2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
20 #include <openssl/x509v3.h>
22 #include "ssltestlib.h"
24 #include "testutil/output.h"
25 #include "internal/nelem.h"
26 #include "../ssl/ssl_local.h"
28 #ifndef OPENSSL_NO_TLS1_3
30 static SSL_SESSION *clientpsk = NULL;
31 static SSL_SESSION *serverpsk = NULL;
32 static const char *pskid = "Identity";
33 static const char *srvid;
35 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
36 size_t *idlen, SSL_SESSION **sess);
37 static int find_session_cb(SSL *ssl, const unsigned char *identity,
38 size_t identity_len, SSL_SESSION **sess);
40 static int use_session_cb_cnt = 0;
41 static int find_session_cb_cnt = 0;
43 static SSL_SESSION *create_a_psk(SSL *ssl);
46 static char *certsdir = NULL;
47 static char *cert = NULL;
48 static char *privkey = NULL;
49 static char *srpvfile = NULL;
50 static char *tmpfilename = NULL;
52 #define LOG_BUFFER_SIZE 2048
53 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
54 static size_t server_log_buffer_index = 0;
55 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
56 static size_t client_log_buffer_index = 0;
57 static int error_writing_log = 0;
59 #ifndef OPENSSL_NO_OCSP
60 static const unsigned char orespder[] = "Dummy OCSP Response";
61 static int ocsp_server_called = 0;
62 static int ocsp_client_called = 0;
64 static int cdummyarg = 1;
65 static X509 *ocspcert = NULL;
68 #define NUM_EXTRA_CERTS 40
69 #define CLIENT_VERSION_LEN 2
72 * This structure is used to validate that the correct number of log messages
73 * of various types are emitted when emitting secret logs.
75 struct sslapitest_log_counts {
76 unsigned int rsa_key_exchange_count;
77 unsigned int master_secret_count;
78 unsigned int client_early_secret_count;
79 unsigned int client_handshake_secret_count;
80 unsigned int server_handshake_secret_count;
81 unsigned int client_application_secret_count;
82 unsigned int server_application_secret_count;
83 unsigned int early_exporter_secret_count;
84 unsigned int exporter_secret_count;
88 static unsigned char serverinfov1[] = {
89 0xff, 0xff, /* Dummy extension type */
90 0x00, 0x01, /* Extension length is 1 byte */
91 0xff /* Dummy extension data */
94 static unsigned char serverinfov2[] = {
96 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
97 0xff, 0xff, /* Dummy extension type */
98 0x00, 0x01, /* Extension length is 1 byte */
99 0xff /* Dummy extension data */
102 static int hostname_cb(SSL *s, int *al, void *arg)
104 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
106 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
107 || strcmp(hostname, "altgoodhost") == 0))
108 return SSL_TLSEXT_ERR_OK;
110 return SSL_TLSEXT_ERR_NOACK;
113 static void client_keylog_callback(const SSL *ssl, const char *line)
115 int line_length = strlen(line);
117 /* If the log doesn't fit, error out. */
118 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
119 TEST_info("Client log too full");
120 error_writing_log = 1;
124 strcat(client_log_buffer, line);
125 client_log_buffer_index += line_length;
126 client_log_buffer[client_log_buffer_index++] = '\n';
129 static void server_keylog_callback(const SSL *ssl, const char *line)
131 int line_length = strlen(line);
133 /* If the log doesn't fit, error out. */
134 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
135 TEST_info("Server log too full");
136 error_writing_log = 1;
140 strcat(server_log_buffer, line);
141 server_log_buffer_index += line_length;
142 server_log_buffer[server_log_buffer_index++] = '\n';
145 static int compare_hex_encoded_buffer(const char *hex_encoded,
153 if (!TEST_size_t_eq(raw_length * 2, hex_length))
156 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
157 sprintf(hexed, "%02x", raw[i]);
158 if (!TEST_int_eq(hexed[0], hex_encoded[j])
159 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
166 static int test_keylog_output(char *buffer, const SSL *ssl,
167 const SSL_SESSION *session,
168 struct sslapitest_log_counts *expected)
171 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
172 size_t client_random_size = SSL3_RANDOM_SIZE;
173 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
174 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
175 unsigned int rsa_key_exchange_count = 0;
176 unsigned int master_secret_count = 0;
177 unsigned int client_early_secret_count = 0;
178 unsigned int client_handshake_secret_count = 0;
179 unsigned int server_handshake_secret_count = 0;
180 unsigned int client_application_secret_count = 0;
181 unsigned int server_application_secret_count = 0;
182 unsigned int early_exporter_secret_count = 0;
183 unsigned int exporter_secret_count = 0;
185 for (token = strtok(buffer, " \n"); token != NULL;
186 token = strtok(NULL, " \n")) {
187 if (strcmp(token, "RSA") == 0) {
189 * Premaster secret. Tokens should be: 16 ASCII bytes of
190 * hex-encoded encrypted secret, then the hex-encoded pre-master
193 if (!TEST_ptr(token = strtok(NULL, " \n")))
195 if (!TEST_size_t_eq(strlen(token), 16))
197 if (!TEST_ptr(token = strtok(NULL, " \n")))
200 * We can't sensibly check the log because the premaster secret is
201 * transient, and OpenSSL doesn't keep hold of it once the master
202 * secret is generated.
204 rsa_key_exchange_count++;
205 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
207 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
208 * client random, then the hex-encoded master secret.
210 client_random_size = SSL_get_client_random(ssl,
211 actual_client_random,
213 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
216 if (!TEST_ptr(token = strtok(NULL, " \n")))
218 if (!TEST_size_t_eq(strlen(token), 64))
220 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
221 actual_client_random,
222 client_random_size)))
225 if (!TEST_ptr(token = strtok(NULL, " \n")))
227 master_key_size = SSL_SESSION_get_master_key(session,
230 if (!TEST_size_t_ne(master_key_size, 0))
232 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
236 master_secret_count++;
237 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
238 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
239 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
240 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
241 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
242 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
243 || strcmp(token, "EXPORTER_SECRET") == 0) {
245 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
246 * client random, and then the hex-encoded secret. In this case,
247 * we treat all of these secrets identically and then just
248 * distinguish between them when counting what we saw.
250 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
251 client_early_secret_count++;
252 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
253 client_handshake_secret_count++;
254 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
255 server_handshake_secret_count++;
256 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
257 client_application_secret_count++;
258 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
259 server_application_secret_count++;
260 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
261 early_exporter_secret_count++;
262 else if (strcmp(token, "EXPORTER_SECRET") == 0)
263 exporter_secret_count++;
265 client_random_size = SSL_get_client_random(ssl,
266 actual_client_random,
268 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
271 if (!TEST_ptr(token = strtok(NULL, " \n")))
273 if (!TEST_size_t_eq(strlen(token), 64))
275 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
276 actual_client_random,
277 client_random_size)))
280 if (!TEST_ptr(token = strtok(NULL, " \n")))
284 * TODO(TLS1.3): test that application traffic secrets are what
287 TEST_info("Unexpected token %s\n", token);
292 /* Got what we expected? */
293 if (!TEST_size_t_eq(rsa_key_exchange_count,
294 expected->rsa_key_exchange_count)
295 || !TEST_size_t_eq(master_secret_count,
296 expected->master_secret_count)
297 || !TEST_size_t_eq(client_early_secret_count,
298 expected->client_early_secret_count)
299 || !TEST_size_t_eq(client_handshake_secret_count,
300 expected->client_handshake_secret_count)
301 || !TEST_size_t_eq(server_handshake_secret_count,
302 expected->server_handshake_secret_count)
303 || !TEST_size_t_eq(client_application_secret_count,
304 expected->client_application_secret_count)
305 || !TEST_size_t_eq(server_application_secret_count,
306 expected->server_application_secret_count)
307 || !TEST_size_t_eq(early_exporter_secret_count,
308 expected->early_exporter_secret_count)
309 || !TEST_size_t_eq(exporter_secret_count,
310 expected->exporter_secret_count))
315 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
316 static int test_keylog(void)
318 SSL_CTX *cctx = NULL, *sctx = NULL;
319 SSL *clientssl = NULL, *serverssl = NULL;
321 struct sslapitest_log_counts expected = {0};
323 /* Clean up logging space */
324 memset(client_log_buffer, 0, sizeof(client_log_buffer));
325 memset(server_log_buffer, 0, sizeof(server_log_buffer));
326 client_log_buffer_index = 0;
327 server_log_buffer_index = 0;
328 error_writing_log = 0;
330 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
332 TLS1_VERSION, TLS_MAX_VERSION,
333 &sctx, &cctx, cert, privkey)))
336 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
337 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
338 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
340 /* We also want to ensure that we use RSA-based key exchange. */
341 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
344 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
345 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
347 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
348 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
349 == client_keylog_callback))
351 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
352 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
353 == server_keylog_callback))
356 /* Now do a handshake and check that the logs have been written to. */
357 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
358 &clientssl, NULL, NULL))
359 || !TEST_true(create_ssl_connection(serverssl, clientssl,
361 || !TEST_false(error_writing_log)
362 || !TEST_int_gt(client_log_buffer_index, 0)
363 || !TEST_int_gt(server_log_buffer_index, 0))
367 * Now we want to test that our output data was vaguely sensible. We
368 * do that by using strtok and confirming that we have more or less the
369 * data we expect. For both client and server, we expect to see one master
370 * secret. The client should also see a RSA key exchange.
372 expected.rsa_key_exchange_count = 1;
373 expected.master_secret_count = 1;
374 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
375 SSL_get_session(clientssl), &expected)))
378 expected.rsa_key_exchange_count = 0;
379 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
380 SSL_get_session(serverssl), &expected)))
395 #ifndef OPENSSL_NO_TLS1_3
396 static int test_keylog_no_master_key(void)
398 SSL_CTX *cctx = NULL, *sctx = NULL;
399 SSL *clientssl = NULL, *serverssl = NULL;
400 SSL_SESSION *sess = NULL;
402 struct sslapitest_log_counts expected = {0};
403 unsigned char buf[1];
404 size_t readbytes, written;
406 /* Clean up logging space */
407 memset(client_log_buffer, 0, sizeof(client_log_buffer));
408 memset(server_log_buffer, 0, sizeof(server_log_buffer));
409 client_log_buffer_index = 0;
410 server_log_buffer_index = 0;
411 error_writing_log = 0;
413 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
414 TLS1_VERSION, TLS_MAX_VERSION,
415 &sctx, &cctx, cert, privkey))
416 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
417 SSL3_RT_MAX_PLAIN_LENGTH)))
420 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
421 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
424 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
425 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
426 == client_keylog_callback))
429 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
430 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
431 == server_keylog_callback))
434 /* Now do a handshake and check that the logs have been written to. */
435 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
436 &clientssl, NULL, NULL))
437 || !TEST_true(create_ssl_connection(serverssl, clientssl,
439 || !TEST_false(error_writing_log))
443 * Now we want to test that our output data was vaguely sensible. For this
444 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
445 * TLSv1.3, but we do expect both client and server to emit keys.
447 expected.client_handshake_secret_count = 1;
448 expected.server_handshake_secret_count = 1;
449 expected.client_application_secret_count = 1;
450 expected.server_application_secret_count = 1;
451 expected.exporter_secret_count = 1;
452 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
453 SSL_get_session(clientssl), &expected))
454 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
455 SSL_get_session(serverssl),
459 /* Terminate old session and resume with early data. */
460 sess = SSL_get1_session(clientssl);
461 SSL_shutdown(clientssl);
462 SSL_shutdown(serverssl);
465 serverssl = clientssl = NULL;
468 memset(client_log_buffer, 0, sizeof(client_log_buffer));
469 memset(server_log_buffer, 0, sizeof(server_log_buffer));
470 client_log_buffer_index = 0;
471 server_log_buffer_index = 0;
473 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
474 &clientssl, NULL, NULL))
475 || !TEST_true(SSL_set_session(clientssl, sess))
476 /* Here writing 0 length early data is enough. */
477 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
478 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
480 SSL_READ_EARLY_DATA_ERROR)
481 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
482 SSL_EARLY_DATA_ACCEPTED)
483 || !TEST_true(create_ssl_connection(serverssl, clientssl,
485 || !TEST_true(SSL_session_reused(clientssl)))
488 /* In addition to the previous entries, expect early secrets. */
489 expected.client_early_secret_count = 1;
490 expected.early_exporter_secret_count = 1;
491 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
492 SSL_get_session(clientssl), &expected))
493 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
494 SSL_get_session(serverssl),
501 SSL_SESSION_free(sess);
511 #ifndef OPENSSL_NO_TLS1_2
512 static int full_client_hello_callback(SSL *s, int *al, void *arg)
515 const unsigned char *p;
517 /* We only configure two ciphers, but the SCSV is added automatically. */
519 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
521 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
524 const int expected_extensions[] = {
525 #ifndef OPENSSL_NO_EC
531 /* Make sure we can defer processing and get called back. */
533 return SSL_CLIENT_HELLO_RETRY;
535 len = SSL_client_hello_get0_ciphers(s, &p);
536 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
538 SSL_client_hello_get0_compression_methods(s, &p), 1)
539 || !TEST_int_eq(*p, 0))
540 return SSL_CLIENT_HELLO_ERROR;
541 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
542 return SSL_CLIENT_HELLO_ERROR;
543 if (len != OSSL_NELEM(expected_extensions) ||
544 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
545 printf("ClientHello callback expected extensions mismatch\n");
547 return SSL_CLIENT_HELLO_ERROR;
550 return SSL_CLIENT_HELLO_SUCCESS;
553 static int test_client_hello_cb(void)
555 SSL_CTX *cctx = NULL, *sctx = NULL;
556 SSL *clientssl = NULL, *serverssl = NULL;
557 int testctr = 0, testresult = 0;
559 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
560 TLS1_VERSION, TLS_MAX_VERSION,
561 &sctx, &cctx, cert, privkey)))
563 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
565 /* The gimpy cipher list we configure can't do TLS 1.3. */
566 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
568 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
569 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
570 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
571 &clientssl, NULL, NULL))
572 || !TEST_false(create_ssl_connection(serverssl, clientssl,
573 SSL_ERROR_WANT_CLIENT_HELLO_CB))
575 * Passing a -1 literal is a hack since
576 * the real value was lost.
578 || !TEST_int_eq(SSL_get_error(serverssl, -1),
579 SSL_ERROR_WANT_CLIENT_HELLO_CB)
580 || !TEST_true(create_ssl_connection(serverssl, clientssl,
596 * Very focused test to exercise a single case in the server-side state
597 * machine, when the ChangeCipherState message needs to actually change
598 * from one cipher to a different cipher (i.e., not changing from null
599 * encryption to real encryption).
601 static int test_ccs_change_cipher(void)
603 SSL_CTX *cctx = NULL, *sctx = NULL;
604 SSL *clientssl = NULL, *serverssl = NULL;
605 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
612 * Create a conection so we can resume and potentially (but not) use
613 * a different cipher in the second connection.
615 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
617 TLS1_VERSION, TLS1_2_VERSION,
618 &sctx, &cctx, cert, privkey))
619 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
620 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
622 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
623 || !TEST_true(create_ssl_connection(serverssl, clientssl,
625 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
626 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
629 shutdown_ssl_connection(serverssl, clientssl);
630 serverssl = clientssl = NULL;
632 /* Resume, preferring a different cipher. Our server will force the
633 * same cipher to be used as the initial handshake. */
634 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
636 || !TEST_true(SSL_set_session(clientssl, sess))
637 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
638 || !TEST_true(create_ssl_connection(serverssl, clientssl,
640 || !TEST_true(SSL_session_reused(clientssl))
641 || !TEST_true(SSL_session_reused(serverssl))
642 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
643 || !TEST_ptr_eq(sesspre, sesspost)
644 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
645 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
647 shutdown_ssl_connection(serverssl, clientssl);
648 serverssl = clientssl = NULL;
651 * Now create a fresh connection and try to renegotiate a different
654 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
656 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
657 || !TEST_true(create_ssl_connection(serverssl, clientssl,
659 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
660 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
661 || !TEST_true(SSL_renegotiate(clientssl))
662 || !TEST_true(SSL_renegotiate_pending(clientssl)))
664 /* Actually drive the renegotiation. */
665 for (i = 0; i < 3; i++) {
666 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
667 if (!TEST_ulong_eq(readbytes, 0))
669 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
670 SSL_ERROR_WANT_READ)) {
673 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
674 if (!TEST_ulong_eq(readbytes, 0))
676 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
677 SSL_ERROR_WANT_READ)) {
681 /* sesspre and sesspost should be different since the cipher changed. */
682 if (!TEST_false(SSL_renegotiate_pending(clientssl))
683 || !TEST_false(SSL_session_reused(clientssl))
684 || !TEST_false(SSL_session_reused(serverssl))
685 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
686 || !TEST_ptr_ne(sesspre, sesspost)
687 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
688 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
691 shutdown_ssl_connection(serverssl, clientssl);
692 serverssl = clientssl = NULL;
701 SSL_SESSION_free(sess);
707 static int execute_test_large_message(const SSL_METHOD *smeth,
708 const SSL_METHOD *cmeth,
709 int min_version, int max_version,
712 SSL_CTX *cctx = NULL, *sctx = NULL;
713 SSL *clientssl = NULL, *serverssl = NULL;
717 X509 *chaincert = NULL;
720 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
722 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
725 if (!TEST_ptr(chaincert))
728 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
729 &sctx, &cctx, cert, privkey)))
734 * Test that read_ahead works correctly when dealing with large
737 SSL_CTX_set_read_ahead(cctx, 1);
741 * We assume the supplied certificate is big enough so that if we add
742 * NUM_EXTRA_CERTS it will make the overall message large enough. The
743 * default buffer size is requested to be 16k, but due to the way BUF_MEM
744 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
745 * test we need to have a message larger than that.
747 certlen = i2d_X509(chaincert, NULL);
748 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
749 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
750 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
751 if (!X509_up_ref(chaincert))
753 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
754 X509_free(chaincert);
759 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
761 || !TEST_true(create_ssl_connection(serverssl, clientssl,
766 * Calling SSL_clear() first is not required but this tests that SSL_clear()
767 * doesn't leak (when using enable-crypto-mdebug).
769 if (!TEST_true(SSL_clear(serverssl)))
774 X509_free(chaincert);
783 static int test_large_message_tls(void)
785 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
786 TLS1_VERSION, TLS_MAX_VERSION,
790 static int test_large_message_tls_read_ahead(void)
792 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
793 TLS1_VERSION, TLS_MAX_VERSION,
797 #ifndef OPENSSL_NO_DTLS
798 static int test_large_message_dtls(void)
801 * read_ahead is not relevant to DTLS because DTLS always acts as if
804 return execute_test_large_message(DTLS_server_method(),
805 DTLS_client_method(),
806 DTLS1_VERSION, DTLS_MAX_VERSION,
811 #ifndef OPENSSL_NO_OCSP
812 static int ocsp_server_cb(SSL *s, void *arg)
814 int *argi = (int *)arg;
815 unsigned char *copy = NULL;
816 STACK_OF(OCSP_RESPID) *ids = NULL;
817 OCSP_RESPID *id = NULL;
820 /* In this test we are expecting exactly 1 OCSP_RESPID */
821 SSL_get_tlsext_status_ids(s, &ids);
822 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
823 return SSL_TLSEXT_ERR_ALERT_FATAL;
825 id = sk_OCSP_RESPID_value(ids, 0);
826 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
827 return SSL_TLSEXT_ERR_ALERT_FATAL;
828 } else if (*argi != 1) {
829 return SSL_TLSEXT_ERR_ALERT_FATAL;
832 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
833 return SSL_TLSEXT_ERR_ALERT_FATAL;
835 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
836 ocsp_server_called = 1;
837 return SSL_TLSEXT_ERR_OK;
840 static int ocsp_client_cb(SSL *s, void *arg)
842 int *argi = (int *)arg;
843 const unsigned char *respderin;
846 if (*argi != 1 && *argi != 2)
849 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
850 if (!TEST_mem_eq(orespder, len, respderin, len))
853 ocsp_client_called = 1;
857 static int test_tlsext_status_type(void)
859 SSL_CTX *cctx = NULL, *sctx = NULL;
860 SSL *clientssl = NULL, *serverssl = NULL;
862 STACK_OF(OCSP_RESPID) *ids = NULL;
863 OCSP_RESPID *id = NULL;
866 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
867 TLS1_VERSION, TLS_MAX_VERSION,
868 &sctx, &cctx, cert, privkey))
871 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
874 /* First just do various checks getting and setting tlsext_status_type */
876 clientssl = SSL_new(cctx);
877 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
878 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
879 TLSEXT_STATUSTYPE_ocsp))
880 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
881 TLSEXT_STATUSTYPE_ocsp))
887 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
888 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
891 clientssl = SSL_new(cctx);
892 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
898 * Now actually do a handshake and check OCSP information is exchanged and
899 * the callbacks get called
901 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
902 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
903 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
904 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
906 &clientssl, NULL, NULL))
907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
909 || !TEST_true(ocsp_client_called)
910 || !TEST_true(ocsp_server_called))
917 /* Try again but this time force the server side callback to fail */
918 ocsp_client_called = 0;
919 ocsp_server_called = 0;
921 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
922 &clientssl, NULL, NULL))
923 /* This should fail because the callback will fail */
924 || !TEST_false(create_ssl_connection(serverssl, clientssl,
926 || !TEST_false(ocsp_client_called)
927 || !TEST_false(ocsp_server_called))
935 * This time we'll get the client to send an OCSP_RESPID that it will
938 ocsp_client_called = 0;
939 ocsp_server_called = 0;
941 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
942 &clientssl, NULL, NULL)))
946 * We'll just use any old cert for this test - it doesn't have to be an OCSP
947 * specific one. We'll use the server cert.
949 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
950 || !TEST_ptr(id = OCSP_RESPID_new())
951 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
952 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
954 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
955 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
958 SSL_set_tlsext_status_ids(clientssl, ids);
959 /* Control has been transferred */
965 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
967 || !TEST_true(ocsp_client_called)
968 || !TEST_true(ocsp_server_called))
978 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
979 OCSP_RESPID_free(id);
988 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
989 static int new_called, remove_called, get_called;
991 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
995 * sess has been up-refed for us, but we don't actually need it so free it
998 SSL_SESSION_free(sess);
1002 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1007 static SSL_SESSION *get_sess_val = NULL;
1009 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1014 return get_sess_val;
1017 static int execute_test_session(int maxprot, int use_int_cache,
1020 SSL_CTX *sctx = NULL, *cctx = NULL;
1021 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1022 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1023 # ifndef OPENSSL_NO_TLS1_1
1024 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1026 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1027 int testresult = 0, numnewsesstick = 1;
1029 new_called = remove_called = 0;
1031 /* TLSv1.3 sends 2 NewSessionTickets */
1032 if (maxprot == TLS1_3_VERSION)
1035 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1036 TLS1_VERSION, TLS_MAX_VERSION,
1037 &sctx, &cctx, cert, privkey)))
1041 * Only allow the max protocol version so we can force a connection failure
1044 SSL_CTX_set_min_proto_version(cctx, maxprot);
1045 SSL_CTX_set_max_proto_version(cctx, maxprot);
1047 /* Set up session cache */
1048 if (use_ext_cache) {
1049 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1050 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1052 if (use_int_cache) {
1053 /* Also covers instance where both are set */
1054 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1056 SSL_CTX_set_session_cache_mode(cctx,
1057 SSL_SESS_CACHE_CLIENT
1058 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1061 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1063 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1065 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1068 /* Should fail because it should already be in the cache */
1069 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1072 && (!TEST_int_eq(new_called, numnewsesstick)
1074 || !TEST_int_eq(remove_called, 0)))
1077 new_called = remove_called = 0;
1078 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1079 &clientssl2, NULL, NULL))
1080 || !TEST_true(SSL_set_session(clientssl2, sess1))
1081 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1083 || !TEST_true(SSL_session_reused(clientssl2)))
1086 if (maxprot == TLS1_3_VERSION) {
1088 * In TLSv1.3 we should have created a new session even though we have
1089 * resumed. Since we attempted a resume we should also have removed the
1090 * old ticket from the cache so that we try to only use tickets once.
1093 && (!TEST_int_eq(new_called, 1)
1094 || !TEST_int_eq(remove_called, 1)))
1098 * In TLSv1.2 we expect to have resumed so no sessions added or
1102 && (!TEST_int_eq(new_called, 0)
1103 || !TEST_int_eq(remove_called, 0)))
1107 SSL_SESSION_free(sess1);
1108 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1110 shutdown_ssl_connection(serverssl2, clientssl2);
1111 serverssl2 = clientssl2 = NULL;
1113 new_called = remove_called = 0;
1114 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1115 &clientssl2, NULL, NULL))
1116 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1120 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1124 && (!TEST_int_eq(new_called, numnewsesstick)
1125 || !TEST_int_eq(remove_called, 0)))
1128 new_called = remove_called = 0;
1130 * This should clear sess2 from the cache because it is a "bad" session.
1131 * See SSL_set_session() documentation.
1133 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1136 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1138 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1141 if (use_int_cache) {
1142 /* Should succeeded because it should not already be in the cache */
1143 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1144 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1148 new_called = remove_called = 0;
1149 /* This shouldn't be in the cache so should fail */
1150 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1154 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1157 # if !defined(OPENSSL_NO_TLS1_1)
1158 new_called = remove_called = 0;
1159 /* Force a connection failure */
1160 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1161 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1162 &clientssl3, NULL, NULL))
1163 || !TEST_true(SSL_set_session(clientssl3, sess1))
1164 /* This should fail because of the mismatched protocol versions */
1165 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1169 /* We should have automatically removed the session from the cache */
1171 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1174 /* Should succeed because it should not already be in the cache */
1175 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1179 /* Now do some tests for server side caching */
1180 if (use_ext_cache) {
1181 SSL_CTX_sess_set_new_cb(cctx, NULL);
1182 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1183 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1184 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1185 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1186 get_sess_val = NULL;
1189 SSL_CTX_set_session_cache_mode(cctx, 0);
1190 /* Internal caching is the default on the server side */
1192 SSL_CTX_set_session_cache_mode(sctx,
1193 SSL_SESS_CACHE_SERVER
1194 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1196 SSL_free(serverssl1);
1197 SSL_free(clientssl1);
1198 serverssl1 = clientssl1 = NULL;
1199 SSL_free(serverssl2);
1200 SSL_free(clientssl2);
1201 serverssl2 = clientssl2 = NULL;
1202 SSL_SESSION_free(sess1);
1204 SSL_SESSION_free(sess2);
1207 SSL_CTX_set_max_proto_version(sctx, maxprot);
1208 if (maxprot == TLS1_2_VERSION)
1209 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1210 new_called = remove_called = get_called = 0;
1211 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1213 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1215 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1216 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1219 if (use_int_cache) {
1220 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1222 * In TLSv1.3 it should not have been added to the internal cache,
1223 * except in the case where we also have an external cache (in that
1224 * case it gets added to the cache in order to generate remove
1225 * events after timeout).
1227 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1230 /* Should fail because it should already be in the cache */
1231 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1236 if (use_ext_cache) {
1237 SSL_SESSION *tmp = sess2;
1239 if (!TEST_int_eq(new_called, numnewsesstick)
1240 || !TEST_int_eq(remove_called, 0)
1241 || !TEST_int_eq(get_called, 0))
1244 * Delete the session from the internal cache to force a lookup from
1245 * the external cache. We take a copy first because
1246 * SSL_CTX_remove_session() also marks the session as non-resumable.
1248 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1249 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1250 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1252 SSL_SESSION_free(sess2);
1257 new_called = remove_called = get_called = 0;
1258 get_sess_val = sess2;
1259 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1260 &clientssl2, NULL, NULL))
1261 || !TEST_true(SSL_set_session(clientssl2, sess1))
1262 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1264 || !TEST_true(SSL_session_reused(clientssl2)))
1267 if (use_ext_cache) {
1268 if (!TEST_int_eq(remove_called, 0))
1271 if (maxprot == TLS1_3_VERSION) {
1272 if (!TEST_int_eq(new_called, 1)
1273 || !TEST_int_eq(get_called, 0))
1276 if (!TEST_int_eq(new_called, 0)
1277 || !TEST_int_eq(get_called, 1))
1285 SSL_free(serverssl1);
1286 SSL_free(clientssl1);
1287 SSL_free(serverssl2);
1288 SSL_free(clientssl2);
1289 # ifndef OPENSSL_NO_TLS1_1
1290 SSL_free(serverssl3);
1291 SSL_free(clientssl3);
1293 SSL_SESSION_free(sess1);
1294 SSL_SESSION_free(sess2);
1300 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1302 static int test_session_with_only_int_cache(void)
1304 #ifndef OPENSSL_NO_TLS1_3
1305 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1309 #ifndef OPENSSL_NO_TLS1_2
1310 return execute_test_session(TLS1_2_VERSION, 1, 0);
1316 static int test_session_with_only_ext_cache(void)
1318 #ifndef OPENSSL_NO_TLS1_3
1319 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1323 #ifndef OPENSSL_NO_TLS1_2
1324 return execute_test_session(TLS1_2_VERSION, 0, 1);
1330 static int test_session_with_both_cache(void)
1332 #ifndef OPENSSL_NO_TLS1_3
1333 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1337 #ifndef OPENSSL_NO_TLS1_2
1338 return execute_test_session(TLS1_2_VERSION, 1, 1);
1344 #ifndef OPENSSL_NO_TLS1_3
1345 static SSL_SESSION *sesscache[6];
1346 static int do_cache;
1348 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1351 sesscache[new_called] = sess;
1353 /* We don't need the reference to the session, so free it */
1354 SSL_SESSION_free(sess);
1361 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1363 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1364 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1367 /* Start handshake on the server and client */
1368 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1369 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1370 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1371 || !TEST_true(create_ssl_connection(sssl, cssl,
1378 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1381 int sess_id_ctx = 1;
1383 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1384 TLS1_VERSION, TLS_MAX_VERSION, sctx,
1385 cctx, cert, privkey))
1386 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1387 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1388 (void *)&sess_id_ctx,
1389 sizeof(sess_id_ctx))))
1393 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1395 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1396 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1397 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1402 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1404 SSL *serverssl = NULL, *clientssl = NULL;
1407 /* Test that we can resume with all the tickets we got given */
1408 for (i = 0; i < idx * 2; i++) {
1410 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1411 &clientssl, NULL, NULL))
1412 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1415 SSL_set_post_handshake_auth(clientssl, 1);
1417 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1422 * Following a successful resumption we only get 1 ticket. After a
1423 * failed one we should get idx tickets.
1426 if (!TEST_true(SSL_session_reused(clientssl))
1427 || !TEST_int_eq(new_called, 1))
1430 if (!TEST_false(SSL_session_reused(clientssl))
1431 || !TEST_int_eq(new_called, idx))
1436 /* After a post-handshake authentication we should get 1 new ticket */
1438 && (!post_handshake_verify(serverssl, clientssl)
1439 || !TEST_int_eq(new_called, 1)))
1442 SSL_shutdown(clientssl);
1443 SSL_shutdown(serverssl);
1444 SSL_free(serverssl);
1445 SSL_free(clientssl);
1446 serverssl = clientssl = NULL;
1447 SSL_SESSION_free(sesscache[i]);
1448 sesscache[i] = NULL;
1454 SSL_free(clientssl);
1455 SSL_free(serverssl);
1459 static int test_tickets(int stateful, int idx)
1461 SSL_CTX *sctx = NULL, *cctx = NULL;
1462 SSL *serverssl = NULL, *clientssl = NULL;
1466 /* idx is the test number, but also the number of tickets we want */
1471 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1474 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1475 &clientssl, NULL, NULL)))
1478 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1480 /* Check we got the number of tickets we were expecting */
1481 || !TEST_int_eq(idx, new_called))
1484 SSL_shutdown(clientssl);
1485 SSL_shutdown(serverssl);
1486 SSL_free(serverssl);
1487 SSL_free(clientssl);
1490 clientssl = serverssl = NULL;
1494 * Now we try to resume with the tickets we previously created. The
1495 * resumption attempt is expected to fail (because we're now using a new
1496 * SSL_CTX). We should see idx number of tickets issued again.
1499 /* Stop caching sessions - just count them */
1502 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1505 if (!check_resumption(idx, sctx, cctx, 0))
1508 /* Start again with caching sessions */
1515 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1519 &clientssl, NULL, NULL)))
1522 SSL_set_post_handshake_auth(clientssl, 1);
1524 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1526 /* Check we got the number of tickets we were expecting */
1527 || !TEST_int_eq(idx, new_called))
1530 /* After a post-handshake authentication we should get new tickets issued */
1531 if (!post_handshake_verify(serverssl, clientssl)
1532 || !TEST_int_eq(idx * 2, new_called))
1535 SSL_shutdown(clientssl);
1536 SSL_shutdown(serverssl);
1537 SSL_free(serverssl);
1538 SSL_free(clientssl);
1539 serverssl = clientssl = NULL;
1541 /* Stop caching sessions - just count them */
1545 * Check we can resume with all the tickets we created. This time around the
1546 * resumptions should all be successful.
1548 if (!check_resumption(idx, sctx, cctx, 1))
1554 SSL_free(serverssl);
1555 SSL_free(clientssl);
1556 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1557 SSL_SESSION_free(sesscache[j]);
1558 sesscache[j] = NULL;
1566 static int test_stateless_tickets(int idx)
1568 return test_tickets(0, idx);
1571 static int test_stateful_tickets(int idx)
1573 return test_tickets(1, idx);
1576 static int test_psk_tickets(void)
1578 SSL_CTX *sctx = NULL, *cctx = NULL;
1579 SSL *serverssl = NULL, *clientssl = NULL;
1581 int sess_id_ctx = 1;
1583 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1584 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1586 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1587 (void *)&sess_id_ctx,
1588 sizeof(sess_id_ctx))))
1591 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1592 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1593 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1594 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1595 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1596 use_session_cb_cnt = 0;
1597 find_session_cb_cnt = 0;
1601 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1604 clientpsk = serverpsk = create_a_psk(clientssl);
1605 if (!TEST_ptr(clientpsk))
1607 SSL_SESSION_up_ref(clientpsk);
1609 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1611 || !TEST_int_eq(1, find_session_cb_cnt)
1612 || !TEST_int_eq(1, use_session_cb_cnt)
1613 /* We should always get 1 ticket when using external PSK */
1614 || !TEST_int_eq(1, new_called))
1620 SSL_free(serverssl);
1621 SSL_free(clientssl);
1624 SSL_SESSION_free(clientpsk);
1625 SSL_SESSION_free(serverpsk);
1626 clientpsk = serverpsk = NULL;
1635 #define USE_DEFAULT 3
1637 #define CONNTYPE_CONNECTION_SUCCESS 0
1638 #define CONNTYPE_CONNECTION_FAIL 1
1639 #define CONNTYPE_NO_CONNECTION 2
1641 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1642 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1643 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1644 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1646 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1649 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1650 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1651 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1653 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1670 * Tests calls to SSL_set_bio() under various conditions.
1672 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1673 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1674 * then do more tests where we create a successful connection first using our
1675 * standard connection setup functions, and then call SSL_set_bio() with
1676 * various combinations of valid BIOs or NULL. We then repeat these tests
1677 * following a failed connection. In this last case we are looking to check that
1678 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1680 static int test_ssl_set_bio(int idx)
1682 SSL_CTX *sctx = NULL, *cctx = NULL;
1685 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1686 SSL *serverssl = NULL, *clientssl = NULL;
1687 int initrbio, initwbio, newrbio, newwbio, conntype;
1690 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1698 conntype = CONNTYPE_NO_CONNECTION;
1700 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1701 initrbio = initwbio = USE_DEFAULT;
1709 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1710 TLS1_VERSION, TLS_MAX_VERSION,
1711 &sctx, &cctx, cert, privkey)))
1714 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1716 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1717 * because we reduced the number of tests in the definition of
1718 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1719 * mismatched protocol versions we will force a connection failure.
1721 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1722 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1729 if (initrbio == USE_BIO_1
1730 || initwbio == USE_BIO_1
1731 || newrbio == USE_BIO_1
1732 || newwbio == USE_BIO_1) {
1733 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1737 if (initrbio == USE_BIO_2
1738 || initwbio == USE_BIO_2
1739 || newrbio == USE_BIO_2
1740 || newwbio == USE_BIO_2) {
1741 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1745 if (initrbio != USE_DEFAULT) {
1746 setupbio(&irbio, bio1, bio2, initrbio);
1747 setupbio(&iwbio, bio1, bio2, initwbio);
1748 SSL_set_bio(clientssl, irbio, iwbio);
1751 * We want to maintain our own refs to these BIO, so do an up ref for
1752 * each BIO that will have ownership transferred in the SSL_set_bio()
1757 if (iwbio != NULL && iwbio != irbio)
1761 if (conntype != CONNTYPE_NO_CONNECTION
1762 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1764 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1767 setupbio(&nrbio, bio1, bio2, newrbio);
1768 setupbio(&nwbio, bio1, bio2, newwbio);
1771 * We will (maybe) transfer ownership again so do more up refs.
1772 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1777 && (nwbio != iwbio || nrbio != nwbio))
1781 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1784 SSL_set_bio(clientssl, nrbio, nwbio);
1793 * This test is checking that the ref counting for SSL_set_bio is correct.
1794 * If we get here and we did too many frees then we will fail in the above
1795 * functions. If we haven't done enough then this will only be detected in
1796 * a crypto-mdebug build
1798 SSL_free(serverssl);
1799 SSL_free(clientssl);
1805 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1807 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1809 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1814 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1815 || !TEST_ptr(ssl = SSL_new(ctx))
1816 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1817 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1820 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1823 * If anything goes wrong here then we could leak memory, so this will
1824 * be caught in a crypto-mdebug build
1826 BIO_push(sslbio, membio1);
1828 /* Verify changing the rbio/wbio directly does not cause leaks */
1829 if (change_bio != NO_BIO_CHANGE) {
1830 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
1834 if (change_bio == CHANGE_RBIO)
1835 SSL_set0_rbio(ssl, membio2);
1837 SSL_set0_wbio(ssl, membio2);
1856 static int test_ssl_bio_pop_next_bio(void)
1858 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1861 static int test_ssl_bio_pop_ssl_bio(void)
1863 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1866 static int test_ssl_bio_change_rbio(void)
1868 return execute_test_ssl_bio(0, CHANGE_RBIO);
1871 static int test_ssl_bio_change_wbio(void)
1873 return execute_test_ssl_bio(0, CHANGE_WBIO);
1876 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1878 /* The list of sig algs */
1880 /* The length of the list */
1882 /* A sigalgs list in string format */
1883 const char *liststr;
1884 /* Whether setting the list should succeed */
1886 /* Whether creating a connection with the list should succeed */
1890 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1891 # ifndef OPENSSL_NO_EC
1892 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1893 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1895 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1896 static const int invalidlist2[] = {NID_sha256, NID_undef};
1897 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1898 static const int invalidlist4[] = {NID_sha256};
1899 static const sigalgs_list testsigalgs[] = {
1900 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1901 # ifndef OPENSSL_NO_EC
1902 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1903 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1905 {NULL, 0, "RSA+SHA256", 1, 1},
1906 # ifndef OPENSSL_NO_EC
1907 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1908 {NULL, 0, "ECDSA+SHA512", 1, 0},
1910 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1911 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1912 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1913 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1914 {NULL, 0, "RSA", 0, 0},
1915 {NULL, 0, "SHA256", 0, 0},
1916 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1917 {NULL, 0, "Invalid", 0, 0}
1920 static int test_set_sigalgs(int idx)
1922 SSL_CTX *cctx = NULL, *sctx = NULL;
1923 SSL *clientssl = NULL, *serverssl = NULL;
1925 const sigalgs_list *curr;
1928 /* Should never happen */
1929 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1932 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1933 curr = testctx ? &testsigalgs[idx]
1934 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1936 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1937 TLS1_VERSION, TLS_MAX_VERSION,
1938 &sctx, &cctx, cert, privkey)))
1942 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1943 * for TLSv1.2 for now until we add a new API.
1945 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1950 if (curr->list != NULL)
1951 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1953 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1957 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1963 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1968 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1969 &clientssl, NULL, NULL)))
1975 if (curr->list != NULL)
1976 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1978 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1981 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1990 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1998 SSL_free(serverssl);
1999 SSL_free(clientssl);
2007 #ifndef OPENSSL_NO_TLS1_3
2008 static int psk_client_cb_cnt = 0;
2009 static int psk_server_cb_cnt = 0;
2011 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2012 size_t *idlen, SSL_SESSION **sess)
2014 switch (++use_session_cb_cnt) {
2016 /* The first call should always have a NULL md */
2022 /* The second call should always have an md */
2028 /* We should only be called a maximum of twice */
2032 if (clientpsk != NULL)
2033 SSL_SESSION_up_ref(clientpsk);
2036 *id = (const unsigned char *)pskid;
2037 *idlen = strlen(pskid);
2042 #ifndef OPENSSL_NO_PSK
2043 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2044 unsigned int max_id_len,
2046 unsigned int max_psk_len)
2048 unsigned int psklen = 0;
2050 psk_client_cb_cnt++;
2052 if (strlen(pskid) + 1 > max_id_len)
2055 /* We should only ever be called a maximum of twice per connection */
2056 if (psk_client_cb_cnt > 2)
2059 if (clientpsk == NULL)
2062 /* We'll reuse the PSK we set up for TLSv1.3 */
2063 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2065 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2066 strncpy(id, pskid, max_id_len);
2070 #endif /* OPENSSL_NO_PSK */
2072 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2073 size_t identity_len, SSL_SESSION **sess)
2075 find_session_cb_cnt++;
2077 /* We should only ever be called a maximum of twice per connection */
2078 if (find_session_cb_cnt > 2)
2081 if (serverpsk == NULL)
2084 /* Identity should match that set by the client */
2085 if (strlen(srvid) != identity_len
2086 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2087 /* No PSK found, continue but without a PSK */
2092 SSL_SESSION_up_ref(serverpsk);
2098 #ifndef OPENSSL_NO_PSK
2099 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2100 unsigned char *psk, unsigned int max_psk_len)
2102 unsigned int psklen = 0;
2104 psk_server_cb_cnt++;
2106 /* We should only ever be called a maximum of twice per connection */
2107 if (find_session_cb_cnt > 2)
2110 if (serverpsk == NULL)
2113 /* Identity should match that set by the client */
2114 if (strcmp(srvid, identity) != 0) {
2118 /* We'll reuse the PSK we set up for TLSv1.3 */
2119 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2121 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2125 #endif /* OPENSSL_NO_PSK */
2127 #define MSG1 "Hello"
2128 #define MSG2 "World."
2133 #define MSG7 "message."
2135 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2136 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2137 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2138 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2139 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
2142 static SSL_SESSION *create_a_psk(SSL *ssl)
2144 const SSL_CIPHER *cipher = NULL;
2145 const unsigned char key[] = {
2146 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2147 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2148 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2149 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2150 0x2c, 0x2d, 0x2e, 0x2f
2152 SSL_SESSION *sess = NULL;
2154 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2155 sess = SSL_SESSION_new();
2157 || !TEST_ptr(cipher)
2158 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2160 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2162 SSL_SESSION_set_protocol_version(sess,
2164 SSL_SESSION_free(sess);
2171 * Helper method to setup objects for early data test. Caller frees objects on
2174 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2175 SSL **serverssl, SSL_SESSION **sess, int idx)
2178 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2179 TLS_client_method(),
2180 TLS1_VERSION, TLS_MAX_VERSION,
2181 sctx, cctx, cert, privkey)))
2184 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2188 /* When idx == 1 we repeat the tests with read_ahead set */
2189 SSL_CTX_set_read_ahead(*cctx, 1);
2190 SSL_CTX_set_read_ahead(*sctx, 1);
2191 } else if (idx == 2) {
2192 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2193 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2194 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2195 use_session_cb_cnt = 0;
2196 find_session_cb_cnt = 0;
2200 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2205 * For one of the run throughs (doesn't matter which one), we'll try sending
2206 * some SNI data in the initial ClientHello. This will be ignored (because
2207 * there is no SNI cb set up by the server), so it should not impact
2211 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2215 clientpsk = create_a_psk(*clientssl);
2216 if (!TEST_ptr(clientpsk)
2218 * We just choose an arbitrary value for max_early_data which
2219 * should be big enough for testing purposes.
2221 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2223 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2224 SSL_SESSION_free(clientpsk);
2228 serverpsk = clientpsk;
2231 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2232 SSL_SESSION_free(clientpsk);
2233 SSL_SESSION_free(serverpsk);
2234 clientpsk = serverpsk = NULL;
2245 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2249 *sess = SSL_get1_session(*clientssl);
2250 SSL_shutdown(*clientssl);
2251 SSL_shutdown(*serverssl);
2252 SSL_free(*serverssl);
2253 SSL_free(*clientssl);
2254 *serverssl = *clientssl = NULL;
2256 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2257 clientssl, NULL, NULL))
2258 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2264 static int test_early_data_read_write(int idx)
2266 SSL_CTX *cctx = NULL, *sctx = NULL;
2267 SSL *clientssl = NULL, *serverssl = NULL;
2269 SSL_SESSION *sess = NULL;
2270 unsigned char buf[20], data[1024];
2271 size_t readbytes, written, eoedlen, rawread, rawwritten;
2274 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2275 &serverssl, &sess, idx)))
2278 /* Write and read some early data */
2279 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2281 || !TEST_size_t_eq(written, strlen(MSG1))
2282 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2283 sizeof(buf), &readbytes),
2284 SSL_READ_EARLY_DATA_SUCCESS)
2285 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2286 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2287 SSL_EARLY_DATA_ACCEPTED))
2291 * Server should be able to write data, and client should be able to
2294 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2296 || !TEST_size_t_eq(written, strlen(MSG2))
2297 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2298 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2301 /* Even after reading normal data, client should be able write early data */
2302 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2304 || !TEST_size_t_eq(written, strlen(MSG3)))
2307 /* Server should still be able read early data after writing data */
2308 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2310 SSL_READ_EARLY_DATA_SUCCESS)
2311 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2314 /* Write more data from server and read it from client */
2315 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2317 || !TEST_size_t_eq(written, strlen(MSG4))
2318 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2319 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2323 * If client writes normal data it should mean writing early data is no
2326 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2327 || !TEST_size_t_eq(written, strlen(MSG5))
2328 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2329 SSL_EARLY_DATA_ACCEPTED))
2333 * At this point the client has written EndOfEarlyData, ClientFinished and
2334 * normal (fully protected) data. We are going to cause a delay between the
2335 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2336 * in the read BIO, and then just put back the EndOfEarlyData message.
2338 rbio = SSL_get_rbio(serverssl);
2339 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2340 || !TEST_size_t_lt(rawread, sizeof(data))
2341 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2344 /* Record length is in the 4th and 5th bytes of the record header */
2345 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2346 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2347 || !TEST_size_t_eq(rawwritten, eoedlen))
2350 /* Server should be told that there is no more early data */
2351 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2353 SSL_READ_EARLY_DATA_FINISH)
2354 || !TEST_size_t_eq(readbytes, 0))
2358 * Server has not finished init yet, so should still be able to write early
2361 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2363 || !TEST_size_t_eq(written, strlen(MSG6)))
2366 /* Push the ClientFinished and the normal data back into the server rbio */
2367 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2369 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2372 /* Server should be able to read normal data */
2373 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2374 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2377 /* Client and server should not be able to write/read early data now */
2378 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2382 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2384 SSL_READ_EARLY_DATA_ERROR))
2388 /* Client should be able to read the data sent by the server */
2389 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2390 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2394 * Make sure we process the two NewSessionTickets. These arrive
2395 * post-handshake. We attempt reads which we do not expect to return any
2398 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2399 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2403 /* Server should be able to write normal data */
2404 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2405 || !TEST_size_t_eq(written, strlen(MSG7))
2406 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2407 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2410 SSL_SESSION_free(sess);
2411 sess = SSL_get1_session(clientssl);
2412 use_session_cb_cnt = 0;
2413 find_session_cb_cnt = 0;
2415 SSL_shutdown(clientssl);
2416 SSL_shutdown(serverssl);
2417 SSL_free(serverssl);
2418 SSL_free(clientssl);
2419 serverssl = clientssl = NULL;
2420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2421 &clientssl, NULL, NULL))
2422 || !TEST_true(SSL_set_session(clientssl, sess)))
2425 /* Write and read some early data */
2426 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2428 || !TEST_size_t_eq(written, strlen(MSG1))
2429 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2431 SSL_READ_EARLY_DATA_SUCCESS)
2432 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2435 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2436 || !TEST_int_gt(SSL_accept(serverssl), 0))
2439 /* Client and server should not be able to write/read early data now */
2440 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2444 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2446 SSL_READ_EARLY_DATA_ERROR))
2450 /* Client and server should be able to write/read normal data */
2451 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2452 || !TEST_size_t_eq(written, strlen(MSG5))
2453 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2454 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2460 SSL_SESSION_free(sess);
2461 SSL_SESSION_free(clientpsk);
2462 SSL_SESSION_free(serverpsk);
2463 clientpsk = serverpsk = NULL;
2464 SSL_free(serverssl);
2465 SSL_free(clientssl);
2471 static int allow_ed_cb_called = 0;
2473 static int allow_early_data_cb(SSL *s, void *arg)
2475 int *usecb = (int *)arg;
2477 allow_ed_cb_called++;
2486 * idx == 0: Standard early_data setup
2487 * idx == 1: early_data setup using read_ahead
2488 * usecb == 0: Don't use a custom early data callback
2489 * usecb == 1: Use a custom early data callback and reject the early data
2490 * usecb == 2: Use a custom early data callback and accept the early data
2491 * confopt == 0: Configure anti-replay directly
2492 * confopt == 1: Configure anti-replay using SSL_CONF
2494 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2496 SSL_CTX *cctx = NULL, *sctx = NULL;
2497 SSL *clientssl = NULL, *serverssl = NULL;
2499 SSL_SESSION *sess = NULL;
2500 size_t readbytes, written;
2501 unsigned char buf[20];
2503 allow_ed_cb_called = 0;
2505 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2506 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2507 &cctx, cert, privkey)))
2512 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2514 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2516 if (!TEST_ptr(confctx))
2518 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2519 | SSL_CONF_FLAG_SERVER);
2520 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2521 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2523 SSL_CONF_CTX_free(confctx);
2526 SSL_CONF_CTX_free(confctx);
2528 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2531 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2532 &serverssl, &sess, idx)))
2536 * The server is configured to accept early data. Create a connection to
2537 * "use up" the ticket
2539 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2540 || !TEST_true(SSL_session_reused(clientssl)))
2543 SSL_shutdown(clientssl);
2544 SSL_shutdown(serverssl);
2545 SSL_free(serverssl);
2546 SSL_free(clientssl);
2547 serverssl = clientssl = NULL;
2549 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2550 &clientssl, NULL, NULL))
2551 || !TEST_true(SSL_set_session(clientssl, sess)))
2554 /* Write and read some early data */
2555 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2557 || !TEST_size_t_eq(written, strlen(MSG1)))
2561 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2563 SSL_READ_EARLY_DATA_FINISH)
2565 * The ticket was reused, so the we should have rejected the
2568 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2569 SSL_EARLY_DATA_REJECTED))
2572 /* In this case the callback decides to accept the early data */
2573 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2575 SSL_READ_EARLY_DATA_SUCCESS)
2576 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2578 * Server will have sent its flight so client can now send
2579 * end of early data and complete its half of the handshake
2581 || !TEST_int_gt(SSL_connect(clientssl), 0)
2582 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2584 SSL_READ_EARLY_DATA_FINISH)
2585 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2586 SSL_EARLY_DATA_ACCEPTED))
2590 /* Complete the connection */
2591 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2592 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2593 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2599 SSL_SESSION_free(sess);
2600 SSL_SESSION_free(clientpsk);
2601 SSL_SESSION_free(serverpsk);
2602 clientpsk = serverpsk = NULL;
2603 SSL_free(serverssl);
2604 SSL_free(clientssl);
2610 static int test_early_data_replay(int idx)
2612 int ret = 1, usecb, confopt;
2614 for (usecb = 0; usecb < 3; usecb++) {
2615 for (confopt = 0; confopt < 2; confopt++)
2616 ret &= test_early_data_replay_int(idx, usecb, confopt);
2623 * Helper function to test that a server attempting to read early data can
2624 * handle a connection from a client where the early data should be skipped.
2625 * testtype: 0 == No HRR
2626 * testtype: 1 == HRR
2627 * testtype: 2 == HRR, invalid early_data sent after HRR
2628 * testtype: 3 == recv_max_early_data set to 0
2630 static int early_data_skip_helper(int testtype, int idx)
2632 SSL_CTX *cctx = NULL, *sctx = NULL;
2633 SSL *clientssl = NULL, *serverssl = NULL;
2635 SSL_SESSION *sess = NULL;
2636 unsigned char buf[20];
2637 size_t readbytes, written;
2639 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2640 &serverssl, &sess, idx)))
2643 if (testtype == 1 || testtype == 2) {
2644 /* Force an HRR to occur */
2645 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2647 } else if (idx == 2) {
2649 * We force early_data rejection by ensuring the PSK identity is
2652 srvid = "Dummy Identity";
2655 * Deliberately corrupt the creation time. We take 20 seconds off the
2656 * time. It could be any value as long as it is not within tolerance.
2657 * This should mean the ticket is rejected.
2659 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2664 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2667 /* Write some early data */
2668 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2670 || !TEST_size_t_eq(written, strlen(MSG1)))
2673 /* Server should reject the early data */
2674 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2676 SSL_READ_EARLY_DATA_FINISH)
2677 || !TEST_size_t_eq(readbytes, 0)
2678 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2679 SSL_EARLY_DATA_REJECTED))
2689 * Finish off the handshake. We perform the same writes and reads as
2690 * further down but we expect them to fail due to the incomplete
2693 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2694 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2701 BIO *wbio = SSL_get_wbio(clientssl);
2702 /* A record that will appear as bad early_data */
2703 const unsigned char bad_early_data[] = {
2704 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2708 * We force the client to attempt a write. This will fail because
2709 * we're still in the handshake. It will cause the second
2710 * ClientHello to be sent.
2712 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2717 * Inject some early_data after the second ClientHello. This should
2718 * cause the server to fail
2720 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2721 sizeof(bad_early_data), &written)))
2728 * This client has sent more early_data than we are willing to skip
2729 * (case 3) or sent invalid early_data (case 2) so the connection should
2732 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2733 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2736 /* Connection has failed - nothing more to do */
2741 TEST_error("Invalid test type");
2746 * Should be able to send normal data despite rejection of early data. The
2747 * early_data should be skipped.
2749 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2750 || !TEST_size_t_eq(written, strlen(MSG2))
2751 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2752 SSL_EARLY_DATA_REJECTED)
2753 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2754 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2760 SSL_SESSION_free(clientpsk);
2761 SSL_SESSION_free(serverpsk);
2762 clientpsk = serverpsk = NULL;
2763 SSL_SESSION_free(sess);
2764 SSL_free(serverssl);
2765 SSL_free(clientssl);
2772 * Test that a server attempting to read early data can handle a connection
2773 * from a client where the early data is not acceptable.
2775 static int test_early_data_skip(int idx)
2777 return early_data_skip_helper(0, idx);
2781 * Test that a server attempting to read early data can handle a connection
2782 * from a client where an HRR occurs.
2784 static int test_early_data_skip_hrr(int idx)
2786 return early_data_skip_helper(1, idx);
2790 * Test that a server attempting to read early data can handle a connection
2791 * from a client where an HRR occurs and correctly fails if early_data is sent
2794 static int test_early_data_skip_hrr_fail(int idx)
2796 return early_data_skip_helper(2, idx);
2800 * Test that a server attempting to read early data will abort if it tries to
2801 * skip over too much.
2803 static int test_early_data_skip_abort(int idx)
2805 return early_data_skip_helper(3, idx);
2809 * Test that a server attempting to read early data can handle a connection
2810 * from a client that doesn't send any.
2812 static int test_early_data_not_sent(int idx)
2814 SSL_CTX *cctx = NULL, *sctx = NULL;
2815 SSL *clientssl = NULL, *serverssl = NULL;
2817 SSL_SESSION *sess = NULL;
2818 unsigned char buf[20];
2819 size_t readbytes, written;
2821 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2822 &serverssl, &sess, idx)))
2825 /* Write some data - should block due to handshake with server */
2826 SSL_set_connect_state(clientssl);
2827 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2830 /* Server should detect that early data has not been sent */
2831 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2833 SSL_READ_EARLY_DATA_FINISH)
2834 || !TEST_size_t_eq(readbytes, 0)
2835 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2836 SSL_EARLY_DATA_NOT_SENT)
2837 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2838 SSL_EARLY_DATA_NOT_SENT))
2841 /* Continue writing the message we started earlier */
2842 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2843 || !TEST_size_t_eq(written, strlen(MSG1))
2844 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2845 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2846 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2847 || !TEST_size_t_eq(written, strlen(MSG2)))
2850 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2851 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2857 SSL_SESSION_free(sess);
2858 SSL_SESSION_free(clientpsk);
2859 SSL_SESSION_free(serverpsk);
2860 clientpsk = serverpsk = NULL;
2861 SSL_free(serverssl);
2862 SSL_free(clientssl);
2868 static const char *servalpn;
2870 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2871 unsigned char *outlen, const unsigned char *in,
2872 unsigned int inlen, void *arg)
2874 unsigned int protlen = 0;
2875 const unsigned char *prot;
2877 for (prot = in; prot < in + inlen; prot += protlen) {
2879 if (in + inlen < prot + protlen)
2880 return SSL_TLSEXT_ERR_NOACK;
2882 if (protlen == strlen(servalpn)
2883 && memcmp(prot, servalpn, protlen) == 0) {
2886 return SSL_TLSEXT_ERR_OK;
2890 return SSL_TLSEXT_ERR_NOACK;
2893 /* Test that a PSK can be used to send early_data */
2894 static int test_early_data_psk(int idx)
2896 SSL_CTX *cctx = NULL, *sctx = NULL;
2897 SSL *clientssl = NULL, *serverssl = NULL;
2899 SSL_SESSION *sess = NULL;
2900 unsigned char alpnlist[] = {
2901 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2904 #define GOODALPNLEN 9
2905 #define BADALPNLEN 8
2906 #define GOODALPN (alpnlist)
2907 #define BADALPN (alpnlist + GOODALPNLEN)
2909 unsigned char buf[20];
2910 size_t readbytes, written;
2911 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2912 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2914 /* We always set this up with a final parameter of "2" for PSK */
2915 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2916 &serverssl, &sess, 2)))
2919 servalpn = "goodalpn";
2922 * Note: There is no test for inconsistent SNI with late client detection.
2923 * This is because servers do not acknowledge SNI even if they are using
2924 * it in a resumption handshake - so it is not actually possible for a
2925 * client to detect a problem.
2929 /* Set inconsistent SNI (early client detection) */
2930 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2931 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2932 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2937 /* Set inconsistent ALPN (early client detection) */
2938 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2939 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2940 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2942 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2949 * Set invalid protocol version. Technically this affects PSKs without
2950 * early_data too, but we test it here because it is similar to the
2951 * SNI/ALPN consistency tests.
2953 err = SSL_R_BAD_PSK;
2954 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2960 * Set inconsistent SNI (server side). In this case the connection
2961 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
2962 * is associated with each handshake - not the session. Therefore it
2963 * should not matter that we used a different server name last time.
2965 SSL_SESSION_free(serverpsk);
2966 serverpsk = SSL_SESSION_dup(clientpsk);
2967 if (!TEST_ptr(serverpsk)
2968 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2972 /* Set consistent SNI */
2973 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2974 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2975 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2982 * Set inconsistent ALPN (server detected). In this case the connection
2983 * will succeed but reject early_data.
2985 servalpn = "badalpn";
2986 edstatus = SSL_EARLY_DATA_REJECTED;
2987 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2991 * Set consistent ALPN.
2992 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2993 * accepts a list of protos (each one length prefixed).
2994 * SSL_set1_alpn_selected accepts a single protocol (not length
2997 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2999 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3003 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3007 /* Set inconsistent ALPN (late client detection) */
3008 SSL_SESSION_free(serverpsk);
3009 serverpsk = SSL_SESSION_dup(clientpsk);
3010 if (!TEST_ptr(serverpsk)
3011 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3014 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3017 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3020 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3021 edstatus = SSL_EARLY_DATA_ACCEPTED;
3022 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3023 /* SSL_connect() call should fail */
3028 TEST_error("Bad test index");
3032 SSL_set_connect_state(clientssl);
3034 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3036 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3037 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3040 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3044 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3045 &readbytes), readearlyres)
3046 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3047 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3048 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3049 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3056 SSL_SESSION_free(sess);
3057 SSL_SESSION_free(clientpsk);
3058 SSL_SESSION_free(serverpsk);
3059 clientpsk = serverpsk = NULL;
3060 SSL_free(serverssl);
3061 SSL_free(clientssl);
3068 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3069 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3070 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3071 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3072 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3073 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3075 static int test_early_data_psk_with_all_ciphers(int idx)
3077 SSL_CTX *cctx = NULL, *sctx = NULL;
3078 SSL *clientssl = NULL, *serverssl = NULL;
3080 SSL_SESSION *sess = NULL;
3081 unsigned char buf[20];
3082 size_t readbytes, written;
3083 const SSL_CIPHER *cipher;
3084 const char *cipher_str[] = {
3085 TLS1_3_RFC_AES_128_GCM_SHA256,
3086 TLS1_3_RFC_AES_256_GCM_SHA384,
3087 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3088 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3092 TLS1_3_RFC_AES_128_CCM_SHA256,
3093 TLS1_3_RFC_AES_128_CCM_8_SHA256
3095 const unsigned char *cipher_bytes[] = {
3096 TLS13_AES_128_GCM_SHA256_BYTES,
3097 TLS13_AES_256_GCM_SHA384_BYTES,
3098 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3099 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3103 TLS13_AES_128_CCM_SHA256_BYTES,
3104 TLS13_AES_128_CCM_8_SHA256_BYTES
3107 if (cipher_str[idx] == NULL)
3110 /* We always set this up with a final parameter of "2" for PSK */
3111 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3112 &serverssl, &sess, 2)))
3115 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3116 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3120 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3121 * and assigns to both client and server with incremented reference
3122 * and the same instance is updated in 'sess'.
3123 * So updating ciphersuite in 'sess' which will get reflected in
3124 * PSK handshake using psk use sess and find sess cb.
3126 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3127 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3130 SSL_set_connect_state(clientssl);
3131 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3135 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3137 SSL_READ_EARLY_DATA_SUCCESS)
3138 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3139 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3140 SSL_EARLY_DATA_ACCEPTED)
3141 || !TEST_int_eq(SSL_connect(clientssl), 1)
3142 || !TEST_int_eq(SSL_accept(serverssl), 1))
3145 /* Send some normal data from client to server */
3146 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3147 || !TEST_size_t_eq(written, strlen(MSG2)))
3150 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3151 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3156 SSL_SESSION_free(sess);
3157 SSL_SESSION_free(clientpsk);
3158 SSL_SESSION_free(serverpsk);
3159 clientpsk = serverpsk = NULL;
3160 if (clientssl != NULL)
3161 SSL_shutdown(clientssl);
3162 if (serverssl != NULL)
3163 SSL_shutdown(serverssl);
3164 SSL_free(serverssl);
3165 SSL_free(clientssl);
3172 * Test that a server that doesn't try to read early data can handle a
3173 * client sending some.
3175 static int test_early_data_not_expected(int idx)
3177 SSL_CTX *cctx = NULL, *sctx = NULL;
3178 SSL *clientssl = NULL, *serverssl = NULL;
3180 SSL_SESSION *sess = NULL;
3181 unsigned char buf[20];
3182 size_t readbytes, written;
3184 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3185 &serverssl, &sess, idx)))
3188 /* Write some early data */
3189 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3194 * Server should skip over early data and then block waiting for client to
3195 * continue handshake
3197 if (!TEST_int_le(SSL_accept(serverssl), 0)
3198 || !TEST_int_gt(SSL_connect(clientssl), 0)
3199 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3200 SSL_EARLY_DATA_REJECTED)
3201 || !TEST_int_gt(SSL_accept(serverssl), 0)
3202 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3203 SSL_EARLY_DATA_REJECTED))
3206 /* Send some normal data from client to server */
3207 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3208 || !TEST_size_t_eq(written, strlen(MSG2)))
3211 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3212 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3218 SSL_SESSION_free(sess);
3219 SSL_SESSION_free(clientpsk);
3220 SSL_SESSION_free(serverpsk);
3221 clientpsk = serverpsk = NULL;
3222 SSL_free(serverssl);
3223 SSL_free(clientssl);
3230 # ifndef OPENSSL_NO_TLS1_2
3232 * Test that a server attempting to read early data can handle a connection
3233 * from a TLSv1.2 client.
3235 static int test_early_data_tls1_2(int idx)
3237 SSL_CTX *cctx = NULL, *sctx = NULL;
3238 SSL *clientssl = NULL, *serverssl = NULL;
3240 unsigned char buf[20];
3241 size_t readbytes, written;
3243 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3244 &serverssl, NULL, idx)))
3247 /* Write some data - should block due to handshake with server */
3248 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3249 SSL_set_connect_state(clientssl);
3250 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3254 * Server should do TLSv1.2 handshake. First it will block waiting for more
3255 * messages from client after ServerDone. Then SSL_read_early_data should
3256 * finish and detect that early data has not been sent
3258 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3260 SSL_READ_EARLY_DATA_ERROR))
3264 * Continue writing the message we started earlier. Will still block waiting
3265 * for the CCS/Finished from server
3267 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3268 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3270 SSL_READ_EARLY_DATA_FINISH)
3271 || !TEST_size_t_eq(readbytes, 0)
3272 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3273 SSL_EARLY_DATA_NOT_SENT))
3276 /* Continue writing the message we started earlier */
3277 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3278 || !TEST_size_t_eq(written, strlen(MSG1))
3279 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3280 SSL_EARLY_DATA_NOT_SENT)
3281 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3282 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3283 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3284 || !TEST_size_t_eq(written, strlen(MSG2))
3285 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3286 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3292 SSL_SESSION_free(clientpsk);
3293 SSL_SESSION_free(serverpsk);
3294 clientpsk = serverpsk = NULL;
3295 SSL_free(serverssl);
3296 SSL_free(clientssl);
3302 # endif /* OPENSSL_NO_TLS1_2 */
3305 * Test configuring the TLSv1.3 ciphersuites
3307 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3308 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3309 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3310 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3311 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3312 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3313 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3314 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3315 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3316 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3318 static int test_set_ciphersuite(int idx)
3320 SSL_CTX *cctx = NULL, *sctx = NULL;
3321 SSL *clientssl = NULL, *serverssl = NULL;
3324 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3325 TLS1_VERSION, TLS_MAX_VERSION,
3326 &sctx, &cctx, cert, privkey))
3327 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3328 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3331 if (idx >=4 && idx <= 7) {
3332 /* SSL_CTX explicit cipher list */
3333 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3337 if (idx == 0 || idx == 4) {
3338 /* Default ciphersuite */
3339 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3340 "TLS_AES_128_GCM_SHA256")))
3342 } else if (idx == 1 || idx == 5) {
3343 /* Non default ciphersuite */
3344 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3345 "TLS_AES_128_CCM_SHA256")))
3349 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3350 &clientssl, NULL, NULL)))
3353 if (idx == 8 || idx == 9) {
3354 /* SSL explicit cipher list */
3355 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3359 if (idx == 2 || idx == 6 || idx == 8) {
3360 /* Default ciphersuite */
3361 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3362 "TLS_AES_128_GCM_SHA256")))
3364 } else if (idx == 3 || idx == 7 || idx == 9) {
3365 /* Non default ciphersuite */
3366 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3367 "TLS_AES_128_CCM_SHA256")))
3371 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3377 SSL_free(serverssl);
3378 SSL_free(clientssl);
3385 static int test_ciphersuite_change(void)
3387 SSL_CTX *cctx = NULL, *sctx = NULL;
3388 SSL *clientssl = NULL, *serverssl = NULL;
3389 SSL_SESSION *clntsess = NULL;
3391 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3393 /* Create a session based on SHA-256 */
3394 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3395 TLS1_VERSION, TLS_MAX_VERSION,
3396 &sctx, &cctx, cert, privkey))
3397 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3398 "TLS_AES_128_GCM_SHA256"))
3399 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3400 &clientssl, NULL, NULL))
3401 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3405 clntsess = SSL_get1_session(clientssl);
3406 /* Save for later */
3407 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3408 SSL_shutdown(clientssl);
3409 SSL_shutdown(serverssl);
3410 SSL_free(serverssl);
3411 SSL_free(clientssl);
3412 serverssl = clientssl = NULL;
3414 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3415 /* Check we can resume a session with a different SHA-256 ciphersuite */
3416 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3417 "TLS_CHACHA20_POLY1305_SHA256"))
3418 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3420 || !TEST_true(SSL_set_session(clientssl, clntsess))
3421 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3423 || !TEST_true(SSL_session_reused(clientssl)))
3426 SSL_SESSION_free(clntsess);
3427 clntsess = SSL_get1_session(clientssl);
3428 SSL_shutdown(clientssl);
3429 SSL_shutdown(serverssl);
3430 SSL_free(serverssl);
3431 SSL_free(clientssl);
3432 serverssl = clientssl = NULL;
3436 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3437 * succeeds but does not resume.
3439 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3440 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3442 || !TEST_true(SSL_set_session(clientssl, clntsess))
3443 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3445 || !TEST_false(SSL_session_reused(clientssl)))
3448 SSL_SESSION_free(clntsess);
3450 SSL_shutdown(clientssl);
3451 SSL_shutdown(serverssl);
3452 SSL_free(serverssl);
3453 SSL_free(clientssl);
3454 serverssl = clientssl = NULL;
3456 /* Create a session based on SHA384 */
3457 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3458 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3459 &clientssl, NULL, NULL))
3460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3464 clntsess = SSL_get1_session(clientssl);
3465 SSL_shutdown(clientssl);
3466 SSL_shutdown(serverssl);
3467 SSL_free(serverssl);
3468 SSL_free(clientssl);
3469 serverssl = clientssl = NULL;
3471 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3472 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3473 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3474 "TLS_AES_256_GCM_SHA384"))
3475 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3477 || !TEST_true(SSL_set_session(clientssl, clntsess))
3479 * We use SSL_ERROR_WANT_READ below so that we can pause the
3480 * connection after the initial ClientHello has been sent to
3481 * enable us to make some session changes.
3483 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3484 SSL_ERROR_WANT_READ)))
3487 /* Trick the client into thinking this session is for a different digest */
3488 clntsess->cipher = aes_128_gcm_sha256;
3489 clntsess->cipher_id = clntsess->cipher->id;
3492 * Continue the previously started connection. Server has selected a SHA-384
3493 * ciphersuite, but client thinks the session is for SHA-256, so it should
3496 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3498 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3499 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3505 SSL_SESSION_free(clntsess);
3506 SSL_free(serverssl);
3507 SSL_free(clientssl);
3515 * Test TLSv1.3 Cipher Suite
3516 * Test 0 = Set TLS1.3 cipher on context
3517 * Test 1 = Set TLS1.3 cipher on SSL
3518 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
3519 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
3521 static int test_tls13_ciphersuite(int idx)
3523 SSL_CTX *sctx = NULL, *cctx = NULL;
3524 SSL *serverssl = NULL, *clientssl = NULL;
3525 static const char *t13_ciphers[] = {
3526 TLS1_3_RFC_AES_128_GCM_SHA256,
3527 TLS1_3_RFC_AES_256_GCM_SHA384,
3528 TLS1_3_RFC_AES_128_CCM_SHA256,
3529 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3530 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3531 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3533 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
3535 const char *t13_cipher = NULL;
3536 const char *t12_cipher = NULL;
3537 const char *negotiated_scipher;
3538 const char *negotiated_ccipher;
3554 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3558 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3562 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
3563 # ifdef OPENSSL_NO_TLS1_2
3564 if (max_ver == TLS1_2_VERSION)
3567 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
3568 t13_cipher = t13_ciphers[i];
3569 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3570 TLS_client_method(),
3571 TLS1_VERSION, max_ver,
3572 &sctx, &cctx, cert, privkey)))
3576 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
3577 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
3579 if (t12_cipher != NULL) {
3580 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
3581 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
3587 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3588 &clientssl, NULL, NULL)))
3592 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
3593 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
3595 if (t12_cipher != NULL) {
3596 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
3597 || !TEST_true(SSL_set_cipher_list(clientssl,
3603 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3607 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3609 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3611 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
3615 * TEST_strn_eq is used below because t13_cipher can contain
3616 * multiple ciphersuites
3618 if (max_ver == TLS1_3_VERSION
3619 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
3620 strlen(negotiated_scipher)))
3623 # ifndef OPENSSL_NO_TLS1_2
3624 /* Below validation is not done when t12_cipher is NULL */
3625 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
3626 && !TEST_str_eq(t12_cipher, negotiated_scipher))
3630 SSL_free(serverssl);
3632 SSL_free(clientssl);
3643 SSL_free(serverssl);
3644 SSL_free(clientssl);
3652 * Test 0 = Test new style callbacks
3653 * Test 1 = Test both new and old style callbacks
3654 * Test 2 = Test old style callbacks
3655 * Test 3 = Test old style callbacks with no certificate
3657 static int test_tls13_psk(int idx)
3659 SSL_CTX *sctx = NULL, *cctx = NULL;
3660 SSL *serverssl = NULL, *clientssl = NULL;
3661 const SSL_CIPHER *cipher = NULL;
3662 const unsigned char key[] = {
3663 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3664 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3665 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3666 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3670 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3671 TLS1_VERSION, TLS_MAX_VERSION,
3672 &sctx, &cctx, idx == 3 ? NULL : cert,
3673 idx == 3 ? NULL : privkey)))
3678 * We use a ciphersuite with SHA256 to ease testing old style PSK
3679 * callbacks which will always default to SHA256. This should not be
3680 * necessary if we have no cert/priv key. In that case the server should
3681 * prefer SHA256 automatically.
3683 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3684 "TLS_AES_128_GCM_SHA256")))
3689 * Test 0: New style callbacks only
3690 * Test 1: New and old style callbacks (only the new ones should be used)
3691 * Test 2: Old style callbacks only
3693 if (idx == 0 || idx == 1) {
3694 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3695 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3697 #ifndef OPENSSL_NO_PSK
3699 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3700 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3704 use_session_cb_cnt = 0;
3705 find_session_cb_cnt = 0;
3706 psk_client_cb_cnt = 0;
3707 psk_server_cb_cnt = 0;
3711 * Check we can create a connection if callback decides not to send a
3714 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3716 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3718 || !TEST_false(SSL_session_reused(clientssl))
3719 || !TEST_false(SSL_session_reused(serverssl)))
3722 if (idx == 0 || idx == 1) {
3723 if (!TEST_true(use_session_cb_cnt == 1)
3724 || !TEST_true(find_session_cb_cnt == 0)
3726 * If no old style callback then below should be 0
3729 || !TEST_true(psk_client_cb_cnt == idx)
3730 || !TEST_true(psk_server_cb_cnt == 0))
3733 if (!TEST_true(use_session_cb_cnt == 0)
3734 || !TEST_true(find_session_cb_cnt == 0)
3735 || !TEST_true(psk_client_cb_cnt == 1)
3736 || !TEST_true(psk_server_cb_cnt == 0))
3740 shutdown_ssl_connection(serverssl, clientssl);
3741 serverssl = clientssl = NULL;
3742 use_session_cb_cnt = psk_client_cb_cnt = 0;
3745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3749 /* Create the PSK */
3750 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3751 clientpsk = SSL_SESSION_new();
3752 if (!TEST_ptr(clientpsk)
3753 || !TEST_ptr(cipher)
3754 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3756 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3757 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3759 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3761 serverpsk = clientpsk;
3763 /* Check we can create a connection and the PSK is used */
3764 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3765 || !TEST_true(SSL_session_reused(clientssl))
3766 || !TEST_true(SSL_session_reused(serverssl)))
3769 if (idx == 0 || idx == 1) {
3770 if (!TEST_true(use_session_cb_cnt == 1)
3771 || !TEST_true(find_session_cb_cnt == 1)
3772 || !TEST_true(psk_client_cb_cnt == 0)
3773 || !TEST_true(psk_server_cb_cnt == 0))
3776 if (!TEST_true(use_session_cb_cnt == 0)
3777 || !TEST_true(find_session_cb_cnt == 0)
3778 || !TEST_true(psk_client_cb_cnt == 1)
3779 || !TEST_true(psk_server_cb_cnt == 1))
3783 shutdown_ssl_connection(serverssl, clientssl);
3784 serverssl = clientssl = NULL;
3785 use_session_cb_cnt = find_session_cb_cnt = 0;
3786 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3788 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3793 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3797 * Check we can create a connection, the PSK is used and the callbacks are
3800 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3801 || !TEST_true(SSL_session_reused(clientssl))
3802 || !TEST_true(SSL_session_reused(serverssl)))
3805 if (idx == 0 || idx == 1) {
3806 if (!TEST_true(use_session_cb_cnt == 2)
3807 || !TEST_true(find_session_cb_cnt == 2)
3808 || !TEST_true(psk_client_cb_cnt == 0)
3809 || !TEST_true(psk_server_cb_cnt == 0))
3812 if (!TEST_true(use_session_cb_cnt == 0)
3813 || !TEST_true(find_session_cb_cnt == 0)
3814 || !TEST_true(psk_client_cb_cnt == 2)
3815 || !TEST_true(psk_server_cb_cnt == 2))
3819 shutdown_ssl_connection(serverssl, clientssl);
3820 serverssl = clientssl = NULL;
3821 use_session_cb_cnt = find_session_cb_cnt = 0;
3822 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3826 * Check that if the server rejects the PSK we can still connect, but with
3829 srvid = "Dummy Identity";
3830 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3832 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3834 || !TEST_false(SSL_session_reused(clientssl))
3835 || !TEST_false(SSL_session_reused(serverssl)))
3838 if (idx == 0 || idx == 1) {
3839 if (!TEST_true(use_session_cb_cnt == 1)
3840 || !TEST_true(find_session_cb_cnt == 1)
3841 || !TEST_true(psk_client_cb_cnt == 0)
3843 * If no old style callback then below should be 0
3846 || !TEST_true(psk_server_cb_cnt == idx))
3849 if (!TEST_true(use_session_cb_cnt == 0)
3850 || !TEST_true(find_session_cb_cnt == 0)
3851 || !TEST_true(psk_client_cb_cnt == 1)
3852 || !TEST_true(psk_server_cb_cnt == 1))
3856 shutdown_ssl_connection(serverssl, clientssl);
3857 serverssl = clientssl = NULL;
3862 SSL_SESSION_free(clientpsk);
3863 SSL_SESSION_free(serverpsk);
3864 clientpsk = serverpsk = NULL;
3865 SSL_free(serverssl);
3866 SSL_free(clientssl);
3872 static unsigned char cookie_magic_value[] = "cookie magic";
3874 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3875 unsigned int *cookie_len)
3878 * Not suitable as a real cookie generation function but good enough for
3881 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3882 *cookie_len = sizeof(cookie_magic_value) - 1;
3887 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3888 unsigned int cookie_len)
3890 if (cookie_len == sizeof(cookie_magic_value) - 1
3891 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3897 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3901 int res = generate_cookie_callback(ssl, cookie, &temp);
3906 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3909 return verify_cookie_callback(ssl, cookie, cookie_len);
3912 static int test_stateless(void)
3914 SSL_CTX *sctx = NULL, *cctx = NULL;
3915 SSL *serverssl = NULL, *clientssl = NULL;
3918 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3919 TLS1_VERSION, TLS_MAX_VERSION,
3920 &sctx, &cctx, cert, privkey)))
3923 /* The arrival of CCS messages can confuse the test */
3924 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3926 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3928 /* Send the first ClientHello */
3929 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3930 SSL_ERROR_WANT_READ))
3932 * This should fail with a -1 return because we have no callbacks
3935 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3938 /* Fatal error so abandon the connection from this client */
3939 SSL_free(clientssl);
3942 /* Set up the cookie generation and verification callbacks */
3943 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3944 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3947 * Create a new connection from the client (we can reuse the server SSL
3950 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3952 /* Send the first ClientHello */
3953 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3954 SSL_ERROR_WANT_READ))
3955 /* This should fail because there is no cookie */
3956 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3959 /* Abandon the connection from this client */
3960 SSL_free(clientssl);
3964 * Now create a connection from a new client but with the same server SSL
3967 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3969 /* Send the first ClientHello */
3970 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3971 SSL_ERROR_WANT_READ))
3972 /* This should fail because there is no cookie */
3973 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3974 /* Send the second ClientHello */
3975 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3976 SSL_ERROR_WANT_READ))
3977 /* This should succeed because a cookie is now present */
3978 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3979 /* Complete the connection */
3980 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3984 shutdown_ssl_connection(serverssl, clientssl);
3985 serverssl = clientssl = NULL;
3989 SSL_free(serverssl);
3990 SSL_free(clientssl);
3996 #endif /* OPENSSL_NO_TLS1_3 */
3998 static int clntaddoldcb = 0;
3999 static int clntparseoldcb = 0;
4000 static int srvaddoldcb = 0;
4001 static int srvparseoldcb = 0;
4002 static int clntaddnewcb = 0;
4003 static int clntparsenewcb = 0;
4004 static int srvaddnewcb = 0;
4005 static int srvparsenewcb = 0;
4006 static int snicb = 0;
4008 #define TEST_EXT_TYPE1 0xff00
4010 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4011 size_t *outlen, int *al, void *add_arg)
4013 int *server = (int *)add_arg;
4014 unsigned char *data;
4016 if (SSL_is_server(s))
4021 if (*server != SSL_is_server(s)
4022 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4027 *outlen = sizeof(char);
4031 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4034 OPENSSL_free((unsigned char *)out);
4037 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4038 size_t inlen, int *al, void *parse_arg)
4040 int *server = (int *)parse_arg;
4042 if (SSL_is_server(s))
4047 if (*server != SSL_is_server(s)
4048 || inlen != sizeof(char)
4055 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4056 const unsigned char **out, size_t *outlen, X509 *x,
4057 size_t chainidx, int *al, void *add_arg)
4059 int *server = (int *)add_arg;
4060 unsigned char *data;
4062 if (SSL_is_server(s))
4067 if (*server != SSL_is_server(s)
4068 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4073 *outlen = sizeof(*data);
4077 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4078 const unsigned char *out, void *add_arg)
4080 OPENSSL_free((unsigned char *)out);
4083 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4084 const unsigned char *in, size_t inlen, X509 *x,
4085 size_t chainidx, int *al, void *parse_arg)
4087 int *server = (int *)parse_arg;
4089 if (SSL_is_server(s))
4094 if (*server != SSL_is_server(s)
4095 || inlen != sizeof(char) || *in != 1)
4101 static int sni_cb(SSL *s, int *al, void *arg)
4103 SSL_CTX *ctx = (SSL_CTX *)arg;
4105 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4106 *al = SSL_AD_INTERNAL_ERROR;
4107 return SSL_TLSEXT_ERR_ALERT_FATAL;
4110 return SSL_TLSEXT_ERR_OK;
4114 * Custom call back tests.
4115 * Test 0: Old style callbacks in TLSv1.2
4116 * Test 1: New style callbacks in TLSv1.2
4117 * Test 2: New style callbacks in TLSv1.2 with SNI
4118 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4119 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4121 static int test_custom_exts(int tst)
4123 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4124 SSL *clientssl = NULL, *serverssl = NULL;
4126 static int server = 1;
4127 static int client = 0;
4128 SSL_SESSION *sess = NULL;
4129 unsigned int context;
4131 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4132 /* Skip tests for TLSv1.2 and below in this case */
4137 /* Reset callback counters */
4138 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4139 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4142 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4143 TLS1_VERSION, TLS_MAX_VERSION,
4144 &sctx, &cctx, cert, privkey)))
4148 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4149 TLS1_VERSION, TLS_MAX_VERSION,
4150 &sctx2, NULL, cert, privkey)))
4155 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4156 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4158 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4162 context = SSL_EXT_CLIENT_HELLO
4163 | SSL_EXT_TLS1_2_SERVER_HELLO
4164 | SSL_EXT_TLS1_3_SERVER_HELLO
4165 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4166 | SSL_EXT_TLS1_3_CERTIFICATE
4167 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4169 context = SSL_EXT_CLIENT_HELLO
4170 | SSL_EXT_TLS1_2_SERVER_HELLO
4171 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4174 /* Create a client side custom extension */
4176 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4177 old_add_cb, old_free_cb,
4178 &client, old_parse_cb,
4182 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4183 new_add_cb, new_free_cb,
4184 &client, new_parse_cb, &client)))
4188 /* Should not be able to add duplicates */
4189 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4190 old_add_cb, old_free_cb,
4191 &client, old_parse_cb,
4193 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4194 context, new_add_cb,
4195 new_free_cb, &client,
4196 new_parse_cb, &client)))
4199 /* Create a server side custom extension */
4201 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4202 old_add_cb, old_free_cb,
4203 &server, old_parse_cb,
4207 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4208 new_add_cb, new_free_cb,
4209 &server, new_parse_cb, &server)))
4212 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4213 context, new_add_cb,
4214 new_free_cb, &server,
4215 new_parse_cb, &server)))
4219 /* Should not be able to add duplicates */
4220 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4221 old_add_cb, old_free_cb,
4222 &server, old_parse_cb,
4224 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4225 context, new_add_cb,
4226 new_free_cb, &server,
4227 new_parse_cb, &server)))
4232 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4233 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4237 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4238 &clientssl, NULL, NULL))
4239 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4244 if (clntaddoldcb != 1
4245 || clntparseoldcb != 1
4247 || srvparseoldcb != 1)
4249 } else if (tst == 1 || tst == 2 || tst == 3) {
4250 if (clntaddnewcb != 1
4251 || clntparsenewcb != 1
4253 || srvparsenewcb != 1
4254 || (tst != 2 && snicb != 0)
4255 || (tst == 2 && snicb != 1))
4258 /* In this case there 2 NewSessionTicket messages created */
4259 if (clntaddnewcb != 1
4260 || clntparsenewcb != 5
4262 || srvparsenewcb != 1)
4266 sess = SSL_get1_session(clientssl);
4267 SSL_shutdown(clientssl);
4268 SSL_shutdown(serverssl);
4269 SSL_free(serverssl);
4270 SSL_free(clientssl);
4271 serverssl = clientssl = NULL;
4274 /* We don't bother with the resumption aspects for this test */
4279 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4281 || !TEST_true(SSL_set_session(clientssl, sess))
4282 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4287 * For a resumed session we expect to add the ClientHello extension. For the
4288 * old style callbacks we ignore it on the server side because they set
4289 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4293 if (clntaddoldcb != 2
4294 || clntparseoldcb != 1
4296 || srvparseoldcb != 1)
4298 } else if (tst == 1 || tst == 2 || tst == 3) {
4299 if (clntaddnewcb != 2
4300 || clntparsenewcb != 2
4302 || srvparsenewcb != 2)
4306 * No Certificate message extensions in the resumption handshake,
4307 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4309 if (clntaddnewcb != 2
4310 || clntparsenewcb != 8
4312 || srvparsenewcb != 2)
4319 SSL_SESSION_free(sess);
4320 SSL_free(serverssl);
4321 SSL_free(clientssl);
4322 SSL_CTX_free(sctx2);
4329 * Test loading of serverinfo data in various formats. test_sslmessages actually
4330 * tests to make sure the extensions appear in the handshake
4332 static int test_serverinfo(int tst)
4334 unsigned int version;
4335 unsigned char *sibuf;
4337 int ret, expected, testresult = 0;
4340 ctx = SSL_CTX_new(TLS_method());
4344 if ((tst & 0x01) == 0x01)
4345 version = SSL_SERVERINFOV2;
4347 version = SSL_SERVERINFOV1;
4349 if ((tst & 0x02) == 0x02) {
4350 sibuf = serverinfov2;
4351 sibuflen = sizeof(serverinfov2);
4352 expected = (version == SSL_SERVERINFOV2);
4354 sibuf = serverinfov1;
4355 sibuflen = sizeof(serverinfov1);
4356 expected = (version == SSL_SERVERINFOV1);
4359 if ((tst & 0x04) == 0x04) {
4360 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4362 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4365 * The version variable is irrelevant in this case - it's what is in the
4366 * buffer that matters
4368 if ((tst & 0x02) == 0x02)
4374 if (!TEST_true(ret == expected))
4386 * Test that SSL_export_keying_material() produces expected results. There are
4387 * no test vectors so all we do is test that both sides of the communication
4388 * produce the same results for different protocol versions.
4390 #define SMALL_LABEL_LEN 10
4391 #define LONG_LABEL_LEN 249
4392 static int test_export_key_mat(int tst)
4395 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4396 SSL *clientssl = NULL, *serverssl = NULL;
4397 const char label[LONG_LABEL_LEN + 1] = "test label";
4398 const unsigned char context[] = "context";
4399 const unsigned char *emptycontext = NULL;
4400 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4401 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4403 const int protocols[] = {
4412 #ifdef OPENSSL_NO_TLS1
4416 #ifdef OPENSSL_NO_TLS1_1
4420 #ifdef OPENSSL_NO_TLS1_2
4424 #ifdef OPENSSL_NO_TLS1_3
4428 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4429 TLS1_VERSION, TLS_MAX_VERSION,
4430 &sctx, &cctx, cert, privkey)))
4433 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4434 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4435 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4437 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4442 * Premature call of SSL_export_keying_material should just fail.
4444 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4445 sizeof(ckeymat1), label,
4446 SMALL_LABEL_LEN + 1, context,
4447 sizeof(context) - 1, 1), 0))
4450 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4456 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4459 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4460 sizeof(ckeymat1), label,
4461 LONG_LABEL_LEN + 1, context,
4462 sizeof(context) - 1, 1), 0))
4467 } else if (tst == 4) {
4468 labellen = LONG_LABEL_LEN;
4470 labellen = SMALL_LABEL_LEN;
4473 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4474 sizeof(ckeymat1), label,
4476 sizeof(context) - 1, 1), 1)
4477 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4478 sizeof(ckeymat2), label,
4482 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4483 sizeof(ckeymat3), label,
4486 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4487 sizeof(skeymat1), label,
4490 sizeof(context) -1, 1),
4492 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4493 sizeof(skeymat2), label,
4497 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4498 sizeof(skeymat3), label,
4502 * Check that both sides created the same key material with the
4505 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4508 * Check that both sides created the same key material with an
4511 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4514 * Check that both sides created the same key material without a
4517 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4519 /* Different contexts should produce different results */
4520 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4525 * Check that an empty context and no context produce different results in
4526 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4528 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4530 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4537 SSL_free(serverssl);
4538 SSL_free(clientssl);
4539 SSL_CTX_free(sctx2);
4546 #ifndef OPENSSL_NO_TLS1_3
4548 * Test that SSL_export_keying_material_early() produces expected
4549 * results. There are no test vectors so all we do is test that both
4550 * sides of the communication produce the same results for different
4551 * protocol versions.
4553 static int test_export_key_mat_early(int idx)
4555 static const char label[] = "test label";
4556 static const unsigned char context[] = "context";
4558 SSL_CTX *cctx = NULL, *sctx = NULL;
4559 SSL *clientssl = NULL, *serverssl = NULL;
4560 SSL_SESSION *sess = NULL;
4561 const unsigned char *emptycontext = NULL;
4562 unsigned char ckeymat1[80], ckeymat2[80];
4563 unsigned char skeymat1[80], skeymat2[80];
4564 unsigned char buf[1];
4565 size_t readbytes, written;
4567 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4571 /* Here writing 0 length early data is enough. */
4572 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4573 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4575 SSL_READ_EARLY_DATA_ERROR)
4576 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4577 SSL_EARLY_DATA_ACCEPTED))
4580 if (!TEST_int_eq(SSL_export_keying_material_early(
4581 clientssl, ckeymat1, sizeof(ckeymat1), label,
4582 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4583 || !TEST_int_eq(SSL_export_keying_material_early(
4584 clientssl, ckeymat2, sizeof(ckeymat2), label,
4585 sizeof(label) - 1, emptycontext, 0), 1)
4586 || !TEST_int_eq(SSL_export_keying_material_early(
4587 serverssl, skeymat1, sizeof(skeymat1), label,
4588 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4589 || !TEST_int_eq(SSL_export_keying_material_early(
4590 serverssl, skeymat2, sizeof(skeymat2), label,
4591 sizeof(label) - 1, emptycontext, 0), 1)
4593 * Check that both sides created the same key material with the
4596 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4599 * Check that both sides created the same key material with an
4602 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4604 /* Different contexts should produce different results */
4605 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4612 SSL_SESSION_free(sess);
4613 SSL_SESSION_free(clientpsk);
4614 SSL_SESSION_free(serverpsk);
4615 clientpsk = serverpsk = NULL;
4616 SSL_free(serverssl);
4617 SSL_free(clientssl);
4624 #define NUM_KEY_UPDATE_MESSAGES 40
4628 static int test_key_update(void)
4630 SSL_CTX *cctx = NULL, *sctx = NULL;
4631 SSL *clientssl = NULL, *serverssl = NULL;
4632 int testresult = 0, i, j;
4634 static char *mess = "A test message";
4636 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4637 TLS_client_method(),
4640 &sctx, &cctx, cert, privkey))
4641 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4643 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4647 for (j = 0; j < 2; j++) {
4648 /* Send lots of KeyUpdate messages */
4649 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
4650 if (!TEST_true(SSL_key_update(clientssl,
4652 ? SSL_KEY_UPDATE_NOT_REQUESTED
4653 : SSL_KEY_UPDATE_REQUESTED))
4654 || !TEST_true(SSL_do_handshake(clientssl)))
4658 /* Check that sending and receiving app data is ok */
4659 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
4660 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
4664 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
4665 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
4673 SSL_free(serverssl);
4674 SSL_free(clientssl);
4682 * Test we can handle a KeyUpdate (update requested) message while write data
4684 * Test 0: Client sends KeyUpdate while Server is writing
4685 * Test 1: Server sends KeyUpdate while Client is writing
4687 static int test_key_update_in_write(int tst)
4689 SSL_CTX *cctx = NULL, *sctx = NULL;
4690 SSL *clientssl = NULL, *serverssl = NULL;
4693 static char *mess = "A test message";
4694 BIO *bretry = BIO_new(bio_s_always_retry());
4696 SSL *peerupdate = NULL, *peerwrite = NULL;
4698 if (!TEST_ptr(bretry)
4699 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4700 TLS_client_method(),
4703 &sctx, &cctx, cert, privkey))
4704 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4710 peerupdate = tst == 0 ? clientssl : serverssl;
4711 peerwrite = tst == 0 ? serverssl : clientssl;
4713 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
4714 || !TEST_true(SSL_do_handshake(peerupdate)))
4717 /* Swap the writing endpoint's write BIO to force a retry */
4718 tmp = SSL_get_wbio(peerwrite);
4719 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
4723 SSL_set0_wbio(peerwrite, bretry);
4726 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
4727 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
4728 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
4731 /* Reinstate the original writing endpoint's write BIO */
4732 SSL_set0_wbio(peerwrite, tmp);
4735 /* Now read some data - we will read the key update */
4736 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
4737 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
4741 * Complete the write we started previously and read it from the other
4744 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4745 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
4748 /* Write more data to ensure we send the KeyUpdate message back */
4749 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4750 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
4756 SSL_free(serverssl);
4757 SSL_free(clientssl);
4765 #endif /* OPENSSL_NO_TLS1_3 */
4767 static int test_ssl_clear(int idx)
4769 SSL_CTX *cctx = NULL, *sctx = NULL;
4770 SSL *clientssl = NULL, *serverssl = NULL;
4773 #ifdef OPENSSL_NO_TLS1_2
4778 /* Create an initial connection */
4779 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4780 TLS1_VERSION, TLS_MAX_VERSION,
4781 &sctx, &cctx, cert, privkey))
4783 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4785 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4786 &clientssl, NULL, NULL))
4787 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4791 SSL_shutdown(clientssl);
4792 SSL_shutdown(serverssl);
4793 SSL_free(serverssl);
4796 /* Clear clientssl - we're going to reuse the object */
4797 if (!TEST_true(SSL_clear(clientssl)))
4800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4802 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4804 || !TEST_true(SSL_session_reused(clientssl)))
4807 SSL_shutdown(clientssl);
4808 SSL_shutdown(serverssl);
4813 SSL_free(serverssl);
4814 SSL_free(clientssl);
4821 /* Parse CH and retrieve any MFL extension value if present */
4822 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4825 unsigned char *data;
4826 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4827 unsigned int MFL_code = 0, type = 0;
4829 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4832 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4833 /* Skip the record header */
4834 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4835 /* Skip the handshake message header */
4836 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4837 /* Skip client version and random */
4838 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4839 + SSL3_RANDOM_SIZE))
4840 /* Skip session id */
4841 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4843 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4844 /* Skip compression */
4845 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4846 /* Extensions len */
4847 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4850 /* Loop through all extensions */
4851 while (PACKET_remaining(&pkt2)) {
4852 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4853 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4856 if (type == TLSEXT_TYPE_max_fragment_length) {
4857 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4858 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4861 *mfl_codemfl_code = MFL_code;
4870 /* Maximum-Fragment-Length TLS extension mode to test */
4871 static const unsigned char max_fragment_len_test[] = {
4872 TLSEXT_max_fragment_length_512,
4873 TLSEXT_max_fragment_length_1024,
4874 TLSEXT_max_fragment_length_2048,
4875 TLSEXT_max_fragment_length_4096
4878 static int test_max_fragment_len_ext(int idx_tst)
4882 int testresult = 0, MFL_mode = 0;
4885 ctx = SSL_CTX_new(TLS_method());
4889 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4890 ctx, max_fragment_len_test[idx_tst])))
4897 rbio = BIO_new(BIO_s_mem());
4898 wbio = BIO_new(BIO_s_mem());
4899 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4905 SSL_set_bio(con, rbio, wbio);
4906 SSL_set_connect_state(con);
4908 if (!TEST_int_le(SSL_connect(con), 0)) {
4909 /* This shouldn't succeed because we don't have a server! */
4913 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4914 /* no MFL in client hello */
4916 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4928 #ifndef OPENSSL_NO_TLS1_3
4929 static int test_pha_key_update(void)
4931 SSL_CTX *cctx = NULL, *sctx = NULL;
4932 SSL *clientssl = NULL, *serverssl = NULL;
4935 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4936 TLS1_VERSION, TLS_MAX_VERSION,
4937 &sctx, &cctx, cert, privkey)))
4940 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4941 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4942 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4943 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4946 SSL_CTX_set_post_handshake_auth(cctx, 1);
4948 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4952 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4956 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4957 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4960 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4963 /* Start handshake on the server */
4964 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4967 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4968 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4972 SSL_shutdown(clientssl);
4973 SSL_shutdown(serverssl);
4978 SSL_free(serverssl);
4979 SSL_free(clientssl);
4986 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4988 static SRP_VBASE *vbase = NULL;
4990 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4992 int ret = SSL3_AL_FATAL;
4994 SRP_user_pwd *user = NULL;
4996 username = SSL_get_srp_username(s);
4997 if (username == NULL) {
4998 *ad = SSL_AD_INTERNAL_ERROR;
5002 user = SRP_VBASE_get1_by_user(vbase, username);
5004 *ad = SSL_AD_INTERNAL_ERROR;
5008 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5010 *ad = SSL_AD_INTERNAL_ERROR;
5017 SRP_user_pwd_free(user);
5021 static int create_new_vfile(char *userid, char *password, const char *filename)
5024 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5027 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5030 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5033 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5034 &row[DB_srpverifier], NULL, NULL);
5035 if (!TEST_ptr(gNid))
5039 * The only way to create an empty TXT_DB is to provide a BIO with no data
5042 db = TXT_DB_read(dummy, DB_NUMBER);
5046 out = BIO_new_file(filename, "w");
5050 row[DB_srpid] = OPENSSL_strdup(userid);
5051 row[DB_srptype] = OPENSSL_strdup("V");
5052 row[DB_srpgN] = OPENSSL_strdup(gNid);
5054 if (!TEST_ptr(row[DB_srpid])
5055 || !TEST_ptr(row[DB_srptype])
5056 || !TEST_ptr(row[DB_srpgN])
5057 || !TEST_true(TXT_DB_insert(db, row)))
5062 if (!TXT_DB_write(out, db))
5068 for (i = 0; i < DB_NUMBER; i++)
5069 OPENSSL_free(row[i]);
5079 static int create_new_vbase(char *userid, char *password)
5081 BIGNUM *verifier = NULL, *salt = NULL;
5082 const SRP_gN *lgN = NULL;
5083 SRP_user_pwd *user_pwd = NULL;
5086 lgN = SRP_get_default_gN(NULL);
5090 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5094 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5095 if (!TEST_ptr(user_pwd))
5098 user_pwd->N = lgN->N;
5099 user_pwd->g = lgN->g;
5100 user_pwd->id = OPENSSL_strdup(userid);
5101 if (!TEST_ptr(user_pwd->id))
5104 user_pwd->v = verifier;
5106 verifier = salt = NULL;
5108 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5114 SRP_user_pwd_free(user_pwd);
5124 * Test 0: Simple successful SRP connection, new vbase
5125 * Test 1: Connection failure due to bad password, new vbase
5126 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5127 * Test 3: Connection failure due to bad password, vbase loaded from existing
5129 * Test 4: Simple successful SRP connection, vbase loaded from new file
5130 * Test 5: Connection failure due to bad password, vbase loaded from new file
5132 static int test_srp(int tst)
5134 char *userid = "test", *password = "password", *tstsrpfile;
5135 SSL_CTX *cctx = NULL, *sctx = NULL;
5136 SSL *clientssl = NULL, *serverssl = NULL;
5137 int ret, testresult = 0;
5139 vbase = SRP_VBASE_new(NULL);
5140 if (!TEST_ptr(vbase))
5143 if (tst == 0 || tst == 1) {
5144 if (!TEST_true(create_new_vbase(userid, password)))
5147 if (tst == 4 || tst == 5) {
5148 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5150 tstsrpfile = tmpfilename;
5152 tstsrpfile = srpvfile;
5154 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5158 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5159 TLS1_VERSION, TLS_MAX_VERSION,
5160 &sctx, &cctx, cert, privkey)))
5163 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5164 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5165 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5166 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5167 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5171 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5174 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5178 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5182 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5184 if (!TEST_true(tst % 2 == 0))
5187 if (!TEST_true(tst % 2 == 1))
5194 SRP_VBASE_free(vbase);
5196 SSL_free(serverssl);
5197 SSL_free(clientssl);
5205 static int info_cb_failed = 0;
5206 static int info_cb_offset = 0;
5207 static int info_cb_this_state = -1;
5209 static struct info_cb_states_st {
5211 const char *statestr;
5212 } info_cb_states[][60] = {
5214 /* TLSv1.2 server followed by resumption */
5215 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5216 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5217 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5218 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5219 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5220 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5221 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5222 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5223 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5224 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5225 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5226 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5227 {SSL_CB_EXIT, NULL}, {0, NULL},
5229 /* TLSv1.2 client followed by resumption */
5230 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5231 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5232 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5233 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5234 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5235 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5236 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5237 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5238 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5239 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5240 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5241 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5243 /* TLSv1.3 server followed by resumption */
5244 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5245 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5246 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5247 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5248 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5249 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5250 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5251 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5252 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5253 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5254 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5255 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5256 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5258 /* TLSv1.3 client followed by resumption */
5259 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5260 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5261 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5262 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5263 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5264 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5265 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5266 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5267 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5268 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5269 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5270 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5271 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5272 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5273 {SSL_CB_EXIT, NULL}, {0, NULL},
5275 /* TLSv1.3 server, early_data */
5276 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5277 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5278 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5279 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5280 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5281 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5282 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5283 {SSL_CB_EXIT, NULL}, {0, NULL},
5285 /* TLSv1.3 client, early_data */
5286 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5287 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5288 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5289 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5290 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5291 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5292 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5293 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5294 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5300 static void sslapi_info_callback(const SSL *s, int where, int ret)
5302 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5304 /* We do not ever expect a connection to fail in this test */
5305 if (!TEST_false(ret == 0)) {
5311 * Do some sanity checks. We never expect these things to happen in this
5314 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5315 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5316 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5321 /* Now check we're in the right state */
5322 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5326 if ((where & SSL_CB_LOOP) != 0
5327 && !TEST_int_eq(strcmp(SSL_state_string(s),
5328 state[info_cb_this_state].statestr), 0)) {
5334 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5336 if ((where & SSL_CB_HANDSHAKE_DONE)
5337 && SSL_in_init((SSL *)s) != 0) {
5344 * Test the info callback gets called when we expect it to.
5346 * Test 0: TLSv1.2, server
5347 * Test 1: TLSv1.2, client
5348 * Test 2: TLSv1.3, server
5349 * Test 3: TLSv1.3, client
5350 * Test 4: TLSv1.3, server, early_data
5351 * Test 5: TLSv1.3, client, early_data
5353 static int test_info_callback(int tst)
5355 SSL_CTX *cctx = NULL, *sctx = NULL;
5356 SSL *clientssl = NULL, *serverssl = NULL;
5357 SSL_SESSION *clntsess = NULL;
5362 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5363 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5364 || !defined(OPENSSL_NO_DH))
5365 tlsvers = TLS1_2_VERSION;
5370 #ifndef OPENSSL_NO_TLS1_3
5371 tlsvers = TLS1_3_VERSION;
5379 info_cb_this_state = -1;
5380 info_cb_offset = tst;
5382 #ifndef OPENSSL_NO_TLS1_3
5384 SSL_SESSION *sess = NULL;
5385 size_t written, readbytes;
5386 unsigned char buf[80];
5388 /* early_data tests */
5389 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5390 &serverssl, &sess, 0)))
5393 /* We don't actually need this reference */
5394 SSL_SESSION_free(sess);
5396 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5397 sslapi_info_callback);
5399 /* Write and read some early data and then complete the connection */
5400 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5402 || !TEST_size_t_eq(written, strlen(MSG1))
5403 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5404 sizeof(buf), &readbytes),
5405 SSL_READ_EARLY_DATA_SUCCESS)
5406 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5407 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5408 SSL_EARLY_DATA_ACCEPTED)
5409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5411 || !TEST_false(info_cb_failed))
5419 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5420 TLS_client_method(),
5421 tlsvers, tlsvers, &sctx, &cctx, cert,
5426 * For even numbered tests we check the server callbacks. For odd numbers we
5429 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5430 sslapi_info_callback);
5432 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5433 &clientssl, NULL, NULL))
5434 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5436 || !TEST_false(info_cb_failed))
5441 clntsess = SSL_get1_session(clientssl);
5442 SSL_shutdown(clientssl);
5443 SSL_shutdown(serverssl);
5444 SSL_free(serverssl);
5445 SSL_free(clientssl);
5446 serverssl = clientssl = NULL;
5448 /* Now do a resumption */
5449 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5451 || !TEST_true(SSL_set_session(clientssl, clntsess))
5452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5454 || !TEST_true(SSL_session_reused(clientssl))
5455 || !TEST_false(info_cb_failed))
5461 SSL_free(serverssl);
5462 SSL_free(clientssl);
5463 SSL_SESSION_free(clntsess);
5469 static int test_ssl_pending(int tst)
5471 SSL_CTX *cctx = NULL, *sctx = NULL;
5472 SSL *clientssl = NULL, *serverssl = NULL;
5474 char msg[] = "A test message";
5476 size_t written, readbytes;
5479 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5480 TLS_client_method(),
5481 TLS1_VERSION, TLS_MAX_VERSION,
5482 &sctx, &cctx, cert, privkey)))
5485 #ifndef OPENSSL_NO_DTLS
5486 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5487 DTLS_client_method(),
5488 DTLS1_VERSION, DTLS_MAX_VERSION,
5489 &sctx, &cctx, cert, privkey)))
5496 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5498 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5502 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5503 || !TEST_false(SSL_has_pending(clientssl))
5504 || !TEST_int_eq(SSL_pending(serverssl), 0)
5505 || !TEST_false(SSL_has_pending(serverssl))
5506 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5507 || !TEST_size_t_eq(written, sizeof(msg))
5508 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5509 || !TEST_size_t_eq(readbytes, sizeof(buf))
5510 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5511 || !TEST_true(SSL_has_pending(clientssl)))
5517 SSL_free(serverssl);
5518 SSL_free(clientssl);
5526 unsigned int maxprot;
5527 const char *clntciphers;
5528 const char *clnttls13ciphers;
5529 const char *srvrciphers;
5530 const char *srvrtls13ciphers;
5532 } shared_ciphers_data[] = {
5534 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5535 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5537 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5540 "AES128-SHA:AES256-SHA",
5542 "AES256-SHA:DHE-RSA-AES128-SHA",
5548 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5550 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5552 "AES128-SHA:AES256-SHA"
5556 "AES128-SHA:AES256-SHA",
5558 "AES128-SHA:DHE-RSA-AES128-SHA",
5564 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5567 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5568 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5571 "AES128-SHA:AES256-SHA",
5573 "AES256-SHA:AES128-SHA256",
5575 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5576 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5579 #ifndef OPENSSL_NO_TLS1_3
5583 "TLS_AES_256_GCM_SHA384",
5585 "TLS_AES_256_GCM_SHA384",
5586 "TLS_AES_256_GCM_SHA384"
5591 static int test_ssl_get_shared_ciphers(int tst)
5593 SSL_CTX *cctx = NULL, *sctx = NULL;
5594 SSL *clientssl = NULL, *serverssl = NULL;
5598 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5599 TLS_client_method(),
5601 shared_ciphers_data[tst].maxprot,
5602 &sctx, &cctx, cert, privkey)))
5605 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5606 shared_ciphers_data[tst].clntciphers))
5607 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5608 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5609 shared_ciphers_data[tst].clnttls13ciphers)))
5610 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5611 shared_ciphers_data[tst].srvrciphers))
5612 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5613 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5614 shared_ciphers_data[tst].srvrtls13ciphers))))
5618 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5620 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5624 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5625 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5626 TEST_info("Shared ciphers are: %s\n", buf);
5633 SSL_free(serverssl);
5634 SSL_free(clientssl);
5641 static const char *appdata = "Hello World";
5642 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5643 static int tick_key_renew = 0;
5644 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5646 static int gen_tick_cb(SSL *s, void *arg)
5648 gen_tick_called = 1;
5650 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5654 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5655 const unsigned char *keyname,
5656 size_t keyname_length,
5657 SSL_TICKET_STATUS status,
5663 dec_tick_called = 1;
5665 if (status == SSL_TICKET_EMPTY)
5666 return SSL_TICKET_RETURN_IGNORE_RENEW;
5668 if (!TEST_true(status == SSL_TICKET_SUCCESS
5669 || status == SSL_TICKET_SUCCESS_RENEW))
5670 return SSL_TICKET_RETURN_ABORT;
5672 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5674 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5675 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5676 return SSL_TICKET_RETURN_ABORT;
5678 if (tick_key_cb_called) {
5679 /* Don't change what the ticket key callback wanted to do */
5681 case SSL_TICKET_NO_DECRYPT:
5682 return SSL_TICKET_RETURN_IGNORE_RENEW;
5684 case SSL_TICKET_SUCCESS:
5685 return SSL_TICKET_RETURN_USE;
5687 case SSL_TICKET_SUCCESS_RENEW:
5688 return SSL_TICKET_RETURN_USE_RENEW;
5691 return SSL_TICKET_RETURN_ABORT;
5694 return tick_dec_ret;
5698 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5699 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5700 HMAC_CTX *hctx, int enc)
5702 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5703 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5705 tick_key_cb_called = 1;
5706 memset(iv, 0, AES_BLOCK_SIZE);
5707 memset(key_name, 0, 16);
5708 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5709 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5710 EVP_sha256(), NULL))
5713 return tick_key_renew ? 2 : 1;
5717 * Test the various ticket callbacks
5718 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5719 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5720 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5721 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5722 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5723 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5724 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5725 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5726 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5727 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5728 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5729 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5731 static int test_ticket_callbacks(int tst)
5733 SSL_CTX *cctx = NULL, *sctx = NULL;
5734 SSL *clientssl = NULL, *serverssl = NULL;
5735 SSL_SESSION *clntsess = NULL;
5738 #ifdef OPENSSL_NO_TLS1_2
5742 #ifdef OPENSSL_NO_TLS1_3
5747 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5749 /* Which tests the ticket key callback should request renewal for */
5750 if (tst == 10 || tst == 11)
5755 /* Which tests the decrypt ticket callback should request renewal for */
5759 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5764 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5769 tick_dec_ret = SSL_TICKET_RETURN_USE;
5774 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5778 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5781 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5782 TLS_client_method(),
5784 ((tst % 2) == 0) ? TLS1_2_VERSION
5786 &sctx, &cctx, cert, privkey)))
5790 * We only want sessions to resume from tickets - not the session cache. So
5791 * switch the cache off.
5793 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5796 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5801 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5804 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5806 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5811 * The decrypt ticket key callback in TLSv1.2 should be called even though
5812 * we have no ticket yet, because it gets called with a status of
5813 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5814 * actually send any ticket data). This does not happen in TLSv1.3 because
5815 * it is not valid to send empty ticket data in TLSv1.3.
5817 if (!TEST_int_eq(gen_tick_called, 1)
5818 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5821 gen_tick_called = dec_tick_called = 0;
5823 clntsess = SSL_get1_session(clientssl);
5824 SSL_shutdown(clientssl);
5825 SSL_shutdown(serverssl);
5826 SSL_free(serverssl);
5827 SSL_free(clientssl);
5828 serverssl = clientssl = NULL;
5830 /* Now do a resumption */
5831 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5833 || !TEST_true(SSL_set_session(clientssl, clntsess))
5834 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5838 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5839 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5840 if (!TEST_false(SSL_session_reused(clientssl)))
5843 if (!TEST_true(SSL_session_reused(clientssl)))
5847 if (!TEST_int_eq(gen_tick_called,
5849 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5850 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5852 || !TEST_int_eq(dec_tick_called, 1))
5858 SSL_SESSION_free(clntsess);
5859 SSL_free(serverssl);
5860 SSL_free(clientssl);
5868 * Test bi-directional shutdown.
5870 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5871 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5872 * Test 3: TLSv1.3, pending NewSessionTicket messages
5873 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5874 * sends key update, client reads it
5875 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5876 * sends CertificateRequest, client reads and ignores it
5877 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
5880 static int test_shutdown(int tst)
5882 SSL_CTX *cctx = NULL, *sctx = NULL;
5883 SSL *clientssl = NULL, *serverssl = NULL;
5885 char msg[] = "A test message";
5887 size_t written, readbytes;
5890 #ifdef OPENSSL_NO_TLS1_2
5894 #ifdef OPENSSL_NO_TLS1_3
5899 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5900 TLS_client_method(),
5902 (tst <= 1) ? TLS1_2_VERSION
5904 &sctx, &cctx, cert, privkey)))
5908 SSL_CTX_set_post_handshake_auth(cctx, 1);
5910 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5915 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5917 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5918 || !TEST_false(SSL_SESSION_is_resumable(sess)))
5920 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5922 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5923 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
5927 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5932 * Reading on the server after the client has sent close_notify should
5933 * fail and provide SSL_ERROR_ZERO_RETURN
5935 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5936 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5937 SSL_ERROR_ZERO_RETURN)
5938 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5939 SSL_RECEIVED_SHUTDOWN)
5941 * Even though we're shutdown on receive we should still be
5944 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5947 && !TEST_true(SSL_key_update(serverssl,
5948 SSL_KEY_UPDATE_REQUESTED)))
5951 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5952 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5955 if ((tst == 4 || tst == 5)
5956 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5958 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
5960 if (tst == 4 || tst == 5) {
5961 /* Should still be able to read data from server */
5962 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5964 || !TEST_size_t_eq(readbytes, sizeof(msg))
5965 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5966 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5968 || !TEST_size_t_eq(readbytes, sizeof(msg))
5969 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5974 /* Writing on the client after sending close_notify shouldn't be possible */
5975 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5980 * For these tests the client has sent close_notify but it has not yet
5981 * been received by the server. The server has not sent close_notify
5984 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5986 * Writing on the server after sending close_notify shouldn't
5989 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5990 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5991 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5992 || !TEST_true(SSL_SESSION_is_resumable(sess))
5993 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5995 } else if (tst == 4 || tst == 5) {
5997 * In this test the client has sent close_notify and it has been
5998 * received by the server which has responded with a close_notify. The
5999 * client needs to read the close_notify sent by the server.
6001 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6002 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6003 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6009 * The client has sent close_notify and is expecting a close_notify
6010 * back, but instead there is application data first. The shutdown
6011 * should fail with a fatal error.
6013 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6014 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6021 SSL_free(serverssl);
6022 SSL_free(clientssl);
6029 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6030 static int cert_cb_cnt;
6032 static int cert_cb(SSL *s, void *arg)
6034 SSL_CTX *ctx = (SSL_CTX *)arg;
6036 EVP_PKEY *pkey = NULL;
6037 X509 *x509 = NULL, *rootx = NULL;
6038 STACK_OF(X509) *chain = NULL;
6039 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6042 if (cert_cb_cnt == 0) {
6043 /* Suspend the handshake */
6046 } else if (cert_cb_cnt == 1) {
6048 * Update the SSL_CTX, set the certificate and private key and then
6049 * continue the handshake normally.
6051 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6054 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6055 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6057 || !TEST_true(SSL_check_private_key(s)))
6061 } else if (cert_cb_cnt == 3) {
6064 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6065 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6066 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6067 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6069 chain = sk_X509_new_null();
6070 if (!TEST_ptr(chain))
6072 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6073 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6074 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6075 || !TEST_true(sk_X509_push(chain, rootx)))
6079 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6080 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6081 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6084 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6085 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6086 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6088 rv = SSL_check_chain(s, x509, pkey, chain);
6090 * If the cert doesn't show as valid here (e.g., because we don't
6091 * have any shared sigalgs), then we will not set it, and there will
6092 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6093 * will cause tls_choose_sigalgs() to fail the connection.
6095 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6096 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6097 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6104 /* Abort the handshake */
6106 OPENSSL_free(ecdsacert);
6107 OPENSSL_free(ecdsakey);
6108 OPENSSL_free(rootfile);
6110 EVP_PKEY_free(pkey);
6113 sk_X509_pop_free(chain, X509_free);
6118 * Test the certificate callback.
6119 * Test 0: Callback fails
6120 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6121 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6122 * Test 3: Success - Call SSL_check_chain from the callback
6123 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6125 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6127 static int test_cert_cb_int(int prot, int tst)
6129 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6130 SSL *clientssl = NULL, *serverssl = NULL;
6131 int testresult = 0, ret;
6133 #ifdef OPENSSL_NO_EC
6134 /* We use an EC cert in these tests, so we skip in a no-ec build */
6139 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6140 TLS_client_method(),
6143 &sctx, &cctx, NULL, NULL)))
6154 snictx = SSL_CTX_new(TLS_server_method());
6155 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6157 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6163 * We cause SSL_check_chain() to fail by specifying sig_algs that
6164 * the chain doesn't meet (the root uses an RSA cert)
6166 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6167 "ecdsa_secp256r1_sha256")))
6169 } else if (tst == 5) {
6171 * We cause SSL_check_chain() to fail by specifying sig_algs that
6172 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6174 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6175 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6179 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6180 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6182 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6189 SSL_free(serverssl);
6190 SSL_free(clientssl);
6193 SSL_CTX_free(snictx);
6199 static int test_cert_cb(int tst)
6203 #ifndef OPENSSL_NO_TLS1_2
6204 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6206 #ifndef OPENSSL_NO_TLS1_3
6207 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6213 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6219 /* Check that SSL_get_peer_certificate() returns something sensible */
6220 peer = SSL_get_peer_certificate(ssl);
6221 if (!TEST_ptr(peer))
6225 in = BIO_new_file(cert, "r");
6229 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6231 if (!TEST_ptr(xcert))
6234 in = BIO_new_file(privkey, "r");
6235 if (!TEST_ptr(in)) {
6240 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6242 if (!TEST_ptr(privpkey)) {
6253 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6258 static int test_client_cert_cb(int tst)
6260 SSL_CTX *cctx = NULL, *sctx = NULL;
6261 SSL *clientssl = NULL, *serverssl = NULL;
6264 #ifdef OPENSSL_NO_TLS1_2
6268 #ifdef OPENSSL_NO_TLS1_3
6273 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6274 TLS_client_method(),
6276 tst == 0 ? TLS1_2_VERSION
6278 &sctx, &cctx, cert, privkey)))
6282 * Test that setting a client_cert_cb results in a client certificate being
6285 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6286 SSL_CTX_set_verify(sctx,
6287 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6292 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6299 SSL_free(serverssl);
6300 SSL_free(clientssl);
6307 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6309 * Test setting certificate authorities on both client and server.
6311 * Test 0: SSL_CTX_set0_CA_list() only
6312 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6313 * Test 2: Only SSL_CTX_set_client_CA_list()
6315 static int test_ca_names_int(int prot, int tst)
6317 SSL_CTX *cctx = NULL, *sctx = NULL;
6318 SSL *clientssl = NULL, *serverssl = NULL;
6321 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6322 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6323 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6324 const STACK_OF(X509_NAME) *sktmp = NULL;
6326 for (i = 0; i < OSSL_NELEM(name); i++) {
6327 name[i] = X509_NAME_new();
6328 if (!TEST_ptr(name[i])
6329 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6337 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6338 TLS_client_method(),
6341 &sctx, &cctx, cert, privkey)))
6344 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6346 if (tst == 0 || tst == 1) {
6347 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6348 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6349 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6350 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6351 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6352 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6355 SSL_CTX_set0_CA_list(sctx, sk1);
6356 SSL_CTX_set0_CA_list(cctx, sk2);
6359 if (tst == 1 || tst == 2) {
6360 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6361 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6362 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6363 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6364 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6365 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6368 SSL_CTX_set_client_CA_list(sctx, sk1);
6369 SSL_CTX_set_client_CA_list(cctx, sk2);
6373 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6375 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6380 * We only expect certificate authorities to have been sent to the server
6381 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6383 sktmp = SSL_get0_peer_CA_list(serverssl);
6384 if (prot == TLS1_3_VERSION
6385 && (tst == 0 || tst == 1)) {
6386 if (!TEST_ptr(sktmp)
6387 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6388 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6390 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6393 } else if (!TEST_ptr_null(sktmp)) {
6398 * In all tests we expect certificate authorities to have been sent to the
6399 * client. However, SSL_set_client_CA_list() should override
6400 * SSL_set0_CA_list()
6402 sktmp = SSL_get0_peer_CA_list(clientssl);
6403 if (!TEST_ptr(sktmp)
6404 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6405 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6406 name[tst == 0 ? 0 : 2]), 0)
6407 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6408 name[tst == 0 ? 1 : 3]), 0))
6414 SSL_free(serverssl);
6415 SSL_free(clientssl);
6418 for (i = 0; i < OSSL_NELEM(name); i++)
6419 X509_NAME_free(name[i]);
6420 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6421 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6427 static int test_ca_names(int tst)
6431 #ifndef OPENSSL_NO_TLS1_2
6432 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6434 #ifndef OPENSSL_NO_TLS1_3
6435 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6442 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
6443 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
6444 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
6445 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
6446 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
6447 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
6448 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
6449 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
6450 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
6451 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
6453 static int test_servername(int tst)
6455 SSL_CTX *cctx = NULL, *sctx = NULL;
6456 SSL *clientssl = NULL, *serverssl = NULL;
6458 SSL_SESSION *sess = NULL;
6459 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
6461 #ifdef OPENSSL_NO_TLS1_2
6465 #ifdef OPENSSL_NO_TLS1_3
6470 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6471 TLS_client_method(),
6473 (tst <= 4) ? TLS1_2_VERSION
6475 &sctx, &cctx, cert, privkey))
6476 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6480 if (tst != 1 && tst != 6) {
6481 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
6486 if (tst != 3 && tst != 8) {
6487 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
6489 sexpectedhost = cexpectedhost = "goodhost";
6492 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
6495 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
6497 || !TEST_str_eq(SSL_get_servername(serverssl,
6498 TLSEXT_NAMETYPE_host_name),
6502 /* Now repeat with a resumption handshake */
6504 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
6505 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
6506 || !TEST_true(SSL_SESSION_is_resumable(sess))
6507 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
6510 SSL_free(clientssl);
6511 SSL_free(serverssl);
6512 clientssl = serverssl = NULL;
6514 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6518 if (!TEST_true(SSL_set_session(clientssl, sess)))
6521 sexpectedhost = cexpectedhost = "goodhost";
6522 if (tst == 2 || tst == 7) {
6523 /* Set an inconsistent hostname */
6524 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
6527 * In TLSv1.2 we expect the hostname from the original handshake, in
6528 * TLSv1.3 we expect the hostname from this handshake
6531 sexpectedhost = cexpectedhost = "altgoodhost";
6533 if (!TEST_str_eq(SSL_get_servername(clientssl,
6534 TLSEXT_NAMETYPE_host_name),
6537 } else if (tst == 4 || tst == 9) {
6539 * A TLSv1.3 session does not associate a session with a servername,
6540 * but a TLSv1.2 session does.
6543 sexpectedhost = cexpectedhost = NULL;
6545 if (!TEST_str_eq(SSL_get_servername(clientssl,
6546 TLSEXT_NAMETYPE_host_name),
6550 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
6553 * In a TLSv1.2 resumption where the hostname was not acknowledged
6554 * we expect the hostname on the server to be empty. On the client we
6555 * return what was requested in this case.
6557 * Similarly if the client didn't set a hostname on an original TLSv1.2
6558 * session but is now, the server hostname will be empty, but the client
6561 if (tst == 1 || tst == 3)
6562 sexpectedhost = NULL;
6564 if (!TEST_str_eq(SSL_get_servername(clientssl,
6565 TLSEXT_NAMETYPE_host_name),
6570 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
6573 if (!TEST_true(SSL_session_reused(clientssl))
6574 || !TEST_true(SSL_session_reused(serverssl))
6575 || !TEST_str_eq(SSL_get_servername(clientssl,
6576 TLSEXT_NAMETYPE_host_name),
6578 || !TEST_str_eq(SSL_get_servername(serverssl,
6579 TLSEXT_NAMETYPE_host_name),
6586 SSL_SESSION_free(sess);
6587 SSL_free(serverssl);
6588 SSL_free(clientssl);
6595 #ifndef OPENSSL_NO_TLS1_2
6596 static int test_ssl_dup(void)
6598 SSL_CTX *cctx = NULL, *sctx = NULL;
6599 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
6601 BIO *rbio = NULL, *wbio = NULL;
6603 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6604 TLS_client_method(),
6607 &sctx, &cctx, cert, privkey)))
6610 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6614 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
6615 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
6618 client2ssl = SSL_dup(clientssl);
6619 rbio = SSL_get_rbio(clientssl);
6621 || !TEST_true(BIO_up_ref(rbio)))
6623 SSL_set0_rbio(client2ssl, rbio);
6626 wbio = SSL_get_wbio(clientssl);
6627 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
6629 SSL_set0_wbio(client2ssl, wbio);
6632 if (!TEST_ptr(client2ssl)
6633 /* Handshake not started so pointers should be different */
6634 || !TEST_ptr_ne(clientssl, client2ssl))
6637 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
6638 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
6641 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
6644 SSL_free(clientssl);
6645 clientssl = SSL_dup(client2ssl);
6646 if (!TEST_ptr(clientssl)
6647 /* Handshake has finished so pointers should be the same */
6648 || !TEST_ptr_eq(clientssl, client2ssl))
6654 SSL_free(serverssl);
6655 SSL_free(clientssl);
6656 SSL_free(client2ssl);
6664 #ifndef OPENSSL_NO_TLS1_3
6666 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
6667 * that it works even without a certificate configured for the original
6670 static int test_sni_tls13(void)
6672 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6673 SSL *clientssl = NULL, *serverssl = NULL;
6676 /* Reset callback counter */
6679 /* Create an initial SSL_CTX with no certificate configured */
6680 sctx = SSL_CTX_new(TLS_server_method());
6681 if (!TEST_ptr(sctx))
6683 /* Require TLSv1.3 as a minimum */
6684 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
6685 TLS1_3_VERSION, 0, &sctx2, &cctx, cert,
6690 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6691 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6695 * Connection should still succeed because the final SSL_CTX has the right
6696 * certificates configured.
6698 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6699 &clientssl, NULL, NULL))
6700 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6704 /* We should have had the SNI callback called exactly once */
6705 if (!TEST_int_eq(snicb, 1))
6711 SSL_free(serverssl);
6712 SSL_free(clientssl);
6713 SSL_CTX_free(sctx2);
6720 * Test that setting an ALPN does not violate RFC
6722 static int test_set_alpn(void)
6724 SSL_CTX *ctx = NULL;
6728 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
6729 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
6730 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
6731 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
6732 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
6733 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
6735 /* Create an initial SSL_CTX with no certificate configured */
6736 ctx = SSL_CTX_new(TLS_server_method());
6740 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
6741 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
6743 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
6745 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
6747 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
6749 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
6751 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
6753 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
6755 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
6757 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
6764 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
6766 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
6768 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
6770 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
6772 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
6774 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
6776 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
6778 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
6780 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
6791 static int test_inherit_verify_param(void)
6795 SSL_CTX *ctx = NULL;
6796 X509_VERIFY_PARAM *cp = NULL;
6798 X509_VERIFY_PARAM *sp = NULL;
6799 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
6801 ctx = SSL_CTX_new(TLS_server_method());
6805 cp = SSL_CTX_get0_param(ctx);
6808 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
6811 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
6817 sp = SSL_get0_param(ssl);
6820 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
6832 int setup_tests(void)
6834 if (!TEST_ptr(certsdir = test_get_argument(0))
6835 || !TEST_ptr(srpvfile = test_get_argument(1))
6836 || !TEST_ptr(tmpfilename = test_get_argument(2)))
6839 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6840 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6841 TEST_error("not supported in this build");
6844 int i, mcount, rcount, fcount;
6846 for (i = 0; i < 4; i++)
6847 test_export_key_mat(i);
6848 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6849 test_printf_stdout("malloc %d realloc %d free %d\n",
6850 mcount, rcount, fcount);
6855 cert = test_mk_file_path(certsdir, "servercert.pem");
6859 privkey = test_mk_file_path(certsdir, "serverkey.pem");
6860 if (privkey == NULL) {
6865 ADD_TEST(test_large_message_tls);
6866 ADD_TEST(test_large_message_tls_read_ahead);
6867 #ifndef OPENSSL_NO_DTLS
6868 ADD_TEST(test_large_message_dtls);
6870 #ifndef OPENSSL_NO_OCSP
6871 ADD_TEST(test_tlsext_status_type);
6873 ADD_TEST(test_session_with_only_int_cache);
6874 ADD_TEST(test_session_with_only_ext_cache);
6875 ADD_TEST(test_session_with_both_cache);
6876 #ifndef OPENSSL_NO_TLS1_3
6877 ADD_ALL_TESTS(test_stateful_tickets, 3);
6878 ADD_ALL_TESTS(test_stateless_tickets, 3);
6879 ADD_TEST(test_psk_tickets);
6881 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6882 ADD_TEST(test_ssl_bio_pop_next_bio);
6883 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6884 ADD_TEST(test_ssl_bio_change_rbio);
6885 ADD_TEST(test_ssl_bio_change_wbio);
6886 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6887 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6888 ADD_TEST(test_keylog);
6890 #ifndef OPENSSL_NO_TLS1_3
6891 ADD_TEST(test_keylog_no_master_key);
6893 #ifndef OPENSSL_NO_TLS1_2
6894 ADD_TEST(test_client_hello_cb);
6895 ADD_TEST(test_ccs_change_cipher);
6897 #ifndef OPENSSL_NO_TLS1_3
6898 ADD_ALL_TESTS(test_early_data_read_write, 3);
6900 * We don't do replay tests for external PSK. Replay protection isn't used
6903 ADD_ALL_TESTS(test_early_data_replay, 2);
6904 ADD_ALL_TESTS(test_early_data_skip, 3);
6905 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6906 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6907 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6908 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6909 ADD_ALL_TESTS(test_early_data_psk, 8);
6910 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
6911 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6912 # ifndef OPENSSL_NO_TLS1_2
6913 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6916 #ifndef OPENSSL_NO_TLS1_3
6917 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6918 ADD_TEST(test_ciphersuite_change);
6919 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
6920 #ifdef OPENSSL_NO_PSK
6921 ADD_ALL_TESTS(test_tls13_psk, 1);
6923 ADD_ALL_TESTS(test_tls13_psk, 4);
6924 #endif /* OPENSSL_NO_PSK */
6925 ADD_ALL_TESTS(test_custom_exts, 5);
6926 ADD_TEST(test_stateless);
6927 ADD_TEST(test_pha_key_update);
6929 ADD_ALL_TESTS(test_custom_exts, 3);
6931 ADD_ALL_TESTS(test_serverinfo, 8);
6932 ADD_ALL_TESTS(test_export_key_mat, 6);
6933 #ifndef OPENSSL_NO_TLS1_3
6934 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6935 ADD_TEST(test_key_update);
6936 ADD_ALL_TESTS(test_key_update_in_write, 2);
6938 ADD_ALL_TESTS(test_ssl_clear, 2);
6939 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6940 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6941 ADD_ALL_TESTS(test_srp, 6);
6943 ADD_ALL_TESTS(test_info_callback, 6);
6944 ADD_ALL_TESTS(test_ssl_pending, 2);
6945 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6946 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6947 ADD_ALL_TESTS(test_shutdown, 7);
6948 ADD_ALL_TESTS(test_cert_cb, 6);
6949 ADD_ALL_TESTS(test_client_cert_cb, 2);
6950 ADD_ALL_TESTS(test_ca_names, 3);
6951 ADD_ALL_TESTS(test_servername, 10);
6952 #ifndef OPENSSL_NO_TLS1_2
6953 ADD_TEST(test_ssl_dup);
6955 #ifndef OPENSSL_NO_TLS1_3
6956 ADD_TEST(test_sni_tls13);
6958 ADD_TEST(test_set_alpn);
6959 ADD_TEST(test_inherit_verify_param);
6963 void cleanup_tests(void)
6966 OPENSSL_free(privkey);
6967 bio_s_mempacket_test_free();
6968 bio_s_always_retry_free();