]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Process KeyUpdate and NewSessionTicket messages after a close_notify
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
76fd7a1d
MC		 17#include <openssl/srp.h>
18#include <openssl/txt_db.h>
d0191fe0 19#include <openssl/aes.h>
2cb4b5f6
MC		 20
21#include "ssltestlib.h"
c887104f 22#include "testutil.h"
f297e4ec 23#include "testutil/output.h"
176db6dc 24#include "internal/nelem.h"
ca0413ae 25#include "../ssl/ssl_locl.h"
2cb4b5f6 26
8614a4eb
MC		 27#ifndef OPENSSL_NO_TLS1_3
28
29static SSL_SESSION *clientpsk = NULL;
30static SSL_SESSION *serverpsk = NULL;
31static const char *pskid = "Identity";
32static const char *srvid;
33
34static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
35 size_t *idlen, SSL_SESSION **sess);
36static int find_session_cb(SSL *ssl, const unsigned char *identity,
37 size_t identity_len, SSL_SESSION **sess);
38
39static int use_session_cb_cnt = 0;
40static int find_session_cb_cnt = 0;
41
42static SSL_SESSION *create_a_psk(SSL *ssl);
43#endif
44
2cb4b5f6
MC		 45static char *cert = NULL;
46static char *privkey = NULL;
76fd7a1d
MC		 47static char *srpvfile = NULL;
48static char *tmpfilename = NULL;
2cb4b5f6 49
cffe973c 50#define LOG_BUFFER_SIZE 2048
6acdd3e5 51static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 52static size_t server_log_buffer_index = 0;
6acdd3e5 53static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 54static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 55static int error_writing_log = 0;
56
8f8c11d8 57#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 58static const unsigned char orespder[] = "Dummy OCSP Response";
59static int ocsp_server_called = 0;
60static int ocsp_client_called = 0;
61
62static int cdummyarg = 1;
63static X509 *ocspcert = NULL;
8f8c11d8 64#endif
ba881d3b 65
84d5549e 66#define NUM_EXTRA_CERTS 40
cf72c757 67#define CLIENT_VERSION_LEN 2
84d5549e 68
f1a5939f
CB		 69/*
70 * This structure is used to validate that the correct number of log messages
71 * of various types are emitted when emitting secret logs.
72 */
73struct sslapitest_log_counts {
74 unsigned int rsa_key_exchange_count;
75 unsigned int master_secret_count;
cffe973c 76 unsigned int client_early_secret_count;
f1a5939f
CB		 77 unsigned int client_handshake_secret_count;
78 unsigned int server_handshake_secret_count;
79 unsigned int client_application_secret_count;
80 unsigned int server_application_secret_count;
01a2a654 81 unsigned int early_exporter_secret_count;
6329ce8f 82 unsigned int exporter_secret_count;
f1a5939f
CB		 83};
84
16afd71c
MC		 85
86static unsigned char serverinfov1[] = {
87 0xff, 0xff, /* Dummy extension type */
88 0x00, 0x01, /* Extension length is 1 byte */
89 0xff /* Dummy extension data */
90};
91
92static unsigned char serverinfov2[] = {
93 0x00, 0x00, 0x00,
94 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
95 0xff, 0xff, /* Dummy extension type */
96 0x00, 0x01, /* Extension length is 1 byte */
97 0xff /* Dummy extension data */
98};
99
710756a9
RS		 100static void client_keylog_callback(const SSL *ssl, const char *line)
101{
6acdd3e5
CB		 102 int line_length = strlen(line);
103
104 /* If the log doesn't fit, error out. */
710756a9
RS		 105 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
106 TEST_info("Client log too full");
6acdd3e5
CB		 107 error_writing_log = 1;
108 return;
109 }
110
111 strcat(client_log_buffer, line);
112 client_log_buffer_index += line_length;
710756a9 113 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 114}
115
710756a9
RS		 116static void server_keylog_callback(const SSL *ssl, const char *line)
117{
6acdd3e5
CB		 118 int line_length = strlen(line);
119
120 /* If the log doesn't fit, error out. */
710756a9 121 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 122 TEST_info("Server log too full");
6acdd3e5
CB		 123 error_writing_log = 1;
124 return;
125 }
126
127 strcat(server_log_buffer, line);
128 server_log_buffer_index += line_length;
710756a9 129 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 130}
131
132static int compare_hex_encoded_buffer(const char *hex_encoded,
133 size_t hex_length,
134 const uint8_t *raw,
710756a9
RS		 135 size_t raw_length)
136{
137 size_t i, j;
138 char hexed[3];
6acdd3e5 139
710756a9 140 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 141 return 1;
6acdd3e5 142
710756a9 143 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 144 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 145 if (!TEST_int_eq(hexed[0], hex_encoded[j])
146 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 147 return 1;
6acdd3e5
CB		 148 }
149
150 return 0;
151}
152
153static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 154 const SSL_SESSION *session,
710756a9
RS		 155 struct sslapitest_log_counts *expected)
156{
6acdd3e5
CB		 157 char *token = NULL;
158 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
159 size_t client_random_size = SSL3_RANDOM_SIZE;
160 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
161 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 162 unsigned int rsa_key_exchange_count = 0;
163 unsigned int master_secret_count = 0;
cffe973c 164 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 165 unsigned int client_handshake_secret_count = 0;
166 unsigned int server_handshake_secret_count = 0;
167 unsigned int client_application_secret_count = 0;
168 unsigned int server_application_secret_count = 0;
01a2a654 169 unsigned int early_exporter_secret_count = 0;
6329ce8f 170 unsigned int exporter_secret_count = 0;
6acdd3e5 171
710756a9
RS		 172 for (token = strtok(buffer, " \n"); token != NULL;
173 token = strtok(NULL, " \n")) {
6acdd3e5 174 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 175 /*
176 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 177 * hex-encoded encrypted secret, then the hex-encoded pre-master
178 * secret.
179 */
710756a9 180 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 181 return 0;
710756a9 182 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 183 return 0;
710756a9 184 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 185 return 0;
f1a5939f
CB		 186 /*
187 * We can't sensibly check the log because the premaster secret is
188 * transient, and OpenSSL doesn't keep hold of it once the master
189 * secret is generated.
190 */
191 rsa_key_exchange_count++;
6acdd3e5 192 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 193 /*
194 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 195 * client random, then the hex-encoded master secret.
196 */
197 client_random_size = SSL_get_client_random(ssl,
198 actual_client_random,
199 SSL3_RANDOM_SIZE);
710756a9 200 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 201 return 0;
6acdd3e5 202
710756a9 203 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 204 return 0;
710756a9 205 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 206 return 0;
710756a9
RS		 207 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
208 actual_client_random,
209 client_random_size)))
f1a5939f 210 return 0;
6acdd3e5 211
710756a9 212 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 213 return 0;
6acdd3e5
CB		 214 master_key_size = SSL_SESSION_get_master_key(session,
215 actual_master_key,
216 master_key_size);
710756a9 217 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 218 return 0;
710756a9
RS		 219 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
220 actual_master_key,
221 master_key_size)))
f1a5939f 222 return 0;
f1a5939f 223 master_secret_count++;
cffe973c
PW		 224 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
225 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 226 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
227 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 228 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 229 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 230 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 231 /*
232 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
233 * client random, and then the hex-encoded secret. In this case,
234 * we treat all of these secrets identically and then just
235 * distinguish between them when counting what we saw.
236 */
cffe973c
PW		 237 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
238 client_early_secret_count++;
239 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 240 client_handshake_secret_count++;
241 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
242 server_handshake_secret_count++;
243 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
244 client_application_secret_count++;
245 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
246 server_application_secret_count++;
01a2a654
PW		 247 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
248 early_exporter_secret_count++;
6329ce8f
PW		 249 else if (strcmp(token, "EXPORTER_SECRET") == 0)
250 exporter_secret_count++;
f1a5939f
CB		 251
252 client_random_size = SSL_get_client_random(ssl,
253 actual_client_random,
254 SSL3_RANDOM_SIZE);
710756a9 255 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 256 return 0;
f1a5939f 257
710756a9 258 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 259 return 0;
710756a9 260 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 261 return 0;
710756a9
RS		 262 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
263 actual_client_random,
264 client_random_size)))
f1a5939f 265 return 0;
6acdd3e5 266
710756a9 267 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 268 return 0;
f1a5939f
CB		 269
270 /*
271 * TODO(TLS1.3): test that application traffic secrets are what
272 * we expect */
6acdd3e5 273 } else {
710756a9 274 TEST_info("Unexpected token %s\n", token);
f1a5939f 275 return 0;
6acdd3e5 276 }
6acdd3e5
CB		 277 }
278
710756a9
RS		 279 /* Got what we expected? */
280 if (!TEST_size_t_eq(rsa_key_exchange_count,
281 expected->rsa_key_exchange_count)
282 || !TEST_size_t_eq(master_secret_count,
283 expected->master_secret_count)
cffe973c
PW		 284 || !TEST_size_t_eq(client_early_secret_count,
285 expected->client_early_secret_count)
710756a9
RS		 286 || !TEST_size_t_eq(client_handshake_secret_count,
287 expected->client_handshake_secret_count)
288 || !TEST_size_t_eq(server_handshake_secret_count,
289 expected->server_handshake_secret_count)
290 || !TEST_size_t_eq(client_application_secret_count,
291 expected->client_application_secret_count)
292 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 293 expected->server_application_secret_count)
01a2a654
PW		 294 || !TEST_size_t_eq(early_exporter_secret_count,
295 expected->early_exporter_secret_count)
6329ce8f
PW		 296 || !TEST_size_t_eq(exporter_secret_count,
297 expected->exporter_secret_count))
710756a9
RS		 298 return 0;
299 return 1;
6acdd3e5
CB		 300}
301
c423ecaa 302#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 303static int test_keylog(void)
304{
6acdd3e5
CB		 305 SSL_CTX *cctx = NULL, *sctx = NULL;
306 SSL *clientssl = NULL, *serverssl = NULL;
307 int testresult = 0;
f1a5939f 308 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 309
310 /* Clean up logging space */
710756a9
RS		 311 memset(client_log_buffer, 0, sizeof(client_log_buffer));
312 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 313 client_log_buffer_index = 0;
314 server_log_buffer_index = 0;
315 error_writing_log = 0;
316
710756a9
RS		 317 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
318 TLS_client_method(),
7d7f6834 319 TLS1_VERSION, TLS_MAX_VERSION,
710756a9 320 &sctx, &cctx, cert, privkey)))
6acdd3e5 321 return 0;
6acdd3e5
CB		 322
323 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
324 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
325 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
326
f0deb4d3 327 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 328 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 329 goto end;
f0deb4d3 330
cf10df81
RS		 331 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
332 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 333 goto end;
6acdd3e5 334 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 335 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
336 == client_keylog_callback))
6acdd3e5 337 goto end;
710756a9 338 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 339 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
340 == server_keylog_callback))
6acdd3e5 341 goto end;
6acdd3e5 342
710756a9
RS		 343 /* Now do a handshake and check that the logs have been written to. */
344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
345 &clientssl, NULL, NULL))
346 || !TEST_true(create_ssl_connection(serverssl, clientssl,
347 SSL_ERROR_NONE))
348 || !TEST_false(error_writing_log)
349 || !TEST_int_gt(client_log_buffer_index, 0)
350 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 351 goto end;
6acdd3e5 352
f1a5939f
CB		 353 /*
354 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 355 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 356 * data we expect. For both client and server, we expect to see one master
357 * secret. The client should also see a RSA key exchange.
6acdd3e5 358 */
f1a5939f
CB		 359 expected.rsa_key_exchange_count = 1;
360 expected.master_secret_count = 1;
710756a9
RS		 361 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
362 SSL_get_session(clientssl), &expected)))
6acdd3e5 363 goto end;
f1a5939f
CB		 364
365 expected.rsa_key_exchange_count = 0;
710756a9
RS		 366 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
367 SSL_get_session(serverssl), &expected)))
6acdd3e5 368 goto end;
6acdd3e5
CB		 369
370 testresult = 1;
371
372end:
373 SSL_free(serverssl);
374 SSL_free(clientssl);
375 SSL_CTX_free(sctx);
376 SSL_CTX_free(cctx);
377
378 return testresult;
379}
c423ecaa 380#endif
6acdd3e5
CB		 381
382#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 383static int test_keylog_no_master_key(void)
384{
6acdd3e5
CB		 385 SSL_CTX *cctx = NULL, *sctx = NULL;
386 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 387 SSL_SESSION *sess = NULL;
6acdd3e5 388 int testresult = 0;
f1a5939f 389 struct sslapitest_log_counts expected = {0};
cffe973c
PW		 390 unsigned char buf[1];
391 size_t readbytes, written;
6acdd3e5
CB		 392
393 /* Clean up logging space */
710756a9
RS		 394 memset(client_log_buffer, 0, sizeof(client_log_buffer));
395 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 396 client_log_buffer_index = 0;
397 server_log_buffer_index = 0;
398 error_writing_log = 0;
399
7d7f6834
RL		 400 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
401 TLS1_VERSION, TLS_MAX_VERSION,
cffe973c
PW		 402 &sctx, &cctx, cert, privkey))
403 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 404 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 405 return 0;
6acdd3e5 406
cf10df81
RS		 407 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
408 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 409 goto end;
6acdd3e5
CB		 410
411 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 412 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
413 == client_keylog_callback))
6acdd3e5 414 goto end;
6acdd3e5 415
710756a9 416 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 417 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
418 == server_keylog_callback))
6acdd3e5 419 goto end;
6acdd3e5 420
710756a9
RS		 421 /* Now do a handshake and check that the logs have been written to. */
422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
423 &clientssl, NULL, NULL))
424 || !TEST_true(create_ssl_connection(serverssl, clientssl,
425 SSL_ERROR_NONE))
426 || !TEST_false(error_writing_log))
6acdd3e5 427 goto end;
6acdd3e5 428
f1a5939f
CB		 429 /*
430 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 431 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 432 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 433 */
f1a5939f
CB		 434 expected.client_handshake_secret_count = 1;
435 expected.server_handshake_secret_count = 1;
436 expected.client_application_secret_count = 1;
437 expected.server_application_secret_count = 1;
6329ce8f 438 expected.exporter_secret_count = 1;
710756a9
RS		 439 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
440 SSL_get_session(clientssl), &expected))
441 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
442 SSL_get_session(serverssl),
443 &expected)))
6acdd3e5 444 goto end;
6acdd3e5 445
cffe973c
PW		 446 /* Terminate old session and resume with early data. */
447 sess = SSL_get1_session(clientssl);
448 SSL_shutdown(clientssl);
449 SSL_shutdown(serverssl);
450 SSL_free(serverssl);
451 SSL_free(clientssl);
452 serverssl = clientssl = NULL;
453
454 /* Reset key log */
455 memset(client_log_buffer, 0, sizeof(client_log_buffer));
456 memset(server_log_buffer, 0, sizeof(server_log_buffer));
457 client_log_buffer_index = 0;
458 server_log_buffer_index = 0;
459
460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
461 &clientssl, NULL, NULL))
462 || !TEST_true(SSL_set_session(clientssl, sess))
463 /* Here writing 0 length early data is enough. */
464 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
465 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
466 &readbytes),
467 SSL_READ_EARLY_DATA_ERROR)
468 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
469 SSL_EARLY_DATA_ACCEPTED)
470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
471 SSL_ERROR_NONE))
472 || !TEST_true(SSL_session_reused(clientssl)))
473 goto end;
474
475 /* In addition to the previous entries, expect early secrets. */
476 expected.client_early_secret_count = 1;
01a2a654 477 expected.early_exporter_secret_count = 1;
cffe973c
PW		 478 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
479 SSL_get_session(clientssl), &expected))
480 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
481 SSL_get_session(serverssl),
482 &expected)))
483 goto end;
484
6acdd3e5
CB		 485 testresult = 1;
486
487end:
cffe973c 488 SSL_SESSION_free(sess);
6acdd3e5
CB		 489 SSL_free(serverssl);
490 SSL_free(clientssl);
491 SSL_CTX_free(sctx);
492 SSL_CTX_free(cctx);
493
494 return testresult;
495}
496#endif
497
e9ee6536 498#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 499static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 500{
501 int *ctr = arg;
502 const unsigned char *p;
8ea404fb 503 int *exts;
2afaee51
BK		 504 /* We only configure two ciphers, but the SCSV is added automatically. */
505#ifdef OPENSSL_NO_EC
506 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
507#else
508 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
509 0x2c, 0x00, 0xff};
510#endif
8ea404fb
BK		 511 const int expected_extensions[] = {
512#ifndef OPENSSL_NO_EC
513 11, 10,
514#endif
10ed1b72 515 35, 22, 23, 13};
2afaee51
BK		 516 size_t len;
517
518 /* Make sure we can defer processing and get called back. */
519 if ((*ctr)++ == 0)
f1b97da1 520 return SSL_CLIENT_HELLO_RETRY;
2afaee51 521
a9c0d8be 522 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 523 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 524 || !TEST_size_t_eq(
525 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 526 || !TEST_int_eq(*p, 0))
f1b97da1 527 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 528 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 529 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 530 if (len != OSSL_NELEM(expected_extensions) ||
531 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 532 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 533 OPENSSL_free(exts);
f1b97da1 534 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 535 }
536 OPENSSL_free(exts);
f1b97da1 537 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 538}
539
a9c0d8be 540static int test_client_hello_cb(void)
710756a9 541{
2afaee51
BK		 542 SSL_CTX *cctx = NULL, *sctx = NULL;
543 SSL *clientssl = NULL, *serverssl = NULL;
544 int testctr = 0, testresult = 0;
545
7d7f6834
RL		 546 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
547 TLS1_VERSION, TLS_MAX_VERSION,
548 &sctx, &cctx, cert, privkey)))
2afaee51 549 goto end;
a9c0d8be 550 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 551
2afaee51
BK		 552 /* The gimpy cipher list we configure can't do TLS 1.3. */
553 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 554
710756a9
RS		 555 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
556 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
557 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
558 &clientssl, NULL, NULL))
559 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 560 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 561 /*
562 * Passing a -1 literal is a hack since
563 * the real value was lost.
564 * */
a9c0d8be
DB		 565 || !TEST_int_eq(SSL_get_error(serverssl, -1),
566 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 567 || !TEST_true(create_ssl_connection(serverssl, clientssl,
568 SSL_ERROR_NONE)))
2afaee51 569 goto end;
2afaee51
BK		 570
571 testresult = 1;
572
573end:
574 SSL_free(serverssl);
575 SSL_free(clientssl);
576 SSL_CTX_free(sctx);
577 SSL_CTX_free(cctx);
578
579 return testresult;
580}
e9ee6536 581#endif
2afaee51 582
84d5549e 583static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 584 const SSL_METHOD *cmeth,
585 int min_version, int max_version,
586 int read_ahead)
84d5549e
MC		 587{
588 SSL_CTX *cctx = NULL, *sctx = NULL;
589 SSL *clientssl = NULL, *serverssl = NULL;
590 int testresult = 0;
591 int i;
710756a9 592 BIO *certbio = NULL;
84d5549e
MC		 593 X509 *chaincert = NULL;
594 int certlen;
595
710756a9 596 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 597 goto end;
84d5549e 598 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 599 BIO_free(certbio);
600 certbio = NULL;
710756a9 601 if (!TEST_ptr(chaincert))
fa454945 602 goto end;
84d5549e 603
7d7f6834
RL		 604 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
605 &sctx, &cctx, cert, privkey)))
84d5549e 606 goto end;
84d5549e 607
710756a9 608 if (read_ahead) {
7856332e
MC		 609 /*
610 * Test that read_ahead works correctly when dealing with large
611 * records
612 */
613 SSL_CTX_set_read_ahead(cctx, 1);
614 }
615
84d5549e
MC		 616 /*
617 * We assume the supplied certificate is big enough so that if we add
618 * NUM_EXTRA_CERTS it will make the overall message large enough. The
619 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 620 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
621 * test we need to have a message larger than that.
84d5549e
MC		 622 */
623 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 624 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
625 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 626 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 627 if (!X509_up_ref(chaincert))
84d5549e 628 goto end;
84d5549e 629 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 630 X509_free(chaincert);
631 goto end;
632 }
633 }
634
710756a9
RS		 635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
636 NULL, NULL))
637 || !TEST_true(create_ssl_connection(serverssl, clientssl,
638 SSL_ERROR_NONE)))
84d5549e 639 goto end;
84d5549e 640
4bf08600
MC		 641 /*
642 * Calling SSL_clear() first is not required but this tests that SSL_clear()
643 * doesn't leak (when using enable-crypto-mdebug).
644 */
710756a9 645 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 646 goto end;
84d5549e 647
4bf08600 648 testresult = 1;
84d5549e
MC		 649 end:
650 X509_free(chaincert);
651 SSL_free(serverssl);
652 SSL_free(clientssl);
653 SSL_CTX_free(sctx);
654 SSL_CTX_free(cctx);
655
656 return testresult;
657}
658
659static int test_large_message_tls(void)
660{
7856332e 661 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 662 TLS1_VERSION, TLS_MAX_VERSION,
7856332e
MC		 663 0);
664}
665
666static int test_large_message_tls_read_ahead(void)
667{
668 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 669 TLS1_VERSION, TLS_MAX_VERSION,
7856332e 670 1);
84d5549e
MC		 671}
672
55386bef 673#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 674static int test_large_message_dtls(void)
675{
7856332e
MC		 676 /*
677 * read_ahead is not relevant to DTLS because DTLS always acts as if
678 * read_ahead is set.
679 */
84d5549e 680 return execute_test_large_message(DTLS_server_method(),
7d7f6834
RL		 681 DTLS_client_method(),
682 DTLS1_VERSION, DTLS_MAX_VERSION,
683 0);
84d5549e 684}
55386bef 685#endif
84d5549e 686
8f8c11d8 687#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 688static int ocsp_server_cb(SSL *s, void *arg)
689{
690 int *argi = (int *)arg;
710756a9 691 unsigned char *copy = NULL;
ba881d3b
MC		 692 STACK_OF(OCSP_RESPID) *ids = NULL;
693 OCSP_RESPID *id = NULL;
694
695 if (*argi == 2) {
696 /* In this test we are expecting exactly 1 OCSP_RESPID */
697 SSL_get_tlsext_status_ids(s, &ids);
698 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
699 return SSL_TLSEXT_ERR_ALERT_FATAL;
700
701 id = sk_OCSP_RESPID_value(ids, 0);
702 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
703 return SSL_TLSEXT_ERR_ALERT_FATAL;
704 } else if (*argi != 1) {
705 return SSL_TLSEXT_ERR_ALERT_FATAL;
706 }
707
710756a9 708 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 709 return SSL_TLSEXT_ERR_ALERT_FATAL;
710
710756a9 711 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 712 ocsp_server_called = 1;
ba881d3b
MC		 713 return SSL_TLSEXT_ERR_OK;
714}
715
716static int ocsp_client_cb(SSL *s, void *arg)
717{
718 int *argi = (int *)arg;
719 const unsigned char *respderin;
720 size_t len;
721
722 if (*argi != 1 && *argi != 2)
723 return 0;
724
725 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 726 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 727 return 0;
728
729 ocsp_client_called = 1;
ba881d3b
MC		 730 return 1;
731}
732
2cb4b5f6
MC		 733static int test_tlsext_status_type(void)
734{
ba881d3b
MC		 735 SSL_CTX *cctx = NULL, *sctx = NULL;
736 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 737 int testresult = 0;
ba881d3b
MC		 738 STACK_OF(OCSP_RESPID) *ids = NULL;
739 OCSP_RESPID *id = NULL;
740 BIO *certbio = NULL;
2cb4b5f6 741
7d7f6834
RL		 742 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
743 TLS1_VERSION, TLS_MAX_VERSION,
744 &sctx, &cctx, cert, privkey))
ba881d3b 745 return 0;
2cb4b5f6 746
710756a9 747 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 748 goto end;
2cb4b5f6 749
ba881d3b 750 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 751
ba881d3b 752 clientssl = SSL_new(cctx);
710756a9
RS		 753 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
754 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
755 TLSEXT_STATUSTYPE_ocsp))
756 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
757 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 758 goto end;
2cb4b5f6 759
ba881d3b
MC		 760 SSL_free(clientssl);
761 clientssl = NULL;
2cb4b5f6 762
710756a9
RS		 763 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
764 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 765 goto end;
2cb4b5f6 766
ba881d3b 767 clientssl = SSL_new(cctx);
710756a9 768 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 769 goto end;
ba881d3b
MC		 770 SSL_free(clientssl);
771 clientssl = NULL;
772
773 /*
774 * Now actually do a handshake and check OCSP information is exchanged and
775 * the callbacks get called
776 */
ba881d3b
MC		 777 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
778 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
779 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
780 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 781 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
782 &clientssl, NULL, NULL))
783 || !TEST_true(create_ssl_connection(serverssl, clientssl,
784 SSL_ERROR_NONE))
785 || !TEST_true(ocsp_client_called)
786 || !TEST_true(ocsp_server_called))
ba881d3b 787 goto end;
ba881d3b
MC		 788 SSL_free(serverssl);
789 SSL_free(clientssl);
790 serverssl = NULL;
791 clientssl = NULL;
792
793 /* Try again but this time force the server side callback to fail */
794 ocsp_client_called = 0;
795 ocsp_server_called = 0;
796 cdummyarg = 0;
710756a9
RS		 797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
798 &clientssl, NULL, NULL))
799 /* This should fail because the callback will fail */
800 || !TEST_false(create_ssl_connection(serverssl, clientssl,
801 SSL_ERROR_NONE))
802 || !TEST_false(ocsp_client_called)
803 || !TEST_false(ocsp_server_called))
ba881d3b 804 goto end;
ba881d3b
MC		 805 SSL_free(serverssl);
806 SSL_free(clientssl);
807 serverssl = NULL;
808 clientssl = NULL;
809
810 /*
811 * This time we'll get the client to send an OCSP_RESPID that it will
812 * accept.
813 */
814 ocsp_client_called = 0;
815 ocsp_server_called = 0;
816 cdummyarg = 2;
710756a9
RS		 817 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
818 &clientssl, NULL, NULL)))
ba881d3b 819 goto end;
ba881d3b
MC		 820
821 /*
822 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 823 * specific one. We'll use the server cert.
ba881d3b 824 */
710756a9
RS		 825 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
826 || !TEST_ptr(id = OCSP_RESPID_new())
827 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
828 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
829 NULL, NULL, NULL))
830 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
831 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 832 goto end;
ba881d3b
MC		 833 id = NULL;
834 SSL_set_tlsext_status_ids(clientssl, ids);
835 /* Control has been transferred */
836 ids = NULL;
837
838 BIO_free(certbio);
839 certbio = NULL;
840
710756a9
RS		 841 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
842 SSL_ERROR_NONE))
843 || !TEST_true(ocsp_client_called)
844 || !TEST_true(ocsp_server_called))
ba881d3b 845 goto end;
ba881d3b 846
2cb4b5f6
MC		 847 testresult = 1;
848
849 end:
ba881d3b
MC		 850 SSL_free(serverssl);
851 SSL_free(clientssl);
852 SSL_CTX_free(sctx);
853 SSL_CTX_free(cctx);
854 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
855 OCSP_RESPID_free(id);
856 BIO_free(certbio);
857 X509_free(ocspcert);
858 ocspcert = NULL;
2cb4b5f6
MC		 859
860 return testresult;
861}
8f8c11d8 862#endif
2cb4b5f6 863
bf208d95 864#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 865static int new_called, remove_called, get_called;
eaa776da 866
eaa776da
MC		 867static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
868{
869 new_called++;
c0537ebd
MC		 870 /*
871 * sess has been up-refed for us, but we don't actually need it so free it
872 * immediately.
873 */
874 SSL_SESSION_free(sess);
eaa776da
MC		 875 return 1;
876}
877
878static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
879{
880 remove_called++;
881}
882
7a301f08
MC		 883static SSL_SESSION *get_sess_val = NULL;
884
885static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
886 int *copy)
887{
0afca811 888 get_called++;
7a301f08
MC		 889 *copy = 1;
890 return get_sess_val;
891}
892
7a301f08
MC		 893static int execute_test_session(int maxprot, int use_int_cache,
894 int use_ext_cache)
2cb4b5f6
MC		 895{
896 SSL_CTX *sctx = NULL, *cctx = NULL;
897 SSL *serverssl1 = NULL, *clientssl1 = NULL;
898 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 899# ifndef OPENSSL_NO_TLS1_1
eaa776da 900 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 901# endif
2cb4b5f6 902 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 903 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 904
7e885b7b
P		 905 new_called = remove_called = 0;
906
36ff232c
MC		 907 /* TLSv1.3 sends 2 NewSessionTickets */
908 if (maxprot == TLS1_3_VERSION)
909 numnewsesstick = 2;
910
7d7f6834
RL		 911 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
912 TLS1_VERSION, TLS_MAX_VERSION,
913 &sctx, &cctx, cert, privkey)))
2cb4b5f6 914 return 0;
2cb4b5f6 915
7a301f08
MC		 916 /*
917 * Only allow the max protocol version so we can force a connection failure
918 * later
919 */
920 SSL_CTX_set_min_proto_version(cctx, maxprot);
921 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 922
923 /* Set up session cache */
7e885b7b 924 if (use_ext_cache) {
eaa776da
MC		 925 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
926 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
927 }
7e885b7b 928 if (use_int_cache) {
eaa776da
MC		 929 /* Also covers instance where both are set */
930 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
931 } else {
932 SSL_CTX_set_session_cache_mode(cctx,
933 SSL_SESS_CACHE_CLIENT
934 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
935 }
2cb4b5f6 936
710756a9
RS		 937 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
938 NULL, NULL))
939 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
940 SSL_ERROR_NONE))
941 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 942 goto end;
2cb4b5f6 943
710756a9 944 /* Should fail because it should already be in the cache */
7e885b7b 945 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 946 goto end;
7a301f08 947 if (use_ext_cache
36ff232c
MC		 948 && (!TEST_int_eq(new_called, numnewsesstick)
949
950 || !TEST_int_eq(remove_called, 0)))
b4982125 951 goto end;
b4982125 952
c0537ebd
MC		 953 new_called = remove_called = 0;
954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
955 &clientssl2, NULL, NULL))
956 || !TEST_true(SSL_set_session(clientssl2, sess1))
957 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
958 SSL_ERROR_NONE))
959 || !TEST_true(SSL_session_reused(clientssl2)))
960 goto end;
961
7a301f08
MC		 962 if (maxprot == TLS1_3_VERSION) {
963 /*
964 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 965 * resumed. Since we attempted a resume we should also have removed the
966 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 967 */
968 if (use_ext_cache
969 && (!TEST_int_eq(new_called, 1)
4cb00457 970 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 971 goto end;
972 } else {
973 /*
974 * In TLSv1.2 we expect to have resumed so no sessions added or
975 * removed.
976 */
977 if (use_ext_cache
978 && (!TEST_int_eq(new_called, 0)
979 || !TEST_int_eq(remove_called, 0)))
980 goto end;
981 }
c0537ebd
MC		 982
983 SSL_SESSION_free(sess1);
984 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
985 goto end;
986 shutdown_ssl_connection(serverssl2, clientssl2);
987 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 988
989 new_called = remove_called = 0;
710756a9
RS		 990 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
991 &clientssl2, NULL, NULL))
992 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
993 SSL_ERROR_NONE)))
2cb4b5f6 994 goto end;
2cb4b5f6 995
710756a9 996 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 997 goto end;
2cb4b5f6 998
7a301f08 999 if (use_ext_cache
36ff232c
MC		 1000 && (!TEST_int_eq(new_called, numnewsesstick)
1001 || !TEST_int_eq(remove_called, 0)))
eaa776da 1002 goto end;
eaa776da 1003
c0537ebd 1004 new_called = remove_called = 0;
2cb4b5f6 1005 /*
710756a9
RS		 1006 * This should clear sess2 from the cache because it is a "bad" session.
1007 * See SSL_set_session() documentation.
2cb4b5f6 1008 */
710756a9 1009 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1010 goto end;
7a301f08
MC		 1011 if (use_ext_cache
1012 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1013 goto end;
710756a9 1014 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1015 goto end;
2cb4b5f6 1016
7e885b7b 1017 if (use_int_cache) {
710756a9
RS		 1018 /* Should succeeded because it should not already be in the cache */
1019 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1020 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1021 goto end;
eaa776da
MC		 1022 }
1023
c0537ebd 1024 new_called = remove_called = 0;
eaa776da 1025 /* This shouldn't be in the cache so should fail */
710756a9 1026 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1027 goto end;
2cb4b5f6 1028
7a301f08
MC		 1029 if (use_ext_cache
1030 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1031 goto end;
2cb4b5f6 1032
bf208d95 1033# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1034 new_called = remove_called = 0;
eaa776da
MC		 1035 /* Force a connection failure */
1036 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1037 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1038 &clientssl3, NULL, NULL))
1039 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1040 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1041 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1042 SSL_ERROR_NONE)))
eaa776da 1043 goto end;
b4982125 1044
eaa776da 1045 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1046 if (use_ext_cache
1047 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1048 goto end;
2cb4b5f6 1049
710756a9 1050 /* Should succeed because it should not already be in the cache */
7e885b7b 1051 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1052 goto end;
bf208d95 1053# endif
eaa776da 1054
7a301f08
MC		 1055 /* Now do some tests for server side caching */
1056 if (use_ext_cache) {
1057 SSL_CTX_sess_set_new_cb(cctx, NULL);
1058 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1059 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1060 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1061 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1062 get_sess_val = NULL;
1063 }
1064
1065 SSL_CTX_set_session_cache_mode(cctx, 0);
1066 /* Internal caching is the default on the server side */
1067 if (!use_int_cache)
1068 SSL_CTX_set_session_cache_mode(sctx,
1069 SSL_SESS_CACHE_SERVER
1070 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1071
1072 SSL_free(serverssl1);
1073 SSL_free(clientssl1);
1074 serverssl1 = clientssl1 = NULL;
1075 SSL_free(serverssl2);
1076 SSL_free(clientssl2);
1077 serverssl2 = clientssl2 = NULL;
1078 SSL_SESSION_free(sess1);
1079 sess1 = NULL;
1080 SSL_SESSION_free(sess2);
1081 sess2 = NULL;
1082
1083 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1084 if (maxprot == TLS1_2_VERSION)
1085 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1086 new_called = remove_called = get_called = 0;
7a301f08
MC		 1087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1088 NULL, NULL))
1089 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1090 SSL_ERROR_NONE))
1091 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1092 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1093 goto end;
1094
ee94ec2e
MC		 1095 if (use_int_cache) {
1096 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1097 /*
1098 * In TLSv1.3 it should not have been added to the internal cache,
1099 * except in the case where we also have an external cache (in that
1100 * case it gets added to the cache in order to generate remove
1101 * events after timeout).
1102 */
1103 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1104 goto end;
1105 } else {
1106 /* Should fail because it should already be in the cache */
1107 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1108 goto end;
1109 }
1110 }
7a301f08
MC		 1111
1112 if (use_ext_cache) {
1113 SSL_SESSION *tmp = sess2;
1114
36ff232c 1115 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1116 || !TEST_int_eq(remove_called, 0)
1117 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1118 goto end;
1119 /*
1120 * Delete the session from the internal cache to force a lookup from
1121 * the external cache. We take a copy first because
1122 * SSL_CTX_remove_session() also marks the session as non-resumable.
1123 */
ee94ec2e 1124 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1125 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1126 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1127 goto end;
1128 SSL_SESSION_free(sess2);
1129 }
7a301f08
MC		 1130 sess2 = tmp;
1131 }
1132
0afca811 1133 new_called = remove_called = get_called = 0;
7a301f08
MC		 1134 get_sess_val = sess2;
1135 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1136 &clientssl2, NULL, NULL))
1137 || !TEST_true(SSL_set_session(clientssl2, sess1))
1138 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1139 SSL_ERROR_NONE))
1140 || !TEST_true(SSL_session_reused(clientssl2)))
1141 goto end;
1142
0afca811 1143 if (use_ext_cache) {
32305f88 1144 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1145 goto end;
1146
1147 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1148 if (!TEST_int_eq(new_called, 1)
1149 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1150 goto end;
1151 } else {
32305f88
MC		 1152 if (!TEST_int_eq(new_called, 0)
1153 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1154 goto end;
1155 }
1156 }
7a301f08 1157
2cb4b5f6 1158 testresult = 1;
eaa776da 1159
2cb4b5f6
MC		 1160 end:
1161 SSL_free(serverssl1);
1162 SSL_free(clientssl1);
1163 SSL_free(serverssl2);
1164 SSL_free(clientssl2);
bf208d95 1165# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1166 SSL_free(serverssl3);
1167 SSL_free(clientssl3);
bf208d95 1168# endif
2cb4b5f6
MC		 1169 SSL_SESSION_free(sess1);
1170 SSL_SESSION_free(sess2);
1171 SSL_CTX_free(sctx);
1172 SSL_CTX_free(cctx);
1173
1174 return testresult;
1175}
bf208d95 1176#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1177
7fb4c820
MC		 1178static int test_session_with_only_int_cache(void)
1179{
7a301f08
MC		 1180#ifndef OPENSSL_NO_TLS1_3
1181 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1182 return 0;
1183#endif
1184
1185#ifndef OPENSSL_NO_TLS1_2
1186 return execute_test_session(TLS1_2_VERSION, 1, 0);
1187#else
1188 return 1;
1189#endif
eaa776da
MC		 1190}
1191
7fb4c820
MC		 1192static int test_session_with_only_ext_cache(void)
1193{
7a301f08
MC		 1194#ifndef OPENSSL_NO_TLS1_3
1195 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1196 return 0;
1197#endif
1198
1199#ifndef OPENSSL_NO_TLS1_2
1200 return execute_test_session(TLS1_2_VERSION, 0, 1);
1201#else
1202 return 1;
1203#endif
eaa776da
MC		 1204}
1205
7fb4c820
MC		 1206static int test_session_with_both_cache(void)
1207{
7a301f08
MC		 1208#ifndef OPENSSL_NO_TLS1_3
1209 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1210 return 0;
1211#endif
1212
1213#ifndef OPENSSL_NO_TLS1_2
1214 return execute_test_session(TLS1_2_VERSION, 1, 1);
1215#else
1216 return 1;
1217#endif
eaa776da
MC		 1218}
1219
04225915 1220#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1221static SSL_SESSION *sesscache[6];
1222static int do_cache;
36ff232c
MC		 1223
1224static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1225{
c22365b3
MC		 1226 if (do_cache) {
1227 sesscache[new_called] = sess;
1228 } else {
1229 /* We don't need the reference to the session, so free it */
1230 SSL_SESSION_free(sess);
1231 }
1232 new_called++;
1233
1234 return 1;
1235}
1236
1237static int post_handshake_verify(SSL *sssl, SSL *cssl)
1238{
1239 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1240 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1241 return 0;
1242
1243 /* Start handshake on the server and client */
1244 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1245 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1246 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1247 || !TEST_true(create_ssl_connection(sssl, cssl,
1248 SSL_ERROR_NONE)))
1249 return 0;
36ff232c
MC		 1250
1251 return 1;
1252}
1253
fbe9dafd 1254static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 1255 SSL_CTX **cctx)
1256{
1257 int sess_id_ctx = 1;
1258
1259 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1260 TLS1_VERSION, TLS_MAX_VERSION, sctx,
1261 cctx, cert, privkey))
1262 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1263 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1264 (void *)&sess_id_ctx,
1265 sizeof(sess_id_ctx))))
1266 return 0;
1267
1268 if (stateful)
1269 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1270
1271 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1272 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1273 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1274
1275 return 1;
1276}
1277
1278static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1279{
1280 SSL *serverssl = NULL, *clientssl = NULL;
1281 int i;
1282
1283 /* Test that we can resume with all the tickets we got given */
1284 for (i = 0; i < idx * 2; i++) {
1285 new_called = 0;
1286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1287 &clientssl, NULL, NULL))
1288 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1289 goto end;
1290
32097b33 1291 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 1292
1293 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1294 SSL_ERROR_NONE)))
1295 goto end;
1296
1297 /*
1298 * Following a successful resumption we only get 1 ticket. After a
1299 * failed one we should get idx tickets.
1300 */
1301 if (succ) {
1302 if (!TEST_true(SSL_session_reused(clientssl))
1303 || !TEST_int_eq(new_called, 1))
1304 goto end;
1305 } else {
1306 if (!TEST_false(SSL_session_reused(clientssl))
1307 || !TEST_int_eq(new_called, idx))
1308 goto end;
1309 }
1310
1311 new_called = 0;
1312 /* After a post-handshake authentication we should get 1 new ticket */
1313 if (succ
1314 && (!post_handshake_verify(serverssl, clientssl)
1315 || !TEST_int_eq(new_called, 1)))
1316 goto end;
1317
1318 SSL_shutdown(clientssl);
1319 SSL_shutdown(serverssl);
1320 SSL_free(serverssl);
1321 SSL_free(clientssl);
1322 serverssl = clientssl = NULL;
1323 SSL_SESSION_free(sesscache[i]);
1324 sesscache[i] = NULL;
1325 }
1326
1327 return 1;
1328
1329 end:
1330 SSL_free(clientssl);
1331 SSL_free(serverssl);
1332 return 0;
1333}
1334
04d7814a 1335static int test_tickets(int stateful, int idx)
36ff232c
MC		 1336{
1337 SSL_CTX *sctx = NULL, *cctx = NULL;
1338 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 1339 int testresult = 0;
36ff232c
MC		 1340 size_t j;
1341
1342 /* idx is the test number, but also the number of tickets we want */
1343
1344 new_called = 0;
c22365b3 1345 do_cache = 1;
36ff232c 1346
fbe9dafd 1347 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 1348 goto end;
1349
03cdf559
MC		 1350 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1351 &clientssl, NULL, NULL)))
1352 goto end;
1353
1354 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1355 SSL_ERROR_NONE))
1356 /* Check we got the number of tickets we were expecting */
1357 || !TEST_int_eq(idx, new_called))
1358 goto end;
04d7814a 1359
03cdf559
MC		 1360 SSL_shutdown(clientssl);
1361 SSL_shutdown(serverssl);
1362 SSL_free(serverssl);
1363 SSL_free(clientssl);
1364 SSL_CTX_free(sctx);
1365 SSL_CTX_free(cctx);
1366 clientssl = serverssl = NULL;
1367 sctx = cctx = NULL;
1368
1369 /*
1370 * Now we try to resume with the tickets we previously created. The
1371 * resumption attempt is expected to fail (because we're now using a new
1372 * SSL_CTX). We should see idx number of tickets issued again.
1373 */
1374
1375 /* Stop caching sessions - just count them */
1376 do_cache = 0;
1377
fbe9dafd 1378 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 1379 goto end;
1380
1381 if (!check_resumption(idx, sctx, cctx, 0))
1382 goto end;
1383
1384 /* Start again with caching sessions */
1385 new_called = 0;
1386 do_cache = 1;
fbe9dafd
MC		 1387 SSL_CTX_free(sctx);
1388 SSL_CTX_free(cctx);
1389 sctx = cctx = NULL;
03cdf559 1390
fbe9dafd 1391 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 1392 goto end;
36ff232c
MC		 1393
1394 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1395 &clientssl, NULL, NULL)))
1396 goto end;
1397
32097b33 1398 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 1399
1400 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1401 SSL_ERROR_NONE))
1402 /* Check we got the number of tickets we were expecting */
1403 || !TEST_int_eq(idx, new_called))
1404 goto end;
1405
1406 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1407 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1408 || !TEST_int_eq(idx * 2, new_called))
1409 goto end;
1410
36ff232c
MC		 1411 SSL_shutdown(clientssl);
1412 SSL_shutdown(serverssl);
1413 SSL_free(serverssl);
1414 SSL_free(clientssl);
1415 serverssl = clientssl = NULL;
1416
c22365b3
MC		 1417 /* Stop caching sessions - just count them */
1418 do_cache = 0;
1419
03cdf559
MC		 1420 /*
1421 * Check we can resume with all the tickets we created. This time around the
1422 * resumptions should all be successful.
1423 */
1424 if (!check_resumption(idx, sctx, cctx, 1))
1425 goto end;
36ff232c
MC		 1426
1427 testresult = 1;
1428
1429 end:
1430 SSL_free(serverssl);
1431 SSL_free(clientssl);
c22365b3 1432 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 1433 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 1434 sesscache[j] = NULL;
1435 }
36ff232c
MC		 1436 SSL_CTX_free(sctx);
1437 SSL_CTX_free(cctx);
1438
1439 return testresult;
1440}
04d7814a
MC		 1441
1442static int test_stateless_tickets(int idx)
1443{
1444 return test_tickets(0, idx);
1445}
1446
1447static int test_stateful_tickets(int idx)
1448{
1449 return test_tickets(1, idx);
1450}
8614a4eb
MC		 1451
1452static int test_psk_tickets(void)
1453{
1454 SSL_CTX *sctx = NULL, *cctx = NULL;
1455 SSL *serverssl = NULL, *clientssl = NULL;
1456 int testresult = 0;
1457 int sess_id_ctx = 1;
1458
1459 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1460 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1461 &cctx, NULL, NULL))
1462 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1463 (void *)&sess_id_ctx,
1464 sizeof(sess_id_ctx))))
1465 goto end;
1466
1467 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1468 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1469 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1470 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1471 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1472 use_session_cb_cnt = 0;
1473 find_session_cb_cnt = 0;
1474 srvid = pskid;
1475 new_called = 0;
1476
1477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1478 NULL, NULL)))
1479 goto end;
1480 clientpsk = serverpsk = create_a_psk(clientssl);
1481 if (!TEST_ptr(clientpsk))
1482 goto end;
1483 SSL_SESSION_up_ref(clientpsk);
1484
1485 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1486 SSL_ERROR_NONE))
1487 || !TEST_int_eq(1, find_session_cb_cnt)
1488 || !TEST_int_eq(1, use_session_cb_cnt)
1489 /* We should always get 1 ticket when using external PSK */
1490 || !TEST_int_eq(1, new_called))
1491 goto end;
1492
1493 testresult = 1;
1494
1495 end:
1496 SSL_free(serverssl);
1497 SSL_free(clientssl);
1498 SSL_CTX_free(sctx);
1499 SSL_CTX_free(cctx);
1500 SSL_SESSION_free(clientpsk);
1501 SSL_SESSION_free(serverpsk);
1502 clientpsk = serverpsk = NULL;
1503
1504 return testresult;
1505}
04225915 1506#endif
36ff232c 1507
7d4488bb
MC		 1508#define USE_NULL 0
1509#define USE_BIO_1 1
1510#define USE_BIO_2 2
1511#define USE_DEFAULT 3
1512
1513#define CONNTYPE_CONNECTION_SUCCESS 0
1514#define CONNTYPE_CONNECTION_FAIL 1
1515#define CONNTYPE_NO_CONNECTION 2
1516
1517#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1518#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1519#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1520# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1521#else
1522# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1523#endif
1524
7d4488bb
MC		 1525#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1526 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1527 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 1528
1529static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1530{
1531 switch (type) {
1532 case USE_NULL:
1533 *res = NULL;
1534 break;
1535 case USE_BIO_1:
1536 *res = bio1;
1537 break;
1538 case USE_BIO_2:
1539 *res = bio2;
1540 break;
1541 }
1542}
1543
7d4488bb
MC		 1544
1545/*
1546 * Tests calls to SSL_set_bio() under various conditions.
1547 *
1548 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1549 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1550 * then do more tests where we create a successful connection first using our
1551 * standard connection setup functions, and then call SSL_set_bio() with
1552 * various combinations of valid BIOs or NULL. We then repeat these tests
1553 * following a failed connection. In this last case we are looking to check that
1554 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1555 */
7fb4c820
MC		 1556static int test_ssl_set_bio(int idx)
1557{
7d4488bb 1558 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 1559 BIO *bio1 = NULL;
1560 BIO *bio2 = NULL;
0fae8150 1561 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 1562 SSL *serverssl = NULL, *clientssl = NULL;
1563 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 1564 int testresult = 0;
1565
7d4488bb
MC		 1566 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1567 initrbio = idx % 3;
1568 idx /= 3;
1569 initwbio = idx % 3;
1570 idx /= 3;
1571 newrbio = idx % 3;
1572 idx /= 3;
1573 newwbio = idx % 3;
1574 conntype = CONNTYPE_NO_CONNECTION;
1575 } else {
1576 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1577 initrbio = initwbio = USE_DEFAULT;
1578 newrbio = idx % 2;
1579 idx /= 2;
1580 newwbio = idx % 2;
1581 idx /= 2;
1582 conntype = idx % 2;
1583 }
710756a9 1584
7d4488bb
MC		 1585 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1586 TLS1_VERSION, TLS_MAX_VERSION,
1587 &sctx, &cctx, cert, privkey)))
1588 goto end;
1589
1590 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1591 /*
1592 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1593 * because we reduced the number of tests in the definition of
1594 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1595 * mismatched protocol versions we will force a connection failure.
1596 */
1597 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1598 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1599 }
1600
1601 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1602 NULL, NULL)))
710756a9 1603 goto end;
7fb4c820 1604
710756a9
RS		 1605 if (initrbio == USE_BIO_1
1606 || initwbio == USE_BIO_1
1607 || newrbio == USE_BIO_1
7fb4c820 1608 || newwbio == USE_BIO_1) {
710756a9 1609 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1610 goto end;
7fb4c820
MC		 1611 }
1612
710756a9
RS		 1613 if (initrbio == USE_BIO_2
1614 || initwbio == USE_BIO_2
1615 || newrbio == USE_BIO_2
7fb4c820 1616 || newwbio == USE_BIO_2) {
710756a9 1617 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1618 goto end;
7fb4c820
MC		 1619 }
1620
7d4488bb
MC		 1621 if (initrbio != USE_DEFAULT) {
1622 setupbio(&irbio, bio1, bio2, initrbio);
1623 setupbio(&iwbio, bio1, bio2, initwbio);
1624 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 1625
7d4488bb
MC		 1626 /*
1627 * We want to maintain our own refs to these BIO, so do an up ref for
1628 * each BIO that will have ownership transferred in the SSL_set_bio()
1629 * call
1630 */
1631 if (irbio != NULL)
1632 BIO_up_ref(irbio);
1633 if (iwbio != NULL && iwbio != irbio)
1634 BIO_up_ref(iwbio);
1635 }
7fb4c820 1636
7d4488bb
MC		 1637 if (conntype != CONNTYPE_NO_CONNECTION
1638 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1639 SSL_ERROR_NONE)
1640 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1641 goto end;
7fb4c820
MC		 1642
1643 setupbio(&nrbio, bio1, bio2, newrbio);
1644 setupbio(&nwbio, bio1, bio2, newwbio);
1645
1646 /*
1647 * We will (maybe) transfer ownership again so do more up refs.
1648 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1649 * already been set!
1650 */
710756a9
RS		 1651 if (nrbio != NULL
1652 && nrbio != irbio
1653 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1654 BIO_up_ref(nrbio);
710756a9
RS		 1655 if (nwbio != NULL
1656 && nwbio != nrbio
1657 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1658 BIO_up_ref(nwbio);
1659
7d4488bb 1660 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 1661
1662 testresult = 1;
1663
1664 end:
7fb4c820
MC		 1665 BIO_free(bio1);
1666 BIO_free(bio2);
710756a9 1667
7fb4c820
MC		 1668 /*
1669 * This test is checking that the ref counting for SSL_set_bio is correct.
1670 * If we get here and we did too many frees then we will fail in the above
1671 * functions. If we haven't done enough then this will only be detected in
1672 * a crypto-mdebug build
1673 */
7d4488bb
MC		 1674 SSL_free(serverssl);
1675 SSL_free(clientssl);
1676 SSL_CTX_free(sctx);
1677 SSL_CTX_free(cctx);
7fb4c820
MC		 1678 return testresult;
1679}
1680
7e885b7b 1681typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1682
7e885b7b 1683static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1684{
1685 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1686 SSL_CTX *ctx;
9a716987
MC		 1687 SSL *ssl = NULL;
1688 int testresult = 0;
1689
710756a9
RS		 1690 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1691 || !TEST_ptr(ssl = SSL_new(ctx))
1692 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1693 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1694 goto end;
9a716987
MC		 1695
1696 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1697
1698 /*
1699 * If anything goes wrong here then we could leak memory, so this will
1700 * be caught in a crypto-mdebug build
1701 */
1702 BIO_push(sslbio, membio1);
1703
69687aa8 1704 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1705 if (change_bio != NO_BIO_CHANGE) {
710756a9 1706 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1707 goto end;
7e885b7b 1708 if (change_bio == CHANGE_RBIO)
65e2d672 1709 SSL_set0_rbio(ssl, membio2);
9a716987 1710 else
65e2d672 1711 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1712 }
1713 ssl = NULL;
1714
7e885b7b 1715 if (pop_ssl)
9a716987
MC		 1716 BIO_pop(sslbio);
1717 else
1718 BIO_pop(membio1);
1719
1720 testresult = 1;
1721 end:
1722 BIO_free(membio1);
1723 BIO_free(sslbio);
1724 SSL_free(ssl);
1725 SSL_CTX_free(ctx);
1726
1727 return testresult;
1728}
1729
1730static int test_ssl_bio_pop_next_bio(void)
1731{
7e885b7b 1732 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1733}
1734
1735static int test_ssl_bio_pop_ssl_bio(void)
1736{
7e885b7b 1737 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1738}
1739
1740static int test_ssl_bio_change_rbio(void)
1741{
7e885b7b 1742 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1743}
1744
1745static int test_ssl_bio_change_wbio(void)
1746{
7e885b7b 1747 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1748}
1749
c423ecaa 1750#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1751typedef struct {
1752 /* The list of sig algs */
1753 const int *list;
1754 /* The length of the list */
1755 size_t listlen;
1756 /* A sigalgs list in string format */
1757 const char *liststr;
1758 /* Whether setting the list should succeed */
1759 int valid;
1760 /* Whether creating a connection with the list should succeed */
1761 int connsuccess;
1762} sigalgs_list;
1763
1764static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1765# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1766static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1767static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1768# endif
f1b25aae
MC		 1769static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1770static const int invalidlist2[] = {NID_sha256, NID_undef};
1771static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1772static const int invalidlist4[] = {NID_sha256};
1773static const sigalgs_list testsigalgs[] = {
1774 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 1775# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1776 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1777 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 1778# endif
f1b25aae 1779 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 1780# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1781 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1782 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 1783# endif
f1b25aae
MC		 1784 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1785 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1786 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1787 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1788 {NULL, 0, "RSA", 0, 0},
1789 {NULL, 0, "SHA256", 0, 0},
1790 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1791 {NULL, 0, "Invalid", 0, 0}
1792};
f1b25aae
MC		 1793
1794static int test_set_sigalgs(int idx)
1795{
1796 SSL_CTX *cctx = NULL, *sctx = NULL;
1797 SSL *clientssl = NULL, *serverssl = NULL;
1798 int testresult = 0;
1799 const sigalgs_list *curr;
1800 int testctx;
1801
1802 /* Should never happen */
710756a9 1803 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1804 return 0;
1805
1806 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1807 curr = testctx ? &testsigalgs[idx]
1808 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1809
7d7f6834
RL		 1810 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1811 TLS1_VERSION, TLS_MAX_VERSION,
1812 &sctx, &cctx, cert, privkey)))
f1b25aae 1813 return 0;
f1b25aae 1814
d2e491f2
MC		 1815 /*
1816 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1817 * for TLSv1.2 for now until we add a new API.
1818 */
1819 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1820
f1b25aae
MC		 1821 if (testctx) {
1822 int ret;
710756a9 1823
f1b25aae
MC		 1824 if (curr->list != NULL)
1825 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1826 else
1827 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1828
1829 if (!ret) {
1830 if (curr->valid)
710756a9 1831 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1832 else
1833 testresult = 1;
1834 goto end;
1835 }
1836 if (!curr->valid) {
710756a9 1837 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1838 goto end;
1839 }
1840 }
1841
710756a9
RS		 1842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1843 &clientssl, NULL, NULL)))
f1b25aae 1844 goto end;
f1b25aae
MC		 1845
1846 if (!testctx) {
1847 int ret;
1848
1849 if (curr->list != NULL)
1850 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1851 else
1852 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1853 if (!ret) {
1854 if (curr->valid)
710756a9 1855 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 1856 else
1857 testresult = 1;
1858 goto end;
1859 }
710756a9 1860 if (!curr->valid)
f1b25aae 1861 goto end;
f1b25aae
MC		 1862 }
1863
710756a9
RS		 1864 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1865 SSL_ERROR_NONE),
1866 curr->connsuccess))
f1b25aae 1867 goto end;
f1b25aae
MC		 1868
1869 testresult = 1;
1870
1871 end:
1872 SSL_free(serverssl);
1873 SSL_free(clientssl);
1874 SSL_CTX_free(sctx);
1875 SSL_CTX_free(cctx);
1876
1877 return testresult;
1878}
c423ecaa 1879#endif
f1b25aae 1880
fff202e5 1881#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 1882static int psk_client_cb_cnt = 0;
1883static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 1884
1885static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1886 size_t *idlen, SSL_SESSION **sess)
1887{
1888 switch (++use_session_cb_cnt) {
1889 case 1:
1890 /* The first call should always have a NULL md */
1891 if (md != NULL)
1892 return 0;
1893 break;
1894
1895 case 2:
1896 /* The second call should always have an md */
1897 if (md == NULL)
1898 return 0;
1899 break;
1900
1901 default:
1902 /* We should only be called a maximum of twice */
1903 return 0;
1904 }
1905
57dee9bb
MC		 1906 if (clientpsk != NULL)
1907 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 1908
57dee9bb 1909 *sess = clientpsk;
02a3ed5a
MC		 1910 *id = (const unsigned char *)pskid;
1911 *idlen = strlen(pskid);
1912
1913 return 1;
1914}
1915
c2b290c3 1916#ifndef OPENSSL_NO_PSK
532f9578
MC		 1917static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1918 unsigned int max_id_len,
1919 unsigned char *psk,
1920 unsigned int max_psk_len)
1921{
1922 unsigned int psklen = 0;
1923
1924 psk_client_cb_cnt++;
1925
1926 if (strlen(pskid) + 1 > max_id_len)
1927 return 0;
1928
1929 /* We should only ever be called a maximum of twice per connection */
1930 if (psk_client_cb_cnt > 2)
1931 return 0;
1932
1933 if (clientpsk == NULL)
1934 return 0;
1935
1936 /* We'll reuse the PSK we set up for TLSv1.3 */
1937 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1938 return 0;
1939 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1940 strncpy(id, pskid, max_id_len);
1941
1942 return psklen;
1943}
c2b290c3 1944#endif /* OPENSSL_NO_PSK */
532f9578 1945
02a3ed5a
MC		 1946static int find_session_cb(SSL *ssl, const unsigned char *identity,
1947 size_t identity_len, SSL_SESSION **sess)
1948{
1949 find_session_cb_cnt++;
1950
1951 /* We should only ever be called a maximum of twice per connection */
1952 if (find_session_cb_cnt > 2)
1953 return 0;
1954
57dee9bb 1955 if (serverpsk == NULL)
02a3ed5a
MC		 1956 return 0;
1957
1958 /* Identity should match that set by the client */
1959 if (strlen(srvid) != identity_len
1960 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1961 /* No PSK found, continue but without a PSK */
1962 *sess = NULL;
1963 return 1;
1964 }
1965
57dee9bb
MC		 1966 SSL_SESSION_up_ref(serverpsk);
1967 *sess = serverpsk;
02a3ed5a
MC		 1968
1969 return 1;
1970}
1971
c2b290c3 1972#ifndef OPENSSL_NO_PSK
532f9578
MC		 1973static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1974 unsigned char *psk, unsigned int max_psk_len)
1975{
1976 unsigned int psklen = 0;
1977
1978 psk_server_cb_cnt++;
1979
1980 /* We should only ever be called a maximum of twice per connection */
1981 if (find_session_cb_cnt > 2)
1982 return 0;
1983
1984 if (serverpsk == NULL)
1985 return 0;
1986
1987 /* Identity should match that set by the client */
1988 if (strcmp(srvid, identity) != 0) {
1989 return 0;
1990 }
1991
1992 /* We'll reuse the PSK we set up for TLSv1.3 */
1993 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1994 return 0;
1995 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1996
1997 return psklen;
1998}
c2b290c3 1999#endif /* OPENSSL_NO_PSK */
532f9578 2000
5f982038
MC		 2001#define MSG1 "Hello"
2002#define MSG2 "World."
2003#define MSG3 "This"
2004#define MSG4 "is"
2005#define MSG5 "a"
90049cea
MC		 2006#define MSG6 "test"
2007#define MSG7 "message."
5f982038 2008
02a3ed5a 2009#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 2010#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 2011
8614a4eb
MC		 2012
2013static SSL_SESSION *create_a_psk(SSL *ssl)
2014{
2015 const SSL_CIPHER *cipher = NULL;
2016 const unsigned char key[] = {
2017 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2018 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2019 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2020 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2021 0x2c, 0x2d, 0x2e, 0x2f
2022 };
2023 SSL_SESSION *sess = NULL;
2024
2025 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2026 sess = SSL_SESSION_new();
2027 if (!TEST_ptr(sess)
2028 || !TEST_ptr(cipher)
2029 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2030 sizeof(key)))
2031 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2032 || !TEST_true(
2033 SSL_SESSION_set_protocol_version(sess,
2034 TLS1_3_VERSION))) {
2035 SSL_SESSION_free(sess);
2036 return NULL;
2037 }
2038 return sess;
2039}
2040
5f982038
MC		 2041/*
2042 * Helper method to setup objects for early data test. Caller frees objects on
2043 * error.
2044 */
2045static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 2046 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 2047{
5a421415
MC		 2048 if (*sctx == NULL
2049 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2050 TLS_client_method(),
2051 TLS1_VERSION, TLS_MAX_VERSION,
2052 sctx, cctx, cert, privkey)))
2053 return 0;
2054
2055 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 2056 return 0;
5f982038 2057
02a3ed5a
MC		 2058 if (idx == 1) {
2059 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 2060 SSL_CTX_set_read_ahead(*cctx, 1);
2061 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 2062 } else if (idx == 2) {
2063 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2064 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2065 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2066 use_session_cb_cnt = 0;
2067 find_session_cb_cnt = 0;
2068 srvid = pskid;
3cb47b4e
MC		 2069 }
2070
710756a9 2071 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 2072 NULL, NULL)))
2073 return 0;
2074
141e4709
MC		 2075 /*
2076 * For one of the run throughs (doesn't matter which one), we'll try sending
2077 * some SNI data in the initial ClientHello. This will be ignored (because
2078 * there is no SNI cb set up by the server), so it should not impact
2079 * early_data.
2080 */
2081 if (idx == 1
2082 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2083 return 0;
2084
02a3ed5a 2085 if (idx == 2) {
8614a4eb 2086 clientpsk = create_a_psk(*clientssl);
57dee9bb 2087 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 2088 /*
2089 * We just choose an arbitrary value for max_early_data which
2090 * should be big enough for testing purposes.
2091 */
57dee9bb
MC		 2092 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2093 0x100))
2094 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2095 SSL_SESSION_free(clientpsk);
2096 clientpsk = NULL;
02a3ed5a
MC		 2097 return 0;
2098 }
57dee9bb 2099 serverpsk = clientpsk;
02a3ed5a 2100
c20e3b28
MC		 2101 if (sess != NULL) {
2102 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2103 SSL_SESSION_free(clientpsk);
2104 SSL_SESSION_free(serverpsk);
2105 clientpsk = serverpsk = NULL;
2106 return 0;
2107 }
57dee9bb 2108 *sess = clientpsk;
c20e3b28 2109 }
02a3ed5a
MC		 2110 return 1;
2111 }
2112
2113 if (sess == NULL)
2114 return 1;
2115
2116 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2117 SSL_ERROR_NONE)))
5f982038 2118 return 0;
5f982038
MC		 2119
2120 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 2121 SSL_shutdown(*clientssl);
2122 SSL_shutdown(*serverssl);
5f982038
MC		 2123 SSL_free(*serverssl);
2124 SSL_free(*clientssl);
2125 *serverssl = *clientssl = NULL;
2126
710756a9
RS		 2127 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2128 clientssl, NULL, NULL))
2129 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 2130 return 0;
5f982038
MC		 2131
2132 return 1;
2133}
2134
3cb47b4e 2135static int test_early_data_read_write(int idx)
5f982038
MC		 2136{
2137 SSL_CTX *cctx = NULL, *sctx = NULL;
2138 SSL *clientssl = NULL, *serverssl = NULL;
2139 int testresult = 0;
2140 SSL_SESSION *sess = NULL;
9b5c865d
MC		 2141 unsigned char buf[20], data[1024];
2142 size_t readbytes, written, eoedlen, rawread, rawwritten;
2143 BIO *rbio;
5f982038 2144
710756a9
RS		 2145 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2146 &serverssl, &sess, idx)))
5f982038
MC		 2147 goto end;
2148
2149 /* Write and read some early data */
710756a9
RS		 2150 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2151 &written))
2152 || !TEST_size_t_eq(written, strlen(MSG1))
2153 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2154 sizeof(buf), &readbytes),
2155 SSL_READ_EARLY_DATA_SUCCESS)
2156 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2157 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2158 SSL_EARLY_DATA_ACCEPTED))
5f982038 2159 goto end;
5f982038
MC		 2160
2161 /*
09f28874 2162 * Server should be able to write data, and client should be able to
5f982038
MC		 2163 * read it.
2164 */
710756a9
RS		 2165 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2166 &written))
2167 || !TEST_size_t_eq(written, strlen(MSG2))
2168 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2169 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2170 goto end;
5f982038
MC		 2171
2172 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 2173 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2174 &written))
2175 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 2176 goto end;
5f982038 2177
09f28874 2178 /* Server should still be able read early data after writing data */
710756a9
RS		 2179 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2180 &readbytes),
2181 SSL_READ_EARLY_DATA_SUCCESS)
2182 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 2183 goto end;
5f982038 2184
09f28874 2185 /* Write more data from server and read it from client */
710756a9
RS		 2186 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2187 &written))
2188 || !TEST_size_t_eq(written, strlen(MSG4))
2189 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2190 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2191 goto end;
5f982038
MC		 2192
2193 /*
2194 * If client writes normal data it should mean writing early data is no
2195 * longer possible.
2196 */
710756a9
RS		 2197 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2198 || !TEST_size_t_eq(written, strlen(MSG5))
2199 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2200 SSL_EARLY_DATA_ACCEPTED))
5f982038 2201 goto end;
5f982038 2202
9b5c865d
MC		 2203 /*
2204 * At this point the client has written EndOfEarlyData, ClientFinished and
2205 * normal (fully protected) data. We are going to cause a delay between the
2206 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2207 * in the read BIO, and then just put back the EndOfEarlyData message.
2208 */
2209 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2210 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2211 || !TEST_size_t_lt(rawread, sizeof(data))
2212 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2213 goto end;
710756a9 2214
9b5c865d
MC		 2215 /* Record length is in the 4th and 5th bytes of the record header */
2216 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2217 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2218 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2219 goto end;
9b5c865d 2220
5f982038 2221 /* Server should be told that there is no more early data */
710756a9
RS		 2222 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2223 &readbytes),
2224 SSL_READ_EARLY_DATA_FINISH)
2225 || !TEST_size_t_eq(readbytes, 0))
5f982038 2226 goto end;
5f982038 2227
9b5c865d
MC		 2228 /*
2229 * Server has not finished init yet, so should still be able to write early
2230 * data.
2231 */
710756a9
RS		 2232 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2233 &written))
2234 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2235 goto end;
9b5c865d 2236
f8a303fa 2237 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2238 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2239 &rawwritten))
2240 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2241 goto end;
f8a303fa 2242
5f982038 2243 /* Server should be able to read normal data */
710756a9
RS		 2244 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2245 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2246 goto end;
5f982038 2247
09f28874 2248 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2249 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2250 &written)))
5f982038 2251 goto end;
5f982038 2252 ERR_clear_error();
710756a9
RS		 2253 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2254 &readbytes),
2255 SSL_READ_EARLY_DATA_ERROR))
5f982038 2256 goto end;
5f982038
MC		 2257 ERR_clear_error();
2258
9b5c865d 2259 /* Client should be able to read the data sent by the server */
710756a9
RS		 2260 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2261 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2262 goto end;
710756a9 2263
f8a303fa 2264 /*
36ff232c
MC		 2265 * Make sure we process the two NewSessionTickets. These arrive
2266 * post-handshake. We attempt reads which we do not expect to return any
2267 * data.
f8a303fa 2268 */
36ff232c
MC		 2269 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2270 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2271 &readbytes)))
f8a303fa 2272 goto end;
5f982038 2273
90049cea 2274 /* Server should be able to write normal data */
710756a9
RS		 2275 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2276 || !TEST_size_t_eq(written, strlen(MSG7))
2277 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2278 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2279 goto end;
90049cea 2280
c20e3b28 2281 SSL_SESSION_free(sess);
5f982038 2282 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2283 use_session_cb_cnt = 0;
2284 find_session_cb_cnt = 0;
5f982038
MC		 2285
2286 SSL_shutdown(clientssl);
2287 SSL_shutdown(serverssl);
5f982038
MC		 2288 SSL_free(serverssl);
2289 SSL_free(clientssl);
2290 serverssl = clientssl = NULL;
710756a9
RS		 2291 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2292 &clientssl, NULL, NULL))
2293 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2294 goto end;
5f982038
MC		 2295
2296 /* Write and read some early data */
710756a9
RS		 2297 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2298 &written))
2299 || !TEST_size_t_eq(written, strlen(MSG1))
2300 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2301 &readbytes),
2302 SSL_READ_EARLY_DATA_SUCCESS)
2303 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2304 goto end;
5f982038 2305
710756a9
RS		 2306 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2307 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2308 goto end;
5f982038 2309
09f28874 2310 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2311 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2312 &written)))
5f982038 2313 goto end;
5f982038 2314 ERR_clear_error();
710756a9
RS		 2315 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2316 &readbytes),
2317 SSL_READ_EARLY_DATA_ERROR))
5f982038 2318 goto end;
5f982038
MC		 2319 ERR_clear_error();
2320
2321 /* Client and server should be able to write/read normal data */
710756a9
RS		 2322 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2323 || !TEST_size_t_eq(written, strlen(MSG5))
2324 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2325 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2326 goto end;
5f982038
MC		 2327
2328 testresult = 1;
2329
2330 end:
c20e3b28 2331 SSL_SESSION_free(sess);
57dee9bb
MC		 2332 SSL_SESSION_free(clientpsk);
2333 SSL_SESSION_free(serverpsk);
2334 clientpsk = serverpsk = NULL;
5f982038
MC		 2335 SSL_free(serverssl);
2336 SSL_free(clientssl);
2337 SSL_CTX_free(sctx);
2338 SSL_CTX_free(cctx);
5f982038
MC		 2339 return testresult;
2340}
2341
5a421415
MC		 2342static int allow_ed_cb_called = 0;
2343
2344static int allow_early_data_cb(SSL *s, void *arg)
2345{
2346 int *usecb = (int *)arg;
2347
2348 allow_ed_cb_called++;
2349
2350 if (*usecb == 1)
2351 return 0;
2352
2353 return 1;
2354}
2355
2356/*
2357 * idx == 0: Standard early_data setup
2358 * idx == 1: early_data setup using read_ahead
2359 * usecb == 0: Don't use a custom early data callback
2360 * usecb == 1: Use a custom early data callback and reject the early data
2361 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 2362 * confopt == 0: Configure anti-replay directly
2363 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 2364 */
3bb5e5b0 2365static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 2366{
2367 SSL_CTX *cctx = NULL, *sctx = NULL;
2368 SSL *clientssl = NULL, *serverssl = NULL;
2369 int testresult = 0;
2370 SSL_SESSION *sess = NULL;
5a421415
MC		 2371 size_t readbytes, written;
2372 unsigned char buf[20];
2373
2374 allow_ed_cb_called = 0;
2375
2376 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2377 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2378 &cctx, cert, privkey)))
2379 return 0;
2380
2381 if (usecb > 0) {
3bb5e5b0
MC		 2382 if (confopt == 0) {
2383 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2384 } else {
2385 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2386
2387 if (!TEST_ptr(confctx))
2388 goto end;
2389 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2390 | SSL_CONF_FLAG_SERVER);
2391 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2392 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2393 2)) {
2394 SSL_CONF_CTX_free(confctx);
2395 goto end;
2396 }
2397 SSL_CONF_CTX_free(confctx);
2398 }
5a421415
MC		 2399 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2400 }
78fb5374
MC		 2401
2402 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2403 &serverssl, &sess, idx)))
2404 goto end;
2405
2406 /*
2407 * The server is configured to accept early data. Create a connection to
2408 * "use up" the ticket
2409 */
2410 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2411 || !TEST_true(SSL_session_reused(clientssl)))
2412 goto end;
2413
2414 SSL_shutdown(clientssl);
2415 SSL_shutdown(serverssl);
2416 SSL_free(serverssl);
2417 SSL_free(clientssl);
2418 serverssl = clientssl = NULL;
2419
2420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2421 &clientssl, NULL, NULL))
5a421415
MC		 2422 || !TEST_true(SSL_set_session(clientssl, sess)))
2423 goto end;
2424
2425 /* Write and read some early data */
2426 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2427 &written))
2428 || !TEST_size_t_eq(written, strlen(MSG1)))
2429 goto end;
2430
2431 if (usecb <= 1) {
2432 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2433 &readbytes),
2434 SSL_READ_EARLY_DATA_FINISH)
2435 /*
2436 * The ticket was reused, so the we should have rejected the
2437 * early data
2438 */
2439 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2440 SSL_EARLY_DATA_REJECTED))
2441 goto end;
2442 } else {
2443 /* In this case the callback decides to accept the early data */
2444 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2445 &readbytes),
2446 SSL_READ_EARLY_DATA_SUCCESS)
2447 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2448 /*
2449 * Server will have sent its flight so client can now send
2450 * end of early data and complete its half of the handshake
2451 */
2452 || !TEST_int_gt(SSL_connect(clientssl), 0)
2453 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2454 &readbytes),
2455 SSL_READ_EARLY_DATA_FINISH)
2456 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2457 SSL_EARLY_DATA_ACCEPTED))
2458 goto end;
2459 }
2460
2461 /* Complete the connection */
2462 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2463 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2464 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 2465 goto end;
2466
2467 testresult = 1;
2468
2469 end:
c20e3b28 2470 SSL_SESSION_free(sess);
78fb5374
MC		 2471 SSL_SESSION_free(clientpsk);
2472 SSL_SESSION_free(serverpsk);
2473 clientpsk = serverpsk = NULL;
2474 SSL_free(serverssl);
2475 SSL_free(clientssl);
2476 SSL_CTX_free(sctx);
2477 SSL_CTX_free(cctx);
2478 return testresult;
2479}
2480
5a421415
MC		 2481static int test_early_data_replay(int idx)
2482{
3bb5e5b0 2483 int ret = 1, usecb, confopt;
5a421415 2484
3bb5e5b0
MC		 2485 for (usecb = 0; usecb < 3; usecb++) {
2486 for (confopt = 0; confopt < 2; confopt++)
2487 ret &= test_early_data_replay_int(idx, usecb, confopt);
2488 }
5a421415
MC		 2489
2490 return ret;
2491}
2492
710756a9 2493/*
6b84e6bf
MC		 2494 * Helper function to test that a server attempting to read early data can
2495 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 2496 * testtype: 0 == No HRR
2497 * testtype: 1 == HRR
0efa0ba4
MC		 2498 * testtype: 2 == HRR, invalid early_data sent after HRR
2499 * testtype: 3 == recv_max_early_data set to 0
710756a9 2500 */
0d1b7789 2501static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 2502{
2503 SSL_CTX *cctx = NULL, *sctx = NULL;
2504 SSL *clientssl = NULL, *serverssl = NULL;
2505 int testresult = 0;
018fcbec 2506 SSL_SESSION *sess = NULL;
5f982038
MC		 2507 unsigned char buf[20];
2508 size_t readbytes, written;
2509
710756a9
RS		 2510 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2511 &serverssl, &sess, idx)))
5f982038
MC		 2512 goto end;
2513
0efa0ba4 2514 if (testtype == 1 || testtype == 2) {
6b84e6bf
MC		 2515 /* Force an HRR to occur */
2516 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2517 goto end;
02a3ed5a
MC		 2518 } else if (idx == 2) {
2519 /*
2520 * We force early_data rejection by ensuring the PSK identity is
2521 * unrecognised
2522 */
2523 srvid = "Dummy Identity";
6b84e6bf
MC		 2524 } else {
2525 /*
2526 * Deliberately corrupt the creation time. We take 20 seconds off the
2527 * time. It could be any value as long as it is not within tolerance.
2528 * This should mean the ticket is rejected.
2529 */
5d99881e 2530 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 2531 goto end;
2532 }
5f982038 2533
0efa0ba4 2534 if (testtype == 3
0d1b7789
MC		 2535 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2536 goto end;
2537
5f982038 2538 /* Write some early data */
710756a9
RS		 2539 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2540 &written))
2541 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 2542 goto end;
5f982038 2543
0d1b7789 2544 /* Server should reject the early data */
710756a9
RS		 2545 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2546 &readbytes),
2547 SSL_READ_EARLY_DATA_FINISH)
2548 || !TEST_size_t_eq(readbytes, 0)
2549 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2550 SSL_EARLY_DATA_REJECTED))
5f982038 2551 goto end;
5f982038 2552
0efa0ba4
MC		 2553 switch (testtype) {
2554 case 0:
2555 /* Nothing to do */
2556 break;
2557
2558 case 1:
6b84e6bf
MC		 2559 /*
2560 * Finish off the handshake. We perform the same writes and reads as
2561 * further down but we expect them to fail due to the incomplete
2562 * handshake.
2563 */
2564 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2565 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2566 &readbytes)))
2567 goto end;
0efa0ba4
MC		 2568 break;
2569
2570 case 2:
2571 {
2572 BIO *wbio = SSL_get_wbio(clientssl);
2573 /* A record that will appear as bad early_data */
2574 const unsigned char bad_early_data[] = {
2575 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2576 };
2577
2578 /*
2579 * We force the client to attempt a write. This will fail because
2580 * we're still in the handshake. It will cause the second
2581 * ClientHello to be sent.
2582 */
2583 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2584 &written)))
2585 goto end;
2586
2587 /*
2588 * Inject some early_data after the second ClientHello. This should
2589 * cause the server to fail
2590 */
2591 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2592 sizeof(bad_early_data), &written)))
2593 goto end;
2594 }
2595 /* fallthrough */
2596
2597 case 3:
0d1b7789 2598 /*
0efa0ba4
MC		 2599 * This client has sent more early_data than we are willing to skip
2600 * (case 3) or sent invalid early_data (case 2) so the connection should
2601 * abort.
0d1b7789
MC		 2602 */
2603 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2604 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2605 goto end;
2606
2607 /* Connection has failed - nothing more to do */
2608 testresult = 1;
2609 goto end;
0efa0ba4
MC		 2610
2611 default:
2612 TEST_error("Invalid test type");
2613 goto end;
6b84e6bf
MC		 2614 }
2615
0d1b7789
MC		 2616 /*
2617 * Should be able to send normal data despite rejection of early data. The
2618 * early_data should be skipped.
2619 */
710756a9
RS		 2620 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2621 || !TEST_size_t_eq(written, strlen(MSG2))
2622 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2623 SSL_EARLY_DATA_REJECTED)
2624 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2625 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2626 goto end;
5f982038
MC		 2627
2628 testresult = 1;
2629
2630 end:
c20e3b28 2631 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2632 SSL_SESSION_free(serverpsk);
2633 clientpsk = serverpsk = NULL;
5f982038
MC		 2634 SSL_SESSION_free(sess);
2635 SSL_free(serverssl);
2636 SSL_free(clientssl);
2637 SSL_CTX_free(sctx);
2638 SSL_CTX_free(cctx);
5f982038
MC		 2639 return testresult;
2640}
2641
6b84e6bf
MC		 2642/*
2643 * Test that a server attempting to read early data can handle a connection
2644 * from a client where the early data is not acceptable.
2645 */
2646static int test_early_data_skip(int idx)
2647{
2648 return early_data_skip_helper(0, idx);
2649}
2650
2651/*
2652 * Test that a server attempting to read early data can handle a connection
2653 * from a client where an HRR occurs.
2654 */
2655static int test_early_data_skip_hrr(int idx)
2656{
2657 return early_data_skip_helper(1, idx);
2658}
2659
0efa0ba4
MC		 2660/*
2661 * Test that a server attempting to read early data can handle a connection
2662 * from a client where an HRR occurs and correctly fails if early_data is sent
2663 * after the HRR
2664 */
2665static int test_early_data_skip_hrr_fail(int idx)
2666{
2667 return early_data_skip_helper(2, idx);
2668}
2669
0d1b7789
MC		 2670/*
2671 * Test that a server attempting to read early data will abort if it tries to
2672 * skip over too much.
2673 */
2674static int test_early_data_skip_abort(int idx)
2675{
0efa0ba4 2676 return early_data_skip_helper(3, idx);
0d1b7789
MC		 2677}
2678
710756a9
RS		 2679/*
2680 * Test that a server attempting to read early data can handle a connection
2681 * from a client that doesn't send any.
2682 */
3cb47b4e 2683static int test_early_data_not_sent(int idx)
5f982038
MC		 2684{
2685 SSL_CTX *cctx = NULL, *sctx = NULL;
2686 SSL *clientssl = NULL, *serverssl = NULL;
2687 int testresult = 0;
018fcbec 2688 SSL_SESSION *sess = NULL;
5f982038
MC		 2689 unsigned char buf[20];
2690 size_t readbytes, written;
2691
710756a9
RS		 2692 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2693 &serverssl, &sess, idx)))
5f982038
MC		 2694 goto end;
2695
2696 /* Write some data - should block due to handshake with server */
2697 SSL_set_connect_state(clientssl);
710756a9 2698 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2699 goto end;
5f982038
MC		 2700
2701 /* Server should detect that early data has not been sent */
710756a9
RS		 2702 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2703 &readbytes),
2704 SSL_READ_EARLY_DATA_FINISH)
2705 || !TEST_size_t_eq(readbytes, 0)
2706 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2707 SSL_EARLY_DATA_NOT_SENT)
2708 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2709 SSL_EARLY_DATA_NOT_SENT))
5f982038 2710 goto end;
5f982038
MC		 2711
2712 /* Continue writing the message we started earlier */
710756a9
RS		 2713 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2714 || !TEST_size_t_eq(written, strlen(MSG1))
2715 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2716 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2717 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2718 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2719 goto end;
5f982038 2720
710756a9
RS		 2721 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2722 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2723 goto end;
5f982038
MC		 2724
2725 testresult = 1;
2726
2727 end:
5f982038 2728 SSL_SESSION_free(sess);
c20e3b28 2729 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2730 SSL_SESSION_free(serverpsk);
2731 clientpsk = serverpsk = NULL;
5f982038
MC		 2732 SSL_free(serverssl);
2733 SSL_free(clientssl);
2734 SSL_CTX_free(sctx);
2735 SSL_CTX_free(cctx);
5f982038
MC		 2736 return testresult;
2737}
2738
976e5323
MC		 2739static int hostname_cb(SSL *s, int *al, void *arg)
2740{
2741 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2742
281bf233 2743 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 2744 return SSL_TLSEXT_ERR_OK;
2745
2746 return SSL_TLSEXT_ERR_NOACK;
2747}
2748
2749static const char *servalpn;
2750
c7558d5b
PY		 2751static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2752 unsigned char *outlen, const unsigned char *in,
2753 unsigned int inlen, void *arg)
976e5323 2754{
c7558d5b 2755 unsigned int protlen = 0;
976e5323
MC		 2756 const unsigned char *prot;
2757
c7558d5b
PY		 2758 for (prot = in; prot < in + inlen; prot += protlen) {
2759 protlen = *prot++;
5d99881e 2760 if (in + inlen < prot + protlen)
976e5323
MC		 2761 return SSL_TLSEXT_ERR_NOACK;
2762
2763 if (protlen == strlen(servalpn)
0bd42fde 2764 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 2765 *out = prot;
2766 *outlen = protlen;
2767 return SSL_TLSEXT_ERR_OK;
2768 }
2769 }
2770
2771 return SSL_TLSEXT_ERR_NOACK;
2772}
2773
57dee9bb 2774/* Test that a PSK can be used to send early_data */
976e5323
MC		 2775static int test_early_data_psk(int idx)
2776{
2777 SSL_CTX *cctx = NULL, *sctx = NULL;
2778 SSL *clientssl = NULL, *serverssl = NULL;
2779 int testresult = 0;
2780 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2781 unsigned char alpnlist[] = {
2782 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2783 'l', 'p', 'n'
2784 };
2785#define GOODALPNLEN 9
2786#define BADALPNLEN 8
2787#define GOODALPN (alpnlist)
2788#define BADALPN (alpnlist + GOODALPNLEN)
2789 int err = 0;
976e5323
MC		 2790 unsigned char buf[20];
2791 size_t readbytes, written;
57dee9bb 2792 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2793 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2794
2795 /* We always set this up with a final parameter of "2" for PSK */
2796 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2797 &serverssl, &sess, 2)))
2798 goto end;
2799
976e5323
MC		 2800 servalpn = "goodalpn";
2801
57dee9bb
MC		 2802 /*
2803 * Note: There is no test for inconsistent SNI with late client detection.
2804 * This is because servers do not acknowledge SNI even if they are using
2805 * it in a resumption handshake - so it is not actually possible for a
2806 * client to detect a problem.
2807 */
976e5323
MC		 2808 switch (idx) {
2809 case 0:
57dee9bb 2810 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2811 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2812 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2813 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2814 goto end;
2815 break;
2816
2817 case 1:
57dee9bb 2818 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 2819 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2820 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 2821 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2822 GOODALPNLEN))
2823 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2824 BADALPNLEN)))
976e5323
MC		 2825 goto end;
2826 break;
2827
2828 case 2:
2829 /*
2830 * Set invalid protocol version. Technically this affects PSKs without
2831 * early_data too, but we test it here because it is similar to the
2832 * SNI/ALPN consistency tests.
2833 */
2834 err = SSL_R_BAD_PSK;
2835 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2836 goto end;
2837 break;
2838
2839 case 3:
2840 /*
2841 * Set inconsistent SNI (server detected). In this case the connection
2842 * will succeed but reject early_data.
2843 */
281bf233
MC		 2844 SSL_SESSION_free(serverpsk);
2845 serverpsk = SSL_SESSION_dup(clientpsk);
2846 if (!TEST_ptr(serverpsk)
2847 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2848 goto end;
976e5323
MC		 2849 edstatus = SSL_EARLY_DATA_REJECTED;
2850 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2851 /* Fall through */
2852 case 4:
2853 /* Set consistent SNI */
976e5323
MC		 2854 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2855 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2856 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2857 hostname_cb)))
2858 goto end;
2859 break;
2860
2861 case 5:
2862 /*
2863 * Set inconsistent ALPN (server detected). In this case the connection
2864 * will succeed but reject early_data.
2865 */
2866 servalpn = "badalpn";
2867 edstatus = SSL_EARLY_DATA_REJECTED;
2868 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2869 /* Fall through */
2870 case 6:
976e5323 2871 /*
57dee9bb 2872 * Set consistent ALPN.
976e5323
MC		 2873 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2874 * accepts a list of protos (each one length prefixed).
2875 * SSL_set1_alpn_selected accepts a single protocol (not length
2876 * prefixed)
2877 */
57dee9bb
MC		 2878 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2879 GOODALPNLEN - 1))
2880 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2881 GOODALPNLEN)))
976e5323
MC		 2882 goto end;
2883
2884 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2885 break;
2886
57dee9bb
MC		 2887 case 7:
2888 /* Set inconsistent ALPN (late client detection) */
2889 SSL_SESSION_free(serverpsk);
2890 serverpsk = SSL_SESSION_dup(clientpsk);
2891 if (!TEST_ptr(serverpsk)
2892 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2893 BADALPN + 1,
2894 BADALPNLEN - 1))
2895 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2896 GOODALPN + 1,
2897 GOODALPNLEN - 1))
2898 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2899 sizeof(alpnlist))))
2900 goto end;
2901 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2902 edstatus = SSL_EARLY_DATA_ACCEPTED;
2903 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2904 /* SSL_connect() call should fail */
2905 connectres = -1;
2906 break;
2907
976e5323
MC		 2908 default:
2909 TEST_error("Bad test index");
2910 goto end;
2911 }
2912
2913 SSL_set_connect_state(clientssl);
2914 if (err != 0) {
2915 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2916 &written))
2917 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2918 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2919 goto end;
2920 } else {
2921 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 2922 &written)))
2923 goto end;
2924
2925 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2926 &readbytes), readearlyres)
976e5323
MC		 2927 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2928 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 2929 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2930 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 2931 goto end;
2932 }
2933
2934 testresult = 1;
2935
2936 end:
c20e3b28 2937 SSL_SESSION_free(sess);
57dee9bb
MC		 2938 SSL_SESSION_free(clientpsk);
2939 SSL_SESSION_free(serverpsk);
2940 clientpsk = serverpsk = NULL;
976e5323
MC		 2941 SSL_free(serverssl);
2942 SSL_free(clientssl);
2943 SSL_CTX_free(sctx);
2944 SSL_CTX_free(cctx);
2945 return testresult;
2946}
2947
710756a9
RS		 2948/*
2949 * Test that a server that doesn't try to read early data can handle a
2950 * client sending some.
2951 */
3cb47b4e 2952static int test_early_data_not_expected(int idx)
5f982038
MC		 2953{
2954 SSL_CTX *cctx = NULL, *sctx = NULL;
2955 SSL *clientssl = NULL, *serverssl = NULL;
2956 int testresult = 0;
018fcbec 2957 SSL_SESSION *sess = NULL;
5f982038
MC		 2958 unsigned char buf[20];
2959 size_t readbytes, written;
2960
710756a9
RS		 2961 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2962 &serverssl, &sess, idx)))
5f982038
MC		 2963 goto end;
2964
2965 /* Write some early data */
710756a9
RS		 2966 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2967 &written)))
5f982038 2968 goto end;
5f982038
MC		 2969
2970 /*
2971 * Server should skip over early data and then block waiting for client to
2972 * continue handshake
2973 */
710756a9
RS		 2974 if (!TEST_int_le(SSL_accept(serverssl), 0)
2975 || !TEST_int_gt(SSL_connect(clientssl), 0)
2976 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2977 SSL_EARLY_DATA_REJECTED)
2978 || !TEST_int_gt(SSL_accept(serverssl), 0)
2979 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2980 SSL_EARLY_DATA_REJECTED))
5f982038 2981 goto end;
5f982038
MC		 2982
2983 /* Send some normal data from client to server */
710756a9
RS		 2984 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2985 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2986 goto end;
5f982038 2987
710756a9
RS		 2988 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2989 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2990 goto end;
5f982038
MC		 2991
2992 testresult = 1;
2993
2994 end:
5f982038 2995 SSL_SESSION_free(sess);
c20e3b28 2996 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2997 SSL_SESSION_free(serverpsk);
2998 clientpsk = serverpsk = NULL;
5f982038
MC		 2999 SSL_free(serverssl);
3000 SSL_free(clientssl);
3001 SSL_CTX_free(sctx);
3002 SSL_CTX_free(cctx);
5f982038
MC		 3003 return testresult;
3004}
3005
3006
3007# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 3008/*
3009 * Test that a server attempting to read early data can handle a connection
3010 * from a TLSv1.2 client.
3011 */
3cb47b4e 3012static int test_early_data_tls1_2(int idx)
5f982038
MC		 3013{
3014 SSL_CTX *cctx = NULL, *sctx = NULL;
3015 SSL *clientssl = NULL, *serverssl = NULL;
3016 int testresult = 0;
3017 unsigned char buf[20];
3018 size_t readbytes, written;
3019
02a3ed5a
MC		 3020 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3021 &serverssl, NULL, idx)))
5f982038 3022 goto end;
5f982038
MC		 3023
3024 /* Write some data - should block due to handshake with server */
3025 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3026 SSL_set_connect_state(clientssl);
710756a9 3027 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3028 goto end;
5f982038
MC		 3029
3030 /*
3031 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 3032 * messages from client after ServerDone. Then SSL_read_early_data should
3033 * finish and detect that early data has not been sent
5f982038 3034 */
710756a9
RS		 3035 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3036 &readbytes),
3037 SSL_READ_EARLY_DATA_ERROR))
5f982038 3038 goto end;
5f982038
MC		 3039
3040 /*
3041 * Continue writing the message we started earlier. Will still block waiting
3042 * for the CCS/Finished from server
3043 */
710756a9
RS		 3044 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3045 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3046 &readbytes),
3047 SSL_READ_EARLY_DATA_FINISH)
3048 || !TEST_size_t_eq(readbytes, 0)
3049 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3050 SSL_EARLY_DATA_NOT_SENT))
5f982038 3051 goto end;
5f982038
MC		 3052
3053 /* Continue writing the message we started earlier */
710756a9
RS		 3054 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3055 || !TEST_size_t_eq(written, strlen(MSG1))
3056 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3057 SSL_EARLY_DATA_NOT_SENT)
3058 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3059 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3060 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3061 || !TEST_size_t_eq(written, strlen(MSG2))
3062 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3063 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3064 goto end;
5f982038
MC		 3065
3066 testresult = 1;
3067
3068 end:
57dee9bb
MC		 3069 SSL_SESSION_free(clientpsk);
3070 SSL_SESSION_free(serverpsk);
3071 clientpsk = serverpsk = NULL;
5f982038
MC		 3072 SSL_free(serverssl);
3073 SSL_free(clientssl);
3074 SSL_CTX_free(sctx);
3075 SSL_CTX_free(cctx);
3076
3077 return testresult;
3078}
ca0413ae
MC		 3079# endif /* OPENSSL_NO_TLS1_2 */
3080
034cb87b
MC		 3081/*
3082 * Test configuring the TLSv1.3 ciphersuites
3083 *
3084 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3085 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3086 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3087 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3088 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3089 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3090 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3091 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3092 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3093 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3094 */
3095static int test_set_ciphersuite(int idx)
3096{
3097 SSL_CTX *cctx = NULL, *sctx = NULL;
3098 SSL *clientssl = NULL, *serverssl = NULL;
3099 int testresult = 0;
3100
3101 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3102 TLS1_VERSION, TLS_MAX_VERSION,
3103 &sctx, &cctx, cert, privkey))
3104 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3105 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3106 goto end;
3107
3108 if (idx >=4 && idx <= 7) {
3109 /* SSL_CTX explicit cipher list */
3110 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3111 goto end;
3112 }
3113
3114 if (idx == 0 || idx == 4) {
3115 /* Default ciphersuite */
3116 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3117 "TLS_AES_128_GCM_SHA256")))
3118 goto end;
3119 } else if (idx == 1 || idx == 5) {
3120 /* Non default ciphersuite */
3121 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3122 "TLS_AES_128_CCM_SHA256")))
3123 goto end;
3124 }
3125
3126 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3127 &clientssl, NULL, NULL)))
3128 goto end;
3129
3130 if (idx == 8 || idx == 9) {
3131 /* SSL explicit cipher list */
3132 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3133 goto end;
3134 }
3135
3136 if (idx == 2 || idx == 6 || idx == 8) {
3137 /* Default ciphersuite */
3138 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3139 "TLS_AES_128_GCM_SHA256")))
3140 goto end;
3141 } else if (idx == 3 || idx == 7 || idx == 9) {
3142 /* Non default ciphersuite */
3143 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3144 "TLS_AES_128_CCM_SHA256")))
3145 goto end;
3146 }
3147
3148 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3149 goto end;
3150
3151 testresult = 1;
3152
3153 end:
3154 SSL_free(serverssl);
3155 SSL_free(clientssl);
3156 SSL_CTX_free(sctx);
3157 SSL_CTX_free(cctx);
3158
3159 return testresult;
3160}
3161
ca0413ae
MC		 3162static int test_ciphersuite_change(void)
3163{
3164 SSL_CTX *cctx = NULL, *sctx = NULL;
3165 SSL *clientssl = NULL, *serverssl = NULL;
3166 SSL_SESSION *clntsess = NULL;
3167 int testresult = 0;
3168 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3169
3170 /* Create a session based on SHA-256 */
7d7f6834
RL		 3171 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3172 TLS1_VERSION, TLS_MAX_VERSION,
3173 &sctx, &cctx, cert, privkey))
f865b081
MC		 3174 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3175 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 3176 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3177 &clientssl, NULL, NULL))
3178 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3179 SSL_ERROR_NONE)))
3180 goto end;
3181
3182 clntsess = SSL_get1_session(clientssl);
3183 /* Save for later */
3184 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3185 SSL_shutdown(clientssl);
3186 SSL_shutdown(serverssl);
3187 SSL_free(serverssl);
3188 SSL_free(clientssl);
3189 serverssl = clientssl = NULL;
3190
71cff963 3191# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 3192 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 3193 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3194 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 3195 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3196 NULL, NULL))
3197 || !TEST_true(SSL_set_session(clientssl, clntsess))
3198 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3199 SSL_ERROR_NONE))
3200 || !TEST_true(SSL_session_reused(clientssl)))
3201 goto end;
3202
3203 SSL_SESSION_free(clntsess);
3204 clntsess = SSL_get1_session(clientssl);
3205 SSL_shutdown(clientssl);
3206 SSL_shutdown(serverssl);
3207 SSL_free(serverssl);
3208 SSL_free(clientssl);
3209 serverssl = clientssl = NULL;
71cff963 3210# endif
ca0413ae
MC		 3211
3212 /*
3213 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 3214 * succeeds but does not resume.
ca0413ae 3215 */
f865b081 3216 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3217 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3218 NULL, NULL))
3219 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 3220 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 3221 SSL_ERROR_SSL))
0de6d66d 3222 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 3223 goto end;
3224
3225 SSL_SESSION_free(clntsess);
3226 clntsess = NULL;
3227 SSL_shutdown(clientssl);
3228 SSL_shutdown(serverssl);
3229 SSL_free(serverssl);
3230 SSL_free(clientssl);
3231 serverssl = clientssl = NULL;
3232
3233 /* Create a session based on SHA384 */
f865b081 3234 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3235 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3236 &clientssl, NULL, NULL))
3237 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3238 SSL_ERROR_NONE)))
3239 goto end;
3240
3241 clntsess = SSL_get1_session(clientssl);
3242 SSL_shutdown(clientssl);
3243 SSL_shutdown(serverssl);
3244 SSL_free(serverssl);
3245 SSL_free(clientssl);
3246 serverssl = clientssl = NULL;
3247
f865b081
MC		 3248 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3249 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3250 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3251 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3252 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3253 NULL, NULL))
3254 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 3255 /*
3256 * We use SSL_ERROR_WANT_READ below so that we can pause the
3257 * connection after the initial ClientHello has been sent to
3258 * enable us to make some session changes.
3259 */
ca0413ae
MC		 3260 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3261 SSL_ERROR_WANT_READ)))
3262 goto end;
3263
3264 /* Trick the client into thinking this session is for a different digest */
3265 clntsess->cipher = aes_128_gcm_sha256;
3266 clntsess->cipher_id = clntsess->cipher->id;
3267
3268 /*
3b0e88d3
MC		 3269 * Continue the previously started connection. Server has selected a SHA-384
3270 * ciphersuite, but client thinks the session is for SHA-256, so it should
3271 * bail out.
ca0413ae
MC		 3272 */
3273 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3274 SSL_ERROR_SSL))
3275 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3276 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3277 goto end;
3278
3279 testresult = 1;
3280
3281 end:
3282 SSL_SESSION_free(clntsess);
3283 SSL_free(serverssl);
3284 SSL_free(clientssl);
3285 SSL_CTX_free(sctx);
3286 SSL_CTX_free(cctx);
3287
3288 return testresult;
3289}
3290
0d8da779
MC		 3291/*
3292 * Test TLSv1.3 PSKs
3293 * Test 0 = Test new style callbacks
3294 * Test 1 = Test both new and old style callbacks
3295 * Test 2 = Test old style callbacks
3296 * Test 3 = Test old style callbacks with no certificate
3297 */
532f9578 3298static int test_tls13_psk(int idx)
ca8c71ba
MC		 3299{
3300 SSL_CTX *sctx = NULL, *cctx = NULL;
3301 SSL *serverssl = NULL, *clientssl = NULL;
3302 const SSL_CIPHER *cipher = NULL;
3303 const unsigned char key[] = {
3304 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3305 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 3306 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3307 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 3308 };
3309 int testresult = 0;
3310
7d7f6834
RL		 3311 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3312 TLS1_VERSION, TLS_MAX_VERSION,
0d8da779
MC		 3313 &sctx, &cctx, idx == 3 ? NULL : cert,
3314 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 3315 goto end;
3316
0d8da779
MC		 3317 if (idx != 3) {
3318 /*
3319 * We use a ciphersuite with SHA256 to ease testing old style PSK
3320 * callbacks which will always default to SHA256. This should not be
3321 * necessary if we have no cert/priv key. In that case the server should
3322 * prefer SHA256 automatically.
3323 */
3324 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3325 "TLS_AES_128_GCM_SHA256")))
3326 goto end;
3327 }
532f9578
MC		 3328
3329 /*
3330 * Test 0: New style callbacks only
3331 * Test 1: New and old style callbacks (only the new ones should be used)
3332 * Test 2: Old style callbacks only
3333 */
3334 if (idx == 0 || idx == 1) {
3335 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3336 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3337 }
c2b290c3 3338#ifndef OPENSSL_NO_PSK
0d8da779 3339 if (idx >= 1) {
532f9578
MC		 3340 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3341 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3342 }
c2b290c3 3343#endif
ca8c71ba 3344 srvid = pskid;
02a3ed5a
MC		 3345 use_session_cb_cnt = 0;
3346 find_session_cb_cnt = 0;
532f9578
MC		 3347 psk_client_cb_cnt = 0;
3348 psk_server_cb_cnt = 0;
ca8c71ba 3349
0d8da779
MC		 3350 if (idx != 3) {
3351 /*
3352 * Check we can create a connection if callback decides not to send a
3353 * PSK
3354 */
3355 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3356 NULL, NULL))
3357 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3358 SSL_ERROR_NONE))
3359 || !TEST_false(SSL_session_reused(clientssl))
3360 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3361 goto end;
532f9578 3362
0d8da779
MC		 3363 if (idx == 0 || idx == 1) {
3364 if (!TEST_true(use_session_cb_cnt == 1)
3365 || !TEST_true(find_session_cb_cnt == 0)
3366 /*
3367 * If no old style callback then below should be 0
3368 * otherwise 1
3369 */
3370 || !TEST_true(psk_client_cb_cnt == idx)
3371 || !TEST_true(psk_server_cb_cnt == 0))
3372 goto end;
3373 } else {
3374 if (!TEST_true(use_session_cb_cnt == 0)
3375 || !TEST_true(find_session_cb_cnt == 0)
3376 || !TEST_true(psk_client_cb_cnt == 1)
3377 || !TEST_true(psk_server_cb_cnt == 0))
3378 goto end;
3379 }
3380
3381 shutdown_ssl_connection(serverssl, clientssl);
3382 serverssl = clientssl = NULL;
3383 use_session_cb_cnt = psk_client_cb_cnt = 0;
3384 }
ca8c71ba
MC		 3385
3386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3387 NULL, NULL)))
3388 goto end;
3389
3390 /* Create the PSK */
532f9578 3391 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 3392 clientpsk = SSL_SESSION_new();
3393 if (!TEST_ptr(clientpsk)
ca8c71ba 3394 || !TEST_ptr(cipher)
57dee9bb
MC		 3395 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3396 sizeof(key)))
3397 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3398 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3399 TLS1_3_VERSION))
3400 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 3401 goto end;
57dee9bb 3402 serverpsk = clientpsk;
ca8c71ba
MC		 3403
3404 /* Check we can create a connection and the PSK is used */
3405 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3406 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3407 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3408 goto end;
3409
532f9578
MC		 3410 if (idx == 0 || idx == 1) {
3411 if (!TEST_true(use_session_cb_cnt == 1)
3412 || !TEST_true(find_session_cb_cnt == 1)
3413 || !TEST_true(psk_client_cb_cnt == 0)
3414 || !TEST_true(psk_server_cb_cnt == 0))
3415 goto end;
3416 } else {
3417 if (!TEST_true(use_session_cb_cnt == 0)
3418 || !TEST_true(find_session_cb_cnt == 0)
3419 || !TEST_true(psk_client_cb_cnt == 1)
3420 || !TEST_true(psk_server_cb_cnt == 1))
3421 goto end;
3422 }
3423
ca8c71ba
MC		 3424 shutdown_ssl_connection(serverssl, clientssl);
3425 serverssl = clientssl = NULL;
3426 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3427 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 3428
3429 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3430 NULL, NULL)))
3431 goto end;
3432
3433 /* Force an HRR */
3434 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3435 goto end;
3436
3437 /*
3438 * Check we can create a connection, the PSK is used and the callbacks are
3439 * called twice.
3440 */
3441 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3442 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3443 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3444 goto end;
3445
532f9578
MC		 3446 if (idx == 0 || idx == 1) {
3447 if (!TEST_true(use_session_cb_cnt == 2)
3448 || !TEST_true(find_session_cb_cnt == 2)
3449 || !TEST_true(psk_client_cb_cnt == 0)
3450 || !TEST_true(psk_server_cb_cnt == 0))
3451 goto end;
3452 } else {
3453 if (!TEST_true(use_session_cb_cnt == 0)
3454 || !TEST_true(find_session_cb_cnt == 0)
3455 || !TEST_true(psk_client_cb_cnt == 2)
3456 || !TEST_true(psk_server_cb_cnt == 2))
3457 goto end;
3458 }
3459
ca8c71ba
MC		 3460 shutdown_ssl_connection(serverssl, clientssl);
3461 serverssl = clientssl = NULL;
3462 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3463 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 3464
0d8da779
MC		 3465 if (idx != 3) {
3466 /*
3467 * Check that if the server rejects the PSK we can still connect, but with
3468 * a full handshake
3469 */
3470 srvid = "Dummy Identity";
3471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3472 NULL, NULL))
3473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3474 SSL_ERROR_NONE))
3475 || !TEST_false(SSL_session_reused(clientssl))
3476 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3477 goto end;
532f9578 3478
0d8da779
MC		 3479 if (idx == 0 || idx == 1) {
3480 if (!TEST_true(use_session_cb_cnt == 1)
3481 || !TEST_true(find_session_cb_cnt == 1)
3482 || !TEST_true(psk_client_cb_cnt == 0)
3483 /*
3484 * If no old style callback then below should be 0
3485 * otherwise 1
3486 */
3487 || !TEST_true(psk_server_cb_cnt == idx))
3488 goto end;
3489 } else {
3490 if (!TEST_true(use_session_cb_cnt == 0)
3491 || !TEST_true(find_session_cb_cnt == 0)
3492 || !TEST_true(psk_client_cb_cnt == 1)
3493 || !TEST_true(psk_server_cb_cnt == 1))
3494 goto end;
3495 }
3496
3497 shutdown_ssl_connection(serverssl, clientssl);
3498 serverssl = clientssl = NULL;
3499 }
ca8c71ba
MC		 3500 testresult = 1;
3501
3502 end:
57dee9bb
MC		 3503 SSL_SESSION_free(clientpsk);
3504 SSL_SESSION_free(serverpsk);
3505 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 3506 SSL_free(serverssl);
3507 SSL_free(clientssl);
3508 SSL_CTX_free(sctx);
3509 SSL_CTX_free(cctx);
3510 return testresult;
3511}
3512
c7b8ff25
MC		 3513static unsigned char cookie_magic_value[] = "cookie magic";
3514
3515static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3516 unsigned int *cookie_len)
3517{
3518 /*
3519 * Not suitable as a real cookie generation function but good enough for
3520 * testing!
3521 */
97ea1e7f
MC		 3522 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3523 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 3524
3525 return 1;
3526}
3527
3528static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3529 unsigned int cookie_len)
3530{
97ea1e7f 3531 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 3532 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3533 return 1;
3534
3535 return 0;
3536}
3537
3fa2812f
BS		 3538static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3539 size_t *cookie_len)
3540{
3541 unsigned int temp;
3542 int res = generate_cookie_callback(ssl, cookie, &temp);
3543 *cookie_len = temp;
3544 return res;
3545}
3546
3547static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3548 size_t cookie_len)
3549{
3550 return verify_cookie_callback(ssl, cookie, cookie_len);
3551}
3552
c7b8ff25
MC		 3553static int test_stateless(void)
3554{
3555 SSL_CTX *sctx = NULL, *cctx = NULL;
3556 SSL *serverssl = NULL, *clientssl = NULL;
3557 int testresult = 0;
3558
7d7f6834
RL		 3559 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3560 TLS1_VERSION, TLS_MAX_VERSION,
3561 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 3562 goto end;
3563
e440f513
MC		 3564 /* The arrival of CCS messages can confuse the test */
3565 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3566
3567 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3568 NULL, NULL))
3569 /* Send the first ClientHello */
3570 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3571 SSL_ERROR_WANT_READ))
3572 /*
3573 * This should fail with a -1 return because we have no callbacks
3574 * set up
3575 */
3576 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3577 goto end;
3578
3579 /* Fatal error so abandon the connection from this client */
3580 SSL_free(clientssl);
3581 clientssl = NULL;
3582
c7b8ff25 3583 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 3584 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3585 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 3586
e440f513
MC		 3587 /*
3588 * Create a new connection from the client (we can reuse the server SSL
3589 * object).
3590 */
c7b8ff25
MC		 3591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3592 NULL, NULL))
3593 /* Send the first ClientHello */
3594 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3595 SSL_ERROR_WANT_READ))
3596 /* This should fail because there is no cookie */
e440f513 3597 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 3598 goto end;
3599
3600 /* Abandon the connection from this client */
3601 SSL_free(clientssl);
3602 clientssl = NULL;
3603
3604 /*
3605 * Now create a connection from a new client but with the same server SSL
3606 * object
3607 */
3608 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3609 NULL, NULL))
3610 /* Send the first ClientHello */
3611 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3612 SSL_ERROR_WANT_READ))
3613 /* This should fail because there is no cookie */
e440f513 3614 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 3615 /* Send the second ClientHello */
3616 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3617 SSL_ERROR_WANT_READ))
3618 /* This should succeed because a cookie is now present */
e440f513 3619 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 3620 /* Complete the connection */
3621 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3622 SSL_ERROR_NONE)))
3623 goto end;
3624
3625 shutdown_ssl_connection(serverssl, clientssl);
3626 serverssl = clientssl = NULL;
3627 testresult = 1;
3628
3629 end:
3630 SSL_free(serverssl);
3631 SSL_free(clientssl);
3632 SSL_CTX_free(sctx);
3633 SSL_CTX_free(cctx);
3634 return testresult;
3635
3636}
ca0413ae 3637#endif /* OPENSSL_NO_TLS1_3 */
5f982038 3638
a37008d9
MC		 3639static int clntaddoldcb = 0;
3640static int clntparseoldcb = 0;
3641static int srvaddoldcb = 0;
3642static int srvparseoldcb = 0;
3643static int clntaddnewcb = 0;
3644static int clntparsenewcb = 0;
3645static int srvaddnewcb = 0;
3646static int srvparsenewcb = 0;
bb01ef3f 3647static int snicb = 0;
a37008d9
MC		 3648
3649#define TEST_EXT_TYPE1 0xff00
3650
3651static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3652 size_t *outlen, int *al, void *add_arg)
3653{
3654 int *server = (int *)add_arg;
3655 unsigned char *data;
3656
3657 if (SSL_is_server(s))
3658 srvaddoldcb++;
3659 else
3660 clntaddoldcb++;
3661
710756a9
RS		 3662 if (*server != SSL_is_server(s)
3663 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3664 return -1;
3665
3666 *data = 1;
3667 *out = data;
3668 *outlen = sizeof(char);
a37008d9
MC		 3669 return 1;
3670}
3671
3672static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3673 void *add_arg)
3674{
3675 OPENSSL_free((unsigned char *)out);
3676}
3677
3678static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3679 size_t inlen, int *al, void *parse_arg)
3680{
3681 int *server = (int *)parse_arg;
3682
3683 if (SSL_is_server(s))
3684 srvparseoldcb++;
3685 else
3686 clntparseoldcb++;
3687
710756a9
RS		 3688 if (*server != SSL_is_server(s)
3689 || inlen != sizeof(char)
3690 || *in != 1)
a37008d9
MC		 3691 return -1;
3692
3693 return 1;
3694}
3695
3696static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3697 const unsigned char **out, size_t *outlen, X509 *x,
3698 size_t chainidx, int *al, void *add_arg)
3699{
3700 int *server = (int *)add_arg;
3701 unsigned char *data;
3702
3703 if (SSL_is_server(s))
3704 srvaddnewcb++;
3705 else
3706 clntaddnewcb++;
3707
710756a9
RS		 3708 if (*server != SSL_is_server(s)
3709 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3710 return -1;
3711
3712 *data = 1;
3713 *out = data;
710756a9 3714 *outlen = sizeof(*data);
a37008d9
MC		 3715 return 1;
3716}
3717
3718static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3719 const unsigned char *out, void *add_arg)
3720{
3721 OPENSSL_free((unsigned char *)out);
3722}
3723
3724static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3725 const unsigned char *in, size_t inlen, X509 *x,
3726 size_t chainidx, int *al, void *parse_arg)
3727{
3728 int *server = (int *)parse_arg;
3729
3730 if (SSL_is_server(s))
3731 srvparsenewcb++;
3732 else
3733 clntparsenewcb++;
3734
710756a9
RS		 3735 if (*server != SSL_is_server(s)
3736 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 3737 return -1;
3738
3739 return 1;
3740}
bb01ef3f
MC		 3741
3742static int sni_cb(SSL *s, int *al, void *arg)
3743{
3744 SSL_CTX *ctx = (SSL_CTX *)arg;
3745
3746 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3747 *al = SSL_AD_INTERNAL_ERROR;
3748 return SSL_TLSEXT_ERR_ALERT_FATAL;
3749 }
3750 snicb++;
3751 return SSL_TLSEXT_ERR_OK;
3752}
3753
a37008d9
MC		 3754/*
3755 * Custom call back tests.
3756 * Test 0: Old style callbacks in TLSv1.2
3757 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 3758 * Test 2: New style callbacks in TLSv1.2 with SNI
3759 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3760 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 3761 */
710756a9
RS		 3762static int test_custom_exts(int tst)
3763{
bb01ef3f 3764 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 3765 SSL *clientssl = NULL, *serverssl = NULL;
3766 int testresult = 0;
3767 static int server = 1;
3768 static int client = 0;
3769 SSL_SESSION *sess = NULL;
3770 unsigned int context;
3771
c423ecaa
MC		 3772#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3773 /* Skip tests for TLSv1.2 and below in this case */
3774 if (tst < 3)
3775 return 1;
3776#endif
3777
a37008d9
MC		 3778 /* Reset callback counters */
3779 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3780 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 3781 snicb = 0;
a37008d9 3782
7d7f6834
RL		 3783 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3784 TLS1_VERSION, TLS_MAX_VERSION,
3785 &sctx, &cctx, cert, privkey)))
710756a9 3786 goto end;
a37008d9 3787
bb01ef3f 3788 if (tst == 2
7d7f6834
RL		 3789 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3790 TLS1_VERSION, TLS_MAX_VERSION,
3791 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 3792 goto end;
3793
3794
3795 if (tst < 3) {
a37008d9
MC		 3796 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3797 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 3798 if (sctx2 != NULL)
3799 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 3800 }
3801
bb01ef3f 3802 if (tst == 4) {
710756a9
RS		 3803 context = SSL_EXT_CLIENT_HELLO
3804 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3805 | SSL_EXT_TLS1_3_SERVER_HELLO
3806 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3807 | SSL_EXT_TLS1_3_CERTIFICATE
3808 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3809 } else {
710756a9
RS		 3810 context = SSL_EXT_CLIENT_HELLO
3811 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3812 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3813 }
3814
3815 /* Create a client side custom extension */
3816 if (tst == 0) {
710756a9
RS		 3817 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3818 old_add_cb, old_free_cb,
3819 &client, old_parse_cb,
3820 &client)))
3821 goto end;
a37008d9 3822 } else {
710756a9
RS		 3823 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3824 new_add_cb, new_free_cb,
3825 &client, new_parse_cb, &client)))
3826 goto end;
a37008d9
MC		 3827 }
3828
3829 /* Should not be able to add duplicates */
710756a9
RS		 3830 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3831 old_add_cb, old_free_cb,
3832 &client, old_parse_cb,
3833 &client))
3834 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3835 context, new_add_cb,
3836 new_free_cb, &client,
3837 new_parse_cb, &client)))
3838 goto end;
a37008d9
MC		 3839
3840 /* Create a server side custom extension */
3841 if (tst == 0) {
710756a9
RS		 3842 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3843 old_add_cb, old_free_cb,
3844 &server, old_parse_cb,
3845 &server)))
3846 goto end;
a37008d9 3847 } else {
710756a9
RS		 3848 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3849 new_add_cb, new_free_cb,
3850 &server, new_parse_cb, &server)))
3851 goto end;
bb01ef3f
MC		 3852 if (sctx2 != NULL
3853 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3854 context, new_add_cb,
3855 new_free_cb, &server,
3856 new_parse_cb, &server)))
3857 goto end;
a37008d9
MC		 3858 }
3859
3860 /* Should not be able to add duplicates */
710756a9
RS		 3861 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3862 old_add_cb, old_free_cb,
3863 &server, old_parse_cb,
3864 &server))
3865 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3866 context, new_add_cb,
3867 new_free_cb, &server,
3868 new_parse_cb, &server)))
a37008d9 3869 goto end;
a37008d9 3870
bb01ef3f
MC		 3871 if (tst == 2) {
3872 /* Set up SNI */
3873 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3874 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3875 goto end;
3876 }
3877
710756a9
RS		 3878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3879 &clientssl, NULL, NULL))
3880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3881 SSL_ERROR_NONE)))
a37008d9 3882 goto end;
a37008d9
MC		 3883
3884 if (tst == 0) {
710756a9
RS		 3885 if (clntaddoldcb != 1
3886 || clntparseoldcb != 1
3887 || srvaddoldcb != 1
3888 || srvparseoldcb != 1)
a37008d9 3889 goto end;
bb01ef3f 3890 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3891 if (clntaddnewcb != 1
3892 || clntparsenewcb != 1
3893 || srvaddnewcb != 1
bb01ef3f
MC		 3894 || srvparsenewcb != 1
3895 || (tst != 2 && snicb != 0)
3896 || (tst == 2 && snicb != 1))
a37008d9 3897 goto end;
a37008d9 3898 } else {
36ff232c 3899 /* In this case there 2 NewSessionTicket messages created */
710756a9 3900 if (clntaddnewcb != 1
36ff232c
MC		 3901 || clntparsenewcb != 5
3902 || srvaddnewcb != 5
710756a9 3903 || srvparsenewcb != 1)
a37008d9 3904 goto end;
a37008d9
MC		 3905 }
3906
3907 sess = SSL_get1_session(clientssl);
a37008d9
MC		 3908 SSL_shutdown(clientssl);
3909 SSL_shutdown(serverssl);
a37008d9
MC		 3910 SSL_free(serverssl);
3911 SSL_free(clientssl);
3912 serverssl = clientssl = NULL;
3913
bb01ef3f
MC		 3914 if (tst == 3) {
3915 /* We don't bother with the resumption aspects for this test */
3916 testresult = 1;
3917 goto end;
3918 }
3919
710756a9
RS		 3920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3921 NULL, NULL))
3922 || !TEST_true(SSL_set_session(clientssl, sess))
3923 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3924 SSL_ERROR_NONE)))
a37008d9 3925 goto end;
a37008d9
MC		 3926
3927 /*
3928 * For a resumed session we expect to add the ClientHello extension. For the
3929 * old style callbacks we ignore it on the server side because they set
3930 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3931 * them.
3932 */
3933 if (tst == 0) {
710756a9
RS		 3934 if (clntaddoldcb != 2
3935 || clntparseoldcb != 1
3936 || srvaddoldcb != 1
3937 || srvparseoldcb != 1)
a37008d9 3938 goto end;
bb01ef3f 3939 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3940 if (clntaddnewcb != 2
3941 || clntparsenewcb != 2
3942 || srvaddnewcb != 2
3943 || srvparsenewcb != 2)
a37008d9 3944 goto end;
a37008d9 3945 } else {
36ff232c
MC		 3946 /*
3947 * No Certificate message extensions in the resumption handshake,
3948 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3949 */
710756a9 3950 if (clntaddnewcb != 2
36ff232c
MC		 3951 || clntparsenewcb != 8
3952 || srvaddnewcb != 8
710756a9 3953 || srvparsenewcb != 2)
a37008d9 3954 goto end;
a37008d9
MC		 3955 }
3956
3957 testresult = 1;
3958
3959end:
3960 SSL_SESSION_free(sess);
3961 SSL_free(serverssl);
3962 SSL_free(clientssl);
bb01ef3f 3963 SSL_CTX_free(sctx2);
a37008d9
MC		 3964 SSL_CTX_free(sctx);
3965 SSL_CTX_free(cctx);
a37008d9
MC		 3966 return testresult;
3967}
3968
16afd71c
MC		 3969/*
3970 * Test loading of serverinfo data in various formats. test_sslmessages actually
3971 * tests to make sure the extensions appear in the handshake
3972 */
3973static int test_serverinfo(int tst)
3974{
3975 unsigned int version;
3976 unsigned char *sibuf;
3977 size_t sibuflen;
3978 int ret, expected, testresult = 0;
3979 SSL_CTX *ctx;
3980
3981 ctx = SSL_CTX_new(TLS_method());
3982 if (!TEST_ptr(ctx))
3983 goto end;
3984
3985 if ((tst & 0x01) == 0x01)
3986 version = SSL_SERVERINFOV2;
3987 else
3988 version = SSL_SERVERINFOV1;
3989
3990 if ((tst & 0x02) == 0x02) {
3991 sibuf = serverinfov2;
3992 sibuflen = sizeof(serverinfov2);
3993 expected = (version == SSL_SERVERINFOV2);
3994 } else {
3995 sibuf = serverinfov1;
3996 sibuflen = sizeof(serverinfov1);
3997 expected = (version == SSL_SERVERINFOV1);
3998 }
3999
4000 if ((tst & 0x04) == 0x04) {
4001 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4002 } else {
4003 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4004
4005 /*
4006 * The version variable is irrelevant in this case - it's what is in the
4007 * buffer that matters
4008 */
4009 if ((tst & 0x02) == 0x02)
4010 expected = 0;
4011 else
4012 expected = 1;
4013 }
4014
4015 if (!TEST_true(ret == expected))
4016 goto end;
4017
4018 testresult = 1;
4019
4020 end:
4021 SSL_CTX_free(ctx);
4022
4023 return testresult;
4024}
4025
2197d1df
MC		 4026/*
4027 * Test that SSL_export_keying_material() produces expected results. There are
4028 * no test vectors so all we do is test that both sides of the communication
4029 * produce the same results for different protocol versions.
4030 */
4031static int test_export_key_mat(int tst)
4032{
a599574b 4033 int testresult = 0;
2197d1df
MC		 4034 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4035 SSL *clientssl = NULL, *serverssl = NULL;
4036 const char label[] = "test label";
4037 const unsigned char context[] = "context";
4038 const unsigned char *emptycontext = NULL;
4039 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4040 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
a599574b
MC		 4041 const int protocols[] = {
4042 TLS1_VERSION,
4043 TLS1_1_VERSION,
4044 TLS1_2_VERSION,
4045 TLS1_3_VERSION
4046 };
2197d1df
MC		 4047
4048#ifdef OPENSSL_NO_TLS1
4049 if (tst == 0)
4050 return 1;
4051#endif
4052#ifdef OPENSSL_NO_TLS1_1
4053 if (tst == 1)
4054 return 1;
4055#endif
4056#ifdef OPENSSL_NO_TLS1_2
4057 if (tst == 2)
4058 return 1;
4059#endif
4060#ifdef OPENSSL_NO_TLS1_3
4061 if (tst == 3)
4062 return 1;
4063#endif
7d7f6834
RL		 4064 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4065 TLS1_VERSION, TLS_MAX_VERSION,
4066 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 4067 goto end;
4068
a599574b
MC		 4069 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4070 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4071 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 4072
4073 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4074 NULL))
4075 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4076 SSL_ERROR_NONE)))
4077 goto end;
4078
4079 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4080 sizeof(ckeymat1), label,
4081 sizeof(label) - 1, context,
4082 sizeof(context) - 1, 1), 1)
4083 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4084 sizeof(ckeymat2), label,
4085 sizeof(label) - 1,
4086 emptycontext,
4087 0, 1), 1)
4088 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4089 sizeof(ckeymat3), label,
4090 sizeof(label) - 1,
4091 NULL, 0, 0), 1)
4092 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4093 sizeof(skeymat1), label,
4094 sizeof(label) - 1,
4095 context,
4096 sizeof(context) -1, 1),
4097 1)
4098 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4099 sizeof(skeymat2), label,
4100 sizeof(label) - 1,
4101 emptycontext,
4102 0, 1), 1)
4103 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4104 sizeof(skeymat3), label,
4105 sizeof(label) - 1,
4106 NULL, 0, 0), 1)
4107 /*
4108 * Check that both sides created the same key material with the
4109 * same context.
4110 */
4111 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4112 sizeof(skeymat1))
4113 /*
4114 * Check that both sides created the same key material with an
4115 * empty context.
4116 */
4117 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4118 sizeof(skeymat2))
4119 /*
4120 * Check that both sides created the same key material without a
4121 * context.
4122 */
4123 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4124 sizeof(skeymat3))
4125 /* Different contexts should produce different results */
4126 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4127 sizeof(ckeymat2)))
4128 goto end;
4129
4130 /*
4131 * Check that an empty context and no context produce different results in
4132 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4133 */
4134 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4135 sizeof(ckeymat3)))
4136 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4137 sizeof(ckeymat3))))
4138 goto end;
4139
4140 testresult = 1;
4141
4142 end:
4143 SSL_free(serverssl);
4144 SSL_free(clientssl);
4145 SSL_CTX_free(sctx2);
4146 SSL_CTX_free(sctx);
4147 SSL_CTX_free(cctx);
4148
4149 return testresult;
4150}
4151
b38ede80
TT		 4152#ifndef OPENSSL_NO_TLS1_3
4153/*
4154 * Test that SSL_export_keying_material_early() produces expected
4155 * results. There are no test vectors so all we do is test that both
4156 * sides of the communication produce the same results for different
4157 * protocol versions.
4158 */
4159static int test_export_key_mat_early(int idx)
4160{
4161 static const char label[] = "test label";
4162 static const unsigned char context[] = "context";
4163 int testresult = 0;
4164 SSL_CTX *cctx = NULL, *sctx = NULL;
4165 SSL *clientssl = NULL, *serverssl = NULL;
4166 SSL_SESSION *sess = NULL;
4167 const unsigned char *emptycontext = NULL;
4168 unsigned char ckeymat1[80], ckeymat2[80];
4169 unsigned char skeymat1[80], skeymat2[80];
4170 unsigned char buf[1];
4171 size_t readbytes, written;
4172
4173 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4174 &sess, idx)))
4175 goto end;
4176
4177 /* Here writing 0 length early data is enough. */
4178 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4179 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4180 &readbytes),
4181 SSL_READ_EARLY_DATA_ERROR)
4182 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4183 SSL_EARLY_DATA_ACCEPTED))
4184 goto end;
4185
4186 if (!TEST_int_eq(SSL_export_keying_material_early(
4187 clientssl, ckeymat1, sizeof(ckeymat1), label,
4188 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4189 || !TEST_int_eq(SSL_export_keying_material_early(
4190 clientssl, ckeymat2, sizeof(ckeymat2), label,
4191 sizeof(label) - 1, emptycontext, 0), 1)
4192 || !TEST_int_eq(SSL_export_keying_material_early(
4193 serverssl, skeymat1, sizeof(skeymat1), label,
4194 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4195 || !TEST_int_eq(SSL_export_keying_material_early(
4196 serverssl, skeymat2, sizeof(skeymat2), label,
4197 sizeof(label) - 1, emptycontext, 0), 1)
4198 /*
4199 * Check that both sides created the same key material with the
4200 * same context.
4201 */
4202 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4203 sizeof(skeymat1))
4204 /*
4205 * Check that both sides created the same key material with an
4206 * empty context.
4207 */
4208 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4209 sizeof(skeymat2))
4210 /* Different contexts should produce different results */
4211 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4212 sizeof(ckeymat2)))
4213 goto end;
4214
4215 testresult = 1;
4216
4217 end:
c20e3b28 4218 SSL_SESSION_free(sess);
b38ede80
TT		 4219 SSL_SESSION_free(clientpsk);
4220 SSL_SESSION_free(serverpsk);
34ff74eb 4221 clientpsk = serverpsk = NULL;
b38ede80
TT		 4222 SSL_free(serverssl);
4223 SSL_free(clientssl);
4224 SSL_CTX_free(sctx);
4225 SSL_CTX_free(cctx);
4226
4227 return testresult;
4228}
4229#endif /* OPENSSL_NO_TLS1_3 */
4230
e11b6aa4
MC		 4231static int test_ssl_clear(int idx)
4232{
4233 SSL_CTX *cctx = NULL, *sctx = NULL;
4234 SSL *clientssl = NULL, *serverssl = NULL;
4235 int testresult = 0;
4236
4237#ifdef OPENSSL_NO_TLS1_2
4238 if (idx == 1)
4239 return 1;
4240#endif
4241
4242 /* Create an initial connection */
7d7f6834
RL		 4243 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4244 TLS1_VERSION, TLS_MAX_VERSION,
4245 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 4246 || (idx == 1
4247 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4248 TLS1_2_VERSION)))
4249 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4250 &clientssl, NULL, NULL))
4251 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4252 SSL_ERROR_NONE)))
4253 goto end;
4254
4255 SSL_shutdown(clientssl);
4256 SSL_shutdown(serverssl);
4257 SSL_free(serverssl);
4258 serverssl = NULL;
4259
4260 /* Clear clientssl - we're going to reuse the object */
4261 if (!TEST_true(SSL_clear(clientssl)))
4262 goto end;
4263
4264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4265 NULL, NULL))
4266 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4267 SSL_ERROR_NONE))
4268 || !TEST_true(SSL_session_reused(clientssl)))
4269 goto end;
4270
4271 SSL_shutdown(clientssl);
4272 SSL_shutdown(serverssl);
4273
4274 testresult = 1;
4275
4276 end:
4277 SSL_free(serverssl);
4278 SSL_free(clientssl);
4279 SSL_CTX_free(sctx);
4280 SSL_CTX_free(cctx);
4281
4282 return testresult;
4283}
4284
cf72c757
F		 4285/* Parse CH and retrieve any MFL extension value if present */
4286static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4287{
4288 long len;
4289 unsigned char *data;
4290 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4291 unsigned int MFL_code = 0, type = 0;
4292
4293 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4294 goto end;
4295
4296 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4297 /* Skip the record header */
4298 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4299 /* Skip the handshake message header */
4300 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4301 /* Skip client version and random */
4302 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4303 + SSL3_RANDOM_SIZE))
4304 /* Skip session id */
4305 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4306 /* Skip ciphers */
4307 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4308 /* Skip compression */
4309 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4310 /* Extensions len */
4311 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4312 goto end;
4313
4314 /* Loop through all extensions */
4315 while (PACKET_remaining(&pkt2)) {
4316 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4317 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4318 goto end;
4319
4320 if (type == TLSEXT_TYPE_max_fragment_length) {
4321 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4322 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4323 goto end;
4324
4325 *mfl_codemfl_code = MFL_code;
4326 return 1;
4327 }
4328 }
4329
4330 end:
4331 return 0;
4332}
4333
4334/* Maximum-Fragment-Length TLS extension mode to test */
4335static const unsigned char max_fragment_len_test[] = {
4336 TLSEXT_max_fragment_length_512,
4337 TLSEXT_max_fragment_length_1024,
4338 TLSEXT_max_fragment_length_2048,
4339 TLSEXT_max_fragment_length_4096
4340};
4341
4342static int test_max_fragment_len_ext(int idx_tst)
4343{
4344 SSL_CTX *ctx;
4345 SSL *con = NULL;
4346 int testresult = 0, MFL_mode = 0;
4347 BIO *rbio, *wbio;
4348
4349 ctx = SSL_CTX_new(TLS_method());
4350 if (!TEST_ptr(ctx))
4351 goto end;
4352
4353 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4354 ctx, max_fragment_len_test[idx_tst])))
4355 goto end;
4356
4357 con = SSL_new(ctx);
4358 if (!TEST_ptr(con))
4359 goto end;
4360
4361 rbio = BIO_new(BIO_s_mem());
4362 wbio = BIO_new(BIO_s_mem());
4363 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4364 BIO_free(rbio);
4365 BIO_free(wbio);
4366 goto end;
4367 }
4368
4369 SSL_set_bio(con, rbio, wbio);
4370 SSL_set_connect_state(con);
4371
4372 if (!TEST_int_le(SSL_connect(con), 0)) {
4373 /* This shouldn't succeed because we don't have a server! */
4374 goto end;
4375 }
4376
4377 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4378 /* no MFL in client hello */
4379 goto end;
4380 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4381 goto end;
4382
4383 testresult = 1;
4384
4385end:
4386 SSL_free(con);
4387 SSL_CTX_free(ctx);
4388
4389 return testresult;
4390}
4391
9d75dce3
TS		 4392#ifndef OPENSSL_NO_TLS1_3
4393static int test_pha_key_update(void)
4394{
4395 SSL_CTX *cctx = NULL, *sctx = NULL;
4396 SSL *clientssl = NULL, *serverssl = NULL;
4397 int testresult = 0;
4398
7d7f6834
RL		 4399 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4400 TLS1_VERSION, TLS_MAX_VERSION,
9d75dce3
TS		 4401 &sctx, &cctx, cert, privkey)))
4402 return 0;
4403
4404 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4405 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4406 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4407 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4408 goto end;
4409
e97be718 4410 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 4411
4412 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4413 NULL, NULL)))
4414 goto end;
4415
9d75dce3
TS		 4416 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4417 SSL_ERROR_NONE)))
4418 goto end;
4419
4420 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4421 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4422 goto end;
4423
4424 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4425 goto end;
4426
4427 /* Start handshake on the server */
4428 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4429 goto end;
4430
4431 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4432 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4433 SSL_ERROR_NONE)))
4434 goto end;
4435
4436 SSL_shutdown(clientssl);
4437 SSL_shutdown(serverssl);
4438
4439 testresult = 1;
4440
4441 end:
4442 SSL_free(serverssl);
4443 SSL_free(clientssl);
4444 SSL_CTX_free(sctx);
4445 SSL_CTX_free(cctx);
4446 return testresult;
4447}
4448#endif
4449
76fd7a1d
MC		 4450#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4451
4452static SRP_VBASE *vbase = NULL;
4453
4454static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4455{
4456 int ret = SSL3_AL_FATAL;
4457 char *username;
4458 SRP_user_pwd *user = NULL;
4459
4460 username = SSL_get_srp_username(s);
4461 if (username == NULL) {
4462 *ad = SSL_AD_INTERNAL_ERROR;
4463 goto err;
4464 }
4465
4466 user = SRP_VBASE_get1_by_user(vbase, username);
4467 if (user == NULL) {
4468 *ad = SSL_AD_INTERNAL_ERROR;
4469 goto err;
4470 }
4471
4472 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4473 user->info) <= 0) {
4474 *ad = SSL_AD_INTERNAL_ERROR;
4475 goto err;
4476 }
4477
4478 ret = 0;
4479
4480 err:
4481 SRP_user_pwd_free(user);
4482 return ret;
4483}
4484
4485static int create_new_vfile(char *userid, char *password, const char *filename)
4486{
4487 char *gNid = NULL;
4488 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4489 TXT_DB *db = NULL;
4490 int ret = 0;
4491 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4492 size_t i;
4493
4494 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4495 goto end;
4496
4497 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4498 &row[DB_srpverifier], NULL, NULL);
4499 if (!TEST_ptr(gNid))
4500 goto end;
4501
4502 /*
4503 * The only way to create an empty TXT_DB is to provide a BIO with no data
4504 * in it!
4505 */
4506 db = TXT_DB_read(dummy, DB_NUMBER);
4507 if (!TEST_ptr(db))
4508 goto end;
4509
4510 out = BIO_new_file(filename, "w");
4511 if (!TEST_ptr(out))
4512 goto end;
4513
4514 row[DB_srpid] = OPENSSL_strdup(userid);
4515 row[DB_srptype] = OPENSSL_strdup("V");
4516 row[DB_srpgN] = OPENSSL_strdup(gNid);
4517
4518 if (!TEST_ptr(row[DB_srpid])
4519 || !TEST_ptr(row[DB_srptype])
4520 || !TEST_ptr(row[DB_srpgN])
4521 || !TEST_true(TXT_DB_insert(db, row)))
4522 goto end;
4523
4524 row = NULL;
4525
4526 if (!TXT_DB_write(out, db))
4527 goto end;
4528
4529 ret = 1;
4530 end:
4531 if (row != NULL) {
4532 for (i = 0; i < DB_NUMBER; i++)
4533 OPENSSL_free(row[i]);
4534 }
4535 OPENSSL_free(row);
4536 BIO_free(dummy);
4537 BIO_free(out);
4538 TXT_DB_free(db);
4539
4540 return ret;
4541}
4542
4543static int create_new_vbase(char *userid, char *password)
4544{
4545 BIGNUM *verifier = NULL, *salt = NULL;
4546 const SRP_gN *lgN = NULL;
4547 SRP_user_pwd *user_pwd = NULL;
4548 int ret = 0;
4549
4550 lgN = SRP_get_default_gN(NULL);
4551 if (!TEST_ptr(lgN))
4552 goto end;
4553
4554 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4555 lgN->N, lgN->g)))
4556 goto end;
4557
4558 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4559 if (!TEST_ptr(user_pwd))
4560 goto end;
4561
4562 user_pwd->N = lgN->N;
4563 user_pwd->g = lgN->g;
4564 user_pwd->id = OPENSSL_strdup(userid);
4565 if (!TEST_ptr(user_pwd->id))
4566 goto end;
4567
4568 user_pwd->v = verifier;
4569 user_pwd->s = salt;
4570 verifier = salt = NULL;
4571
4572 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4573 goto end;
4574 user_pwd = NULL;
4575
4576 ret = 1;
4577end:
4578 SRP_user_pwd_free(user_pwd);
4579 BN_free(salt);
4580 BN_free(verifier);
4581
4582 return ret;
4583}
4584
4585/*
4586 * SRP tests
4587 *
4588 * Test 0: Simple successful SRP connection, new vbase
4589 * Test 1: Connection failure due to bad password, new vbase
4590 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4591 * Test 3: Connection failure due to bad password, vbase loaded from existing
4592 * file
4593 * Test 4: Simple successful SRP connection, vbase loaded from new file
4594 * Test 5: Connection failure due to bad password, vbase loaded from new file
4595 */
4596static int test_srp(int tst)
4597{
4598 char *userid = "test", *password = "password", *tstsrpfile;
4599 SSL_CTX *cctx = NULL, *sctx = NULL;
4600 SSL *clientssl = NULL, *serverssl = NULL;
4601 int ret, testresult = 0;
4602
4603 vbase = SRP_VBASE_new(NULL);
4604 if (!TEST_ptr(vbase))
4605 goto end;
4606
4607 if (tst == 0 || tst == 1) {
4608 if (!TEST_true(create_new_vbase(userid, password)))
4609 goto end;
4610 } else {
4611 if (tst == 4 || tst == 5) {
4612 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4613 goto end;
4614 tstsrpfile = tmpfilename;
4615 } else {
4616 tstsrpfile = srpvfile;
4617 }
4618 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4619 goto end;
4620 }
4621
4622 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4623 TLS1_VERSION, TLS_MAX_VERSION,
4624 &sctx, &cctx, cert, privkey)))
4625 goto end;
4626
4627 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4628 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4629 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4630 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4631 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4632 goto end;
4633
4634 if (tst % 2 == 1) {
4635 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4636 goto end;
4637 } else {
4638 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4639 goto end;
4640 }
4641
4642 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4643 NULL, NULL)))
4644 goto end;
4645
4646 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4647 if (ret) {
4648 if (!TEST_true(tst % 2 == 0))
4649 goto end;
4650 } else {
4651 if (!TEST_true(tst % 2 == 1))
4652 goto end;
4653 }
4654
4655 testresult = 1;
4656
4657 end:
4658 SRP_VBASE_free(vbase);
4659 vbase = NULL;
4660 SSL_free(serverssl);
4661 SSL_free(clientssl);
4662 SSL_CTX_free(sctx);
4663 SSL_CTX_free(cctx);
4664
4665 return testresult;
4666}
4667#endif
4668
5718fe45
MC		 4669static int info_cb_failed = 0;
4670static int info_cb_offset = 0;
4671static int info_cb_this_state = -1;
4672
4673static struct info_cb_states_st {
4674 int where;
4675 const char *statestr;
4676} info_cb_states[][60] = {
4677 {
4678 /* TLSv1.2 server followed by resumption */
4679 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4680 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4681 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4682 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4683 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4684 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4685 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4686 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4687 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4688 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4689 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4690 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4691 {SSL_CB_EXIT, NULL}, {0, NULL},
4692 }, {
4693 /* TLSv1.2 client followed by resumption */
4694 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4695 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4696 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4697 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4698 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4699 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4700 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4701 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4702 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4703 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4704 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4705 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4706 }, {
4707 /* TLSv1.3 server followed by resumption */
4708 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4709 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4710 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4711 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4712 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4713 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4714 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5718fe45 4715 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
36ff232c
MC		 4716 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4717 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4718 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4719 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4720 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4721 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4722 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4723 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4724 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 4725 }, {
4726 /* TLSv1.3 client followed by resumption */
4727 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4728 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4729 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4730 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4731 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4732 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4733 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4734 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
36ff232c
MC		 4735 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4736 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4737 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 4738 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4739 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4740 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4741 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4742 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4743 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4744 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4745 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4746 }, {
4747 /* TLSv1.3 server, early_data */
4748 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4749 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4750 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4751 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4752 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4753 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4754 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4755 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4756 {SSL_CB_EXIT, NULL}, {0, NULL},
4757 }, {
4758 /* TLSv1.3 client, early_data */
4759 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4760 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4761 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4762 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4763 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4764 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4765 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4766 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4767 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4768 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4769 }, {
4770 {0, NULL},
4771 }
4772};
4773
4774static void sslapi_info_callback(const SSL *s, int where, int ret)
4775{
4776 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4777
4778 /* We do not ever expect a connection to fail in this test */
4779 if (!TEST_false(ret == 0)) {
4780 info_cb_failed = 1;
4781 return;
4782 }
4783
4784 /*
4785 * Do some sanity checks. We never expect these things to happen in this
4786 * test
4787 */
4788 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4789 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4790 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4791 info_cb_failed = 1;
4792 return;
4793 }
4794
4795 /* Now check we're in the right state */
4796 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4797 info_cb_failed = 1;
4798 return;
4799 }
4800 if ((where & SSL_CB_LOOP) != 0
4801 && !TEST_int_eq(strcmp(SSL_state_string(s),
4802 state[info_cb_this_state].statestr), 0)) {
4803 info_cb_failed = 1;
4804 return;
4805 }
033c181b
MC		 4806
4807 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4808 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4809 info_cb_failed = 1;
4810 return;
4811 }
5718fe45
MC		 4812}
4813
4814/*
4815 * Test the info callback gets called when we expect it to.
4816 *
4817 * Test 0: TLSv1.2, server
4818 * Test 1: TLSv1.2, client
4819 * Test 2: TLSv1.3, server
4820 * Test 3: TLSv1.3, client
4821 * Test 4: TLSv1.3, server, early_data
4822 * Test 5: TLSv1.3, client, early_data
4823 */
4824static int test_info_callback(int tst)
4825{
4826 SSL_CTX *cctx = NULL, *sctx = NULL;
4827 SSL *clientssl = NULL, *serverssl = NULL;
4828 SSL_SESSION *clntsess = NULL;
4829 int testresult = 0;
4830 int tlsvers;
4831
4832 if (tst < 2) {
1aac20f5
MC		 4833/* We need either ECDHE or DHE for the TLSv1.2 test to work */
4834#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
4835 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 4836 tlsvers = TLS1_2_VERSION;
4837#else
4838 return 1;
4839#endif
4840 } else {
4841#ifndef OPENSSL_NO_TLS1_3
4842 tlsvers = TLS1_3_VERSION;
4843#else
4844 return 1;
4845#endif
4846 }
4847
4848 /* Reset globals */
4849 info_cb_failed = 0;
4850 info_cb_this_state = -1;
4851 info_cb_offset = tst;
4852
6e07834c 4853#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 4854 if (tst >= 4) {
4855 SSL_SESSION *sess = NULL;
4856 size_t written, readbytes;
4857 unsigned char buf[80];
4858
4859 /* early_data tests */
4860 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4861 &serverssl, &sess, 0)))
4862 goto end;
4863
4864 /* We don't actually need this reference */
4865 SSL_SESSION_free(sess);
4866
4867 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4868 sslapi_info_callback);
4869
4870 /* Write and read some early data and then complete the connection */
4871 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4872 &written))
4873 || !TEST_size_t_eq(written, strlen(MSG1))
4874 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4875 sizeof(buf), &readbytes),
4876 SSL_READ_EARLY_DATA_SUCCESS)
4877 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4878 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4879 SSL_EARLY_DATA_ACCEPTED)
4880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4881 SSL_ERROR_NONE))
4882 || !TEST_false(info_cb_failed))
4883 goto end;
4884
4885 testresult = 1;
4886 goto end;
4887 }
6e07834c 4888#endif
5718fe45
MC		 4889
4890 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4891 TLS_client_method(),
4892 tlsvers, tlsvers, &sctx, &cctx, cert,
4893 privkey)))
4894 goto end;
4895
4896 /*
4897 * For even numbered tests we check the server callbacks. For odd numbers we
4898 * check the client.
4899 */
4900 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4901 sslapi_info_callback);
4902
4903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4904 &clientssl, NULL, NULL))
4905 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4906 SSL_ERROR_NONE))
4907 || !TEST_false(info_cb_failed))
4908 goto end;
4909
4910
4911
4912 clntsess = SSL_get1_session(clientssl);
4913 SSL_shutdown(clientssl);
4914 SSL_shutdown(serverssl);
4915 SSL_free(serverssl);
4916 SSL_free(clientssl);
4917 serverssl = clientssl = NULL;
4918
4919 /* Now do a resumption */
4920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4921 NULL))
4922 || !TEST_true(SSL_set_session(clientssl, clntsess))
4923 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4924 SSL_ERROR_NONE))
4925 || !TEST_true(SSL_session_reused(clientssl))
4926 || !TEST_false(info_cb_failed))
4927 goto end;
4928
4929 testresult = 1;
4930
4931 end:
4932 SSL_free(serverssl);
4933 SSL_free(clientssl);
4934 SSL_SESSION_free(clntsess);
4935 SSL_CTX_free(sctx);
4936 SSL_CTX_free(cctx);
4937 return testresult;
4938}
4939
4a432af8
MC		 4940static int test_ssl_pending(int tst)
4941{
4942 SSL_CTX *cctx = NULL, *sctx = NULL;
4943 SSL *clientssl = NULL, *serverssl = NULL;
4944 int testresult = 0;
4945 char msg[] = "A test message";
4946 char buf[5];
4947 size_t written, readbytes;
4948
4949 if (tst == 0) {
4950 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4951 TLS_client_method(),
4952 TLS1_VERSION, TLS_MAX_VERSION,
4953 &sctx, &cctx, cert, privkey)))
4954 goto end;
4955 } else {
4956#ifndef OPENSSL_NO_DTLS
4957 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4958 DTLS_client_method(),
4959 DTLS1_VERSION, DTLS_MAX_VERSION,
4960 &sctx, &cctx, cert, privkey)))
4961 goto end;
4962#else
4963 return 1;
4964#endif
4965 }
4966
4967 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4968 NULL, NULL))
4969 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4970 SSL_ERROR_NONE)))
4971 goto end;
4972
e8251092
MC		 4973 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4974 || !TEST_false(SSL_has_pending(clientssl))
4975 || !TEST_int_eq(SSL_pending(serverssl), 0)
4976 || !TEST_false(SSL_has_pending(serverssl))
4977 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 4978 || !TEST_size_t_eq(written, sizeof(msg))
4979 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4980 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 4981 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4982 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 4983 goto end;
4984
4985 testresult = 1;
4986
4987 end:
4988 SSL_free(serverssl);
4989 SSL_free(clientssl);
4990 SSL_CTX_free(sctx);
4991 SSL_CTX_free(cctx);
4992
4993 return testresult;
4994}
4995
e401389a
MC		 4996static struct {
4997 unsigned int maxprot;
4998 const char *clntciphers;
4999 const char *clnttls13ciphers;
5000 const char *srvrciphers;
5001 const char *srvrtls13ciphers;
5002 const char *shared;
5003} shared_ciphers_data[] = {
60155b9a
MC		 5004/*
5005 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5006 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5007 */
5008#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 5009 {
5010 TLS1_2_VERSION,
5011 "AES128-SHA:AES256-SHA",
5012 NULL,
5013 "AES256-SHA:DHE-RSA-AES128-SHA",
5014 NULL,
5015 "AES256-SHA"
5016 },
5017 {
5018 TLS1_2_VERSION,
5019 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5020 NULL,
5021 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5022 NULL,
5023 "AES128-SHA:AES256-SHA"
5024 },
5025 {
5026 TLS1_2_VERSION,
5027 "AES128-SHA:AES256-SHA",
5028 NULL,
5029 "AES128-SHA:DHE-RSA-AES128-SHA",
5030 NULL,
5031 "AES128-SHA"
5032 },
60155b9a
MC		 5033#endif
5034/*
5035 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5036 * enabled.
5037 */
5038#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5039 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 5040 {
5041 TLS1_3_VERSION,
5042 "AES128-SHA:AES256-SHA",
5043 NULL,
5044 "AES256-SHA:AES128-SHA256",
5045 NULL,
5046 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5047 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5048 },
60155b9a
MC		 5049#endif
5050#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 5051 {
5052 TLS1_3_VERSION,
5053 "AES128-SHA",
5054 "TLS_AES_256_GCM_SHA384",
5055 "AES256-SHA",
5056 "TLS_AES_256_GCM_SHA384",
5057 "TLS_AES_256_GCM_SHA384"
5058 },
5059#endif
5060};
5061
5062static int test_ssl_get_shared_ciphers(int tst)
5063{
5064 SSL_CTX *cctx = NULL, *sctx = NULL;
5065 SSL *clientssl = NULL, *serverssl = NULL;
5066 int testresult = 0;
5067 char buf[1024];
5068
5069 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5070 TLS_client_method(),
5071 TLS1_VERSION,
5072 shared_ciphers_data[tst].maxprot,
5073 &sctx, &cctx, cert, privkey)))
5074 goto end;
5075
5076 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5077 shared_ciphers_data[tst].clntciphers))
5078 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5079 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5080 shared_ciphers_data[tst].clnttls13ciphers)))
5081 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5082 shared_ciphers_data[tst].srvrciphers))
5083 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5084 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5085 shared_ciphers_data[tst].srvrtls13ciphers))))
5086 goto end;
5087
5088
5089 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5090 NULL, NULL))
5091 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5092 SSL_ERROR_NONE)))
5093 goto end;
5094
5095 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5096 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5097 TEST_info("Shared ciphers are: %s\n", buf);
5098 goto end;
5099 }
5100
5101 testresult = 1;
5102
5103 end:
5104 SSL_free(serverssl);
5105 SSL_free(clientssl);
5106 SSL_CTX_free(sctx);
5107 SSL_CTX_free(cctx);
5108
5109 return testresult;
5110}
5111
d0191fe0 5112static const char *appdata = "Hello World";
61fb5923
MC		 5113static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5114static int tick_key_renew = 0;
5115static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 5116
5117static int gen_tick_cb(SSL *s, void *arg)
5118{
5119 gen_tick_called = 1;
5120
5121 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5122 strlen(appdata));
5123}
5124
5125static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5126 const unsigned char *keyname,
5127 size_t keyname_length,
61fb5923
MC		 5128 SSL_TICKET_STATUS status,
5129 void *arg)
d0191fe0
MC		 5130{
5131 void *tickdata;
5132 size_t tickdlen;
5133
5134 dec_tick_called = 1;
5135
61fb5923
MC		 5136 if (status == SSL_TICKET_EMPTY)
5137 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 5138
61fb5923
MC		 5139 if (!TEST_true(status == SSL_TICKET_SUCCESS
5140 || status == SSL_TICKET_SUCCESS_RENEW))
5141 return SSL_TICKET_RETURN_ABORT;
5142
5143 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5144 &tickdlen))
d0191fe0
MC		 5145 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5146 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 5147 return SSL_TICKET_RETURN_ABORT;
d0191fe0 5148
61fb5923
MC		 5149 if (tick_key_cb_called) {
5150 /* Don't change what the ticket key callback wanted to do */
5151 switch (status) {
5152 case SSL_TICKET_NO_DECRYPT:
5153 return SSL_TICKET_RETURN_IGNORE_RENEW;
5154
5155 case SSL_TICKET_SUCCESS:
5156 return SSL_TICKET_RETURN_USE;
d0191fe0 5157
61fb5923
MC		 5158 case SSL_TICKET_SUCCESS_RENEW:
5159 return SSL_TICKET_RETURN_USE_RENEW;
5160
5161 default:
5162 return SSL_TICKET_RETURN_ABORT;
5163 }
5164 }
5165 return tick_dec_ret;
5166
5167}
d0191fe0
MC		 5168
5169static int tick_key_cb(SSL *s, unsigned char key_name[16],
5170 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5171 HMAC_CTX *hctx, int enc)
5172{
5173 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5174 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5175
61fb5923 5176 tick_key_cb_called = 1;
d0191fe0
MC		 5177 memset(iv, 0, AES_BLOCK_SIZE);
5178 memset(key_name, 0, 16);
5179 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5180 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5181 EVP_sha256(), NULL))
5182 return -1;
5183
61fb5923 5184 return tick_key_renew ? 2 : 1;
d0191fe0
MC		 5185}
5186
5187/*
5188 * Test the various ticket callbacks
61fb5923
MC		 5189 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5190 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5191 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5192 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5193 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5194 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5195 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5196 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5197 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5198 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5199 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5200 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 5201 */
5202static int test_ticket_callbacks(int tst)
5203{
5204 SSL_CTX *cctx = NULL, *sctx = NULL;
5205 SSL *clientssl = NULL, *serverssl = NULL;
5206 SSL_SESSION *clntsess = NULL;
5207 int testresult = 0;
5208
5209#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 5210 if (tst % 2 == 0)
d0191fe0
MC		 5211 return 1;
5212#endif
5213#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 5214 if (tst % 2 == 1)
d0191fe0
MC		 5215 return 1;
5216#endif
5217
61fb5923 5218 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 5219
5220 /* Which tests the ticket key callback should request renewal for */
61fb5923
MC		 5221 if (tst == 10 || tst == 11)
5222 tick_key_renew = 1;
d0191fe0 5223 else
61fb5923
MC		 5224 tick_key_renew = 0;
5225
5226 /* Which tests the decrypt ticket callback should request renewal for */
5227 switch (tst) {
5228 case 0:
5229 case 1:
5230 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5231 break;
5232
5233 case 2:
5234 case 3:
5235 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5236 break;
5237
5238 case 4:
5239 case 5:
5240 tick_dec_ret = SSL_TICKET_RETURN_USE;
5241 break;
5242
5243 case 6:
5244 case 7:
5245 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5246 break;
5247
5248 default:
5249 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5250 }
d0191fe0
MC		 5251
5252 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5253 TLS_client_method(),
5254 TLS1_VERSION,
61fb5923
MC		 5255 ((tst % 2) == 0) ? TLS1_2_VERSION
5256 : TLS1_3_VERSION,
d0191fe0
MC		 5257 &sctx, &cctx, cert, privkey)))
5258 goto end;
5259
61fb5923
MC		 5260 /*
5261 * We only want sessions to resume from tickets - not the session cache. So
5262 * switch the cache off.
5263 */
5264 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5265 goto end;
5266
d0191fe0
MC		 5267 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5268 NULL)))
5269 goto end;
5270
61fb5923 5271 if (tst >= 8
d0191fe0
MC		 5272 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5273 goto end;
5274
5275 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5276 NULL, NULL))
5277 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5278 SSL_ERROR_NONE)))
5279 goto end;
5280
61fb5923
MC		 5281 /*
5282 * The decrypt ticket key callback in TLSv1.2 should be called even though
5283 * we have no ticket yet, because it gets called with a status of
5284 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5285 * actually send any ticket data). This does not happen in TLSv1.3 because
5286 * it is not valid to send empty ticket data in TLSv1.3.
5287 */
d0191fe0 5288 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 5289 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 5290 goto end;
5291
5292 gen_tick_called = dec_tick_called = 0;
5293
5294 clntsess = SSL_get1_session(clientssl);
5295 SSL_shutdown(clientssl);
5296 SSL_shutdown(serverssl);
5297 SSL_free(serverssl);
5298 SSL_free(clientssl);
5299 serverssl = clientssl = NULL;
5300
5301 /* Now do a resumption */
5302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5303 NULL))
5304 || !TEST_true(SSL_set_session(clientssl, clntsess))
5305 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 5306 SSL_ERROR_NONE)))
d0191fe0
MC		 5307 goto end;
5308
61fb5923
MC		 5309 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5310 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5311 if (!TEST_false(SSL_session_reused(clientssl)))
5312 goto end;
5313 } else {
5314 if (!TEST_true(SSL_session_reused(clientssl)))
5315 goto end;
5316 }
5317
d0191fe0 5318 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 5319 (tick_key_renew
5320 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5321 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5322 ? 1 : 0)
d0191fe0
MC		 5323 || !TEST_int_eq(dec_tick_called, 1))
5324 goto end;
5325
5326 testresult = 1;
5327
5328 end:
5329 SSL_SESSION_free(clntsess);
5330 SSL_free(serverssl);
5331 SSL_free(clientssl);
5332 SSL_CTX_free(sctx);
5333 SSL_CTX_free(cctx);
5334
5335 return testresult;
5336}
5337
c748834f
MC		 5338/*
5339 * Test bi-directional shutdown.
5340 * Test 0: TLSv1.2
5341 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5342 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5343 * Test 3: TLSv1.3, pending NewSessionTicket messages
5344 * Test 4: TLSv1.3, server continues to read/write after client shutdown, client
5345 * reads it
5346 * Test 5: TLSv1.3, server continues to read/write after client shutdown, client
5347 * doesn't read it
5348 */
5349static int test_shutdown(int tst)
5350{
5351 SSL_CTX *cctx = NULL, *sctx = NULL;
5352 SSL *clientssl = NULL, *serverssl = NULL;
5353 int testresult = 0;
5354 char msg[] = "A test message";
5355 char buf[80];
5356 size_t written, readbytes;
5357
5358#ifdef OPENSSL_NO_TLS1_2
a97d19f7 5359 if (tst <= 1)
c748834f
MC		 5360 return 1;
5361#endif
5362#ifdef OPENSSL_NO_TLS1_3
a97d19f7 5363 if (tst >= 2)
c748834f
MC		 5364 return 1;
5365#endif
5366
5367 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5368 TLS_client_method(),
5369 TLS1_VERSION,
5370 (tst <= 1) ? TLS1_2_VERSION
5371 : TLS1_3_VERSION,
5372 &sctx, &cctx, cert, privkey))
5373 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5374 NULL, NULL)))
5375 goto end;
5376
5377 if (tst == 3) {
5378 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5379 SSL_ERROR_NONE)))
5380 goto end;
5381 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5382 SSL_ERROR_NONE))) {
5383 goto end;
5384 }
5385
5386 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5387 goto end;
5388
5389 if (tst >= 4) {
5390 /*
5391 * Reading on the server after the client has sent close_notify should
5392 * fail and provide SSL_ERROR_ZERO_RETURN
5393 */
5394 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5395 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5396 SSL_ERROR_ZERO_RETURN)
5397 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5398 SSL_RECEIVED_SHUTDOWN)
5399 /*
5400 * Even though we're shutdown on receive we should still be
5401 * able to write.
5402 */
5403 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))
5404 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5405 goto end;
5406 if (tst == 4) {
5407 /* Should still be able to read data from server */
5408 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5409 &readbytes))
5410 || !TEST_size_t_eq(readbytes, sizeof(msg))
5411 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5412 goto end;
5413 }
5414 }
5415
5416 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 5417 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 5418 goto end;
5419
5420 if (tst < 4) {
5421 /*
5422 * For these tests the client has sent close_notify but it has not yet
5423 * been received by the server. The server has not sent close_notify
5424 * yet.
5425 */
5426 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 5427 /*
5428 * Writing on the server after sending close_notify shouldn't
5429 * be possible.
5430 */
5431 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f
MC		 5432 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5433 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5434 goto end;
358ffa05 5435 } else if (tst == 4) {
c748834f
MC		 5436 /*
5437 * In this test the client has sent close_notify and it has been
5438 * received by the server which has responded with a close_notify. The
358ffa05 5439 * client needs to read the close_notify sent by the server.
c748834f 5440 */
c748834f
MC		 5441 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
5442 goto end;
358ffa05
MC		 5443 } else {
5444 /*
5445 * tst == 5
5446 *
5447 * The client has sent close_notify and is expecting a close_notify
5448 * back, but instead there is application data first. The shutdown
5449 * should fail with a fatal error.
5450 */
5451 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5452 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5453 goto end;
c748834f
MC		 5454 }
5455
5456 testresult = 1;
5457
5458 end:
5459 SSL_free(serverssl);
5460 SSL_free(clientssl);
5461 SSL_CTX_free(sctx);
5462 SSL_CTX_free(cctx);
5463
5464 return testresult;
5465}
5466
ad887416 5467int setup_tests(void)
2cb4b5f6 5468{
ad887416 5469 if (!TEST_ptr(cert = test_get_argument(0))
76fd7a1d
MC		 5470 || !TEST_ptr(privkey = test_get_argument(1))
5471 || !TEST_ptr(srpvfile = test_get_argument(2))
5472 || !TEST_ptr(tmpfilename = test_get_argument(3)))
710756a9 5473 return 0;
2cb4b5f6 5474
f297e4ec
RS		 5475 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
5476#ifdef OPENSSL_NO_CRYPTO_MDEBUG
5477 TEST_error("not supported in this build");
5478 return 0;
5479#else
5480 int i, mcount, rcount, fcount;
5481
5482 for (i = 0; i < 4; i++)
5483 test_export_key_mat(i);
5484 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
5485 test_printf_stdout("malloc %d realloc %d free %d\n",
5486 mcount, rcount, fcount);
5487 return 1;
5488#endif
5489 }
5490
84d5549e 5491 ADD_TEST(test_large_message_tls);
7856332e 5492 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 5493#ifndef OPENSSL_NO_DTLS
84d5549e 5494 ADD_TEST(test_large_message_dtls);
55386bef 5495#endif
8f8c11d8 5496#ifndef OPENSSL_NO_OCSP
c887104f 5497 ADD_TEST(test_tlsext_status_type);
8f8c11d8 5498#endif
eaa776da
MC		 5499 ADD_TEST(test_session_with_only_int_cache);
5500 ADD_TEST(test_session_with_only_ext_cache);
5501 ADD_TEST(test_session_with_both_cache);
36ff232c 5502#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 5503 ADD_ALL_TESTS(test_stateful_tickets, 3);
5504 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 5505 ADD_TEST(test_psk_tickets);
36ff232c 5506#endif
7fb4c820 5507 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 5508 ADD_TEST(test_ssl_bio_pop_next_bio);
5509 ADD_TEST(test_ssl_bio_pop_ssl_bio);
5510 ADD_TEST(test_ssl_bio_change_rbio);
5511 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 5512#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 5513 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 5514 ADD_TEST(test_keylog);
c423ecaa 5515#endif
6acdd3e5
CB		 5516#ifndef OPENSSL_NO_TLS1_3
5517 ADD_TEST(test_keylog_no_master_key);
5518#endif
e9ee6536 5519#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 5520 ADD_TEST(test_client_hello_cb);
5f982038
MC		 5521#endif
5522#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 5523 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 5524 /*
5525 * We don't do replay tests for external PSK. Replay protection isn't used
5526 * in that scenario.
5527 */
5528 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 5529 ADD_ALL_TESTS(test_early_data_skip, 3);
5530 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 5531 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 5532 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 5533 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 5534 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 5535 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 5536# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 5537 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 5538# endif
e9ee6536 5539#endif
a273157a 5540#ifndef OPENSSL_NO_TLS1_3
034cb87b 5541 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 5542 ADD_TEST(test_ciphersuite_change);
c2b290c3
MC		 5543#ifdef OPENSSL_NO_PSK
5544 ADD_ALL_TESTS(test_tls13_psk, 1);
5545#else
0d8da779 5546 ADD_ALL_TESTS(test_tls13_psk, 4);
c2b290c3 5547#endif /* OPENSSL_NO_PSK */
bb01ef3f 5548 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 5549 ADD_TEST(test_stateless);
9d75dce3 5550 ADD_TEST(test_pha_key_update);
a273157a 5551#else
bb01ef3f 5552 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 5553#endif
16afd71c 5554 ADD_ALL_TESTS(test_serverinfo, 8);
2197d1df 5555 ADD_ALL_TESTS(test_export_key_mat, 4);
b38ede80
TT		 5556#ifndef OPENSSL_NO_TLS1_3
5557 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5558#endif
e11b6aa4 5559 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 5560 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 5561#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5562 ADD_ALL_TESTS(test_srp, 6);
5563#endif
5718fe45 5564 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 5565 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 5566 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
61fb5923 5567 ADD_ALL_TESTS(test_ticket_callbacks, 12);
c748834f 5568 ADD_ALL_TESTS(test_shutdown, 6);
ad887416
P		 5569 return 1;
5570}
2cb4b5f6 5571
ad887416
P		 5572void cleanup_tests(void)
5573{
fa454945 5574 bio_s_mempacket_test_free();
2cb4b5f6 5575}
A mirror of the official openssl repository