]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update the various SSL group getting and setting functions
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
33388b44 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
b3842539 31#include <openssl/core_numbers.h>
5e30f2fd 32#include <openssl/provider.h>
2cb4b5f6
MC		 33
34#include "ssltestlib.h"
c887104f 35#include "testutil.h"
f297e4ec 36#include "testutil/output.h"
176db6dc 37#include "internal/nelem.h"
fe5d9450 38#include "internal/ktls.h"
706457b7 39#include "../ssl/ssl_local.h"
2cb4b5f6 40
b3842539
MC		 41/* Defined in filterprov.c */
42OSSL_provider_init_fn filter_provider_init;
43int filter_provider_set_filter(int operation, const char *name);
44
852c2ed2
RS		 45DEFINE_STACK_OF(OCSP_RESPID)
46DEFINE_STACK_OF(X509)
47DEFINE_STACK_OF(X509_NAME)
48
5e30f2fd
MC		 49static OPENSSL_CTX *libctx = NULL;
50static OSSL_PROVIDER *defctxnull = NULL;
51
8614a4eb
MC		 52#ifndef OPENSSL_NO_TLS1_3
53
54static SSL_SESSION *clientpsk = NULL;
55static SSL_SESSION *serverpsk = NULL;
56static const char *pskid = "Identity";
57static const char *srvid;
58
59static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
60 size_t *idlen, SSL_SESSION **sess);
61static int find_session_cb(SSL *ssl, const unsigned char *identity,
62 size_t identity_len, SSL_SESSION **sess);
63
64static int use_session_cb_cnt = 0;
65static int find_session_cb_cnt = 0;
66
67static SSL_SESSION *create_a_psk(SSL *ssl);
68#endif
69
1a2a3a42 70static char *certsdir = NULL;
2cb4b5f6
MC		 71static char *cert = NULL;
72static char *privkey = NULL;
b3842539
MC		 73static char *cert2 = NULL;
74static char *privkey2 = NULL;
76fd7a1d
MC		 75static char *srpvfile = NULL;
76static char *tmpfilename = NULL;
2cb4b5f6 77
4f6c7044
MC		 78static int is_fips = 0;
79
cffe973c 80#define LOG_BUFFER_SIZE 2048
6acdd3e5 81static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 82static size_t server_log_buffer_index = 0;
6acdd3e5 83static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 84static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 85static int error_writing_log = 0;
86
8f8c11d8 87#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 88static const unsigned char orespder[] = "Dummy OCSP Response";
89static int ocsp_server_called = 0;
90static int ocsp_client_called = 0;
91
92static int cdummyarg = 1;
93static X509 *ocspcert = NULL;
8f8c11d8 94#endif
ba881d3b 95
84d5549e 96#define NUM_EXTRA_CERTS 40
cf72c757 97#define CLIENT_VERSION_LEN 2
84d5549e 98
f1a5939f
CB		 99/*
100 * This structure is used to validate that the correct number of log messages
101 * of various types are emitted when emitting secret logs.
102 */
103struct sslapitest_log_counts {
104 unsigned int rsa_key_exchange_count;
105 unsigned int master_secret_count;
cffe973c 106 unsigned int client_early_secret_count;
f1a5939f
CB		 107 unsigned int client_handshake_secret_count;
108 unsigned int server_handshake_secret_count;
109 unsigned int client_application_secret_count;
110 unsigned int server_application_secret_count;
01a2a654 111 unsigned int early_exporter_secret_count;
6329ce8f 112 unsigned int exporter_secret_count;
f1a5939f
CB		 113};
114
16afd71c
MC		 115
116static unsigned char serverinfov1[] = {
117 0xff, 0xff, /* Dummy extension type */
118 0x00, 0x01, /* Extension length is 1 byte */
119 0xff /* Dummy extension data */
120};
121
122static unsigned char serverinfov2[] = {
123 0x00, 0x00, 0x00,
124 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
125 0xff, 0xff, /* Dummy extension type */
126 0x00, 0x01, /* Extension length is 1 byte */
127 0xff /* Dummy extension data */
128};
129
104a733d
MC		 130static int hostname_cb(SSL *s, int *al, void *arg)
131{
132 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
133
134 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
135 || strcmp(hostname, "altgoodhost") == 0))
136 return SSL_TLSEXT_ERR_OK;
137
138 return SSL_TLSEXT_ERR_NOACK;
139}
140
710756a9
RS		 141static void client_keylog_callback(const SSL *ssl, const char *line)
142{
6acdd3e5
CB		 143 int line_length = strlen(line);
144
145 /* If the log doesn't fit, error out. */
710756a9
RS		 146 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
147 TEST_info("Client log too full");
6acdd3e5
CB		 148 error_writing_log = 1;
149 return;
150 }
151
152 strcat(client_log_buffer, line);
153 client_log_buffer_index += line_length;
710756a9 154 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 155}
156
710756a9
RS		 157static void server_keylog_callback(const SSL *ssl, const char *line)
158{
6acdd3e5
CB		 159 int line_length = strlen(line);
160
161 /* If the log doesn't fit, error out. */
710756a9 162 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 163 TEST_info("Server log too full");
6acdd3e5
CB		 164 error_writing_log = 1;
165 return;
166 }
167
168 strcat(server_log_buffer, line);
169 server_log_buffer_index += line_length;
710756a9 170 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 171}
172
173static int compare_hex_encoded_buffer(const char *hex_encoded,
174 size_t hex_length,
175 const uint8_t *raw,
710756a9
RS		 176 size_t raw_length)
177{
178 size_t i, j;
179 char hexed[3];
6acdd3e5 180
710756a9 181 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 182 return 1;
6acdd3e5 183
710756a9 184 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 185 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 186 if (!TEST_int_eq(hexed[0], hex_encoded[j])
187 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 188 return 1;
6acdd3e5
CB		 189 }
190
191 return 0;
192}
193
194static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 195 const SSL_SESSION *session,
710756a9
RS		 196 struct sslapitest_log_counts *expected)
197{
6acdd3e5
CB		 198 char *token = NULL;
199 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
200 size_t client_random_size = SSL3_RANDOM_SIZE;
201 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
202 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 203 unsigned int rsa_key_exchange_count = 0;
204 unsigned int master_secret_count = 0;
cffe973c 205 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 206 unsigned int client_handshake_secret_count = 0;
207 unsigned int server_handshake_secret_count = 0;
208 unsigned int client_application_secret_count = 0;
209 unsigned int server_application_secret_count = 0;
01a2a654 210 unsigned int early_exporter_secret_count = 0;
6329ce8f 211 unsigned int exporter_secret_count = 0;
6acdd3e5 212
710756a9
RS		 213 for (token = strtok(buffer, " \n"); token != NULL;
214 token = strtok(NULL, " \n")) {
6acdd3e5 215 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 216 /*
217 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 218 * hex-encoded encrypted secret, then the hex-encoded pre-master
219 * secret.
220 */
710756a9 221 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 222 return 0;
710756a9 223 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 224 return 0;
710756a9 225 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 226 return 0;
f1a5939f
CB		 227 /*
228 * We can't sensibly check the log because the premaster secret is
229 * transient, and OpenSSL doesn't keep hold of it once the master
230 * secret is generated.
231 */
232 rsa_key_exchange_count++;
6acdd3e5 233 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 234 /*
235 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 236 * client random, then the hex-encoded master secret.
237 */
238 client_random_size = SSL_get_client_random(ssl,
239 actual_client_random,
240 SSL3_RANDOM_SIZE);
710756a9 241 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 242 return 0;
6acdd3e5 243
710756a9 244 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 245 return 0;
710756a9 246 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 247 return 0;
710756a9
RS		 248 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
249 actual_client_random,
250 client_random_size)))
f1a5939f 251 return 0;
6acdd3e5 252
710756a9 253 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 254 return 0;
6acdd3e5
CB		 255 master_key_size = SSL_SESSION_get_master_key(session,
256 actual_master_key,
257 master_key_size);
710756a9 258 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 259 return 0;
710756a9
RS		 260 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
261 actual_master_key,
262 master_key_size)))
f1a5939f 263 return 0;
f1a5939f 264 master_secret_count++;
cffe973c
PW		 265 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
266 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 267 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
268 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 269 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 270 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 271 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 272 /*
273 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
274 * client random, and then the hex-encoded secret. In this case,
275 * we treat all of these secrets identically and then just
276 * distinguish between them when counting what we saw.
277 */
cffe973c
PW		 278 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
279 client_early_secret_count++;
280 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 281 client_handshake_secret_count++;
282 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
283 server_handshake_secret_count++;
284 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
285 client_application_secret_count++;
286 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
287 server_application_secret_count++;
01a2a654
PW		 288 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
289 early_exporter_secret_count++;
6329ce8f
PW		 290 else if (strcmp(token, "EXPORTER_SECRET") == 0)
291 exporter_secret_count++;
f1a5939f
CB		 292
293 client_random_size = SSL_get_client_random(ssl,
294 actual_client_random,
295 SSL3_RANDOM_SIZE);
710756a9 296 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 297 return 0;
f1a5939f 298
710756a9 299 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 300 return 0;
710756a9 301 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 302 return 0;
710756a9
RS		 303 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
304 actual_client_random,
305 client_random_size)))
f1a5939f 306 return 0;
6acdd3e5 307
710756a9 308 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 309 return 0;
f1a5939f
CB		 310
311 /*
312 * TODO(TLS1.3): test that application traffic secrets are what
313 * we expect */
6acdd3e5 314 } else {
710756a9 315 TEST_info("Unexpected token %s\n", token);
f1a5939f 316 return 0;
6acdd3e5 317 }
6acdd3e5
CB		 318 }
319
710756a9
RS		 320 /* Got what we expected? */
321 if (!TEST_size_t_eq(rsa_key_exchange_count,
322 expected->rsa_key_exchange_count)
323 || !TEST_size_t_eq(master_secret_count,
324 expected->master_secret_count)
cffe973c
PW		 325 || !TEST_size_t_eq(client_early_secret_count,
326 expected->client_early_secret_count)
710756a9
RS		 327 || !TEST_size_t_eq(client_handshake_secret_count,
328 expected->client_handshake_secret_count)
329 || !TEST_size_t_eq(server_handshake_secret_count,
330 expected->server_handshake_secret_count)
331 || !TEST_size_t_eq(client_application_secret_count,
332 expected->client_application_secret_count)
333 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 334 expected->server_application_secret_count)
01a2a654
PW		 335 || !TEST_size_t_eq(early_exporter_secret_count,
336 expected->early_exporter_secret_count)
6329ce8f
PW		 337 || !TEST_size_t_eq(exporter_secret_count,
338 expected->exporter_secret_count))
710756a9
RS		 339 return 0;
340 return 1;
6acdd3e5
CB		 341}
342
c423ecaa 343#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 344static int test_keylog(void)
345{
6acdd3e5
CB		 346 SSL_CTX *cctx = NULL, *sctx = NULL;
347 SSL *clientssl = NULL, *serverssl = NULL;
348 int testresult = 0;
6fc1e624 349 struct sslapitest_log_counts expected;
6acdd3e5
CB		 350
351 /* Clean up logging space */
6fc1e624 352 memset(&expected, 0, sizeof(expected));
710756a9
RS		 353 memset(client_log_buffer, 0, sizeof(client_log_buffer));
354 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 355 client_log_buffer_index = 0;
356 server_log_buffer_index = 0;
357 error_writing_log = 0;
358
5e30f2fd 359 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 360 TLS_client_method(),
5c587fb6 361 TLS1_VERSION, 0,
710756a9 362 &sctx, &cctx, cert, privkey)))
6acdd3e5 363 return 0;
6acdd3e5
CB		 364
365 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
366 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
367 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
368
f0deb4d3 369 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 370 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 371 goto end;
f0deb4d3 372
cf10df81
RS		 373 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
374 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 375 goto end;
6acdd3e5 376 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
378 == client_keylog_callback))
6acdd3e5 379 goto end;
710756a9 380 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 381 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
382 == server_keylog_callback))
6acdd3e5 383 goto end;
6acdd3e5 384
710756a9
RS		 385 /* Now do a handshake and check that the logs have been written to. */
386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
387 &clientssl, NULL, NULL))
388 || !TEST_true(create_ssl_connection(serverssl, clientssl,
389 SSL_ERROR_NONE))
390 || !TEST_false(error_writing_log)
391 || !TEST_int_gt(client_log_buffer_index, 0)
392 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 393 goto end;
6acdd3e5 394
f1a5939f
CB		 395 /*
396 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 397 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 398 * data we expect. For both client and server, we expect to see one master
399 * secret. The client should also see a RSA key exchange.
6acdd3e5 400 */
f1a5939f
CB		 401 expected.rsa_key_exchange_count = 1;
402 expected.master_secret_count = 1;
710756a9
RS		 403 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
404 SSL_get_session(clientssl), &expected)))
6acdd3e5 405 goto end;
f1a5939f
CB		 406
407 expected.rsa_key_exchange_count = 0;
710756a9
RS		 408 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
409 SSL_get_session(serverssl), &expected)))
6acdd3e5 410 goto end;
6acdd3e5
CB		 411
412 testresult = 1;
413
414end:
415 SSL_free(serverssl);
416 SSL_free(clientssl);
417 SSL_CTX_free(sctx);
418 SSL_CTX_free(cctx);
419
420 return testresult;
421}
c423ecaa 422#endif
6acdd3e5
CB		 423
424#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 425static int test_keylog_no_master_key(void)
426{
6acdd3e5
CB		 427 SSL_CTX *cctx = NULL, *sctx = NULL;
428 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 429 SSL_SESSION *sess = NULL;
6acdd3e5 430 int testresult = 0;
6fc1e624 431 struct sslapitest_log_counts expected;
cffe973c
PW		 432 unsigned char buf[1];
433 size_t readbytes, written;
6acdd3e5
CB		 434
435 /* Clean up logging space */
6fc1e624 436 memset(&expected, 0, sizeof(expected));
710756a9
RS		 437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
441 error_writing_log = 0;
442
5e30f2fd
MC		 443 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
444 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 445 &sctx, &cctx, cert, privkey))
446 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 447 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 448 return 0;
6acdd3e5 449
cf10df81
RS		 450 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
451 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 452 goto end;
6acdd3e5
CB		 453
454 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
456 == client_keylog_callback))
6acdd3e5 457 goto end;
6acdd3e5 458
710756a9 459 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 460 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
461 == server_keylog_callback))
6acdd3e5 462 goto end;
6acdd3e5 463
710756a9
RS		 464 /* Now do a handshake and check that the logs have been written to. */
465 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
466 &clientssl, NULL, NULL))
467 || !TEST_true(create_ssl_connection(serverssl, clientssl,
468 SSL_ERROR_NONE))
469 || !TEST_false(error_writing_log))
6acdd3e5 470 goto end;
6acdd3e5 471
f1a5939f
CB		 472 /*
473 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 474 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 475 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 476 */
f1a5939f
CB		 477 expected.client_handshake_secret_count = 1;
478 expected.server_handshake_secret_count = 1;
479 expected.client_application_secret_count = 1;
480 expected.server_application_secret_count = 1;
6329ce8f 481 expected.exporter_secret_count = 1;
710756a9
RS		 482 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
483 SSL_get_session(clientssl), &expected))
484 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
485 SSL_get_session(serverssl),
486 &expected)))
6acdd3e5 487 goto end;
6acdd3e5 488
cffe973c
PW		 489 /* Terminate old session and resume with early data. */
490 sess = SSL_get1_session(clientssl);
491 SSL_shutdown(clientssl);
492 SSL_shutdown(serverssl);
493 SSL_free(serverssl);
494 SSL_free(clientssl);
495 serverssl = clientssl = NULL;
496
497 /* Reset key log */
498 memset(client_log_buffer, 0, sizeof(client_log_buffer));
499 memset(server_log_buffer, 0, sizeof(server_log_buffer));
500 client_log_buffer_index = 0;
501 server_log_buffer_index = 0;
502
503 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
504 &clientssl, NULL, NULL))
505 || !TEST_true(SSL_set_session(clientssl, sess))
506 /* Here writing 0 length early data is enough. */
507 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
508 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
509 &readbytes),
510 SSL_READ_EARLY_DATA_ERROR)
511 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
512 SSL_EARLY_DATA_ACCEPTED)
513 || !TEST_true(create_ssl_connection(serverssl, clientssl,
514 SSL_ERROR_NONE))
515 || !TEST_true(SSL_session_reused(clientssl)))
516 goto end;
517
518 /* In addition to the previous entries, expect early secrets. */
519 expected.client_early_secret_count = 1;
01a2a654 520 expected.early_exporter_secret_count = 1;
cffe973c
PW		 521 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
522 SSL_get_session(clientssl), &expected))
523 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
524 SSL_get_session(serverssl),
525 &expected)))
526 goto end;
527
6acdd3e5
CB		 528 testresult = 1;
529
530end:
cffe973c 531 SSL_SESSION_free(sess);
6acdd3e5
CB		 532 SSL_free(serverssl);
533 SSL_free(clientssl);
534 SSL_CTX_free(sctx);
535 SSL_CTX_free(cctx);
536
537 return testresult;
538}
539#endif
540
e9ee6536 541#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 542static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 543{
544 int *ctr = arg;
545 const unsigned char *p;
8ea404fb 546 int *exts;
2afaee51
BK		 547 /* We only configure two ciphers, but the SCSV is added automatically. */
548#ifdef OPENSSL_NO_EC
549 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
550#else
551 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
552 0x2c, 0x00, 0xff};
553#endif
8ea404fb
BK		 554 const int expected_extensions[] = {
555#ifndef OPENSSL_NO_EC
556 11, 10,
557#endif
10ed1b72 558 35, 22, 23, 13};
2afaee51
BK		 559 size_t len;
560
561 /* Make sure we can defer processing and get called back. */
562 if ((*ctr)++ == 0)
f1b97da1 563 return SSL_CLIENT_HELLO_RETRY;
2afaee51 564
a9c0d8be 565 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 566 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 567 || !TEST_size_t_eq(
568 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 569 || !TEST_int_eq(*p, 0))
f1b97da1 570 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 571 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 572 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 573 if (len != OSSL_NELEM(expected_extensions) ||
574 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 575 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 576 OPENSSL_free(exts);
f1b97da1 577 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 578 }
579 OPENSSL_free(exts);
f1b97da1 580 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 581}
582
a9c0d8be 583static int test_client_hello_cb(void)
710756a9 584{
2afaee51
BK		 585 SSL_CTX *cctx = NULL, *sctx = NULL;
586 SSL *clientssl = NULL, *serverssl = NULL;
587 int testctr = 0, testresult = 0;
588
5e30f2fd
MC		 589 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
590 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 591 &sctx, &cctx, cert, privkey)))
2afaee51 592 goto end;
a9c0d8be 593 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 594
2afaee51
BK		 595 /* The gimpy cipher list we configure can't do TLS 1.3. */
596 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 597
710756a9
RS		 598 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
599 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
600 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
601 &clientssl, NULL, NULL))
602 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 603 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 604 /*
605 * Passing a -1 literal is a hack since
606 * the real value was lost.
607 * */
a9c0d8be
DB		 608 || !TEST_int_eq(SSL_get_error(serverssl, -1),
609 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 610 || !TEST_true(create_ssl_connection(serverssl, clientssl,
611 SSL_ERROR_NONE)))
2afaee51 612 goto end;
2afaee51
BK		 613
614 testresult = 1;
615
088dfa13
TS		 616end:
617 SSL_free(serverssl);
618 SSL_free(clientssl);
619 SSL_CTX_free(sctx);
620 SSL_CTX_free(cctx);
621
622 return testresult;
623}
624
625static int test_no_ems(void)
626{
627 SSL_CTX *cctx = NULL, *sctx = NULL;
628 SSL *clientssl = NULL, *serverssl = NULL;
629 int testresult = 0;
630
5e30f2fd 631 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 632 TLS1_VERSION, TLS1_2_VERSION,
633 &sctx, &cctx, cert, privkey)) {
634 printf("Unable to create SSL_CTX pair\n");
635 goto end;
636 }
637
638 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
639
640 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
641 printf("Unable to create SSL objects\n");
642 goto end;
643 }
644
645 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
646 printf("Creating SSL connection failed\n");
647 goto end;
648 }
649
650 if (SSL_get_extms_support(serverssl)) {
651 printf("Server reports Extended Master Secret support\n");
652 goto end;
653 }
654
655 if (SSL_get_extms_support(clientssl)) {
656 printf("Client reports Extended Master Secret support\n");
657 goto end;
658 }
659 testresult = 1;
660
2afaee51
BK		 661end:
662 SSL_free(serverssl);
663 SSL_free(clientssl);
664 SSL_CTX_free(sctx);
665 SSL_CTX_free(cctx);
666
667 return testresult;
668}
669
3cd14e5e
BK		 670/*
671 * Very focused test to exercise a single case in the server-side state
672 * machine, when the ChangeCipherState message needs to actually change
673 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 674 * encryption to real encryption).
3cd14e5e
BK		 675 */
676static int test_ccs_change_cipher(void)
677{
678 SSL_CTX *cctx = NULL, *sctx = NULL;
679 SSL *clientssl = NULL, *serverssl = NULL;
680 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
681 int testresult = 0;
682 int i;
683 unsigned char buf;
684 size_t readbytes;
685
686 /*
687 * Create a conection so we can resume and potentially (but not) use
688 * a different cipher in the second connection.
689 */
5e30f2fd 690 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 691 TLS_client_method(),
692 TLS1_VERSION, TLS1_2_VERSION,
693 &sctx, &cctx, cert, privkey))
694 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
695 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
696 NULL, NULL))
697 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
698 || !TEST_true(create_ssl_connection(serverssl, clientssl,
699 SSL_ERROR_NONE))
700 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
701 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
702 goto end;
703
704 shutdown_ssl_connection(serverssl, clientssl);
705 serverssl = clientssl = NULL;
706
707 /* Resume, preferring a different cipher. Our server will force the
708 * same cipher to be used as the initial handshake. */
709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
710 NULL, NULL))
711 || !TEST_true(SSL_set_session(clientssl, sess))
712 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
713 || !TEST_true(create_ssl_connection(serverssl, clientssl,
714 SSL_ERROR_NONE))
715 || !TEST_true(SSL_session_reused(clientssl))
716 || !TEST_true(SSL_session_reused(serverssl))
717 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
718 || !TEST_ptr_eq(sesspre, sesspost)
719 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
720 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
721 goto end;
722 shutdown_ssl_connection(serverssl, clientssl);
723 serverssl = clientssl = NULL;
724
725 /*
726 * Now create a fresh connection and try to renegotiate a different
727 * cipher on it.
728 */
b3e6d666
BK		 729 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
730 NULL, NULL))
3cd14e5e
BK		 731 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
732 || !TEST_true(create_ssl_connection(serverssl, clientssl,
733 SSL_ERROR_NONE))
734 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
735 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
736 || !TEST_true(SSL_renegotiate(clientssl))
737 || !TEST_true(SSL_renegotiate_pending(clientssl)))
738 goto end;
739 /* Actually drive the renegotiation. */
740 for (i = 0; i < 3; i++) {
741 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
742 if (!TEST_ulong_eq(readbytes, 0))
743 goto end;
744 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
745 SSL_ERROR_WANT_READ)) {
746 goto end;
747 }
748 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
749 if (!TEST_ulong_eq(readbytes, 0))
750 goto end;
751 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
752 SSL_ERROR_WANT_READ)) {
753 goto end;
754 }
755 }
756 /* sesspre and sesspost should be different since the cipher changed. */
757 if (!TEST_false(SSL_renegotiate_pending(clientssl))
758 || !TEST_false(SSL_session_reused(clientssl))
759 || !TEST_false(SSL_session_reused(serverssl))
760 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
761 || !TEST_ptr_ne(sesspre, sesspost)
762 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
763 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
764 goto end;
765
766 shutdown_ssl_connection(serverssl, clientssl);
767 serverssl = clientssl = NULL;
768
769 testresult = 1;
770
771end:
772 SSL_free(serverssl);
773 SSL_free(clientssl);
774 SSL_CTX_free(sctx);
775 SSL_CTX_free(cctx);
776 SSL_SESSION_free(sess);
777
778 return testresult;
779}
fb121631 780#endif
3cd14e5e 781
84d5549e 782static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 783 const SSL_METHOD *cmeth,
784 int min_version, int max_version,
785 int read_ahead)
84d5549e
MC		 786{
787 SSL_CTX *cctx = NULL, *sctx = NULL;
788 SSL *clientssl = NULL, *serverssl = NULL;
789 int testresult = 0;
790 int i;
710756a9 791 BIO *certbio = NULL;
84d5549e
MC		 792 X509 *chaincert = NULL;
793 int certlen;
794
710756a9 795 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 796 goto end;
84d5549e 797 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 798 BIO_free(certbio);
799 certbio = NULL;
710756a9 800 if (!TEST_ptr(chaincert))
fa454945 801 goto end;
84d5549e 802
5e30f2fd
MC		 803 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
804 max_version, &sctx, &cctx, cert,
805 privkey)))
84d5549e 806 goto end;
84d5549e 807
710756a9 808 if (read_ahead) {
7856332e
MC		 809 /*
810 * Test that read_ahead works correctly when dealing with large
811 * records
812 */
813 SSL_CTX_set_read_ahead(cctx, 1);
814 }
815
84d5549e
MC		 816 /*
817 * We assume the supplied certificate is big enough so that if we add
818 * NUM_EXTRA_CERTS it will make the overall message large enough. The
819 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 820 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
821 * test we need to have a message larger than that.
84d5549e
MC		 822 */
823 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 824 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
825 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 826 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 827 if (!X509_up_ref(chaincert))
84d5549e 828 goto end;
84d5549e 829 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 830 X509_free(chaincert);
831 goto end;
832 }
833 }
834
710756a9
RS		 835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
836 NULL, NULL))
837 || !TEST_true(create_ssl_connection(serverssl, clientssl,
838 SSL_ERROR_NONE)))
84d5549e 839 goto end;
84d5549e 840
4bf08600
MC		 841 /*
842 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 843 * doesn't leak.
4bf08600 844 */
710756a9 845 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 846 goto end;
84d5549e 847
4bf08600 848 testresult = 1;
84d5549e
MC		 849 end:
850 X509_free(chaincert);
851 SSL_free(serverssl);
852 SSL_free(clientssl);
853 SSL_CTX_free(sctx);
854 SSL_CTX_free(cctx);
855
856 return testresult;
857}
858
da4db160
VF		 859#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
860 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
861#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
fe5d9450
BP		 862/* sock must be connected */
863static int ktls_chk_platform(int sock)
864{
865 if (!ktls_enable(sock))
866 return 0;
867 return 1;
868}
869
da4db160 870static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
fe5d9450
BP		 871{
872 static char count = 1;
873 unsigned char cbuf[16000] = {0};
874 unsigned char sbuf[16000];
875 size_t err = 0;
da4db160
VF		 876 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
877 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
878 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
879 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
880 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
881 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
882 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
883 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
fe5d9450
BP		 884
885 cbuf[0] = count++;
da4db160
VF		 886 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
887 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
888 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
889 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 890
891 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
892 goto end;
893
894 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
895 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
896 goto end;
897 }
898 }
899
900 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
901 goto end;
902
903 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
904 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
905 goto end;
906 }
907 }
908
da4db160
VF		 909 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
910 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
911 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
912 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 913
914 /* verify the payload */
915 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
916 goto end;
917
918 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
919 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 920 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
921 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 922 goto end;
923 } else {
da4db160
VF		 924 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
925 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 926 goto end;
927 }
928
929 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 930 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
931 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 932 goto end;
933 } else {
da4db160
VF		 934 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
935 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 936 goto end;
937 }
938
2fab79af 939 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 940 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
941 crec_rseq_after, rec_seq_size))
2fab79af
BP		 942 goto end;
943 } else {
da4db160
VF		 944 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
945 crec_rseq_after, rec_seq_size))
2fab79af
BP		 946 goto end;
947 }
948
949 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 950 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
951 srec_rseq_after, rec_seq_size))
2fab79af
BP		 952 goto end;
953 } else {
da4db160
VF		 954 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
955 srec_rseq_after, rec_seq_size))
2fab79af
BP		 956 goto end;
957 }
fe5d9450
BP		 958
959 return 1;
960end:
961 return 0;
962}
963
2fab79af 964static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
da4db160
VF		 965 int sis_ktls_tx, int sis_ktls_rx,
966 int tls_version, const char *cipher,
967 int rec_seq_size)
fe5d9450
BP		 968{
969 SSL_CTX *cctx = NULL, *sctx = NULL;
970 SSL *clientssl = NULL, *serverssl = NULL;
971 int testresult = 0;
972 int cfd, sfd;
973
974 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
975 goto end;
976
977 /* Skip this test if the platform does not support ktls */
978 if (!ktls_chk_platform(cfd))
979 return 1;
980
981 /* Create a session based on SHA-256 */
5e30f2fd 982 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 983 TLS_client_method(),
da4db160 984 tls_version, tls_version,
fe5d9450 985 &sctx, &cctx, cert, privkey))
da4db160 986 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
fe5d9450
BP		 987 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
988 &clientssl, sfd, cfd)))
989 goto end;
990
991 if (!cis_ktls_tx) {
992 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
993 goto end;
994 }
995
996 if (!sis_ktls_tx) {
997 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
998 goto end;
999 }
1000
2fab79af
BP		 1001 if (!cis_ktls_rx) {
1002 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1003 goto end;
1004 }
1005
1006 if (!sis_ktls_rx) {
1007 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1008 goto end;
1009 }
1010
fe5d9450
BP		 1011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1012 SSL_ERROR_NONE)))
1013 goto end;
1014
1015 if (!cis_ktls_tx) {
1016 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1017 goto end;
1018 } else {
1019 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1020 goto end;
1021 }
1022
1023 if (!sis_ktls_tx) {
1024 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1025 goto end;
1026 } else {
1027 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1028 goto end;
1029 }
1030
2fab79af
BP		 1031 if (!cis_ktls_rx) {
1032 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1033 goto end;
1034 } else {
1035 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1036 goto end;
1037 }
1038
1039 if (!sis_ktls_rx) {
1040 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1041 goto end;
1042 } else {
1043 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1044 goto end;
1045 }
1046
da4db160
VF		 1047 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1048 rec_seq_size)))
fe5d9450
BP		 1049 goto end;
1050
1051 testresult = 1;
1052end:
1053 if (clientssl) {
1054 SSL_shutdown(clientssl);
1055 SSL_free(clientssl);
1056 }
1057 if (serverssl) {
1058 SSL_shutdown(serverssl);
1059 SSL_free(serverssl);
1060 }
1061 SSL_CTX_free(sctx);
1062 SSL_CTX_free(cctx);
1063 serverssl = clientssl = NULL;
1064 return testresult;
1065}
1066
7c3a7561
BP		 1067#define SENDFILE_SZ (16 * 4096)
1068#define SENDFILE_CHUNK (4 * 4096)
1069#define min(a,b) ((a) > (b) ? (b) : (a))
1070
da4db160 1071static int test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1072{
1073 SSL_CTX *cctx = NULL, *sctx = NULL;
1074 SSL *clientssl = NULL, *serverssl = NULL;
1075 unsigned char *buf, *buf_dst;
1076 BIO *out = NULL, *in = NULL;
1077 int cfd, sfd, ffd, err;
1078 ssize_t chunk_size = 0;
1079 off_t chunk_off = 0;
1080 int testresult = 0;
1081 FILE *ffdp;
1082
1083 buf = OPENSSL_zalloc(SENDFILE_SZ);
1084 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1085 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1086 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1087 goto end;
1088
1089 /* Skip this test if the platform does not support ktls */
1090 if (!ktls_chk_platform(sfd)) {
1091 testresult = 1;
1092 goto end;
1093 }
1094
1095 /* Create a session based on SHA-256 */
5e30f2fd 1096 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1097 TLS_client_method(),
da4db160 1098 tls_version, tls_version,
7c3a7561 1099 &sctx, &cctx, cert, privkey))
da4db160 1100 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
7c3a7561
BP		 1101 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1102 &clientssl, sfd, cfd)))
1103 goto end;
1104
1105 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1106 SSL_ERROR_NONE))
1107 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1108 goto end;
1109
1110 RAND_bytes(buf, SENDFILE_SZ);
1111 out = BIO_new_file(tmpfilename, "wb");
1112 if (!TEST_ptr(out))
1113 goto end;
1114
1115 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1116 goto end;
1117
1118 BIO_free(out);
1119 out = NULL;
1120 in = BIO_new_file(tmpfilename, "rb");
1121 BIO_get_fp(in, &ffdp);
1122 ffd = fileno(ffdp);
1123
1124 while (chunk_off < SENDFILE_SZ) {
1125 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1126 while ((err = SSL_sendfile(serverssl,
1127 ffd,
1128 chunk_off,
1129 chunk_size,
1130 0)) != chunk_size) {
1131 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1132 goto end;
1133 }
1134 while ((err = SSL_read(clientssl,
1135 buf_dst + chunk_off,
1136 chunk_size)) != chunk_size) {
1137 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1138 goto end;
1139 }
1140
1141 /* verify the payload */
1142 if (!TEST_mem_eq(buf_dst + chunk_off,
1143 chunk_size,
1144 buf + chunk_off,
1145 chunk_size))
1146 goto end;
1147
1148 chunk_off += chunk_size;
1149 }
1150
1151 testresult = 1;
1152end:
1153 if (clientssl) {
1154 SSL_shutdown(clientssl);
1155 SSL_free(clientssl);
1156 }
1157 if (serverssl) {
1158 SSL_shutdown(serverssl);
1159 SSL_free(serverssl);
1160 }
1161 SSL_CTX_free(sctx);
1162 SSL_CTX_free(cctx);
1163 serverssl = clientssl = NULL;
1164 BIO_free(out);
1165 BIO_free(in);
1166 OPENSSL_free(buf);
1167 OPENSSL_free(buf_dst);
1168 return testresult;
1169}
1170
da4db160 1171static int test_ktls_no_txrx_client_no_txrx_server(int tlsver)
2fab79af 1172{
da4db160
VF		 1173 int testresult = 1;
1174
1175#ifdef OPENSSL_KTLS_AES_GCM_128
1176 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1177 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1178#endif
1179#ifdef OPENSSL_KTLS_AES_CCM_128
1180 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1181 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1182#endif
1183#ifdef OPENSSL_KTLS_AES_GCM_256
1184 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1185 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1186#endif
1187 return testresult;
2fab79af
BP		 1188}
1189
da4db160 1190static int test_ktls_no_rx_client_no_txrx_server(int tlsver)
2fab79af 1191{
da4db160
VF		 1192 int testresult = 1;
1193
1194#ifdef OPENSSL_KTLS_AES_GCM_128
1195 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1196 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1197#endif
1198#ifdef OPENSSL_KTLS_AES_CCM_128
1199 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1200 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1201#endif
1202#ifdef OPENSSL_KTLS_AES_GCM_256
1203 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1204 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1205#endif
1206 return testresult;
2fab79af
BP		 1207}
1208
da4db160 1209static int test_ktls_no_tx_client_no_txrx_server(int tlsver)
2fab79af 1210{
da4db160
VF		 1211 int testresult = 1;
1212
1213#ifdef OPENSSL_KTLS_AES_GCM_128
1214 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1215 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1216#endif
1217#ifdef OPENSSL_KTLS_AES_CCM_128
1218 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1219 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1220#endif
1221#ifdef OPENSSL_KTLS_AES_GCM_256
1222 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1223 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1224#endif
1225 return testresult;
2fab79af
BP		 1226}
1227
da4db160 1228static int test_ktls_client_no_txrx_server(int tlsver)
2fab79af 1229{
da4db160
VF		 1230 int testresult = 1;
1231
1232#ifdef OPENSSL_KTLS_AES_GCM_128
1233 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1234 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1235#endif
1236#ifdef OPENSSL_KTLS_AES_CCM_128
1237 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1238 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1239#endif
1240#ifdef OPENSSL_KTLS_AES_GCM_256
1241 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1242 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1243#endif
1244 return testresult;
2fab79af
BP		 1245}
1246
da4db160 1247static int test_ktls_no_txrx_client_no_rx_server(int tlsver)
2fab79af 1248{
da4db160
VF		 1249 int testresult = 1;
1250
1251#ifdef OPENSSL_KTLS_AES_GCM_128
1252 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1253 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1254#endif
1255#ifdef OPENSSL_KTLS_AES_CCM_128
1256 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1257 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1258#endif
1259#ifdef OPENSSL_KTLS_AES_GCM_256
1260 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1261 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1262#endif
1263 return testresult;
2fab79af
BP		 1264}
1265
da4db160 1266static int test_ktls_no_rx_client_no_rx_server(int tlsver)
2fab79af 1267{
da4db160
VF		 1268 int testresult = 1;
1269
1270#ifdef OPENSSL_KTLS_AES_GCM_128
1271 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1272 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1273#endif
1274#ifdef OPENSSL_KTLS_AES_CCM_128
1275 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1276 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1277#endif
1278#ifdef OPENSSL_KTLS_AES_GCM_256
1279 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1280 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1281#endif
1282 return testresult;
2fab79af
BP		 1283}
1284
da4db160 1285static int test_ktls_no_tx_client_no_rx_server(int tlsver)
2fab79af 1286{
da4db160
VF		 1287 int testresult = 1;
1288
1289#ifdef OPENSSL_KTLS_AES_GCM_128
1290 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1291 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1292#endif
1293#ifdef OPENSSL_KTLS_AES_CCM_128
1294 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1295 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1296#endif
1297#ifdef OPENSSL_KTLS_AES_GCM_256
1298 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1299 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1300#endif
1301 return testresult;
2fab79af
BP		 1302}
1303
da4db160 1304static int test_ktls_client_no_rx_server(int tlsver)
fe5d9450 1305{
da4db160
VF		 1306 int testresult = 1;
1307
1308#ifdef OPENSSL_KTLS_AES_GCM_128
1309 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1310 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1311#endif
1312#ifdef OPENSSL_KTLS_AES_CCM_128
1313 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1314 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1315#endif
1316#ifdef OPENSSL_KTLS_AES_GCM_256
1317 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1318 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1319#endif
1320 return testresult;
fe5d9450
BP		 1321}
1322
da4db160 1323static int test_ktls_no_txrx_client_no_tx_server(int tlsver)
fe5d9450 1324{
da4db160
VF		 1325 int testresult = 1;
1326
1327#ifdef OPENSSL_KTLS_AES_GCM_128
1328 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1329 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1330#endif
1331#ifdef OPENSSL_KTLS_AES_CCM_128
1332 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1333 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1334#endif
1335#ifdef OPENSSL_KTLS_AES_GCM_256
1336 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1337 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1338#endif
1339 return testresult;
fe5d9450
BP		 1340}
1341
da4db160 1342static int test_ktls_no_rx_client_no_tx_server(int tlsver)
fe5d9450 1343{
da4db160
VF		 1344 int testresult = 1;
1345
1346#ifdef OPENSSL_KTLS_AES_GCM_128
1347 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1348 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1349#endif
1350#ifdef OPENSSL_KTLS_AES_CCM_128
1351 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1352 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1353#endif
1354#ifdef OPENSSL_KTLS_AES_GCM_256
1355 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1356 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1357#endif
1358 return testresult;
fe5d9450
BP		 1359}
1360
da4db160 1361static int test_ktls_no_tx_client_no_tx_server(int tlsver)
2fab79af 1362{
da4db160
VF		 1363 int testresult = 1;
1364
1365#ifdef OPENSSL_KTLS_AES_GCM_128
1366 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1367 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1368#endif
1369#ifdef OPENSSL_KTLS_AES_CCM_128
1370 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1371 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1372#endif
1373#ifdef OPENSSL_KTLS_AES_GCM_256
1374 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1375 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1376#endif
1377 return testresult;
2fab79af
BP		 1378}
1379
da4db160 1380static int test_ktls_client_no_tx_server(int tlsver)
2fab79af 1381{
da4db160
VF		 1382 int testresult = 1;
1383
1384#ifdef OPENSSL_KTLS_AES_GCM_128
1385 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1386 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1387#endif
1388#ifdef OPENSSL_KTLS_AES_CCM_128
1389 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1390 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1391#endif
1392#ifdef OPENSSL_KTLS_AES_GCM_256
1393 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1394 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1395#endif
1396 return testresult;
2fab79af
BP		 1397}
1398
da4db160 1399static int test_ktls_no_txrx_client_server(int tlsver)
2fab79af 1400{
da4db160
VF		 1401 int testresult = 1;
1402
1403#ifdef OPENSSL_KTLS_AES_GCM_128
1404 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1405 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1406#endif
1407#ifdef OPENSSL_KTLS_AES_CCM_128
1408 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1409 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1410#endif
1411#ifdef OPENSSL_KTLS_AES_GCM_256
1412 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1413 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1414#endif
1415 return testresult;
2fab79af
BP		 1416}
1417
da4db160 1418static int test_ktls_no_rx_client_server(int tlsver)
2fab79af 1419{
da4db160
VF		 1420 int testresult = 1;
1421
1422#ifdef OPENSSL_KTLS_AES_GCM_128
1423 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1424 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1425#endif
1426#ifdef OPENSSL_KTLS_AES_CCM_128
1427 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1428 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1429#endif
1430#ifdef OPENSSL_KTLS_AES_GCM_256
1431 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1432 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1433#endif
1434 return testresult;
2fab79af
BP		 1435}
1436
da4db160 1437static int test_ktls_no_tx_client_server(int tlsver)
2fab79af 1438{
da4db160
VF		 1439 int testresult = 1;
1440
1441#ifdef OPENSSL_KTLS_AES_GCM_128
1442 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1443 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1444#endif
1445#ifdef OPENSSL_KTLS_AES_CCM_128
1446 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1447 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1448#endif
1449#ifdef OPENSSL_KTLS_AES_GCM_256
1450 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1451 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1452#endif
1453 return testresult;
1454}
1455
1456static int test_ktls_client_server(int tlsver)
1457{
1458 int testresult = 1;
1459
1460#ifdef OPENSSL_KTLS_AES_GCM_128
1461 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1462 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1463#endif
1464#ifdef OPENSSL_KTLS_AES_CCM_128
1465 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1466 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1467#endif
1468#ifdef OPENSSL_KTLS_AES_GCM_256
1469 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1470 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1471#endif
1472 return testresult;
1473}
1474
1475#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1476static int test_ktls(int test)
1477{
1478 int tlsver;
1479
1480 if (test > 15) {
1481#if defined(OPENSSL_NO_TLS1_3)
1482 return 1;
1483#else
1484 test -= 16;
1485 tlsver = TLS1_3_VERSION;
1486#endif
1487 } else {
1488#if defined(OPENSSL_NO_TLS1_2)
1489 return 1;
1490#else
1491 tlsver = TLS1_2_VERSION;
1492#endif
1493 }
1494
1495 switch(test) {
1496 case 0:
1497 return test_ktls_no_txrx_client_no_txrx_server(tlsver);
1498 case 1:
1499 return test_ktls_no_rx_client_no_txrx_server(tlsver);
1500 case 2:
1501 return test_ktls_no_tx_client_no_txrx_server(tlsver);
1502 case 3:
1503 return test_ktls_client_no_txrx_server(tlsver);
1504 case 4:
1505 return test_ktls_no_txrx_client_no_rx_server(tlsver);
1506 case 5:
1507 return test_ktls_no_rx_client_no_rx_server(tlsver);
1508 case 6:
1509 return test_ktls_no_tx_client_no_rx_server(tlsver);
1510 case 7:
1511 return test_ktls_client_no_rx_server(tlsver);
1512 case 8:
1513 return test_ktls_no_txrx_client_no_tx_server(tlsver);
1514 case 9:
1515 return test_ktls_no_rx_client_no_tx_server(tlsver);
1516 case 10:
1517 return test_ktls_no_tx_client_no_tx_server(tlsver);
1518 case 11:
1519 return test_ktls_client_no_tx_server(tlsver);
1520 case 12:
1521 return test_ktls_no_txrx_client_server(tlsver);
1522 case 13:
1523 return test_ktls_no_rx_client_server(tlsver);
1524 case 14:
1525 return test_ktls_no_tx_client_server(tlsver);
1526 case 15:
1527 return test_ktls_client_server(tlsver);
1528 default:
1529 return 0;
1530 }
2fab79af
BP		 1531}
1532
da4db160 1533static int test_ktls_sendfile_anytls(int tst)
fe5d9450 1534{
da4db160
VF		 1535 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM-SHA256","AES256-GCM-SHA384"};
1536 int tlsver;
1537
1538 if (tst > 2) {
1539#if defined(OPENSSL_NO_TLS1_3)
1540 return 1;
1541#else
1542 tst -= 3;
1543 tlsver = TLS1_3_VERSION;
1544#endif
1545 } else {
1546#if defined(OPENSSL_NO_TLS1_2)
1547 return 1;
1548#else
1549 tlsver = TLS1_2_VERSION;
1550#endif
1551 }
1552
1553#ifndef OPENSSL_KTLS_AES_GCM_128
1554 if(tst == 0) return 1;
1555#endif
1556#ifndef OPENSSL_KTLS_AES_CCM_128
1557 if(tst == 1) return 1;
1558#endif
1559#ifndef OPENSSL_KTLS_AES_GCM_256
1560 if(tst == 2) return 1;
1561#endif
1562 return test_ktls_sendfile(tlsver, cipher[tst]);
fe5d9450 1563}
da4db160
VF		 1564
1565#endif
fe5d9450
BP		 1566#endif
1567
84d5549e
MC		 1568static int test_large_message_tls(void)
1569{
7856332e 1570 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1571 TLS1_VERSION, 0, 0);
7856332e
MC		 1572}
1573
1574static int test_large_message_tls_read_ahead(void)
1575{
1576 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1577 TLS1_VERSION, 0, 1);
84d5549e
MC		 1578}
1579
55386bef 1580#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1581static int test_large_message_dtls(void)
1582{
7856332e
MC		 1583 /*
1584 * read_ahead is not relevant to DTLS because DTLS always acts as if
1585 * read_ahead is set.
1586 */
84d5549e 1587 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1588 DTLS_client_method(),
5c587fb6 1589 DTLS1_VERSION, 0, 0);
84d5549e 1590}
55386bef 1591#endif
84d5549e 1592
8f8c11d8 1593#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1594static int ocsp_server_cb(SSL *s, void *arg)
1595{
1596 int *argi = (int *)arg;
710756a9 1597 unsigned char *copy = NULL;
ba881d3b
MC		 1598 STACK_OF(OCSP_RESPID) *ids = NULL;
1599 OCSP_RESPID *id = NULL;
1600
1601 if (*argi == 2) {
1602 /* In this test we are expecting exactly 1 OCSP_RESPID */
1603 SSL_get_tlsext_status_ids(s, &ids);
1604 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1605 return SSL_TLSEXT_ERR_ALERT_FATAL;
1606
1607 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1608 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1609 return SSL_TLSEXT_ERR_ALERT_FATAL;
1610 } else if (*argi != 1) {
1611 return SSL_TLSEXT_ERR_ALERT_FATAL;
1612 }
1613
710756a9 1614 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1615 return SSL_TLSEXT_ERR_ALERT_FATAL;
1616
710756a9 1617 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1618 ocsp_server_called = 1;
ba881d3b
MC		 1619 return SSL_TLSEXT_ERR_OK;
1620}
1621
1622static int ocsp_client_cb(SSL *s, void *arg)
1623{
1624 int *argi = (int *)arg;
1625 const unsigned char *respderin;
1626 size_t len;
1627
1628 if (*argi != 1 && *argi != 2)
1629 return 0;
1630
1631 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1632 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1633 return 0;
1634
1635 ocsp_client_called = 1;
ba881d3b
MC		 1636 return 1;
1637}
1638
2cb4b5f6
MC		 1639static int test_tlsext_status_type(void)
1640{
ba881d3b
MC		 1641 SSL_CTX *cctx = NULL, *sctx = NULL;
1642 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1643 int testresult = 0;
ba881d3b
MC		 1644 STACK_OF(OCSP_RESPID) *ids = NULL;
1645 OCSP_RESPID *id = NULL;
1646 BIO *certbio = NULL;
2cb4b5f6 1647
5e30f2fd 1648 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1649 TLS1_VERSION, 0,
7d7f6834 1650 &sctx, &cctx, cert, privkey))
ba881d3b 1651 return 0;
2cb4b5f6 1652
710756a9 1653 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1654 goto end;
2cb4b5f6 1655
ba881d3b 1656 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1657
ba881d3b 1658 clientssl = SSL_new(cctx);
710756a9
RS		 1659 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1660 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1661 TLSEXT_STATUSTYPE_ocsp))
1662 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1663 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1664 goto end;
2cb4b5f6 1665
ba881d3b
MC		 1666 SSL_free(clientssl);
1667 clientssl = NULL;
2cb4b5f6 1668
710756a9
RS		 1669 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1670 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1671 goto end;
2cb4b5f6 1672
ba881d3b 1673 clientssl = SSL_new(cctx);
710756a9 1674 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1675 goto end;
ba881d3b
MC		 1676 SSL_free(clientssl);
1677 clientssl = NULL;
1678
1679 /*
1680 * Now actually do a handshake and check OCSP information is exchanged and
1681 * the callbacks get called
1682 */
ba881d3b
MC		 1683 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1684 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1685 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1686 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1687 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1688 &clientssl, NULL, NULL))
1689 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1690 SSL_ERROR_NONE))
1691 || !TEST_true(ocsp_client_called)
1692 || !TEST_true(ocsp_server_called))
ba881d3b 1693 goto end;
ba881d3b
MC		 1694 SSL_free(serverssl);
1695 SSL_free(clientssl);
1696 serverssl = NULL;
1697 clientssl = NULL;
1698
1699 /* Try again but this time force the server side callback to fail */
1700 ocsp_client_called = 0;
1701 ocsp_server_called = 0;
1702 cdummyarg = 0;
710756a9
RS		 1703 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1704 &clientssl, NULL, NULL))
1705 /* This should fail because the callback will fail */
1706 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1707 SSL_ERROR_NONE))
1708 || !TEST_false(ocsp_client_called)
1709 || !TEST_false(ocsp_server_called))
ba881d3b 1710 goto end;
ba881d3b
MC		 1711 SSL_free(serverssl);
1712 SSL_free(clientssl);
1713 serverssl = NULL;
1714 clientssl = NULL;
1715
1716 /*
1717 * This time we'll get the client to send an OCSP_RESPID that it will
1718 * accept.
1719 */
1720 ocsp_client_called = 0;
1721 ocsp_server_called = 0;
1722 cdummyarg = 2;
710756a9
RS		 1723 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1724 &clientssl, NULL, NULL)))
ba881d3b 1725 goto end;
ba881d3b
MC		 1726
1727 /*
1728 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1729 * specific one. We'll use the server cert.
ba881d3b 1730 */
710756a9
RS		 1731 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1732 || !TEST_ptr(id = OCSP_RESPID_new())
1733 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1734 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1735 NULL, NULL, NULL))
5e30f2fd 1736 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1737 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1738 goto end;
ba881d3b
MC		 1739 id = NULL;
1740 SSL_set_tlsext_status_ids(clientssl, ids);
1741 /* Control has been transferred */
1742 ids = NULL;
1743
1744 BIO_free(certbio);
1745 certbio = NULL;
1746
710756a9
RS		 1747 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1748 SSL_ERROR_NONE))
1749 || !TEST_true(ocsp_client_called)
1750 || !TEST_true(ocsp_server_called))
ba881d3b 1751 goto end;
ba881d3b 1752
2cb4b5f6
MC		 1753 testresult = 1;
1754
1755 end:
ba881d3b
MC		 1756 SSL_free(serverssl);
1757 SSL_free(clientssl);
1758 SSL_CTX_free(sctx);
1759 SSL_CTX_free(cctx);
1760 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1761 OCSP_RESPID_free(id);
1762 BIO_free(certbio);
1763 X509_free(ocspcert);
1764 ocspcert = NULL;
2cb4b5f6
MC		 1765
1766 return testresult;
1767}
8f8c11d8 1768#endif
2cb4b5f6 1769
bf208d95 1770#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1771static int new_called, remove_called, get_called;
eaa776da 1772
eaa776da
MC		 1773static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1774{
1775 new_called++;
c0537ebd
MC		 1776 /*
1777 * sess has been up-refed for us, but we don't actually need it so free it
1778 * immediately.
1779 */
1780 SSL_SESSION_free(sess);
eaa776da
MC		 1781 return 1;
1782}
1783
1784static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1785{
1786 remove_called++;
1787}
1788
7a301f08
MC		 1789static SSL_SESSION *get_sess_val = NULL;
1790
1791static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1792 int *copy)
1793{
0afca811 1794 get_called++;
7a301f08
MC		 1795 *copy = 1;
1796 return get_sess_val;
1797}
1798
7a301f08 1799static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1800 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1801{
1802 SSL_CTX *sctx = NULL, *cctx = NULL;
1803 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1804 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1805# ifndef OPENSSL_NO_TLS1_1
eaa776da 1806 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1807# endif
2cb4b5f6 1808 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1809 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1810
7e885b7b
P		 1811 new_called = remove_called = 0;
1812
36ff232c
MC		 1813 /* TLSv1.3 sends 2 NewSessionTickets */
1814 if (maxprot == TLS1_3_VERSION)
1815 numnewsesstick = 2;
1816
5e30f2fd
MC		 1817 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1818 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1819 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1820 return 0;
2cb4b5f6 1821
7a301f08
MC		 1822 /*
1823 * Only allow the max protocol version so we can force a connection failure
1824 * later
1825 */
1826 SSL_CTX_set_min_proto_version(cctx, maxprot);
1827 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1828
1829 /* Set up session cache */
7e885b7b 1830 if (use_ext_cache) {
eaa776da
MC		 1831 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1832 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1833 }
7e885b7b 1834 if (use_int_cache) {
eaa776da
MC		 1835 /* Also covers instance where both are set */
1836 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1837 } else {
1838 SSL_CTX_set_session_cache_mode(cctx,
1839 SSL_SESS_CACHE_CLIENT
1840 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1841 }
2cb4b5f6 1842
90fc2c26
NM		 1843 if (s_options) {
1844 SSL_CTX_set_options(sctx, s_options);
1845 }
1846
710756a9
RS		 1847 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1848 NULL, NULL))
1849 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1850 SSL_ERROR_NONE))
1851 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1852 goto end;
2cb4b5f6 1853
710756a9 1854 /* Should fail because it should already be in the cache */
7e885b7b 1855 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1856 goto end;
7a301f08 1857 if (use_ext_cache
36ff232c
MC		 1858 && (!TEST_int_eq(new_called, numnewsesstick)
1859
1860 || !TEST_int_eq(remove_called, 0)))
b4982125 1861 goto end;
b4982125 1862
c0537ebd
MC		 1863 new_called = remove_called = 0;
1864 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1865 &clientssl2, NULL, NULL))
1866 || !TEST_true(SSL_set_session(clientssl2, sess1))
1867 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1868 SSL_ERROR_NONE))
1869 || !TEST_true(SSL_session_reused(clientssl2)))
1870 goto end;
1871
7a301f08
MC		 1872 if (maxprot == TLS1_3_VERSION) {
1873 /*
1874 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1875 * resumed. Since we attempted a resume we should also have removed the
1876 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1877 */
1878 if (use_ext_cache
1879 && (!TEST_int_eq(new_called, 1)
4cb00457 1880 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1881 goto end;
1882 } else {
1883 /*
1884 * In TLSv1.2 we expect to have resumed so no sessions added or
1885 * removed.
1886 */
1887 if (use_ext_cache
1888 && (!TEST_int_eq(new_called, 0)
1889 || !TEST_int_eq(remove_called, 0)))
1890 goto end;
1891 }
c0537ebd
MC		 1892
1893 SSL_SESSION_free(sess1);
1894 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1895 goto end;
1896 shutdown_ssl_connection(serverssl2, clientssl2);
1897 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1898
1899 new_called = remove_called = 0;
710756a9
RS		 1900 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1901 &clientssl2, NULL, NULL))
1902 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1903 SSL_ERROR_NONE)))
2cb4b5f6 1904 goto end;
2cb4b5f6 1905
710756a9 1906 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1907 goto end;
2cb4b5f6 1908
7a301f08 1909 if (use_ext_cache
36ff232c
MC		 1910 && (!TEST_int_eq(new_called, numnewsesstick)
1911 || !TEST_int_eq(remove_called, 0)))
eaa776da 1912 goto end;
eaa776da 1913
c0537ebd 1914 new_called = remove_called = 0;
2cb4b5f6 1915 /*
710756a9
RS		 1916 * This should clear sess2 from the cache because it is a "bad" session.
1917 * See SSL_set_session() documentation.
2cb4b5f6 1918 */
710756a9 1919 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1920 goto end;
7a301f08
MC		 1921 if (use_ext_cache
1922 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1923 goto end;
710756a9 1924 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1925 goto end;
2cb4b5f6 1926
7e885b7b 1927 if (use_int_cache) {
710756a9
RS		 1928 /* Should succeeded because it should not already be in the cache */
1929 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1930 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1931 goto end;
eaa776da
MC		 1932 }
1933
c0537ebd 1934 new_called = remove_called = 0;
eaa776da 1935 /* This shouldn't be in the cache so should fail */
710756a9 1936 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1937 goto end;
2cb4b5f6 1938
7a301f08
MC		 1939 if (use_ext_cache
1940 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1941 goto end;
2cb4b5f6 1942
bf208d95 1943# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1944 new_called = remove_called = 0;
eaa776da
MC		 1945 /* Force a connection failure */
1946 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1947 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1948 &clientssl3, NULL, NULL))
1949 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1950 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1951 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1952 SSL_ERROR_NONE)))
eaa776da 1953 goto end;
b4982125 1954
eaa776da 1955 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1956 if (use_ext_cache
1957 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1958 goto end;
2cb4b5f6 1959
710756a9 1960 /* Should succeed because it should not already be in the cache */
7e885b7b 1961 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1962 goto end;
bf208d95 1963# endif
eaa776da 1964
7a301f08
MC		 1965 /* Now do some tests for server side caching */
1966 if (use_ext_cache) {
1967 SSL_CTX_sess_set_new_cb(cctx, NULL);
1968 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1969 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1970 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1971 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1972 get_sess_val = NULL;
1973 }
1974
1975 SSL_CTX_set_session_cache_mode(cctx, 0);
1976 /* Internal caching is the default on the server side */
1977 if (!use_int_cache)
1978 SSL_CTX_set_session_cache_mode(sctx,
1979 SSL_SESS_CACHE_SERVER
1980 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1981
1982 SSL_free(serverssl1);
1983 SSL_free(clientssl1);
1984 serverssl1 = clientssl1 = NULL;
1985 SSL_free(serverssl2);
1986 SSL_free(clientssl2);
1987 serverssl2 = clientssl2 = NULL;
1988 SSL_SESSION_free(sess1);
1989 sess1 = NULL;
1990 SSL_SESSION_free(sess2);
1991 sess2 = NULL;
1992
1993 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1994 if (maxprot == TLS1_2_VERSION)
1995 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1996 new_called = remove_called = get_called = 0;
7a301f08
MC		 1997 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1998 NULL, NULL))
1999 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2000 SSL_ERROR_NONE))
2001 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2002 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2003 goto end;
2004
ee94ec2e
MC		 2005 if (use_int_cache) {
2006 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2007 /*
2008 * In TLSv1.3 it should not have been added to the internal cache,
2009 * except in the case where we also have an external cache (in that
2010 * case it gets added to the cache in order to generate remove
2011 * events after timeout).
2012 */
2013 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2014 goto end;
2015 } else {
2016 /* Should fail because it should already be in the cache */
2017 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2018 goto end;
2019 }
2020 }
7a301f08
MC		 2021
2022 if (use_ext_cache) {
2023 SSL_SESSION *tmp = sess2;
2024
36ff232c 2025 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2026 || !TEST_int_eq(remove_called, 0)
2027 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2028 goto end;
2029 /*
2030 * Delete the session from the internal cache to force a lookup from
2031 * the external cache. We take a copy first because
2032 * SSL_CTX_remove_session() also marks the session as non-resumable.
2033 */
ee94ec2e 2034 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2035 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2036 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2037 goto end;
2038 SSL_SESSION_free(sess2);
2039 }
7a301f08
MC		 2040 sess2 = tmp;
2041 }
2042
0afca811 2043 new_called = remove_called = get_called = 0;
7a301f08
MC		 2044 get_sess_val = sess2;
2045 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2046 &clientssl2, NULL, NULL))
2047 || !TEST_true(SSL_set_session(clientssl2, sess1))
2048 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2049 SSL_ERROR_NONE))
2050 || !TEST_true(SSL_session_reused(clientssl2)))
2051 goto end;
2052
0afca811 2053 if (use_ext_cache) {
32305f88 2054 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2055 goto end;
2056
2057 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2058 if (!TEST_int_eq(new_called, 1)
2059 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2060 goto end;
2061 } else {
32305f88
MC		 2062 if (!TEST_int_eq(new_called, 0)
2063 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2064 goto end;
2065 }
2066 }
7a301f08 2067
2cb4b5f6 2068 testresult = 1;
eaa776da 2069
2cb4b5f6
MC		 2070 end:
2071 SSL_free(serverssl1);
2072 SSL_free(clientssl1);
2073 SSL_free(serverssl2);
2074 SSL_free(clientssl2);
bf208d95 2075# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2076 SSL_free(serverssl3);
2077 SSL_free(clientssl3);
bf208d95 2078# endif
2cb4b5f6
MC		 2079 SSL_SESSION_free(sess1);
2080 SSL_SESSION_free(sess2);
2081 SSL_CTX_free(sctx);
2082 SSL_CTX_free(cctx);
2083
2084 return testresult;
2085}
bf208d95 2086#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2087
7fb4c820
MC		 2088static int test_session_with_only_int_cache(void)
2089{
7a301f08 2090#ifndef OPENSSL_NO_TLS1_3
90fc2c26 2091 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2092 return 0;
2093#endif
2094
2095#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2096 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2097#else
2098 return 1;
2099#endif
eaa776da
MC		 2100}
2101
7fb4c820
MC		 2102static int test_session_with_only_ext_cache(void)
2103{
7a301f08 2104#ifndef OPENSSL_NO_TLS1_3
90fc2c26 2105 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2106 return 0;
2107#endif
2108
2109#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2110 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2111#else
2112 return 1;
2113#endif
eaa776da
MC		 2114}
2115
7fb4c820
MC		 2116static int test_session_with_both_cache(void)
2117{
7a301f08 2118#ifndef OPENSSL_NO_TLS1_3
90fc2c26
NM		 2119 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2120 return 0;
2121#endif
2122
2123#ifndef OPENSSL_NO_TLS1_2
2124 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2125#else
2126 return 1;
2127#endif
2128}
2129
2130static int test_session_wo_ca_names(void)
2131{
2132#ifndef OPENSSL_NO_TLS1_3
2133 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2134 return 0;
2135#endif
2136
2137#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2138 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2139#else
2140 return 1;
2141#endif
eaa776da
MC		 2142}
2143
90fc2c26 2144
04225915 2145#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 2146static SSL_SESSION *sesscache[6];
2147static int do_cache;
36ff232c
MC		 2148
2149static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2150{
c22365b3
MC		 2151 if (do_cache) {
2152 sesscache[new_called] = sess;
2153 } else {
2154 /* We don't need the reference to the session, so free it */
2155 SSL_SESSION_free(sess);
2156 }
2157 new_called++;
2158
2159 return 1;
2160}
2161
2162static int post_handshake_verify(SSL *sssl, SSL *cssl)
2163{
2164 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2165 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2166 return 0;
2167
2168 /* Start handshake on the server and client */
2169 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2170 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2171 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2172 || !TEST_true(create_ssl_connection(sssl, cssl,
2173 SSL_ERROR_NONE)))
2174 return 0;
36ff232c
MC		 2175
2176 return 1;
2177}
2178
fbe9dafd 2179static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2180 SSL_CTX **cctx)
2181{
2182 int sess_id_ctx = 1;
2183
5e30f2fd
MC		 2184 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2185 TLS_client_method(), TLS1_VERSION, 0,
2186 sctx, cctx, cert, privkey))
03cdf559
MC		 2187 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2188 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2189 (void *)&sess_id_ctx,
2190 sizeof(sess_id_ctx))))
2191 return 0;
2192
2193 if (stateful)
2194 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2195
2196 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2197 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2198 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2199
2200 return 1;
2201}
2202
2203static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2204{
2205 SSL *serverssl = NULL, *clientssl = NULL;
2206 int i;
2207
2208 /* Test that we can resume with all the tickets we got given */
2209 for (i = 0; i < idx * 2; i++) {
2210 new_called = 0;
2211 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2212 &clientssl, NULL, NULL))
2213 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2214 goto end;
2215
32097b33 2216 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2217
2218 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2219 SSL_ERROR_NONE)))
2220 goto end;
2221
2222 /*
2223 * Following a successful resumption we only get 1 ticket. After a
2224 * failed one we should get idx tickets.
2225 */
2226 if (succ) {
2227 if (!TEST_true(SSL_session_reused(clientssl))
2228 || !TEST_int_eq(new_called, 1))
2229 goto end;
2230 } else {
2231 if (!TEST_false(SSL_session_reused(clientssl))
2232 || !TEST_int_eq(new_called, idx))
2233 goto end;
2234 }
2235
2236 new_called = 0;
2237 /* After a post-handshake authentication we should get 1 new ticket */
2238 if (succ
2239 && (!post_handshake_verify(serverssl, clientssl)
2240 || !TEST_int_eq(new_called, 1)))
2241 goto end;
2242
2243 SSL_shutdown(clientssl);
2244 SSL_shutdown(serverssl);
2245 SSL_free(serverssl);
2246 SSL_free(clientssl);
2247 serverssl = clientssl = NULL;
2248 SSL_SESSION_free(sesscache[i]);
2249 sesscache[i] = NULL;
2250 }
2251
2252 return 1;
2253
2254 end:
2255 SSL_free(clientssl);
2256 SSL_free(serverssl);
2257 return 0;
2258}
2259
04d7814a 2260static int test_tickets(int stateful, int idx)
36ff232c
MC		 2261{
2262 SSL_CTX *sctx = NULL, *cctx = NULL;
2263 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2264 int testresult = 0;
36ff232c
MC		 2265 size_t j;
2266
2267 /* idx is the test number, but also the number of tickets we want */
2268
2269 new_called = 0;
c22365b3 2270 do_cache = 1;
36ff232c 2271
fbe9dafd 2272 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2273 goto end;
2274
03cdf559
MC		 2275 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2276 &clientssl, NULL, NULL)))
2277 goto end;
2278
2279 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2280 SSL_ERROR_NONE))
2281 /* Check we got the number of tickets we were expecting */
2282 || !TEST_int_eq(idx, new_called))
2283 goto end;
04d7814a 2284
03cdf559
MC		 2285 SSL_shutdown(clientssl);
2286 SSL_shutdown(serverssl);
2287 SSL_free(serverssl);
2288 SSL_free(clientssl);
2289 SSL_CTX_free(sctx);
2290 SSL_CTX_free(cctx);
2291 clientssl = serverssl = NULL;
2292 sctx = cctx = NULL;
2293
2294 /*
2295 * Now we try to resume with the tickets we previously created. The
2296 * resumption attempt is expected to fail (because we're now using a new
2297 * SSL_CTX). We should see idx number of tickets issued again.
2298 */
2299
2300 /* Stop caching sessions - just count them */
2301 do_cache = 0;
2302
fbe9dafd 2303 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2304 goto end;
2305
2306 if (!check_resumption(idx, sctx, cctx, 0))
2307 goto end;
2308
2309 /* Start again with caching sessions */
2310 new_called = 0;
2311 do_cache = 1;
fbe9dafd
MC		 2312 SSL_CTX_free(sctx);
2313 SSL_CTX_free(cctx);
2314 sctx = cctx = NULL;
03cdf559 2315
fbe9dafd 2316 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2317 goto end;
36ff232c
MC		 2318
2319 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2320 &clientssl, NULL, NULL)))
2321 goto end;
2322
32097b33 2323 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2324
2325 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2326 SSL_ERROR_NONE))
2327 /* Check we got the number of tickets we were expecting */
2328 || !TEST_int_eq(idx, new_called))
2329 goto end;
2330
2331 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2332 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2333 || !TEST_int_eq(idx * 2, new_called))
2334 goto end;
2335
36ff232c
MC		 2336 SSL_shutdown(clientssl);
2337 SSL_shutdown(serverssl);
2338 SSL_free(serverssl);
2339 SSL_free(clientssl);
2340 serverssl = clientssl = NULL;
2341
c22365b3
MC		 2342 /* Stop caching sessions - just count them */
2343 do_cache = 0;
2344
03cdf559
MC		 2345 /*
2346 * Check we can resume with all the tickets we created. This time around the
2347 * resumptions should all be successful.
2348 */
2349 if (!check_resumption(idx, sctx, cctx, 1))
2350 goto end;
36ff232c
MC		 2351
2352 testresult = 1;
2353
2354 end:
2355 SSL_free(serverssl);
2356 SSL_free(clientssl);
c22365b3 2357 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2358 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2359 sesscache[j] = NULL;
2360 }
36ff232c
MC		 2361 SSL_CTX_free(sctx);
2362 SSL_CTX_free(cctx);
2363
2364 return testresult;
2365}
04d7814a
MC		 2366
2367static int test_stateless_tickets(int idx)
2368{
2369 return test_tickets(0, idx);
2370}
2371
2372static int test_stateful_tickets(int idx)
2373{
2374 return test_tickets(1, idx);
2375}
8614a4eb
MC		 2376
2377static int test_psk_tickets(void)
2378{
2379 SSL_CTX *sctx = NULL, *cctx = NULL;
2380 SSL *serverssl = NULL, *clientssl = NULL;
2381 int testresult = 0;
2382 int sess_id_ctx = 1;
2383
5e30f2fd
MC		 2384 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2385 TLS_client_method(), TLS1_VERSION, 0,
2386 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2387 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2388 (void *)&sess_id_ctx,
2389 sizeof(sess_id_ctx))))
2390 goto end;
2391
2392 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2393 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2394 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2395 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2396 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2397 use_session_cb_cnt = 0;
2398 find_session_cb_cnt = 0;
2399 srvid = pskid;
2400 new_called = 0;
2401
2402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2403 NULL, NULL)))
2404 goto end;
2405 clientpsk = serverpsk = create_a_psk(clientssl);
2406 if (!TEST_ptr(clientpsk))
2407 goto end;
2408 SSL_SESSION_up_ref(clientpsk);
2409
2410 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2411 SSL_ERROR_NONE))
2412 || !TEST_int_eq(1, find_session_cb_cnt)
2413 || !TEST_int_eq(1, use_session_cb_cnt)
2414 /* We should always get 1 ticket when using external PSK */
2415 || !TEST_int_eq(1, new_called))
2416 goto end;
2417
2418 testresult = 1;
2419
2420 end:
2421 SSL_free(serverssl);
2422 SSL_free(clientssl);
2423 SSL_CTX_free(sctx);
2424 SSL_CTX_free(cctx);
2425 SSL_SESSION_free(clientpsk);
2426 SSL_SESSION_free(serverpsk);
2427 clientpsk = serverpsk = NULL;
2428
2429 return testresult;
2430}
f0049b86
BK		 2431
2432static int test_extra_tickets(int idx)
2433{
2434 SSL_CTX *sctx = NULL, *cctx = NULL;
2435 SSL *serverssl = NULL, *clientssl = NULL;
2436 BIO *bretry = BIO_new(bio_s_always_retry());
2437 BIO *tmp = NULL;
2438 int testresult = 0;
2439 int stateful = 0;
2440 size_t nbytes;
2441 unsigned char c, buf[1];
2442
2443 new_called = 0;
2444 do_cache = 1;
2445
2446 if (idx >= 3) {
2447 idx -= 3;
2448 stateful = 1;
2449 }
2450
2451 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2452 goto end;
2453 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2454 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2455 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2456
2457 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2458 &clientssl, NULL, NULL)))
2459 goto end;
2460
2461 /*
2462 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2463 * incremented by both client and server.
2464 */
2465 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2466 SSL_ERROR_NONE))
2467 /* Check we got the number of tickets we were expecting */
2468 || !TEST_int_eq(idx * 2, new_called)
2469 || !TEST_true(SSL_new_session_ticket(serverssl))
2470 || !TEST_true(SSL_new_session_ticket(serverssl))
2471 || !TEST_int_eq(idx * 2, new_called))
2472 goto end;
2473
2474 /* Now try a (real) write to actually send the tickets */
2475 c = '1';
2476 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2477 || !TEST_size_t_eq(1, nbytes)
2478 || !TEST_int_eq(idx * 2 + 2, new_called)
2479 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2480 || !TEST_int_eq(idx * 2 + 4, new_called)
2481 || !TEST_int_eq(sizeof(buf), nbytes)
2482 || !TEST_int_eq(c, buf[0])
2483 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2484 goto end;
2485
2486 /* Try with only requesting one new ticket, too */
2487 c = '2';
2488 new_called = 0;
2489 if (!TEST_true(SSL_new_session_ticket(serverssl))
2490 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2491 || !TEST_size_t_eq(sizeof(c), nbytes)
2492 || !TEST_int_eq(1, new_called)
2493 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2494 || !TEST_int_eq(2, new_called)
2495 || !TEST_size_t_eq(sizeof(buf), nbytes)
2496 || !TEST_int_eq(c, buf[0]))
2497 goto end;
2498
2499 /* Do it again but use dummy writes to drive the ticket generation */
2500 c = '3';
2501 new_called = 0;
2502 if (!TEST_true(SSL_new_session_ticket(serverssl))
2503 || !TEST_true(SSL_new_session_ticket(serverssl))
2504 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2505 || !TEST_size_t_eq(0, nbytes)
2506 || !TEST_int_eq(2, new_called)
2507 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2508 || !TEST_int_eq(4, new_called))
2509 goto end;
2510
2511 /*
2512 * Use the always-retry BIO to exercise the logic that forces ticket
2513 * generation to wait until a record boundary.
2514 */
2515 c = '4';
2516 new_called = 0;
2517 tmp = SSL_get_wbio(serverssl);
2518 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2519 tmp = NULL;
2520 goto end;
2521 }
2522 SSL_set0_wbio(serverssl, bretry);
2523 bretry = NULL;
2524 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2525 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2526 || !TEST_size_t_eq(nbytes, 0))
2527 goto end;
2528 /* Restore a BIO that will let the write succeed */
2529 SSL_set0_wbio(serverssl, tmp);
2530 tmp = NULL;
2531 /* These calls should just queue the request and not send anything. */
2532 if (!TEST_true(SSL_new_session_ticket(serverssl))
2533 || !TEST_true(SSL_new_session_ticket(serverssl))
2534 || !TEST_int_eq(0, new_called))
2535 goto end;
2536 /* Re-do the write; still no tickets sent */
2537 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2538 || !TEST_size_t_eq(1, nbytes)
2539 || !TEST_int_eq(0, new_called)
2540 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2541 || !TEST_int_eq(0, new_called)
2542 || !TEST_int_eq(sizeof(buf), nbytes)
2543 || !TEST_int_eq(c, buf[0])
2544 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2545 goto end;
2546 /* Now the *next* write should send the tickets */
2547 c = '5';
2548 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2549 || !TEST_size_t_eq(1, nbytes)
2550 || !TEST_int_eq(2, new_called)
2551 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2552 || !TEST_int_eq(4, new_called)
2553 || !TEST_int_eq(sizeof(buf), nbytes)
2554 || !TEST_int_eq(c, buf[0])
2555 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2556 goto end;
2557
2558 SSL_shutdown(clientssl);
2559 SSL_shutdown(serverssl);
2560 testresult = 1;
2561
2562 end:
2563 BIO_free(bretry);
2564 BIO_free(tmp);
2565 SSL_free(serverssl);
2566 SSL_free(clientssl);
2567 SSL_CTX_free(sctx);
2568 SSL_CTX_free(cctx);
2569 clientssl = serverssl = NULL;
2570 sctx = cctx = NULL;
2571 return testresult;
2572}
04225915 2573#endif
36ff232c 2574
7d4488bb
MC		 2575#define USE_NULL 0
2576#define USE_BIO_1 1
2577#define USE_BIO_2 2
2578#define USE_DEFAULT 3
2579
2580#define CONNTYPE_CONNECTION_SUCCESS 0
2581#define CONNTYPE_CONNECTION_FAIL 1
2582#define CONNTYPE_NO_CONNECTION 2
2583
2584#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2585#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2586#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2587# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2588#else
2589# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2590#endif
2591
7d4488bb
MC		 2592#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2593 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2594 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2595
2596static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2597{
2598 switch (type) {
2599 case USE_NULL:
2600 *res = NULL;
2601 break;
2602 case USE_BIO_1:
2603 *res = bio1;
2604 break;
2605 case USE_BIO_2:
2606 *res = bio2;
2607 break;
2608 }
2609}
2610
7d4488bb
MC		 2611
2612/*
2613 * Tests calls to SSL_set_bio() under various conditions.
2614 *
2615 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2616 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2617 * then do more tests where we create a successful connection first using our
2618 * standard connection setup functions, and then call SSL_set_bio() with
2619 * various combinations of valid BIOs or NULL. We then repeat these tests
2620 * following a failed connection. In this last case we are looking to check that
2621 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2622 */
7fb4c820
MC		 2623static int test_ssl_set_bio(int idx)
2624{
7d4488bb 2625 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2626 BIO *bio1 = NULL;
2627 BIO *bio2 = NULL;
0fae8150 2628 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2629 SSL *serverssl = NULL, *clientssl = NULL;
2630 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2631 int testresult = 0;
2632
7d4488bb
MC		 2633 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2634 initrbio = idx % 3;
2635 idx /= 3;
2636 initwbio = idx % 3;
2637 idx /= 3;
2638 newrbio = idx % 3;
2639 idx /= 3;
2640 newwbio = idx % 3;
2641 conntype = CONNTYPE_NO_CONNECTION;
2642 } else {
2643 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2644 initrbio = initwbio = USE_DEFAULT;
2645 newrbio = idx % 2;
2646 idx /= 2;
2647 newwbio = idx % 2;
2648 idx /= 2;
2649 conntype = idx % 2;
2650 }
710756a9 2651
5e30f2fd
MC		 2652 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2653 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2654 &sctx, &cctx, cert, privkey)))
2655 goto end;
2656
2657 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2658 /*
2659 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2660 * because we reduced the number of tests in the definition of
2661 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2662 * mismatched protocol versions we will force a connection failure.
2663 */
2664 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2665 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2666 }
2667
2668 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2669 NULL, NULL)))
710756a9 2670 goto end;
7fb4c820 2671
710756a9
RS		 2672 if (initrbio == USE_BIO_1
2673 || initwbio == USE_BIO_1
2674 || newrbio == USE_BIO_1
7fb4c820 2675 || newwbio == USE_BIO_1) {
710756a9 2676 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2677 goto end;
7fb4c820
MC		 2678 }
2679
710756a9
RS		 2680 if (initrbio == USE_BIO_2
2681 || initwbio == USE_BIO_2
2682 || newrbio == USE_BIO_2
7fb4c820 2683 || newwbio == USE_BIO_2) {
710756a9 2684 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2685 goto end;
7fb4c820
MC		 2686 }
2687
7d4488bb
MC		 2688 if (initrbio != USE_DEFAULT) {
2689 setupbio(&irbio, bio1, bio2, initrbio);
2690 setupbio(&iwbio, bio1, bio2, initwbio);
2691 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2692
7d4488bb
MC		 2693 /*
2694 * We want to maintain our own refs to these BIO, so do an up ref for
2695 * each BIO that will have ownership transferred in the SSL_set_bio()
2696 * call
2697 */
2698 if (irbio != NULL)
2699 BIO_up_ref(irbio);
2700 if (iwbio != NULL && iwbio != irbio)
2701 BIO_up_ref(iwbio);
2702 }
7fb4c820 2703
7d4488bb
MC		 2704 if (conntype != CONNTYPE_NO_CONNECTION
2705 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2706 SSL_ERROR_NONE)
2707 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2708 goto end;
7fb4c820
MC		 2709
2710 setupbio(&nrbio, bio1, bio2, newrbio);
2711 setupbio(&nwbio, bio1, bio2, newwbio);
2712
2713 /*
2714 * We will (maybe) transfer ownership again so do more up refs.
2715 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2716 * already been set!
2717 */
710756a9
RS		 2718 if (nrbio != NULL
2719 && nrbio != irbio
2720 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2721 BIO_up_ref(nrbio);
710756a9
RS		 2722 if (nwbio != NULL
2723 && nwbio != nrbio
2724 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2725 BIO_up_ref(nwbio);
2726
7d4488bb 2727 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2728
2729 testresult = 1;
2730
2731 end:
7fb4c820
MC		 2732 BIO_free(bio1);
2733 BIO_free(bio2);
710756a9 2734
7fb4c820
MC		 2735 /*
2736 * This test is checking that the ref counting for SSL_set_bio is correct.
2737 * If we get here and we did too many frees then we will fail in the above
742ccab3 2738 * functions.
7fb4c820 2739 */
7d4488bb
MC		 2740 SSL_free(serverssl);
2741 SSL_free(clientssl);
2742 SSL_CTX_free(sctx);
2743 SSL_CTX_free(cctx);
7fb4c820
MC		 2744 return testresult;
2745}
2746
7e885b7b 2747typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2748
7e885b7b 2749static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2750{
2751 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2752 SSL_CTX *ctx;
9a716987
MC		 2753 SSL *ssl = NULL;
2754 int testresult = 0;
2755
5e30f2fd 2756 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
710756a9
RS		 2757 || !TEST_ptr(ssl = SSL_new(ctx))
2758 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2759 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2760 goto end;
9a716987
MC		 2761
2762 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2763
2764 /*
742ccab3 2765 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2766 */
2767 BIO_push(sslbio, membio1);
2768
69687aa8 2769 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2770 if (change_bio != NO_BIO_CHANGE) {
710756a9 2771 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2772 goto end;
7e885b7b 2773 if (change_bio == CHANGE_RBIO)
65e2d672 2774 SSL_set0_rbio(ssl, membio2);
9a716987 2775 else
65e2d672 2776 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2777 }
2778 ssl = NULL;
2779
7e885b7b 2780 if (pop_ssl)
9a716987
MC		 2781 BIO_pop(sslbio);
2782 else
2783 BIO_pop(membio1);
2784
2785 testresult = 1;
2786 end:
2787 BIO_free(membio1);
2788 BIO_free(sslbio);
2789 SSL_free(ssl);
2790 SSL_CTX_free(ctx);
2791
2792 return testresult;
2793}
2794
2795static int test_ssl_bio_pop_next_bio(void)
2796{
7e885b7b 2797 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2798}
2799
2800static int test_ssl_bio_pop_ssl_bio(void)
2801{
7e885b7b 2802 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2803}
2804
2805static int test_ssl_bio_change_rbio(void)
2806{
7e885b7b 2807 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2808}
2809
2810static int test_ssl_bio_change_wbio(void)
2811{
7e885b7b 2812 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2813}
2814
c423ecaa 2815#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 2816typedef struct {
2817 /* The list of sig algs */
2818 const int *list;
2819 /* The length of the list */
2820 size_t listlen;
2821 /* A sigalgs list in string format */
2822 const char *liststr;
2823 /* Whether setting the list should succeed */
2824 int valid;
2825 /* Whether creating a connection with the list should succeed */
2826 int connsuccess;
2827} sigalgs_list;
2828
2829static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2830# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2831static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2832static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2833# endif
f1b25aae
MC		 2834static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2835static const int invalidlist2[] = {NID_sha256, NID_undef};
2836static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2837static const int invalidlist4[] = {NID_sha256};
2838static const sigalgs_list testsigalgs[] = {
2839 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2840# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2841 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2842 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2843# endif
f1b25aae 2844 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2845# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2846 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2847 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2848# endif
f1b25aae
MC		 2849 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2850 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2851 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2852 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2853 {NULL, 0, "RSA", 0, 0},
2854 {NULL, 0, "SHA256", 0, 0},
2855 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2856 {NULL, 0, "Invalid", 0, 0}
2857};
f1b25aae
MC		 2858
2859static int test_set_sigalgs(int idx)
2860{
2861 SSL_CTX *cctx = NULL, *sctx = NULL;
2862 SSL *clientssl = NULL, *serverssl = NULL;
2863 int testresult = 0;
2864 const sigalgs_list *curr;
2865 int testctx;
2866
2867 /* Should never happen */
710756a9 2868 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2869 return 0;
2870
2871 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2872 curr = testctx ? &testsigalgs[idx]
2873 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2874
5e30f2fd
MC		 2875 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2876 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2877 &sctx, &cctx, cert, privkey)))
f1b25aae 2878 return 0;
f1b25aae 2879
d2e491f2
MC		 2880 /*
2881 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2882 * for TLSv1.2 for now until we add a new API.
2883 */
2884 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2885
f1b25aae
MC		 2886 if (testctx) {
2887 int ret;
710756a9 2888
f1b25aae
MC		 2889 if (curr->list != NULL)
2890 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2891 else
2892 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2893
2894 if (!ret) {
2895 if (curr->valid)
710756a9 2896 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2897 else
2898 testresult = 1;
2899 goto end;
2900 }
2901 if (!curr->valid) {
710756a9 2902 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2903 goto end;
2904 }
2905 }
2906
710756a9
RS		 2907 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2908 &clientssl, NULL, NULL)))
f1b25aae 2909 goto end;
f1b25aae
MC		 2910
2911 if (!testctx) {
2912 int ret;
2913
2914 if (curr->list != NULL)
2915 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2916 else
2917 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2918 if (!ret) {
2919 if (curr->valid)
710756a9 2920 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2921 else
2922 testresult = 1;
2923 goto end;
2924 }
710756a9 2925 if (!curr->valid)
f1b25aae 2926 goto end;
f1b25aae
MC		 2927 }
2928
710756a9
RS		 2929 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2930 SSL_ERROR_NONE),
2931 curr->connsuccess))
f1b25aae 2932 goto end;
f1b25aae
MC		 2933
2934 testresult = 1;
2935
2936 end:
2937 SSL_free(serverssl);
2938 SSL_free(clientssl);
2939 SSL_CTX_free(sctx);
2940 SSL_CTX_free(cctx);
2941
2942 return testresult;
2943}
c423ecaa 2944#endif
f1b25aae 2945
fff202e5 2946#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2947static int psk_client_cb_cnt = 0;
2948static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2949
2950static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2951 size_t *idlen, SSL_SESSION **sess)
2952{
2953 switch (++use_session_cb_cnt) {
2954 case 1:
2955 /* The first call should always have a NULL md */
2956 if (md != NULL)
2957 return 0;
2958 break;
2959
2960 case 2:
2961 /* The second call should always have an md */
2962 if (md == NULL)
2963 return 0;
2964 break;
2965
2966 default:
2967 /* We should only be called a maximum of twice */
2968 return 0;
2969 }
2970
57dee9bb
MC		 2971 if (clientpsk != NULL)
2972 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2973
57dee9bb 2974 *sess = clientpsk;
02a3ed5a
MC		 2975 *id = (const unsigned char *)pskid;
2976 *idlen = strlen(pskid);
2977
2978 return 1;
2979}
2980
c2b290c3 2981#ifndef OPENSSL_NO_PSK
532f9578
MC		 2982static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2983 unsigned int max_id_len,
2984 unsigned char *psk,
2985 unsigned int max_psk_len)
2986{
2987 unsigned int psklen = 0;
2988
2989 psk_client_cb_cnt++;
2990
2991 if (strlen(pskid) + 1 > max_id_len)
2992 return 0;
2993
2994 /* We should only ever be called a maximum of twice per connection */
2995 if (psk_client_cb_cnt > 2)
2996 return 0;
2997
2998 if (clientpsk == NULL)
2999 return 0;
3000
3001 /* We'll reuse the PSK we set up for TLSv1.3 */
3002 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3003 return 0;
3004 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3005 strncpy(id, pskid, max_id_len);
3006
3007 return psklen;
3008}
c2b290c3 3009#endif /* OPENSSL_NO_PSK */
532f9578 3010
02a3ed5a
MC		 3011static int find_session_cb(SSL *ssl, const unsigned char *identity,
3012 size_t identity_len, SSL_SESSION **sess)
3013{
3014 find_session_cb_cnt++;
3015
3016 /* We should only ever be called a maximum of twice per connection */
3017 if (find_session_cb_cnt > 2)
3018 return 0;
3019
57dee9bb 3020 if (serverpsk == NULL)
02a3ed5a
MC		 3021 return 0;
3022
3023 /* Identity should match that set by the client */
3024 if (strlen(srvid) != identity_len
3025 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3026 /* No PSK found, continue but without a PSK */
3027 *sess = NULL;
3028 return 1;
3029 }
3030
57dee9bb
MC		 3031 SSL_SESSION_up_ref(serverpsk);
3032 *sess = serverpsk;
02a3ed5a
MC		 3033
3034 return 1;
3035}
3036
c2b290c3 3037#ifndef OPENSSL_NO_PSK
532f9578
MC		 3038static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3039 unsigned char *psk, unsigned int max_psk_len)
3040{
3041 unsigned int psklen = 0;
3042
3043 psk_server_cb_cnt++;
3044
3045 /* We should only ever be called a maximum of twice per connection */
3046 if (find_session_cb_cnt > 2)
3047 return 0;
3048
3049 if (serverpsk == NULL)
3050 return 0;
3051
3052 /* Identity should match that set by the client */
3053 if (strcmp(srvid, identity) != 0) {
3054 return 0;
3055 }
3056
3057 /* We'll reuse the PSK we set up for TLSv1.3 */
3058 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3059 return 0;
3060 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3061
3062 return psklen;
3063}
c2b290c3 3064#endif /* OPENSSL_NO_PSK */
532f9578 3065
5f982038
MC		 3066#define MSG1 "Hello"
3067#define MSG2 "World."
3068#define MSG3 "This"
3069#define MSG4 "is"
3070#define MSG5 "a"
90049cea
MC		 3071#define MSG6 "test"
3072#define MSG7 "message."
5f982038 3073
532f9578 3074#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3075#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3076#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3077#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3078#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3079
8614a4eb
MC		 3080
3081static SSL_SESSION *create_a_psk(SSL *ssl)
3082{
3083 const SSL_CIPHER *cipher = NULL;
3084 const unsigned char key[] = {
3085 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3086 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3087 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3088 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3089 0x2c, 0x2d, 0x2e, 0x2f
3090 };
3091 SSL_SESSION *sess = NULL;
3092
3093 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3094 sess = SSL_SESSION_new();
3095 if (!TEST_ptr(sess)
3096 || !TEST_ptr(cipher)
3097 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3098 sizeof(key)))
3099 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3100 || !TEST_true(
3101 SSL_SESSION_set_protocol_version(sess,
3102 TLS1_3_VERSION))) {
3103 SSL_SESSION_free(sess);
3104 return NULL;
3105 }
3106 return sess;
3107}
3108
5f982038
MC		 3109/*
3110 * Helper method to setup objects for early data test. Caller frees objects on
3111 * error.
3112 */
3113static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3114 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3115{
5a421415 3116 if (*sctx == NULL
5e30f2fd 3117 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3118 TLS_client_method(),
5c587fb6 3119 TLS1_VERSION, 0,
5a421415
MC		 3120 sctx, cctx, cert, privkey)))
3121 return 0;
3122
3123 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3124 return 0;
5f982038 3125
02a3ed5a
MC		 3126 if (idx == 1) {
3127 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3128 SSL_CTX_set_read_ahead(*cctx, 1);
3129 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3130 } else if (idx == 2) {
3131 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3132 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3133 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3134 use_session_cb_cnt = 0;
3135 find_session_cb_cnt = 0;
3136 srvid = pskid;
3cb47b4e
MC		 3137 }
3138
710756a9 3139 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3140 NULL, NULL)))
3141 return 0;
3142
141e4709
MC		 3143 /*
3144 * For one of the run throughs (doesn't matter which one), we'll try sending
3145 * some SNI data in the initial ClientHello. This will be ignored (because
3146 * there is no SNI cb set up by the server), so it should not impact
3147 * early_data.
3148 */
3149 if (idx == 1
3150 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3151 return 0;
3152
02a3ed5a 3153 if (idx == 2) {
8614a4eb 3154 clientpsk = create_a_psk(*clientssl);
57dee9bb 3155 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3156 /*
3157 * We just choose an arbitrary value for max_early_data which
3158 * should be big enough for testing purposes.
3159 */
57dee9bb
MC		 3160 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3161 0x100))
3162 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3163 SSL_SESSION_free(clientpsk);
3164 clientpsk = NULL;
02a3ed5a
MC		 3165 return 0;
3166 }
57dee9bb 3167 serverpsk = clientpsk;
02a3ed5a 3168
c20e3b28
MC		 3169 if (sess != NULL) {
3170 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3171 SSL_SESSION_free(clientpsk);
3172 SSL_SESSION_free(serverpsk);
3173 clientpsk = serverpsk = NULL;
3174 return 0;
3175 }
57dee9bb 3176 *sess = clientpsk;
c20e3b28 3177 }
02a3ed5a
MC		 3178 return 1;
3179 }
3180
3181 if (sess == NULL)
3182 return 1;
3183
3184 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3185 SSL_ERROR_NONE)))
5f982038 3186 return 0;
5f982038
MC		 3187
3188 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3189 SSL_shutdown(*clientssl);
3190 SSL_shutdown(*serverssl);
5f982038
MC		 3191 SSL_free(*serverssl);
3192 SSL_free(*clientssl);
3193 *serverssl = *clientssl = NULL;
3194
710756a9
RS		 3195 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3196 clientssl, NULL, NULL))
3197 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3198 return 0;
5f982038
MC		 3199
3200 return 1;
3201}
3202
3cb47b4e 3203static int test_early_data_read_write(int idx)
5f982038
MC		 3204{
3205 SSL_CTX *cctx = NULL, *sctx = NULL;
3206 SSL *clientssl = NULL, *serverssl = NULL;
3207 int testresult = 0;
3208 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3209 unsigned char buf[20], data[1024];
3210 size_t readbytes, written, eoedlen, rawread, rawwritten;
3211 BIO *rbio;
5f982038 3212
710756a9
RS		 3213 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3214 &serverssl, &sess, idx)))
5f982038
MC		 3215 goto end;
3216
3217 /* Write and read some early data */
710756a9
RS		 3218 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3219 &written))
3220 || !TEST_size_t_eq(written, strlen(MSG1))
3221 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3222 sizeof(buf), &readbytes),
3223 SSL_READ_EARLY_DATA_SUCCESS)
3224 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3225 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3226 SSL_EARLY_DATA_ACCEPTED))
5f982038 3227 goto end;
5f982038
MC		 3228
3229 /*
09f28874 3230 * Server should be able to write data, and client should be able to
5f982038
MC		 3231 * read it.
3232 */
710756a9
RS		 3233 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3234 &written))
3235 || !TEST_size_t_eq(written, strlen(MSG2))
3236 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3237 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3238 goto end;
5f982038
MC		 3239
3240 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3241 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3242 &written))
3243 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3244 goto end;
5f982038 3245
09f28874 3246 /* Server should still be able read early data after writing data */
710756a9
RS		 3247 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3248 &readbytes),
3249 SSL_READ_EARLY_DATA_SUCCESS)
3250 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3251 goto end;
5f982038 3252
09f28874 3253 /* Write more data from server and read it from client */
710756a9
RS		 3254 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3255 &written))
3256 || !TEST_size_t_eq(written, strlen(MSG4))
3257 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3258 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3259 goto end;
5f982038
MC		 3260
3261 /*
3262 * If client writes normal data it should mean writing early data is no
3263 * longer possible.
3264 */
710756a9
RS		 3265 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3266 || !TEST_size_t_eq(written, strlen(MSG5))
3267 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3268 SSL_EARLY_DATA_ACCEPTED))
5f982038 3269 goto end;
5f982038 3270
9b5c865d
MC		 3271 /*
3272 * At this point the client has written EndOfEarlyData, ClientFinished and
3273 * normal (fully protected) data. We are going to cause a delay between the
3274 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3275 * in the read BIO, and then just put back the EndOfEarlyData message.
3276 */
3277 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3278 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3279 || !TEST_size_t_lt(rawread, sizeof(data))
3280 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3281 goto end;
710756a9 3282
9b5c865d
MC		 3283 /* Record length is in the 4th and 5th bytes of the record header */
3284 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3285 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3286 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3287 goto end;
9b5c865d 3288
5f982038 3289 /* Server should be told that there is no more early data */
710756a9
RS		 3290 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3291 &readbytes),
3292 SSL_READ_EARLY_DATA_FINISH)
3293 || !TEST_size_t_eq(readbytes, 0))
5f982038 3294 goto end;
5f982038 3295
9b5c865d
MC		 3296 /*
3297 * Server has not finished init yet, so should still be able to write early
3298 * data.
3299 */
710756a9
RS		 3300 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3301 &written))
3302 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3303 goto end;
9b5c865d 3304
f8a303fa 3305 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3306 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3307 &rawwritten))
3308 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3309 goto end;
f8a303fa 3310
5f982038 3311 /* Server should be able to read normal data */
710756a9
RS		 3312 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3313 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3314 goto end;
5f982038 3315
09f28874 3316 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3317 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3318 &written)))
5f982038 3319 goto end;
5f982038 3320 ERR_clear_error();
710756a9
RS		 3321 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3322 &readbytes),
3323 SSL_READ_EARLY_DATA_ERROR))
5f982038 3324 goto end;
5f982038
MC		 3325 ERR_clear_error();
3326
9b5c865d 3327 /* Client should be able to read the data sent by the server */
710756a9
RS		 3328 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3329 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3330 goto end;
710756a9 3331
f8a303fa 3332 /*
36ff232c
MC		 3333 * Make sure we process the two NewSessionTickets. These arrive
3334 * post-handshake. We attempt reads which we do not expect to return any
3335 * data.
f8a303fa 3336 */
36ff232c
MC		 3337 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3338 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3339 &readbytes)))
f8a303fa 3340 goto end;
5f982038 3341
90049cea 3342 /* Server should be able to write normal data */
710756a9
RS		 3343 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3344 || !TEST_size_t_eq(written, strlen(MSG7))
3345 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3346 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3347 goto end;
90049cea 3348
c20e3b28 3349 SSL_SESSION_free(sess);
5f982038 3350 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3351 use_session_cb_cnt = 0;
3352 find_session_cb_cnt = 0;
5f982038
MC		 3353
3354 SSL_shutdown(clientssl);
3355 SSL_shutdown(serverssl);
5f982038
MC		 3356 SSL_free(serverssl);
3357 SSL_free(clientssl);
3358 serverssl = clientssl = NULL;
710756a9
RS		 3359 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3360 &clientssl, NULL, NULL))
3361 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3362 goto end;
5f982038
MC		 3363
3364 /* Write and read some early data */
710756a9
RS		 3365 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3366 &written))
3367 || !TEST_size_t_eq(written, strlen(MSG1))
3368 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3369 &readbytes),
3370 SSL_READ_EARLY_DATA_SUCCESS)
3371 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3372 goto end;
5f982038 3373
710756a9
RS		 3374 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3375 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3376 goto end;
5f982038 3377
09f28874 3378 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3379 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3380 &written)))
5f982038 3381 goto end;
5f982038 3382 ERR_clear_error();
710756a9
RS		 3383 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3384 &readbytes),
3385 SSL_READ_EARLY_DATA_ERROR))
5f982038 3386 goto end;
5f982038
MC		 3387 ERR_clear_error();
3388
3389 /* Client and server should be able to write/read normal data */
710756a9
RS		 3390 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3391 || !TEST_size_t_eq(written, strlen(MSG5))
3392 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3393 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3394 goto end;
5f982038
MC		 3395
3396 testresult = 1;
3397
3398 end:
c20e3b28 3399 SSL_SESSION_free(sess);
57dee9bb
MC		 3400 SSL_SESSION_free(clientpsk);
3401 SSL_SESSION_free(serverpsk);
3402 clientpsk = serverpsk = NULL;
5f982038
MC		 3403 SSL_free(serverssl);
3404 SSL_free(clientssl);
3405 SSL_CTX_free(sctx);
3406 SSL_CTX_free(cctx);
5f982038
MC		 3407 return testresult;
3408}
3409
5a421415
MC		 3410static int allow_ed_cb_called = 0;
3411
3412static int allow_early_data_cb(SSL *s, void *arg)
3413{
3414 int *usecb = (int *)arg;
3415
3416 allow_ed_cb_called++;
3417
3418 if (*usecb == 1)
3419 return 0;
3420
3421 return 1;
3422}
3423
3424/*
3425 * idx == 0: Standard early_data setup
3426 * idx == 1: early_data setup using read_ahead
3427 * usecb == 0: Don't use a custom early data callback
3428 * usecb == 1: Use a custom early data callback and reject the early data
3429 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3430 * confopt == 0: Configure anti-replay directly
3431 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3432 */
3bb5e5b0 3433static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3434{
3435 SSL_CTX *cctx = NULL, *sctx = NULL;
3436 SSL *clientssl = NULL, *serverssl = NULL;
3437 int testresult = 0;
3438 SSL_SESSION *sess = NULL;
5a421415
MC		 3439 size_t readbytes, written;
3440 unsigned char buf[20];
3441
3442 allow_ed_cb_called = 0;
3443
5e30f2fd
MC		 3444 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3445 TLS_client_method(), TLS1_VERSION, 0,
3446 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3447 return 0;
3448
3449 if (usecb > 0) {
3bb5e5b0
MC		 3450 if (confopt == 0) {
3451 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3452 } else {
3453 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3454
3455 if (!TEST_ptr(confctx))
3456 goto end;
3457 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3458 | SSL_CONF_FLAG_SERVER);
3459 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3460 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3461 2)) {
3462 SSL_CONF_CTX_free(confctx);
3463 goto end;
3464 }
3465 SSL_CONF_CTX_free(confctx);
3466 }
5a421415
MC		 3467 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3468 }
78fb5374
MC		 3469
3470 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3471 &serverssl, &sess, idx)))
3472 goto end;
3473
3474 /*
3475 * The server is configured to accept early data. Create a connection to
3476 * "use up" the ticket
3477 */
3478 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3479 || !TEST_true(SSL_session_reused(clientssl)))
3480 goto end;
3481
3482 SSL_shutdown(clientssl);
3483 SSL_shutdown(serverssl);
3484 SSL_free(serverssl);
3485 SSL_free(clientssl);
3486 serverssl = clientssl = NULL;
3487
3488 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3489 &clientssl, NULL, NULL))
5a421415
MC		 3490 || !TEST_true(SSL_set_session(clientssl, sess)))
3491 goto end;
3492
3493 /* Write and read some early data */
3494 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3495 &written))
3496 || !TEST_size_t_eq(written, strlen(MSG1)))
3497 goto end;
3498
3499 if (usecb <= 1) {
3500 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3501 &readbytes),
3502 SSL_READ_EARLY_DATA_FINISH)
3503 /*
3504 * The ticket was reused, so the we should have rejected the
3505 * early data
3506 */
3507 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3508 SSL_EARLY_DATA_REJECTED))
3509 goto end;
3510 } else {
3511 /* In this case the callback decides to accept the early data */
3512 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3513 &readbytes),
3514 SSL_READ_EARLY_DATA_SUCCESS)
3515 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3516 /*
3517 * Server will have sent its flight so client can now send
3518 * end of early data and complete its half of the handshake
3519 */
3520 || !TEST_int_gt(SSL_connect(clientssl), 0)
3521 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3522 &readbytes),
3523 SSL_READ_EARLY_DATA_FINISH)
3524 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3525 SSL_EARLY_DATA_ACCEPTED))
3526 goto end;
3527 }
3528
3529 /* Complete the connection */
3530 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3531 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3532 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3533 goto end;
3534
3535 testresult = 1;
3536
3537 end:
c20e3b28 3538 SSL_SESSION_free(sess);
78fb5374
MC		 3539 SSL_SESSION_free(clientpsk);
3540 SSL_SESSION_free(serverpsk);
3541 clientpsk = serverpsk = NULL;
3542 SSL_free(serverssl);
3543 SSL_free(clientssl);
3544 SSL_CTX_free(sctx);
3545 SSL_CTX_free(cctx);
3546 return testresult;
3547}
3548
5a421415
MC		 3549static int test_early_data_replay(int idx)
3550{
3bb5e5b0 3551 int ret = 1, usecb, confopt;
5a421415 3552
3bb5e5b0
MC		 3553 for (usecb = 0; usecb < 3; usecb++) {
3554 for (confopt = 0; confopt < 2; confopt++)
3555 ret &= test_early_data_replay_int(idx, usecb, confopt);
3556 }
5a421415
MC		 3557
3558 return ret;
3559}
3560
710756a9 3561/*
6b84e6bf
MC		 3562 * Helper function to test that a server attempting to read early data can
3563 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3564 * testtype: 0 == No HRR
3565 * testtype: 1 == HRR
0efa0ba4
MC		 3566 * testtype: 2 == HRR, invalid early_data sent after HRR
3567 * testtype: 3 == recv_max_early_data set to 0
710756a9 3568 */
0d1b7789 3569static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3570{
3571 SSL_CTX *cctx = NULL, *sctx = NULL;
3572 SSL *clientssl = NULL, *serverssl = NULL;
3573 int testresult = 0;
018fcbec 3574 SSL_SESSION *sess = NULL;
5f982038
MC		 3575 unsigned char buf[20];
3576 size_t readbytes, written;
3577
710756a9
RS		 3578 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3579 &serverssl, &sess, idx)))
5f982038
MC		 3580 goto end;
3581
0efa0ba4 3582 if (testtype == 1 || testtype == 2) {
6b84e6bf 3583 /* Force an HRR to occur */
dbc6268f
MC		 3584#if defined(OPENSSL_NO_EC)
3585 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3586 goto end;
3587#else
6b84e6bf
MC		 3588 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3589 goto end;
dbc6268f 3590#endif
02a3ed5a
MC		 3591 } else if (idx == 2) {
3592 /*
3593 * We force early_data rejection by ensuring the PSK identity is
3594 * unrecognised
3595 */
3596 srvid = "Dummy Identity";
6b84e6bf
MC		 3597 } else {
3598 /*
3599 * Deliberately corrupt the creation time. We take 20 seconds off the
3600 * time. It could be any value as long as it is not within tolerance.
3601 * This should mean the ticket is rejected.
3602 */
5d99881e 3603 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3604 goto end;
3605 }
5f982038 3606
0efa0ba4 3607 if (testtype == 3
0d1b7789
MC		 3608 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3609 goto end;
3610
5f982038 3611 /* Write some early data */
710756a9
RS		 3612 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3613 &written))
3614 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3615 goto end;
5f982038 3616
0d1b7789 3617 /* Server should reject the early data */
710756a9
RS		 3618 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3619 &readbytes),
3620 SSL_READ_EARLY_DATA_FINISH)
3621 || !TEST_size_t_eq(readbytes, 0)
3622 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3623 SSL_EARLY_DATA_REJECTED))
5f982038 3624 goto end;
5f982038 3625
0efa0ba4
MC		 3626 switch (testtype) {
3627 case 0:
3628 /* Nothing to do */
3629 break;
3630
3631 case 1:
6b84e6bf
MC		 3632 /*
3633 * Finish off the handshake. We perform the same writes and reads as
3634 * further down but we expect them to fail due to the incomplete
3635 * handshake.
3636 */
3637 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3638 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3639 &readbytes)))
3640 goto end;
0efa0ba4
MC		 3641 break;
3642
3643 case 2:
3644 {
3645 BIO *wbio = SSL_get_wbio(clientssl);
3646 /* A record that will appear as bad early_data */
3647 const unsigned char bad_early_data[] = {
3648 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3649 };
3650
3651 /*
3652 * We force the client to attempt a write. This will fail because
3653 * we're still in the handshake. It will cause the second
3654 * ClientHello to be sent.
3655 */
3656 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3657 &written)))
3658 goto end;
3659
3660 /*
3661 * Inject some early_data after the second ClientHello. This should
3662 * cause the server to fail
3663 */
3664 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3665 sizeof(bad_early_data), &written)))
3666 goto end;
3667 }
3668 /* fallthrough */
3669
3670 case 3:
0d1b7789 3671 /*
0efa0ba4
MC		 3672 * This client has sent more early_data than we are willing to skip
3673 * (case 3) or sent invalid early_data (case 2) so the connection should
3674 * abort.
0d1b7789
MC		 3675 */
3676 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3677 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3678 goto end;
3679
3680 /* Connection has failed - nothing more to do */
3681 testresult = 1;
3682 goto end;
0efa0ba4
MC		 3683
3684 default:
3685 TEST_error("Invalid test type");
3686 goto end;
6b84e6bf
MC		 3687 }
3688
0d1b7789
MC		 3689 /*
3690 * Should be able to send normal data despite rejection of early data. The
3691 * early_data should be skipped.
3692 */
710756a9
RS		 3693 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3694 || !TEST_size_t_eq(written, strlen(MSG2))
3695 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3696 SSL_EARLY_DATA_REJECTED)
3697 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3698 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3699 goto end;
5f982038
MC		 3700
3701 testresult = 1;
3702
3703 end:
c20e3b28 3704 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3705 SSL_SESSION_free(serverpsk);
3706 clientpsk = serverpsk = NULL;
5f982038
MC		 3707 SSL_SESSION_free(sess);
3708 SSL_free(serverssl);
3709 SSL_free(clientssl);
3710 SSL_CTX_free(sctx);
3711 SSL_CTX_free(cctx);
5f982038
MC		 3712 return testresult;
3713}
3714
6b84e6bf
MC		 3715/*
3716 * Test that a server attempting to read early data can handle a connection
3717 * from a client where the early data is not acceptable.
3718 */
3719static int test_early_data_skip(int idx)
3720{
3721 return early_data_skip_helper(0, idx);
3722}
3723
3724/*
3725 * Test that a server attempting to read early data can handle a connection
3726 * from a client where an HRR occurs.
3727 */
3728static int test_early_data_skip_hrr(int idx)
3729{
3730 return early_data_skip_helper(1, idx);
3731}
3732
0efa0ba4
MC		 3733/*
3734 * Test that a server attempting to read early data can handle a connection
3735 * from a client where an HRR occurs and correctly fails if early_data is sent
3736 * after the HRR
3737 */
3738static int test_early_data_skip_hrr_fail(int idx)
3739{
3740 return early_data_skip_helper(2, idx);
3741}
3742
0d1b7789
MC		 3743/*
3744 * Test that a server attempting to read early data will abort if it tries to
3745 * skip over too much.
3746 */
3747static int test_early_data_skip_abort(int idx)
3748{
0efa0ba4 3749 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3750}
3751
710756a9
RS		 3752/*
3753 * Test that a server attempting to read early data can handle a connection
3754 * from a client that doesn't send any.
3755 */
3cb47b4e 3756static int test_early_data_not_sent(int idx)
5f982038
MC		 3757{
3758 SSL_CTX *cctx = NULL, *sctx = NULL;
3759 SSL *clientssl = NULL, *serverssl = NULL;
3760 int testresult = 0;
018fcbec 3761 SSL_SESSION *sess = NULL;
5f982038
MC		 3762 unsigned char buf[20];
3763 size_t readbytes, written;
3764
710756a9
RS		 3765 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3766 &serverssl, &sess, idx)))
5f982038
MC		 3767 goto end;
3768
3769 /* Write some data - should block due to handshake with server */
3770 SSL_set_connect_state(clientssl);
710756a9 3771 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3772 goto end;
5f982038
MC		 3773
3774 /* Server should detect that early data has not been sent */
710756a9
RS		 3775 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3776 &readbytes),
3777 SSL_READ_EARLY_DATA_FINISH)
3778 || !TEST_size_t_eq(readbytes, 0)
3779 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3780 SSL_EARLY_DATA_NOT_SENT)
3781 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3782 SSL_EARLY_DATA_NOT_SENT))
5f982038 3783 goto end;
5f982038
MC		 3784
3785 /* Continue writing the message we started earlier */
710756a9
RS		 3786 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3787 || !TEST_size_t_eq(written, strlen(MSG1))
3788 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3789 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3790 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3791 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3792 goto end;
5f982038 3793
710756a9
RS		 3794 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3795 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3796 goto end;
5f982038
MC		 3797
3798 testresult = 1;
3799
3800 end:
5f982038 3801 SSL_SESSION_free(sess);
c20e3b28 3802 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3803 SSL_SESSION_free(serverpsk);
3804 clientpsk = serverpsk = NULL;
5f982038
MC		 3805 SSL_free(serverssl);
3806 SSL_free(clientssl);
3807 SSL_CTX_free(sctx);
3808 SSL_CTX_free(cctx);
5f982038
MC		 3809 return testresult;
3810}
3811
976e5323
MC		 3812static const char *servalpn;
3813
c7558d5b
PY		 3814static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3815 unsigned char *outlen, const unsigned char *in,
3816 unsigned int inlen, void *arg)
976e5323 3817{
c7558d5b 3818 unsigned int protlen = 0;
976e5323
MC		 3819 const unsigned char *prot;
3820
c7558d5b
PY		 3821 for (prot = in; prot < in + inlen; prot += protlen) {
3822 protlen = *prot++;
5d99881e 3823 if (in + inlen < prot + protlen)
976e5323
MC		 3824 return SSL_TLSEXT_ERR_NOACK;
3825
3826 if (protlen == strlen(servalpn)
0bd42fde 3827 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3828 *out = prot;
3829 *outlen = protlen;
3830 return SSL_TLSEXT_ERR_OK;
3831 }
3832 }
3833
3834 return SSL_TLSEXT_ERR_NOACK;
3835}
3836
57dee9bb 3837/* Test that a PSK can be used to send early_data */
976e5323
MC		 3838static int test_early_data_psk(int idx)
3839{
3840 SSL_CTX *cctx = NULL, *sctx = NULL;
3841 SSL *clientssl = NULL, *serverssl = NULL;
3842 int testresult = 0;
3843 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3844 unsigned char alpnlist[] = {
3845 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3846 'l', 'p', 'n'
3847 };
3848#define GOODALPNLEN 9
3849#define BADALPNLEN 8
3850#define GOODALPN (alpnlist)
3851#define BADALPN (alpnlist + GOODALPNLEN)
3852 int err = 0;
976e5323
MC		 3853 unsigned char buf[20];
3854 size_t readbytes, written;
57dee9bb 3855 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3856 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3857
3858 /* We always set this up with a final parameter of "2" for PSK */
3859 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3860 &serverssl, &sess, 2)))
3861 goto end;
3862
976e5323
MC		 3863 servalpn = "goodalpn";
3864
57dee9bb
MC		 3865 /*
3866 * Note: There is no test for inconsistent SNI with late client detection.
3867 * This is because servers do not acknowledge SNI even if they are using
3868 * it in a resumption handshake - so it is not actually possible for a
3869 * client to detect a problem.
3870 */
976e5323
MC		 3871 switch (idx) {
3872 case 0:
57dee9bb 3873 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3874 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3875 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3876 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3877 goto end;
3878 break;
3879
3880 case 1:
57dee9bb 3881 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3882 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3883 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3884 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3885 GOODALPNLEN))
3886 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3887 BADALPNLEN)))
976e5323
MC		 3888 goto end;
3889 break;
3890
3891 case 2:
3892 /*
3893 * Set invalid protocol version. Technically this affects PSKs without
3894 * early_data too, but we test it here because it is similar to the
3895 * SNI/ALPN consistency tests.
3896 */
3897 err = SSL_R_BAD_PSK;
3898 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3899 goto end;
3900 break;
3901
3902 case 3:
3903 /*
49ef3d07
MC		 3904 * Set inconsistent SNI (server side). In this case the connection
3905 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3906 * is associated with each handshake - not the session. Therefore it
3907 * should not matter that we used a different server name last time.
976e5323 3908 */
281bf233
MC		 3909 SSL_SESSION_free(serverpsk);
3910 serverpsk = SSL_SESSION_dup(clientpsk);
3911 if (!TEST_ptr(serverpsk)
3912 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3913 goto end;
976e5323
MC		 3914 /* Fall through */
3915 case 4:
3916 /* Set consistent SNI */
976e5323
MC		 3917 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3918 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3919 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3920 hostname_cb)))
3921 goto end;
3922 break;
3923
3924 case 5:
3925 /*
3926 * Set inconsistent ALPN (server detected). In this case the connection
3927 * will succeed but reject early_data.
3928 */
3929 servalpn = "badalpn";
3930 edstatus = SSL_EARLY_DATA_REJECTED;
3931 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3932 /* Fall through */
3933 case 6:
976e5323 3934 /*
57dee9bb 3935 * Set consistent ALPN.
976e5323
MC		 3936 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3937 * accepts a list of protos (each one length prefixed).
3938 * SSL_set1_alpn_selected accepts a single protocol (not length
3939 * prefixed)
3940 */
57dee9bb
MC		 3941 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3942 GOODALPNLEN - 1))
3943 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3944 GOODALPNLEN)))
976e5323
MC		 3945 goto end;
3946
3947 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3948 break;
3949
57dee9bb
MC		 3950 case 7:
3951 /* Set inconsistent ALPN (late client detection) */
3952 SSL_SESSION_free(serverpsk);
3953 serverpsk = SSL_SESSION_dup(clientpsk);
3954 if (!TEST_ptr(serverpsk)
3955 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3956 BADALPN + 1,
3957 BADALPNLEN - 1))
3958 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3959 GOODALPN + 1,
3960 GOODALPNLEN - 1))
3961 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3962 sizeof(alpnlist))))
3963 goto end;
3964 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3965 edstatus = SSL_EARLY_DATA_ACCEPTED;
3966 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3967 /* SSL_connect() call should fail */
3968 connectres = -1;
3969 break;
3970
976e5323
MC		 3971 default:
3972 TEST_error("Bad test index");
3973 goto end;
3974 }
3975
3976 SSL_set_connect_state(clientssl);
3977 if (err != 0) {
3978 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3979 &written))
3980 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3981 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3982 goto end;
3983 } else {
3984 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3985 &written)))
3986 goto end;
3987
3988 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3989 &readbytes), readearlyres)
976e5323
MC		 3990 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3991 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3992 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3993 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3994 goto end;
3995 }
3996
3997 testresult = 1;
3998
3999 end:
c20e3b28 4000 SSL_SESSION_free(sess);
57dee9bb
MC		 4001 SSL_SESSION_free(clientpsk);
4002 SSL_SESSION_free(serverpsk);
4003 clientpsk = serverpsk = NULL;
976e5323
MC		 4004 SSL_free(serverssl);
4005 SSL_free(clientssl);
4006 SSL_CTX_free(sctx);
4007 SSL_CTX_free(cctx);
4008 return testresult;
4009}
4010
0b2b0be9 4011/*
4012 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4013 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4014 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4015 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4016 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4017 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4018 */
4019static int test_early_data_psk_with_all_ciphers(int idx)
4020{
4021 SSL_CTX *cctx = NULL, *sctx = NULL;
4022 SSL *clientssl = NULL, *serverssl = NULL;
4023 int testresult = 0;
4024 SSL_SESSION *sess = NULL;
4025 unsigned char buf[20];
4026 size_t readbytes, written;
4027 const SSL_CIPHER *cipher;
4028 const char *cipher_str[] = {
4029 TLS1_3_RFC_AES_128_GCM_SHA256,
4030 TLS1_3_RFC_AES_256_GCM_SHA384,
4031# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4032 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4033# else
4034 NULL,
4035# endif
4036 TLS1_3_RFC_AES_128_CCM_SHA256,
4037 TLS1_3_RFC_AES_128_CCM_8_SHA256
4038 };
4039 const unsigned char *cipher_bytes[] = {
4040 TLS13_AES_128_GCM_SHA256_BYTES,
4041 TLS13_AES_256_GCM_SHA384_BYTES,
4042# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4043 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4044# else
4045 NULL,
4046# endif
4047 TLS13_AES_128_CCM_SHA256_BYTES,
4048 TLS13_AES_128_CCM_8_SHA256_BYTES
4049 };
4050
4051 if (cipher_str[idx] == NULL)
4052 return 1;
4053 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4054 if (idx == 2 && is_fips == 1)
4055 return 1;
4056
4057 /* We always set this up with a final parameter of "2" for PSK */
4058 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4059 &serverssl, &sess, 2)))
4060 goto end;
4061
4062 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4063 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4064 goto end;
4065
4066 /*
4067 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4068 * and assigns to both client and server with incremented reference
4069 * and the same instance is updated in 'sess'.
4070 * So updating ciphersuite in 'sess' which will get reflected in
4071 * PSK handshake using psk use sess and find sess cb.
4072 */
4073 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4074 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4075 goto end;
4076
4077 SSL_set_connect_state(clientssl);
4078 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4079 &written)))
4080 goto end;
4081
4082 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4083 &readbytes),
4084 SSL_READ_EARLY_DATA_SUCCESS)
4085 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4086 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4087 SSL_EARLY_DATA_ACCEPTED)
4088 || !TEST_int_eq(SSL_connect(clientssl), 1)
4089 || !TEST_int_eq(SSL_accept(serverssl), 1))
4090 goto end;
4091
4092 /* Send some normal data from client to server */
4093 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4094 || !TEST_size_t_eq(written, strlen(MSG2)))
4095 goto end;
4096
4097 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4098 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4099 goto end;
4100
4101 testresult = 1;
4102 end:
4103 SSL_SESSION_free(sess);
4104 SSL_SESSION_free(clientpsk);
4105 SSL_SESSION_free(serverpsk);
4106 clientpsk = serverpsk = NULL;
4107 if (clientssl != NULL)
4108 SSL_shutdown(clientssl);
4109 if (serverssl != NULL)
4110 SSL_shutdown(serverssl);
4111 SSL_free(serverssl);
4112 SSL_free(clientssl);
4113 SSL_CTX_free(sctx);
4114 SSL_CTX_free(cctx);
4115 return testresult;
4116}
4117
710756a9
RS		 4118/*
4119 * Test that a server that doesn't try to read early data can handle a
4120 * client sending some.
4121 */
3cb47b4e 4122static int test_early_data_not_expected(int idx)
5f982038
MC		 4123{
4124 SSL_CTX *cctx = NULL, *sctx = NULL;
4125 SSL *clientssl = NULL, *serverssl = NULL;
4126 int testresult = 0;
018fcbec 4127 SSL_SESSION *sess = NULL;
5f982038
MC		 4128 unsigned char buf[20];
4129 size_t readbytes, written;
4130
710756a9
RS		 4131 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4132 &serverssl, &sess, idx)))
5f982038
MC		 4133 goto end;
4134
4135 /* Write some early data */
710756a9
RS		 4136 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4137 &written)))
5f982038 4138 goto end;
5f982038
MC		 4139
4140 /*
4141 * Server should skip over early data and then block waiting for client to
4142 * continue handshake
4143 */
710756a9
RS		 4144 if (!TEST_int_le(SSL_accept(serverssl), 0)
4145 || !TEST_int_gt(SSL_connect(clientssl), 0)
4146 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4147 SSL_EARLY_DATA_REJECTED)
4148 || !TEST_int_gt(SSL_accept(serverssl), 0)
4149 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4150 SSL_EARLY_DATA_REJECTED))
5f982038 4151 goto end;
5f982038
MC		 4152
4153 /* Send some normal data from client to server */
710756a9
RS		 4154 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4155 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4156 goto end;
5f982038 4157
710756a9
RS		 4158 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4159 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4160 goto end;
5f982038
MC		 4161
4162 testresult = 1;
4163
4164 end:
5f982038 4165 SSL_SESSION_free(sess);
c20e3b28 4166 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4167 SSL_SESSION_free(serverpsk);
4168 clientpsk = serverpsk = NULL;
5f982038
MC		 4169 SSL_free(serverssl);
4170 SSL_free(clientssl);
4171 SSL_CTX_free(sctx);
4172 SSL_CTX_free(cctx);
5f982038
MC		 4173 return testresult;
4174}
4175
4176
4177# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4178/*
4179 * Test that a server attempting to read early data can handle a connection
4180 * from a TLSv1.2 client.
4181 */
3cb47b4e 4182static int test_early_data_tls1_2(int idx)
5f982038
MC		 4183{
4184 SSL_CTX *cctx = NULL, *sctx = NULL;
4185 SSL *clientssl = NULL, *serverssl = NULL;
4186 int testresult = 0;
4187 unsigned char buf[20];
4188 size_t readbytes, written;
4189
02a3ed5a
MC		 4190 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4191 &serverssl, NULL, idx)))
5f982038 4192 goto end;
5f982038
MC		 4193
4194 /* Write some data - should block due to handshake with server */
4195 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4196 SSL_set_connect_state(clientssl);
710756a9 4197 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4198 goto end;
5f982038
MC		 4199
4200 /*
4201 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4202 * messages from client after ServerDone. Then SSL_read_early_data should
4203 * finish and detect that early data has not been sent
5f982038 4204 */
710756a9
RS		 4205 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4206 &readbytes),
4207 SSL_READ_EARLY_DATA_ERROR))
5f982038 4208 goto end;
5f982038
MC		 4209
4210 /*
4211 * Continue writing the message we started earlier. Will still block waiting
4212 * for the CCS/Finished from server
4213 */
710756a9
RS		 4214 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4215 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4216 &readbytes),
4217 SSL_READ_EARLY_DATA_FINISH)
4218 || !TEST_size_t_eq(readbytes, 0)
4219 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4220 SSL_EARLY_DATA_NOT_SENT))
5f982038 4221 goto end;
5f982038
MC		 4222
4223 /* Continue writing the message we started earlier */
710756a9
RS		 4224 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4225 || !TEST_size_t_eq(written, strlen(MSG1))
4226 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4227 SSL_EARLY_DATA_NOT_SENT)
4228 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4229 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4230 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4231 || !TEST_size_t_eq(written, strlen(MSG2))
4232 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4233 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4234 goto end;
5f982038
MC		 4235
4236 testresult = 1;
4237
4238 end:
57dee9bb
MC		 4239 SSL_SESSION_free(clientpsk);
4240 SSL_SESSION_free(serverpsk);
4241 clientpsk = serverpsk = NULL;
5f982038
MC		 4242 SSL_free(serverssl);
4243 SSL_free(clientssl);
4244 SSL_CTX_free(sctx);
4245 SSL_CTX_free(cctx);
4246
4247 return testresult;
4248}
ca0413ae
MC		 4249# endif /* OPENSSL_NO_TLS1_2 */
4250
034cb87b
MC		 4251/*
4252 * Test configuring the TLSv1.3 ciphersuites
4253 *
4254 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4255 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4256 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4257 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4258 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4259 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4260 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4261 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4262 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4263 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4264 */
4265static int test_set_ciphersuite(int idx)
4266{
4267 SSL_CTX *cctx = NULL, *sctx = NULL;
4268 SSL *clientssl = NULL, *serverssl = NULL;
4269 int testresult = 0;
4270
5e30f2fd
MC		 4271 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4272 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4273 &sctx, &cctx, cert, privkey))
4274 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4275 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4276 goto end;
4277
4278 if (idx >=4 && idx <= 7) {
4279 /* SSL_CTX explicit cipher list */
4280 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4281 goto end;
4282 }
4283
4284 if (idx == 0 || idx == 4) {
4285 /* Default ciphersuite */
4286 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4287 "TLS_AES_128_GCM_SHA256")))
4288 goto end;
4289 } else if (idx == 1 || idx == 5) {
4290 /* Non default ciphersuite */
4291 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4292 "TLS_AES_128_CCM_SHA256")))
4293 goto end;
4294 }
4295
4296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4297 &clientssl, NULL, NULL)))
4298 goto end;
4299
4300 if (idx == 8 || idx == 9) {
4301 /* SSL explicit cipher list */
4302 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4303 goto end;
4304 }
4305
4306 if (idx == 2 || idx == 6 || idx == 8) {
4307 /* Default ciphersuite */
4308 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4309 "TLS_AES_128_GCM_SHA256")))
4310 goto end;
4311 } else if (idx == 3 || idx == 7 || idx == 9) {
4312 /* Non default ciphersuite */
4313 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4314 "TLS_AES_128_CCM_SHA256")))
4315 goto end;
4316 }
4317
4318 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4319 goto end;
4320
4321 testresult = 1;
4322
4323 end:
4324 SSL_free(serverssl);
4325 SSL_free(clientssl);
4326 SSL_CTX_free(sctx);
4327 SSL_CTX_free(cctx);
4328
4329 return testresult;
4330}
4331
ca0413ae
MC		 4332static int test_ciphersuite_change(void)
4333{
4334 SSL_CTX *cctx = NULL, *sctx = NULL;
4335 SSL *clientssl = NULL, *serverssl = NULL;
4336 SSL_SESSION *clntsess = NULL;
4337 int testresult = 0;
4338 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4339
4340 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4341 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4342 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4343 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4344 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4345 "TLS_AES_128_GCM_SHA256:"
4346 "TLS_AES_256_GCM_SHA384:"
4347 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 4348 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4349 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 4350 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4351 &clientssl, NULL, NULL))
4352 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4353 SSL_ERROR_NONE)))
4354 goto end;
4355
4356 clntsess = SSL_get1_session(clientssl);
4357 /* Save for later */
4358 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4359 SSL_shutdown(clientssl);
4360 SSL_shutdown(serverssl);
4361 SSL_free(serverssl);
4362 SSL_free(clientssl);
4363 serverssl = clientssl = NULL;
4364
4365 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4366 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4367 "TLS_AES_128_CCM_SHA256"))
4368 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4369 &clientssl, NULL, NULL))
ca0413ae
MC		 4370 || !TEST_true(SSL_set_session(clientssl, clntsess))
4371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4372 SSL_ERROR_NONE))
4373 || !TEST_true(SSL_session_reused(clientssl)))
4374 goto end;
4375
4376 SSL_SESSION_free(clntsess);
4377 clntsess = SSL_get1_session(clientssl);
4378 SSL_shutdown(clientssl);
4379 SSL_shutdown(serverssl);
4380 SSL_free(serverssl);
4381 SSL_free(clientssl);
4382 serverssl = clientssl = NULL;
4383
4384 /*
4385 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4386 * succeeds but does not resume.
ca0413ae 4387 */
f865b081 4388 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4389 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4390 NULL, NULL))
4391 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4393 SSL_ERROR_SSL))
0de6d66d 4394 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4395 goto end;
4396
4397 SSL_SESSION_free(clntsess);
4398 clntsess = NULL;
4399 SSL_shutdown(clientssl);
4400 SSL_shutdown(serverssl);
4401 SSL_free(serverssl);
4402 SSL_free(clientssl);
4403 serverssl = clientssl = NULL;
4404
4405 /* Create a session based on SHA384 */
f865b081 4406 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4407 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4408 &clientssl, NULL, NULL))
4409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4410 SSL_ERROR_NONE)))
4411 goto end;
4412
4413 clntsess = SSL_get1_session(clientssl);
4414 SSL_shutdown(clientssl);
4415 SSL_shutdown(serverssl);
4416 SSL_free(serverssl);
4417 SSL_free(clientssl);
4418 serverssl = clientssl = NULL;
4419
f865b081
MC		 4420 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4421 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4422 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4423 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4424 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4425 NULL, NULL))
4426 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4427 /*
4428 * We use SSL_ERROR_WANT_READ below so that we can pause the
4429 * connection after the initial ClientHello has been sent to
4430 * enable us to make some session changes.
4431 */
ca0413ae
MC		 4432 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4433 SSL_ERROR_WANT_READ)))
4434 goto end;
4435
4436 /* Trick the client into thinking this session is for a different digest */
4437 clntsess->cipher = aes_128_gcm_sha256;
4438 clntsess->cipher_id = clntsess->cipher->id;
4439
4440 /*
3b0e88d3
MC		 4441 * Continue the previously started connection. Server has selected a SHA-384
4442 * ciphersuite, but client thinks the session is for SHA-256, so it should
4443 * bail out.
ca0413ae
MC		 4444 */
4445 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4446 SSL_ERROR_SSL))
4447 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4448 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4449 goto end;
4450
4451 testresult = 1;
4452
4453 end:
4454 SSL_SESSION_free(clntsess);
4455 SSL_free(serverssl);
4456 SSL_free(clientssl);
4457 SSL_CTX_free(sctx);
4458 SSL_CTX_free(cctx);
4459
4460 return testresult;
4461}
4462
8e63900a 4463/*
5bf2eade 4464 * Test TLSv1.3 Key exchange
4465 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4466 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4467 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4468 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4469 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4470 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4471 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4472 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4473 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4474 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4475 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4476 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4477 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4478 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4479 */
db26ec80 4480static int test_key_exchange(int idx)
8e63900a 4481{
4482 SSL_CTX *sctx = NULL, *cctx = NULL;
4483 SSL *serverssl = NULL, *clientssl = NULL;
4484 int testresult = 0;
5bf2eade 4485# ifndef OPENSSL_NO_EC
4486 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4487 NID_secp521r1, NID_X25519, NID_X448};
4488# endif
4489# ifndef OPENSSL_NO_DH
8e63900a 4490 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4491 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 4492# endif
fb8c6db4 4493 int kexch_alg;
4494 int *kexch_groups = &kexch_alg;
4495 int kexch_groups_size = 1;
8e63900a 4496 int max_version = TLS1_3_VERSION;
8e63900a 4497
4498 switch (idx) {
5bf2eade 4499# ifndef OPENSSL_NO_EC
db26ec80 4500# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4501 case 12:
fb8c6db4 4502 max_version = TLS1_2_VERSION;
db26ec80 4503# endif
fb8c6db4 4504 /* Fall through */
4505 case 0:
4506 kexch_groups = ecdhe_kexch_groups;
4507 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4508 break;
5bf2eade 4509 case 1:
fb8c6db4 4510 kexch_alg = NID_X9_62_prime256v1;
4511 break;
5bf2eade 4512 case 2:
fb8c6db4 4513 kexch_alg = NID_secp384r1;
4514 break;
5bf2eade 4515 case 3:
fb8c6db4 4516 kexch_alg = NID_secp521r1;
4517 break;
5bf2eade 4518 case 4:
fb8c6db4 4519 kexch_alg = NID_X25519;
4520 break;
5bf2eade 4521 case 5:
fb8c6db4 4522 kexch_alg = NID_X448;
4523 break;
5bf2eade 4524# endif
4525# ifndef OPENSSL_NO_DH
db26ec80 4526# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4527 case 13:
dbc6268f 4528 max_version = TLS1_2_VERSION;
db26ec80 4529# endif
dbc6268f 4530 /* Fall through */
5bf2eade 4531 case 6:
8e63900a 4532 kexch_groups = ffdhe_kexch_groups;
4533 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4534 break;
5bf2eade 4535 case 7:
fb8c6db4 4536 kexch_alg = NID_ffdhe2048;
4537 break;
5bf2eade 4538 case 8:
fb8c6db4 4539 kexch_alg = NID_ffdhe3072;
4540 break;
5bf2eade 4541 case 9:
fb8c6db4 4542 kexch_alg = NID_ffdhe4096;
4543 break;
5bf2eade 4544 case 10:
fb8c6db4 4545 kexch_alg = NID_ffdhe6144;
4546 break;
5bf2eade 4547 case 11:
fb8c6db4 4548 kexch_alg = NID_ffdhe8192;
8e63900a 4549 break;
5bf2eade 4550# endif
6597d62b
MC		 4551 default:
4552 /* We're skipping this test */
4553 return 1;
8e63900a 4554 }
4555
5e30f2fd
MC		 4556 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4557 TLS_client_method(), TLS1_VERSION,
4558 max_version, &sctx, &cctx, cert,
4559 privkey)))
8e63900a 4560 goto end;
4561
5bf2eade 4562 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4563 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4564 goto end;
4565
5bf2eade 4566 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4567 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4568 goto end;
4569
5bf2eade 4570 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4571 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4572 goto end;
4573
dbc6268f
MC		 4574 /*
4575 * Must include an EC ciphersuite so that we send supported groups in
4576 * TLSv1.2
4577 */
5bf2eade 4578# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 4579 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4580 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4581 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4582 goto end;
5bf2eade 4583# endif
8e63900a 4584
4585 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4586 NULL, NULL)))
4587 goto end;
4588
4589 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4590 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4591 goto end;
4592
5bf2eade 4593 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4594 goto end;
8e63900a 4595
dbc6268f 4596 /*
5bf2eade 4597 * If Handshake succeeds the negotiated kexch alg should be the first one in
4598 * configured, except in the case of FFDHE groups (idx 13), which are
4599 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4600 */
4601 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4602 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4603 goto end;
fb8c6db4 4604 if (max_version == TLS1_3_VERSION) {
4605 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4606 goto end;
4607 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4608 goto end;
4609 }
8e63900a 4610
4611 testresult = 1;
4612 end:
4613 SSL_free(serverssl);
4614 SSL_free(clientssl);
4615 SSL_CTX_free(sctx);
4616 SSL_CTX_free(cctx);
4617 return testresult;
4618}
4619
5bf2eade 4620/*
4621 * Test TLSv1.3 Cipher Suite
4622 * Test 0 = Set TLS1.3 cipher on context
4623 * Test 1 = Set TLS1.3 cipher on SSL
4624 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4625 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4626 */
4627static int test_tls13_ciphersuite(int idx)
4628{
4629 SSL_CTX *sctx = NULL, *cctx = NULL;
4630 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4631 static const struct {
4632 const char *ciphername;
4633 int fipscapable;
4634 } t13_ciphers[] = {
4635 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4636 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4637 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4638# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4639 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4640 { TLS1_3_RFC_AES_256_GCM_SHA384
4641 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4642# endif
4f6c7044 4643 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4644 };
4645 const char *t13_cipher = NULL;
4646 const char *t12_cipher = NULL;
4647 const char *negotiated_scipher;
4648 const char *negotiated_ccipher;
4649 int set_at_ctx = 0;
4650 int set_at_ssl = 0;
4651 int testresult = 0;
4652 int max_ver;
4653 size_t i;
4654
4655 switch (idx) {
4656 case 0:
4657 set_at_ctx = 1;
4658 break;
4659 case 1:
4660 set_at_ssl = 1;
4661 break;
4662 case 2:
4663 set_at_ctx = 1;
2d900758 4664 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4665 break;
4666 case 3:
4667 set_at_ssl = 1;
2d900758 4668 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4669 break;
4670 }
4671
4672 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4673# ifdef OPENSSL_NO_TLS1_2
4674 if (max_ver == TLS1_2_VERSION)
4675 continue;
4676# endif
4677 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4678 if (is_fips && !t13_ciphers[i].fipscapable)
4679 continue;
4680 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4681 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4682 TLS_client_method(),
4683 TLS1_VERSION, max_ver,
4684 &sctx, &cctx, cert, privkey)))
4685 goto end;
4686
4687 if (set_at_ctx) {
4688 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4689 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4690 goto end;
4691 if (t12_cipher != NULL) {
4692 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4693 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4694 t12_cipher)))
4695 goto end;
4696 }
4697 }
4698
4699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4700 &clientssl, NULL, NULL)))
4701 goto end;
4702
4703 if (set_at_ssl) {
4704 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4705 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4706 goto end;
4707 if (t12_cipher != NULL) {
4708 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4709 || !TEST_true(SSL_set_cipher_list(clientssl,
4710 t12_cipher)))
4711 goto end;
4712 }
4713 }
4714
4715 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4716 SSL_ERROR_NONE)))
4717 goto end;
4718
4719 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4720 serverssl));
4721 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4722 clientssl));
4723 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4724 goto end;
4725
4726 /*
4727 * TEST_strn_eq is used below because t13_cipher can contain
4728 * multiple ciphersuites
4729 */
4730 if (max_ver == TLS1_3_VERSION
4731 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4732 strlen(negotiated_scipher)))
4733 goto end;
4734
4735# ifndef OPENSSL_NO_TLS1_2
4736 /* Below validation is not done when t12_cipher is NULL */
4737 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4738 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4739 goto end;
4740# endif
4741
4742 SSL_free(serverssl);
4743 serverssl = NULL;
4744 SSL_free(clientssl);
4745 clientssl = NULL;
4746 SSL_CTX_free(sctx);
4747 sctx = NULL;
4748 SSL_CTX_free(cctx);
4749 cctx = NULL;
4750 }
4751 }
4752
4753 testresult = 1;
4754 end:
4755 SSL_free(serverssl);
4756 SSL_free(clientssl);
4757 SSL_CTX_free(sctx);
4758 SSL_CTX_free(cctx);
4759 return testresult;
4760}
4761
0d8da779
MC		 4762/*
4763 * Test TLSv1.3 PSKs
4764 * Test 0 = Test new style callbacks
4765 * Test 1 = Test both new and old style callbacks
4766 * Test 2 = Test old style callbacks
4767 * Test 3 = Test old style callbacks with no certificate
4768 */
532f9578 4769static int test_tls13_psk(int idx)
ca8c71ba
MC		 4770{
4771 SSL_CTX *sctx = NULL, *cctx = NULL;
4772 SSL *serverssl = NULL, *clientssl = NULL;
4773 const SSL_CIPHER *cipher = NULL;
4774 const unsigned char key[] = {
4775 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4776 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4777 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4778 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4779 };
4780 int testresult = 0;
4781
5e30f2fd
MC		 4782 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4783 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 4784 &sctx, &cctx, idx == 3 ? NULL : cert,
4785 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4786 goto end;
4787
0d8da779
MC		 4788 if (idx != 3) {
4789 /*
4790 * We use a ciphersuite with SHA256 to ease testing old style PSK
4791 * callbacks which will always default to SHA256. This should not be
4792 * necessary if we have no cert/priv key. In that case the server should
4793 * prefer SHA256 automatically.
4794 */
4795 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4796 "TLS_AES_128_GCM_SHA256")))
4797 goto end;
4f6c7044
MC		 4798 } else {
4799 /*
4800 * As noted above the server should prefer SHA256 automatically. However
4801 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4802 * code works even if we are testing with only the FIPS provider loaded.
4803 */
4804 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4805 "TLS_AES_256_GCM_SHA384:"
4806 "TLS_AES_128_GCM_SHA256")))
4807 goto end;
0d8da779 4808 }
532f9578
MC		 4809
4810 /*
4811 * Test 0: New style callbacks only
4812 * Test 1: New and old style callbacks (only the new ones should be used)
4813 * Test 2: Old style callbacks only
4814 */
4815 if (idx == 0 || idx == 1) {
4816 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4817 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4818 }
c2b290c3 4819#ifndef OPENSSL_NO_PSK
0d8da779 4820 if (idx >= 1) {
532f9578
MC		 4821 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4822 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4823 }
c2b290c3 4824#endif
ca8c71ba 4825 srvid = pskid;
02a3ed5a
MC		 4826 use_session_cb_cnt = 0;
4827 find_session_cb_cnt = 0;
532f9578
MC		 4828 psk_client_cb_cnt = 0;
4829 psk_server_cb_cnt = 0;
ca8c71ba 4830
0d8da779
MC		 4831 if (idx != 3) {
4832 /*
4833 * Check we can create a connection if callback decides not to send a
4834 * PSK
4835 */
4836 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4837 NULL, NULL))
4838 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4839 SSL_ERROR_NONE))
4840 || !TEST_false(SSL_session_reused(clientssl))
4841 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4842 goto end;
532f9578 4843
0d8da779
MC		 4844 if (idx == 0 || idx == 1) {
4845 if (!TEST_true(use_session_cb_cnt == 1)
4846 || !TEST_true(find_session_cb_cnt == 0)
4847 /*
4848 * If no old style callback then below should be 0
4849 * otherwise 1
4850 */
4851 || !TEST_true(psk_client_cb_cnt == idx)
4852 || !TEST_true(psk_server_cb_cnt == 0))
4853 goto end;
4854 } else {
4855 if (!TEST_true(use_session_cb_cnt == 0)
4856 || !TEST_true(find_session_cb_cnt == 0)
4857 || !TEST_true(psk_client_cb_cnt == 1)
4858 || !TEST_true(psk_server_cb_cnt == 0))
4859 goto end;
4860 }
4861
4862 shutdown_ssl_connection(serverssl, clientssl);
4863 serverssl = clientssl = NULL;
4864 use_session_cb_cnt = psk_client_cb_cnt = 0;
4865 }
ca8c71ba
MC		 4866
4867 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4868 NULL, NULL)))
4869 goto end;
4870
4871 /* Create the PSK */
532f9578 4872 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4873 clientpsk = SSL_SESSION_new();
4874 if (!TEST_ptr(clientpsk)
ca8c71ba 4875 || !TEST_ptr(cipher)
57dee9bb
MC		 4876 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4877 sizeof(key)))
4878 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4879 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4880 TLS1_3_VERSION))
4881 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4882 goto end;
57dee9bb 4883 serverpsk = clientpsk;
ca8c71ba
MC		 4884
4885 /* Check we can create a connection and the PSK is used */
4886 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4887 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4888 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4889 goto end;
4890
532f9578
MC		 4891 if (idx == 0 || idx == 1) {
4892 if (!TEST_true(use_session_cb_cnt == 1)
4893 || !TEST_true(find_session_cb_cnt == 1)
4894 || !TEST_true(psk_client_cb_cnt == 0)
4895 || !TEST_true(psk_server_cb_cnt == 0))
4896 goto end;
4897 } else {
4898 if (!TEST_true(use_session_cb_cnt == 0)
4899 || !TEST_true(find_session_cb_cnt == 0)
4900 || !TEST_true(psk_client_cb_cnt == 1)
4901 || !TEST_true(psk_server_cb_cnt == 1))
4902 goto end;
4903 }
4904
ca8c71ba
MC		 4905 shutdown_ssl_connection(serverssl, clientssl);
4906 serverssl = clientssl = NULL;
4907 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4908 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4909
4910 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4911 NULL, NULL)))
4912 goto end;
4913
4914 /* Force an HRR */
dbc6268f
MC		 4915#if defined(OPENSSL_NO_EC)
4916 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4917 goto end;
4918#else
ca8c71ba
MC		 4919 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4920 goto end;
dbc6268f 4921#endif
ca8c71ba
MC		 4922
4923 /*
4924 * Check we can create a connection, the PSK is used and the callbacks are
4925 * called twice.
4926 */
4927 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4928 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4929 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4930 goto end;
4931
532f9578
MC		 4932 if (idx == 0 || idx == 1) {
4933 if (!TEST_true(use_session_cb_cnt == 2)
4934 || !TEST_true(find_session_cb_cnt == 2)
4935 || !TEST_true(psk_client_cb_cnt == 0)
4936 || !TEST_true(psk_server_cb_cnt == 0))
4937 goto end;
4938 } else {
4939 if (!TEST_true(use_session_cb_cnt == 0)
4940 || !TEST_true(find_session_cb_cnt == 0)
4941 || !TEST_true(psk_client_cb_cnt == 2)
4942 || !TEST_true(psk_server_cb_cnt == 2))
4943 goto end;
4944 }
4945
ca8c71ba
MC		 4946 shutdown_ssl_connection(serverssl, clientssl);
4947 serverssl = clientssl = NULL;
4948 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4949 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4950
0d8da779
MC		 4951 if (idx != 3) {
4952 /*
4953 * Check that if the server rejects the PSK we can still connect, but with
4954 * a full handshake
4955 */
4956 srvid = "Dummy Identity";
4957 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4958 NULL, NULL))
4959 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4960 SSL_ERROR_NONE))
4961 || !TEST_false(SSL_session_reused(clientssl))
4962 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4963 goto end;
532f9578 4964
0d8da779
MC		 4965 if (idx == 0 || idx == 1) {
4966 if (!TEST_true(use_session_cb_cnt == 1)
4967 || !TEST_true(find_session_cb_cnt == 1)
4968 || !TEST_true(psk_client_cb_cnt == 0)
4969 /*
4970 * If no old style callback then below should be 0
4971 * otherwise 1
4972 */
4973 || !TEST_true(psk_server_cb_cnt == idx))
4974 goto end;
4975 } else {
4976 if (!TEST_true(use_session_cb_cnt == 0)
4977 || !TEST_true(find_session_cb_cnt == 0)
4978 || !TEST_true(psk_client_cb_cnt == 1)
4979 || !TEST_true(psk_server_cb_cnt == 1))
4980 goto end;
4981 }
4982
4983 shutdown_ssl_connection(serverssl, clientssl);
4984 serverssl = clientssl = NULL;
4985 }
ca8c71ba
MC		 4986 testresult = 1;
4987
4988 end:
57dee9bb
MC		 4989 SSL_SESSION_free(clientpsk);
4990 SSL_SESSION_free(serverpsk);
4991 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4992 SSL_free(serverssl);
4993 SSL_free(clientssl);
4994 SSL_CTX_free(sctx);
4995 SSL_CTX_free(cctx);
4996 return testresult;
4997}
4998
c7b8ff25
MC		 4999static unsigned char cookie_magic_value[] = "cookie magic";
5000
5001static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5002 unsigned int *cookie_len)
5003{
5004 /*
5005 * Not suitable as a real cookie generation function but good enough for
5006 * testing!
5007 */
97ea1e7f
MC		 5008 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5009 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5010
5011 return 1;
5012}
5013
5014static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5015 unsigned int cookie_len)
5016{
97ea1e7f 5017 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5018 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5019 return 1;
5020
5021 return 0;
5022}
5023
3fa2812f
BS		 5024static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5025 size_t *cookie_len)
5026{
5027 unsigned int temp;
5028 int res = generate_cookie_callback(ssl, cookie, &temp);
5029 *cookie_len = temp;
5030 return res;
5031}
5032
5033static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5034 size_t cookie_len)
5035{
5036 return verify_cookie_callback(ssl, cookie, cookie_len);
5037}
5038
c7b8ff25
MC		 5039static int test_stateless(void)
5040{
5041 SSL_CTX *sctx = NULL, *cctx = NULL;
5042 SSL *serverssl = NULL, *clientssl = NULL;
5043 int testresult = 0;
5044
5e30f2fd
MC		 5045 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5046 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5047 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5048 goto end;
5049
e440f513
MC		 5050 /* The arrival of CCS messages can confuse the test */
5051 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5052
5053 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5054 NULL, NULL))
5055 /* Send the first ClientHello */
5056 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5057 SSL_ERROR_WANT_READ))
5058 /*
5059 * This should fail with a -1 return because we have no callbacks
5060 * set up
5061 */
5062 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5063 goto end;
5064
5065 /* Fatal error so abandon the connection from this client */
5066 SSL_free(clientssl);
5067 clientssl = NULL;
5068
c7b8ff25 5069 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5070 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5071 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5072
e440f513
MC		 5073 /*
5074 * Create a new connection from the client (we can reuse the server SSL
5075 * object).
5076 */
c7b8ff25
MC		 5077 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5078 NULL, NULL))
5079 /* Send the first ClientHello */
5080 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5081 SSL_ERROR_WANT_READ))
5082 /* This should fail because there is no cookie */
e440f513 5083 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5084 goto end;
5085
5086 /* Abandon the connection from this client */
5087 SSL_free(clientssl);
5088 clientssl = NULL;
5089
5090 /*
5091 * Now create a connection from a new client but with the same server SSL
5092 * object
5093 */
5094 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5095 NULL, NULL))
5096 /* Send the first ClientHello */
5097 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5098 SSL_ERROR_WANT_READ))
5099 /* This should fail because there is no cookie */
e440f513 5100 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5101 /* Send the second ClientHello */
5102 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5103 SSL_ERROR_WANT_READ))
5104 /* This should succeed because a cookie is now present */
e440f513 5105 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5106 /* Complete the connection */
5107 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5108 SSL_ERROR_NONE)))
5109 goto end;
5110
5111 shutdown_ssl_connection(serverssl, clientssl);
5112 serverssl = clientssl = NULL;
5113 testresult = 1;
5114
5115 end:
5116 SSL_free(serverssl);
5117 SSL_free(clientssl);
5118 SSL_CTX_free(sctx);
5119 SSL_CTX_free(cctx);
5120 return testresult;
5121
5122}
ca0413ae 5123#endif /* OPENSSL_NO_TLS1_3 */
5f982038 5124
a37008d9
MC		 5125static int clntaddoldcb = 0;
5126static int clntparseoldcb = 0;
5127static int srvaddoldcb = 0;
5128static int srvparseoldcb = 0;
5129static int clntaddnewcb = 0;
5130static int clntparsenewcb = 0;
5131static int srvaddnewcb = 0;
5132static int srvparsenewcb = 0;
bb01ef3f 5133static int snicb = 0;
a37008d9
MC		 5134
5135#define TEST_EXT_TYPE1 0xff00
5136
5137static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5138 size_t *outlen, int *al, void *add_arg)
5139{
5140 int *server = (int *)add_arg;
5141 unsigned char *data;
5142
5143 if (SSL_is_server(s))
5144 srvaddoldcb++;
5145 else
5146 clntaddoldcb++;
5147
710756a9
RS		 5148 if (*server != SSL_is_server(s)
5149 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5150 return -1;
5151
5152 *data = 1;
5153 *out = data;
5154 *outlen = sizeof(char);
a37008d9
MC		 5155 return 1;
5156}
5157
5158static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5159 void *add_arg)
5160{
5161 OPENSSL_free((unsigned char *)out);
5162}
5163
5164static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5165 size_t inlen, int *al, void *parse_arg)
5166{
5167 int *server = (int *)parse_arg;
5168
5169 if (SSL_is_server(s))
5170 srvparseoldcb++;
5171 else
5172 clntparseoldcb++;
5173
710756a9
RS		 5174 if (*server != SSL_is_server(s)
5175 || inlen != sizeof(char)
5176 || *in != 1)
a37008d9
MC		 5177 return -1;
5178
5179 return 1;
5180}
5181
5182static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5183 const unsigned char **out, size_t *outlen, X509 *x,
5184 size_t chainidx, int *al, void *add_arg)
5185{
5186 int *server = (int *)add_arg;
5187 unsigned char *data;
5188
5189 if (SSL_is_server(s))
5190 srvaddnewcb++;
5191 else
5192 clntaddnewcb++;
5193
710756a9
RS		 5194 if (*server != SSL_is_server(s)
5195 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5196 return -1;
5197
5198 *data = 1;
5199 *out = data;
710756a9 5200 *outlen = sizeof(*data);
a37008d9
MC		 5201 return 1;
5202}
5203
5204static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5205 const unsigned char *out, void *add_arg)
5206{
5207 OPENSSL_free((unsigned char *)out);
5208}
5209
5210static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5211 const unsigned char *in, size_t inlen, X509 *x,
5212 size_t chainidx, int *al, void *parse_arg)
5213{
5214 int *server = (int *)parse_arg;
5215
5216 if (SSL_is_server(s))
5217 srvparsenewcb++;
5218 else
5219 clntparsenewcb++;
5220
710756a9
RS		 5221 if (*server != SSL_is_server(s)
5222 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5223 return -1;
5224
5225 return 1;
5226}
bb01ef3f
MC		 5227
5228static int sni_cb(SSL *s, int *al, void *arg)
5229{
5230 SSL_CTX *ctx = (SSL_CTX *)arg;
5231
5232 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5233 *al = SSL_AD_INTERNAL_ERROR;
5234 return SSL_TLSEXT_ERR_ALERT_FATAL;
5235 }
5236 snicb++;
5237 return SSL_TLSEXT_ERR_OK;
5238}
5239
a37008d9
MC		 5240/*
5241 * Custom call back tests.
5242 * Test 0: Old style callbacks in TLSv1.2
5243 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5244 * Test 2: New style callbacks in TLSv1.2 with SNI
5245 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5246 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 5247 */
710756a9
RS		 5248static int test_custom_exts(int tst)
5249{
bb01ef3f 5250 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5251 SSL *clientssl = NULL, *serverssl = NULL;
5252 int testresult = 0;
5253 static int server = 1;
5254 static int client = 0;
5255 SSL_SESSION *sess = NULL;
5256 unsigned int context;
5257
c423ecaa
MC		 5258#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5259 /* Skip tests for TLSv1.2 and below in this case */
5260 if (tst < 3)
5261 return 1;
5262#endif
5263
a37008d9
MC		 5264 /* Reset callback counters */
5265 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5266 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5267 snicb = 0;
a37008d9 5268
5e30f2fd
MC		 5269 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5270 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5271 &sctx, &cctx, cert, privkey)))
710756a9 5272 goto end;
a37008d9 5273
bb01ef3f 5274 if (tst == 2
5e30f2fd 5275 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5276 TLS1_VERSION, 0,
7d7f6834 5277 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5278 goto end;
5279
5280
5281 if (tst < 3) {
a37008d9
MC		 5282 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5283 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5284 if (sctx2 != NULL)
5285 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5286 }
5287
bb01ef3f 5288 if (tst == 4) {
710756a9
RS		 5289 context = SSL_EXT_CLIENT_HELLO
5290 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5291 | SSL_EXT_TLS1_3_SERVER_HELLO
5292 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5293 | SSL_EXT_TLS1_3_CERTIFICATE
5294 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5295 } else {
710756a9
RS		 5296 context = SSL_EXT_CLIENT_HELLO
5297 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5298 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5299 }
5300
5301 /* Create a client side custom extension */
5302 if (tst == 0) {
710756a9
RS		 5303 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5304 old_add_cb, old_free_cb,
5305 &client, old_parse_cb,
5306 &client)))
5307 goto end;
a37008d9 5308 } else {
710756a9
RS		 5309 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5310 new_add_cb, new_free_cb,
5311 &client, new_parse_cb, &client)))
5312 goto end;
a37008d9
MC		 5313 }
5314
5315 /* Should not be able to add duplicates */
710756a9
RS		 5316 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5317 old_add_cb, old_free_cb,
5318 &client, old_parse_cb,
5319 &client))
5320 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5321 context, new_add_cb,
5322 new_free_cb, &client,
5323 new_parse_cb, &client)))
5324 goto end;
a37008d9
MC		 5325
5326 /* Create a server side custom extension */
5327 if (tst == 0) {
710756a9
RS		 5328 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5329 old_add_cb, old_free_cb,
5330 &server, old_parse_cb,
5331 &server)))
5332 goto end;
a37008d9 5333 } else {
710756a9
RS		 5334 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5335 new_add_cb, new_free_cb,
5336 &server, new_parse_cb, &server)))
5337 goto end;
bb01ef3f
MC		 5338 if (sctx2 != NULL
5339 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5340 context, new_add_cb,
5341 new_free_cb, &server,
5342 new_parse_cb, &server)))
5343 goto end;
a37008d9
MC		 5344 }
5345
5346 /* Should not be able to add duplicates */
710756a9
RS		 5347 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5348 old_add_cb, old_free_cb,
5349 &server, old_parse_cb,
5350 &server))
5351 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5352 context, new_add_cb,
5353 new_free_cb, &server,
5354 new_parse_cb, &server)))
a37008d9 5355 goto end;
a37008d9 5356
bb01ef3f
MC		 5357 if (tst == 2) {
5358 /* Set up SNI */
5359 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5360 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5361 goto end;
5362 }
5363
710756a9
RS		 5364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5365 &clientssl, NULL, NULL))
5366 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5367 SSL_ERROR_NONE)))
a37008d9 5368 goto end;
a37008d9
MC		 5369
5370 if (tst == 0) {
710756a9
RS		 5371 if (clntaddoldcb != 1
5372 || clntparseoldcb != 1
5373 || srvaddoldcb != 1
5374 || srvparseoldcb != 1)
a37008d9 5375 goto end;
bb01ef3f 5376 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5377 if (clntaddnewcb != 1
5378 || clntparsenewcb != 1
5379 || srvaddnewcb != 1
bb01ef3f
MC		 5380 || srvparsenewcb != 1
5381 || (tst != 2 && snicb != 0)
5382 || (tst == 2 && snicb != 1))
a37008d9 5383 goto end;
a37008d9 5384 } else {
36ff232c 5385 /* In this case there 2 NewSessionTicket messages created */
710756a9 5386 if (clntaddnewcb != 1
36ff232c
MC		 5387 || clntparsenewcb != 5
5388 || srvaddnewcb != 5
710756a9 5389 || srvparsenewcb != 1)
a37008d9 5390 goto end;
a37008d9
MC		 5391 }
5392
5393 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5394 SSL_shutdown(clientssl);
5395 SSL_shutdown(serverssl);
a37008d9
MC		 5396 SSL_free(serverssl);
5397 SSL_free(clientssl);
5398 serverssl = clientssl = NULL;
5399
bb01ef3f
MC		 5400 if (tst == 3) {
5401 /* We don't bother with the resumption aspects for this test */
5402 testresult = 1;
5403 goto end;
5404 }
5405
710756a9
RS		 5406 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5407 NULL, NULL))
5408 || !TEST_true(SSL_set_session(clientssl, sess))
5409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5410 SSL_ERROR_NONE)))
a37008d9 5411 goto end;
a37008d9
MC		 5412
5413 /*
5414 * For a resumed session we expect to add the ClientHello extension. For the
5415 * old style callbacks we ignore it on the server side because they set
5416 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5417 * them.
5418 */
5419 if (tst == 0) {
710756a9
RS		 5420 if (clntaddoldcb != 2
5421 || clntparseoldcb != 1
5422 || srvaddoldcb != 1
5423 || srvparseoldcb != 1)
a37008d9 5424 goto end;
bb01ef3f 5425 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5426 if (clntaddnewcb != 2
5427 || clntparsenewcb != 2
5428 || srvaddnewcb != 2
5429 || srvparsenewcb != 2)
a37008d9 5430 goto end;
a37008d9 5431 } else {
36ff232c
MC		 5432 /*
5433 * No Certificate message extensions in the resumption handshake,
5434 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5435 */
710756a9 5436 if (clntaddnewcb != 2
36ff232c
MC		 5437 || clntparsenewcb != 8
5438 || srvaddnewcb != 8
710756a9 5439 || srvparsenewcb != 2)
a37008d9 5440 goto end;
a37008d9
MC		 5441 }
5442
5443 testresult = 1;
5444
5445end:
5446 SSL_SESSION_free(sess);
5447 SSL_free(serverssl);
5448 SSL_free(clientssl);
bb01ef3f 5449 SSL_CTX_free(sctx2);
a37008d9
MC		 5450 SSL_CTX_free(sctx);
5451 SSL_CTX_free(cctx);
a37008d9
MC		 5452 return testresult;
5453}
5454
16afd71c
MC		 5455/*
5456 * Test loading of serverinfo data in various formats. test_sslmessages actually
5457 * tests to make sure the extensions appear in the handshake
5458 */
5459static int test_serverinfo(int tst)
5460{
5461 unsigned int version;
5462 unsigned char *sibuf;
5463 size_t sibuflen;
5464 int ret, expected, testresult = 0;
5465 SSL_CTX *ctx;
5466
5e30f2fd 5467 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
16afd71c
MC		 5468 if (!TEST_ptr(ctx))
5469 goto end;
5470
5471 if ((tst & 0x01) == 0x01)
5472 version = SSL_SERVERINFOV2;
5473 else
5474 version = SSL_SERVERINFOV1;
5475
5476 if ((tst & 0x02) == 0x02) {
5477 sibuf = serverinfov2;
5478 sibuflen = sizeof(serverinfov2);
5479 expected = (version == SSL_SERVERINFOV2);
5480 } else {
5481 sibuf = serverinfov1;
5482 sibuflen = sizeof(serverinfov1);
5483 expected = (version == SSL_SERVERINFOV1);
5484 }
5485
5486 if ((tst & 0x04) == 0x04) {
5487 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5488 } else {
5489 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5490
5491 /*
5492 * The version variable is irrelevant in this case - it's what is in the
5493 * buffer that matters
5494 */
5495 if ((tst & 0x02) == 0x02)
5496 expected = 0;
5497 else
5498 expected = 1;
5499 }
5500
5501 if (!TEST_true(ret == expected))
5502 goto end;
5503
5504 testresult = 1;
5505
5506 end:
5507 SSL_CTX_free(ctx);
5508
5509 return testresult;
5510}
5511
2197d1df
MC		 5512/*
5513 * Test that SSL_export_keying_material() produces expected results. There are
5514 * no test vectors so all we do is test that both sides of the communication
5515 * produce the same results for different protocol versions.
5516 */
0fb2815b
MC		 5517#define SMALL_LABEL_LEN 10
5518#define LONG_LABEL_LEN 249
2197d1df
MC		 5519static int test_export_key_mat(int tst)
5520{
a599574b 5521 int testresult = 0;
2197d1df
MC		 5522 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5523 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5524 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5525 const unsigned char context[] = "context";
5526 const unsigned char *emptycontext = NULL;
5527 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5528 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5529 size_t labellen;
a599574b
MC		 5530 const int protocols[] = {
5531 TLS1_VERSION,
5532 TLS1_1_VERSION,
5533 TLS1_2_VERSION,
0fb2815b
MC		 5534 TLS1_3_VERSION,
5535 TLS1_3_VERSION,
a599574b
MC		 5536 TLS1_3_VERSION
5537 };
2197d1df
MC		 5538
5539#ifdef OPENSSL_NO_TLS1
5540 if (tst == 0)
5541 return 1;
5542#endif
5543#ifdef OPENSSL_NO_TLS1_1
5544 if (tst == 1)
5545 return 1;
5546#endif
4f6c7044
MC		 5547 if (is_fips && (tst == 0 || tst == 1))
5548 return 1;
2197d1df
MC		 5549#ifdef OPENSSL_NO_TLS1_2
5550 if (tst == 2)
5551 return 1;
5552#endif
5553#ifdef OPENSSL_NO_TLS1_3
0fb2815b 5554 if (tst >= 3)
2197d1df
MC		 5555 return 1;
5556#endif
5e30f2fd
MC		 5557 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5558 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5559 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5560 goto end;
5561
a599574b
MC		 5562 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5563 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5564 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 5565
5566 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5567 NULL))
5568 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5569 SSL_ERROR_NONE)))
5570 goto end;
5571
0fb2815b
MC		 5572 if (tst == 5) {
5573 /*
5574 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5575 * go over that.
5576 */
5577 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5578 sizeof(ckeymat1), label,
5579 LONG_LABEL_LEN + 1, context,
5580 sizeof(context) - 1, 1), 0))
5581 goto end;
5582
5583 testresult = 1;
5584 goto end;
5585 } else if (tst == 4) {
5586 labellen = LONG_LABEL_LEN;
5587 } else {
5588 labellen = SMALL_LABEL_LEN;
5589 }
5590
2197d1df
MC		 5591 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5592 sizeof(ckeymat1), label,
0fb2815b 5593 labellen, context,
2197d1df
MC		 5594 sizeof(context) - 1, 1), 1)
5595 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5596 sizeof(ckeymat2), label,
0fb2815b 5597 labellen,
2197d1df
MC		 5598 emptycontext,
5599 0, 1), 1)
5600 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5601 sizeof(ckeymat3), label,
0fb2815b 5602 labellen,
2197d1df
MC		 5603 NULL, 0, 0), 1)
5604 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5605 sizeof(skeymat1), label,
0fb2815b 5606 labellen,
2197d1df
MC		 5607 context,
5608 sizeof(context) -1, 1),
5609 1)
5610 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5611 sizeof(skeymat2), label,
0fb2815b 5612 labellen,
2197d1df
MC		 5613 emptycontext,
5614 0, 1), 1)
5615 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5616 sizeof(skeymat3), label,
0fb2815b 5617 labellen,
2197d1df
MC		 5618 NULL, 0, 0), 1)
5619 /*
5620 * Check that both sides created the same key material with the
5621 * same context.
5622 */
5623 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5624 sizeof(skeymat1))
5625 /*
5626 * Check that both sides created the same key material with an
5627 * empty context.
5628 */
5629 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5630 sizeof(skeymat2))
5631 /*
5632 * Check that both sides created the same key material without a
5633 * context.
5634 */
5635 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5636 sizeof(skeymat3))
5637 /* Different contexts should produce different results */
5638 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5639 sizeof(ckeymat2)))
5640 goto end;
5641
5642 /*
5643 * Check that an empty context and no context produce different results in
5644 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5645 */
0fb2815b 5646 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5647 sizeof(ckeymat3)))
0fb2815b
MC		 5648 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5649 sizeof(ckeymat3))))
2197d1df
MC		 5650 goto end;
5651
5652 testresult = 1;
5653
5654 end:
5655 SSL_free(serverssl);
5656 SSL_free(clientssl);
5657 SSL_CTX_free(sctx2);
5658 SSL_CTX_free(sctx);
5659 SSL_CTX_free(cctx);
5660
5661 return testresult;
5662}
5663
b38ede80
TT		 5664#ifndef OPENSSL_NO_TLS1_3
5665/*
5666 * Test that SSL_export_keying_material_early() produces expected
5667 * results. There are no test vectors so all we do is test that both
5668 * sides of the communication produce the same results for different
5669 * protocol versions.
5670 */
5671static int test_export_key_mat_early(int idx)
5672{
5673 static const char label[] = "test label";
5674 static const unsigned char context[] = "context";
5675 int testresult = 0;
5676 SSL_CTX *cctx = NULL, *sctx = NULL;
5677 SSL *clientssl = NULL, *serverssl = NULL;
5678 SSL_SESSION *sess = NULL;
5679 const unsigned char *emptycontext = NULL;
5680 unsigned char ckeymat1[80], ckeymat2[80];
5681 unsigned char skeymat1[80], skeymat2[80];
5682 unsigned char buf[1];
5683 size_t readbytes, written;
5684
5685 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5686 &sess, idx)))
5687 goto end;
5688
5689 /* Here writing 0 length early data is enough. */
5690 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5691 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5692 &readbytes),
5693 SSL_READ_EARLY_DATA_ERROR)
5694 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5695 SSL_EARLY_DATA_ACCEPTED))
5696 goto end;
5697
5698 if (!TEST_int_eq(SSL_export_keying_material_early(
5699 clientssl, ckeymat1, sizeof(ckeymat1), label,
5700 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5701 || !TEST_int_eq(SSL_export_keying_material_early(
5702 clientssl, ckeymat2, sizeof(ckeymat2), label,
5703 sizeof(label) - 1, emptycontext, 0), 1)
5704 || !TEST_int_eq(SSL_export_keying_material_early(
5705 serverssl, skeymat1, sizeof(skeymat1), label,
5706 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5707 || !TEST_int_eq(SSL_export_keying_material_early(
5708 serverssl, skeymat2, sizeof(skeymat2), label,
5709 sizeof(label) - 1, emptycontext, 0), 1)
5710 /*
5711 * Check that both sides created the same key material with the
5712 * same context.
5713 */
5714 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5715 sizeof(skeymat1))
5716 /*
5717 * Check that both sides created the same key material with an
5718 * empty context.
5719 */
5720 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5721 sizeof(skeymat2))
5722 /* Different contexts should produce different results */
5723 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5724 sizeof(ckeymat2)))
5725 goto end;
5726
5727 testresult = 1;
5728
5729 end:
c20e3b28 5730 SSL_SESSION_free(sess);
b38ede80
TT		 5731 SSL_SESSION_free(clientpsk);
5732 SSL_SESSION_free(serverpsk);
34ff74eb 5733 clientpsk = serverpsk = NULL;
b38ede80
TT		 5734 SSL_free(serverssl);
5735 SSL_free(clientssl);
5736 SSL_CTX_free(sctx);
5737 SSL_CTX_free(cctx);
5738
5739 return testresult;
5740}
3409a5ff
MC		 5741
5742#define NUM_KEY_UPDATE_MESSAGES 40
5743/*
5744 * Test KeyUpdate.
5745 */
5746static int test_key_update(void)
5747{
5748 SSL_CTX *cctx = NULL, *sctx = NULL;
5749 SSL *clientssl = NULL, *serverssl = NULL;
5750 int testresult = 0, i, j;
5751 char buf[20];
5752 static char *mess = "A test message";
5753
5e30f2fd 5754 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 5755 TLS_client_method(),
5756 TLS1_3_VERSION,
5757 0,
5758 &sctx, &cctx, cert, privkey))
5759 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5760 NULL, NULL))
5761 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5762 SSL_ERROR_NONE)))
5763 goto end;
5764
5765 for (j = 0; j < 2; j++) {
5766 /* Send lots of KeyUpdate messages */
5767 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5768 if (!TEST_true(SSL_key_update(clientssl,
5769 (j == 0)
5770 ? SSL_KEY_UPDATE_NOT_REQUESTED
5771 : SSL_KEY_UPDATE_REQUESTED))
5772 || !TEST_true(SSL_do_handshake(clientssl)))
5773 goto end;
5774 }
5775
5776 /* Check that sending and receiving app data is ok */
5777 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5778 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5779 strlen(mess)))
5780 goto end;
a77b4dba
MC		 5781
5782 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5783 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5784 strlen(mess)))
5785 goto end;
3409a5ff
MC		 5786 }
5787
5788 testresult = 1;
5789
5790 end:
5791 SSL_free(serverssl);
5792 SSL_free(clientssl);
5793 SSL_CTX_free(sctx);
5794 SSL_CTX_free(cctx);
5795
5796 return testresult;
5797}
a77b4dba
MC		 5798
5799/*
5800 * Test we can handle a KeyUpdate (update requested) message while write data
5801 * is pending.
5802 * Test 0: Client sends KeyUpdate while Server is writing
5803 * Test 1: Server sends KeyUpdate while Client is writing
5804 */
5805static int test_key_update_in_write(int tst)
5806{
5807 SSL_CTX *cctx = NULL, *sctx = NULL;
5808 SSL *clientssl = NULL, *serverssl = NULL;
5809 int testresult = 0;
5810 char buf[20];
5811 static char *mess = "A test message";
5812 BIO *bretry = BIO_new(bio_s_always_retry());
5813 BIO *tmp = NULL;
5814 SSL *peerupdate = NULL, *peerwrite = NULL;
5815
5816 if (!TEST_ptr(bretry)
5e30f2fd 5817 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 5818 TLS_client_method(),
5819 TLS1_3_VERSION,
5820 0,
5821 &sctx, &cctx, cert, privkey))
5822 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5823 NULL, NULL))
5824 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5825 SSL_ERROR_NONE)))
5826 goto end;
5827
5828 peerupdate = tst == 0 ? clientssl : serverssl;
5829 peerwrite = tst == 0 ? serverssl : clientssl;
5830
5831 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5832 || !TEST_true(SSL_do_handshake(peerupdate)))
5833 goto end;
5834
5835 /* Swap the writing endpoint's write BIO to force a retry */
5836 tmp = SSL_get_wbio(peerwrite);
5837 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5838 tmp = NULL;
5839 goto end;
5840 }
5841 SSL_set0_wbio(peerwrite, bretry);
5842 bretry = NULL;
5843
5844 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5845 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5846 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5847 goto end;
5848
5849 /* Reinstate the original writing endpoint's write BIO */
5850 SSL_set0_wbio(peerwrite, tmp);
5851 tmp = NULL;
5852
5853 /* Now read some data - we will read the key update */
5854 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5855 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5856 goto end;
5857
5858 /*
5859 * Complete the write we started previously and read it from the other
5860 * endpoint
5861 */
5862 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5863 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5864 goto end;
5865
5866 /* Write more data to ensure we send the KeyUpdate message back */
5867 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5868 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5869 goto end;
5870
5871 testresult = 1;
5872
5873 end:
5874 SSL_free(serverssl);
5875 SSL_free(clientssl);
5876 SSL_CTX_free(sctx);
5877 SSL_CTX_free(cctx);
5878 BIO_free(bretry);
5879 BIO_free(tmp);
5880
5881 return testresult;
5882}
b38ede80
TT		 5883#endif /* OPENSSL_NO_TLS1_3 */
5884
e11b6aa4
MC		 5885static int test_ssl_clear(int idx)
5886{
5887 SSL_CTX *cctx = NULL, *sctx = NULL;
5888 SSL *clientssl = NULL, *serverssl = NULL;
5889 int testresult = 0;
5890
5891#ifdef OPENSSL_NO_TLS1_2
5892 if (idx == 1)
5893 return 1;
5894#endif
5895
5896 /* Create an initial connection */
5e30f2fd
MC		 5897 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5898 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5899 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5900 || (idx == 1
5901 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5902 TLS1_2_VERSION)))
5903 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5904 &clientssl, NULL, NULL))
5905 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5906 SSL_ERROR_NONE)))
5907 goto end;
5908
5909 SSL_shutdown(clientssl);
5910 SSL_shutdown(serverssl);
5911 SSL_free(serverssl);
5912 serverssl = NULL;
5913
5914 /* Clear clientssl - we're going to reuse the object */
5915 if (!TEST_true(SSL_clear(clientssl)))
5916 goto end;
5917
5918 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5919 NULL, NULL))
5920 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5921 SSL_ERROR_NONE))
5922 || !TEST_true(SSL_session_reused(clientssl)))
5923 goto end;
5924
5925 SSL_shutdown(clientssl);
5926 SSL_shutdown(serverssl);
5927
5928 testresult = 1;
5929
5930 end:
5931 SSL_free(serverssl);
5932 SSL_free(clientssl);
5933 SSL_CTX_free(sctx);
5934 SSL_CTX_free(cctx);
5935
5936 return testresult;
5937}
5938
cf72c757
F		 5939/* Parse CH and retrieve any MFL extension value if present */
5940static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5941{
5942 long len;
5943 unsigned char *data;
72962d02 5944 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5945 unsigned int MFL_code = 0, type = 0;
5946
5947 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5948 goto end;
5949
72962d02
P		 5950 memset(&pkt, 0, sizeof(pkt));
5951 memset(&pkt2, 0, sizeof(pkt2));
5952 memset(&pkt3, 0, sizeof(pkt3));
5953
cf72c757
F		 5954 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5955 /* Skip the record header */
5956 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5957 /* Skip the handshake message header */
5958 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5959 /* Skip client version and random */
5960 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5961 + SSL3_RANDOM_SIZE))
5962 /* Skip session id */
5963 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5964 /* Skip ciphers */
5965 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5966 /* Skip compression */
5967 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5968 /* Extensions len */
5969 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5970 goto end;
5971
5972 /* Loop through all extensions */
5973 while (PACKET_remaining(&pkt2)) {
5974 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5975 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5976 goto end;
5977
5978 if (type == TLSEXT_TYPE_max_fragment_length) {
5979 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5980 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5981 goto end;
5982
5983 *mfl_codemfl_code = MFL_code;
5984 return 1;
5985 }
5986 }
5987
5988 end:
5989 return 0;
5990}
5991
5992/* Maximum-Fragment-Length TLS extension mode to test */
5993static const unsigned char max_fragment_len_test[] = {
5994 TLSEXT_max_fragment_length_512,
5995 TLSEXT_max_fragment_length_1024,
5996 TLSEXT_max_fragment_length_2048,
5997 TLSEXT_max_fragment_length_4096
5998};
5999
6000static int test_max_fragment_len_ext(int idx_tst)
6001{
6002 SSL_CTX *ctx;
6003 SSL *con = NULL;
6004 int testresult = 0, MFL_mode = 0;
6005 BIO *rbio, *wbio;
6006
5e30f2fd 6007 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
cf72c757
F		 6008 if (!TEST_ptr(ctx))
6009 goto end;
6010
6011 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6012 ctx, max_fragment_len_test[idx_tst])))
6013 goto end;
6014
6015 con = SSL_new(ctx);
6016 if (!TEST_ptr(con))
6017 goto end;
6018
6019 rbio = BIO_new(BIO_s_mem());
6020 wbio = BIO_new(BIO_s_mem());
6021 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6022 BIO_free(rbio);
6023 BIO_free(wbio);
6024 goto end;
6025 }
6026
6027 SSL_set_bio(con, rbio, wbio);
6028 SSL_set_connect_state(con);
6029
6030 if (!TEST_int_le(SSL_connect(con), 0)) {
6031 /* This shouldn't succeed because we don't have a server! */
6032 goto end;
6033 }
6034
6035 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6036 /* no MFL in client hello */
6037 goto end;
6038 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6039 goto end;
6040
6041 testresult = 1;
6042
6043end:
6044 SSL_free(con);
6045 SSL_CTX_free(ctx);
6046
6047 return testresult;
6048}
6049
9d75dce3
TS		 6050#ifndef OPENSSL_NO_TLS1_3
6051static int test_pha_key_update(void)
6052{
6053 SSL_CTX *cctx = NULL, *sctx = NULL;
6054 SSL *clientssl = NULL, *serverssl = NULL;
6055 int testresult = 0;
6056
5e30f2fd
MC		 6057 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6058 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6059 &sctx, &cctx, cert, privkey)))
6060 return 0;
6061
6062 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6063 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6064 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6065 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6066 goto end;
6067
e97be718 6068 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6069
6070 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6071 NULL, NULL)))
6072 goto end;
6073
9d75dce3
TS		 6074 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6075 SSL_ERROR_NONE)))
6076 goto end;
6077
6078 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6079 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6080 goto end;
6081
6082 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6083 goto end;
6084
6085 /* Start handshake on the server */
6086 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6087 goto end;
6088
6089 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6090 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6091 SSL_ERROR_NONE)))
6092 goto end;
6093
6094 SSL_shutdown(clientssl);
6095 SSL_shutdown(serverssl);
6096
6097 testresult = 1;
6098
6099 end:
6100 SSL_free(serverssl);
6101 SSL_free(clientssl);
6102 SSL_CTX_free(sctx);
6103 SSL_CTX_free(cctx);
6104 return testresult;
6105}
6106#endif
6107
76fd7a1d
MC		 6108#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6109
6110static SRP_VBASE *vbase = NULL;
6111
852c2ed2
RS		 6112DEFINE_STACK_OF(SRP_user_pwd)
6113
76fd7a1d
MC		 6114static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6115{
6116 int ret = SSL3_AL_FATAL;
6117 char *username;
6118 SRP_user_pwd *user = NULL;
6119
6120 username = SSL_get_srp_username(s);
6121 if (username == NULL) {
6122 *ad = SSL_AD_INTERNAL_ERROR;
6123 goto err;
6124 }
6125
6126 user = SRP_VBASE_get1_by_user(vbase, username);
6127 if (user == NULL) {
6128 *ad = SSL_AD_INTERNAL_ERROR;
6129 goto err;
6130 }
6131
6132 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6133 user->info) <= 0) {
6134 *ad = SSL_AD_INTERNAL_ERROR;
6135 goto err;
6136 }
6137
6138 ret = 0;
6139
6140 err:
6141 SRP_user_pwd_free(user);
6142 return ret;
6143}
6144
6145static int create_new_vfile(char *userid, char *password, const char *filename)
6146{
6147 char *gNid = NULL;
6148 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6149 TXT_DB *db = NULL;
6150 int ret = 0;
6151 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6152 size_t i;
6153
6154 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6155 goto end;
6156
20c00d0a 6157 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6158 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6159 if (!TEST_ptr(gNid))
6160 goto end;
6161
6162 /*
6163 * The only way to create an empty TXT_DB is to provide a BIO with no data
6164 * in it!
6165 */
6166 db = TXT_DB_read(dummy, DB_NUMBER);
6167 if (!TEST_ptr(db))
6168 goto end;
6169
6170 out = BIO_new_file(filename, "w");
6171 if (!TEST_ptr(out))
6172 goto end;
6173
6174 row[DB_srpid] = OPENSSL_strdup(userid);
6175 row[DB_srptype] = OPENSSL_strdup("V");
6176 row[DB_srpgN] = OPENSSL_strdup(gNid);
6177
6178 if (!TEST_ptr(row[DB_srpid])
6179 || !TEST_ptr(row[DB_srptype])
6180 || !TEST_ptr(row[DB_srpgN])
6181 || !TEST_true(TXT_DB_insert(db, row)))
6182 goto end;
6183
6184 row = NULL;
6185
6186 if (!TXT_DB_write(out, db))
6187 goto end;
6188
6189 ret = 1;
6190 end:
6191 if (row != NULL) {
6192 for (i = 0; i < DB_NUMBER; i++)
6193 OPENSSL_free(row[i]);
6194 }
6195 OPENSSL_free(row);
6196 BIO_free(dummy);
6197 BIO_free(out);
6198 TXT_DB_free(db);
6199
6200 return ret;
6201}
6202
6203static int create_new_vbase(char *userid, char *password)
6204{
6205 BIGNUM *verifier = NULL, *salt = NULL;
6206 const SRP_gN *lgN = NULL;
6207 SRP_user_pwd *user_pwd = NULL;
6208 int ret = 0;
6209
6210 lgN = SRP_get_default_gN(NULL);
6211 if (!TEST_ptr(lgN))
6212 goto end;
6213
20c00d0a 6214 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6215 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6216 goto end;
6217
6218 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6219 if (!TEST_ptr(user_pwd))
6220 goto end;
6221
6222 user_pwd->N = lgN->N;
6223 user_pwd->g = lgN->g;
6224 user_pwd->id = OPENSSL_strdup(userid);
6225 if (!TEST_ptr(user_pwd->id))
6226 goto end;
6227
6228 user_pwd->v = verifier;
6229 user_pwd->s = salt;
6230 verifier = salt = NULL;
6231
6232 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6233 goto end;
6234 user_pwd = NULL;
6235
6236 ret = 1;
6237end:
6238 SRP_user_pwd_free(user_pwd);
6239 BN_free(salt);
6240 BN_free(verifier);
6241
6242 return ret;
6243}
6244
6245/*
6246 * SRP tests
6247 *
6248 * Test 0: Simple successful SRP connection, new vbase
6249 * Test 1: Connection failure due to bad password, new vbase
6250 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6251 * Test 3: Connection failure due to bad password, vbase loaded from existing
6252 * file
6253 * Test 4: Simple successful SRP connection, vbase loaded from new file
6254 * Test 5: Connection failure due to bad password, vbase loaded from new file
6255 */
6256static int test_srp(int tst)
6257{
6258 char *userid = "test", *password = "password", *tstsrpfile;
6259 SSL_CTX *cctx = NULL, *sctx = NULL;
6260 SSL *clientssl = NULL, *serverssl = NULL;
6261 int ret, testresult = 0;
6262
6263 vbase = SRP_VBASE_new(NULL);
6264 if (!TEST_ptr(vbase))
6265 goto end;
6266
6267 if (tst == 0 || tst == 1) {
6268 if (!TEST_true(create_new_vbase(userid, password)))
6269 goto end;
6270 } else {
6271 if (tst == 4 || tst == 5) {
6272 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6273 goto end;
6274 tstsrpfile = tmpfilename;
6275 } else {
6276 tstsrpfile = srpvfile;
6277 }
6278 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6279 goto end;
6280 }
6281
5e30f2fd
MC		 6282 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6283 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6284 &sctx, &cctx, cert, privkey)))
6285 goto end;
6286
6287 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6288 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6289 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6290 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6291 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6292 goto end;
6293
6294 if (tst % 2 == 1) {
6295 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6296 goto end;
6297 } else {
6298 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6299 goto end;
6300 }
6301
6302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6303 NULL, NULL)))
6304 goto end;
6305
6306 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6307 if (ret) {
6308 if (!TEST_true(tst % 2 == 0))
6309 goto end;
6310 } else {
6311 if (!TEST_true(tst % 2 == 1))
6312 goto end;
6313 }
6314
6315 testresult = 1;
6316
6317 end:
6318 SRP_VBASE_free(vbase);
6319 vbase = NULL;
6320 SSL_free(serverssl);
6321 SSL_free(clientssl);
6322 SSL_CTX_free(sctx);
6323 SSL_CTX_free(cctx);
6324
6325 return testresult;
6326}
6327#endif
6328
5718fe45
MC		 6329static int info_cb_failed = 0;
6330static int info_cb_offset = 0;
6331static int info_cb_this_state = -1;
6332
6333static struct info_cb_states_st {
6334 int where;
6335 const char *statestr;
6336} info_cb_states[][60] = {
6337 {
6338 /* TLSv1.2 server followed by resumption */
6339 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6340 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6341 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6342 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6343 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6344 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6345 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6346 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6347 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6348 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6349 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6350 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6351 {SSL_CB_EXIT, NULL}, {0, NULL},
6352 }, {
6353 /* TLSv1.2 client followed by resumption */
6354 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6355 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6356 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6357 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6358 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6359 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6360 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6361 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6362 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6363 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6364 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6365 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6366 }, {
6367 /* TLSv1.3 server followed by resumption */
6368 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6369 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6370 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6371 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6372 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 6373 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6374 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6375 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6376 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6377 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6378 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6379 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6380 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6381 }, {
6382 /* TLSv1.3 client followed by resumption */
6383 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6384 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6385 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6386 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6387 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6388 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6389 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6390 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 6391 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6392 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6393 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6394 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6395 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 6396 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6397 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6398 }, {
6399 /* TLSv1.3 server, early_data */
6400 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6401 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6402 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6403 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6404 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6405 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 6406 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 6407 {SSL_CB_EXIT, NULL}, {0, NULL},
6408 }, {
6409 /* TLSv1.3 client, early_data */
6410 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6411 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6412 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6413 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6414 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6415 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6416 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6417 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6418 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6419 }, {
6420 {0, NULL},
6421 }
6422};
6423
6424static void sslapi_info_callback(const SSL *s, int where, int ret)
6425{
6426 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6427
6428 /* We do not ever expect a connection to fail in this test */
6429 if (!TEST_false(ret == 0)) {
6430 info_cb_failed = 1;
6431 return;
6432 }
6433
6434 /*
6435 * Do some sanity checks. We never expect these things to happen in this
6436 * test
6437 */
6438 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6439 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6440 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6441 info_cb_failed = 1;
6442 return;
6443 }
6444
6445 /* Now check we're in the right state */
6446 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6447 info_cb_failed = 1;
6448 return;
6449 }
6450 if ((where & SSL_CB_LOOP) != 0
6451 && !TEST_int_eq(strcmp(SSL_state_string(s),
6452 state[info_cb_this_state].statestr), 0)) {
6453 info_cb_failed = 1;
6454 return;
6455 }
033c181b 6456
4af5836b
MC		 6457 /*
6458 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6459 */
6460 if ((where & SSL_CB_HANDSHAKE_DONE)
6461 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 6462 info_cb_failed = 1;
6463 return;
6464 }
5718fe45
MC		 6465}
6466
6467/*
6468 * Test the info callback gets called when we expect it to.
6469 *
6470 * Test 0: TLSv1.2, server
6471 * Test 1: TLSv1.2, client
6472 * Test 2: TLSv1.3, server
6473 * Test 3: TLSv1.3, client
6474 * Test 4: TLSv1.3, server, early_data
6475 * Test 5: TLSv1.3, client, early_data
6476 */
6477static int test_info_callback(int tst)
6478{
6479 SSL_CTX *cctx = NULL, *sctx = NULL;
6480 SSL *clientssl = NULL, *serverssl = NULL;
6481 SSL_SESSION *clntsess = NULL;
6482 int testresult = 0;
6483 int tlsvers;
6484
6485 if (tst < 2) {
1aac20f5
MC		 6486/* We need either ECDHE or DHE for the TLSv1.2 test to work */
6487#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6488 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 6489 tlsvers = TLS1_2_VERSION;
6490#else
6491 return 1;
6492#endif
6493 } else {
6494#ifndef OPENSSL_NO_TLS1_3
6495 tlsvers = TLS1_3_VERSION;
6496#else
6497 return 1;
6498#endif
6499 }
6500
6501 /* Reset globals */
6502 info_cb_failed = 0;
6503 info_cb_this_state = -1;
6504 info_cb_offset = tst;
6505
6e07834c 6506#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 6507 if (tst >= 4) {
6508 SSL_SESSION *sess = NULL;
6509 size_t written, readbytes;
6510 unsigned char buf[80];
6511
6512 /* early_data tests */
6513 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6514 &serverssl, &sess, 0)))
6515 goto end;
6516
6517 /* We don't actually need this reference */
6518 SSL_SESSION_free(sess);
6519
6520 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6521 sslapi_info_callback);
6522
6523 /* Write and read some early data and then complete the connection */
6524 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6525 &written))
6526 || !TEST_size_t_eq(written, strlen(MSG1))
6527 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6528 sizeof(buf), &readbytes),
6529 SSL_READ_EARLY_DATA_SUCCESS)
6530 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6531 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6532 SSL_EARLY_DATA_ACCEPTED)
6533 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6534 SSL_ERROR_NONE))
6535 || !TEST_false(info_cb_failed))
6536 goto end;
6537
6538 testresult = 1;
6539 goto end;
6540 }
6e07834c 6541#endif
5718fe45 6542
5e30f2fd 6543 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 6544 TLS_client_method(),
6545 tlsvers, tlsvers, &sctx, &cctx, cert,
6546 privkey)))
6547 goto end;
6548
6549 /*
6550 * For even numbered tests we check the server callbacks. For odd numbers we
6551 * check the client.
6552 */
6553 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6554 sslapi_info_callback);
6555
6556 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6557 &clientssl, NULL, NULL))
6558 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6559 SSL_ERROR_NONE))
6560 || !TEST_false(info_cb_failed))
6561 goto end;
6562
6563
6564
6565 clntsess = SSL_get1_session(clientssl);
6566 SSL_shutdown(clientssl);
6567 SSL_shutdown(serverssl);
6568 SSL_free(serverssl);
6569 SSL_free(clientssl);
6570 serverssl = clientssl = NULL;
6571
6572 /* Now do a resumption */
6573 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6574 NULL))
6575 || !TEST_true(SSL_set_session(clientssl, clntsess))
6576 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6577 SSL_ERROR_NONE))
6578 || !TEST_true(SSL_session_reused(clientssl))
6579 || !TEST_false(info_cb_failed))
6580 goto end;
6581
6582 testresult = 1;
6583
6584 end:
6585 SSL_free(serverssl);
6586 SSL_free(clientssl);
6587 SSL_SESSION_free(clntsess);
6588 SSL_CTX_free(sctx);
6589 SSL_CTX_free(cctx);
6590 return testresult;
6591}
6592
4a432af8
MC		 6593static int test_ssl_pending(int tst)
6594{
6595 SSL_CTX *cctx = NULL, *sctx = NULL;
6596 SSL *clientssl = NULL, *serverssl = NULL;
6597 int testresult = 0;
6598 char msg[] = "A test message";
6599 char buf[5];
6600 size_t written, readbytes;
6601
6602 if (tst == 0) {
5e30f2fd 6603 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6604 TLS_client_method(),
5c587fb6 6605 TLS1_VERSION, 0,
4a432af8
MC		 6606 &sctx, &cctx, cert, privkey)))
6607 goto end;
6608 } else {
6609#ifndef OPENSSL_NO_DTLS
5e30f2fd 6610 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6611 DTLS_client_method(),
5c587fb6 6612 DTLS1_VERSION, 0,
4a432af8
MC		 6613 &sctx, &cctx, cert, privkey)))
6614 goto end;
6615#else
6616 return 1;
6617#endif
6618 }
6619
6620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6621 NULL, NULL))
6622 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6623 SSL_ERROR_NONE)))
6624 goto end;
6625
e8251092
MC		 6626 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6627 || !TEST_false(SSL_has_pending(clientssl))
6628 || !TEST_int_eq(SSL_pending(serverssl), 0)
6629 || !TEST_false(SSL_has_pending(serverssl))
6630 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6631 || !TEST_size_t_eq(written, sizeof(msg))
6632 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6633 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6634 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6635 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6636 goto end;
6637
6638 testresult = 1;
6639
6640 end:
6641 SSL_free(serverssl);
6642 SSL_free(clientssl);
6643 SSL_CTX_free(sctx);
6644 SSL_CTX_free(cctx);
6645
6646 return testresult;
6647}
6648
e401389a
MC		 6649static struct {
6650 unsigned int maxprot;
6651 const char *clntciphers;
6652 const char *clnttls13ciphers;
6653 const char *srvrciphers;
6654 const char *srvrtls13ciphers;
6655 const char *shared;
a96e6c34 6656 const char *fipsshared;
e401389a 6657} shared_ciphers_data[] = {
60155b9a
MC		 6658/*
6659 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6660 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6661 */
6662#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6663 {
6664 TLS1_2_VERSION,
6665 "AES128-SHA:AES256-SHA",
6666 NULL,
6667 "AES256-SHA:DHE-RSA-AES128-SHA",
6668 NULL,
a96e6c34 6669 "AES256-SHA",
e401389a
MC		 6670 "AES256-SHA"
6671 },
a96e6c34
MC		 6672# if !defined(OPENSSL_NO_CHACHA) \
6673 && !defined(OPENSSL_NO_POLY1305) \
6674 && !defined(OPENSSL_NO_EC)
6675 {
6676 TLS1_2_VERSION,
6677 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6678 NULL,
6679 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6680 NULL,
6681 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6682 "AES128-SHA"
6683 },
6684# endif
e401389a
MC		 6685 {
6686 TLS1_2_VERSION,
6687 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6688 NULL,
6689 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6690 NULL,
a96e6c34 6691 "AES128-SHA:AES256-SHA",
e401389a
MC		 6692 "AES128-SHA:AES256-SHA"
6693 },
6694 {
6695 TLS1_2_VERSION,
6696 "AES128-SHA:AES256-SHA",
6697 NULL,
6698 "AES128-SHA:DHE-RSA-AES128-SHA",
6699 NULL,
a96e6c34 6700 "AES128-SHA",
e401389a
MC		 6701 "AES128-SHA"
6702 },
60155b9a
MC		 6703#endif
6704/*
6705 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6706 * enabled.
6707 */
6708#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6709 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 6710 {
6711 TLS1_3_VERSION,
6712 "AES128-SHA:AES256-SHA",
6713 NULL,
6714 "AES256-SHA:AES128-SHA256",
6715 NULL,
6716 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 6717 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6718 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 6719 },
60155b9a
MC		 6720#endif
6721#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 6722 {
6723 TLS1_3_VERSION,
6724 "AES128-SHA",
6725 "TLS_AES_256_GCM_SHA384",
6726 "AES256-SHA",
6727 "TLS_AES_256_GCM_SHA384",
a96e6c34 6728 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 6729 "TLS_AES_256_GCM_SHA384"
6730 },
6731#endif
6732};
6733
a96e6c34 6734static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 6735{
6736 SSL_CTX *cctx = NULL, *sctx = NULL;
6737 SSL *clientssl = NULL, *serverssl = NULL;
6738 int testresult = 0;
6739 char buf[1024];
a96e6c34
MC		 6740 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6741
6742 if (!TEST_ptr(tmplibctx))
6743 goto end;
6744
6745 /*
6746 * Regardless of whether we're testing with the FIPS provider loaded into
6747 * libctx, we want one peer to always use the full set of ciphersuites
6748 * available. Therefore we use a separate libctx with the default provider
6749 * loaded into it. We run the same tests twice - once with the client side
6750 * having the full set of ciphersuites and once with the server side.
6751 */
6752 if (clnt) {
6753 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6754 if (!TEST_ptr(cctx))
6755 goto end;
6756 } else {
6757 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6758 if (!TEST_ptr(sctx))
6759 goto end;
6760 }
e401389a 6761
5e30f2fd 6762 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 6763 TLS_client_method(),
6764 TLS1_VERSION,
6765 shared_ciphers_data[tst].maxprot,
6766 &sctx, &cctx, cert, privkey)))
6767 goto end;
6768
6769 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6770 shared_ciphers_data[tst].clntciphers))
6771 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6772 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6773 shared_ciphers_data[tst].clnttls13ciphers)))
6774 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6775 shared_ciphers_data[tst].srvrciphers))
6776 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6777 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6778 shared_ciphers_data[tst].srvrtls13ciphers))))
6779 goto end;
6780
6781
6782 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6783 NULL, NULL))
6784 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6785 SSL_ERROR_NONE)))
6786 goto end;
6787
6788 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 6789 || !TEST_int_eq(strcmp(buf,
6790 is_fips
6791 ? shared_ciphers_data[tst].fipsshared
6792 : shared_ciphers_data[tst].shared),
6793 0)) {
e401389a
MC		 6794 TEST_info("Shared ciphers are: %s\n", buf);
6795 goto end;
6796 }
6797
6798 testresult = 1;
6799
6800 end:
6801 SSL_free(serverssl);
6802 SSL_free(clientssl);
6803 SSL_CTX_free(sctx);
6804 SSL_CTX_free(cctx);
a96e6c34 6805 OPENSSL_CTX_free(tmplibctx);
e401389a
MC		 6806
6807 return testresult;
6808}
6809
a96e6c34
MC		 6810static int test_ssl_get_shared_ciphers(int tst)
6811{
6812 return int_test_ssl_get_shared_ciphers(tst, 0)
6813 && int_test_ssl_get_shared_ciphers(tst, 1);
6814}
6815
6816
d0191fe0 6817static const char *appdata = "Hello World";
61fb5923
MC		 6818static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6819static int tick_key_renew = 0;
6820static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6821
6822static int gen_tick_cb(SSL *s, void *arg)
6823{
6824 gen_tick_called = 1;
6825
6826 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6827 strlen(appdata));
6828}
6829
6830static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6831 const unsigned char *keyname,
6832 size_t keyname_length,
61fb5923
MC		 6833 SSL_TICKET_STATUS status,
6834 void *arg)
d0191fe0
MC		 6835{
6836 void *tickdata;
6837 size_t tickdlen;
6838
6839 dec_tick_called = 1;
6840
61fb5923
MC		 6841 if (status == SSL_TICKET_EMPTY)
6842 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6843
61fb5923
MC		 6844 if (!TEST_true(status == SSL_TICKET_SUCCESS
6845 || status == SSL_TICKET_SUCCESS_RENEW))
6846 return SSL_TICKET_RETURN_ABORT;
6847
6848 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6849 &tickdlen))
d0191fe0
MC		 6850 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6851 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6852 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6853
61fb5923
MC		 6854 if (tick_key_cb_called) {
6855 /* Don't change what the ticket key callback wanted to do */
6856 switch (status) {
6857 case SSL_TICKET_NO_DECRYPT:
6858 return SSL_TICKET_RETURN_IGNORE_RENEW;
6859
6860 case SSL_TICKET_SUCCESS:
6861 return SSL_TICKET_RETURN_USE;
d0191fe0 6862
61fb5923
MC		 6863 case SSL_TICKET_SUCCESS_RENEW:
6864 return SSL_TICKET_RETURN_USE_RENEW;
6865
6866 default:
6867 return SSL_TICKET_RETURN_ABORT;
6868 }
6869 }
6870 return tick_dec_ret;
6871
6872}
d0191fe0 6873
a76ce286 6874#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 6875static int tick_key_cb(SSL *s, unsigned char key_name[16],
6876 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6877 HMAC_CTX *hctx, int enc)
6878{
6879 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6880 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 6881 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6882 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6883 int ret;
d0191fe0 6884
61fb5923 6885 tick_key_cb_called = 1;
d0191fe0
MC		 6886 memset(iv, 0, AES_BLOCK_SIZE);
6887 memset(key_name, 0, 16);
5e30f2fd
MC		 6888 if (aes128cbc == NULL
6889 || sha256 == NULL
6890 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6891 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6892 NULL))
6893 ret = -1;
6894 else
6895 ret = tick_key_renew ? 2 : 1;
d0191fe0 6896
5e30f2fd
MC		 6897 EVP_CIPHER_free(aes128cbc);
6898 EVP_MD_free(sha256);
6899
6900 return ret;
d0191fe0 6901}
a76ce286
P		 6902#endif
6903
6904static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6905 unsigned char iv[EVP_MAX_IV_LENGTH],
6906 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6907{
6908 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6909 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6910 OSSL_PARAM params[3];
5e30f2fd
MC		 6911 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6912 int ret;
a76ce286
P		 6913
6914 tick_key_cb_called = 1;
6915 memset(iv, 0, AES_BLOCK_SIZE);
6916 memset(key_name, 0, 16);
6917 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6918 "SHA256", 0);
6919 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6920 tick_hmac_key,
6921 sizeof(tick_hmac_key));
6922 params[2] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 6923 if (aes128cbc == NULL
6924 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
d9c2fd51 6925 || !EVP_MAC_set_ctx_params(hctx, params)
a76ce286 6926 || !EVP_MAC_init(hctx))
5e30f2fd
MC		 6927 ret = -1;
6928 else
6929 ret = tick_key_renew ? 2 : 1;
6930
6931 EVP_CIPHER_free(aes128cbc);
a76ce286 6932
5e30f2fd 6933 return ret;
a76ce286 6934}
d0191fe0
MC		 6935
6936/*
6937 * Test the various ticket callbacks
61fb5923
MC		 6938 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6939 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6940 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6941 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6942 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6943 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6944 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6945 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 6946 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6947 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6948 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6949 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6950 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6951 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6952 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6953 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6954 */
6955static int test_ticket_callbacks(int tst)
6956{
6957 SSL_CTX *cctx = NULL, *sctx = NULL;
6958 SSL *clientssl = NULL, *serverssl = NULL;
6959 SSL_SESSION *clntsess = NULL;
6960 int testresult = 0;
6961
6962#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6963 if (tst % 2 == 0)
d0191fe0
MC		 6964 return 1;
6965#endif
6966#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 6967 if (tst % 2 == 1)
d0191fe0
MC		 6968 return 1;
6969#endif
a76ce286
P		 6970#ifdef OPENSSL_NO_DEPRECATED_3_0
6971 if (tst >= 8 && tst <= 11)
6972 return 1;
6973#endif
d0191fe0 6974
61fb5923 6975 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6976
6977 /* Which tests the ticket key callback should request renewal for */
a76ce286 6978 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 6979 tick_key_renew = 1;
d0191fe0 6980 else
61fb5923
MC		 6981 tick_key_renew = 0;
6982
6983 /* Which tests the decrypt ticket callback should request renewal for */
6984 switch (tst) {
6985 case 0:
6986 case 1:
6987 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6988 break;
6989
6990 case 2:
6991 case 3:
6992 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6993 break;
6994
6995 case 4:
6996 case 5:
6997 tick_dec_ret = SSL_TICKET_RETURN_USE;
6998 break;
6999
7000 case 6:
7001 case 7:
7002 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7003 break;
7004
7005 default:
7006 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7007 }
d0191fe0 7008
5e30f2fd 7009 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 7010 TLS_client_method(),
7011 TLS1_VERSION,
61fb5923
MC		 7012 ((tst % 2) == 0) ? TLS1_2_VERSION
7013 : TLS1_3_VERSION,
d0191fe0
MC		 7014 &sctx, &cctx, cert, privkey)))
7015 goto end;
7016
61fb5923
MC		 7017 /*
7018 * We only want sessions to resume from tickets - not the session cache. So
7019 * switch the cache off.
7020 */
7021 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7022 goto end;
7023
d0191fe0
MC		 7024 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7025 NULL)))
7026 goto end;
7027
a76ce286
P		 7028 if (tst >= 12) {
7029 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7030 goto end;
7031#ifndef OPENSSL_NO_DEPRECATED_3_0
7032 } else if (tst >= 8) {
7033 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7034 goto end;
7035#endif
7036 }
d0191fe0
MC		 7037
7038 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7039 NULL, NULL))
7040 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7041 SSL_ERROR_NONE)))
7042 goto end;
7043
61fb5923
MC		 7044 /*
7045 * The decrypt ticket key callback in TLSv1.2 should be called even though
7046 * we have no ticket yet, because it gets called with a status of
7047 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7048 * actually send any ticket data). This does not happen in TLSv1.3 because
7049 * it is not valid to send empty ticket data in TLSv1.3.
7050 */
d0191fe0 7051 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 7052 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 7053 goto end;
7054
7055 gen_tick_called = dec_tick_called = 0;
7056
7057 clntsess = SSL_get1_session(clientssl);
7058 SSL_shutdown(clientssl);
7059 SSL_shutdown(serverssl);
7060 SSL_free(serverssl);
7061 SSL_free(clientssl);
7062 serverssl = clientssl = NULL;
7063
7064 /* Now do a resumption */
7065 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7066 NULL))
7067 || !TEST_true(SSL_set_session(clientssl, clntsess))
7068 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7069 SSL_ERROR_NONE)))
d0191fe0
MC		 7070 goto end;
7071
61fb5923
MC		 7072 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7073 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7074 if (!TEST_false(SSL_session_reused(clientssl)))
7075 goto end;
7076 } else {
7077 if (!TEST_true(SSL_session_reused(clientssl)))
7078 goto end;
7079 }
7080
d0191fe0 7081 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7082 (tick_key_renew
7083 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7084 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7085 ? 1 : 0)
d0191fe0
MC		 7086 || !TEST_int_eq(dec_tick_called, 1))
7087 goto end;
7088
7089 testresult = 1;
7090
7091 end:
7092 SSL_SESSION_free(clntsess);
7093 SSL_free(serverssl);
7094 SSL_free(clientssl);
7095 SSL_CTX_free(sctx);
7096 SSL_CTX_free(cctx);
7097
7098 return testresult;
7099}
7100
e638112e
DB		 7101/*
7102 * Test incorrect shutdown.
7103 * Test 0: client does not shutdown properly,
7104 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7105 * server should get SSL_ERROR_SSL
7106 * Test 1: client does not shutdown properly,
7107 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7108 * server should get SSL_ERROR_ZERO_RETURN
7109 */
7110static int test_incorrect_shutdown(int tst)
7111{
7112 SSL_CTX *cctx = NULL, *sctx = NULL;
7113 SSL *clientssl = NULL, *serverssl = NULL;
7114 int testresult = 0;
7115 char buf[80];
7116 BIO *c2s;
7117
7118 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7119 TLS_client_method(), 0, 0,
7120 &sctx, &cctx, cert, privkey)))
7121 goto end;
7122
7123 if (tst == 1)
7124 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7125
7126 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7127 NULL, NULL)))
7128 goto end;
7129
7130 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7131 SSL_ERROR_NONE)))
7132 goto end;
7133
7134 c2s = SSL_get_rbio(serverssl);
7135 BIO_set_mem_eof_return(c2s, 0);
7136
7137 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7138 goto end;
7139
7140 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7141 goto end;
7142 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7143 goto end;
7144
7145 testresult = 1;
7146
7147 end:
7148 SSL_free(serverssl);
7149 SSL_free(clientssl);
7150 SSL_CTX_free(sctx);
7151 SSL_CTX_free(cctx);
7152
7153 return testresult;
7154}
7155
c748834f
MC		 7156/*
7157 * Test bi-directional shutdown.
7158 * Test 0: TLSv1.2
7159 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7160 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7161 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7162 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7163 * sends key update, client reads it
57d7b988
MC		 7164 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7165 * sends CertificateRequest, client reads and ignores it
7166 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7167 * doesn't read it
7168 */
7169static int test_shutdown(int tst)
7170{
7171 SSL_CTX *cctx = NULL, *sctx = NULL;
7172 SSL *clientssl = NULL, *serverssl = NULL;
7173 int testresult = 0;
7174 char msg[] = "A test message";
7175 char buf[80];
7176 size_t written, readbytes;
80eff008 7177 SSL_SESSION *sess;
c748834f
MC		 7178
7179#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7180 if (tst <= 1)
c748834f
MC		 7181 return 1;
7182#endif
7183#ifdef OPENSSL_NO_TLS1_3
a97d19f7 7184 if (tst >= 2)
c748834f
MC		 7185 return 1;
7186#endif
7187
5e30f2fd 7188 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7189 TLS_client_method(),
7190 TLS1_VERSION,
7191 (tst <= 1) ? TLS1_2_VERSION
7192 : TLS1_3_VERSION,
57d7b988
MC		 7193 &sctx, &cctx, cert, privkey)))
7194 goto end;
7195
7196 if (tst == 5)
7197 SSL_CTX_set_post_handshake_auth(cctx, 1);
7198
7199 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7200 NULL, NULL)))
7201 goto end;
7202
7203 if (tst == 3) {
7204 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7205 SSL_ERROR_NONE, 1))
80eff008
KR		 7206 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7207 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7208 goto end;
7209 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7210 SSL_ERROR_NONE))
7211 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7212 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7213 goto end;
7214 }
7215
7216 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7217 goto end;
7218
7219 if (tst >= 4) {
7220 /*
7221 * Reading on the server after the client has sent close_notify should
7222 * fail and provide SSL_ERROR_ZERO_RETURN
7223 */
7224 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7225 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7226 SSL_ERROR_ZERO_RETURN)
7227 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7228 SSL_RECEIVED_SHUTDOWN)
7229 /*
7230 * Even though we're shutdown on receive we should still be
7231 * able to write.
7232 */
80eff008
KR		 7233 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7234 goto end;
57d7b988
MC		 7235 if (tst == 4
7236 && !TEST_true(SSL_key_update(serverssl,
7237 SSL_KEY_UPDATE_REQUESTED)))
7238 goto end;
7239 if (tst == 5) {
7240 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7241 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7242 goto end;
7243 }
7244 if ((tst == 4 || tst == 5)
7245 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7246 goto end;
7247 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7248 goto end;
57d7b988 7249 if (tst == 4 || tst == 5) {
80eff008 7250 /* Should still be able to read data from server */
c748834f 7251 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7252 &readbytes))
7253 || !TEST_size_t_eq(readbytes, sizeof(msg))
7254 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7255 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7256 &readbytes))
c748834f
MC		 7257 || !TEST_size_t_eq(readbytes, sizeof(msg))
7258 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7259 goto end;
7260 }
7261 }
7262
7263 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7264 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7265 goto end;
7266
7267 if (tst < 4) {
7268 /*
7269 * For these tests the client has sent close_notify but it has not yet
7270 * been received by the server. The server has not sent close_notify
7271 * yet.
7272 */
7273 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7274 /*
7275 * Writing on the server after sending close_notify shouldn't
7276 * be possible.
7277 */
7278 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7279 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7280 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7281 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7282 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7283 goto end;
57d7b988 7284 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7285 /*
7286 * In this test the client has sent close_notify and it has been
7287 * received by the server which has responded with a close_notify. The
358ffa05 7288 * client needs to read the close_notify sent by the server.
c748834f 7289 */
80eff008
KR		 7290 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7291 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7292 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7293 goto end;
358ffa05
MC		 7294 } else {
7295 /*
57d7b988 7296 * tst == 6
358ffa05
MC		 7297 *
7298 * The client has sent close_notify and is expecting a close_notify
7299 * back, but instead there is application data first. The shutdown
7300 * should fail with a fatal error.
7301 */
7302 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7303 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7304 goto end;
c748834f
MC		 7305 }
7306
7307 testresult = 1;
7308
7309 end:
7310 SSL_free(serverssl);
7311 SSL_free(clientssl);
7312 SSL_CTX_free(sctx);
7313 SSL_CTX_free(cctx);
7314
7315 return testresult;
7316}
7317
7f1d923a 7318#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 7319static int cert_cb_cnt;
7320
7321static int cert_cb(SSL *s, void *arg)
7322{
7323 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7324 BIO *in = NULL;
7325 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7326 X509 *x509 = NULL, *rootx = NULL;
7327 STACK_OF(X509) *chain = NULL;
7328 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7329 int ret = 0;
cd6fe29f
MC		 7330
7331 if (cert_cb_cnt == 0) {
7332 /* Suspend the handshake */
7333 cert_cb_cnt++;
7334 return -1;
7335 } else if (cert_cb_cnt == 1) {
7336 /*
7337 * Update the SSL_CTX, set the certificate and private key and then
7338 * continue the handshake normally.
7339 */
7340 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7341 return 0;
7342
7343 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7344 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7345 SSL_FILETYPE_PEM))
7346 || !TEST_true(SSL_check_private_key(s)))
7347 return 0;
7348 cert_cb_cnt++;
7349 return 1;
7cb8fb07
BK		 7350 } else if (cert_cb_cnt == 3) {
7351 int rv;
1a2a3a42
MC		 7352
7353 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7354 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7355 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7356 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7357 goto out;
7358 chain = sk_X509_new_null();
7359 if (!TEST_ptr(chain))
7360 goto out;
7cb8fb07 7361 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42
MC		 7362 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7363 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
7364 || !TEST_true(sk_X509_push(chain, rootx)))
7365 goto out;
7366 rootx = NULL;
7367 BIO_free(in);
7368 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7369 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7cb8fb07
BK		 7370 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
7371 goto out;
7372 BIO_free(in);
7373 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7374 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7cb8fb07
BK		 7375 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
7376 goto out;
1a2a3a42 7377 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 7378 /*
7379 * If the cert doesn't show as valid here (e.g., because we don't
7380 * have any shared sigalgs), then we will not set it, and there will
7381 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7382 * will cause tls_choose_sigalgs() to fail the connection.
7383 */
1a2a3a42
MC		 7384 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7385 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 7386 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7387 goto out;
7388 }
1a2a3a42
MC		 7389
7390 ret = 1;
cd6fe29f
MC		 7391 }
7392
7393 /* Abort the handshake */
7cb8fb07 7394 out:
1a2a3a42
MC		 7395 OPENSSL_free(ecdsacert);
7396 OPENSSL_free(ecdsakey);
7397 OPENSSL_free(rootfile);
7cb8fb07
BK		 7398 BIO_free(in);
7399 EVP_PKEY_free(pkey);
7400 X509_free(x509);
1a2a3a42
MC		 7401 X509_free(rootx);
7402 sk_X509_pop_free(chain, X509_free);
7403 return ret;
cd6fe29f
MC		 7404}
7405
7406/*
7407 * Test the certificate callback.
7408 * Test 0: Callback fails
7409 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7410 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 7411 * Test 3: Success - Call SSL_check_chain from the callback
7412 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7413 * chain
7414 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 7415 */
7416static int test_cert_cb_int(int prot, int tst)
7417{
7418 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7419 SSL *clientssl = NULL, *serverssl = NULL;
7420 int testresult = 0, ret;
7421
1a2a3a42
MC		 7422#ifdef OPENSSL_NO_EC
7423 /* We use an EC cert in these tests, so we skip in a no-ec build */
7424 if (tst >= 3)
7425 return 1;
7426#endif
7427
5e30f2fd 7428 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 7429 TLS_client_method(),
7430 TLS1_VERSION,
7431 prot,
7432 &sctx, &cctx, NULL, NULL)))
7433 goto end;
7434
7435 if (tst == 0)
7436 cert_cb_cnt = -1;
1a2a3a42 7437 else if (tst >= 3)
7cb8fb07 7438 cert_cb_cnt = 3;
cd6fe29f
MC		 7439 else
7440 cert_cb_cnt = 0;
1a2a3a42 7441
cd6fe29f
MC		 7442 if (tst == 2)
7443 snictx = SSL_CTX_new(TLS_server_method());
7444 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7445
7446 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7447 NULL, NULL)))
7448 goto end;
7449
1a2a3a42
MC		 7450 if (tst == 4) {
7451 /*
7452 * We cause SSL_check_chain() to fail by specifying sig_algs that
7453 * the chain doesn't meet (the root uses an RSA cert)
7454 */
7455 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7456 "ecdsa_secp256r1_sha256")))
7457 goto end;
7458 } else if (tst == 5) {
7459 /*
7460 * We cause SSL_check_chain() to fail by specifying sig_algs that
7461 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7462 */
7463 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7464 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7465 goto end;
7466 }
7467
cd6fe29f 7468 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 7469 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 7470 || (tst > 0
7471 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 7472 goto end;
7473 }
7474
7475 testresult = 1;
7476
7477 end:
7478 SSL_free(serverssl);
7479 SSL_free(clientssl);
7480 SSL_CTX_free(sctx);
7481 SSL_CTX_free(cctx);
7482 SSL_CTX_free(snictx);
7483
7484 return testresult;
7485}
7f1d923a 7486#endif
cd6fe29f
MC		 7487
7488static int test_cert_cb(int tst)
7489{
7490 int testresult = 1;
7491
7492#ifndef OPENSSL_NO_TLS1_2
7493 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7494#endif
7f1d923a 7495#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 7496 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7497#endif
7498
7499 return testresult;
7500}
7501
6e46c065
MC		 7502static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7503{
7504 X509 *xcert, *peer;
7505 EVP_PKEY *privpkey;
7506 BIO *in = NULL;
7507
7508 /* Check that SSL_get_peer_certificate() returns something sensible */
7509 peer = SSL_get_peer_certificate(ssl);
7510 if (!TEST_ptr(peer))
7511 return 0;
7512 X509_free(peer);
7513
7514 in = BIO_new_file(cert, "r");
7515 if (!TEST_ptr(in))
7516 return 0;
7517
7518 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
7519 BIO_free(in);
7520 if (!TEST_ptr(xcert))
7521 return 0;
7522
7523 in = BIO_new_file(privkey, "r");
7524 if (!TEST_ptr(in)) {
7525 X509_free(xcert);
7526 return 0;
7527 }
7528
7529 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
7530 BIO_free(in);
7531 if (!TEST_ptr(privpkey)) {
7532 X509_free(xcert);
7533 return 0;
7534 }
7535
7536 *x509 = xcert;
7537 *pkey = privpkey;
7538
7539 return 1;
7540}
7541
7542static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7543{
7544 return 1;
7545}
7546
7547static int test_client_cert_cb(int tst)
7548{
7549 SSL_CTX *cctx = NULL, *sctx = NULL;
7550 SSL *clientssl = NULL, *serverssl = NULL;
7551 int testresult = 0;
7552
7553#ifdef OPENSSL_NO_TLS1_2
7554 if (tst == 0)
7555 return 1;
7556#endif
7557#ifdef OPENSSL_NO_TLS1_3
7558 if (tst == 1)
7559 return 1;
7560#endif
7561
5e30f2fd 7562 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 7563 TLS_client_method(),
7564 TLS1_VERSION,
7565 tst == 0 ? TLS1_2_VERSION
7566 : TLS1_3_VERSION,
7567 &sctx, &cctx, cert, privkey)))
7568 goto end;
7569
7570 /*
7571 * Test that setting a client_cert_cb results in a client certificate being
7572 * sent.
7573 */
7574 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7575 SSL_CTX_set_verify(sctx,
7576 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7577 verify_cb);
fb8c8359
MC		 7578
7579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7580 NULL, NULL))
7581 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7582 SSL_ERROR_NONE)))
7583 goto end;
7584
7585 testresult = 1;
7586
7587 end:
7588 SSL_free(serverssl);
7589 SSL_free(clientssl);
7590 SSL_CTX_free(sctx);
7591 SSL_CTX_free(cctx);
7592
7593 return testresult;
7594}
7595
7596#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7597/*
7598 * Test setting certificate authorities on both client and server.
7599 *
7600 * Test 0: SSL_CTX_set0_CA_list() only
7601 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7602 * Test 2: Only SSL_CTX_set_client_CA_list()
7603 */
7604static int test_ca_names_int(int prot, int tst)
7605{
7606 SSL_CTX *cctx = NULL, *sctx = NULL;
7607 SSL *clientssl = NULL, *serverssl = NULL;
7608 int testresult = 0;
7609 size_t i;
7610 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7611 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7612 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7613 const STACK_OF(X509_NAME) *sktmp = NULL;
7614
7615 for (i = 0; i < OSSL_NELEM(name); i++) {
7616 name[i] = X509_NAME_new();
7617 if (!TEST_ptr(name[i])
7618 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7619 MBSTRING_ASC,
7620 (unsigned char *)
7621 strnames[i],
7622 -1, -1, 0)))
7623 goto end;
7624 }
7625
5e30f2fd 7626 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 7627 TLS_client_method(),
7628 TLS1_VERSION,
7629 prot,
7630 &sctx, &cctx, cert, privkey)))
7631 goto end;
7632
7633 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7634
7635 if (tst == 0 || tst == 1) {
7636 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7637 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7638 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7639 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7640 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7641 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7642 goto end;
7643
7644 SSL_CTX_set0_CA_list(sctx, sk1);
7645 SSL_CTX_set0_CA_list(cctx, sk2);
7646 sk1 = sk2 = NULL;
7647 }
7648 if (tst == 1 || tst == 2) {
7649 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7650 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7651 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7652 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7653 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7654 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7655 goto end;
7656
7657 SSL_CTX_set_client_CA_list(sctx, sk1);
7658 SSL_CTX_set_client_CA_list(cctx, sk2);
7659 sk1 = sk2 = NULL;
7660 }
7661
6e46c065
MC		 7662 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7663 NULL, NULL))
7664 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7665 SSL_ERROR_NONE)))
7666 goto end;
7667
fb8c8359
MC		 7668 /*
7669 * We only expect certificate authorities to have been sent to the server
7670 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7671 */
7672 sktmp = SSL_get0_peer_CA_list(serverssl);
7673 if (prot == TLS1_3_VERSION
7674 && (tst == 0 || tst == 1)) {
7675 if (!TEST_ptr(sktmp)
7676 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7677 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7678 name[0]), 0)
7679 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7680 name[1]), 0))
7681 goto end;
7682 } else if (!TEST_ptr_null(sktmp)) {
7683 goto end;
7684 }
7685
7686 /*
7687 * In all tests we expect certificate authorities to have been sent to the
7688 * client. However, SSL_set_client_CA_list() should override
7689 * SSL_set0_CA_list()
7690 */
7691 sktmp = SSL_get0_peer_CA_list(clientssl);
7692 if (!TEST_ptr(sktmp)
7693 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7694 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7695 name[tst == 0 ? 0 : 2]), 0)
7696 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7697 name[tst == 0 ? 1 : 3]), 0))
7698 goto end;
7699
6e46c065
MC		 7700 testresult = 1;
7701
7702 end:
7703 SSL_free(serverssl);
7704 SSL_free(clientssl);
7705 SSL_CTX_free(sctx);
7706 SSL_CTX_free(cctx);
fb8c8359
MC		 7707 for (i = 0; i < OSSL_NELEM(name); i++)
7708 X509_NAME_free(name[i]);
7709 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7710 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7711
7712 return testresult;
7713}
7714#endif
7715
7716static int test_ca_names(int tst)
7717{
7718 int testresult = 1;
7719
7720#ifndef OPENSSL_NO_TLS1_2
7721 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7722#endif
7723#ifndef OPENSSL_NO_TLS1_3
7724 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7725#endif
6e46c065
MC		 7726
7727 return testresult;
7728}
7729
0d2bfe52
SL		 7730#ifndef OPENSSL_NO_TLS1_2
7731static const char *multiblock_cipherlist_data[]=
7732{
7733 "AES128-SHA",
7734 "AES128-SHA256",
7735 "AES256-SHA",
7736 "AES256-SHA256",
7737};
7738
7739/* Reduce the fragment size - so the multiblock test buffer can be small */
7740# define MULTIBLOCK_FRAGSIZE 512
7741
7742static int test_multiblock_write(int test_index)
7743{
7744 static const char *fetchable_ciphers[]=
7745 {
7746 "AES-128-CBC-HMAC-SHA1",
7747 "AES-128-CBC-HMAC-SHA256",
7748 "AES-256-CBC-HMAC-SHA1",
7749 "AES-256-CBC-HMAC-SHA256"
7750 };
7751 const char *cipherlist = multiblock_cipherlist_data[test_index];
7752 const SSL_METHOD *smeth = TLS_server_method();
7753 const SSL_METHOD *cmeth = TLS_client_method();
7754 int min_version = TLS1_VERSION;
7755 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7756 SSL_CTX *cctx = NULL, *sctx = NULL;
7757 SSL *clientssl = NULL, *serverssl = NULL;
7758 int testresult = 0;
7759
7760 /*
7761 * Choose a buffer large enough to perform a multi-block operation
7762 * i.e: write_len >= 4 * frag_size
7763 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7764 */
7765 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7766 unsigned char buf[sizeof(msg)], *p = buf;
7767 size_t readbytes, written, len;
7768 EVP_CIPHER *ciph = NULL;
7769
7770 /*
7771 * Check if the cipher exists before attempting to use it since it only has
7772 * a hardware specific implementation.
7773 */
7774 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7775 if (ciph == NULL) {
7776 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7777 return 1;
7778 }
7779 EVP_CIPHER_free(ciph);
7780
7781 /* Set up a buffer with some data that will be sent to the client */
7782 RAND_bytes(msg, sizeof(msg));
7783
5e30f2fd
MC		 7784 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7785 max_version, &sctx, &cctx, cert,
7786 privkey)))
0d2bfe52
SL		 7787 goto end;
7788
7789 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7790 goto end;
7791
7792 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7793 NULL, NULL)))
7794 goto end;
7795
7796 /* settings to force it to use AES-CBC-HMAC_SHA */
7797 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7798 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7799 goto end;
7800
7801 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7802 goto end;
7803
7804 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7805 || !TEST_size_t_eq(written, sizeof(msg)))
7806 goto end;
7807
7808 len = written;
7809 while (len > 0) {
7810 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7811 goto end;
7812 p += readbytes;
7813 len -= readbytes;
7814 }
7815 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7816 goto end;
7817
7818 testresult = 1;
7819end:
7820 SSL_free(serverssl);
7821 SSL_free(clientssl);
7822 SSL_CTX_free(sctx);
7823 SSL_CTX_free(cctx);
7824
7825 return testresult;
7826}
7827#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 7828
49ef3d07
MC		 7829/*
7830 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7831 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7832 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7833 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7834 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7835 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7836 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7837 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7838 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7839 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7840 */
7841static int test_servername(int tst)
7842{
7843 SSL_CTX *cctx = NULL, *sctx = NULL;
7844 SSL *clientssl = NULL, *serverssl = NULL;
7845 int testresult = 0;
7846 SSL_SESSION *sess = NULL;
7847 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7848
7849#ifdef OPENSSL_NO_TLS1_2
7850 if (tst <= 4)
7851 return 1;
7852#endif
7853#ifdef OPENSSL_NO_TLS1_3
7854 if (tst >= 5)
7855 return 1;
7856#endif
7857
5e30f2fd 7858 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 7859 TLS_client_method(),
7860 TLS1_VERSION,
7861 (tst <= 4) ? TLS1_2_VERSION
7862 : TLS1_3_VERSION,
7863 &sctx, &cctx, cert, privkey))
7864 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7865 NULL, NULL)))
7866 goto end;
7867
7868 if (tst != 1 && tst != 6) {
7869 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7870 hostname_cb)))
7871 goto end;
7872 }
7873
7874 if (tst != 3 && tst != 8) {
7875 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7876 goto end;
7877 sexpectedhost = cexpectedhost = "goodhost";
7878 }
7879
7880 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7881 goto end;
7882
7883 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7884 cexpectedhost)
7885 || !TEST_str_eq(SSL_get_servername(serverssl,
7886 TLSEXT_NAMETYPE_host_name),
7887 sexpectedhost))
7888 goto end;
7889
7890 /* Now repeat with a resumption handshake */
7891
7892 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7893 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7894 || !TEST_true(SSL_SESSION_is_resumable(sess))
7895 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7896 goto end;
7897
7898 SSL_free(clientssl);
7899 SSL_free(serverssl);
7900 clientssl = serverssl = NULL;
7901
7902 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7903 NULL)))
7904 goto end;
7905
7906 if (!TEST_true(SSL_set_session(clientssl, sess)))
7907 goto end;
7908
7909 sexpectedhost = cexpectedhost = "goodhost";
7910 if (tst == 2 || tst == 7) {
7911 /* Set an inconsistent hostname */
7912 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7913 goto end;
7914 /*
7915 * In TLSv1.2 we expect the hostname from the original handshake, in
7916 * TLSv1.3 we expect the hostname from this handshake
7917 */
7918 if (tst == 7)
7919 sexpectedhost = cexpectedhost = "altgoodhost";
7920
7921 if (!TEST_str_eq(SSL_get_servername(clientssl,
7922 TLSEXT_NAMETYPE_host_name),
7923 "altgoodhost"))
7924 goto end;
7925 } else if (tst == 4 || tst == 9) {
7926 /*
7927 * A TLSv1.3 session does not associate a session with a servername,
7928 * but a TLSv1.2 session does.
7929 */
7930 if (tst == 9)
7931 sexpectedhost = cexpectedhost = NULL;
7932
7933 if (!TEST_str_eq(SSL_get_servername(clientssl,
7934 TLSEXT_NAMETYPE_host_name),
7935 cexpectedhost))
7936 goto end;
7937 } else {
7938 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7939 goto end;
7940 /*
7941 * In a TLSv1.2 resumption where the hostname was not acknowledged
7942 * we expect the hostname on the server to be empty. On the client we
7943 * return what was requested in this case.
7944 *
7945 * Similarly if the client didn't set a hostname on an original TLSv1.2
7946 * session but is now, the server hostname will be empty, but the client
7947 * is as we set it.
7948 */
7949 if (tst == 1 || tst == 3)
7950 sexpectedhost = NULL;
7951
7952 if (!TEST_str_eq(SSL_get_servername(clientssl,
7953 TLSEXT_NAMETYPE_host_name),
7954 "goodhost"))
7955 goto end;
7956 }
7957
7958 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7959 goto end;
7960
7961 if (!TEST_true(SSL_session_reused(clientssl))
7962 || !TEST_true(SSL_session_reused(serverssl))
7963 || !TEST_str_eq(SSL_get_servername(clientssl,
7964 TLSEXT_NAMETYPE_host_name),
7965 cexpectedhost)
7966 || !TEST_str_eq(SSL_get_servername(serverssl,
7967 TLSEXT_NAMETYPE_host_name),
7968 sexpectedhost))
7969 goto end;
7970
7971 testresult = 1;
7972
7973 end:
7974 SSL_SESSION_free(sess);
7975 SSL_free(serverssl);
7976 SSL_free(clientssl);
7977 SSL_CTX_free(sctx);
7978 SSL_CTX_free(cctx);
7979
7980 return testresult;
7981}
7982
b3842539
MC		 7983#ifndef OPENSSL_NO_EC
7984/*
7985 * Test that if signature algorithms are not available, then we do not offer or
7986 * accept them.
7987 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7988 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7989 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7990 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7991 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7992 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7993 */
7994static int test_sigalgs_available(int idx)
7995{
7996 SSL_CTX *cctx = NULL, *sctx = NULL;
7997 SSL *clientssl = NULL, *serverssl = NULL;
7998 int testresult = 0;
7999 OPENSSL_CTX *tmpctx = OPENSSL_CTX_new();
8000 OPENSSL_CTX *clientctx = libctx, *serverctx = libctx;
8001 OSSL_PROVIDER *filterprov = NULL;
8002 int sig, hash;
8003
8004 if (!TEST_ptr(tmpctx))
8005 goto end;
8006
8007 if (idx != 0 && idx != 3) {
8008 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8009 filter_provider_init)))
8010 goto end;
8011
8012 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8013 if (!TEST_ptr(filterprov))
8014 goto end;
8015
8016 if (idx < 3) {
8017 /*
8018 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8019 * or accepted for the peer that uses this libctx. Note that libssl
8020 * *requires* SHA2-256 to be available so we cannot disable that. We
8021 * also need SHA1 for our certificate.
8022 */
8023 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8024 "SHA2-256:SHA1")))
8025 goto end;
8026 } else {
8027 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8028 "ECDSA"))
8029 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8030 "EC:X25519:X448")))
8031 goto end;
8032 }
8033
8034 if (idx == 1 || idx == 4)
8035 clientctx = tmpctx;
8036 else
8037 serverctx = tmpctx;
8038 }
8039
8040 cctx = SSL_CTX_new_with_libctx(clientctx, NULL, TLS_client_method());
8041 sctx = SSL_CTX_new_with_libctx(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 8042 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8043 goto end;
b3842539
MC		 8044
8045 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8046 TLS_client_method(),
8047 TLS1_VERSION,
8048 0,
8049 &sctx, &cctx, cert, privkey)))
8050 goto end;
8051
8052 if (idx < 3) {
8053 if (!SSL_CTX_set1_sigalgs_list(cctx,
8054 "rsa_pss_rsae_sha384"
8055 ":rsa_pss_rsae_sha256")
8056 || !SSL_CTX_set1_sigalgs_list(sctx,
8057 "rsa_pss_rsae_sha384"
8058 ":rsa_pss_rsae_sha256"))
8059 goto end;
8060 } else {
8061 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8062 || !SSL_CTX_set1_sigalgs_list(sctx,
8063 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8064 goto end;
8065 }
8066
8067 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8068 SSL_FILETYPE_PEM), 1)
8069 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8070 privkey2,
8071 SSL_FILETYPE_PEM), 1)
8072 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
8073 goto end;
8074
8075 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8076 NULL, NULL)))
8077 goto end;
8078
8079 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8080 goto end;
8081
8082 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8083 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8084 NULL, NULL),
8085 (idx == 0 || idx == 3) ? 2 : 1))
8086 goto end;
8087
8088 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8089 goto end;
8090
8091 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8092 : NID_rsassaPss))
8093 goto end;
8094
8095 testresult = 1;
8096
8097 end:
8098 SSL_free(serverssl);
8099 SSL_free(clientssl);
8100 SSL_CTX_free(sctx);
8101 SSL_CTX_free(cctx);
8102 OSSL_PROVIDER_unload(filterprov);
8103 OPENSSL_CTX_free(tmpctx);
8104
8105 return testresult;
8106}
8107#endif /* OPENSSL_NO_EC */
8108
8109
5e30f2fd 8110OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 8111
ad887416 8112int setup_tests(void)
2cb4b5f6 8113{
5e30f2fd
MC		 8114 char *modulename;
8115 char *configfile;
8116
8117 libctx = OPENSSL_CTX_new();
8118 if (!TEST_ptr(libctx))
8119 return 0;
8120
8121 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8122
8123 /*
8124 * Verify that the default and fips providers in the default libctx are not
8125 * available
8126 */
8127 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8128 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8129 return 0;
8130
8d242823
MC		 8131 if (!test_skip_common_options()) {
8132 TEST_error("Error parsing test options\n");
8133 return 0;
8134 }
8135
1a2a3a42
MC		 8136 if (!TEST_ptr(certsdir = test_get_argument(0))
8137 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 8138 || !TEST_ptr(tmpfilename = test_get_argument(2))
8139 || !TEST_ptr(modulename = test_get_argument(3))
8140 || !TEST_ptr(configfile = test_get_argument(4)))
8141 return 0;
8142
8143 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
8144 return 0;
8145
8146 /* Check we have the expected provider available */
8147 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8148 return 0;
8149
8150 /* Check the default provider is not available */
8151 if (strcmp(modulename, "default") != 0
8152 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 8153 return 0;
2cb4b5f6 8154
4f6c7044
MC		 8155 if (strcmp(modulename, "fips") == 0)
8156 is_fips = 1;
8157
f297e4ec
RS		 8158 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8159#ifdef OPENSSL_NO_CRYPTO_MDEBUG
8160 TEST_error("not supported in this build");
8161 return 0;
8162#else
8163 int i, mcount, rcount, fcount;
8164
8165 for (i = 0; i < 4; i++)
8166 test_export_key_mat(i);
8167 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8168 test_printf_stdout("malloc %d realloc %d free %d\n",
8169 mcount, rcount, fcount);
8170 return 1;
8171#endif
8172 }
8173
1a2a3a42
MC		 8174 cert = test_mk_file_path(certsdir, "servercert.pem");
8175 if (cert == NULL)
b3842539 8176 goto err;
1a2a3a42
MC		 8177
8178 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 8179 if (privkey == NULL)
8180 goto err;
8181
8182 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8183 if (cert2 == NULL)
8184 goto err;
8185
8186 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8187 if (privkey2 == NULL)
8188 goto err;
1a2a3a42 8189
da4db160
VF		 8190#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8191#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
8192 ADD_ALL_TESTS(test_ktls, 32);
8193 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
8194#endif
fe5d9450 8195#endif
84d5549e 8196 ADD_TEST(test_large_message_tls);
7856332e 8197 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 8198#ifndef OPENSSL_NO_DTLS
84d5549e 8199 ADD_TEST(test_large_message_dtls);
55386bef 8200#endif
8f8c11d8 8201#ifndef OPENSSL_NO_OCSP
c887104f 8202 ADD_TEST(test_tlsext_status_type);
8f8c11d8 8203#endif
eaa776da
MC		 8204 ADD_TEST(test_session_with_only_int_cache);
8205 ADD_TEST(test_session_with_only_ext_cache);
8206 ADD_TEST(test_session_with_both_cache);
90fc2c26 8207 ADD_TEST(test_session_wo_ca_names);
36ff232c 8208#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 8209 ADD_ALL_TESTS(test_stateful_tickets, 3);
8210 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 8211 ADD_TEST(test_psk_tickets);
f0049b86 8212 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 8213#endif
7fb4c820 8214 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 8215 ADD_TEST(test_ssl_bio_pop_next_bio);
8216 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8217 ADD_TEST(test_ssl_bio_change_rbio);
8218 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 8219#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 8220 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 8221 ADD_TEST(test_keylog);
c423ecaa 8222#endif
6acdd3e5
CB		 8223#ifndef OPENSSL_NO_TLS1_3
8224 ADD_TEST(test_keylog_no_master_key);
8225#endif
e9ee6536 8226#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 8227 ADD_TEST(test_client_hello_cb);
088dfa13 8228 ADD_TEST(test_no_ems);
3cd14e5e 8229 ADD_TEST(test_ccs_change_cipher);
5f982038
MC		 8230#endif
8231#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 8232 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 8233 /*
8234 * We don't do replay tests for external PSK. Replay protection isn't used
8235 * in that scenario.
8236 */
8237 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 8238 ADD_ALL_TESTS(test_early_data_skip, 3);
8239 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 8240 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 8241 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 8242 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 8243 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 8244 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 8245 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 8246# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 8247 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 8248# endif
e9ee6536 8249#endif
a273157a 8250#ifndef OPENSSL_NO_TLS1_3
034cb87b 8251 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 8252 ADD_TEST(test_ciphersuite_change);
5bf2eade 8253 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8254# ifdef OPENSSL_NO_PSK
c2b290c3 8255 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 8256# else
0d8da779 8257 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 8258# endif /* OPENSSL_NO_PSK */
8259# ifndef OPENSSL_NO_TLS1_2
8260 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 8261 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 8262# else
8263 /* Test with only TLSv1.3 versions */
8264 ADD_ALL_TESTS(test_key_exchange, 12);
8265# endif
bb01ef3f 8266 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 8267 ADD_TEST(test_stateless);
9d75dce3 8268 ADD_TEST(test_pha_key_update);
a273157a 8269#else
bb01ef3f 8270 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 8271#endif
16afd71c 8272 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 8273 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 8274#ifndef OPENSSL_NO_TLS1_3
8275 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 8276 ADD_TEST(test_key_update);
a77b4dba 8277 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 8278#endif
e11b6aa4 8279 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 8280 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 8281#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8282 ADD_ALL_TESTS(test_srp, 6);
8283#endif
5718fe45 8284 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 8285 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 8286 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 8287 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 8288 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 8289 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 8290 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 8291 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 8292 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 8293#ifndef OPENSSL_NO_TLS1_2
8294 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8295#endif
49ef3d07 8296 ADD_ALL_TESTS(test_servername, 10);
b3842539
MC		 8297#ifndef OPENSSL_NO_EC
8298 ADD_ALL_TESTS(test_sigalgs_available, 6);
8299#endif
ad887416 8300 return 1;
b3842539
MC		 8301
8302 err:
8303 OPENSSL_free(cert);
8304 OPENSSL_free(privkey);
8305 OPENSSL_free(cert2);
8306 OPENSSL_free(privkey2);
8307 return 0;
ad887416 8308}
2cb4b5f6 8309
ad887416
P		 8310void cleanup_tests(void)
8311{
1a2a3a42
MC		 8312 OPENSSL_free(cert);
8313 OPENSSL_free(privkey);
b3842539
MC		 8314 OPENSSL_free(cert2);
8315 OPENSSL_free(privkey2);
fa454945 8316 bio_s_mempacket_test_free();
a77b4dba 8317 bio_s_always_retry_free();
5e30f2fd
MC		 8318 OSSL_PROVIDER_unload(defctxnull);
8319 OPENSSL_CTX_free(libctx);
2cb4b5f6 8320}
A mirror of the official openssl repository