0)
4032 || !TEST_true(find_session_cb_cnt == 0)
4033 || !TEST_true(psk_client_cb_cnt == 1)
4034 || !TEST_true(psk_server_cb_cnt == 1))
4038 shutdown_ssl_connection(serverssl, clientssl);
4039 serverssl = clientssl = NULL;
4040 use_session_cb_cnt = find_session_cb_cnt = 0;
4041 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4043 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4048 #if defined(OPENSSL_NO_EC)
4049 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4052 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4057 * Check we can create a connection, the PSK is used and the callbacks are
4060 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4061 || !TEST_true(SSL_session_reused(clientssl))
4062 || !TEST_true(SSL_session_reused(serverssl)))
4065 if (idx == 0 || idx == 1) {
4066 if (!TEST_true(use_session_cb_cnt == 2)
4067 || !TEST_true(find_session_cb_cnt == 2)
4068 || !TEST_true(psk_client_cb_cnt == 0)
4069 || !TEST_true(psk_server_cb_cnt == 0))
4072 if (!TEST_true(use_session_cb_cnt == 0)
4073 || !TEST_true(find_session_cb_cnt == 0)
4074 || !TEST_true(psk_client_cb_cnt == 2)
4075 || !TEST_true(psk_server_cb_cnt == 2))
4079 shutdown_ssl_connection(serverssl, clientssl);
4080 serverssl = clientssl = NULL;
4081 use_session_cb_cnt = find_session_cb_cnt = 0;
4082 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4086 * Check that if the server rejects the PSK we can still connect, but with
4089 srvid = "Dummy Identity";
4090 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4092 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4094 || !TEST_false(SSL_session_reused(clientssl))
4095 || !TEST_false(SSL_session_reused(serverssl)))
4098 if (idx == 0 || idx == 1) {
4099 if (!TEST_true(use_session_cb_cnt == 1)
4100 || !TEST_true(find_session_cb_cnt == 1)
4101 || !TEST_true(psk_client_cb_cnt == 0)
4103 * If no old style callback then below should be 0
4106 || !TEST_true(psk_server_cb_cnt == idx))
4109 if (!TEST_true(use_session_cb_cnt == 0)
4110 || !TEST_true(find_session_cb_cnt == 0)
4111 || !TEST_true(psk_client_cb_cnt == 1)
4112 || !TEST_true(psk_server_cb_cnt == 1))
4116 shutdown_ssl_connection(serverssl, clientssl);
4117 serverssl = clientssl = NULL;
4122 SSL_SESSION_free(clientpsk);
4123 SSL_SESSION_free(serverpsk);
4124 clientpsk = serverpsk = NULL;
4125 SSL_free(serverssl);
4126 SSL_free(clientssl);
4132 static unsigned char cookie_magic_value[] = "cookie magic";
4134 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4135 unsigned int *cookie_len)
4138 * Not suitable as a real cookie generation function but good enough for
4141 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4142 *cookie_len = sizeof(cookie_magic_value) - 1;
4147 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4148 unsigned int cookie_len)
4150 if (cookie_len == sizeof(cookie_magic_value) - 1
4151 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4157 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4161 int res = generate_cookie_callback(ssl, cookie, &temp);
4166 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4169 return verify_cookie_callback(ssl, cookie, cookie_len);
4172 static int test_stateless(void)
4174 SSL_CTX *sctx = NULL, *cctx = NULL;
4175 SSL *serverssl = NULL, *clientssl = NULL;
4178 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4180 &sctx, &cctx, cert, privkey)))
4183 /* The arrival of CCS messages can confuse the test */
4184 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4186 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4188 /* Send the first ClientHello */
4189 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4190 SSL_ERROR_WANT_READ))
4192 * This should fail with a -1 return because we have no callbacks
4195 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4198 /* Fatal error so abandon the connection from this client */
4199 SSL_free(clientssl);
4202 /* Set up the cookie generation and verification callbacks */
4203 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4204 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4207 * Create a new connection from the client (we can reuse the server SSL
4210 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4212 /* Send the first ClientHello */
4213 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4214 SSL_ERROR_WANT_READ))
4215 /* This should fail because there is no cookie */
4216 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4219 /* Abandon the connection from this client */
4220 SSL_free(clientssl);
4224 * Now create a connection from a new client but with the same server SSL
4227 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4229 /* Send the first ClientHello */
4230 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4231 SSL_ERROR_WANT_READ))
4232 /* This should fail because there is no cookie */
4233 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4234 /* Send the second ClientHello */
4235 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4236 SSL_ERROR_WANT_READ))
4237 /* This should succeed because a cookie is now present */
4238 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4239 /* Complete the connection */
4240 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4244 shutdown_ssl_connection(serverssl, clientssl);
4245 serverssl = clientssl = NULL;
4249 SSL_free(serverssl);
4250 SSL_free(clientssl);
4256 #endif /* OPENSSL_NO_TLS1_3 */
4258 static int clntaddoldcb = 0;
4259 static int clntparseoldcb = 0;
4260 static int srvaddoldcb = 0;
4261 static int srvparseoldcb = 0;
4262 static int clntaddnewcb = 0;
4263 static int clntparsenewcb = 0;
4264 static int srvaddnewcb = 0;
4265 static int srvparsenewcb = 0;
4266 static int snicb = 0;
4268 #define TEST_EXT_TYPE1 0xff00
4270 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4271 size_t *outlen, int *al, void *add_arg)
4273 int *server = (int *)add_arg;
4274 unsigned char *data;
4276 if (SSL_is_server(s))
4281 if (*server != SSL_is_server(s)
4282 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4287 *outlen = sizeof(char);
4291 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4294 OPENSSL_free((unsigned char *)out);
4297 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4298 size_t inlen, int *al, void *parse_arg)
4300 int *server = (int *)parse_arg;
4302 if (SSL_is_server(s))
4307 if (*server != SSL_is_server(s)
4308 || inlen != sizeof(char)
4315 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4316 const unsigned char **out, size_t *outlen, X509 *x,
4317 size_t chainidx, int *al, void *add_arg)
4319 int *server = (int *)add_arg;
4320 unsigned char *data;
4322 if (SSL_is_server(s))
4327 if (*server != SSL_is_server(s)
4328 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4333 *outlen = sizeof(*data);
4337 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4338 const unsigned char *out, void *add_arg)
4340 OPENSSL_free((unsigned char *)out);
4343 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4344 const unsigned char *in, size_t inlen, X509 *x,
4345 size_t chainidx, int *al, void *parse_arg)
4347 int *server = (int *)parse_arg;
4349 if (SSL_is_server(s))
4354 if (*server != SSL_is_server(s)
4355 || inlen != sizeof(char) || *in != 1)
4361 static int sni_cb(SSL *s, int *al, void *arg)
4363 SSL_CTX *ctx = (SSL_CTX *)arg;
4365 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4366 *al = SSL_AD_INTERNAL_ERROR;
4367 return SSL_TLSEXT_ERR_ALERT_FATAL;
4370 return SSL_TLSEXT_ERR_OK;
4374 * Custom call back tests.
4375 * Test 0: Old style callbacks in TLSv1.2
4376 * Test 1: New style callbacks in TLSv1.2
4377 * Test 2: New style callbacks in TLSv1.2 with SNI
4378 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4379 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4381 static int test_custom_exts(int tst)
4383 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4384 SSL *clientssl = NULL, *serverssl = NULL;
4386 static int server = 1;
4387 static int client = 0;
4388 SSL_SESSION *sess = NULL;
4389 unsigned int context;
4391 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4392 /* Skip tests for TLSv1.2 and below in this case */
4397 /* Reset callback counters */
4398 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4399 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4402 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4404 &sctx, &cctx, cert, privkey)))
4408 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4410 &sctx2, NULL, cert, privkey)))
4415 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4416 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4418 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4422 context = SSL_EXT_CLIENT_HELLO
4423 | SSL_EXT_TLS1_2_SERVER_HELLO
4424 | SSL_EXT_TLS1_3_SERVER_HELLO
4425 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4426 | SSL_EXT_TLS1_3_CERTIFICATE
4427 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4429 context = SSL_EXT_CLIENT_HELLO
4430 | SSL_EXT_TLS1_2_SERVER_HELLO
4431 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4434 /* Create a client side custom extension */
4436 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4437 old_add_cb, old_free_cb,
4438 &client, old_parse_cb,
4442 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4443 new_add_cb, new_free_cb,
4444 &client, new_parse_cb, &client)))
4448 /* Should not be able to add duplicates */
4449 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4450 old_add_cb, old_free_cb,
4451 &client, old_parse_cb,
4453 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4454 context, new_add_cb,
4455 new_free_cb, &client,
4456 new_parse_cb, &client)))
4459 /* Create a server side custom extension */
4461 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4462 old_add_cb, old_free_cb,
4463 &server, old_parse_cb,
4467 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4468 new_add_cb, new_free_cb,
4469 &server, new_parse_cb, &server)))
4472 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4473 context, new_add_cb,
4474 new_free_cb, &server,
4475 new_parse_cb, &server)))
4479 /* Should not be able to add duplicates */
4480 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4481 old_add_cb, old_free_cb,
4482 &server, old_parse_cb,
4484 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4485 context, new_add_cb,
4486 new_free_cb, &server,
4487 new_parse_cb, &server)))
4492 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4493 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4497 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4498 &clientssl, NULL, NULL))
4499 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4504 if (clntaddoldcb != 1
4505 || clntparseoldcb != 1
4507 || srvparseoldcb != 1)
4509 } else if (tst == 1 || tst == 2 || tst == 3) {
4510 if (clntaddnewcb != 1
4511 || clntparsenewcb != 1
4513 || srvparsenewcb != 1
4514 || (tst != 2 && snicb != 0)
4515 || (tst == 2 && snicb != 1))
4518 /* In this case there 2 NewSessionTicket messages created */
4519 if (clntaddnewcb != 1
4520 || clntparsenewcb != 5
4522 || srvparsenewcb != 1)
4526 sess = SSL_get1_session(clientssl);
4527 SSL_shutdown(clientssl);
4528 SSL_shutdown(serverssl);
4529 SSL_free(serverssl);
4530 SSL_free(clientssl);
4531 serverssl = clientssl = NULL;
4534 /* We don't bother with the resumption aspects for this test */
4539 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4541 || !TEST_true(SSL_set_session(clientssl, sess))
4542 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4547 * For a resumed session we expect to add the ClientHello extension. For the
4548 * old style callbacks we ignore it on the server side because they set
4549 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4553 if (clntaddoldcb != 2
4554 || clntparseoldcb != 1
4556 || srvparseoldcb != 1)
4558 } else if (tst == 1 || tst == 2 || tst == 3) {
4559 if (clntaddnewcb != 2
4560 || clntparsenewcb != 2
4562 || srvparsenewcb != 2)
4566 * No Certificate message extensions in the resumption handshake,
4567 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4569 if (clntaddnewcb != 2
4570 || clntparsenewcb != 8
4572 || srvparsenewcb != 2)
4579 SSL_SESSION_free(sess);
4580 SSL_free(serverssl);
4581 SSL_free(clientssl);
4582 SSL_CTX_free(sctx2);
4589 * Test loading of serverinfo data in various formats. test_sslmessages actually
4590 * tests to make sure the extensions appear in the handshake
4592 static int test_serverinfo(int tst)
4594 unsigned int version;
4595 unsigned char *sibuf;
4597 int ret, expected, testresult = 0;
4600 ctx = SSL_CTX_new(TLS_method());
4604 if ((tst & 0x01) == 0x01)
4605 version = SSL_SERVERINFOV2;
4607 version = SSL_SERVERINFOV1;
4609 if ((tst & 0x02) == 0x02) {
4610 sibuf = serverinfov2;
4611 sibuflen = sizeof(serverinfov2);
4612 expected = (version == SSL_SERVERINFOV2);
4614 sibuf = serverinfov1;
4615 sibuflen = sizeof(serverinfov1);
4616 expected = (version == SSL_SERVERINFOV1);
4619 if ((tst & 0x04) == 0x04) {
4620 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4622 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4625 * The version variable is irrelevant in this case - it's what is in the
4626 * buffer that matters
4628 if ((tst & 0x02) == 0x02)
4634 if (!TEST_true(ret == expected))
4646 * Test that SSL_export_keying_material() produces expected results. There are
4647 * no test vectors so all we do is test that both sides of the communication
4648 * produce the same results for different protocol versions.
4650 #define SMALL_LABEL_LEN 10
4651 #define LONG_LABEL_LEN 249
4652 static int test_export_key_mat(int tst)
4655 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4656 SSL *clientssl = NULL, *serverssl = NULL;
4657 const char label[LONG_LABEL_LEN + 1] = "test label";
4658 const unsigned char context[] = "context";
4659 const unsigned char *emptycontext = NULL;
4660 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4661 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4663 const int protocols[] = {
4672 #ifdef OPENSSL_NO_TLS1
4676 #ifdef OPENSSL_NO_TLS1_1
4680 #ifdef OPENSSL_NO_TLS1_2
4684 #ifdef OPENSSL_NO_TLS1_3
4688 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4690 &sctx, &cctx, cert, privkey)))
4693 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4694 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4695 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4697 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4699 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4705 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4708 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4709 sizeof(ckeymat1), label,
4710 LONG_LABEL_LEN + 1, context,
4711 sizeof(context) - 1, 1), 0))
4716 } else if (tst == 4) {
4717 labellen = LONG_LABEL_LEN;
4719 labellen = SMALL_LABEL_LEN;
4722 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4723 sizeof(ckeymat1), label,
4725 sizeof(context) - 1, 1), 1)
4726 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4727 sizeof(ckeymat2), label,
4731 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4732 sizeof(ckeymat3), label,
4735 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4736 sizeof(skeymat1), label,
4739 sizeof(context) -1, 1),
4741 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4742 sizeof(skeymat2), label,
4746 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4747 sizeof(skeymat3), label,
4751 * Check that both sides created the same key material with the
4754 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4757 * Check that both sides created the same key material with an
4760 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4763 * Check that both sides created the same key material without a
4766 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4768 /* Different contexts should produce different results */
4769 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4774 * Check that an empty context and no context produce different results in
4775 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4777 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4779 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4786 SSL_free(serverssl);
4787 SSL_free(clientssl);
4788 SSL_CTX_free(sctx2);
4795 #ifndef OPENSSL_NO_TLS1_3
4797 * Test that SSL_export_keying_material_early() produces expected
4798 * results. There are no test vectors so all we do is test that both
4799 * sides of the communication produce the same results for different
4800 * protocol versions.
4802 static int test_export_key_mat_early(int idx)
4804 static const char label[] = "test label";
4805 static const unsigned char context[] = "context";
4807 SSL_CTX *cctx = NULL, *sctx = NULL;
4808 SSL *clientssl = NULL, *serverssl = NULL;
4809 SSL_SESSION *sess = NULL;
4810 const unsigned char *emptycontext = NULL;
4811 unsigned char ckeymat1[80], ckeymat2[80];
4812 unsigned char skeymat1[80], skeymat2[80];
4813 unsigned char buf[1];
4814 size_t readbytes, written;
4816 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4820 /* Here writing 0 length early data is enough. */
4821 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4822 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4824 SSL_READ_EARLY_DATA_ERROR)
4825 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4826 SSL_EARLY_DATA_ACCEPTED))
4829 if (!TEST_int_eq(SSL_export_keying_material_early(
4830 clientssl, ckeymat1, sizeof(ckeymat1), label,
4831 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4832 || !TEST_int_eq(SSL_export_keying_material_early(
4833 clientssl, ckeymat2, sizeof(ckeymat2), label,
4834 sizeof(label) - 1, emptycontext, 0), 1)
4835 || !TEST_int_eq(SSL_export_keying_material_early(
4836 serverssl, skeymat1, sizeof(skeymat1), label,
4837 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4838 || !TEST_int_eq(SSL_export_keying_material_early(
4839 serverssl, skeymat2, sizeof(skeymat2), label,
4840 sizeof(label) - 1, emptycontext, 0), 1)
4842 * Check that both sides created the same key material with the
4845 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4848 * Check that both sides created the same key material with an
4851 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4853 /* Different contexts should produce different results */
4854 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4861 SSL_SESSION_free(sess);
4862 SSL_SESSION_free(clientpsk);
4863 SSL_SESSION_free(serverpsk);
4864 clientpsk = serverpsk = NULL;
4865 SSL_free(serverssl);
4866 SSL_free(clientssl);
4873 #define NUM_KEY_UPDATE_MESSAGES 40
4877 static int test_key_update(void)
4879 SSL_CTX *cctx = NULL, *sctx = NULL;
4880 SSL *clientssl = NULL, *serverssl = NULL;
4881 int testresult = 0, i, j;
4883 static char *mess = "A test message";
4885 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4886 TLS_client_method(),
4889 &sctx, &cctx, cert, privkey))
4890 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4892 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4896 for (j = 0; j < 2; j++) {
4897 /* Send lots of KeyUpdate messages */
4898 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
4899 if (!TEST_true(SSL_key_update(clientssl,
4901 ? SSL_KEY_UPDATE_NOT_REQUESTED
4902 : SSL_KEY_UPDATE_REQUESTED))
4903 || !TEST_true(SSL_do_handshake(clientssl)))
4907 /* Check that sending and receiving app data is ok */
4908 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
4909 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
4913 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
4914 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
4922 SSL_free(serverssl);
4923 SSL_free(clientssl);
4931 * Test we can handle a KeyUpdate (update requested) message while write data
4933 * Test 0: Client sends KeyUpdate while Server is writing
4934 * Test 1: Server sends KeyUpdate while Client is writing
4936 static int test_key_update_in_write(int tst)
4938 SSL_CTX *cctx = NULL, *sctx = NULL;
4939 SSL *clientssl = NULL, *serverssl = NULL;
4942 static char *mess = "A test message";
4943 BIO *bretry = BIO_new(bio_s_always_retry());
4945 SSL *peerupdate = NULL, *peerwrite = NULL;
4947 if (!TEST_ptr(bretry)
4948 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4949 TLS_client_method(),
4952 &sctx, &cctx, cert, privkey))
4953 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4955 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4959 peerupdate = tst == 0 ? clientssl : serverssl;
4960 peerwrite = tst == 0 ? serverssl : clientssl;
4962 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
4963 || !TEST_true(SSL_do_handshake(peerupdate)))
4966 /* Swap the writing endpoint's write BIO to force a retry */
4967 tmp = SSL_get_wbio(peerwrite);
4968 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
4972 SSL_set0_wbio(peerwrite, bretry);
4975 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
4976 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
4977 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
4980 /* Reinstate the original writing endpoint's write BIO */
4981 SSL_set0_wbio(peerwrite, tmp);
4984 /* Now read some data - we will read the key update */
4985 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
4986 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
4990 * Complete the write we started previously and read it from the other
4993 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4994 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
4997 /* Write more data to ensure we send the KeyUpdate message back */
4998 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4999 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5005 SSL_free(serverssl);
5006 SSL_free(clientssl);
5014 #endif /* OPENSSL_NO_TLS1_3 */
5016 static int test_ssl_clear(int idx)
5018 SSL_CTX *cctx = NULL, *sctx = NULL;
5019 SSL *clientssl = NULL, *serverssl = NULL;
5022 #ifdef OPENSSL_NO_TLS1_2
5027 /* Create an initial connection */
5028 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5030 &sctx, &cctx, cert, privkey))
5032 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5034 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5035 &clientssl, NULL, NULL))
5036 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5040 SSL_shutdown(clientssl);
5041 SSL_shutdown(serverssl);
5042 SSL_free(serverssl);
5045 /* Clear clientssl - we're going to reuse the object */
5046 if (!TEST_true(SSL_clear(clientssl)))
5049 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5051 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5053 || !TEST_true(SSL_session_reused(clientssl)))
5056 SSL_shutdown(clientssl);
5057 SSL_shutdown(serverssl);
5062 SSL_free(serverssl);
5063 SSL_free(clientssl);
5070 /* Parse CH and retrieve any MFL extension value if present */
5071 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5074 unsigned char *data;
5075 PACKET pkt, pkt2, pkt3;
5076 unsigned int MFL_code = 0, type = 0;
5078 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5081 memset(&pkt, 0, sizeof(pkt));
5082 memset(&pkt2, 0, sizeof(pkt2));
5083 memset(&pkt3, 0, sizeof(pkt3));
5085 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5086 /* Skip the record header */
5087 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5088 /* Skip the handshake message header */
5089 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5090 /* Skip client version and random */
5091 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5092 + SSL3_RANDOM_SIZE))
5093 /* Skip session id */
5094 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5096 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5097 /* Skip compression */
5098 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5099 /* Extensions len */
5100 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5103 /* Loop through all extensions */
5104 while (PACKET_remaining(&pkt2)) {
5105 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5106 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5109 if (type == TLSEXT_TYPE_max_fragment_length) {
5110 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5111 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5114 *mfl_codemfl_code = MFL_code;
5123 /* Maximum-Fragment-Length TLS extension mode to test */
5124 static const unsigned char max_fragment_len_test[] = {
5125 TLSEXT_max_fragment_length_512,
5126 TLSEXT_max_fragment_length_1024,
5127 TLSEXT_max_fragment_length_2048,
5128 TLSEXT_max_fragment_length_4096
5131 static int test_max_fragment_len_ext(int idx_tst)
5135 int testresult = 0, MFL_mode = 0;
5138 ctx = SSL_CTX_new(TLS_method());
5142 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5143 ctx, max_fragment_len_test[idx_tst])))
5150 rbio = BIO_new(BIO_s_mem());
5151 wbio = BIO_new(BIO_s_mem());
5152 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5158 SSL_set_bio(con, rbio, wbio);
5159 SSL_set_connect_state(con);
5161 if (!TEST_int_le(SSL_connect(con), 0)) {
5162 /* This shouldn't succeed because we don't have a server! */
5166 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5167 /* no MFL in client hello */
5169 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5181 #ifndef OPENSSL_NO_TLS1_3
5182 static int test_pha_key_update(void)
5184 SSL_CTX *cctx = NULL, *sctx = NULL;
5185 SSL *clientssl = NULL, *serverssl = NULL;
5188 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5190 &sctx, &cctx, cert, privkey)))
5193 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5194 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5195 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5196 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5199 SSL_CTX_set_post_handshake_auth(cctx, 1);
5201 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5205 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5209 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5210 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5213 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5216 /* Start handshake on the server */
5217 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5220 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5221 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5225 SSL_shutdown(clientssl);
5226 SSL_shutdown(serverssl);
5231 SSL_free(serverssl);
5232 SSL_free(clientssl);
5239 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5241 static SRP_VBASE *vbase = NULL;
5243 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5245 int ret = SSL3_AL_FATAL;
5247 SRP_user_pwd *user = NULL;
5249 username = SSL_get_srp_username(s);
5250 if (username == NULL) {
5251 *ad = SSL_AD_INTERNAL_ERROR;
5255 user = SRP_VBASE_get1_by_user(vbase, username);
5257 *ad = SSL_AD_INTERNAL_ERROR;
5261 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5263 *ad = SSL_AD_INTERNAL_ERROR;
5270 SRP_user_pwd_free(user);
5274 static int create_new_vfile(char *userid, char *password, const char *filename)
5277 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5280 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5283 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5286 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5287 &row[DB_srpverifier], NULL, NULL);
5288 if (!TEST_ptr(gNid))
5292 * The only way to create an empty TXT_DB is to provide a BIO with no data
5295 db = TXT_DB_read(dummy, DB_NUMBER);
5299 out = BIO_new_file(filename, "w");
5303 row[DB_srpid] = OPENSSL_strdup(userid);
5304 row[DB_srptype] = OPENSSL_strdup("V");
5305 row[DB_srpgN] = OPENSSL_strdup(gNid);
5307 if (!TEST_ptr(row[DB_srpid])
5308 || !TEST_ptr(row[DB_srptype])
5309 || !TEST_ptr(row[DB_srpgN])
5310 || !TEST_true(TXT_DB_insert(db, row)))
5315 if (!TXT_DB_write(out, db))
5321 for (i = 0; i < DB_NUMBER; i++)
5322 OPENSSL_free(row[i]);
5332 static int create_new_vbase(char *userid, char *password)
5334 BIGNUM *verifier = NULL, *salt = NULL;
5335 const SRP_gN *lgN = NULL;
5336 SRP_user_pwd *user_pwd = NULL;
5339 lgN = SRP_get_default_gN(NULL);
5343 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5347 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5348 if (!TEST_ptr(user_pwd))
5351 user_pwd->N = lgN->N;
5352 user_pwd->g = lgN->g;
5353 user_pwd->id = OPENSSL_strdup(userid);
5354 if (!TEST_ptr(user_pwd->id))
5357 user_pwd->v = verifier;
5359 verifier = salt = NULL;
5361 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5367 SRP_user_pwd_free(user_pwd);
5377 * Test 0: Simple successful SRP connection, new vbase
5378 * Test 1: Connection failure due to bad password, new vbase
5379 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5380 * Test 3: Connection failure due to bad password, vbase loaded from existing
5382 * Test 4: Simple successful SRP connection, vbase loaded from new file
5383 * Test 5: Connection failure due to bad password, vbase loaded from new file
5385 static int test_srp(int tst)
5387 char *userid = "test", *password = "password", *tstsrpfile;
5388 SSL_CTX *cctx = NULL, *sctx = NULL;
5389 SSL *clientssl = NULL, *serverssl = NULL;
5390 int ret, testresult = 0;
5392 vbase = SRP_VBASE_new(NULL);
5393 if (!TEST_ptr(vbase))
5396 if (tst == 0 || tst == 1) {
5397 if (!TEST_true(create_new_vbase(userid, password)))
5400 if (tst == 4 || tst == 5) {
5401 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5403 tstsrpfile = tmpfilename;
5405 tstsrpfile = srpvfile;
5407 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5411 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5413 &sctx, &cctx, cert, privkey)))
5416 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5417 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5418 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5419 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5420 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5424 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5427 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5431 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5435 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5437 if (!TEST_true(tst % 2 == 0))
5440 if (!TEST_true(tst % 2 == 1))
5447 SRP_VBASE_free(vbase);
5449 SSL_free(serverssl);
5450 SSL_free(clientssl);
5458 static int info_cb_failed = 0;
5459 static int info_cb_offset = 0;
5460 static int info_cb_this_state = -1;
5462 static struct info_cb_states_st {
5464 const char *statestr;
5465 } info_cb_states[][60] = {
5467 /* TLSv1.2 server followed by resumption */
5468 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5469 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5470 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5471 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5472 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5473 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5474 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5475 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5476 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5477 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5478 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5479 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5480 {SSL_CB_EXIT, NULL}, {0, NULL},
5482 /* TLSv1.2 client followed by resumption */
5483 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5484 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5485 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5486 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5487 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5488 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5489 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5490 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5491 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5492 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5493 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5494 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5496 /* TLSv1.3 server followed by resumption */
5497 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5498 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5499 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5500 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5501 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5502 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5503 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5504 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5505 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5506 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5507 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5508 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5509 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5511 /* TLSv1.3 client followed by resumption */
5512 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5513 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5514 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5515 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5516 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5517 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5518 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5519 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5520 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5521 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5522 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5523 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5524 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5525 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5526 {SSL_CB_EXIT, NULL}, {0, NULL},
5528 /* TLSv1.3 server, early_data */
5529 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5530 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5531 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5532 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5533 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5534 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5535 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5536 {SSL_CB_EXIT, NULL}, {0, NULL},
5538 /* TLSv1.3 client, early_data */
5539 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5540 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5541 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5542 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5543 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5544 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5545 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5546 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5547 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5553 static void sslapi_info_callback(const SSL *s, int where, int ret)
5555 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5557 /* We do not ever expect a connection to fail in this test */
5558 if (!TEST_false(ret == 0)) {
5564 * Do some sanity checks. We never expect these things to happen in this
5567 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5568 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5569 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5574 /* Now check we're in the right state */
5575 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5579 if ((where & SSL_CB_LOOP) != 0
5580 && !TEST_int_eq(strcmp(SSL_state_string(s),
5581 state[info_cb_this_state].statestr), 0)) {
5587 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5589 if ((where & SSL_CB_HANDSHAKE_DONE)
5590 && SSL_in_init((SSL *)s) != 0) {
5597 * Test the info callback gets called when we expect it to.
5599 * Test 0: TLSv1.2, server
5600 * Test 1: TLSv1.2, client
5601 * Test 2: TLSv1.3, server
5602 * Test 3: TLSv1.3, client
5603 * Test 4: TLSv1.3, server, early_data
5604 * Test 5: TLSv1.3, client, early_data
5606 static int test_info_callback(int tst)
5608 SSL_CTX *cctx = NULL, *sctx = NULL;
5609 SSL *clientssl = NULL, *serverssl = NULL;
5610 SSL_SESSION *clntsess = NULL;
5615 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5616 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5617 || !defined(OPENSSL_NO_DH))
5618 tlsvers = TLS1_2_VERSION;
5623 #ifndef OPENSSL_NO_TLS1_3
5624 tlsvers = TLS1_3_VERSION;
5632 info_cb_this_state = -1;
5633 info_cb_offset = tst;
5635 #ifndef OPENSSL_NO_TLS1_3
5637 SSL_SESSION *sess = NULL;
5638 size_t written, readbytes;
5639 unsigned char buf[80];
5641 /* early_data tests */
5642 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5643 &serverssl, &sess, 0)))
5646 /* We don't actually need this reference */
5647 SSL_SESSION_free(sess);
5649 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5650 sslapi_info_callback);
5652 /* Write and read some early data and then complete the connection */
5653 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5655 || !TEST_size_t_eq(written, strlen(MSG1))
5656 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5657 sizeof(buf), &readbytes),
5658 SSL_READ_EARLY_DATA_SUCCESS)
5659 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5660 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5661 SSL_EARLY_DATA_ACCEPTED)
5662 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5664 || !TEST_false(info_cb_failed))
5672 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5673 TLS_client_method(),
5674 tlsvers, tlsvers, &sctx, &cctx, cert,
5679 * For even numbered tests we check the server callbacks. For odd numbers we
5682 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5683 sslapi_info_callback);
5685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5686 &clientssl, NULL, NULL))
5687 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5689 || !TEST_false(info_cb_failed))
5694 clntsess = SSL_get1_session(clientssl);
5695 SSL_shutdown(clientssl);
5696 SSL_shutdown(serverssl);
5697 SSL_free(serverssl);
5698 SSL_free(clientssl);
5699 serverssl = clientssl = NULL;
5701 /* Now do a resumption */
5702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5704 || !TEST_true(SSL_set_session(clientssl, clntsess))
5705 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5707 || !TEST_true(SSL_session_reused(clientssl))
5708 || !TEST_false(info_cb_failed))
5714 SSL_free(serverssl);
5715 SSL_free(clientssl);
5716 SSL_SESSION_free(clntsess);
5722 static int test_ssl_pending(int tst)
5724 SSL_CTX *cctx = NULL, *sctx = NULL;
5725 SSL *clientssl = NULL, *serverssl = NULL;
5727 char msg[] = "A test message";
5729 size_t written, readbytes;
5732 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5733 TLS_client_method(),
5735 &sctx, &cctx, cert, privkey)))
5738 #ifndef OPENSSL_NO_DTLS
5739 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5740 DTLS_client_method(),
5742 &sctx, &cctx, cert, privkey)))
5749 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5751 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5755 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5756 || !TEST_false(SSL_has_pending(clientssl))
5757 || !TEST_int_eq(SSL_pending(serverssl), 0)
5758 || !TEST_false(SSL_has_pending(serverssl))
5759 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5760 || !TEST_size_t_eq(written, sizeof(msg))
5761 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5762 || !TEST_size_t_eq(readbytes, sizeof(buf))
5763 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5764 || !TEST_true(SSL_has_pending(clientssl)))
5770 SSL_free(serverssl);
5771 SSL_free(clientssl);
5779 unsigned int maxprot;
5780 const char *clntciphers;
5781 const char *clnttls13ciphers;
5782 const char *srvrciphers;
5783 const char *srvrtls13ciphers;
5785 } shared_ciphers_data[] = {
5787 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5788 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5790 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5793 "AES128-SHA:AES256-SHA",
5795 "AES256-SHA:DHE-RSA-AES128-SHA",
5801 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5803 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5805 "AES128-SHA:AES256-SHA"
5809 "AES128-SHA:AES256-SHA",
5811 "AES128-SHA:DHE-RSA-AES128-SHA",
5817 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5820 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5821 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5824 "AES128-SHA:AES256-SHA",
5826 "AES256-SHA:AES128-SHA256",
5828 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5829 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5832 #ifndef OPENSSL_NO_TLS1_3
5836 "TLS_AES_256_GCM_SHA384",
5838 "TLS_AES_256_GCM_SHA384",
5839 "TLS_AES_256_GCM_SHA384"
5844 static int test_ssl_get_shared_ciphers(int tst)
5846 SSL_CTX *cctx = NULL, *sctx = NULL;
5847 SSL *clientssl = NULL, *serverssl = NULL;
5851 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5852 TLS_client_method(),
5854 shared_ciphers_data[tst].maxprot,
5855 &sctx, &cctx, cert, privkey)))
5858 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5859 shared_ciphers_data[tst].clntciphers))
5860 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5861 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5862 shared_ciphers_data[tst].clnttls13ciphers)))
5863 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5864 shared_ciphers_data[tst].srvrciphers))
5865 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5866 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5867 shared_ciphers_data[tst].srvrtls13ciphers))))
5871 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5877 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5878 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5879 TEST_info("Shared ciphers are: %s\n", buf);
5886 SSL_free(serverssl);
5887 SSL_free(clientssl);
5894 static const char *appdata = "Hello World";
5895 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5896 static int tick_key_renew = 0;
5897 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5899 static int gen_tick_cb(SSL *s, void *arg)
5901 gen_tick_called = 1;
5903 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5907 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5908 const unsigned char *keyname,
5909 size_t keyname_length,
5910 SSL_TICKET_STATUS status,
5916 dec_tick_called = 1;
5918 if (status == SSL_TICKET_EMPTY)
5919 return SSL_TICKET_RETURN_IGNORE_RENEW;
5921 if (!TEST_true(status == SSL_TICKET_SUCCESS
5922 || status == SSL_TICKET_SUCCESS_RENEW))
5923 return SSL_TICKET_RETURN_ABORT;
5925 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5927 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5928 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5929 return SSL_TICKET_RETURN_ABORT;
5931 if (tick_key_cb_called) {
5932 /* Don't change what the ticket key callback wanted to do */
5934 case SSL_TICKET_NO_DECRYPT:
5935 return SSL_TICKET_RETURN_IGNORE_RENEW;
5937 case SSL_TICKET_SUCCESS:
5938 return SSL_TICKET_RETURN_USE;
5940 case SSL_TICKET_SUCCESS_RENEW:
5941 return SSL_TICKET_RETURN_USE_RENEW;
5944 return SSL_TICKET_RETURN_ABORT;
5947 return tick_dec_ret;
5951 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5952 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5953 HMAC_CTX *hctx, int enc)
5955 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5956 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5958 tick_key_cb_called = 1;
5959 memset(iv, 0, AES_BLOCK_SIZE);
5960 memset(key_name, 0, 16);
5961 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5962 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5963 EVP_sha256(), NULL))
5966 return tick_key_renew ? 2 : 1;
5970 * Test the various ticket callbacks
5971 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5972 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5973 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5974 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5975 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5976 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5977 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5978 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5979 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5980 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5981 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5982 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5984 static int test_ticket_callbacks(int tst)
5986 SSL_CTX *cctx = NULL, *sctx = NULL;
5987 SSL *clientssl = NULL, *serverssl = NULL;
5988 SSL_SESSION *clntsess = NULL;
5991 #ifdef OPENSSL_NO_TLS1_2
5995 #ifdef OPENSSL_NO_TLS1_3
6000 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6002 /* Which tests the ticket key callback should request renewal for */
6003 if (tst == 10 || tst == 11)
6008 /* Which tests the decrypt ticket callback should request renewal for */
6012 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6017 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6022 tick_dec_ret = SSL_TICKET_RETURN_USE;
6027 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6031 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6034 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6035 TLS_client_method(),
6037 ((tst % 2) == 0) ? TLS1_2_VERSION
6039 &sctx, &cctx, cert, privkey)))
6043 * We only want sessions to resume from tickets - not the session cache. So
6044 * switch the cache off.
6046 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6049 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6054 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6057 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6059 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6064 * The decrypt ticket key callback in TLSv1.2 should be called even though
6065 * we have no ticket yet, because it gets called with a status of
6066 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6067 * actually send any ticket data). This does not happen in TLSv1.3 because
6068 * it is not valid to send empty ticket data in TLSv1.3.
6070 if (!TEST_int_eq(gen_tick_called, 1)
6071 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6074 gen_tick_called = dec_tick_called = 0;
6076 clntsess = SSL_get1_session(clientssl);
6077 SSL_shutdown(clientssl);
6078 SSL_shutdown(serverssl);
6079 SSL_free(serverssl);
6080 SSL_free(clientssl);
6081 serverssl = clientssl = NULL;
6083 /* Now do a resumption */
6084 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6086 || !TEST_true(SSL_set_session(clientssl, clntsess))
6087 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6091 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6092 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6093 if (!TEST_false(SSL_session_reused(clientssl)))
6096 if (!TEST_true(SSL_session_reused(clientssl)))
6100 if (!TEST_int_eq(gen_tick_called,
6102 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6103 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6105 || !TEST_int_eq(dec_tick_called, 1))
6111 SSL_SESSION_free(clntsess);
6112 SSL_free(serverssl);
6113 SSL_free(clientssl);
6121 * Test bi-directional shutdown.
6123 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6124 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6125 * Test 3: TLSv1.3, pending NewSessionTicket messages
6126 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6127 * sends key update, client reads it
6128 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6129 * sends CertificateRequest, client reads and ignores it
6130 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6133 static int test_shutdown(int tst)
6135 SSL_CTX *cctx = NULL, *sctx = NULL;
6136 SSL *clientssl = NULL, *serverssl = NULL;
6138 char msg[] = "A test message";
6140 size_t written, readbytes;
6143 #ifdef OPENSSL_NO_TLS1_2
6147 #ifdef OPENSSL_NO_TLS1_3
6152 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6153 TLS_client_method(),
6155 (tst <= 1) ? TLS1_2_VERSION
6157 &sctx, &cctx, cert, privkey)))
6161 SSL_CTX_set_post_handshake_auth(cctx, 1);
6163 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6168 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6170 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6171 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6173 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6175 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6176 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6180 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6185 * Reading on the server after the client has sent close_notify should
6186 * fail and provide SSL_ERROR_ZERO_RETURN
6188 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6189 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6190 SSL_ERROR_ZERO_RETURN)
6191 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6192 SSL_RECEIVED_SHUTDOWN)
6194 * Even though we're shutdown on receive we should still be
6197 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6200 && !TEST_true(SSL_key_update(serverssl,
6201 SSL_KEY_UPDATE_REQUESTED)))
6204 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6205 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6208 if ((tst == 4 || tst == 5)
6209 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6211 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6213 if (tst == 4 || tst == 5) {
6214 /* Should still be able to read data from server */
6215 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6217 || !TEST_size_t_eq(readbytes, sizeof(msg))
6218 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6219 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6221 || !TEST_size_t_eq(readbytes, sizeof(msg))
6222 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6227 /* Writing on the client after sending close_notify shouldn't be possible */
6228 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6233 * For these tests the client has sent close_notify but it has not yet
6234 * been received by the server. The server has not sent close_notify
6237 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6239 * Writing on the server after sending close_notify shouldn't
6242 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6243 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6244 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6245 || !TEST_true(SSL_SESSION_is_resumable(sess))
6246 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6248 } else if (tst == 4 || tst == 5) {
6250 * In this test the client has sent close_notify and it has been
6251 * received by the server which has responded with a close_notify. The
6252 * client needs to read the close_notify sent by the server.
6254 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6255 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6256 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6262 * The client has sent close_notify and is expecting a close_notify
6263 * back, but instead there is application data first. The shutdown
6264 * should fail with a fatal error.
6266 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6267 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6274 SSL_free(serverssl);
6275 SSL_free(clientssl);
6282 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6283 static int cert_cb_cnt;
6285 static int cert_cb(SSL *s, void *arg)
6287 SSL_CTX *ctx = (SSL_CTX *)arg;
6289 EVP_PKEY *pkey = NULL;
6292 if (cert_cb_cnt == 0) {
6293 /* Suspend the handshake */
6296 } else if (cert_cb_cnt == 1) {
6298 * Update the SSL_CTX, set the certificate and private key and then
6299 * continue the handshake normally.
6301 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6304 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6305 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6307 || !TEST_true(SSL_check_private_key(s)))
6311 } else if (cert_cb_cnt == 3) {
6313 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6314 || !TEST_int_ge(BIO_read_filename(in, cert), 0)
6315 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6318 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6319 || !TEST_int_ge(BIO_read_filename(in, privkey), 0)
6320 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6322 rv = SSL_check_chain(s, x509, pkey, NULL);
6324 * If the cert doesn't show as valid here (e.g., because we don't
6325 * have any shared sigalgs), then we will not set it, and there will
6326 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6327 * will cause tls_choose_sigalgs() to fail the connection.
6329 if ((rv & CERT_PKEY_VALID)) {
6330 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6334 EVP_PKEY_free(pkey);
6339 /* Abort the handshake */
6342 EVP_PKEY_free(pkey);
6348 * Test the certificate callback.
6349 * Test 0: Callback fails
6350 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6351 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6353 static int test_cert_cb_int(int prot, int tst)
6355 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6356 SSL *clientssl = NULL, *serverssl = NULL;
6357 int testresult = 0, ret;
6359 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6360 TLS_client_method(),
6363 &sctx, &cctx, NULL, NULL)))
6373 snictx = SSL_CTX_new(TLS_server_method());
6374 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6376 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6380 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6381 if (!TEST_true(tst == 0 ? !ret : ret)
6383 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6390 SSL_free(serverssl);
6391 SSL_free(clientssl);
6394 SSL_CTX_free(snictx);
6400 static int test_cert_cb(int tst)
6404 #ifndef OPENSSL_NO_TLS1_2
6405 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6407 #ifndef OPENSSL_NO_TLS1_3
6408 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6414 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6420 /* Check that SSL_get_peer_certificate() returns something sensible */
6421 peer = SSL_get_peer_certificate(ssl);
6422 if (!TEST_ptr(peer))
6426 in = BIO_new_file(cert, "r");
6430 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6432 if (!TEST_ptr(xcert))
6435 in = BIO_new_file(privkey, "r");
6436 if (!TEST_ptr(in)) {
6441 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6443 if (!TEST_ptr(privpkey)) {
6454 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6459 static int test_client_cert_cb(int tst)
6461 SSL_CTX *cctx = NULL, *sctx = NULL;
6462 SSL *clientssl = NULL, *serverssl = NULL;
6465 #ifdef OPENSSL_NO_TLS1_2
6469 #ifdef OPENSSL_NO_TLS1_3
6474 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6475 TLS_client_method(),
6477 tst == 0 ? TLS1_2_VERSION
6479 &sctx, &cctx, cert, privkey)))
6483 * Test that setting a client_cert_cb results in a client certificate being
6486 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6487 SSL_CTX_set_verify(sctx,
6488 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6493 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6500 SSL_free(serverssl);
6501 SSL_free(clientssl);
6508 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6510 * Test setting certificate authorities on both client and server.
6512 * Test 0: SSL_CTX_set0_CA_list() only
6513 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6514 * Test 2: Only SSL_CTX_set_client_CA_list()
6516 static int test_ca_names_int(int prot, int tst)
6518 SSL_CTX *cctx = NULL, *sctx = NULL;
6519 SSL *clientssl = NULL, *serverssl = NULL;
6522 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6523 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6524 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6525 const STACK_OF(X509_NAME) *sktmp = NULL;
6527 for (i = 0; i < OSSL_NELEM(name); i++) {
6528 name[i] = X509_NAME_new();
6529 if (!TEST_ptr(name[i])
6530 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6538 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6539 TLS_client_method(),
6542 &sctx, &cctx, cert, privkey)))
6545 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6547 if (tst == 0 || tst == 1) {
6548 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6549 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6550 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6551 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6552 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6553 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6556 SSL_CTX_set0_CA_list(sctx, sk1);
6557 SSL_CTX_set0_CA_list(cctx, sk2);
6560 if (tst == 1 || tst == 2) {
6561 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6562 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6563 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6564 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6565 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6566 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6569 SSL_CTX_set_client_CA_list(sctx, sk1);
6570 SSL_CTX_set_client_CA_list(cctx, sk2);
6574 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6576 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6581 * We only expect certificate authorities to have been sent to the server
6582 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6584 sktmp = SSL_get0_peer_CA_list(serverssl);
6585 if (prot == TLS1_3_VERSION
6586 && (tst == 0 || tst == 1)) {
6587 if (!TEST_ptr(sktmp)
6588 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6589 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6591 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6594 } else if (!TEST_ptr_null(sktmp)) {
6599 * In all tests we expect certificate authorities to have been sent to the
6600 * client. However, SSL_set_client_CA_list() should override
6601 * SSL_set0_CA_list()
6603 sktmp = SSL_get0_peer_CA_list(clientssl);
6604 if (!TEST_ptr(sktmp)
6605 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6606 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6607 name[tst == 0 ? 0 : 2]), 0)
6608 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6609 name[tst == 0 ? 1 : 3]), 0))
6615 SSL_free(serverssl);
6616 SSL_free(clientssl);
6619 for (i = 0; i < OSSL_NELEM(name); i++)
6620 X509_NAME_free(name[i]);
6621 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6622 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6628 static int test_ca_names(int tst)
6632 #ifndef OPENSSL_NO_TLS1_2
6633 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6635 #ifndef OPENSSL_NO_TLS1_3
6636 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6643 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6645 int setup_tests(void)
6647 if (!TEST_ptr(cert = test_get_argument(0))
6648 || !TEST_ptr(privkey = test_get_argument(1))
6649 || !TEST_ptr(srpvfile = test_get_argument(2))
6650 || !TEST_ptr(tmpfilename = test_get_argument(3)))
6653 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6654 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6655 TEST_error("not supported in this build");
6658 int i, mcount, rcount, fcount;
6660 for (i = 0; i < 4; i++)
6661 test_export_key_mat(i);
6662 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6663 test_printf_stdout("malloc %d realloc %d free %d\n",
6664 mcount, rcount, fcount);
6669 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6670 && !defined(OPENSSL_NO_SOCK)
6671 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
6672 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
6673 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
6674 ADD_TEST(test_ktls_client_no_txrx_server);
6675 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
6676 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
6677 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
6678 ADD_TEST(test_ktls_client_no_rx_server);
6679 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
6680 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
6681 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
6682 ADD_TEST(test_ktls_client_no_tx_server);
6683 ADD_TEST(test_ktls_no_txrx_client_server);
6684 ADD_TEST(test_ktls_no_rx_client_server);
6685 ADD_TEST(test_ktls_no_tx_client_server);
6686 ADD_TEST(test_ktls_client_server);
6687 ADD_TEST(test_ktls_sendfile);
6689 ADD_TEST(test_large_message_tls);
6690 ADD_TEST(test_large_message_tls_read_ahead);
6691 #ifndef OPENSSL_NO_DTLS
6692 ADD_TEST(test_large_message_dtls);
6694 #ifndef OPENSSL_NO_OCSP
6695 ADD_TEST(test_tlsext_status_type);
6697 ADD_TEST(test_session_with_only_int_cache);
6698 ADD_TEST(test_session_with_only_ext_cache);
6699 ADD_TEST(test_session_with_both_cache);
6700 #ifndef OPENSSL_NO_TLS1_3
6701 ADD_ALL_TESTS(test_stateful_tickets, 3);
6702 ADD_ALL_TESTS(test_stateless_tickets, 3);
6703 ADD_TEST(test_psk_tickets);
6705 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6706 ADD_TEST(test_ssl_bio_pop_next_bio);
6707 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6708 ADD_TEST(test_ssl_bio_change_rbio);
6709 ADD_TEST(test_ssl_bio_change_wbio);
6710 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6711 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6712 ADD_TEST(test_keylog);
6714 #ifndef OPENSSL_NO_TLS1_3
6715 ADD_TEST(test_keylog_no_master_key);
6717 #ifndef OPENSSL_NO_TLS1_2
6718 ADD_TEST(test_client_hello_cb);
6719 ADD_TEST(test_no_ems);
6721 #ifndef OPENSSL_NO_TLS1_3
6722 ADD_ALL_TESTS(test_early_data_read_write, 3);
6724 * We don't do replay tests for external PSK. Replay protection isn't used
6727 ADD_ALL_TESTS(test_early_data_replay, 2);
6728 ADD_ALL_TESTS(test_early_data_skip, 3);
6729 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6730 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6731 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6732 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6733 ADD_ALL_TESTS(test_early_data_psk, 8);
6734 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6735 # ifndef OPENSSL_NO_TLS1_2
6736 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6739 #ifndef OPENSSL_NO_TLS1_3
6740 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6741 ADD_TEST(test_ciphersuite_change);
6742 #ifdef OPENSSL_NO_PSK
6743 ADD_ALL_TESTS(test_tls13_psk, 1);
6745 ADD_ALL_TESTS(test_tls13_psk, 4);
6746 #endif /* OPENSSL_NO_PSK */
6747 ADD_ALL_TESTS(test_tls13_key_exchange, 14);
6748 ADD_ALL_TESTS(test_custom_exts, 5);
6749 ADD_TEST(test_stateless);
6750 ADD_TEST(test_pha_key_update);
6752 ADD_ALL_TESTS(test_custom_exts, 3);
6754 ADD_ALL_TESTS(test_serverinfo, 8);
6755 ADD_ALL_TESTS(test_export_key_mat, 6);
6756 #ifndef OPENSSL_NO_TLS1_3
6757 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6758 ADD_TEST(test_key_update);
6759 ADD_ALL_TESTS(test_key_update_in_write, 2);
6761 ADD_ALL_TESTS(test_ssl_clear, 2);
6762 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6763 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6764 ADD_ALL_TESTS(test_srp, 6);
6766 ADD_ALL_TESTS(test_info_callback, 6);
6767 ADD_ALL_TESTS(test_ssl_pending, 2);
6768 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6769 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6770 ADD_ALL_TESTS(test_shutdown, 7);
6771 ADD_ALL_TESTS(test_cert_cb, 4);
6772 ADD_ALL_TESTS(test_client_cert_cb, 2);
6773 ADD_ALL_TESTS(test_ca_names, 3);
6777 void cleanup_tests(void)
6779 bio_s_mempacket_test_free();
6780 bio_s_always_retry_free();
projects / oweals / openssl.git / blob