]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update libssl to use the new library context aware SRP functions
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
2cb4b5f6
MC		 31
32#include "ssltestlib.h"
c887104f 33#include "testutil.h"
f297e4ec 34#include "testutil/output.h"
176db6dc 35#include "internal/nelem.h"
fe5d9450 36#include "internal/ktls.h"
706457b7 37#include "../ssl/ssl_local.h"
2cb4b5f6 38
8614a4eb
MC		 39#ifndef OPENSSL_NO_TLS1_3
40
41static SSL_SESSION *clientpsk = NULL;
42static SSL_SESSION *serverpsk = NULL;
43static const char *pskid = "Identity";
44static const char *srvid;
45
46static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
47 size_t *idlen, SSL_SESSION **sess);
48static int find_session_cb(SSL *ssl, const unsigned char *identity,
49 size_t identity_len, SSL_SESSION **sess);
50
51static int use_session_cb_cnt = 0;
52static int find_session_cb_cnt = 0;
53
54static SSL_SESSION *create_a_psk(SSL *ssl);
55#endif
56
1a2a3a42 57static char *certsdir = NULL;
2cb4b5f6
MC		 58static char *cert = NULL;
59static char *privkey = NULL;
76fd7a1d
MC		 60static char *srpvfile = NULL;
61static char *tmpfilename = NULL;
2cb4b5f6 62
cffe973c 63#define LOG_BUFFER_SIZE 2048
6acdd3e5 64static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 65static size_t server_log_buffer_index = 0;
6acdd3e5 66static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 67static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 68static int error_writing_log = 0;
69
8f8c11d8 70#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 71static const unsigned char orespder[] = "Dummy OCSP Response";
72static int ocsp_server_called = 0;
73static int ocsp_client_called = 0;
74
75static int cdummyarg = 1;
76static X509 *ocspcert = NULL;
8f8c11d8 77#endif
ba881d3b 78
84d5549e 79#define NUM_EXTRA_CERTS 40
cf72c757 80#define CLIENT_VERSION_LEN 2
84d5549e 81
f1a5939f
CB		 82/*
83 * This structure is used to validate that the correct number of log messages
84 * of various types are emitted when emitting secret logs.
85 */
86struct sslapitest_log_counts {
87 unsigned int rsa_key_exchange_count;
88 unsigned int master_secret_count;
cffe973c 89 unsigned int client_early_secret_count;
f1a5939f
CB		 90 unsigned int client_handshake_secret_count;
91 unsigned int server_handshake_secret_count;
92 unsigned int client_application_secret_count;
93 unsigned int server_application_secret_count;
01a2a654 94 unsigned int early_exporter_secret_count;
6329ce8f 95 unsigned int exporter_secret_count;
f1a5939f
CB		 96};
97
16afd71c
MC		 98
99static unsigned char serverinfov1[] = {
100 0xff, 0xff, /* Dummy extension type */
101 0x00, 0x01, /* Extension length is 1 byte */
102 0xff /* Dummy extension data */
103};
104
105static unsigned char serverinfov2[] = {
106 0x00, 0x00, 0x00,
107 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
108 0xff, 0xff, /* Dummy extension type */
109 0x00, 0x01, /* Extension length is 1 byte */
110 0xff /* Dummy extension data */
111};
112
104a733d
MC		 113static int hostname_cb(SSL *s, int *al, void *arg)
114{
115 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
116
117 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
118 || strcmp(hostname, "altgoodhost") == 0))
119 return SSL_TLSEXT_ERR_OK;
120
121 return SSL_TLSEXT_ERR_NOACK;
122}
123
710756a9
RS		 124static void client_keylog_callback(const SSL *ssl, const char *line)
125{
6acdd3e5
CB		 126 int line_length = strlen(line);
127
128 /* If the log doesn't fit, error out. */
710756a9
RS		 129 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
130 TEST_info("Client log too full");
6acdd3e5
CB		 131 error_writing_log = 1;
132 return;
133 }
134
135 strcat(client_log_buffer, line);
136 client_log_buffer_index += line_length;
710756a9 137 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 138}
139
710756a9
RS		 140static void server_keylog_callback(const SSL *ssl, const char *line)
141{
6acdd3e5
CB		 142 int line_length = strlen(line);
143
144 /* If the log doesn't fit, error out. */
710756a9 145 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 146 TEST_info("Server log too full");
6acdd3e5
CB		 147 error_writing_log = 1;
148 return;
149 }
150
151 strcat(server_log_buffer, line);
152 server_log_buffer_index += line_length;
710756a9 153 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 154}
155
156static int compare_hex_encoded_buffer(const char *hex_encoded,
157 size_t hex_length,
158 const uint8_t *raw,
710756a9
RS		 159 size_t raw_length)
160{
161 size_t i, j;
162 char hexed[3];
6acdd3e5 163
710756a9 164 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 165 return 1;
6acdd3e5 166
710756a9 167 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 168 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 169 if (!TEST_int_eq(hexed[0], hex_encoded[j])
170 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 171 return 1;
6acdd3e5
CB		 172 }
173
174 return 0;
175}
176
177static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 178 const SSL_SESSION *session,
710756a9
RS		 179 struct sslapitest_log_counts *expected)
180{
6acdd3e5
CB		 181 char *token = NULL;
182 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
183 size_t client_random_size = SSL3_RANDOM_SIZE;
184 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
185 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 186 unsigned int rsa_key_exchange_count = 0;
187 unsigned int master_secret_count = 0;
cffe973c 188 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 189 unsigned int client_handshake_secret_count = 0;
190 unsigned int server_handshake_secret_count = 0;
191 unsigned int client_application_secret_count = 0;
192 unsigned int server_application_secret_count = 0;
01a2a654 193 unsigned int early_exporter_secret_count = 0;
6329ce8f 194 unsigned int exporter_secret_count = 0;
6acdd3e5 195
710756a9
RS		 196 for (token = strtok(buffer, " \n"); token != NULL;
197 token = strtok(NULL, " \n")) {
6acdd3e5 198 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 199 /*
200 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 201 * hex-encoded encrypted secret, then the hex-encoded pre-master
202 * secret.
203 */
710756a9 204 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 205 return 0;
710756a9 206 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 207 return 0;
710756a9 208 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 209 return 0;
f1a5939f
CB		 210 /*
211 * We can't sensibly check the log because the premaster secret is
212 * transient, and OpenSSL doesn't keep hold of it once the master
213 * secret is generated.
214 */
215 rsa_key_exchange_count++;
6acdd3e5 216 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 217 /*
218 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 219 * client random, then the hex-encoded master secret.
220 */
221 client_random_size = SSL_get_client_random(ssl,
222 actual_client_random,
223 SSL3_RANDOM_SIZE);
710756a9 224 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 225 return 0;
6acdd3e5 226
710756a9 227 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 228 return 0;
710756a9 229 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 230 return 0;
710756a9
RS		 231 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
232 actual_client_random,
233 client_random_size)))
f1a5939f 234 return 0;
6acdd3e5 235
710756a9 236 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 237 return 0;
6acdd3e5
CB		 238 master_key_size = SSL_SESSION_get_master_key(session,
239 actual_master_key,
240 master_key_size);
710756a9 241 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 242 return 0;
710756a9
RS		 243 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
244 actual_master_key,
245 master_key_size)))
f1a5939f 246 return 0;
f1a5939f 247 master_secret_count++;
cffe973c
PW		 248 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
249 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 250 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
251 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 252 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 253 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 254 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 255 /*
256 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
257 * client random, and then the hex-encoded secret. In this case,
258 * we treat all of these secrets identically and then just
259 * distinguish between them when counting what we saw.
260 */
cffe973c
PW		 261 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
262 client_early_secret_count++;
263 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 264 client_handshake_secret_count++;
265 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
266 server_handshake_secret_count++;
267 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
268 client_application_secret_count++;
269 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
270 server_application_secret_count++;
01a2a654
PW		 271 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
272 early_exporter_secret_count++;
6329ce8f
PW		 273 else if (strcmp(token, "EXPORTER_SECRET") == 0)
274 exporter_secret_count++;
f1a5939f
CB		 275
276 client_random_size = SSL_get_client_random(ssl,
277 actual_client_random,
278 SSL3_RANDOM_SIZE);
710756a9 279 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 280 return 0;
f1a5939f 281
710756a9 282 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 283 return 0;
710756a9 284 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 285 return 0;
710756a9
RS		 286 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
287 actual_client_random,
288 client_random_size)))
f1a5939f 289 return 0;
6acdd3e5 290
710756a9 291 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 292 return 0;
f1a5939f
CB		 293
294 /*
295 * TODO(TLS1.3): test that application traffic secrets are what
296 * we expect */
6acdd3e5 297 } else {
710756a9 298 TEST_info("Unexpected token %s\n", token);
f1a5939f 299 return 0;
6acdd3e5 300 }
6acdd3e5
CB		 301 }
302
710756a9
RS		 303 /* Got what we expected? */
304 if (!TEST_size_t_eq(rsa_key_exchange_count,
305 expected->rsa_key_exchange_count)
306 || !TEST_size_t_eq(master_secret_count,
307 expected->master_secret_count)
cffe973c
PW		 308 || !TEST_size_t_eq(client_early_secret_count,
309 expected->client_early_secret_count)
710756a9
RS		 310 || !TEST_size_t_eq(client_handshake_secret_count,
311 expected->client_handshake_secret_count)
312 || !TEST_size_t_eq(server_handshake_secret_count,
313 expected->server_handshake_secret_count)
314 || !TEST_size_t_eq(client_application_secret_count,
315 expected->client_application_secret_count)
316 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 317 expected->server_application_secret_count)
01a2a654
PW		 318 || !TEST_size_t_eq(early_exporter_secret_count,
319 expected->early_exporter_secret_count)
6329ce8f
PW		 320 || !TEST_size_t_eq(exporter_secret_count,
321 expected->exporter_secret_count))
710756a9
RS		 322 return 0;
323 return 1;
6acdd3e5
CB		 324}
325
c423ecaa 326#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 327static int test_keylog(void)
328{
6acdd3e5
CB		 329 SSL_CTX *cctx = NULL, *sctx = NULL;
330 SSL *clientssl = NULL, *serverssl = NULL;
331 int testresult = 0;
6fc1e624 332 struct sslapitest_log_counts expected;
6acdd3e5
CB		 333
334 /* Clean up logging space */
6fc1e624 335 memset(&expected, 0, sizeof(expected));
710756a9
RS		 336 memset(client_log_buffer, 0, sizeof(client_log_buffer));
337 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 338 client_log_buffer_index = 0;
339 server_log_buffer_index = 0;
340 error_writing_log = 0;
341
710756a9
RS		 342 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
343 TLS_client_method(),
5c587fb6 344 TLS1_VERSION, 0,
710756a9 345 &sctx, &cctx, cert, privkey)))
6acdd3e5 346 return 0;
6acdd3e5
CB		 347
348 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
349 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
350 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
351
f0deb4d3 352 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 353 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 354 goto end;
f0deb4d3 355
cf10df81
RS		 356 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
357 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 358 goto end;
6acdd3e5 359 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 360 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
361 == client_keylog_callback))
6acdd3e5 362 goto end;
710756a9 363 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 364 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
365 == server_keylog_callback))
6acdd3e5 366 goto end;
6acdd3e5 367
710756a9
RS		 368 /* Now do a handshake and check that the logs have been written to. */
369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
370 &clientssl, NULL, NULL))
371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
372 SSL_ERROR_NONE))
373 || !TEST_false(error_writing_log)
374 || !TEST_int_gt(client_log_buffer_index, 0)
375 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 376 goto end;
6acdd3e5 377
f1a5939f
CB		 378 /*
379 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 380 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 381 * data we expect. For both client and server, we expect to see one master
382 * secret. The client should also see a RSA key exchange.
6acdd3e5 383 */
f1a5939f
CB		 384 expected.rsa_key_exchange_count = 1;
385 expected.master_secret_count = 1;
710756a9
RS		 386 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
387 SSL_get_session(clientssl), &expected)))
6acdd3e5 388 goto end;
f1a5939f
CB		 389
390 expected.rsa_key_exchange_count = 0;
710756a9
RS		 391 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
392 SSL_get_session(serverssl), &expected)))
6acdd3e5 393 goto end;
6acdd3e5
CB		 394
395 testresult = 1;
396
397end:
398 SSL_free(serverssl);
399 SSL_free(clientssl);
400 SSL_CTX_free(sctx);
401 SSL_CTX_free(cctx);
402
403 return testresult;
404}
c423ecaa 405#endif
6acdd3e5
CB		 406
407#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 408static int test_keylog_no_master_key(void)
409{
6acdd3e5
CB		 410 SSL_CTX *cctx = NULL, *sctx = NULL;
411 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 412 SSL_SESSION *sess = NULL;
6acdd3e5 413 int testresult = 0;
6fc1e624 414 struct sslapitest_log_counts expected;
cffe973c
PW		 415 unsigned char buf[1];
416 size_t readbytes, written;
6acdd3e5
CB		 417
418 /* Clean up logging space */
6fc1e624 419 memset(&expected, 0, sizeof(expected));
710756a9
RS		 420 memset(client_log_buffer, 0, sizeof(client_log_buffer));
421 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 422 client_log_buffer_index = 0;
423 server_log_buffer_index = 0;
424 error_writing_log = 0;
425
7d7f6834 426 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 427 TLS1_VERSION, 0,
cffe973c
PW		 428 &sctx, &cctx, cert, privkey))
429 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 430 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 431 return 0;
6acdd3e5 432
cf10df81
RS		 433 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
434 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 435 goto end;
6acdd3e5
CB		 436
437 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 438 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
439 == client_keylog_callback))
6acdd3e5 440 goto end;
6acdd3e5 441
710756a9 442 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 443 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
444 == server_keylog_callback))
6acdd3e5 445 goto end;
6acdd3e5 446
710756a9
RS		 447 /* Now do a handshake and check that the logs have been written to. */
448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
449 &clientssl, NULL, NULL))
450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
451 SSL_ERROR_NONE))
452 || !TEST_false(error_writing_log))
6acdd3e5 453 goto end;
6acdd3e5 454
f1a5939f
CB		 455 /*
456 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 457 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 458 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 459 */
f1a5939f
CB		 460 expected.client_handshake_secret_count = 1;
461 expected.server_handshake_secret_count = 1;
462 expected.client_application_secret_count = 1;
463 expected.server_application_secret_count = 1;
6329ce8f 464 expected.exporter_secret_count = 1;
710756a9
RS		 465 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
466 SSL_get_session(clientssl), &expected))
467 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
468 SSL_get_session(serverssl),
469 &expected)))
6acdd3e5 470 goto end;
6acdd3e5 471
cffe973c
PW		 472 /* Terminate old session and resume with early data. */
473 sess = SSL_get1_session(clientssl);
474 SSL_shutdown(clientssl);
475 SSL_shutdown(serverssl);
476 SSL_free(serverssl);
477 SSL_free(clientssl);
478 serverssl = clientssl = NULL;
479
480 /* Reset key log */
481 memset(client_log_buffer, 0, sizeof(client_log_buffer));
482 memset(server_log_buffer, 0, sizeof(server_log_buffer));
483 client_log_buffer_index = 0;
484 server_log_buffer_index = 0;
485
486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
487 &clientssl, NULL, NULL))
488 || !TEST_true(SSL_set_session(clientssl, sess))
489 /* Here writing 0 length early data is enough. */
490 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
491 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
492 &readbytes),
493 SSL_READ_EARLY_DATA_ERROR)
494 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
495 SSL_EARLY_DATA_ACCEPTED)
496 || !TEST_true(create_ssl_connection(serverssl, clientssl,
497 SSL_ERROR_NONE))
498 || !TEST_true(SSL_session_reused(clientssl)))
499 goto end;
500
501 /* In addition to the previous entries, expect early secrets. */
502 expected.client_early_secret_count = 1;
01a2a654 503 expected.early_exporter_secret_count = 1;
cffe973c
PW		 504 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
505 SSL_get_session(clientssl), &expected))
506 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
507 SSL_get_session(serverssl),
508 &expected)))
509 goto end;
510
6acdd3e5
CB		 511 testresult = 1;
512
513end:
cffe973c 514 SSL_SESSION_free(sess);
6acdd3e5
CB		 515 SSL_free(serverssl);
516 SSL_free(clientssl);
517 SSL_CTX_free(sctx);
518 SSL_CTX_free(cctx);
519
520 return testresult;
521}
522#endif
523
e9ee6536 524#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 525static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 526{
527 int *ctr = arg;
528 const unsigned char *p;
8ea404fb 529 int *exts;
2afaee51
BK		 530 /* We only configure two ciphers, but the SCSV is added automatically. */
531#ifdef OPENSSL_NO_EC
532 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
533#else
534 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
535 0x2c, 0x00, 0xff};
536#endif
8ea404fb
BK		 537 const int expected_extensions[] = {
538#ifndef OPENSSL_NO_EC
539 11, 10,
540#endif
10ed1b72 541 35, 22, 23, 13};
2afaee51
BK		 542 size_t len;
543
544 /* Make sure we can defer processing and get called back. */
545 if ((*ctr)++ == 0)
f1b97da1 546 return SSL_CLIENT_HELLO_RETRY;
2afaee51 547
a9c0d8be 548 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 549 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 550 || !TEST_size_t_eq(
551 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 552 || !TEST_int_eq(*p, 0))
f1b97da1 553 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 554 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 555 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 556 if (len != OSSL_NELEM(expected_extensions) ||
557 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 558 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 559 OPENSSL_free(exts);
f1b97da1 560 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 561 }
562 OPENSSL_free(exts);
f1b97da1 563 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 564}
565
a9c0d8be 566static int test_client_hello_cb(void)
710756a9 567{
2afaee51
BK		 568 SSL_CTX *cctx = NULL, *sctx = NULL;
569 SSL *clientssl = NULL, *serverssl = NULL;
570 int testctr = 0, testresult = 0;
571
7d7f6834 572 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 573 TLS1_VERSION, 0,
7d7f6834 574 &sctx, &cctx, cert, privkey)))
2afaee51 575 goto end;
a9c0d8be 576 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 577
2afaee51
BK		 578 /* The gimpy cipher list we configure can't do TLS 1.3. */
579 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 580
710756a9
RS		 581 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
582 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
583 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
584 &clientssl, NULL, NULL))
585 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 586 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 587 /*
588 * Passing a -1 literal is a hack since
589 * the real value was lost.
590 * */
a9c0d8be
DB		 591 || !TEST_int_eq(SSL_get_error(serverssl, -1),
592 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 593 || !TEST_true(create_ssl_connection(serverssl, clientssl,
594 SSL_ERROR_NONE)))
2afaee51 595 goto end;
2afaee51
BK		 596
597 testresult = 1;
598
088dfa13
TS		 599end:
600 SSL_free(serverssl);
601 SSL_free(clientssl);
602 SSL_CTX_free(sctx);
603 SSL_CTX_free(cctx);
604
605 return testresult;
606}
607
608static int test_no_ems(void)
609{
610 SSL_CTX *cctx = NULL, *sctx = NULL;
611 SSL *clientssl = NULL, *serverssl = NULL;
612 int testresult = 0;
613
614 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
615 TLS1_VERSION, TLS1_2_VERSION,
616 &sctx, &cctx, cert, privkey)) {
617 printf("Unable to create SSL_CTX pair\n");
618 goto end;
619 }
620
621 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
622
623 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
624 printf("Unable to create SSL objects\n");
625 goto end;
626 }
627
628 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
629 printf("Creating SSL connection failed\n");
630 goto end;
631 }
632
633 if (SSL_get_extms_support(serverssl)) {
634 printf("Server reports Extended Master Secret support\n");
635 goto end;
636 }
637
638 if (SSL_get_extms_support(clientssl)) {
639 printf("Client reports Extended Master Secret support\n");
640 goto end;
641 }
642 testresult = 1;
643
2afaee51
BK		 644end:
645 SSL_free(serverssl);
646 SSL_free(clientssl);
647 SSL_CTX_free(sctx);
648 SSL_CTX_free(cctx);
649
650 return testresult;
651}
e9ee6536 652#endif
2afaee51 653
3cd14e5e
BK		 654/*
655 * Very focused test to exercise a single case in the server-side state
656 * machine, when the ChangeCipherState message needs to actually change
657 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 658 * encryption to real encryption).
3cd14e5e
BK		 659 */
660static int test_ccs_change_cipher(void)
661{
662 SSL_CTX *cctx = NULL, *sctx = NULL;
663 SSL *clientssl = NULL, *serverssl = NULL;
664 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
665 int testresult = 0;
666 int i;
667 unsigned char buf;
668 size_t readbytes;
669
670 /*
671 * Create a conection so we can resume and potentially (but not) use
672 * a different cipher in the second connection.
673 */
674 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
675 TLS_client_method(),
676 TLS1_VERSION, TLS1_2_VERSION,
677 &sctx, &cctx, cert, privkey))
678 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
679 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
680 NULL, NULL))
681 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
682 || !TEST_true(create_ssl_connection(serverssl, clientssl,
683 SSL_ERROR_NONE))
684 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
685 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
686 goto end;
687
688 shutdown_ssl_connection(serverssl, clientssl);
689 serverssl = clientssl = NULL;
690
691 /* Resume, preferring a different cipher. Our server will force the
692 * same cipher to be used as the initial handshake. */
693 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
694 NULL, NULL))
695 || !TEST_true(SSL_set_session(clientssl, sess))
696 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
697 || !TEST_true(create_ssl_connection(serverssl, clientssl,
698 SSL_ERROR_NONE))
699 || !TEST_true(SSL_session_reused(clientssl))
700 || !TEST_true(SSL_session_reused(serverssl))
701 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
702 || !TEST_ptr_eq(sesspre, sesspost)
703 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
704 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
705 goto end;
706 shutdown_ssl_connection(serverssl, clientssl);
707 serverssl = clientssl = NULL;
708
709 /*
710 * Now create a fresh connection and try to renegotiate a different
711 * cipher on it.
712 */
b3e6d666
BK		 713 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
714 NULL, NULL))
3cd14e5e
BK		 715 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
716 || !TEST_true(create_ssl_connection(serverssl, clientssl,
717 SSL_ERROR_NONE))
718 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
719 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
720 || !TEST_true(SSL_renegotiate(clientssl))
721 || !TEST_true(SSL_renegotiate_pending(clientssl)))
722 goto end;
723 /* Actually drive the renegotiation. */
724 for (i = 0; i < 3; i++) {
725 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
726 if (!TEST_ulong_eq(readbytes, 0))
727 goto end;
728 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
729 SSL_ERROR_WANT_READ)) {
730 goto end;
731 }
732 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
733 if (!TEST_ulong_eq(readbytes, 0))
734 goto end;
735 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
736 SSL_ERROR_WANT_READ)) {
737 goto end;
738 }
739 }
740 /* sesspre and sesspost should be different since the cipher changed. */
741 if (!TEST_false(SSL_renegotiate_pending(clientssl))
742 || !TEST_false(SSL_session_reused(clientssl))
743 || !TEST_false(SSL_session_reused(serverssl))
744 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
745 || !TEST_ptr_ne(sesspre, sesspost)
746 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
747 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
748 goto end;
749
750 shutdown_ssl_connection(serverssl, clientssl);
751 serverssl = clientssl = NULL;
752
753 testresult = 1;
754
755end:
756 SSL_free(serverssl);
757 SSL_free(clientssl);
758 SSL_CTX_free(sctx);
759 SSL_CTX_free(cctx);
760 SSL_SESSION_free(sess);
761
762 return testresult;
763}
764
84d5549e 765static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 766 const SSL_METHOD *cmeth,
767 int min_version, int max_version,
768 int read_ahead)
84d5549e
MC		 769{
770 SSL_CTX *cctx = NULL, *sctx = NULL;
771 SSL *clientssl = NULL, *serverssl = NULL;
772 int testresult = 0;
773 int i;
710756a9 774 BIO *certbio = NULL;
84d5549e
MC		 775 X509 *chaincert = NULL;
776 int certlen;
777
710756a9 778 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 779 goto end;
84d5549e 780 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 781 BIO_free(certbio);
782 certbio = NULL;
710756a9 783 if (!TEST_ptr(chaincert))
fa454945 784 goto end;
84d5549e 785
7d7f6834
RL		 786 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
787 &sctx, &cctx, cert, privkey)))
84d5549e 788 goto end;
84d5549e 789
710756a9 790 if (read_ahead) {
7856332e
MC		 791 /*
792 * Test that read_ahead works correctly when dealing with large
793 * records
794 */
795 SSL_CTX_set_read_ahead(cctx, 1);
796 }
797
84d5549e
MC		 798 /*
799 * We assume the supplied certificate is big enough so that if we add
800 * NUM_EXTRA_CERTS it will make the overall message large enough. The
801 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 802 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
803 * test we need to have a message larger than that.
84d5549e
MC		 804 */
805 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 806 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
807 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 808 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 809 if (!X509_up_ref(chaincert))
84d5549e 810 goto end;
84d5549e 811 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 812 X509_free(chaincert);
813 goto end;
814 }
815 }
816
710756a9
RS		 817 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
818 NULL, NULL))
819 || !TEST_true(create_ssl_connection(serverssl, clientssl,
820 SSL_ERROR_NONE)))
84d5549e 821 goto end;
84d5549e 822
4bf08600
MC		 823 /*
824 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 825 * doesn't leak.
4bf08600 826 */
710756a9 827 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 828 goto end;
84d5549e 829
4bf08600 830 testresult = 1;
84d5549e
MC		 831 end:
832 X509_free(chaincert);
833 SSL_free(serverssl);
834 SSL_free(clientssl);
835 SSL_CTX_free(sctx);
836 SSL_CTX_free(cctx);
837
838 return testresult;
839}
840
5e9072ed
MC		 841#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
842 && !defined(OPENSSL_NO_SOCK)
fe5d9450
BP		 843
844/* sock must be connected */
845static int ktls_chk_platform(int sock)
846{
847 if (!ktls_enable(sock))
848 return 0;
849 return 1;
850}
851
852static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
853{
854 static char count = 1;
855 unsigned char cbuf[16000] = {0};
856 unsigned char sbuf[16000];
857 size_t err = 0;
858 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
859 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
2fab79af
BP		 860 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
861 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
fe5d9450
BP		 862 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
863 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
864 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
865 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
866
867 cbuf[0] = count++;
868 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
869 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
2fab79af
BP		 870 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
871 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
fe5d9450
BP		 872 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
873 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
874 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
875 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
876
877 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
878 goto end;
879
880 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
881 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
882 goto end;
883 }
884 }
885
886 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
887 goto end;
888
889 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
890 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
891 goto end;
892 }
893 }
894
895 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
896 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
2fab79af
BP		 897 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
898 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
fe5d9450
BP		 899 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
900 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
901 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
902 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
903
904 /* verify the payload */
905 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
906 goto end;
907
908 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
909 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
910 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
911 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
912 goto end;
913 } else {
914 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
915 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
916 goto end;
917 }
918
919 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
920 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
921 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
922 goto end;
923 } else {
924 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
925 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
926 goto end;
927 }
928
2fab79af
BP		 929 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
930 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
931 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
932 goto end;
933 } else {
934 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
935 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
936 goto end;
937 }
938
939 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
940 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
941 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
942 goto end;
943 } else {
944 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
945 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
946 goto end;
947 }
fe5d9450
BP		 948
949 return 1;
950end:
951 return 0;
952}
953
2fab79af
BP		 954static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
955 int sis_ktls_tx, int sis_ktls_rx)
fe5d9450
BP		 956{
957 SSL_CTX *cctx = NULL, *sctx = NULL;
958 SSL *clientssl = NULL, *serverssl = NULL;
959 int testresult = 0;
960 int cfd, sfd;
961
962 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
963 goto end;
964
965 /* Skip this test if the platform does not support ktls */
966 if (!ktls_chk_platform(cfd))
967 return 1;
968
969 /* Create a session based on SHA-256 */
970 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
971 TLS_client_method(),
972 TLS1_2_VERSION, TLS1_2_VERSION,
973 &sctx, &cctx, cert, privkey))
974 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
975 "AES128-GCM-SHA256"))
976 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
977 &clientssl, sfd, cfd)))
978 goto end;
979
980 if (!cis_ktls_tx) {
981 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
982 goto end;
983 }
984
985 if (!sis_ktls_tx) {
986 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
987 goto end;
988 }
989
2fab79af
BP		 990 if (!cis_ktls_rx) {
991 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
992 goto end;
993 }
994
995 if (!sis_ktls_rx) {
996 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
997 goto end;
998 }
999
fe5d9450
BP		 1000 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1001 SSL_ERROR_NONE)))
1002 goto end;
1003
1004 if (!cis_ktls_tx) {
1005 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1006 goto end;
1007 } else {
1008 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1009 goto end;
1010 }
1011
1012 if (!sis_ktls_tx) {
1013 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1014 goto end;
1015 } else {
1016 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1017 goto end;
1018 }
1019
2fab79af
BP		 1020 if (!cis_ktls_rx) {
1021 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1022 goto end;
1023 } else {
1024 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1025 goto end;
1026 }
1027
1028 if (!sis_ktls_rx) {
1029 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1030 goto end;
1031 } else {
1032 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1033 goto end;
1034 }
1035
fe5d9450
BP		 1036 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1037 goto end;
1038
1039 testresult = 1;
1040end:
1041 if (clientssl) {
1042 SSL_shutdown(clientssl);
1043 SSL_free(clientssl);
1044 }
1045 if (serverssl) {
1046 SSL_shutdown(serverssl);
1047 SSL_free(serverssl);
1048 }
1049 SSL_CTX_free(sctx);
1050 SSL_CTX_free(cctx);
1051 serverssl = clientssl = NULL;
1052 return testresult;
1053}
1054
7c3a7561
BP		 1055#define SENDFILE_SZ (16 * 4096)
1056#define SENDFILE_CHUNK (4 * 4096)
1057#define min(a,b) ((a) > (b) ? (b) : (a))
1058
1059static int test_ktls_sendfile(void)
1060{
1061 SSL_CTX *cctx = NULL, *sctx = NULL;
1062 SSL *clientssl = NULL, *serverssl = NULL;
1063 unsigned char *buf, *buf_dst;
1064 BIO *out = NULL, *in = NULL;
1065 int cfd, sfd, ffd, err;
1066 ssize_t chunk_size = 0;
1067 off_t chunk_off = 0;
1068 int testresult = 0;
1069 FILE *ffdp;
1070
1071 buf = OPENSSL_zalloc(SENDFILE_SZ);
1072 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1073 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1074 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1075 goto end;
1076
1077 /* Skip this test if the platform does not support ktls */
1078 if (!ktls_chk_platform(sfd)) {
1079 testresult = 1;
1080 goto end;
1081 }
1082
1083 /* Create a session based on SHA-256 */
1084 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1085 TLS_client_method(),
1086 TLS1_2_VERSION, TLS1_2_VERSION,
1087 &sctx, &cctx, cert, privkey))
1088 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1089 "AES128-GCM-SHA256"))
1090 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1091 &clientssl, sfd, cfd)))
1092 goto end;
1093
1094 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1095 SSL_ERROR_NONE))
1096 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1097 goto end;
1098
1099 RAND_bytes(buf, SENDFILE_SZ);
1100 out = BIO_new_file(tmpfilename, "wb");
1101 if (!TEST_ptr(out))
1102 goto end;
1103
1104 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1105 goto end;
1106
1107 BIO_free(out);
1108 out = NULL;
1109 in = BIO_new_file(tmpfilename, "rb");
1110 BIO_get_fp(in, &ffdp);
1111 ffd = fileno(ffdp);
1112
1113 while (chunk_off < SENDFILE_SZ) {
1114 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1115 while ((err = SSL_sendfile(serverssl,
1116 ffd,
1117 chunk_off,
1118 chunk_size,
1119 0)) != chunk_size) {
1120 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1121 goto end;
1122 }
1123 while ((err = SSL_read(clientssl,
1124 buf_dst + chunk_off,
1125 chunk_size)) != chunk_size) {
1126 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1127 goto end;
1128 }
1129
1130 /* verify the payload */
1131 if (!TEST_mem_eq(buf_dst + chunk_off,
1132 chunk_size,
1133 buf + chunk_off,
1134 chunk_size))
1135 goto end;
1136
1137 chunk_off += chunk_size;
1138 }
1139
1140 testresult = 1;
1141end:
1142 if (clientssl) {
1143 SSL_shutdown(clientssl);
1144 SSL_free(clientssl);
1145 }
1146 if (serverssl) {
1147 SSL_shutdown(serverssl);
1148 SSL_free(serverssl);
1149 }
1150 SSL_CTX_free(sctx);
1151 SSL_CTX_free(cctx);
1152 serverssl = clientssl = NULL;
1153 BIO_free(out);
1154 BIO_free(in);
1155 OPENSSL_free(buf);
1156 OPENSSL_free(buf_dst);
1157 return testresult;
1158}
1159
2fab79af
BP		 1160static int test_ktls_no_txrx_client_no_txrx_server(void)
1161{
1162 return execute_test_ktls(0, 0, 0, 0);
1163}
1164
1165static int test_ktls_no_rx_client_no_txrx_server(void)
1166{
1167 return execute_test_ktls(1, 0, 0, 0);
1168}
1169
1170static int test_ktls_no_tx_client_no_txrx_server(void)
1171{
1172 return execute_test_ktls(0, 1, 0, 0);
1173}
1174
1175static int test_ktls_client_no_txrx_server(void)
1176{
1177 return execute_test_ktls(1, 1, 0, 0);
1178}
1179
1180static int test_ktls_no_txrx_client_no_rx_server(void)
1181{
1182 return execute_test_ktls(0, 0, 1, 0);
1183}
1184
1185static int test_ktls_no_rx_client_no_rx_server(void)
1186{
1187 return execute_test_ktls(1, 0, 1, 0);
1188}
1189
1190static int test_ktls_no_tx_client_no_rx_server(void)
1191{
1192 return execute_test_ktls(0, 1, 1, 0);
1193}
1194
1195static int test_ktls_client_no_rx_server(void)
fe5d9450 1196{
2fab79af 1197 return execute_test_ktls(1, 1, 1, 0);
fe5d9450
BP		 1198}
1199
2fab79af 1200static int test_ktls_no_txrx_client_no_tx_server(void)
fe5d9450 1201{
2fab79af 1202 return execute_test_ktls(0, 0, 0, 1);
fe5d9450
BP		 1203}
1204
2fab79af 1205static int test_ktls_no_rx_client_no_tx_server(void)
fe5d9450 1206{
2fab79af 1207 return execute_test_ktls(1, 0, 0, 1);
fe5d9450
BP		 1208}
1209
2fab79af
BP		 1210static int test_ktls_no_tx_client_no_tx_server(void)
1211{
1212 return execute_test_ktls(0, 1, 0, 1);
1213}
1214
1215static int test_ktls_client_no_tx_server(void)
1216{
1217 return execute_test_ktls(1, 1, 0, 1);
1218}
1219
1220static int test_ktls_no_txrx_client_server(void)
1221{
1222 return execute_test_ktls(0, 0, 1, 1);
1223}
1224
1225static int test_ktls_no_rx_client_server(void)
1226{
1227 return execute_test_ktls(1, 0, 1, 1);
1228}
1229
1230static int test_ktls_no_tx_client_server(void)
1231{
1232 return execute_test_ktls(0, 1, 1, 1);
1233}
1234
1235static int test_ktls_client_server(void)
fe5d9450 1236{
2fab79af 1237 return execute_test_ktls(1, 1, 1, 1);
fe5d9450 1238}
fe5d9450
BP		 1239#endif
1240
84d5549e
MC		 1241static int test_large_message_tls(void)
1242{
7856332e 1243 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1244 TLS1_VERSION, 0, 0);
7856332e
MC		 1245}
1246
1247static int test_large_message_tls_read_ahead(void)
1248{
1249 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1250 TLS1_VERSION, 0, 1);
84d5549e
MC		 1251}
1252
55386bef 1253#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1254static int test_large_message_dtls(void)
1255{
7856332e
MC		 1256 /*
1257 * read_ahead is not relevant to DTLS because DTLS always acts as if
1258 * read_ahead is set.
1259 */
84d5549e 1260 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1261 DTLS_client_method(),
5c587fb6 1262 DTLS1_VERSION, 0, 0);
84d5549e 1263}
55386bef 1264#endif
84d5549e 1265
8f8c11d8 1266#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1267static int ocsp_server_cb(SSL *s, void *arg)
1268{
1269 int *argi = (int *)arg;
710756a9 1270 unsigned char *copy = NULL;
ba881d3b
MC		 1271 STACK_OF(OCSP_RESPID) *ids = NULL;
1272 OCSP_RESPID *id = NULL;
1273
1274 if (*argi == 2) {
1275 /* In this test we are expecting exactly 1 OCSP_RESPID */
1276 SSL_get_tlsext_status_ids(s, &ids);
1277 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1278 return SSL_TLSEXT_ERR_ALERT_FATAL;
1279
1280 id = sk_OCSP_RESPID_value(ids, 0);
c9f51264 1281 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, NULL, NULL))
ba881d3b
MC		 1282 return SSL_TLSEXT_ERR_ALERT_FATAL;
1283 } else if (*argi != 1) {
1284 return SSL_TLSEXT_ERR_ALERT_FATAL;
1285 }
1286
710756a9 1287 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1288 return SSL_TLSEXT_ERR_ALERT_FATAL;
1289
710756a9 1290 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1291 ocsp_server_called = 1;
ba881d3b
MC		 1292 return SSL_TLSEXT_ERR_OK;
1293}
1294
1295static int ocsp_client_cb(SSL *s, void *arg)
1296{
1297 int *argi = (int *)arg;
1298 const unsigned char *respderin;
1299 size_t len;
1300
1301 if (*argi != 1 && *argi != 2)
1302 return 0;
1303
1304 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1305 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1306 return 0;
1307
1308 ocsp_client_called = 1;
ba881d3b
MC		 1309 return 1;
1310}
1311
2cb4b5f6
MC		 1312static int test_tlsext_status_type(void)
1313{
ba881d3b
MC		 1314 SSL_CTX *cctx = NULL, *sctx = NULL;
1315 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1316 int testresult = 0;
ba881d3b
MC		 1317 STACK_OF(OCSP_RESPID) *ids = NULL;
1318 OCSP_RESPID *id = NULL;
1319 BIO *certbio = NULL;
2cb4b5f6 1320
7d7f6834 1321 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1322 TLS1_VERSION, 0,
7d7f6834 1323 &sctx, &cctx, cert, privkey))
ba881d3b 1324 return 0;
2cb4b5f6 1325
710756a9 1326 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1327 goto end;
2cb4b5f6 1328
ba881d3b 1329 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1330
ba881d3b 1331 clientssl = SSL_new(cctx);
710756a9
RS		 1332 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1333 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1334 TLSEXT_STATUSTYPE_ocsp))
1335 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1336 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1337 goto end;
2cb4b5f6 1338
ba881d3b
MC		 1339 SSL_free(clientssl);
1340 clientssl = NULL;
2cb4b5f6 1341
710756a9
RS		 1342 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1343 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1344 goto end;
2cb4b5f6 1345
ba881d3b 1346 clientssl = SSL_new(cctx);
710756a9 1347 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1348 goto end;
ba881d3b
MC		 1349 SSL_free(clientssl);
1350 clientssl = NULL;
1351
1352 /*
1353 * Now actually do a handshake and check OCSP information is exchanged and
1354 * the callbacks get called
1355 */
ba881d3b
MC		 1356 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1357 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1358 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1359 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1360 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1361 &clientssl, NULL, NULL))
1362 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1363 SSL_ERROR_NONE))
1364 || !TEST_true(ocsp_client_called)
1365 || !TEST_true(ocsp_server_called))
ba881d3b 1366 goto end;
ba881d3b
MC		 1367 SSL_free(serverssl);
1368 SSL_free(clientssl);
1369 serverssl = NULL;
1370 clientssl = NULL;
1371
1372 /* Try again but this time force the server side callback to fail */
1373 ocsp_client_called = 0;
1374 ocsp_server_called = 0;
1375 cdummyarg = 0;
710756a9
RS		 1376 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1377 &clientssl, NULL, NULL))
1378 /* This should fail because the callback will fail */
1379 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1380 SSL_ERROR_NONE))
1381 || !TEST_false(ocsp_client_called)
1382 || !TEST_false(ocsp_server_called))
ba881d3b 1383 goto end;
ba881d3b
MC		 1384 SSL_free(serverssl);
1385 SSL_free(clientssl);
1386 serverssl = NULL;
1387 clientssl = NULL;
1388
1389 /*
1390 * This time we'll get the client to send an OCSP_RESPID that it will
1391 * accept.
1392 */
1393 ocsp_client_called = 0;
1394 ocsp_server_called = 0;
1395 cdummyarg = 2;
710756a9
RS		 1396 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1397 &clientssl, NULL, NULL)))
ba881d3b 1398 goto end;
ba881d3b
MC		 1399
1400 /*
1401 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1402 * specific one. We'll use the server cert.
ba881d3b 1403 */
710756a9
RS		 1404 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1405 || !TEST_ptr(id = OCSP_RESPID_new())
1406 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1407 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1408 NULL, NULL, NULL))
c9f51264 1409 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, NULL, NULL))
710756a9 1410 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1411 goto end;
ba881d3b
MC		 1412 id = NULL;
1413 SSL_set_tlsext_status_ids(clientssl, ids);
1414 /* Control has been transferred */
1415 ids = NULL;
1416
1417 BIO_free(certbio);
1418 certbio = NULL;
1419
710756a9
RS		 1420 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1421 SSL_ERROR_NONE))
1422 || !TEST_true(ocsp_client_called)
1423 || !TEST_true(ocsp_server_called))
ba881d3b 1424 goto end;
ba881d3b 1425
2cb4b5f6
MC		 1426 testresult = 1;
1427
1428 end:
ba881d3b
MC		 1429 SSL_free(serverssl);
1430 SSL_free(clientssl);
1431 SSL_CTX_free(sctx);
1432 SSL_CTX_free(cctx);
1433 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1434 OCSP_RESPID_free(id);
1435 BIO_free(certbio);
1436 X509_free(ocspcert);
1437 ocspcert = NULL;
2cb4b5f6
MC		 1438
1439 return testresult;
1440}
8f8c11d8 1441#endif
2cb4b5f6 1442
bf208d95 1443#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1444static int new_called, remove_called, get_called;
eaa776da 1445
eaa776da
MC		 1446static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1447{
1448 new_called++;
c0537ebd
MC		 1449 /*
1450 * sess has been up-refed for us, but we don't actually need it so free it
1451 * immediately.
1452 */
1453 SSL_SESSION_free(sess);
eaa776da
MC		 1454 return 1;
1455}
1456
1457static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1458{
1459 remove_called++;
1460}
1461
7a301f08
MC		 1462static SSL_SESSION *get_sess_val = NULL;
1463
1464static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1465 int *copy)
1466{
0afca811 1467 get_called++;
7a301f08
MC		 1468 *copy = 1;
1469 return get_sess_val;
1470}
1471
7a301f08
MC		 1472static int execute_test_session(int maxprot, int use_int_cache,
1473 int use_ext_cache)
2cb4b5f6
MC		 1474{
1475 SSL_CTX *sctx = NULL, *cctx = NULL;
1476 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1477 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1478# ifndef OPENSSL_NO_TLS1_1
eaa776da 1479 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1480# endif
2cb4b5f6 1481 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1482 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1483
7e885b7b
P		 1484 new_called = remove_called = 0;
1485
36ff232c
MC		 1486 /* TLSv1.3 sends 2 NewSessionTickets */
1487 if (maxprot == TLS1_3_VERSION)
1488 numnewsesstick = 2;
1489
7d7f6834 1490 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1491 TLS1_VERSION, 0,
7d7f6834 1492 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1493 return 0;
2cb4b5f6 1494
7a301f08
MC		 1495 /*
1496 * Only allow the max protocol version so we can force a connection failure
1497 * later
1498 */
1499 SSL_CTX_set_min_proto_version(cctx, maxprot);
1500 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1501
1502 /* Set up session cache */
7e885b7b 1503 if (use_ext_cache) {
eaa776da
MC		 1504 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1505 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1506 }
7e885b7b 1507 if (use_int_cache) {
eaa776da
MC		 1508 /* Also covers instance where both are set */
1509 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1510 } else {
1511 SSL_CTX_set_session_cache_mode(cctx,
1512 SSL_SESS_CACHE_CLIENT
1513 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1514 }
2cb4b5f6 1515
710756a9
RS		 1516 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1517 NULL, NULL))
1518 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1519 SSL_ERROR_NONE))
1520 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1521 goto end;
2cb4b5f6 1522
710756a9 1523 /* Should fail because it should already be in the cache */
7e885b7b 1524 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1525 goto end;
7a301f08 1526 if (use_ext_cache
36ff232c
MC		 1527 && (!TEST_int_eq(new_called, numnewsesstick)
1528
1529 || !TEST_int_eq(remove_called, 0)))
b4982125 1530 goto end;
b4982125 1531
c0537ebd
MC		 1532 new_called = remove_called = 0;
1533 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1534 &clientssl2, NULL, NULL))
1535 || !TEST_true(SSL_set_session(clientssl2, sess1))
1536 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1537 SSL_ERROR_NONE))
1538 || !TEST_true(SSL_session_reused(clientssl2)))
1539 goto end;
1540
7a301f08
MC		 1541 if (maxprot == TLS1_3_VERSION) {
1542 /*
1543 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1544 * resumed. Since we attempted a resume we should also have removed the
1545 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1546 */
1547 if (use_ext_cache
1548 && (!TEST_int_eq(new_called, 1)
4cb00457 1549 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1550 goto end;
1551 } else {
1552 /*
1553 * In TLSv1.2 we expect to have resumed so no sessions added or
1554 * removed.
1555 */
1556 if (use_ext_cache
1557 && (!TEST_int_eq(new_called, 0)
1558 || !TEST_int_eq(remove_called, 0)))
1559 goto end;
1560 }
c0537ebd
MC		 1561
1562 SSL_SESSION_free(sess1);
1563 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1564 goto end;
1565 shutdown_ssl_connection(serverssl2, clientssl2);
1566 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1567
1568 new_called = remove_called = 0;
710756a9
RS		 1569 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1570 &clientssl2, NULL, NULL))
1571 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1572 SSL_ERROR_NONE)))
2cb4b5f6 1573 goto end;
2cb4b5f6 1574
710756a9 1575 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1576 goto end;
2cb4b5f6 1577
7a301f08 1578 if (use_ext_cache
36ff232c
MC		 1579 && (!TEST_int_eq(new_called, numnewsesstick)
1580 || !TEST_int_eq(remove_called, 0)))
eaa776da 1581 goto end;
eaa776da 1582
c0537ebd 1583 new_called = remove_called = 0;
2cb4b5f6 1584 /*
710756a9
RS		 1585 * This should clear sess2 from the cache because it is a "bad" session.
1586 * See SSL_set_session() documentation.
2cb4b5f6 1587 */
710756a9 1588 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1589 goto end;
7a301f08
MC		 1590 if (use_ext_cache
1591 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1592 goto end;
710756a9 1593 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1594 goto end;
2cb4b5f6 1595
7e885b7b 1596 if (use_int_cache) {
710756a9
RS		 1597 /* Should succeeded because it should not already be in the cache */
1598 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1599 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1600 goto end;
eaa776da
MC		 1601 }
1602
c0537ebd 1603 new_called = remove_called = 0;
eaa776da 1604 /* This shouldn't be in the cache so should fail */
710756a9 1605 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1606 goto end;
2cb4b5f6 1607
7a301f08
MC		 1608 if (use_ext_cache
1609 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1610 goto end;
2cb4b5f6 1611
bf208d95 1612# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1613 new_called = remove_called = 0;
eaa776da
MC		 1614 /* Force a connection failure */
1615 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1617 &clientssl3, NULL, NULL))
1618 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1619 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1620 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1621 SSL_ERROR_NONE)))
eaa776da 1622 goto end;
b4982125 1623
eaa776da 1624 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1625 if (use_ext_cache
1626 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1627 goto end;
2cb4b5f6 1628
710756a9 1629 /* Should succeed because it should not already be in the cache */
7e885b7b 1630 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1631 goto end;
bf208d95 1632# endif
eaa776da 1633
7a301f08
MC		 1634 /* Now do some tests for server side caching */
1635 if (use_ext_cache) {
1636 SSL_CTX_sess_set_new_cb(cctx, NULL);
1637 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1638 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1639 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1640 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1641 get_sess_val = NULL;
1642 }
1643
1644 SSL_CTX_set_session_cache_mode(cctx, 0);
1645 /* Internal caching is the default on the server side */
1646 if (!use_int_cache)
1647 SSL_CTX_set_session_cache_mode(sctx,
1648 SSL_SESS_CACHE_SERVER
1649 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1650
1651 SSL_free(serverssl1);
1652 SSL_free(clientssl1);
1653 serverssl1 = clientssl1 = NULL;
1654 SSL_free(serverssl2);
1655 SSL_free(clientssl2);
1656 serverssl2 = clientssl2 = NULL;
1657 SSL_SESSION_free(sess1);
1658 sess1 = NULL;
1659 SSL_SESSION_free(sess2);
1660 sess2 = NULL;
1661
1662 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1663 if (maxprot == TLS1_2_VERSION)
1664 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1665 new_called = remove_called = get_called = 0;
7a301f08
MC		 1666 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1667 NULL, NULL))
1668 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1669 SSL_ERROR_NONE))
1670 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1671 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1672 goto end;
1673
ee94ec2e
MC		 1674 if (use_int_cache) {
1675 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1676 /*
1677 * In TLSv1.3 it should not have been added to the internal cache,
1678 * except in the case where we also have an external cache (in that
1679 * case it gets added to the cache in order to generate remove
1680 * events after timeout).
1681 */
1682 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1683 goto end;
1684 } else {
1685 /* Should fail because it should already be in the cache */
1686 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1687 goto end;
1688 }
1689 }
7a301f08
MC		 1690
1691 if (use_ext_cache) {
1692 SSL_SESSION *tmp = sess2;
1693
36ff232c 1694 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1695 || !TEST_int_eq(remove_called, 0)
1696 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1697 goto end;
1698 /*
1699 * Delete the session from the internal cache to force a lookup from
1700 * the external cache. We take a copy first because
1701 * SSL_CTX_remove_session() also marks the session as non-resumable.
1702 */
ee94ec2e 1703 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1704 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1705 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1706 goto end;
1707 SSL_SESSION_free(sess2);
1708 }
7a301f08
MC		 1709 sess2 = tmp;
1710 }
1711
0afca811 1712 new_called = remove_called = get_called = 0;
7a301f08
MC		 1713 get_sess_val = sess2;
1714 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1715 &clientssl2, NULL, NULL))
1716 || !TEST_true(SSL_set_session(clientssl2, sess1))
1717 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1718 SSL_ERROR_NONE))
1719 || !TEST_true(SSL_session_reused(clientssl2)))
1720 goto end;
1721
0afca811 1722 if (use_ext_cache) {
32305f88 1723 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1724 goto end;
1725
1726 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1727 if (!TEST_int_eq(new_called, 1)
1728 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1729 goto end;
1730 } else {
32305f88
MC		 1731 if (!TEST_int_eq(new_called, 0)
1732 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1733 goto end;
1734 }
1735 }
7a301f08 1736
2cb4b5f6 1737 testresult = 1;
eaa776da 1738
2cb4b5f6
MC		 1739 end:
1740 SSL_free(serverssl1);
1741 SSL_free(clientssl1);
1742 SSL_free(serverssl2);
1743 SSL_free(clientssl2);
bf208d95 1744# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1745 SSL_free(serverssl3);
1746 SSL_free(clientssl3);
bf208d95 1747# endif
2cb4b5f6
MC		 1748 SSL_SESSION_free(sess1);
1749 SSL_SESSION_free(sess2);
1750 SSL_CTX_free(sctx);
1751 SSL_CTX_free(cctx);
1752
1753 return testresult;
1754}
bf208d95 1755#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1756
7fb4c820
MC		 1757static int test_session_with_only_int_cache(void)
1758{
7a301f08
MC		 1759#ifndef OPENSSL_NO_TLS1_3
1760 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1761 return 0;
1762#endif
1763
1764#ifndef OPENSSL_NO_TLS1_2
1765 return execute_test_session(TLS1_2_VERSION, 1, 0);
1766#else
1767 return 1;
1768#endif
eaa776da
MC		 1769}
1770
7fb4c820
MC		 1771static int test_session_with_only_ext_cache(void)
1772{
7a301f08
MC		 1773#ifndef OPENSSL_NO_TLS1_3
1774 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1775 return 0;
1776#endif
1777
1778#ifndef OPENSSL_NO_TLS1_2
1779 return execute_test_session(TLS1_2_VERSION, 0, 1);
1780#else
1781 return 1;
1782#endif
eaa776da
MC		 1783}
1784
7fb4c820
MC		 1785static int test_session_with_both_cache(void)
1786{
7a301f08
MC		 1787#ifndef OPENSSL_NO_TLS1_3
1788 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1789 return 0;
1790#endif
1791
1792#ifndef OPENSSL_NO_TLS1_2
1793 return execute_test_session(TLS1_2_VERSION, 1, 1);
1794#else
1795 return 1;
1796#endif
eaa776da
MC		 1797}
1798
04225915 1799#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1800static SSL_SESSION *sesscache[6];
1801static int do_cache;
36ff232c
MC		 1802
1803static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1804{
c22365b3
MC		 1805 if (do_cache) {
1806 sesscache[new_called] = sess;
1807 } else {
1808 /* We don't need the reference to the session, so free it */
1809 SSL_SESSION_free(sess);
1810 }
1811 new_called++;
1812
1813 return 1;
1814}
1815
1816static int post_handshake_verify(SSL *sssl, SSL *cssl)
1817{
1818 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1819 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1820 return 0;
1821
1822 /* Start handshake on the server and client */
1823 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1824 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1825 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1826 || !TEST_true(create_ssl_connection(sssl, cssl,
1827 SSL_ERROR_NONE)))
1828 return 0;
36ff232c
MC		 1829
1830 return 1;
1831}
1832
fbe9dafd 1833static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 1834 SSL_CTX **cctx)
1835{
1836 int sess_id_ctx = 1;
1837
1838 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1839 TLS1_VERSION, 0, sctx,
03cdf559
MC		 1840 cctx, cert, privkey))
1841 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1842 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1843 (void *)&sess_id_ctx,
1844 sizeof(sess_id_ctx))))
1845 return 0;
1846
1847 if (stateful)
1848 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1849
1850 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1851 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1852 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1853
1854 return 1;
1855}
1856
1857static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1858{
1859 SSL *serverssl = NULL, *clientssl = NULL;
1860 int i;
1861
1862 /* Test that we can resume with all the tickets we got given */
1863 for (i = 0; i < idx * 2; i++) {
1864 new_called = 0;
1865 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1866 &clientssl, NULL, NULL))
1867 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1868 goto end;
1869
32097b33 1870 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 1871
1872 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1873 SSL_ERROR_NONE)))
1874 goto end;
1875
1876 /*
1877 * Following a successful resumption we only get 1 ticket. After a
1878 * failed one we should get idx tickets.
1879 */
1880 if (succ) {
1881 if (!TEST_true(SSL_session_reused(clientssl))
1882 || !TEST_int_eq(new_called, 1))
1883 goto end;
1884 } else {
1885 if (!TEST_false(SSL_session_reused(clientssl))
1886 || !TEST_int_eq(new_called, idx))
1887 goto end;
1888 }
1889
1890 new_called = 0;
1891 /* After a post-handshake authentication we should get 1 new ticket */
1892 if (succ
1893 && (!post_handshake_verify(serverssl, clientssl)
1894 || !TEST_int_eq(new_called, 1)))
1895 goto end;
1896
1897 SSL_shutdown(clientssl);
1898 SSL_shutdown(serverssl);
1899 SSL_free(serverssl);
1900 SSL_free(clientssl);
1901 serverssl = clientssl = NULL;
1902 SSL_SESSION_free(sesscache[i]);
1903 sesscache[i] = NULL;
1904 }
1905
1906 return 1;
1907
1908 end:
1909 SSL_free(clientssl);
1910 SSL_free(serverssl);
1911 return 0;
1912}
1913
04d7814a 1914static int test_tickets(int stateful, int idx)
36ff232c
MC		 1915{
1916 SSL_CTX *sctx = NULL, *cctx = NULL;
1917 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 1918 int testresult = 0;
36ff232c
MC		 1919 size_t j;
1920
1921 /* idx is the test number, but also the number of tickets we want */
1922
1923 new_called = 0;
c22365b3 1924 do_cache = 1;
36ff232c 1925
fbe9dafd 1926 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 1927 goto end;
1928
03cdf559
MC		 1929 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1930 &clientssl, NULL, NULL)))
1931 goto end;
1932
1933 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1934 SSL_ERROR_NONE))
1935 /* Check we got the number of tickets we were expecting */
1936 || !TEST_int_eq(idx, new_called))
1937 goto end;
04d7814a 1938
03cdf559
MC		 1939 SSL_shutdown(clientssl);
1940 SSL_shutdown(serverssl);
1941 SSL_free(serverssl);
1942 SSL_free(clientssl);
1943 SSL_CTX_free(sctx);
1944 SSL_CTX_free(cctx);
1945 clientssl = serverssl = NULL;
1946 sctx = cctx = NULL;
1947
1948 /*
1949 * Now we try to resume with the tickets we previously created. The
1950 * resumption attempt is expected to fail (because we're now using a new
1951 * SSL_CTX). We should see idx number of tickets issued again.
1952 */
1953
1954 /* Stop caching sessions - just count them */
1955 do_cache = 0;
1956
fbe9dafd 1957 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 1958 goto end;
1959
1960 if (!check_resumption(idx, sctx, cctx, 0))
1961 goto end;
1962
1963 /* Start again with caching sessions */
1964 new_called = 0;
1965 do_cache = 1;
fbe9dafd
MC		 1966 SSL_CTX_free(sctx);
1967 SSL_CTX_free(cctx);
1968 sctx = cctx = NULL;
03cdf559 1969
fbe9dafd 1970 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 1971 goto end;
36ff232c
MC		 1972
1973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1974 &clientssl, NULL, NULL)))
1975 goto end;
1976
32097b33 1977 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 1978
1979 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1980 SSL_ERROR_NONE))
1981 /* Check we got the number of tickets we were expecting */
1982 || !TEST_int_eq(idx, new_called))
1983 goto end;
1984
1985 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1986 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1987 || !TEST_int_eq(idx * 2, new_called))
1988 goto end;
1989
36ff232c
MC		 1990 SSL_shutdown(clientssl);
1991 SSL_shutdown(serverssl);
1992 SSL_free(serverssl);
1993 SSL_free(clientssl);
1994 serverssl = clientssl = NULL;
1995
c22365b3
MC		 1996 /* Stop caching sessions - just count them */
1997 do_cache = 0;
1998
03cdf559
MC		 1999 /*
2000 * Check we can resume with all the tickets we created. This time around the
2001 * resumptions should all be successful.
2002 */
2003 if (!check_resumption(idx, sctx, cctx, 1))
2004 goto end;
36ff232c
MC		 2005
2006 testresult = 1;
2007
2008 end:
2009 SSL_free(serverssl);
2010 SSL_free(clientssl);
c22365b3 2011 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2012 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2013 sesscache[j] = NULL;
2014 }
36ff232c
MC		 2015 SSL_CTX_free(sctx);
2016 SSL_CTX_free(cctx);
2017
2018 return testresult;
2019}
04d7814a
MC		 2020
2021static int test_stateless_tickets(int idx)
2022{
2023 return test_tickets(0, idx);
2024}
2025
2026static int test_stateful_tickets(int idx)
2027{
2028 return test_tickets(1, idx);
2029}
8614a4eb
MC		 2030
2031static int test_psk_tickets(void)
2032{
2033 SSL_CTX *sctx = NULL, *cctx = NULL;
2034 SSL *serverssl = NULL, *clientssl = NULL;
2035 int testresult = 0;
2036 int sess_id_ctx = 1;
2037
2038 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2039 TLS1_VERSION, 0, &sctx,
8614a4eb
MC		 2040 &cctx, NULL, NULL))
2041 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2042 (void *)&sess_id_ctx,
2043 sizeof(sess_id_ctx))))
2044 goto end;
2045
2046 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2047 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2048 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2049 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2050 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2051 use_session_cb_cnt = 0;
2052 find_session_cb_cnt = 0;
2053 srvid = pskid;
2054 new_called = 0;
2055
2056 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2057 NULL, NULL)))
2058 goto end;
2059 clientpsk = serverpsk = create_a_psk(clientssl);
2060 if (!TEST_ptr(clientpsk))
2061 goto end;
2062 SSL_SESSION_up_ref(clientpsk);
2063
2064 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2065 SSL_ERROR_NONE))
2066 || !TEST_int_eq(1, find_session_cb_cnt)
2067 || !TEST_int_eq(1, use_session_cb_cnt)
2068 /* We should always get 1 ticket when using external PSK */
2069 || !TEST_int_eq(1, new_called))
2070 goto end;
2071
2072 testresult = 1;
2073
2074 end:
2075 SSL_free(serverssl);
2076 SSL_free(clientssl);
2077 SSL_CTX_free(sctx);
2078 SSL_CTX_free(cctx);
2079 SSL_SESSION_free(clientpsk);
2080 SSL_SESSION_free(serverpsk);
2081 clientpsk = serverpsk = NULL;
2082
2083 return testresult;
2084}
04225915 2085#endif
36ff232c 2086
7d4488bb
MC		 2087#define USE_NULL 0
2088#define USE_BIO_1 1
2089#define USE_BIO_2 2
2090#define USE_DEFAULT 3
2091
2092#define CONNTYPE_CONNECTION_SUCCESS 0
2093#define CONNTYPE_CONNECTION_FAIL 1
2094#define CONNTYPE_NO_CONNECTION 2
2095
2096#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2097#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2098#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2099# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2100#else
2101# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2102#endif
2103
7d4488bb
MC		 2104#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2105 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2106 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2107
2108static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2109{
2110 switch (type) {
2111 case USE_NULL:
2112 *res = NULL;
2113 break;
2114 case USE_BIO_1:
2115 *res = bio1;
2116 break;
2117 case USE_BIO_2:
2118 *res = bio2;
2119 break;
2120 }
2121}
2122
7d4488bb
MC		 2123
2124/*
2125 * Tests calls to SSL_set_bio() under various conditions.
2126 *
2127 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2128 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2129 * then do more tests where we create a successful connection first using our
2130 * standard connection setup functions, and then call SSL_set_bio() with
2131 * various combinations of valid BIOs or NULL. We then repeat these tests
2132 * following a failed connection. In this last case we are looking to check that
2133 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2134 */
7fb4c820
MC		 2135static int test_ssl_set_bio(int idx)
2136{
7d4488bb 2137 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2138 BIO *bio1 = NULL;
2139 BIO *bio2 = NULL;
0fae8150 2140 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2141 SSL *serverssl = NULL, *clientssl = NULL;
2142 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2143 int testresult = 0;
2144
7d4488bb
MC		 2145 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2146 initrbio = idx % 3;
2147 idx /= 3;
2148 initwbio = idx % 3;
2149 idx /= 3;
2150 newrbio = idx % 3;
2151 idx /= 3;
2152 newwbio = idx % 3;
2153 conntype = CONNTYPE_NO_CONNECTION;
2154 } else {
2155 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2156 initrbio = initwbio = USE_DEFAULT;
2157 newrbio = idx % 2;
2158 idx /= 2;
2159 newwbio = idx % 2;
2160 idx /= 2;
2161 conntype = idx % 2;
2162 }
710756a9 2163
7d4488bb 2164 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2165 TLS1_VERSION, 0,
7d4488bb
MC		 2166 &sctx, &cctx, cert, privkey)))
2167 goto end;
2168
2169 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2170 /*
2171 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2172 * because we reduced the number of tests in the definition of
2173 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2174 * mismatched protocol versions we will force a connection failure.
2175 */
2176 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2177 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2178 }
2179
2180 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2181 NULL, NULL)))
710756a9 2182 goto end;
7fb4c820 2183
710756a9
RS		 2184 if (initrbio == USE_BIO_1
2185 || initwbio == USE_BIO_1
2186 || newrbio == USE_BIO_1
7fb4c820 2187 || newwbio == USE_BIO_1) {
710756a9 2188 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2189 goto end;
7fb4c820
MC		 2190 }
2191
710756a9
RS		 2192 if (initrbio == USE_BIO_2
2193 || initwbio == USE_BIO_2
2194 || newrbio == USE_BIO_2
7fb4c820 2195 || newwbio == USE_BIO_2) {
710756a9 2196 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2197 goto end;
7fb4c820
MC		 2198 }
2199
7d4488bb
MC		 2200 if (initrbio != USE_DEFAULT) {
2201 setupbio(&irbio, bio1, bio2, initrbio);
2202 setupbio(&iwbio, bio1, bio2, initwbio);
2203 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2204
7d4488bb
MC		 2205 /*
2206 * We want to maintain our own refs to these BIO, so do an up ref for
2207 * each BIO that will have ownership transferred in the SSL_set_bio()
2208 * call
2209 */
2210 if (irbio != NULL)
2211 BIO_up_ref(irbio);
2212 if (iwbio != NULL && iwbio != irbio)
2213 BIO_up_ref(iwbio);
2214 }
7fb4c820 2215
7d4488bb
MC		 2216 if (conntype != CONNTYPE_NO_CONNECTION
2217 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2218 SSL_ERROR_NONE)
2219 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2220 goto end;
7fb4c820
MC		 2221
2222 setupbio(&nrbio, bio1, bio2, newrbio);
2223 setupbio(&nwbio, bio1, bio2, newwbio);
2224
2225 /*
2226 * We will (maybe) transfer ownership again so do more up refs.
2227 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2228 * already been set!
2229 */
710756a9
RS		 2230 if (nrbio != NULL
2231 && nrbio != irbio
2232 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2233 BIO_up_ref(nrbio);
710756a9
RS		 2234 if (nwbio != NULL
2235 && nwbio != nrbio
2236 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2237 BIO_up_ref(nwbio);
2238
7d4488bb 2239 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2240
2241 testresult = 1;
2242
2243 end:
7fb4c820
MC		 2244 BIO_free(bio1);
2245 BIO_free(bio2);
710756a9 2246
7fb4c820
MC		 2247 /*
2248 * This test is checking that the ref counting for SSL_set_bio is correct.
2249 * If we get here and we did too many frees then we will fail in the above
742ccab3 2250 * functions.
7fb4c820 2251 */
7d4488bb
MC		 2252 SSL_free(serverssl);
2253 SSL_free(clientssl);
2254 SSL_CTX_free(sctx);
2255 SSL_CTX_free(cctx);
7fb4c820
MC		 2256 return testresult;
2257}
2258
7e885b7b 2259typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2260
7e885b7b 2261static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2262{
2263 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2264 SSL_CTX *ctx;
9a716987
MC		 2265 SSL *ssl = NULL;
2266 int testresult = 0;
2267
710756a9
RS		 2268 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2269 || !TEST_ptr(ssl = SSL_new(ctx))
2270 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2271 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2272 goto end;
9a716987
MC		 2273
2274 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2275
2276 /*
742ccab3 2277 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2278 */
2279 BIO_push(sslbio, membio1);
2280
69687aa8 2281 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2282 if (change_bio != NO_BIO_CHANGE) {
710756a9 2283 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2284 goto end;
7e885b7b 2285 if (change_bio == CHANGE_RBIO)
65e2d672 2286 SSL_set0_rbio(ssl, membio2);
9a716987 2287 else
65e2d672 2288 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2289 }
2290 ssl = NULL;
2291
7e885b7b 2292 if (pop_ssl)
9a716987
MC		 2293 BIO_pop(sslbio);
2294 else
2295 BIO_pop(membio1);
2296
2297 testresult = 1;
2298 end:
2299 BIO_free(membio1);
2300 BIO_free(sslbio);
2301 SSL_free(ssl);
2302 SSL_CTX_free(ctx);
2303
2304 return testresult;
2305}
2306
2307static int test_ssl_bio_pop_next_bio(void)
2308{
7e885b7b 2309 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2310}
2311
2312static int test_ssl_bio_pop_ssl_bio(void)
2313{
7e885b7b 2314 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2315}
2316
2317static int test_ssl_bio_change_rbio(void)
2318{
7e885b7b 2319 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2320}
2321
2322static int test_ssl_bio_change_wbio(void)
2323{
7e885b7b 2324 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2325}
2326
c423ecaa 2327#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 2328typedef struct {
2329 /* The list of sig algs */
2330 const int *list;
2331 /* The length of the list */
2332 size_t listlen;
2333 /* A sigalgs list in string format */
2334 const char *liststr;
2335 /* Whether setting the list should succeed */
2336 int valid;
2337 /* Whether creating a connection with the list should succeed */
2338 int connsuccess;
2339} sigalgs_list;
2340
2341static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2342# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2343static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2344static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2345# endif
f1b25aae
MC		 2346static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2347static const int invalidlist2[] = {NID_sha256, NID_undef};
2348static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2349static const int invalidlist4[] = {NID_sha256};
2350static const sigalgs_list testsigalgs[] = {
2351 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2352# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2353 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2354 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2355# endif
f1b25aae 2356 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2357# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2358 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2359 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2360# endif
f1b25aae
MC		 2361 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2362 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2363 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2364 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2365 {NULL, 0, "RSA", 0, 0},
2366 {NULL, 0, "SHA256", 0, 0},
2367 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2368 {NULL, 0, "Invalid", 0, 0}
2369};
f1b25aae
MC		 2370
2371static int test_set_sigalgs(int idx)
2372{
2373 SSL_CTX *cctx = NULL, *sctx = NULL;
2374 SSL *clientssl = NULL, *serverssl = NULL;
2375 int testresult = 0;
2376 const sigalgs_list *curr;
2377 int testctx;
2378
2379 /* Should never happen */
710756a9 2380 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2381 return 0;
2382
2383 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2384 curr = testctx ? &testsigalgs[idx]
2385 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2386
7d7f6834 2387 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2388 TLS1_VERSION, 0,
7d7f6834 2389 &sctx, &cctx, cert, privkey)))
f1b25aae 2390 return 0;
f1b25aae 2391
d2e491f2
MC		 2392 /*
2393 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2394 * for TLSv1.2 for now until we add a new API.
2395 */
2396 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2397
f1b25aae
MC		 2398 if (testctx) {
2399 int ret;
710756a9 2400
f1b25aae
MC		 2401 if (curr->list != NULL)
2402 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2403 else
2404 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2405
2406 if (!ret) {
2407 if (curr->valid)
710756a9 2408 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2409 else
2410 testresult = 1;
2411 goto end;
2412 }
2413 if (!curr->valid) {
710756a9 2414 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2415 goto end;
2416 }
2417 }
2418
710756a9
RS		 2419 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2420 &clientssl, NULL, NULL)))
f1b25aae 2421 goto end;
f1b25aae
MC		 2422
2423 if (!testctx) {
2424 int ret;
2425
2426 if (curr->list != NULL)
2427 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2428 else
2429 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2430 if (!ret) {
2431 if (curr->valid)
710756a9 2432 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2433 else
2434 testresult = 1;
2435 goto end;
2436 }
710756a9 2437 if (!curr->valid)
f1b25aae 2438 goto end;
f1b25aae
MC		 2439 }
2440
710756a9
RS		 2441 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2442 SSL_ERROR_NONE),
2443 curr->connsuccess))
f1b25aae 2444 goto end;
f1b25aae
MC		 2445
2446 testresult = 1;
2447
2448 end:
2449 SSL_free(serverssl);
2450 SSL_free(clientssl);
2451 SSL_CTX_free(sctx);
2452 SSL_CTX_free(cctx);
2453
2454 return testresult;
2455}
c423ecaa 2456#endif
f1b25aae 2457
fff202e5 2458#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2459static int psk_client_cb_cnt = 0;
2460static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2461
2462static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2463 size_t *idlen, SSL_SESSION **sess)
2464{
2465 switch (++use_session_cb_cnt) {
2466 case 1:
2467 /* The first call should always have a NULL md */
2468 if (md != NULL)
2469 return 0;
2470 break;
2471
2472 case 2:
2473 /* The second call should always have an md */
2474 if (md == NULL)
2475 return 0;
2476 break;
2477
2478 default:
2479 /* We should only be called a maximum of twice */
2480 return 0;
2481 }
2482
57dee9bb
MC		 2483 if (clientpsk != NULL)
2484 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2485
57dee9bb 2486 *sess = clientpsk;
02a3ed5a
MC		 2487 *id = (const unsigned char *)pskid;
2488 *idlen = strlen(pskid);
2489
2490 return 1;
2491}
2492
c2b290c3 2493#ifndef OPENSSL_NO_PSK
532f9578
MC		 2494static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2495 unsigned int max_id_len,
2496 unsigned char *psk,
2497 unsigned int max_psk_len)
2498{
2499 unsigned int psklen = 0;
2500
2501 psk_client_cb_cnt++;
2502
2503 if (strlen(pskid) + 1 > max_id_len)
2504 return 0;
2505
2506 /* We should only ever be called a maximum of twice per connection */
2507 if (psk_client_cb_cnt > 2)
2508 return 0;
2509
2510 if (clientpsk == NULL)
2511 return 0;
2512
2513 /* We'll reuse the PSK we set up for TLSv1.3 */
2514 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2515 return 0;
2516 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2517 strncpy(id, pskid, max_id_len);
2518
2519 return psklen;
2520}
c2b290c3 2521#endif /* OPENSSL_NO_PSK */
532f9578 2522
02a3ed5a
MC		 2523static int find_session_cb(SSL *ssl, const unsigned char *identity,
2524 size_t identity_len, SSL_SESSION **sess)
2525{
2526 find_session_cb_cnt++;
2527
2528 /* We should only ever be called a maximum of twice per connection */
2529 if (find_session_cb_cnt > 2)
2530 return 0;
2531
57dee9bb 2532 if (serverpsk == NULL)
02a3ed5a
MC		 2533 return 0;
2534
2535 /* Identity should match that set by the client */
2536 if (strlen(srvid) != identity_len
2537 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2538 /* No PSK found, continue but without a PSK */
2539 *sess = NULL;
2540 return 1;
2541 }
2542
57dee9bb
MC		 2543 SSL_SESSION_up_ref(serverpsk);
2544 *sess = serverpsk;
02a3ed5a
MC		 2545
2546 return 1;
2547}
2548
c2b290c3 2549#ifndef OPENSSL_NO_PSK
532f9578
MC		 2550static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2551 unsigned char *psk, unsigned int max_psk_len)
2552{
2553 unsigned int psklen = 0;
2554
2555 psk_server_cb_cnt++;
2556
2557 /* We should only ever be called a maximum of twice per connection */
2558 if (find_session_cb_cnt > 2)
2559 return 0;
2560
2561 if (serverpsk == NULL)
2562 return 0;
2563
2564 /* Identity should match that set by the client */
2565 if (strcmp(srvid, identity) != 0) {
2566 return 0;
2567 }
2568
2569 /* We'll reuse the PSK we set up for TLSv1.3 */
2570 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2571 return 0;
2572 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2573
2574 return psklen;
2575}
c2b290c3 2576#endif /* OPENSSL_NO_PSK */
532f9578 2577
5f982038
MC		 2578#define MSG1 "Hello"
2579#define MSG2 "World."
2580#define MSG3 "This"
2581#define MSG4 "is"
2582#define MSG5 "a"
90049cea
MC		 2583#define MSG6 "test"
2584#define MSG7 "message."
5f982038 2585
02a3ed5a 2586#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 2587#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 2588
8614a4eb
MC		 2589
2590static SSL_SESSION *create_a_psk(SSL *ssl)
2591{
2592 const SSL_CIPHER *cipher = NULL;
2593 const unsigned char key[] = {
2594 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2595 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2596 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2597 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2598 0x2c, 0x2d, 0x2e, 0x2f
2599 };
2600 SSL_SESSION *sess = NULL;
2601
2602 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2603 sess = SSL_SESSION_new();
2604 if (!TEST_ptr(sess)
2605 || !TEST_ptr(cipher)
2606 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2607 sizeof(key)))
2608 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2609 || !TEST_true(
2610 SSL_SESSION_set_protocol_version(sess,
2611 TLS1_3_VERSION))) {
2612 SSL_SESSION_free(sess);
2613 return NULL;
2614 }
2615 return sess;
2616}
2617
5f982038
MC		 2618/*
2619 * Helper method to setup objects for early data test. Caller frees objects on
2620 * error.
2621 */
2622static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 2623 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 2624{
5a421415
MC		 2625 if (*sctx == NULL
2626 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2627 TLS_client_method(),
5c587fb6 2628 TLS1_VERSION, 0,
5a421415
MC		 2629 sctx, cctx, cert, privkey)))
2630 return 0;
2631
2632 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 2633 return 0;
5f982038 2634
02a3ed5a
MC		 2635 if (idx == 1) {
2636 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 2637 SSL_CTX_set_read_ahead(*cctx, 1);
2638 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 2639 } else if (idx == 2) {
2640 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2641 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2642 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2643 use_session_cb_cnt = 0;
2644 find_session_cb_cnt = 0;
2645 srvid = pskid;
3cb47b4e
MC		 2646 }
2647
710756a9 2648 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 2649 NULL, NULL)))
2650 return 0;
2651
141e4709
MC		 2652 /*
2653 * For one of the run throughs (doesn't matter which one), we'll try sending
2654 * some SNI data in the initial ClientHello. This will be ignored (because
2655 * there is no SNI cb set up by the server), so it should not impact
2656 * early_data.
2657 */
2658 if (idx == 1
2659 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2660 return 0;
2661
02a3ed5a 2662 if (idx == 2) {
8614a4eb 2663 clientpsk = create_a_psk(*clientssl);
57dee9bb 2664 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 2665 /*
2666 * We just choose an arbitrary value for max_early_data which
2667 * should be big enough for testing purposes.
2668 */
57dee9bb
MC		 2669 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2670 0x100))
2671 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2672 SSL_SESSION_free(clientpsk);
2673 clientpsk = NULL;
02a3ed5a
MC		 2674 return 0;
2675 }
57dee9bb 2676 serverpsk = clientpsk;
02a3ed5a 2677
c20e3b28
MC		 2678 if (sess != NULL) {
2679 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2680 SSL_SESSION_free(clientpsk);
2681 SSL_SESSION_free(serverpsk);
2682 clientpsk = serverpsk = NULL;
2683 return 0;
2684 }
57dee9bb 2685 *sess = clientpsk;
c20e3b28 2686 }
02a3ed5a
MC		 2687 return 1;
2688 }
2689
2690 if (sess == NULL)
2691 return 1;
2692
2693 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2694 SSL_ERROR_NONE)))
5f982038 2695 return 0;
5f982038
MC		 2696
2697 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 2698 SSL_shutdown(*clientssl);
2699 SSL_shutdown(*serverssl);
5f982038
MC		 2700 SSL_free(*serverssl);
2701 SSL_free(*clientssl);
2702 *serverssl = *clientssl = NULL;
2703
710756a9
RS		 2704 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2705 clientssl, NULL, NULL))
2706 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 2707 return 0;
5f982038
MC		 2708
2709 return 1;
2710}
2711
3cb47b4e 2712static int test_early_data_read_write(int idx)
5f982038
MC		 2713{
2714 SSL_CTX *cctx = NULL, *sctx = NULL;
2715 SSL *clientssl = NULL, *serverssl = NULL;
2716 int testresult = 0;
2717 SSL_SESSION *sess = NULL;
9b5c865d
MC		 2718 unsigned char buf[20], data[1024];
2719 size_t readbytes, written, eoedlen, rawread, rawwritten;
2720 BIO *rbio;
5f982038 2721
710756a9
RS		 2722 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2723 &serverssl, &sess, idx)))
5f982038
MC		 2724 goto end;
2725
2726 /* Write and read some early data */
710756a9
RS		 2727 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2728 &written))
2729 || !TEST_size_t_eq(written, strlen(MSG1))
2730 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2731 sizeof(buf), &readbytes),
2732 SSL_READ_EARLY_DATA_SUCCESS)
2733 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2734 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2735 SSL_EARLY_DATA_ACCEPTED))
5f982038 2736 goto end;
5f982038
MC		 2737
2738 /*
09f28874 2739 * Server should be able to write data, and client should be able to
5f982038
MC		 2740 * read it.
2741 */
710756a9
RS		 2742 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2743 &written))
2744 || !TEST_size_t_eq(written, strlen(MSG2))
2745 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2746 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2747 goto end;
5f982038
MC		 2748
2749 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 2750 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2751 &written))
2752 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 2753 goto end;
5f982038 2754
09f28874 2755 /* Server should still be able read early data after writing data */
710756a9
RS		 2756 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2757 &readbytes),
2758 SSL_READ_EARLY_DATA_SUCCESS)
2759 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 2760 goto end;
5f982038 2761
09f28874 2762 /* Write more data from server and read it from client */
710756a9
RS		 2763 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2764 &written))
2765 || !TEST_size_t_eq(written, strlen(MSG4))
2766 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2767 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2768 goto end;
5f982038
MC		 2769
2770 /*
2771 * If client writes normal data it should mean writing early data is no
2772 * longer possible.
2773 */
710756a9
RS		 2774 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2775 || !TEST_size_t_eq(written, strlen(MSG5))
2776 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2777 SSL_EARLY_DATA_ACCEPTED))
5f982038 2778 goto end;
5f982038 2779
9b5c865d
MC		 2780 /*
2781 * At this point the client has written EndOfEarlyData, ClientFinished and
2782 * normal (fully protected) data. We are going to cause a delay between the
2783 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2784 * in the read BIO, and then just put back the EndOfEarlyData message.
2785 */
2786 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2787 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2788 || !TEST_size_t_lt(rawread, sizeof(data))
2789 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2790 goto end;
710756a9 2791
9b5c865d
MC		 2792 /* Record length is in the 4th and 5th bytes of the record header */
2793 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2794 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2795 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2796 goto end;
9b5c865d 2797
5f982038 2798 /* Server should be told that there is no more early data */
710756a9
RS		 2799 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2800 &readbytes),
2801 SSL_READ_EARLY_DATA_FINISH)
2802 || !TEST_size_t_eq(readbytes, 0))
5f982038 2803 goto end;
5f982038 2804
9b5c865d
MC		 2805 /*
2806 * Server has not finished init yet, so should still be able to write early
2807 * data.
2808 */
710756a9
RS		 2809 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2810 &written))
2811 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2812 goto end;
9b5c865d 2813
f8a303fa 2814 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2815 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2816 &rawwritten))
2817 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2818 goto end;
f8a303fa 2819
5f982038 2820 /* Server should be able to read normal data */
710756a9
RS		 2821 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2822 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2823 goto end;
5f982038 2824
09f28874 2825 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2826 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2827 &written)))
5f982038 2828 goto end;
5f982038 2829 ERR_clear_error();
710756a9
RS		 2830 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2831 &readbytes),
2832 SSL_READ_EARLY_DATA_ERROR))
5f982038 2833 goto end;
5f982038
MC		 2834 ERR_clear_error();
2835
9b5c865d 2836 /* Client should be able to read the data sent by the server */
710756a9
RS		 2837 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2838 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2839 goto end;
710756a9 2840
f8a303fa 2841 /*
36ff232c
MC		 2842 * Make sure we process the two NewSessionTickets. These arrive
2843 * post-handshake. We attempt reads which we do not expect to return any
2844 * data.
f8a303fa 2845 */
36ff232c
MC		 2846 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2847 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2848 &readbytes)))
f8a303fa 2849 goto end;
5f982038 2850
90049cea 2851 /* Server should be able to write normal data */
710756a9
RS		 2852 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2853 || !TEST_size_t_eq(written, strlen(MSG7))
2854 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2855 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2856 goto end;
90049cea 2857
c20e3b28 2858 SSL_SESSION_free(sess);
5f982038 2859 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2860 use_session_cb_cnt = 0;
2861 find_session_cb_cnt = 0;
5f982038
MC		 2862
2863 SSL_shutdown(clientssl);
2864 SSL_shutdown(serverssl);
5f982038
MC		 2865 SSL_free(serverssl);
2866 SSL_free(clientssl);
2867 serverssl = clientssl = NULL;
710756a9
RS		 2868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2869 &clientssl, NULL, NULL))
2870 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2871 goto end;
5f982038
MC		 2872
2873 /* Write and read some early data */
710756a9
RS		 2874 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2875 &written))
2876 || !TEST_size_t_eq(written, strlen(MSG1))
2877 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2878 &readbytes),
2879 SSL_READ_EARLY_DATA_SUCCESS)
2880 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2881 goto end;
5f982038 2882
710756a9
RS		 2883 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2884 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2885 goto end;
5f982038 2886
09f28874 2887 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2888 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2889 &written)))
5f982038 2890 goto end;
5f982038 2891 ERR_clear_error();
710756a9
RS		 2892 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2893 &readbytes),
2894 SSL_READ_EARLY_DATA_ERROR))
5f982038 2895 goto end;
5f982038
MC		 2896 ERR_clear_error();
2897
2898 /* Client and server should be able to write/read normal data */
710756a9
RS		 2899 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2900 || !TEST_size_t_eq(written, strlen(MSG5))
2901 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2902 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2903 goto end;
5f982038
MC		 2904
2905 testresult = 1;
2906
2907 end:
c20e3b28 2908 SSL_SESSION_free(sess);
57dee9bb
MC		 2909 SSL_SESSION_free(clientpsk);
2910 SSL_SESSION_free(serverpsk);
2911 clientpsk = serverpsk = NULL;
5f982038
MC		 2912 SSL_free(serverssl);
2913 SSL_free(clientssl);
2914 SSL_CTX_free(sctx);
2915 SSL_CTX_free(cctx);
5f982038
MC		 2916 return testresult;
2917}
2918
5a421415
MC		 2919static int allow_ed_cb_called = 0;
2920
2921static int allow_early_data_cb(SSL *s, void *arg)
2922{
2923 int *usecb = (int *)arg;
2924
2925 allow_ed_cb_called++;
2926
2927 if (*usecb == 1)
2928 return 0;
2929
2930 return 1;
2931}
2932
2933/*
2934 * idx == 0: Standard early_data setup
2935 * idx == 1: early_data setup using read_ahead
2936 * usecb == 0: Don't use a custom early data callback
2937 * usecb == 1: Use a custom early data callback and reject the early data
2938 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 2939 * confopt == 0: Configure anti-replay directly
2940 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 2941 */
3bb5e5b0 2942static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 2943{
2944 SSL_CTX *cctx = NULL, *sctx = NULL;
2945 SSL *clientssl = NULL, *serverssl = NULL;
2946 int testresult = 0;
2947 SSL_SESSION *sess = NULL;
5a421415
MC		 2948 size_t readbytes, written;
2949 unsigned char buf[20];
2950
2951 allow_ed_cb_called = 0;
2952
2953 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2954 TLS1_VERSION, 0, &sctx,
5a421415
MC		 2955 &cctx, cert, privkey)))
2956 return 0;
2957
2958 if (usecb > 0) {
3bb5e5b0
MC		 2959 if (confopt == 0) {
2960 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2961 } else {
2962 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2963
2964 if (!TEST_ptr(confctx))
2965 goto end;
2966 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2967 | SSL_CONF_FLAG_SERVER);
2968 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2969 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2970 2)) {
2971 SSL_CONF_CTX_free(confctx);
2972 goto end;
2973 }
2974 SSL_CONF_CTX_free(confctx);
2975 }
5a421415
MC		 2976 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2977 }
78fb5374
MC		 2978
2979 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2980 &serverssl, &sess, idx)))
2981 goto end;
2982
2983 /*
2984 * The server is configured to accept early data. Create a connection to
2985 * "use up" the ticket
2986 */
2987 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2988 || !TEST_true(SSL_session_reused(clientssl)))
2989 goto end;
2990
2991 SSL_shutdown(clientssl);
2992 SSL_shutdown(serverssl);
2993 SSL_free(serverssl);
2994 SSL_free(clientssl);
2995 serverssl = clientssl = NULL;
2996
2997 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2998 &clientssl, NULL, NULL))
5a421415
MC		 2999 || !TEST_true(SSL_set_session(clientssl, sess)))
3000 goto end;
3001
3002 /* Write and read some early data */
3003 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3004 &written))
3005 || !TEST_size_t_eq(written, strlen(MSG1)))
3006 goto end;
3007
3008 if (usecb <= 1) {
3009 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3010 &readbytes),
3011 SSL_READ_EARLY_DATA_FINISH)
3012 /*
3013 * The ticket was reused, so the we should have rejected the
3014 * early data
3015 */
3016 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3017 SSL_EARLY_DATA_REJECTED))
3018 goto end;
3019 } else {
3020 /* In this case the callback decides to accept the early data */
3021 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3022 &readbytes),
3023 SSL_READ_EARLY_DATA_SUCCESS)
3024 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3025 /*
3026 * Server will have sent its flight so client can now send
3027 * end of early data and complete its half of the handshake
3028 */
3029 || !TEST_int_gt(SSL_connect(clientssl), 0)
3030 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3031 &readbytes),
3032 SSL_READ_EARLY_DATA_FINISH)
3033 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3034 SSL_EARLY_DATA_ACCEPTED))
3035 goto end;
3036 }
3037
3038 /* Complete the connection */
3039 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3040 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3041 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3042 goto end;
3043
3044 testresult = 1;
3045
3046 end:
c20e3b28 3047 SSL_SESSION_free(sess);
78fb5374
MC		 3048 SSL_SESSION_free(clientpsk);
3049 SSL_SESSION_free(serverpsk);
3050 clientpsk = serverpsk = NULL;
3051 SSL_free(serverssl);
3052 SSL_free(clientssl);
3053 SSL_CTX_free(sctx);
3054 SSL_CTX_free(cctx);
3055 return testresult;
3056}
3057
5a421415
MC		 3058static int test_early_data_replay(int idx)
3059{
3bb5e5b0 3060 int ret = 1, usecb, confopt;
5a421415 3061
3bb5e5b0
MC		 3062 for (usecb = 0; usecb < 3; usecb++) {
3063 for (confopt = 0; confopt < 2; confopt++)
3064 ret &= test_early_data_replay_int(idx, usecb, confopt);
3065 }
5a421415
MC		 3066
3067 return ret;
3068}
3069
710756a9 3070/*
6b84e6bf
MC		 3071 * Helper function to test that a server attempting to read early data can
3072 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3073 * testtype: 0 == No HRR
3074 * testtype: 1 == HRR
0efa0ba4
MC		 3075 * testtype: 2 == HRR, invalid early_data sent after HRR
3076 * testtype: 3 == recv_max_early_data set to 0
710756a9 3077 */
0d1b7789 3078static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3079{
3080 SSL_CTX *cctx = NULL, *sctx = NULL;
3081 SSL *clientssl = NULL, *serverssl = NULL;
3082 int testresult = 0;
018fcbec 3083 SSL_SESSION *sess = NULL;
5f982038
MC		 3084 unsigned char buf[20];
3085 size_t readbytes, written;
3086
710756a9
RS		 3087 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3088 &serverssl, &sess, idx)))
5f982038
MC		 3089 goto end;
3090
0efa0ba4 3091 if (testtype == 1 || testtype == 2) {
6b84e6bf 3092 /* Force an HRR to occur */
dbc6268f
MC		 3093#if defined(OPENSSL_NO_EC)
3094 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3095 goto end;
3096#else
6b84e6bf
MC		 3097 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3098 goto end;
dbc6268f 3099#endif
02a3ed5a
MC		 3100 } else if (idx == 2) {
3101 /*
3102 * We force early_data rejection by ensuring the PSK identity is
3103 * unrecognised
3104 */
3105 srvid = "Dummy Identity";
6b84e6bf
MC		 3106 } else {
3107 /*
3108 * Deliberately corrupt the creation time. We take 20 seconds off the
3109 * time. It could be any value as long as it is not within tolerance.
3110 * This should mean the ticket is rejected.
3111 */
5d99881e 3112 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3113 goto end;
3114 }
5f982038 3115
0efa0ba4 3116 if (testtype == 3
0d1b7789
MC		 3117 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3118 goto end;
3119
5f982038 3120 /* Write some early data */
710756a9
RS		 3121 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3122 &written))
3123 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3124 goto end;
5f982038 3125
0d1b7789 3126 /* Server should reject the early data */
710756a9
RS		 3127 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3128 &readbytes),
3129 SSL_READ_EARLY_DATA_FINISH)
3130 || !TEST_size_t_eq(readbytes, 0)
3131 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3132 SSL_EARLY_DATA_REJECTED))
5f982038 3133 goto end;
5f982038 3134
0efa0ba4
MC		 3135 switch (testtype) {
3136 case 0:
3137 /* Nothing to do */
3138 break;
3139
3140 case 1:
6b84e6bf
MC		 3141 /*
3142 * Finish off the handshake. We perform the same writes and reads as
3143 * further down but we expect them to fail due to the incomplete
3144 * handshake.
3145 */
3146 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3147 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3148 &readbytes)))
3149 goto end;
0efa0ba4
MC		 3150 break;
3151
3152 case 2:
3153 {
3154 BIO *wbio = SSL_get_wbio(clientssl);
3155 /* A record that will appear as bad early_data */
3156 const unsigned char bad_early_data[] = {
3157 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3158 };
3159
3160 /*
3161 * We force the client to attempt a write. This will fail because
3162 * we're still in the handshake. It will cause the second
3163 * ClientHello to be sent.
3164 */
3165 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3166 &written)))
3167 goto end;
3168
3169 /*
3170 * Inject some early_data after the second ClientHello. This should
3171 * cause the server to fail
3172 */
3173 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3174 sizeof(bad_early_data), &written)))
3175 goto end;
3176 }
3177 /* fallthrough */
3178
3179 case 3:
0d1b7789 3180 /*
0efa0ba4
MC		 3181 * This client has sent more early_data than we are willing to skip
3182 * (case 3) or sent invalid early_data (case 2) so the connection should
3183 * abort.
0d1b7789
MC		 3184 */
3185 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3186 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3187 goto end;
3188
3189 /* Connection has failed - nothing more to do */
3190 testresult = 1;
3191 goto end;
0efa0ba4
MC		 3192
3193 default:
3194 TEST_error("Invalid test type");
3195 goto end;
6b84e6bf
MC		 3196 }
3197
0d1b7789
MC		 3198 /*
3199 * Should be able to send normal data despite rejection of early data. The
3200 * early_data should be skipped.
3201 */
710756a9
RS		 3202 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3203 || !TEST_size_t_eq(written, strlen(MSG2))
3204 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3205 SSL_EARLY_DATA_REJECTED)
3206 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3207 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3208 goto end;
5f982038
MC		 3209
3210 testresult = 1;
3211
3212 end:
c20e3b28 3213 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3214 SSL_SESSION_free(serverpsk);
3215 clientpsk = serverpsk = NULL;
5f982038
MC		 3216 SSL_SESSION_free(sess);
3217 SSL_free(serverssl);
3218 SSL_free(clientssl);
3219 SSL_CTX_free(sctx);
3220 SSL_CTX_free(cctx);
5f982038
MC		 3221 return testresult;
3222}
3223
6b84e6bf
MC		 3224/*
3225 * Test that a server attempting to read early data can handle a connection
3226 * from a client where the early data is not acceptable.
3227 */
3228static int test_early_data_skip(int idx)
3229{
3230 return early_data_skip_helper(0, idx);
3231}
3232
3233/*
3234 * Test that a server attempting to read early data can handle a connection
3235 * from a client where an HRR occurs.
3236 */
3237static int test_early_data_skip_hrr(int idx)
3238{
3239 return early_data_skip_helper(1, idx);
3240}
3241
0efa0ba4
MC		 3242/*
3243 * Test that a server attempting to read early data can handle a connection
3244 * from a client where an HRR occurs and correctly fails if early_data is sent
3245 * after the HRR
3246 */
3247static int test_early_data_skip_hrr_fail(int idx)
3248{
3249 return early_data_skip_helper(2, idx);
3250}
3251
0d1b7789
MC		 3252/*
3253 * Test that a server attempting to read early data will abort if it tries to
3254 * skip over too much.
3255 */
3256static int test_early_data_skip_abort(int idx)
3257{
0efa0ba4 3258 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3259}
3260
710756a9
RS		 3261/*
3262 * Test that a server attempting to read early data can handle a connection
3263 * from a client that doesn't send any.
3264 */
3cb47b4e 3265static int test_early_data_not_sent(int idx)
5f982038
MC		 3266{
3267 SSL_CTX *cctx = NULL, *sctx = NULL;
3268 SSL *clientssl = NULL, *serverssl = NULL;
3269 int testresult = 0;
018fcbec 3270 SSL_SESSION *sess = NULL;
5f982038
MC		 3271 unsigned char buf[20];
3272 size_t readbytes, written;
3273
710756a9
RS		 3274 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3275 &serverssl, &sess, idx)))
5f982038
MC		 3276 goto end;
3277
3278 /* Write some data - should block due to handshake with server */
3279 SSL_set_connect_state(clientssl);
710756a9 3280 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3281 goto end;
5f982038
MC		 3282
3283 /* Server should detect that early data has not been sent */
710756a9
RS		 3284 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3285 &readbytes),
3286 SSL_READ_EARLY_DATA_FINISH)
3287 || !TEST_size_t_eq(readbytes, 0)
3288 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3289 SSL_EARLY_DATA_NOT_SENT)
3290 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3291 SSL_EARLY_DATA_NOT_SENT))
5f982038 3292 goto end;
5f982038
MC		 3293
3294 /* Continue writing the message we started earlier */
710756a9
RS		 3295 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3296 || !TEST_size_t_eq(written, strlen(MSG1))
3297 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3298 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3299 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3300 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3301 goto end;
5f982038 3302
710756a9
RS		 3303 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3304 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3305 goto end;
5f982038
MC		 3306
3307 testresult = 1;
3308
3309 end:
5f982038 3310 SSL_SESSION_free(sess);
c20e3b28 3311 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3312 SSL_SESSION_free(serverpsk);
3313 clientpsk = serverpsk = NULL;
5f982038
MC		 3314 SSL_free(serverssl);
3315 SSL_free(clientssl);
3316 SSL_CTX_free(sctx);
3317 SSL_CTX_free(cctx);
5f982038
MC		 3318 return testresult;
3319}
3320
976e5323
MC		 3321static const char *servalpn;
3322
c7558d5b
PY		 3323static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3324 unsigned char *outlen, const unsigned char *in,
3325 unsigned int inlen, void *arg)
976e5323 3326{
c7558d5b 3327 unsigned int protlen = 0;
976e5323
MC		 3328 const unsigned char *prot;
3329
c7558d5b
PY		 3330 for (prot = in; prot < in + inlen; prot += protlen) {
3331 protlen = *prot++;
5d99881e 3332 if (in + inlen < prot + protlen)
976e5323
MC		 3333 return SSL_TLSEXT_ERR_NOACK;
3334
3335 if (protlen == strlen(servalpn)
0bd42fde 3336 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3337 *out = prot;
3338 *outlen = protlen;
3339 return SSL_TLSEXT_ERR_OK;
3340 }
3341 }
3342
3343 return SSL_TLSEXT_ERR_NOACK;
3344}
3345
57dee9bb 3346/* Test that a PSK can be used to send early_data */
976e5323
MC		 3347static int test_early_data_psk(int idx)
3348{
3349 SSL_CTX *cctx = NULL, *sctx = NULL;
3350 SSL *clientssl = NULL, *serverssl = NULL;
3351 int testresult = 0;
3352 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3353 unsigned char alpnlist[] = {
3354 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3355 'l', 'p', 'n'
3356 };
3357#define GOODALPNLEN 9
3358#define BADALPNLEN 8
3359#define GOODALPN (alpnlist)
3360#define BADALPN (alpnlist + GOODALPNLEN)
3361 int err = 0;
976e5323
MC		 3362 unsigned char buf[20];
3363 size_t readbytes, written;
57dee9bb 3364 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3365 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3366
3367 /* We always set this up with a final parameter of "2" for PSK */
3368 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3369 &serverssl, &sess, 2)))
3370 goto end;
3371
976e5323
MC		 3372 servalpn = "goodalpn";
3373
57dee9bb
MC		 3374 /*
3375 * Note: There is no test for inconsistent SNI with late client detection.
3376 * This is because servers do not acknowledge SNI even if they are using
3377 * it in a resumption handshake - so it is not actually possible for a
3378 * client to detect a problem.
3379 */
976e5323
MC		 3380 switch (idx) {
3381 case 0:
57dee9bb 3382 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3383 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3384 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3385 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3386 goto end;
3387 break;
3388
3389 case 1:
57dee9bb 3390 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3391 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3392 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3393 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3394 GOODALPNLEN))
3395 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3396 BADALPNLEN)))
976e5323
MC		 3397 goto end;
3398 break;
3399
3400 case 2:
3401 /*
3402 * Set invalid protocol version. Technically this affects PSKs without
3403 * early_data too, but we test it here because it is similar to the
3404 * SNI/ALPN consistency tests.
3405 */
3406 err = SSL_R_BAD_PSK;
3407 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3408 goto end;
3409 break;
3410
3411 case 3:
3412 /*
49ef3d07
MC		 3413 * Set inconsistent SNI (server side). In this case the connection
3414 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3415 * is associated with each handshake - not the session. Therefore it
3416 * should not matter that we used a different server name last time.
976e5323 3417 */
281bf233
MC		 3418 SSL_SESSION_free(serverpsk);
3419 serverpsk = SSL_SESSION_dup(clientpsk);
3420 if (!TEST_ptr(serverpsk)
3421 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3422 goto end;
976e5323
MC		 3423 /* Fall through */
3424 case 4:
3425 /* Set consistent SNI */
976e5323
MC		 3426 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3427 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3428 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3429 hostname_cb)))
3430 goto end;
3431 break;
3432
3433 case 5:
3434 /*
3435 * Set inconsistent ALPN (server detected). In this case the connection
3436 * will succeed but reject early_data.
3437 */
3438 servalpn = "badalpn";
3439 edstatus = SSL_EARLY_DATA_REJECTED;
3440 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3441 /* Fall through */
3442 case 6:
976e5323 3443 /*
57dee9bb 3444 * Set consistent ALPN.
976e5323
MC		 3445 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3446 * accepts a list of protos (each one length prefixed).
3447 * SSL_set1_alpn_selected accepts a single protocol (not length
3448 * prefixed)
3449 */
57dee9bb
MC		 3450 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3451 GOODALPNLEN - 1))
3452 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3453 GOODALPNLEN)))
976e5323
MC		 3454 goto end;
3455
3456 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3457 break;
3458
57dee9bb
MC		 3459 case 7:
3460 /* Set inconsistent ALPN (late client detection) */
3461 SSL_SESSION_free(serverpsk);
3462 serverpsk = SSL_SESSION_dup(clientpsk);
3463 if (!TEST_ptr(serverpsk)
3464 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3465 BADALPN + 1,
3466 BADALPNLEN - 1))
3467 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3468 GOODALPN + 1,
3469 GOODALPNLEN - 1))
3470 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3471 sizeof(alpnlist))))
3472 goto end;
3473 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3474 edstatus = SSL_EARLY_DATA_ACCEPTED;
3475 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3476 /* SSL_connect() call should fail */
3477 connectres = -1;
3478 break;
3479
976e5323
MC		 3480 default:
3481 TEST_error("Bad test index");
3482 goto end;
3483 }
3484
3485 SSL_set_connect_state(clientssl);
3486 if (err != 0) {
3487 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3488 &written))
3489 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3490 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3491 goto end;
3492 } else {
3493 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3494 &written)))
3495 goto end;
3496
3497 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3498 &readbytes), readearlyres)
976e5323
MC		 3499 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3500 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3501 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3502 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3503 goto end;
3504 }
3505
3506 testresult = 1;
3507
3508 end:
c20e3b28 3509 SSL_SESSION_free(sess);
57dee9bb
MC		 3510 SSL_SESSION_free(clientpsk);
3511 SSL_SESSION_free(serverpsk);
3512 clientpsk = serverpsk = NULL;
976e5323
MC		 3513 SSL_free(serverssl);
3514 SSL_free(clientssl);
3515 SSL_CTX_free(sctx);
3516 SSL_CTX_free(cctx);
3517 return testresult;
3518}
3519
710756a9
RS		 3520/*
3521 * Test that a server that doesn't try to read early data can handle a
3522 * client sending some.
3523 */
3cb47b4e 3524static int test_early_data_not_expected(int idx)
5f982038
MC		 3525{
3526 SSL_CTX *cctx = NULL, *sctx = NULL;
3527 SSL *clientssl = NULL, *serverssl = NULL;
3528 int testresult = 0;
018fcbec 3529 SSL_SESSION *sess = NULL;
5f982038
MC		 3530 unsigned char buf[20];
3531 size_t readbytes, written;
3532
710756a9
RS		 3533 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3534 &serverssl, &sess, idx)))
5f982038
MC		 3535 goto end;
3536
3537 /* Write some early data */
710756a9
RS		 3538 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3539 &written)))
5f982038 3540 goto end;
5f982038
MC		 3541
3542 /*
3543 * Server should skip over early data and then block waiting for client to
3544 * continue handshake
3545 */
710756a9
RS		 3546 if (!TEST_int_le(SSL_accept(serverssl), 0)
3547 || !TEST_int_gt(SSL_connect(clientssl), 0)
3548 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3549 SSL_EARLY_DATA_REJECTED)
3550 || !TEST_int_gt(SSL_accept(serverssl), 0)
3551 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3552 SSL_EARLY_DATA_REJECTED))
5f982038 3553 goto end;
5f982038
MC		 3554
3555 /* Send some normal data from client to server */
710756a9
RS		 3556 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3557 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3558 goto end;
5f982038 3559
710756a9
RS		 3560 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3561 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3562 goto end;
5f982038
MC		 3563
3564 testresult = 1;
3565
3566 end:
5f982038 3567 SSL_SESSION_free(sess);
c20e3b28 3568 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3569 SSL_SESSION_free(serverpsk);
3570 clientpsk = serverpsk = NULL;
5f982038
MC		 3571 SSL_free(serverssl);
3572 SSL_free(clientssl);
3573 SSL_CTX_free(sctx);
3574 SSL_CTX_free(cctx);
5f982038
MC		 3575 return testresult;
3576}
3577
3578
3579# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 3580/*
3581 * Test that a server attempting to read early data can handle a connection
3582 * from a TLSv1.2 client.
3583 */
3cb47b4e 3584static int test_early_data_tls1_2(int idx)
5f982038
MC		 3585{
3586 SSL_CTX *cctx = NULL, *sctx = NULL;
3587 SSL *clientssl = NULL, *serverssl = NULL;
3588 int testresult = 0;
3589 unsigned char buf[20];
3590 size_t readbytes, written;
3591
02a3ed5a
MC		 3592 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3593 &serverssl, NULL, idx)))
5f982038 3594 goto end;
5f982038
MC		 3595
3596 /* Write some data - should block due to handshake with server */
3597 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3598 SSL_set_connect_state(clientssl);
710756a9 3599 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3600 goto end;
5f982038
MC		 3601
3602 /*
3603 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 3604 * messages from client after ServerDone. Then SSL_read_early_data should
3605 * finish and detect that early data has not been sent
5f982038 3606 */
710756a9
RS		 3607 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3608 &readbytes),
3609 SSL_READ_EARLY_DATA_ERROR))
5f982038 3610 goto end;
5f982038
MC		 3611
3612 /*
3613 * Continue writing the message we started earlier. Will still block waiting
3614 * for the CCS/Finished from server
3615 */
710756a9
RS		 3616 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3617 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3618 &readbytes),
3619 SSL_READ_EARLY_DATA_FINISH)
3620 || !TEST_size_t_eq(readbytes, 0)
3621 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3622 SSL_EARLY_DATA_NOT_SENT))
5f982038 3623 goto end;
5f982038
MC		 3624
3625 /* Continue writing the message we started earlier */
710756a9
RS		 3626 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3627 || !TEST_size_t_eq(written, strlen(MSG1))
3628 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3629 SSL_EARLY_DATA_NOT_SENT)
3630 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3631 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3632 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3633 || !TEST_size_t_eq(written, strlen(MSG2))
3634 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3635 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3636 goto end;
5f982038
MC		 3637
3638 testresult = 1;
3639
3640 end:
57dee9bb
MC		 3641 SSL_SESSION_free(clientpsk);
3642 SSL_SESSION_free(serverpsk);
3643 clientpsk = serverpsk = NULL;
5f982038
MC		 3644 SSL_free(serverssl);
3645 SSL_free(clientssl);
3646 SSL_CTX_free(sctx);
3647 SSL_CTX_free(cctx);
3648
3649 return testresult;
3650}
ca0413ae
MC		 3651# endif /* OPENSSL_NO_TLS1_2 */
3652
034cb87b
MC		 3653/*
3654 * Test configuring the TLSv1.3 ciphersuites
3655 *
3656 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3657 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3658 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3659 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3660 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3661 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3662 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3663 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3664 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3665 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3666 */
3667static int test_set_ciphersuite(int idx)
3668{
3669 SSL_CTX *cctx = NULL, *sctx = NULL;
3670 SSL *clientssl = NULL, *serverssl = NULL;
3671 int testresult = 0;
3672
3673 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3674 TLS1_VERSION, 0,
034cb87b
MC		 3675 &sctx, &cctx, cert, privkey))
3676 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3677 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3678 goto end;
3679
3680 if (idx >=4 && idx <= 7) {
3681 /* SSL_CTX explicit cipher list */
3682 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3683 goto end;
3684 }
3685
3686 if (idx == 0 || idx == 4) {
3687 /* Default ciphersuite */
3688 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3689 "TLS_AES_128_GCM_SHA256")))
3690 goto end;
3691 } else if (idx == 1 || idx == 5) {
3692 /* Non default ciphersuite */
3693 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3694 "TLS_AES_128_CCM_SHA256")))
3695 goto end;
3696 }
3697
3698 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3699 &clientssl, NULL, NULL)))
3700 goto end;
3701
3702 if (idx == 8 || idx == 9) {
3703 /* SSL explicit cipher list */
3704 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3705 goto end;
3706 }
3707
3708 if (idx == 2 || idx == 6 || idx == 8) {
3709 /* Default ciphersuite */
3710 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3711 "TLS_AES_128_GCM_SHA256")))
3712 goto end;
3713 } else if (idx == 3 || idx == 7 || idx == 9) {
3714 /* Non default ciphersuite */
3715 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3716 "TLS_AES_128_CCM_SHA256")))
3717 goto end;
3718 }
3719
3720 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3721 goto end;
3722
3723 testresult = 1;
3724
3725 end:
3726 SSL_free(serverssl);
3727 SSL_free(clientssl);
3728 SSL_CTX_free(sctx);
3729 SSL_CTX_free(cctx);
3730
3731 return testresult;
3732}
3733
ca0413ae
MC		 3734static int test_ciphersuite_change(void)
3735{
3736 SSL_CTX *cctx = NULL, *sctx = NULL;
3737 SSL *clientssl = NULL, *serverssl = NULL;
3738 SSL_SESSION *clntsess = NULL;
3739 int testresult = 0;
3740 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3741
3742 /* Create a session based on SHA-256 */
7d7f6834 3743 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3744 TLS1_VERSION, 0,
7d7f6834 3745 &sctx, &cctx, cert, privkey))
f865b081
MC		 3746 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3747 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 3748 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3749 &clientssl, NULL, NULL))
3750 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3751 SSL_ERROR_NONE)))
3752 goto end;
3753
3754 clntsess = SSL_get1_session(clientssl);
3755 /* Save for later */
3756 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3757 SSL_shutdown(clientssl);
3758 SSL_shutdown(serverssl);
3759 SSL_free(serverssl);
3760 SSL_free(clientssl);
3761 serverssl = clientssl = NULL;
3762
71cff963 3763# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 3764 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 3765 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3766 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 3767 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3768 NULL, NULL))
3769 || !TEST_true(SSL_set_session(clientssl, clntsess))
3770 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3771 SSL_ERROR_NONE))
3772 || !TEST_true(SSL_session_reused(clientssl)))
3773 goto end;
3774
3775 SSL_SESSION_free(clntsess);
3776 clntsess = SSL_get1_session(clientssl);
3777 SSL_shutdown(clientssl);
3778 SSL_shutdown(serverssl);
3779 SSL_free(serverssl);
3780 SSL_free(clientssl);
3781 serverssl = clientssl = NULL;
71cff963 3782# endif
ca0413ae
MC		 3783
3784 /*
3785 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 3786 * succeeds but does not resume.
ca0413ae 3787 */
f865b081 3788 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3789 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3790 NULL, NULL))
3791 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 3792 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 3793 SSL_ERROR_SSL))
0de6d66d 3794 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 3795 goto end;
3796
3797 SSL_SESSION_free(clntsess);
3798 clntsess = NULL;
3799 SSL_shutdown(clientssl);
3800 SSL_shutdown(serverssl);
3801 SSL_free(serverssl);
3802 SSL_free(clientssl);
3803 serverssl = clientssl = NULL;
3804
3805 /* Create a session based on SHA384 */
f865b081 3806 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3807 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3808 &clientssl, NULL, NULL))
3809 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3810 SSL_ERROR_NONE)))
3811 goto end;
3812
3813 clntsess = SSL_get1_session(clientssl);
3814 SSL_shutdown(clientssl);
3815 SSL_shutdown(serverssl);
3816 SSL_free(serverssl);
3817 SSL_free(clientssl);
3818 serverssl = clientssl = NULL;
3819
f865b081
MC		 3820 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3821 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3822 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3823 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3824 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3825 NULL, NULL))
3826 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 3827 /*
3828 * We use SSL_ERROR_WANT_READ below so that we can pause the
3829 * connection after the initial ClientHello has been sent to
3830 * enable us to make some session changes.
3831 */
ca0413ae
MC		 3832 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3833 SSL_ERROR_WANT_READ)))
3834 goto end;
3835
3836 /* Trick the client into thinking this session is for a different digest */
3837 clntsess->cipher = aes_128_gcm_sha256;
3838 clntsess->cipher_id = clntsess->cipher->id;
3839
3840 /*
3b0e88d3
MC		 3841 * Continue the previously started connection. Server has selected a SHA-384
3842 * ciphersuite, but client thinks the session is for SHA-256, so it should
3843 * bail out.
ca0413ae
MC		 3844 */
3845 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3846 SSL_ERROR_SSL))
3847 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3848 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3849 goto end;
3850
3851 testresult = 1;
3852
3853 end:
3854 SSL_SESSION_free(clntsess);
3855 SSL_free(serverssl);
3856 SSL_free(clientssl);
3857 SSL_CTX_free(sctx);
3858 SSL_CTX_free(cctx);
3859
3860 return testresult;
3861}
3862
8e63900a 3863/*
5bf2eade 3864 * Test TLSv1.3 Key exchange
3865 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3866 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3867 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3868 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3869 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3870 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3871 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3872 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3873 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3874 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3875 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3876 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3877 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3878 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 3879 */
db26ec80 3880static int test_key_exchange(int idx)
8e63900a 3881{
3882 SSL_CTX *sctx = NULL, *cctx = NULL;
3883 SSL *serverssl = NULL, *clientssl = NULL;
3884 int testresult = 0;
5bf2eade 3885# ifndef OPENSSL_NO_EC
3886 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3887 NID_secp521r1, NID_X25519, NID_X448};
3888# endif
3889# ifndef OPENSSL_NO_DH
8e63900a 3890 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3891 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 3892# endif
fb8c6db4 3893 int kexch_alg;
3894 int *kexch_groups = &kexch_alg;
3895 int kexch_groups_size = 1;
8e63900a 3896 int max_version = TLS1_3_VERSION;
8e63900a 3897
3898 switch (idx) {
5bf2eade 3899# ifndef OPENSSL_NO_EC
db26ec80 3900# ifndef OPENSSL_NO_TLS1_2
5bf2eade 3901 case 12:
fb8c6db4 3902 max_version = TLS1_2_VERSION;
db26ec80 3903# endif
fb8c6db4 3904 /* Fall through */
3905 case 0:
3906 kexch_groups = ecdhe_kexch_groups;
3907 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3908 break;
5bf2eade 3909 case 1:
fb8c6db4 3910 kexch_alg = NID_X9_62_prime256v1;
3911 break;
5bf2eade 3912 case 2:
fb8c6db4 3913 kexch_alg = NID_secp384r1;
3914 break;
5bf2eade 3915 case 3:
fb8c6db4 3916 kexch_alg = NID_secp521r1;
3917 break;
5bf2eade 3918 case 4:
fb8c6db4 3919 kexch_alg = NID_X25519;
3920 break;
5bf2eade 3921 case 5:
fb8c6db4 3922 kexch_alg = NID_X448;
3923 break;
5bf2eade 3924# endif
3925# ifndef OPENSSL_NO_DH
db26ec80 3926# ifndef OPENSSL_NO_TLS1_2
5bf2eade 3927 case 13:
dbc6268f 3928 max_version = TLS1_2_VERSION;
db26ec80 3929# endif
dbc6268f 3930 /* Fall through */
5bf2eade 3931 case 6:
8e63900a 3932 kexch_groups = ffdhe_kexch_groups;
3933 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3934 break;
5bf2eade 3935 case 7:
fb8c6db4 3936 kexch_alg = NID_ffdhe2048;
3937 break;
5bf2eade 3938 case 8:
fb8c6db4 3939 kexch_alg = NID_ffdhe3072;
3940 break;
5bf2eade 3941 case 9:
fb8c6db4 3942 kexch_alg = NID_ffdhe4096;
3943 break;
5bf2eade 3944 case 10:
fb8c6db4 3945 kexch_alg = NID_ffdhe6144;
3946 break;
5bf2eade 3947 case 11:
fb8c6db4 3948 kexch_alg = NID_ffdhe8192;
8e63900a 3949 break;
5bf2eade 3950# endif
6597d62b
MC		 3951 default:
3952 /* We're skipping this test */
3953 return 1;
8e63900a 3954 }
3955
3956 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3957 TLS1_VERSION, max_version,
3958 &sctx, &cctx, cert, privkey)))
3959 goto end;
3960
5bf2eade 3961 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3962 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 3963 goto end;
3964
5bf2eade 3965 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3966 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 3967 goto end;
3968
5bf2eade 3969 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3970 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 3971 goto end;
3972
dbc6268f
MC		 3973 /*
3974 * Must include an EC ciphersuite so that we send supported groups in
3975 * TLSv1.2
3976 */
5bf2eade 3977# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 3978 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3979 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3980 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 3981 goto end;
5bf2eade 3982# endif
8e63900a 3983
3984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3985 NULL, NULL)))
3986 goto end;
3987
3988 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3989 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3990 goto end;
3991
5bf2eade 3992 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 3993 goto end;
8e63900a 3994
dbc6268f 3995 /*
5bf2eade 3996 * If Handshake succeeds the negotiated kexch alg should be the first one in
3997 * configured, except in the case of FFDHE groups (idx 13), which are
3998 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 3999 */
4000 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4001 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4002 goto end;
fb8c6db4 4003 if (max_version == TLS1_3_VERSION) {
4004 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4005 goto end;
4006 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4007 goto end;
4008 }
8e63900a 4009
4010 testresult = 1;
4011 end:
4012 SSL_free(serverssl);
4013 SSL_free(clientssl);
4014 SSL_CTX_free(sctx);
4015 SSL_CTX_free(cctx);
4016 return testresult;
4017}
4018
5bf2eade 4019/*
4020 * Test TLSv1.3 Cipher Suite
4021 * Test 0 = Set TLS1.3 cipher on context
4022 * Test 1 = Set TLS1.3 cipher on SSL
4023 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4024 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4025 */
4026static int test_tls13_ciphersuite(int idx)
4027{
4028 SSL_CTX *sctx = NULL, *cctx = NULL;
4029 SSL *serverssl = NULL, *clientssl = NULL;
4030 static const char *t13_ciphers[] = {
4031 TLS1_3_RFC_AES_128_GCM_SHA256,
4032 TLS1_3_RFC_AES_256_GCM_SHA384,
4033 TLS1_3_RFC_AES_128_CCM_SHA256,
4034# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4035 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4036 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4037# endif
4038 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
4039 };
4040 const char *t13_cipher = NULL;
4041 const char *t12_cipher = NULL;
4042 const char *negotiated_scipher;
4043 const char *negotiated_ccipher;
4044 int set_at_ctx = 0;
4045 int set_at_ssl = 0;
4046 int testresult = 0;
4047 int max_ver;
4048 size_t i;
4049
4050 switch (idx) {
4051 case 0:
4052 set_at_ctx = 1;
4053 break;
4054 case 1:
4055 set_at_ssl = 1;
4056 break;
4057 case 2:
4058 set_at_ctx = 1;
2d900758 4059 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4060 break;
4061 case 3:
4062 set_at_ssl = 1;
2d900758 4063 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4064 break;
4065 }
4066
4067 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4068# ifdef OPENSSL_NO_TLS1_2
4069 if (max_ver == TLS1_2_VERSION)
4070 continue;
4071# endif
4072 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4073 t13_cipher = t13_ciphers[i];
4074 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4075 TLS_client_method(),
4076 TLS1_VERSION, max_ver,
4077 &sctx, &cctx, cert, privkey)))
4078 goto end;
4079
4080 if (set_at_ctx) {
4081 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4082 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4083 goto end;
4084 if (t12_cipher != NULL) {
4085 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4086 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4087 t12_cipher)))
4088 goto end;
4089 }
4090 }
4091
4092 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4093 &clientssl, NULL, NULL)))
4094 goto end;
4095
4096 if (set_at_ssl) {
4097 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4098 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4099 goto end;
4100 if (t12_cipher != NULL) {
4101 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4102 || !TEST_true(SSL_set_cipher_list(clientssl,
4103 t12_cipher)))
4104 goto end;
4105 }
4106 }
4107
4108 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4109 SSL_ERROR_NONE)))
4110 goto end;
4111
4112 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4113 serverssl));
4114 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4115 clientssl));
4116 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4117 goto end;
4118
4119 /*
4120 * TEST_strn_eq is used below because t13_cipher can contain
4121 * multiple ciphersuites
4122 */
4123 if (max_ver == TLS1_3_VERSION
4124 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4125 strlen(negotiated_scipher)))
4126 goto end;
4127
4128# ifndef OPENSSL_NO_TLS1_2
4129 /* Below validation is not done when t12_cipher is NULL */
4130 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4131 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4132 goto end;
4133# endif
4134
4135 SSL_free(serverssl);
4136 serverssl = NULL;
4137 SSL_free(clientssl);
4138 clientssl = NULL;
4139 SSL_CTX_free(sctx);
4140 sctx = NULL;
4141 SSL_CTX_free(cctx);
4142 cctx = NULL;
4143 }
4144 }
4145
4146 testresult = 1;
4147 end:
4148 SSL_free(serverssl);
4149 SSL_free(clientssl);
4150 SSL_CTX_free(sctx);
4151 SSL_CTX_free(cctx);
4152 return testresult;
4153}
4154
0d8da779
MC		 4155/*
4156 * Test TLSv1.3 PSKs
4157 * Test 0 = Test new style callbacks
4158 * Test 1 = Test both new and old style callbacks
4159 * Test 2 = Test old style callbacks
4160 * Test 3 = Test old style callbacks with no certificate
4161 */
532f9578 4162static int test_tls13_psk(int idx)
ca8c71ba
MC		 4163{
4164 SSL_CTX *sctx = NULL, *cctx = NULL;
4165 SSL *serverssl = NULL, *clientssl = NULL;
4166 const SSL_CIPHER *cipher = NULL;
4167 const unsigned char key[] = {
4168 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4169 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4170 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4171 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4172 };
4173 int testresult = 0;
4174
7d7f6834 4175 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4176 TLS1_VERSION, 0,
0d8da779
MC		 4177 &sctx, &cctx, idx == 3 ? NULL : cert,
4178 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4179 goto end;
4180
0d8da779
MC		 4181 if (idx != 3) {
4182 /*
4183 * We use a ciphersuite with SHA256 to ease testing old style PSK
4184 * callbacks which will always default to SHA256. This should not be
4185 * necessary if we have no cert/priv key. In that case the server should
4186 * prefer SHA256 automatically.
4187 */
4188 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4189 "TLS_AES_128_GCM_SHA256")))
4190 goto end;
4191 }
532f9578
MC		 4192
4193 /*
4194 * Test 0: New style callbacks only
4195 * Test 1: New and old style callbacks (only the new ones should be used)
4196 * Test 2: Old style callbacks only
4197 */
4198 if (idx == 0 || idx == 1) {
4199 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4200 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4201 }
c2b290c3 4202#ifndef OPENSSL_NO_PSK
0d8da779 4203 if (idx >= 1) {
532f9578
MC		 4204 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4205 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4206 }
c2b290c3 4207#endif
ca8c71ba 4208 srvid = pskid;
02a3ed5a
MC		 4209 use_session_cb_cnt = 0;
4210 find_session_cb_cnt = 0;
532f9578
MC		 4211 psk_client_cb_cnt = 0;
4212 psk_server_cb_cnt = 0;
ca8c71ba 4213
0d8da779
MC		 4214 if (idx != 3) {
4215 /*
4216 * Check we can create a connection if callback decides not to send a
4217 * PSK
4218 */
4219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4220 NULL, NULL))
4221 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4222 SSL_ERROR_NONE))
4223 || !TEST_false(SSL_session_reused(clientssl))
4224 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4225 goto end;
532f9578 4226
0d8da779
MC		 4227 if (idx == 0 || idx == 1) {
4228 if (!TEST_true(use_session_cb_cnt == 1)
4229 || !TEST_true(find_session_cb_cnt == 0)
4230 /*
4231 * If no old style callback then below should be 0
4232 * otherwise 1
4233 */
4234 || !TEST_true(psk_client_cb_cnt == idx)
4235 || !TEST_true(psk_server_cb_cnt == 0))
4236 goto end;
4237 } else {
4238 if (!TEST_true(use_session_cb_cnt == 0)
4239 || !TEST_true(find_session_cb_cnt == 0)
4240 || !TEST_true(psk_client_cb_cnt == 1)
4241 || !TEST_true(psk_server_cb_cnt == 0))
4242 goto end;
4243 }
4244
4245 shutdown_ssl_connection(serverssl, clientssl);
4246 serverssl = clientssl = NULL;
4247 use_session_cb_cnt = psk_client_cb_cnt = 0;
4248 }
ca8c71ba
MC		 4249
4250 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4251 NULL, NULL)))
4252 goto end;
4253
4254 /* Create the PSK */
532f9578 4255 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4256 clientpsk = SSL_SESSION_new();
4257 if (!TEST_ptr(clientpsk)
ca8c71ba 4258 || !TEST_ptr(cipher)
57dee9bb
MC		 4259 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4260 sizeof(key)))
4261 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4262 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4263 TLS1_3_VERSION))
4264 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4265 goto end;
57dee9bb 4266 serverpsk = clientpsk;
ca8c71ba
MC		 4267
4268 /* Check we can create a connection and the PSK is used */
4269 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4270 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4271 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4272 goto end;
4273
532f9578
MC		 4274 if (idx == 0 || idx == 1) {
4275 if (!TEST_true(use_session_cb_cnt == 1)
4276 || !TEST_true(find_session_cb_cnt == 1)
4277 || !TEST_true(psk_client_cb_cnt == 0)
4278 || !TEST_true(psk_server_cb_cnt == 0))
4279 goto end;
4280 } else {
4281 if (!TEST_true(use_session_cb_cnt == 0)
4282 || !TEST_true(find_session_cb_cnt == 0)
4283 || !TEST_true(psk_client_cb_cnt == 1)
4284 || !TEST_true(psk_server_cb_cnt == 1))
4285 goto end;
4286 }
4287
ca8c71ba
MC		 4288 shutdown_ssl_connection(serverssl, clientssl);
4289 serverssl = clientssl = NULL;
4290 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4291 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4292
4293 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4294 NULL, NULL)))
4295 goto end;
4296
4297 /* Force an HRR */
dbc6268f
MC		 4298#if defined(OPENSSL_NO_EC)
4299 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4300 goto end;
4301#else
ca8c71ba
MC		 4302 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4303 goto end;
dbc6268f 4304#endif
ca8c71ba
MC		 4305
4306 /*
4307 * Check we can create a connection, the PSK is used and the callbacks are
4308 * called twice.
4309 */
4310 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4311 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4312 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4313 goto end;
4314
532f9578
MC		 4315 if (idx == 0 || idx == 1) {
4316 if (!TEST_true(use_session_cb_cnt == 2)
4317 || !TEST_true(find_session_cb_cnt == 2)
4318 || !TEST_true(psk_client_cb_cnt == 0)
4319 || !TEST_true(psk_server_cb_cnt == 0))
4320 goto end;
4321 } else {
4322 if (!TEST_true(use_session_cb_cnt == 0)
4323 || !TEST_true(find_session_cb_cnt == 0)
4324 || !TEST_true(psk_client_cb_cnt == 2)
4325 || !TEST_true(psk_server_cb_cnt == 2))
4326 goto end;
4327 }
4328
ca8c71ba
MC		 4329 shutdown_ssl_connection(serverssl, clientssl);
4330 serverssl = clientssl = NULL;
4331 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4332 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4333
0d8da779
MC		 4334 if (idx != 3) {
4335 /*
4336 * Check that if the server rejects the PSK we can still connect, but with
4337 * a full handshake
4338 */
4339 srvid = "Dummy Identity";
4340 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4341 NULL, NULL))
4342 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4343 SSL_ERROR_NONE))
4344 || !TEST_false(SSL_session_reused(clientssl))
4345 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4346 goto end;
532f9578 4347
0d8da779
MC		 4348 if (idx == 0 || idx == 1) {
4349 if (!TEST_true(use_session_cb_cnt == 1)
4350 || !TEST_true(find_session_cb_cnt == 1)
4351 || !TEST_true(psk_client_cb_cnt == 0)
4352 /*
4353 * If no old style callback then below should be 0
4354 * otherwise 1
4355 */
4356 || !TEST_true(psk_server_cb_cnt == idx))
4357 goto end;
4358 } else {
4359 if (!TEST_true(use_session_cb_cnt == 0)
4360 || !TEST_true(find_session_cb_cnt == 0)
4361 || !TEST_true(psk_client_cb_cnt == 1)
4362 || !TEST_true(psk_server_cb_cnt == 1))
4363 goto end;
4364 }
4365
4366 shutdown_ssl_connection(serverssl, clientssl);
4367 serverssl = clientssl = NULL;
4368 }
ca8c71ba
MC		 4369 testresult = 1;
4370
4371 end:
57dee9bb
MC		 4372 SSL_SESSION_free(clientpsk);
4373 SSL_SESSION_free(serverpsk);
4374 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4375 SSL_free(serverssl);
4376 SSL_free(clientssl);
4377 SSL_CTX_free(sctx);
4378 SSL_CTX_free(cctx);
4379 return testresult;
4380}
4381
c7b8ff25
MC		 4382static unsigned char cookie_magic_value[] = "cookie magic";
4383
4384static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4385 unsigned int *cookie_len)
4386{
4387 /*
4388 * Not suitable as a real cookie generation function but good enough for
4389 * testing!
4390 */
97ea1e7f
MC		 4391 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4392 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 4393
4394 return 1;
4395}
4396
4397static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4398 unsigned int cookie_len)
4399{
97ea1e7f 4400 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 4401 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4402 return 1;
4403
4404 return 0;
4405}
4406
3fa2812f
BS		 4407static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4408 size_t *cookie_len)
4409{
4410 unsigned int temp;
4411 int res = generate_cookie_callback(ssl, cookie, &temp);
4412 *cookie_len = temp;
4413 return res;
4414}
4415
4416static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4417 size_t cookie_len)
4418{
4419 return verify_cookie_callback(ssl, cookie, cookie_len);
4420}
4421
c7b8ff25
MC		 4422static int test_stateless(void)
4423{
4424 SSL_CTX *sctx = NULL, *cctx = NULL;
4425 SSL *serverssl = NULL, *clientssl = NULL;
4426 int testresult = 0;
4427
7d7f6834 4428 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4429 TLS1_VERSION, 0,
7d7f6834 4430 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 4431 goto end;
4432
e440f513
MC		 4433 /* The arrival of CCS messages can confuse the test */
4434 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4435
4436 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4437 NULL, NULL))
4438 /* Send the first ClientHello */
4439 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4440 SSL_ERROR_WANT_READ))
4441 /*
4442 * This should fail with a -1 return because we have no callbacks
4443 * set up
4444 */
4445 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4446 goto end;
4447
4448 /* Fatal error so abandon the connection from this client */
4449 SSL_free(clientssl);
4450 clientssl = NULL;
4451
c7b8ff25 4452 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 4453 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4454 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 4455
e440f513
MC		 4456 /*
4457 * Create a new connection from the client (we can reuse the server SSL
4458 * object).
4459 */
c7b8ff25
MC		 4460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4461 NULL, NULL))
4462 /* Send the first ClientHello */
4463 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4464 SSL_ERROR_WANT_READ))
4465 /* This should fail because there is no cookie */
e440f513 4466 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 4467 goto end;
4468
4469 /* Abandon the connection from this client */
4470 SSL_free(clientssl);
4471 clientssl = NULL;
4472
4473 /*
4474 * Now create a connection from a new client but with the same server SSL
4475 * object
4476 */
4477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4478 NULL, NULL))
4479 /* Send the first ClientHello */
4480 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4481 SSL_ERROR_WANT_READ))
4482 /* This should fail because there is no cookie */
e440f513 4483 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 4484 /* Send the second ClientHello */
4485 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4486 SSL_ERROR_WANT_READ))
4487 /* This should succeed because a cookie is now present */
e440f513 4488 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 4489 /* Complete the connection */
4490 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4491 SSL_ERROR_NONE)))
4492 goto end;
4493
4494 shutdown_ssl_connection(serverssl, clientssl);
4495 serverssl = clientssl = NULL;
4496 testresult = 1;
4497
4498 end:
4499 SSL_free(serverssl);
4500 SSL_free(clientssl);
4501 SSL_CTX_free(sctx);
4502 SSL_CTX_free(cctx);
4503 return testresult;
4504
4505}
ca0413ae 4506#endif /* OPENSSL_NO_TLS1_3 */
5f982038 4507
a37008d9
MC		 4508static int clntaddoldcb = 0;
4509static int clntparseoldcb = 0;
4510static int srvaddoldcb = 0;
4511static int srvparseoldcb = 0;
4512static int clntaddnewcb = 0;
4513static int clntparsenewcb = 0;
4514static int srvaddnewcb = 0;
4515static int srvparsenewcb = 0;
bb01ef3f 4516static int snicb = 0;
a37008d9
MC		 4517
4518#define TEST_EXT_TYPE1 0xff00
4519
4520static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4521 size_t *outlen, int *al, void *add_arg)
4522{
4523 int *server = (int *)add_arg;
4524 unsigned char *data;
4525
4526 if (SSL_is_server(s))
4527 srvaddoldcb++;
4528 else
4529 clntaddoldcb++;
4530
710756a9
RS		 4531 if (*server != SSL_is_server(s)
4532 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4533 return -1;
4534
4535 *data = 1;
4536 *out = data;
4537 *outlen = sizeof(char);
a37008d9
MC		 4538 return 1;
4539}
4540
4541static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4542 void *add_arg)
4543{
4544 OPENSSL_free((unsigned char *)out);
4545}
4546
4547static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4548 size_t inlen, int *al, void *parse_arg)
4549{
4550 int *server = (int *)parse_arg;
4551
4552 if (SSL_is_server(s))
4553 srvparseoldcb++;
4554 else
4555 clntparseoldcb++;
4556
710756a9
RS		 4557 if (*server != SSL_is_server(s)
4558 || inlen != sizeof(char)
4559 || *in != 1)
a37008d9
MC		 4560 return -1;
4561
4562 return 1;
4563}
4564
4565static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4566 const unsigned char **out, size_t *outlen, X509 *x,
4567 size_t chainidx, int *al, void *add_arg)
4568{
4569 int *server = (int *)add_arg;
4570 unsigned char *data;
4571
4572 if (SSL_is_server(s))
4573 srvaddnewcb++;
4574 else
4575 clntaddnewcb++;
4576
710756a9
RS		 4577 if (*server != SSL_is_server(s)
4578 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4579 return -1;
4580
4581 *data = 1;
4582 *out = data;
710756a9 4583 *outlen = sizeof(*data);
a37008d9
MC		 4584 return 1;
4585}
4586
4587static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4588 const unsigned char *out, void *add_arg)
4589{
4590 OPENSSL_free((unsigned char *)out);
4591}
4592
4593static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4594 const unsigned char *in, size_t inlen, X509 *x,
4595 size_t chainidx, int *al, void *parse_arg)
4596{
4597 int *server = (int *)parse_arg;
4598
4599 if (SSL_is_server(s))
4600 srvparsenewcb++;
4601 else
4602 clntparsenewcb++;
4603
710756a9
RS		 4604 if (*server != SSL_is_server(s)
4605 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 4606 return -1;
4607
4608 return 1;
4609}
bb01ef3f
MC		 4610
4611static int sni_cb(SSL *s, int *al, void *arg)
4612{
4613 SSL_CTX *ctx = (SSL_CTX *)arg;
4614
4615 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4616 *al = SSL_AD_INTERNAL_ERROR;
4617 return SSL_TLSEXT_ERR_ALERT_FATAL;
4618 }
4619 snicb++;
4620 return SSL_TLSEXT_ERR_OK;
4621}
4622
a37008d9
MC		 4623/*
4624 * Custom call back tests.
4625 * Test 0: Old style callbacks in TLSv1.2
4626 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 4627 * Test 2: New style callbacks in TLSv1.2 with SNI
4628 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4629 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 4630 */
710756a9
RS		 4631static int test_custom_exts(int tst)
4632{
bb01ef3f 4633 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 4634 SSL *clientssl = NULL, *serverssl = NULL;
4635 int testresult = 0;
4636 static int server = 1;
4637 static int client = 0;
4638 SSL_SESSION *sess = NULL;
4639 unsigned int context;
4640
c423ecaa
MC		 4641#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4642 /* Skip tests for TLSv1.2 and below in this case */
4643 if (tst < 3)
4644 return 1;
4645#endif
4646
a37008d9
MC		 4647 /* Reset callback counters */
4648 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4649 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 4650 snicb = 0;
a37008d9 4651
7d7f6834 4652 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4653 TLS1_VERSION, 0,
7d7f6834 4654 &sctx, &cctx, cert, privkey)))
710756a9 4655 goto end;
a37008d9 4656
bb01ef3f 4657 if (tst == 2
7d7f6834 4658 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
5c587fb6 4659 TLS1_VERSION, 0,
7d7f6834 4660 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 4661 goto end;
4662
4663
4664 if (tst < 3) {
a37008d9
MC		 4665 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4666 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 4667 if (sctx2 != NULL)
4668 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 4669 }
4670
bb01ef3f 4671 if (tst == 4) {
710756a9
RS		 4672 context = SSL_EXT_CLIENT_HELLO
4673 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 4674 | SSL_EXT_TLS1_3_SERVER_HELLO
4675 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4676 | SSL_EXT_TLS1_3_CERTIFICATE
4677 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4678 } else {
710756a9
RS		 4679 context = SSL_EXT_CLIENT_HELLO
4680 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 4681 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4682 }
4683
4684 /* Create a client side custom extension */
4685 if (tst == 0) {
710756a9
RS		 4686 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4687 old_add_cb, old_free_cb,
4688 &client, old_parse_cb,
4689 &client)))
4690 goto end;
a37008d9 4691 } else {
710756a9
RS		 4692 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4693 new_add_cb, new_free_cb,
4694 &client, new_parse_cb, &client)))
4695 goto end;
a37008d9
MC		 4696 }
4697
4698 /* Should not be able to add duplicates */
710756a9
RS		 4699 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4700 old_add_cb, old_free_cb,
4701 &client, old_parse_cb,
4702 &client))
4703 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4704 context, new_add_cb,
4705 new_free_cb, &client,
4706 new_parse_cb, &client)))
4707 goto end;
a37008d9
MC		 4708
4709 /* Create a server side custom extension */
4710 if (tst == 0) {
710756a9
RS		 4711 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4712 old_add_cb, old_free_cb,
4713 &server, old_parse_cb,
4714 &server)))
4715 goto end;
a37008d9 4716 } else {
710756a9
RS		 4717 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4718 new_add_cb, new_free_cb,
4719 &server, new_parse_cb, &server)))
4720 goto end;
bb01ef3f
MC		 4721 if (sctx2 != NULL
4722 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4723 context, new_add_cb,
4724 new_free_cb, &server,
4725 new_parse_cb, &server)))
4726 goto end;
a37008d9
MC		 4727 }
4728
4729 /* Should not be able to add duplicates */
710756a9
RS		 4730 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4731 old_add_cb, old_free_cb,
4732 &server, old_parse_cb,
4733 &server))
4734 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4735 context, new_add_cb,
4736 new_free_cb, &server,
4737 new_parse_cb, &server)))
a37008d9 4738 goto end;
a37008d9 4739
bb01ef3f
MC		 4740 if (tst == 2) {
4741 /* Set up SNI */
4742 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4743 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4744 goto end;
4745 }
4746
710756a9
RS		 4747 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4748 &clientssl, NULL, NULL))
4749 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4750 SSL_ERROR_NONE)))
a37008d9 4751 goto end;
a37008d9
MC		 4752
4753 if (tst == 0) {
710756a9
RS		 4754 if (clntaddoldcb != 1
4755 || clntparseoldcb != 1
4756 || srvaddoldcb != 1
4757 || srvparseoldcb != 1)
a37008d9 4758 goto end;
bb01ef3f 4759 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4760 if (clntaddnewcb != 1
4761 || clntparsenewcb != 1
4762 || srvaddnewcb != 1
bb01ef3f
MC		 4763 || srvparsenewcb != 1
4764 || (tst != 2 && snicb != 0)
4765 || (tst == 2 && snicb != 1))
a37008d9 4766 goto end;
a37008d9 4767 } else {
36ff232c 4768 /* In this case there 2 NewSessionTicket messages created */
710756a9 4769 if (clntaddnewcb != 1
36ff232c
MC		 4770 || clntparsenewcb != 5
4771 || srvaddnewcb != 5
710756a9 4772 || srvparsenewcb != 1)
a37008d9 4773 goto end;
a37008d9
MC		 4774 }
4775
4776 sess = SSL_get1_session(clientssl);
a37008d9
MC		 4777 SSL_shutdown(clientssl);
4778 SSL_shutdown(serverssl);
a37008d9
MC		 4779 SSL_free(serverssl);
4780 SSL_free(clientssl);
4781 serverssl = clientssl = NULL;
4782
bb01ef3f
MC		 4783 if (tst == 3) {
4784 /* We don't bother with the resumption aspects for this test */
4785 testresult = 1;
4786 goto end;
4787 }
4788
710756a9
RS		 4789 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4790 NULL, NULL))
4791 || !TEST_true(SSL_set_session(clientssl, sess))
4792 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4793 SSL_ERROR_NONE)))
a37008d9 4794 goto end;
a37008d9
MC		 4795
4796 /*
4797 * For a resumed session we expect to add the ClientHello extension. For the
4798 * old style callbacks we ignore it on the server side because they set
4799 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4800 * them.
4801 */
4802 if (tst == 0) {
710756a9
RS		 4803 if (clntaddoldcb != 2
4804 || clntparseoldcb != 1
4805 || srvaddoldcb != 1
4806 || srvparseoldcb != 1)
a37008d9 4807 goto end;
bb01ef3f 4808 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4809 if (clntaddnewcb != 2
4810 || clntparsenewcb != 2
4811 || srvaddnewcb != 2
4812 || srvparsenewcb != 2)
a37008d9 4813 goto end;
a37008d9 4814 } else {
36ff232c
MC		 4815 /*
4816 * No Certificate message extensions in the resumption handshake,
4817 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4818 */
710756a9 4819 if (clntaddnewcb != 2
36ff232c
MC		 4820 || clntparsenewcb != 8
4821 || srvaddnewcb != 8
710756a9 4822 || srvparsenewcb != 2)
a37008d9 4823 goto end;
a37008d9
MC		 4824 }
4825
4826 testresult = 1;
4827
4828end:
4829 SSL_SESSION_free(sess);
4830 SSL_free(serverssl);
4831 SSL_free(clientssl);
bb01ef3f 4832 SSL_CTX_free(sctx2);
a37008d9
MC		 4833 SSL_CTX_free(sctx);
4834 SSL_CTX_free(cctx);
a37008d9
MC		 4835 return testresult;
4836}
4837
16afd71c
MC		 4838/*
4839 * Test loading of serverinfo data in various formats. test_sslmessages actually
4840 * tests to make sure the extensions appear in the handshake
4841 */
4842static int test_serverinfo(int tst)
4843{
4844 unsigned int version;
4845 unsigned char *sibuf;
4846 size_t sibuflen;
4847 int ret, expected, testresult = 0;
4848 SSL_CTX *ctx;
4849
4850 ctx = SSL_CTX_new(TLS_method());
4851 if (!TEST_ptr(ctx))
4852 goto end;
4853
4854 if ((tst & 0x01) == 0x01)
4855 version = SSL_SERVERINFOV2;
4856 else
4857 version = SSL_SERVERINFOV1;
4858
4859 if ((tst & 0x02) == 0x02) {
4860 sibuf = serverinfov2;
4861 sibuflen = sizeof(serverinfov2);
4862 expected = (version == SSL_SERVERINFOV2);
4863 } else {
4864 sibuf = serverinfov1;
4865 sibuflen = sizeof(serverinfov1);
4866 expected = (version == SSL_SERVERINFOV1);
4867 }
4868
4869 if ((tst & 0x04) == 0x04) {
4870 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4871 } else {
4872 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4873
4874 /*
4875 * The version variable is irrelevant in this case - it's what is in the
4876 * buffer that matters
4877 */
4878 if ((tst & 0x02) == 0x02)
4879 expected = 0;
4880 else
4881 expected = 1;
4882 }
4883
4884 if (!TEST_true(ret == expected))
4885 goto end;
4886
4887 testresult = 1;
4888
4889 end:
4890 SSL_CTX_free(ctx);
4891
4892 return testresult;
4893}
4894
2197d1df
MC		 4895/*
4896 * Test that SSL_export_keying_material() produces expected results. There are
4897 * no test vectors so all we do is test that both sides of the communication
4898 * produce the same results for different protocol versions.
4899 */
0fb2815b
MC		 4900#define SMALL_LABEL_LEN 10
4901#define LONG_LABEL_LEN 249
2197d1df
MC		 4902static int test_export_key_mat(int tst)
4903{
a599574b 4904 int testresult = 0;
2197d1df
MC		 4905 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4906 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 4907 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 4908 const unsigned char context[] = "context";
4909 const unsigned char *emptycontext = NULL;
4910 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4911 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 4912 size_t labellen;
a599574b
MC		 4913 const int protocols[] = {
4914 TLS1_VERSION,
4915 TLS1_1_VERSION,
4916 TLS1_2_VERSION,
0fb2815b
MC		 4917 TLS1_3_VERSION,
4918 TLS1_3_VERSION,
a599574b
MC		 4919 TLS1_3_VERSION
4920 };
2197d1df
MC		 4921
4922#ifdef OPENSSL_NO_TLS1
4923 if (tst == 0)
4924 return 1;
4925#endif
4926#ifdef OPENSSL_NO_TLS1_1
4927 if (tst == 1)
4928 return 1;
4929#endif
4930#ifdef OPENSSL_NO_TLS1_2
4931 if (tst == 2)
4932 return 1;
4933#endif
4934#ifdef OPENSSL_NO_TLS1_3
0fb2815b 4935 if (tst >= 3)
2197d1df
MC		 4936 return 1;
4937#endif
7d7f6834 4938 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4939 TLS1_VERSION, 0,
7d7f6834 4940 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 4941 goto end;
4942
a599574b
MC		 4943 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4944 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4945 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 4946
4947 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4948 NULL))
4949 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4950 SSL_ERROR_NONE)))
4951 goto end;
4952
0fb2815b
MC		 4953 if (tst == 5) {
4954 /*
4955 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4956 * go over that.
4957 */
4958 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4959 sizeof(ckeymat1), label,
4960 LONG_LABEL_LEN + 1, context,
4961 sizeof(context) - 1, 1), 0))
4962 goto end;
4963
4964 testresult = 1;
4965 goto end;
4966 } else if (tst == 4) {
4967 labellen = LONG_LABEL_LEN;
4968 } else {
4969 labellen = SMALL_LABEL_LEN;
4970 }
4971
2197d1df
MC		 4972 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4973 sizeof(ckeymat1), label,
0fb2815b 4974 labellen, context,
2197d1df
MC		 4975 sizeof(context) - 1, 1), 1)
4976 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4977 sizeof(ckeymat2), label,
0fb2815b 4978 labellen,
2197d1df
MC		 4979 emptycontext,
4980 0, 1), 1)
4981 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4982 sizeof(ckeymat3), label,
0fb2815b 4983 labellen,
2197d1df
MC		 4984 NULL, 0, 0), 1)
4985 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4986 sizeof(skeymat1), label,
0fb2815b 4987 labellen,
2197d1df
MC		 4988 context,
4989 sizeof(context) -1, 1),
4990 1)
4991 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4992 sizeof(skeymat2), label,
0fb2815b 4993 labellen,
2197d1df
MC		 4994 emptycontext,
4995 0, 1), 1)
4996 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4997 sizeof(skeymat3), label,
0fb2815b 4998 labellen,
2197d1df
MC		 4999 NULL, 0, 0), 1)
5000 /*
5001 * Check that both sides created the same key material with the
5002 * same context.
5003 */
5004 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5005 sizeof(skeymat1))
5006 /*
5007 * Check that both sides created the same key material with an
5008 * empty context.
5009 */
5010 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5011 sizeof(skeymat2))
5012 /*
5013 * Check that both sides created the same key material without a
5014 * context.
5015 */
5016 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5017 sizeof(skeymat3))
5018 /* Different contexts should produce different results */
5019 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5020 sizeof(ckeymat2)))
5021 goto end;
5022
5023 /*
5024 * Check that an empty context and no context produce different results in
5025 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5026 */
0fb2815b 5027 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5028 sizeof(ckeymat3)))
0fb2815b
MC		 5029 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5030 sizeof(ckeymat3))))
2197d1df
MC		 5031 goto end;
5032
5033 testresult = 1;
5034
5035 end:
5036 SSL_free(serverssl);
5037 SSL_free(clientssl);
5038 SSL_CTX_free(sctx2);
5039 SSL_CTX_free(sctx);
5040 SSL_CTX_free(cctx);
5041
5042 return testresult;
5043}
5044
b38ede80
TT		 5045#ifndef OPENSSL_NO_TLS1_3
5046/*
5047 * Test that SSL_export_keying_material_early() produces expected
5048 * results. There are no test vectors so all we do is test that both
5049 * sides of the communication produce the same results for different
5050 * protocol versions.
5051 */
5052static int test_export_key_mat_early(int idx)
5053{
5054 static const char label[] = "test label";
5055 static const unsigned char context[] = "context";
5056 int testresult = 0;
5057 SSL_CTX *cctx = NULL, *sctx = NULL;
5058 SSL *clientssl = NULL, *serverssl = NULL;
5059 SSL_SESSION *sess = NULL;
5060 const unsigned char *emptycontext = NULL;
5061 unsigned char ckeymat1[80], ckeymat2[80];
5062 unsigned char skeymat1[80], skeymat2[80];
5063 unsigned char buf[1];
5064 size_t readbytes, written;
5065
5066 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5067 &sess, idx)))
5068 goto end;
5069
5070 /* Here writing 0 length early data is enough. */
5071 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5072 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5073 &readbytes),
5074 SSL_READ_EARLY_DATA_ERROR)
5075 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5076 SSL_EARLY_DATA_ACCEPTED))
5077 goto end;
5078
5079 if (!TEST_int_eq(SSL_export_keying_material_early(
5080 clientssl, ckeymat1, sizeof(ckeymat1), label,
5081 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5082 || !TEST_int_eq(SSL_export_keying_material_early(
5083 clientssl, ckeymat2, sizeof(ckeymat2), label,
5084 sizeof(label) - 1, emptycontext, 0), 1)
5085 || !TEST_int_eq(SSL_export_keying_material_early(
5086 serverssl, skeymat1, sizeof(skeymat1), label,
5087 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5088 || !TEST_int_eq(SSL_export_keying_material_early(
5089 serverssl, skeymat2, sizeof(skeymat2), label,
5090 sizeof(label) - 1, emptycontext, 0), 1)
5091 /*
5092 * Check that both sides created the same key material with the
5093 * same context.
5094 */
5095 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5096 sizeof(skeymat1))
5097 /*
5098 * Check that both sides created the same key material with an
5099 * empty context.
5100 */
5101 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5102 sizeof(skeymat2))
5103 /* Different contexts should produce different results */
5104 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5105 sizeof(ckeymat2)))
5106 goto end;
5107
5108 testresult = 1;
5109
5110 end:
c20e3b28 5111 SSL_SESSION_free(sess);
b38ede80
TT		 5112 SSL_SESSION_free(clientpsk);
5113 SSL_SESSION_free(serverpsk);
34ff74eb 5114 clientpsk = serverpsk = NULL;
b38ede80
TT		 5115 SSL_free(serverssl);
5116 SSL_free(clientssl);
5117 SSL_CTX_free(sctx);
5118 SSL_CTX_free(cctx);
5119
5120 return testresult;
5121}
3409a5ff
MC		 5122
5123#define NUM_KEY_UPDATE_MESSAGES 40
5124/*
5125 * Test KeyUpdate.
5126 */
5127static int test_key_update(void)
5128{
5129 SSL_CTX *cctx = NULL, *sctx = NULL;
5130 SSL *clientssl = NULL, *serverssl = NULL;
5131 int testresult = 0, i, j;
5132 char buf[20];
5133 static char *mess = "A test message";
5134
5135 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5136 TLS_client_method(),
5137 TLS1_3_VERSION,
5138 0,
5139 &sctx, &cctx, cert, privkey))
5140 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5141 NULL, NULL))
5142 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5143 SSL_ERROR_NONE)))
5144 goto end;
5145
5146 for (j = 0; j < 2; j++) {
5147 /* Send lots of KeyUpdate messages */
5148 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5149 if (!TEST_true(SSL_key_update(clientssl,
5150 (j == 0)
5151 ? SSL_KEY_UPDATE_NOT_REQUESTED
5152 : SSL_KEY_UPDATE_REQUESTED))
5153 || !TEST_true(SSL_do_handshake(clientssl)))
5154 goto end;
5155 }
5156
5157 /* Check that sending and receiving app data is ok */
5158 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5159 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5160 strlen(mess)))
5161 goto end;
a77b4dba
MC		 5162
5163 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5164 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5165 strlen(mess)))
5166 goto end;
3409a5ff
MC		 5167 }
5168
5169 testresult = 1;
5170
5171 end:
5172 SSL_free(serverssl);
5173 SSL_free(clientssl);
5174 SSL_CTX_free(sctx);
5175 SSL_CTX_free(cctx);
5176
5177 return testresult;
5178}
a77b4dba
MC		 5179
5180/*
5181 * Test we can handle a KeyUpdate (update requested) message while write data
5182 * is pending.
5183 * Test 0: Client sends KeyUpdate while Server is writing
5184 * Test 1: Server sends KeyUpdate while Client is writing
5185 */
5186static int test_key_update_in_write(int tst)
5187{
5188 SSL_CTX *cctx = NULL, *sctx = NULL;
5189 SSL *clientssl = NULL, *serverssl = NULL;
5190 int testresult = 0;
5191 char buf[20];
5192 static char *mess = "A test message";
5193 BIO *bretry = BIO_new(bio_s_always_retry());
5194 BIO *tmp = NULL;
5195 SSL *peerupdate = NULL, *peerwrite = NULL;
5196
5197 if (!TEST_ptr(bretry)
5198 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5199 TLS_client_method(),
5200 TLS1_3_VERSION,
5201 0,
5202 &sctx, &cctx, cert, privkey))
5203 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5204 NULL, NULL))
5205 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5206 SSL_ERROR_NONE)))
5207 goto end;
5208
5209 peerupdate = tst == 0 ? clientssl : serverssl;
5210 peerwrite = tst == 0 ? serverssl : clientssl;
5211
5212 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5213 || !TEST_true(SSL_do_handshake(peerupdate)))
5214 goto end;
5215
5216 /* Swap the writing endpoint's write BIO to force a retry */
5217 tmp = SSL_get_wbio(peerwrite);
5218 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5219 tmp = NULL;
5220 goto end;
5221 }
5222 SSL_set0_wbio(peerwrite, bretry);
5223 bretry = NULL;
5224
5225 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5226 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5227 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5228 goto end;
5229
5230 /* Reinstate the original writing endpoint's write BIO */
5231 SSL_set0_wbio(peerwrite, tmp);
5232 tmp = NULL;
5233
5234 /* Now read some data - we will read the key update */
5235 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5236 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5237 goto end;
5238
5239 /*
5240 * Complete the write we started previously and read it from the other
5241 * endpoint
5242 */
5243 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5244 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5245 goto end;
5246
5247 /* Write more data to ensure we send the KeyUpdate message back */
5248 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5249 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5250 goto end;
5251
5252 testresult = 1;
5253
5254 end:
5255 SSL_free(serverssl);
5256 SSL_free(clientssl);
5257 SSL_CTX_free(sctx);
5258 SSL_CTX_free(cctx);
5259 BIO_free(bretry);
5260 BIO_free(tmp);
5261
5262 return testresult;
5263}
b38ede80
TT		 5264#endif /* OPENSSL_NO_TLS1_3 */
5265
e11b6aa4
MC		 5266static int test_ssl_clear(int idx)
5267{
5268 SSL_CTX *cctx = NULL, *sctx = NULL;
5269 SSL *clientssl = NULL, *serverssl = NULL;
5270 int testresult = 0;
5271
5272#ifdef OPENSSL_NO_TLS1_2
5273 if (idx == 1)
5274 return 1;
5275#endif
5276
5277 /* Create an initial connection */
7d7f6834 5278 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 5279 TLS1_VERSION, 0,
7d7f6834 5280 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5281 || (idx == 1
5282 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5283 TLS1_2_VERSION)))
5284 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5285 &clientssl, NULL, NULL))
5286 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5287 SSL_ERROR_NONE)))
5288 goto end;
5289
5290 SSL_shutdown(clientssl);
5291 SSL_shutdown(serverssl);
5292 SSL_free(serverssl);
5293 serverssl = NULL;
5294
5295 /* Clear clientssl - we're going to reuse the object */
5296 if (!TEST_true(SSL_clear(clientssl)))
5297 goto end;
5298
5299 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5300 NULL, NULL))
5301 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5302 SSL_ERROR_NONE))
5303 || !TEST_true(SSL_session_reused(clientssl)))
5304 goto end;
5305
5306 SSL_shutdown(clientssl);
5307 SSL_shutdown(serverssl);
5308
5309 testresult = 1;
5310
5311 end:
5312 SSL_free(serverssl);
5313 SSL_free(clientssl);
5314 SSL_CTX_free(sctx);
5315 SSL_CTX_free(cctx);
5316
5317 return testresult;
5318}
5319
cf72c757
F		 5320/* Parse CH and retrieve any MFL extension value if present */
5321static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5322{
5323 long len;
5324 unsigned char *data;
72962d02 5325 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5326 unsigned int MFL_code = 0, type = 0;
5327
5328 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5329 goto end;
5330
72962d02
P		 5331 memset(&pkt, 0, sizeof(pkt));
5332 memset(&pkt2, 0, sizeof(pkt2));
5333 memset(&pkt3, 0, sizeof(pkt3));
5334
cf72c757
F		 5335 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5336 /* Skip the record header */
5337 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5338 /* Skip the handshake message header */
5339 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5340 /* Skip client version and random */
5341 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5342 + SSL3_RANDOM_SIZE))
5343 /* Skip session id */
5344 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5345 /* Skip ciphers */
5346 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5347 /* Skip compression */
5348 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5349 /* Extensions len */
5350 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5351 goto end;
5352
5353 /* Loop through all extensions */
5354 while (PACKET_remaining(&pkt2)) {
5355 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5356 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5357 goto end;
5358
5359 if (type == TLSEXT_TYPE_max_fragment_length) {
5360 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5361 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5362 goto end;
5363
5364 *mfl_codemfl_code = MFL_code;
5365 return 1;
5366 }
5367 }
5368
5369 end:
5370 return 0;
5371}
5372
5373/* Maximum-Fragment-Length TLS extension mode to test */
5374static const unsigned char max_fragment_len_test[] = {
5375 TLSEXT_max_fragment_length_512,
5376 TLSEXT_max_fragment_length_1024,
5377 TLSEXT_max_fragment_length_2048,
5378 TLSEXT_max_fragment_length_4096
5379};
5380
5381static int test_max_fragment_len_ext(int idx_tst)
5382{
5383 SSL_CTX *ctx;
5384 SSL *con = NULL;
5385 int testresult = 0, MFL_mode = 0;
5386 BIO *rbio, *wbio;
5387
5388 ctx = SSL_CTX_new(TLS_method());
5389 if (!TEST_ptr(ctx))
5390 goto end;
5391
5392 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5393 ctx, max_fragment_len_test[idx_tst])))
5394 goto end;
5395
5396 con = SSL_new(ctx);
5397 if (!TEST_ptr(con))
5398 goto end;
5399
5400 rbio = BIO_new(BIO_s_mem());
5401 wbio = BIO_new(BIO_s_mem());
5402 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5403 BIO_free(rbio);
5404 BIO_free(wbio);
5405 goto end;
5406 }
5407
5408 SSL_set_bio(con, rbio, wbio);
5409 SSL_set_connect_state(con);
5410
5411 if (!TEST_int_le(SSL_connect(con), 0)) {
5412 /* This shouldn't succeed because we don't have a server! */
5413 goto end;
5414 }
5415
5416 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5417 /* no MFL in client hello */
5418 goto end;
5419 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5420 goto end;
5421
5422 testresult = 1;
5423
5424end:
5425 SSL_free(con);
5426 SSL_CTX_free(ctx);
5427
5428 return testresult;
5429}
5430
9d75dce3
TS		 5431#ifndef OPENSSL_NO_TLS1_3
5432static int test_pha_key_update(void)
5433{
5434 SSL_CTX *cctx = NULL, *sctx = NULL;
5435 SSL *clientssl = NULL, *serverssl = NULL;
5436 int testresult = 0;
5437
7d7f6834 5438 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 5439 TLS1_VERSION, 0,
9d75dce3
TS		 5440 &sctx, &cctx, cert, privkey)))
5441 return 0;
5442
5443 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5444 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5445 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5446 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5447 goto end;
5448
e97be718 5449 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 5450
5451 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5452 NULL, NULL)))
5453 goto end;
5454
9d75dce3
TS		 5455 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5456 SSL_ERROR_NONE)))
5457 goto end;
5458
5459 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5460 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5461 goto end;
5462
5463 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5464 goto end;
5465
5466 /* Start handshake on the server */
5467 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5468 goto end;
5469
5470 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5471 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5472 SSL_ERROR_NONE)))
5473 goto end;
5474
5475 SSL_shutdown(clientssl);
5476 SSL_shutdown(serverssl);
5477
5478 testresult = 1;
5479
5480 end:
5481 SSL_free(serverssl);
5482 SSL_free(clientssl);
5483 SSL_CTX_free(sctx);
5484 SSL_CTX_free(cctx);
5485 return testresult;
5486}
5487#endif
5488
76fd7a1d
MC		 5489#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5490
5491static SRP_VBASE *vbase = NULL;
5492
5493static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5494{
5495 int ret = SSL3_AL_FATAL;
5496 char *username;
5497 SRP_user_pwd *user = NULL;
5498
5499 username = SSL_get_srp_username(s);
5500 if (username == NULL) {
5501 *ad = SSL_AD_INTERNAL_ERROR;
5502 goto err;
5503 }
5504
5505 user = SRP_VBASE_get1_by_user(vbase, username);
5506 if (user == NULL) {
5507 *ad = SSL_AD_INTERNAL_ERROR;
5508 goto err;
5509 }
5510
5511 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5512 user->info) <= 0) {
5513 *ad = SSL_AD_INTERNAL_ERROR;
5514 goto err;
5515 }
5516
5517 ret = 0;
5518
5519 err:
5520 SRP_user_pwd_free(user);
5521 return ret;
5522}
5523
5524static int create_new_vfile(char *userid, char *password, const char *filename)
5525{
5526 char *gNid = NULL;
5527 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5528 TXT_DB *db = NULL;
5529 int ret = 0;
5530 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5531 size_t i;
5532
5533 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5534 goto end;
5535
5536 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5537 &row[DB_srpverifier], NULL, NULL);
5538 if (!TEST_ptr(gNid))
5539 goto end;
5540
5541 /*
5542 * The only way to create an empty TXT_DB is to provide a BIO with no data
5543 * in it!
5544 */
5545 db = TXT_DB_read(dummy, DB_NUMBER);
5546 if (!TEST_ptr(db))
5547 goto end;
5548
5549 out = BIO_new_file(filename, "w");
5550 if (!TEST_ptr(out))
5551 goto end;
5552
5553 row[DB_srpid] = OPENSSL_strdup(userid);
5554 row[DB_srptype] = OPENSSL_strdup("V");
5555 row[DB_srpgN] = OPENSSL_strdup(gNid);
5556
5557 if (!TEST_ptr(row[DB_srpid])
5558 || !TEST_ptr(row[DB_srptype])
5559 || !TEST_ptr(row[DB_srpgN])
5560 || !TEST_true(TXT_DB_insert(db, row)))
5561 goto end;
5562
5563 row = NULL;
5564
5565 if (!TXT_DB_write(out, db))
5566 goto end;
5567
5568 ret = 1;
5569 end:
5570 if (row != NULL) {
5571 for (i = 0; i < DB_NUMBER; i++)
5572 OPENSSL_free(row[i]);
5573 }
5574 OPENSSL_free(row);
5575 BIO_free(dummy);
5576 BIO_free(out);
5577 TXT_DB_free(db);
5578
5579 return ret;
5580}
5581
5582static int create_new_vbase(char *userid, char *password)
5583{
5584 BIGNUM *verifier = NULL, *salt = NULL;
5585 const SRP_gN *lgN = NULL;
5586 SRP_user_pwd *user_pwd = NULL;
5587 int ret = 0;
5588
5589 lgN = SRP_get_default_gN(NULL);
5590 if (!TEST_ptr(lgN))
5591 goto end;
5592
5593 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5594 lgN->N, lgN->g)))
5595 goto end;
5596
5597 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5598 if (!TEST_ptr(user_pwd))
5599 goto end;
5600
5601 user_pwd->N = lgN->N;
5602 user_pwd->g = lgN->g;
5603 user_pwd->id = OPENSSL_strdup(userid);
5604 if (!TEST_ptr(user_pwd->id))
5605 goto end;
5606
5607 user_pwd->v = verifier;
5608 user_pwd->s = salt;
5609 verifier = salt = NULL;
5610
5611 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5612 goto end;
5613 user_pwd = NULL;
5614
5615 ret = 1;
5616end:
5617 SRP_user_pwd_free(user_pwd);
5618 BN_free(salt);
5619 BN_free(verifier);
5620
5621 return ret;
5622}
5623
5624/*
5625 * SRP tests
5626 *
5627 * Test 0: Simple successful SRP connection, new vbase
5628 * Test 1: Connection failure due to bad password, new vbase
5629 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5630 * Test 3: Connection failure due to bad password, vbase loaded from existing
5631 * file
5632 * Test 4: Simple successful SRP connection, vbase loaded from new file
5633 * Test 5: Connection failure due to bad password, vbase loaded from new file
5634 */
5635static int test_srp(int tst)
5636{
5637 char *userid = "test", *password = "password", *tstsrpfile;
5638 SSL_CTX *cctx = NULL, *sctx = NULL;
5639 SSL *clientssl = NULL, *serverssl = NULL;
5640 int ret, testresult = 0;
5641
5642 vbase = SRP_VBASE_new(NULL);
5643 if (!TEST_ptr(vbase))
5644 goto end;
5645
5646 if (tst == 0 || tst == 1) {
5647 if (!TEST_true(create_new_vbase(userid, password)))
5648 goto end;
5649 } else {
5650 if (tst == 4 || tst == 5) {
5651 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5652 goto end;
5653 tstsrpfile = tmpfilename;
5654 } else {
5655 tstsrpfile = srpvfile;
5656 }
5657 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5658 goto end;
5659 }
5660
5661 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 5662 TLS1_VERSION, 0,
76fd7a1d
MC		 5663 &sctx, &cctx, cert, privkey)))
5664 goto end;
5665
5666 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5667 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5668 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5669 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5670 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5671 goto end;
5672
5673 if (tst % 2 == 1) {
5674 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5675 goto end;
5676 } else {
5677 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5678 goto end;
5679 }
5680
5681 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5682 NULL, NULL)))
5683 goto end;
5684
5685 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5686 if (ret) {
5687 if (!TEST_true(tst % 2 == 0))
5688 goto end;
5689 } else {
5690 if (!TEST_true(tst % 2 == 1))
5691 goto end;
5692 }
5693
5694 testresult = 1;
5695
5696 end:
5697 SRP_VBASE_free(vbase);
5698 vbase = NULL;
5699 SSL_free(serverssl);
5700 SSL_free(clientssl);
5701 SSL_CTX_free(sctx);
5702 SSL_CTX_free(cctx);
5703
5704 return testresult;
5705}
5706#endif
5707
5718fe45
MC		 5708static int info_cb_failed = 0;
5709static int info_cb_offset = 0;
5710static int info_cb_this_state = -1;
5711
5712static struct info_cb_states_st {
5713 int where;
5714 const char *statestr;
5715} info_cb_states[][60] = {
5716 {
5717 /* TLSv1.2 server followed by resumption */
5718 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5719 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5720 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5721 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5722 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5723 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5724 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5725 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5726 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5727 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5728 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5729 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5730 {SSL_CB_EXIT, NULL}, {0, NULL},
5731 }, {
5732 /* TLSv1.2 client followed by resumption */
5733 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5734 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5735 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5736 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5737 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5738 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5739 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5740 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5741 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5742 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5743 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5744 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5745 }, {
5746 /* TLSv1.3 server followed by resumption */
5747 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5748 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5749 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5750 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5751 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 5752 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5753 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5754 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5755 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5756 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5757 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5758 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5759 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5760 }, {
5761 /* TLSv1.3 client followed by resumption */
5762 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5763 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5764 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5765 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5766 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 5767 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5768 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5769 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 5770 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5771 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5772 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5773 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5774 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 5775 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5776 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5777 }, {
5778 /* TLSv1.3 server, early_data */
5779 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5780 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5781 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5782 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5783 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5784 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 5785 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 5786 {SSL_CB_EXIT, NULL}, {0, NULL},
5787 }, {
5788 /* TLSv1.3 client, early_data */
5789 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5790 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5791 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5792 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5793 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5794 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5795 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 5796 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5797 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5798 }, {
5799 {0, NULL},
5800 }
5801};
5802
5803static void sslapi_info_callback(const SSL *s, int where, int ret)
5804{
5805 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5806
5807 /* We do not ever expect a connection to fail in this test */
5808 if (!TEST_false(ret == 0)) {
5809 info_cb_failed = 1;
5810 return;
5811 }
5812
5813 /*
5814 * Do some sanity checks. We never expect these things to happen in this
5815 * test
5816 */
5817 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5818 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5819 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5820 info_cb_failed = 1;
5821 return;
5822 }
5823
5824 /* Now check we're in the right state */
5825 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5826 info_cb_failed = 1;
5827 return;
5828 }
5829 if ((where & SSL_CB_LOOP) != 0
5830 && !TEST_int_eq(strcmp(SSL_state_string(s),
5831 state[info_cb_this_state].statestr), 0)) {
5832 info_cb_failed = 1;
5833 return;
5834 }
033c181b 5835
4af5836b
MC		 5836 /*
5837 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5838 */
5839 if ((where & SSL_CB_HANDSHAKE_DONE)
5840 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 5841 info_cb_failed = 1;
5842 return;
5843 }
5718fe45
MC		 5844}
5845
5846/*
5847 * Test the info callback gets called when we expect it to.
5848 *
5849 * Test 0: TLSv1.2, server
5850 * Test 1: TLSv1.2, client
5851 * Test 2: TLSv1.3, server
5852 * Test 3: TLSv1.3, client
5853 * Test 4: TLSv1.3, server, early_data
5854 * Test 5: TLSv1.3, client, early_data
5855 */
5856static int test_info_callback(int tst)
5857{
5858 SSL_CTX *cctx = NULL, *sctx = NULL;
5859 SSL *clientssl = NULL, *serverssl = NULL;
5860 SSL_SESSION *clntsess = NULL;
5861 int testresult = 0;
5862 int tlsvers;
5863
5864 if (tst < 2) {
1aac20f5
MC		 5865/* We need either ECDHE or DHE for the TLSv1.2 test to work */
5866#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5867 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 5868 tlsvers = TLS1_2_VERSION;
5869#else
5870 return 1;
5871#endif
5872 } else {
5873#ifndef OPENSSL_NO_TLS1_3
5874 tlsvers = TLS1_3_VERSION;
5875#else
5876 return 1;
5877#endif
5878 }
5879
5880 /* Reset globals */
5881 info_cb_failed = 0;
5882 info_cb_this_state = -1;
5883 info_cb_offset = tst;
5884
6e07834c 5885#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 5886 if (tst >= 4) {
5887 SSL_SESSION *sess = NULL;
5888 size_t written, readbytes;
5889 unsigned char buf[80];
5890
5891 /* early_data tests */
5892 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5893 &serverssl, &sess, 0)))
5894 goto end;
5895
5896 /* We don't actually need this reference */
5897 SSL_SESSION_free(sess);
5898
5899 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5900 sslapi_info_callback);
5901
5902 /* Write and read some early data and then complete the connection */
5903 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5904 &written))
5905 || !TEST_size_t_eq(written, strlen(MSG1))
5906 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5907 sizeof(buf), &readbytes),
5908 SSL_READ_EARLY_DATA_SUCCESS)
5909 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5910 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5911 SSL_EARLY_DATA_ACCEPTED)
5912 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5913 SSL_ERROR_NONE))
5914 || !TEST_false(info_cb_failed))
5915 goto end;
5916
5917 testresult = 1;
5918 goto end;
5919 }
6e07834c 5920#endif
5718fe45
MC		 5921
5922 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5923 TLS_client_method(),
5924 tlsvers, tlsvers, &sctx, &cctx, cert,
5925 privkey)))
5926 goto end;
5927
5928 /*
5929 * For even numbered tests we check the server callbacks. For odd numbers we
5930 * check the client.
5931 */
5932 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5933 sslapi_info_callback);
5934
5935 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5936 &clientssl, NULL, NULL))
5937 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5938 SSL_ERROR_NONE))
5939 || !TEST_false(info_cb_failed))
5940 goto end;
5941
5942
5943
5944 clntsess = SSL_get1_session(clientssl);
5945 SSL_shutdown(clientssl);
5946 SSL_shutdown(serverssl);
5947 SSL_free(serverssl);
5948 SSL_free(clientssl);
5949 serverssl = clientssl = NULL;
5950
5951 /* Now do a resumption */
5952 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5953 NULL))
5954 || !TEST_true(SSL_set_session(clientssl, clntsess))
5955 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5956 SSL_ERROR_NONE))
5957 || !TEST_true(SSL_session_reused(clientssl))
5958 || !TEST_false(info_cb_failed))
5959 goto end;
5960
5961 testresult = 1;
5962
5963 end:
5964 SSL_free(serverssl);
5965 SSL_free(clientssl);
5966 SSL_SESSION_free(clntsess);
5967 SSL_CTX_free(sctx);
5968 SSL_CTX_free(cctx);
5969 return testresult;
5970}
5971
4a432af8
MC		 5972static int test_ssl_pending(int tst)
5973{
5974 SSL_CTX *cctx = NULL, *sctx = NULL;
5975 SSL *clientssl = NULL, *serverssl = NULL;
5976 int testresult = 0;
5977 char msg[] = "A test message";
5978 char buf[5];
5979 size_t written, readbytes;
5980
5981 if (tst == 0) {
5982 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5983 TLS_client_method(),
5c587fb6 5984 TLS1_VERSION, 0,
4a432af8
MC		 5985 &sctx, &cctx, cert, privkey)))
5986 goto end;
5987 } else {
5988#ifndef OPENSSL_NO_DTLS
5989 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5990 DTLS_client_method(),
5c587fb6 5991 DTLS1_VERSION, 0,
4a432af8
MC		 5992 &sctx, &cctx, cert, privkey)))
5993 goto end;
5994#else
5995 return 1;
5996#endif
5997 }
5998
5999 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6000 NULL, NULL))
6001 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6002 SSL_ERROR_NONE)))
6003 goto end;
6004
e8251092
MC		 6005 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6006 || !TEST_false(SSL_has_pending(clientssl))
6007 || !TEST_int_eq(SSL_pending(serverssl), 0)
6008 || !TEST_false(SSL_has_pending(serverssl))
6009 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6010 || !TEST_size_t_eq(written, sizeof(msg))
6011 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6012 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6013 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6014 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6015 goto end;
6016
6017 testresult = 1;
6018
6019 end:
6020 SSL_free(serverssl);
6021 SSL_free(clientssl);
6022 SSL_CTX_free(sctx);
6023 SSL_CTX_free(cctx);
6024
6025 return testresult;
6026}
6027
e401389a
MC		 6028static struct {
6029 unsigned int maxprot;
6030 const char *clntciphers;
6031 const char *clnttls13ciphers;
6032 const char *srvrciphers;
6033 const char *srvrtls13ciphers;
6034 const char *shared;
6035} shared_ciphers_data[] = {
60155b9a
MC		 6036/*
6037 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6038 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6039 */
6040#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6041 {
6042 TLS1_2_VERSION,
6043 "AES128-SHA:AES256-SHA",
6044 NULL,
6045 "AES256-SHA:DHE-RSA-AES128-SHA",
6046 NULL,
6047 "AES256-SHA"
6048 },
6049 {
6050 TLS1_2_VERSION,
6051 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6052 NULL,
6053 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6054 NULL,
6055 "AES128-SHA:AES256-SHA"
6056 },
6057 {
6058 TLS1_2_VERSION,
6059 "AES128-SHA:AES256-SHA",
6060 NULL,
6061 "AES128-SHA:DHE-RSA-AES128-SHA",
6062 NULL,
6063 "AES128-SHA"
6064 },
60155b9a
MC		 6065#endif
6066/*
6067 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6068 * enabled.
6069 */
6070#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6071 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 6072 {
6073 TLS1_3_VERSION,
6074 "AES128-SHA:AES256-SHA",
6075 NULL,
6076 "AES256-SHA:AES128-SHA256",
6077 NULL,
6078 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6079 "TLS_AES_128_GCM_SHA256:AES256-SHA"
6080 },
60155b9a
MC		 6081#endif
6082#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 6083 {
6084 TLS1_3_VERSION,
6085 "AES128-SHA",
6086 "TLS_AES_256_GCM_SHA384",
6087 "AES256-SHA",
6088 "TLS_AES_256_GCM_SHA384",
6089 "TLS_AES_256_GCM_SHA384"
6090 },
6091#endif
6092};
6093
6094static int test_ssl_get_shared_ciphers(int tst)
6095{
6096 SSL_CTX *cctx = NULL, *sctx = NULL;
6097 SSL *clientssl = NULL, *serverssl = NULL;
6098 int testresult = 0;
6099 char buf[1024];
6100
6101 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6102 TLS_client_method(),
6103 TLS1_VERSION,
6104 shared_ciphers_data[tst].maxprot,
6105 &sctx, &cctx, cert, privkey)))
6106 goto end;
6107
6108 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6109 shared_ciphers_data[tst].clntciphers))
6110 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6111 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6112 shared_ciphers_data[tst].clnttls13ciphers)))
6113 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6114 shared_ciphers_data[tst].srvrciphers))
6115 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6116 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6117 shared_ciphers_data[tst].srvrtls13ciphers))))
6118 goto end;
6119
6120
6121 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6122 NULL, NULL))
6123 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6124 SSL_ERROR_NONE)))
6125 goto end;
6126
6127 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6128 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6129 TEST_info("Shared ciphers are: %s\n", buf);
6130 goto end;
6131 }
6132
6133 testresult = 1;
6134
6135 end:
6136 SSL_free(serverssl);
6137 SSL_free(clientssl);
6138 SSL_CTX_free(sctx);
6139 SSL_CTX_free(cctx);
6140
6141 return testresult;
6142}
6143
d0191fe0 6144static const char *appdata = "Hello World";
61fb5923
MC		 6145static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6146static int tick_key_renew = 0;
6147static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6148
6149static int gen_tick_cb(SSL *s, void *arg)
6150{
6151 gen_tick_called = 1;
6152
6153 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6154 strlen(appdata));
6155}
6156
6157static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6158 const unsigned char *keyname,
6159 size_t keyname_length,
61fb5923
MC		 6160 SSL_TICKET_STATUS status,
6161 void *arg)
d0191fe0
MC		 6162{
6163 void *tickdata;
6164 size_t tickdlen;
6165
6166 dec_tick_called = 1;
6167
61fb5923
MC		 6168 if (status == SSL_TICKET_EMPTY)
6169 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6170
61fb5923
MC		 6171 if (!TEST_true(status == SSL_TICKET_SUCCESS
6172 || status == SSL_TICKET_SUCCESS_RENEW))
6173 return SSL_TICKET_RETURN_ABORT;
6174
6175 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6176 &tickdlen))
d0191fe0
MC		 6177 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6178 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6179 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6180
61fb5923
MC		 6181 if (tick_key_cb_called) {
6182 /* Don't change what the ticket key callback wanted to do */
6183 switch (status) {
6184 case SSL_TICKET_NO_DECRYPT:
6185 return SSL_TICKET_RETURN_IGNORE_RENEW;
6186
6187 case SSL_TICKET_SUCCESS:
6188 return SSL_TICKET_RETURN_USE;
d0191fe0 6189
61fb5923
MC		 6190 case SSL_TICKET_SUCCESS_RENEW:
6191 return SSL_TICKET_RETURN_USE_RENEW;
6192
6193 default:
6194 return SSL_TICKET_RETURN_ABORT;
6195 }
6196 }
6197 return tick_dec_ret;
6198
6199}
d0191fe0 6200
a76ce286 6201#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 6202static int tick_key_cb(SSL *s, unsigned char key_name[16],
6203 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6204 HMAC_CTX *hctx, int enc)
6205{
6206 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6207 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6208
61fb5923 6209 tick_key_cb_called = 1;
d0191fe0
MC		 6210 memset(iv, 0, AES_BLOCK_SIZE);
6211 memset(key_name, 0, 16);
6212 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6213 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
6214 EVP_sha256(), NULL))
6215 return -1;
6216
61fb5923 6217 return tick_key_renew ? 2 : 1;
d0191fe0 6218}
a76ce286
P		 6219#endif
6220
6221static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6222 unsigned char iv[EVP_MAX_IV_LENGTH],
6223 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6224{
6225 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6226 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6227 OSSL_PARAM params[3];
6228
6229 tick_key_cb_called = 1;
6230 memset(iv, 0, AES_BLOCK_SIZE);
6231 memset(key_name, 0, 16);
6232 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6233 "SHA256", 0);
6234 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6235 tick_hmac_key,
6236 sizeof(tick_hmac_key));
6237 params[2] = OSSL_PARAM_construct_end();
6238 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6239 || !EVP_MAC_CTX_set_params(hctx, params)
6240 || !EVP_MAC_init(hctx))
6241 return -1;
6242
6243 return tick_key_renew ? 2 : 1;
6244}
d0191fe0
MC		 6245
6246/*
6247 * Test the various ticket callbacks
61fb5923
MC		 6248 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6249 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6250 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6251 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6252 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6253 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6254 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6255 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 6256 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6257 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6258 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6259 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6260 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6261 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6262 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6263 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6264 */
6265static int test_ticket_callbacks(int tst)
6266{
6267 SSL_CTX *cctx = NULL, *sctx = NULL;
6268 SSL *clientssl = NULL, *serverssl = NULL;
6269 SSL_SESSION *clntsess = NULL;
6270 int testresult = 0;
6271
6272#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6273 if (tst % 2 == 0)
d0191fe0
MC		 6274 return 1;
6275#endif
6276#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 6277 if (tst % 2 == 1)
d0191fe0
MC		 6278 return 1;
6279#endif
a76ce286
P		 6280#ifdef OPENSSL_NO_DEPRECATED_3_0
6281 if (tst >= 8 && tst <= 11)
6282 return 1;
6283#endif
d0191fe0 6284
61fb5923 6285 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6286
6287 /* Which tests the ticket key callback should request renewal for */
a76ce286 6288 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 6289 tick_key_renew = 1;
d0191fe0 6290 else
61fb5923
MC		 6291 tick_key_renew = 0;
6292
6293 /* Which tests the decrypt ticket callback should request renewal for */
6294 switch (tst) {
6295 case 0:
6296 case 1:
6297 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6298 break;
6299
6300 case 2:
6301 case 3:
6302 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6303 break;
6304
6305 case 4:
6306 case 5:
6307 tick_dec_ret = SSL_TICKET_RETURN_USE;
6308 break;
6309
6310 case 6:
6311 case 7:
6312 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6313 break;
6314
6315 default:
6316 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6317 }
d0191fe0
MC		 6318
6319 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6320 TLS_client_method(),
6321 TLS1_VERSION,
61fb5923
MC		 6322 ((tst % 2) == 0) ? TLS1_2_VERSION
6323 : TLS1_3_VERSION,
d0191fe0
MC		 6324 &sctx, &cctx, cert, privkey)))
6325 goto end;
6326
61fb5923
MC		 6327 /*
6328 * We only want sessions to resume from tickets - not the session cache. So
6329 * switch the cache off.
6330 */
6331 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6332 goto end;
6333
d0191fe0
MC		 6334 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6335 NULL)))
6336 goto end;
6337
a76ce286
P		 6338 if (tst >= 12) {
6339 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6340 goto end;
6341#ifndef OPENSSL_NO_DEPRECATED_3_0
6342 } else if (tst >= 8) {
6343 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6344 goto end;
6345#endif
6346 }
d0191fe0
MC		 6347
6348 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6349 NULL, NULL))
6350 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6351 SSL_ERROR_NONE)))
6352 goto end;
6353
61fb5923
MC		 6354 /*
6355 * The decrypt ticket key callback in TLSv1.2 should be called even though
6356 * we have no ticket yet, because it gets called with a status of
6357 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6358 * actually send any ticket data). This does not happen in TLSv1.3 because
6359 * it is not valid to send empty ticket data in TLSv1.3.
6360 */
d0191fe0 6361 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 6362 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 6363 goto end;
6364
6365 gen_tick_called = dec_tick_called = 0;
6366
6367 clntsess = SSL_get1_session(clientssl);
6368 SSL_shutdown(clientssl);
6369 SSL_shutdown(serverssl);
6370 SSL_free(serverssl);
6371 SSL_free(clientssl);
6372 serverssl = clientssl = NULL;
6373
6374 /* Now do a resumption */
6375 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6376 NULL))
6377 || !TEST_true(SSL_set_session(clientssl, clntsess))
6378 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 6379 SSL_ERROR_NONE)))
d0191fe0
MC		 6380 goto end;
6381
61fb5923
MC		 6382 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6383 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6384 if (!TEST_false(SSL_session_reused(clientssl)))
6385 goto end;
6386 } else {
6387 if (!TEST_true(SSL_session_reused(clientssl)))
6388 goto end;
6389 }
6390
d0191fe0 6391 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 6392 (tick_key_renew
6393 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6394 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6395 ? 1 : 0)
d0191fe0
MC		 6396 || !TEST_int_eq(dec_tick_called, 1))
6397 goto end;
6398
6399 testresult = 1;
6400
6401 end:
6402 SSL_SESSION_free(clntsess);
6403 SSL_free(serverssl);
6404 SSL_free(clientssl);
6405 SSL_CTX_free(sctx);
6406 SSL_CTX_free(cctx);
6407
6408 return testresult;
6409}
6410
c748834f
MC		 6411/*
6412 * Test bi-directional shutdown.
6413 * Test 0: TLSv1.2
6414 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6415 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6416 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 6417 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6418 * sends key update, client reads it
57d7b988
MC		 6419 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6420 * sends CertificateRequest, client reads and ignores it
6421 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 6422 * doesn't read it
6423 */
6424static int test_shutdown(int tst)
6425{
6426 SSL_CTX *cctx = NULL, *sctx = NULL;
6427 SSL *clientssl = NULL, *serverssl = NULL;
6428 int testresult = 0;
6429 char msg[] = "A test message";
6430 char buf[80];
6431 size_t written, readbytes;
80eff008 6432 SSL_SESSION *sess;
c748834f
MC		 6433
6434#ifdef OPENSSL_NO_TLS1_2
a97d19f7 6435 if (tst <= 1)
c748834f
MC		 6436 return 1;
6437#endif
6438#ifdef OPENSSL_NO_TLS1_3
a97d19f7 6439 if (tst >= 2)
c748834f
MC		 6440 return 1;
6441#endif
6442
6443 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6444 TLS_client_method(),
6445 TLS1_VERSION,
6446 (tst <= 1) ? TLS1_2_VERSION
6447 : TLS1_3_VERSION,
57d7b988
MC		 6448 &sctx, &cctx, cert, privkey)))
6449 goto end;
6450
6451 if (tst == 5)
6452 SSL_CTX_set_post_handshake_auth(cctx, 1);
6453
6454 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 6455 NULL, NULL)))
6456 goto end;
6457
6458 if (tst == 3) {
6459 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 6460 SSL_ERROR_NONE, 1))
80eff008
KR		 6461 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6462 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 6463 goto end;
6464 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 6465 SSL_ERROR_NONE))
6466 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6467 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 6468 goto end;
6469 }
6470
6471 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6472 goto end;
6473
6474 if (tst >= 4) {
6475 /*
6476 * Reading on the server after the client has sent close_notify should
6477 * fail and provide SSL_ERROR_ZERO_RETURN
6478 */
6479 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6480 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6481 SSL_ERROR_ZERO_RETURN)
6482 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6483 SSL_RECEIVED_SHUTDOWN)
6484 /*
6485 * Even though we're shutdown on receive we should still be
6486 * able to write.
6487 */
80eff008
KR		 6488 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6489 goto end;
57d7b988
MC		 6490 if (tst == 4
6491 && !TEST_true(SSL_key_update(serverssl,
6492 SSL_KEY_UPDATE_REQUESTED)))
6493 goto end;
6494 if (tst == 5) {
6495 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6496 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6497 goto end;
6498 }
6499 if ((tst == 4 || tst == 5)
6500 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 6501 goto end;
6502 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 6503 goto end;
57d7b988 6504 if (tst == 4 || tst == 5) {
80eff008 6505 /* Should still be able to read data from server */
c748834f 6506 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 6507 &readbytes))
6508 || !TEST_size_t_eq(readbytes, sizeof(msg))
6509 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6510 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6511 &readbytes))
c748834f
MC		 6512 || !TEST_size_t_eq(readbytes, sizeof(msg))
6513 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6514 goto end;
6515 }
6516 }
6517
6518 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 6519 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 6520 goto end;
6521
6522 if (tst < 4) {
6523 /*
6524 * For these tests the client has sent close_notify but it has not yet
6525 * been received by the server. The server has not sent close_notify
6526 * yet.
6527 */
6528 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 6529 /*
6530 * Writing on the server after sending close_notify shouldn't
6531 * be possible.
6532 */
6533 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 6534 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 6535 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6536 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 6537 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6538 goto end;
57d7b988 6539 } else if (tst == 4 || tst == 5) {
c748834f
MC		 6540 /*
6541 * In this test the client has sent close_notify and it has been
6542 * received by the server which has responded with a close_notify. The
358ffa05 6543 * client needs to read the close_notify sent by the server.
c748834f 6544 */
80eff008
KR		 6545 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6546 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6547 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 6548 goto end;
358ffa05
MC		 6549 } else {
6550 /*
57d7b988 6551 * tst == 6
358ffa05
MC		 6552 *
6553 * The client has sent close_notify and is expecting a close_notify
6554 * back, but instead there is application data first. The shutdown
6555 * should fail with a fatal error.
6556 */
6557 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6558 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6559 goto end;
c748834f
MC		 6560 }
6561
6562 testresult = 1;
6563
6564 end:
6565 SSL_free(serverssl);
6566 SSL_free(clientssl);
6567 SSL_CTX_free(sctx);
6568 SSL_CTX_free(cctx);
6569
6570 return testresult;
6571}
6572
7f1d923a 6573#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 6574static int cert_cb_cnt;
6575
6576static int cert_cb(SSL *s, void *arg)
6577{
6578 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 6579 BIO *in = NULL;
6580 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 6581 X509 *x509 = NULL, *rootx = NULL;
6582 STACK_OF(X509) *chain = NULL;
6583 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6584 int ret = 0;
cd6fe29f
MC		 6585
6586 if (cert_cb_cnt == 0) {
6587 /* Suspend the handshake */
6588 cert_cb_cnt++;
6589 return -1;
6590 } else if (cert_cb_cnt == 1) {
6591 /*
6592 * Update the SSL_CTX, set the certificate and private key and then
6593 * continue the handshake normally.
6594 */
6595 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6596 return 0;
6597
6598 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6599 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6600 SSL_FILETYPE_PEM))
6601 || !TEST_true(SSL_check_private_key(s)))
6602 return 0;
6603 cert_cb_cnt++;
6604 return 1;
7cb8fb07
BK		 6605 } else if (cert_cb_cnt == 3) {
6606 int rv;
1a2a3a42
MC		 6607
6608 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6609 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6610 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6611 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6612 goto out;
6613 chain = sk_X509_new_null();
6614 if (!TEST_ptr(chain))
6615 goto out;
7cb8fb07 6616 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42
MC		 6617 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6618 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6619 || !TEST_true(sk_X509_push(chain, rootx)))
6620 goto out;
6621 rootx = NULL;
6622 BIO_free(in);
6623 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6624 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7cb8fb07
BK		 6625 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6626 goto out;
6627 BIO_free(in);
6628 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 6629 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7cb8fb07
BK		 6630 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6631 goto out;
1a2a3a42 6632 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 6633 /*
6634 * If the cert doesn't show as valid here (e.g., because we don't
6635 * have any shared sigalgs), then we will not set it, and there will
6636 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6637 * will cause tls_choose_sigalgs() to fail the connection.
6638 */
1a2a3a42
MC		 6639 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6640 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 6641 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6642 goto out;
6643 }
1a2a3a42
MC		 6644
6645 ret = 1;
cd6fe29f
MC		 6646 }
6647
6648 /* Abort the handshake */
7cb8fb07 6649 out:
1a2a3a42
MC		 6650 OPENSSL_free(ecdsacert);
6651 OPENSSL_free(ecdsakey);
6652 OPENSSL_free(rootfile);
7cb8fb07
BK		 6653 BIO_free(in);
6654 EVP_PKEY_free(pkey);
6655 X509_free(x509);
1a2a3a42
MC		 6656 X509_free(rootx);
6657 sk_X509_pop_free(chain, X509_free);
6658 return ret;
cd6fe29f
MC		 6659}
6660
6661/*
6662 * Test the certificate callback.
6663 * Test 0: Callback fails
6664 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6665 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 6666 * Test 3: Success - Call SSL_check_chain from the callback
6667 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6668 * chain
6669 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 6670 */
6671static int test_cert_cb_int(int prot, int tst)
6672{
6673 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6674 SSL *clientssl = NULL, *serverssl = NULL;
6675 int testresult = 0, ret;
6676
1a2a3a42
MC		 6677#ifdef OPENSSL_NO_EC
6678 /* We use an EC cert in these tests, so we skip in a no-ec build */
6679 if (tst >= 3)
6680 return 1;
6681#endif
6682
cd6fe29f
MC		 6683 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6684 TLS_client_method(),
6685 TLS1_VERSION,
6686 prot,
6687 &sctx, &cctx, NULL, NULL)))
6688 goto end;
6689
6690 if (tst == 0)
6691 cert_cb_cnt = -1;
1a2a3a42 6692 else if (tst >= 3)
7cb8fb07 6693 cert_cb_cnt = 3;
cd6fe29f
MC		 6694 else
6695 cert_cb_cnt = 0;
1a2a3a42 6696
cd6fe29f
MC		 6697 if (tst == 2)
6698 snictx = SSL_CTX_new(TLS_server_method());
6699 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6700
6701 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6702 NULL, NULL)))
6703 goto end;
6704
1a2a3a42
MC		 6705 if (tst == 4) {
6706 /*
6707 * We cause SSL_check_chain() to fail by specifying sig_algs that
6708 * the chain doesn't meet (the root uses an RSA cert)
6709 */
6710 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6711 "ecdsa_secp256r1_sha256")))
6712 goto end;
6713 } else if (tst == 5) {
6714 /*
6715 * We cause SSL_check_chain() to fail by specifying sig_algs that
6716 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6717 */
6718 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6719 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6720 goto end;
6721 }
6722
cd6fe29f 6723 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 6724 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 6725 || (tst > 0
6726 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 6727 goto end;
6728 }
6729
6730 testresult = 1;
6731
6732 end:
6733 SSL_free(serverssl);
6734 SSL_free(clientssl);
6735 SSL_CTX_free(sctx);
6736 SSL_CTX_free(cctx);
6737 SSL_CTX_free(snictx);
6738
6739 return testresult;
6740}
7f1d923a 6741#endif
cd6fe29f
MC		 6742
6743static int test_cert_cb(int tst)
6744{
6745 int testresult = 1;
6746
6747#ifndef OPENSSL_NO_TLS1_2
6748 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6749#endif
7f1d923a 6750#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 6751 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6752#endif
6753
6754 return testresult;
6755}
6756
6e46c065
MC		 6757static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6758{
6759 X509 *xcert, *peer;
6760 EVP_PKEY *privpkey;
6761 BIO *in = NULL;
6762
6763 /* Check that SSL_get_peer_certificate() returns something sensible */
6764 peer = SSL_get_peer_certificate(ssl);
6765 if (!TEST_ptr(peer))
6766 return 0;
6767 X509_free(peer);
6768
6769 in = BIO_new_file(cert, "r");
6770 if (!TEST_ptr(in))
6771 return 0;
6772
6773 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6774 BIO_free(in);
6775 if (!TEST_ptr(xcert))
6776 return 0;
6777
6778 in = BIO_new_file(privkey, "r");
6779 if (!TEST_ptr(in)) {
6780 X509_free(xcert);
6781 return 0;
6782 }
6783
6784 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6785 BIO_free(in);
6786 if (!TEST_ptr(privpkey)) {
6787 X509_free(xcert);
6788 return 0;
6789 }
6790
6791 *x509 = xcert;
6792 *pkey = privpkey;
6793
6794 return 1;
6795}
6796
6797static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6798{
6799 return 1;
6800}
6801
6802static int test_client_cert_cb(int tst)
6803{
6804 SSL_CTX *cctx = NULL, *sctx = NULL;
6805 SSL *clientssl = NULL, *serverssl = NULL;
6806 int testresult = 0;
6807
6808#ifdef OPENSSL_NO_TLS1_2
6809 if (tst == 0)
6810 return 1;
6811#endif
6812#ifdef OPENSSL_NO_TLS1_3
6813 if (tst == 1)
6814 return 1;
6815#endif
6816
6817 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6818 TLS_client_method(),
6819 TLS1_VERSION,
6820 tst == 0 ? TLS1_2_VERSION
6821 : TLS1_3_VERSION,
6822 &sctx, &cctx, cert, privkey)))
6823 goto end;
6824
6825 /*
6826 * Test that setting a client_cert_cb results in a client certificate being
6827 * sent.
6828 */
6829 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6830 SSL_CTX_set_verify(sctx,
6831 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6832 verify_cb);
fb8c8359
MC		 6833
6834 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6835 NULL, NULL))
6836 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6837 SSL_ERROR_NONE)))
6838 goto end;
6839
6840 testresult = 1;
6841
6842 end:
6843 SSL_free(serverssl);
6844 SSL_free(clientssl);
6845 SSL_CTX_free(sctx);
6846 SSL_CTX_free(cctx);
6847
6848 return testresult;
6849}
6850
6851#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6852/*
6853 * Test setting certificate authorities on both client and server.
6854 *
6855 * Test 0: SSL_CTX_set0_CA_list() only
6856 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6857 * Test 2: Only SSL_CTX_set_client_CA_list()
6858 */
6859static int test_ca_names_int(int prot, int tst)
6860{
6861 SSL_CTX *cctx = NULL, *sctx = NULL;
6862 SSL *clientssl = NULL, *serverssl = NULL;
6863 int testresult = 0;
6864 size_t i;
6865 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6866 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6867 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6868 const STACK_OF(X509_NAME) *sktmp = NULL;
6869
6870 for (i = 0; i < OSSL_NELEM(name); i++) {
6871 name[i] = X509_NAME_new();
6872 if (!TEST_ptr(name[i])
6873 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6874 MBSTRING_ASC,
6875 (unsigned char *)
6876 strnames[i],
6877 -1, -1, 0)))
6878 goto end;
6879 }
6880
6881 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6882 TLS_client_method(),
6883 TLS1_VERSION,
6884 prot,
6885 &sctx, &cctx, cert, privkey)))
6886 goto end;
6887
6888 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6889
6890 if (tst == 0 || tst == 1) {
6891 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6892 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6893 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6894 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6895 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6896 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6897 goto end;
6898
6899 SSL_CTX_set0_CA_list(sctx, sk1);
6900 SSL_CTX_set0_CA_list(cctx, sk2);
6901 sk1 = sk2 = NULL;
6902 }
6903 if (tst == 1 || tst == 2) {
6904 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6905 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6906 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6907 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6908 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6909 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6910 goto end;
6911
6912 SSL_CTX_set_client_CA_list(sctx, sk1);
6913 SSL_CTX_set_client_CA_list(cctx, sk2);
6914 sk1 = sk2 = NULL;
6915 }
6916
6e46c065
MC		 6917 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6918 NULL, NULL))
6919 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6920 SSL_ERROR_NONE)))
6921 goto end;
6922
fb8c8359
MC		 6923 /*
6924 * We only expect certificate authorities to have been sent to the server
6925 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6926 */
6927 sktmp = SSL_get0_peer_CA_list(serverssl);
6928 if (prot == TLS1_3_VERSION
6929 && (tst == 0 || tst == 1)) {
6930 if (!TEST_ptr(sktmp)
6931 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6932 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6933 name[0]), 0)
6934 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6935 name[1]), 0))
6936 goto end;
6937 } else if (!TEST_ptr_null(sktmp)) {
6938 goto end;
6939 }
6940
6941 /*
6942 * In all tests we expect certificate authorities to have been sent to the
6943 * client. However, SSL_set_client_CA_list() should override
6944 * SSL_set0_CA_list()
6945 */
6946 sktmp = SSL_get0_peer_CA_list(clientssl);
6947 if (!TEST_ptr(sktmp)
6948 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6949 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6950 name[tst == 0 ? 0 : 2]), 0)
6951 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6952 name[tst == 0 ? 1 : 3]), 0))
6953 goto end;
6954
6e46c065
MC		 6955 testresult = 1;
6956
6957 end:
6958 SSL_free(serverssl);
6959 SSL_free(clientssl);
6960 SSL_CTX_free(sctx);
6961 SSL_CTX_free(cctx);
fb8c8359
MC		 6962 for (i = 0; i < OSSL_NELEM(name); i++)
6963 X509_NAME_free(name[i]);
6964 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6965 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6966
6967 return testresult;
6968}
6969#endif
6970
6971static int test_ca_names(int tst)
6972{
6973 int testresult = 1;
6974
6975#ifndef OPENSSL_NO_TLS1_2
6976 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6977#endif
6978#ifndef OPENSSL_NO_TLS1_3
6979 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6980#endif
6e46c065
MC		 6981
6982 return testresult;
6983}
6984
0d2bfe52
SL		 6985#ifndef OPENSSL_NO_TLS1_2
6986static const char *multiblock_cipherlist_data[]=
6987{
6988 "AES128-SHA",
6989 "AES128-SHA256",
6990 "AES256-SHA",
6991 "AES256-SHA256",
6992};
6993
6994/* Reduce the fragment size - so the multiblock test buffer can be small */
6995# define MULTIBLOCK_FRAGSIZE 512
6996
6997static int test_multiblock_write(int test_index)
6998{
6999 static const char *fetchable_ciphers[]=
7000 {
7001 "AES-128-CBC-HMAC-SHA1",
7002 "AES-128-CBC-HMAC-SHA256",
7003 "AES-256-CBC-HMAC-SHA1",
7004 "AES-256-CBC-HMAC-SHA256"
7005 };
7006 const char *cipherlist = multiblock_cipherlist_data[test_index];
7007 const SSL_METHOD *smeth = TLS_server_method();
7008 const SSL_METHOD *cmeth = TLS_client_method();
7009 int min_version = TLS1_VERSION;
7010 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7011 SSL_CTX *cctx = NULL, *sctx = NULL;
7012 SSL *clientssl = NULL, *serverssl = NULL;
7013 int testresult = 0;
7014
7015 /*
7016 * Choose a buffer large enough to perform a multi-block operation
7017 * i.e: write_len >= 4 * frag_size
7018 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7019 */
7020 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7021 unsigned char buf[sizeof(msg)], *p = buf;
7022 size_t readbytes, written, len;
7023 EVP_CIPHER *ciph = NULL;
7024
7025 /*
7026 * Check if the cipher exists before attempting to use it since it only has
7027 * a hardware specific implementation.
7028 */
7029 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7030 if (ciph == NULL) {
7031 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7032 return 1;
7033 }
7034 EVP_CIPHER_free(ciph);
7035
7036 /* Set up a buffer with some data that will be sent to the client */
7037 RAND_bytes(msg, sizeof(msg));
7038
7039 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
7040 &sctx, &cctx, cert, privkey)))
7041 goto end;
7042
7043 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7044 goto end;
7045
7046 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7047 NULL, NULL)))
7048 goto end;
7049
7050 /* settings to force it to use AES-CBC-HMAC_SHA */
7051 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7052 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7053 goto end;
7054
7055 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7056 goto end;
7057
7058 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7059 || !TEST_size_t_eq(written, sizeof(msg)))
7060 goto end;
7061
7062 len = written;
7063 while (len > 0) {
7064 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7065 goto end;
7066 p += readbytes;
7067 len -= readbytes;
7068 }
7069 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7070 goto end;
7071
7072 testresult = 1;
7073end:
7074 SSL_free(serverssl);
7075 SSL_free(clientssl);
7076 SSL_CTX_free(sctx);
7077 SSL_CTX_free(cctx);
7078
7079 return testresult;
7080}
7081#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 7082
49ef3d07
MC		 7083/*
7084 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7085 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7086 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7087 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7088 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7089 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7090 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7091 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7092 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7093 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7094 */
7095static int test_servername(int tst)
7096{
7097 SSL_CTX *cctx = NULL, *sctx = NULL;
7098 SSL *clientssl = NULL, *serverssl = NULL;
7099 int testresult = 0;
7100 SSL_SESSION *sess = NULL;
7101 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7102
7103#ifdef OPENSSL_NO_TLS1_2
7104 if (tst <= 4)
7105 return 1;
7106#endif
7107#ifdef OPENSSL_NO_TLS1_3
7108 if (tst >= 5)
7109 return 1;
7110#endif
7111
7112 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
7113 TLS_client_method(),
7114 TLS1_VERSION,
7115 (tst <= 4) ? TLS1_2_VERSION
7116 : TLS1_3_VERSION,
7117 &sctx, &cctx, cert, privkey))
7118 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7119 NULL, NULL)))
7120 goto end;
7121
7122 if (tst != 1 && tst != 6) {
7123 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7124 hostname_cb)))
7125 goto end;
7126 }
7127
7128 if (tst != 3 && tst != 8) {
7129 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7130 goto end;
7131 sexpectedhost = cexpectedhost = "goodhost";
7132 }
7133
7134 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7135 goto end;
7136
7137 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7138 cexpectedhost)
7139 || !TEST_str_eq(SSL_get_servername(serverssl,
7140 TLSEXT_NAMETYPE_host_name),
7141 sexpectedhost))
7142 goto end;
7143
7144 /* Now repeat with a resumption handshake */
7145
7146 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7147 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7148 || !TEST_true(SSL_SESSION_is_resumable(sess))
7149 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7150 goto end;
7151
7152 SSL_free(clientssl);
7153 SSL_free(serverssl);
7154 clientssl = serverssl = NULL;
7155
7156 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7157 NULL)))
7158 goto end;
7159
7160 if (!TEST_true(SSL_set_session(clientssl, sess)))
7161 goto end;
7162
7163 sexpectedhost = cexpectedhost = "goodhost";
7164 if (tst == 2 || tst == 7) {
7165 /* Set an inconsistent hostname */
7166 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7167 goto end;
7168 /*
7169 * In TLSv1.2 we expect the hostname from the original handshake, in
7170 * TLSv1.3 we expect the hostname from this handshake
7171 */
7172 if (tst == 7)
7173 sexpectedhost = cexpectedhost = "altgoodhost";
7174
7175 if (!TEST_str_eq(SSL_get_servername(clientssl,
7176 TLSEXT_NAMETYPE_host_name),
7177 "altgoodhost"))
7178 goto end;
7179 } else if (tst == 4 || tst == 9) {
7180 /*
7181 * A TLSv1.3 session does not associate a session with a servername,
7182 * but a TLSv1.2 session does.
7183 */
7184 if (tst == 9)
7185 sexpectedhost = cexpectedhost = NULL;
7186
7187 if (!TEST_str_eq(SSL_get_servername(clientssl,
7188 TLSEXT_NAMETYPE_host_name),
7189 cexpectedhost))
7190 goto end;
7191 } else {
7192 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7193 goto end;
7194 /*
7195 * In a TLSv1.2 resumption where the hostname was not acknowledged
7196 * we expect the hostname on the server to be empty. On the client we
7197 * return what was requested in this case.
7198 *
7199 * Similarly if the client didn't set a hostname on an original TLSv1.2
7200 * session but is now, the server hostname will be empty, but the client
7201 * is as we set it.
7202 */
7203 if (tst == 1 || tst == 3)
7204 sexpectedhost = NULL;
7205
7206 if (!TEST_str_eq(SSL_get_servername(clientssl,
7207 TLSEXT_NAMETYPE_host_name),
7208 "goodhost"))
7209 goto end;
7210 }
7211
7212 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7213 goto end;
7214
7215 if (!TEST_true(SSL_session_reused(clientssl))
7216 || !TEST_true(SSL_session_reused(serverssl))
7217 || !TEST_str_eq(SSL_get_servername(clientssl,
7218 TLSEXT_NAMETYPE_host_name),
7219 cexpectedhost)
7220 || !TEST_str_eq(SSL_get_servername(serverssl,
7221 TLSEXT_NAMETYPE_host_name),
7222 sexpectedhost))
7223 goto end;
7224
7225 testresult = 1;
7226
7227 end:
7228 SSL_SESSION_free(sess);
7229 SSL_free(serverssl);
7230 SSL_free(clientssl);
7231 SSL_CTX_free(sctx);
7232 SSL_CTX_free(cctx);
7233
7234 return testresult;
7235}
7236
a43ce58f
SL		 7237OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
7238
ad887416 7239int setup_tests(void)
2cb4b5f6 7240{
8d242823
MC		 7241 if (!test_skip_common_options()) {
7242 TEST_error("Error parsing test options\n");
7243 return 0;
7244 }
7245
1a2a3a42
MC		 7246 if (!TEST_ptr(certsdir = test_get_argument(0))
7247 || !TEST_ptr(srpvfile = test_get_argument(1))
7248 || !TEST_ptr(tmpfilename = test_get_argument(2)))
710756a9 7249 return 0;
2cb4b5f6 7250
f297e4ec
RS		 7251 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7252#ifdef OPENSSL_NO_CRYPTO_MDEBUG
7253 TEST_error("not supported in this build");
7254 return 0;
7255#else
7256 int i, mcount, rcount, fcount;
7257
7258 for (i = 0; i < 4; i++)
7259 test_export_key_mat(i);
7260 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7261 test_printf_stdout("malloc %d realloc %d free %d\n",
7262 mcount, rcount, fcount);
7263 return 1;
7264#endif
7265 }
7266
1a2a3a42
MC		 7267 cert = test_mk_file_path(certsdir, "servercert.pem");
7268 if (cert == NULL)
7269 return 0;
7270
7271 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7272 if (privkey == NULL) {
7273 OPENSSL_free(cert);
7274 return 0;
7275 }
7276
5e9072ed
MC		 7277#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7278 && !defined(OPENSSL_NO_SOCK)
2fab79af
BP		 7279 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7280 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7281 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7282 ADD_TEST(test_ktls_client_no_txrx_server);
7283 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7284 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7285 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7286 ADD_TEST(test_ktls_client_no_rx_server);
7287 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7288 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7289 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7290 ADD_TEST(test_ktls_client_no_tx_server);
7291 ADD_TEST(test_ktls_no_txrx_client_server);
7292 ADD_TEST(test_ktls_no_rx_client_server);
7293 ADD_TEST(test_ktls_no_tx_client_server);
fe5d9450 7294 ADD_TEST(test_ktls_client_server);
7c3a7561 7295 ADD_TEST(test_ktls_sendfile);
fe5d9450 7296#endif
84d5549e 7297 ADD_TEST(test_large_message_tls);
7856332e 7298 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 7299#ifndef OPENSSL_NO_DTLS
84d5549e 7300 ADD_TEST(test_large_message_dtls);
55386bef 7301#endif
8f8c11d8 7302#ifndef OPENSSL_NO_OCSP
c887104f 7303 ADD_TEST(test_tlsext_status_type);
8f8c11d8 7304#endif
eaa776da
MC		 7305 ADD_TEST(test_session_with_only_int_cache);
7306 ADD_TEST(test_session_with_only_ext_cache);
7307 ADD_TEST(test_session_with_both_cache);
36ff232c 7308#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 7309 ADD_ALL_TESTS(test_stateful_tickets, 3);
7310 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 7311 ADD_TEST(test_psk_tickets);
36ff232c 7312#endif
7fb4c820 7313 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 7314 ADD_TEST(test_ssl_bio_pop_next_bio);
7315 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7316 ADD_TEST(test_ssl_bio_change_rbio);
7317 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 7318#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 7319 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 7320 ADD_TEST(test_keylog);
c423ecaa 7321#endif
6acdd3e5
CB		 7322#ifndef OPENSSL_NO_TLS1_3
7323 ADD_TEST(test_keylog_no_master_key);
7324#endif
e9ee6536 7325#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 7326 ADD_TEST(test_client_hello_cb);
088dfa13 7327 ADD_TEST(test_no_ems);
3cd14e5e 7328 ADD_TEST(test_ccs_change_cipher);
5f982038
MC		 7329#endif
7330#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 7331 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 7332 /*
7333 * We don't do replay tests for external PSK. Replay protection isn't used
7334 * in that scenario.
7335 */
7336 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 7337 ADD_ALL_TESTS(test_early_data_skip, 3);
7338 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 7339 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 7340 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 7341 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 7342 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 7343 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 7344# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 7345 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 7346# endif
e9ee6536 7347#endif
a273157a 7348#ifndef OPENSSL_NO_TLS1_3
034cb87b 7349 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 7350 ADD_TEST(test_ciphersuite_change);
5bf2eade 7351 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7352# ifdef OPENSSL_NO_PSK
c2b290c3 7353 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 7354# else
0d8da779 7355 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 7356# endif /* OPENSSL_NO_PSK */
7357# ifndef OPENSSL_NO_TLS1_2
7358 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 7359 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 7360# else
7361 /* Test with only TLSv1.3 versions */
7362 ADD_ALL_TESTS(test_key_exchange, 12);
7363# endif
bb01ef3f 7364 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 7365 ADD_TEST(test_stateless);
9d75dce3 7366 ADD_TEST(test_pha_key_update);
a273157a 7367#else
bb01ef3f 7368 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 7369#endif
16afd71c 7370 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 7371 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 7372#ifndef OPENSSL_NO_TLS1_3
7373 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 7374 ADD_TEST(test_key_update);
a77b4dba 7375 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 7376#endif
e11b6aa4 7377 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 7378 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 7379#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7380 ADD_ALL_TESTS(test_srp, 6);
7381#endif
5718fe45 7382 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 7383 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 7384 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 7385 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 7386 ADD_ALL_TESTS(test_shutdown, 7);
1a2a3a42 7387 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 7388 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 7389 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 7390#ifndef OPENSSL_NO_TLS1_2
7391 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7392#endif
49ef3d07 7393 ADD_ALL_TESTS(test_servername, 10);
ad887416
P		 7394 return 1;
7395}
2cb4b5f6 7396
ad887416
P		 7397void cleanup_tests(void)
7398{
1a2a3a42
MC		 7399 OPENSSL_free(cert);
7400 OPENSSL_free(privkey);
fa454945 7401 bio_s_mempacket_test_free();
a77b4dba 7402 bio_s_always_retry_free();
2cb4b5f6 7403}
A mirror of the official openssl repository