]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Code to thread-safety in ChangeCipherState
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
2cb4b5f6
MC		 31
32#include "ssltestlib.h"
c887104f 33#include "testutil.h"
f297e4ec 34#include "testutil/output.h"
176db6dc 35#include "internal/nelem.h"
fe5d9450 36#include "internal/ktls.h"
706457b7 37#include "../ssl/ssl_local.h"
2cb4b5f6 38
8614a4eb
MC		 39#ifndef OPENSSL_NO_TLS1_3
40
41static SSL_SESSION *clientpsk = NULL;
42static SSL_SESSION *serverpsk = NULL;
43static const char *pskid = "Identity";
44static const char *srvid;
45
46static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
47 size_t *idlen, SSL_SESSION **sess);
48static int find_session_cb(SSL *ssl, const unsigned char *identity,
49 size_t identity_len, SSL_SESSION **sess);
50
51static int use_session_cb_cnt = 0;
52static int find_session_cb_cnt = 0;
53
54static SSL_SESSION *create_a_psk(SSL *ssl);
55#endif
56
1a2a3a42 57static char *certsdir = NULL;
2cb4b5f6
MC		 58static char *cert = NULL;
59static char *privkey = NULL;
76fd7a1d
MC		 60static char *srpvfile = NULL;
61static char *tmpfilename = NULL;
2cb4b5f6 62
cffe973c 63#define LOG_BUFFER_SIZE 2048
6acdd3e5 64static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 65static size_t server_log_buffer_index = 0;
6acdd3e5 66static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 67static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 68static int error_writing_log = 0;
69
8f8c11d8 70#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 71static const unsigned char orespder[] = "Dummy OCSP Response";
72static int ocsp_server_called = 0;
73static int ocsp_client_called = 0;
74
75static int cdummyarg = 1;
76static X509 *ocspcert = NULL;
8f8c11d8 77#endif
ba881d3b 78
84d5549e 79#define NUM_EXTRA_CERTS 40
cf72c757 80#define CLIENT_VERSION_LEN 2
84d5549e 81
f1a5939f
CB		 82/*
83 * This structure is used to validate that the correct number of log messages
84 * of various types are emitted when emitting secret logs.
85 */
86struct sslapitest_log_counts {
87 unsigned int rsa_key_exchange_count;
88 unsigned int master_secret_count;
cffe973c 89 unsigned int client_early_secret_count;
f1a5939f
CB		 90 unsigned int client_handshake_secret_count;
91 unsigned int server_handshake_secret_count;
92 unsigned int client_application_secret_count;
93 unsigned int server_application_secret_count;
01a2a654 94 unsigned int early_exporter_secret_count;
6329ce8f 95 unsigned int exporter_secret_count;
f1a5939f
CB		 96};
97
16afd71c
MC		 98
99static unsigned char serverinfov1[] = {
100 0xff, 0xff, /* Dummy extension type */
101 0x00, 0x01, /* Extension length is 1 byte */
102 0xff /* Dummy extension data */
103};
104
105static unsigned char serverinfov2[] = {
106 0x00, 0x00, 0x00,
107 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
108 0xff, 0xff, /* Dummy extension type */
109 0x00, 0x01, /* Extension length is 1 byte */
110 0xff /* Dummy extension data */
111};
112
104a733d
MC		 113static int hostname_cb(SSL *s, int *al, void *arg)
114{
115 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
116
117 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
118 || strcmp(hostname, "altgoodhost") == 0))
119 return SSL_TLSEXT_ERR_OK;
120
121 return SSL_TLSEXT_ERR_NOACK;
122}
123
710756a9
RS		 124static void client_keylog_callback(const SSL *ssl, const char *line)
125{
6acdd3e5
CB		 126 int line_length = strlen(line);
127
128 /* If the log doesn't fit, error out. */
710756a9
RS		 129 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
130 TEST_info("Client log too full");
6acdd3e5
CB		 131 error_writing_log = 1;
132 return;
133 }
134
135 strcat(client_log_buffer, line);
136 client_log_buffer_index += line_length;
710756a9 137 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 138}
139
710756a9
RS		 140static void server_keylog_callback(const SSL *ssl, const char *line)
141{
6acdd3e5
CB		 142 int line_length = strlen(line);
143
144 /* If the log doesn't fit, error out. */
710756a9 145 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 146 TEST_info("Server log too full");
6acdd3e5
CB		 147 error_writing_log = 1;
148 return;
149 }
150
151 strcat(server_log_buffer, line);
152 server_log_buffer_index += line_length;
710756a9 153 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 154}
155
156static int compare_hex_encoded_buffer(const char *hex_encoded,
157 size_t hex_length,
158 const uint8_t *raw,
710756a9
RS		 159 size_t raw_length)
160{
161 size_t i, j;
162 char hexed[3];
6acdd3e5 163
710756a9 164 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 165 return 1;
6acdd3e5 166
710756a9 167 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 168 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 169 if (!TEST_int_eq(hexed[0], hex_encoded[j])
170 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 171 return 1;
6acdd3e5
CB		 172 }
173
174 return 0;
175}
176
177static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 178 const SSL_SESSION *session,
710756a9
RS		 179 struct sslapitest_log_counts *expected)
180{
6acdd3e5
CB		 181 char *token = NULL;
182 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
183 size_t client_random_size = SSL3_RANDOM_SIZE;
184 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
185 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 186 unsigned int rsa_key_exchange_count = 0;
187 unsigned int master_secret_count = 0;
cffe973c 188 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 189 unsigned int client_handshake_secret_count = 0;
190 unsigned int server_handshake_secret_count = 0;
191 unsigned int client_application_secret_count = 0;
192 unsigned int server_application_secret_count = 0;
01a2a654 193 unsigned int early_exporter_secret_count = 0;
6329ce8f 194 unsigned int exporter_secret_count = 0;
6acdd3e5 195
710756a9
RS		 196 for (token = strtok(buffer, " \n"); token != NULL;
197 token = strtok(NULL, " \n")) {
6acdd3e5 198 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 199 /*
200 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 201 * hex-encoded encrypted secret, then the hex-encoded pre-master
202 * secret.
203 */
710756a9 204 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 205 return 0;
710756a9 206 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 207 return 0;
710756a9 208 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 209 return 0;
f1a5939f
CB		 210 /*
211 * We can't sensibly check the log because the premaster secret is
212 * transient, and OpenSSL doesn't keep hold of it once the master
213 * secret is generated.
214 */
215 rsa_key_exchange_count++;
6acdd3e5 216 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 217 /*
218 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 219 * client random, then the hex-encoded master secret.
220 */
221 client_random_size = SSL_get_client_random(ssl,
222 actual_client_random,
223 SSL3_RANDOM_SIZE);
710756a9 224 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 225 return 0;
6acdd3e5 226
710756a9 227 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 228 return 0;
710756a9 229 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 230 return 0;
710756a9
RS		 231 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
232 actual_client_random,
233 client_random_size)))
f1a5939f 234 return 0;
6acdd3e5 235
710756a9 236 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 237 return 0;
6acdd3e5
CB		 238 master_key_size = SSL_SESSION_get_master_key(session,
239 actual_master_key,
240 master_key_size);
710756a9 241 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 242 return 0;
710756a9
RS		 243 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
244 actual_master_key,
245 master_key_size)))
f1a5939f 246 return 0;
f1a5939f 247 master_secret_count++;
cffe973c
PW		 248 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
249 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 250 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
251 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 252 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 253 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 254 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 255 /*
256 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
257 * client random, and then the hex-encoded secret. In this case,
258 * we treat all of these secrets identically and then just
259 * distinguish between them when counting what we saw.
260 */
cffe973c
PW		 261 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
262 client_early_secret_count++;
263 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 264 client_handshake_secret_count++;
265 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
266 server_handshake_secret_count++;
267 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
268 client_application_secret_count++;
269 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
270 server_application_secret_count++;
01a2a654
PW		 271 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
272 early_exporter_secret_count++;
6329ce8f
PW		 273 else if (strcmp(token, "EXPORTER_SECRET") == 0)
274 exporter_secret_count++;
f1a5939f
CB		 275
276 client_random_size = SSL_get_client_random(ssl,
277 actual_client_random,
278 SSL3_RANDOM_SIZE);
710756a9 279 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 280 return 0;
f1a5939f 281
710756a9 282 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 283 return 0;
710756a9 284 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 285 return 0;
710756a9
RS		 286 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
287 actual_client_random,
288 client_random_size)))
f1a5939f 289 return 0;
6acdd3e5 290
710756a9 291 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 292 return 0;
f1a5939f
CB		 293
294 /*
295 * TODO(TLS1.3): test that application traffic secrets are what
296 * we expect */
6acdd3e5 297 } else {
710756a9 298 TEST_info("Unexpected token %s\n", token);
f1a5939f 299 return 0;
6acdd3e5 300 }
6acdd3e5
CB		 301 }
302
710756a9
RS		 303 /* Got what we expected? */
304 if (!TEST_size_t_eq(rsa_key_exchange_count,
305 expected->rsa_key_exchange_count)
306 || !TEST_size_t_eq(master_secret_count,
307 expected->master_secret_count)
cffe973c
PW		 308 || !TEST_size_t_eq(client_early_secret_count,
309 expected->client_early_secret_count)
710756a9
RS		 310 || !TEST_size_t_eq(client_handshake_secret_count,
311 expected->client_handshake_secret_count)
312 || !TEST_size_t_eq(server_handshake_secret_count,
313 expected->server_handshake_secret_count)
314 || !TEST_size_t_eq(client_application_secret_count,
315 expected->client_application_secret_count)
316 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 317 expected->server_application_secret_count)
01a2a654
PW		 318 || !TEST_size_t_eq(early_exporter_secret_count,
319 expected->early_exporter_secret_count)
6329ce8f
PW		 320 || !TEST_size_t_eq(exporter_secret_count,
321 expected->exporter_secret_count))
710756a9
RS		 322 return 0;
323 return 1;
6acdd3e5
CB		 324}
325
c423ecaa 326#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 327static int test_keylog(void)
328{
6acdd3e5
CB		 329 SSL_CTX *cctx = NULL, *sctx = NULL;
330 SSL *clientssl = NULL, *serverssl = NULL;
331 int testresult = 0;
6fc1e624 332 struct sslapitest_log_counts expected;
6acdd3e5
CB		 333
334 /* Clean up logging space */
6fc1e624 335 memset(&expected, 0, sizeof(expected));
710756a9
RS		 336 memset(client_log_buffer, 0, sizeof(client_log_buffer));
337 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 338 client_log_buffer_index = 0;
339 server_log_buffer_index = 0;
340 error_writing_log = 0;
341
710756a9
RS		 342 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
343 TLS_client_method(),
5c587fb6 344 TLS1_VERSION, 0,
710756a9 345 &sctx, &cctx, cert, privkey)))
6acdd3e5 346 return 0;
6acdd3e5
CB		 347
348 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
349 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
350 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
351
f0deb4d3 352 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 353 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 354 goto end;
f0deb4d3 355
cf10df81
RS		 356 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
357 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 358 goto end;
6acdd3e5 359 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 360 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
361 == client_keylog_callback))
6acdd3e5 362 goto end;
710756a9 363 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 364 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
365 == server_keylog_callback))
6acdd3e5 366 goto end;
6acdd3e5 367
710756a9
RS		 368 /* Now do a handshake and check that the logs have been written to. */
369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
370 &clientssl, NULL, NULL))
371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
372 SSL_ERROR_NONE))
373 || !TEST_false(error_writing_log)
374 || !TEST_int_gt(client_log_buffer_index, 0)
375 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 376 goto end;
6acdd3e5 377
f1a5939f
CB		 378 /*
379 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 380 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 381 * data we expect. For both client and server, we expect to see one master
382 * secret. The client should also see a RSA key exchange.
6acdd3e5 383 */
f1a5939f
CB		 384 expected.rsa_key_exchange_count = 1;
385 expected.master_secret_count = 1;
710756a9
RS		 386 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
387 SSL_get_session(clientssl), &expected)))
6acdd3e5 388 goto end;
f1a5939f
CB		 389
390 expected.rsa_key_exchange_count = 0;
710756a9
RS		 391 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
392 SSL_get_session(serverssl), &expected)))
6acdd3e5 393 goto end;
6acdd3e5
CB		 394
395 testresult = 1;
396
397end:
398 SSL_free(serverssl);
399 SSL_free(clientssl);
400 SSL_CTX_free(sctx);
401 SSL_CTX_free(cctx);
402
403 return testresult;
404}
c423ecaa 405#endif
6acdd3e5
CB		 406
407#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 408static int test_keylog_no_master_key(void)
409{
6acdd3e5
CB		 410 SSL_CTX *cctx = NULL, *sctx = NULL;
411 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 412 SSL_SESSION *sess = NULL;
6acdd3e5 413 int testresult = 0;
6fc1e624 414 struct sslapitest_log_counts expected;
cffe973c
PW		 415 unsigned char buf[1];
416 size_t readbytes, written;
6acdd3e5
CB		 417
418 /* Clean up logging space */
6fc1e624 419 memset(&expected, 0, sizeof(expected));
710756a9
RS		 420 memset(client_log_buffer, 0, sizeof(client_log_buffer));
421 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 422 client_log_buffer_index = 0;
423 server_log_buffer_index = 0;
424 error_writing_log = 0;
425
7d7f6834 426 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 427 TLS1_VERSION, 0,
cffe973c
PW		 428 &sctx, &cctx, cert, privkey))
429 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 430 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 431 return 0;
6acdd3e5 432
cf10df81
RS		 433 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
434 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 435 goto end;
6acdd3e5
CB		 436
437 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 438 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
439 == client_keylog_callback))
6acdd3e5 440 goto end;
6acdd3e5 441
710756a9 442 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 443 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
444 == server_keylog_callback))
6acdd3e5 445 goto end;
6acdd3e5 446
710756a9
RS		 447 /* Now do a handshake and check that the logs have been written to. */
448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
449 &clientssl, NULL, NULL))
450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
451 SSL_ERROR_NONE))
452 || !TEST_false(error_writing_log))
6acdd3e5 453 goto end;
6acdd3e5 454
f1a5939f
CB		 455 /*
456 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 457 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 458 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 459 */
f1a5939f
CB		 460 expected.client_handshake_secret_count = 1;
461 expected.server_handshake_secret_count = 1;
462 expected.client_application_secret_count = 1;
463 expected.server_application_secret_count = 1;
6329ce8f 464 expected.exporter_secret_count = 1;
710756a9
RS		 465 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
466 SSL_get_session(clientssl), &expected))
467 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
468 SSL_get_session(serverssl),
469 &expected)))
6acdd3e5 470 goto end;
6acdd3e5 471
cffe973c
PW		 472 /* Terminate old session and resume with early data. */
473 sess = SSL_get1_session(clientssl);
474 SSL_shutdown(clientssl);
475 SSL_shutdown(serverssl);
476 SSL_free(serverssl);
477 SSL_free(clientssl);
478 serverssl = clientssl = NULL;
479
480 /* Reset key log */
481 memset(client_log_buffer, 0, sizeof(client_log_buffer));
482 memset(server_log_buffer, 0, sizeof(server_log_buffer));
483 client_log_buffer_index = 0;
484 server_log_buffer_index = 0;
485
486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
487 &clientssl, NULL, NULL))
488 || !TEST_true(SSL_set_session(clientssl, sess))
489 /* Here writing 0 length early data is enough. */
490 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
491 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
492 &readbytes),
493 SSL_READ_EARLY_DATA_ERROR)
494 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
495 SSL_EARLY_DATA_ACCEPTED)
496 || !TEST_true(create_ssl_connection(serverssl, clientssl,
497 SSL_ERROR_NONE))
498 || !TEST_true(SSL_session_reused(clientssl)))
499 goto end;
500
501 /* In addition to the previous entries, expect early secrets. */
502 expected.client_early_secret_count = 1;
01a2a654 503 expected.early_exporter_secret_count = 1;
cffe973c
PW		 504 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
505 SSL_get_session(clientssl), &expected))
506 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
507 SSL_get_session(serverssl),
508 &expected)))
509 goto end;
510
6acdd3e5
CB		 511 testresult = 1;
512
513end:
cffe973c 514 SSL_SESSION_free(sess);
6acdd3e5
CB		 515 SSL_free(serverssl);
516 SSL_free(clientssl);
517 SSL_CTX_free(sctx);
518 SSL_CTX_free(cctx);
519
520 return testresult;
521}
522#endif
523
e9ee6536 524#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 525static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 526{
527 int *ctr = arg;
528 const unsigned char *p;
8ea404fb 529 int *exts;
2afaee51
BK		 530 /* We only configure two ciphers, but the SCSV is added automatically. */
531#ifdef OPENSSL_NO_EC
532 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
533#else
534 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
535 0x2c, 0x00, 0xff};
536#endif
8ea404fb
BK		 537 const int expected_extensions[] = {
538#ifndef OPENSSL_NO_EC
539 11, 10,
540#endif
10ed1b72 541 35, 22, 23, 13};
2afaee51
BK		 542 size_t len;
543
544 /* Make sure we can defer processing and get called back. */
545 if ((*ctr)++ == 0)
f1b97da1 546 return SSL_CLIENT_HELLO_RETRY;
2afaee51 547
a9c0d8be 548 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 549 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 550 || !TEST_size_t_eq(
551 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 552 || !TEST_int_eq(*p, 0))
f1b97da1 553 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 554 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 555 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 556 if (len != OSSL_NELEM(expected_extensions) ||
557 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 558 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 559 OPENSSL_free(exts);
f1b97da1 560 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 561 }
562 OPENSSL_free(exts);
f1b97da1 563 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 564}
565
a9c0d8be 566static int test_client_hello_cb(void)
710756a9 567{
2afaee51
BK		 568 SSL_CTX *cctx = NULL, *sctx = NULL;
569 SSL *clientssl = NULL, *serverssl = NULL;
570 int testctr = 0, testresult = 0;
571
7d7f6834 572 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 573 TLS1_VERSION, 0,
7d7f6834 574 &sctx, &cctx, cert, privkey)))
2afaee51 575 goto end;
a9c0d8be 576 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 577
2afaee51
BK		 578 /* The gimpy cipher list we configure can't do TLS 1.3. */
579 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 580
710756a9
RS		 581 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
582 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
583 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
584 &clientssl, NULL, NULL))
585 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 586 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 587 /*
588 * Passing a -1 literal is a hack since
589 * the real value was lost.
590 * */
a9c0d8be
DB		 591 || !TEST_int_eq(SSL_get_error(serverssl, -1),
592 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 593 || !TEST_true(create_ssl_connection(serverssl, clientssl,
594 SSL_ERROR_NONE)))
2afaee51 595 goto end;
2afaee51
BK		 596
597 testresult = 1;
598
088dfa13
TS		 599end:
600 SSL_free(serverssl);
601 SSL_free(clientssl);
602 SSL_CTX_free(sctx);
603 SSL_CTX_free(cctx);
604
605 return testresult;
606}
607
608static int test_no_ems(void)
609{
610 SSL_CTX *cctx = NULL, *sctx = NULL;
611 SSL *clientssl = NULL, *serverssl = NULL;
612 int testresult = 0;
613
614 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
615 TLS1_VERSION, TLS1_2_VERSION,
616 &sctx, &cctx, cert, privkey)) {
617 printf("Unable to create SSL_CTX pair\n");
618 goto end;
619 }
620
621 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
622
623 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
624 printf("Unable to create SSL objects\n");
625 goto end;
626 }
627
628 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
629 printf("Creating SSL connection failed\n");
630 goto end;
631 }
632
633 if (SSL_get_extms_support(serverssl)) {
634 printf("Server reports Extended Master Secret support\n");
635 goto end;
636 }
637
638 if (SSL_get_extms_support(clientssl)) {
639 printf("Client reports Extended Master Secret support\n");
640 goto end;
641 }
642 testresult = 1;
643
2afaee51
BK		 644end:
645 SSL_free(serverssl);
646 SSL_free(clientssl);
647 SSL_CTX_free(sctx);
648 SSL_CTX_free(cctx);
649
650 return testresult;
651}
e9ee6536 652#endif
2afaee51 653
84d5549e 654static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 655 const SSL_METHOD *cmeth,
656 int min_version, int max_version,
657 int read_ahead)
84d5549e
MC		 658{
659 SSL_CTX *cctx = NULL, *sctx = NULL;
660 SSL *clientssl = NULL, *serverssl = NULL;
661 int testresult = 0;
662 int i;
710756a9 663 BIO *certbio = NULL;
84d5549e
MC		 664 X509 *chaincert = NULL;
665 int certlen;
666
710756a9 667 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 668 goto end;
84d5549e 669 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 670 BIO_free(certbio);
671 certbio = NULL;
710756a9 672 if (!TEST_ptr(chaincert))
fa454945 673 goto end;
84d5549e 674
7d7f6834
RL		 675 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
676 &sctx, &cctx, cert, privkey)))
84d5549e 677 goto end;
84d5549e 678
710756a9 679 if (read_ahead) {
7856332e
MC		 680 /*
681 * Test that read_ahead works correctly when dealing with large
682 * records
683 */
684 SSL_CTX_set_read_ahead(cctx, 1);
685 }
686
84d5549e
MC		 687 /*
688 * We assume the supplied certificate is big enough so that if we add
689 * NUM_EXTRA_CERTS it will make the overall message large enough. The
690 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 691 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
692 * test we need to have a message larger than that.
84d5549e
MC		 693 */
694 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 695 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
696 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 697 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 698 if (!X509_up_ref(chaincert))
84d5549e 699 goto end;
84d5549e 700 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 701 X509_free(chaincert);
702 goto end;
703 }
704 }
705
710756a9
RS		 706 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
707 NULL, NULL))
708 || !TEST_true(create_ssl_connection(serverssl, clientssl,
709 SSL_ERROR_NONE)))
84d5549e 710 goto end;
84d5549e 711
4bf08600
MC		 712 /*
713 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 714 * doesn't leak.
4bf08600 715 */
710756a9 716 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 717 goto end;
84d5549e 718
4bf08600 719 testresult = 1;
84d5549e
MC		 720 end:
721 X509_free(chaincert);
722 SSL_free(serverssl);
723 SSL_free(clientssl);
724 SSL_CTX_free(sctx);
725 SSL_CTX_free(cctx);
726
727 return testresult;
728}
729
5e9072ed
MC		 730#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
731 && !defined(OPENSSL_NO_SOCK)
fe5d9450
BP		 732
733/* sock must be connected */
734static int ktls_chk_platform(int sock)
735{
736 if (!ktls_enable(sock))
737 return 0;
738 return 1;
739}
740
741static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
742{
743 static char count = 1;
744 unsigned char cbuf[16000] = {0};
745 unsigned char sbuf[16000];
746 size_t err = 0;
747 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
748 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
2fab79af
BP		 749 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
750 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
fe5d9450
BP		 751 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
752 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
753 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
754 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
755
756 cbuf[0] = count++;
757 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
758 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
2fab79af
BP		 759 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
760 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
fe5d9450
BP		 761 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
762 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
763 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
764 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
765
766 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
767 goto end;
768
769 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
770 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
771 goto end;
772 }
773 }
774
775 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
776 goto end;
777
778 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
779 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
780 goto end;
781 }
782 }
783
784 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
785 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
2fab79af
BP		 786 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
787 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
fe5d9450
BP		 788 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
789 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
790 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
791 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
792
793 /* verify the payload */
794 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
795 goto end;
796
797 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
798 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
799 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
800 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
801 goto end;
802 } else {
803 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
804 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
805 goto end;
806 }
807
808 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
809 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
810 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
811 goto end;
812 } else {
813 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
814 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
815 goto end;
816 }
817
2fab79af
BP		 818 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
819 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
820 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
821 goto end;
822 } else {
823 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
824 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
825 goto end;
826 }
827
828 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
829 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
830 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
831 goto end;
832 } else {
833 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
834 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
835 goto end;
836 }
fe5d9450
BP		 837
838 return 1;
839end:
840 return 0;
841}
842
2fab79af
BP		 843static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
844 int sis_ktls_tx, int sis_ktls_rx)
fe5d9450
BP		 845{
846 SSL_CTX *cctx = NULL, *sctx = NULL;
847 SSL *clientssl = NULL, *serverssl = NULL;
848 int testresult = 0;
849 int cfd, sfd;
850
851 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
852 goto end;
853
854 /* Skip this test if the platform does not support ktls */
855 if (!ktls_chk_platform(cfd))
856 return 1;
857
858 /* Create a session based on SHA-256 */
859 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
860 TLS_client_method(),
861 TLS1_2_VERSION, TLS1_2_VERSION,
862 &sctx, &cctx, cert, privkey))
863 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
864 "AES128-GCM-SHA256"))
865 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
866 &clientssl, sfd, cfd)))
867 goto end;
868
869 if (!cis_ktls_tx) {
870 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
871 goto end;
872 }
873
874 if (!sis_ktls_tx) {
875 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
876 goto end;
877 }
878
2fab79af
BP		 879 if (!cis_ktls_rx) {
880 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
881 goto end;
882 }
883
884 if (!sis_ktls_rx) {
885 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
886 goto end;
887 }
888
fe5d9450
BP		 889 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
890 SSL_ERROR_NONE)))
891 goto end;
892
893 if (!cis_ktls_tx) {
894 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
895 goto end;
896 } else {
897 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
898 goto end;
899 }
900
901 if (!sis_ktls_tx) {
902 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
903 goto end;
904 } else {
905 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
906 goto end;
907 }
908
2fab79af
BP		 909 if (!cis_ktls_rx) {
910 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
911 goto end;
912 } else {
913 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
914 goto end;
915 }
916
917 if (!sis_ktls_rx) {
918 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
919 goto end;
920 } else {
921 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
922 goto end;
923 }
924
fe5d9450
BP		 925 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
926 goto end;
927
928 testresult = 1;
929end:
930 if (clientssl) {
931 SSL_shutdown(clientssl);
932 SSL_free(clientssl);
933 }
934 if (serverssl) {
935 SSL_shutdown(serverssl);
936 SSL_free(serverssl);
937 }
938 SSL_CTX_free(sctx);
939 SSL_CTX_free(cctx);
940 serverssl = clientssl = NULL;
941 return testresult;
942}
943
7c3a7561
BP		 944#define SENDFILE_SZ (16 * 4096)
945#define SENDFILE_CHUNK (4 * 4096)
946#define min(a,b) ((a) > (b) ? (b) : (a))
947
948static int test_ktls_sendfile(void)
949{
950 SSL_CTX *cctx = NULL, *sctx = NULL;
951 SSL *clientssl = NULL, *serverssl = NULL;
952 unsigned char *buf, *buf_dst;
953 BIO *out = NULL, *in = NULL;
954 int cfd, sfd, ffd, err;
955 ssize_t chunk_size = 0;
956 off_t chunk_off = 0;
957 int testresult = 0;
958 FILE *ffdp;
959
960 buf = OPENSSL_zalloc(SENDFILE_SZ);
961 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
962 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
963 || !TEST_true(create_test_sockets(&cfd, &sfd)))
964 goto end;
965
966 /* Skip this test if the platform does not support ktls */
967 if (!ktls_chk_platform(sfd)) {
968 testresult = 1;
969 goto end;
970 }
971
972 /* Create a session based on SHA-256 */
973 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
974 TLS_client_method(),
975 TLS1_2_VERSION, TLS1_2_VERSION,
976 &sctx, &cctx, cert, privkey))
977 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
978 "AES128-GCM-SHA256"))
979 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
980 &clientssl, sfd, cfd)))
981 goto end;
982
983 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
984 SSL_ERROR_NONE))
985 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
986 goto end;
987
988 RAND_bytes(buf, SENDFILE_SZ);
989 out = BIO_new_file(tmpfilename, "wb");
990 if (!TEST_ptr(out))
991 goto end;
992
993 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
994 goto end;
995
996 BIO_free(out);
997 out = NULL;
998 in = BIO_new_file(tmpfilename, "rb");
999 BIO_get_fp(in, &ffdp);
1000 ffd = fileno(ffdp);
1001
1002 while (chunk_off < SENDFILE_SZ) {
1003 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1004 while ((err = SSL_sendfile(serverssl,
1005 ffd,
1006 chunk_off,
1007 chunk_size,
1008 0)) != chunk_size) {
1009 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1010 goto end;
1011 }
1012 while ((err = SSL_read(clientssl,
1013 buf_dst + chunk_off,
1014 chunk_size)) != chunk_size) {
1015 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1016 goto end;
1017 }
1018
1019 /* verify the payload */
1020 if (!TEST_mem_eq(buf_dst + chunk_off,
1021 chunk_size,
1022 buf + chunk_off,
1023 chunk_size))
1024 goto end;
1025
1026 chunk_off += chunk_size;
1027 }
1028
1029 testresult = 1;
1030end:
1031 if (clientssl) {
1032 SSL_shutdown(clientssl);
1033 SSL_free(clientssl);
1034 }
1035 if (serverssl) {
1036 SSL_shutdown(serverssl);
1037 SSL_free(serverssl);
1038 }
1039 SSL_CTX_free(sctx);
1040 SSL_CTX_free(cctx);
1041 serverssl = clientssl = NULL;
1042 BIO_free(out);
1043 BIO_free(in);
1044 OPENSSL_free(buf);
1045 OPENSSL_free(buf_dst);
1046 return testresult;
1047}
1048
2fab79af
BP		 1049static int test_ktls_no_txrx_client_no_txrx_server(void)
1050{
1051 return execute_test_ktls(0, 0, 0, 0);
1052}
1053
1054static int test_ktls_no_rx_client_no_txrx_server(void)
1055{
1056 return execute_test_ktls(1, 0, 0, 0);
1057}
1058
1059static int test_ktls_no_tx_client_no_txrx_server(void)
1060{
1061 return execute_test_ktls(0, 1, 0, 0);
1062}
1063
1064static int test_ktls_client_no_txrx_server(void)
1065{
1066 return execute_test_ktls(1, 1, 0, 0);
1067}
1068
1069static int test_ktls_no_txrx_client_no_rx_server(void)
1070{
1071 return execute_test_ktls(0, 0, 1, 0);
1072}
1073
1074static int test_ktls_no_rx_client_no_rx_server(void)
1075{
1076 return execute_test_ktls(1, 0, 1, 0);
1077}
1078
1079static int test_ktls_no_tx_client_no_rx_server(void)
1080{
1081 return execute_test_ktls(0, 1, 1, 0);
1082}
1083
1084static int test_ktls_client_no_rx_server(void)
fe5d9450 1085{
2fab79af 1086 return execute_test_ktls(1, 1, 1, 0);
fe5d9450
BP		 1087}
1088
2fab79af 1089static int test_ktls_no_txrx_client_no_tx_server(void)
fe5d9450 1090{
2fab79af 1091 return execute_test_ktls(0, 0, 0, 1);
fe5d9450
BP		 1092}
1093
2fab79af 1094static int test_ktls_no_rx_client_no_tx_server(void)
fe5d9450 1095{
2fab79af 1096 return execute_test_ktls(1, 0, 0, 1);
fe5d9450
BP		 1097}
1098
2fab79af
BP		 1099static int test_ktls_no_tx_client_no_tx_server(void)
1100{
1101 return execute_test_ktls(0, 1, 0, 1);
1102}
1103
1104static int test_ktls_client_no_tx_server(void)
1105{
1106 return execute_test_ktls(1, 1, 0, 1);
1107}
1108
1109static int test_ktls_no_txrx_client_server(void)
1110{
1111 return execute_test_ktls(0, 0, 1, 1);
1112}
1113
1114static int test_ktls_no_rx_client_server(void)
1115{
1116 return execute_test_ktls(1, 0, 1, 1);
1117}
1118
1119static int test_ktls_no_tx_client_server(void)
1120{
1121 return execute_test_ktls(0, 1, 1, 1);
1122}
1123
1124static int test_ktls_client_server(void)
fe5d9450 1125{
2fab79af 1126 return execute_test_ktls(1, 1, 1, 1);
fe5d9450 1127}
fe5d9450
BP		 1128#endif
1129
84d5549e
MC		 1130static int test_large_message_tls(void)
1131{
7856332e 1132 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1133 TLS1_VERSION, 0, 0);
7856332e
MC		 1134}
1135
1136static int test_large_message_tls_read_ahead(void)
1137{
1138 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1139 TLS1_VERSION, 0, 1);
84d5549e
MC		 1140}
1141
55386bef 1142#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1143static int test_large_message_dtls(void)
1144{
7856332e
MC		 1145 /*
1146 * read_ahead is not relevant to DTLS because DTLS always acts as if
1147 * read_ahead is set.
1148 */
84d5549e 1149 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1150 DTLS_client_method(),
5c587fb6 1151 DTLS1_VERSION, 0, 0);
84d5549e 1152}
55386bef 1153#endif
84d5549e 1154
8f8c11d8 1155#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1156static int ocsp_server_cb(SSL *s, void *arg)
1157{
1158 int *argi = (int *)arg;
710756a9 1159 unsigned char *copy = NULL;
ba881d3b
MC		 1160 STACK_OF(OCSP_RESPID) *ids = NULL;
1161 OCSP_RESPID *id = NULL;
1162
1163 if (*argi == 2) {
1164 /* In this test we are expecting exactly 1 OCSP_RESPID */
1165 SSL_get_tlsext_status_ids(s, &ids);
1166 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1167 return SSL_TLSEXT_ERR_ALERT_FATAL;
1168
1169 id = sk_OCSP_RESPID_value(ids, 0);
1170 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1171 return SSL_TLSEXT_ERR_ALERT_FATAL;
1172 } else if (*argi != 1) {
1173 return SSL_TLSEXT_ERR_ALERT_FATAL;
1174 }
1175
710756a9 1176 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1177 return SSL_TLSEXT_ERR_ALERT_FATAL;
1178
710756a9 1179 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1180 ocsp_server_called = 1;
ba881d3b
MC		 1181 return SSL_TLSEXT_ERR_OK;
1182}
1183
1184static int ocsp_client_cb(SSL *s, void *arg)
1185{
1186 int *argi = (int *)arg;
1187 const unsigned char *respderin;
1188 size_t len;
1189
1190 if (*argi != 1 && *argi != 2)
1191 return 0;
1192
1193 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1194 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1195 return 0;
1196
1197 ocsp_client_called = 1;
ba881d3b
MC		 1198 return 1;
1199}
1200
2cb4b5f6
MC		 1201static int test_tlsext_status_type(void)
1202{
ba881d3b
MC		 1203 SSL_CTX *cctx = NULL, *sctx = NULL;
1204 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1205 int testresult = 0;
ba881d3b
MC		 1206 STACK_OF(OCSP_RESPID) *ids = NULL;
1207 OCSP_RESPID *id = NULL;
1208 BIO *certbio = NULL;
2cb4b5f6 1209
7d7f6834 1210 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1211 TLS1_VERSION, 0,
7d7f6834 1212 &sctx, &cctx, cert, privkey))
ba881d3b 1213 return 0;
2cb4b5f6 1214
710756a9 1215 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1216 goto end;
2cb4b5f6 1217
ba881d3b 1218 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1219
ba881d3b 1220 clientssl = SSL_new(cctx);
710756a9
RS		 1221 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1222 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1223 TLSEXT_STATUSTYPE_ocsp))
1224 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1225 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1226 goto end;
2cb4b5f6 1227
ba881d3b
MC		 1228 SSL_free(clientssl);
1229 clientssl = NULL;
2cb4b5f6 1230
710756a9
RS		 1231 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1232 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1233 goto end;
2cb4b5f6 1234
ba881d3b 1235 clientssl = SSL_new(cctx);
710756a9 1236 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1237 goto end;
ba881d3b
MC		 1238 SSL_free(clientssl);
1239 clientssl = NULL;
1240
1241 /*
1242 * Now actually do a handshake and check OCSP information is exchanged and
1243 * the callbacks get called
1244 */
ba881d3b
MC		 1245 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1246 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1247 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1248 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1249 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1250 &clientssl, NULL, NULL))
1251 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1252 SSL_ERROR_NONE))
1253 || !TEST_true(ocsp_client_called)
1254 || !TEST_true(ocsp_server_called))
ba881d3b 1255 goto end;
ba881d3b
MC		 1256 SSL_free(serverssl);
1257 SSL_free(clientssl);
1258 serverssl = NULL;
1259 clientssl = NULL;
1260
1261 /* Try again but this time force the server side callback to fail */
1262 ocsp_client_called = 0;
1263 ocsp_server_called = 0;
1264 cdummyarg = 0;
710756a9
RS		 1265 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1266 &clientssl, NULL, NULL))
1267 /* This should fail because the callback will fail */
1268 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1269 SSL_ERROR_NONE))
1270 || !TEST_false(ocsp_client_called)
1271 || !TEST_false(ocsp_server_called))
ba881d3b 1272 goto end;
ba881d3b
MC		 1273 SSL_free(serverssl);
1274 SSL_free(clientssl);
1275 serverssl = NULL;
1276 clientssl = NULL;
1277
1278 /*
1279 * This time we'll get the client to send an OCSP_RESPID that it will
1280 * accept.
1281 */
1282 ocsp_client_called = 0;
1283 ocsp_server_called = 0;
1284 cdummyarg = 2;
710756a9
RS		 1285 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1286 &clientssl, NULL, NULL)))
ba881d3b 1287 goto end;
ba881d3b
MC		 1288
1289 /*
1290 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1291 * specific one. We'll use the server cert.
ba881d3b 1292 */
710756a9
RS		 1293 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1294 || !TEST_ptr(id = OCSP_RESPID_new())
1295 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1296 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1297 NULL, NULL, NULL))
1298 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1299 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1300 goto end;
ba881d3b
MC		 1301 id = NULL;
1302 SSL_set_tlsext_status_ids(clientssl, ids);
1303 /* Control has been transferred */
1304 ids = NULL;
1305
1306 BIO_free(certbio);
1307 certbio = NULL;
1308
710756a9
RS		 1309 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1310 SSL_ERROR_NONE))
1311 || !TEST_true(ocsp_client_called)
1312 || !TEST_true(ocsp_server_called))
ba881d3b 1313 goto end;
ba881d3b 1314
2cb4b5f6
MC		 1315 testresult = 1;
1316
1317 end:
ba881d3b
MC		 1318 SSL_free(serverssl);
1319 SSL_free(clientssl);
1320 SSL_CTX_free(sctx);
1321 SSL_CTX_free(cctx);
1322 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1323 OCSP_RESPID_free(id);
1324 BIO_free(certbio);
1325 X509_free(ocspcert);
1326 ocspcert = NULL;
2cb4b5f6
MC		 1327
1328 return testresult;
1329}
8f8c11d8 1330#endif
2cb4b5f6 1331
bf208d95 1332#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1333static int new_called, remove_called, get_called;
eaa776da 1334
eaa776da
MC		 1335static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1336{
1337 new_called++;
c0537ebd
MC		 1338 /*
1339 * sess has been up-refed for us, but we don't actually need it so free it
1340 * immediately.
1341 */
1342 SSL_SESSION_free(sess);
eaa776da
MC		 1343 return 1;
1344}
1345
1346static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1347{
1348 remove_called++;
1349}
1350
7a301f08
MC		 1351static SSL_SESSION *get_sess_val = NULL;
1352
1353static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1354 int *copy)
1355{
0afca811 1356 get_called++;
7a301f08
MC		 1357 *copy = 1;
1358 return get_sess_val;
1359}
1360
7a301f08
MC		 1361static int execute_test_session(int maxprot, int use_int_cache,
1362 int use_ext_cache)
2cb4b5f6
MC		 1363{
1364 SSL_CTX *sctx = NULL, *cctx = NULL;
1365 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1366 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1367# ifndef OPENSSL_NO_TLS1_1
eaa776da 1368 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1369# endif
2cb4b5f6 1370 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1371 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1372
7e885b7b
P		 1373 new_called = remove_called = 0;
1374
36ff232c
MC		 1375 /* TLSv1.3 sends 2 NewSessionTickets */
1376 if (maxprot == TLS1_3_VERSION)
1377 numnewsesstick = 2;
1378
7d7f6834 1379 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1380 TLS1_VERSION, 0,
7d7f6834 1381 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1382 return 0;
2cb4b5f6 1383
7a301f08
MC		 1384 /*
1385 * Only allow the max protocol version so we can force a connection failure
1386 * later
1387 */
1388 SSL_CTX_set_min_proto_version(cctx, maxprot);
1389 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1390
1391 /* Set up session cache */
7e885b7b 1392 if (use_ext_cache) {
eaa776da
MC		 1393 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1394 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1395 }
7e885b7b 1396 if (use_int_cache) {
eaa776da
MC		 1397 /* Also covers instance where both are set */
1398 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1399 } else {
1400 SSL_CTX_set_session_cache_mode(cctx,
1401 SSL_SESS_CACHE_CLIENT
1402 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1403 }
2cb4b5f6 1404
710756a9
RS		 1405 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1406 NULL, NULL))
1407 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1408 SSL_ERROR_NONE))
1409 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1410 goto end;
2cb4b5f6 1411
710756a9 1412 /* Should fail because it should already be in the cache */
7e885b7b 1413 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1414 goto end;
7a301f08 1415 if (use_ext_cache
36ff232c
MC		 1416 && (!TEST_int_eq(new_called, numnewsesstick)
1417
1418 || !TEST_int_eq(remove_called, 0)))
b4982125 1419 goto end;
b4982125 1420
c0537ebd
MC		 1421 new_called = remove_called = 0;
1422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1423 &clientssl2, NULL, NULL))
1424 || !TEST_true(SSL_set_session(clientssl2, sess1))
1425 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1426 SSL_ERROR_NONE))
1427 || !TEST_true(SSL_session_reused(clientssl2)))
1428 goto end;
1429
7a301f08
MC		 1430 if (maxprot == TLS1_3_VERSION) {
1431 /*
1432 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1433 * resumed. Since we attempted a resume we should also have removed the
1434 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1435 */
1436 if (use_ext_cache
1437 && (!TEST_int_eq(new_called, 1)
4cb00457 1438 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1439 goto end;
1440 } else {
1441 /*
1442 * In TLSv1.2 we expect to have resumed so no sessions added or
1443 * removed.
1444 */
1445 if (use_ext_cache
1446 && (!TEST_int_eq(new_called, 0)
1447 || !TEST_int_eq(remove_called, 0)))
1448 goto end;
1449 }
c0537ebd
MC		 1450
1451 SSL_SESSION_free(sess1);
1452 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1453 goto end;
1454 shutdown_ssl_connection(serverssl2, clientssl2);
1455 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1456
1457 new_called = remove_called = 0;
710756a9
RS		 1458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1459 &clientssl2, NULL, NULL))
1460 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1461 SSL_ERROR_NONE)))
2cb4b5f6 1462 goto end;
2cb4b5f6 1463
710756a9 1464 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1465 goto end;
2cb4b5f6 1466
7a301f08 1467 if (use_ext_cache
36ff232c
MC		 1468 && (!TEST_int_eq(new_called, numnewsesstick)
1469 || !TEST_int_eq(remove_called, 0)))
eaa776da 1470 goto end;
eaa776da 1471
c0537ebd 1472 new_called = remove_called = 0;
2cb4b5f6 1473 /*
710756a9
RS		 1474 * This should clear sess2 from the cache because it is a "bad" session.
1475 * See SSL_set_session() documentation.
2cb4b5f6 1476 */
710756a9 1477 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1478 goto end;
7a301f08
MC		 1479 if (use_ext_cache
1480 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1481 goto end;
710756a9 1482 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1483 goto end;
2cb4b5f6 1484
7e885b7b 1485 if (use_int_cache) {
710756a9
RS		 1486 /* Should succeeded because it should not already be in the cache */
1487 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1488 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1489 goto end;
eaa776da
MC		 1490 }
1491
c0537ebd 1492 new_called = remove_called = 0;
eaa776da 1493 /* This shouldn't be in the cache so should fail */
710756a9 1494 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1495 goto end;
2cb4b5f6 1496
7a301f08
MC		 1497 if (use_ext_cache
1498 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1499 goto end;
2cb4b5f6 1500
bf208d95 1501# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1502 new_called = remove_called = 0;
eaa776da
MC		 1503 /* Force a connection failure */
1504 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1505 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1506 &clientssl3, NULL, NULL))
1507 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1508 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1509 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1510 SSL_ERROR_NONE)))
eaa776da 1511 goto end;
b4982125 1512
eaa776da 1513 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1514 if (use_ext_cache
1515 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1516 goto end;
2cb4b5f6 1517
710756a9 1518 /* Should succeed because it should not already be in the cache */
7e885b7b 1519 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1520 goto end;
bf208d95 1521# endif
eaa776da 1522
7a301f08
MC		 1523 /* Now do some tests for server side caching */
1524 if (use_ext_cache) {
1525 SSL_CTX_sess_set_new_cb(cctx, NULL);
1526 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1527 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1528 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1529 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1530 get_sess_val = NULL;
1531 }
1532
1533 SSL_CTX_set_session_cache_mode(cctx, 0);
1534 /* Internal caching is the default on the server side */
1535 if (!use_int_cache)
1536 SSL_CTX_set_session_cache_mode(sctx,
1537 SSL_SESS_CACHE_SERVER
1538 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1539
1540 SSL_free(serverssl1);
1541 SSL_free(clientssl1);
1542 serverssl1 = clientssl1 = NULL;
1543 SSL_free(serverssl2);
1544 SSL_free(clientssl2);
1545 serverssl2 = clientssl2 = NULL;
1546 SSL_SESSION_free(sess1);
1547 sess1 = NULL;
1548 SSL_SESSION_free(sess2);
1549 sess2 = NULL;
1550
1551 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1552 if (maxprot == TLS1_2_VERSION)
1553 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1554 new_called = remove_called = get_called = 0;
7a301f08
MC		 1555 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1556 NULL, NULL))
1557 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1558 SSL_ERROR_NONE))
1559 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1560 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1561 goto end;
1562
ee94ec2e
MC		 1563 if (use_int_cache) {
1564 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1565 /*
1566 * In TLSv1.3 it should not have been added to the internal cache,
1567 * except in the case where we also have an external cache (in that
1568 * case it gets added to the cache in order to generate remove
1569 * events after timeout).
1570 */
1571 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1572 goto end;
1573 } else {
1574 /* Should fail because it should already be in the cache */
1575 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1576 goto end;
1577 }
1578 }
7a301f08
MC		 1579
1580 if (use_ext_cache) {
1581 SSL_SESSION *tmp = sess2;
1582
36ff232c 1583 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1584 || !TEST_int_eq(remove_called, 0)
1585 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1586 goto end;
1587 /*
1588 * Delete the session from the internal cache to force a lookup from
1589 * the external cache. We take a copy first because
1590 * SSL_CTX_remove_session() also marks the session as non-resumable.
1591 */
ee94ec2e 1592 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1593 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1594 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1595 goto end;
1596 SSL_SESSION_free(sess2);
1597 }
7a301f08
MC		 1598 sess2 = tmp;
1599 }
1600
0afca811 1601 new_called = remove_called = get_called = 0;
7a301f08
MC		 1602 get_sess_val = sess2;
1603 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1604 &clientssl2, NULL, NULL))
1605 || !TEST_true(SSL_set_session(clientssl2, sess1))
1606 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1607 SSL_ERROR_NONE))
1608 || !TEST_true(SSL_session_reused(clientssl2)))
1609 goto end;
1610
0afca811 1611 if (use_ext_cache) {
32305f88 1612 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1613 goto end;
1614
1615 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1616 if (!TEST_int_eq(new_called, 1)
1617 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1618 goto end;
1619 } else {
32305f88
MC		 1620 if (!TEST_int_eq(new_called, 0)
1621 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1622 goto end;
1623 }
1624 }
7a301f08 1625
2cb4b5f6 1626 testresult = 1;
eaa776da 1627
2cb4b5f6
MC		 1628 end:
1629 SSL_free(serverssl1);
1630 SSL_free(clientssl1);
1631 SSL_free(serverssl2);
1632 SSL_free(clientssl2);
bf208d95 1633# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1634 SSL_free(serverssl3);
1635 SSL_free(clientssl3);
bf208d95 1636# endif
2cb4b5f6
MC		 1637 SSL_SESSION_free(sess1);
1638 SSL_SESSION_free(sess2);
1639 SSL_CTX_free(sctx);
1640 SSL_CTX_free(cctx);
1641
1642 return testresult;
1643}
bf208d95 1644#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1645
7fb4c820
MC		 1646static int test_session_with_only_int_cache(void)
1647{
7a301f08
MC		 1648#ifndef OPENSSL_NO_TLS1_3
1649 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1650 return 0;
1651#endif
1652
1653#ifndef OPENSSL_NO_TLS1_2
1654 return execute_test_session(TLS1_2_VERSION, 1, 0);
1655#else
1656 return 1;
1657#endif
eaa776da
MC		 1658}
1659
7fb4c820
MC		 1660static int test_session_with_only_ext_cache(void)
1661{
7a301f08
MC		 1662#ifndef OPENSSL_NO_TLS1_3
1663 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1664 return 0;
1665#endif
1666
1667#ifndef OPENSSL_NO_TLS1_2
1668 return execute_test_session(TLS1_2_VERSION, 0, 1);
1669#else
1670 return 1;
1671#endif
eaa776da
MC		 1672}
1673
7fb4c820
MC		 1674static int test_session_with_both_cache(void)
1675{
7a301f08
MC		 1676#ifndef OPENSSL_NO_TLS1_3
1677 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1678 return 0;
1679#endif
1680
1681#ifndef OPENSSL_NO_TLS1_2
1682 return execute_test_session(TLS1_2_VERSION, 1, 1);
1683#else
1684 return 1;
1685#endif
eaa776da
MC		 1686}
1687
04225915 1688#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1689static SSL_SESSION *sesscache[6];
1690static int do_cache;
36ff232c
MC		 1691
1692static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1693{
c22365b3
MC		 1694 if (do_cache) {
1695 sesscache[new_called] = sess;
1696 } else {
1697 /* We don't need the reference to the session, so free it */
1698 SSL_SESSION_free(sess);
1699 }
1700 new_called++;
1701
1702 return 1;
1703}
1704
1705static int post_handshake_verify(SSL *sssl, SSL *cssl)
1706{
1707 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1708 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1709 return 0;
1710
1711 /* Start handshake on the server and client */
1712 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1713 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1714 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1715 || !TEST_true(create_ssl_connection(sssl, cssl,
1716 SSL_ERROR_NONE)))
1717 return 0;
36ff232c
MC		 1718
1719 return 1;
1720}
1721
fbe9dafd 1722static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 1723 SSL_CTX **cctx)
1724{
1725 int sess_id_ctx = 1;
1726
1727 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1728 TLS1_VERSION, 0, sctx,
03cdf559
MC		 1729 cctx, cert, privkey))
1730 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1731 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1732 (void *)&sess_id_ctx,
1733 sizeof(sess_id_ctx))))
1734 return 0;
1735
1736 if (stateful)
1737 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1738
1739 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1740 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1741 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1742
1743 return 1;
1744}
1745
1746static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1747{
1748 SSL *serverssl = NULL, *clientssl = NULL;
1749 int i;
1750
1751 /* Test that we can resume with all the tickets we got given */
1752 for (i = 0; i < idx * 2; i++) {
1753 new_called = 0;
1754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1755 &clientssl, NULL, NULL))
1756 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1757 goto end;
1758
32097b33 1759 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 1760
1761 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1762 SSL_ERROR_NONE)))
1763 goto end;
1764
1765 /*
1766 * Following a successful resumption we only get 1 ticket. After a
1767 * failed one we should get idx tickets.
1768 */
1769 if (succ) {
1770 if (!TEST_true(SSL_session_reused(clientssl))
1771 || !TEST_int_eq(new_called, 1))
1772 goto end;
1773 } else {
1774 if (!TEST_false(SSL_session_reused(clientssl))
1775 || !TEST_int_eq(new_called, idx))
1776 goto end;
1777 }
1778
1779 new_called = 0;
1780 /* After a post-handshake authentication we should get 1 new ticket */
1781 if (succ
1782 && (!post_handshake_verify(serverssl, clientssl)
1783 || !TEST_int_eq(new_called, 1)))
1784 goto end;
1785
1786 SSL_shutdown(clientssl);
1787 SSL_shutdown(serverssl);
1788 SSL_free(serverssl);
1789 SSL_free(clientssl);
1790 serverssl = clientssl = NULL;
1791 SSL_SESSION_free(sesscache[i]);
1792 sesscache[i] = NULL;
1793 }
1794
1795 return 1;
1796
1797 end:
1798 SSL_free(clientssl);
1799 SSL_free(serverssl);
1800 return 0;
1801}
1802
04d7814a 1803static int test_tickets(int stateful, int idx)
36ff232c
MC		 1804{
1805 SSL_CTX *sctx = NULL, *cctx = NULL;
1806 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 1807 int testresult = 0;
36ff232c
MC		 1808 size_t j;
1809
1810 /* idx is the test number, but also the number of tickets we want */
1811
1812 new_called = 0;
c22365b3 1813 do_cache = 1;
36ff232c 1814
fbe9dafd 1815 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 1816 goto end;
1817
03cdf559
MC		 1818 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1819 &clientssl, NULL, NULL)))
1820 goto end;
1821
1822 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1823 SSL_ERROR_NONE))
1824 /* Check we got the number of tickets we were expecting */
1825 || !TEST_int_eq(idx, new_called))
1826 goto end;
04d7814a 1827
03cdf559
MC		 1828 SSL_shutdown(clientssl);
1829 SSL_shutdown(serverssl);
1830 SSL_free(serverssl);
1831 SSL_free(clientssl);
1832 SSL_CTX_free(sctx);
1833 SSL_CTX_free(cctx);
1834 clientssl = serverssl = NULL;
1835 sctx = cctx = NULL;
1836
1837 /*
1838 * Now we try to resume with the tickets we previously created. The
1839 * resumption attempt is expected to fail (because we're now using a new
1840 * SSL_CTX). We should see idx number of tickets issued again.
1841 */
1842
1843 /* Stop caching sessions - just count them */
1844 do_cache = 0;
1845
fbe9dafd 1846 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 1847 goto end;
1848
1849 if (!check_resumption(idx, sctx, cctx, 0))
1850 goto end;
1851
1852 /* Start again with caching sessions */
1853 new_called = 0;
1854 do_cache = 1;
fbe9dafd
MC		 1855 SSL_CTX_free(sctx);
1856 SSL_CTX_free(cctx);
1857 sctx = cctx = NULL;
03cdf559 1858
fbe9dafd 1859 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 1860 goto end;
36ff232c
MC		 1861
1862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1863 &clientssl, NULL, NULL)))
1864 goto end;
1865
32097b33 1866 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 1867
1868 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1869 SSL_ERROR_NONE))
1870 /* Check we got the number of tickets we were expecting */
1871 || !TEST_int_eq(idx, new_called))
1872 goto end;
1873
1874 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1875 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1876 || !TEST_int_eq(idx * 2, new_called))
1877 goto end;
1878
36ff232c
MC		 1879 SSL_shutdown(clientssl);
1880 SSL_shutdown(serverssl);
1881 SSL_free(serverssl);
1882 SSL_free(clientssl);
1883 serverssl = clientssl = NULL;
1884
c22365b3
MC		 1885 /* Stop caching sessions - just count them */
1886 do_cache = 0;
1887
03cdf559
MC		 1888 /*
1889 * Check we can resume with all the tickets we created. This time around the
1890 * resumptions should all be successful.
1891 */
1892 if (!check_resumption(idx, sctx, cctx, 1))
1893 goto end;
36ff232c
MC		 1894
1895 testresult = 1;
1896
1897 end:
1898 SSL_free(serverssl);
1899 SSL_free(clientssl);
c22365b3 1900 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 1901 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 1902 sesscache[j] = NULL;
1903 }
36ff232c
MC		 1904 SSL_CTX_free(sctx);
1905 SSL_CTX_free(cctx);
1906
1907 return testresult;
1908}
04d7814a
MC		 1909
1910static int test_stateless_tickets(int idx)
1911{
1912 return test_tickets(0, idx);
1913}
1914
1915static int test_stateful_tickets(int idx)
1916{
1917 return test_tickets(1, idx);
1918}
8614a4eb
MC		 1919
1920static int test_psk_tickets(void)
1921{
1922 SSL_CTX *sctx = NULL, *cctx = NULL;
1923 SSL *serverssl = NULL, *clientssl = NULL;
1924 int testresult = 0;
1925 int sess_id_ctx = 1;
1926
1927 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1928 TLS1_VERSION, 0, &sctx,
8614a4eb
MC		 1929 &cctx, NULL, NULL))
1930 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1931 (void *)&sess_id_ctx,
1932 sizeof(sess_id_ctx))))
1933 goto end;
1934
1935 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1936 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1937 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1938 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1939 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1940 use_session_cb_cnt = 0;
1941 find_session_cb_cnt = 0;
1942 srvid = pskid;
1943 new_called = 0;
1944
1945 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1946 NULL, NULL)))
1947 goto end;
1948 clientpsk = serverpsk = create_a_psk(clientssl);
1949 if (!TEST_ptr(clientpsk))
1950 goto end;
1951 SSL_SESSION_up_ref(clientpsk);
1952
1953 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1954 SSL_ERROR_NONE))
1955 || !TEST_int_eq(1, find_session_cb_cnt)
1956 || !TEST_int_eq(1, use_session_cb_cnt)
1957 /* We should always get 1 ticket when using external PSK */
1958 || !TEST_int_eq(1, new_called))
1959 goto end;
1960
1961 testresult = 1;
1962
1963 end:
1964 SSL_free(serverssl);
1965 SSL_free(clientssl);
1966 SSL_CTX_free(sctx);
1967 SSL_CTX_free(cctx);
1968 SSL_SESSION_free(clientpsk);
1969 SSL_SESSION_free(serverpsk);
1970 clientpsk = serverpsk = NULL;
1971
1972 return testresult;
1973}
04225915 1974#endif
36ff232c 1975
7d4488bb
MC		 1976#define USE_NULL 0
1977#define USE_BIO_1 1
1978#define USE_BIO_2 2
1979#define USE_DEFAULT 3
1980
1981#define CONNTYPE_CONNECTION_SUCCESS 0
1982#define CONNTYPE_CONNECTION_FAIL 1
1983#define CONNTYPE_NO_CONNECTION 2
1984
1985#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1986#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1987#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1988# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1989#else
1990# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1991#endif
1992
7d4488bb
MC		 1993#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1994 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1995 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 1996
1997static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1998{
1999 switch (type) {
2000 case USE_NULL:
2001 *res = NULL;
2002 break;
2003 case USE_BIO_1:
2004 *res = bio1;
2005 break;
2006 case USE_BIO_2:
2007 *res = bio2;
2008 break;
2009 }
2010}
2011
7d4488bb
MC		 2012
2013/*
2014 * Tests calls to SSL_set_bio() under various conditions.
2015 *
2016 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2017 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2018 * then do more tests where we create a successful connection first using our
2019 * standard connection setup functions, and then call SSL_set_bio() with
2020 * various combinations of valid BIOs or NULL. We then repeat these tests
2021 * following a failed connection. In this last case we are looking to check that
2022 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2023 */
7fb4c820
MC		 2024static int test_ssl_set_bio(int idx)
2025{
7d4488bb 2026 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2027 BIO *bio1 = NULL;
2028 BIO *bio2 = NULL;
0fae8150 2029 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2030 SSL *serverssl = NULL, *clientssl = NULL;
2031 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2032 int testresult = 0;
2033
7d4488bb
MC		 2034 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2035 initrbio = idx % 3;
2036 idx /= 3;
2037 initwbio = idx % 3;
2038 idx /= 3;
2039 newrbio = idx % 3;
2040 idx /= 3;
2041 newwbio = idx % 3;
2042 conntype = CONNTYPE_NO_CONNECTION;
2043 } else {
2044 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2045 initrbio = initwbio = USE_DEFAULT;
2046 newrbio = idx % 2;
2047 idx /= 2;
2048 newwbio = idx % 2;
2049 idx /= 2;
2050 conntype = idx % 2;
2051 }
710756a9 2052
7d4488bb 2053 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2054 TLS1_VERSION, 0,
7d4488bb
MC		 2055 &sctx, &cctx, cert, privkey)))
2056 goto end;
2057
2058 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2059 /*
2060 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2061 * because we reduced the number of tests in the definition of
2062 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2063 * mismatched protocol versions we will force a connection failure.
2064 */
2065 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2066 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2067 }
2068
2069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2070 NULL, NULL)))
710756a9 2071 goto end;
7fb4c820 2072
710756a9
RS		 2073 if (initrbio == USE_BIO_1
2074 || initwbio == USE_BIO_1
2075 || newrbio == USE_BIO_1
7fb4c820 2076 || newwbio == USE_BIO_1) {
710756a9 2077 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2078 goto end;
7fb4c820
MC		 2079 }
2080
710756a9
RS		 2081 if (initrbio == USE_BIO_2
2082 || initwbio == USE_BIO_2
2083 || newrbio == USE_BIO_2
7fb4c820 2084 || newwbio == USE_BIO_2) {
710756a9 2085 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2086 goto end;
7fb4c820
MC		 2087 }
2088
7d4488bb
MC		 2089 if (initrbio != USE_DEFAULT) {
2090 setupbio(&irbio, bio1, bio2, initrbio);
2091 setupbio(&iwbio, bio1, bio2, initwbio);
2092 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2093
7d4488bb
MC		 2094 /*
2095 * We want to maintain our own refs to these BIO, so do an up ref for
2096 * each BIO that will have ownership transferred in the SSL_set_bio()
2097 * call
2098 */
2099 if (irbio != NULL)
2100 BIO_up_ref(irbio);
2101 if (iwbio != NULL && iwbio != irbio)
2102 BIO_up_ref(iwbio);
2103 }
7fb4c820 2104
7d4488bb
MC		 2105 if (conntype != CONNTYPE_NO_CONNECTION
2106 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2107 SSL_ERROR_NONE)
2108 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2109 goto end;
7fb4c820
MC		 2110
2111 setupbio(&nrbio, bio1, bio2, newrbio);
2112 setupbio(&nwbio, bio1, bio2, newwbio);
2113
2114 /*
2115 * We will (maybe) transfer ownership again so do more up refs.
2116 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2117 * already been set!
2118 */
710756a9
RS		 2119 if (nrbio != NULL
2120 && nrbio != irbio
2121 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2122 BIO_up_ref(nrbio);
710756a9
RS		 2123 if (nwbio != NULL
2124 && nwbio != nrbio
2125 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2126 BIO_up_ref(nwbio);
2127
7d4488bb 2128 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2129
2130 testresult = 1;
2131
2132 end:
7fb4c820
MC		 2133 BIO_free(bio1);
2134 BIO_free(bio2);
710756a9 2135
7fb4c820
MC		 2136 /*
2137 * This test is checking that the ref counting for SSL_set_bio is correct.
2138 * If we get here and we did too many frees then we will fail in the above
742ccab3 2139 * functions.
7fb4c820 2140 */
7d4488bb
MC		 2141 SSL_free(serverssl);
2142 SSL_free(clientssl);
2143 SSL_CTX_free(sctx);
2144 SSL_CTX_free(cctx);
7fb4c820
MC		 2145 return testresult;
2146}
2147
7e885b7b 2148typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2149
7e885b7b 2150static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2151{
2152 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2153 SSL_CTX *ctx;
9a716987
MC		 2154 SSL *ssl = NULL;
2155 int testresult = 0;
2156
710756a9
RS		 2157 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2158 || !TEST_ptr(ssl = SSL_new(ctx))
2159 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2160 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2161 goto end;
9a716987
MC		 2162
2163 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2164
2165 /*
742ccab3 2166 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2167 */
2168 BIO_push(sslbio, membio1);
2169
69687aa8 2170 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2171 if (change_bio != NO_BIO_CHANGE) {
710756a9 2172 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2173 goto end;
7e885b7b 2174 if (change_bio == CHANGE_RBIO)
65e2d672 2175 SSL_set0_rbio(ssl, membio2);
9a716987 2176 else
65e2d672 2177 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2178 }
2179 ssl = NULL;
2180
7e885b7b 2181 if (pop_ssl)
9a716987
MC		 2182 BIO_pop(sslbio);
2183 else
2184 BIO_pop(membio1);
2185
2186 testresult = 1;
2187 end:
2188 BIO_free(membio1);
2189 BIO_free(sslbio);
2190 SSL_free(ssl);
2191 SSL_CTX_free(ctx);
2192
2193 return testresult;
2194}
2195
2196static int test_ssl_bio_pop_next_bio(void)
2197{
7e885b7b 2198 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2199}
2200
2201static int test_ssl_bio_pop_ssl_bio(void)
2202{
7e885b7b 2203 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2204}
2205
2206static int test_ssl_bio_change_rbio(void)
2207{
7e885b7b 2208 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2209}
2210
2211static int test_ssl_bio_change_wbio(void)
2212{
7e885b7b 2213 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2214}
2215
c423ecaa 2216#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 2217typedef struct {
2218 /* The list of sig algs */
2219 const int *list;
2220 /* The length of the list */
2221 size_t listlen;
2222 /* A sigalgs list in string format */
2223 const char *liststr;
2224 /* Whether setting the list should succeed */
2225 int valid;
2226 /* Whether creating a connection with the list should succeed */
2227 int connsuccess;
2228} sigalgs_list;
2229
2230static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2231# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2232static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2233static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2234# endif
f1b25aae
MC		 2235static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2236static const int invalidlist2[] = {NID_sha256, NID_undef};
2237static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2238static const int invalidlist4[] = {NID_sha256};
2239static const sigalgs_list testsigalgs[] = {
2240 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2241# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2242 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2243 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2244# endif
f1b25aae 2245 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2246# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2247 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2248 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2249# endif
f1b25aae
MC		 2250 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2251 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2252 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2253 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2254 {NULL, 0, "RSA", 0, 0},
2255 {NULL, 0, "SHA256", 0, 0},
2256 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2257 {NULL, 0, "Invalid", 0, 0}
2258};
f1b25aae
MC		 2259
2260static int test_set_sigalgs(int idx)
2261{
2262 SSL_CTX *cctx = NULL, *sctx = NULL;
2263 SSL *clientssl = NULL, *serverssl = NULL;
2264 int testresult = 0;
2265 const sigalgs_list *curr;
2266 int testctx;
2267
2268 /* Should never happen */
710756a9 2269 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2270 return 0;
2271
2272 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2273 curr = testctx ? &testsigalgs[idx]
2274 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2275
7d7f6834 2276 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2277 TLS1_VERSION, 0,
7d7f6834 2278 &sctx, &cctx, cert, privkey)))
f1b25aae 2279 return 0;
f1b25aae 2280
d2e491f2
MC		 2281 /*
2282 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2283 * for TLSv1.2 for now until we add a new API.
2284 */
2285 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2286
f1b25aae
MC		 2287 if (testctx) {
2288 int ret;
710756a9 2289
f1b25aae
MC		 2290 if (curr->list != NULL)
2291 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2292 else
2293 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2294
2295 if (!ret) {
2296 if (curr->valid)
710756a9 2297 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2298 else
2299 testresult = 1;
2300 goto end;
2301 }
2302 if (!curr->valid) {
710756a9 2303 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2304 goto end;
2305 }
2306 }
2307
710756a9
RS		 2308 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2309 &clientssl, NULL, NULL)))
f1b25aae 2310 goto end;
f1b25aae
MC		 2311
2312 if (!testctx) {
2313 int ret;
2314
2315 if (curr->list != NULL)
2316 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2317 else
2318 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2319 if (!ret) {
2320 if (curr->valid)
710756a9 2321 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2322 else
2323 testresult = 1;
2324 goto end;
2325 }
710756a9 2326 if (!curr->valid)
f1b25aae 2327 goto end;
f1b25aae
MC		 2328 }
2329
710756a9
RS		 2330 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2331 SSL_ERROR_NONE),
2332 curr->connsuccess))
f1b25aae 2333 goto end;
f1b25aae
MC		 2334
2335 testresult = 1;
2336
2337 end:
2338 SSL_free(serverssl);
2339 SSL_free(clientssl);
2340 SSL_CTX_free(sctx);
2341 SSL_CTX_free(cctx);
2342
2343 return testresult;
2344}
c423ecaa 2345#endif
f1b25aae 2346
fff202e5 2347#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2348static int psk_client_cb_cnt = 0;
2349static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2350
2351static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2352 size_t *idlen, SSL_SESSION **sess)
2353{
2354 switch (++use_session_cb_cnt) {
2355 case 1:
2356 /* The first call should always have a NULL md */
2357 if (md != NULL)
2358 return 0;
2359 break;
2360
2361 case 2:
2362 /* The second call should always have an md */
2363 if (md == NULL)
2364 return 0;
2365 break;
2366
2367 default:
2368 /* We should only be called a maximum of twice */
2369 return 0;
2370 }
2371
57dee9bb
MC		 2372 if (clientpsk != NULL)
2373 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2374
57dee9bb 2375 *sess = clientpsk;
02a3ed5a
MC		 2376 *id = (const unsigned char *)pskid;
2377 *idlen = strlen(pskid);
2378
2379 return 1;
2380}
2381
c2b290c3 2382#ifndef OPENSSL_NO_PSK
532f9578
MC		 2383static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2384 unsigned int max_id_len,
2385 unsigned char *psk,
2386 unsigned int max_psk_len)
2387{
2388 unsigned int psklen = 0;
2389
2390 psk_client_cb_cnt++;
2391
2392 if (strlen(pskid) + 1 > max_id_len)
2393 return 0;
2394
2395 /* We should only ever be called a maximum of twice per connection */
2396 if (psk_client_cb_cnt > 2)
2397 return 0;
2398
2399 if (clientpsk == NULL)
2400 return 0;
2401
2402 /* We'll reuse the PSK we set up for TLSv1.3 */
2403 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2404 return 0;
2405 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2406 strncpy(id, pskid, max_id_len);
2407
2408 return psklen;
2409}
c2b290c3 2410#endif /* OPENSSL_NO_PSK */
532f9578 2411
02a3ed5a
MC		 2412static int find_session_cb(SSL *ssl, const unsigned char *identity,
2413 size_t identity_len, SSL_SESSION **sess)
2414{
2415 find_session_cb_cnt++;
2416
2417 /* We should only ever be called a maximum of twice per connection */
2418 if (find_session_cb_cnt > 2)
2419 return 0;
2420
57dee9bb 2421 if (serverpsk == NULL)
02a3ed5a
MC		 2422 return 0;
2423
2424 /* Identity should match that set by the client */
2425 if (strlen(srvid) != identity_len
2426 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2427 /* No PSK found, continue but without a PSK */
2428 *sess = NULL;
2429 return 1;
2430 }
2431
57dee9bb
MC		 2432 SSL_SESSION_up_ref(serverpsk);
2433 *sess = serverpsk;
02a3ed5a
MC		 2434
2435 return 1;
2436}
2437
c2b290c3 2438#ifndef OPENSSL_NO_PSK
532f9578
MC		 2439static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2440 unsigned char *psk, unsigned int max_psk_len)
2441{
2442 unsigned int psklen = 0;
2443
2444 psk_server_cb_cnt++;
2445
2446 /* We should only ever be called a maximum of twice per connection */
2447 if (find_session_cb_cnt > 2)
2448 return 0;
2449
2450 if (serverpsk == NULL)
2451 return 0;
2452
2453 /* Identity should match that set by the client */
2454 if (strcmp(srvid, identity) != 0) {
2455 return 0;
2456 }
2457
2458 /* We'll reuse the PSK we set up for TLSv1.3 */
2459 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2460 return 0;
2461 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2462
2463 return psklen;
2464}
c2b290c3 2465#endif /* OPENSSL_NO_PSK */
532f9578 2466
5f982038
MC		 2467#define MSG1 "Hello"
2468#define MSG2 "World."
2469#define MSG3 "This"
2470#define MSG4 "is"
2471#define MSG5 "a"
90049cea
MC		 2472#define MSG6 "test"
2473#define MSG7 "message."
5f982038 2474
02a3ed5a 2475#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 2476#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 2477
8614a4eb
MC		 2478
2479static SSL_SESSION *create_a_psk(SSL *ssl)
2480{
2481 const SSL_CIPHER *cipher = NULL;
2482 const unsigned char key[] = {
2483 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2484 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2485 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2486 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2487 0x2c, 0x2d, 0x2e, 0x2f
2488 };
2489 SSL_SESSION *sess = NULL;
2490
2491 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2492 sess = SSL_SESSION_new();
2493 if (!TEST_ptr(sess)
2494 || !TEST_ptr(cipher)
2495 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2496 sizeof(key)))
2497 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2498 || !TEST_true(
2499 SSL_SESSION_set_protocol_version(sess,
2500 TLS1_3_VERSION))) {
2501 SSL_SESSION_free(sess);
2502 return NULL;
2503 }
2504 return sess;
2505}
2506
5f982038
MC		 2507/*
2508 * Helper method to setup objects for early data test. Caller frees objects on
2509 * error.
2510 */
2511static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 2512 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 2513{
5a421415
MC		 2514 if (*sctx == NULL
2515 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2516 TLS_client_method(),
5c587fb6 2517 TLS1_VERSION, 0,
5a421415
MC		 2518 sctx, cctx, cert, privkey)))
2519 return 0;
2520
2521 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 2522 return 0;
5f982038 2523
02a3ed5a
MC		 2524 if (idx == 1) {
2525 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 2526 SSL_CTX_set_read_ahead(*cctx, 1);
2527 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 2528 } else if (idx == 2) {
2529 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2530 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2531 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2532 use_session_cb_cnt = 0;
2533 find_session_cb_cnt = 0;
2534 srvid = pskid;
3cb47b4e
MC		 2535 }
2536
710756a9 2537 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 2538 NULL, NULL)))
2539 return 0;
2540
141e4709
MC		 2541 /*
2542 * For one of the run throughs (doesn't matter which one), we'll try sending
2543 * some SNI data in the initial ClientHello. This will be ignored (because
2544 * there is no SNI cb set up by the server), so it should not impact
2545 * early_data.
2546 */
2547 if (idx == 1
2548 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2549 return 0;
2550
02a3ed5a 2551 if (idx == 2) {
8614a4eb 2552 clientpsk = create_a_psk(*clientssl);
57dee9bb 2553 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 2554 /*
2555 * We just choose an arbitrary value for max_early_data which
2556 * should be big enough for testing purposes.
2557 */
57dee9bb
MC		 2558 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2559 0x100))
2560 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2561 SSL_SESSION_free(clientpsk);
2562 clientpsk = NULL;
02a3ed5a
MC		 2563 return 0;
2564 }
57dee9bb 2565 serverpsk = clientpsk;
02a3ed5a 2566
c20e3b28
MC		 2567 if (sess != NULL) {
2568 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2569 SSL_SESSION_free(clientpsk);
2570 SSL_SESSION_free(serverpsk);
2571 clientpsk = serverpsk = NULL;
2572 return 0;
2573 }
57dee9bb 2574 *sess = clientpsk;
c20e3b28 2575 }
02a3ed5a
MC		 2576 return 1;
2577 }
2578
2579 if (sess == NULL)
2580 return 1;
2581
2582 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2583 SSL_ERROR_NONE)))
5f982038 2584 return 0;
5f982038
MC		 2585
2586 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 2587 SSL_shutdown(*clientssl);
2588 SSL_shutdown(*serverssl);
5f982038
MC		 2589 SSL_free(*serverssl);
2590 SSL_free(*clientssl);
2591 *serverssl = *clientssl = NULL;
2592
710756a9
RS		 2593 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2594 clientssl, NULL, NULL))
2595 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 2596 return 0;
5f982038
MC		 2597
2598 return 1;
2599}
2600
3cb47b4e 2601static int test_early_data_read_write(int idx)
5f982038
MC		 2602{
2603 SSL_CTX *cctx = NULL, *sctx = NULL;
2604 SSL *clientssl = NULL, *serverssl = NULL;
2605 int testresult = 0;
2606 SSL_SESSION *sess = NULL;
9b5c865d
MC		 2607 unsigned char buf[20], data[1024];
2608 size_t readbytes, written, eoedlen, rawread, rawwritten;
2609 BIO *rbio;
5f982038 2610
710756a9
RS		 2611 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2612 &serverssl, &sess, idx)))
5f982038
MC		 2613 goto end;
2614
2615 /* Write and read some early data */
710756a9
RS		 2616 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2617 &written))
2618 || !TEST_size_t_eq(written, strlen(MSG1))
2619 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2620 sizeof(buf), &readbytes),
2621 SSL_READ_EARLY_DATA_SUCCESS)
2622 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2623 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2624 SSL_EARLY_DATA_ACCEPTED))
5f982038 2625 goto end;
5f982038
MC		 2626
2627 /*
09f28874 2628 * Server should be able to write data, and client should be able to
5f982038
MC		 2629 * read it.
2630 */
710756a9
RS		 2631 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2632 &written))
2633 || !TEST_size_t_eq(written, strlen(MSG2))
2634 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2635 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2636 goto end;
5f982038
MC		 2637
2638 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 2639 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2640 &written))
2641 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 2642 goto end;
5f982038 2643
09f28874 2644 /* Server should still be able read early data after writing data */
710756a9
RS		 2645 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2646 &readbytes),
2647 SSL_READ_EARLY_DATA_SUCCESS)
2648 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 2649 goto end;
5f982038 2650
09f28874 2651 /* Write more data from server and read it from client */
710756a9
RS		 2652 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2653 &written))
2654 || !TEST_size_t_eq(written, strlen(MSG4))
2655 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2656 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2657 goto end;
5f982038
MC		 2658
2659 /*
2660 * If client writes normal data it should mean writing early data is no
2661 * longer possible.
2662 */
710756a9
RS		 2663 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2664 || !TEST_size_t_eq(written, strlen(MSG5))
2665 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2666 SSL_EARLY_DATA_ACCEPTED))
5f982038 2667 goto end;
5f982038 2668
9b5c865d
MC		 2669 /*
2670 * At this point the client has written EndOfEarlyData, ClientFinished and
2671 * normal (fully protected) data. We are going to cause a delay between the
2672 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2673 * in the read BIO, and then just put back the EndOfEarlyData message.
2674 */
2675 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2676 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2677 || !TEST_size_t_lt(rawread, sizeof(data))
2678 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2679 goto end;
710756a9 2680
9b5c865d
MC		 2681 /* Record length is in the 4th and 5th bytes of the record header */
2682 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2683 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2684 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2685 goto end;
9b5c865d 2686
5f982038 2687 /* Server should be told that there is no more early data */
710756a9
RS		 2688 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2689 &readbytes),
2690 SSL_READ_EARLY_DATA_FINISH)
2691 || !TEST_size_t_eq(readbytes, 0))
5f982038 2692 goto end;
5f982038 2693
9b5c865d
MC		 2694 /*
2695 * Server has not finished init yet, so should still be able to write early
2696 * data.
2697 */
710756a9
RS		 2698 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2699 &written))
2700 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2701 goto end;
9b5c865d 2702
f8a303fa 2703 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2704 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2705 &rawwritten))
2706 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2707 goto end;
f8a303fa 2708
5f982038 2709 /* Server should be able to read normal data */
710756a9
RS		 2710 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2711 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2712 goto end;
5f982038 2713
09f28874 2714 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2715 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2716 &written)))
5f982038 2717 goto end;
5f982038 2718 ERR_clear_error();
710756a9
RS		 2719 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2720 &readbytes),
2721 SSL_READ_EARLY_DATA_ERROR))
5f982038 2722 goto end;
5f982038
MC		 2723 ERR_clear_error();
2724
9b5c865d 2725 /* Client should be able to read the data sent by the server */
710756a9
RS		 2726 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2727 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2728 goto end;
710756a9 2729
f8a303fa 2730 /*
36ff232c
MC		 2731 * Make sure we process the two NewSessionTickets. These arrive
2732 * post-handshake. We attempt reads which we do not expect to return any
2733 * data.
f8a303fa 2734 */
36ff232c
MC		 2735 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2736 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2737 &readbytes)))
f8a303fa 2738 goto end;
5f982038 2739
90049cea 2740 /* Server should be able to write normal data */
710756a9
RS		 2741 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2742 || !TEST_size_t_eq(written, strlen(MSG7))
2743 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2744 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2745 goto end;
90049cea 2746
c20e3b28 2747 SSL_SESSION_free(sess);
5f982038 2748 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2749 use_session_cb_cnt = 0;
2750 find_session_cb_cnt = 0;
5f982038
MC		 2751
2752 SSL_shutdown(clientssl);
2753 SSL_shutdown(serverssl);
5f982038
MC		 2754 SSL_free(serverssl);
2755 SSL_free(clientssl);
2756 serverssl = clientssl = NULL;
710756a9
RS		 2757 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2758 &clientssl, NULL, NULL))
2759 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2760 goto end;
5f982038
MC		 2761
2762 /* Write and read some early data */
710756a9
RS		 2763 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2764 &written))
2765 || !TEST_size_t_eq(written, strlen(MSG1))
2766 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2767 &readbytes),
2768 SSL_READ_EARLY_DATA_SUCCESS)
2769 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2770 goto end;
5f982038 2771
710756a9
RS		 2772 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2773 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2774 goto end;
5f982038 2775
09f28874 2776 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2777 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2778 &written)))
5f982038 2779 goto end;
5f982038 2780 ERR_clear_error();
710756a9
RS		 2781 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2782 &readbytes),
2783 SSL_READ_EARLY_DATA_ERROR))
5f982038 2784 goto end;
5f982038
MC		 2785 ERR_clear_error();
2786
2787 /* Client and server should be able to write/read normal data */
710756a9
RS		 2788 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2789 || !TEST_size_t_eq(written, strlen(MSG5))
2790 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2791 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2792 goto end;
5f982038
MC		 2793
2794 testresult = 1;
2795
2796 end:
c20e3b28 2797 SSL_SESSION_free(sess);
57dee9bb
MC		 2798 SSL_SESSION_free(clientpsk);
2799 SSL_SESSION_free(serverpsk);
2800 clientpsk = serverpsk = NULL;
5f982038
MC		 2801 SSL_free(serverssl);
2802 SSL_free(clientssl);
2803 SSL_CTX_free(sctx);
2804 SSL_CTX_free(cctx);
5f982038
MC		 2805 return testresult;
2806}
2807
5a421415
MC		 2808static int allow_ed_cb_called = 0;
2809
2810static int allow_early_data_cb(SSL *s, void *arg)
2811{
2812 int *usecb = (int *)arg;
2813
2814 allow_ed_cb_called++;
2815
2816 if (*usecb == 1)
2817 return 0;
2818
2819 return 1;
2820}
2821
2822/*
2823 * idx == 0: Standard early_data setup
2824 * idx == 1: early_data setup using read_ahead
2825 * usecb == 0: Don't use a custom early data callback
2826 * usecb == 1: Use a custom early data callback and reject the early data
2827 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 2828 * confopt == 0: Configure anti-replay directly
2829 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 2830 */
3bb5e5b0 2831static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 2832{
2833 SSL_CTX *cctx = NULL, *sctx = NULL;
2834 SSL *clientssl = NULL, *serverssl = NULL;
2835 int testresult = 0;
2836 SSL_SESSION *sess = NULL;
5a421415
MC		 2837 size_t readbytes, written;
2838 unsigned char buf[20];
2839
2840 allow_ed_cb_called = 0;
2841
2842 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2843 TLS1_VERSION, 0, &sctx,
5a421415
MC		 2844 &cctx, cert, privkey)))
2845 return 0;
2846
2847 if (usecb > 0) {
3bb5e5b0
MC		 2848 if (confopt == 0) {
2849 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2850 } else {
2851 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2852
2853 if (!TEST_ptr(confctx))
2854 goto end;
2855 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2856 | SSL_CONF_FLAG_SERVER);
2857 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2858 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2859 2)) {
2860 SSL_CONF_CTX_free(confctx);
2861 goto end;
2862 }
2863 SSL_CONF_CTX_free(confctx);
2864 }
5a421415
MC		 2865 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2866 }
78fb5374
MC		 2867
2868 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2869 &serverssl, &sess, idx)))
2870 goto end;
2871
2872 /*
2873 * The server is configured to accept early data. Create a connection to
2874 * "use up" the ticket
2875 */
2876 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2877 || !TEST_true(SSL_session_reused(clientssl)))
2878 goto end;
2879
2880 SSL_shutdown(clientssl);
2881 SSL_shutdown(serverssl);
2882 SSL_free(serverssl);
2883 SSL_free(clientssl);
2884 serverssl = clientssl = NULL;
2885
2886 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2887 &clientssl, NULL, NULL))
5a421415
MC		 2888 || !TEST_true(SSL_set_session(clientssl, sess)))
2889 goto end;
2890
2891 /* Write and read some early data */
2892 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2893 &written))
2894 || !TEST_size_t_eq(written, strlen(MSG1)))
2895 goto end;
2896
2897 if (usecb <= 1) {
2898 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2899 &readbytes),
2900 SSL_READ_EARLY_DATA_FINISH)
2901 /*
2902 * The ticket was reused, so the we should have rejected the
2903 * early data
2904 */
2905 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2906 SSL_EARLY_DATA_REJECTED))
2907 goto end;
2908 } else {
2909 /* In this case the callback decides to accept the early data */
2910 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2911 &readbytes),
2912 SSL_READ_EARLY_DATA_SUCCESS)
2913 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2914 /*
2915 * Server will have sent its flight so client can now send
2916 * end of early data and complete its half of the handshake
2917 */
2918 || !TEST_int_gt(SSL_connect(clientssl), 0)
2919 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2920 &readbytes),
2921 SSL_READ_EARLY_DATA_FINISH)
2922 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2923 SSL_EARLY_DATA_ACCEPTED))
2924 goto end;
2925 }
2926
2927 /* Complete the connection */
2928 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2929 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2930 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 2931 goto end;
2932
2933 testresult = 1;
2934
2935 end:
c20e3b28 2936 SSL_SESSION_free(sess);
78fb5374
MC		 2937 SSL_SESSION_free(clientpsk);
2938 SSL_SESSION_free(serverpsk);
2939 clientpsk = serverpsk = NULL;
2940 SSL_free(serverssl);
2941 SSL_free(clientssl);
2942 SSL_CTX_free(sctx);
2943 SSL_CTX_free(cctx);
2944 return testresult;
2945}
2946
5a421415
MC		 2947static int test_early_data_replay(int idx)
2948{
3bb5e5b0 2949 int ret = 1, usecb, confopt;
5a421415 2950
3bb5e5b0
MC		 2951 for (usecb = 0; usecb < 3; usecb++) {
2952 for (confopt = 0; confopt < 2; confopt++)
2953 ret &= test_early_data_replay_int(idx, usecb, confopt);
2954 }
5a421415
MC		 2955
2956 return ret;
2957}
2958
710756a9 2959/*
6b84e6bf
MC		 2960 * Helper function to test that a server attempting to read early data can
2961 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 2962 * testtype: 0 == No HRR
2963 * testtype: 1 == HRR
0efa0ba4
MC		 2964 * testtype: 2 == HRR, invalid early_data sent after HRR
2965 * testtype: 3 == recv_max_early_data set to 0
710756a9 2966 */
0d1b7789 2967static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 2968{
2969 SSL_CTX *cctx = NULL, *sctx = NULL;
2970 SSL *clientssl = NULL, *serverssl = NULL;
2971 int testresult = 0;
018fcbec 2972 SSL_SESSION *sess = NULL;
5f982038
MC		 2973 unsigned char buf[20];
2974 size_t readbytes, written;
2975
710756a9
RS		 2976 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2977 &serverssl, &sess, idx)))
5f982038
MC		 2978 goto end;
2979
0efa0ba4 2980 if (testtype == 1 || testtype == 2) {
6b84e6bf 2981 /* Force an HRR to occur */
dbc6268f
MC		 2982#if defined(OPENSSL_NO_EC)
2983 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
2984 goto end;
2985#else
6b84e6bf
MC		 2986 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2987 goto end;
dbc6268f 2988#endif
02a3ed5a
MC		 2989 } else if (idx == 2) {
2990 /*
2991 * We force early_data rejection by ensuring the PSK identity is
2992 * unrecognised
2993 */
2994 srvid = "Dummy Identity";
6b84e6bf
MC		 2995 } else {
2996 /*
2997 * Deliberately corrupt the creation time. We take 20 seconds off the
2998 * time. It could be any value as long as it is not within tolerance.
2999 * This should mean the ticket is rejected.
3000 */
5d99881e 3001 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3002 goto end;
3003 }
5f982038 3004
0efa0ba4 3005 if (testtype == 3
0d1b7789
MC		 3006 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3007 goto end;
3008
5f982038 3009 /* Write some early data */
710756a9
RS		 3010 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3011 &written))
3012 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3013 goto end;
5f982038 3014
0d1b7789 3015 /* Server should reject the early data */
710756a9
RS		 3016 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3017 &readbytes),
3018 SSL_READ_EARLY_DATA_FINISH)
3019 || !TEST_size_t_eq(readbytes, 0)
3020 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3021 SSL_EARLY_DATA_REJECTED))
5f982038 3022 goto end;
5f982038 3023
0efa0ba4
MC		 3024 switch (testtype) {
3025 case 0:
3026 /* Nothing to do */
3027 break;
3028
3029 case 1:
6b84e6bf
MC		 3030 /*
3031 * Finish off the handshake. We perform the same writes and reads as
3032 * further down but we expect them to fail due to the incomplete
3033 * handshake.
3034 */
3035 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3036 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3037 &readbytes)))
3038 goto end;
0efa0ba4
MC		 3039 break;
3040
3041 case 2:
3042 {
3043 BIO *wbio = SSL_get_wbio(clientssl);
3044 /* A record that will appear as bad early_data */
3045 const unsigned char bad_early_data[] = {
3046 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3047 };
3048
3049 /*
3050 * We force the client to attempt a write. This will fail because
3051 * we're still in the handshake. It will cause the second
3052 * ClientHello to be sent.
3053 */
3054 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3055 &written)))
3056 goto end;
3057
3058 /*
3059 * Inject some early_data after the second ClientHello. This should
3060 * cause the server to fail
3061 */
3062 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3063 sizeof(bad_early_data), &written)))
3064 goto end;
3065 }
3066 /* fallthrough */
3067
3068 case 3:
0d1b7789 3069 /*
0efa0ba4
MC		 3070 * This client has sent more early_data than we are willing to skip
3071 * (case 3) or sent invalid early_data (case 2) so the connection should
3072 * abort.
0d1b7789
MC		 3073 */
3074 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3075 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3076 goto end;
3077
3078 /* Connection has failed - nothing more to do */
3079 testresult = 1;
3080 goto end;
0efa0ba4
MC		 3081
3082 default:
3083 TEST_error("Invalid test type");
3084 goto end;
6b84e6bf
MC		 3085 }
3086
0d1b7789
MC		 3087 /*
3088 * Should be able to send normal data despite rejection of early data. The
3089 * early_data should be skipped.
3090 */
710756a9
RS		 3091 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3092 || !TEST_size_t_eq(written, strlen(MSG2))
3093 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3094 SSL_EARLY_DATA_REJECTED)
3095 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3096 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3097 goto end;
5f982038
MC		 3098
3099 testresult = 1;
3100
3101 end:
c20e3b28 3102 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3103 SSL_SESSION_free(serverpsk);
3104 clientpsk = serverpsk = NULL;
5f982038
MC		 3105 SSL_SESSION_free(sess);
3106 SSL_free(serverssl);
3107 SSL_free(clientssl);
3108 SSL_CTX_free(sctx);
3109 SSL_CTX_free(cctx);
5f982038
MC		 3110 return testresult;
3111}
3112
6b84e6bf
MC		 3113/*
3114 * Test that a server attempting to read early data can handle a connection
3115 * from a client where the early data is not acceptable.
3116 */
3117static int test_early_data_skip(int idx)
3118{
3119 return early_data_skip_helper(0, idx);
3120}
3121
3122/*
3123 * Test that a server attempting to read early data can handle a connection
3124 * from a client where an HRR occurs.
3125 */
3126static int test_early_data_skip_hrr(int idx)
3127{
3128 return early_data_skip_helper(1, idx);
3129}
3130
0efa0ba4
MC		 3131/*
3132 * Test that a server attempting to read early data can handle a connection
3133 * from a client where an HRR occurs and correctly fails if early_data is sent
3134 * after the HRR
3135 */
3136static int test_early_data_skip_hrr_fail(int idx)
3137{
3138 return early_data_skip_helper(2, idx);
3139}
3140
0d1b7789
MC		 3141/*
3142 * Test that a server attempting to read early data will abort if it tries to
3143 * skip over too much.
3144 */
3145static int test_early_data_skip_abort(int idx)
3146{
0efa0ba4 3147 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3148}
3149
710756a9
RS		 3150/*
3151 * Test that a server attempting to read early data can handle a connection
3152 * from a client that doesn't send any.
3153 */
3cb47b4e 3154static int test_early_data_not_sent(int idx)
5f982038
MC		 3155{
3156 SSL_CTX *cctx = NULL, *sctx = NULL;
3157 SSL *clientssl = NULL, *serverssl = NULL;
3158 int testresult = 0;
018fcbec 3159 SSL_SESSION *sess = NULL;
5f982038
MC		 3160 unsigned char buf[20];
3161 size_t readbytes, written;
3162
710756a9
RS		 3163 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3164 &serverssl, &sess, idx)))
5f982038
MC		 3165 goto end;
3166
3167 /* Write some data - should block due to handshake with server */
3168 SSL_set_connect_state(clientssl);
710756a9 3169 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3170 goto end;
5f982038
MC		 3171
3172 /* Server should detect that early data has not been sent */
710756a9
RS		 3173 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3174 &readbytes),
3175 SSL_READ_EARLY_DATA_FINISH)
3176 || !TEST_size_t_eq(readbytes, 0)
3177 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3178 SSL_EARLY_DATA_NOT_SENT)
3179 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3180 SSL_EARLY_DATA_NOT_SENT))
5f982038 3181 goto end;
5f982038
MC		 3182
3183 /* Continue writing the message we started earlier */
710756a9
RS		 3184 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3185 || !TEST_size_t_eq(written, strlen(MSG1))
3186 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3187 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3188 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3189 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3190 goto end;
5f982038 3191
710756a9
RS		 3192 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3193 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3194 goto end;
5f982038
MC		 3195
3196 testresult = 1;
3197
3198 end:
5f982038 3199 SSL_SESSION_free(sess);
c20e3b28 3200 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3201 SSL_SESSION_free(serverpsk);
3202 clientpsk = serverpsk = NULL;
5f982038
MC		 3203 SSL_free(serverssl);
3204 SSL_free(clientssl);
3205 SSL_CTX_free(sctx);
3206 SSL_CTX_free(cctx);
5f982038
MC		 3207 return testresult;
3208}
3209
976e5323
MC		 3210static const char *servalpn;
3211
c7558d5b
PY		 3212static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3213 unsigned char *outlen, const unsigned char *in,
3214 unsigned int inlen, void *arg)
976e5323 3215{
c7558d5b 3216 unsigned int protlen = 0;
976e5323
MC		 3217 const unsigned char *prot;
3218
c7558d5b
PY		 3219 for (prot = in; prot < in + inlen; prot += protlen) {
3220 protlen = *prot++;
5d99881e 3221 if (in + inlen < prot + protlen)
976e5323
MC		 3222 return SSL_TLSEXT_ERR_NOACK;
3223
3224 if (protlen == strlen(servalpn)
0bd42fde 3225 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3226 *out = prot;
3227 *outlen = protlen;
3228 return SSL_TLSEXT_ERR_OK;
3229 }
3230 }
3231
3232 return SSL_TLSEXT_ERR_NOACK;
3233}
3234
57dee9bb 3235/* Test that a PSK can be used to send early_data */
976e5323
MC		 3236static int test_early_data_psk(int idx)
3237{
3238 SSL_CTX *cctx = NULL, *sctx = NULL;
3239 SSL *clientssl = NULL, *serverssl = NULL;
3240 int testresult = 0;
3241 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3242 unsigned char alpnlist[] = {
3243 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3244 'l', 'p', 'n'
3245 };
3246#define GOODALPNLEN 9
3247#define BADALPNLEN 8
3248#define GOODALPN (alpnlist)
3249#define BADALPN (alpnlist + GOODALPNLEN)
3250 int err = 0;
976e5323
MC		 3251 unsigned char buf[20];
3252 size_t readbytes, written;
57dee9bb 3253 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3254 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3255
3256 /* We always set this up with a final parameter of "2" for PSK */
3257 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3258 &serverssl, &sess, 2)))
3259 goto end;
3260
976e5323
MC		 3261 servalpn = "goodalpn";
3262
57dee9bb
MC		 3263 /*
3264 * Note: There is no test for inconsistent SNI with late client detection.
3265 * This is because servers do not acknowledge SNI even if they are using
3266 * it in a resumption handshake - so it is not actually possible for a
3267 * client to detect a problem.
3268 */
976e5323
MC		 3269 switch (idx) {
3270 case 0:
57dee9bb 3271 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3272 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3273 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3274 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3275 goto end;
3276 break;
3277
3278 case 1:
57dee9bb 3279 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3280 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3281 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3282 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3283 GOODALPNLEN))
3284 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3285 BADALPNLEN)))
976e5323
MC		 3286 goto end;
3287 break;
3288
3289 case 2:
3290 /*
3291 * Set invalid protocol version. Technically this affects PSKs without
3292 * early_data too, but we test it here because it is similar to the
3293 * SNI/ALPN consistency tests.
3294 */
3295 err = SSL_R_BAD_PSK;
3296 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3297 goto end;
3298 break;
3299
3300 case 3:
3301 /*
49ef3d07
MC		 3302 * Set inconsistent SNI (server side). In this case the connection
3303 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3304 * is associated with each handshake - not the session. Therefore it
3305 * should not matter that we used a different server name last time.
976e5323 3306 */
281bf233
MC		 3307 SSL_SESSION_free(serverpsk);
3308 serverpsk = SSL_SESSION_dup(clientpsk);
3309 if (!TEST_ptr(serverpsk)
3310 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3311 goto end;
976e5323
MC		 3312 /* Fall through */
3313 case 4:
3314 /* Set consistent SNI */
976e5323
MC		 3315 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3316 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3317 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3318 hostname_cb)))
3319 goto end;
3320 break;
3321
3322 case 5:
3323 /*
3324 * Set inconsistent ALPN (server detected). In this case the connection
3325 * will succeed but reject early_data.
3326 */
3327 servalpn = "badalpn";
3328 edstatus = SSL_EARLY_DATA_REJECTED;
3329 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3330 /* Fall through */
3331 case 6:
976e5323 3332 /*
57dee9bb 3333 * Set consistent ALPN.
976e5323
MC		 3334 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3335 * accepts a list of protos (each one length prefixed).
3336 * SSL_set1_alpn_selected accepts a single protocol (not length
3337 * prefixed)
3338 */
57dee9bb
MC		 3339 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3340 GOODALPNLEN - 1))
3341 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3342 GOODALPNLEN)))
976e5323
MC		 3343 goto end;
3344
3345 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3346 break;
3347
57dee9bb
MC		 3348 case 7:
3349 /* Set inconsistent ALPN (late client detection) */
3350 SSL_SESSION_free(serverpsk);
3351 serverpsk = SSL_SESSION_dup(clientpsk);
3352 if (!TEST_ptr(serverpsk)
3353 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3354 BADALPN + 1,
3355 BADALPNLEN - 1))
3356 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3357 GOODALPN + 1,
3358 GOODALPNLEN - 1))
3359 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3360 sizeof(alpnlist))))
3361 goto end;
3362 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3363 edstatus = SSL_EARLY_DATA_ACCEPTED;
3364 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3365 /* SSL_connect() call should fail */
3366 connectres = -1;
3367 break;
3368
976e5323
MC		 3369 default:
3370 TEST_error("Bad test index");
3371 goto end;
3372 }
3373
3374 SSL_set_connect_state(clientssl);
3375 if (err != 0) {
3376 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3377 &written))
3378 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3379 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3380 goto end;
3381 } else {
3382 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3383 &written)))
3384 goto end;
3385
3386 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3387 &readbytes), readearlyres)
976e5323
MC		 3388 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3389 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3390 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3391 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3392 goto end;
3393 }
3394
3395 testresult = 1;
3396
3397 end:
c20e3b28 3398 SSL_SESSION_free(sess);
57dee9bb
MC		 3399 SSL_SESSION_free(clientpsk);
3400 SSL_SESSION_free(serverpsk);
3401 clientpsk = serverpsk = NULL;
976e5323
MC		 3402 SSL_free(serverssl);
3403 SSL_free(clientssl);
3404 SSL_CTX_free(sctx);
3405 SSL_CTX_free(cctx);
3406 return testresult;
3407}
3408
710756a9
RS		 3409/*
3410 * Test that a server that doesn't try to read early data can handle a
3411 * client sending some.
3412 */
3cb47b4e 3413static int test_early_data_not_expected(int idx)
5f982038
MC		 3414{
3415 SSL_CTX *cctx = NULL, *sctx = NULL;
3416 SSL *clientssl = NULL, *serverssl = NULL;
3417 int testresult = 0;
018fcbec 3418 SSL_SESSION *sess = NULL;
5f982038
MC		 3419 unsigned char buf[20];
3420 size_t readbytes, written;
3421
710756a9
RS		 3422 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3423 &serverssl, &sess, idx)))
5f982038
MC		 3424 goto end;
3425
3426 /* Write some early data */
710756a9
RS		 3427 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3428 &written)))
5f982038 3429 goto end;
5f982038
MC		 3430
3431 /*
3432 * Server should skip over early data and then block waiting for client to
3433 * continue handshake
3434 */
710756a9
RS		 3435 if (!TEST_int_le(SSL_accept(serverssl), 0)
3436 || !TEST_int_gt(SSL_connect(clientssl), 0)
3437 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3438 SSL_EARLY_DATA_REJECTED)
3439 || !TEST_int_gt(SSL_accept(serverssl), 0)
3440 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3441 SSL_EARLY_DATA_REJECTED))
5f982038 3442 goto end;
5f982038
MC		 3443
3444 /* Send some normal data from client to server */
710756a9
RS		 3445 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3446 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3447 goto end;
5f982038 3448
710756a9
RS		 3449 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3450 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3451 goto end;
5f982038
MC		 3452
3453 testresult = 1;
3454
3455 end:
5f982038 3456 SSL_SESSION_free(sess);
c20e3b28 3457 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3458 SSL_SESSION_free(serverpsk);
3459 clientpsk = serverpsk = NULL;
5f982038
MC		 3460 SSL_free(serverssl);
3461 SSL_free(clientssl);
3462 SSL_CTX_free(sctx);
3463 SSL_CTX_free(cctx);
5f982038
MC		 3464 return testresult;
3465}
3466
3467
3468# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 3469/*
3470 * Test that a server attempting to read early data can handle a connection
3471 * from a TLSv1.2 client.
3472 */
3cb47b4e 3473static int test_early_data_tls1_2(int idx)
5f982038
MC		 3474{
3475 SSL_CTX *cctx = NULL, *sctx = NULL;
3476 SSL *clientssl = NULL, *serverssl = NULL;
3477 int testresult = 0;
3478 unsigned char buf[20];
3479 size_t readbytes, written;
3480
02a3ed5a
MC		 3481 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3482 &serverssl, NULL, idx)))
5f982038 3483 goto end;
5f982038
MC		 3484
3485 /* Write some data - should block due to handshake with server */
3486 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3487 SSL_set_connect_state(clientssl);
710756a9 3488 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3489 goto end;
5f982038
MC		 3490
3491 /*
3492 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 3493 * messages from client after ServerDone. Then SSL_read_early_data should
3494 * finish and detect that early data has not been sent
5f982038 3495 */
710756a9
RS		 3496 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3497 &readbytes),
3498 SSL_READ_EARLY_DATA_ERROR))
5f982038 3499 goto end;
5f982038
MC		 3500
3501 /*
3502 * Continue writing the message we started earlier. Will still block waiting
3503 * for the CCS/Finished from server
3504 */
710756a9
RS		 3505 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3506 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3507 &readbytes),
3508 SSL_READ_EARLY_DATA_FINISH)
3509 || !TEST_size_t_eq(readbytes, 0)
3510 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3511 SSL_EARLY_DATA_NOT_SENT))
5f982038 3512 goto end;
5f982038
MC		 3513
3514 /* Continue writing the message we started earlier */
710756a9
RS		 3515 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3516 || !TEST_size_t_eq(written, strlen(MSG1))
3517 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3518 SSL_EARLY_DATA_NOT_SENT)
3519 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3520 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3521 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3522 || !TEST_size_t_eq(written, strlen(MSG2))
3523 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3524 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3525 goto end;
5f982038
MC		 3526
3527 testresult = 1;
3528
3529 end:
57dee9bb
MC		 3530 SSL_SESSION_free(clientpsk);
3531 SSL_SESSION_free(serverpsk);
3532 clientpsk = serverpsk = NULL;
5f982038
MC		 3533 SSL_free(serverssl);
3534 SSL_free(clientssl);
3535 SSL_CTX_free(sctx);
3536 SSL_CTX_free(cctx);
3537
3538 return testresult;
3539}
ca0413ae
MC		 3540# endif /* OPENSSL_NO_TLS1_2 */
3541
034cb87b
MC		 3542/*
3543 * Test configuring the TLSv1.3 ciphersuites
3544 *
3545 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3546 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3547 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3548 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3549 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3550 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3551 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3552 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3553 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3554 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3555 */
3556static int test_set_ciphersuite(int idx)
3557{
3558 SSL_CTX *cctx = NULL, *sctx = NULL;
3559 SSL *clientssl = NULL, *serverssl = NULL;
3560 int testresult = 0;
3561
3562 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3563 TLS1_VERSION, 0,
034cb87b
MC		 3564 &sctx, &cctx, cert, privkey))
3565 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3566 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3567 goto end;
3568
3569 if (idx >=4 && idx <= 7) {
3570 /* SSL_CTX explicit cipher list */
3571 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3572 goto end;
3573 }
3574
3575 if (idx == 0 || idx == 4) {
3576 /* Default ciphersuite */
3577 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3578 "TLS_AES_128_GCM_SHA256")))
3579 goto end;
3580 } else if (idx == 1 || idx == 5) {
3581 /* Non default ciphersuite */
3582 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3583 "TLS_AES_128_CCM_SHA256")))
3584 goto end;
3585 }
3586
3587 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3588 &clientssl, NULL, NULL)))
3589 goto end;
3590
3591 if (idx == 8 || idx == 9) {
3592 /* SSL explicit cipher list */
3593 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3594 goto end;
3595 }
3596
3597 if (idx == 2 || idx == 6 || idx == 8) {
3598 /* Default ciphersuite */
3599 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3600 "TLS_AES_128_GCM_SHA256")))
3601 goto end;
3602 } else if (idx == 3 || idx == 7 || idx == 9) {
3603 /* Non default ciphersuite */
3604 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3605 "TLS_AES_128_CCM_SHA256")))
3606 goto end;
3607 }
3608
3609 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3610 goto end;
3611
3612 testresult = 1;
3613
3614 end:
3615 SSL_free(serverssl);
3616 SSL_free(clientssl);
3617 SSL_CTX_free(sctx);
3618 SSL_CTX_free(cctx);
3619
3620 return testresult;
3621}
3622
ca0413ae
MC		 3623static int test_ciphersuite_change(void)
3624{
3625 SSL_CTX *cctx = NULL, *sctx = NULL;
3626 SSL *clientssl = NULL, *serverssl = NULL;
3627 SSL_SESSION *clntsess = NULL;
3628 int testresult = 0;
3629 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3630
3631 /* Create a session based on SHA-256 */
7d7f6834 3632 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3633 TLS1_VERSION, 0,
7d7f6834 3634 &sctx, &cctx, cert, privkey))
f865b081
MC		 3635 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3636 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 3637 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3638 &clientssl, NULL, NULL))
3639 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3640 SSL_ERROR_NONE)))
3641 goto end;
3642
3643 clntsess = SSL_get1_session(clientssl);
3644 /* Save for later */
3645 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3646 SSL_shutdown(clientssl);
3647 SSL_shutdown(serverssl);
3648 SSL_free(serverssl);
3649 SSL_free(clientssl);
3650 serverssl = clientssl = NULL;
3651
71cff963 3652# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 3653 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 3654 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3655 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 3656 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3657 NULL, NULL))
3658 || !TEST_true(SSL_set_session(clientssl, clntsess))
3659 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3660 SSL_ERROR_NONE))
3661 || !TEST_true(SSL_session_reused(clientssl)))
3662 goto end;
3663
3664 SSL_SESSION_free(clntsess);
3665 clntsess = SSL_get1_session(clientssl);
3666 SSL_shutdown(clientssl);
3667 SSL_shutdown(serverssl);
3668 SSL_free(serverssl);
3669 SSL_free(clientssl);
3670 serverssl = clientssl = NULL;
71cff963 3671# endif
ca0413ae
MC		 3672
3673 /*
3674 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 3675 * succeeds but does not resume.
ca0413ae 3676 */
f865b081 3677 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3678 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3679 NULL, NULL))
3680 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 3681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 3682 SSL_ERROR_SSL))
0de6d66d 3683 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 3684 goto end;
3685
3686 SSL_SESSION_free(clntsess);
3687 clntsess = NULL;
3688 SSL_shutdown(clientssl);
3689 SSL_shutdown(serverssl);
3690 SSL_free(serverssl);
3691 SSL_free(clientssl);
3692 serverssl = clientssl = NULL;
3693
3694 /* Create a session based on SHA384 */
f865b081 3695 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3696 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3697 &clientssl, NULL, NULL))
3698 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3699 SSL_ERROR_NONE)))
3700 goto end;
3701
3702 clntsess = SSL_get1_session(clientssl);
3703 SSL_shutdown(clientssl);
3704 SSL_shutdown(serverssl);
3705 SSL_free(serverssl);
3706 SSL_free(clientssl);
3707 serverssl = clientssl = NULL;
3708
f865b081
MC		 3709 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3710 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3711 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3712 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3713 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3714 NULL, NULL))
3715 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 3716 /*
3717 * We use SSL_ERROR_WANT_READ below so that we can pause the
3718 * connection after the initial ClientHello has been sent to
3719 * enable us to make some session changes.
3720 */
ca0413ae
MC		 3721 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3722 SSL_ERROR_WANT_READ)))
3723 goto end;
3724
3725 /* Trick the client into thinking this session is for a different digest */
3726 clntsess->cipher = aes_128_gcm_sha256;
3727 clntsess->cipher_id = clntsess->cipher->id;
3728
3729 /*
3b0e88d3
MC		 3730 * Continue the previously started connection. Server has selected a SHA-384
3731 * ciphersuite, but client thinks the session is for SHA-256, so it should
3732 * bail out.
ca0413ae
MC		 3733 */
3734 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3735 SSL_ERROR_SSL))
3736 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3737 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3738 goto end;
3739
3740 testresult = 1;
3741
3742 end:
3743 SSL_SESSION_free(clntsess);
3744 SSL_free(serverssl);
3745 SSL_free(clientssl);
3746 SSL_CTX_free(sctx);
3747 SSL_CTX_free(cctx);
3748
3749 return testresult;
3750}
3751
8e63900a 3752/*
5bf2eade 3753 * Test TLSv1.3 Key exchange
3754 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3755 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3756 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3757 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3758 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3759 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3760 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3761 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3762 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3763 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3764 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3765 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3766 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3767 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 3768 */
db26ec80 3769static int test_key_exchange(int idx)
8e63900a 3770{
3771 SSL_CTX *sctx = NULL, *cctx = NULL;
3772 SSL *serverssl = NULL, *clientssl = NULL;
3773 int testresult = 0;
5bf2eade 3774# ifndef OPENSSL_NO_EC
3775 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3776 NID_secp521r1, NID_X25519, NID_X448};
3777# endif
3778# ifndef OPENSSL_NO_DH
8e63900a 3779 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3780 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 3781# endif
fb8c6db4 3782 int kexch_alg;
3783 int *kexch_groups = &kexch_alg;
3784 int kexch_groups_size = 1;
8e63900a 3785 int max_version = TLS1_3_VERSION;
8e63900a 3786
3787 switch (idx) {
5bf2eade 3788# ifndef OPENSSL_NO_EC
db26ec80 3789# ifndef OPENSSL_NO_TLS1_2
5bf2eade 3790 case 12:
fb8c6db4 3791 max_version = TLS1_2_VERSION;
db26ec80 3792# endif
fb8c6db4 3793 /* Fall through */
3794 case 0:
3795 kexch_groups = ecdhe_kexch_groups;
3796 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3797 break;
5bf2eade 3798 case 1:
fb8c6db4 3799 kexch_alg = NID_X9_62_prime256v1;
3800 break;
5bf2eade 3801 case 2:
fb8c6db4 3802 kexch_alg = NID_secp384r1;
3803 break;
5bf2eade 3804 case 3:
fb8c6db4 3805 kexch_alg = NID_secp521r1;
3806 break;
5bf2eade 3807 case 4:
fb8c6db4 3808 kexch_alg = NID_X25519;
3809 break;
5bf2eade 3810 case 5:
fb8c6db4 3811 kexch_alg = NID_X448;
3812 break;
5bf2eade 3813# endif
3814# ifndef OPENSSL_NO_DH
db26ec80 3815# ifndef OPENSSL_NO_TLS1_2
5bf2eade 3816 case 13:
dbc6268f 3817 max_version = TLS1_2_VERSION;
db26ec80 3818# endif
dbc6268f 3819 /* Fall through */
5bf2eade 3820 case 6:
8e63900a 3821 kexch_groups = ffdhe_kexch_groups;
3822 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3823 break;
5bf2eade 3824 case 7:
fb8c6db4 3825 kexch_alg = NID_ffdhe2048;
3826 break;
5bf2eade 3827 case 8:
fb8c6db4 3828 kexch_alg = NID_ffdhe3072;
3829 break;
5bf2eade 3830 case 9:
fb8c6db4 3831 kexch_alg = NID_ffdhe4096;
3832 break;
5bf2eade 3833 case 10:
fb8c6db4 3834 kexch_alg = NID_ffdhe6144;
3835 break;
5bf2eade 3836 case 11:
fb8c6db4 3837 kexch_alg = NID_ffdhe8192;
8e63900a 3838 break;
5bf2eade 3839# endif
6597d62b
MC		 3840 default:
3841 /* We're skipping this test */
3842 return 1;
8e63900a 3843 }
3844
3845 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3846 TLS1_VERSION, max_version,
3847 &sctx, &cctx, cert, privkey)))
3848 goto end;
3849
5bf2eade 3850 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3851 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 3852 goto end;
3853
5bf2eade 3854 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3855 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 3856 goto end;
3857
5bf2eade 3858 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3859 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 3860 goto end;
3861
dbc6268f
MC		 3862 /*
3863 * Must include an EC ciphersuite so that we send supported groups in
3864 * TLSv1.2
3865 */
5bf2eade 3866# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 3867 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3868 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3869 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 3870 goto end;
5bf2eade 3871# endif
8e63900a 3872
3873 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3874 NULL, NULL)))
3875 goto end;
3876
3877 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3878 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3879 goto end;
3880
5bf2eade 3881 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 3882 goto end;
8e63900a 3883
dbc6268f 3884 /*
5bf2eade 3885 * If Handshake succeeds the negotiated kexch alg should be the first one in
3886 * configured, except in the case of FFDHE groups (idx 13), which are
3887 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 3888 */
3889 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 3890 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 3891 goto end;
fb8c6db4 3892 if (max_version == TLS1_3_VERSION) {
3893 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
3894 goto end;
3895 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
3896 goto end;
3897 }
8e63900a 3898
3899 testresult = 1;
3900 end:
3901 SSL_free(serverssl);
3902 SSL_free(clientssl);
3903 SSL_CTX_free(sctx);
3904 SSL_CTX_free(cctx);
3905 return testresult;
3906}
3907
5bf2eade 3908/*
3909 * Test TLSv1.3 Cipher Suite
3910 * Test 0 = Set TLS1.3 cipher on context
3911 * Test 1 = Set TLS1.3 cipher on SSL
3912 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
3913 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
3914 */
3915static int test_tls13_ciphersuite(int idx)
3916{
3917 SSL_CTX *sctx = NULL, *cctx = NULL;
3918 SSL *serverssl = NULL, *clientssl = NULL;
3919 static const char *t13_ciphers[] = {
3920 TLS1_3_RFC_AES_128_GCM_SHA256,
3921 TLS1_3_RFC_AES_256_GCM_SHA384,
3922 TLS1_3_RFC_AES_128_CCM_SHA256,
3923# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3924 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3925 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3926# endif
3927 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
3928 };
3929 const char *t13_cipher = NULL;
3930 const char *t12_cipher = NULL;
3931 const char *negotiated_scipher;
3932 const char *negotiated_ccipher;
3933 int set_at_ctx = 0;
3934 int set_at_ssl = 0;
3935 int testresult = 0;
3936 int max_ver;
3937 size_t i;
3938
3939 switch (idx) {
3940 case 0:
3941 set_at_ctx = 1;
3942 break;
3943 case 1:
3944 set_at_ssl = 1;
3945 break;
3946 case 2:
3947 set_at_ctx = 1;
2d900758 3948 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 3949 break;
3950 case 3:
3951 set_at_ssl = 1;
2d900758 3952 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 3953 break;
3954 }
3955
3956 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
3957# ifdef OPENSSL_NO_TLS1_2
3958 if (max_ver == TLS1_2_VERSION)
3959 continue;
3960# endif
3961 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
3962 t13_cipher = t13_ciphers[i];
3963 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3964 TLS_client_method(),
3965 TLS1_VERSION, max_ver,
3966 &sctx, &cctx, cert, privkey)))
3967 goto end;
3968
3969 if (set_at_ctx) {
3970 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
3971 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
3972 goto end;
3973 if (t12_cipher != NULL) {
3974 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
3975 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
3976 t12_cipher)))
3977 goto end;
3978 }
3979 }
3980
3981 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3982 &clientssl, NULL, NULL)))
3983 goto end;
3984
3985 if (set_at_ssl) {
3986 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
3987 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
3988 goto end;
3989 if (t12_cipher != NULL) {
3990 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
3991 || !TEST_true(SSL_set_cipher_list(clientssl,
3992 t12_cipher)))
3993 goto end;
3994 }
3995 }
3996
3997 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3998 SSL_ERROR_NONE)))
3999 goto end;
4000
4001 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4002 serverssl));
4003 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4004 clientssl));
4005 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4006 goto end;
4007
4008 /*
4009 * TEST_strn_eq is used below because t13_cipher can contain
4010 * multiple ciphersuites
4011 */
4012 if (max_ver == TLS1_3_VERSION
4013 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4014 strlen(negotiated_scipher)))
4015 goto end;
4016
4017# ifndef OPENSSL_NO_TLS1_2
4018 /* Below validation is not done when t12_cipher is NULL */
4019 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4020 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4021 goto end;
4022# endif
4023
4024 SSL_free(serverssl);
4025 serverssl = NULL;
4026 SSL_free(clientssl);
4027 clientssl = NULL;
4028 SSL_CTX_free(sctx);
4029 sctx = NULL;
4030 SSL_CTX_free(cctx);
4031 cctx = NULL;
4032 }
4033 }
4034
4035 testresult = 1;
4036 end:
4037 SSL_free(serverssl);
4038 SSL_free(clientssl);
4039 SSL_CTX_free(sctx);
4040 SSL_CTX_free(cctx);
4041 return testresult;
4042}
4043
0d8da779
MC		 4044/*
4045 * Test TLSv1.3 PSKs
4046 * Test 0 = Test new style callbacks
4047 * Test 1 = Test both new and old style callbacks
4048 * Test 2 = Test old style callbacks
4049 * Test 3 = Test old style callbacks with no certificate
4050 */
532f9578 4051static int test_tls13_psk(int idx)
ca8c71ba
MC		 4052{
4053 SSL_CTX *sctx = NULL, *cctx = NULL;
4054 SSL *serverssl = NULL, *clientssl = NULL;
4055 const SSL_CIPHER *cipher = NULL;
4056 const unsigned char key[] = {
4057 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4058 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4059 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4060 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4061 };
4062 int testresult = 0;
4063
7d7f6834 4064 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4065 TLS1_VERSION, 0,
0d8da779
MC		 4066 &sctx, &cctx, idx == 3 ? NULL : cert,
4067 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4068 goto end;
4069
0d8da779
MC		 4070 if (idx != 3) {
4071 /*
4072 * We use a ciphersuite with SHA256 to ease testing old style PSK
4073 * callbacks which will always default to SHA256. This should not be
4074 * necessary if we have no cert/priv key. In that case the server should
4075 * prefer SHA256 automatically.
4076 */
4077 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4078 "TLS_AES_128_GCM_SHA256")))
4079 goto end;
4080 }
532f9578
MC		 4081
4082 /*
4083 * Test 0: New style callbacks only
4084 * Test 1: New and old style callbacks (only the new ones should be used)
4085 * Test 2: Old style callbacks only
4086 */
4087 if (idx == 0 || idx == 1) {
4088 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4089 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4090 }
c2b290c3 4091#ifndef OPENSSL_NO_PSK
0d8da779 4092 if (idx >= 1) {
532f9578
MC		 4093 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4094 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4095 }
c2b290c3 4096#endif
ca8c71ba 4097 srvid = pskid;
02a3ed5a
MC		 4098 use_session_cb_cnt = 0;
4099 find_session_cb_cnt = 0;
532f9578
MC		 4100 psk_client_cb_cnt = 0;
4101 psk_server_cb_cnt = 0;
ca8c71ba 4102
0d8da779
MC		 4103 if (idx != 3) {
4104 /*
4105 * Check we can create a connection if callback decides not to send a
4106 * PSK
4107 */
4108 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4109 NULL, NULL))
4110 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4111 SSL_ERROR_NONE))
4112 || !TEST_false(SSL_session_reused(clientssl))
4113 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4114 goto end;
532f9578 4115
0d8da779
MC		 4116 if (idx == 0 || idx == 1) {
4117 if (!TEST_true(use_session_cb_cnt == 1)
4118 || !TEST_true(find_session_cb_cnt == 0)
4119 /*
4120 * If no old style callback then below should be 0
4121 * otherwise 1
4122 */
4123 || !TEST_true(psk_client_cb_cnt == idx)
4124 || !TEST_true(psk_server_cb_cnt == 0))
4125 goto end;
4126 } else {
4127 if (!TEST_true(use_session_cb_cnt == 0)
4128 || !TEST_true(find_session_cb_cnt == 0)
4129 || !TEST_true(psk_client_cb_cnt == 1)
4130 || !TEST_true(psk_server_cb_cnt == 0))
4131 goto end;
4132 }
4133
4134 shutdown_ssl_connection(serverssl, clientssl);
4135 serverssl = clientssl = NULL;
4136 use_session_cb_cnt = psk_client_cb_cnt = 0;
4137 }
ca8c71ba
MC		 4138
4139 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4140 NULL, NULL)))
4141 goto end;
4142
4143 /* Create the PSK */
532f9578 4144 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4145 clientpsk = SSL_SESSION_new();
4146 if (!TEST_ptr(clientpsk)
ca8c71ba 4147 || !TEST_ptr(cipher)
57dee9bb
MC		 4148 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4149 sizeof(key)))
4150 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4151 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4152 TLS1_3_VERSION))
4153 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4154 goto end;
57dee9bb 4155 serverpsk = clientpsk;
ca8c71ba
MC		 4156
4157 /* Check we can create a connection and the PSK is used */
4158 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4159 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4160 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4161 goto end;
4162
532f9578
MC		 4163 if (idx == 0 || idx == 1) {
4164 if (!TEST_true(use_session_cb_cnt == 1)
4165 || !TEST_true(find_session_cb_cnt == 1)
4166 || !TEST_true(psk_client_cb_cnt == 0)
4167 || !TEST_true(psk_server_cb_cnt == 0))
4168 goto end;
4169 } else {
4170 if (!TEST_true(use_session_cb_cnt == 0)
4171 || !TEST_true(find_session_cb_cnt == 0)
4172 || !TEST_true(psk_client_cb_cnt == 1)
4173 || !TEST_true(psk_server_cb_cnt == 1))
4174 goto end;
4175 }
4176
ca8c71ba
MC		 4177 shutdown_ssl_connection(serverssl, clientssl);
4178 serverssl = clientssl = NULL;
4179 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4180 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4181
4182 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4183 NULL, NULL)))
4184 goto end;
4185
4186 /* Force an HRR */
dbc6268f
MC		 4187#if defined(OPENSSL_NO_EC)
4188 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4189 goto end;
4190#else
ca8c71ba
MC		 4191 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4192 goto end;
dbc6268f 4193#endif
ca8c71ba
MC		 4194
4195 /*
4196 * Check we can create a connection, the PSK is used and the callbacks are
4197 * called twice.
4198 */
4199 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4200 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4201 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4202 goto end;
4203
532f9578
MC		 4204 if (idx == 0 || idx == 1) {
4205 if (!TEST_true(use_session_cb_cnt == 2)
4206 || !TEST_true(find_session_cb_cnt == 2)
4207 || !TEST_true(psk_client_cb_cnt == 0)
4208 || !TEST_true(psk_server_cb_cnt == 0))
4209 goto end;
4210 } else {
4211 if (!TEST_true(use_session_cb_cnt == 0)
4212 || !TEST_true(find_session_cb_cnt == 0)
4213 || !TEST_true(psk_client_cb_cnt == 2)
4214 || !TEST_true(psk_server_cb_cnt == 2))
4215 goto end;
4216 }
4217
ca8c71ba
MC		 4218 shutdown_ssl_connection(serverssl, clientssl);
4219 serverssl = clientssl = NULL;
4220 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4221 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4222
0d8da779
MC		 4223 if (idx != 3) {
4224 /*
4225 * Check that if the server rejects the PSK we can still connect, but with
4226 * a full handshake
4227 */
4228 srvid = "Dummy Identity";
4229 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4230 NULL, NULL))
4231 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4232 SSL_ERROR_NONE))
4233 || !TEST_false(SSL_session_reused(clientssl))
4234 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4235 goto end;
532f9578 4236
0d8da779
MC		 4237 if (idx == 0 || idx == 1) {
4238 if (!TEST_true(use_session_cb_cnt == 1)
4239 || !TEST_true(find_session_cb_cnt == 1)
4240 || !TEST_true(psk_client_cb_cnt == 0)
4241 /*
4242 * If no old style callback then below should be 0
4243 * otherwise 1
4244 */
4245 || !TEST_true(psk_server_cb_cnt == idx))
4246 goto end;
4247 } else {
4248 if (!TEST_true(use_session_cb_cnt == 0)
4249 || !TEST_true(find_session_cb_cnt == 0)
4250 || !TEST_true(psk_client_cb_cnt == 1)
4251 || !TEST_true(psk_server_cb_cnt == 1))
4252 goto end;
4253 }
4254
4255 shutdown_ssl_connection(serverssl, clientssl);
4256 serverssl = clientssl = NULL;
4257 }
ca8c71ba
MC		 4258 testresult = 1;
4259
4260 end:
57dee9bb
MC		 4261 SSL_SESSION_free(clientpsk);
4262 SSL_SESSION_free(serverpsk);
4263 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4264 SSL_free(serverssl);
4265 SSL_free(clientssl);
4266 SSL_CTX_free(sctx);
4267 SSL_CTX_free(cctx);
4268 return testresult;
4269}
4270
c7b8ff25
MC		 4271static unsigned char cookie_magic_value[] = "cookie magic";
4272
4273static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4274 unsigned int *cookie_len)
4275{
4276 /*
4277 * Not suitable as a real cookie generation function but good enough for
4278 * testing!
4279 */
97ea1e7f
MC		 4280 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4281 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 4282
4283 return 1;
4284}
4285
4286static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4287 unsigned int cookie_len)
4288{
97ea1e7f 4289 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 4290 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4291 return 1;
4292
4293 return 0;
4294}
4295
3fa2812f
BS		 4296static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4297 size_t *cookie_len)
4298{
4299 unsigned int temp;
4300 int res = generate_cookie_callback(ssl, cookie, &temp);
4301 *cookie_len = temp;
4302 return res;
4303}
4304
4305static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4306 size_t cookie_len)
4307{
4308 return verify_cookie_callback(ssl, cookie, cookie_len);
4309}
4310
c7b8ff25
MC		 4311static int test_stateless(void)
4312{
4313 SSL_CTX *sctx = NULL, *cctx = NULL;
4314 SSL *serverssl = NULL, *clientssl = NULL;
4315 int testresult = 0;
4316
7d7f6834 4317 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4318 TLS1_VERSION, 0,
7d7f6834 4319 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 4320 goto end;
4321
e440f513
MC		 4322 /* The arrival of CCS messages can confuse the test */
4323 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4324
4325 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4326 NULL, NULL))
4327 /* Send the first ClientHello */
4328 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4329 SSL_ERROR_WANT_READ))
4330 /*
4331 * This should fail with a -1 return because we have no callbacks
4332 * set up
4333 */
4334 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4335 goto end;
4336
4337 /* Fatal error so abandon the connection from this client */
4338 SSL_free(clientssl);
4339 clientssl = NULL;
4340
c7b8ff25 4341 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 4342 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4343 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 4344
e440f513
MC		 4345 /*
4346 * Create a new connection from the client (we can reuse the server SSL
4347 * object).
4348 */
c7b8ff25
MC		 4349 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4350 NULL, NULL))
4351 /* Send the first ClientHello */
4352 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4353 SSL_ERROR_WANT_READ))
4354 /* This should fail because there is no cookie */
e440f513 4355 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 4356 goto end;
4357
4358 /* Abandon the connection from this client */
4359 SSL_free(clientssl);
4360 clientssl = NULL;
4361
4362 /*
4363 * Now create a connection from a new client but with the same server SSL
4364 * object
4365 */
4366 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4367 NULL, NULL))
4368 /* Send the first ClientHello */
4369 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4370 SSL_ERROR_WANT_READ))
4371 /* This should fail because there is no cookie */
e440f513 4372 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 4373 /* Send the second ClientHello */
4374 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4375 SSL_ERROR_WANT_READ))
4376 /* This should succeed because a cookie is now present */
e440f513 4377 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 4378 /* Complete the connection */
4379 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4380 SSL_ERROR_NONE)))
4381 goto end;
4382
4383 shutdown_ssl_connection(serverssl, clientssl);
4384 serverssl = clientssl = NULL;
4385 testresult = 1;
4386
4387 end:
4388 SSL_free(serverssl);
4389 SSL_free(clientssl);
4390 SSL_CTX_free(sctx);
4391 SSL_CTX_free(cctx);
4392 return testresult;
4393
4394}
ca0413ae 4395#endif /* OPENSSL_NO_TLS1_3 */
5f982038 4396
a37008d9
MC		 4397static int clntaddoldcb = 0;
4398static int clntparseoldcb = 0;
4399static int srvaddoldcb = 0;
4400static int srvparseoldcb = 0;
4401static int clntaddnewcb = 0;
4402static int clntparsenewcb = 0;
4403static int srvaddnewcb = 0;
4404static int srvparsenewcb = 0;
bb01ef3f 4405static int snicb = 0;
a37008d9
MC		 4406
4407#define TEST_EXT_TYPE1 0xff00
4408
4409static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4410 size_t *outlen, int *al, void *add_arg)
4411{
4412 int *server = (int *)add_arg;
4413 unsigned char *data;
4414
4415 if (SSL_is_server(s))
4416 srvaddoldcb++;
4417 else
4418 clntaddoldcb++;
4419
710756a9
RS		 4420 if (*server != SSL_is_server(s)
4421 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4422 return -1;
4423
4424 *data = 1;
4425 *out = data;
4426 *outlen = sizeof(char);
a37008d9
MC		 4427 return 1;
4428}
4429
4430static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4431 void *add_arg)
4432{
4433 OPENSSL_free((unsigned char *)out);
4434}
4435
4436static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4437 size_t inlen, int *al, void *parse_arg)
4438{
4439 int *server = (int *)parse_arg;
4440
4441 if (SSL_is_server(s))
4442 srvparseoldcb++;
4443 else
4444 clntparseoldcb++;
4445
710756a9
RS		 4446 if (*server != SSL_is_server(s)
4447 || inlen != sizeof(char)
4448 || *in != 1)
a37008d9
MC		 4449 return -1;
4450
4451 return 1;
4452}
4453
4454static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4455 const unsigned char **out, size_t *outlen, X509 *x,
4456 size_t chainidx, int *al, void *add_arg)
4457{
4458 int *server = (int *)add_arg;
4459 unsigned char *data;
4460
4461 if (SSL_is_server(s))
4462 srvaddnewcb++;
4463 else
4464 clntaddnewcb++;
4465
710756a9
RS		 4466 if (*server != SSL_is_server(s)
4467 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4468 return -1;
4469
4470 *data = 1;
4471 *out = data;
710756a9 4472 *outlen = sizeof(*data);
a37008d9
MC		 4473 return 1;
4474}
4475
4476static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4477 const unsigned char *out, void *add_arg)
4478{
4479 OPENSSL_free((unsigned char *)out);
4480}
4481
4482static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4483 const unsigned char *in, size_t inlen, X509 *x,
4484 size_t chainidx, int *al, void *parse_arg)
4485{
4486 int *server = (int *)parse_arg;
4487
4488 if (SSL_is_server(s))
4489 srvparsenewcb++;
4490 else
4491 clntparsenewcb++;
4492
710756a9
RS		 4493 if (*server != SSL_is_server(s)
4494 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 4495 return -1;
4496
4497 return 1;
4498}
bb01ef3f
MC		 4499
4500static int sni_cb(SSL *s, int *al, void *arg)
4501{
4502 SSL_CTX *ctx = (SSL_CTX *)arg;
4503
4504 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4505 *al = SSL_AD_INTERNAL_ERROR;
4506 return SSL_TLSEXT_ERR_ALERT_FATAL;
4507 }
4508 snicb++;
4509 return SSL_TLSEXT_ERR_OK;
4510}
4511
a37008d9
MC		 4512/*
4513 * Custom call back tests.
4514 * Test 0: Old style callbacks in TLSv1.2
4515 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 4516 * Test 2: New style callbacks in TLSv1.2 with SNI
4517 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4518 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 4519 */
710756a9
RS		 4520static int test_custom_exts(int tst)
4521{
bb01ef3f 4522 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 4523 SSL *clientssl = NULL, *serverssl = NULL;
4524 int testresult = 0;
4525 static int server = 1;
4526 static int client = 0;
4527 SSL_SESSION *sess = NULL;
4528 unsigned int context;
4529
c423ecaa
MC		 4530#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4531 /* Skip tests for TLSv1.2 and below in this case */
4532 if (tst < 3)
4533 return 1;
4534#endif
4535
a37008d9
MC		 4536 /* Reset callback counters */
4537 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4538 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 4539 snicb = 0;
a37008d9 4540
7d7f6834 4541 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4542 TLS1_VERSION, 0,
7d7f6834 4543 &sctx, &cctx, cert, privkey)))
710756a9 4544 goto end;
a37008d9 4545
bb01ef3f 4546 if (tst == 2
7d7f6834 4547 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
5c587fb6 4548 TLS1_VERSION, 0,
7d7f6834 4549 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 4550 goto end;
4551
4552
4553 if (tst < 3) {
a37008d9
MC		 4554 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4555 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 4556 if (sctx2 != NULL)
4557 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 4558 }
4559
bb01ef3f 4560 if (tst == 4) {
710756a9
RS		 4561 context = SSL_EXT_CLIENT_HELLO
4562 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 4563 | SSL_EXT_TLS1_3_SERVER_HELLO
4564 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4565 | SSL_EXT_TLS1_3_CERTIFICATE
4566 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4567 } else {
710756a9
RS		 4568 context = SSL_EXT_CLIENT_HELLO
4569 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 4570 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4571 }
4572
4573 /* Create a client side custom extension */
4574 if (tst == 0) {
710756a9
RS		 4575 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4576 old_add_cb, old_free_cb,
4577 &client, old_parse_cb,
4578 &client)))
4579 goto end;
a37008d9 4580 } else {
710756a9
RS		 4581 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4582 new_add_cb, new_free_cb,
4583 &client, new_parse_cb, &client)))
4584 goto end;
a37008d9
MC		 4585 }
4586
4587 /* Should not be able to add duplicates */
710756a9
RS		 4588 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4589 old_add_cb, old_free_cb,
4590 &client, old_parse_cb,
4591 &client))
4592 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4593 context, new_add_cb,
4594 new_free_cb, &client,
4595 new_parse_cb, &client)))
4596 goto end;
a37008d9
MC		 4597
4598 /* Create a server side custom extension */
4599 if (tst == 0) {
710756a9
RS		 4600 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4601 old_add_cb, old_free_cb,
4602 &server, old_parse_cb,
4603 &server)))
4604 goto end;
a37008d9 4605 } else {
710756a9
RS		 4606 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4607 new_add_cb, new_free_cb,
4608 &server, new_parse_cb, &server)))
4609 goto end;
bb01ef3f
MC		 4610 if (sctx2 != NULL
4611 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4612 context, new_add_cb,
4613 new_free_cb, &server,
4614 new_parse_cb, &server)))
4615 goto end;
a37008d9
MC		 4616 }
4617
4618 /* Should not be able to add duplicates */
710756a9
RS		 4619 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4620 old_add_cb, old_free_cb,
4621 &server, old_parse_cb,
4622 &server))
4623 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4624 context, new_add_cb,
4625 new_free_cb, &server,
4626 new_parse_cb, &server)))
a37008d9 4627 goto end;
a37008d9 4628
bb01ef3f
MC		 4629 if (tst == 2) {
4630 /* Set up SNI */
4631 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4632 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4633 goto end;
4634 }
4635
710756a9
RS		 4636 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4637 &clientssl, NULL, NULL))
4638 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4639 SSL_ERROR_NONE)))
a37008d9 4640 goto end;
a37008d9
MC		 4641
4642 if (tst == 0) {
710756a9
RS		 4643 if (clntaddoldcb != 1
4644 || clntparseoldcb != 1
4645 || srvaddoldcb != 1
4646 || srvparseoldcb != 1)
a37008d9 4647 goto end;
bb01ef3f 4648 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4649 if (clntaddnewcb != 1
4650 || clntparsenewcb != 1
4651 || srvaddnewcb != 1
bb01ef3f
MC		 4652 || srvparsenewcb != 1
4653 || (tst != 2 && snicb != 0)
4654 || (tst == 2 && snicb != 1))
a37008d9 4655 goto end;
a37008d9 4656 } else {
36ff232c 4657 /* In this case there 2 NewSessionTicket messages created */
710756a9 4658 if (clntaddnewcb != 1
36ff232c
MC		 4659 || clntparsenewcb != 5
4660 || srvaddnewcb != 5
710756a9 4661 || srvparsenewcb != 1)
a37008d9 4662 goto end;
a37008d9
MC		 4663 }
4664
4665 sess = SSL_get1_session(clientssl);
a37008d9
MC		 4666 SSL_shutdown(clientssl);
4667 SSL_shutdown(serverssl);
a37008d9
MC		 4668 SSL_free(serverssl);
4669 SSL_free(clientssl);
4670 serverssl = clientssl = NULL;
4671
bb01ef3f
MC		 4672 if (tst == 3) {
4673 /* We don't bother with the resumption aspects for this test */
4674 testresult = 1;
4675 goto end;
4676 }
4677
710756a9
RS		 4678 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4679 NULL, NULL))
4680 || !TEST_true(SSL_set_session(clientssl, sess))
4681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4682 SSL_ERROR_NONE)))
a37008d9 4683 goto end;
a37008d9
MC		 4684
4685 /*
4686 * For a resumed session we expect to add the ClientHello extension. For the
4687 * old style callbacks we ignore it on the server side because they set
4688 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4689 * them.
4690 */
4691 if (tst == 0) {
710756a9
RS		 4692 if (clntaddoldcb != 2
4693 || clntparseoldcb != 1
4694 || srvaddoldcb != 1
4695 || srvparseoldcb != 1)
a37008d9 4696 goto end;
bb01ef3f 4697 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4698 if (clntaddnewcb != 2
4699 || clntparsenewcb != 2
4700 || srvaddnewcb != 2
4701 || srvparsenewcb != 2)
a37008d9 4702 goto end;
a37008d9 4703 } else {
36ff232c
MC		 4704 /*
4705 * No Certificate message extensions in the resumption handshake,
4706 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4707 */
710756a9 4708 if (clntaddnewcb != 2
36ff232c
MC		 4709 || clntparsenewcb != 8
4710 || srvaddnewcb != 8
710756a9 4711 || srvparsenewcb != 2)
a37008d9 4712 goto end;
a37008d9
MC		 4713 }
4714
4715 testresult = 1;
4716
4717end:
4718 SSL_SESSION_free(sess);
4719 SSL_free(serverssl);
4720 SSL_free(clientssl);
bb01ef3f 4721 SSL_CTX_free(sctx2);
a37008d9
MC		 4722 SSL_CTX_free(sctx);
4723 SSL_CTX_free(cctx);
a37008d9
MC		 4724 return testresult;
4725}
4726
16afd71c
MC		 4727/*
4728 * Test loading of serverinfo data in various formats. test_sslmessages actually
4729 * tests to make sure the extensions appear in the handshake
4730 */
4731static int test_serverinfo(int tst)
4732{
4733 unsigned int version;
4734 unsigned char *sibuf;
4735 size_t sibuflen;
4736 int ret, expected, testresult = 0;
4737 SSL_CTX *ctx;
4738
4739 ctx = SSL_CTX_new(TLS_method());
4740 if (!TEST_ptr(ctx))
4741 goto end;
4742
4743 if ((tst & 0x01) == 0x01)
4744 version = SSL_SERVERINFOV2;
4745 else
4746 version = SSL_SERVERINFOV1;
4747
4748 if ((tst & 0x02) == 0x02) {
4749 sibuf = serverinfov2;
4750 sibuflen = sizeof(serverinfov2);
4751 expected = (version == SSL_SERVERINFOV2);
4752 } else {
4753 sibuf = serverinfov1;
4754 sibuflen = sizeof(serverinfov1);
4755 expected = (version == SSL_SERVERINFOV1);
4756 }
4757
4758 if ((tst & 0x04) == 0x04) {
4759 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4760 } else {
4761 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4762
4763 /*
4764 * The version variable is irrelevant in this case - it's what is in the
4765 * buffer that matters
4766 */
4767 if ((tst & 0x02) == 0x02)
4768 expected = 0;
4769 else
4770 expected = 1;
4771 }
4772
4773 if (!TEST_true(ret == expected))
4774 goto end;
4775
4776 testresult = 1;
4777
4778 end:
4779 SSL_CTX_free(ctx);
4780
4781 return testresult;
4782}
4783
2197d1df
MC		 4784/*
4785 * Test that SSL_export_keying_material() produces expected results. There are
4786 * no test vectors so all we do is test that both sides of the communication
4787 * produce the same results for different protocol versions.
4788 */
0fb2815b
MC		 4789#define SMALL_LABEL_LEN 10
4790#define LONG_LABEL_LEN 249
2197d1df
MC		 4791static int test_export_key_mat(int tst)
4792{
a599574b 4793 int testresult = 0;
2197d1df
MC		 4794 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4795 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 4796 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 4797 const unsigned char context[] = "context";
4798 const unsigned char *emptycontext = NULL;
4799 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4800 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 4801 size_t labellen;
a599574b
MC		 4802 const int protocols[] = {
4803 TLS1_VERSION,
4804 TLS1_1_VERSION,
4805 TLS1_2_VERSION,
0fb2815b
MC		 4806 TLS1_3_VERSION,
4807 TLS1_3_VERSION,
a599574b
MC		 4808 TLS1_3_VERSION
4809 };
2197d1df
MC		 4810
4811#ifdef OPENSSL_NO_TLS1
4812 if (tst == 0)
4813 return 1;
4814#endif
4815#ifdef OPENSSL_NO_TLS1_1
4816 if (tst == 1)
4817 return 1;
4818#endif
4819#ifdef OPENSSL_NO_TLS1_2
4820 if (tst == 2)
4821 return 1;
4822#endif
4823#ifdef OPENSSL_NO_TLS1_3
0fb2815b 4824 if (tst >= 3)
2197d1df
MC		 4825 return 1;
4826#endif
7d7f6834 4827 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4828 TLS1_VERSION, 0,
7d7f6834 4829 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 4830 goto end;
4831
a599574b
MC		 4832 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4833 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4834 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 4835
4836 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4837 NULL))
4838 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4839 SSL_ERROR_NONE)))
4840 goto end;
4841
0fb2815b
MC		 4842 if (tst == 5) {
4843 /*
4844 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4845 * go over that.
4846 */
4847 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4848 sizeof(ckeymat1), label,
4849 LONG_LABEL_LEN + 1, context,
4850 sizeof(context) - 1, 1), 0))
4851 goto end;
4852
4853 testresult = 1;
4854 goto end;
4855 } else if (tst == 4) {
4856 labellen = LONG_LABEL_LEN;
4857 } else {
4858 labellen = SMALL_LABEL_LEN;
4859 }
4860
2197d1df
MC		 4861 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4862 sizeof(ckeymat1), label,
0fb2815b 4863 labellen, context,
2197d1df
MC		 4864 sizeof(context) - 1, 1), 1)
4865 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4866 sizeof(ckeymat2), label,
0fb2815b 4867 labellen,
2197d1df
MC		 4868 emptycontext,
4869 0, 1), 1)
4870 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4871 sizeof(ckeymat3), label,
0fb2815b 4872 labellen,
2197d1df
MC		 4873 NULL, 0, 0), 1)
4874 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4875 sizeof(skeymat1), label,
0fb2815b 4876 labellen,
2197d1df
MC		 4877 context,
4878 sizeof(context) -1, 1),
4879 1)
4880 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4881 sizeof(skeymat2), label,
0fb2815b 4882 labellen,
2197d1df
MC		 4883 emptycontext,
4884 0, 1), 1)
4885 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4886 sizeof(skeymat3), label,
0fb2815b 4887 labellen,
2197d1df
MC		 4888 NULL, 0, 0), 1)
4889 /*
4890 * Check that both sides created the same key material with the
4891 * same context.
4892 */
4893 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4894 sizeof(skeymat1))
4895 /*
4896 * Check that both sides created the same key material with an
4897 * empty context.
4898 */
4899 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4900 sizeof(skeymat2))
4901 /*
4902 * Check that both sides created the same key material without a
4903 * context.
4904 */
4905 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4906 sizeof(skeymat3))
4907 /* Different contexts should produce different results */
4908 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4909 sizeof(ckeymat2)))
4910 goto end;
4911
4912 /*
4913 * Check that an empty context and no context produce different results in
4914 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4915 */
0fb2815b 4916 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 4917 sizeof(ckeymat3)))
0fb2815b
MC		 4918 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4919 sizeof(ckeymat3))))
2197d1df
MC		 4920 goto end;
4921
4922 testresult = 1;
4923
4924 end:
4925 SSL_free(serverssl);
4926 SSL_free(clientssl);
4927 SSL_CTX_free(sctx2);
4928 SSL_CTX_free(sctx);
4929 SSL_CTX_free(cctx);
4930
4931 return testresult;
4932}
4933
b38ede80
TT		 4934#ifndef OPENSSL_NO_TLS1_3
4935/*
4936 * Test that SSL_export_keying_material_early() produces expected
4937 * results. There are no test vectors so all we do is test that both
4938 * sides of the communication produce the same results for different
4939 * protocol versions.
4940 */
4941static int test_export_key_mat_early(int idx)
4942{
4943 static const char label[] = "test label";
4944 static const unsigned char context[] = "context";
4945 int testresult = 0;
4946 SSL_CTX *cctx = NULL, *sctx = NULL;
4947 SSL *clientssl = NULL, *serverssl = NULL;
4948 SSL_SESSION *sess = NULL;
4949 const unsigned char *emptycontext = NULL;
4950 unsigned char ckeymat1[80], ckeymat2[80];
4951 unsigned char skeymat1[80], skeymat2[80];
4952 unsigned char buf[1];
4953 size_t readbytes, written;
4954
4955 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4956 &sess, idx)))
4957 goto end;
4958
4959 /* Here writing 0 length early data is enough. */
4960 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4961 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4962 &readbytes),
4963 SSL_READ_EARLY_DATA_ERROR)
4964 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4965 SSL_EARLY_DATA_ACCEPTED))
4966 goto end;
4967
4968 if (!TEST_int_eq(SSL_export_keying_material_early(
4969 clientssl, ckeymat1, sizeof(ckeymat1), label,
4970 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4971 || !TEST_int_eq(SSL_export_keying_material_early(
4972 clientssl, ckeymat2, sizeof(ckeymat2), label,
4973 sizeof(label) - 1, emptycontext, 0), 1)
4974 || !TEST_int_eq(SSL_export_keying_material_early(
4975 serverssl, skeymat1, sizeof(skeymat1), label,
4976 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4977 || !TEST_int_eq(SSL_export_keying_material_early(
4978 serverssl, skeymat2, sizeof(skeymat2), label,
4979 sizeof(label) - 1, emptycontext, 0), 1)
4980 /*
4981 * Check that both sides created the same key material with the
4982 * same context.
4983 */
4984 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4985 sizeof(skeymat1))
4986 /*
4987 * Check that both sides created the same key material with an
4988 * empty context.
4989 */
4990 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4991 sizeof(skeymat2))
4992 /* Different contexts should produce different results */
4993 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4994 sizeof(ckeymat2)))
4995 goto end;
4996
4997 testresult = 1;
4998
4999 end:
c20e3b28 5000 SSL_SESSION_free(sess);
b38ede80
TT		 5001 SSL_SESSION_free(clientpsk);
5002 SSL_SESSION_free(serverpsk);
34ff74eb 5003 clientpsk = serverpsk = NULL;
b38ede80
TT		 5004 SSL_free(serverssl);
5005 SSL_free(clientssl);
5006 SSL_CTX_free(sctx);
5007 SSL_CTX_free(cctx);
5008
5009 return testresult;
5010}
3409a5ff
MC		 5011
5012#define NUM_KEY_UPDATE_MESSAGES 40
5013/*
5014 * Test KeyUpdate.
5015 */
5016static int test_key_update(void)
5017{
5018 SSL_CTX *cctx = NULL, *sctx = NULL;
5019 SSL *clientssl = NULL, *serverssl = NULL;
5020 int testresult = 0, i, j;
5021 char buf[20];
5022 static char *mess = "A test message";
5023
5024 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5025 TLS_client_method(),
5026 TLS1_3_VERSION,
5027 0,
5028 &sctx, &cctx, cert, privkey))
5029 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5030 NULL, NULL))
5031 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5032 SSL_ERROR_NONE)))
5033 goto end;
5034
5035 for (j = 0; j < 2; j++) {
5036 /* Send lots of KeyUpdate messages */
5037 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5038 if (!TEST_true(SSL_key_update(clientssl,
5039 (j == 0)
5040 ? SSL_KEY_UPDATE_NOT_REQUESTED
5041 : SSL_KEY_UPDATE_REQUESTED))
5042 || !TEST_true(SSL_do_handshake(clientssl)))
5043 goto end;
5044 }
5045
5046 /* Check that sending and receiving app data is ok */
5047 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5048 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5049 strlen(mess)))
5050 goto end;
a77b4dba
MC		 5051
5052 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5053 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5054 strlen(mess)))
5055 goto end;
3409a5ff
MC		 5056 }
5057
5058 testresult = 1;
5059
5060 end:
5061 SSL_free(serverssl);
5062 SSL_free(clientssl);
5063 SSL_CTX_free(sctx);
5064 SSL_CTX_free(cctx);
5065
5066 return testresult;
5067}
a77b4dba
MC		 5068
5069/*
5070 * Test we can handle a KeyUpdate (update requested) message while write data
5071 * is pending.
5072 * Test 0: Client sends KeyUpdate while Server is writing
5073 * Test 1: Server sends KeyUpdate while Client is writing
5074 */
5075static int test_key_update_in_write(int tst)
5076{
5077 SSL_CTX *cctx = NULL, *sctx = NULL;
5078 SSL *clientssl = NULL, *serverssl = NULL;
5079 int testresult = 0;
5080 char buf[20];
5081 static char *mess = "A test message";
5082 BIO *bretry = BIO_new(bio_s_always_retry());
5083 BIO *tmp = NULL;
5084 SSL *peerupdate = NULL, *peerwrite = NULL;
5085
5086 if (!TEST_ptr(bretry)
5087 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5088 TLS_client_method(),
5089 TLS1_3_VERSION,
5090 0,
5091 &sctx, &cctx, cert, privkey))
5092 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5093 NULL, NULL))
5094 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5095 SSL_ERROR_NONE)))
5096 goto end;
5097
5098 peerupdate = tst == 0 ? clientssl : serverssl;
5099 peerwrite = tst == 0 ? serverssl : clientssl;
5100
5101 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5102 || !TEST_true(SSL_do_handshake(peerupdate)))
5103 goto end;
5104
5105 /* Swap the writing endpoint's write BIO to force a retry */
5106 tmp = SSL_get_wbio(peerwrite);
5107 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5108 tmp = NULL;
5109 goto end;
5110 }
5111 SSL_set0_wbio(peerwrite, bretry);
5112 bretry = NULL;
5113
5114 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5115 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5116 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5117 goto end;
5118
5119 /* Reinstate the original writing endpoint's write BIO */
5120 SSL_set0_wbio(peerwrite, tmp);
5121 tmp = NULL;
5122
5123 /* Now read some data - we will read the key update */
5124 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5125 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5126 goto end;
5127
5128 /*
5129 * Complete the write we started previously and read it from the other
5130 * endpoint
5131 */
5132 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5133 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5134 goto end;
5135
5136 /* Write more data to ensure we send the KeyUpdate message back */
5137 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5138 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5139 goto end;
5140
5141 testresult = 1;
5142
5143 end:
5144 SSL_free(serverssl);
5145 SSL_free(clientssl);
5146 SSL_CTX_free(sctx);
5147 SSL_CTX_free(cctx);
5148 BIO_free(bretry);
5149 BIO_free(tmp);
5150
5151 return testresult;
5152}
b38ede80
TT		 5153#endif /* OPENSSL_NO_TLS1_3 */
5154
e11b6aa4
MC		 5155static int test_ssl_clear(int idx)
5156{
5157 SSL_CTX *cctx = NULL, *sctx = NULL;
5158 SSL *clientssl = NULL, *serverssl = NULL;
5159 int testresult = 0;
5160
5161#ifdef OPENSSL_NO_TLS1_2
5162 if (idx == 1)
5163 return 1;
5164#endif
5165
5166 /* Create an initial connection */
7d7f6834 5167 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 5168 TLS1_VERSION, 0,
7d7f6834 5169 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5170 || (idx == 1
5171 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5172 TLS1_2_VERSION)))
5173 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5174 &clientssl, NULL, NULL))
5175 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5176 SSL_ERROR_NONE)))
5177 goto end;
5178
5179 SSL_shutdown(clientssl);
5180 SSL_shutdown(serverssl);
5181 SSL_free(serverssl);
5182 serverssl = NULL;
5183
5184 /* Clear clientssl - we're going to reuse the object */
5185 if (!TEST_true(SSL_clear(clientssl)))
5186 goto end;
5187
5188 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5189 NULL, NULL))
5190 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5191 SSL_ERROR_NONE))
5192 || !TEST_true(SSL_session_reused(clientssl)))
5193 goto end;
5194
5195 SSL_shutdown(clientssl);
5196 SSL_shutdown(serverssl);
5197
5198 testresult = 1;
5199
5200 end:
5201 SSL_free(serverssl);
5202 SSL_free(clientssl);
5203 SSL_CTX_free(sctx);
5204 SSL_CTX_free(cctx);
5205
5206 return testresult;
5207}
5208
cf72c757
F		 5209/* Parse CH and retrieve any MFL extension value if present */
5210static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5211{
5212 long len;
5213 unsigned char *data;
72962d02 5214 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5215 unsigned int MFL_code = 0, type = 0;
5216
5217 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5218 goto end;
5219
72962d02
P		 5220 memset(&pkt, 0, sizeof(pkt));
5221 memset(&pkt2, 0, sizeof(pkt2));
5222 memset(&pkt3, 0, sizeof(pkt3));
5223
cf72c757
F		 5224 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5225 /* Skip the record header */
5226 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5227 /* Skip the handshake message header */
5228 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5229 /* Skip client version and random */
5230 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5231 + SSL3_RANDOM_SIZE))
5232 /* Skip session id */
5233 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5234 /* Skip ciphers */
5235 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5236 /* Skip compression */
5237 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5238 /* Extensions len */
5239 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5240 goto end;
5241
5242 /* Loop through all extensions */
5243 while (PACKET_remaining(&pkt2)) {
5244 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5245 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5246 goto end;
5247
5248 if (type == TLSEXT_TYPE_max_fragment_length) {
5249 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5250 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5251 goto end;
5252
5253 *mfl_codemfl_code = MFL_code;
5254 return 1;
5255 }
5256 }
5257
5258 end:
5259 return 0;
5260}
5261
5262/* Maximum-Fragment-Length TLS extension mode to test */
5263static const unsigned char max_fragment_len_test[] = {
5264 TLSEXT_max_fragment_length_512,
5265 TLSEXT_max_fragment_length_1024,
5266 TLSEXT_max_fragment_length_2048,
5267 TLSEXT_max_fragment_length_4096
5268};
5269
5270static int test_max_fragment_len_ext(int idx_tst)
5271{
5272 SSL_CTX *ctx;
5273 SSL *con = NULL;
5274 int testresult = 0, MFL_mode = 0;
5275 BIO *rbio, *wbio;
5276
5277 ctx = SSL_CTX_new(TLS_method());
5278 if (!TEST_ptr(ctx))
5279 goto end;
5280
5281 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5282 ctx, max_fragment_len_test[idx_tst])))
5283 goto end;
5284
5285 con = SSL_new(ctx);
5286 if (!TEST_ptr(con))
5287 goto end;
5288
5289 rbio = BIO_new(BIO_s_mem());
5290 wbio = BIO_new(BIO_s_mem());
5291 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5292 BIO_free(rbio);
5293 BIO_free(wbio);
5294 goto end;
5295 }
5296
5297 SSL_set_bio(con, rbio, wbio);
5298 SSL_set_connect_state(con);
5299
5300 if (!TEST_int_le(SSL_connect(con), 0)) {
5301 /* This shouldn't succeed because we don't have a server! */
5302 goto end;
5303 }
5304
5305 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5306 /* no MFL in client hello */
5307 goto end;
5308 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5309 goto end;
5310
5311 testresult = 1;
5312
5313end:
5314 SSL_free(con);
5315 SSL_CTX_free(ctx);
5316
5317 return testresult;
5318}
5319
9d75dce3
TS		 5320#ifndef OPENSSL_NO_TLS1_3
5321static int test_pha_key_update(void)
5322{
5323 SSL_CTX *cctx = NULL, *sctx = NULL;
5324 SSL *clientssl = NULL, *serverssl = NULL;
5325 int testresult = 0;
5326
7d7f6834 5327 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 5328 TLS1_VERSION, 0,
9d75dce3
TS		 5329 &sctx, &cctx, cert, privkey)))
5330 return 0;
5331
5332 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5333 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5334 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5335 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5336 goto end;
5337
e97be718 5338 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 5339
5340 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5341 NULL, NULL)))
5342 goto end;
5343
9d75dce3
TS		 5344 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5345 SSL_ERROR_NONE)))
5346 goto end;
5347
5348 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5349 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5350 goto end;
5351
5352 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5353 goto end;
5354
5355 /* Start handshake on the server */
5356 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5357 goto end;
5358
5359 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5360 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5361 SSL_ERROR_NONE)))
5362 goto end;
5363
5364 SSL_shutdown(clientssl);
5365 SSL_shutdown(serverssl);
5366
5367 testresult = 1;
5368
5369 end:
5370 SSL_free(serverssl);
5371 SSL_free(clientssl);
5372 SSL_CTX_free(sctx);
5373 SSL_CTX_free(cctx);
5374 return testresult;
5375}
5376#endif
5377
76fd7a1d
MC		 5378#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5379
5380static SRP_VBASE *vbase = NULL;
5381
5382static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5383{
5384 int ret = SSL3_AL_FATAL;
5385 char *username;
5386 SRP_user_pwd *user = NULL;
5387
5388 username = SSL_get_srp_username(s);
5389 if (username == NULL) {
5390 *ad = SSL_AD_INTERNAL_ERROR;
5391 goto err;
5392 }
5393
5394 user = SRP_VBASE_get1_by_user(vbase, username);
5395 if (user == NULL) {
5396 *ad = SSL_AD_INTERNAL_ERROR;
5397 goto err;
5398 }
5399
5400 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5401 user->info) <= 0) {
5402 *ad = SSL_AD_INTERNAL_ERROR;
5403 goto err;
5404 }
5405
5406 ret = 0;
5407
5408 err:
5409 SRP_user_pwd_free(user);
5410 return ret;
5411}
5412
5413static int create_new_vfile(char *userid, char *password, const char *filename)
5414{
5415 char *gNid = NULL;
5416 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5417 TXT_DB *db = NULL;
5418 int ret = 0;
5419 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5420 size_t i;
5421
5422 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5423 goto end;
5424
5425 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5426 &row[DB_srpverifier], NULL, NULL);
5427 if (!TEST_ptr(gNid))
5428 goto end;
5429
5430 /*
5431 * The only way to create an empty TXT_DB is to provide a BIO with no data
5432 * in it!
5433 */
5434 db = TXT_DB_read(dummy, DB_NUMBER);
5435 if (!TEST_ptr(db))
5436 goto end;
5437
5438 out = BIO_new_file(filename, "w");
5439 if (!TEST_ptr(out))
5440 goto end;
5441
5442 row[DB_srpid] = OPENSSL_strdup(userid);
5443 row[DB_srptype] = OPENSSL_strdup("V");
5444 row[DB_srpgN] = OPENSSL_strdup(gNid);
5445
5446 if (!TEST_ptr(row[DB_srpid])
5447 || !TEST_ptr(row[DB_srptype])
5448 || !TEST_ptr(row[DB_srpgN])
5449 || !TEST_true(TXT_DB_insert(db, row)))
5450 goto end;
5451
5452 row = NULL;
5453
5454 if (!TXT_DB_write(out, db))
5455 goto end;
5456
5457 ret = 1;
5458 end:
5459 if (row != NULL) {
5460 for (i = 0; i < DB_NUMBER; i++)
5461 OPENSSL_free(row[i]);
5462 }
5463 OPENSSL_free(row);
5464 BIO_free(dummy);
5465 BIO_free(out);
5466 TXT_DB_free(db);
5467
5468 return ret;
5469}
5470
5471static int create_new_vbase(char *userid, char *password)
5472{
5473 BIGNUM *verifier = NULL, *salt = NULL;
5474 const SRP_gN *lgN = NULL;
5475 SRP_user_pwd *user_pwd = NULL;
5476 int ret = 0;
5477
5478 lgN = SRP_get_default_gN(NULL);
5479 if (!TEST_ptr(lgN))
5480 goto end;
5481
5482 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5483 lgN->N, lgN->g)))
5484 goto end;
5485
5486 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5487 if (!TEST_ptr(user_pwd))
5488 goto end;
5489
5490 user_pwd->N = lgN->N;
5491 user_pwd->g = lgN->g;
5492 user_pwd->id = OPENSSL_strdup(userid);
5493 if (!TEST_ptr(user_pwd->id))
5494 goto end;
5495
5496 user_pwd->v = verifier;
5497 user_pwd->s = salt;
5498 verifier = salt = NULL;
5499
5500 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5501 goto end;
5502 user_pwd = NULL;
5503
5504 ret = 1;
5505end:
5506 SRP_user_pwd_free(user_pwd);
5507 BN_free(salt);
5508 BN_free(verifier);
5509
5510 return ret;
5511}
5512
5513/*
5514 * SRP tests
5515 *
5516 * Test 0: Simple successful SRP connection, new vbase
5517 * Test 1: Connection failure due to bad password, new vbase
5518 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5519 * Test 3: Connection failure due to bad password, vbase loaded from existing
5520 * file
5521 * Test 4: Simple successful SRP connection, vbase loaded from new file
5522 * Test 5: Connection failure due to bad password, vbase loaded from new file
5523 */
5524static int test_srp(int tst)
5525{
5526 char *userid = "test", *password = "password", *tstsrpfile;
5527 SSL_CTX *cctx = NULL, *sctx = NULL;
5528 SSL *clientssl = NULL, *serverssl = NULL;
5529 int ret, testresult = 0;
5530
5531 vbase = SRP_VBASE_new(NULL);
5532 if (!TEST_ptr(vbase))
5533 goto end;
5534
5535 if (tst == 0 || tst == 1) {
5536 if (!TEST_true(create_new_vbase(userid, password)))
5537 goto end;
5538 } else {
5539 if (tst == 4 || tst == 5) {
5540 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5541 goto end;
5542 tstsrpfile = tmpfilename;
5543 } else {
5544 tstsrpfile = srpvfile;
5545 }
5546 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5547 goto end;
5548 }
5549
5550 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 5551 TLS1_VERSION, 0,
76fd7a1d
MC		 5552 &sctx, &cctx, cert, privkey)))
5553 goto end;
5554
5555 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5556 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5557 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5558 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5559 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5560 goto end;
5561
5562 if (tst % 2 == 1) {
5563 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5564 goto end;
5565 } else {
5566 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5567 goto end;
5568 }
5569
5570 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5571 NULL, NULL)))
5572 goto end;
5573
5574 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5575 if (ret) {
5576 if (!TEST_true(tst % 2 == 0))
5577 goto end;
5578 } else {
5579 if (!TEST_true(tst % 2 == 1))
5580 goto end;
5581 }
5582
5583 testresult = 1;
5584
5585 end:
5586 SRP_VBASE_free(vbase);
5587 vbase = NULL;
5588 SSL_free(serverssl);
5589 SSL_free(clientssl);
5590 SSL_CTX_free(sctx);
5591 SSL_CTX_free(cctx);
5592
5593 return testresult;
5594}
5595#endif
5596
5718fe45
MC		 5597static int info_cb_failed = 0;
5598static int info_cb_offset = 0;
5599static int info_cb_this_state = -1;
5600
5601static struct info_cb_states_st {
5602 int where;
5603 const char *statestr;
5604} info_cb_states[][60] = {
5605 {
5606 /* TLSv1.2 server followed by resumption */
5607 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5608 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5609 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5610 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5611 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5612 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5613 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5614 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5615 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5616 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5617 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5618 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5619 {SSL_CB_EXIT, NULL}, {0, NULL},
5620 }, {
5621 /* TLSv1.2 client followed by resumption */
5622 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5623 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5624 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5625 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5626 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5627 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5628 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5629 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5630 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5631 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5632 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5633 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5634 }, {
5635 /* TLSv1.3 server followed by resumption */
5636 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5637 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5638 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5639 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5640 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 5641 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5642 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5643 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5644 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5645 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5646 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5647 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5648 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5649 }, {
5650 /* TLSv1.3 client followed by resumption */
5651 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5652 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5653 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5654 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5655 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 5656 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5657 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5658 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 5659 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5660 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5661 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5662 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5663 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 5664 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5665 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5666 }, {
5667 /* TLSv1.3 server, early_data */
5668 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5669 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5670 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5671 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5672 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5673 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 5674 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 5675 {SSL_CB_EXIT, NULL}, {0, NULL},
5676 }, {
5677 /* TLSv1.3 client, early_data */
5678 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5679 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5680 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5681 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5682 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5683 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5684 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 5685 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5686 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5687 }, {
5688 {0, NULL},
5689 }
5690};
5691
5692static void sslapi_info_callback(const SSL *s, int where, int ret)
5693{
5694 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5695
5696 /* We do not ever expect a connection to fail in this test */
5697 if (!TEST_false(ret == 0)) {
5698 info_cb_failed = 1;
5699 return;
5700 }
5701
5702 /*
5703 * Do some sanity checks. We never expect these things to happen in this
5704 * test
5705 */
5706 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5707 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5708 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5709 info_cb_failed = 1;
5710 return;
5711 }
5712
5713 /* Now check we're in the right state */
5714 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5715 info_cb_failed = 1;
5716 return;
5717 }
5718 if ((where & SSL_CB_LOOP) != 0
5719 && !TEST_int_eq(strcmp(SSL_state_string(s),
5720 state[info_cb_this_state].statestr), 0)) {
5721 info_cb_failed = 1;
5722 return;
5723 }
033c181b 5724
4af5836b
MC		 5725 /*
5726 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5727 */
5728 if ((where & SSL_CB_HANDSHAKE_DONE)
5729 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 5730 info_cb_failed = 1;
5731 return;
5732 }
5718fe45
MC		 5733}
5734
5735/*
5736 * Test the info callback gets called when we expect it to.
5737 *
5738 * Test 0: TLSv1.2, server
5739 * Test 1: TLSv1.2, client
5740 * Test 2: TLSv1.3, server
5741 * Test 3: TLSv1.3, client
5742 * Test 4: TLSv1.3, server, early_data
5743 * Test 5: TLSv1.3, client, early_data
5744 */
5745static int test_info_callback(int tst)
5746{
5747 SSL_CTX *cctx = NULL, *sctx = NULL;
5748 SSL *clientssl = NULL, *serverssl = NULL;
5749 SSL_SESSION *clntsess = NULL;
5750 int testresult = 0;
5751 int tlsvers;
5752
5753 if (tst < 2) {
1aac20f5
MC		 5754/* We need either ECDHE or DHE for the TLSv1.2 test to work */
5755#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5756 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 5757 tlsvers = TLS1_2_VERSION;
5758#else
5759 return 1;
5760#endif
5761 } else {
5762#ifndef OPENSSL_NO_TLS1_3
5763 tlsvers = TLS1_3_VERSION;
5764#else
5765 return 1;
5766#endif
5767 }
5768
5769 /* Reset globals */
5770 info_cb_failed = 0;
5771 info_cb_this_state = -1;
5772 info_cb_offset = tst;
5773
6e07834c 5774#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 5775 if (tst >= 4) {
5776 SSL_SESSION *sess = NULL;
5777 size_t written, readbytes;
5778 unsigned char buf[80];
5779
5780 /* early_data tests */
5781 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5782 &serverssl, &sess, 0)))
5783 goto end;
5784
5785 /* We don't actually need this reference */
5786 SSL_SESSION_free(sess);
5787
5788 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5789 sslapi_info_callback);
5790
5791 /* Write and read some early data and then complete the connection */
5792 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5793 &written))
5794 || !TEST_size_t_eq(written, strlen(MSG1))
5795 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5796 sizeof(buf), &readbytes),
5797 SSL_READ_EARLY_DATA_SUCCESS)
5798 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5799 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5800 SSL_EARLY_DATA_ACCEPTED)
5801 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5802 SSL_ERROR_NONE))
5803 || !TEST_false(info_cb_failed))
5804 goto end;
5805
5806 testresult = 1;
5807 goto end;
5808 }
6e07834c 5809#endif
5718fe45
MC		 5810
5811 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5812 TLS_client_method(),
5813 tlsvers, tlsvers, &sctx, &cctx, cert,
5814 privkey)))
5815 goto end;
5816
5817 /*
5818 * For even numbered tests we check the server callbacks. For odd numbers we
5819 * check the client.
5820 */
5821 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5822 sslapi_info_callback);
5823
5824 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5825 &clientssl, NULL, NULL))
5826 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5827 SSL_ERROR_NONE))
5828 || !TEST_false(info_cb_failed))
5829 goto end;
5830
5831
5832
5833 clntsess = SSL_get1_session(clientssl);
5834 SSL_shutdown(clientssl);
5835 SSL_shutdown(serverssl);
5836 SSL_free(serverssl);
5837 SSL_free(clientssl);
5838 serverssl = clientssl = NULL;
5839
5840 /* Now do a resumption */
5841 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5842 NULL))
5843 || !TEST_true(SSL_set_session(clientssl, clntsess))
5844 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5845 SSL_ERROR_NONE))
5846 || !TEST_true(SSL_session_reused(clientssl))
5847 || !TEST_false(info_cb_failed))
5848 goto end;
5849
5850 testresult = 1;
5851
5852 end:
5853 SSL_free(serverssl);
5854 SSL_free(clientssl);
5855 SSL_SESSION_free(clntsess);
5856 SSL_CTX_free(sctx);
5857 SSL_CTX_free(cctx);
5858 return testresult;
5859}
5860
4a432af8
MC		 5861static int test_ssl_pending(int tst)
5862{
5863 SSL_CTX *cctx = NULL, *sctx = NULL;
5864 SSL *clientssl = NULL, *serverssl = NULL;
5865 int testresult = 0;
5866 char msg[] = "A test message";
5867 char buf[5];
5868 size_t written, readbytes;
5869
5870 if (tst == 0) {
5871 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5872 TLS_client_method(),
5c587fb6 5873 TLS1_VERSION, 0,
4a432af8
MC		 5874 &sctx, &cctx, cert, privkey)))
5875 goto end;
5876 } else {
5877#ifndef OPENSSL_NO_DTLS
5878 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5879 DTLS_client_method(),
5c587fb6 5880 DTLS1_VERSION, 0,
4a432af8
MC		 5881 &sctx, &cctx, cert, privkey)))
5882 goto end;
5883#else
5884 return 1;
5885#endif
5886 }
5887
5888 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5889 NULL, NULL))
5890 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5891 SSL_ERROR_NONE)))
5892 goto end;
5893
e8251092
MC		 5894 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5895 || !TEST_false(SSL_has_pending(clientssl))
5896 || !TEST_int_eq(SSL_pending(serverssl), 0)
5897 || !TEST_false(SSL_has_pending(serverssl))
5898 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 5899 || !TEST_size_t_eq(written, sizeof(msg))
5900 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5901 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 5902 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5903 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 5904 goto end;
5905
5906 testresult = 1;
5907
5908 end:
5909 SSL_free(serverssl);
5910 SSL_free(clientssl);
5911 SSL_CTX_free(sctx);
5912 SSL_CTX_free(cctx);
5913
5914 return testresult;
5915}
5916
e401389a
MC		 5917static struct {
5918 unsigned int maxprot;
5919 const char *clntciphers;
5920 const char *clnttls13ciphers;
5921 const char *srvrciphers;
5922 const char *srvrtls13ciphers;
5923 const char *shared;
5924} shared_ciphers_data[] = {
60155b9a
MC		 5925/*
5926 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5927 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5928 */
5929#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 5930 {
5931 TLS1_2_VERSION,
5932 "AES128-SHA:AES256-SHA",
5933 NULL,
5934 "AES256-SHA:DHE-RSA-AES128-SHA",
5935 NULL,
5936 "AES256-SHA"
5937 },
5938 {
5939 TLS1_2_VERSION,
5940 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5941 NULL,
5942 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5943 NULL,
5944 "AES128-SHA:AES256-SHA"
5945 },
5946 {
5947 TLS1_2_VERSION,
5948 "AES128-SHA:AES256-SHA",
5949 NULL,
5950 "AES128-SHA:DHE-RSA-AES128-SHA",
5951 NULL,
5952 "AES128-SHA"
5953 },
60155b9a
MC		 5954#endif
5955/*
5956 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5957 * enabled.
5958 */
5959#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5960 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 5961 {
5962 TLS1_3_VERSION,
5963 "AES128-SHA:AES256-SHA",
5964 NULL,
5965 "AES256-SHA:AES128-SHA256",
5966 NULL,
5967 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5968 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5969 },
60155b9a
MC		 5970#endif
5971#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 5972 {
5973 TLS1_3_VERSION,
5974 "AES128-SHA",
5975 "TLS_AES_256_GCM_SHA384",
5976 "AES256-SHA",
5977 "TLS_AES_256_GCM_SHA384",
5978 "TLS_AES_256_GCM_SHA384"
5979 },
5980#endif
5981};
5982
5983static int test_ssl_get_shared_ciphers(int tst)
5984{
5985 SSL_CTX *cctx = NULL, *sctx = NULL;
5986 SSL *clientssl = NULL, *serverssl = NULL;
5987 int testresult = 0;
5988 char buf[1024];
5989
5990 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5991 TLS_client_method(),
5992 TLS1_VERSION,
5993 shared_ciphers_data[tst].maxprot,
5994 &sctx, &cctx, cert, privkey)))
5995 goto end;
5996
5997 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5998 shared_ciphers_data[tst].clntciphers))
5999 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6000 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6001 shared_ciphers_data[tst].clnttls13ciphers)))
6002 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6003 shared_ciphers_data[tst].srvrciphers))
6004 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6005 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6006 shared_ciphers_data[tst].srvrtls13ciphers))))
6007 goto end;
6008
6009
6010 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6011 NULL, NULL))
6012 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6013 SSL_ERROR_NONE)))
6014 goto end;
6015
6016 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6017 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6018 TEST_info("Shared ciphers are: %s\n", buf);
6019 goto end;
6020 }
6021
6022 testresult = 1;
6023
6024 end:
6025 SSL_free(serverssl);
6026 SSL_free(clientssl);
6027 SSL_CTX_free(sctx);
6028 SSL_CTX_free(cctx);
6029
6030 return testresult;
6031}
6032
d0191fe0 6033static const char *appdata = "Hello World";
61fb5923
MC		 6034static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6035static int tick_key_renew = 0;
6036static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6037
6038static int gen_tick_cb(SSL *s, void *arg)
6039{
6040 gen_tick_called = 1;
6041
6042 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6043 strlen(appdata));
6044}
6045
6046static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6047 const unsigned char *keyname,
6048 size_t keyname_length,
61fb5923
MC		 6049 SSL_TICKET_STATUS status,
6050 void *arg)
d0191fe0
MC		 6051{
6052 void *tickdata;
6053 size_t tickdlen;
6054
6055 dec_tick_called = 1;
6056
61fb5923
MC		 6057 if (status == SSL_TICKET_EMPTY)
6058 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6059
61fb5923
MC		 6060 if (!TEST_true(status == SSL_TICKET_SUCCESS
6061 || status == SSL_TICKET_SUCCESS_RENEW))
6062 return SSL_TICKET_RETURN_ABORT;
6063
6064 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6065 &tickdlen))
d0191fe0
MC		 6066 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6067 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6068 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6069
61fb5923
MC		 6070 if (tick_key_cb_called) {
6071 /* Don't change what the ticket key callback wanted to do */
6072 switch (status) {
6073 case SSL_TICKET_NO_DECRYPT:
6074 return SSL_TICKET_RETURN_IGNORE_RENEW;
6075
6076 case SSL_TICKET_SUCCESS:
6077 return SSL_TICKET_RETURN_USE;
d0191fe0 6078
61fb5923
MC		 6079 case SSL_TICKET_SUCCESS_RENEW:
6080 return SSL_TICKET_RETURN_USE_RENEW;
6081
6082 default:
6083 return SSL_TICKET_RETURN_ABORT;
6084 }
6085 }
6086 return tick_dec_ret;
6087
6088}
d0191fe0 6089
a76ce286 6090#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 6091static int tick_key_cb(SSL *s, unsigned char key_name[16],
6092 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6093 HMAC_CTX *hctx, int enc)
6094{
6095 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6096 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6097
61fb5923 6098 tick_key_cb_called = 1;
d0191fe0
MC		 6099 memset(iv, 0, AES_BLOCK_SIZE);
6100 memset(key_name, 0, 16);
6101 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6102 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
6103 EVP_sha256(), NULL))
6104 return -1;
6105
61fb5923 6106 return tick_key_renew ? 2 : 1;
d0191fe0 6107}
a76ce286
P		 6108#endif
6109
6110static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6111 unsigned char iv[EVP_MAX_IV_LENGTH],
6112 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6113{
6114 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6115 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6116 OSSL_PARAM params[3];
6117
6118 tick_key_cb_called = 1;
6119 memset(iv, 0, AES_BLOCK_SIZE);
6120 memset(key_name, 0, 16);
6121 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6122 "SHA256", 0);
6123 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6124 tick_hmac_key,
6125 sizeof(tick_hmac_key));
6126 params[2] = OSSL_PARAM_construct_end();
6127 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6128 || !EVP_MAC_CTX_set_params(hctx, params)
6129 || !EVP_MAC_init(hctx))
6130 return -1;
6131
6132 return tick_key_renew ? 2 : 1;
6133}
d0191fe0
MC		 6134
6135/*
6136 * Test the various ticket callbacks
61fb5923
MC		 6137 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6138 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6139 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6140 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6141 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6142 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6143 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6144 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 6145 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6146 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6147 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6148 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6149 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6150 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6151 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6152 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6153 */
6154static int test_ticket_callbacks(int tst)
6155{
6156 SSL_CTX *cctx = NULL, *sctx = NULL;
6157 SSL *clientssl = NULL, *serverssl = NULL;
6158 SSL_SESSION *clntsess = NULL;
6159 int testresult = 0;
6160
6161#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6162 if (tst % 2 == 0)
d0191fe0
MC		 6163 return 1;
6164#endif
6165#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 6166 if (tst % 2 == 1)
d0191fe0
MC		 6167 return 1;
6168#endif
a76ce286
P		 6169#ifdef OPENSSL_NO_DEPRECATED_3_0
6170 if (tst >= 8 && tst <= 11)
6171 return 1;
6172#endif
d0191fe0 6173
61fb5923 6174 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6175
6176 /* Which tests the ticket key callback should request renewal for */
a76ce286 6177 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 6178 tick_key_renew = 1;
d0191fe0 6179 else
61fb5923
MC		 6180 tick_key_renew = 0;
6181
6182 /* Which tests the decrypt ticket callback should request renewal for */
6183 switch (tst) {
6184 case 0:
6185 case 1:
6186 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6187 break;
6188
6189 case 2:
6190 case 3:
6191 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6192 break;
6193
6194 case 4:
6195 case 5:
6196 tick_dec_ret = SSL_TICKET_RETURN_USE;
6197 break;
6198
6199 case 6:
6200 case 7:
6201 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6202 break;
6203
6204 default:
6205 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6206 }
d0191fe0
MC		 6207
6208 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6209 TLS_client_method(),
6210 TLS1_VERSION,
61fb5923
MC		 6211 ((tst % 2) == 0) ? TLS1_2_VERSION
6212 : TLS1_3_VERSION,
d0191fe0
MC		 6213 &sctx, &cctx, cert, privkey)))
6214 goto end;
6215
61fb5923
MC		 6216 /*
6217 * We only want sessions to resume from tickets - not the session cache. So
6218 * switch the cache off.
6219 */
6220 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6221 goto end;
6222
d0191fe0
MC		 6223 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6224 NULL)))
6225 goto end;
6226
a76ce286
P		 6227 if (tst >= 12) {
6228 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6229 goto end;
6230#ifndef OPENSSL_NO_DEPRECATED_3_0
6231 } else if (tst >= 8) {
6232 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6233 goto end;
6234#endif
6235 }
d0191fe0
MC		 6236
6237 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6238 NULL, NULL))
6239 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6240 SSL_ERROR_NONE)))
6241 goto end;
6242
61fb5923
MC		 6243 /*
6244 * The decrypt ticket key callback in TLSv1.2 should be called even though
6245 * we have no ticket yet, because it gets called with a status of
6246 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6247 * actually send any ticket data). This does not happen in TLSv1.3 because
6248 * it is not valid to send empty ticket data in TLSv1.3.
6249 */
d0191fe0 6250 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 6251 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 6252 goto end;
6253
6254 gen_tick_called = dec_tick_called = 0;
6255
6256 clntsess = SSL_get1_session(clientssl);
6257 SSL_shutdown(clientssl);
6258 SSL_shutdown(serverssl);
6259 SSL_free(serverssl);
6260 SSL_free(clientssl);
6261 serverssl = clientssl = NULL;
6262
6263 /* Now do a resumption */
6264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6265 NULL))
6266 || !TEST_true(SSL_set_session(clientssl, clntsess))
6267 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 6268 SSL_ERROR_NONE)))
d0191fe0
MC		 6269 goto end;
6270
61fb5923
MC		 6271 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6272 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6273 if (!TEST_false(SSL_session_reused(clientssl)))
6274 goto end;
6275 } else {
6276 if (!TEST_true(SSL_session_reused(clientssl)))
6277 goto end;
6278 }
6279
d0191fe0 6280 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 6281 (tick_key_renew
6282 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6283 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6284 ? 1 : 0)
d0191fe0
MC		 6285 || !TEST_int_eq(dec_tick_called, 1))
6286 goto end;
6287
6288 testresult = 1;
6289
6290 end:
6291 SSL_SESSION_free(clntsess);
6292 SSL_free(serverssl);
6293 SSL_free(clientssl);
6294 SSL_CTX_free(sctx);
6295 SSL_CTX_free(cctx);
6296
6297 return testresult;
6298}
6299
c748834f
MC		 6300/*
6301 * Test bi-directional shutdown.
6302 * Test 0: TLSv1.2
6303 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6304 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6305 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 6306 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6307 * sends key update, client reads it
57d7b988
MC		 6308 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6309 * sends CertificateRequest, client reads and ignores it
6310 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 6311 * doesn't read it
6312 */
6313static int test_shutdown(int tst)
6314{
6315 SSL_CTX *cctx = NULL, *sctx = NULL;
6316 SSL *clientssl = NULL, *serverssl = NULL;
6317 int testresult = 0;
6318 char msg[] = "A test message";
6319 char buf[80];
6320 size_t written, readbytes;
80eff008 6321 SSL_SESSION *sess;
c748834f
MC		 6322
6323#ifdef OPENSSL_NO_TLS1_2
a97d19f7 6324 if (tst <= 1)
c748834f
MC		 6325 return 1;
6326#endif
6327#ifdef OPENSSL_NO_TLS1_3
a97d19f7 6328 if (tst >= 2)
c748834f
MC		 6329 return 1;
6330#endif
6331
6332 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6333 TLS_client_method(),
6334 TLS1_VERSION,
6335 (tst <= 1) ? TLS1_2_VERSION
6336 : TLS1_3_VERSION,
57d7b988
MC		 6337 &sctx, &cctx, cert, privkey)))
6338 goto end;
6339
6340 if (tst == 5)
6341 SSL_CTX_set_post_handshake_auth(cctx, 1);
6342
6343 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 6344 NULL, NULL)))
6345 goto end;
6346
6347 if (tst == 3) {
6348 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 6349 SSL_ERROR_NONE, 1))
80eff008
KR		 6350 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6351 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 6352 goto end;
6353 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 6354 SSL_ERROR_NONE))
6355 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6356 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 6357 goto end;
6358 }
6359
6360 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6361 goto end;
6362
6363 if (tst >= 4) {
6364 /*
6365 * Reading on the server after the client has sent close_notify should
6366 * fail and provide SSL_ERROR_ZERO_RETURN
6367 */
6368 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6369 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6370 SSL_ERROR_ZERO_RETURN)
6371 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6372 SSL_RECEIVED_SHUTDOWN)
6373 /*
6374 * Even though we're shutdown on receive we should still be
6375 * able to write.
6376 */
80eff008
KR		 6377 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6378 goto end;
57d7b988
MC		 6379 if (tst == 4
6380 && !TEST_true(SSL_key_update(serverssl,
6381 SSL_KEY_UPDATE_REQUESTED)))
6382 goto end;
6383 if (tst == 5) {
6384 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6385 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6386 goto end;
6387 }
6388 if ((tst == 4 || tst == 5)
6389 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 6390 goto end;
6391 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 6392 goto end;
57d7b988 6393 if (tst == 4 || tst == 5) {
80eff008 6394 /* Should still be able to read data from server */
c748834f 6395 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 6396 &readbytes))
6397 || !TEST_size_t_eq(readbytes, sizeof(msg))
6398 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6399 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6400 &readbytes))
c748834f
MC		 6401 || !TEST_size_t_eq(readbytes, sizeof(msg))
6402 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6403 goto end;
6404 }
6405 }
6406
6407 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 6408 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 6409 goto end;
6410
6411 if (tst < 4) {
6412 /*
6413 * For these tests the client has sent close_notify but it has not yet
6414 * been received by the server. The server has not sent close_notify
6415 * yet.
6416 */
6417 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 6418 /*
6419 * Writing on the server after sending close_notify shouldn't
6420 * be possible.
6421 */
6422 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 6423 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 6424 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6425 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 6426 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6427 goto end;
57d7b988 6428 } else if (tst == 4 || tst == 5) {
c748834f
MC		 6429 /*
6430 * In this test the client has sent close_notify and it has been
6431 * received by the server which has responded with a close_notify. The
358ffa05 6432 * client needs to read the close_notify sent by the server.
c748834f 6433 */
80eff008
KR		 6434 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6435 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6436 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 6437 goto end;
358ffa05
MC		 6438 } else {
6439 /*
57d7b988 6440 * tst == 6
358ffa05
MC		 6441 *
6442 * The client has sent close_notify and is expecting a close_notify
6443 * back, but instead there is application data first. The shutdown
6444 * should fail with a fatal error.
6445 */
6446 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6447 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6448 goto end;
c748834f
MC		 6449 }
6450
6451 testresult = 1;
6452
6453 end:
6454 SSL_free(serverssl);
6455 SSL_free(clientssl);
6456 SSL_CTX_free(sctx);
6457 SSL_CTX_free(cctx);
6458
6459 return testresult;
6460}
6461
7f1d923a 6462#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 6463static int cert_cb_cnt;
6464
6465static int cert_cb(SSL *s, void *arg)
6466{
6467 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 6468 BIO *in = NULL;
6469 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 6470 X509 *x509 = NULL, *rootx = NULL;
6471 STACK_OF(X509) *chain = NULL;
6472 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6473 int ret = 0;
cd6fe29f
MC		 6474
6475 if (cert_cb_cnt == 0) {
6476 /* Suspend the handshake */
6477 cert_cb_cnt++;
6478 return -1;
6479 } else if (cert_cb_cnt == 1) {
6480 /*
6481 * Update the SSL_CTX, set the certificate and private key and then
6482 * continue the handshake normally.
6483 */
6484 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6485 return 0;
6486
6487 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6488 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6489 SSL_FILETYPE_PEM))
6490 || !TEST_true(SSL_check_private_key(s)))
6491 return 0;
6492 cert_cb_cnt++;
6493 return 1;
7cb8fb07
BK		 6494 } else if (cert_cb_cnt == 3) {
6495 int rv;
1a2a3a42
MC		 6496
6497 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6498 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6499 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6500 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6501 goto out;
6502 chain = sk_X509_new_null();
6503 if (!TEST_ptr(chain))
6504 goto out;
7cb8fb07 6505 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42
MC		 6506 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6507 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6508 || !TEST_true(sk_X509_push(chain, rootx)))
6509 goto out;
6510 rootx = NULL;
6511 BIO_free(in);
6512 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6513 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7cb8fb07
BK		 6514 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6515 goto out;
6516 BIO_free(in);
6517 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 6518 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7cb8fb07
BK		 6519 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6520 goto out;
1a2a3a42 6521 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 6522 /*
6523 * If the cert doesn't show as valid here (e.g., because we don't
6524 * have any shared sigalgs), then we will not set it, and there will
6525 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6526 * will cause tls_choose_sigalgs() to fail the connection.
6527 */
1a2a3a42
MC		 6528 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6529 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 6530 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6531 goto out;
6532 }
1a2a3a42
MC		 6533
6534 ret = 1;
cd6fe29f
MC		 6535 }
6536
6537 /* Abort the handshake */
7cb8fb07 6538 out:
1a2a3a42
MC		 6539 OPENSSL_free(ecdsacert);
6540 OPENSSL_free(ecdsakey);
6541 OPENSSL_free(rootfile);
7cb8fb07
BK		 6542 BIO_free(in);
6543 EVP_PKEY_free(pkey);
6544 X509_free(x509);
1a2a3a42
MC		 6545 X509_free(rootx);
6546 sk_X509_pop_free(chain, X509_free);
6547 return ret;
cd6fe29f
MC		 6548}
6549
6550/*
6551 * Test the certificate callback.
6552 * Test 0: Callback fails
6553 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6554 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 6555 * Test 3: Success - Call SSL_check_chain from the callback
6556 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6557 * chain
6558 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 6559 */
6560static int test_cert_cb_int(int prot, int tst)
6561{
6562 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6563 SSL *clientssl = NULL, *serverssl = NULL;
6564 int testresult = 0, ret;
6565
1a2a3a42
MC		 6566#ifdef OPENSSL_NO_EC
6567 /* We use an EC cert in these tests, so we skip in a no-ec build */
6568 if (tst >= 3)
6569 return 1;
6570#endif
6571
cd6fe29f
MC		 6572 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6573 TLS_client_method(),
6574 TLS1_VERSION,
6575 prot,
6576 &sctx, &cctx, NULL, NULL)))
6577 goto end;
6578
6579 if (tst == 0)
6580 cert_cb_cnt = -1;
1a2a3a42 6581 else if (tst >= 3)
7cb8fb07 6582 cert_cb_cnt = 3;
cd6fe29f
MC		 6583 else
6584 cert_cb_cnt = 0;
1a2a3a42 6585
cd6fe29f
MC		 6586 if (tst == 2)
6587 snictx = SSL_CTX_new(TLS_server_method());
6588 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6589
6590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6591 NULL, NULL)))
6592 goto end;
6593
1a2a3a42
MC		 6594 if (tst == 4) {
6595 /*
6596 * We cause SSL_check_chain() to fail by specifying sig_algs that
6597 * the chain doesn't meet (the root uses an RSA cert)
6598 */
6599 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6600 "ecdsa_secp256r1_sha256")))
6601 goto end;
6602 } else if (tst == 5) {
6603 /*
6604 * We cause SSL_check_chain() to fail by specifying sig_algs that
6605 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6606 */
6607 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6608 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6609 goto end;
6610 }
6611
cd6fe29f 6612 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 6613 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 6614 || (tst > 0
6615 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 6616 goto end;
6617 }
6618
6619 testresult = 1;
6620
6621 end:
6622 SSL_free(serverssl);
6623 SSL_free(clientssl);
6624 SSL_CTX_free(sctx);
6625 SSL_CTX_free(cctx);
6626 SSL_CTX_free(snictx);
6627
6628 return testresult;
6629}
7f1d923a 6630#endif
cd6fe29f
MC		 6631
6632static int test_cert_cb(int tst)
6633{
6634 int testresult = 1;
6635
6636#ifndef OPENSSL_NO_TLS1_2
6637 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6638#endif
7f1d923a 6639#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 6640 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6641#endif
6642
6643 return testresult;
6644}
6645
6e46c065
MC		 6646static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6647{
6648 X509 *xcert, *peer;
6649 EVP_PKEY *privpkey;
6650 BIO *in = NULL;
6651
6652 /* Check that SSL_get_peer_certificate() returns something sensible */
6653 peer = SSL_get_peer_certificate(ssl);
6654 if (!TEST_ptr(peer))
6655 return 0;
6656 X509_free(peer);
6657
6658 in = BIO_new_file(cert, "r");
6659 if (!TEST_ptr(in))
6660 return 0;
6661
6662 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6663 BIO_free(in);
6664 if (!TEST_ptr(xcert))
6665 return 0;
6666
6667 in = BIO_new_file(privkey, "r");
6668 if (!TEST_ptr(in)) {
6669 X509_free(xcert);
6670 return 0;
6671 }
6672
6673 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6674 BIO_free(in);
6675 if (!TEST_ptr(privpkey)) {
6676 X509_free(xcert);
6677 return 0;
6678 }
6679
6680 *x509 = xcert;
6681 *pkey = privpkey;
6682
6683 return 1;
6684}
6685
6686static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6687{
6688 return 1;
6689}
6690
6691static int test_client_cert_cb(int tst)
6692{
6693 SSL_CTX *cctx = NULL, *sctx = NULL;
6694 SSL *clientssl = NULL, *serverssl = NULL;
6695 int testresult = 0;
6696
6697#ifdef OPENSSL_NO_TLS1_2
6698 if (tst == 0)
6699 return 1;
6700#endif
6701#ifdef OPENSSL_NO_TLS1_3
6702 if (tst == 1)
6703 return 1;
6704#endif
6705
6706 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6707 TLS_client_method(),
6708 TLS1_VERSION,
6709 tst == 0 ? TLS1_2_VERSION
6710 : TLS1_3_VERSION,
6711 &sctx, &cctx, cert, privkey)))
6712 goto end;
6713
6714 /*
6715 * Test that setting a client_cert_cb results in a client certificate being
6716 * sent.
6717 */
6718 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6719 SSL_CTX_set_verify(sctx,
6720 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6721 verify_cb);
fb8c8359
MC		 6722
6723 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6724 NULL, NULL))
6725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6726 SSL_ERROR_NONE)))
6727 goto end;
6728
6729 testresult = 1;
6730
6731 end:
6732 SSL_free(serverssl);
6733 SSL_free(clientssl);
6734 SSL_CTX_free(sctx);
6735 SSL_CTX_free(cctx);
6736
6737 return testresult;
6738}
6739
6740#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6741/*
6742 * Test setting certificate authorities on both client and server.
6743 *
6744 * Test 0: SSL_CTX_set0_CA_list() only
6745 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6746 * Test 2: Only SSL_CTX_set_client_CA_list()
6747 */
6748static int test_ca_names_int(int prot, int tst)
6749{
6750 SSL_CTX *cctx = NULL, *sctx = NULL;
6751 SSL *clientssl = NULL, *serverssl = NULL;
6752 int testresult = 0;
6753 size_t i;
6754 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6755 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6756 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6757 const STACK_OF(X509_NAME) *sktmp = NULL;
6758
6759 for (i = 0; i < OSSL_NELEM(name); i++) {
6760 name[i] = X509_NAME_new();
6761 if (!TEST_ptr(name[i])
6762 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6763 MBSTRING_ASC,
6764 (unsigned char *)
6765 strnames[i],
6766 -1, -1, 0)))
6767 goto end;
6768 }
6769
6770 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6771 TLS_client_method(),
6772 TLS1_VERSION,
6773 prot,
6774 &sctx, &cctx, cert, privkey)))
6775 goto end;
6776
6777 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6778
6779 if (tst == 0 || tst == 1) {
6780 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6781 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6782 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6783 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6784 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6785 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6786 goto end;
6787
6788 SSL_CTX_set0_CA_list(sctx, sk1);
6789 SSL_CTX_set0_CA_list(cctx, sk2);
6790 sk1 = sk2 = NULL;
6791 }
6792 if (tst == 1 || tst == 2) {
6793 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6794 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6795 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6796 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6797 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6798 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6799 goto end;
6800
6801 SSL_CTX_set_client_CA_list(sctx, sk1);
6802 SSL_CTX_set_client_CA_list(cctx, sk2);
6803 sk1 = sk2 = NULL;
6804 }
6805
6e46c065
MC		 6806 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6807 NULL, NULL))
6808 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6809 SSL_ERROR_NONE)))
6810 goto end;
6811
fb8c8359
MC		 6812 /*
6813 * We only expect certificate authorities to have been sent to the server
6814 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6815 */
6816 sktmp = SSL_get0_peer_CA_list(serverssl);
6817 if (prot == TLS1_3_VERSION
6818 && (tst == 0 || tst == 1)) {
6819 if (!TEST_ptr(sktmp)
6820 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6821 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6822 name[0]), 0)
6823 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6824 name[1]), 0))
6825 goto end;
6826 } else if (!TEST_ptr_null(sktmp)) {
6827 goto end;
6828 }
6829
6830 /*
6831 * In all tests we expect certificate authorities to have been sent to the
6832 * client. However, SSL_set_client_CA_list() should override
6833 * SSL_set0_CA_list()
6834 */
6835 sktmp = SSL_get0_peer_CA_list(clientssl);
6836 if (!TEST_ptr(sktmp)
6837 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6838 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6839 name[tst == 0 ? 0 : 2]), 0)
6840 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6841 name[tst == 0 ? 1 : 3]), 0))
6842 goto end;
6843
6e46c065
MC		 6844 testresult = 1;
6845
6846 end:
6847 SSL_free(serverssl);
6848 SSL_free(clientssl);
6849 SSL_CTX_free(sctx);
6850 SSL_CTX_free(cctx);
fb8c8359
MC		 6851 for (i = 0; i < OSSL_NELEM(name); i++)
6852 X509_NAME_free(name[i]);
6853 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6854 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6855
6856 return testresult;
6857}
6858#endif
6859
6860static int test_ca_names(int tst)
6861{
6862 int testresult = 1;
6863
6864#ifndef OPENSSL_NO_TLS1_2
6865 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6866#endif
6867#ifndef OPENSSL_NO_TLS1_3
6868 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6869#endif
6e46c065
MC		 6870
6871 return testresult;
6872}
6873
0d2bfe52
SL		 6874#ifndef OPENSSL_NO_TLS1_2
6875static const char *multiblock_cipherlist_data[]=
6876{
6877 "AES128-SHA",
6878 "AES128-SHA256",
6879 "AES256-SHA",
6880 "AES256-SHA256",
6881};
6882
6883/* Reduce the fragment size - so the multiblock test buffer can be small */
6884# define MULTIBLOCK_FRAGSIZE 512
6885
6886static int test_multiblock_write(int test_index)
6887{
6888 static const char *fetchable_ciphers[]=
6889 {
6890 "AES-128-CBC-HMAC-SHA1",
6891 "AES-128-CBC-HMAC-SHA256",
6892 "AES-256-CBC-HMAC-SHA1",
6893 "AES-256-CBC-HMAC-SHA256"
6894 };
6895 const char *cipherlist = multiblock_cipherlist_data[test_index];
6896 const SSL_METHOD *smeth = TLS_server_method();
6897 const SSL_METHOD *cmeth = TLS_client_method();
6898 int min_version = TLS1_VERSION;
6899 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
6900 SSL_CTX *cctx = NULL, *sctx = NULL;
6901 SSL *clientssl = NULL, *serverssl = NULL;
6902 int testresult = 0;
6903
6904 /*
6905 * Choose a buffer large enough to perform a multi-block operation
6906 * i.e: write_len >= 4 * frag_size
6907 * 9 * is chosen so that multiple multiblocks are used + some leftover.
6908 */
6909 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
6910 unsigned char buf[sizeof(msg)], *p = buf;
6911 size_t readbytes, written, len;
6912 EVP_CIPHER *ciph = NULL;
6913
6914 /*
6915 * Check if the cipher exists before attempting to use it since it only has
6916 * a hardware specific implementation.
6917 */
6918 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
6919 if (ciph == NULL) {
6920 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
6921 return 1;
6922 }
6923 EVP_CIPHER_free(ciph);
6924
6925 /* Set up a buffer with some data that will be sent to the client */
6926 RAND_bytes(msg, sizeof(msg));
6927
6928 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
6929 &sctx, &cctx, cert, privkey)))
6930 goto end;
6931
6932 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
6933 goto end;
6934
6935 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6936 NULL, NULL)))
6937 goto end;
6938
6939 /* settings to force it to use AES-CBC-HMAC_SHA */
6940 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
6941 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
6942 goto end;
6943
6944 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
6945 goto end;
6946
6947 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6948 || !TEST_size_t_eq(written, sizeof(msg)))
6949 goto end;
6950
6951 len = written;
6952 while (len > 0) {
6953 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
6954 goto end;
6955 p += readbytes;
6956 len -= readbytes;
6957 }
6958 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
6959 goto end;
6960
6961 testresult = 1;
6962end:
6963 SSL_free(serverssl);
6964 SSL_free(clientssl);
6965 SSL_CTX_free(sctx);
6966 SSL_CTX_free(cctx);
6967
6968 return testresult;
6969}
6970#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 6971
49ef3d07
MC		 6972/*
6973 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
6974 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
6975 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
6976 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
6977 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
6978 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
6979 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
6980 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
6981 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
6982 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
6983 */
6984static int test_servername(int tst)
6985{
6986 SSL_CTX *cctx = NULL, *sctx = NULL;
6987 SSL *clientssl = NULL, *serverssl = NULL;
6988 int testresult = 0;
6989 SSL_SESSION *sess = NULL;
6990 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
6991
6992#ifdef OPENSSL_NO_TLS1_2
6993 if (tst <= 4)
6994 return 1;
6995#endif
6996#ifdef OPENSSL_NO_TLS1_3
6997 if (tst >= 5)
6998 return 1;
6999#endif
7000
7001 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
7002 TLS_client_method(),
7003 TLS1_VERSION,
7004 (tst <= 4) ? TLS1_2_VERSION
7005 : TLS1_3_VERSION,
7006 &sctx, &cctx, cert, privkey))
7007 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7008 NULL, NULL)))
7009 goto end;
7010
7011 if (tst != 1 && tst != 6) {
7012 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7013 hostname_cb)))
7014 goto end;
7015 }
7016
7017 if (tst != 3 && tst != 8) {
7018 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7019 goto end;
7020 sexpectedhost = cexpectedhost = "goodhost";
7021 }
7022
7023 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7024 goto end;
7025
7026 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7027 cexpectedhost)
7028 || !TEST_str_eq(SSL_get_servername(serverssl,
7029 TLSEXT_NAMETYPE_host_name),
7030 sexpectedhost))
7031 goto end;
7032
7033 /* Now repeat with a resumption handshake */
7034
7035 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7036 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7037 || !TEST_true(SSL_SESSION_is_resumable(sess))
7038 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7039 goto end;
7040
7041 SSL_free(clientssl);
7042 SSL_free(serverssl);
7043 clientssl = serverssl = NULL;
7044
7045 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7046 NULL)))
7047 goto end;
7048
7049 if (!TEST_true(SSL_set_session(clientssl, sess)))
7050 goto end;
7051
7052 sexpectedhost = cexpectedhost = "goodhost";
7053 if (tst == 2 || tst == 7) {
7054 /* Set an inconsistent hostname */
7055 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7056 goto end;
7057 /*
7058 * In TLSv1.2 we expect the hostname from the original handshake, in
7059 * TLSv1.3 we expect the hostname from this handshake
7060 */
7061 if (tst == 7)
7062 sexpectedhost = cexpectedhost = "altgoodhost";
7063
7064 if (!TEST_str_eq(SSL_get_servername(clientssl,
7065 TLSEXT_NAMETYPE_host_name),
7066 "altgoodhost"))
7067 goto end;
7068 } else if (tst == 4 || tst == 9) {
7069 /*
7070 * A TLSv1.3 session does not associate a session with a servername,
7071 * but a TLSv1.2 session does.
7072 */
7073 if (tst == 9)
7074 sexpectedhost = cexpectedhost = NULL;
7075
7076 if (!TEST_str_eq(SSL_get_servername(clientssl,
7077 TLSEXT_NAMETYPE_host_name),
7078 cexpectedhost))
7079 goto end;
7080 } else {
7081 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7082 goto end;
7083 /*
7084 * In a TLSv1.2 resumption where the hostname was not acknowledged
7085 * we expect the hostname on the server to be empty. On the client we
7086 * return what was requested in this case.
7087 *
7088 * Similarly if the client didn't set a hostname on an original TLSv1.2
7089 * session but is now, the server hostname will be empty, but the client
7090 * is as we set it.
7091 */
7092 if (tst == 1 || tst == 3)
7093 sexpectedhost = NULL;
7094
7095 if (!TEST_str_eq(SSL_get_servername(clientssl,
7096 TLSEXT_NAMETYPE_host_name),
7097 "goodhost"))
7098 goto end;
7099 }
7100
7101 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7102 goto end;
7103
7104 if (!TEST_true(SSL_session_reused(clientssl))
7105 || !TEST_true(SSL_session_reused(serverssl))
7106 || !TEST_str_eq(SSL_get_servername(clientssl,
7107 TLSEXT_NAMETYPE_host_name),
7108 cexpectedhost)
7109 || !TEST_str_eq(SSL_get_servername(serverssl,
7110 TLSEXT_NAMETYPE_host_name),
7111 sexpectedhost))
7112 goto end;
7113
7114 testresult = 1;
7115
7116 end:
7117 SSL_SESSION_free(sess);
7118 SSL_free(serverssl);
7119 SSL_free(clientssl);
7120 SSL_CTX_free(sctx);
7121 SSL_CTX_free(cctx);
7122
7123 return testresult;
7124}
7125
a43ce58f
SL		 7126OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
7127
ad887416 7128int setup_tests(void)
2cb4b5f6 7129{
8d242823
MC		 7130 if (!test_skip_common_options()) {
7131 TEST_error("Error parsing test options\n");
7132 return 0;
7133 }
7134
1a2a3a42
MC		 7135 if (!TEST_ptr(certsdir = test_get_argument(0))
7136 || !TEST_ptr(srpvfile = test_get_argument(1))
7137 || !TEST_ptr(tmpfilename = test_get_argument(2)))
710756a9 7138 return 0;
2cb4b5f6 7139
f297e4ec
RS		 7140 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7141#ifdef OPENSSL_NO_CRYPTO_MDEBUG
7142 TEST_error("not supported in this build");
7143 return 0;
7144#else
7145 int i, mcount, rcount, fcount;
7146
7147 for (i = 0; i < 4; i++)
7148 test_export_key_mat(i);
7149 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7150 test_printf_stdout("malloc %d realloc %d free %d\n",
7151 mcount, rcount, fcount);
7152 return 1;
7153#endif
7154 }
7155
1a2a3a42
MC		 7156 cert = test_mk_file_path(certsdir, "servercert.pem");
7157 if (cert == NULL)
7158 return 0;
7159
7160 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7161 if (privkey == NULL) {
7162 OPENSSL_free(cert);
7163 return 0;
7164 }
7165
5e9072ed
MC		 7166#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7167 && !defined(OPENSSL_NO_SOCK)
2fab79af
BP		 7168 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7169 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7170 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7171 ADD_TEST(test_ktls_client_no_txrx_server);
7172 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7173 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7174 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7175 ADD_TEST(test_ktls_client_no_rx_server);
7176 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7177 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7178 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7179 ADD_TEST(test_ktls_client_no_tx_server);
7180 ADD_TEST(test_ktls_no_txrx_client_server);
7181 ADD_TEST(test_ktls_no_rx_client_server);
7182 ADD_TEST(test_ktls_no_tx_client_server);
fe5d9450 7183 ADD_TEST(test_ktls_client_server);
7c3a7561 7184 ADD_TEST(test_ktls_sendfile);
fe5d9450 7185#endif
84d5549e 7186 ADD_TEST(test_large_message_tls);
7856332e 7187 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 7188#ifndef OPENSSL_NO_DTLS
84d5549e 7189 ADD_TEST(test_large_message_dtls);
55386bef 7190#endif
8f8c11d8 7191#ifndef OPENSSL_NO_OCSP
c887104f 7192 ADD_TEST(test_tlsext_status_type);
8f8c11d8 7193#endif
eaa776da
MC		 7194 ADD_TEST(test_session_with_only_int_cache);
7195 ADD_TEST(test_session_with_only_ext_cache);
7196 ADD_TEST(test_session_with_both_cache);
36ff232c 7197#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 7198 ADD_ALL_TESTS(test_stateful_tickets, 3);
7199 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 7200 ADD_TEST(test_psk_tickets);
36ff232c 7201#endif
7fb4c820 7202 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 7203 ADD_TEST(test_ssl_bio_pop_next_bio);
7204 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7205 ADD_TEST(test_ssl_bio_change_rbio);
7206 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 7207#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 7208 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 7209 ADD_TEST(test_keylog);
c423ecaa 7210#endif
6acdd3e5
CB		 7211#ifndef OPENSSL_NO_TLS1_3
7212 ADD_TEST(test_keylog_no_master_key);
7213#endif
e9ee6536 7214#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 7215 ADD_TEST(test_client_hello_cb);
088dfa13 7216 ADD_TEST(test_no_ems);
5f982038
MC		 7217#endif
7218#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 7219 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 7220 /*
7221 * We don't do replay tests for external PSK. Replay protection isn't used
7222 * in that scenario.
7223 */
7224 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 7225 ADD_ALL_TESTS(test_early_data_skip, 3);
7226 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 7227 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 7228 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 7229 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 7230 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 7231 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 7232# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 7233 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 7234# endif
e9ee6536 7235#endif
a273157a 7236#ifndef OPENSSL_NO_TLS1_3
034cb87b 7237 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 7238 ADD_TEST(test_ciphersuite_change);
5bf2eade 7239 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7240# ifdef OPENSSL_NO_PSK
c2b290c3 7241 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 7242# else
0d8da779 7243 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 7244# endif /* OPENSSL_NO_PSK */
7245# ifndef OPENSSL_NO_TLS1_2
7246 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 7247 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 7248# else
7249 /* Test with only TLSv1.3 versions */
7250 ADD_ALL_TESTS(test_key_exchange, 12);
7251# endif
bb01ef3f 7252 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 7253 ADD_TEST(test_stateless);
9d75dce3 7254 ADD_TEST(test_pha_key_update);
a273157a 7255#else
bb01ef3f 7256 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 7257#endif
16afd71c 7258 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 7259 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 7260#ifndef OPENSSL_NO_TLS1_3
7261 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 7262 ADD_TEST(test_key_update);
a77b4dba 7263 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 7264#endif
e11b6aa4 7265 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 7266 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 7267#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7268 ADD_ALL_TESTS(test_srp, 6);
7269#endif
5718fe45 7270 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 7271 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 7272 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 7273 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 7274 ADD_ALL_TESTS(test_shutdown, 7);
1a2a3a42 7275 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 7276 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 7277 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 7278#ifndef OPENSSL_NO_TLS1_2
7279 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7280#endif
49ef3d07 7281 ADD_ALL_TESTS(test_servername, 10);
ad887416
P		 7282 return 1;
7283}
2cb4b5f6 7284
ad887416
P		 7285void cleanup_tests(void)
7286{
1a2a3a42
MC		 7287 OPENSSL_free(cert);
7288 OPENSSL_free(privkey);
fa454945 7289 bio_s_mempacket_test_free();
a77b4dba 7290 bio_s_always_retry_free();
2cb4b5f6 7291}
A mirror of the official openssl repository