2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "../ssl/ssl_locl.h"
27 static char *cert
= NULL
;
28 static char *privkey
= NULL
;
29 static char *srpvfile
= NULL
;
30 static char *tmpfilename
= NULL
;
32 #define LOG_BUFFER_SIZE 2048
33 static char server_log_buffer
[LOG_BUFFER_SIZE
+ 1] = {0};
34 static size_t server_log_buffer_index
= 0;
35 static char client_log_buffer
[LOG_BUFFER_SIZE
+ 1] = {0};
36 static size_t client_log_buffer_index
= 0;
37 static int error_writing_log
= 0;
39 #ifndef OPENSSL_NO_OCSP
40 static const unsigned char orespder
[] = "Dummy OCSP Response";
41 static int ocsp_server_called
= 0;
42 static int ocsp_client_called
= 0;
44 static int cdummyarg
= 1;
45 static X509
*ocspcert
= NULL
;
48 #define NUM_EXTRA_CERTS 40
49 #define CLIENT_VERSION_LEN 2
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
55 struct sslapitest_log_counts
{
56 unsigned int rsa_key_exchange_count
;
57 unsigned int master_secret_count
;
58 unsigned int client_early_secret_count
;
59 unsigned int client_handshake_secret_count
;
60 unsigned int server_handshake_secret_count
;
61 unsigned int client_application_secret_count
;
62 unsigned int server_application_secret_count
;
63 unsigned int early_exporter_secret_count
;
64 unsigned int exporter_secret_count
;
68 static unsigned char serverinfov1
[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
74 static unsigned char serverinfov2
[] = {
76 (unsigned char)(SSL_EXT_CLIENT_HELLO
& 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
82 static void client_keylog_callback(const SSL
*ssl
, const char *line
)
84 int line_length
= strlen(line
);
86 /* If the log doesn't fit, error out. */
87 if (client_log_buffer_index
+ line_length
> sizeof(client_log_buffer
) - 1) {
88 TEST_info("Client log too full");
89 error_writing_log
= 1;
93 strcat(client_log_buffer
, line
);
94 client_log_buffer_index
+= line_length
;
95 client_log_buffer
[client_log_buffer_index
++] = '\n';
98 static void server_keylog_callback(const SSL
*ssl
, const char *line
)
100 int line_length
= strlen(line
);
102 /* If the log doesn't fit, error out. */
103 if (server_log_buffer_index
+ line_length
> sizeof(server_log_buffer
) - 1) {
104 TEST_info("Server log too full");
105 error_writing_log
= 1;
109 strcat(server_log_buffer
, line
);
110 server_log_buffer_index
+= line_length
;
111 server_log_buffer
[server_log_buffer_index
++] = '\n';
114 static int compare_hex_encoded_buffer(const char *hex_encoded
,
122 if (!TEST_size_t_eq(raw_length
* 2, hex_length
))
125 for (i
= j
= 0; i
< raw_length
&& j
+ 1 < hex_length
; i
++, j
+= 2) {
126 sprintf(hexed
, "%02x", raw
[i
]);
127 if (!TEST_int_eq(hexed
[0], hex_encoded
[j
])
128 || !TEST_int_eq(hexed
[1], hex_encoded
[j
+ 1]))
135 static int test_keylog_output(char *buffer
, const SSL
*ssl
,
136 const SSL_SESSION
*session
,
137 struct sslapitest_log_counts
*expected
)
140 unsigned char actual_client_random
[SSL3_RANDOM_SIZE
] = {0};
141 size_t client_random_size
= SSL3_RANDOM_SIZE
;
142 unsigned char actual_master_key
[SSL_MAX_MASTER_KEY_LENGTH
] = {0};
143 size_t master_key_size
= SSL_MAX_MASTER_KEY_LENGTH
;
144 unsigned int rsa_key_exchange_count
= 0;
145 unsigned int master_secret_count
= 0;
146 unsigned int client_early_secret_count
= 0;
147 unsigned int client_handshake_secret_count
= 0;
148 unsigned int server_handshake_secret_count
= 0;
149 unsigned int client_application_secret_count
= 0;
150 unsigned int server_application_secret_count
= 0;
151 unsigned int early_exporter_secret_count
= 0;
152 unsigned int exporter_secret_count
= 0;
154 for (token
= strtok(buffer
, " \n"); token
!= NULL
;
155 token
= strtok(NULL
, " \n")) {
156 if (strcmp(token
, "RSA") == 0) {
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
159 * hex-encoded encrypted secret, then the hex-encoded pre-master
162 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
164 if (!TEST_size_t_eq(strlen(token
), 16))
166 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
173 rsa_key_exchange_count
++;
174 } else if (strcmp(token
, "CLIENT_RANDOM") == 0) {
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
177 * client random, then the hex-encoded master secret.
179 client_random_size
= SSL_get_client_random(ssl
,
180 actual_client_random
,
182 if (!TEST_size_t_eq(client_random_size
, SSL3_RANDOM_SIZE
))
185 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
187 if (!TEST_size_t_eq(strlen(token
), 64))
189 if (!TEST_false(compare_hex_encoded_buffer(token
, 64,
190 actual_client_random
,
191 client_random_size
)))
194 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
196 master_key_size
= SSL_SESSION_get_master_key(session
,
199 if (!TEST_size_t_ne(master_key_size
, 0))
201 if (!TEST_false(compare_hex_encoded_buffer(token
, strlen(token
),
205 master_secret_count
++;
206 } else if (strcmp(token
, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token
, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
208 || strcmp(token
, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token
, "CLIENT_TRAFFIC_SECRET_0") == 0
210 || strcmp(token
, "SERVER_TRAFFIC_SECRET_0") == 0
211 || strcmp(token
, "EARLY_EXPORTER_SECRET") == 0
212 || strcmp(token
, "EXPORTER_SECRET") == 0) {
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
219 if (strcmp(token
, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count
++;
221 else if (strcmp(token
, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
222 client_handshake_secret_count
++;
223 else if (strcmp(token
, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count
++;
225 else if (strcmp(token
, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count
++;
227 else if (strcmp(token
, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count
++;
229 else if (strcmp(token
, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count
++;
231 else if (strcmp(token
, "EXPORTER_SECRET") == 0)
232 exporter_secret_count
++;
234 client_random_size
= SSL_get_client_random(ssl
,
235 actual_client_random
,
237 if (!TEST_size_t_eq(client_random_size
, SSL3_RANDOM_SIZE
))
240 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
242 if (!TEST_size_t_eq(strlen(token
), 64))
244 if (!TEST_false(compare_hex_encoded_buffer(token
, 64,
245 actual_client_random
,
246 client_random_size
)))
249 if (!TEST_ptr(token
= strtok(NULL
, " \n")))
253 * TODO(TLS1.3): test that application traffic secrets are what
256 TEST_info("Unexpected token %s\n", token
);
261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count
,
263 expected
->rsa_key_exchange_count
)
264 || !TEST_size_t_eq(master_secret_count
,
265 expected
->master_secret_count
)
266 || !TEST_size_t_eq(client_early_secret_count
,
267 expected
->client_early_secret_count
)
268 || !TEST_size_t_eq(client_handshake_secret_count
,
269 expected
->client_handshake_secret_count
)
270 || !TEST_size_t_eq(server_handshake_secret_count
,
271 expected
->server_handshake_secret_count
)
272 || !TEST_size_t_eq(client_application_secret_count
,
273 expected
->client_application_secret_count
)
274 || !TEST_size_t_eq(server_application_secret_count
,
275 expected
->server_application_secret_count
)
276 || !TEST_size_t_eq(early_exporter_secret_count
,
277 expected
->early_exporter_secret_count
)
278 || !TEST_size_t_eq(exporter_secret_count
,
279 expected
->exporter_secret_count
))
284 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
285 static int test_keylog(void)
287 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
288 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
290 struct sslapitest_log_counts expected
= {0};
292 /* Clean up logging space */
293 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
294 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
295 client_log_buffer_index
= 0;
296 server_log_buffer_index
= 0;
297 error_writing_log
= 0;
299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
301 TLS1_VERSION
, TLS_MAX_VERSION
,
302 &sctx
, &cctx
, cert
, privkey
)))
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx
, SSL_OP_NO_TLSv1_3
);
307 SSL_CTX_set_options(sctx
, SSL_OP_NO_TLSv1_3
);
309 /* We also want to ensure that we use RSA-based key exchange. */
310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "RSA")))
313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
) == NULL
)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx
) == NULL
))
316 SSL_CTX_set_keylog_callback(cctx
, client_keylog_callback
);
317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
)
318 == client_keylog_callback
))
320 SSL_CTX_set_keylog_callback(sctx
, server_keylog_callback
);
321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx
)
322 == server_keylog_callback
))
325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
327 &clientssl
, NULL
, NULL
))
328 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
330 || !TEST_false(error_writing_log
)
331 || !TEST_int_gt(client_log_buffer_index
, 0)
332 || !TEST_int_gt(server_log_buffer_index
, 0))
336 * Now we want to test that our output data was vaguely sensible. We
337 * do that by using strtok and confirming that we have more or less the
338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
341 expected
.rsa_key_exchange_count
= 1;
342 expected
.master_secret_count
= 1;
343 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
344 SSL_get_session(clientssl
), &expected
)))
347 expected
.rsa_key_exchange_count
= 0;
348 if (!TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
349 SSL_get_session(serverssl
), &expected
)))
364 #ifndef OPENSSL_NO_TLS1_3
365 static int test_keylog_no_master_key(void)
367 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
368 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
369 SSL_SESSION
*sess
= NULL
;
371 struct sslapitest_log_counts expected
= {0};
372 unsigned char buf
[1];
373 size_t readbytes
, written
;
375 /* Clean up logging space */
376 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
377 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
378 client_log_buffer_index
= 0;
379 server_log_buffer_index
= 0;
380 error_writing_log
= 0;
382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION
, TLS_MAX_VERSION
,
384 &sctx
, &cctx
, cert
, privkey
))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx
,
386 SSL3_RT_MAX_PLAIN_LENGTH
)))
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
) == NULL
)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx
) == NULL
))
393 SSL_CTX_set_keylog_callback(cctx
, client_keylog_callback
);
394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx
)
395 == client_keylog_callback
))
398 SSL_CTX_set_keylog_callback(sctx
, server_keylog_callback
);
399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx
)
400 == server_keylog_callback
))
403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
405 &clientssl
, NULL
, NULL
))
406 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
408 || !TEST_false(error_writing_log
))
412 * Now we want to test that our output data was vaguely sensible. For this
413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
414 * TLSv1.3, but we do expect both client and server to emit keys.
416 expected
.client_handshake_secret_count
= 1;
417 expected
.server_handshake_secret_count
= 1;
418 expected
.client_application_secret_count
= 1;
419 expected
.server_application_secret_count
= 1;
420 expected
.exporter_secret_count
= 1;
421 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
422 SSL_get_session(clientssl
), &expected
))
423 || !TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
424 SSL_get_session(serverssl
),
428 /* Terminate old session and resume with early data. */
429 sess
= SSL_get1_session(clientssl
);
430 SSL_shutdown(clientssl
);
431 SSL_shutdown(serverssl
);
434 serverssl
= clientssl
= NULL
;
437 memset(client_log_buffer
, 0, sizeof(client_log_buffer
));
438 memset(server_log_buffer
, 0, sizeof(server_log_buffer
));
439 client_log_buffer_index
= 0;
440 server_log_buffer_index
= 0;
442 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
443 &clientssl
, NULL
, NULL
))
444 || !TEST_true(SSL_set_session(clientssl
, sess
))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl
, NULL
, 0, &written
))
447 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
449 SSL_READ_EARLY_DATA_ERROR
)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
451 SSL_EARLY_DATA_ACCEPTED
)
452 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
454 || !TEST_true(SSL_session_reused(clientssl
)))
457 /* In addition to the previous entries, expect early secrets. */
458 expected
.client_early_secret_count
= 1;
459 expected
.early_exporter_secret_count
= 1;
460 if (!TEST_true(test_keylog_output(client_log_buffer
, clientssl
,
461 SSL_get_session(clientssl
), &expected
))
462 || !TEST_true(test_keylog_output(server_log_buffer
, serverssl
,
463 SSL_get_session(serverssl
),
470 SSL_SESSION_free(sess
);
480 #ifndef OPENSSL_NO_TLS1_2
481 static int full_client_hello_callback(SSL
*s
, int *al
, void *arg
)
484 const unsigned char *p
;
486 /* We only configure two ciphers, but the SCSV is added automatically. */
488 const unsigned char expected_ciphers
[] = {0x00, 0x9d, 0x00, 0xff};
490 const unsigned char expected_ciphers
[] = {0x00, 0x9d, 0xc0,
493 const int expected_extensions
[] = {
494 #ifndef OPENSSL_NO_EC
500 /* Make sure we can defer processing and get called back. */
502 return SSL_CLIENT_HELLO_RETRY
;
504 len
= SSL_client_hello_get0_ciphers(s
, &p
);
505 if (!TEST_mem_eq(p
, len
, expected_ciphers
, sizeof(expected_ciphers
))
507 SSL_client_hello_get0_compression_methods(s
, &p
), 1)
508 || !TEST_int_eq(*p
, 0))
509 return SSL_CLIENT_HELLO_ERROR
;
510 if (!SSL_client_hello_get1_extensions_present(s
, &exts
, &len
))
511 return SSL_CLIENT_HELLO_ERROR
;
512 if (len
!= OSSL_NELEM(expected_extensions
) ||
513 memcmp(exts
, expected_extensions
, len
* sizeof(*exts
)) != 0) {
514 printf("ClientHello callback expected extensions mismatch\n");
516 return SSL_CLIENT_HELLO_ERROR
;
519 return SSL_CLIENT_HELLO_SUCCESS
;
522 static int test_client_hello_cb(void)
524 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
525 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
526 int testctr
= 0, testresult
= 0;
528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION
, TLS_MAX_VERSION
,
530 &sctx
, &cctx
, cert
, privkey
)))
532 SSL_CTX_set_client_hello_cb(sctx
, full_client_hello_callback
, &testctr
);
534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
540 &clientssl
, NULL
, NULL
))
541 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
542 SSL_ERROR_WANT_CLIENT_HELLO_CB
))
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
547 || !TEST_int_eq(SSL_get_error(serverssl
, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB
)
549 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
565 static int execute_test_large_message(const SSL_METHOD
*smeth
,
566 const SSL_METHOD
*cmeth
,
567 int min_version
, int max_version
,
570 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
571 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
575 X509
*chaincert
= NULL
;
578 if (!TEST_ptr(certbio
= BIO_new_file(cert
, "r")))
580 chaincert
= PEM_read_bio_X509(certbio
, NULL
, NULL
, NULL
);
583 if (!TEST_ptr(chaincert
))
586 if (!TEST_true(create_ssl_ctx_pair(smeth
, cmeth
, min_version
, max_version
,
587 &sctx
, &cctx
, cert
, privkey
)))
592 * Test that read_ahead works correctly when dealing with large
595 SSL_CTX_set_read_ahead(cctx
, 1);
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
605 certlen
= i2d_X509(chaincert
, NULL
);
606 OPENSSL_assert(certlen
* NUM_EXTRA_CERTS
>
607 (SSL3_RT_MAX_PLAIN_LENGTH
* 4) / 3);
608 for (i
= 0; i
< NUM_EXTRA_CERTS
; i
++) {
609 if (!X509_up_ref(chaincert
))
611 if (!SSL_CTX_add_extra_chain_cert(sctx
, chaincert
)) {
612 X509_free(chaincert
);
617 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
619 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
627 if (!TEST_true(SSL_clear(serverssl
)))
632 X509_free(chaincert
);
641 static int test_large_message_tls(void)
643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
644 TLS1_VERSION
, TLS_MAX_VERSION
,
648 static int test_large_message_tls_read_ahead(void)
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
651 TLS1_VERSION
, TLS_MAX_VERSION
,
655 #ifndef OPENSSL_NO_DTLS
656 static int test_large_message_dtls(void)
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
662 return execute_test_large_message(DTLS_server_method(),
663 DTLS_client_method(),
664 DTLS1_VERSION
, DTLS_MAX_VERSION
,
669 #ifndef OPENSSL_NO_OCSP
670 static int ocsp_server_cb(SSL
*s
, void *arg
)
672 int *argi
= (int *)arg
;
673 unsigned char *copy
= NULL
;
674 STACK_OF(OCSP_RESPID
) *ids
= NULL
;
675 OCSP_RESPID
*id
= NULL
;
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s
, &ids
);
680 if (ids
== NULL
|| sk_OCSP_RESPID_num(ids
) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL
;
683 id
= sk_OCSP_RESPID_value(ids
, 0);
684 if (id
== NULL
|| !OCSP_RESPID_match(id
, ocspcert
))
685 return SSL_TLSEXT_ERR_ALERT_FATAL
;
686 } else if (*argi
!= 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL
;
690 if (!TEST_ptr(copy
= OPENSSL_memdup(orespder
, sizeof(orespder
))))
691 return SSL_TLSEXT_ERR_ALERT_FATAL
;
693 SSL_set_tlsext_status_ocsp_resp(s
, copy
, sizeof(orespder
));
694 ocsp_server_called
= 1;
695 return SSL_TLSEXT_ERR_OK
;
698 static int ocsp_client_cb(SSL
*s
, void *arg
)
700 int *argi
= (int *)arg
;
701 const unsigned char *respderin
;
704 if (*argi
!= 1 && *argi
!= 2)
707 len
= SSL_get_tlsext_status_ocsp_resp(s
, &respderin
);
708 if (!TEST_mem_eq(orespder
, len
, respderin
, len
))
711 ocsp_client_called
= 1;
715 static int test_tlsext_status_type(void)
717 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
718 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
720 STACK_OF(OCSP_RESPID
) *ids
= NULL
;
721 OCSP_RESPID
*id
= NULL
;
724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION
, TLS_MAX_VERSION
,
726 &sctx
, &cctx
, cert
, privkey
))
729 if (SSL_CTX_get_tlsext_status_type(cctx
) != -1)
732 /* First just do various checks getting and setting tlsext_status_type */
734 clientssl
= SSL_new(cctx
);
735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl
), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl
,
737 TLSEXT_STATUSTYPE_ocsp
))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl
),
739 TLSEXT_STATUSTYPE_ocsp
))
745 if (!SSL_CTX_set_tlsext_status_type(cctx
, TLSEXT_STATUSTYPE_ocsp
)
746 || SSL_CTX_get_tlsext_status_type(cctx
) != TLSEXT_STATUSTYPE_ocsp
)
749 clientssl
= SSL_new(cctx
);
750 if (SSL_get_tlsext_status_type(clientssl
) != TLSEXT_STATUSTYPE_ocsp
)
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
759 SSL_CTX_set_tlsext_status_cb(cctx
, ocsp_client_cb
);
760 SSL_CTX_set_tlsext_status_arg(cctx
, &cdummyarg
);
761 SSL_CTX_set_tlsext_status_cb(sctx
, ocsp_server_cb
);
762 SSL_CTX_set_tlsext_status_arg(sctx
, &cdummyarg
);
763 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
764 &clientssl
, NULL
, NULL
))
765 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
767 || !TEST_true(ocsp_client_called
)
768 || !TEST_true(ocsp_server_called
))
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called
= 0;
777 ocsp_server_called
= 0;
779 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
780 &clientssl
, NULL
, NULL
))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
784 || !TEST_false(ocsp_client_called
)
785 || !TEST_false(ocsp_server_called
))
793 * This time we'll get the client to send an OCSP_RESPID that it will
796 ocsp_client_called
= 0;
797 ocsp_server_called
= 0;
799 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
800 &clientssl
, NULL
, NULL
)))
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
805 * specific one. We'll use the server cert.
807 if (!TEST_ptr(certbio
= BIO_new_file(cert
, "r"))
808 || !TEST_ptr(id
= OCSP_RESPID_new())
809 || !TEST_ptr(ids
= sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert
= PEM_read_bio_X509(certbio
,
812 || !TEST_true(OCSP_RESPID_set_by_key(id
, ocspcert
))
813 || !TEST_true(sk_OCSP_RESPID_push(ids
, id
)))
816 SSL_set_tlsext_status_ids(clientssl
, ids
);
817 /* Control has been transferred */
823 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
825 || !TEST_true(ocsp_client_called
)
826 || !TEST_true(ocsp_server_called
))
836 sk_OCSP_RESPID_pop_free(ids
, OCSP_RESPID_free
);
837 OCSP_RESPID_free(id
);
846 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
847 static int new_called
, remove_called
, get_called
;
849 static int new_session_cb(SSL
*ssl
, SSL_SESSION
*sess
)
853 * sess has been up-refed for us, but we don't actually need it so free it
856 SSL_SESSION_free(sess
);
860 static void remove_session_cb(SSL_CTX
*ctx
, SSL_SESSION
*sess
)
865 static SSL_SESSION
*get_sess_val
= NULL
;
867 static SSL_SESSION
*get_session_cb(SSL
*ssl
, const unsigned char *id
, int len
,
875 static int execute_test_session(int maxprot
, int use_int_cache
,
878 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
879 SSL
*serverssl1
= NULL
, *clientssl1
= NULL
;
880 SSL
*serverssl2
= NULL
, *clientssl2
= NULL
;
881 # ifndef OPENSSL_NO_TLS1_1
882 SSL
*serverssl3
= NULL
, *clientssl3
= NULL
;
884 SSL_SESSION
*sess1
= NULL
, *sess2
= NULL
;
885 int testresult
= 0, numnewsesstick
= 1;
887 new_called
= remove_called
= 0;
889 /* TLSv1.3 sends 2 NewSessionTickets */
890 if (maxprot
== TLS1_3_VERSION
)
893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
894 TLS1_VERSION
, TLS_MAX_VERSION
,
895 &sctx
, &cctx
, cert
, privkey
)))
899 * Only allow the max protocol version so we can force a connection failure
902 SSL_CTX_set_min_proto_version(cctx
, maxprot
);
903 SSL_CTX_set_max_proto_version(cctx
, maxprot
);
905 /* Set up session cache */
907 SSL_CTX_sess_set_new_cb(cctx
, new_session_cb
);
908 SSL_CTX_sess_set_remove_cb(cctx
, remove_session_cb
);
911 /* Also covers instance where both are set */
912 SSL_CTX_set_session_cache_mode(cctx
, SSL_SESS_CACHE_CLIENT
);
914 SSL_CTX_set_session_cache_mode(cctx
,
915 SSL_SESS_CACHE_CLIENT
916 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
919 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl1
, &clientssl1
,
921 || !TEST_true(create_ssl_connection(serverssl1
, clientssl1
,
923 || !TEST_ptr(sess1
= SSL_get1_session(clientssl1
)))
926 /* Should fail because it should already be in the cache */
927 if (use_int_cache
&& !TEST_false(SSL_CTX_add_session(cctx
, sess1
)))
930 && (!TEST_int_eq(new_called
, numnewsesstick
)
932 || !TEST_int_eq(remove_called
, 0)))
935 new_called
= remove_called
= 0;
936 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
937 &clientssl2
, NULL
, NULL
))
938 || !TEST_true(SSL_set_session(clientssl2
, sess1
))
939 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
941 || !TEST_true(SSL_session_reused(clientssl2
)))
944 if (maxprot
== TLS1_3_VERSION
) {
946 * In TLSv1.3 we should have created a new session even though we have
950 && (!TEST_int_eq(new_called
, 1)
951 || !TEST_int_eq(remove_called
, 0)))
955 * In TLSv1.2 we expect to have resumed so no sessions added or
959 && (!TEST_int_eq(new_called
, 0)
960 || !TEST_int_eq(remove_called
, 0)))
964 SSL_SESSION_free(sess1
);
965 if (!TEST_ptr(sess1
= SSL_get1_session(clientssl2
)))
967 shutdown_ssl_connection(serverssl2
, clientssl2
);
968 serverssl2
= clientssl2
= NULL
;
970 new_called
= remove_called
= 0;
971 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
972 &clientssl2
, NULL
, NULL
))
973 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
977 if (!TEST_ptr(sess2
= SSL_get1_session(clientssl2
)))
981 && (!TEST_int_eq(new_called
, numnewsesstick
)
982 || !TEST_int_eq(remove_called
, 0)))
985 new_called
= remove_called
= 0;
987 * This should clear sess2 from the cache because it is a "bad" session.
988 * See SSL_set_session() documentation.
990 if (!TEST_true(SSL_set_session(clientssl2
, sess1
)))
993 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
995 if (!TEST_ptr_eq(SSL_get_session(clientssl2
), sess1
))
999 /* Should succeeded because it should not already be in the cache */
1000 if (!TEST_true(SSL_CTX_add_session(cctx
, sess2
))
1001 || !TEST_true(SSL_CTX_remove_session(cctx
, sess2
)))
1005 new_called
= remove_called
= 0;
1006 /* This shouldn't be in the cache so should fail */
1007 if (!TEST_false(SSL_CTX_remove_session(cctx
, sess2
)))
1011 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
1014 # if !defined(OPENSSL_NO_TLS1_1)
1015 new_called
= remove_called
= 0;
1016 /* Force a connection failure */
1017 SSL_CTX_set_max_proto_version(sctx
, TLS1_1_VERSION
);
1018 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl3
,
1019 &clientssl3
, NULL
, NULL
))
1020 || !TEST_true(SSL_set_session(clientssl3
, sess1
))
1021 /* This should fail because of the mismatched protocol versions */
1022 || !TEST_false(create_ssl_connection(serverssl3
, clientssl3
,
1026 /* We should have automatically removed the session from the cache */
1028 && (!TEST_int_eq(new_called
, 0) || !TEST_int_eq(remove_called
, 1)))
1031 /* Should succeed because it should not already be in the cache */
1032 if (use_int_cache
&& !TEST_true(SSL_CTX_add_session(cctx
, sess2
)))
1036 /* Now do some tests for server side caching */
1037 if (use_ext_cache
) {
1038 SSL_CTX_sess_set_new_cb(cctx
, NULL
);
1039 SSL_CTX_sess_set_remove_cb(cctx
, NULL
);
1040 SSL_CTX_sess_set_new_cb(sctx
, new_session_cb
);
1041 SSL_CTX_sess_set_remove_cb(sctx
, remove_session_cb
);
1042 SSL_CTX_sess_set_get_cb(sctx
, get_session_cb
);
1043 get_sess_val
= NULL
;
1046 SSL_CTX_set_session_cache_mode(cctx
, 0);
1047 /* Internal caching is the default on the server side */
1049 SSL_CTX_set_session_cache_mode(sctx
,
1050 SSL_SESS_CACHE_SERVER
1051 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
1053 SSL_free(serverssl1
);
1054 SSL_free(clientssl1
);
1055 serverssl1
= clientssl1
= NULL
;
1056 SSL_free(serverssl2
);
1057 SSL_free(clientssl2
);
1058 serverssl2
= clientssl2
= NULL
;
1059 SSL_SESSION_free(sess1
);
1061 SSL_SESSION_free(sess2
);
1064 SSL_CTX_set_max_proto_version(sctx
, maxprot
);
1065 SSL_CTX_set_options(sctx
, SSL_OP_NO_TICKET
);
1066 new_called
= remove_called
= get_called
= 0;
1067 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl1
, &clientssl1
,
1069 || !TEST_true(create_ssl_connection(serverssl1
, clientssl1
,
1071 || !TEST_ptr(sess1
= SSL_get1_session(clientssl1
))
1072 || !TEST_ptr(sess2
= SSL_get1_session(serverssl1
)))
1075 if (use_int_cache
) {
1076 if (maxprot
== TLS1_3_VERSION
&& !use_ext_cache
) {
1078 * In TLSv1.3 it should not have been added to the internal cache,
1079 * except in the case where we also have an external cache (in that
1080 * case it gets added to the cache in order to generate remove
1081 * events after timeout).
1083 if (!TEST_false(SSL_CTX_remove_session(sctx
, sess2
)))
1086 /* Should fail because it should already be in the cache */
1087 if (!TEST_false(SSL_CTX_add_session(sctx
, sess2
)))
1092 if (use_ext_cache
) {
1093 SSL_SESSION
*tmp
= sess2
;
1095 if (!TEST_int_eq(new_called
, numnewsesstick
)
1096 || !TEST_int_eq(remove_called
, 0)
1097 || !TEST_int_eq(get_called
, 0))
1100 * Delete the session from the internal cache to force a lookup from
1101 * the external cache. We take a copy first because
1102 * SSL_CTX_remove_session() also marks the session as non-resumable.
1104 if (use_int_cache
&& maxprot
!= TLS1_3_VERSION
) {
1105 if (!TEST_ptr(tmp
= SSL_SESSION_dup(sess2
))
1106 || !TEST_true(SSL_CTX_remove_session(sctx
, sess2
)))
1108 SSL_SESSION_free(sess2
);
1113 new_called
= remove_called
= get_called
= 0;
1114 get_sess_val
= sess2
;
1115 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl2
,
1116 &clientssl2
, NULL
, NULL
))
1117 || !TEST_true(SSL_set_session(clientssl2
, sess1
))
1118 || !TEST_true(create_ssl_connection(serverssl2
, clientssl2
,
1120 || !TEST_true(SSL_session_reused(clientssl2
)))
1123 if (use_ext_cache
) {
1124 if (!TEST_int_eq(remove_called
, 0))
1127 if (maxprot
== TLS1_3_VERSION
) {
1128 if (!TEST_int_eq(new_called
, 1)
1129 || !TEST_int_eq(get_called
, 0))
1132 if (!TEST_int_eq(new_called
, 0)
1133 || !TEST_int_eq(get_called
, 1))
1141 SSL_free(serverssl1
);
1142 SSL_free(clientssl1
);
1143 SSL_free(serverssl2
);
1144 SSL_free(clientssl2
);
1145 # ifndef OPENSSL_NO_TLS1_1
1146 SSL_free(serverssl3
);
1147 SSL_free(clientssl3
);
1149 SSL_SESSION_free(sess1
);
1150 SSL_SESSION_free(sess2
);
1156 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1158 static int test_session_with_only_int_cache(void)
1160 #ifndef OPENSSL_NO_TLS1_3
1161 if (!execute_test_session(TLS1_3_VERSION
, 1, 0))
1165 #ifndef OPENSSL_NO_TLS1_2
1166 return execute_test_session(TLS1_2_VERSION
, 1, 0);
1172 static int test_session_with_only_ext_cache(void)
1174 #ifndef OPENSSL_NO_TLS1_3
1175 if (!execute_test_session(TLS1_3_VERSION
, 0, 1))
1179 #ifndef OPENSSL_NO_TLS1_2
1180 return execute_test_session(TLS1_2_VERSION
, 0, 1);
1186 static int test_session_with_both_cache(void)
1188 #ifndef OPENSSL_NO_TLS1_3
1189 if (!execute_test_session(TLS1_3_VERSION
, 1, 1))
1193 #ifndef OPENSSL_NO_TLS1_2
1194 return execute_test_session(TLS1_2_VERSION
, 1, 1);
1200 static SSL_SESSION
*sesscache
[6];
1201 static int do_cache
;
1203 static int new_cachesession_cb(SSL
*ssl
, SSL_SESSION
*sess
)
1206 sesscache
[new_called
] = sess
;
1208 /* We don't need the reference to the session, so free it */
1209 SSL_SESSION_free(sess
);
1216 static int post_handshake_verify(SSL
*sssl
, SSL
*cssl
)
1218 SSL_set_verify(sssl
, SSL_VERIFY_PEER
, NULL
);
1219 if (!TEST_true(SSL_verify_client_post_handshake(sssl
)))
1222 /* Start handshake on the server and client */
1223 if (!TEST_int_eq(SSL_do_handshake(sssl
), 1)
1224 || !TEST_int_le(SSL_read(cssl
, NULL
, 0), 0)
1225 || !TEST_int_le(SSL_read(sssl
, NULL
, 0), 0)
1226 || !TEST_true(create_ssl_connection(sssl
, cssl
,
1233 static int test_tickets(int idx
)
1235 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
1236 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
1237 int testresult
= 0, i
;
1240 /* idx is the test number, but also the number of tickets we want */
1245 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1246 TLS1_VERSION
, TLS_MAX_VERSION
, &sctx
,
1247 &cctx
, cert
, privkey
))
1248 || !TEST_true(SSL_CTX_set_num_tickets(sctx
, idx
)))
1251 SSL_CTX_set_session_cache_mode(cctx
, SSL_SESS_CACHE_CLIENT
1252 | SSL_SESS_CACHE_NO_INTERNAL_STORE
);
1253 SSL_CTX_sess_set_new_cb(cctx
, new_cachesession_cb
);
1255 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1256 &clientssl
, NULL
, NULL
)))
1259 SSL_force_post_handshake_auth(clientssl
);
1261 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1263 /* Check we got the number of tickets we were expecting */
1264 || !TEST_int_eq(idx
, new_called
))
1267 /* After a post-handshake authentication we should get new tickets issued */
1268 if (!post_handshake_verify(serverssl
, clientssl
)
1269 || !TEST_int_eq(idx
* 2, new_called
))
1272 SSL_shutdown(clientssl
);
1273 SSL_shutdown(serverssl
);
1274 SSL_free(serverssl
);
1275 SSL_free(clientssl
);
1276 serverssl
= clientssl
= NULL
;
1278 /* Stop caching sessions - just count them */
1281 /* Test that we can resume with all the tickets we got given */
1282 for (i
= 0; i
< idx
* 2; i
++) {
1284 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1285 &clientssl
, NULL
, NULL
))
1286 || !TEST_true(SSL_set_session(clientssl
, sesscache
[i
])))
1289 SSL_force_post_handshake_auth(clientssl
);
1291 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
1293 || !TEST_true(SSL_session_reused(clientssl
))
1294 /* Following a resumption we only get 1 ticket */
1295 || !TEST_int_eq(new_called
, 1))
1299 /* After a post-handshake authentication we should get 1 new ticket */
1300 if (!post_handshake_verify(serverssl
, clientssl
)
1301 || !TEST_int_eq(new_called
, 1))
1304 SSL_shutdown(clientssl
);
1305 SSL_shutdown(serverssl
);
1306 SSL_free(serverssl
);
1307 SSL_free(clientssl
);
1308 serverssl
= clientssl
= NULL
;
1309 SSL_SESSION_free(sesscache
[i
]);
1310 sesscache
[i
] = NULL
;
1316 SSL_free(serverssl
);
1317 SSL_free(clientssl
);
1318 for (j
= 0; j
< OSSL_NELEM(sesscache
); j
++) {
1319 SSL_SESSION_free(sesscache
[j
]);
1320 sesscache
[j
] = NULL
;
1331 #define USE_DEFAULT 3
1333 #define CONNTYPE_CONNECTION_SUCCESS 0
1334 #define CONNTYPE_CONNECTION_FAIL 1
1335 #define CONNTYPE_NO_CONNECTION 2
1337 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1338 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1339 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1340 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1342 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1345 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1346 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1347 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1349 static void setupbio(BIO
**res
, BIO
*bio1
, BIO
*bio2
, int type
)
1366 * Tests calls to SSL_set_bio() under various conditions.
1368 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1369 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1370 * then do more tests where we create a successful connection first using our
1371 * standard connection setup functions, and then call SSL_set_bio() with
1372 * various combinations of valid BIOs or NULL. We then repeat these tests
1373 * following a failed connection. In this last case we are looking to check that
1374 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1376 static int test_ssl_set_bio(int idx
)
1378 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
1381 BIO
*irbio
= NULL
, *iwbio
= NULL
, *nrbio
= NULL
, *nwbio
= NULL
;
1382 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
1383 int initrbio
, initwbio
, newrbio
, newwbio
, conntype
;
1386 if (idx
< TOTAL_NO_CONN_SSL_SET_BIO_TESTS
) {
1394 conntype
= CONNTYPE_NO_CONNECTION
;
1396 idx
-= TOTAL_NO_CONN_SSL_SET_BIO_TESTS
;
1397 initrbio
= initwbio
= USE_DEFAULT
;
1405 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1406 TLS1_VERSION
, TLS_MAX_VERSION
,
1407 &sctx
, &cctx
, cert
, privkey
)))
1410 if (conntype
== CONNTYPE_CONNECTION_FAIL
) {
1412 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1413 * because we reduced the number of tests in the definition of
1414 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1415 * mismatched protocol versions we will force a connection failure.
1417 SSL_CTX_set_min_proto_version(sctx
, TLS1_3_VERSION
);
1418 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
1421 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
1425 if (initrbio
== USE_BIO_1
1426 || initwbio
== USE_BIO_1
1427 || newrbio
== USE_BIO_1
1428 || newwbio
== USE_BIO_1
) {
1429 if (!TEST_ptr(bio1
= BIO_new(BIO_s_mem())))
1433 if (initrbio
== USE_BIO_2
1434 || initwbio
== USE_BIO_2
1435 || newrbio
== USE_BIO_2
1436 || newwbio
== USE_BIO_2
) {
1437 if (!TEST_ptr(bio2
= BIO_new(BIO_s_mem())))
1441 if (initrbio
!= USE_DEFAULT
) {
1442 setupbio(&irbio
, bio1
, bio2
, initrbio
);
1443 setupbio(&iwbio
, bio1
, bio2
, initwbio
);
1444 SSL_set_bio(clientssl
, irbio
, iwbio
);
1447 * We want to maintain our own refs to these BIO, so do an up ref for
1448 * each BIO that will have ownership transferred in the SSL_set_bio()
1453 if (iwbio
!= NULL
&& iwbio
!= irbio
)
1457 if (conntype
!= CONNTYPE_NO_CONNECTION
1458 && !TEST_true(create_ssl_connection(serverssl
, clientssl
,
1460 == (conntype
== CONNTYPE_CONNECTION_SUCCESS
)))
1463 setupbio(&nrbio
, bio1
, bio2
, newrbio
);
1464 setupbio(&nwbio
, bio1
, bio2
, newwbio
);
1467 * We will (maybe) transfer ownership again so do more up refs.
1468 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1473 && (nwbio
!= iwbio
|| nrbio
!= nwbio
))
1477 && (nwbio
!= iwbio
|| (nwbio
== iwbio
&& irbio
== iwbio
)))
1480 SSL_set_bio(clientssl
, nrbio
, nwbio
);
1489 * This test is checking that the ref counting for SSL_set_bio is correct.
1490 * If we get here and we did too many frees then we will fail in the above
1491 * functions. If we haven't done enough then this will only be detected in
1492 * a crypto-mdebug build
1494 SSL_free(serverssl
);
1495 SSL_free(clientssl
);
1501 typedef enum { NO_BIO_CHANGE
, CHANGE_RBIO
, CHANGE_WBIO
} bio_change_t
;
1503 static int execute_test_ssl_bio(int pop_ssl
, bio_change_t change_bio
)
1505 BIO
*sslbio
= NULL
, *membio1
= NULL
, *membio2
= NULL
;
1510 if (!TEST_ptr(ctx
= SSL_CTX_new(TLS_method()))
1511 || !TEST_ptr(ssl
= SSL_new(ctx
))
1512 || !TEST_ptr(sslbio
= BIO_new(BIO_f_ssl()))
1513 || !TEST_ptr(membio1
= BIO_new(BIO_s_mem())))
1516 BIO_set_ssl(sslbio
, ssl
, BIO_CLOSE
);
1519 * If anything goes wrong here then we could leak memory, so this will
1520 * be caught in a crypto-mdebug build
1522 BIO_push(sslbio
, membio1
);
1524 /* Verify changing the rbio/wbio directly does not cause leaks */
1525 if (change_bio
!= NO_BIO_CHANGE
) {
1526 if (!TEST_ptr(membio2
= BIO_new(BIO_s_mem())))
1528 if (change_bio
== CHANGE_RBIO
)
1529 SSL_set0_rbio(ssl
, membio2
);
1531 SSL_set0_wbio(ssl
, membio2
);
1550 static int test_ssl_bio_pop_next_bio(void)
1552 return execute_test_ssl_bio(0, NO_BIO_CHANGE
);
1555 static int test_ssl_bio_pop_ssl_bio(void)
1557 return execute_test_ssl_bio(1, NO_BIO_CHANGE
);
1560 static int test_ssl_bio_change_rbio(void)
1562 return execute_test_ssl_bio(0, CHANGE_RBIO
);
1565 static int test_ssl_bio_change_wbio(void)
1567 return execute_test_ssl_bio(0, CHANGE_WBIO
);
1570 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1572 /* The list of sig algs */
1574 /* The length of the list */
1576 /* A sigalgs list in string format */
1577 const char *liststr
;
1578 /* Whether setting the list should succeed */
1580 /* Whether creating a connection with the list should succeed */
1584 static const int validlist1
[] = {NID_sha256
, EVP_PKEY_RSA
};
1585 # ifndef OPENSSL_NO_EC
1586 static const int validlist2
[] = {NID_sha256
, EVP_PKEY_RSA
, NID_sha512
, EVP_PKEY_EC
};
1587 static const int validlist3
[] = {NID_sha512
, EVP_PKEY_EC
};
1589 static const int invalidlist1
[] = {NID_undef
, EVP_PKEY_RSA
};
1590 static const int invalidlist2
[] = {NID_sha256
, NID_undef
};
1591 static const int invalidlist3
[] = {NID_sha256
, EVP_PKEY_RSA
, NID_sha256
};
1592 static const int invalidlist4
[] = {NID_sha256
};
1593 static const sigalgs_list testsigalgs
[] = {
1594 {validlist1
, OSSL_NELEM(validlist1
), NULL
, 1, 1},
1595 # ifndef OPENSSL_NO_EC
1596 {validlist2
, OSSL_NELEM(validlist2
), NULL
, 1, 1},
1597 {validlist3
, OSSL_NELEM(validlist3
), NULL
, 1, 0},
1599 {NULL
, 0, "RSA+SHA256", 1, 1},
1600 # ifndef OPENSSL_NO_EC
1601 {NULL
, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1602 {NULL
, 0, "ECDSA+SHA512", 1, 0},
1604 {invalidlist1
, OSSL_NELEM(invalidlist1
), NULL
, 0, 0},
1605 {invalidlist2
, OSSL_NELEM(invalidlist2
), NULL
, 0, 0},
1606 {invalidlist3
, OSSL_NELEM(invalidlist3
), NULL
, 0, 0},
1607 {invalidlist4
, OSSL_NELEM(invalidlist4
), NULL
, 0, 0},
1608 {NULL
, 0, "RSA", 0, 0},
1609 {NULL
, 0, "SHA256", 0, 0},
1610 {NULL
, 0, "RSA+SHA256:SHA256", 0, 0},
1611 {NULL
, 0, "Invalid", 0, 0}
1614 static int test_set_sigalgs(int idx
)
1616 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1617 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1619 const sigalgs_list
*curr
;
1622 /* Should never happen */
1623 if (!TEST_size_t_le((size_t)idx
, OSSL_NELEM(testsigalgs
) * 2))
1626 testctx
= ((size_t)idx
< OSSL_NELEM(testsigalgs
));
1627 curr
= testctx
? &testsigalgs
[idx
]
1628 : &testsigalgs
[idx
- OSSL_NELEM(testsigalgs
)];
1630 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1631 TLS1_VERSION
, TLS_MAX_VERSION
,
1632 &sctx
, &cctx
, cert
, privkey
)))
1636 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1637 * for TLSv1.2 for now until we add a new API.
1639 SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
);
1644 if (curr
->list
!= NULL
)
1645 ret
= SSL_CTX_set1_sigalgs(cctx
, curr
->list
, curr
->listlen
);
1647 ret
= SSL_CTX_set1_sigalgs_list(cctx
, curr
->liststr
);
1651 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx
);
1657 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx
);
1662 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
1663 &clientssl
, NULL
, NULL
)))
1669 if (curr
->list
!= NULL
)
1670 ret
= SSL_set1_sigalgs(clientssl
, curr
->list
, curr
->listlen
);
1672 ret
= SSL_set1_sigalgs_list(clientssl
, curr
->liststr
);
1675 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx
);
1684 if (!TEST_int_eq(create_ssl_connection(serverssl
, clientssl
,
1692 SSL_free(serverssl
);
1693 SSL_free(clientssl
);
1701 #ifndef OPENSSL_NO_TLS1_3
1703 static SSL_SESSION
*clientpsk
= NULL
;
1704 static SSL_SESSION
*serverpsk
= NULL
;
1705 static const char *pskid
= "Identity";
1706 static const char *srvid
;
1708 static int use_session_cb_cnt
= 0;
1709 static int find_session_cb_cnt
= 0;
1710 static int psk_client_cb_cnt
= 0;
1711 static int psk_server_cb_cnt
= 0;
1713 static int use_session_cb(SSL
*ssl
, const EVP_MD
*md
, const unsigned char **id
,
1714 size_t *idlen
, SSL_SESSION
**sess
)
1716 switch (++use_session_cb_cnt
) {
1718 /* The first call should always have a NULL md */
1724 /* The second call should always have an md */
1730 /* We should only be called a maximum of twice */
1734 if (clientpsk
!= NULL
)
1735 SSL_SESSION_up_ref(clientpsk
);
1738 *id
= (const unsigned char *)pskid
;
1739 *idlen
= strlen(pskid
);
1744 #ifndef OPENSSL_NO_PSK
1745 static unsigned int psk_client_cb(SSL
*ssl
, const char *hint
, char *id
,
1746 unsigned int max_id_len
,
1748 unsigned int max_psk_len
)
1750 unsigned int psklen
= 0;
1752 psk_client_cb_cnt
++;
1754 if (strlen(pskid
) + 1 > max_id_len
)
1757 /* We should only ever be called a maximum of twice per connection */
1758 if (psk_client_cb_cnt
> 2)
1761 if (clientpsk
== NULL
)
1764 /* We'll reuse the PSK we set up for TLSv1.3 */
1765 if (SSL_SESSION_get_master_key(clientpsk
, NULL
, 0) > max_psk_len
)
1767 psklen
= SSL_SESSION_get_master_key(clientpsk
, psk
, max_psk_len
);
1768 strncpy(id
, pskid
, max_id_len
);
1772 #endif /* OPENSSL_NO_PSK */
1774 static int find_session_cb(SSL
*ssl
, const unsigned char *identity
,
1775 size_t identity_len
, SSL_SESSION
**sess
)
1777 find_session_cb_cnt
++;
1779 /* We should only ever be called a maximum of twice per connection */
1780 if (find_session_cb_cnt
> 2)
1783 if (serverpsk
== NULL
)
1786 /* Identity should match that set by the client */
1787 if (strlen(srvid
) != identity_len
1788 || strncmp(srvid
, (const char *)identity
, identity_len
) != 0) {
1789 /* No PSK found, continue but without a PSK */
1794 SSL_SESSION_up_ref(serverpsk
);
1800 #ifndef OPENSSL_NO_PSK
1801 static unsigned int psk_server_cb(SSL
*ssl
, const char *identity
,
1802 unsigned char *psk
, unsigned int max_psk_len
)
1804 unsigned int psklen
= 0;
1806 psk_server_cb_cnt
++;
1808 /* We should only ever be called a maximum of twice per connection */
1809 if (find_session_cb_cnt
> 2)
1812 if (serverpsk
== NULL
)
1815 /* Identity should match that set by the client */
1816 if (strcmp(srvid
, identity
) != 0) {
1820 /* We'll reuse the PSK we set up for TLSv1.3 */
1821 if (SSL_SESSION_get_master_key(serverpsk
, NULL
, 0) > max_psk_len
)
1823 psklen
= SSL_SESSION_get_master_key(serverpsk
, psk
, max_psk_len
);
1827 #endif /* OPENSSL_NO_PSK */
1829 #define MSG1 "Hello"
1830 #define MSG2 "World."
1835 #define MSG7 "message."
1837 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1838 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1841 * Helper method to setup objects for early data test. Caller frees objects on
1844 static int setupearly_data_test(SSL_CTX
**cctx
, SSL_CTX
**sctx
, SSL
**clientssl
,
1845 SSL
**serverssl
, SSL_SESSION
**sess
, int idx
)
1847 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1848 TLS1_VERSION
, TLS_MAX_VERSION
,
1849 sctx
, cctx
, cert
, privkey
))
1850 || !TEST_true(SSL_CTX_set_max_early_data(*sctx
,
1851 SSL3_RT_MAX_PLAIN_LENGTH
)))
1855 /* When idx == 1 we repeat the tests with read_ahead set */
1856 SSL_CTX_set_read_ahead(*cctx
, 1);
1857 SSL_CTX_set_read_ahead(*sctx
, 1);
1858 } else if (idx
== 2) {
1859 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1860 SSL_CTX_set_psk_use_session_callback(*cctx
, use_session_cb
);
1861 SSL_CTX_set_psk_find_session_callback(*sctx
, find_session_cb
);
1862 use_session_cb_cnt
= 0;
1863 find_session_cb_cnt
= 0;
1867 if (!TEST_true(create_ssl_objects(*sctx
, *cctx
, serverssl
, clientssl
,
1872 * For one of the run throughs (doesn't matter which one), we'll try sending
1873 * some SNI data in the initial ClientHello. This will be ignored (because
1874 * there is no SNI cb set up by the server), so it should not impact
1878 && !TEST_true(SSL_set_tlsext_host_name(*clientssl
, "localhost")))
1882 /* Create the PSK */
1883 const SSL_CIPHER
*cipher
= NULL
;
1884 const unsigned char key
[] = {
1885 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1886 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1887 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1888 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1889 0x2c, 0x2d, 0x2e, 0x2f
1892 cipher
= SSL_CIPHER_find(*clientssl
, TLS13_AES_256_GCM_SHA384_BYTES
);
1893 clientpsk
= SSL_SESSION_new();
1894 if (!TEST_ptr(clientpsk
)
1895 || !TEST_ptr(cipher
)
1896 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk
, key
,
1898 || !TEST_true(SSL_SESSION_set_cipher(clientpsk
, cipher
))
1900 SSL_SESSION_set_protocol_version(clientpsk
,
1903 * We just choose an arbitrary value for max_early_data which
1904 * should be big enough for testing purposes.
1906 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk
,
1908 || !TEST_true(SSL_SESSION_up_ref(clientpsk
))) {
1909 SSL_SESSION_free(clientpsk
);
1913 serverpsk
= clientpsk
;
1916 if (!TEST_true(SSL_SESSION_up_ref(clientpsk
))) {
1917 SSL_SESSION_free(clientpsk
);
1918 SSL_SESSION_free(serverpsk
);
1919 clientpsk
= serverpsk
= NULL
;
1930 if (!TEST_true(create_ssl_connection(*serverssl
, *clientssl
,
1934 *sess
= SSL_get1_session(*clientssl
);
1935 SSL_shutdown(*clientssl
);
1936 SSL_shutdown(*serverssl
);
1937 SSL_free(*serverssl
);
1938 SSL_free(*clientssl
);
1939 *serverssl
= *clientssl
= NULL
;
1941 if (!TEST_true(create_ssl_objects(*sctx
, *cctx
, serverssl
,
1942 clientssl
, NULL
, NULL
))
1943 || !TEST_true(SSL_set_session(*clientssl
, *sess
)))
1949 static int test_early_data_read_write(int idx
)
1951 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
1952 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
1954 SSL_SESSION
*sess
= NULL
;
1955 unsigned char buf
[20], data
[1024];
1956 size_t readbytes
, written
, eoedlen
, rawread
, rawwritten
;
1959 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
1960 &serverssl
, &sess
, idx
)))
1963 /* Write and read some early data */
1964 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
1966 || !TEST_size_t_eq(written
, strlen(MSG1
))
1967 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
,
1968 sizeof(buf
), &readbytes
),
1969 SSL_READ_EARLY_DATA_SUCCESS
)
1970 || !TEST_mem_eq(MSG1
, readbytes
, buf
, strlen(MSG1
))
1971 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
1972 SSL_EARLY_DATA_ACCEPTED
))
1976 * Server should be able to write data, and client should be able to
1979 if (!TEST_true(SSL_write_early_data(serverssl
, MSG2
, strlen(MSG2
),
1981 || !TEST_size_t_eq(written
, strlen(MSG2
))
1982 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
1983 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
1986 /* Even after reading normal data, client should be able write early data */
1987 if (!TEST_true(SSL_write_early_data(clientssl
, MSG3
, strlen(MSG3
),
1989 || !TEST_size_t_eq(written
, strlen(MSG3
)))
1992 /* Server should still be able read early data after writing data */
1993 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
1995 SSL_READ_EARLY_DATA_SUCCESS
)
1996 || !TEST_mem_eq(buf
, readbytes
, MSG3
, strlen(MSG3
)))
1999 /* Write more data from server and read it from client */
2000 if (!TEST_true(SSL_write_early_data(serverssl
, MSG4
, strlen(MSG4
),
2002 || !TEST_size_t_eq(written
, strlen(MSG4
))
2003 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
2004 || !TEST_mem_eq(buf
, readbytes
, MSG4
, strlen(MSG4
)))
2008 * If client writes normal data it should mean writing early data is no
2011 if (!TEST_true(SSL_write_ex(clientssl
, MSG5
, strlen(MSG5
), &written
))
2012 || !TEST_size_t_eq(written
, strlen(MSG5
))
2013 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
2014 SSL_EARLY_DATA_ACCEPTED
))
2018 * At this point the client has written EndOfEarlyData, ClientFinished and
2019 * normal (fully protected) data. We are going to cause a delay between the
2020 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2021 * in the read BIO, and then just put back the EndOfEarlyData message.
2023 rbio
= SSL_get_rbio(serverssl
);
2024 if (!TEST_true(BIO_read_ex(rbio
, data
, sizeof(data
), &rawread
))
2025 || !TEST_size_t_lt(rawread
, sizeof(data
))
2026 || !TEST_size_t_gt(rawread
, SSL3_RT_HEADER_LENGTH
))
2029 /* Record length is in the 4th and 5th bytes of the record header */
2030 eoedlen
= SSL3_RT_HEADER_LENGTH
+ (data
[3] << 8 | data
[4]);
2031 if (!TEST_true(BIO_write_ex(rbio
, data
, eoedlen
, &rawwritten
))
2032 || !TEST_size_t_eq(rawwritten
, eoedlen
))
2035 /* Server should be told that there is no more early data */
2036 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
2038 SSL_READ_EARLY_DATA_FINISH
)
2039 || !TEST_size_t_eq(readbytes
, 0))
2043 * Server has not finished init yet, so should still be able to write early
2046 if (!TEST_true(SSL_write_early_data(serverssl
, MSG6
, strlen(MSG6
),
2048 || !TEST_size_t_eq(written
, strlen(MSG6
)))
2051 /* Push the ClientFinished and the normal data back into the server rbio */
2052 if (!TEST_true(BIO_write_ex(rbio
, data
+ eoedlen
, rawread
- eoedlen
,
2054 || !TEST_size_t_eq(rawwritten
, rawread
- eoedlen
))
2057 /* Server should be able to read normal data */
2058 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
2059 || !TEST_size_t_eq(readbytes
, strlen(MSG5
)))
2062 /* Client and server should not be able to write/read early data now */
2063 if (!TEST_false(SSL_write_early_data(clientssl
, MSG6
, strlen(MSG6
),
2067 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
2069 SSL_READ_EARLY_DATA_ERROR
))
2073 /* Client should be able to read the data sent by the server */
2074 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
2075 || !TEST_mem_eq(buf
, readbytes
, MSG6
, strlen(MSG6
)))
2079 * Make sure we process the two NewSessionTickets. These arrive
2080 * post-handshake. We attempt reads which we do not expect to return any
2083 if (!TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
2084 || !TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
),
2088 /* Server should be able to write normal data */
2089 if (!TEST_true(SSL_write_ex(serverssl
, MSG7
, strlen(MSG7
), &written
))
2090 || !TEST_size_t_eq(written
, strlen(MSG7
))
2091 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
2092 || !TEST_mem_eq(buf
, readbytes
, MSG7
, strlen(MSG7
)))
2095 SSL_SESSION_free(sess
);
2096 sess
= SSL_get1_session(clientssl
);
2097 use_session_cb_cnt
= 0;
2098 find_session_cb_cnt
= 0;
2100 SSL_shutdown(clientssl
);
2101 SSL_shutdown(serverssl
);
2102 SSL_free(serverssl
);
2103 SSL_free(clientssl
);
2104 serverssl
= clientssl
= NULL
;
2105 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2106 &clientssl
, NULL
, NULL
))
2107 || !TEST_true(SSL_set_session(clientssl
, sess
)))
2110 /* Write and read some early data */
2111 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
2113 || !TEST_size_t_eq(written
, strlen(MSG1
))
2114 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
2116 SSL_READ_EARLY_DATA_SUCCESS
)
2117 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
)))
2120 if (!TEST_int_gt(SSL_connect(clientssl
), 0)
2121 || !TEST_int_gt(SSL_accept(serverssl
), 0))
2124 /* Client and server should not be able to write/read early data now */
2125 if (!TEST_false(SSL_write_early_data(clientssl
, MSG6
, strlen(MSG6
),
2129 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
2131 SSL_READ_EARLY_DATA_ERROR
))
2135 /* Client and server should be able to write/read normal data */
2136 if (!TEST_true(SSL_write_ex(clientssl
, MSG5
, strlen(MSG5
), &written
))
2137 || !TEST_size_t_eq(written
, strlen(MSG5
))
2138 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
2139 || !TEST_size_t_eq(readbytes
, strlen(MSG5
)))
2145 SSL_SESSION_free(sess
);
2146 SSL_SESSION_free(clientpsk
);
2147 SSL_SESSION_free(serverpsk
);
2148 clientpsk
= serverpsk
= NULL
;
2149 SSL_free(serverssl
);
2150 SSL_free(clientssl
);
2156 static int test_early_data_replay(int idx
)
2158 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
2159 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
2161 SSL_SESSION
*sess
= NULL
;
2163 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
2164 &serverssl
, &sess
, idx
)))
2168 * The server is configured to accept early data. Create a connection to
2169 * "use up" the ticket
2171 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
2172 || !TEST_true(SSL_session_reused(clientssl
)))
2175 SSL_shutdown(clientssl
);
2176 SSL_shutdown(serverssl
);
2177 SSL_free(serverssl
);
2178 SSL_free(clientssl
);
2179 serverssl
= clientssl
= NULL
;
2181 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2182 &clientssl
, NULL
, NULL
))
2183 || !TEST_true(SSL_set_session(clientssl
, sess
))
2184 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
2187 * This time we should not have resumed the session because we
2188 * already used it once.
2190 || !TEST_false(SSL_session_reused(clientssl
)))
2196 SSL_SESSION_free(sess
);
2197 SSL_SESSION_free(clientpsk
);
2198 SSL_SESSION_free(serverpsk
);
2199 clientpsk
= serverpsk
= NULL
;
2200 SSL_free(serverssl
);
2201 SSL_free(clientssl
);
2208 * Helper function to test that a server attempting to read early data can
2209 * handle a connection from a client where the early data should be skipped.
2211 static int early_data_skip_helper(int hrr
, int idx
)
2213 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
2214 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
2216 SSL_SESSION
*sess
= NULL
;
2217 unsigned char buf
[20];
2218 size_t readbytes
, written
;
2220 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
2221 &serverssl
, &sess
, idx
)))
2225 /* Force an HRR to occur */
2226 if (!TEST_true(SSL_set1_groups_list(serverssl
, "P-256")))
2228 } else if (idx
== 2) {
2230 * We force early_data rejection by ensuring the PSK identity is
2233 srvid
= "Dummy Identity";
2236 * Deliberately corrupt the creation time. We take 20 seconds off the
2237 * time. It could be any value as long as it is not within tolerance.
2238 * This should mean the ticket is rejected.
2240 if (!TEST_true(SSL_SESSION_set_time(sess
, (long)(time(NULL
) - 20))))
2244 /* Write some early data */
2245 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
2247 || !TEST_size_t_eq(written
, strlen(MSG1
)))
2250 /* Server should reject the early data and skip over it */
2251 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
2253 SSL_READ_EARLY_DATA_FINISH
)
2254 || !TEST_size_t_eq(readbytes
, 0)
2255 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
2256 SSL_EARLY_DATA_REJECTED
))
2261 * Finish off the handshake. We perform the same writes and reads as
2262 * further down but we expect them to fail due to the incomplete
2265 if (!TEST_false(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
2266 || !TEST_false(SSL_read_ex(serverssl
, buf
, sizeof(buf
),
2271 /* Should be able to send normal data despite rejection of early data */
2272 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
2273 || !TEST_size_t_eq(written
, strlen(MSG2
))
2274 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
2275 SSL_EARLY_DATA_REJECTED
)
2276 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
2277 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
2283 SSL_SESSION_free(clientpsk
);
2284 SSL_SESSION_free(serverpsk
);
2285 clientpsk
= serverpsk
= NULL
;
2286 SSL_SESSION_free(sess
);
2287 SSL_free(serverssl
);
2288 SSL_free(clientssl
);
2295 * Test that a server attempting to read early data can handle a connection
2296 * from a client where the early data is not acceptable.
2298 static int test_early_data_skip(int idx
)
2300 return early_data_skip_helper(0, idx
);
2304 * Test that a server attempting to read early data can handle a connection
2305 * from a client where an HRR occurs.
2307 static int test_early_data_skip_hrr(int idx
)
2309 return early_data_skip_helper(1, idx
);
2313 * Test that a server attempting to read early data can handle a connection
2314 * from a client that doesn't send any.
2316 static int test_early_data_not_sent(int idx
)
2318 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
2319 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
2321 SSL_SESSION
*sess
= NULL
;
2322 unsigned char buf
[20];
2323 size_t readbytes
, written
;
2325 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
2326 &serverssl
, &sess
, idx
)))
2329 /* Write some data - should block due to handshake with server */
2330 SSL_set_connect_state(clientssl
);
2331 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
)))
2334 /* Server should detect that early data has not been sent */
2335 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
2337 SSL_READ_EARLY_DATA_FINISH
)
2338 || !TEST_size_t_eq(readbytes
, 0)
2339 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
2340 SSL_EARLY_DATA_NOT_SENT
)
2341 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
2342 SSL_EARLY_DATA_NOT_SENT
))
2345 /* Continue writing the message we started earlier */
2346 if (!TEST_true(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
2347 || !TEST_size_t_eq(written
, strlen(MSG1
))
2348 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
2349 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
2350 || !SSL_write_ex(serverssl
, MSG2
, strlen(MSG2
), &written
)
2351 || !TEST_size_t_eq(written
, strlen(MSG2
)))
2355 * Should block due to the NewSessionTicket arrival unless we're using
2356 * read_ahead, or PSKs
2358 if (idx
!= 1 && idx
!= 2) {
2359 if (!TEST_false(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
)))
2363 if (!TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
2364 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
2370 SSL_SESSION_free(sess
);
2371 SSL_SESSION_free(clientpsk
);
2372 SSL_SESSION_free(serverpsk
);
2373 clientpsk
= serverpsk
= NULL
;
2374 SSL_free(serverssl
);
2375 SSL_free(clientssl
);
2381 static int hostname_cb(SSL
*s
, int *al
, void *arg
)
2383 const char *hostname
= SSL_get_servername(s
, TLSEXT_NAMETYPE_host_name
);
2385 if (hostname
!= NULL
&& strcmp(hostname
, "goodhost") == 0)
2386 return SSL_TLSEXT_ERR_OK
;
2388 return SSL_TLSEXT_ERR_NOACK
;
2391 static const char *servalpn
;
2393 static int alpn_select_cb(SSL
*ssl
, const unsigned char **out
,
2394 unsigned char *outlen
, const unsigned char *in
,
2395 unsigned int inlen
, void *arg
)
2397 unsigned int protlen
= 0;
2398 const unsigned char *prot
;
2400 for (prot
= in
; prot
< in
+ inlen
; prot
+= protlen
) {
2402 if (in
+ inlen
< prot
+ protlen
)
2403 return SSL_TLSEXT_ERR_NOACK
;
2405 if (protlen
== strlen(servalpn
)
2406 && memcmp(prot
, servalpn
, protlen
) == 0) {
2409 return SSL_TLSEXT_ERR_OK
;
2413 return SSL_TLSEXT_ERR_NOACK
;
2416 /* Test that a PSK can be used to send early_data */
2417 static int test_early_data_psk(int idx
)
2419 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
2420 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
2422 SSL_SESSION
*sess
= NULL
;
2423 unsigned char alpnlist
[] = {
2424 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2427 #define GOODALPNLEN 9
2428 #define BADALPNLEN 8
2429 #define GOODALPN (alpnlist)
2430 #define BADALPN (alpnlist + GOODALPNLEN)
2432 unsigned char buf
[20];
2433 size_t readbytes
, written
;
2434 int readearlyres
= SSL_READ_EARLY_DATA_SUCCESS
, connectres
= 1;
2435 int edstatus
= SSL_EARLY_DATA_ACCEPTED
;
2437 /* We always set this up with a final parameter of "2" for PSK */
2438 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
2439 &serverssl
, &sess
, 2)))
2442 servalpn
= "goodalpn";
2445 * Note: There is no test for inconsistent SNI with late client detection.
2446 * This is because servers do not acknowledge SNI even if they are using
2447 * it in a resumption handshake - so it is not actually possible for a
2448 * client to detect a problem.
2452 /* Set inconsistent SNI (early client detection) */
2453 err
= SSL_R_INCONSISTENT_EARLY_DATA_SNI
;
2454 if (!TEST_true(SSL_SESSION_set1_hostname(sess
, "goodhost"))
2455 || !TEST_true(SSL_set_tlsext_host_name(clientssl
, "badhost")))
2460 /* Set inconsistent ALPN (early client detection) */
2461 err
= SSL_R_INCONSISTENT_EARLY_DATA_ALPN
;
2462 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2463 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess
, GOODALPN
,
2465 || !TEST_false(SSL_set_alpn_protos(clientssl
, BADALPN
,
2472 * Set invalid protocol version. Technically this affects PSKs without
2473 * early_data too, but we test it here because it is similar to the
2474 * SNI/ALPN consistency tests.
2476 err
= SSL_R_BAD_PSK
;
2477 if (!TEST_true(SSL_SESSION_set_protocol_version(sess
, TLS1_2_VERSION
)))
2483 * Set inconsistent SNI (server detected). In this case the connection
2484 * will succeed but reject early_data.
2486 SSL_SESSION_free(serverpsk
);
2487 serverpsk
= SSL_SESSION_dup(clientpsk
);
2488 if (!TEST_ptr(serverpsk
)
2489 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk
, "badhost")))
2491 edstatus
= SSL_EARLY_DATA_REJECTED
;
2492 readearlyres
= SSL_READ_EARLY_DATA_FINISH
;
2495 /* Set consistent SNI */
2496 if (!TEST_true(SSL_SESSION_set1_hostname(sess
, "goodhost"))
2497 || !TEST_true(SSL_set_tlsext_host_name(clientssl
, "goodhost"))
2498 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
,
2505 * Set inconsistent ALPN (server detected). In this case the connection
2506 * will succeed but reject early_data.
2508 servalpn
= "badalpn";
2509 edstatus
= SSL_EARLY_DATA_REJECTED
;
2510 readearlyres
= SSL_READ_EARLY_DATA_FINISH
;
2514 * Set consistent ALPN.
2515 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2516 * accepts a list of protos (each one length prefixed).
2517 * SSL_set1_alpn_selected accepts a single protocol (not length
2520 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess
, GOODALPN
+ 1,
2522 || !TEST_false(SSL_set_alpn_protos(clientssl
, GOODALPN
,
2526 SSL_CTX_set_alpn_select_cb(sctx
, alpn_select_cb
, NULL
);
2530 /* Set inconsistent ALPN (late client detection) */
2531 SSL_SESSION_free(serverpsk
);
2532 serverpsk
= SSL_SESSION_dup(clientpsk
);
2533 if (!TEST_ptr(serverpsk
)
2534 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk
,
2537 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk
,
2540 || !TEST_false(SSL_set_alpn_protos(clientssl
, alpnlist
,
2543 SSL_CTX_set_alpn_select_cb(sctx
, alpn_select_cb
, NULL
);
2544 edstatus
= SSL_EARLY_DATA_ACCEPTED
;
2545 readearlyres
= SSL_READ_EARLY_DATA_SUCCESS
;
2546 /* SSL_connect() call should fail */
2551 TEST_error("Bad test index");
2555 SSL_set_connect_state(clientssl
);
2557 if (!TEST_false(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
2559 || !TEST_int_eq(SSL_get_error(clientssl
, 0), SSL_ERROR_SSL
)
2560 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err
))
2563 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
2567 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
2568 &readbytes
), readearlyres
)
2569 || (readearlyres
== SSL_READ_EARLY_DATA_SUCCESS
2570 && !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
)))
2571 || !TEST_int_eq(SSL_get_early_data_status(serverssl
), edstatus
)
2572 || !TEST_int_eq(SSL_connect(clientssl
), connectres
))
2579 SSL_SESSION_free(sess
);
2580 SSL_SESSION_free(clientpsk
);
2581 SSL_SESSION_free(serverpsk
);
2582 clientpsk
= serverpsk
= NULL
;
2583 SSL_free(serverssl
);
2584 SSL_free(clientssl
);
2591 * Test that a server that doesn't try to read early data can handle a
2592 * client sending some.
2594 static int test_early_data_not_expected(int idx
)
2596 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
2597 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
2599 SSL_SESSION
*sess
= NULL
;
2600 unsigned char buf
[20];
2601 size_t readbytes
, written
;
2603 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
2604 &serverssl
, &sess
, idx
)))
2607 /* Write some early data */
2608 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
2613 * Server should skip over early data and then block waiting for client to
2614 * continue handshake
2616 if (!TEST_int_le(SSL_accept(serverssl
), 0)
2617 || !TEST_int_gt(SSL_connect(clientssl
), 0)
2618 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
2619 SSL_EARLY_DATA_REJECTED
)
2620 || !TEST_int_gt(SSL_accept(serverssl
), 0)
2621 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
2622 SSL_EARLY_DATA_REJECTED
))
2625 /* Send some normal data from client to server */
2626 if (!TEST_true(SSL_write_ex(clientssl
, MSG2
, strlen(MSG2
), &written
))
2627 || !TEST_size_t_eq(written
, strlen(MSG2
)))
2630 if (!TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
2631 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
2637 SSL_SESSION_free(sess
);
2638 SSL_SESSION_free(clientpsk
);
2639 SSL_SESSION_free(serverpsk
);
2640 clientpsk
= serverpsk
= NULL
;
2641 SSL_free(serverssl
);
2642 SSL_free(clientssl
);
2649 # ifndef OPENSSL_NO_TLS1_2
2651 * Test that a server attempting to read early data can handle a connection
2652 * from a TLSv1.2 client.
2654 static int test_early_data_tls1_2(int idx
)
2656 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
2657 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
2659 unsigned char buf
[20];
2660 size_t readbytes
, written
;
2662 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
2663 &serverssl
, NULL
, idx
)))
2666 /* Write some data - should block due to handshake with server */
2667 SSL_set_max_proto_version(clientssl
, TLS1_2_VERSION
);
2668 SSL_set_connect_state(clientssl
);
2669 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
)))
2673 * Server should do TLSv1.2 handshake. First it will block waiting for more
2674 * messages from client after ServerDone. Then SSL_read_early_data should
2675 * finish and detect that early data has not been sent
2677 if (!TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
2679 SSL_READ_EARLY_DATA_ERROR
))
2683 * Continue writing the message we started earlier. Will still block waiting
2684 * for the CCS/Finished from server
2686 if (!TEST_false(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
2687 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
2689 SSL_READ_EARLY_DATA_FINISH
)
2690 || !TEST_size_t_eq(readbytes
, 0)
2691 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
2692 SSL_EARLY_DATA_NOT_SENT
))
2695 /* Continue writing the message we started earlier */
2696 if (!TEST_true(SSL_write_ex(clientssl
, MSG1
, strlen(MSG1
), &written
))
2697 || !TEST_size_t_eq(written
, strlen(MSG1
))
2698 || !TEST_int_eq(SSL_get_early_data_status(clientssl
),
2699 SSL_EARLY_DATA_NOT_SENT
)
2700 || !TEST_true(SSL_read_ex(serverssl
, buf
, sizeof(buf
), &readbytes
))
2701 || !TEST_mem_eq(buf
, readbytes
, MSG1
, strlen(MSG1
))
2702 || !TEST_true(SSL_write_ex(serverssl
, MSG2
, strlen(MSG2
), &written
))
2703 || !TEST_size_t_eq(written
, strlen(MSG2
))
2704 || !SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
)
2705 || !TEST_mem_eq(buf
, readbytes
, MSG2
, strlen(MSG2
)))
2711 SSL_SESSION_free(clientpsk
);
2712 SSL_SESSION_free(serverpsk
);
2713 clientpsk
= serverpsk
= NULL
;
2714 SSL_free(serverssl
);
2715 SSL_free(clientssl
);
2721 # endif /* OPENSSL_NO_TLS1_2 */
2724 * Test configuring the TLSv1.3 ciphersuites
2726 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2727 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2728 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2729 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2730 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2731 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2732 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2733 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2734 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2735 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2737 static int test_set_ciphersuite(int idx
)
2739 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
2740 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
2743 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2744 TLS1_VERSION
, TLS_MAX_VERSION
,
2745 &sctx
, &cctx
, cert
, privkey
))
2746 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
2747 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2750 if (idx
>=4 && idx
<= 7) {
2751 /* SSL_CTX explicit cipher list */
2752 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
, "AES256-GCM-SHA384")))
2756 if (idx
== 0 || idx
== 4) {
2757 /* Default ciphersuite */
2758 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
2759 "TLS_AES_128_GCM_SHA256")))
2761 } else if (idx
== 1 || idx
== 5) {
2762 /* Non default ciphersuite */
2763 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
2764 "TLS_AES_128_CCM_SHA256")))
2768 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2769 &clientssl
, NULL
, NULL
)))
2772 if (idx
== 8 || idx
== 9) {
2773 /* SSL explicit cipher list */
2774 if (!TEST_true(SSL_set_cipher_list(clientssl
, "AES256-GCM-SHA384")))
2778 if (idx
== 2 || idx
== 6 || idx
== 8) {
2779 /* Default ciphersuite */
2780 if (!TEST_true(SSL_set_ciphersuites(clientssl
,
2781 "TLS_AES_128_GCM_SHA256")))
2783 } else if (idx
== 3 || idx
== 7 || idx
== 9) {
2784 /* Non default ciphersuite */
2785 if (!TEST_true(SSL_set_ciphersuites(clientssl
,
2786 "TLS_AES_128_CCM_SHA256")))
2790 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
)))
2796 SSL_free(serverssl
);
2797 SSL_free(clientssl
);
2804 static int test_ciphersuite_change(void)
2806 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
2807 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
2808 SSL_SESSION
*clntsess
= NULL
;
2810 const SSL_CIPHER
*aes_128_gcm_sha256
= NULL
;
2812 /* Create a session based on SHA-256 */
2813 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2814 TLS1_VERSION
, TLS_MAX_VERSION
,
2815 &sctx
, &cctx
, cert
, privkey
))
2816 || !TEST_true(SSL_CTX_set_ciphersuites(cctx
,
2817 "TLS_AES_128_GCM_SHA256"))
2818 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2819 &clientssl
, NULL
, NULL
))
2820 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
2824 clntsess
= SSL_get1_session(clientssl
);
2825 /* Save for later */
2826 aes_128_gcm_sha256
= SSL_SESSION_get0_cipher(clntsess
);
2827 SSL_shutdown(clientssl
);
2828 SSL_shutdown(serverssl
);
2829 SSL_free(serverssl
);
2830 SSL_free(clientssl
);
2831 serverssl
= clientssl
= NULL
;
2833 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2834 /* Check we can resume a session with a different SHA-256 ciphersuite */
2835 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
2836 "TLS_CHACHA20_POLY1305_SHA256"))
2837 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2839 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
2840 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
2842 || !TEST_true(SSL_session_reused(clientssl
)))
2845 SSL_SESSION_free(clntsess
);
2846 clntsess
= SSL_get1_session(clientssl
);
2847 SSL_shutdown(clientssl
);
2848 SSL_shutdown(serverssl
);
2849 SSL_free(serverssl
);
2850 SSL_free(clientssl
);
2851 serverssl
= clientssl
= NULL
;
2855 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2856 * succeeds but does not resume.
2858 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, "TLS_AES_256_GCM_SHA384"))
2859 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2861 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
2862 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
2864 || !TEST_false(SSL_session_reused(clientssl
)))
2867 SSL_SESSION_free(clntsess
);
2869 SSL_shutdown(clientssl
);
2870 SSL_shutdown(serverssl
);
2871 SSL_free(serverssl
);
2872 SSL_free(clientssl
);
2873 serverssl
= clientssl
= NULL
;
2875 /* Create a session based on SHA384 */
2876 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
, "TLS_AES_256_GCM_SHA384"))
2877 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
2878 &clientssl
, NULL
, NULL
))
2879 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
2883 clntsess
= SSL_get1_session(clientssl
);
2884 SSL_shutdown(clientssl
);
2885 SSL_shutdown(serverssl
);
2886 SSL_free(serverssl
);
2887 SSL_free(clientssl
);
2888 serverssl
= clientssl
= NULL
;
2890 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
2891 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2892 || !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
2893 "TLS_AES_256_GCM_SHA384"))
2894 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2896 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
2898 * We use SSL_ERROR_WANT_READ below so that we can pause the
2899 * connection after the initial ClientHello has been sent to
2900 * enable us to make some session changes.
2902 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
2903 SSL_ERROR_WANT_READ
)))
2906 /* Trick the client into thinking this session is for a different digest */
2907 clntsess
->cipher
= aes_128_gcm_sha256
;
2908 clntsess
->cipher_id
= clntsess
->cipher
->id
;
2911 * Continue the previously started connection. Server has selected a SHA-384
2912 * ciphersuite, but client thinks the session is for SHA-256, so it should
2915 if (!TEST_false(create_ssl_connection(serverssl
, clientssl
,
2917 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2918 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED
))
2924 SSL_SESSION_free(clntsess
);
2925 SSL_free(serverssl
);
2926 SSL_free(clientssl
);
2935 * Test 0 = Test new style callbacks
2936 * Test 1 = Test both new and old style callbacks
2937 * Test 2 = Test old style callbacks
2938 * Test 3 = Test old style callbacks with no certificate
2940 static int test_tls13_psk(int idx
)
2942 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
2943 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
2944 const SSL_CIPHER
*cipher
= NULL
;
2945 const unsigned char key
[] = {
2946 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2947 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2948 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2949 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2953 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2954 TLS1_VERSION
, TLS_MAX_VERSION
,
2955 &sctx
, &cctx
, idx
== 3 ? NULL
: cert
,
2956 idx
== 3 ? NULL
: privkey
)))
2961 * We use a ciphersuite with SHA256 to ease testing old style PSK
2962 * callbacks which will always default to SHA256. This should not be
2963 * necessary if we have no cert/priv key. In that case the server should
2964 * prefer SHA256 automatically.
2966 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx
,
2967 "TLS_AES_128_GCM_SHA256")))
2972 * Test 0: New style callbacks only
2973 * Test 1: New and old style callbacks (only the new ones should be used)
2974 * Test 2: Old style callbacks only
2976 if (idx
== 0 || idx
== 1) {
2977 SSL_CTX_set_psk_use_session_callback(cctx
, use_session_cb
);
2978 SSL_CTX_set_psk_find_session_callback(sctx
, find_session_cb
);
2980 #ifndef OPENSSL_NO_PSK
2982 SSL_CTX_set_psk_client_callback(cctx
, psk_client_cb
);
2983 SSL_CTX_set_psk_server_callback(sctx
, psk_server_cb
);
2987 use_session_cb_cnt
= 0;
2988 find_session_cb_cnt
= 0;
2989 psk_client_cb_cnt
= 0;
2990 psk_server_cb_cnt
= 0;
2994 * Check we can create a connection if callback decides not to send a
2997 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
2999 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
3001 || !TEST_false(SSL_session_reused(clientssl
))
3002 || !TEST_false(SSL_session_reused(serverssl
)))
3005 if (idx
== 0 || idx
== 1) {
3006 if (!TEST_true(use_session_cb_cnt
== 1)
3007 || !TEST_true(find_session_cb_cnt
== 0)
3009 * If no old style callback then below should be 0
3012 || !TEST_true(psk_client_cb_cnt
== idx
)
3013 || !TEST_true(psk_server_cb_cnt
== 0))
3016 if (!TEST_true(use_session_cb_cnt
== 0)
3017 || !TEST_true(find_session_cb_cnt
== 0)
3018 || !TEST_true(psk_client_cb_cnt
== 1)
3019 || !TEST_true(psk_server_cb_cnt
== 0))
3023 shutdown_ssl_connection(serverssl
, clientssl
);
3024 serverssl
= clientssl
= NULL
;
3025 use_session_cb_cnt
= psk_client_cb_cnt
= 0;
3028 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
3032 /* Create the PSK */
3033 cipher
= SSL_CIPHER_find(clientssl
, TLS13_AES_128_GCM_SHA256_BYTES
);
3034 clientpsk
= SSL_SESSION_new();
3035 if (!TEST_ptr(clientpsk
)
3036 || !TEST_ptr(cipher
)
3037 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk
, key
,
3039 || !TEST_true(SSL_SESSION_set_cipher(clientpsk
, cipher
))
3040 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk
,
3042 || !TEST_true(SSL_SESSION_up_ref(clientpsk
)))
3044 serverpsk
= clientpsk
;
3046 /* Check we can create a connection and the PSK is used */
3047 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
3048 || !TEST_true(SSL_session_reused(clientssl
))
3049 || !TEST_true(SSL_session_reused(serverssl
)))
3052 if (idx
== 0 || idx
== 1) {
3053 if (!TEST_true(use_session_cb_cnt
== 1)
3054 || !TEST_true(find_session_cb_cnt
== 1)
3055 || !TEST_true(psk_client_cb_cnt
== 0)
3056 || !TEST_true(psk_server_cb_cnt
== 0))
3059 if (!TEST_true(use_session_cb_cnt
== 0)
3060 || !TEST_true(find_session_cb_cnt
== 0)
3061 || !TEST_true(psk_client_cb_cnt
== 1)
3062 || !TEST_true(psk_server_cb_cnt
== 1))
3066 shutdown_ssl_connection(serverssl
, clientssl
);
3067 serverssl
= clientssl
= NULL
;
3068 use_session_cb_cnt
= find_session_cb_cnt
= 0;
3069 psk_client_cb_cnt
= psk_server_cb_cnt
= 0;
3071 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
3076 if (!TEST_true(SSL_set1_groups_list(serverssl
, "P-256")))
3080 * Check we can create a connection, the PSK is used and the callbacks are
3083 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
))
3084 || !TEST_true(SSL_session_reused(clientssl
))
3085 || !TEST_true(SSL_session_reused(serverssl
)))
3088 if (idx
== 0 || idx
== 1) {
3089 if (!TEST_true(use_session_cb_cnt
== 2)
3090 || !TEST_true(find_session_cb_cnt
== 2)
3091 || !TEST_true(psk_client_cb_cnt
== 0)
3092 || !TEST_true(psk_server_cb_cnt
== 0))
3095 if (!TEST_true(use_session_cb_cnt
== 0)
3096 || !TEST_true(find_session_cb_cnt
== 0)
3097 || !TEST_true(psk_client_cb_cnt
== 2)
3098 || !TEST_true(psk_server_cb_cnt
== 2))
3102 shutdown_ssl_connection(serverssl
, clientssl
);
3103 serverssl
= clientssl
= NULL
;
3104 use_session_cb_cnt
= find_session_cb_cnt
= 0;
3105 psk_client_cb_cnt
= psk_server_cb_cnt
= 0;
3109 * Check that if the server rejects the PSK we can still connect, but with
3112 srvid
= "Dummy Identity";
3113 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
3115 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
3117 || !TEST_false(SSL_session_reused(clientssl
))
3118 || !TEST_false(SSL_session_reused(serverssl
)))
3121 if (idx
== 0 || idx
== 1) {
3122 if (!TEST_true(use_session_cb_cnt
== 1)
3123 || !TEST_true(find_session_cb_cnt
== 1)
3124 || !TEST_true(psk_client_cb_cnt
== 0)
3126 * If no old style callback then below should be 0
3129 || !TEST_true(psk_server_cb_cnt
== idx
))
3132 if (!TEST_true(use_session_cb_cnt
== 0)
3133 || !TEST_true(find_session_cb_cnt
== 0)
3134 || !TEST_true(psk_client_cb_cnt
== 1)
3135 || !TEST_true(psk_server_cb_cnt
== 1))
3139 shutdown_ssl_connection(serverssl
, clientssl
);
3140 serverssl
= clientssl
= NULL
;
3145 SSL_SESSION_free(clientpsk
);
3146 SSL_SESSION_free(serverpsk
);
3147 clientpsk
= serverpsk
= NULL
;
3148 SSL_free(serverssl
);
3149 SSL_free(clientssl
);
3155 static unsigned char cookie_magic_value
[] = "cookie magic";
3157 static int generate_cookie_callback(SSL
*ssl
, unsigned char *cookie
,
3158 unsigned int *cookie_len
)
3161 * Not suitable as a real cookie generation function but good enough for
3164 memcpy(cookie
, cookie_magic_value
, sizeof(cookie_magic_value
) - 1);
3165 *cookie_len
= sizeof(cookie_magic_value
) - 1;
3170 static int verify_cookie_callback(SSL
*ssl
, const unsigned char *cookie
,
3171 unsigned int cookie_len
)
3173 if (cookie_len
== sizeof(cookie_magic_value
) - 1
3174 && memcmp(cookie
, cookie_magic_value
, cookie_len
) == 0)
3180 static int generate_stateless_cookie_callback(SSL
*ssl
, unsigned char *cookie
,
3184 int res
= generate_cookie_callback(ssl
, cookie
, &temp
);
3189 static int verify_stateless_cookie_callback(SSL
*ssl
, const unsigned char *cookie
,
3192 return verify_cookie_callback(ssl
, cookie
, cookie_len
);
3195 static int test_stateless(void)
3197 SSL_CTX
*sctx
= NULL
, *cctx
= NULL
;
3198 SSL
*serverssl
= NULL
, *clientssl
= NULL
;
3201 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3202 TLS1_VERSION
, TLS_MAX_VERSION
,
3203 &sctx
, &cctx
, cert
, privkey
)))
3206 /* The arrival of CCS messages can confuse the test */
3207 SSL_CTX_clear_options(cctx
, SSL_OP_ENABLE_MIDDLEBOX_COMPAT
);
3209 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
3211 /* Send the first ClientHello */
3212 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
3213 SSL_ERROR_WANT_READ
))
3215 * This should fail with a -1 return because we have no callbacks
3218 || !TEST_int_eq(SSL_stateless(serverssl
), -1))
3221 /* Fatal error so abandon the connection from this client */
3222 SSL_free(clientssl
);
3225 /* Set up the cookie generation and verification callbacks */
3226 SSL_CTX_set_stateless_cookie_generate_cb(sctx
, generate_stateless_cookie_callback
);
3227 SSL_CTX_set_stateless_cookie_verify_cb(sctx
, verify_stateless_cookie_callback
);
3230 * Create a new connection from the client (we can reuse the server SSL
3233 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
3235 /* Send the first ClientHello */
3236 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
3237 SSL_ERROR_WANT_READ
))
3238 /* This should fail because there is no cookie */
3239 || !TEST_int_eq(SSL_stateless(serverssl
), 0))
3242 /* Abandon the connection from this client */
3243 SSL_free(clientssl
);
3247 * Now create a connection from a new client but with the same server SSL
3250 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
3252 /* Send the first ClientHello */
3253 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
3254 SSL_ERROR_WANT_READ
))
3255 /* This should fail because there is no cookie */
3256 || !TEST_int_eq(SSL_stateless(serverssl
), 0)
3257 /* Send the second ClientHello */
3258 || !TEST_false(create_ssl_connection(serverssl
, clientssl
,
3259 SSL_ERROR_WANT_READ
))
3260 /* This should succeed because a cookie is now present */
3261 || !TEST_int_eq(SSL_stateless(serverssl
), 1)
3262 /* Complete the connection */
3263 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
3267 shutdown_ssl_connection(serverssl
, clientssl
);
3268 serverssl
= clientssl
= NULL
;
3272 SSL_free(serverssl
);
3273 SSL_free(clientssl
);
3279 #endif /* OPENSSL_NO_TLS1_3 */
3281 static int clntaddoldcb
= 0;
3282 static int clntparseoldcb
= 0;
3283 static int srvaddoldcb
= 0;
3284 static int srvparseoldcb
= 0;
3285 static int clntaddnewcb
= 0;
3286 static int clntparsenewcb
= 0;
3287 static int srvaddnewcb
= 0;
3288 static int srvparsenewcb
= 0;
3289 static int snicb
= 0;
3291 #define TEST_EXT_TYPE1 0xff00
3293 static int old_add_cb(SSL
*s
, unsigned int ext_type
, const unsigned char **out
,
3294 size_t *outlen
, int *al
, void *add_arg
)
3296 int *server
= (int *)add_arg
;
3297 unsigned char *data
;
3299 if (SSL_is_server(s
))
3304 if (*server
!= SSL_is_server(s
)
3305 || (data
= OPENSSL_malloc(sizeof(*data
))) == NULL
)
3310 *outlen
= sizeof(char);
3314 static void old_free_cb(SSL
*s
, unsigned int ext_type
, const unsigned char *out
,
3317 OPENSSL_free((unsigned char *)out
);
3320 static int old_parse_cb(SSL
*s
, unsigned int ext_type
, const unsigned char *in
,
3321 size_t inlen
, int *al
, void *parse_arg
)
3323 int *server
= (int *)parse_arg
;
3325 if (SSL_is_server(s
))
3330 if (*server
!= SSL_is_server(s
)
3331 || inlen
!= sizeof(char)
3338 static int new_add_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
3339 const unsigned char **out
, size_t *outlen
, X509
*x
,
3340 size_t chainidx
, int *al
, void *add_arg
)
3342 int *server
= (int *)add_arg
;
3343 unsigned char *data
;
3345 if (SSL_is_server(s
))
3350 if (*server
!= SSL_is_server(s
)
3351 || (data
= OPENSSL_malloc(sizeof(*data
))) == NULL
)
3356 *outlen
= sizeof(*data
);
3360 static void new_free_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
3361 const unsigned char *out
, void *add_arg
)
3363 OPENSSL_free((unsigned char *)out
);
3366 static int new_parse_cb(SSL
*s
, unsigned int ext_type
, unsigned int context
,
3367 const unsigned char *in
, size_t inlen
, X509
*x
,
3368 size_t chainidx
, int *al
, void *parse_arg
)
3370 int *server
= (int *)parse_arg
;
3372 if (SSL_is_server(s
))
3377 if (*server
!= SSL_is_server(s
)
3378 || inlen
!= sizeof(char) || *in
!= 1)
3384 static int sni_cb(SSL
*s
, int *al
, void *arg
)
3386 SSL_CTX
*ctx
= (SSL_CTX
*)arg
;
3388 if (SSL_set_SSL_CTX(s
, ctx
) == NULL
) {
3389 *al
= SSL_AD_INTERNAL_ERROR
;
3390 return SSL_TLSEXT_ERR_ALERT_FATAL
;
3393 return SSL_TLSEXT_ERR_OK
;
3397 * Custom call back tests.
3398 * Test 0: Old style callbacks in TLSv1.2
3399 * Test 1: New style callbacks in TLSv1.2
3400 * Test 2: New style callbacks in TLSv1.2 with SNI
3401 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3402 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3404 static int test_custom_exts(int tst
)
3406 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
3407 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3409 static int server
= 1;
3410 static int client
= 0;
3411 SSL_SESSION
*sess
= NULL
;
3412 unsigned int context
;
3414 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3415 /* Skip tests for TLSv1.2 and below in this case */
3420 /* Reset callback counters */
3421 clntaddoldcb
= clntparseoldcb
= srvaddoldcb
= srvparseoldcb
= 0;
3422 clntaddnewcb
= clntparsenewcb
= srvaddnewcb
= srvparsenewcb
= 0;
3425 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3426 TLS1_VERSION
, TLS_MAX_VERSION
,
3427 &sctx
, &cctx
, cert
, privkey
)))
3431 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL
,
3432 TLS1_VERSION
, TLS_MAX_VERSION
,
3433 &sctx2
, NULL
, cert
, privkey
)))
3438 SSL_CTX_set_options(cctx
, SSL_OP_NO_TLSv1_3
);
3439 SSL_CTX_set_options(sctx
, SSL_OP_NO_TLSv1_3
);
3441 SSL_CTX_set_options(sctx2
, SSL_OP_NO_TLSv1_3
);
3445 context
= SSL_EXT_CLIENT_HELLO
3446 | SSL_EXT_TLS1_2_SERVER_HELLO
3447 | SSL_EXT_TLS1_3_SERVER_HELLO
3448 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3449 | SSL_EXT_TLS1_3_CERTIFICATE
3450 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET
;
3452 context
= SSL_EXT_CLIENT_HELLO
3453 | SSL_EXT_TLS1_2_SERVER_HELLO
3454 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
;
3457 /* Create a client side custom extension */
3459 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx
, TEST_EXT_TYPE1
,
3460 old_add_cb
, old_free_cb
,
3461 &client
, old_parse_cb
,
3465 if (!TEST_true(SSL_CTX_add_custom_ext(cctx
, TEST_EXT_TYPE1
, context
,
3466 new_add_cb
, new_free_cb
,
3467 &client
, new_parse_cb
, &client
)))
3471 /* Should not be able to add duplicates */
3472 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx
, TEST_EXT_TYPE1
,
3473 old_add_cb
, old_free_cb
,
3474 &client
, old_parse_cb
,
3476 || !TEST_false(SSL_CTX_add_custom_ext(cctx
, TEST_EXT_TYPE1
,
3477 context
, new_add_cb
,
3478 new_free_cb
, &client
,
3479 new_parse_cb
, &client
)))
3482 /* Create a server side custom extension */
3484 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx
, TEST_EXT_TYPE1
,
3485 old_add_cb
, old_free_cb
,
3486 &server
, old_parse_cb
,
3490 if (!TEST_true(SSL_CTX_add_custom_ext(sctx
, TEST_EXT_TYPE1
, context
,
3491 new_add_cb
, new_free_cb
,
3492 &server
, new_parse_cb
, &server
)))
3495 && !TEST_true(SSL_CTX_add_custom_ext(sctx2
, TEST_EXT_TYPE1
,
3496 context
, new_add_cb
,
3497 new_free_cb
, &server
,
3498 new_parse_cb
, &server
)))
3502 /* Should not be able to add duplicates */
3503 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx
, TEST_EXT_TYPE1
,
3504 old_add_cb
, old_free_cb
,
3505 &server
, old_parse_cb
,
3507 || !TEST_false(SSL_CTX_add_custom_ext(sctx
, TEST_EXT_TYPE1
,
3508 context
, new_add_cb
,
3509 new_free_cb
, &server
,
3510 new_parse_cb
, &server
)))
3515 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx
, sni_cb
))
3516 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx
, sctx2
)))
3520 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3521 &clientssl
, NULL
, NULL
))
3522 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
3527 if (clntaddoldcb
!= 1
3528 || clntparseoldcb
!= 1
3530 || srvparseoldcb
!= 1)
3532 } else if (tst
== 1 || tst
== 2 || tst
== 3) {
3533 if (clntaddnewcb
!= 1
3534 || clntparsenewcb
!= 1
3536 || srvparsenewcb
!= 1
3537 || (tst
!= 2 && snicb
!= 0)
3538 || (tst
== 2 && snicb
!= 1))
3541 /* In this case there 2 NewSessionTicket messages created */
3542 if (clntaddnewcb
!= 1
3543 || clntparsenewcb
!= 5
3545 || srvparsenewcb
!= 1)
3549 sess
= SSL_get1_session(clientssl
);
3550 SSL_shutdown(clientssl
);
3551 SSL_shutdown(serverssl
);
3552 SSL_free(serverssl
);
3553 SSL_free(clientssl
);
3554 serverssl
= clientssl
= NULL
;
3557 /* We don't bother with the resumption aspects for this test */
3562 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
3564 || !TEST_true(SSL_set_session(clientssl
, sess
))
3565 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
3570 * For a resumed session we expect to add the ClientHello extension. For the
3571 * old style callbacks we ignore it on the server side because they set
3572 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3576 if (clntaddoldcb
!= 2
3577 || clntparseoldcb
!= 1
3579 || srvparseoldcb
!= 1)
3581 } else if (tst
== 1 || tst
== 2 || tst
== 3) {
3582 if (clntaddnewcb
!= 2
3583 || clntparsenewcb
!= 2
3585 || srvparsenewcb
!= 2)
3589 * No Certificate message extensions in the resumption handshake,
3590 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3592 if (clntaddnewcb
!= 2
3593 || clntparsenewcb
!= 8
3595 || srvparsenewcb
!= 2)
3602 SSL_SESSION_free(sess
);
3603 SSL_free(serverssl
);
3604 SSL_free(clientssl
);
3605 SSL_CTX_free(sctx2
);
3612 * Test loading of serverinfo data in various formats. test_sslmessages actually
3613 * tests to make sure the extensions appear in the handshake
3615 static int test_serverinfo(int tst
)
3617 unsigned int version
;
3618 unsigned char *sibuf
;
3620 int ret
, expected
, testresult
= 0;
3623 ctx
= SSL_CTX_new(TLS_method());
3627 if ((tst
& 0x01) == 0x01)
3628 version
= SSL_SERVERINFOV2
;
3630 version
= SSL_SERVERINFOV1
;
3632 if ((tst
& 0x02) == 0x02) {
3633 sibuf
= serverinfov2
;
3634 sibuflen
= sizeof(serverinfov2
);
3635 expected
= (version
== SSL_SERVERINFOV2
);
3637 sibuf
= serverinfov1
;
3638 sibuflen
= sizeof(serverinfov1
);
3639 expected
= (version
== SSL_SERVERINFOV1
);
3642 if ((tst
& 0x04) == 0x04) {
3643 ret
= SSL_CTX_use_serverinfo_ex(ctx
, version
, sibuf
, sibuflen
);
3645 ret
= SSL_CTX_use_serverinfo(ctx
, sibuf
, sibuflen
);
3648 * The version variable is irrelevant in this case - it's what is in the
3649 * buffer that matters
3651 if ((tst
& 0x02) == 0x02)
3657 if (!TEST_true(ret
== expected
))
3669 * Test that SSL_export_keying_material() produces expected results. There are
3670 * no test vectors so all we do is test that both sides of the communication
3671 * produce the same results for different protocol versions.
3673 static int test_export_key_mat(int tst
)
3676 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
, *sctx2
= NULL
;
3677 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3678 const char label
[] = "test label";
3679 const unsigned char context
[] = "context";
3680 const unsigned char *emptycontext
= NULL
;
3681 unsigned char ckeymat1
[80], ckeymat2
[80], ckeymat3
[80];
3682 unsigned char skeymat1
[80], skeymat2
[80], skeymat3
[80];
3683 const int protocols
[] = {
3690 #ifdef OPENSSL_NO_TLS1
3694 #ifdef OPENSSL_NO_TLS1_1
3698 #ifdef OPENSSL_NO_TLS1_2
3702 #ifdef OPENSSL_NO_TLS1_3
3706 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3707 TLS1_VERSION
, TLS_MAX_VERSION
,
3708 &sctx
, &cctx
, cert
, privkey
)))
3711 OPENSSL_assert(tst
>= 0 && (size_t)tst
< OSSL_NELEM(protocols
));
3712 SSL_CTX_set_max_proto_version(cctx
, protocols
[tst
]);
3713 SSL_CTX_set_min_proto_version(cctx
, protocols
[tst
]);
3715 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
3717 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
3721 if (!TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat1
,
3722 sizeof(ckeymat1
), label
,
3723 sizeof(label
) - 1, context
,
3724 sizeof(context
) - 1, 1), 1)
3725 || !TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat2
,
3726 sizeof(ckeymat2
), label
,
3730 || !TEST_int_eq(SSL_export_keying_material(clientssl
, ckeymat3
,
3731 sizeof(ckeymat3
), label
,
3734 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat1
,
3735 sizeof(skeymat1
), label
,
3738 sizeof(context
) -1, 1),
3740 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat2
,
3741 sizeof(skeymat2
), label
,
3745 || !TEST_int_eq(SSL_export_keying_material(serverssl
, skeymat3
,
3746 sizeof(skeymat3
), label
,
3750 * Check that both sides created the same key material with the
3753 || !TEST_mem_eq(ckeymat1
, sizeof(ckeymat1
), skeymat1
,
3756 * Check that both sides created the same key material with an
3759 || !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), skeymat2
,
3762 * Check that both sides created the same key material without a
3765 || !TEST_mem_eq(ckeymat3
, sizeof(ckeymat3
), skeymat3
,
3767 /* Different contexts should produce different results */
3768 || !TEST_mem_ne(ckeymat1
, sizeof(ckeymat1
), ckeymat2
,
3773 * Check that an empty context and no context produce different results in
3774 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3776 if ((tst
!= 3 && !TEST_mem_ne(ckeymat2
, sizeof(ckeymat2
), ckeymat3
,
3778 || (tst
==3 && !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), ckeymat3
,
3785 SSL_free(serverssl
);
3786 SSL_free(clientssl
);
3787 SSL_CTX_free(sctx2
);
3794 #ifndef OPENSSL_NO_TLS1_3
3796 * Test that SSL_export_keying_material_early() produces expected
3797 * results. There are no test vectors so all we do is test that both
3798 * sides of the communication produce the same results for different
3799 * protocol versions.
3801 static int test_export_key_mat_early(int idx
)
3803 static const char label
[] = "test label";
3804 static const unsigned char context
[] = "context";
3806 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3807 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3808 SSL_SESSION
*sess
= NULL
;
3809 const unsigned char *emptycontext
= NULL
;
3810 unsigned char ckeymat1
[80], ckeymat2
[80];
3811 unsigned char skeymat1
[80], skeymat2
[80];
3812 unsigned char buf
[1];
3813 size_t readbytes
, written
;
3815 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
, &serverssl
,
3819 /* Here writing 0 length early data is enough. */
3820 if (!TEST_true(SSL_write_early_data(clientssl
, NULL
, 0, &written
))
3821 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
, sizeof(buf
),
3823 SSL_READ_EARLY_DATA_ERROR
)
3824 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
3825 SSL_EARLY_DATA_ACCEPTED
))
3828 if (!TEST_int_eq(SSL_export_keying_material_early(
3829 clientssl
, ckeymat1
, sizeof(ckeymat1
), label
,
3830 sizeof(label
) - 1, context
, sizeof(context
) - 1), 1)
3831 || !TEST_int_eq(SSL_export_keying_material_early(
3832 clientssl
, ckeymat2
, sizeof(ckeymat2
), label
,
3833 sizeof(label
) - 1, emptycontext
, 0), 1)
3834 || !TEST_int_eq(SSL_export_keying_material_early(
3835 serverssl
, skeymat1
, sizeof(skeymat1
), label
,
3836 sizeof(label
) - 1, context
, sizeof(context
) - 1), 1)
3837 || !TEST_int_eq(SSL_export_keying_material_early(
3838 serverssl
, skeymat2
, sizeof(skeymat2
), label
,
3839 sizeof(label
) - 1, emptycontext
, 0), 1)
3841 * Check that both sides created the same key material with the
3844 || !TEST_mem_eq(ckeymat1
, sizeof(ckeymat1
), skeymat1
,
3847 * Check that both sides created the same key material with an
3850 || !TEST_mem_eq(ckeymat2
, sizeof(ckeymat2
), skeymat2
,
3852 /* Different contexts should produce different results */
3853 || !TEST_mem_ne(ckeymat1
, sizeof(ckeymat1
), ckeymat2
,
3860 SSL_SESSION_free(sess
);
3861 SSL_SESSION_free(clientpsk
);
3862 SSL_SESSION_free(serverpsk
);
3863 clientpsk
= serverpsk
= NULL
;
3864 SSL_free(serverssl
);
3865 SSL_free(clientssl
);
3871 #endif /* OPENSSL_NO_TLS1_3 */
3873 static int test_ssl_clear(int idx
)
3875 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
3876 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
3879 #ifdef OPENSSL_NO_TLS1_2
3884 /* Create an initial connection */
3885 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3886 TLS1_VERSION
, TLS_MAX_VERSION
,
3887 &sctx
, &cctx
, cert
, privkey
))
3889 && !TEST_true(SSL_CTX_set_max_proto_version(cctx
,
3891 || !TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
3892 &clientssl
, NULL
, NULL
))
3893 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
3897 SSL_shutdown(clientssl
);
3898 SSL_shutdown(serverssl
);
3899 SSL_free(serverssl
);
3902 /* Clear clientssl - we're going to reuse the object */
3903 if (!TEST_true(SSL_clear(clientssl
)))
3906 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
3908 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
3910 || !TEST_true(SSL_session_reused(clientssl
)))
3913 SSL_shutdown(clientssl
);
3914 SSL_shutdown(serverssl
);
3919 SSL_free(serverssl
);
3920 SSL_free(clientssl
);
3927 /* Parse CH and retrieve any MFL extension value if present */
3928 static int get_MFL_from_client_hello(BIO
*bio
, int *mfl_codemfl_code
)
3931 unsigned char *data
;
3932 PACKET pkt
= {0}, pkt2
= {0}, pkt3
= {0};
3933 unsigned int MFL_code
= 0, type
= 0;
3935 if (!TEST_uint_gt( len
= BIO_get_mem_data( bio
, (char **) &data
), 0 ) )
3938 if (!TEST_true( PACKET_buf_init( &pkt
, data
, len
) )
3939 /* Skip the record header */
3940 || !PACKET_forward(&pkt
, SSL3_RT_HEADER_LENGTH
)
3941 /* Skip the handshake message header */
3942 || !TEST_true(PACKET_forward(&pkt
, SSL3_HM_HEADER_LENGTH
))
3943 /* Skip client version and random */
3944 || !TEST_true(PACKET_forward(&pkt
, CLIENT_VERSION_LEN
3945 + SSL3_RANDOM_SIZE
))
3946 /* Skip session id */
3947 || !TEST_true(PACKET_get_length_prefixed_1(&pkt
, &pkt2
))
3949 || !TEST_true(PACKET_get_length_prefixed_2(&pkt
, &pkt2
))
3950 /* Skip compression */
3951 || !TEST_true(PACKET_get_length_prefixed_1(&pkt
, &pkt2
))
3952 /* Extensions len */
3953 || !TEST_true(PACKET_as_length_prefixed_2(&pkt
, &pkt2
)))
3956 /* Loop through all extensions */
3957 while (PACKET_remaining(&pkt2
)) {
3958 if (!TEST_true(PACKET_get_net_2(&pkt2
, &type
))
3959 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2
, &pkt3
)))
3962 if (type
== TLSEXT_TYPE_max_fragment_length
) {
3963 if (!TEST_uint_ne(PACKET_remaining(&pkt3
), 0)
3964 || !TEST_true(PACKET_get_1(&pkt3
, &MFL_code
)))
3967 *mfl_codemfl_code
= MFL_code
;
3976 /* Maximum-Fragment-Length TLS extension mode to test */
3977 static const unsigned char max_fragment_len_test
[] = {
3978 TLSEXT_max_fragment_length_512
,
3979 TLSEXT_max_fragment_length_1024
,
3980 TLSEXT_max_fragment_length_2048
,
3981 TLSEXT_max_fragment_length_4096
3984 static int test_max_fragment_len_ext(int idx_tst
)
3988 int testresult
= 0, MFL_mode
= 0;
3991 ctx
= SSL_CTX_new(TLS_method());
3995 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3996 ctx
, max_fragment_len_test
[idx_tst
])))
4003 rbio
= BIO_new(BIO_s_mem());
4004 wbio
= BIO_new(BIO_s_mem());
4005 if (!TEST_ptr(rbio
)|| !TEST_ptr(wbio
)) {
4011 SSL_set_bio(con
, rbio
, wbio
);
4012 SSL_set_connect_state(con
);
4014 if (!TEST_int_le(SSL_connect(con
), 0)) {
4015 /* This shouldn't succeed because we don't have a server! */
4019 if (!TEST_true(get_MFL_from_client_hello(wbio
, &MFL_mode
)))
4020 /* no MFL in client hello */
4022 if (!TEST_true(max_fragment_len_test
[idx_tst
] == MFL_mode
))
4034 #ifndef OPENSSL_NO_TLS1_3
4035 static int test_pha_key_update(void)
4037 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4038 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4041 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4042 TLS1_VERSION
, TLS_MAX_VERSION
,
4043 &sctx
, &cctx
, cert
, privkey
)))
4046 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx
, TLS1_3_VERSION
))
4047 || !TEST_true(SSL_CTX_set_max_proto_version(sctx
, TLS1_3_VERSION
))
4048 || !TEST_true(SSL_CTX_set_min_proto_version(cctx
, TLS1_3_VERSION
))
4049 || !TEST_true(SSL_CTX_set_max_proto_version(cctx
, TLS1_3_VERSION
)))
4053 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4057 SSL_force_post_handshake_auth(clientssl
);
4059 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
4063 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
, NULL
);
4064 if (!TEST_true(SSL_verify_client_post_handshake(serverssl
)))
4067 if (!TEST_true(SSL_key_update(clientssl
, SSL_KEY_UPDATE_NOT_REQUESTED
)))
4070 /* Start handshake on the server */
4071 if (!TEST_int_eq(SSL_do_handshake(serverssl
), 1))
4074 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4075 if (!TEST_true(create_ssl_connection(serverssl
, clientssl
,
4079 SSL_shutdown(clientssl
);
4080 SSL_shutdown(serverssl
);
4085 SSL_free(serverssl
);
4086 SSL_free(clientssl
);
4093 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4095 static SRP_VBASE
*vbase
= NULL
;
4097 static int ssl_srp_cb(SSL
*s
, int *ad
, void *arg
)
4099 int ret
= SSL3_AL_FATAL
;
4101 SRP_user_pwd
*user
= NULL
;
4103 username
= SSL_get_srp_username(s
);
4104 if (username
== NULL
) {
4105 *ad
= SSL_AD_INTERNAL_ERROR
;
4109 user
= SRP_VBASE_get1_by_user(vbase
, username
);
4111 *ad
= SSL_AD_INTERNAL_ERROR
;
4115 if (SSL_set_srp_server_param(s
, user
->N
, user
->g
, user
->s
, user
->v
,
4117 *ad
= SSL_AD_INTERNAL_ERROR
;
4124 SRP_user_pwd_free(user
);
4128 static int create_new_vfile(char *userid
, char *password
, const char *filename
)
4131 OPENSSL_STRING
*row
= OPENSSL_zalloc(sizeof(row
) * (DB_NUMBER
+ 1));
4134 BIO
*out
= NULL
, *dummy
= BIO_new_mem_buf("", 0);
4137 if (!TEST_ptr(dummy
) || !TEST_ptr(row
))
4140 gNid
= SRP_create_verifier(userid
, password
, &row
[DB_srpsalt
],
4141 &row
[DB_srpverifier
], NULL
, NULL
);
4142 if (!TEST_ptr(gNid
))
4146 * The only way to create an empty TXT_DB is to provide a BIO with no data
4149 db
= TXT_DB_read(dummy
, DB_NUMBER
);
4153 out
= BIO_new_file(filename
, "w");
4157 row
[DB_srpid
] = OPENSSL_strdup(userid
);
4158 row
[DB_srptype
] = OPENSSL_strdup("V");
4159 row
[DB_srpgN
] = OPENSSL_strdup(gNid
);
4161 if (!TEST_ptr(row
[DB_srpid
])
4162 || !TEST_ptr(row
[DB_srptype
])
4163 || !TEST_ptr(row
[DB_srpgN
])
4164 || !TEST_true(TXT_DB_insert(db
, row
)))
4169 if (!TXT_DB_write(out
, db
))
4175 for (i
= 0; i
< DB_NUMBER
; i
++)
4176 OPENSSL_free(row
[i
]);
4186 static int create_new_vbase(char *userid
, char *password
)
4188 BIGNUM
*verifier
= NULL
, *salt
= NULL
;
4189 const SRP_gN
*lgN
= NULL
;
4190 SRP_user_pwd
*user_pwd
= NULL
;
4193 lgN
= SRP_get_default_gN(NULL
);
4197 if (!TEST_true(SRP_create_verifier_BN(userid
, password
, &salt
, &verifier
,
4201 user_pwd
= OPENSSL_zalloc(sizeof(*user_pwd
));
4202 if (!TEST_ptr(user_pwd
))
4205 user_pwd
->N
= lgN
->N
;
4206 user_pwd
->g
= lgN
->g
;
4207 user_pwd
->id
= OPENSSL_strdup(userid
);
4208 if (!TEST_ptr(user_pwd
->id
))
4211 user_pwd
->v
= verifier
;
4213 verifier
= salt
= NULL
;
4215 if (sk_SRP_user_pwd_insert(vbase
->users_pwd
, user_pwd
, 0) == 0)
4221 SRP_user_pwd_free(user_pwd
);
4231 * Test 0: Simple successful SRP connection, new vbase
4232 * Test 1: Connection failure due to bad password, new vbase
4233 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4234 * Test 3: Connection failure due to bad password, vbase loaded from existing
4236 * Test 4: Simple successful SRP connection, vbase loaded from new file
4237 * Test 5: Connection failure due to bad password, vbase loaded from new file
4239 static int test_srp(int tst
)
4241 char *userid
= "test", *password
= "password", *tstsrpfile
;
4242 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4243 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4244 int ret
, testresult
= 0;
4246 vbase
= SRP_VBASE_new(NULL
);
4247 if (!TEST_ptr(vbase
))
4250 if (tst
== 0 || tst
== 1) {
4251 if (!TEST_true(create_new_vbase(userid
, password
)))
4254 if (tst
== 4 || tst
== 5) {
4255 if (!TEST_true(create_new_vfile(userid
, password
, tmpfilename
)))
4257 tstsrpfile
= tmpfilename
;
4259 tstsrpfile
= srpvfile
;
4261 if (!TEST_int_eq(SRP_VBASE_init(vbase
, tstsrpfile
), SRP_NO_ERROR
))
4265 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4266 TLS1_VERSION
, TLS_MAX_VERSION
,
4267 &sctx
, &cctx
, cert
, privkey
)))
4270 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx
, ssl_srp_cb
), 0)
4271 || !TEST_true(SSL_CTX_set_cipher_list(cctx
, "SRP-AES-128-CBC-SHA"))
4272 || !TEST_true(SSL_CTX_set_max_proto_version(sctx
, TLS1_2_VERSION
))
4273 || !TEST_true(SSL_CTX_set_max_proto_version(cctx
, TLS1_2_VERSION
))
4274 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx
, userid
), 0))
4278 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx
, "badpass"), 0))
4281 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx
, password
), 0))
4285 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4289 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
4291 if (!TEST_true(tst
% 2 == 0))
4294 if (!TEST_true(tst
% 2 == 1))
4301 SRP_VBASE_free(vbase
);
4303 SSL_free(serverssl
);
4304 SSL_free(clientssl
);
4312 static int info_cb_failed
= 0;
4313 static int info_cb_offset
= 0;
4314 static int info_cb_this_state
= -1;
4316 static struct info_cb_states_st
{
4318 const char *statestr
;
4319 } info_cb_states
[][60] = {
4321 /* TLSv1.2 server followed by resumption */
4322 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
4323 {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
4324 {SSL_CB_LOOP
, "TWSC"}, {SSL_CB_LOOP
, "TWSKE"}, {SSL_CB_LOOP
, "TWSD"},
4325 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWSD"}, {SSL_CB_LOOP
, "TRCKE"},
4326 {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWST"},
4327 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
4328 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
4329 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
4330 {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "TRCH"},
4331 {SSL_CB_LOOP
, "TWSH"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
4332 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TRCCS"},
4333 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
4334 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
4336 /* TLSv1.2 client followed by resumption */
4337 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
4338 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
4339 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TRSC"}, {SSL_CB_LOOP
, "TRSKE"},
4340 {SSL_CB_LOOP
, "TRSD"}, {SSL_CB_LOOP
, "TWCKE"}, {SSL_CB_LOOP
, "TWCCS"},
4341 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWFIN"},
4342 {SSL_CB_LOOP
, "TRST"}, {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"},
4343 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_ALERT
, NULL
},
4344 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
4345 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
4346 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TRCCS"}, {SSL_CB_LOOP
, "TRFIN"},
4347 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
4348 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
4350 /* TLSv1.3 server followed by resumption */
4351 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
4352 {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
4353 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWSC"},
4354 {SSL_CB_LOOP
, "TRSCV"}, {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TED"},
4355 {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRFIN"},
4356 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
4357 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
4358 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TWST"},
4359 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
4360 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
4361 {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "TRCH"},
4362 {SSL_CB_LOOP
, "TWSH"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"},
4363 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_LOOP
, "TED"}, {SSL_CB_EXIT
, NULL
},
4364 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRFIN"},
4365 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
4366 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
4367 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
4369 /* TLSv1.3 client followed by resumption */
4370 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
4371 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
}, {SSL_CB_LOOP
, "TWCH"},
4372 {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"}, {SSL_CB_LOOP
, "TRSC"},
4373 {SSL_CB_LOOP
, "TRSCV"}, {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"},
4374 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
4375 {SSL_CB_EXIT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
4376 {SSL_CB_LOOP
, "SSLOK "}, {SSL_CB_LOOP
, "SSLOK "}, {SSL_CB_LOOP
, "TRST"},
4377 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
4378 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "SSLOK "},
4379 {SSL_CB_LOOP
, "SSLOK "}, {SSL_CB_LOOP
, "TRST"},
4380 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
4381 {SSL_CB_ALERT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
4382 {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_EXIT
, NULL
},
4383 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
4384 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWFIN"},
4385 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
4386 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "SSLOK "},
4387 {SSL_CB_LOOP
, "SSLOK "}, {SSL_CB_LOOP
, "TRST"},
4388 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
4390 /* TLSv1.3 server, early_data */
4391 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
4392 {SSL_CB_LOOP
, "PINIT "}, {SSL_CB_LOOP
, "TRCH"}, {SSL_CB_LOOP
, "TWSH"},
4393 {SSL_CB_LOOP
, "TWCCS"}, {SSL_CB_LOOP
, "TWEE"}, {SSL_CB_LOOP
, "TWFIN"},
4394 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
4395 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TED"},
4396 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TWEOED"}, {SSL_CB_LOOP
, "TRFIN"},
4397 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
4398 {SSL_CB_LOOP
, "TWST"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
4399 {SSL_CB_EXIT
, NULL
}, {0, NULL
},
4401 /* TLSv1.3 client, early_data */
4402 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "PINIT "},
4403 {SSL_CB_LOOP
, "TWCH"}, {SSL_CB_LOOP
, "TWCCS"},
4404 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
},
4405 {SSL_CB_HANDSHAKE_START
, NULL
}, {SSL_CB_LOOP
, "TED"},
4406 {SSL_CB_LOOP
, "TED"}, {SSL_CB_LOOP
, "TRSH"}, {SSL_CB_LOOP
, "TREE"},
4407 {SSL_CB_LOOP
, "TRFIN"}, {SSL_CB_LOOP
, "TPEDE"}, {SSL_CB_LOOP
, "TWEOED"},
4408 {SSL_CB_LOOP
, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE
, NULL
},
4409 {SSL_CB_EXIT
, NULL
}, {SSL_CB_HANDSHAKE_START
, NULL
},
4410 {SSL_CB_LOOP
, "SSLOK "}, {SSL_CB_LOOP
, "SSLOK "}, {SSL_CB_LOOP
, "TRST"},
4411 {SSL_CB_HANDSHAKE_DONE
, NULL
}, {SSL_CB_EXIT
, NULL
}, {0, NULL
},
4417 static void sslapi_info_callback(const SSL
*s
, int where
, int ret
)
4419 struct info_cb_states_st
*state
= info_cb_states
[info_cb_offset
];
4421 /* We do not ever expect a connection to fail in this test */
4422 if (!TEST_false(ret
== 0)) {
4428 * Do some sanity checks. We never expect these things to happen in this
4431 if (!TEST_false((SSL_is_server(s
) && (where
& SSL_ST_CONNECT
) != 0))
4432 || !TEST_false(!SSL_is_server(s
) && (where
& SSL_ST_ACCEPT
) != 0)
4433 || !TEST_int_ne(state
[++info_cb_this_state
].where
, 0)) {
4438 /* Now check we're in the right state */
4439 if (!TEST_true((where
& state
[info_cb_this_state
].where
) != 0)) {
4443 if ((where
& SSL_CB_LOOP
) != 0
4444 && !TEST_int_eq(strcmp(SSL_state_string(s
),
4445 state
[info_cb_this_state
].statestr
), 0)) {
4450 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4451 if ((where
& SSL_CB_HANDSHAKE_DONE
) && SSL_in_init((SSL
*)s
) != 0) {
4458 * Test the info callback gets called when we expect it to.
4460 * Test 0: TLSv1.2, server
4461 * Test 1: TLSv1.2, client
4462 * Test 2: TLSv1.3, server
4463 * Test 3: TLSv1.3, client
4464 * Test 4: TLSv1.3, server, early_data
4465 * Test 5: TLSv1.3, client, early_data
4467 static int test_info_callback(int tst
)
4469 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4470 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4471 SSL_SESSION
*clntsess
= NULL
;
4476 #ifndef OPENSSL_NO_TLS1_2
4477 tlsvers
= TLS1_2_VERSION
;
4482 #ifndef OPENSSL_NO_TLS1_3
4483 tlsvers
= TLS1_3_VERSION
;
4491 info_cb_this_state
= -1;
4492 info_cb_offset
= tst
;
4494 #ifndef OPENSSL_NO_TLS1_3
4496 SSL_SESSION
*sess
= NULL
;
4497 size_t written
, readbytes
;
4498 unsigned char buf
[80];
4500 /* early_data tests */
4501 if (!TEST_true(setupearly_data_test(&cctx
, &sctx
, &clientssl
,
4502 &serverssl
, &sess
, 0)))
4505 /* We don't actually need this reference */
4506 SSL_SESSION_free(sess
);
4508 SSL_set_info_callback((tst
% 2) == 0 ? serverssl
: clientssl
,
4509 sslapi_info_callback
);
4511 /* Write and read some early data and then complete the connection */
4512 if (!TEST_true(SSL_write_early_data(clientssl
, MSG1
, strlen(MSG1
),
4514 || !TEST_size_t_eq(written
, strlen(MSG1
))
4515 || !TEST_int_eq(SSL_read_early_data(serverssl
, buf
,
4516 sizeof(buf
), &readbytes
),
4517 SSL_READ_EARLY_DATA_SUCCESS
)
4518 || !TEST_mem_eq(MSG1
, readbytes
, buf
, strlen(MSG1
))
4519 || !TEST_int_eq(SSL_get_early_data_status(serverssl
),
4520 SSL_EARLY_DATA_ACCEPTED
)
4521 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4523 || !TEST_false(info_cb_failed
))
4531 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4532 TLS_client_method(),
4533 tlsvers
, tlsvers
, &sctx
, &cctx
, cert
,
4538 * For even numbered tests we check the server callbacks. For odd numbers we
4541 SSL_CTX_set_info_callback((tst
% 2) == 0 ? sctx
: cctx
,
4542 sslapi_info_callback
);
4544 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
,
4545 &clientssl
, NULL
, NULL
))
4546 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4548 || !TEST_false(info_cb_failed
))
4553 clntsess
= SSL_get1_session(clientssl
);
4554 SSL_shutdown(clientssl
);
4555 SSL_shutdown(serverssl
);
4556 SSL_free(serverssl
);
4557 SSL_free(clientssl
);
4558 serverssl
= clientssl
= NULL
;
4560 /* Now do a resumption */
4561 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
4563 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4564 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4566 || !TEST_true(SSL_session_reused(clientssl
))
4567 || !TEST_false(info_cb_failed
))
4573 SSL_free(serverssl
);
4574 SSL_free(clientssl
);
4575 SSL_SESSION_free(clntsess
);
4581 static int test_ssl_pending(int tst
)
4583 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4584 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4586 char msg
[] = "A test message";
4588 size_t written
, readbytes
;
4591 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4592 TLS_client_method(),
4593 TLS1_VERSION
, TLS_MAX_VERSION
,
4594 &sctx
, &cctx
, cert
, privkey
)))
4597 #ifndef OPENSSL_NO_DTLS
4598 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4599 DTLS_client_method(),
4600 DTLS1_VERSION
, DTLS_MAX_VERSION
,
4601 &sctx
, &cctx
, cert
, privkey
)))
4608 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4610 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4614 if (!TEST_int_eq(SSL_pending(clientssl
), 0)
4615 || !TEST_false(SSL_has_pending(clientssl
))
4616 || !TEST_int_eq(SSL_pending(serverssl
), 0)
4617 || !TEST_false(SSL_has_pending(serverssl
))
4618 || !TEST_true(SSL_write_ex(serverssl
, msg
, sizeof(msg
), &written
))
4619 || !TEST_size_t_eq(written
, sizeof(msg
))
4620 || !TEST_true(SSL_read_ex(clientssl
, buf
, sizeof(buf
), &readbytes
))
4621 || !TEST_size_t_eq(readbytes
, sizeof(buf
))
4622 || !TEST_int_eq(SSL_pending(clientssl
), (int)(written
- readbytes
))
4623 || !TEST_true(SSL_has_pending(clientssl
)))
4629 SSL_free(serverssl
);
4630 SSL_free(clientssl
);
4638 unsigned int maxprot
;
4639 const char *clntciphers
;
4640 const char *clnttls13ciphers
;
4641 const char *srvrciphers
;
4642 const char *srvrtls13ciphers
;
4644 } shared_ciphers_data
[] = {
4646 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4647 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4649 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
4652 "AES128-SHA:AES256-SHA",
4654 "AES256-SHA:DHE-RSA-AES128-SHA",
4660 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4662 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4664 "AES128-SHA:AES256-SHA"
4668 "AES128-SHA:AES256-SHA",
4670 "AES128-SHA:DHE-RSA-AES128-SHA",
4676 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4679 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4680 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4683 "AES128-SHA:AES256-SHA",
4685 "AES256-SHA:AES128-SHA256",
4687 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4688 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4691 #ifndef OPENSSL_NO_TLS1_3
4695 "TLS_AES_256_GCM_SHA384",
4697 "TLS_AES_256_GCM_SHA384",
4698 "TLS_AES_256_GCM_SHA384"
4703 static int test_ssl_get_shared_ciphers(int tst
)
4705 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4706 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4710 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4711 TLS_client_method(),
4713 shared_ciphers_data
[tst
].maxprot
,
4714 &sctx
, &cctx
, cert
, privkey
)))
4717 if (!TEST_true(SSL_CTX_set_cipher_list(cctx
,
4718 shared_ciphers_data
[tst
].clntciphers
))
4719 || (shared_ciphers_data
[tst
].clnttls13ciphers
!= NULL
4720 && !TEST_true(SSL_CTX_set_ciphersuites(cctx
,
4721 shared_ciphers_data
[tst
].clnttls13ciphers
)))
4722 || !TEST_true(SSL_CTX_set_cipher_list(sctx
,
4723 shared_ciphers_data
[tst
].srvrciphers
))
4724 || (shared_ciphers_data
[tst
].srvrtls13ciphers
!= NULL
4725 && !TEST_true(SSL_CTX_set_ciphersuites(sctx
,
4726 shared_ciphers_data
[tst
].srvrtls13ciphers
))))
4730 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4732 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4736 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl
, buf
, sizeof(buf
)))
4737 || !TEST_int_eq(strcmp(buf
, shared_ciphers_data
[tst
].shared
), 0)) {
4738 TEST_info("Shared ciphers are: %s\n", buf
);
4745 SSL_free(serverssl
);
4746 SSL_free(clientssl
);
4753 static const char *appdata
= "Hello World";
4754 static int gen_tick_called
, dec_tick_called
, tick_key_cb_called
;
4755 static int tick_key_renew
= 0;
4756 static SSL_TICKET_RETURN tick_dec_ret
= SSL_TICKET_RETURN_ABORT
;
4758 static int gen_tick_cb(SSL
*s
, void *arg
)
4760 gen_tick_called
= 1;
4762 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s
), appdata
,
4766 static SSL_TICKET_RETURN
dec_tick_cb(SSL
*s
, SSL_SESSION
*ss
,
4767 const unsigned char *keyname
,
4768 size_t keyname_length
,
4769 SSL_TICKET_STATUS status
,
4775 dec_tick_called
= 1;
4777 if (status
== SSL_TICKET_EMPTY
)
4778 return SSL_TICKET_RETURN_IGNORE_RENEW
;
4780 if (!TEST_true(status
== SSL_TICKET_SUCCESS
4781 || status
== SSL_TICKET_SUCCESS_RENEW
))
4782 return SSL_TICKET_RETURN_ABORT
;
4784 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss
, &tickdata
,
4786 || !TEST_size_t_eq(tickdlen
, strlen(appdata
))
4787 || !TEST_int_eq(memcmp(tickdata
, appdata
, tickdlen
), 0))
4788 return SSL_TICKET_RETURN_ABORT
;
4790 if (tick_key_cb_called
) {
4791 /* Don't change what the ticket key callback wanted to do */
4793 case SSL_TICKET_NO_DECRYPT
:
4794 return SSL_TICKET_RETURN_IGNORE_RENEW
;
4796 case SSL_TICKET_SUCCESS
:
4797 return SSL_TICKET_RETURN_USE
;
4799 case SSL_TICKET_SUCCESS_RENEW
:
4800 return SSL_TICKET_RETURN_USE_RENEW
;
4803 return SSL_TICKET_RETURN_ABORT
;
4806 return tick_dec_ret
;
4810 static int tick_key_cb(SSL
*s
, unsigned char key_name
[16],
4811 unsigned char iv
[EVP_MAX_IV_LENGTH
], EVP_CIPHER_CTX
*ctx
,
4812 HMAC_CTX
*hctx
, int enc
)
4814 const unsigned char tick_aes_key
[16] = "0123456789abcdef";
4815 const unsigned char tick_hmac_key
[16] = "0123456789abcdef";
4817 tick_key_cb_called
= 1;
4818 memset(iv
, 0, AES_BLOCK_SIZE
);
4819 memset(key_name
, 0, 16);
4820 if (!EVP_CipherInit_ex(ctx
, EVP_aes_128_cbc(), NULL
, tick_aes_key
, iv
, enc
)
4821 || !HMAC_Init_ex(hctx
, tick_hmac_key
, sizeof(tick_hmac_key
),
4822 EVP_sha256(), NULL
))
4825 return tick_key_renew
? 2 : 1;
4829 * Test the various ticket callbacks
4830 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
4831 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
4832 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
4833 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
4834 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
4835 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
4836 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
4837 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
4838 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
4839 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
4840 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
4841 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
4843 static int test_ticket_callbacks(int tst
)
4845 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
4846 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
4847 SSL_SESSION
*clntsess
= NULL
;
4850 #ifdef OPENSSL_NO_TLS1_2
4854 #ifdef OPENSSL_NO_TLS1_3
4859 gen_tick_called
= dec_tick_called
= tick_key_cb_called
= 0;
4861 /* Which tests the ticket key callback should request renewal for */
4862 if (tst
== 10 || tst
== 11)
4867 /* Which tests the decrypt ticket callback should request renewal for */
4871 tick_dec_ret
= SSL_TICKET_RETURN_IGNORE
;
4876 tick_dec_ret
= SSL_TICKET_RETURN_IGNORE_RENEW
;
4881 tick_dec_ret
= SSL_TICKET_RETURN_USE
;
4886 tick_dec_ret
= SSL_TICKET_RETURN_USE_RENEW
;
4890 tick_dec_ret
= SSL_TICKET_RETURN_ABORT
;
4893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4894 TLS_client_method(),
4896 ((tst
% 2) == 0) ? TLS1_2_VERSION
4898 &sctx
, &cctx
, cert
, privkey
)))
4902 * We only want sessions to resume from tickets - not the session cache. So
4903 * switch the cache off.
4905 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx
, SSL_SESS_CACHE_OFF
)))
4908 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx
, gen_tick_cb
, dec_tick_cb
,
4913 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx
, tick_key_cb
)))
4916 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
4918 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4923 * The decrypt ticket key callback in TLSv1.2 should be called even though
4924 * we have no ticket yet, because it gets called with a status of
4925 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
4926 * actually send any ticket data). This does not happen in TLSv1.3 because
4927 * it is not valid to send empty ticket data in TLSv1.3.
4929 if (!TEST_int_eq(gen_tick_called
, 1)
4930 || !TEST_int_eq(dec_tick_called
, ((tst
% 2) == 0) ? 1 : 0))
4933 gen_tick_called
= dec_tick_called
= 0;
4935 clntsess
= SSL_get1_session(clientssl
);
4936 SSL_shutdown(clientssl
);
4937 SSL_shutdown(serverssl
);
4938 SSL_free(serverssl
);
4939 SSL_free(clientssl
);
4940 serverssl
= clientssl
= NULL
;
4942 /* Now do a resumption */
4943 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
, NULL
,
4945 || !TEST_true(SSL_set_session(clientssl
, clntsess
))
4946 || !TEST_true(create_ssl_connection(serverssl
, clientssl
,
4950 if (tick_dec_ret
== SSL_TICKET_RETURN_IGNORE
4951 || tick_dec_ret
== SSL_TICKET_RETURN_IGNORE_RENEW
) {
4952 if (!TEST_false(SSL_session_reused(clientssl
)))
4955 if (!TEST_true(SSL_session_reused(clientssl
)))
4959 if (!TEST_int_eq(gen_tick_called
,
4961 || tick_dec_ret
== SSL_TICKET_RETURN_IGNORE_RENEW
4962 || tick_dec_ret
== SSL_TICKET_RETURN_USE_RENEW
)
4964 || !TEST_int_eq(dec_tick_called
, 1))
4970 SSL_SESSION_free(clntsess
);
4971 SSL_free(serverssl
);
4972 SSL_free(clientssl
);
4979 int setup_tests(void)
4981 if (!TEST_ptr(cert
= test_get_argument(0))
4982 || !TEST_ptr(privkey
= test_get_argument(1))
4983 || !TEST_ptr(srpvfile
= test_get_argument(2))
4984 || !TEST_ptr(tmpfilename
= test_get_argument(3)))
4987 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL
) {
4988 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
4989 TEST_error("not supported in this build");
4992 int i
, mcount
, rcount
, fcount
;
4994 for (i
= 0; i
< 4; i
++)
4995 test_export_key_mat(i
);
4996 CRYPTO_get_alloc_counts(&mcount
, &rcount
, &fcount
);
4997 test_printf_stdout("malloc %d realloc %d free %d\n",
4998 mcount
, rcount
, fcount
);
5003 ADD_TEST(test_large_message_tls
);
5004 ADD_TEST(test_large_message_tls_read_ahead
);
5005 #ifndef OPENSSL_NO_DTLS
5006 ADD_TEST(test_large_message_dtls
);
5008 #ifndef OPENSSL_NO_OCSP
5009 ADD_TEST(test_tlsext_status_type
);
5011 ADD_TEST(test_session_with_only_int_cache
);
5012 ADD_TEST(test_session_with_only_ext_cache
);
5013 ADD_TEST(test_session_with_both_cache
);
5014 #ifndef OPENSSL_NO_TLS1_3
5015 ADD_ALL_TESTS(test_tickets
, 3);
5017 ADD_ALL_TESTS(test_ssl_set_bio
, TOTAL_SSL_SET_BIO_TESTS
);
5018 ADD_TEST(test_ssl_bio_pop_next_bio
);
5019 ADD_TEST(test_ssl_bio_pop_ssl_bio
);
5020 ADD_TEST(test_ssl_bio_change_rbio
);
5021 ADD_TEST(test_ssl_bio_change_wbio
);
5022 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
5023 ADD_ALL_TESTS(test_set_sigalgs
, OSSL_NELEM(testsigalgs
) * 2);
5024 ADD_TEST(test_keylog
);
5026 #ifndef OPENSSL_NO_TLS1_3
5027 ADD_TEST(test_keylog_no_master_key
);
5029 #ifndef OPENSSL_NO_TLS1_2
5030 ADD_TEST(test_client_hello_cb
);
5032 #ifndef OPENSSL_NO_TLS1_3
5033 ADD_ALL_TESTS(test_early_data_read_write
, 3);
5035 * We don't do replay tests for external PSK. Replay protection isn't used
5038 ADD_ALL_TESTS(test_early_data_replay
, 2);
5039 ADD_ALL_TESTS(test_early_data_skip
, 3);
5040 ADD_ALL_TESTS(test_early_data_skip_hrr
, 3);
5041 ADD_ALL_TESTS(test_early_data_not_sent
, 3);
5042 ADD_ALL_TESTS(test_early_data_psk
, 8);
5043 ADD_ALL_TESTS(test_early_data_not_expected
, 3);
5044 # ifndef OPENSSL_NO_TLS1_2
5045 ADD_ALL_TESTS(test_early_data_tls1_2
, 3);
5048 #ifndef OPENSSL_NO_TLS1_3
5049 ADD_ALL_TESTS(test_set_ciphersuite
, 10);
5050 ADD_TEST(test_ciphersuite_change
);
5051 #ifdef OPENSSL_NO_PSK
5052 ADD_ALL_TESTS(test_tls13_psk
, 1);
5054 ADD_ALL_TESTS(test_tls13_psk
, 4);
5055 #endif /* OPENSSL_NO_PSK */
5056 ADD_ALL_TESTS(test_custom_exts
, 5);
5057 ADD_TEST(test_stateless
);
5058 ADD_TEST(test_pha_key_update
);
5060 ADD_ALL_TESTS(test_custom_exts
, 3);
5062 ADD_ALL_TESTS(test_serverinfo
, 8);
5063 ADD_ALL_TESTS(test_export_key_mat
, 4);
5064 #ifndef OPENSSL_NO_TLS1_3
5065 ADD_ALL_TESTS(test_export_key_mat_early
, 3);
5067 ADD_ALL_TESTS(test_ssl_clear
, 2);
5068 ADD_ALL_TESTS(test_max_fragment_len_ext
, OSSL_NELEM(max_fragment_len_test
));
5069 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5070 ADD_ALL_TESTS(test_srp
, 6);
5072 ADD_ALL_TESTS(test_info_callback
, 6);
5073 ADD_ALL_TESTS(test_ssl_pending
, 2);
5074 ADD_ALL_TESTS(test_ssl_get_shared_ciphers
, OSSL_NELEM(shared_ciphers_data
));
5075 ADD_ALL_TESTS(test_ticket_callbacks
, 12);
5079 void cleanup_tests(void)
5081 bio_s_mempacket_test_free();