2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "../ssl/ssl_locl.h"
27 static char *cert = NULL;
28 static char *privkey = NULL;
29 static char *srpvfile = NULL;
30 static char *tmpfilename = NULL;
32 #define LOG_BUFFER_SIZE 2048
33 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
34 static size_t server_log_buffer_index = 0;
35 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
36 static size_t client_log_buffer_index = 0;
37 static int error_writing_log = 0;
39 #ifndef OPENSSL_NO_OCSP
40 static const unsigned char orespder[] = "Dummy OCSP Response";
41 static int ocsp_server_called = 0;
42 static int ocsp_client_called = 0;
44 static int cdummyarg = 1;
45 static X509 *ocspcert = NULL;
48 #define NUM_EXTRA_CERTS 40
49 #define CLIENT_VERSION_LEN 2
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
55 struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
58 unsigned int client_early_secret_count;
59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
63 unsigned int early_exporter_secret_count;
64 unsigned int exporter_secret_count;
68 static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
74 static unsigned char serverinfov2[] = {
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
82 static void client_keylog_callback(const SSL *ssl, const char *line)
84 int line_length = strlen(line);
86 /* If the log doesn't fit, error out. */
87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
89 error_writing_log = 1;
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
95 client_log_buffer[client_log_buffer_index++] = '\n';
98 static void server_keylog_callback(const SSL *ssl, const char *line)
100 int line_length = strlen(line);
102 /* If the log doesn't fit, error out. */
103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
104 TEST_info("Server log too full");
105 error_writing_log = 1;
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
111 server_log_buffer[server_log_buffer_index++] = '\n';
114 static int compare_hex_encoded_buffer(const char *hex_encoded,
122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
126 sprintf(hexed, "%02x", raw[i]);
127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
135 static int test_keylog_output(char *buffer, const SSL *ssl,
136 const SSL_SESSION *session,
137 struct sslapitest_log_counts *expected)
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
146 unsigned int client_early_secret_count = 0;
147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
151 unsigned int early_exporter_secret_count = 0;
152 unsigned int exporter_secret_count = 0;
154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
156 if (strcmp(token, "RSA") == 0) {
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
159 * hex-encoded encrypted secret, then the hex-encoded pre-master
162 if (!TEST_ptr(token = strtok(NULL, " \n")))
164 if (!TEST_size_t_eq(strlen(token), 16))
166 if (!TEST_ptr(token = strtok(NULL, " \n")))
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
173 rsa_key_exchange_count++;
174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
177 * client random, then the hex-encoded master secret.
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
185 if (!TEST_ptr(token = strtok(NULL, " \n")))
187 if (!TEST_size_t_eq(strlen(token), 64))
189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
194 if (!TEST_ptr(token = strtok(NULL, " \n")))
196 master_key_size = SSL_SESSION_get_master_key(session,
199 if (!TEST_size_t_ne(master_key_size, 0))
201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
205 master_secret_count++;
206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
212 || strcmp(token, "EXPORTER_SECRET") == 0) {
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
240 if (!TEST_ptr(token = strtok(NULL, " \n")))
242 if (!TEST_size_t_eq(strlen(token), 64))
244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
249 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 * TODO(TLS1.3): test that application traffic secrets are what
256 TEST_info("Unexpected token %s\n", token);
261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
275 expected->server_application_secret_count)
276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
284 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
285 static int test_keylog(void)
287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
290 struct sslapitest_log_counts expected = {0};
292 /* Clean up logging space */
293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
301 TLS1_VERSION, TLS_MAX_VERSION,
302 &sctx, &cctx, cert, privkey)))
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
309 /* We also want to ensure that we use RSA-based key exchange. */
310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
336 * Now we want to test that our output data was vaguely sensible. We
337 * do that by using strtok and confirming that we have more or less the
338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
347 expected.rsa_key_exchange_count = 0;
348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
364 #ifndef OPENSSL_NO_TLS1_3
365 static int test_keylog_no_master_key(void)
367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
369 SSL_SESSION *sess = NULL;
371 struct sslapitest_log_counts expected = {0};
372 unsigned char buf[1];
373 size_t readbytes, written;
375 /* Clean up logging space */
376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
386 SSL3_RT_MAX_PLAIN_LENGTH)))
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
408 || !TEST_false(error_writing_log))
412 * Now we want to test that our output data was vaguely sensible. For this
413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
414 * TLSv1.3, but we do expect both client and server to emit keys.
416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
420 expected.exporter_secret_count = 1;
421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
434 serverssl = clientssl = NULL;
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
454 || !TEST_true(SSL_session_reused(clientssl)))
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
459 expected.early_exporter_secret_count = 1;
460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
470 SSL_SESSION_free(sess);
480 #ifndef OPENSSL_NO_TLS1_2
481 static int full_client_hello_callback(SSL *s, int *al, void *arg)
484 const unsigned char *p;
486 /* We only configure two ciphers, but the SCSV is added automatically. */
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
493 const int expected_extensions[] = {
494 #ifndef OPENSSL_NO_EC
500 /* Make sure we can defer processing and get called back. */
502 return SSL_CLIENT_HELLO_RETRY;
504 len = SSL_client_hello_get0_ciphers(s, &p);
505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
508 || !TEST_int_eq(*p, 0))
509 return SSL_CLIENT_HELLO_ERROR;
510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
511 return SSL_CLIENT_HELLO_ERROR;
512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
514 printf("ClientHello callback expected extensions mismatch\n");
516 return SSL_CLIENT_HELLO_ERROR;
519 return SSL_CLIENT_HELLO_SUCCESS;
522 static int test_client_hello_cb(void)
524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
565 static int execute_test_large_message(const SSL_METHOD *smeth,
566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
575 X509 *chaincert = NULL;
578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
583 if (!TEST_ptr(chaincert))
586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
592 * Test that read_ahead works correctly when dealing with large
595 SSL_CTX_set_read_ahead(cctx, 1);
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
605 certlen = i2d_X509(chaincert, NULL);
606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
609 if (!X509_up_ref(chaincert))
611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
612 X509_free(chaincert);
617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
627 if (!TEST_true(SSL_clear(serverssl)))
632 X509_free(chaincert);
641 static int test_large_message_tls(void)
643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
644 TLS1_VERSION, TLS_MAX_VERSION,
648 static int test_large_message_tls_read_ahead(void)
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
651 TLS1_VERSION, TLS_MAX_VERSION,
655 #ifndef OPENSSL_NO_DTLS
656 static int test_large_message_dtls(void)
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
662 return execute_test_large_message(DTLS_server_method(),
663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
669 #ifndef OPENSSL_NO_OCSP
670 static int ocsp_server_cb(SSL *s, void *arg)
672 int *argi = (int *)arg;
673 unsigned char *copy = NULL;
674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
691 return SSL_TLSEXT_ERR_ALERT_FATAL;
693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
694 ocsp_server_called = 1;
695 return SSL_TLSEXT_ERR_OK;
698 static int ocsp_client_cb(SSL *s, void *arg)
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
704 if (*argi != 1 && *argi != 2)
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
708 if (!TEST_mem_eq(orespder, len, respderin, len))
711 ocsp_client_called = 1;
715 static int test_tlsext_status_type(void)
717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
732 /* First just do various checks getting and setting tlsext_status_type */
734 clientssl = SSL_new(cctx);
735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
749 clientssl = SSL_new(cctx);
750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
793 * This time we'll get the client to send an OCSP_RESPID that it will
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
805 * specific one. We'll use the server cert.
807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
846 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
847 static int new_called, remove_called, get_called;
849 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
853 * sess has been up-refed for us, but we don't actually need it so free it
856 SSL_SESSION_free(sess);
860 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
865 static SSL_SESSION *get_sess_val = NULL;
867 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
875 static int execute_test_session(int maxprot, int use_int_cache,
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
881 # ifndef OPENSSL_NO_TLS1_1
882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
885 int testresult = 0, numnewsesstick = 1;
887 new_called = remove_called = 0;
889 /* TLSv1.3 sends 2 NewSessionTickets */
890 if (maxprot == TLS1_3_VERSION)
893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
894 TLS1_VERSION, TLS_MAX_VERSION,
895 &sctx, &cctx, cert, privkey)))
899 * Only allow the max protocol version so we can force a connection failure
902 SSL_CTX_set_min_proto_version(cctx, maxprot);
903 SSL_CTX_set_max_proto_version(cctx, maxprot);
905 /* Set up session cache */
907 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
908 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
911 /* Also covers instance where both are set */
912 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
914 SSL_CTX_set_session_cache_mode(cctx,
915 SSL_SESS_CACHE_CLIENT
916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
921 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
923 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
926 /* Should fail because it should already be in the cache */
927 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
930 && (!TEST_int_eq(new_called, numnewsesstick)
932 || !TEST_int_eq(remove_called, 0)))
935 new_called = remove_called = 0;
936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
937 &clientssl2, NULL, NULL))
938 || !TEST_true(SSL_set_session(clientssl2, sess1))
939 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
941 || !TEST_true(SSL_session_reused(clientssl2)))
944 if (maxprot == TLS1_3_VERSION) {
946 * In TLSv1.3 we should have created a new session even though we have
950 && (!TEST_int_eq(new_called, 1)
951 || !TEST_int_eq(remove_called, 0)))
955 * In TLSv1.2 we expect to have resumed so no sessions added or
959 && (!TEST_int_eq(new_called, 0)
960 || !TEST_int_eq(remove_called, 0)))
964 SSL_SESSION_free(sess1);
965 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
967 shutdown_ssl_connection(serverssl2, clientssl2);
968 serverssl2 = clientssl2 = NULL;
970 new_called = remove_called = 0;
971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
972 &clientssl2, NULL, NULL))
973 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
977 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
981 && (!TEST_int_eq(new_called, numnewsesstick)
982 || !TEST_int_eq(remove_called, 0)))
985 new_called = remove_called = 0;
987 * This should clear sess2 from the cache because it is a "bad" session.
988 * See SSL_set_session() documentation.
990 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
993 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
995 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
999 /* Should succeeded because it should not already be in the cache */
1000 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1001 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1005 new_called = remove_called = 0;
1006 /* This shouldn't be in the cache so should fail */
1007 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1011 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1014 # if !defined(OPENSSL_NO_TLS1_1)
1015 new_called = remove_called = 0;
1016 /* Force a connection failure */
1017 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1018 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1019 &clientssl3, NULL, NULL))
1020 || !TEST_true(SSL_set_session(clientssl3, sess1))
1021 /* This should fail because of the mismatched protocol versions */
1022 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1026 /* We should have automatically removed the session from the cache */
1028 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1031 /* Should succeed because it should not already be in the cache */
1032 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1036 /* Now do some tests for server side caching */
1037 if (use_ext_cache) {
1038 SSL_CTX_sess_set_new_cb(cctx, NULL);
1039 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1040 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1041 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1042 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1043 get_sess_val = NULL;
1046 SSL_CTX_set_session_cache_mode(cctx, 0);
1047 /* Internal caching is the default on the server side */
1049 SSL_CTX_set_session_cache_mode(sctx,
1050 SSL_SESS_CACHE_SERVER
1051 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1053 SSL_free(serverssl1);
1054 SSL_free(clientssl1);
1055 serverssl1 = clientssl1 = NULL;
1056 SSL_free(serverssl2);
1057 SSL_free(clientssl2);
1058 serverssl2 = clientssl2 = NULL;
1059 SSL_SESSION_free(sess1);
1061 SSL_SESSION_free(sess2);
1064 SSL_CTX_set_max_proto_version(sctx, maxprot);
1065 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1066 new_called = remove_called = get_called = 0;
1067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1069 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1071 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1072 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1075 /* Should fail because it should already be in the cache */
1076 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
1079 if (use_ext_cache) {
1080 SSL_SESSION *tmp = sess2;
1082 if (!TEST_int_eq(new_called, numnewsesstick)
1083 || !TEST_int_eq(remove_called, 0)
1084 || !TEST_int_eq(get_called, 0))
1087 * Delete the session from the internal cache to force a lookup from
1088 * the external cache. We take a copy first because
1089 * SSL_CTX_remove_session() also marks the session as non-resumable.
1091 if (use_int_cache) {
1092 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1093 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1095 SSL_SESSION_free(sess2);
1100 new_called = remove_called = get_called = 0;
1101 get_sess_val = sess2;
1102 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1103 &clientssl2, NULL, NULL))
1104 || !TEST_true(SSL_set_session(clientssl2, sess1))
1105 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1107 || !TEST_true(SSL_session_reused(clientssl2)))
1110 if (use_ext_cache) {
1111 if (!TEST_int_eq(remove_called, 0))
1114 if (maxprot == TLS1_3_VERSION) {
1115 if (!TEST_int_eq(new_called, 1)
1116 || !TEST_int_eq(get_called, 0))
1119 if (!TEST_int_eq(new_called, 0)
1120 || !TEST_int_eq(get_called, 1))
1128 SSL_free(serverssl1);
1129 SSL_free(clientssl1);
1130 SSL_free(serverssl2);
1131 SSL_free(clientssl2);
1132 # ifndef OPENSSL_NO_TLS1_1
1133 SSL_free(serverssl3);
1134 SSL_free(clientssl3);
1136 SSL_SESSION_free(sess1);
1137 SSL_SESSION_free(sess2);
1143 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1145 static int test_session_with_only_int_cache(void)
1147 #ifndef OPENSSL_NO_TLS1_3
1148 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1152 #ifndef OPENSSL_NO_TLS1_2
1153 return execute_test_session(TLS1_2_VERSION, 1, 0);
1159 static int test_session_with_only_ext_cache(void)
1161 #ifndef OPENSSL_NO_TLS1_3
1162 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1166 #ifndef OPENSSL_NO_TLS1_2
1167 return execute_test_session(TLS1_2_VERSION, 0, 1);
1173 static int test_session_with_both_cache(void)
1175 #ifndef OPENSSL_NO_TLS1_3
1176 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1180 #ifndef OPENSSL_NO_TLS1_2
1181 return execute_test_session(TLS1_2_VERSION, 1, 1);
1187 static SSL_SESSION *sesscache[6];
1188 static int do_cache;
1190 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1193 sesscache[new_called] = sess;
1195 /* We don't need the reference to the session, so free it */
1196 SSL_SESSION_free(sess);
1203 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1205 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1206 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1209 /* Start handshake on the server and client */
1210 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1211 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1212 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1213 || !TEST_true(create_ssl_connection(sssl, cssl,
1220 static int test_tickets(int idx)
1222 SSL_CTX *sctx = NULL, *cctx = NULL;
1223 SSL *serverssl = NULL, *clientssl = NULL;
1224 int testresult = 0, i;
1227 /* idx is the test number, but also the number of tickets we want */
1232 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1233 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1234 &cctx, cert, privkey))
1235 || !TEST_true(SSL_CTX_set_num_tickets(sctx, idx)))
1238 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1239 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1240 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
1242 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1243 &clientssl, NULL, NULL)))
1246 SSL_force_post_handshake_auth(clientssl);
1248 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1250 /* Check we got the number of tickets we were expecting */
1251 || !TEST_int_eq(idx, new_called))
1254 /* After a post-handshake authentication we should get new tickets issued */
1255 if (!post_handshake_verify(serverssl, clientssl)
1256 || !TEST_int_eq(idx * 2, new_called))
1259 SSL_shutdown(clientssl);
1260 SSL_shutdown(serverssl);
1261 SSL_free(serverssl);
1262 SSL_free(clientssl);
1263 serverssl = clientssl = NULL;
1265 /* Stop caching sessions - just count them */
1268 /* Test that we can resume with all the tickets we got given */
1269 for (i = 0; i < idx * 2; i++) {
1271 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1272 &clientssl, NULL, NULL))
1273 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1276 SSL_force_post_handshake_auth(clientssl);
1278 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1280 || !TEST_true(SSL_session_reused(clientssl))
1281 /* Following a resumption we only get 1 ticket */
1282 || !TEST_int_eq(new_called, 1))
1286 /* After a post-handshake authentication we should get 1 new ticket */
1287 if (!post_handshake_verify(serverssl, clientssl)
1288 || !TEST_int_eq(new_called, 1))
1291 SSL_shutdown(clientssl);
1292 SSL_shutdown(serverssl);
1293 SSL_free(serverssl);
1294 SSL_free(clientssl);
1295 serverssl = clientssl = NULL;
1296 SSL_SESSION_free(sesscache[i]);
1297 sesscache[i] = NULL;
1303 SSL_free(serverssl);
1304 SSL_free(clientssl);
1305 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1306 SSL_SESSION_free(sesscache[j]);
1307 sesscache[j] = NULL;
1318 #define USE_DEFAULT 3
1320 #define CONNTYPE_CONNECTION_SUCCESS 0
1321 #define CONNTYPE_CONNECTION_FAIL 1
1322 #define CONNTYPE_NO_CONNECTION 2
1324 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1325 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1326 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1327 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1329 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1332 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1333 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1334 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1336 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1353 * Tests calls to SSL_set_bio() under various conditions.
1355 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1356 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1357 * then do more tests where we create a successful connection first using our
1358 * standard connection setup functions, and then call SSL_set_bio() with
1359 * various combinations of valid BIOs or NULL. We then repeat these tests
1360 * following a failed connection. In this last case we are looking to check that
1361 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1363 static int test_ssl_set_bio(int idx)
1365 SSL_CTX *sctx = NULL, *cctx = NULL;
1368 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1369 SSL *serverssl = NULL, *clientssl = NULL;
1370 int initrbio, initwbio, newrbio, newwbio, conntype;
1373 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1381 conntype = CONNTYPE_NO_CONNECTION;
1383 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1384 initrbio = initwbio = USE_DEFAULT;
1392 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1393 TLS1_VERSION, TLS_MAX_VERSION,
1394 &sctx, &cctx, cert, privkey)))
1397 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1399 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1400 * because we reduced the number of tests in the definition of
1401 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1402 * mismatched protocol versions we will force a connection failure.
1404 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1405 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1408 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1412 if (initrbio == USE_BIO_1
1413 || initwbio == USE_BIO_1
1414 || newrbio == USE_BIO_1
1415 || newwbio == USE_BIO_1) {
1416 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1420 if (initrbio == USE_BIO_2
1421 || initwbio == USE_BIO_2
1422 || newrbio == USE_BIO_2
1423 || newwbio == USE_BIO_2) {
1424 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1428 if (initrbio != USE_DEFAULT) {
1429 setupbio(&irbio, bio1, bio2, initrbio);
1430 setupbio(&iwbio, bio1, bio2, initwbio);
1431 SSL_set_bio(clientssl, irbio, iwbio);
1434 * We want to maintain our own refs to these BIO, so do an up ref for
1435 * each BIO that will have ownership transferred in the SSL_set_bio()
1440 if (iwbio != NULL && iwbio != irbio)
1444 if (conntype != CONNTYPE_NO_CONNECTION
1445 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1447 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1450 setupbio(&nrbio, bio1, bio2, newrbio);
1451 setupbio(&nwbio, bio1, bio2, newwbio);
1454 * We will (maybe) transfer ownership again so do more up refs.
1455 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1460 && (nwbio != iwbio || nrbio != nwbio))
1464 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1467 SSL_set_bio(clientssl, nrbio, nwbio);
1476 * This test is checking that the ref counting for SSL_set_bio is correct.
1477 * If we get here and we did too many frees then we will fail in the above
1478 * functions. If we haven't done enough then this will only be detected in
1479 * a crypto-mdebug build
1481 SSL_free(serverssl);
1482 SSL_free(clientssl);
1488 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1490 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1492 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1497 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1498 || !TEST_ptr(ssl = SSL_new(ctx))
1499 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1500 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1503 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1506 * If anything goes wrong here then we could leak memory, so this will
1507 * be caught in a crypto-mdebug build
1509 BIO_push(sslbio, membio1);
1511 /* Verify changing the rbio/wbio directly does not cause leaks */
1512 if (change_bio != NO_BIO_CHANGE) {
1513 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1515 if (change_bio == CHANGE_RBIO)
1516 SSL_set0_rbio(ssl, membio2);
1518 SSL_set0_wbio(ssl, membio2);
1537 static int test_ssl_bio_pop_next_bio(void)
1539 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1542 static int test_ssl_bio_pop_ssl_bio(void)
1544 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1547 static int test_ssl_bio_change_rbio(void)
1549 return execute_test_ssl_bio(0, CHANGE_RBIO);
1552 static int test_ssl_bio_change_wbio(void)
1554 return execute_test_ssl_bio(0, CHANGE_WBIO);
1557 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1559 /* The list of sig algs */
1561 /* The length of the list */
1563 /* A sigalgs list in string format */
1564 const char *liststr;
1565 /* Whether setting the list should succeed */
1567 /* Whether creating a connection with the list should succeed */
1571 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1572 # ifndef OPENSSL_NO_EC
1573 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1574 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1576 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1577 static const int invalidlist2[] = {NID_sha256, NID_undef};
1578 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1579 static const int invalidlist4[] = {NID_sha256};
1580 static const sigalgs_list testsigalgs[] = {
1581 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1582 # ifndef OPENSSL_NO_EC
1583 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1584 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1586 {NULL, 0, "RSA+SHA256", 1, 1},
1587 # ifndef OPENSSL_NO_EC
1588 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1589 {NULL, 0, "ECDSA+SHA512", 1, 0},
1591 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1592 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1593 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1594 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1595 {NULL, 0, "RSA", 0, 0},
1596 {NULL, 0, "SHA256", 0, 0},
1597 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1598 {NULL, 0, "Invalid", 0, 0}
1601 static int test_set_sigalgs(int idx)
1603 SSL_CTX *cctx = NULL, *sctx = NULL;
1604 SSL *clientssl = NULL, *serverssl = NULL;
1606 const sigalgs_list *curr;
1609 /* Should never happen */
1610 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1613 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1614 curr = testctx ? &testsigalgs[idx]
1615 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1617 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1618 TLS1_VERSION, TLS_MAX_VERSION,
1619 &sctx, &cctx, cert, privkey)))
1623 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1624 * for TLSv1.2 for now until we add a new API.
1626 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1631 if (curr->list != NULL)
1632 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1634 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1638 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1644 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1649 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1650 &clientssl, NULL, NULL)))
1656 if (curr->list != NULL)
1657 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1659 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1662 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1671 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1679 SSL_free(serverssl);
1680 SSL_free(clientssl);
1688 #ifndef OPENSSL_NO_TLS1_3
1690 static SSL_SESSION *clientpsk = NULL;
1691 static SSL_SESSION *serverpsk = NULL;
1692 static const char *pskid = "Identity";
1693 static const char *srvid;
1695 static int use_session_cb_cnt = 0;
1696 static int find_session_cb_cnt = 0;
1697 static int psk_client_cb_cnt = 0;
1698 static int psk_server_cb_cnt = 0;
1700 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1701 size_t *idlen, SSL_SESSION **sess)
1703 switch (++use_session_cb_cnt) {
1705 /* The first call should always have a NULL md */
1711 /* The second call should always have an md */
1717 /* We should only be called a maximum of twice */
1721 if (clientpsk != NULL)
1722 SSL_SESSION_up_ref(clientpsk);
1725 *id = (const unsigned char *)pskid;
1726 *idlen = strlen(pskid);
1731 #ifndef OPENSSL_NO_PSK
1732 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1733 unsigned int max_id_len,
1735 unsigned int max_psk_len)
1737 unsigned int psklen = 0;
1739 psk_client_cb_cnt++;
1741 if (strlen(pskid) + 1 > max_id_len)
1744 /* We should only ever be called a maximum of twice per connection */
1745 if (psk_client_cb_cnt > 2)
1748 if (clientpsk == NULL)
1751 /* We'll reuse the PSK we set up for TLSv1.3 */
1752 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1754 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1755 strncpy(id, pskid, max_id_len);
1759 #endif /* OPENSSL_NO_PSK */
1761 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1762 size_t identity_len, SSL_SESSION **sess)
1764 find_session_cb_cnt++;
1766 /* We should only ever be called a maximum of twice per connection */
1767 if (find_session_cb_cnt > 2)
1770 if (serverpsk == NULL)
1773 /* Identity should match that set by the client */
1774 if (strlen(srvid) != identity_len
1775 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1776 /* No PSK found, continue but without a PSK */
1781 SSL_SESSION_up_ref(serverpsk);
1787 #ifndef OPENSSL_NO_PSK
1788 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1789 unsigned char *psk, unsigned int max_psk_len)
1791 unsigned int psklen = 0;
1793 psk_server_cb_cnt++;
1795 /* We should only ever be called a maximum of twice per connection */
1796 if (find_session_cb_cnt > 2)
1799 if (serverpsk == NULL)
1802 /* Identity should match that set by the client */
1803 if (strcmp(srvid, identity) != 0) {
1807 /* We'll reuse the PSK we set up for TLSv1.3 */
1808 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1810 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1814 #endif /* OPENSSL_NO_PSK */
1816 #define MSG1 "Hello"
1817 #define MSG2 "World."
1822 #define MSG7 "message."
1824 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1825 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1828 * Helper method to setup objects for early data test. Caller frees objects on
1831 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1832 SSL **serverssl, SSL_SESSION **sess, int idx)
1834 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1835 TLS1_VERSION, TLS_MAX_VERSION,
1836 sctx, cctx, cert, privkey))
1837 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1838 SSL3_RT_MAX_PLAIN_LENGTH)))
1842 /* When idx == 1 we repeat the tests with read_ahead set */
1843 SSL_CTX_set_read_ahead(*cctx, 1);
1844 SSL_CTX_set_read_ahead(*sctx, 1);
1845 } else if (idx == 2) {
1846 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1847 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1848 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1849 use_session_cb_cnt = 0;
1850 find_session_cb_cnt = 0;
1854 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1859 * For one of the run throughs (doesn't matter which one), we'll try sending
1860 * some SNI data in the initial ClientHello. This will be ignored (because
1861 * there is no SNI cb set up by the server), so it should not impact
1865 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1869 /* Create the PSK */
1870 const SSL_CIPHER *cipher = NULL;
1871 const unsigned char key[] = {
1872 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1873 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1874 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1875 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1876 0x2c, 0x2d, 0x2e, 0x2f
1879 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1880 clientpsk = SSL_SESSION_new();
1881 if (!TEST_ptr(clientpsk)
1882 || !TEST_ptr(cipher)
1883 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1885 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1887 SSL_SESSION_set_protocol_version(clientpsk,
1890 * We just choose an arbitrary value for max_early_data which
1891 * should be big enough for testing purposes.
1893 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1895 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1896 SSL_SESSION_free(clientpsk);
1900 serverpsk = clientpsk;
1903 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1904 SSL_SESSION_free(clientpsk);
1905 SSL_SESSION_free(serverpsk);
1906 clientpsk = serverpsk = NULL;
1917 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1921 *sess = SSL_get1_session(*clientssl);
1922 SSL_shutdown(*clientssl);
1923 SSL_shutdown(*serverssl);
1924 SSL_free(*serverssl);
1925 SSL_free(*clientssl);
1926 *serverssl = *clientssl = NULL;
1928 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1929 clientssl, NULL, NULL))
1930 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1936 static int test_early_data_read_write(int idx)
1938 SSL_CTX *cctx = NULL, *sctx = NULL;
1939 SSL *clientssl = NULL, *serverssl = NULL;
1941 SSL_SESSION *sess = NULL;
1942 unsigned char buf[20], data[1024];
1943 size_t readbytes, written, eoedlen, rawread, rawwritten;
1946 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1947 &serverssl, &sess, idx)))
1950 /* Write and read some early data */
1951 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1953 || !TEST_size_t_eq(written, strlen(MSG1))
1954 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1955 sizeof(buf), &readbytes),
1956 SSL_READ_EARLY_DATA_SUCCESS)
1957 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1958 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1959 SSL_EARLY_DATA_ACCEPTED))
1963 * Server should be able to write data, and client should be able to
1966 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1968 || !TEST_size_t_eq(written, strlen(MSG2))
1969 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1970 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1973 /* Even after reading normal data, client should be able write early data */
1974 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1976 || !TEST_size_t_eq(written, strlen(MSG3)))
1979 /* Server should still be able read early data after writing data */
1980 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1982 SSL_READ_EARLY_DATA_SUCCESS)
1983 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1986 /* Write more data from server and read it from client */
1987 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1989 || !TEST_size_t_eq(written, strlen(MSG4))
1990 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1991 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1995 * If client writes normal data it should mean writing early data is no
1998 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1999 || !TEST_size_t_eq(written, strlen(MSG5))
2000 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2001 SSL_EARLY_DATA_ACCEPTED))
2005 * At this point the client has written EndOfEarlyData, ClientFinished and
2006 * normal (fully protected) data. We are going to cause a delay between the
2007 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2008 * in the read BIO, and then just put back the EndOfEarlyData message.
2010 rbio = SSL_get_rbio(serverssl);
2011 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2012 || !TEST_size_t_lt(rawread, sizeof(data))
2013 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2016 /* Record length is in the 4th and 5th bytes of the record header */
2017 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2018 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2019 || !TEST_size_t_eq(rawwritten, eoedlen))
2022 /* Server should be told that there is no more early data */
2023 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2025 SSL_READ_EARLY_DATA_FINISH)
2026 || !TEST_size_t_eq(readbytes, 0))
2030 * Server has not finished init yet, so should still be able to write early
2033 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2035 || !TEST_size_t_eq(written, strlen(MSG6)))
2038 /* Push the ClientFinished and the normal data back into the server rbio */
2039 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2041 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2044 /* Server should be able to read normal data */
2045 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2046 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2049 /* Client and server should not be able to write/read early data now */
2050 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2054 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2056 SSL_READ_EARLY_DATA_ERROR))
2060 /* Client should be able to read the data sent by the server */
2061 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2062 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2066 * Make sure we process the two NewSessionTickets. These arrive
2067 * post-handshake. We attempt reads which we do not expect to return any
2070 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2071 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2075 /* Server should be able to write normal data */
2076 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2077 || !TEST_size_t_eq(written, strlen(MSG7))
2078 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2079 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2082 SSL_SESSION_free(sess);
2083 sess = SSL_get1_session(clientssl);
2084 use_session_cb_cnt = 0;
2085 find_session_cb_cnt = 0;
2087 SSL_shutdown(clientssl);
2088 SSL_shutdown(serverssl);
2089 SSL_free(serverssl);
2090 SSL_free(clientssl);
2091 serverssl = clientssl = NULL;
2092 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2093 &clientssl, NULL, NULL))
2094 || !TEST_true(SSL_set_session(clientssl, sess)))
2097 /* Write and read some early data */
2098 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2100 || !TEST_size_t_eq(written, strlen(MSG1))
2101 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2103 SSL_READ_EARLY_DATA_SUCCESS)
2104 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2107 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2108 || !TEST_int_gt(SSL_accept(serverssl), 0))
2111 /* Client and server should not be able to write/read early data now */
2112 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2116 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2118 SSL_READ_EARLY_DATA_ERROR))
2122 /* Client and server should be able to write/read normal data */
2123 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2124 || !TEST_size_t_eq(written, strlen(MSG5))
2125 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2126 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2132 SSL_SESSION_free(sess);
2133 SSL_SESSION_free(clientpsk);
2134 SSL_SESSION_free(serverpsk);
2135 clientpsk = serverpsk = NULL;
2136 SSL_free(serverssl);
2137 SSL_free(clientssl);
2143 static int test_early_data_replay(int idx)
2145 SSL_CTX *cctx = NULL, *sctx = NULL;
2146 SSL *clientssl = NULL, *serverssl = NULL;
2148 SSL_SESSION *sess = NULL;
2150 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2151 &serverssl, &sess, idx)))
2155 * The server is configured to accept early data. Create a connection to
2156 * "use up" the ticket
2158 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2159 || !TEST_true(SSL_session_reused(clientssl)))
2162 SSL_shutdown(clientssl);
2163 SSL_shutdown(serverssl);
2164 SSL_free(serverssl);
2165 SSL_free(clientssl);
2166 serverssl = clientssl = NULL;
2168 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2169 &clientssl, NULL, NULL))
2170 || !TEST_true(SSL_set_session(clientssl, sess))
2171 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2174 * This time we should not have resumed the session because we
2175 * already used it once.
2177 || !TEST_false(SSL_session_reused(clientssl)))
2183 SSL_SESSION_free(sess);
2184 SSL_SESSION_free(clientpsk);
2185 SSL_SESSION_free(serverpsk);
2186 clientpsk = serverpsk = NULL;
2187 SSL_free(serverssl);
2188 SSL_free(clientssl);
2195 * Helper function to test that a server attempting to read early data can
2196 * handle a connection from a client where the early data should be skipped.
2198 static int early_data_skip_helper(int hrr, int idx)
2200 SSL_CTX *cctx = NULL, *sctx = NULL;
2201 SSL *clientssl = NULL, *serverssl = NULL;
2203 SSL_SESSION *sess = NULL;
2204 unsigned char buf[20];
2205 size_t readbytes, written;
2207 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2208 &serverssl, &sess, idx)))
2212 /* Force an HRR to occur */
2213 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2215 } else if (idx == 2) {
2217 * We force early_data rejection by ensuring the PSK identity is
2220 srvid = "Dummy Identity";
2223 * Deliberately corrupt the creation time. We take 20 seconds off the
2224 * time. It could be any value as long as it is not within tolerance.
2225 * This should mean the ticket is rejected.
2227 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2231 /* Write some early data */
2232 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2234 || !TEST_size_t_eq(written, strlen(MSG1)))
2237 /* Server should reject the early data and skip over it */
2238 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2240 SSL_READ_EARLY_DATA_FINISH)
2241 || !TEST_size_t_eq(readbytes, 0)
2242 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2243 SSL_EARLY_DATA_REJECTED))
2248 * Finish off the handshake. We perform the same writes and reads as
2249 * further down but we expect them to fail due to the incomplete
2252 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2253 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2258 /* Should be able to send normal data despite rejection of early data */
2259 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2260 || !TEST_size_t_eq(written, strlen(MSG2))
2261 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2262 SSL_EARLY_DATA_REJECTED)
2263 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2264 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2270 SSL_SESSION_free(clientpsk);
2271 SSL_SESSION_free(serverpsk);
2272 clientpsk = serverpsk = NULL;
2273 SSL_SESSION_free(sess);
2274 SSL_free(serverssl);
2275 SSL_free(clientssl);
2282 * Test that a server attempting to read early data can handle a connection
2283 * from a client where the early data is not acceptable.
2285 static int test_early_data_skip(int idx)
2287 return early_data_skip_helper(0, idx);
2291 * Test that a server attempting to read early data can handle a connection
2292 * from a client where an HRR occurs.
2294 static int test_early_data_skip_hrr(int idx)
2296 return early_data_skip_helper(1, idx);
2300 * Test that a server attempting to read early data can handle a connection
2301 * from a client that doesn't send any.
2303 static int test_early_data_not_sent(int idx)
2305 SSL_CTX *cctx = NULL, *sctx = NULL;
2306 SSL *clientssl = NULL, *serverssl = NULL;
2308 SSL_SESSION *sess = NULL;
2309 unsigned char buf[20];
2310 size_t readbytes, written;
2312 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2313 &serverssl, &sess, idx)))
2316 /* Write some data - should block due to handshake with server */
2317 SSL_set_connect_state(clientssl);
2318 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2321 /* Server should detect that early data has not been sent */
2322 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2324 SSL_READ_EARLY_DATA_FINISH)
2325 || !TEST_size_t_eq(readbytes, 0)
2326 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2327 SSL_EARLY_DATA_NOT_SENT)
2328 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2329 SSL_EARLY_DATA_NOT_SENT))
2332 /* Continue writing the message we started earlier */
2333 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2334 || !TEST_size_t_eq(written, strlen(MSG1))
2335 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2336 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2337 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2338 || !TEST_size_t_eq(written, strlen(MSG2)))
2342 * Should block due to the NewSessionTicket arrival unless we're using
2343 * read_ahead, or PSKs
2345 if (idx != 1 && idx != 2) {
2346 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2350 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2351 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2357 SSL_SESSION_free(sess);
2358 SSL_SESSION_free(clientpsk);
2359 SSL_SESSION_free(serverpsk);
2360 clientpsk = serverpsk = NULL;
2361 SSL_free(serverssl);
2362 SSL_free(clientssl);
2368 static int hostname_cb(SSL *s, int *al, void *arg)
2370 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2372 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2373 return SSL_TLSEXT_ERR_OK;
2375 return SSL_TLSEXT_ERR_NOACK;
2378 static const char *servalpn;
2380 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2381 unsigned char *outlen, const unsigned char *in,
2382 unsigned int inlen, void *arg)
2384 unsigned int protlen = 0;
2385 const unsigned char *prot;
2387 for (prot = in; prot < in + inlen; prot += protlen) {
2389 if (in + inlen < prot + protlen)
2390 return SSL_TLSEXT_ERR_NOACK;
2392 if (protlen == strlen(servalpn)
2393 && memcmp(prot, servalpn, protlen) == 0) {
2396 return SSL_TLSEXT_ERR_OK;
2400 return SSL_TLSEXT_ERR_NOACK;
2403 /* Test that a PSK can be used to send early_data */
2404 static int test_early_data_psk(int idx)
2406 SSL_CTX *cctx = NULL, *sctx = NULL;
2407 SSL *clientssl = NULL, *serverssl = NULL;
2409 SSL_SESSION *sess = NULL;
2410 unsigned char alpnlist[] = {
2411 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2414 #define GOODALPNLEN 9
2415 #define BADALPNLEN 8
2416 #define GOODALPN (alpnlist)
2417 #define BADALPN (alpnlist + GOODALPNLEN)
2419 unsigned char buf[20];
2420 size_t readbytes, written;
2421 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2422 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2424 /* We always set this up with a final parameter of "2" for PSK */
2425 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2426 &serverssl, &sess, 2)))
2429 servalpn = "goodalpn";
2432 * Note: There is no test for inconsistent SNI with late client detection.
2433 * This is because servers do not acknowledge SNI even if they are using
2434 * it in a resumption handshake - so it is not actually possible for a
2435 * client to detect a problem.
2439 /* Set inconsistent SNI (early client detection) */
2440 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2441 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2442 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2447 /* Set inconsistent ALPN (early client detection) */
2448 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2449 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2450 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2452 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2459 * Set invalid protocol version. Technically this affects PSKs without
2460 * early_data too, but we test it here because it is similar to the
2461 * SNI/ALPN consistency tests.
2463 err = SSL_R_BAD_PSK;
2464 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2470 * Set inconsistent SNI (server detected). In this case the connection
2471 * will succeed but reject early_data.
2473 SSL_SESSION_free(serverpsk);
2474 serverpsk = SSL_SESSION_dup(clientpsk);
2475 if (!TEST_ptr(serverpsk)
2476 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2478 edstatus = SSL_EARLY_DATA_REJECTED;
2479 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2482 /* Set consistent SNI */
2483 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2484 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2485 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2492 * Set inconsistent ALPN (server detected). In this case the connection
2493 * will succeed but reject early_data.
2495 servalpn = "badalpn";
2496 edstatus = SSL_EARLY_DATA_REJECTED;
2497 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2501 * Set consistent ALPN.
2502 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2503 * accepts a list of protos (each one length prefixed).
2504 * SSL_set1_alpn_selected accepts a single protocol (not length
2507 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2509 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2513 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2517 /* Set inconsistent ALPN (late client detection) */
2518 SSL_SESSION_free(serverpsk);
2519 serverpsk = SSL_SESSION_dup(clientpsk);
2520 if (!TEST_ptr(serverpsk)
2521 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2524 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2527 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2530 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2531 edstatus = SSL_EARLY_DATA_ACCEPTED;
2532 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2533 /* SSL_connect() call should fail */
2538 TEST_error("Bad test index");
2542 SSL_set_connect_state(clientssl);
2544 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2546 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2547 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2550 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2554 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2555 &readbytes), readearlyres)
2556 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2557 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2558 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2559 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2566 SSL_SESSION_free(sess);
2567 SSL_SESSION_free(clientpsk);
2568 SSL_SESSION_free(serverpsk);
2569 clientpsk = serverpsk = NULL;
2570 SSL_free(serverssl);
2571 SSL_free(clientssl);
2578 * Test that a server that doesn't try to read early data can handle a
2579 * client sending some.
2581 static int test_early_data_not_expected(int idx)
2583 SSL_CTX *cctx = NULL, *sctx = NULL;
2584 SSL *clientssl = NULL, *serverssl = NULL;
2586 SSL_SESSION *sess = NULL;
2587 unsigned char buf[20];
2588 size_t readbytes, written;
2590 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2591 &serverssl, &sess, idx)))
2594 /* Write some early data */
2595 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2600 * Server should skip over early data and then block waiting for client to
2601 * continue handshake
2603 if (!TEST_int_le(SSL_accept(serverssl), 0)
2604 || !TEST_int_gt(SSL_connect(clientssl), 0)
2605 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2606 SSL_EARLY_DATA_REJECTED)
2607 || !TEST_int_gt(SSL_accept(serverssl), 0)
2608 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2609 SSL_EARLY_DATA_REJECTED))
2612 /* Send some normal data from client to server */
2613 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2614 || !TEST_size_t_eq(written, strlen(MSG2)))
2617 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2618 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2624 SSL_SESSION_free(sess);
2625 SSL_SESSION_free(clientpsk);
2626 SSL_SESSION_free(serverpsk);
2627 clientpsk = serverpsk = NULL;
2628 SSL_free(serverssl);
2629 SSL_free(clientssl);
2636 # ifndef OPENSSL_NO_TLS1_2
2638 * Test that a server attempting to read early data can handle a connection
2639 * from a TLSv1.2 client.
2641 static int test_early_data_tls1_2(int idx)
2643 SSL_CTX *cctx = NULL, *sctx = NULL;
2644 SSL *clientssl = NULL, *serverssl = NULL;
2646 unsigned char buf[20];
2647 size_t readbytes, written;
2649 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2650 &serverssl, NULL, idx)))
2653 /* Write some data - should block due to handshake with server */
2654 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2655 SSL_set_connect_state(clientssl);
2656 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2660 * Server should do TLSv1.2 handshake. First it will block waiting for more
2661 * messages from client after ServerDone. Then SSL_read_early_data should
2662 * finish and detect that early data has not been sent
2664 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2666 SSL_READ_EARLY_DATA_ERROR))
2670 * Continue writing the message we started earlier. Will still block waiting
2671 * for the CCS/Finished from server
2673 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2674 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2676 SSL_READ_EARLY_DATA_FINISH)
2677 || !TEST_size_t_eq(readbytes, 0)
2678 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2679 SSL_EARLY_DATA_NOT_SENT))
2682 /* Continue writing the message we started earlier */
2683 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2684 || !TEST_size_t_eq(written, strlen(MSG1))
2685 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2686 SSL_EARLY_DATA_NOT_SENT)
2687 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2688 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2689 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2690 || !TEST_size_t_eq(written, strlen(MSG2))
2691 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2692 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2698 SSL_SESSION_free(clientpsk);
2699 SSL_SESSION_free(serverpsk);
2700 clientpsk = serverpsk = NULL;
2701 SSL_free(serverssl);
2702 SSL_free(clientssl);
2708 # endif /* OPENSSL_NO_TLS1_2 */
2711 * Test configuring the TLSv1.3 ciphersuites
2713 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2714 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2715 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2716 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2717 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2718 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2719 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2720 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2721 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2722 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2724 static int test_set_ciphersuite(int idx)
2726 SSL_CTX *cctx = NULL, *sctx = NULL;
2727 SSL *clientssl = NULL, *serverssl = NULL;
2730 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2731 TLS1_VERSION, TLS_MAX_VERSION,
2732 &sctx, &cctx, cert, privkey))
2733 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2734 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2737 if (idx >=4 && idx <= 7) {
2738 /* SSL_CTX explicit cipher list */
2739 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2743 if (idx == 0 || idx == 4) {
2744 /* Default ciphersuite */
2745 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2746 "TLS_AES_128_GCM_SHA256")))
2748 } else if (idx == 1 || idx == 5) {
2749 /* Non default ciphersuite */
2750 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2751 "TLS_AES_128_CCM_SHA256")))
2755 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2756 &clientssl, NULL, NULL)))
2759 if (idx == 8 || idx == 9) {
2760 /* SSL explicit cipher list */
2761 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2765 if (idx == 2 || idx == 6 || idx == 8) {
2766 /* Default ciphersuite */
2767 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2768 "TLS_AES_128_GCM_SHA256")))
2770 } else if (idx == 3 || idx == 7 || idx == 9) {
2771 /* Non default ciphersuite */
2772 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2773 "TLS_AES_128_CCM_SHA256")))
2777 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2783 SSL_free(serverssl);
2784 SSL_free(clientssl);
2791 static int test_ciphersuite_change(void)
2793 SSL_CTX *cctx = NULL, *sctx = NULL;
2794 SSL *clientssl = NULL, *serverssl = NULL;
2795 SSL_SESSION *clntsess = NULL;
2797 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2799 /* Create a session based on SHA-256 */
2800 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2801 TLS1_VERSION, TLS_MAX_VERSION,
2802 &sctx, &cctx, cert, privkey))
2803 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2804 "TLS_AES_128_GCM_SHA256"))
2805 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2806 &clientssl, NULL, NULL))
2807 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2811 clntsess = SSL_get1_session(clientssl);
2812 /* Save for later */
2813 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2814 SSL_shutdown(clientssl);
2815 SSL_shutdown(serverssl);
2816 SSL_free(serverssl);
2817 SSL_free(clientssl);
2818 serverssl = clientssl = NULL;
2820 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2821 /* Check we can resume a session with a different SHA-256 ciphersuite */
2822 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2823 "TLS_CHACHA20_POLY1305_SHA256"))
2824 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2826 || !TEST_true(SSL_set_session(clientssl, clntsess))
2827 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2829 || !TEST_true(SSL_session_reused(clientssl)))
2832 SSL_SESSION_free(clntsess);
2833 clntsess = SSL_get1_session(clientssl);
2834 SSL_shutdown(clientssl);
2835 SSL_shutdown(serverssl);
2836 SSL_free(serverssl);
2837 SSL_free(clientssl);
2838 serverssl = clientssl = NULL;
2842 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2843 * succeeds but does not resume.
2845 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2846 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2848 || !TEST_true(SSL_set_session(clientssl, clntsess))
2849 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2851 || !TEST_false(SSL_session_reused(clientssl)))
2854 SSL_SESSION_free(clntsess);
2856 SSL_shutdown(clientssl);
2857 SSL_shutdown(serverssl);
2858 SSL_free(serverssl);
2859 SSL_free(clientssl);
2860 serverssl = clientssl = NULL;
2862 /* Create a session based on SHA384 */
2863 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2864 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2865 &clientssl, NULL, NULL))
2866 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2870 clntsess = SSL_get1_session(clientssl);
2871 SSL_shutdown(clientssl);
2872 SSL_shutdown(serverssl);
2873 SSL_free(serverssl);
2874 SSL_free(clientssl);
2875 serverssl = clientssl = NULL;
2877 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2878 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2879 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2880 "TLS_AES_256_GCM_SHA384"))
2881 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2883 || !TEST_true(SSL_set_session(clientssl, clntsess))
2885 * We use SSL_ERROR_WANT_READ below so that we can pause the
2886 * connection after the initial ClientHello has been sent to
2887 * enable us to make some session changes.
2889 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2890 SSL_ERROR_WANT_READ)))
2893 /* Trick the client into thinking this session is for a different digest */
2894 clntsess->cipher = aes_128_gcm_sha256;
2895 clntsess->cipher_id = clntsess->cipher->id;
2898 * Continue the previously started connection. Server has selected a SHA-384
2899 * ciphersuite, but client thinks the session is for SHA-256, so it should
2902 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2904 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2905 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2911 SSL_SESSION_free(clntsess);
2912 SSL_free(serverssl);
2913 SSL_free(clientssl);
2922 * Test 0 = Test new style callbacks
2923 * Test 1 = Test both new and old style callbacks
2924 * Test 2 = Test old style callbacks
2925 * Test 3 = Test old style callbacks with no certificate
2927 static int test_tls13_psk(int idx)
2929 SSL_CTX *sctx = NULL, *cctx = NULL;
2930 SSL *serverssl = NULL, *clientssl = NULL;
2931 const SSL_CIPHER *cipher = NULL;
2932 const unsigned char key[] = {
2933 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2934 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2935 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2936 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2940 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2941 TLS1_VERSION, TLS_MAX_VERSION,
2942 &sctx, &cctx, idx == 3 ? NULL : cert,
2943 idx == 3 ? NULL : privkey)))
2948 * We use a ciphersuite with SHA256 to ease testing old style PSK
2949 * callbacks which will always default to SHA256. This should not be
2950 * necessary if we have no cert/priv key. In that case the server should
2951 * prefer SHA256 automatically.
2953 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2954 "TLS_AES_128_GCM_SHA256")))
2959 * Test 0: New style callbacks only
2960 * Test 1: New and old style callbacks (only the new ones should be used)
2961 * Test 2: Old style callbacks only
2963 if (idx == 0 || idx == 1) {
2964 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2965 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2967 #ifndef OPENSSL_NO_PSK
2969 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2970 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2974 use_session_cb_cnt = 0;
2975 find_session_cb_cnt = 0;
2976 psk_client_cb_cnt = 0;
2977 psk_server_cb_cnt = 0;
2981 * Check we can create a connection if callback decides not to send a
2984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2986 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2988 || !TEST_false(SSL_session_reused(clientssl))
2989 || !TEST_false(SSL_session_reused(serverssl)))
2992 if (idx == 0 || idx == 1) {
2993 if (!TEST_true(use_session_cb_cnt == 1)
2994 || !TEST_true(find_session_cb_cnt == 0)
2996 * If no old style callback then below should be 0
2999 || !TEST_true(psk_client_cb_cnt == idx)
3000 || !TEST_true(psk_server_cb_cnt == 0))
3003 if (!TEST_true(use_session_cb_cnt == 0)
3004 || !TEST_true(find_session_cb_cnt == 0)
3005 || !TEST_true(psk_client_cb_cnt == 1)
3006 || !TEST_true(psk_server_cb_cnt == 0))
3010 shutdown_ssl_connection(serverssl, clientssl);
3011 serverssl = clientssl = NULL;
3012 use_session_cb_cnt = psk_client_cb_cnt = 0;
3015 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3019 /* Create the PSK */
3020 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3021 clientpsk = SSL_SESSION_new();
3022 if (!TEST_ptr(clientpsk)
3023 || !TEST_ptr(cipher)
3024 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3026 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3027 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3029 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3031 serverpsk = clientpsk;
3033 /* Check we can create a connection and the PSK is used */
3034 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3035 || !TEST_true(SSL_session_reused(clientssl))
3036 || !TEST_true(SSL_session_reused(serverssl)))
3039 if (idx == 0 || idx == 1) {
3040 if (!TEST_true(use_session_cb_cnt == 1)
3041 || !TEST_true(find_session_cb_cnt == 1)
3042 || !TEST_true(psk_client_cb_cnt == 0)
3043 || !TEST_true(psk_server_cb_cnt == 0))
3046 if (!TEST_true(use_session_cb_cnt == 0)
3047 || !TEST_true(find_session_cb_cnt == 0)
3048 || !TEST_true(psk_client_cb_cnt == 1)
3049 || !TEST_true(psk_server_cb_cnt == 1))
3053 shutdown_ssl_connection(serverssl, clientssl);
3054 serverssl = clientssl = NULL;
3055 use_session_cb_cnt = find_session_cb_cnt = 0;
3056 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3058 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3063 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3067 * Check we can create a connection, the PSK is used and the callbacks are
3070 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3071 || !TEST_true(SSL_session_reused(clientssl))
3072 || !TEST_true(SSL_session_reused(serverssl)))
3075 if (idx == 0 || idx == 1) {
3076 if (!TEST_true(use_session_cb_cnt == 2)
3077 || !TEST_true(find_session_cb_cnt == 2)
3078 || !TEST_true(psk_client_cb_cnt == 0)
3079 || !TEST_true(psk_server_cb_cnt == 0))
3082 if (!TEST_true(use_session_cb_cnt == 0)
3083 || !TEST_true(find_session_cb_cnt == 0)
3084 || !TEST_true(psk_client_cb_cnt == 2)
3085 || !TEST_true(psk_server_cb_cnt == 2))
3089 shutdown_ssl_connection(serverssl, clientssl);
3090 serverssl = clientssl = NULL;
3091 use_session_cb_cnt = find_session_cb_cnt = 0;
3092 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3096 * Check that if the server rejects the PSK we can still connect, but with
3099 srvid = "Dummy Identity";
3100 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3102 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3104 || !TEST_false(SSL_session_reused(clientssl))
3105 || !TEST_false(SSL_session_reused(serverssl)))
3108 if (idx == 0 || idx == 1) {
3109 if (!TEST_true(use_session_cb_cnt == 1)
3110 || !TEST_true(find_session_cb_cnt == 1)
3111 || !TEST_true(psk_client_cb_cnt == 0)
3113 * If no old style callback then below should be 0
3116 || !TEST_true(psk_server_cb_cnt == idx))
3119 if (!TEST_true(use_session_cb_cnt == 0)
3120 || !TEST_true(find_session_cb_cnt == 0)
3121 || !TEST_true(psk_client_cb_cnt == 1)
3122 || !TEST_true(psk_server_cb_cnt == 1))
3126 shutdown_ssl_connection(serverssl, clientssl);
3127 serverssl = clientssl = NULL;
3132 SSL_SESSION_free(clientpsk);
3133 SSL_SESSION_free(serverpsk);
3134 clientpsk = serverpsk = NULL;
3135 SSL_free(serverssl);
3136 SSL_free(clientssl);
3142 static unsigned char cookie_magic_value[] = "cookie magic";
3144 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3145 unsigned int *cookie_len)
3148 * Not suitable as a real cookie generation function but good enough for
3151 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3152 *cookie_len = sizeof(cookie_magic_value) - 1;
3157 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3158 unsigned int cookie_len)
3160 if (cookie_len == sizeof(cookie_magic_value) - 1
3161 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3167 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3171 int res = generate_cookie_callback(ssl, cookie, &temp);
3176 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3179 return verify_cookie_callback(ssl, cookie, cookie_len);
3182 static int test_stateless(void)
3184 SSL_CTX *sctx = NULL, *cctx = NULL;
3185 SSL *serverssl = NULL, *clientssl = NULL;
3188 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3189 TLS1_VERSION, TLS_MAX_VERSION,
3190 &sctx, &cctx, cert, privkey)))
3193 /* The arrival of CCS messages can confuse the test */
3194 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3196 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3198 /* Send the first ClientHello */
3199 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3200 SSL_ERROR_WANT_READ))
3202 * This should fail with a -1 return because we have no callbacks
3205 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3208 /* Fatal error so abandon the connection from this client */
3209 SSL_free(clientssl);
3212 /* Set up the cookie generation and verification callbacks */
3213 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3214 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3217 * Create a new connection from the client (we can reuse the server SSL
3220 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3222 /* Send the first ClientHello */
3223 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3224 SSL_ERROR_WANT_READ))
3225 /* This should fail because there is no cookie */
3226 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3229 /* Abandon the connection from this client */
3230 SSL_free(clientssl);
3234 * Now create a connection from a new client but with the same server SSL
3237 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3239 /* Send the first ClientHello */
3240 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3241 SSL_ERROR_WANT_READ))
3242 /* This should fail because there is no cookie */
3243 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3244 /* Send the second ClientHello */
3245 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3246 SSL_ERROR_WANT_READ))
3247 /* This should succeed because a cookie is now present */
3248 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3249 /* Complete the connection */
3250 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3254 shutdown_ssl_connection(serverssl, clientssl);
3255 serverssl = clientssl = NULL;
3259 SSL_free(serverssl);
3260 SSL_free(clientssl);
3266 #endif /* OPENSSL_NO_TLS1_3 */
3268 static int clntaddoldcb = 0;
3269 static int clntparseoldcb = 0;
3270 static int srvaddoldcb = 0;
3271 static int srvparseoldcb = 0;
3272 static int clntaddnewcb = 0;
3273 static int clntparsenewcb = 0;
3274 static int srvaddnewcb = 0;
3275 static int srvparsenewcb = 0;
3276 static int snicb = 0;
3278 #define TEST_EXT_TYPE1 0xff00
3280 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3281 size_t *outlen, int *al, void *add_arg)
3283 int *server = (int *)add_arg;
3284 unsigned char *data;
3286 if (SSL_is_server(s))
3291 if (*server != SSL_is_server(s)
3292 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3297 *outlen = sizeof(char);
3301 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3304 OPENSSL_free((unsigned char *)out);
3307 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3308 size_t inlen, int *al, void *parse_arg)
3310 int *server = (int *)parse_arg;
3312 if (SSL_is_server(s))
3317 if (*server != SSL_is_server(s)
3318 || inlen != sizeof(char)
3325 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3326 const unsigned char **out, size_t *outlen, X509 *x,
3327 size_t chainidx, int *al, void *add_arg)
3329 int *server = (int *)add_arg;
3330 unsigned char *data;
3332 if (SSL_is_server(s))
3337 if (*server != SSL_is_server(s)
3338 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3343 *outlen = sizeof(*data);
3347 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3348 const unsigned char *out, void *add_arg)
3350 OPENSSL_free((unsigned char *)out);
3353 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3354 const unsigned char *in, size_t inlen, X509 *x,
3355 size_t chainidx, int *al, void *parse_arg)
3357 int *server = (int *)parse_arg;
3359 if (SSL_is_server(s))
3364 if (*server != SSL_is_server(s)
3365 || inlen != sizeof(char) || *in != 1)
3371 static int sni_cb(SSL *s, int *al, void *arg)
3373 SSL_CTX *ctx = (SSL_CTX *)arg;
3375 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3376 *al = SSL_AD_INTERNAL_ERROR;
3377 return SSL_TLSEXT_ERR_ALERT_FATAL;
3380 return SSL_TLSEXT_ERR_OK;
3384 * Custom call back tests.
3385 * Test 0: Old style callbacks in TLSv1.2
3386 * Test 1: New style callbacks in TLSv1.2
3387 * Test 2: New style callbacks in TLSv1.2 with SNI
3388 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3389 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3391 static int test_custom_exts(int tst)
3393 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3394 SSL *clientssl = NULL, *serverssl = NULL;
3396 static int server = 1;
3397 static int client = 0;
3398 SSL_SESSION *sess = NULL;
3399 unsigned int context;
3401 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3402 /* Skip tests for TLSv1.2 and below in this case */
3407 /* Reset callback counters */
3408 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3409 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3412 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3413 TLS1_VERSION, TLS_MAX_VERSION,
3414 &sctx, &cctx, cert, privkey)))
3418 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3419 TLS1_VERSION, TLS_MAX_VERSION,
3420 &sctx2, NULL, cert, privkey)))
3425 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3426 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3428 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3432 context = SSL_EXT_CLIENT_HELLO
3433 | SSL_EXT_TLS1_2_SERVER_HELLO
3434 | SSL_EXT_TLS1_3_SERVER_HELLO
3435 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3436 | SSL_EXT_TLS1_3_CERTIFICATE
3437 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3439 context = SSL_EXT_CLIENT_HELLO
3440 | SSL_EXT_TLS1_2_SERVER_HELLO
3441 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3444 /* Create a client side custom extension */
3446 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3447 old_add_cb, old_free_cb,
3448 &client, old_parse_cb,
3452 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3453 new_add_cb, new_free_cb,
3454 &client, new_parse_cb, &client)))
3458 /* Should not be able to add duplicates */
3459 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3460 old_add_cb, old_free_cb,
3461 &client, old_parse_cb,
3463 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3464 context, new_add_cb,
3465 new_free_cb, &client,
3466 new_parse_cb, &client)))
3469 /* Create a server side custom extension */
3471 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3472 old_add_cb, old_free_cb,
3473 &server, old_parse_cb,
3477 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3478 new_add_cb, new_free_cb,
3479 &server, new_parse_cb, &server)))
3482 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3483 context, new_add_cb,
3484 new_free_cb, &server,
3485 new_parse_cb, &server)))
3489 /* Should not be able to add duplicates */
3490 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3491 old_add_cb, old_free_cb,
3492 &server, old_parse_cb,
3494 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3495 context, new_add_cb,
3496 new_free_cb, &server,
3497 new_parse_cb, &server)))
3502 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3503 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3508 &clientssl, NULL, NULL))
3509 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3514 if (clntaddoldcb != 1
3515 || clntparseoldcb != 1
3517 || srvparseoldcb != 1)
3519 } else if (tst == 1 || tst == 2 || tst == 3) {
3520 if (clntaddnewcb != 1
3521 || clntparsenewcb != 1
3523 || srvparsenewcb != 1
3524 || (tst != 2 && snicb != 0)
3525 || (tst == 2 && snicb != 1))
3528 /* In this case there 2 NewSessionTicket messages created */
3529 if (clntaddnewcb != 1
3530 || clntparsenewcb != 5
3532 || srvparsenewcb != 1)
3536 sess = SSL_get1_session(clientssl);
3537 SSL_shutdown(clientssl);
3538 SSL_shutdown(serverssl);
3539 SSL_free(serverssl);
3540 SSL_free(clientssl);
3541 serverssl = clientssl = NULL;
3544 /* We don't bother with the resumption aspects for this test */
3549 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3551 || !TEST_true(SSL_set_session(clientssl, sess))
3552 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3557 * For a resumed session we expect to add the ClientHello extension. For the
3558 * old style callbacks we ignore it on the server side because they set
3559 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3563 if (clntaddoldcb != 2
3564 || clntparseoldcb != 1
3566 || srvparseoldcb != 1)
3568 } else if (tst == 1 || tst == 2 || tst == 3) {
3569 if (clntaddnewcb != 2
3570 || clntparsenewcb != 2
3572 || srvparsenewcb != 2)
3576 * No Certificate message extensions in the resumption handshake,
3577 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3579 if (clntaddnewcb != 2
3580 || clntparsenewcb != 8
3582 || srvparsenewcb != 2)
3589 SSL_SESSION_free(sess);
3590 SSL_free(serverssl);
3591 SSL_free(clientssl);
3592 SSL_CTX_free(sctx2);
3599 * Test loading of serverinfo data in various formats. test_sslmessages actually
3600 * tests to make sure the extensions appear in the handshake
3602 static int test_serverinfo(int tst)
3604 unsigned int version;
3605 unsigned char *sibuf;
3607 int ret, expected, testresult = 0;
3610 ctx = SSL_CTX_new(TLS_method());
3614 if ((tst & 0x01) == 0x01)
3615 version = SSL_SERVERINFOV2;
3617 version = SSL_SERVERINFOV1;
3619 if ((tst & 0x02) == 0x02) {
3620 sibuf = serverinfov2;
3621 sibuflen = sizeof(serverinfov2);
3622 expected = (version == SSL_SERVERINFOV2);
3624 sibuf = serverinfov1;
3625 sibuflen = sizeof(serverinfov1);
3626 expected = (version == SSL_SERVERINFOV1);
3629 if ((tst & 0x04) == 0x04) {
3630 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3632 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3635 * The version variable is irrelevant in this case - it's what is in the
3636 * buffer that matters
3638 if ((tst & 0x02) == 0x02)
3644 if (!TEST_true(ret == expected))
3656 * Test that SSL_export_keying_material() produces expected results. There are
3657 * no test vectors so all we do is test that both sides of the communication
3658 * produce the same results for different protocol versions.
3660 static int test_export_key_mat(int tst)
3663 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3664 SSL *clientssl = NULL, *serverssl = NULL;
3665 const char label[] = "test label";
3666 const unsigned char context[] = "context";
3667 const unsigned char *emptycontext = NULL;
3668 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3669 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3670 const int protocols[] = {
3677 #ifdef OPENSSL_NO_TLS1
3681 #ifdef OPENSSL_NO_TLS1_1
3685 #ifdef OPENSSL_NO_TLS1_2
3689 #ifdef OPENSSL_NO_TLS1_3
3693 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3694 TLS1_VERSION, TLS_MAX_VERSION,
3695 &sctx, &cctx, cert, privkey)))
3698 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3699 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3700 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3704 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3708 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3709 sizeof(ckeymat1), label,
3710 sizeof(label) - 1, context,
3711 sizeof(context) - 1, 1), 1)
3712 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3713 sizeof(ckeymat2), label,
3717 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3718 sizeof(ckeymat3), label,
3721 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3722 sizeof(skeymat1), label,
3725 sizeof(context) -1, 1),
3727 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3728 sizeof(skeymat2), label,
3732 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3733 sizeof(skeymat3), label,
3737 * Check that both sides created the same key material with the
3740 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3743 * Check that both sides created the same key material with an
3746 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3749 * Check that both sides created the same key material without a
3752 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3754 /* Different contexts should produce different results */
3755 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3760 * Check that an empty context and no context produce different results in
3761 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3763 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3765 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3772 SSL_free(serverssl);
3773 SSL_free(clientssl);
3774 SSL_CTX_free(sctx2);
3781 #ifndef OPENSSL_NO_TLS1_3
3783 * Test that SSL_export_keying_material_early() produces expected
3784 * results. There are no test vectors so all we do is test that both
3785 * sides of the communication produce the same results for different
3786 * protocol versions.
3788 static int test_export_key_mat_early(int idx)
3790 static const char label[] = "test label";
3791 static const unsigned char context[] = "context";
3793 SSL_CTX *cctx = NULL, *sctx = NULL;
3794 SSL *clientssl = NULL, *serverssl = NULL;
3795 SSL_SESSION *sess = NULL;
3796 const unsigned char *emptycontext = NULL;
3797 unsigned char ckeymat1[80], ckeymat2[80];
3798 unsigned char skeymat1[80], skeymat2[80];
3799 unsigned char buf[1];
3800 size_t readbytes, written;
3802 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3806 /* Here writing 0 length early data is enough. */
3807 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3808 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3810 SSL_READ_EARLY_DATA_ERROR)
3811 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3812 SSL_EARLY_DATA_ACCEPTED))
3815 if (!TEST_int_eq(SSL_export_keying_material_early(
3816 clientssl, ckeymat1, sizeof(ckeymat1), label,
3817 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3818 || !TEST_int_eq(SSL_export_keying_material_early(
3819 clientssl, ckeymat2, sizeof(ckeymat2), label,
3820 sizeof(label) - 1, emptycontext, 0), 1)
3821 || !TEST_int_eq(SSL_export_keying_material_early(
3822 serverssl, skeymat1, sizeof(skeymat1), label,
3823 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3824 || !TEST_int_eq(SSL_export_keying_material_early(
3825 serverssl, skeymat2, sizeof(skeymat2), label,
3826 sizeof(label) - 1, emptycontext, 0), 1)
3828 * Check that both sides created the same key material with the
3831 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3834 * Check that both sides created the same key material with an
3837 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3839 /* Different contexts should produce different results */
3840 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3847 SSL_SESSION_free(sess);
3848 SSL_SESSION_free(clientpsk);
3849 SSL_SESSION_free(serverpsk);
3850 clientpsk = serverpsk = NULL;
3851 SSL_free(serverssl);
3852 SSL_free(clientssl);
3858 #endif /* OPENSSL_NO_TLS1_3 */
3860 static int test_ssl_clear(int idx)
3862 SSL_CTX *cctx = NULL, *sctx = NULL;
3863 SSL *clientssl = NULL, *serverssl = NULL;
3866 #ifdef OPENSSL_NO_TLS1_2
3871 /* Create an initial connection */
3872 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3873 TLS1_VERSION, TLS_MAX_VERSION,
3874 &sctx, &cctx, cert, privkey))
3876 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3878 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3879 &clientssl, NULL, NULL))
3880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3884 SSL_shutdown(clientssl);
3885 SSL_shutdown(serverssl);
3886 SSL_free(serverssl);
3889 /* Clear clientssl - we're going to reuse the object */
3890 if (!TEST_true(SSL_clear(clientssl)))
3893 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3895 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3897 || !TEST_true(SSL_session_reused(clientssl)))
3900 SSL_shutdown(clientssl);
3901 SSL_shutdown(serverssl);
3906 SSL_free(serverssl);
3907 SSL_free(clientssl);
3914 /* Parse CH and retrieve any MFL extension value if present */
3915 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3918 unsigned char *data;
3919 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3920 unsigned int MFL_code = 0, type = 0;
3922 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3925 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3926 /* Skip the record header */
3927 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3928 /* Skip the handshake message header */
3929 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3930 /* Skip client version and random */
3931 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3932 + SSL3_RANDOM_SIZE))
3933 /* Skip session id */
3934 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3936 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3937 /* Skip compression */
3938 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3939 /* Extensions len */
3940 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3943 /* Loop through all extensions */
3944 while (PACKET_remaining(&pkt2)) {
3945 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3946 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3949 if (type == TLSEXT_TYPE_max_fragment_length) {
3950 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3951 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3954 *mfl_codemfl_code = MFL_code;
3963 /* Maximum-Fragment-Length TLS extension mode to test */
3964 static const unsigned char max_fragment_len_test[] = {
3965 TLSEXT_max_fragment_length_512,
3966 TLSEXT_max_fragment_length_1024,
3967 TLSEXT_max_fragment_length_2048,
3968 TLSEXT_max_fragment_length_4096
3971 static int test_max_fragment_len_ext(int idx_tst)
3975 int testresult = 0, MFL_mode = 0;
3978 ctx = SSL_CTX_new(TLS_method());
3982 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3983 ctx, max_fragment_len_test[idx_tst])))
3990 rbio = BIO_new(BIO_s_mem());
3991 wbio = BIO_new(BIO_s_mem());
3992 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3998 SSL_set_bio(con, rbio, wbio);
3999 SSL_set_connect_state(con);
4001 if (!TEST_int_le(SSL_connect(con), 0)) {
4002 /* This shouldn't succeed because we don't have a server! */
4006 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4007 /* no MFL in client hello */
4009 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4021 #ifndef OPENSSL_NO_TLS1_3
4022 static int test_pha_key_update(void)
4024 SSL_CTX *cctx = NULL, *sctx = NULL;
4025 SSL *clientssl = NULL, *serverssl = NULL;
4028 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4029 TLS1_VERSION, TLS_MAX_VERSION,
4030 &sctx, &cctx, cert, privkey)))
4033 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4034 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4035 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4036 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4040 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4044 SSL_force_post_handshake_auth(clientssl);
4046 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4050 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4051 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4054 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4057 /* Start handshake on the server */
4058 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4061 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4062 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4066 SSL_shutdown(clientssl);
4067 SSL_shutdown(serverssl);
4072 SSL_free(serverssl);
4073 SSL_free(clientssl);
4080 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4082 static SRP_VBASE *vbase = NULL;
4084 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4086 int ret = SSL3_AL_FATAL;
4088 SRP_user_pwd *user = NULL;
4090 username = SSL_get_srp_username(s);
4091 if (username == NULL) {
4092 *ad = SSL_AD_INTERNAL_ERROR;
4096 user = SRP_VBASE_get1_by_user(vbase, username);
4098 *ad = SSL_AD_INTERNAL_ERROR;
4102 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4104 *ad = SSL_AD_INTERNAL_ERROR;
4111 SRP_user_pwd_free(user);
4115 static int create_new_vfile(char *userid, char *password, const char *filename)
4118 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4121 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4124 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4127 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4128 &row[DB_srpverifier], NULL, NULL);
4129 if (!TEST_ptr(gNid))
4133 * The only way to create an empty TXT_DB is to provide a BIO with no data
4136 db = TXT_DB_read(dummy, DB_NUMBER);
4140 out = BIO_new_file(filename, "w");
4144 row[DB_srpid] = OPENSSL_strdup(userid);
4145 row[DB_srptype] = OPENSSL_strdup("V");
4146 row[DB_srpgN] = OPENSSL_strdup(gNid);
4148 if (!TEST_ptr(row[DB_srpid])
4149 || !TEST_ptr(row[DB_srptype])
4150 || !TEST_ptr(row[DB_srpgN])
4151 || !TEST_true(TXT_DB_insert(db, row)))
4156 if (!TXT_DB_write(out, db))
4162 for (i = 0; i < DB_NUMBER; i++)
4163 OPENSSL_free(row[i]);
4173 static int create_new_vbase(char *userid, char *password)
4175 BIGNUM *verifier = NULL, *salt = NULL;
4176 const SRP_gN *lgN = NULL;
4177 SRP_user_pwd *user_pwd = NULL;
4180 lgN = SRP_get_default_gN(NULL);
4184 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4188 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4189 if (!TEST_ptr(user_pwd))
4192 user_pwd->N = lgN->N;
4193 user_pwd->g = lgN->g;
4194 user_pwd->id = OPENSSL_strdup(userid);
4195 if (!TEST_ptr(user_pwd->id))
4198 user_pwd->v = verifier;
4200 verifier = salt = NULL;
4202 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4208 SRP_user_pwd_free(user_pwd);
4218 * Test 0: Simple successful SRP connection, new vbase
4219 * Test 1: Connection failure due to bad password, new vbase
4220 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4221 * Test 3: Connection failure due to bad password, vbase loaded from existing
4223 * Test 4: Simple successful SRP connection, vbase loaded from new file
4224 * Test 5: Connection failure due to bad password, vbase loaded from new file
4226 static int test_srp(int tst)
4228 char *userid = "test", *password = "password", *tstsrpfile;
4229 SSL_CTX *cctx = NULL, *sctx = NULL;
4230 SSL *clientssl = NULL, *serverssl = NULL;
4231 int ret, testresult = 0;
4233 vbase = SRP_VBASE_new(NULL);
4234 if (!TEST_ptr(vbase))
4237 if (tst == 0 || tst == 1) {
4238 if (!TEST_true(create_new_vbase(userid, password)))
4241 if (tst == 4 || tst == 5) {
4242 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4244 tstsrpfile = tmpfilename;
4246 tstsrpfile = srpvfile;
4248 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4252 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4253 TLS1_VERSION, TLS_MAX_VERSION,
4254 &sctx, &cctx, cert, privkey)))
4257 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4258 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4259 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4260 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4261 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4265 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4268 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4272 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4276 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4278 if (!TEST_true(tst % 2 == 0))
4281 if (!TEST_true(tst % 2 == 1))
4288 SRP_VBASE_free(vbase);
4290 SSL_free(serverssl);
4291 SSL_free(clientssl);
4299 static int info_cb_failed = 0;
4300 static int info_cb_offset = 0;
4301 static int info_cb_this_state = -1;
4303 static struct info_cb_states_st {
4305 const char *statestr;
4306 } info_cb_states[][60] = {
4308 /* TLSv1.2 server followed by resumption */
4309 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4310 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4311 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4312 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4313 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4314 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4315 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4316 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4317 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4318 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4319 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4320 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4321 {SSL_CB_EXIT, NULL}, {0, NULL},
4323 /* TLSv1.2 client followed by resumption */
4324 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4325 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4326 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4327 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4328 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4329 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4330 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4331 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4332 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4333 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4334 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4335 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4337 /* TLSv1.3 server followed by resumption */
4338 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4339 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4340 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4341 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4342 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4343 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4344 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4345 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4346 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4347 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4348 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4349 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4350 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4351 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4352 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4353 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4354 {SSL_CB_EXIT, NULL}, {0, NULL},
4356 /* TLSv1.3 client followed by resumption */
4357 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4358 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4359 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4360 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4361 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4362 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4363 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4364 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4365 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4366 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4367 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4368 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4369 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4370 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4371 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4372 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4373 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4374 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4375 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4377 /* TLSv1.3 server, early_data */
4378 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4379 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4380 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4381 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4382 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4383 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4384 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4385 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4386 {SSL_CB_EXIT, NULL}, {0, NULL},
4388 /* TLSv1.3 client, early_data */
4389 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4390 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4391 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4392 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4393 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4394 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4395 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4396 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4397 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4398 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4404 static void sslapi_info_callback(const SSL *s, int where, int ret)
4406 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4408 /* We do not ever expect a connection to fail in this test */
4409 if (!TEST_false(ret == 0)) {
4415 * Do some sanity checks. We never expect these things to happen in this
4418 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4419 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4420 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4425 /* Now check we're in the right state */
4426 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4430 if ((where & SSL_CB_LOOP) != 0
4431 && !TEST_int_eq(strcmp(SSL_state_string(s),
4432 state[info_cb_this_state].statestr), 0)) {
4437 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4438 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4445 * Test the info callback gets called when we expect it to.
4447 * Test 0: TLSv1.2, server
4448 * Test 1: TLSv1.2, client
4449 * Test 2: TLSv1.3, server
4450 * Test 3: TLSv1.3, client
4451 * Test 4: TLSv1.3, server, early_data
4452 * Test 5: TLSv1.3, client, early_data
4454 static int test_info_callback(int tst)
4456 SSL_CTX *cctx = NULL, *sctx = NULL;
4457 SSL *clientssl = NULL, *serverssl = NULL;
4458 SSL_SESSION *clntsess = NULL;
4463 #ifndef OPENSSL_NO_TLS1_2
4464 tlsvers = TLS1_2_VERSION;
4469 #ifndef OPENSSL_NO_TLS1_3
4470 tlsvers = TLS1_3_VERSION;
4478 info_cb_this_state = -1;
4479 info_cb_offset = tst;
4481 #ifndef OPENSSL_NO_TLS1_3
4483 SSL_SESSION *sess = NULL;
4484 size_t written, readbytes;
4485 unsigned char buf[80];
4487 /* early_data tests */
4488 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4489 &serverssl, &sess, 0)))
4492 /* We don't actually need this reference */
4493 SSL_SESSION_free(sess);
4495 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4496 sslapi_info_callback);
4498 /* Write and read some early data and then complete the connection */
4499 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4501 || !TEST_size_t_eq(written, strlen(MSG1))
4502 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4503 sizeof(buf), &readbytes),
4504 SSL_READ_EARLY_DATA_SUCCESS)
4505 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4506 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4507 SSL_EARLY_DATA_ACCEPTED)
4508 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4510 || !TEST_false(info_cb_failed))
4518 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4519 TLS_client_method(),
4520 tlsvers, tlsvers, &sctx, &cctx, cert,
4525 * For even numbered tests we check the server callbacks. For odd numbers we
4528 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4529 sslapi_info_callback);
4531 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4532 &clientssl, NULL, NULL))
4533 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4535 || !TEST_false(info_cb_failed))
4540 clntsess = SSL_get1_session(clientssl);
4541 SSL_shutdown(clientssl);
4542 SSL_shutdown(serverssl);
4543 SSL_free(serverssl);
4544 SSL_free(clientssl);
4545 serverssl = clientssl = NULL;
4547 /* Now do a resumption */
4548 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4550 || !TEST_true(SSL_set_session(clientssl, clntsess))
4551 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4553 || !TEST_true(SSL_session_reused(clientssl))
4554 || !TEST_false(info_cb_failed))
4560 SSL_free(serverssl);
4561 SSL_free(clientssl);
4562 SSL_SESSION_free(clntsess);
4568 static int test_ssl_pending(int tst)
4570 SSL_CTX *cctx = NULL, *sctx = NULL;
4571 SSL *clientssl = NULL, *serverssl = NULL;
4573 char msg[] = "A test message";
4575 size_t written, readbytes;
4578 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4579 TLS_client_method(),
4580 TLS1_VERSION, TLS_MAX_VERSION,
4581 &sctx, &cctx, cert, privkey)))
4584 #ifndef OPENSSL_NO_DTLS
4585 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4586 DTLS_client_method(),
4587 DTLS1_VERSION, DTLS_MAX_VERSION,
4588 &sctx, &cctx, cert, privkey)))
4595 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4597 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4601 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4602 || !TEST_false(SSL_has_pending(clientssl))
4603 || !TEST_int_eq(SSL_pending(serverssl), 0)
4604 || !TEST_false(SSL_has_pending(serverssl))
4605 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4606 || !TEST_size_t_eq(written, sizeof(msg))
4607 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4608 || !TEST_size_t_eq(readbytes, sizeof(buf))
4609 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4610 || !TEST_true(SSL_has_pending(clientssl)))
4616 SSL_free(serverssl);
4617 SSL_free(clientssl);
4625 unsigned int maxprot;
4626 const char *clntciphers;
4627 const char *clnttls13ciphers;
4628 const char *srvrciphers;
4629 const char *srvrtls13ciphers;
4631 } shared_ciphers_data[] = {
4633 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4634 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4636 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
4639 "AES128-SHA:AES256-SHA",
4641 "AES256-SHA:DHE-RSA-AES128-SHA",
4647 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4649 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4651 "AES128-SHA:AES256-SHA"
4655 "AES128-SHA:AES256-SHA",
4657 "AES128-SHA:DHE-RSA-AES128-SHA",
4663 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4666 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4667 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4670 "AES128-SHA:AES256-SHA",
4672 "AES256-SHA:AES128-SHA256",
4674 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4675 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4678 #ifndef OPENSSL_NO_TLS1_3
4682 "TLS_AES_256_GCM_SHA384",
4684 "TLS_AES_256_GCM_SHA384",
4685 "TLS_AES_256_GCM_SHA384"
4690 static int test_ssl_get_shared_ciphers(int tst)
4692 SSL_CTX *cctx = NULL, *sctx = NULL;
4693 SSL *clientssl = NULL, *serverssl = NULL;
4697 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4698 TLS_client_method(),
4700 shared_ciphers_data[tst].maxprot,
4701 &sctx, &cctx, cert, privkey)))
4704 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4705 shared_ciphers_data[tst].clntciphers))
4706 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
4707 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4708 shared_ciphers_data[tst].clnttls13ciphers)))
4709 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
4710 shared_ciphers_data[tst].srvrciphers))
4711 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
4712 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4713 shared_ciphers_data[tst].srvrtls13ciphers))))
4717 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4719 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4723 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
4724 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
4725 TEST_info("Shared ciphers are: %s\n", buf);
4732 SSL_free(serverssl);
4733 SSL_free(clientssl);
4740 static const char *appdata = "Hello World";
4741 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
4742 static int tick_key_renew = 0;
4743 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4745 static int gen_tick_cb(SSL *s, void *arg)
4747 gen_tick_called = 1;
4749 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
4753 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
4754 const unsigned char *keyname,
4755 size_t keyname_length,
4756 SSL_TICKET_STATUS status,
4762 dec_tick_called = 1;
4764 if (status == SSL_TICKET_EMPTY)
4765 return SSL_TICKET_RETURN_IGNORE_RENEW;
4767 if (!TEST_true(status == SSL_TICKET_SUCCESS
4768 || status == SSL_TICKET_SUCCESS_RENEW))
4769 return SSL_TICKET_RETURN_ABORT;
4771 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
4773 || !TEST_size_t_eq(tickdlen, strlen(appdata))
4774 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
4775 return SSL_TICKET_RETURN_ABORT;
4777 if (tick_key_cb_called) {
4778 /* Don't change what the ticket key callback wanted to do */
4780 case SSL_TICKET_NO_DECRYPT:
4781 return SSL_TICKET_RETURN_IGNORE_RENEW;
4783 case SSL_TICKET_SUCCESS:
4784 return SSL_TICKET_RETURN_USE;
4786 case SSL_TICKET_SUCCESS_RENEW:
4787 return SSL_TICKET_RETURN_USE_RENEW;
4790 return SSL_TICKET_RETURN_ABORT;
4793 return tick_dec_ret;
4797 static int tick_key_cb(SSL *s, unsigned char key_name[16],
4798 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
4799 HMAC_CTX *hctx, int enc)
4801 const unsigned char tick_aes_key[16] = "0123456789abcdef";
4802 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
4804 tick_key_cb_called = 1;
4805 memset(iv, 0, AES_BLOCK_SIZE);
4806 memset(key_name, 0, 16);
4807 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
4808 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
4809 EVP_sha256(), NULL))
4812 return tick_key_renew ? 2 : 1;
4816 * Test the various ticket callbacks
4817 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
4818 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
4819 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
4820 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
4821 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
4822 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
4823 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
4824 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
4825 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
4826 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
4827 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
4828 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
4830 static int test_ticket_callbacks(int tst)
4832 SSL_CTX *cctx = NULL, *sctx = NULL;
4833 SSL *clientssl = NULL, *serverssl = NULL;
4834 SSL_SESSION *clntsess = NULL;
4837 #ifdef OPENSSL_NO_TLS1_2
4841 #ifdef OPENSSL_NO_TLS1_3
4846 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
4848 /* Which tests the ticket key callback should request renewal for */
4849 if (tst == 10 || tst == 11)
4854 /* Which tests the decrypt ticket callback should request renewal for */
4858 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
4863 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
4868 tick_dec_ret = SSL_TICKET_RETURN_USE;
4873 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
4877 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4880 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4881 TLS_client_method(),
4883 ((tst % 2) == 0) ? TLS1_2_VERSION
4885 &sctx, &cctx, cert, privkey)))
4889 * We only want sessions to resume from tickets - not the session cache. So
4890 * switch the cache off.
4892 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
4895 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
4900 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
4903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4905 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4910 * The decrypt ticket key callback in TLSv1.2 should be called even though
4911 * we have no ticket yet, because it gets called with a status of
4912 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
4913 * actually send any ticket data). This does not happen in TLSv1.3 because
4914 * it is not valid to send empty ticket data in TLSv1.3.
4916 if (!TEST_int_eq(gen_tick_called, 1)
4917 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
4920 gen_tick_called = dec_tick_called = 0;
4922 clntsess = SSL_get1_session(clientssl);
4923 SSL_shutdown(clientssl);
4924 SSL_shutdown(serverssl);
4925 SSL_free(serverssl);
4926 SSL_free(clientssl);
4927 serverssl = clientssl = NULL;
4929 /* Now do a resumption */
4930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4932 || !TEST_true(SSL_set_session(clientssl, clntsess))
4933 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4937 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
4938 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
4939 if (!TEST_false(SSL_session_reused(clientssl)))
4942 if (!TEST_true(SSL_session_reused(clientssl)))
4946 if (!TEST_int_eq(gen_tick_called,
4948 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
4949 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
4951 || !TEST_int_eq(dec_tick_called, 1))
4957 SSL_SESSION_free(clntsess);
4958 SSL_free(serverssl);
4959 SSL_free(clientssl);
4966 int setup_tests(void)
4968 if (!TEST_ptr(cert = test_get_argument(0))
4969 || !TEST_ptr(privkey = test_get_argument(1))
4970 || !TEST_ptr(srpvfile = test_get_argument(2))
4971 || !TEST_ptr(tmpfilename = test_get_argument(3)))
4974 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
4975 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
4976 TEST_error("not supported in this build");
4979 int i, mcount, rcount, fcount;
4981 for (i = 0; i < 4; i++)
4982 test_export_key_mat(i);
4983 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
4984 test_printf_stdout("malloc %d realloc %d free %d\n",
4985 mcount, rcount, fcount);
4990 ADD_TEST(test_large_message_tls);
4991 ADD_TEST(test_large_message_tls_read_ahead);
4992 #ifndef OPENSSL_NO_DTLS
4993 ADD_TEST(test_large_message_dtls);
4995 #ifndef OPENSSL_NO_OCSP
4996 ADD_TEST(test_tlsext_status_type);
4998 ADD_TEST(test_session_with_only_int_cache);
4999 ADD_TEST(test_session_with_only_ext_cache);
5000 ADD_TEST(test_session_with_both_cache);
5001 #ifndef OPENSSL_NO_TLS1_3
5002 ADD_ALL_TESTS(test_tickets, 3);
5004 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
5005 ADD_TEST(test_ssl_bio_pop_next_bio);
5006 ADD_TEST(test_ssl_bio_pop_ssl_bio);
5007 ADD_TEST(test_ssl_bio_change_rbio);
5008 ADD_TEST(test_ssl_bio_change_wbio);
5009 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
5010 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
5011 ADD_TEST(test_keylog);
5013 #ifndef OPENSSL_NO_TLS1_3
5014 ADD_TEST(test_keylog_no_master_key);
5016 #ifndef OPENSSL_NO_TLS1_2
5017 ADD_TEST(test_client_hello_cb);
5019 #ifndef OPENSSL_NO_TLS1_3
5020 ADD_ALL_TESTS(test_early_data_read_write, 3);
5022 * We don't do replay tests for external PSK. Replay protection isn't used
5025 ADD_ALL_TESTS(test_early_data_replay, 2);
5026 ADD_ALL_TESTS(test_early_data_skip, 3);
5027 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
5028 ADD_ALL_TESTS(test_early_data_not_sent, 3);
5029 ADD_ALL_TESTS(test_early_data_psk, 8);
5030 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5031 # ifndef OPENSSL_NO_TLS1_2
5032 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5035 #ifndef OPENSSL_NO_TLS1_3
5036 ADD_ALL_TESTS(test_set_ciphersuite, 10);
5037 ADD_TEST(test_ciphersuite_change);
5038 #ifdef OPENSSL_NO_PSK
5039 ADD_ALL_TESTS(test_tls13_psk, 1);
5041 ADD_ALL_TESTS(test_tls13_psk, 4);
5042 #endif /* OPENSSL_NO_PSK */
5043 ADD_ALL_TESTS(test_custom_exts, 5);
5044 ADD_TEST(test_stateless);
5045 ADD_TEST(test_pha_key_update);
5047 ADD_ALL_TESTS(test_custom_exts, 3);
5049 ADD_ALL_TESTS(test_serverinfo, 8);
5050 ADD_ALL_TESTS(test_export_key_mat, 4);
5051 #ifndef OPENSSL_NO_TLS1_3
5052 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5054 ADD_ALL_TESTS(test_ssl_clear, 2);
5055 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
5056 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5057 ADD_ALL_TESTS(test_srp, 6);
5059 ADD_ALL_TESTS(test_info_callback, 6);
5060 ADD_ALL_TESTS(test_ssl_pending, 2);
5061 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
5062 ADD_ALL_TESTS(test_ticket_callbacks, 12);
5066 void cleanup_tests(void)
5068 bio_s_mempacket_test_free();